ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to configure and troubleshoot the PIX, Adaptive Security Appliances and Firewall Service Module product lines with Magnus Mortensen. Magnus is a Technical Assistance Center (TAC) engineer supporting Cisco's firewall security products in Research Triangle Park, North Carolina. He also takes part in the monthly TAC Security Podcast, which covers a wide range of network security related topics as well as troubleshooting and configuration tips and tricks from a TAC engineer's point of view. His specialties include the Cisco ASA Adaptive Security Appliance, Cisco Firewall Services Module, and Cisco IOS Software firewall technologies. He is currently studying for his CCIE Security Lab.

Remember to use the rating system to let Magnus know if you have received an adequate response.

Magnus might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 8, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

40 Replies

Hi,

You can export the Access-list rule configuration page of ASDM. In ASDM go to 'Configuration' -> 'Firewall' -> 'Access Rules' and click on the EXPORT button in the bar above the rule table. Options include HTML or CSV. I just tested this on my ASA 8.3.x/ASDM 6.3.x and ASA 8.2.x/ASDM 6.2.x setups and it seems to export a CSV file just fine.

- Magnus

MSAD_ADMIN
Level 1

We have 2 pairs of ASAs (5520), each pair in Active/Active mode. I noticed that the failover IP gets the same automatic MAC address (1200.0200.0400) on both pairs. Is this normal behavior? If this gives me MAC flapping when connecting the mentioned ports to the same management zone, is the solution to assign manual MAC addresses?

Mohammed,

It sounds like you may want to look into using the 'mac-address auto prefix' command. This command was first put into ASA code in version 8.0.5 and the goal is to make the auto-generated MAC address more unique so you could have multiple ASAs without MAC conflict. More information about this command can be found here:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/m.html#wp1973105

- Magnus

NAGISWAREN2
Level 1

Hi Magnus,

My office has one Cisco ASA 5510. I've noticed in the firewall dashboard tab that there are scanning attacks and SYN attacks. It always shows a number of attacks there, on average 4 attacks. Is there any possibility to know who is doing the attacks and how to stop them?

And besides that, the TOP 10 Protected Servers Under SYN Attack is showing as below:

server:port             Interface  | total   Source IP
------------------------------------------------------------
Outside Server IP:23    inside     | 60      My inside server IP

Does this mean my inside server is attacking the outside server on port 23? Any idea? Please advise.

Regards, Nagis

dipak.timsina
Level 1

Hi,

I've configured an IPsec VPN on a Cisco SA520 with a Fortigate router. Phase 1 and Phase 2 configuration are all okay but the IPsec tunnel isn't up. In the IPsec VPN logs I got these:

2010-10-04 14:42:03: INFO:  Received Malformed packet of payload length 41726 and total length 72.
2010-10-04 14:42:07: INFO:  Received Malformed packet of payload length 41726 and total length 72.
2010-10-04 14:42:12: ERROR:  Ignore information because ISAKMP-SA has not been established yet.
2010-10-04 14:42:12: INFO:  Configuration found for 212.16.98.190[500].
2010-10-04 14:42:12: INFO:  Received request for new phase 1 negotiation: 22.16.221.227[500]<=>212.16.98.190[500]
2010-10-04 14:42:12: INFO:  Beginning Identity Protection mode.
2010-10-04 14:42:12: INFO:  Received Vendor ID: DPD
2010-10-04 14:42:14: ERROR:  Phase 1 negotiation failed due to time up for 212.16.98.190[500]. b43474085f0471b9:03022b503977fbba
2010-10-04 14:42:14: INFO:  Received Malformed packet of payload length 55242 and total length 72.
2010-10-04 14:42:15: INFO:  Received Malformed packet of payload length 25961 and total length 72.
2010-10-04 14:42:19: INFO:  Received Malformed packet of payload length 25961 and total length 72.

What does this mean?

kathy-kat
Level 1

Hello!!

I have some problems with authentication into the FWSM. If I try to do it from the CLI through the Catalyst 6509, this happens:

509_CORE_A#session slot 3 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.31 ... Open


User Access Verification

Password:
Type help or '?' for a list of available commands.
FWSM-A> ena
Command authorization failed
FWSM-A>

Any idea??

Ummm, it seems to be the aaa authorization command CONSOLE that points to a RADIUS or TACACS server. Do you have the correct permissions to be in "enable mode"?

Good luck

Katherine,

Depending on the FWSM version and configuration there are different ways to control the AAA when sessioning down from the chassis...

- If you are in single mode, you can control the sessioning to the module with the 'aaa authentication telnet console xxx' line.

- If you are in multiple mode running code 3.2 or later, you can control the authentication used for sessions by using the 'aaa authentication telnet console xxx' in the *admin* context.

- If you are in multiple mode running code earlier than 3.2, you may be a bit out of luck.

If you are in multiple mode and running 3.2 or later, do not use the 'enable' command after logging in, instead use the 'login' command. That will allow you to keep the authenticated username as you transition between contexts.

- Magnus

Mhon Baul
Level 1

Hi Magnus,

I have a few questions regarding ASA and FWSM:

- I know that multicast is not supported when running in multi-context mode, but is there a workaround or road map to support this feature?

- I want to implement the FWSM to separate the DC, inside users, DMZ, customers and outside network from each other. What mode do you recommend if I use multicast for all these networks?

- Is it true that the ASA 5580 has greater functionality than the FWSM?

- Can VSS with FWSM support multi-context mode?

Thanks in advance!

cheers,

mhon

ROBERTO TACCON
Level 4

Hi Magnus,

How can I configure a PIX Version 8.0(4) to NOT block the LAND ATTACK?

pix# sh log | i 17.12.18.24

Oct 07 2010 15:47:31: %PIX-2-106017: Deny IP due to Land Attack from 17.12.18.24 to 17.12.18.24

Oct 07 2010 15:47:31: %PIX-6-302014: Teardown TCP connection 1264706965 for outside:17.12.18.24/80 to inside:10.12.40.114/59790 duration 0:00:00 bytes 0 looping-address

I've already disabled signature 1102:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1102&signatureSubId=0&softwareVersion=6.0&releaseVersion=S473

pix# sh run | i audit

ip audit signature 1102 disable

pix#

but the drops continue ....

pix# sh log | i 17.12.18.24

Oct 07 2010 15:50:22: %PIX-2-106017: Deny IP due to Land Attack from 17.12.18.24 to 17.12.18.24

Oct 07 2010 15:50:22: %PIX-6-302014: Teardown TCP connection 1264706965 for outside:17.12.18.24/80 to inside:10.12.40.114/59891 duration 0:00:00 bytes 0 looping-address

I think (as I have captured all the traffic on the inside and outside interfaces and I can't see any packet with the same src and dst IP) the problem is a PIX bug.

The questions are:

- How can I DISABLE the "Deny IP due to Land Attack" on the PIX?

- Is the following the correct command to disable the LAND ATTACK check: "ip audit signature 1102 disable"?

- How can I capture ONLY the ASP DROP packets?

Thanks

Roberto Taccon
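A small log-triage script, added here as an example and not taken from the post or from Cisco, that parses the two message types quoted above (%PIX-2-106017 and %PIX-6-302014) and, for each land-attack drop, checks whether the teardown logged at the same second names a different peer than the drop message claims, which is the discrepancy the post points out. The sample lines are constructed from the addresses in the post.

```python
import re
from collections import Counter

# Constructed sample: the two 106017/302014 pairs quoted in the post above.
SAMPLE_LOG = """\
Oct 07 2010 15:47:31: %PIX-2-106017: Deny IP due to Land Attack from 17.12.18.24 to 17.12.18.24
Oct 07 2010 15:47:31: %PIX-6-302014: Teardown TCP connection 1264706965 for outside:17.12.18.24/80 to inside:10.12.40.114/59790 duration 0:00:00 bytes 0 looping-address
Oct 07 2010 15:50:22: %PIX-2-106017: Deny IP due to Land Attack from 17.12.18.24 to 17.12.18.24
Oct 07 2010 15:50:22: %PIX-6-302014: Teardown TCP connection 1264706965 for outside:17.12.18.24/80 to inside:10.12.40.114/59891 duration 0:00:00 bytes 0 looping-address
"""

TS = r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
LAND_RE = re.compile(TS + r": %(?:PIX|ASA)-2-106017: Deny IP due to Land Attack "
                     r"from (?P<src>[\d.]+) to (?P<dst>[\d.]+)")
TEARDOWN_RE = re.compile(TS + r": %(?:PIX|ASA)-6-302014: Teardown TCP connection (?P<conn>\d+) for "
                         r"(?P<if_a>\w+):(?P<a>[\d.]+)/\d+ to (?P<if_b>\w+):(?P<b>[\d.]+)/\d+ .* (?P<reason>\S+)$")


def parse_land_events(log_text):
    """Return one dict per 106017 drop, joined with the 302014 teardown that shares its timestamp."""
    lands, teardowns = [], {}
    for line in log_text.splitlines():
        m = LAND_RE.match(line)
        if m:
            lands.append(m.groupdict())
            continue
        m = TEARDOWN_RE.match(line)
        if m:
            teardowns.setdefault(m.group("ts"), []).append(m.groupdict())
    events = []
    for land in lands:
        paired = teardowns.get(land["ts"], [])
        td = paired[0] if paired else None  # first teardown logged in the same second
        events.append({
            "ts": land["ts"],
            "addr": land["src"],
            "src_is_dst": land["src"] == land["dst"],
            "conn_id": td["conn"] if td else None,
            "teardown_reason": td["reason"] if td else None,
            "teardown_peer": td["b"] if td else None,  # the inside endpoint in the teardown
        })
    return events


def summarize(events):
    """Count drops per address and how many paired teardowns show a peer other than the 'attacker'."""
    per_addr = Counter(e["addr"] for e in events)
    distinct = [e for e in events if e["teardown_peer"] and e["teardown_peer"] != e["addr"]]
    return {"drops_per_address": dict(per_addr), "teardowns_with_distinct_peer": len(distinct)}
```

When every drop is paired with a teardown whose peer differs from the address in the 106017 message, that is the pattern worth taking to TAC together with the interface captures.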

huangedmc
Level 3

I have a question about NAT on ASAs.

There are three interfaces on the ASA: inside, DMZ, and outside.

Two static NATs already existed:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

When we tried to add a new NAT statement, we got an error:

ASA(config)# static (DMZ,outside) 10.28.16.0 10.28.16.0 netmask 255.255.255.0
WARNING: mapped-address conflict with existing static
  inside:10.0.0.0 to outside:10.0.0.0 netmask 255.0.0.0

Why did we get this error/warning?

Is it just cosmetic, and NAT would still work properly, or should we change our configuration?

We have a bunch of 10.x.x.x subnets on the inside network, which is why we had to "summarize" it as 10.0.0.0/8.

We utilize 10.28.16.0/24 in our DMZ, and want to make some of the devices accessible by devices on our external edge network, thus the DMZ to outside nat.

We want to achieve this w/o having to NAT to different external IP's, which is why we're doing the NAT this way.
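A checker, added here as an example and not the ASA's own code, that parses pre-8.3 'static (real_if,mapped_if) mapped real netmask mask' lines and reports which existing statics have a mapped range on the same mapped interface that overlaps a new one. It assumes the warning quoted above is about exactly that overlap (the warning text says "mapped-address conflict"); whether the ASA applies further rules is not something this script claims.

```python
import ipaddress
import re

# Pre-8.3 syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>[\d.]+) (?P<real>[\d.]+) netmask (?P<mask>[\d.]+)$"
)

# Constructed from the two statics in the post above.
EXISTING = [
    "static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0",
    "static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0",
]


def parse_static(line):
    """Turn one static NAT line into interface names plus mapped/real networks."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static NAT line: {line!r}")
    mask = m.group("mask")
    return {
        "real_if": m.group("real_if"),
        "mapped_if": m.group("mapped_if"),
        "mapped": ipaddress.ip_network(f"{m.group('mapped')}/{mask}", strict=False),
        "real": ipaddress.ip_network(f"{m.group('real')}/{mask}", strict=False),
    }


def mapped_conflicts(existing_lines, new_line):
    """List existing statics whose mapped range overlaps the new static's mapped range
    on the same mapped interface, formatted like the ASA warning quoted in the post."""
    new = parse_static(new_line)
    hits = []
    for line in existing_lines:
        old = parse_static(line)
        if old["mapped_if"] == new["mapped_if"] and old["mapped"].overlaps(new["mapped"]):
            hits.append(
                f"{old['real_if']}:{old['real'].network_address} to "
                f"{old['mapped_if']}:{old['mapped'].network_address} netmask {old['mapped'].netmask}"
            )
    return hits
```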
