09-24-2010 10:38 AM - edited 03-11-2019 11:45 AM
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to configure and troubleshoot the PIX, Adaptive Security Appliances and Firewall Services Module product lines with Magnus Mortensen. Magnus is a Technical Assistance Center (TAC) engineer supporting Cisco's firewall security products in Research Triangle Park, North Carolina. He also takes part in the monthly TAC Security Podcast, which covers a wide range of network-security-related topics as well as troubleshooting and configuration tips and tricks from a TAC engineer's point of view. His specialties include the Cisco ASA Adaptive Security Appliance, Cisco Firewall Services Module, and Cisco IOS Software firewall technologies. He is currently studying for his CCIE Security Lab.
Remember to use the rating system to let Magnus know if you have received an adequate response.
Magnus might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 8, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
09-24-2010 03:05 PM
ASA PHONE PROXY
hello,
I have a question. I need to configure ASA Phone Proxy, but this ASA appliance resides in a DMZ network.
Is it possible to configure this application in this design?
regards
09-24-2010 04:42 PM
Angel,
I wish I had good news for you, but unfortunately a NAT router/firewall in front of a Phone Proxy ASA is not supported. Phone Proxy requires publicly routable addresses for both signaling and media termination; as a result, the implementation you are trying to set up will most likely not work. Many customers implement a standalone Phone Proxy ASA in parallel to the existing firewall in the network. The ASA would have interfaces on the outside Internet segment as well as on the inside subnet. Would you be able to place the Phone Proxy ASA in such a fashion? If you go down that path, then all you need to do to make sure routing isn't a problem is to use ASA version 8.2 or later and run per-interface MTA along with some NAT tricks in order to make sure that traffic destined for the proxied phones goes through the Phone Proxy ASA and not through the other firewall.
- Magnus
09-26-2010 04:23 AM
Hi,
I was wondering when the next TAC Security Podcast was going to be released?
Thanks
Sean
09-27-2010 06:44 AM
Sean,
For Episode 14, we changed how/where we are doing the recordings, so it is taking us a little bit of time to re-tool/edit and release this latest podcast. We hope to have it up and running soon. Thanks for listening!
- Magnus
09-26-2010 07:48 AM
Hello,
I am working on project that involves CAT6K with ACE and FWSM modules (one ACE and two FWSM modules per physical chassis). I want to run FWSM in routed mode but according to docs FWSM in VSS does not support RHI.
I was wondering if RHI will be supported in this setup anytime soon?
One "workaround" is to put ACE before FWSM so in that case FWSM lack of RHI support does not present a problem.
Is this a valid scenario?
09-27-2010 05:30 AM
Pavel,
We see this question come up from time to time. There are some documents out there that incorrectly state that VSS and RHI do not work together. From FWSM version 4.0.4 onwards, RHI is supported in VSS. You can get more information about supported chassis code for VSS and RHI here:
FWSM 4.1.x: http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/release/notes/fwsmrn41.html#wp161314
FWSM 4.0.x: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/release/notes/fwsmrn40.html#wp161314
If you are running FWSM 4.0.x and this is a new installation, you should run the latest 4.0.x image in order to get around bugs like:
CSCsz13933 - RHI:FWSM inject routes to MSFC even after state change from act to stdby (Fixed in 4.0.6 and beyond).
If you could, can you please provide a link to the documentation that noted it was not supported?
- Magnus
09-27-2010 10:37 AM
Hi Magnus,
thank you for your answer.
I concluded that RHI is not supported on FWSM in VSS configuration reading the following white paper.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9336/white_paper_c11_513360.html
The link on the left side says:
FWSM4.0(4): Virtual Switching System (VSS) Integration
I am not a native English speaker, though, so maybe I missed the point.
09-28-2010 05:45 PM
Pavel,
Thanks for the link. I will follow up and get that corrected if need be.
- Magnus
09-26-2010 02:17 PM
How does ASA in routed mode handle received multicast packets when there's no mroute in its routing table?
We have hosts sending packets towards 224.2.0.8 on our network.
Since we don't have multicast set up, switches simply forward them as broadcast.
What does the ASA do w/ these packets?
Is it smart enough to know these are multicast packets, and drop them since there's no mroute, or does it forward on according to the default route, as if it's a normal L3 packet?
09-26-2010 03:32 PM
Kevin,
The firewall, being a security device, will drop those packets. I went ahead and verified this here in my lab, and without a mroute, the traffic is dropped.
- Magnus
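As an added illustration (not code from the thread or from Cisco), the following Python sketch contrasts the two behaviours Kevin asked about: a naive L3 lookup in which a 224.x destination falls through to the default route, and the multicast-aware decision Magnus describes, in which a 224.0.0.0/4 destination is forwarded only when an mroute exists for it and is otherwise dropped. The routing tables and interface names are constructed for the demo.

```python
import ipaddress

# Constructed unicast routing table: the default route points out to the Internet.
UNICAST_ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): "outside",
    ipaddress.ip_network("10.0.0.0/8"): "inside",
}

# Constructed mroute table: empty, matching the "no multicast set up" situation.
MROUTES = {}

MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def longest_prefix_match(dst, table):
    """Return the egress interface of the most specific matching unicast route, or None."""
    addr = ipaddress.ip_address(dst)
    best_prefix, best_iface = None, None
    for prefix, iface in table.items():
        if addr in prefix and (best_prefix is None or prefix.prefixlen > best_prefix.prefixlen):
            best_prefix, best_iface = prefix, iface
    return best_iface


def naive_forward(dst, routes=UNICAST_ROUTES):
    """The behaviour Kevin feared: every destination is treated as unicast,
    so a multicast group address matches the default route and leaks out."""
    return longest_prefix_match(dst, routes) or "drop"


def firewall_forward(dst, routes=UNICAST_ROUTES, mroutes=MROUTES):
    """Multicast-aware decision: a group address is forwarded only if an
    mroute exists for it; otherwise it is dropped rather than routed."""
    addr = ipaddress.ip_address(dst)
    if addr in MULTICAST:
        return mroutes.get(str(addr), "drop")
    return longest_prefix_match(dst, routes) or "drop"


if __name__ == "__main__":
    for dst in ("224.2.0.8", "10.1.2.3", "198.51.100.7"):
        print(f"{dst:>14}  naive={naive_forward(dst):<8} firewall={firewall_forward(dst)}")
```

Running it shows the group address from the question (224.2.0.8) going out the default route under the naive lookup and being dropped under the multicast-aware one, while ordinary unicast destinations are forwarded identically by both.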
09-27-2010 11:39 PM
I have a 6500 with VSS FWSM and ACE.
I suggest not using RHI.
I found 2 errors on the platform:
- Wrong RHI in failover between FWSMs (I use 4.1).
- Wrong RHI in VSS and ACE (injects wrong next-hop on VSS).
So I suggest going with static routes. KISS.
Bye.
09-28-2010 06:16 PM
Jorge,
Most of the bugs that manifest as RHI routes not being removed after failover should be fixed in the 4.1.x versions. It may be worth opening a case so we can ID a bug (worst case, file one) so we can improve the feature.
- Magnus
09-27-2010 12:51 AM
Hi Magnus,
I have a question about DAP on Cisco ASA 5510.
Our firewall: ASA5510 8.2(1)11
When I try to connect from the LAN to the VPN client (IPsec), I receive a message of Authorization denied for user 'unknown' because of the DAP applied to the VPN connection.
This is the log I have:
6 Sep 24 2010 09:39:32 109025 Server 1648 10.26.0.2 9595 Authorization denied (acl=DAP-ip-user-0076860E) for user '
where 10.26.0.2 is the IP address of the VPN client.
In the DAP I added an ACL that permits traffic from the Server to the VPN client network, and from the DAP trace I see that this ACL is applied to the connection.
Can you give me any suggestions?
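As an added example (not code from the thread or from Cisco), here is a small Python parser for ASDM log-viewer lines of the kind pasted above. It extracts the ACL name and user from message 109025 and counts repeated denials per ACL, user and flow, which is what you would want in front of you before deciding whether the DAP ACL is the right one and is being hit in the expected direction. The column layout (severity, date, time, syslog id, source, source port, destination, destination port, text) is an assumption about the ASDM viewer, and the sample lines are constructed from the posted one, with the user field filled in as 'unknown' as the poster describes.

```python
import re
from collections import Counter

# Assumed ASDM log-viewer column order (not confirmed by the thread):
# severity, date, time, syslog id, source, source port, destination, destination port, text.
ASDM_LINE = re.compile(
    r"^(?P<sev>\d)\s+(?P<date>\w{3} \d{1,2} \d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<msgid>\d{6})\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+"
    r"(?P<text>.*)$"
)

# Message 109025 text as it appears in the thread, with the quoted user field completed.
AUTHZ_DENIED = re.compile(
    r"Authorization denied \(acl=(?P<acl>[^)]+)\) for user '(?P<user>[^']*)'"
)

# Constructed sample lines modelled on the posted one; the third is an unrelated, made-up line.
SAMPLE_LOG = """\
6 Sep 24 2010 09:39:32 109025 Server 1648 10.26.0.2 9595 Authorization denied (acl=DAP-ip-user-0076860E) for user 'unknown'
6 Sep 24 2010 09:39:40 109025 Server 1652 10.26.0.2 9595 Authorization denied (acl=DAP-ip-user-0076860E) for user 'unknown'
6 Sep 24 2010 09:40:01 302013 Server 1660 10.26.0.3 443 Built outbound TCP connection
"""


def parse_line(line):
    """Split one ASDM-style line into fields; return None if it does not match."""
    m = ASDM_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["msgid"] = int(rec["msgid"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_authz_denied(rec):
    """For 109025 records, pull out the ACL name and user; None for anything else."""
    if rec["msgid"] != 109025:
        return None
    m = AUTHZ_DENIED.search(rec["text"])
    if not m:
        return None
    return {
        "acl": m.group("acl"),
        "user": m.group("user"),
        # DAP builds per-session ACLs with a DAP-ip-user- prefix, as in the posted line.
        "dap_generated": m.group("acl").startswith("DAP-ip-user-"),
        "src": rec["src"],
        "dst": rec["dst"],
        "dport": rec["dport"],
    }


def summarize_denials(log_text):
    """Count 109025 denials per (acl, user, src, dst, dport) so a repeated denial stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        denial = parse_authz_denied(rec)
        if denial:
            key = (denial["acl"], denial["user"], denial["src"], denial["dst"], denial["dport"])
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (acl, user, src, dst, dport), n in summarize_denials(SAMPLE_LOG).items():
        print(f"{n}x acl={acl} user={user!r} {src} -> {dst}:{dport}")
```

On the constructed sample the two 109025 lines collapse into a single entry with a count of 2, keyed on the DAP-generated ACL name, the user 'unknown', and the Server-to-10.26.0.2:9595 flow, while the unrelated line is ignored.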
09-27-2010 06:19 AM
Hello.
I need some help about FWSM running software version 4.1(1) and Device Manager Version 6.2(1)F.
Using ASDM, the first time I select NAT from the Firewall menu, or the Access Rules page, it appears only after one minute!
Why?
I'm seeing this issue after the ASDM upgrade.
Thanks.
Regards.
Andrea