01-14-2013 01:33 PM - edited 03-11-2019 05:46 PM
With Kureli Sankar
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask any questions about adaptive security appliances (ASAs), Private Internet Exchange (PIX), and firewall services modules (FWSMs) with Cisco Expert Kureli Sankar. This is a continuation of the live Webcast.
Kureli Sankar is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco ASA, FWSM, Cisco Security Manager, the Content Security and Control module, and the zone-based firewall module in Cisco IOS Software. Prior to joining Cisco, Sankar worked for the John Morrell Co., where she was the network administrator in charge of the company's enterprise network covering 27 locations in the United States. She also was an adjunct professor at the University of Cincinnati, teaching undergraduate-level networking courses. Sankar holds a degree in electrical and electronic engineering from Regional Engineering College, Trichirappalli, India, and holds CCSP and CCIE Security (#35505) certification.
Remember to use the rating system to let Kureli know if you have received an adequate response.
Kureli might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through January 25, 2013. Visit this forum often to view responses to your questions and the questions of other community members.
Webcast related links:
01-26-2013 09:53 AM
Taufique,
Phone proxy configuration is pretty hard to troubleshoot via the forum. You mentioned following the forum guide. If the CTL file isn't getting to the phone, then there is something wrong with the tftp traffic between the call manager and the phone.
Do you have tftp inspection enabled?
We pretty much follow this when troubleshooting phone proxy issues.
https://supportforums.cisco.com/docs/DOC-1226
What do captures and syslogs show? It would be better if you could open a TAC case and work with a TAC engineer, as we need to grab multiple captures, debugs and syslogs to figure out what might be going on. Added to that, this event ended yesterday and will probably be closed today or Monday, and I will be unable to add or edit content to it.
-Kureli
01-26-2013 10:03 AM
Good Day,
Thank you for the link. As per the link, in debug I am getting output the same as below.
Traffic from Call Manager to phone does not traverse ASA causing TFTP failures
PP: opened 0x116804ea
PP: Data Block 1 forwarded from 14.36.107.90/8554 to 172.18.254.73/52361 ingress ifc outside
PP: Received ACK Block 1 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 2 forwarded to 172.18.254.73/52361
PP: Received ACK Block 2 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 3 forwarded to 172.18.254.73/52361
PP: Received ACK Block 3 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 4 forwarded to 172.18.254.73/52361
PP: Received ACK Block 4 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 5 forwarded to 172.18.254.73/52361
PP: Received ACK Block 5 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 6 forwarded to 172.18.254.73/52361
PP: Received ACK Block 6 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 7 forwarded to 172.18.254.73/52361
PP: Received ACK Block 7 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 8 forwarded to 172.18.254.73/52361
PP: Received ACK Block 8 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 9 forwarded to 172.18.254.73/52361
PP: Received ACK Block 9 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: TFTP session complete, all data sent
PP: 172.18.254.73/52362 requesting SEP0007EBF0EE54.cnf.xml.sgn
PP: opened 0x116974f6
PP: 172.18.254.73/52363 requesting SEP0007EBF0EE54.cnf.xml.sgn
PP: opened 0x116a21e2
PP: 172.18.254.73/52364 requesting SEP0007EBF0EE54.cnf.xml.sgn
PP: opened 0x116b06ae
Is there any NAT issue with my ASA? As my debug output is the same as above.
I have the below NAT configured:
Static NAT 1.1.1.84 (public routable IP) to 192.168.1.25 (IP for CUCM and TFTP, as both are on the same server)
Media Termination IP outside (1.1.1.82) and inside (192.168.1.9)
ACL for inside and outside both is allow ip any any
I shall enable tftp inspection as per your suggestion.
In addition to this, if you can guide me on something it will be a great help, as per the time you mentioned in your reply!
Thank you.
01-26-2013 10:05 AM
I would like to add one more point to the above...
As per the log, CIPC from my home laptop is requesting an unsigned config file,
that is, it is requesting the file as SEP0007EBF0EE54.cnf.xml and not SEP0007EBF0EE54.cnf.xml.sgn.
That is the error message from CUCM TFTP.
01-29-2013 05:45 AM
If a firewall is in the network path between the phone and the outside of the ASA, it could be blocking the file from being sent from the ASA to the remote phone using the secondary UDP data channel. Ensure that the device is either tracking the TFTP connection statefully ('inspect tftp' on ASA/PIX) or that the device is forwarding all ports to the inside phone.
We have seen this problem crop up in some cases where the ISP itself is blocking tftp traffic. In this case there is nothing that the user can do, and the ISP has to stop blocking this traffic for the phone to register correctly. Some ISPs apparently do this to prevent problems with cable modems, which download their config over tftp as well.
'debug phone-proxy tftp' will show the remote phone requesting a file, then the phone proxy will send back Data Block 1, which will never be acknowledged.
As I mentioned earlier, it would be appropriate to work with a TAC engineer to resolve this problem. Pls. feel free to open a TAC case.
-Kureli
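The `debug phone-proxy tftp` output pasted earlier in this thread, and the failure signature Kureli describes (the phone requests a file, the proxy forwards Data Block 1, and no ACK ever comes back), can be triaged mechanically. The script below is an added example written for this page; it is not code from the thread, from Cisco, or from the phone proxy itself. It parses lines in the format shown above, tracks each phone request by its source IP/port, and classifies the session. The sample log is constructed for the example: it reuses the addresses and filename from the thread, but the second and third sessions are edited to show the no-ACK and no-data cases.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Line patterns as they appear in 'debug phone-proxy tftp' output on the page.
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_REQUEST = re.compile(rf"^PP: {IPV4}/(\d+) requesting (\S+)")
RE_DATA = re.compile(rf"^PP: Data Block (\d+) forwarded (?:from \S+ )?to {IPV4}/(\d+)")
RE_ACK = re.compile(rf"^PP: Received ACK Block (\d+) from \w+:{IPV4}/(\d+)")
RE_DONE = re.compile(r"^PP: TFTP session complete")

# Constructed sample (not a real capture). Session 1 completes like the one in the
# thread; session 2 shows "Data Block 1 never acknowledged"; session 3 is opened but
# the proxy never forwards any data for it.
SAMPLE_DEBUG = """\
PP: 172.18.254.73/52361 requesting SEP0007EBF0EE54.cnf.xml.sgn
PP: opened 0x116804ea
PP: Data Block 1 forwarded from 14.36.107.90/8554 to 172.18.254.73/52361 ingress ifc outside
PP: Received ACK Block 1 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 2 forwarded to 172.18.254.73/52361
PP: Received ACK Block 2 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: TFTP session complete, all data sent
PP: 172.18.254.73/52362 requesting SEP0007EBF0EE54.cnf.xml.sgn
PP: opened 0x116974f6
PP: Data Block 1 forwarded from 14.36.107.90/8555 to 172.18.254.73/52362 ingress ifc outside
PP: 172.18.254.73/52363 requesting SEP0007EBF0EE54.cnf.xml
PP: opened 0x116a21e2
"""

# Next check for each verdict, taken from the advice given in this thread.
NEXT_STEP = {
    "ok": "session completed; nothing to do",
    "no-ack": "phone never ACKed block 1: a firewall/ISP between the phone and the ASA "
              "may be dropping the secondary UDP data channel; ensure 'inspect tftp' or "
              "full port forwarding to the phone",
    "no-data": "request seen but no data block forwarded: check the TFTP path between "
               "the call manager/TFTP server and the ASA",
    "stalled": "transfer started but stopped mid-way: check for packet loss or a state "
               "timeout on the path",
}


@dataclass
class TftpSession:
    client: str                      # phone source socket, "ip/port"
    filename: str                    # file requested ("?" if the request line was not captured)
    sent: Set[int] = field(default_factory=set)
    acked: Set[int] = field(default_factory=set)
    complete: bool = False

    def verdict(self) -> str:
        if self.complete:
            return "ok"
        if not self.sent:
            return "no-data"
        if not self.acked:
            return "no-ack"
        return "stalled"


def parse_phone_proxy_debug(text: str) -> List[TftpSession]:
    """Build one TftpSession per phone request, keyed by the phone's ip/port."""
    sessions: Dict[str, TftpSession] = {}
    order: List[TftpSession] = []
    last: Optional[TftpSession] = None   # 'session complete' carries no port, so attribute it to the last active session

    def get(key: str) -> TftpSession:
        # Data/ACK lines can appear without a captured request line (as in the thread's paste).
        if key not in sessions:
            sessions[key] = TftpSession(key, "?")
            order.append(sessions[key])
        return sessions[key]

    for raw in text.splitlines():
        line = raw.strip()
        m = RE_REQUEST.match(line)
        if m:
            ip, port, fname = m.groups()
            s = TftpSession(f"{ip}/{port}", fname)
            sessions[s.client] = s
            order.append(s)
            last = s
            continue
        m = RE_DATA.match(line)
        if m:
            block, ip, port = m.groups()
            last = get(f"{ip}/{port}")
            last.sent.add(int(block))
            continue
        m = RE_ACK.match(line)
        if m:
            block, ip, port = m.groups()
            last = get(f"{ip}/{port}")
            last.acked.add(int(block))
            continue
        if RE_DONE.match(line) and last is not None:
            last.complete = True
    return order


def summarize(text: str) -> Dict[str, str]:
    """Map each phone socket to its verdict."""
    return {s.client: s.verdict() for s in parse_phone_proxy_debug(text)}


def unsigned_requests(text: str) -> List[str]:
    """Filenames requested without the .sgn suffix (the symptom noted later in the thread)."""
    return [s.filename for s in parse_phone_proxy_debug(text)
            if s.filename != "?" and not s.filename.endswith(".sgn")]


if __name__ == "__main__":
    for client, verdict in summarize(SAMPLE_DEBUG).items():
        print(f"{client}: {verdict} -> {NEXT_STEP[verdict]}")
    print("unsigned requests:", unsigned_requests(SAMPLE_DEBUG))
```

Run it as-is on the constructed sample, or paste a real `debug phone-proxy tftp` capture into `SAMPLE_DEBUG`. The `no-ack` verdict is the one Kureli's reply is about; `no-data` is the other case a capture from both sides of the ASA would confirm, and the script deliberately does not guess at its cause.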
01-28-2013 07:04 PM
Hi Kureli,
I am new to this support channel,
and I am not sure if I could ask you some questions on the ASA5505.
I have done the basic setup and everything is looking fine. Now there is a request for web filtering: I just need to
block websites like "facebook" and "youtube" on only 2 PCs, with IP addresses 192.168.1.10 and 192.168.1.11;
the rest of the PCs should not be affected.
However, when I browse through the firewall I didn't see any section available for me to configure as per my requirement.
Would you mind advising?
thank you
Derrick
01-28-2013 07:38 PM
Derrick,
Pls. follow this thread.
https://supportforums.cisco.com/thread/2087031
One of our readers listed all of Facebook's IP blocks. On the ACL that is used to deny, the source is listed as any. In your case, add the two IPs as the sources and that should work.
-Kureli
01-29-2013 04:41 AM
Hi, thanks for your quick response. I will study the link you posted and try it.
Besides this, I have another issue: ONLY my laptop (Windows XP Pro), which gets DHCP from the Cisco ASA and is able to surf the net, is somehow blocked from pinging and accessing the Cisco ASA itself, which is my gateway.
With the same DHCP on the other PCs/desktops, all the other stations can access the Cisco ASA through SSH and ASDM and can ping the Cisco ASA.
After some troubleshooting I suspect my PC is somehow blocked by the Cisco ASA, but there is no access list created to block my PC. How can I check further? Please advise; appreciated!
01-29-2013 05:33 AM
Pings from XP to ASA - broken?
Pings from ASA to XP - working?
Do you have a windows firewall enabled on the XP?
This ATE event ended on Jan 25th and will be locked. Pls. post further questions on our forum here:
https://supportforums.cisco.com/community/netpro/security/firewall
-Kureli