06-20-2011 09:21 AM - edited 03-11-2019 01:47 PM
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn expert tips on how to configure and troubleshoot Network Address Translation (NAT) and Failover on Cisco ASA Firewalls with Cisco Expert Amitashwa Agarwal. Amitashwa is a senior customer support engineer and technical lead at the Cisco Technical Assistance Center in Bangalore, India. He works with the Security Firewall team, where his areas of expertise include configuring and troubleshooting issues related to firewall, VPN, and AAA technology. He holds a bachelor's degree in computer science from the University of Pune, India, and holds CCSP and CCIE certifications in Security (#22164).
Remember to use the rating system to let Amitashwa know if you have received an adequate response.
Amitashwa might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the shortly after the event. This event lasts through July 1st, 2011. Visit this forum often to view responses to your questions and the questions of other community members.
06-22-2011 05:03 AM
Hi Amit,
I need to clarify a few points about FWSM failover in multi-context mode, the same as is done in context-based failover on the Cisco ASA.
We have 2 FWSMs in 2 different chassis at Site A and Site B. The FWSM module in Site A is in Active mode and the other module in Site B is in Standby mode.
I want to set up 2 security contexts X and Y in the active FWSM, which would get replicated to the standby FWSM.
Both contexts have separate inside and outside virtual interfaces and do not share any of their interfaces with each other.
We use static routing as dynamic routing is not yet supported in multi-context mode. Is that right?
Is it possible to set up the 2 contexts to have 2 separate inside interfaces but a single common external interface? How?
Kashi
06-23-2011 06:56 AM
Hi Kashi,
Please find the answers to your questions inline:
I want to set up 2 security contexts X and Y in the active FWSM, which would get replicated to the standby FWSM.
In order to create security contexts on the active FWSM you will have to convert it to multiple mode. When you change from single to multiple mode it takes the running configuration from single mode and adds it to the admin context. Also, these contexts will only get replicated over to the standby firewall if it is in multiple mode as well.
You can refer to the link given below to configure the firewall in multiple context:
Both contexts have separate inside and outside virtual interfaces and do not share any of their interfaces with each other.
We use static routing as dynamic routing is not yet supported in multi-context mode. Is that right?
Yes, it is correct.
Here is the link that states the same:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/contxt_f.html#wp1116132
Is it possible to set up the 2 contexts to have 2 separate inside interfaces but a single common external interface? How?
Yes, it is possible to share the external interface between 2 contexts in routed mode.
Here is an example for your reference:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/exampl_f.html#wp1029314
Let me know in case of further questions or concerns.
Regards,
Amitashwa
06-23-2011 06:56 PM
Amit,
Thanks for the response.
Is it possible to set up the 2 contexts to have 2 separate inside interfaces but a single common external interface? How?
You said yes, it's possible.
1. What happens if the shared interface switchport is down? Will the whole FWSM fail over?
2. Say each of the 2 contexts is meant for one of 2 customers, A and B, who need to have separate links. In this case, is a shared interface recommended, or separate internal and external interfaces for each context?
3. Both links of each customer would be terminated on 2 separate switchports. Say, if any one link is down, is it possible to fail over only that single context, or again does the whole module fail over?
4. With dynamic routing not possible in multi-context mode, is it possible to make FWSM failover automatic? Or is it manual in any FWSM failover design type?
Kashi
06-25-2011 02:08 AM
Hi Kashi,
Please find the answers to your questions inline:
1. Is it possible to set up the 2 contexts to have 2 separate inside interfaces but a single common external interface? How? You said yes, it's possible. What happens if the shared interface switchport is down? Will the whole FWSM fail over?
Yes, in this case both contexts will become Active on the standby firewall. However, this is only possible if the 2 contexts sharing the outside interface are configured in Active/Standby failover. In this case, if the shared interface goes down then both contexts will fail over to the Standby unit.
The FWSM cannot have a shared VLAN interface in Active/Active failover if there are only 2 contexts on it. The FWSM can have a shared VLAN interface in Active/Active failover only if the shared VLAN remains in the same failover group.
Here is a link that explains how Active/Active failover works:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/fail_f.html#wp1041964
2. Say each of the 2 contexts is meant for one of 2 customers, A and B, who need to have separate links. In this case, is a shared interface recommended, or separate internal and external interfaces for each context?
In this case I would suggest using unique internal and external interfaces in each context.
3. Both links of each customer would be terminated on 2 separate switchports. Say, if any one link is down, is it possible to fail over only that single context, or again does the whole module fail over?
If it is Active/Standby failover in multiple context mode, then in case of any issue with any link belonging to any of the contexts both contexts will fail over to the Standby firewall. However, in the case of Active/Active failover, if a link belonging to an Active context on one firewall goes down then the Standby context on the other firewall will become Active.
4. With dynamic routing not possible in multi-context mode, is it possible to make FWSM failover automatic? Or is it manual in any FWSM failover design type?
Dynamic routing has nothing to do with failover. Failover happens automatically on the FWSM depending upon unit/interface health monitoring.
Here is a link that talks about the same:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/fail_f.html#wp1042444
Regards,
Amit
06-26-2011 06:04 AM
Thank you Amit for the response.
For the 4th question, regarding automatic FWSM failover, I think I did not put the question correctly; I will diagram it for you.
        SiteA                                  SiteB
CoreSW1----CoreSW2------L2-----CoreSW3
   |                              |
   |                              |
ActFWSM1                      StndFWSM2
   |                              |
   |                              |
InetRTR1                      InetRTR2
   |                              |
   | active link1                 | passive link2
   |------------Internetcloud-----|
We have 2 FWSM modules in 2 separate chassis in Site A and Site B as shown above. Both modules are configured in Active/Standby mode, and routers RTR1 and RTR2 are connected to the active and standby FWSM modules respectively. The routers are set up with HSRP for redundancy, with static routing for the local LAN and BGP with the ISPs for multihoming.
The default route in the active FWSM points to the router HSRP virtual IP, so in case the active router, RTR1, fails, the standby router, RTR2, takes over. In this situation, when the active router is down, the FWSM is not failing over automatically. We have to manually fail over the FWSM to Site B and then traffic comes over from
link2 --->CoreSw3--->Link2--->CoreSw2---->CoreSw1---> To local LAN
I'm looking to automate FWSM failover and I want your opinion on my solution, whether it is correct; else suggest one:
Remove static routing on the routers, use dynamic routing and ensure the default route is injected into the active FWSM by dynamic routing on the routers, so that when the router is down the injected default route is removed and the FWSMs realize their upstream device/link is down and would fail over.
Thanks - Kashi
06-27-2011 01:27 PM
Hi Kashi,
The solution that you have in mind will not work because the firewall will not look at its routing table to determine the status of the upstream device/link in order to fail over. If the interface connecting to the upstream device is a monitored interface on the firewall then hellos will be sent out on this interface from both firewalls, and in case either firewall does not receive hellos on this interface it will run the following tests (in order) to check the status of the interface:
Link Up/Down test - Is the link up or down
Network Activity test - Am I receiving any traffic on this interface
ARP test - Generate ARP request for most recently learnt ARP entries on that interface.
Broadcast Ping test - Generate a broadcast ping on that interface
If all network tests fail for an interface, but this interface on the other unit continues to successfully pass traffic, then this interface will be considered as failed and if the threshold for failed interfaces is met, then a failover will occur.
In your case I would like to know if the interface/VLAN connecting the FWSM to the router is being monitored or not. Also, is there a way for the hellos to be exchanged between the firewalls on the outside interface (as per the diagram I do not see any connection between the routers, like a trunk port or something)?
Regards,
Amit
06-28-2011 12:16 AM
Thanks for the response Amit.
As I mentioned, each FWSM module has 2 contexts, X and Y.
Each context has its own inside and outside interface, and context Y has a DMZ interface as well.
As part of the failover configuration, I have configured the following commands to monitor all the interfaces within a context:
monitor-interface inside
monitor-interface outside
monitor-interface dmz
Both routers are interconnected using a Layer 2 link that connects both sites, A and B. This link is where the hello packets are being shared between both modules, and therefore the interfaces, I believe. Correct me if I'm wrong.
The routers are set up with HSRP on the interface connecting to the FWSM external interface, and the other interface, connecting to the ISP, is being tracked.
How can I rate your comments? I do not see any option.
06-28-2011 11:10 AM
Hi Kashi,
Your understanding about the hello packet exchange on the outside interface of the firewalls looks correct.
Also, you mentioned earlier that:
The default route in the active FWSM points to the router HSRP virtual IP, so in case the active router, RTR1, fails, the standby router, RTR2, takes over. In this situation, when the active router is down, the FWSM is not failing over automatically. We have to manually fail over the FWSM to Site B and then traffic comes over from
link2 --->CoreSw3--->Link2--->CoreSw2---->CoreSw1---> To local LAN
So, help me understand the status of failover on the active FWSM when RTR1 goes down. Does the outside interface change state to Waiting or Failed when RTR1 goes down? Also, what is the interface policy set to for failover?
Regards,
Amit
06-28-2011 08:39 PM
Amit,
The interface policy is set to 50%, i.e. if any one interface goes down, FWSM failover should trigger.
When RTR1 goes down, say we reboot it, the FWSM context outside interface does not go down (don't know why) and we are therefore forced to manually fail over the FWSM.
When RTR1 goes down, as it is set up for HSRP, RTR2 takes over the active role. But as the FWSM does not fail over, traffic does not pass, and we are forced to fail over the FWSM, in which case both the standby FWSM and RTR2 become active and only then does traffic pass into the local LAN from outside.
A few questions:
a. As each context has virtual interfaces, would they ever go down?
b. Is the monitor-interface command meant to monitor the virtual interface in the context or the switchport to which the virtual interface is mapped? Because even if I shut the switchport, the virtual interface is not going down.
06-30-2011 12:59 PM
Kashi,
As soon as RTR1 goes down, RTR2 takes over (it takes the virtual IP and MAC from RTR1), as a result of which the FWSM does not see any change on its outside interface and does not drop any packets on that interface, and thus does not fail over. In order to test failover in this case, shut down the actual port on the switch that connects it to RTR1 and then check the status of "show failover" in the context. Also, you can apply captures in this context from the active IP to the standby IP and vice versa to check the hello packets on this interface.
Here is a doc that explains how to take captures off the FWSM:
https://supportforums.cisco.com/docs/DOC-1222
Here are the answers to your questions:
a. As each context has virtual interfaces, would they ever go down?
The FWSM does not have any physical ports of its own. It only has logical interfaces in the form of VLANs that are pushed to it from the switch. In the case of failover on the FWSM, an interface would only show up as failed if it stops receiving hellos on that interface and then, during interface testing, all network tests fail for it but this interface on the other unit continues to successfully pass traffic. Unless a VLAN that is getting pushed to the FWSM goes down on the switch, it will not show up as down on the FWSM.
b. Is the monitor-interface command meant to monitor the virtual interface in the context or the switchport to which the virtual interface is mapped? Because even if I shut the switchport, the virtual interface is not going down.
This command is used to monitor the interface assigned to the context in failover. Here is more information about this command:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/command/reference/m.html#wp1765154
Regards,
Amit
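The interface health sequence described two replies up (hello loss, then the link / network activity / ARP / broadcast ping tests in that order, then the peer comparison and the interface policy) and the HSRP explanation in the reply above are modelled below as an added example. This is not code from the original thread or from Cisco; the per-interface observations are constructed inputs, the interface policy is modelled as a plain count of failed interfaces (1 by default), and the three scenarios assume the topology Kashi drew: a context monitoring inside, outside and dmz, with the standby's hellos reaching the active unit over the site-to-site Layer 2 link.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class IfaceProbe:
    """Constructed observations for one monitored interface on one unit (assumed)."""
    hello_received: bool
    link_up: bool = True
    traffic_seen: bool = True
    arp_answered: bool = True
    bcast_ping_answered: bool = True
    passing_traffic: bool = True   # consulted when this unit is the peer


# The four tests, in the order the reply lists them.
TESTS = ("link_up", "traffic_seen", "arp_answered", "bcast_ping_answered")


def interface_state(mine: IfaceProbe, peer: IfaceProbe) -> str:
    """State of one monitored interface as seen by this unit."""
    if mine.hello_received:
        return "Normal"                      # hellos still arriving: no testing at all
    for test in TESTS:
        if getattr(mine, test):
            return "Normal"                  # the first passing test ends the sequence
    # Every test failed. Only if the peer's interface still passes traffic is this
    # one considered failed; if both fail, neither unit can blame itself.
    return "Failed" if peer.passing_traffic else "Unknown"


def should_failover(local: Dict[str, IfaceProbe], peer: Dict[str, IfaceProbe],
                    interface_policy: int = 1) -> Tuple[Dict[str, str], bool]:
    """Apply the interface policy (count of failed interfaces) to every monitored interface."""
    states = {name: interface_state(local[name], peer[name]) for name in local}
    failed = sum(1 for s in states.values() if s == "Failed")
    return states, failed >= interface_policy


def scenarios() -> Dict[str, Tuple[Dict[str, str], bool]]:
    """Three constructed cases for a context monitoring inside, outside and dmz."""
    healthy = IfaceProbe(hello_received=True)
    dead = IfaceProbe(False, False, False, False, False)       # VLAN gone: nothing answers
    dead_both = IfaceProbe(False, False, False, False, False, passing_traffic=False)
    unit = {"inside": healthy, "outside": healthy, "dmz": healthy}

    # RTR1 reboots behind HSRP: RTR2 takes the virtual IP/MAC, the outside VLAN stays
    # up and the standby's hellos keep arriving over the site-to-site L2 link.
    hsrp_reboot = (unit, dict(unit))
    # The outside VLAN is shut on the active unit's switch: no hellos, every test
    # fails, but the peer's outside interface still passes traffic.
    outside_vlan_down = ({**unit, "outside": dead}, dict(unit))
    # The outside segment is broken for both units at once.
    outside_down_on_both = ({**unit, "outside": dead}, {**unit, "outside": dead_both})

    return {
        "hsrp_router_reboot": should_failover(*hsrp_reboot),
        "outside_vlan_down": should_failover(*outside_vlan_down),
        "outside_down_on_both": should_failover(*outside_down_on_both),
    }


if __name__ == "__main__":
    for name, (states, fails_over) in scenarios().items():
        print(f"{name:22s} failover={fails_over} {states}")
```

The first scenario is the one in the thread: a router reboot behind an HSRP virtual address leaves the FWSM's VLAN interface up and still receiving hellos, so no test is ever run and nothing fails over, whatever the interface policy says. Only the second scenario, the VLAN itself going away on the switch while the peer's copy of that interface keeps passing traffic, produces a Failed interface and a failover; when both units lose the segment the interface is Unknown and neither unit switches.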
07-01-2011 04:18 AM
Amit,
Now that you know about our topology,
Can you please let me know the solution on how i can make the FWSM failover automatic.
Kashi
06-23-2011 12:38 AM
I have a website hosted on an internal web server (say 10.0.0.1) and would like to access it from inside using its external ip address (say 1.1.1.1) in the same way as I do it from the Internet. Also, I am doing port forwarding for traffic going to this web server so basically traffic comes on 443 for the outside ip (1.1.1.1) of the firewall and gets redirected to the internal ip (10.0.0.1) on 8443. So, basically the internal server is listening on 8443 for web traffic. Please let me know how can I get the website to work for a user who is on the inside of an ASA running 8.3.2 code on it.
06-23-2011 06:05 AM
Hi Ratnesh,
Based on the description that you have provided I am assuming that when you do “nslookup” for the website from a machine on the inside network it gets resolved to its external ip address i.e 1.1.1.1.
Here are the commands that you need to configure on the ASA to achieve the desired objective:
1]
object network Server-Internal
host 10.0.0.1
nat (inside,inside) static 1.1.1.1 service tcp 8443 443
This command will redirect traffic destined for 1.1.1.1 on port 443 on the inside interface of the ASA to 10.0.0.1 on port 8443 back out the same interface.
2] same-security-traffic permit intra-interface
This command will allow the ASA to U-turn the traffic coming on its inside interface back out the same interface again.
3]
object network obj-10.0.0.0
subnet 10.0.0.0 255.255.255.0
nat (inside,inside) dynamic interface
This command will ensure that the source of the traffic gets PATed to the inside IP address of the ASA so that the web server is forced to send the SYN-ACK back to the ASA; otherwise the server would send it directly to the inside host, and in that case the ASA would drop the ACK from the client as it would not have seen a SYN-ACK from the server going through it. This step is required to maintain the stateful behavior of the firewall.
Hope this helps. Let me know in case of further questions or concerns.
Regards,
Amitashwa
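To make the three statements in the answer above concrete, here is an added Python model of the 8.3 object-NAT lookup for this hairpin case. It is not the ASA's code and not part of the original post: it models only what the answer relies on (section-2 object NAT, static rules consulted before dynamic ones, a static rule matching in reverse to untranslate the destination, dynamic PAT to the egress interface address, and the intra-interface check), and it assumes an ASA inside address of 10.0.0.254/24, a constructed inside client 10.0.0.50 and a constructed Internet client 203.0.113.9. It also assumes the pre-existing outside port forward lives on a second object named Server-Outside, since 8.3 object NAT takes one nat statement per object.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    in_ifc: str


@dataclass(frozen=True)
class ObjectNat:
    """One 'object network NAME / nat (real_ifc,mapped_ifc) ...' statement."""
    name: str
    real_ifc: str
    mapped_ifc: str
    kind: str                        # "static" or "dynamic"
    real: str                        # real host or subnet in CIDR form
    mapped: str                      # mapped host, or "interface"
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None


# Constructed topology (assumed): ASA inside 10.0.0.254/24, outside 1.1.1.1/24.
IFC_IP = {"inside": "10.0.0.254", "outside": "1.1.1.1"}
IFC_NET = {"inside": "10.0.0.0/24", "outside": "1.1.1.0/24"}

RULES = [
    # Assumed pre-existing port forward for Internet users, on its own object
    # because 8.3 object NAT accepts only one nat statement per object.
    ObjectNat("Server-Outside", "inside", "outside", "static", "10.0.0.1/32", "1.1.1.1", 8443, 443),
    # Statement 1] from the answer.
    ObjectNat("Server-Internal", "inside", "inside", "static", "10.0.0.1/32", "1.1.1.1", 8443, 443),
    # Statement 3] from the answer.
    ObjectNat("obj-10.0.0.0", "inside", "inside", "dynamic", "10.0.0.0/24", "interface"),
]

CLIENT_SYN = Packet("10.0.0.50", 40000, "1.1.1.1", 443, "inside")       # constructed
INTERNET_SYN = Packet("203.0.113.9", 51000, "1.1.1.1", 443, "outside")  # constructed


def _in(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def translate(pkt: Packet, rules: List[ObjectNat], intra_interface: bool, pat_port: int = 1024):
    """Return a dict describing the translated packet, or None if the ASA drops it."""
    ordered = [r for r in rules if r.kind == "static"] + [r for r in rules if r.kind == "dynamic"]
    used: List[str] = []
    new, egress = pkt, None

    # 1. Destination lookup: the packet arrived on a static rule's mapped interface,
    #    so the static rule is applied in reverse (mapped -> real).
    for r in ordered:
        if (r.kind == "static" and r.mapped_ifc == pkt.in_ifc and r.mapped == pkt.dst_ip
                and r.mapped_port in (None, pkt.dst_port)):
            real_host = str(ipaddress.ip_network(r.real).network_address)
            new = replace(new, dst_ip=real_host, dst_port=r.real_port or pkt.dst_port)
            egress, used = r.real_ifc, used + [r.name]
            break
    if egress is None:  # nothing to untranslate: connected subnet, else the default route
        egress = next((i for i, n in IFC_NET.items() if _in(new.dst_ip, n)), "outside")

    # 2. Source lookup on the (ingress, egress) interface pair.
    for r in ordered:
        if r.real_ifc != pkt.in_ifc or r.mapped_ifc != egress or not _in(pkt.src_ip, r.real):
            continue
        if r.kind == "static":
            if r.real_port not in (None, pkt.src_port):
                continue  # a port-specific static only covers that port
            new = replace(new, src_ip=r.mapped, src_port=r.mapped_port or pkt.src_port)
        else:
            new = replace(new, src_ip=IFC_IP[egress], src_port=pat_port)
        used.append(r.name)
        break

    # 3. Statement 2] from the answer: a U-turn needs intra-interface traffic permitted.
    if egress == pkt.in_ifc and not intra_interface:
        return None

    # The server answers the translated source. If that is the ASA's own interface the
    # SYN-ACK enters the firewall; if it is another host on the server's own subnet the
    # server delivers it directly and the ASA never sees it (and later drops the ACK).
    reply_seen = new.src_ip == IFC_IP[egress] or not _in(new.src_ip, IFC_NET[egress])
    return {"translated": new, "egress": egress, "rules": used, "reply_seen": reply_seen}


def hairpin_cases():
    """The situations the answer walks through, plus the ordinary Internet path."""
    statics_only = [r for r in RULES if r.kind == "static"]
    return {
        "full_config": translate(CLIENT_SYN, RULES, intra_interface=True),
        "no_intra_interface": translate(CLIENT_SYN, RULES, intra_interface=False),
        "no_dynamic_pat": translate(CLIENT_SYN, statics_only, intra_interface=True),
        "from_internet": translate(INTERNET_SYN, RULES, intra_interface=True),
    }


if __name__ == "__main__":
    for name, result in hairpin_cases().items():
        print(f"{name:20s} {result}")
```

With all three statements the inside client's SYN leaves the inside interface as 10.0.0.254:1024 to 10.0.0.1:8443, so the server's SYN-ACK is addressed to the ASA and the connection stays stateful. Without same-security-traffic permit intra-interface the packet is dropped, and without statement 3] the source stays 10.0.0.50, the server replies to the client directly on the same VLAN, and the ASA never sees the SYN-ACK. The Internet client is untranslated by the outside rule and needs no source PAT, because its address is not on the server's subnet.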
06-23-2011 12:17 PM
Hi All,
Apologies if this sounds like the wrong thing to say on a Cisco Support forum, but many people have so far asked if the ASA can do this and that, and mostly the answer seems to be no.
Do we all think Cisco is trying hard enough to raise the profile of these devices? I have heard through the channel that they are concerned about not being strong in the firewall/security arena, yet they seem determined to do as much damage as possible themselves.
1. ISP load share - not available
2. Load Balanced Site to Site vpn
3. NAT from 8.3 onwards - complete mess
4. Passive FTP through firewalls from 8.3 on - doesn't work
Cisco really needs to put the effort in now to raise their game. Checkpoint and Juniper must be laughing out loud.
06-30-2011 01:52 PM
Hi Robins,
Here is my take on the points raised by you:
1. ISP load share - not available
We don't support ISP load balancing on the ASA because we cannot configure more than 1 default route on the ASA, as by design it is not supposed to work like a router. However, as I mentioned earlier, we do support ISP fallback on the ASA, and there are workarounds to support ISP load balancing with the ASA as well, as specified in the links given below:
https://supportforums.cisco.com/docs/DOC-15622#comment-7229
https://supportforums.cisco.com/docs/DOC-13015#What_other_options_do_we_have
2. Load Balanced Site to Site vpn
Again, by design L2L tunnels should terminate on the native outside IP address of the head-end ASA and not on the virtual IP or "vcpip" address of the ASAs in a cluster. However, we do support this feature for remote access VPN, as mentioned earlier.
3. NAT from 8.3 onwards - complete mess
NAT in 8.3 has been simplified and is pretty powerful. It gives us a lot more flexibility in configuring NAT as opposed to the previous versions of the ASA. However, this is a major migration step, as the configuration style has been completely changed, so we can see things breaking after the upgrade, but then this is true of any major migration. Having said that, I would like to mention that many of our customers have been able to successfully upgrade to 8.3 and are happy with it.
Here is a video that outlines the things that we need to know before upgrading to 8.3 on ASA:
Also, here are a few links to configure nat on 8.3:
Configuration guide:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html
ASA Pre-8.3 to 8.3 NAT configuration examples:
https://supportforums.cisco.com/docs/DOC-9129#comment-3934
4. Passive FTP through firewalls from 8.3 on - doesn't work
There is no known issue found in ASA 8.3 with passive FTP. There is a known issue with passive FTP; however, this only applies if the following conditions are met:
1) The ASA must be running version 8.4(1) or greater
2) The ASA must have multiple CPUs. ASA 5580 and 5585 platforms are affected by this problem. The ASA 5505, 5510, 5520, 5540 and 5550 platforms are NOT affected by this problem
3) The FTP connection must be subjected to port address translation (PAT) on the ASA. Connections subjected to static NAT, or connections that do not hit any NAT rule on the ASA will not encounter this problem.
Regards,
Amit