ASK THE EXPERTS - TROUBLESHOOTING ASA, PIX AND FWSM

ciscomoderator (Community Manager)

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address and troubleshoot common problems with Adaptive Security Appliances, Private Internet Exchange and Firewall Service Modules with Kureli Sankar.  Kureli is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software.

Remember to use the rating system to let Kureli know if you have received an adequate response.

Kureli might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through January 14, 2011. Visit this forum often to view responses to your questions and the questions of other community members.


cchuges,

The crypto acl on one side is usually a mirror image of the other.

debug cry isa

debug cry ips

(level 1) should be good enough. Once done, you should start some interesting traffic by pinging from one side to the other.

If the debugs don't show anything, then it looks like crypto isakmp is not even enabled on the interface.

Could you pls. post the output of

"sh run crypto" from the firewall

-KS

While the ACLs include all the same subnet pairs, they are not listed in the FortiGate config in the same order. I don't think that is an issue but thought I'd ask.

Generating interesting traffic yields no output no matter what debug level I use, up to 200.

Crypto isakmp is enabled and other SAs are establishing.

I will send the output you requested. Is there a way to capture the encrypted interesting traffic and view the headers to look for corruption and such?

Chris Hughes

Layer8 Consulting

Chughes@l8c.com

(240)460-7283

This interesting traffic is listed in the nat 0 acl correct?

The order of the access-list should not matter. More and more it looks like one of us should really get on the box and look at it.

Pls. do open a case and let me know the case number. You can open a case here: https://www.cisco.com/tac

If you captured on the outside interface you will only see esp and udp 500 packets so, that may not help.

You can capture on the inside interface and see if you do see clear traffic arriving.

-KS
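The troubleshooting sequence Kureli outlines above (confirm ISAKMP is on the interface, run the debugs at level 1, generate interesting traffic, capture cleartext on the inside and only ESP/UDP 500 on the outside) as one ASA CLI session. This is an added example, not commands from the thread: the addresses (local LAN 10.1.1.0/24, remote LAN 192.168.1.0/24, ASA outside 203.0.113.1, FortiGate peer 198.51.100.1), the interface names and the capture/ACL names are all assumptions.

```text
! Added example, not from the thread. All addresses and names below are assumptions.

! 1. Confirm the crypto map is bound to the outside interface and ISAKMP is enabled there.
show run crypto
!    expect lines such as:  crypto map outside_map interface outside
!                           crypto isakmp enable outside

! 2. Capture on the inside: is cleartext "interesting" traffic arriving at all?
access-list capin extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list capin extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
capture capin access-list capin interface inside

! 3. Capture on the outside: only the negotiation (UDP/500, UDP/4500 if NAT-T) and ESP
!    are visible here, so this shows whether we ever send or receive a proposal.
access-list capout extended permit udp host 203.0.113.1 host 198.51.100.1 eq 500
access-list capout extended permit udp host 198.51.100.1 host 203.0.113.1 eq 500
access-list capout extended permit udp host 203.0.113.1 host 198.51.100.1 eq 4500
access-list capout extended permit udp host 198.51.100.1 host 203.0.113.1 eq 4500
access-list capout extended permit esp host 203.0.113.1 host 198.51.100.1
access-list capout extended permit esp host 198.51.100.1 host 203.0.113.1
capture capout access-list capout interface outside

! 4. Low-level debugs, then generate interesting traffic from a host on 10.1.1.0/24
!    (e.g. ping 192.168.1.10 from 10.1.1.10). "terminal monitor" is needed over SSH.
terminal monitor
debug crypto isakmp 1
debug crypto ipsec 1

!    packet-tracer walks the same path an inside packet takes; its VPN phase tells you
!    whether the packet matched the crypto ACL. An ACL or NAT drop before that phase
!    explains "no debug output at any level" without any ISAKMP ever being sent.
packet-tracer input inside icmp 10.1.1.10 8 0 192.168.1.10

! 5. Inspect the results.
show capture capin
show capture capout
show crypto isakmp sa
show crypto ipsec sa peer 198.51.100.1

! 6. Clean up so the debugs and captures do not stay on the box.
no debug all
no capture capin
no capture capout
```

If capin is empty, the problem is upstream of the firewall (routing on the inside, or the interesting traffic is being NATed before the crypto check); if capin fills but capout never shows a UDP/500 packet leaving, the packet is not matching the crypto map, which is what the packet-tracer VPN phase will confirm.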

jsluzewski (Level 1)

Is it possible to NAT multiple source addresses to a single IP using policy NAT?

Will the following config translate any 10.x.x.x address to 172.16.1.250 while accessing the /24 ?

access-list policy-nat-acl extended permit ip 10.0.0.0 255.0.0.0 152.220.108.0 255.255.255.0

static (inside,outside) 172.16.1.250 access-list policy-nat-acl

Thank you,

Jarek

No. You will get an error message that will talk about mask being inconsistent with the global address.

You can do dynamic policy nat

access-list policy-nat-acl extended permit ip 10.0.0.0 255.0.0.0 152.220.108.0 255.255.255.0

nat (inside) 100 access-l policy-nat-acl

global (outside) 100 172.16.1.250

-KS
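The rejected static beside the working dynamic policy NAT from Kureli's answer, with the verification a practitioner would run afterwards. This is an added example, not configuration from the thread; the addresses and ACL name are the ones in the question, while the test hosts used in packet-tracer (10.20.30.40, 152.220.108.10, 198.51.100.10) are assumptions.

```text
! Added example, not from the thread. Test addresses are assumptions.

! Rejected: a one-to-one static cannot map a /8 of sources onto a single global address;
! the ASA refuses it with the "mask inconsistent with the global address" error.
static (inside,outside) 172.16.1.250 access-list policy-nat-acl

! Accepted: dynamic policy NAT. Any 10.0.0.0/8 host talking to 152.220.108.0/24 leaves as
! 172.16.1.250 (PAT, so many hosts share the one address). Traffic to other destinations
! does not match the ACL and falls through to the other nat/global pairs on the box.
access-list policy-nat-acl extended permit ip 10.0.0.0 255.0.0.0 152.220.108.0 255.255.255.0
nat (inside) 100 access-list policy-nat-acl
global (outside) 100 172.16.1.250
! Existing translations are not rewritten; clear them so the new policy takes effect now.
clear xlate

! Verify: the first trace shows a NAT phase translating to 172.16.1.250, the second does not.
packet-tracer input inside tcp 10.20.30.40 12345 152.220.108.10 80
packet-tracer input inside tcp 10.20.30.40 12345 198.51.100.10 80
show xlate
```

One consequence worth knowing before choosing this over a static: nat/global is unidirectional. Hosts on 152.220.108.0/24 cannot initiate connections to 172.16.1.250 and reach anything on 10.0.0.0/8, because there is no inbound translation; only connections started from the inside are PATed.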

dianewalker (Level 1)

Kureli,

Welcome back!!!  You did a tutorial on Troubleshooting Common Firewall Problems in July 2010.  I learned a lot from this tutorial.  Not everyone can teach or explain firewalls in basic terms.  You did very well on this tutorial.   Have you done more tutorials since July 2010 or do you plan to do more tutorials in the future?  Do you have any recommendations on learning the basics on ASA VPN/firewall?

Thanks.

Diane

Diane,

I do remember you! Glad to hear that you learned a lot from my webcast.  I haven't done another one since then.  Maybe it is time now.

Let me know if you have any questions that I can answer.

I just posted this blog today that you can read: https://supportforums.cisco.com/community/netpro/security/firewall/blog/2011/01/07/asa-pix-dhcp-relay-through-vpn-tunnel

Let me know what you think.

Hmm...ASA/VPN basics....Best thing to do is to purchase an asa5505 and some small routers and try out different topologies. Does your job involve maintaining a network? Take some classes. I can send you some information regarding that.

There is no place (that I know of) better than Cisco TAC to learn! We learn something new every single day!

-KS

Thanks Kureli.  Another great, helpful document.  I hope to see more of these or webcasts in the future. Thanks again.

Diane

mkashifashraf (Level 1)

Dear Experts,

I have an ASA5520, configured with subinterfaces on the inside for different VLANs with the same security level. But I'm not able to communicate with the same-security-level subinterface for VLAN 1. I can communicate between the other subinterfaces (with the same security level) and different VLANs.

Waiting for your expert recommendation ASAP.

Regards,

Configure same-security-traffic intra-interface also


Dear,

I already configured both same-security-traffic intra-interface and inter-interface.

I have one Catalyst 3560 with different VLANs. I configured one port as a TRUNK which is connected to the ASA for INSIDE. We configured interface VLANs for the different VLANs. All other VLANs can communicate with the ASA subinterfaces except VLAN 1, and our native VLAN is also VLAN 1.

Regards,

I have suggested a few options in thread: https://supportforums.cisco.com/message/3265079#3265079

This is not recommended practice and that is the reason I didn't suggest this. Many people do configure it and it does work.

According to our documentation: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006

Note: If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. Because the physical interface must be enabled for the subinterface to pass traffic, ensure that the physical interface does not pass traffic by leaving out the nameif command. If you want to let the physical interface pass untagged packets, you can configure the nameif command as usual.

So, pls. configure the main interface with an IP address in vlan 1 and a security level, and remove the sub-interface that you configured for vlan 1.

-Kureli
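Kureli's suggestion laid out as configuration: the untagged native VLAN 1 lives on the physical interface (with a nameif), the tagged VLANs keep their subinterfaces, and the switch trunk leaves the native VLAN at 1. This is an added example, not configuration from the thread; the interface numbers, VLAN IDs 10 and 20, names and addresses are assumptions.

```text
! Added example, not from the thread. Interface numbers, VLAN IDs, names and addresses are assumptions.

! ASA side. The physical interface carries the untagged frames, i.e. native VLAN 1.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside-vlan10
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside-vlan20
 security-level 100
 ip address 10.1.20.1 255.255.255.0
!
! Needed for routed traffic between inside, inside-vlan10 and inside-vlan20 (all level 100).
same-security-traffic permit inter-interface
!
! Do NOT also keep "interface GigabitEthernet0/1.1" with "vlan 1": native-VLAN frames arrive
! untagged, so a vlan 1 subinterface never sees them. That is the symptom in the thread.

! Catalyst 3560 side: the trunk toward the ASA.
interface GigabitEthernet0/24
 description trunk to ASA inside
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk

! Verify: the ASA must show the physical interface up with its address, and the switch
! must show VLAN 1 as the native VLAN on the trunk.
! ASA:     show interface ip brief
! switch:  show interfaces GigabitEthernet0/24 trunk
```

The documentation note Kureli quotes is why this is tolerated rather than recommended: untagged traffic on the physical interface is exactly what the note warns about. If the design allows it, the cleaner fix is on the switch, moving the trunk's native VLAN to an otherwise unused VLAN ID so that VLAN 1 arrives tagged and the original vlan 1 subinterface works as configured; that also removes VLAN 1 from the untagged path, which is the usual hardening advice for trunks.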

Are you using ASDM? If so, there's a check box on the interface configuration screen to enable traffic between two interfaces with the same security level. Or you can use the command "same-security-traffic permit inter-interface".

Dears,

I didn't configure any access-list, routing or NAT for the same-security-level INSIDE subinterfaces, and all my VLANs can communicate except VLAN 1.

Regards,

Can you post ASA config pls?

