ASK THE EXPERTS - TROUBLESHOOTING ASA, PIX AND FWSM

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address and troubleshoot common problems with Adaptive Security Appliances, Private Internet Exchange and Firewall Service Modules with Kureli Sankar. Kureli is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software.

Remember to use the rating system to let Kureli know if you have received an adequate response.

Kureli might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through January 14, 2011. Visit this forum often to view responses to your questions and the questions of other community members.


Dear Experts,

After removing the sub-interface for vlan1 and using the physical interface for it, my vlan1 is working. But my inter-VLAN communication is still not working.

I have already permitted same-security-level traffic, both inter- and intra-interface.

Please reply soon; it's critical for me.

Regards,

Ashraf,

If this is very critical, I'd suggest opening a TAC case.

Now that vlan1 is working and all these interfaces have the same security level, we need to look at permission and translation to see if they are configured correctly.

What traffic is breaking now?

source vlan, source IP
destination vlan, destination IP

Watch what the logs say:

conf t
logging on
logging buffered 7
exit

sh logg | i x.x.x.x   (where x.x.x.x is the host in question)

-Kureli

interface gi 0/1 (VLAN1 & NATIVE VLAN)
 nameif inside
 security-level 100
 ip add 192.168.0.x 255.255.255.0
 no shut
interface gi 0/1.20
 vlan 20
 nameif inside20
 security-level 100
 ip add 192.168.20.x 255.255.255.0
 no sh
interface gi 0/1.30
 vlan 30
 nameif inside30
 security-level 100
 ip add 192.168.30.x 255.255.255.0
 no sh

Can you send me a configuration example for permission and translation with the same security level on sub-interfaces?

I already opened a TAC case, but your response has been faster and more accurate than TAC's on this case.

Waiting for your earliest response.

Regards,

Do you have nat control enabled or not? Do you have any translation configured on this ASA?

If you use "no nat-control" then, all you need to do is restrict who can access what via acl.

If you do have nat-control enabled then you need to provide translation.

How about nat 0 with an acl? Depending on which interface got created first, you may need just one set or all of them.

nat (inside) 0 access-list inside-to-vlans
access-list inside-to-vlans permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside-to-vlans permit ip 192.168.0.0 255.255.255.0 192.168.30.0 255.255.255.0

** Test with just the above; if you have trouble and see some no-translation messages, then add all the ones below **

nat (inside20) 0 access-list 20-inside-30
access-list 20-inside-30 permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 20-inside-30 permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0

nat (inside30) 0 access-list 30-20-inside
access-list 30-20-inside per ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 30-20-inside per ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0

Make sure you have permission allowed in the acl applied on the interfaces (all three of them).

Give it a shot. Problems like this can be solved quickly once TAC has access to the device.

-KS
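As an added example (not from the thread or from Cisco), here is a small Python checker for the nat 0 / access-group pattern in the reply above: it takes the three interface subnets from the question plus a constructed config fragment (with one octet deliberately mistyped and one interface left without an access-group) and reports every interface pair lacking a nat 0 exemption and every interface without an inbound access-group. It checks the full set of exemptions, i.e. the conservative configuration the reply says to add if no-translation messages appear; the regexes and function names are mine.

```python
import ipaddress
import re

# Interfaces and subnets from the question (.x host octets become network addresses).
INTERFACES = {
    "inside": ipaddress.ip_network("192.168.0.0/24"),
    "inside20": ipaddress.ip_network("192.168.20.0/24"),
    "inside30": ipaddress.ip_network("192.168.30.0/24"),
}

# Constructed config fragment: the first nat 0 set with one octet mistyped
# ("92.168.20.0"), and an access-group on only two of the three interfaces.
SAMPLE_CONFIG = """\
nat (inside) 0 access-list inside-to-vlans
access-list inside-to-vlans permit ip 192.168.0.0 255.255.255.0 92.168.20.0 255.255.255.0
access-list inside-to-vlans permit ip 192.168.0.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 100 extended permit ip any any
access-group 100 in interface inside
access-group 100 in interface inside20
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?per(?:mit)? ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
AG_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")

def to_net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    acls, nat0, applied = {}, {}, {}
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse the doubled spaces seen in pasted configs
        if m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            acls.setdefault(name, []).append((to_net(sa, sm), to_net(da, dm)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := AG_RE.match(line):
            applied[m.group(3)] = m.group(2)  # direction the ACL is applied in
    return acls, nat0, applied

def check(config, interfaces=INTERFACES):
    """Return findings; empty means every pair is exempted and each interface has an inbound ACL."""
    acls, nat0, applied = parse(config)
    findings = []
    for src, snet in interfaces.items():
        entries = acls.get(nat0.get(src, ""), [])
        for dst, dnet in interfaces.items():
            if src != dst and not any(snet.subnet_of(s) and dnet.subnet_of(d) for s, d in entries):
                findings.append(f"no nat 0 exemption on {src} for {snet} -> {dnet}")
        if src not in applied:
            findings.append(f"no access-group applied on {src}")
        elif applied[src] == "out":
            findings.append(f"access-group on {src} is applied out; apply it in")
    return findings
```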

As I understand it, permission for all INSIDE interfaces (different VLANs) should be outbound. Please correct me if I'm wrong.

Regards,

NAT FOR SAME SECURITY LEVEL

access-list inside1-inside10 extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside10-inside1 extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (inside1) 0 access-list inside1-inside10
nat (inside10) 0 access-list inside10-inside1

PERMISSION FOR SAME SECURITY LEVEL

access-list 100 extended permit ip any any

access-group 100 out interface inside1
access-group 100 out interface inside10

I'm pinging from a host residing on inside1 to inside10:

source VLAN1, source IP address = 192.168.0.244 ------> destination vlan10, destination IP address 192.168.10.4 (ASA's sub-interface IP)

RESULT is below:

%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.0.244/1 gaddr 192.168.10.4/0 laddr 192.168.10.4/0
%ASA-6-110003: Routing failed to locate next hop for icmp from inside10:192.168.10.4/0 to inside10:192.168.0.244/0
ICMP echo request from 192.168.0.244 to 192.168.10.4 ID=1 seq=5 len=32
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.0.244/1 gaddr 192.168.10.4/0 laddr 192.168.10.4/0

Please reply soon......!

Regards,

Hello,

access-group 100 out interface inside1
access-group 100 out interface inside10

What is the reason for applying this access-list "OUT" on the interface?

Usually an access-list is applied "IN" on the interface. Pls. change them to "IN" on the interface. Apply the access-list on the third interface as well.

Also, pls. verify the following:

1. Route
2. Translation
3. Permission

I am not sure what the interface IP addresses are. Use a host on one interface to ping a host on the other interface. Pls. do not test by pinging the far-side interface on the firewall. You can only ping the closest interface to the test host or client. This is by design.

Pls. let me know the case number of the case that you have opened.

-Kureli
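As an added example (not from the thread or from Cisco), a small Python triage of ASA syslog lines like the ones posted in this thread: it parses the message id out of each line, counts ids, and flags the two ICMP failure modes that appear in the thread's logs, a 110003 whose source and destination interface are the same (the reply to a far-side-interface ping that the answer above says not to use as a test) and a 313001 for an ICMP type missing from the interface's icmp permit list. The sample lines are constructed from the ones in this thread; the regexes and function names are mine.

```python
import re
from collections import Counter

# Constructed sample modelled on the lines posted in this thread: the first three are
# the far-side-interface ping, the last two are from the later outside-interface test.
SAMPLE_LOG = """\
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.0.244/1 gaddr 192.168.10.4/0 laddr 192.168.10.4/0
%ASA-6-110003: Routing failed to locate next hop for icmp from inside10:192.168.10.4/0 to inside10:192.168.0.244/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.0.244/1 gaddr 192.168.10.4/0 laddr 192.168.10.4/0
Jan 11 2011 17:07:55 fw-s-svn : %ASA-3-313001: Denied ICMP type=3, code=3 from 172.16.0.251 on interface outside
Jan 11 2011 17:08:58 fw-s-svn : %ASA-7-710005: UDP request discarded from 172.16.0.251/137 to outside:172.16.0.255/137
"""

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
NEXTHOP_RE = re.compile(r"from (?P<sif>[\w-]+):(?P<src>[\d.]+)/\d+ to (?P<dif>[\w-]+):(?P<dst>[\d.]+)/\d+")
DENIED_RE = re.compile(r"Denied ICMP type=(?P<type>\d+), code=\d+ from (?P<src>[\d.]+) on interface (?P<ifc>[\w-]+)")

def parse_line(line):
    """Return (severity, message id, text), or None for lines that are not ASA syslog."""
    m = MSG_RE.search(line)
    return (int(m["sev"]), m["id"], m["text"]) if m else None

def triage(log_text):
    """Count message ids and explain the two ICMP failure modes seen in this thread."""
    counts, notes = Counter(), []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, msg_id, text = parsed
        counts[msg_id] += 1
        if msg_id == "110003" and (h := NEXTHOP_RE.search(text)) and h["sif"] == h["dif"]:
            # The reply is sourced from the interface address toward a host that lives
            # behind a different interface, which is what pinging the far-side interface
            # produces; a host-to-host ping is the test that exercises route/NAT/ACL.
            notes.append(f"110003: reply from {h['src']} out {h['sif']} to {h['dst']} has no "
                         "next hop; test host-to-host, not the far-side interface")
        elif msg_id == "313001" and (d := DENIED_RE.search(text)):
            # ICMP addressed to the firewall's own interface is filtered by the icmp
            # permit lines; the config posted later permits only echo/echo-reply.
            notes.append(f"313001: ICMP type {d['type']} from {d['src']} to interface "
                         f"{d['ifc']} is not in that interface's icmp permit list")
    return counts, notes

def lines_for_host(log_text, host):
    """Equivalent of 'sh logg | i x.x.x.x': keep only the lines mentioning the host."""
    return [line for line in log_text.splitlines() if host in line]
```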


jmprats
Level 4

Hi, I want to evaluate Botnet Traffic Filter on ASA. I have two units with Failover Active / Standby, I have received one temporary license for the Active unit.

Do I need another temporary license for the standby pair for evaluating?

I read in the configuration Guide “Because the temporary license continues to count down for as long as it is activated on a failover unit, we do not recommend using a temporary license in a permanent failover installation; when the temporary license expires, failover will no longer work”

What does it mean? It sounds very dangerous.

Thanks

I believe your question got answered here: https://supportforums.cisco.com/message/3265543#3265543

What code is the ASA running?

http://www.cisco.com/en/US/docs/security/asa/asa83/license_standalone/license_management/license.html#wp1455101

Failover License Requirements (8.3)

  • Failover units do not require the same license on each unit.

  • Older versions of adaptive security appliance software required that the licenses match on each unit. Starting with Version 8.3(1), you no longer need to install identical licenses. Typically, you buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active. If you have licenses on both units, they combine into a single running failover cluster license.

-KS

Hello,

I have a very basic question. I am setting up a small network, and for the purpose of initial testing I would like to set up the firewall (ASA 5510, version 8.0(4)) so that it permits all traffic. The trouble is it does not want to work. I have these commands:

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address 172.16.0.1 255.255.255.0

access-list INSIDEACL extended permit ip any any log warnings
access-list OUTSIDEACL extended permit ip any any log warnings

access-group INSIDEACL in interface inside
access-group INSIDEACL out interface inside
access-group OUTSIDEACL in interface outside
access-group OUTSIDEACL out interface outside

Tomaz,

You really don't need an ACL applied "out" on the interface, so you can remove these:

conf t
no access-group INSIDEACL out interface inside
no access-group OUTSIDEACL out interface outside

Next, I do not see any translation or route. Do you have another layer 3 device doing address translation? If so, that is fine, but you still need a route pointing to the layer 3 device on the outside.

route outside 0 0 172.16.0.x

As for translation, you could add the following:

nat (inside) 1 0 0
global (outside) 1 interface

-KS

Sankar,

Thank you for the help. But traffic still seems to be blocked (icmp, dns, h323, sip, ftp, ssh, ...). I will give you my entire configuration (I added ----- in places that are sensitive). On the outside I have 3 servers: two are for dns, ftp, http and one is for voip. On the inside I have a 3825 router, and behind the router I have a switch and then the client devices.

ASA Version 8.0(4)
!
hostname ----------
domain-name -----------
enable password -------------- encrypted
passwd ---------------- encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address 172.16.0.1 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 172.16.0.251
 name-server 172.16.0.252
 domain-name ---------------
same-security-traffic permit inter-interface
access-list INSIDEACL extended permit ip any any log warnings
access-list OUTSIDEACL extended permit ip any any log warnings
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging device-id hostname
logging host outside 172.16.0.251
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any echo outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INSIDEACL in interface inside
access-group OUTSIDEACL in interface outside
!
router ospf 100
 network 10.0.0.0 255.255.255.252 area 0
 network 172.16.0.0 255.255.255.0 area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication secure-http-client
http server enable
http 172.16.0.0 255.255.255.0 outside
http redirect inside 80
snmp-server host outside 172.16.0.251 community ---------- version 2c
no snmp-server location
no snmp-server contact
snmp-server community ------------
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 172.16.0.1 255.255.255.255 outside
telnet timeout 5
ssh 172.16.0.0 255.255.255.0 outside
ssh 172.16.0.251 255.255.255.255 outside
ssh 172.16.0.252 255.255.255.255 outside
ssh timeout 5
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.16.0.251
ntp server 172.16.0.252
ssl certificate-authentication interface inside port 443
username ------------ password -------------------------- encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
  inspect icmp
  inspect mgcp
  inspect snmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:---------------------------------------------
: end

-lp

You have a route to the servers on the outside? You are using ospf.

Could you pls. post the output of "sh route"?

Try to telnet from the "run" line from a client PC on the inside to the www server on the outside and post what the logs show.

conf t
logging on
logging buffered 7
exit

sh logg | i x.x.x.x   (where x.x.x.x is the IP address of the www server on the outside)

-KS

This is the sh route

Gateway of last resort is 172.16.0.250 to network 0.0.0.0

O    20.0.0.0 255.255.255.0 [110/11] via 10.0.0.2, 8:13:54, inside        <- network behind the router
O    200.0.1.3 255.255.255.255 [110/12] via 10.0.0.2, 8:13:54, inside     <- loopback of the switch
O    200.0.1.2 255.255.255.255 [110/11] via 10.0.0.2, 8:13:54, inside     <- loopback of the router
C    172.16.0.0 255.255.255.0 is directly connected, outside               <- network on the outside of the firewall, connected to the servers
C    127.0.0.0 255.255.0.0 is directly connected, cplane                   <- ????? default
C    10.0.0.0 255.255.255.252 is directly connected, inside                <- network on the inside of the firewall, connected to the router
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.0.250, outside                       <- static route on the outside (nat)

Telnet from outside to inside.

Logging to outside 172.16.0.251 errors: 540  dropped: 733

Jan 11 2011 17:07:45 fw-s-svn : %ASA-6-302020: Built inbound ICMP connection for faddr 172.16.0.251/0 gaddr 172.16.0.1/0 laddr 172.16.0.1/0
Jan 11 2011 17:07:45 fw-s-svn : %ASA-6-302021: Teardown ICMP connection for faddr 172.16.0.251/0 gaddr 172.16.0.1/0 laddr 172.16.0.1/0
Jan 11 2011 17:07:55 fw-s-svn : %ASA-6-302020: Built inbound ICMP connection for faddr 172.16.0.251/0 gaddr 172.16.0.1/0 laddr 172.16.0.1/0
Jan 11 2011 17:07:55 fw-s-svn : %ASA-3-313001: Denied ICMP type=3, code=3 from 172.16.0.251 on interface outside
Jan 11 2011 17:07:55 fw-s-svn : %ASA-6-302021: Teardown ICMP connection for faddr 172.16.0.251/0 gaddr 172.16.0.1/0 laddr 172.16.0.1/0
Jan 11 2011 17:08:49 fw-s-svn : %ASA-6-302020: Built inbound ICMP connection for faddr 172.16.0.251/0 gaddr 172.16.0.1/0 laddr 172.16.0.1/0
Jan 11 2011 17:08:49 fw-s-svn : %ASA-6-302021: Teardown ICMP connection for faddr 172.16.0.251/0 gaddr 172.16.0.1/0 laddr 172.16.0.1/0
Jan 11 2011 17:08:58 fw-s-svn : %ASA-7-710005: UDP request discarded from 172.16.0.251/137 to outside:172.16.0.255/137
Jan 11 2011 17:08:59 fw-s-svn : %ASA-6-302020: Built inbound ICMP connection for faddr 172.16.0.251/0 gaddr 172.16.0.1/0 laddr 172.16.0.1/0
Jan 11 2011 17:08:59 fw-s-svn : %ASA-3-313001: Denied ICMP type=3, code=3 from 172.16.0.251 on interface outside
Jan 11 2011 17:08:59 fw-s-svn : %ASA-6-302021: Teardown ICMP connection for faddr 172.16.0.251/0 gaddr 172.16.0.1/0 laddr 172.16.0.1/0
Jan 11 2011 17:08:59 fw-s-svn : %ASA-7-710005: UDP request discarded from 172.16.0.251/137 to outside:172.16.0.255/137
Jan 11 2011 17:09:00 fw-s-svn : %ASA-7-710005: UDP request discarded from 172.16.0.251/137 to outside:172.16.0.255/137
Jan 11 2011 17:09:03 fw-s-svn : %ASA-7-710005: UDP request discarded from 172.16.0.251/137 to outside:172.16.0.255/137
Jan 11 2011 17:09:03 fw-s-svn : %ASA-7-710005: UDP request discarded from 172.16.0.251/137 to outside:172.16.0.255/137

The telnet from the inside to the outside will have to wait till tomorrow, because today I don't have access to the client PC.

lp
