Cisco Community
English
Register
Congratulate December's Spotlight Awardees. CLICK HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Cisco Community November 2020 Spotlight Award Winners

Q&A from "Troubleshooting ASA Firewalls - Packet Flow,Upgrade best practices and Handling dual ISP links" session

Labels:
1753
Views
0
Helpful
0
Comments
Vinay Sharma
Rising star
‎12-06-2013 11:22 PM
edited on: ‎03-08-2019 ‎06:53 PM

 

 

This is the Q&A from "Troubleshooting ASA Firewalls - Packet Flow,Upgrade best practices and Handling dual ISP links" session.

 

Q:  In 8.3, is it possible to access the webserver from LAN(inside) using public IP?

A. Yes it is possible to do that. You will need to enable the option called DNS rewrite, that will enable you do access a server on inside using public ip.

PIX/ASA: Perform DNS Doctoring with the static Command and Two NAT Interfaces Configuration Example

DNS Server and Web Server on Mapped Interface, Web Server is Translated (Static NAT with DNS Modification)

 

Q. This is for dst nat. how about the traffic flow of src natting traffic flow?

A. Source address NAT is the 6th stage in the packet flow - just prior to the IPS redirection.

 

Q:  Differentiate NAT translate & NAT ip hdr, which separated by acl & inspection.

A. The first NAT stage translates the destination IP address of the packet and determines the egress interface of the packet. The second NAT stage is for translating the source IP address. 

 

Q:  What is the option for packet trace in FWSM?

A. That's a great question but unfortunately FWSMs do not support packet-tracer. We depend on the other tools (such as captures, and syslogs) to troubleshoot network problems. 

 

Q:  The order in which the packet will flow to the nat and I very confused with the new nat order.

A. That is completely understandable if you are new to this version of ASAs. Here are some documents that might help you understand this better: https://supportforums.cisco.com/docs/DOC-12690.  There are some useful videos at the end of this doc. 

 

Q:  Is this capture command cpu intensive?

A. The capture command has very little overhead on the CPU. It is important though to ensure that you are as specific as possible when working with packet captures. 

 

Q:  What is the command to take backup via cli so that all  keys will backed up?

A. The CLI command to backup certificates using CLI is "crypto ca export <trustpoint_name> pkcs12 <secret_key>". 

More information about the command: http://www.cisco.com/en/US/docs/security/asa/command-reference/c7.html#wp2260393 

If you are talking specifically about the AAA/VPN keys, you should use the command "more system:running-config".  

 

Q:  Can we execute Packet tracer command in FWSM firewall?

A. FWSMs do not support packet-tracer. You can use other tools like syslogs and captures. 

 

Q:  As the ASA an stateful so there is no need of opening ports in bir-direction . for ex: i have opened a port for a user from src to dst ...my question is when the user try to  initiate the traffic from dst does that ACL works for me ?

A. As we discussed, the first stage of packet-processing is does the packet match an existing connection. hence, if the DST is responding to a previous packet from the SRC, then yes, the ASA will allow it without an ACL. 

 

Q:  How to look encrypted password in show run of asa?

A. One can not view the un-encrypted passwords of users using CLI. You can though, view the un-encrypted passwords for features like AAA or VPN using the "more system:running-config" and "show run all".  

 

Q:  SACK 0k is the only flag that is showin in packet capture?

A. That is actually a TCP option and not the TCP flag. Most of the supported TCP options will be shown in the packet captures. 

 

Q:  Please share the document for the packet capture

A:  here you go: https://supportforums.cisco.com/docs/DOC-1222

 

Related Information:

Video Recording

Session Presentation - Troubleshooting ASA Firewalls, Packet Flow,Upgrade best practices and Handling dual ISP links

0 Helpful
Latest Contents
ISE 5400 Failed User Authentication Why?
Created by jamie.mai on 01-19-2021 09:28 AM
0
0
0
0
Hello, we are doing PEAP machine only for wired 802.1x, (Policy is set up so if a PC has the cert and is in the AD group it passes) so wondering why we are getting these user auth attempts and so then the switch shows dot1x failed even though the machine ... view more
NAT rule in ASA for Tunnel interface
Created by Nitin S on 01-19-2021 07:10 AM
7
0
7
0
Hello All, I have configure IPsec  VTI tunnel on ASA. i am try to configure NAT rule but interface not showing while adding nat statemen.  
FTD 2120 chassis and asa management IP
Created by kostasthedelegate on 01-19-2021 07:08 AM
2
0
2
0
Hello,  I would like to ask about the management addresses of Firepower 2120It has one IP for the chassis management and one IP for the ASA management. By default they are in the same subnet.  Is it necessary to be in the same subnet?&... view more
AnyConnect Posture Scan stuck at 10% for a long time
Created by jerryblack143 on 01-19-2021 07:01 AM
4
0
4
0
Hello Everyone,We are running into an issue whereby AnyConnect Posture/system scan gets stuck at 10% for select users. We have been working this with TAC for almost 4 months now with now success and the number of affected users seems to be growing each da... view more
.tmp files Flagged as "Malicious"
Created by Fire_Dragon on 01-19-2021 06:28 AM
6
5
6
5
Hello, I am having a ton of noise mostly from .tmp files and it seems to be mainly from chrome, other browsers, and temp file locations. Amp seems to not like .tmp files and thinks they are "malicious" Is it worth creating exclusion rules for browser... view more
Content for Community-Ad