01-23-2013 10:32 AM - edited 03-08-2019 06:48 PM
During the live event you will learn how to troubleshoot common problems that firewall administrators encounter on a daily basis regarding Adaptive Security Appliances (ASAs), Private Internet Exchange (PIX) firewalls, and Firewall Services Modules (FWSMs), with Cisco expert Kureli Sankar. The event will include a live demonstration.
Kureli Sankar is an engineer who supports Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco ASA, FWSM, Cisco Security Manager, Content Security and Control (CSC) Security Services Module, and the zone-based firewall module in Cisco IOS® software. Before she joined Cisco, Sankar worked for the John Morrell Co. where she was the network administrator in charge of the company's enterprise network, which covered 27 locations in the United States. She also was an adjunct professor at the University of Cincinnati, where she taught undergraduate-level networking courses. Sankar holds a degree in electrical and electronic engineering from Regional Engineering College, Trichirappalli, India, and holds CCSP and CCIE Security (#35505) certifications.
Webcast related links:
A. To migrate from FWSM to ASA, a migration tool is available to convert and copy the configuration. For a major upgrade, Cisco recommends opening a Technical Assistance Center (TAC) case and asking a TAC engineer any further questions.
A. No end-of-support plans have been announced for release 8.2. The team still actively receives updates.
A. Yes, it is possible with the show run nat command. However, there are some issues. For example, if you need to configure Port Address Translation (PAT) for a server on ports 80, 443, and 25, five different objects must be created for all the ports the server listens on.
A. Yes. It is possible with the help of dynamic NAT, but it has to map one-to-one.
A. If it is just one host on the destination, you would not use an object group. If it is one destination, you would use an object and configure a host under the object. If it is a whole subnet, the content of the object would be a subnet instead of a host.
A. I covered this issue in my last webcast in 2010.
The recording from this webcast is located at this URL: https://supportforums.cisco.com/videos/1075
The FAQ for this webcast is located at this URL: https://supportforums.cisco.com/docs/DOC-14443
Q. We want to determine if the services are currently running on the server, which is directly connected to an interface of the firewall. Is there a command such as "telnet 10.10.10.1 80", which we generally use on the switch or the router?
A. Telnet from the firewall is simply not allowed, since it is a security device. You can use an adjacent router, switch, or PC to telnet from the command line to ensure the server is listening.
A. For example, there is a remote network with an IPsec tunnel between 2 ASAs and both networks use the 10.10.10.0 range. You want to change what you look like when you reach the remote network. You also want the remote network to look like somebody else when it tries to reach you. This is the reason you use Twice NAT.
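The overlapping-subnet case above as an added ASA 8.3+ configuration example (constructed here, not from the webcast). The 10.10.10.0/24 networks are the page's; the mapped ranges 192.168.1.0/24 and 192.168.2.0/24, the object, ACL and crypto map names, and the peer address 203.0.113.2 are assumptions.

```cisco
! Both sites use 10.10.10.0/24, so each side is presented to the other under a mapped range.
! Local side: 10.10.10.0/24 appears to the peer as 192.168.1.0/24 (assumed value).
object network LOCAL-REAL
 subnet 10.10.10.0 255.255.255.0
object network LOCAL-MAPPED
 subnet 192.168.1.0 255.255.255.0
! Remote side: the peer's 10.10.10.0/24 is reached by local hosts as 192.168.2.0/24 (assumed value).
object network REMOTE-REAL
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-MAPPED
 subnet 192.168.2.0 255.255.255.0
!
! Twice NAT: source and destination are translated by one rule. A static source/destination
! rule is bidirectional, so the return traffic from the peer is matched as well.
nat (inside,outside) source static LOCAL-REAL LOCAL-MAPPED destination static REMOTE-MAPPED REMOTE-REAL
!
! On 8.3 and later NAT is applied before the packet is matched against the crypto map, so the
! crypto ACL (interesting traffic) must reference the MAPPED addresses, not the real ones.
access-list VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
! (IKE policy, transform set and the rest of the crypto map are omitted here.)
!
! Verification: list the rule with hit counts, then trace one flow from a local host to a
! remote host; the trace should show the NAT phase followed by the VPN encrypt phase.
show nat detail
packet-tracer input inside tcp 10.10.10.5 1025 192.168.2.10 80
```

The peer ASA needs the mirror-image configuration with the two mapped ranges swapped.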
A. The packet is redirected from port 80 to port 443.
A. Yes, you can download the slides at any point from this URL: https://supportforums.cisco.com/docs/DOC-29170
A. No end-of-support plans have been announced for release 8.2. The team still actively receives updates.
A. Yes, this webcast is recorded and will be posted in the Support Community in approximately 5 days. Users will find it at this URL:
https://supportforums.cisco.com/community/netpro/ask-the-expert/webcasts
A. Yes, you can enter the show processes command.
A. 'static (inside,inside) 14.36.90.210 10.55.16.2' means that packets destined to 14.36.90.210 will have their destination IP address changed to 10.55.16.2, whereas 'static (inside,inside) 10.55.16.2 14.36.90.210' matches packets destined to 10.55.16.2. When the 'dns' keyword is added to doctor DNS replies, the (inside,inside) static statements are not needed to pass traffic.
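Added example (not from the webcast) showing the DNS doctoring variant the answer refers to, first in the pre-8.3 static syntax and then in the 8.3+ object NAT form. The addresses 14.36.90.210 and 10.55.16.2 are the page's; the object name, interface names and the DNS server placement are assumptions.

```cisco
! Scenario (assumed): web server 10.55.16.2 on the inside is published as 14.36.90.210, and the
! authoritative DNS server is on the outside, so inside clients get the public address in A records.
!
! --- Pre-8.3 syntax ---
! Without "dns", an inside client would try to reach 14.36.90.210 and would need the
! (inside,inside) statics from the answer to hairpin the flow. With "dns", the ASA rewrites the
! A record in the reply to 10.55.16.2 as it crosses from outside to inside, so the client
! connects to the server directly and the (inside,inside) statics are not required.
static (inside,outside) 14.36.90.210 10.55.16.2 netmask 255.255.255.255 dns
!
! --- 8.3 and later (object NAT) equivalent ---
object network WEB-SERVER
 host 10.55.16.2
 nat (inside,outside) static 14.36.90.210 dns
!
! DNS inspection must be active for the rewrite to happen; it is part of the default global
! policy. Verify the inspection and the translation:
show service-policy inspect dns
show xlate
! Then resolve the server's name from an inside host; the reply seen inside should carry 10.55.16.2.
```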
A. The common issues seen with non-Cisco devices are RFC compliance, rekey operations, timers, isakmp identity usage, proxy ID negotiation, and so on. The best way to start is to make sure your proxy IDs match, that the phase 1 and phase 2 proposals match, and so on. After that, look at the debugs to see where and why the tunnel fails. The debug crypto isakmp and debug crypto ipsec commands are very useful; you can raise the debug level to 10, 120, and so on depending on what you are troubleshooting, and the debugs can also be filtered for specific peers.
A. There are two deployment modes for Intrusion Prevention System (IPS), inline mode and promiscuous mode. With inline mode, you will inspect all the data received by your network devices (Firewall or switch using SPAN configuration). With promiscuous mode, you will receive just a copy of this data.
You can obtain more details about the Global Correlation (GC) modes at this URL: https://supportforums.cisco.com/docs/DOC-26810
A: Connection limits are still configured using the set connection command in release 8.3 and later. Yes, that's correct. If the concurrent count drops to 999, the client will then be allowed to generate 1 additional connection at that point.
A. Yes, we support this using Optimal Gateway Selection (OGS). Please refer to the document at this URL: https://supportforums.cisco.com/docs/DOC-15326. An OGS cache is maintained on the client to choose the optimal gateway.
A: Support for Windows 8 is currently limited. Please refer to the document at this URL:
A: We have both concepts: standard/aggressive/permissive are the Global Correlation inspection modes, and inline/promiscuous are the IPS deployment modes.
A: To measure the real bandwidth of your line, run a packet capture with Wireshark and start a download of a large file from the outside. Then go to Statistics > IO Graphs and change the unit to Bytes/Tick; the graph shows the maximum bandwidth you reached. Repeat the same procedure for the upload bandwidth.
A: It does not indicate that it is an ARP issue. The packet tracer does not tell you whether you have a MAC address entry for the next hop.
A: We do not have any best practices. It all depends on the traffic that your firewall will process and what you consider relevant information to capture and save or archive from the firewall. As TAC engineers, we want to see all the information when we troubleshoot, so we enable debug-level logging and buffered logs.
A: No plans for this support have been announced. Please contact your Cisco account representative to discuss the future roadmap and request support for new features.
A: Yes, a hardware upgrade is required. The expert will provide a link with more information.
A: Connection limits do not directly limit xlate creation. However, since a single source IP address is limited to 1000 connections, that source will not be able to allocate more than 1000 xlates.
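The connection-limit answers above (set connection in 8.3+, and the 1000-connection per-source cap) as an added Modular Policy Framework example, constructed here and not from the webcast. The server address 10.55.16.2 is taken from the page; the ACL, class-map and policy names, the embryonic and aggregate limits, and the client address in the verification command are assumptions.

```cisco
! Assumed: cap every source IP at 1000 concurrent connections to the web server 10.55.16.2.
access-list CONN-LIMIT-ACL extended permit tcp any host 10.55.16.2 eq 80
!
class-map CONN-LIMIT-CLASS
 match access-list CONN-LIMIT-ACL
!
! Add the class to the existing default global policy instead of creating a second policy.
policy-map global_policy
 class CONN-LIMIT-CLASS
  ! per-client-max: concurrent connections allowed per source IP (the 1000 from the answer).
  !   Because each PAT connection needs an xlate, this also bounds xlates per source at 1000,
  !   even though the limit is not applied to xlates directly.
  ! per-client-embryonic-max: half-open TCP connections per source IP; above this the ASA
  !   completes the handshake on the server's behalf (TCP intercept) before forwarding.
  ! conn-max / embryonic-conn-max: the same limits for the whole class in aggregate.
  set connection per-client-max 1000 per-client-embryonic-max 100
  set connection conn-max 10000 embryonic-conn-max 2000
service-policy global_policy global
!
! Verification: the policy counters show current connections and drops at the limit, the flow
! form shows which class a given 5-tuple matches, and conn count gives the system-wide total.
show service-policy
show service-policy flow tcp host 198.51.100.7 host 10.55.16.2 eq 80
show conn count
```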
A: No plans for this support have been announced. Please contact your Cisco account representative to discuss the future roadmap and request support for new features.
A: This was a decision made by the ASA business unit when the release schedule was set.
A: The upgrade generally goes smoothly. Known issues are listed in the "Open Caveats" section of the 9.0 Release Notes located at this URL:
http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html
A: New features are listed in the 9.0 Release Notes located at this URL: http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html
A. There is no single tool for this. It is best to test the upgrade in a lab or open a TAC case for assistance to understand any configuration or syntax changes during the upgrade.
A: Yes, the ASA supports IPv6. Please refer to the configuration guide for examples:
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/asa_90_cli_config.html
A: When you add a standby firewall to the failover cluster, it is necessary to enter the write standby command so that the RSA keys and certificates are carried over to the standby firewall. After that is complete, enter the show crypto ca trustpoint command to verify that the trustpoint is authenticated. If not, ensure you have the complete certificate chain. Look at the certificate to see what the Subject name and other fields are set to. What kind of errors do you see when the new firewall is active? Does the certificate use an FQDN or IP address in the CN or SAN?
A: You can enter the show nat detail command to view the object names and contents in a single output.
Pre 8.3 NAT order of operation
All you need to know about 8.3 upgrade
Before and after NAT config samples
ASA 8.3 Asymmetric NAT rules matched for forward and reverse flows
Global Correlation white paper
Failover pair Zero downtime code upgrade
FWSM release note link for 4.1
Scan Safe Web Security Configuration
Cisco ASA CX Context-Aware Security