About nikolamitev

nikolamitev · ‎10-10-2013

Hi, I have just enabled DNS snooping on our ASA5585-X in preparation for enabling Botnet filter. Since we have a fair amount of DNS over TCP and to ensure that I don't leave an easy way around the new protection, I looked at enabling snooping on TCP port 53 as well. Unexpectedly, this resulted in all TCP/53 traffic being dropped. Removing 'botnet_snoop_class_tcp' from 'policy-map botnet_snoop_policy' immediately restores traffic. Is this a known limitation, a bug or a misconfiguration? Related config: class-map botnet_snoop_class_udp match port udp eq 53 class-map botnet_snoop_class_tcp match port tcp eq 53 ! policy-map botnet_snoop_policy class botnet_snoop_class_udp inspect dns dynamic-filter-snoop class botnet_snoop_class_tcp inspect dns dynamic-filter-snoop ! service-policy botnet_snoop_policy interface outside service-policy botnet_snoop_policy interface inside

nikolamitev · ‎10-30-2012

Thanks for your input Julio, I seems it jogged my brains a bit and I think I figured out what the issue is. The firewall is configured to log to two syslog servers on the inside interface - turning off the syslogging brought the traffic graphs for the two interfaces in sync again. Looks like the locally generated syslog traffic is filtered out of captures, as I did not see it in there. Again, thanks for your time. Nik

nikolamitev · ‎10-29-2012

It might be worth adding that somewhat counterintuitively I am having to do those tests on a live VLAN and the setum is actually PC -- vlanX -- inside FW outside -- laptop (directly plugged into FW) On vlanX there are a number of hosts and some loadbalancing and multicast traffic is creating a constant noise. The below is the normal situation outside of any purposefully generated traffic. Traffic Statistics for "outside": ... 1 minute input rate 0 pkts/sec, 0 bytes/sec 1 minute output rate 6 pkts/sec, 388 bytes/sec 1 minute drop rate, 0 pkts/sec 5 minute input rate 0 pkts/sec, 0 bytes/sec 5 minute output rate 7 pkts/sec, 430 bytes/sec 5 minute drop rate, 0 pkts/sec Traffic Statistics for "inside": ... 1 minute input rate 25 pkts/sec, 1258 bytes/sec 1 minute output rate 26 pkts/sec, 2916 bytes/sec 1 minute drop rate, 1 pkts/sec 5 minute input rate 25 pkts/sec, 1284 bytes/sec 5 minute output rate 26 pkts/sec, 2935 bytes/sec 5 minute drop rate, 1 pkts/sec

nikolamitev · ‎10-29-2012

Thanks for your reply Julio. I did run a test similar to what you ask for before and I didn't find any differences. I ran it again exactly as you specified just in case and packets are identical - 1:1 I also tried making a single but more intensive connection, like in a large file transfer and that increases counters on both interfaces as expected. It seems to me that it has to do with tcp intercept or a similar feature of the firewall. i believe I read somwhere recently that the firewall is doing some checks on the validity of the destinaton for new connections and I am inclined to ascribe the extra traffic to those checks. I am failing to find that passage though so I might well be wrong or have misunderstood something. All my attempts to see the extra traffic in captures or tcpdump have been unsuccessful so far.

nikolamitev · ‎10-25-2012

Hi, I am doing some pre-deployment testing with a ASA5585X and noticed that when I feed it a stream of SYN packets on the outside interface the measured traffic rate on the inside interface going out is about 10x the rate of the outside interface going in. laptop --- ASA --- PC I send 6k TCP SYN pkts at interface rate from the laptop targeted at PC. No packets are dropped by ACLs or policies and can be sniffed at the PC. Show interface commands show: sh int inside: ... ... Traffic Statistics for "inside": ... 1 minute input rate 23 pkts/sec, 1303 bytes/sec 1 minute output rate 4454 pkts/sec, 820757 bytes/sec sh int outside: ... ... Traffic Statistics for "outside": ... 1 minute input rate 885 pkts/sec, 70847 bytes/sec 1 minute output rate 7 pkts/sec, 425 bytes/sec I would expect that if 885 pkts/sec enter the firewall on the outside interface the same amount or less would exit it on the inside...? Any clues as to why this is not the case? The paket rate is about 5x and the data rate is about 10x greater. Cheers, Nik

nikolamitev · ‎05-30-2012

From this diagram it looks like your 3750 is terminating the vlan and doing the routing between the two vlans?

nikolamitev · ‎05-09-2012

Looking at price to performance ratio it seems that the IPS SSP modules are the winner. The 4200 series devices however has hardware bypass which can ensure traffic flow is not interrupted even if the power to the IPS goes down. How likely is it that a malfunction of the IPS SSP affects the work of the ASA? We are looking at ASA5585X S20 with IPS SSP S20 or same ASA with IPS 4260. Any and all input in terms of pros and cons you are aware of will be appreciated.

nikolamitev · ‎04-26-2012

Hi, The specification for the 5585-X says up to 10Gb throughput, 4Gb multiprotocol, 3Gb with IPS. Does anyone have experience of how the IPS throughput is influenced by the load on the IPS? Case 1: I only pass 300Mb, or 10% of the capacity of the IPS for inspection through th IPS engines. Does that increase overall throughput over 3Gb? Case 2: I pass all traffic through IPS and enable all inspections available. Assuming traffic with characteristics exactly like the one in your network , will my throughput fall below 3Gb and how much? All input appreciated.

nikolamitev · ‎04-26-2012

Doesn't make sense to me... how will your users be connecting to the command line of those machines to issue the netstat command? IPS can only work in the way you describe if they connect over an unencrypted connection, or if your encryption is certificate based and you are decrypting/re-encrypting/swapping certificates on the IPS unit.

nikolamitev · ‎12-11-2009

Could you point me to the new thread?

nikolamitev · 10-10-2013

Hi,I have just enabled DNS snooping on our ASA5585-X in preparation for enabling Botnet filter.Since...

nikolamitev · 10-30-2012

Thanks for your input Julio,I seems it jogged my brains a bit and I think I figured out what the iss...

nikolamitev · 10-29-2012

It might be worth adding that somewhat counterintuitively I am having to do those tests on a live VL...

nikolamitev · 10-29-2012

Thanks for your reply Julio.I did run a test similar to what you ask for before and I didn't find an...

nikolamitev · 10-25-2012

Hi,I am doing some pre-deployment testing with a ASA5585X and noticed that when I feed it a stream o...

nikolamitev · 05-30-2012

From this diagram it looks like your 3750 is terminating the vlan and doing the routing between the ...

nikolamitev · 05-09-2012

Looking at price to performance ratio it seems that the IPS SSP modules are the winner.The 4200 seri...

nikolamitev · 04-26-2012

Hi,The specification for the 5585-X says up to 10Gb throughput, 4Gb multiprotocol, 3Gb with IPS.Does...

nikolamitev · 04-26-2012

Doesn't make sense to me... how will your users be connecting to the command line of those machines ...

nikolamitev · 12-11-2009

Could you point me to the new thread?

Date Registered	‎04-19-2009 06:34 AM
Date Last Visited	‎08-18-2017 03:56 AM
Total Messages Posted	10

Snooping on DNS over TCP breaks service

Re: Packet rate on inside and outside i...

Packet rate on inside and outside inter...

Packet rate on inside and outside inter...

Packet rate on inside and outside inter...

Allow only one host access to VPN site ...

IPS SSP module vs standalone 4200 serie...

ASA5585-X with IPS SSP20 capacity

ips questions about

Re: UC520: Skype SIP Beta Configuration

Snooping on DNS over TCP breaks service

Re: Packet rate on inside and outside interface doesn't match

Packet rate on inside and outside interface doesn't match

Packet rate on inside and outside interface doesn't match

Packet rate on inside and outside interface doesn't match

Allow only one host access to VPN site to site tunnel

IPS SSP module vs standalone 4200 series devices

ASA5585-X with IPS SSP20 capacity

ips questions about

Re: UC520: Skype SIP Beta Configuration