Hi, I recently had the case at one of my customers that the ASA Service Module in their coreswitch was making trouble. The symptoms were massive packet-loss for valid connections and also problems with high-availablity (the failover-cluster fell apart multiple times, with both modules being in the same chassis). During troubleshooting, we found one (one!) PC in a segment which had a perl-script running. The script sent loads of small UDP-packets, as much as the PC could generate. This host was located inside and tried to send to internet - those packets were denied and also generated lots of syslog-messages (because of the deny). As soon as the host was removed from the network, the problems disappeared. I want to ask: Is this normal, expected behaviour? A single PC can knock out the ASASM? What methods can you think of the mitigate this beforehand? I searched the configuration-guide of ASASM and only found log rate-limiting, which I'd like to try out (I don't know yet if the logging was the reason for the problems at all, but I guess at the moment). Any other ideas? Thanks, Florian ... View more

Hello! I have a very simple (so I thought) requirement, which I want to solve with ZBF. Although it seems simple, I can't get it to work with Cisco IOS Zone-Based Firewalling (ZBF). The requirement is to simply filter HTTP-requests to a certain server. Only a certain hostname in the request should be allowed. The server serves also other hostnames (= vhosts), but these should not be allowed. ZBF seems to have the necessary capabilities for this simple task. First you have to define a regex + class-map to match the hostname: parameter-map type regex SERVERNAME.REGEX pattern .SERVERNAME ! class-map type inspect http match-all SERVERNAME.SET match request header host regex SERVERNAME.REGEX Then, you can define a http inspection policy, which matches this class: # Example 0 policy-map type inspect http SERVERNAME.ONLY class type inspect http SERVERNAME.SET   reset Example 0 does exactly the opposite of what I want to achieve - it resets the connection to the vhost I'd like to pass through, and allows the rest (which I would like to block). It's just a test to confirm the regex is working as expected. How can I turn this around to allow the specific class, and deny everything else? # Example 1 policy-map type inspect http SERVERNAME.ONLY class type inspect http SERVERNAME.SET   allow class type inspect http HTTP.ANY   reset For Example 1 I configured a class-map which matches anything, and configured the policy-map to reset this class (so resets anything). Only the class above (SERVERNAME-SET) should override this and allow the traffic. The problem is - it doesn't work. Everything is reset. It seems that ZBF evaluates all classes within the policy-map, no matter if a previous clause matched or not. The connection is always reset, no matter of the previous clause. # Example 2 policy-map type inspect http SERVERNAME.ONLY class type inspect http HTTP.ANY   reset class type inspect http SERVERNAME.SET   allow In Example 2 i just swapped the two class entries within the policy-map. It didn't change anything. It seems that independent of the order, "reset" is dominant over "allow". It would help a lot, if it was possible to define negative matches within a class-map: class-map type inspect http match-all SERVERNAME.NOTSET match not request header host regex SERVERNAME.REGEX This is possible on the ASA. While the configuration syntax is very similar in IOS for ZBF, it is not possible there (I use IOS 153-3.M). Any other ideas? I would really appreciate it, because I'd need this simple functionality. Thanks a lot, Florian ... View more

Hi, is it possible to somehow log HTTP-Requests in a more detailed, DPI-manner? So that requested content, like the host, URI or GET-String is logged? I couldn't achieve this in the lab. The "audit-trail"-function doesn't help here, this stays on IP/TCP level and doesn't look into the packet. But even with HTTP-DPI enabled (I tried a regex-filter for the URI which allowed everything) and debug enabled (debug policy-firewall protocol http) I couldn't get to that info. Thanks, airflow ... View more

Hello, Multi-Session/Per-Session PAT: I don't quite get the difference between those. Where is the technical difference? I read config-guide and command-reference, but the explanation is not clear enough for me. It only lists advantages and disadvantages, but not the actual difference. What's a session considered in this case? I understand that Per-session scales better because of decreased timeouts and the possibility to cluster. But why is this not possible in Multi-Session mode? And why are there protocols who "profit" from Multi-session PAT, such as H.323, SIP, or Skinny? Thanks for any explanation. Florian ... View more

Hi, it is common practice to configure a kind of "fallback-user" in case the "normal" way of AAA-checking is not working. For example, on the device you configure LOCAL fallback (with a locally configured fallbackuser), which is only used when the primary AAA-method (RADIUS or TACACS) is not reachable, for whatever reason. We have that in place, and it works fine. In our case the TACACS-Server (ACS 5.3) is checking against a external database (AD). Now we also want to achieve a kind of "fallback"-mechanism in case this external database is not reachable. We want to cover the case that the TACACS-Server itself (ACS 5.3) is still reachable, but the external database is not. In this case the switch would be able to contact the TACACS-Server (and wouldn't fallback to LOCAL), but you wouldn't be able authenticating with your user stored in the external database. For this case I wanted to configure the fallback-user locally on the ACS 5.3 also. This, combined with the use of "identity sequence stores" on the ACS should do it - I thought. In reality, the ACS in this configuration checks the external database first, if it doesn't find it there, it searches the locally configured users and authenticates normally. This leads to the unwanted situation that the fallback-user *always* works. Is there a way to configure it that local fallback (on the ACS) only works when the external database is not working? Thanks, Florian ... View more