I have a Cisco ISR 4k 4321 router that has 2 VPN tunnels on it.
1 VPN tunnel is IPSEC GRE
other VPN tunnel is just IPSEC for manufacturer connectivity
Our server sits behind the IPSEC GRE tunnel to our data center 100.102.55.1
FTP server for manufacturer is behind the IPSEC tunnel to their data center 100.105.9.1
Traffic flow is as follows.
Our Server 100.102.55.1 >> IPSEC GRE to ISR4k >>> IPSEC VPN to Manufacturer >>> FTP server 100.105.9.1
Due to our network design we are forced to NAT traffic from the FTP server to one of our IPs we control back to our server.
So we have a NAT as follows
ip nat inside source static 100.105.9.1 100.102.56.10 route-map NAT-FTP-SERVER
ip access-list extended NAT-FTP-SERVER
permit ip host 100.105.9.1 100.102.55.1
match ip address FTPSERVER
Our NAT table shows the NAT build occurring. Our IPSEC VPN tunnel shows encrypt and decrypt. However, we never get an ICMP reply or FTP to work when testing connectivity from our server 100.102.55.1 to the FTP server NAT 100.102.56.10. It simply hangs.
ip nat outside is enabled on our IPSEC GRE tunnel
ip nat inside is enabled on our LAN interface to the local PCs
This router is essentially a transit. I get the feeling that there is no true 'ip nat inside' that's happening here and that's why this is breaking. Any advice?
... View more
We have UCMP and UCMS boxes hosted over the WAN. We also have a PRI on a local voice gateway with H323 and SIP bound to loopback 0. There are over 250 phones at this location and we want to ensure that SRST works if the WAN connectivity fails. However, we cannot do this during business hours, which is pretty much 24/7. We need to ensure this works, so how can I successfully test a couple of phones with inbound and outbound calls without impacting the rest of the location?
I have a mix of SCCP and SIP phones.
We can put the phones into SRST by adding an ACL to the WAN, and the phones successfully register and we can make an outbound call. The problem is testing inbound calls. Since the voice gateway is still registered and can talk to UCMP and UCMS, my SRST test doesn't work 100%. I need a way to take a test DID and force the voice gateway to think it's in SRST for only these 2 phones. Any ideas would be helpful. Thanks!
... View more
We have 2 VRFs, INTERNET and INTERNAL.
NAT VASI left, and NAT VASI right are configured for this ISR 4K. We are forcing Internet traffic through the VASI left and into VASI right (ip nat inside) and out our public interface G0/0/1.
I am using a NAT pool with the G0/0/1 interface IP. This is required for NAT VASI.
What I am seeing is hosts are unable to access the Internet at all if I use the Interface IP in the nat pool. However if I use a different IP address in the range of the /29 for the NAT pool, everything works fine.
Attached are the platform debug packet captures showing the difference between the two, one with the interface IP in the pool and one with a separate IP for the pool. From what I can tell it's hitting the OUTSIDE-TO-SELF policy class-default and dropping traffic. Need help sorting this one out. I want to be able to use the interface IP in the pool due to public IP restrictions for some of our customers. Some are only able to get a /30. Having to burn another public IP for a pool IP puts us in a bad spot.
-------------OUTPUT of router config for reference-------------
r2-customer#sh vrf
  Name                             Default RD            Protocols   Interfaces
  CDK                              64995:2470            ipv4        Gi0/0/0.1
                                                                     vl1
  INTERNET                         100:1                 ipv4,ipv6   Gi0/0/1
                                                                     vr1

r2-customer#sh zone security
zone self
  Description: System defined zone

zone INSIDE
  Member Interfaces:
    GigabitEthernet0/0/0.1
    vasileft1

zone OUTSIDE
  Member Interfaces:
    GigabitEthernet0/0/1
    vasiright1

r2-customer#sh zone-pair security
Zone-pair name IN-TO-OUT
    Source-Zone  INSIDE  Destination-Zone  OUTSIDE
    service-policy IN-TO-OUT-PMAP
Zone-pair name OUTSIDE-TO-SELF
    Source-Zone  OUTSIDE  Destination-Zone  self
    service-policy TO-SELF-PMAP
Zone-pair name SELF-TO-OUTSIDE
    Source-Zone  self  Destination-Zone  OUTSIDE
    service-policy FROM-SELF-PMAP

class-map type inspect match-any TO-SELF-CMAP
 match access-group name INTERNET_IN
class-map type inspect match-any ALL-PROTOCOLS-CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp

r2-customer#sh access-list INTERNET_IN
Extended IP access list INTERNET_IN
    10 permit udp any eq bootps any eq bootpc
    50 permit icmp any host 126.96.36.199 echo (1 match)
    60 permit icmp any host 188.8.131.52 echo-reply
    70 permit icmp any host 184.108.40.206 unreachable
    80 permit icmp any host 220.127.116.11 time-exceeded
    90 permit icmp any host 18.104.22.168 administratively-prohibited
    100 permit icmp any host 22.214.171.124 packet-too-big
    110 permit esp any host 126.96.36.199
    120 permit udp any host 188.8.131.52 eq isakmp (5 matches)
    130 permit udp any host 184.108.40.206 eq non500-isakmp
    140 permit gre any host 220.127.116.11

class-map type inspect match-any SPECIFIC-PROTOCOLS-CMAP
 match protocol ftp
 match protocol dns
 match protocol h323
 match protocol http
 match protocol https
 match protocol smtp
 match protocol tftp
 match protocol telnet
 match protocol ssh
 match protocol pop3
 match protocol ntp
class-map type inspect match-any ALLOWED-PROTOCOLS-CMAP
 match class-map SPECIFIC-PROTOCOLS-CMAP
 match class-map ALL-PROTOCOLS-CMAP
class-map type inspect match-any TO-SELF-CMAP-TESTGLENN
 match class-map SPECIFIC-PROTOCOLS-CMAP
 match class-map ALL-PROTOCOLS-CMAP
!
policy-map type inspect IN-TO-OUT-PMAP
 class type inspect ALLOWED-PROTOCOLS-CMAP
  inspect TIMERS
 class class-default
  drop
!
policy-map type inspect FROM-SELF-PMAP
 class type inspect ALLOWED-PROTOCOLS-CMAP
  inspect TIMERS
 class class-default
  pass
!
policy-map type inspect TO-SELF-PMAP
 class type inspect TO-SELF-CMAP
  inspect
 class class-default
  drop

r2-customer#sh run int g0/0/0.1
Building configuration...

Current configuration : 471 bytes
!
interface GigabitEthernet0/0/0.1
 description Default LAN
 encapsulation dot1Q 1 native
 vrf forwarding INTERNAL
 ip address 10.144.50.236 255.255.255.0
 no ip redirects
 ip nat inside
 zone-member security INSIDE
end

r2-customer#sh run int vasileft1
Building configuration...

Current configuration : 177 bytes
!
interface vasileft1
 description VASI InterVrf interface in INTERNAL
 vrf forwarding INTERNAL
 ip address 172.30.248.185 255.255.255.252
 zone-member security INSIDE
 no keepalive
end

r2-customer#sh run int vasiright1
Building configuration...

Current configuration : 204 bytes
!
interface vasiright1
 description VASI InterVrf interface in INTERNET
 vrf forwarding INTERNET
 ip address 172.30.248.186 255.255.255.252
 ip nat inside
 zone-member security OUTSIDE
 no keepalive
end

r2-customer#sh run int g0/0/1
Building configuration...

Current configuration : 369 bytes
!
interface GigabitEthernet0/0/1
 description Internet Access
 bandwidth 5120
 vrf forwarding INTERNET
 ip address 18.104.22.168 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 zone-member security OUTSIDE
 negotiation auto
 no cdp enable
end

ip nat pool INTERNET 22.214.171.124 126.96.36.199 prefix-length 29
ip nat inside source route-map NAT-TO-INTERNET pool INTERNET vrf INTERNET match-in-vrf overload

ip route vrf INTERNAL 0.0.0.0 0.0.0.0 vasileft1 172.30.248.186 name default_thru_vasileft
ip route vrf INTERNET 0.0.0.0 0.0.0.0 188.8.131.52
ip route vrf INTERNET 10.144.50.0 255.255.255.0 vasiright1 172.30.248.185 name inside_thru_vasiright
... View more
I'm looking for some assistance/direction for a solution on my issue.
Topology
Site A (Hub 1) Cisco 2921 with security license
Site B (Hub 2) Cisco 2921 with security license
Both sites will have VPN+P2PGRE tunnels to our data center using EIGRP on each 2921. Site A being the primary path, Site B being the backup path for 8 locations routed over MPLS. These two sites are connected via a 3rd party managed MPLS solution running static routes, as well as to the other 8 sites.
Problem: Normally we have both routers installed at the same location, and we utilize HSRP with static NAT redundancy (printer and terminal connectivity). We cannot route RFC1918 space into our data center, so we are forced to NAT on the data center connected routers (2921s) using a combination of NAT overload and static NAT for devices that our data center initiates connectivity to.
Solution help: Is there a way to provide NAT redundancy and HSRP failover whilst locations are physically separated by an MPLS WAN?
... View more
I have a router with the following configuration:
DMVPN Tunnel for backup path to voice server to Data Center A
P2P GRE Tunnel for Business Applications to Data Center B
The router has G0/0 connected to the LAN and G0/1 connected to any flavor of ISP circuit (DSL, Cable, etc.). My issue is I am not very clear where to apply my QoS on this setup. The one requirement we have from our data center folks in Data Center B is that we apply a shaping policy to the P2P GRE tunnel at their purchased rate in steps of 1.544Mbps. So an example would be: this customer purchased speed to the data center of 1.544Mbps, so a shaping policy is applied to the GRE tunnel to restrict this. So Business traffic on GRE, Backup Voice Traffic on DMVPN, and General Internet browsing on G0/1. I need to provide adequate QoS settings to match the requirement of Data Center B and also protect Voice traffic from getting squeezed out by Internet traffic. Based on this information, where is the best place to apply QoS? The only thing I can come up with is: shape the upload bandwidth of the ISP service and build a policy within that shaper? But how can I also keep the Data Center requirement of keeping GRE traffic at its allocated amount? Thoughts?
... View more
Your understanding of our issue is correct...
"On the other hand if same APP servers need different translations towards different servers then I can see your problem. Though in that case I would simply suggest avoid configuring the NAT destination network with such a large network mask. You should then clearly specify the destination hosts which need to be forwarded to each of the interfaces"
The issue is that we want to avoid breaking up the NAT destination network. If we can simply configure the NAT destination to be 192.168.0.0/16 and allow the route table to be consulted, we could resolve our issue. It sounds like we might have to do some moving and shifting of interfaces around to resolve our problem, unless someone has another suggestion at this point. Again, thank you for the post, Jouni. -Glenn
... View more
We've run into a bit of a pickle and are looking for possible solutions to our issue. We run 8.4, which has the NAT divert functionality. Below is what we're trying to accomplish.
Cisco ASA 5585-60 (8.4), 3 total interfaces:
Inbound Interface App_LAN (Apps reside here)
Outbound Interface #1 Inter_DC_Path (Customer servers sit behind this interface)
Outbound Interface #2 Inside_Core (Customer servers sit behind this interface)
We have App servers that need to talk to our customer servers behind both interfaces (InterDC and Inside Core). The customer servers are in the network range of 192.168.0.0/16 and they are split between both interfaces. So Customer A might be on IP 192.168.11.1 behind the Inter_DC_Path and Customer B might be on IP 192.168.12.1 behind the Inside Core interface on the ASA. Our App servers need to hide behind NAT due to routing restrictions to our customers. Also, the customer IPs are not contiguous, so I can't break apart the 192.168.0.0/16 very easily between Inter_DC_Path and Inside Core.
So routing might look like this on the ASA Firewall:
route Inter_DC_Path 192.168.11.1 255.255.255.255 172.19.249.254
route Inside_Core 192.168.12.1 255.255.255.255 172.28.222.254
I am looking to put in NAT statements that say:
Source: Appservers 10.10.10.1 and 10.10.10.2 (behind App_LAN)
Destination: 192.168.0.0 255.255.0.0 (Either egress Inter_DC_Path or Inside Core)
NAT To 172.28.220.2
The issue is that since the destination is 192.168.0.0/16, NAT divert will send traffic out the wrong interface, correct? Is there a way to turn off the NAT divert and allow us to NAT to the 192.168.0.0/16 and allow the firewall routing table to be consulted for egress?
... View more
I have been scouring the netpro and Cisco Support docs looking for a way to monitor the status of the Standby Nexus 1010 Virtual Service appliance. As I understand it the Standby is unreachable from the network unless the primary comes online. Has anyone had any luck monitoring the standby Virtual appliance for any reboots or loss of the appliance? If so do you have the SNMP OID or what I can monitor to help us keep track of the status? -Glenn
... View more
So, I've read through netpro and found everyone points to this doc: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
However, that still doesn't allow traceroute through for us. We still see syslogs with denies on high random UDP ports to different Internet destinations. Can someone look at our config and tell me why this might be happening?
Host 10.10.10.12 (default gateway is the ASA) ---> traceroute to 184.108.40.206
>>>>>Firewall config<<<<<
object-group service TRACEROUTE
 service-object icmp unreachable
 service-object icmp time-exceeded
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp traceroute
 service-object icmp time-exceeded
access-list Admin_Network-in extended permit object-group TRACEROUTE 10.10.10.0 255.255.255.0 any
access-group Admin_Network-in in interface Admin_Network
class-map IPS
 match access-list IPS
class-map CONNS
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 1024
policy-map IPS-Policy
 class IPS
  ips inline fail-open sensor PreProd_Sensor
  set connection timeout dcd
  set connection decrement-ttl
 class inspection_default
  inspect icmp
  inspect icmp error
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
  inspect dcerpc
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
!
!
service-policy global_policy global
service-policy IPS-Policy interface Admin_Network
>>>>>>SYSLOG output<<<<<
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/59937 dst Preprod_F5:220.127.116.11/33450 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/48882 dst Preprod_F5:18.104.22.168/33452 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/58173 dst Preprod_F5:22.214.171.124/33451 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/60679 dst Preprod_F5:126.96.36.199/33455 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/49612 dst Preprod_F5:188.8.131.52/33453 by access-group "Admin_Network-in" [0x0, 0x0]
... View more
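A small triage script for the syslog pattern in the post above, added here as an example and not part of the original post or any Cisco tool. It parses ASA "Deny" lines, flags UDP denies whose destination port falls in the classic traceroute probe range (Linux/BSD traceroute sends UDP probes to ports 33434 and up, one port per probe; that range is the one assumption), and reports per source and ACL which flows the outbound ACL is dropping. The sample lines are copied from the post plus one constructed non-deny line.

```python
"""Spot denied traceroute probes in ASA 'Deny udp' syslog lines.

Added example, not the poster's or Cisco's code. Sample lines are copied
from the post plus one constructed non-deny line; the probe-port
heuristic assumes the Linux/BSD traceroute default of UDP ports 33434+.
"""
import re
from collections import Counter

# Linux/BSD traceroute: UDP probes to 33434, 33435, ... (one port per probe).
PROBE_PORTS = range(33434, 33535)

DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

SAMPLE_LOG = """\
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/59937 dst Preprod_F5:220.127.116.11/33450 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/48882 dst Preprod_F5:18.104.22.168/33452 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/58173 dst Preprod_F5:22.214.171.124/33451 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/60679 dst Preprod_F5:126.96.36.199/33455 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/49612 dst Preprod_F5:188.8.131.52/33453 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:58|Built outbound ICMP connection for faddr 220.127.116.11/0 gaddr 10.10.10.12/1 laddr 10.10.10.12/1 (constructed, not a deny)
"""


def parse_denies(text):
    """Return one dict per 'Deny' line; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            events.append(ev)
    return events


def is_probe(ev):
    """True when the denied flow looks like a UDP traceroute probe."""
    return ev["proto"] == "udp" and ev["dport"] in PROBE_PORTS


def summarize(text):
    """Count denies overall and probe-like denies per (source, ACL)."""
    events = parse_denies(text)
    probes = [ev for ev in events if is_probe(ev)]
    return {
        "denied": len(events),
        "probes": len(probes),
        "by_src_acl": dict(Counter((ev["src"], ev["acl"]) for ev in probes)),
        "dports": sorted({ev["dport"] for ev in probes}),
    }


def needed_ace(text):
    """Hypothetical minimal ACE for the source host whose probes were denied,
    scoped to the probe port range only; None if no probe-like denies."""
    probes = [ev for ev in parse_denies(text) if is_probe(ev)]
    if not probes:
        return None
    lo, hi = PROBE_PORTS.start, PROBE_PORTS.stop - 1
    return f"permit udp host {probes[0]['src']} any range {lo} {hi}"
```

Run it over a larger export of the same syslog and compare the probe counts with the ICMP-only object-group in the config to see which flows the ACL is actually catching.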
Robert, I appreciate you providing us the SNMP OID for load on the IPS modules for ASA firewalls. I was looking for clarification. Does the OID you've mentioned in the support forum, 184.108.40.206.220.127.116.11.318.104.22.168.0, provide me the same output as when I look at load in IME for that device? Say IME says 5% load for that IPS; is the OID you provided the same info? Further to this, if we have IPSs that are not on 7.1 and can't support this, what are our other options for reporting load issues back to us? Can we send TRAP alerts when the load reaches a certain level somehow? If so, how do we do that, as it's not clear in the documentation.
... View more
Sawan, I did follow up on this, and the bug you mentioned seems to be very clear that one of the 24 CPUs would peg at 100% during this flow. However, that is not the case in our situation. I may see a spike on one of the CPUs up to 50-60% during my HTTP GET transaction, which I allow to run for 2 minutes. But nowhere near 100% as the bug suggests.
... View more
Cisco ASA 5585-60 in context mode ver. 8.4.4(9) with SSP-60 IPS using virtual sensors ver. 7.1(4)E4
Synopsis: Host A (linux) runs a curl command to download a file from Host B (linux) around 72MB in size. Host A is on a different subnet than Host B and they use the Cisco ASA as their default gateway. The ASA firewall is a virtual context using a virtual sensor with default signatures enabled, no customization other than the mgmt IP address we defined several months back.
Problem: With IPS enabled we note a 90% decrease in throughput when running the same command versus with IPS on. To put a number on it, we usually get 33-34MB (yes, that's MegaBytes) per second with IPS off. When IPS is enabled we're lucky to get 3MBps. I've created an ACL to redirect ONLY this traffic to the IPS and tracked which IPS signatures were being hit while we ran the download. Turns out NONE of the signature hit counts are increasing. I'm gathering this info by refreshing the statistics in IDM and reviewing hit counters over a 30 minute period. So what else can we check for here? If no signatures are being hit, what else can I check to determine the drop in throughput? With the biggest IPS you make I wouldn't expect to see this big of a drop here.
Some other points to note here: SCP copies in the same direction show no problem with IPS on or off; I suspect it's due to the fact that the IPS cannot see this traffic so it ignores it. We also note that if we change from port 80 to, say, port 8067 we DO NOT see the issue either. If we do use 8080 the problem does present itself. Very strange one. I've attached the Diag report to maybe help with this. Any help would be appreciated!
... View more
We have 2 data center locations. We are attempting to connect them together using 2 ASAs.
Data Center 1 - ASA 5520 8.0(4)
Data Center 2 - ASA 5585-10 8.4(3)
DC 1 ASA 5520
INSIDE - Security 100
OUTSIDE - Security 0
MIGRATION - Security 50
DC 2 ASA 5585-10
Edge_Inside - Security 100
Edge_Outside - Security 0
The OUTSIDE interface of the 5585-10 is using a private network (connection to our corporate Internet routers, not advertised to the Internet), so we have to use the INSIDE interface to build VPN tunnels (our public network). (Note NAT is not an option on the Corp routers.) We are attempting to build a standard L2L IPSEC VPN tunnel from the DC1 5520 MIGRATION to the DC2 5585-10 INSIDE interface. You see IKE fire up on the 5520 and then it goes into a MSG WAIT 2 waiting for a reply from the 5585. However, on the 5585 side we see no IKE engagement. "show cry isa" output shows no IKEv1 packets arrive at all, in or out. Packet captures show UDP 500 enter the firewall from the 5520 with correct source and destination, but no response packets from the 5585.
Here are the syslogs from the 5585-10 when I start interesting traffic from the 5520 DC1 side (public IPs changed to private in the syslog, FYI):
Mar 23, 2012 12:58:7|Built local-host Edge_Outside:192.168.1.110
Mar 23, 2012 12:58:7|Built inbound UDP connection 235278 for Edge_Outside:192.168.1.110/500 (192.168.1.110/500) to identity:10.10.193.252/500 (10.10.193.252/500)
Mar 23, 2012 12:58:7|Teardown UDP connection 235278 for Edge_Outside:192.168.1.110/500 to identity:10.10.193.252/500 duration 0:00:00 bytes 296
Mar 23, 2012 12:58:7|Teardown local-host Edge_Outside:192.168.1.110 duration 0:00:00
I know this is not conventional; however, I don't see why this shouldn't work. The crypto map is applied to the Edge_Inside interface. Any ideas?
... View more
We're running CSM 3.3.1 SP1 on a Windows machine. We acquired a company and have found that they were making out-of-band changes without the use of CSM, directly from the CLI. Is there any easy way to sync the running config on the ASA firewalls to the CSM server? I dug in the help files but nothing really pointed me where to go. Thanks for any help!
... View more