I have a Cisco ISR 4k 4321 router that has 2 VPN tunnels on it. 1 VPN tunnel is IPSEC GRE other VPN tunnel is just IPSEC for manufacturer connectivity   Our server sits behind the IPSEC GRE tunnel to our data center 100.102.55.1 FTP server for manufacturer is behind the IPSEC tunnel to their data center   100.105.9.1   Traffic flow is as follows.   Our Server 100.102.55.1 >> IPSEC GRE to ISR4k  >>> IPSEC VPN to Manufacturer >>> FTP server 100.105.9.1   Due to our network design we are forced to have to NAT traffic from the FTP server to one of our IP's we control back to our server.     So we have a NAT as follows   ip nat inside source static 100.105.9.1 100.102.56.10 route-map NAT-FTP-SERVER   ip access-list extended NAT-FTP-SERVER permit ip host 100.105.9.1 100.102.55.1   route-map NAT-FTP-SERVER match ip address FTPSERVER     Our NAT table shows the nat build occuring.  Our IPSEC VPN tunnel shows encrypt and decypt.  However we never get an ICMP reply or FTP to work when testing connectivity from our server 100.102.55.1 to the FTP server NAT 100.102.56.10 .  It simply hangs.   ip nat outside is enabled on our IPSEC GRE tunnel ip nat inside is enabled on our LAN interface to the local PC.s   This router is essentially a transit.  I get the feeling that there is no true 'ip nat inside' that's happening here and that's why this is breaking.  Any advice?         ... View more

Scenario: We have 2 VRF's INTERNET and INTERNAL NAT VASI left, and NAT VASI right are configured for this ISR 4K. We are forcing Internet traffic through the VASI left and into VASI right (ip nat inside) and out our public interface G0/0/1. I am using a NAT pool with the G0/0/1 interface IP. This is required for NAT VASI. What I am seeing is hosts are unable to access the Internet at all if I use the Interface IP in the nat pool. However if I use a different IP address in the range of the /29 for the NAT pool, everything works fine. Attached are the platform debug packet capture showing the difference between the two, one with Interface pool IP and one with a separate IP for the pool. From what I can tell its hitting the OUTSIDE-TO-SELF policy class default and dropping traffic. Need help sorting this one out. I want to be able to use the interface IP in the pool due to public IP restrictions for some of our customers. Some only are able to get a /30. Having to burn another public IP for a pool IP puts us in a bad spot. -------------OUTPUT of router config for reference------------- ---------------------VRF info-------------------- r2-customer#sh vrf Name Default RD Protocols Interfaces CDK 64995:2470 ipv4 Gi0/0/0.1 vl1 INTERNET 100:1 ipv4,ipv6 Gi0/0/1 vr1 ------------ZBF--------------------------------------- r2-customer#sh zone security zone self Description: System defined zone zone INSIDE Member Interfaces: GigabitEthernet0/0/0.1 vasileft1 zone OUTSIDE Member Interfaces: GigabitEthernet0/0/1 vasiright1 r2-customer#sh zone-pair security Zone-pair name IN-TO-OUT Source-Zone INSIDE Destination-Zone OUTSIDE service-policy IN-TO-OUT-PMAP Zone-pair name OUTSIDE-TO-SELF Source-Zone OUTSIDE Destination-Zone self service-policy TO-SELF-PMAP Zone-pair name SELF-TO-OUTSIDE Source-Zone self Destination-Zone OUTSIDE service-policy FROM-SELF-PMAP class-map type inspect match-any TO-SELF-CMAP match access-group name INTERNET_IN class-map type inspect match-any ALL-PROTOCOLS-CMAP match protocol tcp match protocol udp match protocol icmp r2-customer#sh access-list INTERNET_IN Extended IP access list INTERNET_IN 10 permit udp any eq bootps any eq bootpc 50 permit icmp any host 1.1.1.243 echo (1 match) 60 permit icmp any host 1.1.1.243 echo-reply 70 permit icmp any host 1.1.1.243 unreachable 80 permit icmp any host 1.1.1.243 time-exceeded 90 permit icmp any host 1.1.1.243 administratively-prohibited 100 permit icmp any host 1.1.1.243 packet-too-big 110 permit esp any host 1.1.1.243 120 permit udp any host 1.1.1.243 eq isakmp (5 matches) 130 permit udp any host 1.1.1.243 eq non500-isakmp 140 permit gre any host 1.1.1.243 class-map type inspect match-any SPECIFIC-PROTOCOLS-CMAP match protocol ftp match protocol dns match protocol h323 match protocol http match protocol https match protocol smtp match protocol tftp match protocol telnet match protocol ssh match protocol pop3 match protocol ntp class-map type inspect match-any ALLOWED-PROTOCOLS-CMAP match class-map SPECIFIC-PROTOCOLS-CMAP match class-map ALL-PROTOCOLS-CMAP class-map type inspect match-any TO-SELF-CMAP-TESTGLENN match class-map SPECIFIC-PROTOCOLS-CMAP match class-map ALL-PROTOCOLS-CMAP ! policy-map type inspect IN-TO-OUT-PMAP class type inspect ALLOWED-PROTOCOLS-CMAP inspect TIMERS class class-default drop ! policy-map type inspect FROM-SELF-PMAP class type inspect ALLOWED-PROTOCOLS-CMAP inspect TIMERS class class-default pass ! policy-map type inspect TO-SELF-PMAP class type inspect TO-SELF-CMAP inspect class class-default drop ------------Interfaces--------------------------------------- r2-customer#sh run int g0/0/0.1 Building configuration... Current configuration : 471 bytes ! interface GigabitEthernet0/0/0.1 description Default LAN encapsulation dot1Q 1 native vrf forwarding INTERNAL ip address 10.144.50.236 255.255.255.0 no ip redirects ip nat inside zone-member security INSIDE end r2-customer# r2-customer# r2-customer#sh run int vasileft1 Building configuration... Current configuration : 177 bytes ! interface vasileft1 description VASI InterVrf interface in INTERNAL vrf forwarding INTERNAL ip address 172.30.248.185 255.255.255.252 zone-member security INSIDE no keepalive end r2-customer#sh run int vasiright1 Building configuration... Current configuration : 204 bytes ! interface vasiright1 description VASI InterVrf interface in INTERNET vrf forwarding INTERNET ip address 172.30.248.186 255.255.255.252 ip nat inside zone-member security OUTSIDE no keepalive end r2-customer#sh run int g0/0/1 Building configuration... Current configuration : 369 bytes ! interface GigabitEthernet0/0/1 description Internet Access bandwidth 5120 vrf forwarding INTERNET ip address 1.1.1.243 255.255.255.248 no ip redirects no ip unreachables no ip proxy-arp ip nat outside zone-member security OUTSIDE negotiation auto no cdp enable end ---------------NAT Config----------------------------- ip nat pool INTERNET 1.1.1.243 1.1.1.243 prefix-length 29 ip nat inside source route-map NAT-TO-INTERNET pool INTERNET vrf INTERNET match-in-vrf overload ----------------Routing-------------------------------- ip route vrf INTERNAL 0.0.0.0 0.0.0.0 vasileft1 172.30.248.186 name default_thru_vasileft ip route vrf INTERNET 0.0.0.0 0.0.0.0 1.1.1.241 ip route vrf INTERNET 10.144.50.0 255.255.255.0 vasiright1 172.30.248.185 name inside_thru_vasiright ... View more

I'm looking for some assistance/direction for a solution on my issue.     Topology Site A (Hub 1) Cisco 2921 with security license Site B (Hub 2) Cisco 2921 with security license   Both sites will have VPN+P2PGRE tunnels to our data center using EIGRP on each 2921.  Site A being the primary path Site B being the backup path for 8 locations routed over MPLS.  These two sites are connected via a 3rd party managed MPLS solution running static routes as well as to the other 8 sites.   Problem: Normally we have both routers installed at the same location.  And we utilize HSRP with STATIC NAT redundancy (printer and terminal connectivity).  We cannot route RFC1918 space into our data center so we are forced to NAT on the Data center connected routers (2921's) using a combination of NAT overload and static NAT for devices that our data center initiates connectivity to.     Solution help Is there a way to provide NAT redundancy and HSRP failover whilst locations are physically separated by MPLS WAN?       ... View more

I have a router with the following configuration DMVPN Tunnel for backup path to voice server to Data Center A P2P GRE Tunnel for Business Applications to Data Center B   The router has G0/0 connected to LAN and G0/1 connected to any flavor ISP circuit (DSL, Cable, etc etc)   My issue is I am not very clear where to apply my QoS to on this setup.  The one requirement we have by our data center folks in Data Center B is that we apply a shaping policy to the P2P GRE tunnel at their purchased rate in steps of 1.544Mbps.  So an example would be this customer purchased speed to the data center of 1.544Mbps, so a shaping policy is applied to the GRE Tunnel to restrict this.     So Business traffic on GRE, Backup Voice Traffic on DMVPN, and General Internet browsing on G0/1.  I need to provide adequate QoS settings to match the requirement of Data Center B and also protect Voice traffic from getting squeezed out by Internet traffic.     Based on this information where is the best place to apply QoS?     The only thing I can come up with is, shape the upload bandwidth of the ISP service and build a policy within that shaper?  But how can I also keep the Data Center requirement of keeping GRE traffic at its allocated amount?     Thoughts? ... View more

We've run into a bit of a pickle and looking for possible solutions to our issue.  We run 8.4 which has the NAT dirvert functionality.  Below is what were trying to accomplish. Cisco ASA 5585-60 (8.4) 3 total interfaces Inbound Interface App_LAN   (Apps reside here) Outbound Interface #1 Inter_DC_Path  (Customer servers sit behind this interface) Outbound Interface #2 Inside_Core        (Customer servers sit behind this interface) We have App servers that need to talk to our customer servers behind both interfaces (InterDC and Inside Core).  The customer servers are in the network range of 192.168.0.0/16 and they are split between both interfaces.  So Customer A might be on IP  192.168.11.1 behind the Inter_DC_Path and Customer B might be on IP 192.168.12.1 behind the Inside Core interface on the ASA. Our App servers need to hide behind NAT due to routing restrictions to our customers.  Also, the customer IP's are not contiguous so I can't break apart the 192.168.0.0/16 very easily between Inter_DC_Path and Inside Core.  So routing might look like this on the ASA Firewall route Inter_DC_Path 192.168.11.1 255.255.255.255 172.19.249.254 route Inside_Core 192.168.12.1 255.255.255.255 172.28.222.254 I am looking to put NAT statements that say Source: Appservers 10.10.10.1 and 10.10.10.2 (behind App_LAN) Destination: 192.168.0.0 255.255.0.0 (Either egress Inter_DC_Path or Inside Core) NAT To 172.28.220.2 The issue is that since the destination is 192.168.0.0/16 NAT Divert will send traffic out the wrong interface correct?  Is there a way to turn off the NAT direct and allow us to NAT to the 192.168.0.0/16 and allow the firewall routing table to be consulted for egress??  ... View more

I have been scouring the netpro and Cisco Support docs looking for a way to monitor the status of the Standby Nexus 1010 Virtual Service appliance.  As I understand it the Standby is unreachable from the network unless the primary comes online.  Has anyone had any luck monitoring the standby Virtual appliance for any reboots or loss of the appliance?  If so do you have the SNMP OID or what I can monitor to help us keep track of the status? -Glenn ... View more

So,   I've read through netpro and found everyone points to this doc.  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml However that still doesnt allow traceroute through for us.  We still see syslogs with deny's on high level random UDP ports to different Internet destinations.  Can someone look at our config and tell me why this might be happening?  Host 10.10.10.12 (default gateway is the ASA) ---> traceroute to 8.8.8.8 >>>>>Firewall config<<<<< object-group service TRACEROUTE service-object icmp unreachable service-object icmp time-exceeded service-object icmp echo service-object icmp echo-reply service-object icmp traceroute service-object icmp time-exceeded access-list Admin_Network-in extended permit object-group TRACEROUTE 10.10.10.0 255.255.255.0 any access-group Admin_Network-in in interface Admin_Network class-map IPS match access-list IPS class-map CONNS match any class-map inspection_default match default-inspection-traffic policy-map type inspect dns preset_dns_map parameters   message-length maximum client auto   message-length maximum 1024 policy-map IPS-Policy class IPS   ips inline fail-open sensor PreProd_Sensor   set connection timeout dcd   set connection decrement-ttl class inspection_default   inspect icmp   inspect icmp error policy-map global_policy class inspection_default   inspect ftp   inspect h323 h225   inspect h323 ras   inspect ip-options   inspect netbios   inspect rsh   inspect rtsp   inspect skinny    inspect esmtp   inspect sqlnet   inspect sunrpc   inspect tftp   inspect sip    inspect xdmcp   inspect dns preset_dns_map   inspect dcerpc   inspect icmp   inspect icmp error class class-default   set connection decrement-ttl ! ! service-policy global_policy global service-policy IPS-Policy interface Admin_Network >>>>>>SYSLOG output<<<<< Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/59937 dst Preprod_F5:8.8.8.8/33450 by access-group "Admin_Network-in" [0x0, 0x0] Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/48882 dst Preprod_F5:8.8.8.8/33452 by access-group "Admin_Network-in" [0x0, 0x0] Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/58173 dst Preprod_F5:8.8.8.8/33451 by access-group "Admin_Network-in" [0x0, 0x0] Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/60679 dst Preprod_F5:8.8.8.8/33455 by access-group "Admin_Network-in" [0x0, 0x0] Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/49612 dst Preprod_F5:8.8.8.8/33453 by access-group "Admin_Network-in" [0x0, 0x0] ... View more

Cisco ASA 5585-60 in context mode ver. 8.4.4(9) with SSP-60 IPS  using virtual sensors ver. 7.1(4)E4 Synopsis: Host A (linux) runs curl command to download a file from Host B (linux) around 72MB in size.  Host A is on a different subnet than host B and they use the Cisco ASA as their default gateway.  The ASA firewall is a virtual context using a virtual sensor with default signatures enabled, no customization other than the mgmt ip address we defined several months back. Problem: With IPS enabled we note a 90% decrease in throughput when running the same command versus with IPS on.  To put a number on it, we usually get 33-34MB (yes that's MegaBytes) per second with IPS off.  When IPS is enabled we're lucky to get 3MBps.  I've created an ACL to redirect ONLY this traffic to the IPS and tracked which IPS signatures we're being hit while we ran the download.  Turns out NONE of the signature hit counts are increasing.  Im gathering this info by refreshing the statistics in IDM and reviewing hit counters over a 30 minute period.  So what else can we check for here?  If no signatures are being hit, what else can I check to determine the drop in throughput.  With the biggest IPS you make I wouldn't expect to see this big of a drop here.   Some other points to note here: SCP copies in the same direction show no problem with IPS on or off, I suspect its due to the fact that the IPS cannot see this traffic so it ignores it.  We also note that if we change from port 80 to say port 8067 we DO NOT see the issue either.  If we do use 8080 the problem does present itself.  Very strange one.  Ive attached the Diag report to maybe help with this.  Any help would be appreciated!  ... View more

We have 2 data center locations.  We are attempting to connect them together using 2 ASAs. Data Center 1 -  ASA 5520 8.0(4) Data Center 2 -  ASA 5585-10 8.4(3) DC 1 ASA 5520 INSIDE - Security 100 OUTSIDE - Security 0 MIGRATION  - Security 50 DC 2 ASA 5585-10 Edge_Inside Security 100 Edge_Outside - Security 0 The OUTSIDE interface of the 5585-10 is using a private network (connection to our corporate Internet routers not advertised to the Internet) so we have to use the INSIDE interface to build VPN tunnels (our public network).  (Note NAT is not an option on the Corp routers) We are attempting to build a standard L2L IPSEC VPN tunnel from the DC1 5520 MIGRATION  to DC2 5585-10 INSIDE interface. You see IKE fire up on the 5520 and then goes into a MSG WAIT 2 waiting for reply from the 5585.  However on the 5585 side we see no IKE engagement.  "show cry isa" output shows no IKEv1 Packets arrive at all in or out.  Packet captures show UDP 500 enter the firewall from the 5520 with correct source and destination but no reponse packets from the 5585.  Here are the syslogs from 5585-10 when I start interesting traffic from 5520 DC1 side(Public IP's changed to private in syslog FYI) Mar 23, 2012 12:58:7|Built local-host Edge_Outside:192.168.1.110 Mar 23, 2012 12:58:7|Built inbound UDP connection 235278 for Edge_Outside:192.168.1.110/500 (192.168.1.110/500) to identity:10.10.193.252/500 (10.10.193.252/500) Mar 23, 2012 12:58:7|Teardown UDP connection 235278 for Edge_Outside:192.168.1.110/500 to identity:10.10.193.252/500 duration 0:00:00 bytes 296 Mar 23, 2012 12:58:7|Teardown local-host Edge_Outside:192.168.1.110 duration 0:00:00 I know this is not conventional however I dont' see why this shouldn't work.  The crypto map is applied to the Edge_Inside interface.  Any ideas? ... View more

  Were running CSM 3.3.1 SP1 on a windows machine.  We aquired a company and have found that they were making out of band changes without the use of CSM directly from the CLI.  Is there any easy way to sync the running config on the ASA firewalls to the CSM server?  I dug in help files but nothing really pointing me where to go.  Thanks for any help! ... View more