Hi,
These counters show cumulative values, so monitor the counters and check whether they are incrementing. If they are incrementing continuously, then you can start checking which application/traffic is getting affected.
Thanks,
RS
Hi,
You can try capturing traffic on the ingress and egress interfaces and analysing the captures on the egress interface (the ISP-facing interface). Check if there is any latency in the traffic that you receive on the egress (refer to the timestamps); you can also check if there are too many retransmissions in the stream.
As the analysis requires only headers, you can avoid capturing the entire packet and restrict captures to headers only for specific traffic.
Captures on the ASA can be CPU intensive, so ensure that your captures are very specific.
Hope it helps.
RS
Rate if it helps.
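An added example (not from the post above) of the header-only, flow-specific capture the reply describes, written as ASA CLI. The addresses are constructed: inside client 10.1.1.50 talking to 198.51.100.20 on TCP/443, with the client PATed to 203.0.113.2 on the outside interface, so the egress capture must match the translated address.

```cisco
! Ingress capture on inside: matches the real (pre-NAT) client address.
! packet-length 96 keeps Ethernet/IP/TCP headers and drops the payload,
! which keeps the buffer small and the CPU cost low.
capture CAP-IN interface inside match tcp host 10.1.1.50 host 198.51.100.20 eq 443 packet-length 96 buffer 4000000

! Egress capture on outside (ISP facing): matches the mapped (post-NAT) address.
capture CAP-OUT interface outside match tcp host 203.0.113.2 host 198.51.100.20 eq 443 packet-length 96 buffer 4000000

! Quick look at timestamps on the box; compare the same segment on both captures.
show capture CAP-IN detail
show capture CAP-OUT detail

! Export both for offline analysis (TFTP server address is constructed).
copy /pcap capture:CAP-IN tftp://192.0.2.50/cap-in.pcap
copy /pcap capture:CAP-OUT tftp://192.0.2.50/cap-out.pcap

! Remove the captures as soon as the data is collected.
no capture CAP-IN
no capture CAP-OUT
```

In Wireshark, the display filter `tcp.analysis.retransmission` on the exported file isolates the retransmissions mentioned in the reply, and the frame time delta between the inside and outside copies of one segment shows any delay added by the ASA itself.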
Hi Imran,
If you are using the firewall for address translation, then you need a mechanism to identify traffic on the switch to perform PBR based on the translated address.
If there is one translated IP for all internal VLANs, then you will not be able to differentiate the traffic on the switch.
You can plan your network in such a way that you have a different IP address for each VLAN and then decide the egress ISP based on your network.
Thanks
RS
Hi Imran,
The requirement of segregating traffic based on source or destination IP addresses can be achieved using PBR.
ASA 5500-X running 9.4.1 and above supports PBR. The ASA 5520 does not have support for PBR, as the newer image requires newer hardware.
Hope it helps.
RS
Rate if it helps.
Hi,
The ACL should permit the real port and IP address. So ensure the real IP and port of the DC are permitted in the ACL.
Hope it helps.
RS
Rate if it helps.
Hi,
Based on syslog message 302014, it looks like the host on the inside is sending a reset, and that is what is causing the ASA to clear the session.
Now, you have mentioned that replacing the ASA with another firewall resolves the problem. Can you verify and share what changes in the traffic flow when you replace the firewall? Also check the internal host logs to identify the reason for the disconnection.
I have personally seen some issues where a timeout on the application causes the reset of the connection. So you can try running Wireshark for the entire session on the end client and check what happens just before the reset of the connection; if you notice latency causing the reset, then you can tweak the timeout on the application.
Based on the syslog, the issue seems to be with the internal host.
Hope it helps.
RS
Rate if it helps.
Hi,
You can use PBR to route traffic based on the configured policies.
Also, you can use the track keyword in the PBR configuration to decide the next hop based on the reachability of an IPv4 address.
Here is a link you can refer to: Click here
Hope it helps.
RS
Rate if it helps.
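An added ASA 9.4+ PBR example (not from the post above) showing the tracked next hop the reply mentions. Names and addresses are constructed: VLAN 192.168.20.0/24 behind the inside interface is sent to ISP1 (next hop 203.0.113.1) while that hop answers ICMP echo, and falls back to ISP2 (next hop 198.51.100.1) otherwise.

```cisco
! IP SLA probe that pings the ISP1 gateway out of the ISP1 interface every 5 seconds.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface ISP1
 frequency 5
sla monitor schedule 10 life forever start-time now

! Track object 1 follows the reachability state of the probe.
track 1 rtr 10 reachability

! Traffic selector: only the VLAN 20 subnet is policy routed.
access-list PBR-VLAN20 extended permit ip 192.168.20.0 255.255.255.0 any

! Primary next hop is used only while track 1 is up; the plain set ip next-hop
! is the fallback when the verified hop is unavailable.
route-map PBR-MAP permit 10
 match ip address PBR-VLAN20
 set ip next-hop verify-availability 203.0.113.1 1 track 1
 set ip next-hop 198.51.100.1

! PBR is applied on the ingress interface of the traffic being steered.
interface GigabitEthernet0/1
 nameif inside
 policy-route route-map PBR-MAP

! Verification: track state and which next hop the policy currently selects.
show track 1
show route-map PBR-MAP
packet-tracer input inside tcp 192.168.20.10 40000 192.0.2.80 443
```

Any host that is not matched by PBR-VLAN20 keeps using the normal routing table, so a default route via the preferred ISP is still needed for the rest of the network.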
Hi,
Opening a port on the ASA to a specific device on an internal network requires NAT and ACL configuration.
Create a static NAT to map the real IP and port to the global IP and port.
Depending upon the ASA version, make sure that you have the appropriate IP allowed in the ACL. Pre-8.3 the global IP should be allowed, and post-8.3 the real IP should be allowed in the ACL.
Hope this helps.
RS
Rate answers if it helps.
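An added example (not from the post above) showing the static port forward on both sides of the 8.3 change, so the ACL difference the reply describes is visible. Addresses are constructed: internal host 10.1.1.10 listening on TCP/3389, published on public IP 203.0.113.10.

```cisco
! ---- ASA 8.3 and later: object NAT, ACL permits the REAL address ----
object network RDP-SRV-REAL
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 service tcp 3389 3389

access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 3389
access-group OUTSIDE_IN in interface outside

! ---- ASA 8.2 and earlier: static command, ACL permits the GLOBAL address ----
static (inside,outside) tcp 203.0.113.10 3389 10.1.1.10 3389 netmask 255.255.255.255

access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 3389
access-group OUTSIDE_IN in interface outside

! ---- Verification (both versions): simulate an inbound client and inspect each phase ----
! A wrong address in the ACL shows up as a drop in the ACCESS-LIST phase.
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 3389
show nat
show xlate
```

Permitting only the published port, rather than `ip any host`, keeps the exposure limited to the one service being forwarded.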
Here are a couple of links that you can follow:
Cisco Firewall Best Practices Guide
http://www.cisco.com/c/en/us/about/security-center/firewall-best-practices.html
Cisco Guide to Harden ASA firewall
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/200150-Cisco-Guide-to-Harden-Cisco-ASA-Firewall.html
Thanks,
RS
Rate if this post helps.
Hi Doug,
ACLs are evaluated only once, at the creation of the connection. So while creating ACLs, keep in mind the direction in which they are applied, evaluate the packet flow based on the direction of traffic from source to destination, and create appropriate ACLs to allow the traffic.
For example, assume there are two interfaces, Inside and Outside. There is an ACL access_in on the inside interface in the IN direction and an ACL access_out on the outside interface in the OUT direction. If traffic from in to out needs to be allowed, then both access_in and access_out should allow the traffic.
So basically evaluate how your ASA is configured and allow traffic accordingly. You can also use the packet-tracer utility to check the cause of the drop and rectify the configuration.
Thanks,
RS
Hi Doug,
You can create NAT rules using different public IP addresses. The ASA allows only one IP address on an interface. So identify the type of NAT (static/dynamic) that is required for your network and configure it with the public IP addresses.
I hope this will help you in the right direction; in case my understanding of your requirement is wrong, feel free to correct me.
Thanks,
RS
Rate if the post helps.
Hi,
Based on your configuration, the ACL applied on the Comcast interface will allow only RDP to specific hosts from the outside. You should check the Comcast_access_in ACL and permit traffic for the Skype server.
You have mentioned that you have dual ISPs and one ISP acts as backup for the other, so you should add NAT for the backup ISP as well, or else the servers won't be accessible if one of the ISPs is down.
Hope it helps.
Thanks,
RS
Rate if this helps in resolving your query.