Any idea why traffic destined to port 443 might be bypassing an ACL for that port and hitting an IP any/any ACL that's at the bottom of the list, at least according to syslog?
access-list inside_access_in line 5 extended permit tcp 10.1.0.0 255.255.0.0 any4 object-group DM_INLINE_TCP_6 (https & https) log disable (hitcnt=2951027) 0xb0c12c26
access-list inside_access_in line 24 extended permit ip any4 any4 log informational interval 300 (hitcnt=295888) 0x2bc0c8ca
What I see in syslog:
12-09-2018 15:22:19 Local7.Info 10.1.1.232 %ASA-6-106100: access-list inside_access_in permitted tcp inside/10.1.2.91(52106) -> outside-WAN/126.96.36.199(443) hit-cnt 1 first hit [0xb0c12c26, 0x15b7e092]
12-09-2018 15:22:19 Local7.Info 10.1.1.232 %ASA-6-106100: access-list inside_access_in permitted udp inside/10.1.2.7(51150) -> outside-WAN/188.8.131.52(443) hit-cnt 1 first hit [0x2bc0c8ca, 0x00000000]
How reliable is the information coming from syslog?
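An added example, not part of any post in this thread: a small Python parser for the %ASA-6-106100 lines above that maps the first hash in the brackets back to the ACL line it came from and flags port-443 flows that were permitted by the any/any ACE. The lookup table is constructed from the two `show access-list` lines quoted above; the two sample log lines are the ones from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed lookup: ACE hash (first hex value in the 106100 message) ->
# ACL line and protocol, copied from the two "show access-list" lines above.
ACE_BY_HASH = {
    "0xb0c12c26": {"line": 5, "proto": "tcp",
                   "desc": "permit tcp 10.1.0.0/16 any4 DM_INLINE_TCP_6 (https)"},
    "0x2bc0c8ca": {"line": 24, "proto": "ip",
                   "desc": "permit ip any4 any4 (catch-all)"},
}
SPECIFIC_LINE = 5     # the port-443 ACE the flows were expected to hit
CATCH_ALL_LINE = 24   # the any/any ACE at the bottom of inside_access_in

LOG_RE = re.compile(
    r"%ASA-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<sif>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+) "
    r".*?\[(?P<ace_hash>0x[0-9a-fA-F]+), (?P<flow_hash>0x[0-9a-fA-F]+)\]"
)


@dataclass
class AclHit:
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ace_hash: str
    ace_line: Optional[int]  # None when the hash is not in our lookup


def parse_106100(line: str) -> Optional[AclHit]:
    """Parse one %ASA-6-106100 syslog line; return None for any other message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ace_hash = m["ace_hash"].lower()
    ace = ACE_BY_HASH.get(ace_hash)
    return AclHit(
        acl=m["acl"], action=m["action"], proto=m["proto"].lower(),
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        ace_hash=ace_hash, ace_line=ace["line"] if ace else None,
    )


def explain(hit: AclHit) -> str:
    """Say why a flow matched the ACE it did, in terms of the lookup above."""
    if hit.ace_line == CATCH_ALL_LINE:
        specific_proto = next(a["proto"] for a in ACE_BY_HASH.values()
                              if a["line"] == SPECIFIC_LINE)
        return (f"{hit.proto}/{hit.dport} fell through to line {CATCH_ALL_LINE}: "
                f"line {SPECIFIC_LINE} only matches {specific_proto}")
    if hit.ace_line is None:
        return f"ACE hash {hit.ace_hash} is not in the lookup; refresh it from show access-list"
    return f"matched line {hit.ace_line} as intended"


def audit(lines: List[str], port: int = 443) -> List[AclHit]:
    """Return the flows to `port` that were permitted by the catch-all ACE."""
    flagged = []
    for line in lines:
        hit = parse_106100(line)
        if hit and hit.dport == port and hit.ace_line == CATCH_ALL_LINE:
            flagged.append(hit)
    return flagged


# Sample input: the two syslog lines quoted in the post.
SAMPLE_LOG = [
    "12-09-2018 15:22:19 Local7.Info 10.1.1.232 %ASA-6-106100: access-list inside_access_in "
    "permitted tcp inside/10.1.2.91(52106) -> outside-WAN/126.96.36.199(443) hit-cnt 1 "
    "first hit [0xb0c12c26, 0x15b7e092]",
    "12-09-2018 15:22:19 Local7.Info 10.1.1.232 %ASA-6-106100: access-list inside_access_in "
    "permitted udp inside/10.1.2.7(51150) -> outside-WAN/188.8.131.52(443) hit-cnt 1 "
    "first hit [0x2bc0c8ca, 0x00000000]",
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_LOG):
        print(f"{hit.proto} {hit.src}:{hit.sport} -> {hit.dst}:{hit.dport}: {explain(hit)}")
```

Run against the two sample lines, the TCP flow resolves to line 5 and the UDP flow to line 24: the hash in the syslog message is the ACE hash printed at the end of each `show access-list` line, so the message is consistent with the ACL, and the UDP/443 flow lands on the catch-all simply because line 5 is a `permit tcp` entry. Keeping the hash-to-line table refreshed from `show access-list` is what makes this kind of audit reliable, since the hashes change when the ACL is edited.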
Thanks for your response.
We are getting 2 x 3560CX-8TC-S; as far as I can tell these are not stackable?
Currently the LAN and ASA Inside interfaces are all in the same subnet.
In which case, do you think I can get away with configuring the ASA Inside interfaces on a separate subnet, configuring the switch ports as routed and enabling HSRP for LAN nodes so I can use the switches as the network's default gateway? I can then point to the firewalls with a static route and point back from the firewalls with another static route?
Edit: alternatively I could use the firewalls as the network's default gateway (they are in an active/standby config) and simply use the switches for L2 switching with STP for failover. I just don't think it feels right to use the firewalls as the default gateway.
We are in the process of replacing a very old core router that works as the network's default gateway:
network: 10.1.0.0/16 (flat, no VLANs)
ASA SSL VPN remotepool: 184.108.40.206/24
All the router does here is be the default gateway for the network and send all traffic out to the firewall with a static route (it used to route to remote sites too). That includes the SSL VPN remotepool subnet:
ip route 0.0.0.0 0.0.0.0 ASAinsideipaddr
ip route 220.127.116.11 255.255.255.0 ASAinsideipaddr
So I've been thinking of replacing the router with two layer 3 switches for redundancy and future-proofing:
And just realised I'm a bit rusty with layer 3 switch routing.
Now my question is, if I configure these switch ports as routed ports they cannot belong to the same network, correct?
I would have to configure a single VLAN 1 on the switch for the 10.1.0.0/16 subnet, but would I also have to tag the ports as belonging in VLAN 1 or simply add a default route to the firewall's interface? How would this work? If all ports are switch ports and the VLAN is in the 10.1.0.0/16 subnet then I would only need to add a single static route to send remotepool traffic out to the ASA's inside interface?
These LAN connections would be connecting to an HPE switch stack so RSTP would also be needed.
Which makes me think, is it worth using the ASAs as the default gateway instead for now to simplify things and look to buy layer 3 switches only if we decide to split the network into VLANs? The userbase is somewhere between 100-150 users.
In which case, is there anything I should be aware of when using the ASA as the network's default gateway? I assume the ASA would not need any additional routing done to connect the inside interface 10.1.0.x/16 to the remotepool clients.
Hi Mahesh, it is still considered as bc by Cisco; in the config you set it as 'police bps bc value ms', since you can never set the tc, it calculates itself (well, in case of Frame Relay). The formula you suggested is used the other way around (Cisco reference), for example, inside the map-class for FRTS: bc / CIR = tc => 2560 bits / 256000 bps = 0.01 s = 10 ms, which is the recommended value for an edge running voice. It has no relation to the MTU indeed, as I tried taking it down and that didn't work. My thoughts. Thanks for your time.
(There is a small intro which you might want to ignore) <intro>This is the first of a series of topics I will post over the next week or so as I'm in the middle of a QoS over MPLS VPNs project which will actually focus on the customer edge mostly and the way traffic is treated. I have a few things that need answering because I am simply not covered by the Cisco docs, which sometimes seem to be very laconic. Thanks for your time.</intro>

I have configured a traffic policer as part of the customer's output policy to (de)mark or drop traffic destined for the provider edge and I am stuck over two things:

1. I am using a percentage-based policer which, according to Cisco documentation, has got a default bc burst value of 4 ms (Cisco QoS command reference). Not according to this though:

police:
  cir 40 % cir 102000 bps, bc 3187 bytes
  conformed 0 packets, 0 bytes; actions:
    set-dscp-transmit af21
  exceeded 0 packets, 0 bytes; actions:
    set-dscp-transmit af23
  conformed 0 bps, exceed 0 bps

If you do the maths, the bc value is 250 ms, not 4. Am I missing something here? (I must be)

2. The policer runs inside classes being a part of a policy map attached on a FR interface as output. The interface runs Frame Relay Traffic Shaping with fragmentation at 320 bytes inside the map-class, where the policy map is applied. When applied though, the policer automatically sets the default bc in bytes to 1500, which is the Ethernet MTU value.

police:
  cir 10 % cir 25500 bps, bc 1500 bytes
  conformed 0 packets, 0 bytes; actions:
    set-dscp-transmit af41
  exceeded 0 packets, 0 bytes; actions:
    drop
  conformed 0 bps, exceed 0 bps

According to the 250 ms bc I explained above, which I think it takes as default, the bc in bytes should be 796 (using the formula: bc in bytes * 8 / class BW = bc in ms). But I get a message saying: "burst bc increased to 1500 bytes". I can only assume it does this because the ingress interface is an Ethernet interface and the policer runs before FRTS? (again, according to Cisco diagrams)

This stops me from setting the bc value lower than 1500 by lowering the value in ms; by the way, you cannot specify bc in bytes, only in ms. Now, what's a logical solution? I have tried lowering the interface MTU (a serial interface) but nothing. It wouldn't make any sense to lower the MTU on the ingress Ethernet interface, would it?

FRTS config:
!
map-class frame-relay 2PE
 frame-relay cir 256000
 frame-relay bc 2560
 frame-relay be 0
 frame-relay mincir 256000
 frame-relay fragment 320
 service-policy output ce2pe

policy-map:
!
policy-map ce2pe
 class voice
  priority percent 33
  police cir percent 33 bc 20 ms
   conform-action transmit
   exceed-action drop
 class data
  bandwidth percent 40
  random-detect dscp-based
  police cir percent 40
   conform-action set-dscp-transmit af21
   exceed-action set-dscp-transmit af23
 class video
  bandwidth percent 10
  police cir percent 10
   conform-action set-dscp-transmit af41
   exceed-action drop
 class control
  bandwidth percent 5
 class vocontrol
  bandwidth percent 5
  set ip dscp cs3
 class class-default
  bandwidth percent 5
  set ip dscp default

interface:
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 frame-relay traffic-shaping
 max-reserved-bandwidth 100
!
interface Serial0/0.1 point-to-point
 ip address 10.0.1.2 255.255.255.0
 no cdp enable
 frame-relay class 2PE
 frame-relay interface-dlci 100

Thanks
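An added example covering both the bc/tc arithmetic in the reply above (bc / CIR = tc) and the policer question in this post: a Python token-bucket model of a single-rate policer fed with the CIR and bc figures from the `police` output. It is not Cisco code; `effective_bc` only models the "burst bc increased to 1500 bytes" message the poster saw and is an assumption, not a documented IOS rule. The traffic lists are constructed.

```python
# Token-bucket model of a single-rate, two-colour policer, plus the FRTS Tc
# arithmetic. Added example; not Cisco code.

def bc_bytes(cir_bps: int, bc_ms: float) -> int:
    """bc in bytes from CIR and bc in ms (the post's bytes*8/BW formula, rearranged)."""
    return int(cir_bps * (bc_ms / 1000) / 8)


def tc_ms(bc_bits: int, cir_bps: int) -> float:
    """FRTS interval: Tc = Bc / CIR, e.g. 2560 / 256000 = 10 ms."""
    return bc_bits / cir_bps * 1000


def effective_bc(requested_bytes: int, mtu: int = 1500) -> int:
    """Assumed floor: a bucket smaller than the largest packet can never let
    that packet conform, so the burst is raised to the MTU. This models the
    message seen in the post; it is not a documented IOS rule."""
    return max(requested_bytes, mtu)


class Policer:
    """Single-rate, two-colour token bucket: depth bc bytes, refilled at CIR."""

    def __init__(self, cir_bps: int, bc_bytes: int):
        self.cir = cir_bps
        self.bc = bc_bytes
        self.tokens = float(bc_bytes)   # bucket starts full
        self.last = 0.0                 # time of last refill, seconds

    def offer(self, size: int, now: float) -> str:
        elapsed = now - self.last
        self.tokens = min(self.bc, self.tokens + self.cir / 8 * elapsed)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"


def police_stream(cir_bps: int, bc: int, packets) -> list:
    """Colour a list of (time_s, size_bytes) tuples through one policer."""
    p = Policer(cir_bps, bc)
    return [p.offer(size, t) for t, size in packets]


# Constructed traffic: a 1500-byte packet every 10 s (far below CIR), and
# three 320-byte fragments offered back to back.
BIG_SLOW = [(0.0, 1500), (10.0, 1500), (20.0, 1500)]
FRAGMENTS = [(0.0, 320), (0.0, 320), (0.0, 320)]

if __name__ == "__main__":
    video_cir = 25500   # "cir 10 % cir 25500 bps" from the post's output
    print("bc at 250 ms :", bc_bytes(video_cir, 250), "bytes")
    print("with bc=796  :", police_stream(video_cir, 796, BIG_SLOW))
    print("with bc=1500 :", police_stream(video_cir, 1500, BIG_SLOW))
    print("fragments@796:", police_stream(video_cir, 796, FRAGMENTS))
    print("FRTS Tc      :", tc_ms(2560, 256000), "ms")
```

With the post's numbers, `bc_bytes(102000, 250)` gives 3187 and `bc_bytes(25500, 250)` gives 796, matching the 250 ms reading of the first output. The stream test shows the property behind the MTU floor: with bc = 796 a 1500-byte packet is marked exceed even when sent once every ten seconds, because the bucket can never hold enough tokens for it, while 320-byte fragments conform until the bucket drains. Whether a bucket that small is acceptable depends on whether anything larger than the fragment size can reach the policer.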