07-20-2010 10:58 AM
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address and troubleshoot common problems with Adaptive Security Appliances, Private Internet Exchange and Firewall Service Modules with Kureli Sankar. Kureli is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software.
Remember to use the rating system to let Kureli know if you have received an adequate response.
Kureli might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 30, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
07-30-2010 01:17 PM
Here is a support forum doc: before and after diff, types of NAT examples. https://supportforums.cisco.com/docs/DOC-9129
Here is a video link: https://supportforums.cisco.com/docs/DOC-12324
-Kureli
07-21-2010 02:04 AM
Hello Kureli
We have some FWSMs implemented in DCs and sometime troubleshoot connectivity through them.
Imagine a typical engineer task: we have source IP, destination IP and port. We want to know: is the traffic allowed by the firewall?
On ASA, it's pretty easy to find out - packet tracer tells this.
As I understand, on FWSM all packets are processed by hardware, not by the CPU; that's why this command isn't implemented there, but the fact that I understand why doesn't make my life easier when some troubleshooting needs to be done.
So, assuming I cannot generate traffic but have full access to the FWSM, how can I tell if this traffic is allowed?
Misha
07-21-2010 05:31 AM
Misha,
Very good question. You are correct. There is no packet-tracer command in the FWSM. The only way is to look in the access-list to make sure the permission is already there. If the access-list is huge it may be hard, but if you use the following command you may be able to get what you are looking for.
sh access-list blah | i x.x.x.x -----> for the IP address in question
or
sh access-list blah | i 5060 --------> for the specific port number in question.
Once you have traffic flowing, you can enable logging and look through the logs for denies due to the access-list.
-Kureli
07-21-2010 06:02 AM
Kureli,
According to Cisco's recommendation we build an object-oriented policy, and the configuration looks like this:
object-group network Hosts_in_DMZ
network-object host 10.10.10.10
network-object host 10.10.20.10
network-object host 10.10.30.10
Assuming we are looking for an ACL which allows traffic to 10.10.10.10, your method returns just "network-object host 10.10.10.10", or possibly a few of them.
Misha
07-21-2010 07:34 PM
Misha,
Unfortunately, we are out of luck. I shall bring it up to our BU (Business Unit). There isn't an easy way to get what we need until we see some traffic and then use the logs to make sure the conn is not getting denied.
-Kureli
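One way to answer Misha's question without waiting for traffic, as an added example that is not from this thread or from Cisco: parse the network object-groups and expand them while walking the ACL in first-match order, so a host that only appears inside a group is still resolved against the ACE. The config it reads is constructed, and the syntax it understands is a deliberate subset (network object-groups, any/host/subnet terms, "eq" ports).

```python
import ipaddress

# Constructed config (not from the thread): the DMZ hosts sit inside an object-group.
CONFIG = """\
object-group network Hosts_in_DMZ
 network-object host 10.10.10.10
 network-object host 10.10.20.10
 network-object 10.10.30.0 255.255.255.0
access-list outside_in extended deny tcp host 192.0.2.7 object-group Hosts_in_DMZ eq 5060
access-list outside_in extended permit tcp any object-group Hosts_in_DMZ eq 5060
access-list outside_in extended permit udp any host 10.10.10.10 eq 53
"""

def expand(tokens, groups):
    """Pop one address term (any / host X / object-group G / NET MASK) as networks."""
    t = tokens.pop(0)
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if t == "host":
        return [ipaddress.ip_network(tokens.pop(0))]
    if t == "object-group":
        return groups[tokens.pop(0)]
    return [ipaddress.ip_network(f"{t}/{tokens.pop(0)}")]

def parse_config(text):
    """Return (object_groups, ace_lines) from a subset of ASA/FWSM syntax."""
    groups, aces, current = {}, [], None
    for line in text.splitlines():
        if line.startswith("object-group network "):
            current = groups.setdefault(line.split()[2], [])
        elif line.strip().startswith("network-object "):
            current += expand(line.split()[1:], groups)
        elif line.startswith("access-list "):
            aces.append(line)
    return groups, aces

def lookup(text, acl, proto, src, dst, port):
    """First-match ACL evaluation: return the ACE line that matches, or None."""
    groups, aces = parse_config(text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        tok = ace.split()  # access-list NAME extended ACTION PROTO SRC.. DST.. [eq PORT]
        if tok[1] != acl or tok[4] not in (proto, "ip"):
            continue
        rest = tok[5:]
        srcs, dsts = expand(rest, groups), expand(rest, groups)
        port_ok = not rest or (rest[0] == "eq" and int(rest[1]) == port)
        if port_ok and any(src in n for n in srcs) and any(dst in n for n in dsts):
            return ace
    return None
```

Feed it the output of "show running-config object-group" and "show running-config access-list" from the FWSM; the returned line is the first ACE that would be hit, which is what the missing packet-tracer would have told you.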
07-21-2010 02:51 AM
Dear Kureli,
I have a question about external flash.
I need to add an external compact flash to 2 ASA5510s in failover configuration (active-passive).
IOS version is 8.0(4).
Do I need to power them off, insert the compact flash and power on?
Could I utilize failover in any way? I thought, for example, to add memory to the standby unit, switch the role and add memory to the "new" standby unit, without any power off. What do you think?
07-21-2010 06:24 AM
gdspa,
Failover will not disable itself for a memory discrepancy. Only if other hardware is different will failover disable itself. So you can add the external flash to the primary/active ASA first and then add it on the Sec/Standby. That should not cause any harm. There is no need to power them off and on.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077536
-Kureli
07-21-2010 04:18 AM
Hi Kureli,
I'm importing some legacy firewall policies (from a Linux firewall) into multiple contexts on an ASA 5550 running ASA 8.3 and using global access lists.
I have some concerns over the number of objects/object-groups being used in the ACLs and the impact on performance.
I've stumbled across the "object-group search access-control" command in the 8.3 command line configuration guide which seems to make processing ACLs with many object-groups more efficient.
Is there a threshold on the size and quantity of object-groups used in ACLs above which Cisco recommends activating this functionality?
Would there be any drawbacks to activating this in my contexts? For example, we will be using CSM 4.0 to manage the policies; will this be possible with the object-group search access-control feature enabled?
Thanks
Paul
07-21-2010 09:30 PM
Paul,
At this point I'd suggest not implementing this command. From what I see there is an internal defect:
CSCtb54865 - ENH Support "object-group-search access-control" command in CSM
This is an enhancement. I need to get more details as to whether this defect is resolved and make sure CSM 4.0 will support this command.
I will get back to you once I find out.
-Kureli
07-23-2010 12:41 PM
Paul,
I reached out to our development team and they confirmed that this command is supported in CSM 4.0.
-Kureli
07-21-2010 08:39 AM
Hi,
I need to configure QoS on certain IPs in the Cisco ASA 5510. Assume the IPs are 10.0.1.5, 10.0.1.6, 10.0.1.7. Here I have to configure 512 Kbps for 10.0.1.5 and 2 Mbps for 10.0.1.6 and 10.0.1.7.
Can this be done on an ASA 5510 series? If yes, can you help me with how?
Regards,
Venkat
07-21-2010 07:38 PM
Venkat,
Yes, you can configure policing. Follow this link; it has a nice example:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1917025
-Kureli
07-21-2010 08:41 AM
I have set up 2 ASAs for SSL VPN using both. Please point me to some links or documents to configure load-balancing for 2 or more ASAs in the future. Can all boxes be active and do load balancing? Can more than 2 boxes be added to the balancing even if they're in different locations? Will each box need a separate certificate?
Thanks
07-21-2010 06:59 PM
Hi,
I have an ASA5550 failover pair on one of the sites. It fails over regularly, and the error message it gives is that it fails the communication to standby on an interface. For the moment I disabled monitoring on that interface so that it will not fail over. Is there any way I can check whether it fails the communication on that interface to the standby unit, please? I checked all the interfaces on the switches related to this problem and I couldn't find any port errors on any of them. But I saw some spanning tree topology changes. Can there be any connection between spanning tree convergence and this firewall failover issue, please?
Thanks,
Janaki
07-21-2010 08:15 PM
Janaki,
How long does it say that it failed communication to the standby? Just a few seconds, and then it recovers on its own? Maybe this interface is just seeing so much traffic that it sometimes misses the failover hellos sent over this particular interface. Layer 2 issues can certainly cause this.
Is this the busiest interface in the firewall? If so, you can try to increase the poll time and the hold time.
Command reference: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1931144
-Kureli