ASK THE EXPERTS - TROUBLESHOOTING ASA, PIX, and FWSM

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address and troubleshoot common problems with Adaptive Security Appliances, Private Internet Exchange and Firewall Service Modules with Kureli Sankar.  Kureli is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software.

Remember to use the rating system to let Kureli know if you have received an adequate response.

Kureli might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 30, 2010. Visit this forum often to view responses to your questions and the questions of other community members.


Here is a support forum doc with before-and-after examples of the different types of NAT: https://supportforums.cisco.com/docs/DOC-9129

Here is a video link: https://supportforums.cisco.com/docs/DOC-12324

-Kureli

m.volodko
Level 1

Hello Kureli

We have some FWSMs implemented in DCs and sometime troubleshoot connectivity through them.
Imagine a typical engineer's task: we have a source IP, destination IP and port. We want to know: is the traffic allowed by the firewall?
On the ASA, it's pretty easy to find out; packet-tracer tells you this.
As I understand it, on the FWSM all packets are processed by hardware, not by the CPU, and that's why this command isn't implemented there, but the fact that I understand why doesn't make my life easier when some troubleshooting needs to be done.
So, assuming I cannot generate traffic but have full access to the FWSM, how can I tell if this traffic is allowed?

Misha

Misha,

Very good question. You are correct. There is no packet-tracer command in the FWSM. The only way is to look in the access-list to make sure the permission is already there. If the access-list is huge it may be hard, but if you use the following command you may be able to get what you are looking for.

sh access-list blah | i x.x.x.x  -----> for the IP address in question

or

sh access-list blah | i 5060 --------> for the specific port number in question.

Once you have traffic flowing, you can enable logging and look through the logs for denies due to the access-list.

-Kureli


Kureli,

According to Cisco's recommendation we build object-oriented policy, and the configuration looks like this:

object-group network Hosts_in_DMZ
network-object host 10.10.10.10
network-object host 10.10.20.10
network-object host 10.10.30.10

Assuming we are looking for the ACL which allows traffic to 10.10.10.10, your method returns just "network-object host 10.10.10.10", or possibly a few of them.

Misha

Misha,

Unfortunately, we are out of luck. I shall bring it up to our BU (Business Unit). There isn't an easy way to get what we need until we see some traffic and then use the logs to make sure the connection is not getting denied.

-Kureli
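The gap Misha points out is that `show access-list | include x.x.x.x` only finds the object-group member line, not the ACEs that reference the group. The script below is an added example for this thread, not Kureli's or Cisco's tooling: it parses `show running-config` text offline, expands network and service object-groups (including nested `group-object` references), and reports the first ACE in an access-list that matches a protocol, source, destination and destination port, which is the question asked when no traffic can be generated. It handles only a subset of ACE syntax (extended ACEs with `host`, `any`, network/mask and `object-group` addresses; `eq`, `range` and service-group ports with numeric port numbers); remarks are skipped, and `object network` (8.3+), named ports, `log` and `inactive` keywords are not handled. All names and addresses in the sample configuration are constructed.

```python
"""Offline ACL match for ASA/FWSM configs with object-groups (added example, subset of syntax)."""
import ipaddress

# Constructed sample config (hypothetical group names, addresses and ports).
CONFIG = """\
object-group network Hosts_in_DMZ
 network-object host 10.10.10.10
 network-object host 10.10.20.10
 network-object host 10.10.30.10
object-group network Corp_Nets
 network-object 192.168.0.0 255.255.0.0
 group-object Hosts_in_DMZ
object-group service SIP_Ports tcp
 port-object eq 5060
 port-object range 5061 5062
access-list outside_in remark SIP from the old PBX is blocked
access-list outside_in extended deny tcp host 172.16.1.5 object-group Hosts_in_DMZ eq 5060
access-list outside_in extended permit tcp any object-group Hosts_in_DMZ object-group SIP_Ports
access-list outside_in extended permit udp object-group Corp_Nets any eq 53
access-list outside_in extended deny ip any any
"""

def parse_config(text):
    """Return (groups, acls): groups[name] = {"kind", "members"}; acls[name] = list of ACE token lists."""
    groups, acls, current = {}, {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "object-group":
            current = parts[2]
            groups[current] = {"kind": parts[1], "members": []}
        elif line.startswith(" ") and current:                 # indented member of the open group
            groups[current]["members"].append(parts)
        elif parts[0] == "access-list" and parts[2] == "extended":
            current = None
            acls.setdefault(parts[1], []).append(parts)
        else:                                                   # remark or unrelated line
            current = None
    return groups, acls

def expand_network_group(name, groups, seen=None):
    """Flatten a network object-group, following nested group-objects, into ip_network objects."""
    seen = seen if seen is not None else set()
    if name in seen:                                            # guard against a reference loop
        return []
    seen.add(name)
    nets = []
    for m in groups[name]["members"]:
        if m[0] == "network-object" and m[1] == "host":
            nets.append(ipaddress.ip_network(m[2]))
        elif m[0] == "network-object":                          # "network mask" form
            nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m[0] == "group-object":
            nets.extend(expand_network_group(m[1], groups, seen))
    return nets

def expand_service_group(name, groups):
    """Flatten eq/range port-objects of a service object-group into a set of port numbers."""
    ports = set()
    for m in groups[name]["members"]:
        if m[0] == "port-object" and m[1] == "eq":
            ports.add(int(m[2]))
        elif m[0] == "port-object" and m[1] == "range":
            ports.update(range(int(m[2]), int(m[3]) + 1))
    return ports

def take_address(tokens, groups):
    """Consume one address spec from the front of tokens; return (networks, remaining tokens)."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] == "object-group":
        return expand_network_group(tokens[1], groups), tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)], tokens[2:]

def take_ports(tokens, groups):
    """Consume an optional port spec; return (set of ports, or None meaning any port, remaining)."""
    if tokens and tokens[0] == "eq":
        return {int(tokens[1])}, tokens[2:]
    if tokens and tokens[0] == "range":
        return set(range(int(tokens[1]), int(tokens[2]) + 1)), tokens[3:]
    if tokens and tokens[0] == "object-group" and groups[tokens[1]]["kind"] == "service":
        return expand_service_group(tokens[1], groups), tokens[2:]
    return None, tokens                                         # next token is an address, not a port

def first_match(acl_name, proto, src, dst, dport, groups, acls):
    """Return (action, ace_text) for the first ACE matching the query, or None if nothing matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acls.get(acl_name, []):
        action, ace_proto, rest = ace[3], ace[4], ace[5:]      # skip: access-list <name> extended
        if ace_proto not in ("ip", proto):
            continue
        src_nets, rest = take_address(rest, groups)
        _, rest = take_ports(rest, groups)                      # source ports are not checked here
        dst_nets, rest = take_address(rest, groups)
        dports, _ = take_ports(rest, groups)
        if (any(src_ip in n for n in src_nets) and any(dst_ip in n for n in dst_nets)
                and (dports is None or dport in dports)):
            return action, " ".join(ace)
    return None

def groups_containing(ip, groups):
    """Names of network object-groups that contain ip directly or through nesting."""
    addr = ipaddress.ip_address(ip)
    return {name for name, g in groups.items() if g["kind"] == "network"
            and any(addr in n for n in expand_network_group(name, groups))}

if __name__ == "__main__":
    groups, acls = parse_config(CONFIG)
    print(groups_containing("10.10.10.10", groups))
    print(first_match("outside_in", "tcp", "172.16.1.6", "10.10.20.10", 5061, groups, acls))
```

Paste the output of `show running-config object-group` and `show running-config access-list` into `CONFIG` (or read it from a file) and call `first_match` with the access-list name bound to the interface in question. Because the function walks the ACEs in configured order and stops at the first hit, the result reflects the same first-match semantics the firewall applies, including the implicit deny if you append an explicit `deny ip any any` for the check. `groups_containing` answers the narrower question of which groups a host sits in, so the ACEs that reference those groups can be searched for by name.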

gdspa
Level 1

Dear Kureli,

I have a question about external flash.

I need to add an external compact flash to 2 ASA5510s in a failover configuration (active-passive).

IOS version is 8.0(4).

Do I need to power them off, insert the compact flash and power on?

Could I utilize failover in any way? I thought, for example, to add memory to the standby unit, switch the roles and add memory to the "new" standby unit, without any power off. What do you think?

gdspa,

Failover will not be disabled because of a memory discrepancy. Only if other hardware is different will failover disable itself. So you can add the external flash to the primary/active ASA first and then add it on the secondary/standby. That should not cause any harm. There is no need to power them off and on.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077536

-Kureli

Paul Cummings
Level 1

Hi Kureli,

I'm importing some legacy firewall policies (from a Linux firewall) into multiple contexts on an ASA 5550 running ASA 8.3 and using global access lists.

I have some concerns over the number of objects/object-groups being used in the ACLs and the impact on performance.

I've stumbled across the "object-group search access-control" command in the 8.3 command line configuration guide which seems to make processing ACLs with many object-groups more efficient.

Is there a threshold on the size and quantity of object-groups used in ACLs above which Cisco recommends activating this functionality?

Would there be any drawbacks to activating this in my contexts? For example, we will be using CSM 4.0 to manage the policies; will this be possible with the object-group search access-control feature enabled?

Thanks

Paul

Paul,

At this point I'd suggest not implementing this command. From what I see there is an internal defect:

CSCtb54865 - ENH Support "object-group-search access-control" command in CSM

This is an enhancement.  I need to get more details as to whether this defect is resolved and make sure CSM 4.0 will support this command.

I will get back to you once I find out.

-Kureli

Paul,

I reached out to our development team and they confirmed that this command is supported in CSM 4.0.

-Kureli

venkat.247cs
Level 1

Hi,

I need to configure QoS for certain IPs on the Cisco ASA 5510. Assume the IPs are 10.0.1.5, 10.0.1.6 and 10.0.1.7. Here I have to configure 512 kbps for 10.0.1.5 and 2 Mbps for 10.0.1.6 and 10.0.1.7.

Can this be done on an ASA 5510 series? If yes, can you help me with how?

Regards,
Venkat

Venkat,

Yes, you can configure policing. Follow this link; it has a nice example:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1917025

-Kureli

joe-vieira
Level 1

I have set up 2 ASAs for SSL VPN, using both. Please point me to some links or documents to configure load-balancing for 2 or more ASAs in the future. Can all boxes be active and do load balancing? Can more than 2 boxes be added to the balancing even if they're in different locations? Will each box need a separate certificate?

Thanks

Hi,

I have an ASA5550 failover pair on one of the sites. It fails over regularly, and the error message it gives is that it fails the communication to the standby on an interface. For the moment I disabled monitoring on that interface so that it will not fail over. Is there any way I can check whether it fails the communication on that interface to the standby unit, please? I checked all the interfaces on the switches related to this problem and I couldn't find any port errors on any of them. But I saw some spanning tree topology changes. Can there be any connection between spanning tree convergence and this firewall failover issue, please?

Thanks,

Janaki 

Janaki,

How long does it say that it failed communication to the standby? Just a few seconds, and then recovers on its own? Maybe this interface is just seeing so much traffic that it sometimes misses the failover hellos sent over this particular interface. Layer 2 issues can certainly cause this.

Is this the busiest interface in the firewall? If so, you can try to increase the poll time and the hold time.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html#wp1097223

Command reference: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1931144

-Kureli
