cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
21970
Views
48
Helpful
112
Replies

ASK THE EXPERTS - TROUBLESHOOTING ASA, PIX, and FWSM

ciscomoderator
Community Manager
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address and troubleshoot common problems with Adaptive Security Appliances, Private Internet Exchange and Firewall Service Modules with Kureli Sankar.  Kureli is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software.

Remember to use the rating system to let Kureli know if you have received an adequate response.

Kureli might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 30, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

112 Replies 112

philtukey
Level 1
Level 1

Hello

I am the network administrator for a county wide public library system. Some of our branches are on a VPN (either DSL or Charter) connected via a cisco 5505 (branch side) and a cisco 5510 (main).

How do I seperate my staff (giving them priority over the bandwidth) from the public PC's?

Thanks,

Phil

I hope you have separate subnet/ip address for staff and the public PCs and you can identify them via an access-list.  You can configure police and priority.

Follow this link:

https://supportforums.cisco.com/docs/DOC-1230

-Kureli

I am not used to the command line and is there way to do this using the GUI interface?

I have already set up 2 groups 1 for staff (and added thier IP's to that list) and then added a group for the rest of the PC's (and added those IP's to that list). I then went into the the Service Policy Rules, and said

Source - Staff to any destination on any IP has QoS enabled priority for this flow

Followed by

Souce - Public to any destination on any IP has Policy Direct input Commited rate 8000

I am really new to this and I will look at the link you sent me but in the mean time can you see if there is something I am doing wrong?

*All of the PC's (Staff and Public) are on the same subnet.

Thanks,

Phil

Phil,

Follow this link to configure this using ASDM: http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/qos.html#wp1053674

You are on the right track.

-Kureli

Phil,

Once done pls. post the output of

sh run class-map

sh run policy-map

along with the access-list that you match in the class-map.

-Kureli

For the sh run class-map:

!

class-map inspection_default

     match default-inspection-traffic

class-map access-list outside_mpc

!

For sh run policy-map

!

policy-map type inspect dns present_dns_map

     parameters

          message-length maximum 512

policy-map global_policy

     class inspection_default

          inspect dns present_dns_map

          inspect ftp

          inspect h323 h226

          inspect h323 ras

          inspect rsh

          inspect rtsp

          inspect esmtp

          inspect sqlnet

          inspect skinny

          inspect sunrpc

          inspect xdmcp

          inspect sip

          inspect netbios

          inspect tftp

policy-map outside-policy

     class ouside-class

          priority

!

What do you mean by the access-list that I matchin the class-map?

Phil

Any more thoughts?

Thanks!

Phil,

Sorry about the delay.  Pls. replace the public pc ip and staff pc ip with proper translated IP address. I hope you are translating staff PC to a certain IP address when it goes out to the internet and the public PCs to another IP address when they go out to the internet.  Pls. send me "sh run" from the firewall so, I can take a look at it.

You should configure something like this. You can copy and paste these lines onto the ASA once you verify the interface names and replace the IP addresses.

conf t

access-list public-pc permit ip host x.x.x.x any eq 80  ----------> where x.x.x.x is the IP address of the public PCs when they go out to the internet

access-list staff-pc permit ip host y.y.y.y any eq 80 ---------------> where y.y.y.y is the IP address of the staff PCs when they go out to the internet.

class-map police-traffic

match access-list public-pc

class-map pirority-traffic

match access-list staff-pc

!

priority-queue outside

policy-map police-priority-policy

class police-traffic

police output 500000  ---------------> You are providing 500Kbps for the public PCs out of the available BW to you. You may choose another value.

class priority-traffic

priority

service-policy police-priority-policy interface outside

-Kureli

From the ASDM launcher how to copy the results of a sh run?

Thanks!

Nevermind I got it to copy and paste

Here is the sh run:

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname SVCisco5505
domain-name Poldom
enable password ER.y749.lMleEpRJ encrypted
passwd ER.y749.lMleEpRJ encrypted
names
name 192.168.11.23 SVBack
name 192.168.11.20 SVLeft
name 192.168.11.22 SVMid
name 192.168.11.21 SVRight
name 192.168.11.24 SVoffice
name 192.168.11.202 SVOpac01
name 192.168.11.204 SVOpac02
name 192.168.11.201 SVOpac03
name 192.168.11.200 SVOpac04
name 192.168.11.210 SVPublic01
name 192.168.11.203 SVPublic02
name 192.168.11.209 SVPublic03
name 192.168.11.212 SVPublic04
name 192.168.11.211 SVPublic05
name 192.168.11.205 SVPublic06
name 192.168.11.206 SVXC1
name 192.168.11.208 SVXC2
name 192.168.11.207 SVXC3
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group SU
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name Poldom
object-group network SVStaff
description SVStaff
network-object host SVLeft
network-object host SVRight
network-object host SVMid
network-object host SVBack
network-object host SVoffice
object-group network SVPublic
description SVPublic
network-object host SVOpac04
network-object host SVOpac03
network-object host SVOpac01
network-object host SVPublic02
network-object host SVOpac02
network-object host SVPublic06
network-object host SVXC1
network-object host SVXC3
network-object host SVXC2
network-object host SVPublic03
network-object host SVPublic01
network-object host SVPublic05
network-object host SVPublic04
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip 192.168.11.0 255.255.255.0 any
access-list outside_mpc extended permit ip object-group SVStaff any
pager lines 24
logging enable
logging list Config-Saved level notifications class sys
logging list Config-Saved message 111008
logging history informational
logging asdm informational
logging mail Config-Saved
logging from-address Summitviewvpn@yvl.org
logging recipient-address ptukey@yvl.org level notifications
logging recipient-address twalker@yvl.org level notifications
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authorization command LOCAL
http server enable
http 68.185.48.254 255.255.255.255 outside
http 192.168.11.0 255.255.255.0 inside
snmp-server host outside 68.185.48.254 community ciscoyvl5505
snmp-server location Summitview
snmp-server contact ptukey@yvl.org
snmp-server community ciscoyvl5505
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 68.185.48.225
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group SU request dialout pppoe
vpdn group SU localname sulibrary@qwest.net
vpdn group SU ppp authentication pap
vpdn username sulibrary@qwest.net password ********* store-local
dhcpd auto_config outside
!

priority-queue outside
username infotech password tzgCRDEHUdVE5LVu encrypted privilege 3
username config password 6j16spycqHHv8ERa encrypted privilege 15
tunnel-group 68.185.48.225 type ipsec-l2l
tunnel-group 68.185.48.225 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match access-list outside_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map outside-policy
class outside-class
  priority
!
service-policy global_policy global
service-policy outside-policy interface outside
smtp-server 68.185.48.200
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:8ab83d0e54174e23156c747a98db5171
: end

Have you had a chance to look over the log I posted?

Phil,

Apologies.  I was hoping you were going to implement the config that I suggested earlier.  Either use the ASDM link that I provided or use CLI and replace the IP addresses in the sample that I provided and add those config lines in place.  If you are skeptical, then we would have to get on the firewall and assist you with the configuration.  Feel free to open a TAC case. Let me know the case once number if you do open one.

-Kureli

I created a TAC case and updated to a newer version of firmware on our Cisco 5505 and with the help of the Cisco TAC guy we are getting the issue resolved thank you for your help!

mohamed_makled
Level 1
Level 1

Hi

i have an ASA firewall as the internet gateway for our network. if i need to add another internet line for our network, the ASA firewall can load balance the network traffic on the two internet lines or not??? and how??

Mohamed