ASK THE EXPERTS - TROUBLESHOOTING ASA, PIX, and FWSM

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address and troubleshoot common problems with Adaptive Security Appliances, Private Internet Exchange and Firewall Service Modules with Kureli Sankar.  Kureli is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software.

Remember to use the rating system to let Kureli know if you have received an adequate response.

Kureli might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 30, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

112 Replies

lmn20176
Level 5

I have an ASA 5510 running 8.3.1.6 and cannot get identity NAT to work.

The remote VPN ip local pool is 10.31.98.2-254/24, so i create

nat (inside,outside) source static any any destination static VPN-pool VPN-pool

with object network VPN-pool

subnet 10.32.98.0 255.255.255.0

I also have

nat (inside,outside) source dynamic LAN PAT destination static L2LSite L2LSite

where all the Enterprise LAN got PATted to an IP address sending over to a site to site VPN.

I kept getting "Asymmetric NAT rules matched for forward and reverse flows" and "connection src outside:IP/port dst inside:IP/port denied due to NAT reverse path failure".

I don't have problem with nat (inside) 0 access-list nonat using 8.2.

The difference is that with 8.2 it's PATted to an interface instead of an IP address like in 8.3.

Any known bugs...etc?

Thanks.

-lmn

Interesting...Let me see what I can find ...

-Kureli

I have a TAC case open with Craig L, probably in your team.

The weird thing is I can go out to the internet fine.  Just the HQ LAN causes problems.

j.beckner
Level 1

I recently replaced a 1711 router with an ASA5505.  The DHCP server on the IOS router had some IP addresses assigned based on the mac address of the DHCP client, using the IOS client-identifier subcommand in the ip dhcp pool configuration.  I have not found a similar configuration in the ASA.  Is there an equivalent command on the ASA?

Yes, there is...certainly...

dhcpd dns 172.18.108.43 172.18.108.34
dhcpd domain cisco.com
dhcpd auto_config 172-net
!
dhcpd address 192.168.2.2-192.168.2.3 inside
dhcpd enable inside

Here is a link that would help you: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/dhcp.html#wp1115467

-Kureli

Thank you for the reply, I have previously set up the DHCP server on the 5505 as shown in the configuration guide. What I am looking for is an equivalent command in the ASA to the IOS command client-identifier

http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_dhc1.html#wp1011901

This IOS command is used to create a manual DHCP binding.

I believe this is what  you are looking for.

dhcp-client client-id

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/d2.html#wp1975821

-Kureli

ciscomoderator
Community Manager

Hi Kureli,


During the live Webcast event on July 20th we had three questions that were not answered due to the limitation of time. Can you please post the replies to these questions here?

Here they are:

Does the Firewall Services Module v4.x software support the H.239 protocol (like the ASA v8.2 code)?

How can you force a Clientless SSL login user to a specific profile?

What is the best way to restrict traffic to specific users on an SSL VPN?

Thank you,

CSC Moderator

1. Does the Firewall Services Module v4.x software support the H.239 protocol (like the ASA v8.2 code)?

ANS: We have filed an ENH defect CSCtd80694 to get the support added for H.239. So, presently the FWSM does not support H.239.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd80694

2. How can you force a Clientless SSL login user to a specific profile?

ANS: If you use AD for authentication, you can use ldap attribute maps to map users to a group-policy based on some attributes.  You can then use the group-lock feature to make sure they're coming from a specific tunnel-group (Connection Profile in ASDM).

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Certificate mapping to map the user to a specific tunnel-group is another option.

Group-url would map to a tunnel-group based on the URL.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

3. What is the best way to restrict traffic to specific users on an SSL VPN?
ANS: VPN filter

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

vpn-filter is for full client
clientless uses web-type-acl

-Kureli

dianewalker
Level 1

Kureli,

I have a config file running on ASA 5550, IOS ver 8.0(5) and ASDM 6.2(3).  I want to copy this config file to the ASA 5540, running IOS 8.0.2 and ASDM 6.11.  Do you expect any problems since I am running from a higher IOS version to a lower IOS version?

By the way, I enjoy your webcast very much.  It was very helpful.  I hope you have more webcasts in the future.

Thanks.

Diane

Diane,

Glad you enjoyed the webcast.  Yes, we will certainly do another one with a few other topics in the near future.  I don't see any issues copying and pasting config from 8.0.2 to 8.0.5. If you go from 7.2 to 8.2 without going sequentially, some commands may be lost, depending on which commands changed or were removed between 7.2 and 8.2.  Since you are staying in 8.0, there should not be any problem.

You can upgrade ASDM later to the latest or to match the one that is on your 5550.

-Kureli

Hi,

I recently upgraded from a PIX running 8.0.4 to an ASA running 8.2.2; since then I have noticed a lot of translation errors that are affecting a SIP trunk that we have:

Jul 23 2010 15:54:09: %ASA-3-305006: regular translation creation failed for protocol 46
src inside:192.168.50.3 dst outside:65.183.6.122

Could this be a bug because the configuration has not changed. We have since had to put in the PIX in order to get the calls to work.

IP protocol 46 is RSVP: http://www.networksorcery.com/enp/protocol/ip.htm

I don't believe this is a bug.  Maybe you are seeing this traffic only after the upgrade, which makes you think this could be a bug.  This is just a standard "translation creation failed" message for the inside host 192.168.50.3.

Do you have nat/global created for this host 192.168.50.3? If the syslog says "no translation group", the nat line is missing; if it says "translation creation failed", the "global" line is missing or there are not enough translation slots for this host to go outside.

Here is the link to the syslog message that you are seeing: http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4770951

-Kureli

Hi Kureli

Thanks for your response. I do actually have the nat configured with a nat inside and a nat global, the following is my nat configuration.

global (outside) 1 interface
global (outside) 2 x.x.x.252
global (outside) 3 x.x.x.250

nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 2 192.168.50.0 255.255.255.0
nat (inside) 3 192.168.55.0 255.255.255.0

static (inside,outside) x.x.x.252 192.168.50.1 netmask 255.255.255.255

If there are not enough translation slots to allow the host to go outside, how do I fix this, and why is this not an issue on the PIX? Because, as I said, we have put the PIX back in and have no problems.

The PIX was probably running an old code where it didn't log this.

I see the problem. Please change either of the following:

global (outside) 2 x.x.x.252 ---------> change this to another available IP address

or

static (inside,outside) x.x.x.252 192.168.50.1 netmask 255.255.255.255 ---------> change this from a static 1:1 NAT to the following:

static (inside,outside) tcp x.x.x.252 80 192.168.50.1 80 netmask 255.255.255.255 ----> a static PAT only for the port that this host 192.168.50.1 is listening on.

-Kureli
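The two conditions Kureli describes in the replies above (a nat id with no matching global, and a global PAT address that is also the mapped address of a 1:1 static) can be caught by reading the pre-8.3 nat/global/static lines before they go on a box. The checker below is an added example, not code from the thread or from Cisco; it parses the configuration posted above with the redacted x.x.x addresses replaced by constructed 203.0.113.x addresses, and treats a port-level static PAT on the same address as acceptable, which is the second fix suggested. Lines it does not recognise are ignored, and nat 0 (NAT exemption) is skipped.

```python
"""Checker for pre-8.3 ASA/PIX nat/global/static lines (added example, not Cisco code).

Flags: (1) a "nat (iface) N" with no "global (iface) N", the 'no translation group'
case; (2) a global pool address that is also the mapped address of a 1:1 static,
the %ASA-3-305006 'regular translation creation failed' case seen in the thread.
"""
import ipaddress
import re

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (interface|[\d.]+)(?:-([\d.]+))?")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ([\d.]+) ([\d.]+)")


def parse_config(text):
    """Parse nat/global/static lines into a dict; unknown lines are ignored."""
    cfg = {"global": {}, "nat": {}, "static": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, first, last = m.groups()
            cfg["global"].setdefault(int(nat_id), []).append((iface, first, last or first))
            continue
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, net, mask = m.groups()
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            cfg["nat"].setdefault(int(nat_id), []).append((iface, network))
            continue
        tok = line.split()
        if tok[:1] == ["static"]:
            if len(tok) >= 7 and tok[2] in ("tcp", "udp"):
                # static PAT: proto mapped mapped-port real real-port
                cfg["static"].append({"proto": tok[2], "mapped": tok[3],
                                      "mapped_port": tok[4], "real": tok[5],
                                      "real_port": tok[6]})
            elif len(tok) >= 4:
                # static 1:1: mapped real
                cfg["static"].append({"proto": None, "mapped": tok[2], "real": tok[3]})
    return cfg


def find_problems(text):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_config(text)
    findings = []
    for nat_id, rules in sorted(cfg["nat"].items()):
        if nat_id != 0 and nat_id not in cfg["global"]:
            for iface, network in rules:
                findings.append(f"nat ({iface}) {nat_id} {network} has no matching global "
                                f"for id {nat_id}: hosts will log 'no translation group'")
    pool = {}  # every address in a non-interface global pool -> global id
    for nat_id, entries in cfg["global"].items():
        for _iface, first, last in entries:
            if first == "interface":
                continue
            lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
            for n in range(lo, hi + 1):
                pool[str(ipaddress.ip_address(n))] = nat_id
    for s in cfg["static"]:
        # a 1:1 static consumes the whole address; a port-level static PAT does not
        if s["proto"] is None and s["mapped"] in pool:
            findings.append(f"global id {pool[s['mapped']]} address {s['mapped']} is also the "
                            f"1:1 static for {s['real']}: dynamic translations will fail "
                            "(%ASA-3-305006); use another global address or convert the "
                            "static to a port-level static PAT")
    return findings


# Constructed sample: the config posted above, x.x.x replaced by 203.0.113 (assumption).
SAMPLE_CONFIG = """\
global (outside) 1 interface
global (outside) 2 203.0.113.252
global (outside) 3 203.0.113.250
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 2 192.168.50.0 255.255.255.0
nat (inside) 3 192.168.55.0 255.255.255.0
static (inside,outside) 203.0.113.252 192.168.50.1 netmask 255.255.255.255
"""

# The second fix from the reply: narrow the static to the one listening port.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "static (inside,outside) 203.0.113.252 192.168.50.1 netmask 255.255.255.255",
    "static (inside,outside) tcp 203.0.113.252 80 192.168.50.1 80 netmask 255.255.255.255")

# Constructed: a nat id with no global at all (the 'no translation group' case).
MISSING_GLOBAL_CONFIG = "nat (inside) 4 192.168.60.0 255.255.255.0\n"

if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG),
                      ("missing global", MISSING_GLOBAL_CONFIG)):
        print(name + ":", find_problems(cfg) or ["ok"])
```

Run it on a `show run nat`/`show run global`/`show run static` dump; the posted config produces the one overlap finding, the static-PAT variant produces none, and a nat id without a global is reported as the 'no translation group' case.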