ASK THE EXPERTS - TROUBLESHOOTING ASA, PIX, and FWSM

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address and troubleshoot common problems with Adaptive Security Appliances, Private Internet Exchange and Firewall Service Modules with Kureli Sankar.  Kureli is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software.

Remember to use the rating system to let Kureli know if you have received an adequate response.

Kureli might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 30, 2010. Visit this forum often to view responses to your questions and the questions of other community members.


Thanks I will give that a try.

But would the PIX not have a problem with this? Why would it affect the SIP trunk so much on the ASA and not at all on the PIX?

What code was the PIX running? Did you not get a warning message when you added the global 2 and static statement?

Once you make the change that I suggested it should work fine. Unfortunately I do not have very much time left to respond back on this thread. This will be locked in about 30 min.

You are welcome to continue this if needed on our support forum: https://supportforums.cisco.com/community/netpro/security/firewall

-Kureli

Currently the PIX is in place running 8.0(4) and we are not experiencing any problems with the SIP trunk. During the configuration of both the PIX and ASA I did not get an error message when adding the global 2 and static NAT statements. I would have to schedule the change because it is a call center, so I will not be able to put the ASA in for a little while.

I tried to add the same global 2 and static 1-1 NAT and didn't get any warning. I will look into this. You are saying that the same 192.168.50.3 host was able to go out to the internet fine and you did not see any 305006 syslog messages with the PIX? 8.0.x code should behave the same on the ASA as well as on the PIX even though the file size is a lot different.

Anyway, that change should resolve the problem. Good luck.

-Kureli
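The check Kureli asks for above is whether a given inside host is generating 305006 syslog messages (the ASA's "regular translation creation failed" event) while other hosts go out normally. The script below is an added example, not code from the thread or from Cisco: it parses a handful of constructed ASA syslog lines, keeps only the 305006 events, and counts translation failures per source host. The message layout assumed here ("%ASA-3-305006: regular translation creation failed for PROTO src IF:IP/PORT dst IF:IP/PORT") is the standard 305006 format; the log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines for this example (not taken from the thread).
# Three 305006 failures for two inside hosts, surrounded by ordinary 302013/302014 messages.
SAMPLE_LOGS = """\
Jul 29 2010 10:15:01 fw01 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.168.50.3/51000 (198.51.100.5/51000)
Jul 29 2010 10:15:02 fw01 : %ASA-3-305006: regular translation creation failed for udp src inside:192.168.50.3/5060 dst outside:203.0.113.10/5060
Jul 29 2010 10:15:03 fw01 : %ASA-3-305006: regular translation creation failed for tcp src inside:192.168.50.3/49152 dst outside:203.0.113.20/443
Jul 29 2010 10:15:04 fw01 : %ASA-3-305006: regular translation creation failed for udp src inside:192.168.50.44/5060 dst outside:203.0.113.10/5060
Jul 29 2010 10:15:05 fw01 : %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/80 to inside:192.168.50.3/51000 duration 0:00:03 bytes 1234 TCP FINs
"""

# Assumed 305006 message layout: protocol, then src IF:IP/PORT, then dst IF:IP/PORT.
XLATE_FAIL_RE = re.compile(
    r"%ASA-\d-305006: regular translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_xlate_failures(log_text):
    """Return one dict per 305006 message; every other syslog ID is ignored."""
    events = []
    for line in log_text.splitlines():
        m = XLATE_FAIL_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["src_port"] = int(ev["src_port"])
            ev["dst_port"] = int(ev["dst_port"])
            events.append(ev)
    return events


def failures_by_host(events):
    """Count translation failures per (source interface, source IP)."""
    return Counter((ev["src_if"], ev["src_ip"]) for ev in events)


def host_has_nat_failures(log_text, host_ip):
    """True if host_ip logged at least one 305006, i.e. the ASA could not build an xlate for it."""
    return any(ev["src_ip"] == host_ip for ev in parse_xlate_failures(log_text))


if __name__ == "__main__":
    events = parse_xlate_failures(SAMPLE_LOGS)
    for (iface, ip), count in failures_by_host(events).most_common():
        print(f"{iface}:{ip} -> {count} failed translation(s)")
    print("192.168.50.3 affected:", host_has_nat_failures(SAMPLE_LOGS, "192.168.50.3"))
```

Run against a real export of the ASA's syslog, a non-empty result for a host that is otherwise reachable points at the translation step of the route/translation/permission check Kureli describes later in the thread; feed the same lines through after the global/static change to confirm the 305006 messages stop.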

That's correct there were no error messages on the PIX. I will downgrade the ASA to 8.0.4 and see what happens.

What code is the ASA running?

-Kureli

It is currently running 8.2.2

ciscomoderator
Community Manager

Answers and tips on Troubleshooting ASA, PIX, and FWSM from our expert, Kureli Sankar. This is a transcript of the TweetChat session held on August 10, 2010.


Q: The NAT translation and permission are configured for all inside hosts to go out to the internet. Why isn't the internet access working?

A: Default GW configured on the ASA may be incorrect or there is no GW configured at all on the ASA.

Tip: Use sh xlate debug | i x.x.x.x to verify translation

Q: Can the ASA load balance between two ISPs?

A: No, the ASA can't do load balancing or Policy Based Routing. You need a layer 3 device in order to do this on the outside.

Tip: Use sh local x.x.x.x to verify the number of connections that a single host has established

Q: How do I re-image the CSC module?

A: Please follow the link at

https://supportforums.cisco.com/docs/DOC-1323

Q: I configured Netflow on the ASA. The ASA is able to ping the collector, but it is not working.

A: What does "sh flow-export counters" show? If we are sending packets then maybe the collector doesn't support V9 templates. The ASA only supports version 9.

Q: I need full config & troubleshooting guide of PIX firewall.

A: Use

http://bit.ly/aKKo9k (troubleshooting link). It has command reference, configuration guide, syslog guide & troubleshooting guide.

Tip: Use sh run policy-map as the best way to check what inspections are enabled on the firewall.

Q: Able to load google.com and yahoo.com but unable to ping yahoo or google. What could cause this?

A: Either ICMP replies are not being allowed on the outside ACL or inspect icmp is not enabled.

Q: Do you think a malicious host can cause a CPU spike on the firewall?

A: Certainly!

Tip: Command to find the total number of ACEs for each access-list configured in the firewall:

sh access-list | i element

Q: How do we selectively apply inspection only for certain traffic and not for others?

A: Via MPF (Modular Policy Framework)

Q: What 3 things should we check when any traffic breaks through the firewall?

A: RTP (Route, Translation and permission)