07-20-2010 10:58 AM
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address and troubleshoot common problems with Adaptive Security Appliances, Private Internet Exchange and Firewall Service Modules with Kureli Sankar. Kureli is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software.
Remember to use the rating system to let Kureli know if you have received an adequate response.
Kureli might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 30, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
07-30-2010 12:15 PM
Thanks I will give that a try.
But woould the PIX not have a problem with this? Why would affect the SIP trunk so much on the ASA and not at all on the PIX?
07-30-2010 12:24 PM
What code was the PIX running? Did you not get a warning message when you added the global 2 and static statement?
Once you make the change that I suggested it should work fine. Unfortunatley I do not have very much time left to respond back on this thread. This will be locked in about 30 min.
You are welcome to continue this if needed on our support forum: https://supportforums.cisco.com/community/netpro/security/firewall
-Kureli
07-30-2010 12:31 PM
Currently the PIX is in place running 8.0(4) and we are not expriencing any problems with the SIP trunk. During the configuration of both the PIX and ASA I did not get an error message with adding the global 2 and static nat statments. I would have to schedule the change because it is a call center so I will not be able to put the ASA in for a little while.
07-30-2010 12:42 PM
I tried to add the same global 2 and static 1-1 NAT and didn't get any warning. I will look into this. You are saying that the same 192.168.50.3 host was able to go out to the internet find and you did not see any 305006 syslog messages with the PIX? 8.0.x code should behave the same on the ASA as well as on the PIX even though the file size is a lot diff.
Anyway, that change should resolve the problem. Good luck.
-Kureli
07-30-2010 01:22 PM
That's correct there were no error messages on the PIX. I will downgrade the ASA to 8.0.4 and see what happens.
07-30-2010 01:25 PM
What code is the ASA running?
-Kureli
07-30-2010 01:27 PM
It is currently running 8.2.2
08-10-2010 02:02 PM
Answers and tips on Troubleshooting ASA, PIX, and FWSM from our expert, Kureli Sankar. This is a transcript of the TweetChat session held on August 10, 2010.
.
Q: The nat translation and permission has config for all inside hosts to go out to the internet. Why isn't the internet account working?
A: Default GW configured on the ASA may be incorrect or there is no GW configured at all on the ASA.
Tip: Use sh xlate debug | i x.x.x.x to verify translation
Q: Can the ASA load balance between two ISPs?
A: No the ASA can't do load balancing or Policy Based Routing. You need a layer 3 device in order to do this on the outside.
Tip: Use sh local x.x.x.x to verify the number of connections that a single host has established
Q: How do I re-image the CSC module?
A: Please follow the link at
https://supportforums.cisco.com/docs/DOC-1323
Q: I configured Netflow on the ASA. The ASA is able to ping the collector but, it is not working.
A: What does "sh flow-export counters" show? If we are sending packets then maybe the collector doesn't support V9 templates. The ASA only supports version 9.
Q: I need full config & troubleshooting guide of PIX firewall.
A: Use
http://bit.ly/aKKo9k (troubleshooting link). It has command reference, configuration guide, syslog guide & troubleshooting guide.
Tip: Use sh run policy-map as the best way to check what inspections are enabled on the firewall.
Q: Able to load google.com and yahoo.com but unable to ping yahoo or google. What could cause this?
A: Either icmp replies are not being allowed on the outside ACL or inspect icmp is not enabled.
Q: Do you think a malicious host can cause a CPU spike on the firewall?
A: Certainly!
Tip: Command to find the total number of ACE for each access-list configured in the firewall?
sh access-list | i element
Q: How do we selectively apply inspection only for certain traffic and not for others?
A: Via MPF (Modular Policy Framework)
Q: What 3 things should we check when any traffic breaks through the firewall?
A: RTP (Route, Translation and permission)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide