07-20-2010 10:58 AM
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address and troubleshoot common problems with Adaptive Security Appliances, Private Internet Exchange and Firewall Service Modules with Kureli Sankar. Kureli is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software.
Remember to use the rating system to let Kureli know if you have received an adequate response.
Kureli might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 30, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
07-28-2010 08:26 AM
I have an ASA 5510 running 8.3.1.6 and cannot get identity NAT to work.
The remote VPN ip local pool is 10.31.98.2-254/24, so I create
nat (inside,outside) source static any any destination static VPN-pool VPN-pool
with object network VPN-pool
subnet 10.32.98.0 255.255.255.0
I also have
nat (inside,outside) source dynamic LAN PAT destination static L2LSite L2LSite
where all the Enterprise LAN got PATted to an IP address sending over to a site to site VPN.
I kept getting "Asymmetric NAT rules matched for forward and reverse flows" and "connection src outside:IP/port dst inside:IP/port denied due to NAT reverse path failure".
I don't have problem with nat (inside) 0 access-list nonat using 8.2.
The difference is that with 8.2 it's PATted to an interface instead of an IP address like in 8.3.
Any known bugs...etc?
Thanks.
-lmn
07-28-2010 10:29 AM
Interesting...Let me see what I can find ...
-Kureli
07-28-2010 11:04 AM
I have a TAC case open with Craig L, probably in your team.
The weird thing is I can go out to the internet fine. Just the HQ LAN causes problems.
07-29-2010 08:55 AM
I recently replaced a 1711 router with an ASA5505. The DHCP server on the IOS router had some IP addresses assigned based on the mac address of the DHCP client, using the IOS client-identifier subcommand in the ip dhcp pool configuration. I have not found a similar configuration in the ASA. Is there an equivalent command on the ASA?
07-29-2010 11:50 AM
Yes, there is...certainly...
dhcpd dns 172.18.108.43 172.18.108.34
dhcpd domain cisco.com
dhcpd auto_config 172-net
!
dhcpd address 192.168.2.2-192.168.2.3 inside
dhcpd enable inside
Here is a link that would help you: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/dhcp.html#wp1115467
-Kureli
07-29-2010 01:54 PM
Thank you for the reply. I have previously set up the DHCP server on the 5505 as shown in the configuration guide. What I am looking for is an equivalent command in the ASA to the IOS command client-identifier:
http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_dhc1.html#wp1011901
This IOS command is used to create a manual DHCP binding.
07-30-2010 10:35 AM
I believe this is what you are looking for.
http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/d2.html#wp1975821
-Kureli
07-29-2010 10:01 AM
Hi Kureli,
During the live Webcast event on July 20th we had three questions that were not answered due to the limitation of time. Can you please post the replies to these questions here?
Here they are:
Does the Firewall Services Module v4.x software support the H.239 protocol (like the ASA v8.2 code)?
How can you force a Clientless SSL login user to a specific profile?
What is the best way to restrict traffic to specific users on an SSL VPN?
Thank you,
CSC Moderator
07-29-2010 01:50 PM
1. Does the Firewall Services Module v4.x software support the H.239 protocol (like the ASA v8.2 code)?
ANS: We have filed an ENH defect CSCtd80694 to get the support added for H.239. So, presently the FWSM does not support H.239.
2. How can you force a Clientless SSL login user to a specific profile?
ANS: If you use AD for authentication, you can use ldap attribute maps to map users to a group-policy based on some attributes. You can then use the group-lock feature to make sure they're coming from a specific tunnel-group (Connection Profile in ASDM).
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
Certificate mapping to map the user to a specific tunnel-group is another option.
Group-url would map to a tunnel-group based on the URL:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
3. What is the best way to restrict traffic to specific users on an SSL VPN?
ANS: VPN filter
vpn-filter is for full client
clientless uses web-type-acl
-Kureli
07-29-2010 11:37 AM
Kureli,
I have a config file running on ASA 5550, IOS ver 8.0(5) and ASDM 6.2(3). I want to copy this config file to the ASA 5540, running IOS 8.0.2 and ASDM 6.11. Do you expect any problems since I am running from a higher IOS version to a lower IOS version?
By the way, I enjoy your webcast very much. It was very helpful. I hope you have more webcasts in the future.
Thanks.
Diane
07-29-2010 12:34 PM
Diane,
Glad you enjoyed the webcast. Yes, we will certainly do another one with a few other topics in the near future. I don't see any issues copying and pasting config from 8.0.2 to 8.0.5. If you go from 7.2 to 8.2 and do not go sequentially, some commands may be lost depending on which commands were changed or removed from 7.2 to 8.2. Since you are staying in 8.0, there should not be any problem.
You can upgrade ASDM later to the latest or to match the one that is on your 5550.
-Kureli
07-29-2010 02:57 PM
Hi,
I recently upgraded from a PIX running 8.0.4 to an ASA running 8.2.2. Since then I have noticed a lot of translation errors that are affecting a SIP trunk that we have:
Jul 23 2010 15:54:09: %ASA-3-305006: regular translation creation failed for protocol 46
src inside:192.168.50.3 dst outside:65.183.6.122
Could this be a bug, because the configuration has not changed? We have since had to put the PIX back in order to get the calls to work.
07-30-2010 10:47 AM
IP protocol 46 is RSVP: http://www.networksorcery.com/enp/protocol/ip.htm
I don't believe this is a bug. Maybe you are seeing this traffic only after the upgrade, which makes you think this could be a bug. This is just a standard translation creation failed message for the inside host 192.168.50.3.
Do you have nat/global created for this host 192.168.50.3? If the syslog says "no translation group" then the nat line is missing; if it says "translation creation failed" then the "global" line is missing or there are not enough translation slots to allow this host to go outside.
Here is the link to the syslog message that you are seeing: http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4770951
-Kureli
07-30-2010 11:46 AM
Hi Kureli
Thanks for your response. I do actually have the nat configured with a nat inside and a global outside. The following is my nat configuration:
global (outside) 1 interface
global (outside) 2 x.x.x.252
global (outside) 3 x.x.x.250
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 2 192.168.50.0 255.255.255.0
nat (inside) 3 192.168.55.0 255.255.255.0
static (inside,outside) x.x.x.252 192.168.50.1 netmask 255.255.255.255
If there are not enough translation slots to allow the host to go outside, how do I fix this, and why is this not an issue on the PIX? Because, as I said, we have put the PIX back in and have no problems.
07-30-2010 12:03 PM
PIX probably was running an old code where it didn't log this.
I see the problem. Pls. change either of the following:
global (outside) 2 x.x.x.252 ---------> change this to another available IP address
or
static (inside,outside) x.x.x.252 192.168.50.1 netmask 255.255.255.255 ---------> change this to the following from static 1-1 NAT
static (inside,outside) tcp x.x.x.252 80 192.168.50.1 80 netmask 255.255.255.255 ----> to static PAT only for the port that this host 192.168.50.1 is listening on.
-Kureli
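The diagnosis above (a global PAT address that is also the mapped address of a 1:1 static, surfacing as %ASA-3-305006 for every other host in that nat group) is easy to miss by eye in a larger config. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses ASA 8.2-style global/nat/static lines, flags a 1:1 static whose mapped address sits inside a global pool, and correlates that with a 305006 syslog line. The sample config and syslog line are constructed from the thread; the redacted x.x.x addresses are replaced with the RFC 5737 documentation prefix 203.0.113.0/24 and the peer with 198.51.100.22, and the "longest prefix wins" choice of nat line is a simplification of the ASA's real rule ordering, assumed here for a flat config like this one.

```python
"""Audit ASA 8.2-style NAT config for a global/static address clash and tie it to %ASA-3-305006."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the thread's config (x.x.x -> 203.0.113, a documentation prefix).
SAMPLE_CONFIG = """
global (outside) 1 interface
global (outside) 2 203.0.113.252
global (outside) 3 203.0.113.250
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 2 192.168.50.0 255.255.255.0
nat (inside) 3 192.168.55.0 255.255.255.0
static (inside,outside) 203.0.113.252 192.168.50.1 netmask 255.255.255.255
"""

# Same config with the second remedy applied: static PAT for port 80 only, so the
# address can be shared with the global PAT pool.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "static (inside,outside) 203.0.113.252 192.168.50.1 netmask 255.255.255.255",
    "static (inside,outside) tcp 203.0.113.252 80 192.168.50.1 80 netmask 255.255.255.255")

# Constructed syslog line in the 305006 format seen in the thread (peer address is a documentation one).
SAMPLE_SYSLOG = ("Jul 23 2010 15:54:09: %ASA-3-305006: regular translation creation failed "
                 "for protocol 46 src inside:192.168.50.3 dst outside:198.51.100.22")

LOG_305006 = re.compile(
    r"%ASA-3-305006: (?P<kind>\w+) translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?")


@dataclass
class NatConfig:
    globals: dict = field(default_factory=dict)  # nat id -> list of pool entries
    nats: list = field(default_factory=list)     # (nat id, IPv4Network of real hosts)
    statics: list = field(default_factory=list)  # (mapped addr, real addr, proto or None, mapped port or None)


def _pool_entry(token):
    """'interface' stays symbolic; 'a' or 'a-b' becomes an inclusive integer range."""
    if token == "interface":
        return "interface"
    lo, _, hi = token.partition("-")
    return (int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi or lo)))


def pool_contains(pool, addr):
    a = int(addr)
    return any(e != "interface" and e[0] <= a <= e[1] for e in pool)


def parse_config(text):
    cfg = NatConfig()
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "global" and len(t) >= 4:
            cfg.globals.setdefault(int(t[2]), []).append(_pool_entry(t[3]))
        elif t[0] == "nat" and len(t) >= 5 and t[3] != "access-list":
            cfg.nats.append((int(t[2]), ipaddress.IPv4Network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "static":
            if t[2] in ("tcp", "udp"):      # static PAT: proto mapped mport real rport
                proto, mapped, mport, real = t[2], t[3], t[4], t[5]
            else:                           # static 1:1: mapped real
                proto, mapped, mport, real = None, t[2], None, t[3]
            cfg.statics.append((ipaddress.IPv4Address(mapped), ipaddress.IPv4Address(real), proto, mport))
    return cfg


def find_global_static_conflicts(cfg):
    """(nat id, mapped addr, real addr) for each 1:1 static whose mapped address is in a global pool.
    A port-level static PAT on a pool address is not flagged: only that port is reserved."""
    return [(nat_id, mapped, real)
            for mapped, real, proto, _ in cfg.statics if proto is None
            for nat_id, pool in cfg.globals.items() if pool_contains(pool, mapped)]


def select_nat_id(cfg, host):
    """Simplification (assumption): the most specific 'nat' line covering the host wins."""
    best = None
    for nat_id, net in cfg.nats:
        if host in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (nat_id, net)
    return None if best is None else best[0]


def diagnose(cfg, syslog_line):
    """Explain a 305006 line against the config, following the thread's troubleshooting order."""
    m = LOG_305006.search(syslog_line)
    if not m:
        return None
    host = ipaddress.IPv4Address(m["src_ip"])
    nat_id = select_nat_id(cfg, host)
    result = {"host": str(host), "proto": int(m["proto"]), "nat_id": nat_id}
    if nat_id is None:
        result["cause"] = "no nat line covers this host"
    elif not cfg.globals.get(nat_id):
        result["cause"] = f"no global line for nat id {nat_id}"
    elif clashes := [c for c in find_global_static_conflicts(cfg) if c[0] == nat_id]:
        result["cause"] = f"global {nat_id} address {clashes[0][1]} is also a 1:1 static for {clashes[0][2]}"
    else:
        result["cause"] = "nat and global present; check for translation slot exhaustion"
    return result


if __name__ == "__main__":
    print(diagnose(parse_config(SAMPLE_CONFIG), SAMPLE_SYSLOG))
    print("after fix:", find_global_static_conflicts(parse_config(FIXED_CONFIG)))
```

Run as-is it reports that global 2's address is consumed by the 1:1 static for 192.168.50.1, which is why 192.168.50.3 (also in nat group 2) cannot get a translation; re-running the conflict check on FIXED_CONFIG, where the static has become a port-80 static PAT, returns no clash. Changing global 2 to a free address, Kureli's first option, clears it the same way.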