Cisco Firewall :: 2911 - Control Link In Zone-Based Policy High Availability
Jun 26, 2012
I have set up a zone-based policy firewall with HA on two 2911 routers as per the Cisco security configuration guide, for an active/passive LAN-LAN cluster. All works as expected, but there is one problem I find: when the control link between the two devices fails, they go into an active/active state as each member assumes it's the last surviving member. The ARP entries for the Virtual IPs on the neighboring devices point to the device that last claimed the active role (usually the standby device). This works in a way, just sessions don't get synched anymore (control link is the same as data link). Now when the link comes back up, the preemtion works and the active, former standby device goes back to standby. But the ARP entries on the neighboring devices still point to the standby device and nothing goes (also sessions established during the active/active state are lost due to resync with the now active member).
This is a single point of failure and what I need is a way to mitigate that. Under:
redundancy
application redundancy
group 1
control <interface> protocol 1
only one control interface is allowed. Other manufacturers with similar functionality provide for the possibilty of a backup control link, for example the internal LAN interface or a dedicated backup link.
How would I go about that? Maybe use a port-channel for the control/data link (but I'm out of interfaces)?
View 1 Replies
ADVERTISEMENT
May 16, 2011
I have two 1811's connected in a lab using a ipsec vpn tunnel (using a switch to simulate an internet connection between them).I am trying to configure one of the routers as a ZBPF just to allow a remote windows login (DC on the firewalled side, workstations on the other side).I'm trying to verify that the zbpf is working, but it doesn't seem to stop anything. I had match icmp added to the class-map, but took it out to test if icmp would fail. It didn't. Basically, I don't think the firewall is working at all. Any thoughts on how I can configure this so that the policies will work between zone-pairs?
Here's an quick drawing:
Here are the configurations:
Local router:
hostname sdc-1811-LocalLab
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
[code]....
View 11 Replies
View Related
Jan 16, 2012
I'm trying to configure a zone-based firewall on an SR520 and am confused about the 'not' criterion. The 'zone-design-guide' says (my stress): Class- maps define the traffic that the firewall selects for policy application. Layer 4 class-maps sort the traffic based on these criteria listed here. These criteria are specified using the match.where my intention is to let only LAN hosts with IPs in the range 192.168.1.1 to 192.168.1.7 out through the firewall. There may be an easier way of doing this which I'd be pleased to hear about. But, even if there is, I'd also be interested to know what I'm doing wrong in the above.
View 0 Replies
View Related
Apr 19, 2012
Cisco 3560 does not support "set ip next-hop verify-availabilty". I need this command in my config. "set ip next-hop" do not do the same job.
View 8 Replies
View Related
Mar 18, 2013
I have setup a basic PBR config to route Http and Https out of a different interface (fa0/0/0) but for some reason http traffic is still going out of the Gi0/1 interface.
Config attached minus the crypto stuff and the publics have been changed.
View 17 Replies
View Related
Sep 18, 2012
I'm having a few problems at the moment with a zone based firewall setup. The more I looked into the problems the more I question whether I need the ZBF or not.My network is pretty simple. 1 Internet connection and 1 LAN interface and a few site to site vpns to the router.So what do people think to having this kind of set up and not using a ZBF?
View 11 Replies
View Related
Mar 20, 2011
A customer is currently running a 5520 ASA pair in active/standby HA mode. The devices also have an IPS module, one of them using a temporary (60-day) license. So, right now, licensing is identical on both ASAs and HA is operational.
The question is what exactly will happen after 60 days, once the temporary license expires? Does HA shutdown completely once it's determined that the licensing isn't a 100% match any longer, or does it just cripple one feature (such as the IPS module)?
The customer is balking at purchasing SMARTnet for the 2nd ASA, so I need to explain exactly what is going to happen (if anything) once the license on the 2nd ASA drops off...
View 4 Replies
View Related
Aug 2, 2011
We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.
View 2 Replies
View Related
Jun 21, 2011
We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.
View 1 Replies
View Related
Jul 27, 2011
I've been trying to configured Websense urlfiltering using ZFW feature on my Cisco 881G router. The router is running on IOS 15.0(1)M with Advanced IP Services. And I have confirmed it supports urlfilter feature.
This is what I tried to accomplish but IOS version 15.0x seems to have different command set.
-----------------------
class-map type inspect httptraffic
match protocol http
parameter-map type urlfilter param
server vendor websense 10.20.30.40
[Code]...
View 2 Replies
View Related
Mar 16, 2011
I am getting ready to deploy a 3945 ISR to serve as an internet and core router for and remote site. I will be terminating a site-to-site VPN tunnel on it and also configuring a zone based firewall config between my "outside" (internet link) and "inside" (all internal nets). My question is about how to approach securing the WAN interface with the Zone based FW in place?what kind of ACL do I need beyond those allowing and restricting remote access to the outside ip?
View 3 Replies
View Related
Jan 3, 2013
I have a cisco 1841 router , and i want to configure zone based firewall on it. But the document of zone based firewall only said that "after 12.4(6)T" can support zone based firewall. I use the ios " c1841-ipbasek9-mz.124-15.T9.bin ", but it can't support ZFW. What kind of ios support ZFW. for example: ipbase, ent base, ip service ,advent etc.
View 2 Replies
View Related
Sep 11, 2011
we are experiencing performance issues on ASR 1004 with ZBF as our campus edge router.Symptoms:
- sending small packets from inside zone to outside zone, for example UDP packets without payload
- this way I can generate up to 150.000 pps traffic (testing with packeth software, but we have had a real example with some kind of worm/virus)
- CPU load is about 1% (yes one!) to 2% all time !! (weird)
- ASR response to pings rises very quickly up to 5 seconds which makes box unusable dropping everything what goes through ZBF (so internet connection is gone)
- if I do the ping directly from box, it seems to work fine (no rules from self to outside zone in ZBF)
- if I remove interfaces from inside and outside zone (so disabling ZBF) and do the test again, ASR response goes from normal (0.2ms) up to 2ms (still sending 150.000 pps) and everything seems to work fine)
According to Cisco Datasheets: routing, Qos, Zbf ... on ASR 1000 with RP1, ESP10 should be done in hardware with up to 17.000.000 pps performance.
View 5 Replies
View Related
Mar 20, 2011
One of my remote sites acquires Internet connectivity via a cable modem service. This goes down intermittently, of course. I would like to purchase DSL service from the local telco and configure the edge ASA (currently a 5505) to use the cable modem path normally ... and fall back to the DSL path if necessary.
These seems hard to do. The edge box would need to evaluate the viability of a WAN path using some set of tests ... perhaps pings to a handful of major Internet sites. If all those pings start failing, it would stall for a minute, to give the WAN service provider time to recover ... then cut over to the second path. Cutting to the second path might mean pushing new DNS server addresses to clients (or perhaps the edge box would hand out both sets of DNS servers all the time and rely on the clients to try them all.) Once the cable modem provider restored service, the edge box would stall for a while (ten minutes? an hour?) and then cut back.
I'm willing to replace the edge box with something fancier (a bigger ASA or something sold as a router or whatever), although I'd like to stay under 10K (list) for such a replacement.
View 3 Replies
View Related
Dec 25, 2012
I am looking to implement Zone-Based Firewall on some 2900 series routers (2911 and 2921.) Based on some research I've done it looks like the cisco2911-sec/k9 and cisco2921-sec/k9 bundles should be all I need. Is this correct, or is there some other licensing component that needs to be enabled for me to implement Zone-Based Firewall?
View 2 Replies
View Related
Mar 20, 2013
I have a simple setup where I have a 2911 router with three interfaces, Inside, Outside and a second "Inside" interface which is labelled as a DMZ. The Zone Firewall applied to the "DMZ" is actually Inside (until I can work through problems). I need to be able to access a device on the DMZ via its external IP so I have designed NAT to use IP Nat Enable commands. This is now working for me fine. However, since utilising IP Nat Enable, my zone firewall now denies return TCP / UDP traffic and consequently I no longer have any internet access. Looking at the syslog messages, the reason for this is that the router is denying these return flows not because they are matching the outside-to-inside policy, but rather they are matching the outside-to-SELF policy. The router seems the detect that the internet traffic is being returned to SELF, when in reality the NAT rule should pick this up and forward it to inside. I can understand why this is happening, because I am NATting all private / inside traffic behind the external IP of the router, which is assigned to the Gi0/0 interface. [code]
View 1 Replies
View Related
Feb 16, 2011
I am confiuring ZFW on a Cisco 2951 Router. The router has the following interfaces: [code]Port Channel 1, 1.5, 1.10, 1.15, 1.20 have been added to the zone called IN-OUT. All the subinterfaces correspond to an internal VLAN.The router is connected to a MPLS network and has a BGP peer on interface MPPP. Over the MPLS network, an ecrypted DMVPN tunnel to HQ has been built (tunnel 0). EIGRP is the routing protocol running over the tunnel.Traffic coming in from HQ has to be firewalled on this router (don't ask me why!!). As a result, I am configuring ZFW on this router.
1-The router itself does not need to be protected, only the servers in the remote offices. That being said, I am not planning to create any self zone on this router. I don't want to break BGP, therefore the MPPP interface will NOT belong to any zone. Is this the correct way to do it?
2-The tunnel 0 interface will belong to OUT-IN zone that will protect all incoming traffic into this site from HQ. So when writing class-maps for the traffic coming INTO this site, do I need to write any class-maps for EIGRP or ESP? My guess is no, since that traffic will not be coming into the site, but rather just terminating on the router.
View 5 Replies
View Related
Nov 1, 2011
I am new to Cisco firewalls. We are moving from a different vendor to Cisco ASA 5520s.I have two ASA 5520s running ASA 8.2(5). I am managing them with ASDM 6.4(5).I am trying to setup Active/Standby using the High Availability Wizard. I have interfaces on each device setup with just an IP address and subnet mask. Primary is 10.1.70.1/24 and secondary is 10.1.70.2/24. The interfaces are connected to a switch and these interfaces are the only nodes on this switch. When I run the Wizard on the primary, configure for Active/Standby, enter the peer IP of 10.1.70.2 and I get an error message saying that the peer test failed, followed by an error saying ASDM is temporarily unable to connect to the firewall.
View 5 Replies
View Related
Mar 3, 2013
I'm having an issue accessing a clients router on the WAN interface with Cisco config pro. I can get CLI access with SSH without any issue. I have port 22 and 443 allowed as management access from my public IP - SSH working fine but config pro being refused connection, Possibly a certificate issue?
View 1 Replies
View Related
Apr 3, 2013
we have an ASR1002 running zone-based-firewall with 2 zones:
zone_ouside
zone_ph
I have a common ZFW-configuration on that interfaces, e.g.
<code>
class-map type inspect match-any pass_cmap_in
match access-group name pass-ipv4-in
!
class-map type inspect match-any ph_cmap_in
match access-group name ph-ipv4-in
[code]....
There is some basic stuff in the Access-Lists; direction ph-ipv4-in contains basically "permit ip any any" and ph-ipv4-out contains some permits for certain services, but nothing else. The pass-ipv4-in/out ACL contains particularly the udp-500/4500-stuff as well as gre/esp/ah.
Here are the zone-pairs:
<code>
zone-pair security zone_ph-zone_outside source zone_ph destination zone_outside
service-policy type inspect ph_pmap_in
!
zone-pair security zone_outside-zone_ph source zone_outside destination zone_ph
service-policy type inspect ph_pmap_out
!
</code>
[code]...
The xconnect is only built up correctly when I configure the interface in the zone_outside. The destination for the xconnect is an ASR9k. If I do not configure the zone on the L2VPN-Interface, only arp-packet are allowed to tgo through the tunnel.
The L2VPN connects a branch office to the network of "PH". Now the trouble starts: when they are putting a host in the branch office, DHCP via the L2VPn works fine, they can ping anything from the branch office-PC in their local network and reach all internal servers etc.
BUT if they want to go to a destination outside their network, it will not work properly. For example, the branch-office-PC can ping 8.8.8.8 fine, but when they try to connect to a website, e.g. www.google.com, they run into a timeout. Netstat says, that the http-syn is sent, but no ack is received.
On the router, I see:
Session 1178BAE8 (x.y.225.250:2370)=>(173.194.35.151:80) http SIS_OPENING
whereas x.y.225.250 is the PC connected via L2VPN in the branch office to their local lan. When they put the same machine in their local lan directly behind the router (without l2vpn) everything works fine. When I switch off the firewall on the Gi0/0/0-Interface, the PC from the branch office also reaches its destination, so for me it looks like the firewall inspects the traffic going via Gi0/0/1 and L2VPN, what in my opinion, it should not do....
View 1 Replies
View Related
Apr 4, 2011
We are testing a Zone Based FW config since 1month, everything run smooth but we're having problem ( big slow speed access ) when a user try to reach a website on a non-standard port ( 8080 in that case ). All the trafic stay in our LAN, using a IPSEC/EZVPN connection between the 2 sites.As soon as I have disabled the Zone Based FW, the speed was much better.
I'm sure I'm missing a parameter to fix that problem but I tried many different options and I didn't find anything yet. All the routers are Cisco 1811 running adv IP Services 15.1.2.T1 IOS.A port-map has been created to map the port 8080 to the HTTP protocol for the inspection.The PC will have an IP address in the 10.2.2.x/24 and will access a server on 10.2.3.x/24, both devices are part of the zone private in each site/LAN.All the access between sites are managed by an ASA; the IPSEC/EZVPN peer.Little summary, it's gonna be something like : SiteA with a PC on private zone then on public zone for the EZVPN to SiteB on public zone and then private zone to access the server in the LAN.
View 6 Replies
View Related
Feb 27, 2011
How can I configure police-based nat to allow ICMP-only traffic on asaos 8.4.1 or 8.3?On 8.3 it was very simple:global (outside) 1 interface ,access-list outside_nat_outbound extended permit icmp any any,nat (outside) 1 access-list outside_nat_outbound.
View 10 Replies
View Related
Nov 3, 2011
My firmware is 1.35NA and have a schedule established. When I try to add a policy for access control, I can select a policy name but when I hit "next", I get an error stating "Internet Explorer has stopped working" and wants to close. I was able to add policies previously but can not any more.
View 3 Replies
View Related
Mar 19, 2011
Just want to ask if a PIX firewall specific with a 6.3 OS version do support Dual WAN and PBR.
View 2 Replies
View Related
Jan 28, 2013
The problem I am having is very strange and I have tried to upgrade the IOS on the 1841 to solve the problem but no luck. The issue is when I enable Zone Based firewall security on of the 1841 routers two VPN site-to-site tunnels stops working. If I turn off CEF (no ip cef) then the traffic for both tunnels works. Someone told me that the Zone Based firewall must have a match for the VPN traffic and I created that with ACL 160 and 161 but it did not solve the problem.
Current IOS is below.
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 15.0(1)M9, RELEASE SOFTWARE (fc1)
Technical Support: [URL]
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 11-Sep-12 23:58 by prod_rel_team
[code]....
View 2 Replies
View Related
Sep 20, 2012
I would like to know about asa 5500-x. Does it supports application visibility and granular control for different applications. Moreover bandwidth control based on different users and different applications
View 1 Replies
View Related
Mar 4, 2011
Is it possible to establish PBR rules that set the ip next-hop to point directly to the inside interface of the ASA5550?Or, do I need to direct this PBR traffic first to a directly connected router interface and then default route to the ASA?At a high level, here's what we have:
ISP 1 - with /21 IP PrefixNo BGP Routing3845 Edge Router - Default Route to ISP 1PIX535 Firewalls (HA) - Default Route to Edge RouterLAN Core/Distribution - Default Route to PIX535 Inside InterfaceAll applications/services use this egress path for PAT/NAT/DMZ/VPN/Etc.
Here's what we are adding:
ISP 2 - with /24 IP PrefixNo BGP Routing3925E Edge Router - Default Route to ISP 2ASA5550 Firewalls (HA) - Default Route to Edge RouterSame connectivity to LAN Core/Distribution
Goals:Maintain ISP 1 for nowMigrate only end user Internet traffic to ISP 2No disruptions to applications/services using current DefGW to PIX535
Question: how to best use PBR to selectively direct traffic to the ASA inside interface?
View 4 Replies
View Related
Jun 10, 2011
I have two cisco wlc 5508. I wan to install them in two differents site. One WLC in the site A and the another WLC in the site B.
Site B is the WAN of the site A. The site A is the headquarter.
But i need to configure them in High Availability. For example if the Cisco WLC in site A goes down, the ap's have to registered in the WLC of the site B.
Then the traffic LWAPP have to pass over the WAN between site A to site B.
I have to configure two cisco wlc in HA over a WAN . Is ok configure the roamming L3 intercontroller?
View 5 Replies
View Related
Jun 9, 2012
I have a Cisco 2901 which terminates a Class C address pool. I have split the Class C address pool into 3 sub-nets and 2 zones and created a non-addressable pool (private pool):
dmz-zone : x.x.x.0 TO x.x.x.127 (x.x.x.0/25)
in-zone: x.x.x.128 TO x.x.x.159 (x.x.x.128/27) & x.x.x.160 TO x.x.x.191 (x.x.x.160/27)
private-zone: 192.168.x.0 TO 192.168.x.255 (192.168.x.0/24)
I have configured private-zone NAT to use address pool x.x.x.161 TO x.x.x.189 within the in-zone.
Within the:
dmz-zone - are servers for : DNS, Syslog, SIP & HTTP/HTTPS in-zone - is a SMTP mail server which is behind VPN Gateway/NAT, TomCat (Application Server) and PostgreSQL Server private-zone - is where all standard users are operating from and they can access the SIP & HTTP/HTTPS servers within dmz-zone My problem is that I cannot seem to configure the ZBFW to allow the dmz-zone HTTP/HTTP server to redirect to in-zone TomCat server.
I do not want to make the TomCat server generally visible and am instead using the Apache proxy/ajp13 to connect from dmz-zone server to in-zone server.However I cannot seem to get anything (including icmp) to work from dmz-zone to in-zone.
I have Policy:
POLICY-DMZ-IN (dmz-zone to in-zone) which has:
any any udp/tcp inspect
any any icmp inspect
unmatched traffic DROP/LOG
But I still cannot get anything from dmz-zone to in-zone...Could the POLICY-DMZ-IN be being overridden by other dmz-zone to out-zone policies?
NOTE: I have routing rules for each of various sub-nets and all out-zone to dmz-zone, out-zone to in-zone and private-zone to out-zone, in-zone and dmz-zone routing works ok, so it appears problem is with ZBFW not routing table.
View 4 Replies
View Related
Oct 1, 2012
One of my customer wants to upgrade their Cisco ACS version from 4.0 to 5.3. The client has existing ACS version 4.0 windows on VM with two instance and need to upgrade to 5.3 Linux.As per my understanding following version are supporter to upgrade ACS to version 5.3 ACS 4.1.1.24ACS 4.1.4ACS 4.2.0.124ACS 4.2.1 but unfortunatlly there is running 4.0.I suggested to my client the upgradation for ACS and proposed this Upgrade lisence L-CSACS-53VMUP-K9 and CON-SAS-CSACS3V? how I can do the smooth deployment / Migration from 4.0 to 5.3 with (A/P)high availability.
View 1 Replies
View Related
Oct 28, 2012
Current environment is Cisco 2125 WLC managing ~12 3502E AP's for a single location. Client is looking to provide HA for the single 2125 WLC. With the 2125 now EO-Sale is it possible to go with one additional 2504 WLC and leverage the existing 2125 or would it require going with just (2) 2504's?
View 1 Replies
View Related
Jan 19, 2012
I have 2 WLC (5508), i configured the option for enable the high availability, but when the 2 WLC is working the mesh network is unstable, when only wlc is working the mesh is fine.
View 3 Replies
View Related
May 7, 2012
We want to make High Availability between two Cisco 3560G switches. Can you tell how we should proceed?Is there any HA module available for Cisco 3560G?
View 1 Replies
View Related
