I have a branch office set up were all traffic goes back to the core, iincluding internet acces.
It has been working fine for a year, but recently I have started to see the firewalls Asa 5505 closing the connection and stopping the phone from answering the calls.
I have skinny inspection turned on all my branch offices, but had to turn it off at the one site to get one of my phones to registered.
I haven't made any changes to the network that would trigger this issue, such as upgrading phone firmware.
My firewall is configured for default deny, other than Skinny (tcp 2000), do I need Skinny inspection to be turned on?
It's turned on my 5 other branches.How can I debug why the skinny inspection is closing the connection?As a separate note this phone is part of a pool of phones that shares a common DN, would this be causing the issue?
I am testing out some inspection options on an ASA 5505, and I am running into a situation in which applying a http inspection is dropping all outbound http traffic. I get a "protocol violation" error in the logs.
Here is the setup: I'm not sure why the web traffic is getting dropped.
policy-map type inspect dns preset_dns_map parameters message-length maximum client auto
Im trying to configure HTTP Inpsection with regex matching on a ASA 5505 (8.2) so that I can deny all websites apart from google and yahoo. And also enclude host 192.168.1.2 from this inspection. I have been through a number of examples and the syntax below appears correct but appears not to work. The logs report only that traffic has been dropped by the inspection policy.
We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.
I have multiple customers and servers behind my ASA5510s. After moving a new customer with an FTP server behind the firewalls, they immediatly had issues with customers connecting to their FTP server. I had the default inspection rules running regarding FTP. After removing the "inspect ftp" from the global policy their issues went away. Since this is a larger customer I can't force them to change their server, I need to accomodate and fix this on the firewall. I left the "inspect ftp" command out and there have been sporatic issues from other customers, unable to connect to outside FTP servers from the terminal servers and timeouts and disconnects to our own FTP servers.
This is what I "think" is the solution.. I added a second inspection policy after the default one and only added "inspect ftp" to it. Then I used the "exclude" option to exclude the new customer. That new customer is fine and things are better, but still not working right. Does the following config accomplish what I want?? Does the exclude ACL get what I need or do I need an "include" or permit statement in that ACL?
ASA 5520 running 8.4.5:We had an issue with a remote SMTP connection getting screwed up as a result of ESMPT inspect.It took me 3 hours of troubleshooting the SMTP connection before finally figuring out that the firewall was the culprit. What really through me off was that I saw nothing in the ASA logs (warning and above) that showed packets were being dropped. I'm probably crazy but I thought I remembered seeing entries in the log when packets were dropped due to a type of inspection (specifically, I remember entries in the log saying something to the effect of packet dropped due to ESMPT inspect, packet too big). My quesiton to Cisco TAC was: Is there a simple way to have the log give a warning every time a packet is dropped due to any inspection rule, just like we can see any drops due to ACLs? So far the only answer has been a complex list of log changes to allow debugging and notifications of certain events. This isn't something I want to roll out to all my ASAs.
We have several customers running ASA 8.4x code and all seem to be plagued with the ESMTP inspection bug CSCtr92976.I have tested this in the lab with an ASA 5505 running 8.4(1), 8.4(2) and 8.4(4)1 & 8.4(4)3 and the behaviour is always the same. I have an Exchange 2007 server and I can see in the logs the following messages:
This is with the default ESMTP inspection enabled. I have also created a custom ESMTP inspection policy that does nothing but log and the behaviour is still the same. Sometimes traffic will pass but most of the time it won't. The workaround is to just disable the ESMTP inspection.
By default ASA applies DNS packet inspection with a default (maximum) packet size of 512bytes as recommended by RFC 1035, anything above is dropped.
I have a customer that is trying to use larger packet sizes due to extension mechanisms for DNS defined in RFC2671.
My question is , is it safe to increase the default packet size in the DNS inspection thus applied globally for all DNS traffic, or should / can we apply a policy that applies only to this specific customer ?
From past few months, we keep getting Connection Timeout and Connection Failure error messages in our vendor application which connects to SQL Server 2005. Also Terminal Server 2003 keep disconnecting for every few hours.After several days of troubleshooting, we come to know that this Cisco ASA 5500 is not working properly. When I access the ASDM, it shows several warning messages.I know there is a setting option to configure TimeOut, but is there anyway to test and track the ASA 5500 regarding this Timeout issues?
Tech Support Guy System Info Utility version 1.0.0.2 OS Version: Microsoft Windows XP Home Edition, Service Pack 3, 32 bit Processor: Intel(R) Celeron(R) M processor 1.60GHz, x86 Family 6 Model 13 Stepping 8 Processor Count: 1 RAM: 894 Mb Graphics Card: ATI RADEON XPRESS 200M Series, 128 Mb Hard Drives: C: Total - 38146 MB, Free - 13896 MB; Motherboard: TOSHIBA, Satellite L30 Antivirus: AVG Internet Security 2012, Updated: Yes, On-Demand Scanner: Enabled
I had deleted so many programs already, ran a ccleaner (which solved some of my problems) but still when I shuts down it takes a very long time?
On FWSM (running version 4.1 in my case) the default global policy uses the following class map:class-map inspection_default match default-inspection-traffic
What "default-inspection-traffic" includes? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.
I have an issue with Cisco ASA 5520, The summary is below!
Packet # 1 on inside capture the Call-ID was: Call-ID: 2a54f680- a5d1de2a-160c-164070a@10.7.100.1 Packet # 1 on outside interface the Call-ID was: Call-ID: 2a54f680- a5d1de2a-160c-164070a@149.5.33.44 --- this bcz of the inspection. Packet # 2 on outside capture the Call-ID was: Call-ID: 2a54f680- a5d1de2a-160c-164070a@149.5.33.44 Packet # 2 on inside capture the Call-ID stay: Call-ID: 2a54f680- a5d1de2a-160c-164070a@149.5.33.44 --- this is the problem.
(This suppose to be Call-ID: 2a54f680-a5d1de2a-160c-164070a@10.7.100.1)The inspection should change the Call-ID for the incoming packet as it did with the outgoing packet. Whenever, the CM receive the trying message with different Call-ID it considered as new session and it keep sending invitation messages for the SIP provider.NAT is enabled.
I am having issues with PXE boot images for PCs cannot be loaded from remotely.The diagnosis revealed that SunRPC & TFTP were being inspected by ASA causing drop of packets.So I excluded these two inspections for the particular server behind the firewall. It seem to resolve the issue for instance but it crawled back again.
Is there a way that the inspection can be turned off for that particular server at the IP level?
I need to allow traffic between webserver in dmz and mssql (Microsoft SQL Server 2008).MSSQL use dynamic port (now it is 63796) and this cannot be changed.
Basically, I can allow such traffic using next configuration:access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433access-list dmz extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434 access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 63796
But, I would like to add mssql inspection and I did the next:
I can't find any specific information on the implementation of packet inspection in a zone based policy firewall. In other words, is there a specification or even just a set of values that define the default inspection parameters for all protocols? With DPI I can manage 'some' of the inspection capabilities but I have some fairly rigorous and specific requirements to meet and I need to validate that the IOS ZBFW will meet those requirements. Specifically, I'm interested in HTTP, DNS, and ICMP but all other protocols would be useful as well.I'm working with basic routers; 871's, 2811's, 1841's, etc. The IOS in use in most cases is adventerprisek9-mz.151-3.T.
I currently have the default inspection engine configured in my firewall to inspect http traffic. I noticed that the ASA will drop packets when visting legitimate websites. I've tried googling for a workaround but have been unsucsselful. How can I exclude some websites or IP's from being affected by the inspection engine?
verify if the ASA 5520 CSC module way of applying security policy (http, smtp, pop3, etc.) is per network/subnet or group of users? Based on my understanding through reading, web and email protection profile/config is global. It will be the same to every network user that is redirected via service-policy config on the ASA.
Scenario: I have two VLAN, guest and employee. Of course guest and employee have different web filter profile. Can i configure it such that guest web-filter profile is not just strict while employee's access is limited only to productive internet sites.
I have problem with icmp traceroute configuration. When I enabling icmp error inspection in global policy, my traceroute results through ASA 8.2.4 looks like this: My traceroute [v0.75]
icmp inspection and ttl decrement on ASA is enabled. Also I configured ACL on outside interface to permit ICMP completely.
I have a client that is running an ASA5512-X. When I initially installed it, they were having issues sending out emails. I disabled ESMTP inspection and thought it resolved the issue. Recently, they upgraded to Exchange 2010 and are still having an issue with some emails getting hung up in the queue. If I watch the ASA when they try to telnet to the external mail servers that do not work, they get a SYN timeout.
I am not sure why this would happen since ESMTP is disabled. They are running 8.6(1) on the ASA.
I'm looking fot a way to do static URL blocking with ASA and when the URL is blocked present a "Web Page" to the user saying that it's been blocked.
So, i was wondering if i can use the http parameter "spoof server string" to replace the original URL sent by the user for another URL that points to an internal web server holding a basic page saying "Your URL request has been blocked".
The point is to have a way to tell users that the page they are trying to browse is blocked by a policy.
i have removed the icmp inspection from my default policy-map in my ASA 5520,now i could not able to ping to 4.2.2.2 from my LAN even though i have configured an ICMP Access-list in my asa like ,but I can't ping 4.2.2.2 for testing the Internet connectivity,what shall i do to allow only my self as admin to ping outside?
I am having an issue with an ASA 5510, running 8.4(1) code, causing outbound mail to remain in the SMTP server queue (Exchange 2007). This only happens with some remote mail servers. The connection usually ends with the remote server eventually sending a TCP reset.
I've taken multiple inside and outside packet traces.Other trace's contain either X's preceding various sections of the stream content or all X's in the content. The X's only appear when inspection is enabled.
Disabling inspection is the only thing that seems to allow mail to flow. I find this curious because I'm running this same ESMTP policy on other ASA's. However, they are on 8.3 code.
Most everything I find when searching on this subject says to disable ESMTP inspection. [code]
I got a problem yesterday with a customer that says that the calls from a CISCO IP Phone 7961 to an Alcatel 4018 IP Touch didn't work, well the phone rings but there's no voice; I manage a CISCO ASA version 8.2(1) and I was checking the Inspection Rules in the Service Policy Rules section and when you open the inspection_default at the Rule Actions tab I find that the H.323 H.225 and H.323 RAS box wasn't checked so I ask to the customer to made a test and the same problem happen so I checked both box and again ask to the customer for a test and it works.
I was talking to a partner and he said that maybe this Inspect fix some signaling parameters of this protocol that can't work fine behind of a firewall.
I have the asa 5505 with asdm 6.4(5). my inside LAN is 192.168.0.0/24. the outside of asa is connected on lan 10.13.74.0/24 and i need over LAN 10.13.74.0/24 connect on LAN 10.15.100.0/24. i put nat rule on asa 5505 and acl rule and users from lan 10.15.100.0/24 can connect on my server, but i can't connect on from inside of asa connect on lan 10.15.100.0/24 and 10.13.74.0/24. my configuration asa is Result of the command:
We recently got a 10 meg dedicated internet fiber connection installed. I connected it to a PIX 501 firewall and everything worked fine (I tested it for a couple of weeks). A couple of days ago I got a new ASA 5505 and replaced the PIX with this device. It works, but every so often there seems to be a timeout when surfing the web whereby I click on a link and there is up to a 45 second wait and then the page loads quickly. I was not getting this before on the PIX so I'm assuming it's not a latency issue with the connection. I am the only one using this connection on the network so it's not to say that it's being bogged down. I want to roll this out to the other users on the network but not when this is happening. The configuration is below:
I have a SIP trunk in my Florida office connected to a Cisco 2851 ISR. I'm using Unified Communications Manager 8.0 and life is great.
We just opened a new office in Spain and now the fun begins. We created a site-to-site VPN tunnel using ASA 5510 in Florida and ASA 5505 in Spain. We can register IP Commuicator phones in Spain but when they make calls it shows up as a Florida call. We need it to show up as a Spain call.
We are thinking to get a SIP trunk into the Spain office but I only have a ASA 5505 over there. Can I terminate a SIP connection to it? Is this the best option? If not, what is the recommened setup?
I am having a problem with a ASA 5505. The users on the inside cannot access internet for the most of the time. When i looked over the configuration and tried a few changes i got out to internet about 5 seconds every 30 minute or so. Very strange. When i try to access internet i just get the windows post that DNS is not working properly. As you can see in my config i get all addresses dynamic from ISP.
I am not sure what to do next, i tried to set static routes, make Nat changes, static dns addresses, searching this forum but nothing works. It seems like there is a ISP problem but i have talked to the support twice today and they say that all is fine from their side. Does ASA behave like this?
