Cisco Firewall :: ASA 5520 / How To See / Log Drops Due To Inspection

Jan 29, 2013

ASA 5520 running 8.4.5: We had an issue with a remote SMTP connection getting screwed up as a result of ESMTP inspect. It took me 3 hours of troubleshooting the SMTP connection before finally figuring out that the firewall was the culprit. What really threw me off was that I saw nothing in the ASA logs (warning and above) that showed packets were being dropped. I'm probably crazy but I thought I remembered seeing entries in the log when packets were dropped due to a type of inspection (specifically, I remember entries in the log saying something to the effect of packet dropped due to ESMTP inspect, packet too big). My question to Cisco TAC was: Is there a simple way to have the log give a warning every time a packet is dropped due to any inspection rule, just like we can see any drops due to ACLs? So far the only answer has been a complex list of log changes to allow debugging and notifications of certain events. This isn't something I want to roll out to all my ASAs.




Cisco Firewall :: ASA 5520 SIP Inspection Process Is Not Working?

Jul 16, 2009

I have an issue with Cisco ASA 5520, The summary is below!
 
Packet #1 on inside capture the Call-ID was: Call-ID: 2a54f680-a5d1de2a-160c-164070a@10.7.100.1
Packet #1 on outside interface the Call-ID was: Call-ID: 2a54f680-a5d1de2a-160c-164070a@149.5.33.44 --- this is because of the inspection.
Packet #2 on outside capture the Call-ID was: Call-ID: 2a54f680-a5d1de2a-160c-164070a@149.5.33.44
Packet #2 on inside capture the Call-ID stayed: Call-ID: 2a54f680-a5d1de2a-160c-164070a@149.5.33.44 --- this is the problem.

(This is supposed to be Call-ID: 2a54f680-a5d1de2a-160c-164070a@10.7.100.1.) The inspection should change the Call-ID for the incoming packet as it did with the outgoing packet. Whenever the CM receives the Trying message with a different Call-ID, it is considered a new session and it keeps sending invitation messages to the SIP provider. NAT is enabled.


Cisco Firewall :: ASA 5520 - Inspection Of MSSQL Dynamic Port

Jun 5, 2012

I need to allow traffic between a webserver in the DMZ and MSSQL (Microsoft SQL Server 2008). MSSQL uses a dynamic port (now it is 63796) and this cannot be changed.
 
Basically, I can allow such traffic using the following configuration:

access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433
access-list dmz extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434
access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 63796
 
But I would like to add MSSQL inspection, and I did the following:
 
class-map class_sqlnet
 match port tcp eq 1433
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class_sqlnet
  inspect sqlnet
service-policy global_policy global
[Code] ..........


Cisco Firewall :: ASA 5520 Default Inspection Engine Dropping Connections

May 25, 2011

I currently have the default inspection engine configured in my firewall to inspect HTTP traffic. I noticed that the ASA will drop packets when visiting legitimate websites. I've tried googling for a workaround but have been unsuccessful. How can I exclude some websites or IPs from being affected by the inspection engine?


Cisco Firewall :: ASA 5520 CSC Module Per Subnet / IP Group Inspection Profile

Sep 7, 2011

Verify if the ASA 5520 CSC module's way of applying security policy (HTTP, SMTP, POP3, etc.) is per network/subnet or group of users? Based on my understanding through reading, the web and email protection profile/config is global. It will be the same for every network user that is redirected via the service-policy config on the ASA.
 
Scenario: I have two VLANs, guest and employee. Of course guest and employee have different web filter profiles. Can I configure it such that the guest web-filter profile is not just strict while the employee's access is limited only to productive internet sites?


Cisco Firewall :: ASA 5520 Removed Icmp Inspection From Default Policy-map

May 10, 2012

I have removed the ICMP inspection from my default policy-map in my ASA 5520; now I am not able to ping 4.2.2.2 from my LAN, even though I have configured an ICMP access-list in my ASA like the following. I can't ping 4.2.2.2 for testing the Internet connectivity. What shall I do to allow only myself as admin to ping outside?
 
-icmp permit host 192.168.60.60 echo
-icmp permit host 192.168.60.60 echo-reply


Cisco :: ASA DNS Inspection Can See A Lot Of DNS Drops

Jul 8, 2011

We have an ASA 5580 with multiple contexts in our company. On one of the contexts (where the DNS servers are located) I can see a lot of DNS drops.


Cisco Firewall :: ASA 5520 8.3 VPN Tunnel Drops Traffic

Aug 23, 2011

We have a 100 Mbps WAN circuit. We have configured an IPsec tunnel between an ASA 5520 and a Cisco 3845 Router for our DR site replication via Veeam Backup and Replication. It was working fine before; when we established the 3DES tunnel, the traffic for certain subnets is dropped after an hour and it stops the replication, although the tunnel remains up and we can access the other subnets. As soon as we clear the crypto SA and ISAKMP sessions on the firewall the traffic starts flowing again, and then after an hour the traffic is dropped again. So far the testing and different configurations we tried are as under.
 
Tried with a different MTU size both on the firewall and the ESXi servers but nothing happened. There is no QoS configuration. Checked the utilization on both ends; it's normal, although there are subsequent 100% spikes on the Cisco 3845, but on average it remains at 30-40%.


Cisco Firewall :: Does ASA 5520 Support Dual Network Drops

Oct 9, 2011

We are looking to deploy an ASA 5520, but I need to know if it is possible for it to work in this environment.
 
We have colo space, with two IP ranges. They provide two network drops, one from each switch connected to different routers. One of them has 4 usable IPs for management purposes. This address range will be used only for remote access to the ASA and VPN into the management VLAN. The management VLAN will have all internal devices such as the switches, etc. The second range is for the servers, which will be assigned directly to the hosts, and the ASA will need to act as just a firewall. I can do this on IOS, but not sure about the ASA.
 
I need to answer the following questions:
 
Does the ASA support dual network drops, and would this be a failover port configuration in order for it to work?
A management VLAN with outbound internet access only, and VPN/RA capability. NAT will need to be used, I'm guessing.
Can we have a DMZ VLAN which has defined ports, say 80, 443 and 25 inbound and outbound? I need the hosts to have the public IP assigned to them with no NAT configuration.
 
I know there are some advantages to using NAT, but I really can't use it because the applications behind prefer public IPs being assigned to them.


Cisco Firewall :: ASA 5520 Activating Failover Config Drops Routing Table

May 21, 2012

I'm attempting to configure two ASA 5520s for active/standby failover. When I enter the "failover" command to enable the config on the primary ASA, the entire routing table disappears. There is no routing process running; only static routes are configured.
 
Is this an expected behavior of the failover process and if so, how long should I wait for the routes to come back?


Cisco Firewall :: 2901 - How To Avoid SMTP Inspection On Zone Based Firewall

Aug 2, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.


Cisco Firewall :: 2901 To Avoid SMTP Inspection On Zone Based Firewall

Jun 21, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). Incoming mails are going through a Spam and Virus Blocker, so bypassing SMTP inspection is not a security issue in this case.


Cisco Firewall :: ASA 5510 - FTP Inspection

May 25, 2011

I have multiple customers and servers behind my ASA5510s. After moving a new customer with an FTP server behind the firewalls, they immediately had issues with customers connecting to their FTP server. I had the default inspection rules running regarding FTP. After removing the "inspect ftp" from the global policy their issues went away. Since this is a larger customer I can't force them to change their server; I need to accommodate and fix this on the firewall. I left the "inspect ftp" command out and there have been sporadic issues from other customers: unable to connect to outside FTP servers from the terminal servers, and timeouts and disconnects to our own FTP servers.
 
This is what I "think" is the solution. I added a second inspection policy after the default one and only added "inspect ftp" to it. Then I used the "exclude" option to exclude the new customer. That new customer is fine and things are better, but still not working right. Does the following config accomplish what I want? Does the exclude ACL get what I need, or do I need an "include" or permit statement in that ACL?
 
object-group network DM_INLINE_NETWORK_10
 network-object 172.24.X.0 255.255.255.0
 
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
 
access-list global_mpc extended deny tcp any object-group DM_INLINE_TCP_1 object-group DM_INLINE_NETWORK_10
(code)


Cisco Firewall :: How To Disable TLS Inspection For SIP On ASA5510

Jun 13, 2012

I am using the Cisco ASA5510 for my TelePresence infrastructure. I have a problem with encrypted SIP calling for calls in/out.
 
Is there is a way to disable the TLS inspection for Cisco ASA5510?


Cisco Firewall :: ASA 8.4x ESMTP Inspection Bug CSCtr92976

Aug 9, 2012

We have several customers running ASA 8.4x code and all seem to be plagued with the ESMTP inspection bug CSCtr92976. I have tested this in the lab with an ASA 5505 running 8.4(1), 8.4(2), 8.4(4)1 and 8.4(4)3 and the behaviour is always the same. I have an Exchange 2007 server and I can see the following messages in the logs:

2012-08-10T13:04:37.331Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,3,192.168.102.28:25,192.168.250.26:52756,<,XXXX XXXXXXXXXXXXXXX,
2012-08-10T13:04:42.345Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,4,192.168.102.28:25,192.168.250.26:52756,>,500 5.3.3 Unrecognizedcommand,
2012-08-10T13:05:20.506Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,5,192.168.102.28:25,192.168.250.26:52756,<,XXX,

This is with the default ESMTP inspection enabled. I have also created a custom ESMTP inspection policy that does nothing but log, and the behaviour is still the same. Sometimes traffic will pass but most of the time it won't. The workaround is to just disable the ESMTP inspection.


Cisco Firewall :: RFC2671 / Default ASA DNS Inspection

Sep 21, 2011

By default the ASA applies DNS packet inspection with a default (maximum) packet size of 512 bytes as recommended by RFC 1035; anything above is dropped.
 
I have a customer that is trying to use larger packet sizes due to the extension mechanisms for DNS defined in RFC 2671.
 
My question is: is it safe to increase the default packet size in the DNS inspection, which is applied globally for all DNS traffic, or should / can we apply a policy that applies only to this specific customer?


Cisco Firewall :: HTTP Inspection On ASA 5505

May 3, 2011

Let me know how to enable HTTP inspection on an ASA 5505 through ASDM.


Cisco Firewall :: No Class Inspection Default On 5505?

May 9, 2012

I was under the impression that all Cisco ASA firewalls shipped with a default inspection policy.
 
Example 
policy-map global_policy
class inspection_default
inspect dns preset_dns_map

[Code]......
 
Can I build this myself? Why is it missing (I have two other ASA 5505s here that also do not have it)? What would I do to rebuild it?


Cisco Firewall :: Default FWSM 4.1 Inspection Policy

Jan 10, 2011

On the FWSM (running version 4.1 in my case) the default global policy uses the following class map:

class-map inspection_default
 match default-inspection-traffic
 
What does "default-inspection-traffic" include? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.


Cisco Firewall :: ASA5580-40 Deep Packet Inspection?

Jan 18, 2012

I am having issues with PXE boot images for PCs that cannot be loaded remotely. The diagnosis revealed that SunRPC and TFTP were being inspected by the ASA, causing packets to be dropped. So I excluded these two inspections for the particular server behind the firewall. It seemed to resolve the issue for a while, but it crawled back again.
 
Is there a way that the inspection can be turned off for that particular server at the IP level?


Cisco Firewall :: ASA 5505 / Skinny Inspection Closes Connection

Dec 31, 2011

I have a branch office set up where all traffic goes back to the core, including internet access.
 
It has been working fine for a year, but recently I have started to see the ASA 5505 firewalls closing the connection and stopping the phone from answering the calls.
 
I have Skinny inspection turned on at all my branch offices, but had to turn it off at the one site to get one of my phones to register.
 
I haven't made any changes to the network that would trigger this issue, such as upgrading phone firmware.
 
My firewall is configured for default deny; other than Skinny (TCP 2000), do I need Skinny inspection to be turned on?
 
It's turned on at my 5 other branches. How can I debug why the Skinny inspection is closing the connection? As a separate note, this phone is part of a pool of phones that shares a common DN; would this be causing the issue?


Cisco Firewall :: 2821 - ZBF - Inspection Slows Down HTTP Downloads

Mar 8, 2011

I have a 2821 Router with IOS Version 12.4(13r)T. When I enabled the firewall, my download speed slowed down to 10-20 kbps (the normal is 5-6 Mbps).


Cisco Firewall :: 871 / 2811 / 1841 - ZBFW Default Inspection Specification

May 6, 2011

I can't find any specific information on the implementation of packet inspection in a zone based policy firewall. In other words, is there a specification or even just a set of values that define the default inspection parameters for all protocols? With DPI I can manage 'some' of the inspection capabilities, but I have some fairly rigorous and specific requirements to meet and I need to validate that the IOS ZBFW will meet those requirements. Specifically, I'm interested in HTTP, DNS, and ICMP, but all other protocols would be useful as well. I'm working with basic routers: 871s, 2811s, 1841s, etc. The IOS in use in most cases is adventerprisek9-mz.151-3.T.


Cisco Firewall :: Trace-route Through ASA 8.2 Is Not Working When ICMP Error Inspection

Jun 6, 2011

I have a problem with ICMP traceroute configuration. When I enable ICMP error inspection in the global policy, my traceroute results through ASA 8.2.4 look like this: My traceroute [v0.75]

ICMP inspection and TTL decrement on the ASA are enabled. Also, I configured an ACL on the outside interface to permit ICMP completely.


Cisco Firewall :: ASA5512-X Outbound Email With ESMTP Inspection Disabled

Jan 14, 2013

I have a client that is running an ASA5512-X. When I initially installed it, they were having issues sending out emails. I disabled ESMTP inspection and thought it resolved the issue. Recently, they upgraded to Exchange 2010 and are still having an issue with some emails getting hung up in the queue. If I watch the ASA when they try to telnet to the external mail servers that do not work, they get a SYN timeout.
 
I am not sure why this would happen since ESMTP is disabled. They are running 8.6(1) on the ASA.


Cisco Firewall :: ASA 5500 - HTTP Inspection Spoof Server String

Aug 11, 2011

I'm looking for a way to do static URL blocking with the ASA and, when the URL is blocked, present a "Web Page" to the user saying that it has been blocked.

So, I was wondering if I can use the HTTP parameter "spoof server string" to replace the original URL sent by the user with another URL that points to an internal web server holding a basic page saying "Your URL request has been blocked".
 
The point is to have a way to tell users that the page they are trying to browse is blocked by a policy.


Cisco Firewall :: ASA5510 ESMTP Inspection Stopping Outbound Mail

Jun 13, 2011

I am having an issue with an ASA 5510, running 8.4(1) code, causing outbound mail to remain in the SMTP server queue (Exchange 2007). This only happens with some remote mail servers. The connection usually ends with the remote server eventually sending a TCP reset.
 
I've taken multiple inside and outside packet traces. Other traces contain either X's preceding various sections of the stream content or all X's in the content. The X's only appear when inspection is enabled.
 
Disabling inspection is the only thing that seems to allow mail to flow. I find this curious because I'm running this same ESMTP policy on other ASAs. However, they are on 8.3 code.
 
Most everything I find when searching on this subject says to disable ESMTP inspection. [code]


Cisco Firewall :: IP Phone 7961 - Inspection Rule Activated And Call Works

Jun 23, 2011

I got a problem yesterday with a customer who says that calls from a Cisco IP Phone 7961 to an Alcatel 4018 IP Touch didn't work: the phone rings but there's no voice. I manage a Cisco ASA version 8.2(1) and I was checking the Inspection Rules in the Service Policy Rules section. When you open inspection_default at the Rule Actions tab, I found that the H.323 H.225 and H.323 RAS boxes weren't checked, so I asked the customer to make a test and the same problem happened. So I checked both boxes and again asked the customer for a test, and it works.
 
I was talking to a partner and he said that maybe this inspect fixes some signaling parameters of this protocol that can't work fine behind a firewall.


Cisco Firewall :: ASA 5505 - Http Inspection Dropping All Http Traffic

May 9, 2012

I am testing out some inspection options on an ASA 5505, and I am running into a situation in which applying an HTTP inspection is dropping all outbound HTTP traffic. I get a "protocol violation" error in the logs.
 
Here is the setup. I'm not sure why the web traffic is getting dropped.
 
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto

[Code].....


Cisco Firewall :: Difference Between ASA-5520-K9 And ASA-5520-K8

Nov 2, 2012

We were using an ASA-5520-K9 with an ASA-SSM-AIP-20-K9 but recently found a hardware problem in our running ASA. Now Cisco wants to replace it with an ASA-5520-K8.


Cisco Firewall :: Upgrade From 5505 To 5520 On Network - ASA Firewall Throughput

Feb 27, 2013

I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL]).
 
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10 meg Internet circuit with an IPsec VPN (not landed on the firewall but on a router) to another site.
 
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary: no IPS or VPN, just standard stateful inspection.


Cisco Firewall :: ASA 5520 - Routed Management Interface On Transparent Firewall?

May 5, 2013

I have an ASA 5520. How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?


Cisco Firewall :: 5520 Identity Based Firewall Doesn't Work Using Citrix Published

Jul 26, 2012

We are using the newest release of AD Agent (1.0.0.32.1, build 598). The ASA 5520 firewalls have software release 8.4(3)8 installed. When somebody tries to connect through the identity based firewalls from a Citrix published desktop environment (PDI), the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in to. The user-of-ip mapping of the PDI's IP address mostly shows other users, which are then used to authenticate the access through the firewalls.
 
What is interesting is that on the AD Agent, using "adacfg.exe cache list | find /i "USERNAME"", I can't see the PDI's IP address either, because it is mapped to another user. Is the Citrix Published Desktop environment supported to connect through identity based firewalls? How do AD Agent, Domain Controllers and firewalls work together? On the firewalls with "show user-identity ad-agent" we see the following:
 
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
 
Why does Cisco use 1645 and 1646 and not 1812 and 1813? What purpose is the Listening Port used for? We tried the AD Agent modes full-download and on-demand with the same effect.

Copyrights 2005-15 www.BigResource.com, All rights reserved