i have removed the icmp inspection from my default policy-map in my ASA 5520,now i could not able to ping to 4.2.2.2 from my LAN even though i have configured an ICMP Access-list in my asa like ,but I can't ping 4.2.2.2 for testing the Internet connectivity,what shall i do to allow only my self as admin to ping outside?
-icmp permit host 192.168.60.60 echo
-icmp permit host 192.168.60.60 echo-reply
On FWSM (running version 4.1 in my case) the default global policy uses the following class map:class-map inspection_default match default-inspection-traffic
What "default-inspection-traffic" includes? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.
I currently have the default inspection engine configured in my firewall to inspect http traffic. I noticed that the ASA will drop packets when visting legitimate websites. I've tried googling for a workaround but have been unsucsselful. How can I exclude some websites or IP's from being affected by the inspection engine?
View 1 Replies View RelatedI have problem with icmp traceroute configuration. When I enabling icmp error inspection in global policy, my traceroute results through ASA 8.2.4 looks like this: My traceroute [v0.75]
icmp inspection and ttl decrement on ASA is enabled. Also I configured ACL on outside interface to permit ICMP completely.
By default ASA applies DNS packet inspection with a default (maximum) packet size of 512bytes as recommended by RFC 1035, anything above is dropped.
I have a customer that is trying to use larger packet sizes due to extension mechanisms for DNS defined in RFC2671.
My question is , is it safe to increase the default packet size in the DNS inspection thus applied globally for all DNS traffic, or should / can we apply a policy that applies only to this specific customer ?
I was under the impression that all Cisco ASA firewalls shipped with a default inspection policy.
Example
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
[Code]......
can I build this myself? Why is it missing (I have two other ASA 5505s here that also do not have it). What would I do to rebuild it?
I can't find any specific information on the implementation of packet inspection in a zone based policy firewall. In other words, is there a specification or even just a set of values that define the default inspection parameters for all protocols? With DPI I can manage 'some' of the inspection capabilities but I have some fairly rigorous and specific requirements to meet and I need to validate that the IOS ZBFW will meet those requirements. Specifically, I'm interested in HTTP, DNS, and ICMP but all other protocols would be useful as well.I'm working with basic routers; 871's, 2811's, 1841's, etc. The IOS in use in most cases is adventerprisek9-mz.151-3.T.
View 4 Replies View RelatedASA 5520 running 8.4.5:We had an issue with a remote SMTP connection getting screwed up as a result of ESMPT inspect.It took me 3 hours of troubleshooting the SMTP connection before finally figuring out that the firewall was the culprit. What really through me off was that I saw nothing in the ASA logs (warning and above) that showed packets were being dropped. I'm probably crazy but I thought I remembered seeing entries in the log when packets were dropped due to a type of inspection (specifically, I remember entries in the log saying something to the effect of packet dropped due to ESMPT inspect, packet too big). My quesiton to Cisco TAC was: Is there a simple way to have the log give a warning every time a packet is dropped due to any inspection rule, just like we can see any drops due to ACLs? So far the only answer has been a complex list of log changes to allow debugging and notifications of certain events. This isn't something I want to roll out to all my ASAs.
View 5 Replies View RelatedI'm having issues with NAT dropping ICMP on default NAT. Do I need to create another NAT for ICMP?
Here's the packet-tracer result:
firewall01# packet-tracer input inside icmp 172.23.1.74 0 10 8.8.8.8 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
[code]....
More and more recently I'm seeing that inspect ICMP and ICMP error do not allow trace route to work through the firewall from inside to outside.I used to go in, enable the inspections and subsequent trace route's worked. Now when this is enabled, the firewall still blocks return trace route.
View 4 Replies View RelatedI have an issue with Cisco ASA 5520, The summary is below!
Packet # 1 on inside capture the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@10.7.100.1
Packet # 1 on outside interface the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44 --- this bcz of the inspection.
Packet # 2 on outside capture the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44
Packet # 2 on inside capture the Call-ID stay: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44 --- this is the problem.
(This suppose to be Call-ID: 2a54f680-a5d1de2a-160c-164070a@10.7.100.1)The inspection should change the Call-ID for the incoming packet as it did with the outgoing packet. Whenever, the CM receive the trying message with different Call-ID it considered as new session and it keep sending invitation messages for the SIP provider.NAT is enabled.
I need to allow traffic between webserver in dmz and mssql (Microsoft SQL Server 2008).MSSQL use dynamic port (now it is 63796) and this cannot be changed.
Basically, I can allow such traffic using next configuration:access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433access-list dmz extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434 access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 63796
But, I would like to add mssql inspection and I did the next:
class-map class_sqlnetmatch port tcp eq 1433policy-map global_policyclass inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp class class_sqlnet inspect sqlnet service-policy global_policy global
[Code] ..........
verify if the ASA 5520 CSC module way of applying security policy (http, smtp, pop3, etc.) is per network/subnet or group of users? Based on my understanding through reading, web and email protection profile/config is global. It will be the same to every network user that is redirected via service-policy config on the ASA.
Scenario: I have two VLAN, guest and employee. Of course guest and employee have different web filter profile. Can i configure it such that guest web-filter profile is not just strict while employee's access is limited only to productive internet sites.
We have a problem with some websites being blocked every now and then. Everyone inside can access this external website for weeks, and then suddenly it's not available for a few hours, and then it comes back. All without me making any changes to the firewall, ASA5510. The external website that has nothing to do with us can be accessed from anywhere outside our network, example on my iphone through Verizon.
We have not set up any rules about blocking websites, all I found was the Default Service Policy. After backing up and then deleting the rule we are able to access all sites.
I recently upgraded the ios image and the asdm on a cisco 5520 firewall. I use a policy on a cisco security manager to push policys out to this firewall. But it cant push to them now because the image has changed on the device.Is their anyway to re - assign the policy without having to do a new discovery.
View 2 Replies View Relatedwe have a nat exemption rule for 10.0.0.0/8 to w.x.y.z followed by some static nat rules and then dynamic policy nat rule for 10.0.0.0/8 to w.x.y.z natting to IP a.b.c.d.When I do a packet trace from 10.10.10.10 to w.x.y.z, it shows the packet first matching against the nat exemption rule, and then immediately afterwards it matches the dynamic policy NAT rule. The static nat rules are being successfully bypassed (which is what I want), but why does the dynamic policy nat rule apply if an exempt rule has been hit already? An actual test between the IPs above reflects the result of the packet tracer as well (IP a.b.c.d is seen on server w.x.y.z).We are running the following software on an ASA5520.
View 7 Replies View RelatedI have configured the primary firewall every thing seem to be fine, And we have configured fail over device while config is getting replicated to the fail over device we are getting below error.
ERROR: Cannot add policy to rule engine
ERROR: Unable to assign access-list LAN_out to interface inside
IOS and Model are same.But all the config got replicated from primary to secondary but except the one access group command.
access-group LAN_out in interface inside.
ASA 5520 can handle 2 ISP? not to load balance or not standby/active but to use the 2 ISP at the same time and separately. for example, ISP_A who has 10m will be dedicated to the customer A/VLAN A, then ISP_B who has 4m will be for the rest of the customer's traffic. Can the ASA 5520 do traffic shaping or policy map just like in a normal router?
View 5 Replies View RelatedI have another asa 5520 and it is configured. when i do factory default every thing erase. ok. when i enter again it promped for enable password. and it takes my privious password taht i gave in full configuration.
It generally comes no password . Why enable PW dont erase ? why factory default holds my previous password ?
When you use Group Policy to determine whether a link is fast or slow, fast links may be incorrectly flagged as slow links.
This problem may occur when a network that you are trying to detect a slow link to is configured to control the size and flow of Internet Control Message Protocol (ICMP) packets. For example, if a router allows for only ICMP ping packets that have a size of 1,024 bytes, the slow-link detection feature may flag the connection as a slow link. This is because the router discards ICMP packets that are larger than 1,024 bytes. If the router discards the packet because it exceeds the allowed size, fast links may be reported as slow links.
According to Microsoft, the default ICMP ping packet size of 2048 is used.Microsoft recommends changing every single Windows machine's ICMP size...but my customer would rather just change the router. It is a 2821 router, running 12.4(24)T4, using MLPPP to bundle two T1s.
I have made some test and i noticed that qos input policy does not classify the icmp packet based on their dscp.The "match dscp ef" or "match precedence 5" is not working only the "match protocol icmp" shows hits.
We need to classify the different icmp packets based on dscp ( TOS ) for measurement purpose.CISCO 7200, 12.4.25d and 12.4.20T have a same behavior.
I cannot seem to ping between devices on two networks hanging off a 5520 unless I use the same-security interface command. I have the relevant ACL's set up between the interfaces, but it just doesnt work unless I have that command in - if I use that command, it bypasses the ACL.
Config
interface GigabitEthernet0/0.224
description NMS
vlan 224
nameif NMS
security-level 100
ip address 10.11.120.225 255.255.255.240[code].....
I had setup a lan infrastructure with 5 3750 stack swithes. In these 3 of them are in one stack which is acting as access switch, 2 of them in another stack which is as core switch where all the SVI is configured. Now, when i tried to ping from our edge pc which is connected in access switch to default gaeway, which is configured in core switch, the ICMP is getting delayed . But when try to ping from the same edge pc to another user PC, it is getting less tahn 1 millisecond icmp replies.
why icmp is delaying to default gateway , but working with another edge to edge pcs without any delays?
i am facing a problem when the client vlan is commmunicating with the default gateway on the core 3750-x.
ios in 3750-x core is 3750e-universalk9-mz.150-2.SE.bin. But, client to client communication is happening without any dealy and icmp is less than 1 ms always.
When try to ping default gateway of client vlan, it is getting delayed (variable icmp delays). Is this an ios bug?
I am trying to set up remote access vpn on an asa 5520 running 8.4.1. I have the ipsec group, policies, and ip pool set up. When I try and connect with the cisco vpn client I see the following in the logs. Deny icmp src outside:214.67.39.42 dst outside:24.252.51.73 (type 3, code 3) by access-group "acl_inbound". Do I need to put in some firewall rules to allow this traffice so that the VPN can connect?
View 9 Replies View Relatedwe have noted the automatically removing of the only "nat (inside,any)" line, during the upgrade of ASA 5540 from 8.4(3) to 8.4(4) 1: why ?
View 1 Replies View RelatedHow to set the default outbound policy as block in access rules of rv220w? I configure my company router RV220W to block all outbound service traffic, just allow outbound service as : http, https, smtp, dns_tcp / udp. it works fine for some hours, the next day, the rules like expired, the https / smtp / DNS service fail to outgoing, only the http is still ok? What happen? Now I just set the default outbound policy as allow, all traffic can go out, but that is meaningless for a firewall device.
View 1 Replies View RelatedWe had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.
View 2 Replies View RelatedWe had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.
View 1 Replies View RelatedIs it possible via Group Policy to prevent the domain computers from automatically creating default favorites when the users log in? Currently on the Favorites Bar it creates "Web Slice Gallery" and "Suggested Sites", as well as a "Websites for United Kingdom" folder. The domain controller is running Windows Server 2008 R2, and the clients are running Windows 7.
View 4 Replies View RelatedMy company recently failed a PCI scan because our router was returning 56bit des encryption for isakmp negotiation on an existing default isakmp policy. How do I remove this default isakmp policy. I am not running 12.4(15)T1 so the no crypto isakmp policy default does not work. Is there any way other than upgrading the IOS?
Is there any way to configure a maximum number of isakmp policies that an authenticating router will check? I have 2 configured higher priority ISAKMP policies. Maybe if there is a command to limit the number of isakmp policies the router checks, that would eliminate this default policy being matched?
I have multiple customers and servers behind my ASA5510s. After moving a new customer with an FTP server behind the firewalls, they immediatly had issues with customers connecting to their FTP server. I had the default inspection rules running regarding FTP. After removing the "inspect ftp" from the global policy their issues went away. Since this is a larger customer I can't force them to change their server, I need to accomodate and fix this on the firewall. I left the "inspect ftp" command out and there have been sporatic issues from other customers, unable to connect to outside FTP servers from the terminal servers and timeouts and disconnects to our own FTP servers.
This is what I "think" is the solution.. I added a second inspection policy after the default one and only added "inspect ftp" to it. Then I used the "exclude" option to exclude the new customer. That new customer is fine and things are better, but still not working right. Does the following config accomplish what I want?? Does the exclude ACL get what I need or do I need an "include" or permit statement in that ACL?
object-group network DM_INLINE_NETWORK_10 network-object 172.24.X.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp port-object eq ftp port-object eq ftp-data
access-list global_mpc extended deny tcp any object-group DM_INLINE_TCP_1 object-group DM_INLINE_NETWORK_10(code)
I am using the "File exist"-check in my Dynamic Access Policies to be sure that VPN-computers are corporate. I would like to place the file in each users %APPDATA%-directory, but it seem that the ASA cannot use variables when specifying the path? Is there a way to do this or do I have to use a absolute path in the check?I am running a ASA 5520 with sw 8.4(1).
View 1 Replies View Related