I am having issues with PXE boot images for PCs cannot be loaded from remotely.The diagnosis revealed that SunRPC & TFTP were being inspected by ASA causing drop of packets.So I excluded these two inspections for the particular server behind the firewall. It seem to resolve the issue for instance but it crawled back again.
Is there a way that the inspection can be turned off for that particular server at the IP level?
-cisco 2651XM
-IOS: c2600-ipbasek9-mz.124-23.bin
I need to diable RDP packet inspection on this router but I can't find where I do that. I'm having troubele with audio on a sip line and I read here (bottom of page) url...that turning off RDP packet solved the problem. I've looked through the config and searched on google but couldn't find the asnwer. what is the command to turn off RDP packet inspection?
I am having a spot of bother with a Cisco PIX515, I have posted the current running config below, now I am no cisco expert by any means although I can do basic stuff with them, now I am having trouble with traffic sent from the outside to address: 10.75.32.25 it just doesn't appear to be going anywhere.
Now this firewall is deep inside a private network, with an upstream firewall that we don't manage. I have spoken to the people that look after that firewall and they say they they have traffic routing to 10.75.32.21 and 10.75.32.25 and thats it (although there is a website that runs from the server 172.16.102.5 which (if my understanding is correct) gets traffic via 10.75.32.23. [code]
We are in the process of building a new DC and would like to know which is the recommended version of code to run on the following:
Firewall Services Module
Cisco ASA5580, 5550, 5520
ACE module
Anyway, here's the situation I'm trying to configure several VLANs on my ASA to uniquely allocate to contexts, the VLANs will be trunked from my VSS. Unfortunately I'm not clear on how to achieve this, the configuration guide for 8.4 talks about multiple contexts and routed setups all which don't appear to apply exactly. I've configured the port channel at both ends and I've configured sub-interfaces on the port channel and assigned VLAN IDs. These sub-interfaces are then allocated to the contexts to set 'ip address' etc. I've not been able to successfully test this configuration and I am concerned that it is incorrect..
View 1 Replies View RelatedWe have an active-active pair of cisco ASA5580-20 with software version 8.4(1)9. There are 8 contexts on it (including admin and system). 1 context is active on Primary node and other 7 are active on Secondary node. User traffic is going through this 1 context (2 interfaces - inside to users, outside to internet) and there are peaks to 1.16M concurrent connections, max bandwidth is 1.25Gbps. CPU usage for this context in peak hours is 63%, but we noticed that when we run "show cpu usage context all" from system it shows that system context is using 25% of CPU and "Total CPU utilization" (form output of show cpu detailed - on system context) is 88% which is bad. In non peak hours - user context use 33.6% CPU, system use 14.5%, total CPU usage is 50.5% So, is it normal this cpu utilization on system context (system on Primary node)?
View 1 Replies View RelatedRunning ASDM V6.3 connecting to a couple of ASA5580's V8.2. After initial configuration everything seemed to work great, however, as of a few days ago I can no longer view statistical information. I can attach to the devices without a problem, view and edit all configuration information but the dashboard applets do not pull or display any statistical info. Resource, Interface, and Traffic status all time out with the error "Lost Connetion to Firewall". The syslog info is not display rather the error "Syslog Lost Connection". My first thought was a java issue on the client. I have ripped out and reinstalled even back-revisioned to no avail. I'm to the point where a dumpe of the management workstation is the next step. I'd like to avoid that extreme if possible.
View 3 Replies View Relatedcustomer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address, one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
View 3 Replies View Relatedi have a problem customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
View 6 Replies View RelatedI am looking for the way to define an idle timeout for specific flows on an ASA5580 by using Cisco security manager. For ex I needed to define a specific idle timeout for connections beetween specific devices (Devices in vlan1, Device2 in vlan2).To test it I did following changes by CLI and it works fine. access-list L1 extended permit ip <@IP1> <mask1> host <@IP2> class-map CM1 match access-list L1 policy-map PM1 class CM1 set connection timeout idle 02:00:00
I try do do the same configuration with CSM in order to be able to manage each changes only by using CSM.So I defined Access control list, Traffic flow and then I define timeout in CSM --> PIX/ASA/FWSM Platform --> Service Policy Rules --> IPS, QoS and Connections Rules -> connections settings -> Traffic flow idle time-out. The problem is that each time I deploy the configuration with CSM I loose the timeout config line which is the most important for my application..
We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.
View 2 Replies View RelatedWe had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.
View 1 Replies View RelatedI have multiple customers and servers behind my ASA5510s. After moving a new customer with an FTP server behind the firewalls, they immediatly had issues with customers connecting to their FTP server. I had the default inspection rules running regarding FTP. After removing the "inspect ftp" from the global policy their issues went away. Since this is a larger customer I can't force them to change their server, I need to accomodate and fix this on the firewall. I left the "inspect ftp" command out and there have been sporatic issues from other customers, unable to connect to outside FTP servers from the terminal servers and timeouts and disconnects to our own FTP servers.
This is what I "think" is the solution.. I added a second inspection policy after the default one and only added "inspect ftp" to it. Then I used the "exclude" option to exclude the new customer. That new customer is fine and things are better, but still not working right. Does the following config accomplish what I want?? Does the exclude ACL get what I need or do I need an "include" or permit statement in that ACL?
object-group network DM_INLINE_NETWORK_10 network-object 172.24.X.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp port-object eq ftp port-object eq ftp-data
access-list global_mpc extended deny tcp any object-group DM_INLINE_TCP_1 object-group DM_INLINE_NETWORK_10(code)
ASA 5520 running 8.4.5:We had an issue with a remote SMTP connection getting screwed up as a result of ESMPT inspect.It took me 3 hours of troubleshooting the SMTP connection before finally figuring out that the firewall was the culprit. What really through me off was that I saw nothing in the ASA logs (warning and above) that showed packets were being dropped. I'm probably crazy but I thought I remembered seeing entries in the log when packets were dropped due to a type of inspection (specifically, I remember entries in the log saying something to the effect of packet dropped due to ESMPT inspect, packet too big). My quesiton to Cisco TAC was: Is there a simple way to have the log give a warning every time a packet is dropped due to any inspection rule, just like we can see any drops due to ACLs? So far the only answer has been a complex list of log changes to allow debugging and notifications of certain events. This isn't something I want to roll out to all my ASAs.
View 5 Replies View RelatedI am using the Cisco ASA5510 for my Telepresent infarstructure. I have a problem with Encrypted SIP calling for call in/out.
Is there is a way to disable the TLS inspection for Cisco ASA5510?
We have several customers running ASA 8.4x code and all seem to be plagued with the ESMTP inspection bug CSCtr92976.I have tested this in the lab with an ASA 5505 running 8.4(1), 8.4(2) and 8.4(4)1 & 8.4(4)3 and the behaviour is always the same. I have an Exchange 2007 server and I can see in the logs the following messages:
2012-08-10T13:04:37.331Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,3,192.168.102.28:25,192.168.250.26:52756,<,XXXX XXXXXXXXXXXXXXX,
2012-08-10T13:04:42.345Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,4,192.168.102.28:25,192.168.250.26:52756,>,500 5.3.3 Unrecognizedcommand, 2012-08-10T13:05:20.506Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,5,192.168.102.28:25,192.168.250.26:52756,<,XXX,
This is with the default ESMTP inspection enabled. I have also created a custom ESMTP inspection policy that does nothing but log and the behaviour is still the same. Sometimes traffic will pass but most of the time it won't. The workaround is to just disable the ESMTP inspection.
By default ASA applies DNS packet inspection with a default (maximum) packet size of 512bytes as recommended by RFC 1035, anything above is dropped.
I have a customer that is trying to use larger packet sizes due to extension mechanisms for DNS defined in RFC2671.
My question is , is it safe to increase the default packet size in the DNS inspection thus applied globally for all DNS traffic, or should / can we apply a policy that applies only to this specific customer ?
let me know how to enable HTTP inspection in ASA 5505 through ASDM.
View 1 Replies View RelatedI was under the impression that all Cisco ASA firewalls shipped with a default inspection policy.
Example
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
[Code]......
can I build this myself? Why is it missing (I have two other ASA 5505s here that also do not have it). What would I do to rebuild it?
On FWSM (running version 4.1 in my case) the default global policy uses the following class map:class-map inspection_default match default-inspection-traffic
What "default-inspection-traffic" includes? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.
I have an issue with Cisco ASA 5520, The summary is below!
Packet # 1 on inside capture the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@10.7.100.1
Packet # 1 on outside interface the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44 --- this bcz of the inspection.
Packet # 2 on outside capture the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44
Packet # 2 on inside capture the Call-ID stay: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44 --- this is the problem.
(This suppose to be Call-ID: 2a54f680-a5d1de2a-160c-164070a@10.7.100.1)The inspection should change the Call-ID for the incoming packet as it did with the outgoing packet. Whenever, the CM receive the trying message with different Call-ID it considered as new session and it keep sending invitation messages for the SIP provider.NAT is enabled.
I have a branch office set up were all traffic goes back to the core, iincluding internet acces.
It has been working fine for a year, but recently I have started to see the firewalls Asa 5505 closing the connection and stopping the phone from answering the calls.
I have skinny inspection turned on all my branch offices, but had to turn it off at the one site to get one of my phones to registered.
I haven't made any changes to the network that would trigger this issue, such as upgrading phone firmware.
My firewall is configured for default deny, other than Skinny (tcp 2000), do I need Skinny inspection to be turned on?
It's turned on my 5 other branches.How can I debug why the skinny inspection is closing the connection?As a separate note this phone is part of a pool of phones that shares a common DN, would this be causing the issue?
I Have a 2821 Router with a IOS Version 12.4(13r)T. When i enabled the firewall, my download speed slows down to 10-20kbps (the normal is 5-6 Mbps).
View 11 Replies View RelatedI need to allow traffic between webserver in dmz and mssql (Microsoft SQL Server 2008).MSSQL use dynamic port (now it is 63796) and this cannot be changed.
Basically, I can allow such traffic using next configuration:access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433access-list dmz extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434 access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 63796
But, I would like to add mssql inspection and I did the next:
class-map class_sqlnetmatch port tcp eq 1433policy-map global_policyclass inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp class class_sqlnet inspect sqlnet service-policy global_policy global
[Code] ..........
I can't find any specific information on the implementation of packet inspection in a zone based policy firewall. In other words, is there a specification or even just a set of values that define the default inspection parameters for all protocols? With DPI I can manage 'some' of the inspection capabilities but I have some fairly rigorous and specific requirements to meet and I need to validate that the IOS ZBFW will meet those requirements. Specifically, I'm interested in HTTP, DNS, and ICMP but all other protocols would be useful as well.I'm working with basic routers; 871's, 2811's, 1841's, etc. The IOS in use in most cases is adventerprisek9-mz.151-3.T.
View 4 Replies View RelatedI currently have the default inspection engine configured in my firewall to inspect http traffic. I noticed that the ASA will drop packets when visting legitimate websites. I've tried googling for a workaround but have been unsucsselful. How can I exclude some websites or IP's from being affected by the inspection engine?
View 1 Replies View Relatedverify if the ASA 5520 CSC module way of applying security policy (http, smtp, pop3, etc.) is per network/subnet or group of users? Based on my understanding through reading, web and email protection profile/config is global. It will be the same to every network user that is redirected via service-policy config on the ASA.
Scenario: I have two VLAN, guest and employee. Of course guest and employee have different web filter profile. Can i configure it such that guest web-filter profile is not just strict while employee's access is limited only to productive internet sites.
I have problem with icmp traceroute configuration. When I enabling icmp error inspection in global policy, my traceroute results through ASA 8.2.4 looks like this: My traceroute [v0.75]
icmp inspection and ttl decrement on ASA is enabled. Also I configured ACL on outside interface to permit ICMP completely.
I have a client that is running an ASA5512-X. When I initially installed it, they were having issues sending out emails. I disabled ESMTP inspection and thought it resolved the issue. Recently, they upgraded to Exchange 2010 and are still having an issue with some emails getting hung up in the queue. If I watch the ASA when they try to telnet to the external mail servers that do not work, they get a SYN timeout.
I am not sure why this would happen since ESMTP is disabled. They are running 8.6(1) on the ASA.
I'm looking fot a way to do static URL blocking with ASA and when the URL is blocked present a "Web Page" to the user saying that it's been blocked.
So, i was wondering if i can use the http parameter "spoof server string" to replace the original URL sent by the user for another URL that points to an internal web server holding a basic page saying "Your URL request has been blocked".
The point is to have a way to tell users that the page they are trying to browse is blocked by a policy.
i have removed the icmp inspection from my default policy-map in my ASA 5520,now i could not able to ping to 4.2.2.2 from my LAN even though i have configured an ICMP Access-list in my asa like ,but I can't ping 4.2.2.2 for testing the Internet connectivity,what shall i do to allow only my self as admin to ping outside?
-icmp permit host 192.168.60.60 echo
-icmp permit host 192.168.60.60 echo-reply
I am having an issue with an ASA 5510, running 8.4(1) code, causing outbound mail to remain in the SMTP server queue (Exchange 2007). This only happens with some remote mail servers. The connection usually ends with the remote server eventually sending a TCP reset.
I've taken multiple inside and outside packet traces.Other trace's contain either X's preceding various sections of the stream content or all X's in the content. The X's only appear when inspection is enabled.
Disabling inspection is the only thing that seems to allow mail to flow. I find this curious because I'm running this same ESMTP policy on other ASA's. However, they are on 8.3 code.
Most everything I find when searching on this subject says to disable ESMTP inspection. [code]
I got a problem yesterday with a customer that says that the calls from a CISCO IP Phone 7961 to an Alcatel 4018 IP Touch didn't work, well the phone rings but there's no voice; I manage a CISCO ASA version 8.2(1) and I was checking the Inspection Rules in the Service Policy Rules section and when you open the inspection_default at the Rule Actions tab I find that the H.323 H.225 and H.323 RAS box wasn't checked so I ask to the customer to made a test and the same problem happen so I checked both box and again ask to the customer for a test and it works.
I was talking to a partner and he said that maybe this Inspect fix some signaling parameters of this protocol that can't work fine behind of a firewall.