Cisco Firewall :: ASR1002 - Implement ZBF On Router?
Jun 3, 2012
We are trying to implement the ZBF on our router to assist us in limiting the intial impact of DDOS attacks.We have configured the below and it appears that it's not working, as when un der attack the statistics don't increae.
My client is asking can the Cisco ASA 5505 implement MAC ACL in Cisco ASA 5505 which is now running in Router Mode.I have tried to search the document and also tried the ASDM in the Cisco ASA 5505 but could not see any way to do the ACL by MAC address.At the same time how to find out that by using command line the ASA 5505 able to run MAC ACL in router mode?
we have an ASR1002 running zone-based-firewall with 2 zones:
I have a common ZFW-configuration on that interfaces, e.g.
<code> class-map type inspect match-any pass_cmap_in match access-group name pass-ipv4-in ! class-map type inspect match-any ph_cmap_in match access-group name ph-ipv4-in
There is some basic stuff in the Access-Lists; direction ph-ipv4-in contains basically "permit ip any any" and ph-ipv4-out contains some permits for certain services, but nothing else. The pass-ipv4-in/out ACL contains particularly the udp-500/4500-stuff as well as gre/esp/ah.
The xconnect is only built up correctly when I configure the interface in the zone_outside. The destination for the xconnect is an ASR9k. If I do not configure the zone on the L2VPN-Interface, only arp-packet are allowed to tgo through the tunnel.
The L2VPN connects a branch office to the network of "PH". Now the trouble starts: when they are putting a host in the branch office, DHCP via the L2VPn works fine, they can ping anything from the branch office-PC in their local network and reach all internal servers etc.
BUT if they want to go to a destination outside their network, it will not work properly. For example, the branch-office-PC can ping 22.214.171.124 fine, but when they try to connect to a website, e.g. www.google.com, they run into a timeout. Netstat says, that the http-syn is sent, but no ack is received.
whereas x.y.225.250 is the PC connected via L2VPN in the branch office to their local lan. When they put the same machine in their local lan directly behind the router (without l2vpn) everything works fine. When I switch off the firewall on the Gi0/0/0-Interface, the PC from the branch office also reaches its destination, so for me it looks like the firewall inspects the traffic going via Gi0/0/1 and L2VPN, what in my opinion, it should not do....
I need to implement the backup between two sites I have router 2800 which is having a point to point connectivity with the far end.At the far end there is no router ,only one firewall is there on that firewall one access-list is there to allow the traffic .To implement the back up link i have created a site to site vpn .But the problem is as soon as the tunnel is establised .For the time being i have removed by site to site config from both firewall.
I'm having a cow of a time trying to implement a NAT configuration after having upgraded our ASA5510 recently from IOS 8.2 to 8.4. The upgrade went fine, however we now have a need to add a new NAT rule and I'm not sure whether it's possible.
The upgraded NAT rule and access list works fine at allowing external access to a web server.
However we now need to NAT the SOURCE address (either to a pool or single address) of incoming http requests before forwarding the request to the server. Hence the server will see all requests as originating from a pool with a route heading back to the ASA. The basic issue is that the severs default gateway does not return to the ASA, so "tagging" the source address of external requests to an address or interface associated with the ASA should allow the server to return the traffic to the ASA. I know we shouldn't be doing it this way but we can't see any alternative.
Having read a huge amount of examples we can access the server with the above config (or Object NAT), and we can NAT incoming traffic,however we can't combine the two by having all external http requests Source Natted before forwarding to the server.
I am looking to implement Zone-Based Firewall on some 2900 series routers (2911 and 2921.) Based on some research I've done it looks like the cisco2911-sec/k9 and cisco2921-sec/k9 bundles should be all I need. Is this correct, or is there some other licensing component that needs to be enabled for me to implement Zone-Based Firewall?
We have a cisco7206 router which is going to be replaced with an ASR1002 router. The 7206 has some interfaces in a BVI-group - the config of which i am trying to translate over into IOS XE (which runs on the ASR1002). How to translate this config from IOS to IOS XE.
We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.
I am going to configure the NATing on ASR1002 and expecing to have near about 1Million nat translation. Will ASR1002 support 1million nat translations ? how many NAT translations are supportable on the ASR1002 ?I am going to configure NAT on ASR1002-5G/K9 U& have FLASR1-FWNAT-RED.
Right now I have a ASR1002 running a very old IOS version.Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 12.2(33)XNE, RELEASE SOFTWARE (fc1) asr1000rp1-ipbasek9.02.05.00.122-33.XNE.bin – 25-NOV-2009?
I am looking to upgrade to a newer version.I was wondering if there are any tricks when upgradeing this IOS. Is it as easy as loading the IOS onto the ASR and then changing the bootpath or is there an upgrade path I must follow? Also would there any need for a licence between 2.x and 3.x.
The loopback of the ASR1002 is 126.96.36.199. When I use a browser to access it, I got the authentication dialog box asking for username/password. I input the information and submit. But authentication box comes back again and ask for the username/password.
The username/password is test okay. But somehow, the web GUI just does not use it.
We have an ASR1002 with asr1000rp1-adventerprisek9.03.05.01.S.152-1.S1.bin software.I couldn't find any documentation on how to attach an L2 interface, in my case a subinterface with a single dot1q vlan, to a BDI interface.I'm able to create a bridge-domain interface but it's down down.The command bridge-domain on the subinterface url...
I'm aware ACL's are handled in hardware on the ASR platform but wondered if there was any way to inspect how many hits we get on each line of an ACL on the ASR, I can't seem to find a command to do this.
Using LOG is not possible due to the large number of hits.
One of our customer just purchased ASR1002 router, they have three internet links from different ISPs and they dont have any remote site, they have three different public IP pool as their respective ISPs. So, is it possible to load balance the internet traffic using all three link on Cisco ASR router ( IOS - Advance Enterprise Services)
I've inherited a project building an internet connectivity solution for a large corporate. It has its own AS and its own PI space. They are putting in 100Mbit connections from 5 different Tier1's , taking full internet routing from each. Cisco ASR1002's have already been specified and purchased for the job. I'm not familiar with the ASR platform at all - is it up to the job with full routing tables? multiple instances of full tables ? (not likely to put all 5 into one box!)
we are using an ASR 1002 for dynamic NAT (with route maps). I do have a Problem with the usage of the NAT pool it self.The total NAT Translations for the pool are:
#sh ip nat stat [Id: 1] route-map natted-host-01 pool nat-pool-01 refcount 136 pool nat-pool-01: netmask 255.255.254.0 start XX.XX.202.0 end XX.XX.203.255 type generic, total addresses 512, allocated 88 (17%), missee 0
If i now look into the NAT translation Table i do get less entries:
#sh ip nat translations filter map-id dynamic 1 total Total number of translations: 43
Only a deeper look into the QFP gives here the right values:
# sh platform hardware qfp active feature nat data The ouput count matches the values I get if i isue a sh ip nat stat
My question is how is it handled internally.
We do have a problem too, with raising usage of the pool over the time.Once allocated Pool entries are not released after a period of time. And no NAT translation occur for that used IP NAT pool Addresses.
The timer on the device are set: ip nat translation timeout 300 ip nat translation tcp-timeout 900 ip nat translation pptp-timeout 900 ip nat translation udp-timeout 120 ip nat translation routemap-entry-timeout 900 ip nat translation max-entries 750000
I am trying to bring up a couple of ASR's. They are fitted with SPA modules (SPA-8X1GE-V2). These have SFP modules GLC-T fitted into them. For the life of me I cannot get these ports to come up. If I have a look at the inv the SFP's show as GE-T's (physically they are GLC-T's)
Is there a compatability problem with these GLC-T's on ASR 100x?
I have recently purchased ASR1002-RP1-ESP5 with 2 x 4K Broadband licenses to be used as LNS. Cisco have sent me PAK files for the licenses however when I try to enter the licenses into the device I get an error message saying that Licensing is not supported on this platform.
Any experience with this platform and installation of the broadband licenses?
When I spoke to Cisco TAC they told me that for this particular model the licensing is on "trust" basis where you buy license and do not install it on the actual router - similar to what 7200 used to do.
We recently purchased a Cisco ASR1002 router with four on-board Gigabit SFP-style Ethernet ports. However, when I do a "show ip interface brief", I see that there's an extra Gigabit Ethernet port. See the last interface in the following output:
ASR_1002_router#sh ip int b Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0/0 unassigned YES manual down down
On the router itself, in addition to the four Ethernet SFP ports, there are four additional RJ-45 ports. They're labeled "BITS", "MGMT", "CON", and "AUX". I know what the Con and Aux ports are, but what are the Bits and Mgmt ports? And is one of them the Gigabit Ethernet interface that I see listed at the bottom of the output? And if it is, is there anything special about it, or is it just another routed Ethernet port? Can I do something special with it, like out-of-line managment?
We have ASR1002 routers configured to run individual SubPackages, at this point everything is operating without problems.We just received a Cisco Security Advisory informing us SSHv2 is vulnerable in our version of router code.We have to upgrade to the recommended stable release, so we downloaded, installed and expanded the IOS to expose the SubPackages on the ASR routers bootflash.
Since we are running SubPackages, do we need to upgrade all SubPackages (I.E. complete IOS upgrade) of can we just upgrade the vulnerable SubPackage? How do you determine which SubPackage contains the SSHv2 application?