I was under the impression that all Cisco ASA firewalls shipped with a default inspection policy.
Example
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
[Code]......
can I build this myself? Why is it missing (I have two other ASA 5505s here that also do not have it). What would I do to rebuild it?
I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part.
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
Guest VLAN has access to 2 IP's in Data for printing. Cisco871#sh run
Building configuration...
Current configuration : 8005 bytes
!
version 12.4
no service pad
[Code].....
By default ASA applies DNS packet inspection with a default (maximum) packet size of 512bytes as recommended by RFC 1035, anything above is dropped.
I have a customer that is trying to use larger packet sizes due to extension mechanisms for DNS defined in RFC2671.
My question is , is it safe to increase the default packet size in the DNS inspection thus applied globally for all DNS traffic, or should / can we apply a policy that applies only to this specific customer ?
On FWSM (running version 4.1 in my case) the default global policy uses the following class map:class-map inspection_default match default-inspection-traffic
What "default-inspection-traffic" includes? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.
I can't find any specific information on the implementation of packet inspection in a zone based policy firewall. In other words, is there a specification or even just a set of values that define the default inspection parameters for all protocols? With DPI I can manage 'some' of the inspection capabilities but I have some fairly rigorous and specific requirements to meet and I need to validate that the IOS ZBFW will meet those requirements. Specifically, I'm interested in HTTP, DNS, and ICMP but all other protocols would be useful as well.I'm working with basic routers; 871's, 2811's, 1841's, etc. The IOS in use in most cases is adventerprisek9-mz.151-3.T.
View 4 Replies View RelatedI currently have the default inspection engine configured in my firewall to inspect http traffic. I noticed that the ASA will drop packets when visting legitimate websites. I've tried googling for a workaround but have been unsucsselful. How can I exclude some websites or IP's from being affected by the inspection engine?
View 1 Replies View Relatedi have removed the icmp inspection from my default policy-map in my ASA 5520,now i could not able to ping to 4.2.2.2 from my LAN even though i have configured an ICMP Access-list in my asa like ,but I can't ping 4.2.2.2 for testing the Internet connectivity,what shall i do to allow only my self as admin to ping outside?
-icmp permit host 192.168.60.60 echo
-icmp permit host 192.168.60.60 echo-reply
let me know how to enable HTTP inspection in ASA 5505 through ASDM.
View 1 Replies View RelatedI'm trying to support a friend. They just switched to TWC Business Class from Megapath. They have a Cisco 5505 ASA and are trying to configure it to work with the new TimeWarner cable modem. But we can't get PCs behind the firewall out to the Internet.
We think it should be a pretty simple config. They have the ASA connected directly to the modem. The modem is running DHCP, and we''ve configured the ASA to get its address via DHCP. We have a Windows server behind the firewall; it can't get out the Internet either. It's set up to be a DHCP server and is giving IP addresses to the PCs on the network.
Laptops connected via wifi to a wireless router attached to the modem are able to connect to the internet, thus we know the modem is up and running fine.
Here's our running config:
ASA Version 8.4(1)!hostname ciscoasadomain-name opanslab.comenable password yYME2neTGgA0S1./ encryptedpasswd yYME2neTGgA0S1./ encryptednames!interface Vlan1nameif insidesecurity-level 100ip address
[Code].....
I have a branch office set up were all traffic goes back to the core, iincluding internet acces.
It has been working fine for a year, but recently I have started to see the firewalls Asa 5505 closing the connection and stopping the phone from answering the calls.
I have skinny inspection turned on all my branch offices, but had to turn it off at the one site to get one of my phones to registered.
I haven't made any changes to the network that would trigger this issue, such as upgrading phone firmware.
My firewall is configured for default deny, other than Skinny (tcp 2000), do I need Skinny inspection to be turned on?
It's turned on my 5 other branches.How can I debug why the skinny inspection is closing the connection?As a separate note this phone is part of a pool of phones that shares a common DN, would this be causing the issue?
I am testing out some inspection options on an ASA 5505, and I am running into a situation in which applying a http inspection is dropping all outbound http traffic. I get a "protocol violation" error in the logs.
Here is the setup: I'm not sure why the web traffic is getting dropped.
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
[Code].....
I was looking at a problem where a traffic from certain sites have a restricted bandwidth, an ongoing problem for a year or so, apparently this throughput never exceeds around 25Mbps. My customer describes a situation where the end to end utilisation rises, eventually flat-lining at around 25Mbps. how many extra systems come on line, this traffic never exceeds this rate, and end users complain of poor responses.
During my investigation I found that one of the switches (Cat 6509) in the traffic path has a policer configured on a vlan interface, the policer has 3 sections for different traffic based on DSCP markers, and a default (unconfigured) class-default. Various people have had a poke about with this config over the years, with the result that all the traffic has the CoS and DSCP tags set to 0. All this traffic is hitting the class-default in the policer.The link that this traffic hits the Cat 6509 on is a 100Mbps link.
If I was designing this from scratch I'd probably configure a rate for the class-default.my question is, in the case where no specific configuration has been entered for the class-default, how much bandwidth is allocated to this class?
What is the factory default config on ASA5505 with 8.4.1?
View 3 Replies View Relatedi have a new 5505 and i have done a few configurations on it. When i try to reset it to the factory settings via asdm i get an error saying it could not be done. I have used config-factory-default using the cli option available in the asdm. I am using asa 8.2 and asdm 6.2. Will erasing the flash reset to factory defaults.
View 4 Replies View RelatedCISCO ASA 5505
Interfaces:
OUTSIDE - 194.50.90.221 255.255.255.0 / security level 0
DMZ - 192.168.12.254 255.255.255.0 / security level 25
INSIDE - 192.168.0.6 255.255.255.0 / security level 50
Now, if I want to ping from the DMZ to INSIDE, I get an error message "no translation group found for icmp src DMZ: ...... dst: INSIDE...."
I fixed is by adding "NAT 0" onto the INSIDE interface so that packets originating from "INSIDE" that are destined for "DMZ" do not get NAT'd.
Now my question is, becasue these are all directly connected networks, how come the firewall does not route the packets, but tries to NAT them instead.
Im trying to configure HTTP Inpsection with regex matching on a ASA 5505 (8.2) so that I can deny all websites apart from google and yahoo. And also enclude host 192.168.1.2 from this inspection. I have been through a number of examples and the syntax below appears correct but appears not to work. The logs report only that traffic has been dropped by the inspection policy.
View 11 Replies View RelatedA customer got a new VoIP PBX, and now I have to forward port 443 on the ASA to the PBX for remote administration purposes. The LAN-interface of the PBX is in the same subnet as the ASA but has an external VoIP-router as default gateway and not our ASA. Is it even possible to forward the port to the PBX when there is no route of any sort to our ASA on it?
View 2 Replies View RelatedWhy when I try to reset Cisco ASA 5505 by pressing the button behind the hardware nothing happen? Just via software I can reset it?
I bought the hardware an year ago and I've never used, the problem that I don't have the blue cable and via software connecting to PC doesn't work.
ASA 8.3(2) 5505
I've configured a number of remote access vpns on ASAs, but I don't recall having a default gateway setting assigned after logging in.
Is there a way to disable the assignment of a default gateway upon login?
The value assigned is meaningless. It's just the next available address in the local pool.
We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.
View 2 Replies View RelatedWe had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.
View 1 Replies View RelatedSo here is my network.
ASA5505--->Cisco1841--->Cat2960
Code
ASA asa831-k8.bin
Cisco 1841 c1841-adventerprisek9-mz.151-4.M2.bin
Cat 2960 c2960-lanbasek9-mz.122-55.SE1.bin
and here is my dilemma.
I can SSH from the internet to my ASA on default port 22, directly to my public IP. I can SSH from the internet to my Cisco 1841 on port 2001. I can not however, SSH to my Cat 2960. From what i can tell, on the Cat2960 i can't change the default port 22 for SSH to different port, just like i did on the Cisco 1841. I looked to see if I can change the default port for SSH on he ASA, it does not look like this is an option.
The bottom line is that i want to be able to SSH to all three devices from the internet. I only have one public IP. As of now, what i can do is only SSH to the ASA on default port 22 directly to the public IP and Cisco 1841 on port 2001. It appears that changing the default SSH port on Cat 2960 is not an option. It also appears that I can't change the default SSH port on the ASA, if i could, i would and then i should be able to SSH to the Cat 2960 on port 22. No matter what i did on the ASA, it always listens on port 22 for SSH connections.
show asp table socket
TCP 001f549f <<pub IP>>:22 0.0.0.0:* LISTEN
how do i make it listen on different port?
Here is relevent config for SSH for cisco 1841 (port forwarding)
ON ASA
object network ROUTER
host 10.10.1.1
[Code].....
I have multiple customers and servers behind my ASA5510s. After moving a new customer with an FTP server behind the firewalls, they immediatly had issues with customers connecting to their FTP server. I had the default inspection rules running regarding FTP. After removing the "inspect ftp" from the global policy their issues went away. Since this is a larger customer I can't force them to change their server, I need to accomodate and fix this on the firewall. I left the "inspect ftp" command out and there have been sporatic issues from other customers, unable to connect to outside FTP servers from the terminal servers and timeouts and disconnects to our own FTP servers.
This is what I "think" is the solution.. I added a second inspection policy after the default one and only added "inspect ftp" to it. Then I used the "exclude" option to exclude the new customer. That new customer is fine and things are better, but still not working right. Does the following config accomplish what I want?? Does the exclude ACL get what I need or do I need an "include" or permit statement in that ACL?
object-group network DM_INLINE_NETWORK_10 network-object 172.24.X.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp port-object eq ftp port-object eq ftp-data
access-list global_mpc extended deny tcp any object-group DM_INLINE_TCP_1 object-group DM_INLINE_NETWORK_10(code)
I have a request for blocking urls using a class map. I have made this work with HTTP, however it does not work for https. This is a 2851 router with IOS Version 12.4(15)T7. I see i could use the command "match protocol secure-https" however this does not let me specify any specific urls.
Does a new IOS version will support what I'm trying to do? Or if there is another way?
ASA 5520 running 8.4.5:We had an issue with a remote SMTP connection getting screwed up as a result of ESMPT inspect.It took me 3 hours of troubleshooting the SMTP connection before finally figuring out that the firewall was the culprit. What really through me off was that I saw nothing in the ASA logs (warning and above) that showed packets were being dropped. I'm probably crazy but I thought I remembered seeing entries in the log when packets were dropped due to a type of inspection (specifically, I remember entries in the log saying something to the effect of packet dropped due to ESMPT inspect, packet too big). My quesiton to Cisco TAC was: Is there a simple way to have the log give a warning every time a packet is dropped due to any inspection rule, just like we can see any drops due to ACLs? So far the only answer has been a complex list of log changes to allow debugging and notifications of certain events. This isn't something I want to roll out to all my ASAs.
View 5 Replies View RelatedI am using the Cisco ASA5510 for my Telepresent infarstructure. I have a problem with Encrypted SIP calling for call in/out.
Is there is a way to disable the TLS inspection for Cisco ASA5510?
We have several customers running ASA 8.4x code and all seem to be plagued with the ESMTP inspection bug CSCtr92976.I have tested this in the lab with an ASA 5505 running 8.4(1), 8.4(2) and 8.4(4)1 & 8.4(4)3 and the behaviour is always the same. I have an Exchange 2007 server and I can see in the logs the following messages:
2012-08-10T13:04:37.331Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,3,192.168.102.28:25,192.168.250.26:52756,<,XXXX XXXXXXXXXXXXXXX,
2012-08-10T13:04:42.345Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,4,192.168.102.28:25,192.168.250.26:52756,>,500 5.3.3 Unrecognizedcommand, 2012-08-10T13:05:20.506Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,5,192.168.102.28:25,192.168.250.26:52756,<,XXX,
This is with the default ESMTP inspection enabled. I have also created a custom ESMTP inspection policy that does nothing but log and the behaviour is still the same. Sometimes traffic will pass but most of the time it won't. The workaround is to just disable the ESMTP inspection.
I really need understanding some of the logic behind the default ZBFW settings on my Cisco 881W courtesy of Cisco Configuration Professional. Here are my two questions:
1.) What is the purpose and logic behind consolidating the first class-map (ccp-cls-insp-traffic) in to the second Class-Map (ccp-insp-traffic) as follows?
Code ....
2.) What is the purpose and logic of Policy-Map ccp-inspect is trying to drop traffic from ccp-invalid-src, which is filtering based on ACL 100:
policy-map type inspect ccp-inspectclass type inspect ccp-invalid-src drop logclass type inspect ccp-insp-traffic inspectclass type inspect ccp-protocol-httpclass class-default drop.
Code ....
I am carving up an internet Class C for customer. This class C is used by 3 distinct QA, Corporate and Production firewalls. I want to carve up IP space so there is a /26 for each environment. The issue I have is the firewalls may need communication with each other via the public IP space. Currently I don’t have any L3 switches in between the firewalls and the edge internet router. So with subnetting, it would seem I need to push everything through the internet router for the intra-firewall communication.I would rather not push this traffic through the edge router, so I came up with an idea to allocate all firewall outside interface IP’s in the 4th (last remaining) /26. That way, I can allow firewalls to communicate over the primary interface IP’s, which will all be in the same subnet – without going through a routing “engine”/device.
For the actual environment subnets (NAT's on respective firewalls), I create a static route on the edge router pointing to each of the firewall’s primary IP’s for the respective environment routes (the first 3 - /26’s).This is still a beta design, but I have done this before on small scale when ISP gave me 2 subnets for example, assuming I was going to put a router in between the customer firewall and ISP. I would use the “routed subnet” on the ASA interface, and then pull the NAT’s from the other subnet. The ISP would have to add a static route directing the NAT subnet to the “routed subnet” correct IP - which would be the firewall outside interface primary IP.I recently found out that with ASA OS 8.4.3 and up, ASA will not proxy arp for IP’s not in its local interface subnet. This means the ISP/router will have to assign static ARP entries on the edge router. This can get messy after the first few NAT entries. So I am debating the design now. I think this kind of stuff going forward won’t be worthwhile with newer ASA 8.4.3 code.
How to communicate between different ASA’s, while still carving up the Class C into usable smaller subnets? The primary reason for doing this in the first place is to support routing on the edge router. I am thinking it might be time to ask for another Class C to do the routing functions, and keep the firewalls all at Layer 2 in one /24 - Class C?
I have an issue with Cisco ASA 5520, The summary is below!
Packet # 1 on inside capture the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@10.7.100.1
Packet # 1 on outside interface the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44 --- this bcz of the inspection.
Packet # 2 on outside capture the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44
Packet # 2 on inside capture the Call-ID stay: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44 --- this is the problem.
(This suppose to be Call-ID: 2a54f680-a5d1de2a-160c-164070a@10.7.100.1)The inspection should change the Call-ID for the incoming packet as it did with the outgoing packet. Whenever, the CM receive the trying message with different Call-ID it considered as new session and it keep sending invitation messages for the SIP provider.NAT is enabled.
I am having issues with PXE boot images for PCs cannot be loaded from remotely.The diagnosis revealed that SunRPC & TFTP were being inspected by ASA causing drop of packets.So I excluded these two inspections for the particular server behind the firewall. It seem to resolve the issue for instance but it crawled back again.
Is there a way that the inspection can be turned off for that particular server at the IP level?
I Have a 2821 Router with a IOS Version 12.4(13r)T. When i enabled the firewall, my download speed slows down to 10-20kbps (the normal is 5-6 Mbps).
View 11 Replies View RelatedI need to allow traffic between webserver in dmz and mssql (Microsoft SQL Server 2008).MSSQL use dynamic port (now it is 63796) and this cannot be changed.
Basically, I can allow such traffic using next configuration:access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433access-list dmz extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434 access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 63796
But, I would like to add mssql inspection and I did the next:
class-map class_sqlnetmatch port tcp eq 1433policy-map global_policyclass inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp class class_sqlnet inspect sqlnet service-policy global_policy global
[Code] ..........
