Cisco Firewall :: What Is The Impact Of Disabling Xlate In FWSM 4.0.8
Nov 27, 2011
What is the impact of disabling xlate in FWSM
We have dynamic NAT configured from inside to outside interface, but still it is showing NAT entry as below.
"NAT from inside:177.26.99.10 to outside:177.26.99.10 flags Ii"
Expected NAT entry should as below :
"NAT from inside:177.26.99.10 to outside:111.111.111.111 flags Ii"
We were considering implementing "ip verify revert-path" .Hence here i am thinking whether xlate-bypass is the issue here and implementing same with "ip verify revert-path" woud be a good idea.
I have FWSM running version 3.2(23) , configured with interface vlans , all having the same security level , except outside interface vlan which has security level 0 , also same-security-traffic permit inter-interface and same-security-traffic permit intra-interface are configured, my problem is when establishing sessions (I tried TCP only using ssh and telnet , in addition of ping ) from one specific vlan (172.16.1.0/28) to other vlan (172.16.1.16/28) , I can not see the established sessions in "show xlate debug" output ! although I can see these sessions from capture ! the two subnets are separate , two different /28.
I can see the session established from the remaining interface vlans with same security level toward 172.16.1.16/28 , my question is what is the exception with vlan having this subnet172.16.1.0/28, how it can reach other vlan with subnnet 172.16.1.16/28 without showing anything in xlate table ? do you thing it is bug ?
if SSH v1 is considered vulnerable why is it still enabled by default on the ASA 8.4 by default?What is the vulnerability impact of using SSH v1 on an ASA?
I have ASA that just started to reboot through out the day yesterday. It seems to happen every few hours but not in a pattern.Right before it reboots there is a flood of sys log id 305006 messages "portmap translation creation failed for tcp src inside:xxx dst outside:xxx the xlats go from around 2-3k to about 30+k then crash.Memory ussage is already pretty high normally on this device (about %75 used) CPU is around %15-20 I notice that the portmap translation errors are always from 3 inside host.
we have two ASA 5520, on the failover unit is showing LU allocate xlate failed. We read on [URL] that it could be a memory problem , but have cheked it and we have 85% of memory free on both nodes. We also can see all xlate on failover unit.
We have forced failover this evenig and we can´t stablish outbound connexions by outside interface, we think xlates or nat cant work properly.
I got an asa5510. After problems with ipsec connections the log said :
LU allocate xlate failed this error repeats every minute. At the cisco site i found the following :
explantion : stateful failover failed to allocate a translation (xlate) slot record recommended Action : check the available memory by using the show memory command to make sure that the security appliance had free memory in the system. If no memory is available, add more memory
How to schedule automatic Xlate sessions cleaning in ASA5550. I want to clear few global nat sessions manually every week.Is there any way to automate that?
I have the ASA5520, everyday I have a lot of connections through my ASA5520. But buffer in ASA5520 to save connections is limited. Now, I want my ASA can auto save the conn detail and Xlate to my Syslog server, how can i do that?
We just recently upgraded a 5540 ASA running 8.2 to a 5555 running 8.6. I have a question concerning disabling proxy ARP with static nat rules in place. We have several instance where devices in a dmz have a static nat entry to the outside and a static nat entry to the inside using the same IP. My question is if we disable proxy arp on the inside interface would that cause device on the inside not to be able to reach the device in the dmz? From what I have seen you don't want to disable it on the outside interface due to all the static nat translations. But we have some that are have nat translation going to the inside as well. How does proxy arp come into play there? Below is a diagram of an example of the setup I a referring to. This is on the new 5555 running 8.6
I have a RV082.I need to disable the firewall, since firewalling is done better elsewhere.However disabling firewall Remote management on wan ip is forcefully enabled.I don't need Remote management, keeping it enabled is a security risk for my setup.I don't understand the rationale behind the choice to forcefully enable remote management if firewall is disabled.Is there a way to disable both firewall and remote management?Or at least a workaround?
I'm on firmware 2.0.0.19-tm on a probably v2 hardware. (Cannot find this info in the web configuration).This is not the newest even for v2 hw but I cannot afford to break it trying to upgrade the firmware.Moreover no release notes for firmware releases refers to a correction of firewall/remote management behavior.Is this behavior also in newer firmware releases?
Im running 8.3 on a 5505. We've got a few ssh tunnels originating from inside to some place on the internet. It seems these tunnels are closed every n minutes. I've seen two recommendations for altering the timeout values, and what I am interested in is infinite timeout (0) for these SSH tunnels.
Suggestion 1, alter timeout "conn". Default is 30 minutes, but I suspect this might have a negative impact because no inactive connections would be closed, ever. If it however is recommended to alter, how to set it to "0" (off/unlimited)? timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Suggestion 2, enable a ssh class map which explicitely set the timeout for the ssh connection. Is this recommended? How would I achieve unlimited time? And what about random-sequence-number disabled as seen below, is that really recommended?
class CLASS_MAP_SSH set connection random-sequence-number disable set connection timeout idle 48:00:00 reset set connection decrement-ttl
We have 2 FWSM modules in each 6500 switches. 1st module is having 04 firewall vlan groups with 18 vlan interfaces in a single context firewall. All are working fine with no issues. Recently we create one more vlan on MFSC and add into the same firewall module. However newly created vlan inside the FW is not able to communicate with outside and also outside users not able to reach newly created subnet. But within the firewall zones (other interfaces) it can communicate. Once we did packet capture we noticed that its hitting firewall outside interface only and when we ping we got TTL expired error. we have default routes to outside and there's no any route inside as new segment is within the firewall (no any hop).
I guess there's no limitation on number of vlans that we can assign on one firewall eventhough there is a limitation for number of vlan-group which is 16 max (but we are within that limit).
We need Solution for disabling Anti-Replay on the Firewall for a specific tunnel. ASA 8.4(2) ) does not support disabling Anti-Replay on specific Ipsec tunnel , is it true , then if we want to disable Anti-replay , what we have to do in ASA5540 .
I have just logged into the ASDM for my 5520 and can see under the "Firewall Dashboard" tab that I can enable these graphs/stats, why would they be disabled? So I was wondering if I enable these and they use alot of memory how can I disable them again?
I have just logged into the ASDM for my 5520 and can see under the "Firewall Dashboard" tab that I can enable these graphs/stats, why would they be disabled? So I was wondering if I enable these and they use alot of memory how can I disable them again?
i bought a cisco 2950 series switch to play around with and im trying to set it up to SSH. I have google'd a bit on how to do this and i've sort of hit a wall... i have downloaded the cryptographic image from cisco's website, installed a TFTP server (think this is where my issue lies) but when i do the copy tftp flash global command i keep getting the error accessing "xxxx" message.I have tried allowing the server through windows firewall, disabling windows firewall, allowing access through the router..
I want to upgrade a pair of FWSM in active failover from 4.0(4) to 4.1(8) i just want to double check the process. i have tftp access to the primary at the minute. i cannot access the same tftp server with the standby. do i need flip over to the standby to be able to tftp the image across?
I am planning for an VSS in Core but firstly I need to upgrade FWSM which is at 3.2 Ver to 4.0.4 (min release) I have checked software dependencies but not sure about Hardware Dependency on Fwsm and Chassis for Eg. Rommon Upgrade on Chassis.
I wanna upgrade FWSM Version 3.1(11) to latest 4.x version is this possible or i have to upgrade first to 3.2 and then to 4.x?
Is there any changes in configuration commands that i need to know? The version that 6500 running is s72033-advipservicesk9_wan-mz.122-18.SXF14.bin,an upgrade to 6500 is needed also?And if so what ios version will i put?Also which is the asdm supported version?
We recently deployed a FWSM on our 6503-e boxes (w/ sup720). NAT is working (PAT) but the issue I am seeing is private traffic from remote sites is not being allowed through the FW. I was able to get the remote site to ping the FWSM itself (inside address), but no hosts behind it. Maybe an ACL issue? Also when I turn off NAT on the remote end, I can than access everything (We are NATng on both ends). Im a routing guy by nature so I will defer this to the security guys out there.
We have a pair of 6500s with Sup720 running 12.2(33)SXI3. Each has an ACE-20 (s/w A2(2.0)) and FWSM (s/w v3.2(15)). We have reached a limit on the number of rules we can configure on the FWSM, and have determined that we shall upgrade to 4.1(5), with ASDM to 6.2(2)F. A question has been raised regarding the s/w on the ACE-20 modules. Do we need to upgrade them as well?
ASA code 8.3 and higher uses NAT objects and totally changes the NAT rule config. I am new to FWSM .... but was wondering if this comparable ? I am lookinig at upgrading FWSM 3.1(16) to a higher 4.1 version .... but have a feeling this could be a huge task if NAT config changes as with the ASA's
am trying to config a FWSM by ASDM 6.2f.there are formerly configured interfaces and new interfaces i created.when i add a new access rule it gets added only to all the old interfaces but not to the new ones i created.
1. what wrong with the new interfces i created?
2. whats the logic of auto adding a rule to "all" interfaces , the rules are incoming rules specific to interfaces or groups , why add the to the rule to "all" intefaces?.
We would like to decommission our FWSMs and upgrade to the ASA 5555Xs. This leads me to ask the following: What would be the most efficient way of doing this without any interruption to production? How to successfully accomplish this?
our FWSM (in 6509) is not coming up, when tried to sesssion up using "Session slot 1 proc 1" command,It is giving error , "Tyring 127.0.0.11 .....connection timed out remote host not responding".
In "show mod" command output at Switch in IOS console: under Card Type Section: it is showing Model & Serial Number correctly, Under MAC address sectino: displaying some MAC address But in Online Diag Status, it showing "Unknown" for Module 1.
We tried re-seating in other slots, but of no use. Giving same error. Some of other forms are saying it is the issue with 128 Mb CF image problem, FWSM is no more reachable from 6509 IOS console. We even tried using FWSM console (using PC-Conse & LCP Console) but FWSM is not contactable.
I am having two dc switches with FWSM modules installed. DC switch1 FWSM (Ver 3.2(12) is wokring as active and Secondary DC switch2 FWSM (ver 3.2.(12) is in standby mode.
From yesterday I am trying to login primary FWSM, It is accepting my username and credentials but prompting again for username please refer below
DXB-DC1>session slot 5 p 1The default escape character is Ctrl-^, then x.You can also type 'exit' at the remote prompt to end the sessionTrying 127.0.0.51 Open. [code]
I have had a strange issue with a pair of FWSM's in 2 6500's, it seems there was a failover but both module's have been reset.
CAT1 Feb 03 17:08:46.525: %SNMP-5-MODULETRAP: Module 8 [Down] Trap Feb 03 17:08:46.522: SP: The PC in slot 8 is shutting down. Please wait ...Feb 03 17:09:01.525: SP: shutdown_pc_process:No response from module 8 Feb 03 17:09:11.382: %C6KPWR-SP-4-DISABLED: power to module in slot 8 set off (Reset) Feb 03 17:10:56.093: %DIAG-SP-6-RUN_MINIMUM: Module 8: Running Minimal Diagnostics...Feb 03 17:10:59.796: %SVCLC-5-FWVTPMODE: VTP [Code]...
I'm running two C6509 Chassis with FWSM and ACE module install on each chasiss.I have no problem with session into 1 FWSM and 2 ACE modules.But 1 FWSM module can't be access by session command.As I understand two FWSM module status is OK, and working fine.When I tried to session into FWSM, I got these messages..
I need to upgrade the fwsm image from 3.1(10) to 4.0(8). Can i do it directly from 3.1(10) to 4.0(8) ?Do i need to upgrade other image also along with Firewall version 4.0(8)?
