Sie sind auf Seite 1von 356

Cisco ASA Firewall Solution

AT&T Internal Training


Mentor: Mikis Zafeiroudis

Course Agenda
Class Timing
Start daily at 9 AM
10 min break between subjects
Lunch break between 12:00 13:00 PM
Class ends ~ 17:30 PM
Classroom introduction
Questions in class
Participation is a key

Classroom software/hardware overview


GNS3, Virtual PC

Course in line with CCNP Sec FW 642-617 exam


CLI-based ASDM will be checked briefly
2

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Course Agenda
Topics covered
1. FW Overview
2. ASA Overview
3. ASA Get knowing the tools
4. ASA Routing
5. Administrative access
6. ASA Monitoring (Syslog/SNMP)
7. ASA ACLs
8. ASA NAT
9. ASA algorithm, Packet Flow
10. MPF - Protocol handling
11. Asymmetric Routing uRPF

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Course Agenda
Topics covered (cont.)
12. AAA Identity management
13. Transparent FW
14. Contexts
15. Redundant interfaces
16. Failover
17. Miscellaneous topics
18. Troubleshooting
19. Review

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Course Overview
Recommended Reading
Cisco Press - Cisco ASA: All-in-One Firewall, IPS, Anti-X, and
VPN Adaptive Security Appliance 2nd edition (2010)
Cisco Press - Cisco Firewalls (2011)
Cisco ASA 5500 Series Configuration Guide 8.x
Cisco ASA 5500 Series Command Reference 8.x
Cisco ASA 5500 Migration to Version 8.3 and Later
Cisco ASA New Features by Release
CCNP Sec Firewall 642-618 Certification Guide guide

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Firewalls Overview
Stateful Firewalls
The firewall creates a State Table

Incoming traffic is allowed only by the configured Access-List


Returning traffic is allowed by the state-table
Protocols like UDP/ICMP create entries based on inactivity timers
Check L3 and L4

Stateful Firewalls with AIC


FW checks L3-L7 OSI layers (Deep Packet Inspection DPI)
Requires more processing power

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Firewalls Overview
Stateful Firewalls (cont.)
TCP State Table

UDP State Table

Src IP

10.0.1.1

Src IP

10.0.1.1

Src Port

1055

Src Port

1055

Dst IP

20.0.1.5

Dst IP

20.1.1.5

Dst Port

23

Dst Port

53

Seq #

2650914815

Idle time

1min 5 sec

Flags

PUSH

Idle time

15min 15sec

ESP State Table

ICMP State Table


Src IP

10.0.1.1

Dst IP

20.0.1.5

Src IP

10.0.1.1

ICMP Type

Dst IP

20.1.1.5

ICMP Code

SPI

0xDFC15269

Packet ID

Idle time

8 sec

Idle time

1 sec

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Order of operations


ASA Order of operations summary

Pre-8.3 src NAT only

Pre-8.3 dst NAT only

Pre-8.3 src & dst NAT

1.
2.
3.
4.

1.
2.
3.
4.

1.
2.
3.
4.
5.

ROUTE-LOOKUP
ACL (CUST1_ACL)
NAT (Source NAT)
VPN Encrypt

ACL (CUST2_ACL)
UN-NAT (Dest NAT)
ROUTE-LOOKUP (VPN peer)
VPN Encrypt

UN-NAT (Dest NAT)


ACCESS-LIST
NAT (Source NAT)
ROUTE-LOOKUP (VPN peer)
VPN Encrypt

Post-8.3 src NAT only

Post-8.3 dst NAT only

Post-8.3 src & dst NAT

1.
2.
3.
4.

1.
2.
3.
4.

1.
2.
3.
4.
5.

ROUTE-LOOKUP
ACL (CUST1_ACL)
NAT (Source NAT)
VPN Encrypt

UN-NAT (Dest NAT)


ACL (CUST2_ACL)
ROUTE-LOOKUP (VPN peer)
VPN Encrypt

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

UN-NAT (Dest NAT)


ACCESS-LIST
NAT (Source NAT)
ROUTE-LOOKUP (VPN peer)
VPN Encrypt

ASA Packet Flow


Stateful Inspection overview (with source NAT) pre-8.3

session management path + fast path = accelerated security path.

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Packet Flow


Stateful Inspection overview (destination NAT) pre-8.3

session management path + fast path = accelerated security path.

10

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Adaptive Security Algorithm


TCP Connection Establishment

1.
2.
3.
4.
5.
6.
7.

11

Check for existing entry in the state table


Check if ACL permits the traffic
Check for existing Xlate entry
Check for NAT
Randomize Sequence Number
Increment Embryonic Connection counter
Start Idle Timer for conn and xlate entries

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Protocol handling


TCP Connection Establishment

1.
2.
3.
4.

12

Check the state table and the idle timer


Randomize the Sequence Number and un-randomize the ACK number
Undo the NAT (Untranslate)
Reset idle timers for conn and xlate entries

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Protocol handling


TCP Connection Establishment

1.
2.
3.
4.
5.

13

Check the state table and the idle timer


Check the xlate table for existing entry
Randomize the Sequence Number and un-randomize the ACK number
Decrement the Embryonic Connection number
Reset the Idle timer for conn and xlate entries

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Protocol handling


TCP Connection Establishment

14

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Adaptive Security Algorithm


Questions
Put in the proper order the following checks
1.
2.
3.
4.
5.
6.
7.

uAuth
Egress capturing
VPN Encryption
Ingress capturing
NAT
ACL
Routing

Which path will take a packet that belongs to an


existing connection? What will be checked in this path?

15

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

PIX/ASA Evolution
In 1994 Brantley Coile and John Mayes, owners of Network
Translation Inc created PIX (Private Internet eXchange). PIX
uses Finesse OS (Fast InterNet Server Executive) (now called
PIX OS) written by Brantley Coile
In 1995 Cisco bought Network Translation Inc
In May 2005 Cisco introduced ASA (Adaptive Security
Appliance) which inherited much of PIX features. ASA run PIX
OS code 7.0 and later. ASA also replaces Cisco VPN 3000
concentrators
As from ASA 8.0, ASA runs on Linux kernel. PIX 8.0 continues
using PIX OS/Finesse OS
In July 2008 Cisco announced PIX End of Sale (EoS)
Last date of PIX SW, licenses and accessories sales Jan 2009
PIX end of support/end of life is 27 July 2013
16

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

PIX/ASA Evolution
ASA/PIX evolution overview

*For more information check the Cisco Release Notes at:


http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html
17

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Overview
ASA 5500 Model Comparison
Small Office and Branch Office

Internet Edge

Enterprise Data Center

18

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Overview
Main features
Stateful Packet Inspection (Adaptive Security Algorithm)
NAT
Advanced Routing capabilities
Dot1q subinterfaces
Modular Policy Framework (MPF)
Security contexts

Failover (A/A, A/S)


Application Layer Inspection
Transparent Firewall capability
Web management via ASDM
Quality of Service (QoS)

19

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Overview
Main features (cont)
IPsec VPN/SSL VPN
Asymmetric routing support (as from 8.2(1))
LACP EtherChannel support (as from 8.4(1))
CSC-SSM (Content Security Control Security Service Module)
provides anti-X capabilities (anti-X = blocks viruses, spam,
spyware, URL blocking) for FTP, HTTP, POP3, SMTP
IPS capabilities (AIP-SSM module Adaptive Inspection and
Prevention)

20

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Overview
Main features (cont)
QoS Traffic Shaping 8.1(2)
Botnet Traffic Filter (malware protection) - 8.2(1)
Global ACLs - 8.3(1)
Stateful Failover with Dynamic Routing Protocols - 8.4(1)
TCP Ping Enhancement - 8.4(1)
Identity Firewall - 8.4(2)
Mixed firewall mode support in multiple context mode - 8.5(1)
ASA Clustering 9.0 ASA 5580 and 5585
VPN and dynamic routing in contexts

21

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Overview
ASA/PIX Unsupported features
ASA doesnt support ISP load balancing
ASA cannot block applications that negotiate dynamic ports
over encrypted channels (e.g. Skype). ASA CX is the new
weapon.
ASA doesnt support PBR
ASA cannot be configured as EZVPN Client (only exemption is
ASA 5505)
ASA doesnt support VTIs
PIX doesnt support SSL VPNs
PIX doesnt support AIP-SSM and CSC-SSM modules

22

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Overview
ASA Basic Configuration
5 modes of configuration:
EXEC or nonprivileged mode
ciscoasa> enable

Privileged mode
ciscoasa#configure terminal

Global Configuration mode


ciscoasa(config)#interface e0/0

Specific configuration modes


ciscoasa(config-if)#

ROMMON mode
rommon>

Show running-configuration command can be combined


with include, begin, exclude, grep grep v
Show running-config all will show the default configuration
23

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Overview
ASA Basic Configuration
ASA keeps last 19 entered commands in memory
ASA# show history

In order to change the terminal screen width


ASA(config)# terminal width [columns]

In order to change the number of lines shown in large outputs


ASA(config)# pager [lines]

Startup config is saved in Flash memory. In order to see it:


ASA# show startup-config

Running configuration is on RAM and it is lost after reboot. In


order to see it
ASA# show run {all} | {include}|{exclude}{grep}

To remove the startup configuration


ASA# write erase
24

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Overview
ASA Basic Configuration
To erase the existing running configuration:
ASA(config)# clear configure all or
ASA(config)# configure factory-default

2 ways to configure the ASA


Setup utility is the fastest way to configure ASA. In order to run it:
1. I must have an interface named inside
2. Use the setup command

CLI

In order to save the configuration I have 2 options:


. Option 1:
ASA# write memory (or wr)
. Option 2:
ASA# copy running-config startup-config

To reboot a device type


ASA# reload
25

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Overview
ASA Licensing
A License is a 160-bit value (activation key) specifies the
features that are enabled on ASA
By default the ASA will come with a license depending on the
order (www.cisco.com/go/license)
There are permanent licenses and Time-Based licenses
(Evaluation)
The activation key is tied to the serial number of the device
To enter an activation key (reload might be required)
ASA# activation-key 0xa1b34b58c 0x42afb341d ..
To see the activation key
ASA# show activation-key
Or
ASA# show version
26

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Overview
ASA File System
disk0 = flash0
To view the contents of flash
ASA# dir

To navigate into file system


ASA# cd disk0:/.private

To see the contents of a file


ASA# more disk0:/.private/startup-config

In order to copy files to and from the flash


ASA# copy {source} {destination}

To delete a file
ASA# delete flash0:/{file_name}

27

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Overview
ASA Boot Files and HW
ASA can keep in Flash one or more OS images
To specify from which to boot
1. ASA(config)# boot system {image}
2. ASA# copy running-config startup-config
3. ASA# reload
Note
In case of an image upgrade do not forget to remove the previous
boot system command - the new command doesnt overwrite
the old (ACL logic). More on this later

To verify the boot system


ASA# show bootvar

28

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Overview
ASA Basic Interface Configuration
Basic interface configuration:
ASA(config)# interface Ethernet0/0
ASA(config-if)# nameif dmz
ASA(config-if)# security-level 50
ASA(config-if)# ip address 100.0.104.10 255.255.255.0
ASA(config-if)# no shut
On subinterfaces I have to specify the VLAN:
ASA(config)# interface Ethernet0/2.104
ASA(config-subif)# vlan 104

29

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Overview
Security Levels
Interfaces are assigned security levels 0-100
Traffic from Higher to Lower Security Level is allowed by
default. How the ASA will know the exit interface?
Based on the routing lookup (unless NAT is used)

Returning traffic is allowed due to stateful inspection


Security level values define the direction of the traffic:
Inbound (Low-to-High) or Outbound (High-to-Low)
If I name an interface Inside it will get Security Level 100 by
default. Any other interface name will get Security Level of 0
By default, traffic is not allowed between interfaces that have
the same security levels. I can use the command samesecurity-traffic permit inter-interface|intra-interface
Lab 1
30

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Overview
Questions
What happens by default if you configure two interfaces
with the same security level?
1. Traffic will pass freely between those connected networks
2. Traffic will not pass between those interfaces
3. Specific ACLs must allow traffic between those interfaces

Which information does the ASA keep in the state table?

31

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


Syslog
By default, logging is disabled
Syslog messages can be sent to various places:

Internal log buffer


External syslog server
ASDM
Console port
SNMP server
Telnet/SSH sessions
Email address

In order to use any of the above destinations I must first


enable syslog. Optionally, I can enable logging timestamps:
ASA(config)# logging enable
ASA(config)# logging timestamps
32

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


Syslog levels
Syslog messages are divided in 8 levels:
ASA(config)# logging buffered ?
configure mode commands/options:
<0-7>
Enter syslog level (0 - 7)
alerts
(1)
critical
(2)
debugging
(7)
emergencies (0)
errors
(3)
informational (6)
notifications
(5)
warnings
(4)

Each message has also a message-ID


%ASA-7-710005: UDP request discarded from 100.0.101.250/138 to
inside:100.0.101.255/138
More details on www.cisco.com/go/asa -> Troubleshooting and Alerts
33

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


Modifying Syslog levels
Allows to move a syslog message to different level
Example

I dont have command accounting enabled


I want to know what show commands were executed on the FW
Message 111009 logs show commands
The severity level of 111009 is 7
%ASA-7-111009: User 'enable_15' executed cmd: show logging

ASA(config)# logging message 111009 level informational


%ASA-6-111009: User 'enable_15' executed cmd: show running-config
logging

34

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


Logging to Internal Buffer
In order to send messages to Internal Buffer:
ASA(config)# logging buffered severity-level
The default buffer size in 4 KBytes. I can change this:
ASA(config)# logging buffer-size 1048576
The internal buffer is a circular. I can save manually the
internal buffer into flash:
ASA# logging savelog
Or configure it to happen automatically:
ASA(config)# logging flash-bufferwrap
ASA(config)# logging flash-maximum-allocation 249336
ASA(config)# logging flash-minimum-free 10000

35

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


Logging to External Syslog server
In order to send messages to External Syslog server:
ASA(config)# logging host ifname 100.0.101.250
To specify which syslog messages will be sent to the syslog
server:
ASA(config)# logging trap severity-level
By default, syslog messages are sent to syslog server via UDP
port 514. Optionally, I can configure the usage of TCP
ASA(config)# logging host ifname 1.2.3.4 6/1470 secure
Note that if you use TCP and the syslog server is down, new
connections through the ASA will not be allowed. I can change
this:
ASA(config)# logging permit-hostdown

36

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


Logging to ASDM
In order to send messages to ASDM:
ASA(config)# logging asdm severity-level
Optionally, I can define the ASDM buffer size which defines
how many messages will can be kept on ASA before they are
sent to ASDM:
ASA(config)# logging asdm-buffer-size 512
Logging to Console
In order to send messages to Console port:
ASA(config)# logging console severity-level

To limit the rate at which the logging messages are generated:


ASA(config)# logging rate-limit 1 10 level 7
The above command will generate 1 debug message every 10 sec
The messages at a specified severity level are limited individually

37

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


Logging to SNMP server
In order to send messages to SNMP server:
ASA(config)# logging history severity-level
Logging to Telnet or SSH session
In order to see logging messages in Telnet or SSH session I
have to do 2 things:
Step 1
ASA(config)# logging monitor severity-level
Step 2
I telnet or SSH to ASA and I put the command
ASA# terminal monitor

38

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


Logging to email address
In order to send messages to SMTP server I have to do 4 things:
1. Specify which messages will be sent to the email server:
ASA(config)# logging mail severity-level
I can get more granular by using logging lists
2. Specify the source mail address:
ASA(config)# logging from-address ASA1@LAB.TEST
3. Specify the destination mail address:
ASA(config)# logging recipient-address
bob1@LAB.TEST level debugging
4. Specify the SMTP server that I will sent the messages to:
ASA(config)# smtp-server 100.0.101.250
Lab 2
39

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


Debug
Use debug with caution
To redirect debug messages to log (711001):
ASA(config)# logging debug-trace

In order to debug ICMP packets only


ASA# debug icmp trace
debug icmp trace enabled at level 1
ASA# ICMP echo request from inside:100.0.101.1 to outside:100.0.103.3
ID=0 seq=0 len=72
ICMP echo reply from outside:100.0.103.3 to inside:100.0.101.1 ID=0
seq=0 len=72

NSEL (Netflow Security Event Logging)


Allows better logging of flow-create, flow-teardown, and flowdenied events (binary vs text)
8.1(1) and later
40

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


Packet Tracer on ASA
Available as from 7.2(1) version
Simulates the life of a packet through the ASA (Adaptive
Security Algorithm)
Helps to identify the cause of packet drops
Allows to verify the configuration proactively
Accessible from CLI and ASDM
Not available in ASA Transparent mode
In order to use it you have to know the following:

41

Source IP
Source interface
Destination IP
Destination port

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


Packet Tracer on ASA (cont)
ASA# packet-tracer input <src_int> <protocol>
<src_IP> <src_port> <dst_IP> <dst_port> {detailed}

Note
Packet-tracer will cause a hit-count increase in the ACL
42

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


Capture utility

Available as from 6.2(1) version


Useful to troubleshoot connectivity problems
Shows packets going through and to the ASA itself
On the ingress side, the packets are captured from the moment they
hit the ASA interface, and on the egress side the packets are
captured just before they are sent out on the wire
You must specify an interface
Basic usage
ASA(config)# access-list CAP_ACL permit ip host 100.0.110.1
host 100.0.101.1
ASA# capture CAP access-list CAP_ACL interface outside
To see the existing captures:
ASA# show capture
I can apply 2 or more captures on the same interface
43

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


Capture utility
Capture utility uses an internal buffer.The default size is 512 Kbytes
ASA# show capture
capture CAP_INSIDE type raw-data access-list CAP_ACL buffer 5000000
trace interface inside [Capturing - 1300 bytes]

If the buffer is full, the capture stops capturing


ASA# show capture
capture CAP_INSIDE type raw-data access-list CAP_ACL buffer 1534 trace
interface inside [Buffer Full - 1502 bytes]

In order to modify the capture buffer size


ASA(config)# capture CAP_INSIDE buffer 1000000

To remove the capture


ASA(config)# no capture <capture-name>

To clear the capture buffer


ASA# clear capture <capture-name>

As from 8.0(4) I can use the 'real-time' keyword

44

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


Capture utility
I can see the contents of a capture output on a web browser
First I create the capture
ASA1# capture CAP_IN interface inside

Then I specify the following URL from the browser:


https://100.0.101.10/admin/capture/CAP_IN

45

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


Capture utility
I can also download the contents of a capture in a .pcap
format and open it with Wireshark
First I create the capture
ASA1# capture CAP_IN interface inside

Then download the capture in .pcap format


https://100.0.101.10/capture/CAP_IN/pcap

Open the .pcap file with Wireshark

46

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


ASP Drop
In order to see accelerated security path (ASP) packet drops
ASA# show asp drop
In order to clear the asp counters
ASA# clear asp drop
asp-drop capturing
Configure a capture with type asp-drop to see all packets
dropped in the ASP (session management path + fast path):
ASA# capture ASP_DROP_CAP type asp-drop all
ASA1# show capture ASP_DROP_CAP

47

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


ASP Drop output example

48

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


TCP Ping
Available as from 8.4(1)
The ASA will send a TCP SYN packet to the destination
Any source IP can be used by the ASA even if it doesnt belong
to the ASA itself
Note
Make sure that on ASA there is ACL that permits the traffic that you
test via TCP Ping

Can be useful in the following cases:


You want to know if the remote server is listening to a specific TCP
port
You want to know if the remote server has routing towards the
source
You want to trigger a VPN connection

49

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA - Get knowing the tools


TCP Ping configuration example

50

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Routing
General overview and ARP
ASA 8.x supports the following routing options:
Static routing
RIPv1/v2
EIGRP
OSPF
Proxy ARP is used when a device responds to an ARP request with its own MAC
address, even though the device does not own the IP address. The ASA uses
proxy ARP when you configure NAT and specify a mapped address. There are
rare cases where I want to disable Proxy ARP. I do this with the command:
ASA(config)# sysopt noproxyarp ifname
ARP is handled by CPU and ARP flooding is possible cause of DoS
When an interface goes down, the ARP entries are not deleted

51

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Routing
Static routing
Syntax:
ASA(config)# route OUTSIDE 10.0.2.2 255.255.255.255
100.0.123.2 1
Routing verification
In order to display the routing table
ASA# show route

In order to display the configured static routes


ASA# show running-config route

52

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Routing
RIP
RIP support added in version 7.0(1)
ASA supports RIPv1 and RIPv2
Basic config
ASA(config)# router rip
ASA(config-router)# network 10.0.0.0
Passive-interface command is supported
In RIPv2 I can disable auto-summarization with the command
no auto-summary
ASA(config-router)# no auto-summary
I can redistribute routes from OSPF, EIGRP, Static or
Connected into RIP

53

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Routing
RIP
RIPv1 doesnt support authentication. RIPv2 supports text and
MD5 authentication
ASA(config-if)# rip authentication key CISCO key_id 1
ASA(config-if)# rip authentication mode md5
In order to generate a default route with RIP:
ASA(config-router)# default-information originate
I can filter RIP updates by using distribute-lists (I must use a
Standard ACL in order to denote what traffic will be allowed
and denied by the distribute-list)
ASA(config)# access-list ACL extended permit ip any any
ASA(config-router)# distribute-list ACL out
ERROR: Access-list ACL does not exist or not standard type acl

54

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Routing
RIP
Verification/Troubleshooting
ASA# show run router rip
ASA# show rip database
Useful RIP debug commands:
ASA# debug rip events
ASA# debug rip database
Note Use debug with caution!

55

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Routing
OSPF
Basic OSPF configuration
ASA(config)# router ospf 1
ASA(config-router)# network 100.0.101.10
255.255.255.255 area 0
Note that we dont use wildcard masks
ASA supports intra-area routes (LSA1, LSA2), inter-area
routes (LSA3, LSA4), external routes (LSA5) and LSA7
Virtual Link support
Null, clear text and MD5 authentication. MD5 auth example:
ASA(config)# int e0/2.124
ASA(config-subif)# ospf message-digest-key 1 md5 CISCO
ASA(config-subif)# ospf authentication message-digest

56

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Routing
OSPF
ASA can be DR, BDR or ASBR
Support for Stub areas (blocks LSA3 and LSA4) and NSSA
(allows LSA7)
ASA supports LSA3 filtering (create a prefix-list and apply it
under the filter-list command in config-router mode)
I can change the OSPF network type on the ASA interface:
ASA(config-if)# ospf network point-to-point nonbroadcast
I need also to configure the neighbor command in order to
sent unicast hellos
ASA(config)# router ospf 1
ASA(config-router)# neighbor 100.0.104.4 interface dmz

57

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Routing
OSPF
I can redistribute routes into and from OSPF. In order to
redistribute e.g. EIGRP into OSPF I go under OSPF process:
ASA(config)# router ospf 1
ASA(config-router)# redistribute eigrp 1 subnets
If not set, default metric will be 20 as for IOS
In order for ASA to advertise a default route into OSFP:
ASA(config)# router ospf 1
ASA(config-router)# default-information-originate
{always}

58

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Routing
OSPF
OSPF verification/troubleshooting
ASA# show route
ASA#
ASA#
ASA#
ASA#

show
show
show
show

run router
ospf
ospf interface
ospf neighbor

Useful OSPF debug commands:


ASA# debug ospf events
ASA# debug ospf packets
Note Use debug with caution!

59

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Routing
EIGRP
Basic EIGRP configuration
ASA(config)# router eigrp 1
ASA(config-router)# network 100.0.123.10
255.255.255.255
ASA(config-router)# no auto-summary
I can filter outgoing and incoming EIGRP route advertisement
by using distribute-lists
ASA(config)# access-list STOP_EIGRP standard deny
10.0.22.0 255.255.255.0
ASA(config)# access-list STOP_EIGRP standard permit any
ASA(config)# router eigrp 1
ASA(config-router)# distribute-list STOP_EIGRP in

60

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Routing
EIGRP
ASA supports EIGRP MD5 authentication
ASA(config)# int e0/1
ASA(config-if)# authentication mode eigrp 1 md5
ASA(config-if)# authentication key eigrp 1 EIGRP
On non-broadcast networks I must define static EIGRP
neighbors
ASA(config)# router eigrp 1
ASA(config-router)# neighbor 136.0.123.2 interface
outside
In order to redistribute into EIGRP I must define the metric
ASA(config)# router eigrp 1
ASA(config-router)# redistribute ospf 1 metric 1 1 1 1 1

61

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Routing
EIGRP
In order to disable EIGPR split-horizon on non-broadcast
networks:
ASA(config)# int e0/1
ASA(config-if)# no split-horizon eigrp 1
In order to send a default route:
ASA(config)# int e0/1
ASA(config-if)# summary-address eigrp 1 0.0.0.0 0.0.0.0
or
ASA(config)# route dmz 0.0.0.0 0.0.0.0 100.0.104.4
ASA(config)# router eigrp 1
ASA(config-router)# redistribute static

62

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Routing
EIGRP
EIGRP verification/troubleshooting
ASA# show eigrp neighbors
ASA# show eigrp topology {all-links}
ASA# show eigrp interfaces
Useful EIGRP debug commands:
ASA# debug eigrp fsm
ASA# debug eigrp packets (useful for authentication problems)
Note Use debug with caution!

63

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Routing
Local Name resolution
If I want to use names instead of IPs on ASA, I have to enable
the feature by typing names and then create static name
entries
ASA(config)# names
ASA(config)# name 100.0.101.1 R1
Note
names feature can make troubleshooting very challenging
Lab 3

64

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Routing
Questions
Which routing protocols are supported on ASA?
How do you clear the ARP entry for IP 100.0.123.2 on
interface outside?

65

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA IP Connectivity
Configuring DHCP
I can configure ASA as:
DHCP Client (DHCP Client can not be enabled while in Failover mode)
DHCP Server
DHCP Relay Agent

ASA as a DHCP Client

Configuration
FW1(config)#int e0
FW1(config-if)# nameif outside
FW1(config-if)# ip address dhcp
FW1(config-if)# no shut
FW1# debug dhcpc packet
66

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA IP Connectivity
ASA as DHCP Server

To create an address pool


FW1(config)#dhcpd address {start_IP-end_IP} {nameif}

To enable it on an interface:
FW1(config)#dhcpd enable {nameif}

DHCP verification
In order to display the DHCP server status
FW1# show dhcpd state

In order to display the DHCP bindings


FW1# show dhcpd binding all
FW1# debug dhcpd packet
67

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA IP Connectivity
ASA as DHCP Relay

To define a DHCP server


FW1(config)# dhcprelay server {IP_of_DHCP_server} {nameif}
Nameif is the interface facing the DHCP server

To enable DHCP relay agent on ASA interface


FW1(config)# dhcprelay enable {nameif}
Nameif is the interface facing the DHCP client

To replace the default route with ASAs interface


FW1(config)# dhcprelay setroute {nameif}
Nameif is the interface facing the DHCP client
FW1(config)# debug dhcprelay packet

68

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Monitoring
SNMP
SNMP implementation requires an SNMP Manager (e.g.
CiscoWorks) and an SNMP Agent (e.g. ASA)
SNMP uses 5 message types. 3 of them are sent by the SNMP
Manager and 2 by the SNMP Agent:

GET (sent by the SNMP Manager)


GET NEXT (sent by the SNMP Manager)
SET (sent by the SNMP Manager)
GET-RESPONSE (sent by the SNMP Agent)
TRAP (sent by the SNMP Agent)

Note
ASA doesnt accept SNMP SET messages
ASA supports only SNMP read access
ASA supports SNMPv1, SNMPv2c and SNMPv3 (8.2(1))
69

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Monitoring
SNMP

In order to configure SNMP on ASA I must make sure that it is


enabled (which is the default option)
ASA(config)# snmp-server enable
In SNMPv1 and SNMPv2c I have to specify the SNMP Manager
who is allowed to poll the ASA and where the TRAPS are sent
ASA(config)# snmp-server host ifname 100.0.101.250
community community-string

70

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Monitoring
SNMP
In order to enable snmp traps:
ASA(config)# snmp-server enable traps snmp authentication
linkup linkdown coldstart

In order to see the SNMP configuration


ASA# show run snmp-server

In order to make sure that the SNMP process is running:


ASA# sh processes | in SNMP|Snmp|snmp
we 08a9bea8 d8b7125c d64e151c

713 d8b6fa38 4292/8192 snmp

In order to make sure that the SNMP process sends and


receives SNMP packets and there are no authentication issues:
ASA# show snmp-server statistics

In order to see what OIDs are supported on ASA (hidden


command)
ASA1# show snmp-server oid
71

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Monitoring
SNMP For your reference
Useful SNMP OIDs
Usage

OID

CPU usage (5 sec)

1.3.6.1.4.1.9.9.109.1.1.1.1.3.1

CPU usage (1 min)

1.3.6.1.4.1.9.9.109.1.1.1.1.4.1

CPU usage (5 min)

1.3.6.1.4.1.9.9.109.1.1.1.1.5.1

Connections (current)

1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6

Traffic (out Bytes)

1.3.6.1.2.1.2.2.1.16.n

Traffic (in Bytes)

1.3.6.1.2.1.2.2.1.10.n

For more info check:


tools.cisco.com/Support/SNMP/do/ BrowseOID.do?local=en

72

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Monitoring
Questions
Which syslog level will produce the most messages?
1.
2.
3.
4.
5.
6.

Errors
Critical
Informational
Debugging
Alerts
Notifications

What is the purpose of 'logging trap' command?

73

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Administrative access


Telnet
By default, I cannot access the ASA device via Telnet unless I
specify which hosts are allowed from which interface:
ASA(config)# telnet 100.0.101.0 255.255.255.0 inside
I cannot Telnet the lowest security interface unless I have
IPsec tunnel on it.
%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= TCP) from
100.0.123.2 to 100.0.123.10

The default Telnet password is cisco. I order to change it:


ASA(config)# passwd telnet
I cannot Telnet from the ASA itself
In order to see who is connected via Telnet on the ASA and
disconnect:
ASA# who
ASA# kill Telnet_session_ID
74

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Administrative access


SSH
By default, I cannot access the ASA device via SSH. In order
to it via SSH I have to specify which hosts are allowed to SSH
on it:
ASA(config)# ssh 100.0.101.0 255.255.255.0 inside
In order to allow SSH connection on the ASA I have to
configure an RSA key:
ASA(config)# crypto key generate rsa modulus key-size
In order to reset the RSA key:
ASA(config)# crypto key zeroize rsa

75

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Administrative access


SSH
The default SSH username is pix and password cisco.
This is not true as from 8.4(2) where you must configure AAA
authentication in order to access the device via SSH.
I can change the SSH password:
ASA(config)# passwd ssh
or
ASA(config)# password ssh
In order to see who is connected to the ASA via SSH:
ASA# show ssh sessions
In order to disconnect an active SSH session:
ASA# ssh disconnect session_ID

76

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Administrative access


Questions
Which command will set the SSH password to 'Pa$
$word'?
Which command will set the Telnet password to 'Pa$
$word'?
What is the default idle timeout for a Telnet session?
What for SSH?
Which command shows who is connected on ASA via
SSH?
How can I see the listening ports on the ASA?

77

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA ACLs
ACL Overview
By default, traffic from lower security interface to higher
security interface is not allowed. ACLs (Access Control Lists)
can be used to overcome this restriction
ACL can allow return traffic that is not inspected by default
As soon as I apply an ACL on an interface, the security level is
not important anymore (note same sec-level!)
Implicit deny at the end (like in IOS)
An ACL consists of one or more ACEs (Access Control Entries)
There are 5 types of ACLs:

78

Extended
Standard
EtherType (only in Transparent mode)
WebType (for Clientless SSL VPN)
IPv6
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA ACLs
ACL Overview
I can name or number an ACL as I want regardless its type (unlike
IOS that I have the number ranges depending on type)
The order of ACEs is important. Put more specific ACEs at the top
For TCP and UDP connections, regardless if the ASA works in routed
(L3) or transparent mode (L2), I do not need an access list to allow
returning traffic
For ICMP you have to allow the returning traffic unless ICMP
inspection engine is on
One Extended and one Ethertype ACL per interface per direction

ACL syntax options

79

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA ACLs
Extended ACLs
Extended ACLs can be used in order to:

Control network access through the FW (routed and transparent)


Cut-Through Proxy (user authentication)
NAT Exemption and Policy NAT
Establish VPN

To create an Extended ACL


ASA(config)# access-list OUTSIDE_IN extended permit tcp host
1.1.1.1 host 2.2.2.2 eq 23 {inactive} {log} {time-range}

To apply Extended ACL on interface


ASA(config)# access-group OUTSIDE_IN in|out interface OUTSIDE

80

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA ACLs
Extended ACLs
I can insert an ACE by using the line keyword. Otherwise, the ACE
will be added at the end
ASA(config)# access-list OUTSIDE_IN line 2 extended permit
tcp host 5.5.5.5 host 6.6.6.6 eq www
access-list OUTSIDE_IN
access-list OUTSIDE_IN
after insertion
access-list OUTSIDE_IN
access-list OUTSIDE_IN
access-list OUTSIDE_IN

line 1 extended permit ip host 1.1.1.1 host 2.2.2.2


line 2 extended permit ip host 3.3.3.3 host 4.4.4.4
line 1 extended permit ip host 1.1.1.1 host 2.2.2.2
line 2 extended permit tcp host 5.5.5.5 host 6.6.6.6
line 3 extended permit ip host 3.3.3.3 host 4.4.4.4

I can use the remark keyword in order to insert comments


ASA(config)# access-list OUTSIDE_IN remark CHG-123456
In order to delete an ACE:
ASA(config)# no access-list OUTSIDE_IN extended permit tcp
host 5.5.5.5 host 6.6.6.6 eq www
In order to delete the entire ACL:
ASA(config)# clear configure access-list ACL-name
Note - You are not going to receive any warning!
81

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA ACLs
The log keyword
'permit' without 'log' keyword
%ASA-6-302020: Built outbound ICMP connection for faddr 100.0.123.2/0 gaddr 100.0.101.1/0 laddr 100.0.101.1/0
%ASA-6-302020: Built inbound ICMP connection for faddr 100.0.123.2/0 gaddr 100.0.101.1/0 laddr 100.0.101.1/0

'permit with 'log' keyword


%ASA-6-302020: Built outbound ICMP connection for faddr 100.0.123.2/0 gaddr 100.0.101.1/1 laddr 100.0.101.1/1
%ASA-6-106100: access-list OUTSIDE_IN permitted icmp OUTSIDE/100.0.123.2(0) -> INSIDE/100.0.101.1(0)
hit-cnt 1 first hit [0x835eb415, 0x0]
%ASA-6-302020: Built inbound ICMP connection for faddr 100.0.123.2/0 gaddr 100.0.101.1/1 laddr 100.0.101.1/1

'deny' without 'log' keyword


%ASA-6-302020: Built outbound ICMP connection for faddr 100.0.123.2/0 gaddr 100.0.101.1/2 laddr 100.0.101.1/2
%ASA-4-106023: Deny icmp src OUTSIDE:100.0.123.2 dst INSIDE:100.0.101.1 (type 0, code 0) by access-group
"OUTSIDE_IN" [0xb487b3e1, 0x0]

'deny' with 'log' keyword


%ASA-6-302020: Built outbound ICMP connection for faddr 100.0.123.2/0 gaddr 100.0.101.1/6 laddr 100.0.101.1/6
%ASA-6-106100: access-list OUTSIDE_IN denied icmp OUTSIDE/100.0.123.2(0) -> INSIDE/100.0.101.1(0) hitcnt 1 first hit [0xb487b3e1, 0x0]

82

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA ACLs
Extended ACLs
Router ACL vs ASA/PIX ACL
The ASA/PIX ACL will check only the first packet of a connection
Any = 0.0.0.0 0.0.0.0, host = 255.255.255.255
ASA(config)# access-list OUT_IN permit ip 100.0.123.2
255.255.255.255 0.0.0.0 0.0.0.0
the same as:
ASA(config)# access-list OUT_IN permit ip host 100.0.123.2 any

In order to verify an Extended ACL:


ASA# show running-config access-list
ASA# show access-list
Useful tip 1
In order to find ACEs that contain IP 100.0.101 and service www
ASA# show access-list | in 100.0.101.*www
Useful tip 2
In order to see the ACEs that contain 100.0.101.1, www and dont have 0 hit counts

ASA# show access-list | i 100.0.101.*www.*hitcnt=[1-9]


83

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA ACLs
ACL limits and ACL optimization
On ASA, the number of ACEs is limited only by memory (check FWSM
limits on https://supportforums.cisco.com/docs/DO-8786)
Each ACE uses at least 212 Bytes of RAM
High number of ACEs can affect session establishment and throughput
In order to see how many ACEs has each ACL:
ASA# show access-list | in elements

Max recommended
ACEs

Tested ACEs
Max observed
from customers

550
5

551
0

5520

554
0

555
0

25k

80k
80k

5580

5585/60

ASA SM

200k

500k

700k

750k

2m

2m

300k

700k

700k

1m

2m

2m

2.74m

2.77m

After 8.3 ASA, the following command can save some CPU and memory
resources by not expanding network object-groups, but expands only
service object-groups (ACL Optimization)
ASA(config)# object-group-search access-control
84
Only INBOUND ACLs will be optimized
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA ACLs
Standard ACLs
Syntax
ASA(config)# access-list ACL1 standard permit host
226.0.0.10
Standard ACLs can be used for:
PIM
Route-maps
Distribute Lists

In order to verify a Standard ACL:


ASA# show running-config access-list
ASA# show access-list

85

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA ACLs
Object-grouping
Object groups can be used in order to ease the ACL
administration and avoid repetitive tasks
4 types of object groups:
Protocol object-group
I can group IP protocols (e.g. TCP, UDP, ICMP, ESP etc)
ASA(config)# object-group protocol TCP
ASA(config-protocol)# description Whole TCP Protocol
ASA(config-protocol)# protocol-object tcp

Network object-group
I can group IP hosts and networks
ASA(config)# object-group network OUTSIDE_HOSTS
ASA(config-network)# description Outside Hosts
ASA(config-network)# network-object host 100.0.123.2
ASA(config-network)# network-object 10.0.2.0 255.255.255.0
86

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA ACLs
Object-grouping
ICMP type
I can group different ICMP types (e.g. echo, echo-reply etc)
ASA(config)# object-group icmp-type TRACEROUTE
ASA(config-icmp)# description Traceroute Group
ASA(config-icmp)# icmp-object time-exceeded
ASA(config-icmp)# icmp-object unreachable

Service object-group
I can group TCP ports, UDP ports, ICMP
ASA(config)# object-group service TCP_GROUP1 tcp
ASA(config-service)# description TCP Group1
ASA(config-service)# port-object eq telnet
ASA(config-service)# port-object eq www
ASA(config-service)# port-object eq https

87

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA ACLs
Object-grouping
Enhanced Service object-group
As from 8.0(2) version Enhanced Service Object grouping allow the
mixing of TCP, UDP and ICMP into a single group
ASA(config)# object-group service ENHANCED_GROUP1
ASA(config-service)# description Enhanced Group 1
ASA(config-service)# service-object tcp eq www
ASA(config-service)# service-object udp eq tftp
ASA(config-service)# service-object icmp echo

I can nest an object-group within an object-group of the same


type
ASA(config)# object-group network INSIDE_HOSTS
ASA(config-network)# network-object host 1.1.1.1
ASA(config-network)# group-object OUTSIDE_HOSTS

Object groups do not decrease the number of actual ACEs


(show run access-list vs show access-list)
88

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA ACLs
Using Object-grouping with ACLs
ASA(config)# object-group network OUTSIDE_HOSTS
ASA(config-network)# description Outside Hosts
ASA(config-network)# network-object host 100.0.123.2
ASA(config-network)# network-object 10.0.2.0 255.255.255.0
!

ASA(config)# object-group service TCP_GRP1 tcp


ASA(config-service)# description TCP Group1
ASA(config-service)# port-object eq telnet
ASA(config-service)# port-object eq www
!

ASA(config)# object-group service ENHANCED_GRP1


ASA(config-service)# description Enhanced Group 1
ASA(config-service)# service-object tcp eq www
ASA(config-service)# service-object udp eq tftp
ASA(config-service)# service-object icmp echo
!

ASA(config)# access-list OUTSIDE_IN extended permit tcp object-group


OUTSIDE_HOSTS 100.0.101.0 255.255.255.0 object-group TCP_GRP1
!

ASA(config)# access-list OUTSIDE_IN extended permit object-group

ENHANCED_GRP1 object-group OUTSIDE_HOSTS 100.0.101.0 255.255.255.0


89

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA ACLs
Object-group verification/modification
Displaying Object-groups
To show all object-groups
ASA# show run object-group
To show all object-groups from a specific type
ASA# show run object-group service
To show only a specific object-group
ASA# show run object-group id GROUP1

Object-group modification
I can remove an object-group if it is not used in any ACL
ASA(config)# no object-group icmp-type TRACEROUTE
In order to remove an object from an object-group
ASA(config)# object-group network OUTSIDE_HOSTS
ASA(config-network)# no network-object host 100.0.150.24

90

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA ACLs
Questions
What are the 4 types of ACL object groups? Which one
is the most flexible?
Which rule is applied inbound to the inside interface, by
default?
1. All IP traffic sourced from any source to any less secure
destination is permitted
2. All IP traffic is denied
3. All IP traffic is permitted
4. All IP traffic sourced from any source to any more secure
destination is permitted

How much do object groups reduce the CPU usage


compared to simple ACLs?
What syslog message will be generated by the implicit
deny at the end of an ACL?
91

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA ACLs
Questions

What syslog message will be generated If I apply the


following ACL and 100.0.101.1 tries to ping 100.0.123.3?
Case 1
ASA(config)# access-list INSIDE_IN deny ip any any
Case 2
ASA(config)# access-list INSIDE_IN permit ip any host 2.2.2.2
Case 3
ASA(config)# access-list INSIDE_IN deny icmp host 100.0.101.1 host
100.0.123.3 log
1. 106100
2. 106023
3. 111008

. When ASA denies transit traffic does it send TCP RST? How
can I change the default behavior?
92

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


NAT Overview
NAT benefits:
Allows private IP addresses to be used on inside networks
As security feature hides the real addresses
Resolves routing issues (e.g. overlapping address or unroutable
networks)

NAT in ASA is composed of 2 phases:


Translate phase - Real IP address translated into a mapped address
Untranslate phase - The return traffic is untranslated from the
mapped into real address

As from version 7.0, ASA supports nat-control' command


which makes NAT optional for transiting traffic
ASA(config)# nat-control

By default, nat-control is disabled


ASA# show run nat-control
93

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


NAT Control and security levels
Traffic direction

NAT Control disabled


ASA(config)#no nat-control

NAT Control enabled


ASA(config)#nat-control

Low sec-level
High sec-level

No need for NAT

I have to configure
NAT. Otherwise I get
error message 305005

High sec-level
Low sec-level

No need for NAT

I have to configure
NAT. Otherwise I get
error message 305005

Between
interfaces of
same sec-level

No need for NAT

No need for NAT

94

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Types of NAT
2 main types of translations
NAT One-to-one translation
PAT One-to-many translation

NAT and PAT have 2 variations

Dynamic translations IPs or ports are allocated dynamically


Static translations IPs or ports are mapped manually
Dynamic NAT
PAT (Port Address Translation)
Static NAT
Static PAT
Dynamic Policy NAT
Static Policy NAT
Identity NAT/Static Identity NAT
NAT Exemption
95

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Dynamic NAT
A group of IP addresses is translated to a pool of IP addresses
The mapping is not sequential
The configuration of Dynamic NAT is 2 step process
Step 1 Configure the group of addresses that will be translated
(real IPs)
ASA(config)# nat (nameif) 1 100.0.101.0 255.255.255.0

Step 2 Configure the pool that will be used for address translation
ASA(config)# global (nameif) 1 100.0.123.80-100.0.123.90

I can also configure connection limits by using the nat


command
ASA(config)# nat (nameif) 1 0 0 tcp 10 20 udp 10

If I configure nat command for an interface then I have to


have NAT rules in order to be able to access destinations
behind lower security interfaces (ASA 8.0 conf. guide p.19-24)
96

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Dynamic NAT
Dynamic NAT allows only the one side to initiate traffic.The
remote side can also initiate traffic if xlate exists and ACL or
security-level permits it. Traffic to real IP is also denied even if
ACL permits it (ASA 8.0 config. guide p.19-6 19-7)
Verification
ASA# show run nat
ASA# show run global
ASA# show nat
ASA# show xlate {detail} {debug}
debug will add nameif, idle and xlate timeouts

In order to clear existing NAT translation


ASA# clear xlate

97

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Dynamic NAT Example

ASA(config)#
ASA(config)#
ASA(config)#
ASA(config)#
98

nat (inside) 1 0 0
nat (dmz) 1 100.0.104.0 255.255.255.0 0 0
!
global (outside) 1 100.0.123.100-100.0.123.110

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


PAT
Translates multiple real IP addresses to a single IP address
(virtual or real). What is used for the mapping is the src port
The configuration of PAT is 2 step process
Step 1 Configure the group of addresses that will be translated
(real IPs)
ASA(config)# nat (nameif) 1 100.0.101.0 255.255.255.0
Step 2 Configure the IP that will be used for address
translation
ASA(config)# global (nameif) 1 100.0.123.100
Or
ASA(config)# global (nameif) 1 interface

Traffic can be initiated only from the real IP side. In case there
is xlate open, the remote side can reach the source by using
the appropriate IP/dst-port
99

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


PAT Example

ASA(config)#
ASA(config)#
ASA(config)#
ASA(config)#
100

nat (inside) 1 0 0
nat (dmz) 1 100.0.104.0 255.255.255.0 0 0 udp 0
!
global (outside) 1 interface

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Using PAT for backup example

ASA(config)#
ASA(config)#
ASA(config)#
ASA(config)#
101

nat (inside) 1 100.0.101.0 255.255.255.0


!
global (outside) 1 100.0.123.100-100.0.123.109
global (outside) 1 100.0.123.110

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Static NAT
Translates a real IP address to a single mapped IP address
Allows bidirectional traffic
I need equal number of virtual (mapped) IPs and real IPs
ASA(config)# static (prenat-nameif,postnat-nameif) postnatsrc-IP prenat-src-IP

In order to verify static NAT configuration


ASA# show run static
In order to see the xlate table along with the flags
ASA# show xlate detail

102

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Static NAT example 1

ASA(config)# static (inside,outside) 100.0.123.100 100.0.101.1


ASA(config)# access-list OUTSIDE_IN permit ip any host
100.0.123.100
ASA(config)# access-group OUTSIDE_IN in interface outside
ASA# show xlate detail
NAT from inside:100.0.101.1 to outside:100.0.123.100 flags s

103

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Static NAT example 2

ASA(config)# static (inside,outside) 100.0.123.0 100.0.101.0


netmask 255.255.255.0
ASA(config)# access-list OUTSIDE_IN permit ip any 100.0.123.0
255.255.255.0
ASA(config)# access-group OUTSIDE_IN in interface outside
ASA# show xlate detail
NAT from outside:100.0.123.0 to inside:100.0.101.0 flags s

104

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Static PAT (Port Forwarding)
Allows redirection of traffic that is destined towards a specified
port of the mapped IP to a specified port of the real IP
From R1 I can have the src IP translated only if I use src port =
second port specified in the command. If I want the inside host(s)
to access the outside destinations and have their sources translated
for ALL ports, then I have to configure Dynamic NAT
ASA(config)# static (prenat-nameif,postnat-nameif) tcp|udp
<postnat-IP> <port> <prenat-IP> <port>

ASA(config)# static (inside,outside) tcp 100.0.123.240 2023


100.0.101.1 23
105

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Outside NAT
In case I am configuring Dynamic NAT from a lower to a
higher security-level then I need to put the keyword outside
In this case I also need to configure reverse static NAT in order to
be able to access from higher security-level to lower security-level

ASA(config)#
ASA(config)#
ASA(config)#
ASA(config)#
106
ASA(config)#

nat (outside) 1 100.0.123.0 255.255.255.0 outside


global (inside) 1 100.0.101.100-100.0.101.105
access-list OUTSIDE_IN permit ip any host 100.0.101.1
access-group OUTSIDE_IN in interface outside
static (outside,inside) 100.0.101.88 100.0.123.2

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Dynamic Policy NAT
Regular NAT takes into account only the source IP, not the
destination. Dynamic Policy NAT allows to take into account
also the destination along with services
For example I can have src A to be translated to src B when I
am trying to access dst C while src A will be translated to src D
when I am trying to access dst E. I can also have src A to be
translated to src B when I access dst C port X, but src A will
be translated to src D when I access dest E port Y
Dynamic Policy NAT is Unidirectional

107

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Dynamic Policy NAT example 1
R1 appears with different src IP depending on destination (R2 or R3)

ASA(config)# access-list CONDITION_1 permit ip host 100.0.101.1 host


100.0.123.2
ASA(config)# nat (inside) 1 access-list CONDITION_1
ASA(config)# global (outside) 1 100.0.123.101
ASA(config)# access-list CONDITION_2 permit ip host 100.0.101.1 host
100.0.123.3
ASA(config)# nat (inside) 2 access-list CONDITION_2
108
ASA(config)# global (outside) 2 100.0.123.102
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Dynamic Policy NAT example 2
R1 appears with different src IP depending on the service

ASA(config)# access-list CONDITION_1 permit tcp host 100.0.101.1


host 100.0.123.2 eq 23
ASA(config)# nat (inside) 1 access-list CONDITION_1
ASA(config)# global (outside) 1 100.0.123.188
ASA(config)# access-list CONDITION_2 permit tcp host 100.0.101.1
host 100.0.123.2 eq 80
ASA(config)# nat (inside) 2 access-list CONDITION_2
109
ASA(config)# global (outside) 2 100.0.123.189
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Static Policy NAT
Static Policy NAT is like Dynamic Policy NAT, but allows
bidirectional traffic
ASA(config)# access-list CONDITION permit ip host
<Real_IP> eq <Real_Port> <SRC_IP>|<DST_IP>
ASA(config)# static (prenat-nameif,postnat-nameif)
<tcp>|<udp> <postnat-IP> <port> access-list
CONDITION
For the traffic from the remote side to the local, the source IP
is not checked against the ACL so Static Policy NAT will behave
as normal Static PAT (Port-forwarding) (8.0 Config. Guide NAT
p.19-14)

110

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Static Policy NAT example 1

ASA(config)# access-list CONDITION_1 permit ip host 100.0.101.1 host


100.0.123.2
ASA(config)# access-list CONDITION_2 permit ip host 100.0.101.1 host
100.0.123.3
ASA(config)# static (inside,outside) 100.0.123.122 access-list
CONDITION_1
111
ASA(config)# static (inside,outside) 100.0.123.133 access-list
CONDITION_2
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Static Policy NAT example 2 (Policy Static PAT)

ASA(config)# access-list CONDITION_1 permit tcp host 100.0.101.250


eq 80 host 100.0.123.2
ASA(config)# access-list CONDITION_2 permit tcp host 100.0.101.250
eq 80 host 100.0.123.3
ASA(config)# static (inside,outside) tcp 100.0.123.122 80 access-list
CONDITION_1
112
ASA(config)# static (inside,outside) tcp 100.0.123.133 80 access-list
CONDITION_2
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Identity NAT
Identity NAT translates the real IP address to itself (creates
xlate)
The syntax is the following:
ASA(config)# nat (nameif) 0 <network> <subnet-mask>
Since there is no global command, it applies to all outgoing
interfaces
Identity NAT is Unidirectional. In order to access an inside
host, I have to wait for it to initiate traffic
Identity NAT would be useful in case I have NAT-Control
enabled and I want the inside hosts to be able to initiate traffic
without having its src IPs modified

113

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Identity NAT example

In order for R1 to be able to access R2 and R4:


ASA(config)# nat (inside) 0 100.0.101.1 255.255.255.255
Verification
ASA# sh xlate detail
NAT from inside:100.0.101.1 to outside:100.0.101.1 flags iI

114

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Static Identity NAT
Identity NAT translates the real IP address to itself (creates
xlate), but it can take into account also the exit outbound
interface (Regular Static Identity NAT) and the destination
(Policy Static Identity NAT) along with ports (Policy Static
Identity NAT)
The syntax is the following:
ASA(config)# static (prenat_int,postnat_int) postnat_ip
prenat_ip
or
ASA(config)# static (prenat_int,postnat_int) postnat_ip
access-list ACL_NAME
(the source IP in the ACL must match the real IP)
Static Identity NAT is Bidirectional since the static translation
is always active
115

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Static Identity NAT example

R1 will be able to access both R2 and R4


ASA(config)# static (inside,outside) 100.0.101.1 100.0.101.1
Or (R1 will be able to access R2, but not R4)
ASA(config)# access-list CONDITION_1 extended permit ip host
100.0.101.1 host 100.0.123.2
ASA(config)# static (inside,outside) 100.0.101.1 access-list
116 CONDITION_1
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


NAT Exemption
NAT Exemption (like the Static Identity NAT) is Bidirectional
Unlike Identity NAT and Static Identity NAT, NAT Exemption doesnt
create xlate
Like Regular Static Identity NAT, it allows to specify the destination
Unlike Policy Static Identity NAT, it doesnt allow to specify the ports
NAT Exemption syntax
ASA(config)# nat (inside) 0 access-list ACL_NAME

Note 1
The ACL allows to specify only the whole IP protocol
ERROR: access-list has protocol or port

Note 2
The ACL that is used with NAT Exemption doesnt increase the
hitcounts

117

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


NAT Exemption example

ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0


ASA(config)# global (outside) 1 100.0.123.100
!
ASA(config)# access-list NAT_EXEMPTION extended permit ip
host 100.0.101.1 100.0.104.0 255.255.255.0
ASA(config)# nat (inside) 0 access-list NAT_EXEMPTION
118

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


DNS Doctoring
With DNS Doctoring the ASA inspects DNS replies and changes
the IP address sent by the DNS server to an address specified
in the NAT configuration
The problem:

The solution:
ASA(config)# static (inside,outside) 100.0.123.100
100.0.101.250 netmask 255.255.255.255 dns
119

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


NAT Order of operations
In a case there is overlap, ASA will apply NAT in the following
order
1. NAT Exemption (nat 0 access-list)
2. Static NAT/Static Identity NAT/ Static PAT/Static Policy NAT
(static command). In the case of overlap between Static
NAT and Static PAT, the order that I apply the commands is
important
3. Dynamic Policy NAT (nat access-list command)
4. Dynamic Identity NAT (nat 0 without ACL)
5. Dynamic NAT (nat command)
6. Dynamic PAT
Remember the order in case of source NAT:
Routing lookup -> ACL checking -> NAT -> VPN Encryption
120

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


NAT summary
Dynamic NAT (Unidirectional The remote side is allowed to initiate traffic
only if there is xlate open)
Hosts on the Inside going to the Outside have their addresses translated into address
pool 100.0.123.100-100.0.123.105:
ASA(config)# nat (inside) 2 100.0.101.0 255.255.255.0
ASA(config)# global (outside) 2 100.0.123.100-100.0.123.105

PAT using the interface IP Unidirectional - It allows traffic to be


initiated from the remote host only if there is xlate and use the appropriate
IP/port. The guessing of port is very difficult, so TCP Reset-I very possible.
Hosts in the inside going to outside have their addresses translated into the interface
IP address:
ASA(config)# nat (inside) 1 100.0.101.0 255.255.255.0
ASA(config)# global (outside) 1 interface

Static NAT Bidirectional - It allows traffic to be initiated from both sides


Source IP of host behind Inside with ip address 100.0.101.1 will be translated to IP
100.0.123.99 as it goes out of the outside interface:
ASA(config)# static (inside,outside) 100.0.123.99 100.0.101.1

121

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


NAT summary (cont)
Static PAT (port forwarding) Bidirectional - I have to configure Dynamic
NAT in order for the inside host to have its src IP translated if I want to use
other ports
Telnet sessions to the outside interface (100.0.123.100) are redirected to 100.0.101.1:
ASA(config)# static (inside,outside) tcp interface 23 100.0.101.1 23

Dynamic Policy NAT (Unidirectional Dynamic Policy NAT allows to take


into account also the destination IP(s) along with services
Src 100.0.101.1 will appear as 100.0.123.199 when accesses dst 100.0.123.2 port 80
Src 100.0.101.1 will appear as 100.0.123.200 when accesses dst 100.0.123.2 port 23
ASA(config)# access-list CONDITION_1 permit tcp host 100.0.101.1 host
100.0.123.2 eq 80
ASA(config)# access-list CONDITION_2 permit tcp host 100.0.101.1 host
100.0.123.2 eq 23
ASA(config)# nat (inside) 1 access-list CONDITION_1
ASA(config)# nat (inside) 2 access-list CONDITION_2
ASA(config)# global (outside) 1 100.0.123.199
ASA(config)# global (outside) 1 100.0.123.209

122

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


NAT summary (cont)
Static Policy NAT (Bidirectional - Same as Dynamic Policy NAT, but Bidirectional)
For traffic originated from 100.0.101.1 and destined to 100.0.123.2 the source will be
translated to 100.0.123.122
Any remote host can access 100.0.101.1 by using dst IP 100.0.123.122 (Bidirectional)
ASA(config)# access-list COND_1 permit ip host 100.0.101.1 host 100.0.123.2
ASA(config)# static (inside,outside) 100.0.123.122 access-list COND_1

Identity NAT (Unidirectional Translates the real IP to itself)


Host 100.0.101.1 will have its IP unmodified as it goes from Inside interface to any
other outgoing interface
ASA(config)# nat (inside) 0 100.0.101.1 255.255.255.255

Static Identity NAT (Bidirectional - Translates the real IP to itself, but


can take into account the destination along with TCP/UDP ports)
Host 100.0.101.1 will have its IP unmodified as it goes from Inside to Outside interface
ASA(config)# static (inside,outside) 100.0.101.1 100.0.101.1

NAT Exemption (Bidirectional exempts the real IP from the NAT process)
Host 100.0.101.1 will not be NATed as it goes to host 100.0.104.4
ASA(config)# access-list NO_NAT permit ip host 100.0.101.1 host 100.0.104.4
ASA(config)# nat (inside) 0 access-list NO_NAT
123

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Lab 4

ASA pre-8.3 NAT


Questions
Put in proper order the following NAT technologies
according to the order of execution in case of overlap:

Identity NAT
Static NAT
PAT
NAT Exemption
Dynamic NAT

How do I clear the xlate for Local IP 10.0.1.1?


What is the purpose of the id field in the nat command?
What is the difference between regular network address
translation and policy-based network translation?

124

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA pre-8.3 NAT


Questions
Which of the following is the correct syntax for mapping
an internal web server with an IP address of
10.10.10.15 to an outside IP address of 192.168.100.15
for HTTP traffic?
1.
2.
3.
4.

125

static (inside, outside) 192.168.100.15 80 10.10.10.15 netmask


255.255.255.255 eq www
static (inside, outside) 192.168.100.15 80 10.10.10.15 netmask
255.255.255.255
static (inside, outside) tcp 192.168.100.15 80 10.10.10.15 www
netmask 255.255.255.255
static (inside, outside) 192.168.100.15 eq 80 10.10.10.15 netmask
255.255.255.255

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


Post-8.3 NAT
With ASA 8.3 when I configure NAT and ACLs, I have to
specify the real IPs in the ACL instead of mapped IPs. Note
that some features, like capture ACL and Packet-Tracer will
continue to use mapped IPs
NAT-Control is no longer supported
The following commands are no longer supported:
Nat (old config), global, static

As from ASA 8.3 there are 2 main NAT variations


Network Object NAT (also mentioned as Auto-NAT): The
translation rule is defined under the network object
Twice NAT (Manual): Used when there is need to translated
source and destination at the same time

126

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


NAT 8.3 Objects
I create objects in order to be able to reuse them in many
places in the configuration (Checkpoint logic). One of the main
things I can configure under the object is the NAT
2 types of objects:
Network objects
3 types of network objects:
Host
ASA(config)# object network NET_OBJECT_HOST1
ASA(config-network-object)# host 1.1.1.1
Network
ASA(config)# object network NET_OBJECT_NETWORK1
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
Range
ASA(config)# object network NET_OBJECT_RANGE1
ASA(config-network-object)# range 192.168.1.100 192.168.1.110
127

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


NAT 8.3 Objects (cont.)
Service objects 4 types
A Service object contains a protocol and optional a src or dst port
Protocol
ASA(config)# object service SER_OBJECT_PROTOCOL89
ASA(config-service-object)# service 89
ICMP
ASA(config)# object service SER_OBJECT_ICMP
ASA(config-service-object)# service icmp echo
TCP
ASA(config)# object service SER_OBJECT_DST_TCP23
ASA(config-service-object)# service tcp destination eq www
Or

ASA(config)# object service SER_OBJECT_srcTCP1500


ASA(config-service-object)# service tcp source eq 1500
UDP
ASA(config)# object service SER_OBJECT_dstUDP53
ASA(config-service-object)# service udp destination eq 53
128

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


NAT 8.3 (cont)
New NAT order of operations
1. Twice NAT (Manual) (first match) = Section 1
2. Network Object NAT = Section 2
3. Twice NAT (Manual) with after-auto keyword (first match) =
Section 3

If I upgrade from pre-8.3 version to post-8.3 version the FW


will do automatically the following:
.Migrate the existing pre-8.3 NAT rules to post-8.3 NAT rules
.It will migrate the ACLs to post-8.3 format
.It will generate a file with errors during the migration
.It will make a copy of the pre-8.3 configuration into flash

For post-8.3 NAT vs pre-8.3 NAT command difference check


Cisco ASA 5500 Migration to Version 8.3 and Later pages 1934
129

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


ASA post-8.3 Static NAT example

Pre-8.3
ASA1(config)# static (LONDON,PARIS) 100.0.123.101 100.0.11.1
ASA1(config)# access-list PARIS_IN permit ip any host 100.0.123.101
ASA1(config)# access-group PARIS_IN in interface PARIS

Post-8.3 config

ASA1(config)# object network R1_100.0.11.1


ASA1(config-network-object)# host 100.0.11.1
ASA1(config-network-object)# nat (LONDON,PARIS) static 100.0.123.101
Or (Twice NAT)
ASA1(config)#object network R1_NAT_100.0.123.102
ASA1(config-network-object)# host 100.0.123.102
ASA1(config)#nat (LONDON,PARIS) source static R1_100.0.11.1 R1_NAT_100.0.123.102
ASA1(config)# access-list PARIS_IN extended permit ip any host 100.0.11.1
ASA1(config)# access-group PARIS_IN in interface PARIS
130

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


ASA post-8.3 Dynamic NAT example

Pre-8.3 config
ASA1(config)# nat (LONDON) 1 1.1.1.0 255.255.255.0
ASA1(config)# global (PARIS) 1 100.0.123.50-100.0.123.51

Post-8.3 config
ASA1(config)# object network RANGE_100.0.123.50-51
ASA1(config-network-object)# range 100.0.123.50 100.0.123.51
ASA1(config)# object network NET_1.1.1.0_24bits
ASA1(config-network-object)#subnet 1.1.1.0 255.255.255.0
ASA1(config-network-object)#nat (LONDON,PARIS) dynamic RANGE_100.0.123.50-51

Or (Twice NAT)
ASA1(config)#nat (LONDON,PARIS) source dynamic NET_1.1.1.0_24bits
RANGE_100.0.123.50-51
131

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


ASA post-8.3 PAT example

Pre-8.3
ASA1(config)# nat (LONDON) 1 0 0
ASA1(config)# global (PARIS) 1 interface

Post-8.3 config
ASA1(config)# object network ANY
ASA1(config-network-object)# subnet 0 0
ASA1(config-network-object)# nat (LONDON,PARIS) dynamic interface
Or (Twice NAT)
ASA1(config)# nat (LONDON,PARIS) source dynamic any interface

132

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


ASA post-8.3 Static PAT (Port Forwarding)

Pre-8.3
ASA1(config)# static (LONDON,PARIS) tcp 100.0.123.111 9999 100.0.11.1 23
ASA1(config)# access-list PARIS_IN permit tcp any host 100.0.123.111 eq 9999
ASA1(config)# access-group PARIS_IN in interface PARIS

Post-8.3 config
ASA1(config)# object network R1_NAT
ASA1(config-network-object)# host 100.0.123.111
ASA1(config)# object network R1_REAL
ASA1(config-network-object)#host 100.0.11.1
ASA1(config-network-object)#nat (LONDON,PARIS) static R1_NAT service tcp 23 9999

ASA1(config)# access-list PARIS_IN permit tcp any host 100.0.11.1 eq 23


ASA1(config)# access-group PARIS_IN in interface PARIS

133

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


ASA post-8.3 Dynamic Policy NAT

Pre-8.3
ASA1(config)#
ASA1(config)#
ASA1(config)#
ASA1(config)#
ASA1(config)#
ASA1(config)#

access-list R1_to_R2 permit ip host 100.0.11.1 host 100.0.123.2


access-list R1_to_R3 permit ip host 100.0.11.1 host 100.0.123.3
nat (LONDON) 1 access-list R1_to_R2
nat (LONDON) 2 access-list R1_to_R3
global (PARIS) 1 100.0.123.102
global (PARIS) 2 100.0.123.103

Post-8.3 config
ASA1(config)# object network R1_REAL
ASA1(config-network-object)# host 100.0.11.1
ASA1(config)# object network R1_NAT1
ASA1(config-network-object)# host 100.0.123.102

134

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


ASA post-8.3 Dynamic Policy NAT (cont.)

Post-8.3 config (cont.)


ASA1(config)# object network R1_NAT2
ASA1(config-network-object)# host 100.0.123.103
ASA1(config)# object network R2_REAL
ASA1(config-network-object)# host 100.0.123.2
ASA1(config)# object network R3_REAL
ASA1(config-network-object)# host 100.0.123.3
ASA1(config)# nat (LONDON,PARIS) source dynamic R1_REAL R1_NAT1
destination static R2_REAL R2_REAL
ASA1(config)# nat (LONDON,PARIS) source dynamic R1_REAL R1_NAT2
destination static R3_REAL R3_REAL

135

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


ASA post-8.3 NAT Exemption

Pre-8.3
ASA1(config)#
ASA1(config)#
ASA1(config)#
ASA1(config)#

nat (LONDON) 1 0 0
global (PARIS) 1 interface
access-list NO_NAT permit ip host 100.0.11.1 host 2.2.2.2
nat (LONDON) 0 access-list NO_NAT

Post-8.3 config
ASA1(config)# object network ANY
ASA1(config-network-object)# subnet 0 0
ASA1(config-network-object)# nat (LONDON,PARIS) dynamic interface
ASA1(config)# object network R1_100.0.11.1
ASA1(config-network-object)# host 100.0.11.1
ASA1(config)# object network R2_2.2.2.2
ASA1(config-network-object)# host 2.2.2.2
ASA1(config)# nat (LONDON,PARIS) 1 source static R1_100.0.11.1
R1_100.0.11.1 destination static R2_2.2.2.2 R2_2.2.2.2
136

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


ASA post-8.3 NAT Exemption example 2

Pre-8.3
ASA1(config)#
ASA1(config)#
ASA1(config)#
ASA1(config)#
ASA1(config)#

nat (LONDON) 1 0 0
global (PARIS) 1 interface
global (PRAGUE) 1 interface
access-list NO_NAT permit ip host 1.1.1.1 any
nat (LONDON) 0 access-list NO_NAT

Post-8.3 config
ASA1(config)# object network ANY
ASA1(config-network-object)# subnet 0 0
ASA1(config-network-object)# nat (LONDON,PARIS) dynamic interface
ASA1(config)# object network ANY2
ASA1(config-network-object)# subnet 0 0
ASA1(config-network-object)# nat (LONDON,PRAGUE) dynamic interface
ASA1(config)# nat (LONDON,any) 1 source static R1_1.1.1.1 R1_1.1.1.1
137

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


ASA post-8.3 Twice NAT (src & dst translation/Dual NAT)

ASA1(config)# object network R1_REAL


ASA1(config-network-object)# host 100.0.11.1
ASA1(config)# object network R1_NAT
ASA1(config-network-object)# host 100.0.123.101
ASA1(config)# object network R2_REAL
ASA1(config-network-object)# host 100.0.123.2
ASA1(config)# object network R2_NAT
ASA1(config-network-object)# host 100.0.11.102
ASA1(config)# object service TCP_1023
ASA1(config-service-object)# service tcp destination eq 1023
ASA1(config)# object service TCP_23
ASA1(config-service-object)# service tcp destination eq telnet
ASA1(config)# nat (LONDON,PARIS) source static R1_REAL R1_NAT destination static R2_NAT
R2_REAL service TCP_1023 TCP_23

138

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


ASA post-8.3 summary

139

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


Reordering Manual NAT entries
ASA842(config)# sh nat
Manual NAT Policies (Section 1)
1 (INSIDE) to (OUTSIDE) source static IP_4.4.4.4 IP_4.4.4.4
translate_hits = 0, untranslate_hits = 0
2 (INSIDE) to (OUTSIDE) source static IP_1.1.1.1 IP_1.1.1.1
translate_hits = 0, untranslate_hits = 0
ASA842(config)# nat (INSIDE,OUTSIDE) 1 source static IP_8.8.8.8 IP_8.8.8.8
ASA842(config)# sh nat
Manual NAT Policies (Section 1)
1 (INSIDE) to (OUTSIDE) source static IP_8.8.8.8 IP_8.8.8.8
translate_hits = 0, untranslate_hits = 0
2 (INSIDE) to (OUTSIDE) source static IP_4.4.4.4 IP_4.4.4.4
translate_hits = 0, untranslate_hits = 0
3 (INSIDE) to (OUTSIDE) source static IP_1.1.1.1 IP_1.1.1.1
translate_hits = 0, untranslate_hits = 0

Note
Follows the ACL logic
140

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


NAT performance considerations
According to Cisco:
Static NAT is the best for high performance
Dynamic NAT and PAT require more CPU cycles and affect connection
setup rate
PAT may also affect throughput up to 18%
The performance drop can be even higher if you log translation
creation and tear down
ASA(config)#
ASA(config)#
ASA(config)#
ASA(config)#

141

no
no
no
no

logging
logging
logging
logging

message
message
message
message

305009
305010
305011
305012

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


NAT and Packet-Tracer
Packet-tracer like the Capture utility will be checked before NAT and
ACLs. This means you have to use pre-NATed IPs in the Packet-Tracer
is used and the IPs are NATed
In the following example ASA3 is doing Dual NAT (source and
destination at the same time). Note the Packet-tracer syntax:

ASA3#packet-tracer input NET4 tcp 4.4.4.4 1111 10.0.34.1 23

142

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Lab 5

ASA post-8.3 NAT


Questions
What is the purpose of the following NAT rules?
object network obj-NET1
subnet 172.31.196.0 255.255.255.0
object network obj-NET2
subnet 172.31.197.0 255.255.255.0
object network obj-NET3
subnet 172.31.198.0 255.255.255.0
object network SERVER_FARM
subnet 10.149.0.0 255.255.255.0
Object service TCP-8080
service tcp destination eq 8080
!
nat (INSIDE,any) source static obj-NET1 obj-NET1 destination static
SERVER_FARM SERVER_FARM unidirectional
nat (INSIDE,DMZ) after-auto source static obj-NET2 obj-NET3 destination
static SERVER_FARM SERVER_FARM service TCP-8080 TCP-8080

143

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA post-8.3 NAT


Questions
What is the difference between the following NAT rules?
object service TCP_2244
service tcp source eq 2244
object service TCP_2006
service tcp source eq 2006
object service TCP_515
service tcp source eq 515
nat (BACK,any) source static Host_192.168.2.1 Host_192.168.4.10 service TCP_2244 TCP_515
nat (BACK,any) source static Host_192.168.2.1 Host_192.168.4.4 service TCP_2006 TCP_515
object service TCP_2244
service tcp destination eq 2244
object service TCP_2006
service tcp destination eq 2006
object service TCP_515
service tcp destination eq 515
nat (any,BACK) source static any any destination static Host_192.168.4.10 Host_192.168.2.1
service TCP_515 TCP_2244
nat (any,BACK) source static any any destination static Host_192.168.4.4 Host_192.168.2.1
service TCP_515 TCP_2006
144

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Protocol handling


ASA State Tables
ASA maintains 2 important state tables in its RAM
Connection Table
Keeps all connections going through the FW
In order to see the connection table:
ASA# show conn {detail}

Local-host Table
Maintains information per-IP that goes through the FW
In order to verify connections through the FW:
ASA# show local-host 100.0.101.1

145

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Protocol handling


UDP Inspection
UDP is inspected by default
UDP Entry removed from state table:
End of Idle time (2 min) or DNS Reply or clear conn or clear local-host

ICMP Inspection
ICMP is not inspected by default
I can allow ICMP returning traffic by:
ACL
ASA(config)# access-list OUTSIDE_IN permit icmp host
100.0.123.2 host 100.0.101.1 echo-reply
Opens a permanent hole
Enabling ICMP inspection
ASA(config)# policy-map policy_default
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp
Opens one connection per ICMP packet.
Is Removed from state table:

146

End of idle time (2 sec) or clear conn or clear local-host

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Protocol handling


TCP Inspection
TCP is inspected by default
ASA checks TCP flags

147

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

TCP entry is removed from state table when:

ASA Modular Policy Framework


Modular Policy Framework (MPF) Overview
MPF is a method of configuring ASA features in a way similar to
IOS MQC (Modular QoS CLI)
MPF can be used for:
L7 Application Inspection HTTP, DNS, SMTP etc
e.g Traffic to example.com will be denied

TCP/UDP normalization, connection limits, timeouts, TCP SN


randomization, TCP State Bypass (8.2(1))
Quality of Service (QoS )
Police traffic
Shape traffic
Prioritize traffic

Divert traffic to CSC SSM


Divert traffic to AIP SSM
Divert traffic to CX module
148

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Modular Policy Framework


MPF Configuration Overview
MPF is a 3-step configuration:
Create a Class-map
Identifies traffic

Create a Policy-map
Applies policies to identified traffic

Configure Service policy


Applies the Policy-map to the device

149

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Modular Policy Framework


MPF Ingredients
L3/L4 Class-maps
Matches traffic based on L3/L4 attributes
Called within L3/L4 Policy-map

Inspection (Layer 7) Class-map


Matches criteria specific to applications

L3/L4 Policy-map
Applies actions to L3/L4 Class-map

Inspection Policy-map
Applies special actions to applications

L3/L4 Class-maps are called by L3/L4 Policy-maps. Inspection


Class-maps are called by Inspection Policy-maps

150

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Modular Policy Framework


MPF Ingredients
L3/L4 Class-map

ASA(config)# class-map CLASS1


MPF Class-map can match:
All traffic
ASA(config-cmap)# match any

Extended ACL
ASA(config-cmap)# match access-list ACL1

Port numbers
ASA(config-cmap)# match port tcp eq 80

DSCP/IP Precedence (usually for Voice)


ASA(config-cmap)# match precedence 5
ASA(config-cmap)# match dscp ef

Tunnel Group (for VPN)


ASA(config-cmap)# match tunnel-group TUNNEL_GROUP_1

151

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Modular Policy Framework


MPF Ingredients
L3/L4 Class-map (cont)

MPF Class-map can match:


RTP traffic
ASA(config-cmap)# match rtp 16384 16383

Default-inspection-traffic
ASA(config-cmap)# match default-inspection-traffic

In order to verify the current Class-maps


ASA# show run all class-map
Inspection (Layer 5-7) Class-map

ASA(config)# class-map type inspect <app> INS_CLASS1


ASA(config-cmap)# match
match commands depend on the application
152

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Modular Policy Framework


MPF Ingredients
L3/L4 Policy-map
Specifies what policies will be applied to the matched traffic
ASA(config)# policy-map POL1
ASA(config-pmap)# class CLASS1

MPF L3/L4 Policy-map can apply the following:


Inspect enables the Inspection Engine for a protocol
Set connection settings for TCP and UDP connections
In order to control the total number of open sessions
ASA(config-pmap-c)# set connection conn-max
In order to control the total number of open sessions per-host
ASA(config-pmap-c)# set connection per-client-max
In order to control the total number of embryonic sessions
ASA(config-pmap-c)# set connection embryonic-conn-max

153

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Modular Policy Framework


MPF Ingredients
L3/L4 Policy-map (cont)
TCP Initial Sequence Number randomization
ASA(config-pmap-c)#no set connection random-sequence-number
ASA will work as a proxy (2 sessions: client-> ASA, ASA-> server
TCP Option (kind 19) used by BGP (RFC 2385) and LDP for MD5
authentication (RFC 5925 is the new alternative). SN is used to create
the 128 bit MD5 hash
TCP Advanced Options can be modified by using TCP-map

ASA(config)# tcp-map TCP_MAP


ASA(config-tcp-map)# tcp-options range 19 19 allow
ASA(config-pmap-c)# set connection advanced-options TCP_MAP

QoS Policing
QoS Shaping
QoS Priority

In order to verify the current Policy-maps


ASA# show run all policy-map
154

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Modular Policy Framework


MPF Ingredients
Inspection (Layer 5-7) Policy-map
To perform additional actions on some inspection traffic
ASA(config)# policy-map type inspect http INS_POL1

You can match a L5-7 class-map


If I dont match a L5/7 class-map I get the following error:
ERROR: Specified class type is different from the policy-map type.

Apply an action to the matched traffic


ASA(config-pmap-c)# drop-connection | reset etc

Call the Inspection Policy-map from a L3/L4 Class config mode


ASA(config-pmap-c)# inspect http INS_POL1

155

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Modular Policy Framework


MPF Ingredients
Regular Expressions (regex)
Many times regular strings have to be matched (e.g. URL, file
name). I can do this by using regular expressions (regex)
Regex can be called from an Inspection Policy-map:
Directly from a match command or indirectly from a Class-map
type regex (more scalable way)
ASA(config-pmap)# match request uri regex ?
WORD < 41 char Enter name of regex
class
Specify the name of the regex class to match against uri

In order to see all the regular expressions


ASA# show run all regex

In order to test a regex


ASA# test regex EXAMPLE.COM [Ee]XAMPLE\.COM

156

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Modular Policy Framework


MPF Ingredients
Service-policy
Specifies where the policies will be applied (global or interface)
One global policy only per device
Applies to ingress traffic on all interfaces (inherently egress)
ASA(config)# service-policy global_policy global

One policy-map per interface


ASA(config)# service-policy POLICY_1 interface inside
The direction (Inbound or Outbound) depends on the feature

Take into account the overlap between the Global and perinterface policies (per-interface takes precedence)
To verify service-policy
ASA# show service-policy

157

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Modular Policy Framework


Modular Policy Framework (MPF) Overview
ASA configuration includes a default policy-map
global_policy which is applied globally
The global_policy calls a default L3/L4 Class-map
inspection_default and a default L3/L4 Class-map classdefault
MPF is processed top to bottom like IOS MQC
Unlike MQC, MPF actions can be combined
If actions are the same -> First match according to Internal Actions
order is applied
If actions are not the same -> Combine them
Put more specific at the top

158

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Modular Policy Framework


MPF example
ASA(config)# access-list TCP permit tcp any any
!
ASA(config)# class-map TCP_TRAFFIC
ASA(config-cmap)# match access-list TCP
!
ASA(config)# class-map HTTP_TRAFFIC
ASA(config-cmap)# match port tcp eq 80
!
ASA(config)# policy-map POLICY_1
ASA(config-pmap)# class HTTP_TRAFFIC
ASA(config-pmap-c)# inspect http
ASA(config-pmap-c)# set connection conn-max 500
ASA(config-pmap-c)# class TCP_TRAFFIC
ASA(config-pmap-c)# set connection conn-max 100
ASA(config-pmap-c)# set connection embryonic-conn-max 50
!
ASA(config)# service-policy POLICY_1 interface inside
159

Lab 6

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Asymmetric Routing


ICMP Asymmetric Routing

160

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Asymmetric Routing


TCP Asymmetric Routing Case 1

161

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Asymmetric Routing


TCP Asymmetric Routing Case 2

162

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Asymmetric Routing


TCP Asymmetric Routing Case 3

163

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Unicast RPF Check


Asymmetric Routing and uRPF

ASA1(config)# ip verify reverse-path interface inside

164

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA MPF Asymmetric routing


Questions
Does ASA support asymmetric routing?
Which feature is enabled if I write ip verify reversepath interface <nameif>?
1.
2.
3.
4.

TCP Intercept
Threat detection
IPS
uRPF

Which inspections are enabled by default (choose 3)


1.
2.
3.
4.
5.

ICMP
SIP
NETBIOS
HTTP
FTP

Which command will show you if packets are dropped


by MPF inspection?
165

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Contexts
Overview
I can partition a single appliance into multiple virtual firewalls.
Every context has its own routing, FW policy and resources
The number of contexts depends on the model and the license
I can use Active/Active failover or Active/Standby failover
Unsupported features in FW Multimode (before 9.0 ver)*

166

*I cannot run dynamic routing protocols, but only use static routes
*VPN termination is not supported
Multicast routing is not supported
QoS is not supported

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Contexts
Types of contexts
System context
Admin context
User context(s)

167

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Contexts
System context
Doesnt have any interfaces
It is used in order to do 3 main tasks:
Create and maintain other contexts (including admin)
Allocate interfaces to other contexts
Specify the location of the configuration file of other contexts

Optional tasks available from System context

Enable or disable interfaces


Configure banner
Allocate resources to other contexts
Set failover parameters
NTP configuration

Can be accessed only via console or from admin context

168

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Contexts
Admin context
Automatically created after converting from single to multiple
mode
I can connect to the Admin context remotely and then jump
to the other contexts. In order to do this:
Allocate an interface
Assign IP, nameif
Configure Telnet, SSH or ASDM access

When I convert from single mode to multimode, the config is


saved into admin context
Later I can configure any customer context to be the admin
context
Admin context can be used as a regular FW, but it is not
recommended

169

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Contexts
User-defined (customer) contexts
Manually created from system context
In order to create it:
ASA(config)# context <context-name>
ASA(config-ctx)# allocate-interface <if>
ASA(config-ctx)# config-url <path:/name>
Optionaly, I can allocate resources to the context

All other configuration is done in the context itself. From


system or admin context I type:
ASA# changeto context <context-name>

In order to verify contexts:


ASA# show context {detail}|{count}

170

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Contexts
Interface allocation
Interfaces can be non-shared or shared
Unique interface per context
Unique subinterface per context
Shared interface or subinterface between contexts

Physical characteristics must be defined under system context


Speed, duplex, enable/disable

Logical characteristics must be defined under the user context


IP address, nameif, security-levels

171

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Contexts
Packet classification rules (ASA Classifier)
The FW must know to which context to send inbound traffic
If an interface (or subinterface) belongs to a single context, the
ASA will classify the packet into that context
If multiple contexts share an interface (or subinterface), then the
classification is done based on interface destination MAC
ASA(config)# mac-address auto
or
ASA(config-if)# mac-address <MAC>

If multiple contexts share a physical interface and I use the same


MAC for all contexts then classification is based on destination IP. In
this case I need to use NAT for the destination IP

172

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Contexts
Resource management
By default, all security contexts share the same HW resources
One context could exhaust all physical resources of the firewall
Configuration of resource management is a two-step process:
Step 1 Define a resource class
ASA(config)# class Silver
ASA(config-class)# limit-resource xlates 1500
ASA(config-class)# limit-resource cons 10000
ASA(config-class)# limit-resource ssh 3

Step 2 Map a resource class to a context


ASA(config)# context ContextA
ASA(config-ctx)# member Silver

Verification
ASA# show resource {usage}|{allocation}|{types}
ASA# show resource usage detail resources allocated/ context
ASA# show resource usage context <context-name>
173

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Contexts
Example 1 Non-shared interfaces

174

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Contexts
Example 1 Shared interfaces

175

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Lab 7

ASA Contexts
Questions
What is the command to show if the FW runs in single
or multiple context mode?
In Active/Active context, on which context will you
troubleshoot failover link issues?
1. Customer Contexts
2. System Context
3. Admin Context

What are the 3 main things that I can configure from


System context?
What is the command to move between contexts?
What is the purpose of 'Admin' context?
How can I verify which context has the role of 'admincontext'?
176

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Redundant Interfaces


Overview
It is a logical interface that consists up to 2 physical interfaces
One physical interface Active, the other Standby
If one interface fails the other one takes over (no preemption)
By default, the first int listed in configuration is the Active
I cannot have subinterfaces as members of a redundant int
I can configure subinterfaces under Redundant int mode
The interfaces can have different speeds (not recommended)
By default, the Active physical interface MAC is used. When the active
interface fails over to the standby, the same MAC address is maintained so
that traffic is not disrupted
When a redundant interface member becomes Active it sends a GARP
If I make a redundant interface member Active manually the ASA will
remember the new Active even after rebooting

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Redundant Interfaces


Configuration

ASA(config)# interface redundant 1


ASA(config-if)# member-interface e0/1
ASA(config-if)# member-interface e0/2
ASA(config-if)# nameif DMZ
ASA(config-if)# security-level 60
ASA(config-if)# ip address 100.0.0.1 255.255.255.0
Under the physical interface I can only configure: speed, duplex,
description, shutdown
I can change the Active interface:
ASA(config)# redundant-interface redundant 1 activemember e0/2
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Redundant Interfaces


Verification

To view all information regarding a redundant interface


ASA# show interface redundant 1
To view which one is the Active physical interface
ASA# show interface redundant 1 | grep Member
To view redundant interface configuration
ASA# show run interface redundant 1
To debug redundant interface events
ASA# debug redundant-interface event|error

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Redundant Interfaces


Questions
When troubleshooting a redundant interface problem
what should be checked?
1. If the Standby interface receives keepalives from the Active
interface
2. If the 2 physical interfaces have the same MAC
3. If the IP address configured under the logical interface is correct
4. If the duplex/speed configuration under the logical interface is
correct

When I enable for first time a redundant interface


where I put the no shut command?
1. Under the logical interface mode
2. Under the physical interface mode

180

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Overview
ASA supports 2 types of failover configurations:
Active/Standby (A/S)
Active unit passes traffic
Standby unit monitors the Active unit and waits to take over
Standby unit takes over IP and MAC during failover Except
Failover and Stateful Failover interfaces
Single or Multiple Context mode Routed or Transparent

Active/Active (A/A)
Both units can pass traffic (load balancing)
Supported only in Multiple Context mode Routed & Transparent
Contexts are assigned to failover groups. Per group failover

Both units must have the same HW, SW, mode, license (8.3(1))
Commands are replicated from Active to Standby
Both types support Stateless or Stateful failover
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Active/Standby

182

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Failover Health Monitoring
The 2 units monitor each other in 2 ways:
Unit Health Monitoring
Hello messages over Failover Link (IP 105)

Interface Health Monitoring


Hello messages over all monitored interfaces (IP 105)

What causes failover


Power/Software failure/crashing of Active unit
All communications between the 2 units are lost
Number of monitored-interfaces < Monitored-interfaces
Threshold
Manual failover

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Failover Behavior
Event
Active unit fails (HW or
SW failure)
.
Formerly Active recovers

Primary unit
action (Active)
-

Becomes Standby

Secondary unit
action (Standby)

Notes

Becomes Active
Marks ex-Active as
Failed

No action

No preemption*
preemption

Standby unit fails (HW or


Marks Standby as
Standby unit fails (HW or
SW failure)
Failed
SW failure)
Failover link fails during
Mark failover link
Mark failover link as
Failover link fails during
operation
as Failed
Failed
operation
Both units Active and
Remains Active
Becomes Standby
Both units Active and
Secondary detects
Secondary detects
Primary
Primary
Stateful Failover Link fails
No action
No action
Stateful Failover Link fails
.
.
Interface failure on Active Mark Active as
Becomes Active
Interface failure on Active
above threshold
Failed
above threshold
Interface failure on
Mark Standby as
No action
Interface failure on
Standby above threshold
Failed
Standby
above threshold
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Active will not


attempt any failover
The 2 units cannot
failover (next slide)
failover*
-

State information
becomes outdated
Active will not
attempt any failover

ASA Failover
Failover Behavior
Q: What happens when the LAN Failover interface goes down?
A: Depends on the ASA OS version (CSCsw37519):

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Failover design options

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Failover design options

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Failover design options

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Active/Standby Configuration
3 main-steps
Step 1 - Configure Primary unit (6 sub-steps)
Step 2 - Configure Secondary unit (3 sub-steps)
Step 3 - Configure Optional features
Configuring Primary Unit
Substep 1 Configure Data interfaces
ASA(config)# int e0/1
ASA(config-if)# ip address 100.0.101.10 255.255.255.0
standby 100.0.101.11
ASA(config-if)# nameif inside
ASA(config-if)# no shut

Substep 2 (PIX only)


PIX(config)# failover lan enable
189

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Active/Standby Configuration (cont.)
Substep 3 Set the unit as Primary
ASA(config)# failover lan unit primary

Substep 4 Configure the Failover Link


ASA(config)# failover lan interface FOVER e0/2
ASA(config)# failover interface ip FOVER 100.0.100.10
255.255.255.0 standby 100.0.100.11
ASA(config)# int e0/2
ASA(config-if)# no shut

Substep 5 (Optional) Configure the Stateful Failover Link


ASA(config)# failover link STATE e0/3
ASA(config)# failover interface ip STATE 100.0.103.10
255.255.255.0 standby 100.0.103.11
ASA(config)# int e0/3
ASA(config-if)# no shut
190

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Active/Standby Configuration (cont.)
Substep 6 Enable Failover
ASA(config)# failover

Configuring Secondary Unit


Substep 1 (PIX only)
ASA(config)# failover lan enable

Substep 2 Configure the Failover Link


ASA(config)# failover lan interface FOVER e0/2
ASA(config)# failover interface ip FOVER 100.0.100.10
255.255.255.0 standby 100.0.100.11
ASA(config)# int e0/2
ASA(config-if)# no shut

Substep 3 Enable Failover


ASA(config)# failover

191

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Active/Standby Configuration (cont.)
Configuring Optional features
Stateful Failover HTTP Replication
By default, HTTP connections are not replicated
ASA(config)# failover replication http

Disable interface monitoring


By default, all physical interfaces are monitored. Subinterfaces no
ASA(config)# no monitor-interface outside

Unit Health Polltime


ASA/PIX sends Hellos over Failover Link to monitor remote unit
PIX hello every 15 sec, holdtime 45 sec
ASA hello every 1 sec, holdtime 15 sec
If one Hello is missed, testing through other interfaces starts
Holdtime = how long it takes from the time a hello packet is missed to
when the interface is marked as failed
ASA(config)# failover polltime 5 {holdtime 20}

192

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Active/Standby Configuration (cont.)
Interface Health Polltime
ASA/PIX sends Hellos out each data interface to monitor remote interface
PIX/ASA hello every 5 sec, holdtime 5 x Hello Polltime
ASA(config)# failover polltime interface 2 {holdtime 15}
If 2 consecutive Hello messages are missed on a monitored interface, the
interface goes into testing mode. If all tests fail, the interface is marked as
failed
Note
If an ASA monitored interface goes DOWN then the failover happens
immediately without going through any tests (ASA 9.1 config guide page
8-17)

Virtual MAC address configuration


If Secondary boots first Becomes Active and uses its own MAC
If Primary comes online Secondary takes MAC of Primary
This can disrupt network traffic
ASA(config)# failover mac address nameif active-MAC standby-MAC
ASA(config)# failover mac address outside 00a0.c965.8513
00a0.c965.8514
193

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Controlling Failover
In order to force the Standby unit to become Active:
From the Active unit
ASA(config)# no failover active

or
From the Standby unit
ASA(config)# failover active

In order disable failover


On both units
ASA(config)# no failover

Save the running configuration into flash:


ASA# write memory
ASA# copy running-config startup-config

In order to overwrite the running config of standby unit


ASA# write standby
194

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Failover Verification
In order to verify failover status
ASA# show failover {state} {history}

In order to see the failover configuration


ASA# show run {all} failover

Failover debugging
In order to debug failover
ASA# debug fover cable {cmd-exec}|{fail}|{fmsg}|{ifc}|
{open}{rx}{rxdmp}|{rxip}|{switch}|{sync}|{tx}|
{txdmp}|{txip}|{verify}

Lab 8
195

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Upgrade
Zero Downtime upgrade

Major Release
I can upgrade from the last minor release of the previous version to
the next major release.
E.g. 7.2(1) to 8.0(1)

Minor Release
I can upgrade from a minor release to the next minor release. I
cannot skip a minor release.
E.g. I can upgrade from 7.0(1) to 7.1(1)

Maintenance Release
I can upgrade from any maintenance release to any other
maintenance release within a minor release
E.g. I can upgrade from 7.0(1) to 7.0(4)
196

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Upgrade
Zero Downtime upgrade on A/S Failover way 1
Step 1 - Download the software on both devices
Step 2 - Specify the new boot image on both units. Delete the old
boot system path
ASA(config)# boot system asa842-k8.bin
ASA(config)# no boot system disk0:/asa832-k8.bin

Step 3 - Reload the Standby unit to boot with the new image
From the Active unit: failover reload-standby or
From the Standby unit: reload

Step 4 - The Standby now has new image. Make it active:


From the Active unit: no failover active or
From the Standby unit: failover active

Step 5 - Reload the former Active unit (current Standby)


newstandby# reload

Step 6 - Make the former Active unit (current Standby), Active


again
newstandby# failover active
197

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Upgrade
Zero Downtime upgrade on A/S Failover way 2
Step 1 - Download the software on both devices
Step 2 - Specify the new boot image on both units. Delete the old
boot system path
ASA(config)# boot system asa842-k8.bin
ASA(config)# no boot system disk0:/asa832-k8.bin
Step 3 swap the failover so that the unit that was Active is now
Standby
On the Standby unit: failover active
Step 4 - Reload the former Active unit (current Standby)
newstandby# reload
Step 5 Wait few minutes for the 2 units to get synchronized
(show conns, show xlate, show crypto isakmp sa etc)
Step 6 - Make the former Active unit (current Standby), Active
again
newstandby# failover active
Step 7 Reload the Standby unit so it boots with the new image
Step 8 - Verify that the Standby got synchronized with the Active
198

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA RMA (Return Material Authorization)


Replacing a failed Primary ASA unit
Assuming that device1 is the new device (Primary) and device2 is the new
Active device (Secondary):
Step 1 Use the show version command and make sure that the outputs
look the same (pay special attention to licenses and OS version)
Step 2 - Issue the show failover command and make sure that the
device2 shows This host: Secondary Active and Other host: Primary
Failed:

199

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA RMA (Return Material Authorization)


Replacing a failed Primary ASA unit
Step 3 Configure the following commands on device1 (Primary unit)
failover
failover
failover
failover
failover
!
int g1
no sh
int g2
no sh

lan unit primary


lan interface FOVER g1
link STATE g2
interface ip FOVER 2.2.2.2 255.255.255.0 standby 2.2.2.3
interface ip STATE 3.3.3.2 255.255.255.0 standby 3.3.3.3

Note The above commands are recommended by Cisco. Testing shows


that the blue highlighted lines above are enough to do the job. Test in lab
to check the behavior!
Step 4 Enable failover on device1 (Primary unit). The device1 will detect
the existing Active/Secondary unit and get synchronized with it
failover

200

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA RMA (Return Material Authorization)


Replacing a failed Primary ASA unit
Show failover on both units should show the Primary unit as Standby and the
Secondary unit as Active:

Step 5 Make sure that the devices are synchronized and make device1
(Primary unit) Active again:
failover active

201

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Upgrade
Case study
After downloading the new image to flash and reloading the device, ASA
cannot find the new image. The ASA writes the errors in a file:
ASA# more flash:upgrade_startup_errors_201301092038.log

INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201301092038.log'


Reading from flash...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
REAL IP MIGRATION: WARNING
In this version access-lists used in 'access-group', 'class-map',
'dynamic-filter classify-list', 'aaa match' will be migrated from
using IP address/ports as seen on interface, to their real values.
If an access-list used by these features is shared with per-user ACL
then the original access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on
different interfaces are not detectable by automated Real IP migration.
If your deployment contains such scenarios, please verify your migrated
configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete
explanation of the automated migration process.
INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file 'flash:8_0_4_0_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.0(4) "
WARNING: BOOT variable added, but unable to find disk0:/asa832-34-k8.bin
*** Output from config line 141, "boot system disk0:/asa83..."

Solution
The ASA File System was corrupted. Fsck command utility fixed the issue:
ASA# fsck disk0:

202

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Questions
What is the correct order of operation in order to
perform upgrade with zero downtime on 2 ASAs
operating in Active/Standby failover mode? Put the
following actions in the correct order:
Reload the Standby ASA
Force the Active ASA to failover to the Standby ASA
Reload the former Active ASA
Download the new ASA image
Specify on ASA to boot from the new image
Make the former Active ASA, Active again
What will happen if you dont put the standby IPs?
What will happen if you put no failover on Active unit?
What will happen if you do clear configure all on Active
unit?
203

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Questions
How do you replace the Active unit?
What is the difference between Active and Standby?
What is the difference between Primary and
Secondary?
What is the difference between Serial and LAN-based
failover?
What is the difference between Stateless and Stateful
failover?
In case of LAN-based failover, what happens if the LAN
failover interface goes down?

204

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Active/Active Overview
Only available in multiple context mode
Both appliances can pass traffic
Divide the contexts in up to 2 failover groups
One failover group contains 1 or more contexts
Admin context is in failover group 1
To save the configs on both appliances 'write memory all'
from the system context of the unit that has group 1 Active
Group failover can be triggered by:
monitored interface in failover group < threshold
no failover active group group_id or failover active
group 1|2

205

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Active/Active Overview
Primary/Secondary definitions
primary/secondary dictates which unit provides the running configuration
to the peer when they boot at the same time
ASA(config)# failover lan unit primary
If I dont specify failover lan unit primary to at least one device, the 2
peers will not detect each other
I can dictate which will become Active if they boot simultaneously per group
level by specifying the preference
ASA(config)# failover group 1
ASA(config-fover-group)# primary
This also dictates the MAC addresses that will be used for the active IPs
If an appliance boots while the peer is down, both failover groups in the
appliance will be Active
When using A/A failover, the contexts will use Virtual MACs in the form of:

Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01


Standby unit default MAC address: 00a0.c9physical_port_number.failover_group_id02
e.g. ASA1/ctx1/pri/act# sh int e0/1 | in MAC
MAC address 00a0.c901.0101, MTU 1500

Use debug fover only from System context (use with caution!)
206

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Active/Active Overview

207

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Active/Active Configuration
Active/Active configuration implies multiple context config
Convert BOTH ASAs to multiple mode:
ciscoasa(config)# mode multiple
Context config necessary only on Primary unit

3 main step configuration


Step 1 - Configure Primary unit
Step 2 - Configure Secondary unit
Step 3 - Configure optional features

Configure Primary unit


Substep 1 - Configure Data interfaces
ASA1/CUST1(config-if)# changeto context CUST1
ASA1/CUST1(config-if)# ip add 100.0.101.10 255.255.255.0
standby 100.0.101.11
ASA1/CUST1(config-if)# nameif inside
208

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Active/Active Configuration (cont)
Substep 2 - System context - (PIX only)
PIX(config)# failover lan enable

Substep 3 - System context - Designate 'primary' unit.


ASA(config)# failover lan unit primary

Substep 4 - System context - Configure failover link


ASA(config)# failover lan interface FOVER e0/2
ASA(config)# failover interface ip FOVER 100.0.150.10
255.255.255.0 standby 100.0.150.11

Substep 5 (Optional) - System context - Configure State link


ASA(config)# failover link FOVER

209

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Active/Active Configuration (cont)
Substep 6 - System context - Configure failover groups

ASA(config)# failover group 1


ASA(config-fover-group)# primary
ASA(config)# failover group 2
ASA(config-fover-group)# secondary

Substep 7 - System context - Assign contexts to failover


groups

ASA(config)#context CUST1
ASA(config-ctx)# join-failover-group 1
ASA(config)#context CUST2
ASA(config-ctx)# join-failover-group 2

Substep 8 - System context - Initialize failover


ASA(config)# failover

210

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Active/Active Configuration (cont)
Configure Secondary unit
Substep 1 - System context - (PIX only)
PIX(config)# failover lan enable

Substep 2 - System context - Configure failover link


ASA2(config)# failover lan interface FOVER e0/2
ASA2(config)# failover interface ip FOVER 100.0.150.10
255.255.255.0 standby 100.0.150.11

Substep 3 - System context - Initilize failover


ASA2(config)# failover

Configure Optional features


Configure Failover Group Preemption -combined with primary
ASA(config)# failover group 1
ASA(config-fover-group)# preempt <delay in sec>
211

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Active/Active Configuration (cont)
Configure Optional features (cont)
Configure HTTP Replication
ASA(config)# failover group 1
ASA(config-fover-group)# replication http

Configure Interface Monitoring (inside context configuration)


ASA(config)# changeto context CUST1
ASA/CUST1(config)# monitor-interface <nameif>

Configure Interface Health Monitoring


ASA(config)# failover group 1
ASA(config-fover-group)# polltime interface 1 holdtime 5

Configure Failover Criteria


ASA(config)# failover group 1
ASA(config-fover-group)# interface-policy 2
212

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Controlling Failover
In order to force the Standby unit to become Active:
From the Active unit
ASA(config)# no failover active group {1}|{2}

or
From the Standby unit
ASA(config)# failover active group {1}|{2}

Active/Active Verification
ASA# show failover
ASA# show ip

In order to see the failover reason


ASA# show failover state
This information is not saved after reloading

In order to see the failover configuration (from System context)


ASA# show run failover
213

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Active/Active failover example

214

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Questions
Which 3 ASA modes do not support VPN termination
and dynamic routing protocols?
1.
2.
3.
4.
5.

Active/Standby failover mode


Routed mode
Multiple context mode (pre 9.0)
Active/Active mode (pre 9.0)
Transparent mode

When using Active/Standby failover how can I achieve


subsecond failover?
1.
2.
3.
4.

215

Enable stateful failover


Increase the number of monitored interfaces to 3
Use redundant interfaces
Decrease the unit pollitime to 300msec and holdtime to 900msec

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Questions
How many ASA Firewalls can you operate in a highavailability failover cluster?
Does failover support preemption?
What are the HW and SW requirements for failover?
Which of the following causes a failover event?
1. A reboot or power interruption on the active ASA Firewall
2. Low HTTP traffic on the outside interface
3. Issuance of the no failover active command on the standby ASA
Firewall
4. Low memory utilization for several consecutive seconds

What info is passed over the Failover Link?


What info is passed over the Stateful Failover Link?

216

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Failover
Questions
How do I replicate the config from the Active to the
Standby unit? Does configuration replication save the
running configuration to Flash memory on the standby
unit?
Based on the following configuration, which command
enables the stateful failover option?
ASA(config)# failover lan unit primary
ASA(config)# failover lan interface FOVER e0/2
ASA(config)# failover interface ip FOVER 10.0.1.1
255.255.255.0 standby 10.0.1.2
ASA(config)# failover link interface FOVER e0/2
ASA(config)# failover key $ecRet1
ASA(config)# failover

Which protocol is not replicated by default with Stateful


failover?
217

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

VPN Overview
VPN goals
In general, a VPN must meet 4 goals:
1. Data confidentiality (encryption)
2. Data integrity (hashing also often documented as
message authentication)
3. Anti-replay (prevent the sender from denying that it sent
the message)
4. Authentication (the message came from where it was
supposed to come)

218

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

VPN Overview
Data confidentiality
Two main types of encryption:
1. Symmetric key encryption

The same key is used for encryption and decryption of data


Not CPU intensive
DES, 3DES, AES
Used for bulk data encryption

2. Asymmetric key encryption

219

A Public key is used for encryption of data


A Private key is used for decryption of data
In case of Digital Signatures, a Private key encrypts and the Public key decrypts
CPU intensive
RSA, Diffie-Hellman

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

VPN Overview
Data integrity (hashing)
The sender appends a hash of the message to the original message
The receiver runs the same hash algorithm to the original message and
compares the hashes
MD5, SHA1

Digital Signature
It is a hash encrypted with senders Private key
The attachment of a Digital signature to a message is called signing

HMAC (Hashed Message Authentication Code)


It is a hash that was computed by using a shared secret (salt). The HMAC is
not encrypted

220

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

VPN Overview
Digital Certificate
Binds the identity of a device with its Public key
A Digital Certificate contains 3 main values:
1. Device ID (Subject)
2. Device Public key
3. CAs Digital Signature

Other important values:


4. Validity period
5. CRL Distribution Point

Diffie-Hellman
Algorithm used to produce a Shared Secret key over an insecure medium
Assuming that I have 2 hosts: A and B
. Host A chooses 2 prime numbers (P1,P2) and sends them to B
. Both hosts generate a Private key (PrivK1,PrivK2)
. Both hosts calculate their Public Keys: PubK1=(P2^PrivK1)modP1
. The two hosts exchange their Public Keys
. Both hosts generate a Shared Secret: DH1 = (PubK2^PrivK1)modP1
221

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

VPN Overview
Authentication with PKI

222

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

VPN Overview
Security Protocols
AH (Authentication Header)
IP Protocol 51
Doesnt provide encryption
AH Transport mode

AH Tunnel mode

ESP (Encapsulated Security Payload)


IP Protocol 50
ESP Transport mode

223

Note

ESP Tunnel mode

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN
IPsec Security Association (SA)
It is a simplex connection that provides security services to the traffic
carried by it (RFC 4301)
Each VPN connection requires at least 2 SAs (one per each direction)
SA is identified by 3 things:
Security Parameter Index (SPI) - 32-bit number
Destination IP
A security protocol (AH/ESP)

IPsec uses 3 databases:


Security Policy Database (SPD)
Specifies what traffic should be discarded, protected or not protected by IPsec

Security Association Database (SAD)


Contains parameters for each SA (e.g. SPI, sequence #, Anti-reply window etc)
SAD is populated during IKE negotiation

Peer Authorization Database (PAD)


Specifies remote peers, peer authentication methods, peer authentication data etc
224

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

VPN Overview
Questions
What is the difference between an HMAC and a Digital
signature?
What is the purpose of the CA Digital Signature in a
Digital Certificate?
What are the 2 variations of asymmetric key
encryption?
How do Transport and Tunnel modes differ?
What port is used by ESP?

225

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

LAN-to-LAN IPsec VPN


10000 feet overview

Host A initiates traffic towards Host B (10.0.0.100)


ASA1 receives the traffic and checks the following:
If has routing towards remote destination 10.0.0.100
If the traffic is allowed to enter Gig1
If there is source NAT for 192.168.0.5, the ASA will do the translation
The flow is checked against Proxy-ACL. If there is a match and ASA1 has a route
towards the remote VPN peer it starts the VPN negotiation
If negotiation succeeds, the VPN tunnels (ISAKMP SAs and IPsec SAs) come UP

Data starts flowing through the IPsec tunnel


When ISAKMP lifetime is about to expire the 2 peers re-negotiate P1
When IPsec lifetime is about to expire the 2 peers re-negotiate P2 (new SPIs)
If there is DPD enabled and the communication between the VPN peers is lost,
the VPN tunnel goes DOWN, otherwise the SAs stay UP until the SA VPN idletimeout expires (30 min by default). If all SAs are expire, the tunnel goes
DOWN
226

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

LAN-to-LAN IPsec VPN


IKEv1
It is a hybrid protocol (ISAKMP, QAKLEY, SKEME)
It operates in two phases and three modes
Phase 1
2 goals:
Establish a secure tunnel (IKE SA) that will protect later ISAKMP negotiations
Generate 3 keys (SKEYID_a, SKEYID_d, SKEYID_e)

Main Mode (MM)


6

messages in total
First two messages negotiate policy
Next two messages exchange DH Public Keys + Extra data
Last two messages authenticate the two peers (device authentication)
Pre-shared keys
RSA signatures
CRACK (if you dont want to use PKI)

The content of the six messages is affected by the authentication method


The outcome is an IKE SA

Aggressive Mode (AM)


3 messages in total
227

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

LAN-to-LAN IPsec VPN


IKEv1 (cont.)
Phase 2
2 goals:
Establish IPsec SAs
Generate keys that will protect the SAs (data)

Quick Mode (QM)


3 messages in total
First two messages negotiate policy
Last message is acknowledgment and proof of liveliness

Note

Messages do not necessarily correspond to packets. This is a common


misconception: a message might need multiple packets to be sent
Recommended RFCs

228

RFC
RFC
RFC
RFC
RFC

2408
2409
4301
3947
4306

(ISAKMP)
(IKE_v1)
(IPsec)
(NAT-Traversal in the IKE)
(IKEv2)

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

LAN-to-LAN IPsec VPN


IKEv1

Phase 1 (Main Mode)

Phase 2 (Quick Mode)

229

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

LAN-to-LAN IPsec VPN


IKEv1

Phase 1 (Aggressive Mode)

Phase 2 (Quick Mode)

230

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

LAN-to-LAN IPsec VPN


NAT Traversal (NAT-T)
The main reason of NAT-T is to allow the usage of ESP when PAT is configured
between the 2 VPN peers.
How it works
In case of ISAKMP Main Mode (MM), in messages 1 and 2 the 2 VPN peers use
VID to advertise NAT-T support capability.
In messages 3 & 4 the 2 VPN peers send 2 VIDs with NAT-T detection
The NAT-D payload detects not only the presence of NAT between the two IKE
peers, but also where the NAT is
If there is NAT, only messages 1-4 in MM or messages 1-2 in Aggressive mode
will use UDP 500. The remaining messages, including the data, will use port
UDP 4500 (a new UDP header is added)
Configuration and verification
On ASA, by default, NAT-T is enabled. You can verify this:
ASA# sh run all crypto | in nat
crypto isakmp nat-traversal 2
To disable in a crypto-map entry, use the following command:
ASA(config)# crypto map CRYPTOMAP 10 set nat-t-disable
For more details check RFC 3947
231

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

LAN-to-LAN IPsec VPN


For your reference - IKEv1 main formulas
After MM message 4:
To authenticate either exchange the initiator of the protocol generates
HASH_I and the responder generates HASH_R where:
HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b )
HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )

After QM message 2:
Initiator generates IPsec keying material
IPsec session key for incoming IPsec SA = PRF (SKEYID_d, protocol
(ISAKMP), new DH shared secret, SPIr, Ni', Nr')
IPsec session key for outgoing IPsec SA = PRF (SKEYID_d, protocol
(ISAKMP), new DH shared secret, SPIi, Ni', Nr')

Responder generates IPsec keying material


IPsec session key for incoming IPsec SA = PRF (SKEYID_d, protocol
(ISAKMP), new DH shared secret, SPIi, Ni', Nr')
IPsec session key for outgoing IPsec SA = PRF (SKEYID_d, protocol
(ISAKMP), new DH shared secret, SPIr, Ni', Nr')

232

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

LAN-to-LAN IPsec VPN


For your reference - IKEv1 main formulas
Nx is the nonce payload; x can be: i or r for the ISAKMP initiator and
responder respectively
SKEYID is a string derived from secret material known only to the
active players in the exchange.
SKEYID = prf(pre-shared-key, Ni_b | Nr_b)

SKEYID_d is the keying material used to derive keys for non-ISAKMP


security associations.
SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)

SKEYID_a is the keying material used by the ISAKMP SA to


authenticate its messages.
SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)

SKEYID_e is the keying material used by the ISAKMP SA to protect


the confidentiality of its messages.
SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)

g^xy is the Diffie-Hellman shared secret


233

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

VPN Overview
Questions
What are the 2 modes in IKE phase 1? How do they
differ?
What is NONCE and what is its role?
When I use preshared keys for authentication how the 2
peers authenticate each other?
Where is typically used the Aggressive mode?
When we say an ISAKMP message is authenticated
what does that mean?
Which ISAKMP messages are authenticated?
How the ISAKMP messages are authenticated?
Which ISAKMP messages are encrypted?
How the ISAKMP messages are encrypted?

234

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

VPN Overview
Questions
What is the purpose of NAT-T and how it works?
What is the difference between the Hash in messages 56 in MM and the 3 Hashes in QM?
How IPsec encrypts the user data?

235

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN
ASA VPN Overview
ASA supports:
Site-to-site VPNs (L2L)
IKEv1
IKEv2 - 8.4(1) and later

Remote access VPN (IPsec-based) = EZVPN


Remote access VPN (SSL-based) = Webvpn or Anyconnect
*Anyconnect can also support IKEv2-based remote access VPN

Remote access VPN (L2TP over IPsec)

ASA doesnt support:

236

DMVPNs
GET VPNs
VTIs (forthcoming feature)
GRE tunnels
Remote access VPN with Multiple Contexts (forthcoming feature)
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN
ASA VPN L2L IKEv1 Configuration

ASA1 (pre-8.4)

ASA2 (post-8.4)

In ASA post-8.4 the isakmp keyword was replaced by the ikev1 and ikev2 keywords
237

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN
ASA VPN Configuration key points
Regarding the ISAKMP policy, all the values must match. The only
exception is the lifetime where in case of difference the lowest value
will be chosen
Note
Different lifetimes are supported only between Cisco devices. If
you have a VPN between ASA and another vendor make sure that
the P1 and P2 timers match
If I use pre-shared keys for authentication, the tunnel-group name
must be the IP of the remote peer
The crypto ACLs of the VPN peers must be mirror of each other. The
only exception is overlapping subnets. In this case, only the peer with
the stricter ACL can initiate the VPN (see next slide)
PFS is optional and can add a bit more security
In the static crypto map must be specified 3 things:
set peer = Who
match address = What
set transform-set = How
238

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN
Be aware of overlapping ACLs!

In this case only the spokes will be able to initiate the VPN tunnel
239

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN
ASA VPN features
Lifetimes and Timeouts
ISAKMP SA lifetime

When Phase 1 lifetime reaches a percentage of the threshold (seconds) the


2 peers run again Phase 1 negotiation
crypto isakmp policy 10
lifetime 86400

IPsec SA lifetime

When Phase 2 lifetime reaches a percentage of the threshold (seconds or


KBytes) the 2 peers run again Phase 2 negotiation.
crypto map MAP 5 set security-association lifetime seconds 28800
Default lifetimes:
For phase 1 = 86400 sec (24 hours)
For phase 2 = 28800 sec (8 hours)

Active VPN Session Timeout

By default, if there is data traffic, both ISAKMP Sas and Ipsec Sas stay UP.
This is because the default VPN Session Timeout is none
ASA(config)# group-policy DfltGrpPolicy attributes
ASA(config-group-policy)# vpn-session-timeout none

240

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN
ASA VPN features
VPN Idle Timeout

If there is no VPN traffic both inbound and outbound expired SPIs are deleted. The
other SPIs remain UP. If the SPIs were the last ones, ISAKMP SA also is deleted
In order to set the VPN Idle-Timeout for all tunnels to 120 minutes:
ASA(config)# group-policy DfltGrpPolicy attributes
ASA(config-group-policy)# vpn-idle-timeout 120
In order to verify the VPN uptime and idle-timeout use the command:
ASA# show vpn-sessiondb detail l2l

241

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN
ASA VPN features
DPD Keepalives (RFC 3706)
The isakmp keepalive feature is enabled by default:
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2

Keepalives are negotiated in P1 via VID (messages 5,6). If


both peers have ISAKPM keepalives disabled, then both peers
dont use keepalives
Note the following:
If DPD is locally disabled and the ASA initiates the VPN tunnel (Initiator),
DPDs are used
If DPD is locally disabled and the ASA is the responder, DPDs are not used

DPD messages are semi-periodic: if there is no VPN data then


it sends DPDs every interval. If there is VPN data, no DPDs are
sent

242

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN
ASA Filtering VPN traffic
By default, ASA will allow encrypted traffic arriving on the VPN
interface even if you have ACL with deny ip any any. This is
due to command sysopt connection permit-vpn

There are 2 main ways to filter VPN traffic:


Way 1 - ACLs
Disable the sysopt connection permit-vpn and configure an
ACL that filters the VPN traffic:
ASA1(config)# no sysopt connection permit-vpn
ASA1(config)# access-list NET2_IN permit tcp host 3.3.3.3 host 1.1.1.1
ASA1(config)# access-group NET2_IN in interface NET2
243
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN
ASA Filtering VPN traffic

Way 2 VPN Filters


VPN filter is an ACL applied to the VPN traffic. The source of
the ACL should always be the remote destination
ASA1(config)# access-list VPN_FILTER_ACL extended permit tcp host
3.3.3.3 eq www host 1.1.1.1
ASA1(config)# group-policy GROUP_POLICY1 internal
ASA1(config)# group-policy GROUP_POLICY1 attributes
ASA1(config-group-policy)# vpn-filter value VPN_FILTER_ACL
ASA1(config)# tunnel-group 10.0.23.12 general-attributes
ASA1(config-tunnel-general)# default-group-policy GROUP_POLICY1

Note Pay special attention to ICMP VPN-Filters since the logic is not
very straight forward! Test in a lab before implementing
244

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN
ASA Filtering VPN traffic

ICMP and VPN Filter ACL logic


VPN Filter on ASA1:
Goal: I want to permit R1 (1.1.1.1) to ping R3 (3.3.3.3)
access-list VPN_FILTER_ACL extended permit icmp host 3.3.3.3 host 1.1.1.1 echo
access-list VPN_FILTER_ACL extended permit icmp host 3.3.3.3 host 1.1.1.1 echo-reply

Note 1
If I only put the following line:
access-list VPN_FILTER_ACL extended permit icmp host 3.3.3.3 host 1.1.1.1 echo
The ICMP packets will reach R3, but the ICMP echo-replies will be dropped on ASA1

Note 2
For TCP, the VPN Filter doesnt allow the traffic to be transmitted over the tunnel
245

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Basic commands
Show commands
In order to verify your configuration
ASA#
ASA#
ASA#
ASA#

246

show
show
show
show

run
run
run
run

crypto {isakmp|ipsec|map}
{all} tunnel-group
{all} group-policy
access-list

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Basic commands
Show commands
In order to verify that Phase 1 is UP:
ASA# show crypto isakmp sa {detail}

247

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Basic commands
Show commands
In order to verify that Phase 2 is UP:
ASA# show crypto ipsec sa

248

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Basic commands
Show commands
In order to see information about VPN sessions
ASA# show vpn-sessiondb {detail l2l|summary}

249

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Basic commands
Finding info about your VPN connection
ASA# sh run crypto | i 10.0.15.236
crypto map public_map 450 set peer 10.0.15.236
ASA#!
ASA# sh run crypto map | i 450
crypto map public_map 450 match address cust_tun_acl
crypto map public_map 450 set pfs
crypto map public_map 450 set peer 10.0.15.236
crypto map public_map 450 set transform-set ESP-3DES-SHA
crypto map public_map 450 set security-association lifetime seconds 28800
crypto map public_map 450 set security-association lifetime kilobytes 28800
ASA#!
ASA# show run access-list cust_tun_acl
access-list cust_tun_acl permit ip 19.118.230.0 255.255.255.0 object-group
cust_rem_servers
access-list cust_tun_acl permit ip 12.39.141.4 255.255.255.254 object-group
cust_rem_servers
250

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Basic commands
Clear commands
In order to clear Phase 1 and Phase 2 of a specific remote peer
ASA# clear crypto ipsec sa peer IP_OF_REMOTE_PEER
Note
The command will send a DELETE message to remote peer so it will delete P1
and P2 in both VPN peers.
Jan 18 15:23:15 [IKEv1]IP = 10.0.12.10, IKE_DECODE RECEIVED Message (msgid=c1a89cae) with
payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jan 18 15:23:15 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing hash payload
Jan 18 15:23:15 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing delete
Jan 18 15:23:15 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Connection terminated for peer
10.0.12.10. Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Jan 18 15:23:15 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, Active unit receives a delete
event for remote peer 10.0.12.10.

In post-8.4 ASA I can use:


ASA# clear crypto ikev1 sa IP_OF_REMOTE_PEER

251

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Basic commands
Debug commands
In order to see information about tunnel negotiation (Phase 1
and 2)
ASA# debug crypto isakmp [debug level 1-255]

Note that the default debug level is 1. Level 127 will provide
enough information for troubleshooting
Use condition per peer:
ASA# debug crypto condition peer 10.0.23.12

To verify the condition:


ASA# show debug crypto

To clear the condition:


ASA# debug crypto condition reset

252

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Basic commands
Capture ISAKMP

You can use a special type of capturing to see the VPN


negotiation. In order to do this follow the next steps:
Prepare an ACL that will be used as a filter for the capturing:
ASA1(config)# access-list CAP_ACL permit ip host 10.0.12.10 host 10.0.22.11
ASA1(config)# access-list CAP_ACL permit ip host 10.0.22.11 host 10.0.12.10

Apply the capture:


ASA1#capture CAP type isakmp access-list CAP_ACL interface NET2

In order to see the capture:


ASA1# show capture CAP decode
253

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is initiator and sends Main Mode (MM) message 1
proposals for IKE
Nov 30 00:16:59 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 30 00:16:59 [IKEv1]: IP = 10.0.22.11, IKE Initiator: New Phase 1, Intf NET1, IKE Peer 10.0.22.11
local Proxy Address 10.0.11.0, remote Proxy Address 10.0.23.0, Crypto map (mymap)
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing ISAKMP SA payload
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing NAT-Traversal VID ver 02 payload
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing NAT-Traversal VID ver 03 payload
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing Fragmentation VID + extended capabilities
payload
Nov 30 00:16:59 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152

Relevant configuration
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2

254

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is initiator and receives Main Mode (MM) message 2
Proposal acceptance or rejection
Nov 30 00:16:59 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads :
HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, processing SA payload
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, Oakley proposal is acceptable
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, processing VID payload
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, Received NAT-Traversal ver 02 VID
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, processing VID payload
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, Received Fragmentation VID

In case of mismatch in the SA proposals I see:


Nov 30 00:53:04 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads :
HDR + NOTIFY (11) + NONE (0) total length : 100
Nov 30 00:53:04 [IKEv1]: IP = 10.0.22.11, Received an un-encrypted NO_PROPOSAL_CHOSEN notify
message, dropping

255

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is initiator and sends Main Mode (MM) message 3
NAT-T discovery + Diffie-Hellman exchange of KE and NONCE
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing ke payload
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing nonce payload
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing Cisco Unity VID payload
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing xauth V6 VID payload
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, Send IOS VID
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, Constructing ASA spoofing IOS Vendor ID payload
(version: 1.0.0, capabilities: 20000001)
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing VID payload
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing NAT-Discovery payload
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, computing NAT Discovery hash
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing NAT-Discovery payload
Nov 30 00:16:59 [IKEv1 DEBUG]: IP = 10.0.22.11, computing NAT Discovery hash
Nov 30 00:16:59 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D
(130) + NAT-D (130) + NONE (0) total length : 304

256

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is initiator and receives Main Mode (MM) message 4
NAT-T detection from peer
Diffie-Hellman exchange material continuation
Nov 30 00:17:00 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads :
HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D
(130) + NAT-D (130) + NONE (0) total length : 304
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, processing ke payload
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, processing ISA_KE payload
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, processing nonce payload
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, processing VID payload
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, Received Cisco Unity client VID
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, processing VID payload
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, Received xauth V6 VID
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, processing VID payload
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, Processing VPN3000/ASA spoofing IOS Vendor ID
payload (version: 1.0.0, capabilities: 20000001)
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, processing VID payload
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, processing NAT-Discovery payload
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, computing NAT Discovery hash
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, processing NAT-Discovery payload
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, computing NAT Discovery hash
Nov 30 00:17:00 [IKEv1]: IP = 10.0.22.11, Connection landed on tunnel_group 10.0.22.11
257

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is initiator and sends Main Mode (MM) message 5
Initiator sends his identity
Initiator sends its key for authentication (HASH)
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Generating keys for Initiator...
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing ID payload
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing hash payload
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Computing hash for ISAKMP
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, Constructing IOS keep alive payload:
proposal=32767/32767 sec.
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing dpd vid payload
Nov 30 00:17:00 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Nov 30 00:17:00 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT device

Relevant configuration
crypto isakmp identity auto

auto = Determines ISAKMP negotiation by connection type; IP address for


preshared key or cert DN for certificate authentication. In case of preshared
keys, the identity is always the IP even if you put hostname
258

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is initiator and receives Main Mode (MM) message 6
Identity sent by remote VPN peer
Hash sent by remote VPN peer
Tunnel-group selection
Nov 30 00:17:00 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR +
ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, processing ID payload
Nov 30 00:17:00 [IKEv1 DECODE]: Group =10.0.22.11, IP =10.0.22.11, ID_IPV4_ADDR ID received 10.0.22.11
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, processing hash payload
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Computing hash for ISAKMP
Nov 30 00:17:00 [IKEv1 DEBUG]: IP = 10.0.22.11, Processing IOS keep alive payload: proposal=32767/32767 sec.
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, processing VID payload
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Received DPD VID
Nov 30 00:17:00 [IKEv1]: IP = 10.0.22.11, Connection landed on tunnel_group 10.0.22.11
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Oakley begin quick mode
Nov 30 00:17:00 [IKEv1 DECODE]: Group = 10.0.22.11, IP = 10.0.22.11, IKE Initiator starting QM: msg id=dfed5ff1
Nov 30 00:17:00 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, PHASE 1 COMPLETED
Nov 30 00:17:00 [IKEv1]: IP = 10.0.22.11, Keep-alive type for this connection: DPD
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Starting P1 rekey timer: 73440 seconds.

Relevant configuration
tunnel-group 10.0.22.11 type ipsec-l2l
tunnel-group 10.0.22.11 ipsec-attributes
pre-shared-key cisco
259

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is initiator and sends Quick Mode (QM) message 1
Initiator sends: Tranform-set, Proxy IDs, NONCE
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, IKE got SPI from key engine: SPI =
0x9f398469
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, oakley constucting quick mode
Nov 30 00:17:00 [IKEv1 DEBUG]: Group=10.0.22.11, IP=10.0.22.11, constructing blank hash payload
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing IPSec SA payload
Nov 30 00:17:00 [IKEv1 DEBUG]:Group=10.0.22.11, IP=10.0.22.11, constructing IPSec nonce payload
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing proxy ID
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Transmitting Proxy Id:
Local subnet: 10.0.11.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.0.23.0 Mask 255.255.255.0 Protocol 0 Port 0
Nov 30 00:17:00 [IKEv1 DECODE]: Group=10.0.22.11, IP=10.0.22.11, IKE Initiator sending Initial Contact
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
Nov 30 00:17:00 [IKEv1 DECODE]: Group = 10.0.22.11, IP = 10.0.22.11, IKE Initiator sending 1st QM pkt: msg id =
dfed5ff1
Nov 30 00:17:00 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=dfed5ff1) with payloads :
HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200

Relevant configuration
crypto ipsec transform-set ESP_AES_SHA esp-aes esp-sha-hmac

access-list CRYPTO_ACL extended permit ip 10.0.11.0 255.255.255.0 10.0.23.0 255.255.255.0


crypto map mymap 10 match address CRYPTO_ACL
crypto map mymap 10 set transform-set ESP_AES_SHA
260

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is initiator and receives Quick Mode (QM) message 2
Remote peers sends its parameters (NONCE, Proxy IDs, proposal chosen)
Nov 30 00:17:00 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RECEIVED Message (msgid=dfed5ff1) with
payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, processing hash payload
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, processing SA payload
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, processing nonce payload
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, processing ID payload
Nov 30 00:17:00 [IKEv1 DECODE]: Group = 10.0.22.11, IP = 10.0.22.11, ID_IPV4_ADDR_SUBNET ID
received--10.0.11.0--255.255.255.0
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, processing ID payload
Nov 30 00:17:00 [IKEv1 DECODE]: Group = 10.0.22.11, IP = 10.0.22.11, ID_IPV4_ADDR_SUBNET ID
received--10.0.23.0--255.255.255.0

In case of mismatch in the Proxy IDs (ACLs) I see:


Nov 30 02:48:48 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, Received non-routine Notify message:
Invalid ID info (18)
Nov 30 02:48:48 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RECEIVED Message (msgid=2ff69b7) with
payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Nov 30 02:48:48 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, Connection terminated for peer
10.0.22.11. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A

261

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is initiator and sends Quick Mode (QM) message 3
Initiator sends a Hash (message authentication)
2 Keys for data encryption/decryption are generated
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, loading all IPSEC SAs
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Generating Quick Mode Key!
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Generating Quick Mode Key!
Nov 30 00:17:00 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, Security negotiation complete for LAN-toLAN Group (10.0.22.11) Initiator, Inbound SPI = 0x9f398469, Outbound SPI = 0x5754d135
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, oakley constructing final quick
mode
Nov 30 00:17:00 [IKEv1 DECODE]: Group = 10.0.22.11, IP = 10.0.22.11, IKE Initiator sending 3rd QM
pkt: msg id = dfed5ff1
Nov 30 00:17:00 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=dfed5ff1) with
payloads : HDR + HASH (8) + NONE (0) total length : 76
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, IKE got a KEY_ADD msg for SA:
SPI = 0x5754d135
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Pitcher: received KEY_UPDATE,
spi 0x9f398469
Nov 30 00:17:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Starting P2 rekey timer: 24480
seconds.
Nov 30 00:17:00 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, PHASE 2 COMPLETED (msgid=dfed5ff1)

262

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is responder and receives Main Mode (MM) message 1

(Initial contact)

Phase 1 proposals
Vendor IDs (VID)
ASA2# Jan 14 13:32:05 [IKEv1]IP = 10.0.12.10, IKE_DECODE RECEIVED Message (msgid=0) with
payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing SA payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, Oakley proposal is acceptable
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing VID payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, Received NAT-Traversal ver 02 VID
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing VID payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, Received NAT-Traversal ver 03 VID
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing VID payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, Received Fragmentation VID
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing IKE SA payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, IKE SA Proposal # 1, Transform # 1 acceptable
Matches global IKE entry # 1

Relevant configuration
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
263

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is responder and sends Main Mode (MM) message 2 (reply to initial
contact)
Our capabilities
SA acceptance or rejection
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, constructing ISAKMP SA payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, constructing NAT-Traversal VID ver 02 payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, constructing Fragmentation VID + extended capabilities
payload
Jan 14 13:32:05 [IKEv1]IP = 10.0.12.10, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

In case of mismatch in the SA proposals I see:


Jan 14 13:43:21 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd:
Group 2 Cfg'd: Group 5
Jan 14 13:43:21 [IKEv1]IP = 10.0.12.10, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + NOTIFY (11) + NONE (0) total length : 100
Jan 14 13:43:21 [IKEv1 DEBUG]IP = 10.0.12.10, All SA proposals found unacceptable
Jan 14 13:43:21 [IKEv1]IP = 10.0.12.10, Error processing payload: Payload ID: 1
Jan 14 13:43:21 [IKEv1 DEBUG]IP = 10.0.12.10, IKE MM Responder FSM error history (struct
&0xbc4240f0) <state>, <event>: MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START,
EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM->MM_START, EV_START_MM-->MM_START, EV_START_MM
264

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is responder and receives Main Mode (MM) message 3
NAT-T Discovery Hashes of remote peer
Diffie-Hellman KE, NONCE of remote peer
Jan 14 13:32:05 [IKEv1]IP = 10.0.12.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads :
HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D
(130) + NAT-D (130) + NONE (0) total length : 304
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing ke payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing ISA_KE payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing nonce payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing VID payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, Received Cisco Unity client VID
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing VID payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, Received xauth V6 VID
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing VID payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, Processing VPN3000/ASA spoofing IOS Vendor ID payload
(version: 1.0.0, capabilities: 20000001)
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing VID payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing NAT-Discovery payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, computing NAT Discovery hash
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing NAT-Discovery payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, computing NAT Discovery hash

265

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is responder and sends Main Mode (MM) message 4
NAT-T Discovery Hashes of local peer
Diffie-Hellman KE, NONCE of local peer
Jan 14 13:32:06 [IKEv1 DEBUG]IP = 10.0.12.10, constructing ke payload
Jan 14 13:32:06 [IKEv1 DEBUG]IP = 10.0.12.10, constructing nonce payload
Jan 14 13:32:06 [IKEv1 DEBUG]IP = 10.0.12.10, constructing Cisco Unity VID payload
Jan 14 13:32:06 [IKEv1 DEBUG]IP = 10.0.12.10, constructing xauth V6 VID payload
Jan 14 13:32:06 [IKEv1 DEBUG]IP = 10.0.12.10, Send IOS VID
Jan 14 13:32:06 [IKEv1 DEBUG]IP = 10.0.12.10, Constructing ASA spoofing IOS Vendor ID payload
(version: 1.0.0, capabilities: 20000001)
Jan 14 13:32:06 [IKEv1 DEBUG]IP = 10.0.12.10, constructing VID payload
Jan 14 13:32:06 [IKEv1 DEBUG]IP = 10.0.12.10, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 14 13:32:06 [IKEv1 DEBUG]IP = 10.0.12.10, constructing NAT-Discovery payload
Jan 14 13:32:06 [IKEv1 DEBUG]IP = 10.0.12.10, computing NAT Discovery hash
Jan 14 13:32:06 [IKEv1 DEBUG]IP = 10.0.12.10, constructing NAT-Discovery payload
Jan 14 13:32:06 [IKEv1 DEBUG]IP = 10.0.12.10, computing NAT Discovery hash
Jan 14 13:32:06 [IKEv1]IP = 10.0.12.10, Connection landed on tunnel_group 10.0.12.10
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, Generating keys for Responder...
Jan 14 13:32:06 [IKEv1]IP = 10.0.12.10, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D
(130) + NAT-D (130) + NONE (0) total length : 304

266

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is responder and receives Main Mode (MM) message 5
ID of remote peer
Authentication Hash of remote peer
Tunnel-group choice
Jan 14 13:32:06 [IKEv1]IP = 10.0.12.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads :
HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing ID payload
Jan 14 13:32:06 [IKEv1 DECODE]Group = 10.0.12.10, IP = 10.0.12.10, ID_IPV4_ADDR ID received
10.0.12.10
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing hash payload
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, Computing hash for ISAKMP
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing VID payload
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, Received DPD VID
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT device
Jan 14 13:32:06 [IKEv1]IP = 10.0.12.10, Connection landed on tunnel_group 10.0.12.10

Relevant configuration
tunnel-group 10.0.12.10 type ipsec-l2l
tunnel-group 10.0.12.10 ipsec-attributes
ikev1 pre-shared-key cisco
267

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is responder and sends Main Mode (MM) message 6
ID of local peer
Authentication Hash of local peer
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, constructing ID payload
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, constructing hash payload
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, Computing hash for ISAKMP
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, constructing dpd vid payload
Jan 14 13:32:06 [IKEv1]IP = 10.0.12.10, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, PHASE 1 COMPLETED
Jan 14 13:32:06 [IKEv1]IP = 10.0.12.10, Keep-alive type for this connection: DPD
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, Starting P1 rekey timer: 82080
seconds.

Relevant configuration
crypto isakmp identity auto

268

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is responder and receives Quick Mode (QM) message 1
Transform-sets, NONCE and Proxy IDs and of the remote peer

Jan 14 13:32:06 [IKEv1 DECODE]IP = 10.0.12.10, IKE Responder starting QM: msg id = 35e9bd82
Jan 14 13:32:06 [IKEv1]IP = 10.0.12.10, IKE_DECODE RECEIVED Message (msgid=35e9bd82) with payloads : HDR + HASH (8) + SA (1)
+ NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing hash payload
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing SA payload
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing nonce payload
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing ID payload
Jan 14 13:32:06 [IKEv1 DECODE]Group = 10.0.12.10, IP =10.0.12.10, ID_IPV4_ADDR_SUBNET ID received--10.0.11.0--255.255.255.0
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Received remote IP Proxy Subnet data in ID Payload: Address 10.0.11.0,
Mask 255.255.255.0, Protocol 0, Port 0
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing ID payload
Jan 14 13:32:06 [IKEv1 DECODE]Group = 10.0.12.10, IP =10.0.12.10, ID_IPV4_ADDR_SUBNET ID received--10.0.23.0--255.255.255.0
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Received local IP Proxy Subnet data in ID Payload: Address 10.0.23.0, Mask
255.255.255.0, Protocol 0, Port 0
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing notify payload
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, QM IsRekeyed old sa not found by addr
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Static Crypto Map check, checking map = mymap, seq = 10...
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Static Crypto Map check, map mymap, seq = 10 is a successful match
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, IKE Remote Peer configured for crypto map: mymap
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing IPSec SA payload
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, IPSec SA Proposal # 1, Transform # 1 acceptable Matches
global IPSec SA entry # 10

Relevant configuration

crypto ipsec transform-set ESP_AES_SHA esp-aes esp-sha-hmac


access-list CRYPTO_ACL extended permit ip 10.0.23.0 255.255.255.0 10.0.11.0 255.255.255.0
crypto map mymap 10 match address CRYPTO_ACL
crypto map mymap 10 set transform-set ESP_AES_SHA
269

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is responder and sends Quick Mode (QM) message 2
Transform-sets, NONCE and Proxy IDs and of the local peer
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, IKE: requesting SPI!
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, IKE got SPI from key engine: SPI =
0x44faa662
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, oakley constucting quick mode
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, constructing blank hash payload
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, constructing IPSec SA payload
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, constructing IPSec nonce
payload
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, constructing proxy ID
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, Transmitting Proxy Id:
Remote subnet: 10.0.11.0 Mask 255.255.255.0 Protocol 0 Port 0
Local subnet: 10.0.23.0 mask 255.255.255.0 Protocol 0 Port 0
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, constructing qm hash payload
Jan 14 13:32:06 [IKEv1 DECODE]Group = 10.0.12.10, IP = 10.0.12.10, IKE Responder sending 2nd QM
pkt: msg id = 35e9bd82
Jan 14 13:32:06 [IKEv1]IP = 10.0.12.10, IKE_DECODE SENDING Message (msgid=35e9bd82) with
payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172

Note
The outbound SPI matches the inbound SPI of the remote peer and vice versa
270

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is responder and receives Quick Mode (QM) message 3
Hash
Jan 14 13:32:06 [IKEv1]IP = 10.0.12.10, IKE_DECODE RECEIVED Message (msgid=35e9bd82) with
payloads : HDR + HASH (8) + NONE (0) total length : 52
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing hash payload
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, loading all IPSEC SAs
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, Generating Quick Mode Key!
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, NP encrypt rule look up for crypto
map mymap 10 matching ACL CRYPTO_ACL: returned cs_id=bbd6d2b0; rule=bc3980e8
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, Generating Quick Mode Key!
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, NP encrypt rule look up for crypto
map mymap 10 matching ACL CRYPTO_ACL: returned cs_id=bbd6d2b0; rule=bc3980e8
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Security negotiation complete for LAN-toLAN Group (10.0.12.10) Responder, Inbound SPI = 0x44faa662, Outbound SPI = 0x33f09e9c
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, IKE got a KEY_ADD msg for SA: SPI
= 0x33f09e9c
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, Pitcher: received KEY_UPDATE, spi
0x44faa662
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, Starting P2 rekey timer: 27360
seconds.
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, PHASE 2 COMPLETED (msgid=35e9bd82)

271

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message analysis
Debug used: debug crypto isakmp 127
ASA is sending and receiving DPD messages (Keepalives)
Nov 30 00:53:55 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
Nov 30 00:53:55 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
Nov 30 00:53:55 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=5dff9c98) with
payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Nov 30 00:53:55 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RECEIVED Message (msgid=d71e98e9) with
payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Nov 30 00:53:55 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, processing hash payload
Nov 30 00:53:55 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, processing notify payload
Nov 30 00:53:55 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Received keep-alive of type
DPD R-U-THERE-ACK (seq number 0x25bd57e5)
Nov 30 00:54:05 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Sending keep-alive of type
DPD R-U-THERE (seq number 0x25bd57e6)
Nov 30 00:54:05 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
Nov 30 00:54:05 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
Nov 30 00:54:05 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=c28ed310) with
payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Nov 30 00:54:05 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RECEIVED Message (msgid=46e6cc2d) with
payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Nov 30 00:54:05 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, processing hash payload
Nov 30 00:54:05 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, processing notify payload
Nov 30 00:54:05 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Received keep-alive of type
DPD R-U-THERE-ACK (seq number 0x25bd57e6)
272

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


ASA VPN message summary
Main Mode (MM)

Key information exchanged

Message 1

SA

Message 2

SA

Message 3

KE, NONCE (NAT-D, NAT-D)

Message 4

KE, NONCE (NAT-D, NAT-D)

Message 5

ID, HASH

Message 6

ID, HASH

Quick Mode (QM) Key information exchanged


Message 1

HASH, SA, NONCE, ID, ID

Message 2

HASH, SA, NONCE, ID, ID

Message 3

HASH

DPD Keepalive

HASH, NOTIFY

273

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Questions
From which message(s) belongs the following output?
Nov 30 02:48:48 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing hash payload
Nov 30 02:48:48 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Computing hash for ISAKMP
Nov 30 02:48:48 [IKEv1 DEBUG]: IP = 10.0.22.11, Constructing IOS keep alive payload:
proposal=32767/32767 sec.
Nov 30 02:48:48 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing dpd vid payload
Nov 30 02:48:48 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Nov 30 02:48:48 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT device
Nov 30 02:48:48 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads :
HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Nov 30 02:48:48 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, processing ID payload
Nov 30 02:48:48 [IKEv1 DECODE]: Group = 10.0.22.11, IP = 10.0.22.11, ID_IPV4_ADDR ID received
10.0.22.11
Nov 30 02:48:48 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, processing hash payload
Nov 30 02:48:48 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Computing hash for ISAKMP

274

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Questions
From which message(s) belongs the following output?
Nov 30 02:48:48 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing ke payload
Nov 30 02:48:48 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing nonce payload
Nov 30 02:48:48 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing Cisco Unity VID payload
Nov 30 02:48:48 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing xauth V6 VID payload
Nov 30 02:48:48 [IKEv1 DEBUG]: IP = 10.0.22.11, Send IOS VID
Nov 30 02:48:48 [IKEv1 DEBUG]: IP = 10.0.22.11, Constructing ASA spoofing IOS Vendor ID payload
(version: 1.0.0, capabilities: 20000001)
Nov 30 02:48:48 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing VID payload
Nov 30 02:48:48 [IKEv1 DEBUG]: IP = 10.0.22.11, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 30 02:48:48 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing NAT-Discovery payload
Nov 30 02:48:48 [IKEv1 DEBUG]: IP = 10.0.22.11, computing NAT Discovery hash
Nov 30 02:48:48 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing NAT-Discovery payload
Nov 30 02:48:48 [IKEv1 DEBUG]: IP = 10.0.22.11, computing NAT Discovery hash
Nov 30 02:48:48 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D
(130) + NAT-D (130) + NONE (0) total length : 304
Nov 30 02:48:48 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads :
HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D
(130) + NAT-D (130) + NONE (0) total length : 304

275

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Questions
From which message(s) belongs the following output?
Nov 30 04:24:25 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing NAT-Traversal VID ver 02 payload
Nov 30 04:24:25 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing NAT-Traversal VID ver 03 payload
Nov 30 04:24:25 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing Fragmentation VID + extended capabilities
payload
Nov 30 04:24:25 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Nov 30 04:24:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 30 04:24:27 [IKEv1]: IP = 10.0.22.11, Queuing KEY-ACQUIRE messages to be processed when P1 SA
is complete.
Nov 30 04:24:33 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RESENDING Message (msgid=0) with payloads :
HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Nov 30 04:24:42 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RESENDING Message (msgid=0) with payloads :
HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Nov 30 04:24:50 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RESENDING Message (msgid=0) with payloads :
HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Nov 30 04:24:59 [IKEv1 DEBUG]: IP = 10.0.22.11, IKE MM Initiator FSM error history (struct
&0xd8a954b8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2,
EV_RETRY

276

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Questions
From which message(s) belongs the following output?
Nov 30 04:34:27 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Computing hash for ISAKMP
Nov 30 04:34:27 [IKEv1 DEBUG]: IP = 10.0.22.11, Constructing IOS keep alive payload:
proposal=32767/32767 sec.
Nov 30 04:34:27 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing dpd vid payload
Nov 30 04:34:27 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Nov 30 04:34:27 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT device
Nov 30 04:34:27 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads :
HDR + NOTIFY (11) + NONE (0) total length : 120
Nov 30 04:34:27 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads :
HDR + NOTIFY (11) + NONE (0) total length : 120
Nov 30 04:34:27 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, Received an un-encrypted
PAYLOAD_MALFORMED notify message, dropping
Nov 30 04:34:27 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, Error, peer has indicated that something
is wrong with our message. This could indicate a pre-shared key mismatch.
Nov 30 04:34:27 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, Information Exchange processing failed

277

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Questions
From which message(s) belongs the following output?
Jan 14 15:05:58 [IKEv1]IP = 10.0.12.10, Connection landed on tunnel_group 10.0.12.10
Jan 14 15:05:58 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, Generating keys for Responder...
Jan 14 15:05:58 [IKEv1]IP = 10.0.12.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR
+ KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D
(130) + NAT-D (130) + NONE (0) total length : 304
Jan 14 15:05:58 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Received encrypted Oakley Main Mode
packet with invalid payloads, MessID = 0
Jan 14 15:05:58 [IKEv1]IP = 10.0.12.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR
+ NOTIFY (11) + NONE (0) total length : 120
Jan 14 15:05:58 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, ERROR, had problems decrypting packet,
probably due to mismatched pre-shared key. Aborting
ASA2# Jan 14 15:06:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Duplicate Phase 1 packet detected.
Retransmitting last packet.
Jan 14 15:06:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, P1 Retransmit msg dispatched to MM FSM
Jan 14 15:06:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Duplicate Phase 1 packet detected.
Retransmitting last packet.
Jan 14 15:06:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, P1 Retransmit msg dispatched to MM FSM
Jan 14 15:06:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Duplicate Phase 1 packet detected.
Retransmitting last packet.
Jan 14 15:06:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, P1 Retransmit msg dispatched to MM FSM

278

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Questions
From which message(s) belongs the following output?
Nov 30 00:42:34 [IKEv1 DEBUG]: IP = 10.0.22.11, Processing VPN3000/ASA spoofing IOS Vendor ID
payload (version: 1.0.0, capabilities: 20000001)
Nov 30 00:42:34 [IKEv1 DEBUG]: IP = 10.0.22.11, processing VID payload
Nov 30 00:42:34 [IKEv1 DEBUG]: IP = 10.0.22.11, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 30 00:42:34 [IKEv1 DEBUG]: IP = 10.0.22.11, processing NAT-Discovery payload
Nov 30 00:42:34 [IKEv1 DEBUG]: IP = 10.0.22.11, computing NAT Discovery hash
Nov 30 00:42:34 [IKEv1 DEBUG]: IP = 10.0.22.11, processing NAT-Discovery payload
Nov 30 00:42:34 [IKEv1 DEBUG]: IP = 10.0.22.11, computing NAT Discovery hash
Nov 30 00:42:34 [IKEv1]: IP = 10.0.22.11, Connection landed on tunnel_group 10.0.22.11
Nov 30 00:42:34 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Generating keys for Initiator...
Nov 30 00:42:34 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing ID payload
Nov 30 00:42:34 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing hash payload
Nov 30 00:42:34 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Computing hash for ISAKMP
Nov 30 00:42:34 [IKEv1 DEBUG]: IP = 10.0.22.11, Constructing IOS keep alive payload:
proposal=32767/32767 sec.
Nov 30 00:42:34 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing dpd vid payload
Nov 30 00:42:34 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Nov 30 00:42:34 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device

279

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Questions
From which message(s) belongs the following output?
Nov 30 00:42:34 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, oakley constructing final quick mode
Nov 30 00:42:34 [IKEv1 DECODE]: Group = 10.0.22.11, IP = 10.0.22.11, IKE Initiator sending 3rd QM pkt: msg id =
bf1f16db
Nov 30 00:42:34 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=bf1f16db) with payloads : HDR
+ HASH (8) + NONE (0) total length : 76
Nov 30 00:42:34 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, IKE got a KEY_ADD msg for SA: SPI =
0xe9d03ea9
Nov 30 00:42:34 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Pitcher: received KEY_UPDATE, spi
0x4303af68
Nov 30 00:42:34 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Starting P2 rekey timer: 24480 seconds.
Nov 30 00:42:34 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, PHASE 2 COMPLETED (msgid=bf1f16db)
Nov 30 00:42:52 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Sending keep-alive of type DPD R-U-THERE
(seq number 0x25bd57a5)
Nov 30 00:42:52 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
Nov 30 00:42:52 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
Nov 30 00:42:52 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=4d04a468) with payloads : HDR
+ HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Nov 30 00:42:52 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RECEIVED Message (msgid=8cc47755) with payloads :
HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Nov 30 00:42:52 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, processing hash payload
Nov 30 00:42:52 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, processing notify payload

280

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Questions
What could be the case in the following output?
Nov 30 00:10:25 [IKEv1 DEBUG]: IP = 10.0.56.10, processing IKE SA payload
Nov 30 00:10:25 [IKEv1 DEBUG]: IP = 10.0.56.10, IKE SA Proposal # 1, Transform # 1 acceptable Matches global
IKE entry # 3
Nov 30 00:10:25 [IKEv1 DEBUG]: IP = 10.0.56.10, constructing ISAKMP SA payload
Nov 30 00:10:25 [IKEv1 DEBUG]: IP = 10.0.56.10, constructing NAT-Traversal VID ver 02 payload
Nov 30 00:10:25 [IKEv1 DEBUG]: IP = 10.0.56.10, constructing Fragmentation VID + extended capabilities payload
Nov 30 00:10:25 [IKEv1]: IP = 10.0.56.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA
(1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Nov 30 00:10:35 [IKEv1]: IP = 10.0.56.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA
(1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Nov 30 00:10:44 [IKEv1]: IP = 10.0.56.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA
(1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Nov 30 00:10:54 [IKEv1]: IP = 10.0.56.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA
(1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Nov 30 00:11:00 [IKEv1]: IP = 10.0.56.10, Duplicate Phase 1 packet detected. Retransmitting last packet.
Nov 30 00:11:00 [IKEv1]: IP = 10.0.56.10, P1 Retransmit msg dispatched to MM FSM
Nov 30 00:11:00 [IKEv1 DEBUG]: IP = 10.0.56.10, IKE MM Responder FSM error history (struct &0xd8a221b8)
<state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3,
NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2,
EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
Nov 30 00:11:00 [IKEv1 DEBUG]: IP = 10.0.56.10, IKE SA MM:77526a83 terminating: flags 0x01000002, refcnt 0,
Nov 30 00:11:00 [IKEv1 DEBUG]: IP = 10.0.56.10, sending delete/delete with reason message
Nov 30 00:11:00 [IKEv1]: IP = 10.0.56.10, Removing peer from peer table failed, no match!
Nov 30 00:11:00 [IKEv1]: IP = 10.0.56.10, Error: Unable to remove PeerTblEntry
281

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Questions
What could be the case in the following output?
Nov
Nov
Nov
Nov

30 00:05:56
30 00:05:56
30 00:05:56
30 00:05:56
(11) + NONE
Nov 30 00:05:58
Nov 30 00:05:58
Nov 30 00:05:58
Nov 30 00:05:58
(11) + NONE
Nov 30 00:06:00
Nov 30 00:06:00
Nov 30 00:06:00
Nov 30 00:06:00
(11) + NONE
Nov 30 00:06:02
Nov 30 00:06:02
0x0020c062,
Nov 30 00:06:02
Nov 30 00:06:02
Nov 30 00:06:02
Nov 30 00:06:02
Nov 30 00:06:02
(12) + NONE
Nov 30 00:06:02
Nov 30 00:06:02

282

[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Sending keep-alive of type DPD R-U-THERE (seq number 0x75bf1ee8)
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
[IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=963b86e9) with payloads : HDR + HASH (8) + NOTIFY
(0) total length : 84
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Sending keep-alive of type DPD R-U-THERE
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
[IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=aa2f9995) with payloads : HDR + HASH (8) + NOTIFY
(0) total length : 84
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Sending keep-alive of type DPD R-U-THERE
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
[IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=28f0bd25) with payloads : HDR + HASH (8) + NOTIFY
(0) total length : 84
[IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, IKE SA MM:7574c8b1 rcv'd Terminate: state MM_ACTIVE flags
refcnt 1, tuncnt 1
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, sending delete/delete with reason message
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing IPSec delete payload
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
[IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=fec694b7) with payloads : HDR + HASH (8) + DELETE
(0) total length : 68
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Active unit receives a delete event for remote peer 10.0.22.11.
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, IKE Deleting SA: Remote Proxy 10.0.23.0, Local Proxy 10.0.11.0

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Questions
What could be the case in the following output?
Nov 30 00:53:11 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, IKE Initiator: Rekeying Phase 2, Intf NET1, IKE Peer 10.0.22.11 local Proxy
Address 10.0.11.0, remote Proxy Address 10.0.23.0, Crypto map (mymap)
Nov 30 00:53:11 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Oakley begin quick mode
Nov 30 00:53:11 [IKEv1 DECODE]: Group = 10.0.22.11, IP = 10.0.22.11, IKE Initiator starting QM: msg id = b140ee8e
Nov 30 00:53:11 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Active unit starts Phase 2 rekey with remote peer 10.0.22.11.
Nov 30 00:53:11 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, IKE got SPI from key engine: SPI = 0x4d549a32
Nov 30 00:53:11 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, oakley constucting quick mode
Nov 30 00:53:11 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
Nov 30 00:53:11 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing IPSec SA payload
Nov 30 00:53:11 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing IPSec nonce payload
Nov 30 00:53:11 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing proxy ID
Nov 30 00:53:11 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Transmitting Proxy Id:
Local subnet: 10.0.11.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.0.23.0 Mask 255.255.255.0 Protocol 0 Port 0
Nov 30 00:53:11 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
Nov 30 00:53:11 [IKEv1 DECODE]: Group = 10.0.22.11, IP = 10.0.22.11, IKE Initiator sending 1st QM pkt: msg id = b140ee8e
Nov 30 00:53:11 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=b140ee8e) with payloads : HDR + HASH (8) + SA (1) +
NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Nov 30 00:53:42 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, sending delete/delete with reason message
Nov 30 00:53:42 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
Nov 30 00:53:42 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing IPSec delete payload
Nov 30 00:53:42 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
Nov 30 00:53:42 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=67541dca) with payloads : HDR + HASH (8) + DELETE
(12) + NONE (0) total length : 68
Nov 30 00:53:42 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Active unit receives a centry expired event for remote peer
10.0.22.11.
Nov 30 00:53:42 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, IKE Deleting SA: Remote Proxy 10.0.23.0, Local Proxy 10.0.11.0
Nov 30 00:53:44 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, QM FSM error (P2 struct &0xd8a7a5b8, mess id 0xb140ee8e)!
Nov 30 00:53:44 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, IKE QM Initiator FSM error history (struct &0xd8a7a5b8) <state>,
<event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Nov 30 00:53:44 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, sending delete/delete with reason message
Nov 30 00:53:44 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
283

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Questions
What could be the case in the following output?
Nov 30 01:04:06 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Pitcher: received key delete msg,
spi 0x252ce05e
Nov 30 01:04:06 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, Connection terminated for peer
10.0.22.11. Reason: IPSec SA Idle Timeout Remote Proxy 3.3.3.0, Local Proxy 1.1.1.0
Nov 30 01:04:06 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, sending delete/delete with reason
message
Nov 30 01:04:06 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
Nov 30 01:04:06 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing IPSec delete payload
Nov 30 01:04:06 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
Nov 30 01:04:06 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=99ff76c8) with
payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Nov 30 01:04:06 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Active unit receives a delete event
for remote peer 10.0.22.11.
Nov 30 01:04:06 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, IKE Deleting SA: Remote Proxy
3.3.3.0, Local Proxy 1.1.1.0
Nov 30 01:04:06 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x252ce05e
Nov 30 01:04:06 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xd94cbshow vpn-sessiondb detail
l2l

284

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Questions
What could be the case in the following output?
Nov 30 01:01:38 [IKEv1 DEBUG]: IP = 10.0.22.11, Starting phase 1 rekey
Nov 30 01:01:38 [IKEv1]: IP = 10.0.22.11, IKE Initiator: Rekeying Phase 1, Intf NET1, IKE Peer 10.0.22.11 local Proxy
Address N/A, remote Proxy Address N/A, Crypto map (N/A)
Nov 30 01:01:38 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing ISAKMP SA payload
Nov 30 01:01:38 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing Fragmentation VID + extended capabilities payload
Nov 30 01:01:38 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) +
VENDOR (13) + NONE (0) total length : 112
Nov 30 01:01:46 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) +
VENDOR (13) + NONE (0) total length : 112
Nov 30 01:01:55 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) +
VENDOR (13) + NONE (0) total length : 112
Nov 30 01:02:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, IKE SA MM:090fd5f9 terminating: flags
0x0100c026, refcnt 0, tuncnt 0
Nov 30 01:02:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, sending delete/delete with reason message
Nov 30 01:02:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
Nov 30 01:02:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing IKE delete payload
Nov 30 01:02:00 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
Nov 30 01:02:00 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=455d4013) with payloads : HDR +
HASH (8) + DELETE (12) + NONE (0) total length : 80
Nov 30 01:02:03 [IKEv1]: IP = 10.0.22.11, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) +
VENDOR (13) + NONE (0) total length : 112
Nov 30 01:02:11 [IKEv1 DEBUG]: IP = 10.0.22.11, IKE MM Initiator FSM error history (struct &0xd8a11448) <state>,
<event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1,
EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 30 01:02:11 [IKEv1]: IP = 10.0.22.11, Removing peer from peer table failed, no match!
Nov 30 01:02:11 [IKEv1 DEBUG]: IP = 10.0.22.11, sending delete/delete with reason message
Nov 30 01:02:11 [IKEv1 DEBUG]: IP = 10.0.22.11, Active unit receives a delete event for remote peer 10.0.22.11.
285

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Questions
What could be the case in the following output?
Jan 22 14:25:29 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, QM FSM error (P2 struct &0xbc431730, mess id 0x51d2fec9)!
Jan 22 14:25:29 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, IKE QM Responder FSM error history (struct
&0xbc431730) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2,
EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Jan 22 14:25:29 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, sending delete/delete with reason message
Jan 22 14:25:29 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Removing peer from correlator table failed, no match!
Jan 22 14:25:38 [IKEv1 DECODE]IP = 10.0.12.10, IKE Responder starting QM: msg id = 51d2fec9
Jan 22 14:25:38 [IKEv1]IP = 10.0.12.10, IKE_DECODE RECEIVED Message (msgid=51d2fec9) with payloads : HDR + HASH (8)
+ SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Jan 22 14:25:38 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing hash payload
Jan 22 14:25:38 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing SA payload
Jan 22 14:25:38 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing nonce payload
Jan 22 14:25:38 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing ID payload
Jan 22 14:25:38 [IKEv1 DECODE]Group = 10.0.12.10, IP = 10.0.12.10, ID_IPV4_ADDR_SUBNET ID received--1.1.1.0-255.255.255.0
Jan 22 14:25:38 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Received remote IP Proxy Subnet data in ID Payload: Address
1.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 22 14:25:38 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing ID payload
Jan 22 14:25:38 [IKEv1 DECODE]Group = 10.0.12.10, IP = 10.0.12.10, ID_IPV4_ADDR_SUBNET ID received--3.3.3.0-255.255.255.0
Jan 22 14:25:38 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Received local IP Proxy Subnet data in ID Payload: Address
3.3.3.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 22 14:25:38 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, QM IsRekeyed old sa not found by addr
Jan 22 14:25:38 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Static Crypto Map check, checking map = mymap, seq =10
Jan 22 14:25:38 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Static Crypto Map check, map = mymap, seq = 10, ACL does not
match proxy IDs src:1.1.1.0 dst:3.3.3.0
Jan 22 14:25:38 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Rejecting IPSec tunnel: no matching crypto map entry for remote
proxy 1.1.1.0/255.255.255.0/0/0 local proxy 3.3.3.0/255.255.255.0/0/0 on interface NET3
Jan 22 14:25:38 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, sending notify message
286

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Questions
What could be the case in the following output?
Nov 30 03:16:01 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Pitcher: received key delete msg, spi 0x3a556c9a
Nov 30 03:16:01 [IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, Connection terminated for peer 10.0.22.11. Reason: IPSec SA Max time
exceeded Remote Proxy 10.0.23.0, Local Proxy 10.0.11.0
Nov 30 03:16:01 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, IKE SA MM:594acae4 rcv'd Terminate: state MM_ACTIVE flags
0x0020c062, refcnt 1, tuncnt 1
Nov 30 03:16:01 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, sending delete/delete with reason message
Nov 30 03:16:01 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
Nov 30 03:16:01 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing IPSec delete payload
Nov 30 03:16:01 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
Nov 30 03:16:01 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=d9330b34) with payloads : HDR + HASH (8) +
DELETE (12) + NONE (0) total length : 68
Nov 30 03:16:01 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Active unit receives a delete event for remote peer 10.0.22.11.
Nov 30 03:16:01 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, IKE Deleting SA: Remote Proxy 10.0.23.0, Local Proxy 10.0.11.0
Nov 30 03:16:01 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, IKE SA MM:594acae4 terminating: flags 0x0120c022, refcnt 0,
tuncnt 0
Nov 30 03:16:01 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, sending delete/delete with reason message
Nov 30 03:16:01 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
Nov 30 03:16:01 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing IKE delete payload
Nov 30 03:16:01 [IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
Nov 30 03:16:01 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=1285a941) with payloads : HDR + HASH (8) +
DELETE (12) + NONE (0) total length : 80
Nov 30 03:16:01 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x3a556c9a
Nov 30 03:16:01 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xc42fc2ef
Nov 30 03:16:03 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 30 03:16:03 [IKEv1]: IP = 10.0.22.11, IKE Initiator: New Phase 1, Intf NET1, IKE Peer 10.0.22.11 local Proxy Address 10.0.11.0,
remote Proxy Address 10.0.23.0, Crypto map (mymap)
Nov 30 03:16:03 [IKEv1 DEBUG]: IP = 10.0.22.11, constructing ISAKMP SA payload
Nov 30 03:16:03 [IKEv1 DEBUG]
ASA1# : IP = 10.0.22.11, constructing Fragmentation VID + extended capabilities payload
Nov 30 03:16:03 [IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) +
NONE (0) total length : 112
287

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Questions
In which phase and message will fail a VPN negotiation
if there is Proxy ID mismatch?
In which phase and message will fail a VPN negotiation
if there is no pre-shared key configured at all?
In which phase and message will fail a VPN negotiation
if there is problem in the SP between the 2 peers?
In which phase and message will fail a VPN negotiation
if there is mismatch in the Transform-Sets?
What will happen if one side is configured to use PFS
while the other is not? What if the remote side is IOS
router?

288

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Questions

What will happen in the following scenario if R3 10.0.13.3 tries to connect to R5 (10.0.35.5)?

289

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Methodology
Is phase 1 UP?
ASA# show crypto isakmp sa
Remember: MM_ACTIVE is good. Everything else is bad.
PIX devices older than 7.0 will show QM_IDLE if Phase 1 is UP

If phase 1 is not UP check the following:


1. Does the initiator receive the interesting traffic?
a) Check if hit-counts of the Proxy ACL increase and if the ACL is
misconfigured (remember that NAT is done before Proxy ACL matching)
b) Check if there is need to configure NAT exemption
c) Check if there is an inbound ACL blocking the interesting traffic
show access-list
d) Do capture on ASA on the inside interface that should receive the traffic
e) Check if you have same security level on the interfaces and the
command same-security-traffic permit inter-interface
show nameif

290

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Methodology
1. Is IKE phase 1 negotiation initiated?
To verify this, run debug crypto isakmp 127 with condition and
use Packet-Tracer or Ping TCP utilities to trigger the VPN. If it is
not initiated:
a) Check the routing on the initiator
show route
b) Check if the crypto-map is applied on the proper interface (or not at all)
ASA1# show run crypto map | in STATIC_MAP.*interface
c) Check if the peer IP address is correct
show run crypto map | i STATIC_MAP.*peer
show run tunnel-group
d) Check if ISAKMP is enabled*
show run crypto isakmp | i enable
* If you disable ISAKMP on interface, the ASA still initiates the VPN
connection, but doesnt complete (ignores all ISAKMP messages from
remote peer). If the remote peer initiates the VPN connection the ASA
doesnt respond at all
291

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Methodology
3. Does the responder receive ISAKMP messages from the initiator?
To verify this run conditional debug on the remote peer. If the
remote peer doesnt receive traffic check the following:
a) Is there IP connectivity between the 2 VPN peers?
b) Is there any firewall between the 2 VPN peers that blocks UDP 500?

4. Does the responder reply to the initiator?


a) Check if there is route on the responder and the remote destination
b) Check if the Crypto ACL on the responder is misconfigured

5. Is there any ISAKMP policy mismatch?


To verify this check debug messages 1 and 2 of Main Mode (MM).
Then verify the config:
show run crypto isakmp

6. Does authentication fail?


To verify this check messages 5 and 6 of Main Mode. Then check
the key:
more system:running-config | i pre-shared-key
292

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Methodology
Is phase 2 UP?
ASA# show crypto ipsec sa
Remember that you have to see pkts counters increasing for both
encrypt and decrypt.
If not then run
debug crypto isakmp 127 with condition and check the QM 3 messages

IPsec Quick Mode (QM) failure reasons can be:


1. IPsec transform-set mismatch between the 2 peers
show run crypto ipsec
show run crypto map | in transform
2. Mismatched ACLs (Proxy IDs) or overlapping ACLs
a) Remember that if only one side can initiate the VPN the reason
can be overlapping Proxy ACLs
3. If PFS is used, make sure that the same DH group is used. If it is
not used make sure that both peers dont have it configured
crypto map mymap 10 set pfs group2
293

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA VPN troubleshooting


Methodology
If both Phase 1 and Phase 2 are UP, but still there are
connectivity issues check the following:

a) Check if the counters of show crypto ipsec sa command output


increase.
Keep in mind that Crypto ACL hit-counts dont increase once the
IKE phase 2 tunnel is UP and traffic goes through the tunnel
b) Is there any firewall or ACL in the path that blocks ESP?
c) If you see that the ASA decrypts, but doesnt encrypt or vice versa
check the routing on the source or the destination (not the ASAs)
d) Is there any PAT device in the path?
Make sure that both VPN peers support NAT-T

e) If you use VPN Filters make sure that they are properly configured
show vpn-sessiondb detail l2l
show run group-policy
show run tunnel-group

Check the following link for most common L2L VPN problems:

www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0ac
a.shtml#solution13
Labs 9-10

294

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

LAN-to-LAN IPsec VPN


IKEv2 (RFC 4306) A sight to the future
Used ports
IKEv2 uses ports UDP 500 and in case of NAT-T also UDP 4500

Different exchange messages:


IKEv2 IKE_SA_INIT and IKE_AUTH exchanges = IKEv1 Phase 1
IKE_SA_INIT = 2 messages (SA, NONCE, KE, NAT-T Detection)
IKE_AUTH = 2 messages (ID, AUTH (hash), TSi ,TSr)

IKEv2 CREATE_CHILD_SA exchanges = IKEv1 Phase 2


CREATE_CHILD_SA = 2 messages (SA, NONCE, [KE],[Tsi,TSr])
TSi and TSr = Proxy IDs

INFORMATIONAL messages = convey control messages to each other


regarding errors or notifications of certain events

Lifetimes are not negotiated anymore


In IKEv1 SA lifetimes were negotiated while In IKEv2, each end of the SA is
responsible for enforcing its own lifetime policy on the SA and rekeying the
SA when necessary

295

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

LAN-to-LAN IPsec VPN


IKEv2 (RFC 4306) A sight to the future
Message exchange

After IKE_SA_INIT messages the 2 peers will generate SKEYSEED (prf(Ni | Nr, g^ir))
similar to SKEYID in IKEv1
From SKEYSEED, seven other secret keys are generated:
SK_ai = message authentication of initiator (similar to SKEYID_a)
SK_ar = message authentication of responder (similar to SKEYID_a)
SK_ei = message encryption of initiator (similar to SKEYID_e)
SK_er = message encryption of responder (similar to SKEYID_e)
SK_pi = to generate an AUTH payload
SK_pr = to generate an AUTH payload
SK_d = used for derivation of further keying material for CHILD_SAs
The two directions of traffic flow use different keys
Messages IKE_AUTH and all data are encrypted and authenticated
296

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

LAN-to-LAN IPsec VPN


IKEv2 (RFC 4306) A sight to the future
Main and Aggressive mode
IKEv2 doesnt support Aggressive Mode

IKEv1 and IKEv2 compatibility


IKEv1 and IKEv2 are incompatible. If both peers support both IKEv1 and
IKEv2, the initiator can force the responder to use IKEv1 (no downgrade
protection)

DPD, NAT-T, INITIAL_CONTACT


In IKEv2, DPD, NAT-T and INITIAL_CONTACT are natively supported

IKEv2 DOS protection


IKEv2 provides better DOS protection with a usage of Cookies
Cookies dont consume many resources

IKEv2 supports asymmetric authentication


E.g. one side can be authenticated via pre-shared key and the other via
Certificates

On ASA, IKEv2 doesnt support multiple peers while IKEv1 does

297

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

LAN-to-LAN IPsec VPN


IKEv2 (RFC 4306) A sight to the future
Basic configuration

298

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
AAA Overview
AAA = Authentication, Authorization, Accounting
Authentication = Who are you?
Authorization = What can you do?
Accounting = What did you do?

AAA can be implemented by using the local user database


(LOCAL) or by using an external database (server). Two most
common AAA external servers are TACACS+ and RADIUS
TACACS+ (Terminal Access Controller
Access Control System)

RADIUS (Remote Authentication Dial


In User Service)

Cisco proprietary

Open Standard (IETF)

Uses TCP port 49

Uses UDP 1645-1646 (legacy ports) or


1812-1813 (official ports)

More secure (packet fully encrypted)

Only password encrypted

Supports Command Authorization

Does not support Command Authorization

299

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Using the local database
On ASA I have to refer to the local database as LOCAL
(uppercase). The Cisco routers or switches dont care about
the uppercase
LOCAL database can be used for Authentication, Authorization,
but not for Accounting
If you use LOCAL database for Authentication, do not forget
first to create users in the LOCAL database. Otherwise you can
lock your self out of the ASA
To create a user in the LOCAL database
ASA(config)# username <name> password|nopassword
{privilege} <0-15>
The privilege keyword is used with command authorization
Default privilege level is 2
Username must be at least 4 characters
300

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Using the local database (cont)
To enable authentication for Console access by using the local database
ASA(config)# aaa authentication serial console LOCAL
To enable authentication for Telnet access by using the local database

ASA(config)# aaa authentication telnet console LOCAL


To enable authentication for SSH access by using the local database

ASA(config)# aaa authentication ssh console LOCAL


To enable authentication for ASDM access by using the local database

ASA(config)# aaa authentication http console LOCAL


To enable authentication for accessing the privilege mode (enable) by
using the local database

ASA(config)# aaa authentication enable console LOCAL


Privilege levels 0 and 1 cannot access privilege exec
To enable command authorization by using the local database

ASA(config)# aaa authorization command LOCAL


301

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Using the local database Example 1
Step 1 I create a user in the local database
ASA(config)# username user1 password cisco
This user will get the default privilege level (2)
ASA# show run all username

Step 2 If I want to use the local database for Telnet access:


ASA(config)# aaa authentication telnet console LOCAL
Do not forget to enable telnet access (telnet command)

Step 3 If I want to enable command authorization for user1


ASA(config)# aaa authorization command LOCAL

Step 4 If I do not use enable authentication, after I enter


the enable command, I am not longer logged in as a particular
user (ASA 8.4 Command Ref. p1-11). To maintain the user:
ASA(config)# aaa authentication enable console LOCAL
ASA# show curpriv (after logging via telnet)
302

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Using the local database - Command privileges
Command authorization by using the local database uses the
concept of privilege levels
By default, ASA commands belong to privilege level 0, 1 or 15

I can check the default level of all commands


ASA(config)# sh run all privilege all

To check the privilege level of a specific command


ASA# sh run all privilege command "router rip

A specific user has access to all commands that are equal or


lower than his/her privilege level. In general, I have 3 options:
Move a lev-15 command to lev-1 to make it available to all users
Move a lev-1 command to higher level preventing users from
accessing it
Move lev-15 commands to a level between 2-14 and assign user(s)
to this level
303

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Using the local database - Command privileges (cont)
If I configure aaa authorization command LOCAL, I can set
privilege levels for ASA commands different than their default.
In order to do this I have to use the privilege command
ASA(config)# privilege {show|clear|configure} level level
command command
show, clear and configure are the command forms and are
optional. If I dont specify the command form then all are affected
Example moving a command to different privilege level
I use the user1 that I created in the previous example in order to login via
Telnet into ASA. Since the user user1 has privilege level of 2 and the show
run command belongs to lev-15, user1 cannot run the command show run.
I move the command show run to lev-2

ASA(config)# privilege level 2 command "show run


Now user1 can execute the command show run
304

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Using external server for AAA
I order to configure an external server for AAA I have to follow
the following steps:
Step 1 - I have to create at least one AAA server group per AAA
protocol
ASA(config)# aaa-server group_name protocol protocol

Step 2 - I need to specify an AAA server including the AAA server


group that it belongs to (created in Step 1)
ASA(config)# aaa-server group_name interface (nameif) host IP

Step 3 As soon as I put the command in Step 2, ASA puts me in


host mode. From there I can configure things like the key (used as
password between ASA and ACS) and the timeout (sec waiting for
response from ACS)
ASA(config-aaa-server-host)# key asakey
ASA(config-aaa-server-host)# timeout 7

Step 4 I speficy the server-group as an AAA method


ASA(config)# aaa authentication telnet console group_name LOCAL
305

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Using TACACS+ for AAA authentication example

ASA(config)# username user1 password user1 privilege 15


ASA(config)# aaa-server TACACS_GROUP protocol tacacs+
ASA(config)# aaa-server TACACS_GROUP host 100.0.101.250
ASA(config-aaa-server-host)# key asa1key
ASA(config-aaa-server-host)# timeout 7
ASA(config)# aaa authentication telnet console TACACS_GROUP
LOCAL
306

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Using TACACS+ for AAA authentication example (cont)
ACS configuration specify ASA1 as AAA Client

307

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Using TACACS+ for AAA authentication example (cont)
ACS configuration create user user1

308

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Using TACACS+ for AAA authentication example (cont)
Verification
ASA# show run aaa
ASA# sh run aaa-server
ASA# show aaa-server

Server
Server
Server
Server
Server

Group: TACACS_GROUP
Protocol: tacacs+
Address: 100.0.101.250
port:
49
status: ACTIVE, Last transaction at 01:30:44 UTC Tue Nov 30 1999

ASA# test aaa-server authentication TACACS_GROUP host


100.0.101.250 username user1 password user1
INFO: Attempting Authentication test to IP address <100.0.101.250>
(timeout: 10 seconds)
INFO: Authentication Successful
309

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Using TACACS+ for AAA authorization example
I create 2 groups on ACS: GROUP1_ASA_LAB and GROUP2_ASA_LAB
I also create 2 users on ACS: user1 and user2. user1 belongs to
GROUP1_ASA_LAB while user2 belongs to GROUP2_ASA_LAB

310

On ASA I configure:
Use ACS and then LOCAL database for Telnet authentication
ASA(config)# aaa authentication telnet console TACACS_GROUP
LOCAL
Use ACS and then LOCAL database for enable authentication
ASA(config)# aaa authentication enable console TACACS_GROUP
LOCAL
Use ACS and then LOCAL database for command authorization
ASA(config)# aaa authorization command TACACS_GROUP LOCAL
LOCAL command authorization is based on user and cmd privileges
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Using TACACS+ for AAA authorization example
Under the GROUP1_ASA_LAB and GROUP2_ASA_LAB settings I set:

311

Now user1 is able to Telnet to ASA, but doesnt have access to config t
command. User user2 has access to all commands
ASA# conf t
Command authorization failed
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Using TACACS+ for AAA Accounting
I can configure ASA to send accounting messages to TACACS+
server whenever a user enters a command
ASA(config)# aaa accounting command TACACS_GROUP
Command accounting doesnt account show commands
The result on ACS server:

312

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Lab 11

ASA AAA
Cut-Through Proxy
With Cut-Through Proxy a user has first to authenticate before
being able to pass any traffic
I can authenticate the users against a remote AAA server (e.g.
ACS or the LOCAL database)
In order for traffic to be permitted, the ASA has also to permit
the traffic (via ACL or sec-level)
As soon as a user (from a specific IP) authenticates then all
services specified by the uauth ACL and the ASA policy are
permitted. In order to authenticate I have to use one of the
following interactive protocols:

313

HTTP
HTTPS
FTP
Telnet
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Cut-Through Proxy (cont)
In order to configure Cut-Through Proxy I need to follow the
following steps:
Step 1 Configure an AAA server for authentication (server-group)
In case I use the LOCAL database, this step is optional

Step 2 Use an ACL to specify the interesting traffic. Make sure to


include in the ACL either HTTP, HTTPS, FTP or Telnet
Step 3 Configure authentication for the interesting traffic
ASA(config)# aaa authentication match <ACL> <nameif>
<server_group>|LOCAL
The nameif is the name of the interface that accepts the connection
request
ACL is the ACL that specifies the interesting traffic (Step 2)
server_group is the group I created in Step 1

Step 4 (Optional) for HTTP and HTTPS I can configure the ASA to
redirect users to an internal web page for authentication
ASA(config)# aaa authentication listener http(s) <nameif> redirect
314

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Cut-Through Proxy (cont)
Step 5 (Optional) The authenticated session stays active until a
timeout expires (absolute or inactive). I can change the timers:
ASA(config)# timeout uauth 1:00:00 absolute uauth 0:20:00 inactivity

The default timeout is 0:05:00 absolute

Step 6 (Optional) I can configure the ASA so that the users


exchange credentials with the ASA over HTTPS. Note that the
interface ACL has to permit traffic between source and destination
over HTTPS, but the UAUTH ACL doesnt need to permit it
ASA(config)# aaa authentication secure-http-client

Step 7 (Optional) I can configure the ASA so that users


authenticate directly to the ASA itself by using Telnet or HTTP. For
HTTP the preferable method is mentioned in Step-4
ASA(config)# virtual telnet virtual_IP
ASA(config)# virtual http virtual_IP

In order to show and clear active uauth


ASA# show uauth
ASA# clear uauth {username}
315

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Cut-Through Proxy example 1
Using the LOCAL database for authentication

ASA(config)# access-list OUTSIDE_IN permit tcp host 100.0.123.250 host


100.0.101.250 eq 80
ASA(config)# access-group OUTSIDE_IN in interface outside
ASA(config)# access-list UAUTH permit tcp host 100.0.123.250 host
100.0.101.250 eq 80
ASA(config)# aaa authentication match UAUTH outside LOCAL
ASA(config)# timeout uauth 1:00:00 absolute uauth 0:10:0 inactivity
!
316
ASA(config)#
aaa authentication listener http(s) outside redirect
ASA# clear uauth <username>
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA AAA
Cut-Through Proxy example 2
Using TACACS for authentication

ASA(config)# access-list OUTSIDE_IN permit tcp host 100.0.123.250 host


100.0.101.250 eq 80
ASA(config)# access-group OUTSIDE_IN in interface outside
ASA(config)# access-list UAUTH_INT permit tcp host 100.0.123.250 host
100.0.101.250 eq 80
ASA(config)# aaa-server TACACS protocol tacacs+
ASA(config)# aaa-server TACACS host 100.0.101.250
ASA(config-aaa-server-host)# key asa1key
317
ASA(config)#
aaa authentication match UAUTH_INT outside TACACS
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Lab 12

ASA AAA
Questions
Where can users be stored and used for authentication?
What is the default privilege level for a user? What is
the highest?
What options are available to authenticate users on a
ASA Firewall?
What options are available for Command Authorization
on a ASA Firewall?
1.
2.
3.
4.

318

Local user database


Remote RADIUS server
Remote TACACS+ server
All of the above

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Miscellaneous topics


ASA Web Filtering
Content Filtering
Filtering ActiveX objects
ASA(config)# filter activex 80 0 0 0 0

Filtering Java applets on ASA


ASA(config)# filter java 80 0 0 0 0

You can except specific IPs from filtering


ASA(config)# filter activex|java except 0 0 9.5.2.0 255.255.255.0

Note that all these will filter only outbound traffic

HTTP,HTTPS and FTP Filtering with external filtering server


2 solutions
Secure Computing SmartFilter (ex N2H2)
Websense

319

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Miscellaneous topics


URL filtering operation

320

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Miscellaneous topics


ASA Web Filtering
The configuration is 2 step process:
Identify the URL server:
ASA(config)# url-server (inside) host 100.0.101.199

Specify what will be sent to the URL server:


ASA(config)# filter url|https|ftp {port} 0 0 0 0 {allow}

'url' = http
'port specifies the port if different than the default
'allow' will permit connections if the URL server is unavailable

Verification
ASA# show url-server statistics
ASA# show run url-server
ASA# show run filter

321

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Miscellaneous topics


Questions
How does the ASA Firewall filter Java applets and
ActiveX objects?
1. The ASA Firewall does not filter ActiveX objects or Java applets
2. By commenting out the <OBJECT> </OBJECT> tags or the
<APPLET> </ APPLET> tags in the HTML page
3. By deleting the <OBJECT CLASSID> </OBJECT> tags or the
<APPLET> </ APPLET> tags in the HTML page
4. It notifies the content-filtering server, which in turn disables the
ActiveX objects and Java applets

322

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Miscellaneous topics


Quality of Service (QoS)
Allows a device to provide different treatment to different packets
Available only in Single Context mode
ASA supports 3 types of QoS
Traffic Prioritization
Allows time sensitive traffic to be sent ahead of other traffic
Only for outbound traffic
Traffic policing
Limits the maximum bandwidth for a flow
For inbound and outbound traffic
Traffic shaping
Slows down the speed in order to avoid choking of the next device
Only for outbound traffic

How QoS features interact


I cannot configure Policing and Prioritization for the same traffic

323

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Miscellaneous topics


Quality of Service (QoS)
Traffic Prioritization Configuration
Enable Priority queue on interface
ASA(config)# priority-queue outside
Optionally, tune the Priority Queue size and/or HW Queue size
ASA(config-priority-queue)# queue-limit 200
ASA(config-priority-queue)# tx-ring-limit 5
Identify time-sensitive traffic
ASA(config)# class-map RTP_CMAP
ASA(config-cmap)# match rtp 16384 16383
Prioritize the RTP traffic
ASA(config)# policy-map RTP_PMAP
ASA(config-pmap)# class RTP_CMAP
ASA(config-pmap-c)# priority
Apply the policy-map
ASA(config)# service-policy RTP_PMAP interface outside
ASA# show priority-queue config
324

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Miscellaneous topics


Quality of Service (QoS)
Traffic Policing Configuration
I specify traffic by using L3/L4 class-map
I can apply policing ingress or egress on interface
Basic configuration
ASA(config)# access-list ICMP_ACL permit icmp any any
ASA(config)# class-map ICMP_CMAP
ASA(config-cmap)# match access-list ICMP_ACL
ASA(config-cmap)# policy-map ICMP_PMAP
ASA(config-pmap)# class ICMP_CMAP
ASA(config-pmap-c)# police input 8000

Verification
ASA# show service-policy police

325

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Miscellaneous topics


Quality of Service (QoS)
Traffic Shaping Configuration
For Traffic Shaping I can only use the class-default
ASA(config)# policy-map SHAPER_PMAP
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# shape average <rate> <burst-size>
Rate = bps
Burst-size = bits per interval

326

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA QoS
Questions
Which option can be applied to which feature?
1.
2.
3.
4.
5.
6.
7.

327

Feature 1 Traffic Shaping


Feature 2 Traffic Policing
Feature 3 Traffic Prioritization
Option 1 Can be applied only to the default-class
Option 2 Can be applied inbound and outbound
Option 3 Can be applied only outbound
Option 4 Txring and queue-limit can be defined

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Miscellaneous topics


Time/Date Configuration
Setting Date and Time manually
In order to set the clock:
ASA# clock set 22:29:00 31 Oct 2011

In order to set the timezone:


ASA(config)# clock timezone CET 1

In order to set daylight saving time


ASA(config)# clock summer-time CEST recurring

Setting Date and Time with NTP


NTP without authentication
ASA(config)# ntp server 100.0.101.99

NTP with authentication


To enable NTP authentication
ASA(config)# ntp authenticate

To set the authentication key


ASA(config)# ntp authentication-key 1 md5 KEY
328

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Miscellaneous topics


Time/Date Configuration
To trust a key
ASA(config)# ntp trusted-key 1

To specify an NTP server


ASA(config)# ntp server 100.0.101.99 key 1 {prefer}

NTP with authentication example


ASA(config)# ntp authentication-key 1 md5 SecretKey1
ASA(config)# ntp authentication-key 2 md5 SecretKey2
ASA(config)# ntp trusted-key 1
ASA(config)# ntp trusted-key 2
ASA(config)# ntp server 100.0.0.1 key 1 prefer
ASA(config)# ntp server 100.1.0.2 key 2
ASA(config)# ntp authenticate
Verification
ASA# show ntp status
329

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Miscellaneous topics


Banners
Allow to configure a message to display when a user connects
to ASA
Three types of banners:
MOTD(Message Of The Day)
Login
Exec

I can use $(hostname) in order to add dynamically the hostname


Banner MOTD configuration example
ASA(config)# banner motd You have logged in to a secure device,
ASA(config)# banner motd If you are not authorized to access this
device,

ASA(config)# banner motd log out immediately or risk possible


criminal consequences.

330

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Miscellaneous topics


Best practices
Configure connection limits per-host in order to avoid DoS
attacks
Instead of configuring high-level logging, move the level of the
messages you want to log to a lower level
Use SSH instead of Telnet for remote access
Use AAA for management access and LOCAL as fallback
If possible, enable anti-spoofing ip verify reverse-path on
all interfaces
Make a baseline of your current CPU load, number of
connections (conns), translations (xlates) and traffic per
interface
Keep configuration archives

331

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Fundamentals
Cisco recommends RTP checking
RTP Route Translation Permission - Are necessary for any
flow to work through the FW
R = Routing
Make sure the interfaces are properly configured and Routing is OK
ASA# show route

T = Translation
Make sure NAT is OK
ASA# show nat

P = Permission
High-to-Low is allowed by default
Packet-tracer utility
ASA# show access-list | in 1.1.1.*5529

332

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Troubleshooting Performance issues
In order to see the resource usage on the FW
ASA# show resource usage
Resource
Current
Peak
Limit
Denied Context
SSH
1
5
5
0 System
Syslogs [rate]
26
6271
N/A
0 System
Conns
1082
8175
650000
0 System
Xlates
25
28
N/A
0 System
Hosts
860
7001
N/A
0 System
Conns [rate]
8
2431
N/A
0 System
Inspects [rate] 1
1622
N/A
0 System

333

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Troubleshooting Performance issues
In order to see the CPU load
ASA# show cpu usage
When CPU utilization > 90% the FW starts dropping packets

Run show processes cpu-usage few times


ASA# show proc cpu-usage sorted non-zero
PC
Thread
5Sec
1Min
5Min Process
081beaa4 1c5afb50
1.9%
1.8%
1.7% Dispatch Unit
08c9291c 1c5af370
0.4%
0.4%
0.4% ssm4ge_cfg_poll_thread
08c73c2c 1c5ac238
0.1%
0.0%
0.0% ssh

Possible reasons for high CPU


1.
2.
3.
4.
5.
334

Attack due to infected hosts


L2 loop in the network
Inspections
Syslog server with no syslog service running
Maybe it is time to upgrade
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Troubleshooting Performance issues
1. Attack due to infected hosts
In order to identify infected hosts trying to establish too many TCP, UDP or
embryonic connections:
ASA# show local-host | in host|count/limit
local host: <100.0.123.3>,
TCP flow count/limit = 15/unlimited
TCP embryonic count to host = 12124
UDP flow count/limit = 9/unlimited

Now use show local-host 100.0.123.3 to see the connections

2. L2 loop in the network


Use capture utility on FWs interfaces during the problem
Configure capture
ASA(config)# access-list PERMIT_ANY extended permit ip any any
ASA(config)# capture CAP_INSIDE access-list PERMIT_ANY interface inside

View capture
ASA# show capture CAP_INSIDE

Remove capture
ASA# no capture CAP_INSIDE
335

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Troubleshooting Performance issues
3. Inspections can cause high CPU

See what inspections are used and how many packets each one has
processed
ASA# show service-policy
Remove inspections one-by-one to see if CPU goes down

4. Syslog server with no syslog service running


1. ASA will send syslog messages to syslog server
2. The syslog will send port unreachable messages
3. The ASA will create logs for the port unreachable messages and send
them back to the server
4. Syslog messages can grow exponentially causing high CPU

5. Maybe it is time to upgrade

336

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Troubleshooting Performance issues
Issue show interface command
ASA# show interface inside | in buffer|collisions|software|overrun|underrun

0 packets input, 506127 bytes, 0 no buffer


0 input errors, 0 CRC, 0 frame, 81 overrun, 0 ignored, 0 abort
317389047 packets output, 10417629232 bytes, 17 underruns
0 output errors, 0 collisions, 0 interface resets
input queue (curr/max packets): hardware (128/128) software (0/3)
no buffers indicate drops typically due to bursty traffic
overrun shows dropped packets due to full ingress interface queue
underruns shows dropped packets due to full eggress interface queue
collisions could indicate duplex mismatch or very long cable
software input queue is indicator of load

Issue show conn count in order to see the number of connections


ASA# show conn count
1 in use, 1 most used
ASA# show conn detail
Adds uptime and timeout of connections
8.0(4) and later
337

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Troubleshooting Performance issues
Issue show memory command to see the free memory
ASA# show memory
Free memory:
10721224 bytes ( 8%)
Used memory:
123496504 bytes (92%)
---------------------------Total memory:
134217728 bytes (100%)

In order to see the amount of traffic that it passes through the


FW per interface
ASA# show traffic
Ethernet0:
received (in 402.600 secs):
13454 packets
130344234 bytes
2174 pkts/sec
1059282 bytes/sec
transmitted (in 402.600 secs):
194205 packets
2342205 bytes
120 pkts/sec
2035 bytes/sec
338

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Troubleshooting Performance issues
show perfmon will show the total number of connections
ASA# show perfmon
PERFMON STATS:
Current
Average
Xlates
0/s 0/s
Connections
24/s
0/s
TCP Conns
21/s
0/s
UDP Conns
1/s 0/s
URL Access
0/s 0/s
URL Server Req
0/s
0/s
TCP Fixup
0/s
0/s
TCP Intercept Established Conns
0/s
0/s
TCP Intercept Attempts
0/s
0/s
TCP Embryonic Conns Timeout
0/s
0/s
HTTP Fixup
0/s
0/s
FTP Fixup
0/s
0/s
AAA Authen
0/s
0/s
AAA Author
0/s
0/s
AAA Account
0/s
0/s
VALID CONNS RATE in TCP INTERCEPT: Current
Average
N/A
99.00%
339

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Troubleshooting Connections
show local-host will show all connections and xlates (only dynamic)
for a specific host IP
ASA# show local-host 100.0.101.1
Interface dmz: 0 active, 0 maximum active, 0 denied
Interface outside: 1 active, 1 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <100.0.101.1>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Xlate:
PAT Global 100.0.123.10(1024) Local 100.0.101.1(47551)
Conn:
TCP out 100.0.123.3:23 in 100.0.101.1:47551 idle 0:00:08 bytes 53 flags UIO

In order to clear a specific connection (8.0(4) and later)


ASA# clear conn address 100.0.101.1 address 10.0.3.3
340

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Troubleshooting Connections
When a connection is terminated the FW shows in the log the
teardown reason (syslog level 6)
ASA# show log
%ASA-6-302014: Teardown TCP connection 3 for outside:100.0.123.3/23 to
inside:100.0.101.1/19810 duration 0:00:00 bytes 0 TCP Reset-I
Reason

Description

Conn Timeout

Connection Ended Because It Was Idle Longer Than the Configured


Idle Timeout

SYN Timeout

Force Termination After Two Minutes Awaiting


Three-Way Handshake Completion

TCP Reset-I

TCP Reset Was Sent From the Inside Host (host from the higher
security interface)

TCP Reset-O

TCP Reset Was Sent From the Outside Host (host from the lower
security interface)

See Cisco doc Syslog Messages, message 302014 for more details
341

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Quick Reference of TCP Connection Termination Reasons
Reason

Description

Deny Terminate

Flow Was Terminated by Application Inspection

Failover Primary Closed

The Standby Unit in a Failover Pair Deleted a Connection


Because of a Message Received from the Active Unit

FIN Timeout

Force Termination After Ten Minutes Awaiting the Last


ACK or After Half-Closed Timeout

Flow Closed by Inspection

Flow Was Terminated by Inspection Feature

Flow Terminated by ASA IPS

Flow Was Terminated by IPS

Flow Reset by IPS

Flow Was Reset by IPS

Flow Terminated by TCP


Intercept

Flow Was Terminated by TCP Intercept

Invalid SYN

SYN Packet Not Valid

Idle Timeout

Connection Timed Out Because It Was Idle Longer than


the Timeout Value

IPS Fail-Close

Flow Was Terminated Due to IPS Card Down

342

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Quick Reference of TCP Connection Termination Reasons
Reason

Description

SYN Control

Back Channel Initiation from Wrong Side

SYN Timeout

Force Termination After Two Minutes Awaiting Three-Way


Handshake Completion

TCP Bad Retransmission

Connection Terminated Because of Bad TCP


Retransmission

TCP Fins

Normal Close Down Sequence

TCP Segment Partial Overlap

Detected a Partially Overlapping Segment

TCP Unexpected Window Size


Variation

Connection Terminated Due to a Variation in the TCP


Window Size

Tunnel Has Been Torn Down

Flow Terminated Because Tunnel Is Down

Xlate Clear

User Executed the Clear Xlate Command

Unauth Deny

Connection Denied by URL Filtering Server

Unknown

Catch-All Error

343

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Troubleshooting Connections
The total limit of connections it is specified by the HW platform
Limiting the number of embryonic conns protects from a DoS attack
To manually set the maximum connection limit for the whole device:
TCP max conns 20000, TCP max embryonic 1000, UDP max 10000:
ASA(config)# class-map TCP_TRAFFIC
ASA(config-cmap)# match port tcp range 1 65535
ASA(config-cmap)# class-map UDP_TRAFFIC
ASA(config-cmap)# match port udp range 1 65535
ASA(config-cmap)# policy-map global_policy
ASA(config-pmap)# class TCP_TRAFFIC
ASA(config-pmap-c)# set connection conn-max 20000 embryonicconn-max 1000
ASA(config-pmap-c)# class UDP_TRAFFIC
ASA(config-pmap-c)# set connection conn-max 10000

In order to verify
ASA# show service-policy global set connection
344

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Troubleshooting Connections
To manually set the maximum connection limit per host: TCP max
conns per host 100, TCP max embryonic conns per host 50:
ASA(config)# class-map TCP_TRAFFIC
ASA(config-cmap)# match port tcp range 1 65535
ASA(config-cmap)# policy-map global_policy
ASA(config-pmap)# class TCP_TRAFFIC
ASA(config-pmap-c)# set connection per-client-embryonic-max 50
ASA(config-pmap-c)# set connection per-client-max 100

show conn will show all connections through the FW. Adding
keyword all will show also connections to and from the FW
ASA# show conn all
ICMP out 100.0.123.3:0 in 100.0.101.1:2 idle 0:00:01 bytes 144
TCP out 100.0.123.3:23 in 1.0.101.1:4726 idle 0:02:08 bytes 11280 flags UIO
TCP out 100.0.1.250:1295 in 1.0.1.10:443 idle 0:00:03 bytes 8294 flags UOB

Always shows from low-sec-level to high-sec-level.


B flag in TCP means connections with direction from Low to High
345

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Troubleshooting Connections Out-of-Order TCP packets
Inspections and packets sent to SSM (AIP or CSC) require
packets to arrive in order
By default, ASA will buffer up to 3 TCP packets
The buffer size can be increased
How to detect the problem
ASA# show asp drop
Frame drop:
No route to host
Flow is denied by configured rule
First TCP packet not SYN
TCP packet bucket full

346

39
506
27
58135

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Troubleshooting Connections Out-of-Order TCP packets
How to fix
ASA(config)# access-list OOO_ACL permit tcp any any
ASA(config)# class-map OOO_CMAP
ASA(config-cmap)# match access-list OOO_ACL
ASA(config)# tcp-map OOO_TCP_MAP
ASA(config-tcp-map)# queue-limit 10
ASA(config)# policy-map global_policy
ASA(config-pmap)# class OOO_CMAP
AAA(config-pmap-c)# set connection advanced-options
OOO_TCP_MAP

How to verify
ASA# show service-policy
Class-map: OOO_CLASS
...
Out-of-order packets: 0
347

No buffer drops

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

:0

ASA Troubleshooting
Troubleshooting HTTP Latency
Host outside the FW has also the same latency symptoms?
1.
2.
3.
4.
5.

HTTP inspection is enabled?


QoS Policing is enabled?
Content filtering is enabled?
URL filtering is enabled?
Threat detection is enabled?

6.
7.
8.
9.

FW interfaces have errors?


Dynamic NAT fails, but static is OK?
MSS issue
ISP uses load-balancing based on source and destination?

348

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Troubleshooting HTTP Latency
Step 1 Is HTTP inspection enabled?
ASA# show service-policy flow tcp host 1.1.1.1 host 2.2.2.2 eq 80

Try to disable it and try again


ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# no http inspect
ASA# clear local-host 1.1.1.1 clears conns and xlates for 1.1.1.1

Step 2 Is QoS Policing enabled?


ASA# show service-policy flow tcp host 1.1.1.1 host 2.2.2.2 eq 80

Try to disable it and try again


ASA(config)# policy-map POLICE_TRAFFIC
ASA(config-pmap)# class HTTP_CLASS
ASA(config-pmap-c)# no police output 50000
ASA# clear local-host 1.1.1.1

349

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Troubleshooting HTTP Latency
Step 3 Content filtering is enabled?
ASA# show run filter

Try to disable it and try again

Step 4 URL Filtering is enabled?


ASA# show run url-server

Try to disable it and try again

Step 5 Threat detection is enabled?


ASA# show run threat

Try to disable it and try again

Step 6 FW interfaces have errors?


ASA# show int | in error

If you see errors identify the interface and:


Change switchport
Change cable
350

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Troubleshooting HTTP Latency
Step 7 Check NAT, PAT, Static
The remote site doesnt allow certain IP addresses
Change your NAT IP
Clear xlate
ASA# clear xlate 100.0.101.1
Try again

In case of PAT, maybe the remote site doesnt allow many


connections from same IP

Step 8 MSS issue


Normally, client and server agree on MSS during TCP 3-way handshake
Some web servers do not adhere to MSS of the client
ASA will drop the packets and will show in the log:
%ASA-4-419001: Dropping TCP packet from outside:100.0.123.250/80 to
inside:100.0.101.1:1026, reason: MSS exceeded, MSS 560, data 1440
Allow exceeding MSS by configuring MPF. See Cisco doc

351

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Questions
What is an embryonic connection?
What are the default timeouts for TCP, UDP, ICMP and
embryonic connections?
What command shows all active connections on ASA?
1.
2.
3.
4.

show
show
show
show

conn
xlate
connection status
local-host

Which flags should be shown in the show conn output


if the TCP connection is established from in to out?
1.
2.
3.
4.
352

aB
U
UIO
aAB
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Questions
What can be determined from the following output?
Which IP initiated the connection?
ASA# show conn
19 in use, 158 most used
TCP NET1 100.0.123.3:23 NET2 100.0.101.1:22830 idle 0:00:02
bytes 53 flags UIO
1. The host in the lower security level is waiting for ACK
2. The connection was initiated from the higher security level
3. The connection is UP and has received inbound and outbound
traffic
4. The host in the higher security level is waiting for SYN-ACK
5. The connection was initiated from the lower security level

What does the TCP Reset-O mean in the Teardown TCP


connection syslog?
353

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Questions
What can be determined from the following output?
ASA# show local-host 100.0.101.1
Interface dmz: 0 active, 0 maximum active, 0 denied
Interface outside: 1 active, 1 maximum active, 0 denied
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
31511 in use, 52242 most used
TCP out 150.0.10.3:231 in 100.0.101.1:47262 idle 0:02:07 bytes 10 flags saA
TCP out 1.0.123.3:23 in 100.0.101.1:47262 idle 0:02:08 bytes 10 flags saA
TCP out 100.0.121.2:1295 in 100.0.101.1:4113 idle 0:00:03 bytes 4 flags saA
TCP out 113.0.12.3:213 in 100.0.101.1:47262 idle 0:02:08 bytes 10 flags saA
TCP out 150.0.10.25:1295 in 100.0.101.1:4133 idle 0:00:03 bytes 4 flags saA

354

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Troubleshooting
Questions
What is happening in the following example?

%ASA-7-609001: Built local-host NET2:100.0.123.250


%ASA-7-609001: Built local-host NET1:100.0.101.250
%ASA-6-302013: Built inbound TCP connection 27 for
NET2:100.0.123.250/15649 (100.0.123.250/15649) to NET1:100.0.101.250/81
(100.0.101.250/81)
%ASA-6-302014: Teardown TCP connection 27 for NET2:100.0.123.250/15649
to NET1:100.0.101.250/81 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-7-609002: Teardown local-host NET2:100.0.123.250 duration 0:00:00
%ASA-7-609002: Teardown local-host NET1:100.0.101.250 duration 0:00:00

355

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

ASA Revision
Course revision Confirm what you learnt

356

2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.