Troubleshooting ASA, PIX, and FWSM

Q. What are the different modes you can run on the ASA firewall and what is the most practical mode to run the ASA? A. There are two modes you can run a firewall in: - Routed - Transparent

In routed mode ASA is a hop in a network and in transparent mode, ASA is not a hop and works at Layer 2. A transparent firewall can only use 2 interfaces for traffic filtering and can be installed in an existing network with minimal changes. It completely depends on security policy/environment as to which mode would suite the network.

ASA/PIX-Software Versions Q. Why should we upgrade to ASA Version 8.3 considering the learning curve with changes to the NAT rules? A. ASA version 8.3 has new features like Smart Call Home, global ACLs, VPN and inspection enhancements that could be very useful to people. I would suggest looking at the ASA 8.3 Release Notes for all the new features. As a side note, the learning curve is something that will take time. One more advantage is that NAT will be simpler in ASA 8.3. I hope this makes sense. Q. When I upgraded to 8.3, our NAT quit working. Looking through the Release notes and Migration guide, we didn’t see any notes on this or even procedures to take before the upgrade. Do you have any suggestions? A. the Release notes say that you need to upgrade memory. But the rest of the migration should go smoothly. Also the notes will say how to downgrade using the downgrade command. Now if you faced issue you could be hitting one defect we have seen with ACL migration or one with overlapping nats. I am not sure which exactly. I would suggest downgrading if there are issues and keep a copy of the 8.3 config to talk to TAC to see if you hit the defects I mentioned. Q. I have an ASA 5510 running 7.0(6). If I upgrade to 8.2, will I have to update the config file for incompatibility? A. There have been few commands which got changed/deprecated from 7.0 -> 8.2. Hence, it would be better to possibly do a step-by-step upgrade so that command changes are done accordingly. 7.0 -> 7.1 -> 7.2 -> 8.0 -> 8.2. Q. What special considerations do I need to consider when I have to put private addresses on the outside of the ASA? In this case, we have a subordinate campus that wants their own ASA but we are in 10.1.1.x here for their uplink (We are the ISP). A. Private IP address is to save address space. They will work as other IP addresses as long as there is the routing in place. I am not sure exactly how you will assign private IP addresses to a campus reachable from the internet, but you need to consider routing and also that sometimes following RFC1918, network administrators might block private ip addresses on their routers,firewalls etc. Otherwise the private ranges can be used exactly as public. I hope it helps. Q. I'm using an ASA 5505. When copying a config from tftp to startup config, is startup config merged with the tftp config like when using pix w/ 6.3, or is the startup config overwritten completely? A. The config is completely overwritten, only when do you copy over to the running config, it merges. Once you copy over the startup config, it will completely overwrite the startup config. Click here for the live answer.

Q. Can I copy the config from ASA5550 to ASA5540? A. Yes we can. However, keep in mind that ASA5550 comes with a bundled 4-GE-SSM module. If these interfaces are in use on ASA5550, but do not exist on ASA5540, configuration related to those interfaces will be ignored. Failover Q. We have our failover going through a switch. This is preferred over a cable? We had a module fail that had the primary interfaces and the failover on it, so the ASA did not fail over. We assume to fix this; we need to move the failover to another switch blade as the primary interfaces. Is this correct? A. That would be correct. The firewall performs an ARP test before failing over when the failover link goes. It wills ARP out all interfaces for its peer to see if it can elicit a response. If any response is received a failover will not take place as to avoid an active/active scenario. With the failover link down, the two firewalls cannot communicate their status to each other. In your case, they probably saw each other on another interface preventing the failover. Q. Is VPN's supported in an active/active configuration? A.When the security appliance is configured for security contexts (also called firewall multimode) or Active/Active stateful failover, IPSec or SSL VPN cannot be enabled. Therefore, these features are unavailable. Q. Can you configure a two 5500 ASAs in failover mode via the management interface to connect the two? A. Yes. However, keep in mind that Management interfaces are FastEthernet interfaces. If you plan to share stateful link also with failover link, you should use fastest interface available on the unit. Q. Is it possible to have a failover ASA that does not have the AIP - SSM installed when the primary has the AIP-SSM installed? A. Yes. However, if the configuration is utilizing AIP-SSM, then this would not work. Q. Shouldn't stateful failover include routing information / OSPF negotiations if customers aren't supposed to notice an outage during a failover event? A. Correct. Currently, dynamic routing tables are not replicated from active to standby unit. There is an enhancement request filed to add this feature--Refer the bug ID CSCsu90386 (registered customers only). Q. Is there a roadmap to adding routing tables to stateful failover? We have ASA's in statefull failover, but that is worthless as we need to wait 20-40 seconds for OSPF to update the routing tables on the newly active ASA when a failover occurs. A. Yes. This is on the roadmap. There is an enhancement bug filed for this --Refer the Bug ID CSCsl08631 (registered customers only). You can track the progress of this request or you can work with Accounts team to get this feature added in future releases. Q. Can we upgrade the firmware for a pair of firewalls in HA mode without downtime? Especially since only one of the firewalls needs to be upgraded. A. You can use 'Zero-downtime upgrade' procedure. Please find the same on following link: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mswlicfg.html#wp1053398 Q. What is difference between STATE failover & LAN failover? Type of failover: like LAN, STATE, and Serial? What is exact difference? A. There are two types of failover mechanisms: -Cable based failover (Only on PIX) -Lan based failover

In cable based failover a serial cable is connected between two firewalls over which failover communications happen. In Lan based failover [fast/gig]ethernet ports of two units are connected on which failover communications occur. Stateful failover is an additional feature which can be utilized in cable/lan failover. This feature allows replication of state table from Active to Standby unit. Thus, in event of failover, user does not have to re-establish the connection. Q. Between these two commands -- failover interface ip FAILOVER and failover interface ip STATE -- what is difference between both commands? A. One is for interface, the other is for stateful. Stateful is the state that tcp will be updated between the two machines over the STATE link. Sometimes the failover and STATE links are over the same line. When a failover happens, and the stateful is not defined, all the tcp and udp sessions have to be re-established Click here for the live answer.

Q. for ASA5510, will it be better to use 1GE interface as failover interface or 100T interface? Which is sufficient to become failover interface? A. For these connections, will you be routing the traffic out to an intermediary device on the outside interface then back to the ASA? Without knowing the exact requirements it is hard to say exactly how this will be accomplished. Here is a link for intra interface communications on the ASA. http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a0080734db7.shtml Q. Do route tables sync in 3.1 failover? A. No. For example, OSPF will need to re-converge after a failover event. I hope it makes sense. ASA/PIX-Support Q. Does the ASA5505 and 5510 support DMVPN with SR520? A. ASA does not support DMVPN. Click here for the live answer.

Q. Is it still a recommended feature to keep the number of firewall rules not in a big number? A. You can say that it is a good recommendation. It makes the ACE search faster so your firewall can process packets faster. most people will not notice any difference but we have seen CPU issues in the past with huge ACLs (~400K on an ASA). I hope it helps.

Q. To confirm, ASA doesn't do routing protocol/BGP for multiple internet connections? Must use router or L3 switch? A. Correct. The ASA will not do BGP. It can do RIP, OSPF, EIGRP. The FWSM will support BGP. I hope it clarifies it. Cisco ASA-QoS Q. Can the ASA set QoS tags? A. Nope. The ASA will match and police/shape/prioritize based on tags. But it cannot set them. Q. I have a cisco 5510 and several Cisco 5505's. At each location we have a Cisco 5505, with 2 types of traffic: staff and public. How can I setup QoS or prioritization for our staff so they get priority through the VPN? A. There is a very good example here https://supportforums.cisco.com/docs/DOC-1230#Traffic_Policing_with_Prioritization

You match on the staff traffic and you police the rest of your VPN. Note that you need to police in order for prioritization to kick in. So decide how much your VPN will take and prioritized traffic that matches the staff. I hope it helps. Q. We are using phone proxy on our ASA5520 in our organization. Is there anything that can be done to improve call quality? A. the ASA does provide functionality for QOS and priority queuing of the voice traffic. This typically only comes into play if the interfaces are being saturated with traffic. Besides QOS we would need to take a look at the interfaces to see if there are any errors or indications or problems. It may be something further upstream which is causing the quality issues. It is also important to monitor when the problem occurs. Does it only happen during peak times? This would be an indication of link saturation.

More about: Full info of How to Troubleshoot ASA, PIX, and FWSM?

More Related TOPICS: Create IPv6 LAN-to-LAN VPN Tunnel on Cisco ASAs

What Things to be Considered While Upgrading ASA 5500 Series?

What is Cisco ASA CX Security Module?

ght Commands on a Cisco ASA Security Appliance You Should Know

How to Configure Cisco PIX Firewall?

Related Articles - troubleshoot ASA, PIX, FWSM, ASA/PIX-Basic Configuration, PIX firewall, network security, DHCP,

Email this Article to a Friend! Receive Articles like this one direct to your email box! Subscribe for free today!