Solved

Cisco ASA CX module

Posted on 2014-02-05
912 Views
Last Modified: 2014-02-22
I have a Cisco ASA 5525. I have started using the inbuilt CX module. I can see the traffic passing through it when I use the Cisco Prime Security Manager. However, when I create a policy to deny a web site, e.g. www.bbc.co.uk, it does not stop the traffic. However, when I stop the module from running I cannot get to the WWW, so I know traffic is passing through it OK.

Any ideas ?
Question by: tjwoollard

Expert Comment by: Robert Sutton Jr (ID: 39836183)
1) Are both the ASA and CX modules configured for normal inline mode, or at least do they match?
2) Did you create/complete the service policy rule > Traffic classification > Rules Action portion also?

Let us know.

Author Comment by: tjwoollard (ID: 39836250)
Not sure what you mean there. I have a global policy that makes all the traffic go through the CX module.

policy-map global-policy
 class class-default
  cxsc fail-close
!
service-policy global-policy global

From what I have read that is all you need to do. The www traffic is passing through the CX unit because if I shut it down I cannot browse the WWW at all.

Expert Comment by: Robert Sutton Jr (ID: 39836297)
A few things here:

In PRSM choose to "Edit" that Service Policy rule and verify that under the Traffic classification/Rules Actions section those options are properly populated.
It sounds like you just want to redirect only that traffic (i.e. web) to the CX module.
Also, did you previously have a service policy redirecting that traffic through an IPS module? If so, that service policy would need to be removed. Are you running auth-proxy?

From your output above:
cxsc-fail-close—The packet is dropped because the card is not up and the policy configured was 'fail-close' (rather than 'fail-open' which allows packets through even if the card was down). <== This would account for your scenario in your initial description.
Could you also issue the following commands and return and paste the outputs here:

show service-policy cxsc

show asp table classify domain cxsc

<With the module active:>
show asp drop


Let us know.

Author Comment by: tjwoollard (ID: 39838342)
The ASA unit is straight out of the box, so there were no policies other than the default, which I deleted and replaced with:

policy-map global-policy
 class class-default
  cxsc fail-close
!
service-policy global-policy global

I know the traffic is going through the CX unit as when I turn it off I cannot get to the WWW.
It seems it is ignoring the policy I have created. Here is what you requested:

asa1# sh service-policy cxsc

Global policy:
  Service-policy: global-policy
    Class-map: class-default
      CXSC: card status Up, mode fail-close, auth-proxy disabled
        packet input 34094, packet output 33641, drop 0, reset-drop 0, proxied 0

show asp table classify domain cxsc

Input Table
in  id=0x7fff33f9cc90, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9d440, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9dcf0, priority=71, domain=cxsc, deny=false
        hits=759, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9e4a0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9ed50, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33f9f500, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33f9fdb0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=management, output_ifc=any
in  id=0x7fff33fa0560, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=management, output_ifc=any
in  id=0x7fff33f9d050, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9d800, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9e0b0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9e860, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9f110, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33f9f8c0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33fa0170, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=management, output_ifc=any
in  id=0x7fff33fa0920, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=management, output_ifc=any

Output Table:

L2 - Output Table:

L2 - Input Table:


asa1# sh asp drop

Frame drop:
  No route to host (no-route)                                                274
  Flow is denied by configured rule (acl-drop)                              2044
  First TCP packet not SYN (tcp-not-syn)                                       2
  TCP failed 3 way handshake (tcp-3whs-failed)                                36
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                    3
  Slowpath security checks failed (sp-security-failed)                      1997
  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)          1
  FP L2 rule drop (l2_acl)                                                    21
  Interface is down (interface-down)                                       37302

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                            4

Accepted Solution by: tjwoollard (earned 0 total points, ID: 39866877)
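The two outputs above are the evidence to read before touching the CX policy again: the service-policy line shows whether the card is up and what fail mode applies, and the classify table shows which interfaces actually match the cxsc redirect. The following parser is an added example written for this thread, not code from the poster or from Cisco; the embedded sample text is a constructed, shortened excerpt of the outputs posted above.

```python
import re
# Constructed excerpts of the two outputs posted in the thread (classify table cut to two entries).
SERVICE_POLICY = """\
  Service-policy: global-policy
    Class-map: class-default
      CXSC: card status Up, mode fail-close, auth-proxy disabled
        packet input 34094, packet output 33641, drop 0, reset-drop 0, proxied 0
"""
CLASSIFY = """\
in  id=0x7fff33f9cc90, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9dcf0, priority=71, domain=cxsc, deny=false
        hits=759, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        input_ifc=inside, output_ifc=any
"""

def parse_service_policy(text):
    """Card status, fail mode and packet counters from 'show service-policy cxsc'."""
    m = re.search(r"CXSC: card status (\w+), mode (fail-\w+), auth-proxy (\w+)", text)
    c = re.search(r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+), proxied (\d+)", text)
    if not m or not c:
        raise ValueError("no CXSC action found in service-policy output")
    keys = ("input", "output", "drop", "reset_drop", "proxied")
    return {"status": m.group(1), "mode": m.group(2), "auth_proxy": m.group(3),
            **{k: int(v) for k, v in zip(keys, c.groups())}}

def hits_per_interface(text):
    """Sum the 'hits=' counters per input_ifc in 'show asp table classify domain cxsc'."""
    hits, pending = {}, None
    for line in text.splitlines():
        h = re.search(r"\bhits=(\d+)", line)
        if h:                       # the counter line precedes its input_ifc line
            pending = int(h.group(1))
        i = re.search(r"input_ifc=(\S+),", line)
        if i and pending is not None:
            hits[i.group(1)] = hits.get(i.group(1), 0) + pending
            pending = None
    return hits

def diagnose(sp, hits):
    """Things to rule out before concluding the CX web policy itself is wrong."""
    findings = []
    if sp["status"] != "Up":        # fail-close drops everything while the card is down
        findings.append("card is %s, mode %s: all redirected traffic is dropped" % (sp["status"], sp["mode"]))
    elif sp["input"] > 0 and sp["drop"] == 0 and sp["reset_drop"] == 0:
        findings.append("module sees traffic but drops nothing: the deny policy is not taking effect")
    for ifc, n in hits.items():     # an interface with zero hits is not being redirected at all
        if n == 0:
            findings.append("no packets classified for cxsc on interface %s" % ifc)
    return findings
```

Run against the full outputs above it reports that only the inside interface is matching the redirect and that the module has dropped nothing despite the deny rule, which is the symptom described in the question.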
Resolved it myself by deleting the config and starting again.

Author Closing Comment by: tjwoollard (ID: 39878994)
That is what fixed the issue.