Solved

cisco asa cx module

Posted on 2014-02-05
996 Views
Last Modified: 2014-02-22
I have a Cisco ASA 5525. I have started using the built-in CX module. I can see the traffic passing through it when I use the Cisco Prime Security Manager. However, when I create a policy to deny a web site, e.g. www.bbc.co.uk, it does not stop the traffic. However, when I stop the module from running I cannot get to the WWW, so I know traffic is passing through it OK.

Any ideas?
Question by:tjwoollard
6 Comments
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 39836183
1) Are both the ASA and CX modules configured for normal inline mode, or at least do they match?
2) Did you create/complete the service policy rule > Traffic classification > Rules Action portion also?


Let us know.
 

Author Comment

by:tjwoollard
ID: 39836250
Not sure what you mean there. I have a global policy that makes all the traffic go through the cx module.

policy-map global-policy
 class class-default
  cxsc fail-close
!
service-policy global-policy global

From what I have read, that is all you need to do. The WWW traffic is passing through the CX unit, because if I shut it down I cannot browse the WWW at all.
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 39836297
A few things here:

In PRSM choose to "Edit" that Service Policy rule and verify that under the Traffic classification / Rules Actions section those options are properly populated.
It sounds like you just want to redirect only that traffic (i.e. web) to the CX module.
Also, did you previously have a service policy redirecting that traffic through an IPS module? If so, that service policy would need to be removed. Are you running auth-proxy?

From your output above:
cxsc-fail-close—The packet is dropped because the card is not up and the policy configured was 'fail-close' (rather than 'fail-open' which allows packets through even if the card was down). <== This would account for your scenario in your initial description.



Could you also issue the following commands and return and paste the outputs here:

show service-policy cxsc

show asp table classify domain cxsc

<With the module active:>
show asp drop


Let us know.

Author Comment

by:tjwoollard
ID: 39838342
The ASA unit is straight out of the box, so there were no policies other than the default, which I deleted and replaced with:

policy-map global-policy
 class class-default
  cxsc fail-close
!
service-policy global-policy global

I know the traffic is going through the CX unit, as when I turn it off I cannot get to the WWW.
It seems it is ignoring the policy I have created. Here is what you requested:

asa1# sh service-policy cxsc

Global policy:
  Service-policy: global-policy
    Class-map: class-default
      CXSC: card status Up, mode fail-close, auth-proxy disabled
        packet input 34094, packet output 33641, drop 0, reset-drop 0, proxied 0

asa1# show asp table classify domain cxsc

Input Table
in  id=0x7fff33f9cc90, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9d440, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9dcf0, priority=71, domain=cxsc, deny=false
        hits=759, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9e4a0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9ed50, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33f9f500, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33f9fdb0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=management, output_ifc=any
in  id=0x7fff33fa0560, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=management, output_ifc=any
in  id=0x7fff33f9d050, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9d800, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9e0b0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9e860, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9f110, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33f9f8c0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33fa0170, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=management, output_ifc=any
in  id=0x7fff33fa0920, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=management, output_ifc=any

Output Table:

L2 - Output Table:

L2 - Input Table:


asa1# sh asp drop

Frame drop:
  No route to host (no-route)                                                274
  Flow is denied by configured rule (acl-drop)                              2044
  First TCP packet not SYN (tcp-not-syn)                                       2
  TCP failed 3 way handshake (tcp-3whs-failed)                                36
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                    3
  Slowpath security checks failed (sp-security-failed)                      1997
  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)          1
  FP L2 rule drop (l2_acl)                                                    21
  Interface is down (interface-down)                                       37302

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                            4
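The two outputs above carry the facts that decide where the fault lies: `show service-policy cxsc` reports whether the card is up, which fail mode applies and how many packets the ASA has actually handed to the module, and `show asp table classify domain cxsc` reports per-ingress-interface hit counts for the redirect classifier. The script below is an added example, not code from the thread or from Cisco; it parses those two formats as printed on this page (the field layout is assumed to match this ASA release) and reduces them to findings. The sample text is constructed from an abbreviated copy of the output above, not captured live.

```python
"""Sanity-check ASA CX (cxsc) redirection from 'show' command output.

Added example for this thread, not Cisco code. Assumes the line layouts of
'show service-policy cxsc' and 'show asp table classify domain cxsc' match
the ASA release whose output appears in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, abbreviated from the thread's output (three of the
# sixteen classifier entries are enough to show the per-interface sums).
SERVICE_POLICY = """\
Global policy:
  Service-policy: global-policy
    Class-map: class-default
      CXSC: card status Up, mode fail-close, auth-proxy disabled
        packet input 34094, packet output 33641, drop 0, reset-drop 0, proxied 0
"""

ASP_TABLE = """\
Input Table
in  id=0x7fff33f9cc90, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9dcf0, priority=71, domain=cxsc, deny=false
        hits=759, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9e0b0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=inside, output_ifc=any
"""

SP_RE = re.compile(r"CXSC: card status (\w+), mode (fail-\w+)")
CNT_RE = re.compile(r"packet input (\d+), packet output (\d+), drop (\d+)")
HITS_RE = re.compile(r"\bhits=(\d+)")
IFC_RE = re.compile(r"input_ifc=(\S+?),")


@dataclass
class CxscStatus:
    card_up: bool
    mode: str                # 'fail-close' or 'fail-open'
    packets_in: int          # packets the ASA handed to the module
    packets_out: int
    drops: int
    hits_by_ifc: dict = field(default_factory=dict)


def parse_service_policy(text):
    """Extract card state, fail mode and redirect counters."""
    m, c = SP_RE.search(text), CNT_RE.search(text)
    if not m or not c:
        raise ValueError("no CXSC block in 'show service-policy cxsc' output")
    return CxscStatus(card_up=(m.group(1) == "Up"), mode=m.group(2),
                      packets_in=int(c.group(1)), packets_out=int(c.group(2)),
                      drops=int(c.group(3)))


def parse_asp_hits(text):
    """Sum classifier hits per ingress interface. Each entry prints its
    'hits=' line before its 'input_ifc=' line, so carry the count forward."""
    hits, pending = {}, None
    for line in text.splitlines():
        h = HITS_RE.search(line)
        if h:
            pending = int(h.group(1))
            continue
        i = IFC_RE.search(line)
        if i and pending is not None:
            hits[i.group(1)] = hits.get(i.group(1), 0) + pending
            pending = None
    return hits


def diagnose(sp_text, asp_text):
    """Return (status, findings). Finding tags are this example's own."""
    st = parse_service_policy(sp_text)
    st.hits_by_ifc = parse_asp_hits(asp_text)
    findings = []
    if not st.card_up:
        # fail-close drops matched traffic; fail-open lets it through uninspected
        findings.append("CARD_DOWN_" + st.mode.upper().replace("-", "_"))
    elif st.packets_in == 0 or not any(st.hits_by_ifc.values()):
        findings.append("NO_TRAFFIC_REDIRECTED")   # service-policy not matching
    elif st.drops == 0:
        # ASA is handing traffic over and the module is returning it: a site
        # that stays reachable is a CX-side policy question, not an ASA one
        findings.append("REDIRECT_OK_CHECK_CX_POLICY")
    return st, findings


if __name__ == "__main__":
    status, found = diagnose(SERVICE_POLICY, ASP_TABLE)
    print(status)
    print("findings:", found)
```

On the thread's numbers this reports the card up in fail-close mode, 34094 packets handed to the module with zero drops, and 759 classifier hits on the inside interface, so the redirection itself is healthy and attention belongs on the policy inside PRSM.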
 

Accepted Solution

by:
tjwoollard earned 0 total points
ID: 39866877
Resolved it myself by deleting the config and starting again.
 

Author Closing Comment

by:tjwoollard
ID: 39878994
That is what fixed the issue.
