Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1015
  • Last Modified:

cisco asa cx module

i have an Cisco ASA 5525. I have started using the inbuilt CX module. I can see the traffic passing through it when I use the Cisco Prime Security manager. However when I create a policy to deny a web site eg www.bbc.co.uk. It does not stop the traffic. However when I stop the module from running I can not get to the WWW so I know traffic is passing through it OK.

Any ideas ?
0
tjwoollard
Asked:
tjwoollard
  • 4
  • 2
1 Solution
 
Robert Sutton JrSenior Network ManagerCommented:
1) Are both the ASA and CX modules configured for normal inline mode or at least do they match?
2) Did you create/complete the service policy rule>Traffic classification>and Rules Action portion also?


Let us know.
0
 
tjwoollardAuthor Commented:
Not sure what you mean there. I have a global policy that makes all the traffic go through the cx module.

policy-map global-policy
 class class-default
  cxsc fail-close
!
service-policy global-policy global

From what I have read that is all you need to do. The www traffic is passing through the CX unit because if I shut it down I cannot browse the WWW at all.
0
 
Robert Sutton JrSenior Network ManagerCommented:
A few things here:

In PRSM choose to "Edit" that Service Policy rule and verify that under the Traffic classification/Rules Actions section that those options are properly populated.
It sounds like you just want to redirect only that traffic (IE:web) to the CX module.
Also, did you previously have a service policy redirecting that traffic through an IPS module? Is so, that service policy would need to be removed. Are you running auth-proxy?

From your output above:
cxsc-fail-close—The packet is dropped because the card is not up and the policy configured was 'fail-close' (rather than 'fail-open' which allows packets through even if the card was down). <== This would account for your scenario in your initial description.



Could you also issue the following commands and return and paste the outputs here:

show service-policy cxsc

show asp table classify domain cxsc

<With the module active:>
show asp drop


Let us know.
0
NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

 
tjwoollardAuthor Commented:
the asa unit is straight out of the box so there were no policies other than the default which I deleted and replaced with :-

policy-map global-policy
 class class-default
  cxsc fail-close
!
service-policy global-policy global

I know the traffic is going through the CX unit as when I turn it off I can not get to the WWW.
It seems it is ignoring the policy i have created. here is what you you requested :-

asa1# sh service-policy cxsc

Global policy:
  Service-policy: global-policy
    Class-map: class-default
      CXSC: card status Up, mode fail-close, auth-proxy disabled
        packet input 34094, packet output 33641, drop 0, reset-drop 0, proxied 0

show asp table classify domain cxsc

Input Table
in  id=0x7fff33f9cc90, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9d440, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9dcf0, priority=71, domain=cxsc, deny=false
        hits=759, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9e4a0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9ed50, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33f9f500, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33f9fdb0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=management, output_ifc=any
in  id=0x7fff33fa0560, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=management, output_ifc=any
in  id=0x7fff33f9d050, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9d800, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9e0b0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9e860, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9f110, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33f9f8c0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33fa0170, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=management, output_ifc=any
in  id=0x7fff33fa0920, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=management, output_ifc=any

Output Table:

L2 - Output Table:

L2 - Input Table:


asa1# sh asp drop

Frame drop:
  No route to host (no-route)                                                274
  Flow is denied by configured rule (acl-drop)                              2044
  First TCP packet not SYN (tcp-not-syn)                                       2
  TCP failed 3 way handshake (tcp-3whs-failed)                                36
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                    3
  Slowpath security checks failed (sp-security-failed)                      1997
  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)          1
  FP L2 rule drop (l2_acl)                                                    21
  Interface is down (interface-down)                                       37302

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                            4
0
 
tjwoollardAuthor Commented:
resolved it myself but deleting the config and starting again,
0
 
tjwoollardAuthor Commented:
that it what fixed the issue.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now