Solved

cisco asa cx module

Posted on 2014-02-05
6
944 Views
Last Modified: 2014-02-22
I have a Cisco ASA 5525. I have started using the inbuilt CX module. I can see the traffic passing through it when I use the Cisco Prime Security Manager. However, when I create a policy to deny a web site, e.g. www.bbc.co.uk, it does not stop the traffic. However, when I stop the module from running I cannot get to the WWW, so I know traffic is passing through it OK.

Any ideas?
0
Comment
Question by:tjwoollard
  • 4
  • 2
6 Comments
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 39836183
1) Are both the ASA and CX modules configured for normal inline mode or at least do they match?
2) Did you create/complete the service policy rule>Traffic classification>and Rules Action portion also?


Let us know.
0
 

Author Comment

by:tjwoollard
ID: 39836250
Not sure what you mean there. I have a global policy that makes all the traffic go through the CX module.

policy-map global-policy
 class class-default
  cxsc fail-close
!
service-policy global-policy global

From what I have read that is all you need to do. The www traffic is passing through the CX unit because if I shut it down I cannot browse the WWW at all.
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 39836297
A few things here:

In PRSM choose to "Edit" that Service Policy rule and verify that under the Traffic classification/Rules Actions section that those options are properly populated.
It sounds like you just want to redirect only that traffic (i.e. web) to the CX module.
Also, did you previously have a service policy redirecting that traffic through an IPS module? If so, that service policy would need to be removed. Are you running auth-proxy?

From your output above:
cxsc-fail-close—The packet is dropped because the card is not up and the policy configured was 'fail-close' (rather than 'fail-open' which allows packets through even if the card was down). <== This would account for your scenario in your initial description.



Could you also issue the following commands and return and paste the outputs here:

show service-policy cxsc

show asp table classify domain cxsc

<With the module active:>
show asp drop


Let us know.
0
 

Author Comment

by:tjwoollard
ID: 39838342
The ASA unit is straight out of the box, so there were no policies other than the default, which I deleted and replaced with:

policy-map global-policy
 class class-default
  cxsc fail-close
!
service-policy global-policy global

I know the traffic is going through the CX unit, as when I turn it off I cannot get to the WWW.
It seems it is ignoring the policy I have created. Here is what you requested:

asa1# sh service-policy cxsc

Global policy:
  Service-policy: global-policy
    Class-map: class-default
      CXSC: card status Up, mode fail-close, auth-proxy disabled
        packet input 34094, packet output 33641, drop 0, reset-drop 0, proxied 0

show asp table classify domain cxsc

Input Table
in  id=0x7fff33f9cc90, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9d440, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9dcf0, priority=71, domain=cxsc, deny=false
        hits=759, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9e4a0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9ed50, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33f9f500, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33f9fdb0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=management, output_ifc=any
in  id=0x7fff33fa0560, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=management, output_ifc=any
in  id=0x7fff33f9d050, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9d800, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9e0b0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9e860, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9f110, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33f9f8c0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33fa0170, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=management, output_ifc=any
in  id=0x7fff33fa0920, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=management, output_ifc=any

Output Table:

L2 - Output Table:

L2 - Input Table:


asa1# sh asp drop

Frame drop:
  No route to host (no-route)                                                274
  Flow is denied by configured rule (acl-drop)                              2044
  First TCP packet not SYN (tcp-not-syn)                                       2
  TCP failed 3 way handshake (tcp-3whs-failed)                                36
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                    3
  Slowpath security checks failed (sp-security-failed)                      1997
  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)          1
  FP L2 rule drop (l2_acl)                                                    21
  Interface is down (interface-down)                                       37302

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                            4
0
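As an added illustration of the troubleshooting steps above (not code from the thread or from Cisco): this parser reads the two outputs the expert asked for and reports whether the ASA is actually redirecting traffic to the card, whether a down card would drop or pass traffic under the configured fail mode, and whether the card is receiving packets without dropping any, which is the case shown in the posted output. The sample text is constructed from the outputs posted above, abbreviated.

```python
import re
# Constructed sample, abbreviated from the outputs posted above in this thread.
SERVICE_POLICY = """Global policy:
  Service-policy: global-policy
    Class-map: class-default
      CXSC: card status Up, mode fail-close, auth-proxy disabled
        packet input 34094, packet output 33641, drop 0, reset-drop 0, proxied 0
"""
CLASSIFY = """in  id=0x7fff33f9cc90, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9dcf0, priority=71, domain=cxsc, deny=false
        hits=759, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        input_ifc=inside, output_ifc=any
"""
CXSC_RE = re.compile(r"CXSC: card status (\w+), mode ([\w-]+), auth-proxy (\w+)")
COUNTER_RE = re.compile(r"packet input (\d+), packet output (\d+), drop (\d+)")

def parse_service_policy(text):
    """Card state and redirect counters from 'show service-policy cxsc'."""
    m, c = CXSC_RE.search(text), COUNTER_RE.search(text)
    if not m or not c:
        raise ValueError("no CXSC line: is 'cxsc' configured in the policy-map?")
    return {"status": m.group(1), "mode": m.group(2), "auth_proxy": m.group(3),
            "input": int(c.group(1)), "output": int(c.group(2)), "drop": int(c.group(3))}

def classify_hits_by_ifc(text):
    """Sum classifier hits per input interface from 'show asp table classify domain cxsc'."""
    hits, pending = {}, None
    for line in text.splitlines():
        h = re.search(r"hits=(\d+)", line)
        ifc = re.search(r"input_ifc=(\w+)", line)
        if h:                       # the hits line precedes its input_ifc line
            pending = int(h.group(1))
        elif ifc and pending is not None:
            hits[ifc.group(1)] = hits.get(ifc.group(1), 0) + pending
            pending = None
    return hits

def assess(sp, hits):
    """Findings in the spirit of the thread: is traffic really reaching the card?"""
    findings = []
    if sp["status"] != "Up":
        effect = "dropped" if sp["mode"] == "fail-close" else "passed uninspected"
        findings.append("card not Up: with mode %s traffic is %s" % (sp["mode"], effect))
    active = sorted(i for i, h in hits.items() if h > 0)
    if active:
        findings.append("redirect classifier hit on: " + ", ".join(active))
    if sp["status"] == "Up" and sp["input"] > 0 and sp["drop"] == 0:
        findings.append("card receives packets but drops none: review the CX access policy in PRSM")
    return findings
```

Run `assess(parse_service_policy(SERVICE_POLICY), classify_hits_by_ifc(CLASSIFY))` against your own outputs; a "card not Up" finding with fail-close explains a total web outage, while "drops none" with packets flowing points at the CX policy rather than the ASA service-policy.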
 

Accepted Solution

by:tjwoollard earned 0 total points
ID: 39866877
Resolved it myself by deleting the config and starting again.
0
 

Author Closing Comment

by:tjwoollard
ID: 39878994
That is what fixed the issue.
0
