Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

cisco asa cx module

Posted on 2014-02-05
6
Medium Priority
?
987 Views
Last Modified: 2014-02-22
i have an Cisco ASA 5525. I have started using the inbuilt CX module. I can see the traffic passing through it when I use the Cisco Prime Security manager. However when I create a policy to deny a web site eg www.bbc.co.uk. It does not stop the traffic. However when I stop the module from running I can not get to the WWW so I know traffic is passing through it OK.

Any ideas ?
0
Comment
Question by:tjwoollard
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 39836183
1) Are both the ASA and CX modules configured for normal inline mode or at least do they match?
2) Did you create/complete the service policy rule>Traffic classification>and Rules Action portion also?


Let us know.
0
 

Author Comment

by:tjwoollard
ID: 39836250
Not sure what you mean there. I have a global policy that makes all the traffic go through the cx module.

policy-map global-policy
 class class-default
  cxsc fail-close
!
service-policy global-policy global

From what I have read that is all you need to do. The www traffic is passing through the CX unit because if I shut it down I cannot browse the WWW at all.
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 39836297
A few things here:

In PRSM choose to "Edit" that Service Policy rule and verify that under the Traffic classification/Rules Actions section that those options are properly populated.
It sounds like you just want to redirect only that traffic (IE:web) to the CX module.
Also, did you previously have a service policy redirecting that traffic through an IPS module? Is so, that service policy would need to be removed. Are you running auth-proxy?

From your output above:
cxsc-fail-close—The packet is dropped because the card is not up and the policy configured was 'fail-close' (rather than 'fail-open' which allows packets through even if the card was down). <== This would account for your scenario in your initial description.



Could you also issue the following commands and return and paste the outputs here:

show service-policy cxsc

show asp table classify domain cxsc

<With the module active:>
show asp drop


Let us know.
0
Take our survey for a chance to win!

As a valued customer of Targus, we’d like to ask you a few questions about us. As thanks, you will be automatically entered for a chance to win a $500 VISA gift card. To enter, just complete the survey by September 15, 2017.

 

Author Comment

by:tjwoollard
ID: 39838342
the asa unit is straight out of the box so there were no policies other than the default which I deleted and replaced with :-

policy-map global-policy
 class class-default
  cxsc fail-close
!
service-policy global-policy global

I know the traffic is going through the CX unit as when I turn it off I can not get to the WWW.
It seems it is ignoring the policy i have created. here is what you you requested :-

asa1# sh service-policy cxsc

Global policy:
  Service-policy: global-policy
    Class-map: class-default
      CXSC: card status Up, mode fail-close, auth-proxy disabled
        packet input 34094, packet output 33641, drop 0, reset-drop 0, proxied 0

show asp table classify domain cxsc

Input Table
in  id=0x7fff33f9cc90, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9d440, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9dcf0, priority=71, domain=cxsc, deny=false
        hits=759, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9e4a0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9ed50, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33f9f500, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33f9fdb0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=management, output_ifc=any
in  id=0x7fff33fa0560, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x10000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0 dscp=0x0
        input_ifc=management, output_ifc=any
in  id=0x7fff33f9d050, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9d800, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=outside, output_ifc=any
in  id=0x7fff33f9e0b0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9e860, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=inside, output_ifc=any
in  id=0x7fff33f9f110, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33f9f8c0, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=homesvpn, output_ifc=any
in  id=0x7fff33fa0170, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=::/0, port=0, tag=0
        input_ifc=management, output_ifc=any
in  id=0x7fff33fa0920, priority=71, domain=cxsc, deny=false
        hits=0, user_data=0x7fff33f9ae30, cs_id=0x0, use_real_addr, flags=0x20000, protocol=0
        src ip/id=::/0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        input_ifc=management, output_ifc=any

Output Table:

L2 - Output Table:

L2 - Input Table:


asa1# sh asp drop

Frame drop:
  No route to host (no-route)                                                274
  Flow is denied by configured rule (acl-drop)                              2044
  First TCP packet not SYN (tcp-not-syn)                                       2
  TCP failed 3 way handshake (tcp-3whs-failed)                                36
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                    3
  Slowpath security checks failed (sp-security-failed)                      1997
  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)          1
  FP L2 rule drop (l2_acl)                                                    21
  Interface is down (interface-down)                                       37302

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                            4
0
 

Accepted Solution

by:
tjwoollard earned 0 total points
ID: 39866877
resolved it myself but deleting the config and starting again,
0
 

Author Closing Comment

by:tjwoollard
ID: 39878994
that it what fixed the issue.
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So, you're experiencing issues on your network and you've decided that you need to perform some tests to determine whether your cabling is good.  You're likely thinking that you may need to spend money which you probably don't have on hiring/purchas…
#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question