Solved

pix v asa

Posted on 2014-02-27
9
375 Views
Last Modified: 2014-03-24
i am in the process of changing a pix firewall to an asa5525. i have configured the asa with an inside interface an a outside interface. I have also configured the CX module. i configured an ip address on the inside interface and simply plugged it into the switch stack(cisco) expecting to do some testing. However as soon as I did that the users complained about no internet access which is via a MS TMG server as a proxyserver. And they were right the ASA stopped the the TMG from passsing any traffic and it seemed to be trying to route the TCP packets itself. I stopped this behaviour by turning off the cx module. There was also some other weird things happening eg no users could print via the MS printserver. I have had to dis-connect the ASA now but I am not able to explain this effect. I did make sure the IP address was unique on the network so it is not an address issue.
0
Comment
Question by:tjwoollard
  • 5
  • 4
9 Comments
 
LVL 61

Expert Comment

by:btan
ID: 39894930
probably is to do some troubleshooting too and looking at this guide (pdf)for CX. Note there is configuration step and can set Monitor mode such that policy in place does not drop traffic e.g.

(pg 3)
For testing purposes, you can configure the ASA to send a duplicate stream of
read-only traffic to the ASA CX module, so you can see how the module inspects the traffic without affecting the ASA traffic flow. In this mode, the ASA CX module inspects the traffic as usual, makes policy decisions, and generates events. However, because the packets are read-only copies, the module actions do not affect the actual traffic.


To enable ASA CX debugging, enter the following command:
debug cxsc [error | event | message] - Enables debugs at error, event, or message level.

(pg 31-32) Problems with the Authentication Proxy

If you are having a problem using the authentication proxy feature, follow these steps to troubleshoot your configuration and connections:
1. Check your configurations.
• On the ASA, check the output of the show asp table classify domain cxsc-auth-proxy command and make sure there are rules installed and that they are correct.
• In PRSM, ensure the directory realm is created with the correct credentials and test the connection to make sure you can reach the authentication server; also ensure that a policy object or objects are configured for authentication.
2. Check the output of the show service-policy cxsc command to see if any packets were proxied.
3. Perform a packet capture on the backplane, and check to see if traffic is being redirected on the correct configured port. See the “Capturing Module Traffic” section on page 28-30. You can check the configured port using the show running-config cxsc command or the show asp table classify domain cxsc-auth-proxy command.

If you have a connection between hosts on two ASA interfaces, and the ASA CX service policy is only configured for one of the interfaces, then all traffic between these hosts is sent to the ASA CX module, including traffic originating on the non-ASA CX interface (the feature is bidirectional). However, the ASA only performs the authentication proxy on the interface to which the service policy is applied, because this feature is ingress-only.

In this case, you may want to check the port used by TMG to ASA CX as compared to past TMG to PIX

Example 28-1 Make sure port 2000 is used consistently:

1. Check the authentication proxy port:
ciscoasa# show running-config cxsc
cxsc auth-proxy port 2000

2. Check the authentication proxy rules:
ciscoasa# show asp table classify domain cxsc-auth-proxy
Input Table
in id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.0.100, mask=255.255.255.255, port=2000, dscp=0x0
input_ifc=inside, output_ifc=identity

3. In the packet captures, the redirect request should be going to destination port 2000.
0
 

Author Comment

by:tjwoollard
ID: 39923017
Hi there,

Sorry for not comming back on this but it seems the problem is a lot worse that I thought.
I have 2 ASA devices configured in fail-over active/passive mode. It is to replace a 2 PIX firewall device running in active/passive mode. I have recently plugged the ASA device into the Cisco switch stack. Th PIX is still plugged in but the ASA is on a different IP address.
There is a MS TMG server which comprises of 2 servers running in NLB mode. Also we have 2 MS Exchange CAS servers running in NLB mode. About 20 minutes after plugging in the ASA device these server stop responding. The respond to a PING but not at the application level. I did not make the ASA the default router for any device on the network but they seem to be doing something weird to the servers but there are no reported errors on any device. Any ideas ?
0
 
LVL 61

Expert Comment

by:btan
ID: 39923323
That is really strange.

a-So if the ASA FW are not powered on yet and plugged in, will the effect still occurred?
b-If the powered ASA FW is unplugged, will the servers go revert back to work properly as intended?  

pretty tough to isolate but if static route is configured such that IP segment or VLAN for ASA FW is denied to access any routes to the existing servers and PIX, I dont see how it can create that effect. there may be some static routing that ASA FW is able to traffic out? or assume PIX FW ip due to ARP causing MAC confusion...
0
 

Author Comment

by:tjwoollard
ID: 39923360
well it is the weirdest thing i have ever seen. if you unplug the ASA the problem disappears. If the interface is shutdown the problem does not occur. I have removed the static routes i had installed a and re-booted several times. Is it that the PIX is plugged into the same network ?. When I observe the ASA through ASDM it appears to be passing or at least monitoring traffic even though no devices a configured to use it. It is as if there is CDP configured and it is discovering the network. I am aware that CDP is not installed on ASA devices.
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 61

Expert Comment

by:btan
ID: 39923376
ASA should not be placed inline at all for a start and I supposed you shouldnt have PIX and ASA all at one switch. unplugging PIX may confused routes since PIX is likely the default gateway to each segments, the bouncer is controlling the traffic and PIX is the suspect. Maybe unplug PIX and see if the server behaviour for a while, plug in ASA FW to observe server, unplug ASA and observe server and plug in PIX FW. No change to any routes
0
 

Accepted Solution

by:
tjwoollard earned 0 total points
ID: 39939278
It has now become clear that you cannot have a PIX fire wall on the same subnet as a ASA device. They do not get along that well and so the only solution is to switch the PIX off when installing the ASA as we have now tested at our Office.
0
 
LVL 61

Expert Comment

by:btan
ID: 39939279
thanks for sharing but just want to check if the suggestion from posting has assisted in any way?
0
 

Author Closing Comment

by:tjwoollard
ID: 39949781
There is nothing wrong with the config or the device it is just that a PIX firewall can not be on the same network an an ASA device.
0
 
LVL 61

Expert Comment

by:btan
ID: 39950136
thanks and well received. As per last isolation testing stated to isolate them to verify if it work, have thought that helped though.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

In every aspect, security is essential for your business, and for that matter you need to always keep an eye on it. The same can be said about your computer network system too. Your computer network is prone to various malware and security threats t…
We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now