Summer Webinar Series: Troubleshooting Traffic Flows Through Cisco ASA Firewalls
Christopher Rose, Sr. Client Network Engineer, crose@mcnc.org
Webinar links: www.mcnc.org/cne-webinars

Agenda
1. Firewall best practices
2. ASA monitoring/administration tools
3. Typical traffic troubleshooting scenario
4. Performing packet traces to check for issues
5. Performing packet captures to help resolve issues
6. Where to go for information; MCNC Support
7. Q&A
8/11/16

Prerequisites
- You will need administrative access to your ASA in order to perform some of these functions.

Firewall Best Practices
Security zoning related:
- Use a DMZ if possible for public servers (web, FTP).
- Use AnyConnect VPN where possible in lieu of direct remote outside access to internal hosts.
Ruleset related:
- Be as specific as possible; avoid any/any.
- Allow only essential services in to the internal zones (ingress filtering) and essential services out to the Internet (egress filtering).
- Document rules for later review.
- Use good naming conventions and comments.
- Group network objects and ports.
- Perform regular housekeeping, including periodic rule review and removal of unused rules.
Monitoring related:
- Log events as necessary.
- Monitor load for capacity planning purposes.
- Use the firewall to troubleshoot network issues.

ASA Monitoring/Administration Tools
- ASDM: GUI tool for administering and monitoring the firewall.
  - Packet Tracer
  - Packet Capture Wizard
  - Syslog viewer
  - Ping
  - Traceroute
- SSH: command-line tool for administering and monitoring the firewall.
  - show commands
  - debug commands
  - Ping
  - Traceroute
- Syslog server: not absolutely necessary but very nice to have. Keeps a log of everything that happens on the firewall.

Typical Traffic Troubleshooting Scenario

Some Cautions About Using Ping and Traceroute as Troubleshooting Tools
- Not all devices in the network path will reply to ICMP protocol requests.
- Traceroute works differently on different operating systems: Windows uses ICMP, Unix generally uses UDP.
- Information from these two tools is useful, but packet captures and logs are the gold standard for verifying connectivity.

Simplified Traffic Flow Through an ASA
- Ingress interface access list
- Address translation
- Route

Troubleshooting Network Traffic Flow Through an ASA
1. Establish that traffic is getting to the ASA from the client. (Ping, Packet Capture, Syslog Viewer)
2. Check that the traffic is not blocked on the ingress interface by an ACL. (Packet Tracer, Syslog)
3. Check that there is a valid NAT rule to translate from a private to a public IP address. (Packet Tracer, Syslog)
4. Check that there is a valid route for the source and destination traffic in the ASA routing table. (Packet Tracer, Syslog)
5. Establish that correctly translated traffic is leaving the outside interface. (Packet Capture, Syslog)
6. Establish that traffic is reaching the intended server. (You may need support at the server end to verify this.)
7. Establish that return traffic from the server is coming back to the ASA outside interface. (Packet Capture, Syslog)
8. Establish that return traffic is making it back through the ASA and egressing the inside interface. (Packet Capture, Syslog)

Performing Packet Captures to Check for Issues
- The ASA has a GUI packet capture wizard to help the user properly configure the ASA for a packet capture and to get the capture downloaded off the firewall for analysis.
- Packet captures can be done at the command line, but they are more complicated to perform.
- Packet captures can be customized to capture only the traffic you need. All captures are stored on the local file system of the ASA. The flash storage space is limited, so try to avoid capturing too much traffic.

Packet Capture Wizard Demo

Performing Packet Traces to Check for Issues
- Packet Tracer is a tool that simulates the flow of a packet through the ASA processing chain and reports back on how the ASA would handle the packet.
- Available in the ASDM GUI and at the command line.
- You will need to know the numerical ICMP message and reply types if you packet-trace ICMP through the firewall.

Packet Tracer Demo

Using Syslog Messages for Troubleshooting
- If you have a syslog server configured and collecting, you can use it to review syslog messages.
- Set the logging level to debugging to get the most detail when troubleshooting. Keeping this level during normal operations is not recommended, for performance and log-size reasons.
- ASDM has a GUI syslog viewer you can use in troubleshooting sessions.
- Using syslog at the command line is usually not helpful because of the small memory buffer and how quickly messages scroll by.

ASDM Syslog Viewer Demo

Putting It All Together
1. Establish that traffic is getting to the ASA from the client. Perform a packet capture at the firewall on the inside interface. If you see the packets, then you know they are getting there.
2. Use the Packet Tracer tool in ASDM to check whether the traffic is allowed by the current firewall configuration. This will show problems with ACLs, translations, and routes in the configuration.
3. Perform a packet capture on the outside interface. Establish that correctly translated traffic is leaving the outside interface and headed to the correct Internet address.
4. Establish that traffic is reaching the intended server. (You may need support at the server end to verify this.)
5. Perform a packet capture on the outside interface. Look for return traffic from the server coming back to the ASA outside interface. If you see TCP resets or ICMP error codes, it is probably a server-side problem (firewall on the server side, wrong host, etc.).
6. Perform a packet capture on the inside interface. Establish that return traffic is making it back through the ASA and egressing the inside interface. If you see it getting this far but it is not making it to the person with the reported issue, chances are it is a problem on your internal network.
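As an added example (not part of the webinar's material), the syslog review and the checklist above can be combined: the script below maps standard ASA syslog message IDs to the checklist step they speak to and reports the earliest failing step for one client IP. The mapping of IDs to steps is this example's own assumption, and the sample messages are constructed in the documented ASA formats.

```python
import re

# Cisco ASA syslog header: "%ASA-<severity>-<message id>: <text>"
HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)")
# "<interface>:<ip>/<port>" tokens in the message text; group 1 is the IP
ENDPOINT = re.compile(r"\b[\w-]+:(\d{1,3}(?:\.\d{1,3}){3})/\d+")

# Standard ASA message IDs mapped to the checklist step they speak to, whether
# they signal a problem, and a note. The mapping is this example's assumption.
KNOWN = {
    "106023": (2, True,  "denied by the ingress access list"),
    "305006": (3, True,  "NAT translation could not be created"),
    "305011": (3, False, "dynamic NAT translation built"),
    "110003": (4, True,  "routing failed to locate a next hop"),
    "302013": (5, False, "TCP connection built (ACL, NAT and route passed)"),
}

# Constructed sample messages in the documented ASA formats (RFC 5737 addresses).
SAMPLE = [
    '%ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.5/51000 '
    'to outside:198.51.100.1/51000',
    '%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/443 '
    '(203.0.113.10/443) to inside:10.1.1.5/51000 (198.51.100.1/51000)',
    '%ASA-4-106023: Deny tcp src inside:10.1.1.7/51002 dst outside:203.0.113.10/443 '
    'by access-group "inside_access_in" [0x0, 0x0]',
    '%ASA-6-110003: Routing failed to locate next hop for TCP from '
    'inside:10.1.1.9/51003 to outside:203.0.113.10/443',
]

def classify(line):
    """Return (step, is_problem, note, msgid) for a known message, else None."""
    m = HEADER.search(line)
    if not m or m.group("msgid") not in KNOWN:
        return None
    step, problem, note = KNOWN[m.group("msgid")]
    return step, problem, note, m.group("msgid")

def triage(lines, client_ip):
    """Earliest failing checklist step for one client as (step, note), or None."""
    problems = []
    for line in lines:
        if client_ip in ENDPOINT.findall(line):  # only this client's flows
            c = classify(line)
            if c and c[1]:
                problems.append((c[0], c[2]))
    return min(problems) if problems else None
```

Calling `triage(SAMPLE, "10.1.1.7")` points at step 2 (ACL), `triage(SAMPLE, "10.1.1.9")` at step 4 (route), and `triage(SAMPLE, "10.1.1.5")` returns None, which means the log shows nothing wrong on the ASA and the packet captures in steps 3 to 6 are the next place to look.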

Where to Go for Additional Information or Support
- Cisco Support Community: https://supportforums.cisco.com/
- ICMP packet types: http://www.nthelp.com/icmp.html

Questions?
- Christopher Rose
- crose@mcnc.org
- (919) 248-1811

Your Feedback Is Important!
- Please provide feedback so we can improve future webinars!
- https://www.mcnc.org/events/training/cnesummer-webinars2016
