In order to create a port-channel between an ASA 5520 and a 4948 I needed to upgrade the ASA software. The process is very simple, to say the least; for some reason I expected it to be difficult. The process I followed is below.
1. Confirm the feature set you are looking for is supported in the new code and look for any new potential gotchas in the release notes: the supported upgrade path from your current version, the minimum memory and flash the new release needs, and any configuration migration it performs on first boot. For a jump like 8.2 to 9.1 the two big ones are the 8.3 NAT and access-list changes (ACLs use real addresses and the NAT configuration is rewritten automatically at boot, so review the migrated config) and the larger memory requirement of 8.3 and later (2 GB on the 5520; check the installed RAM with show version before you start). It is customary to request a bug scrub from Cisco before deploying any new code.
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/asa_91_general_config.html
2. Download the code from the Cisco portal.
3. Confirm you have enough space for the new code with the dir command. The last line of its output gives the total and free bytes on disk0:; compare the free figure with the size of the image you downloaded, and leave some headroom, because the box also writes config backups and crash information to flash.
Cisco-ASA5520-01# dir
Directory of disk0:/
129 -rwx 16275456 06:03:42 Jan 30 2011 asa821-k8.bin
130 -rwx 11348300 09:15:52 Jan 30 2011 asdm-621.bin
6 drwx 4096 00:03:46 Jan 01 2003 log
13 drwx 4096 00:03:54 Jan 01 2003 crypto_archive
14 drwx 4096 00:04:28 Jan 01 2003 coredumpinfo
132 -rwx 12105313 09:13:20 Jan 30 2011 csd_3.5.841-k9.pkg
133 drwx 4096 09:13:24 Jan 30 2011 sdesktop
134 -rwx 2857568 09:13:26 Jan 30 2011 anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
135 -rwx 3203909 09:13:26 Jan 30 2011 anyconnect-win-2.4.1012-k9.pkg
136 -rwx 4832344 09:13:28 Jan 30 2011 anyconnect-macosx-i386-2.4.1012-k9.pkg
137 -rwx 5209423 09:13:30 Jan 30 2011 anyconnect-linux-2.4.1012-k9.pkg
118 -rwx 3080 13:40:55 Dec 05 2012 8_2_1_0_startup_cfg.sav
255582208 bytes total (170237952 bytes free)
4. Upload the code onto the device via TFTP with copy tftp: disk0: (or copy tftp://<server>/<file> disk0:/<file>). You will be prompted for the IP address of the TFTP server, the source file name, and the destination file name; press Enter to keep the name, I never change it. Then confirm the image's MD5 against the hash shown on the Cisco download page with verify /md5 disk0:/asa911-k8.bin. TFTP gives you no integrity protection at all, so this comparison is the only thing that tells you the file on flash was neither truncated nor altered on the way there.
5. Change your boot statement and confirm it took. I always like to set up two statements so that, if there is any issue with the new image, the box falls back to the old one; the ASA tries the boot system entries in the order they are configured, so the new image goes first and the one you are running now second.
configure terminal
boot system disk0:/asa911-k8.bin
boot system disk0:/asa821-k8.bin
end
!
write memory
!
Cisco-ASA5520-01# show bootvar
BOOT variable = disk0:/asa911-k8.bin;disk0:/asa821-k8.bin
Current BOOT variable = disk0:/asa911-k8.bin;disk0:/asa821-k8.bin;disk0:/end
CONFIG_FILE variable =
Current CONFIG_FILE variable =
6. Save your configuration (write memory) and reload the device with the reload command.
7. Confirm your new code is running with the show version command.
Cisco-ASA5520-01# show version
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 6.2(1)
Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"
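Added example, not code from the original post: a pre-upgrade check that reproduces steps 3 to 5 above. It parses the dir output shown earlier, checks that the image fits with a margin to spare, compares the MD5 of the downloaded image with the published value in constant time, and only then emits the two boot statements, refusing to reference an image that is not on flash. The image bytes and the "published" hash are constructed stand-ins (the real value comes from the Cisco download page), and the 16 MB margin is an assumption.

```python
"""Pre-upgrade checks for an ASA software image: flash space, image hash,
boot order. Added example, not code from the original post. The `dir` text
is from the post; the image and its "published" MD5 are constructed
stand-ins for the real file and the hash on the Cisco download page."""
import hashlib
import hmac
import re

# `dir` output from the post; the summary line is what the space check needs.
DIR_OUTPUT = """Directory of disk0:/
129 -rwx 16275456 06:03:42 Jan 30 2011 asa821-k8.bin
130 -rwx 11348300 09:15:52 Jan 30 2011 asdm-621.bin
6 drwx 4096 00:03:46 Jan 01 2003 log
118 -rwx 3080 13:40:55 Dec 05 2012 8_2_1_0_startup_cfg.sav
255582208 bytes total (170237952 bytes free)
"""

# Constructed stand-in for asa911-k8.bin; its hash plays the role of the value
# you would read off the Cisco download page.
STANDIN_IMAGE = b"ASA 9.1(1) stand-in image\n" * 4096
STANDIN_MD5 = hashlib.md5(STANDIN_IMAGE).hexdigest()

FREE_RE = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")
FILE_RE = re.compile(r"^\s*\d+\s+-rwx\s+(\d+)\s+.*\s(\S+)$", re.M)


def flash_free_bytes(dir_output):
    """Free bytes reported on the summary line of `dir`."""
    m = FREE_RE.search(dir_output)
    if m is None:
        raise ValueError("no 'bytes free' summary line in dir output")
    return int(m.group(2))


def flash_files(dir_output):
    """Regular files (-rwx) on flash, name -> size; directories are skipped."""
    return {name: int(size) for size, name in FILE_RE.findall(dir_output)}


def has_room(dir_output, image_size, margin=16 << 20):
    """True if the image fits and `margin` bytes (assumed 16 MB) stay free."""
    return flash_free_bytes(dir_output) - image_size >= margin


def image_matches(image, published_md5):
    """Compare the MD5 of the bytes you have with the published hash. TFTP has
    no integrity protection, so this is what tells you the image was neither
    truncated nor altered in transit. Constant-time compare by habit."""
    actual = hashlib.md5(image).hexdigest()
    return hmac.compare_digest(actual, published_md5.strip().lower())


def boot_statements(new_image, fallback_image, files):
    """Boot statements in the order the ASA tries them: new image first, the
    image running now second as the fallback. Refuse to reference a file
    that is not on disk0:."""
    for img in (new_image, fallback_image):
        if img not in files:
            raise ValueError(f"{img} is not on disk0:")
    return [f"boot system disk0:/{new_image}",
            f"boot system disk0:/{fallback_image}"]


def preflight(dir_output, image_name, image, published_md5, fallback_image):
    """Run the checks behind steps 3-5 of the post and return the findings.
    Boot statements are only produced when both space and hash checks pass."""
    files = flash_files(dir_output)
    space_ok = has_room(dir_output, len(image))
    hash_ok = image_matches(image, published_md5)
    files[image_name] = len(image)  # state of flash after the copy
    boot = boot_statements(image_name, fallback_image, files) if space_ok and hash_ok else []
    return {"space_ok": space_ok, "hash_ok": hash_ok, "boot": boot}


if __name__ == "__main__":
    tampered = STANDIN_IMAGE[:-1] + b"X"  # one flipped byte fails the check
    print(preflight(DIR_OUTPUT, "asa911-k8.bin", STANDIN_IMAGE, STANDIN_MD5, "asa821-k8.bin"))
    print(preflight(DIR_OUTPUT, "asa911-k8.bin", tampered, STANDIN_MD5, "asa821-k8.bin"))
```

Run the hash check on the file you downloaded before the copy, then repeat it on the box afterwards with verify /md5 disk0:/asa911-k8.bin; both results must equal the value on the download page.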
Wednesday, December 5, 2012
Saturday, December 1, 2012
Cisco ASA Oversubscription - Maximizing Throughput (ASA 5550) Part 1
This week I ran into an oversubscription issue on an ASA 5550. To alleviate it we followed the Cisco recommendations below; I am including some of the conditions I saw before the change. The keyword is alleviate: depending on your traffic rates you might resolve the problem going this route, while in other cases you would have to add a second pair of firewalls to segregate traffic or move to 10 Gb. The best way to determine which is to place a sniffer between the ASA and the switch and drill down as close to the microsecond as you can, to see the microbursts on the line and the data-rate patterns; the show traffic profile below is a one-minute average and hides them.
Per Cisco:
Maximizing Throughput (ASA 5550)
The ASA 5550 has two internal buses providing copper Gigabit Ethernet and fiber Gigabit Ethernet connectivity. For Slot 1 (Bus 1), you can use either the copper ports or the fiber ports. The copper ports are enabled by default.
For maximum throughput, configure the ASA so that traffic is distributed equally between the two buses. Lay out the network so that traffic enters through one bus and exits through the other.
For example, the following figure shows the ASA configured so that traffic from the unsecure network and the secure network is evenly distributed between Bus 0 and Bus 1. Traffic from hosts on the secured network flows through interface 0/0 on Bus 0 to hosts on the unsecured network. Traffic from hosts on the unsecured network flows through interface 1/0 on Bus 1 to hosts on the secured network.
http://www.cisco.com/en/US/docs/security/asa/quick_start/5500/5500_quick_start.html#wp35995
On the ASA you can issue the show traffic command, and near the end of the output you will see the per-slot profile below. Ideally you want this to be balanced. In this case both of the oversubscribed interfaces were on Slot 0.
----------------------------------------
Per Slot Throughput Profile (1 minute)
----------------------------------------
Packets-per-second profile:
Slot 0: 12654 89%|********************************************
Slot 1: 1603 11%|*****
Bytes-per-second profile:
Slot 0: 1649003 76%|**************************************
Slot 1: 511183 24%|************
At the interface level you would see the underruns counter increment along with the overruns counter (see below). To try to alleviate or resolve this, move one of the ports to a Gi1/X interface (Bus 1) and monitor it over a few days. Note that these counters are cumulative since boot or the last clear interface, so clear them and re-sample before you judge the effect of the move.
Per Cisco:
Interface overruns, no buffer and underruns often show that the firewall cannot process all the traffic it is receiving on its NIC. Overruns and no buffers indicate that input traffic is too much on a given interface. The interface maintains a receive ring where packets are stored before they are processed by the ASA. If the NIC is receiving traffic faster than the ASA can pull them off the receive ring, the packet will be dropped and either the no buffer or overrun counter will increment. Underruns behave similarly but deal with the transmit ring instead.
ASA5550/act# show interface gigabitEthernet 0/0
Interface GigabitEthernet0/0 "HH", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: 6509
MAC address 6400.f182.6770, MTU 1500
IP address 192.168.168.2, subnet mask 255.255.255.248
56937880 packets input, 12657181986 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
831 input errors, 0 CRC, 0 frame, 831 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
33686564 packets output, 5457717040 bytes, 577125 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/0)
Traffic Statistics for "HH":
56937881 packets input, 11616408550 bytes
34263689 packets output, 5097504222 bytes
12365 packets dropped
ASA5550/act# show interface gigabitEthernet 0/1
Interface GigabitEthernet0/1 "HM", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: 6509
MAC address 6400.f182.6771, MTU 1500
IP address 192.168.1.1 subnet mask 255.255.255.0
24794625 packets input, 4336231091 bytes, 0 no buffer
Received 4648 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
40981082 packets output, 3012528711 bytes, 1614642 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/0)
Traffic Statistics for "HM":
23737668 packets input, 3724976676 bytes
42595724 packets output, 2342955016 bytes
6597 packets dropped
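Added example, not code from the original post: a small parser for the two outputs above that pulls the receive-ring counters (overrun, no buffer) and transmit-ring counter (underruns) per interface and the per-slot profile, then reports which interfaces are dropping and whether one bus carries most of the load. The sample text is the post's own output trimmed to the lines it needs; the Gi<slot>/<port> to bus mapping follows the Cisco text quoted above, and the 70% imbalance threshold is an assumption.

```python
"""Find the symptoms of ASA 5550 bus oversubscription in command output.
Added example, not code from the original post. It parses the `show
interface` and `show traffic` output shown above (trimmed here to the lines
it needs). The Gi<slot>/<port> to bus mapping is taken from the Cisco text
quoted above; the 70% imbalance threshold is an assumption."""
import re

# Constructed from the post's output: the relevant lines of the two interfaces.
SHOW_INTERFACE = """Interface GigabitEthernet0/0 "HH", is up, line protocol is up
        56937880 packets input, 12657181986 bytes, 0 no buffer
        831 input errors, 0 CRC, 0 frame, 831 overrun, 0 ignored, 0 abort
        33686564 packets output, 5457717040 bytes, 577125 underruns
Interface GigabitEthernet0/1 "HM", is up, line protocol is up
        24794625 packets input, 4336231091 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        40981082 packets output, 3012528711 bytes, 1614642 underruns
"""

SHOW_TRAFFIC = """Per Slot Throughput Profile (1 minute)
Packets-per-second profile:
Slot 0: 12654 89%|********************************************
Slot 1: 1603 11%|*****
Bytes-per-second profile:
Slot 0: 1649003 76%|**************************************
Slot 1: 511183 24%|************
"""

IFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)"', re.M)
# Receive-ring trouble shows as overrun / no buffer, transmit-ring as underruns.
COUNTERS = {
    "no_buffer": re.compile(r"(\d+) no buffer"),
    "overrun": re.compile(r"(\d+) overrun"),
    "underruns": re.compile(r"(\d+) underruns"),
}


def parse_interfaces(text):
    """Return {name: {'nameif', 'slot', 'no_buffer', 'overrun', 'underruns'}}."""
    result = {}
    heads = list(IFACE_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[head.start():end]
        name = head.group(1)
        entry = {"nameif": head.group(2),
                 "slot": int(re.search(r"(\d+)/\d+$", name).group(1))}
        for key, rx in COUNTERS.items():
            m = rx.search(block)
            entry[key] = int(m.group(1)) if m else 0
        result[name] = entry
    return result


def parse_slot_profile(text):
    """Return {'pps': {slot: (value, pct)}, 'bps': {...}} from `show traffic`."""
    profile, section = {}, None
    for line in text.splitlines():
        if line.startswith("Packets-per-second"):
            section = profile.setdefault("pps", {})
        elif line.startswith("Bytes-per-second"):
            section = profile.setdefault("bps", {})
        elif section is not None:
            m = re.match(r"Slot (\d+):\s+(\d+)\s+(\d+)%", line)
            if m:
                section[int(m.group(1))] = (int(m.group(2)), int(m.group(3)))
    return profile


def findings(interfaces, profile, imbalance_pct=70):
    """Human-readable findings: ring drops per interface, plus a move
    suggestion when one bus carries at least imbalance_pct of pps or bps."""
    notes = []
    for name, e in interfaces.items():
        if e["overrun"] or e["no_buffer"]:
            notes.append(f"{name} ({e['nameif']}): receive ring overflow, "
                         f"overrun={e['overrun']} no_buffer={e['no_buffer']}")
        if e["underruns"]:
            notes.append(f"{name} ({e['nameif']}): transmit ring underruns={e['underruns']}")
    for metric, slots in profile.items():
        for slot, (_, pct) in slots.items():
            if pct >= imbalance_pct:
                on_slot = [n for n, e in interfaces.items() if e["slot"] == slot]
                other = 1 - slot  # the 5550 has exactly two buses
                notes.append(f"slot {slot} carries {pct}% of {metric}; candidates to "
                             f"move to a Gi{other}/x port: {', '.join(on_slot)}")
    return notes


if __name__ == "__main__":
    for note in findings(parse_interfaces(SHOW_INTERFACE), parse_slot_profile(SHOW_TRAFFIC)):
        print(note)
```

Feed it the full output of show interface and show traffic; the interface regex only needs the header line of each interface block, so the untrimmed output works as well.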
Location:
Avenel, NJ 07001, USA
Tuesday, November 20, 2012
Installing a new Cisco ASA-5520 & Creating Secure Networks
I decided to add a Cisco ASA 5520 to my lab; figure 1 shows the topology. I am going to guide you through the setup and actually route some packets through it. I had only done minor configurations on an ASA before, never to this extent. I created two networks, 10.50.51.0/24 and 10.50.52.0/24, for this lab. These are what I will call secure networks: all communication between them must traverse the firewall.
On 4948_01 I created VLAN 51 (10.50.51.0/24) and on 4948_02 I created VLAN 52 (10.50.52.0/24). All communication between these two networks must traverse the firewall. I have seen this used in networks where it was a security requirement from the infosec team. I could also have created both VLANs on one switch and still routed the traffic via the firewall. Some people might use VLAN ACLs to secure communication between two VLANs, but let's say that for this lab we had a requirement to use a firewall. Additionally, the networks had to live on two separate switches.
Let's create the VLANs and their SVIs on the switches and assign IP addresses.
Cisco_4948E_01#
vlan 51
name secure_network_10.50.51.0
!
interface Vlan51
ip address 10.50.51.254 255.255.255.0
no shut
Cisco_4948E_02#
vlan 52
name secure_network_10.50.52.0
!
interface Vlan52
ip address 10.50.52.254 255.255.255.0
no shut
Now we need to add the firewall into the mix. For this I connected one cable from each 4948 (Gi1/46) to the ASA 5520 and made the Gi1/46 interfaces on the 4948s routed (Layer 3). I also defined a static route on each switch pointing to the opposite network through the ASA. By the way, I used named static routes: a few weeks or months from now you might not remember why you put in that static route. When possible, use them.
Cisco_4948E_01
interface GigabitEthernet1/46
description ASA_GigabitEthernet0/3
no switchport
ip address 192.168.1.1 255.255.255.252
exit
!
ip route 10.50.52.0 255.255.255.0 GigabitEthernet1/46 192.168.1.2 name secure_network
!
Cisco_4948E_02
interface GigabitEthernet1/46
description ASA_GigabitEthernet0/2
no switchport
ip address 192.168.1.5 255.255.255.252
!
ip route 10.50.51.0 255.255.255.0 GigabitEthernet1/46 192.168.1.6 name secure_network
!
This takes care of the switching end of things. Now on to the firewall configuration. First configure the interfaces, because the static routes and ACLs tie into the interface names later. Under each interface assign a name (nameif), an IP address and a security level; ASA physical interfaces are shut down by default, so bring them up as well. I chose 50 and 100 at random. Security levels work exactly as the name suggests: by default traffic initiated from a higher-level interface may reach a lower-level interface, but traffic initiated from a lower-level interface toward a higher-level one is dropped unless an ACL applied to the lower-level interface permits it.
Cisco-ASA5520-01#
interface GigabitEthernet0/2
description Cisco_4948E_02 Gi1/46
nameif Cisco_4948E_02
security-level 50
ip address 192.168.1.6 255.255.255.252
no shutdown
interface GigabitEthernet0/3
description Cisco_4948E_01 Gi1/46
nameif Cisco_4948E_01
security-level 100
ip address 192.168.1.2 255.255.255.252
no shutdown
Now we need an ACL. For this example I created one that permits anything and applied it inbound on the lower-security interface, which is where the ASA requires it for lower-to-higher traffic. The permit any is just for this example; I will harden it later. A production version needs two things: restrict it to the 10.50.52.0/24 to 10.50.51.0/24 flows and the ports you actually need, and enable ICMP inspection (inspect icmp in the global policy) so that echo replies are matched to the state of the request instead of depending on an open ACL.
Cisco-ASA5520-01#
access-list any extended permit ip any any
!
access-group any in interface Cisco_4948E_02
Now we need to tell the ASA how to route the traffic; for this I created static routes, one per interface, with the switch's Gi1/46 address as the next hop. Now let's test.
Cisco-ASA5520-01#
route Cisco_4948E_01 10.50.51.0 255.255.255.0 192.168.1.1 1
route Cisco_4948E_02 10.50.52.0 255.255.255.0 192.168.1.5 1
Success!!!!!
Cisco_4948E_02#ping 10.50.51.254 source 10.50.52.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.51.254, timeout is 2 seconds:
Packet sent with a source address of 10.50.52.254
!!!!!
Cisco_4948E_01#ping 10.50.52.254 source 10.50.51.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.52.254, timeout is 2 seconds:
Packet sent with a source address of 10.50.51.254
!!!!!
Figure 1: lab topology (image not reproduced)
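Added example, not the post's own tooling: a config audit over the ASA interface, route and ACL lines above. It checks that each static route's next hop is inside the subnet of the interface it is bound to, that every lower-to-higher security pair has an inbound access-group on the lower interface (otherwise that direction is dropped by the security-level rule), and it flags any bound permit ip any any ACE. CONFIG is the post's configuration with the access-list written in the ASA's extended syntax; nothing else is assumed.

```python
"""Audit the interface, route and ACL configuration from the post.
Added example, not the post's own tooling. CONFIG is the post's ASA
configuration (access-list in the ASA's `extended` syntax)."""
import ipaddress
import re

CONFIG = """interface GigabitEthernet0/2
 nameif Cisco_4948E_02
 security-level 50
 ip address 192.168.1.6 255.255.255.252
interface GigabitEthernet0/3
 nameif Cisco_4948E_01
 security-level 100
 ip address 192.168.1.2 255.255.255.252
access-list any extended permit ip any any
access-group any in interface Cisco_4948E_02
route Cisco_4948E_01 10.50.51.0 255.255.255.0 192.168.1.1 1
route Cisco_4948E_02 10.50.52.0 255.255.255.0 192.168.1.5 1
"""


def parse_config(text):
    """Return (interfaces by nameif, ACLs by name, access-groups by nameif, routes)."""
    ifaces, acls, groups, routes, cur = {}, {}, {}, [], None
    for raw in text.splitlines():
        line, parts = raw.strip(), raw.split()
        if line.startswith("interface "):
            cur = {"ifname": parts[1]}
        elif cur is not None and line.startswith("nameif "):
            cur["nameif"] = parts[1]
            ifaces[parts[1]] = cur
        elif cur is not None and line.startswith("security-level "):
            cur["level"] = int(parts[1])
        elif cur is not None and line.startswith("ip address "):
            cur["net"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif line.startswith("access-list "):
            acls.setdefault(parts[1], []).append(" ".join(parts[2:]))
        elif line.startswith("access-group "):  # access-group NAME in|out interface NAMEIF
            groups[parts[4]] = (parts[1], parts[2])
        elif line.startswith("route "):  # route NAMEIF NET MASK GATEWAY [metric]
            routes.append((parts[1],
                           ipaddress.ip_network(f"{parts[2]}/{parts[3]}"),
                           ipaddress.ip_address(parts[4])))
    return ifaces, acls, groups, routes


def audit(text):
    """Return a list of findings; an empty list means the three checks passed."""
    ifaces, acls, groups, routes = parse_config(text)
    notes = []
    # 1. Static route next hops must be on-link for the interface they name.
    for nameif, net, gw in routes:
        iface = ifaces.get(nameif)
        if iface is None:
            notes.append(f"route {net}: unknown interface {nameif}")
        elif gw not in iface["net"].network:
            notes.append(f"route {net}: next hop {gw} is not in the subnet of "
                         f"{nameif} ({iface['net'].network})")
    # 2. Lower-to-higher traffic is dropped unless the lower interface has an
    #    inbound access-group permitting it.
    for low in ifaces.values():
        for high in ifaces.values():
            if low["level"] < high["level"]:
                bound = groups.get(low["nameif"])
                if bound is None or bound[1] != "in":
                    notes.append(f"{low['nameif']} (level {low['level']}) -> "
                                 f"{high['nameif']} (level {high['level']}): no inbound "
                                 f"access-group on the lower interface, this direction is dropped")
    # 3. A bound permit-any ACE makes the firewall a router for that interface.
    for nameif, (acl, direction) in groups.items():
        for ace in acls.get(acl, []):
            if re.search(r"\bpermit ip any any\b", ace):
                notes.append(f"{acl} ({direction} on {nameif}): 'permit ip any any' turns the "
                             f"firewall into a router for this interface; tighten before production")
    return notes


if __name__ == "__main__":
    for note in audit(CONFIG):
        print(note)
```

On the lab config the only finding is the permit-any ACE, which is exactly the item the post defers to "harden it later"; the other two checks exist for the day a route or an access-group is fat-fingered.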
Thursday, March 15, 2012
Cisco ASA Object-Group
What is an object group?
It lets you group ports (and, with the other object-group types, protocols, networks and ICMP types) under one name so that a single ACE can reference the whole set instead of one ACE per port. The ASA expands the group when it evaluates the ACL, so the number of effective entries (visible with show access-list) does not change; what you save is configuration lines and the risk of two copies of the same port list drifting apart.
How to view an object group.
CISCOASA# show run object-group id OBJECT_GROUP_NAME
object-group service OBJECT_GROUP_NAME tcp
description testing ports
port-object range 4000 4999
port-object range 8000 8999
port-object eq 25570
port-object range 5000 5999
port-object range 21000 21999
port-object eq 30101
port-object range 30005 30006
port-object eq 19420
port-object eq 19720
port-object eq 19920
CISCOASA#
Some examples of an object group in use. Because this group is declared with protocol tcp, reference it from tcp ACEs; a port list that both tcp and udp ACEs need should be declared as object-group service NAME tcp-udp instead.
access-list from-switchch extended permit udp any 172.200.18.0 255.255.255.0 object-group OBJECT_GROUP_NAME
access-list from-switchch extended permit tcp any 172.200.18.0 255.255.255.0 object-group OBJECT_GROUP_NAME
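Added example, not code from the original post: it parses the object-group above, expands the tcp ACE into the per-port entries the ASA evaluates (the form show access-list displays), and reports the effective port set after merging overlapping or adjacent ranges, which is the number a reviewer should weigh. It refuses to expand a udp ACE against a tcp-only group, which is the situation the note above warns about.

```python
"""Expand a service object-group into the ACEs the ASA evaluates and report
the effective port set. Added example, not from the original post; it parses
the object-group and the ACL line shown above."""
import re

# The object-group from the post, as `show run object-group` prints it.
OBJECT_GROUP = """object-group service OBJECT_GROUP_NAME tcp
 description testing ports
 port-object range 4000 4999
 port-object range 8000 8999
 port-object eq 25570
 port-object range 5000 5999
 port-object range 21000 21999
 port-object eq 30101
 port-object range 30005 30006
 port-object eq 19420
 port-object eq 19720
 port-object eq 19920
"""

ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (tcp|udp) (.+?) object-group (\S+)\s*$")


def parse_object_group(text):
    """Return (name, protocol, [(low, high), ...]) for a service object-group."""
    header = re.match(r"\s*object-group service (\S+) (\S+)", text)
    if header is None or header.group(2) not in ("tcp", "udp", "tcp-udp"):
        raise ValueError("not a service object-group with a tcp/udp/tcp-udp protocol")
    ports = []
    for line in text.splitlines():
        m = re.match(r"\s*port-object (eq|range) (\d+)(?:\s+(\d+))?\s*$", line)
        if m is None:
            continue  # description and anything else are not port-objects
        low = int(m.group(2))
        high = int(m.group(3)) if m.group(1) == "range" else low
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"bad port-object: {line.strip()}")
        ports.append((low, high))
    return header.group(1), header.group(2), ports


def merge_ranges(ports):
    """Coalesce overlapping or adjacent ranges into the effective port set."""
    merged = []
    for low, high in sorted(ports):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def port_count(ports):
    """Number of distinct ports the group opens."""
    return sum(high - low + 1 for low, high in merge_ranges(ports))


def expand_ace(ace, group_text):
    """Expand an ACE whose destination port is an object-group into one ACE per
    port-object, the way `show access-list` displays it. A tcp-only group in a
    udp ACE (or vice versa) is rejected: declare the group tcp-udp when both
    protocols are meant to share the port list."""
    name, proto, ports = parse_object_group(group_text)
    m = ACE_RE.match(ace.strip())
    if m is None:
        raise ValueError("unsupported ACE shape (expected ... object-group NAME at the end)")
    acl, action, ace_proto, middle, ref = m.groups()
    if ref != name:
        raise ValueError(f"ACE references {ref}, group text defines {name}")
    if proto != "tcp-udp" and proto != ace_proto:
        raise ValueError(f"object-group {name} is {proto}; it cannot back a {ace_proto} ACE")
    expanded = []
    for low, high in ports:
        port = f"eq {low}" if low == high else f"range {low} {high}"
        expanded.append(f"access-list {acl} extended {action} {ace_proto} {middle} {port}")
    return expanded


if __name__ == "__main__":
    name, proto, ports = parse_object_group(OBJECT_GROUP)
    print(f"{name} ({proto}): {len(ports)} port-objects, {port_count(ports)} distinct ports, "
          f"effective ranges {merge_ranges(ports)}")
    for line in expand_ace("access-list from-switchch extended permit tcp any "
                           "172.200.18.0 255.255.255.0 object-group OBJECT_GROUP_NAME",
                           OBJECT_GROUP):
        print(line)
```

The merge step is the useful part for review: the two ranges 4000-4999 and 5000-5999 above are really one 2000-port hole, and the group as a whole opens 4007 destination ports to the 172.200.18.0/24 network.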