Cisco asa security context active/active failover

Similar Messages

• Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode

                     Dear Experts,
  Wold like to know whether dynamic Routing Protocol Support in Cisco ASA Firewall Multiple Context Mode. If yes then please provide OS version and Hardware Model of Cisco ASA Firewall. Appreciate the quick response.  Thanks.

  Hi,
  Check out this document for the information
  http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
  Its lists the following for software level 9.0(1)
  Multiple   Context Mode Features
  Dynamic routing in Security   Contexts
  EIGRP and OSPFv2 dynamic   routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing   are not supported.
  Seems to me you would need some 9.x version to support the above mentioned Dynamic Routing Protocols.
  I don't think its related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesnt support that is ASA5505 of the whole ASA5500 and ASA5500-X series.
  Hope this helps
  - Jouni

• Cisco ASA Security Levels

  Hi All
  I have just started working on Cisco ASAs and working on following scenario:
  3 Depts having 3 separate Networks given following names
  Finance
  Accounts
  HR
  Communication Between them should be restricted and allowed on specfic host and services. My approach is that I have assigned security level of "0"
  to each of them and also enabled "same-security-traffic permit inter-interface", so that they can communicate with each other. Now what I have observed is that as soon as I enable same-security-traffic permit inter-interface traffic starts flowing among them without the need for any access-list. But as soon as I create an access list for some specific host , traffic stops flowing for all other hosts except for the one which was granted access in access-list.
  Is my approach right? Please do advise, and also Is this a default behaviour of ASA to implicitly deny traffic for all host as soon as I place a acl after enabling same-security-traffic permit inter-interface.
  Thanks and Regards

  Hello,
  If all of the networks zone have the same security level for your company then you can use the same one on them.
  Remember that all the ACL's have an implicit deny at the bottom, so the behavior is expected.
  Same security level interfaces with the same-security-traffic command will be allow to exchange traffic without the need on an ACL but as soon as you place one on any of those interfaces you will need to specify the traffic you will need to allow.
  Regards,
  Rate all the helpful pots
  Julio
  Security Engineer

• What´s the price for any Cisco ASA security parts?

  Hello everybody,
  Please, I need to know the prices for the items:
  ASA5500X-SSD120=     
  FS-VMW-2-SW-K9       
  L-ASA5525-TAM=       
  I need to implement Cisco IPS with 2 Cisco ASA 5525X.
  Thank you.

  Your local Cisco partner can provide pricing for your area.
  The Cisco Support Community is not the place to request price quotes.
  Please go to www.cisco.com and refer to the top menu pick "How to Buy" to find an authorized partner / reseller serving your area.

• IfSpeed and ASA security context config

  If the "system" context of a multi-context ASA has per-interface config set to a specific speed, say 10Mbit on a 1Gbit interface, I see the interface is reported as 10Mbit in ifSpeed. But does the config only impact the management aspect, or does it throttle the interface down to 10Mbit as well?

  What if you do the calculation manually using the delta values polled from SNMP, and the value of ifSpeed?  What is the port speed of the upstr
  eam switch?  Perhaps the port is really negotiated at a higher speed than what the context is reporting.

• Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

  With Namit Agarwal and Rahul Govindan 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
  This is a continuation of the live webcast.
  Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
  Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
  Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
  Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
  Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
  Webcast related links:
  Slides from the live webcast
  Video Recording of the live webcast
  Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

  Hello Namit and Rahul,
  Here are few questions that came in directly during your live webcast hence posting them here so that users can benifit:
  1)      How is ASA CX different from other UTM solutions ?
  2)      How is dynamic application inspection of CX better than other inspection engines  ?
  3)      What features or functionalities on the CX are available by default ?
  4)      what are the different ways we can run or install CX on the ASA platform ?
  5)      What VPN features are supported with multi context ASA in the 9.x release ?
  6)      What are the IPv6 Enhancements in the ASA version 9.x ?
  Request you to please provide your responses to them individually.
  Thanks.

• Cisco ASA 5585-X SSP-20 8.4(2) - TCP Syslog problem

  Hi,
  We have a firewall service environment where logging is handled with UDP at the moment.
  Recently we have noticed that some messages get lost on the way to the server (Since the server doesnt seem to be under huge stress from syslog traffic). We decided to try sending the syslog via TCP.
  You can imagine my surprise when I enabled the "logging host <interface name> <server ip> tcp/1470" on an ASA Security context and find out that all the connections through that firewall are now being blocked. Granted, I could have checked the command reference for this specific command but I never even thought of the possibility of a logging command beeing able to stop all traffic on a firewall.
  The TCP syslog connection failing was caused by a missmatched TCP port on the server which got corrected quickly. Even though I could now view log messages from the firewall in question in real time, the only message logged was the blocking of new connections with the following syslog message:
  "%ASA-3-201008: Disallowing new connections."
  Here start my questions:
  - New connections are supposed to be blocked when the the TCP Syslog server aint reachable. How is it possible that I am seeing the TCP syslog sent to the server and the ASA Security Context is still blocking the traffic?
  - I configured the "logging permit-hostdown" after I found the command and it supposedly should prevent the above problem/situation from happening. Yet after issuing this command on the Security Context in question, connections were still being blocked with the same syslog message. Why is this?
  - Eventually I changed the logging back to UDP. This yet again caused no change to the situation. All the customer connections were still being blocked. Why is this?
  - After all the above I removed all possible logging configurations from the Security Context. This had absolutely no effect on the situation either.
  - As a last measure I changed to the system context of the ASA and totally removed the syslog interface from the Security Context. This also had absolutely no effect on the situation.
  At the end I was forced to save the configuration on the ASAs Flash -memory, remove the Security Context, create the SC again, attach the interfaces again and load the configuration from the flash into the Security Context. This in the end corrected the problem.
  Seems to me this is some sort of bug since the syslog server was receiving the syslog messages from the SC but the ASA was still blocking all new connections. Even the command "logging permit-hostdown" command didnt help or changing back to UDP.
  It seems the Security Context in question just simply got stuck and continued blocking all connections even though in the end it didnt have ANY logging configurations on.
  Seems to me that this is quite a risky configuration if you are possibly facing cutting all traffic for hundreds of customers when the syslog connection is lost or the above situation happens and isnt corrected by any of the above measures we took (like the command "logging permit-hostdown" which is supposed to avoid this situation alltogether).
  - Jouni

  Hi,
  I FINALLY had the time to look at this issue as I was testing something else in our lab too.
  In short, here is what I did:
  I configured the TCP logging in the same way as in the original post
  I configured the TCP logging giving the commands in different order
  Did some other tests related to the proble
  Device used: ASA 5585-X
  Software: 8.4(2)
  Original Device and software : ASA 5585-X running 8.4(1)9
  Heres the above scenarions and what actually happened
  Original situation
  Before doing any changes the test firewall context in question is working normally and the log sent by UDP/514 is arriving to the Syslog server as usual.
  I now change the syslog to TCP by giving a command "logging host tcp/1471" (actual port being TCP/1470)
  The firewall immediatly starts blocking all connections going through it.
  I change the configuration to the correct port TCP/1470 after which log starts appearing in my realtime view on the syslog server. The firewall context in question is still sending only the message "Disallowing new connections" even though the TCP -port on the Syslog server is clearly reachable and the connection is active.
  After this I try to do the suggest "clear local-host all" command. This has no effect on the firewall context. No connections are getting through. No connections/xlates are formed on the firewall. I can only see the firewall doing DNS queries with its outside interface (related to another configuration).
  After this I try to start correcting the situation the same way as before. I add "logging permit-hostdown" command which has no effect on the situation. I remove all logging configurations and it doesnt have any effect on the situation.
  After this I activate UDP logging and can see the logs arriving on the syslog server but again I can only see "Disallowing new connections" message.
  In the end I have no other option (to my knowledge) other than to delete the Security Context and create it again with same interfaces and with the configuration saved to the Flash -memory of the ASA.
  After this the connections work like usual. (UDP logging in the saved configuration)
  Giving the configurations in different order
  After I've created the firewall again and all is working I have another try in configuring the TCP Syslog while giving the commands in different order.
  First I add the command "logging permit-hostdown" command
  Then I add the command "logging host tcp/1470"
  After this logs start arriving on the syslog server and connections work as usual. Seems giving the "logging permit-hostdown" first before any other configurations is the right way to go.
  Removing the "logging permit-hostdown" command
  After I saw that everything was working I tried to remove the "logging permit-hostdown" command and see what happens. Everything worked fine.
  Configuring wrong TCP port to "logging host" command
  I decide to try and change the TCP port used to a wrong one and see if anything happens. (logging permit-hostdown is active). Firewall works as usual. Naturally no logs can be viewed at the syslog server.
  Configuring the TCP Syslogging without "logging permit-hostdown" but with correct port
  Finally I tried to configure the TCP Syslogging on ASA with the correct TCP port without issuing the "logging permit-hostdown" command. Everything seemed to work fine after this.
  So in conclusion it seems that IF you don't have the "logging permit-hostdown" command issued before you start configuring "logging host tcp/xxxx" , you might run into problems IF you don't have matching settings on the ASA sending the log and the Syslog server receiving the log.
  There doesnt seem to be any easy way to correct the situation (with the connections getting blocked) after you have once messed up the configurations. Seems your only option is to reconfigure the Security Context (which is easy) or if this problem exists in the same way in a single ASA you will have to reboot the device which means longer downtime than reconfiguring a context.
  There would still be a couple of things to test but at the moment I have no more time for this. I will update if there is any new information.
  - Jouni

• Question about security context in multithreading environment

  I have a need to make concurrent calls to multiple EJBs in parallel threads. Let's
  say I establish the security context once by creating an InitialContext with given
  security principal and credential. With the security context active, I spawn multiple
  threads from the current thread and in each of those threads I make a call to
  a secure EJB method, which my security principal is allowed to access. My question
  is, will the same security context be established in each of the spawned thread
  so that my EJB calls succeed? For various reasons it's not feasible to login in
  each of the spawned threads, only to login once from the main thread.
  I tried this with WebLogic 6.1sp3 and it seems to work as expected. However, I
  have not been able to find any documentation on how security contexts are propagated
  to spawned threads. All I could find was a statement that when an InitialContext
  is created, the corresponding security context becomes associated with the current
  thread.
  My concern is that even though it works in WebLogic 6.1, it may no longer work
  the same way in WebLogic 7.0 or later. And will it work when the JNDI login mechanism
  is replaced by JAAS? If any WebLogic/security guru out there could give me some
  info on how WebLogic security contexts work in a multithreaded environment, I
  would be much obliged.
  Thanks in advance!
  Minh-Tue Vo

  "Minh-Tue Vo" <[email protected]> wrote in message
  news:[email protected]..
  >
  \> My concern is that even though it works in WebLogic 6.1, it may no longer
  work
  the same way in WebLogic 7.0 or later. And will it work when the JNDIlogin mechanism
  is replaced by JAAS? If any WebLogic/security guru out there could give mesome
  info on how WebLogic security contexts work in a multithreadedenvironment, I
  would be much obliged.
  With the JAAS model, you should be able to get a subject once and then do a
  runas in the spawned threads.

• Firewalling vlans on Catalyst 6500 by using Cisco ASA Firewalls

  Hello,
  How to secure vlans on Catalyst 6500 by using Cisco ASA Firewalls?
  There are no free modules on Catalyst 6500 to install a FWSM module.
  What is the best configuration to secure vlans (~80 vlans) by using cisco ASA firewalls (context, hairpining...)?
  Thanks

  Hi Bro
  Just to understand your question once again, you don't have anymore available slots in your present Cat6K, but you want to know how to secure your VLANs or SVIs that has been configured in your Cat6K?
  If you were to ask me, I would not apply a bunch of ACLs in the Cat6K, for starters. You might wanna look into COPP (Control Plane Policing) instead. Furthermore you could also refer to this Cisco document http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00801b49a4.shtml
  However, if you do have Cisco ASA FW appliance (not module, I presume from your question), you could enable ACLs, threat-detection feature, IP Audit features, reverse-path policing, capping of the embryonic values etc.
  P/S: If you think this comment is useful, please do rate them nicely :-)

• Cisco ASA 5505 IOS 9.2(1), ASDM 7.3(2) NAT issues

  Hey all,
  I am really new to Cisco and am trying to get this Cisco ASA 5505 configured that I bought recently configured properly.
  Things I have successfully been able to do:
  1. Configure static WAN IP on WAN port e0/0 (I have a /29 block of addresses)
  2. Create static routes to point to all of my vlans that are currently being being routed through my layer 3 SG-300
  3. Install and run ASDM 7.3(2)
  4. Went through the start-up  wizard and configured all of my WAN and LAN settings (I have a WAN block of /29 addresses. So I congured my device with NAT and put in the range the first usable IP address outside of the one I configured for the direct connected WAN port from my modem. Example: 10.24.56.99-102 where .98 is already configured as the direct connect from modem to ASA 5505 and .97 is the gateway of my ISP modem.)
  The struggle that I am running into today is with NAT rules from outside to inside. I currently have an Exchange server behind this device but I am unable to get ports forwarded to it. I followed this tutorial about Static NAT, however there is still no joy. 
  http://www.networkworld.com/article/2162844/tech-primers/how-to-configure-static-nat-on-a-cisco-asa-security-appliance.html
  Attached is a copy of my running-config and version. Any help with this would be greatly appreciated. 

  Your Ethernet0/1 is a trunk with multiple VLANs allowed but you do not have corresponding VLAN interfaces for SVIs in each of the associated subnets. If, as your routing setup indicates, you will be going via your internal gateway at 10.10.1.1 to reach the internal subnets then Eth0/1 should just be an access port.
  So your Exchange server in the 10.10.12.0/24 subnet  will talk via the internal gateway (10.10.12.1?) and thus on to the ASA inside interface at 10.10.1.2.
  I assume your "public" IPs have been changed to anonymize the output. If those are your actual addresses (10.24.56.x) then there must be additional NAT taking place upstream - that would all need to be setup properly as well.

• Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

  Hi,
  I can add single AIP-SSM on Cisco ASA in failover active / standby mode?

  No, both units need the same hardware, that includes the installed modules.
  Sent from Cisco Technical Support iPad App

• Active-Active Failover when different contexts monitor different interfaces

  I'm trying to understand the relationship between failover groups and contexts, however it appears that the configuration is split in an way that I am having trouble understanding.
  The interfaces that you actually monitor are configured PER CONTEXT e.g.
  ciscoasa/ConextA(config)# monitor-interface inside
  But the number of interfaces that need to fail for failover to take place is done PER FAILOVER GROUP e.g.
  ciscoasa(config)# failover group 1
  ciscoasa(config-fover-group)# interface-policy 1
  (from the system context)
  If my laptop could take it, I would spin up a test environment in GNS3, but I think the best way to ask the question is to give an example. What would happen in the following setup:
  OPTION 1
  OPTION 2
  Thanks in advance

  You would never have a scenario where, as you put it, the Admin context would monitor Gi0 and ContextB also monitor Gi0.  This is because you need to assign the interface to a specific context and once it is assigned to one context it can not also be assigned to another...unless you have configured subinterfaces, then those subinterfaces can be split up and assigned to seperate contexts.  But one interface or one subinterface can not be assigned to more than one context.
  Now, if you have failover groups configured and an interface on one failover group dies, then only the context that the interface belongs to will failover to the standby failover group.
  The following is a good article to have a read through on the Active/Active failover functions:
  http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91336-pix-activeactive-config.html
  Please remember to rate and select a correct answer

• ASA CX / PRSM Active/Active Failover?

  Hi everyone.
  I've spent my last 2 days trying to find something on this matter, but I can't find anything conclusive about it.
  I'm trying to find if a 2 ASAs+CX in Active/Active configuration is supported and how to do it.
  On one side, on the PRSM configuration guide for 9.2, it says "Active-Standby is the only supported high availability configuration", but I don't understand if it's just for adding devices to PRSM or that an Active/Active configuration is not supported by the CX module.
  On the other hand, this forum discussion says that they are using Active/Active with CX.
  So, I need to know if it will work. I know that if I use Active/Active I should use contexts, which some are Active on one ASA and others are active on the other one.  I would assume that the CX module configuration should be the same for both ASAs as to support all the networks policies, but I want to know if this will work (I don't want to tell the customer that it'll work and then be stuck with an unsupported and non-working configuration).
  Any advice on this? Guides maybe?
  Thanks in advance.

  Yes, it can be done. Off-box PRSM manages an ASA context like a "separate" ASA. That's when it's managing the ASA configuration itself - distinct from managing the CX module features.
  Note however that there is an unresolved bug with CX modules and HA ASA pairs: https://tools.cisco.com/bugsearch/bug/CSCud54665
  The other thing to remember - as you had alluded to - is that the CX configuration is a common one despite there being multiple contexts (with potentially differing security policies with respect to the web filtering and IPS functions they want from the CX) on the box.

• ASA Active/Active Failover with Redundant Guest Anchors

  Does anyone know how an ASA and a guest anchor 5508 will interact if I setup an Active/Active failover pair with physical interface redundancy?  I see from documentation that I can create a logical group in the ASA to bond physical interfaces together, but it doesn't describe what protocol is being used to manage that bundle.  Do I assume etherchannel?  If I were to create this scenario, can I run the 5508 in LAG mode?
  The current failover configuration example is for PIX, and old code at that.  I'm referencing an ASA/PIX guide ISBN:1-58705-819-7 beginning on page 531.
  Regards,
  Scott

  In addition to what you have, you should add to each unit the global configuration command "failover".
  We generally don't manually configure the MAC addresses in single context mode since the ASA ill automatically assign virtual MAC addresses and manage their moving to the newly active unit in the event of a failover event. Reference.

• ASA active/active failover back to back

  Hi,
        for HA  I want to connect 4 ASA's in active/active failover with each ASA having two contexts.
  The reason I need this is to separate two domains. Each domain has the ASA pair in active/active failover.
  Is this possible and what would you need to do it  ie a switch or two in between ?
  I know you need switches or vlans to do the LAN side as the failover context needs to be in the same network. So I'm assuming you would need to do something similar between the 4 ASA's ???
  Would you put 2 switches trunked together carrying two vlans, one for each context ?
            -| CTX1 |-          ?         -| CTX1 |-
            -| CTX2 |-          ?         -| CTX2 |-
                 |  |                                |  |
            -| CTX1 |-          ?         -| CTX1 |-
            -| CTX2 |-          ?         -| CTX2 |-
  Thanks in advance.

  Your latest attachment is pretty close to what I was thinking.
  I would add a second interface on each ASA to the switches.
  So (considering the "Inside" interfaces of ASA1 for example) it would have one physical interface allocated to context 1 and connected to a port in VLAN2 and a second physical interface allocated to context 2 and connected to a port in VLAN 3.
  An alternative would be to stick with a single physical interface and allocate subinterfaces (on a trunk) to each context.
  You could further add redundancy by creating Etherchannels (with either the physical or logical interface approach).