firewall-wizards@listserv.icsalabs.com
Today's Topics:
1. Re: How to rename a CMA in Provider-1 (Trey Darley)
2. Re: Slow FTP transfers (sky)
3. Re: asa 5505 vpn ipsec l2l problem (Eric Gearhart)
4. Re: asa 5505 vpn ipsec l2l problem (Farrukh Haroon)
----------------------------------------------------------------------
Message: 1
Date: Mon, 5 Oct 2009 17:10:37 +0200 (CEST)
From: "Trey Darley" <trey@kingfisherops.com>
Subject: Re: [fw-wiz] How to rename a CMA in Provider-1
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<8abf7b60f0930272d09bb6ffca5dbc0b.squirrel@kingfisherops.com>
Content-Type: text/plain;charset=iso-8859-1
Hi, Achim -
Mostly R65 with a few R60 (and odd R55 here and there.)
So basically I'd have to re-sic all the member firewalls after recreating
the CMA? I was dearly wishing there were some shortcut. I don't actually
so much care what the CMA is named; I just wish there were some way of
changing the display name.
No cli hacks lurking out there in the ether?
Cheers,
--Trey
> Hi Trey,
>
>> As my google-fu is seemingly weak today I put the question to you: is
>> there a way to rename a CMA (or at least change the display name) in
>> Check
>> Point Provider-1?
>
> Renaming the CMA is like renaming a SmartCenter Server - which usually
> means your CA changes, so all certificates need to be recreated.
> Which version(s) are you running?
>
>
>
> Regards,
> Achim
>
> --
> Achim Dreyer
> Senior Unix & Network Admin
> RHCE, RHCA, CCSA, CCSE, CCSE+, CCNA
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
------------------------------
Message: 2
Date: Wed, 07 Oct 2009 14:49:41 -0700
From: sky <aptgetd@gmail.com>
Subject: Re: [fw-wiz] Slow FTP transfers
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4ACD0CF5.6050003@gmail.com>
Content-Type: text/plain; charset=us-ascii
Hi,
I've looked at every possible aspect of this connection based on the
feedback I've received, to no avail.
The FWSM module is running v1.1(4) and CatOS v7.6(16).
Any further insight will be appreciated.
regards,
sky
sky wrote:
> Hi,
>
> I'm having an issue when ftp'ing (default port mode) a large file (50 megs)
> to a remote server sitting behind FWSM. The transfer gets really slow and
> at times just times out.
>
> Now when I change ftp mode to passive the same file transfer works w/o
> any issues. Why?
>
> I have inspect ftp and the MTU is set to 1500. I've checked the duplex
> settings as well, which are good.
>
> Any thoughts will be great.
>
> regards
> sky
>
>
>
------------------------------
Message: 3
Date: Mon, 5 Oct 2009 21:45:33 -0700
From: Eric Gearhart <eric@nixwizard.net>
Subject: Re: [fw-wiz] asa 5505 vpn ipsec l2l problem
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5792267e0910052145m5172832dj2e13fa080cf4dbcf@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
On Sat, Oct 3, 2009 at 5:38 AM, Hrvoje Popovski <hrvoje@srce.hr> wrote:
> > If you're not seeing IPsec build the tunnel with debug crypto, I would
>
>> guess that traffic is getting NAT'd out, and not hitting the tunnel (by
>> the way, you probably only need debug crypto ipsec 5, not 100...)
>>
>>
>> Do you have NAT setup on the 5505? If you do, do you have a NAT exclude
>> ACL setup that excludes "your device networks -> remote device networks"?
>>
>> --
>> Eric
>>
>>
> hello everyone,
>
> first, thanks to everyone who replied to my post.
> I can't establish an SA; the crypto ACL is the same on both ends, well, they tell
> me so. I can't see the config on the other side, but from the log that I can see on
> my ASA I think the problem is on my side. I really don't know; maybe the problem
> is in the licence (10 inside hosts), but I have only 2 inside hosts
> (192.168.11.11 and 11.12).
> I will try to apply the crypto ACL with an ip rule and see what happens.
>
>
I think this was previously mentioned by Paul Melson... try to use IP
addresses in your IPsec interesting traffic ACL... I agree with him that
having specific ports in ACL1 is the problem, as far as I know.
So ACL1 is now:
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data
ACL1 should be:
access-list ACL1 extended permit ip host 192.168.11.11 host 10.1.100.13
access-list ACL1 extended permit ip host 192.168.11.11 host 10.1.110.250
access-list ACL1 extended permit ip host 192.168.11.11 host 10.1.100.105
access-list ACL1 extended permit ip host 192.168.11.11 host 10.1.100.105
access-list ACL1 extended permit ip host 192.168.11.12 host 10.1.100.13
access-list ACL1 extended permit ip host 192.168.11.12 host 10.1.110.250
access-list ACL1 extended permit ip host 192.168.11.12 host 10.1.100.105
access-list ACL1 extended permit ip host 192.168.11.12 host 10.1.100.105
At least try this config, and see if it works... worst case roll it back to
what you had before.
Do a 'debug cry isa 5' and try to ping a remote host from e.g. 10.1.100.13
and see if the tunnel tries to build
--
Eric
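An added example, not code from Eric or anyone in the thread: a small Python checker that applies the advice in this message to ASA-style access-list lines. The entries it parses are constructed here, modelled on the ACL1 and NoNAT lines quoted in the thread, and only the "host A [eq p] host B [eq p]" shape used there is handled. It flags port-specific crypto-map entries, produces the ip-only rewrite, reports host pairs that have no NoNAT exemption (that traffic is NATed before the crypto map sees it, as Eric noted earlier), and lists the mirrored entries the peer's ACL must carry.

```python
import re

# Constructed sample modelled on the ACL1 and NoNAT entries quoted in this thread
# (not the poster's full config). The FTP entry matches on ports, the last does not.
ACL1 = """
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list ACL1 extended permit ip host 192.168.11.12 host 10.1.100.13
"""
NONAT = """
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.13
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.13
"""

# Only the "host A [eq p] host B [eq p]" shape used in the thread is parsed.
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+(?P<proto>\S+)"
    r"\s+host\s+(?P<src>\S+)(?:\s+eq\s+(?P<sport>\S+))?"
    r"\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<dport>\S+))?\s*$"
)

def parse_aces(text):
    """Return one dict per parseable access-list entry, in file order."""
    return [m.groupdict() for line in text.splitlines()
            if (m := ACE_RE.match(line.strip()))]

def port_specific(aces):
    """Crypto-map entries that match on protocol or port instead of plain ip."""
    return [a for a in aces if a["proto"] != "ip" or a["sport"] or a["dport"]]

def ip_only_rewrite(aces):
    """The ip-only host-pair form suggested above, de-duplicated, order kept."""
    seen, out = set(), []
    for a in aces:
        key = (a["src"], a["dst"])
        if key not in seen:
            seen.add(key)
            out.append(f"access-list {a['name']} extended permit ip host {key[0]} host {key[1]}")
    return out

def missing_nat_exemption(crypto_aces, nonat_aces):
    """Host pairs in the crypto ACL with no NAT-exempt (nat 0) entry."""
    exempt = {(a["src"], a["dst"]) for a in nonat_aces}
    return sorted({(a["src"], a["dst"]) for a in crypto_aces} - exempt)

def peer_mirror(aces, peer_name="acl1"):
    """Entries the peer's crypto ACL must contain: same pairs, src/dst swapped."""
    return sorted({f"access-list {peer_name} extended permit ip host {a['dst']} host {a['src']}"
                   for a in aces})

if __name__ == "__main__":
    aces = parse_aces(ACL1)
    print("port-specific entries:", len(port_specific(aces)))
    print("\n".join(ip_only_rewrite(aces)))
    print("pairs without NoNAT exemption:", missing_nat_exemption(aces, parse_aces(NONAT)))
    print("\n".join(peer_mirror(aces)))
```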
------------------------------
Message: 4
Date: Mon, 5 Oct 2009 09:14:18 +0300
From: Farrukh Haroon <farrukhharoon@gmail.com>
Subject: Re: [fw-wiz] asa 5505 vpn ipsec l2l problem
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<eff3217d0910042314n17b5f333n9c3dcec7d1415e3d@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
I don't know if you got my older email, here it is again:
Run these three debugs
debug crypto engine
debug crypto isakmp 127
debug crypto ipsec 127
and then see if you get any more meaningful debugs.
It's better to clear both Phase 1 and Phase 2 before you run the debugs (just
in case the SAs are already established).
Also try removing the crypto map from the interface and re-applying it!
Please also check the logging levels on your ASA 'show logging'
logging buffered 7
logging monitor 7 (save/log the telnet session after issuing the 'terminal monitor' command)
Regards
Farrukh
On Sat, Oct 3, 2009 at 3:38 PM, Hrvoje Popovski <hrvoje@srce.hr> wrote:
> > If you're not seeing IPsec build the tunnel with debug crypto, I would
>
>> guess that traffic is getting NAT'd out, and not hitting the tunnel (by
>> the way, you probably only need debug crypto ipsec 5, not 100...)
>>
>>
>> Do you have NAT setup on the 5505? If you do, do you have a NAT exclude
>> ACL setup that excludes "your device networks -> remote device networks"?
>>
>> --
>> Eric
>>
>>
> hello everyone,
>
> first, thanks to everyone who replied to my post.
> I can't establish an SA; the crypto ACL is the same on both ends, well, they tell
> me so. I can't see the config on the other side, but from the log that I can see on
> my ASA I think the problem is on my side. I really don't know; maybe the problem
> is in the licence (10 inside hosts), but I have only 2 inside hosts
> (192.168.11.11 and 11.12).
> I will try to apply the crypto ACL with an ip rule and see what happens.
>
> ---------------------------------
> log:
> Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead
>
> debug crypto engine, ipsec 127 and ipsec 127 gave me nothing
>
> ---------------------------------
> my asa:
> ciscoasa# sh crypto isakmp sa
> There are no isakmp sas
>
> ciscoasa# sh crypto ipsec sa
> There are no ipsec sas
> ---------------------------------
> my asa - 22.22.22.22
> other asa - 33.33.33.33
> -----------------------------------------------
> config on 33.33.33.33 asa:
> access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.11
> access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.11
> access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.11 eq ftp
> access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.11
> access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.12
> access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.12
> access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.12
> access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.12
>
> transform-set esp-3des esp-md5-hmac
>
> isakmp key * address 22.22.22.22 netmask 255.255.255.255 no-xauth
> no-config-mode
>
> this is all the information that I know
>
> -------------------------------------------------
>
> here is my config - 22.22.22.22 asa:
>
> ASA Version 7.2(4)
> !
> hostname ciscoasa
> domain-name default.domain.invalid
> names
> !
> interface Vlan1
> nameif inside
> security-level 100
> ip address 192.168.11.254 255.255.255.0
> !
> interface Vlan2
> nameif outside
> security-level 10
> ip address 22.22.22.22 255.255.255.0
> !
> interface Ethernet0/0
> switchport access vlan 2
> !
> interface Ethernet0/1
> !
> interface Ethernet0/2
> !
> interface Ethernet0/3
> !
> interface Ethernet0/4
> !
> interface Ethernet0/5
> !
> interface Ethernet0/6
> !
> interface Ethernet0/7
> !
> boot system disk0:/asa724-k8.bin
> ftp mode passive
> clock timezone CEST 1
> clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
> dns server-group DefaultDNS
> domain-name default.domain.invalid
> access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.13
> access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.105
> access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.110.250
> access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.13
> access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.105
> access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.110.250
> access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
> access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
> access-list ACL1 extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
> access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
> access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
> access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
> access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
> access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data
> pager lines 24
> logging enable
> logging timestamp
> logging buffer-size 10000
> logging buffered debugging
> logging asdm informational
> mtu inside 1500
> mtu outside 1500
> icmp unreachable rate-limit 1 burst-size 1
> icmp permit any inside
> icmp permit any outside
> asdm image disk0:/asdm-522.bin
> no asdm history enable
> arp timeout 14400
> nat-control
> nat (inside) 0 access-list NoNAT
> static (inside,outside) 192.168.113.11 192.168.11.11 netmask 255.255.255.255
> static (inside,outside) 192.168.113.12 192.168.11.12 netmask 255.255.255.255
> *I need this static NAT, but not for now*
> route inside 192.168.10.0 255.255.255.0 192.168.11.1 1
> route outside 0.0.0.0 0.0.0.0 22.22.22.1 1
>
> crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto map abcMap 1 match address ACL1
> crypto map abcMap 1 set peer 33.33.33.33
> crypto map abcMap 1 set transform-set ESP-3DES-MD5
> crypto map abcMap 1 set security-association lifetime seconds 3600
> crypto map abcMap 1 set security-association lifetime kilobytes 2560
> crypto map abcMap interface outside
> crypto isakmp identity address
> crypto isakmp enable outside
> crypto isakmp policy 1
> authentication pre-share
> encryption 3des
> hash md5
> group 2
> lifetime 86400
> crypto isakmp policy 2
> authentication pre-share
> encryption aes
> hash sha
> group 2
> lifetime 86400
> crypto isakmp nat-traversal 20
>
> ntp server 192.168.10.2
> ntp server 192.168.10.3
> ssl encryption des-sha1
>
> tunnel-group DefaultL2LGroup ipsec-attributes
> isakmp keepalive threshold 120 retry 10
> tunnel-group DefaultRAGroup ipsec-attributes
> isakmp keepalive threshold 120 retry 10
> tunnel-group 33.33.33.33 type ipsec-l2l
> tunnel-group 33.33.33.33 ipsec-attributes
> pre-shared-key *
>
> !
> !
> prompt hostname context
> Cryptochecksum:ad3bf9e8fef81844b866e79c1b0c8e2f
> : end
>
> --
>
> /hrvoje
>
------------------------------
End of firewall-wizards Digest, Vol 42, Issue 6