I recently purchased a shiny new iPhone 3G and wanted to be able to connect back to my house where I have a Cisco ASA 5505. I have noticed a lot of questions about how to get this to work, so here it is…
After installing a new ASA 5520, I noticed that a few websites were loading very slowly or not at all. The problem seemed to be very intermittent, but reproducible by revisiting the websites at any time of the day. Browsing to the site from outside of the firewall showed the site to be responsive.
I started to watch the live log while browsing to the site and noticed packets being dropped. The log read:
This is the TCP normalizer's MSS check, introduced with the 7.0 ASA code. Normally the client and server each advertise their MSS (Maximum Segment Size) while establishing the TCP connection, and from then on neither side should send a segment carrying more data than its peer's MSS. Some HTTP servers ignore the advertised MSS and send larger segments, and the ASA drops those.
The workaround is to let the firewall pass segments whose data exceeds the MSS, scoped to the offending server rather than to everything. Let's say the server causing the problem is 192.168.10.9. First, create an access-list matching any host talking to that server.
Then create a class map that matches the access-list, and a TCP map (mss-map, referenced by the policy map below) that tells the normalizer to allow rather than drop the oversized segments. Note that exceeded mss allow is a tcp-map command, not a class-map command.
match access-list MSS_Exceeded_ACL
exceeded mss allow
Create the policy map.
set connection advanced-options mss-map
Apply the policy map to the outside interface with a service-policy.
If there is more than one problem site, add the additional servers to the MSS_Exceeded_ACL access-list. You can also change the ACL to match all traffic, but that disables the MSS check for every connection through the interface, so keep it scoped to the hosts that actually need it.
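The complete sequence, pulled together as an added example rather than the original post's configuration. Only the ACL name MSS_Exceeded_ACL, the TCP map name mss-map and the server 192.168.10.9 come from the post; the class map name MSS_Exceeded_CLASS and the policy map name outside_policy are assumptions, and the syntax is pre-8.3 ASA.

```cisco
! Added example: full MSS-exceeded workaround for one misbehaving server.
! Assumed names: MSS_Exceeded_CLASS, outside_policy. Everything else is
! from the post.
access-list MSS_Exceeded_ACL extended permit tcp any host 192.168.10.9
!
class-map MSS_Exceeded_CLASS
 match access-list MSS_Exceeded_ACL
!
! TCP map: let the normalizer pass, not drop, segments larger than the peer MSS
tcp-map mss-map
 exceeded mss allow
!
policy-map outside_policy
 class MSS_Exceeded_CLASS
  set connection advanced-options mss-map
!
service-policy outside_policy interface outside
!
! Verify the class is attached to the interface and is matching flows
show service-policy interface outside
```

An interface can carry only one service policy, so if the outside interface already has one, add the MSS_Exceeded_CLASS class to that existing policy map instead of creating outside_policy.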
For more information about MSS and logging these events, check out the document from Cisco.
If you have recently tried to set up SSH access on a new ASA, it might not have worked the way you wanted. That is because the RSA keys need to be generated first (and a hostname and domain-name must be configured before that, since they name the key pair). To do that:
INFO: The name for the keys will be:
Keypair generation process begin. Please wait…
And then configure SSH to be allowed from the inside interface:
Now you will be able to log in using the default username and password of pix/cisco, or you can configure AAA and set up your own usernames. Doing this makes the pix username no longer work for SSH, which is what you want: do not leave the default credentials usable on an interface that accepts SSH.
First, a username needs to be created:
And then configure AAA:
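The whole procedure in one place, as an added example and not the post's own configuration. The hostname, domain name, management subnet 10.10.10.0/24, the username admin and its password are all assumptions; the syntax is pre-8.3 ASA.

```cisco
! Added example: enable SSH with local AAA on an ASA.
! Assumed values: hostname, domain-name, 10.10.10.0/24, username admin.
hostname asa5520
domain-name example.net
!
! The key pair is named <hostname>.<domain-name>; use a 2048-bit modulus
crypto key generate rsa modulus 2048
!
! Only the inside management subnet may connect; SSHv2 only; 10 minute idle timeout
ssh 10.10.10.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
!
! Local account, then point SSH (and enable) authentication at the local database.
! Once this is in place the default pix/cisco login no longer works.
username admin password S0meStr0ngPassphrase privilege 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
!
! RSA keys are only persisted on save
write memory
```

Keep the ssh statement as narrow as the management network allows; never use 0.0.0.0 0.0.0.0 on the outside interface.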
I was working on an ASA config and ran into an interesting error. I needed to not perform NAT on the traffic from the inside LAN to the DMZ. I configured an access-list:
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.49.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.3.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.4.0 255.255.255.0
And then told the ASA not to translate that traffic with a nat 0 statement referencing the access-list (the statement shown again in the fix below), while everything else from the inside still falls under the dynamic NAT rule:
nat (inside) 1 0.0.0.0 0.0.0.0
I then needed to add another line to the InsideNoNAT_ACL, and that is where I received the error.
Unable to download NAT policy for ACE
All this error message is saying is that the new line was added to the access-list but was not added to the active NAT table. Upon doing some searching, I read in several places that a reboot fixed the problem. While this is true, it is not necessary. All that needs to be done is to remove and reapply the nat statement.
(config)#nat (inside) 0 access-list InsideNoNAT_ACL
This rebuilds the NAT rules and applies all rules in the ACL. Much better than a reload!
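The remove-and-reapply sequence together with a check that the new ACE took effect, as an added example rather than the post's own session. The first three ACEs and the nat 0 statement are from the post; the fourth ACE (172.31.5.0/24), the global statement and the packet-tracer addresses are constructed for this example.

```cisco
! Added example: recover from "Unable to download NAT policy for ACE" without a reload.
! Constructed: the 172.31.5.0/24 ACE, global (outside) 1, and the packet-tracer hosts.
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.49.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.3.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.4.0 255.255.255.0
! The ACE that produced the error: present in the ACL, missing from the NAT table
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.5.0 255.255.255.0
!
! Remove and re-add the identity NAT so the whole ACL is re-read into the NAT table
no nat (inside) 0 access-list InsideNoNAT_ACL
nat (inside) 0 access-list InsideNoNAT_ACL
!
! Everything else from the inside is still dynamically translated
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Check: the NAT phase should now show the nat 0 rule matching the new subnet
packet-tracer input inside tcp 10.10.10.5 12345 172.31.5.10 80
```

Between the no nat and the re-add, inside-to-DMZ traffic briefly falls through to the nat 1 rule, so paste both lines together or do it in a maintenance window.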
As many of you who have worked with a Cisco firewall know, ICMP is not allowed back through the firewall by default: without ICMP inspection the ASA does not track echo requests, so a ping from the inside leaves but the echo-reply is dropped at the outside interface. If you are just configuring the device, this makes it very difficult to troubleshoot connectivity. Thankfully, there are several ways to address this.
Solution 1: Use access-lists to allow pings from inside/DMZ to the outside.
To allow pinging from the inside to the outside, you will need to configure an access-list on the outside interface that permits the echo-reply messages coming back.
Then apply the access-list to the outside interface.
This allows only ping replies. If you would also like traceroute to work, you will also need to allow time-exceeded (for the intermediate hops) and unreachable (the final hop answers a UDP traceroute with port-unreachable).
Solution 2: Use access-lists to allow ping and traceroute from the internet to your DMZ/inside servers.
To do this, we are going to build off of what we did above, so you should already have this in the config.
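Both solutions in one outside ACL, as an added example and not the post's own configuration. The ACL name outside_access_in, the DMZ host 172.31.3.10 and the public address 203.0.113.10 it is published on are assumptions; the syntax is pre-8.3 ASA, where an ACL references the translated address.

```cisco
! Added example: ICMP through the ASA with an outside interface ACL.
! Assumed: ACL name outside_access_in, DMZ host 172.31.3.10 published as 203.0.113.10.
!
! Solution 1: replies to pings and traceroutes started from inside/DMZ.
! The ASA does not track echo requests without ICMP inspection, so the
! answers have to be permitted explicitly on the outside interface.
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
!
! Solution 2: let the Internet ping one DMZ host (Windows tracert also uses echo).
! Pre-8.3 the ACE must reference the public address from the static.
static (dmz,outside) 203.0.113.10 172.31.3.10 netmask 255.255.255.255
access-list outside_access_in extended permit icmp any host 203.0.113.10 echo
!
access-group outside_access_in in interface outside
!
! Check: the echo-reply ACE hit counter should climb after a ping from inside
show access-list outside_access_in
```

The echo-reply from the DMZ host back to the Internet is covered by the default higher-to-lower security rule unless the DMZ interface has its own ACL, in which case add a matching echo-reply permit there. The any any permits let any Internet host send those message types toward the outside interface; on 7.0+ code the stateful alternative is inspect icmp in the global policy, which only admits replies to requests the ASA has seen.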
Here are the relevant parts of the configuration to set up an EtherChannel between an IOS device and a CatOS device. First the CatOS device, in this case a 6509, using ports 3/9 and 3/10.
We first need to set the ports we want to use to trunk. Here we are forcing dot1q.
Now we need to set up the port channel. The two ports are bundled into one logical link, aggregating their bandwidth.
Note: There is an option at the end of this command to specify the admin group. This is how CatOS groups the ports into a bundle. If you do not specify the admin group, CatOS assigns one automatically. This is something to watch out for if you set each port separately: ports that land in different admin groups will not bundle together.
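Both ends of the bundle, as an added example rather than the post's own configuration. Only the CatOS ports 3/9 and 3/10 come from the post; the IOS port names GigabitEthernet1/1 and 1/2, channel number 1, admin group 1 and VLANs 10 and 20 are assumptions. It also prunes the allowed VLAN list and disables DTP on the IOS side, which the post does not cover.

```cisco
! Added example: two-port dot1q EtherChannel, CatOS 6509 <-> IOS switch.
! Assumed: Gi1/1-Gi1/2, channel-group 1, admin group 1, VLANs 10 and 20.
!
! --- CatOS 6509 (ports 3/9 and 3/10 from the post) ---
set trunk 3/9 on dot1q
set trunk 3/10 on dot1q
! Prune the allowed VLANs (default is every VLAN), then permit only 10 and 20
clear trunk 3/9 1-1005
clear trunk 3/10 1-1005
set trunk 3/9 on dot1q 10,20
set trunk 3/10 on dot1q 10,20
! Put both ports in the same admin group explicitly, then bundle unconditionally
set port channel 3/9-10 1
set port channel 3/9-10 mode on
show port channel 3/9
!
! --- IOS switch ---
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface range GigabitEthernet1/1 - 2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode on
!
show etherchannel 1 summary
```

mode on on both ends bundles without any negotiation, so both sides must be configured identically before the cables go in; if you prefer the protection of PAgP against a miscabled port, use mode desirable on both the CatOS and IOS sides instead.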