Bug in Cisco ASA 8.4(4)1 found

I had a new office set-up in Sao Paulo/Brazil and found a bug what should be already fixed but still exists. You cannot access the management interface (inside) of your ASA when you come over an L2L/RemoteAccess VPN and your NAT statements overlaps the management ip address.

It’s an split-tunneling configuration where VPN traffic keeps the original IP address and when you go into the internet you will translated to the outside IP address. Have a look here at the cisco bug CSCtr16184

I used the following config what didn’t work:

nat (inside,outside) source static inside-subs inside-subs destination static vpn-subs vpn-subs

When you use the NAT statements described in the workaround it works fine:

nat (inside,outside) source static inside-subs inside-subs destination static vpn-subs vpn-subs route-lookup
nat (outside,inside) source static vpn-subs vpn-subs destination static inside-subs inside-subs route-lookup

This behavior should be already fixed in version 8.4(2.3) but in my 8.4(4)1 it still exists.

Here the bug details from Cisco:

To-the-box traffic fails from hosts over vpn after upgrade to 8.4.2.

Symptom:

After upgrading the ASA to 8.4.2, all management traffic to-the-box(including icmp/telnet/ssh/ASDM) from hosts over the VPN (L2L or Remote ACcess VPN) may fail when destined to the management-access interface IP address.

Conditions:

1. Issue is observed if ASA is on 8.4.2. Not observed on 8.4.1.
2. Users directly connected to the internal interfaces face no issues with icmp/telnet/ssh/asdm to their respective interfaces.

Workaround:

The problem can be traced to a Manual NAT statement that overlaps with the management-access interface IP address. The NAT statement must have both the source and destination fields. Adding the “route-lookup” keyword at the end of the NAT statement resolves the issue.

Cisco Catalyst SPAN and Remote SPAN Configuration

To analyze network traffic passing through ports or VLANs you can configure SPAN or remote SPAN to mirror the traffic to another port on the switch or on another switch that has been connected to a network analyzer. The network analyzer can be Wireshark or Riverbed Cascade Pilot what capture or analyze the traffic. Cascade Pilot is here quite interesting because you can filter the traffic before and then send it to Wireshark for a deep analysis.

Back to the configuration, SPAN mirrors traffic received or sent (or both) on source ports or source VLANs to a destination port for analysis. The SPAN session does not affect the switching of network traffic on the source. Except for traffic on the destination, ports do not receive or forward traffic there are shown as monitoring interfaces.

 

Configure local SPAN session:

Define the source interface which traffic you want to mirror

monitor session 1 source interface GigabitEthernet 0/41

or VLAN as source

monitor session 1 source vlan 500

Define the destination interface

monitor session 1 destination interface GigabitEthernet 0/10

 

Configure remote SPAN session (1st switch):

At first create an remote SPAN VLAN

vlan 2010
  name RSPAN_VLAN
  remote-span
  exit

Then like the local SPAN session define the source

monitor session 1 source interface gi 0/47

or VLAN

monitor session 1 source vlan 500

At the end of the configuration of the 1st switch you configure the remote SPAN VLAN as destination

monitor session 1 destination remote vlan 2010

 

Configure remote SPAN session (2nd switch):

Like on the other switch you need to create at first an remote SPAN VLAN

vlan 2010
  name RSPAN_VLAN
  remote-span
  exit

Then as source you configure the RSPAN VLAN

monitor session 1 source remote vlan 2010

In the end the destination interface

monitor session 1 destination interface gi 0/18

Important is to verify that the RSPAN VLAN is allowed between these two switches on thier Trunk Interfaces!

 

With the following command you can verify the monitoring session you configured

show monitor session 1

ASA and PPPoE example

Just a short example what you need to configure when use PPPoE on Cisco ASA…

vpdn group myconnection request dialout pppoe
vpdn group myconnection localname [email protected]
vpdn group myconnection ppp authentication pap
vpdn username [email protected] password aeb1puj43

interface Vlan 2
	nameif outside
	security-level 0
	pppoe client vpdn group myconnection
	ip address pppoe setroute
	no shutdown
	exit

Configure syslog server on F5 BIG-IP

Syslog servers are a great idea they centralise all your logs from your Servers and networking devices.

I used for the syslog server the following command

bigpipe syslog remote server 'syslog-srv.local-domain.com' host 10.1.1.100 add

After that everything looked fine and I saw syslog messages but I got lots of informational messages and the following debug message.

debug snmpd[PID]: error on subcontainer 'ia_addr' insert (-1)

For the debug message I found a solution on AskF5: http://support.f5.com/kb/en-us/solutions/public/12000/100/sol12136.html?sr=16487442

There is saw that I went the wrong way of configuring syslog on my load balancer, I also needed to set the log level for remote syslog server. Here the solution from F5: http://support.f5.com/kb/en-us/solutions/public/11000/700/sol11723.html

1. Log in to the command line of the BIP-IP

2. Create in /tmp/syslog.inc file with the syslog configuration.

syslog include "
filter f_remote_loghost {
level(notice..emerg);
};
destination d_loghost {
udp(\"10.1.1.100\" port(514));
};
log {
source(s_syslog_pipe);
filter(f_remote_loghost);
destination(d_loghost);
};
"

3. To remove the currently configured remote syslog servers, type the following command:
Important: This step disables all remote logging.

[[email protected]:Active] tmp # b syslog remote server none

4. Copy the changes into the configuration

[[email protected]:Active] tmp # bpsh < /tmp/syslog.inc

5. Refresh and start syslog deamon

[[email protected]:Active] tmp # syslog-ng -s

6. Save the configuration

[[email protected]:Active] tmp # b save all
/config/bigip_base.conf was renamed to /config/bigip_base.conf.bak (86 lines).
/config/bigip_sys.conf was renamed to /config/bigip_sys.conf.bak (66 lines).
/config/bigip.conf was renamed to /config/bigip.conf.bak (894 lines).
/config/bigip_local.conf was renamed to /config/bigip_local.conf.bak (1 lines).
[[email protected]:Active] tmp #

If the new logging configuration is not working as expected, make the desired changes to the /tmp/syslog.inc file and return to Step 2.

When the syslog-ng -s command reports the following error message:

# syslog-ng -s syntax error at 751

Remove the syslog include entries by typing the following command:

bigpipe syslog include none

Review the import configuration for syntax errors before attempting to re-import by typing the command listed in Step 2.

Redirect Cisco show commands

Short overview of how to redirect Cisco show commands… quite useful sometimes 😉

show <command> | redirect URL

The syntax to redirect the command output to the file location specified in the URL. The pipe (|) is required. Prefixes can be local file locations, like flash: or disk0:. Alternatively, you can specify network locations using the following:

ftp://username:[email protected]/directory/filename
tftp://location/directory/filename

Rcp: prefix is not supported.

Example: Redirect show tech-support

show tech-support | redirect tftp://10.1.1.100/show-tech_c2960s-01.txt