Saturday, March 27, 2010

Get rid of console timeout on GNS3/dynamips

One of the things that I hate is the processor to be cycling on 100% while I'm trying to configure something. Most of the time the reason for it is console timeout. I'm using this script on each router to get rid of console timeout, and some other things:

conf t
no ip domain-lookup
no cdp log mismatch duplex
line console 0
exec-timeout 33333

That will setup the timeout to 3 weeks and 2 days, and your processor can breath a bit ;-)


Tuesday, March 23, 2010

Troubleshooting BGP Flowchart

Amazing... just came across this flowchart. It is interactive as well!

Sunday, March 14, 2010

Destination NAT (Outside NAT) on Cisco and xlate flags

The task was extremely simple. The packet with: SRC:, DST:, needs to be translated to: SRC:, DST: Having extensive amount of all kinds of NAT done on Checkpoint (you can do that with 3 clicks on Checkpoint), I thought this will be piece of cake. It took me 4-6 hours, going through many Cisco FWSM examples and I had to write to IPexpert CCIE Security mailing list for help.

I started to look for a way to use static (outside, inside) I as thought the first interface is the interface which will hit the packet. It turn out that I'm totally wrong, and it doesn't matter the order in the static statement as long the first statement match the real interface and the second interface match the mapped interface.

At the end the config was:

static (inside,outside)

We can use: show xlate debug to verify the NAT:

NAT from inside: to outside: flags si idle 0:00:33 timeout 0:01:00 connections 0

Note the "si" flag above. The list of all flags:

Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static

For explanation for each flag, check the table named: Translation Flags in the command refference for the version of the FWSM/ASA.

Also few days ago, Cisco announced that they will do changes also on NAT in ASA version 8.3.

Tuesday, March 2, 2010

NAT on FWSM and not good syslog message

Syslog is absolutely my best friend in troubleshooting Cisco firewalls. Today, I got surprised by getting so "usual" message for such unpredictable issue. I hope Cisco can add new syslog message for this issue. I've checked version 4.1 documentation of syslog messages, and I wasn't able to find syslog message when traffic is dropped due to passing between interfaces with same security levels.

Today I was doing some NAT setup on FWSM 3.1. I wasn't sure that the config will work as there is no example on configuration guide for 2 nat statements with same number on same interface with different source addresses. However there was an example of this in the config guide for version 4.0 (Figure 15-15), so I wanted to try it if it will work. The configuration is below:

nat (if1) 1
nat (if1) 1
nat (if1) 1
nat (if1) 1
nat (if1) 1
nat (if1) 1
nat (if2) 1
nat (if3) 1
global (if4) 1

Everything worked as expected except the connections from if2. Looking at the log I got this message:

Mar  2 16:07:12 %FWSM-3-106011: Deny inbound (No xlate) tcp src if2: dst if4

I've checked the access-list, and the hitcounts were there, so next step in the traffic flow is matching of xlate table. I've removed the specific nat statement, re-tried and same message. I've added it again and re-tried, and again the same message. It took some time until I got the idea to check the security levels on the interfaces, and I got this:

FWSM/context#show nameif
Interface                Name                     Security
ethernet2                if1                       25
ethernet4                if2                       20
ethernet3                if4                       20
ethernet1                if3                      100
ethernet5                if5                       20

After permitting traffic on same security levels interface, I got the connection:

FWSM/context# show runn same-security-traffic
same-security-traffic permit inter-interface

FWSM/context# show xlate debug | grep
TCP PAT from if2: to if4: flags ri idle 0:00:20 timeout 0:00:30 connections 1

FWSM/context# show conn detail | grep
TCP out in idle 0:00:02 Bytes 64 FLAGS -