Saturday, May 19, 2018

Active Standby Configuration of Cisco Transparent ASA

Failover requires two dedicated links between the two firewalls: one to replicate the configuration (the failover link) and one to sync real-time connection state (the stateful failover link). This post shows how it is configured on a transparent-mode firewall; the failover configuration is almost identical in routed mode.

If you want to know about the transparent-mode operation of a Cisco ASA, please go here.

Assuming all other configuration is already in place and working,

Starting from ASA-1,

Make it a transparent firewall..
ciscoasa(config)# firewall transparent 

Create a BVI..
ciscoasa(config)# interface BVI 1
ciscoasa(config-if)# ip address standby

Assign both interfaces to the bridge group..
ciscoasa(config-if)# int e2
ciscoasa(config-if)# nameif INSIDE
ciscoasa(config-if)# bridge-group 1 

ciscoasa(config-if)# int e3
ciscoasa(config-if)# nameif OUTSIDE
ciscoasa(config-if)# bridge-group 1

Configure the configuration replication (failover) link..
ciscoasa(config)# failover lan interface LAN_FAIL eth0
ciscoasa(config)# failover interface ip LAN_FAIL standby

Configure the stateful failover link that syncs real-time connection state..
ciscoasa(config)# failover link STATEFUL_FAIL eth1
ciscoasa(config)# failover interface ip STATEFUL_FAIL standby

Make ASA-1 the primary..
ciscoasa(config)# failover lan unit primary

Show the unit priority and failover state in the prompt..
ciscoasa(config)# prompt hostname priority state

Enable failover..
ciscoasa(config)# failover

Configure ASA-2 as the secondary unit,

ciscoasa(config)# failover lan interface LAN_FAIL eth0
ciscoasa(config)# failover interface ip LAN_FAIL standby
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)# failover

The following commands verify the configuration..

Monday, April 30, 2018

TCL Script to Ping Multiple Destinations at Once

TCL scripting can be used to automate what you do in the Cisco CLI. It is a scripting language that simplifies repetitive work in Cisco IOS. Here is the official reference to learn more about TCL scripting.

Here is a simple script that pings multiple destinations at once, which is handy in troubleshooting..

foreach X {
} { ping $X }

Here X is the variable name. The IP addresses listed inside the first pair of braces are the values that X takes in turn. If you want to use an extended version of ping, e.g. ping [destination] repeat 100, write the second pair of braces like the following.
{ ping $X repeat 100 }
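The same loop, as an added example that is not the original post's script: it enters tclsh from privileged mode, runs an extended ping against a constructed list of hosts, and prints a one-line success summary per host instead of the full ping output. The host addresses are constructed samples.

```cisco
Router# tclsh

# Added example, not the original post's script.
# Constructed sample destinations; replace with the hosts you are troubleshooting.
set HOSTS {192.0.2.1 192.0.2.2 198.51.100.10}

foreach X $HOSTS {
    # exec runs an exec-mode command and returns its output as a string;
    # extended ping: 5 echoes with a 1-second timeout each
    set OUT [exec "ping $X repeat 5 timeout 1"]
    # pull the percentage out of the "Success rate is N percent (...)" summary line
    if {[regexp {Success rate is (\d+) percent} $OUT -> RATE]} {
        puts [format "%-16s %3s%% success" $X $RATE]
    } else {
        puts [format "%-16s no ping summary returned" $X]
    }
}

tclquit
```

Everything between tclsh and tclquit is typed (or pasted) at the Router(tcl)# prompt.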

Let's see an actual CLI output; remember, this must be run in privileged mode..

To exit from tcl mode, use exit, tclquit or just Ctrl+Z..

Sunday, March 25, 2018

Storm Control

Rate limiting of layer 2 traffic at the port level of a switch is needed to overcome some of the worst nightmare attacks in networking. Storms can be unicast, multicast or broadcast..

Storms are controlled by setting rising and falling thresholds based on one of the following..

1) Packet rate
2) Percentage of the interface bandwidth

When a configured threshold is passed, the switch can take the following actions..

1) Discarding excess traffic according to the configured commands
2) Shut down the port or send an SNMP trap

Let's look at a real-world configuration requirement..

(1) Limit broadcast traffic to 100 packets per second. When broadcast traffic drops back to 50 packets per second, begin forwarding broadcast traffic again.
(2) Limit multicast traffic to 0.5% of the interface bandwidth. When multicast traffic drops to 0.4%, begin forwarding multicast traffic again.
(3) Limit unicast traffic to 80% of the interface bandwidth; forward all unicast traffic up to this limit.
(4) Send an SNMP trap for above conditions.
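One way to implement the four requirements above on a single access port, as an added example rather than the original post's configuration. The interface name is an assumption.

```cisco
! Added example, not the original post's config. Interface name is assumed.
interface GigabitEthernet0/1
 ! (1) broadcast: suppress above 100 pps, resume forwarding once it falls to 50 pps
 storm-control broadcast level pps 100 50
 ! (2) multicast: suppress above 0.5 % of interface bandwidth, resume at 0.4 %
 storm-control multicast level 0.50 0.40
 ! (3) unicast: suppress above 80 %; no falling threshold is given, so it is
 !     set equal to the rising one and forwarding resumes as soon as the rate drops
 storm-control unicast level 80.00
 ! (4) send an SNMP trap when a threshold is crossed; the default filtering still
 !     drops the excess traffic, and the port stays up (unlike 'action shutdown')
 storm-control action trap
end
!
! Verify the configured thresholds and the currently measured level per traffic type
show storm-control GigabitEthernet0/1
```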

The following show commands confirm the configuration..

As you can see in the third task, if you haven't configured a falling threshold, the switch will not wait for traffic to drop to a lower threshold before forwarding it again.

Note:- Storm control works on physical ports only. Though the commands are visible on EtherChannel interfaces, they don't work there..

Here is a good post I found online explaining how the traffic limiting is done with polling intervals

Saturday, February 3, 2018

DHCP Traffic through Transparent ASA

A transparent firewall only allows ARP broadcast traffic to pass through without an ACL. All other broadcast traffic is blocked, which means DHCP traffic will not flow. Here are the essential ACLs needed to allow DHCP traffic through a Cisco ASA in transparent mode.

ZONE-1 and ZONE-2 are at the same security level, and traffic between interfaces of the same security level is enabled.

To understand what really happens at the back end of the DHCP protocol, please go here. That post explains it with Wireshark captures.

According to the packet capture, Discover and Request packets are sent by the client as a broadcast with a source IP address of and a destination IP address of , with destination port UDP 67 (bootps). So this requires an ACL on the ZONE-2 interface.

Also, the Offer and Ack packets have the source IP of the DHCP server and any destination, with destination port UDP 68 (bootpc). This requires an ACL on the ZONE-1 interface.
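The two ACLs described above, written out as an added example (not the original post's ACLs). It assumes the DHCP client is on ZONE-2 and the DHCP server is on ZONE-1; the server address 192.0.2.10 is a constructed placeholder, and the standard DHCP addresses 0.0.0.0 (client without a lease) and 255.255.255.255 (limited broadcast) are used.

```cisco
! Added example, not the original post's ACLs. Server address is a placeholder.
!
! Discover/Request: the client has no address yet, so the source is 0.0.0.0 and the
! destination is the limited broadcast 255.255.255.255, udp/67 (bootps).
! Permit it inbound on ZONE-2, restricted to exactly that source/destination pair.
access-list ZONE2_IN extended permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
access-group ZONE2_IN in interface ZONE-2
!
! Offer/Ack: from the server's udp/67 to any destination (broadcast, or unicast to the
! offered address), udp/68 (bootpc). Permit it inbound on ZONE-1 only from the known
! server, so a rogue DHCP server elsewhere in ZONE-1 is not let through.
access-list ZONE1_IN extended permit udp host 192.0.2.10 eq bootps any eq bootpc
access-group ZONE1_IN in interface ZONE-1
!
! Verify, and watch the hit counts climb while a client obtains a lease
show access-list ZONE2_IN
show access-list ZONE1_IN
```

An access-group ends with an implicit deny, so in practice these lines are added to whatever ACL already permits the rest of the zone's traffic; applying an ACL containing only the DHCP line would block everything else on that interface. A client renewing an existing lease sends its Request as unicast from its own address, so that exchange is covered by the normal unicast policy, not by the broadcast line.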
