
Transcript of Summer Webinar Series

Page 1: Summer Webinar Series

Christopher Rose, Sr. Client Network Engineer, [email protected]

Summer Webinar Series

Troubleshooting Traffic Flows Through Cisco ASA Firewalls

Webinar Links: www.mcnc.org/cne-webinars

Page 2: Summer Webinar Series

Agenda

1. Firewall best practices

2. ASA monitoring/administration tools

3. Typical traffic troubleshooting scenario

4. Performing packet traces to check for issues

5. Performing packet captures to help resolve issues

6. Where to go for information; MCNC Support

7. Q&A

2 8/11/16

Page 3: Summer Webinar Series

Prerequisites

■ You will need to have administrative access to your ASA in order to perform some of these functions.


Page 4: Summer Webinar Series

Firewall Best Practices

■ Security Zoning Related
  • Use a DMZ if possible for public servers (web, ftp)
  • Use AnyConnect VPN where possible in lieu of direct remote outside access to internal hosts

■ Ruleset Related
  • Be as specific as possible - avoid any/any.
  • Allow only essential services in to the internal zones (ingress filtering) and essential services out to the Internet (egress filtering).
  • Document rules for later review. Use good naming conventions and comments. Group network objects, ports.
  • Perform regular housekeeping including periodic rule review, removal of unused rules.

■ Monitoring Related
  • Log events as necessary.
  • Monitor load for capacity planning purposes
  • Use the firewall to troubleshoot network issues
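The "avoid any/any" and "periodic rule review, removal of unused rules" points can be checked mechanically from the firewall's own hit counters. The Python below is an added example written for this transcript, not MCNC's or Cisco's code: it parses constructed lines that approximate the output of `show access-list` on an ASA (the ACL names, rules, hit counts and hash values are made up) and flags permit rules whose source and destination are both `any`, and rules that have never matched.

```python
import re

# Constructed lines approximating the output of "show access-list" on an ASA.
# ACL names, rules, hit counts and hash values are made up for this example.
SHOW_ACCESS_LIST = """\
access-list inside_in line 1 extended permit tcp any any eq 443 (hitcnt=18422) 0x1a2b3c4d
access-list inside_in line 2 extended permit ip any any (hitcnt=903) 0x2b3c4d5e
access-list inside_in line 3 extended permit tcp 10.1.0.0 255.255.0.0 any eq 22 (hitcnt=0) 0x3c4d5e6f
access-list inside_in line 4 extended deny ip any any log (hitcnt=37) 0x4d5e6f70
access-list outside_in line 1 extended permit tcp any host 198.51.100.2 eq 443 (hitcnt=5502) 0x5e6f7081
"""

RULE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<rest>.*?) ?\(hitcnt=(?P<hits>\d+)\)"
)


def _take_addr(toks):
    """Consume one address spec from the token list: 'any', 'host X' or 'X MASK'."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return toks[1], toks[2:]
    return f"{toks[0]} {toks[1]}", toks[2:]


def parse_rules(text):
    """Turn show access-list lines into dicts with acl, line, action, proto, src, dst, port, hits."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        r = m.groupdict()
        toks = r.pop("rest").split()
        r["src"], toks = _take_addr(toks)
        r["dst"], toks = _take_addr(toks)
        r["port"] = toks[1] if toks[:1] == ["eq"] else None   # only 'eq PORT' handled here
        r["line"], r["hits"] = int(r["line"]), int(r["hits"])
        rules.append(r)
    return rules


def review(rules):
    """Flag the two things the slide asks to look for: any/any permits and unused rules."""
    findings = []
    for r in rules:
        if r["action"] == "permit" and r["src"] == "any" and r["dst"] == "any":
            what = "permit ip any any" if r["proto"] == "ip" else f"permit {r['proto']} any any"
            findings.append((r["acl"], r["line"], f"{what}: tighten source and destination"))
        if r["hits"] == 0:
            findings.append((r["acl"], r["line"], "no hits: review for removal"))
    return findings


if __name__ == "__main__":
    for acl, line, issue in review(parse_rules(SHOW_ACCESS_LIST)):
        print(f"{acl} line {line}: {issue}")
```

A zero hit count only means "no match since the counters were last cleared or the box last rebooted", so treat the "no hits" finding as a prompt for the rule review the slide recommends rather than an automatic delete.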

Page 5: Summer Webinar Series

ASA Monitoring-Administration Tools

■ ASDM - GUI tool for administering and monitoring the firewall.
  • Packet-Tracer
  • Packet Capture Wizard
  • Syslog viewer
  • Ping
  • Traceroute

■ SSH – Command Line tool for administering and monitoring the firewall.
  • Show Commands
  • Debug Commands
  • Ping
  • Traceroute

■ Syslog Server - Not absolutely necessary but very nice to have. Keeps a log of everything that happens on the firewall.


Page 6: Summer Webinar Series

Typical Traffic Troubleshooting Scenario


Page 7: Summer Webinar Series

Some Cautions About Using Ping And Traceroute As Troubleshooting Tools

■ Not all devices in the network path will reply to ICMP protocol requests.

■ Traceroute works differently on different operating systems. Windows uses ICMP. Unix generally uses UDP.

■ Information from these two tools is useful, but packet captures and logs are the gold standard for verifying connectivity.


Page 8: Summer Webinar Series

Simplified Traffic Flow Through an ASA

■ Ingress Interface Access List

■ Address Translation

■ Route


Page 9: Summer Webinar Series

Troubleshooting Network Traffic Flow Through an ASA

1.  Establish that traffic is getting to the ASA from the client. (Ping, Packet Capture, Syslog Viewer)

2.  Check that the traffic is not blocked on the ingress interface by an ACL. (Packet Tracer, Syslog)

3.  Check that there is a valid NAT rule to translate from a private to public IP address. (Packet Tracer, Syslog)

4.  Check that there is a valid route for the source and destination traffic in the ASA routing table. (Packet Tracer, Syslog)

5.  Establish that correctly translated traffic is leaving the outside interface. (Packet Capture, Syslog)

6.  Establish that traffic is reaching the intended source (You may need support at the server end to verify this.)

7.  Establish that return traffic from the server is coming back to the ASA outside interface. (Packet Capture, Syslog)

8.  Establish that return traffic is making it back through the ASA and egressing the inside interface. (Packet Capture, Syslog)
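Steps 2 to 4 above walk the same three stages as the simplified flow on the previous slide (ingress ACL, then translation, then route). The Python below is an added example written for this transcript, not MCNC's or Cisco's code and not the real Packet Tracer: it models those three stages as a tiny packet-tracer-style simulation and reports which stage a packet stops at. Every interface name, network, ACL rule, NAT rule and route in it is a constructed assumption, and the ASA's real processing chain has more stages than the three kept here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# All interface names, networks, rules and addresses below are constructed for
# this example; they are not a real configuration.

@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                          # source network, CIDR
    dst: str                          # destination network, CIDR
    dport: Optional[int] = None       # TCP/UDP destination port; None = any
    icmp_type: Optional[int] = None   # ICMP type number; None = any

@dataclass
class Packet:
    ingress: str                      # interface the packet arrives on
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

# Stage 1: ingress interface access lists (first match wins, implicit deny at the end).
INGRESS_ACL = {
    "inside": [
        Rule("permit", "tcp", "10.1.0.0/16", "0.0.0.0/0", dport=443),
        Rule("permit", "tcp", "10.1.0.0/16", "0.0.0.0/0", dport=80),
        Rule("permit", "icmp", "10.1.0.0/16", "0.0.0.0/0", icmp_type=8),   # echo request
        Rule("permit", "tcp", "10.3.0.0/16", "0.0.0.0/0", dport=443),       # permitted, but no NAT rule below
    ],
    "outside": [
        Rule("permit", "tcp", "0.0.0.0/0", "198.51.100.0/24", dport=443),
    ],
}

# Stage 2: dynamic PAT rules as (ingress interface, real source network, mapped address).
NAT_RULES = [("inside", "10.1.0.0/16", "198.51.100.2")]

# Stage 3: routing table as (prefix, egress interface); longest prefix wins.
# The toy table has no default route so that a missing route can be demonstrated.
ROUTES = [("10.1.0.0/16", "inside"), ("10.2.0.0/16", "dmz"), ("203.0.113.0/24", "outside")]

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def _in_net(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def _is_rfc1918(addr: str) -> bool:
    # Explicit RFC 1918 test; ipaddress.is_private would also flag documentation ranges.
    return any(_in_net(addr, n) for n in RFC1918)


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (_in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return True


def acl_check(pkt: Packet):
    """Return (allowed, reason) for the ingress interface access list."""
    for rule in INGRESS_ACL.get(pkt.ingress, []):
        if _matches(rule, pkt):
            return rule.action == "permit", f"{rule.action} by rule {rule}"
    return False, "implicit deny: no rule matched"


def nat_check(pkt: Packet):
    """Return (ok, mapped source): an RFC 1918 source bound off-net needs a translation."""
    for ingress, real_net, mapped in NAT_RULES:
        if pkt.ingress == ingress and _in_net(pkt.src, real_net):
            return True, mapped
    if _is_rfc1918(pkt.src) and not _is_rfc1918(pkt.dst):
        return False, None            # private source would leave untranslated
    return True, pkt.src              # no translation needed (e.g. inside -> dmz)


def route_lookup(dst: str) -> Optional[str]:
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def trace(pkt: Packet) -> dict:
    """Walk the packet through ACL -> NAT -> route and report where it stops."""
    phases = []
    ok, why = acl_check(pkt)
    phases.append(("ACCESS-LIST", ok, why))
    if not ok:
        return {"result": "DROP", "failed_phase": "ACCESS-LIST", "phases": phases}
    ok, mapped = nat_check(pkt)
    phases.append(("NAT", ok, f"source translated to {mapped}" if ok else "no NAT rule for private source"))
    if not ok:
        return {"result": "DROP", "failed_phase": "NAT", "phases": phases}
    egress = route_lookup(pkt.dst)
    phases.append(("ROUTE-LOOKUP", egress is not None, f"egress {egress}" if egress else "no route to destination"))
    if egress is None:
        return {"result": "DROP", "failed_phase": "ROUTE-LOOKUP", "phases": phases}
    return {"result": "ALLOW", "failed_phase": None, "egress": egress,
            "translated_src": mapped, "phases": phases}


if __name__ == "__main__":
    for p in (Packet("inside", "tcp", "10.1.1.5", "203.0.113.10", dport=443),
              Packet("inside", "tcp", "10.1.1.5", "203.0.113.10", dport=22),
              Packet("inside", "tcp", "10.3.0.7", "203.0.113.10", dport=443),
              Packet("inside", "tcp", "10.1.1.5", "192.0.2.9", dport=443)):
        r = trace(p)
        print(p.src, "->", p.dst, r["result"], r["failed_phase"] or "", [ph[0] for ph in r["phases"]])
```

The four packets in the `__main__` block exercise one outcome each: allowed end to end, stopped by the implicit deny, stopped for lack of a translation, and stopped for lack of a route, which is the order in which steps 2 to 4 tell you to look.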


Page 10: Summer Webinar Series

Perform Packet Captures to Check For Issues

■ The ASA has a GUI packet capture wizard to help the user properly configure the ASA for a packet capture and to get the capture downloaded off the firewall for analysis.

■ Packet captures can be done at the command line but they are more complicated to perform.

■ Packet captures can be customized to only capture the traffic you need. All captures are stored on the local file system of the ASA. The flash storage space is limited so try to avoid capturing too much traffic.


Page 11: Summer Webinar Series

Packet Capture Wizard Demo


Page 12: Summer Webinar Series

Performing Packet Traces to Check for Issues

■ Packet Tracer is a tool to simulate the flow of a packet through the ASA processing chain and report back on how the ASA would handle the packet.

■ Available in the ASDM GUI and at the Command Line.

■ You will need to know your numerical ICMP message and reply types if you packet trace ICMP through the firewall.


Page 13: Summer Webinar Series

Packet Tracer Demo


Page 14: Summer Webinar Series

Using Syslog Messages For Troubleshooting

■ If you have a Syslog server configured and collecting you can use it to review syslog messages.

■ Set the logging level to debugging to get the most detail when troubleshooting. It is not recommended to keep logging at this level during normal operations, for performance and log size reasons.

■ ASDM has a GUI Syslog viewer you can use in troubleshooting sessions.

■ Using Syslog at the command line is usually not helpful due to the small memory buffer and how quickly messages scroll by.
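With a syslog server collecting, following one client's flow through the log is the quickest way to see which stage stopped it. The Python below is an added example written for this transcript, not MCNC's or Cisco's code: it parses ASA-style syslog lines, keeps only the messages that name a given host, and pulls out the causes a troubleshooter cares about (an access-list deny and the reason on a connection teardown). The sample lines are constructed; their layout follows the ASA message formats for IDs 305011, 302013, 302014, 106023 and 609001 as the example's author knows them, and the hosts, ports, connection numbers, interface names and the ACL name `inside_in` are made up.

```python
import re

# Constructed sample log: formats follow the ASA syslog message catalogue as the
# author of this example knows it; every host, port and name here is made up.
SAMPLE_LOG = """\
%ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.5/52100 to outside:198.51.100.2/52100
%ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.5/52100 (198.51.100.2/52100)
%ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.10/443 to inside:10.1.1.5/52100 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-4-106023: Deny tcp src inside:10.1.1.5/52101 dst outside:203.0.113.10/22 by access-group "inside_in" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 4712 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.9/40000 (198.51.100.2/40000)
%ASA-7-609001: Built local-host inside:10.1.1.5
"""

HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")
# interface:address[/port]; the parenthesised mapped addresses in 302013 carry no
# interface prefix and are deliberately not captured by this pattern
ENDPOINT = re.compile(r"(?P<iface>[A-Za-z][\w-]*):(?P<ip>\d+\.\d+\.\d+\.\d+)(?:/(?P<port>\d+))?")
KINDS = {"106023": "acl-deny", "302013": "conn-built", "302014": "conn-teardown", "305011": "xlate-built"}


def parse_line(line):
    """Split one syslog line into severity, message id, body and the endpoints it names."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "id": m["id"], "body": m["body"]}
    rec["endpoints"] = [(e["iface"], e["ip"], int(e["port"]) if e["port"] else None)
                        for e in ENDPOINT.finditer(m["body"])]
    return rec


def follow_host(log_text, host_ip):
    """Timeline of events involving host_ip, in log order."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not any(ip == host_ip for _, ip, _ in rec["endpoints"]):
            continue
        kind = KINDS.get(rec["id"], "other")
        ev = {"kind": kind, "id": rec["id"], "severity": rec["severity"]}
        if kind == "acl-deny":
            acl = re.search(r'access-group "([^"]+)"', rec["body"])
            ev["acl"] = acl.group(1) if acl else None
            ev["dst"] = rec["endpoints"][1][1:]          # (ip, port) of the denied destination
        elif kind == "conn-teardown":
            reason = re.search(r"bytes \d+ (.+)$", rec["body"])
            ev["reason"] = reason.group(1) if reason else None
        events.append(ev)
    return events


def problems(events):
    """Pick out the events that point at a cause: ACL denies and reset/timeout teardowns."""
    found = []
    for ev in events:
        if ev["kind"] == "acl-deny":
            found.append(("acl-deny", ev["acl"]))
        elif ev["kind"] == "conn-teardown" and ev.get("reason") and \
                ("Reset" in ev["reason"] or "Timeout" in ev["reason"]):
            found.append(("teardown", ev["reason"]))
    return found


if __name__ == "__main__":
    timeline = follow_host(SAMPLE_LOG, "10.1.1.5")
    for ev in timeline:
        print(ev)
    print("problems:", problems(timeline))
```

The severity-7 line at the end is only present because logging was raised to debugging; at a normal operating level it would not be in the log at all, which is the trade-off the slide describes.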


Page 15: Summer Webinar Series

ASDM Syslog Viewer Demo


Page 16: Summer Webinar Series

Putting It All Together

1.  Establish that traffic is getting to the ASA from the client. Perform a packet capture at the firewall on the inside interface. If you see the packets then you know they are getting there.

2.  Use the Packet Tracer tool in ASDM to check if the traffic is allowed by the current firewall configuration. This will show problems with ACLs, translations, and routes in the configuration.

3.  Perform a packet capture on the outside interface. Establish that correctly translated traffic is leaving the outside interface and headed to the correct Internet address.

4.  Establish that traffic is reaching the intended source (You may need support at the server end to verify this.)

5.  Perform a packet capture on the outside interface. Look for return traffic from the server coming back to the ASA outside interface. If you see TCP resets or ICMP error codes you know it is probably a server side problem. (Firewall on the server side, wrong host, etc.)

6.  Perform a packet capture on the inside interface. Establish that return traffic is making it back through the ASA and egressing the inside interface. If you see it getting this far but it’s not making it to the person with the reported issue, chances are it’s a problem on your internal network.
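The outside-interface checks in steps 3 and 5 can be applied to the capture once it has been pulled off the ASA. The Python below is an added example written for this transcript, not MCNC's or Cisco's code: it builds a tiny libpcap file in memory to stand in for a capture downloaded from the outside interface, parses the Ethernet, IPv4, TCP, UDP and ICMP headers with nothing but the standard library, and applies the slide's reasoning for one client/server pair: translated traffic seen leaving, return traffic seen, and a TCP reset or ICMP error pointing at the server side. The mapped address, server addresses and ports are constructed.

```python
import struct

# --- constructed sample capture --------------------------------------------
# A tiny libpcap file built in memory, standing in for a capture downloaded
# from the ASA outside interface. Addresses and ports are made up.

def _ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left at zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def _tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)

def _udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def _icmp(itype, code):
    return struct.pack("!BBHI", itype, code, 0, 0)

def _frame(ip_packet):
    return b"\x00" * 12 + b"\x08\x00" + ip_packet          # Ethernet II, type IPv4

def build_pcap(frames):
    """Little-endian, microsecond-resolution libpcap file with Ethernet link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1470000000 + i, 0, len(f), len(f)) + f
    return out

SYN, RST, ACK = 0x02, 0x04, 0x10
OUTSIDE_CAPTURE = build_pcap([
    _frame(_ipv4("198.51.100.2", "203.0.113.10", 6, _tcp(52100, 443, SYN))),        # translated SYN leaving
    _frame(_ipv4("203.0.113.10", "198.51.100.2", 6, _tcp(443, 52100, RST | ACK))),  # server refuses
    _frame(_ipv4("198.51.100.2", "203.0.113.20", 17, _udp(53, 53))),                # a UDP probe
    _frame(_ipv4("203.0.113.20", "198.51.100.2", 1, _icmp(3, 3))),                 # port unreachable back
])

# --- parsing ----------------------------------------------------------------

def parse_frame(frame):
    """Decode Ethernet/IPv4 and the TCP, UDP or ICMP header; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    l4 = frame[14 + (ver_ihl & 0x0F) * 4:]
    pkt = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "proto": proto}
    if proto == 6 and len(l4) >= 20:
        sport, dport, _, _, _, flags = struct.unpack_from("!HHIIBB", l4, 0)
        pkt.update(sport=sport, dport=dport, flags=flags)
    elif proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        pkt.update(sport=sport, dport=dport)
    elif proto == 1 and len(l4) >= 4:
        itype, code = struct.unpack_from("!BB", l4, 0)
        pkt.update(icmp_type=itype, icmp_code=code)
    return pkt

def parse_pcap(data):
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    pos, pkts = 24, []
    while pos + 16 <= len(data):
        ts, _, incl, _ = struct.unpack_from("<IIII", data, pos)
        pos += 16
        pkt = parse_frame(data[pos:pos + incl])
        pos += incl
        if pkt:
            pkt["ts"] = ts
            pkts.append(pkt)
    return pkts

def check_flow(pkts, mapped_src, server):
    """Apply the slide's outside-interface checks to one translated client/server pair."""
    out = [p for p in pkts if p["src"] == mapped_src and p["dst"] == server]
    back = [p for p in pkts if p["src"] == server and p["dst"] == mapped_src]
    v = {
        "left_outside": bool(out),
        "returned": bool(back),
        "tcp_reset": any(p["proto"] == 6 and p.get("flags", 0) & RST for p in back),
        "icmp_error": [(p["icmp_type"], p["icmp_code"]) for p in back
                       if p["proto"] == 1 and p["icmp_type"] in (3, 11)],
    }
    if not v["left_outside"]:
        v["diagnosis"] = "no translated traffic seen leaving: check ACL, NAT and route on the ASA"
    elif not v["returned"]:
        v["diagnosis"] = "traffic left but nothing came back: upstream or server side"
    elif v["tcp_reset"] or v["icmp_error"]:
        v["diagnosis"] = "server side answered with an error: probably a server-side firewall or wrong host"
    else:
        v["diagnosis"] = "return traffic present: capture on the inside interface next"
    return v

if __name__ == "__main__":
    pkts = parse_pcap(OUTSIDE_CAPTURE)
    for server in ("203.0.113.10", "203.0.113.20", "203.0.113.30"):
        print(server, check_flow(pkts, "198.51.100.2", server)["diagnosis"])
```

Run against a real capture, `parse_pcap` would be pointed at the file downloaded from the firewall; the `mapped_src` argument is the translated address you expect to see on the outside, which is why the slide insists on checking that the translation is correct before reading the capture.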


Page 17: Summer Webinar Series

Where To Go For Additional Information Or Support

■ Cisco Support Community
  • https://supportforums.cisco.com/

■ ICMP Packet Types
  • http://www.nthelp.com/icmp.html


Page 18: Summer Webinar Series

Questions?

■ Christopher Rose

■ [email protected]

■ (919) 248-1811


Page 19: Summer Webinar Series

Your Feedback is Important!

■ Please provide feedback so we can improve future webinars!

■ https://www.mcnc.org/events/training/cne-summer-webinars2016


Page 20: Summer Webinar Series

Christopher Rose, Sr. Client Network Engineer, [email protected]

Summer Webinar Series

Troubleshooting Traffic Flows Through Cisco ASA Firewalls

Webinar Links: www.mcnc.org/cne-webinars