Comments for PacketU http://www.packetu.com What's on your wire[s]? Tue, 21 Feb 2012 12:40:15 +0000 hourly 1 http://wordpress.org/?v=3.3.1 Comment on ASA VPN with Address Overlap by Paul Stewart, CCIE 26009 (Security) http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/#comment-315 Paul Stewart, CCIE 26009 (Security) Tue, 21 Feb 2012 12:40:15 +0000 http://packetu.com/?p=647#comment-315 There's no such thing as a stupid question. That is a good question. The nat configuration on the business partner ASA would depend on how the global addresses relate to their internal network. If they need changed as the enter and leave their network, they would need to configure their nat accordingly. The crypto logic on the ASA is on the outside of the ASA. therefore if the business partner is using an ASA, the crypto configuration will be a mirror image to the enterprise ASA. There’s no such thing as a stupid question. That is a good question. The nat configuration on the business partner ASA would depend on how the global addresses relate to their internal network. If they need changed as the enter and leave their network, they would need to configure their nat accordingly. The crypto logic on the ASA is on the outside of the ASA. therefore if the business partner is using an ASA, the crypto configuration will be a mirror image to the enterprise ASA.

]]> Comment on ASA VPN with Address Overlap by Rod http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/#comment-314 Rod Tue, 21 Feb 2012 12:31:11 +0000 http://packetu.com/?p=647#comment-314 Hi, great article. Have a maybe stupid question though.. Is the configurations above made to the ASA of the inside network? And then I need to apply a mirrored config to the Business Partner ASA? Hi, great article. Have a maybe stupid question though.. Is the configurations above made to the ASA of the inside network? And then I need to apply a mirrored config to the Business Partner ASA?

]]> Comment on The “ip subnet-zero” Command by Paul Stewart, CCIE 26009 (Security) http://www.packetu.com/2011/11/14/the-ip-subnet-zero-command/#comment-311 Paul Stewart, CCIE 26009 (Security) Sun, 19 Feb 2012 18:36:27 +0000 http://packetu.com/wordpress/?p=89#comment-311 That is my experience as well. My guess is there may be differences in some IOS versions. I see plenty of people claiming ip subnet-zero affects the all 1's and all 0's subnet. But I typically see it affecting the all 0's subnet--and that is what the name implies as well. That is my experience as well. My guess is there may be differences in some IOS versions. I see plenty of people claiming ip subnet-zero affects the all 1′s and all 0′s subnet. But I typically see it affecting the all 0′s subnet–and that is what the name implies as well.

]]> Comment on The “ip subnet-zero” Command by Bibelo http://www.packetu.com/2011/11/14/the-ip-subnet-zero-command/#comment-310 Bibelo Sun, 19 Feb 2012 18:13:59 +0000 http://packetu.com/wordpress/?p=89#comment-310 Thank you for the examples. Contrary to what is explained in many other forum, it seems the last subnet is absolutely not concerned by the ip subnet-zero command. Whether it's activated or not, the last subnet can be used on the interface. Can you confirm? Thank you. Thank you for the examples.

Contrary to what is explained in many other forum, it seems the last subnet is absolutely not concerned by the ip subnet-zero command. Whether it’s activated or not, the last subnet can be used on the interface. Can you confirm?

Thank you.

]]> Comment on Traceroute Through the ASA by Paul Stewart, CCIE 26009 (Security) http://www.packetu.com/2009/10/09/traceroute-through-the-asa/#comment-309 Paul Stewart, CCIE 26009 (Security) Sat, 18 Feb 2012 19:54:20 +0000 http://packetu.com/wordpress/?p=228#comment-309 Ed, I have been experimenting with "icmp inspection error". That is an interesting and underdocumented command (to say the least). I was planning on writing a post on it (and may still do that at some point), when I found a <a href="http://astorinonetworks.com/2012/02/13/asa-icmp-error-inspection/" rel="nofollow">great blog post</a> by Joe Astorino. One challenge I have found to this command (at least in my initial testing) is that if there is a configuration that matches a PAT entry for the intermediary hosts, the ASA drops the outgoing icmp errors if error inspection is enabled. When it does, it produces the error below. I'll try to keep this thread posted if I post a inbound equivalent of this article Error: %ASA-3-305006: regular translation creation failed for icmp src inside:192.168.3.2 dst outside:192.0.2.1 (type 3, code 3) Ed, I have been experimenting with “icmp inspection error”. That is an interesting and underdocumented command (to say the least). I was planning on writing a post on it (and may still do that at some point), when I found a great blog post by Joe Astorino. One challenge I have found to this command (at least in my initial testing) is that if there is a configuration that matches a PAT entry for the intermediary hosts, the ASA drops the outgoing icmp errors if error inspection is enabled. When it does, it produces the error below. I’ll try to keep this thread posted if I post a inbound equivalent of this article

Error:
%ASA-3-305006: regular translation creation failed for icmp src inside:192.168.3.2 dst outside:192.0.2.1 (type 3, code 3)

]]> Comment on Traceroute Through the ASA by Paul Stewart, CCIE 26009 (Security) http://www.packetu.com/2009/10/09/traceroute-through-the-asa/#comment-306 Paul Stewart, CCIE 26009 (Security) Wed, 15 Feb 2012 21:44:50 +0000 http://packetu.com/wordpress/?p=228#comment-306 Depending on the desktop operating system, you would most likely be initiating an ICMP (Windows) or UDP (Linux) based traceroute. So those packets would need to be delivered toward the destination. This means that there might need to be a "static" or equivalent "nat" (in 8.4) statement in the new syntax. Exceptions would also be required in the applicable ACL's. Additionally, the ICMP messages (TTL Exceeded and Unreachables) would need to flow back in the other direction. For the ASA itself to show up in the trace, the TTL would need to be decremented as described in this article. I doubt that would work on the transparent FWSM since it is basically a bump on the wire. Some additional magic can be performed on the ICMP messages as they flow back toward the desktop. This is invoked by enabling "ip inspect error" on the applicable policy-map. This will cause the real IP addresses to be exposed to the station that initiated the trace. I wish I had an 8.4 inbound example readily available, but I don't today. I'll try to get one out there in the future. Depending on the desktop operating system, you would most likely be initiating an ICMP (Windows) or UDP (Linux) based traceroute. So those packets would need to be delivered toward the destination. This means that there might need to be a “static” or equivalent “nat” (in 8.4) statement in the new syntax. Exceptions would also be required in the applicable ACL’s. Additionally, the ICMP messages (TTL Exceeded and Unreachables) would need to flow back in the other direction.

For the ASA itself to show up in the trace, the TTL would need to be decremented as described in this article. I doubt that would work on the transparent FWSM since it is basically a bump on the wire.

Some additional magic can be performed on the ICMP messages as they flow back toward the desktop. This is invoked by enabling “ip inspect error” on the applicable policy-map. This will cause the real IP addresses to be exposed to the station that initiated the trace.

I wish I had an 8.4 inbound example readily available, but I don’t today. I’ll try to get one out there in the future.

]]> Comment on Traceroute Through the ASA by Ed http://www.packetu.com/2009/10/09/traceroute-through-the-asa/#comment-305 Ed Wed, 15 Feb 2012 20:41:29 +0000 http://packetu.com/wordpress/?p=228#comment-305 Hi Paul, I want to enable traceroutes through from my desktop to a secure network. Path is as follows: Desktop -> router -> FWSM v3.2(4) (transparent mode, multi context) -> ASA 5520 v8.4(2) (routed mode) -> secure network. Any help is appreciated. Hi Paul, I want to enable traceroutes through from my desktop to a secure network. Path is as follows:
Desktop -> router -> FWSM v3.2(4) (transparent mode, multi context) -> ASA 5520 v8.4(2) (routed mode) -> secure network. Any help is appreciated.

]]> Comment on ASA VPN with Address Overlap by Paul Stewart, CCIE 26009 (Security) http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/#comment-280 Paul Stewart, CCIE 26009 (Security) Mon, 30 Jan 2012 23:47:29 +0000 http://packetu.com/?p=647#comment-280 I know this is probably not what you want to hear, but in my case we have tried to nat everything to a non-RFC1918 that was owned by our customer. Then we only had to worry about destination overlap. I don’t know of an elegant solution to your problem. You could do something really ugly like policy nat it in a router before it gets to the ASA. Then you could use a completely separate set of translations in the firewall. Very ugly. I know this is probably not what you want to hear, but in my case we have tried to nat everything to a non-RFC1918 that was owned by our customer. Then we only had to worry about destination overlap. I don’t know of an elegant solution to your problem. You could do something really ugly like policy nat it in a router before it gets to the ASA. Then you could use a completely separate set of translations in the firewall. Very ugly.

]]>