Downloads stall or stop on a Cisco 877 Router using Zone Based Firewall

I was setting up a Cisco 877 router on an ADSL2 BT Broadband connection this week and came across an issue when downloading large files from the Internet. With the router configured and connected, everything appeared to be working OK. The ADSL connection was stable, and the VPN tunnel was up and transferring data happily. I performed a few more checks, one of which was to run a speed test using speedtest.net. The test started fine, downloading at around 6.5Mb per sec, but when it got halfway through it stalled and didn’t complete. Following this I tried to download a 600MB ISO file using my web browser. It downloaded about 100MB and then stalled. Subsequent attempts produced similar results: sometimes I could only download a couple of MB, sometimes 50MB to 100MB, but at some point the download would stop and not get any further.

Interestingly, I didn’t seem to get this problem when transferring files over the Site to Site VPN connection, as I transferred around 400MB of data across the VPN without issue. This made me think that it could be something to do with traffic inspection on the zone based firewall. I did a little digging on the Internet, and found some information relating to out of order packets on Cisco equipment using the Zone Based Firewall. Other reports suggested that if you remove the zone based firewall, downloads proceed normally. It seemed quite a few people have had the same issue that I was having, and there were a few steps that could be taken for verification.

Firstly, in configuration mode set the logging level on the device to ‘debugging’:

router(config)# logging buffered 51200 debugging

Next, turn on logging of dropped packets:

router(config)# ip inspect log drop-pkt

At this stage if you are running in a telnet session you can use the following command to output debug messages to your session:

router(config)# terminal monitor

Alternatively, you can view the log file after testing by running:

router# show logging

After adding the commands to log dropped packets, I kicked off the ISO download again and waited for it to stall. Sure enough, after it stopped downloading I got the following message logged (IP addresses have been removed):

%FW-6-DROP_PKT: Dropping tcp session X.X.X.X:80 X.X.X.X:52334 due to Out-Of-Order Segment with ip ident 0
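To spot this condition without reading the whole log by eye, here is an added example (not code from the original post) that parses %FW-6-DROP_PKT lines from show logging output and counts Out-Of-Order drops per TCP session; the log lines it runs over are constructed samples in the format of the message quoted above.

```python
import re
from collections import Counter

# Constructed sample of "show logging" output (not from the original post); the
# addresses are RFC 5737 documentation ranges standing in for the real ones.
SAMPLE_LOG = """\
*Mar  1 10:15:02.123: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.10:80 192.0.2.5:52334 due to Out-Of-Order Segment with ip ident 0
*Mar  1 10:15:02.456: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.10:80 192.0.2.5:52334 due to Out-Of-Order Segment with ip ident 0
*Mar  1 10:16:40.001: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.22:443 192.0.2.5:52400 due to Out-Of-Order Segment with ip ident 0
*Mar  1 10:17:05.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Field layout follows the message quoted in the post: in that example the first
# endpoint was the web server (port 80) and the second the downloading client.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<remote>[\d.]+:\d+) (?P<local>[\d.]+:\d+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+)"
)

def parse_drops(log_text):
    """One dict per %FW-6-DROP_PKT line; lines from other facilities are skipped."""
    return [m.groupdict() for m in map(DROP_RE.search, log_text.splitlines()) if m]

def out_of_order_sessions(drops):
    """Count Out-Of-Order drops per (proto, remote, local) session. Several hits on
    the same session are the signature of a download that has stalled."""
    counts = Counter()
    for d in drops:
        if d["reason"].lower().startswith("out-of-order"):
            counts[(d["proto"], d["remote"], d["local"])] += 1
    return counts

if __name__ == "__main__":
    for session, n in out_of_order_sessions(parse_drops(SAMPLE_LOG)).most_common():
        print(n, "out-of-order drop(s) on", *session)
```

Paste the real output of show logging into SAMPLE_LOG (or read it from a file) and any session that keeps appearing is the one whose download is being cut off.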

Apparently the zone based firewall has a bit of an issue with out of order packets, but fortunately support for out of order packets has been introduced in IOS versions 15 and above. This 877 router was running IOS version c870-advsecurityk9-mz.124-24.T7.bin. There was only the standard 24MB flash in this router so I upgraded to IOS version c870-advsecurityk9-mz.151-1.T4.bin.

After applying this upgrade the issue was fixed, and downloads proceeded normally.

References:

https://supportforums.cisco.com/thread/2089462

http://www.dslreports.com/forum/r24332834-Config-Zonebased-firewall-and-outororder-dropped-packets

Cisco ASA (8.4) to PIX (6.x) Site to Site VPN example

Here is a basic example of a site to site VPN between a Cisco ASA firewall running version 8.3 or higher, and a Cisco PIX firewall running version 6.x.

Configuration for the Cisco ASA side of the connection:

Define network objects for your internal subnets:

object network Main-Office
subnet 192.168.1.0 255.255.255.0

object network Branch-Office
subnet 192.168.2.0 255.255.255.0

Create an access list for the VPN traffic using the network objects that you have created:

access-list VPN-to-Branch-Office extended permit ip object Main-Office object Branch-Office

Use double NAT (effectively no NAT) to ensure the traffic travelling across the VPN tunnel will not have NAT applied to it:

nat (inside,outside) source static Main-Office Main-Office destination static Branch-Office Branch-Office

Create a transform set using the encryption of your choice, in this case AES 128:

crypto ipsec ikev1 transform-set myset-aes128 esp-aes esp-sha-hmac

Ensure IKE version 1 is enabled on the outside interface:

crypto ikev1 enable outside

Create a policy for phase 1 of the VPN connection:

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400

Configure a tunnel group containing the Pre Shared Key:

tunnel-group 172.16.0.2 type ipsec-l2l
tunnel-group 172.16.0.2 ipsec-attributes
ikev1 pre-shared-key My53cr3tPSK

Create a crypto map for phase 2 of the VPN connection:

crypto map myvpnmap 10 match address VPN-to-Branch-Office
crypto map myvpnmap 10 set pfs group5
crypto map myvpnmap 10 set peer 172.16.0.2
(172.16.0.2 should be the IP of the outside interface of the PIX you are connecting to)
crypto map myvpnmap 10 set ikev1 transform-set myset-aes128
crypto map myvpnmap interface outside


Configuration for the Cisco PIX side of the connection:

Configure an access list for the VPN tunnel:

access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Make sure NAT is not applied to traffic passing across the VPN tunnel:

nat (inside) 0 access-list 100

Configure the PIX to permit IPSEC:

sysopt connection permit-ipsec

Create a policy for phase 1 of the VPN connection:

isakmp enable outside

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

Configure keepalives to match the ASA default of a 10 second keepalive interval with a 2 second retry:

isakmp keepalive 10

Create a transform set to match the ASA end of the connection, in this case AES 128:

crypto ipsec transform-set myset-aes128 esp-aes esp-sha-hmac

Create a crypto map for phase 2 of the VPN connection:

crypto map myvpnmap 10 ipsec-isakmp
crypto map myvpnmap 10 match address 100
crypto map myvpnmap 10 set pfs group5
crypto map myvpnmap 10 set peer 172.16.0.1
(172.16.0.1 should be the IP of the outside interface of the ASA you are connecting to, the same address the pre-shared key below is bound to)
crypto map myvpnmap 10 set transform-set myset-aes128
crypto map myvpnmap interface outside

Configure the Pre Shared Key to match the other end of the connection:

isakmp key My53cr3tPSK address 172.16.0.1 netmask 255.255.255.255 no-xauth no-config-mode
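Because a phase 1 or phase 2 mismatch between the two boxes is the usual reason such a tunnel fails to come up, here is an added check (example code, not part of the original post) that pulls the negotiated parameters out of both configurations above and reports anything that differs, and also confirms that each side's set peer address is the one its pre-shared key is bound to. The two configuration excerpts are constructed from the post's own sample values.

```python
import re

# Excerpts of the ASA and PIX configurations from the post (constructed sample input).
ASA_CFG = """\
crypto ipsec ikev1 transform-set myset-aes128 esp-aes esp-sha-hmac
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
tunnel-group 172.16.0.2 type ipsec-l2l
 ikev1 pre-shared-key My53cr3tPSK
crypto map myvpnmap 10 set pfs group5
crypto map myvpnmap 10 set peer 172.16.0.2
"""
PIX_CFG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
crypto ipsec transform-set myset-aes128 esp-aes esp-sha-hmac
crypto map myvpnmap 10 set pfs group5
crypto map myvpnmap 10 set peer 172.16.0.1
isakmp key My53cr3tPSK address 172.16.0.1 netmask 255.255.255.255 no-xauth no-config-mode
"""

# One regex per parameter; each alternation covers the ASA 8.x form and the PIX 6.x form.
P1 = r"(?:isakmp policy \d+ |^\s*)%s (\S+)"
PATTERNS = {k: P1 % k for k in ("authentication", "encryption", "hash", "group", "lifetime")}
PATTERNS.update({
    "transform": r"transform-set \S+ (esp-\S+ esp-\S+)",
    "pfs": r"set pfs (\S+)",
    "psk": r"(?:pre-shared-key|isakmp key) (\S+)",
    "peer": r"set peer (\S+)",
    "psk_peer": r"(?:tunnel-group|isakmp key \S+ address) (\S+)",   # address the PSK is bound to
})
NEGOTIATED = ("authentication", "encryption", "hash", "group", "lifetime", "transform", "pfs", "psk")

def extract(cfg):
    # Pull each parameter out of one side's configuration text (None if absent).
    return {k: (m.group(1) if (m := re.search(p, cfg, re.M)) else None)
            for k, p in PATTERNS.items()}

def mismatches(asa, pix):
    bad = [k for k in NEGOTIATED if asa[k] != pix[k]]
    # 'set peer' on each side must be the address its pre-shared key is configured for
    bad += [s + "_peer" for s, p in (("asa", asa), ("pix", pix)) if p["peer"] != p["psk_peer"]]
    return bad
```

An empty list from mismatches(extract(ASA_CFG), extract(PIX_CFG)) means the two ends agree on every setting that is negotiated; any name returned is the line to go back and compare.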

Enable ssh on a Cisco PIX firewall

To enable ssh on a Cisco PIX firewall, firstly make sure you have set a hostname and domain name:

pixfirewall(config)# hostname myfirewall

myfirewall(config)# domain-name oasysadmin.local

Set an enable password and telnet password:

myfirewall(config)# enable password 3n48lePa55word

myfirewall(config)# passwd t3ln3tPa55word

Next generate an RSA key pair by issuing the following command:

myfirewall(config)# ca generate rsa key 2048

Then save the key:

myfirewall(config)# ca save all

Next specify the hosts or networks that you want to be able to access the device through ssh:

ssh 192.168.1.0 255.255.255.0 inside

Finally, use an ssh client such as PuTTY to access your device, specifying pix as the username and your telnet password as the password.