Take this for example, from an ASA5505 running 9.1.1-4;
-->
ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s) with nameif already configured.
Okay, so what does that really mean? Well, first let's look at our show version output;
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1515Z135
Running Permanent Activation Key: 0x65285667 0x9c212c13 0x7c505978 0xbaecc4d4 0xc231aa90
Configuration register is 0x1
Notice the "DMZ Restricted"? Hmm... I bet you didn't realize that.
Well, let's look at Cisco's website and the ASA5505 as they currently list it on the site as of today, 03/21/2013;
http://www.cisco.com/en/US/customer/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
I'm going to zero in on the Cisco "gotcha": take a look at the interface counts, and the virtual interfaces, as listed in the specifications. Look very, very closely :)
Okay, I will help out some by highlighting the area ( see above ). It simply says 3 virtual interfaces. No hint or warning about any type of restriction. Let's look further into what's on the Cisco website;
No restrictions right ? Wrong !
So what about the Base license, any clues in that? Well, let's look at it.
Nothing here either :(
The earlier posted warning is basically saying: " you're screwed, because we ( Cisco ) are greedy and want to charge you for everything ". You have 3 interfaces ( virtually ), but you can't use them the way most individuals would think or expect to use them.
To wrap up my post;
Here are my current virtual interfaces;
asaken# show ip add
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.110.1 255.255.255.0 CONFIG
Vlan2 outside 0.0.1.175 255.255.255.0 DHCP
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.110.1 255.255.255.0 CONFIG
Vlan2 outside 0.0.1.175 255.255.255.0 DHCP
asaken#
route table;
Gateway of last resort is xx.xx.52.1 to network 0.0.0.0
C 192.168.110.0 255.255.255.0 is directly connected, inside
C xx.xx.1.0 255.255.255.0 is directly connected, outside
d* 0.0.0.0 0.0.0.0 [1/0] via xx.52.1.1, outside
asaken#
So I have a 2-interface model, a simple inside+outside on vlan1 and vlan2. So in order to create a 3rd interface, I can only create it with forwarding disabled to one of the existing two.
asaken(config-if)# no forward interface ?
interface mode commands/options:
Vlan Catalyst Vlans
asaken(config-if)# no forward interface vlan 1
asaken(config-if)#
Okay fine, I picked forwarding to my outside interface only, so inside can only speak to the outside and my newly crafted inside1 can only speak to the outside.
!
interface Vlan3
description inside1
no forward interface Vlan1
nameif inside1
security-level 100
ip address 192.168.111.1 255.255.255.0
Okay, so now I have my 3rd interface, and can configure rules, policy and so on. So now we can configure the rest of the unit, with the exception that vlan1 and vlan3 would never talk. Let's explore that;
Here are my DHCP bindings for vlan1 and vlan3;
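Before committing a third VLAN to a Base-license 5505, it helps to check the running config offline for the rule the ERROR above spells out: any nameif'd VLAN beyond the second must carry "no forward interface". The script below is an added example, not the post's own tooling nor anything from Cisco. It parses the interface stanzas from a constructed config fragment modelled on the three VLANs above, decides whether the Base license would accept it, and models the one direction the post tests (a host on the restricted VLAN trying to reach the VLAN named in "no forward interface"). The helper names (parse_interfaces, would_be_rejected, can_initiate, report) and the sample config are assumptions for the example; security-level and same-security-traffic are deliberately ignored, matching the observation that neither lifts the restriction.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed running-config fragment modelled on the three VLANs in the
# post: Vlan1 (inside), Vlan2 (outside) and the new Vlan3 (inside1) that
# carries "no forward interface Vlan1".  Not copied from a real device.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.110.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 description inside1
 no forward interface Vlan1
 nameif inside1
 security-level 100
 ip address 192.168.111.1 255.255.255.0
!
"""

# Same config without the restriction: the shape the Base license rejects
# with the ERROR quoted at the top of the post.
SAMPLE_CONFIG_UNRESTRICTED = SAMPLE_CONFIG.replace(" no forward interface Vlan1\n", "")


@dataclass
class VlanIf:
    name: str                            # e.g. "Vlan3"
    nameif: Optional[str] = None         # e.g. "inside1"
    no_forward_to: Optional[str] = None  # e.g. "Vlan1"
    security_level: Optional[int] = None
    ip_address: Optional[str] = None


def parse_interfaces(config: str) -> List[VlanIf]:
    """Pull the license-relevant lines out of each 'interface VlanN' stanza."""
    ifaces: List[VlanIf] = []
    current: Optional[VlanIf] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = VlanIf(name=raw.split(None, 1)[1].strip())
            ifaces.append(current)
            continue
        if current is None or not raw.startswith(" "):
            current = None  # '!' or any top-level command ends the stanza
            continue
        cmd = raw.strip()
        if cmd.startswith("nameif "):
            current.nameif = cmd.split(None, 1)[1]
        elif cmd.startswith("no forward interface "):
            current.no_forward_to = cmd.split(None, 3)[3]
        elif cmd.startswith("security-level "):
            current.security_level = int(cmd.split()[1])
        elif cmd.startswith("ip address "):
            current.ip_address = cmd.split(None, 2)[2]
    return ifaces


def would_be_rejected(ifaces: List[VlanIf], max_unrestricted: int = 2) -> bool:
    """Base-license rule as the ERROR states it: at most two nameif'd VLANs
    may lack a 'no forward interface' command."""
    named = [i for i in ifaces if i.nameif]
    unrestricted = [i for i in named if not i.no_forward_to]
    return len(unrestricted) > max_unrestricted


def can_initiate(ifaces: List[VlanIf], src_nameif: str, dst_nameif: str) -> bool:
    """Direction the post tested: a host on the restricted VLAN cannot reach
    the VLAN named in its 'no forward interface'.  Security levels and
    same-security-traffic are ignored on purpose (they did not help)."""
    by_nameif: Dict[str, VlanIf] = {i.nameif: i for i in ifaces if i.nameif}
    src, dst = by_nameif[src_nameif], by_nameif[dst_nameif]
    if src.no_forward_to and src.no_forward_to.lower() == dst.name.lower():
        return False
    return True


def report(config: str) -> List[str]:
    """Human-readable audit of one config: interfaces, verdict, isolated paths."""
    ifaces = parse_interfaces(config)
    lines = [f"{i.name:<6} nameif={i.nameif} no_forward_to={i.no_forward_to}"
             for i in ifaces if i.nameif]
    lines.append("REJECTED by Base license" if would_be_rejected(ifaces)
                 else "accepted by Base license")
    for i in ifaces:
        if i.nameif and i.no_forward_to:
            peer = next((p.nameif for p in ifaces
                         if p.name.lower() == i.no_forward_to.lower()), i.no_forward_to)
            lines.append(f"{i.nameif} cannot initiate traffic to {peer}")
    return lines


if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, SAMPLE_CONFIG_UNRESTRICTED):
        print("\n".join(report(cfg)), end="\n\n")
```

Run it as-is and the first report shows the three-VLAN config accepted with "inside1 cannot initiate traffic to inside", while the copy lacking the restriction is flagged as rejected; feed it a real "show running-config" instead of the constructed sample to audit a live box before the ASA does it for you.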
asaken# show dhcpd bind
IP address Client Identifier Lease expiration Type
192.168.110.2 0140.6c8f.0318.c4 3451 seconds Automatic
192.168.110.3 01c8.2a14.0567.78 3588 seconds Automatic
192.168.111.2 0140.6c8f.0318.c4 3516 seconds Automatic
asaken#
and route table;
Gateway of last resort is xx.xx.1.1 to network 0.0.0.0
C 192.168.110.0 255.255.255.0 is directly connected, inside
C 192.168.111.0 255.255.255.0 is directly connected, inside1
C xx.xx.1.0 255.255.255.0 is directly connected, outside
d* 0.0.0.0 0.0.0.0 [1/0] via xx.xx.1.1, outside
asaken#
So if a person in vlan1 tries to ping a machine in vlan3;
Last login: Thu Mar 21 05:19:21 on ttys000
KenENG009:~ kfelix$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
ether 40:6c:8f:03:18:c4
inet6 fe80::426c:8fff:fe03:18c4%en0 prefixlen 64 scopeid 0x4
inet 192.168.111.2 netmask 0xffffff00 broadcast 192.168.111.255
inet6 2001:db8::426c:8fff:fe03:18c4 prefixlen 64 autoconf
inet6 2001:db8::ecd5:27ab:d636:ab62 prefixlen 64 autoconf temporary
media: autoselect (100baseTX <full-duplex>)
status: active
KenENG009:~ kfelix$ ping 192.168.110.3
PING 192.168.110.3 (192.168.110.3): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
^C
--- 192.168.110.3 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
KenENG009:~ kfelix$ ping 192.168.110.2
PING 192.168.110.2 (192.168.110.2): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
cRequest timeout for icmp_seq 2
^C
--- 192.168.110.2 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
And this is regardless of whether we have the same security-level or even permit same-security inter-interface traffic;
asaken# show run int vlan 1 | i security
security-level 100
asaken# show run int vlan 3 | i security
security-level 100
asaken# show run sma
asaken# show run sam
asaken# show run same-security-traffic
same-security-traffic permit inter-interface
asaken#
What I found is actually happening: the firewall NATs you through, even though you would not expect this;
asaken# show xlate interface inside1
19 in use, 441 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
ICMP PAT from inside1:192.168.111.2/55319 to outside:xx.xx.1.175/55319 flags ri idle 0:00:02 timeout 0:00:30
ICMP PAT from inside1:192.168.111.2/54807 to outside:xx.xx.1.175/54807 flags ri idle 0:00:04 timeout 0:00:30
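The translation table is the place to confirm what the author saw: a probe from the restricted VLAN shows up as a dynamic ICMP PAT to the outside address instead of being dropped. The parser below is an added example, not part of the post or of any Cisco tool. It reads a constructed "show xlate" sample in the same shape as the output above (the redacted outside address is replaced with the documentation address 203.0.113.175), decodes the flag letters using the legend printed in that output, and lists the translations that left a given source interface via outside. The function names (parse_xlate, decode_flags, egress_from, summary) and the sample lines are assumptions for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed 'show xlate' output in the shape the post shows; the redacted
# outside address is replaced by a documentation address.  Not real data.
SAMPLE_XLATE = """\
3 in use, 441 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
ICMP PAT from inside1:192.168.111.2/55319 to outside:203.0.113.175/55319 flags ri idle 0:00:02 timeout 0:00:30
ICMP PAT from inside1:192.168.111.2/54807 to outside:203.0.113.175/54807 flags ri idle 0:00:04 timeout 0:00:30
TCP PAT from inside:192.168.110.3/51002 to outside:203.0.113.175/51002 flags ri idle 0:00:10 timeout 0:00:30
"""

# Flag legend exactly as the output header prints it.
FLAG_LEGEND: Dict[str, str] = {
    "D": "DNS", "e": "extended", "I": "identity", "i": "dynamic",
    "r": "portmap", "s": "static", "T": "twice", "N": "net-to-net",
}

# One translation line; the protocol prefix and the /port parts are optional
# so that static NAT entries without them still parse.
XLATE_RE = re.compile(
    r"^(?:(?P<proto>\w+) )?(?P<kind>PAT|NAT) from "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))? "
    r"flags (?P<flags>\S+)(?: idle (?P<idle>\S+))?(?: timeout (?P<timeout>\S+))?"
)


@dataclass
class Xlate:
    proto: str
    kind: str
    src_if: str
    src_ip: str
    src_port: Optional[int]
    dst_if: str
    dst_ip: str
    dst_port: Optional[int]
    flags: str
    idle: Optional[str]
    timeout: Optional[str]


def parse_xlate(text: str) -> List[Xlate]:
    """Return one Xlate per translation line; header and legend lines are skipped."""
    entries: List[Xlate] = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append(Xlate(
            proto=d["proto"] or "any", kind=d["kind"],
            src_if=d["src_if"], src_ip=d["src_ip"],
            src_port=int(d["src_port"]) if d["src_port"] else None,
            dst_if=d["dst_if"], dst_ip=d["dst_ip"],
            dst_port=int(d["dst_port"]) if d["dst_port"] else None,
            flags=d["flags"], idle=d["idle"], timeout=d["timeout"],
        ))
    return entries


def decode_flags(flags: str) -> List[str]:
    """Expand 'ri' into ['portmap', 'dynamic'] using the printed legend."""
    return [FLAG_LEGEND.get(c, f"unknown({c})") for c in flags]


def egress_from(entries: List[Xlate], src_if: str, dst_if: str = "outside") -> List[Xlate]:
    """Translations that left src_if via dst_if.  For a 'no forward' VLAN this
    is where a probe aimed at the neighbouring VLAN ends up: PATed to the
    outside address rather than dropped, exactly as the post observed."""
    return [e for e in entries if e.src_if == src_if and e.dst_if == dst_if]


def summary(entries: List[Xlate]) -> Dict[str, int]:
    """Count translations per source->destination interface and protocol."""
    return dict(Counter(f"{e.src_if}->{e.dst_if}/{e.proto}" for e in entries))


if __name__ == "__main__":
    xl = parse_xlate(SAMPLE_XLATE)
    for e in egress_from(xl, "inside1"):
        print(f"{e.proto} {e.src_ip}/{e.src_port} -> {e.dst_if} {e.dst_ip}/{e.dst_port} "
              f"flags={','.join(decode_flags(e.flags))} idle={e.idle}")
    print(summary(xl))
```

Paste the real table in place of SAMPLE_XLATE and filter on the restricted nameif to watch whether hosts on that VLAN are being translated out while they try to reach a neighbouring subnet.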
So plan accordingly if you're going to buy a Cisco ASA product. You will run into hurdles and limitations. Cisco's main goal, as I see it;
- is for you to forklift into a bigger chassis
- purchase some type of license-enhancement upgrade
Ken Felix
Freelance Network/Security Engineer
kfelix at hyperfeed d-o-t com
Friends don't let friends buy ASA :)