Topic 'Re: ASA vs ZBFW' in forum 'Cisco' - dslreports.com

Re: ASA vs ZBFW

Wed, 28 Nov 2012 19:53:23 EDT

RyanG1 posted : So just to come full circle on this... i figured out what was going on.

the router is not tracking the connections properly and anything that was coming back was being denied (but not logged as a deny!)... i figured the only thing i had not done was bump to a higher rev IOS... that did the trick. All consoles now report as open connectivity and ZBFW is processing the traffic just as the ASA does (cpu load is decreased now as well when maxing out my internet download).... i could not find any bugs on this at all from any source.....

went from c890-universalk9-mz.152-2.T1 to c890-universalk9-mz.152-3.T

*shrug*

i should have tried that first but whatever... i hope this helps someone else in the future =)

ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams

Re: ASA vs ZBFW

Sat, 17 Nov 2012 15:53:45 EDT

RyanG1 posted : yea i captured traffic coming inbound on the WAN interface and its identical for the most part.

Im just going to shelve this for now and revisit later.

Re: ASA vs ZBFW

Sat, 17 Nov 2012 01:40:36 EDT

HELLFIRE posted :

said by RyanG1:

Honestly if i could find even one shred of info as to how the xbox live service tests, im sure i could find the reasoning to whats going on here but... meh... nothing.

Wireshark it? But I feel your pain. I got a doozy of a one at work... ipad + ios 5 or 6 + two redundant pods of firewalls, POD A is one revision of code behind POD B. Go thru one pod, it works; go thru the other one it borks. Last I heard, SOMEone (not me thankfully) has to put in a call to Apple to see why their wonderful new toy is acting so screwy.

Regards

Re: ASA vs ZBFW

Fri, 16 Nov 2012 03:16:36 EDT

RyanG1 posted : Yea i ran a debug on both and logged all traffic and the only difference is that the asa doesnt bind the global public port to the same inside local port and IOS does. I dont think this is the reasoning behind it and i may just put my ASA back in front and have it handle all NAT.

Honestly if i could find even one shred of info as to how the xbox live service tests, im sure i could find the reasoning to whats going on here but... meh... nothing.

I just hate situations where it feels like a simple issue but the lack of information about the problem grinds everything to a halt. It also bugs me since i cant figure it out lol.

Who knows maybe someone will google search this and come up with an answer to this burning question...and should i come across the solution ill post it =)

I agree though, the asa product is a rather nice piece of hardware and i find it very simple to manage compared to the ordeal of ZBFW haha.

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams

Re: ASA vs ZBFW

Fri, 16 Nov 2012 02:49:12 EDT

HELLFIRE posted : Couldnt tell you either RyanG1. Unfortunately I don't have the nuts and bolts into either IOS or ASA-OS to tell how
they work. Only way to know possibly would be to go into debug mode -- don't know if you want to try that or not.

I haven't run ASA much of late, but I do agree while CBAC / ZBFW just works, ya can't beat the ASA for security.

Regards

Re: ASA vs ZBFW

Fri, 16 Nov 2012 02:03:53 EDT

RyanG1 posted : well ive come to the conclusion that this must be some inherent difference in how its handling the connections that cannot be duplicated with ZBFW... or.... the asa is causing a false positive....im leaning towards this one but i dont have evidence to support it one way or the other...

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams

Re: ASA vs ZBFW

Tue, 13 Nov 2012 13:25:44 EDT

RyanG1 posted : yea if i do a port forward it reports Open on the one but the others report strict. Im really not even trying to do this to fix the handful of xboxs in the house... its more so to understand what the difference is. Im also kinda of wondering if the ASA is tricking the xbox service into thinking the connection is open... but im not sure and i have no evidence to support it. I personally believe the ASA is superior to ZFW but that's a biased opinion =p

Heres the ZFW config:

ip access-list extended acl_all_protocols_v4 permit gre any any permit tcp any any permit udp any any permit icmp any anyip access-list extended acl_fw_fpx_outside_in permit icmp any any permit tcp any any established permit tcp any eq bgp any permit tcp any any eq bgp deny   ip any anyip access-list extended acl_fw_outside_ports_in permit tcp any any eq 9990 permit tcp any any range 5500 5510 permit tcp any any eq 4490 permit tcp any any eq 3389 permit udp any any gt 1024 permit tcp any any eq 3074 permit udp any any eq 88class-map type inspect match-any cmap_all_protocols match access-group name acl_all_protocols_v6 match access-group name acl_all_protocols_v4class-map type inspect match-any cmap_outside_self_in match access-group name acl_fw_outside_self_inclass-map match-any cmap_qos_bw_high match access-group name acl_qos_bw_highclass-map match-any cmap_qos_bw_low match access-group name acl_qos_bw_lowclass-map match-any cmap_qos_bw_med match access-group name acl_qos_bw_medclass-map match-any cmap_police_bw_ftps match access-group name acl_police_bw_ftpsclass-map type inspect match-any cmap_outside_ports_in match access-group name acl_fw_outside_ports_inclass-map match-any cmap_qos_bw_other match access-group name acl_qos_bw_otherclass-map type inspect match-any cmap_fpx_outside_in match access-group name acl_fw_fpx_outside_in match access-group name acl_fw_fpx_outside_in_v6class-map match-any cmap_qos_priority description priority traffic queue match access-group name acl_qos_priorityclass-map type inspect match-any cmap_fpx_in match access-group name fpx_in!!policy-map type inspect Inside2FPX-Outside class type inspect cmap_all_protocols  inspect class class-default  drop logpolicy-map type inspect FPX-Outside2Inside class type inspect cmap_fpx_outside_in  inspect class class-default  drop logpolicy-map type inspect Inside2Outside class type inspect cmap_all_protocols  inspect  class class-default  drop logpolicy-map type inspect Outside2Inside class type inspect cmap_outside_ports_in  inspect  class type inspect cmap_all_protocols  inspect  class class-default  drop logpolicy-map type inspect Outside2Self class type inspect cmap_outside_self_in  inspect  class class-default  drop logpolicy-map type inspect Self2Outside class type inspect cmap_all_protocols  inspect  class class-default  drop log  zone security inside description inside zonezone security outside description outside zonezone security FPX-Outside description fpx tunnelzone-pair security Inside2Outside source inside destination outside service-policy type inspect Inside2Outsidezone-pair security Outside2Inside source outside destination inside service-policy type inspect Outside2Insidezone-pair security Inside2FPX-Outside source inside destination FPX-Outside service-policy type inspect Inside2FPX-Outsidezone-pair security FPX-Outside2Inside source FPX-Outside destination inside service-policy type inspect FPX-Outside2Inside

Heres the ASA config:

: Saved: Written by ryan.sa at 19:05:51.106 cdt Fri Nov 2 2012!ASA Version 8.2(5)6 !hostname fw-nat1enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Ethernet0/0 description to modem switchport access vlan 99!interface Ethernet0/1 switchport access vlan 100!interface Ethernet0/2 switchport access vlan 100!interface Ethernet0/3shutdown!interface Ethernet0/4 shutdown!interface Ethernet0/5 shutdown!interface Ethernet0/6 shutdown!interface Ethernet0/7 shutdown!interface Vlan1 no nameif no security-level no ip address!interface Vlan99 nameif outside security-level 0 ip address dhcp setroute!interface Vlan100 description to managed gig switch nameif inside security-level 100 ip address 192.168.6.1 255.255.255.248  ospf hello-interval 1 ospf dead-interval 3!boot system disk0:/asa825-6-k8.binftp mode passiveclock timezone cst -6clock summer-time cdt recurringsame-security-traffic permit inter-interfacesame-security-traffic permit intra-interfaceobject-group service outside_allow_ports_in service-object tcp eq 5500  service-object tcp eq 5501  service-object tcp eq 5502  service-object tcp eq 5503  service-object tcp eq 5504  service-object tcp eq 5505  service-object tcp eq 5506  service-object tcp eq 5507  service-object tcp eq 5508  service-object tcp eq 5509  service-object tcp eq 5510  service-object tcp eq 3074  service-object tcp eq 9990  service-object gre  service-object 41  service-object udp gt 1024  service-object esp  service-object udp eq 4500  service-object udp eq isakmp  service-object tcp eq 4490  service-object tcp eq 4491  service-object tcp eq 4489  service-object tcp eq 25565 service-object tcp range 6784 6786 object-group network deny-ip-in network-object host 187.114.255.224 network-object 0.0.0.0 255.0.0.0 network-object 127.0.0.0 255.0.0.0 network-object 169.254.0.0 255.255.0.0 network-object 192.0.0.0 255.255.255.0 network-object 192.0.2.0 255.255.255.0 network-object 198.18.0.0 255.254.0.0 network-object 198.51.100.0 255.255.255.0 network-object 203.0.113.0 255.255.255.0 network-object 224.0.0.0 240.0.0.0 network-object 240.0.0.0 240.0.0.0 network-object host 166.87.181.113object-group icmp-type icmp-allowed description "default ICMP types allowed" icmp-object echo-reply icmp-object unreachable icmp-object echo icmp-object time-exceeded icmp-object tracerouteaccess-list nat_acl extended permit ip 192.168.10.0 255.255.255.0 any access-list nat_acl extended permit ip 192.168.11.0 255.255.255.0 any access-list nat_acl extended permit ip 192.168.6.0 255.255.255.0 any access-list outside_in extended deny ip any object-group deny-ip-in log access-list outside_in extended deny ip object-group deny-ip-in any log access-list outside_in extended permit icmp any any object-group icmp-allowed access-list outside_in extended permit ip 192.168.6.248 255.255.255.248 192.168.10.0 255.255.255.0 access-list outside_in extended permit object-group outside_allow_ports_in any any access-list outside_in extended deny tcp any any log access-list outside_in extended deny udp any any log access-list outside_in extended deny ip any any log access-list nonat extended permit ip 192.168.10.0 255.255.255.0 host 172.32.2.1 access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.6.0 255.255.255.0 access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.237.0 255.255.255.0 access-list nonat extended permit ip 192.168.6.0 255.255.255.248 host 172.32.2.1 access-list nonat extended permit ip 192.168.6.0 255.255.255.248 host 172.31.2.1 access-list nonat extended permit ip 192.168.237.0 255.255.255.0 192.168.6.0 255.255.255.0 access-list nonat extended permit ip 192.168.6.0 255.255.255.0 192.168.237.0 255.255.255.0 access-list acl-qos-rdp extended permit tcp any any eq 3389 access-list acl-qos-rdp extended permit tcp any any eq 4489 access-list acl-qos-rdp extended permit tcp any any eq 4490 access-list acl-qos-rdp extended permit tcp any eq 3389 any access-list acl-qos-rdp extended permit tcp any eq 4489 any access-list acl-qos-rdp extended permit tcp any eq 4490 any access-list acl-qos-rdp extended permit tcp any eq 4491 any access-list acl-qos-xboxlive extended permit udp any any eq 3074 access-list acl-qos-halflife extended permit udp any any range 27000 27500 access-list torrent_conn_limit extended permit udp any gt 28000 any access-list torrent_conn_limit extended permit udp any any gt 28000 access-list torrent_conn_limit extended permit tcp any any gt 28000 access-list acl-qos-ip extended permit ip any host 4.2.2.2 access-list acl-qos-ip extended permit ip any host 50.56.228.65 access-list acl-qos-ip extended permit ip host 50.56.228.65 any access-list acl-qos-ftps extended permit tcp any range 5500 5510 any access-list CLIENTVPN extended permit ip 192.168.10.0 255.255.255.0 192.168.237.0 255.255.255.0access-list CLIENTVPN extended permit ip 192.168.6.0 255.255.255.0 192.168.237.0 255.255.255.0 access-list nat_acl_outside extended permit ip 192.168.237.0 255.255.255.0 any access-list ipsec11 extended permit ip 192.168.6.0 255.255.255.248 host 172.32.2.1 access-list ipsec11 extended permit gre 192.168.6.0 255.255.255.248 host 172.32.2.1 access-list inside_in extended permit ip any any access-list ipsec12 extended permit ip 192.168.6.0 255.255.255.248 host 172.31.2.1 access-list ipsec12 extended permit gre 192.168.6.0 255.255.255.248 host 172.31.2.1 access-list LABVPN extended permit ip host 192.168.10.254 192.168.237.0 255.255.255.0 pager lines 24logging enablelogging timestamplogging buffer-size 8192logging buffered notificationslogging trap warningslogging history warningslogging host inside 192.168.10.254logging message 302014 level debuggingflow-export destination inside 192.168.10.254 2055flow-export template timeout-rate 1flow-export delay flow-create 60mtu outside 1500mtu inside 1500ip local pool IPPOOL 192.168.237.1-192.168.237.254 mask 255.255.255.0no failovericmp unreachable rate-limit 10 burst-size 5icmp deny any outsideasdm image disk0:/asdm-523.binno asdm history enablearp timeout 14400global (outside) 1 interfacenat (outside) 1 access-list nat_acl_outsidenat (inside) 0 access-list nonatnat (inside) 1 access-list nat_aclstatic (inside,outside) tcp interface 4491 192.168.10.254 3389 netmask 255.255.255.255 static (inside,outside) tcp interface 9990 192.168.10.254 9990 netmask 255.255.255.255 static (inside,outside) tcp interface 5500 192.168.10.254 5500 netmask 255.255.255.255 static (inside,outside) tcp interface 5501 192.168.10.254 5501 netmask 255.255.255.255 static (inside,outside) tcp interface 5502 192.168.10.254 5502 netmask 255.255.255.255 static (inside,outside) tcp interface 5503 192.168.10.254 5503 netmask 255.255.255.255 static (inside,outside) tcp interface 5504 192.168.10.254 5504 netmask 255.255.255.255 static (inside,outside) tcp interface 5505 192.168.10.254 5505 netmask 255.255.255.255 static (inside,outside) tcp interface 5506 192.168.10.254 5506 netmask 255.255.255.255 static (inside,outside) tcp interface 5507 192.168.10.254 5507 netmask 255.255.255.255 static (inside,outside) tcp interface 5508 192.168.10.254 5508 netmask 255.255.255.255 static (inside,outside) tcp interface 5509 192.168.10.254 5509 netmask 255.255.255.255 static (inside,outside) tcp interface 5510 192.168.10.254 5510 netmask 255.255.255.255 static (inside,outside) tcp interface 25565 192.168.10.254 25565 netmask 255.255.255.255 static (inside,outside) tcp interface 6784 192.168.10.101 6784 netmask 255.255.255.255 static (inside,outside) tcp interface 6785 192.168.10.101 6785 netmask 255.255.255.255 static (inside,outside) tcp interface 6786 192.168.10.101 6786 netmask 255.255.255.255 static (inside,outside) tcp interface 4490 192.168.10.101 3389 netmask 255.255.255.255 access-group outside_in in interface outsideaccess-group inside_in in interface inside!!router ospf 2004 network 192.168.6.0 255.255.255.248 area 11 log-adj-changes default-information originate metric-type 1!timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyaaa-server radius-auth protocol radius reactivation-mode timedaaa-server radius-auth (inside) host 192.168.10.253 key testaaa-server TACACS+ protocol tacacs+ reactivation-mode timedaaa-server TACACS+ (inside) host 192.168.10.253 timeout 2 key ZaQ1@wSx#aaa authentication http console LOCAL aaa authentication telnet console LOCAL aaa authentication ssh console TACACS+ LOCALaaa authentication enable console TACACS+ LOCALaaa authorization command LOCAL http server enable 8443http 192.168.10.0 255.255.255.0 insidesnmp-server host inside 192.168.10.254 poll community home.lan! version 2cno snmp-server locationno snmp-server contactsnmp-server community home.lan!snmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map home 65535 set transform-set ESP-AES-SHAcrypto dynamic-map home 65535 set reverse-routecrypto map ipsec-vpn 11 match address ipsec11crypto map ipsec-vpn 11 set peer 108.166.74.130 crypto map ipsec-vpn 11 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-AES-SHAcrypto map ipsec-vpn 11 set reverse-routecrypto map ipsec-vpn 12 match address ipsec12crypto map ipsec-vpn 12 set peer 198.101.196.211 crypto map ipsec-vpn 12 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-AES-SHAcrypto map ipsec-vpn 12 set reverse-routecrypto map ipsec-vpn 65535 ipsec-isakmp dynamic homecrypto map ipsec-vpn interface outsidecrypto isakmp identity address crypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400crypto isakmp policy 12 authentication pre-share encryption aes hash sha group 2 lifetime 86400crypto isakmp policy 15 authentication pre-share encryption 3des hash md5 group 5 lifetime 86400telnet timeout 15ssh 192.168.237.0 255.255.255.0 outsidessh 192.168.10.0 255.255.255.0 insidessh 192.168.11.0 255.255.255.0 insidessh 192.168.237.0 255.255.255.0 insidessh 192.168.6.0 255.255.255.248 insidessh timeout 15console timeout 5management-access inside priority-queue outside  queue-limit   300  tx-ring-limit 128no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8threat-detection rate scanning-threat rate-interval 600 average-rate 15 burst-rate 30threat-detection rate scanning-threat rate-interval 3600 average-rate 12 burst-rate 24threat-detection basic-threatthreat-detection scanning-threat shun except ip-address 192.168.10.0 255.255.255.0threat-detection scanning-threat shun duration 7200threat-detection statistics access-listno threat-detection statistics tcp-interceptntp server 192.168.10.254 source inside preferusername enable15 password 1fU1phQraSx9fmtJ encrypted privilege 15tunnel-group 108.166.74.130 type ipsec-l2ltunnel-group 108.166.74.130 ipsec-attributes pre-shared-key testclass-map qos-halflife match access-list acl-qos-halflifeclass-map qos-ftps match access-list acl-qos-ftpsclass-map qos-ip match access-list acl-qos-ipclass-map qos-xboxlive match access-list acl-qos-xboxliveclass-map cmap_torrent_conn_limit match access-list torrent_conn_limitclass-map qos-rdp match access-list acl-qos-rdpclass-map inspection_default match default-inspection-trafficclass-map global_class match access-list global_mpc!!policy-map type inspect dns preset_dns_map parameters  message-length maximum client auto  message-length maximum 4096policy-map qos_traffic_policy class qos-xboxlive  priority class qos-halflife  priority class qos-ip  priority class qos-rdp  prioritypolicy-map inside_policy class cmap_torrent_conn_limit  set connection per-client-max 3072   set connection timeout embryonic 0:00:10   set connection decrement-ttl class class-defaultpolicy-map global_policy class inspection_default  inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect netbios   inspect rsh   inspect rtsp   inspect esmtp   inspect tftp   inspect sip    inspect http   inspect icmp   inspect ip-options  class class-default  set connection decrement-ttlpolicy-map outside_policy class qos-ftps  police output 4096000 class class-default  shape average 4960000  service-policy qos_traffic_policy!service-policy global_policy globalservice-policy outside_policy interface outsideservice-policy inside_policy interface insideprivilege show level 1 mode exec command running-configprompt hostname domain no call-home reporting anonymouscall-home profile CiscoTAC-1  no active  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService  destination address email callhome@cisco.com  destination transport-method http  subscribe-to-alert-group diagnostic  subscribe-to-alert-group environment  subscribe-to-alert-group inventory periodic monthly  subscribe-to-alert-group configuration periodic monthly  subscribe-to-alert-group telemetry periodic dailyCryptochecksum:423d1d15db9feac71b1ef6f3979c544d: end

--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams

Re: ASA vs ZBFW

Tue, 13 Nov 2012 02:18:26 EDT

HELLFIRE posted : Can you post the ZBFW config for review?

Also, I know there's nothing to 'configure' in terms of the ASA 'firewall,' but if possible could you also post
that as well?

Off the top of my head, I've never figured out what / how MS determines strict NAT versus moderate NAT versas any NAT...
NAT is nat, from a network perspective. From what little I've read about getting XBOX to work with a non-UPNP
router config-wise is no different than the port-forwarded days of yore, and AFAIK, both ASA (the Adaptive Security
ALGORITHM) and ZBFW are intrinsically stateful, so all the XBOX should have to do is say 'ASA / ZBFW, I am making
a connection to x.x.x.x on port yyy."

My 00000010bits.

Regards

ASA vs ZBFW

Mon, 12 Nov 2012 15:44:53 EDT

RyanG1 posted : So i have an 891 doing ZBFW and a handful of xboxes behind them (no port forwarding) and im getting the expected issues where 1 is showing moderate and the others show strict for the nat type. The interesting part of this issue is that the ASA that was in its place had no port forwarding either but the nat type showed as open (as if it was correctly port forwarded).

Now i know the ASA does not support UPNP and i cannot quite figure out this behavior. Ive tried to duplicate it in the ZBFW config but it does not work compared to the asa config.

Just wondering if anyone has any thoughts on this when comparing the stateful firewalls of the ASA and IOS' ZBFW.

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams