RyanG1
Premium
join:2002-02-10
San Antonio, TX

ASA vs ZBFW

So I have an 891 doing ZBFW and a handful of Xboxes behind it (no port forwarding), and I'm getting the expected issues where one is showing moderate and the others show strict for the NAT type. The interesting part of this issue is that the ASA that was in its place had no port forwarding either, but the NAT type showed as open (as if it was correctly port forwarded).

Now I know the ASA does not support UPnP, and I cannot quite figure out this behavior. I've tried to duplicate it in the ZBFW config, but it does not work compared to the ASA config.

Just wondering if anyone has any thoughts on this when comparing the stateful firewalls of the ASA and IOS' ZBFW.

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams

HELLFIRE

join:2009-11-25
kudos:7

Can you post the ZBFW config for review?

Also, I know there's nothing to 'configure' in terms of the ASA 'firewall,' but if possible could you also post that as well?

Off the top of my head, I've never figured out what / how MS determines strict NAT versus moderate NAT versus any NAT... NAT is NAT, from a network perspective. From what little I've read, getting an XBOX to work with a non-UPnP router config-wise is no different than the port-forwarded days of yore, and AFAIK, both ASA (the Adaptive Security ALGORITHM) and ZBFW are intrinsically stateful, so all the XBOX should have to do is say "ASA / ZBFW, I am making a connection to x.x.x.x on port yyy."

My 00000010bits.

Regards



RyanG1
Premium
join:2002-02-10
San Antonio, TX

reply to RyanG1
Yea, if I do a port forward it reports Open on the one, but the others report strict. I'm really not even trying to do this to fix the handful of Xboxes in the house... it's more so to understand what the difference is. I'm also kind of wondering if the ASA is tricking the Xbox service into thinking the connection is open... but I'm not sure and I have no evidence to support it. I personally believe the ASA is superior to ZFW, but that's a biased opinion =p

Here's the ZFW config:

ip access-list extended acl_all_protocols_v4
 permit gre any any
 permit tcp any any
 permit udp any any
 permit icmp any any
ip access-list extended acl_fw_fpx_outside_in
 permit icmp any any
 permit tcp any any established
 permit tcp any eq bgp any
 permit tcp any any eq bgp
 deny   ip any any
ip access-list extended acl_fw_outside_ports_in
 permit tcp any any eq 9990
 permit tcp any any range 5500 5510
 permit tcp any any eq 4490
 permit tcp any any eq 3389
 permit udp any any gt 1024
 permit tcp any any eq 3074
 permit udp any any eq 88
class-map type inspect match-any cmap_all_protocols
 match access-group name acl_all_protocols_v6
 match access-group name acl_all_protocols_v4
class-map type inspect match-any cmap_outside_self_in
 match access-group name acl_fw_outside_self_in
class-map match-any cmap_qos_bw_high
 match access-group name acl_qos_bw_high
class-map match-any cmap_qos_bw_low
 match access-group name acl_qos_bw_low
class-map match-any cmap_qos_bw_med
 match access-group name acl_qos_bw_med
class-map match-any cmap_police_bw_ftps
 match access-group name acl_police_bw_ftps
class-map type inspect match-any cmap_outside_ports_in
 match access-group name acl_fw_outside_ports_in
class-map match-any cmap_qos_bw_other
 match access-group name acl_qos_bw_other
class-map type inspect match-any cmap_fpx_outside_in
 match access-group name acl_fw_fpx_outside_in
 match access-group name acl_fw_fpx_outside_in_v6
class-map match-any cmap_qos_priority
 description priority traffic queue
 match access-group name acl_qos_priority
class-map type inspect match-any cmap_fpx_in
 match access-group name fpx_in
!
!
policy-map type inspect Inside2FPX-Outside
 class type inspect cmap_all_protocols
  inspect
 class class-default
  drop log
policy-map type inspect FPX-Outside2Inside
 class type inspect cmap_fpx_outside_in
  inspect
 class class-default
  drop log
policy-map type inspect Inside2Outside
 class type inspect cmap_all_protocols
  inspect 
 class class-default
  drop log
policy-map type inspect Outside2Inside
 class type inspect cmap_outside_ports_in
  inspect 
 class type inspect cmap_all_protocols
  inspect 
 class class-default
  drop log
policy-map type inspect Outside2Self
 class type inspect cmap_outside_self_in
  inspect 
 class class-default
  drop log
policy-map type inspect Self2Outside
 class type inspect cmap_all_protocols
  inspect 
 class class-default
  drop log
  
zone security inside
 description inside zone
zone security outside
 description outside zone
zone security FPX-Outside
 description fpx tunnel
zone-pair security Inside2Outside source inside destination outside
 service-policy type inspect Inside2Outside
zone-pair security Outside2Inside source outside destination inside
 service-policy type inspect Outside2Inside
zone-pair security Inside2FPX-Outside source inside destination FPX-Outside
 service-policy type inspect Inside2FPX-Outside
zone-pair security FPX-Outside2Inside source FPX-Outside destination inside
 service-policy type inspect FPX-Outside2Inside
 

Here's the ASA config:
: Saved
: Written by ryan.sa at 19:05:51.106 cdt Fri Nov 2 2012
!
ASA Version 8.2(5)6 
!
hostname fw-nat1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description to modem
 switchport access vlan 99
!
interface Ethernet0/1
 switchport access vlan 100
!
interface Ethernet0/2
 switchport access vlan 100
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan99
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan100
 description to managed gig switch
 nameif inside
 security-level 100
 ip address 192.168.6.1 255.255.255.248 
 ospf hello-interval 1
 ospf dead-interval 3
!
boot system disk0:/asa825-6-k8.bin
ftp mode passive
clock timezone cst -6
clock summer-time cdt recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service outside_allow_ports_in
 service-object tcp eq 5500 
 service-object tcp eq 5501 
 service-object tcp eq 5502 
 service-object tcp eq 5503 
 service-object tcp eq 5504 
 service-object tcp eq 5505 
 service-object tcp eq 5506 
 service-object tcp eq 5507 
 service-object tcp eq 5508 
 service-object tcp eq 5509 
 service-object tcp eq 5510 
 service-object tcp eq 3074 
 service-object tcp eq 9990 
 service-object gre 
 service-object 41 
 service-object udp gt 1024 
 service-object esp 
 service-object udp eq 4500 
 service-object udp eq isakmp 
 service-object tcp eq 4490 
 service-object tcp eq 4491 
 service-object tcp eq 4489 
 service-object tcp eq 25565
 service-object tcp range 6784 6786 
object-group network deny-ip-in
 network-object host 187.114.255.224
 network-object 0.0.0.0 255.0.0.0
 network-object 127.0.0.0 255.0.0.0
 network-object 169.254.0.0 255.255.0.0
 network-object 192.0.0.0 255.255.255.0
 network-object 192.0.2.0 255.255.255.0
 network-object 198.18.0.0 255.254.0.0
 network-object 198.51.100.0 255.255.255.0
 network-object 203.0.113.0 255.255.255.0
 network-object 224.0.0.0 240.0.0.0
 network-object 240.0.0.0 240.0.0.0
 network-object host 166.87.181.113
object-group icmp-type icmp-allowed
 description "default ICMP types allowed"
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object echo
 icmp-object time-exceeded
 icmp-object traceroute
access-list nat_acl extended permit ip 192.168.10.0 255.255.255.0 any 
access-list nat_acl extended permit ip 192.168.11.0 255.255.255.0 any 
access-list nat_acl extended permit ip 192.168.6.0 255.255.255.0 any 
access-list outside_in extended deny ip any object-group deny-ip-in log 
access-list outside_in extended deny ip object-group deny-ip-in any log 
access-list outside_in extended permit icmp any any object-group icmp-allowed 
access-list outside_in extended permit ip 192.168.6.248 255.255.255.248 192.168.10.0 255.255.255.0 
access-list outside_in extended permit object-group outside_allow_ports_in any any 
access-list outside_in extended deny tcp any any log 
access-list outside_in extended deny udp any any log 
access-list outside_in extended deny ip any any log 
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 host 172.32.2.1 
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.6.0 255.255.255.0 
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.237.0 255.255.255.0 
access-list nonat extended permit ip 192.168.6.0 255.255.255.248 host 172.32.2.1 
access-list nonat extended permit ip 192.168.6.0 255.255.255.248 host 172.31.2.1 
access-list nonat extended permit ip 192.168.237.0 255.255.255.0 192.168.6.0 255.255.255.0 
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 192.168.237.0 255.255.255.0 
access-list acl-qos-rdp extended permit tcp any any eq 3389 
access-list acl-qos-rdp extended permit tcp any any eq 4489 
access-list acl-qos-rdp extended permit tcp any any eq 4490 
access-list acl-qos-rdp extended permit tcp any eq 3389 any 
access-list acl-qos-rdp extended permit tcp any eq 4489 any 
access-list acl-qos-rdp extended permit tcp any eq 4490 any 
access-list acl-qos-rdp extended permit tcp any eq 4491 any 
access-list acl-qos-xboxlive extended permit udp any any eq 3074 
access-list acl-qos-halflife extended permit udp any any range 27000 27500 
access-list torrent_conn_limit extended permit udp any gt 28000 any 
access-list torrent_conn_limit extended permit udp any any gt 28000 
access-list torrent_conn_limit extended permit tcp any any gt 28000 
access-list acl-qos-ip extended permit ip any host 4.2.2.2 
access-list acl-qos-ip extended permit ip any host 50.56.228.65 
access-list acl-qos-ip extended permit ip host 50.56.228.65 any 
access-list acl-qos-ftps extended permit tcp any range 5500 5510 any 
access-list CLIENTVPN extended permit ip 192.168.10.0 255.255.255.0 192.168.237.0 255.255.255.0
access-list CLIENTVPN extended permit ip 192.168.6.0 255.255.255.0 192.168.237.0 255.255.255.0 
access-list nat_acl_outside extended permit ip 192.168.237.0 255.255.255.0 any 
access-list ipsec11 extended permit ip 192.168.6.0 255.255.255.248 host 172.32.2.1 
access-list ipsec11 extended permit gre 192.168.6.0 255.255.255.248 host 172.32.2.1 
access-list inside_in extended permit ip any any 
access-list ipsec12 extended permit ip 192.168.6.0 255.255.255.248 host 172.31.2.1 
access-list ipsec12 extended permit gre 192.168.6.0 255.255.255.248 host 172.31.2.1 
access-list LABVPN extended permit ip host 192.168.10.254 192.168.237.0 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging buffered notifications
logging trap warnings
logging history warnings
logging host inside 192.168.10.254
logging message 302014 level debugging
flow-export destination inside 192.168.10.254 2055
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu outside 1500
mtu inside 1500
ip local pool IPPOOL 192.168.237.1-192.168.237.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 10 burst-size 5
icmp deny any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 access-list nat_acl_outside
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat_acl
static (inside,outside) tcp interface 4491 192.168.10.254 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 9990 192.168.10.254 9990 netmask 255.255.255.255 
static (inside,outside) tcp interface 5500 192.168.10.254 5500 netmask 255.255.255.255 
static (inside,outside) tcp interface 5501 192.168.10.254 5501 netmask 255.255.255.255 
static (inside,outside) tcp interface 5502 192.168.10.254 5502 netmask 255.255.255.255 
static (inside,outside) tcp interface 5503 192.168.10.254 5503 netmask 255.255.255.255 
static (inside,outside) tcp interface 5504 192.168.10.254 5504 netmask 255.255.255.255 
static (inside,outside) tcp interface 5505 192.168.10.254 5505 netmask 255.255.255.255 
static (inside,outside) tcp interface 5506 192.168.10.254 5506 netmask 255.255.255.255 
static (inside,outside) tcp interface 5507 192.168.10.254 5507 netmask 255.255.255.255 
static (inside,outside) tcp interface 5508 192.168.10.254 5508 netmask 255.255.255.255 
static (inside,outside) tcp interface 5509 192.168.10.254 5509 netmask 255.255.255.255 
static (inside,outside) tcp interface 5510 192.168.10.254 5510 netmask 255.255.255.255 
static (inside,outside) tcp interface 25565 192.168.10.254 25565 netmask 255.255.255.255 
static (inside,outside) tcp interface 6784 192.168.10.101 6784 netmask 255.255.255.255 
static (inside,outside) tcp interface 6785 192.168.10.101 6785 netmask 255.255.255.255 
static (inside,outside) tcp interface 6786 192.168.10.101 6786 netmask 255.255.255.255 
static (inside,outside) tcp interface 4490 192.168.10.101 3389 netmask 255.255.255.255 
access-group outside_in in interface outside
access-group inside_in in interface inside
!
!
router ospf 2004
 network 192.168.6.0 255.255.255.248 area 11
 log-adj-changes
 default-information originate metric-type 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server radius-auth protocol radius
 reactivation-mode timed
aaa-server radius-auth (inside) host 192.168.10.253
 key test
aaa-server TACACS+ protocol tacacs+
 reactivation-mode timed
aaa-server TACACS+ (inside) host 192.168.10.253
 timeout 2
 key ZaQ1@wSx#
aaa authentication http console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command LOCAL 
http server enable 8443
http 192.168.10.0 255.255.255.0 inside
snmp-server host inside 192.168.10.254 poll community home.lan! version 2c
no snmp-server location
no snmp-server contact
snmp-server community home.lan!
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map home 65535 set transform-set ESP-AES-SHA
crypto dynamic-map home 65535 set reverse-route
crypto map ipsec-vpn 11 match address ipsec11
crypto map ipsec-vpn 11 set peer 108.166.74.130 
crypto map ipsec-vpn 11 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-AES-SHA
crypto map ipsec-vpn 11 set reverse-route
crypto map ipsec-vpn 12 match address ipsec12
crypto map ipsec-vpn 12 set peer 198.101.196.211 
crypto map ipsec-vpn 12 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-AES-SHA
crypto map ipsec-vpn 12 set reverse-route
crypto map ipsec-vpn 65535 ipsec-isakmp dynamic home
crypto map ipsec-vpn interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 12
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
telnet timeout 15
ssh 192.168.237.0 255.255.255.0 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.11.0 255.255.255.0 inside
ssh 192.168.237.0 255.255.255.0 inside
ssh 192.168.6.0 255.255.255.248 inside
ssh timeout 15
console timeout 5
management-access inside
 
priority-queue outside
  queue-limit   300
  tx-ring-limit 128
no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate scanning-threat rate-interval 600 average-rate 15 burst-rate 30
threat-detection rate scanning-threat rate-interval 3600 average-rate 12 burst-rate 24
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.10.0 255.255.255.0
threat-detection scanning-threat shun duration 7200
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.10.254 source inside prefer
username enable15 password 1fU1phQraSx9fmtJ encrypted privilege 15
tunnel-group 108.166.74.130 type ipsec-l2l
tunnel-group 108.166.74.130 ipsec-attributes
 pre-shared-key test
class-map qos-halflife
 match access-list acl-qos-halflife
class-map qos-ftps
 match access-list acl-qos-ftps
class-map qos-ip
 match access-list acl-qos-ip
class-map qos-xboxlive
 match access-list acl-qos-xboxlive
class-map cmap_torrent_conn_limit
 match access-list torrent_conn_limit
class-map qos-rdp
 match access-list acl-qos-rdp
class-map inspection_default
 match default-inspection-traffic
class-map global_class
 match access-list global_mpc
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 4096
policy-map qos_traffic_policy
 class qos-xboxlive
  priority
 class qos-halflife
  priority
 class qos-ip
  priority
 class qos-rdp
  priority
policy-map inside_policy
 class cmap_torrent_conn_limit
  set connection per-client-max 3072 
  set connection timeout embryonic 0:00:10 
  set connection decrement-ttl
 class class-default
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect tftp 
  inspect sip  
  inspect http 
  inspect icmp 
  inspect ip-options 
 class class-default
  set connection decrement-ttl
policy-map outside_policy
 class qos-ftps
  police output 4096000
 class class-default
  shape average 4960000
  service-policy qos_traffic_policy
!
service-policy global_policy global
service-policy outside_policy interface outside
service-policy inside_policy interface inside
privilege show level 1 mode exec command running-config
prompt hostname domain 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:423d1d15db9feac71b1ef6f3979c544d
: end
 



RyanG1
Premium
join:2002-02-10
San Antonio, TX

reply to RyanG1
Well, I've come to the conclusion that this must be some inherent difference in how it's handling the connections that cannot be duplicated with ZBFW... or... the ASA is causing a false positive... I'm leaning towards this one, but I don't have evidence to support it one way or the other...

Ryan


HELLFIRE

join:2009-11-25
kudos:7

reply to RyanG1
Couldn't tell you either, RyanG1. Unfortunately I don't have the nuts and bolts of either IOS or ASA-OS to tell how they work. The only way to know possibly would be to go into debug mode -- don't know if you want to try that or not.

I haven't run ASA much of late, but I do agree while CBAC / ZBFW just works, ya can't beat the ASA for security.

Regards



RyanG1
Premium
join:2002-02-10
San Antonio, TX

reply to RyanG1
Yea, I ran a debug on both and logged all traffic, and the only difference is that the ASA doesn't bind the global public port to the same inside local port and IOS does. I don't think this is the reasoning behind it, and I may just put my ASA back in front and have it handle all NAT.

Honestly, if I could find even one shred of info as to how the Xbox Live service tests, I'm sure I could find the reasoning to what's going on here, but... meh... nothing.

I just hate situations where it feels like a simple issue but the lack of information about the problem grinds everything to a halt. It also bugs me since I can't figure it out lol.

Who knows, maybe someone will Google search this and come up with an answer to this burning question... and should I come across the solution I'll post it =)

I agree though, the ASA product is a rather nice piece of hardware, and I find it very simple to manage compared to the ordeal of ZBFW haha.

Ryan
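To make the debug observation above concrete (IOS binding the inside local port to the same global port, the ASA handing out a different one), here is a small model of a stateful PAT session table; it is example code added for this page, not Ryan's config or Cisco's implementation, and the addresses, the 49152 fallback pool and the "admit replies only from a peer the inside host already contacted" rule are assumptions. It shows why, with port preservation, only the first console behind one public IP can keep UDP 3074 as its public port while the others are pushed to pool ports, and how an unsolicited inbound packet falls through to the class-default drop.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed: the router's outside address
POOL_START = 49152          # assumed fallback pool when the inside port is already taken

@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class Mapping:
    inside_ip: str
    inside_port: int
    peers: set = field(default_factory=set)  # outside sockets this inside socket contacted

@dataclass
class StatefulPat:
    """Session table for one public IP. preserve_ports=True models what Ryan's
    IOS debug showed (global port == inside local port when free); False models
    the ASA, which handed out a different global port."""
    preserve_ports: bool
    next_pool_port: int = POOL_START
    sessions: dict = field(default_factory=dict)  # (proto, public_port) -> Mapping
    log: list = field(default_factory=list)

    def _key_for(self, proto, ip, port):
        for key, m in self.sessions.items():
            if key[0] == proto and (m.inside_ip, m.inside_port) == (ip, port):
                return key
        return None

    def outbound(self, flow):
        """Translate inside->outside; returns the public port used for the flow."""
        key = self._key_for(flow.proto, flow.src_ip, flow.src_port)
        if key is None:
            if self.preserve_ports and (flow.proto, flow.src_port) not in self.sessions:
                pub = flow.src_port
            else:
                pub = self.next_pool_port
                self.next_pool_port += 1
            key = (flow.proto, pub)
            self.sessions[key] = Mapping(flow.src_ip, flow.src_port)
        self.sessions[key].peers.add((flow.dst_ip, flow.dst_port))
        return key[1]

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Outside->inside: admitted only as the reply of a tracked session,
        otherwise it falls through to class-default 'drop log'."""
        m = self.sessions.get((proto, dst_port))
        if m and (src_ip, src_port) in m.peers:
            return (m.inside_ip, m.inside_port)
        self.log.append(f"DROP {proto} {src_ip}:{src_port} -> {PUBLIC_IP}:{dst_port} no session")
        return None

def consoles_demo(preserve_ports):
    """Three constructed consoles each sending UDP from 3074 (the Xbox Live port
    both of the thread's configs permit) to one constructed outside server."""
    pat = StatefulPat(preserve_ports)
    server = ("198.51.100.5", 3074)
    ports = [pat.outbound(Flow("udp", f"192.168.10.1{i}", 3074, *server)) for i in (1, 2, 3)]
    return pat, ports
```

Calling consoles_demo(True)[1] gives the port-preserving table and consoles_demo(False)[1] the pool-allocated one; the returned table's log list holds the drop entries for any unsolicited inbound packet.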


HELLFIRE

join:2009-11-25
kudos:7

said by RyanG1:

Honestly, if I could find even one shred of info as to how the Xbox Live service tests, I'm sure I could find the reasoning to what's going on here, but... meh... nothing.

Wireshark it? But I feel your pain. I've got a doozy of one at work... iPad + iOS 5 or 6 + two redundant pods of firewalls, POD A is one revision of code behind POD B. Go thru one pod, it works; go thru the other one, it borks. Last I heard, SOMEone (not me, thankfully) has to put in a call to Apple to see why their wonderful new toy is acting so screwy.

Regards


RyanG1
Premium
join:2002-02-10
San Antonio, TX

reply to RyanG1
Yea, I captured traffic coming inbound on the WAN interface and it's identical for the most part.

I'm just going to shelve this for now and revisit later.



RyanG1
Premium
join:2002-02-10
San Antonio, TX

reply to RyanG1
So just to come full circle on this... I figured out what was going on.

The router was not tracking the connections properly, and anything that was coming back was being denied (but not logged as a deny!)... I figured the only thing I had not done was bump to a higher rev IOS... that did the trick. All consoles now report as open connectivity, and ZBFW is processing the traffic just as the ASA does (CPU load is decreased now as well when maxing out my internet download)... I could not find any bugs on this at all from any source...

Went from c890-universalk9-mz.152-2.T1 to c890-universalk9-mz.152-3.T

*shrug*

I should have tried that first, but whatever... I hope this helps someone else in the future =)

Ryan


© 1999-2013 dslreports.com.