Trunk and MTU configuration on ASA firewall
::Trunks on ASA 5510 and higher::
Ø An ASA trunk link supports only the IEEE 802.1q trunk encapsulation method.
Ø As each packet is sent over a trunk link, it is tagged with its source VLAN number.
Ø As packets are removed from the trunk, the tag is examined and removed so that each packet can be forwarded to its appropriate VLAN.
Ø By default, only packets that are sent out the ASA's physical interface itself are untagged, and they appear to use the trunk's native VLAN.
Ø Packets that are sent out a sub-interface do receive a VLAN tag.
Ø IEEE 802.1q trunk links support the concept of a native VLAN. Frames coming from the native VLAN are sent over the trunk link without a tag, while frames from other VLANs have a tag added while in the trunk.
Ø An ASA trunk link is either on or off, according to the sub-interface configuration:
ciscoasa(config)# interface hardware_id.subinterface
ciscoasa(config-subif)# vlan vlan_id
Configure a Trunk Link on an ASA:::
ciscoasa(config)# interface e0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config)# int e0/0.1
ciscoasa(config-subif)# vlan 10
ciscoasa(config)# int e0/0.2
ciscoasa(config-subif)# vlan 20
CASE:
Problem: Trunk connection problem between an ASA and a Cisco switch
We have set up a trunk link between a Cisco ASA (5505 and above) and a Cisco switch (2960, 3560). However, we are not able to establish a connection between them at either Layer 2 or Layer 3. If we look at the interface counters on the firewall, we may notice that we are piling up a large number of "L2 decode drops" errors.
Solution:
Ø The most likely cause is the native VLAN on the switch side of the trunk.
Ø We have a sub-interface on the ASA that is supposed to route for the native VLAN.
Ø When the switch sends out a frame from the native VLAN, it does not tag it.
Ø However, if the ASA has a sub-interface for that VLAN, it expects only tagged frames for it, so communications for that particular VLAN will fail between the switch and the ASA.
Base:
Ø If we have a sub-interface for a VLAN on the ASA, then that VLAN cannot also be used as the native VLAN on the switch's trunk port.
Ø Any VLAN set up that way will not work.
Ø To solve this, change the sub-interface/VLAN configuration on the ASA to avoid the switch port's native VLAN, or change the native VLAN on the switch to something else.
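The rule above can be checked before the trunk is brought up. The following script is an added example (not code from the original page): it parses an ASA configuration and a switch trunk port configuration and reports every VLAN that has an ASA sub-interface but is also the native VLAN of a switch trunk port. The two configuration snippets are constructed, and the interface names are assumptions.

```python
import re

# Constructed sample configs (not from the original page). The ASA has
# sub-interfaces for VLANs 10 and 20; the switch trunk's native VLAN is 10.
ASA_CONFIG = """\
interface Ethernet0/0
interface Ethernet0/0.1
 vlan 10
interface Ethernet0/0.2
 vlan 20
"""

SWITCH_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 10
"""

def asa_subinterface_vlans(config):
    """Map each ASA sub-interface (a dotted interface name) to its VLAN tag."""
    vlans, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:  # any interface line resets the context; physical ports get None
            current = m.group(1) if "." in m.group(1) else None
        elif (m := re.match(r"\s+vlan (\d+)", line)) and current:
            vlans[current] = int(m.group(1))
    return vlans

def switch_trunk_native_vlans(config):
    """Map each switch trunk port to its native VLAN (802.1q default is VLAN 1)."""
    native, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
        elif re.match(r"\s+switchport mode trunk", line) and current:
            native.setdefault(current, 1)
        elif (m := re.match(r"\s+switchport trunk native vlan (\d+)", line)) and current:
            native[current] = int(m.group(1))
    return native

def find_native_vlan_conflicts(asa_config, switch_config):
    """Return (asa_subif, switch_port, vlan) for every sub-interface VLAN that the
    switch sends untagged; the ASA expects tags there and drops those frames."""
    sub = asa_subinterface_vlans(asa_config)
    nat = switch_trunk_native_vlans(switch_config)
    return [(s, p, v) for s, v in sub.items() for p, n in nat.items() if v == n]
```

A non-empty result means either the ASA sub-interface VLAN or the switch's native VLAN has to change, as stated above.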
::ASA Firewall Interface MTU::
Ø An Ethernet interface has its maximum transmission unit (MTU) size set to 1500 bytes by default.
Ø If a packet is larger than the MTU, it must be fragmented before being transmitted.
Ø Before the packet can be presented at the destination, all of its fragments must be reassembled in their proper order.
Ø The fragmentation and reassembly process takes time, memory, and CPU resources, so it should be avoided if possible.
Ø Various IEEE standards use expanded frame sizes to carry additional information. Data centers often leverage Ethernet "giant" or "jumbo" frames, which are much larger than normal, to move large amounts of data efficiently.
Ø We use the following command to adjust the MTU on an ASA interface:
ciscoasa(config)# mtu <nameif> <bytes>
Ø The transmitted MTU can be sized from 64 to 9216 bytes.
Ø We should also use the following command to enable jumbo frame processing as frames are received on an interface:
ciscoasa(config)# jumbo-frame reservation
Ø When we increase the MTU size on any ASA, always remember that the jumbo-frame reservation command is supported only on the ASA 5580.
File System of Cisco ASA
::The Factory Default Configuration::
Ø The first time it boots, an ASA comes up running a factory default or initial configuration.
Ø The initial configuration brings up the following basic functions:
· One interface is set up as a protected "management" network, where a PC will connect.
· A DHCP server is enabled on the management network so that a connected PC is automatically provided with an IP address.
· An HTTP server is also running on the management network, to allow the PC to access ASDM on the ASA via TCP port 443.
· The management interface has IP address 192.168.1.1 with a /24 mask.
· The DHCP server is allowed to provide addresses from the range 192.168.1.2 to 192.168.1.254.
· The HTTP server is configured to allow ASDM access from subnet 192.168.1.0/24.
· The ASA's interface 0/0 works as the management interface in the initial configuration.
· To return to the factory default configuration, enter the command:
ciscoasa(config)# configure factory-default
::Working With Configuration Files::
Ø An ASA keeps a "startup" configuration file in flash memory.
Ø The configuration commands in the startup configuration are not lost after a reload or power failure.
Ø When the ASA boots, the startup configuration commands are copied to the "running" configuration in RAM.
Ø The ASA's RAM is volatile memory.
Ø The # show startup-config command is used to see the contents of the startup configuration.
Ø We can see the running configuration contents by entering # show running-config.
Ø ASA platforms can maintain one or more startup configuration files in flash, depending on space.
Ø Only one of these can be used at boot time.
Ø The startup configuration contents can be saved in one file while the firewall configuration is stable. If major configuration changes need to be made, the new, updated running configuration can be saved to a new, different startup configuration file.
Ø The next time the ASA is booted, it can use the new startup configuration file.
Ø If we encounter problems with the new configuration, we can force the firewall to roll back to, or use, a previous startup configuration in flash memory.
Ø We can see the startup configuration file with the command: # show startup-config
Ø To force the ASA to use a different startup configuration file, use the command:
ciscoasa(config)# boot config <url>
Here url represents the location of the startup configuration file. It can be
· flash: path
· disk0: path
· disk1: path
where path is the directory path. When using the above command, be sure to save the running configuration with the "# copy running-config startup-config" command.
Ø We can see the current startup configuration file with # show bootvar.
Clear an ASA Configuration::
1. clear configure all: Clears the entire running configuration.
2. clear configure primary: Clears all commands related to connectivity, including ip address, mtu, monitor-interface, boot, route, failover, tftp-server, and shun.
3. clear configure secondary: Clears all commands not related to ASA connectivity.
4. clear configure command: Clears all commands that use the given command keyword.
::Working with the ASA File System::
Ø A Cisco ASA has a built-in flash (non-volatile) memory file system that contains files such as an operating system image, a management application image, and firewall configurations.
Ø When an ASA boots, it uncompresses and copies an executable OS image from flash to RAM.
Ø This image actually runs from RAM.
Ø While an image is being run, a different image can be copied or written into flash memory.
Ø Even the running image can be safely overwritten in flash.
Navigating an ASA Flash File System:
Ø The ASA flash file system is much like an IOS file system.
Ø It contains a tree of directories, each containing arbitrary files.
Ø The ASA offers a disk0: and a flash: device. These both refer to the same internal flash memory file system.
Ø When we connect to an ASA, our session begins in the disk0:/ root directory. This directory can contain other files or sub-directories.
Ø The ASA also supports a disk1: device, which is a removable flash drive.
Ø To view the contents of a flash directory, use the # dir [device:][path] command. Example: ciscoasa# dir disk0:/
Working with Files in an ASA File System::
Ø We can manipulate any files that are stored in an ASA's file system.
Ø To view the contents of a file, use the command:
ciscoasa# more [/ascii | /binary | /ebcdic] [device:]path
Ø By default, the file contents are shown as plain text.
Ø We can add the /ascii or /binary option to display both hex and ASCII representations of the file contents.
Ø Likewise, the /ebcdic option displays the contents in both EBCDIC and ASCII.
Copy Command:::
Ø There are three different uses of the copy command.
Ø First, an ASA image file asa823-k8.bin is copied from a TFTP server to the ASA's disk0: file system.
Ø Second, an ASDM image file is copied from a TFTP server to flash.
Ø Finally, the running configuration is copied from the ASA to a TFTP server.
To Rename an Existing File in Flash::
Ø To rename an existing file in a flash file system, we can use the following command:
ciscoasa# rename [/noconfirm] [device:]source-path [device:]destination-path
Ø Example: the file backup-config is renamed to config-old. Because the CLI session begins in the disk0:/ directory, the file names can be given without a device or path prefix.
Delete Files from an ASA File System::
Ø You can delete files from an ASA file system with the following command:
ciscoasa# delete [/noconfirm] [/recursive] [device:]path
Ø Every file, including image files, configuration files, and licensing files, is overwritten with a 0xFF data pattern so that it is completely removed.
Ø When the flash file system is erased, the ASA can continue to operate because its image file and running configuration are already loaded into RAM.
Ø However, once the ASA is rebooted, its operation will be affected.
Reloading an ASA:::
Ø An ASA allows one or more OS images to be stored in flash memory.
Ø Only one of the image files can be running on the firewall at any time.
Ø We can select one file for use with the command:
ciscoasa(config)# boot system device:path
Ø If the image file does not exist, a warning message is given.
Ø The boot system command is stored in the running configuration after it is entered.
Ø It should also be written into the startup configuration so that the image can be identified during the next reload or bootup sequence.
Upgrading the ASA Software at the Next Reload::
The upgrade procedure is straightforward; follow these steps:
1. Copy a new OS image file onto the flash file system.
2. Use the boot system command to point to the new image file.
3. Save the running configuration with the copy running-config startup-config command.
4. Reload the ASA.
Ø We can see the current boot image setting with the command:
show bootvar
Example: An ASA has two OS image files in the disk0: file system. The ASA is currently running the asa802-k8.bin image file. A new image file named asa823-k8.bin has been copied onto the disk0: file system.
Ø The example begins with an empty BOOT variable.
Ø The asa802-k8.bin image was the only valid image found at bootup time.
Ø The boot system disk0:/asa823-k8.bin command is then entered so that the ASA will run the upgraded image after its next reload.
Ø Immediately afterward, the Current BOOT variable line indicates that the new image has been identified, but it will not yet be used.
Ø Finally, the running configuration is saved to the startup configuration.
Ø At that point, the BOOT variable = line shows that the new image file will be booted at the next ASA reload.
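The three states described above (empty BOOT variable, new image identified but unsaved, saved) can be told apart from the show bootvar and dir output. The script below is an added example, not code from the original page: it checks that the image named by boot system exists in flash and that the BOOT variable has actually been saved for the next reload. The show bootvar and dir disk0:/ output it parses is constructed, and the asdm file name and timestamps are made up.

```python
import re

# Constructed sample output (not from the original page), modelled on the
# "show bootvar" and "dir disk0:/" displays of an ASA on which
# "boot system disk0:/asa823-k8.bin" has been entered but not yet saved.
SHOW_BOOTVAR = """\
BOOT variable =
Current BOOT variable = disk0:/asa823-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
"""

DIR_DISK0 = """\
Directory of disk0:/
  11  -rwx  14524416  10:07:12 Jun 01 2010  asa802-k8.bin
  12  -rwx  15390720  08:51:40 Feb 11 2011  asa823-k8.bin
  13  -rwx   6889764  10:09:30 Jun 01 2010  asdm-623.bin
"""

def parse_bootvar(text):
    """Return (saved, current): the image stored for the next reload and the one
    in the running configuration. Either string may be empty."""
    saved = current = ""
    for line in text.splitlines():
        m = re.match(r"(Current )?BOOT variable =\s*(.*)$", line)
        if m and m.group(1):
            current = m.group(2).strip()
        elif m:
            saved = m.group(2).strip()
    return saved, current

def flash_files(text):
    """Set of file names listed by 'dir' (the last field of each file line)."""
    return {line.split()[-1] for line in text.splitlines() if "-rwx" in line}

def check_upgrade(bootvar_text, dir_text):
    """Return the problems that would stop the intended image from booting at the
    next reload; an empty list means steps 1 to 3 above are complete."""
    saved, current = parse_bootvar(bootvar_text)
    problems = []
    if not current:
        problems.append("no boot system command in the running configuration")
    elif current.split("/")[-1] not in flash_files(dir_text):
        problems.append(f"{current} is not present in flash")
    if current and saved != current:
        problems.append("running configuration not saved: the next reload will use "
                        + (saved or "the first valid image found"))
    return problems
```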
Performing a Reload::
Ø We can force an ASA to reload immediately by issuing the reload command alone.
Ø The ASA will check whether the running configuration has already been saved.
Ø We can also schedule a reload for a specific date and time with the command:
ciscoasa# reload at hh:mm [day month | month day]
Ø To schedule a reload after a time interval:
ciscoasa# reload in {mm | hhh:mm}
Manually Upgrading the ASA Software during Reload::
Ø We may want to install or upgrade the OS image file on an ASA before it fully boots.
Ø We can do this by downloading an image file from a TFTP server when the ASA has booted into its ROMMON mode.
Ø The parameters you enter are used only temporarily, until the ASA can download and run the new image file.
Ø In this example an image download is performed. The ASA interface ethernet0/0 is used because the TFTP server is connected there.
Ø The interface is given IP address 192.168.100.5.
Ø The TFTP server is found at IP address 192.168.100.10, and the new image file is called asa823-k8.bin.
Ø As soon as the tftpdnld command is entered, the TFTP file transfer begins.
Ø The image file is downloaded and executed by the ASA; it is not permanently stored anywhere. After the ASA finishes booting, you should copy the same image file onto a flash file system by using the copy command.