Tuesday 30 December 2014

ISP Failover with Cisco ASA (9.1)

ISP Failover with Cisco ASA: the Cisco ASA can fail over between two ISPs (the dual ISP configuration). It is failover, not load balancing: only one ISP carries traffic at a time, and the second takes over when the first stops answering. Below are the pieces of configuration that make failover work.

1. Interface configuration: configure one interface per ISP, each with its own nameif (outside and backup_link here) and security-level 0.
Example: 
interface GigabitEthernet0/1
speed 100
duplex full
nameif outside
security-level 0
ip address xxxxx

2. Configure an SLA monitor: this probes a remote host with the configured protocol (ICMP echo here) on a schedule and reports whether it answers. Send the probe out the primary (outside) interface and choose a target beyond the ISP's own gateway that answers ICMP reliably; otherwise a dead upstream goes unnoticed while the gateway still replies. Three probes every 10 seconds, each given 1000 ms, is the setting used here.
Example:
ciscoasa(config)# sla monitor 10
ciscoasa(config-sla-monitor)# type echo protocol ipIcmpEcho "Remote host IP" interface outside
ciscoasa(config-sla-monitor-echo)# num-packets 3
ciscoasa(config-sla-monitor-echo)# frequency 10
ciscoasa(config-sla-monitor-echo)# timeout 1000
ciscoasa(config)# sla monitor schedule 10 life forever start-time now

3. Configure a tracking object: it follows the reachability state reported by SLA entry 10 and is what the primary route refers to.
Example:
ciscoasa(config)# track 5 rtr 10 reachability

4. Configure a default route for each ISP. The primary route is tied to track 5 and is withdrawn from the routing table while the track is down; the backup route carries a worse metric (50), so it is used only then.
Example:
route outside 0.0.0.0 0.0.0.0 "ISP1_GW" 1 track 5
route backup_link 0.0.0.0 0.0.0.0 "ISP2_GW" 50

5. NAT, the most important and most confusing part on ASA 9.1 software (the ASA does not run IOS): the NAT syntax changed in 8.3. On the older code you configured a global statement per interface, and because several global statements could coexist, one nat rule translated to whichever interface the packet left on. On 9.1 a network object holds exactly one nat command, so changing the object's rule from (inside,outside) to (inside,backup_link) replaces the primary rule instead of adding a second one; a single object cannot PAT to more than one interface.
So I applied a trick:

I made two dynamic NAT statements above the existing dynamic NAT statement and configured them for the outside and backup interfaces respectively (the outside rule above the backup one), and that trick worked well for me. It is better to use ASDM to configure these NAT rules, because ASDM makes it easy to place the rules where you want them.

Command line (subnet first, then the single nat command each object allows):

object network Dynamic_failover_nat
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

object network Dynamic_failover_nat1
 subnet 0.0.0.0 0.0.0.0
 nat (inside,backup_link) dynamic interface
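As an added example (not the blog's own configuration), here are steps 1 to 5 assembled into one complete configuration in the order it is entered, with the backup interface, which the post only names, filled in. Interface numbers and every address (203.0.113.x, 198.51.100.x and the probe target 192.0.2.53) are placeholders standing in for the redacted values; the object names and timers are the post's.

```cisco
! Added example: complete dual-ISP failover configuration, ASA 9.1 syntax.
! Placeholders: interface numbers, 203.0.113.x (ISP1), 198.51.100.x (ISP2),
! 192.0.2.53 (probe target beyond the ISP edge). Not the blog's own config.
!
! 1. One interface per ISP, both at security-level 0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/2
 nameif backup_link
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! 2. SLA probe, forced out the PRIMARY interface. Because the probe is
!    sourced from the outside interface's own address and pinned to that
!    interface, it keeps testing the primary path even after the default
!    route has flipped to backup_link, so recovery is also detected.
!    Target: a stable host beyond the ISP's gateway, not the gateway itself.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.53 interface outside
 num-packets 3
 frequency 10
 timeout 1000
sla monitor schedule 10 life forever start-time now
!
! 3. Tracking object bound to SLA entry 10
track 5 rtr 10 reachability
!
! 4. Primary default route is withdrawn while track 5 is down; the backup
!    route (metric 50) is then the only default route left.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 5
route backup_link 0.0.0.0 0.0.0.0 198.51.100.1 50
!
! 5. One dynamic PAT object per egress interface. A network object holds a
!    single nat command, so two objects with the same subnet are needed.
!    For dynamic NAT the ASA first picks the egress interface from the
!    route lookup and then applies the rule whose mapped interface matches
!    it, so the (inside,backup_link) rule takes over exactly when the
!    backup route does; no manual ordering of these object rules is needed.
object network Dynamic_failover_nat
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
object network Dynamic_failover_nat1
 subnet 0.0.0.0 0.0.0.0
 nat (inside,backup_link) dynamic interface
```

Two things to know before relying on it. Connections built through outside are translated to the outside address and do not survive the switch; they time out or can be dropped with clear xlate so clients reconnect through the backup. Tracking is also preemptive: as soon as the probe succeeds again the primary route returns and new connections move back, so a flapping primary link flaps sessions too, which is why the probe target should be stable and the probe interval not too aggressive. Check the state with show route, show track 5 and show sla monitor operational-state 10, and rehearse the failover by shutting the outside interface the way the author does in the ping test further down.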

Verify functionality:

ciscoasa# show sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 10
Owner:
Tag:
Type of operation to perform: echo
Target address: 109.176.83.53
Interface: outside
Number of packets: 3
Request size (ARR data portion): 28
Operation timeout (milliseconds): 1000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 10
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:


ciscoasa# show sla monitor operational-state
Entry number: 10
Modification time: 08:11:23.628 IST Mon Dec 29 2014
Number of Octets Used by this Entry: 2056
Number of operations attempted: 11
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 153
Latest operation start time: 08:13:03.629 IST Mon Dec 29 2014
Latest operation return code: OK
RTT Values:
RTTAvg: 153     RTTMin: 150     RTTMax: 160
NumOfRTT: 3     RTTSum: 460     RTTSum2: 70600


ciscoasa# show track 5
Track 5
  Response Time Reporter 10 reachability
  Reachability is Up
  1 change, last change 00:00:48
  Latest operation return code: OK
  Latest RTT (millisecs) 150
  Tracked by:
    STATIC-IP-ROUTING 0



With the primary ISP active, the traceroute leaves via outside (vsnl):

ciscoasa# traceroute google.com

Type escape sequence to abort.
Tracing the route to 74.125.236.66

1   *
     xxxx.static-delhi.vsnl.net.in (xxxx) 0 msec 60 msec
2  172.29.251.34 40 msec 40 msec 40 msec
3   *  *  *
4  115.114.142.137.static-chennai.vsnl.net.in (115.114.142.137) 40 msec 40 msec 50 msec
5  121.240.1.50 50 msec 50 msec 50 msec
6  72.14.232.110 40 msec 40 msec 40 msec
7  209.85.249.235 40 msec 40 msec 40 msec
8  maa03s05-in-f2.1e100.net (74.125.236.66) 40 msec 50 msec 40 msec

With the outside interface shut down for the test, the same traceroute leaves via backup_link (airtel):

ciscoasa# traceroute google.com

Type escape sequence to abort.
Tracing the route to 74.125.236.201

1  nsg-static-xxxx -airtel.com (xxxx) 0 msec 0 msec 0 msec
2  xxxx 0 msec 0 msec 0 msec
3  182.79.239.201 40 msec 60 msec 40 msec
4  72.14.242.178 40 msec 40 msec 40 msec
5  72.14.232.110 40 msec 40 msec 40 msec
6  209.85.240.147 40 msec 40 msec 40 msec
7  google.com (74.125.236.201) 40 msec 40 msec 40 msec


ciscoasa# ping backup_link google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.236.201, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/42/50 ms

ciscoasa# ping outside google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.236.201, timeout is 2 seconds:
Error: outside interface is shutdown
Thursday 21 August 2014

How to resolve "Error: unspecified Error -ct-sensorapp.1186 not responding" in IPS.

I was trying to edit an event action in the IPS via IME, and when trying to save the configuration I was getting the error "unspecified Error -ct-sensorapp.1186 not responding", while logging in via SSH and configuring the IPS was fine. I tried some tricks but they did not resolve the issue; in the end I realised that the sensor app was not started, and a reload of the sensor worked fine.

Cause: ct-sensorapp.1186 was not responding.

Solution: a reload of the IPS fixed it.

Friday 21 March 2014

How to configure passive FTP in Windows Server 2003:

FTP has two modes, active and passive, so the question is why passive mode is needed and what it is. When an FTP client talks to an FTP server, two TCP connections are created: 1. the control connection, opened by the client to the server's tcp/21, which carries commands and replies, and 2. the data connection, which carries directory listings and file contents. How the data connection is set up is what differs between the modes.

In active mode the client listens on a port above 1023, tells the server that port with the PORT command, and the server connects back to it from its own tcp/20. A firewall or NAT device in front of the client sees that as an unsolicited inbound connection and drops it, so the transfer fails even though the control connection works. In passive mode the client sends PASV instead; the server opens a listening port above 1023 (on Windows Server 2003, one taken from the configured PassivePortRange), announces its address and port in the 227 reply, and the client connects to it. Both connections are now outbound from the client, so the client-side firewall has nothing to object to. The cost moves to the server side: the server's firewall must accept inbound connections on tcp/21 and on the whole passive range, which is why the range is pinned to a small known block (5500-5700 below) rather than left at the default ephemeral range.
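The exchange described above, as an added example that is not part of the original post: a Python script that builds and parses the FTP 227 reply, checks the advertised data port against the PassivePortRange the post configures, and, when run directly, plays the exchange against a throw-away passive server on 127.0.0.1 so both connections can be seen leaving the client. The address 10.0.0.5, the demo server and its payload are constructed for the example; nothing here is Microsoft's FTP service.

```python
"""Passive FTP control-channel exchange and the PassivePortRange check.

Constructed example: the 5500-5700 range is the value set in the post;
the demo server, the address 10.0.0.5 and the payload are made up.
"""
import re
import socket
import threading

PASSIVE_PORT_RANGE = "5500-5700"  # same value the post writes into the metabase

# Server reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", port = p1*256 + p2
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_port_range(spec):
    """'5500-5700' -> (5500, 5700). Surrounding quotes are tolerated because
    the adsutil output on the page shows the stored string carrying one;
    reversed or out-of-range values are rejected rather than guessed."""
    m = re.fullmatch(r"(\d{1,5})-(\d{1,5})", spec.strip().strip('"'))
    if not m:
        raise ValueError("bad PassivePortRange: %r" % spec)
    lo, hi = int(m.group(1)), int(m.group(2))
    if not 0 < lo <= hi <= 65535:
        raise ValueError("bad PassivePortRange: %r" % spec)
    return lo, hi


def pasv_reply(ip, port):
    """Server side: encode the data-channel address and port in a 227 reply."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return "227 Entering Passive Mode (%s,%d,%d)" % (",".join(octets), port // 256, port % 256)


def parse_pasv_reply(line):
    """Client side (and what an FTP-aware firewall does): recover (ip, port)."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    p1, p2 = int(m.group(5)), int(m.group(6))
    if p1 > 255 or p2 > 255:
        raise ValueError("bad port octets in: %r" % line)
    return ".".join(m.group(i) for i in range(1, 5)), p1 * 256 + p2


def data_port_allowed(port, range_spec=PASSIVE_PORT_RANGE):
    """True when the advertised port lies inside the range the firewall opens;
    a server that advertises anything else fails at the firewall."""
    lo, hi = parse_port_range(range_spec)
    return lo <= port <= hi


def _demo_server(ctrl_listener, range_spec):
    """Throw-away passive server: one PASV, one data transfer, no auth."""
    lo, hi = parse_port_range(range_spec)
    ctrl, _ = ctrl_listener.accept()
    ctrl.sendall(b"220 demo ready\r\n")
    data_listener = socket.socket()
    for port in range(lo, hi + 1):          # first free port inside the range
        try:
            data_listener.bind(("127.0.0.1", port))
            break
        except OSError:
            continue
    else:
        raise OSError("no free port in %s" % range_spec)
    data_listener.listen(1)
    if ctrl.recv(1024).strip().upper() != b"PASV":
        ctrl.sendall(b"500 expected PASV\r\n")
        ctrl.close()
        return
    ctrl.sendall((pasv_reply("127.0.0.1", data_listener.getsockname()[1]) + "\r\n").encode())
    data, _ = data_listener.accept()         # the client opens this connection
    data.sendall(b"hello over the passive data channel")
    data.close()
    data_listener.close()
    ctrl.close()


def run_demo(range_spec=PASSIVE_PORT_RANGE):
    """Client side: both TCP connections are outbound from the client, which is
    why a client-side firewall has nothing to object to. Returns (port, payload)."""
    ctrl_listener = socket.socket()
    ctrl_listener.bind(("127.0.0.1", 0))
    ctrl_listener.listen(1)
    server = threading.Thread(target=_demo_server, args=(ctrl_listener, range_spec), daemon=True)
    server.start()
    ctrl = socket.create_connection(ctrl_listener.getsockname())
    ctrl.recv(1024)                                 # 220 banner
    ctrl.sendall(b"PASV\r\n")
    ip, port = parse_pasv_reply(ctrl.recv(1024).decode())
    if not data_port_allowed(port, range_spec):     # what the firewall rule enforces
        raise RuntimeError("server advertised %d outside %s" % (port, range_spec))
    data = socket.create_connection((ip, port))     # second outbound connection
    payload = b"".join(iter(lambda: data.recv(4096), b""))
    data.close()
    ctrl.close()
    server.join()
    ctrl_listener.close()
    return port, payload


if __name__ == "__main__":
    print(run_demo())
```

The check in data_port_allowed is the whole reason the range is configured: a server that picks its data port from the default ephemeral range advertises ports the firewall never opened, and the client then hangs after the 227 reply. The same parsing is what an FTP-aware network firewall performs to open the data port dynamically; a firewall without that inspection has to be given the static range.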

Steps to configure passive mode on Server 2003:
1. Open Run, type inetmgr and press Enter to open the IIS management console.
2. Right-click Local Computer ---> Properties and tick the "Enable Direct Metabase Edit" check box.
3. Open a command prompt and run cd c:\inetpub\AdminScripts.
4. Set the passive port range with: cscript adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5700"
Below is the output of the command:
C:\Inetpub\AdminScripts>cscript adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5700"
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

PassivePortRange                : (STRING) ""5500-5700"

5. Open tcp/21 and the passive range 5500-5700 inbound on the server's Windows Firewall, then restart the FTP Publishing Service so the new range takes effect. Read the value back with adsutil.vbs get on the same path and make sure it is exactly 5500-5700 with no stray quotes, since the server will otherwise keep handing out ports from the default range. A network firewall in front of the server needs the same range opened too, unless it inspects FTP and opens the data port from the 227 reply by itself.

Now you have passive FTP configured and working at your site.