<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Networking Reviews</title>
	<atom:link href="https://www.networkingreviews.com/category/troubleshooting/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.networkingreviews.com</link>
	<description></description>
	<lastBuildDate>Wed, 24 Sep 2008 06:01:43 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.1</generator>
	<item>
		<title>Using Cisco Access Control List to block a subnet</title>
		<link>https://www.networkingreviews.com/using-cisco-access-control-list-to-block-a-subnet/</link>
					<comments>https://www.networkingreviews.com/using-cisco-access-control-list-to-block-a-subnet/#respond</comments>
		
		<dc:creator><![CDATA[Admin]]></dc:creator>
		<pubDate>Wed, 24 Sep 2008 06:01:43 +0000</pubDate>
				<category><![CDATA[Troubleshooting]]></category>
		<category><![CDATA[access control list]]></category>
		<category><![CDATA[acl]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[subnet]]></category>
		<guid isPermaLink="false">https://www.networkingreviews.com/?p=251</guid>

					<description><![CDATA[Question: I have the following ClassB network 172.31.0.0/16 that I&#8217;m trying to create an access list for. I&#8217;d like to allow 172.31.240.0/24 but deny all else, so I&#8217;m looking the best way to accomplish this with 2 acl lines. Answer: The best way to accomplish the above is to explicitly allow the subnet you want and then [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><strong><span style="text-decoration: underline;">Question:</span></strong></p>
<p>I have the following ClassB network 172.31.0.0/16 that I&#8217;m trying to create an access list for. I&#8217;d like to allow 172.31.240.0/24 but deny all else, so I&#8217;m looking the best way to accomplish this with 2 acl lines.</p>
<p><strong><span style="text-decoration: underline;">Answer:</span></strong></p>
<p>The best way to accomplish the above is to explicitly allow the subnet you want and then deny the whole Class B network as following:</p>
<p>access-list 110 permit ip 172.31.240.0 0.0.0.255<br />
access-list 110 deny ip 172.31.0.0 0.0.255.255</p>
<p>Another option with just one ACL entry would be to permit only the subnet 172.31.240.0/24 and thats it. No other ACL entries are needed since there is an implicit deny at the end of the access list statement.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.networkingreviews.com/using-cisco-access-control-list-to-block-a-subnet/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>FTP Disconnects Through Cisco ASA Firewall. MSS Exceeded Problem.</title>
		<link>https://www.networkingreviews.com/ftp-disconnects-through-cisco-asa-firewall-mss-exceeded-problem/</link>
					<comments>https://www.networkingreviews.com/ftp-disconnects-through-cisco-asa-firewall-mss-exceeded-problem/#respond</comments>
		
		<dc:creator><![CDATA[Admin]]></dc:creator>
		<pubDate>Fri, 29 Feb 2008 21:19:22 +0000</pubDate>
				<category><![CDATA[Troubleshooting]]></category>
		<category><![CDATA[ftp asa]]></category>
		<category><![CDATA[ftp cisco firewall]]></category>
		<category><![CDATA[ftp pix asa firewall]]></category>
		<guid isPermaLink="false">https://www.networkingreviews.com/blog/2008/02/29/ftp-disconnects-through-cisco-asa-firewall-mss-exceeded-problem/</guid>

					<description><![CDATA[Each TCP device on a network has an associated &#8216;ceiling&#8217; on TCP Data Size, called the MSS (Maximum Segment Size). The TCP MSS is negotiated between two communicating devices via the TCP SYN and SYN-ACK packets. After this negotiation, each TCP device must comply with the advertised MSS of the peer device, and should not [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>Each TCP device on a network has an associated &#8216;ceiling&#8217; on TCP Data Size, called the MSS (Maximum Segment Size). The TCP MSS is negotiated between two communicating devices via the TCP SYN and SYN-ACK packets. After this negotiation, each TCP device must comply with the advertised MSS of the peer device, and should not send data on the segment that is larger than the advertised MSS of the device to which it is sending.</p>
<p>Unfortunately, there are cases that even if the two TCP endpoints negotiate a certain size of TCP MSS, one of the devices sends data to the other device which is larger than the MSS. With the new version of the Cisco ASA (or PIX) firewall with software version 7.x and up, the above situation is not accepted by the firewall which drops the packets that do not adhere to the negotiated MSS size. The firewall does this to protect the devices from buffer overflow attacks.</p>
<p>The problem addressed here is when an FTP Client located on the INSIDE of a Cisco ASA firewall, can not access an FTP Server machine located on the OUTSIDE of the firewall, as shown on the diagram below. The same problem can also happen with any TCP application (e.g HTTP), not just FTP.</p>
<p align="center"><img fetchpriority="high" decoding="async" src="/images/asa-mss.jpg" alt="ASA MSS Exceeded" width="427" height="148" /></p>
<p><span id="more-13"></span>The initial firewall configuration is as following</p>
<p>pixfirewall(config)#<strong>interface Ethernet0</strong><br />
pixfirewall(config-if)#<strong>speed 100</strong><br />
pixfirewall(config-if)#<strong>duplex full</strong><br />
pixfirewall(config-if)#<strong>nameif outside</strong><br />
pixfirewall(config-if)#<strong>security-level 0</strong><br />
pixfirewall(config-if)#<strong>ip address 192.168.9.30 255.255.255.0</strong><br />
pixfirewall(config-if)#<strong>exit</strong><br />
pixfirewall(config)#<strong>interface Ethernet1</strong><br />
pixfirewall(config-if)#<strong>speed 100</strong><br />
pixfirewall(config-if)#<strong>duplex full</strong><br />
pixfirewall(config-if)#<strong>nameif inside</strong><br />
pixfirewall(config-if)#<strong>security-level 100</strong><br />
pixfirewall(config-if)#<strong>ip address 10.0.0.1 255.255.255.0</strong><br />
pixfirewall(config-if)#<strong>exit</strong><br />
pixfirewall(config)#<strong>global (outside) 1 interface</strong><br />
pixfirewall(config)#<strong>nat (inside) 1 10.0.0.0 255.0.0.0</strong><br />
pixfirewall(config)#<strong>route outside 0.0.0.0 0.0.0.0 192.168.9.2 1</strong></p>
<p>The problem is observed when looking at the logs of the firewall:<br />
<!--adsense--><br />
Show log:</p>
<p><strong>Sep 19 2007 06:55:58: %ASA-4-419001: Dropping TCP packet from INSIDE:10.0.0.2/38003 to OUTSIDE:192.168.9.2/21, reason: MSS exceeded, MSS 1390, data 1460</strong></p>
<p>The log output above shows that the FTP client and server negotiated an MSS value of 1390, but the data sent is 1460, therefore the firewall drops the packet.</p>
<p>There are two solutions for the MSS exceeded problem, one which can be applied globally on the ASA firewall, and one which can be applied for the specific connection only:</p>
<p><strong><span style="text-decoration: underline;">Solution A (Applied Globally on Firewall)</span></strong></p>
<p>There is a global command on the ASA firewall with which you can override the MSS value negotiated between the TCP devices. This command is shown below:</p>
<p>firewall(config)#<strong>sysopt connection tcpmss</strong> [<strong>minimum</strong>]<strong> </strong>bytes</p>
<p>The <strong>[minimum]</strong> keyword overrides the maximum segment size negotiated between the two devices to be no less than <span style="text-decoration: underline;">&#8216;bytes&#8217;</span>. So to solve the problem above, configure the following:</p>
<p>firewall(config)#<strong>sysopt connection tcpmss</strong> <strong>minimum</strong> 1460</p>
<p>This will force the two devices to negotiate an MSS value to be no less than 1460, therefore the data sent can go through with no problems.</p>
<p><strong><span style="text-decoration: underline;">Solution B (Applied on the specific connection only)</span></strong></p>
<p>The second workaround solution uses an access-list, a class map and a tcp-map to identify the specific FTP traffic between the client and the server, and allow the MSS to be exceeded only for this specific connection.</p>
<p>The configuration commands are shown below:</p>
<p>pixfirewall(config)#<strong>access-list ftp-list permit tcp host 10.0.0.2 host 192.168.9.2</strong><br />
pixfirewall(config)#<br />
pixfirewall#<strong>configure terminal</strong><br />
pixfirewall(config)#<br />
pixfirewall(config)#<strong>class-map ftp-map</strong><br />
pixfirewall(config-cmap)#<strong>match access-list ftp-list</strong><br />
pixfirewall(config-cmap)#<strong>exit</strong><br />
pixfirewall(config)#<strong>tcp-map mss-map</strong><br />
pixfirewall(config-tcp-map)#<strong>exceed-mss allow</strong><br />
pixfirewall(config-tcp-map)#<strong>exit</strong><br />
pixfirewall(config)#<strong>policy-map ftp-map</strong><br />
pixfirewall(config-pmap)#<strong>class ftp-map</strong><br />
pixfirewall(config-pmap-c)#<strong>set connection advanced-options mss-map</strong><br />
pixfirewall(config-pmap-c)#<strong>exit</strong><br />
pixfirewall(config-pmap)#<strong>exit</strong><br />
pixfirewall(config)#<strong>service-policy ftp-map interface outside</strong><br />
pixfirewall#</p>
<p>The configuration above will allow the MSS to be exceeded only between the FTP client and FTP server connections.</p>
<p style="text-align: center;"><strong>If you want to learn how to configure and implement any Cisco ASA 5500 v7.x and v8.x Firewall, check out the following excellent Book:</strong></p>
<p style="text-align: center;"><a href="http://www.cisco-tips.com/ciscoasaebook.php" target="_self" rel="noopener"><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/download.jpg" alt="download" width="116" height="111" /></a></p>
<p style="text-align: center;"><a href="http://www.cisco-tips.com/ciscoasaebook.php" target="_self" rel="noopener"><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/Cisco-Firewall-Fundamentals.png" alt="Cisco ASA Firewall eBook" width="330" height="300" /></a></p>
<p><strong><span style="text-decoration: underline;">Whats Included in the eBook</span></strong></p>
<table border="0">
<tbody>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>Getting Started with Cisco Firewalls (User Interface, Access Modes)</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>File Management</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>Security Levels (Traffic Flow between Security Levels)</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>Basic Firewall Configuration (Basic Configuration Steps)</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>Configuring Network Address Translation (NAT, PAT, Static NAT, Port Redirection)</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>Using Access Control Lists (ACLs)</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>Controlling Inbound and Outbound Traffic with ACLs</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>ACL Object Groups</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>Configuring VLANs and Subinterfaces</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>IPSEc VPNs (site-to-site VPN, Remote Access VPN, VPN client)</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>Configuring Active/Standby Stateful Failover</td>
</tr>
</tbody>
</table>
<h4 style="text-align: center;"><a href="http://www.cisco-tips.com/ciscoasaebook.php" target="_self" rel="noopener"><strong><span style="color: #ff0000;">GET YOUR EBOOK HERE</span></strong></a></h4>
]]></content:encoded>
					
					<wfw:commentRss>https://www.networkingreviews.com/ftp-disconnects-through-cisco-asa-firewall-mss-exceeded-problem/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Troubleshooting IPSEC VPN</title>
		<link>https://www.networkingreviews.com/troubleshooting-ipsec-vpn/</link>
					<comments>https://www.networkingreviews.com/troubleshooting-ipsec-vpn/#respond</comments>
		
		<dc:creator><![CDATA[Admin]]></dc:creator>
		<pubDate>Fri, 29 Feb 2008 20:54:12 +0000</pubDate>
				<category><![CDATA[Troubleshooting]]></category>
		<guid isPermaLink="false">https://www.networkingreviews.com/blog/2008/02/29/troubleshooting-ipsec-vpn/</guid>

					<description><![CDATA[This post discusses the most basic steps needed to troubleshoot a LAN-to-LAN IPSEC tunnel between Cisco Routers. A Cisco Router with the proper IOS version can make an excellent IPSEC VPN termination device, and can be used to securely connect two distant LANs over an untrusted network, such as the Internet. In our example below, we [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>This post discusses the most basic steps needed to troubleshoot a LAN-to-LAN IPSEC tunnel between Cisco Routers.</p>
<p>A Cisco Router with the proper IOS version can make an excellent IPSEC VPN termination device, and can be used to securely connect two distant LANs over an untrusted network, such as the Internet. In our example below, we use two Cisco 800 series broadband routers to create an IPSEC VPN tunnel between two offices over a DSL broadband connection via the Internet.</p>
<p><img loading="lazy" decoding="async" border="0" align="middle" width="531" src="/images/ipsec-vpn.jpg" alt="ipsec vpn" height="231" /></p>
<p><span id="more-1957"></span>A sample of the configuration concerning the example above is shown below:</p>
<p><em>hostname siteA</em><em>  !<br />
  crypto isakmp policy 1<br />
 encr 3des<br />
 authentication pre-share<br />
 group 2<br />
  crypto isakmp key ciscokey address 200.200.200.1<br />
  !<br />
  crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac<br />
  !<br />
  crypto map VPN 10 ipsec-isakmp<br />
 set peer 200.200.200.1<br />
 set transform-set TRANSFORM<br />
 match address 100<br />
  !<br />
  interface FastEthernet0<br />
  !<br />
  interface FastEthernet1<br />
  !<br />
  interface FastEthernet2<br />
  !<br />
  interface FastEthernet3<br />
  !        <br />
  interface FastEthernet4<br />
 ip address 200.200.100.1 255.255.255.0<br />
 ip nat outside<br />
 ip virtual-reassembly<br />
 duplex auto<br />
 speed auto<br />
 crypto map VPN<br />
  !<br />
  interface Vlan1<br />
 ip address 10.10.149.1 255.255.255.0<br />
 ip nat inside<br />
 ip virtual-reassembly<br />
  !<br />
  ip classless<br />
  ip route 0.0.0.0 0.0.0.0 200.200.100.2<br />
  !<br />
  ip nat inside source list 101 interface FastEthernet4 overload<br />
  !<br />
  access-list 100 permit ip 10.10.149.0 0.0.0.255 10.10.1.0 0.0.0.255<br />
  access-list 101 deny   ip 10.10.149.0 0.0.0.255 10.10.1.0 0.0.0.255<br />
  access-list 101 permit ip 10.10.149.0 0.0.0.255 any</em></p>
<p><!--adsense--><br />
When using the IPSEC Key Exchange (IKE) mechanism for setting up the VPN tunnel, there are two Phases in the ISAKMP (Internet Security Association and Key Management Protocol) operation:</p>
<ul>
<li><strong><u>Phase 1</u></strong>: In this phase the two nodes verify their identity and establish an initial secure communication channel for further IKE communication. The parameters negotiated in this Phase include the Encryption algorithm (e.g 3DES), a hash algorithm (MD5 or SHA), an authentication method (e.g pre-shared keys), and a Diffie-Hellman group.</li>
<li><strong><u>Phase 2</u></strong>: Using the secure communication channel established in Phase 1, the two nodes in Phase 2 negotiate Security Associations (SA) for IPSEC Transforms (AH for authentication or ESP for Encryption).</li>
</ul>
<p>Therefore, in order to efficiently troubleshoot the IPSEC VPN operation, we need to check the two phases independently, starting always with Phase 1 to see if it has been established correctly, and then verifying Phase 2 establishment.</p>
<p><u>Phase 1:</u></p>
<p>The following command shows the status of Phase 1 negotiation:</p>
<p><strong><em>SiteA#show crypto isakmp sa</em></strong></p>
<p>  IPv4 Crypto ISAKMP SA</p>
<p>  dst                                src             state                  conn-id slot status</p>
<p>  200.200.200.1    200.200.100.1    QM_IDLE           1001    0 ACTIVE</p>
<p>  From the output above we can see the public IP addresses 200.200.200.1 and 200.200.100.1 used as source and destination between the two Site Routers. The most important field to check here is the ‘state’ field which must be ‘QM_IDLE’ in order for Phase 1 to be correctly established. Other possible states in this field are:</p>
<table border="1" align="center" width="80%" cellPadding="0" cellSpacing="0">
<tr>
<td vAlign="bottom"><strong>State </strong></td>
<td vAlign="bottom"><strong>Explanation </strong></td>
</tr>
<tr>
<td vAlign="top">MM_NO_STATE</td>
<td vAlign="top">The ISAKMP SA has been created, but nothing else has happened yet. It is &#8220;larval&#8221; at this stage—there is no state.</td>
</tr>
<tr>
<td vAlign="top">MM_SA_SETUP</td>
<td vAlign="top">The peers have agreed on parameters for the ISAKMP SA.</td>
</tr>
<tr>
<td vAlign="top">MM_KEY_EXCH</td>
<td vAlign="top">The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.</td>
</tr>
<tr>
<td vAlign="top">MM_KEY_AUTH</td>
<td vAlign="top">The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE, and a Quick Mode exchange begins.</td>
</tr>
</table>
<p><u>Phase 2:</u></p>
<p>To verify Phase 2 operation use the following command:</p>
<p><strong><em>SiteA#show crypto ipsec sa</em></strong></p>
<p><em>interface: FastEthernet4</em><br />
  <em>    Crypto map tag: VPN, local addr 200.200.100.1</em><br />
<em>   protected vrf: (none)</em><br />
  <em>   local  ident (addr/mask/prot/port): (10.10.149.0/255.255.255.0/0/0)</em><br />
  <em>   remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)</em><br />
  <em>   current_peer 200.200.200.1 port 500</em><br />
  <em>     PERMIT, flags={origin_is_acl,}</em><br />
  <em>    #pkts encaps: 1843, #pkts encrypt: 1843, #pkts digest: 1843</em><br />
  <em>    #pkts decaps: 2618, #pkts decrypt: 2618, #pkts verify: 2618</em><br />
  <em>    #pkts compressed: 0, #pkts decompressed: 0</em><br />
  <em>    #pkts not compressed: 0, #pkts compr. failed: 0</em><br />
  <em>    #pkts not decompressed: 0, #pkts decompress failed: 0</em><br />
  <em>    #send errors 0, #recv errors 0</em><br />
<em>     local crypto endpt.: 200.200.100.1, remote crypto endpt.: 200.200.200.1</em><br />
  <em>     path mtu 1500, ip mtu 1500</em><br />
  <em>     current outbound spi: 0x8BF4C2A1(2348073633)</em><br />
<em>     inbound esp sas:</em><br />
  <em>      spi: 0x812A50F7(2167034103)</em><br />
  <em>transform: esp-3des esp-sha-hmac ,</em></p>
<p>The important points to watch in the output above are the <u>pkts encrypt</u> and <u>pkts decrypt</u>. These values show if packets are successfully encrypted and decrypted inside the VPN tunnel. The output above shows that Phase 2 is succesfuly established.</p>
<p>If you see only packets encrypted without any decrypted packets (or vice-versa), this means that the VPN tunnel works only one-way, which is not correct. You can then use the command: <u>debug crypto ipsec</u> to get a more detailed explanation why Phase 2 failed.</p>
<p><!-- InstanceEndEditable --></p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.networkingreviews.com/troubleshooting-ipsec-vpn/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
