Cisco ASA – Administrative Distance and Metric

Family Christmas dinner at my oldest customer’s house. The experience is what you’d expect if George Carlin incorporated Gosford Park into one of his standup routines. Posh yet subversive. All the guests are aging counter-culture types. Hippies who run eco-friendly business empires. Artists who made it big with corporate patrons. Telling shaggy dog stories that get shaggier with every round of drinks.

As we stand around the kitchen, polishing off a particularly strong bottle of port, we participate in what appears to be the family tradition of Embarrass My Customer With Stories From His Misspent Youth. “Did you ever meet his fifth ex-wife? No? Well, let me tell you about how they met.” Everybody knows a slightly different version of the story. Everyone chimes in at different points in the story with contradictory details, embellished by alcohol, half-remembered rumors and just plain hyperbole.

The picture that emerges is not quite Dorian Gray. More like those grainy mugshots of celebrities on thesmokinggun.com. An alternate reality. An evil twin. A teenage Bill Gates grinning at the camera. My customer, assiduously bent over a tray of Oysters Rockefeller, is pink with suppressed laughter and embarrassment. In his novelty Christmas apron, he is the center of this warm little world. He’s lived a fascinating life, if you believe the stories.

The routing table on the Cisco ASA is a similar sort of information accretion. It builds a picture of the network, based on various different sources of information. Some vague, some specific. Some reliable, some more unreliable than Uncle Gerald who has been hitting the eggnog all afternoon.

Administrative Distance

Routing Protocol        Administrative Distance
Connected Interface     0
Static Route            1
EIGRP Summarized        5
Internal EIGRP          90
OSPF                    110
RIP                     120
External EIGRP          170
Unknown                 255

If the ASA is configured for one or more routing protocols, the ASA can learn about different routes to the same destination. In which case, the ASA will prefer routes from the routing protocol with the lowest administrative distance. If a single routing protocol provides multiple routes to the same destination, the ASA will then look at the metric of each of those routes, and select the one with the lowest metric.

Lowest administrative distance first, then lowest metric.

So let’s say all the guests at the Christmas party are different routing protocols. Some are stone cold sober and utterly humorless. They talk the most sense and therefore have the lowest administrative distance. Some people are drunk off their ass and seeing pink elephants. They have the highest administrative distance.

But even the most sober of the guests might have heard various versions of the family legend of how my customer met ex-wife number five, and they may believe one version of the story more than the other versions. That’s like a routing protocol (the guest) knowing multiple routes to the same destination (multiple versions of the same story) and preferring the route with the shortest metric (believing the most likely story).

Static Routes

Let’s look at static routes and the metric parameter. Despite the name, the metric parameter in the route command actually refers to administrative distance.

For reference, the diagram below is the high-level topology of my test lab which I used in my last two posts, and is referenced in the commands below:

[Diagram: SLA Monitoring lab topology]

On my ASA, I have configured two static routes to the 6.6.6.0/24 network. I prefer to send the traffic via the outside interface, so I’ve configured a lower administrative distance (1) on the route that uses the outside interface, and a higher administrative distance (2) on the route that uses the redundantisp interface.

ciscoasa(config)# show running-config route
route outside 6.6.6.0 255.255.255.0 2.2.2.2 1
route redundantisp 6.6.6.0 255.255.255.0 5.5.5.2 2

For the 6.6.6.0 route, the ASA picks the route with the lower administrative distance and places it in the routing table.

ciscoasa(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
C    127.0.0.0 255.255.0.0 is directly connected, cplane

The numbers inside the square brackets refer to [administrative distance/metric]. The metric for static routes is 0, but you can set the administrative distance.

If the outside interface goes down, the route that uses the outside interface is no longer available. So the ASA removes it from the routing table, and the route that uses the redundantisp interface is put in the routing table instead.

ciscoasa(config)# int g 0/0
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.6.6.0 255.255.255.0 [2/0] via 5.5.5.2, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane

When the outside interface comes back up, the route that utilizes the outside interface is reinstated in the routing table because it uses a lower administrative distance than the route that utilizes the redundantisp interface.

ciscoasa(config-if)# int g 0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
C    127.0.0.0 255.255.0.0 is directly connected, cplane

If I add a route to the 6.0.0.0/8 network, the ASA considers that to be a different destination, and will place that in the routing table along with the 6.6.6.0/24 route.

ciscoasa(config-if)# route redundantisp 6.0.0.0 255.0.0.0 5.5.5.2
ciscoasa(config)# show running-config route
route redundantisp 6.0.0.0 255.0.0.0 5.5.5.2 1
route outside 6.6.6.0 255.255.255.0 2.2.2.2 1
route redundantisp 6.6.6.0 255.255.255.0 5.5.5.2 2
ciscoasa(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.0.0.0 255.0.0.0 [1/0] via 5.5.5.2, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
C    127.0.0.0 255.255.0.0 is directly connected, cplane

The ASA only compares administrative distance between routes to the exact same destination with the same subnet mask. That is the only situation in which administrative distance and metric matter.

So, with two installed routes that both cover 6.6.6.2 (6.6.6.0/24 and 6.0.0.0/8), each with the same administrative distance, the forwarding decision goes to the route with the longest subnet mask.

ciscoasa(config)# debug icmp trace
debug icmp trace enabled at level 1
ciscoasa(config)# ping 6.6.6.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:
ICMP echo request from 2.2.2.1 to 6.6.6.2 ID=4388 seq=24571 len=72
!ICMP echo reply from 6.6.6.2 to 2.2.2.1 ID=4388 seq=24571 len=72
ICMP echo request from 2.2.2.1 to 6.6.6.2 ID=4388 seq=24571 len=72
ICMP echo reply from 6.6.6.2 to 2.2.2.1 ID=4388 seq=24571 len=72
!ICMP echo request from 2.2.2.1 to 6.6.6.2 ID=4388 seq=24571 len=72
!ICMP echo reply from 6.6.6.2 to 2.2.2.1 ID=4388 seq=24571 len=72
ICMP echo request from 2.2.2.1 to 6.6.6.2 ID=4388 seq=24571 len=72
!ICMP echo reply from 6.6.6.2 to 2.2.2.1 ID=4388 seq=24571 len=72
ICMP echo request from 2.2.2.1 to 6.6.6.2 ID=4388 seq=24571 len=72
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

As you can see, the ASA sends the traffic via the outside interface (2.2.2.1). If I shut down the outside interface, this is what the routing table looks like:

ciscoasa(config)# int g 0/0
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.6.6.0 255.255.255.0 [2/0] via 5.5.5.2, redundantisp
S    6.0.0.0 255.0.0.0 [1/0] via 5.5.5.2, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane

And the ping is sent via the redundantisp interface (5.5.5.1).

ciscoasa(config)# ping 6.6.6.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:
ICMP echo request from 5.5.5.1 to 6.6.6.2 ID=4388 seq=3061 len=72
ICMP echo reply from 6.6.6.2 to 5.5.5.1 ID=4388 seq=3061 len=72
!ICMP echo request from 5.5.5.1 to 6.6.6.2 ID=4388 seq=3061 len=72
ICMP echo reply from 6.6.6.2 to 5.5.5.1 ID=4388 seq=3061 len=72
!ICMP echo request from 5.5.5.1 to 6.6.6.2 ID=4388 seq=3061 len=72
!ICMP echo reply from 6.6.6.2 to 5.5.5.1 ID=4388 seq=3061 len=72
ICMP echo request from 5.5.5.1 to 6.6.6.2 ID=4388 seq=3061 len=72
!ICMP echo reply from 6.6.6.2 to 5.5.5.1 ID=4388 seq=3061 len=72
ICMP echo request from 5.5.5.1 to 6.6.6.2 ID=4388 seq=3061 len=72
ICMP echo reply from 6.6.6.2 to 5.5.5.1 ID=4388 seq=3061 len=72
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Remember, the metric parameter in the route command is really the administrative distance for that static route. So if the ASA is learning routes to that same destination from other routing protocols, you can tell the ASA to prefer the static route by giving it a lower administrative distance (via the metric parameter).

So, let’s say I enable RIP on my ASA. It starts picking up other advertised routes from its RIP neighbors. You can see the 7.0.0.0 network in its routing table below, marked with an “R” code. Note that RIP has an administrative distance of 120.

ciscoasa(config-router)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.0.0.0 255.0.0.0 [1/0] via 5.5.5.2, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
R    7.0.0.0 255.0.0.0 [120/3] via 5.5.5.2, 0:00:18, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
R*   0.0.0.0 0.0.0.0 [120/1] via 5.5.5.2, 0:00:18, redundantisp

Note that the ASA still has that static route to the 6.0.0.0 network in the third line of its routing table:

S    6.0.0.0 255.0.0.0 [1/0] via 5.5.5.2, redundantisp

But if I remove that static route, the ASA replaces it with a route that it had learned via RIP. (That route is now marked with an “R” and has an administrative distance of 120.)

ciscoasa(config-router)# no route redundantisp 6.0.0.0 255.0.0.0 5.5.5.2 1
ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
R    6.0.0.0 255.0.0.0 [120/1] via 5.5.5.2, 0:00:16, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
R    7.0.0.0 255.0.0.0 [120/3] via 5.5.5.2, 0:00:16, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
R*   0.0.0.0 0.0.0.0 [120/1] via 5.5.5.2, 0:00:16, redundantisp

If I add that route back with an administrative distance of 121, which is (duh) higher than 120, the ASA will still prefer the route learned via RIP because it prefers the route with a lower administrative distance.

ciscoasa(config)# route redundantisp 6.0.0.0 255.0.0.0 5.5.5.2 121
ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
R    6.0.0.0 255.0.0.0 [120/1] via 5.5.5.2, 0:00:03, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
R    7.0.0.0 255.0.0.0 [120/3] via 5.5.5.2, 0:00:03, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
R*   0.0.0.0 0.0.0.0 [120/1] via 5.5.5.2, 0:00:03, redundantisp

However, if I give that static route an administrative distance of 119, the ASA places it in the routing table.

ciscoasa(config)# no route redundantisp 6.0.0.0 255.0.0.0 5.5.5.2 121
ciscoasa(config)# route redundantisp 6.0.0.0 255.0.0.0 5.5.5.2 119
ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.0.0.0 255.0.0.0 [119/0] via 5.5.5.2, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
R    7.0.0.0 255.0.0.0 [120/3] via 5.5.5.2, 0:00:08, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
R*   0.0.0.0 0.0.0.0 [120/1] via 5.5.5.2, 0:00:08, redundantisp

So what if I give that static route an administrative distance of 120? That’s the same administrative distance as RIP. Which route will the ASA use?

ciscoasa(config-router)# no route redundantisp 6.0.0.0 255.0.0.0 5.5.5.2 119
ciscoasa(config)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
R    6.0.0.0 255.0.0.0 [120/1] via 5.5.5.2, 0:00:01, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
R    7.0.0.0 255.0.0.0 [120/3] via 5.5.5.2, 0:00:01, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
R*   0.0.0.0 0.0.0.0 [120/1] via 5.5.5.2, 0:00:01, redundantisp
ciscoasa(config)# route redundantisp 6.0.0.0 255.0.0.0 5.5.5.2 120
ciscoasa(config)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.0.0.0 255.0.0.0 [120/0] via 5.5.5.2, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
R    7.0.0.0 255.0.0.0 [120/3] via 5.5.5.2, 0:00:21, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
R*   0.0.0.0 0.0.0.0 [120/1] via 5.5.5.2, 0:00:21, redundantisp

The static route is inserted in the routing table instead of the RIP route because it has a lower metric. Notice the second number in the square brackets. That is the metric. The static route to 6.0.0.0 is designated with [120/0] whereas the RIP route to 6.0.0.0 is designated with [120/1]. Both routes have an administrative distance of 120. The static route has a metric of 0, which is lower than the RIP route’s metric of 1.

Lowest administrative distance first, then lowest metric.
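An added simulation of the selection rules shown above (not the ASA's own code; the class names RoutingTable and Route are invented for this example): candidates are compared only against routes to the exact same destination and mask, lowest administrative distance first and then lowest metric, while the forwarding lookup is a longest prefix match over whatever got installed. The lab() function replays the steps from this post, with the routes, distances and metrics taken from the output above.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Route:
    network: str        # destination with mask, e.g. "6.6.6.0/24"
    next_hop: str
    interface: str
    ad: int             # administrative distance (the route command's "metric" parameter)
    metric: int         # 0 for a static route; the protocol's cost for a learned route
    code: str = "S"     # show route code: S static, R RIP


class RoutingTable:
    """Every candidate route the ASA knows about, plus the installed set derived from it."""

    def __init__(self):
        self.candidates = []
        self.down_interfaces = set()

    def add(self, route):
        self.candidates.append(route)

    def remove(self, route):
        self.candidates.remove(route)

    def shutdown(self, interface):
        self.down_interfaces.add(interface)

    def no_shutdown(self, interface):
        self.down_interfaces.discard(interface)

    def installed(self):
        """Per exact destination (network + mask): lowest AD wins, then lowest metric.
        A candidate whose interface is shut down is not eligible at all."""
        best = {}
        for r in self.candidates:
            if r.interface in self.down_interfaces:
                continue
            cur = best.get(r.network)
            if cur is None or (r.ad, r.metric) < (cur.ad, cur.metric):
                best[r.network] = r
        return best

    def lookup(self, dst):
        """Forwarding decision: longest prefix match among installed routes.
        AD and metric never compete across different masks."""
        ip = ipaddress.ip_address(dst)
        match, match_len = None, -1
        for r in self.installed().values():
            net = ipaddress.ip_network(r.network)
            if ip in net and net.prefixlen > match_len:
                match, match_len = r, net.prefixlen
        return match

    def show(self):
        """Installed routes in the [AD/metric] form of show route, sorted by destination."""
        return [f"{r.code:<4} {r.network} [{r.ad}/{r.metric}] via {r.next_hop}, {r.interface}"
                for _, r in sorted(self.installed().items())]


def lab():
    """Replays this post's steps and records what show route / the ping would use."""
    rt = RoutingTable()
    via_outside = Route("6.6.6.0/24", "2.2.2.2", "outside", ad=1, metric=0)
    via_backup = Route("6.6.6.0/24", "5.5.5.2", "redundantisp", ad=2, metric=0)
    rt.add(via_outside)
    rt.add(via_backup)
    snaps = {"initial": rt.show()}
    rt.shutdown("outside")
    snaps["outside down"] = rt.show()
    rt.no_shutdown("outside")
    snaps["outside up"] = rt.show()
    supernet = Route("6.0.0.0/8", "5.5.5.2", "redundantisp", ad=1, metric=0)
    rt.add(supernet)                       # different mask: a different destination
    snaps["ping 6.6.6.2"] = rt.lookup("6.6.6.2").interface          # /24 beats /8
    rt.shutdown("outside")
    snaps["ping 6.6.6.2, outside down"] = rt.lookup("6.6.6.2").interface
    rt.no_shutdown("outside")
    rt.add(Route("6.0.0.0/8", "5.5.5.2", "redundantisp", ad=120, metric=1, code="R"))
    rt.remove(supernet)                    # RIP [120/1] takes over
    snaps["no static"] = rt.installed()["6.0.0.0/8"]
    for ad in (121, 119, 120):             # static route re-added at three distances
        static = Route("6.0.0.0/8", "5.5.5.2", "redundantisp", ad=ad, metric=0)
        rt.add(static)
        snaps[f"static ad {ad}"] = rt.installed()["6.0.0.0/8"]
        rt.remove(static)
    return snaps


if __name__ == "__main__":
    for step, result in lab().items():
        print(f"{step}: {result}")
```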

Additional Information:

show running-config route command in the Cisco ASA 8.4 and 8.5 Command Reference.

interface command in the Cisco ASA 8.4 and 8.5 Command Reference.

shutdown command in the Cisco ASA 8.4 and 8.5 Command Reference.

ping command in the Cisco ASA 8.4 and 8.5 Command Reference.

show route command in the Cisco ASA 8.4 and 8.5 Command Reference.

route command in the Cisco ASA 8.4 and 8.5 Command Reference.

debug icmp command in the Cisco ASA 8.4 and 8.5 Command Reference.


Cisco ASA – More Static Route Tracking (SLA Monitoring)

Static route tracking (a.k.a. SLA monitoring) is a simple method that the Cisco ASA uses to track the availability of a static route. It allows the Cisco ASA to remove static routes from its routing table if it thinks that the routes are not available.

The Cisco ASA monitors the “reachability” of an IP address (usually a router or server in a remote network, reachable via the static route). The ASA periodically pings that monitored IP address in order to see if it can reach it. If the ASA gets a ping reply, it assumes that the static route is available. If it does not receive a reply from the monitored host (within the configured parameters), it assumes that the host is “unreachable”, and removes the associated static route(s) from its routing table.

In my previous post, I explained how to use SLA monitoring to set up redundant ISPs on a Cisco ASA.

These are the basic steps:

  1. Configure an SLA monitor process. Give it an ID number and tell it what IP address to ping.
  2. Configure one or more static routes and assign them a tracking ID.
  3. Associate the SLA monitor process in Step 1 with the tracking ID in Step 2.

Here are some more commands to verify and debug SLA monitoring. For reference, the diagram below is the high-level topology of my test lab which I used in my previous post, and is referenced in the commands below:

[Diagram: SLA Monitoring lab topology]

The show route command shows the routing table on the ASA. This includes any learned routes and directly connected routes.

ciscoasa# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
S*   0.0.0.0 0.0.0.0 [2/0] via 5.5.5.2, redundantisp

The show run route command shows the routes that are configured in the running config on the ASA.

ciscoasa# sh ru ro
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 1
route outside 6.6.6.0 255.255.255.0 2.2.2.2 1 track 1
route redundantisp 0.0.0.0 0.0.0.0 5.5.5.2 2

The show run sla monitor command shows you the SLA monitor-related configuration that is already in the running config. You can restrict the output to a specific SLA process by specifying a process ID.

ciscoasa# sh ru sla monitor
sla monitor 55
 type echo protocol ipIcmpEcho 6.6.6.2 interface outside
 timeout 1000
 frequency 3
sla monitor schedule 55 life forever start-time now

The show track command shows you info about the objects that are being tracked by tracking processes. If a track ID is not specified, then the output shows all tracked objects.

ciscoasa# sh track
Track 1
  Response Time Reporter 55 reachability
  Reachability is Down
  1 change, last change 00:01:05
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0

The show sla monitor configuration command shows more details about the SLA configuration than the show run sla monitor command.

ciscoasa# sh sla mon c
SA Agent, Infrastructure Engine-II
Entry number: 55
Owner:
Tag:
Type of operation to perform: echo
Target address: 6.6.6.2
Interface: outside
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 1000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 3
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

The show sla monitor operational-state command shows the state of the SLA operations.

ciscoasa# sh sla mon o
Entry number: 55
Modification time: 00:00:57.402 UTC Wed Jan 1 2003
Number of Octets Used by this Entry: 1480
Number of operations attempted: 287
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 00:15:12.403 UTC Wed Jan 1 2003
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0       RTTMin: 0       RTTMax: 0
NumOfRTT: 0     RTTSum: 0       RTTSum2: 0

The debug sla monitor command shows debugging messages for SLA. By default, both trace and error messages are shown, but you can restrict the output to just the trace or error messages. If you specify an SLA process ID, the ASA will only cough up the debug messages for that process ID. In the output below, you can see that the monitored IP address is not responding. To disable the debugging, use the no debug sla monitor command.

ciscoasa# debug sla monitor trace
IP SLA Monitor TRACE debugging for all operations is on
ciscoasa# IP SLA Monitor(55) Scheduler: Starting an operation
IP SLA Monitor(55) echo operation: Sending an echo operation
IP SLA Monitor(55) echo operation: Timeout
IP SLA Monitor(55) Scheduler: Updating result
IP SLA Monitor(55) Scheduler: Starting an operation
IP SLA Monitor(55) echo operation: Sending an echo operation
IP SLA Monitor(55) echo operation: Timeout
IP SLA Monitor(55) Scheduler: Updating result
IP SLA Monitor(55) Scheduler: Starting an operation
IP SLA Monitor(55) echo operation: Sending an echo operation
IP SLA Monitor(55) echo operation: Timeout
IP SLA Monitor(55) Scheduler: Updating result
no debug sla monitor trace
IP SLA Monitor TRACE debugging for all operations is off

Additional Information:

show running-config sla monitor command in the Cisco ASA 8.4 and 8.5 Command Reference.

show running-config track command in the Cisco ASA 8.4 and 8.5 Command Reference.

show track command in the Cisco ASA 8.4 and 8.5 Command Reference.

show sla monitor configuration command in the Cisco ASA 8.4 and 8.5 Command Reference.

show sla monitor operational-state command in the Cisco ASA 8.4 and 8.5 Command Reference.

debug sla monitor command in the Cisco ASA 8.4 and 8.5 Command Reference.

sla monitor command in the Cisco ASA 8.4 and 8.5 Command Reference.

sla monitor schedule command in the Cisco ASA 8.4 and 8.5 Command Reference.

track rtr command in the Cisco ASA 8.4 and 8.5 Command Reference.

shutdown command in the Cisco ASA 8.4 and 8.5 Command Reference.

ping command in the Cisco ASA 8.4 and 8.5 Command Reference.

show route command in the Cisco ASA 8.4 and 8.5 Command Reference.

route command in the Cisco ASA 8.4 and 8.5 Command Reference.


Cisco ASA – SLA Monitoring

SHELDON
[Reciting a ditty as he walks down the stairs.]
Proxima Centauri’s the nearest star.
The celestial bodies that follow are:
Alpha Centauri A, Toli, Barnard’s Star,
Wolf 359, Laland 21185,
Sirius A, Sirius B, BL Ceti, UV Ceti,
Ross 154, Ross 248,
Epsilon Eridani, Lac 9352,
Ross 128, Procyon A…
Oh, darn! That’s wrong!
[Sheldon huffs, and climbs back up the stairs to start the recital all over again.]

[Cut to later. Sheldon reaches the ground floor on his second attempt.]
…EZ Aquarii A, EZ Aquarii B,
EZ Aquarii C, Procyon A.
Those are the stars that are nearest to me.
Tra La La and Fiddle Dee Dee.

– The Big Bang Theory

On The Big Bang Theory, the elevator in the apartment building has been broken for years. It’s one of the running gags on the show. Even if the elevator gets fixed someday, none of the regular characters would notice because they just automatically take the stairs. That’s the main disadvantage of static routes (as opposed to dynamic routing protocols). You don’t automatically take the best route available. You just schlep up and down the stairs because you don’t know any better.

Static routes are manually entered into the routing table of the Cisco ASA. There is little overhead; no need to configure dynamic routing protocols, no neighbors to talk to, no routing updates to send and receive. The downside is, the routing table must be manually changed if there is a change in the routing.

SLA monitoring is a method of tracking whether or not a particular static route is available, and automatically removing that route from the routing table if it is not available. So what makes a route “available”? You set up an SLA process that monitors whether or not a particular IP address is reachable via ping. This can be the actual destination host, or an ISP’s server, or a router along the route that has good uptime and is fairly reliably pingable. Something that is a good indicator of whether or not you can reach your destination via this route.

You can tell the ASA how often to ping the monitored IP address, and you can also define how long to wait for a ping reply, and how many missed ping replies constitutes “unreachable”. Then you tie this SLA process with one or more static routes. As soon as the monitored IP address is “unreachable”, the routes that you’ve associated with the SLA process are removed from the routing table.

This is useful if you have multiple static routes to the same destination. The preferred route should be given a lower metric and also tied to an SLA track. You should give the less-preferred routes a higher metric so that they will only be used if the preferred route is not available. So what will happen is, the preferred route is placed in the routing table and remains in use until something gets buggered along the route and the SLA process cannot reach the monitored IP address. Then, if the monitored IP address is unpingable long enough for it to be deemed “unreachable”, the preferred route is removed from the routing table and is replaced with the less-preferred route. As soon as the monitored IP address becomes reachable again, the preferred route is inserted back into the routing table.
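The behaviour described in this paragraph, and the three configuration steps listed in the previous post, as an added simulation that is not ASA code: the names SlaMonitor, Track, StaticRoute and Asa are invented, the echo results are constructed, and the model assumes one echo per operation with the track starting Up until an operation times out. The values (sla monitor 55 pinging 6.6.6.2 via outside, timeout 1000, frequency 3, track 1 bound to the outside routes, a backup default route with a distance of 2) are the ones from these posts.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SlaMonitor:
    """Step 1: the SLA process that pings the monitored host (one echo per operation)."""
    sla_id: int
    target: str
    interface: str
    timeout_ms: int = 1000          # "timeout 1000" in the lab config
    frequency_s: int = 3            # "frequency 3": one operation every 3 seconds
    attempted: int = 0
    last_return_code: str = "Pending"

    def probe(self, rtt_ms: Optional[int]) -> str:
        """One echo operation; rtt_ms is a constructed reply time, None means no reply."""
        self.attempted += 1
        ok = rtt_ms is not None and rtt_ms <= self.timeout_ms
        self.last_return_code = "OK" if ok else "Timeout"
        return self.last_return_code


@dataclass
class Track:
    """Step 3: the track object that follows the SLA process's reachability."""
    track_id: int
    sla: SlaMonitor
    reachable: bool = True          # assumption: Up until an operation times out
    changes: int = 0
    last_change_s: int = 0

    def update(self, now_s: int) -> bool:
        up = self.sla.last_return_code == "OK"
        if up != self.reachable:    # each Up/Down flip is one "change" in show track
            self.reachable = up
            self.changes += 1
            self.last_change_s = now_s
        return up


@dataclass
class StaticRoute:
    """Step 2: a static route, optionally bound to a track ID."""
    network: str
    interface: str
    next_hop: str
    ad: int = 1                     # the route command's "metric" parameter
    track: Optional[int] = None


class Asa:
    def __init__(self):
        self.routes = []
        self.tracks = {}
        self.clock_s = 0            # simulated uptime in seconds

    def cycle(self, track_id: int, rtt_ms: Optional[int]):
        """One scheduler pass for the SLA behind track_id: send an echo, update the track."""
        t = self.tracks[track_id]
        self.clock_s += t.sla.frequency_s
        t.sla.probe(rtt_ms)
        t.update(self.clock_s)
        return self.installed()

    def installed(self):
        """Routing table view: per destination, lowest AD among routes whose track is Up."""
        best = {}
        for r in self.routes:
            if r.track is not None and not self.tracks[r.track].reachable:
                continue            # withdrawn while the monitored host is unreachable
            if r.network not in best or r.ad < best[r.network].ad:
                best[r.network] = r
        return best

    def show_track(self, track_id: int):
        """The first lines of show track for this track, in the ASA's format."""
        t = self.tracks[track_id]
        age = self.clock_s - t.last_change_s
        return [f"Track {t.track_id}",
                f"  Response Time Reporter {t.sla.sla_id} reachability",
                f"  Reachability is {'Up' if t.reachable else 'Down'}",
                f"  {t.changes} change{'' if t.changes == 1 else 's'}, last change "
                f"{age // 3600:02d}:{age % 3600 // 60:02d}:{age % 60:02d}",
                f"  Latest operation return code: {t.sla.last_return_code}"]


def lab(echo_results=(1, 1, None, None, 2)):
    """Replays the lab with constructed echo results (RTT in ms, None = no reply).
    Returns the ASA and, per cycle, the interface each installed destination uses."""
    asa = Asa()
    asa.tracks[1] = Track(1, SlaMonitor(55, "6.6.6.2", "outside"))
    asa.routes += [StaticRoute("0.0.0.0/0", "outside", "2.2.2.2", 1, track=1),
                   StaticRoute("6.6.6.0/24", "outside", "2.2.2.2", 1, track=1),
                   StaticRoute("0.0.0.0/0", "redundantisp", "5.5.5.2", 2)]
    history = [{n: r.interface for n, r in asa.cycle(1, rtt).items()} for rtt in echo_results]
    return asa, history


if __name__ == "__main__":
    asa, history = lab()
    for i, table in enumerate(history, 1):
        print(f"cycle {i}: {table}")
    print("\n".join(asa.show_track(1)))
```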

You can set up some pretty complex route selection with multiple SLA processes, and with multiple routes tied to each SLA process.

So let’s see a simple example:

[Diagram: SLA Monitoring lab topology]

On my ASA, I’ve configured IP addresses on 3 interfaces. As soon as I’ve cabled up the interfaces to the subnets and brought the interfaces up, these directly-connected subnets are added to the ASA’s routing table and are designated with a C.

ciscoasa# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside

I have 2 ISP connections:

  • The outside interface is connected to my primary ISP
  • The redundantISP interface is connected to my secondary ISP

Until I set up a default route, the ASA will only route traffic to these directly-connected subnets. 6.6.6.2 is a server that resides on a subnet several hops away.

ciscoasa# ping 6.6.6.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:
No route to host 6.6.6.2

Success rate is 0 percent (0/1)

Once I add a default route (via the outside interface), I can ping 6.6.6.2:

ciscoasa# conf t
ciscoasa(config)# route outside 0 0 2.2.2.2
ciscoasa(config)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 2.2.2.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 2.2.2.2, outside
ciscoasa(config)# ping 6.6.6.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

I can add a second default route (via the redundantisp interface), with a higher metric:

ciscoasa(config)# route redundantisp 0 0 5.5.5.2 2
ciscoasa(config)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 2.2.2.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 2.2.2.2, outside

The default route via the outside interface is preferred because it has the lower metric, so it is the one that stays in the routing table. (Strictly speaking, the number you supply on the route command is the route’s administrative distance rather than its metric: show route prints it as [2/0], i.e. administrative distance 2, metric 0. The route command’s own syntax calls that parameter the metric, so the two terms get used interchangeably for static routes on the ASA.) If the outside interface ever goes down, the redundant default route is placed in the routing table. I can simulate that by administratively shutting down the outside interface:

ciscoasa(config-if)# int g 0/0
ciscoasa(config-if)# shut
ciscoasa(config-if)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [2/0] via 5.5.5.2, redundantisp

And a ping to 6.6.6.2 still succeeds, because the ASA now sends the ping traffic via the redundantISP interface.

ciscoasa(config-if)# ping 6.6.6.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

As soon as the outside interface comes back up, the preferred default route is inserted into the routing table again:

ciscoasa(config-if)# in g 0/0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 2.2.2.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 2.2.2.2, outside

So, what if there is a problem with the primary ISP a hop or two away? The ASA only knows that its directly-connected links are up, so it is unaware of the problem and keeps sending traffic via the preferred default route. Unlike dynamic routing protocols, where routing updates can tell the ASA about a connectivity problem further along the path, a static route stays in the routing table unless the interface it points out of goes down.

This is where SLA monitoring is useful.

Let’s start again, and remove those default routes. All the ASA knows how to reach is the directly-connected subnets.

ciscoasa(config)# no route outside 0 0 2.2.2.2 1
ciscoasa(config)# no route redundantisp 0 0 5.5.5.2 2
ciscoasa(config)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
ciscoasa(config)# ping 6.6.6.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:
No route to host 6.6.6.2

Now we will configure an SLA monitoring process that pings 6.6.6.2 via the outside interface. I’ve used an SLA monitor ID of 55. The interface keyword matters: the probe is sent out of that interface regardless of what the routing table says, so it keeps testing the primary ISP’s path even after the default route has flipped to the backup. Choose a target that reliably answers ICMP echo and does not rate-limit it (the ISP’s own DNS servers are a common choice); otherwise the track flaps, and so does your default route.

ciscoasa(config)# sla monitor 55
ciscoasa(config-sla-monitor)# type echo protocol ipIcmpEcho 6.6.6.2 interface outside
ciscoasa(config-sla-monitor-echo)# timeout 1000
ciscoasa(config-sla-monitor-echo)# frequency 3
ciscoasa(config-sla-monitor-echo)# sla monitor schedule 55 life forever start-time now

At this point, the monitored host starts receiving pings from the ASA. Now I’ll associate a tracking ID (1) with the SLA monitor ID (55). I’ll also add two routes. The preferred route is via the outside interface; it has a lower metric (1) and it is tied to track 1. The less-preferred route is via the redundant ISP interface, and it has a metric of 2.

ciscoasa(config)# track 1 rtr 55 reachability
ciscoasa(config)# route outside 0 0 2.2.2.2 1 track 1
ciscoasa(config)# route redundantisp 0 0 5.5.5.2 2

So now if that SLA monitoring process is unable to ping 6.6.6.2 via the outside interface, the ASA removes the tracked route from the routing table, and inserts the redundant default route via the redundantisp interface.

If 6.6.6.2 is reachable via the outside interface, the preferred route is in the routing table, designated with an S:

ciscoasa(config)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 2.2.2.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 2.2.2.2, outside

As soon as I unplug the router a few hops away, the Cisco ASA misses 3 ping replies from 6.6.6.2 and removes the tracked route from its routing table. The less-preferred route is inserted in the routing table in its place.

ciscoasa(config)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [2/0] via 5.5.5.2, redundantisp

I can link multiple static routes to this SLA process. All I have to do is add the static route to the routing table with the “track 1” parameter.

ciscoasa(config)# route outside 6.6.6.0 255.255.255.0 2.2.2.2 1 track 1
ciscoasa(config)# sh ru ro
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 1
route outside 6.6.6.0 255.255.255.0 2.2.2.2 1 track 1
route redundantisp 0.0.0.0 0.0.0.0 5.5.5.2 2
ciscoasa(config)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 2.2.2.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 2.2.2.2, outside

If the SLA monitoring process cannot reach 6.6.6.2, the track goes down and the ASA removes every route linked to track 1. If another candidate route exists for a removed prefix (e.g. one with a higher metric), that less-preferred route is installed instead. Here, the 6.6.6.0 route is removed and nothing replaces it, while the 0.0.0.0 route with metric 1 is replaced by the metric-2 route via the redundantisp interface.

ciscoasa(config)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [2/0] via 5.5.5.2, redundantisp
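To make the selection rules concrete, here is a small Python model of what the lab above demonstrates. It is an example added here, not code from the post or from Cisco: a static route is a candidate only while its interface is up and its track (if it has one) is reachable; among candidates for the same prefix the one with the lowest distance is installed; a connected route always beats a static one; and a lookup uses the longest matching prefix. The routes, interface names and track number are the lab’s own. The class and function names, and the representation of interface and track state as plain dictionaries, are this example’s assumptions. It goes slightly beyond the post in that it handles any number of prefixes and tracks, not just a default route.

```python
"""Model of ASA static-route installation and next-hop selection.

Added example, not code from the post. Interface and track state are plain
dictionaries (an assumption of this model); the routes are the lab's own.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: str
    distance: int = 1            # the 'metric' argument of the route command; shown as [distance/0]
    track: Optional[int] = None  # the 'track N' argument, if any


@dataclass
class Asa:
    connected: dict = field(default_factory=dict)  # interface -> directly connected subnet
    statics: list = field(default_factory=list)
    iface_up: dict = field(default_factory=dict)   # interface -> bool
    track_up: dict = field(default_factory=dict)   # track id -> reachability

    def route(self, interface, prefix, gateway, distance=1, track=None):
        """Equivalent of: route <interface> <prefix> <gateway> <distance> [track N]."""
        self.statics.append(StaticRoute(ipaddress.IPv4Network(prefix), interface,
                                        gateway, distance, track))

    def eligible(self, r):
        """A static route is a candidate only if its interface is up and its track (if any) is up."""
        if not self.iface_up.get(r.interface, False):
            return False
        if r.track is not None and not self.track_up.get(r.track, False):
            return False
        return True

    def routing_table(self):
        """Return {prefix: (code, interface, gateway, distance)}, the routes 'show route' would list."""
        table = {}
        for iface, net in self.connected.items():
            if self.iface_up.get(iface, False):
                table[ipaddress.IPv4Network(net)] = ("C", iface, None, 0)
        best = {}
        for r in self.statics:
            if self.eligible(r):
                cur = best.get(r.prefix)
                if cur is None or r.distance < cur.distance:
                    best[r.prefix] = r
        for p, r in best.items():
            if p not in table:  # a connected route (distance 0) always beats a static one
                table[p] = ("S", r.interface, r.gateway, r.distance)
        return table

    def lookup(self, dst):
        """Longest-prefix match. None means 'No route to host'."""
        addr = ipaddress.IPv4Address(dst)
        matches = [(p, e) for p, e in self.routing_table().items() if addr in p]
        if not matches:
            return None
        _p, (_code, iface, gw, _dist) = max(matches, key=lambda m: m[0].prefixlen)
        return (iface, gw)


def lab():
    """The post's lab: tracked default and 6.6.6.0/24 via outside, untracked backup default."""
    asa = Asa()
    asa.connected = {"outside": "2.2.2.0/24", "redundantisp": "5.5.5.0/24", "inside": "10.10.10.0/24"}
    asa.iface_up = {"outside": True, "redundantisp": True, "inside": True}
    asa.track_up = {1: True}                                  # track 1 rtr 55 reachability
    asa.route("outside", "0.0.0.0/0", "2.2.2.2", 1, track=1)  # route outside 0 0 2.2.2.2 1 track 1
    asa.route("outside", "6.6.6.0/24", "2.2.2.2", 1, track=1)
    asa.route("redundantisp", "0.0.0.0/0", "5.5.5.2", 2)      # route redundantisp 0 0 5.5.5.2 2
    return asa


def next_hop_after(track1_up=True, outside_up=True, dst="6.6.6.2"):
    """Where traffic to dst goes under a given track / interface state."""
    asa = lab()
    asa.track_up[1] = track1_up
    asa.iface_up["outside"] = outside_up
    return asa.lookup(dst)


if __name__ == "__main__":
    for state in [(True, True), (False, True), (True, False)]:
        asa = lab()
        asa.track_up[1], asa.iface_up["outside"] = state
        print(f"track1_up={state[0]} outside_up={state[1]}")
        for p, (code, iface, gw, dist) in sorted(asa.routing_table().items(),
                                                 key=lambda kv: kv[0].prefixlen):
            print(f"  {code} {p} [{dist}/0] via {gw} {iface}")
        print("  6.6.6.2 ->", asa.lookup("6.6.6.2"))
```

Running it prints the three routing tables the post shows (both up, track down, outside shut) and where 6.6.6.2 goes in each; note that with the track down, 6.6.6.0/24 disappears entirely while the default falls back to the metric-2 route, exactly as in the output above.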

Additional Information:

sla monitor command in the Cisco ASA 8.4 and 8.5 Command Reference.

sla monitor schedule command in the Cisco ASA 8.4 and 8.5 Command Reference.

track rtr command in the Cisco ASA 8.4 and 8.5 Command Reference.

shutdown command in the Cisco ASA 8.4 and 8.5 Command Reference.

ping command in the Cisco ASA 8.4 and 8.5 Command Reference.

show route command in the Cisco ASA 8.4 and 8.5 Command Reference.

route command in the Cisco ASA 8.4 and 8.5 Command Reference.

Posted in geek, mecha, v4vendetta | Tagged , , , , , | 3 Responses

Cisco PIX – Password Recovery

Blast from the past.

Sunday morning, recreationally rummaging through a box of old equipment, I find a tiny PIX 501. And it still powers up!

This PIX has probably been retired from the field, so there’s a password, of course. On a console connection, the first thing to try is the default username (pix) and the default password (password). Oooh, denied. OK, let’s try to connect over the network via Telnet or SSH with default password of cisco. Nope, you shall not pass, my little Balrog.

Fortunately, the password is easily reset using the PIX Password Lockout Utility which resets passwords, but not the PIX config. Cisco.com has the downloadable utility for all versions of the PIX OS up to version 7.x. The procedure is similar to that of resetting the password on a Cisco ASA.

This is what you need:

  • Computer running terminal emulator software to talk to the PIX
  • Console cable connected from computer to console port of the PIX
  • TFTP server
  • Straight-through Ethernet cable to connect the PIX to the network (or directly to the TFTP server)
  • PIX Password Lockout Utility for the version of the PIX OS that is installed on the PIX

So, first thing to do is find out what version of the PIX OS is running on the PIX. On a console connection, you can do a show version command, or power cycle the PIX and look for the version information that appears right after the retro Golden Gate bridge logo.


  -----------------------------------------------------------------------
                               ||        ||
                               ||        ||
                              ||||      ||||
                          ..:||||||:..:||||||:..
                         c i s c o S y s t e m s
                        Private Internet eXchange
  -----------------------------------------------------------------------
                        Cisco PIX Firewall

Cisco PIX Firewall Version 6.3(5)

Now that I know what version of the PIX OS is installed, I go to this page at cisco.com and download the utility file. In my case, I download np63.bin to my laptop.

My laptop has TFTPD32 installed on it, so it can double as the TFTP server.

I give my laptop a static IP address and connect it to one of the Ethernet ports on the PIX.

Then I reboot the PIX and hit the BREAK or ESC key when prompted.

Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x3000000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:17 irq:9 )
1: i8255X @ PCI(bus:0 dev:18 irq:10)

10 years? Jeepers.

I’ve connected my laptop to the inside interface, so that is interface 1.

monitor> interface 1
0: i8255X @ PCI(bus:0 dev:17 irq:9 )
1: i8255X @ PCI(bus:0 dev:18 irq:10)

I configure a temporary IP address for interface 1 on the PIX (6.6.6.1), and tell it that the TFTP server is at 6.6.6.2. I don’t need to specify a gateway since my laptop (the TFTP server) is directly connected to the inside interface of the PIX.

Using 1: i82557 @ PCI(bus:0 dev:18 irq:10), MAC: x0x0.x0x0.x0x0
monitor> address 6.6.6.1
address 6.6.6.1
monitor> server 6.6.6.2
server 6.6.6.2

I tell the PIX that it should retrieve the file np63.bin from the TFTP server, and I test connectivity with a ping.

monitor> file np63.bin
file np63.bin
monitor> ping 6.6.6.2
Sending 5, 100-byte 0xbbf7 ICMP Echoes to 6.6.6.2, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)

The tftp command tells the PIX to download the np63.bin file from my laptop. Then I am prompted to pick which passwords I want removed.

monitor> tftp
tftp np63.bin@6.6.6.2.....................................................................................................................................................................................
Received 92160 bytes

Cisco Secure PIX Firewall password tool (3.0) #0: Thu Jul 17 08:01:09 PDT 2003
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000

Do you wish to erase the passwords? [yn] y
The following lines will be removed from the configuration:
        enable password blahblahblah encrypted
        passwd blahdeblahblah encrypted
        aaa authentication serial console LOCAL
        aaa authentication telnet console LOCAL
        aaa authentication ssh console LOCAL
        aaa authentication http console LOCAL
        aaa authentication enable console LOCAL
        aaa authorization command LOCAL

Do you want to remove the commands listed above from the configuration? [yn] y
Passwords and aaa commands have been erased.

Rebooting....

Upon reboot, there is no Username prompt, and I can get into enable mode with a blank password. Worth remembering when you decommission one of these: the whole procedure needs nothing more than console access, a TFTP server and a reboot, and it leaves the rest of the config in place, so whoever ends up with the box can read whatever that config holds.

BranchPix501> en
Password:
BranchPix501# 502103: User priv level changed: Uname: enable_1 From: 1 To: 15
111008: User 'enable_1' executed the 'enable' command.

Additional Information:

Cisco.com: Password Recovery and AAA Configuration Recovery Procedure for the PIX.

gom jabbar: How To Break Into A Cisco ASA If You Do Not Have The Enable Password.

The Cisco PIX Firewall Command Reference, Version 6.3.

TFTPD32, a free TFTP/DHCP/Syslog server for Windows.


Cisco ASA – Redundant Default Routes

Early November. We are at the tail end of hurricane season in the Caribbean.

Last night, I am swaddled in waterproof raingear and Doc Martens, put-putting between customer sites on my little scooter. A tropical storm is doing the fandango a hundred miles offshore, and our surf churns white. The storm is supposed to hit around 1 a.m., but by noon, the outer edges of the storm begin to swish past, lashing the island with bands of heavy rain.

Overhead, telephone cables swing about in gale force winds, and I wonder if my cable TV will be out when I get home. Taxis zoom past my little scooter, filled with travelers headed to the airport. Tomorrow’s flights have been rescheduled for tonight. It’s not an especially big storm, but with the potential for wind damage, the airlines are getting out of Dodge. The power grid in my neighborhood is so shaky, the electricity goes out if you sneeze in the general direction of the substation. I suspect that dinner will be a pint of semi-melted ice-cream (rescued from the fridge) while reading an Asimov paperback by candlelight.

One of my customers is a big box store. Kinda like S-Mart from the Evil Dead movies. They sell damned near everything. The day before a hurricane hits, the store is packed with shoppers buying hurricane supplies. Cash registers ring merrily, and the takings rival the Christmas shopping season. Whereas my corporate clients have battened down the hatches for the duration of the storm, this customer stays open all day. After the storm passes, we will need to open up first thing the next morning because folks will be lining up to buy tools and supplies to clear up the mess.

The credit card system needs Internet access in order to process each transaction. No Internet means no credit card sales. Sure, we have manual workarounds. Customers who do not have a store account can always pay by cash or check. But if the WAN infrastructure is severely damaged by downed trees, it may take days for the work crews to turn up and fix the lines. So what do you do? You hook up a redundant WAN link. Different ISP, different medium. Eliminate as many commonalities as possible. Where possible, we want to avoid a single point of failure.

The main store has redundant ISPs, but the smaller retail locations each have a single DSL line to connect to the payment servers on the Internet. For a quick fix, we hook up a wireless Internet modem that works anywhere, even at the beach. If high winds take down the phone lines, we lose the DSL line. But the wireless link will remain up.

So. We have the inside and outside interfaces already configured. The inside interface connects to the 10.10.10.0 LAN network, where all our cash registers reside. The outside interface (11.11.11.1) is connected to the DSL router.

Cisco ASA 5505 with Redundant ISPs

We just need to configure an additional interface for the second WAN link:

ciscoasa(config)# conf t
ciscoasa(config)# interface Ethernet0/2
ciscoasa(config-if)# nameif wireless
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 5.5.5.1 255.255.255.0
ciscoasa(config-if)# no shut

Configure NAT and access lists for the wireless interface, if needed. Whatever policy you apply (or forget to apply) to the wireless interface is what your Internet-bound traffic gets while the DSL line is down, so it should be no looser than the policy on the outside interface. Then we add a second default route (with a higher metric) that uses this wireless WAN link:

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 11.11.11.2 1
ciscoasa(config)# route wireless 0.0.0.0 0.0.0.0 5.5.5.2 2

Now all traffic that is destined for the Internet is sent via the outside interface, same as always. But if the outside interface goes down, the Internet traffic is sent via the wireless interface instead.

With both the outside and wireless interfaces up and running, a show route command coughs up the routing table on the ASA:

ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 11.11.11.2 to network 0.0.0.0

C    5.5.5.0 255.255.255.0 is directly connected, wireless
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.10.10.0 255.255.255.0 is directly connected, inside
C    11.11.11.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 11.11.11.2, outside

The default route (with metric 1) uses the outside interface.

From one of the cash registers on the 10.10.10.0 network (and from the ASA itself, which is what is shown here), I can ping the payment server (6.6.6.2) out on the Internet. The ICMP traffic is sent via the outside interface:


ciscoasa(config)# ping 6.6.6.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

If the outside interface goes down (physically or administratively), the default route changes to the wireless interface (with metric 2):

ciscoasa(config-if)# int Ethernet0/0
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    5.5.5.0 255.255.255.0 is directly connected, wireless
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.10.10.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [2/0] via 5.5.5.2, wireless

But a ping to 6.6.6.2 still succeeds because the traffic is sent out via the wireless interface.


ciscoasa(config-if)# ping 6.6.6.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
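The failover is silent: the pings succeed either way, and nothing tells you that the store is now running its card transactions over the wireless link, with whatever policy that interface carries. Below is a small parser for show route output that reports which interface the installed default route is using and whether that is the primary. It is an example added here, not code from the post or from Cisco. The two sample outputs are copied from the post; the regular expressions cover the connected and static lines in the format shown above (dynamic-protocol codes such as O IA are matched but not treated specially), and the function names and the assumption that the text arrives as a string (e.g. collected over SSH by a monitoring job) are this example’s own.

```python
"""Parse 'show route' output and report which ISP the default route is using.

Added example, not code from the post. The sample outputs below are copied from
the post; everything else is this example's own.
"""
import re
from ipaddress import IPv4Network

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+(?: [A-Z]+\d?)?)\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:is directly connected, (?P<ciface>\S+)"
    r"|\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<gw>\d+\.\d+\.\d+\.\d+), (?P<iface>\S+))$"
)
LAST_RESORT_RE = re.compile(
    r"^Gateway of last resort is (?:(?P<gw>\d+\.\d+\.\d+\.\d+) to network 0\.0\.0\.0|not set)"
)


def parse_show_route(text):
    """Return (routes, gateway_of_last_resort). Each route is a dict with code,
    prefix (IPv4Network), distance, metric, gateway (None if connected) and interface."""
    routes, last_resort = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = LAST_RESORT_RE.match(line)
        if m:
            last_resort = m.group("gw")      # None when 'not set'
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue                         # legend lines, blanks, prompts
        prefix = IPv4Network(f"{m['net']}/{m['mask']}")
        if m["ciface"]:
            routes.append({"code": m["code"], "prefix": prefix, "distance": 0, "metric": 0,
                           "gateway": None, "interface": m["ciface"]})
        else:
            routes.append({"code": m["code"], "prefix": prefix, "distance": int(m["ad"]),
                           "metric": int(m["metric"]), "gateway": m["gw"],
                           "interface": m["iface"]})
    return routes, last_resort


def active_default(text):
    """(interface, gateway, distance) of the installed default route, or None if there is none."""
    routes, _ = parse_show_route(text)
    for r in routes:
        if r["prefix"].prefixlen == 0:
            return (r["interface"], r["gateway"], r["distance"])
    return None


def failed_over(text, primary_interface="outside"):
    """True when a default route is installed but it is not via the primary interface."""
    d = active_default(text)
    return d is not None and d[0] != primary_interface


# 'show route' output copied from the post, both links up:
NORMAL = """
Gateway of last resort is 11.11.11.2 to network 0.0.0.0

C    5.5.5.0 255.255.255.0 is directly connected, wireless
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.10.10.0 255.255.255.0 is directly connected, inside
C    11.11.11.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 11.11.11.2, outside
"""

# 'show route' output copied from the post, outside interface shut down:
FAILED_OVER = """
Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    5.5.5.0 255.255.255.0 is directly connected, wireless
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.10.10.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [2/0] via 5.5.5.2, wireless
"""

if __name__ == "__main__":
    for name, text in [("both links up", NORMAL), ("outside down", FAILED_OVER)]:
        print(name, "->", active_default(text), "failed over:", failed_over(text))
```

Feed it the output of show route collected on a schedule and alert on failed_over() flipping to True; the same parser also tells you when the gateway of last resort is not set at all, which is the “No route to host” state from earlier in the post.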

This config is only useful if we think we might lose

  • the outside interface of the ASA,
  • the link to the DSL modem (11.11.11.2), or
  • the DSL modem itself

If a falling tree branch takes down the line, even a single hop beyond the DSL modem, the ASA won’t know about it, and will continue to think that its default route is valid. To mitigate that sort of failure, we need to implement SLA route monitoring, where we keep tabs on the reachability of something several hops down the line, such as the ISP’s DNS servers.

Shop Smart. Shop S-Mart.

Additional Information:

nameif command in the Cisco ASA 8.4 and 8.5 Command Reference.

ip address command in the Cisco ASA 8.4 and 8.5 Command Reference.

security-level command in the Cisco ASA 8.4 and 8.5 Command Reference.

shutdown command in the Cisco ASA 8.4 and 8.5 Command Reference.

ping command in the Cisco ASA 8.4 and 8.5 Command Reference.

show route command in the Cisco ASA 8.4 and 8.5 Command Reference.

route command in the Cisco ASA 8.4 and 8.5 Command Reference.
