Monday, October 29, 2012

Cisco ASA 8.3, 8.4 Hairpinning NAT Configuration



Cisco ASA configuration can be a frustrating topic for many Cisco users, and everyone has his own troublesome case. Here Ethan Banks, a network engineer, shares his experience of helping a VPN client reach a remote office, along with an example of Cisco ASA 8.3/8.4 hairpinning NAT configuration.

Let’s share the case:
“I ran into an issue over the weekend where a VPN client was unable to access a remote office connected via an L2L tunnel terminated on the same firewall. The symptoms were straightforward enough. The client was unable to either ping or open a URL at a specific server at the remote office, although this connectivity used to work. In this example, VPN client 192.168.100.100 was not able to access server 10.11.12.1, although access to resources in the 10.10.0.0/16 network was fine.

I confirmed the remote office firewall was unlikely to be the issue; the remote firewall had seen no changes. As I knew the headquarters Cisco ASA firewall HAD seen a few changes, that’s where I focused my attention. After reviewing the headquarters firewall rulebase, I knew that the VPN client IP pool had permission to access resources in the remote office.

Monitoring the firewall logs, I spotted several “110003: Routing failed to locate next-hop for protocol from src interface:src IP/src port to dest interface:dest IP/dest port” messages tied directly to the VPN client trying to open a socket to 10.11.12.1. So, I reviewed the firewall routing table with “show route” and “show asp table routing” and found no issues…not that I expected to. If the routing table was having a problem, connectivity issues would have been more widespread.

Of course, NAT sprung to mind as a potential issue, but I couldn’t see an obvious problem. There was a NAT that exempted the entire VPN client pool from being translated to any RFC1918 destinations. As this clearly covered the remote office IP range, I was a little stumped. This confusion was compounded by the fact that the connectivity used to work. A perplexing issue.

Take a read of “Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Setting General VPN Parameters”. A couple of highlights caught my eye:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_params.html#wp1042114
  • The “same-security-traffic permit intra-interface” is required. Fair enough, easy to implement, makes sense, and I’d already done that. No problem.
  • Now the documentation got confusing because of two conflicting statements:
  1. “When the ASA sends encrypted VPN traffic back out this same interface NAT is optional. The VPN-to-VPN hairpinning works with or without NAT.” Okay – so I don’t need to write a NAT statement for the hairpinned traffic. NAT is optional, right? But then you next read…
  2. “To exempt the VPN-to-VPN traffic from NAT, add commands that implement NAT exemption for VPN-to-VPN traffic.” Uh, hang on. So I *do* need a NAT statement?

From my experience, I believe that, yes, you need a NAT exemption statement. I think all Cisco is trying to say is that you don’t have to actually translate the source or destination address into something else to be able to get through the hairpin.

Writing a NAT exemption statement is not an unusual thing to have to do in an ASA, but the magic in the context of hairpinning is in defining the ingress and egress interfaces. In a hairpin path, the traffic flows in and out the same interface. While I did have a NAT statement that matched the source and destination addresses in question, the interfaces were only suitable for handling source VPN client to destination headquarters network traffic…not traffic headed from VPN client to the remote office network. Therefore, I needed a NAT statement like this: “nat (outside,outside) source static client_vpn_pool client_vpn_pool destination static remote_office_net remote_office_net”.

The order of the NAT statement also mattered, as NAT statements are processed in order. Once I moved my new NAT statement to the top of the list, the issue was resolved.”
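The configuration the post describes, written out as an added example (this is not Ethan Banks' or Cisco's own configuration). The object names and the 192.168.100.100 / 10.11.12.1 / 10.10.0.0/16 addresses come from the post; the 192.168.100.0/24 and 10.11.0.0/16 prefixes, the RFC1918 object-group, the line number on the new rule and the packet-tracer ports are assumptions. The packet-tracer line at the end is the check a practitioner wants before and after the change: it simulates the exact flow that produced the 110003 message and shows which NAT rule (if any) claims it and which egress interface the ASA picks.

```cisco
! Added example, not the post's own configuration. Object names follow the
! post; prefixes, the RFC1918 group, the rule position and ports are assumed.

! 1. Hairpinning: allow traffic to enter and leave the same interface.
same-security-traffic permit intra-interface

! 2. Objects for the VPN client pool and the remote office network.
object network client_vpn_pool
 subnet 192.168.100.0 255.255.255.0
object network remote_office_net
 subnet 10.11.0.0 255.255.0.0
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

! 3. The rule that already existed: right addresses, wrong interface pair.
!    (outside,inside) only covers VPN client -> headquarters LAN; it can never
!    match a flow whose ingress AND egress interface are both "outside".
nat (outside,inside) source static client_vpn_pool client_vpn_pool destination static RFC1918 RFC1918

! 4. The fix: an identity (exemption) rule for the hairpin path, inserted at
!    line 1. Section 1 (twice NAT) rules are evaluated top-down, first match
!    wins, so a broader (outside,outside) rule placed above it, such as an
!    outbound dynamic PAT, would claim the flow first.
nat (outside,outside) 1 source static client_vpn_pool client_vpn_pool destination static remote_office_net remote_office_net

! 5. Verify order and hit counts, then simulate the flow from the 110003 log.
!    Expected: the NAT phase shows the new rule, the output interface is
!    "outside", and the result is ALLOW. A DROP in the NAT or route phase
!    means the rule is missing, mis-ordered, or on the wrong interface pair.
show nat detail
packet-tracer input outside tcp 192.168.100.100 12345 10.11.12.1 80 detailed
```

The same packet-tracer run against the configuration before step 4 is also worth keeping in the change record: it documents the failing lookup that the 110003 syslog message only hints at, and it gives the remote-office side a clean negative result to compare against.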


Tuesday, October 23, 2012

Cisco Unified IP Phone 7942G: Enhanced Sound Quality


Cisco Unified Communications Solutions unify voice, video, data, and mobile applications on fixed and mobile networks, delivering a media-rich collaboration experience across business, government agency, and institutional workspaces. These applications use the network as the platform to enhance comparative advantage by accelerating decision time and reducing transaction time. The security, resilience, and scalability of the network enable users in any workspace to easily connect anywhere, anytime, and anyplace, using any media, device or operating system. Cisco Unified Communications is part of a comprehensive solution that includes network infrastructure, security, wireless, management applications, lifecycle services, flexible deployment and outsourced management options, and third-party applications.

The Cisco Unified IP Phone 7942G (Figure 1) is a full-featured IP phone with speakerphone and handset designed for wideband audio. It is intended to meet the needs of transaction-type workers with significant phone traffic. It has two programmable backlit line/feature buttons and four interactive soft keys that guide you through all call features and functions. The phone has a large, 4-bit grayscale graphical LCD (Figure 2) that provides features such as date and time, calling party name, calling party number, digits dialed, and presence information. The crisp graphic capability of the display allows for the inclusion of higher value, more visibly rich Extensible Markup Language (XML) applications, and support for localization requiring double-byte Unicode encoding for fonts. A hands-free speakerphone and handset designed for hi-fidelity wideband audio are standard on the Cisco Unified IP Phone 7942G, as is a built-in headset connection and an integrated Ethernet switch.


Figure 2. Close-Up of Display and Lighted Line Keys


Features and Benefits
The Cisco Unified IP Phone 7942G is designed to grow with your organization and enhancements to your system capabilities. The dynamic feature set allows the phone to keep pace with your requirements through regular software updates. Firmware changes can be downloaded from Cisco.com. No hands-on moves and changes are required with the phone: you can simply pick up the phone and move to a new location anywhere on your network. The Cisco Unified IP Phone 7942G also provides many accessibility features. Table 1 lists the phone's features.

For more details (Cisco Unified IP Phone 7942G features, product specifications, temperature ratings, etc.), see the Cisco Unified IP Phone 7942G data sheet on cisco.com:
http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps379/ps8535/product_data_sheet0900aecd8069bb68.html


Thursday, October 18, 2012

Cisco SMARTnet Service Overview



What is Cisco SMARTnet Service?
Cisco SMARTnet Service is an award-winning technical support service that can give your IT staff direct, anytime access to Cisco experts and online self-help resources required to resolve issues with most Cisco products. With SMARTnet Service, you can choose from a broad range of service delivery options for Cisco products.

What is included with Cisco SMARTnet Service?
Cisco SMARTnet Service provides the following device-level support:
Direct access 24 hours a day, 365 days a year to specialized experts in the Cisco Technical Assistance Center (TAC).
Extensive self-help support through Cisco’s online knowledge base, communities, resources, and tools.
Smart, proactive diagnostics and immediate alerts on select devices enabled with Cisco Smart Call Home feature.
Operating system (OS) software updates, including both minor and major releases within your licensed feature set.
Advance hardware replacement options, including 2-hour, 4-hour, and next-business-day (NBD) replacement, as well as return for repair (RFR).
Optional onsite service that provides a field engineer who can install replacement parts at your location.
Increase ROI by up to 192 percent having access to Cisco operating system software enhancements
Expedite time to repair with the right parts at the right time to resolve issues quickly
Better manage scarce internal expert resources at all locations by using the proactive diagnostics and real-time alerts available with Smart Call Home on select devices
Empower your IT staff and improve productivity and revenue per employee with access to tools and technical support documentation that can increase self-sufficiency and technical knowledge

Why should you purchase Cisco SMARTnet Service?
By covering networking devices with a Cisco SMARTnet contract, you can:
Improve network availability, reliability, stability, and security with direct access to networking engineers at Cisco
Reduce the cost of network ownership by using Cisco expertise, knowledge, and availability

Is Cisco SMARTnet Service only limited to break/fix insurance?
No. The Cisco SMARTnet Service offers you help handling complex network operation and management issues such as:
Advanced software configuration
Interoperability and upgrade questions
Hardware and software information
In addition, Cisco SMARTnet Service helps you protect your network investments and minimize risks by:
Keeping your networking technology up-to-date with the latest OS software features and system improvements within your licensed feature set
Supplementing your network support organization to help ensure the availability of the knowledge and skills necessary to address rapidly changing technologies
Providing access to knowledgeable resources and tools for rapid resolution of issues
Eliminating the challenges of carrying replacement hardware in inventory and delivering them to remote sites
Providing optional trained field engineering resources to perform replacement services when and where you need them
Troubleshooting Call Home-capable devices in real time and reporting details back to you using a web portal and alerts using Smart Call Home

What additional features are available under the Cisco SMARTnet onsite option?
Cisco SMARTnet onsite includes the same capabilities as Cisco SMARTnet, with the addition of an onsite technician for parts replacement and installation. It is available with all SMARTnet advance hardware replacement service levels.

How should you choose between Cisco SMARTnet and Cisco SMARTnet onsite?
Cisco SMARTnet onsite support is the appropriate choice when:
You do not have the appropriate expert resources at a given site, such as a remote site.
Trained personnel are not readily available to react quickly to a network issue. The Cisco SMARTnet onsite service option provides rapid replacement of hardware.

Features and Benefits: Service Capabilities
What are service capabilities for SMARTnet?
Table 1 illustrates SMARTnet’s five main service capabilities.
Table 1. Cisco SMARTnet Service Capabilities

1. Return for repair on select video products only.
Expert assistance: To complement your in-house resources, the Cisco TAC employs a highly skilled staff that offers you years of networking experience, including many customer support engineers with networking and CCIE certifications as well as research and development engineers. Cisco engineers hold more than 800 U.S.-issued patents and have authored numerous industry white papers and books.
Faster resolution: The Cisco TAC provides constant measurement of customer satisfaction and time-to-resolution tracking, including an automated escalation sequence beginning one hour after submittal of severity 1 and severity 2 issues, resulting in CEO intervention by John Chambers after 48 hours for any severity 1 problem.
For more information, view the Cisco Severity and Escalation Guidelines.
http://www.cisco.com/web/about/doing_business/legal/service_descriptions/docs/Cisco_Severity_and_Escalation_Guidelines.pdf
Visibility into issue resolution status: You are kept up-to-date on all changes to your case through email notifications and personalized handoffs between you and Cisco engineers if your case warrants a move to a new specialization due to the nature of the issue, or a change occurs in work shift.
Networking expertise: The Cisco TAC offers depth and breadth of knowledge and experience with Cisco devices and operating system software, as well as a broad range of networking environments and technologies. Cisco TAC engineers have a minimum of five years of industry experience, and Cisco provides continuous training to help ensure our technical staff stays current with the latest technologies.
Support 24 hours a day, 365 days a year in multiple languages: By telephone, web, or email, the Cisco TAC is there when you need it.
Tested and proven resolution methods: Cisco uses a powerful virtual lab as an invaluable engineering resource and knowledge base for testing of network problems and recommended resolutions.

Can I get support from the Cisco TAC if I do not have a service contract?
Yes. The Cisco TAC will help you if you do not have a Cisco service contract, but you will be requested to pay a “per-incident fee” or to purchase a service contract.

How does the Cisco TAC prioritize service requests?
Cisco processes allow for you to designate the severity of every service request reported. Problems are reported in a standard format using the following problem severity definitions:
Severity 1: When an existing network or environment is down or there is a critical impact on the end user’s business operations. Cisco and the end user will commit full-time resources to resolve the situation.
Severity 2: When the operation of an existing network or environment is severely degraded or significant aspects of the end user’s business operation are being negatively affected by unacceptable network performance. Cisco and the end user will commit full-time resources during standard business hours to resolve the situation.
Severity 3: When the operational performance of the network or environment is impaired while most business operations remain functional. Cisco and the end user are willing to commit resources during standard business hours to restore service to satisfactory levels.
Severity 4: When information is required on Cisco product capabilities, installation, or configuration and there is little or no effect on the end user’s business operation. Cisco and the customer are willing to provide resources during standard business hours to provide information or assistance as requested.


Cisco SMARTnet Service - IMPROVE NETWORK & IT INFRASTRUCTURE PRODUCT AVAILABILITY

Sunday, October 14, 2012

Cisco Unified IP Phone 7962G Increases Audio Fidelity

Cisco Unified Communications Solutions unify voice, video, data, and mobile applications on fixed and mobile networks, delivering a media-rich collaboration experience across business, government agency, and institutional workspaces. These applications use the network as the platform to enhance comparative advantage by accelerating decision time and reducing transaction time. The security, resilience, and scalability of the network enable users in any workspace to easily connect anywhere, anytime, and anyplace, using any media, device or operating system. Cisco Unified Communications is part of a comprehensive solution that includes network infrastructure, security, wireless, management applications, lifecycle services, flexible deployment and outsourced management options, and third-party applications.


The Cisco Unified IP Phone 7962G (Figure 1) is a full-featured IP phone with speakerphone and handset designed for wideband audio. It is intended to meet the needs of managers and administrative assistants. It has six programmable backlit line/feature buttons and four interactive soft keys that guide you through all call features and functions. The phone has a large, 4-bit grayscale graphical LCD (Figure 2) that provides features such as date and time, calling party name, calling party number, digits dialed, and presence information. The crisp graphic capability of the display allows for the inclusion of higher value, more visibly rich Extensible Markup Language (XML) applications, and support for localization requiring double-byte Unicode encoding for fonts. A hands-free speakerphone and handset designed for hi-fidelity wideband audio are standard on the Cisco Unified IP Phone 7962G, as is a built-in headset connection and an integrated Ethernet switch.



Figure 2. Close-Up of Display and Lighted Line Keys

Features and Benefits
The Cisco Unified IP Phone 7962G is designed to grow with your organization and enhancements to your system capabilities. The dynamic feature set allows the phone to keep pace with your requirements through regular software updates. Firmware changes can be downloaded from Cisco.com. No hands-on moves and changes are required with the phone: you can simply pick up the phone and move to a new location anywhere on your network. The Cisco Unified IP Phone 7962G also provides many accessibility features. Table 1 lists the phone's features.



Wednesday, October 10, 2012

Difference & Features: Routers Vs. Layer 3 Switches



When a router receives a packet, it looks at the Layer 3 source and destination addresses to determine the path the packet should take. A standard switch relies on the MAC addresses to determine the source and destination of a packet, which is Layer 2 (Data) networking.

Generally speaking, a Layer-3 switch (routing switch) is primarily a switch (a Layer-2 device) that has been enhanced with some routing (Layer 3) capabilities. A router is a Layer-3 device that simply does routing. A switching router, by contrast, is primarily a router that may use switching technology (high-speed ASICs) for speed and performance, while also supporting Layer-2 bridging functions.

The fundamental difference between a router and a Layer 3 switch is that Layer 3 switches have optimized hardware to pass data as fast as Layer 2 switches, yet they make decisions on how to transmit traffic at Layer 3, just like a router. Within the LAN environment, a Layer 3 switch is usually faster than a router because it is built on switching hardware. In fact, many of Cisco's Layer 3 switches are actually routers that operate faster because they are built on "switching" hardware with customized chips inside the box.

Examples: Layer 2 switches, Layer-3 switches or routing switches and Routers
Layer-2 switches
Cisco: Catalyst 2950, 2960 series

Layer-3 switches or routing switches
Cisco: Catalyst 3550, Cisco 3560, 3750, 4500, Cisco 6500 series
Juniper: EX series

Routers (with some bridging and/or security features) or switching routers
Cisco: 1800, 1900, 2600, 2800, 2900, 3700, 3800, 3900, 7200, 7600, ASR 1000 series
Juniper: MX series, J series, M series

Notes: The current Cisco Catalyst layer-3 switches are 3560, 3750, 4500 series, 4900 series, and 6500 series.

To better understand the difference between a switching router and a routing switch, consider the following illustration. Early Cisco switches (e.g. the Catalyst 3500) had only basic Layer-2 capabilities such as bridging and switching. Newer models (e.g. the Catalyst 3550 or 3560) add routing capabilities such as terminating multiple Layer-3 interfaces and running dynamic routing protocols. In the router world, early Cisco routers (e.g. the 1600 or 2500) had only basic Layer-3 capabilities such as running dynamic routing protocols, terminating serial ports, and running non-IP protocols such as IPX and SNA. Newer models (e.g. the 1700, 1800, 2600 or 2800) add Layer-2 capabilities such as bridging and switching, and WICs (WAN Interface Cards) and NMs (Network Modules) with Ethernet ports extend this even further: the WIC-4ESW Ethernet switching card for the 1700 series, the HWIC-4ESW high-density Ethernet switching card for the 1800 and 2800 series, and the NM-16ESW Ethernet switching module for the 2600 and 2800 series.

As a broad category, routing switches use hardware to create shortcut paths through the middle of the network, bypassing the traditional software-based router. Unlike traditional routers, which use general-purpose CPUs for both control-plane and data-plane functions, Layer-3 switches use high-speed application-specific integrated circuits (ASICs) in the data plane. Removing the CPU from the data-plane forwarding path yields wire-speed performance, in effect a much faster version of the traditional router. In the Cisco world, the Catalyst 6500 series is an example of this routing-switch ASIC implementation. These switches are typically chassis-based (blade or module based): you specify which "switch brain" (the Supervisor Engine, in Cisco terms) and which port modules the switch should have.

A switching router is primarily a router that uses switching technology (high-speed ASICs) for speed and performance while also supporting Layer-2 bridging functions; the Cisco 7600 series and Juniper MX series routers are examples. These routers are likewise chassis-based: you specify which "router brain" (also called a Supervisor Engine by Cisco) and which port modules the router should have.

Further, the Cisco 7600 series router Supervisor Engine modules are compatible with the Cisco Catalyst 6500 series switch because the router and the switch share the same architecture. In other words, you can use the same Supervisor Engine model in either a Cisco 7600 series router or a Catalyst 6500 series switch.

Discussion: Router vs. Layer 3 Switches (from Cisco Learning Home)
Q: As we all know, a Layer 3 switch can perform the routing tasks if routing is enabled. But I have some questions regarding this:
 1. What is the main difference between these two?
 2. What are the criteria for choosing between these two, i.e. when should I use which one? What about the cost effects?
 3. Why is a router needed if Layer 3 switches exist?

Re1: L3 switches do not have WAN interfaces.
You can connect Ethernet circuits to a switch so you only need a router if you want to connect traditional circuits such as E1 E1 SDH or old technology such as X21 V35 or async circuits. As far as I know Call Manager Express does not run on a switch but does on a router. Switches support Wi-Fi controller, Firewall so are quite powerful. So you need to understand the business requirement before deciding router or switch. Also routers can include switch modules.

Re2: If it routes, it's a router.
L3-switch is a marketing term. It's a router with only Ethernet interfaces and lots of them. It also has a switching function to it, which makes it both a router and a switch. The differences will vary based on model. It depends... Cost varies as well, everywhere from inexpensive to very expensive! And truly there isn't a "need". You need an L3 device of some sort to exit your subnet. How you design that, or what specific piece you use, is entirely up to you.

Re3: Traditionally, Routers were devices that connected the LAN to the WAN and switches were just LAN devices and you may add a layer 3 switch to the lan if you had some vlans and didn't want to use a router.

However, as technology changes, the tradition of the WAN and LAN are fading.  My "WAN" links are actually 1 gig single mode fiber circuits that terminate to an ethernet fiber interface on a Layer 3 switch, a 6500, 4500, 3750 or even a 3560.  Now some will say that I have a MAN with those kinds of links.  It seems that as Scott said, Cisco Marketing is still stuck on calling a router a device that terminates a traditional WAN link,  I do agree that if the device routes, it is a router.... to some degree.

One thing I did notice regarding routers and layer 3 switches, and I will admit that router model and IOS version may play very heavily into this, and that is Routers seem to support more traffic monitoring features, such as netflow and nbar where as Layer 3 switches don't seem to have that kind of support.... until you get to the 6500.

Re4: Technically, the differences are:
1- An L3 switch does switching at layer 3 by preserving the source and destination MAC and preserving the TTL value of the IP header of the first routed packet, so the first packet is routed using a normal routing lookup, but after that all packets are switched.
2- A router does a normal routing lookup, but with the introduction of fast switching and CEF, packets are now also switched on a router.
3- Switches don't support some QoS features.
4- Switches don't support NAT.
5- Forwarding on switches is done on ASICs (Application Specific Integrated Circuits), i.e. in hardware rather than software.
6- Forwarding on routers is done in software.
7- Routers support different WAN technologies (modules), unlike switches.

Re5: I was just thinking about this.  I didn't learn about Layer 3 switches until the bcmsn.  I know in CCNA they were still really pushing the router vs switch concept.  Talk about throwing a monkey wrench into things when you throw in the concept of Layer 3 switch.

So to review:
1. A pure router will do just that, typically no switch ports; in today’s Cisco world I don't even know if they make one of these, wouldn't that be something like an ASA with 1 or (2) 100 Mb or gig ports with a serial port or similar?
2. A switch will just allow connections to edge devices, a true layer 2 switch like a 2960; "int vlan" is what allows management of the switch at layer 3. No routing between VLANs, this is where router on a stick comes into play.
3. A layer 3 switch integrates both abilities, but it depends on the model how integrated and featurific it is. Will it support netflow? Will it route between VLANs? If you do a show ip route, what will be displayed? How does it implement VLANs, is it the traditional vlan.dat file or will it do the switching way with show vlan? -- The simplest true layer 3 switch will support all switching features, but have the ability to do routed ports and route between the VLANs. I have had an Integrated Services Router like a 1760 or 3725 or similar where they had a small switch module, say 4-24 (100).

The definition of a layer 3 switch also may include the ability for a port to be either a routed port or a switched port, the commands switch port vs no switch port followed by having to assign it an ip address.

This is another point that also took some getting used to.  In a port that can be either layer 2 or layer 3, or strictly layer 3 or layer 2.    Example, a router can only do layer 3, so to do inter vlan routing  while connecting to another switch via  trunk port you have to give it sub interfaces to a physical switch port, give each one its own ip address and tag it with the encapsulation dot1q #.  Router on a stick, vs. switchport mode trunk command with layer 3 interfaces via the "int vlan 1" with an ip address assignment.

While I understand the CCNA approach to teaching fundamentals and where things started, it no doubt confuses someone, especially when a question asks about the differences between a hub/switch/router. In today’s world, hubs don't really exist, and in a large company odds are you’re going to be using a layer 3 switch.
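The two ways of routing between VLANs that Re5 describes (router on a stick with dot1Q subinterfaces, versus SVIs and routed ports on a Layer-3 switch), written out as an added example configuration. It is not from the discussion or from Cisco; the VLAN IDs, interface names and 10.0.x.0/24 and 192.0.2.0/30 addresses are assumed.

```cisco
! Added example, not from the discussion. VLAN IDs, interface names and
! addresses are assumed.

! --- Router on a stick: the router has no switch ports, so one physical
!     port carries a dot1Q trunk and each VLAN gets its own subinterface.
interface GigabitEthernet0/0
 no ip address
 no shutdown
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0

! --- The Layer-2 switch end of that link (2960): a trunk carrying both VLANs.
vlan 10
vlan 20
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20

! --- Layer-3 switch (3560/3750 class): the same two VLANs routed locally on
!     SVIs, so no external router and no trunk to it is needed.
ip routing
vlan 10
 name users
vlan 20
 name servers
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
! A port can also be taken out of switching entirely and used as a routed
! port, the "no switchport" form Re5 mentions (e.g. an uplink to a router).
interface GigabitEthernet1/0/24
 no switchport
 ip address 192.0.2.1 255.255.255.252

! --- Checks that answer Re5's "what will show ip route display" question
show ip route
show ip interface brief
show vlan brief
```

On the Layer-3 switch, `show ip route` lists the two VLAN subnets as directly connected via Vlan10 and Vlan20 and the /30 via the routed port; on the router they appear via the subinterfaces instead. The 2960 in the middle section only needs `ip routing` and SVIs if it is itself the Layer-3 device, which is the distinction the whole thread is about.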

Re6: Not sure that is accurate. I think most layer 3 switches can handle BGP, but to what extent? Full tables? Probably not. Dishing out money for 2 Cisco 2821's or Cisco 2921's is going to be way cheaper than purchasing another Cisco 6500 for our network....not to mention our Catalyst 6500 already does a lot of work...and now I am going to throw BGP at it....AH it would just shut off and give me the middle line card!

More Routers and Layer 3 Switches you can visit: http://blog.router-switch.com/