[c-nsp] FCIP and Cisco ASA5510
Primoz Jeroncic
jp at softnet.si
Fri Oct 2 03:38:25 EDT 2009
Hi
I'm trying to get Fibre Channel over IP working, and the people configuring the FC boxes
have a bunch of problems. At the moment I have a Cisco ASA5510 at both
locations with an IPsec VPN between them. Normal IP traffic goes through the
VPN fine, but the connection between their boxes is constantly
dropping after a second or two.
I got some recommendations from HP about the settings of the ASA, but I have
no idea how to configure this.
The recommendations are the following:
- "turn off" FCIP inspection on the inside Ethernet port
! based on what I see, only standard inspection is configured (dns,
ftp, h323, rsh, smtp...)
- configure service policy:
Global policy:
  Service-policy: global_policy
    Class-map: FCIP
      Set connection policy: random-sequence-number disable
        drop 0
      Set connection timeout policy:
        embryonic 12:00:00 half-closed 12:00:00 tcp 12:00:00
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
Would someone mind explaining how to configure this, since I can't find
any even remotely specific config for FCIP on CCO?
I would also appreciate a sample config if anyone has configured something
similar already.
PS: My current config on the ASA looks like this (I will copy the config of just one,
since the other is pretty much the same, with reversed IP addresses of course):
interface Ethernet0/0
description UPSTREAM
nameif outside
security-level 0
ip address 20.1.1.2 255.255.255.252
!
interface Ethernet0/1
description LAN
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.128
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxx.si
access-list outside-fw extended permit gre host x.x.x.x host y.y.y.y
access-list outside-fw extended permit esp host x.x.x.x host y.y.y.y
access-list outside-fw extended permit udp host x.x.x.x host y.y.y.y eq isakmp
access-list outside-fw extended permit udp host x.x.x.x host y.y.y.y eq 4500
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list vpn-lj extended permit ip 10.1.1.0 255.255.255.128 10.1.2.0 255.255.255.128
access-list vpn-lj extended permit esp 10.1.1.0 255.255.255.128 10.1.2.0 255.255.255.128
access-list vpn-lj extended permit gre 10.1.1.0 255.255.255.128 10.1.2.0 255.255.255.128
access-list vpn-lj extended permit igmp 10.1.1.0 255.255.255.128 10.1.2.0 255.255.255.128
pager lines 24
logging enable
logging monitor notifications
logging buffered notifications
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (lan2) 0 access-list nonat
access-group outside-fw in interface outside
route outside 0.0.0.0 0.0.0.0 20.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set cset-aes256-sha esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map cmap 1 match address vpn-lj
crypto map cmap 1 set peer x.x.x.x
crypto map cmap 1 set transform-set cset-aes256-sha
crypto map cmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 3600
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
Thanks for all help in advance already. :)
Have fun,
Primoz Jeroncic
Support - IP Connectivity & Routing
-------------------------------------------------------------------
Softnet d.o.o. tel: +386 1 562 31 40 |
Borovec 2 fax: +386 1 562 18 55 | 1 + 1 = 3
1236 Trzin primoz(at)softnet.si | for larger values of 1
Slovenija http://flea.softnet.si/
-------------------------------------------------------------------
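One way to turn the HP recommendation (the "Class-map: FCIP" block in the show service-policy output above) into ASA 8.x configuration, added here as an example and not taken from the original post or from HP. The endpoint addresses 10.1.1.10 and 10.1.2.10 are hypothetical FC gateway addresses inside the poster's two /25 subnets, and the port is the IANA-assigned FCIP port TCP 3225; both are assumptions and should be replaced with what "show conn" reports for the real boxes.

```text
! Match only the FCIP flows between the two FC gateways, so that TCP
! sequence-number randomization stays on for every other connection.
! Assumptions for this example:
!   10.1.1.10 / 10.1.2.10 = hypothetical FC gateway addresses
!   tcp/3225              = IANA fcip-port (confirm with "show conn")
access-list FCIP-TRAFFIC extended permit tcp host 10.1.1.10 host 10.1.2.10 eq 3225
access-list FCIP-TRAFFIC extended permit tcp host 10.1.2.10 host 10.1.1.10 eq 3225
!
class-map FCIP
 match access-list FCIP-TRAFFIC
!
! Add the class to the existing global policy; the inspection_default
! class is left exactly as posted. "random-sequence-number disable" stops
! the ASA from rewriting the TCP ISN of these flows, and the 12-hour
! timeouts keep an idle FCIP session from being torn down by the default
! "timeout conn 1:00:00" / "half-closed 0:10:00".
policy-map global_policy
 class FCIP
  set connection random-sequence-number disable
  set connection timeout embryonic 12:00:00 half-closed 12:00:00 tcp 12:00:00
!
! global_policy is normally already applied globally on an ASA; this line
! is a no-op if it is.
service-policy global_policy global
```

After applying it, "show service-policy global" should print a "Class-map: FCIP" block like the one HP quoted, and "show conn address 10.1.1.10" shows whether the FCIP connection is actually being built through the class. If the sessions still drop, "show asp drop" and the 302014 teardown syslogs give the reason the ASA closed them. Two caveats: none of the inspections in the posted inspection_default class is bound to TCP 3225, so there is no FCIP-specific inspection to turn off in that policy; and disabling ISN randomization removes the ASA's protection against sequence-number prediction for the matched hosts, which is why the class should be scoped to the two gateway addresses rather than applied to the whole subnet. Unrelated to the drops, but worth fixing while touching the tunnel: the ISAKMP policy pairs AES-256 with DH group 1 (768-bit MODP), which is far weaker than the cipher it protects.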