[c-nsp] FCIP and Cisco ASA5510

Primoz Jeroncic jp at softnet.si
Fri Oct 2 03:38:25 EDT 2009


Hi

I'm trying to get Fibre Channel over IP working, and the people configuring the FC boxes
have a bunch of problems. At the moment I have a Cisco ASA5510 at both
locations with an IPSec VPN between them. Normal IP traffic goes through the
VPN fine, but the connection between their boxes is constantly
dropping after a second or two.

I got some recommendations from HP about the ASA settings, but I have
no idea how to configure this.

The recommendations are the following:

- "turn off" FCIP inspection on the inside ethernet port
   ! based on what I see, only the standard inspection is configured (dns,
     ftp, h323, rsh, smtp...)

- configure service policy:
Global policy:
Service-policy: global_policy
Class-map: FCIP
Set connection policy: random-sequence-number disable
drop 0
Set connection timeout policy:
embryonic 12:00:00 half-closed 12:00:00 tcp 12:00:00
DCD: disabled, retry-interval 0:00:15, max-retries 5
DCD: client-probe 0, server-probe 0, conn-expiration 0

Would someone mind explaining how to configure this, since I can't find
any even slightly specific config for FCIP on CCO.
I would also appreciate a sample config if anyone has already configured something
similar.

PS: My current config on the ASA looks like this (I will copy the config of just one,
since the other is pretty much the same, with reversed IP addresses of course):

interface Ethernet0/0
  description UPSTREAM
  nameif outside
  security-level 0
  ip address 20.1.1.2 255.255.255.252
!
interface Ethernet0/1
  description LAN
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.128
!
ftp mode passive
dns server-group DefaultDNS
  domain-name xxxx.si
access-list outside-fw extended permit gre host x.x.x.x host y.y.y.y
access-list outside-fw extended permit esp host x.x.x.x host y.y.y.y
access-list outside-fw extended permit udp host x.x.x.x host y.y.y.y eq isakmp
access-list outside-fw extended permit udp host x.x.x.x host y.y.y.y eq 4500
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list vpn-lj extended permit ip 10.1.1.0 255.255.255.128 10.1.2.0 255.255.255.128
access-list vpn-lj extended permit esp 10.1.1.0 255.255.255.128 10.1.2.0 255.255.255.128
access-list vpn-lj extended permit gre 10.1.1.0 255.255.255.128 10.1.2.0 255.255.255.128
access-list vpn-lj extended permit igmp 10.1.1.0 255.255.255.128 10.1.2.0 255.255.255.128
pager lines 24
logging enable
logging monitor notifications
logging buffered notifications
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (lan2) 0 access-list nonat
access-group outside-fw in interface outside
route outside 0.0.0.0 0.0.0.0 20.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set cset-aes256-sha esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map cmap 1 match address vpn-lj
crypto map cmap 1 set peer x.x.x.x
crypto map cmap 1 set transform-set cset-aes256-sha
crypto map cmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
  authentication pre-share
  encryption aes-256
  hash sha
  group 1
  lifetime 3600
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
  pre-shared-key *
!
class-map inspection_default
  match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
  parameters
   message-length maximum 512
policy-map global_policy
  class inspection_default
   inspect dns preset_dns_map
   inspect ftp
   inspect h323 h225
   inspect h323 ras
   inspect rsh
   inspect rtsp
   inspect esmtp
   inspect sqlnet
   inspect skinny
   inspect sunrpc
   inspect xdmcp
   inspect sip
   inspect netbios
   inspect tftp
!

Thanks in advance for all your help. :)

Have fun,
Primoz Jeroncic
Support - IP Connectivity & Routing
-------------------------------------------------------------------
Softnet d.o.o.  tel:  +386 1 562 31 40   |
Borovec 2       fax:  +386 1 562 18 55   |       1 + 1 = 3
1236 Trzin      primoz(at)softnet.si     | for larger values of 1
Slovenija       http://flea.softnet.si/
-------------------------------------------------------------------
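An added example (not part of the original post, and not HP's or Cisco's own text) of ASA configuration that would produce the `show service-policy` output quoted in the HP recommendation above. It assumes the FC gateways use the IANA-registered FCIP port, TCP 3225, the inside/remote subnets from the posted config (10.1.1.0/25 and 10.1.2.0/25), and that the ASA's default `service-policy global_policy global` line is already present (ASA puts it in the startup config by default, and the existing `policy-map global_policy` is only applied through it).

```cisco
! Match FCIP traffic between the two sites in both directions.
! TCP 3225 is the IANA-registered FCIP port; change it if the FC gateways
! are configured with a different port (assumption for this example).
access-list FCIP-TRAFFIC extended permit tcp 10.1.1.0 255.255.255.128 10.1.2.0 255.255.255.128 eq 3225
access-list FCIP-TRAFFIC extended permit tcp 10.1.2.0 255.255.255.128 10.1.1.0 255.255.255.128 eq 3225
!
! Layer 3/4 class for FCIP only; the existing inspection_default class is untouched.
class-map FCIP
 match access-list FCIP-TRAFFIC
!
! Add the FCIP class to the policy-map that is already applied globally.
! No "inspect" line in this class, so FCIP gets no application inspection.
policy-map global_policy
 class FCIP
  ! ASA normally rewrites the TCP initial sequence number; HP asks for it off
  ! for FCIP. Scoped to this class only, all other TCP keeps randomization.
  set connection random-sequence-number disable
  ! Long idle timers so an idle FCIP session is not torn down (12 hours each).
  set connection timeout embryonic 12:00:00 half-closed 12:00:00 tcp 12:00:00
!
! Already present in a default ASA config; shown here for completeness.
service-policy global_policy global
```

After applying it on both ASAs, `show service-policy global` should list a `Class-map: FCIP` block with `random-sequence-number disable` and the 12:00:00 timers, i.e. the same shape as the HP output in the post; `show conn` will then show the TCP 3225 connections and whether their idle timers are climbing instead of being reset. Disabling ISN randomization removes a protection against off-path TCP injection, which is why the class is restricted to the FCIP hosts and ports, and those packets only ever travel inside the site-to-site IPSec tunnel (the `vpn-lj` crypto ACL already covers all IP between the two subnets).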

