[c-nsp] ASA 8.3

Antonio Soares amsoares at netcabo.pt
Wed Jul 14 05:32:47 EDT 2010


We have the default service-policy applied so we have the default sip inspection enabled.
 
We have enabled "debug sip" and all the types of logging and we saw absolutely nothing.
 
I'm trying to get the output you mentioned.
 
 
Thanks.
 
Regards,
 
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
 

  _____  

From: Pete Lumbis [mailto:alumbis at gmail.com] 
Sent: Wednesday, July 14, 2010 3:09
To: Antonio Soares
Cc: cisco-nsp
Subject: Re: [c-nsp] ASA 8.3


Do you have SIP inspection on? 

Do you see anything in debug level logs?

Look for anything increasing in "show asp drop" that might give you something. 




On Tue, Jul 13, 2010 at 7:14 PM, Antonio Soares <amsoares at netcabo.pt> wrote:


I have a customer running 8.3.1 that is facing a very strange issue. Some SIP packets are silently dropped. This seems to be random.
The SIP packets are of type "request:options". The source and destination ports are the same: 5060. The outside interface has an ACL
permitting this traffic. We also have the default service-policy applied. Has anyone seen something like this? Any ideas on how to
troubleshoot this?


Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ryan West
Sent: Wednesday, May 12, 2010 13:40
To: Ivan; cisco-nsp
Subject: Re: [c-nsp] ASA 8.3

Ivan,

> -----Original Message-----
> Sent: Wednesday, May 12, 2010 4:12 AM
> To: cisco-nsp
> Subject: [c-nsp] ASA 8.3
>
> Hi All,
>
> Shortly I will be deploying some new ASAs and came across the 8.3
> release.  I didn't expect that a minor release would have quite so many
> fundamental changes.  Without looking at the release notes, migration
> notes
> (http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html)
> and various blogs etc on the Internet I would have expected things to be
> not too different than 8.2 which I have used recently.
>
> I would appreciate any feedback from those who have deployed 8.3 as a
> new install or migration.  I will eventually have to decide if it is
> better to stick with the known 8.2 or the new 8.3 (new features and new
> bugs) to save the pain of an update later.
>

The structure of NAT has changed so much that any non-vanilla implementations are going to be very touchy.  If you're using a large
pool of NAT exempt addresses and calling them from an object-group, this will be expanded per entry into statements like:

nat (inside,any) source static <new generated object network (not an object-group)> <new generated object network (not an object-group)> destination static <object-group name> <object-group name>

So, seeing that for the first time might come as a surprise.  I ran into two NAT bugs during a migration with PAT and order of
operations.  CSCtf89372 is one of them, which still is not fixed in the interim.
A manual re-ordering of NAT rules fixes the issues. I thought Cisco had moved on from the PIX 6.3 days; guess not.

-ryan


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
