Cisco ASA 5500 Active/Standby – Zero Downtime Upgrade
KB ID 0000733 Problem You have two ASA firewalls deployed in Active/Standby failover configuration, and need to upgrade either the operating system or the ASDM. As you already have a high availability solution you do not want any downtime. Before we start, we need to make sure we know the difference between primary, secondary, active and standby. From the rear (Active=Green, Standby=Amber) The Primary and Secondary firewalls are...
Cisco ASA 5500 – Deny a Single IP Address External Access
KB ID 0000743 Problem This got asked on Experts Exchange today, the poster specifically asked for an ASDM solution, so here goes. However I will also do the commands as well. Solution Block an IP via ASDM 1. Connect to the ASDM > Configuration > Firewall > Add ‘Network Object’. Note: You could create a Network Object Group, then add a Network Object to that group. This is handy if there are liable to be more IP...
Cisco ASA 5500 Allowing Tracert
KB ID 0000753 Problem I’d always assumed that as Tracert uses ICMP, and that simply adding ICMP inspection on the ASA would let Tracert commands work. A client of mine is having some comms problems and wanted to test comms from his remote DR site, he had enabled time-exceeded and unreachable on the ASA (for inbound traffic) and that had worked. I checked the default inspection map and found inspect ICMP was there? As it turns...
Cisco ASA 5500 – VPN Works in One Direction
KB ID 0000759 Problem The title of this article can cover a multitude of possible causes, however I recently had a strange problem where a client with a remote site protected by an ASA5505 had a VPN tunnel connected to their main site which had an ASA5510. The tunnel established at phase 1, and phase 2, the main site could talk to the remote site, but the remote site refused to talk back to the main site. Update 23/04/19: Seen again...
Cisco Firewall (ASA/PIX) – Granting Access to an FTP Server
KB ID 0000772 Problem If you have an FTP server, simply allowing the FTP traffic to it wont work. FTP (in both active and passive mode) uses some random high ports that would normally be blocked on the firewall. So by actively inspecting FTP the firewall will know what ports to open and close. Solution How you ‘allow’ access to the FTP server will depend on weather you have a public IP address spare or not, if you only...