Packet-Tracer Fails Subtype: rpf-check Result: DROP
KB ID 000904 Problem I love packet-tracer, I use it a lot, especially when I’ve been told that the firewall I’ve installed is stopping a particular port. I had set up a simple port forward the other day, and when I went to check it with packet-tracer this happened. Petes-ASA# packet-tracer input outside tcp 123.123.123.123 443 192.168.1.10 443 <——-Output removed——–> Phase: 7 Type: NAT...
Cisco ASA – I Cannot Ping External Addresses? (Troubleshooting ICMP)
KB ID 0000914 Problem Considering we use ICMP to test connectivity, the fact that it is not a stateful protocol can be a major pain! Last week one of my colleagues rang me up and said, “Can you jump on this firewall, I’ve got no comms, and I cant ping external IP addresses. I can ping the internet from the firewall and I can ping internal IP addresses form the firewall”. Solution 1. Before we start, lets get the basics...
Cisco ASA – Enrolling for Certificates with NDES
KB ID 0000948 Problem To get your ASA 5500 firewall to enroll, and obtain a certificate from a Windows Server running NDES, this is the procedure you need to follow. Solution When dealing with certificates, it’s important that your firewall is maintaining the correct time. You can set this manually, but I’d recommend setting up NTP. Cisco ASA – Configuring for NTP 1. Make sure the firewall can contact the NDES...
Cisco ASA 5500 – Throttling (Rate Limiting) Traffic
KB ID 0001001 Problem If you have one client that’s taking all your bandwidth, or a server that’s getting a lot of connections from external IP addresses, and that’s causing you performance problems, you can ‘throttle’ traffic from/to that client by ‘policing’ its traffic. Solution To demonstrate, I have a 30Mb connection at home, when I run a test on the download connection speed from my...
Cisco ASA 5585-X Port Numbering
KB ID 0001004 Problem Back at the beginning of the year I had to do a firewall design that included an ASA5585-X, I did some searching to find out how the ports were numbered but came up blank. So I took an (incorrect) educated guess. I unboxed and fired one up today, and ran though the port numbering and orientation, and discovered the correct numbering. Solution Note: This ASA5585-X also has a CX module fitted. The bottom...