Cisco PIX/ASA 8.3 Command Changes {NAT / Global / Access-List}
KB ID 0000247 Problem I posted to a forum the other day; the poster had a problem with their VPN, and basically my response was, “Your NAT statements look bizarre – what is this config from?”. At this point I realised 8.3 had brought in some syntax changes. There are quite a few changes with the OS; this will touch on the things that I see on my clients' firewalls, so all eventualities are NOT covered. The main areas of...
Cisco Firewalls Changing the Web Management Port
Cisco 5500 Changing the ASDM Port / Unable to Port Forward HTTPS KB ID 0000268 Problem You want to change the port that the Cisco ASDM runs over, or you are attempting to port forward HTTPS/SSL and see the following error: ERROR: unable to reserve port 443 for static PAT ERROR: unable to download policy You are trying to port forward (create a static PAT entry) on a Cisco ASA for port 443 / HTTPS. This port is in use by the ASDM....
Cisco Remote (IPSEC) VPN Clients Timeout / Disconnect
KB ID 0000309 Problem By default, your remote VPN clients will time out their connections after 300 seconds of inactivity. Should you wish to increase that you can, on a user-by-user basis; however, sometimes that does not work. To fix the problem you need to disable ISAKMP monitoring at the “Head End”. Solution Enable via Command Line (see below for ASDM instructions) 1. Connect to the firewall (see here for...
ASA 5500 Adding a DMZ Step By Step
KB ID 0000316 Problem Assuming you have a working ASA 5500 and you want to add a DMZ to it, this is the process. Assumptions 1. Networks: a. Inside network is 10.1.0.0 255.255.0.0 b. Outside network is 123.123.123.120 255.255.255.248 c. DMZ network is 172.16.1.0 255.255.0.0 2. Interfaces: a. Inside Interface is 10.1.0.254 b. Outside Interface is 172.16.1.254 c. DMZ Interface is 172.16.1.254 3. The web server in the DMZ will have the...
Blocking Google Talk (Cisco ASA)
KB ID 0000323 Problem You want to block access to Google Talk, but not disrupt other services like Google Search and Gmail. Solution Yes, you could write a regex and block it with an MPF, like I did here to block Facebook. But Google Talk only runs on 4 servers and uses 4 ports. 1. Connect to the Cisco ASA, and go to configure terminal mode. PetesASA> PetesASA> en Password: ******** PetesASA# configure terminal...
Securing Cisco SSL VPN’s with Certificates
KB ID 0000335 Problem It’s been a while since I wrote a walk-through on the Cisco AnyConnect/SSL VPN solution, and usually I secure these with Active Directory or simply using the local user database on the firewall. But what if you wanted to use certificates instead? Perhaps your users are too “technically challenged” to remember their passwords. Or you want to enable two-factor authentication with...
Configure Cisco EasyVPN With Cisco ASA 5500
KB ID 0000337 Problem Site-to-site VPNs are great for main office to branch office connections, but for remote workers in a SOHO environment obtaining a static IP address can be expensive and time consuming. Traditionally remote workers will use either AnyConnect or IPSEC Remote VPNs. However, Cisco have a system which lets you have a main site (or sites), with a static IP, that acts as the EasyVPN server, then remote...
Site to Site IPSEC VPN from SonicWALL to Cisco ASA
KB ID 0000357 Problem You want to put in a secure IPSEC VPN tunnel from a Cisco ASA device to a SonicWALL firewall. Note: in this example we will use 3DES for encryption, SHA1 for hashing, Diffie-Hellman Group 2, PFS enabled, and we will use a shared secret (Pre-Shared Key). The SonicWALL used in this example is a PRO 3060. Solution The main two gotchas Update 12/03/11 Feedback from Wajma Omari: I would like to add that this...
Cisco ASA – Changing VPN IP Addresses
KB ID 0000391 Problem I had a client the other week with about 25 sites; his core site was changing ISP and therefore changing its IP address. On the main site this is pretty straightforward: just change the outside interface's IP address, subnet mask and the default route (that’s the default gateway for non-Cisco-ites). All well and good, but what about his other 24 sites? They all had VPNs back to the main site, and all...
Cisco ASDM – Accessing with Ubuntu
KB ID 0000396 Dtd 11/02/11 Problem Even though I prefer to use the command line, there are times I need to manage Cisco firewalls from the ASDM. To do this from my netbook running Ubuntu 10.10 was not as straightforward as I was used to. Solution In my scenario I’m using Ubuntu 10.10 Desktop Edition, Chrome as my browser, and the ASDM is running version 6.3(1). 1. Before we start I’m assuming you know what the ASDM is and...