Cisco ASA 5500 – Adding New ‘Different Range’ Public IP Addresses
KB ID 0001006 Problem I got an email at work yesterday; “Hello Pete I have asked our ISP to give us two additional real IP addresses so that we can progress the following two projects: Microsoft DirectAccess Publishing documents to a web server from our internal DMS. {ISP Name} have come back and said that they don’t have the next available numbers in our current IP address range, but they do have two other numbers we could...
ASA Upgrading and Imaging a Hardware CX Module
KB ID 0001025 Problem Last time I had to do one of these the process was very straight forward, one command and the ASA got its new image from FTP, extracted it, and then installed it. I had a CX module fail last week, and Cisco shipped me out a replacement. After installing it and running the setup, I needed to upgrade it (it will be managed by PRSM). It was running version 9.0.2 (probably been on the shelf a while!). And every time...
Configure Your Firewall for SNMP
KB ID 0001034 Problem Had a requirement to let SNMP traffic though a firewall this week, I have a client that has both SolarWinds and SCOM, and they need to monitor the external Citrix ADC load balancers. For SNMP we simply need UDP ports 161 and 162 (See below) but SolarWinds maintains ‘ping’ connectivity to the monitored assets, so ICMP also needs to be open. Inbound Ports Outbound Ports Solution As my ‘weapon of...
Cisco ASA – ‘access-group’ Warning
KB ID 0001035 Problem I’ve been writing Cisco ASA walkthroughs for years, and littered all over PeteNetLive you will see me warning readers every time I use access-group commands. So I’ve finally got round to putting this article up so I can reference it in future. What is an Access-Group command? You use an access-group command to apply an access-list to an interface, in a particular direction (in or out). Although I...
Cisco ASA – Policy NAT
KB ID 0001042 Problem I’ve been working on a large firewall deployment for a client, each of their DMZ’s have both a production and a management network. nothing particularly strange about that, but each of their DMZ’s has its own firewalled management network and it’s routable from the LAN. So If I’m an admin and I want to talk to a Linux appliance in their DMZ via its management interface, my traffic...
Cisco ASA – ‘Prove it’s Not The Firewall!’
KB ID 0001049 Problem Yeah, it’s funny because it’s true! The article title might not sound like the most professional approach, but when the ‘Well it’s not working now’ finger gets pointed at the ‘firewall guy/girl’, they need to ascertain two things; 1. Is the problem actually the firewall, if not then help the frustrated party track down the actual problem. 2. If your problem IS the...
Cisco ASA – View The Contents of an Object and Object-Group
KB ID 0001043 Problem My colleague loves the ASDM, I put up with it and prefer command line. We were troubleshooting a problem the other day and he said, there this is why I prefer the ASDM, just ‘hover’ over an object-group and it will show you the contents of it. Now if (like my test firewall above) you only have a few hosts, then I don’t see the point, but if you have a very complicated config with hundreds of...
Cisco ASA – Disable SSLv3 (Force TLSv1.0) – Mitigate POODLE
KB ID 0001052 Problem By default the Cisco ASA will allow connection via SSLv3. The POODLE exploit works by forcing SSL to fall back to SSLv3 and then decrypting that communication. However you are still not completely protected as per this Threat Validation, so the ASA platform can still be attacked via TLSv1.0. Note: At time of writing TLSv1.2 is not supported, but it is on the road-map for version 9.3(2). So this procedure will not...
Cisco ASA ASDM – Packet Tracer Wont Work
KB ID 0001051 Problem I don’t usually use the graphical packet tracer tool, but I did this week, and this happened; Following error(s) occurred- packet-tracer input inside {protocol} inline-tag -l {source} {source port} {target} {target port} xml %Invalid input detected at ‘^’ marker Solution Well from CLI it worked fine, so I’m guessing it’s a fault in the ASDM. An Internet/forum search threw up a load...
Cisco ASA 5500 – Performing NAT for Two (or More) internal IP’s to a Spare Public IP
KB ID 0001057 Problem I was in the PIX/ASA area at EE last night, and a poster asked if they could perform NAT on a couple of internal IP addresses to a spare public IP that they had. I had done this for a client some time last year when I performed and upgrade from 8.2. Anyone who has ever done a large upgrade on an ASA to the ‘new’ NAT system, will appreciate this is usually the area where the upgrade has a problem. So...