Replace an ASA 5505 with an ASA 5506-X
KB ID 0001091 Problem Given the amount of ASA work I do, it’s surprising that the first time I saw an ASA 5506-X was last week (I’ve been working on larger firewalls for a while). I’m probably going to have to do a few of these over the next couple of years, so I’ll update this article as things surface. Solution Q: Can I just copy the config from an ASA 5505 to an ASA 5506-X? A: No, that would be nice, truth be...
Download Cisco VPN Client Software
KB ID 0001098 Problem The Cisco VPN client software (CVPN-CL-IPSEC-ALL) is no longer available from Cisco. Milestone Definition Date End-of-Life Announcement Date The date the document that announces the end of sale and end of life of a product is distributed to the general public. July 29, 2011 End-of-Availability Date The last date to download the product from Cisco.com. The product is no longer available for download after this date. July...
Cisco FireSIGHT – Enable Active Directory (LDAP) Authentication
KB ID 0001102 WARNING: this is for older versions of the FirePOWER Management Platform; go to the following link for newer versions: Cisco FirePOWER Management Appliance – Allowing Domain Authentication Problem To save you creating multiple users on your FireSIGHT appliance and assigning roles to them, you can utilise your existing Active Directory. In fact FireSIGHT does a good job of enabling granular administration based on AD...
Cisco ASA 5500-X Restart the FirePOWER Service Module
KB ID 0001101 Problem I’ve only just recently started to work with these; the advantage of them is they are great for SOHO and SMB, and they don’t need additional SSD drives installing. Note: This procedure also works on the larger ASA 5500-X firewalls that have FirePOWER installed on an internal SSD drive (i.e. 5512, 5515, 5525, 5545, etc.). While getting them to work with a Sourcefire appliance, I had to...
Cisco AnyConnect – PAT External VPN Pool To An Inside Address
KB ID 0001104 Problem I got sent to Holland this week to look at a firewall deployment, and while I was sat in the airport, I was going over the job I had to do, when I realised the solution I had suggested had a problem, see below: My brief was to provide remote AnyConnect VPN into the network so the client could get their network set up, and manage things remotely. However, as I drew the network out in my head I realised that the...
Cisco ASA – Cannot Get To Enable Mode?
KB ID 0001105 Problem After setting up some firewalls last week I quickly jumped on them whilst VPN’d into my work network to make sure I’d be able to log into and administer them remotely via SSH and ASDM (in case anyone else wanted to use it). SSH gave me the new certificate prompt and logged me in, ASDM logged in. I left site a happy chap. I went to log in today via SSH and I could log on fine, but I could not get to...
Cisco ASA – Cannot Enable Third Party Certificate (9.4 and later)
KB ID 0001106 Problem I installed a third party certificate for a client on their ASA (from Digicert) and followed my usual procedure. I enabled it on the outside interface and tested AnyConnect; it wasn’t working. The ASA refused to present anything other than its self signed certificate. Solution This is because after 9.4 the ASA will automatically present a certificate that has an elliptic curve cipher. Even if the ASA has...
Cisco ASA (acl-drop) Flow is Denied by Configured Rule
KB ID 0001108 Problem Packet-tracer is a brilliant troubleshooting tool, but sometimes interpreting the output proves to be more difficult than actually fixing the problem. If your output fails at the access-list section, this is the sort of thing you will see: Petes-ASA# packet-tracer input inside tcp 10.2.2.10 80 123.123.123.123 80 —-Output removed for the sake of brevity— Type: ACCESS-LIST Subtype: Result: DROP Config:...