Cisco ASA 5500 Active/Standby – Zero Downtime Upgrade
KB ID 0000733 Problem You have two ASA firewalls deployed in Active/Standby failover configuration, and need to upgrade either the operating system or the ASDM. As you already have a high availability solution you do not want any downtime. Before we start, we need to make sure we know the difference between primary, secondary, active and standby. From the rear (Active=Green, Standby=Amber) The Primary and Secondary firewalls are...
Cisco ASA 5500 – Deny a Single IP Address External Access
KB ID 0000743 Problem This got asked on Experts Exchange today, the poster specifically asked for an ASDM solution, so here goes. However I will also do the commands as well. Solution Block an IP via ASDM 1. Connect to the ASDM > Configuration > Firewall > Add ‘Network Object’. Note: You could create a Network Object Group, then add a Network Object to that group. This is handy if there are liable to be more IP...
Cisco ASA 5500 Allowing Tracert
KB ID 0000753 Problem I’d always assumed that as Tracert uses ICMP, and that simply adding ICMP inspection on the ASA would let Tracert commands work. A client of mine is having some comms problems and wanted to test comms from his remote DR site, he had enabled time-exceeded and unreachable on the ASA (for inbound traffic) and that had worked. I checked the default inspection map and found inspect ICMP was there? As it turns...
Cisco ASA 5500 – VPN Works in One Direction
KB ID 0000759 Problem The title of this article can cover a multitude of possible causes, however I recently had a strange problem where a client with a remote site protected by an ASA5505 had a VPN tunnel connected to their main site which had an ASA5510. The tunnel established at phase 1, and phase 2, the main site could talk to the remote site, but the remote site refused to talk back to the main site. Update 23/04/19: Seen again...
ASA TFTP Error – (Cannot allocate memory)
KB ID 0000787 Problem I updated my ASA to version 9.1(1) tonight, that went well, but when I tried to update the ASDM image to version 7.1(1)-52 this happened; Accessing tftp://10.254.254.109/asdm-711-52.bin…!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!...
Cisco Firewall (ASA/PIX) – Granting Access to an FTP Server
KB ID 0000772 Problem If you have an FTP server, simply allowing the FTP traffic to it wont work. FTP (in both active and passive mode) uses some random high ports that would normally be blocked on the firewall. So by actively inspecting FTP the firewall will know what ports to open and close. Solution How you ‘allow’ access to the FTP server will depend on weather you have a public IP address spare or not, if you only...
Boot Cisco ASA From TFTP (Upgrade from ROMMON)
KB ID 0000792 Problem If your firewall wont boot, either because the OS is corrupt, or you have a faulty flash memory. You can get up and running by booting the device from a TFTP server instead. Solution Before you start make sure you have your TFTP server running and the operating system in its root folder. Install and Use a TFTP Server 1. Power on the firewall, during the boot phase press ESC to boot to ROMMOM mode. 2. The...
Cisco ASA 5500 – Configuring PPPoE
KB ID 0000831 Problem Until very recently I’d never had to configure PPPoE. Most of my clients in that sort of connection speed range have ADSL with a router provided by their ISP. A Router that connects via PPPoA usually. Here in the UK the main ISP’s (BT and Virgin) are busy rolling out FTTC connections that terminate with a ‘modem’ that presents an RJ45 socket. So without the need for a router, you can get...
Cisco ASA – Find Out VPN Tunnel Uptime
KB ID 0000863 Problem I needed to get the Uptime/Duration of a particular VPN tunnel this week. It was for a client with multiple VPN tunnels that was having problems with just one. Solution Option 1 via Command Line 1. Connect to to the firewall > Go to enable mode and use the following command, replace 123.123.123.123 with the IP of your VPN endpoint. PetesASA> PetesASA> enable Password: ******** PetesASA# show...
Cisco ASA 5505 Routing Between Two (Internal) VLANS
KB ID 0000869 Problem I had to set this up for a client this week, I’ve setup a DMZ on a 5505 before and I’ve setup other VLANs to do other jobs, e.g. visitor Internet access. But this client needed a secondary VLAN setting up for IP Phones. In addition I needed to route traffic between both the internal VLANs. I did an internet search and tried to find some configs I could reverse engineer, the few I found were old (Pre version 8.3)...