Cisco ASA – Enrolling for Certificates with NDES
Nov17

KB ID 0000948
Problem: To get your ASA 5500 firewall to enroll and obtain a certificate from a Windows Server running NDES, this is the procedure you need to follow.
Solution: When dealing with certificates, it’s important that your firewall is maintaining the correct time. You can set this manually, but I’d recommend setting up NTP (see Cisco ASA – Configuring for NTP). 1. Make sure the firewall can contact the NDES...

Cisco ASA 5500 – Throttling (Rate Limiting) Traffic
Nov17

KB ID 0001001
Problem: If you have one client that’s taking all your bandwidth, or a server that’s getting a lot of connections from external IP addresses, and that’s causing you performance problems, you can ‘throttle’ traffic from/to that client by ‘policing’ its traffic.
Solution: To demonstrate, I have a 30Mb connection at home; when I run a test on the download connection speed from my...


Cisco ASA 5585-X Port Numbering

KB ID 0001004
Problem: Back at the beginning of the year I had to do a firewall design that included an ASA5585-X. I did some searching to find out how the ports were numbered but came up blank, so I took an (incorrect) educated guess. I unboxed and fired one up today, ran through the port numbering and orientation, and discovered the correct numbering.
Solution: Note: This ASA5585-X also has a CX module fitted. The bottom...

ASA 5585-X Update the CX SSP Module
Nov17

KB ID 0001005
Problem: Every piece of documentation I found on upgrading CX SSP modules was for doing so on models other than the ASA5585-X. The (current) latest CLI guide says: “For the ASA 5585-X hardware module, you must install or upgrade your image from within the ASA CX module. See the ASA CX module documentation for more information.” Yeah, good luck finding that!
Solution: Before I saw the information above I tried...

Cisco ASA – Global Access Lists
Nov17

KB ID 0001019
Problem: I’ve been working for a client that has a large firewall deployment, and they have twelve switches in their six DMZs. I wanted to take a backup of these switches (and all the other network devices). While I was bemoaning the number of ACLs that I would need to allow TFTP in from (note: that’s UDP port 69 if you are interested), my colleague said “Why not use a global ACL?”,...

Cisco ASA 5500 – Adding New ‘Different Range’ Public IP Addresses
Nov17

KB ID 0001006
Problem: I got an email at work yesterday: “Hello Pete, I have asked our ISP to give us two additional real IP addresses so that we can progress the following two projects: Microsoft DirectAccess; publishing documents to a web server from our internal DMS. {ISP Name} have come back and said that they don’t have the next available numbers in our current IP address range, but they do have two other numbers we could...

ASA Upgrading and Imaging a Hardware CX Module
Nov17

KB ID 0001025
Problem: Last time I had to do one of these the process was very straightforward: one command and the ASA got its new image from FTP, extracted it, and then installed it. I had a CX module fail last week, and Cisco shipped me out a replacement. After installing it and running the setup, I needed to upgrade it (it will be managed by PRSM). It was running version 9.0.2 (probably been on the shelf a while!). And every time...

Configure Your Firewall for SNMP
Nov17

KB ID 0001034
Problem: Had a requirement to let SNMP traffic through a firewall this week. I have a client that has both SolarWinds and SCOM, and they need to monitor the external Citrix ADC load balancers. For SNMP we simply need UDP ports 161 and 162 (see below), but SolarWinds maintains ‘ping’ connectivity to the monitored assets, so ICMP also needs to be open. [Table: Inbound Ports / Outbound Ports]
Solution: As my ‘weapon of...

Cisco ASA – ‘access-group’ Warning
Nov17

KB ID 0001035
Problem: I’ve been writing Cisco ASA walkthroughs for years, and littered all over PeteNetLive you will see me warning readers every time I use access-group commands. So I’ve finally got round to putting this article up so I can reference it in future.
What is an Access-Group command? You use an access-group command to apply an access-list to an interface, in a particular direction (in or out). Although I...

Cisco ASA – Policy NAT
Nov17

KB ID 0001042
Problem: I’ve been working on a large firewall deployment for a client; each of their DMZs has both a production and a management network. Nothing particularly strange about that, but each of their DMZs has its own firewalled management network and it’s routable from the LAN. So if I’m an admin and I want to talk to a Linux appliance in their DMZ via its management interface, my traffic...
