Cisco ASA 5500 – Adding New ‘Different Range’ Public IP Addresses
KB ID 0001006 Problem I got an email at work yesterday; “Hello Pete, I have asked our ISP to give us two additional real IP addresses so that we can progress the following two projects: (1) Microsoft DirectAccess; (2) Publishing documents to a web server from our internal DMS. {ISP Name} have come back and said that they don’t have the next available numbers in our current IP address range, but they do have two other numbers we could...
Configure Your Firewall for SNMP
KB ID 0001034 Problem Had a requirement to let SNMP traffic through a firewall this week. I have a client that has both SolarWinds and SCOM, and they need to monitor the external Citrix ADC load balancers. For SNMP we simply need UDP ports 161 (polling) and 162 (traps) (see below), but SolarWinds maintains ‘ping’ connectivity to the monitored assets, so ICMP also needs to be open. Inbound Ports / Outbound Ports. Solution As my ‘weapon of...
Cisco ASA – ‘access-group’ Warning
KB ID 0001035 Problem I’ve been writing Cisco ASA walkthroughs for years, and littered all over PeteNetLive you will see me warning readers every time I use access-group commands. So I’ve finally got round to putting this article up so I can reference it in future. What is an Access-Group command? You use an access-group command to apply an access-list to an interface, in a particular direction (in or out). Although I...
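The two excerpts above (the SNMP/ICMP firewall rules and the access-group warning) share one practical point: on an ASA only one access-list can be bound to an interface in a given direction, so a fresh ‘access-group’ command for an interface that already has one replaces the old binding rather than adding to it. The configuration below is an added example written for this page, not taken from either KB article. The interface names, ACL names, object-group names and addresses (192.0.2.50 for the monitoring server, 203.0.113.10/11 for the Citrix ADC load balancers) are assumptions for illustration; it uses ASA 8.3+ syntax, where ACLs reference real (pre-NAT) addresses.

```cisco
! Added example, not from the original KB articles. ASA 8.3+ syntax.
! Assumed for illustration:
!   inside : 192.0.2.50 = SolarWinds / SCOM monitoring server
!   outside: 203.0.113.10 and .11 = Citrix ADC load balancers
!
! 1. CHECK FIRST: see which ACL (if any) is already bound to each interface.
!    An ASA allows exactly one ACL per interface per direction, so a new
!    'access-group' line for the same interface and direction REPLACES the
!    existing binding; every rule in the old ACL stops applying.
show running-config access-group
! assumed output on this box:
!   access-group outside_access_in in interface outside

! 2. Put the SNMP (UDP/161 poll, UDP/162 trap) and ICMP rules into objects,
!    then append them to the ACL that is ALREADY bound on 'outside'.
object-group network ADC-LOAD-BALANCERS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
object-group service SNMP-PORTS udp
 port-object eq 161
 port-object eq 162

! Traps originate from the ADCs and arrive inbound on 'outside':
! appended to the existing ACL, so nothing currently permitted is lost.
access-list outside_access_in extended permit udp object-group ADC-LOAD-BALANCERS host 192.0.2.50 eq 162

! Polls and pings leave from the inside. They are only blocked if an ACL is
! bound inbound on 'inside'; this one permits just what monitoring needs.
access-list inside_access_in extended permit udp host 192.0.2.50 object-group ADC-LOAD-BALANCERS object-group SNMP-PORTS
access-list inside_access_in extended permit icmp host 192.0.2.50 object-group ADC-LOAD-BALANCERS echo

! 3. Bind with 'access-group' ONLY where nothing is bound yet (here: inside).
!    For 'outside' we appended to the existing ACL in step 2, so no new
!    access-group command is issued for it.
access-group inside_access_in in interface inside

! 4. Make ICMP stateful so the echo-replies come back without a separate
!    rule on 'outside'.
policy-map global_policy
 class inspection_default
  inspect icmp

! WRONG (the warning in the excerpt above): this would silently unbind
! outside_access_in and leave only the SNMP rules applied on 'outside'.
! access-group SNMP-ONLY in interface outside
```

After applying, ‘show access-list outside_access_in’ should still list the original entries plus the new SNMP line, and the hit counts on the new entries should climb as the monitoring server polls. If the hit counts stay at zero and polling still works, the traffic is matching a broader existing rule and the new lines are redundant.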
Cisco ASA 5500 – Performing NAT for Two (or More) internal IP’s to a Spare Public IP
KB ID 0001057 Problem I was in the PIX/ASA area at EE last night, and a poster asked if they could perform NAT on a couple of internal IP addresses to a spare public IP that they had. I had done this for a client some time last year when I performed an upgrade from 8.2. Anyone who has ever done a large upgrade on an ASA to the ‘new’ NAT system will appreciate this is usually the area where the upgrade has a problem. So...
Cisco ASA – Changing the Outside IP Address
KB ID 0001081 Problem I see this question get asked a lot on forums; most people never touch the firewall, ‘if it’s working leave it alone’. And that’s great until you move offices, or get a newer, faster (or cheaper) Internet connection. What if you have lots of public IP addresses? What if you have VPNs (or AnyConnect clients)? What’s the best way to do this with a minimum of downtime? Note: If...