Cisco ASA 5500 – Deny a Single IP Address External Access
KB ID 0000743 Problem This got asked on Experts Exchange today, the poster specifically asked for an ASDM solution, so here goes. However I will also do the commands as well. Solution Block an IP via ASDM 1. Connect to the ASDM > Configuration > Firewall > Add ‘Network Object’. Note: You could create a Network Object Group, then add a Network Object to that group. This is handy if there are liable to be more IP...
Cisco ASA 5500 Allowing Tracert
KB ID 0000753 Problem I’d always assumed that as Tracert uses ICMP, and that simply adding ICMP inspection on the ASA would let Tracert commands work. A client of mine is having some comms problems and wanted to test comms from his remote DR site, he had enabled time-exceeded and unreachable on the ASA (for inbound traffic) and that had worked. I checked the default inspection map and found inspect ICMP was there? As it turns...
Configure Your Firewall for SNMP
KB ID 0001034 Problem Had a requirement to let SNMP traffic though a firewall this week, I have a client that has both SolarWinds and SCOM, and they need to monitor the external Citrix ADC load balancers. For SNMP we simply need UDP ports 161 and 162 (See below) but SolarWinds maintains ‘ping’ connectivity to the monitored assets, so ICMP also needs to be open. Inbound Ports Outbound Ports Solution As my ‘weapon of...
Cisco ASA – ‘access-group’ Warning
KB ID 0001035 Problem I’ve been writing Cisco ASA walkthroughs for years, and littered all over PeteNetLive you will see me warning readers every time I use access-group commands. So I’ve finally got round to putting this article up so I can reference it in future. What is an Access-Group command? You use an access-group command to apply an access-list to an interface, in a particular direction (in or out). Although I...