Cisco ASA 5500 – Deny a Single IP Address External Access
KB ID 0000743 Problem This got asked on Experts Exchange today, the poster specifically asked for an ASDM solution, so here goes. However I will also do the commands as well. Solution Block an IP via ASDM 1. Connect to the ASDM > Configuration > Firewall > Add ‘Network Object’. Note: You could create a Network Object Group, then add a Network Object to that group. This is handy if there are liable to be more IP...
Cisco ASA 5500 Allowing Tracert
KB ID 0000753 Problem I’d always assumed that as Tracert uses ICMP, and that simply adding ICMP inspection on the ASA would let Tracert commands work. A client of mine is having some comms problems and wanted to test comms from his remote DR site, he had enabled time-exceeded and unreachable on the ASA (for inbound traffic) and that had worked. I checked the default inspection map and found inspect ICMP was there? As it turns...
Cisco ASA 5500 – Throttling (Rate Limiting) Traffic
KB ID 0001001 Problem If you have one client that’s taking all your bandwidth, or a server that’s getting a lot of connections from external IP addresses, and that’s causing you performance problems, you can ‘throttle’ traffic from/to that client by ‘policing’ its traffic. Solution To demonstrate, I have a 30Mb connection at home, when I run a test on the download connection speed from my...
Cisco ASA – Global Access Lists
KB ID 0001019 Problem I’ve been working for a client that has a large firewall deployment, and they have twelve switches in their six DMZ’s. I wanted to take a backup of these switches (and all the other network devices). While I was bemoaning the amount of ACL’s that I would need to allow TFTP in from, (note: that’s UDP port 69 if you are interested). My colleague said “Why not use a global ACL?”,...
Configure Your Firewall for SNMP
KB ID 0001034 Problem Had a requirement to let SNMP traffic though a firewall this week, I have a client that has both SolarWinds and SCOM, and they need to monitor the external Citrix ADC load balancers. For SNMP we simply need UDP ports 161 and 162 (See below) but SolarWinds maintains ‘ping’ connectivity to the monitored assets, so ICMP also needs to be open. Inbound Ports Outbound Ports Solution As my ‘weapon of...