With other firewall vendors (e.g. Cisco) you can ping any interface you are ‘directly connected to’. With Fortigate however you cannot (by default). That’s not the end of the world, you can check connectivity using ARP (see below), which is what really cool network techs do instead! But if you want to be able to ping an interface (even for a short period of time), here’s how to do it.
Solution
Fundamentally, the reason you can’t ping a Fortigate interface is that ‘ping’ isn’t listed in the ‘allowaccess’ section for that interface.
Let’s fix that;
[box]
config system interface
edit {port-name}
set allowaccess {existing settings i.e. https http etc.} ping
end
[/box]
Using ARP to check connectivity
A lot of people assume that if you can’t ping something you are not connected to it; that’s not the case at all. If you ‘think’ something is on the same layer 2 network segment as you and you can’t ping it, look in the ARP cache on your machine (for Windows and Linux the command is arp -a).
Below: you can see the MAC address of that IP address, even though you cannot get a ping response!
However once ping is enabled, your ICMP responses will work fine.
Related Articles, References, Credits, or External Links
I had a client machine struggling to get a DHCP address, and when I looked in DHCP the scope was full of this;
BAD_ADDRESS This address Is Already in Use
Solution
A tour of Google and the forums turns up lots of posts by people with this problem, but other than ‘Oh I looked in the logs and fixed it’ (with no mention of what log, or where that log was), or ‘Yeah I used Wireshark and located a problem client’ with no follow-up on what they did or scanned for, there wasn’t much to go on. So I pretty much had to slog through and work it out for myself. I’ll detail each step I took below; most of them didn’t help, or sent me in the wrong direction, but one of them may be the solution for you.
And I will give you enough information to at least be helpful!
Firstly, common sense check: if this has just happened, what have you changed? Have you added any wireless controllers or access points? Have you deployed any new switches or firewalls? In my case it was my test network, so it could have been happening for months!
The most frequent cause of this error is simply that someone has set up another DHCP server on the network. That will be easy to diagnose; simply ‘Stop’ your DHCP server;
Then on a DHCP client, issue an ipconfig /release and ipconfig /renew. If it gets an IP address, issue an ipconfig /all and look for the IP of the DHCP server it’s using; that’s your culprit. However as you can see, mine didn’t get an IP address, so this wasn’t my problem.
The next most popular suggestion is to enable ‘Conflict Detection’, though in most places the information on where to find it is incorrect (it’s been copied and pasted around the forums without anyone actually checking it!) See below: you locate it in the properties of the Protocol, not the Server > Advanced tab. You are supposed to set it between 1 and 6, so I went for 5, (but after deleting all the BAD_ADDRESS entries they were all back after 30 minutes or so, so this didn’t work for me either).
Look in the logs: well, they were useless too. DHCP creates a new log every day in C:\Windows\System32\Dhcp called ‘DHCPSrvLog-DAY.log’; as you can see it was not helpful.
At this point I put my networking head on, and ‘thought outside the box’, If DHCP is detecting these as BAD ADDRESSES, then they must be in the arp cache on the DHCP server right? Well look at this;
[box]
arp -a
[/box]
Well that’s encouraging, at least now I’ve got a suspect MAC address. I looked that MAC address up online, and it came back as VMware (which sent me off in the wrong direction; in the end it was not a VMware virtual machine in my vSphere). I’ve got a decent Cisco switch so I thought I’d see which interface it was connected to, (but it wasn’t there).
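Both the ‘Using ARP to check connectivity’ section above and this step rely on reading the local ARP cache. The script below is an added example (my own code, not from the original article) that parses the two `arp -a` layouts the article mentions (Windows and Linux), tells you whether a host answered ARP regardless of whether it answers ping, and, given the list of BAD_ADDRESS IPs from the scope, reports which of them are actually alive on the segment along with the MAC vendor. The sample outputs are constructed, and the OUI table is deliberately tiny (the VMware prefixes only); anything else is left for a lookup in the IEEE registry.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output (not captured from the author's network) in the
# two layouts the article mentions: Windows "arp -a" and Linux "arp -a".
WINDOWS_ARP = """\
Interface: 192.168.100.3 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.1         00-0c-29-aa-bb-cc     dynamic
  192.168.100.107       00-50-56-11-22-33     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
"""

LINUX_ARP = """\
? (192.168.100.1) at 00:0c:29:aa:bb:cc [ether] on eth0
? (192.168.100.107) at <incomplete> on eth0
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
WINDOWS_RE = re.compile(
    r"^\s*(" + IP + r")\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)",
    re.IGNORECASE | re.MULTILINE)
LINUX_RE = re.compile(
    r"\((" + IP + r")\) at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)

# Partial OUI table: just the vendor prefixes the article ran into.
OUI_VENDORS = {"00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def normalise_mac(mac: str) -> str:
    """Windows prints aa-bb-cc-dd-ee-ff, Linux aa:bb:cc:dd:ee:ff; use one form."""
    return mac.lower().replace("-", ":")


def arp_entries(text: str) -> Dict[str, str]:
    """Return ip -> mac for every resolved entry in arp -a output.
    Linux entries marked <incomplete> are dropped: the kernel asked and
    nobody answered, so that host is not on the segment."""
    entries: Dict[str, str] = {}
    for ip, mac, _kind in WINDOWS_RE.findall(text):
        entries[ip] = normalise_mac(mac)
    for ip, mac in LINUX_RE.findall(text):
        entries[ip] = normalise_mac(mac)
    return entries


def on_segment(text: str, ip: str) -> bool:
    """True when the host answered ARP, whether or not it answers ping."""
    mac = arp_entries(text).get(ip)
    return mac is not None and mac != BROADCAST


def vendor(mac: str) -> str:
    prefix = normalise_mac(mac)[:8]
    return OUI_VENDORS.get(prefix, "unknown (look the prefix up in the IEEE OUI registry)")


def bad_address_hits(text: str, bad_ips: List[str]) -> Dict[str, Tuple[str, str]]:
    """For each BAD_ADDRESS IP from the DHCP scope, report (mac, vendor) if a
    live host is answering for it. Silent IPs are left out: nothing to hunt."""
    cache = arp_entries(text)
    hits = {}
    for ip in bad_ips:
        mac = cache.get(ip)
        if mac and mac != BROADCAST:
            hits[ip] = (mac, vendor(mac))
    return hits


if __name__ == "__main__":
    for ip, (mac, who) in bad_address_hits(WINDOWS_ARP, ["192.168.100.107", "192.168.100.200"]).items():
        print(f"{ip} is alive at {mac} ({who})")
```

Feed it the real `arp -a` output from the DHCP server and the BAD_ADDRESS list from the scope, and you get straight to the suspect MACs without eyeballing the cache.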
[box]
show mac address-table
[/box]
At this point I was still thinking it was a VMware virtual machine, so I used PowerCLI (that’s PowerShell for VMware) to query for that MAC address, but that revealed nothing.
So, my last hope was Wireshark, I fired it up on the DHCP server, and set the filter to;
[box]
bootp.option.type == 53
[/box]
Then I deleted all the BAD_ADDRESS entries, left Wireshark ‘sniffing’, and went for lunch. I returned to this (see below). Now 192.168.100.107 was one of the BAD_ADDRESS entries, and I did not know what it was. The other entries on there for 192.168.100.3 are understandable (that’s my DHCP server!) So now I had a Layer 3 address to hunt.
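The Wireshark filter above matches on DHCP option 53 (message type). What you actually read off the capture is which server identifier (option 54) is answering with OFFER/ACK, and any DECLINE messages, which is how a client tells the server that an address it was offered is already in use on the wire (one of the ways an address ends up marked BAD_ADDRESS). The code below is an added example, not part of the original article: a minimal DHCP option parser plus a check that flags any server identifier handing out leases that is not on your authorised list. The packets are constructed with `build_dhcp`, and the rogue address 192.168.100.250 is made up for the test.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set

DHCP_MAGIC = b"\x63\x82\x53\x63"           # RFC 2132 cookie that follows the 236-byte fixed header
OPT_MESSAGE_TYPE, OPT_SERVER_ID = 53, 54  # option 53 is what the Wireshark filter keys on
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(payload: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area. Pad (0) has no length byte; End (255) stops."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def summarise(payload: bytes) -> dict:
    """The fields you would read off the Wireshark packet list for this filter."""
    options = parse_options(payload)
    hlen = payload[2]                       # hardware address length (6 for Ethernet)
    msg = options.get(OPT_MESSAGE_TYPE, b"")
    server_id = options.get(OPT_SERVER_ID)
    return {
        "message_type": MESSAGE_TYPES.get(msg[0] if msg else 0, "UNKNOWN"),
        "client_mac": payload[28:28 + hlen].hex(":"),
        "offered_ip": str(IPv4Address(payload[16:20])),   # yiaddr
        "server_id": str(IPv4Address(server_id)) if server_id and len(server_id) == 4 else None,
    }


def rogue_servers(payloads: List[bytes], authorised: Set[str]) -> List[str]:
    """Server identifiers seen handing out leases (OFFER/ACK) that are not authorised."""
    seen = set()
    for payload in payloads:
        info = summarise(payload)
        if info["message_type"] in ("OFFER", "ACK") and info["server_id"] \
                and info["server_id"] not in authorised:
            seen.add(info["server_id"])
    return sorted(seen)


def build_dhcp(op: int, msg_type: int, yiaddr: str, client_mac: bytes,
               server_id: Optional[str] = None) -> bytes:
    """Constructed test packet (not a capture): fixed header plus options 53/54."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, 0x3903F326, 0, 0,
                         b"\x00" * 4, IPv4Address(yiaddr).packed, b"\x00" * 4, b"\x00" * 4,
                         client_mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    if server_id:
        options += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    return header + DHCP_MAGIC + options + b"\xff"


if __name__ == "__main__":
    mac = bytes.fromhex("0080a394e2de")
    capture = [
        build_dhcp(2, 2, "192.168.100.50", mac, "192.168.100.3"),    # OFFER from the real server
        build_dhcp(2, 2, "192.168.100.51", mac, "192.168.100.250"),  # OFFER from a constructed rogue
        build_dhcp(1, 4, "0.0.0.0", mac, "192.168.100.3"),           # client DECLINE: address in use
    ]
    for packet in capture:
        print(summarise(packet))
    print("unauthorised DHCP servers:", rogue_servers(capture, {"192.168.100.3"}))
```

In practice you would export the filtered capture from Wireshark and feed the UDP payloads to `summarise`; a DECLINE from a client names the MAC that found the conflict, and an OFFER from an address you don’t recognise is the second-DHCP-server case from earlier in this article.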
When I RDP connected to it, I got prompted for a password, so now I know it’s a Windows box! I hunted all through my VMware virtual machines, it was not there. Just as an afterthought I remembered I have a Hyper-V server, could that be running a virtual machine? BOOM! There is a SCVMM server, I was using for some Zerto testing a couple of months ago! Turned it off, problem solved!
Hope you find your culprit quicker than I did!
I networked some gear this afternoon, and I made a mental note of the ports I patched into on the switch. On the way back to the office I got side-tracked. By the time I got back to my desk I could not remember what port I had used, and I wanted to add a description to the port.
This is not my server room 🙂
So I knew the IP address but not the port number, how can you find that out?
Solution
1. My IP address is 192.168.1.141, let’s ping that from the switch.
[box]
Petes-Switch#ping 192.168.1.141
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.141, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/17 ms
Petes-Switch#
[/box]
2. Well I can ping it so, there must be an entry in my ARP cache, and I can find the MAC address for that IP.
[box]
Petes-Switch#show ip arp 192.168.1.141
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.141 5 0080.a394.e2de ARPA Vlan100
[/box]
3. Armed with the MAC address I can take a peek in the MAC Address table.
[box]
Petes-Switch#show mac address-table address 0080.a394.e2de
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
40 0080.a394.e2de DYNAMIC Gi0/40 <<Boom! there it is!
Total Mac Addresses for this criterion: 1
Petes-Switch#
[/box]
Note: I knew that my device was a single device plugged into a port, but if you don’t know this, there is a chance that the physical port you track down might just be the uplink to another switch that your device is plugged into (or, if you’re at the end of a long chain of switches, this is just the next step towards your device). If that is the case you would see several MAC addresses on that physical port, like so;
[box]
Petes-Switch#show mac address-table interface GigabitEthernet 0/48
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
40 6412.25ea.ca80 DYNAMIC Gi0/48
40 d072.dcac.becc DYNAMIC Gi0/48
120 6412.25ea.ca80 DYNAMIC Gi0/48
120 d072.dcac.becc DYNAMIC Gi0/48
122 6412.25ea.ca80 DYNAMIC Gi0/48
122 d072.dcac.becc DYNAMIC Gi0/48
121 6412.25ea.ca80 DYNAMIC Gi0/48
121 d072.dcac.becc DYNAMIC Gi0/48
Total Mac Addresses for this criterion: 8
Petes-Switch#
[/box]
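The three steps above (ping, `show ip arp`, `show mac address-table`) chain together mechanically, so here is an added example (my own code, not from the original article) that does the chaining over pasted switch output and also applies the note about uplinks: if the port the MAC lands on carries more than one MAC address, it is probably a trunk to another switch rather than the end device. The sample tables reuse the MACs and port names shown above; the 192.168.1.200 ARP entry is a constructed addition so that a host behind the Gi0/48 uplink can be traced.

```python
import re
from collections import defaultdict
from typing import Dict, Optional, Set

# Output in the layout shown in the article. 192.168.1.200 -> 6412.25ea.ca80 is
# a constructed entry to exercise the uplink case.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.141           5   0080.a394.e2de  ARPA   Vlan100
Internet  192.168.1.200           2   6412.25ea.ca80  ARPA   Vlan100
"""

SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  40    0080.a394.e2de    DYNAMIC     Gi0/40
  40    6412.25ea.ca80    DYNAMIC     Gi0/48
  40    d072.dcac.becc    DYNAMIC     Gi0/48
 120    6412.25ea.ca80    DYNAMIC     Gi0/48
 120    d072.dcac.becc    DYNAMIC     Gi0/48
Total Mac Addresses for this criterion: 5
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"   # Cisco dotted-hex form
ARP_RE = re.compile(r"^Internet\s+(" + IP + r")\s+\S+\s+(" + MAC + r")\s+ARPA",
                    re.MULTILINE | re.IGNORECASE)
MAC_RE = re.compile(r"^\s*(\d+)\s+(" + MAC + r")\s+(\w+)\s+(\S+)",
                    re.MULTILINE | re.IGNORECASE)


def arp_lookup(arp_output: str, ip: str) -> Optional[str]:
    """Step 2: IP -> MAC from 'show ip arp'. None if the switch never saw it."""
    for found_ip, mac in ARP_RE.findall(arp_output):
        if found_ip == ip:
            return mac.lower()
    return None


def macs_by_port(mac_output: str) -> Dict[str, Set[str]]:
    """Step 3: port -> set of MACs from 'show mac address-table'.
    The same MAC in several VLANs counts once, as it is one device."""
    table: Dict[str, Set[str]] = defaultdict(set)
    for _vlan, mac, _kind, port in MAC_RE.findall(mac_output):
        table[port].add(mac.lower())
    return table


def trace_ip(arp_output: str, mac_output: str, ip: str) -> dict:
    """Chain the lookups and flag ports that look like uplinks."""
    mac = arp_lookup(arp_output, ip)
    result = {"ip": ip, "mac": mac, "port": None, "macs_on_port": 0, "probably_uplink": False}
    if mac is None:
        return result                 # not in ARP: ping it first so the switch learns it
    for port, macs in macs_by_port(mac_output).items():
        if mac in macs:
            result["port"] = port
            result["macs_on_port"] = len(macs)
            result["probably_uplink"] = len(macs) > 1   # several devices behind one port
            break
    return result


if __name__ == "__main__":
    for target in ("192.168.1.141", "192.168.1.200", "192.168.1.9"):
        print(trace_ip(SHOW_IP_ARP, SHOW_MAC_TABLE, target))
```

When `probably_uplink` comes back true, the next move is to log on to whatever is plugged into that port and repeat the MAC table lookup there, exactly as the note above describes.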
Given the amount of ASA work I do it’s surprising that the first time I saw an ASA 5506-X was last week (I’ve been working on larger firewalls for a while). I’m probably going to have to do a few of these over the next couple of years so I’ll update this article as things surface.
Solution
Q: Can I just copy the config from an ASA 5505 to an ASA 5506-X?
A: No, though that would be nice. Truth be told, if the 5505 is running an OS newer than 8.3, about 90% of the config can be copied and pasted if you know what you are doing.
The ASA 5506 Interfaces are different.
Unlike its predecessor (and just about all other Cisco equipment), the interfaces start at number 1 (the 5505 starts at 0).
The 5506 Interfaces are the opposite way round (left to right).
The 5506 has IP addresses applied to its physical interfaces, whereas the 5505 had IP addresses applied to VLANs and then the physical interfaces were added to the appropriate VLAN. Note: the 5506 still supports VLANs (5, or 30 with a Security Plus license).*
*UPDATE: After version 9.7 this has changed (on the 5506-X). See the following article for an explanation;
So let’s say your 5505 has three interfaces called inside, outside, and DMZ, (yours might have different names, and you may only have two,) the relevant parts of the 5505 config would be;
VLAN Note: You might be wondering why no ports have been put into VLAN 1? By default all ports are in VLAN 1, So above, ports 0/1 and 0/3 to 0/7 are all in VLAN 1.
Outside IP Note: Yours may say ‘dhcp setroute’ if it does not have a static IP , that’s fine.
To convert that (assuming you are NOT going to use the BVI interface, see link above!);
If you use AnyConnect then prepare for a little hand wringing. The 5505 could support up to 25 SSLVPN connections. On a 5506 they are actually called AnyConnect now, and it supports up to 50.
There is no Essentials license for a 5506-X! Don’t bother looking, you need to get your head into AnyConnect 4 licensing, I’ve already written about that at length.
Q: Does this mean I can’t use my AnyConnect 3 (or earlier) packages in the new 5506?
A: Yes you can, but you will only get two connections, unless you purchase additional Apex/Plus licensing.
I’m working on the assumption that we are going to load in the AnyConnect 4 packages and use those. With that in mind if anyone manages to get them added to their Cisco profile without the ‘Additional Entitlement Required’ then contact me, and let me know how, (link at bottom). I have to ring Cisco and use my employers partner status to get the client software 🙁
In addition to getting new AnyConnect packages and loading them into the new 5506, if you have an AnyConnect XML profile that will also need copying onto the new firewall’s flash before you can paste the AnyConnect settings in.
Below you can see I’ve got a profile on my 5505.
Tools > File Transfer > File Transfer > Between Local PC and Flash. (Do the reverse to get the file(s) into the new 5506).
Note: You can also do this from CLI by copying the file to a TFTP server.
Below is a typical AnyConnect config from an ASA 5505, I’ve highlighted the lines that will cause you problems.
[box]
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
subnet 192.168.100.0 255.255.255.0
!
webvpn
enable outside
anyconnect-essentials <-REMOVE THIS IT'S OBSOLETE
anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1 <-REPLACE WITH ANYCONNECT 4
anyconnect image disk0:/anyconnect-macosx-i386-3.1.04063-k9.pkg 2 <-REPLACE WITH ANYCONNECT 4
anyconnect profiles SSL-VPN-POLICY disk0:/PeteNetLive-Profile.xml <-COPY OVER FIRST
anyconnect enable
tunnel-group-list enable
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
!
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
dns-server value 10.0.0.10 10.0.0.11
wins-server none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
split-tunnel-all-dns enable
webvpn
anyconnect profiles value SSL-VPN-POLICY type user
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET
OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!
[/box]
ASA Transferring Certificates From One ASA to Another
I appreciate a lot of you won’t be using certificates, and even if you use AnyConnect you just put up with the certificate error. That’s fine, but do me a favour? Before you do anything else, go and generate the RSA keys on your new 5506 (people forgetting to do this has caused me a LOT of grief over the years). So set the hostname, domain-name, and then generate the keys like so;
[box]
ciscoasa# configure terminal
ciscoasa(config)# hostname Petes-ASA
Petes-ASA(config)# domain-name petenetlive.com
Petes-ASA(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
Petes-ASA(config)#
[/box]
OK, so if you are still reading this section, then you have at least one certificate, that you need to move to the new firewall. For each scenario here’s what I recommend you do;
Self Signed Certificate from your own PKI / CA Server : Just generate a new cert for the new firewall and import it the same as you did on the old firewall
Externally / Publicly signed certificate that you have paid for: This we will need to export then import onto the new 5506. (Note: If there’s not much time left to run on the validity, it may be easier to get onto the certificate vendor and have a new one reissued to save you having to replace it in a couple of months – just a thought).
If you have purchased a certificate you will have already gone through the process below;
The easiest option for you is to go where you purchased the cert, download it again, and import it into the new firewall. But here’s where you find out you forgot the username and password you used, or the guy who sorted this out has left the company, etc. If that is the case all is not lost. You can export an identity certificate, either from the ASDM;
Cisco ASA Export Certificates From ASDM
Configuration > Device Management > Certificate Management > Identity Certificates > Select the certificate > Export > Choose a location and a ‘pass-phrase’.
Cisco ASA Export Certificates From Command Line.
To do the same at CLI the procedure is as follows;
[box]
Get Your Trustpoint(s) Names
Petes-ASA# show crypto ca trustpoints
Trustpoint ASDM_TrustPoint0:
Not authenticated.
Trustpoint PNL-Trustpoint-1:
Subject Name:
cn=PNL-DC-PROD-CA
dc=petenetlive
dc=com
Serial Number: 5ec427e4910fa2bf47e1269e7fdd7081
Certificate configured.
Then Export the Certificate(s) for that Trustpoint
Petes-ASA# configure terminal
Petes-ASA(config)# crypto ca export PNL-Trustpoint-1 pkcs12 Password123
Exported pkcs12 follows:
-----BEGIN PKCS12-----
MIISXwIBAzCCEhkGCSqGSIb3DQEHAaCCEgoEghIGMIISAjCCEf4GCSqGSIb3DQEH
BqCCEe8wghHrAgEAMIIR5AYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQId/f5
{{{{{{{LOTS OF OUTPUT REMOVED FOR THE SAKE OF BREVITY}}}}}}}}}}}
mLt/6QKDVig6ofxrnvP0tbh9Jmjwe4NkTsJUb+H+7JGvJoUsMD0wITAJBgUrDgMC
GgUABBRCPROoZsdSBfIpwVmvfSSoOxzNCAQUWJ/J9hTkuNd92u4Z3owgrrO3cYIC
AgQA
-----END PKCS12-----
Petes-ASA(config)#
[/box]
Cisco ASA Import Certificates From ASDM
Configuration > Device Management > Certificate Management > Identity Certificates > Add > Use the same Trustpoint name as the source firewall > Browse the file you exported earlier > Enter the passphrase > Add Certificate.
Cisco ASA Import Certificates From Command Line.
To do the same at CLI the procedure is as follows. Note: you need to paste in the text from the export output.
[box]
Petes-ASA# configure terminal
Petes-ASA(config)# crypto ca import PNL-Trustpoint-1 pkcs12 Password123
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
MIISXwIBAzCCEhkGCSqGSIb3DQEHAaCCEgoEghIGMIISAjCCEf4GCSqGSIb3DQEH
BqCCEe8wghHrAgEAMIIR5AYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQId/f5
{{{{{{{LOTS OF OUTPUT REMOVED FOR THE SAKE OF BREVITY}}}}}}}}}}}
mLt/6QKDVig6ofxrnvP0tbh9Jmjwe4NkTsJUb+H+7JGvJoUsMD0wITAJBgUrDgMC
GgUABBRCPROoZsdSBfIpwVmvfSSoOxzNCAQUWJ/J9hTkuNd92u4Z3owgrrO3cYIC
AgQA
-----END PKCS12-----
quit
INFO: Import PKCS12 operation completed successfully
Petes-ASA(config)#
[/box]
Assorted Firewall Migration ‘Gotchas’
Time (Clock Setting)
If you do any AAA via Kerberos or LDAP, then not having the time correct on the new ASA might get you locked out of it. I would always suggest setting up NTP so do that before you restart.
Not on the ASA, but on the devices the ASA is connecting to (routers and switches etc). Unplug an ASA 5505 and plug in an ASA 5506, and nine times out of ten you will not get comms. This is because the device you are connecting to has cached the MAC address of the old firewall in its ARP cache. So either reboot the device, (or if that’s not practical, lower the ARP cache timeout to about 30 seconds).
ASA 5505 to 5506 Config To Copy And Paste
Below I’ll put a full config for an ASA 5505. If the text is normal, the commands can be copied and pasted directly into the new firewall. If the text is RED, then you can NOT, and I will have outlined the problems above.