Cisco ASA 5500 Allowing Tracert
KB ID 0000753 Problem I’d always assumed that as Tracert uses ICMP, and that simply adding ICMP inspection on the ASA would let Tracert commands work. A client of mine is having some comms problems and wanted to test comms from his remote DR site, he had enabled time-exceeded and unreachable on the ASA (for inbound traffic) and that had worked. I checked the default inspection map and found inspect ICMP was there? As it turns...
Cisco ASA 5500 – VPN Works in One Direction
KB ID 0000759 Problem The title of this article can cover a multitude of possible causes, however I recently had a strange problem where a client with a remote site protected by an ASA5505 had a VPN tunnel connected to their main site which had an ASA5510. The tunnel established at phase 1, and phase 2, the main site could talk to the remote site, but the remote site refused to talk back to the main site. Update 23/04/19: Seen again...
Cisco Firewall (ASA/PIX) – Granting Access to an FTP Server
KB ID 0000772 Problem If you have an FTP server, simply allowing the FTP traffic to it wont work. FTP (in both active and passive mode) uses some random high ports that would normally be blocked on the firewall. So by actively inspecting FTP the firewall will know what ports to open and close. Solution How you ‘allow’ access to the FTP server will depend on weather you have a public IP address spare or not, if you only...
Cisco ASA – Find Out VPN Tunnel Uptime
KB ID 0000863 Problem I needed to get the Uptime/Duration of a particular VPN tunnel this week. It was for a client with multiple VPN tunnels that was having problems with just one. Solution Option 1 via Command Line 1. Connect to to the firewall > Go to enable mode and use the following command, replace 123.123.123.123 with the IP of your VPN endpoint. PetesASA> PetesASA> enable Password: ******** PetesASA# show...
Cisco ASA 5505 Routing Between Two (Internal) VLANS
KB ID 0000869 Problem I had to set this up for a client this week, I’ve setup a DMZ on a 5505 before and I’ve setup other VLANs to do other jobs, e.g. visitor Internet access. But this client needed a secondary VLAN setting up for IP Phones. In addition I needed to route traffic between both the internal VLANs. I did an internet search and tried to find some configs I could reverse engineer, the few I found were old (Pre version 8.3)...