Packet-Tracer Fails Subtype: rpf-check Result: DROP
KB ID 000904 Problem I love packet-tracer, I use it a lot, especially when I’ve been told that the firewall I’ve installed is stopping a particular port. I had set up a simple port forward the other day, and when I went to check it with packet-tracer this happened. Petes-ASA# packet-tracer input outside tcp 123.123.123.123 443 192.168.1.10 443 <——-Output removed——–> Phase: 7 Type: NAT...
Cisco ASA – I Cannot Ping External Addresses? (Troubleshooting ICMP)
KB ID 0000914 Problem Considering we use ICMP to test connectivity, the fact that it is not a stateful protocol can be a major pain! Last week one of my colleagues rang me up and said, “Can you jump on this firewall, I’ve got no comms, and I can’t ping external IP addresses. I can ping the internet from the firewall and I can ping internal IP addresses from the firewall”. Solution 1. Before we start, let’s get the basics...
Cisco ASA 5500 – Throttling (Rate Limiting) Traffic
KB ID 0001001 Problem If you have one client that’s taking all your bandwidth, or a server that’s getting a lot of connections from external IP addresses, and that’s causing you performance problems, you can ‘throttle’ traffic from/to that client by ‘policing’ its traffic. Solution To demonstrate, I have a 30Mb connection at home, when I run a test on the download connection speed from my...
Cisco ASA 5585-X Port Numbering
KB ID 0001004 Problem Back at the beginning of the year I had to do a firewall design that included an ASA5585-X, I did some searching to find out how the ports were numbered but came up blank. So I took an (incorrect) educated guess. I unboxed and fired one up today, and ran through the port numbering and orientation, and discovered the correct numbering. Solution Note: This ASA5585-X also has a CX module fitted. The bottom...
ASA 5585-X Update the CX SSP Module
KB ID 0001005 Problem Every piece of documentation I found on upgrading CX SSP modules was for doing so on models other than the ASA5585-X. The (current) latest CLI guide says; “For the ASA 5585-X hardware module, you must install or upgrade your image from within the ASA CX module. See the ASA CX module documentation for more information.” Yeah good luck finding that! Solution Before I saw the information above I tried...