Cisco ASA – View The Contents of an Object and Object-Group
KB ID 0001043 Problem My colleague loves the ASDM, I put up with it and prefer command line. We were troubleshooting a problem the other day and he said, there this is why I prefer the ASDM, just ‘hover’ over an object-group and it will show you the contents of it. Now if (like my test firewall above) you only have a few hosts, then I don’t see the point, but if you have a very complicated config with hundreds of...
Cisco ASA – Disable SSLv3 (Force TLSv1.0) – Mitigate POODLE
KB ID 0001052 Problem By default the Cisco ASA will allow connection via SSLv3. The POODLE exploit works by forcing SSL to fall back to SSLv3 and then decrypting that communication. However you are still not completely protected as per this Threat Validation, so the ASA platform can still be attacked via TLSv1.0. Note: At time of writing TLSv1.2 is not supported, but it is on the road-map for version 9.3(2). So this procedure will not...
Cisco ASA ASDM – Packet Tracer Wont Work
KB ID 0001051 Problem I don’t usually use the graphical packet tracer tool, but I did this week, and this happened; Following error(s) occurred- packet-tracer input inside {protocol} inline-tag -l {source} {source port} {target} {target port} xml %Invalid input detected at ‘^’ marker Solution Well from CLI it worked fine, so I’m guessing it’s a fault in the ASDM. An Internet/forum search threw up a load...
Cisco ASA 5500 – Performing NAT for Two (or More) internal IP’s to a Spare Public IP
KB ID 0001057 Problem I was in the PIX/ASA area at EE last night, and a poster asked if they could perform NAT on a couple of internal IP addresses to a spare public IP that they had. I had done this for a client some time last year when I performed and upgrade from 8.2. Anyone who has ever done a large upgrade on an ASA to the ‘new’ NAT system, will appreciate this is usually the area where the upgrade has a problem. So...
Cisco ASA 5500 – Sub Interfaces and VLANS
KB ID 0001085 Problem You can take the physical interface of a Cisco ASA firewall, (or an ether channel) and split it down into further sub-interfaces. This way you can set multiple VLANs to use this interface as a gateway at the same time whilst still separating the traffic. In this scenario I’m going to have two VLANs, one for my wired clients, and one for a ‘Guest WiFi’ that I’m setting up. I want the guest...