Cisco ASA Redundant or Backup ISP Links with VPNs
Nov17

KB ID 0000544 Problem This method provides failover to a redundant ISP link should your primary network connection go down. IT IS NOT going to load balance the traffic across both interfaces. In this example I’ve also got a VPN to a remote site and some port forwarding to contend with as well. Where we are at the start. Where we want to be. Solution Before you go any further, the ASA that will have the backup ISP line,...

Cisco ASA 5500 – Reset / Recycle VPN Tunnels
Nov17

KB ID 0000586 Problem I’ve been asked this before and it came up on EE today: basically you have a site-to-site VPN tunnel and you either want to restart it or reset it. Solution Cisco ASA Reset ALL VPN Tunnels 1. Connect to your ASA, then to reset ALL your ISAKMP VPN tunnels use the following command: clear crypto isakmp sa. In the example below I’ve reset ALL my tunnels. I had a constant ping running across the VPN, and...

Cisco ASA – Enrolling for Certificates with NDES
Nov17

KB ID 0000948 Problem To get your ASA 5500 firewall to enroll and obtain a certificate from a Windows Server running NDES, this is the procedure you need to follow. Solution When dealing with certificates, it’s important that your firewall is keeping the correct time. You can set this manually, but I’d recommend setting up NTP. Cisco ASA – Configuring for NTP 1. Make sure the firewall can contact the NDES...

Cisco ASA – Global Access Lists
Nov17

KB ID 0001019 Problem I’ve been working for a client that has a large firewall deployment, and they have twelve switches in their six DMZs. I wanted to take a backup of these switches (and all the other network devices). While I was bemoaning the number of ACLs that I would need to allow TFTP in from (note: that’s UDP port 69, if you are interested), my colleague said “Why not use a global ACL?”,...

Cisco ASA – Changing the Outside IP Address
Nov17

KB ID 0001081 Problem I see this question get asked a lot on forums; most people never touch the firewall, ‘if it’s working leave it alone’. And that’s great until you move offices, or get a newer, faster (or cheaper) Internet connection. What if you have lots of public IP addresses? What if you have VPNs (or AnyConnect clients)? What’s the best way to do this with a minimum of downtime? Note: If...
