Boot Cisco ASA From TFTP (Upgrade from ROMMON)
KB ID 0000792 Problem If your firewall won't boot, either because the OS image is corrupt or the flash memory is faulty, you can get it up and running by booting the device from a TFTP server instead. Solution Before you start, make sure you have your TFTP server running and the operating system image in its root folder. Install and Use a TFTP Server 1. Power on the firewall; during the boot phase press ESC to drop into ROMMON mode. 2. The...
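The following is an added example and not the article's own steps (the remaining steps of the article are cut off above): the ROMMON variables and TFTP download on a 5500-series ASA, followed by what is needed to make the recovery permanent. The addresses, the image filename asa-image.bin and the boot port Ethernet0/0 are assumptions; lines beginning with ! are annotations, not commands.

```cisco
! --- In ROMMON (after pressing ESC during boot) ---
! Assumed values: firewall 192.168.1.1, TFTP server 192.168.1.10,
! image asa-image.bin in the TFTP root, Ethernet0/0 as the boot port.
rommon #0> ADDRESS=192.168.1.1
rommon #1> SERVER=192.168.1.10
rommon #2> GATEWAY=192.168.1.10
rommon #3> PORT=Ethernet0/0
rommon #4> IMAGE=asa-image.bin
! Review the variables, then save them so a failed attempt can be retried
rommon #5> set
rommon #6> sync
! Pull the image over TFTP into RAM and boot it
rommon #7> tftpdnld

! --- Once the ASA is up it is running from RAM; nothing has been written to flash ---
! Copy the image to flash, check its hash, and point the boot variable at it.
ciscoasa# copy tftp://192.168.1.10/asa-image.bin disk0:/asa-image.bin
ciscoasa# verify /md5 disk0:/asa-image.bin
ciscoasa# configure terminal
ciscoasa(config)# boot system disk0:/asa-image.bin
ciscoasa(config)# end
ciscoasa# write memory
```

TFTP is unauthenticated and unencrypted, so compare the hash printed by verify /md5 against the one published for the image before trusting the box in production. A tftpdnld boot is RAM-only: reloading without the copy and boot system steps lands you back in ROMMON, and if the copy to disk0: itself fails, the faulty flash is the real problem.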
Cisco ASA – Find Out VPN Tunnel Uptime
KB ID 0000863 Problem I needed to get the uptime/duration of a particular VPN tunnel this week. It was for a client with multiple VPN tunnels who was having problems with just one. Solution Option 1 via Command Line 1. Connect to the firewall > Go to enable mode and use the following command, replacing 123.123.123.123 with the IP of your VPN endpoint. PetesASA> PetesASA> enable Password: ******** PetesASA# show...
Cisco ASA 5505 Routing Between Two (Internal) VLANS
KB ID 0000869 Problem I had to set this up for a client this week. I've set up a DMZ on a 5505 before, and I've set up other VLANs to do other jobs, e.g. visitor Internet access, but this client needed a secondary VLAN set up for IP phones. In addition I needed to route traffic between both internal VLANs. I did an internet search and tried to find some configs I could reverse engineer; the few I found were old (pre version 8.3)...
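An added example, not the article's configuration (which is not reproduced above): a second internal VLAN on a 5505 running 8.3 or later, with traffic allowed between it and the existing inside VLAN. The VLAN numbers, addresses, interface names and the switch port are assumptions.

```cisco
! Assumed: Vlan1 is the existing inside network (192.168.1.0/24);
! Vlan3 will carry the IP phones on 192.168.3.0/24 via switch port Ethernet0/5.
interface Vlan3
 ! Base licence only: the third VLAN may not initiate traffic to one other VLAN,
 ! and this line must come before nameif. Omit it with the Security Plus licence,
 ! where both directions can be routed freely.
 no forward interface Vlan1
 nameif phones
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/5
 switchport access vlan 3
 no shutdown
!
! Both VLANs sit at security-level 100; without this line the ASA drops
! traffic between equal-security interfaces regardless of any ACL.
same-security-traffic permit inter-interface
!
! Post-8.3 NAT is per interface pair, so the existing inside->outside PAT
! never touches inside<->phones traffic (no NAT exemption needed).
! Give the new VLAN its own PAT so the phones can reach the Internet.
object network phones-net
 subnet 192.168.3.0 255.255.255.0
 nat (phones,outside) dynamic interface
```

Check the result with packet-tracer in both directions (input inside to a phone address, then input phones to an inside address): on a base-licence 5505 the phones-to-inside test will fail by design because of the no forward line, so decide which VLAN must be able to initiate before choosing where to put it.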
Packet-Tracer Fails Subtype: rpf-check Result: DROP
KB ID 000904 Problem I love packet-tracer, I use it a lot, especially when I’ve been told that the firewall I’ve installed is stopping a particular port. I had set up a simple port forward the other day, and when I went to check it with packet-tracer this happened. Petes-ASA# packet-tracer input outside tcp 123.123.123.123 443 192.168.1.10 443 <——-Output removed——–> Phase: 7 Type: NAT...
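As an added example, not the article's own findings (its output is cut off above): a post-8.3 static port forward for 192.168.1.10:443 and a packet-tracer run against it. The outside address 203.0.113.5, the test source 198.51.100.7 and the access-list name are assumptions. One common cause of an rpf-check drop on a test like the one above is pointing packet-tracer at the real (inside) address rather than the mapped (outside) one: since 8.3 the ACL refers to the real address, but packets from the Internet still arrive addressed to the outside interface.

```cisco
! Port forward: <outside interface>:443 -> 192.168.1.10:443
object network web-server
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 443 443
!
! Post-8.3: the inbound ACL references the REAL address, not the mapped one
access-list outside_access_in extended permit tcp any object web-server eq 443
access-group outside_access_in in interface outside
!
! Test it with what an Internet host would actually send: destination = the
! outside interface address (assumed 203.0.113.5), ephemeral source port.
! Using 192.168.1.10 as the destination from outside can fail at NAT/rpf-check.
Petes-ASA# packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.5 443
!
! Cross-checks if it still drops
Petes-ASA# show nat detail
Petes-ASA# show xlate | include 192.168.1.10
Petes-ASA# show run access-group
```

show nat detail shows whether the static rule exists and its hit counters; show run access-group confirms the ACL is actually bound to the outside interface, which is the other thing that commonly goes missing on a "simple" port forward.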
Cisco ASA – I Cannot Ping External Addresses? (Troubleshooting ICMP)
KB ID 0000914 Problem Considering we use ICMP to test connectivity, the fact that it is not a stateful protocol can be a major pain! Last week one of my colleagues rang me up and said, "Can you jump on this firewall, I've got no comms, and I can't ping external IP addresses. I can ping the internet from the firewall and I can ping internal IP addresses from the firewall". Solution 1. Before we start, let's get the basics...
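Added example, not from the article (which is cut off before its steps). Because ICMP has no connection for the ASA to match a reply against, echo replies coming back through the firewall are dropped unless ICMP inspection is enabled. The policy-map and class names below are the ASA defaults; the hostname is an assumption.

```cisco
! First confirm what is in place
ciscoasa# show run policy-map
ciscoasa# show service-policy inspect icmp
!
! Enable stateful ICMP inspection in the default global policy. Echo replies,
! and ICMP errors (unreachable, TTL exceeded) tied to an existing connection,
! are matched to the outbound request and allowed back in.
ciscoasa# configure terminal
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# inspect icmp error
ciscoasa(config-pmap-c)# end
ciscoasa# write memory
!
! Verify: ping an external address from an inside host, then look for the
! temporary ICMP connection the inspection created
ciscoasa# show conn | include ICMP
```

The stateless alternative, permitting icmp any any echo-reply on the outside access-list, also makes pings work but lets any external host send echo replies inward at any time, so inspection is the better choice. Note also that icmp permit any outside only governs pings to the firewall's own interfaces, which is why being able to ping the Internet from the ASA itself says nothing about whether pings will pass through it.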