Cisco ASA – Global Access Lists
KB ID 0001019 Problem I’ve been working for a client that has a large firewall deployment, and they have twelve switches in their six DMZ’s. I wanted to take a backup of these switches (and all the other network devices). While I was bemoaning the amount of ACL’s that I would need to allow TFTP in from, (note: that’s UDP port 69 if you are interested). My colleague said “Why not use a global ACL?”,...
Configure Your Firewall for SNMP
KB ID 0001034 Problem Had a requirement to let SNMP traffic though a firewall this week, I have a client that has both SolarWinds and SCOM, and they need to monitor the external Citrix ADC load balancers. For SNMP we simply need UDP ports 161 and 162 (See below) but SolarWinds maintains ‘ping’ connectivity to the monitored assets, so ICMP also needs to be open. Inbound Ports Outbound Ports Solution As my ‘weapon of...
Cisco ASA – ‘access-group’ Warning
KB ID 0001035 Problem I’ve been writing Cisco ASA walkthroughs for years, and littered all over PeteNetLive you will see me warning readers every time I use access-group commands. So I’ve finally got round to putting this article up so I can reference it in future. What is an Access-Group command? You use an access-group command to apply an access-list to an interface, in a particular direction (in or out). Although I...
Cisco ASA – Changing the Outside IP Address
KB ID 0001081 Problem I see this question get asked a lot on forums, most people never touch the firewall, ‘if it’s working leave it alone’. And that’s great until you move offices, or get a newer faster (or cheaper) Internet connection. What if you have lots of public IP addresses? What if you have VPN’s (or AnyConnect clients). What’s the best way to do this with a minimum of downtime? Note: If...
Cisco ASA 5500 – Sub Interfaces and VLANS
KB ID 0001085 Problem You can take the physical interface of a Cisco ASA firewall, (or an ether channel) and split it down into further sub-interfaces. This way you can set multiple VLANs to use this interface as a gateway at the same time whilst still separating the traffic. In this scenario I’m going to have two VLANs, one for my wired clients, and one for a ‘Guest WiFi’ that I’m setting up. I want the guest...