23. June 2013 · MicroNugget – ASA VPN Connection Profiles · Categories: Cisco

04. June 2013 · DNS dropped because packets too big for configured 512? · Categories: Cisco


You can safely increase the maximum DNS packet length to 1500; 512 is the default:

fixup protocol dns maximum-length 1500

Background on fixup protocol dns

Use the fixup protocol dns command to specify the maximum DNS packet length. DNS requires application inspection so that DNS queries are not subject to the generic UDP handling based on activity timeouts. Instead, UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received.

The port assignment for the Domain Name System (DNS) is not configurable.

Set the maximum length for the DNS fixup as shown in the following example:

pixfirewall(config)# fixup protocol dns maximum-length 1500

pixfirewall(config)# show fixup protocol dns

fixup protocol dns maximum length 1500

17. November 2012 · Cisco ASA 5500 Dual ISP Connection [Failback] · Categories: Cisco

Starting from version 7.2(1), the Cisco ASA 5500 series firewall supports Dual-ISP operation. You can connect two interfaces of the firewall to two different ISPs and use the “SLA Monitor” feature (SLA=Service Level Monitoring) to monitor the link to the primary ISP; if that link fails, traffic is routed to the backup ISP.


Assume that the primary ISP (ISP-1) has assigned us the public IP address 100.100.100.1 with gateway 100.100.100.2, and the backup ISP (ISP-2) has assigned us the public IP 200.200.200.1 with gateway 200.200.200.2. Normally all traffic should flow through ISP-1, but if the physical link (or the route) to that ISP fails, traffic should be redirected to the backup ISP. We configure an SLA monitor that checks the availability of the primary gateway IP address (100.100.100.2) every 30 seconds with an ICMP echo request. If there is no response within 20000 milliseconds (20 sec), the tracked default route is withdrawn and the default route through the backup ISP takes over. The configuration is shown below:

asa5500(config)# sla monitor 100
asa5500(config-sla-monitor)# type echo protocol ipIcmpEcho 100.100.100.2 interface outside
asa5500(config-sla-monitor-echo)# timeout 20000
asa5500(config-sla-monitor-echo)# frequency 30
asa5500(config)# sla monitor schedule 100 life forever start-time now
asa5500(config)# track 1 rtr 100 reachability
asa5500(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1
asa5500(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 254

Of course the configuration above assumes that you have already configured two interfaces connected to the ISPs, the first one with name ‘outside’ (security level 0) and the second one with name ‘backup-isp’ (security level 1).
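A small audit script for the failover chain above, added here as an example (not part of the original post or of Cisco's tooling). It parses the `sla monitor`, `track` and `route` lines from running-config text and reports the wiring mistakes that silently leave you without failover: a track pointing at an undefined or unscheduled SLA, a probe sent out a different interface than the route it protects, a probe timeout longer than the probe interval, or a backup route whose metric does not lose to the primary. The embedded configuration is the post's own, with prompts stripped; the 5000 ms timeout and 60 s frequency fallbacks are assumed ASA defaults.

```python
import re
# Constructed sample: the post's dual-ISP configuration without the CLI prompts.
ASA_CONFIG = """\
sla monitor 100
 type echo protocol ipIcmpEcho 100.100.100.2 interface outside
 timeout 20000
 frequency 30
sla monitor schedule 100 life forever start-time now
track 1 rtr 100 reachability
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1
route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 254
"""
def parse_failover(config):
    """Collect SLA monitors, tracks and default routes from running-config text."""
    slas, tracks, routes, cur = {}, {}, [], {}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"sla monitor schedule (\d+)", line):
            slas.setdefault(m[1], {})["scheduled"] = True
        elif m := re.match(r"sla monitor (\d+)$", line):
            cur = slas.setdefault(m[1], {})  # following indented lines belong to this monitor
        elif m := re.match(r"type echo protocol ipIcmpEcho (\S+) interface (\S+)", line):
            cur.update(target=m[1], interface=m[2])
        elif m := re.match(r"(timeout|frequency) (\d+)", line):
            cur[m[1]] = int(m[2])  # timeout is in milliseconds, frequency in seconds
        elif m := re.match(r"track (\d+) rtr (\d+) reachability", line):
            tracks[m[1]] = m[2]
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\d+)(?: track (\d+))?$", line):
            routes.append(dict(interface=m[1], gateway=m[2], metric=int(m[3]), track=m[4]))
    return slas, tracks, routes
def audit_failover(config):
    """Return findings; an empty list means the failover chain is wired consistently."""
    slas, tracks, routes = parse_failover(config)
    primary = [r for r in routes if r["track"]]
    backup = [r for r in routes if not r["track"]]
    if len(primary) != 1 or len(backup) != 1:
        return ["expected exactly one tracked and one untracked default route"]
    p, b, findings = primary[0], backup[0], []
    sla = slas.get(tracks.get(p["track"], ""), {})  # empty if the track or its SLA is undefined
    if not sla:
        findings.append(f"track {p['track']} does not resolve to a defined sla monitor")
    else:
        if not sla.get("scheduled"):
            findings.append("sla monitor is never scheduled, so the track never changes state")
        if sla.get("interface") != p["interface"]:
            findings.append("probe leaves a different interface than the route it protects")
        if sla.get("timeout", 5000) > sla.get("frequency", 60) * 1000:  # assumed ASA defaults
            findings.append("probe timeout exceeds probe interval")
    if b["metric"] <= p["metric"]:
        findings.append("backup route metric must be higher than the primary metric")
    return findings
```

Run `audit_failover` over the output of `show running-config` after any routing change; a non-empty list means the backup ISP will not take over the way the post describes.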

07. August 2012 · Recovering Passwords for the ASA 5500 Series Adaptive Security Appliance · Categories: Cisco

To recover passwords for the ASA, perform the following steps:

Step 1 Connect to the ASA console port according to the instructions in the “Accessing the Appliance Command-Line Interface” section.

Step 2 Power off the ASA, and then power it on.

Step 3 After startup, press the Escape key when you are prompted to enter ROMMON mode.

Step 4 To update the configuration register value, enter the following command:

rommon #1> confreg 0x41

Update Config Register (0x41) in NVRAM…

Step 5 To set the ASA to ignore the startup configuration, enter the following command:

rommon #1> confreg
