Cisco ASA

Last week I updated a Cisco ASA HA cluster within a work project. The customer runs about 200 EasyVPN and IPsec VPN Site2Site connections. Our goal was to update the Cisco ASA HA cluster without an interrupt. The installed firmware version was 8.6(1)2 and we wanted to go straight to 9.4(2)11. In this case I was using two … Read more

Today I wanted to configure a site2site VPN on my Cisco ASA in my laboratory. When I tried to configure the transform-set I received the following error message: Firewall(config)# crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac The 3DES/AES algorithms require a VPN-3DES-AES activation key. I’ve never saw this message before. It was very confusing seeing the 3DES-AES feature … Read more

Interesting project that I got some days ago: I need to connect a Cisco ASA redundantly to a HP Switch Switch cluster (clustered with IRF protocol) and VLAN tag support. I configured a bridge-aggregation interface at the HP 5920AF-24XG like this (VLANs were already configured): interface Bridge-Aggregation1 description Link to Cisco ASA interface Ten-GigabitEthernet1/0/8 port link-aggregation … Read more

As I explained 1:1 NAT (with example for PPTP passthrough) in this post you can also add more PAT just based on your access-list. I recognized a problem at one customer that FTP needs an inspection firewall entry. The customer runs a passive FTP server on tcp port 3002 which I forwarded to inside: object … Read more

I know that they take LSD (yes Lysergic acid diethylamide) at Cisco like Kevin Herbert but can they consume less? Every release of a new 8.x software version of the Cisco ASA has new NAT statements and logic. This week I replaced an old Cisco PIX 6.x with a new Cisco ASA 8.4(4)1 (asa844-1-k8.bin) and … Read more