When a customer calls with a problem or request I often see a chance to investigate a technology, learn something new or apply random skills to find a creative solution. This time is about an ASA, customer noticed too much traffic on the Internet facing interface. Syslog, Netflow, bandwidth monitoring and any other useful tools are totally missing, only the old good CLI to help. The MVP We can get a list of all active connections from ASA with
ASA doesn’t boot: Launching BootLoader... Default configuration file contains 1 entry. Searching / for images to boot. Loading /asa825-k8.bin... Booting... Press ESC to interrupt boot: Use BREAK or ESC to interrupt boot. Use SPACE to begin boot immediately. We’re now in rommon: rommon #0> Check variables: rommon #3> set ROMMON Variable Settings: ADDRESS=0.0.0.0 SERVER=0.0.0.0 GATEWAY=0.0.0.0 PORT=Ethernet0/0 VLAN=untagged IMAGE= CONFIG= LINKTIMEOUT=20 PKTTIMEOUT=4 RETRY=20 Config network parameters. rommon #8>ADDRESS=10.
Office 365 is widely used between many customers. Some of them happen to manage all the Internet connections through a Cisco ASA, not the fancy ASA-X with Firepower, just the plain old 5510. I was asked to allow Office 365 traffic, looks easy huh? Step 1: know your enemy After some Google-fu I found Microsoft kindly provides an update list of the IP/subnet/URLs necessary to access various services including Office 365, Lync, OneNOte etc.
IP addressing design is a topic that follows every networker from the basic to the architect level of experience. Usually we just pick a random range from RFC1918 and address all the devices. But then VPN happens, and with VPN comes the risk of overlapping. How do we fix overlapping? With NAT of course! In this post I’ll show how to use twice NAT to allow VPN connections with overlapping addresses.
Today a customer called to change the IP address of a L2L VPN peer on his Cisco ASA 8.3(2)4. The task can be divided in 3 steps: 1) Get the VPN password. It should be written somewhere in the network documentation, as stated by rule 7, but you know, password sometimes just get lost. 2) Find and update crypto map asa# sh run | b peer 126.96.36.199 You should get a line like
A customer called today for a strange issue on their Cisco ASA. They have 60Mbit internet connection and a big event is filling the bandwidth. The session graph is what they are worried about: This is a perfect example of TCP Sync, well explained HERE. The ISP applies a basic rate-limit rule on the router that causes the packet drops. Since ISP uses a Cisco router as CPE I’ll try to negotiate some QoS policy to avoid the TCP sync behaviour.