Category Archives: Cisco ASA

DHCPv6 Relay Issue with Cisco ASA and Ubuntu

Some months ago, my co-worker and I ran into an interesting issue: a notebook with a newly installed Ubuntu 20.04 does only work with IPv4, but this office network is dual-stacked (IPv4 and IPv6). Other Linux clients as well as Windows and Mac systems still work fine. They all get an IPv4 configuration by DHCPv4 and an IPv6 configuration by stateful DHCPv6 from the same DHCP server, relayed by a Cisco ASA 5500-X. What’s wrong with Ubuntu 20.04?

Continue reading DHCPv6 Relay Issue with Cisco ASA and Ubuntu

Route-Based VPN Tunnel FortiGate <-> Cisco ASA

More than 6 years ago (!) I published a tutorial on how to set up an IPsec VPN tunnel between a FortiGate firewall and a Cisco ASA. As time flies by, ASA is now able to terminate route-based VPN tunnels (which is great!), we have IKEv2 running everywhere and enhanced security proposals. Hence, it’s time for an update:

Continue reading Route-Based VPN Tunnel FortiGate <-> Cisco ASA

Route-Based VPN Tunnel Palo Alto <-> Cisco ASA

More than 6 years ago (!) I published a tutorial on how to set up an IPsec VPN tunnel between a Palo Alto Networks firewall and a Cisco ASA. As time flies by, ASA is now able to terminate route-based VPN tunnels (which is great!), we have IKEv2 running everywhere and enhanced security proposals. Hence, it’s time for an update:

Continue reading Route-Based VPN Tunnel Palo Alto <-> Cisco ASA

Cisco ASA Remote Access VPN for Android

The native Android IPsec VPN client supports connections to the Cisco ASA firewall. This even works without the “AnyConnect for Mobile” license on the ASA. If only a basic remote access VPN connection is needed, this fits perfectly. It uses the classical IPsec protocol instead of the newer SSL version. However, the VPN tunnel works anyway.

In this short post I am showing the configuration steps on the ASA and on the Android phone in order to establish a remote access VPN tunnel.

Continue reading Cisco ASA Remote Access VPN for Android

OSPFv3 for IPv6 Lab: Cisco, Fortinet, Juniper, Palo Alto, Quagga

Similar to my test lab for OSPFv2, I am testing OSPFv3 for IPv6 with the following devices: Cisco ASA, Cisco Router, Fortinet FortiGate, Juniper SSG, Palo Alto, and Quagga Router. I am showing my lab network diagram and the configuration commands/screenshots for all devices. Furthermore, I am listing some basic troubleshooting commands. In the last section, I provide a Tcpdump/Wireshark capture of an initial OSPFv3 run.

I am not going into deep details of OSPFv3 at all. But this lab should give basic hints/examples for configuring OSPFv3 for all of the listed devices.

Continue reading OSPFv3 for IPv6 Lab: Cisco, Fortinet, Juniper, Palo Alto, Quagga

Policy Based Routing on a Cisco ASA

Cisco ASA 9.4 (and later) is now supporting Policy Based Routing. Yeah. Great news, since many customers are requesting something like “HTTP traffic to the left – VoIP traffic to the right”. Coming with a new Cisco ASA 5506-X I was happy to try the policy based routing feature.

The configuration steps through the ASDM GUI are not easy and full of errors so I am trying to give some hints within this blog post.

Continue reading Policy Based Routing on a Cisco ASA

Firewall IPv6 Capabilities: Cisco, Forti, Juniper, Palo

Since IPv6 gets more and more important, I am using it by default on all my test firewalls, which of course support IPv6. However, when comparing the different functions and administration capabilities, they vary significantly.

Here comes my short evaluation of the IPv6 functions on the following four firewalls: Cisco ASA, Fortinet FortiGate, Juniper SSG, and Palo Alto.

Continue reading Firewall IPv6 Capabilities: Cisco, Forti, Juniper, Palo

MRTG/Routers2: Template Cisco ASA

I constructed a MRTG/Routers2 configuration template for the Cisco ASA firewall which consists the OIDs (graphs) for the interfaces, CPU, memory, VPNs, connections, ping times, and traceroute hop counts. With only four search-and-replace changes as well as a few further specifications, the whole SNMP monitoring for that firewall is configured.

Continue reading MRTG/Routers2: Template Cisco ASA

Cisco ASA vs. Palo Alto: Management Goodies

You often have comparisons of both firewalls concerning security components. Of course, a firewall must block attacks, scan for viruses, build VPNs, etc. However, in this post, I am discussing the advantages and disadvantages from both vendors concerning the management options: How to add and rename objects. How to update a device. How to find log entries. Etc.

Continue reading Cisco ASA vs. Palo Alto: Management Goodies

OSPF for IPv4 Test Lab: Cisco Router & ASA, Juniper SSG & Palo Alto

I tested OSPF for IPv4 in my lab: I configured OSPF inside a single broadcast domain with five devices: 2x Cisco Router, Cisco ASA, Juniper SSG, and Palo Alto PA. It works perfectly though these are a few different vendors.

I will show my lab and will list all the configuration commands/screenshots I used on the devices. I won’t go into detail but maybe these listings help for a basic understanding of the OSPF processes on these devices.

Continue reading OSPF for IPv4 Test Lab: Cisco Router & ASA, Juniper SSG & Palo Alto

Grep Commands for Cisco ASA Syslog Messages

In a basic environment with a Cisco ASA firewall I am logging everything to a syslog-ng server. As there aren’t any reporting tools installed, I am using grep to filter the huge amount of syslog messages in order to get the information I want to know. In this blog post I list a few greps for getting the interesting data.

Continue reading Grep Commands for Cisco ASA Syslog Messages

IPsec Site-to-Site VPN Cisco ASA <-> AVM FRITZ!Box

Mit diesem Beitrag möchte ich zeigen, wie man ein Site-to-Site VPN von der FRITZ!Box zu einer Cisco ASA Firewall aufbaut. Mein Laboraufbau entspricht dabei dem typischen Fall, bei dem die FRITZ!Box hinter einer dynamischen IP hängt (klassisch: DSL-Anschluss), während die ASA eine statische IP geNATet bekommt.

Beide Geräte habe ein policy-based VPN implementiert, so dass das hier endlich mal ein Fall ist, wo man nicht durch den Mix einer route-based VPN-Firewall und einer policy-based VPN-Firewall durcheinander kommt. Man muss bei beiden Geräten einfach das eigene sowie das remote Netzwerk eintragen, ohne weitere Routen zu ändern.

Continue reading IPsec Site-to-Site VPN Cisco ASA <-> AVM FRITZ!Box

IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco ASA

This post describes the steps to configure a Site-to-Site VPN between a Juniper ScreenOS firewall and the Cisco ASA firewall. With the correct IKE and IPsec parameters as well as the correct Proxy IDs on both sides, the VPN establishment works without any problems. And since the Juniper firewall can ping an IPv4 address on the remote side through the tunnel (VPN Monitor), the VPN tunnel is established by the firewalls themselves without the need for initial traffic.

Continue reading IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco ASA

IPsec Site-to-Site VPN Palo Alto <-> Cisco ASA

I configured a static Site-to-Site IPsec VPN tunnel between the Cisco ASA firewall and the Palo Alto next-generation firewall. If the same phase 1 & 2 parameters are used and the correct Proxy IDs are entered, the VPN works without any problems though the ASA uses a policy-based VPN while the PA implements a route-based VPN.

I made a few screenshots from the VPN configuration of both firewalls which I will show here. I am also listing a few more hints corresponding to these two firewalls.

Continue reading IPsec Site-to-Site VPN Palo Alto <-> Cisco ASA