Nov 5, 2012

Changing ISP through the outside interface

Sometimes the only way to get in to the firewall management console is through outside interface. If you have no console connection or management access to an internal interface, and you need to change the external IP address (the same used to SSH), then you have to setup SLA Monitor to recover management access after changing the external IP address.

Jun 8, 2012

Route-based IPsec VPN on ASA

IOS (and some appliances from other vendors) has a feature called VTI (virtual tunnel interface) that can be used to setup route-based IPsec VPNs. Therefore we just need to create a static route to reach the remote networks, without update the encryption domain (proxy ACL).

ASA doesn't support tunnel interfaces, however we still can setup route-based IPsec VPNs and that is what I am going to show.

Feb 28, 2012

What is the reason for the log %ASA-6-106015?

When the ASA receives a packet it checks the conn table and whether a connection entry is found for that packet, it is handled by the Fast Path and bypass the ACLs. It is true for any packet that doesn't require application inspection, otherwise it is handled by session management path or control plane path.

So what if you see the following logs:

Feb 20 2012 08:15:08: %ASA-6-302013: Built outbound TCP connection 7985447 for outside: ( to inside: (

Feb 20 2012 08:15:38: %ASA-6-302014: Teardown TCP connection 7985447 for outside: to inside: duration 0:00:30 bytes 0 SYN Timeout
Feb 20 2012 08:15:54: %ASA-6-106015: Deny TCP (no connection) from to flags SYN ACK  on interface outside

Feb 10, 2012

Disabling idle timeout for specific traffic

The ASA enforces a timeout for idle connections and the default value is one hour for TCP connections. It helps to save resources and avoid overloads, but it can also crash some applications. We can disable this feature at all, but it is not a good idea as it can impact the firewall performance. Thus the best thing to do when you are running some application which you expect to have idle connections for long time is disabling the idle control for that traffic only. We can do that with Advanced Connection Settings.