Asa on Aaron's Worthless Words

A Simple Firewall Upgrade - A True Story

Thu, 20 Jun 2013 00:00:00 +0000

I just got through a big weekend. We upgraded our main production firewall, but the process had a few twists.

The old firewalls, a pair of ASA 5520s, were running at about 80% CPU during the day. That’s high enough that even I cringe when I saw the utilization in ASDM. It was obviously time to upgrade to something with more beef, but we also wanted something that will last for years. After looking around and getting some quotes (that made me jump back in my seat), we finally decided to go with a pair of 5555Xs. These guys give about 10 times the throughput of the 5520 with about 8 times the memory. Seems to match the requirements. Now for the complications we had to work through.

Stubby Post - Changing the Prompt on the ASA

Thu, 20 Jan 2011 00:00:00 +0000

RichardF commented on an article I wrote last November and mentioned the prompt command in the ASA. I never set aside any time to research it, but I finally took the time today while waiting for a maintenance window.

This is one of those little things in life that make me happy. Since the active ASA always has the same hostname and IP address, I find it hard to keep track of to which firewall I’m actually connected. That “configurtions are no long in sync” message you get when you conf t on the standby firewall really irks me. With the prompt command, I can see which firewall I’m on and in what state it is.

Running Commands on a Standby ASA from the Active

Mon, 22 Nov 2010 00:00:00 +0000

I was exploring commands on the ASA a while back and discovered that you can run commands on the standby unit from the active.

Configuring an Active/Passive ASA Pair

Sat, 20 Nov 2010 00:00:00 +0000

A buddy asked for some help on configuring a pair of ASAs in active/passive mode, and, by pure coincidence, my newest project is to set up the same. I’ve done it many time, but it’s one of those things that you don’t really do every day (unless you’re a VAR or something). These things always get covered in rust very quickly in my head, but, once I get one or two details back to the surface, it all comes flooding back. I better take the time to jot down the details.

SLA Monitoring on the PIX/ASA

Fri, 15 Oct 2010 00:00:00 +0000

We’re working on an data center design for a customer, and they’ve dropped in two ISP links - each with it’s own managed router and public IP space off one of the Ethernet interfaces. The idea is that they want to use the Internet links in an active-passive setup without getting their own IP addresses to avoid running BGP with the ISPs. To top it off, the headend of their control is an ASA cluster, so we wind up with two interface on the Internet to treat with a local security level. Oh, the joys of doing network design.

More ASA Objects and Object-groups

Mon, 05 Apr 2010 00:00:00 +0000

A few years ago, I developed a Perl-based application that take a template file and pukes out standardized access rules for new hosts as they’re added to the network. This works great for making sure that each host is able to be managed properly. This solution, however, is not very flexible. If I need to remove a host’s access, I may have to take out 20 rules individually. That’s not really cool, so, at the suggestion of a coworker, I’m working on a solution that uses objects, object-groups, and nested object-groups. This should minimize the configured rules and allow new host rules to be added and removed by simply adding hosts to object-groups.

ASA 8.3.1 – Smart Tunnel and NAT Changes

Fri, 12 Mar 2010 00:00:00 +0000

I’ll start off with a warning. I’ve been running 8.3.1 on my home 5505 for a few hours now. Not only is this not really enough time for a thorough review, it’s also not the environment to test enterprise-level configurations. There are also a lot of details missing that I just don’t know about yet, so please do some research on your own to figure out what’s going to break if you upgrade your ASA.