10 Apr

Allowing tracert in Cisco ASA firewall

I was under the impression that allowing ICMP in the service policy would enable tracert to work. I was wrong. After scouting around I found the tweaks below that will enable tracert to run correctly.

1. Set decrement TTL
ASA# configure terminal
ASA(config)# policy-map global_policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# set connection decrement-ttl
ASA(config-pmap-c)# exit

2. Permit icmp control messages
ASA(config)# access-list inbound permit icmp any any time-exceeded
ASA(config)# access-list inbound permit icmp any any unreachable

3. Permit icmp connection, which you should already have 😀
ASA(config)# access-list outbound permit icmp any any

References:
http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/12_4/sec_data_plane_12_4_book/sec_fwall_icmp_insp.html

http://www.petenetlive.com/KB/Article/0000753.htm

01 Dec

Microsoft VPN PPTP client through Cisco ASA Firewall

Scenario:

Using Microsoft Windows built in VPN Client to connect to remote PPTP VPN server through Cisco ASA firewall.

Symptom:

Error 619

Solution:

On the ASA firewall, enter the commands below.
ASA-active#conf t
ASA-active(config)#policy-map global_policy
ASA-active(config-pmap)# class inspection_default
ASA-active(config-pmap-c)#inspect pptp
ASA-active(config-pmap-c)#exit
ASA-active(config)#access-list $Inbound_Interface_ACL permit gre $source_ip/network any
ASA-active(config)#access-list $Inbound_Interface_ACL permit tcp $source_ip/network any eq pptp
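As an added example (not from the original posts), a small Python audit that reads an ASA running-config excerpt and reports whether the prerequisites from both posts are present: the traceroute tweaks above (decrement-ttl plus the ICMP time-exceeded and unreachable permits) and the PPTP ones just listed (inspect pptp plus GRE and TCP pptp/1723 permits). The sample config, its ACL names and the 192.0.2.0/24 network are constructed.

```python
# Constructed sample running-config excerpt (not from a real firewall): it has
# the ICMP ACEs and PPTP inspection but lacks decrement-ttl and the GRE permit.
SAMPLE_CONFIG = """\
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit tcp 192.0.2.0 255.255.255.0 any eq pptp
access-list outbound extended permit icmp any any
policy-map global_policy
 class inspection_default
  inspect pptp
 class class-default
service-policy global_policy global
"""

def policy_classes(lines, name="global_policy"):
    """Map each class of the named policy-map to the commands beneath it."""
    classes, in_pm, cls = {}, False, None
    for line in lines:
        s = line.strip()
        if not line.startswith(" "):            # top-level command
            in_pm = s == "policy-map " + name
            cls = None
        elif in_pm and s.startswith("class "):
            cls = s.split()[1]
            classes.setdefault(cls, [])
        elif in_pm and cls is not None:         # command under a class
            classes[cls].append(s)
    return classes

def has_ace(lines, proto, *keywords):
    """True if some permit ACE for proto carries every keyword (e.g. time-exceeded)."""
    for line in lines:
        p = line.split()
        if p[:1] == ["access-list"] and "permit" in p and proto in p \
                and all(k in p for k in keywords):
            return True
    return False

def audit(config_text):
    """Check the prerequisites from both posts; True means the item is present."""
    lines = config_text.splitlines()
    classes = policy_classes(lines)
    return {
        # traceroute through the ASA (first post)
        "decrement_ttl": "set connection decrement-ttl" in classes.get("class-default", []),
        "icmp_time_exceeded": has_ace(lines, "icmp", "time-exceeded"),
        "icmp_unreachable": has_ace(lines, "icmp", "unreachable"),
        # Windows PPTP client through the ASA (second post)
        "inspect_pptp": "inspect pptp" in classes.get("inspection_default", []),
        "gre_permit": has_ace(lines, "gre"),
        "pptp_tcp_permit": has_ace(lines, "tcp", "pptp") or has_ace(lines, "tcp", "1723"),
    }
```

Paste the output of `show running-config` into `audit()` and every False entry is a line from the two posts that is still missing.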

Common Troubleshooting in Windows VPN Client

1. Open VPN Properties window, go to Security tab.
2. Change “Type of VPN” to PPTP

14 Jun

Cisco ASA firewall Mailguard feature and Exchange Server

The Cisco Mailguard feature sanitizes SMTP traffic. It is turned on by default and can cause some SMTP traffic to be dropped for security reasons.

Symptoms:

  • You cannot receive Internet-based e-mail messages.
  • You cannot send e-mail messages with attachments.
  • You cannot establish a telnet session with the Microsoft Exchange server on port 25.
  • When you send an EHLO command to the Exchange server, you receive a “Command unrecognized” or an “OK” response.
  • You cannot send or receive mail on specific domains.
  • Problems with Post Office Protocol version 3 (POP3) authentication – 550 5.7.1 relaying denied from local server.
  • Problems with duplicate e-mail messages being sent (sometimes five to six times).
  • You receive duplicate incoming Simple Mail Transfer Protocol (SMTP) messages.
  • Microsoft Outlook clients or Microsoft Outlook Express clients report an 0x800CCC79 error when trying to send e-mail.
  • There are problems with binary mime (8bitmime). You receive the following text in a non-delivery report (NDR):
    554 5.6.1 Body type not supported by Remote Host.
  • There are problems with missing or garbled attachments.
  • There are problems with the link state routing between routing groups when a Cisco PIX or Cisco ASA firewall device is between the routing groups.
  • The X-LINK2STATE verb is not passed.
  • There are authentication problems between servers over a routing group connector.

To determine whether Mailguard is running on your Cisco PIX or Cisco ASA firewall, Telnet to the IP address of the MX record, and then verify whether the response looks similar to the following:

220*******************************************************0*2******0*********************** 2002*******2***0*00

Solution:

ASA-FW(config)# no fixup protocol smtp 25

Verification: Telnet to SMTP on port 25; you should get a response like the one below.
220 mail.domain.com ESMTP
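An added example, not from the original post: a Python check that classifies an SMTP greeting as Mailguard-masked or normal, using the asterisk banner quoted above and a constructed normal banner (the hostname in it is a placeholder), plus a helper to fetch the greeting from your own MX host.

```python
import socket

# Banner quoted in the post above: what you see when Mailguard masks the server.
MAILGUARD_BANNER = "220*******************************************************0*2******0*********************** 2002*******2***0*00"
# Constructed normal greeting for comparison (placeholder hostname).
NORMAL_BANNER = "220 mail.example.com ESMTP"

def classify_banner(banner):
    """Return 'mailguard' when the 220 greeting is mostly asterisks (Mailguard
    masks the real banner), 'esmtp' for a normal ESMTP greeting, 'smtp' for a
    plain greeting, or 'unknown' for anything that is not a 220 line."""
    line = banner.splitlines()[0] if banner else ""
    if not line.startswith("220"):
        return "unknown"
    body = line[3:].strip()
    if body and body.count("*") / len(body) > 0.5:
        return "mailguard"
    return "esmtp" if "ESMTP" in body.upper() else "smtp"

def grab_banner(host, port=25, timeout=5.0):
    """Connect to the MX host and read its greeting (network check; not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        return sock.recv(512).decode("ascii", "replace")

if __name__ == "__main__":
    import sys
    # With a hostname argument the live greeting is checked; otherwise the quoted one.
    banner = grab_banner(sys.argv[1]) if len(sys.argv) > 1 else MAILGUARD_BANNER
    print(classify_banner(banner))
```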

References:
http://support.microsoft.com/kb/320027

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b2ecb.shtml

http://www.cisco.com/warp/public/707/cisco-sa-20000927-pix-firewall-smtp-filter.shtml
