Cisco ASA 5505


I recently had to try and determine the cause of random dropouts of a customer’s Cisco ASA IPsec VPN between two Cisco ASA 5505s. Both ASAs were NAT’d behind ADSL routers with ports forwarded to the firewall. I know this *shouldn’t* cause a problem, and modern implementations of the IPsec stack are much better at traversing NAT than they used to be. One router was a Cisco/Linksys something and the other was a NetGear DGN1000.

Symptoms: Tunnel would intermittently drop after 10-30 minutes, regardless of whether traffic was passing over the link (constant PING) or not.


PAT can be accomplished in two ways – by network object or by service object.

These notes are based on trying to get a port or group of ports to forward from the outside interface to a host behind the DMZ interface on a 5505 running 8.4:

Single Port – web server example

Use a network object. Add an access list rule with:

Interface: outside

Source: any

Destination: LAN IP address of the server (i.e. the internal IP address of the web server, etc.)

Service: www

Now add a NAT rule – Add Network Object Rule:

Name: something descriptive
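The same single-port web server forward expressed as CLI configuration for ASA 8.3+ object NAT, added here as an example and not taken from the original post; the object name WEB-SERVER, the host address 10.0.0.10, the access list name OUTSIDE-IN and the interface names dmz and outside are assumptions:

```cisco
! Assumed: web server at 10.0.0.10 behind the dmz interface, public side is outside
object network WEB-SERVER
 host 10.0.0.10
 nat (dmz,outside) static interface service tcp www www
!
! Access rule on the outside interface. From 8.3 onwards the destination is the
! real (untranslated) server address, not the outside interface address,
! which is why the ASDM steps above use the LAN IP of the server.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq www
access-group OUTSIDE-IN in interface outside
```

The static PAT line maps only TCP 80 on the outside interface address to the server, so nothing else on that host is exposed; `show nat detail` and `show access-list OUTSIDE-IN` confirm the translation and rule hit counts.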

If you have intermittent internet connectivity, or IPsec tunnels refusing to build after a reboot of either end (we get this a lot with a PIX 501 and a WatchGuard X15e), the Cisco PIX can become extremely annoyed and decide to screw up its security key(s) for remote access. You need to regenerate your RSA key(s).

If you can’t access the device remotely, you must use the serial console (blue cable). Attach it to a serial port on a workstation and launch the terminal emulator on your system.

Boot up the PIX.

Log in and enter configure terminal mode.

Type:
ca zeroize rsa
ca generate rsa key <keysize>
ca save all

Where <keysize> is a size in bits, e.g. 1024.

Reboot the device:
reboot

Just a few quick notes on my experience with Vista – the main reason I was forced onto Vista was because a customer had some Vista remote laptops and we needed to provide a hardware VPN solution. As it was a small setup we normally just shove a WatchGuard in there as they are simple and do the job, however WG were dragging their heels with a Vista-compatible VPN client.

Cisco, on the other hand, were already there. Although only in beta at the time of testing, it worked straight away and connected up to the ASA. After testing I left it on my laptop instead of reverting back to XP. I still use XP as my main partition, and use Vista as the secondary. The main reason is familiarity – when I’m out at a customer’s site troubleshooting a server or connectivity issue I don’t want to be learning a new OS at the same time! So I thought I’d leave it on there and use it at my own will….which didn’t happen much. In the end I started delving more into *nix.