Mar 27, 2013

arp permit-nonconnected

You have a NAT block on your firewall but it is not a directly connected subnet. It used to work, but after upgrading to 8.4 it doesn't work anymore. What happened?

Mar 21, 2013

Route-based IPsec VPN with OSPF

Some time ago, I wrote an article explaining how to set up a route-based VPN on an ASA. The reader wintermute000 asked me if it would be possible to use dynamic routing instead of adding a static route for every subnet that we want to reach through the VPN tunnel. I told him it is possible, and now I'm going to show how.

Feb 8, 2013

NAT Exemption for intra-interface traffic

Both sites A and B have IPsec L2L tunnels to HQ ASA. Remote users send traffic to the Web through the VPN tunnels and also communicate with each other.

HQ ASA has dynamic PAT rules to translate traffic coming from remote sites using the outside interface IP address before routing the traffic to the Web. It is also configured to allow intra-interface traffic:

nat (outside) 1 10.2.2.0 255.255.255.0
nat (outside) 1 10.3.3.0 255.255.255.0
nat (inside) 1 0 0
global (outside) 1 interface
same-security-traffic permit intra-interface

For traffic coming from a higher security level interface to a lower one (outbound traffic), you don't need to create a rule to exempt the returning traffic from NAT:

Source: 172.16.1.0/24 (inside)
Destination: 10.2.2.0/24 (outside)

access-list inside-nonat permit ip 172.16.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list inside-nonat

However, if source and destination are routed through the same interface, you need to create two ACEs, otherwise returning traffic would match the PAT rule:

Feb 6, 2013

Multi-context FWSM ACL partition

When you convert a FWSM from single to multiple mode (security contexts), the system creates pools of resources (also known as partitions). These pools limit the number of rules (ACEs, AAA rules, Policy NAT, and others) that can be created in each context. The FWSM uses 12 partitions by default (the maximum value), and each context is assigned its own partition, unless you have more than twelve contexts. In that case, the system assigns more than one context to a partition, and those contexts share its resources.