The ramblings of a computer geek
We had a rather irritating issue whereby we were seeing intermittent packet drops and connection failures on our Kemp Load Master. The Kemp Load Master sat inbetween a Palo Alto Firewall within a DMZ zone. Client connections from the Internet would be directed to the Kemp Load Master in the DMZ, which would then make … Read more
Had to do a bit of configuration on an HP c7000 blade chassis the other day. There was a need to have two separate uplink pairs going to two different pairs of switches from the single chassis. I needed to provide both uplink paths to each host within the chassis (they were ESXi hosts). Here … Read more
The changes to the ASA IOS post version 8.3 changes the way that NAT works. NAT Exemption is normally used to disable translation for certain addresses e.g. for VPN tunnelling. So for this example below you create an access-list containing the IP addresses that are to be exempted from NAT. So say these are the … Read more
On a Cisco ASA firewall you will probably want to use the DMZ for servers that are web facing, and also restrict/deny any access they have to the internal network. The idea being that a connection to a web server say in your DMZ would get into the DMZ, and if another connection is required … Read more
Pre version 8.3 to statically NAT an internal host to an external IP address you would use the following: This then means…… inside = the source interface for the NAT connection (assuming going from the inside to the outside) outside = the translated interface for the NAT connection 212.219.63.195 = External IP address to which … Read more
Okay a basic example with a Cisco ASA for the NAT rules. Lets say there is PC1 on the inside network that you want to have internet access. The IP address 192.168.1.100 can’t just connect to the Internet using that IP address as its not routable, so instead we need to translate it. In this … Read more
This was an interesting one, I was trying to download a IOS image to a switch but the connection was being denied. It turned out the connection was coming from a VLAN interface on the switch that did not have access to the TFTP server. You can force the VLAN interface used with this command: … Read more
Okay here’s a weird one, we had two identical clusters of firewalls running: ASA IOS: 9.0(2) ASDM: 7.1(2) One of the firewall clusters you could access https:// to get to the ASDM with no problem, the other one, you access you get page cannot be displayed with some error about SSL not working. Firstly I … Read more
Here’s something that came up, we are replacing a few switches and want to replace it will a couple of 3750s and a 3750e in a stack. The issue was that the 3750e has a different IOS to the 3750s but still must be the same version. After some playing around I found these versions … Read more
Look for these lines in the output: The first line that contains the red is the string identifying the VPN connection that we want to track; you may need some guess work and trial and error to find the correct one. Here there is also something to note, when there are multiple site to site … Read more