Friday, October 15, 2010

ASA access lists

Ok, so I changed the size of a network on one of my DMZs. So I remove all the ACL entries and re-paste them with the new subnet mask. Now I can't get to my DNS server (which is in a different DMZ).

Ok, I look through my ACLs, make sure the DNS lines are still there, pasted correctly, etc. Everything looks ok, so I run packet tracer and it ends with: blocked by access-list .... implicit deny.

Now, my only grudge about packet tracer is that it doesn't list WHICH ACL blocked it, but I'm pretty sure it should only be hitting the one. I try adding a permit ip any any on the end of the ACL... Still blocked. I try adding a permit ip any DNSIP at line 1 of the ACL... Still blocked. Starting to want to pull my hair out: I know it should be hitting this ACL and I have the correct entries!

(Now this DMZ is also my wireless network, so I'm doing some troubleshooting on the WLCs and laptops etc. to be sure, but I can't imagine it is anything other than that ACL I just changed on the firewall. It had worked after changing the subnet mask on both the interface and NAT pool...)

So finally, I just sit back and decide to stop doing pipes and look at the entire show run. I crawl through my entire ASA config line by line until, at the bottom, I notice the ACL for that DMZ isn't applied.... Apparently when you remove all lines of the ACL it also removes it from the interface (and fails closed to an implicit deny). So I re-add the ACL to the interface and magically everything is working again!

So - when you remove all lines of an ACL - the ASA also removes the

access-group dmzACL in interface DMZ

command from your running config as well.
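A quick way to catch this state before it bites you is to audit a saved `show run` for ACLs that are defined but never applied and for interfaces that have no inbound access-group at all. This is an added example, not from the original post or from Cisco; it assumes a plain-text running-config dump and uses a constructed sample in which the DMZ ACL was re-pasted but its access-group line is gone, exactly as described above.

```python
import re

# Constructed sample `show run` excerpt (not from a real firewall): dmzACL was
# re-pasted after being emptied, so its access-group line no longer exists.
SAMPLE_RUN = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
access-list outsideACL extended permit tcp any host 192.0.2.10 eq 443
access-list dmzACL extended permit udp 10.10.0.0 255.255.0.0 host 10.20.0.53 eq 53
access-list dmzACL extended permit ip any any
access-group outsideACL in interface outside
"""

def parse_asa_config(text):
    """Collect named interfaces, defined ACL names and inbound access-groups."""
    interfaces, defined, applied = set(), set(), {}   # applied: iface -> ACL
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"nameif (\S+)$", line)
        if m:
            interfaces.add(m.group(1))
            continue
        m = re.match(r"access-list (\S+) ", line)      # remarks count as defined
        if m:
            defined.add(m.group(1))
            continue
        m = re.match(r"access-group (\S+) in interface (\S+)$", line)
        if m:                                           # outbound groups ignored here
            applied[m.group(2)] = m.group(1)
    return interfaces, defined, applied

def audit_acls(text):
    """Report interfaces with no inbound ACL, unapplied ACLs and dangling groups."""
    interfaces, defined, applied = parse_asa_config(text)
    return {
        "no_inbound_acl": sorted(i for i in interfaces if i not in applied),
        # An unapplied ACL may be used elsewhere (NAT, VPN filters), so treat
        # this as a warning to check, not proof of a broken config.
        "unapplied_acls": sorted(defined - set(applied.values())),
        "dangling_groups": sorted(set(applied.values()) - defined),
    }

if __name__ == "__main__":
    for key, names in audit_acls(SAMPLE_RUN).items():
        print(f"{key}: {names}")
```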

Lesson learned!

Thursday, October 14, 2010

ASA 8.3

The new 8.3 ASA code has made some MAJOR configuration changes, particularly concerning NAT. Take a peek at http://www.petenetlive.com/KB/Article/0000247.htm and of course the migration guide: http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html to start seeing what all is changing.

Is there a reason Cisco now has us permit incoming traffic to the inside address rather than the public IP? No more NAT 0??? I feel like I am going to need to learn NAT all over again.

Friday, October 1, 2010

I love marketing

"Able to transmit the DNA sequence of 56,000 people in a second" - Way to use an analogy when I have no idea how big that is. I suppose DNA sequences are fairly large, but it would just be a text file of info... I suppose I really just have no idea what size this is and whether that is truly fast or just pretty fast.

"Able to move the entire printed Library of Congress in a second" ... ok, so is that in txt files, PDFs, or e-pubs? This one is a little better, but once again, it sounds like a good bit and I have no idea how many books that actually is, or how many gigs or terabytes you are moving.

322 Terabyte performance - Awww, now there is something I recognize, but of course they aren't going to mention any specifics beyond their biggest number! What exactly is that a measure of? How are you defining "performance"?

Ah well, I suppose if I were a sales guy I might not be able to do much better; it is why marketers should always have a tech with them.