This is the Q&A from the "Troubleshooting ASA Firewalls - Packet Flow, Upgrade Best Practices and Handling Dual ISP Links" session.
A. Yes, it is possible to do that. You will need to enable the option called DNS rewrite, which will enable you to access a server on the inside using its public IP.
PIX/ASA: Perform DNS Doctoring with the static Command and Two NAT Interfaces Configuration Example
A. Source address NAT is the 6th stage in the packet flow - just prior to the IPS redirection.
A. The first NAT stage translates the destination IP address of the packet and determines the egress interface of the packet. The second NAT stage is for translating the source IP address.
A. That's a great question but unfortunately FWSMs do not support packet-tracer. We depend on the other tools (such as captures, and syslogs) to troubleshoot network problems.
A. That is completely understandable if you are new to this version of ASAs. Here are some documents that might help you understand this better: https://supportforums.cisco.com/docs/DOC-12690. There are some useful videos at the end of this doc.
A. The capture command has very little overhead on the CPU. It is important, though, to ensure that you are as specific as possible when working with packet captures.
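As an added illustration (not from the session), here is the difference between a broad and a specific capture on the ASA CLI, followed by the packet-tracer check that walks a synthetic packet through the flow stages discussed above. The addresses are constructed: 10.1.1.10 is an inside host and 203.0.113.5 is an outside web server.

```cisco
! Broad capture: grabs every packet on the inside interface, fills the buffer
! quickly and makes the output hard to read. Avoid on a busy firewall.
capture broad interface inside

! Specific capture: only the one TCP flow under investigation (both directions).
! Addresses are constructed for this example. buffer/packet-length keep the
! capture bounded and ensure full frames are stored.
capture web interface inside match tcp host 10.1.1.10 host 203.0.113.5 eq 80 buffer 1000000 packet-length 1522

! Review the captured packets, then remove the capture when done.
show capture web
no capture web

! Simulate the same flow to see each processing stage (connection lookup,
! ACL, NAT, egress interface) without generating real traffic.
packet-tracer input inside tcp 10.1.1.10 12345 203.0.113.5 80
```

Note that on the outside interface the inside host appears with its translated address, so a capture applied there must match the post-NAT source IP.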
A. The CLI command to back up certificates is "crypto ca export <trustpoint_name> pkcs12 <secret_key>".
More information about the command: http://www.cisco.com/en/US/docs/security/asa/command-reference/c7.html#wp2260393
If you are talking specifically about the AAA/VPN keys, you should use the command "more system:running-config".
A. FWSMs do not support packet-tracer. You can use other tools like syslogs and captures.
A. As we discussed, the first stage of packet processing is whether the packet matches an existing connection. Hence, if the DST is responding to a previous packet from the SRC, then yes, the ASA will allow it without an ACL.
A. One cannot view the un-encrypted passwords of users using the CLI. You can, though, view the un-encrypted passwords for features like AAA or VPN using "more system:running-config" and "show run all".
A. That is actually a TCP option and not the TCP flag. Most of the supported TCP options will be shown in the packet captures.
A. Here you go: https://supportforums.cisco.com/docs/DOC-1222.