Hi, I recently had the case at one of my customers that the ASA Service Module in their core switch was making trouble. The symptoms were massive packet-loss for valid connections and also problems with high-availability (the failover-cluster fell apart...
Hello! I have a very simple (so I thought) requirement, which I want to solve with ZBF. Although it seems simple, I can't get it to work with Cisco IOS Zone-Based Firewalling (ZBF). The requirement is to simply filter HTTP-requests to a certain server....
Hello, Multi-Session/Per-Session PAT: I don't quite get the difference between those. Where is the technical difference? I read the config-guide and command-reference, but the explanation is not clear enough for me. It only lists advantages and disadvanta...
Hi, it is common practice to configure a kind of "fallback-user" in case the "normal" way of AAA-checking is not working. For example, on the device you configure LOCAL fallback (with a locally configured fallback user), which is only used when the pri...
Hi, while configuring and understanding the ASA's way of handling certificates, I encountered the command "validation-policy" in the command-reference of the ASA (8.2(2)): http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp155731...
Hi jcarvaja, thanks for your comment. Regarding your suggestions: TCP normalization stuff and connection limits are both not applicable. This is because the specific connection which triggered the failure was denied by the ASASM in the first place. So ...
Hello wyley. I also ran into this problem repeatedly, which is why I refrain from using the management-interface most of the time. It's just cumbersome to implement and makes things more difficult most of the time. I don't see any reason to use the ma...
Hello jcarvaja, the complete config from top to bottom (reverse way of configuring) is:
policy-map type inspect SERVICES.ACCESS
 class type inspect PROTO.HTTP
  inspect
  service-policy http SERVERNAME.ONLY
 class type inspect PROTO.HTTPS
  inspect
 class ty...
Hi jcarvaja! I don't understand. Isn't your suggestion exactly how I tried it in my example 1?
# Example 1
policy-map type inspect http SERVERNAME.ONLY
 class type inspect http SERVERNAME.SET
  allow
 class type inspect http HTTP.ANY
  reset
I can report that ...
OK Julio, thank you for this explanation. So it seems that the only technical difference is the way termination of the PAT-sessions is done. Do you have an idea why only per-session PAT is supported in an ASA cluster? I suspect it might be somethin...