About James Leinweber

James Leinweber · 03-31-2017

Most of the current ASA/Firepower firmwares have a bug where the stop processing ARP packets after 213 days of uptime. Bit me Wednesday, ouch! The workaround is to schedule a reload before that happens. No security implications. Field notice: h...

James Leinweber · 04-05-2016

I have a 5525-x firewall running ASA firmware 9.4.2(6) on which I'd like to renumber a trunked subinterface to a different IPv4 subnet. This would be most conveniently done if I could have both the old and new subnets active simultaneously on the sa...

James Leinweber · 09-25-2015

As widely anticipated, the ARIN free pool was exhausted on Thursday 9/24/2015:https://www.arin.net/announcements/2015/20150924.htmlAlthough ARIN was only the 4th RIR to run out of v4, there are policy differences between the various registries such t...

James Leinweber · 07-17-2013

I have an IPsec L2L tunnel between two ASA 5525-x firewalls running 9.0(2), negotiating IKEv2 with certificate authentication of the endpoints. Frequently, as expected, SA's will rekey due to time or data rollover, logging things like %ASA-7-702307 ...

James Leinweber · 06-10-2013

In ASA 8.2 in single-context routed mode I had multicast stub forwarding working with igmp forward interface outsideon relevant inside interfaces with public-scoped IP addresses (no NAT), plus access rules on the outside interface such as access...

James Leinweber · 03-19-2018

The answer is a little complicated, but basically, yes, you might need a second rule. It depends on how many access-lists you have applied to the interfaces and what the interface security levels rare. In a trivial firewall setup with ingress rules...

James Leinweber · 03-19-2018

The first step is to crank up the logging and see what is hitting it. Then add rules in front of it for traffic you want to allow. When the usage count of the "permit any any" rule stops increasing, or all the remaining traffic is something you hat...

James Leinweber · 03-15-2018

I wouldn't think that expired certificates would cause a problem, but have no experience of that; I tend to install new certificates, update all the statements using them, then delete the old ones. Usually before they expire.

James Leinweber · 03-14-2018

So now you want to be running firmware new enough that it copes well with DHCPv6 prefix delegation. Upstream (cox.net?) will be sending you ICMPv6 router advertisements (RA), which will probably have the "managed configuration" flag on, meaning you ...

James Leinweber · 02-23-2018

Q1) Should i allow these Time Exceeded messages ? Probably; I do. Q2) Are there any ICMP types that should be denied - For security reasons, like allowing external hosts to probe for topology, hosts or alike ? For proper operation of your interne...

Member Since	‎02-02-2013 08:36 AM
Date Last Visited	‎11-07-2018 10:41 AM
Posts	284
Total Helpful Votes Received	300

User Statistics

User Activity

uptime of 213 days considered harmful

migrating to new IPv4 subnet - can we run two at once?

ARIN exhausts v4 free pool - time to get serious about v6

IKEv2 L2L tunnel SA rekey sporadically failing

does anyone have a working 9.x igmp stub multicast configuration?

Re: Bidirectional rule for ASA 5585 Access-rule

Re: Suggestions for Narrowing Down Permit Any Any Rule

Re: ASA 5550 Upgrade from 8.4(7) to 9.1(7)

Re: IPv6 on vlans

Re: Allow ICMP type 11 on outside_in ???