Most of the current ASA/Firepower firmwares have a bug where they stop processing ARP packets after 213 days of uptime. Bit me Wednesday, ouch! The workaround is to schedule a reload before that happens. No security implications.
Field notice:
h...
I have a 5525-x firewall running ASA firmware 9.4.2(6) on which I'd like to renumber a trunked subinterface to a different IPv4 subnet. This would be most conveniently done if I could have both the old and new subnets active simultaneously on the sa...
As widely anticipated, the ARIN free pool was exhausted on Thursday 9/24/2015: https://www.arin.net/announcements/2015/20150924.html Although ARIN was only the 4th RIR to run out of v4, there are policy differences between the various registries such t...
I have an IPsec L2L tunnel between two ASA 5525-x firewalls running 9.0(2), negotiating IKEv2 with certificate authentication of the endpoints. Frequently, as expected, SA's will rekey due to time or data rollover, logging things like %ASA-7-702307 ...
In ASA 8.2 in single-context routed mode I had multicast stub forwarding working with igmp forward interface outside on relevant inside interfaces with public-scoped IP addresses (no NAT), plus access rules on the outside interface such as access...
The answer is a little complicated, but basically, yes, you might need a second rule. It depends on how many access-lists you have applied to the interfaces and what the interface security levels are. In a trivial firewall setup with ingress rules...
The first step is to crank up the logging and see what is hitting it. Then add rules in front of it for traffic you want to allow. When the usage count of the "permit any any" rule stops increasing, or all the remaining traffic is something you hat...
I wouldn't think that expired certificates would cause a problem, but have no experience of that; I tend to install new certificates, update all the statements using them, then delete the old ones. Usually before they expire.
So now you want to be running firmware new enough that it copes well with DHCPv6 prefix delegation. Upstream (cox.net?) will be sending you ICMPv6 router advertisements (RA), which will probably have the "managed configuration" flag on, meaning you ...
Q1) Should I allow these Time Exceeded messages?
Probably; I do.
Q2) Are there any ICMP types that should be denied, for security reasons, like allowing external hosts to probe for topology, hosts or alike?
For proper operation of your interne...