Cisco ASAv on ESXi Standalone

Cisco released their new ASAv virtual appliance, an updated virtual offering for the ASA platform. I suspect at least part of the driver for this is their work on Cisco Modeling Labs, a new tool to help build and simulate environments.

The ASAv copes well in terms of performance and allows for yet more physical devices to be virtualized, however it only supports VMware environments that make use of vCenter. This leaves those wishing to use the ASAv for their learning, or testing having to setup vCenter. For home labs this is going to eat up more memory and discourage some. Thankfully working around this if fairly straightforward if you have access to a vCenter environment to import and then export the VM from.
Continue reading Cisco ASAv on ESXi Standalone

How To – Enable Wake On Lan using a Cisco ASA

I wrote instructions for how to configure Wake On Lan forwarding using a Cisco IOS device, this article will focus on how to configure a Cisco ASA firewall.

Wake On LAN is an Ethernet standard that allows for a device to be powered on when receiving a specially crafted “magic packet”. The “magic packet” is a broadcast frame consisting of 6 bytes of 255 (FF FF FF FF FF FF) followed by sixteen repetitions of the 48-bit MAC address. Turned off computers receiving the broadcast don’t actually process the message up the protocol stack, they are just looking out for a matching 102-byte string.

From what I can tell, unlike Cisco IOS the ASA doesn’t support “IP Directed Broadcasts”, likely to prevent Smurf Attacks. However with some clever NAT rules it’s possible to achieve something similar by using NAT to translate the inbound unicast packet and send it on to the broadcast address for your internal subnet.
Continue reading How To – Enable Wake On Lan using a Cisco ASA

Cisco ASA NAT problems with TCP Port 2000

I came across a somewhat unusual issue earlier this week whilst trying to setup a NAT entry to forward HTTP traffic over port 2000. The firewalls being used were a pair of Cisco ASA 5505s. The relevant configuration was pretty straightforward:

object-group service AllowedPorts
 service-object tcp eq 2000 
access-list outside-in extended permit object-group AllowedPorts any host 1.1.1.1

When trying to pass HTTP traffic to 1.1.1.1 over port 2000, the TCP connection would establish and eventually a TCP RST would be received. But no data would actually be transferred. Running the service on a port other than 2000 worked fine.
Continue reading Cisco ASA NAT problems with TCP Port 2000