Cisco ASA iPhone VPN Config

I recently purchased a shiny new iPhone 3G and wanted to be able to connect back to my house where I have a Cisco ASA 5505.  I have noticed a lot of questions about how to get this to work, so here it is…



MSS Exceeded Workaround

After installing a new ASA 5520, I noticed that a few websites were loading very slowly or not at all. The problem seemed to be very intermittent, but reproducible by revisiting the websites at any time of the day. Browsing to the site from outside of the firewall showed the site to be responsive.

I started to watch the live log while browsing to the site and noticed packets being dropped. The log read:

Dropping TCP packet from outside: to inside: , reason: MSS exceeded, MSS 1260, data 1460

Apparently, this is a new security feature in the 7.0+ code for the ASA. Normally, the client and server each advertise their MSS (Maximum Segment Size) while establishing the TCP connection. Once this occurs, neither the client nor the server should send a segment larger than its peer's MSS. However, some HTTP servers ignore the advertised MSS and send segments that are too large, and the ASA therefore drops them.

The workaround for this is to allow the firewall to pass the packets whose data exceeds the MSS. Let's say the IP address of the server causing the problems is . First, create an access-list matching any host accessing that server.

access-list MSS_Exceeded_ACL permit tcp any host

Next, create a tcp-map that allows segments exceeding the MSS, and a class map that matches the access-list. On the ASA the tcp-map option is written exceeded-mss (with a hyphen):

tcp-map mss-map
exceeded-mss allow
class-map MSS_Exceeded_MAP
match access-list MSS_Exceeded_ACL

Create the policy map.

policy-map MSS_Exceeded_MAP
class MSS_Exceeded_MAP
set connection advanced-options mss-map

Apply the map to the outside interface.

service-policy MSS_Exceeded_MAP interface outside

If there is more than one site, just add the additional sites to the MSS_Exceeded_ACL access list or change it to allow all sites.

access-list MSS_Exceeded_ACL permit tcp any any

For more information about MSS and logging these events, check out the document from Cisco.
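Before widening the access-list to "any any", it is worth knowing which servers are actually tripping the check. The script below is an added example, not part of the original post: it parses ASA "MSS exceeded" drop messages (assuming the syslog 419001 layout "from <ifc>:<ip>/<port> to <ifc>:<ip>/<port>, reason: MSS exceeded, MSS <n>, data <n>", which the post shows only with the addresses stripped), counts repeat offenders per server and port, and emits one narrow ACE per offender. The log lines are constructed samples.

```python
"""Summarise ASA 'MSS exceeded' drops and propose a narrow exception ACL.

Added example, not the post's own tooling. The message layout below is an
assumption based on the post's log excerpt; the sample lines are constructed.
"""
import re
from collections import Counter

# Assumed layout of ASA syslog 419001, e.g.
#   Dropping TCP packet from outside:A.B.C.D/80 to inside:W.X.Y.Z/51514,
#   reason: MSS exceeded, MSS 1260, data 1460
MSS_DROP = re.compile(
    r"Dropping TCP packet from (?P<src_ifc>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_ifc>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "%ASA-4-419001: Dropping TCP packet from outside:203.0.113.10/80 to inside:192.168.1.20/51514, "
    "reason: MSS exceeded, MSS 1260, data 1460",
    "%ASA-4-419001: Dropping TCP packet from outside:203.0.113.10/80 to inside:192.168.1.21/51630, "
    "reason: MSS exceeded, MSS 1260, data 1460",
    "%ASA-4-419001: Dropping TCP packet from outside:198.51.100.7/443 to inside:192.168.1.20/51700, "
    "reason: MSS exceeded, MSS 1260, data 1400",
    "%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/80 to "
    "inside:192.168.1.20/51514 duration 0:00:10 bytes 1024 TCP FINs",
]


def parse_mss_drops(lines):
    """Return one dict per line that is an MSS-exceeded drop; other lines are skipped."""
    drops = []
    for line in lines:
        m = MSS_DROP.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("src_port", "dst_port", "mss", "data"):
            d[key] = int(d[key])
        drops.append(d)
    return drops


def offending_servers(drops, min_hits=2):
    """Count drops per (server ip, server port) for segments sent by the outside peer.

    Only servers seen at least min_hits times are returned, so a single stray
    oversized segment does not earn a permanent exception in the policy.
    """
    counts = Counter(
        (d["src_ip"], d["src_port"]) for d in drops if d["src_ifc"] == "outside"
    )
    return {server: n for server, n in counts.items() if n >= min_hits}


def exception_acl(servers, acl_name="MSS_Exceeded_ACL"):
    """Emit one ACE per offending server and port.

    The ACE matches the client-to-server connection (any source, the server as
    destination), which is what the class-map's 'match access-list' evaluates.
    This is the narrow alternative to the post's 'permit tcp any any' fallback.
    """
    return [
        f"access-list {acl_name} permit tcp any host {ip} eq {port}"
        for ip, port in sorted(servers)
    ]


if __name__ == "__main__":
    drops = parse_mss_drops(SAMPLE_LOG)
    for d in drops:
        print(f"{d['src_ip']}:{d['src_port']} exceeded MSS by {d['data'] - d['mss']} bytes")
    for ace in exception_acl(offending_servers(drops)):
        print(ace)
```

Run it against the output of "show logging" filtered on 419001 and paste the resulting ACEs into the MSS_Exceeded_ACL; the tcp-map then applies only to the connections that need it, and the rest of the traffic keeps the MSS check.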


Configure SSH Access on an ASA

If you have recently tried to set up SSH access on a new ASA, it might not have worked the way you wanted. That is because the RSA keys need to be generated first. To do that:

asa(config)# crypto key generate rsa
INFO: The name for the keys will be:
Keypair generation process begin. Please wait…

And then configure SSH to be allowed from the inside interface:

ssh inside

Now you will be able to log in using the default username and password of pix/cisco, or you can configure AAA and set up your own usernames. Doing this will make the pix username no longer work for SSH.

First, a username needs to be created:

username cisco password c1sc0

And then configure AAA:

aaa authentication ssh console LOCAL
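The point worth checking afterwards is the one the post makes in passing: until "aaa authentication ssh console LOCAL" is in place, the default pix/cisco login is accepted on whatever interface SSH is permitted on. The audit below is an added example, not part of the original post; it reads a running-config excerpt (assuming the standard "ssh <network> <mask> <interface>" form, whose address arguments the post shows stripped) and reports SSH permitted outside the inside interface, an any-source SSH line, and a missing AAA statement. The config texts are constructed.

```python
"""Audit an ASA running-config excerpt for the SSH points raised in the post.

Added example, not the post's own tooling. It assumes the 'ssh <net> <mask>
<ifc>' and 'aaa authentication ssh console <server>' line forms; the config
excerpts below are constructed.
"""
import re

SSH_LINE = re.compile(r"^ssh\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+(?P<ifc>\S+)$")
AAA_SSH = re.compile(r"^aaa authentication ssh console\s+(?P<server>\S+)")

# Constructed: SSH reachable from anywhere on the outside, no AAA configured,
# so the default pix/cisco login still works.
WEAK_CONFIG = """
hostname asa
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""

# Constructed: the post's recommended end state.
GOOD_CONFIG = """
hostname asa
username cisco password c1sc0
ssh 192.168.1.0 255.255.255.0 inside
aaa authentication ssh console LOCAL
"""


def audit_ssh(config_text, allowed_ifcs=("inside",)):
    """Return a list of finding strings; an empty list means no issue found."""
    findings = []
    ssh_lines = []
    aaa_server = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SSH_LINE.match(line)
        if m:
            ssh_lines.append(m.groupdict())
            continue
        m = AAA_SSH.match(line)
        if m:
            aaa_server = m.group("server")

    if not ssh_lines:
        findings.append("no 'ssh <net> <mask> <ifc>' line: SSH is not permitted from anywhere")
    for s in ssh_lines:
        if s["ifc"] not in allowed_ifcs:
            findings.append(f"ssh permitted on interface {s['ifc']} (expected one of {allowed_ifcs})")
        if s["net"] == "0.0.0.0" and s["mask"] == "0.0.0.0":
            findings.append(f"ssh 0.0.0.0 0.0.0.0 {s['ifc']}: any source may connect; narrow the network")
    if aaa_server is None:
        findings.append(
            "no 'aaa authentication ssh console' line: the default pix/cisco login is still accepted"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(f"{name}: {audit_ssh(cfg) or ['ok']}")
```

Feed it the output of "show running-config" and it flags the three conditions above; "ssh timeout" and similar lines are ignored because they do not match the address form.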



Unable to download NAT policy for ACE

I was working on an ASA config and ran into an interesting error. I needed to not perform NAT on the traffic from the inside LAN to the DMZ. I configured an access-list:

access-list InsideNoNAT_ACL extended permit ip
access-list InsideNoNAT_ACL extended permit ip
access-list InsideNoNAT_ACL extended permit ip
access-list InsideNoNAT_ACL extended permit ip

And then specified to not perform NAT:

nat (inside) 0 access-list InsideNoNAT_ACL
nat (inside) 1

I then needed to add another line to the InsideNoNAT_ACL, and that is where I received the error.

(config)#access-list InsideNoNAT_ACL permit
Unable to download NAT policy for ACE

All this error message means is that the new line was added to the access-list but not to the active NAT table. Upon doing some searching, I read in several places that a reboot fixed the problem. While this is true, it is not necessary. All that needs to be done is to remove and reapply the nat statement.

(config)#no nat (inside) 0 access-list InsideNoNAT_ACL
(config)#nat (inside) 0 access-list InsideNoNAT_ACL

This rebuilds the NAT rules and applies all rules in the ACL. Much better than a reload!


Cisco ASA and ICMP Configurations

As I am sure many of you who have ever worked with a Cisco firewall know, ICMP is not allowed through the firewall by default. If you are just configuring the device, this can make it very difficult to troubleshoot connectivity issues. Thankfully, there are several ways to get around this.

Solution 1: Use access-lists to allow pings from inside/DMZ to the outside.
To allow pinging from the inside to the outside interfaces, you will need to configure an access-list for the outside interface.

access-list OUTSIDE_IN_ACL permit icmp any any echo-reply

Then apply the access-list to the outside interface.

access-group OUTSIDE_IN_ACL in interface outside

This will allow only ping. If you would like to allow traceroute, you will also need to allow time-exceeded.

access-list OUTSIDE_IN_ACL permit icmp any any time-exceeded
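The reason Solution 1 is safe to apply on the outside interface is that it permits only the reply types (echo-reply, time-exceeded) that inside hosts' pings and traceroutes generate, while an inbound echo request still hits the implicit deny at the end of the list. The small evaluator below is an added example, not part of the original post: it parses the two ACEs above, applies first-match semantics with an implicit deny, and contrasts them with an over-broad "permit icmp any any". It models only the "any any" source/destination form the post uses; the packets are constructed.

```python
"""Evaluate inbound ICMP types against the OUTSIDE_IN_ACL from Solution 1.

Added example, not the post's own tooling. It models first-match ACL
semantics with an implicit deny for 'any any' entries only; it is not the
ASA's full inspection engine. ACL texts and packets below are constructed.
"""
import re

ACE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+icmp\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?:\s+(?P<type>[\w-]+))?$"
)

# ICMP type names the ASA accepts that matter for ping and traceroute.
ICMP_TYPES = ("echo", "echo-reply", "time-exceeded", "unreachable")

# The post's Solution 1, as applied inbound on the outside interface.
SOLUTION_1 = """
access-list OUTSIDE_IN_ACL permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL permit icmp any any time-exceeded
"""

# Constructed over-broad variant for comparison.
WIDE_OPEN = "access-list OUTSIDE_IN_ACL permit icmp any any\n"


def parse_acl(config_text, name):
    """Return (action, src, dst, icmp_type) tuples for the ICMP ACEs of one ACL, in order."""
    entries = []
    for line in config_text.splitlines():
        m = ACE.match(line.strip())
        if m and m.group("name") == name:
            entries.append((m.group("action"), m.group("src"), m.group("dst"), m.group("type")))
    return entries


def evaluate(entries, icmp_type):
    """First matching ACE wins; no match falls through to the implicit deny.

    Only 'any any' entries are modelled; an ACE with a specific source or
    destination is treated as not matching, which is the conservative choice.
    """
    for action, src, dst, ace_type in entries:
        if src != "any" or dst != "any":
            continue
        if ace_type is None or ace_type == icmp_type:
            return action
    return "deny"


def inbound_exposure(entries):
    """List the ICMP types from ICMP_TYPES that the ACL lets in from the outside."""
    return [t for t in ICMP_TYPES if evaluate(entries, t) == "permit"]


if __name__ == "__main__":
    for label, text in (("solution 1", SOLUTION_1), ("wide open", WIDE_OPEN)):
        entries = parse_acl(text, "OUTSIDE_IN_ACL")
        print(f"{label}: inbound permits {inbound_exposure(entries)}")
```

With Solution 1 the inside host's ping and traceroute replies get back in, and an outside host's echo request is still denied; with the wide-open line every ICMP type is reachable from the Internet, which is the configuration to avoid.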

Solution 2: Use access-lists to allow ping and traceroute from the Internet to your DMZ/inside servers.
To do this, we are going to build off of what we did above, so you should already have this in the config.



Cisco IOS to CatOS Etherchannel Configuration

Here are the relevant parts of the configuration to set up an EtherChannel between an IOS device and a CatOS device. First, let's start with the CatOS device, in this case a 6509. We will be using ports 3/9 and 3/10.

We first need to set the ports we want to use to be a trunk. Here we are forcing dot1q.

6509#set trunk 3/1-2 nonegotiate dot1q

Now we need to set up the port channel. The member ports will act as one logical link, aggregating their bandwidth.

6509#set port channel 3/9-10

Note: There is an option at the end of this command to specify the admin group. This is how the CatOS groups the ports. If you do not specify the admin group, the CatOS will automatically assign one. This is something to watch out for if you set each port separately.
