Archive for September, 2008



How to recover the password on a Cisco PIX firewall

Friday 26 September 2008 @ 2:49 pm

There are going to be several situations where you or a customer of yours may forget the password of a Cisco PIX firewall appliance. The following procedure will show you step by step how to recover the lost password. This works for all PIX models running versions 6.x.

What you will need:




ASA Firewall Active-Standby interface configuration

Friday 26 September 2008 @ 12:50 pm

Question:

Hello. I have just implemented an ASA Active/Standby (A/S) failover configuration, and the config has successfully transferred to the standby unit.

However, I am not sure of the “best practice” for handling the management interface configuration.

Issue: Once the config transferred to the standby unit, the mgt interface now has the same IP address as the active unit mgt interface. What is the best method for maintaining separate IP addresses on these interfaces for remote management purposes without compromising the configs on each ASA (and ending the annoying console messages on the active unit too)?

Answer:

The way you do this is to configure the standby IP addresses for all of your interfaces on the Active unit. This is done with the 'standby' keyword. See example below:

ASA-Active-Unit(config-if)# ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2

The address used by the Standby interface must be in the same subnet as the Active address and cannot be in use anywhere else on your network.

Once you configure this on the Active unit, the configuration will be replicated down to the Standby unit so the changes will take effect (or you can use the 'write standby' command on the Active unit).

After the changes take effect, you can issue the 'show failover' command to see that the Active and Standby interfaces have different IP addresses.




Aironet 1242 AG Access Points dropping up and down

Wednesday 17 September 2008 @ 7:20 am

The following is taken from the Cisco NetPro discussion forum, regarding Cisco wireless access points which are dropping clients randomly. I thought it might interest someone, so I repost the issue here:

Problem:
I have anywhere from 5-20 access points drop up and down throughout the day out of a total of around 200. I am currently trying to go through and figure out why our access points are having so many issues and how I might be able to resolve them.

One of the logs that I commonly see is:

AP 'exp-p13', interface '802.11a' on Controller '10.2.192.25'. Channel changed to '44' from '60' due to 'None'. Interference Energy before update is '0' and after update is '0'. Noise before update is '0' and after update is '0'. Interference before update is '0' and after update is '0'.

Is there any way to determine what the cause of this is?

Controller Firmware: 4.2.130.0.
AP Model AIR-LAP1242AG-A-K9
IOS Version 12.4(10b)JA4

Solution:
Sounds like it’s just the Radio Resource Management (RRM) on the controller. You can disable this if it’s dropping clients. Go to the wireless tab, look on the left, and click on the 802.11a/n or 802.11b/g/n dropdown. Then click on the RRM dropdown, and click on Auto RF.

My advice is to change both power and channel assignment algorithms to “On Demand”. You can invoke them as needed to maintain an optimum network. By default, it automatically invokes the update every 10 minutes.




Using Interfaces with same security levels on Cisco ASA

Friday 12 September 2008 @ 5:48 am

Most Cisco ASA firewall models allow you to have a maximum number of VLANs greater than 100 (e.g. 150, 200, 250). Each Layer 2 VLAN on the ASA is essentially a different security zone, with its own Security Level number. As we know, security levels can range from 0 to 100 (i.e. we have 101 security levels). One obvious question arises here: how can we have, let's say, 150 VLANs on the firewall when we have only 101 possible security levels?

The answer is simple: We can have the same security level number on different interfaces / subinterfaces (security zones). This feature will allow us to have more than 101 communicating interfaces on the firewall.

By default, interfaces with the same security level cannot communicate with each other. To allow traffic to flow freely between interfaces with the same security level, use the following command:

ASA(config)# same-security-traffic permit inter-interface

This command also has a second form:
ASA(config)# same-security-traffic permit intra-interface

The last command above allows traffic to enter and exit the same interface, which by default is not allowed. This is useful in networks where the ASA firewall acts as the hub in a hub-and-spoke VPN topology, where spokes need to communicate with each other through the hub.
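As an added example (not code from any of the posts above), a small Python audit that applies the rules from the Active/Standby answer and from this post to an ASA running-config: every interface's standby address must exist, sit in the same subnet as the active address and not be used anywhere else, and interfaces that share a security level can only exchange traffic when same-security-traffic permit inter-interface is configured. The config excerpt, interface names and addresses are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed ASA running-config excerpt; names and addresses are invented for this example.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
interface GigabitEthernet0/2.10
 nameif dmz1
 security-level 50
 ip address 10.10.10.1 255.255.255.0 standby 10.10.20.2
interface GigabitEthernet0/2.20
 nameif dmz2
 security-level 50
 ip address 10.10.30.1 255.255.255.0
"""
IP_RE = re.compile(r"^ ip address (\S+) (\S+)(?: standby (\S+))?$")
def parse_interfaces(config):
    # Map each nameif to its security level and active/mask/standby addressing.
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = {"level": None, "active": None, "mask": None, "standby": None}
        elif cur is not None and line.startswith(" nameif "):
            ifaces[line.split()[1]] = cur
        elif cur is not None and line.startswith(" security-level "):
            cur["level"] = int(line.split()[1])
        elif cur is not None and (m := IP_RE.match(line)):
            cur["active"], cur["mask"], cur["standby"] = m.groups()
    return ifaces
def audit(config):
    # Standby must exist, lie in the active subnet and be unique; shared levels need inter-interface.
    ifaces, findings, in_use, by_level = parse_interfaces(config), [], defaultdict(list), defaultdict(list)
    for name, i in ifaces.items():
        by_level[i["level"]].append(name)
        if i["active"] and not i["standby"]:  # both failover units would share one address
            findings.append(f"{name}: no standby address")
        elif i["active"]:
            in_use[i["active"]].append(name)
            in_use[i["standby"]].append(name)
            net = ipaddress.ip_network(f"{i['active']}/{i['mask']}", strict=False)
            if ipaddress.ip_address(i["standby"]) not in net:
                findings.append(f"{name}: standby {i['standby']} outside {net}")
    findings += [f"{a}: used by {', '.join(n)}" for a, n in in_use.items() if len(n) > 1]
    if "same-security-traffic permit inter-interface" not in config:
        findings += [f"level {l} shared by {', '.join(n)}" for l, n in by_level.items() if len(n) > 1]
    return findings
```

Run it against the output of `show running-config` saved to a file; each finding is one interface or address that would produce the duplicate-IP symptom or the blocked same-level traffic described above.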



