Cisco ASA 9.4.1 PBR Configuration



Finally we have PBR on Cisco ASA’s!!

I normally don’t need this feature but we have a few clients with multiple connections and this now means I can do all the traffic control from an ASA without the needing to use a Cisco ISR.

This is straight forward to do in ASDM but I will explain how to do on CLI as its not very complicated and far quicker.

I am assuming you have two working internet connections already connected to the Cisco ASA. I have my normal default route set to Priority 1 and the 2nd connection set to 2.

First create the Access-List for the traffic you want to redirect. Below I have an ACL called PBR and Im interested in traffic coming from 4 servers:

CiscoASA5512X# sh access-list PBR
access-list PBR; 4 elements; name hash: 
access-list PBR line 1 extended permit ip host any
access-list PBR line 2 extended permit ip host any
access-list PBR line 3 extended permit ip host any
access-list PBR line 4 extended permit ip host any


Create the PBR like so:

route-map PBR permit 2
match ip address PBR
set ip next-hop recursive X.X.X.X
set interface DSL1

Note I have used “set ip next-hop recursive”. This is because I actually have a little Draytek 120 connected with an ADSL connection and if you do not use recursive you will get a match on the PBR but you will not get traffic to flow through the 2nd interface. This is because its not directly connected. Please see this link for more info (

If your connection is directly connected use “set ip next-hop X.X.X.X

Once you have the PBR created you just need to assign to the LAN or inside interface like so:

interface GigabitEthernet0/0
nameif LAN
security-level 100
ip address
policy-route route-map PBR

If I then run the packet-tracer you will see it exit out of the 2nd interface Successfully:

CiscoASA5512X# packet-tracer input LAN tcp 443 443


Phase: 3
Type: NAT
Result: ALLOW
nat (LAN,DSL1) after-auto source dynamic any interface
Additional Information:
Dynamic translate to X.X.X.X.X/23

input-interface: LAN
input-status: up
input-line-status: up
output-interface: DSL1
output-status: up
output-line-status: up
Action: allow


Please make sure you have a Dynamic NAT Configured for the 2nd interface (just in case you forget)


Splunk Cisco Centralized Reporting and PCI Compliance


Recently needed to look into multiple vendors for PCI Compliance and all the big players want in excess of £50k (RRP) to get an appliance to handle all the logs as the PCI Compliance requirements are quite demanding if you do these checks manually.

There are many SIEM solutions available however I was impressed with the free offering from Splunk which can be used to centralize secuirty data from multiple Cisco solutions.

A SIEM is a Security Information and Event Monitoring tool and its just a software solution to sorting information and able to identify and react to events.

Splunk have a extensive application library which has been developed by customers and Splunk engineers.

They seem to be staying current as they have support for Cisco ASA SourceFire which hasn’t long been released.

Below you can see a dashboard overview of Splunk for Cisco Security



You can go even deeper to find a breakdown of the traffic:


Here you can see a Firewall Event Search and you can bring up all information.




You can also do searches for Usernames or IP Addresses across multiple Cisco Devices to find all information in one place:



Here you can find the Cisco Security Suite so you can install into your Splunk installation:



Splunk Video for PCI Compliance and how it meets the requirements (worth a watch)

If you happen to have a team of developers as I do then it shouldn’t be too much work to customize for your system/setup.


Cisco ASA CX PRSM Next Generation IPS Configuration / Tweaking


Recently had an issue with the NGIPS module and my engineers were unable to find how to modify and finetune the IPS module as when you create the Object you seem to get basic settings like the below:


ASA CX PRSM –> Configurations –> Policies/Settings –> Intrusion Prevention:
NOTE: “Default NG IPS Module” cannot be edited so please create a custom one before you continue



To make changes you need to go to:

Components –> Objects –> Filter for “IPS” or whatever you may of called your custom IPS:

Highlight and Select “Edit Object”



You can also add Exception for specific threats (IBM Symphony example) below:

You can “allow and don’t monitor” or “allow and monitor”.



You can also adjust the sliding scale if you think the default values are too low:





Wireless Client frequent disconnects RLDP and/or Rogue Containment


Recently had an issue with a Cisco 5508 WLC where RLDP was enabled and the clients were complaining of being disconnected several times a day.


Jumped directly onto the AP via SSH and went through the logs and could see message’s like the following every 2/3 minutes:


*Oct 15 10:37:20.851: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Oct 15 10:37:34.983: %LWAPP-5-RLDP: RLDP stopped on slot 0.
*Oct 15 10:37:35.043: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Oct 15 10:37:35.287: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Oct 15 10:37:36.043: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Oct 15 10:37:36.279: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Oct 15 10:37:37.279: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Oct 15 10:39:14.483: %LWAPP-5-RLDP: RLDP started on slot 0.
*Oct 15 10:39:14.959: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Oct 15 10:39:14.999: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Oct 15 10:39:15.967: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Oct 15 10:39:15.987: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Oct 15 10:39:15.991: 000f.7de8.XXXX-no legacy rates; default to lowest CCK/OFDM rate
*Oct 15 10:39:16.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Oct 15 10:39:31.175: %LWAPP-5-RLDP: RLDP stopped on slot 0.
*Oct 15 10:39:31.235: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Oct 15 10:39:31.479: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Oct 15 10:39:32.235: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Oct 15 10:39:32.471: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Oct 15 10:39:33.471: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up


The Fix is too disable RLDP or enable only for MonitorOnly (Listen) APs:

If you go Security Tab –> Wireless Protection Policies –> Rogue Policies –> General

You will find the following setting:


Either mark for Disable or MonitorModeAPs

Enabling Audit logging on Cisco Router


Enabling Audit logging on Cisco Router

Enable logging on the Router:

Define logging level:
CiscoR1(config)#logging trap

Loggin to Cisco router via telnet or ssh(preferred)

Enter into Global configuration mode :
CiscoR1# conf t

Type archive to enter archive configuration mode:
CiscoR1(config)# archive

Enter into log config mode:
CiscoR1(config-archive)#log config

Enable archive logging:
CiscoR1(config-archive-log-cfg)#logging enable

Specifies the maximum number of entries retained in the configuration log:
CiscoR1(config-archive-log-cfg)#logging size < any number from 0-1000, default:100, recommended 500 >

Suppresses the display of password information in configuration log files:

Enables the sending of notifications of configuration changes to a remote syslog server.
CiscoR1(config-archive-log-cfg)#notify syslog

Exits to privileged EXEC mode.

Cisco ASA 5515 Next Gen – Active / Passive Failover Configuration Setup


Recently took delivery of 2 x Cisco 5515 ASA’s for one of my clients. Simple configuration guide for setting these up in an Active/Passive design.

Brief Overview:

Port0 = LAN
Port1-3 = NOT USED
Port 4 – Failover Link
Port 5 – WAN

Hardware on both ASA firewalls are identical
The same software versions are installed on both firewalls.
PRIMARY firewall is setup (not massively important as I did this project from scratch)

IP Address:
Main –
Standby –

Main –
Standby –

Cable directly connected on G0/4 on both ASA’s

LAN cable goes into our core switches and the WAN link is a dual link supplied by our supplier at the Datacentre.

Take backup of the Main firewall running config if you do not already. (copy run flash)

Primary Firewall

CiscoASA(config)# clear configure interface G0/4
CiscoASA(config)# int g0/4
CiscoASA(config-if)# no shut

CiscoASA(config)# interface g0/5
CiscoASA(config-if)# speed 100
CiscoASA(config-if)# duplex full
CiscoASA(config-if)# nameif Outside
CiscoASA(config-if)# security-level 0
CiscoASA(config-if)# ip address standby
CiscoASA(config-if)# interface g0/0
CiscoASA(config-if)# speed 100
CiscoASA(config-if)# duplex full
CiscoASA(config-if)# speed 100
CiscoASA(config-if)# duplex full
CiscoASA(config-if)# nameif Inside
CiscoASA(config-if)# security-level 100
CiscoASA(config-if)# ip address standby

CiscoASA(config)# failover lan interface LANFAIL GigabitEthernet0/4
CiscoASA(config)# failover interface ip LANFAIL standby

CiscoASA(config)# failover key 222333444

CiscoASA(config)# failover lan unit primary

CiscoASA(config)# failover

CiscoASA(config)# failover link failover GigabitEthernet0/4
CiscoASA(config)# wr

Secondary Firewall

Ensure Cabling correct on primary and secondary firewall

CiscoASA(config)# clear configure interface G0/4
CiscoASA(config)# int g0/4
CiscoASA(config-if)# no shut

CiscoASA(config)# failover lan interface LANFAIL GigabitEthernet0/4

CiscoASA(config)# failover interface ip LANFAIL standby

CiscoASA(config)# failover key 222333444

CiscoASA(config)# failover lan unit secondary

CiscoASA(config)# failover

You should see this on the console:

Detected an Active mate
Beginning configuration replication from mate.

CiscoASA# show failover

CiscoASA5515# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LANFAIL GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 05:54:13 GMT Sep 2 2014

The failover timers can be played with as they are a bit too safe so here is my recommendation:

CiscoASA(config)# failover poll 1 hol 3
CiscoASA(config)# failover poll interface 3
CiscoASA(config)# int g0/4
CiscoASA(config-if)# failover poll interface 3

Cisco 4G LTE Setup – EE UK Configuration


This was setup using a Cisco 1911 Router and the 4G Card (EHWIC-4G-LTE-G)

The EHWIC-4G-LTE-G actually turns up with the antennas and the extended cables for the Antennas which i am surprised at as normally Cisco charge extra.

This particular example the Sim Card was for the EE Network in the UK (Orange,T-Mobile,EE)

I thing to note always you cannot bridge the cellular interface if anyone is thinking of handing this off to a ASA or similar firewall you will need to double NAT. If anyone has found a way please do email or drop me a comment.

Below is just the selected bits of the config to get the connection working:

Router#(config)chat-script lte “” “AT!CALL1″ TIMEOUT 30 “OK”


controller Cellular 0/0


interface Cellular0/0/0

ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
async mode interactive

interface Dialer1
no ip address

ip nat inside source list 101 interface Cellular0/0/0 overload
ip route Cellular0/0/0


access-list 101 permit ip any
dialer-list 1 protocol ip permit

line 0/0/0
script dialer lte
modem InOut
no exec
rxspeed 100000000
txspeed 50000000





Cisco IOS Transparent Bridged Mode Inspection/ACL


Recently I needed to install a small Cisco 2811 Router in front on my Lync 2013 setup as the Mediation/FrontEnd server didnt like the 1:1 NAT and the Cisco IOS would either cause a 1 way audio or no call connection so I decided on this route.

I have a layer 2 switch which has the internet feed, Main Firewall feed and a feed going to port F0/0 on the 2811.

I basically am going to create a bridge between F0/0 and F0/1 and enable inspection and some access-lists in order to protect the SIP Trunk.

Create the Bridge Group:
Router(config)# bridge 1 irb
Router(config)# bridge 1 protocol ieee

Assign Interfaces to Bridge Group:
Router(config)# interface f0/0
Router(config-if)# bridge-group 1

Router(config)# interface f0/1
Router(config-if)# bridge-group 1

You can create the Bridge Virtual Interface but I haven’t

Router(config)# interface bvi 1
Router(config-if)# ip address
Router(config-if)# no shut

Router(config)# sh bridge group

Bridge Group 1 is running the IEEE compatible Spanning Tree protocol

Port 2 (FastEthernet0/0) of bridge group 1 is forwarding
Port 3 (FastEthernet0/1) of bridge group 1 is forwarding

Inspection Configuration

Router(config)#  ip inspect name LYNC-IN tcp
Router(config)#  ip inspect name LYNC-IN udp
Router(config)#  ip inspect name LYNC-IN icmp

Create ACL (permit ip any any is just for show put in what you need)

Router(config)# ip access-list extended LYNC-IN
Router(config-ext-nacl)# permit ip any any

My first draft ACL was like this as X.X.X.X is my SIP provider and I wanted to block 5060 tcp/udp from everywhere else.

Extended IP access list LYNC-IN
10 permit tcp host X.X.X.X any eq 5060 (179 matches)
20 permit udp host X.X.X.X any range 20000 60000 (8438 matches)
180 deny tcp any any eq 5060
181 deny udp any any eq 5060 (26 matches)
200 permit ip any any (475520 matches)

Now Apply to the Interface: (F0/0 is my external Interface)

interface FastEthernet0/0
no ip address
ip access-group LYNC-IN in
ip inspect LYNC-IN in
ip virtual-reassembly in
duplex auto
speed auto
bridge-group 1

interface FastEthernet0/1
description **WIZLYNC13 – Server**
no ip address
ip virtual-reassembly in
duplex auto
speed auto
bridge-group 1

I have used this example specifically to secure a Lync 2013 Mediation server but a Transparent IOS Firewall can be used for many purposed.





Cisco CME/CUCME SIP Trunk Configuration Guide/Setup


This is a quick post on how to configure a SIP trunk in CME as I have had a few emails now requesting it.

SIP trunk configuration is very simple as you only need to find a SIP Provider and in this example I use a company called OrbTalk (I am based in the UK)

All the configuration is done in SIP-UA under global configuration mode:

credentials username USERNAME password 0 PASSWORD realm orbtalk
authentication username USERNAME password 0 PASSWORD
no remote-party-id
retry invite 2
retry register 10
retry options 1
timers connect 100
registrar expires 1800

You can check the SIP registration status by using this command:

Show Sip-ua register status and it should show the following:

Cisco2901#show sip-ua register status
Line                                                                           peer                    expires(sec)           registered           P-Associ-URI
================================ ========== ============ ========== ============
USERNAME                                                                -1                      38                           yes

What you are looking for is registered = yes.

Although I have an expires of 1800 second Orbtalk have 60 seconds so we always go by the shortest time.

You then need a dial-peer, voice translation-rules and profile and you can start getting calls sent to the SIP provider.


Internal / External Call Forwarding Cisco CCME/CME Call Manager Express SIP Trunk


I have a client who has a Cisco 2921 Router running CCME and the simplest task would not work which is to call forward to a mobile phone.

When I say internal and external what I mean is the following two scenarios:


0207 888 8888 dials 0203 555 1007 this call forwards to 07540111222

We got this working by adding “calling-number local secondary” to the telephony-service.

But then internal call forwards would not work. Example:

Internal Extension 1010 dials 1007 this call forward to 07540111222 (we would just get a busy tone)

The problem was the SIP trunk provider was getting the SIP header information incorrect so I called Cisco TAC and this is the solution they came up with:

Create a new SIP Call Profile:

voice class sip-profiles 7
request INVITE sip-header Diversion copy “.*<sip:(.*)@.*” u01
request INVITE sip-header From copy “.*<sip:(.*)@.*” u02
request INVITE sip-header From modify “(.*)<sip:1…@(.*)” “\1<sip:44203555\u01@\2″
request INVITE sip-header From modify “(.*)<sip:0.*@(.*)” “\1<sip:\u01@\2″
request INVITE sip-header From modify “(.*)<sip:@(.*)” “\1<sip:\u02@\2″

New voice translation rules and profiles created like below:

voice translation-rule 20
rule 1 /\(^10..\)/ /44203555\1/

voice translation-rule 3
rule 2 /^999$/ /999/
rule 5 /^9\(.*\)/ /\1/

voice translation-profile SIPPrefix
translate calling 20
translate called 3

On the Dial-peer for outgoing calls reference this voice class:

dial-peer voice 3 voip
description **Outgoing Calls to Any Number **
translation-profile outgoing SIPPrefix
destination-pattern 9T
session protocol sipv2
session target sip-server
incoming called-number .
voice-class sip profiles 7
dtmf-relay rtp-nte
codec g711ulaw
no vad

I don’t yet fully understand the logic for the above as I have never written anything like this but as far as I can tell u01 and u02 are used for storing variables.

The logic behind this is the call-forwarding number has to start with 0 and can be any number of digits (look at the line below)
request INVITE sip-header From modify “(.*)<sip:0.*@(.*)” “\1<sip:\u01@\2″

The last line is for normal outgoing calls to allow anything as normal.

Once I research into this some more ill write up a deeper explanation.

Go to Top