policy-map type inspect esmtp tls-esmtp
  parameters
    allow-tls
    no mask-banner     !! may only be required if you notice issues related to the banner

policy-map global_policy
  class inspection_default
    no inspect esmtp
    inspect esmtp tls-esmtp

[ # ]

!! Enable the performance monitoring
asdm history enable

!! View data
show asdm history feature <all|blocks|cpu|failover|ids|interface|memory|perfmon|sas|tunnels|xlates>
show asdm history view <10m|60m|12h|5d|all> feature <all|blocks|cpu|failover|ids|interface|memory|perfmon|sas|tunnels|xlates>

Notes:

  • Omit the `feature` keyword to view ALL performance data

[ # ]

show eigrp topology
show eigrp neighbors
debug eigrp neighbor
debug eigrp fsm

[ # ]

router eigrp <as-num>  !! AS number must match on all neighbors
 no auto-summary
 eigrp router-id 10.0.150.3  !! Router ID that identifies this EIGRP process; by convention set to an interface IP
 redistribute static  !! redistribute static routes; attach a route-map so that not ALL statics are redistributed
 network 10.0.150.0 255.255.255.0   !! Directly connected network
 network 4.2.2.128 255.255.255.248  !! Directly connected network
 exit

!! configure static routes via the interface/next-hop you want to monitor; when that interface goes down the routes are withdrawn and stop being advertised
route <int-to-watch> <network-to-advertise> <subnet> <ip-of-int-to-watch>

[ # ]

access-list no_inspect_ESMTP deny tcp <source> <destination> eq 25
access-list no_inspect_ESMTP permit tcp any any eq 25

class-map no_inspect_ESMTP
 match access-list no_inspect_ESMTP
 exit

policy-map global_policy
 class no_inspect_ESMTP
  inspect ESMTP
  exit
 class inspection_default
  no inspect esmtp
  exit

Notes:

  • The final ACE must be specific to TCP port 25 (`permit tcp any any eq 25`), not `ip`. With `permit ip any any`, every flow matched by the class goes through ESMTP inspection and non-mail traffic will break.
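An added example (not part of the original cheat sheet): a small Python linter that checks an ASA config fragment for the bypass pattern above, enforcing the note's rule that the catch-all ACE is `permit tcp ... eq 25` rather than `ip`, and that `inspection_default` no longer inspects ESMTP. The embedded sample config is constructed; the host addresses are stand-ins for the `<source>`/`<destination>` placeholders.

```python
SAMPLE_CFG = """
access-list no_inspect_ESMTP deny tcp host 10.0.0.5 host 192.0.2.25 eq 25
access-list no_inspect_ESMTP permit tcp any any eq 25
policy-map global_policy
 class no_inspect_ESMTP
  inspect esmtp
 class inspection_default
  no inspect esmtp
"""  # constructed sample; 10.0.0.5 / 192.0.2.25 stand in for <source>/<destination>

def parse_acls(cfg):
    """Group access-list entries (ACEs) by ACL name, preserving order."""
    acls = {}
    for line in cfg.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] == "access-list":
            port = t[t.index("eq") + 1] if "eq" in t[:-1] else None
            acls.setdefault(t[1], []).append(
                {"action": t[2], "proto": t[3], "port": port, "line": line.strip()})
    return acls

def parse_policy(cfg, policy="global_policy"):
    """Map each class under the named policy-map to its lower-cased action lines."""
    classes, cur_policy, cur_class = {}, None, None
    for t in filter(None, map(str.split, cfg.splitlines())):
        if t[0] == "policy-map":  # last token is the map name
            cur_policy, cur_class = t[-1], None
        elif cur_policy == policy and t[0] == "class" and len(t) > 1:
            cur_class, classes[t[1]] = t[1], []
        elif cur_policy == policy and cur_class:
            classes[cur_class].append(" ".join(t).lower())
    return classes

def lint_esmtp_bypass(cfg, acl="no_inspect_ESMTP"):
    """Return findings for the ESMTP bypass pattern; an empty list means it is sound."""
    aces = parse_acls(cfg).get(acl)
    if not aces:
        return [f"ACL {acl} not found"]
    findings, last = [], aces[-1]
    # The catch-all ACE must match only TCP/25: a trailing 'permit ip any any'
    # would push every flow through ESMTP inspection and break non-mail traffic.
    if not (last["action"] == "permit" and last["proto"] == "tcp"
            and last["port"] in ("25", "smtp")):
        findings.append(f"last ACE must be 'permit tcp any any eq 25', got: {last['line']}")
    classes = parse_policy(cfg)
    if "inspect esmtp" not in classes.get(acl, []):
        findings.append(f"class {acl} must contain 'inspect esmtp'")
    if "no inspect esmtp" not in classes.get("inspection_default", []):
        findings.append("inspection_default must contain 'no inspect esmtp'")
    return findings
```

Run `lint_esmtp_bypass(open("running-config.txt").read())` against a saved `show running-config` and an empty list means the bypass is wired up as the section describes.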

[ # ]

access-list <ACL Name> permit <protocol> <host> <host> eq <port> inactive

Notes:

  • This overwrites the matching ACL entry (ACE), if it already exists
  • Re-issue the same access-list command without `inactive` to enable the entry again

[ # ]

prompt hostname state

[ # ]

failover exec mate <command>

[ # ]

!! Most SPLAT Devices
echo "<NAT-IP> <Physical-Interface-MAC-Address>" >> $FWDIR/conf/local.arp

!! SPLAT Devices with VMAC mode enabled
echo "<NAT-IP> <Virtual-MAC-Address> <Physical-Int-IP>" >> $FWDIR/conf/local.arp

Notes:

  • Automatic NAT rules normally do not need a manual proxy ARP entry. Make sure "Merge manual proxy ARP configuration" is enabled under Global Properties -> NAT, otherwise local.arp entries are ignored

[ # ]

cphaprob -d problem -s problem report  !! Run on the active member to report a problem state and force a failover
cphaprob -d problem unregister         !! Remove the reported problem again

Notes:

  • The proper place to control failover is the cluster policy; this method is only for temporary failover. Once the problem is removed, the cluster will most likely fail back unless the configuration has been updated.

[ # ]