Sunday, December 6, 2020

Configure Cisco AnyConnect in ASA Multiple Context Mode

I tried the popular Beef Wellington (English meat pie) at Bread Street Kitchen Marina Bay Sands, which is owned by celebrity chef Gordon Ramsay. The dining experience was nice and had free bread while waiting for my order. The serving was generous and the meat was very tender (ordered medium rare). I strolled around Gardens by the Bay afterwards and noticed most of the attractions such as the Floral Fantasy, Flower Dome and Supertree Skyway would need pre-purchased online tickets (no more walk-ins) due to COVID-19 crowd control and physical distancing.

 




You'll first need to apply the AnyConnect Apex license (SKU/part number L-AC-APX-LIC=) under the System context; it is a term-based 1-, 3- or 5-year subscription. The Apex license takes effect immediately and doesn't require a reboot. Also note the Total VPN Peers supported on the specific platform (in this case, 2500 maximum VPN sessions).

You can't use the default AnyConnect Premium Peers license in multiple context mode: the ASA displays an error stating that an Apex license is required.

 

ciscoasa/pri/act(config)# class AnyConnect
ciscoasa/pri/act(config-class)# limit-resource VPN AnyConnect 4
WARNING: Multi-mode remote access VPN support requires an AnyConnect Apex license

 

ciscoasa/pri/act/admin# changeto system
ciscoasa/pri/act# show version

<OUTPUT TRUNCATED>

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 300            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 10             perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual   // ANYCONNECT APEX LICENSE
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 2500           perpetual
Total VPN Peers                   : 2500           perpetual   // TOTAL VPN SESSION SUPPORTED ON THE PLATFORM
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5545 VPN Premium license.

Failover cluster licensed features for this platform:   // ACTIVE-STANDBY FAILOVER PAIR
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 300            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 12             perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual   // 2x FROM ACTIVE FW + 2x FROM STANDBY FW
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 2500           perpetual
Total VPN Peers                   : 2500           perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual

This platform has an ASA5545 VPN Premium license.

<OUTPUT TRUNCATED>

 

 

ciscoasa/pri/act# configure terminal
ciscoasa/pri/act(config)# activation-key 1c05d652 e83add97 3573e568 dcfc1234 07335678
Validating activation key. This may take a few minutes...
Both Running and Flash permanent activation key was updated with the requested key.
ciscoasa/pri/act(config)#
ciscoasa/pri/act(config)# show version

<OUTPUT TRUNCATED>

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 300            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 10             perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2500           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 2500           perpetual
Total VPN Peers                   : 2500           perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5545 VPN Premium license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 300            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 12             perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2500           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 2500           perpetual
Total VPN Peers                   : 2500           perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual

This platform has an ASA5545 VPN Premium license.

<OUTPUT TRUNCATED>

 

 

Create a VPN resource class and allocate the number of AnyConnect licenses to it under the System context. You can divide the AnyConnect resource among several resource classes, but make sure their combined total equals the maximum VPN count the platform supports. Since this is the only context using AnyConnect, I gave it the full 2500 count with a burst of up to 1500.

 

ciscoasa/pri/act(config)# class AnyConnect
ciscoasa/pri/act(config-class)# limit-resource VPN ?

class mode commands/options:
  AnyConnect  AnyConnect Premium license limit. These are guaranteed for a
              context and shouldn't exceed the system capacity when combined
              across all contexts.
  Burst       Burst limit over the configured limit. This burst limit is not
              guaranteed. The context may take this resource if it is available
              on the device at run time.
  Other       Other VPN sessions which include Site-to-Site, IKEv1 RA and L2tp
              Sessions. These are guaranteed for a context and shouldn't exceed
              the system capacity when combined across all contexts.
  ikev1       Configure IKEv1 specific resources.

ciscoasa/pri/act(config-class)# limit-resource VPN AnyConnect ?

class mode commands/options:
  WORD  Value of resource limit (in <value> or <value>%)

ciscoasa/pri/act(config-class)# limit-resource VPN AnyConnect 2500
ciscoasa/pri/act(config-class)# limit-resource VPN Burst AnyConnect 1500
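As an added example (Python, not part of the original post), the following script parses the licence lines of show version and the resource-class configuration from the System context, resolves both the plain and the <value>% form of the limit, and checks that the guaranteed AnyConnect limits summed across all classes do not exceed the licensed capacity, which is the rule the CLI help text above states. Burst limits are left out of the sum because the help text says they are not guaranteed. The licence values are those from the post; the second class named Branch and its percentage limit are constructed for illustration.

```python
"""Added example (not from the original post): check that the guaranteed
AnyConnect allocations across ASA resource classes stay within the platform's
licensed capacity, using the 'show version' and 'limit-resource' syntax shown
in the post. Sample inputs are constructed from the values in the post."""
import re
from typing import Dict, Tuple

# Constructed sample: the licence lines of 'show version' after the Apex key.
SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
AnyConnect Premium Peers          : 2500           perpetual
Other VPN Peers                   : 2500           perpetual
Total VPN Peers                   : 2500           perpetual
"""

# Constructed sample: resource classes in the system context. 'Branch' is a
# hypothetical second class that uses the '<value>%' form from the CLI help.
SYSTEM_CLASSES = """\
class AnyConnect
  limit-resource VPN AnyConnect 2500
  limit-resource VPN Burst AnyConnect 1500
class Branch
  limit-resource VPN AnyConnect 10%
"""

PEERS_LINE = re.compile(r"^(.+?Peers)\s*:\s*(\d+)\s", re.MULTILINE)


def parse_licensed_peers(text: str) -> Dict[str, int]:
    """Return the numeric '... Peers' counters from 'show version' by name."""
    return {m.group(1).strip(): int(m.group(2)) for m in PEERS_LINE.finditer(text)}


def parse_anyconnect_limits(text: str) -> Dict[str, Tuple[str, str]]:
    """Map class name -> (guaranteed AnyConnect limit, burst limit) as typed."""
    classes: Dict[str, Tuple[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("class "):
            current = line.split()[1]
            classes[current] = ("0", "0")
        elif current and line.startswith("limit-resource VPN Burst AnyConnect "):
            classes[current] = (classes[current][0], line.split()[-1])
        elif current and line.startswith("limit-resource VPN AnyConnect "):
            classes[current] = (line.split()[-1], classes[current][1])
    return classes


def to_sessions(value: str, capacity: int) -> int:
    """Resolve '<value>' or '<value>%' (percent of capacity) to a session count."""
    if value.endswith("%"):
        return capacity * int(value[:-1]) // 100
    return int(value)


def check_allocation(show_version: str, classes_text: str) -> dict:
    """Sum the guaranteed limits (burst is not guaranteed, so it is excluded)
    and compare them with the smaller of the AnyConnect and Total VPN peer
    licences, which is what the platform can actually serve."""
    peers = parse_licensed_peers(show_version)
    capacity = min(peers["AnyConnect Premium Peers"], peers["Total VPN Peers"])
    per_class = {
        name: to_sessions(guaranteed, capacity)
        for name, (guaranteed, _burst) in parse_anyconnect_limits(classes_text).items()
    }
    guaranteed_total = sum(per_class.values())
    return {
        "capacity": capacity,
        "per_class": per_class,
        "guaranteed_total": guaranteed_total,
        "over_by": max(0, guaranteed_total - capacity),
        "ok": guaranteed_total <= capacity,
    }


if __name__ == "__main__":
    report = check_allocation(SHOW_VERSION, SYSTEM_CLASSES)
    for name, count in report["per_class"].items():
        print(f"class {name:<12} guaranteed AnyConnect sessions: {count}")
    verdict = "OK" if report["ok"] else f"OVER by {report['over_by']}"
    print(f"total {report['guaranteed_total']} of {report['capacity']} licensed: {verdict}")
```

With the constructed Branch class the guaranteed total comes to 2750 against 2500 licensed, so the script reports an over-allocation of 250; with only the AnyConnect class from the post it passes.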

 

 

Create a new directory (I named it shared). Configure the new context to point to this new storage and add it as a member of the AnyConnect resource class, all under the System context.

 

ciscoasa/pri/act(config)# mkdir shared
Create directory filename [shared]?
Created dir disk0:/shared
ciscoasa/pri/act(config)# context RA-VPN
Creating context 'RA-VPN'... Done. (1)
ciscoasa/pri/act(config-ctx)# member AnyConnect
ciscoasa/pri/act(config-ctx)#  description FOR ANYCONNECT RA VPN
ciscoasa/pri/act(config-ctx)#  allocate-interface GigabitEthernet0/0
ciscoasa/pri/act(config-ctx)#  allocate-interface GigabitEthernet0/1.50
ciscoasa/pri/act(config-ctx)#  config-url disk0:/RA-VPN.cfg
WARNING: Could not fetch the URL disk0:/RA-VPN.cfg
INFO: Creating context with default config
ciscoasa/pri/act(config-ctx)# storage-url shared disk0:/shared shared

 

 

Transfer the AnyConnect image from the main flash/disk0 space to the new shared directory.

 

ciscoasa/pri/act(config)# copy disk0:/anyconnect-win-4.8.03052-webdeploy-k9.pkg disk0:/shared
Source filename [anyconnect-win-4.8.03052-webdeploy-k9.pkg]?
Destination filename [/shared/anyconnect-win-4.8.03052-webdeploy-k9.pkg]?
Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

<OUTPUT TRUNCATED>

ciscoasa/pri/act(config)# dir shared/
Directory of disk0:/shared/
107    -rwx  72771616     01:56:18 Oct 27 2020  anyconnect-win-4.8.03052-webdeploy-k9.pkg

 

 

Configure AnyConnect (webvpn) and the rest of the configuration inside the new context.

 

ciscoasa/pri/act(config)# changeto context RA-VPN

ciscoasa/pri/act/RA-VPN(config)# webvpn

ciscoasa/pri/act/RA-VPN(config-webvpn)# enable outside

ciscoasa/pri/act/RA-VPN(config-webvpn)# anyconnect enable

ciscoasa/pri/act/RA-VPN(config-webvpn)# anyconnect image shared:/anyconnect-win-4.8.03052-webdeploy-k9.pkg 1


Sunday, October 4, 2020

Cisco ASA Firewall 'no-proxy-arp' Command

I was troubleshooting a context-based (multiple mode) Cisco ASA Firewall and noticed the upstream Internet edge router had duplicate ARP entries (the same MAC address for several IP addresses) coming from the ASA context "outside" interfaces. This caused the traffic on some downstream devices to be intermittent or unstable. I initially thought it was a software bug since I had recently upgraded the ASA version, but most of the time an issue or an outage is caused by a recent configuration change.

I discovered that one of the newly created ASA contexts had an identity NAT from "all source" to "all destination" misconfigured by one of the admins (scary command!). I suspect it was configured that way because both the "inside" and "outside" interfaces had public IP addresses and the admin was thinking of the old 8.2-style NAT exemption. So I put the NAT keyword no-proxy-arp at the end, cleared the ARP table, and the issue was resolved.

By default, a Cisco ASA NAT rule can make the ASA respond to ARP requests for IP addresses other than its own interface IP address (proxy ARP). If you add the keyword no-proxy-arp to specific NAT commands (best practice), the ASA will not respond to ARP requests for the mapped (global) IP subnet identified in those NAT statements.


INTERNET_ROUTER#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 80.25.22.150 118 a20f.0c00.0004 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.151 118 a20f.0c00.0005 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.152 225 a20f.0c00.00f8 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.153 162 a20f.0c00.00f8 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.154 118 a20f.0c00.0020 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.155 118 a20f.0c00.0021 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.156 248 a20f.0c00.00f8 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.157 231 a20f.0c00.00f8 ARPA TenGigabitEthernet0/0/0 
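As an added example (Python, not part of the original post), here is a small detector for the symptom described above: it parses an IOS show arp table like the router output just shown and groups IP addresses that resolve to the same MAC address on the same interface. The sample table is copied from the post; the ASA MAC a20f.0c00.00f8 answering for four different addresses is the proxy-ARP footprint of the all-to-all identity NAT.

```python
"""Added example (not from the original post): flag IP addresses in an IOS
'show arp' table that resolve to one MAC address on the same interface, the
proxy-ARP symptom described in the post. Sample table copied from the post."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Sample input: the Internet router's ARP table from the post.
ROUTER_SHOW_ARP = """\
Protocol Address Age (min) Hardware Addr Type Interface
Internet 80.25.22.150 118 a20f.0c00.0004 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.151 118 a20f.0c00.0005 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.152 225 a20f.0c00.00f8 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.153 162 a20f.0c00.00f8 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.154 118 a20f.0c00.0020 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.155 118 a20f.0c00.0021 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.156 248 a20f.0c00.00f8 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.157 231 a20f.0c00.00f8 ARPA TenGigabitEthernet0/0/0
"""

# IOS ARP row: protocol, address, age ('-' for the router's own), MAC, type, interface.
ARP_LINE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)",
    re.IGNORECASE,
)


def parse_ios_arp(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, interface) tuples; the header line does not match."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(3).lower(), m.group(4)))
    return entries


def shared_macs(entries: List[Tuple[str, str, str]], threshold: int = 2) -> Dict[Tuple[str, str], List[str]]:
    """Group IPs by (interface, mac) and keep groups with at least `threshold` IPs."""
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for ip, mac, ifname in entries:
        groups[(ifname, mac)].append(ip)
    return {key: sorted(ips) for key, ips in groups.items() if len(ips) >= threshold}


if __name__ == "__main__":
    for (ifname, mac), ips in shared_macs(parse_ios_arp(ROUTER_SHOW_ARP)).items():
        print(f"{ifname}: {mac} answers for {len(ips)} addresses: {', '.join(ips)}")
```

A hit is a lead rather than proof: a first-hop redundancy virtual MAC, secondary addresses on one router interface, or a firewall legitimately answering for a static NAT pool it owns all look the same in the ARP table, so compare each flagged MAC against the NAT configuration of the device that owns it before adding no-proxy-arp.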


ciscoasa/pri/act/CUSTA# show arp
 outside 80.25.22.130 a03d.6f2e.7000 6
 outside 80.25.22.129 0000.0c9f.f004 6
 outside 80.25.22.235 001b.1700.0110 32
 outside 80.25.22.151 a20f.0c00.0005 158
 outside 80.25.22.147 a20f.0c00.0017 158
 outside 80.25.22.135 a20f.0c00.000b 158
 outside 80.25.22.149 a20f.0c00.001b 158
 outside 80.25.22.159 a20f.0c00.0025 158
 outside 80.25.22.155 a20f.0c00.0021 158
 outside 80.25.22.139 a20f.0c00.0029 158
 outside 80.25.22.169 a20f.0c00.002d 158
 inside 80.25.21.67 5087.89b8.db00 13196
 inside 80.25.21.66 a20f.0c00.00fb 13706


ciscoasa/pri/act/CUSTA# show run nat
nat (inside,outside) source static all all destination static all all
ciscoasa/pri/act/CUSTA#
ciscoasa/pri/act/CUSTA# configure terminal
ciscoasa/pri/act/CUSTA(config)# nat (inside,outside) source static all all destination static all all ?                    
configure mode commands/options:
  description     Specify NAT rule description
  inactive        Disable a NAT rule
  net-to-net      Net to net mapping of IPv4 to IPv6
  no-proxy-arp    Disable proxy ARP on egress interface
  route-lookup    Perform route lookup for this rule
  service         NAT service parameters
  unidirectional  Enable per-session NAT
  <cr>


ciscoasa/pri/act/CUSTA(config)# nat (inside,outside) source static all all destination static all all no-proxy-arp
ciscoasa/pri/act/CUSTA(config)# show run nat
nat (inside,outside) source static all all destination static all all no-proxy-arp

ciscoasa/pri/act/CUSTA(config)#
ciscoasa/pri/act/CUSTA(config)# clear arp
ciscoasa/pri/act/CUSTA(config)#
ciscoasa/pri/act/CUSTA(config)# show arp
ciscoasa/pri/act/CUSTA(config)# <BLANK>

 

Saturday, September 5, 2020

Enabling coredump on a Cisco ASA Firewall

Here's a nice link on configuring a coredump in a Cisco ASA Firewall. This feature takes a snapshot of the ASA memory when a system crash occurs, which gives Cisco TAC engineers useful information for their troubleshooting.

 

LAB-ASA5515x# show coredump filesystem
'disk0:' has no coredump filesystem
LAB-ASA5515x# conf t
LAB-ASA5515x(config)# coredump ?

configure mode commands/options:
  enable  Enable coredump generation to filesystem
LAB-ASA5515x(config)# coredump enable

WARNING: Enabling coredump on an ASA5515 platform will delay the reload of
the system by up to 30 minutes in the event of software forced reload.
The exact time depends on the size of the coredump generated.

Proceed with coredump filesystem allocation of 1000 MB
on 'disk0:' (Note this may take a while) ? [confirm]
filesys_image created ok: disk0:coredumpfsysimage.bin
Making coredump file system image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

<OUTPUT TRUNCATED>

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Coredump file system image created & mounted successfully
/dev/loop0 on /mnt/disk0/coredumpfsys type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)

 

 

LAB-ASA5515x(config)# dir
Directory of disk0:/
95     -rwx  111550464    06:02:40 Oct 15 2019  asa984-10-smp-k8.bin
96     -rwx  33696792     06:04:16 Oct 15 2019  asdm-7122.bin
11     drwx  4096         06:08:18 Oct 15 2019  log
22     drwx  4096         06:08:58 Oct 15 2019  crypto_archive
25     drwx  4096         06:09:04 Oct 15 2019  coredumpinfo
98     -rwx  4799         05:14:28 Oct 26 2019  oldconfig_2019Oct26_0514.cfg
23     drwx  4096         05:25:12 Nov 24 2019  snmp
104    -rwx  72771616     04:22:02 May 20 2020  anyconnect-win-4.8.03052-webdeploy-k9.pkg
105    -rwx  111624192    04:22:42 May 20 2020  asa984-20-smp-k8.bin
110    -rwx  1048576000   03:28:09 Jul 29 2020  coredumpfsysimage.bin
1      drwx  16384        03:27:39 Jul 29 2020  coredumpfsys

6 file(s) total size: 1378223863 bytes
7994437632 bytes total (6615339008 bytes free/82% free)

LAB-ASA5515x(config)# no coredump enable
LAB-ASA5515x(config)# dir
Directory of disk0:/
95     -rwx  111550464    06:02:40 Oct 15 2019  asa984-10-smp-k8.bin
96     -rwx  33696792     06:04:16 Oct 15 2019  asdm-7122.bin
11     drwx  4096         06:08:18 Oct 15 2019  log
22     drwx  4096         06:08:58 Oct 15 2019  crypto_archive
25     drwx  4096         06:09:04 Oct 15 2019  coredumpinfo
98     -rwx  4799         05:14:28 Oct 26 2019  oldconfig_2019Oct26_0514.cfg
23     drwx  4096         05:25:12 Nov 24 2019  snmp
104    -rwx  72771616     04:22:02 May 20 2020  anyconnect-win-4.8.03052-webdeploy-k9.pkg
105    -rwx  111624192    04:22:42 May 20 2020  asa984-20-smp-k8.bin
110    -rwx  1048576000   03:28:09 Jul 29 2020  coredumpfsysimage.bin
1      drwx  16384        03:27:39 Jul 29 2020  coredumpfsys

6 file(s) total size: 1378223863 bytes
7994437632 bytes total (6615339008 bytes free/82% free)

 

LAB-ASA5515x(config)# delete disk0:/coredumpfsysimage.bin
Delete filename [coredumpfsysimage.bin]?
Delete disk0:/coredumpfsysimage.bin? [confirm]
LAB-ASA5515x(config)# delete disk0:/coredumpfsys
Delete filename [coredumpfsys]?
Delete disk0:/coredumpfsys? [confirm]
%Error deleting disk0:/coredumpfsys (Device or resource busy)
LAB-ASA5515x(config)# delete ?

exec mode commands/options:
  /noconfirm  Do not prompt for confirmation
  /recursive  Recursive delete
  /replicate  Execute delete operation on standby unit as well
  disk0:      File to be deleted
  disk1:      File to be deleted
  flash:      File to be deleted
LAB-ASA5515x(config)# delete /recursive ?

exec mode commands/options:
  /noconfirm  Do not prompt for confirmation
  /replicate  Execute delete operation on standby unit as well
  disk0:      File to be deleted
  disk1:      File to be deleted
  flash:      File to be deleted
LAB-ASA5515x(config)# delete /recursive disk0:/coredumpfsys
Delete filename [coredumpfsys]?
Examine files in directory disk0:/coredumpfsys? [confirm]
Delete disk0:/coredumpfsys? [confirm]
%Error Removing dir disk0:/coredumpfsys (Device or resource busy)

LAB-ASA5515x(config)# rmdir coredumpfsys
Remove directory filename [coredumpfsys]?
Delete disk0:/coredumpfsys? [confirm]
%Error Removing dir disk0:/coredumpfsys (Device or resource busy)


Friday, August 14, 2020

Configuration Backup and Restore in a Cisco ASA Firewall

There's an easy way to backup and restore the configuration file in a Cisco ASA Firewall using ASDM.

To backup the ASA config, go to Tools > Backup Configurations.

Click Browse Local > select a folder/directory on local PC > type a file name.

 

Unselect Backup All > select Running-configuration > click Backup.

Click Close when finished.

 

The backup is a zip/compressed file.

 

I tried opening running-config.cfg with Notepad.

I then changed the hostname and saved the config.

 

LAB-ASA5515x# configure terminal
LAB-ASA5515x(config)# hostname TEST-ASA5515x
TEST-ASA5515x(config)# write memory
Building configuration...
Cryptochecksum: 749bb846 da22d270 e721ff08 18564731

5995 bytes copied in 0.760 secs
[OK]

 

 

In order to restore or revert the ASA config, go to Tools > Restore Configurations.

 

 

Click Browse Local > select the backup zip file created earlier > click Next.

 

Select Running configuration > Restore.

 

I'm not running ASA failover (HA). Click Yes to Continue.

 

Click Replace.


 

I logged in to ASDM again and noticed the hostname had reverted to LAB-ASA5515x.

 

The ASA restore feature doesn't need a device reboot. Notice the Device Uptime didn't reset.

 

 

Friday, July 3, 2020

Cisco ASA Firewall Verify Command

I had an incident wherein an image was successfully transferred to a Cisco device but the file size was slightly different. You can use the ASA verify command to check the integrity of an image file and ensure it wasn't corrupted during the file transfer.

To view the MD5 or SHA-512 hash Cisco publishes for an ASA image on its download site, hover over the file name (a hyperlink) and click the clipboard icon. Below is the complete SHA-512 hash, which should match the CCO Hash line in the verify command output. The Embedded Hash (carried inside the image) and the Computed Hash (calculated by the ASA) must match each other for the signature check to pass.

8b77f39037e74bbcd396d78faf4f337c998bd7a8143ed599a48194597ffb064b70f2fb068be757109d80f2b3dcbc53ce9e2a944328ac95e8a4af9f4aa3e98e64

ciscoasa# dir

Directory of disk0:/

<SNIP>

159    -rwx  111919104    14:54:42 Jun 13 2019  asa992-52-smp-k8.bin

14 file(s) total size: 676519403 bytes
8238202880 bytes total (4337901568 bytes free/52% free)


The ASA verify command will perform a SHA-512 hash calculation by default.

ciscoasa# verify ?

  /md5      Compute an MD5 signature for a file
  /sha-512  Compute a SHA-512 signature for a file
  disk0:    File to be verified
  disk1:    File to be verified
  flash:    File to be verified

ciscoasa# verify disk0:/asa992-52-smp-k8.bin
Verifying file integrity of disk0:/asa992-52-smp-k8.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Done!
Embedded Hash SHA-512: 5c5c0b42f5d6dc467aee47df48fdc21ab64a47be2e8098c6579b0287094feed3d609849b423f1748432f5a0173934f395bd741fbd2a1464cc796e482b91300c9
Computed Hash SHA-512: 5c5c0b42f5d6dc467aee47df48fdc21ab64a47be2e8098c6579b0287094feed3d609849b423f1748432f5a0173934f395bd741fbd2a1464cc796e482b91300c9
CCO Hash      SHA-512:
8b77f39037e74bbcd396d78faf4f337c998bd7a8143ed599a48194597ffb064b70f2fb068be757109d80f2b3dcbc53ce9e2a944328ac95e8a4af9f4aa3e98e64
Signature Verified

Sunday, June 21, 2020

Clear Cisco ASA AnyConnect and Site-to-Site VPN Sessions Counters

You can monitor and clear the VPN session counters or statistics in a Cisco ASA Firewall using: show vpn-sessiondb summary and clear vpn-sessiondb statistics global commands, respectively.


ciscoasa# show vpn-sessiondb summary                
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :      0 :        660 :           2 :        0
  SSL/TLS/DTLS               :      0 :        660 :           2 :        0
IKEv1 IPsec/L2TP IPsec       :      0 :        206 :           5
Site-to-Site VPN             :      7 :      50169 :          11
  IKEv1 IPsec                :      7 :      50169 :          11
---------------------------------------------------------------------------
Total Active and Inactive    :      7             Total Cumulative :  51035
Device Total VPN Capacity    :    250
Device Load                  :     3%
---------------------------------------------------------------------------


ciscoasa# clear vpn-sessiondb statistics global
INFO: Global session data cleared

ciscoasa# show vpn-sessiondb summary            

 No sessions to display.

Statistics have been cleared 1 time(s) since reboot
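As an added example (Python, not part of the original post), the following script parses the show vpn-sessiondb summary table above, recomputes the device load from the per-type active counts and the licensed capacity, and flags when either the current load or the peak concurrent count approaches the limit. Only the top-level rows are summed; the indented rows are breakdowns of the row above them and would double-count. The sample table is copied from the post; the warning threshold is an assumption.

```python
"""Added example (not from the original post): parse 'show vpn-sessiondb
summary', cross-check the totals the ASA prints, and raise a capacity warning.
Sample table copied from the post."""
import re
from typing import Dict

SUMMARY = """\
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :      0 :        660 :           2 :        0
  SSL/TLS/DTLS               :      0 :        660 :           2 :        0
IKEv1 IPsec/L2TP IPsec       :      0 :        206 :           5
Site-to-Site VPN             :      7 :      50169 :          11
  IKEv1 IPsec                :      7 :      50169 :          11
---------------------------------------------------------------------------
Total Active and Inactive    :      7             Total Cumulative :  51035
Device Total VPN Capacity    :    250
Device Load                  :     3%
---------------------------------------------------------------------------
"""

# Top-level rows start in column 0; the optional fourth column is 'Inactive'.
ROW = re.compile(r"^(\S[^:]*?)\s+:\s+(\d+)\s+:\s+(\d+)\s+:\s+(\d+)(?:\s+:\s+(\d+))?")
FOOTER = {
    "total_active": re.compile(r"^Total Active and Inactive\s+:\s+(\d+)"),
    "cumulative": re.compile(r"Total Cumulative\s+:\s+(\d+)"),
    "capacity": re.compile(r"^Device Total VPN Capacity\s+:\s+(\d+)"),
    "reported_load_pct": re.compile(r"^Device Load\s+:\s+(\d+)%"),
}


def parse_summary(text: str) -> dict:
    """Return {'rows': {type: {...}}, 'total_active', 'cumulative', 'capacity', 'reported_load_pct'}."""
    rows: Dict[str, Dict[str, int]] = {}
    footer: Dict[str, int] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[m.group(1).strip()] = {
                "active": int(m.group(2)),
                "cumulative": int(m.group(3)),
                "peak": int(m.group(4)),
                "inactive": int(m.group(5) or 0),
            }
            continue
        for key, pattern in FOOTER.items():  # one line can carry two footer values
            fm = pattern.search(line)
            if fm:
                footer[key] = int(fm.group(1))
    return {"rows": rows, **footer}


def load_report(text: str, warn_pct: int = 80) -> dict:
    """Recompute load and compare with what the ASA printed; warn_pct is an assumed threshold."""
    s = parse_summary(text)
    rows = s["rows"].values()
    active = sum(r["active"] for r in rows)
    inactive = sum(r["inactive"] for r in rows)
    peak = max((r["peak"] for r in rows), default=0)
    capacity = s["capacity"]
    computed = round(100 * active / capacity) if capacity else 0
    return {
        "active": active,
        "total_matches_reported": active + inactive == s["total_active"],
        "capacity": capacity,
        "computed_load_pct": computed,
        "load_matches_reported": computed == s["reported_load_pct"],
        "peak_concurrent": peak,
        "peak_headroom": capacity - peak,
        "warn": computed >= warn_pct or peak >= capacity * warn_pct // 100,
    }


if __name__ == "__main__":
    report = load_report(SUMMARY)
    print(f"active {report['active']} / capacity {report['capacity']} = {report['computed_load_pct']}%")
    print(f"peak concurrent {report['peak_concurrent']}, headroom {report['peak_headroom']}")
    print("WARNING: approaching licensed VPN capacity" if report["warn"] else "capacity OK")
```

Since clear vpn-sessiondb statistics global resets the cumulative and peak counters, a monitor built on this parser should record the peak before clearing so the history isn't lost.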


Friday, May 22, 2020

File Transfer Between Local PC and Cisco ASA Flash via ASDM

Aside from FTP, TFTP and SCP file transfers, there's an alternative way of transferring ASA files (OS, ASDM, AnyConnect images, etc.) to the Cisco ASA flash memory (disk0:) via ASDM. The file transfer is slow compared to an FTP but it gets the job done. You can transfer files from your local PC to the ASA flash via ASDM by going to Tools > File Management.


Select File Transfer > Between Local PC and Flash.


Select a file > select disk0: (ASA flash) > click the right arrow.




As best practice, validate the ASA image file using either the MD5 or SHA-512 hash validation form of the verify command to ensure the file wasn't corrupted or tampered with in transit. Compare the output with the hash published on Cisco's download page.

ciscoasa# verify /md5 disk0:/asa9xyz-smp-k8.bin

<OUTPUT TRUNCATED>

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Done!
verify /MD5 (disk0:/asa9xyz-smp-k8.bin) = b6d183a5e0b273b5fd40fd8a3ac76bed
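As an added example (Python, not part of the original post or of the ASA itself) serving both this post and the July 3 verify post above, here is the same check done off-box: hash a downloaded image in chunks and compare it in constant time with the MD5 or SHA-512 value copied from Cisco's download page, the way verify compares its Computed Hash with the CCO Hash. The image bytes and the "published" checksums are constructed here so the example runs offline; the truncated-copy case reproduces the slightly-different-file-size incident from the July post.

```python
"""Added example (not from the original post): verify a downloaded ASA image
against the MD5 or SHA-512 checksum published on Cisco's download page. The
image bytes and the 'published' checksums are constructed so this runs offline."""
import hashlib
import hmac
import io
from typing import BinaryIO

# Constructed stand-in for an image file; a real image would be opened from
# disk with open(path, "rb") and streamed through file_digest().
FAKE_IMAGE = b"asa9xyz-smp-k8.bin placeholder bytes " * 4096
# Constructed "published" checksums: on a real download these are copied from
# the clipboard icon on Cisco's download page, not computed locally.
PUBLISHED_SHA512 = hashlib.sha512(FAKE_IMAGE).hexdigest()
PUBLISHED_MD5 = hashlib.md5(FAKE_IMAGE).hexdigest()

DIGEST_HEX_LEN = {"md5": 32, "sha512": 128}


def file_digest(stream: BinaryIO, algorithm: str = "sha512", chunk_size: int = 1 << 20) -> str:
    """Hash the stream in chunks so a ~100 MB image is never read into memory at once."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_image(stream: BinaryIO, published: str, algorithm: str = "sha512") -> dict:
    """Compare the computed digest with the published one.

    The published value is normalised (whitespace and case) because it is
    usually pasted; a value of the wrong length is rejected outright rather
    than silently failing to match. The comparison itself is constant-time."""
    expected = "".join(published.split()).lower()
    if len(expected) != DIGEST_HEX_LEN[algorithm]:
        raise ValueError(f"{algorithm} checksum must be {DIGEST_HEX_LEN[algorithm]} hex characters")
    computed = file_digest(stream, algorithm)
    return {
        "algorithm": algorithm,
        "computed": computed,
        "match": hmac.compare_digest(computed, expected),
    }


def verify_bytes(data: bytes, published: str, algorithm: str = "sha512") -> dict:
    """Convenience wrapper for in-memory data (used by the demo and the checks below)."""
    return verify_image(io.BytesIO(data), published, algorithm)


if __name__ == "__main__":
    result = verify_bytes(FAKE_IMAGE, PUBLISHED_SHA512)
    print(f"Computed Hash SHA-512: {result['computed']}")
    print("checksum matches published value" if result["match"] else "MISMATCH: do not install this image")
    # A transfer that stopped one byte short, the symptom in the July post, fails the check.
    short = verify_bytes(FAKE_IMAGE[:-1], PUBLISHED_SHA512)
    print("truncated copy matches:", short["match"])
```

A checksum match shows the file you hold is the file Cisco published; it says nothing about whether Cisco's signature on the image is valid, which is the separate Embedded/Computed Hash comparison the on-box verify command performs.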

Saturday, April 4, 2020

Cisco ASA Firewall clear xlate Command

When you change the routing or NAT policy on the ASA firewall, existing translations keep using the old policy until they age out, so you'll sometimes need to forcefully clear the NAT translation table using the clear xlate command. This forces the connections to be re-established, which is useful when the remote firewall or VPN device belongs to an admin who is unavailable or doesn't want to reboot or clear their device.

ciscoasa# show conn | inc 192.168.26.2  
<BLANK>

ciscoasa# clear xlate ?  

  debug      Enter this keyword for debug information
  detail     Enter this keyword for detailed information
  global     Enter this keyword to specify global ip range
  gport      Enter this keyword to specify global port(s)
  interface  Enter this keyword to specify an interface
  local      Enter this keyword to specify local ip range
  lport      Enter this keyword to specify local port(s)
  state      Enter this keyword to specify state
  <cr>

ciscoasa# clear xlate global 200.11.10.5 local 192.168.26.2

ciscoasa# show conn | inc 192.168.26.2
TCP outside 123.21.13.11:50810 CUSTOMER 192.168.26.2:445, idle 0:00:04, bytes 0, flags SaAB
TCP outside 185.176.2.10:40872 CUSTOMER 192.168.26.2:33392, idle 0:00:05, bytes 0, flags SaAB
TCP outside 185.176.2.2:59627 CUSTOMER 192.168.26.2:3375, idle 0:00:22, bytes 0, flags SaAB
UDP outside 128.223.5.10:61677 CUSTOMER 192.168.26.2:33523, idle 0:01:19, bytes 0, flags -

<OUTPUT TRUNCATED>