Identity NAT and NAT exempt are commonly considered the same kind of ‘no natting’ configuration when in practice both methods are configured slightly different as well as firewall’s internal processing. Identity NAT configuration nat (inside) 0 10.1.1.3 NAT Exempt configuration access-list NO_NAT extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0 nat(inside) 0 access-list NO_NAT Identity NAT: …
Monthly Archive: August 2015
Aug 25
TCP connection flags on Cisco ASA
During troubleshooting connectivity issues on Cisco ASA firewall it’s useful to understand TCP flags displayed in connection table. Example of connection table: TCP connection stages with corresponding flags: Flag types with brief description available on ASA firewall:
Aug 25
POODLE attack
A POODLE attack is an exploit that takes advantage of the way some browsers deal with encryption. POODLE (Padding Oracle On Downgraded Legacy Encryption) is the name of the vulnerability that enables the exploit. POODLE can be used to target browser-based communication that relies on the Secure Sockets Layer (SSL) 3.0 protocol for encryption and …
Aug 24
Ports and purpose of these ports on Checkpoint firewall
PORT TYPE SERVICE DESCRIPTION 21 TCP ftp File transfer Protocol (control) 21 UDP ftp File transfer Protocol (control) 22 Both ssh SSH remote login 25 Both SMTP Simple Mail transfer Protocol 50 Encryption IP protocols esp – IPSEC Encapsulation Security Payload 51 Encryption IP protocols ah – IPSEC Authentication Header Protocol 53 Both Domain Name …
Aug 24
ICMP messages and corresponding numbers on Cisco ASA
Below are displayed ICMP messages and corresponding numbers on Cisco ASA. Note: Only echo-reply (0), unreachable (3), echo (8) and time-exceeded (11) are allowed directly in access list. In order to use other messages use object-group icmp-type
Aug 21
DHCP Snooping on Cisco Catalyst Switch
DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers. DHCP snooping performs the following activities: • Validates DHCP messages received from untrusted sources and filters out invalid messages. • Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses. • Uses the DHCP …
Aug 21
PCI DSS vulnerability for SSL negotiation on Brocade ADX
Hardware application accelerators also called load balancers are commonly used for SSL offload as provide hardware acceleration for SSL processing. Additionally in many implementations process Application Layer (ISO/OSI Layer 7) information which require access to clear test data. In many cases device administrators configure SSL profiles to use “all-cipher-suites” command which allows ADX to negotiate …
Aug 21
How to permit traffic on interfaces with the same security level on Cisco ASA
By default Cisco ASA design does not allow traffic to flow between two interfaces having the same security level not sourced and destined on the same interface. To ‘fix’ this issues there are two commands you can use. Configuration example: ASA# conf t ASA(config)# same-security-traffic permit ? configure mode commands/options: inter-interface Permit communication between different …
Aug 21
How to insert HTTP header X-Forwarded-Proto for SSL traffic of F5 LTM
In our scenario we do SSL offload on the load balancer before inserting header for incoming request from client to physical server behind LB. To insert protocol information header you can configure a custom HTTP profile with ‘Request Header Erase’ set to X-Forwarded-Proto and ‘Request Header Insert’ set to ‘X-Forwarded-Proto: https’. This ensures that any …
Aug 21
How to suppress reset flag for dropped packets on Cisco ASA firewall
Cisco ASA by default inspects incoming packets and if it match one of standard audit signatures performs three actions “alarm”, “drop” and “reset”. This is definitely good thing as protects our network against potential attackers but cause one significant issue. Many companies require to pass PCI DSS compliance or other similar security checks. Typical security …