Below is an example of a typical L2L (site-to-site) IPsec VPN tunnel configuration on a Cisco ASA firewall. Note: there are additional steps required to make the VPN tunnel work:
– NAT configuration (the tunnelled traffic must be exempted from translation)
– IKE enabled on the interface facing the other end of the VPN tunnel
– A properly configured routing table (the remote network must be reachable via the tunnel interface)
Remember to save the configuration when you are done. TIP: Use “packet …
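The excerpt above is cut off before the configuration itself. The following is an added example, not the post's own configuration, that ties the three notes together (IKE on the outside interface, NAT exemption, routing). It is written in the pre-8.3 syntax that matches the 8.2(5) image mentioned elsewhere on this page; the addresses, names and the pre-shared-key placeholder are assumptions:

```text
! Added example (not from the original post). Assumed values:
!   outside interface 198.51.100.1, next hop 198.51.100.254
!   remote peer 203.0.113.1, local LAN 192.168.1.0/24, remote LAN 10.1.1.0/24
! ASA 8.2 syntax (nat 0 / access-list style NAT exemption).
!
! --- Phase 1 (IKEv1/ISAKMP): enable IKE on the interface facing the peer
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! --- Peer identity and pre-shared key (replace the placeholder)
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <strong-pre-shared-key>
!
! --- Phase 2: transform set and "interesting" traffic
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list VPN_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
!
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! --- NAT exemption: traffic to the remote LAN must not be translated,
!     otherwise it never matches VPN_TRAFFIC and is sent in clear
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
! --- Routing: the remote LAN must be routed out the interface holding the crypto map
!     (a default route via the outside interface also satisfies this)
route outside 10.1.1.0 255.255.255.0 198.51.100.254
!
! --- Save the configuration
write memory
```

The NAT exemption ACL and the crypto map ACL deliberately describe the same traffic; if they drift apart (for example after a new subnet is added only to one of them), traffic either leaks out untranslated and unencrypted or is translated and never enters the tunnel. The same subnet pair must be mirrored on the remote peer.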
Category Archive: Firewall
Jan 29
Upgrading an Active/Standby Failover Configuration on Cisco ASA
This article lists the steps to upgrade a pair of Cisco ASA firewalls running in an Active/Standby failover configuration. We assume that no console connection is available and that only remote SSH connectivity is possible. Note: during reload and failover you may be disconnected. Prep work: – The new image (asa825-51-k8.bin) is already loaded onto both the Active and the Standby unit. Upgrading …
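The steps themselves are cut off above. As an added illustration, not taken from the article, the following is the standard zero-downtime sequence for an ASA Active/Standby pair, driven entirely from an SSH session to the active unit. The image name is the one quoted on the page; everything else (the disk0: path, the order of the units) is an assumption.

```text
! Added example (not from the original post). Assumes the image already sits on
! disk0: of BOTH units, as stated in the prep work. Run on the ACTIVE unit.
!
! 1. Confirm both units are healthy and note which one is active
show failover
!
! 2. Point the boot variable at the new image and save. Both commands are
!    replicated to the standby unit through the failover link.
boot system disk0:/asa825-51-k8.bin
write memory
!
! 3. Reload the standby unit so it boots the new image. Wait until
!    "show failover" reports the other unit as "Standby Ready" again.
failover reload-standby
show failover
!
! 4. Make the upgraded standby unit active. The standby takes over the
!    active IP/MAC addresses, so your SSH session to this unit will drop;
!    reconnect to the same management IP, which now lands on the new active unit.
no failover active
!
! 5. From the new active unit, reload the remaining (still old-image) unit,
!    then verify both units run the new version.
failover reload-standby
show failover
show version | include Software Version
```

The point of step 4 is that the unit being reloaded in step 5 is never the one carrying traffic, so the outage is limited to the sub-second failover in step 4. If step 3 does not return to "Standby Ready" (for example a mismatch between the boot variable and the file on disk0:), stop there: the active unit is still on the old image and nothing has been lost.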
Oct 20
How to copy files to cisco ASA via SSH
There are a number of ways to copy files to a Cisco ASA firewall. The most common is TFTP, which we all learned to use on the CCNA course or from articles on the Internet. There are two issues with this method: the first is security, since TFTP transmits everything in clear text and is therefore not the preferred method from a security standpoint. …
Oct 09
How to Enable IPSec Traffic Through a Firewall
IPsec does not disturb the original IP header, so IPsec traffic can be routed as normal IP traffic. Routers and switches in the data path between the communicating hosts simply forward the packets to their destination. However, when there is a firewall or gateway in the data path, IP forwarding must be enabled at the firewall for …
Oct 06
Configuring IPsec or SSL VPN to Bypass ACLs
To permit any packets that arrive from an IPsec or SSL VPN tunnel without checking them against the ACLs on the source and destination interfaces, enter the sysopt connection permit-vpn command in global configuration mode. Be aware that once this is set, interface ACLs no longer apply to decrypted VPN traffic at all; if that traffic still needs filtering, a vpn-filter in the group policy is the place to do it. You might want to bypass interface ACLs for IPsec or SSL VPN traffic if you use a separate VPN concentrator behind the ASA …
Aug 26
Identity NAT vs NAT exempt on Cisco ASA
Identity NAT and NAT exempt are commonly considered the same kind of ‘no NAT’ configuration, but in practice the two are configured slightly differently and the firewall processes them differently internally.

Identity NAT configuration:
nat (inside) 0 10.1.1.3

NAT exempt configuration:
access-list NO_NAT extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

Identity NAT: …
Aug 24
Ports and purpose of these ports on Checkpoint firewall
PORT  TYPE                     SERVICE   DESCRIPTION
21    TCP                      ftp       File Transfer Protocol (control)
21    UDP                      ftp       File Transfer Protocol (control)
22    Both                     ssh       SSH remote login
25    Both                     SMTP      Simple Mail Transfer Protocol
50    Encryption (IP protocol) esp       IPSEC Encapsulation Security Payload
51    Encryption (IP protocol) ah        IPSEC Authentication Header Protocol
53    Both                     Domain Name …