Category Archive: Firewall

Apr 06

IPSec VPN on Cisco ASA

Below is an example of a typical L2L IPSec VPN tunnel configuration on a Cisco ASA firewall. Note: additional steps are required to make the VPN tunnel work: NAT configuration, the IKE protocol enabled on the interface facing the other end of the VPN tunnel, and a properly configured routing table. Remember to save the configuration when you are done. TIP: Use “packet …

Apr 06

Palo Alto (PanOS) CLI Reference

Jan 29

Upgrading an Active/Standby Failover Configuration on Cisco ASA

This article lists the steps to upgrade a Cisco ASA firewall pair running in an Active/Standby failover configuration. We assume that a console connection is not available and only remote SSH connectivity is possible. Note: during reload and failover you may be disconnected. Prep work: – The new image (asa825-51-k8.bin) is already loaded onto both the Active and the Standby unit. Upgrading …

Oct 20

How to copy files to Cisco ASA via SSH

There are a number of ways to copy files to a Cisco ASA firewall. The most common example is TFTP, which we all learned to use on the CCNA course or from reading articles on the Internet. There are two issues with this method: the first problem is security, as TFTP uses clear-text transmission and is therefore not the preferred method from a security standpoint. …

Oct 09

How to Enable IPSec Traffic Through a Firewall

IPSec does not disturb the original IP header and can be routed as normal IP traffic. Routers and switches in the data path between the communicating hosts simply forward the packets to their destination. However, when there is a firewall or gateway in the data path, IP forwarding must be enabled at the firewall for …

Oct 06

Configuring IPsec or SSL VPN to Bypass ACLs

To permit any packets that come from an IPsec or SSL VPN tunnel without checking ACLs for the source and destination interfaces, enter the sysopt connection permit-vpn command in global configuration mode. You might want to bypass interface ACLs for IPsec or SSL VPN traffic if you use a separate VPN concentrator behind the ASA …

Aug 26

Identity NAT vs NAT exempt on Cisco ASA

Identity NAT and NAT exempt are commonly considered the same kind of ‘no natting’ configuration, when in practice the two methods are configured slightly differently and the firewall’s internal processing also differs.

Identity NAT configuration:
nat (inside) 0 10.1.1.3

NAT Exempt configuration:
access-list NO_NAT extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

Identity NAT: …

Aug 25

TCP connection flags on Cisco ASA

When troubleshooting connectivity issues on a Cisco ASA firewall it’s useful to understand the TCP flags displayed in the connection table. Example of a connection table: TCP connection stages with their corresponding flags: Flag types, with a brief description, available on the ASA firewall:

Aug 24

Ports and purpose of these ports on Checkpoint firewall

PORT  TYPE        SERVICE        DESCRIPTION
21    TCP         ftp            File Transfer Protocol (control)
21    UDP         ftp            File Transfer Protocol (control)
22    Both        ssh            SSH remote login
25    Both        SMTP           Simple Mail Transfer Protocol
50    Encryption  IP protocols   esp – IPSEC Encapsulation Security Payload
51    Encryption  IP protocols   ah – IPSEC Authentication Header Protocol
53    Both        Domain Name …

Aug 24

ICMP messages and corresponding numbers on Cisco ASA

Below are the ICMP messages and their corresponding numbers on Cisco ASA. Note: only echo-reply (0), unreachable (3), echo (8) and time-exceeded (11) are allowed directly in an access list; to use other messages, use object-group icmp-type.