Below is an example of a typical L2L IPsec VPN tunnel configuration on a Cisco ASA firewall. Note: there are additional steps required to make the VPN tunnel work: NAT configuration; the IKE protocol enabled on the interface facing the other end of the VPN tunnel; a properly configured routing table. Remember to save the configuration when you are done. TIP: Use “packet …
Category Archive: Cisco ASA/FWSM
Jan 29
Upgrading an Active/Standby Failover Configuration on Cisco ASA
This article lists the steps to upgrade a Cisco ASA firewall pair running in an Active/Standby failover configuration. We assume that a console connection is not available and only remote SSH connectivity is possible. Note: during reload and failover you may be disconnected. Prep work: – The new image (asa825-51-k8.bin) is already loaded onto both the active and the standby unit. Upgrading …
Oct 20
How to copy files to cisco ASA via SSH
There are a number of ways to copy files to a Cisco ASA firewall. The most common example is TFTP, which we all learned to use on the CCNA course or from reading articles on the Internet. There are two issues with this method: the first problem is security, as TFTP uses clear-text transmission and is therefore not the preferred method from a security standpoint. …
Oct 06
Configuring IPsec or SSL VPN to Bypass ACLs
To permit any packets that come from an IPsec or SSL VPN tunnel without checking ACLs for the source and destination interfaces, enter the sysopt connection permit-vpn command in global configuration mode. You might want to bypass interface ACLs for IPsec or SSL VPN traffic if you use a separate VPN concentrator behind the ASA …
Aug 26
Identity NAT vs NAT exempt on Cisco ASA
Identity NAT and NAT exempt are commonly considered the same kind of ‘no NAT’ configuration, when in practice the two methods are configured slightly differently and are also processed differently inside the firewall. Identity NAT configuration: nat (inside) 0 10.1.1.3 NAT exempt configuration: access-list NO_NAT extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0 nat (inside) 0 access-list NO_NAT Identity NAT: …
Aug 21
How to permit traffic on interfaces with the same security level on Cisco ASA
By default, a Cisco ASA does not allow traffic to flow between two interfaces that have the same security level, nor traffic that is sourced and destined on the same interface. To ‘fix’ this there are two commands you can use. Configuration example: ASA# conf t ASA(config)# same-security-traffic permit ? configure mode commands/options: inter-interface Permit communication between different …
Aug 21
How to suppress reset flag for dropped packets on Cisco ASA firewall
By default, Cisco ASA inspects incoming packets and, if a packet matches one of the standard audit signatures, performs three actions: “alarm”, “drop” and “reset”. This is definitely a good thing, as it protects our network against potential attackers, but it causes one significant issue. Many companies are required to pass PCI DSS compliance or other similar security checks. Typical security …
Aug 21
How to remove TCP time stamp from packets on Cisco ASA
TCP timestamps, defined in RFC 1323, help TCP compute the round-trip time between the sender and receiver. Timestamp options include a 4-byte timestamp value, where the sender inserts its current value of its timestamp clock, and a 4-byte echo reply timestamp value, where the receiver generally inserts the most recent timestamp value that it has …