Category Archive: Firewall

Aug 21

How to permit traffic on interfaces with the same security level on Cisco ASA

By default, the Cisco ASA does not allow traffic to flow between two interfaces that have the same security level, nor traffic that enters and leaves on the same interface. To ‘fix’ this, there are two commands you can use. Configuration example: ASA# conf t ASA(config)# same-security-traffic permit ? configure mode commands/options: inter-interface Permit communication between different …


Aug 21

How to suppress reset flag for dropped packets on Cisco ASA firewall

By default, the Cisco ASA inspects incoming packets and, if a packet matches one of the standard audit signatures, performs three actions: “alarm”, “drop” and “reset”. This is definitely a good thing, as it protects our network against potential attackers, but it causes one significant issue. Many companies are required to pass PCI DSS compliance audits or other similar security checks. Typical security …


Aug 21

How to remove TCP time stamp from packets on Cisco ASA

TCP timestamps, defined in RFC 1323, help TCP compute the round-trip time between the sender and receiver. Timestamp options include a 4-byte timestamp value, where the sender inserts its current value of its timestamp clock, and a 4-byte echo reply timestamp value, where the receiver generally inserts the most recent timestamp value that it has …


Aug 20

Hybrid solution using RackConnect – how it works


Hosting environments can be dedicated or cloud based. In recent years, more and more organizations have combined both architectures to achieve scalability, performance and cost reduction. Rackspace, the hosting company that developed OpenStack and is one of the leading providers of cloud solutions, offers a hybrid solution called RackConnect. In summary, RackConnect provides a physical link between dedicated …


Aug 20

Limiting connections rate for traffic destined on HTTP and HTTPS

In our example we are going to restrict the number of connections coming from the outside interface (Internet) on ports 80 and 443 to the local environment. Setting up this limit will protect the internal web servers against receiving too many connections, as happens in DDoS attacks and SYN flood attacks. We limit the maximum number of established connections to 1000. Embryonic (half-open) connection …


Aug 17

Reset-O on ASA/FWSM

The Reset-O TCP flag means that the reset came from the outside. Here is the syslog message reference: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/system/message/logmsgs_external_docbase_0900e4b18059d73b_4container_external_docbase_0900e4b180ef4f45.html#wp1280675

Aug 15

Junos for Cisco engineers


Jul 30

Palo Alto Firewall – Split-brain issue


A High Availability (HA) configuration is recommended to ensure availability of the network, and most companies and organizations use device pairs to achieve this goal. In some instances HA may cause unexpected issues even when the configuration and physical cabling are correct. One of the most common issues is called split-brain. Palo Alto Networks uses a private heartbeat …


Jul 30

Troubleshooting ISAKMP (IKE Phase 1) Negotiation on Cisco ASA

Troubleshooting VPN issues can be a time-consuming and frustrating task. In most cases the firewall will help us fix the issue, but we have to know how to read the messages it provides. We will look into the ISAKMP Phase 1 negotiation states and the possible reasons for problems establishing an association on a Cisco ASA firewall. In order …


Jul 29

Palo Alto Firewall SSL Decryption (Proxy) – Supported Cipher Suites


Palo Alto Networks devices decrypt and support the five cipher suites shown below:
RSA-AES256-CBC-SHA Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
RSA-AES128-CBC-SHA Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
RSA-3DES-EDE-CBC-SHA Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
RSA-RC4-128-MD5 Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
RSA-RC4-128-SHA Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Note: TLS 1.2 support has been added starting with PAN-OS 6.0, with the addition of the following …

