From ASA Command Reference:
For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the forward interface command in interface configuration mode to restore connectivity for one VLAN from initiating contact to one other VLAN. To restrict one VLAN from initiating contact to one other VLAN, use the no form of this command. You might need to restrict one VLAN depending on how many VLANs your license supports.
Dec 29, 2010
Dec 9, 2010
Static route issue
If you make a typo when setting up a static route, the result can be a route you cannot remove. For example, if you mean to add a static route for 10.10.10.0/24 but type the netmask wrong, the route is accepted, yet the no form of the same command fails to delete it:
asa(config)# route inside 10.10.10.0 255.255.25.0 192.168.100.254
asa(config)# no route inside 10.10.10.0 255.255.25.0 192.168.100.254
%No matching route to delete
asa(config)# no route inside 10.10.10.0 255.255.25.0 192.168.100.254
%No matching route to delete
Categories:
ASA,
Configuring,
PIX,
Troubleshooting
Nov 24, 2010
Tips on output filtering
During troubleshooting sessions you execute several show commands to collect information. Often you do not need all of the output, so you use the vertical bar (the pipe symbol) to filter it. In this article I will show some useful filtering expressions.
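A handful of filter expressions of the kind the post refers to, added here as an illustration (the commands and the sample addresses below are mine, not taken from the original post):

```cisco
! "include" keeps only the lines that match the regular expression
show running-config | include access-list
! "exclude" drops the matching lines and keeps everything else
show running-config | exclude description
! "begin" starts the output at the first matching line and prints all that follows
show running-config | begin interface Vlan2
! "grep" behaves like include; "grep -v" inverts the match
show conn | grep 192.0.2.10
show xlate | grep -v 10.1.1.
! The argument is a regular expression, so anchors and character classes work:
! static routes only (lines starting with "S") and ACEs that have actually been hit
show route | include ^S
show access-list | include hitcnt=[1-9]
```

The filters work line by line, so a match inside a multi-line object (an object-group, a policy-map) loses its context; for those, show the whole object instead, for example `show running-config object-group id NAME`.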
Categories:
ASA,
Monitoring,
PIX,
Troubleshooting
Oct 6, 2010
Forwarding services through a secondary ISP
In this post I'm going to show how to implement a policy to forward some specific service through a secondary ISP. A dual-ISP scenario was described in my post about redundancy.
Categories:
ASA,
Configuring,
PIX
Sep 22, 2010
The gateway address is wrong, but I have access to the Internet. Why?
In order to reach unknown networks, a host needs a gateway to forward the traffic. The gateway is a device connected to the local network and to at least one external network. That device must be able to route packets so that it can forward the traffic towards unknown destinations. Ok, we know that. What's the big news?
Is it possible to reach the Internet even if the gateway address is wrong? Yes. Maybe. I will demonstrate how, using the following scenario:
Categories:
ASA,
PIX,
Troubleshooting
Sep 17, 2010
How to view historical performance data on PIX/ASA?
Recent performance data can be collected with some show commands (show cpu, show memory, etc.). For historical performance data, however, ASDM History Tracking is required. This feature was introduced in OS 7.0(1) to replace the PDM History feature.
Categories:
ASA,
Monitoring,
PIX
Sep 15, 2010
How to control webmail traffic?
Sender Policy Framework (SPF) is an open standard that can be used to hinder spammers. Using SPF, domain administrators publish which mail servers are allowed to send mail for their domain, and receivers can then check whether a message came from an authorized server.
The same records are also useful when you need to implement access rules to control traffic going to or coming from webmail servers.
Categories:
ASA,
Configuring,
PIX
Sep 6, 2010
How to bypass SMTP Inspection?
The default ESMTP inspection policy acts on messages that match one of the following conditions (all of them drop the connection except the body line length check, which by default only logs):
- Command line length greater than 512 bytes
- More than 100 recipients (RCPT commands) in one message
- Body line length greater than 998 bytes
- Header line length greater than 998 bytes
- Sender address length greater than 320 bytes
- MIME filename length greater than 255 bytes
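The configuration below is an added example, not the content of the original post. It shows the built-in ESMTP map that produces the limits listed above (as it appears in 8.x configurations; verify yours with `show running-config all policy-map`), and then three ways to get around it: switching the inspection off entirely, exempting a single mail server, and keeping inspection but allowing STARTTLS, which the default map blocks. The server address 192.0.2.25 and the names ESMTP_INSPECT and ESMTP_TLS are placeholders.

```cisco
! Default map, for reference only (it already exists; do not retype it)
policy-map type inspect esmtp _default_esmtp_map
 description Default ESMTP policy-map
 parameters
  no mail-relay
  no special-character
  no allow-tls
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
 match header line length gt 998
  drop-connection log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
!
! Option 1 (blunt): stop inspecting SMTP for all traffic
policy-map global_policy
 class inspection_default
  no inspect esmtp
!
! Option 2 (preferred): keep inspection, exempt one server (192.0.2.25 is a placeholder).
! A "deny" ACE in an ACL used by a class-map excludes that traffic from the class.
access-list ESMTP_INSPECT extended deny tcp any host 192.0.2.25 eq smtp
access-list ESMTP_INSPECT extended permit tcp any any eq smtp
class-map ESMTP_INSPECT
 match access-list ESMTP_INSPECT
policy-map global_policy
 class inspection_default
  no inspect esmtp
 class ESMTP_INSPECT
  inspect esmtp
!
! Option 3: keep the default limits but let clients negotiate STARTTLS
! (the default "no allow-tls" masks the STARTTLS capability; needs 8.0(3) or later)
policy-map type inspect esmtp ESMTP_TLS
 parameters
  allow-tls
policy-map global_policy
 class inspection_default
  inspect esmtp ESMTP_TLS
```

Whichever option you pick, remember that once a flow is no longer inspected the firewall enforces none of the limits above for it, so the mail server behind it has to be able to handle oversized commands and recipient lists on its own. Check the result with `show service-policy inspect esmtp`.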
Categories:
ASA,
Configuring,
PIX
Sep 1, 2010
Blocking WebDAV methods
WebDAV is an extension to the HTTP protocol described in RFC 2518 (since obsoleted by RFC 4918). There have been vulnerabilities in Windows components that could be exploited over WebDAV, so blocking outbound WebDAV traffic is a good hardening practice.
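One way to do that with the ASA's HTTP inspection engine (7.2 and later), added here as an example rather than the configuration from the original post. The WebDAV verbs are matched by request method and the connection is dropped and logged; the map name BLOCK_WEBDAV is a placeholder.

```cisco
! HTTP inspection map that drops the WebDAV request methods
policy-map type inspect http BLOCK_WEBDAV
 parameters
  protocol-violation action drop-connection log
 match request method propfind
  drop-connection log
 match request method proppatch
  drop-connection log
 match request method mkcol
  drop-connection log
 match request method copy
  drop-connection log
 match request method move
  drop-connection log
 match request method lock
  drop-connection log
 match request method unlock
  drop-connection log
 match request method search
  drop-connection log
!
! Apply it to the default class (which matches HTTP on port 80 only)
policy-map global_policy
 class inspection_default
  inspect http BLOCK_WEBDAV
```

Two caveats: the default class only covers TCP port 80, so a WebDAV client talking to another port needs its own class-map, and anything over HTTPS is invisible to the inspection engine. Confirm the map is active and counting drops with `show service-policy inspect http`.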
Categories:
ASA,
Configuring,
PIX
Aug 28, 2010
Static NAT - Does the order of commands matter?
I have implemented the following scenario to demonstrate the behavior of the ASA/PIX after changing the order of the static NAT rules.
Categories:
ASA,
Configuring,
PIX,
Troubleshooting
Aug 13, 2010
DNS Rewrite
DNS Rewrite is a feature of the ASA and PIX that enables the firewall to rewrite the A records in DNS replies, for cases where the client and the destination server are on the same network or, for example, where the server's public IP address is statically mapped to a DMZ address. I have implemented the following scenario using DNS Rewrite with a router running IOS as the DNS server.
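The two forms the feature takes on the ASA, shown as an added example (not the scenario from the original post). It assumes a web server at 10.1.2.10 in the DMZ, published on the outside as 203.0.113.10, and inside clients that resolve the name through an external DNS server. In both forms the rewrite only happens if DNS inspection is enabled, which is why the global policy is shown too.

```cisco
! Pre-8.3 syntax (the releases this post was written against): the "dns" keyword
! on the static makes the firewall rewrite 203.0.113.10 to 10.1.2.10 in A records
! of inspected DNS replies that arrive on the outside interface.
static (dmz,outside) 203.0.113.10 10.1.2.10 netmask 255.255.255.255 dns
!
! DNS rewrite is performed by the DNS inspection engine, so it must be on
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! 8.3 and later: the same rule as object NAT (addresses are placeholders)
object network DMZ_WEB
 host 10.1.2.10
 nat (dmz,outside) static 203.0.113.10 dns
```

To check it, resolve the name from an inside host: the answer should already be 10.1.2.10 even though the authoritative record holds 203.0.113.10. If the client still gets the public address, the usual causes are DNS inspection missing from the policy or the resolver being reached over a path (for example TCP, or a port other than 53) that the inspection class does not cover.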
Categories:
ASA,
Configuring,
PIX
Aug 7, 2010
Steps to setup a VPN on ASA/PIX
You should read the configuration guides and command references to learn how to set up a VPN on ASA/PIX. But if you do not have access to those documents, what will you do?
Categories:
ASA,
Configuring,
PIX
Aug 1, 2010
High availability using ASA/PIX
Categories:
ASA,
Configuring,
PIX
Jul 27, 2010
Debugging interface status on failover pairs
Should static routes interfere with the operation of ASA/PIX failover pairs? I don't think so. However, it is possible! So I'm going to describe a scenario where that issue might happen.
Categories:
ASA,
PIX,
Troubleshooting
Jul 24, 2010
Simplifying ACEs using object-groups
In this post I will present a simplification for implementing an ACE with object-groups. It is not described in the ASA/PIX command reference (only in the configuration guide example of this configuration on the Cisco portal).
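An added example of the kind of simplification object-groups give, which also serves the earlier post on controlling webmail traffic: one ACE built from a network group of client subnets, a network group of webmail servers and a service group of mail ports replaces the dozen ACEs you would otherwise write. The addresses are documentation ranges chosen for the example and the group names are placeholders; neither comes from the original posts.

```cisco
! Webmail servers (for a real provider, take the addresses from its published ranges)
object-group network WEBMAIL_SERVERS
 network-object host 198.51.100.25
 network-object 203.0.113.0 255.255.255.0
! Mail submission/transport ports in one service group
object-group service MAIL_TCP tcp
 port-object eq smtp
 port-object eq 587
 port-object eq 465
! Internal client subnets
object-group network INSIDE_CLIENTS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
!
! One ACE instead of 2 sources x 2 destinations x 3 ports = 12 individual lines
access-list INSIDE_IN extended deny tcp object-group INSIDE_CLIENTS object-group WEBMAIL_SERVERS object-group MAIL_TCP
access-list INSIDE_IN extended permit ip object-group INSIDE_CLIENTS any
access-group INSIDE_IN in interface inside
```

The firewall still expands the groups internally: `show access-list INSIDE_IN` lists every expanded ACE with its own hit count, which is what you want when checking whether a particular server or port is actually being blocked. Keep in mind that the total ACE count after expansion, not the number of lines you typed, is what counts against the platform limits.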
Categories:
ASA,
Configuring,
PIX
Jul 21, 2010
Configuring NAT on ASA/PIX
I've designed a network scenario where I could apply every NAT type supported by ASA/PIX. Below is what I got:
Categories:
ASA,
Configuring,
PIX
Jul 20, 2010
Controlling intra-interface traffic
If you need to allow unencrypted traffic to enter and leave the same interface (e.g., from inside to inside, also known as hairpinning), you just need to enable the command below.
(config)# same-security-traffic permit intra-interface
Cisco published an article explaining that configuration. However, if the firewall policy has NAT rules, that command alone is not enough to make it work. I will use the following scenario as an example; it is similar to the one presented in Cisco's article.
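The piece that is usually missing, shown here as an added example for pre-8.3 releases (it is not the scenario from the original post): when nat-control is enabled, or a dynamic nat rule already covers the inside addresses, the hairpinned packets must also match a translation for the (inside,inside) interface pair, otherwise the firewall drops them with a 305005 "No translation group found" message. An identity static for the same interface on both sides satisfies that without changing any address. The subnet 10.1.1.0/24 and the addresses in the packet-tracer line are placeholders.

```cisco
! Allow traffic to enter and leave the same interface
same-security-traffic permit intra-interface
!
! Pre-8.3 only: identity translation for the inside-to-inside pair, so the
! hairpinned flow has a matching NAT rule when nat-control / dynamic NAT is in use
static (inside,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! Verify the whole path, including the NAT lookup, before blaming the ACLs
packet-tracer input inside tcp 10.1.1.10 12345 10.1.1.20 80
```

The packet-tracer output should end with "Action: allow" and show the identity static in its NAT phase; a "NAT" phase with "Action: drop" is the symptom the static above fixes. On 8.3 and later nat-control is gone, so this particular translation requirement does not apply, but any NAT rule you do have for the inside network still has to be checked the same way.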
Categories:
ASA,
Configuring,
PIX
Jul 16, 2010
Syslog over IPSec
I have identified an issue when ASAs are configured to send syslog messages over an IPsec tunnel. For some unknown reason, I have seen some devices try to establish the connection to the log server without forwarding the traffic through the tunnel. Thus the log messages are not saved, since the remote peer blocks the unencrypted packets.
Categories:
ASA,
Troubleshooting
Jul 12, 2010
Active/Standby Failover - Swapping the units roles
One of the appliances in an Active/Standby failover configuration is set as the primary unit and the other as the secondary. Thus the devices are able to negotiate which one will be Active after the boot process completes (the primary, if everything has loaded correctly).
If for some reason you need to swap the device roles (primary/secondary) without an outage, it will be necessary to break the failover link. Otherwise both boxes would change to the Active state simultaneously, which results in a conflict that makes them lose failover connectivity (HELLO messages are not sent/received properly). Furthermore, you would create a lockout situation for one of the units, since both would be using the same IP addresses.
Categories:
ASA,
Configuring,
PIX
References for ASA and PIX
- ASA Configuration Guides
- ASA Command References
- ASA Configuration Examples and Technotes
- ASA Error and System Messages
- ASA Release Notes
- PIX Configuration Guides
- PIX Command References
- PIX Configuration Examples and Technotes
- PIX Error and System Messages
- PIX Release Notes
Categories:
ASA,
Documents,
PIX
My journey to CCIE Security
Although I like to write about technical subjects, I have never been a blogger because I don't like feeling obligated to write at defined intervals or anything like that. Yeah... this is/will be a blog about technical stuff. I decided to create it as a notebook for personal use while I prepare to attempt the CCIE Security exam, which I plan to do by the end of next year. I could just make some text files and save them on my PC; however, by blogging I keep the notes always available to me and to anyone else who is interested.
The blog name "Packets Never Lie" is a quote by Laura Chappell. I took that maxim as the basis for doing my job, since all network issues can be fixed if we understand what is going through the NICs, cables, switches, routers etc.
Perhaps the intervals between the first posts won't be short, since I am preparing for other certification exams besides the CCIE. Nevertheless, I will blog only about topics related to the CCIE exam.
First of all, I will make some notes on ASA and PIX since I'm in touch with those devices everyday. While studying, I will write articles about routers and switches, IPS/IDS, security protocols, resources and technologies.
This will be my journey to CCIE Security... :)