Should static routes interfere with the operation of ASA/PIX failover pairs? I don't think so. However, it is possible! So I'm going to describe a scenario where that issue might happen.
Jul 27, 2010
Jul 24, 2010
Simplifying ACEs using object-groups
In this post I will present a simplification for implementing an ACE using object-groups. This is not described in the ASA/PIX command reference (only in a configuration example for this feature in the configuration guide on the Cisco portal).
Categories:
ASA,
Configuring,
PIX
Jul 21, 2010
Configuring NAT on ASA/PIX
I've designed a network scenario where I could apply every NAT type supported by ASA/PIX. Below is what I got:
Categories:
ASA,
Configuring,
PIX
Jul 20, 2010
Controlling intra-interface traffic
If you need to allow unencrypted traffic to flow in and out of the same interface (e.g., from inside to inside), you just need to enable the command below.
(config)# same-security-traffic permit intra-interface
Cisco published an article explaining that configuration. However, if the firewall policy has NAT rules, that command alone is not enough to get it working. As an example I will use the following scenario, which is similar to the one presented in Cisco's article.
Categories:
ASA,
Configuring,
PIX
Jul 16, 2010
Syslog over IPSec
I've identified an issue when ASAs are configured to send syslog messages over an IPSec tunnel. For some unknown reason, I've seen some devices trying to establish the connection to the log server without forwarding the traffic through the tunnel. Thus, the log messages are not saved, since the remote peer blocks the unencrypted packets.
Categories:
ASA,
Troubleshooting
Jul 12, 2010
Active/Standby Failover - Swapping the units roles
One of the appliances in an Active/Standby failover configuration is set as the primary unit and the other as the secondary one. Thus, the devices are able to negotiate which one will be Active after completing the boot process (it will be the primary, provided everything has loaded fine).
If for some reason you need to swap the device roles (primary/secondary) without an outage, it will be necessary to break the cluster link. Otherwise both boxes would change to the Active state simultaneously, which results in a conflict that makes them lose failover connectivity (HELLO messages are not sent/received properly). Furthermore, you'd create a lockout situation for one of the units, since both would be using the same IP addresses.
Categories:
ASA,
Configuring,
PIX
References for ASA and PIX
- ASA Configuration Guides
- ASA Command References
- ASA Configuration Examples and Technotes
- ASA Error and System Messages
- ASA Release Notes
- PIX Configuration Guides
- PIX Command References
- PIX Configuration Examples and Technotes
- PIX Error and System Messages
- PIX Release Notes
Categories:
ASA,
Documents,
PIX
My journey to CCIE Security
Although I like to write about technical subjects, I've never been a blogger because I don't like to feel obligated to write at defined intervals or anything like that. Yeah... this is/will be a blog about technical stuff. I decided to create it as a notebook for personal use while I'm preparing to take the CCIE Security exam, which I'm planning to do by the end of next year. I could just make some text files and save them to my PC; however, by blogging I keep the notes always available to me and to anyone else who is interested.
The blog name "Packets Never Lie" is a quote by Laura Chappell. I took that maxim as the basis for doing my job, since all network issues can be fixed if we understand what is going through the NICs, cables, switches, routers, etc.
Perhaps the intervals between the first posts won't be short, since I'm also preparing to take other certification exams besides the CCIE. Nevertheless, I will blog only about topics related to the CCIE exam.
First of all, I will make some notes on ASA and PIX since I'm in touch with those devices every day. While studying, I will write articles about routers and switches, IPS/IDS, security protocols, resources and technologies.
This will be my journey to CCIE Security... :)