admin – Page 3 – Network Interview QnA

How to enable multiple context in the Cisco ASA firewall

Cisco ASA firewall is possibly already configured for multiple security contexts dependent upon how you ordered it from Cisco, but if you are upgrading then you might need to convert from single mode to multiple mode. The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. [...]

How to setup the internet access through the Cisco ASA firewall?

Basic Guidelines for setting Internet through the Cisco ASA firewall: At first we need to configure the interfaces on the firewall. !— Configure the outside interface. interface GigabitEthernet0/0 nameif outside security-level 0 ip address 10.165.200.226 255.255.255.224 !— Configure the inside interface. interface GigabitEthernet0/1 nameif inside security-level 100 ip address 10.1.1.1 255.255.255.0 The nameif command gives [...]

What are the NAT syntax changes in the Cisco ASA firewall

There are major nat syntax changes after the ASA firewall iOS version 8.3. Regular static NAT: In the pre 8.3- static (inside,outside) 192.168.100.100 10.1.1.6 net mask 255.255.255.255 In the version 8.3 and later- object network obj-10.1.1.6 host 10.1.1.6 nat (inside,outside) static 192.168.100.100 Regular static PAT: In the pre 8.3- static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 [...]

What is ICMP?

ICMP is Internet Control Message Protocol, a network layer protocol of the TCP/IP suite used by hosts and gateways to send notification of datagram problems back to the sender. It uses the echo test / reply to test whether a destination is reachable and responding. It also handles both control and error messages.

How to modify SSH/HTTP/Telnet time out in Cisco ASA firewall?

By default tcp idle timeout is 1:0:0 hh:mm:ss. If in case you need to modify it you can do it by MPF (Modular Policy Framework). Let us setup a custom timeout when traffic is coming from particular host 10.77.241.129. !— Match the traffic using the access-list —! object-group service DM_INLINE_TCP_1 tcp port-object eq www port-object [...]

What are the important topologies for networks?

There are five topologies for networks 1. Ring Topology 2. Star Topology. 3. Bus Topology. 4. Mess Topology. 5. Hybrid Topology.

What is difference between DoS vs DDoS attacks?

In a Denial of Service (DoS) attack, a hacker uses a single Internet connection to either exploit a software vulnerability or flood a target with fake requests—usually in an attempt to exhaust server resources (e.g., RAM and CPU). On the other hand, Distributed Denial of Service (DDoS) attacks are launched from multiple connected devices that [...]

What is DoS attack? How can it be prevented?

DoS (Denial of Service) attack can be generated by sending a flood of data or requests to a target system resulting in a consume/crash of the target system’s resources. The attacker often uses ip spoofing to conceal his identity when launching a DoS attack.

BIG-IP F5 LTM Load balancing methods

BIG-IP LTM provides a variety of load balancing methods to choose from. There are two types of load balancing methods. statistic load balancing method / mode. dynamic load balancing mode. 1. statistic load balancing mode:- There are two static load balancing modes. 1.Round robin 2.Ratio 2..Dynamic load balancing mode:- 1.least connections 2.fastest 3.observed 4.predictive 5.dynamic [...]

Please update your app otherwise you will not receive future updates!!

We recently upgraded our app. Please install the latest update or in few days you will not able to receive the updates for app.

What is the difference between the F5 LTM vs GTM?

The biggest difference between the GTM and LTM is traffic doesn’t actually flow through the GTM to your servers. The GTM is an intelligent name resolver, intelligently resolving names to IP addresses. Once the GTM provides you with an IP to route to you’re done with the GTM until you ask it to resolve another [...]

Acronyms

A • AAL: ATM Adaptation Layer • ABM: Asynchronous Balance Mode • ABR: Available Bit Rate • AC: Access Control • ACK: Acknowledgment • ADSL: Asymmetric Digital Subscriber Links • ANI: Automatic Number Identification • ANSI: American National Standards Institute • API: Application Programming Interface • ARM: Asynchronous Response Mode • ARP: Address Resolution Protocol [...]

How to troubleshoot access related problems in Cisco ASA

Cisco ASA has very powerful troubleshooting feature in ASA software version 7.2(1) or later that virtually eliminates the guesswork. Packet-tracer allows a firewall admins to inject a virtual packet into the security appliance and track the flow from ingress to egress. Along the way, the packet is evaluated against flow and route lookups, ACLs, protocol [...]

In IPSEC, If ESP provides both encryption and authentication, why is AH required.

ESP does not provide authentication to the outer IP header, which AH does.

What command displays a summary list of OSPF interfaces that includes a column for the cost of each interface?

R1#show ip ospf interface brief

BGP Quick notes

A transit AS is an AS that routes traffic from one external AS to another external AS The “show ip bgp” command is used to display entries in the BGP routing table. The AS-PATH attribute is used to prevent BGP routing loops. When receiving an BGP advertisement, the router checks the AS-PATH attribute, [...]

Passive interface (RIP,OSPF,EIGRP)

Passive-interface command is used in all routing protocols to disable sending updates out from a specific interface. However the command behavior varies from one protocol to another. RIP: In RIP this command will disable sending multicast updates via a specific interface but will allow listening to incoming updates from other RIP enabled neighbors.This simply means [...]

Quick notes for EIGRP

EIGRP is a Cisco proprietary protocol which means it will work only on Cisco routers. EIGRP is also called advanced distance vector or Hybrid routing protocol. Multicast or unicast is used for exchange of information. Multiple network layer protocols are supported. 100% loop-free. By default,EIGRP will limit itself to use no more than 50% of [...]

Memorising the BGP decision making process

1. Weight (Bigger is better) 2. Local preference (Bigger is better) 3. Self originated (Locally injected is better than iBGP/eBGP learned) 4. AS-Path (Smaller is better) 5. Origin 6. MED (Smaller is better) 7. External (Prefer eBGP over iBGP) 8. IGP cost (Smaller is better) 9. EBGP Peering (Older is better) 10. Router- ID

What is Multi VLAN port ?

The multi-VLAN port is a feature which allows switch for configuring a single port for two or more vlans. This feature allows users from different VLANs to access a server or router without implementing InterVLAN routing capability. A multi-VLAN port performs normal switching functions in all its assigned VLANs. Multi-VLAN port will not work when [...]

Cisco ASA troubleshooting commands

AAA debug radius debug tacacs show aaa-server protocol PROTOCOL_NAME test aaa-server Access Control Lists show access-list show run | include ACCESS_LIST_NAME show run object-group show run time-range Application Inspection show conn state STATE_TYPE detail show service-policy Configuring Interfaces show firewall show int show int ip brief show ip show mode show nameif show run interface [...]

OSPF Neighbourship conditions

What is the use of default route?

In computer networking, the default route is a setting on a computer that defines the packet forwarding rule to use when no specific route can be determined for a given Internet Protocol (IP) destination address. All packets for destinations not established in the routing table are sent via the default route. The default route generally [...]

SNMP

Simple Network Management Protocol (SNMP) is an application–layer protocol defined by the Internet Architecture Board (IAB) in RFC1157 for exchanging management information between network devices. It is a part of Transmission Control Protocol⁄Internet Protocol (TCP⁄IP) protocol suite. SNMP is one of the widely accepted protocols to manage and monitor network elements. Most of the professional–grade [...]

How ARP works?

ARP stands for Address Resolution Protocol. When you try to ping an IP address on your local network, say 192.168.1.1, your system has to turn the IP address 192.168.1.1 into a MAC address. This involves using ARP to resolve the address, hence its name. Systems keep an ARP look-up table where they store information about [...]

How Load balancer works?

A load balancer is a device that acts as a reverse proxy and distributes network or application traffic across a number of servers. Load balancers are used to increase capacity (concurrent users) and reliability of applications. They improve the overall performance of applications by decreasing the burden on servers associated with managing and maintaining application and [...]

TCP- Three way handshake

The Three-way handshake begins with the initiator sending a TCP segment with the SYN control bit flag set. TCP allows one side to establish a connection. The other side may either accept the connection or refuse it. If we consider this from application layer point of view, the side that is establishing the connection is [...]

SPAN

The SPAN feature, which is sometimes called port mirroring or port monitoring, selects network traffic for analysis by a network analyzer. The network analyzer can be a Cisco SwitchProbe device or other Remote Monitoring (RMON) probe.

How to troubleshoot access issues in Cisco ASA?

Using packet-tracer it is possible to trace the lifespan of a packet through the security appliance to see if it is behaving as expected. packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml] The packet-tracer command lets you do the following: -Debug all packet drops in production network. -Verify the configuration is working as [...]

How to configure Site-to-Site VPN on Cisco ASA?

Access-Lists Add the ACLs which we will need to NAT, the encryption domain and the group policy. access-list Example_Policy_ACL extended permit tcp object-group Local_LAN object-group Remote_LAN eq 80 access-list Example_Policy_ACL extended deny ip any any access-list Example_VPN_ACL permit ip object-group Local_LAN object-group Remote_LAN Group Policy Create your group policy which will restrict traffic between hosts [...]

How to troubleshoot if OSPF neighbors are stuck in the two-way state

When Open Shortest Path First (OSPF) is enabled on a router or when a router configured for OSPF is powered up, it tries to discover its OSPF neighbors and synchronize its database with them. Routers are said to be OSPF neighbors when they see their router ID in the received hello packet and the status [...]

What is PBR and How to configure it?

Introduction: Policy-Based Routing (PBR) provides a method to forward packets by overriding the information available in the IP routing table. By using PBR, customers can implement policies that selectively cause packets to take different paths. Traditional IP routing forwards packets based only on the destination IP address in the packet. PBR can be configured to [...]

How packet flow in Palo Alto Firewall?

Basic: Initial Packet Processing —-> Security Pre-Policy —-> Application —-> Security Policy —-> Post Policy Processing Advance: Initial Packet Processing —-> Source Zone/Source Address —-> Forward Lookup —-> Destination Zone/Destination Address —-> NAT policy evaluated Security Pre-Policy —-> Check Allowed Ports —-> Session Created Application —-> Check for Encrypted Traffic —-> Decryption Policy —-> Application Override Policy —-> Application ID [...]

How packet flows in Checkpoint firewall?

Checkpoint process the packet in the ingress and the egress using two CHAINS. Basic: -Physical layer – ingress interface -Data Link Layer/Ethernet -Inspect Driver [inspect Engine] -Network Layer/IP Routing -Inspect Driver -Data Link Layer/Ethernet -Physical layer – egress interface Advance: 1. NIC hardware -The network card receives electrical signalling from the link partner. 2. NIC [...]

What are basic steps in configuring SSL VPN on checkpoint firewall?

When you enable the SSL VPN blade in Checkpoint firewall: You are automatically given a 30 day trial license for 10 users. Start the SSL VPN Wizard: -Configure your firewall access rules to permit SSL VPN traffic. The actual rules needed depend on your configuration. -A rule allowing HTTPS (TCP/443) traffic is automatically added to [...]

How to configure QoS on Cisco ASA firewall

There are three steps for configuring the QoS on Cisco ASA firewall 1.Identify the traffic or define the traffic classes. To identify the traffic first create a new access-list to match the traffic. Once access-list is created call it in the class-map ciscoasa(config)#access-list qos extended permit tcp any any eq 25 ciscoasa(config)#class-map qos ciscoasa(config-cmap)#match access-list [...]

How configuration rollback feature works in Nexus Switches

The rollback feature allows you to take a snapshot, or user checkpoint, of the Cisco NX-OS configuration and then reapply that configuration to your device at any point without having to reload the device. This checkpoint can be extremely useful when a new change is being tested and want immediate return to an original/stable configuration [...]

Can two different VTP Domain communicate with each other. If yes then how

Two different VTP domains cannot exchange VLAN database information. In fact, splitting a switched network into more VTP domains is one of the few ways how to make one part of the network independent from another with respect to VTP. If two switches are supposed to synchronise their VLAN databases via VTP, they must be [...]

Cisco ASA firewall common troubleshooting commands part 1

Check the system status myfirewall/pri/act# show firewall Firewall mode: Router myfirewall/pri/act# show version Cisco Adaptive Security Appliance Software Version 9.1(1) Device Manager Version 7.1(1)52 Compiled on Wed 28-Nov-12 10:38 by builders System image file is “disk0:/asa911-k8.bin” Config file at boot was “startup-config” myfirewall up 218 days 1 hour failover cluster up 5 years 10 days [...]

Palo Alto-CLI cheat sheet

Device management: Show general system-health information –> show system info Show percent usage of disk partitions –> show system disk-space Show the maximum log file size –> show system logdb-quota Show running processes –> show system software status Show processes running in the management plane –> show system resources Show resource utilization in the dataplane [...]