How to set up Internet access through the Cisco ASA firewall?

Basic guidelines for setting up Internet access through the Cisco ASA firewall: first, configure the interfaces on the firewall.

!-- Configure the outside interface.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.165.200.226 255.255.255.224
!-- Configure the inside interface.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0

The nameif command gives [...]

What are the NAT syntax changes in the Cisco ASA firewall?

There are major NAT syntax changes starting with ASA software version 8.3.

Regular static NAT:
Pre-8.3:
static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255
Version 8.3 and later:
object network obj-10.1.1.6
 host 10.1.1.6
 nat (inside,outside) static 192.168.100.100

Regular static PAT:
Pre-8.3:
static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 [...]

What is the difference between DoS and DDoS attacks?

In a Denial of Service (DoS) attack, a hacker uses a single Internet connection to either exploit a software vulnerability or flood a target with fake requests—usually in an attempt to exhaust server resources (e.g., RAM and CPU). On the other hand, Distributed Denial of Service (DDoS) attacks are launched from multiple connected devices that [...]

How to configure Site-to-Site VPN on Cisco ASA?

Access-Lists: add the ACLs that will be needed for NAT, the encryption domain and the group policy.

access-list Example_Policy_ACL extended permit tcp object-group Local_LAN object-group Remote_LAN eq 80
access-list Example_Policy_ACL extended deny ip any any
access-list Example_VPN_ACL permit ip object-group Local_LAN object-group Remote_LAN

Group Policy: create the group policy that will restrict traffic between hosts [...]

How does a packet flow through a Palo Alto firewall?

Basic:
Initial Packet Processing --> Security Pre-Policy --> Application --> Security Policy --> Post Policy Processing

Advanced:
Initial Packet Processing --> Source Zone/Source Address --> Forward Lookup --> Destination Zone/Destination Address --> NAT policy evaluated
Security Pre-Policy --> Check Allowed Ports --> Session Created
Application --> Check for Encrypted Traffic --> Decryption Policy --> Application Override Policy --> Application ID [...]

How does a packet flow through a Check Point firewall?

Check Point processes the packet on ingress and on egress using two chains.

Basic:
- Physical layer: ingress interface
- Data Link Layer/Ethernet
- Inspect Driver [Inspect Engine]
- Network Layer/IP Routing
- Inspect Driver
- Data Link Layer/Ethernet
- Physical layer: egress interface

Advanced:
1. NIC hardware: the network card receives electrical signalling from the link partner.
2. NIC [...]

How to configure QoS on the Cisco ASA firewall?

There are three steps for configuring QoS on the Cisco ASA firewall.

1. Identify the traffic, i.e. define the traffic classes. To identify the traffic, first create a new access-list that matches it. Once the access-list is created, reference it in a class-map:

ciscoasa(config)# access-list qos extended permit tcp any any eq 25
ciscoasa(config)# class-map qos
ciscoasa(config-cmap)# match access-list [...]

Palo Alto CLI cheat sheet

Device management:
Show general system-health information --> show system info
Show percent usage of disk partitions --> show system disk-space
Show the maximum log file size --> show system logdb-quota
Show running processes --> show system software status
Show processes running in the management plane --> show system resources
Show resource utilization in the dataplane [...]

Check Point firewall common commands, part 2

For basic firewall information gathering:
fgate stat - Status and statistics of FloodGate-1.
fwaccel <stat|stats|conns> - View status, statistics or the connection table of SecureXL.
fw getifs - Show the list of configured interfaces with IP and netmask.
cpstat <app_flag> [-f flavour] - View OS, HW and CP application status. Issue cpstat without any options to see all possible application flags <app_flag> and [...]

How to set up NAT exemption for site-to-site and remote VPN in Cisco ASA version 8.3

----For Site-to-Site VPN----
Suppose the topology is:
192.168.10.0/24 inside(ASA1)outside ===VPN=== outside(ASA2)inside 192.168.20.0/24

On ASA1 the NAT exemption can then be configured like this:

object network local-obj
 subnet 192.168.10.0 255.255.255.0
object network remote-obj
 subnet 192.168.20.0 255.255.255.0
nat (inside,outside) 1 source static local-obj local-obj destination static remote-obj remote-obj

----For Remote VPN----
Suppose the topology is 192.168.3.0/24 [...]

How to configure NAT exemption in version 8.3 for VPN on the Cisco ASA?

1) For point-to-point VPN
The scenario is:
192.168.1.x/24 inside(ASA1)outside ===VPN_tunnel=== outside(ASA2)inside 192.168.2.0/24

If you were configuring the NAT exemption on ASA1 for this site-to-site VPN tunnel, it would look like this:

object network obj-local-subnet
 subnet 192.168.1.0 255.255.255.0
object network obj-remote-subnet
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local-subnet obj-local-subnet destination static obj-remote-subnet obj-remote-subnet

2) For remote access VPN [...]

Suppose server X is not able to reach server Y through the ASA firewall; how will you troubleshoot the connectivity?

To check whether the access is allowed through the ASA you can use the packet-tracer command:

packet-tracer input Inside tcp 10.1.1.10 80 172.16.1.10 80 detailed

Here 10.1.1.10 80 is the source address/port and 172.16.1.10 80 is the destination address/port. Packet-tracer checks multiple parameters, such as NAT, ACL and route, to determine whether the access is allowed or not. If something is blocking the access it will [...]

What are the new features in the new Cisco ASA version 9?

1.) Cisco TrustSec integration: in this release, the ASA integrates with Cisco TrustSec to provide security-group-based policy enforcement based on the roles of source and destination devices rather than on network IP addresses.
2.) Cisco Cloud Web Security (ScanSafe): this feature provides content scanning and other malware protection services for web traffic. It can redirect [...]

What ports are used for VPN?

Internet Protocol Security (IPsec) uses IP protocol 50 for ESP (Encapsulating Security Payload), IP protocol 51 for Authentication Header (AH), and UDP port 500 for IKE Phase 1 and Phase 2 negotiations. If NAT-T is used, UDP ports 500 and 4500 are used for IKE Phase 1 and Phase 2 negotiations. Secure Sockets [...]

Are digital certificates replicated in a Cisco ASA’s Active/Standby failover configuration?

Yes. Third-party digital certificates used for HTTPS (i.e. from Entrust, Verisign, Microsoft, etc.) that are installed on the Active ASA are replicated to the Standby ASA in an active/standby failover configuration. However, the ASA's local CA-generated certificates used for SSL VPN remote access are not replicated to the standby ASA.