How to set up Internet access through the Cisco ASA firewall?

Basic guidelines for setting up Internet access through the Cisco ASA firewall: first, configure the interfaces on the firewall.
!-- Configure the outside interface.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address
!-- Configure the inside interface.
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address
The nameif command gives [...]

What are the NAT syntax changes in the Cisco ASA firewall?

There are major NAT syntax changes starting with ASA version 8.3.
Regular static NAT:
Pre-8.3:
static (inside,outside) netmask
8.3 and later:
object network obj-
host
nat (inside,outside) static
Regular static PAT:
Pre-8.3:
static (inside,outside) tcp 80 [...]

How to configure Site-to-Site VPN on Cisco ASA?

Access-Lists
Add the ACLs that will be needed for NAT, the encryption domain and the group policy.
access-list Example_Policy_ACL extended permit tcp object-group Local_LAN object-group Remote_LAN eq 80
access-list Example_Policy_ACL extended deny ip any any
access-list Example_VPN_ACL permit ip object-group Local_LAN object-group Remote_LAN
Group Policy
Create your group policy, which will restrict traffic between hosts [...]

How to set up NAT exemption for site-to-site and remote-access VPN in Cisco ASA version 8.3?

---- For Site-to-Site VPN ----
Suppose the topology is inside(ASA1)outside ===VPN=== outside(ASA2)inside. On ASA1 the NAT exemption looks like this:
object network local-obj
subnet
object network remote-obj
subnet
nat (inside,outside) 1 source static local-obj local-obj destination static remote-obj remote-obj
---- For Remote VPN ----
Suppose the topology is [...]

How to configure NAT Exemption in version 8.3 for VPN in Cisco ASA?

1) For point-to-point VPN
Scenario: 192.168.1.x/24 inside(ASA1)outside ===VPN_tunnel=== outside(ASA2)inside
If you were configuring NAT exemption on ASA1 for this site-to-site VPN tunnel, it would look like this:
object network obj-local-subnet
subnet
object network obj-remote-subnet
subnet
nat (inside,outside) 1 source static obj-local-subnet obj-local-subnet destination static obj-remote-subnet obj-remote-subnet
2) For remote-access VPN [...]

Suppose server X is not able to reach server Y through the ASA firewall. How would you troubleshoot the connectivity?

To check whether the access is allowed through the ASA you can use the packet-tracer command:
packet-tracer input Inside tcp 80 (source address/port) 80 (destination address/port) detailed
Packet-tracer checks multiple parameters, such as NAT, ACL and route, to determine whether the access is allowed. If something is blocking the access it will [...]

What are the new features in Cisco ASA version 9?

1) Cisco TrustSec integration: In this release, the ASA integrates with Cisco TrustSec to provide security-group-based policy enforcement based on the roles of source and destination devices rather than on network IP addresses.
2) Cisco Cloud Web Security (ScanSafe): This feature provides content scanning and other malware protection services for web traffic. It can redirect [...]

Are digital certificates replicated in a Cisco ASA's Active/Standby failover configuration?

Yes. Third-party digital certificates used for HTTPS (e.g. from Entrust, VeriSign, Microsoft, etc.) that are installed on the active ASA are replicated to the standby ASA in an active/standby failover configuration. However, the ASA's local CA-generated certificates, which are used for SSL VPN remote access, are not replicated to the standby ASA.

In Cisco ASA, how do you send firewall traffic to the AIP SSM module for inspection?

The traffic to be inspected is defined with an access-list. In this example output, the access-list permits all IP traffic from any source to any destination, so the traffic sent for inspection can be anything that passes through the ASA.
ciscoasa(config)#access-list traffic_for_ips permit ip any any
ciscoasa(config)#class-map ips_class_map
ciscoasa(config-cmap)#match access-list traffic_for_ips
ciscoasa(config)#policy-map global_policy [...]

What is FWSM?

The Firewall Services Module (FWSM) is an integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers. Up to four FWSMs can be installed in a single chassis, providing scalability to 20 Gbps per chassis. It is based on Cisco PIX Firewall technology. The FWSM is now end of sale and end of life.

If Cisco ASA logging shows an "MSS Exceeded" error message, what will you do?

The Cisco ASA drops packets that exceed the MSS value advertised by the client. We can bypass this behaviour with MPF (Modular Policy Framework):
=================================================
Cisco-ASA(config)#access-list select_traffic permit tcp any host
Cisco-ASA#configure terminal
Cisco-ASA(config)#class-map cm_allow_mss
Cisco-ASA(config-cmap)#match access-list select_traffic
Cisco-ASA(config-cmap)#exit
Cisco-ASA(config)#tcp-map mss-map
Cisco-ASA(config-tcp-map)#exceed-mss allow
Cisco-ASA(config-tcp-map)#exit
Cisco-ASA(config)#policy-map pm_allow_mss
Cisco-ASA(config-pmap)#class cm_allow_mss
Cisco-ASA(config-pmap-c)#set connection [...]

What is MPF in Cisco ASA?

A Modular Policy Framework (MPF) configuration defines a set of rules for applying firewall features. For example, you can use MPF to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications.
Modular Policy Framework features:
* QoS input policing
* TCP normalization, TCP and [...]

In a Cisco ASA firewall, how do you check whether it is under a TCP SYN flood attack? If it is under attack, what are the countermeasures?

In Cisco ASA, running 'show conn count' displays the number of open connections. By default the value for half-open connections is 100000.
ciscoasa# show conn count
1931 in use, 3139 most used
We can configure the ASA to lower that value by creating a class map to select the traffic:
class-map SYN_Flood_Attack [...]

What is AAA?

AAA stands for authentication, authorization and accounting. It is used to control users' rights to access network resources and to keep track of user activity over a network. The current standard by which devices or applications communicate with an AAA server is the Remote Authentication Dial-In User Service (RADIUS).