How to set up NAT Exemption for Site-to-Site and Remote VPN in Cisco ASA version 8.3

For Site-to-Site VPN: suppose the topology is

192.168.10.0/24 inside(ASA1)outside ===VPN=== outside(ASA2)inside 192.168.20.0/24

On ASA1 the NAT exemption then looks like this:

object network local-obj
 subnet 192.168.10.0 255.255.255.0
object network remote-obj
 subnet 192.168.20.0 255.255.255.0
nat (inside,outside) 1 source static local-obj local-obj destination static remote-obj remote-obj

For Remote VPN: suppose the topology is 192.168.3.0/24 [...]

How to configure NAT Exemption in version 8.3 for VPN in Cisco ASA?

1) For point-to-point (site-to-site) VPN, the scenario is

192.168.1.x/24 inside(ASA1)outside ===VPN_tunnel=== outside(ASA2)inside 192.168.2.0/24

If you were configuring the ASA1 NAT exemption for this site-to-site VPN tunnel, it would look like this:

object network obj-local-subnet
 subnet 192.168.1.0 255.255.255.0
object network obj-remote-subnet
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local-subnet obj-local-subnet destination static obj-remote-subnet obj-remote-subnet

2) For remote access VPN [...]

Suppose server x is not able to reach server y through the ASA firewall how you will troubleshoot the connectivity?

To check whether the access is allowed through the ASA you can use the packet-tracer command:

packet-tracer input Inside tcp 10.1.1.10 80 172.16.1.10 80 detailed

Here 10.1.1.10 80 is the source address/port and 172.16.1.10 80 is the destination address/port. Packet-tracer checks multiple parameters, such as NAT, ACL and route lookup, to determine whether the access is allowed or not. If something is blocking the access it will [...]

What are the new features in the new Cisco ASA version 9?

1.) Cisco TrustSec integration: In this release, the ASA integrates with Cisco TrustSec to provide security group based policy enforcement based on the roles of source and destination devices rather than on network IP addresses.
2.) Cisco Cloud Web Security (ScanSafe): This feature provides content scanning and other malware protection services for web traffic. It can redirect [...]

What ports are used for the VPN?

Internet Protocol Security (IPSec) uses IP protocol 50 for ESP (Encapsulating Security Payload), IP protocol 51 for Authentication Header (AH), and UDP port 500 for the IKE Phase 1 and Phase 2 negotiations. UDP ports 500 and 4500 are used if NAT-T is in use for the IKE Phase 1 and Phase 2 negotiations. Secure Sockets [...]

Are digital certificates replicated in a Cisco ASA’s Active/Standby failover configuration?

Yes. Third-party digital certificates used for HTTPS (e.g. from Entrust, Verisign, Microsoft, etc.) that are installed on the Active ASA are replicated to the Standby ASA in an active/standby failover configuration. However, the ASA's local CA-generated certificates, which are used for SSL VPN remote access, are not replicated to the standby ASA.

In Cisco ASA how to send the firewall traffic to AIP SSM module for inspection?

The traffic we want to be inspected is defined with an access-list. In this example output, the access-list permits all IP traffic from any source to any destination, so the to-be-inspected traffic can be anything that passes through the ASA.

ciscoasa(config)#access-list traffic_for_ips permit ip any any
ciscoasa(config)#class-map ips_class_map
ciscoasa(config-cmap)#match access-list traffic_for_ips
ciscoasa(config)#policy-map global_policy [...]

What is Anti-replay in IPSec?

IPSec provides anti-replay protection against an attacker who duplicates encrypted packets by assigning a monotonically increasing sequence number to each encrypted packet. The receiving IPSec endpoint keeps track of which packets it has already processed on the basis of these numbers, using a sliding window of all acceptable sequence numbers. [...]

Can you give an overview of various components in IPSec?

The IPsec suite is an open standard. IPsec uses the following protocols:

Authentication Headers (AH) – provide connectionless integrity and data origin authentication for IP datagrams and provide protection against replay attacks.
Encapsulating Security Payloads (ESP) – provide confidentiality, data-origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality.
Security [...]

What is Symmetric & Asymmetric encryption?

Symmetric encryption: In symmetric encryption, a single key is used both to encrypt and decrypt traffic. Common symmetric encryption algorithms include DES, 3DES, AES, and RC4. 3DES and AES are commonly used in IPsec and other types of VPNs. Symmetric encryption algorithms are extremely fast, and their relatively low complexity allows for easy implementation in hardware. However, [...]

What is FWSM?

Firewall Services Module (FWSM) is an integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers. Up to four FWSMs can be installed in a single chassis, providing scalability to 20 Gbps per chassis. It is based on Cisco PIX Firewall technology. FWSM is now end-of-sale and end-of-life.

If Cisco ASA logging is showing the "MSS Exceeded" error message, what will you do?

We know that the Cisco ASA drops packets that exceed the MSS value advertised by the client. We can bypass this behaviour with MPF (Modular Policy Framework):

Cisco-ASA(config)#access-list select_traffic permit tcp any host 192.168.9.2
Cisco-ASA#configure terminal
Cisco-ASA(config)#class-map cm_allow_mss
Cisco-ASA(config-cmap)#match access-list select_traffic
Cisco-ASA(config-cmap)#exit
Cisco-ASA(config)#tcp-map mss-map
Cisco-ASA(config-tcp-map)#exceed-mss allow
Cisco-ASA(config-tcp-map)#exit
Cisco-ASA(config)#policy-map pm_allow_mss
Cisco-ASA(config-pmap)#class cm_allow_mss
Cisco-ASA(config-pmap-c)#set connection [...]

What is MPF in Cisco ASA?

Modular Policy Framework (MPF) configuration defines a set of rules for applying firewall features. For example, you can use Modular Policy Framework to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications.

Modular Policy Framework features:
* QoS input policing
* TCP normalization, TCP and [...]