—-For Site to Site VPN—- Suppose topology is 192.168.10.0/24 inside(ASA1)outside ===VPN=== outside(ASA2)inside 192.168.20.0/24 So on the ASA1 you can configure NAT Exception look like this object network local-obj subnet 192.168.10.0 255.255.255.0 object network remote-obj subnet 192.168.20.0 255.255.255.0 nat (inside,outside) 1 source static local-obj local-obj destination static remote-obj remote-obj —-For Remote VPN—- Suppose topology is 192.168.3.0/24 [...]

1) For  Point-to-point VPN Scenario is 192.168.1.x/24 inside(ASA1)outside ===VPN_tunnel===outside(ASA2)inside 192.168.2.0/24 If you were configuring ASA1 nat exemption for this site to site VPN tunnel, it would look like this: object network obj-local-subnet subnet 192.168.1.0 255.255.255.0object network obj-remote-subnet subnet 192.168.2.0 255.255.255.0 nat (inside,outside) 1 source static obj-local-subnet obj-local-subnet destination static obj-remote-subnet obj-remote-subnet 2)For Remote access VPN [...]

To check if the access is allowed through the ASA you can use the command packet-tracer packet-tracer input Inside tcp 10.1.1.10 80 (source address/port) 172.16.1.10 80 (Destination addree/port) detailed Packet-tracer will check multiple parameter such as nat,cal,route etc to check if the access is allowed or not. If something is blocking the access it will [...]

Traditionally a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall on the other hand is a Layer 2 firewall that acts like a “stealth firewall” and is not seen as a router hop to connected devices. When the security [...]

ISAKMP can help in negotiation of SAs for security protocols at all the seven layers of the network stack. By centralizing the management of the security associations, ISAKMP reduces the amount of duplicated functionality within each security protocol. ISAKMP can also reduce connection setup time, by negotiating a whole stack of services at once. IPsec, [...]

1.)Cisco TrustSec integration: In this release, the ASA integrates with Cisco TrustSec to provide security group based policy enforcement based on the roles of source and destination devices rather than on network IP addresses. 2.)Cisco Cloud Web Security (ScanSafe): This feature provides content scanning and other malware protection service for web traffic. It can redirect [...]

First set up the hostname on the Firewall using the command hostname hostname sandysasa5510 Generate a key for SSH encryption to use ca generate rsa key 1024 Allow the desired host to connect to ASA/Pix firewall ssh [ip address] [mask] [interface name] ssh 192.168.1.0 255.255.255.0 inside Save cert ca save all Save all your configuration [...]

Yes. Third-party digital certificates which are used in HTTPS (ie. from Entrust, Verisign, Microdoft,etc) that are installed on the Active ASA are replicated to the Standby ASA in an active/standby failover configuration. However, the ASA’s local CA-generated certificates which are used for SSL VPN remote access are not replicated to the standby ASA.

In the older version of Cisco Pix firewalls the serial failover cable on the PIX Firewall is used for failover communication,this cable is limited to six feet. This is the only size serial failover cable that Cisco makes. As such, this is the only length supported. In the latest version firewalls i.e. Cisco ASA firewalls [...]

If a TCP connection has established between two hosts across the Cisco ASA, a TCP RESET-I in the log message means that the server from the inside is sending a reset to the PIX (which instructs the ASA firewall to drop the connection). The ASA then drops the connection and logs a RESET-I. If the [...]

If user has two ISPs terminating on the ASA, the ASA is configured for ISP redundancy. So in some cases users would like to use both ISP to send the traffic outside. In such scenarios the best solution would be to use the Router. Using route-map on the router, one can confgure routing in such [...]

The pre-shared on the Cisco ASA are encrypted to view them in plain text you need to use the command more system:running-config | beg tunnel-group  

The traffic we want to be inspected is defined with the use of an access-list. In this example output, the access-list permits all IP traffic from any source to any destination. Therefore, to-be-inspected traffic can be anything that passes through the ASA. ciscoasa(config)#access-list traffic_for_ips permit ip any any ciscoasa(config)#class-map ips_class_map ciscoasa(config-cmap)#match access-list traffic_for_ips ciscoasa(config)#policy-map global_policy [...]

DCD (Dead Connection Detection)  detects a dead connection and allows it to expire, without expiring connections that can still handle traffic. You can configure DCD when you want idle, but valid connections to persist. After a TCP connection times out, the ASA sends Dead Connection Detection probes to the end hosts to find out the [...]

Yes it is possible to setup Dead Peer Detection (DPD) on the Cisco VPN client (Cisco software client for connecting to remote VPN gateway). Cisco VPN Client sends its R-U-THERE message to a peer if it has sent traffic to the peer, but hasn’t received response back within ten seconds. This basically means that R-U-THERE [...]

Hair-pinning also called as ‘U-turn ‘.The ASA includes a feature that lets a VPN client send IPSec-protected traffic to another VPN user by allowing such traffic in and out of the same interface using the command ‘same-security-traffic permit intra-interface’ In another application, this feature can redirect incoming VPN traffic back out through the same interface [...]

Unicast Reverse Path Forwarding (uRPF) can be used to help limit malicious traffic on a network. This feature works by enabling a firewall to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network. If the source IP address is not valid, [...]

The ASA does the nat in following order 1. NAT exemption (nat 0 access-list)—In order, till the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. 2. Static NAT and Static PAT (regular and policy) (static)—In order, till the first match. Static [...]

The ASA supports a feature that lets a VPN client send IPsec-protected traffic to another VPN user by allowing such traffic in and out of the same interface is called “hairpinning”, this feature can be thought of as VPN spokes (clients) connecting through a VPN hub (Cisco ASA firewall). In another application, this feature can [...]

Unicast Reverse Path Forwarding (Unicast RPF) to help in limit the malicious traffic on an enterprise network. This security feature will work by enabling a router to verify the reachability of the source address in packets being forwarded.This capability can limit the appearance of spoofed addresses on a network. If the source IP address is [...]

Firewall Services Module (FWSM) is a integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers.Up to four FWSMs can be installed in a single chassis, providing scalability to 20 Gbps per chassis. Based on Cisco PIX Firewall technology. Right now FWSM is end of sale & end of life.

We know that the Cisco ASA drops the packets that exceed the MSS value advertised by the client. We can bypass this behaviors by MPF (Modular Policy Framework) ================================================= Cisco-ASA(config)#access-list select_traffic permit tcp any host 192.168.9.2 Cisco-ASA#configure terminal Cisco-ASA(config)#class-map cm_allow_mss Cisco-ASA(config-cmap)#match access-list select_traffic Cisco-ASA(config-cmap)#exit Cisco-ASA(config)#tcp-map mss-map Cisco-ASA(config-tcp-map)#exceed-mss allow Cisco-ASA(config-tcp-map)#exit Cisco-ASA(config)#policy-map pm_allow_mss Cisco-ASA(config-pmap)#class cm_allow_mss Cisco-ASA(config-pmap-c)#set connection [...]

Modular Policy Framework (MPF) configuration defines set of rules for applying firewall features, such as you can use Modular Policy Framework to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications Modular Policy Framework features: *QoS input policing *TCP normalization, TCP and [...]