A common attack found on TCP/IP networks is IP spoofing. It is usually used for Denial-of-Service, for hiding the attacker's identity, or even to bypass firewall or access list rules. The spoofing attack works as follows: a malicious attacker sends packets towards a target host. The attacker disguises itself by inserting a fake source IP address into the packets. […]
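The standard ASA countermeasure for the scenario above is unicast Reverse Path Forwarding (uRPF) combined with an ingress ACL that refuses impossible source addresses. The configuration below is an added example, not code from the original article; the interface names, server address and internal ranges are assumed for illustration.

```text
! Added example (assumed interface names and addresses, not from the original article).
!
! uRPF: drop any packet whose source address is not reachable back through the
! interface it arrived on, according to the ASA routing table. This defeats the
! classic "fake source IP" trick on both sides of the firewall.
ip verify reverse-path interface outside
ip verify reverse-path interface inside

! Ingress filter on the outside interface: a packet from the Internet must never
! claim an internal (RFC 1918) source address. Log the hits; they are either
! misconfiguration or an active spoofing attempt.
access-list OUTSIDE-IN extended deny ip 10.0.0.0 255.0.0.0 any log
access-list OUTSIDE-IN extended deny ip 172.16.0.0 255.240.0.0 any log
access-list OUTSIDE-IN extended deny ip 192.168.0.0 255.255.0.0 any log
! then the traffic you actually publish (assumed web server, real/pre-NAT address)
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.10 eq 80
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

Two caveats before enabling `ip verify reverse-path` on the inside interface: every internal subnet must have a route pointing at that interface, otherwise legitimate traffic is dropped as spoofed, and asymmetric routing (packets entering through one interface and returning through another) will also trigger drops. `show ip verify statistics` shows the per-interface drop counters, so you can confirm the feature is discarding only what you expect.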
Configuring Connection Limits on Cisco ASA Firewalls – Protect from DoS
The Cisco ASA firewall offers excellent protection against Denial of Service attacks such as SYN floods, TCP connection exhaustion attacks etc. Using the Modular Policy Framework (MPF), the ASA administrator can configure granular controls for TCP connection limits and timeouts. For example, we can control and limit the maximum number of simultaneous TCP and UDP connections […]
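An MPF policy that caps connections to a published web server, as an added example (not the article's own configuration). The server address, ACL and class names, and the numeric limits are assumed; tune the limits to the real capacity of the server behind the firewall.

```text
! Added example (assumed address, names and limits, not from the original article).
access-list WEB-TRAFFIC extended permit tcp any host 192.168.1.10 eq 80
access-list WEB-TRAFFIC extended permit tcp any host 192.168.1.10 eq 443

class-map WEB-CONN-LIMITS
 match access-list WEB-TRAFFIC

! global_policy already exists in a default ASA configuration; we add a class to it.
policy-map global_policy
 class WEB-CONN-LIMITS
  ! total established / half-open (embryonic) connections to the server;
  ! once embryonic-conn-max is reached the ASA answers SYNs on the server's
  ! behalf (TCP intercept) so a SYN flood never fills the server's backlog
  set connection conn-max 10000 embryonic-conn-max 1000
  ! per source address, so a single client cannot exhaust the server limits
  set connection per-client-max 100 per-client-embryonic-max 20
  ! tear down half-open connections after 20 s and idle ones after 30 min
  set connection timeout embryonic 0:00:20 idle 0:30:00
  ! initial sequence number randomisation is on by default; keep it, it stops
  ! an attacker from predicting sequence numbers of connections it cannot see
  set connection random-sequence-number enable

service-policy global_policy global
```

`show service-policy` shows the per-class limits and current counters, and `show conn count` the total connection table usage, which is what you watch while an attack is in progress.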
Configuring AAA Authentication-Authorization-Accounting on Cisco ASA Firewall (TACACS+, RADIUS)
When it comes to authentication services in networking and IT systems in general, the best practice is a centralized authentication system that stores the user account credentials securely and controls all authentication and authorization. This is why Active Directory in Microsoft environments is such a useful and powerful authentication scheme. […]
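Centralized device administration on the ASA typically means TACACS+ (which can authorize individual commands) for administrators and RADIUS for VPN users. The following is an added example, not taken from the article; the server addresses, group names, shared secrets and the local fallback account are assumed.

```text
! Added example (assumed addresses, names and secrets, not from the original article).

! TACACS+ server group for device administration
aaa-server ADMIN-TACACS protocol tacacs+
aaa-server ADMIN-TACACS (inside) host 192.168.1.20
 key Tac4cs-Sh4red-Secret
 timeout 5

! Local account, used only when the TACACS+ servers are unreachable (LOCAL fallback)
username fallback-admin password L0calF4llback! privilege 15

! Authentication on every management path, then authorization and accounting
aaa authentication ssh console ADMIN-TACACS LOCAL
aaa authentication http console ADMIN-TACACS LOCAL
aaa authentication serial console ADMIN-TACACS LOCAL
aaa authentication enable console ADMIN-TACACS LOCAL
aaa authorization command ADMIN-TACACS LOCAL
aaa accounting command privilege 15 ADMIN-TACACS
aaa accounting ssh console ADMIN-TACACS

! RADIUS server group for remote-access VPN users
aaa-server VPN-RADIUS protocol radius
aaa-server VPN-RADIUS (inside) host 192.168.1.21
 key R4dius-Sh4red-Secret
 authentication-port 1812
 accounting-port 1813
```

Before adding `aaa authorization command`, verify the server actually answers for your account with `test aaa-server authentication ADMIN-TACACS host 192.168.1.20 username <user> password <pass>` from a session you keep open; a command-authorization policy that denies `configure terminal` or `enable` locks every administrator out, and the LOCAL fallback only applies when the server is unreachable, not when it says "deny".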
Cisco ASA Firewall Management Interface Configuration (with Example)
All Cisco ASA firewall models from the 5510 and higher (including the newer generation of 5500-X appliances) include an extra dedicated Ethernet interface for management. In this article we will provide a basic example of configuring network settings on the dedicated management interface, and also SSH access in order to connect to the appliance through the […]
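A minimal configuration of the dedicated management interface with SSH version 2 restricted to the management subnet, given here as an added example rather than the article's own; the hostname, domain, addresses and the administrator account are assumed.

```text
! Added example (assumed hostname, domain, addresses and account, not from the original article).
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 ! management-only: the interface accepts traffic to the ASA itself but never
 ! forwards traffic through it, so it cannot become a back door into the network
 management-only
 no shutdown

! The RSA host key is derived from hostname + domain-name, so set those first
hostname ASA-EDGE
domain-name example.net
crypto key generate rsa modulus 2048

! SSHv2 only, from the management subnet only, authenticated against the local database
ssh version 2
ssh timeout 10
ssh 192.168.100.0 255.255.255.0 management
aaa authentication ssh console LOCAL
username netadmin password Str0ngP4ss! privilege 15

! ASDM (HTTPS) from the same subnet; no telnet at all
http server enable
http 192.168.100.0 255.255.255.0 management
```

Because the `ssh` and `http` statements are a whitelist, an empty list means nobody can connect on that protocol; `show ssh sessions` confirms who is logged in once the configuration is active.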
How to Configure Access Control Lists on a Cisco ASA 5500/5500-X Firewall (with Examples)
The following article describes how to configure Access Control Lists (ACLs) on Cisco ASA 5500 and 5500-X firewalls. An ACL is the central configuration feature for enforcing security rules in your network, so it is an important concept to learn. The Cisco ASA 5500 is the successor Cisco firewall model series which followed the successful […]
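An inbound and an outbound ACL with the object definitions they rely on, added here as an example (not from the article). The server, its public NAT address and the internal subnet are assumed. The important detail for anyone coming from older code is that since ASA 8.3 an ACL matches on the real (untranslated) address of a host, not on its public NAT address.

```text
! Added example (assumed addresses and names, not from the original article).

! The published web server and its static NAT to a public address
object network WEB-SRV
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10

object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443

! Inbound from the Internet: ACLs reference the REAL address (ASA 8.3+), so we
! refer to the object, not to 203.0.113.10. Explicit final deny so hits are logged.
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV object-group WEB-PORTS
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! Outbound from the LAN: applying an ACL replaces the implicit "higher to lower
! security level is allowed" rule, so only web and DNS leave the network.
access-list INSIDE-OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list INSIDE-OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list INSIDE-OUT extended permit udp 192.168.1.0 255.255.255.0 any eq 53
access-list INSIDE-OUT extended deny ip any any log
access-group INSIDE-OUT in interface inside
```

`show access-list OUTSIDE-IN` prints the expanded entries with hit counts, which is the quickest way to see whether a rule is matching at all and whether the final deny is catching traffic you meant to allow.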
Cisco ASA Firewall Packet Tracer for Network Troubleshooting
One of the most useful troubleshooting features of Cisco ASA firewalls is the “packet-tracer” command, which traces and simulates how a packet will traverse the ASA appliance in order to identify possible problems (such as why a packet is blocked). The packet tracing feature was introduced in Cisco ASA firewall version […]
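Typical packet-tracer invocations, added as an example (not from the article); the addresses and ports are assumed. The command takes the packet as it would arrive on the named interface, so for inbound traffic you give the public (pre-NAT) destination address, and the output walks through each phase (route lookup, ACL, NAT, inspection, flow creation) and ends with an Action of allow or drop plus a drop reason.

```text
! Added example (assumed addresses, not from the original article).

! A SYN from an Internet host to the published web server, with per-phase detail
packet-tracer input outside tcp 203.0.113.50 40000 203.0.113.10 80 detailed

! An outbound DNS query from the LAN, to check the outbound policy and NAT
packet-tracer input inside udp 192.168.1.50 53000 192.0.2.53 53

! packet-tracer simulates; to compare with what is really arriving, capture it
capture CAP-OUT interface outside match tcp host 203.0.113.50 host 203.0.113.10 eq 80
show capture CAP-OUT
no capture CAP-OUT
```

When the simulated packet is dropped, the phase that dropped it is the one whose Result is DROP; the drop reason names the responsible feature (for instance the ACL or a missing NAT rule). `show asp drop` gives the aggregate drop counters for real traffic and is the natural next step when packet-tracer says allow but the traffic still fails.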
How to Pass BGP Sessions through Cisco ASA Firewall (BGP Pass Through)
The following article describes the proper way to allow BGP sessions between two routers to pass through a Cisco ASA firewall appliance. Especially if the BGP session between the two routers uses MD5 authentication (which is a good security practice), you need some special “treatment” of this session in order to pass it successfully through […]
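The reason MD5-authenticated BGP breaks through an ASA is that the MD5 signature (TCP option 19) covers the TCP header, including the sequence numbers, and the ASA randomizes initial sequence numbers by default; the TCP normalizer also strips unknown TCP options. Both behaviours have to be switched off for port 179 only. The following is an added example, not the article's own configuration; the router addresses and object names are assumed.

```text
! Added example (assumed addresses and names, not from the original article).

! 1. Permit the BGP session itself in both directions (assumed peer addresses)
access-list OUTSIDE-IN extended permit tcp host 203.0.113.1 host 192.168.1.1 eq 179
access-group OUTSIDE-IN in interface outside

! 2. Match only BGP traffic for the special treatment
access-list BGP-ACL extended permit tcp any any eq 179
class-map BGP-CLASS
 match access-list BGP-ACL

! 3. Let the TCP MD5 signature option (option 19) through the normalizer untouched
tcp-map BGP-MD5
 tcp-options range 19 19 allow

! 4. Do not randomize sequence numbers for this class, otherwise the signature
!    computed by each router no longer matches what the peer receives
policy-map global_policy
 class BGP-CLASS
  set connection random-sequence-number disable
  set connection advanced-options BGP-MD5
service-policy global_policy global
```

Keep the class as narrow as the ACL allows: sequence number randomization is a real protection for every other TCP flow, so it should be disabled only for the authenticated BGP peers, never globally. If the peers are NATed through the firewall the session still fails, because NAT rewrites the addresses that the MD5 hash also covers.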
Cisco ASA Virtual Firewall Configuration (with Config Example)
Device virtualization is one of the most popular topics in the IT industry today, and Cisco supports this concept in the majority of its network devices. In this article we will talk about Cisco ASA virtualization, which means running multiple virtual firewalls on the same physical ASA chassis. A virtual ASA is also known as a “Security […]
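A skeleton of multiple context mode with two customer contexts on VLAN subinterfaces, given as an added example and not as the article's configuration; the context names, VLAN numbers and addresses are assumed. Everything up to `changeto context` is typed in the system execution space.

```text
! Added example (assumed names, VLANs and addresses, not from the original article).

! Switching modes requires a reload and converts the existing config into the admin context
mode multiple

! System execution space: physical interfaces and the VLAN subinterfaces to hand out
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 110
interface GigabitEthernet0/1.20
 vlan 120

! The admin context manages the box; give it only the management interface
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg

! One context per customer; a mapped name hides the physical interface from the tenant
context CUSTOMER-A
 allocate-interface GigabitEthernet0/0.10 custA-outside
 allocate-interface GigabitEthernet0/1.10 custA-inside
 config-url disk0:/customer-a.cfg

context CUSTOMER-B
 allocate-interface GigabitEthernet0/0.20 custB-outside
 allocate-interface GigabitEthernet0/1.20 custB-inside
 config-url disk0:/customer-b.cfg

! From here on each context is configured like a standalone ASA
changeto context CUSTOMER-A
interface custA-outside
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
```

Two things to check before committing to this design: the number of contexts you may create depends on the installed license, and feature support inside a context depends on the software version (dynamic routing and site-to-site VPN in multiple context mode arrived only in later 9.x releases), so consult the release notes for the version you run.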
Cisco ASA Master PassPhrase (How to Show Encrypted Password)
There are several configuration features on the Cisco ASA that require some sort of password or secret key to be entered. Some examples include: VPN pre-shared keys (either for site-to-site IPsec VPN or for remote access), the AAA server secret key when communicating with a RADIUS server, routing protocol keys (for OSPF, EIGRP), the secret key for […]
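Enabling the master passphrase so that those keys are stored AES-encrypted in the configuration, as an added example (not from the article); the passphrase value is assumed. Without it, `show running-config` merely masks the keys with asterisks while `more system:running-config` still prints them in clear text to any privilege-15 user, which is the classic way to recover a forgotten pre-shared key and also the reason the masking alone is not a protection.

```text
! Added example (assumed passphrase, not from the original article).

! Set the master passphrase; it is not stored in the running configuration.
! Run without arguments to be prompted instead of leaving it in the terminal history.
key config-key password-encryption Str0ng-M4ster-Passphr4se

! From now on pre-shared keys, AAA server keys, routing keys etc. are written
! AES-encrypted under this passphrase instead of in clear text
password encryption aes

! Compare the masked view and the raw view of the same tunnel-group secret
show running-config tunnel-group
more system:running-config
```

Record the passphrase somewhere safe: a configuration copied to another appliance, or to the same one after a factory reset, can only be decrypted if the same master passphrase is set there first.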
How to Configure Static Routing on Cisco ASA Firewall
Although the Cisco ASA appliance does not act as a router in the network, it still has a routing table, and it is essential to configure static or dynamic routing in order for the appliance to know where to send packets. When a packet arrives at a network interface of the ASA firewall, the packet […]
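Static routes for a typical edge deployment, including a tracked default route that falls back to a backup ISP when the primary next hop stops answering. This is an added example, not the article's configuration; interface names, next-hop addresses and the SLA numbers are assumed.

```text
! Added example (assumed interfaces and addresses, not from the original article).

! Internal subnet behind a core router on the inside interface (metric 1)
route inside 10.10.0.0 255.255.0.0 192.168.1.2 1

! Default route via the primary ISP, conditional on track 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1

! Floating default route via the backup ISP: higher metric, only installed
! while the primary default route is withdrawn by the tracker
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! IP SLA probe: ping the primary ISP gateway every 10 s, 3 packets per probe
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! Tie the probe result to the route
track 1 rtr 10 reachability
```

`show route` shows which default route is currently installed and `show sla monitor operational-state 10` the probe history. Pinging the immediate gateway only proves the first hop is alive; if the ISP can lose upstream connectivity while its gateway still answers, probe an address further out instead.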
Cisco ASA Active-Standby Failover Configuration Example
In my previous post I talked about Cisco ASA Active/Active configuration. In this post I will describe Active/Standby redundancy, which is used much more frequently than the Active/Active scenario. ASA Active/Standby failover/redundancy means connecting two identical ASA firewall units via a LAN cable so that when one device or interface fails, the second one […]
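The minimum Active/Standby configuration for both units, added as an example (not from the article); the failover interface, addresses and key are assumed. Only the primary carries the full configuration; the secondary needs just enough to find its peer, after which everything else is replicated over the failover link.

```text
! Added example (assumed interfaces, addresses and key, not from the original article).

! ---- Primary unit ----
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
! use the same link for stateful replication of the connection table
failover link FAILOVER GigabitEthernet0/3
! the key encrypts config replication and hello traffic on the failover link,
! which otherwise carries the whole configuration, secrets included, in clear text
failover key Fa1lover-Sh4red-Secret

! Every data interface gets an active and a standby address; on failover the
! new active unit takes over the active IP and MAC, so neighbours see no change
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

failover

! ---- Secondary unit (only this; the rest is replicated from the primary) ----
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key Fa1lover-Sh4red-Secret
failover
```

`show failover` on either unit shows the pair state and which interfaces are monitored; always confirm both units run the same software version and have the same licensed features and memory before enabling `failover`, otherwise the pair refuses to form or fails over into a unit that cannot carry the load.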
Configuring a Warning Login Banner on Cisco ASA Firewall
It is a good security practice to configure a warning login banner on your Cisco ASA firewall appliance to deter unauthorized access attempts. In this article we will describe how to configure such a banner for the different ways of connecting to the appliance, such as the graphical interface (ASDM), session, login etc. The command […]
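The four banner types and when each is shown, as an added example (the wording of the banners is assumed, not from the article). Each `banner` command appends one line, so a multi-line banner is simply the command repeated.

```text
! Added example (assumed banner text, not from the original article).

! motd: shown first, before any login prompt, on console, SSH and telnet sessions
banner motd This system is the property of Example Corp.
banner motd Unauthorized access is prohibited and will be prosecuted.

! login: shown right before the username/password prompt
banner login Authorised users only. Disconnect now if you are not one.

! exec: shown after a successful login, before the first prompt
banner exec All commands on this device are logged via AAA accounting.

! asdm: shown in the ASDM client after a successful login
banner asdm This system is for authorised use only. Activity is monitored and logged.
```

Keep the text free of anything that identifies the device role, software version or owner's internal structure: the banner is shown to unauthenticated users, so it should warn, not inform. `show running-config banner` lists what is configured.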
Cisco ASA NTP and Clock Configuration with Examples
The Cisco ASA appliance retains its clock settings in memory via a battery on the device motherboard, so the clock is retained even when the device is powered off. Configuring accurate time settings on the appliance is important for logging purposes, since syslog messages can contain a time stamp according to the device clock time […]
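Time zone, authenticated NTP and time-stamped syslog in one fragment, added here as an example (not from the article); the time zone, server addresses and key are assumed. Authenticating NTP matters for a security device: whoever can move the firewall's clock can backdate log entries and invalidate certificate checks.

```text
! Added example (assumed time zone, servers and key, not from the original article).

! Local time zone and daylight-saving rule (used for display and local timestamps)
clock timezone EST -5
clock summer-time EDT recurring

! Authenticated NTP: the ASA only accepts time from servers that sign with a trusted key
ntp authenticate
ntp authentication-key 1 md5 Ntp-Sh4red-Secret
ntp trusted-key 1
ntp server 192.0.2.10 key 1 source inside prefer
ntp server 192.0.2.11 key 1 source inside

! Stamp every syslog message with the device time so events correlate across systems
logging timestamp
logging host inside 192.168.1.30
logging trap informational
```

`show ntp status` reports whether the clock is synchronized and to which stratum, and `show ntp associations` shows each configured server and whether its packets are authenticating; a server marked as not authenticated is a sign the key does not match on one side. Use `clock set` once to bring a badly drifted clock close enough for NTP to accept the servers.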