This is a question that I get from time to time in my work environment, either from colleagues or customers. I will show you a couple of ways to do this. In ASA, for traffic to pass through interfaces, several conditions must be met. Since we are talking here about the inside and outside interfaces, this […]
Cisco ASA Identity Firewall
What is the Cisco ASA Identity Firewall? Traditionally, Cisco ASA policies and rules are enforced mainly using an Access Control List (ACL), which allows or denies access to certain network resources based on the source/destination IP addresses and port numbers. For example, let's say we want source IP 10.1.1.1 to be able to access a server with […]
Series of Steps to Forward a packet in a Cisco ASA Firewall
A normal Layer 3 routing device, when receiving a packet on one of its ingress interfaces, first checks the destination IP address of the packet and then consults its routing table in order to forward the packet out of the proper egress interface. This is the most basic operation of a router. A stateful firewall (like the […]
Site to Site VPN between Cisco ASA and Router
In this post we will configure a Site-to-Site IPsec VPN between a Cisco IOS router and an ASA firewall. The ASA configuration is not much different from Cisco IOS with regard to IPsec VPN, since the fundamental concepts are the same. Let's start our lab example and we'll see how it's done. Consider the following diagram. The first […]
Cisco ASA Active/Active Failover Configuration Example
The Cisco ASA failover configuration requires two identical security appliances connected to each other through a dedicated failover link and, optionally, a stateful failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs. In case of Active/Active configuration […]
Preventing SQL Injection Attacks with Cisco ASA Firewall
Today I stumbled upon an interesting technique from the Cisco Blog and the Cisco Support Forum about defending against SQL injection using IPS, ASA or the IOS firewall. I will concentrate on the ASA here to show you what you can do with this great device. Of course, what I will show works only for […]
New Cisco ASA version 8.4 introduced
In January 2011 Cisco announced the newest Cisco ASA 5500 software version, 8.4. This release comes almost one year after the previous major release (version 8.3 was introduced in Feb-March 2010). You can upgrade to version 8.4 from any previous ASA version, but you should know that if your current software release is older […]
Cisco ASA 5500 Firewall Configuration-User Interface and Access Modes
This article describes the user interface, access modes and commands associated with the operation of Cisco ASA 5500 firewall appliances. We assume that you know how to connect to the appliance using a console cable (the blue flat cable with an RJ-45 connector on one end and a DB-9 serial connector on the other) and a terminal […]
Cisco ASA Firewall in Transparent Layer2 Mode
Traditionally, a network firewall is a routed hop that acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall (or Layer 2 firewall), on the other hand, acts like a “stealth firewall” and is not seen as a Layer 3 hop to connected devices. The appliance connects […]
Configuring IPS Protection and IP Spoofing on Cisco ASA 5500 Firewalls
The Cisco ASA firewall appliance provides good security protection out of the box with its default configuration. However, to increase the protection even further, there are several configuration enhancements that can be used to implement additional security features. Two of these features are IP spoofing protection and basic Intrusion Prevention System (IPS) support. IP Spoofing Protection IP […]
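The two features named in the excerpt map to a handful of ASA CLI commands. The configuration below is an added example, not taken from the article: it enables Unicast Reverse Path Forwarding (the ASA's IP spoofing protection) on both interfaces and attaches the legacy built-in signature engine (`ip audit`) to the outside interface. The interface names `inside`/`outside` and the audit policy names `ATTACK_POLICY`/`INFO_POLICY` are assumptions.

```cisco
! --- IP spoofing protection (Unicast RPF) ---
! A packet is dropped if the route back to its source address does not
! point out the interface it arrived on. On "outside" this drops Internet
! packets claiming an inside/RFC1918 source; on "inside" it stops LAN hosts
! from injecting packets with foreign source addresses.
ip verify reverse-path interface outside
ip verify reverse-path interface inside

! --- Basic IPS: built-in "ip audit" signatures ---
! Attack-class signatures: log, drop the packet and reset the TCP session.
ip audit name ATTACK_POLICY attack action alarm drop reset
! Informational-class signatures (scans, probes): log only, to avoid
! dropping legitimate traffic that merely looks like reconnaissance.
ip audit name INFO_POLICY info action alarm
! Apply both policies to the Internet-facing interface.
ip audit interface outside ATTACK_POLICY
ip audit interface outside INFO_POLICY

! --- Verification ---
! Drop counters per interface for uRPF; non-zero "reverse-path" drops on
! inside usually mean a misconfigured host or an asymmetric route, not an attack.
show ip verify statistics
! Which signatures are enabled and which you have disabled with "ip audit signature <n> disable"
show running-config ip audit
```

Check the uRPF counters for a while before relying on the feature: if the ASA has asymmetric routing (a second path into the LAN), legitimate return traffic will show up as reverse-path drops and the command has to be removed from the affected interface.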
Cisco ASA and DNSSEC-Probable Issue with Packet Size
DNSSEC (DNS Security Extensions), a more secure version of the DNS protocol, is to be implemented on May 5th. With DNS poisoning and man-in-the-middle attacks on the rise, the Domain Name System will be moving to a secured version of DNS next month. The changes add digital signatures to the DNS protocol. This will reduce the […]
Configure Cisco ASA 5505 to allow Remote Desktop access from Internet
A very popular scenario for small networks is to have a Cisco ASA 5505 as the border firewall connecting the LAN to the Internet. Administrators in such networks usually face requests from users who are not very security conscious. Such a request could be to allow Remote Desktop (RDP) access from the Internet […]
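The request in the excerpt is a port forward (static PAT) plus an inbound ACL. The configuration below is an added example in ASA 8.3+ syntax, not the article's own configuration. The internal server address 192.168.1.10, the administrator's public address 203.0.113.5 and the names `RDP_SERVER`, `RDP_ALLOWED_SOURCES` and `OUTSIDE_IN` are assumptions; the outside interface is assumed to get its public address dynamically, which is why the `interface` keyword is used instead of a fixed address.

```cisco
! Internal RDP server (assumed address)
object network RDP_SERVER
 host 192.168.1.10
 ! Static PAT: TCP/3389 arriving on the outside interface's own public IP
 ! is translated to the server. Only this one port is exposed.
 nat (inside,outside) static interface service tcp 3389 3389

! The hosts that are allowed to open RDP sessions from the Internet.
! Listing specific sources instead of "any" is the part users will push back
! on, but RDP exposed to the whole Internet is brute-forced within hours.
object-group network RDP_ALLOWED_SOURCES
 network-object host 203.0.113.5

! On 8.3 and later the ACL references the real (untranslated) inside address,
! not the outside interface IP.
access-list OUTSIDE_IN extended permit tcp object-group RDP_ALLOWED_SOURCES object RDP_SERVER eq 3389
! Everything else inbound on "outside" hits the implicit deny at the end of the list.
access-group OUTSIDE_IN in interface outside

! Verification: translation exists, and the ACL counter increments on a test connection.
show nat detail
show access-list OUTSIDE_IN
```

On releases before 8.3 the same result needs the old `static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255` form, and the inbound ACL then matches the translated address (`interface outside`) rather than the real one. If the requesting users cannot supply a fixed source address, a remote-access VPN into the ASA with RDP reachable only through the tunnel is the safer answer than widening the ACL to `any`.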
Cisco ASA version 8.3 is here
On March 8, 2010 Cisco announced the newest Cisco ASA 5500 firewall software version, 8.3. This release carries the most radical changes of any release since version 7.x. The most important change regarding configuration is the way Network Address Translation (NAT) is implemented. Another big change, regarding hardware, is that […]