Dec 29, 2010

Command: forward interface

From ASA Command Reference:

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the forward interface command in interface configuration mode to restore connectivity for one VLAN from initiating contact to one other VLAN. To restrict one VLAN from initiating contact to one other VLAN, use the no form of this command. You might need to restrict one VLAN depending on how many VLANs your license supports.

Dec 9, 2010

Static route issue

If you make a typo when setting up static routes, it can result in a persistent route. For example, if you want to implement a static route for but you write a wrong netmask, you will not be able to remove that route:

asa(config)# route inside
asa(config)# no route inside
%No matching route to delete

Nov 24, 2010

Tips on output filtering

During troubleshooting sessions, you execute several show commands to collect information. Often you don't need all of the output, so you use the vertical bar (aka pipe symbol) to filter it. In this article I will show some useful filtering expressions.

Oct 6, 2010

Forwarding services through a secondary ISP

In this post I'm going to show how to implement a policy that forwards a specific service through a secondary ISP. A dual-ISP scenario was described in my post about redundancy.

Sep 22, 2010

The gateway address is wrong, but I have access to the Internet. Why?

In order to reach unknown networks, a host needs to use a gateway to forward the traffic. The gateway is a device connected to the local network and to at least one external network. That device must be able to route packets so that it can forward the traffic toward unknown destinations. Ok, we know that. What's the big news?

Is it possible to reach the Internet even if the gateway address is wrong? Yes. Maybe. I will demonstrate how, using the following scenario:

Sep 17, 2010

How to view historical performance data on PIX/ASA?

Recent performance data can be collected with some show commands (show cpu, show memory, etc.). For historical performance data, however, ASDM History Tracking is required. This feature was introduced in OS 7.0(1) to replace the PDM History feature.

Sep 15, 2010

How to control webmail traffic?

Sender Policy Framework is an open standard that can be used to hinder the activities of spammers. Using SPF, domain administrators can specify which mail servers they use to send mail from their domain, so receivers can check whether a message came from a valid server.

Also, it is useful when we need to implement access rules to control traffic going to or coming from webmail servers.

Sep 6, 2010

How to bypass SMTP Inspection?

The default SMTP Inspection policy blocks messages that match one of the following conditions:
  • Method line length greater than 512 bytes
  • More than 100 recipient email addresses
  • Body line length greater than 998 bytes
  • Header line length greater than 998 bytes
  • Sender email address length greater than 320 bytes
  • MIME filename length greater than 255 bytes

Sep 1, 2010

Blocking WebDAV methods

WebDAV is an extension to the HTTP protocol described in RFC 2518. There are vulnerabilities in Windows applications that could be exploited over WebDAV. Therefore, blocking outbound WebDAV traffic is a best practice.

Aug 28, 2010

Static NAT - Does the order of commands matter?

I've implemented the following scenario to demonstrate the behavior of the ASA/PIX that we could see after changing the order of the Static NAT rules.

Aug 13, 2010

DNS Rewrite

DNS Rewrite is a feature of the ASA and PIX that enables the firewall to rewrite DNS A queries when the destination server is located on the same network as the client or, for example, when the public IP address of that server is statically mapped to a DMZ address. I've implemented the following scenario using DNS Rewrite and a router running IOS as the DNS server.

Aug 7, 2010

Steps to setup a VPN on ASA/PIX

You should read the configuration guides and command references to learn how to set up a VPN on ASA/PIX. However, if you don't have access to those documents, what will you do?

Aug 1, 2010

High availability using ASA/PIX

I've implemented the scenario below using all ASA/PIX features for high availability.

Jul 27, 2010

Debugging interface status on failover pairs

Should static routes interfere with the operation of ASA/PIX failover pairs? I don't think so. However, it is possible! So I'm going to describe a scenario where that issue might happen.

Jul 24, 2010

Simplifying ACEs using object-groups

In this post I will present a simplification for implementing an ACE using object-groups. It is not described in the ASA/PIX command reference (only in a configuration guide example on the Cisco portal).

Jul 21, 2010

Configuring NAT on ASA/PIX

I've designed a network scenario where I could apply every NAT type supported by ASA/PIX. Below is what I got:

Jul 20, 2010

Controlling intra-interface traffic

If you need to allow unencrypted traffic to flow through the same interface (e.g., from inside to inside), you just need to enable the command below.

(config)# same-security-traffic permit intra-interface

Cisco published an article explaining that configuration. However, if the firewall policy has NAT rules, that command is not the only thing you need to set to get it working. I will use as an example the following scenario, which is similar to the one presented in Cisco's article.

Jul 16, 2010

Syslog over IPSec

I've identified an issue when ASAs are configured to send syslog messages over an IPSec tunnel. For some unknown reason, I've seen some devices trying to establish the connection to the log server without forwarding the traffic through the tunnel. Thus, the log messages are not saved, since the remote peer blocks the unencrypted packets.

Jul 12, 2010

Active/Standby Failover - Swapping the units roles

One of the appliances in an Active/Standby failover configuration is set as the primary unit and the other as the secondary one. Thus, the devices are able to negotiate which one will be Active after completing the boot process (it will be the primary, if everything has loaded fine).

If for some reason you need to swap the device roles (primary/secondary) without an outage, it will be necessary to break the cluster link. Otherwise both boxes would change to the Active state simultaneously, which results in a conflict that makes them lose failover connectivity (HELLO messages are not sent/received properly). Furthermore, you'd create a lockout situation for one of the units, since both would be using the same IP addresses.

References for ASA and PIX

asa(config)# end
asa# wr mem

My journey to CCIE Security

Although I like to write about technical subjects, I've never been a blogger because I don't like to feel obligated to write at defined intervals or something like that. Yeah... this is/will be a blog about technical stuff. I decided to create it as a notebook for personal use while I'm preparing to attempt the CCIE Security exam, which I'm planning to do by the end of next year. I could just make some text files and save them on my PC; however, by blogging I make the notes always available to me and to anyone else who is interested.

The blog name "Packets Never Lie" is a quote by Laura Chappell. I took that maxim as the basis for doing my job, since all network issues can be fixed if we understand what is going through the NICs, cables, switches, routers etc.

Perhaps the intervals between the first posts won't be short, since I'm preparing myself to take other certification exams besides the CCIE. Nevertheless, I will blog only about topics related to the CCIE exam.

First of all, I will make some notes on ASA and PIX since I'm in touch with those devices every day. While studying, I will write articles about routers and switches, IPS/IDS, security protocols, resources and technologies.

This will be my journey to CCIE Security... :)