Cisco ASA – ICMP Inspect and the Connection Table

Recently I’ve discovered that there is, well, fairly limited information online around this point. In this short article we will explain how ICMP inspect, whether disabled or enabled, affects the connection table. What is ICMP Inspect? “The ICMP inspection engine allows ICMP traffic to be inspected like TCP and UDP traffic. Without the ICMP inspection … Read more

Cisco ASA – Traffic Sent Out Incorrect Interface Due to NAT

Problem Lets consider the following scenario. We have a firewall with 3 interfaces, Outside, Inside and DMZ. When traffic is sent to the DMZ segment, the NAT rule below is matched. This results in traffic being sent out of the outside interface, rather then out the DMZ interface. Surely this cant be right ! object-group … Read more

Configuring Service-Offload on the Juniper SRX

Service Offload Configuration Commands 1. First configure the FPC/PIC (I believe on the SRX1400 if the NP-IOC is in slot 2 it would be FPC2 PIC0 but you can confirm) 2. Then setup a policy from zone x to zone y to allow whatever addressing/protocol and permit services-offload feature for that traffic 3. Then confirm … Read more

GAIA CLISH Commands

Below are some of the most useful commands for the administration within the Gaia CLISH. show commands save config save the current configuration show commands shows all commands show allowed-client all show allowed clients show arp dynamic all displays the dynamic arp entries show arp proxy all shows proxy arp show arp static all displays … Read more

Cisco ASA 5585X Architecture Deep Dive

Introduction Within this article we will take an in-depth look into the architecture of the Cisco ASA 5585X. CHASSIS The Cisco ASA 558X is a chassis based firewall. The chassis consists of 2 slots, each slot can be populated with either an SSP (Security Services Processor) or Interface Module (ASA5585-NM-XX). The SSPs come in various … Read more

Juniper SRX – How to Create a ReadOnly Account

Within this article we will provide the necessary commands required to create a read-only account on a Juniper SRX. Within our example a user is created with the following attributes, A user with the username of ‘user1‘. ONLY allowed to use the show command. SNMP configuration is REMOVED from the configuration output. The policy-options and … Read more

Cisco ASA: TCP Normalization & Permitting TCP Option Headers

TCP Normalization To provide protection from attacks, the Cisco ASA provides a feature called TCP normalization. TCP normalization is enabled by default and can detect abnormal packets. Once detected these packets can be either allowed, dropped or cleared of its abnormalities. To configure the TCP normalizer changes are made within the tcp-map. The tcp-map is … Read more

Configuring IPv6 on a Juniper SRX

Within this article we will provide the steps required to enable IPv6 on a Juniper SRX device. IPv6 Forwarding First of all we enable IPv6 forwarding. Once this is added you will need to reboot the device. set security forwarding-options family inet6 mode flow-based You can confirm that IPv6 forwarding is enabled once the device … Read more

Configuring EtherChannel on an ASA Firewall

The ability to configure EtherChannels on ASA models 5510 and above was introduced within 8.4/8.6. An Etherchannel provides a method of aggregating multiple Ethernet links into a single logical channel. Within this article we will provide the steps required to create an Etherchannel link on the Cisco ASA along with providing the main troubleshooting/show commands. … Read more

Mitigating Network Attacks on the Juniper SRX

The Juniper SRX provides an extensive set of options to block and prevent both internal and external based network attacks. Within this article we will look at the various options and settings to block, Sweeps – Horizontal scans, i.e scans across an IP range. Port Scans – Vertical scans, i.e scans across multiple ports on … Read more

Cisco ASA Permit/Deny Traffic based on Domain Name (FQDN)

Introduction Introduced within Cisco ASA version 8.4(2), Cisco added the ability to allow traffic based on the FQDN (i.e domain name). This feature works by the ASA resolving the IP of the FQDN via DNS which it then stores within its cache. Traffic is then either denied or permitted accordingly. Within this article will look … Read more

Cisco ASA – SCP causes orphaned ssh_init processes

Issue This is a nasty little big I found the other day which hopefully you can avoid after reading this article. When using SCP to copy a file to/from the ASA that is over 100k the transfer stalls and then fails. This results in an orphaned ssh_init process. Each ssh_init process then still occupies a … Read more

Configuring Hairpin VPN with Double NAT on Cisco ASA 8.0

  Purpose The purpose of this article is to explain the configuration steps required in configuring a hairpinned VPN with double NAT on a Cisco ASA firewall (running 8.0). Terms Within this article there are 2 key terms that you will need to know. They are, Hairpinning (U-turn Traffic) – Hairpinning is a term to … Read more

Cisco ASA – Slow Memory Leak (CSCuh48577)

Issue You may experience a slow memory leak within your crypto based processes when running SNMP on your Cisco ASA device. Solution The bug has been resolved within 8.2(5)46 under caveat CSCuh48577.

Cisco ASA ERROR: Capture doesn’t support access-list containing mixed policies

Issue When trying to run a capture you experience the following error, asa-skyn3t(config)# access-list cap-acl permit ip any any asa-skyn3t(config)# capture inside interface inside access-list cap-acl ERROR: Capture doesn’t support access-list <cap> containing mixed policies Solution Within ASA 9.0 the ‘any’ keyword now represents all IPv4 and IPv6 traffic. And the new keywords ‘any4’ and … Read more

Cisco – How to configure an IKEv2 Site to Site IPSEC VPN ?

Within this article we will show you the steps required to build an IKEv2 IPSEC Site to Site VPN on a Cisco ASA firewall. IKEv2 provides a number of benefits of its predecessor IKEv1, such as ability for asymmetric authentication methods, greater protection over IKE DoS attacks, interoperability between vendors for DPD/NAT-T, and less overhead and … Read more

ASA – VPN Traffic is not being encrypted (CSCsd48512)

Issue Traffic is sent out from the ASA unencrypted. Cause This can be caused by a duplicate (stale) ASP crypto table entry, this prevents the ASA encrypting any traffic destined for the remote host. There are 2 commands which shows this behaviour. They are, Interface outside:!out id=0xd616fff0, priority=70, domain=encrypt, deny=false        hits=855899, user_data=0x473ccf4, cs_id=0xd5deba08, reverse, flags=0x0, … Read more

Cisco ASA 8.4/8.6 – Proxy ARP Gotcha

Issue You may observe the ASA incorrectly proxy ARPing for an IP address resulting in connectivity issues . Background Within 8.4(2) and 8.6(1) the following NAT changes were introduced.This basically states that Proxy ARP is enabled by default on both static and identity based NAT statements. Reference : http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/intro_intro.html Identity NAT configurable proxy ARP and … Read more

What is the difference between a Soft and Hard SA timeout ?

The are 2 main types of SA (Security Association) lifetimes ; soft and hard. Soft lifetime – The soft lifetime defines the number of seconds until the IKE process is informed that the SA is about to expire. This is to provide enough time for the creation of a new SA before the hard lifetime … Read more

Juniper SRX – High Availability (Active / Passive Simple)

The Juniper SRX offers 4 types of High Availability (HA) deployment, Active/Passive Simple Active/Passive Full Mesh Active/Active Deployment Active/Passive Transparent Mode Within this article we will look at Active/Passive Simple upon a SRX 240 series device. Summary Active/Passive is the most common type of HA deployment and consists of 2 firewall members. Whilst one node … Read more

Cisco ASA – How do VPN Filters work ?

Introduction Within this article we will look into how VPN filters work and also how to configure them on a Cisco ASA firewall. As the name suggests VPN filters provide the ability to permit or deny post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel. Note : When the … Read more

Juniper SRX – How do I configure LACP (802.3ad) ?

IEEE 802.3ad (LACP) is a technology that provides a method of aggregating multiple Ethernet links into a single logical channel. Configuration To configure LACP the following commands are used. This example aggregates the interfaces fe-0/0/3 and fe-0/0/4 into a logical interface named ‘ae1’. This logical interface is then configured as an access port and assigned … Read more

Cisco ASA IPSEC VPN using Certificates via SCEP enrollment

Within this article we will be showing the various steps required in configuring a Cisco ASA IPSEC VPN using digital certificates. These certificates will be signed by a CA (Cisco Router) and downloaded by the Client/ASA using SCEP (Simple Certificate Enrollment Protocol). Time/Date On the client, router and firewall ensure that NTP is configured and … Read more

Cisco ASA ERROR: Certificate validation failed. Peer certificate key usage is invalid

Error When trying to connect using the Cisco VPN Client with certificate based authentication you receive the following error from you debug logs. CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve revocation status if necessary ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 210F2EDE0000000009AF, subject name: cn=xxxxx,ou=xxxx,o=xxxxx,c=xx CRYPTO_PKI: Certificate not … Read more

Cisco ASA – 8.3 and later NAT Tutorial

Introduction ASA 8.3 onwards brought a number of changes in how NAT is processed. First of all NAT is built around objects, this allows for IP`s to be changed and objects to be renamed much easier than previously. Also when configuring ACL`s the Real IP/Port address(s) are now used. Pre 8.3 access-list acl-outside extended permit … Read more

How to configure your ASA as a CA Server

Within this tutorial we will show you the nessecary steps in configuring your ASA as a CA server. Time/Date First of all we set the time and date.  asa-skyn3t(config)# show clock08:05:40.249 UTC Sun Sep 30 2012 Enable CA Next we enable the ASA as a CA server.  asa-skyn3t(config)# crypto ca serverasa-skyn3t(config-ca-server)# subject-name-default cn=skyn3tca, o=skyn3t, c=UKasa-skyn3t(config-ca-server)# … Read more

ASA – Anyconnect (Basic Setup)

Within this article we will configure a basic Anyconnect setup. The Anyconnect client provides the ability to securly connect to your LAN via TLS/DTLS (TLS over UDP). Enable WebVPN asa84(config)# webvpnasa84(config-webvpn)# enable outsideINFO: WebVPN and DTLS are enabled on ‘outside’.asa84(config-webvpn)# anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkgERROR: The specified AnyConnect Client image does not exist.asa84(config-webvpn)# anyconnect enableasa84(config-webvpn)# exit Create User … Read more

Juniper SRX – How to configure a trunk/access port

On the SRX Branch Series each interface can be configured as either layer 2 or layer 3. These are shown below : Routed Ports – Layer 3 (inet) Bridge – Layer 2 (only used for transparent mode) Ethernet-switching – Layer 2 (switchport) Within this article we will look at how to configure a trunk and … Read more

Cisco ASA – Twice NAT

Twice NAT allows you to NAT both the source and destination within a single rule. Scenario A scenario where this type of configuration would be required is shown below. To ensure that any traffic originating from the Internet isn’t sent back out to its default gateway (asymmetrically routed) the source IP is translated to an … Read more

Cisco ASA & Juniper Netscreen VPN Overlapping Encryption Domains

Purpose The purpose of this article is to describe the various steps required to create a site to site VPN between a Cisco ASA and a Juniper Netscreen when both sides have overlapping subnets. Example Within this example each side will have an endpoint of 192.168.10.0/24. Because of this both sides will present their endpoint … Read more

Cisco ASA – How do I generate a CSR ?

A Certificate Signing Request (CSR) is a base-64 encoded (PEM based) string which is generated using the users public key along with a number of attributes provided by the user such as DN, email, address etc. The CSR is then sent to the CA which it then uses to create a public certificate. The public … Read more

Juniper SRX – The Static NAT / Policy based VPN Problem

Purpose The purpose of this document is to explain the issues and problems surrounding the use of static NAT when using policy based VPN on a Juniper SRX Firewall. Background The issue, when using static NAT with a policy based VPN centres around how NAT is processed by the SRX, in that the Proxy ID`s … Read more

Juniper SRX Commands

Below shows some of the main Juniper SRX commands available. All commands are provided with the necessary mode in which they should be run from. Configuration Commands replace pattern expr1 with expr # configuration mode find and replace string within configuration show | compare rollback {1..5} # configuration mode compare the current configuration against roll … Read more

Cisco ASA – Group-policy assignment based on OU

Purpose The purpose of this document is to explain the configuration methods required to assign to a group-policy to a user based on their OU group. Summary The Cisco ASA firewall includes the ability to assign a user to a group policy based on their OU group. This is achieved via the use of the … Read more

Cisco ASA – Security Levels / NAT Control

Within the Cisco Firewall family (PIX/ASA) there are 2 security features known as Security Levels and NAT Control. Security Levels Security levels are numeric values (between 0 and 100) which are assigned to the firewalls interfaces and used to control traffic flows. Traffic is allowed to pass from a higher security level to a lower … Read more

Juniper SRX – Site to Site VPN using a Dynamic IP address

Within this article we will look at the commands required for configuring a Site to Site VPN when one peer is using a dynamic IP address. Note : This article does not include the VPN configuration in its entirety only the additional/amended commands required for this scenario. There are 3 configuration settings that are defined. … Read more

Juniper SRX – Dynamic VPN

Within this tutorial we will be showing you how to configure Remote Access VPN (Dynamic VPN) on the Juniper SRX. IKE Configure Aggressive Mode set security ike policy ike-dyn-vpn-policy mode aggressive set security ike policy ike-dyn-vpn-policy proposal-set standard Define Preshared Key set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text <PRE-SHARED KEY> Configure the IKE Gateway Here … Read more

Juniper SRX – How to configure a policy based VPN

Below shows the necessary steps/commands to create a policy based VPN on a Juniper SRX series gateway. The main difference with a policy based VPN is that the tunnel action is defined within each security policy. Note : For troubleshooting steps please see here This VPN is configured with the following : Remote Endpoint : … Read more

Juniper SRX – NAT

The Juniper SRX offers 3 main types of NAT. These are source, destination and static. In this article we will be providing explanations and configuration examples for each. Source NAT As the name suggests source NAT translates the source IP address. There are 2 main types of source NAT these are: Interface NAT – Traffic … Read more

Juniper SRX – How to configure a route based VPN

Below shows the necessary steps/commands to create a route based VPN on a Juniper SRX series gateway. The main difference with a route based VPN is that a tunnel interface is created and assigned to your external interface. Any traffic that you wish to encrypt is routed to this tunnel interface. Access to and from … Read more

How do I upgrade a Juniper SRX Series gateway

Within this tutorial we will be providing the steps required to upgrade your Juniper SRX firewall. Copy Image First of all we copy the image over to the SRX via the use of scp. In this case I have used putty’s pscp. C:\Windows\System32>pscp “C:\Users\admin\Downloads\junos-srxsme-11.4R1.6-domestic.tgz” root@[SRX IP]:/mfs Confirm Hash Next we confirm that the file is … Read more

Cisco ASA – How do I capture ARP`s ?

Below shows the necessary commands to capture ARP packets on a Cisco ASA Firewall. Syntax ASA(config)# capture arp ethernet-type arp interface dmz  Display ASA(config)# show capture arp2 packets captured 13:12:23.478229 arp who-has 10.1.1.1 tell 10.1.1.10013:12:26.784194 arp who-has 10.1.1.1 tell 10.1.1.1002 packets shown

Juniper SRX – Configuring Source NAT with pool

Below provides a short guide in configuring source NAT with an address pool on a Juniper SRX. The following example creates a pool with a 10.1.1.0/24 network. This pool of addresses are then used during the translation of source addresses. In addition to the pool we also configure the following options: set address-persistent – this … Read more

Running a packet capture on a Juniper SRX

Within this article we show you the required steps for obtaining a packet capture on your SRX series firewall. Note : Great care should be taken when applying captures to ensure that only the traffic that you want to capture is defined within the firewall filter. This is to prevent any unnecessary load being placed … Read more

How to define a port range on a Juniper SRX

To create a range of ports within the SRX the following command is used. This example creates an application object named UDP-PORT-RANGE with a UDP port range of 5000-6999. set applications application UDP-PORT-RANGE protocol udp destination-port 5000-6999 Once created you can then add this to a group. This group can then be added to the necessary … Read more

Mitigating DoS attacks on a Cisco ASA

Within this example we will configure modular policy framework to define a range of connection limits. This provides a basic means of protecting your environment against DoS attacks. Define Traffic First of all we define which traffic the MPF policy will be applied to. In the example below we exclude the host 8.8.8.8 whilst inspecting … Read more

How do I clear the Cisco ASA connection counters ?

Being that this command is slightly obscure I thought it was worth documenting. To clear the Cisco ASA connection counter the following command is used. cisco-asa(config)# clear resource usage resource conns

Cisco ASA: Traffic blocked when TCP syslog server is unreachable

Issue When the transport mechnism TCP is configured for Syslog (trap logging) and the Cisco ASA is unable to reach the designated syslog server, the security appliance will prevent any further new network sessions. Solution In order to ensure that the status of a TCP-based syslog server is irrelevant to new sessions the following command … Read more

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial