Recently I've discovered that there is, well, fairly limited information online on this topic. In this short article we will explain how ICMP inspect, whether disabled or enabled, affects the connection table. What is ICMP Inspect? "The ICMP inspection engine allows ICMP traffic to be inspected like TCP and UDP traffic. Without the ICMP inspection …
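As an added example (not from the article), here is how the inspection engine is enabled in the default global policy and how to spot the entry it creates in the connection table. The policy-map and class names are the ASA defaults; the outside ACL name is a placeholder.

```cisco
! Added example: turn on ICMP inspection in the default global policy.
! global_policy / inspection_default are the ASA's default names.
policy-map global_policy
 class inspection_default
  inspect icmp
  ! also translate the addresses embedded in ICMP error messages
  ! (unreachable, time-exceeded) returned by hops behind a NAT
  inspect icmp error
!
service-policy global_policy global
!
! With inspection on, an echo from an inside host builds a conn that
! admits only one matching reply; look for it while a ping is running:
show conn detail | include ICMP
!
! Without inspection the reply is not tied to a conn, so it has to be
! allowed by the ACL on the interface it arrives on (name is a placeholder):
access-list ACL-OUTSIDE extended permit icmp any any echo-reply
access-group ACL-OUTSIDE in interface outside
```

Note that `inspect icmp` only covers ICMP transiting the firewall; ICMP addressed to the ASA's own interfaces is governed by the separate `icmp permit|deny` interface rules.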
Problem Let's consider the following scenario. We have a firewall with 3 interfaces: Outside, Inside and DMZ. When traffic is sent to the DMZ segment, the NAT rule below is matched. This results in traffic being sent out of the Outside interface rather than out of the DMZ interface. Surely this can't be right! object-group …
Introduction Within this article we will take an in-depth look into the architecture of the Cisco ASA 5585-X. CHASSIS The Cisco ASA 5585-X is a chassis-based firewall. The chassis consists of 2 slots; each slot can be populated with either an SSP (Security Services Processor) or an Interface Module (ASA5585-NM-XX). The SSPs come in various …
TCP Normalization To provide protection from attacks, the Cisco ASA provides a feature called TCP normalization. TCP normalization is enabled by default and detects abnormal TCP packets. Once detected, these packets can be allowed, dropped, or cleared of their abnormalities. The TCP normalizer is configured through a tcp-map. The tcp-map is …
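An added example (not the article's own configuration) of a tcp-map that tightens several of the normalizer's checks and applies them to all traffic through the global service policy. The map and class names are placeholders.

```cisco
! Added example: a stricter tcp-map applied to everything via global_policy.
! TCP-NORM and TCP-NORM-CLASS are placeholder names.
tcp-map TCP-NORM
 ! verify TCP checksums and drop segments that fail
 checksum-verification
 ! drop retransmissions whose payload differs from the original segment
 check-retransmission
 ! drop segments larger than the MSS negotiated in the handshake
 exceed-mss drop
 ! clear the reserved bits rather than letting them through
 reserved-bits clear
 ! clear the URG flag and pointer, which end hosts interpret differently
 urgent-flag clear
 ! drop data carried on a bare SYN or on the SYN-ACK
 syn-data drop
 synack-data drop
 ! strip TCP options 6 and 7 (echo / echo reply) from the segment
 tcp-options range 6 7 clear
!
class-map TCP-NORM-CLASS
 match any
!
policy-map global_policy
 class TCP-NORM-CLASS
  set connection advanced-options TCP-NORM
!
service-policy global_policy global
!
! verification: is the map applied, and what is it dropping?
show running-config tcp-map
show service-policy
show asp drop
```

`syn-data drop` will break anything that legitimately carries data on the SYN (TCP Fast Open, for example), so apply a map like this to a narrow class-map first and watch the `show asp drop` counters before widening it to `match any`.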
The ability to configure EtherChannels on ASA models 5510 and above was introduced in 8.4/8.6. An EtherChannel aggregates multiple Ethernet links into a single logical channel. Within this article we will provide the steps required to create an EtherChannel link on the Cisco ASA, along with the main troubleshooting/show commands. …
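An added example (not taken from the article) bundling two physical ports into a single LACP port-channel that carries the inside interface. Interface names, addressing and the bundle thresholds are placeholders.

```cisco
! Added example: two member ports bundled as Port-channel1 with LACP.
! Member ports carry no nameif/IP; only the logical interface does.
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
!
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
!
! the logical interface gets the nameif, security-level and address
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 ! placeholder thresholds: allow up to 8 members, stay down with fewer than 2
 lacp max-bundle 8
 port-channel min-bundle 2
!
! verification
show port-channel summary
show port-channel 1 detail
show lacp 1 neighbor
show interface Port-channel1
```

The switch end must run LACP as well (`active` or `passive`); if the switch side is configured with `mode on`, set `channel-group 1 mode on` here too, otherwise the bundle never forms.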
Introduction Introduced in Cisco ASA version 8.4(2), Cisco added the ability to permit or deny traffic based on FQDN (i.e. domain name). The feature works by the ASA resolving the FQDN to an IP via DNS, which it then stores in its cache; traffic is then permitted or denied against the cached address. Within this article we will look …
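An added example (not from the article) permitting inside hosts to reach one FQDN on TCP/443 and then checking what the ASA actually resolved. The DNS server address, object and ACL names are placeholders.

```cisco
! Added example: FQDN-based permit. The ASA must resolve names itself,
! so DNS lookups are enabled on the interface facing the resolver.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
object network WEB-FQDN
 fqdn www.example.com
!
access-list ACL-INSIDE extended permit tcp any object WEB-FQDN eq 443
access-list ACL-INSIDE extended deny ip any any
access-group ACL-INSIDE in interface inside
!
! the cached resolution the ACL is really matching on
show dns-hosts
! the ACL expanded with the resolved addresses
show access-list ACL-INSIDE
```

The check a practitioner wants here is that clients and the ASA resolve the name to the same addresses: if the clients use a different resolver (or the name is behind a CDN returning rotating answers), the client's connection goes to an address the ASA never cached and is silently denied. Compare `show dns-hosts` with what a client resolves before blaming the ACL.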
Issue This is a nasty little bug I found the other day, which hopefully you can avoid after reading this article. When using SCP to copy a file larger than 100k to or from the ASA, the transfer stalls and then fails, leaving an orphaned ssh_init process. Each ssh_init process then still occupies a …
Purpose The purpose of this article is to explain the configuration steps required to configure a hairpinned VPN with double NAT on a Cisco ASA firewall (running 8.0). Terms Within this article there are 2 key terms that you will need to know. They are: Hairpinning (U-turn traffic) – Hairpinning is a term to …
Issue You may experience a slow memory leak in the crypto-based processes when running SNMP on your Cisco ASA. Solution The bug is resolved in 8.2(5)46 under caveat CSCuh48577.
Issue When trying to run a capture you experience the following error:
asa-skyn3t(config)# access-list cap-acl permit ip any any
asa-skyn3t(config)# capture inside interface inside access-list cap-acl
ERROR: Capture doesn't support access-list <cap> containing mixed policies
Solution From ASA 9.0 the 'any' keyword represents all IPv4 and IPv6 traffic, and the new keywords 'any4' and …
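An added example (not from the article) of capture ACLs that keep the address families apart so the error above does not occur on 9.0 and later. ACL and capture names, the buffer size and the TFTP address are placeholders.

```cisco
! Added example: one ACL per address family, so neither mixes policies.
access-list CAP-V4 extended permit ip any4 any4
access-list CAP-V6 extended permit ip any6 any6
!
! a capture per family; buffer size is a placeholder (bytes)
capture IN-V4 interface inside access-list CAP-V4 buffer 1048576
capture IN-V6 interface inside access-list CAP-V6 buffer 1048576
!
! inspect on the box
show capture IN-V4
show capture IN-V6
!
! or export for Wireshark (placeholder TFTP server)
copy /pcap capture:IN-V4 tftp://192.0.2.20/in-v4.pcap
!
! clean up: captures keep consuming buffer until removed
no capture IN-V4
no capture IN-V6
```

Pre-9.0 ACLs carried over by an upgrade still say `any`; on the upgraded box that now means both families, so any capture (or access-list) command that used to work with such an ACL needs `any4`/`any6` made explicit.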
Within this article we will show you the steps required to build an IKEv2 IPsec site-to-site VPN on a Cisco ASA firewall. IKEv2 provides a number of benefits over its predecessor IKEv1, such as support for asymmetric authentication methods, greater protection against IKE DoS attacks, vendor interoperability for DPD/NAT-T, and less overhead and …
Issue Traffic is sent out from the ASA unencrypted. Cause This can be caused by a duplicate (stale) ASP crypto table entry, which prevents the ASA encrypting any traffic destined for the remote host. There are 2 commands which show this behaviour. They are:
Interface outside:!out id=0xd616fff0, priority=70, domain=encrypt, deny=false hits=855899, user_data=0x473ccf4, cs_id=0xd5deba08, reverse, flags=0x0, …
Issue You may observe the ASA incorrectly proxy ARPing for an IP address, resulting in connectivity issues. Background Within 8.4(2) and 8.6(1) the following NAT changes were introduced. This basically states that proxy ARP is enabled by default on both static and identity NAT statements. Reference: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/intro_intro.html Identity NAT configurable proxy ARP and …
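An added example (not from the article) of the typical way this bites: an identity NAT written with interface `any` on both sides, beside the form that disables proxy ARP and lets routing pick the egress interface. Addresses and object names are placeholders; `no-proxy-arp` and `route-lookup` assume 8.4(2) or later.

```cisco
! Added example: NAT exemption for VPN traffic, before and after.
object network LAN-LOCAL
 subnet 10.1.1.0 255.255.255.0
object network LAN-REMOTE
 subnet 10.2.2.0 255.255.255.0
!
! Problematic form: with interface "any" and proxy ARP on by default,
! the ASA is willing to answer ARP for LAN-LOCAL addresses on every
! interface, including inside where those hosts really live.
nat (any,any) source static LAN-LOCAL LAN-LOCAL destination static LAN-REMOTE LAN-REMOTE
!
! Corrected form: explicit interfaces, no proxy ARP for the mapped
! addresses, and a route lookup for egress instead of trusting the rule.
no nat (any,any) source static LAN-LOCAL LAN-LOCAL destination static LAN-REMOTE LAN-REMOTE
nat (inside,outside) source static LAN-LOCAL LAN-LOCAL destination static LAN-REMOTE LAN-REMOTE no-proxy-arp route-lookup
!
! confirm the rule and that traffic is hitting it
show nat detail
show running-config nat
```

The symptom to check for on an affected segment is a host's ARP cache holding the ASA's MAC address for a neighbour's IP (`arp -a` on the host); intermittent reachability between hosts on the same VLAN after a NAT change is the usual tell.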
There are 2 main types of SA (Security Association) lifetimes: soft and hard. Soft lifetime – The soft lifetime defines the number of seconds until the IKE process is informed that the SA is about to expire. This gives enough time to create a new SA before the hard lifetime …
To configure a site-to-site VPN between 2 peers, one with a dynamic IP and the other with a static IP, a dynamic crypto map is used. However, as the static peer will be unaware of the remote peer's IP, the VPN can only be initiated from the dynamic side. Note: …
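An added example (not from the article) of the static-IP side, which is the side that needs the dynamic crypto map. IKEv1 is shown; transform set, ACL, map names and the key are placeholders, and DH group 14 for IKEv1 assumes a release that supports it.

```cisco
! Added example: static-IP hub accepting a peer whose address is unknown.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! the dynamic map has no "set peer". match address is optional but
! limits what an otherwise unknown peer is allowed to negotiate.
access-list VPN-DYN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto dynamic-map DYN-MAP 10 match address VPN-DYN
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set ESP-AES256-SHA
!
! the dynamic entry goes last in the static map (highest sequence number)
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! no peer address means no per-peer tunnel-group: the key lives in the
! default L2L group and any peer presenting it is accepted
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key Dyn-Peer-Key-placeholder
!
! the dynamic side is an ordinary static crypto map pointing at this hub.
! only it can initiate; check here once it has brought the tunnel up:
show crypto ikev1 sa
show crypto ipsec sa
```

Because DefaultL2LGroup is shared by every dynamic peer, the pre-shared key effectively becomes a group secret; where more than one dynamic site terminates here, certificate authentication (or at least a `match address` per dynamic map entry) is the way to keep sites from negotiating each other's traffic.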
Introduction Within this article we will look into how VPN filters work and how to configure them on a Cisco ASA firewall. As the name suggests, VPN filters provide the ability to permit or deny post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel. Note: When the …
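An added example (not from the article) that restricts a site-to-site tunnel so the remote site can only reach one local host on TCP/443. The peer address, networks, ACL and group-policy names are placeholders.

```cisco
! Added example: VPN filter on an L2L tunnel from 203.0.113.2.
! The filter ACL is written from the remote side's point of view:
! source = remote (tunnel) network, destination = local network,
! regardless of which side initiates the connection.
access-list VPN-FILTER-SITEB extended permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.10 eq 443
! local hosts browsing TO the remote site need the remote as source
! with 443 as the SOURCE port, because the same orientation is used
access-list VPN-FILTER-SITEB extended permit tcp 10.2.2.0 255.255.255.0 eq 443 10.1.1.0 255.255.255.0
! explicit deny so the drop shows up in hit counters
access-list VPN-FILTER-SITEB extended deny ip any any
!
group-policy GP-SITEB internal
group-policy GP-SITEB attributes
 vpn-filter value VPN-FILTER-SITEB
!
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GP-SITEB
!
! verification: is the filter attached, and which lines are hit?
show vpn-sessiondb l2l
show access-list VPN-FILTER-SITEB
```

With the default `sysopt connection permit-vpn`, decrypted traffic bypasses the interface ACLs entirely, so the vpn-filter is the only access control applied to what arrives through the tunnel; that is the main reason to add one even when the crypto ACL already narrows the interesting traffic.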
Within this article we will show the various steps required to configure a Cisco ASA IPsec VPN using digital certificates. These certificates will be signed by a CA (a Cisco router) and downloaded by the client/ASA using SCEP (Simple Certificate Enrollment Protocol). Time/Date On the client, router and firewall ensure that NTP is configured and …
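An added example (not the article's own configuration) of the ASA side of the enrolment: time sync, key pair, trustpoint pointing at the router CA, SCEP authentication and enrolment, and binding the trustpoint to a remote-access tunnel group. The NTP and CA addresses, key label, subject name and tunnel-group name are placeholders.

```cisco
! Added example: ASA enrolling with a router CA over SCEP.
! 1. time first; certificate validity is checked against the clock
ntp server 192.0.2.123
!
! 2. a dedicated key pair for the identity certificate
crypto key generate rsa label ASA-VPN-KEY modulus 2048
!
! 3. trustpoint for the router CA (SCEP over HTTP)
crypto ca trustpoint ROUTER-CA
 enrollment url http://192.0.2.10:80
 subject-name cn=asa-skyn3t,o=skyn3t,c=UK
 keypair ASA-VPN-KEY
!
! 4. fetch the CA certificate; compare the fingerprint it prints with
!    the one read from the router out of band before accepting it
crypto ca authenticate ROUTER-CA
!
! 5. request the identity certificate (prompts for the challenge password)
crypto ca enroll ROUTER-CA
!
! 6. use certificates for IKEv1 and tell the tunnel group which identity to present
crypto ikev1 policy 10
 authentication rsa-sig
tunnel-group RA-CERT type remote-access
tunnel-group RA-CERT ipsec-attributes
 ikev1 trust-point ROUTER-CA
!
! verification
show crypto ca certificates ROUTER-CA
show clock
```

If `crypto ca authenticate` or `enroll` fails, check the clock before anything else: a validity period that starts "in the future" from the ASA's point of view is the most common reason a freshly issued certificate is rejected.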
Error When trying to connect using the Cisco VPN Client with certificate-based authentication you receive the following error in your debug logs:
CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve revocation status if necessary
ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 210F2EDE0000000009AF, subject name: cn=xxxxx,ou=xxxx,o=xxxxx,c=xx
CRYPTO_PKI: Certificate not …
Introduction ASA 8.3 onwards brought a number of changes in how NAT is processed. First, NAT is now built around objects, which makes changing IPs and renaming objects much easier than before. Also, when configuring ACLs the real IP/port address(es) are now used rather than the translated ones. Pre 8.3 access-list acl-outside extended permit …
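An added example (not from the article) showing the same static NAT for a web server in both syntaxes, so the ACL difference is visible side by side. 10.1.1.10 is the real address and 203.0.113.10 the mapped one; both, the object name and the packet-tracer source are placeholders.

```cisco
! Added example: publish an inside web server, pre and post 8.3.
!
! --- pre 8.3: the ACL references the mapped (translated) address ---
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list acl-outside extended permit tcp any host 203.0.113.10 eq 80
access-group acl-outside in interface outside
!
! --- 8.3 and later: NAT hangs off the object, the ACL uses the real address ---
object network WEB-SRV
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
access-list acl-outside extended permit tcp any object WEB-SRV eq 80
access-group acl-outside in interface outside
!
! verification after an upgrade: a leftover line permitting the mapped
! address now matches nothing, so trace a real flow end to end.
! packet-tracer still takes the mapped address, since that is what
! arrives on the outside interface.
show nat detail
show access-list acl-outside
packet-tracer input outside tcp 198.51.100.7 12345 203.0.113.10 80
```

The `show access-list` hit counters are the quickest way to find ACL lines that survived migration but no longer match anything: zero hits on a rule that is supposed to carry production traffic is the signature of a mapped-address rule on an 8.3+ box.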
Within this tutorial we will show you the necessary steps to configure your ASA as a CA server. Time/Date First of all we set the time and date.
asa-skyn3t(config)# show clock
08:05:40.249 UTC Sun Sep 30 2012
Enable CA Next we enable the ASA as a CA server.
asa-skyn3t(config)# crypto ca server
asa-skyn3t(config-ca-server)# subject-name-default cn=skyn3tca, o=skyn3t, c=UK
asa-skyn3t(config-ca-server)# …
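An added example (not the tutorial's own steps) carrying the local CA configuration through to a usable state and enrolling a first user. The subject name is the one from the excerpt; the key sizes, lifetimes, user name and e-mail address are placeholders.

```cisco
! Added example: finish the local CA and enrol one user.
crypto ca server
 subject-name-default cn=skyn3tca, o=skyn3t, c=UK
 issuer-name cn=skyn3tca, o=skyn3t, c=UK
 ! key sizes are placeholders: CA key and issued user keys
 keysize server 2048
 keysize 2048
 ! lifetimes are placeholders: CA cert (days), user certs (days), CRL (hours)
 lifetime ca-certificate 1095
 lifetime certificate 365
 lifetime crl 6
 ! generates the CA key pair and self-signed certificate; prompts for
 ! a passphrase that protects the CA key archive
 no shutdown
!
! add a user; "allow" makes the one-time password the client presents
! during SCEP enrolment, shown on the console
crypto ca server user-db add vpnuser1 dn cn=vpnuser1,o=skyn3t,c=UK email vpnuser1@example.com
crypto ca server user-db allow vpnuser1
!
! verification
show crypto ca server
show crypto ca server user-db
show crypto ca server crl
```

The passphrase asked for at `no shutdown` protects the CA's private key; losing it means the CA cannot be recovered from its archive, so record it with the same care as the key itself.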