Cisco ASA – ICMP Inspect and the Connection Table

Recently I’ve discovered that there is, well, fairly limited information online around this point. In this short article we will explain how ICMP inspect, whether disabled or enabled, affects the connection table. What is ICMP Inspect? “The ICMP inspection engine allows ICMP traffic to be inspected like TCP and UDP traffic. Without the ICMP inspection … Read more

Cisco ASA – Traffic Sent Out Incorrect Interface Due to NAT

Problem Lets consider the following scenario. We have a firewall with 3 interfaces, Outside, Inside and DMZ. When traffic is sent to the DMZ segment, the NAT rule below is matched. This results in traffic being sent out of the outside interface, rather then out the DMZ interface. Surely this cant be right ! object-group … Read more

Cisco ASA 5585X Architecture Deep Dive

Introduction Within this article we will take an in-depth look into the architecture of the Cisco ASA 5585X. CHASSIS The Cisco ASA 558X is a chassis based firewall. The chassis consists of 2 slots, each slot can be populated with either an SSP (Security Services Processor) or Interface Module (ASA5585-NM-XX). The SSPs come in various … Read more

Cisco ASA – TCP Normalization ; Permitting TCP Option Headers

TCP Normalization To provide protection from attacks, the Cisco ASA provides a feature called TCP normalization. TCP normalization is enabled by default and can detect abnormal packets. Once detected these packets can be either allowed, dropped or cleared of its abnormalities. To configure the TCP normalizer changes are made within the tcp-map. The tcp-map is … Read more

Configuring EtherChannel on an ASA Firewall

The ability to configure EtherChannels on ASA models 5510 and above was introduced within 8.4/8.6. An Etherchannel provides a method of aggregating multiple Ethernet links into a single logical channel. Within this article we will provide the steps required to create an Etherchannel link on the Cisco ASA along with providing the main troubleshooting/show commands. … Read more

Cisco ASA – How to Permit/Deny Traffic based on Domain Name (FQDN)

Introduction Introduced within Cisco ASA version 8.4(2), Cisco added the ability to allow traffic based on the FQDN (i.e domain name). This feature works by the ASA resolving the IP of the FQDN via DNS which it then stores within its cache. Traffic is then either denied or permitted accordingly. Within this article will look … Read more

Cisco ASA – SCP causes orphaned ssh_init processes

Issue This is a nasty little big I found the other day which hopefully you can avoid after reading this article. When using SCP to copy a file to/from the ASA that is over 100k the transfer stalls and then fails. This results in an orphaned ssh_init process. Each ssh_init process then still occupies a … Read more

Configuring a Hairpin VPN with Double NAT on a Cisco ASA running 8.0

  Purpose The purpose of this article is to explain the configuration steps required in configuring a hairpinned VPN with double NAT on a Cisco ASA firewall (running 8.0). Terms Within this article there are 2 key terms that you will need to know. They are, Hairpinning (U-turn Traffic) – Hairpinning is a term to … Read more

Cisco ASA – Slow Memory Leak (CSCuh48577)

Issue You may experience a slow memory leak within your crypto based processes when running SNMP on your Cisco ASA device. Solution The bug has been resolved within 8.2(5)46 under caveat CSCuh48577.

Cisco ASA – ERROR: Capture doesn’t support access-list containing mixed policies

Issue When trying to run a capture you experience the following error, asa-skyn3t(config)# access-list cap-acl permit ip any anyasa-skyn3t(config)# capture inside interface inside access-list cap-aclERROR: Capture doesn’t support access-list <cap> containing mixed policies Solution Within ASA 9.0 the ‘any’ keyword now represents all IPv4 and IPv6 traffic. And the new keywords ‘any4’ and ‘any6’ have … Read more

Cisco – How to configure an IKEv2 Site to Site IPSEC VPN ?

Within this article we will show you the steps required to build an IKEv2 IPSEC Site to Site VPN on a Cisco ASA firewall. IKEv2 provides a number of benefits of its predecessor IKEv1, such as ability for asymmetric authentication methods, greater protection over IKE DoS attacks, interoperability between vendors for DPD/NAT-T, and less overhead and … Read more

ASA – VPN Traffic is not being encrypted (CSCsd48512)

Issue Traffic is sent out from the ASA unencrypted. Cause This can be caused by a duplicate (stale) ASP crypto table entry, this prevents the ASA encrypting any traffic destined for the remote host. There are 2 commands which shows this behaviour. They are, Interface outside:!out id=0xd616fff0, priority=70, domain=encrypt, deny=false        hits=855899, user_data=0x473ccf4, cs_id=0xd5deba08, reverse, flags=0x0, … Read more

Cisco ASA 8.4/8.6 – Proxy ARP Gotcha

Issue You may observe the ASA incorrectly proxy ARPing for an IP address resulting in connectivity issues . Background Within 8.4(2) and 8.6(1) the following NAT changes were introduced.This basically states that Proxy ARP is enabled by default on both static and identity based NAT statements. Reference : http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/intro_intro.html Identity NAT configurable proxy ARP and … Read more

What is the difference between a Soft and Hard SA timeout ?

The are 2 main types of SA (Security Association) lifetimes ; soft and hard. Soft lifetime – The soft lifetime defines the number of seconds until the IKE process is informed that the SA is about to expire. This is to provide enough time for the creation of a new SA before the hard lifetime … Read more

Cisco ASA – How do VPN Filters work ?

Introduction Within this article we will look into how VPN filters work and also how to configure them on a Cisco ASA firewall. As the name suggests VPN filters provide the ability to permit or deny post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel. Note : When the … Read more

ASA – IPSEC Remote access VPN (using Certificates via SCEP enrollment)

Within this article we will be showing the various steps required in configuring a Cisco ASA IPSEC VPN using digital certificates. These certificates will be signed by a CA (Cisco Router) and downloaded by the Client/ASA using SCEP (Simple Certificate Enrollment Protocol). Time/Date On the client, router and firewall ensure that NTP is configured and … Read more

Cisco ASA – Certificate based IPSEC VPN “ERROR: Certificate validation failed. Peer certificate key usage is invalid”

Error When trying to connect using the Cisco VPN Client with certificate based authentication you receive the following error from you debug logs. CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve revocation status if necessary ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 210F2EDE0000000009AF, subject name: cn=xxxxx,ou=xxxx,o=xxxxx,c=xx CRYPTO_PKI: Certificate not … Read more

Cisco ASA – 8.3 and later NAT Tutorial

Introduction ASA 8.3 onwards brought a number of changes in how NAT is processed. First of all NAT is built around objects, this allows for IP`s to be changed and objects to be renamed much easier than previously. Also when configuring ACL`s the Real IP/Port address(s) are now used. Pre 8.3 access-list acl-outside extended permit … Read more

How to configure your ASA as a CA Server

Within this tutorial we will show you the nessecary steps in configuring your ASA as a CA server. Time/Date First of all we set the time and date.  asa-skyn3t(config)# show clock08:05:40.249 UTC Sun Sep 30 2012 Enable CA Next we enable the ASA as a CA server.  asa-skyn3t(config)# crypto ca serverasa-skyn3t(config-ca-server)# subject-name-default cn=skyn3tca, o=skyn3t, c=UKasa-skyn3t(config-ca-server)# … Read more

ASA – Anyconnect (Basic Setup)

Within this article we will configure a basic Anyconnect setup. The Anyconnect client provides the ability to securly connect to your LAN via TLS/DTLS (TLS over UDP). Enable WebVPN asa84(config)# webvpnasa84(config-webvpn)# enable outsideINFO: WebVPN and DTLS are enabled on ‘outside’.asa84(config-webvpn)# anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkgERROR: The specified AnyConnect Client image does not exist.asa84(config-webvpn)# anyconnect enableasa84(config-webvpn)# exit Create User … Read more

Cisco ASA – Twice NAT

Twice NAT allows you to NAT both the source and destination within a single rule. Scenario A scenario where this type of configuration would be required is shown below. To ensure that any traffic originating from the Internet isn’t sent back out to its default gateway (asymmetrically routed) the source IP is translated to an … Read more

Cisco ASA – How do I generate a CSR ?

A Certificate Signing Request (CSR) is a base-64 encoded (PEM based) string which is generated using the users public key along with a number of attributes provided by the user such as DN, email, address etc. The CSR is then sent to the CA which it then uses to create a public certificate. The public … Read more

Cisco ASA – Group-policy assignment based on OU

Purpose The purpose of this document is to explain the configuration methods required to assign to a group-policy to a user based on their OU group. Summary The Cisco ASA firewall includes the ability to assign a user to a group policy based on their OU group. This is achieved via the use of the … Read more

Cisco ASA – Security Levels / NAT Control

Within the Cisco Firewall family (PIX/ASA) there are 2 security features known as Security Levels and NAT Control. Security Levels Security levels are numeric values (between 0 and 100) which are assigned to the firewalls interfaces and used to control traffic flows. Traffic is allowed to pass from a higher security level to a lower … Read more

Cisco ASA – How do I capture ARP`s ?

Below shows the necessary commands to capture ARP packets on a Cisco ASA Firewall. Syntax ASA(config)# capture arp ethernet-type arp interface dmz  Display ASA(config)# show capture arp2 packets captured 13:12:23.478229 arp who-has 10.1.1.1 tell 10.1.1.10013:12:26.784194 arp who-has 10.1.1.1 tell 10.1.1.1002 packets shown

Mitigating DoS attacks on a Cisco ASA

Within this example we will configure modular policy framework to define a range of connection limits. This provides a basic means of protecting your environment against DoS attacks. Define Traffic First of all we define which traffic the MPF policy will be applied to. In the example below we exclude the host 8.8.8.8 whilst inspecting … Read more

How do I clear the Cisco ASA connection counters ?

Being that this command is slightly obscure I thought it was worth documenting. To clear the Cisco ASA connection counter the following command is used. cisco-asa(config)# clear resource usage resource conns

Cisco ASA – Traffic blocked when TCP syslog server is unreachable

Issue When the transport mechnism TCP is configured for Syslog (trap logging) and the Cisco ASA is unable to reach the designated syslog server, the security appliance will prevent any further new network sessions. Solution In order to ensure that the status of a TCP-based syslog server is irrelevant to new sessions the following command … Read more

Cisco ASA – HTTP Filtering – Example 3

This example will provide the required configuration to allow a single IP address access to TCP port 80 when the HTTP Host Header matches either EXAMPLE1.DOMAIN.net or EXAMPLE2.DOMAIN.net. Note : In addition to the commands below you will also need to grant the relevant access via your interface based ACL`s. This is because your HTTP traffic … Read more

Cisco ASA 8.3 – No NAT / NAT Exemption

As we all know Cisco`s new ASA version 8.3 brings massive changes in NAT. This article describes and explains how NAT exemption (no NAT) is now configured. Below provides examples of both pre and post 8.3 no NAT configurations. Example Details Local LAN – 192.168.0.0/24 Remote LAN – 172.168.0.0/24 Traffic is arriving on the inside … Read more

Cisco ASA MPF URL Filtering

Within this tutorial will will look at 2 configuration examples in which we will use HTTP inspection within the Cisco ASA to allow access for certain hosts based on specific URL headers. EXAMPLE 1 This example will show the required syntax to allow access to yahoo.com for any host within the network 10.1.1.0 255.255.0.0. HTTP … Read more

How do i include the cluster state within the ASA hostname ?

The prompt state command was introduced within 7.1. This short example shows you how to configure your ASA to include the cluster state within its name : cisco-firewall# config t cisco-firewall (config)# prompt hostname state  cisco-firewall/act(config)#

How to clear an ASA`s configuration

You may find that there is a time in which you haven’t got access via the standard ASAOS CLI to change, amend or edit your current configuration. In this example we will show you the steps required for removing the configuration via ROMMON mode. Here are the steps : 1. Reboot the device2. On boot … Read more

ASA Capture Examples

Below are a couple of ASA caputre examples. This is meant for more of a copy and paste function then an overall capture tutorial. access-list based access-list capture1-acl permit ip host [ip] host [ip]capture capture1 type access-list capture1-acl interface [interface] host / port based capture capture2 [interface] match ip host [ip] host [ip]capture capture3 [interface] … Read more

Site 2 Site VPN Template

The main issue when creating a Site to Site VPN between parties is having the correct information on both sides. Below is a template for the information which is needed to build a VPN Site to2 Site tunnel. This template is designed to be copied and pasted and sent to the other parties. Please remember … Read more

ASA 5505 Example Configuration

Below is an example of a basic configuration for an ASA 5505 Firewall. The main difference between the other ASAs is that with the 5505 you have 10 ports which are not assigned to their own bridge groups. So you need to configure you VLANs and then assign you ports to your VLANs. Please Notes … Read more

ASA 8.3 – Auto NAT Examples

As you will have heard (and if not you will do soon) the new ASA 8.3 brings massive changes. The main change is the way in which the ASA handles NAT. Below provides a number of Auto NAT examples. Auto NAT is configured using the following steps: Create a network object. Within this object define … Read more

ASA L2L VPN is not passing traffic when a VPN Filter is applied

Within the Cisco Adaptive Security Appliance Software Version 8.2(2) you may find that when you have a group-policy (vpn filter) applied to your tunnel group that some traffic is not being allowed through the VPN. This is a bug with 8.2(2), to resolve the issue you will need add the destination ports to the group-policies … Read more

How do I configure shared licensing on an ASA ?

A shared license lets you purchase a large number of SSL VPN sessions and share the sessions as needed amongst a group of security appliances by configuring one of the security appliances as a shared licensing server, and the rest as shared licensing participants.Below shows the steps on how to configure a Shared License server. … Read more

What is ASP and how do I troubleshoot ASP drops on an ASA ?

What is the Accelerated Security Path ? The Accelerated Security Path (ASP) on the ASA appliance comprises of 2 components; The Fast Path and The Session Management Path. In addition to the Accelerated Security Paths there is also the Control Plane Path which is also covered below. The Session Management Path When a new connection … Read more

Configuring VPN Traffic Policing on an ASA

In this article we will show you how to set traffic policing on traffic which is tranversing a VPN. Please Note : The command usage has changed from 8.0.4 to 8.2.1. When matching on a tunnel-group and policing at the same time you will have to also configure the match flow ip destination-address command to … Read more

ASA – Site to Site VPN Example

In this article I will be showing you how to configure a Site 2 Site VPN on a ASA.Also included within this example is a group-policy (named “GROUPPOLICY100”) which we restrict access between the 2 endpoints to just tcp/80 traffic. Please Note : This example presumes that you have already created the object groups for … Read more

PIX / ASA – Display Encrypted Pre-Shared Keys.

To allow you to view your preshared keys on your PIX ASA use the command `more system:running-config`.  You can also view the preshared password with some versions of ASDM. Below shows the example of the command. pixfirewall# show run ! tunnel-group mytunnel type ipsec-rapre-shared-key * telnet timeout 5 Your preshared key ….. pixfirewall# more system:running-config! … Read more

ASA – How do I enable Netflow on an ASA?

NetFlow is a network protocol developed by Cisco Systems to run on a range of network devices for collecting IP traffic information. Previously only Cisco IOS routers and the Cisco 5580 ASA supported Netflow. But now with the introduction of Cisco ASA software 8.2, the complete ASA family now supports Netflow. There are 3 event … Read more

PIX – BGP Advanced Protocol Inspection

Summary When passing BGP traffic through a PIX you will need to configure the PIX to disable random sequence numbers to prevent MD5 Digest mismatches on either router. Please Note : Below presumes you all ready have a policy map defined with the name of global_policy and this has already been assigned to your device … Read more

PIX – ASDM Read Only Account

When trying to create a Read only account (Priv Level 5), and logging into the ASDM using your readonly account you receive the following error, you do not have sufficient privileges to execute commands required to load asdm Solution This is due to the privilege levels not being configured correctly. The following will give you … Read more

PIX / ASA – How to enable ICMP Inspect

Below shows you how to enable ICMP inspection on a PIX 8.0(4)28. Please Note : Below presumes you all ready have a policy map defined with the name of global_policy and this has already been assigned to your device using the service-policy command.  PIX(config-cmap)# policy-map global_policyPIX(config-pmap)# class inspection_defaultPIX(config-pmap-c)# inspect icmp

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial