It teaches you how to work and play with devices like the Cisco ASA family, and works as a definitive guide to all forms of network security features. The publication is a master class in itself. Not only does it inform us about each Cisco ASA device, but it also skilfully explains various types of network security flaws, weaknesses, points of security failure and attacks. It then explains how such network security issues can be dealt with by showing the corresponding firewall feature that counters each risk.

Features

As mentioned, the formative chapters of this publication are spent explaining various network security flaws, weaknesses, points of security failure and attacks. But before that, there is an introductory chapter on firewalls.

Author: Zur Daizil
Language: English (Spanish)
Published (Last): 21 November 2011
PDF File Size: 5.54 Mb
ePub File Size: 10.40 Mb
Price: Free* [*Free Registration Required]

He has designed, implemented, and maintained multiple large enterprise networks, covering the Cisco security, routing, switching, service provider, and wireless portfolios of products. He also holds a Master of Science degree in Information Technology with a focus on Network Architecture and Design, a Master of Science degree in Organizational Management, a master's certificate in Network Security, a Bachelor of Science degree in Computer Networking, and an Associate of Applied Science degree in Computer Information Systems.

In addition to working as a consultant, Sean spends a lot of his time as a technical writer and editor for various companies.

Dedications

To Bianca Mihaela, a beautiful and lovely girl who actually became my wife in Thank you for loving and supporting me throughout all these years.

Your morning smile makes my day. To Petr Lapukhov from Internetwork Expert: his technical mentoring and level of knowledge are purely outstanding. I am still waiting for a book release from him; it should break all frontiers.

All rights reserved. This publication is protected by copyright.

This is important to consider because the ASA underwent major changes, from both a command-line interface (CLI) and a functionality perspective, starting with Version 8.

This chapter reviews the basic functionalities of the ASA, examines how these might interact with VPN technologies, and covers some common configuration concepts generally applicable to all VPN scenarios.

The hardware architectures were also engineered with performance, reliability, and scalability in mind. Starting with Version 8. Cisco ASA , , , and use the same physical chassis and architecture but different CPUs and RAM, which leads to performance differences; these models are targeted at medium to large enterprises.

Cisco ASA X series, the newest products, were designed for large datacenters and campus environments and embrace the latest hardware architecture. All Cisco ASA VPN solutions are supported and configured in the same way, regardless of the model, thus making this writing generally applicable.

To fully understand the VPN functions available on the Cisco ASA, you first need a basic understanding of how the platform manages traffic flow. While stateful packet filtering performs intelligent traffic manipulation at OSI Layers 3 and 4, the application inspection and control (AIC) functionality analyzes the application layer for conformity with protocol standards and adherence to an acceptable-use policy as dictated by the configured rules.

A value of 0 means the interface is least trusted, whereas a value of means it is most trusted. On the Cisco ASA, for an interface to pass traffic, the following conditions need to be satisfied:

- An IP address and mask are configured.
- A logical name (nameif) is configured.
- A security level is assigned.
- The interface is enabled (removed from the administratively down state).

If the logical name configured has any other value (for example, outside), the default security level assigned is 0. Based on the security levels assigned to interfaces, the following rules for passing traffic apply:

- By default, traffic from higher security level interfaces to lower security level interfaces is allowed; this is called outbound traffic.
- By default, traffic from lower security level interfaces to higher security level interfaces is denied. To pass, it needs to be allowed by an access list applied inbound on the lower security level interface; this is called inbound traffic.
- Traffic between interfaces with the same security level is denied by default and can be allowed by enabling same-security-traffic permit inter-interface globally on the appliance.

You can apply ACLs in both the inbound and outbound direction of an interface, thus restricting traffic entering or exiting that interface. Once a packet is allowed, a flow is created in the ASA connection table, and all further packets in that flow are permitted based on the connection entry, bypassing the ACL check. Use the show conn command to view the connection table. Using both inbound and outbound ACLs on the same interface is not recommended because it adds unnecessary overhead without any added security benefit.

Generally, inbound filtering is implemented because you can filter traffic in one place regardless of the exit interface. Starting with ASA Version 8. an ACL can also be applied globally. There can be only one global ACL, and it applies only to traffic traversing the ASA, regardless of the incoming or outgoing interface.
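The following configuration is a constructed example added here; it is not taken from the Quick Reference. It puts the interface conditions and the security-level and ACL rules above into pre-8.3 ASA syntax, with the global ACL shown last in the newer (8.3 onwards) form. Interface names, the RFC 5737 and RFC 1918 addresses, the DMZ host and the ACL names are assumptions.

```text
! Constructed three-interface example (not the book's own configuration).
! Every interface needs an address, a nameif, a security level and "no shutdown" to pass traffic.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! inside(100) -> outside(0) and inside(100) -> dmz(50): allowed by default (outbound traffic).
! outside(0) -> dmz(50): denied by default; permit only what is needed, applied inbound on the
! lower-security interface, and log everything else that is dropped.
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.20 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Only required if two interfaces share a security level (for example a second DMZ at level 50).
same-security-traffic permit inter-interface
!
! Newer releases only (8.3 onwards): one global ACL, evaluated after the interface ACL for
! through-traffic regardless of the ingress or egress interface.
access-list GLOBAL_IN extended deny tcp any any eq 23
access-group GLOBAL_IN global
!
! Verification: the connection table holds one entry per flow admitted by the first packet.
show conn
```

After the first packet of a session is permitted by OUTSIDE_IN, the remaining packets of that session are matched against the connection entry shown by show conn rather than re-evaluated against the ACL.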

NAT Refresher

On the Cisco ASA, when traffic passes from one interface to another and is subject to a NAT rule, the ASA is performing inside NAT when traffic flows from a high security level to a low security level. The inside local address is the original address reachable via the high security level interface; the inside global address is the translated address as seen over the low security level interface.

Dynamic Port Address Translation (PAT) dynamically translates a group of original addresses into a single mapped address by translating both the source address and port. Static NAT is a fixed one-to-one mapping between an original address and a mapped address.

In Version 6 of the PIX OS, for a flow to traverse the appliance it was mandatory to match a translation rule; otherwise, packets were dropped. This behavior applied regardless of the traffic direction, from low to high security level or from high to low.

Since Version 7. traffic is allowed to pass as long as the default security level rules allow it or, when ACLs are applied, the traffic first matches a permit entry. To re-enable the old behavior, NAT control must be enabled globally on the appliance with the nat-control command. Traffic flowing from low- to high-security interfaces does not need to match any NAT rule. An exception applies when dynamic NAT or PAT is configured on a same-security-level interface; then all traffic from that interface to a same-security or lower-security interface needs to match a NAT rule.

Static identity NAT (static command) or static identity policy NAT is a special use of static NAT, where an address is statically translated to itself for traffic between chosen interfaces or between chosen source-destination pairs. The Cisco ASA also allows same-interface NAT, meaning that traffic enters and exits the same interface but still needs to be translated; this works if the following conditions are satisfied:

- The same-security-traffic permit intra-interface command is globally enabled on the appliance.
- The interface becomes both inside and outside from the NAT configuration perspective (nat and global commands applied on the same interface for pre releases).

These protocols are supported when the appliance functions in routed mode.
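A constructed pre-8.3 NAT configuration, added as an example and not taken from the Quick Reference, covering the NAT refresher above: nat-control, dynamic PAT with nat/global, static NAT, static identity NAT, and same-interface NAT. The interface names (inside, dmz, outside), the RFC 1918 and RFC 5737 addresses and the VPN client pool are assumptions; the hairpin block assumes the nat/global pair on outside is sufficient for outside-to-outside flows.

```text
! Constructed pre-8.3 NAT example (nat/global/static syntax); not the book's own configuration.
! Optional: restore the PIX 6.x behaviour in which every flow must match a translation rule.
nat-control
!
! Dynamic PAT: the inside subnet is translated to the outside interface address (source IP and port).
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
!
! Static NAT: fixed one-to-one mapping, inside local 10.0.0.10 <-> inside global 203.0.113.10.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
!
! Static identity NAT: the DMZ subnet is "translated" to itself toward inside, which satisfies
! nat-control without changing addresses.
static (dmz,inside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
!
! Same-interface (hairpin) NAT: traffic enters and leaves "outside", e.g. remote-access VPN
! clients (assumed pool 172.16.50.0/24) reaching the Internet through the appliance.
same-security-traffic permit intra-interface
nat (outside) 1 172.16.50.0 255.255.255.0
global (outside) 1 interface
!
! Verification: active translations and the rules they matched.
show xlate
```

With nat-control enabled, a flow from inside that matches neither the dynamic nat/global pair nor a static entry is dropped, which is exactly the PIX 6.x behaviour the text describes; without nat-control the same flow is forwarded untranslated as long as the security-level rules or an ACL permit it.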

In transparent mode, only static routes are supported, and these apply to control-plane traffic only. For static routing, the following rules apply:

- A static route is active as long as the interface it is associated with is in the up state and has a nameif configured.
- The ASA does not support equal-cost load balancing over multiple interfaces; therefore, for any given unique destination prefix, you cannot route over multiple interfaces.
- The ASA supports equal-cost load balancing over the same interface, with a maximum of three routes.
- Floating static routes are supported.
- Static routing redundancy is supported by tracking the availability of a primary route and installing a secondary one if the primary fails.

This is achieved by associating the primary route with a defined monitoring target, with which connectivity is tested by means of Internet Control Message Protocol (ICMP) echo (Cisco service level agreement [SLA] technology). As long as the target responds with an ICMP echo reply within the configured time interval, the primary route is kept in the routing table.

Otherwise, the backup route with the higher administrative distance is installed. This functionality is preemptive: when the monitoring target starts responding again, the primary route is reinstalled and used for traffic forwarding.

Forwarding a packet involves two steps: STEP 1. Select the egress interface. STEP 2. Select the next hop.

The egress interface on the ASA is not selected through a route-recursion process as on routers, because each IPv4 unicast route, be it static or dynamic, has an interface associated with it.

If there is no existing IP destination translation in the XLATE table but the destination matches a configured static translation rule, the routing table is not checked, and the egress interface is selected from the static translation.

As soon as the packet is placed on the selected egress interface buffer, the next hop needs to be selected. Only the routing table is checked to find the longest prefix match for the destination IP of the packet, and from the selected route the next hop is found. Only routes pointing to the respective egress interface are inspected; if none are found, the packet is dropped.

The ASA supports a tunneled default static route for routing tunneled traffic. When the default tunnel route is configured and no specific route exists for the destination of incoming VPN traffic, tunnel traffic is routed through the default tunnel route because it overrides any regular default routes. The following restrictions apply:

- Only one default tunnel route can be configured.
- TCP intercept is not supported on the egress interface of the tunneled default route.
- Unicast reverse path forwarding (uRPF) on the egress interface of the tunneled route is not supported.

Other routing notes: automatic summarization; route information filtering with access lists; default route origination; link-state routing protocol; two concurrent OSPF processes (an interface cannot participate in both processes). You can find a more updated AAA services matrix based on 8.
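A constructed configuration, added as an example and not taken from the Quick Reference, that ties together the static-routing rules above: a tracked primary default route, a floating backup route with a higher administrative distance, the SLA monitor that drives the tracking, and a tunneled default route for VPN traffic. The interface names (outside, backup, inside), the gateway addresses, and the SLA and track identifiers are assumptions; the backup interface is assumed to be configured with nameif backup.

```text
! Constructed static-routing example (not the book's own configuration).
! Primary default route via ISP-A: installed only while track 1 reports the target reachable.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! Floating backup default route via ISP-B on a second interface; administrative distance 254
! keeps it out of the routing table while the primary route is present.
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Monitoring target: ICMP echo to the ISP-A gateway every 10 s via the outside interface,
! with a 1000 ms reply timeout.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
 timeout 1000
sla monitor schedule 1 life forever start-time now
!
! Bind the route to the probe. When replies stop, the primary route is withdrawn and the
! backup route is installed; tracking is preemptive, so the primary returns as soon as the
! target answers again.
track 1 rtr 1 reachability
!
! Tunneled default route: decrypted VPN traffic with no more specific route is sent to the
! inside gateway. Only one such route is allowed, and TCP intercept and uRPF are not
! supported on its egress interface (inside here).
route inside 0.0.0.0 0.0.0.0 10.0.0.254 tunneled
!
! Verification: which default route is currently installed, and the state of the probe.
show route
show track 1
```

Because every ASA route carries an interface, the egress interface for a non-VPN packet is decided by the installed default route (outside while the probe succeeds, backup after it fails), and the next hop is then taken only from routes pointing at that interface.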


CCNP Security VPN 642-648 Quick Reference (May 2012)