Asymmetric routing in ASA – TCP state bypass

Today I continued my work to fully understand MPF (Modular Policy Framework) and found a cool new feature in ASA 8.2: TCP State Bypass. By bypassing the TCP state machine for certain traffic you can get around problems with asymmetric routing. In my home lab I built this scenario:

On my inside network I have this client host [...]

Read the entire lab first and make a good diagram!

The main challenge and discoveries during the last days of my “labbing” had nothing to do with technologies, TLAs or ETLAs. It has all been about finding out how to attack the lab: how to work focused and be well prepared before starting to configure the boxes.
I have read in several different places that everyone recommends [...]

IOS Archive feature

What changes have been made since the last “wr mem”? Or rather: what differences are there between running-config and startup-config?
Use the archive-feature!

r2#sh arch conf diff nvram:startup-config system:running-config
Contextual config diffs:
line vty 0 4
+transport input all
+transport output all
line vty 0 4
-transport input telnet
-transport output all

Wanna make periodic backups of the router config to local flash?
Use the archive-feature!

r1#sh [...]

IOS overlapping NAT

There are not many situations where the ordering of lines in the router configuration really matters (apart from inside ACLs or different kinds of “maps”). But when dealing with address translations it's really important, because they are processed in the same order as they were added to the running-config.
Let's say that I want to hide [...]

CBAC – Make the Cisco router stateful

CBAC is a simple way to turn a Cisco router from being a stupid packet filter into a stateful firewall with protocol inspection.
The following example explains how to configure CBAC to allow return traffic back in when an inside web client connects over HTTP to an external web server.
Topology:

First I have my inside ACL specifying what outbound traffic to allow (HTTP and DNS).

ip [...]

Going English…

This blog is transforming from a Swedish all-purpose blog into an English-language tech blog. The reason for that is my preparation for the CCIE Security certification lab. All old Swedish posts are still here; just click on the Swedish/English category link above to filter.

Cisco ACL logging with cookies

The cookie feature of access-list logging on routers is new to me and I fell in love with it at first sight! I don't know how often I debug complex ACLs trying to find where specific traffic hits. By adding a “cookie” after the log statement in an ACE you get that cookie tagged onto all log events. [...]

ASA built-in help

Did you know that the kind coders at Cisco have put a lot of help for us into the CLI of the ASA firewall? Here are two examples:

vpnsetup todo-list
With the vpnsetup command you can see a list of the configuration tasks needed for setting up different types of VPN:

fw2(config)# vpnsetup ?
configure mode commands/options:
ipsec-remote-access Display IPSec [...]

CCIE Security – filter output of show commands

Did you know that you can use multiple arguments when piping IOS output through include?
Works great on switches:

sw1#sh int | incl FastEthernet|input errors
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
FastEthernet0/1 is up, [...]

CCIE Security – Creating vlans on a router

I just tried to create a third L3 interface in one of my C1811 routers. These are equipped with two FastEthernet router interfaces and one 8-port FastEthernet switch. Since the latter are L2 interfaces I need to create a VLAN and tie that to one of the switchports rather than configuring IP addressing directly on the interface like I've done on [...]
