Browsing All Posts published on »November, 2010«

Troubleshooting ASA high memory issues

November 23, 2010

0

Troubleshooting memory issues requires TAC support to get accurate results. 1. To identify a memory leak on a PIX, get the periodic (hourly) output of “show memory detail”. Send this to the TAC; they will see the memory utilisation divided per block size. Example: pixfirewall(config)# show memory detail Free memory:                     201811608 bytes (75%) Used memory: Allocated […]

Troubleshooting IOS Firewall Feature Set – CBAC

November 23, 2010

0

1, Get a config where CBAC is enabled and access-lists are applied on the interfaces. If the CBAC and ACL configuration is wrong, the following steps will show wrong results. Check the configuration of the router before you suggest the following. 2, Check the “show commands” output 2.1 Check the inspection states […]

Certificate based RA VPN with openssl

November 22, 2010

1

The basic certificate based VPN is as easy as the VPN with a pre-shared key. There are only a few additional steps required on the ASA side. The problems arise if the clients start to use certificates without knowing what they should do and how. As a firewall administrator you cannot take responsibility for all clients, […]

Create your own CA or root CA, subordinate CA

November 22, 2010

4

You can use openssl to create a self-signed certificate, a Certificate Authority (CA), or a Subordinate Certificate Authority as part of a full CA tree. All you need is the openssl package. The openssl documentation is not complete, but what we need is already documented. For all the commands I use I […]

Basic Site to Site VPN with pre-shared key

November 19, 2010

0

In the following example I configured a basic L2L VPN between two PIX firewalls with a pre-shared key. The firewalls have different software versions; sp2 is an old 6.3.4 firewall (no longer supported). sp1 (Cisco PIX Security Appliance Software Version 7.1(2), PIX-515E) E0 – ssw fa0/20 E1 – ssw fa0/12 sp2 (Cisco PIX Firewall […]

Configure multiple context

November 19, 2010

0

Follow the documents in this order: 1. Enabling Multiple Context Mode 2. Adding and Managing Security Contexts 3. Configuring Failover 4. Configuring Active/Active Failover My example contexts (Code 7.0.5) Topology Initial context configuration: 1, pixfirewall(config)# mode multiple 2, Create the admin context (this is done by default when issuing the “mode multiple” command): admin-context admin context […]

Configure Cisco ASA and SQUID or WAAS for WCCP

November 18, 2010

0

Cisco ASA WCCP support for WAAS configuration guide. The proxy server should accept requests on ports 8080 and 80. Topology: IP addresses: ASA inside IP: 10.10.10.1/24 PC IP: 10.10.10.10 PROXY SRV IP: 10.10.10.251 Action Plan: WCCP Interaction with Other Features for PIX/ASA: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445 Here I have read the following: “The standard service is web-cache, which intercepts […]

AIP-SSM interface configuration

November 18, 2010

0

1. Assign an interface to a sensor in the AIP-SSM On the AIP-SSM you can configure interfaces for virtual sensors: SA1-AIP-SSM(config-ana-vir)# physical-interface ? GigabitEthernet0/0 GigabitEthernet0/0 physical interface. GigabitEthernet0/1 GigabitEthernet0/1 physical interface. There are only two, no matter how many interfaces the ASA has. – GigabitEthernet0/0 can only be the Command and Control / Management interface. – Alternate […]

Cisco ASA with AIP-SSM in failover

November 18, 2010

0

Both the ASA and the AIP-SSM are able to fail over or, at a minimum, to bypass the traffic. The ASA fail-open and fail-close commands determine whether to allow or deny the traffic that has to be analysed by the IPS. 1. with the following configuration ==ASA== policy-map outside-policy class outside-class ips inline fail-open ==IPS== ByPass mode […]

U-turn traffic on Cisco ASA

November 17, 2010

0

On the Cisco ASA Firewall you can redirect traffic arriving on the incoming interface back out the same interface if you want. This feature is available from version 7.2.2. To demonstrate this feature I made a small test topology with a Cisco ASA Firewall and an internal router. Topology: Requirements: On the Topology the Test […]