Friday, January 2nd, 2009 at 7:34 am
QUESTION:
I am configuring a Cisco ASA5505 with DMZ. I have local LAN 192.168.103.0/24 and DMZ 10.103.1.0/24. I am able to connect from LAN to DMZ using 10.103.1.0/24 addresses but not the other way around. I can add either a static or dynamic NAT for this.
I’m not sure how to configure the NAT to allow DMZ host to connect to 192.168.103.0/24. I will control access through ACL rather than trying to “hide” them via NAT.
ANSWER:
If you just want to connect from DMZ to real addresses on the inside:
static (inside,dmz) 192.168.103.0 192.168.103.0 netmask 255.255.255.0
and then as you say allow traffic with an acl on the dmz interface.
Friday, January 2nd, 2009 at 7:21 am
PROBLEM:
Network topology: remote branch office with an ASA firewall and a VPN client on the remote LAN; central site with an ASA firewall terminating the remote branch VPN client. I cannot connect from inside my branch network to the central network using the VPN client. Earlier I had FreeBSD in my office and did not have this problem (I could connect to the central ASA using the VPN client); when I changed FreeBSD to ASA this problem occurred. The VPN client is connected and the tunnel is created, but nothing more.
I get an error message: Syslog ID 305006 – regular translation creation failed for protocol 50 src inside:10.0.0.22 dst outside:6.168.y.x
SOLUTION:
On remote branch office ASA use:
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect ipsec-pass-thru
ciscoasa(config-pmap-c)# exit
On Central Office ASA use:
PIX/ASA 7.1 and earlier: pix(config)#isakmp nat-traversal 20
PIX/ASA 7.2(1) and later: securityappliance(config)#crypto isakmp nat-traversal 20
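The syslog message in the problem above is the branch ASA's PAT engine refusing to build a translation for IP protocol 50 (ESP), which carries no layer-4 ports for a many-to-one NAT to multiplex on. The following constructed Python model (added here as an example; it is not code from the original post or from Cisco) shows why IKE on UDP/500 translates fine while raw ESP does not, and why NAT-T, which the central ASA's nat-traversal keyword enables, makes the problem disappear by wrapping ESP in UDP/4500. The public and central-site addresses are assumptions; only the client address 10.0.0.22 comes from the syslog line quoted above. The branch-side inspect ipsec-pass-thru command is the ASA's own mechanism for tying ESP to its IKE session and is not modelled here.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of a PAT (overload NAT) device handling an IPsec VPN client.
# Not code from the original post or from Cisco; addresses are assumptions except
# the client address 10.0.0.22 quoted in the syslog message in the post.

ESP, UDP = 50, 17            # IP protocol numbers
IKE_PORT, NAT_T_PORT = 500, 4500


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for protocols that carry no L4 ports (ESP)
    dst_port: Optional[int] = None


class PortAddressTranslator:
    """Many-to-one NAT on a single public address. Each translation is keyed on a
    unique public port, so a flow with no ports has nothing to be multiplexed on."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}   # (proto, src_ip, src_port, dst_ip, dst_port) -> public port

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None when no translation can be built
        (the condition the ASA reports as 'regular translation creation failed')."""
        if pkt.src_port is None or pkt.dst_port is None:
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:               # reuse the port for an existing flow
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst_ip, self.table[key], pkt.dst_port)


def nat_t_encapsulate(esp: Packet) -> Packet:
    """NAT-T (RFC 3948): carry the ESP payload inside UDP/4500 so the PAT device
    has ports to work with. Both peers negotiate this during IKE, which is what
    the nat-traversal keyword on the central ASA turns on."""
    return Packet(UDP, esp.src_ip, esp.dst_ip, NAT_T_PORT, NAT_T_PORT)


def vpn_client_through_pat(nat_t_enabled: bool) -> dict:
    """Send the VPN client's IKE and ESP traffic through the PAT device and report
    which of the two obtained a translation."""
    pat = PortAddressTranslator("198.51.100.1")             # branch outside address (constructed)
    client, central = "10.0.0.22", "192.0.2.10"             # central ASA address is constructed
    ike = Packet(UDP, client, central, IKE_PORT, IKE_PORT)  # IKE phase 1 always has ports
    esp = Packet(ESP, client, central)                      # protocol 50, no ports at all
    data = nat_t_encapsulate(esp) if nat_t_enabled else esp
    return {"ike": pat.translate(ike) is not None,
            "esp": pat.translate(data) is not None}


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"NAT-T enabled={enabled!s:5} ->", vpn_client_through_pat(enabled))
```

Without NAT-T the run reproduces the symptom in the post: the tunnel negotiates (IKE gets a translation) but no ESP traffic is ever translated, so nothing flows through it.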
Tuesday, December 23rd, 2008 at 5:57 am
By default, the global policy used on a Cisco ASA firewall enables FTP inspection for all traffic passing through the appliance. Before discussing the usage of ftp inspection, let’s see how ftp works:
In Active FTP (which is the default mode), we need two ports for communication. Port 21 is used for Command and Control traffic and Port 20 is used for Data transfer. The FTP client connects from a random source port bigger than 1023 (N>1023) to the command port of the FTP server (port 21). Then the client starts listening to port N+1 and notifies the server that it will accept data to this port (N+1). The server then connects back to the specified data port of the client from its local data source port 20.
Now, the above behavior works fine if there is no firewall between the FTP client and server. However, if there is a stateful firewall between the two FTP nodes, we have a problem. Specifically, when the FTP server starts its data connection back to the client (in order to start sending data), the firewall will block it: it is a new inbound connection, from source port 20 to the client's data port, that does not match the command session the client opened to port 21. The purpose of the inspect ftp command on the Cisco ASA is therefore to listen to the initial command traffic (on port 21) and dynamically open the secondary data connection between FTP server and client (from port 20). This allows FTP communication to work. If you disable FTP inspection with the no inspect ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.
The inspect ftp command is found under the global policy map:
policy-map global_policy
class inspection_default
inspect ftp
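To make the mechanism above concrete, here is a small constructed Python model (an added example, not code from the original post or from Cisco) of active-mode FTP crossing a stateful firewall. It parses the client's PORT command the same way an FTP inspector must, and shows that the server's connection from port 20 is dropped as unsolicited inbound traffic unless the inspector has opened a pinhole for it, while passive mode works either way because the client initiates both connections. The addresses, the client's source port N, and the server's passive port are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed model of active-mode FTP crossing a stateful firewall. Not code from
# the original post or from Cisco; addresses and ports below are assumptions.


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def port_command(ip: str, port: int) -> str:
    """Build the client's 'PORT h1,h2,h3,h4,p1,p2' line (RFC 959) for ip:port."""
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n"


def parse_port_command(line: str):
    """Parse a PORT line into (ip, port); return None if it is malformed."""
    m = re.fullmatch(r"PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?", line)
    if not m:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


@dataclass
class StatefulFirewall:
    """Permits sessions initiated from inside and their return traffic only,
    plus any pinhole the FTP inspector has opened."""
    inside_prefix: str
    inspect_ftp: bool = False
    _sessions: set = field(default_factory=set)
    _pinholes: set = field(default_factory=set)

    def outbound(self, flow: Flow) -> bool:
        if not flow.src_ip.startswith(self.inside_prefix):
            return False
        self._sessions.add(flow)
        return True

    def inbound(self, flow: Flow) -> bool:
        if flow.reverse() in self._sessions:      # return traffic of a known session
            return True
        if flow in self._pinholes:                # data connection the inspector expects
            self._pinholes.discard(flow)          # one-shot: consumed on first use
            self._sessions.add(flow)
            return True
        return False                              # unsolicited inbound: dropped

    def control_channel(self, control: Flow, client_line: str) -> None:
        """Inspect one client->server line on an established control session.
        With inspection on, a valid PORT command opens a pinhole for the server's
        data connection from port 20 to the advertised client address/port."""
        if not (self.inspect_ftp and control.dst_port == 21 and control in self._sessions):
            return
        parsed = parse_port_command(client_line)
        if parsed is None:
            return
        data_ip, data_port = parsed
        if data_ip != control.src_ip:             # PORT pointing at a third host: ignore
            return
        self._pinholes.add(Flow("tcp", control.dst_ip, 20, data_ip, data_port))


def simulate(inspect_ftp: bool, passive: bool = False) -> dict:
    """Run one FTP session through the firewall; report whether control and data got through."""
    fw = StatefulFirewall("192.168.1.", inspect_ftp=inspect_ftp)
    client, server, n = "192.168.1.10", "203.0.113.5", 40000   # constructed; N > 1023
    control = Flow("tcp", client, n, server, 21)
    result = {"control": fw.outbound(control)}
    if passive:
        # Passive mode: the client also initiates the data connection, so the
        # firewall sees ordinary outbound traffic (50000 is the server's advertised
        # passive port in this constructed run).
        result["data"] = fw.outbound(Flow("tcp", client, n + 1, server, 50000))
    else:
        fw.control_channel(control, port_command(client, n + 1))
        result["data"] = fw.inbound(Flow("tcp", server, 20, client, n + 1))
    return result


if __name__ == "__main__":
    for mode in ("active", "passive"):
        for insp in (False, True):
            print(f"{mode:7} inspect ftp={insp!s:5} ->", simulate(insp, passive=(mode == "passive")))
```

The check that the address in the PORT command matches the client that sent it is deliberate: an inspector that opened pinholes toward whatever address a PORT command named would let the control channel punch holes to third hosts, so a real FTP inspector verifies this as well.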
Thursday, December 18th, 2008 at 9:55 am
Cisco ASA 5505 | Cisco ASA 5510
The two smallest ASA Firewall models, the 5505 and the 5510, are the only ones that have two types of licenses. They can be ordered either with a Base License or a Security Plus License. Many customers of mine are always asking me what the difference is between the two licenses (except from the price of course), so I thought it would be useful to summarize below the differences between the two license types:
Cisco ASA 5505

| Base License | Security Plus License |
|---|---|
| 10,000 Maximum Firewall Connections | 25,000 Maximum Firewall Connections |
| 10 Maximum VPN Sessions (site-to-site and remote access) | 25 Maximum VPN Sessions (site-to-site and remote access) |
| 3 Maximum VLANs (Trunking Disabled) (2 regular zones and 1 restricted zone that can only communicate with 1 other zone) | 20 Maximum VLANs (Trunking enabled) (No restrictions of traffic flow between zones) |
| No High Availability (failover) supported | Supports Stateless Active/Standby failover |

Cisco ASA 5510

| Base License | Security Plus License |
|---|---|
| 50,000 Maximum Firewall Connections | 130,000 Maximum Firewall Connections |
| 5 × 10/100 Integrated Network Interfaces | 2 × 10/100/1000 and 3 × 10/100 Integrated Network Interfaces |
| 50 Maximum VLANs | 100 Maximum VLANs |
| No High Availability (failover) supported | Supports Active/Active and Active/Standby failover |
| No Security Contexts (Virtual Firewalls) | Supports 2 Virtual Firewalls (included) and 5 maximum |
| No Support for VPN Clustering and VPN Load Balancing | Supports VPN Clustering and VPN Load Balancing |
Saturday, December 13th, 2008 at 5:08 am
As we mentioned in previous posts, the Cisco ASA 5500 appliance supports an Intrusion Detection/Intrusion Prevention plug-in module (AIP-SSM). However, not all models support it. Specifically, only the mid-range models do: the lowest-end model (5505) and the highest-end models (5550, 5580) do not support the AIP-SSM IPS module.
ASA Models that support IPS Module:
- Cisco ASA 5510
- Cisco ASA 5520
- Cisco ASA 5540
Basically, the ASA 5505 cannot support the AIP-SSM because of its small size. The 5550 cannot support the module because its hardware is occupied by many more integrated network ports than the other models (it has 8 × 10/100/1000 and 4 gigabit SFP ports). The highest-end 5580 does not support the module because an inline IPS module in the 5580 would decrease its packet forwarding performance (remember that the 5580 is usually used in high-traffic environments).