Sunday, May 28, 2017

how to : Cisco ASA same security level + ACLs
By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same-security interfaces lets traffic flow freely between all interfaces at that security level without access-lists.

To enable interfaces on the same security level to communicate with each other, enter the following command:
(config)# same-security-traffic permit inter-interface

But the question I had never asked myself is: what if we have 2 interfaces with the same security level and an ACL applied to each of them? Will the traffic still flow freely after typing the above command? The answer is:

If you have "same-security-traffic permit inter-interface" configured and have 2 interfaces with the same "security-level" value and you have an "access-list" configured on both interfaces, then the ACLs will handle the decision of what traffic is allowed and what is not.

I found this answer here, when I ran into this challenge of same security level and ACLs.

Hope this will also help you.


Friday, May 26, 2017

How to identify what is blocking your traffic from passing through a Cisco ASA
The packet-tracer command can be used in privileged EXEC mode to generate a packet and evaluate it against the firewall's current configuration.
It allows an administrator to inject a virtual packet into the ASA and track the flow from ingress to egress. Along the way, the packet is evaluated against flow and route lookup, ACLs, protocol inspection, NAT, and IDS.

If the traffic you are trying to get forwarded by an ASA from one of its interfaces to another is not working, then the "packet-tracer" tool can help you pinpoint exactly what in the ASA is blocking your traffic from being forwarded. The power of this utility comes from the ability to simulate real-world traffic by specifying source and destination addresses with protocol and port information.

The following link is an interesting YouTube video that shows how to use this tool from ASDM: Click Right Here To Access The Video
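As an added example (constructed for this page, not taken from the posts above or from Cisco), here is an ASA configuration that combines the two points made above: two interfaces at the same security level with "same-security-traffic permit inter-interface", an ACL applied inbound on each, and the packet-tracer commands that show the ACL is what decides. Interface names, addresses, host names and ACL names are assumed.

```cisco
! Two DMZ interfaces at the same security level (constructed sample)
interface GigabitEthernet0/1
 nameif dmz1
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz2
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
! Without this line, dmz1 <-> dmz2 traffic is dropped regardless of ACLs
same-security-traffic permit inter-interface
!
! Inbound ACL on dmz1: only HTTPS to the dmz2 web server is allowed;
! the explicit deny with "log" makes every rejected flow visible in syslog
access-list DMZ1_IN extended permit tcp 10.1.1.0 255.255.255.0 host 10.2.2.10 eq 443
access-list DMZ1_IN extended deny ip any any log
access-group DMZ1_IN in interface dmz1
!
! Inbound ACL on dmz2: only SSH to the dmz1 jump host is allowed
access-list DMZ2_IN extended permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.10 eq 22
access-list DMZ2_IN extended deny ip any any log
access-group DMZ2_IN in interface dmz2
!
! Verification from privileged EXEC mode (not part of the configuration):
! syntax is: packet-tracer input <ifc> <proto> <src_ip> <src_port> <dst_ip> <dst_port>
!
! Expected ALLOW: HTTPS from a dmz1 host to the dmz2 web server
!   packet-tracer input dmz1 tcp 10.1.1.20 40000 10.2.2.10 443
!
! Expected DROP in the ACCESS-LIST phase: HTTP is not permitted by DMZ1_IN,
! even though both interfaces share security-level 50
!   packet-tracer input dmz1 tcp 10.1.1.20 40001 10.2.2.10 80
```

If the second trace is dropped in the ACCESS-LIST phase rather than in an earlier phase, the same-security command is working and the ACL is the sole reason for the block; a drop reported in an earlier phase points at something else (route lookup, NAT, or the same-security setting itself).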

Wednesday, May 17, 2017

How to configure Cisco ASA interface Redundancy

By default, each physical ASA interface operates independently of any other interface. When an interface is down, the ASA cannot send or receive any data through it. To keep an ASA interface up and active all the time, you can configure a logical redundant interface backed by a pair of physical interfaces that are set aside for the same function and connected to the same network; only one of them is active at any given time, while the other stays in a standby state. The paired physical interfaces must be of the same type.