Wednesday, January 20, 2010


1) to see ASA as a hop during traceroute you need to:

policy-map global_policy
class class-default
set connection ttl-decrement

2) interface: port-channel & redundant

a) port-channel - active/active mode (a port-channel on the switch is required)

b) redundant - active/passive mode (default settings on the switch are enough because only one port is active at a time)

3) traceroute

linux/cisco version:
a) router sends a UDP packet to port 33434 towards the destination with TTL 1 (3 times)
b) ICMP time-exceeded comes back because the TTL reached 0
c) UDP to port 33437 -> sent with the TTL incremented by 1 (TTL=2)
d) and so on until it reaches the destination
e) destination sends ICMP port unreachable

windows version:
a) icmp echo request ->
b) icmp time exceeded  <-
c) and so on
d) icmp echo reply
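Added example (not from the original post) tying together notes 1 and 3: a small model of the Linux-style UDP probe sequence and of which device answers each TTL, with and without `set connection ttl-decrement` on the ASA. The path (R1 -> ASA -> R2 -> DST) and hop names are constructed.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    name: str
    is_asa: bool = False
    ttl_decrement: bool = False  # ASA "set connection ttl-decrement" configured?

def responder(path, ttl):
    """Name of the device that answers a probe sent with this TTL.

    Routers decrement the TTL and reply ICMP time-exceeded when it hits 0.
    An ASA forwards without decrementing unless ttl-decrement is set, so it
    never consumes a TTL and never shows up as a hop.
    """
    for hop in path[:-1]:
        if hop.is_asa and not hop.ttl_decrement:
            continue  # passes the probe through with the TTL untouched
        ttl -= 1
        if ttl == 0:
            return hop.name  # ICMP time-exceeded from this hop
    return path[-1].name  # destination: ICMP port unreachable (UDP probe)

def linux_probes(max_ttl, per_hop=3, base_port=33434):
    """(ttl, udp_dst_port) pairs as sent by Linux/Cisco traceroute."""
    port, probes = base_port, []
    for ttl in range(1, max_ttl + 1):
        for _ in range(per_hop):  # 3 probes per TTL, destination port +1 per probe
            probes.append((ttl, port))
            port += 1
    return probes

def trace(path):
    """Hops as traceroute would list them, one per TTL until the destination answers."""
    hops = []
    for ttl, _port in linux_probes(len(path), per_hop=1):
        hops.append(responder(path, ttl))
        if hops[-1] == path[-1].name:
            break
    return hops

def path_through_asa(ttl_decrement):
    """Constructed path: R1 -> ASA -> R2 -> DST."""
    return [Hop("R1"), Hop("ASA", is_asa=True, ttl_decrement=ttl_decrement),
            Hop("R2"), Hop("DST")]

if __name__ == "__main__":
    print("without ttl-decrement:", trace(path_through_asa(False)))  # ['R1', 'R2', 'DST']
    print("with ttl-decrement:   ", trace(path_through_asa(True)))   # ['R1', 'ASA', 'R2', 'DST']
```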

4) global access-list

Starting with code 8.3(1), you can also apply one IPv4 and one IPv6 ACL globally, configured with the command access-group global; the global access-list is always interpreted as an inbound ACL. When a global ACL is applied, the implicit deny ip any any rule is removed from every ACL applied inbound on any interface, so that the global ACL gets inspected. Assuming all ACLs are configured, and assuming a packet enters the inside interface and exits the outside interface, the rules are:

-Traffic is matched against the inbound ACL applied on the inside interface. If there is a match, the action is taken; if not, it will match on the default deny ip any any rule unless a global ACL is configured.

-Traffic is matched against the global ACL. If there is a match, the action is taken; if not, it will match on the default deny ip any any rule.

-Traffic is matched against the outbound ACL applied on the outside interface. If there is a match, the action is taken; if not, it will match on the default deny ip any any rule.
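Added example (not from the original post): a small evaluator that follows the three-step order above, including the way the implicit deny moves from the interface ACL to the global ACL once a global ACL exists. The ACEs, packets and addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

def rule(action, proto, src, dst, dport=None):
    """One ACE: action is 'permit' or 'deny'; proto 'ip' matches any protocol."""
    return {"action": action, "proto": proto, "src": ip_network(src),
            "dst": ip_network(dst), "dport": dport}

def matches(r, pkt):
    return (r["proto"] in ("ip", pkt["proto"])
            and ip_address(pkt["src"]) in r["src"]
            and ip_address(pkt["dst"]) in r["dst"]
            and (r["dport"] is None or r["dport"] == pkt["dport"]))

def first_match(acl, pkt):
    """Action of the first matching ACE, or None if nothing matched."""
    for r in acl:
        if matches(r, pkt):
            return r["action"]
    return None

def evaluate(pkt, inbound_acl, global_acl=None, outbound_acl=None):
    """Return (verdict, stage) for a packet entering inside and leaving outside."""
    stage, action = "inbound", first_match(inbound_acl, pkt)
    if action is None:
        # no global ACL: the interface ACL keeps its implicit deny ip any any
        if global_acl is None:
            return ("deny", "inbound-implicit-deny")
        # global ACL configured: the implicit deny now sits behind the global ACL
        stage, action = "global", first_match(global_acl, pkt)
        if action is None:
            return ("deny", "global-implicit-deny")
    if action == "deny":
        return ("deny", stage)
    if outbound_acl is not None:
        out = first_match(outbound_acl, pkt)
        if out != "permit":
            return ("deny", "outbound" if out else "outbound-implicit-deny")
    return ("permit", stage)

# Constructed ACLs and packets (documentation address ranges, not from the post)
INSIDE_IN = [rule("permit", "tcp", "10.1.0.0/16", "0.0.0.0/0", 443)]
GLOBAL_ACL = [rule("permit", "udp", "10.0.0.0/8", "192.0.2.0/24", 53)]
OUTSIDE_OUT = [rule("deny", "tcp", "10.1.5.0/24", "0.0.0.0/0", 443),
               rule("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]
HTTPS = {"proto": "tcp", "src": "10.1.2.3", "dst": "198.51.100.7", "dport": 443}
DNS = {"proto": "udp", "src": "10.1.2.3", "dst": "192.0.2.10", "dport": 53}
BLOCKED = {"proto": "tcp", "src": "10.1.5.9", "dst": "198.51.100.7", "dport": 443}
```

The same DNS packet is permitted by the global ACL when one is configured and dropped by the interface's implicit deny when it is not.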

5) objects

You can define an object-group that mixes protocols (e.g. TCP and UDP) and use it as the protocol specification in an access-list, so you don't need to repeat the port numbers:
object-group service OTHER_PORTS
 service-object tcp destination eq 21
 service-object udp destination eq 123
access-list VLAN29_INBOUND extended permit object-group OTHER_PORTS object-group R2 object-group ALL_DESTINATIONS

6) routing

You can originate a default route, and its metric can be changed with a route-map (default is 1):
route-map RIP_DEFAULT_ROUTE permit 10
 set metric 10
router rip
 default-information originate route-map RIP_DEFAULT_ROUTE
 no auto-summary

7) EIGRP - prefix filtering

I'd like to stop sending a prefix:
access-list EIGRP standard deny 
access-list EIGRP standard permit any 
router eigrp 100
 no auto-summary
 distribute-list EIGRP out

8) NAT

old way:
static (inside,outside) tcp interface 2023 telnet netmask 

new way:
object network TELNET-R
 nat (inside,outside) static interface service tcp telnet 2023 
object network TELNET-R

9) Policy NAT


access-list NAT1 extended permit ip host host 
nat (outside) 1 access-list NAT1 outside
global (inside) 1

object network R1-LO
object network R3-LO
object network R3-LO-N
access-list OUT extended permit ip host host 
nat (outside,inside) source static R3-LO R3-LO-N destination static R1-LO R1-LO


object network R1-LAN
object network R1-LAN-N-POOL
object network R1-LAN-N-POOL-PAT
nat (inside,outside) source dynamic R1-LAN R1-LAN-N-POOL
nat (inside,outside) source dynamic R1-LAN pat-pool R1-LAN-N-POOL-PAT
nat (VLAN19,any) source dynamic R1_LO0_REAL pat-pool PAT_POOL round-robin

asa2(config)# sh run nat
nat (inside) 2 access-list NAT2
asa2(config)# sh run global
global (outside) 2 netmask
global (outside) 2 netmask


Let's assume we accept only telnet requests on port 2023 (the ASA rewrites it to 23) and we want to change the source IP to a global IP (static):

static (outside,inside) tcp 2023 telnet netmask

access-list TELNET1 extended permit tcp host host eq 2023 

nat (inside) 2 access-list TELNET1
global (outside) 2

and I tested it:
telnet 2023
asa2# sh xlate 
2 in use, 3 most used
PAT Global Local 
PAT Global Local 

nat (inside,outside) source dynamic R1-int-R R1-int-N interface service TELNET-2023 TELNET-23

nat (inside,outside) source static R1-lo0-R interface service TELNET-2023 TELNET-23

10) Asymmetric traffic (multicontext)
hostname/ctx(config)# interface phy_if

hostname/ctx(config-if)# asr-group num

11) QOS

Configure priority queuing for shaped VoIP bearer and GETVPN signaling traffic on ASA1:

-GETVPN signaling is defined as GDOI exchange on the default port.
-VoIP bearer traffic is marked with the DSCP value of EF.
-All other traffic should receive best-effort service.
-Adjust traffic-shaping interval to provide minimum delay for VoIP traffic.
class-map VPN
 match port udp eq 848
class-map VOICE
 match dscp ef
policy-map CHILD_POLICY
 class VPN
  priority
 class VOICE
  priority
policy-map SHAPER
 class class-default
  shape average 512000 5120
  service-policy CHILD_POLICY
service-policy SHAPER interface VLAN49

2nd example:
hostname(config)# access-list ike permit udp any any eq 500 
hostname(config)# class-map ike
hostname(config-cmap)# match access-list ike
hostname(config-cmap)# class-map voice_traffic
hostname(config-cmap)# match dscp EF AF13
hostname(config-cmap)# policy-map qos_class_policy
hostname(config-pmap)# class voice_traffic
hostname(config-pmap-c)# priority
hostname(config-pmap-c)# class ike
hostname(config-pmap-c)# priority
hostname(config-pmap-c)# policy-map qos_outside_policy
hostname(config-pmap)# class class-default
hostname(config-pmap-c)# shape average 2000000 16000
hostname(config-pmap-c)# service-policy qos_class_policy
hostname(config-pmap-c)# service-policy qos_outside_policy interface outside

12) MFP - SMTP
regex UNWANTED "(|"
policy-map type inspect esmtp SMTP_INSPECT
   mail-relay action drop-connection
 match invalid-recipients count gt 3
 match sender-address regex UNWANTED
access-list SMTP_SERVER permit tcp any host eq 25
class-map SMTP_SERVER
 match access-list SMTP_SERVER
policy-map VLAN19
  set connection conn-max 100
  set connection embryonic-conn-max 50
  inspect esmtp SMTP_INSPECT
service-policy VLAN19 interface VLAN19

13) MFP - TCP
asa1(config)# tcp-map TEST
asa1(config-tcp-map)# ?

TCP-map configuration commands:
  check-retransmission    Check retransmit data, disabled by default
  checksum-verification   Verify TCP checksum, disabled by default
  default                 Set a command to its defaults
  exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to allow packet
  invalid-ack             Packets with invalid ACK, default is to drop packet
  no                      Negate a command or set its defaults
  queue-limit             Maximum out-of-order packets queued for a connection,
                          default is 0 packets
  reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
  seq-past-window         Packets that have past-window seq numbers, default is
                          to drop packet
  syn-data                TCP SYN packets that contain data, default is to
                          allow packet
  synack-data             TCP SYN-ACK packets that contain data, default is to
                          drop packet
  tcp-options             Options in TCP header
  ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
  urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
  window-variation        Unexpected window size variation, default is to allow

14) MFP - management
class-map type management c1
  match port udp eq radius-acct

policy-map type inspect radius-accounting radius_accounting_map
    host inside key 123456789
    send response
    validate-attribute 26

policy-map type management global_policy
  class c1
    inspect radius-accounting radius_accounting_map

15) SNMP
snmp-map SNMP_VERSION_1
 deny version 1
policy-map global_policy
 class inspection_default
   inspect snmp SNMP_VERSION_1

16) IDENT

Configure ASA1 to quickly terminate the IDENT lookup sessions going from VLAN 49 for TCP sessions initiated by VLAN 59 users. Consider both users translated, using identity mappings, to the outside interface IP address.
service resetinbound
service resetoutside

17) BGP through ASA
class-map BGP
 match port tcp eq 179
tcp-map BGP
 tcp-options range 19 19 allow
policy-map global_policy
 class BGP
  set connection random-sequence-number disable
  set connection advanced-options BGP
