Windows 7 Keyboard Shortcuts


Look at 6 7 8 for dual monitor!!!!

1. Ctrl+Shift+N to Create a New Folder

2. Ctrl+Shift+Click to Open a Program As Administrator

3. Shift+Right-Click Enhances Send to Menu

4. Shift+Right-Click on a Folder to Open Command Prompt

5. Win+Space to Quickly Show Desktop

6. Win+Up/Down/Left/Right for Moving the Active Window

7. For Dual Monitors: Win+Shift+Left Arrow Key to Move Active Window to Left Monitor

8. For Dual Monitors: Win+Shift+Right Arrow Key to Move Active Window to Right Monitor

9. Win+T to Get to Taskbar Items

10. Shift+Click on a Taskbar App to Open a New Instance of the App

11. Win+B to Move Focus to the System Tray

12. Win+P for Quickly Connecting Your Laptop to a Projector

14. Win+Pause helps you check System Properties

15. Ctrl+Shift+Esc Can Quickly Open Windows Task Manager

Policy NAT on Cisco ASA Firewall

As we know, the conventional NAT functionality on Cisco devices (routers, ASA firewalls, etc.) translates the SOURCE IP address to something else. There is also the so-called "Destination based NAT" (you may also see it referred to as "Reverse NAT"), which changes the destination IP address. Here we will deal with conventional source-based NAT with a policy.




Sometimes we need to change the source IP address to one address (let's call it "translated-A") when we are communicating with "destination-A", and to a different address ("translated-B") when we are communicating with "destination-B".



So, to be clearer, the scenario is the following:





• When internal host 192.168.1.1 wants to communicate with external host 100.100.100.1, then the internal host must be translated to 50.50.50.1

• When the internal host 192.168.1.1 wants to communicate with external host 200.200.200.1, then the internal host must be translated to 50.50.50.2

We can achieve the functionality above with Policy-Based NAT.



Configuration Example:



Assume that the internal host 192.168.1.1 is connected to the inside interface of the ASA, and that we also own the public IP range 50.50.50.0/24. We will use addresses from that public range to translate our internal host according to the destination.



! First create the access lists for the policy NAT

ASA(config)# access-list POLICYNAT-A extended permit ip host 192.168.1.1 host 100.100.100.1

ASA(config)# access-list POLICYNAT-B extended permit ip host 192.168.1.1 host 200.200.200.1



! Now create the static NAT translation for Destination-A

ASA(config)# static (inside,outside) 50.50.50.1 access-list POLICYNAT-A



! Now create the static NAT translation for Destination-B

ASA(config)# static (inside,outside) 50.50.50.2 access-list POLICYNAT-B



The above commands will do the following: When source address is 192.168.1.1 and destination address is 100.100.100.1, then change the source address to 50.50.50.1.



Similarly, when source address is 192.168.1.1 and destination is 200.200.200.1, then change the source address to 50.50.50.2.



The above static NAT commands take effect only when the traffic is between the hosts referenced in the access-lists (in either direction, inbound or outbound).



NAT Overview

The two lists below show where in the packet path NAT performs its translation (local to global, or global to local); the position differs between the two directions of flow.

Inside-to-Outside:
  • If IPSec then check input access list
  • decryption - for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • policy routing
  • routing
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing

Outside-to-Inside:
  • If IPSec then check input access list
  • decryption - for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing

PIX/ASA: Monitor and Troubleshoot

show interface—Shows interface statistics.

show traffic—Shows how much traffic passes through the PIX.

show xlate—Shows the current translations built through the PIX.

show conn—Shows the current connections through the PIX.

642-7627 IPS v7.0 Exam Topics (Blueprint)

Exam Description

The Implementing Cisco Intrusion Prevention System v7.0 (IPS v7.0) exam is associated with the Cisco Certified Security Professional certification. This exam tests a candidate's knowledge and skills needed to deploy Cisco IPS-based security solutions. Successful graduates will be able to reduce risk to the IT infrastructure and applications using Cisco IPS features, and provide detailed operations support for the Cisco IPS. Candidates can prepare for this exam by taking the Implementing Cisco Intrusion Prevention System course.




Exam Topics

The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.


Pre-Production Design



Choose Cisco IPS technologies to implement HLD
Choose Cisco products to implement HLD
Choose Cisco IPS features to implement HLD
Integrate Cisco network security solutions with other security technologies
Create and test initial Cisco IPS configurations for new devices/services




Complex Support Operations



Optimize Cisco IPS security infrastructure device performance
Create complex network security rules, to meet the security policy requirements
Configure and verify the IPS features to identify threats and dynamically block them from entering the network
Maintain, update and tune IPS signatures
Use CSM and MARS for IPS management, deployment, and advanced event correlation.
Optimize security functions, rules, and configuration




Advanced Troubleshooting



Advanced Cisco IPS security software configuration fault finding and repairing
Advanced Cisco IPS sensor and module hardware fault finding and repairing

642-647 VPN v1.0 Exam Topics (Blueprint)

Exam Description

The Deploying Cisco ASA VPN Solutions (VPN v1.0) exam is associated with the CCSP, CCNP Security and Cisco VPN Specialist certifications. This exam tests a candidate's knowledge and skills needed to deploy Cisco ASA-based VPN solutions. Successful graduates will be able to reduce risk to the IT infrastructure and applications using Cisco ASA VPN features, and provide detailed operations support for the Cisco ASA. Candidates can prepare for this exam by taking the Deploying Cisco ASA VPN Solutions course.


Exam Topics

The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.


Pre-Production Design



Choose ASA VPN technologies to implement HLD based on given requirements
Choose the correct ASA model and license to implement HLD based on given performance requirements
Choose the correct ASA VPN features to implement HLD based on given corporate security policy and network requirements
Integrate ASA VPN solutions with other security technology domains (CSD, ACS, Device managers, Cert servers, etc.)




Complex Operations Support



Optimize ASA VPN performance, functions, and configurations
Configure and verify complex ASA VPN networks using features such as DAP, CSD, Smart tunnels, Anyconnect SSLVPN, Clientless SSLVPN, Site-to-Site VPN, RA VPN, certificates, QOS, etc. to meet security policy requirements.
Create complex ASA network security rules using such features as ACLs, DAP, VPN profiles, certificates, MPF, etc, to meet the corporate security policy




Advanced Troubleshooting

Perform advanced ASA VPN configuration and troubleshooting

642-637 SECURE v1.0 Exam Topics (Blueprint)

Exam Description

The 642-637 Secure v1.0 Securing Networks with Cisco Routers and Switches exam is associated with the CCSP, and CCNP Security certifications. This exam tests a candidate's knowledge and skills needed to secure Cisco IOS Software router and switch-based networks, and provide security services based on Cisco IOS Software. Candidates can prepare for this exam by taking the Securing Networks with Cisco Routers and Switches course.


Exam Topics

The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.


Pre-Production Design

Choose Cisco IOS technologies to implement HLD

Choose Cisco products to implement HLD

Choose Cisco IOS features to implement HLD
Integrate Cisco network security solutions with other security technologies
Create and test initial Cisco IOS configurations for new devices/services

Complex Operations Support



Optimize Cisco IOS security infrastructure device performance
Create complex network security rules to meet the security policy requirements
Optimize security functions, rules, and configuration
Configure & verify NAT to dynamically mitigate identified threats to the network
Configure & verify IOS Zone Based Firewalls including advanced application inspections and URL filtering
Configure & verify the IPS features to identify threats and dynamically block them from entering the network
Maintain, update and tune IPS signatures
Configure & verify IOS VPN features
Configure & verify Layer 2 and Layer 3 security features


Advanced Troubleshooting

Advanced Cisco IOS security software configuration fault finding and repairing
Advanced Cisco routers and switches hardware fault finding and repairing

642-617 Deploying Cisco ASA Firewall Solutions Exam Topics (Blueprint)

Exam Description

The 642-617 Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0) exam is associated with the CCSP, CCNP Security and Cisco Firewall Specialist certifications. This exam tests a candidate's knowledge and skills needed to implement and maintain Cisco ASA-based perimeter solutions. Successful graduates will be able to reduce risk to the IT infrastructure and applications using Cisco ASA features, and provide detailed operations support for the Cisco ASA. Candidates can prepare for this exam by taking the Deploying Cisco ASA Firewall Solutions course.


Exam Topics

The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.


Pre-Production Design

Choose ASA Perimeter Security technologies/features to implement HLD based on given security requirements
Choose the correct ASA model to implement HLD based on given performance requirements
Create and test initial ASA appliance configurations using CLI
Determine which ASA licenses will be required based on given requirements

Complex Operations Support

Optimize ASA Perimeter Security features performance, functions, and configurations

Create complex ASA security perimeter policies such as ACLs, NAT/PAT, L3/L4/L7 stateful inspections, QoS policies, cut-thru proxy, threat detection, botnet detection/filter using CLI and/or ASDM

Perform initial setup on the AIP-SSM and CSC-SSM using CLI and/or ASDM

Configure, verify and troubleshoot High Availability ASAs (A/S and A/A FO) operations using CLI and/or ASDM

Configure, verify and troubleshoot static routing and dynamic routing protocols on the ASA using CLI and/or ASDM

Configure, verify and troubleshoot ASA transparent firewall operations using CLI

Configure, verify and troubleshoot management access/protocols on the ASA using CLI and/or ASDM

Describe Advanced Troubleshooting

Advanced ASA security perimeter configuration/software/hardware troubleshooting (fault finding and repairing) using CLI and/or ASDM

ASA packet-tracer

Use the packet-tracer option.

From previous sections, the ASA administrator has learned enough information to use the packet-tracer option in the ASA.

Note: The ASA supports the packet-tracer command starting in version 7.2.

ciscoasa#packet-tracer input inside tcp 192.168.1.50 1025 172.22.1.1 http

!- This line indicates a source port of 1025. If the source
!- port is not known, any number can be used.
!- More common source ports typically range
!- between 1025 and 65535.

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.22.1.0 255.255.255.0 outside

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit tcp 192.168.1.0 255.255.255.0 any eq www
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
match ip inside 192.168.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (172.22.1.254)
translate_hits = 6, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.1.50/1025 to 172.22.1.254/1028
using netmask 255.255.255.255

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
match ip inside 192.168.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (172.22.1.254)
translate_hits = 6, untranslate_hits = 0
Additional Information:

Phase: 10
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 94, packet dispatched to next module

Phase: 15
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 172.22.1.1 using egress ifc outside
adjacency Active
next-hop mac address 0030.a377.f854 hits 11

!- The MAC address is at Layer 2 of the OSI model.
!- This tells the administrator the next host
!- that should receive the data packet.


Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

The most important output of the packet-tracer command is the last line, which is Action: allow.

The three options in Step 3 each show the administrator that the ASA is not responsible for the application X issues. The application X traffic leaves the ASA and the ASA does not receive a reply from the application X server.
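As an added helper (not part of the Cisco document above), the following Python parser reads this phase-by-phase packet-tracer output and reports the final Action together with the first phase whose Result is not ALLOW, which is what an operator scans a long trace for. The embedded transcript is constructed and shortened, and includes an ACL drop so the failure case is exercised.

```python
import re

# "Phase: N" opens a phase block; the other keys carry their value on one line.
PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason):\s*(.*)$")

# Constructed, shortened transcript in the layout shown above, with an ACL
# drop in phase 2 (made up for the example, not from the page or a device).
SAMPLE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_acl in interface inside
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return {'phases': [...], 'action': str, 'drop_reason': str or None};
    each phase dict holds number, type, subtype, result, config and info lines."""
    out = {"phases": [], "action": None, "drop_reason": None}
    current = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!-"):      # blanks and !- commentary
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            out["phases"].append(current)
            section = None
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "action":
                out["action"] = value
            elif key == "drop-reason":
                out["drop_reason"] = value
            elif key == "result" and not value:
                current = section = None          # bare "Result:" opens the summary
            elif current is not None:
                current[key] = value
            continue
        if line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif current is not None and section is not None:
            current[section].append(line)
    return out


def first_drop(parsed):
    """The first phase whose Result is not ALLOW, or None if every phase allowed."""
    for p in parsed["phases"]:
        if p["result"].upper() != "ALLOW":
            return p
    return None


def summarize(text):
    """One-line verdict: the final Action plus where and why a drop happened."""
    parsed = parse_packet_tracer(text)
    drop = first_drop(parsed)
    if drop is None:
        return "%s after %d phase(s)" % (parsed["action"], len(parsed["phases"]))
    return "%s in phase %d (%s): %s" % (parsed["action"], drop["phase"],
                                         drop["type"], parsed["drop_reason"])
```

Calling summarize(SAMPLE) yields the verdict line; feed it the saved output of a real packet-tracer run in the same way.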

Pix ASA Debug icmp

Debug

The debug icmp trace command is used to capture the ICMP traffic of the user.

ciscoasa#debug icmp trace

The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed on the console.

ciscoasa#

!- Output is suppressed.

ICMP echo request from 192.168.1.50 to 192.168.1.1 ID=512 seq=5120 len=32
ICMP echo reply from 192.168.1.1 to 192.168.1.50 ID=512 seq=5120 len=32

!- The user IP address is 192.168.1.50.

In order to disable debug icmp trace, use one of these commands:

no debug icmp trace

undebug icmp trace

undebug all, Undebug all, or un all

Each of these three options helps the administrator to determine the source IP address. In this example, the source IP address of the user is 192.168.1.50. The administrator is ready to learn more about application X and determine the cause of the problem.

ASA Capture Feature

The administrator needs to create an access-list that defines what traffic the ASA needs to capture. After the access-list is defined, the capture command incorporates the access-list and applies it to an interface.

ciscoasa(config)#access-list inside_test permit icmp any host 192.168.1.1
ciscoasa(config)#capture inside_interface access-list inside_test interface inside

The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed.

ciscoasa#show capture inside_interface
1: 13:04:06.284897 192.168.1.50 > 192.168.1.1: icmp: echo request

!- The user IP address is 192.168.1.50.

Note: To download the capture file to a system running a packet analyzer such as Ethereal, use the URL format shown here.


!- Open an Internet Explorer and browse with this https link format:

https://[ (pix_ip) / (asa_ip) ]/capture/(capture name)/pcap

Refer to ASA/PIX: Packet Capturing using CLI and ASDM Configuration Example in order to know more about Packet Capturing in ASA.

Pix ASA Basic Syslog logging

Basic Syslog

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Use these commands to enable logging, view logs, and view configuration settings.

logging enable—Enables the transmission of syslog messages to all output locations.

no logging enable—Disables logging to all output locations.

show logging—Lists the contents of the syslog buffer and the current logging configuration.

PIX can send syslog messages to various destinations. Use the commands in these sections to specify the location to which messages should be sent:
Internal Buffer

logging buffered severity_level

External software or hardware is not required when you store the syslog messages in the PIX internal buffer. Use the show logging command to view the stored syslog messages.
Syslog Message Server

logging host interface_name ip_address [tcp[/port] | udp[/port]] [format emblem]

logging trap severity_level

logging facility number

A server that runs a syslog application is required in order to send syslog messages to an external host. PIX sends syslog on UDP port 514 by default.
E-mail Address

logging mail severity_level

logging recipient-address email_address

logging from-address email_address

smtp-server ip_address

An SMTP server is required when you send the syslog messages in e-mails. Correct configuration on the SMTP server is necessary in order to ensure that you can successfully relay e-mails from the PIX to the specified e-mail client.
Console

logging console severity_level

Console logging enables syslog messages to display on the PIX console (tty) as they occur. Use this command when you debug problems or when there is minimal load on the network. Do not use this command when the network is busy as it can degrade performance.
Telnet/SSH Session

logging monitor severity_level

terminal monitor

Logging monitor enables syslog messages to display as they occur when you access the PIX console with Telnet or SSH.
ASDM

logging asdm severity_level

ASDM also has a buffer that can be used to store syslog messages. Use the show logging asdm command in order to display the content of the ASDM syslog buffer.
SNMP Management Station

logging history severity_level

snmp-server host [if_name] ip_addr

snmp-server location text

snmp-server contact text

snmp-server community key

snmp-server enable traps

Users need an existing functional Simple Network Management Protocol (SNMP) environment in order to send syslog messages using SNMP.

Refer to Commands for Setting and Managing Output Destinations for a complete reference on the commands you can use to set and manage output destinations.

Refer to Messages Listed by Severity Level for messages listed by severity level.
Example 1

This output shows a sample configuration for logging to the internal buffer with the severity level of debugging.

logging enable

logging buffered debugging

This is sample output.

%PIX|ASA-6-308001: console enable password incorrect for number tries (from 10.1.1.15)

Router TERMINAL CONTROLS

Config# terminal editing – allows for enhanced editing commands
Config# terminal monitor – shows output on telnet session
Config# terminal ip netmask-format hexadecimal|bit-count|decimal – changes the format of subnet masks

ASA/PIX Order of Operations and packet flow



====================
Packet Flow Sequence
====================
PIX/ASA - Inside (Higher Sec_Lev) to Outside (Lower SEC_Level)

Eg. Type - [Sub-Type] - Description
1. FLOW-LOOKUP - [] - Check for existing connections, if none found create a
new connection.
2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL Lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [] - xlate
7. NAT - [host-limits] -
8. IP-OPTIONS - [] -
9. FLOW-CREATION - [] - If everything passes up until this point a connection
is created.
10. ROUTE-LOOKUP - [output and adjacency] -

Much thanks to Joshua Walton for forwarding this info over to me - handy reference:



PIX/ASA - VPN - Inside (Higher Sec_Lev) to Outside (Lower SEC_Level)

Eg. Type - [Sub-Type] - Description
1. FLOW-LOOKUP - [] - Check for existing connections, if none found
create a
new connection.
2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL Lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [] - xlate
7. NAT - [host-limits] -
8. VPN - [encrypt] -
9. VPN - [ipsec-tunnel-flow] -
10. IP-OPTIONS - [] -
11. FLOW-CREATION - [] - If everything passes up until this point a
connection
is created.
12. FLOW-LOOKUP - [] - On the new header
13. ACCESS-LIST - [] - On the new header
14. FLOW-CREATION - [] -
15. ROUTE-LOOKUP - [output and adjacency]



ASA/PIX - Outside (Lower SEC_Level) to Inside (Higher Sec_Lev)

1. FLOW-LOOKUP - [] - Check for existing connections, if none found
create a
new connection.
2. UN-NAT - [static] -
3. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
4. ACCESS-LIST - [log] - ACL Lookup
5. CONN-SETTINGS - [] - class-map, policy-map, service-policy
6. IP-OPTIONS - [] -
7. NAT - [rpf-check] -
8. NAT - [host-limits] -
9. IP-OPTIONS - [] -
10. FLOW-CREATION - [] - If everything passes up until this point a
connection
is created.
11. ROUTE-LOOKUP - [output and adjacency] -

=========================================================
Cisco Order of NAT Commands Used to Match Local Addresses
=========================================================
The security appliance matches real addresses to NAT commands in the following order:

1. NAT exemption (nat 0 access-list) [Inbound or Outbound] - In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.

2. Static NAT and Static PAT (regular and policy) (static) [Inbound or Outbound] - In order, until the first match. Static identity NAT is included in this category.

3. Policy dynamic NAT (nat access-list) [Inbound or Outbound] - In order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT (nat) [Outbound Only] - Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the security appliance.

If you configure multiple global statements on the same NAT ID, the global statements are used in this order:

1. No global if using nat 0 (identity NAT).

2. Dynamic NAT global.

3. PAT global.
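To tie the matching order above to the policy NAT example earlier on the page, here is an added Python model (not Cisco code) of how a pre-8.3 ASA picks the NAT statement for a given source and destination: categories 1 to 3 are first-match in configured order, category 4 is best match by longest mask. The rule objects, the mapped addresses for the dynamic rules, and the destination 198.51.100.5 are constructed for the example.

```python
"""Model of the NAT command matching order on a pre-8.3 ASA/PIX (static /
nat / global syntax). Added illustration; the rule objects simplify the
real CLI and are not a Cisco data structure."""
import ipaddress

# Category ranks in the order the appliance consults them (from the text).
EXEMPTION, STATIC, POLICY_DYNAMIC, REGULAR_DYNAMIC = 1, 2, 3, 4


class NatRule:
    """One NAT statement. 'real' is the local network the rule covers;
    'dest' (optional) is the policy ACL destination; 'mapped' is the
    translated address, or None for exemption/identity (no change)."""

    def __init__(self, category, real, mapped=None, dest=None, name=""):
        self.category = category
        self.real = ipaddress.ip_network(real, strict=False)
        self.dest = ipaddress.ip_network(dest, strict=False) if dest else None
        self.mapped = mapped
        self.name = name

    def matches(self, src, dst):
        src_ok = ipaddress.ip_address(src) in self.real
        dst_ok = self.dest is None or ipaddress.ip_address(dst) in self.dest
        return src_ok and dst_ok


def select_rule(rules, src, dst):
    """Return the rule the appliance would apply, or None if no NAT applies.
    Categories 1-3: first match in configured order. Category 4: best match,
    i.e. the matching rule with the longest mask, regardless of order."""
    for cat in (EXEMPTION, STATIC, POLICY_DYNAMIC):
        for rule in rules:
            if rule.category == cat and rule.matches(src, dst):
                return rule
    candidates = [r for r in rules
                  if r.category == REGULAR_DYNAMIC and r.matches(src, dst)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.real.prefixlen)


def translate(rules, src, dst):
    """Source address after NAT for a packet src -> dst."""
    rule = select_rule(rules, src, dst)
    if rule is None or rule.mapped is None:
        return src              # no NAT, or exemption/identity: unchanged
    return rule.mapped


# Constructed rule set: the page's two policy statics (POLICYNAT-A/B), plus
# the general "translate everything" dynamic rule and the more specific
# 10.1.1.1 rule from the best-match discussion. The mapped addresses for the
# two dynamic rules are made up for the example.
RULES = [
    NatRule(STATIC, "192.168.1.1/32", "50.50.50.1", dest="100.100.100.1/32",
            name="static POLICYNAT-A"),
    NatRule(STATIC, "192.168.1.1/32", "50.50.50.2", dest="200.200.200.1/32",
            name="static POLICYNAT-B"),
    NatRule(REGULAR_DYNAMIC, "0.0.0.0/0", "203.0.113.10", name="nat all"),
    NatRule(REGULAR_DYNAMIC, "10.1.1.1/32", "203.0.113.11", name="nat 10.1.1.1"),
]

if __name__ == "__main__":
    for src, dst in [("192.168.1.1", "100.100.100.1"),
                     ("192.168.1.1", "200.200.200.1"),
                     ("192.168.1.1", "198.51.100.5"),
                     ("10.1.1.1", "198.51.100.5")]:
        rule = select_rule(RULES, src, dst)
        print(f"{src} -> {dst}: {rule.name}, source becomes "
              f"{translate(RULES, src, dst)}")
```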

==================
Rules to implement
==================


===============================
Checked the routes [show route]
===============================


===================================================
Checked the interface security levels [show nameif]
===================================================

# Note the flow of traffic
-----------------------------------------------------------------------------------------
Traffic is going from lower/higher to lower/higher security level
-----------------------------------------------------------------------------------------

=======================================================
Checked the latest access-group [show run access-group]
=======================================================


# Check the current ACLs and determine what rules need to be added; add an explanation below and in the box(es) place the rules to be added
------------------------------------------------------------------------------------

------------------------------------------------------------------------------------

======================================================================================
Check for any existing rules that might already be in place [show access-list acl_xxx]
======================================================================================


=================================================
Checked the NATS [show run static] [show run nat]
=================================================


# Check the current NATs and determine what needs to be added; add an explanation below and in the box(es) place the NATs to be added
--------------------------------------------------------------------------------------

--------------------------------------------------------------------------------------

===========================================================================================
Back up and save config [write mem] [write net :FWxxxxxx-YYYYMMDD--.cfg]
===========================================================================================


================================
Added the following to
================================


incremented the acl to
--------------------------------


Removed old acl's [clear configure access-list ]
---------------------------------------------------------
# Keep a maximum of 3 backup acl's, the current one plus three more.


===========================================================================================
Back up and save config [write mem] [write net :FWxxxxxx-YYYYMMDD--.cfg]
===========================================================================================