Cisco ASA – ‘access-group’ Warning
KB ID 0001035 Problem I’ve been writing Cisco ASA walkthroughs for years, and littered all over PeteNetLive you will see me warning readers every time I use access-group commands. So I’ve finally got round to putting this article up so I can reference it in future. What is an Access-Group command? You use an access-group command to apply an access-list to an interface, in a particular direction (in or out). Although I...
Cisco ASA – Policy NAT
KB ID 0001042 Problem I’ve been working on a large firewall deployment for a client; each of their DMZs has both a production and a management network. Nothing particularly strange about that, but each of their DMZs has its own firewalled management network and it’s routable from the LAN. So if I’m an admin and I want to talk to a Linux appliance in their DMZ via its management interface, my traffic...
Cisco ASA – ‘Prove it’s Not The Firewall!’
KB ID 0001049 Problem Yeah, it’s funny because it’s true! The article title might not sound like the most professional approach, but when the ‘Well it’s not working now’ finger gets pointed at the ‘firewall guy/girl’, they need to ascertain two things: 1. Is the problem actually the firewall? If not, then help the frustrated party track down the actual problem. 2. If your problem IS the...
Cisco ASA – View The Contents of an Object and Object-Group
KB ID 0001043 Problem My colleague loves the ASDM; I put up with it and prefer the command line. We were troubleshooting a problem the other day and he said, “There, this is why I prefer the ASDM, just ‘hover’ over an object-group and it will show you the contents of it.” Now if (like my test firewall above) you only have a few hosts, then I don’t see the point, but if you have a very complicated config with hundreds of...
Cisco ASA – Disable SSLv3 (Force TLSv1.0) – Mitigate POODLE
KB ID 0001052 Problem By default the Cisco ASA will allow connections via SSLv3. The POODLE exploit works by forcing SSL to fall back to SSLv3 and then decrypting that communication. However, you are still not completely protected as per this Threat Validation, so the ASA platform can still be attacked via TLSv1.0. Note: At time of writing TLSv1.2 is not supported, but it is on the road-map for version 9.3(2). So this procedure will not...