
    Site to site VPN – Monowall and ASA5500

    November 14th, 2011

    This is an example of how to create a site-to-site VPN between Monowall and a Cisco ASA. The Monowall side is set up in its web GUI; the matching ASA configuration follows. The ASA side uses 3DES, MD5 and DH group 2, which are legacy choices today: use AES and SHA-2 where both peers support them, and use a long random pre-shared key, identical on both peers, rather than a word like the one shown.

    Monowall 1.33

    access-list outside_20_cryptomap extended permit ip
    access-list inside_nat0_outbound extended permit ip
    nat (inside) 0 access-list inside_nat0_outbound

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000

    crypto map outside_map 20 match address outside_20_cryptomap
    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 set security-association lifetime seconds 28800
    crypto map outside_map 20 set security-association lifetime kilobytes 4608000
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400

    tunnel-group type ipsec-l2l
    tunnel-group ipsec-attributes
     pre-shared-key securepass
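As an added check that is not part of the original post, the following Python script scans ASA configuration text for the transform-set and ISAKMP policy lines used above and reports legacy algorithms. Both sample configurations embedded in it are constructed: the first reproduces the post's algorithm choices, the second is an assumed hardened equivalent (AES-256, SHA, DH group 14) included to show a clean result. DH group 5 is flagged together with groups 1 and 2.

```python
"""Audit the IKEv1/IPsec algorithm choices in an ASA crypto config.

Added example, not from the original post. It scans config text for the
transform-set and isakmp policy lines and reports legacy algorithms. The
"weak" lists reflect current guidance (DES/3DES, MD5 and DH groups 1/2/5 are
deprecated). HARDENED_CONFIG is an assumed replacement, not the post's config.
"""
import re
from typing import List

# Algorithms considered legacy; keyword spellings are the ASA CLI ones.
WEAK = {
    "encryption": {"des", "3des"},
    "hash": {"md5"},
    "group": {"1", "2", "5"},
    "transform": {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"},
}

# Constructed from the post's lines (peer and ACL addresses are not needed here).
LEGACY_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

# Assumed hardened equivalent (AES-256, SHA, DH group 14); illustrative only.
HARDENED_CONFIG = """\
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
"""


def audit_crypto(config: str) -> List[str]:
    """Return one finding string per legacy algorithm found in *config*."""
    findings = []
    policy = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            name, algs = m.group(1), m.group(2).split()
            for alg in algs:
                if alg in WEAK["transform"]:
                    findings.append(f"transform-set {name}: legacy algorithm {alg}")
            continue
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            policy = m.group(1)          # following lines belong to this policy
            continue
        if policy is None:
            continue
        m = re.match(r"(encryption|hash|group) (\S+)", line)
        if m and m.group(2) in WEAK[m.group(1)]:
            findings.append(f"isakmp policy {policy}: legacy {m.group(1)} {m.group(2)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_crypto(cfg) or "no findings")
```

Run it against `show running-config` output saved to a file; the legacy sample produces five findings (two from the transform-set, three from the ISAKMP policy), the hardened sample none.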

    NAT range of ports on Cisco ASA

    August 11th, 2011

    NAT a range of ports on a Cisco ASA for FTP use.
    In this example the FTP server needs SSL (FTPS) and passive mode. Because the control channel is encrypted, the ASA's FTP inspection cannot read the PASV reply and open the data port dynamically, so a fixed passive range (60000-60015 here, configured on the FTP server as well) has to be published with one static per port.

    object-group service PassiveFTP tcp
     port-object range 60000 60015
    static (inside,outside) tcp interface ftp ftp netmask
    access-list allow_inbound extended permit tcp host host object-group PassiveFTP
    access-list allow_inbound extended permit tcp host interface outside eq ftp

    static (inside,outside) tcp interface 60000 60000 netmask
    static (inside,outside) tcp interface 60001 60001 netmask
    static (inside,outside) tcp interface 60002 60002 netmask
    static (inside,outside) tcp interface 60003 60003 netmask
    static (inside,outside) tcp interface 60004 60004 netmask
    static (inside,outside) tcp interface 60005 60005 netmask
    static (inside,outside) tcp interface 60006 60006 netmask
    static (inside,outside) tcp interface 60007 60007 netmask
    static (inside,outside) tcp interface 60008 60008 netmask
    static (inside,outside) tcp interface 60009 60009 netmask
    static (inside,outside) tcp interface 60010 60010 netmask
    static (inside,outside) tcp interface 60011 60011 netmask
    static (inside,outside) tcp interface 60012 60012 netmask
    static (inside,outside) tcp interface 60013 60013 netmask
    static (inside,outside) tcp interface 60014 60014 netmask
    static (inside,outside) tcp interface 60015 60015 netmask
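Typing one static per port by hand is error-prone, so here is an added Python generator (not from the original post) that emits the object-group, the FTP control-port static and access-list entries, and one static per passive port for any range. The inside server address, the `netmask 255.255.255.255` on each static and the default `any` source are assumed values; the post narrows the source to specific hosts, which the `source` argument reproduces.

```python
"""Generate pre-8.3 ASA config for publishing a passive-FTP port range.

Added example, not from the original post. The inside address passed in,
the 255.255.255.255 netmask on each static and the default "any" source
are assumed values; the post narrows the source to specific hosts, which
the *source* argument ("host 203.0.113.5" etc.) reproduces.
"""
import ipaddress
from typing import List


def passive_ftp_nat(inside_ip: str, first: int, last: int, source: str = "any",
                    group: str = "PassiveFTP", acl: str = "allow_inbound",
                    max_ports: int = 256) -> List[str]:
    """Return the config lines that publish *inside_ip* ports first..last
    (plus the FTP control port) on the outside interface address.

    Raises ValueError for a bad or oversized range: each port costs one
    static entry, so the passive range should stay small.
    """
    ipaddress.IPv4Address(inside_ip)                      # reject garbage early
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"bad port range {first}-{last}")
    if last - first + 1 > max_ports:
        raise ValueError(f"range {first}-{last} exceeds {max_ports} ports")
    mask = "netmask 255.255.255.255"
    lines = [
        f"object-group service {group} tcp",
        f" port-object range {first} {last}",
        f"static (inside,outside) tcp interface ftp {inside_ip} ftp {mask}",
        f"access-list {acl} extended permit tcp {source} interface outside eq ftp",
        f"access-list {acl} extended permit tcp {source} interface outside object-group {group}",
    ]
    # One static per passive port: outside interface:port -> inside_ip:port.
    lines += [f"static (inside,outside) tcp interface {p} {inside_ip} {p} {mask}"
              for p in range(first, last + 1)]
    return lines


if __name__ == "__main__":
    print("\n".join(passive_ftp_nat("192.168.1.20", 60000, 60015,
                                    source="host 203.0.113.5")))
```

Paste the output into configuration mode; the object-group and the access-list entry that references it replace sixteen individual port ACEs.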

    Cisco – Delayed restart

    September 20th, 2010

    If you make an error in an access-list and lose access to the Cisco box, what do you do?
    An easy solution is to restart the box, but then it has to be physically available to you.

    Before you make a risky change, schedule a restart; if everything works out, cancel it. This only helps while the change is unsaved: the reload discards the running configuration and boots the last saved one, so do not write mem until you have confirmed access still works.

    reload in 10
    (Reboot in 10 min)

    reload cancel

    Upgrade IOS on Cisco ASA 5500

    May 12th, 2010

    With the new images already copied to disk0:, point the boot and ASDM image variables at them (then save and reload):

    boot system disk0:/asa831-k8.bin
    asdm image disk0:/asdm-631.bin

    asa icmp reply

    October 13th, 2009

    Without ICMP inspection the ASA does not track outbound pings, so the replies have to be permitted explicitly on the outside interface. These three types are what ping and traceroute from the inside need; inbound echo requests are still not allowed.

    access-list allow_inbound extended permit icmp any any echo-reply
    access-list allow_inbound extended permit icmp any any time-exceeded
    access-list allow_inbound extended permit icmp any any unreachable
    access-group allow_inbound in interface outside

    Block domains on a Cisco ASA

    December 30th, 2008

    You can block domains with a Cisco ASA using HTTP inspection.
    It simply resets HTTP requests whose Host header matches the listed domain names.
    Be aware that the site's IP address can still be reached directly until you deny it in an access-list, and that only plaintext HTTP on the ports in inside_mpc (80 and 8080) is inspected; HTTPS requests are not seen by this policy.

    regex domainlist1 "\.dating\.dk"
    regex domainlist2 "\.facebook\.dk"
    regex domainlist3 "\.facebook\.com"
    access-list inside_mpc extended permit tcp any any eq www
    access-list inside_mpc extended permit tcp any any eq 8080
    class-map type regex match-any DomainBlockList
     match regex domainlist1
     match regex domainlist2
     match regex domainlist3
    class-map type inspect http match-all BlockDomainsClass
     match request header host regex class DomainBlockList
    class-map inspection_default
     match default-inspection-traffic
    class-map httptraffic
     match access-list inside_mpc
    policy-map type inspect http http_inspection_policy
     parameters
      protocol-violation action drop-connection
     match request method connect
      drop-connection log
     class BlockDomainsClass
      reset log
    policy-map inside-policy
     class httptraffic
      inspect http http_inspection_policy
    service-policy inside-policy interface inside

    To block all domains containing the word "facebook" (ex: myfacebook.com), use this pattern instead:

    regex domainlist1 ".*facebook.*"
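To see what each pattern actually catches, here is an added Python check (not from the original post) that runs the post's regexes over constructed Host header values. Python's `re.search` stands in for the ASA regex engine; both look for the pattern anywhere in the header value unless it is anchored. It shows that `\.facebook\.com` does not catch a bare `facebook.com`, that a port suffix in the Host header makes no difference, and that the pattern also fires on names that merely contain `www.facebook.com`.

```python
"""Which HTTP Host header values do the ASA regex classes catch?

Added example, not from the original post. Python's re.search stands in for
the ASA regex engine: both look for the pattern anywhere in the header value
unless the pattern is anchored with ^ or $. The Host values are constructed.
"""
import re
from typing import Dict, List, Optional

# The post's three patterns (class-map type regex match-any DomainBlockList).
DOMAINLIST: Dict[str, str] = {
    "domainlist1": r"\.dating\.dk",
    "domainlist2": r"\.facebook\.dk",
    "domainlist3": r"\.facebook\.com",
}
# The post's broader "contains facebook" variant.
CONTAINS_FACEBOOK: Dict[str, str] = {"domainlist1": r".*facebook.*"}


def matching_regex(host: str, patterns: Dict[str, str]) -> Optional[str]:
    """Name of the first pattern that matches *host* (match-any), else None."""
    for name, pattern in patterns.items():
        if re.search(pattern, host):
            return name
    return None


SAMPLES: List[str] = [
    "www.facebook.com",              # caught by domainlist3
    "www.facebook.com:8080",         # still caught: the port suffix is irrelevant
    "facebook.com",                  # NOT caught: no dot before "facebook"
    "myfacebook.com",                # NOT caught by \.facebook\.com, caught by .*facebook.*
    "www.facebook.com.example.net",  # caught: the pattern is not anchored at the end
]

if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{host:30} strict={matching_regex(host, DOMAINLIST)!s:12} "
              f"contains={matching_regex(host, CONTAINS_FACEBOOK)}")
```

If the bare apex name must be blocked too, a pattern such as `(^|\.)facebook\.com` covers both forms while still avoiding `myfacebook.com`.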

    Allow PPTP through Cisco ASA

    December 29th, 2008

    By default, clients inside a network protected by a Cisco ASA cannot dial up a PPTP connection, because the GRE data stream is not tied to the TCP control connection. Adding PPTP inspection to the global policy fixes that:

    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect pptp
    service-policy global_policy global

    PPTP establishes its control connection on TCP port 1723 and carries the data in GRE (IP protocol 47); the inspection watches the control session and opens the matching GRE flow. Note that PPTP with MS-CHAPv2 is cryptographically broken and should not be relied on for confidentiality.

    Block outgoing emails except from the mail server

    December 8th, 2008

    By default every client on the LAN can act as a mail server, even if you have a "real" mail server. If a hacker steals or compromises one of your client PCs, it can be used to send out spam directly.

    How do you configure the firewall so that only the "real" mail server can send outgoing mail?

    Use an access-list on the inside interface. This controls the outgoing SMTP traffic and allows only one LAN IP to send mail. Order matters, because the ASA takes the first matching entry: the deny must come before the general permit (and the final permit icmp line is already covered by permit ip any any).

    access-list acl_out permit tcp host any eq 25
    access-list acl_out deny tcp any any eq 25
    access-list acl_out permit ip any any
    access-list acl_out permit icmp any any
    access-group acl_out in interface inside
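The access-lists from the ICMP-reply post above and from this one are first-match lists with an implicit deny at the end. The following added Python evaluator (not from the original posts) parses both, decides sample flows, and finds entries that can never match. The address 192.168.1.10 is an assumed stand-in for the post's mail server and the flows are constructed; the `extended` keyword is accepted but optional, as in the older syntax used here.

```python
"""First-match evaluation of PIX/ASA access-lists.

Added example, not from the original posts. The two lists below are the
ones from the ICMP-reply and SMTP posts; 192.168.1.10 stands in for the
mail-server address (an assumed value) and the flows checked are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

Entry = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network, Optional[object]]

ACL_OUT = """\
access-list acl_out permit tcp host 192.168.1.10 any eq 25
access-list acl_out deny tcp any any eq 25
access-list acl_out permit ip any any
access-list acl_out permit icmp any any
"""

ALLOW_INBOUND = """\
access-list allow_inbound extended permit icmp any any echo-reply
access-list allow_inbound extended permit icmp any any time-exceeded
access-list allow_inbound extended permit icmp any any unreachable
"""


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A', or 'A MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")


def parse_acl(text: str) -> List[Entry]:
    """Return (action, proto, src, dst, port-or-icmp-type) tuples in list order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "access-list":
            continue
        tokens = tokens[2:]                      # drop "access-list <name>"
        if tokens[0] == "extended":              # optional in older PIX syntax
            tokens.pop(0)
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _parse_addr(tokens), _parse_addr(tokens)
        port = None
        if tokens and tokens[0] == "eq":
            port = int(tokens[1])                # tcp/udp destination port
        elif tokens and proto == "icmp":
            port = tokens[0]                     # icmp type name
        entries.append((action, proto, src, dst, port))
    return entries


def evaluate(acl: List[Entry], proto: str, src: str, dst: str, port=None) -> Optional[str]:
    """Action of the first matching entry; None is the implicit deny at the end."""
    s_addr, d_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, pt in acl:
        if p != "ip" and p != proto:
            continue
        if s_addr not in s or d_addr not in d:
            continue
        if pt is not None and pt != port:
            continue
        return action
    return None


def shadowed(acl: List[Entry]) -> List[int]:
    """Indexes of entries that can never be reached: an earlier entry already
    matches every flow they would match, whatever its action."""
    unreachable = []
    for i, (_, p, s, d, pt) in enumerate(acl):
        for _, p2, s2, d2, pt2 in acl[:i]:
            if (p2 in ("ip", p) and (pt2 is None or pt2 == pt)
                    and s2.supernet_of(s) and d2.supernet_of(d)):
                unreachable.append(i)
                break
    return unreachable


if __name__ == "__main__":
    acl = parse_acl(ACL_OUT)
    print("mail server -> 25 :", evaluate(acl, "tcp", "192.168.1.10", "203.0.113.25", 25))
    print("other client -> 25:", evaluate(acl, "tcp", "192.168.1.77", "203.0.113.25", 25))
    print("unreachable entries:", shadowed(acl))
```

The `shadowed` check reports index 3 for acl_out, the trailing `permit icmp any any`; swapping the deny below `permit ip any any` would likewise make the deny unreachable and let every client send mail again.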

    Show console log messages in telnet

    June 24th, 2008

    The console shows the system log messages by default.
    To see them in a telnet (or SSH) session as well, use this command:

    terminal monitor

    Configuring Cisco devices to use NTP

    June 11th, 2008

    Point the device at an NTP server, then verify that it synchronizes and that the clock is right:

    ntp server

    sh ntp status
    sh clock

    SSH access – PIX/ASA

    February 24th, 2008

    On PIX 6.x: set a hostname and domain name (the RSA key is named after them), generate the key, allow SSH from the permitted source addresses on the outside interface (the address and mask go before the interface name; keep them as narrow as possible), set the login password, then save the key and the configuration:

    hostname myPIX
    domain-name mydom.dom
    ca gen rsa key 1024
    ssh outside
    ssh timeout 60
    passwd my_code
    ca save all
    write mem

    The ssh timeout is in minutes. A 1024-bit RSA key is weak by today's standards; use 2048 bits or more where the software supports it, and prefer SSH over telnet for management.

    On PIX 7.x / ASA the key is generated with:

    crypto key generate rsa

    To regenerate a key (for example from ASDM's command-line tool), zeroize the old one first:

    crypto key zeroize rsa noconfirm
    crypto key generate rsa noconfirm

    Related show commands:

    show crypto engine
    show crypto ipsec sa

    pm-4-err_disable – the switchport is down

    February 11th, 2008

    If an error occurs on your network, Cisco's enterprise switches will usually shut down (err-disable) the port where the error was detected.
    Even after the cause is fixed, the port stays down until you re-enable it manually.
    The switch can re-enable the port automatically instead; if the root cause is still present, the port is immediately shut down again.

    To check which causes are set to recover, use this command:
    show errdisable recovery

    A cause listed as Disabled means you have to bring the port up manually after that specific error.

    Automatic recovery per cause is enabled with these commands (the default recovery interval is 300 seconds). Think before enabling it for the security-related causes (bpduguard, psecure-violation, security-violation): auto-recovery re-opens a port that was shut because a rogue switch or an unexpected MAC address appeared on it.

    errdisable recovery cause udld
    errdisable recovery cause bpduguard
    errdisable recovery cause security-violation
    errdisable recovery cause channel-misconfig
    errdisable recovery cause pagp-flap
    errdisable recovery cause dtp-flap
    errdisable recovery cause link-flap
    errdisable recovery cause gbic-invalid
    errdisable recovery cause psecure-violation
    errdisable recovery cause dhcp-rate-limit
    errdisable recovery cause unicast-flood
    errdisable recovery cause vmps
    errdisable recovery cause storm-control
    errdisable recovery cause loopback
    errdisable recovery cause sfp-config-mismat

    NAT to local IP

    August 2nd, 2007

    One of the most common tasks is to configure a router to deliver traffic from the Internet to a host on the inside LAN. How is that done on a PIX or ASA?

    Add the static that translates the outside interface address to the inside host.
    static (inside,outside) tcp interface 3389 3389 0 0
    In this example Remote Desktop (port 3389) on the outside interface address is NAT'ed to the inside host.

    If you want to use a different port from the outside, just change the line to
    static (inside,outside) tcp interface 3390 3389 0 0
    Outside port 3390 is then delivered to inside port 3389.

    Now add an access rule that describes who has access. If everyone should have access use this line; for RDP it is much better to replace any with the specific source addresses that need access. On pre-8.3 code the access-list sees the outside (mapped) port, so with the 3390 variant it must say eq 3390.
    access-list allow_inbound permit tcp any interface outside eq 3389

    Finally, apply the new access-list to the outside interface.
    access-group allow_inbound in interface outside

    Clear existing translations so the new static takes effect immediately:
    clear xlate

    More than one public IP on a Cisco ASA

    July 27th, 2007

    What do you do if you have three webservers all listening on port 80 and three public IPs, but only one firewall/router?

    You do not need three routers; with a Cisco ASA it can all be done on that one box.

    1. If an Internet user types 111.222.333.2 he ends up on WEB01, 111.222.333.3 on WEB02 and so on (the addresses are placeholders, not valid IPv4).
    2. Each webserver appears on the Internet with its own public IP.

    All you need per server is a static and an access rule.

    static (inside,outside) <public ip> <local ip>
    access-list allow_inbound permit tcp any host <public ip> eq www

    To follow the example above, just add these lines.

    access-list allow_inbound permit tcp any host 111.222.333.2 eq www
    access-list allow_inbound permit tcp any host 111.222.333.3 eq www
    access-list allow_inbound permit tcp any host 111.222.333.4 eq www

    static (inside,outside) 111.222.333.2
    static (inside,outside) 111.222.333.3
    static (inside,outside) 111.222.333.4
