If you made an error in an access list and can no longer reach the Cisco box, what do you do?
An easy solution is to restart the box, but then it has to be physically available to you.
Before you make changes, schedule a restart; if everything works out, cancel the restart.
access-list allow_inbound extended permit icmp any any echo-reply
access-list allow_inbound extended permit icmp any any time-exceeded
access-list allow_inbound extended permit icmp any any unreachable
access-group allow_inbound in interface outside
By default you can block domains with a Cisco ASA.
It simply blocks the DNS domain names the user types (matched against the HTTP Host header).
Be aware that the IP address (ex: http://80.80.80.80) can still be accessed until you deny it in an access-list.
regex domainlist1 "\.dating\.dk"
regex domainlist2 "\.facebook\.dk"
regex domainlist3 "\.facebook\.com"
!
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080
!
class-map type regex match-any DomainBlockList
match regex domainlist1
match regex domainlist2
match regex domainlist3
!
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
class-map httptraffic
match access-list inside_mpc
!
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection <— XX
match request method connect
drop-connection log
class BlockDomainsClass
reset log
!
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
!
service-policy inside-policy interface inside
Block all domains containing the word "facebook", ex: myfacebook.com
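To see which Host headers the three regexes above actually catch, here is an added example (not part of the original page) that applies them with Python's re module the way the match-any class-map does: a host is blocked if any pattern matches anywhere in the header. CONTAINS_FACEBOOK is an assumed pattern for the "any domain containing facebook" case.

```python
import re

# The page's three ASA regexes (domainlist1..3), written as Python patterns.
# ASA searches the Host header for the pattern; no anchors, escaped dots.
DOMAIN_BLOCK_LIST = [
    r"\.dating\.dk",
    r"\.facebook\.dk",
    r"\.facebook\.com",
]

# Assumed pattern for "block every domain containing the word facebook".
CONTAINS_FACEBOOK = r"facebook"


def host_is_blocked(host, patterns=DOMAIN_BLOCK_LIST):
    """Mimic 'class-map type regex match-any': blocked if ANY pattern matches.

    Patterns are applied as written (no case folding), like the ASA does.
    """
    return any(re.search(p, host) for p in patterns)


def classify_requests(hosts, patterns=DOMAIN_BLOCK_LIST):
    """Return {host: 'reset' | 'allow'}, mirroring the 'reset log' action
    that the policy-map applies to BlockDomainsClass."""
    return {h: ("reset" if host_is_blocked(h, patterns) else "allow")
            for h in hosts}
```

Note the gap the leading `\.` leaves: a bare Host header of `facebook.com` (no `www.`) does not match `\.facebook\.com`, so only the apex-less hostnames are blocked.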
By default, clients inside a network protected by a Cisco ASA cannot dial up with a PPTP connection.
But if you add this to the configuration, they can.
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect pptp
!
service-policy global_policy global
———-
PPTP uses IP protocol 47 (Generic Routing Encapsulation / GRE) for data.
Connections are established on port 1723.
By default all clients on the LAN can act as a mail server. Maybe you have a "real" mail server. Now a hacker steals one of your client PCs and uses it to send out SPAM.
How do you configure the firewall so only the "real" mail server can send out emails?
You do it with an access-list on the inside interface. This way you control the outgoing SMTP traffic and allow only one LAN IP to send out emails.
access-list acl_out permit tcp host 10.0.0.2 any eq 25
access-list acl_out deny tcp any any eq 25
access-list acl_out permit ip any any
access-list acl_out permit icmp any any
access-group acl_out in interface inside
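The order of those four lines is what makes the rule work: the PIX/ASA stops at the first matching entry. Here is an added example (not from the original page) that evaluates constructed copies of the acl_out entries first-match style, so you can check that only 10.0.0.2 gets port 25 and see what happens if `permit ip any any` were placed first. The destination addresses are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed copy of the page's acl_out: (action, protocol, src, dst, dport).
ACL_OUT = [
    ("permit", "tcp",  "10.0.0.2/32", "0.0.0.0/0", 25),
    ("deny",   "tcp",  "0.0.0.0/0",   "0.0.0.0/0", 25),
    ("permit", "ip",   "0.0.0.0/0",   "0.0.0.0/0", None),
    ("permit", "icmp", "0.0.0.0/0",   "0.0.0.0/0", None),
]

# Same entries with 'permit ip any any' moved to the top (a common mistake).
MISORDERED = [ACL_OUT[2], ACL_OUT[0], ACL_OUT[1], ACL_OUT[3]]


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; returns (action, index) or the implicit deny."""
    for idx, (action, aproto, asrc, adst, aport) in enumerate(acl):
        if aproto != "ip" and aproto != proto:      # 'ip' covers every protocol
            continue
        if ip_address(src) not in ip_network(asrc):
            continue
        if ip_address(dst) not in ip_network(adst):
            continue
        if aport is not None and aport != dport:    # 'eq 25' style port match
            continue
        return action, idx
    return "deny", None                             # implicit deny at the end


def check_smtp_restriction(acl, mail_server, dst="198.51.100.25"):
    """True if only mail_server may reach port 25 while other traffic still flows."""
    mail_ok, _ = evaluate(acl, "tcp", mail_server, dst, 25)
    other_smtp, _ = evaluate(acl, "tcp", "10.0.0.77", dst, 25)
    other_web, _ = evaluate(acl, "tcp", "10.0.0.77", dst, 80)
    return mail_ok == "permit" and other_smtp == "deny" and other_web == "permit"
```

Running an ICMP packet through ACL_OUT shows it hits entry 2 (`permit ip any any`), so the final `permit icmp any any` line is never reached and could be dropped.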
PIX
hostname myPIX
domain-name mydom.dom
ca gen rsa key 1024
ssh 123.123.123.123 255.255.255.255 outside
ssh timeout 60
passwd my_code
ca save all
write mem
If an error occurs on your network, the professional series of Cisco switches will probably shut down the network port where the error is detected.
Even after the error on the network is corrected, the port stays down. You have to enable it manually.
The switch can also re-enable the port automatically. If the root cause on the network remains, the port is immediately shut down again.
To check the configuration, use this command:
show errdisable recovery
If a cause shows as disabled, you have to activate the port manually after that specific error has occurred.
Recovery can be made automatic for all causes with these commands:
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause loopback
errdisable recovery cause sfp-config-mismat
One of the most common tasks is to configure a router to deliver traffic from the outside Internet to the inside LAN. How is that done on a PIX or ASA?
1. Add the basic NAT rule that makes NAT from the outside work.
static (inside,outside) tcp interface 3389 192.168.0.10 3389 255.255.255.255 0 0
In this example Remote Desktop (port 3389) is NATed to 192.168.0.10.
If you want to use a different port on the outside, just change the line to
static (inside,outside) tcp interface 3390 192.168.0.10 3389 255.255.255.255 0 0
Port 3390 is then delivered to 192.168.0.10:3389.
2. Now add an access rule that describes who has access. If everyone should have access, use this line:
access-list allow_inbound permit tcp any interface outside eq 3389
3. Finally, activate the new access-list on the outside interface.
access-group allow_inbound in interface outside
What do you do if you have three webservers all listening on port 80 and three public IPs, but only one firewall/router?
You do not need three routers; if you have a Cisco ASA it can all be done on that.
1. If an Internet user types 111.222.333.2 he ends up on WEB01, 111.222.333.3 ends up on WEB02, and so on.
2. All the webservers appear on the Internet with their own public IP.