The Packet University

I posted a couple of questions to Twitter this morning as both a challenge and a learning experience for myself and others. 

These two questions were as follows:

1. How does the ASA in transparent mode know which interface remote networks should be reached through?
2. What is permitted at layer 2 disregarding- layer 3 restrictions?

In addition, I’d like to pose one more question:

1. In what case does the ASA in Transparent mode drop the first packet?

I promised an answer, but Twitter just didn’t allow enough characters to describe the behavior well.  First of I have always assumed that the ASA in transparent mode acted like a bridge.  In other words if a frame was received at interface A, it must be destined to interface B.  While that seems logical, that is incorrect.  The ASA has a CAM table like a switch, but does not behave the same way as a switch when an entry is missing.  On a CAM miss, a switch floods the frames out all ports except the port the frame arrived on.  When the ASA has a CAM table miss, it does not flood the traffic.

The Cisco ASA has some interesting characteristics when dealing with traceroute.  With most traffic, including ICMP echo, outbound traffic can be inspected to allow the incoming traffic associated with the same flow.  Inspecting “ICMP” or even “ICMP Error” does not result in traceroute functioning through the ASA. 

Quick Tips 8/4/09--Zone based firewalls.

Zone based firewalls are incredibly flexible, but with flexibility comes complexity.

When inspecting, there is a process that is used to determine what type of inspection should be performed on a flow.

When inspecting keep in mind how the match will influence the inspection.  When a flow is analyzed against the class-map, it will be inspected based on what criteria is matched when there is enough information to arrive at a positive match.

match only access-group -- inspect based on PAM table

match not protocol -- inspect based on PAM table

match protocol tcp -- inspect tcp even if a L7 inspect exist

As most who follow this blog or my twitter account know, I am in pursuit of CCIE Security and plan to clear the v3 lab soon.  The purpose of this blog entry is a repository for two or three line "quick tips" that may help others pass their lab.  Explanations will not be well polished, but if you are also pursuing the lab, these will make sense.  Some you may already be familiar with, others you may not.  If you want to add to the list, please use the comment feature below.  Check back often as there will be new items added very regularly.  The most recent version will always be at the PacketU main page.

Quick Tips for 7/31/09

clear configure <section>--ASA commands to bulk remove sections of configuration

default <section>--IOS command to return a configuration to its default.  "NO" is not always the default.

test aaa--allows a quick and easy test of AAA servers from the ASA or IOS. 

test regex--the ASA has a test Regex that might come in useful for testing expressions used anywhere in the lab.