Migrating ASA NAT Exemption Configuration

NAT exemptions are often required when a single ASA appliance is performing NAT and terminating VPN connections. In ASA configurations prior to 8.3 and 8.4, NAT exemptions were configured with “nat 0 access-list <acl name>” and a related access-list.

ASA L2L VPN Spoke to Spoke Communication

It seems like some of the more challenging things to do on an ASA involve some sort of traffic being redirected out the same interface it was received on. This article addresses the requirement for spoke to hub to spoke communication for LAN to LAN VPNs. This is less efficient and should not be used when there are massive amounts of traffic between two spokes. However, if your design requires fewer peers, a more compact configuration and you prefer a simple solution, this article can help you achieve those goals. Although this article specifically addresses the LAN to LAN VPN type, the methods used here can work with other types of VPNs as well (e.g. AnyConnect and IPSec Remote Access).

No SSH After Upgrading to 8.4

There are several changes when an ASA is upgraded from 8.2 to 8.4(2). The most notable of these are the ones dealing with the syntax of the NAT configuration. However, there is another gotcha that you might not be expecting. SSH will no longer work with the default username of “pix” like it did prior to the upgrade. This article addresses the simple configuration task of rectifying this issue. Ideally, these tasks would be performed prior to an upgrade to avoid the loss of remote connectivity.

Typical NAT/PAT Configuration Comparison for ASA 8.4

A little while back, I posted an article that took a very simple ASA configuration and migrated it to 8.4. This article takes it a step further and focuses on NAT and PAT, as well as the related access control list changes. This only addresses typical static and dynamic source address translation scenarios. Policy-based NAT and DMZ configuration will be addressed in future articles. This is an area of significant change in ASA 8.4.

ASA VPN with Address Overlap

More and more, the Internet is being used as a connection to business partners. Typically this requires building an IPSec tunnel between two VPN-capable endpoints. For me the device of choice is the Cisco ASA. Since we are connecting to a business partner, we likely have no choice of device on the other end. Furthermore, since we are connecting to an already established network there could be issues with IP address overlap. In this article, we address the configuration of a VPN with IP address overlap.

How Many Different Passwords Will Your Bank Accept?

Do you use upper and lower case letters in your Internet Banking passwords in an attempt to achieve additional security? What if I told you that in many cases it did not even matter? The FFIEC (Federal Financial Institutions Examination Council) rightly makes the claim that upper and lower case characters in the password provide a stronger defense against password cracking programs (see citation below). The math suggests that using upper and lower case characters increases the entropy, and thus the password strength, by a factor of 26 for each character used in the password. The problem is that many Internet Banking sites do not enforce the original case.

Deep or Wide for 2012?

With the new year here, many make New Year's resolutions regarding health, family, religion or their career. Technology is a particularly interesting area of study and career for many reasons. One challenge is trying to determine whether to be a niche subject matter expert (SME) or an individual that seems to know something about everything in the field. I have personally struggled with the challenge of going deep into a single area of technology or continuing down the broad path that seems to be conducive to the type of work I do.

How to Upgrade a Basic ASA Configuration to 8.4

The Cisco ASA has gone through a few major evolutions regarding its functionality and configuration. Version 8.4 (as well as version 8.3) also results in major changes in some aspects of the configuration syntax. This article is the first in a series that will compare and contrast the configuration of the more familiar 8.2 syntax to that of the now available 8.4. This particular article starts out with the simplest possible ASA 8.2 configuration and looks at the upgrade process. After the upgrade is complete, the post-upgrade configuration is compared to the pre-upgrade configuration.