Jul 27, 2010

Debugging interface status on failover pairs

Should static routes interfere with the operation of ASA/PIX failover pairs? I don't think so. However, it is possible, so I'm going to describe a scenario where that issue can happen.

Jul 24, 2010

Simplifying ACEs using object-groups

In this post I will present a simplification for implementing an ACE using object-groups. It is not described in the ASA/PIX command reference, only in a configuration example in the configuration guide on the Cisco portal.
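As an added illustration of the general technique (not the specific simplification the post goes on to present, and not configuration taken from the post), here is a plain ACL beside its object-group equivalent. The ACL name, group names and addresses are made up for the example.

```cisco
! Without object-groups: one ACE per server/port combination
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.11 eq 80
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.11 eq 443

! With object-groups: the same policy expressed as a single ACE
object-group network DMZ_WEB_SERVERS
 network-object host 192.168.10.10
 network-object host 192.168.10.11
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN extended permit tcp any object-group DMZ_WEB_SERVERS object-group WEB_PORTS
access-group OUTSIDE_IN in interface outside
```

`show access-list OUTSIDE_IN` expands the group-based ACE into its individual entries with per-entry hit counts, which is the quickest way to confirm that the compact form really covers the same host/port combinations as the long one, and to spot when adding a member to a group silently widens the policy.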

Jul 21, 2010

Configuring NAT on ASA/PIX

I've designed a network scenario where I could apply every NAT type supported by the ASA/PIX. Below is what I came up with:

Jul 20, 2010

Controlling intra-interface traffic

If you need to allow unencrypted traffic to enter and leave the firewall on the same interface (e.g., from inside to inside), you just need to enable the command below.

(config)# same-security-traffic permit intra-interface

Cisco published an article explaining that configuration. However, if the firewall policy has NAT rules, that command alone is not enough to get it working. As an example I will use the following scenario, which is similar to the one presented in Cisco's article.
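The point above, as an added example that is not configuration from the post or from Cisco's article: it assumes pre-8.3 NAT syntax (the software current when this was written) and two made-up inside networks behind a router on the inside interface, so traffic between them enters and exits the ASA on the same interface.

```cisco
! Constructed example, pre-8.3 NAT syntax; addresses are made up.
! 10.1.0.0/24 and 10.2.0.0/24 both live behind a router on the inside
! interface, so inside-to-inside traffic hairpins through the ASA.

! Step 1: allow traffic to enter and exit the same interface
same-security-traffic permit intra-interface

! Existing outbound NAT policy: everything from inside is PATed to outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! Step 2: the nat (inside) 1 rule also matches inside-to-inside flows,
! but there is no global on the inside interface to translate them to,
! so the ASA drops the packets for lack of a matching translation.
! An identity translation on the same interface pair fixes it:
static (inside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
```

An equivalent fix is NAT exemption, an access-list matching the inside-to-inside traffic applied with `nat (inside) 0 access-list <name>`. Either way, check with `show xlate` that the hairpinned flows get an entry after the change, and remember that the ACL on the inside interface still applies to this traffic even though it never leaves the interface.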

Jul 16, 2010

Syslog over IPSec

I've identified an issue when ASAs are configured to send syslog messages over an IPSec tunnel. For some unknown reason, I've seen some devices trying to establish the connection to the log server without forwarding the traffic through the tunnel. Thus, the log messages are not saved, since the remote peer blocks the unencrypted packets.

Jul 12, 2010

Active/Standby Failover - Swapping the units roles

One of the appliances in an Active/Standby failover configuration is set as the primary unit and the other as the secondary. This lets the devices negotiate which one will be Active once they have finished booting (it will be the primary, provided everything loaded fine).

If for some reason you need to swap the device roles (primary/secondary) without an outage, it will be necessary to break the failover link first. Otherwise both boxes would switch to the Active state simultaneously, which results in a conflict that makes them lose failover connectivity (HELLO messages are not sent/received properly). Furthermore, you'd lock yourself out of one of the units, since both would be using the same IP addresses.

My journey to CCIE Security

Although I like to write about technical subjects, I've never been a blogger because I don't like feeling obligated to write at defined intervals or anything like that. Yeah... this is/will be a blog about technical stuff. I decided to create it as a notebook for personal use while I prepare to attempt the CCIE Security exam, which I'm planning to do by the end of next year. I could just make some text files and save them to my PC; however, by blogging I keep the notes always available to me and to anyone else who is interested.

The blog name "Packets Never Lie" is a quote from Laura Chappell. I took that maxim as the basis for doing my job, since every network issue can be fixed if we understand what is going through the NICs, cables, switches, routers, etc.

Perhaps the intervals between the first posts won't be short, since I'm preparing to take other certification exams besides the CCIE. Nevertheless, I will blog only about topics related to the CCIE exam.

First of all, I will make some notes on the ASA and PIX, since I work with those devices every day. While studying, I will write articles about routers and switches, IPS/IDS, security protocols, resources and technologies.

This will be my journey to CCIE Security... :)

