Lessons Learned: Overriding routing in Cisco ASA

While at a client this week, I ran across a fundamental change in post 8.3 cisco ASA routing logic which blindsided me for a while. The scenario was that after changing some VPN tunnel endpoints and hence changing subnet locations, we started seeing errors in syslog along the lines of TCP session torn down, "no … Continue reading Lessons Learned: Overriding routing in Cisco ASA

Advertisements

Note on AAA when using cisco ASA

It’s common practice to have multiple users on a firewall, and each user may have different levels of access, such as admin accounts, while others may have just read-only accounts. The cisco ASA is no different and it is quite easy to setup a local AAA (authentication / authorization / accounting) server so you can … Continue reading Note on AAA when using cisco ASA

Lessons learnt : ASA 8.4 and NAT rules

- DNS doctoring via NAT policies DNS doctoring is an ASA feature wherein a client sends a DNS request for a particular website, say http://www.example.com. This DNS request gets inspected by the ASA, and the ASA can then control which IP gets returned to the client (in essence the ASA acts as a DNS proxy). … Continue reading Lessons learnt : ASA 8.4 and NAT rules

Configuring per user access w/ cisco ASA

Please note the below requires ASA v 8. or above. Per user access involves forcing users to login to the firewall before being allowed access to any resources. This has several benefits, including: Better user accountability Being able to define access on a user basis, rather than an IP basis (with some caveats) Implementing a … Continue reading Configuring per user access w/ cisco ASA