Wednesday, August 15, 2012

NAT NAT NAT and more NAT....


  • ASA can filter ICMP with a simple 'icmp' command. With this, you can permit/deny ICMP based on the ICMP type and interface. This applies to traffic traversing the firewall.
  • Filtering services was next ...
    • url-server (dmz) host 10.0.0.100 - configures a Websense filtering server on the specified interface
    • The filter command configures filtering services with many options. Interesting note - you can shorthand the any address - filter activex www 0 0 0 0 - which is source network, mask, foreign network, mask.
    • There are options to allow the traffic in the event the URL server is down. There are other options like proxy-block, interact-block, etc. I have read a lot of the Cisco documentation on ASA but I would say this is an initial weak point. I will be hitting the documentation on filtering.
  • NAT is a very tricky subject. The lab blueprint states ASA 8.x, but with NAT there are different configurations depending on if it is 8.2 and below, or 8.3 or 8.4. It appears that 8.0.x is the version that is used in the lab....great, my ASA is running 8.4....now off to create 4 ASAs in my lab - two 8.0 and two 8.4...
    • nat-control requires that all traffic from a higher security interface to a lower security interface match a NAT rule before being allowed
    • nat (global) creates pools
    • You assign NAT identifiers to the global pools
    • To complete the dynamic NAT, just say what you want to NAT, use the same NAT identifier, and off you go..
      • global (outside) 1 136.1.122.100-136.1.122.110
      • nat (inside) 1 136.1.121.0 255.255.255.0
    • Static NAT has a similar configuration using the 'static' keyword
    • For some reason, I always transpose either the interfaces or the networks in a NAT statement. Taking a break from hands-on, and going to re-read the NAT configuration guide.
      • "static NAT allows a remote host to initiate a connection to a translated host (if an access list exists that allows it), while dynamic NAT does not."
      • "clear local-host" is used to remove static NAT translations that are currently in use; "clear xlate" is only used for dynamic translations
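
The NAT identifier pairing described in the list above, as an added example (not code from the original post): a small Python check that pairs pre-8.3 `global` and `nat` lines by NAT ID and spells out which interface holds the real addresses and which holds the mapped pool. The sample config is constructed around the two lines from the notes, and only the plain network/mask form of `nat` is handled.

```python
import re
from collections import defaultdict

# Constructed sample of pre-8.3 ASA config; the first two lines are the
# pair from the notes, the rest are made up to exercise the checks.
SAMPLE = """\
global (outside) 1 136.1.122.100-136.1.122.110
nat (inside) 1 136.1.121.0 255.255.255.0
nat (dmz) 2 10.0.0.0 255.255.255.0
global (outside) 3 interface
nat (inside) 0 192.168.50.0 255.255.255.0
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")

def pair_nat_ids(config):
    """Group global pools and nat statements by NAT identifier."""
    pools, nats = defaultdict(list), defaultdict(list)
    for line in config.splitlines():
        line = line.strip()
        if m := GLOBAL_RE.match(line):
            pools[int(m.group(2))].append((m.group(1), m.group(3)))
        elif m := NAT_RE.match(line):
            nats[int(m.group(2))].append((m.group(1), m.group(3), m.group(4)))
    return pools, nats

def lint(config):
    """Return (findings, translations) for a config string."""
    pools, nats = pair_nat_ids(config)
    findings, translations = [], []
    for nat_id in sorted(set(pools) | set(nats)):
        if nat_id == 0:
            continue  # nat 0 is identity NAT: no global pool is expected
        if nat_id not in pools:
            findings.append(f"nat id {nat_id}: nat statement has no global pool")
        elif nat_id not in nats:
            findings.append(f"nat id {nat_id}: global pool is never referenced")
        else:
            # Real (pre-translation) side comes from nat, mapped side from global.
            for real_if, net, mask in nats[nat_id]:
                for mapped_if, pool in pools[nat_id]:
                    translations.append(f"{real_if}:{net}/{mask} -> {mapped_if}:{pool}")
    return findings, translations

if __name__ == "__main__":
    for item in sum(lint(SAMPLE), []):
        print(item)
```

Reading the output as "real interface:network -> mapped interface:pool" makes a transposed interface or network stand out before the config reaches the firewall.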
These were just some of the notes I took over a few days of studying. Other items such as failover and multi context firewalls seemed pretty straightforward. I still need to hunker down on NAT, because I still get confused with what's inside/outside and the syntax.
Still way too much time building/configuring/fixing things in my lab outside of the actual devices. I've made it through about 10% of INE volume 1. Overall, not too bad but the typos/mistakes/whatever-you-want-to-call-them are extremely frustrating when you are trying to get something to work.
I hope to be back at it this Sunday for a couple of hours...
