ASA VPN with Address Overlap

More and more, the Internet is being used as a connection to business partners. Typically this requires building an IPsec tunnel between two VPN-capable endpoints. For me the device of choice is the Cisco ASA. Since we are connecting to a business partner, we likely have no choice of device on the other end. Furthermore, since we are connecting to an already established network, there could be issues with IP address overlap. In this article, we address the configuration of a VPN with IP address overlap.

How Many Different Passwords Will Your Bank Accept?

Do you use upper and lower case letters in your Internet banking passwords in an attempt to achieve additional security? What if I told you that in many cases it does not even matter? The FFIEC (Federal Financial Institutions Examination Council) rightly makes the claim that upper and lower case characters in the password provide a stronger defense against password cracking programs (see citation below). The math suggests that using upper and lower case characters increases the entropy, and thus the password strength, by a factor of 26 for each character used in the password. The problem is that many Internet banking sites do not enforce the original case.

Deep or Wide for 2012?

With the new year here, many make New Year's resolutions regarding health, family, religion or their career. Technology is a particularly interesting area of study and career for many reasons. One challenge is trying to determine whether to be a niche subject matter expert (SME) or an individual who seems to know something about everything in the field. I have personally struggled with the choice between going deep into a single area of technology and continuing down the broad path that seems to be conducive to the type of work I do.

How to Upgrade a Basic ASA Configuration to 8.4

The Cisco ASA has gone through a few major evolutions regarding its functionality and configuration. Version 8.4 (as well as version 8.3) also brings major changes in some aspects of the configuration syntax. This article is the first in a series that will compare and contrast the configuration of the more familiar 8.2 syntax with that of the now available 8.4. This particular article starts out with the simplest possible ASA 8.2 configuration and looks at the upgrade process. After the upgrade is complete, the post-upgrade configuration is compared to the pre-upgrade configuration.

Merry Christmas and a Happy New Year

As the face behind PacketU.com, I wish all of my readers a very Merry Christmas and a Happy New Year. I encourage everyone to forget about packets this season in order to enjoy time with family. Most importantly, keep the true meaning in Christmas.

Using an ASA to Establish a Guest Network

It is not uncommon to visit a small to medium sized customer for the first time and find a wireless and/or guest network that compromises security for the rest of the network. Organizations that lack policies and procedures for their network tend to pick up consumer grade wireless routers and connect them exactly as they would at home. In this article, we will look at how we can rectify two important issues by using the DMZ interface on an ASA 5505 to create an isolated guest network.

Saving Time with CLI Filters

If you have dealt with routers or switches for any time at all, you realize how long and cumbersome the configuration can get. This is especially true when dealing with router configurations that include voice, zone-based firewall or anything else that pushes a router beyond its intended purpose. Fortunately, Cisco provides some tools to help us see what we need to see and filter out the excess. You can get a glimpse of some of these filters by typing the “show run” command and using the context-sensitive help (aka the ?).

Using Only the Cisco CLI to Decode Type 7 Passwords

For various reasons, I often find myself needing to decode a Cisco type 7 password. There are many third party tools that can do this for you. This article describes a way to get IOS based routers to show the clear text of a type 7 password without the need for any third party applications.

Egress Interface Selection on the Cisco ASA

One of the frustrating things about the Cisco ASA is that it does not support policy-based routing (PBR). With PBR, an administrator can get very granular with routing IP traffic. For example, an access-list can match traffic and steer it to an alternative next hop based on things like TCP/UDP port or IP source address. The ASA does not have the same level of granularity. However, a solid understanding of the egress interface selection process will allow an administrator to get creative and achieve some of the same results.

Classful Routing With “no ip classless”

A little while back I wrote an article that talked about the “ip subnet-zero” command. In many ways, the “ip classless” command is similar. The similarity is in history, not in function. The “ip classless” command was first introduced in IOS Release 10. At that time, it was disabled by default. Starting at version 11.3, the “ip classless” default was changed to enabled. To disable it, an administrator would enter “no ip classless”. Disabling “ip classless” changes how a router looks at the default network. In modern networks, there is no reason to disable it.

The “ip subnet-zero” Command

For those who haven’t worked with IOS versions prior to 12.0, the ip subnet-zero command might be quite mysterious. It is actually straightforward and easy to grasp. First though, a little background must be discussed. The key to understanding this command is the definition of a zero subnet. To understand this, let’s review what a subnet actually is.

The ASA’s ARP Behavior

I think anyone who has dealt with the ASA has to admit that it sometimes doesn’t behave as they’d expect. One of the more memorable times for me was when I used the alias command to do DNS translation. Unfortunately, I didn’t disable proxy ARP on the applicable interface. The technical result was that the ASA responded to ARP requests for the IP address specified as the internal address in the alias command.