
NAT order of operations: to prevent conflicts between different NAT policies, the security appliance prioritizes certain NAT rules.


ACLs are used for: packet identification for NAT and VPN encryption, route redistribution, QoS packet classification, and access control. An interface ACL overrides a global ACL. Global ACLs look at all traffic passing through the ASA. Through-the-box: the ASA checks NAT before ACLs.
The ASA considers DHCP, EIGRP, OSPF, RIP and multicast as special types of traffic, meaning they are treated as connectionless traffic types. Therefore an extended ACL must be applied on both interfaces for communication.
Object groups: using object groups you can heavily decrease the number of ACEs. One ACE could consist of an object group in every field; that ACE would represent many more than a regular one. The decreased number of ACEs is only visual. Using too large object groups could unexpectedly affect multiple ACEs.
Object group types: protocol, network, icmp-type, service, local user group, security group.
Transparent firewalls can filter L2 and higher and segregate one IP subnet. They use a BVI for self-generated packets. The ASA works as a switch; L2 forwarding entries are learned dynamically as packets traverse.
ARP inspection: enabled per interface. Relies heavily on static ARP entries.
Virtualization: cost, segregation, different security policies, integration.
System context: no network settings or connectivity. Holds the config location for the different contexts.
Admin context: provides connectivity to network resources. Management interface. Must be created before you define other contexts.
User contexts: the number of contexts depends on the activation key and platform.
Clientless: the remote client needs only an SSL-enabled browser to access resources on private networks.
Thin client: a Java-based applet must be installed by the remote client to establish a secure connection. SSH and Telnet are added.
Full tunnel: an SSL VPN client is required to gain access to the secure network over an SSL tunnel. IP unicast traffic such as TCP, UDP and ICMP-based traffic can be sent over the tunnel.
NAT and AAA
Configured VLANs on the ASASM will remain inactive until the host chassis assigns them to the module.
Keep in mind that you only extend connectivity to a particular VLAN to the ASASM upon assignment. It is still necessary to create and configure the VLAN interface on the ASASM, as well as the remaining basic configuration, to allow traffic to flow.
You can add or remove VLANs to a group as necessary without affecting other VLANs in the group. The chassis simply updates the ASASM with the current list of active VLANs upon any change.

Use the show vlan command on an ASASM to display the current list of assigned VLANs.
Common deployment scenarios for the SM:
Protecting the internal segment from the external network.
Protecting a fragile network from other internal networks.
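Added example (not from these notes) of the two-step VLAN assignment described above: the Catalyst supervisor hands a VLAN group to the module, and the ASASM still has to configure the VLAN interfaces itself before traffic flows. The slot number, VLAN IDs and addresses are assumed values.

```cisco
! --- Catalyst 6500 supervisor (IOS); ASASM assumed in slot 4 ---
vlan 10,20
! group the VLANs and assign the group to the module; until this step the
! VLANs are inactive on the ASASM even if they are configured there
firewall vlan-group 1 10,20
firewall module 4 vlan-group 1
! open a console session into the module
session slot 4 processor 1

! --- ASASM (assumed addressing) ---
! assignment alone passes no traffic: the VLAN interfaces, nameif,
! security levels and addresses must still be configured on the module
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 no shutdown
interface Vlan20
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
 no shutdown
! confirm the list the chassis pushed to the module matches the VLAN group
show vlan
```

Adding VLAN 30 later is `firewall vlan-group 1 10,20,30` on the supervisor; the module receives the updated list without disturbing VLANs 10 and 20.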

Different usages for NAT
One-to-one mapping. Assigned statically or from a pool of addresses. Inside to outside. Higher security zone to lower.
Methods of NAT/PAT:
Static NAT: servers.
Dynamic NAT: protocols without L4 info, e.g. GRE.
Dynamic PAT: source IP, ports, TCP/UDP.
Policy NAT: ACLs define whether the traffic should be translated or not.
Identity NAT: mainly for NAT exemption. You NAT a network to itself to exclude it from another NAT function.
Why use NAT: it hides the original IP address.
TCP intercept prevents DoS traffic by setting a maximum number of TCP/UDP connections.
Auto NAT: configured inside an object; does not take the destination into consideration.
Manual NAT: configured in global mode; makes it possible to translate an address differently. This takes the destination into consideration. Example: NAT exemption for VPNs.
NAT order of operations: to prevent conflicts between different NAT policies, the security appliance prioritizes certain NAT rules.
1. NAT exemptions
2. Static NAT
3. Static PAT
4. Policy NAT/PAT
5. Identity NAT
6. Dynamic NAT
7. Dynamic PAT
AAA services
Servers for AAA:
Internal server: supports AA_ (authentication and authorization) for remote access VPN, admin session authentication and firewall sessions.
RADIUS: supports AAA. A widely implemented protocol with a client/server model. The client is referred to as the network access server (NAS); the NAS is responsible for passing user information to the RADIUS server. The ASA acts as NAS and authenticates users based on the RADIUS response. In the RADIUS protocol, AA_ (authentication and authorization) are combined in a single request; the ASA authenticates itself towards the server using a preconfigured shared secret which is never sent over the network.
RADIUS authentication process:
1. User attempts to connect to the ASA.
2. ASA prompts the user for username and password.
3. Credentials are sent to the ASA from the user.
4. ASA sends an authentication request to the RADIUS server.
5. Access-Accept or Access-Reject is sent back from the RADIUS server.
6. ASA responds to the user.
TACACS: supports AAA. Provides centralized validation of users gaining access to a NAS. Its primary goal is to supply complete AAA support for managing multiple network devices. Uses port TCP/UDP 49. The authentication concept is similar to RADIUS.
Other servers: RSA SecurID, Windows NT, Kerberos, Lightweight Directory Access Protocol (LDAP).
Controlling network access:
The Cisco ASA protects the inside and DMZ networks by inspecting traffic that passes through it. An ACL is a collection of security rules and policies that allows or denies packets after looking at packet headers and attributes.
ACLs are used for: packet identification for NAT and VPN encryption, route redistribution, QoS packet classification, access control.
One entry in an ACL is called an ACE. An ACE classifies packets by inspecting headers for a number of parameters: L2 and L3 protocol info, L3/L4 header info, L7 info.
Global ACLs look at ALL traffic passing the ASA; an interface ACL overrides a global ACL.
Through-the-box traffic filtering: traffic sourced from the outside going to the inside network, i.e. traffic passing through the ASA. The ASA checks NAT before ACLs.
To-the-box traffic filtering: traffic going to the ASA itself; applied using the control-plane keyword.
Normally, traffic originating from a higher-level zone going to a lower-level zone is allowed. However, the ASA considers DHCP, EIGRP, OSPF, multicast and RIP as special types of traffic, meaning they are treated as connectionless traffic types. Therefore an extended ACL must be applied on both interfaces for communication.
4 types of ACL:
Standard ACL: identifies traffic based on source IP addresses.
Extended ACL: identifies traffic based on source and destination IP addresses, L3 protocols, source/destination TCP and UDP ports, and destination ICMP type for ICMP packets. Can be used for: interface packet filtering, QoS packet classification, packet identification for NAT/VPN encryption. IPv6 compatible.
EtherType ACL: filters IP and non-IP traffic by checking the Ethernet type code field in the L2 header. Works only in transparent mode.
Web-type ACL: mainly for restricting traffic coming through SSL VPN tunnels.
Object groups:
Using object grouping you can heavily decrease the number of ACEs. It is possible using both ASDM and the CLI. One ACE could consist of an object group in every field; that ACE would represent many more than a regular one. The decreased number of ACEs is only visual. Using too large object groups could unexpectedly affect multiple ACEs.
Different group types:
Protocol: gives the ability to group together different protocol types. Useful when more than one protocol is involved for the same source/destination.
Network: for source and destination purposes, two or more hosts/networks can be grouped together.
Service: e.g. HTTP, DNS. A DMZ might have several services available; bundle those together for one ACE.
Local user group: used when the identity-based firewall is deployed.
Security group: used within Cisco TrustSec. Filters traffic based on information downloaded from an external identity repository.
ICMP type: binds the various types of control messages together.
Time-based ACL:
Implemented when traffic needs to be filtered at certain times. Two parameters are used: absolute, a one-time happening only; periodic, for recurring events (e.g. every day). These can be combined; however, the absolute one is prioritized.
Downloadable ACL: compatible with RADIUS or TACACS. The server maintains an ACL which is downloaded and applied when a user authenticates and connects, and the host's traffic is then handled according to the downloaded ACL.
Routed firewalls separate two IP subnets and can filter L3 and higher. Cannot filter on L2.
Transparent firewalls can filter L2 and higher. Segregates one IP subnet; uses bridge virtual interfaces for self-generated packets. Do the switchover through the console with the firewall transparent command, because you will lose Telnet and SSH. The ASA works as a switch; L2 forwarding entries are learned dynamically as packets traverse.
ARP inspection: ARP packets are generally not filtered; however, an EtherType ACL can block them. ARP spoofing = an attacker sends fake ARP messages, wanting to associate his MAC address with the IP address of a host on the LAN. Transparent mode provides a way to prevent attacks related to ARP spoofing. Enabled per interface. Relies heavily on static ARP entries.
Virtualization partitions a physical firewall into multiple standalone firewalls. Good for cost, segregation, different security policies, integration.
System execution space, also known as the system context: no network settings or connectivity. Mainly used to define the settings of other contexts. Important settings: context name, location of the context's startup config, interface allocation. Additional features: banner, activation key, resource management, firewall mode, clustering, transparent mode, failover, NTP and MAC addresses.
Configuration location for the different contexts: system execution space: NVRAM. Security contexts: flash or other network-based storage (FTP, HTTP).
Admin context: provides connectivity to network resources. Best practice is to assign the management interface of the ASA to the admin context. From the admin context you can switch to other contexts and manage them. Must be created before you define other contexts. Network-related config is saved into the admin context when converting from single to multiple mode. Can be used as a regular context, but not recommended.
User context features: IPS functionality, dynamic routing, packet filtering, NAT, site-to-site VPN, IPv6 and device management. The number of contexts depends on the activation key and platform.
Packet classification: sharing of resources. The ASA applies packet classification criteria to identify the context before forwarding a packet; the packet is then processed based on the security policies configured in that context. Non-shared interface: contexts use a unique physical or logical subinterface, which makes packet classification easier. Shared interface: one or more interfaces are shared between security contexts; the destination IP or a unique MAC address is used to classify the packet to the correct context.
Configuration of multiple mode:
Enable multiple security context mode globally: mode multiple.
Set up the system execution space: set up automatically when mode multiple is enabled.
Assign interfaces to a context.
Specify a configuration URL: context A, config-url disk0 . cfg
Configure an admin context.
Configure a user context.
ASA failover: a primary device that has a backup device ready to replace it in case of failure.
Stateless failover: the active device synchronizes the configuration to the standby device. All connections stay local to the primary device; in case of failure (IOF) all connections must be re-established.
Stateful failover: a stateful failover link must be configured, which synchronizes TCP and UDP connections, the ARP table and the bridge-group MAC mapping table, the routing table and VPN data structures, all to make sure of seamless connectivity in case of failure.
Active/active and active/standby failover: two different modes of failover. A/A: all ASA models support A/A failover in multiple context mode. The traffic can be, and should be, load balanced between the devices using application contexts, each assigned to one of the two context groups. A/S: the primary device is active and the secondary is standby. For a failover to occur, the health of the primary device must be worse than the standby's. This is the preferred deployment model for failover. Does not have preempt.
Failover interfaces: a failover interface/link is a dedicated medium for transferring data to keep the secondary device up to date with all necessary info, minimizing the interruption of data transfer. The same interfaces must be used on both sides of the failover link (G0/1 to G0/1). Control traffic: peer discovery and negotiation, config replication, health monitoring.
Back-to-back: cheaper, less prone to fail, harder to troubleshoot; if the link goes down, both ASAs battle each other for being active.
LAN: troubleshooting is good, more expensive, more prone to fail, security.
Best practice for failover links is two dedicated links: one failover stateful link and one control link.
Failover health monitoring: conditions for failure: one of the internal interfaces goes down, an interface expansion card fails, an IPS, CSC or CX application module fails.
If the hold time expires: count the number of interfaces in the UP state. Generate a message towards the peer containing the local number of interfaces in the UP state. When a peer receives the message it responds by sending its local number of operational interfaces. If the active unit responds with fewer operational interfaces than the standby, the standby unit takes over. If the active unit does not respond at all, a switchover occurs and the standby device becomes active.
Monitoring data interfaces: by default, only physical interfaces are monitored; however, it is possible to monitor other types of interfaces using the monitor-interface command. Failover only monitors on a logical level, so on redundant EtherChannel links only the link as a whole is monitored and not the individual links.
State and role transition: the unit listens on the control link for keepalives from a peer for at least 50 seconds during negotiation. If the unit detects an active peer during the negotiation phase, it starts the sync process in order to assume the standby state for the entire system. If the ASA detects no active peer during the negotiation state, it progresses straight to active.
Prerequisites for failover: appropriate licenses, pick separate interfaces for failover control traffic, use an isolated subnet for the failover control interfaces, identify a standby IP address for each data interface you intend to monitor.
Cisco IPS supports integrated software and hardware modules.
Basic operation of an IPS: the ASA redirects matching traffic to the module, CIPS processes the traffic locally, with the ability to ask the ASA to drop packets or reset the connection.
Configuration: CIPS features are configured separately from the ASA. ASDM is used to manage both.
Internal-control interface: allows access to the module management interface from the ASA. Control communication: module initialization, health monitoring keepalives, basic config, clock sync, policy decision notification.
Internal-data interface: the IPS module receives redirected traffic here. The ASA sends periodic keepalives to verify the operational status of the module. The ASA tags packets with a special header that provides additional metadata.
Management interface (referred to as the command and control interface by CIPS): dedicated interface for IPS functions. This interface is used for connecting to and configuring the module over the network. Used by CIPS to send SNMP traps. Can be used as a SPAN destination.
Inline mode: allows the IPS to immediately respond to security threats against the network. All traffic matching the inline IPS redirection policy must pass through the IPS module.
Inline ASA IPS operation: the ASA receives an IP packet from the Internet; the packet matches an inline IPS redirection policy. The ASA forwards the packet to the IPS module for analysis (ACLs may block packets before this). CIPS analyzes the packet; if malicious, the packet is dropped. If the packet passes, control returns to the ASA and the packet is forwarded as normal.
Promiscuous mode: the ASA forwards a copy to the IPS but the original packet continues to the internal network. Typically used to avoid extra latency. Regardless of mode, the ASA software performs TCP packet reordering and may in rare circumstances degrade throughput, even in promiscuous mode.
Promiscuous IPS operation: the ASA receives an IP packet, sends a copy of the packet to the IPS and then forwards it to the destination. The IPS module analyzes the copy of the packet and alerts the admin or takes action if the packet is malicious, but the original packet has already reached the destination. This is why promiscuous mode is not very effective against network attacks.
CIPS software architecture: uses the SDEE protocol. ASDM and other remote applications can retrieve events from the sensor using SDEE.
Major CIPS components: interprocess communication API, MainApp, SensorApp, CollaborationApp, EventStore, CLI.
Installing the CIPS system software: download the image file from cisco.com, place the image on a TFTP server, connect and configure the physical CIPS management interface, start configuring. A CIPS license key is required for signature package updates and global correlation.
Configuring CIPS (software based): the ASA offers immediate protection. You just need to:
1. Associate the default virtual sensor with the ASA backplane.
2. Configure IPS traffic redirection on the host ASA.
CIPS supports up to four virtual sensors; each sensor can have different policies: signature definition, event action rules, anomaly detection policies.
Remote blocking: the ASA IPS can interact with IOS routers and switches to block or rate-limit traffic. CIPS applies ACLs on the IOS devices.
Anomaly detection: the IPS learns the normal network activity and, based on that, detects anomalous traffic. To increase the efficiency of anomaly detection, assign IP addresses to different traffic profile zones: internal, illegal, external.
Global correlation: if enabled, the IPS connects to the Cisco SensorBase network to download updated info about malicious activity in the worldwide network. One specific host might get a warning flag; the IPS will download the updated information from SensorBase and inspect traffic related to this host more deeply, or even block it entirely. This is updated every 5 minutes by default and requires a valid DNS server and an Internet connection.
Botnet definition: a botnet is a group of bots that run malicious software, often operated by different criminal entities.
Botnet traffic filter: not an exclusive ASA IPS feature. Complements IPS global correlation. Requires a time-based BTF license. 3 components: dynamic/manually defined blacklist data, DNS snooping, traffic classification/selection. The ASA compares the source/destination IP addresses of connections in transit against the IPs in the blacklists and the reverse DNS cache.
User account administration: admin, operator, viewer, service.
Signatures are upgraded using FTP, HTTP, SCP, or IPS updates. One-time upgrades, scheduled upgrades.
IPS redirection configuration in ASDM: launch the service policy wizard, add service policy rules, choose which policy to use, define a class of traffic for IPS redirection.
Tuning and monitoring IPS: true is good, false is bad. Positive means an alarm is triggered. Negative means no alarm.
Site-to-site IPsec VPN.
IKEv1 and v2. Validates the IP address of the connection initiator. Enhanced interoperability between vendors. Asymmetric authentication. Support for connections that change IP address frequently. Faster rekey time.
IKEv1 vs IKEv2: v2 uses acknowledgements and sequence numbers while v1 uses neither. V1 has no native authentication while v2 uses EAP. V2 supports the Suite B cryptographic standards.
IKEv2 limitations: third-party firewalls, network admission control, L2TP over IPsec, reauthentication, peer ID check, pre-shared-key authentication on client or server.
ASA vs router configuration:
Enable ISAKMP (enabled by default on routers).
Create the ISAKMP policy.
Set up the tunnel groups: maps attributes that are assigned to a specific IPsec peer. Not available on routers.
Define the IPsec policy.
Create a crypto map.
Traffic filtering: no sysopt connection permit-vpn. All traffic from a VPN is allowed by default, ignoring any ACLs.
Bypass NAT: specify traffic not to be translated. Identify this traffic with object groups: one object for the source and one for the destination network. If you don't bypass NAT, the crypto ACL must match the public IP on the peer.
PFS: perfect forward secrecy is a cryptographic technique.
IPsec supports unicast only. OSPF uses multicast addresses; however, static neighbours use unicast. OSPF over IPsec works only between two Cisco ASAs.
Reverse route injection: distributes remote network information into the local network. Uses static routes which are then redistributed into the IGP.
NAT traversal: encapsulates ESP packets in UDP port 4500. Dynamically negotiated if the following two conditions are met: both VPN peers are NAT-T capable, and there is a NAT or PAT device between the peers. Can be configured to send keepalives to prevent the connection from timing out. Globally enabled by default.
Tunnel default gateway: route inside 0 0 192.168.10.2 tunneled.
Management access: the ASA does not allow management over the VPN by default; however, it can be configured. Management includes ASDM, SSH, ping, NTP and syslog. Enabled with management-access interface. Make sure you configure NAT exemption with the route-lookup keyword.
Fragmentation policies: fragmentation after encryption is the most common way. Packets can however be fragmented before encryption, which saves CPU overhead. Packets with the Don't Fragment bit set won't be fragmented and might be dropped.
Common configuration problems: ISAKMP proposal unacceptable, mismatched pre-shared key, incompatible transform set, mismatched crypto ACL.
IPsec remote-access VPN: AnyConnect only supports IKEv2. IKEv1 is now considered EoL (end of life). Configured with a wizard, manually in ASDM, or via the CLI. Two connection modes are supported by hardware-based VPN clients: client mode and network extension mode.
SSL VPN complements existing IPsec remote-access deployments. Data encryption and decryption occur at the application layer. No need to install software or hardware.
SSL VPN on the Cisco ASA:
Clientless: the remote client needs only an SSL-enabled browser to access resources on private networks. Can access resources such as HTTP/S and Windows file shares over an SSL tunnel.
Thin client: a Java-based applet must be installed by the remote client to establish a secure connection. The SSL client gains access to resources such as HTTP/S, SSH and Telnet servers on the secure network.
Full tunnel: an SSL VPN client is required to gain access to the secure network over an SSL tunnel. IP unicast traffic such as TCP, UDP and ICMP-based traffic can be sent over the tunnel. VPN clients can be automatically pushed to a user after successful authentication.
Considerations before implementing SSL VPN services: analyze your environment. Determine the features and modes best suited to your implementation. User connectivity. ASA feature set. Infrastructural planning. Implementation scope: clustering and load balancing techniques can help accommodate the increased number of remote users if one ASA is not enough.
Software requirements: the browser needs Java version 6; Java is used for port forwarding and smart tunnels. ActiveX if you use Internet Explorer.
Infrastructural requirements: user accounts, admin privileges.
Inheritance model: you can configure policies at the following locations: default group policy, group policy, user policy (user-specific attributes).
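Added example (not from these notes) of the three SSL VPN access modes and the inheritance model on one tunnel group: the group policy sets full-tunnel plus clientless access, and a user-level attribute narrows one account to the clientless portal only. Pool, ACL, policy and tunnel-group names, the AnyConnect package file name and the passwords are assumed placeholders.

```cisco
! address pool for full-tunnel clients and the split-tunnel list (assumed values)
ip local pool VPN-POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.10.0 255.255.255.0

webvpn
 enable outside
 ! package file name is a placeholder; the client is pushed to the user after authentication
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER.pkg 1
 anyconnect enable
 tunnel-group-list enable

! group policy: inherits from the default group policy, overrides what is set here
group-policy SSL-GP internal
group-policy SSL-GP attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-idle-timeout 30

! tunnel group: users pick it by alias on the login page
tunnel-group SSL-TG type remote-access
tunnel-group SSL-TG general-attributes
 address-pool VPN-POOL
 default-group-policy SSL-GP
tunnel-group SSL-TG webvpn-attributes
 group-alias Employees enable

! user attributes sit below the group policy: this account gets the browser-only
! clientless portal even though its group allows the full tunnel
username contractor password CONTRACTOR-PW-PLACEHOLDER
username contractor attributes
 vpn-group-policy SSL-GP
 vpn-tunnel-protocol ssl-clientless

! verify which policy a session actually resolved to
! show vpn-sessiondb anyconnect
! show vpn-sessiondb webvpn
```

Traffic from VPN-POOL to the inside network still needs a NAT exemption (identity NAT) on the inside/outside pair, otherwise the replies are translated.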
Transparent firewall:
1. Change the firewall mode to transparent.
2. Define VLANs and bind bridge groups to the VLANs.
3. Create the BVI.
4. Bind physical interfaces to the VLANs.
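Added example (not from these notes) of the transparent-mode steps above on an ASA appliance, using the ASA 8.4+ bridge-group syntax, with ARP inspection tied to static ARP entries as the earlier ARP inspection section describes. Interface names, addresses and the MAC address are assumed values.

```cisco
! run from the console: the mode change clears the running configuration and
! drops SSH/Telnet sessions
firewall transparent

! one bridge group = one IP subnet split into two L2 segments; the BVI address is
! only used for packets the ASA itself generates (management, syslog, ARP)
interface BVI1
 ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet0/0
 bridge-group 1
 nameif outside
 security-level 0
 no shutdown
interface GigabitEthernet0/1
 bridge-group 1
 nameif inside
 security-level 100
 no shutdown

! static ARP entries are the ground truth for inspection: an ARP packet on
! 'inside' that binds 192.168.1.10 to any other MAC is dropped;
! no-flood also drops ARP packets for addresses with no static entry
! (the default, flood, would forward them out every bridge-group port)
arp inside 192.168.1.10 0011.2233.4455
arp inside 192.168.1.11 0011.2233.4466
arp-inspection inside enable no-flood

! non-IP frames are dropped unless an EtherType ACL permits them;
! letting BPDUs through keeps spanning tree consistent on both segments
access-list ETH-IN ethertype permit bpdu
access-group ETH-IN in interface inside
access-group ETH-IN in interface outside

! verify: show arp-inspection (per-interface state), show arp (static entries),
! show mac-address-table (dynamically learned L2 forwarding entries)
```

The trade-off is operational: every host that must be protected needs a static entry, so the inventory of static ARP entries has to be maintained as hosts are replaced.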
Configure failover:
1. Enable failover.
2. Configure the primary unit for failover, defining the failover link, state link and role.
3. Configure the secondary unit for failover, defining the failover link, state link and role.
4. Create the failover group and define the local device's role.
5. Go into the user context and configure it to join failover group x.
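Added example (not from these notes) of steps 1 to 3 above for active/standby failover with the two dedicated links the failover section recommends: one control link and one stateful link. Interface names, subnets, poll timers and the failover key are assumed values.

```cisco
! ---------- primary unit ----------
failover lan unit primary
! control link: peer discovery, config replication, health keepalives
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
! stateful link: connection table, ARP table, routing table, VPN state
failover link STATELINK GigabitEthernet0/4
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
! control traffic is authenticated and encrypted with this shared key (placeholder)
failover key FAILOVER-KEY-PLACEHOLDER
interface GigabitEthernet0/3
 no shutdown
interface GigabitEthernet0/4
 no shutdown

! every monitored data interface gets a standby address; the standby unit answers
! on it and the two units compare counts of UP interfaces when the hold time expires
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
 no shutdown
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
 no shutdown
monitor-interface inside
monitor-interface outside
! unit keepalives every 1 s, peer declared failed after 5 s of silence (assumed tuning)
failover polltime unit 1 holdtime 5
failover

! ---------- secondary unit ----------
! only the unit role and the link definitions are configured here;
! everything else is replicated from the primary once failover is enabled
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link STATELINK GigabitEthernet0/4
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover key FAILOVER-KEY-PLACEHOLDER
interface GigabitEthernet0/3
 no shutdown
interface GigabitEthernet0/4
 no shutdown
failover

! verify: show failover (roles, monitored interfaces, replication state),
! show failover history (why the last switchover happened)
```

With no preempt in active/standby mode, the original primary stays standby after it recovers until a failure or a manual `failover active` moves the role back.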
Configure contexts:
1. Configure the system execution space (system):
a. Enable interfaces. Assign VLANs to interfaces.
b. Specify the config URL for all contexts.
c. Assign the admin context.
2. Create the admin context:
a. Allocate interfaces.
3. Create the member contexts.
4. Use the contexts as you wish.
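Added example (not from these notes) following the steps above: the system execution space owns the physical interfaces and the config URLs, the admin context gets the management interface, and a user context receives unique subinterfaces so packets are classified by interface rather than by destination IP or MAC. Interface names, VLAN IDs, context names and addresses are assumed values.

```cisco
! ---------- 1. system execution space ----------
! prompts for a reload; the single-mode network config is saved into the admin context
mode multiple

! 1a. enable interfaces and create the VLAN subinterfaces that will be handed out
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface Management0/0
 no shutdown

! 1c. the admin context must exist before any other context is defined
admin-context admin
! ---------- 2. admin context ----------
context admin
 ! 2a. allocate the management interface to the admin context (best practice)
 allocate-interface Management0/0
 ! 1b. startup config lives in flash for each context
 config-url disk0:/admin.cfg

! ---------- 3. member (user) context ----------
context CUST-A
 ! non-shared subinterfaces, exposed inside the context under mapped names
 allocate-interface GigabitEthernet0/0.10 inside-A
 allocate-interface GigabitEthernet0/0.20 outside-A
 config-url disk0:/cust-a.cfg

! ---------- 4. configure the user context from the admin side ----------
changeto context CUST-A
interface inside-A
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface outside-A
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
changeto system

! verify: show context (names, allocated interfaces, config URLs, mode per context)
```

The mapped names (`inside-A`, `outside-A`) hide the physical topology from the context's administrator, which is the point of the segregation benefit the virtualization section lists.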
Configure IPS:
1. Set up ASDM for IPS management.
2. Install the CIPS license key.
3. Configure the IPS.
4. Redirect traffic on the ASA.
Default IPS settings enable immediate protection, but you need to:
Associate the virtual sensor with the ASA backplane.
Configure IPS traffic redirection on the ASA.

Site-to-site VPN:
1. Enable IKEv1/v2.
2. Create the ISAKMP policy.
3. Set up the tunnel groups.
4. Define interesting traffic.
5. Define the IPsec policy.
6. Create the crypto map.
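Added example (not from these notes) of the six steps above for an IKEv1 site-to-site tunnel, together with the surrounding items from the site-to-site section: NAT bypass with route-lookup, no sysopt connection permit-vpn, PFS, reverse route injection, NAT-T keepalives and management access over the tunnel. Networks, the peer address, the pre-shared key and the keepalive interval are assumed values.

```cisco
! 1. enable IKEv1 on the outside interface (not enabled by default on the ASA)
crypto ikev1 enable outside

! 2. ISAKMP (phase 1) policy; must match the peer's
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

! 3. tunnel group: attributes bound to this specific peer (no router equivalent)
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key PSK-PLACEHOLDER

! 4. interesting traffic (crypto ACL): mirror image of the peer's crypto ACL
access-list VPN-TO-BRANCH extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! 5. IPsec (phase 2) policy
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac

! 6. crypto map: peer, transform set, PFS, reverse route injection; bound to outside
crypto map OUTSIDE-MAP 10 match address VPN-TO-BRANCH
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP 10 set reverse-route
crypto map OUTSIDE-MAP interface outside

! bypass NAT for tunnel traffic (identity NAT keyed on destination); without it the
! crypto ACL would have to match the translated, not the real, addresses
object network LOCAL-LAN
 subnet 192.168.10.0 255.255.255.0
object network BRANCH-LAN
 subnet 192.168.20.0 255.255.255.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup

! decrypted VPN traffic must pass the interface ACLs like everything else
no sysopt connection permit-vpn

! NAT-T is on by default; keepalives stop an intermediate PAT device from
! expiring the UDP/4500 binding (interval assumed)
crypto isakmp nat-traversal 20

! allow ASDM/SSH/ping to the inside address through the tunnel
management-access inside

! verify: show crypto ikev1 sa (phase 1), show crypto ipsec sa (phase 2 counters);
! debug crypto ikev1 shows which of the four common mismatches (proposal, PSK,
! transform set, crypto ACL) stops the negotiation
```

The route-lookup keyword on the exemption makes the ASA use the routing table for the egress interface of return traffic, which is what management access over the tunnel depends on.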
Different usages for NAT
1-to-1 mapping. Assigned statically or from a pool of addresses. Inside to outside. Higher security zone to lower.
Methods of NAT/PAT:
Static NAT: DNS, email.
Dynamic NAT: protocols without L4 info. GRE, DDP.
Dynamic PAT: source IP, source ports. TCP/UDP.
Policy: ACLs define whether the traffic should be translated or not.
Identity: mainly for NAT exemption; you NAT a network to itself to exclude it from another NAT function.
NAT hides the original IP address. Limits the number of public IP addresses a company must use, for both economic and security reasons.
TCP intercept: prevents DoS traffic by setting a maximum number of TCP/UDP connections.
Auto NAT: configured inside an object; does not take the destination into consideration.
Manual NAT: configured in global mode; makes it possible to translate an address differently.
NAT order of operations: to prevent conflicts between different NAT policies, the security appliance prioritizes certain NAT rules: NAT exemptions, static NAT, static PAT, policy NAT/PAT, identity NAT, dynamic NAT, dynamic PAT.
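Added example (not from these notes) of the NAT methods listed above, and in the earlier NAT section, in ASA 8.3+ syntax: auto NAT rules that live inside objects and ignore the destination, beside a manual NAT rule that translates the same inside subnet differently depending on where it is going. Interface names and all addresses are assumed values.

```cisco
! ---------- auto (object) NAT: rule inside the object, destination ignored ----------
! dynamic PAT: whole inside subnet hides behind the outside interface address
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

! dynamic NAT from a pool: one real IP <-> one mapped IP with no port rewrite, so
! protocols without L4 ports (GRE) survive; falls back to interface PAT when the
! pool is exhausted
object network NAT-POOL
 range 203.0.113.20 203.0.113.30
object network TUNNEL-HOSTS
 subnet 192.168.11.0 255.255.255.0
 nat (inside,outside) dynamic NAT-POOL interface

! static NAT: bidirectional one-to-one for a DMZ mail server
object network DMZ-MAIL
 host 172.16.1.25
 nat (dmz,outside) static 203.0.113.25

! static PAT: only the web server's real TCP 8080 is exposed, as TCP 80 on a public address
object network DMZ-WEB
 host 172.16.1.10
 nat (dmz,outside) static 203.0.113.10 service tcp 8080 80

! ---------- manual (twice) NAT: global command, destination-aware ----------
! inside hosts talking to the partner network appear as 198.18.0.0/24 there
! instead of the interface PAT address; other destinations still use the rule above
object network PARTNER-NET
 subnet 10.200.0.0 255.255.255.0
object network PARTNER-FACING
 subnet 198.18.0.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET PARTNER-FACING destination static PARTNER-NET PARTNER-NET

! verify which rule wins: show nat lists section 1 (manual), 2 (auto), 3 (manual after-auto)
! with hit counts; packet-tracer shows the translation a given flow receives:
! packet-tracer input inside tcp 192.168.10.5 40000 10.200.0.5 443
! packet-tracer input inside tcp 192.168.10.5 40000 198.51.100.9 443
```

The two packet-tracer runs make the destination dependence visible: the first flow is translated by the manual rule to 198.18.0.5, the second by the object rule to the outside interface address.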
AAA: RADIUS is a widely implemented protocol with a client/server model. Network access server: the ASA acts as NAS and authenticates users based on the RADIUS response.
RADIUS authentication process: the user attempts to connect to the ASA. The ASA prompts the user for username and password. Credentials are sent to the ASA from the user. The ASA sends an authentication request to the RADIUS server. Access-Accept or Access-Reject is sent back from the RADIUS server. The ASA responds to the user.
Other server types: TACACS, Kerberos, Windows NT, RSA SecurID, LDAP.
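Added example (not from these notes) of the AAA server setup behind the RADIUS process above and in the earlier AAA section: a RADIUS server group for user authentication (cut-through proxy), a TACACS+ group for administrative sessions, and LOCAL as the fallback so a dead server does not lock out the console. Server addresses, keys, account names and the ACL are assumed placeholders.

```cisco
! RADIUS server group for user (not admin) authentication
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 192.168.10.50
 ! shared secret: signs and verifies the exchange, never transmitted itself
 key RADIUS-SECRET-PLACEHOLDER
 authentication-port 1812
 accounting-port 1813
 timeout 5

! TACACS+ server group for the management plane (per-command authorization)
aaa-server TACACS-SRV protocol tacacs+
aaa-server TACACS-SRV (inside) host 192.168.10.51
 key TACACS-SECRET-PLACEHOLDER
 timeout 5

! admin sessions: SSH, ASDM/HTTPS and enable go to TACACS+, then LOCAL if unreachable
aaa authentication ssh console TACACS-SRV LOCAL
aaa authentication http console TACACS-SRV LOCAL
aaa authentication enable console TACACS-SRV LOCAL
aaa authorization command TACACS-SRV LOCAL
aaa accounting command TACACS-SRV
! local fallback account (placeholder password)
username admin password ADMIN-PW-PLACEHOLDER privilege 15

! cut-through proxy: inside users must authenticate against RADIUS before the ASA
! lets their HTTP sessions through to the DMZ (traffic selected by ACL)
access-list AUTH-HTTP extended permit tcp 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0 eq www
aaa authentication match AUTH-HTTP inside RADIUS-SRV

! exercise the full request/Access-Accept exchange without logging in
test aaa-server authentication RADIUS-SRV host 192.168.10.50 username jdoe password USER-PW-PLACEHOLDER
! verify server reachability and state: show aaa-server
```

Keeping LOCAL last in each method list means it is only consulted when every server in the group fails to answer, not when a server rejects the credentials.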

The Cisco ASA protects the inside and DMZ networks by inspecting traffic that passes through it. An ACL is a collection of security rules and policies that allows or denies packets after looking at packet headers and attributes.
ACLs are used for: packet identification for NAT and VPN encryption, route redistribution, QoS packet classification, access control.
One entry in an ACL is called an ACE. It classifies packets by inspecting headers for a number of parameters: L2/L3 protocol info, L3/L4 header info, L7 info.
An interface ACL overrides a global ACL. Global ACLs look at all traffic passing the ASA.
Through-the-box traffic filtering: traffic sourced from the outside going to the inside network, i.e. traffic passing through the ASA. The ASA checks NAT before ACLs.
To-the-box traffic filtering: traffic going to the ASA itself; applied using the control-plane keyword.
Traffic from a higher security zone going to a lower security zone is allowed. However, the ASA considers DHCP, EIGRP, OSPF, multicast and RIP as special types of traffic, meaning they are treated as connectionless traffic types. Therefore an extended ACL must be applied on both interfaces for communication.
4 types of ACL: standard, extended, EtherType, web-type. EtherType works only in transparent mode.
Object groups: using object grouping you can heavily decrease the number of ACEs. It is possible using both ASDM and the CLI. One ACE could consist of an object group in every field; that ACE would represent many more than a regular one. The decreased number of ACEs is only visual. Using too large object groups could unexpectedly affect multiple ACEs.
Different group types: protocol, network, service, ICMP type, local user group, security group.
Time-based ACL: implemented when traffic needs to be filtered at certain times. Absolute or periodic.
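Added example (not from these notes) of the ACL points above and in the earlier access-control section: network, service and ICMP-type object groups collapsing several ACEs into one, a periodic time range on an ACE, and a global ACL that is consulted only after the interface ACL. Names, addresses and the time window are assumed values.

```cisco
! object groups: each field of the ACE can be a group
object-group network DMZ-WEB-SERVERS
 network-object host 172.16.1.10
 network-object host 172.16.1.11
object-group service DMZ-WEB-PORTS tcp
 port-object eq www
 port-object eq https
object-group icmp-type ALLOWED-ICMP
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable

! periodic time range: the ACE below is active only during business hours
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00

! one ACE = 2 hosts x 2 ports, gated by the time range; the ASA expands it to
! four entries internally, which is why a large group can silently change many ACEs
access-list OUTSIDE-IN extended permit tcp any object-group DMZ-WEB-SERVERS object-group DMZ-WEB-PORTS time-range BUSINESS-HOURS
! ICMP control messages needed for path MTU discovery and traceroute replies
access-list OUTSIDE-IN extended permit icmp any object-group DMZ-WEB-SERVERS object-group ALLOWED-ICMP
! interface ACL: evaluated first for traffic entering 'outside'
access-group OUTSIDE-IN in interface outside

! global ACL: applies to all interfaces, but only to traffic the interface ACL did
! not match, so an interface ACL always overrides it
access-list GLOBAL-IN extended permit icmp any any object-group ALLOWED-ICMP
access-list GLOBAL-IN extended deny ip any any log
access-group GLOBAL-IN global

! verify: show access-list OUTSIDE-IN (expanded entries, hit counts, inactive ACEs
! outside the time range), show time-range BUSINESS-HOURS
```

Because the interface ACL has no explicit deny, unmatched outside traffic falls through to GLOBAL-IN and is logged by its final deny; adding `deny ip any any` to OUTSIDE-IN would make the global ACL unreachable from that interface.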
Routed firewalls: separate two IP subnets, can filter L3 and higher. Cannot filter on L2.
Transparent firewalls: can filter L2 and higher. Segregates one IP subnet. Uses BVIs for self-generated packets. Do the switchover through the console with the firewall transparent command, because you will lose Telnet and SSH.
ARP packets are generally not filtered; however, EtherType ACLs can block them. Transparent mode provides a way to prevent attacks related to ARP spoofing.
Virtualization: partitions a physical firewall into multiple standalone firewalls. Cost, segregation, different security policies, integration.

System context: no network settings or connectivity. Mainly used to define the settings of other contexts. Holds the configuration location for the different contexts.
Admin context: provides connectivity to network resources. Best practice is to assign the management interface of the ASA to the admin context. From the admin context you can switch to other contexts and manage them. Must be created before you define other contexts. Network-related configuration is saved into the admin context when converting from single to multiple mode. Can be used as a regular context, but not recommended.
Configuration of multiple mode:
1. Enable multiple security context mode globally.
2. Set up the system execution space.
3. Assign interfaces to a context.
4. Specify a configuration URL.
5. Configure an admin context.
6. Configure a user context.
ASA failover: a primary device that has a backup device ready to replace it in case of failure (IOF).
Stateless failover: the active device syncs the configuration to the standby device. All connections stay local to the primary device; in case of failure all connections must be re-established.
Stateful failover: a stateful failover link must be configured which syncs the connections, all to make sure of seamless connectivity in case of failure.
Active/active and active/standby failover:
Two different modes of failover. A/A: all ASA models support A/A in multiple context mode. The traffic can be, and should be, load balanced between the devices using application contexts, each assigned to one of the context groups.
A/S: the primary device is active and the secondary device is standby. For a failover to occur, the health of the primary device must be worse than the standby's. The preferred deployment model for failover. Does not have preempt.
Failover interfaces: a failover link is a dedicated medium for transferring data to keep the secondary device up to date with all necessary info, minimizing the interruption of data transfer.
The same interfaces must be used on both sides of the failover link.
Control traffic: peer discovery and negotiation, configuration replication, health monitoring.
Best practice for failover links is two dedicated links: one failover stateful link, one control link.
Prerequisites for failover:
Appropriate licenses.
Pick separate interfaces for failover control traffic.
Use an isolated subnet for the failover control interfaces.
Identify a standby IP address for each data interface you intend to monitor.
Basic operation of an IPS:
Redirects matching traffic to the module.
CIPS processes the traffic locally.
Ability to ask the ASA to drop packets or reset the connection.
Inline mode: all traffic matching the inline IPS redirection policy must pass through the IPS module. Allows the IPS to immediately respond to security threats against the network: drop packets, generate alarms, reset connections.
Promiscuous mode: the ASA forwards a copy to the IPS but the original packet continues to the internal network. Typically used to avoid extra latency.
Major CIPS components:
MainApp: responsible for the system clock, scheduling, downloading and updating software, shutting down and restarting CIPS services.
Interprocess communication.
SensorApp.
CollaborationApp.
EventStore.
CLI.
Packet filtering: done with ordinary access lists that check layers 2, 3 and 4: EtherType, protocol, addresses, sender.
On an ASA only the first packet of a connection is ever checked.
Application proxy firewall: controls input, output and access from, to, or by an application or service.
Packet filtering examines, at L3/L4, source and destination IP, port and protocol.
An application proxy is an intermediary that takes the blame if the web content turns out to be malware.
Stateful packet inspection examines L3, L4 and L7 and keeps track of sessions.
Deep packet inspection also examines the data part of the packet, in order to block e.g. P2P on port 80.

3. IDS with feedback to the ACL: the IDS tells the ACL to block future connections of this type. It tells the ASA not to let in more of a certain kind of traffic if it detects that it is bogus.
4. HIDS = on a host. NIDS = covers the whole network.
1. Pattern matching, signature-based: checks patterns in files passing through.
2. Protocol analysis: baseline, and picks out abnormal conditions.
3. Heuristic analysis: based on experience and judgement, e.g. "check all Russian packets".
4. Anomaly detection: filters all new and unusual traffic.
Reasons for NAT: security, shortage of addresses; without NAT you get nowhere.
b. PAT splits an address up further by adding a randomly generated port at the end.

Class map: specifies the traffic.
Policy map: sets the action.
Service policy: where it should take action.
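Added example (not from these notes) of the three MPF building blocks just listed, class map (which traffic), policy map (what action) and service policy (where), used for the IPS traffic redirection step from the IPS configuration procedure earlier. The ACL, class name, sensor name and connection limits are assumed values.

```cisco
! class map: which traffic; here everything to or from the DMZ servers, selected by ACL
access-list IPS-INTERESTING extended permit ip any 172.16.1.0 255.255.255.0
access-list IPS-INTERESTING extended permit ip 172.16.1.0 255.255.255.0 any
class-map IPS-CLASS
 match access-list IPS-INTERESTING

! policy map: what action; global_policy already exists on the ASA, this adds a class to it
policy-map global_policy
 class IPS-CLASS
  ! inline: the packet is held until the sensor returns it (or drops it);
  ! promiscuous would send a copy and forward the original immediately.
  ! fail-open keeps traffic flowing if the module fails; fail-close would drop it
  ips inline fail-open sensor vs0
  ! connection limits on the same class: caps half-open (embryonic) and total
  ! connections per the TCP-intercept style protection mentioned under NAT
  set connection conn-max 2000 embryonic-conn-max 200

! service policy: where; the default global policy applies to every interface
service-policy global_policy global

! verify: show service-policy (per-class packet counters, IPS redirect status),
! show module (module state: Up / Unresponsive), and on the sensor, show events
```

Choosing fail-open is a risk decision: availability wins over inspection while the module is down, so a module failure should also be alarmed on (the health keepalives over the internal-control interface are what detect it).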

System: creates contexts. Assigns interfaces and the path to the config file: config-url disk0: .cfg
Admin: can access everything.
User: the user's context. They can configure the things that have been applied to them.
Advantages: it filters at layer 2, extra security on the inside, it is invisible to the attacker. ARP inspection.
No VPNs, no routing, cannot receive multicast, hard to troubleshoot.

Syncs config, keepalives, hellos.

An interface goes down, NTP fails, health is worse than the standby's, does not respond within the hold time.
Stateful = shares tables and info.
Stateless = does not share info.

Crypto map: set peer, set transform set, match address ACL.
