Archives For ASA

Cisco Adaptive Security Appliances

Since version 8.3, Cisco ASA supports unidirectional NAT. With unidirectional NAT you can determine which side is permitted to initiate the connection.
Unidirectional NAT can be part of your security policy, making sure that untrusted networks cannot initiate access to your internal network.
I created a scenario that shows the use and usefulness of this feature.

In this example we have two networks:

My internal network on the inside interface of the ASA:

    obj-192.168.17.0 (192.168.17.0 255.255.255.0)

And the remote peer network, which is reached through the outside interface:

    obj-10.10.10.0 (10.10.10.0 255.255.255.0)

The NAT should establish the connection between these networks, but only my internal network (obj-192.168.17.0) should be allowed to initiate it.

The Web Cache Communication Protocol (WCCP) is a Cisco-developed content-routing protocol that transparently redirects designated outbound traffic at the inbound interface.

One or more cache proxy servers keep local copies of frequently requested web resources and answer local requests directly, which helps make better use of your downstream bandwidth. Access and download times for web content improve significantly, and you can also use the cache proxy server as a web proxy server to control internet traffic.


For professional use of WCCP you can use a security appliance such as Sophos (Astaro) or Blue Coat ProxySG, but you can also use a software-based proxy server. I decided to use Squid on a 64-bit CentOS Linux machine; Squid is the most popular Linux proxy server for caching and filtering websites, and I know of some ISPs that use it and are quite pleased with it.

The Topology:

Before you begin, you have to know that the caching proxy server has to be on the same interface as the clients; it is the only topology in which the ASA supports WCCP. For example, you cannot run the proxy server in the management network and use it for web redirection in the production network. Many WCCP problems come from this: at the end of the configuration you find that it does not work, and believe me, that is very disappointing.

Generally a Cisco ASA has one management interface and four Gigabit interfaces, but in modern systems and scalable infrastructures you will need more than four interfaces. To overcome this limitation you can configure VLANs and trunk them to an interface. This was the standard solution to the problem; however, since ASA version 8.4.2 you can use EtherChannel to solve it.

The benefit of EtherChannel (port channel) is that you get redundancy and load balancing at the same time: all four ASA interfaces are bundled into one Layer 2 link, then you assign all VLANs directly to the port channel, so they apply to all interfaces of the ASA.
