ASA Access Control List
look at real IP address instead of global or mapped address
'Public Servers' option does NAT and access-list together
Normal mask in ACL; no wild card mask.
If there is a global ACL, the interface's implicit deny is no longer effective. After the interface ACL is checked and no match is found, traffic is checked against the global ACL. If there is still no match, it is denied.
Choose the 'Any' interface for a Global ACL.
-------------
ASA Static route
The interface name is the interface we are going to use to reach that (advertised) network.
-------------
clear configure all -- clears the running config
write erase -- clears the startup config
Prioritization is always done outbound
Policing is inbound and outbound
Use a TCP-map for TCP options (tcp-map, applied with set connection advanced-options).
ASA performs ISN randomization (random initial sequence numbering).
Use the TCP State Bypass option to ignore asymmetric routing between source and destination.
Use TCP Intercept against SYN-flood attacks. Set the half-open (embryonic) session threshold; once it is above the threshold, the ASA intercepts the TCP SYN and responds on behalf of the server. If the handshake is completed with a valid user, the ASA then performs the TCP 3-way handshake with the server.
ASA has a feature called TCP SYN cookies to handle DoS / SYN flood attacks.
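As an added worked example (not from the original notes), the MPF configuration that ties the TCP-map, TCP Intercept thresholds and TCP State Bypass together. Addresses, ACL names and threshold values are constructed assumptions; global_policy is the ASA's default global policy-map.

```cisco
! Constructed example: 192.0.2.10 and all object names are assumptions, not from the page.
! Only TCP traffic to this web server gets the tuned connection settings.
access-list WEB-TCP extended permit tcp any host 192.0.2.10 eq 80
class-map WEB-TCP-CLASS
 match access-list WEB-TCP
!
! TCP-map: normalizer options applied via "set connection advanced-options"
tcp-map WEB-TCP-NORMALIZER
 checksum-verification
 tcp-options range 6 7 clear
 exceed-mss allow
!
! Traffic with a known asymmetric path (return traffic enters another ASA/interface)
access-list ASYM-TRAFFIC extended permit tcp 10.10.0.0 255.255.0.0 198.51.100.0 255.255.255.0
class-map ASYM-CLASS
 match access-list ASYM-TRAFFIC
!
policy-map global_policy
 class WEB-TCP-CLASS
  ! TCP Intercept: above 1000 half-open (embryonic) connections in total,
  ! or 50 from one client, the ASA proxies the 3-way handshake for the server
  set connection embryonic-conn-max 1000 per-client-embryonic-max 50
  set connection timeout embryonic 0:00:30
  set connection advanced-options WEB-TCP-NORMALIZER
 class ASYM-CLASS
  ! TCP State Bypass: skips the stateful TCP checks (and with them TCP
  ! Intercept and normalization) for this class only, so keep the ACL narrow
  set connection advanced-options tcp-state-bypass
  set connection random-sequence-number disable
!
service-policy global_policy global
```

Verify with "show service-policy" and watch the embryonic counters in "show conn" / "show local-host" during load testing.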
BackTrack (?) - for penetration testing
Layer 5-7 Advanced application layer inspection
class-map type inspect <protocol> match-all | match-any <name>, referenced from policy-map type inspect <protocol> <name>
drop doesn't send a Reset packet. The ASA does not allow any more packets for this session/connection.