IPexpert, Inc
Global ACLs in Cisco ASA 8.3 and Higher Code

By Anthony Sequeira on May 21st, 2012

In Cisco ASA Software Version 8.3 and later, Cisco adds a feature intended to make access policy configuration easier: the global ACL. The global ACL applies access control to inbound traffic on all interfaces. It is defined in the same manner as interface ACLs, simply completed in global configuration mode.

Cisco lists the following benefits for this new feature:

  • When migrating to the Cisco ASA from a competitor appliance, you can maintain a global access rule policy instead of needing to apply an interface-specific policy on each interface.
  • Global access control policies are not replicated on each interface, so they save memory space.
  • Global access rules provide flexibility in defining a security policy; as long as a packet matches the source and destination IP addresses, the incoming interface is irrelevant.
  • Global access rules use the same architectural constructs as interface-specific access rules, so scalability and performance for global rules are the same as for interface-specific rules.

The Cisco ASA security appliance uses the following order to match access rules when only interface ACLs are configured:

  1. Interface access list rules
  2. Implicit deny ip any any interface access list rule

Note: The above is obvious and simple to remember as it reflects the Cisco ASA behavior before the introduction of global ACLs.

The Cisco ASA security appliance uses the following order to match access rules when both interface ACLs and the global ACL are configured:

  1. Interface access list rules
  2. Global access list rules
  3. Implicit deny ip any any global access list rule
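
The two match orders above, modeled as a small Python function (an added example, not part of the original post and not Cisco's code). The rule tuples, interface names and addresses are constructed sample data, and the model assumes every ingress interface shown has an ACL applied; security-level defaults are not modeled.

```python
from ipaddress import ip_address, ip_network

# A rule is (action, protocol, source net, destination net, destination port or None).
# All ACL contents below are constructed sample data.
INTERFACE_ACLS = {
    "outside": [("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443)],
    "inside": [("deny", "tcp", "10.1.1.0/24", "0.0.0.0/0", 25)],
}
GLOBAL_ACL = [
    ("permit", "icmp", "0.0.0.0/0", "0.0.0.0/0", None),
    ("permit", "tcp", "10.1.1.0/24", "0.0.0.0/0", None),
]


def rule_matches(rule, proto, src, dst, dport):
    """True when the packet fields fall inside the rule's protocol, networks and port."""
    _, r_proto, r_src, r_dst, r_port = rule
    return (
        r_proto in ("ip", proto)
        and ip_address(src) in ip_network(r_src)
        and ip_address(dst) in ip_network(r_dst)
        and r_port in (None, dport)
    )


def evaluate(ingress_if, proto, src, dst, dport=None,
             interface_acls=INTERFACE_ACLS, global_acl=GLOBAL_ACL):
    """Return (action, stage) for a packet arriving on ingress_if."""
    # 1. Interface access list rules, first match wins.
    for rule in interface_acls.get(ingress_if, []):
        if rule_matches(rule, proto, src, dst, dport):
            return rule[0], "interface"
    # 2. Global access list rules, consulted only when a global ACL is configured.
    if global_acl:
        for rule in global_acl:
            if rule_matches(rule, proto, src, dst, dport):
                return rule[0], "global"
        # 3. The implicit deny sits at the end of the global ACL.
        return "deny", "implicit-deny-global"
    # Interface ACLs only: the implicit deny ends the interface ACL.
    return "deny", "implicit-deny-interface"
```

With a global ACL present, a packet the interface ACL does not match is no longer dropped at the end of the interface ACL; the global ACL decides it, so review global permits against every interface that relied on the implicit deny.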

Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv

 

 


Tags: CCIE, practice, Security, study

Join Anthony Sequeira for a Free, Live Online vSeminar

By Jessica Scott on May 17th, 2012

Do you want to check out true next-generation video training and have some fun (yes, fun!) while you learn? Join Anthony Sequeira of StormWind.com’s Epic Live Training as he leads a free, live, online presentation regarding the configuration of zone-based firewalls.

What?
Zone-Based Firewalls – Part 1 of 2 – Configuration

Where?
http://stormwind.adobeconnect.com/cs007/
Log in as Guest using whatever name you like :)

When?
Friday, May 18, 2012, 3 PM EST USA

How Long?
1 hour

What to Bring?
For the best possible viewing results – consider installing the Adobe Connect Add-In for Windows or Macintosh – http://stormwind.com/hd; for the full Epic Live Requirements – check out http://stormwind.com/pdf/system-requirements.pdf

What If I Cannot Make It?
The HD video will be uploaded to YouTube immediately following the event and a link provided.

Are There Any Extras?
Feel free to arrive early and stay late chatting with our Guest CCIEs Narbik Kocharians of MicronicsTraining.com and Terry Vinson of IPexpert.com. A PDF of the event content is also provided free of charge.

Can I Bring A Friend?
Yes – there is no limit to the number of attendees!

What About Part 2?
Part 2 of this event will cover advanced configurations of the zone-based firewall as well as troubleshooting. The exact date and time will be announced.

 


Tags: CCIE, firewall, practice, r&s, Security, study, zone-based

More Speculative CCIE Security Version 4 News

By Jessica Scott on May 17th, 2012

An unconfirmed source has informed IPexpert of the following. Note that this information is consistent with what we initially reported:

  • Written and Lab Exams available November 16, 2012
  • Written Beta Exam available June 10, 2012 at Pearson Vue
  • Products to be tested include:
    • Cisco ASA 5510
    • Cisco Catalyst 3750
    • Cisco IPS 4200
    • Cisco 1841
    • Cisco WSA
    • Cisco ISE 3315
    • Cisco 3825
    • Cisco 2951 ISR2

Tags: "version 4", beta, CCIE, Security

CCIE Security Version 4 Written in November 2012?

By Jessica Scott on May 15th, 2012

There is buzz circulating on social media sites that the official announcement regarding the CCIE Security Version 4 written and lab exams is coming very soon from Cisco Systems. A November 2012 release for the written exam is discussed. This seems to make sense, as it would be a 6-month window from Cisco Live 2012 San Diego, which most see as a “deadline” for the announcement.

What products are likely to be tested in this revision of the popular written and lab exams? Most believe the following:

  • Cisco IPS 4200 Series
  • IronPort Web Security Appliances (WSA)
  • Cisco Identity Services Engine (ISE)
  • Cisco ASA Firewall

Of course we will continue to closely monitor the news here at blog.ipexpert.com and will post details the moment they are announced.


Tags: "version 4", blueprint, CCIE, Security

RIP (Yes, RIP!) on the Cisco ASA

By Anthony Sequeira on May 13th, 2012

My friend, and IPexpert Guest Speaker, Keith Barker always says, “friends should not let friends run RIP!” Yes, we agree Keith, but in this post we need to look at running RIP on the Cisco ASA. This is of course in the event that there is an area like this in the CCIE Security Practical Lab Exam.

First, the basics – let us configure basic RIP version 2 on the Cisco ASA:

ASA1# configure terminal
ASA1(config)# router rip
ASA1(config-router)# version 2
ASA1(config-router)# no auto-summary
ASA1(config-router)# network 10.0.0.0
ASA1(config-router)# passive-interface default
ASA1(config-router)# no passive-interface Inside
ASA1(config-router)# end
ASA1#

Notice that this “best practices” configuration is just like how I would configure RIP on a router. The passive-interface default command, followed by no passive-interface Inside, ensures that we send updates only out of the interface that we want speaking RIP. There is still no method of configuring RIP under an interface on the ASA or a Cisco router.


Tags: ASA, CCIE, practice, Security
