Cisco ASA - Popular Questions, Answers, Tips & Manuals
ASA VPN setup
This has been nicely explained here: http://www.computerfreetips.com/Cisco_router_tips/ASA-VPN-tunnel.html
2/23/2012 8:28:07 PM
1. I have an ASA
HI,
You can do the same with MPF. Create a regex filter to identify the types of files you would like to block, e.g.:

regex archive-type1 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
regex archive-type2 ".*\.([Tt][Aa][Rr].([Gg][Zz]|[Bb][Zz]2)|7[Zz]) HTTP/1.[01]"
regex doc-type1 ".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|([Pp]){2}[Tt]) HTTP/1.[01]"
regex doc-type2 ".*\.([Pp][Dd][Ff]|[Oo][Dd][Tt]) HTTP/1.[01]"
regex exe-type1 ".*\.([Ee][Xx][Ee]|[Vv][Bb][Ss]|[Vv][Bb][Aa]) HTTP/1.[01]"

Create regexes for the Content-Type header and the application/* value:

regex application-header "application/*"
regex content-type "Content-Type"

Classify the regexes that match the extension types:

class-map type regex match-any ext-types
 match regex doc-type1
 match regex doc-type2
 match regex archive-type2
 match regex archive-type1
 match regex exe-type1

Capture the HTTP response that contains a Content-Type header with an application/* value:

class-map type inspect http match-all http-header-response
 match response header regex content-type regex application-header

Capture the HTTP request packet that matches the class ext-types:

class-map type inspect http match-all http-request
 match request uri regex class ext-types

HTTP is the interesting traffic:

access-list http-traffic extended permit tcp any any eq www
access-list http-traffic extended permit tcp any any eq 8080
class-map http-traffic-class
 match access-list http-traffic

Create the policy to prevent download attempts via HTTP request:

policy-map type inspect http block-http-download
 parameters
  protocol-violation action drop-connection log
 class http-header-response
  drop-connection log
 class http-request
  reset log

Apply the policy on the interesting traffic:

policy-map inside-http
 class http-traffic-class
  inspect http block-http-download

Apply the policy onto the interface to take effect:

service-policy inside-http interface inside
Hope this would help.
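As an added illustration (not part of the answer above, and not an ASA feature): the regex strings from the answer ported to Python's re module with `|` as alternation, and run against constructed request lines and response headers. It shows what the ext-types and http-header-response classes catch, and two cases they do not: an extension followed by a query string, and a lowercase content-type header name (ASA regex matching is case-sensitive, which is why the patterns spell out [Zz], [Ii], [Pp] and so on). Python's re is not the ASA regex engine, so this checks the patterns' intent rather than the firewall itself.

```python
import re

# The regex strings from the answer above, with '|' for alternation. Everything
# else in this file is an added example, not configuration from the original post.
URI_REGEX = {
    "archive-type1": r".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]",
    "archive-type2": r".*\.([Tt][Aa][Rr].([Gg][Zz]|[Bb][Zz]2)|7[Zz]) HTTP/1.[01]",
    "doc-type1":     r".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|([Pp]){2}[Tt]) HTTP/1.[01]",
    "doc-type2":     r".*\.([Pp][Dd][Ff]|[Oo][Dd][Tt]) HTTP/1.[01]",
    "exe-type1":     r".*\.([Ee][Xx][Ee]|[Vv][Bb][Ss]|[Vv][Bb][Aa]) HTTP/1.[01]",
}
# The two regexes behind the http-header-response class. Note that in regex
# syntax "/*" means "zero or more slashes", so application-header really just
# requires the text "application" to appear in the header value.
CONTENT_TYPE_REGEX = r"Content-Type"
APPLICATION_REGEX = r"application/*"


def classify_request(request_line):
    """Names of the ext-types member regexes that match a request line.

    Mirrors 'class-map type regex match-any ext-types': any one hit is enough.
    """
    return sorted(name for name, pat in URI_REGEX.items() if re.search(pat, request_line))


def response_header_hits(header_lines):
    """True if some header matches both the name regex and the value regex.

    Mirrors 'match response header regex content-type regex application-header'
    (a match-all class with a single match line). Matching is case-sensitive.
    """
    for line in header_lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if re.search(CONTENT_TYPE_REGEX, name) and re.search(APPLICATION_REGEX, value.strip()):
            return True
    return False


def policy_action(request_line, header_lines=()):
    """Action the block-http-download policy-map would take for one exchange.

    The request class resets the connection; the response class drops it;
    anything else passes through.
    """
    if classify_request(request_line):
        return "reset"
    if response_header_hits(header_lines):
        return "drop-connection"
    return "allow"


if __name__ == "__main__":
    # Constructed sample traffic, not captured from any real host.
    for req in ("GET /files/report.PDF HTTP/1.1",
                "GET /backup.tar.gz HTTP/1.0",
                "GET /setup.exe?dl=1 HTTP/1.1",   # query string defeats the URI regex
                "GET /index.html HTTP/1.1"):
        print(f"{req:40s} -> {classify_request(req)}")
    print(policy_action("GET /setup.exe?dl=1 HTTP/1.1",
                        ["Content-Type: application/x-msdownload"]))   # caught by the response class
    print(policy_action("GET /setup.exe?dl=1 HTTP/1.1",
                        ["content-type: application/x-msdownload"]))   # lowercase name: not caught
```

The last two calls are the practical point: the response-header class is what backs up the URI check when the filename is followed by a query string, but only as long as the server spells the header name exactly as the regex does.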
I want to block social
1. Load your Internet explorer
2. Click Tools
3. Click Internet Options
4. Click the Privacy tab
5. Under the Privacy window, Click Sites
6. Type in the site address that you want to Block and Click OK. Remember this technique only blocks on one site at a time. Parental control software will allow you to block multiple sites and categories.
And in the case of Mozilla Firefox you have to download an add-on (plugin) called 'Foxfilter' to block certain websites.
I desire to block video
You cannot do content filtering with ASA firewalls with IOS. You will need to buy a content filtering solution, or sign up for an inexpensive content filtering service with OpenDNS.org. This is a good basic content filtering system with whitelisting and blacklisting capability.
Good luck!
How to export log from CISCOASA? Like other Cisco
The ASA's log is usually stored locally on the ASA itself, so the easiest way to export that log is to go with telnet/ssh/console onto it, run the command "show logging" and copy/paste the output into a new file.
But beware: this log is really short, and as soon as the ASA is rebooted, it's gone.
You could set the ASA to log to a syslog server (free on Linux/FreeBSD, or for Windows use the KIWI app).
That way all ASA log output is stored on the PC/server running your syslog server.
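An added example, not from the answer above, of the syslog-server side that answer recommends: a small UDP receiver that parses each ASA datagram (priority, optional timestamp and hostname, the %ASA-severity-id tag, and the message text) and appends it to a file. The sample datagrams are constructed, not taken from any real firewall; the port (5514), output file and the `logging host inside <server-ip> udp/5514` setup assumed on the ASA side are choices made for this example.

```python
import re
import socket

# Constructed sample datagrams (hypothetical addresses and hostnames), shaped the
# way an ASA formats messages once "logging host" points it at a syslog server.
SAMPLE_DATAGRAMS = [
    b"<166>Feb 23 20:28:07 asa-fw %ASA-6-302013: Built outbound TCP connection 4120 "
    b"for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.0.2.10/51234 (203.0.113.2/51234)",
    b"<163>Feb 23 20:28:09 asa-fw %ASA-3-710003: TCP access denied by ACL "
    b"from 203.0.113.5/4432 to outside:203.0.113.2/22",
    # Timestamp and hostname are optional on the ASA side; this one carries neither.
    b"<165>%ASA-5-111008: User 'admin' executed the 'show logging' command.",
]

ASA_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                        # syslog priority
    r"(?:(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) )?"     # optional timestamp
    r"(?:(?P<host>[^%\s]+) )?"                                    # optional hostname
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"           # ASA tag and message
)


def parse_asa_syslog(datagram):
    """Parse one ASA syslog datagram into a dict, or return None if it does not fit."""
    m = ASA_SYSLOG.match(datagram.decode("utf-8", errors="replace").rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,          # syslog facility (ASA defaults to local4 = 20)
        "severity": pri % 8,           # syslog severity, 0 = emergencies .. 7 = debugging
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "asa_severity": int(m.group("sev")),
        "msgid": m.group("msgid"),
        "text": m.group("text"),
    }


def format_record(rec, src):
    """One line per message for the log file; falls back to the sender address."""
    return (f"{rec['timestamp'] or '-'} {rec['host'] or src} "
            f"sev={rec['asa_severity']} id={rec['msgid']} {rec['text']}")


def serve(outfile, bind="0.0.0.0", port=5514):
    """Receive UDP syslog and append each message to outfile; runs until killed.

    5514 is used so the receiver does not need root for port 514; the ASA is
    then pointed at it with 'logging host inside <server-ip> udp/5514'.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    with open(outfile, "a", encoding="utf-8") as fh:
        while True:
            data, (src, _) = sock.recvfrom(65535)
            rec = parse_asa_syslog(data)
            # Keep unparsed datagrams too: dropping them silently loses evidence.
            fh.write((format_record(rec, src) if rec else f"UNPARSED {src} {data!r}") + "\n")
            fh.flush()


if __name__ == "__main__":
    for d in SAMPLE_DATAGRAMS:
        print(format_record(parse_asa_syslog(d), "203.0.113.1"))
```

Everything is appended with flush so a firewall reboot (the case the answer warns about) no longer takes the history with it; the unparsed branch matters because a collector that only keeps what it understands is easy to blind.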
I have configured Cisco ASA Firewall and I have
HI,
· Please check whether the security level for the DMZ and outside interface differ. If the DMZ has the higher security level, please do the NAT configuration.
· If they have the same security level, please issue the command "same-security-traffic permit inter-interface" in global config mode.
What command do i run to show IpSec tunnel status
show ipsec stats
This command was introduced in code 7.0.
It will show the active tunnels, the previous tunnels and several other stats of inbound and outbound packets.
For example:
IPsec Global Statistics
-----------------------
Active tunnels: 2
Previous tunnels: 9
Inbound
Bytes: 4933013
Decompressed bytes: 4933013
Packets: 80348
Dropped packets: 0
Replay failures: 0
Authentications: 80348
Authentication failures: 0
Decryptions: 80348
Decryption failures: 0
Decapsulated fragments needing reassembly: 0
Outbound
Bytes: 4441740
Uncompressed bytes: 4441740
Packets: 74029
Dropped packets: 0
Authentications: 74029
Authentication failures: 0
Encryptions: 74029
Encryption failures: 0
Fragmentation successes: 3
Pre-fragmentation successes:2
Post-fragmentation successes: 1
Fragmentation failures: 2
Pre-fragmentation failures:1
Post-fragmentation failures: 1
Fragments created: 10
PMTUs sent: 1
PMTUs recvd: 2
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
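An added example, not part of the answer above: a parser that turns the "show ipsec stats" listing into per-section counters and lists every failure counter that is non-zero. This is the check a monitoring job would run over the command's output collected via SSH; the sample input is the listing quoted in the answer, embedded here so the script runs offline.

```python
# Sample input: the "show ipsec stats" output quoted in the answer above.
SAMPLE = """\
IPsec Global Statistics
-----------------------
Active tunnels: 2
Previous tunnels: 9
Inbound
Bytes: 4933013
Decompressed bytes: 4933013
Packets: 80348
Dropped packets: 0
Replay failures: 0
Authentications: 80348
Authentication failures: 0
Decryptions: 80348
Decryption failures: 0
Decapsulated fragments needing reassembly: 0
Outbound
Bytes: 4441740
Uncompressed bytes: 4441740
Packets: 74029
Dropped packets: 0
Authentications: 74029
Authentication failures: 0
Encryptions: 74029
Encryption failures: 0
Fragmentation successes: 3
Pre-fragmentation successes:2
Post-fragmentation successes: 1
Fragmentation failures: 2
Pre-fragmentation failures:1
Post-fragmentation failures: 1
Fragments created: 10
PMTUs sent: 1
PMTUs recvd: 2
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
"""


def parse_ipsec_stats(text):
    """Split the listing into 'global', 'inbound' and 'outbound' counter dicts."""
    stats = {"global": {}, "inbound": {}, "outbound": {}}
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:          # blank lines and the dashed rule
            continue
        if ":" not in line:                         # section headers carry no colon
            if line.lower() in ("inbound", "outbound"):
                section = line.lower()
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        try:
            stats[section][key] = int(value)        # tolerates "successes:2" with no space
        except ValueError:
            stats[section][key] = value             # keep non-numeric values as text
    return stats


def nonzero_failures(stats):
    """(section, counter, value) for every failure counter above zero, in listing order."""
    hits = []
    for section in ("global", "inbound", "outbound"):
        for key, value in stats[section].items():
            if "failure" in key.lower() and isinstance(value, int) and value > 0:
                hits.append((section, key, value))
    return hits


if __name__ == "__main__":
    stats = parse_ipsec_stats(SAMPLE)
    print("active tunnels:", stats["global"]["Active tunnels"])
    for section, key, value in nonzero_failures(stats):
        print(f"{section}: {key} = {value}")
```

On the quoted output the only non-zero failure counters are the three outbound fragmentation ones, which is the kind of detail that is easy to miss when eyeballing the listing on a console; "Decapsulated fragments needing reassembly" is deliberately not treated as a failure.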
How do I backup the
The easiest way is to issue the following command on the CLI:
more system:/run
This will get any preshared keys you have in the config.
My Cisco ASA 5505 lost its image file ... how can I
If it is really deleted from flash, you will need to connect to the ASA with a console cable, start up a TFTP server on your PC, and copy your ASA image file (.bin, on the CD that you got with the ASA) into the TFTP directory so that you can get it from the PC to the ASA.
Then use the tftpdnld command to set all the parameters on the ASA and start the download of the file from your PC. After it has been done, just reboot the ASA :)
I want to block URL
Hi!
Unfortunately, it's not possible with your firewall model...
You will need at least an ASA 5510 with a CSC-SSM module to filter URLs.
You can use an external URL filtering device with that ASA like WebSense/SmartFilter... For more info look here.
In case of a problem or clarification, don't hesitate to post me a reply before rejecting my answer.
If you are satisfied, rate my solution with the "thumbs" or (even better) add a testimonial.
Best regards,
Pelu.
I have some problems with
What version of software are you running? I have noticed issues with SSH on version 8.2(3) and below.
You can try to remove all SSH access and then add it back.
Also you can try zeroizing and regenerating the crypto key.