ASA

ACLS:

1) object network POCOAPP1
   host 10.10.10.10

Objects are of 2 types:
1) NETWORK (host or subnet)
2) SERVICE (protocol/port)
-------------
NETWORK OBJECT CREATION
object network <name>
 (config-network-object)# host 10.10.10.10
# show run object in-line | i <name>
---------
object-group network <name>
 network-object object <name>
# show object-group id <group-name>
# show run access-group
OBJECTS AND OBJECT GROUPS
-------------------------
object network <abc-name>
 host 10.10.10.10
object network <cdf-name>
 host 192.168.10.10
object-group network <source-abc>
 network-object object <abc-name>
object-group network <destination-cdf>
 network-object object <cdf-name>
ACCESS-LIST AND ACCESS-GROUPS
-----------------------------
access-list <name> <standard|extended> <permit|deny> <tcp|udp|icmp> <source: host IP or object-group source-abc> [eq <source-port>] <destination: object-group destination-cdf> eq 443 (or eq www)
access-group <name> in interface <nameif, e.g. outside or inside>
FIREWALL: protects a zone/network from unauthorized access from other zones.
1) It is a network security appliance.
2) It decides who can access the network (it sits in front of the zone, like an SVI).
3) It filters traffic: who can access and who cannot is decided in the firewall.
Security: protection from unauthorized access/usage
1) Cyber
2) Network
3) Information
4) Application
Network Security: protecting the network from unauthorized access/usage
Traditional Firewall:
ASA - Cisco (ACL based)
Advanced Firewalls:
1) Palo Alto (Security Policy)
2) Fortigate

ACL:
Example rule:
 Source 192.168.10.11
 Destination 10.10.20.11
 Protocol ICMP
* When SSH/Telnet has to be allowed, a permit is written; otherwise it is blocked.
* The decision is allow or deny.
DMZ (OUTSIDE-ZONE): managed by the company and used by the outside world, to expose the business to the market.

* Firewall: creates zones.
* Switch: reads MAC addresses.
* Router: builds route tables and forwards packets.
BEST PATH mechanism (in order):
1) Longest prefix
2) AD (administrative distance)
3) Metric
STATELESS FIREWALL
ACLs are written in the firewall for traffic from source to destination; every packet is checked on the way out, and the returning packets are checked again on the way back. A huge amount of data has to be stored, so performance is slow. It does not maintain a route table.
NOTE: IT ALLOWS TRAFFIC ONLY WHEN ACLs ARE PRESENT FOR BOTH INBOUND AND OUTBOUND TRAFFIC. IT DOES NOT MAINTAIN ANY CONNECTION TABLE OR ROUTE TABLE (SOURCE IP, DESTINATION IP, PORT, INTERFACE, FLAGS).

STATEFUL FIREWALL: (State Table, Route Table, Connection Table)

ACLs are written in the firewall for traffic from source to destination. When the packet is sent, the firewall records it in the ROUTE TABLE / connection table; when the reply is received it checks that table and finds the entry in a short time. Only a small amount of data is kept, so performance is fast.
1) We write ACLs only from source to destination. The firewall checks the ACL to match the packet, then the reply from destination to source is matched automatically against the route table and state table.
NOTE:
IT MONITORS BOTH THE INBOUND AND OUTBOUND DIRECTIONS. WE WRITE ACLs IN ONE DIRECTION ONLY, NEAR THE SOURCE, AND THE RETURN TRAFFIC IS ALLOWED AUTOMATICALLY BY DEFAULT.
Inside - LAN = company network
Outside - WAN = not our company
DMZ - hosting services to the public
* In ASA we have the concept of security level
* Highest level = LAN (inside) = 100
* DMZ = 50
* Lowest level = internet (outside) = 0
* MODEL 5345
High to low can access the server by default.

When we write an ACL and bind it, the ACL decides who can access and who cannot.

ACL + INTEGRATE
ASA = Access List + interface = Access Group

In a brand new ASA firewall some security levels are already there by default.
EX: Inside 100, DMZ 50, Outside 0. Based on these we can change the numbers, e.g. Inside LAN 10, DMZ 9, Outside WAN 8.

NOTE: WHEN WE DO NOT WRITE ACLs:
* SECURITY LEVEL HIGH TO LOW IS ALLOWED
* SECURITY LEVEL LOW TO HIGH IS DROPPED
* WHEN WE WRITE ACLs, THE SECURITY LEVEL NO LONGER DECIDES; THE FIREWALL WORKS ON THE ACLs
* ASA has security-level based firewalls = 5500 series
* PALO ALTO has zone-based firewalls =
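The stateful behaviour and the security-level rules described above (return traffic allowed from the connection table, high-to-low allowed by default, low-to-high dropped, and an ACL overriding the levels once it is bound) are easy to see in a small model. This is an added example written for these notes, not Cisco code: the interface names, levels, addresses and the `Packet`, `Ace` and `Asa` names are all constructed here, and the egress interface is given with each packet instead of being looked up in a route table.

```python
"""Toy model of ASA forwarding decisions: connection table, security levels
and ACL override. Added example, not Cisco code; names and addresses are
constructed to match the notes (inside 100, dmz 50, outside 0)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ingress: str        # nameif the packet arrives on
    egress: str         # nameif it would leave on (route lookup assumed done)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True    # True = new connection attempt, False = reply traffic


@dataclass
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: str            # CIDR or "any"
    dst: str
    dport: Optional[int] = None   # None = any port

    def matches(self, p: Packet) -> bool:
        def in_net(addr, net):
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
        return (self.proto in ("ip", p.proto)
                and in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.dport is None or self.dport == p.dport))


class Asa:
    def __init__(self, levels):
        self.levels = levels      # nameif -> security-level
        self.acls = {}            # nameif -> list of Ace bound "in" on that interface
        self.conns = set()        # established 5-tuples: the stateful part

    def access_group(self, nameif, aces):
        self.acls[nameif] = aces

    def process(self, p: Packet) -> str:
        # 1) reply traffic of a known connection is allowed without consulting ACLs
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if not p.syn and reverse in self.conns:
            return "allow (existing connection)"
        # 2) an ACL bound to the ingress interface overrides the security levels
        if p.ingress in self.acls:
            for ace in self.acls[p.ingress]:
                if ace.matches(p):
                    verdict = ace.action
                    break
            else:
                verdict = "deny"  # implicit deny at the end of every ACL
            reason = "acl"
        else:
            # 3) no ACL: the higher level may open connections to the lower, not the reverse
            verdict = "permit" if self.levels[p.ingress] > self.levels[p.egress] else "deny"
            reason = "security-level"
        if verdict == "permit":
            self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return f"allow ({reason})"
        return f"drop ({reason})"


def demo():
    fw = Asa({"inside": 100, "dmz": 50, "outside": 0})
    out = []
    # inside -> outside, no ACL: allowed by security level, connection recorded
    out.append(fw.process(Packet("inside", "outside", "tcp", "10.1.20.10", 51000, "203.0.113.5", 443)))
    # the SYN+ACK coming back: allowed from the connection table
    out.append(fw.process(Packet("outside", "inside", "tcp", "203.0.113.5", 443, "10.1.20.10", 51000, syn=False)))
    # a brand new outside -> dmz SYN: low to high, dropped
    out.append(fw.process(Packet("outside", "dmz", "tcp", "198.51.100.7", 40000, "172.16.1.100", 443)))
    # bind an ACL on outside: now the ACL decides, not the levels
    fw.access_group("outside", [Ace("permit", "tcp", "any", "172.16.1.100/32", 443)])
    out.append(fw.process(Packet("outside", "dmz", "tcp", "198.51.100.7", 40000, "172.16.1.100", 443)))
    # port 22 to the same server is not in the ACL: implicit deny
    out.append(fw.process(Packet("outside", "dmz", "tcp", "198.51.100.7", 40001, "172.16.1.100", 22)))
    # an ACL on inside with only a deny: the high level no longer helps inside -> outside
    fw.access_group("inside", [Ace("deny", "ip", "any", "any")])
    out.append(fw.process(Packet("inside", "outside", "tcp", "10.1.20.10", 51001, "203.0.113.5", 80)))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running `demo()` walks through the six cases in order; the last one is the point of the NOTE above: as soon as an ACL is bound to the inside interface, only the ACL decides, and its implicit deny drops traffic that the security level alone would have allowed.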

FIREWALLS HAVE 2 STATES:
 STATELESS - traditional
 STATEFUL - next generation
NOTE: DIFFERENCE BETWEEN ASA AND PALO ALTO
ASA:
1) IT IS A SECURITY-LEVEL BASED FIREWALL; IT WORKS ON SECURITY LEVELS (Inside, Outside, DMZ). IT READS ONLY LAYER 4 INFORMATION SUCH AS IP ADDRESS AND PORT NUMBER.
2) IT WAS UPGRADED WITH THE CISCO FIREPOWER MODULE, WHICH CAN READ LAYER 7; WITHOUT THE MODULE IT CANNOT READ APPLICATION-LEVEL INFORMATION.
3) ASA CAN ADD ONLY ONE INTERFACE PER SECURITY LEVEL.
PALO ALTO:
1) IT IS A ZONE-BASED FIREWALL; IT WORKS BASED ON ZONES.
2) IT IS A NEXT GENERATION FIREWALL: IT CAN READ LAYER 7 INFORMATION AND HAS ADVANCED FEATURES LIKE App-ID, User-ID and Content-ID, plus malware filtering, DDoS protection, anti-virus filtering, file blocking and so on.
3) IT CAN ADD MULTIPLE INTERFACES TO A ZONE.

FIREWALL CONFIGURATION (Inside 100, Outside 0, DMZ 50)
INTERFACES: gig 0/0 OUTSIDE, gig 0/1 INSIDE, gig 0/2 DMZ
HOSTNAME HYD

1) OUTSIDE (public IP)
HYD# conf t
HYD(config)# interface gig 0/0
HYD(config-if)# nameif outside
HYD(config-if)# security-level 0
HYD(config-if)# ip address 192.168.0.56 255.255.255.0
HYD(config-if)# no shutdown

2) INSIDE (private IP)
HYD# conf t
HYD(config)# interface gig 0/1
HYD(config-if)# nameif inside
HYD(config-if)# security-level 100
HYD(config-if)# ip address 10.1.1.1 255.255.255.0
HYD(config-if)# no shutdown

3) DMZ
HYD# conf t
HYD(config)# interface gig 0/2
HYD(config-if)# nameif DMZ
HYD(config-if)# security-level 50
HYD(config-if)# ip address 172.16.1.1 255.255.255.0
HYD(config-if)# no shutdown

NOTE: STATIC ROUTE CONFIGURATION ON THE FIREWALL

Firewall to PC ping: destination network 10.1.20.0, next hop 10.1.1.2
HYD(config)# route inside 10.1.20.0 255.255.255.0 10.1.1.2

# VERIFICATION ON THE FIREWALL:
1) show nat
2) show dmz
3) show ip
4) show interface ip brief
5) show nameif
6) ping 10.1.20.10 (FIREWALL to PC)

PC (VPCS):
ip 10.1.20.10 10.1.20.1
ip dns 192.168.0.1
# VERIFY: ping 10.1.20.1 (PC to GATEWAY)

CORE (e 0/0 towards the firewall, e 0/1 towards the PCs):
Topology from the diagram: 192.168.0.0/24 (outside), 172.16.1.0/24 (DMZ), 10.1.1.0/30 (firewall .1 to core .2), 10.1.20.0/24 (core .1, PC .10)

CORE(config)# interface e 0/0
CORE(config-if)# ip address 10.1.1.2 255.255.255.252
CORE(config-if)# no sh

CORE(config)# interface e 0/1
CORE(config-if)# ip address 10.1.20.1 255.255.255.0
CORE(config-if)# no sh

CORE(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1

# verify:
# show ip route
# show ip cef 8.8.8.8

NOTE:
1) object network <name>
FIREWALL(config-network-object)# subnet 10.1.20.0 255.255.255.0
FIREWALL(config-network-object)# nat (inside,outside) static interface
INTRA-INTERFACE
intra = traffic enters and leaves the same interface (same security level)
1) same-security-traffic permit intra-interface
INTER-INTERFACE
inter = traffic between different interfaces that have the same security level; we use
* same-security-traffic permit inter-interface
CREATE ACL:
WE NEED:
1) DESTINATION
2) PORT NUMBER
3) SOURCE IP
access-group <name> <in|out> interface <interface to bind>
ACL: access-list <acl-name> extended permit tcp host 10.1.20.10 host <destination ip> eq 80
WE BIND THE ACL WITH AN ACCESS GROUP:
access-group acl_in in interface inside
show xlate | in 10.174.11.4
sh access-list 101 |

packet-tracer input outside tcp 193.93.1.192 <source port, e.g. 1234> <destination IP> <dest port>
NOTE: PING IS NOTHING BUT ICMP
TROUBLESHOOTING:
1) Check the source IP route
sh route <IP address>
sh route 10.174.9.8
Routing entry for 10.174.9.0 255.255.255.0
Known via "connected", distance 0, metric 0 (connected, via interface)
Advertised by bgp 65406
Routing Descriptor Blocks:
* directly connected, via dr
Route metric is 0, traffic share count is 1
2) Check the destination IP route
show route <destination IP>
3) Check which interface the ACL for the source IP is bound to
sh run access-group
example:
access-group dr_acl_in in interface dr
4) Check whether access is allowed or not (for verification purposes only)
packet-tracer input dr tcp 10.174.9.8 1234 10.174.8.10 443
5) Check the deny rules in the ACL
sh access-list dr_acl_in | in deny
FW-5002032-1125674# sh access-list dr_acl_in | in deny
access-list dr_acl_in line 27 extended deny ip any object-group FW-SEGMENTS (hitcnt=356) 0xb98b7f76
access-list dr_acl_in line 27 extended deny ip any 10.174.8.0 255.255.255.0 (hitcnt=179) 0x45ab89fa
access-list dr_acl_in line 27 extended deny ip any 10.174.9.0 255.255.255.0 (hitcnt=0) 0x003a09e7
access-list dr_acl_in line 27 extended deny ip any 10.178.8.0 255.255.255.0 (hitcnt=177) 0x4b4f1ca4
access-list dr_acl_in line 27 extended deny ip any 10.178.9.0 255.255.255.0 (hitcnt=0) 0x66e7f1e1
access-list dr_acl_in line 27 extended deny ip any 10.178.8.0 255.255.255.0 (hitcnt=0) 0x4b4f1ca4
access-list dr_acl_in line 27 extended deny ip any 10.174.11.8 255.255.255.248 (hitcnt=0) 0x67791ebb
access-list dr_acl_in line 29 extended deny ip any object-group RFC1918 (hitcnt=518830543) 0xd94224b0
access-list dr_acl_in line 29 extended deny ip any 10.0.0.0 255.0.0.0 (hitcnt=421994785) 0x374175fb
access-list dr_acl_in line 29 extended deny ip any 192.168.0.0 255.255.0.0 (hitcnt=1491606) 0x721c4df2
access-list dr_acl_in line 29 extended deny ip any 172.16.0.0 255.240.0.0 (hitcnt=95344152) 0x9e95ae86
access-list dr_acl_in line 34 extended deny ip any any (hitcnt=1887280) 0x17d37bbb
FW-5002032-1125674#
6) Configure the permit rule on a line number above the deny rule found in step 5.
access-list dr_acl_in line 15 extended permit tcp host 10.174.9.8 host 10.174.8.10 eq 443
7) Check again whether access is allowed or not (for verification purposes only)
packet-tracer input dr tcp 10.174.9.8 1234 10.174.8.10 443
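Steps 5 to 7 above (and the later note that a permit placed after the deny line never works) can be worked through offline against the `show access-list` output. The following is an added example, not Cisco code: it parses lines in the format shown above, lists the deny entries that are actually being hit, finds the first entry that matches a flow, and checks that the proposed permit line number is lower than that deny's line number so first-match reaches it. The sample output is constructed in the same shape as the real output (the hit counts and the trailing hash values are made up), and the `analyse`, `first_match` and `operand_contains` names are this example's own.

```python
"""Work through troubleshooting steps 5 to 7 offline: parse `show access-list`
output, list the deny lines being hit, find the first line matching a flow and
check that a proposed permit sits above it. Added example, not Cisco code; the
sample output is constructed (hit counts and hash values are made up)."""
import ipaddress
import re
from typing import Optional

OPERAND = r"(?:host \S+|any|object-group \S+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
ACE_RE = re.compile(
    rf"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    rf"(?P<proto>\S+) (?P<src>{OPERAND}) (?P<dst>{OPERAND})(?: eq (?P<dport>\S+))? "
    rf"\(hitcnt=(?P<hits>\d+)\)"
)
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22}

# Constructed sample in the same shape as `show access-list dr_acl_in | in deny`
SAMPLE = """\
access-list dr_acl_in line 10 extended permit tcp host 10.174.9.8 host 10.174.8.20 eq 22 (hitcnt=12) 0x00000001
access-list dr_acl_in line 27 extended deny ip any object-group FW-SEGMENTS (hitcnt=356) 0x00000002
access-list dr_acl_in line 27 extended deny ip any 10.174.8.0 255.255.255.0 (hitcnt=179) 0x00000003
access-list dr_acl_in line 27 extended deny ip any 10.174.9.0 255.255.255.0 (hitcnt=0) 0x00000004
access-list dr_acl_in line 29 extended deny ip any object-group RFC1918 (hitcnt=518) 0x00000005
access-list dr_acl_in line 29 extended deny ip any 10.0.0.0 255.0.0.0 (hitcnt=421) 0x00000006
access-list dr_acl_in line 34 extended deny ip any any (hitcnt=1887) 0x00000007
"""


def parse_access_list(text: str) -> list:
    """One dict per ACE line, kept in the order the ASA prints them (first-match order)."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["line"], d["hits"] = int(d["line"]), int(d["hits"])
            aces.append(d)
    return aces


def operand_contains(operand: str, addr: str) -> Optional[bool]:
    """True/False when the operand can be evaluated here; None for an object-group
    line, whose expanded member lines (same line number) carry the real test."""
    if operand == "any":
        return True
    if operand.startswith("object-group "):
        return None
    if operand.startswith("host "):
        return ipaddress.ip_address(addr) == ipaddress.ip_address(operand.split()[1])
    net, mask = operand.split()
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def port_matches(ace_port: Optional[str], dport: int) -> bool:
    if ace_port is None:          # no "eq": any port
        return True
    return (PORT_NAMES.get(ace_port) or int(ace_port)) == dport


def first_match(aces: list, proto: str, src: str, dst: str, dport: int) -> Optional[dict]:
    """Mimic the ACL's first-match evaluation; None means the implicit deny at the end."""
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        s, d = operand_contains(ace["src"], src), operand_contains(ace["dst"], dst)
        if not s or not d or not port_matches(ace["dport"], dport):
            continue
        return ace
    return None


def analyse(text: str, proto: str, src: str, dst: str, dport: int, proposed_line: int) -> dict:
    aces = parse_access_list(text)
    blocking = first_match(aces, proto, src, dst, dport)
    return {
        # step 5: deny lines with a non-zero hit count are the ones dropping real traffic
        "hot_denies": [(a["line"], a["hits"]) for a in aces if a["action"] == "deny" and a["hits"] > 0],
        "blocking_line": None if blocking is None else blocking["line"],
        "blocking_action": "implicit deny" if blocking is None else blocking["action"],
        # step 6: the new permit only works if its line number is lower than the deny's
        "permit_line_ok": blocking is None or blocking["action"] == "permit" or proposed_line < blocking["line"],
    }


if __name__ == "__main__":
    print(analyse(SAMPLE, "tcp", "10.174.9.8", "10.174.8.10", 443, 15))
```

For the flow from the example above (tcp 10.174.9.8 to 10.174.8.10 port 443) the blocking entry is the expanded member of line 27 covering 10.174.8.0/24, so `line 15` is a valid place for the permit while anything at line 27 or later would never be reached. The object-group lines themselves are skipped on purpose: the ASA prints their members right after them with the same line number, and those members carry the address test.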

EXAMPLES:
# Interface Configurations
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.0.54 255.255.255.0
 no shutdown

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.20.10 255.255.255.0
 no shutdown

interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.168.0.1 255.255.255.0
 no shutdown

# ACLs
access-list NAME line 15 extended permit tcp any eq 1234 host 172.168.0.100 eq 80
access-list NAME line 15 extended permit tcp 10.1.20.0 255.255.255.0 eq 1234 host 172.168.0.100 eq 22

# Apply ACLs
access-group NAME in interface outside
access-group NAME in interface inside

# NAT Configuration
object network DMZ_SERVER
 host 172.168.0.100
 nat (dmz,outside) static 192.168.0.100

object network INSIDE_NET
 subnet 10.1.20.0 255.255.255.0
 nat (inside,outside) dynamic interface

In a company there are 4 priority levels: P1, P2, P3, P4.
P3 and P4 are user tasks.

ping 10.10.10.10 repeat 100 ...

13/12/2024

CISCO MODELS 5525, 5515, 5508 ... Cisco models start at the 5500 series, like 5515-X, 5525-X, 5508-X.

When we configure redundancy (like a stack) we take the same device, same model, same port and same interface, and configure the same on both devices.

# show failover
* When we take 2 devices, it shows failover on, and tells which device is active and which is standby.
* When we do not take any redundancy, failover shows off.
# show run failover
When we configure failover it shows that configuration; when we do not configure it, the Cisco device shows its automatic default configuration.

In a firewall there are 8 interfaces, range 0-7.
# to check the interfaces in the firewall:
# show ip  (shows the interfaces)
# show ip interface brief

Note:
When we configure sub-interfaces on the outside interface they cannot handle a huge amount of data. We configure only the physical link on the outside.

Every interface has one IP.

NOTE:
When we configure firewalls for redundancy we check the model, version, interfaces and... everything is the same on both.

This is the image (the firewall software).

To check the image on the firewall:
1) show flash:

Failover configuration:
# show disk0: and # show flash: are the same command >>> shows the image of the firewall
# show run interface
TO LOG IN TO THE STANDBY DEVICE:
# We log in to the standby device from inside the network, or through the console from the company network
# show run ssh >>>> shows from which IPs login to the firewall is allowed
# show xlate | i <SOURCE IP> >>>>>>>> tells the private-to-public or public-to-private translation, which interface the packets come from and go to, and their destination
# it tells which interface the packets come from, source to destination, when it is configured at the same

IN PACKET-TRACER, "ip" covers TCP, UDP and ICMP; all are available.

NOTE: IP means {tcp, udp, icmp}; any means any source; {object-group means destination IP}; {FE-SEG means port number}

THE ASA FIREWALL HAS 2 MODES:
Routed Mode
Transparent Mode
The firewall comes in routed mode by default.
AnyConnect configuration

VPN
NAT
Implicit rules configuration
ASA appliance licenses, 2 types:
1) Base License
2) Security License
NAT (Network Address Translation): converting public IP to private.
>>>>
TCP <outside interface name> <public IP>:<source port> <inside or dmz> <private IP>:<port number>
# Flags
* OUTSIDE TO INSIDE
* UIOB {means successful}
* When entering from outside to inside, if the packets were sent successfully it is called UIOB

* INSIDE TO OUTSIDE

* UIO <means an inside-to-outside connection that sent its packets successfully>

TCP in how many layers:

# show conn
Tells how many connections go through the firewall
# show xlate
Tells the NAT public-to-private IP translations
# packet-tracer input <interface> <protocol> <source-ip> <source-port> <dest-ip> <dest-port>
Tells whether the connection is allowed or not
# ping tcp 10.174.12.76 80
Ping from the firewall to the internet
>>>
Inbound connection
When a SYN is sent (one message) but no SYN+ACK comes back, what do I do?
Take the user's source IP and port number.
1) # show conn | in <IP>   # to check the flags (from where to where the packets go)
2) # show xlate | i <private IP> >>> to check private IP to public IP, or # show nat | i <private IP>
To check whether it is allowed or not:
3) # packet-tracer input <outside/dmz interface name> tcp <source IP> <source port> <destination IP> <dest port>
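The flags note above (UIOB for a successful outside-to-inside connection, UIO for inside-to-outside) and step 1 of the inbound-connection check both come down to reading the flag string in `show conn` output. The following is an added example, not Cisco code: it parses `show conn` lines of the usual shape, reports which side opened the connection (the `B` flag means the initial SYN came from the lower-security side) and whether the handshake completed, which is what you want to know when a SYN goes out and no SYN+ACK comes back. The flag meanings are a subset of the documented ASA connection flags; the sample lines, the security levels and the `parse_conn` and `describe` names are constructed for this example.

```python
"""Interpret `show conn` lines: endpoints, flag string, who opened the
connection and whether it is established. Added example, not Cisco code; the
flag table is a subset of the documented ASA connection flags, the sample
lines and security levels are constructed."""
import re
from dataclasses import dataclass

# Subset of the documented ASA `show conn` flags
FLAGS = {
    "U": "up (three-way handshake complete)",
    "I": "inbound data seen",
    "O": "outbound data seen",
    "B": "initial SYN came from the outside (lower-security) side",
    "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",
    "A": "awaiting outside ACK to SYN",
    "a": "awaiting inside ACK to SYN",
    "F": "outside FIN",
    "f": "inside FIN",
    "R": "outside acknowledged FIN",
    "r": "inside acknowledged FIN",
    "i": "incomplete TCP or UDP connection",
    "D": "DNS",
    "x": "per-session",
}

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<a_if>\S+) (?P<a_ip>[\d.]+):(?P<a_port>\d+) "
    r"(?P<b_if>\S+) (?P<b_ip>[\d.]+):(?P<b_port>\d+), idle (?P<idle>\S+), "
    r"bytes (?P<bytes>\d+), flags (?P<flags>\S+)$"
)


@dataclass
class Endpoint:
    nameif: str
    ip: str
    port: int


@dataclass
class Conn:
    proto: str
    a: Endpoint
    b: Endpoint
    idle: str
    bytes: int
    flags: str


def parse_conn(line: str) -> Conn:
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised show conn line: {line!r}")
    g = m.groupdict()
    return Conn(g["proto"],
                Endpoint(g["a_if"], g["a_ip"], int(g["a_port"])),
                Endpoint(g["b_if"], g["b_ip"], int(g["b_port"])),
                g["idle"], int(g["bytes"]), g["flags"])


def describe(conn: Conn, levels: dict) -> dict:
    """levels maps nameif -> security-level; it decides which endpoint is the
    'outside' (lower-security) side that the B flag refers to."""
    lower, higher = sorted((conn.a, conn.b), key=lambda e: levels[e.nameif])
    initiator = lower if "B" in conn.flags else higher
    responder = higher if initiator is lower else lower
    return {
        "direction": f"{initiator.nameif} -> {responder.nameif}",
        "initiator": f"{initiator.ip}:{initiator.port}",
        "established": "U" in conn.flags,
        "data_both_ways": "I" in conn.flags and "O" in conn.flags,
        # handshake steps still outstanding, in the order the flags are printed
        "pending": [FLAGS[f] for f in conn.flags if f in "SsAa"],
        "unknown_flags": [f for f in conn.flags if f not in FLAGS],
    }


# Constructed sample lines in the usual `show conn` shape
SAMPLE = """\
TCP outside 203.0.113.5:443 inside 10.1.20.10:51234, idle 0:00:03, bytes 18220, flags UIO
TCP outside 198.51.100.7:40000 dmz 172.16.1.100:443, idle 0:00:12, bytes 9410, flags UIOB
TCP outside 203.0.113.9:25 inside 10.1.20.11:52001, idle 0:00:29, bytes 0, flags saA
"""
LEVELS = {"inside": 100, "dmz": 50, "outside": 0}


def demo():
    return [describe(parse_conn(line), LEVELS) for line in SAMPLE.splitlines()]


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The third sample line is the stuck-SYN case from the note: no `U`, zero bytes, and the pending list says the firewall is still waiting for the outside SYN/ACK, so the next step is `show xlate` and `packet-tracer` as in steps 2 and 3 rather than looking at the inside host.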

NOTE: WHEN WE CONFIGURE A PERMIT RULE AFTER THE DENY RULE IT DOES NOT WORK. WE CONFIGURE IT ON A LINE BEFORE THE DENY LINE.
# show access-list acl-in >>>> shows the deny line

EX:
access-list name line 1 extended permit tcp host 10.10.10.10 eq 1234 host 10.10.10.1 eq 80

# show access-list acl-in | i deny.*any

NAT: Network Address Translation, at the network layer, of the address called IP.

NAT:
1) STATIC NAT
2) DYNAMIC NAT
3) PAT (PORT ADDRESS TRANSLATION)
AAA SERVERS, 2 TYPES:
RADIUS AND TACACS+

# show run access-group

To check which interface an ACL is bound to

# show run access-list prod-acl | i deny

# show arp

To check whether the tunnel is up or not:


VPN Troubleshooting:

Check whether the VPN phases are up or not (there are 2 levels: IKE Phase 1 and Phase 2).

To check Phase 1:

1) show isakmp sa

To check only our destination:

1) sh isakmp sa | i <public IP>

>>> troubleshoot on the team call.

# to check VPN status:

sh vpn-sessiondb detail l2l filter ipaddress 65.200.165.123

Phases are of 2 types:

1) phase 1

2) phase 2

In Phase 1 there are 5 parameters to match (plus the IKE version):

1) Encryption

2) Hash

3) DH Group

4) Lifetime

5) Authentication

6) IKE version (v1 or v2)
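Phase 1 only comes up when the parameters listed above agree on both peers, and when each side has several policies the initiator offers them in priority order and the responder accepts the first one it can match completely. The small model below is an added example, not Cisco code: it compares two peers' policy sets field by field and reports which field breaks each pair, which is the usual answer to "show isakmp sa is empty". The peer policies, the `Phase1Policy` name and the `negotiate` function are constructed for this example, and lifetime is compared strictly here because the notes list it as a match parameter.

```python
"""Model of IKE Phase 1 policy matching: the initiator offers policies in
priority order, the responder accepts the first one whose parameters all
match, and a single mismatched field means Phase 1 never comes up.
Added example, not Cisco code; the policies below are constructed."""
from dataclasses import dataclass

# the parameters from the notes, plus the IKE version
MATCH_FIELDS = ("ike_version", "encryption", "hash", "dh_group", "authentication", "lifetime")


@dataclass(frozen=True)
class Phase1Policy:
    priority: int
    ike_version: int
    encryption: str
    hash: str
    dh_group: int
    authentication: str
    lifetime: int          # compared strictly here, as the notes list it as a match parameter


def negotiate(initiator, responder):
    """Return ((ours, theirs), []) for the first fully matching pair, or
    (None, report) where report lists every pair tried and its mismatched fields."""
    report = []
    for ours in sorted(initiator, key=lambda p: p.priority):
        for theirs in sorted(responder, key=lambda p: p.priority):
            diffs = [f for f in MATCH_FIELDS if getattr(ours, f) != getattr(theirs, f)]
            if not diffs:
                return (ours, theirs), []
            report.append((ours.priority, theirs.priority, diffs))
    return None, report


def demo():
    hq = [Phase1Policy(10, 1, "aes-256", "sha", 14, "pre-share", 86400),
          Phase1Policy(20, 1, "aes-128", "sha", 5, "pre-share", 86400)]
    # remote peer configured with md5 by mistake: no policy on our side matches
    branch_bad = [Phase1Policy(10, 1, "aes-256", "md5", 14, "pre-share", 86400)]
    # remote peer matching our second policy: Phase 1 completes on priority 20
    branch_good = [Phase1Policy(10, 1, "aes-128", "sha", 5, "pre-share", 86400)]
    return negotiate(hq, branch_bad), negotiate(hq, branch_good)


if __name__ == "__main__":
    for chosen, report in demo():
        print("chosen:", chosen, "report:", report)
```

The report for the failing case names `hash` as the only difference on the first pair, which is the field to fix on one side; the successful case shows that the responder does not need to match our highest-priority policy, only one of them.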


>> to verify Phase 2, the command below shows the IPsec SA:

# show crypto ipsec sa peer <IP>


# sh vpn-sessiondb detail l2l filter ipaddress <IP>

# packet-tracer input <nameif> tcp <source ip> <source port> <destination ip> <destination port>

# show run crypto map | b <ip>

>> if Tx packets are showing but no Rx packets, inform the customer

>> if Rx packets are showing but no Tx packets, we have to troubleshoot:

1) run packet-tracer (to find where the drop is)

2) verify the ACL

3) verify NAT

For route-based VPN troubleshooting:

> check whether the route is static or dynamic

sh route 10.10.10.30

sh route bgp | in 10.10.10


VPN TUNNEL BACKUP:
Phase 1 match parameters are 5:
VPN configuration, route based: