
On a Cisco ASA, you cannot have the DHCP server (DHCPd) and DHCP relay configured at the same time.

  • You can either point the ASA at a DHCP relay server and have the scopes live there,
  • or you can configure the DHCP scopes directly on the ASA DHCPd.

IANA ROOT DNS Object-Group

The following object-group contains the IANA root DNS servers (current at the time of writing) and can be used on Cisco ASA firewalls.

IANA Root DNS Servers (IPv4/IPv6)
object-group network IANA-ROOT-DNS
 description IANA Root DNS Servers (IPv4/IPv6)
 network-object host 198.41.0.4
 network-object host 2001:503:ba3e::2:30
 network-object host 192.228.79.201
 network-object host 2001:500:84::b
 network-object host 192.33.4.12
 network-object host 2001:500:2::c
 network-object host 199.7.91.13
 network-object host 2001:500:2d::d
 network-object host 192.203.230.10
 network-object host 192.5.5.241
 network-object host 2001:500:2f::f
 network-object host 192.112.36.4
 network-object host 128.63.2.53
 network-object host 2001:500:1::803f:235
 network-object host 192.36.148.17
 network-object host 2001:7fe::53
 network-object host 192.58.128.30
 network-object host 2001:503:c27::2:30
 network-object host 193.0.14.129
 network-object host 2001:7fd::1
 network-object host 199.7.83.42
 network-object host 2001:500:3::42
 network-object host 202.12.27.33
 network-object host 2001:dc3::35

[click to continue…]

When it comes to firewall rules, there are a number of things I follow as best practice. To start with, make sure you have all the necessary information in place before writing your firewall rules.

Ask yourself the following questions. If you don’t have the answers, go back to the drawing board and gather the missing information.

  • Do you have the full list of ports the firewall rules need to allow?
  • Do you have all the IP address and subnet information?

Make the ACLs short and sweet

It is always best practice to avoid using raw IP addresses directly in ACLs.

  • Make sure the ACLs are intuitive to anyone who is not familiar with your network.
  • You should be able to understand how the firewalling is done simply by reading the ACLs.

[click to continue…]

The following post shows how to allow only specific DNS servers through a Cisco ASA firewall. In this example, I am allowing Google DNS through the firewall.

DNS Rules
object-group service DNS-PORTS
 service-object udp destination eq domain

object-group network GOOGLE-DNS
 network-object host 8.8.8.8
 network-object host 8.8.4.4

access-list ACL_in remark NETWORK below is a placeholder for the inside source subnet (a /24)
access-list ACL_in extended permit object-group DNS-PORTS NETWORK 255.255.255.0 object-group GOOGLE-DNS

Filtering Unwanted Traffic From The Internet

The following post explains one recommended method of filtering unwanted traffic from the internet to the internal network.

Most administrators filter RFC-1918 addresses arriving from the internet towards internal networks, yet still allow the other bogon prefixes defined in RFC-3330. These addresses are _not_ publicly assigned, so you should never see them as source addresses destined for your internal network. Furthermore, it is best practice from a security perspective to filter these ranges in case you are targeted by a spoofing attack.

As a reference for this post, please check RFC-3330, which lists all the prefixes in question.
[click to continue…]
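As an added illustration (not part of the original post), here is the ingress filter described above written as ASA configuration: the RFC-1918 ranges and the other RFC-3330 special-use prefixes are grouped and denied as source (and destination) addresses on the outside interface, with logging so spoofed packets are visible in syslog. It goes one step beyond the post by also enabling unicast reverse-path checking; the ACL name OUTSIDE_IN and the interface name "outside" are assumptions.

```cisco
! Added example: anti-spoofing ingress filter for the outside interface.
! ACL name OUTSIDE_IN and interface name "outside" are assumptions.
object-group network BOGONS
 description RFC-1918 private ranges plus other RFC-3330 special-use prefixes
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 0.0.0.0 255.0.0.0
 network-object 127.0.0.0 255.0.0.0
 network-object 169.254.0.0 255.255.0.0
 network-object 192.0.2.0 255.255.255.0
 network-object 224.0.0.0 240.0.0.0
 network-object 240.0.0.0 240.0.0.0
!
! Deny and log first, so these entries are evaluated before any permits.
access-list OUTSIDE_IN remark Drop and log packets with a bogon source or destination
access-list OUTSIDE_IN extended deny ip object-group BOGONS any log
access-list OUTSIDE_IN extended deny ip any object-group BOGONS log
! ... the permitted inbound traffic follows here; the implicit deny drops the rest.
!
access-group OUTSIDE_IN in interface outside
!
! Unicast RPF: also drop packets whose source is not reachable via "outside"
ip verify reverse-path interface outside
```

Review the generated syslog hits periodically; a sudden burst of denied bogon sources on the outside interface is a useful early indicator of spoofed traffic.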

On a Cisco ASA, both Port-Object and Service-Object achieve the same result. However, the way each is referenced in an extended Access Control List (ACL) statement differs.

Below, we look at two TCP services, www and https, defined first using Port-Object and then using Service-Object, as follows…

Port Object

object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https

[click to continue…]

Copyright © Nish Vamadevan 2002-2017. All Rights Reserved. Terms and Policies.