Menu Close

ASA Privilege Level 15

On Cisco IOS devices, we can set the privilege level 15 on the VTY lines to allow the users to go into privilege level 15 as soon as they connect to the device. The commands we used on the IOS devices are not applicable on the ASA code. However, on the ASA we can use a different command which gives us similar result. This command is part of the aaa configuration on the ASA.

ASA Site-to-Site VPN Failover “Preemption”

As we know, Cisco ASA IPsec site-to-site VPN preemption is not supported on Cisco ASA. Therefore, this means if the primary VPN peer recovers from a failure the VPN tunnel will remain active with the secondary VPN peer. In other words, if you configure a site-to-site VPN tunnel crypto map with two peers, one as the primary, and another as the secondary, the ASA will always try to initiate the tunnel with the primary peer first. If the primary peer fails and become unreachable, then the ASA will initiate the tunnel with the secondary peer.

ASA TCP State Bypass

One of the security features Cisco ASA provides for new connections is to ensure the 3-Way Handshake is completed between two hosts before allowing any further tcp traffic between the two hosts. The 3-Way Handshake is simply exchanging the SYN, SYN-ACK and ACK between two hosts, each sends the relevant packets based if it acts as a sender or a receiver. If the ASA should see a SYN-ACK packet sent by a host to another before seeing the initial SYN packet, the traffic will be dropped. Similar if the ASA should see an ACK packet before seeing the previous two packets SYN and SYN-ACK exchanged between the two hosts. The ASA does this by inspecting each packet and creating a state for each connection. This a nice feature, however, in some legitimate scenarios it might create some issues and preventing the traffic from being delivered between the two hosts. Let’s see what would be an example scenario for this, and how to apply the fix.

ASA DNS Server

As we know the Cisco ASA supports DHCP server feature but not the DNS server. The reason behind this would be to have less services running on the appliance that would expose any potential vulnerabilities that would be exploited which would turn in successful threats, especially when the running services are interacting directly with the internet. A scenario where having a DNS server running on the ASA would be handy would be when the DHCP server is running on the same appliance, and where the DNS server in use would be a public DNS, but to be honest the fact that the ASA does not support the DNS server is not an issue at all, because you can still push an external DNS server IP address through the DHCP lease managed by the ASA.

ASA Gets Stuck on Boot in EVE-NG

In this post I’m going to share with you how to fix the issue that you might have came through with ASAv images in EVE-NG that would prevent the ASAv from booting up.

Basically you would see the ASA getting stuck during the boot process at the very beginning and it won’t move on. Here is what you would see on the terminal screen when the ASAv is stuck:

>
Scroll To Top