Archive for August, 2008



Configuring Connection Limits on Cisco ASA Firewalls - Protect from DoS

Thursday 28 August 2008 @ 5:42 am

The Cisco ASA firewall offers good protection against denial-of-service attacks such as SYN floods and connection-exhaustion attacks. Using the Modular Policy Framework (MPF), the ASA administrator can configure granular TCP and UDP connection limits and timeouts. For example, we can limit the maximum number of simultaneous TCP and UDP connections allowed towards a specific host (or subnet), the maximum number of simultaneous embryonic (half-open TCP) connections allowed, which is the control that matters for SYN floods, and the per-client maximum number of connections and embryonic connections.

Configuration Example

STEP1: Identify the traffic to apply connection limits using a class map

ASA(config)# access-list CONNS-ACL extended permit ip any 10.1.1.1 255.255.255.255
ASA(config)# class-map CONNS-MAP
ASA(config-cmap)# match access-list CONNS-ACL

STEP2: Add a policy map to set the actions to take on the class map traffic

ASA(config)# policy-map CONNS-POLICY
ASA(config-pmap)# class CONNS-MAP
! The following sets connection number limits
ASA(config-pmap-c)# set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}

where the conn-max n argument sets the maximum number of simultaneous TCP and/or UDP connections allowed for the matched traffic, between 0 and 65535. For all four counters, 0 (the default) means no limit, so a counter left at 0 gives no protection.

The embryonic-conn-max n argument sets the maximum number of simultaneous embryonic connections allowed, between 0 and 65535. An embryonic connection is a TCP connection whose three-way handshake has not completed (SYN seen, no ACK yet), so this limit applies only to TCP. Once the limit is reached the ASA enables TCP Intercept for the matched traffic: it answers new SYNs on behalf of the server and only builds the real connection after the client completes the handshake, which shields the server from the flood while legitimate clients can still connect.

The per-client-embryonic-max n argument sets the maximum number of simultaneous embryonic connections allowed per client (per source address), between 0 and 65535. This is the counter that stops a single host from consuming the whole embryonic budget.

The per-client-max n argument sets the maximum number of simultaneous connections allowed per client, between 0 and 65535.

! The following sets connection timeouts
ASA(config-pmap-c)# set connection timeout {[embryonic hh:mm:ss] [tcp hh:mm:ss [reset]] [half-closed hh:mm:ss] [dcd hh:mm:ss [max_retries]]}

where embryonic is the time after which a half-open connection is dropped, tcp is the idle timeout for established connections (reset sends a TCP RST to both endpoints when the connection is removed), half-closed is the idle timeout for connections that have seen a FIN in one direction, and dcd enables Dead Connection Detection, which probes both endpoints before an idle connection is freed and keeps it if either still answers. A short embryonic timeout is the second half of SYN-flood protection: it makes the half-open entries that do get created expire quickly.

STEP3: Apply the policy on one or more interfaces or globally

ASA(config)# service-policy CONNS-POLICY {global | interface interface_name}

The ASA allows one global policy and one policy per interface. When traffic matches both, the interface policy takes precedence, so connection limits are usually applied on the interface where the attack traffic enters (typically outside). Verify the policy and its counters with show service-policy.
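Putting the three steps together, as an added, complete example that is not part of the original post: a policy protecting a single server at 10.1.1.1 behind the outside interface, followed by the commands used to verify it. The address, the interface name outside and the limit values are illustrative assumptions, and the limits should be sized from the server's real connection counts rather than copied.

```cisco
! Constructed example (not from the original post): protect a single server
! at 10.1.1.1 (hypothetical address) from connection-exhaustion and SYN floods.
!
! Step 1 - select the traffic. "host" is equivalent to 10.1.1.1 255.255.255.255.
access-list CONNS-ACL extended permit ip any host 10.1.1.1
class-map CONNS-MAP
 match access-list CONNS-ACL
!
! Step 2 - limits and timeouts for that traffic. Values are assumptions chosen
! for illustration; 0 (the default) means "no limit" for any of the counters.
policy-map CONNS-POLICY
 class CONNS-MAP
  ! total budget for the server: 2000 open, 1000 half-open (TCP only)
  set connection conn-max 2000 embryonic-conn-max 1000
  ! per-source budget: stops one client from consuming the whole server budget
  set connection per-client-max 50 per-client-embryonic-max 10
  ! randomise the server's ISN as seen from outside
  set connection random-sequence-number enable
  ! expire half-open entries after 30 s, idle established ones after 1 h
  set connection timeout embryonic 0:00:30 half-closed 0:05:00 tcp 1:00:00
!
! Step 3 - apply on the interface the attack traffic enters. The interface
! policy takes precedence over the global policy for matching traffic.
service-policy CONNS-POLICY interface outside
!
! Verification: policy counters, current connections to the server, and the
! ASP drop counters that increase when limits are enforced.
show service-policy interface outside
show conn address 10.1.1.1
show asp drop
```

When the embryonic limit is reached, show service-policy reports TCP Intercept activity for the class, and show asp drop shows the corresponding drop reasons; watch both during normal operation for a while before tightening the values, so that legitimate peaks are not mistaken for an attack.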




Cisco VPN Client Requirements

Tuesday 26 August 2008 @ 2:30 am

The Cisco VPN Software Client is a widely used remote-access tool for teleworkers and mobile employees. It allows the user to establish an IPsec tunnel from any internet connection to a central site (usually the user's corporate network). Once the tunnel is established, the user is attached to the central network and has the same connectivity as if connected locally, which is also why the remote PC should be treated as part of the corporate network from a security standpoint.

The latest release (at the time of writing) is 5.0.03. This release can be installed on the following operating systems: 

  • Windows 2000
  • Windows XP
  • Windows Vista (x86 / 32-bit only)
  • Linux (Intel based)
  • Mac OS X 10.4
  • Solaris UltraSparc (32 and 64-bit)

Furthermore, the Cisco VPN Client is compatible with the following Cisco VPN head-end products:

  • Cisco Firewall ASA 5500 Series Software Version 7.0 and higher.
  • Cisco Firewall PIX Security Appliance Software Version 6.0 and later.
  • Cisco VPN 3000 Series Concentrator Software Version 3.0 and later.
  • Cisco Routers with VPN IOS support Software Release 12.2(8)T and later.
  • Cisco 6500 / 7600 IPSec VPNSM and VPN SPA IOS Software Release 12.2SX and later.

To obtain the Cisco VPN Client software you need a Cisco SMARTnet support contract, after which you can download the client from the Cisco Software Center. A CD with the VPN client also ships with every Cisco ASA 5500 series firewall except the ASA 5505.




Practice Questions for Exam 642-523 - Part 3

Tuesday 19 August 2008 @ 3:17 pm

Which command will set the default route for an adaptive security appliance to the IP Address 10.10.10.1?

A. route outside 0 0 10.10.10.1
B. route add default 0 10.10.10.1
C. route management 10.10.10.0 0.0.0.255 10.10.10.1
D. route 0 0 10.10.10.1
Answer: A

Which of the following statements about adaptive security appliance failover is true?

A. The PIX adaptive security appliance only supports LAN-based failover
B. The PIX adaptive security appliance supports LAN-based and cable-based failover
C. The Cisco ASA security appliance only supports cable-based failover
D. The Cisco ASA and PIX security appliance support LAN-based and cable-based failover
Answer: B

Which three of these are encryption algorithms used by Cisco ASA security appliances? (Choose three.)

A. RC4
B. DES
C. Diffie-Hellman Group 5
D. AES
E. Blowfish
F. 3DES
Answer: B,D,F

Which command configures the adaptive security appliance interface as a DHCP client and sets the default route to be the default gateway parameter returned from the DHCP server?

A. ip address dhcp
B. ip address dhcp default route
C. ip address dhcp setroute
D. dhcp setroute
Answer: C

Which commands are necessary in order to add a port for DNS inspection?

A. class-map, match, policy-map, class, inspect
B. class-map, fixup, policy-map
C. fixup
D. class-map, match, fixup, policy-map, inspect
Answer: A




Configuring a Cisco Catalyst Switch SPAN mirroring port

Friday 15 August 2008 @ 1:52 am

For network engineers, the ability to mirror switch traffic to a sniffer for analysis is an essential troubleshooting technique, and for security teams it is the usual way to feed an IDS or to capture evidence during an incident. Cisco Catalyst switches support the Switched Port Analyzer (SPAN) feature, which copies traffic from specified source ports or VLANs to a specified destination port (the SPAN port). You then connect a PC running a sniffer such as Wireshark to the destination SPAN port to capture all mirrored traffic. The diagram below shows this:

To use the SPAN mirroring feature, configure the following on the Catalyst switch:

Configuration Example - Monitoring an entire VLAN traffic
c3750(config)#monitor session 1 source vlan 5
c3750(config)#monitor session 1 destination interface fastethernet 0/3

The configuration above mirrors all traffic of VLAN 5 (both directions, the default) to SPAN port fastethernet 0/3.

Configuration Example - Monitoring traffic from a specific interface
c3750(config)#monitor session 1 source interface fastethernet 0/1
c3750(config)#monitor session 1 destination interface fastethernet 0/2

The configuration above mirrors all traffic received and transmitted on fastethernet 0/1 to SPAN port fastethernet 0/2. Append rx or tx to the source command to mirror only one direction.

Use the command show monitor session 1 to verify your configuration. Two caveats: while the session exists, the destination port no longer behaves as a normal switch port (it forwards nothing and, by default, discards frames received on it), and mirroring a whole VLAN or several busy ports to a single 100 Mb/s port can oversubscribe it, in which case the switch silently drops part of the mirrored traffic. Remove the session with no monitor session 1 when you are finished.
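A fuller session, as an added example that is not part of the original post: one SPAN session mirroring only what is received from a suspect host on fastethernet 0/1, plus both directions of the uplink, to an analyser on fastethernet 0/3, while keeping 802.1Q tags and letting the analyser PC still send traffic. Interface names and VLAN numbers are assumptions chosen for illustration, and the encapsulation and ingress options are assumed to be supported by the switch's IOS release.

```cisco
! Constructed example (not from the original post). Hypothetical ports:
! Fa0/1 = suspect host, Gi0/1 = uplink, Fa0/3 = analyser PC.
!
! Mirror only frames received from the suspect host (rx), and both
! directions of the uplink.
monitor session 1 source interface fastethernet 0/1 rx
monitor session 1 source interface gigabitethernet 0/1 both
!
! "encapsulation replicate" keeps 802.1Q tags on mirrored frames so the
! analyser sees VLAN membership (the default strips them).
! "ingress untagged vlan 10" lets the analyser PC send traffic through the
! destination port as a member of VLAN 10; without it a SPAN destination
! port accepts no incoming frames, so the PC loses network access.
monitor session 1 destination interface fastethernet 0/3 encapsulation replicate ingress untagged vlan 10
!
! Verify the session, then tear it down when the capture is complete: a
! forgotten SPAN session is a standing tap on the network.
show monitor session 1
no monitor session 1
```

Mirroring the uplink in both directions onto a 100 Mb/s analyser port can exceed that port's capacity; if the capture shows gaps, mirror fewer sources or a single direction, or use a gigabit destination port.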



