security

What does each of these terms mean? Object Network, MPF (Modular Policy Framework), embryonic

What does this command do? set connection per-client-max "" per-client-embryonic ""

Why is inspection disabled for ICMP & Traceroute by default in ASA?

What's the difference between show nat & show xlate?

I wish you would give me an example of NAT that shows the translated IP in the following command: show user

Thanks

1 ACCEPTED SOLUTION

VIP Mentor

Re: security

Most of your queries are related to learning and most of them are already well documented. (Also, if you are taking any training you should explore with your instructor for better understanding and practice it in a lab.)

 

I have some notes for you which I have pulled from my notes, which will help you. (Some may be old, from many, many years back.)

 

What does each of these terms mean? Object Network, MPF (Modular Policy Framework), embryonic

Object Network -

An object network is used to select IP addresses and/or network addresses.

 

Mpf -

The Cisco ASA Modular Policy Framework (MPF) allows flexible policies to be created to serve a wide range of needs. The outbound traffic can be classified according to user name, user group, source, or destination. The destination aspect can be further classified into three broad categories:

- Approved traffic: Traffic from known safe websites is approved by corporate policy.

- VPN traffic: Traffic flows through a site-to-site VPN tunnel.

- Traffic redirected to Cisco Cloud Web Security: Traffic is sent to Cisco Cloud Web Security for precise web policy control, including URL filtering, antivirus scanning, web content scanning (ScanSafe scanlets), and web application visibility and control.

The traffic classification criteria can also be mixed and matched (for example, a group of users such as guests, vendors, or interns can be selected for Cisco Cloud Web Security inspection).

 

embryonic

 

An embryonic connection is also known as a half-open connection. It means a SYN was received, a SYN-ACK was sent back to the source, and we are waiting for the ACK back from the source. A lot of these indicates a DoS, a misconfiguration, or another type of attack.

 

What does this command do? set connection per-client-max "" per-client-embryonic ""

 

The conn-max n argument sets the maximum number of simultaneous TCP and/or UDP connections that are allowed, between 0 and 65535.

The embryonic-conn-max n argument sets the maximum number of simultaneous embryonic connections allowed, between 0 and 65535.

The per-client-embryonic-max n argument sets the maximum number of simultaneous embryonic connections allowed per client, between 0 and 65535.

The per-client-max n argument sets the maximum number of simultaneous connections allowed per client, between 0 and 65535.

 

Why is inspection disabled for ICMP & Traceroute by default in ASA?

 

On the ASA, ICMP is handled differently than TCP or UDP. By default, the ASA does not track an ICMP session, making it stateless. Being stateless, a return ICMP packet (such as an echo-reply) is not automatically allowed through the ASA, and will be dropped unless an ACL specifically allows it.

 

What's the differenxce between show nat & show xlate?

The show nat command can be used to understand which NAT rules are hit by new connections.
The show xlate command displays the translation table, which is a record of all NAT translations done by the firewall/router.


I wish to give me an example of NAT that shows translated ip in the following command: show user

- You can find many examples on Google - it is good to learn by practicing yourself so you understand better.

BB
*** Rate All Helpful Responses ***
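As an added example that is not part of the original reply, the following ASA configuration ties the terms above together: an object network feeding an ACL, the three MPF pieces (class-map, policy-map, service-policy) carrying the set connection limits that the question asked about, and ICMP inspection enabled in the default global policy. Object names, addresses, interface name, and limit values are constructed for illustration, not taken from the thread.

```cisco
! Object network: a named address set that ACLs and NAT can reference
object network WEB_SERVER
 host 203.0.113.10
!
! Traffic selector for the class-map (constructed addresses)
access-list WEB_SERVER_TCP extended permit tcp any object WEB_SERVER eq 443
!
! MPF step 1: class-map identifies the traffic
class-map WEB_CONN_LIMITS
 match access-list WEB_SERVER_TCP
!
! MPF step 2: policy-map says what to do with matched traffic
policy-map OUTSIDE_POLICY
 class WEB_CONN_LIMITS
  ! conn-max: total simultaneous TCP/UDP connections to the server
  ! embryonic-conn-max: total half-open (SYN seen, SYN-ACK sent, no ACK yet)
  ! per-client-max / per-client-embryonic-max: the same limits per source IP,
  ! which is what bounds the damage a single SYN-flooding host can do
  set connection conn-max 10000 embryonic-conn-max 2000 per-client-max 100 per-client-embryonic-max 20
  ! Tear down half-open connections that never complete within 30 seconds
  set connection timeout embryonic 0:00:30
!
! MPF step 3: service-policy binds the policy to an interface
service-policy OUTSIDE_POLICY interface outside
!
! ICMP is stateless by default; adding it to the default inspection class
! lets echo-replies to inside-originated pings return without an explicit ACL
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Verification: per-class hit counts, current half-open connections,
! and per-client connection counts (including the embryonic count)
show service-policy interface outside
show conn state tcp_embryonic
show local-host
```

If the embryonic counters in show local-host climb toward per-client-embryonic-max for one source while completed connections stay flat, that source is the half-open pattern the reply describes.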


2 REPLIES

Re: security

Hi sir,
Thanks for your marvelous reply. But you didn't correctly answer why ICMP & Traceroute are disabled for inspection by default.
Thanks again