Tag Archives: ASA

Fire Jumper Stage 5 Network Security Systems Engineer

The Cisco Fire Jumper program is composed of different tracks, and each has a Sales, Systems Engineer and Field role with dedicated videos, training, POV, labs and exams to be completed. After completing all four stages, you need to ask your manager to endorse you and send an email to the Fire Jumper team. Once accepted, you will receive a certificate. I’ve focused on the Network Security Systems Engineer role, where I achieved Stage 5. Looking for the Elite now.

Dissecting the Different Tracks

Network Security: Firepower, ASA and Meraki

Advanced Threat: AMP for Endpoints and Threat Grid

Visibility & Enforcement: ISE, Stealthwatch and SDA

Cloud, Web & Email Security: Cisco Umbrella, Cloudlock, WSA and Email Security

At the moment you can only be Stage 5 in one track and Stage 4 on all of them. Once you achieve this you become Fire Jumper Elite.

Find below the relevant links for the program:

Fire Jumper Sales Engineer

Fire Jumper Systems Engineer

Fire Jumper Field Engineer

TFTP Backup of an ASA over a VPN Tunnel

Anything involving LAN-2-LAN VPNs always comes with a catch. In this case the task is to back up the configuration of a Cisco ASA through the tunnel of which the ASA itself is one of the endpoints.

In this example the source interface has to be the inside LAN interface.

CiscoASA# conf t
CiscoASA(config)# tftp-server inside [destination-server-ip] /[file-name]
CiscoASA(config)# exit
CiscoASA# write tftp

ESMTP/TLS on the Cisco ASA

The Cisco ASA configuration has several inspections enabled by default. One of the problems lies precisely in the esmtp inspection: when SMTP over Transport Layer Security (TLS) is implemented, all the traffic is denied. After some research on the Cisco site, from version 8.0 onwards (inclusive) it is possible to keep the inspection active with SMTP/TLS support. However, the documentation for version 7.2 indicates that it is already supported. Go figure…

Let's get to the point.

Config with inspection active

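CiscoASA# conf t
CiscoASA(config)# policy-map type inspect esmtp esmtp_mapa
CiscoASA(config-pmap)# parameters
CiscoASA(config-pmap-p)# allow-tls
CiscoASA(config-pmap-p)# exit
CiscoASA(config-pmap)# exit
CiscoASA(config)# policy-map global_policy
CiscoASA(config-pmap)# class inspection_default
CiscoASA(config-pmap-c)# no inspect esmtp
CiscoASA(config-pmap-c)# inspect esmtp esmtp_mapa
CiscoASA(config-pmap-c)# exit
CiscoASA(config-pmap)# exit
CiscoASA(config)# exit
CiscoASA# wr mem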

If the firmware version is earlier than the one mentioned, you will have to remove the inspection so that emails are delivered.

Config with inspection inactive

CiscoASA(config)#policy-map global_policy
CiscoASA(config-pmap)#class inspection_default
CiscoASA(config-pmap-c)#no inspect esmtp
CiscoASA(config-pmap-c)#exit
CiscoASA(config-pmap)#exit

You can consult the following link for more information.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008067cf3b.shtml#esmtp
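
To verify either configuration from a mail client's side of the firewall, the check below classifies an EHLO reply as seen through the ASA. It is an added example, not part of the original post or of Cisco's documentation. The function names and the sample replies are constructed, and the masking patterns it looks for (STARTTLS rewritten to XXXXXXXA, banner replaced by asterisks) are assumed from general ASA ESMTP inspection behaviour rather than taken from the post.

```python
import re
import smtplib

# Assumption (general ASA behaviour, not stated in the post): ESMTP inspection
# without allow-tls overwrites EHLO keywords it does not permit with 'X'
# characters (STARTTLS shows up as XXXXXXXA) and may mask the 220 banner
# with '*'.
MASKED_KEYWORD = re.compile(r"^X{4,}[A-Z]?$")


def classify_ehlo(banner: str, ehlo_reply: str) -> dict:
    """Classify a 220 banner and an EHLO reply (reply codes already stripped)."""
    # The first reply line is the server greeting; the rest are extensions.
    keywords = [ln.split()[0].upper()
                for ln in ehlo_reply.splitlines()[1:] if ln.strip()]
    masked = [k for k in keywords if MASKED_KEYWORD.match(k)]
    text = banner.strip()
    banner_masked = bool(text) and text.count("*") > len(text) / 2
    if "STARTTLS" in keywords:
        verdict = "starttls-offered"
    elif masked:
        verdict = "starttls-masked-in-transit"
    else:
        verdict = "starttls-not-advertised"
    return {"verdict": verdict, "masked_keywords": masked,
            "banner_masked": banner_masked}


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check; run from a client whose path to the server crosses the ASA."""
    smtp = smtplib.SMTP(timeout=timeout)
    try:
        _, banner = smtp.connect(host, port)
        _, reply = smtp.ehlo()
        return classify_ehlo(banner.decode(errors="replace"),
                             reply.decode(errors="replace"))
    finally:
        smtp.close()


# Constructed sample replies (not captured from a real device).
DIRECT = ("mail.example.test ESMTP ready",
          "mail.example.test\nSIZE 10240000\nSTARTTLS\n8BITMIME")
INSPECTED = ("*" * 30,
             "mail.example.test\nSIZE 10240000\nXXXXXXXA\n8BITMIME")
NO_TLS = ("mail.example.test ESMTP ready",
          "mail.example.test\nSIZE 10240000\n8BITMIME")
```

A "starttls-masked-in-transit" verdict after applying the allow-tls map means the inspection is still running with its previous parameters, so the service policy is worth re-checking.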