tranmyphuc
06-06-2008, 02:43 PM
I am attending a New Horizons ASA/PIX course (SNPA version 5). I have mixed feelings about the course. I am pretty familiar with the PIX and ASA products. With respect to the basic operations of the firewall, I am confident in my abilities. With the more advanced features, I have to read and research before implementing. So the first couple of days have been largely a waste of my time. The course has covered access-lists, NAT and assigning interface IP addresses. Hopefully the second half of the course will be of more value. During the first three days, I have noticed on several occasions the instructor has provided the class wrong information.
Example 1
Instructor…Before a UDP connection can establish a 3-way TCP handshake must occur. Therefore, you need to permit TCP and UDP through the firewall for a specific port if you want a UDP session to be established.
My interpretation…if you want to permit TFTP (UDP 69), you will also need to permit TCP 69. The instructor is wrong. No you don’t have to permit the corresponding TCP port for a UDP communication. If you want TFTP (UDP 69), you only need to permit UDP 69. Do not permit TCP 69. UDP does not do a 3-way hand shake. UDP is connectionless.
Example 2
Instructor…PAT is a bad thing and should only be used in SOHO environments. Instead of using PAT use a dynamic pool of addresses. The instructor’s example:
global (outside) 1 2.2.2.2-2.2.2.253
global (outside) 1 2.2.2.254
The instructor is concerned that the randomly selected source port assigned with PAT might also be used by an application, thus cause problems.
What??? PAT is a good thing. I can only think of a few scenarios where NATing every internal address to a single outside public address would not be desired.
1. If I had 15,000 plus hosts on my inside network, I would probably want to split the internal networks and use multiple PAT addresses:
nat (inside) 1 10.0.0.0 255.128.0.0
nat (inside) 2 10.128.0.0 255.128.0.0
global (outside) 1 2.2.2.2
global (outside) 2 2.2.2.3
Of course, if you have 15,000 users, you probably have multiple connections to the internet and everyone using one PAT address is probably not an issue.
2. A unique public address is used to access some (public) server.
access-list specialhost permit ip 10.0.0.0 255.0.0.0 host 3.3.3.3
nat (inside) 2 access-list specialhost
global (outside) 2 2.2.2.4
I use this a lot when I send traffic over a special connection: IPSEC VPN or b2b link.
Now that I am getting to the area of the class that I actually need to learn and get better, I don’t know how much confidence I should place in my instructor. I guess my solution will be to listen and learn then go read a book (not course material). If the information matches, I will commit it to memory. Yes, I have a wr mem function for my mind. Problem is that I am not authorized to issue the command. The moral of this story is to learn, check and verify. We are all humans thus we make mistakes whether it be an instructor or a book.
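As an added illustration of the dynamic-pool-plus-PAT global statements quoted in the post (not code from the thread or from Cisco), here is a small Python model of how a PIX hands out translations for that configuration: the 2.2.2.2-2.2.2.253 pool is used one address per inside host until it runs out, after which new hosts share 2.2.2.254 via PAT with a unique mapped port per flow. The sequential mapped-port choice and the 10.0.x.y inside hosts are constructed assumptions for the demo.

```python
"""Toy model of PIX dynamic NAT with a PAT fallback, as in the instructor's
'global (outside) 1 2.2.2.2-2.2.2.253' + 'global (outside) 1 2.2.2.254'.
Constructed illustration only; address ranges are the thread's own."""
import ipaddress

POOL = [str(ipaddress.ip_address(a))
        for a in range(int(ipaddress.ip_address("2.2.2.2")),
                       int(ipaddress.ip_address("2.2.2.253")) + 1)]
PAT_ADDR = "2.2.2.254"
PAT_PORT_MIN, PAT_PORT_MAX = 1024, 65535  # assumed range for PAT mapped ports


class Translator:
    def __init__(self, pool, pat_addr):
        self.free = list(pool)      # unused pool addresses (dynamic NAT, 1:1)
        self.nat_xlate = {}         # inside ip -> global ip
        self.pat_addr = pat_addr
        self.pat_xlate = {}         # (inside ip, port) -> (pat ip, mapped port)
        self.next_port = PAT_PORT_MIN  # assumption: ports handed out sequentially

    def translate(self, src_ip, src_port):
        """Return the (global ip, global port) a packet from src leaves with."""
        if src_ip in self.nat_xlate:        # existing 1:1 xlate, port untouched
            return self.nat_xlate[src_ip], src_port
        if self.free:                       # pool not exhausted: allocate 1:1
            g = self.free.pop(0)
            self.nat_xlate[src_ip] = g
            return g, src_port
        key = (src_ip, src_port)            # pool exhausted: fall back to PAT
        if key not in self.pat_xlate:
            if self.next_port > PAT_PORT_MAX:
                raise RuntimeError("PAT port space exhausted")
            self.pat_xlate[key] = (self.pat_addr, self.next_port)
            self.next_port += 1
        return self.pat_xlate[key]


def simulate(n_hosts, src_port=40000):
    """Send one packet from each of n_hosts inside hosts; report how they map."""
    t = Translator(POOL, PAT_ADDR)
    mapped = [t.translate(f"10.0.{i // 254}.{i % 254 + 1}", src_port)
              for i in range(n_hosts)]
    pat_ports = [p for ip, p in mapped if ip == PAT_ADDR]
    return {"pool_hosts": sum(1 for ip, _ in mapped if ip != PAT_ADDR),
            "pat_hosts": len(pat_ports),
            "pat_ports_unique": len(pat_ports) == len(set(pat_ports))}


if __name__ == "__main__":
    print(simulate(300))  # 252 hosts get pool addresses, 48 share 2.2.2.254
```

With 300 inside hosts the 252-address pool is exhausted and the remaining 48 hosts are PAT'd behind 2.2.2.254, each flow with its own mapped port, which is why an application's source port and the firewall's mapped port never collide in the translation table.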