Recently in PIX Category

ASA/PIX Order of Operations


Much thanks to Joshua Walton for forwarding this info over to me - handy reference:

====================
Packet Flow Sequence
====================
PIX/ASA - Inside (Higher Security Level) to Outside (Lower Security Level)
---------------------------------------------------------------
Format: Type - [Sub-Type] - Description
1. FLOW-LOOKUP - [] - Check for an existing connection; if none is found, a new connection is created.
2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL Lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [] - xlate
7. NAT - [host-limits] -
8. IP-OPTIONS - [] -
9. FLOW-CREATION - [] - If everything passes up until this point a connection is created.
10. ROUTE-LOOKUP - [output and adjacency] -

Cisco ASA...In VMWare?!?


Now this is cool. Someone from the Phoenix Cisco Users Group gave me a link to a group that has virtualized the ASA platform. You can download a VMWare image (or self-booting CD) that runs the full, fully functional Cisco ASA software.


The latest Cisco TAC Newsletter had an interesting tip on recovering hidden pre-shared keys (something I've needed to do many times). So simple it's brilliant :) Here's the reprint:

There are times you will need to add configuration or make changes to a live PIX Firewall or ASA. It is common for the original pre-shared keys used in site-to-site VPNs to be mislaid or forgotten. For example, perhaps the previous manager has left the company. It is not possible to see a copy of the configuration with the keys viewable, as they are hidden as ******. The answer is to save a copy of the configuration to a TFTP server. This file can then be viewed using any simple text document. It can also be used to re-configure the device back to its original state if necessary.

-Tony Holmes, Cistek Solutions Ltd, Cheltenham, Glos, England, UK

So here's the scenario I ran into...I just set up a new client for managed network services (where my company (AdTEC Networks) is doing the management). This client happened to have some fairly technical people on staff who wanted privileged mode access to the PIX firewall. No problemo...that is, until I received phone calls with people screaming, "THE NETWORK IS DOWN!!!"

There I am, feeling a cold drip of sweat trickling down the side of my face, scrolling through a running config on a PIX firewall. Aha! Who put that command there?!?! After removing the 'mystery' NAT statement, the network magically works again...now who's to blame...
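The two stories above come down to the same habit: keep a saved copy of the configuration off the box (the TFTP copy from the TAC tip) and compare it against what is actually running when something breaks. The script below is an added example, not code from the original post or from Cisco; it uses a constructed PIX 7.x-style config with RFC 5737 documentation addresses, and the stray identity-NAT line is likewise constructed for illustration. The command-family patterns are my grouping, not a Cisco classification.

```python
"""Group differences between a saved PIX/ASA config and the current one by command family (added example)."""
import re
from collections import Counter

# Constructed sample baseline (PIX 7.x-style syntax, RFC 5737 documentation addresses).
BASELINE = """\
hostname pix-edge
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
access-list outside_in extended permit tcp any host 203.0.113.2 eq https
access-group outside_in in interface outside
crypto isakmp key S3cretKey address 198.51.100.7
"""
# Constructed "mystery" change: an identity-NAT line added by hand to the running config.
CURRENT = BASELINE + "nat (inside) 0 192.168.10.0 255.255.255.0\n"

# Command families that matter first when triaging an outage (my grouping, not Cisco's).
FAMILIES = {
    "nat": re.compile(r"^(nat|global|static)\b"),
    "acl": re.compile(r"^(access-list|access-group)\b"),
    "vpn": re.compile(r"^(crypto|isakmp|tunnel-group|pre-shared-key)\b"),
}

def normalize(text):
    """Drop comment lines (':' or '!'), trailing spaces and blank lines; keep indentation."""
    lines = [raw.rstrip() for raw in text.splitlines()]
    return [l for l in lines if l and not l.lstrip().startswith((":", "!"))]

def classify(line):
    """Return the command family of a config line, or 'other'."""
    for name, pattern in FAMILIES.items():
        if pattern.match(line.lstrip()):
            return name
    return "other"

def report(baseline, current):
    """Return {family: {'added': [...], 'removed': [...]}} for families that changed.
    Multiset (Counter) difference tolerates legitimately repeated sub-command lines."""
    base, cur = Counter(normalize(baseline)), Counter(normalize(current))
    changes = {}
    for kind, delta in (("added", cur - base), ("removed", base - cur)):
        for line in delta.elements():
            changes.setdefault(classify(line), {"added": [], "removed": []})[kind].append(line)
    return changes
```

Because the saved file carries the pre-shared keys in clear, as the tip above notes, the baseline copy needs the same protection as the device itself.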

PIX 7.x Configuration Guide


For some reason, I seem to end up working with the PIX 7.x software lately. My best friend when working with this beast has been the PIX 7.1 Configuration Guide. I figured I'd hyperlink it here for my (and your) easy reference rather than digging around the Cisco website.

About this Archive

This page is an archive of recent entries in the PIX category.