Saturday, January 30, 2010

Cisco Mobile Lab in Nigeria

The CCIE Mobile Lab will be in Nigeria between June 14 and 18. There are 6 R&S slots and a security slot per day.
I hope I will be ready for my security lab by then :-)
More info can be found here.

It's time to quit playing around and get into hardcore studying. This is barely 4 months away.

Wish you all the best with your studies. CCIE Security - here I come!


Monday, January 25, 2010

Cisco Updates CCNP and introduces new Service Operations Track

Hi All,

Today, Cisco announced a big change in the Certifications path.
The CCNP has been entirely revised. There are now 3 exams:
Route - replaces the BSCI
Switch - replaces the BCMSN
TShoot - brings troubleshooting back into the game.

All exams will be 120 minutes long and cost $200.
While the BSCI and BCMSN exams are still valid for 3 years, the ISCW and ONT are only valid (count towards completion of your CCNP) until the end of July.

The TShoot exam will be a hands-on exam - barely 10% theory.
The exam focuses more on routing and switching and goes a lot deeper. IPv6 also has its fair share of the exam.

Finally, my favorite authors get to write the Cisco Press cert guides: Wendell Odom, David Hucaby and Kevin Wallace.

The SP Operations track focuses on IP Carrier Ethernet NGN networks. It is a full track with Associate, Professional and Expert level exams. Yes, another CCIE. Oh damn, Cisco! More info on the Cisco Learning Network.

Right now, it's time to focus on getting the CCIE Security before I am old enough to rent a car.

Study hard, Learn stuff and most importantly, have fun!



Monday, January 11, 2010

ASA Transparent mode NAT

The ASA in transparent mode acts as a bump in the wire (it is placed in the layer 2 path of the traffic). There is no interface IP addressing in transparent mode; the ASA can be assigned a single IP address for remote management and testing. Access rules and inspection rules still apply in transparent mode, with a few exceptions. For instance, ARP and BPDUs are allowed from lower security level interfaces by default.

With ASA 7.x code and lower, the ASA did not support address translation in transparent mode. In fact, the 'nat' and 'global' commands were disabled. The static command was available, but the real and translated addresses had to be the same. IMO, the command was kept so that the static options could still be used. An example is the 'norandomseq' keyword (which disables TCP sequence number randomization), used to let BGP authentication work through the firewall.

With ASA 8.x code, there is now support for NAT in transparent mode.
The NAT implementation has a few caveats:
1. The alias command is NOT supported.
2. Since there is no interface address, interface PAT is not allowed.
3. ARP inspection is not allowed.
4. Since the inside and outside interfaces are on the same 'subnet', if any of the addresses (real or translated) is NOT on that subnet, static routes have to be used to point to the address so that routing can take place. This is from the configuration guide:

"When the mapped addresses are not on the same network as the transparent firewall, then on the upstream router, you need to add a static route for the mapped addresses that points to the downstream router (through the security appliance).

If the real destination address is not directly-connected to the security appliance, then you also need to add a static route on the security appliance for the real destination address that points to the downstream router. Without NAT, traffic from the upstream router to the downstream router does not need any routes on the security appliance because it uses the MAC address table. NAT, however, causes the security appliance to use a route lookup instead of a MAC address lookup, so it needs a static route to the downstream router."

With the routing fixed, NAT in ASA transparent mode should not be too different from regular routed mode NAT.
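A constructed configuration, added here and not taken from the post or the Cisco guide, showing caveat 4 in ASA 8.2-style syntax (the pre-8.3 'static' command). The topology, all addresses, interface names and the ACL name are assumptions: upstream router R1 at 10.0.0.1 and downstream router R2 at 10.0.0.2 share the bridged 10.0.0.0/24 segment, the real server 192.168.1.10 sits behind R2, and its mapped address 172.16.1.10 is deliberately off the bridged subnet.

```cisco
! --- ASA (transparent mode, 8.2-style syntax) ---
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
!
! Management address only; transparent mode has no per-interface IPs
ip address 10.0.0.5 255.255.255.0
!
! Static NAT: inside host 192.168.1.10 is reachable from outside as
! 172.16.1.10. The mapped address is NOT on the bridged 10.0.0.0/24
! subnet, which is exactly the case caveat 4 describes.
static (inside,outside) 172.16.1.10 192.168.1.10 netmask 255.255.255.255
!
! Caveat 4: NAT makes the ASA do a route lookup instead of a MAC-table
! lookup, so the real destination network needs a static route that
! points to the downstream router (R2) through the inside interface.
route inside 192.168.1.0 255.255.255.0 10.0.0.2 1
!
! Default route toward the upstream router (R1) for the return direction
! of translated sessions (added as an assumption, not from the guide).
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
!
! Pre-8.3 ACLs on the outside interface reference the MAPPED address.
access-list OUTSIDE_IN extended permit tcp any host 172.16.1.10 eq 80
access-group OUTSIDE_IN in interface outside

! --- Upstream router R1 (IOS) ---
! Static route for the mapped address pointing to the downstream router;
! the next hop 10.0.0.2 is reached through the transparent ASA.
ip route 172.16.1.10 255.255.255.255 10.0.0.2

! --- Downstream router R2 (IOS) ---
! Real server subnet is directly connected; default route back via R1.
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.1
```

Without the 'route inside' line the ASA translates 172.16.1.10 to 192.168.1.10 and then has no route for it, so the flow is dropped even though the MAC address table would have carried untranslated traffic to R2 fine.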

Further Reading:
ASA Configuration Guide: NAT in Transparent mode