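!! Host-header match list. The regex is unanchored, so any Host value that *contains* one of these strings matches
regex BlockedURLs "\.microsoft\.com|\.msn\.com|\.cnbc\.com"

!! Sources listed in the deny line are excluded from the class (no inspection); all other tcp/80 traffic is inspected.
!! Only cleartext HTTP on port 80 is covered - TLS on 443 never enters this class, so blocked hosts remain reachable over HTTPS
access-list inside-traffic-filter deny tcp <filter-bypass-IPs> any eq www
access-list inside-traffic-filter permit tcp any any eq www

class-map type inspect http match-all BlockedDomainsClass
  match request header host regex BlockedURLs
  exit
class-map httptraffic
  match access-list inside-traffic-filter
  exit
!! Inspection policy: drop (and log) requests for blocked hosts, and drop CONNECT so the proxy-tunnel method cannot bypass the host check
policy-map type inspect http http_inspection_policy
  class BlockedDomainsClass
    drop-connection log
  match request method connect
    drop-connection log

policy-map url-packet-filter
  class httptraffic
    inspect http http_inspection_policy
service-policy url-packet-filter interface <interface-to-apply-to>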

Notes:

  • Untested
  • For 8.4(2)+, look into FQDN Network Objects if resources permit


!! Basic threat detection only generates syslog events for drop-rate anomalies; it does not block anything
threat-detection basic-threat
!! Scanning-threat detection with automatic shun of hosts classified as scanners.
!! Shunning is keyed on observed source addresses, so list hosts that must never be shunned (monitoring systems, gateways) as exceptions
threat-detection scanning-threat shun except ip-address XXX.XXX.XXX.XXX 255.255.255.255   !! Exceptions, if needed
threat-detection scanning-threat shun duration 3600   !! how long (seconds) a shun stays in place

Documentation


snmp-server location <location-information>
snmp-server contact <contact-information>
!! <interface> should be the management-facing interface; <ip> restricts which manager may talk to the device
snmp-server host <interface> <ip> trap community <community-string>    !! Device only sends traps, no polling
snmp-server host <interface> <ip> poll community <community-string>    !! Device only accepts polling, no traps
snmp-server enable traps
!! NOTE(review): 'community' means SNMPv1/v2c - the community string travels in cleartext, so treat it as a credential;
!! prefer SNMPv3 (snmp-server group / snmp-server user) where the running version supports it

Notes:

  • You can leave off 'poll' and 'trap' to allow both

Documentation


failover exec mate <command>      !! Run <command> on the peer unit of the failover pair and show its output on this unit

Documentation


!! DESTRUCTIVE: replaces the running configuration with the factory default, then saves it as the startup configuration
configure terminal
config factory-default
write memory       !! commits the reset; have console access available, as existing management settings are gone afterwards


interface GigabitEthernet0/2
  description <optional description>
  vlan 40  !! optional; NOTE(review): platform-dependent - only where a physical port accepts a VLAN, otherwise use a subinterface
  nameif <name for interface>            !! the name ACLs, NAT and service-policy refer to
  security-level <0-100>                 !! 100 = most trusted, 0 = least; traffic flows high->low by default, low->high needs an ACL
  ip address <ip> <netmask> standby <standby ip>
  exit

Notes:

  • The 'standby' portion of the IP address can be omitted if this is not part of a High Availability pair of firewalls


!! Logical interface backed by two physical members; only one member carries traffic at a time
interface redundant <1-8>
  member-interface <active interface>      !! added first -> becomes the active member
  member-interface <standby interface>
  no shutdown
  exit
show interface redundant<1-8>        !! View active/standby interface information
redundant-interface redundant<1-8> active-member <desired-active-interface>        !! Change the active interface

Notes:

  • By default, the first interface added to the redundant interface will be the active interface
  • This is Cisco's recommendation for a failover configuration

Documentation


show ospf database     !! link-state database (LSAs) this ASA currently holds
show ospf neighbor     !! adjacency state per neighbor
debug ospf events      !! verbose; turn off with 'no debug ospf events' (or 'undebug all') when finished


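interface Ethernet0/1                !! inside for instance
 ospf cost 10
 ospf message-digest-key 1 md5 <md5 key>    !! key id and key must be identical on every OSPF neighbor on this segment
 ospf authentication message-digest         !! drop OSPF packets that do not carry a valid digest
interface Ethernet0/2                !! outside for instance
 ospf cost 10
 !! NOTE(review): no OSPF authentication on this interface; if neighbors exist on this segment, add the same message-digest-key / authentication lines
 exit
router ospf 1
 network <internal network> <netmask> area <area number>  !! Each network that we will advertise (network address + mask)
 log-adj-changes                  !! syslog on neighbor up/down - useful for spotting flapping or unexpected adjacencies
 redistribute rip subnets        !! redistribute RIP if needed !
 exit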


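!! NAT order: nat 0 -> Statics -> globals + nats (version 6 - 8.2)
!! nat-control - When enabled, NAT is required from low to high security level
!! 8.3+: Auto (object) NAT is entered *inside* the network object; Manual (twice) NAT is a top-level 'nat' line

!! NONAT - Pix 6 - 8.2
access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list nonat

!! NONAT - Pix 8.3+ (identity Manual NAT, e.g. for VPN traffic that must not be translated)
!! For each encryption network, create a "nat" statement like the one below
object network Local_LAN
  subnet 192.168.0.0 255.255.0.0
object network Remote_LAN
  subnet 172.16.0.0 255.255.0.0
nat (inside,outside) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN

!! Dynamic NAT - Pix 8.3+ (Auto NAT: the 'nat' line belongs inside the object)
object network HideNATRange
  range 2.2.2.1 2.2.2.10
object network Local_LAN
  subnet 192.168.0.0 255.255.0.0
  nat (inside,outside) dynamic HideNATRange

!! Hide NAT (Dynamic PAT) - Pix 6 - 8.2
nat (inside) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface

!! Hide NAT (Dynamic PAT) - Pix 8.3+ (Auto NAT)
object network Local_LAN
  subnet 192.168.0.0 255.255.0.0
  nat (inside,outside) dynamic interface

!! Hide NAT Alternative - Pix 8.3+ (Auto NAT covering every source address)
!! NOTE(review): the mapped argument must be an existing network object or the keyword 'interface'; confirm an object named 'outside' exists
object network inside-ANY
  subnet 0.0.0.0 0.0.0.0
  nat (inside,outside) dynamic outside

!! Static NAT - Pix 6 - 8.2 (ACL references the mapped/translated ip)
static (inside,outside) 2.2.2.2 192.168.0.1 netmask 255.255.255.255
access-list outside permit ip any host 2.2.2.2      !! 'ip any' exposes every port of the host; narrow to the services actually needed

!! Static NAT - Pix 8.3+ (Auto NAT; ACL references the real ip)
object network 192.168.0.1
  host 192.168.0.1
  nat (inside,outside) static 2.2.2.2
access-list outside permit ip any host 192.168.0.1   !! same caveat: restrict to the required ports

!! Static NAT with Port Translation - Pix 6 - 8.2
static (inside,outside) tcp interface 8080 192.168.0.1 80 netmask 255.255.255.255

!! Static NAT with Port Translation - Pix 8.3+ (ACL should reflect real ip and real port)
object network http-server
  host 192.168.0.1
  nat (inside,outside) static interface service tcp 80 8080    !! real port 80, mapped port 8080
access-list outside permit tcp any host 192.168.0.1 eq 80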

Notes:

  • REGARDING 8.3+ NATs: Auto NAT
  • Specified within the object
  • Cannot specify nat conditions based on source and destination together

  • REGARDING 8.3+ NATs: Manual NAT
  • Specified outside the object
  • Allows the source and destination to be translated together, conditioned on both source and destination (i.e. the equivalent of an ACL-based NAT with nat/global on pre-8.3)
