Configuring FlexVPN external AAA with RADIUS

This post describes how to configure FlexVPN authorization using RADIUS AAA; Cisco ISE 2.4 will be used as the RADIUS server.

The Hub router will authenticate the spoke routers with RSA certificates. Each spoke router's certificate will carry a value in the OU (organisational unit) field that identifies its location, e.g. US-Branch or UK-Branch. An IKEv2 name-mangler will be used to extract the OU value from the certificate and use it in the authorization request to the RADIUS server. The RADIUS server's authorization rules match on this location value and return different attribute values per location.
Continue reading “Configuring FlexVPN external AAA with RADIUS”
See the previous blog post, which documents the steps to set up AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (username/password and certificate).

ASA Configuration

Create a Crypto Keypair

crypto key generate rsa label VPN_KEY modulus 2048

Create a CA Trustpoint

crypto ca trustpoint LAB_PKI
 keypair VPN_KEY
 enrollment terminal
 crl nocheck

Continue reading “CCNP SIMOS: ASA AnyConnect IKEv2/IPSec VPN”


This blog post documents how to configure an AnyConnect SSL-VPN on a Cisco ASA firewall using Cisco ISE (2.1 patch 5) as an AAA server for authentication.

ISE Configuration

It is assumed that ISE is installed and configured with the basics (IP addressing and integration with AD).

Define the ASA as a Network Device

  • Navigate to Administration > Network Resources > Network Devices
  • Click Add to create a new entry and define the ASA
  • Specify the INSIDE interface IP address of the ASA
  • Tick the RADIUS Authentication Settings box
  • Specify a shared secret; this must match the shared secret in the ASA configuration
  • Click Save

Continue reading “CCNP SIMOS: ASA AnyConnect SSL-VPN”

CCNP SIMOS: IKEv2 Crypto Map between IOS Router and ASA Firewall

This blog post documents the steps to configure an IKEv2/IPSec Site-to-Site VPN between a Cisco ASA firewall (ASAv 9.9.1) and an IOS Router (v15.4) using a Pre-Shared Key (PSK).

Simple topology:

ASA Firewall Configuration

// Define IKEv2 Policy
crypto ikev2 policy 10
encryption aes-gcm
integrity null
group 5
prf sha256
lifetime seconds 86400

Continue reading “CCNP SIMOS: IKEv2 Crypto Map between IOS Router and ASA Firewall”

CCNP SENSS: Implementing ASA object groups

Cisco ASA and IOS devices support object groups, which can be defined in place of IP addresses, services, security tags (TrustSec SGTs), etc. Object groups simplify configuration, reducing the number of ACEs in an ACL by referencing a single object group that consists of multiple hosts, services, etc. Configurations become easier to maintain: modifying the object group is reflected in every other section of the configuration that references it. Without object groups, the same parameter may have to be modified in multiple locations instead of just once.

Cisco ASA version 9.x supports six types of object group:

  • ICMP-type – consists of ICMP message types.
  • Network – consists of group-objects, which allow nesting of other network object groups, and network-objects, which contain one or more host entries. Network object groups can be used in the SRC and/or DST fields of an ACL.

Continue reading “CCNP SENSS: Implementing ASA object groups”

CCNP SENSS: Block a TTL Expiry Attack

When a Cisco IOS device receives a packet with a TTL value less than or equal to 1, it sends an ICMP Type 11, Code 0 (Time to Live exceeded) message, which has an impact on CPU: responding with a TTL exceeded message requires more CPU processing than forwarding a packet. Under normal conditions most operating systems and network devices use a default TTL of either 128 or 255 when originating outbound packets, so an edge router is unlikely to legitimately receive a packet with a low TTL value.

Cisco recommends filtering incoming packets on untrusted network boundaries (edge routers). Filtering low TTLs eliminates a DoS attack vector and also prevents remote users from tracerouting into the network. In a TTL Expiry Attack the attacker sends packets with a low TTL, causing the router to return ICMP Type 11, Code 0 (TTL Exceeded) messages, potentially overwhelming the router and causing a DoS.

Continue reading “CCNP SENSS: Block a TTL Expiry Attack”

CCNP SENSS: ASA Botnet Filtering

In a botnet attack, computers become infected with malware and the infected hosts attempt to contact the botnet command and control servers. When configured, the Botnet Traffic Filter on the Cisco ASA firewall checks incoming and outgoing connections against a dynamic SensorBase database (downloaded from Cisco) containing known malicious domain names and IP addresses, and then logs or blocks any suspicious activity. In addition to the dynamic database you can define a static blacklist of domain names and IP addresses, and you can use a whitelist to allow addresses that are blacklisted in the dynamic database downloaded from Cisco.

Continue reading “CCNP SENSS: ASA Botnet Filtering”