This post describes how to configure FlexVPN authorization using external RADIUS AAA; ISE 2.4 is used as the RADIUS server.
The hub router authenticates the spoke routers with RSA certificates. Each spoke's certificate carries a value in the OU (organisational unit) field that identifies its location, e.g. US-Branch or UK-Branch. An IKEv2 name-mangler extracts the OU value from the certificate and uses it as the identity in the authorization request sent to the RADIUS server. The RADIUS authorization rules match on that location value, so the server returns a different set of attributes for each location.
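The hub-side IOS configuration that ties the pieces together, as an added example that is not from the original post. The RADIUS server address and key, the list, map, trustpoint and profile names, and the issuer string are assumptions; the ISE-side rules are not shown.

```cisco
! Added example (not from the original post). Server address, key, list/map/trustpoint
! names and the issuer string are assumptions.
aaa new-model
aaa group server radius ISE
 server-private 10.1.1.20 auth-port 1812 acct-port 1813 key ISE-SECRET
aaa authorization network FLEX_AAA group ISE

! Derive the peer's AAA username from the OU attribute of its certificate subject DN
crypto ikev2 name-mangler OU_MANGLER
 dn organization-unit

! Only certificates from our own CA are accepted for this profile
crypto pki certificate map SPOKE_CERT_MAP 10
 issuer-name co lab-ca

crypto ikev2 profile HUB_PROFILE
 match certificate SPOKE_CERT_MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint LAB_PKI
 ! The mangled name (e.g. US-Branch) becomes the User-Name in the RADIUS
 ! Access-Request; the password sent with it defaults to "cisco" unless overridden here
 aaa authorization group cert list FLEX_AAA name-mangler OU_MANGLER password FLEX-AUTHZ-PW
 virtual-template 1
```

Two checks worth doing before relying on this: `show crypto ikev2 sa detail` on the hub shows the identity actually presented, and `debug aaa authorization` shows the username placed in the request, which is what the ISE authorization rule must match. Because every spoke in a location shares one username, ISE is effectively authorizing the location, not the individual router; per-router policy still needs the certificate itself (the `match certificate` map) to do the work.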
Continue reading “Configuring FlexVPN external AAA with RADIUS”
See the previous blog post, which documents the steps to set up AnyConnect SSL-VPN and ISE integration. This post expands on that configuration, adding support for IKEv2/IPsec and double authentication (username/password and certificate).
Create a Crypto Keypair
crypto key generate rsa label VPN_KEY modulus 2048
Create a CA Trustpoint
crypto ca trustpoint LAB_PKI
Continue reading “CCNP SIMOS: ASA AnyConnect IKEv2/IPSec VPN”
This blog post documents how to configure an AnyConnect SSL-VPN on a Cisco ASA firewall using Cisco ISE (2.1 patch 5) as the AAA server for authentication.
It is assumed that ISE is already installed with the basics configured (IP addressing and Active Directory integration).
Define the ASA as a Network Device
- Navigate to Administration > Network Resources > Network Devices
- Create new by clicking Add and define the ASA
- Specify the INSIDE interface IP address of the ASA (the interface the ASA will source its RADIUS requests from)
- Tick the RADIUS Authentication Settings box
- Specify a shared secret; this must match the key configured on the ASA
- Click Save
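The ASA-side counterpart to the ISE network-device definition above, as an added example that is not from the original post. The ISE address, the shared secret, the tunnel-group and group-policy names and the test credentials are assumptions.

```cisco
! Added example (not from the original post). ISE address, secret, tunnel-group,
! group-policy and test credentials are assumptions.
aaa-server ISE protocol radius
 ! Declare ISE dead after 3 unanswered requests so a failed server does not hang logins
 max-failed-attempts 3
 reactivation-mode timed
! The interface in parentheses is the source of RADIUS traffic; its IP is what ISE
! must have under the network device definition
aaa-server ISE (INSIDE) host 10.1.1.20
 ! Must match the shared secret entered under RADIUS Authentication Settings in ISE
 key ISE-SECRET
 authentication-port 1812
 accounting-port 1813

! Bind the RADIUS group to the AnyConnect connection profile
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 authentication-server-group ISE
 default-group-policy ANYCONNECT_GP

! Verify reachability and the shared secret before any user connects
test aaa-server authentication ISE host 10.1.1.20 username testuser password Test123
```

The `test aaa-server` command distinguishes the two common failure modes: a timeout means ISE never saw the request (wrong source interface, routing, or ISE does not have that IP as a network device), while an explicit reject means the request arrived but the secret or the ISE policy is wrong. ISE's Live Logs (Operations > RADIUS > Live Logs) show the same event from the server side.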
Continue reading “CCNP SIMOS: ASA AnyConnect SSL-VPN”
This blog post will document the steps to configure an IKEv2/IPSec Site-to-Site VPN between a Cisco ASA firewall (ASAv 9.9.1) and an IOS Router (v15.4) using a Pre-Shared Key (PSK).
ASA Firewall Configuration
// Define IKEv2 Policy
crypto ikev2 policy 10
lifetime seconds 86400
Continue reading “CCNP SIMOS: IKEv2 Crypto Map between IOS Router and ASA Firewall”
Cisco ASA and IOS devices support object groups, which can be used in place of IP addresses, services, security tags (TrustSec SGTs) etc. Object groups simplify configuration and reduce the number of ACEs that have to be written in an ACL, because one ACE can reference a group consisting of multiple hosts, services etc. Configurations become easier to maintain: a change to the object group is reflected in every part of the configuration that references it. Without object groups the same parameters may have to be modified in several places instead of once.
Cisco ASA version 9.x supports six types of object group:
- ICMP-type – consists of ICMP message types.
- Network – consists of network-object entries (a host, a subnet, or a reference to a network object) and group-object entries, which nest other network object groups. Network object groups can be used in the source and/or destination fields of an ACL.
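A nested network object group and a service object group referenced from a single ACE, as an added example that is not from the original post. Addresses, object names and the interface name are assumptions.

```cisco
! Added example (not from the original post). Addresses, names and interface are assumptions.
object network WEB01
 host 10.10.20.11
object-group network WEB_SERVERS
 network-object object WEB01
 network-object host 10.10.20.12
 network-object 10.10.21.0 255.255.255.0
object-group network DMZ_SERVERS
 ! Nesting: DMZ_SERVERS inherits every member of WEB_SERVERS
 group-object WEB_SERVERS
 network-object host 10.10.30.5

! A service object group can mix protocols; each member is a complete service
object-group service WEB_PORTS
 service-object tcp destination eq 80
 service-object tcp destination eq 443
 service-object icmp echo

! One configured ACE instead of 4 network entries x 3 services = 12 hand-written ACEs
access-list OUTSIDE_IN extended permit object-group WEB_PORTS any object-group DMZ_SERVERS
access-group OUTSIDE_IN in interface outside

! The ASA still expands the groups internally; this shows the entries it evaluates
show access-list OUTSIDE_IN
```

The saving is in what you maintain, not in what the firewall evaluates: `show access-list` displays the expanded entries and the hit count on each, which is the view to use when checking that a new member of `WEB_SERVERS` is actually being matched.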
Continue reading “CCNP SENSS: Implementing ASA object groups”
When a Cisco IOS router receives a transit packet whose TTL is 1 or less it cannot forward it: the packet is dropped and an ICMP Type 11, Code 0 (Time to Live exceeded in transit) message is sent back to the source. That reply is generated by the route processor, so it costs far more CPU than forwarding the packet. Most operating systems and network devices originate packets with a default TTL of 64, 128 or 255, so under normal conditions an edge router should rarely receive a packet with a very low TTL.
Cisco recommends filtering such packets inbound at untrusted network boundaries (edge routers). Filtering low TTLs removes a DoS vector and also prevents remote users from tracerouting into the network. In a TTL expiry attack the attacker sends a stream of packets with low TTLs so that the router must answer each one with an ICMP Type 11, Code 0 message, eventually overwhelming the CPU and causing a DoS.
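An edge ACL that drops low-TTL transit traffic, as an added example that is not from the original post. It also handles the case the plain filter breaks: a directly connected eBGP peer sends its TCP/179 segments with TTL 1, so those must be permitted before the deny. Interface, peer addresses and the TTL threshold are assumptions.

```cisco
! Added example (not from the original post). Interface, peer addresses and the
! threshold of 6 are assumptions.
ip access-list extended EDGE_IN
 ! Directly connected eBGP peer: BGP with TTL 1 is legitimate here, so permit it
 ! explicitly (not needed if the session uses ttl-security/GTSM, which sends TTL 255)
 permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp ttl eq 1
 permit tcp host 203.0.113.1 eq bgp host 203.0.113.2 ttl eq 1
 ! Anything else arriving with TTL 0-5 would expire within a few hops inside the
 ! network and only generate ICMP Time Exceeded from the CPU; drop it at the edge
 deny ip any any ttl lt 6
 permit ip any any

interface GigabitEthernet0/0
 description Untrusted edge
 ip access-group EDGE_IN in
 ! ACL denies generate ICMP unreachables, which are also punted to the CPU; suppress them
 no ip unreachables

! Per-entry hit counts show how much low-TTL traffic is being dropped
show ip access-lists EDGE_IN
```

Pick the threshold from the depth of your own network: the value only needs to be larger than the number of hops a packet can travel inside before reaching its destination. Check `show ip access-lists` after enabling the filter; a steady hit count on the deny line under normal conditions usually means a legitimate low-TTL source (another BGP peer, a tunnel endpoint) that needs its own permit.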
Continue reading “CCNP SENSS: Block a TTL Expiry Attack”
In a botnet attack, computers infected with malware attempt to contact the botnet's command and control servers. When configured, the Botnet Traffic Filter on the Cisco ASA firewall checks incoming and outgoing connections against a dynamic database (downloaded from Cisco's SensorBase) of known malicious domain names and IP addresses, and logs or blocks any suspicious activity. In addition to the dynamic database you can define a static blacklist of domain names and IP addresses, and a whitelist to allow addresses that appear in the dynamic database but are legitimate for your environment.
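A Botnet Traffic Filter configuration using the dynamic database, a static blacklist and a whitelist override, as an added example that is not from the original post. Domain names, addresses and the interface name are assumptions. DNS snooping is included because it is what lets the ASA match domain-name entries against the IP addresses it actually sees in connections.

```cisco
! Added example (not from the original post). Names, addresses and interface are assumptions.
! Download and use the dynamic SensorBase database
dynamic-filter updater-client enable
dynamic-filter use-database

! Static entries checked alongside the dynamic database
dynamic-filter blacklist
 name c2.example.net
 address 198.51.100.0 255.255.255.0
dynamic-filter whitelist
 ! Overrides a dynamic-database entry that is a false positive for this site
 name partner.example.com

! DNS snooping: inspect DNS replies and cache domain-to-IP mappings for the filter
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy global_policy global

! Classify traffic on the untrusted interface; on its own this only logs hits.
! The drop command blocks blacklisted flows; greylisted traffic is still only logged
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside

! Verify the database download and look at what is being matched
show dynamic-filter updater-client
show dynamic-filter statistics
show dynamic-filter reports top malware-sites
```

Run with `dynamic-filter enable` alone first and review the syslog hits and `show dynamic-filter reports` output before adding the `drop` command, so that any whitelist entries are in place before legitimate traffic is blocked. `show dynamic-filter updater-client` should report a successful database download; without it the filter only has your static blacklist to work with.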
Continue reading “CCNP SENSS: ASA Botnet Filtering”