When using a Cisco ASA with the AnyConnect VPN Client software in some instances it is useful to assign the same static IP address to a client whenever they connect to the VPN. Within Active Directory you can configure per user a static IP address and use this IP address whenever the user connects to the VPN. The RADIUS Server (in this instance Cisco ISE 2.0) can be configured to query the attribute in AD which is the” msRADIUSFramedIPAddress” value and assign to the client whenever they connect.
This blog post describes the steps to modify the configuration of ASA/ISE/AD and assumes the Cisco ASA is already properly configured and users can successfully authenticate using the AnyConnect VPN client and receive an IP address from the IP Address Pool. Cisco ISE is defined as the RADIUS Server with Active Directory defined as the External Identity Source.
Continue reading Cisco ASA AnyConnect VPN with Static Client IP Address
The purpose of this blog post is to document the configuration steps required to configure Wired 802.1x and MAB authentication on Cisco Catalyst switches using Cisco ISE 2.0 as the RADIUS server. ISE will be configured to use Microsoft AD as the External Identity Store to authenticate the users and computer onto the AD domain.
The switch is already configured for VLAN, Routing etc and any device plugged into the switch will be able to access the network. Basic ISE functionality has already been configured (integration with AD/PKI).
Cisco Catalyst 3650 – IP Services 12.2(55)SE4
Cisco ISE 2.0 with patch 2
Microsoft Server 2008 R2 (Domain Controller, DNS, DHCP)
Continue reading Configuring Wired 802.1x/MAB Authentication with Cisco ISE
This post details the configuration on how to configure a DMVPN Phase 3 VPN in a Dual Hub Single Cloud. I previously wrote a post on configuring DMVPN Phase 2, refer to this post for more detailed information on configuring DMVPN.
As per most previous posts GNS3 was used to lab the configuration. I had to use the Advanced Security IOS image “c7200-advsecurityk9-mz.152-4.M7” instead of my normal Advanced IP Services IOS image “c7200-advipservicesk9-mz.152-4.S4” because that version does not support NHRP redirect required for DMVPN Phase 3. The error received when configuring NHRP redirect is: % NHRP-WARNING: ‘ip nhrp redirect’ failed to initialise.
This post covers the following:
Front Door VRF
Dual DMVPN Hub configuration
DMVPN Spoke configuration
DMVPN NHS Clustering (dual active Hubs and Active/Standby Hub)
- DMVPN Phase 3
The router default ISAKMP Policy, IPSec Transform Set and IPSec Profile were used and therefore not covered in this post. This previous post covers ISAKMP and IPSec Policy/Profile creation.
The lab scenario has 6 x Cisco IOS 15.2(4) routers as represented in the diagram below.
Continue reading Configuring DMVPN Phase 3 Dual Hub
This blog post provides the simple configuration information to setup a Site-to-Site VPN between two Cisco ASA firewalls using the IKEv2 protocol.
The following lab scenario was setup in GNS3 using the following images:
- Cisco ASAv version 9.5(2)
- Cisco IOS version 15.2(4)
A VPN will be setup between the 2 Cisco ASA firewalls (ASAv-1 and ASAv-2). The 2 routers (R1 and R2) will act as hosts in the local networks in order to generate traffic to initiate the VPN tunnel on demand.
Continue reading Configuring IKEv2 Site-to-Site VPN on Cisco ASA
Identical Cisco ASA firewalls (same hardware, model, interfaces and RAM etc) can be configured for failover, thus allowing for uninterrupted network connectivity. The Cisco ASA supports 2 failover configurations Active/Active (both appliances pass traffic) and Active/Standby (only the active appliance passes traffic, whilst the other appliance is waiting for failure/failover to occur).
The ASA appliances are connected to each other through a dedicated failover link, this can be any spare interface not currently used. Stateful failover can also be configured; this replicates the firewall state information to the standby appliance.
Continue reading Configuring Cisco ASA Active/Standby Failover
I was looking for a new convenient lab solution to run on natively on my PC rather than fire up my noisy dedicated HP Proliant Lab server, in order to use the Cisco ASAv. I’ve used GNS3 for IOS devices regularly but never had the chance to use the ASAv. This blog post details the configuration steps I took in order to configure Cisco ASAv with GNS3.
Continue reading Configuring Cisco ASAv in GNS3
In a FlexVPN Hub and Spoke design spoke routers are configured with a normal static VTI with the tunnel destination of the Hub’s IP address, the Hub however is configured with a Dynamic VTI. The DVTI on the Hub router is not configured with a static mapping to the peer’s IP address. The VTI on the Hub is created dynamically from a preconfigured tunnel template “virtual-template” when a tunnel is initiated by the spoke router/peer. The dynamic tunnel spawns a separate “virtual-access” interface for each spoke tunnel, inheriting the configuration from the cloned the template.
Continue reading Configuring Cisco FlexVPN Hub-and-Spoke