Firepower SSL Decryption

The Firepower SSL Decryption feature allows you to block encrypted traffic without inspection, or to inspect encrypted traffic that could not otherwise be inspected. In order for the FTD to decrypt the traffic, the FTD must re-sign the certificates of all websites; this is achieved by a Man in the Middle (MITM) technique. An internal CA must be used to issue the FTD a certificate using the Subordinate Certificate Authority template; Firepower will then dynamically create a certificate on the fly (spoofing the real certificate), thus allowing decryption and inspection of the website. The client computer must trust the internal CA so as not to receive any certificate errors.

In this scenario an FTD v6.2.2 is acting as the gateway that will decrypt the traffic; all configuration will be made on the FMC v6.2.2.


Cisco TrustSec on ASA Firewall

In a previous post Cisco TrustSec was discussed and enforcement was implemented on a Cisco CSR1000v router, using Cisco ISE to dynamically classify the traffic. In this post we will implement enforcement on a Cisco ASA Firewall. Unlike a Cisco switch or router, when the ASA is used as the enforcement point the TrustSec matrix on ISE is not utilised. Instead the ASA downloads the CTS environment data (SGTs), and these SGTs are referenced as the source and destination in a normal ASA access list.

The advantage of using an ASA Firewall for TrustSec enforcement over a Cisco switch or router is that the ASA firewall rules are stateful, unlike the ACLs on a switch or router which are not stateful.

In this blog post we will set up a simple lab using ISE and ASAv. ISE will be configured with TrustSec SGTs, SXP and a basic Authorization Policy. Secure communication between the ASA and ISE will be established by the use of a PAC file (Protected Access Credential). The ASA will use this secure channel to authenticate and establish a RADIUS connection to ISE to download the CTS environment data, which contains the SGT table. An SXP connection between ISE and the ASA will be established to transfer the static SXP bindings (the servers in the DC) and the dynamically assigned bindings for the authenticated users.

Basic configuration of ISE is not covered in this post. The posts below describe in greater detail configuration of ISE and TrustSec:-

Initial Cisco ISE Configuration – Basic configuration ISE
Configured Wired 802.1x/MAB authentication with Cisco ISE – Configuring dot1x authentication on ISE
Cisco TrustSec Enforcement using Cisco ISE – ISE configuration and enforcement on a Cisco CSR1000v router


OpenSSL CA for VPN authentication

The purpose of this post is to describe the steps to set up and configure an OpenSSL Certificate Authority (CA) on an Ubuntu server. The CA will be used for VPN authentication of Windows clients authenticating against a Cisco Router. It is assumed that the Ubuntu server is already installed and configured. Time accuracy is important when using certificates (validity periods are checked against the system clock), so ensure the Ubuntu server's time is correct.

The following software/hardware was utilised:-

Initial Cisco ISE Configuration

This post will describe the basic steps to install Cisco ISE 2.4 from an ISO image, build a cluster and integrate with Active Directory.

  • Initial ISE Configuration
    • Installing ISE 2.4 from ISO image file
    • Initial configuration from CLI
  • Certificates
    • Admin and EAP Authentication Certificates
  • Deployment Roles
    • Minimum 1 x PAN (Policy Administration Node), 1 x MnT (Management) and 1 x PSN (Policy Service Node)
    • Valid DNS entry for each ISE node
    • Valid certificates (Admin certificate for establishing a secure connection when building the cluster)
  • External Identity Source Integration
    • Integration with Active Directory
  • Network Access Devices
  • Policy Sets


Allow ICMP/Traceroute through Cisco ASA

By default the ASA does permit ICMP replies TO any ASA interface, but does not permit ICMP THROUGH the ASA. In other words, you need to specifically configure the ASA to permit the ICMP replies. This can be achieved in 2 ways: either by enabling ICMP inspection, or by configuring an ACL inbound on the outside interface permitting echo-reply.

From a LAN switch on the inside of the ASA we ping a device on the outside; with no specific configuration this should fail.


ISE Dynamic Variables

Using Cisco ISE you can take variables such as a Downloadable ACL (DACL) or VLAN from an External Identity Source (e.g. Active Directory) and apply these values during authorization. Without this, you would define multiple authorization rules of the form: if AD:ExternalGroup membership equals "GroupName" then assign the static attributes "DACL_1" and "VLAN_1".

The same result can be achieved by extracting the attributes from an External Identity Source such as AD, resulting in 1 authorization rule instead of multiple.


FTD VPN with Certificate authentication

Using certificates to authenticate VPN peers is the most scalable authentication method. As of FTD 6.2.2, certificate enrolment is either via SCEP or manually using PKCS12. When using SCEP the FTD must have direct communication with the SCEP server in order to request the certificate, which may not be possible if the FTD is already deployed onsite. This leaves importing the signed certificate from a PKCS12 file; this is a manual process, and access to the console via SSH is all that is required.

This post will describe how to create a Certificate Template on a Windows CA, how to generate a certificate private key, CSR and PKCS12 file, and how to configure the VPN on the FMC.
