By default the ASA does permit ICMP replies TO any ASA interface, but does not permit ICMP THROUGH the ASA. In other words, you need to specifically configure the ASA to permit the ICMP replies. This can be achieved in 2 ways: either by enabling ICMP inspection or by configuring an ACL inbound on the outside interface, permitting echo-reply.
From a LAN switch on the inside of the ASA we ping a device on the outside; with no specific configuration this should fail.
Continue reading “Allow ICMP/Traceroute through Cisco ASA”
This post will describe the process to install the FTD boot image and FTD system image v6.2.3 on a Cisco ASA 5506-X firewall. The images listed below will be required and can be downloaded from the Cisco website here.
In order to download the images to the ASA a TFTP, FTP or HTTP server will be required.
- TFTP Server (e.g. SolarWinds TFTP) required to load the Boot Image
- FTP or HTTP Server required to load the FTD System Image
Upgrade Boot Image
- Connect a console cable to the CONSOLE port on the ASA 5506-X
- Connect the MGMT interface into a switch on the same subnet as the TFTP/FTP/HTTP server and turn on the ASA
Continue reading “Install FTD 6.2.3 on Cisco ASA 5506-X”
Cisco introduced VTI to ASA Firewalls in version 9.7.1 as an alternative to policy-based crypto maps. Cisco IOS routers have long supported VTI (sVTI, DVTI, DMVPN, FlexVPN etc). This post will describe the steps to configure a VTI between a Cisco ASA Firewall and a Cisco IOS Router.
Cisco ASAv (v9.9.1)
Cisco CSR1000v (v16.3.3)
Continue reading “IKEv2/IPSec VTI tunnel between ASA Firewall and IOS Router”
See the previous blog post, which documents the steps to set up AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (Username/Password and Certificate).
Create a Crypto Keypair
crypto key generate rsa label VPN_KEY modulus 2048
Create a CA Trustpoint
crypto ca trustpoint LAB_PKI
Continue reading “ASA AnyConnect IKEv2/IPSec VPN”
This blog post will document how to configure an AnyConnect SSL-VPN on a Cisco ASA firewall using Cisco ISE (2.1 patch 5) as a AAA server for authentication.
It is assumed that ISE is installed and configured with the basics (IP addresses and integrated into AD).
Define the ASA as a Network Device
- Navigate to Administration > Network Resources > Network Devices
- Create new by clicking Add and define the ASA
- Specify the INSIDE interface IP address of the ASA
- Tick the RADIUS Authentication Settings box
- Specify a shared secret; this will need to match on the ASA configuration
- Click Save
Continue reading “ASA AnyConnect SSL-VPN”
This blog post will document the steps to configure an IKEv2/IPSec Site-to-Site VPN between a Cisco ASA firewall (ASAv 9.9.1) and an IOS Router (v15.4) using a Pre-Shared Key (PSK).
ASA Firewall Configuration
Define IKEv2 Policy
crypto ikev2 policy 10
lifetime seconds 86400
Continue reading “IKEv2/IPSec Crypto Map between IOS Router and ASA Firewall”
Cisco ASA and IOS devices support object-groups, which can be defined in place of IP addresses, services, security tags (Trustsec SGTs) etc. Object groups simplify configuration, reducing the number of ACEs in an ACL by referencing an object group consisting of multiple hosts/services etc. Configurations become easier to maintain, as you can modify the object group and this will be reflected in other sections of the configuration referencing it. Without object groups the parameters of the configuration may have to be modified in multiple locations instead of just once.
Cisco ASA version 9.x supports 6 types of object group:
- ICMP-type – consists of ICMP message types.
- Network – consists of group-object entries, which allow nesting of other network object groups, and network-object entries, which contain 1 or more host entries. Network object-groups can be used in the SRC and/or DST fields in an ACL.
Continue reading “Implementing Cisco ASA object groups”