Configuring Cisco ASAv in GNS3

I was looking for a new convenient lab solution to run natively on my PC, rather than fire up my noisy dedicated HP ProLiant lab server, in order to use the Cisco ASAv. I’ve used GNS3 for IOS devices regularly but never had the chance to use the ASAv. This blog post details the configuration steps I took in order to configure Cisco ASAv with GNS3.

Configuring Cisco FlexVPN Hub-and-Spoke

In a FlexVPN Hub-and-Spoke design, spoke routers are configured with a normal static VTI whose tunnel destination is the Hub’s IP address; the Hub, however, is configured with a Dynamic VTI. The DVTI on the Hub router is not configured with a static mapping to the peer’s IP address. The VTI on the Hub is created dynamically from a preconfigured tunnel template (“virtual-template”) when a tunnel is initiated by the spoke router/peer. The dynamic tunnel spawns a separate “virtual-access” interface for each spoke tunnel, inheriting its configuration from the cloned template.


Configuring Cisco FlexVPN SVTI

As mentioned in the previous blog post, FlexVPN configuration can be minimized by using the Smart Defaults, which comprise default configurations for the IKEv2 Proposal, IKEv2 Policy, IPSec Profile and Transform Set. This post provides a simple configuration example using Smart Defaults and one using custom configurations.

Configuration Example – FlexVPN SVTI with Smart Defaults

This simple lab configuration sets up an SVTI Site-to-Site VPN between 2 Cisco IOS routers.

Cisco FlexVPN Overview

FlexVPN is a framework for configuring IPSec VPNs on Cisco IOS devices; it was created to simplify the deployment of VPN solutions of all types (Site-to-Site, Remote Access etc.). It uses a common configuration template for all VPN types. FlexVPN is based on IKEv2 and does not support IKEv1.

IKEv2 Features

  • IKEv2 is more secure than IKEv1 because it supports the latest Suite B cryptographic algorithms
  • Built-in support for Dead Peer Detection (DPD) and NAT-Traversal
  • Is resistant to DoS attacks
  • Consolidated IKEv1 main and aggressive modes into one method, called “initial”
  • Supports more authentication methods; in addition to PSK and certificates, it also supports EAP authentication.
  • XAUTH is not used in IKEv2; EAP is used for authentication instead. EAP Tunneling: EAP-TLS, EAP-PEAP, EAP-PSK. EAP Non-Tunnelling: EAP-MSCHAPv2, EAP-MD5, EAP-GTC and EAP AnyConnect.

Configuring a Cisco IOS VTI based tunnel

IPSec VTIs (Virtual Tunnel Interfaces) simplify the configuration of a VPN compared to using crypto maps or GRE IPSec tunnels. A benefit of using VTIs is that the configuration does not have to be tied to a physical interface, which allows bespoke configuration per VTI. You can use a dynamic routing protocol (EIGRP, OSPF etc.) or QoS defined per VTI.

VTI Configuration Example using defaults

To set up a basic VTI-based site-to-site VPN you can use the crypto defaults (ISAKMP Policy, IPSec Transform Set and IPSec Profile); in addition to the VTI, the only crypto configuration needed is a Pre-Shared Key.

Step 1 – Define a Pre-Shared Key

R1(config)# crypto isakmp key cisco123 address

Step 2 – Configure Tunnel Interface

R1(config)# interface tunnel 0
R1(config-if)# ip address
R1(config-if)# tunnel source fastethernet 0/0
R1(config-if)# tunnel destination
R1(config-if)# tunnel mode ipsec ipv4
R1(config-if)# tunnel protection ipsec profile default



CCNP ROUTE 2.0: EIGRP

  • Uses the DUAL algorithm, which determines a loop-free network topology
  • When a change occurs, only the routing table changes are propagated, NOT the entire routing table.
  • Only routers affected by a topology change update their topology
  • Backup routes mean fast convergence – Hybrid, only knows what networks it is connected to, which means faster convergence.
  • Simple configuration; doesn’t require multiple areas, unlike OSPF.
  • Can summarise from anywhere on the network, unlike OSPF, which can only summarise on an ABR or ASBR
  • Unequal cost load balancing
  • Rapid convergence

CCNP ROUTE 2.0: IP Helper Address, Debug IP Packet, Identifying Memory Issues & Core Dumps

IP Helper Address Command

Routers and Multilayer Switches cannot forward broadcasts, but enabling the IP Helper Address command allows them to forward UDP broadcasts as unicasts to the address specified. The command “ip helper-address” must be configured on the interface/VLAN receiving the broadcasts. On an MLS, for all users in VLAN 10, the IP Helper Address must be configured on the VLAN SVI.

interface vlan 10
ip helper-address
