CCNP SIMOS: IKEv2 Crypto Map between IOS Router and ASA Firewall

This blog post documents the steps to configure an IKEv2/IPsec Site-to-Site VPN between a Cisco ASA firewall (ASAv 9.9.1) and an IOS router (v15.4) using a Pre-Shared Key (PSK). Simple topology: ASA firewall configuration:

    // Define IKEv2 Policy
    crypto ikev2 policy 10
     encryption aes-gcm
     integrity null
     group 5
     prf sha256
     lifetime seconds 86400
    //…

CCNP SENSS: Implementing object groups

Cisco ASA and IOS devices support object groups, which can be referenced in place of IP addresses, services, security tags (TrustSec SGTs) and so on. Object groups simplify configuration and reduce the number of ACEs in an ACL, because a single ACE can reference an object group consisting of multiple hosts or services. Configurations also become easier to maintain, as you can modify the object…

CCNP SENSS: ASA Botnet Filtering

In a botnet attack, computers become infected with malware and the infected hosts then attempt to contact the botnet command and control servers. When configured, the Botnet Traffic Filter on the Cisco ASA firewall checks incoming and outgoing connections against a dynamic SensorBase database (downloaded from Cisco) which contains information on known…

CCNP SENSS: Prevent TCP attacks on a Cisco ASA

An attacker can launch a DoS attack by flooding a host with thousands of TCP SYN packets. Because the source addresses are spoofed, the host server has no way to complete the handshake, so half-open TCP connections accumulate on the host and consume resources until the host is overwhelmed and packets are dropped. On the Cisco…

Cisco ASA AnyConnect VPN with Static Client IP Address

When using a Cisco ASA with the AnyConnect VPN Client software, in some instances it is useful to assign the same static IP address to a client whenever they connect to the VPN. Within Active Directory you can configure a static IP address per user, and the ASA can use this IP address whenever the user connects to…

Configuring IKEv2 Site-to-Site VPN on Cisco ASA

This blog post provides the basic configuration needed to set up a Site-to-Site VPN between two Cisco ASA firewalls using the IKEv2 protocol. The lab scenario was built in GNS3 using the following images: Cisco ASAv version 9.5(2) and Cisco IOS version 15.2(4). A VPN will be set up between the two Cisco ASA firewalls (ASAv-1 and…

Configuring Cisco ASA Active/Standby Failover

Identical Cisco ASA firewalls (same hardware, model, interfaces, RAM etc.) can be configured for failover, allowing for uninterrupted network connectivity if one unit fails. The Cisco ASA supports two failover configurations: Active/Active (both appliances pass traffic) and Active/Standby (only the active appliance passes traffic, whilst the other appliance waits for a failure or failover to occur). The ASA appliances…