IKEv2/IPSec VTI tunnel between ASA Firewall and IOS Router

Cisco introduced VTI to ASA Firewalls in version 9.7.1 as an alternative to policy-based crypto maps. Cisco IOS routers have long supported VTI (sVTI, DVTI, DMVPN, FlexVPN etc.). This post describes the steps to configure a VTI between a Cisco ASA Firewall and a Cisco IOS Router.

Hardware/Software used:
Cisco ASAv (v9.9.1)
Cisco CSR1000v (v16.3.3)



IKEv2/IPSec Crypto Map between IOS Router and ASA Firewall

This blog post will document the steps to configure an IKEv2/IPSec Site-to-Site VPN between a Cisco ASA firewall (ASAv 9.9.1) and an IOS Router (v15.4) using a Pre-Shared Key (PSK).

Simple topology:

ASA Firewall Configuration

Define IKEv2 Policy
crypto ikev2 policy 10
encryption aes-gcm
integrity null
group 5
prf sha256
lifetime seconds 86400
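The ASA policy above only brings a tunnel up if the IOS side offers the same attributes. As an added example (not from the original post), here is an IOS IKEv2 proposal, keyring, profile and crypto map that match it; the peer addresses (203.0.113.1 for the ASA, 198.51.100.1 for the router), the pre-shared key and the protected subnets are assumed values. On the ASA, "encryption aes-gcm" means AES-GCM with a 128-bit key, so the IOS proposal uses aes-gcm-128, and because GCM provides its own integrity no "integrity" line is configured in the proposal.

```cisco
! Added example: IOS side of the IKEv2/IPSec crypto map. Addresses, key and
! subnets are assumptions, not values from the original post.
crypto ikev2 proposal ASA-PROPOSAL
 encryption aes-gcm-128
 prf sha256
 group 5
!
crypto ikev2 policy ASA-POLICY
 proposal ASA-PROPOSAL
!
crypto ikev2 keyring ASA-KEYRING
 peer ASA
  address 203.0.113.1
  pre-shared-key ChangeMe-UseALongRandomKey
!
crypto ikev2 profile ASA-PROFILE
 match identity remote address 203.0.113.1 255.255.255.255
 identity local address 198.51.100.1
 authentication remote pre-share
 authentication local pre-share
 keyring local ASA-KEYRING
 lifetime 86400
!
! Data-plane (child SA) protection; the ASA side needs an ikev2 ipsec-proposal
! with the same ESP algorithm.
crypto ipsec transform-set ASA-TS esp-gcm 128
 mode tunnel
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map ASA-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ASA-TS
 set ikev2-profile ASA-PROFILE
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map ASA-MAP
```

After traffic matching VPN-TRAFFIC is sent, "show crypto ikev2 sa" on the router and "show crypto ikev2 sa" on the ASA should show the IKE SA in READY state, and "show crypto ipsec sa" should show encaps/decaps counters incrementing. Group 5 (1536-bit MODP) is kept here only to match the policy on the page; for new deployments group 14 or an ECP group is the better choice, and both sides must be changed together.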


Implementing Cisco ASA object groups

Cisco ASA and IOS devices support object groups, which can be referenced in place of IP addresses, services, security tags (TrustSec SGTs) etc. Object groups simplify configuration and reduce the number of ACEs in an ACL, since a single ACE can reference an object group consisting of multiple hosts or services. Configurations also become easier to maintain: modifying the object group is reflected everywhere in the configuration that references it, whereas without object groups the same parameter may have to be modified in multiple locations instead of just once.

Cisco ASA version 9.x supports 6 types of object group:

  • ICMP-type – consist of ICMP messages types.
  • Network – consists of network-object entries (a host, a subnet, or a named network object) and group-object entries, which nest other network object groups. Network object-groups can be used in the SRC and/or DST fields in an ACL.
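As an added example (not from the original post), the configuration below builds a nested network object-group and a TCP service object-group, then uses them in a single ACE; the hosts and ports are assumed values. Without the groups, the same policy would need one ACE per server/port combination.

```cisco
! Added example: object groups on an ASA (9.x). Addresses are assumptions.
object network WEB-1
 host 192.0.2.10
object network WEB-2
 host 192.0.2.11
!
! Network object-group; network-object entries can be hosts, subnets or
! named objects, and group-object nests another network object-group.
object-group network WEB-SERVERS
 network-object object WEB-1
 network-object object WEB-2
object-group network ALL-SERVERS
 group-object WEB-SERVERS
 network-object host 192.0.2.20
 network-object 192.0.2.32 255.255.255.240
!
! Service object-group scoped to TCP, holding the allowed ports.
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
!
! Equivalent long-hand policy without object groups would be:
!   access-list OUTSIDE-IN extended permit tcp any host 192.0.2.10 eq www
!   access-list OUTSIDE-IN extended permit tcp any host 192.0.2.10 eq https
!   access-list OUTSIDE-IN extended permit tcp any host 192.0.2.11 eq www
!   access-list OUTSIDE-IN extended permit tcp any host 192.0.2.11 eq https
! One ACE referencing the groups expands to the same entries:
access-list OUTSIDE-IN extended permit tcp any object-group WEB-SERVERS object-group WEB-PORTS
access-group OUTSIDE-IN in interface outside
```

"show access-list OUTSIDE-IN" displays the expanded entries and their hit counts, which is the quickest way to confirm the group expands to exactly the hosts and ports intended. Adding a third host to WEB-SERVERS updates every ACL that references the group; ALL-SERVERS picks up the change as well because it nests WEB-SERVERS.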

Cisco ASA Botnet Filtering

In a botnet attack, computers become infected with malware and the infected hosts then attempt to contact the botnet's command and control servers. When configured, the Botnet Traffic Filter on the Cisco ASA firewall checks incoming and outgoing connections against a dynamic SensorBase database (downloaded from Cisco) of known bad domain names and IP addresses, and logs or blocks any matching activity. In addition to the dynamic database you can define a static blacklist of domain names/IP addresses, and a whitelist to override entries that are blacklisted in the dynamic database downloaded from Cisco.
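As an added example (not from the original post), this is the set of ASA commands that enables the dynamic database, adds a static blacklist and whitelist, turns on DNS snooping so that domain-name entries can be matched against resolved addresses, and drops blacklisted traffic on the outside interface. The DNS server, domain names and addresses are assumed values, and the feature requires the Botnet Traffic Filter license.

```cisco
! Added example: Cisco ASA Botnet Traffic Filter. Names/addresses are assumptions.
! The ASA needs working DNS to download the dynamic database.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
! Download the dynamic database from Cisco and use it for classification.
dynamic-filter updater-client enable
dynamic-filter use-database
!
! Administrator-defined static entries. The whitelist wins over a dynamic
! database entry for the same name or address.
dynamic-filter blacklist
 name bad-c2.example.net
 address 198.51.100.0 255.255.255.0
dynamic-filter whitelist
 name partner.example.com
 address 203.0.113.10 255.255.255.255
!
! DNS snooping: inspect DNS replies so blacklisted domain names are mapped
! to the IP addresses the infected hosts will actually connect to.
class-map dynamic-filter_snoop_class
 match port udp eq domain
policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside
!
! Classify all traffic on the outside interface and drop blacklisted flows.
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
```

"show dynamic-filter updater-client" confirms the database download, and "show dynamic-filter statistics" shows how many connections were classified and dropped. Without the drop command the filter only logs matches, which is a sensible first step to validate the whitelist before blocking.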


Prevent TCP attacks on a Cisco ASA

An attacker can launch a DoS attack by flooding a host with thousands of TCP SYN packets whose source addresses are spoofed, so the host's SYN-ACK replies are never answered. Each unanswered SYN leaves a half-open TCP connection consuming resources on the host until it is overwhelmed and legitimate packets are dropped.

On the Cisco ASA you can use the Modular Policy Framework (MPF) to limit the number of TCP half-open (embryonic) connections for a class of traffic (embryonic-conn-max). Once the limit is reached, the ASA's TCP Intercept feature answers the client's SYN on behalf of the server and only forwards the connection to the server once the client completes the 3-way handshake, so spoofed SYNs never consume resources on the protected host.

This blog post describes the steps used to limit half-open connections and demonstrates them in action using the hping3 tool to simulate an attack.
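As an added example (not from the original post), the MPF policy below limits embryonic connections to an assumed web server at 192.0.2.80 and shortens the embryonic timeout. The limits are deliberately small so that the protection can be seen kicking in during a lab test.

```cisco
! Added example: limiting TCP half-open connections with MPF. The server
! address and limits are assumptions for a lab.
object network WEB-SERVER
 host 192.0.2.80
!
! Match only the traffic that should be protected.
access-list TCP-LIMIT-ACL extended permit tcp any object WEB-SERVER eq www
!
class-map TCP-LIMIT-CLASS
 match access-list TCP-LIMIT-ACL
!
policy-map TCP-LIMIT-POLICY
 class TCP-LIMIT-CLASS
  ! Total half-open connections allowed before TCP Intercept takes over,
  ! and the per-client ceiling that catches a single noisy source.
  set connection embryonic-conn-max 100 per-client-embryonic-max 10
  ! Drop embryonic connections that never complete the handshake quickly.
  set connection timeout embryonic 0:00:30
!
service-policy TCP-LIMIT-POLICY interface outside
```

To simulate the attack from a host on the outside, "hping3 -S -p 80 --flood --rand-source 192.0.2.80" sends SYNs with random spoofed sources. While it runs, "show service-policy interface outside set connection" shows the embryonic counter pinned at the limit and "show conn" on the ASA shows the proxied flows, whereas the server itself sees only connections that completed the handshake.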

Cisco ASA AnyConnect VPN with Static Client IP Address

When using a Cisco ASA with the AnyConnect VPN client software, it is sometimes useful to assign the same static IP address to a client whenever they connect to the VPN. Within Active Directory you can configure a static IP address per user and use this IP address whenever the user connects to the VPN. The RADIUS server (in this instance Cisco ISE 2.0) can be configured to query the AD attribute that holds this value, msRADIUSFramedIPAddress, and assign it to the client whenever they connect.

This blog post describes the steps to modify the configuration of the ASA, ISE and AD, and assumes the Cisco ASA is already properly configured: users can successfully authenticate using the AnyConnect VPN client and receive an IP address from the IP address pool. Cisco ISE is defined as the RADIUS server, with Active Directory defined as the external identity source.

Configuring IKEv2 Site-to-Site VPN on Cisco ASA

This blog post provides the basic configuration needed to set up a Site-to-Site VPN between two Cisco ASA firewalls using the IKEv2 protocol.

The following lab scenario was setup in GNS3 using the following images:

  • Cisco ASAv version 9.5(2)
  • Cisco IOS version 15.2(4)

A VPN will be set up between the 2 Cisco ASA firewalls (ASAv-1 and ASAv-2). The 2 routers (R1 and R2) act as hosts in the local networks in order to generate traffic and bring up the VPN tunnel on demand.