ASA AnyConnect IKEv2/IPSec VPN


See the previous blog post which documents the steps to setup AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (Username/Password and Certificate).

ASA Configuration

Create a Crypto Keypair

crypto key generate rsa label VPN_KEY modulus 2048

Create a CA Trustpoint

crypto ca trustpoint LAB_PKI
fqdn asa-1.lab.net
subject-name CN=asa-1.lab.net,OU=LAB,ST=London,C=GB
keypair VPN_KEY
enrollment terminal
crl nocheck
Continue reading “ASA AnyConnect IKEv2/IPSec VPN”
Advertisements

IKEv2/IPSec Crypto Map between IOS Router and ASA Firewall


This blog post will document the steps to configure an IKEv2/IPSec Site-to-Site VPN between a Cisco ASA firewall (ASAv 9.9.1) and an IOS Router (v15.4) using a Pre-Shared Key (PSK).

Simple topology:

ASA Firewall Configuration

Define IKEv2 Policy

crypto ikev2 policy 10
encryption aes-gcm
integrity null
group 5
prf sha256
lifetime seconds 86400
Continue reading “IKEv2/IPSec Crypto Map between IOS Router and ASA Firewall”

Cisco ASA Botnet Filtering


In a botnet attack computers can become infected with malware, the infected hosts will attempt to contact the botnet command and control servers. When configured the Botnet filter on the Cisco ASA firewall can be leveraged to check incoming and outgoing connections against a dynamic SensorBase database (downloaded from cisco) which contains information of known bad domain names and IP addresses, and then logs/blocks any suspicious activity. In addition to the dynamic database you can define a static blacklist of domain names/IP addresses. You can make use of a whitelist to allow blacklisted addresses defined in the dynamic database downloaded from Cisco.


The ASA monitors DNS queries for known bad domain names/IP addresses; this information is added to the DNS reverse lookup cache. When a connection is made the ASA will compare DNS replies against the database, if it matches a known bad domain name/IP address the connection is dropped and a syslog message is generated.

Continue reading “Cisco ASA Botnet Filtering”

Prevent TCP attacks on a Cisco ASA


An attacker can launch a DOS attack by flooding a host with thousands of TCP SYN packets, the source address would be spoofed with no way for the host server to respond, this would create half-open TCP connections on the host consuming resources until the host is overwhelmed and packets are dropped.

On the Cisco ASA you can configure the Modular Policy Framework (MPF) to restrict the number of TCP half-open connections (embryonic-conn-max). When enabled, the MPF policy will intercept the tcp SYN and only forward the connection once the 3-way handshake is complete.

This blog post describes the steps use in order to limit half-open connections and to demonstrate this in action using hping3 tool, to simulate an attack.

Continue reading “Prevent TCP attacks on a Cisco ASA”

CCNP ROUTE 2.0: EIGRP


  • Uses the DUAL algorithm, which determines a loop free network topology
  • When a change occurs only the routing table changes are propagated, NOT the entire routing table.
  • Only routers affected by a topology change update their topology
  • Backup routes means fast convergence – Hybrid, only knows what networks it is connect to, this means faster convergence.
  • Simple configuration doesn’t require multiple areas unlike OSPF.
  • Can summarise from anywhere on the network, unlike OSPF which can only summarise on ABR or ASBR
  • Unequal cost load balancing
  • Rapid convergence

Continue reading “CCNP ROUTE 2.0: EIGRP”

CCNP ROUTE 2.0: IP Helper Address, Debug IP Packet, Identifying Memory Issues & Core Dumps


IP Helper Address Command

Routers or Multilayer Switches cannot forward broadcasts, but enabling the IP Helper Address command allows it to forward UDP broadcasts and forward them as a unicast to the address specified. The command “ip helper-address” must be configured on the interface/VLAN receiving the broadcasts. On a MLS for all users in VLAN 10 then the IP Helper Address must be configured on the VLAN SVI.

interface vlan 10
ip helper-address 10.10.10.1

The command forwards 8 UDP broadcasts by default

  • Time (37)
  • TACACS (49)
  • DNS (53)
  • BOOTP (DHCP Server) (67)
  • BOOTP (DHCP Client) (68)
  • TFTP (69)
  • NetBIOS Name Service (137)
  • NetBIOS Datagram Service (138)

You can specify additional UDP protocols to forward using the command “ip forward-protocol udp“, you can remove protocols using the command “no ip forward-protocol udp

Debug IP Packet

Just issuing the command “debug ip packet” will debug everything and could potentially overload the router. You can create an ACL to filter the source/destination of the traffic eg

Create the ACL “access-list 100 permit ip 192.168.250.2 0.0.0.0 any log
Enable debug utilising the ACL 100 “debug ip packet 100

Identifying Memory Issues
Signs of a memory problem with a router:

  • Router hanging when connecting via the console cable
  • If router rejects telnet sessions the router may have a memory issue
  • If the router displays memory issues on the console
  • If the router tells you it is low on memory
  • If there is no output from a show command

If the router is hanging Cisco recommends disconnecting the network cables to the router and try again.

Use the “show memory allocating-process totals” or “show memory summary

Core Dumps

A core dump is a copy of the router’s entire memory, not just the memory that is in use.
A core dump can disrupt the operation of the device, do not run the command during heavy load or run from direction from Cisco TAC.
The core dump can be created via either FTP, RCP (Remote Copy Protocol), TFTP or to flash disk.

Requires the use of the “exception core-file” and “exception region-size” commands

The “exception core-file” command changes the default name of the core dump, the default would be the router name followed by –core. E.g “CORE-ROUTER-core”. The “exception region-size” command reserves some memory to be used by the core dump in case the memory pool is corrupted, the default is 16384 bytes.

You specify which protocol to use using the command “exception protocol“, then select ftp, rcp or tftp.

Configure Core Dump using FTP

ip ftp username
ip ftp password
exception protocol ftp
exception region-size 65536
exception dump 10.10.0.1

Configure Core Dump using RCP

ip rcmd remote-username
exception protocol rcp
exception region-size 65536
exception dump 10.10.0.1

Core Dump using TFTP

exception protocol tftp
exception region-size 65536
exception dump 10.10.0.1

Configure Core Dump to Flash Disk

exception flash procmem|iomem|all device_name [:partition_number]

You can test a core dump by executing the command “write core

CCNP ROUTE 2.0: Telnet, VTY, AAA


Telnet to VTY Line

As default the VTY lines are configured with the command “login”

line vty 0 4
login

If you attempt to telnet to the device without specifying a password on the VTY line you will get the error “Password required, but none set”. You must specify a password on the VTY line using the command “password XXXXXX” under the VTY line.

line vty 0 4
password XXXXXX
login

If you then telnet to the device you can login using the password specified, you are placed in User EXEC mode. In order to login to Global Config mode you must then enter the enable secret/password.

enable secret” – the enable secret is ENCRYPTED (in the running config) and takes precedence over the enable password
enable password” – unencrypted password (in cleartext in the running config)

Not a good idea to share a VTY and enable password amongst a team, no accountability and a security hole. Better to use an AAA database.

Local AAA database (self contained deployment)

Configure the VTY Line to use the local database

line vty 0 4
login local

Specify a local database by creating local user accounts

Create a username with either a cleartext/unencrypted (password) or encrypted password (secret). When you login to telnet you will be logged into User EXEC mode.

username ADMIN password PASSWORD"
username ADMIN secret SECRETPASSWORD

To log straight into Global Config mode when you telnet to a device, specify the privilege level of 15 when creating the account.

username ADMIN privilege 15 password PASSWORD

Hashes the local and enable cleartext passwords in the running configuration

service password-encryption

Central Authentication using RADIUS/TACACS+

AAA allows the ability to grant access and tracks the actions of an administrator when managing a device; you can use either RADIUS or TACACS+. Each device (switch/router/firewall etc) is configured with a pre-shared key to establish communication between the device and the AAA server.

Authentication – identifies the users (username/password)
Authorization – determine what rights the user has or what they can do once logged into the device
Accounting – logging the connection information, what user, what time, what device, what client IP, if TACACS+ what commands they used.

A central AAA server has the following advantages over a local AAA database:

  • Central database of contain users, no need to update username/passwords when an administrator starts/leaves
  • Accounting functionality allows you to report on what the user did

TACACS+

  • Cisco proprietary
  • TCP port 49
  • Encrypts the entire packet

RADIUS

  • Open standard
  • UDP 1812/1813
  • Encrypts only the password

Configure AAA Server

Enable AAA (for either RADIUS/TACACS+) globally on a device using the command

aaa new-model

Define the TACACS+ or RADIUS server (depending on which one you are using) with a shared secret password

tacacs-server host key 
radius-server host key

Define an Exec Mode login authentication method

aaa authentication login default group radius local
aaa authentication login default group tacacs+ local
line vty 0 15
login authentication default

Instead of using a default method list you can define a named list using the same parameters

aaa authentication login VTY group radius group tacacs+ local
line vty 0 15
login authentication VTY

If no method list is specified then the default method list will be used. A defined named method list overrides the default method list.

NOTE – The command “local” applied after radius/tacacs+ is a secondary authentication method and is useful in the event of the AAA server failing