See the previous blog post which documents the steps to setup AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (Username/Password and Certificate).
Create a Crypto Keypair
crypto key generate rsa label VPN_KEY modulus 2048
Create a CA Trustpoint
crypto ca trustpoint LAB_PKI
Continue reading “ASA AnyConnect IKEv2/IPSec VPN”
This blog post will document the steps to configure an IKEv2/IPSec Site-to-Site VPN between a Cisco ASA firewall (ASAv 9.9.1) and an IOS Router (v15.4) using a Pre-Shared Key (PSK).
ASA Firewall Configuration
Define IKEv2 Policy
crypto ikev2 policy 10
lifetime seconds 86400
Continue reading “IKEv2/IPSec Crypto Map between IOS Router and ASA Firewall”
In a botnet attack computers can become infected with malware, the infected hosts will attempt to contact the botnet command and control servers. When configured the Botnet filter on the Cisco ASA firewall can be leveraged to check incoming and outgoing connections against a dynamic SensorBase database (downloaded from cisco) which contains information of known bad domain names and IP addresses, and then logs/blocks any suspicious activity. In addition to the dynamic database you can define a static blacklist of domain names/IP addresses. You can make use of a whitelist to allow blacklisted addresses defined in the dynamic database downloaded from Cisco.
Continue reading “Cisco ASA Botnet Filtering”
An attacker can launch a DOS attack by flooding a host with thousands of TCP SYN packets, the source address would be spoofed with no way for the host server to respond, this would create half-open TCP connections on the host consuming resources until the host is overwhelmed and packets are dropped.
On the Cisco ASA you can configure the Modular Policy Framework (MPF) to restrict the number of TCP half-open connections (embryonic-conn-max). When enabled, the MPF policy will intercept the tcp SYN and only forward the connection once the 3-way handshake is complete.
This blog post describes the steps use in order to limit half-open connections and to demonstrate this in action using hping3 tool, to simulate an attack.
Continue reading “Prevent TCP attacks on a Cisco ASA”
IP Helper Address Command
Routers or Multilayer Switches cannot forward broadcasts, but enabling the IP Helper Address command allows it to forward UDP broadcasts and forward them as a unicast to the address specified. The command “ip helper-address” must be configured on the interface/VLAN receiving the broadcasts. On a MLS for all users in VLAN 10 then the IP Helper Address must be configured on the VLAN SVI.
interface vlan 10
ip helper-address 10.10.10.1
Continue reading “CCNP ROUTE 2.0: IP Helper Address, Debug IP Packet, Identifying Memory Issues & Core Dumps”
Telnet to VTY Line
As default the VTY lines are configured with the command “login”
line vty 0 4
If you attempt to telnet to the device without specifying a password on the VTY line you will get the error “Password required, but none set”. You must specify a password on the VTY line using the command “password XXXXXX” under the VTY line.
line vty 0 4
Continue reading “CCNP ROUTE 2.0: Telnet, VTY, AAA”