ASA AnyConnect IKEv2/IPSec VPN

See the previous blog post, which documents the steps to set up AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration by adding support for IKEv2/IPSec and using double authentication (username/password and certificate).

ASA Configuration

Create a Crypto Keypair

crypto key generate rsa label VPN_KEY modulus 2048

Create a CA Trustpoint

crypto ca trustpoint LAB_PKI
fqdn asa-1.lab.net
subject-name CN=asa-1.lab.net,OU=LAB,ST=London,C=GB
keypair VPN_KEY
enrollment terminal
crl nocheck


IKEv2/IPSec Crypto Map between IOS Router and ASA Firewall

This blog post will document the steps to configure an IKEv2/IPSec Site-to-Site VPN between a Cisco ASA firewall (ASAv 9.9.1) and an IOS Router (v15.4) using a Pre-Shared Key (PSK).

Simple topology:


ASA Firewall Configuration

Define IKEv2 Policy
crypto ikev2 policy 10
encryption aes-gcm
integrity null
group 5
prf sha256
lifetime seconds 86400


Cisco ASA Botnet Filtering

In a botnet attack, computers become infected with malware and the infected hosts then attempt to contact the botnet command and control servers. When configured, the Botnet Traffic Filter on the Cisco ASA firewall checks incoming and outgoing connections against a dynamic SensorBase database (downloaded from Cisco) of known bad domain names and IP addresses, and logs or blocks any suspicious activity. In addition to the dynamic database you can define a static blacklist of domain names and IP addresses, and a whitelist to allow addresses that are blacklisted in the dynamic database downloaded from Cisco.


Prevent TCP attacks on a Cisco ASA

An attacker can launch a DoS attack by flooding a host with thousands of TCP SYN packets. The source addresses are spoofed, so the host server has no way to complete the handshake; this leaves half-open TCP connections on the host that consume resources until the host is overwhelmed and packets are dropped.

On the Cisco ASA you can configure the Modular Policy Framework (MPF) to restrict the number of TCP half-open connections (embryonic-conn-max). When the limit is reached, the ASA intercepts the TCP SYN (TCP Intercept) and only forwards the connection to the server once the 3-way handshake with the client is complete.

This blog post describes the steps used to limit half-open connections and demonstrates this in action using the hping3 tool to simulate an attack.

CCNP ROUTE 2.0: EIGRP

  • Uses the DUAL algorithm, which determines a loop free network topology
  • When a change occurs only the routing table changes are propagated, NOT the entire routing table.
  • Only routers affected by a topology change update their topology
  • Backup routes mean fast convergence – as a hybrid protocol it only knows the networks it is connected to, which also means faster convergence.
  • Simple configuration doesn’t require multiple areas unlike OSPF.
  • Can summarise from anywhere on the network, unlike OSPF which can only summarise on ABR or ASBR
  • Unequal cost load balancing
  • Rapid convergence

CCNP ROUTE 2.0: IP Helper Address, Debug IP Packet, Identifying Memory Issues & Core Dumps

IP Helper Address Command

Routers and multilayer switches do not forward broadcasts by default, but the IP Helper Address command allows them to relay UDP broadcasts as unicasts to the address specified. The command “ip helper-address” must be configured on the interface/VLAN receiving the broadcasts. On an MLS, for all users in VLAN 10, the IP Helper Address must be configured on the VLAN 10 SVI.


interface vlan 10
ip helper-address 10.10.10.1

CCNP ROUTE 2.0: Telnet, VTY, AAA

Telnet to VTY Line

By default the VTY lines are configured with the command “login”

line vty 0 4
login

If you attempt to telnet to the device without a password configured on the VTY line you will get the error “Password required, but none set”. You must specify a password on the VTY line using the command “password XXXXXX” under the VTY line configuration.

line vty 0 4
password XXXXXX
login