Cisco’s FlexVPN is a framework to configure IPSEC VPN’s on newer Cisco IOS devices, it was created to simplify the deployment of VPN solutions. It uses a common configuration template for all VPN types. FlexVPN is based on IKEv2 and does not support IKEv1. IKEv2 is a spoke and hub VPN technology. Example: R1 is the HUB, R2 & R3 are the spokes. We’ll use EIGRP as the routing protocol. Starting with the HUB, R1: !ipsec transform set crypto ipsec…
GETVPN is Cisco’s implementation of the GDOI standard (Group Domain of Interpretation). GDOI was originally created to allow for a less-cumbersome way to encrypt multicast traffic, an alternative to GRE over IPSEC tunnels. These days, GETVPN is used for private networks like MPLS where you use a single Security Association for all routers in a group. It gets around traditional IPSEC’s scaling issue (IPSEC being point to point) by issuing a single IPSEC SA for all routers in the group….
Site to Site VPN tunnels can be authenticated by using digital certificates instead of using pre-shared keys. With certificates, each peer gets a certificate from a centralized CA (certificate authority). When peers want to use IPsec they exchange the certificates to authenticate. The biggest advantage of using certificate based VPN’s is they are easier to scale up. Let’s say you have a home office and 3 branch offices connected via site to site VPN’s, and these VPN’s are protected using…
We’ve all used ping to test basic connectivity and we all know that command sends ICMP packets and waits for replies. On Cisco ASA’s you can also use an enhanced version of this command to send any TCP packet instead of just ICMP. This is awesome for troubleshooting purposes and verifying remote services/ports are up, running and reachable. It’s also a great trick to force traffic over a VPN connection to bring a tunnel up from the ASA! Let’s assume…
Cisco ASA Active/Active failover requires two identical Cisco ASA appliances talking to each other through a dedicated failover link and a dedicated stateful link (these can be the same interface). With Active/Active failover both appliances will carry traffic. Failover contexts and failover groups need to be created, the failover group is then applied to the Primary or Secondary ASA appliance. Example configuration parameters:ASA1 & ASA2 are the firewall names being used. Make sure the interfaces being used for the failover…
Active/Standby failover enables you to use a standby ASA to take over for a failed unit. When the active unit fails it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses and the MAC addresses of the failed unit and starts passing traffic. In Active/Standby failover, failover occurs on a unit basis, even on systems running in multiple context mode, you can’t failover individual contexts. Aside…
What is a GRE tunnel? Generic Routing Encapsulation (GRE) is a tunneling protocol that lets you run a routing protocol between endpoints. This example will create a GRE tunnel between two routers and will run EIGRP between the two. Topology Summary: 192.168.13.0/24 will be the Tunnel Network IP block Router-1 lo0 10.1.1.0/24 e0/0 192.1.12.2 Router-2 lo0 10.2.2.0/24 e0/0 192.1.23.2 Router-1 interface tunnel1 ip address 192.168.13.1 255.255.255.0 tunnel source 192.1.12.1 tunnel destination 192.1.23.3 router eigrp 100 no auto-summ net 192.168.13.0 net…
Five steps to configuring an IPSec Site to Site VPN! Configure Phase I – ISAKMP Parameters Configure Phase II – ESP Parameters Configure the interesting traffic ACL Link the above parameters to each other using a Crypto Map Apply the Crpyto Map to the outbound interface Notes: Items below between < > are meant to be replaced with a value Phase 1 parameters: pre shared key: cisco123 Peer IP: 192.1.23.3 Phase 1 encryption: 3des Phase 1 hash: md5 Phase 1…
DNS-based Security Intelligence allows you to use your FirePOWER implementation to blacklist traffic based on the domain name lookup requested by a client workstation. What’s cool is that items configured here are blocked BEFORE access control rules so you can block bad traffic without wasting resources inspection it further based on the work Cisco has already done, and continues to do via the Cisco Talos Security Intelligence and Research Group. These lists we’ll select below are automatically updated as Cisco…
If you want to be notified of system alerts without having to stare at the dashboard then you need to configure an email server and external alerting. Configure Email Notification Navigate to System > Configuration > Email Notification Enter the Mail Relay Host, the port number, the encryption method, the from address and the authentication settings and click Save. Make sure to click Test Mail Server Settings to make sure they are working properly before proceeding.
To upgrade an ASA’s FirePOWER module to version 6 and get it ready to be integrated into FirePOWER Management Center is a bit of a process but thankfully most of it isn’t production impacting. First a few prerequisites. The ASA must have a SSD drive installed and functional. Do a show inventory from the CLI to make sure one is found before you get started, if you have a drive installed but it’s not showing up try rebooting the ASA….
This will cover Classic Licensing, not Smart Licensing for FirePOWER features. You’ll receive your PAK code from Cisco either electronically or on a paper card. From there you can goto https://cisco.com/go/license to register it and get the actual .LIC file. If you haven’t purchased a license yet, you can get a demo license from Cisco by working with your sales engineer. Before you head over there you will need the License Key from the FirePOWER Management Center since that’s where…
You have FirePOWER Management Center all fired up and configured and you are getting lots of information but rather then seeing what user is doing what, you are just getting source computer IP addresses. You can tie FirePOWER into Active Directory to report on actual users as well as being able to create policies based on AD users. This lets you get much more granular with your approach. There are two ways to accomplish this, active authentication and passive authentication….
This will review deploying the Cisco FirePOWER Management Center on ESXi. The Management Center makes it possible to manage multiple FirePOWER devices from a central server, allowing you to scale up more efficiently. Before we get started, a few prerequisites. Make sure you have a VMware host (ESXi or ESX). You will need capacity on this host for 8GB RAM, 4 vCPU’s and 250GB storage (thick provisioned) for the FirePOWER Management Center VM. You can deploy this thin provisioned if…