Cut-Through Authentication Proxy on the ASA is an excellent way to track and authorize users when they access resources on the network that you may not otherwise want them to access. I have used it to track user activity, to authorize users to network devices that they really should not be accessing whenever they feel like it, and to give a user a way to override the firewall policies that have been defined for a given subnet. In other words, it is a very useful function, and I believe it is vital for users as well as for the network administrator. Just so you know, this feature is just like the Auth-Proxy or Network Admission technologies on an IOS router.
Here is the topology we will be working with. I have set up a PC so we can simulate a typical user experience.
Well, I felt like my good friend Vybhav needed to have an interview done after interviewing a bunch of people, including myself, the past few months. He is a great study partner and I converse with him on a regular basis – almost daily in fact. I am not sure where he gets the time to do everything he does (blog, lab, study, play flight simulators), but he must have a great girlfriend. Vybhav and I are taking our labs on the same day and I know he will ace it on the first attempt. As I am sure all of you know, he has a great blog site @ tacack.com where he has a wealth of information in regards to the CCIE Security exam. So without further ado, please read on to find out things you may not have known about our good friend!

I manage several Cisco IOS devices with a lot of VPN connections on them; one device has 100+. So what happens when 1 of the 100 peers is failing to establish? Well, I can tell you, whatever you do, don’t do a debug crypto isakmp or debug crypto ipsec without any conditions… you will definitely give a big tug to the CPU on the device. This tug could be to the point that you can’t recover by issuing u all (undebug all). So to this end, a router reload would probably be the only option left, which would probably trigger some résumé updating.
So how do you go about picking the needle out of the haystack? Well, Cisco has given us an excellent tool to solve this issue: VPN conditional debugging. With conditional filtering for VPNs, we can filter based on several different attributes such as peer, GETVPN group, username, SPI, or connid, to name a few. This has definitely helped me out in a pinch and I am now in the habit of using this instead of just debugging everything crypto within the IOS device.
So how do we implement this great feature, you may ask? Well, quite easily, but then again everything is easy once you know what you are doing. So let’s head over to the command line and take a look…
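The sequence below is an added example of the workflow described above, not configuration from the post: set the condition first, turn the debugs on second, and tear both down afterwards. The peer address 192.0.2.10 is a placeholder for whichever of the many peers is failing; the condition keywords are the standard IOS ones (peer, username, connid, spi, local, isakmp profile).

```cisco
! Added example (not from the post): isolate one failing IPsec peer among many.
! 192.0.2.10 is a placeholder for the peer that will not establish.
!
! 1. Install the filter BEFORE enabling any crypto debug, so nothing unfiltered
!    reaches the CPU/console.
debug crypto condition peer ipv4 192.0.2.10
!
! 2. Confirm the condition is active and see what it currently matches.
show crypto debug-condition
!
! 3. Only now enable the debugs. Output is limited to sessions tied to the
!    condition instead of all 100+ peers.
debug crypto isakmp
debug crypto ipsec
!
! Optional: also print debug lines that cannot yet be tied to any condition
! (the first packets of a negotiation, before the peer is identified).
debug crypto condition unmatched
!
! 4. Tear down in this order: stop the debugs, then clear the conditions.
!    (Clearing conditions while debugs are still running would widen the filter.)
undebug all
debug crypto condition reset
```

Other filters follow the same shape, for example `debug crypto condition username <name>` for a remote-access user or `debug crypto condition connid <id>` for one SA; use `show crypto debug-condition` after each change to check what is in effect before starting the debug.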
Regular expression matching is used for several different applications within the Modular Policy Framework (MPF). A regular expression is basically text matching, either of exact text or of multiple variants of a text string. In most cases, whenever you run across name-based policies, you will more than likely need to configure regular expressions. The “regex” command is used to configure regular expressions within the security appliance. Below we will discuss some of the special characters, called metacharacters, that are used to create wildcard matching of text strings; these are the majority of the metacharacters we will be dealing with.
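As an added example that is not from the post, the configuration below shows the regex command in use within MPF on the ASA: two expressions using a few of the metacharacters (`.`, `*`, `\`, `$`), a regex class that groups them, and an HTTP inspection policy that drops requests whose Host header matches. All names (HOST-BAD1, BLOCKED-HOSTS, HTTP-POLICY, the example host names) are placeholders; the global_policy and inspection_default names are the ones a default ASA configuration ships with.

```cisco
! Added example (not from the post): regex-based HTTP inspection on the ASA.
! Object names and host names below are placeholders.
!
! Metacharacters used here:
!   .   any single character        *   zero or more of the preceding item
!   \   escape, so "\." is a literal dot   $   anchor at end of string
regex HOST-BAD1 "badsite\.example$"
regex HOST-BAD2 ".*\.badcdn\.example"
!
! Group the expressions; match-any means either one is a hit.
class-map type regex match-any BLOCKED-HOSTS
 match regex HOST-BAD1
 match regex HOST-BAD2
!
! Select HTTP requests whose Host header matches the regex class.
class-map type inspect http match-all HTTP-BLOCKED
 match request header host regex class BLOCKED-HOSTS
!
! Drop and log those connections inside an HTTP inspection policy.
policy-map type inspect http HTTP-POLICY
 parameters
 class HTTP-BLOCKED
  drop-connection log
!
! Attach the HTTP inspection to the default global service policy.
policy-map global_policy
 class inspection_default
  inspect http HTTP-POLICY
!
! Check an expression against sample text before relying on it.
test regex www.badsite.example "badsite\.example$"
```

The `test regex` line is the check worth getting into the habit of: it reports whether the text matches, so an unescaped dot or a missing anchor shows up before the policy is deployed rather than as unexpected drops or misses in production.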
Well, it appears that Cisco IOS is slowly gaining features that I love on the ASA. Although I find the ASA far superior when it comes to access-list technology, Cisco IOS is starting to make life easier in terms of updating and managing access-lists. One issue I always ran into when working with IOS ACLs is the addition or deletion of the entries that make up the ACL. So a basic extended access-list would start like this:
As per PacketU’s inquiry, static and dynamic VTI, L2TP over IPsec, and SSL VPN configurations work successfully within one router. I had one notebook running 3 different VPN clients at once: Cisco AnyConnect v2.4, Cisco VPN Client v5, and the Microsoft built-in client. It is interesting to note that with all 3 connected, the order in which traffic was encrypted was the Cisco VPN Client first, AnyConnect second, and the Microsoft client third.
DNS Re-Write (DNS Doctoring) on the Cisco ASA
Refer to the following topology
Scenario
Host1 on the inside network and Host4 on the DMZ network use name-server 136.1.122.2 (Host2), which is located on the outside network, to resolve DNS queries. Both hosts are trying to reach DMZ Host3 by name. They send a DNS resolution request for Host3 to the Host2 server. Host2 responds to the request with the IP address 136.1.122.50. They receive the response and try to connect to Host3 but are unsuccessful. What can be done so that the DNS record stays as is on Host2 and both Host1 and Host4 can reach Host3 by name?
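The following is an added example of the DNS rewrite (DNS doctoring) configuration for this scenario; it is not taken from the post. The post does not give Host3’s real DMZ address, so 10.0.0.50 is a placeholder; 136.1.122.50 is the address Host2 hands out, as stated above. Both the pre-8.3 `static` form and the 8.3+ object NAT form are shown; only one applies to a given ASA version.

```cisco
! Added example (not from the post): DNS doctoring on the ASA.
! 10.0.0.50 is a placeholder for Host3's real address on the DMZ.
! 136.1.122.50 is the mapped address that Host2 returns in its A record.
!
! The "dns" keyword makes the ASA rewrite the A record in DNS replies that
! pass through it: a reply carrying 136.1.122.50 is changed to 10.0.0.50 on
! the way to Host1 (outside -> inside) and to Host4 (outside -> dmz), so both
! connect to Host3's real address and the record on Host2 stays unchanged.
!
! ASA 8.2 and earlier:
static (dmz,outside) 136.1.122.50 10.0.0.50 netmask 255.255.255.255 dns
!
! ASA 8.3 and later (object NAT), equivalent to the line above:
object network HOST3
 host 10.0.0.50
 nat (dmz,outside) static 136.1.122.50 dns
!
! DNS application inspection must be enabled for the rewrite to occur.
! It is part of the default global policy; confirm it is in effect:
show service-policy inspect dns
!
! Verify the static translation exists:
show xlate
```

The rewrite depends on the DNS reply actually traversing the appliance with DNS inspection on; if a host resolves through a server on its own segment, the reply never crosses the ASA and nothing is doctored, which is a common reason the translation looks right in `show xlate` but clients still get the outside address.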
Enabling Telnet on the lowest security interface of the appliance has been one of those things that many people just don’t do, but it is nice to know whether it can be done and what is needed to do it, in case you do need to utilize it in your infrastructure. Cisco documentation states that Telnet can only be enabled on the lowest security interface as long as IPsec is terminated on that same interface. Hmmm. Keith over at INE posted a blog entry that can be found here – Bob’s Challenge. In one of Keith’s solutions (number 4), he does mention enabling IPsec on the tunnel interface, and one of the solutions shows how to do this.
This blog will discuss and show the ways that we can manage the device when connecting to the lowest security interface. Let’s observe the following, simple topology:

Interface F0/0 has been named outside and has the default security-level of 0. The IP addresses have been configured on the devices as shown in the above diagram.
Well, it has been busy these past few weeks, but fun and challenging at the same time. My good friend Vybhav (tacack.com) is a great study buddy, but I haven’t had time to really get online with him too much these past few weeks, so I apologize to him for that. Hopefully I can get back on track with him in the coming days (it really has been one heck of a week…).
So I focused largely on the IPS the past few weeks but feel that I still need more time with it. The only hands on I get is when I am going through my lab session which is only 8 hours a week for the next few weeks. I am still reading through the documentation though. I have a bunch of notes that I need to go through and make blog posts out of now. All in due time…
It is definitely a little overwhelming with the study process. I will be posting a new journal section quite soon that will log how many hours I am spending on study in the various technologies, both labbing and theory. I would also like to congratulate Paul Stewart, the latest CCIE Security guru, on completing his journey. He has been a great help/mentor and I enjoy his blog posts and work on the Cisco Learning Network. Please find his blog post in regards to his recent success here – Paul Stewart, CCIE 26009
Onto troubleshooting RTBH with Vybhav now… still working on that fun and challenging technology…
Well, it appears that Cisco has officially released its 64-bit IPsec VPN Client. The package is also half the size of earlier versions, although the 32-bit package is 3MB larger than this 64-bit package. Even though this is a very needed tool for remote access, I still prefer the AnyConnect package, which rides over SSL.
I ran into another big benefit of using AnyConnect yesterday… A business with several users that I had set up remote access for mentioned that their IPsec VPN Client wasn’t working. Doing some investigating, I found they had switched their method of connecting to the Internet and were now using wireless air cards. The VPN client would connect just fine over this connection, but we were unable to pass any encrypted traffic. It was narrowed down to the ISP blocking these encrypted packets over that air card connection. However, we tested with AnyConnect, which rides over SSL, and it worked just fine.
Just remember that you need a CCO account to download this latest software.