Showing posts with label ccnp security. Show all posts
Showing posts with label ccnp security. Show all posts

Cisco ASA 8.4 IOS - Remote Access VPN

Below is the minimal configuration needed to implement remote access VPN's on a Cisco ASA 5505 running 8.4. Please keep in mind that the names that I used in my configuration is of my dog but it's best practice to use a name that describes what / who its for.


Enable ISAKMP on the interface:

ASA-2(config)# crypto ikev1 enable outside

ASA-2(config)# crypto ikev1 policy 1

ASA-2(config-ikev1-policy)# encryption 3des

ASA-2(config-ikev1-policy)# authentication pre-share

ASA-2(config-ikev1-policy)# hash md5

Setup your Group Policies & Tunnel Policies

ASA-2(config)# group-policy oscar_GP internal

ASA-2(config)# group-policy oscar_GP attributes

ASA-2(config-group-policy)# vpn-tunnel-protocol ikev1

ASA-2(config-group-policy)# address-pools value oscar_pool

 *******************

ASA-2(config)# tunnel-group oscar_tg type remote-access

ASA-2(config)# tunnel-group oscar_tg general-attributes

ASA-2(config-tunnel-general)# default-group-policy oscar_GP

ASA-2(config-tunnel-general)# authentication-server-group LOCAL 

ASA-2(config)# tunnel-group oscar_tg ipsec-attributes

ASA-2(config-tunnel-ipsec)# ikev1 pre-shared-key C1sc0

 *******************

ASA-2(config)# crypto ipsec ikev1 transform-set oscar_trans esp-3des esp-md5-hmac

ASA-2(config)# ip local pool oscar_pool 10.1.2.140-10.1.2.145 mask 255.255.255.0

ASA-2(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set oscar_trans

ASA-2(config)#username oscar password omEMDQBc9noujG1X encrypted privilege 15

ASA-2(config)# crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

ASA-2(config)# crypto map outside_map interface outside


From http://adrian-brayton.blogspot.com.ar/2011/07/cisco-asa-84-ios-remote-access-vpn.html
No comments:

Site to Site vpn config example ASA 8.4 or newer.

Just copy paste.
Mirror this config on the other side.

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
object network OBJ-SiteA
subnet 10.0.0.0 255.255.255.0
object network OBJ-SiteB
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-TRAFIC extended permit ip object OBJ-SiteA object OBJ-SiteB
nat (inside,outside) source static OBJ-SiteA OBJ-SiteA destination static OBJ-SiteB OBJ-SiteB no-proxy-arp route-lookup
!
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 ipsec-attributes
pre-shared-key cisco123
isakmp keepalive threshold 10 retry 2 (Optional)
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-3des esp-md5-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-TRAFIC
crypto map CRYPTO-MAP 1 set pfs group2 (Optional)
crypto map CRYPTO-MAP 1 set peer 200.200.200.200
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside



Related Article :

http://www.petenetlive.com/KB/Article/0000050.htm

No comments:

VPNs show commands 






S3-2513-2#show crypto map
Crypto Map "ToOtherRouter" 10 ipsec-isakmp
        Peer = 192.168.1.1
        Extended IP access list 101
            access-list 101 permit ip
                source: addr = 192.168.45.0/0.0.0.255
                dest:   addr = 192.168.3.0/0.0.0.255
        Connection Id = UNSET    (0 established,    0 failed)
        Current peer: 192.168.1.1
        Session key lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform proposals={ Elvis, Bubba, BarneyDino, }



















No comments:
  


































          

        

          

        

          

        









642-7627 IPS v7.0 Exam Topics (Blueprint)











  
Exam Description



Implementing Cisco  Intrusion Prevention System v7.0  (IPS v7.0) exam is associated with the  Cisco Certified Security Professional certification. This exam tests a  candidate's knowledge and skills needed to deploy Cisco IPS-based  security solutions. Successful graduates will be able to reduce risk to  the IT infrastructure and applications using Cisco IPS features, and  provide detailed operations support for the Cisco IPS. Candidates can  prepare for this exam by taking the Implementing Cisco Intrusion  Prevention System course.









Exam Topics



The  following information provides general guidelines for the content likely  to be included on the exam. However, other related topics may also  appear on any specific delivery of the exam. In order to better reflect  the contents of the exam and for clarity purposes the guidelines below  may change at any time without notice.





Pre-Production Design







Choose Cisco IPS technologies to implement HLD      

Choose Cisco products  to implement HLD      

Choose Cisco IPS features to implement HLD      

Integrate Cisco network security solutions with other security technologies      

Create and test initial Cisco IPS configurations for new devices/services     









Complex Support Operations







Optimize Cisco IPS security infrastructure device performance       

Create complex network security rules, to meet the security policy requirements      

Configure and verify the IPS features to identify threats and dynamically block them from entering the network      

Maintain, update and tune IPS signatures      

Use CSM and MARS for IPS management, deployment, and advanced event correlation.       

Optimize security functions, rules, and configuration     









Advanced Troubleshooting







Advanced Cisco IPS security software configuraiton fault finding and repairing

Advanced Cisco IPS sensor and module hardware fault finding and repairing      















No comments:
  










































642-647 VPN v1.0 Exam Topics (Blueprint)











  
Exam Description



Deploying Cisco ASA VPN  Solutions (VPN  v1.0) exam is associated with the CCSP, CCNP Security  and Cisco VPN Specialist certifications. This exam tests a candidate's  knowledge and skills needed to deploy Cisco ASA-based  VPN solutions. Successful graduates will be able to reduce risk to the  IT infrastructure and applications using Cisco ASA VPN features, and  provide detailed operations support for the Cisco ASA. Candidates can  prepare for this exam by taking the Deploying Cisco ASA VPN Solutions  course.





Exam Topics



The following information  provides general guidelines for the content likely to be included on the  exam. However, other related topics may also appear on any specific  delivery of the exam. In order to better reflect the contents of the  exam and for clarity purposes the guidelines below may change at any  time without notice.





Pre-Production Design







Choose ASA VPN technologies to implement HLD based on given requirements      

Choose the correct ASA model and license to implement HLD based on given performance requirements      

Choose the correct ASA VPN features to implement HLD based on given corporate security policy and network requirements      

Integrate ASA VPN solutions with other security technology domains (CSD, ACS, Device managers, Cert servers, etc.)     









Complex Operations Support







Optimize ASA VPN performance, functions, and configurations      

Configure and verify complex ASA VPN networks using features such as  DAP, CSD, Smart tunnels, Anyconnect SSLVPN, Clientless SSLVPN, Site-to-Site VPN, RA VPN, certificates, QOS, etc. to meet security policy requirements.       

Create complex ASA network security rules using such features as ACLs, DAP, VPN profiles, certificates, MPF, etc, to meet the corporate security policy     









Advanced Troubleshooting



Perform advanced ASA VPN configuration and troubleshooting















No comments:
  










































642-637 SECURE v1.0 Exam Topics (Blueprint)










Exam Description



The 642-637 Secure v1.0  Securing Networks with Cisco Routers and Switches exam is associated  with the CCSP, and CCNP Security certifications. This exam tests a  candidate's knowledge and skills needed to secure Cisco IOS Software  router and switch-based networks, and provide security services based on  Cisco IOS Software. Candidates can prepare for this exam by taking the  Securing Networks with Cisco Routers and Switches course.





Exam Topics



The  following information provides general guidelines for the content  likely to be included on the exam. However, other related topics may  also appear on any specific delivery of the exam. In order to better  reflect the contents of the exam and for clarity purposes the guidelines  below may change at any time without notice.





Pre-Production Design



Choose Cisco IOS technologies to implement HLD



Choose Cisco products to implement HLD



Choose Cisco IOS features to implement HLD 2

Integrate Cisco network security solutions with other security technologies

Create and test initial Cisco IOS configurations for new devices/services



Complex Operations Support







Optimize Cisco IOS security infrastructure device performance

Create complex network security rules to meet the security policy requirements

Optimize security functions, rules, and configuration

Configure & verify NAT to dynamically mitigate identified threats to the network

Configure & verify IOS Zone Based Firewalls including advanced application inspections and URL filtering

Configure & verify the IPS features to identify threats and dynamically block them from entering the network

Maintain, update and tune IPS signatures

Configure & verify IOS VPN features

Configure & verify Layer 2 and Layer 3 security features    





Advanced Troubleshooting



Advanced Cisco IOS security software configuraiton fault finding and repairing

Advanced Cisco routers and switches hardware fault finding and repairing














No comments:
  


































        

      









Subscribe to:
Posts (Atom)