Menu Close

FMC External Authentication with RADIUS

In this post, I am going to show you how to set up FMC external authentication with RADIUS. Why we would need that?!, simply put, to have a scalable solution in our environment that will allow us to manage accesses to our FMC appliance. Even if we configure the FMC with an external authentication server, we do still have the local admin account enabled that we can use in case the external authentication server is down.

Packet Capture in FMC

In this post, I am going to show you how to run a packet capture on Cisco Firepower Management Center (FMC). As we know, both FTD and FMC are Linux based which means we can rely on a few tools that are embedded in Linux operating system. In fact, when you log into the FMC or when you go into Expert mode on FTD, you will see that the majority of the commands you use are simply Linux commands.

Crypto Keypair without Domain Name

In this post I am going to show you how to configure crypto keypair without configuring host name or domain name on Cisco devices. A few network admins still have some confusion about if configuring the domain name on Cisco devices is a requirement to generate a crypto keypair or not. I believe this confusion comes from the error we get when we try to create a crypto keypair on Cisco devices before we’ve configured the domain name. The error would explicitly ask us to define the domain name first to generate the crypto keypair.

Snort HOME_NET and EXTERNAL_NET Variables

What are the Snort HOME_NET and EXTERNAL_NET Variables?! To know that let’s see how Snort rules work. Snort rules rely on variables to know what traffic they should inspect and what to ignore. Each Snort rule has a header where a bunch of variables are defined such as the action to be taken, protocol, source IP, source port, destination IP and destination port. The most important two bits among these variables are the source and destination IP addresses.

FDM Multiple Admin Accounts

In this post, I am going to show you how creating multiple admin accounts on FDM for GUI accesses can be possible by using some tools you would most likely have in your environment. First, as we know Firepower Device Management (FDM) does not support creating multiple admin accounts for FDM GUI accesses. This is a known limitation and as a result it would mean that all the admins will use the same admin account to log into the FTD. Of course this would lead to share the admin account credentials between the admins which could potentially breach our security.

ASA Site-to-Site VPN Failover “Preemption”

As we know, Cisco ASA IPsec site-to-site VPN preemption is not supported on Cisco ASA. Therefore, this means if the primary VPN peer recovers from a failure the VPN tunnel will remain active with the secondary VPN peer. In other words, if you configure a site-to-site VPN tunnel crypto map with two peers, one as the primary, and another as the secondary, the ASA will always try to initiate the tunnel with the primary peer first. If the primary peer fails and become unreachable, then the ASA will initiate the tunnel with the secondary peer.

Privilege Level 15 with Cisco ISE

In this post, I’m going to show you how to assign privilege level 15 with Cisco ISE through RADIUS. We know Cisco ISE amazingly supports network devices administration through TACACS+ protocol which allows granting different access levels and managing what command sets could be run in each level. However, this feature requires an additional license called Device Administration to be installed on ISE.

ASA TCP State Bypass

One of the security features Cisco ASA provides for new connections is to ensure the 3-Way Handshake is completed between two hosts before allowing any further tcp traffic between the two hosts. The 3-Way Handshake is simply exchanging the SYN, SYN-ACK and ACK between two hosts, each sends the relevant packets based if it acts as a sender or a receiver. If the ASA should see a SYN-ACK packet sent by a host to another before seeing the initial SYN packet, the traffic will be dropped. Similar if the ASA should see an ACK packet before seeing the previous two packets SYN and SYN-ACK exchanged between the two hosts. The ASA does this by inspecting each packet and creating a state for each connection. This a nice feature, however, in some legitimate scenarios it might create some issues and preventing the traffic from being delivered between the two hosts. Let’s see what would be an example scenario for this, and how to apply the fix.

Adding a Secondary ISE Node

Depending on ISE deployment if small, medium or large, you might need to add additional nodes with different Personas. The Persona in ISE cube is just a fancy name to define what services would be running on a node. The main three Personas are Administration (PAN), Policy Service (PSN) and Monitoring and Troubleshooting (MnT). The primary/secondary concept exists only with PAN and MnT Personas, however, this is not applicable with PSN Persona. The maximum number of PANs and MnTs in any ISE cube you can get is two, however, you can have plenty of PSNs.

ASA DNS Server

As we know the Cisco ASA supports DHCP server feature but not the DNS server. The reason behind this would be to have less services running on the appliance that would expose any potential vulnerabilities that would be exploited which would turn in successful threats, especially when the running services are interacting directly with the internet. A scenario where having a DNS server running on the ASA would be handy would be when the DHCP server is running on the same appliance, and where the DNS server in use would be a public DNS, but to be honest the fact that the ASA does not support the DNS server is not an issue at all, because you can still push an external DNS server IP address through the DHCP lease managed by the ASA.

>
Scroll To Top