As we know, there is no preemption in IPsec site-to-site VPN on Cisco ASA to the primary peer. If you configure a crypto map with two peers, one as the primary, and another as the secondary, the ASA will try always to initiate the tunnel with the primary peer. If the primary peer fails and become unreachable, then the ASA will initiate the tunnel with the secondary peer. When the primary comes back online, the ASA will not do anything as long as the secondary is reachable. In other words, the primary peer will not take over the control from the secondary; instead the tunnel will remain initiated with the secondary peer. In a different scenario, that would be an issue, because maybe the secondary peer is located at the edge of a disaster recovery site where you don’t have a complete mirror of your primary site, or maybe the device has less resources, or maybe the link where it is connected is slow.
We know Cisco ISE amazingly supports network devices administration through TACACS+ protocol which allows granting different access levels and managing what command sets could be run in each level. However, this feature requires an additional license called Device Administration to be installed on ISE. TACACS+ has a few advantages over RADIUS when it comes to devices administration. However, in some small/medium environments having different admins access levels might not be required, and the only requirement would be just to give privilege level 15 to all admins that are in a specific AD group. Now the question is, can we accomplish this with ISE without having the device administration through TACACS+ feature enabled?! let’s find out this together! 🙂
One of the security features Cisco ASA provides for new connections is to ensure the 3-Way Handshake is completed between two hosts before allowing any further tcp traffic between the two hosts. The 3-Way Handshake is simply exchanging the SYN, SYN-ACK and ACK between two hosts, each sends the relevant packets based if it acts as a sender or a receiver. If the ASA should see a SYN-ACK packet sent by a host to another before seeing the initial SYN packet, the traffic will be dropped. Similar if the ASA should see an ACK packet before seeing the previous two packets SYN and SYN-ACK exchanged between the two hosts. The ASA does this by inspecting each packet and creating a state for each connection. This a nice feature, however, in some legitimate scenarios it might create some issues and preventing the traffic from being delivered between the two hosts. Let’s see what would be an example scenario for this, and how to apply the fix.
Depending on ISE deployment if small, medium or large, you might need to add additional nodes with different Personas. The Persona in ISE cube is just a fancy name to define what services would be running on a node. The main three Personas are Administration (PAN), Policy Service (PSN) and Monitoring and Troubleshooting (MnT). The primary/secondary concept exists only with PAN and MnT Personas, however, this is not applicable with PSN Persona. The maximum number of PANs and MnTs in any ISE cube you can get is two, however, you can have plenty of PSNs.
As we know the Cisco ASA supports DHCP server feature but not the DNS server. The reason behind this would be to have less services running on the appliance that would expose any potential vulnerabilities that would be exploited which would turn in successful threats, especially when the running services are interacting directly with the internet. A scenario where having a DNS server running on the ASA would be handy would be when the DHCP server is running on the same appliance, and where the DNS server in use would be a public DNS, but to be honest the fact that the ASA does not support the DNS server is not an issue at all, because you can still push an external DNS server IP address through the DHCP lease managed by the ASA. However, let’s say hypothetically your requirement is to use the ASA as you DNS server for the hosts located on your internal segment, would that be possible? the answer is yes & no :). Although the ASA will never be acting as a real DNS server, you can still apply a little trick with NAT that would make the ASA to result as your hosts DNS server. From the hosts perspective they would think that the DNS server is the ASA, however, in reality the ASA would be just acting as a transporter of DNS requests between the internal hosts and the external public DNS server. Here is the trick of how you can accomplish this.
In this post I’m going to show you how to configure Windows AD as the external authentication server for Identity Services Engine (ISE) CLI access. When you deploy ISE for the first time, you use the command “setup” at the login prompt to start the bootstrap process which will take you through a list of required steps to complete the appliance initial configuration. Once that is completed, the appliance will be ready for the next level of configuration which will be done through the GUI. One of the required steps during the bootstrap process is to configure the CLI admin account. You can choose to create a new admin account or you can accept the default account which is “admin”. This default account cannot be deleted, it can be disabled or downgraded to a read-only account though.
If you ever come across a requirement to set up a VMware ESXi port in Trunk mode, then the steps to do that are really simple. Basically first step you would need to do after you are logged into vSphere Web Console is to go to Networking section and then create a new Port Group.
In this post I’m going to share with you how to fix the issue that you might have came through with ASAv images in EVE-NG that would prevent the ASAv from booting up.
Basically you would see the ASA getting stuck during the boot process at the very beginning and it won’t move on. Here is what you would see on the terminal screen when the ASAv is stuck:
In this post I’m going to talk about NAT exemption. As we know NAT plays a very important role in our networks today, however, with all the benefits we get from NAT’ing, sometimes we don’t need it, or more specifically we need to bypass it. A common case scenario would be for VPN traffic where we don’t want to translate the original IP addresses. In this post I’m going to show you how to exempt NAT by applying a tricky configuration on IOS without having to go through the common way of doing it.
You might have read many times during your studies that changing the native VLAN1 on Cisco switch trunk ports is highly recommended. Some documentations do not give any explanation about this recommendation, others might give a hint associating the recommendation to security, and still others might give a brief explanation referring to preventing VLAN Hopping Attack.