NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example


Contents

Introduction
Prerequisites
Requirements
Components Used
Network Diagram
Conventions
NAC Appliance (Cisco Clean Access) Configuration
Cisco ASA Configuration
ASA CLI Configuration
Verify
Troubleshoot
Related Information

Introduction

This document provides a step-by-step guide on how to configure the Cisco Network Admission Control (NAC) Appliance (formerly Cisco Clean Access) for remote access VPN in In-band Virtual Gateway mode. The Cisco NAC Appliance is an easily deployed NAC product that uses the network infrastructure to enforce security policy compliance on all devices that seek to access network computing resources. With the NAC Appliance, network administrators can authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to network access. It identifies whether networked devices such as laptops, IP phones, or game consoles are compliant with the security policies of your network and repairs any vulnerabilities before access to the network is permitted.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

Cisco Clean Access version
Cisco Adaptive Security Appliance (ASA) version 7.2

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Network Diagram

This document uses this network setup:

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

NAC Appliance (Cisco Clean Access) Configuration

Complete these steps in order to configure the NAC Appliance (Cisco Clean Access).

1. Log in to the Clean Access Manager (CAM) using the administrative account.

2. Choose Device Management > CCA Servers and go to the New Server tab in order to add the Cisco Clean Access Server (CAS) to the Cisco CAM.

   In this example, the IP address of the CAS is

   Enter the server location for reference purposes. In this example, the CAS is located behind the Cisco ASA that is configured for remote access VPN. The Server Location information is VPN Remote Access CAS.

   Select Virtual Gateway for the Server Type. The CAS configured as a virtual gateway acts like a bridge for the managed network. The virtual gateway configuration is good when managed clients share a subnet with trusted clients and you do not want to modify the existing gateway or architecture. There is no need to define static routes on any of the routing devices.

3. The CAS appears under the List of Servers. Make sure that the Status reads Connected. Click on Manage in order to access the CAS configuration.

   Troubleshooting Tip: If the CAM fails to import the CAS, make sure that connectivity is not an issue. You can attempt to ping the CAS from the CAM CLI when you log in as root. You can also attempt an SSH connection from the CAM to the CAS. Make sure that you have done the initial configuration in the CAS. You can use the service perfigo config command in order to initialize the CAS via its CLI.

4. Go to the Network tab. The CAS is typically configured such that the untrusted interface is connected to a trunk port with multiple VLANs trunked to the port. In such a situation, the management VLAN ID is the VLAN ID of the VLAN to which the IP address of the CAS belongs.

5. Check Enable Layer 3 support in order to allow users to be more than one hop away from the CAS. Since this case is a VPN configuration, you need to enable this option.

6. Under the CCA Server Advanced tab, click VLAN Mapping and enter the VLAN information in order to map VLAN 10 (untrusted) with VLAN 20 (trusted).

7. Create a filter for the Cisco ASA to be able to communicate with the protected network behind the CAS. Choose Device Management > Filters > Devices > New and add the MAC address and the IP address of the Cisco ASA (00:15:C6:FA:39:F7/ in this example).

8. The CAM on each CAS automatically adds devices to the Certified Devices list after the user authenticates and the device passes network scanning with no vulnerabilities found and/or meets Clean Access Agent requirements. Certified devices are considered clean until removed from the list. You can remove devices at a specified time or interval from the Certified Devices list in order to force them to repeat network scanning/agent checking. Note that devices for Clean Access Agent users are always scanned for requirements at each login.

   A floating device requires Clean Access certification at every login and is certified only for the duration of a user session. Floating devices are always added manually. In this case, the CAS performs security posture checks for VPN Clients terminated on the Cisco ASA. The Cisco ASA needs to communicate with devices such as the Cisco Secure ACS server on the trusted side. It is recommended to add the ASA as a floating device.

   Click on Clean Access under Device Management and choose Certified Devices > Add Floating Device. Enter the MAC address of the ASA (00:15:C6:FA:39:F7 in this example). Set type to 1 to never exempt the ASA from the certification list and enter a description.

9. In this example, you create two different roles (sales and engineering). Choose User Management > User Roles and click New Role in order to create a new role. Enter the Role Name and a Description. In this example, the Role Name is sales with its respective description. Click Create Role.

10. Repeat step 9 and create the engineering role. This window displays when you are done.

11. Choose User Management > User Roles and go to the Traffic Control tab in order to configure the policies used by each user role. Under the desired role, click on Add Policy.

    This window shows that the policy for the sales users is configured. The sales users should only have access to the /24 subnet. All TCP traffic to the SALES subnet is allowed in this example.

    This window shows all the policies configured for each user role. Step 11 was repeated to allow UDP and TCP traffic for the sales and engineering users to their respective subnets. ICMP is also allowed for both groups. The Quarantined users only have access to a remediation server with the IP over TCP.

12. Choose Device Management > Clean Access, go to the General Setup tab, and click Agent Login. For each role, check Require use of Clean Access Agent.

    Requiring the use of the Clean Access Agent is configured per user role and operating system. When the Agent is required for a role, users in that role are forwarded to the Clean Access Agent download page after authenticating for the first time using web login. The user is then prompted to download and run the Agent installation file. At the end of the installation, the user is prompted to log into the network using the Agent.

13. The NAC Appliance (Cisco Clean Access) provides integration with Cisco VPN Concentrators and the Cisco ASA (in this example). Cisco Clean Access can enable Single Sign-On (SSO) capability for VPN users. This functionality is achieved with the use of RADIUS accounting. The CAS can acquire the IP address of the client from either the Framed_IP_address or the Calling_Station_ID RADIUS attribute for SSO purposes.

    VPN users do not need to log in through the web browser or the Clean Access Agent because the RADIUS accounting information sent to the CAS/CAM by the VPN Concentrator provides the user ID and IP address of users who log into the VPN Concentrator (RADIUS Accounting Start Message). In order to do this, you need to add the Cisco VPN device (Cisco ASA in this example) as an authentication server.

    a. Choose User Management > Auth Servers > New Server.
    b. Choose Cisco VPN Server from the drop-down menu.
    c. Choose the user role assigned to users authenticated by the Cisco VPN Concentrator. Unauthenticated Role is selected in this example. This default role is used if not overridden by a role assignment based on MAC address or IP address, or if RADIUS mapping rules do not result in a successful match.
    d. Enter an optional description of the Cisco ASA for reference and click Add Server.
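What a receiver of the RADIUS Accounting Start message in step 13 has to do before trusting the user ID and client IP it carries, as an added example that is not part of the original Cisco document and is not the CAS implementation. It follows RFC 2866 for the Request Authenticator; the function names, the sample secret, user and 192.0.2.x addresses are constructed, and trying Framed-IP-Address before Calling-Station-Id is an assumption.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4                      # RFC 2866 packet code
USER_NAME, FRAMED_IP_ADDRESS = 1, 8         # RFC 2865 attribute types
CALLING_STATION_ID, ACCT_STATUS_TYPE = 31, 40
ACCT_START = 1                              # Acct-Status-Type value for Start


def request_authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_accounting_request(identifier: int, attrs, secret: bytes) -> bytes:
    """Encode a signed Accounting-Request; used here only to construct sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + request_authenticator(header, body, secret) + body


def parse_attributes(body: bytes) -> dict:
    """Walk the type-length-value list, rejecting lengths that run off the packet."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        a_type, a_len = body[i], body[i + 1]
        if a_len < 2 or i + a_len > len(body):
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(a_type, body[i + 2:i + a_len])   # keep first occurrence
        i += a_len
    return attrs


def sso_identity(packet: bytes, secret: bytes):
    """Return (user, client_ip) for a valid Accounting Start, None for other status types."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    packet = packet[:length]                # ignore padding after the stated length
    expected = request_authenticator(packet[:4], packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch (wrong secret or altered packet)")
    attrs = parse_attributes(packet[20:])
    status = attrs.get(ACCT_STATUS_TYPE, b"")
    if len(status) != 4 or struct.unpack("!I", status)[0] != ACCT_START:
        return None                         # Stop or Interim-Update: no new login
    if USER_NAME not in attrs:
        raise ValueError("Accounting Start without User-Name")
    if len(attrs.get(FRAMED_IP_ADDRESS, b"")) == 4:
        client_ip = ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS])
    elif CALLING_STATION_ID in attrs:
        # Assumed fallback order; the page only says either attribute can be used.
        client_ip = ipaddress.IPv4Address(attrs[CALLING_STATION_ID].decode("ascii"))
    else:
        raise ValueError("no Framed-IP-Address or Calling-Station-Id")
    return attrs[USER_NAME].decode("utf-8"), str(client_ip)


# Constructed sample values (not from the page): secret, user and addresses.
SECRET = b"example-shared-secret"
START = build_accounting_request(7, [
    (USER_NAME, b"alice"),
    (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.25").packed),
], SECRET)

if __name__ == "__main__":
    print(sso_identity(START, SECRET))
```

The authenticator check is what ties the accounting message to the shared secret configured on both the ASA and the CAS; a packet that fails it must not create a session.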

14. Choose User Management > Auth Servers > New Server and select RADIUS from the drop-down menu in order to add the Cisco Secure ACS server (RADIUS server).

    This list provides a description of the settings on this window:

    Provider Name: (optional) Type a unique name for this authentication provider. Enter a meaningful or recognizable name if web login users are able to select providers from the web login page.
    Server Name: The fully qualified host name (for example, auth.cisco.com) or IP address of the RADIUS authentication server is the IP address of the Cisco Secure ACS server in this example.
    Server Port: The port number on which the RADIUS server listens.
    RADIUS Type: The RADIUS authentication method. Supported methods include EAP-MD5, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft (MS-CHAP). PAP is used in this example.
    Timeout (sec): The timeout value for the authentication request.
    Default Role: Choose the unauthenticated role as the user role assigned to users authenticated by this provider. This default role is used if not overridden by a role assignment based on MAC address or IP address, or if RADIUS mapping rules do not result in a successful match.
    Shared Secret: The RADIUS shared secret bound to the IP address of the specified client.
    NAS Identifier: The NAS Identifier value to be sent with all RADIUS authentication packets. Either a NAS Identifier or a NAS IP Address must be specified to send the packets.
    NAS IP Address: The NAS IP Address value to be sent with all RADIUS authentication packets. Either a NAS IP Address or a NAS Identifier must be specified to send the packets.
    NAS Port: The NAS Port value to be sent with all RADIUS authentication packets.
    NAS Port Type: The NAS Port Type value to be sent with all RADIUS authentication packets.
    Enable Failover: This enables sending a second authentication packet to a RADIUS failover peer IP if the primary RADIUS authentication server response times out.
    Failover Peer IP: The IP address of the failover RADIUS authentication server.
    Allow Badly Formed RADIUS Packets: This enables the RADIUS authentication client to ignore errors in badly formed RADIUS authentication responses as long as the responses contain a success or failure code. This can be required for compatibility with older RADIUS servers.

15. Complete these steps in order to enable Single Sign-On (SSO) on the CAS.

    a. Choose Device Management > CCA Servers and select the server (in this case ).
    b. Go to the Authentication tab and choose VPN Auth.
    c. Check Single Sign-On and Auto Logout and enter the RADIUS Accounting Port (only port 1813 is supported).

16. Under the VPN Concentrators sub tab, enter the ASA information and click Add VPN Concentrator.

17. Under the Accounting Servers sub tab, enter the RADIUS Accounting Server information and click Add Accounting Server.

18. Under the Accounting Mapping sub tab, select the ASA from the VPN Concentrator pull-down menu (asa1.cisco.com [ ] in this example) and select the Accounting Server (acs1.cisco.com [ :1813] in this example).

Cisco ASA Configuration

This section demonstrates how to configure the Cisco ASA using the Adaptive Security Device Manager (ASDM). The VPN wizard lets you configure basic LAN-to-LAN and remote access VPN connections. Use ASDM in order to edit and configure advanced features.

1. Choose Configuration > VPN and click Launch VPN Wizard in order to launch the VPN Wizard.

2. Use the VPN Tunnel Type panel in order to select the type of VPN tunnel to define, remote access or LAN-to-LAN, and to identify the interface that connects to the remote IPsec peer.

   Click Remote Access in order to create a configuration that achieves secure remote access for VPN Clients, such as mobile users. This option lets remote users securely access centralized network resources. When you select this option, the VPN Wizard displays a series of panels that let you enter the attributes a remote access VPN requires.

   Select the interface that establishes a secure tunnel with the remote IPsec peer (the outside interface is used in this example, since the VPN Clients connect from the Internet). If the Security Appliance has multiple interfaces, you need to plan the VPN configuration before you run this wizard and identify the interface to use for each remote IPsec peer with which you plan to establish a secure connection.

   Enable inbound IPsec sessions to bypass interface access lists. This enables IPsec authenticated inbound sessions to always be permitted through the Security Appliance (that is, without a check of the interface access list statements). Be aware that the inbound sessions bypass only the interface access control lists (ACLs). Configured group policy, user, and downloaded ACLs still apply.

   Click Next.

3. Select the remote access client type. Cisco VPN Client Release 3.x or higher, or other Easy VPN Remote product is used in this example, since the clients use the Cisco VPN Client. Click Next.

4. In this example, pre-shared keys are used for tunnel authentication. Enter the pre-shared key (cisco123 in this example) and the VPN Tunnel Group Name (vpngroup in this example). Click Next.

5. Use the Client Authentication panel in order to select the method by which the Security Appliance authenticates remote users. In this example, the VPN Clients are authenticated against a RADIUS server. Click New in order to configure a new AAA server group.

6. Provide this information in order to configure a new AAA server group that contains just one server:

   Server Group Name: Type a name for the server group. You associate this name with users whom you want to authenticate using this server. The Server Group Name in this example is called authgroup.
   Authentication Protocol: Select the authentication protocol the server uses. RADIUS is used in this example.
   Server IP Address: Type the IP address for the AAA server. The RADIUS server is in this example.
   Interface: Select the Security Appliance interface on which the AAA server resides. The AAA server in this example is on the inside interface.
   Server Secret Key: Type a case-sensitive, alphanumeric keyword of up to 127 characters. The server and Security Appliance use the key to encrypt data that travels between them. The key must be the same on both the Security Appliance and server. You can use special characters, but not spaces.
   Confirm Server Secret Key: Type the secret key again.

7. Configure an address pool for the addresses to be assigned to the VPN Clients. Click New in order to create a new pool.

8. Add the name of the pool, the range, and the subnet mask.

9. Use the Attributes Pushed to Client (Optional) window in order to have the Security Appliance pass information about DNS and WINS servers and the default domain name to remote access clients. Enter the Primary and Secondary DNS and WINS server information. Also enter the Default Domain Name.

10. Use the IKE Policy window in order to set the terms of the Phase 1 IKE negotiations. 3DES, SHA, and Diffie-Hellman Group 2 are used in this example as the IKE policy for VPN Client connections.

11. Use this IPSec Encryption and Authentication window in order to select the encryption and authentication methods to use for Phase 2 IKE negotiations, which create the secure VPN tunnel. 3DES and SHA are used in this example.

12. Use the Address Translation Exemption (Optional) window in order to identify local hosts/networks which do not require address translation.

    By default, the Security Appliance hides the real IP addresses of internal hosts and networks from outside hosts by using dynamic or static Network Address Translation (NAT). NAT minimizes risks of attack by untrusted outside hosts, but might be improper for those who have been authenticated and protected by VPN. For example, an inside host that uses dynamic NAT has its IP address translated by matching it to a randomly selected address from a pool. Only the translated address is visible to the outside. Remote VPN Clients that attempt to reach these hosts by sending data to their real IP addresses cannot connect to these hosts, unless you configure a NAT exemption rule.

13. Verify that the information is accurate in the Summary window and click Finish.

14. This is a very important step. The Cisco ASA needs to send the RADIUS accounting messages to the CAS in order to do SSO and perform security posture checks. Complete these steps in order to add a new AAA Server Group.

    a. Choose Configuration > Properties > AAA Setup > AAA Server Groups and click Add.
    b. Enter the Server Group name (CAS_Accounting in this example).
    c. Select RADIUS as the Protocol.
    d. Make sure that the Accounting Mode is Single and Reactivation Mode is Depletion.
    e. Click OK.

15. Add a new AAA Server entry. In this case, the AAA server is the IP address of the CAS ( ), which resides on the inside interface. Configure the Server Authentication Port (1812) and Server Accounting Port (1813). Click OK.

    The new AAA Server Group and AAA Server appear as this example window shows.

16. Complete these steps in order to add the CAS as the accounting server for the VPN group you configured (vpngroup in this example).

    a. Choose Configuration > VPN > General > Tunnel Group.
    b. Select the Tunnel Group.
    c. Click Edit.

17. Under the Accounting tab, select the new AAA Server Group under the Accounting Server Group pull-down menu (CAS_Accounting in this example).

ASA CLI Configuration

ASA-1#show running-config
: Saved
:
ASA Version 7.2(1)
!
hostname ASA-1
domain-name cisco.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Outside Interface Facing the Internet
 nameif outside
 security-level 0
 ip address
!
interface GigabitEthernet0/1
 description Inside Interface
 nameif inside
 security-level 100
 ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name cisco.com
access-list outside_cryptomap extended permit ip any
access-list something extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool pool mask
no failover
icmp permit any inside
icmp permit any management
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout
access-group something in interface outside
access-group something in interface inside
route inside
route inside tunneled
route outside
route inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server authgroup protocol radius
aaa-server authgroup host
 timeout 5
 key cisco123
 authentication-port 1812
 accounting-port 1813
aaa-server test protocol radius
aaa-server test host
 key cisco123
 accounting-port 1813
aaa-server CAS_Accounting protocol radius
aaa-server CAS_Accounting host
 key cisco123
 authentication-port 1812
 accounting-port 1813
 radius-common-pw cisco123
group-policy vpngroup internal
group-policy vpngroup attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec
 default-domain value cisco.com
username cisco password ffirpgpdsojh9ylq encrypted
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set FirstSet esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map abcmap 1 set peer
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool pool1
 authentication-server-group authgroup
 accounting-server-group CAS_Accounting
 default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh management
ssh timeout 5
console timeout 0
!
class-map class_sip_tcp
 match port tcp eq sip
class-map class_sip_udp
 match port udp eq sip
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class class_sip_tcp
  inspect sip
 class class_sip_udp
  inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8e30f7ade3dcb3d1ae0da79a9d94371e
: end
[OK]
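A check for the accounting wiring set up in steps 14 through 17, as an added example that is not part of the original Cisco document: it parses ASA configuration text and reports any tunnel group whose accounting-server-group does not lead to the CAS on port 1813. The function names, the sample configuration and its 192.0.2.x addresses are constructed for illustration.

```python
import re

# Constructed sample in ASA 7.2 syntax; addresses are documentation-range placeholders.
SAMPLE_CONFIG = """\
aaa-server authgroup protocol radius
aaa-server authgroup host 192.0.2.10
 key <redacted>
 authentication-port 1812
 accounting-port 1813
aaa-server CAS_Accounting protocol radius
aaa-server CAS_Accounting host 192.0.2.20
 key <redacted>
 authentication-port 1812
 accounting-port 1813
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool pool1
 authentication-server-group authgroup
 accounting-server-group CAS_Accounting
 default-group-policy vpngroup
"""


def parse_blocks(config: str):
    """Group indented sub-commands under the top-level command that precedes them."""
    blocks = []
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text[0] in "!:":
            continue                        # skip separators and ": Saved" style lines
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(text)
        else:
            blocks.append((text, []))
    return blocks


def sub_value(subs, keyword):
    """Value of the first sub-command that starts with keyword, else None."""
    for s in subs:
        parts = s.split()
        if parts[0] == keyword and len(parts) > 1:
            return parts[1]
    return None


def check_sso_accounting(config: str, cas_ip: str, port: int = 1813):
    """Return findings for tunnel groups whose accounting does not reach the CAS."""
    protocols, hosts, tunnels = {}, {}, {}
    for header, subs in parse_blocks(config):
        if m := re.fullmatch(r"aaa-server (\S+) protocol (\S+)", header):
            protocols[m[1]] = m[2]
        elif m := re.fullmatch(r"aaa-server (\S+)(?: \(\S+\))? host (\S+)", header):
            acct = sub_value(subs, "accounting-port")
            explicit = int(acct) if acct and acct.isdigit() else None
            hosts.setdefault(m[1], []).append((m[2], explicit))
        elif m := re.fullmatch(r"tunnel-group (\S+) general-attributes", header):
            tunnels[m[1]] = sub_value(subs, "accounting-server-group")
    findings = []
    for name, group in tunnels.items():
        if group is None:
            findings.append(f"{name}: no accounting-server-group configured")
        elif protocols.get(group) != "radius":
            findings.append(f"{name}: group {group} is not a defined RADIUS group")
        elif not any(ip == cas_ip and p == port for ip, p in hosts.get(group, [])):
            findings.append(
                f"{name}: group {group} has no host {cas_ip} with accounting-port {port}")
    return findings


if __name__ == "__main__":
    print(check_sso_accounting(SAMPLE_CONFIG, "192.0.2.20") or "accounting reaches the CAS")
```

The check requires an explicit accounting-port line on the CAS host entry, so a host that relies on the platform default is reported rather than assumed correct.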

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information

Cisco NAC Appliance (Clean Access) Product Support
Technical Support & Documentation - Cisco Systems

Updated: Oct 03, 2006
Document ID: 71573


More information

Cisco Meraki EMM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

Cisco Meraki EMM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series Cisco Meraki EMM Integration with Cisco Identity Service Engine Secure Access How -To Guides Series Author: Imran Bashir Date: March 2015 Table of Contents Mobile Device Management (MDM)... 3 Overview...

More information

LAN-to-LAN IPsec VPNs

LAN-to-LAN IPsec VPNs A LAN-to-LAN VPN connects networks in different geographic locations. You can create LAN-to-LAN IPsec connections with Cisco peers and with third-party peers that comply with all relevant standards. These

More information

Configuring LAN-to-LAN IPsec VPNs

Configuring LAN-to-LAN IPsec VPNs CHAPTER 28 A LAN-to-LAN VPN connects networks in different geographic locations. The ASA 1000V supports LAN-to-LAN VPN connections to Cisco or third-party peers when the two peers have IPv4 inside and

More information

User Management: Configuring Auth Servers

User Management: Configuring Auth Servers 7 CHAPTER This chapter describes how to set up external authentication sources, configure Active Directory Single Sign-On (SSO), VLAN ID or attribute-based auth server mapping rules, and RADIUS accounting.

More information

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL Contents: UniNets CCNA Security LAB MANUAL Section 1 Securing Layer 2 Lab 1-1 Configuring Native VLAN on a Trunk Links Lab 1-2 Disabling

More information

Symbols. Numerics I N D E X

Symbols. Numerics I N D E X I N D E X Symbols /var/log/ha-debug log, 517 /var/log/ha-log log, 517 Numerics A 3500XL Edge Layer 2 switch, configuring AD SSO, 354 355 access to resources, troubleshooting issues, 520 access VLANs, 54

More information

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM This lab has been updated for use on NETLAB+ Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet Interfaces.

More information

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet Interfaces. 2016 Cisco and/or its affiliates. All

More information

Cisco ASA 5500 LAB Guide

Cisco ASA 5500 LAB Guide INGRAM MICRO Cisco ASA 5500 LAB Guide Ingram Micro 4/1/2009 The following LAB Guide will provide you with the basic steps involved in performing some fundamental configurations on a Cisco ASA 5500 series

More information

CISCO EXAM QUESTIONS & ANSWERS

CISCO EXAM QUESTIONS & ANSWERS CISCO 642-618 EXAM QUESTIONS & ANSWERS Number: 642-618 Passing Score: 800 Time Limit: 120 min File Version: 39.6 http://www.gratisexam.com/ CISCO 642-618 EXAM QUESTIONS & ANSWERS Exam Name: Deploying Cisco

More information

Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example

Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example Document ID: 91193 Contents Introduction Prerequisites Requirements Components Used Conventions Background

More information

Secure ACS Database Replication Configuration Example

Secure ACS Database Replication Configuration Example Secure ACS Database Replication Configuration Example Document ID: 71320 Introduction Prerequisites Requirements Components Used Related Products Conventions Background Information Scenario I Scenario

More information

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example Document ID: 113337 Contents Introduction Prerequisites Requirements Components Used Conventions Configuration

More information

FTD: How to enable TCP State Bypass Configuration using FlexConfig Policy

FTD: How to enable TCP State Bypass Configuration using FlexConfig Policy FTD: How to enable TCP State Bypass Configuration using FlexConfig Policy Contents Introduction Prerequisites Requirements Components Used Background Information Configuration Step 1. Configure an Extended

More information

Configuring Remote Access IPSec VPNs

Configuring Remote Access IPSec VPNs CHAPTER 32 Remote access VPNs let single users connect to a central site through a secure connection over a TCP/IP network such as the Internet. This chapter describes how to build a remote access VPN

More information

VPN Connection through Zone based Firewall Router Configuration Example

VPN Connection through Zone based Firewall Router Configuration Example VPN Connection through Zone based Firewall Router Configuration Example Document ID: 112051 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Configure

More information

Cisco PIX. Interoperability Guide

Cisco PIX. Interoperability Guide Cisco PIX Interoperability Guide Copyright 2004, F/X Communications. All Rights Reserved. The use and copying of this product is subject to a license agreement. Any other use is strictly prohibited. No

More information

CCNA Security 1.0 Student Packet Tracer Manual

CCNA Security 1.0 Student Packet Tracer Manual 1.0 Student Packet Tracer Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors

More information

VPN Configuration Guide. Cisco ASA 5500 Series

VPN Configuration Guide. Cisco ASA 5500 Series VPN Configuration Guide Cisco ASA 5500 Series 2015 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this configuration guide may not be copied, in whole or in part, without the

More information

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM This lab has been updated for use on NETLAB+ Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces.

More information

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance Lab 9.4.10 Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance Objective Scenario Topology In this lab exercise, the students will complete the following tasks: Display the

More information

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example Document ID: 26402 Contents Introduction Prerequisites Requirements Components Used Conventions Configure

More information

Configuration Examples

Configuration Examples CHAPTER 4 Before using this chapter, be sure that you have planned your site s security policy, as described in Chapter 1, Introduction, and configured the PIX Firewall, as described in Chapter 2, Configuring

More information

Monitoring and Troubleshooting Agent Sessions

Monitoring and Troubleshooting Agent Sessions 11 CHAPTER This chapter provides information on compiling and accessing various Cisco NAC Appliance Agent reports and log files and troubleshooting Agent connection and operation issues: Viewing Agent

More information

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 6.8. AudioCodes Family of Multi-Service Business Routers (MSBR)

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 6.8. AudioCodes Family of Multi-Service Business Routers (MSBR) Configuration Guide AudioCodes Family of Multi-Service Business Routers (MSBR) Mediant MSBR Security Setup Version 6.8 Version 6.8 May 2014 Document # LTRT-31640 Configuration Guide Contents Table of

More information

L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN

L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN This chapter describes how to configure /IKEv1 on the ASA. About /IKEv1 VPN, on page 1 Licensing Requirements for, on page 3 Prerequisites for Configuring, on page 4 Guidelines and Limitations, on page

More information

Lab 8: Firewalls ASA Firewall Device

Lab 8: Firewalls ASA Firewall Device Lab 8: Firewalls ASA Firewall Device 8.1 Details Aim: Rich Macfarlane 2015 The aim of this lab is to investigate a Cisco ASA Firewall Device, its default traffic flows, its stateful firewalling functionality,

More information

Configuring NAC Out-of-Band Integration

Configuring NAC Out-of-Band Integration Prerequisites for NAC Out Of Band, page 1 Restrictions for NAC Out of Band, page 2 Information About NAC Out-of-Band Integration, page 2 (GUI), page 3 (CLI), page 5 Prerequisites for NAC Out Of Band CCA

More information

Configuring Management Access

Configuring Management Access 37 CHAPTER This chapter describes how to access the ASA for system management through Telnet, SSH, and HTTPS (using ASDM), how to authenticate and authorize users, how to create login banners, and how

More information

Configuring Easy VPN Services on the ASA 5505

Configuring Easy VPN Services on the ASA 5505 CHAPTER 67 Configuring Easy VPN Services on the ASA 5505 This chapter describes how to configure the ASA 5505 as an Easy VPN hardware client. This chapter assumes you have configured the switch ports and

More information

CCNA Security PT Practice SBA

CCNA Security PT Practice SBA A few things to keep in mind while completing this activity: 1. Do not use the browser Back button or close or reload any Exam windows during the exam. 2. Do not close Packet Tracer when you are done.

More information

upgrade-mp through xlate-bypass Commands

upgrade-mp through xlate-bypass Commands CHAPTER 33 upgrade-mp To upgrade the maintenance partition software, use the upgrade-mp command. upgrade-mp {http[s]://[user:password@]server[:port]/pathname tftp[://server/pathname]} tftp http[s] server

More information

ASA/PIX Security Appliance

ASA/PIX Security Appliance I N D E X A AAA, implementing, 27 28 access to ASA/PIX Security Appliance monitoring, 150 151 securing, 147 150 to websites, blocking, 153 155 access control, 30 access policies, creating for web and mail

More information

Configuring High Availability (HA)

Configuring High Availability (HA) 4 CHAPTER This chapter covers the following topics: Adding High Availability Cisco NAC Appliance To Your Network, page 4-1 Installing a Clean Access Manager High Availability Pair, page 4-3 Installing

More information

Cisco Passguide Exam Questions & Answers

Cisco Passguide Exam Questions & Answers Cisco Passguide 642-648 Exam Questions & Answers Number: 642-648 Passing Score: 800 Time Limit: 120 min File Version: 61.8 http://www.gratisexam.com/ Cisco 642-648 Exam Questions & Answers Exam Name: Deploying

More information

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels This article provides a reference for deploying a Barracuda Link Balancer under the following conditions: 1. 2. In transparent (firewall-disabled)

More information

Internet. SonicWALL IP Cisco IOS IP IP Network Mask

Internet. SonicWALL IP Cisco IOS IP IP Network Mask Prepared by SonicWALL, Inc. 9/20/2001 Introduction: VPN standards are still evolving and interoperability between products is a continued effort. SonicWALL has made progress in this area and is interoperable

More information

Cisco Systems, Inc. IOS Router

Cisco Systems, Inc. IOS Router RSA SecurID Ready Implementation Guide Partner Information Last Modified: January 27, 2014 Product Information Partner Name Cisco Systems, Inc. Web Site www.cisco.com Product Name Version & Platform 15.4

More information

I N D E X. Numerics. 3DES (triple Data Encryption Standard), 199

I N D E X. Numerics. 3DES (triple Data Encryption Standard), 199 I N D E X Numerics A 3DES (triple Data Encryption Standard), 199 AAA (Authentication, Authorization, and Accounting), 111 114, 236 configuring, 114, 144 145 CSACS, 116 122 floodguard, 168 169 servers,

More information

IOS/CCP: Dynamic Multipoint VPN using Cisco Configuration Professional Configuration Example

IOS/CCP: Dynamic Multipoint VPN using Cisco Configuration Professional Configuration Example IOS/CCP: Dynamic Multipoint VPN using Cisco Configuration Professional Configuration Example Document ID: 113265 Contents Introduction Prerequisites Requirements Components Used Conventions Background

More information

Chapter 9 Lab A: Configuring ASA Basic Settings and Firewall Using CLI

Chapter 9 Lab A: Configuring ASA Basic Settings and Firewall Using CLI A: Configuring ASA Basic Settings and Firewall Using CLI This lab has been updated for use on NETLAB+ Topology Note: ISR G2 devices use GigabitEthernet interfaces instead of FastEthernet interfaces. 2018

More information

ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example

ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example Contents Introduction Prerequisites Requirements Components Used Related Products Conventions Background

More information

tcp-map through type echo Commands

tcp-map through type echo Commands CHAPTER 31 31-1 tcp-map Chapter 31 tcp-map To define a set of TCP normalization actions, use the tcp-map command in global configuration mode. The TCP normalization feature lets you specify criteria that

More information

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI Topology Addressing Table R1 R2 R3 Device Interface IP Address Subnet Mask Default Gateway Switch Port G0/0 192.168.1.1 255.255.255.0

More information

Defining IPsec Networks and Customers

Defining IPsec Networks and Customers CHAPTER 4 Defining the IPsec Network Elements In this product, a VPN network is a unique group of targets; a target can be a member of only one network. Thus, a VPN network allows a provider to partition

More information

MWA Deployment Guide. VPN Termination from Smartphone to Cisco ISR G2 Router

MWA Deployment Guide. VPN Termination from Smartphone to Cisco ISR G2 Router MWA Deployment Guide Mobile Workforce Architecture: VPN Deployment Guide for Microsoft Windows Mobile and Android Devices with Cisco Integrated Services Router Generation 2 This deployment guide explains

More information

Lab 8.5.2: Troubleshooting Enterprise Networks 2

Lab 8.5.2: Troubleshooting Enterprise Networks 2 Lab 8.5.2: Troubleshooting Enterprise Networks 2 Topology Diagram Addressing Table Device Interface IP Address Subnet Mask Default Gateway Fa0/0 192.168.10.1 255.255.255.0 N/A R1 Fa0/1 192.168.11.1 255.255.255.0

More information

Migrating to the Cisco ASA Services Module from the FWSM

Migrating to the Cisco ASA Services Module from the FWSM Migrating to the Cisco ASA Services Module from the FWSM Contents Information About the Migration, page 1 Migrating the FWSM Configuration to the ASA SM, page 2 Unsupported Runtime Commands, page 4 Configuration

More information

Contents. Introduction. Prerequisites. Requirements. Components Used

Contents. Introduction. Prerequisites. Requirements. Components Used Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram ASA ISE Step 1. Configure Network Device Step 2. Configure Posture conditions and policies Step 3. Configure Client

More information

1.1 Configuring HQ Router as Remote Access Group VPN Server

1.1 Configuring HQ Router as Remote Access Group VPN Server Notes: 1.1 Configuring HQ Router as Remote Access Group VPN Server Step 1 Enable AAA model for local and remote access authentication. AAA will prompt extended authentication for remote access group VPN

More information

This chapter covers the following exam topics for the Secure PIX Firewall Advanced Exam (CSPFA 9E0-511): 5. User interface 6. Configuring the PIX

This chapter covers the following exam topics for the Secure PIX Firewall Advanced Exam (CSPFA 9E0-511): 5. User interface 6. Configuring the PIX This chapter covers the following exam topics for the Secure PIX Firewall Advanced Exam (CSPFA 9E0-511): 5. User interface 6. Configuring the PIX Firewall 8. Time setting and NTP support 13. DHCP server

More information

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT Avaya CAD-SV Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0 Issue 1.0 30th October 2009 ABSTRACT These Application Notes describe the steps to configure the Cisco VPN 3000 Concentrator

More information

Cisco Exam Questions & Answers

Cisco Exam Questions & Answers Cisco 300-209 Exam Questions & Answers Number: 300-209 Passing Score: 800 Time Limit: 120 min File Version: 35.4 http://www.gratisexam.com/ Exam Code: 300-209 Exam Name: Implementing Cisco Secure Mobility

More information

VPN Auto Provisioning

VPN Auto Provisioning VPN Auto Provisioning You can configure various types of IPsec VPN policies, such as site-to-site policies, including GroupVPN, and route-based policies. For specific details on the setting for these kinds

More information

Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall

Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall Document ID: 43068 Contents Introduction Prerequisites Requirements Components Used Conventions Configure

More information

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 7.2. AudioCodes Family of Multi-Service Business Routers (MSBR)

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 7.2. AudioCodes Family of Multi-Service Business Routers (MSBR) Configuration Guide AudioCodes Family of Multi-Service Business Routers (MSBR) Mediant MSBR Security Setup Version 7.2 Version 6.8 May 2014 Document # LTRT-31640 Configuration Guide Contents Table of

More information

ASA/PIX: Configure Active/Standby Failover in Transparent Mode Contents

ASA/PIX: Configure Active/Standby Failover in Transparent Mode Contents ASA/PIX: Configure Active/Standby Failover in Transparent Mode Contents Introduction Prerequisites Requirements Components Used Related Products Conventions Active/Standby Failover Active/Standby Failover

More information

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003 ZyWALL 70 Internet Security Appliance Quick Start Guide Version 3.62 December 2003 Introducing the ZyWALL The ZyWALL 70 is the ideal secure gateway for all data passing between the Internet and the LAN.

More information

See the following screens for showing VPN connection data in graphical or tabular form for the ASA.

See the following screens for showing VPN connection data in graphical or tabular form for the ASA. Connection Graphs, page 1 Statistics, page 1 Connection Graphs See the following screens for showing VPN connection data in graphical or tabular form for the ASA. Monitor IPsec Tunnels Monitoring> VPN>

More information

Cisco Virtual Office: Easy VPN Deployment Guide

Cisco Virtual Office: Easy VPN Deployment Guide Cisco Virtual Office: Easy VPN Deployment Guide This guide provides detailed design and implementation information for deployment of Easy VPN in client mode with the Cisco Virtual Office. Please refer

More information

Setting General VPN Parameters

Setting General VPN Parameters CHAPTER 62 The adaptive security appliance implementation of virtual private networking includes useful features that do not fit neatly into categories. This chapter describes some of these features. It

More information

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table

More information

Chapter 9 Lab A: Configuring ASA Basic Settings and Firewall Using CLI

Chapter 9 Lab A: Configuring ASA Basic Settings and Firewall Using CLI A: Configuring ASA Basic Settings and Firewall Using CLI Topology Note: ISR G2 devices use GigabitEthernet interfaces instead of FastEthernet interfaces. 2015 Cisco and/or its affiliates. All rights reserved.

More information

Remote Access IPsec VPNs

Remote Access IPsec VPNs About, page 1 Licensing Requirements for for 3.1, page 2 Restrictions for IPsec VPN, page 3 Configure, page 3 Configuration Examples for, page 10 Configuration Examples for Standards-Based IPSec IKEv2

More information

Sample Configurations

Sample Configurations APPENDIXA This appendix illustrates and describes a number of common ways to implement the ASA, and includes the following sections: Example 1: Multiple Mode Firewall With Outside Access, page A-1 Example

More information

Lab 9: VPNs IPSec Remote Access VPN

Lab 9: VPNs IPSec Remote Access VPN Lab 9: VPNs IPSec Remote Access VPN Rich Macfarlane 2015 Aim: Details The aim of this lab is to introduce Virtual Private Network (VPN) concepts, using an IPSec remote access VPN between a remote users

More information

Wireless LAN Controller Web Authentication Configuration Example

Wireless LAN Controller Web Authentication Configuration Example Wireless LAN Controller Web Authentication Configuration Example Document ID: 69340 Contents Introduction Prerequisites Requirements Components Used Conventions Web Authentication Web Authentication Process

More information

shun through sysopt radius ignore-secret Commands

shun through sysopt radius ignore-secret Commands CHAPTER 30 shun through sysopt radius ignore-secret Commands 30-1 shun Chapter 30 shun To block connections from an attacking host, use the shun command in privileged EXEC mode. To disable a shun, use

More information