Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About RJI
RJI
.jpg){kind=icon}
VIP Advocate
IT contractor based in the UK, specialising in design and implementation of network/security solutions. CCDA, CCNP (Security and Routing & Switching)
Awards
1
Cisco Designated VIPs 2019 VPN, Policy and Access, Firewalls
Recent Badges
Stats
Member since
12-05-2010
1979
Posts
2477
Helpful
310
Solutions
08-09-2019
07:01 AM
Hi, If you aren't using a routing protocol to redistribute those VPN routes then it probably isn't necessary - it's just creating static routes for each VPN network, but doing nothing with them. If you had a redundant configuration and using routing to failover it would be useful. HTH
... View more
08-09-2019
02:53 AM
Hi,
The user must fully authenticate using whatever method you configured, upon first connection every users posture state will be unknown until the posture scan is run and then the state will change to either non-compliant or compliant.
There will be 3 ISE authorization rules:- unknown, non-compliant and compliant, these refer to the posture states. Here is ISE VPN Configuration guide.
You don't need to have the certificate authentication, it could be used to determine whether the computer has a valid certificate. You could check a registry setting on ISE to determine whether the computer is joined to an AD domain instead. Self certificates is possible, but not scalable.
HTH
... View more
08-09-2019
12:34 AM
Hi,
Upon first connection the user's computer will be in a posture unknown state, the user will be authenticated and authorized and received an IP address from the VPN Pool. Normally you would restrict access by using a DACL (providing access to ISE, ICMP and DNS) in order for the posture checks to be run. Upon successful posturing, the state would change to compliant at which point a CoA (change of authorization) is sent and the user is re-authorized, providing full access.
ISE Posturing can check for Anti-Virus, Anti-Malware, OS, Hotfix, Personal Firewall etc. If posturing is sucessful then full access is granted, if un-sucessful the device can be quarantined, restricting access.
If you want only your domain computers to connect to the VPN, then you can use double authentication on the FW (I assume ASA). You can user certificates issued from your Internal CA (which only your domain computers trust) for the first authentication, this will be mutually authenticated between the VPN client and the ASA. The 2nd authentication will be RADIUS to ISE.
No you don't need Hostscan.
HTH
... View more
Created by
RJI
in Other Security Subjects
RJI
in Other Security Subjects
08-08-2019
04:04 PM
08-08-2019
04:04 PM
Hi, Normally you would use a separate physical switch for the DMZ, connected to separate interface on the firewall. You would control traffic to/from the DMZ on the firewall, not on an ACL on the switch. HTH
... View more
Created by
RJI
in VPN and AnyConnect
RJI
in VPN and AnyConnect
08-07-2019
08:25 AM
08-07-2019
08:25 AM
Hi,
On R1 which is acting as the Hub you need to reference the Virtual-Template under the IKEv2 Profile. e.g.
crypto ikev2 profile IKEv2-Profile match certificate CMAP identity local dn authentication remote rsa-sig authentication local rsa-sig pki trustpoint Trusted-CA
virtual-template 1
You also don't need to reference the tunnel destination
interface Virtual-Template1 type tunnel no tunnel destination dynamic
HTH
... View more
Created by
RJI
in VPN and AnyConnect
RJI
in VPN and AnyConnect
08-06-2019
10:37 AM
08-06-2019
10:37 AM
Ok, the problem is your dynamic NAT rule (rule number 2) is above the nat exemption rule you have defined between APDO and POM (rule number 8). Therefore the traffic is being natted behind the outside interface.
2 (Inside) to (Outside) source dynamic any interface translate_hits = 15695867, untranslate_hits = 2052342
|
|
8 (Inside) to (Outside) source static APDO APDO destination static POMS POMS no-proxy-arp route-lookup translate_hits = 0, untranslate_hits = 0
Move the dynamic rule to Manual NAT Section 3 (after-auto)
HTH
... View more
08-06-2019
02:35 AM
You can do it your way, or alternatively:-
object network SRV1 host 10.2.2.5 nat (inside,outside) static 1.1.1.1 service tcp 80 80
NOTE - in this instance the nat is configured under the network object, not globally.
HTH
... View more
08-06-2019
02:00 AM
Hi, On ASA v 9.x you need to reference the Real IP address (private IP address) in the ACLs rather than the Public (NATTED) IP address. Make the changes and if that doesn't work, please provide the output of packet-tracer. HTH
... View more
Created by
RJI
in VPN and AnyConnect
RJI
in VPN and AnyConnect
08-06-2019
12:50 AM
08-06-2019
12:50 AM
Hi @Florin Barhala
I don't know about the Clearpass configuration, but you'll need to use the msRADIUSFramedIPAddress attribute and return that as part of authorization. This example covers what you want, it's for ISE not Clearpass, but should hopefully point you in the right direction.
HTH
... View more
Created by
RJI
in VPN and AnyConnect
RJI
in VPN and AnyConnect
08-05-2019
02:10 PM
08-05-2019
02:10 PM
Hi, Have you defined a nat exemption rule, to ensure traffic is not natted between the main site and the branch? If you already have, it could be traffic is hitting a dynamic nat rule and not the nat exemption rule. Can you provide the output of "show nat" HTH
... View more
08-05-2019
01:49 PM
Hi, If you aren't changing the Crypto Map configuration then you can apply this to another interface, nothing will happen until traffic is routed out that interface.
... View more
08-04-2019
11:53 AM
Hi,
If the router is for a branch site then you'll probably be fine with an ISR router, either 1000 or 4000 series. They both support Zone-Based Firewall and IPSec VPN (crypto map, DMVPN, FlexVPN, GETVPN etc).
Datasheets for 4000 and 1000.
HTH
... View more
08-04-2019
01:20 AM
Hi,
Examples on how to configure a Site-to-Site VPN on Cisco routers, here and here.
HTH
... View more
08-03-2019
08:54 AM
Hi,
Congrats on the CCNA. If you were planning on doing the CCNA Security, be aware the certification changes coming Feb 2020, there will only be 1 new CCNA. Reference here.
As you are just starting out configuring the router, you should perhaps look at using Zone Based Firewall (ZBF) rather than CBAC, which is considered legacy now. Certainly only ZBF is on the CCIE Security blueprint, so no point learning something most people will no longer deploy.
If you are looking for some future projects on the IOS router, I'd suggest looking at FlexVPN for Remote Access VPN, example here.
I'd recommend not using Type 7 passwords, they are not secure. Use "enable secret YourPassword" rather than "enable password YourPassword"
HTH
... View more
Created by
RJI
in Other Security Subjects
RJI
in Other Security Subjects
08-03-2019
04:59 AM
08-03-2019
04:59 AM
You'll want to change the fqdn and subject-name to be more relevant to your company.
The trustpoint name <TRUSTPOINT_NAME> would need to match the real name of whatever you define the trustpoint. In your doc you re-used the example from the link I provided, which was LAB_PKI. So whenever you see <TRUSTPOINT_NAME> replace with LAB_PKI are whatever you plan on calling it.
HTH
... View more
08-09-2019
Hi,If you aren't using a routing protocol to redistribute those VPN
routes then it probably isn't ne...
08-09-2019
Hi, The user must fully authenticate using whatever method you
configured, upon first connection eve...
08-09-2019
Hi, Upon first connection the user's computer will be in a posture
unknown state, the user will be a...
Created by
RJI
in Other Security Subjects
08-08-2019
08-08-2019
Hi,Normally you would use a separate physical switch for the DMZ,
connected to separate interface on...
Created by
RJI
in VPN and AnyConnect
08-07-2019
08-07-2019
Hi, On R1 which is acting as the Hub you need to reference the
Virtual-Template under the IKEv2 Prof...
08-06-2019
Ok, the problem is your dynamic NAT rule (rule number 2) is above the
nat exemption rule you have de...
08-06-2019
You can do it your way, or alternatively:- object network SRV1 host
10.2.2.5 nat (inside,outside) st...
08-06-2019
Hi,On ASA v 9.x you need to reference the Real IP address (private IP
address) in the ACLs rather th...
Created by
RJI
in VPN and AnyConnect
08-06-2019
08-06-2019
Hi @Florin Barhala I don't know about the Clearpass configuration, but
you'll need to use the msRADI...
08-05-2019
Hi,Have you defined a nat exemption rule, to ensure traffic is not
natted between the main site and ...
08-05-2019
Hi,If you aren't changing the Crypto Map configuration then you can
apply this to another interface,...
08-04-2019
Hi, If the router is for a branch site then you'll probably be fine with
an ISR router, either 1000 ...
08-04-2019
Hi, The ACP doesn't control whether the VPN is enabled on the outside
interface. When you run the Re...
Public Statistics
| Date Registered | 12-05-2010 06:35 AM |
| Date Last Visited | |
| Total Messages Posted | 1,979 |
| Total Helpful Votes Received | 2477 |
Helpful Votes Given To
Helpful Votes From
| User | Helpful Count |
|---|---|
| 20 | |
| 10 | |
| 10 | |
| 10 | |
| 220 |
Awards
Cisco Designated VIPs
2019 VPN, Policy and Access, Firewalls
