FTD CONFIGURATION USING FDM Cisco Firepower Threat Defense (FTD) firewall can be managed centrally using either Firepower Management Centre (FMC) or Cisco Defense Orchestrator (CDO), or locally using Firepower Device Manager. This post will describe how to configure the FTD using FDM and setup basic outbound internet access and permit inbound access to a hostedwebserver.
RECOMMENDED IKEV2 PROPOSAL Recommended IKEv2 Proposal. IKEv2 is an important protocol used in IPSec VPNs, it is used to securely authenticate peers by setting up security associations (SAs). Cisco IOS routers have predefined default encryption, integrity (hashing), DH group and PRF algorithms, some of these algorithms are no longer considered secure and therefore not ASA POLICY BASED ROUTING ASA SPLIT TUNNELLING When using the ASA as the VPN headend device with the AnyConnect client you can use split tunnelling feature, which can be configured to include or exclude certain networks from the VPN tunnel. The basic configuration of a Remote Access VPN to tunnel all traffic back to the ASA. group-policy GP-1 internal. group-policy GP-1 attributes. FLEXVPN IKEV2 ROUTING FlexVPN supports the use of Dynamic Routing protocols such as EIGRP, BGP and OSPF. FlexVPN also has the ability to advertise routes in the IKEv2 SA's. In order to do this we must configure an IKEv2 Authorization Policy, this policy can be configured CHECK POINT GAIA CLI COMMANDS Below is a collection of useful Check Point R75 Gaia commands for configuring the basic operating system settings such as hostname, interfaces, DNS, NTP, SNMP etc. Configuring SNMPv3 set snmp agent onset snmp contact ""set snmp location ""add snmp address ""set snmp agent-version v3-only add snmp usm user security CCNP SWITCH: VLAN ACCESS CONTROL LISTS (VACL) CCNP SWITCH: VLAN Access Control Lists (VACL) VLAN ACLs (VACLs) provide traffic filtering for all packets within the same VLAN or that are routed into or out of the VLAN, where as a normal ACL can only be applied to routed packets only. VACLs are also known as VLAN access-maps, they are similar to route maps and use route-mapconventions in
SPANNING TREE IMPLEMENTATIONS ON HP PROCURVE SWITCHES Additional Spanning Tree Protocol (STP) commands such as BPDU Protection, BPDU Filtering, Admin-Edge and Loop Protection exist to enhance implementations of STP and ensure a loop free network. Enable Spanning Tree spanning-tree spanning-tree priority 0 spanning-tree force-version RSTP-operation Enable spanning tree on the switch, set the priority and force the version to Rapid FTD POLICY BASED ROUTING FTD ALLOW ICMP/TRACEROUTE Ping and traceroute are tools used by engineers to troubleshoot network connectivity. In order to permit an outbound ping permit ICMP echo-request, to allow a reply through a firewall the ACL on the OUTSIDE interface must specifically permit an echo-reply inbound. Traceroute usually uses UDP probes and ICMP replies, the clientcomputer sends 3 x
FTD CONFIGURATION USING FDM Cisco Firepower Threat Defense (FTD) firewall can be managed centrally using either Firepower Management Centre (FMC) or Cisco Defense Orchestrator (CDO), or locally using Firepower Device Manager. This post will describe how to configure the FTD using FDM and setup basic outbound internet access and permit inbound access to a hostedwebserver.
RECOMMENDED IKEV2 PROPOSAL Recommended IKEv2 Proposal. IKEv2 is an important protocol used in IPSec VPNs, it is used to securely authenticate peers by setting up security associations (SAs). Cisco IOS routers have predefined default encryption, integrity (hashing), DH group and PRF algorithms, some of these algorithms are no longer considered secure and therefore not ASA POLICY BASED ROUTING ASA SPLIT TUNNELLING When using the ASA as the VPN headend device with the AnyConnect client you can use split tunnelling feature, which can be configured to include or exclude certain networks from the VPN tunnel. The basic configuration of a Remote Access VPN to tunnel all traffic back to the ASA. group-policy GP-1 internal. group-policy GP-1 attributes. FLEXVPN IKEV2 ROUTING FlexVPN supports the use of Dynamic Routing protocols such as EIGRP, BGP and OSPF. FlexVPN also has the ability to advertise routes in the IKEv2 SA's. In order to do this we must configure an IKEv2 Authorization Policy, this policy can be configured CHECK POINT GAIA CLI COMMANDS Below is a collection of useful Check Point R75 Gaia commands for configuring the basic operating system settings such as hostname, interfaces, DNS, NTP, SNMP etc. Configuring SNMPv3 set snmp agent onset snmp contact ""set snmp location ""add snmp address ""set snmp agent-version v3-only add snmp usm user security CCNP SWITCH: VLAN ACCESS CONTROL LISTS (VACL) CCNP SWITCH: VLAN Access Control Lists (VACL) VLAN ACLs (VACLs) provide traffic filtering for all packets within the same VLAN or that are routed into or out of the VLAN, where as a normal ACL can only be applied to routed packets only. VACLs are also known as VLAN access-maps, they are similar to route maps and use route-mapconventions in
SPANNING TREE IMPLEMENTATIONS ON HP PROCURVE SWITCHES Additional Spanning Tree Protocol (STP) commands such as BPDU Protection, BPDU Filtering, Admin-Edge and Loop Protection exist to enhance implementations of STP and ensure a loop free network. Enable Spanning Tree spanning-tree spanning-tree priority 0 spanning-tree force-version RSTP-operation Enable spanning tree on the switch, set the priority and force the version to Rapid FTD POLICY BASED ROUTING This post describes how to configure Policy Based Routing (PBR) on Cisco Firepower Threat Defense (FTD) firewall. PBR is used to make routing decisions based on policies set by the administrator. This is generally used to route certain source traffic via a different interface. In the scenario described below, the FTD has two (2)outside
ASA MULTI-PEER IKEV2 VPN Overview High Availability VPN can be achieved on a Cisco ASA firewall using multi-peer crypto map, previously this feature was only supported on the ASA using IKEv1/ISAKMP not IKEv2. As of ASA version 9.14 this feature is now supported on IKEv2. Multi-peer crypto map allows the configuration of up to a maximum of 10 peerFTD FACTORY RESET
The command to reset a Cisco Firepower Threat Defense (FTD) appliance to factory defaults without completely re-imaging the device is configure manager delete. This will erase the entire configuration (firewall rules, data interfaces, routing etc). The only settings NOT erased is the management configuration IP address and routing, therefore the appliance can be re-configured FTD DUAL ISP FAILOVER This post describes how to configure a Cisco Firepower Threat Defence (FTD) Firewall managed by the Firepower Management Centre (FMC) for redundant/dual ISP connections, using the SLA Monitor and track features. IP SLA Monitor will be configured in conjunction with the track feature to monitor the connection/reachability to the PrimaryISP connection.
CCNP SWITCH: VLAN ACCESS CONTROL LISTS (VACL) CCNP SWITCH: VLAN Access Control Lists (VACL) VLAN ACLs (VACLs) provide traffic filtering for all packets within the same VLAN or that are routed into or out of the VLAN, where as a normal ACL can only be applied to routed packets only. VACLs are also known as VLAN access-maps, they are similar to route maps and use route-mapconventions in
FIREPOWER SSL DECRYPTION The Firepower SSL Decryption feature allows you to block encrypted traffic without inspection or inspect encrypted that would otherwise be unable to be inspected. In order for the FTD to decrypt the traffic the FTD must resign all certificates of websites, this is achieved by a Man in the Middle (MITM) attack. An internal CA CONFIGURING WINDOWS SUPPLICANT FOR 802.1X When using 802.1x authentication (wired or wireless) on a Windows computer joined to an Active Directory Domain, Windows Group Policies Objects (GPO) can deploy the Native Supplicant configuration. The native supplicant can use different authentication methods, the common method being PEAP/MSCHAPv2 which uses Username and Passwordauthentication.
IKEV2/IPSEC VTI TUNNEL BETWEEN ASA FIREWALL AND IOS ROUTER IKEv2/IPSec VTI tunnel between ASA Firewall and IOS Router. Cisco introduced VTI to ASA Firewalls in version 9.7.1 as an alternative to policy based crypto maps. Cisco IOS routers have long supported VTI (sVTI, DVTI, DMVPN, FlexVPN etc). This post will describe the steps on how to configure a VTI between a Cisco ASA Firewall and a Cisco IOSRouter.
CONFIGURING CHECK POINT GAIA WITH WINDOWS NPS RADIUS This post describes how to configure Check Point Gaia (R75.46) and Windows 2008 R2 NPS server to authenticate management access to the Check Point CLI or Web GUI. Please refer to the previous post to configure the Active Directory Groups and NPS Policies. 2 roles will be created in the Check Point Web GUI, one REDISTRIBUTE EIGRP STATIC ROUTES USING A PREFIX-LIST AND A In some instances you may have a core switch with a link to a WAN router exchanging routes using a dynamic routing protocol such as EIGRP, static routes to other routers and a default route to the internet firewall. You may not have the ability to run a routing protocol on the other routers soINTEGRATING IT
The Cisco ASA software supports two firewall modes, routed and transparent. A transparent firewall is a layer 2 firewall that acts like a stealth firewall and is not seen as a router hop betweenconnected devices.
FTD POLICY BASED ROUTING FTD ROUTE-BASED VPN (VTI) In November 2020 Cisco released the Firepower Threat Defence (FTD) and Firepower Management Centre (FMC) version 6.7. Supported from this version is the long-awaited Virtual Tunnel Interface (VTI) for route-based site-to-site VPNs. Prior to this version FTD/FMC only supported policy-based VPNs, which required configuring a crypto map with static access lists. FTD ALLOW ICMP/TRACEROUTE Ping and traceroute are tools used by engineers to troubleshoot network connectivity. In order to permit an outbound ping permit ICMP echo-request, to allow a reply through a firewall the ACL on the OUTSIDE interface must specifically permit an echo-reply inbound. Traceroute usually uses UDP probes and ICMP replies, the clientcomputer sends 3 x
FTD CONFIGURATION USING FDM Cisco Firepower Threat Defense (FTD) firewall can be managed centrally using either Firepower Management Centre (FMC) or Cisco Defense Orchestrator (CDO), or locally using Firepower Device Manager. This post will describe how to configure the FTD using FDM and setup basic outbound internet access and permit inbound access to a hostedwebserver.
CONFIGURING CISCO ASAV IN GNS3 I was looking for a new convenient lab solution to run on natively on my PC rather than fire up my noisy dedicated HP Proliant Lab server, in order to use the Cisco ASAv. I've used GNS3 for IOS devices regularly but never had the chance to use the ASAv. This blog postdetails the
CHECK POINT GAIA CLI COMMANDS Below is a collection of useful Check Point R75 Gaia commands for configuring the basic operating system settings such as hostname, interfaces, DNS, NTP, SNMP etc. Configuring SNMPv3 set snmp agent onset snmp contact ""set snmp location ""add snmp address ""set snmp agent-version v3-only add snmp usm user security CISCO IOS CERTIFICATE ENROLLMENT VIA SCEP OR MANUAL The intention of this blog post is to describe how to configure a Cisco IOS router to request a certificate from a Microsoft SCEP (NDES) server to use for VPN authentication. A Windows Server must be configured as a Certificate Authority and with "Network Device Enrollment Service". In the lab a Windows 2008 R2 server SPANNING TREE IMPLEMENTATIONS ON HP PROCURVE SWITCHES Additional Spanning Tree Protocol (STP) commands such as BPDU Protection, BPDU Filtering, Admin-Edge and Loop Protection exist to enhance implementations of STP and ensure a loop free network. Enable Spanning Tree spanning-tree spanning-tree priority 0 spanning-tree force-version RSTP-operation Enable spanning tree on the switch, set the priority and force the version to Rapid CONFIGURING WINDOWS SUPPLICANT FOR 802.1X When using 802.1x authentication (wired or wireless) on a Windows computer joined to an Active Directory Domain, Windows Group Policies Objects (GPO) can deploy the Native Supplicant configuration. The native supplicant can use different authentication methods, the common method being PEAP/MSCHAPv2 which uses Username and Passwordauthentication.
INTEGRATING IT
The Cisco ASA software supports two firewall modes, routed and transparent. A transparent firewall is a layer 2 firewall that acts like a stealth firewall and is not seen as a router hop betweenconnected devices.
FTD POLICY BASED ROUTING FTD ROUTE-BASED VPN (VTI) In November 2020 Cisco released the Firepower Threat Defence (FTD) and Firepower Management Centre (FMC) version 6.7. Supported from this version is the long-awaited Virtual Tunnel Interface (VTI) for route-based site-to-site VPNs. Prior to this version FTD/FMC only supported policy-based VPNs, which required configuring a crypto map with static access lists. FTD ALLOW ICMP/TRACEROUTE Ping and traceroute are tools used by engineers to troubleshoot network connectivity. In order to permit an outbound ping permit ICMP echo-request, to allow a reply through a firewall the ACL on the OUTSIDE interface must specifically permit an echo-reply inbound. Traceroute usually uses UDP probes and ICMP replies, the clientcomputer sends 3 x
FTD CONFIGURATION USING FDM Cisco Firepower Threat Defense (FTD) firewall can be managed centrally using either Firepower Management Centre (FMC) or Cisco Defense Orchestrator (CDO), or locally using Firepower Device Manager. This post will describe how to configure the FTD using FDM and setup basic outbound internet access and permit inbound access to a hostedwebserver.
CONFIGURING CISCO ASAV IN GNS3 I was looking for a new convenient lab solution to run on natively on my PC rather than fire up my noisy dedicated HP Proliant Lab server, in order to use the Cisco ASAv. I've used GNS3 for IOS devices regularly but never had the chance to use the ASAv. This blog postdetails the
CHECK POINT GAIA CLI COMMANDS Below is a collection of useful Check Point R75 Gaia commands for configuring the basic operating system settings such as hostname, interfaces, DNS, NTP, SNMP etc. Configuring SNMPv3 set snmp agent onset snmp contact ""set snmp location ""add snmp address ""set snmp agent-version v3-only add snmp usm user security CONFIGURING WINDOWS SUPPLICANT FOR 802.1X When using 802.1x authentication (wired or wireless) on a Windows computer joined to an Active Directory Domain, Windows Group Policies Objects (GPO) can deploy the Native Supplicant configuration. The native supplicant can use different authentication methods, the common method being PEAP/MSCHAPv2 which uses Username and Passwordauthentication.
CISCO IOS CERTIFICATE ENROLLMENT VIA SCEP OR MANUAL The intention of this blog post is to describe how to configure a Cisco IOS router to request a certificate from a Microsoft SCEP (NDES) server to use for VPN authentication. A Windows Server must be configured as a Certificate Authority and with "Network Device Enrollment Service". In the lab a Windows 2008 R2 server SPANNING TREE IMPLEMENTATIONS ON HP PROCURVE SWITCHES Additional Spanning Tree Protocol (STP) commands such as BPDU Protection, BPDU Filtering, Admin-Edge and Loop Protection exist to enhance implementations of STP and ensure a loop free network. Enable Spanning Tree spanning-tree spanning-tree priority 0 spanning-tree force-version RSTP-operation Enable spanning tree on the switch, set the priority and force the version to Rapid FTD CONFIGURATION USING FDM Cisco Firepower Threat Defense (FTD) firewall can be managed centrally using either Firepower Management Centre (FMC) or Cisco Defense Orchestrator (CDO), or locally using Firepower Device Manager. This post will describe how to configure the FTD using FDM and setup basic outbound internet access and permit inbound access to a hostedwebserver.
SECURING ASA TLS CIPHERS When using a Cisco ASA firewall for SSL/TLS Remote Access VPN or managing the device using ASDM, the appliance is enabled by default with TLS versions 1.0, 1.1 and 1.2. TLS versions 1.0 and 1.1 are considered insecure and depreciated in most browsers/operating systems. Most modern operating systems such as Windows 10 come withTLS
ASA MULTI-PEER IKEV2 VPN Overview High Availability VPN can be achieved on a Cisco ASA firewall using multi-peer crypto map, previously this feature was only supported on the ASA using IKEv1/ISAKMP not IKEv2. As of ASA version 9.14 this feature is now supported on IKEv2. Multi-peer crypto map allows the configuration of up to a maximum of 10 peer ASA SPLIT TUNNELLING When using a Cisco ASA for Remote Access VPN (SSL-VPN or IKEv2/IPSec) with the AnyConnect client, in most typical scenarios ALL traffic from the AnyConnect VPN client is encrypted and tunnelled back to the ASA. When using the ASA as the VPN headend device with the AnyConnect client you can use split tunnelling feature, which ASA EXPORT/IMPORT CERTIFICATE This post provides step-by-step procedure to export/import the SSL certificate used by the Cisco ASA using CLI and ASDM. Export/Import via CLI View the current CA/Identity certificate and identify the Trustpoint. show crypto ca certificates Export the Trustpoint configuration, keys and certificates in PKCS12 with a password. Save the output into a file. crypto ca ASA POLICY BASED ROUTING This post describes how to configure a Cisco ASA firewall to support Policy Based Routing (PBR). PBR allows an administrator to define routing based on source address, source port, destination address, destination port, protocol or a combination of all these. This is useful in a scenario when a customer requires multiple internetconnections.
ASA ANYCONNECT SBL
This post describes how to configure the Cisco ASA and AnyConnect VPN to use the Start-Before Logon (SBL) feature. This allows the user to connect to the VPN before logging onto Windows, thus allowing login scripts and Windows Group Policies to be applied. Create/Modify the AnyConnect Profile Open the AnyConnect VPN Profile EditorOpen theexisting
CCNP SWITCH: VLAN ACCESS CONTROL LISTS (VACL) VLAN ACLs (VACLs) provide traffic filtering for all packets within the same VLAN or that are routed into or out of the VLAN, where as a normal ACL can only be applied to routed packets only. VACLs are also known as VLAN access-maps, they are similar CONFIGURING DHCP SNOOPING ON HP PROCURVE DHCP snooping is a security feature that provides security by filtering untrusted DHCP messages. DHCP snooping functions when all DHCP servers connected to the switch are configured as trusted interfaces, when a rogue DHCP server is connected to untrusted interface DHCP snooping will drop the DHCP packets. This post describes configuration of DHCP snooping on CONFIGURING CHECK POINT GAIA WITH WINDOWS NPS RADIUS This post describes how to configure Check Point Gaia (R75.46) and Windows 2008 R2 NPS server to authenticate management access to the Check Point CLI or Web GUI. Please refer to the previous post to configure the Active Directory Groups and NPS Policies. 2 roles will be created in the Check Point Web GUI, one FTD POLICY BASED ROUTING FTD ALLOW ICMP/TRACEROUTE Ping and traceroute are tools used by engineers to troubleshoot network connectivity. In order to permit an outbound ping permit ICMP echo-request, to allow a reply through a firewall the ACL on the OUTSIDE interface must specifically permit an echo-reply inbound. Traceroute usually uses UDP probes and ICMP replies, the clientcomputer sends 3 x
FTD CONFIGURATION USING FDM Cisco Firepower Threat Defense (FTD) firewall can be managed centrally using either Firepower Management Centre (FMC) or Cisco Defense Orchestrator (CDO), or locally using Firepower Device Manager. This post will describe how to configure the FTD using FDM and setup basic outbound internet access and permit inbound access to a hostedwebserver.
ASA POLICY BASED ROUTING ASA MULTI-PEER IKEV2 VPN RECOMMENDED IKEV2 PROPOSAL Recommended IKEv2 Proposal. IKEv2 is an important protocol used in IPSec VPNs, it is used to securely authenticate peers by setting up security associations (SAs). Cisco IOS routers have predefined default encryption, integrity (hashing), DH group and PRF algorithms, some of these algorithms are no longer considered secure and therefore not FIREPOWER SSL DECRYPTION The Firepower SSL Decryption feature allows you to block encrypted traffic without inspection or inspect encrypted that would otherwise be unable to be inspected. In order for the FTD to decrypt the traffic the FTD must resign all certificates of websites, this is achieved by a Man in the Middle (MITM) attack. An internal CA CHECK POINT GAIA CLI COMMANDS Below is a collection of useful Check Point R75 Gaia commands for configuring the basic operating system settings such as hostname, interfaces, DNS, NTP, SNMP etc. Configuring SNMPv3 set snmp agent onset snmp contact ""set snmp location ""add snmp address ""set snmp agent-version v3-only add snmp usm user security CCNP SWITCH: VLAN ACCESS CONTROL LISTS (VACL) CCNP SWITCH: VLAN Access Control Lists (VACL) VLAN ACLs (VACLs) provide traffic filtering for all packets within the same VLAN or that are routed into or out of the VLAN, where as a normal ACL can only be applied to routed packets only. VACLs are also known as VLAN access-maps, they are similar to route maps and use route-mapconventions in
SPANNING TREE IMPLEMENTATIONS ON HP PROCURVE SWITCHES Additional Spanning Tree Protocol (STP) commands such as BPDU Protection, BPDU Filtering, Admin-Edge and Loop Protection exist to enhance implementations of STP and ensure a loop free network. Enable Spanning Tree spanning-tree spanning-tree priority 0 spanning-tree force-version RSTP-operation Enable spanning tree on the switch, set the priority and force the version to Rapid FTD POLICY BASED ROUTING FTD ALLOW ICMP/TRACEROUTE Ping and traceroute are tools used by engineers to troubleshoot network connectivity. In order to permit an outbound ping permit ICMP echo-request, to allow a reply through a firewall the ACL on the OUTSIDE interface must specifically permit an echo-reply inbound. Traceroute usually uses UDP probes and ICMP replies, the clientcomputer sends 3 x
FTD CONFIGURATION USING FDM Cisco Firepower Threat Defense (FTD) firewall can be managed centrally using either Firepower Management Centre (FMC) or Cisco Defense Orchestrator (CDO), or locally using Firepower Device Manager. This post will describe how to configure the FTD using FDM and setup basic outbound internet access and permit inbound access to a hostedwebserver.
ASA POLICY BASED ROUTING ASA MULTI-PEER IKEV2 VPN RECOMMENDED IKEV2 PROPOSAL Recommended IKEv2 Proposal. IKEv2 is an important protocol used in IPSec VPNs, it is used to securely authenticate peers by setting up security associations (SAs). Cisco IOS routers have predefined default encryption, integrity (hashing), DH group and PRF algorithms, some of these algorithms are no longer considered secure and therefore not FIREPOWER SSL DECRYPTION The Firepower SSL Decryption feature allows you to block encrypted traffic without inspection or inspect encrypted that would otherwise be unable to be inspected. In order for the FTD to decrypt the traffic the FTD must resign all certificates of websites, this is achieved by a Man in the Middle (MITM) attack. An internal CA CHECK POINT GAIA CLI COMMANDS Below is a collection of useful Check Point R75 Gaia commands for configuring the basic operating system settings such as hostname, interfaces, DNS, NTP, SNMP etc. Configuring SNMPv3 set snmp agent onset snmp contact ""set snmp location ""add snmp address ""set snmp agent-version v3-only add snmp usm user security CCNP SWITCH: VLAN ACCESS CONTROL LISTS (VACL) CCNP SWITCH: VLAN Access Control Lists (VACL) VLAN ACLs (VACLs) provide traffic filtering for all packets within the same VLAN or that are routed into or out of the VLAN, where as a normal ACL can only be applied to routed packets only. VACLs are also known as VLAN access-maps, they are similar to route maps and use route-mapconventions in
SPANNING TREE IMPLEMENTATIONS ON HP PROCURVE SWITCHES Additional Spanning Tree Protocol (STP) commands such as BPDU Protection, BPDU Filtering, Admin-Edge and Loop Protection exist to enhance implementations of STP and ensure a loop free network. Enable Spanning Tree spanning-tree spanning-tree priority 0 spanning-tree force-version RSTP-operation Enable spanning tree on the switch, set the priority and force the version to Rapid FTD ROUTE-BASED VPN (VTI) In November 2020 Cisco released the Firepower Threat Defence (FTD) and Firepower Management Centre (FMC) version 6.7. Supported from this version is the long-awaited Virtual Tunnel Interface (VTI) for route-based site-to-site VPNs. Prior to this version FTD/FMC only supported policy-based VPNs, which required configuring a crypto map with static access lists. SECURING FTD TLS CIPHERS When using a Cisco FTD firewall for SSL/TLS Remote Access VPN, the appliance is enabled by default with TLS versions 1.0, 1.1 and 1.2. TLS versions 1.0 and 1.1 are considered insecure and depreciated in most browsers/operating systems. Most modern operating systems such as Windows 10 come with TLS version 1.2 support as default, so FIREPOWER SSL DECRYPTION The Firepower SSL Decryption feature allows you to block encrypted traffic without inspection or inspect encrypted that would otherwise be unable to be inspected. In order for the FTD to decrypt the traffic the FTD must resign all certificates of websites, this is achieved by a Man in the Middle (MITM) attack. An internal CAFTD FACTORY RESET
The command to reset a Cisco Firepower Threat Defense (FTD) appliance to factory defaults without completely re-imaging the device is configure manager delete. This will erase the entire configuration (firewall rules, data interfaces, routing etc). The only settings NOT erased is the management configuration IP address and routing, therefore the appliance can be re-configured CCNP SWITCH: VLAN ACCESS CONTROL LISTS (VACL) CCNP SWITCH: VLAN Access Control Lists (VACL) VLAN ACLs (VACLs) provide traffic filtering for all packets within the same VLAN or that are routed into or out of the VLAN, where as a normal ACL can only be applied to routed packets only. VACLs are also known as VLAN access-maps, they are similar to route maps and use route-mapconventions in
FLEXVPN IKEV2 ROUTING FlexVPN supports the use of Dynamic Routing protocols such as EIGRP, BGP and OSPF. FlexVPN also has the ability to advertise routes in the IKEv2 SA's. In order to do this we must configure an IKEv2 Authorization Policy, this policy can be configured CONFIGURING WINDOWS SUPPLICANT FOR 802.1X When using 802.1x authentication (wired or wireless) on a Windows computer joined to an Active Directory Domain, Windows Group Policies Objects (GPO) can deploy the Native Supplicant configuration. The native supplicant can use different authentication methods, the common method being PEAP/MSCHAPv2 which uses Username and Passwordauthentication.
IKEV2/IPSEC VTI TUNNEL BETWEEN ASA FIREWALL AND IOS ROUTER IKEv2/IPSec VTI tunnel between ASA Firewall and IOS Router. Cisco introduced VTI to ASA Firewalls in version 9.7.1 as an alternative to policy based crypto maps. Cisco IOS routers have long supported VTI (sVTI, DVTI, DMVPN, FlexVPN etc). This post will describe the steps on how to configure a VTI between a Cisco ASA Firewall and a Cisco IOSRouter.
CONFIGURING CHECK POINT GAIA WITH WINDOWS NPS RADIUS This post describes how to configure Check Point Gaia (R75.46) and Windows 2008 R2 NPS server to authenticate management access to the Check Point CLI or Web GUI. Please refer to the previous post to configure the Active Directory Groups and NPS Policies. 2 roles will be created in the Check Point Web GUI, one REDISTRIBUTE EIGRP STATIC ROUTES USING A PREFIX-LIST AND A In some instances you may have a core switch with a link to a WAN router exchanging routes using a dynamic routing protocol such as EIGRP, static routes to other routers and a default route to the internet firewall. You may not have the ability to run a routing protocol on the other routers so FTD ALLOW ICMP/TRACEROUTE Ping and traceroute are tools used by engineers to troubleshoot network connectivity. In order to permit an outbound ping permit ICMP echo-request, to allow a reply through a firewall the ACL on the OUTSIDE interface must specifically permit an echo-reply inbound. Traceroute usually uses UDP probes and ICMP replies, the clientcomputer sends 3 x
FTD CONFIGURATION USING FDM Cisco Firepower Threat Defense (FTD) firewall can be managed centrally using either Firepower Management Centre (FMC) or Cisco Defense Orchestrator (CDO), or locally using Firepower Device Manager. This post will describe how to configure the FTD using FDM and setup basic outbound internet access and permit inbound access to a hostedwebserver.
ASA MULTI-PEER IKEV2 VPN
ASA POLICY BASED ROUTING
ASA EXPORT/IMPORT CERTIFICATE: This post provides a step-by-step procedure to export/import the SSL certificate used by the Cisco ASA using the CLI and ASDM. Export/Import via CLI: view the current CA/Identity certificate and identify the Trustpoint (show crypto ca certificates). Export the Trustpoint configuration, keys and certificates in PKCS12 with a password and save the output into a file (crypto ca ...
FTD REGISTRATION WITH FMC: Confirm the FTD can ping the FMC (assuming ICMP is permitted inbound to the FMC) with the command ping system ... If connectivity is confirmed, the next place to check is the message log file, with the command sudo tail -f /ngfw/var/logs/messages. In the screenshot below, the error "Peer 192.168.10.40 send bad hash" indicates that the FMC sent the incorrect registration key, therefore ...
ASA ANYCONNECT SBL: This post describes how to configure the Cisco ASA and AnyConnect VPN to use the Start-Before-Logon (SBL) feature. This allows the user to connect to the VPN before logging on to Windows, thus allowing login scripts and Windows Group Policies to be applied. Create/Modify the AnyConnect Profile: open the AnyConnect VPN Profile Editor, open the existing ...
CCNP SWITCH: VLAN ACCESS CONTROL LISTS (VACL): VLAN ACLs (VACLs) provide traffic filtering for all packets within the same VLAN or that are routed into or out of the VLAN, whereas a normal ACL can only be applied to routed packets. VACLs are also known as VLAN access-maps; they are similar ...
CHECK POINT GAIA CLI COMMANDS: Below is a collection of useful Check Point R75 Gaia commands for configuring the basic operating system settings such as hostname, interfaces, DNS, NTP, SNMP etc. Configuring SNMPv3:
set snmp agent on
set snmp contact ""
set snmp location ""
add snmp address ""
set snmp agent-version v3-only
add snmp usm user security ...
SPANNING TREE IMPLEMENTATIONS ON HP PROCURVE SWITCHES: Additional Spanning Tree Protocol (STP) commands such as BPDU Protection, BPDU Filtering, Admin-Edge and Loop Protection exist to enhance implementations of STP and ensure a loop-free network. Enable Spanning Tree:
spanning-tree
spanning-tree priority 0
spanning-tree force-version RSTP-operation
Enable spanning tree on the switch, set the priority and force the version to Rapid ...
FTD ALLOW ICMP/TRACEROUTE: Ping and traceroute are tools used by engineers to troubleshoot network connectivity. To permit an outbound ping, permit ICMP echo-request; to allow the reply back through the firewall, the ACL on the OUTSIDE interface must specifically permit echo-reply inbound. Traceroute usually uses UDP probes and ICMP replies; the client computer sends 3 x ...
FTD CONFIGURATION USING FDM: The Cisco Firepower Threat Defense (FTD) firewall can be managed centrally using either Firepower Management Centre (FMC) or Cisco Defense Orchestrator (CDO), or locally using Firepower Device Manager (FDM). This post describes how to configure the FTD using FDM, set up basic outbound internet access and permit inbound access to a hosted web server.
The Cisco ASA software supports two firewall modes, routed and transparent. A transparent firewall is a layer 2 firewall that acts like a stealth firewall and is not seen as a router hop between connected devices.
FTD POLICY BASED ROUTING: This post describes how to configure Policy Based Routing (PBR) on the Cisco Firepower Threat Defense (FTD) firewall. PBR is used to make routing decisions based on policies set by the administrator. This is generally used to route certain source traffic via a different interface. In the scenario described below, the FTD has two (2) outside ...
FTD ROUTE-BASED VPN (VTI): In November 2020 Cisco released Firepower Threat Defence (FTD) and Firepower Management Centre (FMC) version 6.7. Supported from this version is the long-awaited Virtual Tunnel Interface (VTI) for route-based site-to-site VPNs. Prior to this version FTD/FMC only supported policy-based VPNs, which required configuring a crypto map with static access lists.
SECURING FTD TLS CIPHERS: When using a Cisco FTD firewall for SSL/TLS Remote Access VPN, the appliance is enabled by default with TLS versions 1.0, 1.1 and 1.2. TLS versions 1.0 and 1.1 are considered insecure and deprecated in most browsers/operating systems. Most modern operating systems such as Windows 10 come with TLS version 1.2 support as default, so ...
FTD REMOTE ACCESS VPN WITH POSTURE: As of Cisco Firepower FTD version 6.3 CoA (Change of Authorization) is supported, which means FTD now supports ISE Posture. Firepower FTD Configuration: this post does not describe how to configure the basics such as registering the FTD to FMC, IPS, configuring interfaces and routing etc. The post describes how to configure Remote Access ...
RECOMMENDED IKEV2 PROPOSAL: IKEv2 is an important protocol used in IPSec VPNs; it is used to securely authenticate peers by setting up security associations (SAs). Cisco IOS routers have predefined default encryption, integrity (hashing), DH group and PRF algorithms; some of these algorithms are no longer considered secure and are therefore not recommended. As of Cisco IOS-XE v16.8.1 the ...
CONFIGURING WINDOWS SUPPLICANT FOR 802.1X: When using 802.1x authentication (wired or wireless) on a Windows computer joined to an Active Directory Domain, Windows Group Policy Objects (GPO) can deploy the Native Supplicant configuration. The native supplicant can use different authentication methods, the common method being PEAP/MSCHAPv2 which uses Username and Password authentication.
INTEGRATING IT
ISE WIRED DOT1X POSTURE
Cisco ISE Posture validation is used to determine the health status of the endpoint authenticating to the network. A set of conditions and requirements is defined by the organisation, consisting of security applications (Anti-Virus, Anti-Malware, Personal Firewall, Hotfixes, Disk Encryption, Registry entries etc) that should be running on the endpoint. The Cisco AnyConnect ISE Posture agent runs on the endpoint. Upon initial connection the client authenticates to ISE and is matched against a Posture Unknown Authorization Policy; the AnyConnect module connects to ISE and receives the posture requirements. The AnyConnect client then performs posture data collection and compares the results against the ISE Policy it downloaded, before sending the assessment results back to ISE. ISE determines whether the endpoint client is compliant or not, at which point a CoA (Change of Authorization) is sent and the client is re-authorized as either Compliant or Non-Compliant. This document covers the configuration of ISE regarding Posture, Authorization Policies and DACLs, and does not specifically cover configuring the basic ISE settings such as External Identity Groups and Certificates. Refer to the following posts, which cover the configuration of Wired dot1x in more detail:
* Initial Cisco ISE Configuration
* Configuring Wired 802.1x authentication with ISE
* Configuring Windows GPO for 802.1x authentication
Continue reading “ISE Wired dot1x Posture”
Author: integratingit. Posted on August 17, 2019. Categories: Cisco, ISE. Tags: 802.1x, AnyConnect, Cisco, DACL, ISE, Posture.

FTD DNS SECURITY
Cisco FTD DNS based Security Intelligence allows you to identify a suspicious DNS query and blacklist the resolution of the dubious domain. When using the DNS security provided by the FTD, the request for the suspicious domain is blocked before an HTTP connection is even established, saving resources. DNS Filtering can be performed in 3 ways:
* Cisco TALOS maintains a database of known bad DNS domains; these are updated and downloaded regularly by the FMC as a feed.
* Filtered manually from the FMC Connection Events page using the Global DNS Whitelist and Global DNS Blacklist.
* A custom DNS Feed/List.
A DNS Policy is defined which can take the following actions:
Continue reading “FTD DNS Security”
Author: integratingit. Posted on August 9, 2019. Categories: Cisco, Firepower. Tags: Cisco, DNS, FMC, FTD, Sinkhole.

FTD REMOTE ACCESS VPN WITH POSTURE
As of Cisco Firepower FTD version 6.3 CoA (Change of Authorization) is supported, which means FTD now supports ISE Posture.
FIREPOWER FTD CONFIGURATION
This post does not describe how to configure the basics such as registering the FTD to FMC, IPS, configuring interfaces and routing etc. It describes how to configure Remote Access VPN and how to integrate with ISE for authentication.
CONFIGURE VPN ADDRESS POOL
* Navigate to _OBJECTS > OBJECT MANAGEMENT > ADDRESS POOLS > IPV4 POOLS_
* Click _ADD IPV4 POOLS_
* Create a pool with a suitable _NAME_ and define the _IPV4 ADDRESS RANGE_
* Click _SAVE_ once complete
Continue reading “FTD Remote Access VPN with Posture”
Author: integratingit. Posted on July 25, 2019. Categories: Cisco, Firepower, ISE, VPN. Tags: Cisco, CoA, FTD, ISE, Posture, VPN.

CONFIGURING WINDOWS GPO FOR 802.1X AUTHENTICATION
When using 802.1x authentication (wired or wireless) on a Windows computer joined to an Active Directory Domain, Windows Group Policy Objects (GPO) can deploy the Native Supplicant configuration. The native supplicant can use different authentication methods, the common method being PEAP/MSCHAPv2 which uses Username and Password authentication. Slightly less common, due to the perceived complexity, is EAP-TLS which uses computer and/or user certificates. This blog post describes the configuration of PEAP/MSCHAPv2, which requires only a valid username and password for successful authentication.
Continue reading “Configuring Windows GPO for 802.1x authentication”
Author: integratingit. Posted on July 13, 2019, updated July 25, 2019. Categories: ISE, Microsoft. Tags: 802.1x, GPO, ISE, Native Supplicant, PEAP, RADIUS, Windows.

COMPARING DMVPN PHASE CONFIGURATION
Cisco DMVPN has 3 Phases; this post will simply cover the basic commands for each DMVPN Phase. This previous blog post describes DMVPN in more detail: DMVPN Phase 3 Dual Hub
BASIC CONFIGURATION
Continue reading “Comparing DMVPN Phase configuration”
Author: integratingit. Posted on May 18, 2019. Categories: Cisco, DMVPN, VPN. Tags: Cisco, Comparison, DMVPN, Phase, VPN.

FLEXVPN VRF
VRFs can be used on a router acting as a VPN gateway in order to isolate the routing tables of encrypted and cleartext traffic. By default, when not using VRFs, all routes are within the global routing table. A Front Door VRF (FVRF) can be defined on the outside/WAN interface; all traffic within this VRF would be encrypted. An Inside VRF (IVRF) would be used for cleartext traffic and is defined on the interface(s) on the inside of the network. In this blog post scenario the Hub and Spoke routers will be configured as follows:
SUMMARY
* The Hub router will use a DVTI (Virtual-Template).
* The Spoke router(s) will be configured with an SVTI Tunnel Interface per IVRF (in this scenario 2 IVRFs will be used).
* The Hub router will not accept more than 1 tunnel from the same source peer address, therefore a loopback interface per tunnel is defined on the spoke routers; this must be routable over the internet/WAN.
* RSA Certificates will be used for authentication. The spoke routers will require a unique certificate per VRF.
* Authorization will be performed on the Hub; a unique value in the OU field will distinguish between the spoke tunnels, with the IKEv2 name-mangler feature extracting the OU value.
* Multiple Local IKEv2 Authorization Policies will be defined on the Hub, the Policy name matching the exact value in the OU field of the spokes' certificate. In this instance the OU value is the same as the IVRF name, although it does not need to be the same name as the IVRF.
* The Hub's IKEv2 Authorization Profile will reference a unique AAA Attribute list, which will define the unique VRF to be assigned to the Virtual-Access interface dynamically created on the Hub.
* The spoke router(s) will also perform Authorization, but the policy will be statically configured (name-mangler not required).
* IKEv2 Routing will be used for one VRF and EIGRP will be used for the other.
This post does not cover the full configuration of FlexVPN; refer to the previous blog posts for more information:
* FlexVPN Hub and Spoke
* FlexVPN Local Authorization
* FlexVPN IKEv2 Routing
* FlexVPN Certificate Authentication
Continue reading “FlexVPN VRF”
Author: integratingit. Posted on April 22, 2019. Categories: Cisco, FlexVPN. Tags: AAA, Authorization, Cisco, FlexVPN, IKEv2, VPN, VRF.

CISCO IOS CERTIFICATE AUTHORITY
A Cisco IOS Router can be configured as a Certificate Authority (CA), distributing and managing (revoking) digital certificates. IOS routers enrol with the PKI Server and are issued a certificate for use during the authentication phase when establishing a VPN tunnel. When authenticating, peers exchange certificates and validate the identity of the peer; if successful they establish a secure IKE Security Association, through which an IPSec SA can be established. The purpose of this post is to describe the steps to configure a basic PKI/CA Server on a Cisco IOS router.
Continue reading “Cisco IOS Certificate Authority”
Author: integratingit. Posted on March 26, 2019. Categories: Cisco, VPN. Tags: CA, Certificate Authority, Certificates, Cisco, DMVPN, FlexVPN, PKI, VPN.
integrating IT Blog at WordPress.com.