Cisco ASA – Site to Site IPSec VPN with dynamic IP address

Setting up a policy-based site-to-site IPsec VPN tunnel between two static IP addresses is quite straightforward on a Cisco ASA, but what if one of the endpoints uses a dynamic IP address? The static side cannot name its peer in advance, so it has to accept the tunnel from an address it does not know until the peer connects.

In this lab, I will be using two virtual ASAs (9.6(2)) to build a site-to-site IPsec VPN tunnel, and I will also set up the Cisco VPN client on the ASA that has the static IP address.

ASA-F14 is the one with the static IP address, and ASA-F16 is the one using a dynamic IP address.


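The static side of such a tunnel has to be configured with a dynamic crypto map instead of a fixed peer. The configuration below is an added example, not the configuration from the post or the lab; it assumes IKEv1 with a pre-shared key, interface names "inside" and "outside", an outside address of 198.51.100.14 for ASA-F14, and LAN subnets 192.168.14.0/24 (F14) and 192.168.16.0/24 (F16), none of which the post states. Replace the PSK placeholder with your own secret.

```cisco
! ASSUMED (not in the post): ASA-F14 outside 198.51.100.14, inside 192.168.14.0/24;
! ASA-F16 inside 192.168.16.0/24; interface names "inside"/"outside"; IKEv1 + PSK.
! ===== ASA-F14 (static address) =====
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Interesting traffic (proxy IDs) between the two LANs
access-list L2L-F16 extended permit ip 192.168.14.0 255.255.255.0 192.168.16.0 255.255.255.0
!
! A dynamic crypto map has no "set peer": it accepts a tunnel from any address
! that authenticates. "match address" still pins the proxy IDs the peer may negotiate.
crypto dynamic-map DYN-L2L 10 match address L2L-F16
crypto dynamic-map DYN-L2L 10 set ikev1 transform-set TS-AES256-SHA
crypto dynamic-map DYN-L2L 10 set pfs group14
! Dynamic entries go last (highest sequence) so any static peers are matched first.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE-MAP interface outside
!
! A peer whose address is unknown lands in DefaultL2LGroup, so this PSK is
! shared by every dynamic peer (see the note after this block).
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <PSK>
!
! Keep the VPN traffic out of any PAT toward the Internet (identity NAT).
object network NET-F14
 subnet 192.168.14.0 255.255.255.0
object network NET-F16
 subnet 192.168.16.0 255.255.255.0
nat (inside,outside) source static NET-F14 NET-F14 destination static NET-F16 NET-F16 no-proxy-arp route-lookup
!
! ===== ASA-F16 (dynamic address): an ordinary static map; F16 must initiate =====
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
access-list L2L-F14 extended permit ip 192.168.16.0 255.255.255.0 192.168.14.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address L2L-F14
crypto map OUTSIDE-MAP 10 set peer 198.51.100.14
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.14 type ipsec-l2l
tunnel-group 198.51.100.14 ipsec-attributes
 ikev1 pre-shared-key <PSK>
! (F16 needs the mirror-image identity NAT if it PATs its LAN to the Internet.)
!
! Verify on F14 after F16 has sent interesting traffic:
! show crypto ikev1 sa
! show crypto ipsec sa peer <F16 current address>
```

Because ASA-F14 cannot tell dynamic peers apart by address, the DefaultL2LGroup key is effectively a shared secret for anyone who shows up: whoever learns it can bring a tunnel up and, within the proxy IDs of the crypto ACL, reach 192.168.14.0/24. Keep the "match address" on the dynamic map so a rogue peer cannot negotiate wider proxy IDs, and prefer certificate authentication for the dynamic peer when it can support it.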

MPLS VPN – routes sharing between 2 different VRFs across the MPLS network

The beauty of MPLS VPN is that multiple tenants run over the same MPLS core while each tenant is kept from reaching the other tenants' networks. But what if two tenants do need to connect to each other?

In the lab below, we have two tenants: VRF 1120020010 (RT 200010) on Router 12 and VRF 1030010010 (RT 100010) on Router 03. By default the ASAs attached to these VRFs cannot communicate, because they sit in two different VRFs that share no route targets. In this case I will use Cisco IOS and Juniper MX to let the two VRFs reach each other.

Lab diagram: 20161221-mpls-2vrfs

We can start by checking the existing configuration and the routing table on Router 03 and Router 12.

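The mechanism that joins two VRFs is route-target import: each VRF additionally imports the other tenant's RT, so the PE installs the other tenant's VPNv4 routes into its table. The Cisco IOS configuration below is an added example, not the lab configuration from the post, and it covers only the IOS side. It assumes AS 65000 in the RD/RT values (the post gives only the numeric part), the tenant prefixes 10.200.1.0/24 and 10.30.1.0/24, and the route-map and prefix-list names; all of these are assumptions.

```cisco
! ASSUMED: AS 65000 in RD/RT values, tenant prefixes, and the LEAK-*/PL-*/OWN-RT-* names.
! ===== Router 12: tenant VRF 1120020010 =====
vrf definition 1120020010
 rd 65000:200010
 address-family ipv4
  route-target export 65000:200010
  route-target import 65000:200010
  ! Leak: also accept routes tagged with the other tenant's RT
  route-target import 65000:100010
  ! Restrict what gets leaked. The import map filters every route imported into
  ! this VRF, including its own RT, so it must permit those too (clause 20).
  import map LEAK-FROM-100010
 exit-address-family
!
ip prefix-list PL-FROM-100010 seq 10 permit 10.30.1.0/24
ip extcommunity-list standard OWN-RT-200010 permit rt 65000:200010
!
route-map LEAK-FROM-100010 permit 10
 match ip address prefix-list PL-FROM-100010
route-map LEAK-FROM-100010 permit 20
 match extcommunity OWN-RT-200010
!
! ===== Router 03: tenant VRF 1030010010, the mirror image =====
vrf definition 1030010010
 rd 65000:100010
 address-family ipv4
  route-target export 65000:100010
  route-target import 65000:100010
  route-target import 65000:200010
  import map LEAK-FROM-200010
 exit-address-family
!
ip prefix-list PL-FROM-200010 seq 10 permit 10.200.1.0/24
ip extcommunity-list standard OWN-RT-100010 permit rt 65000:100010
!
route-map LEAK-FROM-200010 permit 10
 match ip address prefix-list PL-FROM-200010
route-map LEAK-FROM-200010 permit 20
 match extcommunity OWN-RT-100010
!
! Verify on Router 12: the leaked prefix appears in the VRF table and carries the
! other tenant's extended community.
! show ip route vrf 1120020010
! show bgp vpnv4 unicast vrf 1120020010 10.30.1.0/24
```

Without the import map, "route-target import 65000:100010" pulls in every prefix the other tenant exports, which silently turns two isolated tenants into one routing domain that bypasses whatever firewall each tenant has at its edge. Leaking only the prefixes that are supposed to talk to each other keeps the blast radius of a compromised tenant small.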

Cisco ASA – simple 1 to 1 NAT and firewall policy setup

For those who have been working with Cisco routers, setting up a Cisco ASA stateful policy is as simple as setting up an ACL. The difference is that the ASA keeps a connection table: a TCP segment that does not belong to a connection opened with a SYN is dropped, and once a connection exists its return traffic is admitted from that table. So, unlike on a router, you do not need a second ACL for the return traffic.

In this example, 192.168.104.250/32 is the server in the DMZ, and a one-to-one static NAT is applied to the incoming traffic so that Internet users can reach its HTTP service, and nothing else.

The IP address of the firewall is 10.50.2.10/29, and we will map the server to another external IP address in that block, 10.50.2.11.

Lab diagram: 20161215-vasa-lab-nat
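The two pieces that together make this work are the static NAT and the inbound ACL. The configuration below is an added example rather than the post's own config; it uses the post's addresses and assumes the interface names "dmz" and "outside", the object and ACL names, and a documentation address (203.0.113.5) for the test client.

```cisco
! ASSUMED: interface names "dmz"/"outside", object/ACL names, test client 203.0.113.5.
! ASA 8.3+ object NAT syntax, as used by the 9.x ASA in these labs.
object network DMZ-WEB
 host 192.168.104.250
 ! One-to-one static NAT: 192.168.104.250 <-> 10.50.2.11 in both directions.
 ! The ASA answers ARP for 10.50.2.11 on the outside segment itself.
 nat (dmz,outside) static 10.50.2.11
!
! Inbound policy. Since 8.3 an ACL matches the REAL (untranslated) address,
! so the rule references the object, not 10.50.2.11. Implicit deny follows.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq www
access-group OUTSIDE-IN in interface outside
!
! Nothing is needed on "dmz" for the replies: they follow the connection
! that the inbound SYN created.
!
! Tighter alternative: translate only TCP/80, so nothing else on the server
! is even reachable at the mapped address, whatever the ACL says:
!  nat (dmz,outside) static 10.50.2.11 service tcp www www
!
! Verify: simulate an Internet client hitting the mapped address. The first
! trace should show the NAT untranslate and ACCESS-LIST ALLOW; the second
! (SSH) should end in DROP.
! packet-tracer input outside tcp 203.0.113.5 40000 10.50.2.11 80
! packet-tracer input outside tcp 203.0.113.5 40000 10.50.2.11 22
! show xlate
! show nat
```

The port-restricted variant is worth the extra line in production: a one-to-one mapping exposes every port of the server at 10.50.2.11 to the NAT stage, and only the ACL stands between the Internet and, say, a management service on the same host. Translating just the service you intend to publish means a later ACL mistake cannot open the rest.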

Networking – layer 2 communication.

Computer networking can leave newcomers to IT confused when they first start learning it. This post explains it in layman's terms, giving the basic concepts and some basic configuration on Cisco products for reference.

So what is layer 2 communication? What does it provide, or allow us to do? What is a network hub and what can it do? How is a network switch different? What is a LAN and what is a VLAN? (This post covers Ethernet networks only.)

Cisco ASA – routing sample

In this post, I will show you how to set up a Cisco ASA firewall as a layer 3 forwarding device. The example uses a 192.168.3.10/32 machine reaching 9.9.9.92/32 with iPerf. Only simple routing is involved; there is no NAT.

In this setup, the ASA is the gateway between the office network and the Internet: 192.168.3.0/24 is the internal subnet and 10.0.0.20/30 is the link to the Internet. There are a couple of areas to handle, routing and policy. Since the ASA is a stateful device, we apply a policy that allows the internal network to reach the external network but not vice versa; the replies to those internal connections come back through the connection table rather than through a separate rule.
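Routing and policy for this topology, as an added example that is not the post's configuration: the post gives the two subnets only, so the ASA's own addresses (192.168.3.1 inside, 10.0.0.21 outside), the upstream next hop 10.0.0.22, the interface names, the ACL name, and the iPerf port (TCP 5001, the iperf2 default) are all assumptions.

```cisco
! ASSUMED: ASA inside 192.168.3.1, outside 10.0.0.21, upstream router 10.0.0.22,
! interface/ACL names, iPerf on TCP 5001. Subnets are the post's.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.0.0.21 255.255.255.252
!
! Default route toward the Internet; 9.9.9.92 is reached through it.
route outside 0.0.0.0 0.0.0.0 10.0.0.22 1
!
! Policy. With no ACL bound, the ASA already permits inside (100) -> outside (0)
! and denies the reverse. Binding an ACL to "inside" replaces that blanket
! permit with an explicit allow list (implicit deny at the end).
access-list INSIDE-OUT extended permit tcp host 192.168.3.10 host 9.9.9.92 eq 5001
access-list INSIDE-OUT extended permit icmp 192.168.3.0 255.255.255.0 any echo
access-group INSIDE-OUT in interface inside
!
! Nothing is bound to "outside": outside-initiated traffic hits the implicit deny,
! while replies to the iPerf session are admitted by the connection table.
! ICMP is only tracked when inspected, so enable it for the ping test.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! No nat statements at all: the ASA forwards 192.168.3.x unchanged, so the
! upstream router must have a route back to 192.168.3.0/24 via 10.0.0.21.
!
! Verify: the first trace should ALLOW, the second (outside-initiated) should DROP.
! packet-tracer input inside tcp 192.168.3.10 50000 9.9.9.92 5001
! packet-tracer input outside tcp 9.9.9.92 5001 192.168.3.10 50000
! show conn
! show route
```

The reason the outside-initiated trace drops while the real iPerf replies get through is the connection table: the inside SYN creates an entry, and packets from 9.9.9.92 that match it are accepted without consulting any outside ACL, whereas a fresh SYN from outside matches no entry and falls to the implicit deny.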

Cisco ASA – Checking information

The Cisco ASA firewall is a security appliance that performs packet inspection and has limited routing features. For those who are new to the product, it presents its information differently from Cisco routers. That can be confusing at first, but since the syntax is similar to other Cisco products ("show run", for example), it is not hard to pick up. I will list some frequently used commands for troubleshooting.

  1. show run – shows the running configuration the ASA is operating with.
  2. show run all – shows the configuration the user entered together with the default settings the ASA is running with.
  3. show ip – comparable to "sho ip int br" on other Cisco products; displays the address assigned to each interface of the ASA.
  4. show nameif – shows the name ("zone") attached to each interface, such as "DMZ", "inside" and "outside". These names are what ACLs, NAT rules and routes refer to.
  5. show xlate – shows the active NAT translations (the translation slots currently in use).
  6. show nat – shows the configured NAT rules in evaluation order, with hit counts. Use it together with "show xlate" when a translation is not happening as expected.
  7. show conn – shows the connection (state) table, i.e. the sessions the ASA is currently tracking.
  8. show version – shows information about the ASA, including RAM, CPU, the serial number of the device, uptime, and licence information.
  9. show crypto ikev1 sa – lists the active IKEv1 security associations (phase 1).
  10. show crypto ikev2 sa – lists the active IKEv2 security associations.
  11. show ipsec sa (or show crypto ipsec sa) – shows the active IPsec security associations (phase 2), with the encrypt and decrypt counters for each tunnel.
  12. show interface – shows information for the physical interfaces, including the MAC address, bandwidth, duplex, speed, and CRC errors.

The commands above are for general use and can also be run in configuration mode without prefixing "do". I will demonstrate more commands in my ASA posts.