LTLnetworker | IT networks, security, Cisco

Archive for the ‘ASA’ Category

TLS Experiences with Elliptic Curve Algorithms on Cisco ASA

Posted by ltlnetworker on December 18, 2016

Elliptic Curve Cryptography (ECC) is a newer approach to public-key cryptography. EC algorithms were introduced in NSA Suite B; Cisco uses the broad term Next Generation Encryption (NGE) for Suite B. Why are elliptic curve keys and certificates important? Because elliptic curve keys are more efficient than RSA keys, they are expected to gain popularity. (However, there are plans to replace Suite B with an even newer CNSA Suite, which contains even stronger ECDH and ECDSA algorithms.) EC algorithms provide the same level of cryptographic strength with shorter keys than RSA.

Elliptic curve TLS ciphers and certificates are supported from

  • ASA version 9.4(1)
  • Windows 7
  • Windows 2008 Server


Posted in ASA, Cisco | 3 Comments

Management network topology and asymmetric routing

Posted by ltlnetworker on August 16, 2015

We all want a management network or at least a management VLAN. Those who say they have none actually do have a VLAN for management; it is probably just shared with ordinary users (i.e. it is not dedicated). Most IT people prefer a dedicated VLAN that carries no other kind of traffic and is preferably not reachable by users.

In this article we use this definition: a management VLAN or management network is a dedicated segment for network management traffic, which can be used for:

  • administering your network devices (also called device access: reaching switches, routers and firewalls via telnet, ssh, https etc.)
  • collecting monitoring information (syslog, SNMP etc.)
  • hosting syslog, monitoring and management servers (Nagios, Tivoli, Cisco Prime etc.)
  • AAA traffic (RADIUS or TACACS+ to Cisco ACS/ISE)


Posted in ASA, Check Point, Cisco, F5, Fortinet, routing, switch | 3 Comments

Using Cisco ISE as a generic RADIUS server

Posted by ltlnetworker on August 31, 2014

Cisco ISE is an identity-based policy server with a wide range of functions, from RADIUS CLI authentication to workstation posturing. Even with only a base license it includes a full-featured RADIUS server, so it can also perform trivial RADIUS tasks that would not by themselves require such a sophisticated product. A few years earlier, Cisco Secure ACS would have been the common choice for the functions described in this article; ISE’s policy logic and web interface are quite different.

The following use cases are described:

Posted in AAA, ASA, Cisco, IPsec, ISE, remote access, router IOS, switch | 8 Comments

Smart tunnels on Cisco ASA

Posted by ltlnetworker on January 17, 2014

Sometimes we have to provide secure remote access for users over whose computers we have no influence at all. These computers have neither AnyConnect nor the Cisco VPN client, and the users may not have administrator rights, so browser-based AnyConnect installation is not an option either. For such users we can set up a WebVPN portal on Cisco ASA with the clientless SSL VPN feature.

Clientless SSL VPN provides a web portal with various services such as internal websites, CIFS links, Outlook Web Access etc., all accessed via the browser. The ASA software serves HTTPS to the client and proxies the internal server’s content. The SSL core rewriter (or content rewriter) performs application-level proxying, so not all websites are guaranteed to work properly. For example, as of 9.1(3) the ASA software does not support the Microsoft SharePoint 2013 portal, and some tricky content is not displayed.

Posted in ASA, Cisco, remote access | 2 Comments

Unreachable network behind TMG

Posted by ltlnetworker on February 3, 2013

I was asked to troubleshoot Active Directory DC synchronization network issues. Two DCs are behind TMG, the third is in an ASA DMZ, so the path is:

                  DC0 — ASA — TMG — DC73

The TMG performs no NAT for these networks, so it is plain routing. TMG has its default gateway set to the ASA, and the ASA has a static route pointing to TMG’s outside address.

Connectivity was completely broken (no ping, AD sync fail). On the ASA we could see half-open TCP connections:

Posted in ASA, Cisco

ASA throughput depends on port location

Posted by ltlnetworker on January 25, 2011

I can hardly believe my own test results. I’m running performance tests with an ASA 5550 (the one with a factory-installed 4GE module), and there is an interface pair whose throughput is lower than on the other pairs.

Posted in ASA, Cisco | 2 Comments