Entries by talebi_it@yahoo.com

CentOS network configuration

You can configure a network interface by editing the configuration files stored in the /etc/sysconfig/network-scripts/ directory. Let's configure the first network interface, eth0. Edit the interface configuration file: # vi /etc/sysconfig/network-scripts/ifcfg-eth0 (if the file doesn't exist, create it with the name ifcfg-ethX). Append/modify as follows. For a system using a static IP address: DEVICE="eth0" BOOTPROTO="none" ONBOOT="yes" IPADDR="192.168.1.15" NETMASK="255.255.255.0" GATEWAY="192.168.1.1" For a […]
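The ifcfg file above is sourced as shell by the network scripts, so a quoting slip or a gateway that is not inside the configured subnet is only noticed when the box drops off the network. The following is an added example, not code from the original post: a small parser for the KEY="value" format plus a consistency check for the static-address case (IPADDR is a usable host address, GATEWAY lies inside the IPADDR/NETMASK subnet, ONBOOT is yes). The sample file is constructed from the values in the excerpt; the PREFIX handling and the checks themselves are the author's assumptions about what is worth validating, not part of the original page.

```python
"""Validate a RHEL/CentOS ifcfg-style interface file (added example)."""
import ipaddress
import shlex

# Constructed sample mirroring the excerpt above; not read from a real host.
SAMPLE_IFCFG = '''
DEVICE="eth0"
BOOTPROTO="none"
ONBOOT="yes"
IPADDR="192.168.1.15"
NETMASK="255.255.255.0"
GATEWAY="192.168.1.1"
'''


def parse_ifcfg(text):
    """Return {KEY: value} from ifcfg text, ignoring blank and comment lines.

    Values are unquoted with shlex because the network scripts source the
    file with sh, so "eth0", 'eth0' and eth0 all mean the same thing.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = shlex.split(value, comments=True)
        conf[key.strip()] = parts[0] if parts else ""
    return conf


def check_ifcfg(conf):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    proto = conf.get("BOOTPROTO", "").lower()
    if proto in ("none", "static"):
        if "IPADDR" not in conf:
            problems.append("BOOTPROTO=%s but no IPADDR is set" % proto)
            return problems
        try:
            # PREFIX wins over NETMASK in the network scripts (assumption
            # documented here; both forms are accepted by ipaddress).
            mask = conf.get("PREFIX") or conf.get("NETMASK", "255.255.255.255")
            iface = ipaddress.ip_interface("%s/%s" % (conf["IPADDR"], mask))
        except ValueError as exc:
            problems.append("bad IPADDR/NETMASK/PREFIX: %s" % exc)
            return problems
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append("IPADDR %s is the network or broadcast address of %s" % (iface.ip, net))
        gateway = conf.get("GATEWAY")
        if gateway:
            try:
                gw_ip = ipaddress.ip_address(gateway)
            except ValueError:
                problems.append("GATEWAY %r is not an IP address" % gateway)
            else:
                if gw_ip not in net:
                    problems.append("GATEWAY %s is outside %s; the default route will not install" % (gw_ip, net))
                elif gw_ip == iface.ip:
                    problems.append("GATEWAY is the same address as IPADDR")
    if conf.get("ONBOOT", "").lower() != "yes":
        problems.append("ONBOOT is not yes; the interface will not come up at boot")
    return problems


if __name__ == "__main__":
    cfg = parse_ifcfg(SAMPLE_IFCFG)
    for problem in check_ifcfg(cfg) or ["ifcfg is consistent"]:
        print(problem)
```

Run it against a real file with `check_ifcfg(parse_ifcfg(open(path).read()))`; a gateway typed on the wrong subnet is the single most common reason a freshly configured CentOS host has no default route after `ifup eth0`.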

Cisco ASA FirePOWER Services: how to install FMC?

Technology: Network Security. Area: Next Generation Firewalls. Vendor: Cisco. Software: 8.X, 9.X; FMC 5.X, 6.X; SFR module 5.X, 6.X. Platform: Cisco ASA, Firepower Management Center VM. Firepower Management Center installation steps: 1. Deploy from OVF 2. Assign the hostname for the VM 3. Choose the right OVF and VMDK files 4. Select the proper vNIC (the one you will […]

Migrating ASA to FTD

In this post we discuss migrating an ASA with FirePOWER Services to a Firepower Threat Defense (FTD) image on an ASA 5506-X appliance. At a high level, you reimage the ASA unit with an FTD image, then use the migration tool (if you have an existing ASA configuration) to import the ASA configuration into […]

DVTI on Hub-Spoke IKEV2

R1 —————– (config)# crypto pki certificate map CMAP 1 # issuer-name co talebi (config)# default crypto ikev2 proposal (config)# crypto ikev2 proposal default # encryption aes-cbc-256 # integrity sha256 # group 14 (config)# default crypto ikev2 policy (config)# crypto ikev2 profile IKEV2-Profile # identity local dn # match certificate CMAP # authentication remote rsa-sig # authentication local […]

FlexVPN – Part 2

- Proposal => Diffie-Hellman group, encryption, integrity - Policy - Profile (match, keyring). show crypto ikev2 proposal default show crypto ikev2 policy default show crypto ipsec transform-set default show crypto ipsec profile default. Changing the default proposal: (config)# crypto ikev2 proposal default (config-ikev2-proposal)# encryption aes-cbc-256 (config-ikev2-proposal)# integrity sha256 (config-ikev2-proposal)# group 2 Revert back to the default proposal […]

FlexVPN: IKEV2 – Part 1

FlexVPN = IKEv2 + NGE (Next Generation Encryption). IKEv1: phase 1 negotiates, phase 2 builds the IPsec tunnel. IKEv2: initial negotiation + IPsec tunnel => proposals, keyring, policy, profile. #show crypto ikev2 proposal default #show crypto ikev2 policy default (config)# crypto ikev2 keyring HRT-keyring peer container1 address 192.168.10.2 identity fqdn r2.test.local pre-shared-key local […]

Dynamic Virtual Tunnel Interfaces (VTIs)

Branches with static VTI; hub with dynamic VTI: ISAKMP profile, keyring with PSKs, virtual template. R1 (Hub) — (config)# crypto isakmp policy 1 (config-isakmp)# encr aes 192 (config-isakmp)# authentication pre-share (config-isakmp)# group 5 (config)# crypto keyring HRT-PSKS (config-keyrings)# pre-shared-key address 0.0.0.0 (the remote IP, or 0.0.0.0 for all peers) key cisco123 (config)# crypto ipsec transform-set HRT-SET esp-aes […]

Site to Site- Static VTI IPSEC

R1 — (config)# crypto ipsec transform-set HRT esp-aes 256 esp-sha-hmac (cfg-crypto-trans)# mode tunnel (config)# crypto ipsec profile P2P-PROFILE (ipsec-profile)# set transform-set HRT (config)# crypto isakmp policy 15 # encr aes 256 # authentication pre-share # group 14 (config)# crypto isakmp key cisco123 address 0.0.0.0 (config)# int tunnel 1 (config-if)# tunnel source serial 1/0 (config-if)# tunnel destination 35.0.0.3 (config-if)# tunnel mode ipsec ipv4 (config-if)# […]
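The IKEv1 policies, IKEv2 proposals and transform sets in the five VPN entries above (DVTI on Hub-Spoke IKEv2, FlexVPN Parts 1 and 2, Dynamic VTIs, and this site-to-site static VTI) mix strong settings with a few that a reviewer would push back on: DH group 2 and group 5 (1024- and 1536-bit MODP), esp-sha-hmac (HMAC-SHA-1), and a pre-shared key bound to address 0.0.0.0 that any peer knowing the key can use. The following is an added example, not code from the original posts: a Python audit that parses the stanza layout of an IOS running-config and flags those choices. The thresholds (DH group 14 or higher, no DES/3DES, no MD5/SHA-1, no wildcard PSK) are the author's baseline, not something the page states, and the sample config is constructed by combining lines from the excerpts.

```python
"""Audit IKEv1/IKEv2/IPsec settings in a Cisco IOS config (added example)."""
import re

MIN_DH_GROUP = 14  # MODP-2048; ECDH groups 19-21 are numbered above this
WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_INTEGRITY = {"md5", "sha", "sha1", "esp-md5-hmac", "esp-sha-hmac"}

# Constructed sample assembled from the excerpts above; not a real device config.
SAMPLE_CONFIG = '''
crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 5
crypto isakmp policy 15
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key cisco123 address 0.0.0.0
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 2
crypto ikev2 proposal HRT-PROP
 encryption aes-gcm-256
 prf sha512
 group 19
crypto ipsec transform-set HRT esp-aes 256 esp-sha-hmac
 mode tunnel
'''


def parse_stanzas(text):
    """Split IOS config text into (header, [indented subcommands]) tuples."""
    stanzas = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            if stanzas:
                stanzas[-1][1].append(line.strip())
        else:
            stanzas.append((line.strip(), []))
    return stanzas


def audit_config(text):
    """Return [(stanza header, finding)] for every weak IKE/IPsec setting found."""
    findings = []
    for header, body in parse_stanzas(text):
        if header.startswith("crypto isakmp key") and re.search(r"\baddress 0\.0\.0\.0\b", header):
            findings.append((header, "wildcard pre-shared key: any host holding the key can complete phase 1"))
        elif header.startswith(("crypto isakmp policy", "crypto ikev2 proposal")):
            for sub in body:
                tokens = sub.split()
                if tokens[0] == "group":
                    weak = [g for g in tokens[1:] if g.isdigit() and int(g) < MIN_DH_GROUP]
                    if weak:
                        findings.append((header, "DH group(s) %s below group %d" % (",".join(weak), MIN_DH_GROUP)))
                elif tokens[0] in ("encr", "encryption") and any(t in WEAK_ENCRYPTION for t in tokens[1:]):
                    findings.append((header, "weak encryption: %s" % sub))
                elif tokens[0] in ("hash", "integrity") and any(t in WEAK_INTEGRITY for t in tokens[1:]):
                    findings.append((header, "weak integrity: %s" % sub))
        elif header.startswith("crypto ipsec transform-set"):
            # tokens[3] is the set name; the transforms follow it
            weak = [t for t in header.split()[4:] if t in WEAK_ENCRYPTION or t in WEAK_INTEGRITY]
            if weak:
                findings.append((header, "SHA-1/DES-era transform(s): %s" % " ".join(weak)))
    return findings


if __name__ == "__main__":
    for stanza, finding in audit_config(SAMPLE_CONFIG):
        print("%-55s %s" % (stanza, finding))
```

On the constructed sample the audit reports four findings: group 5 in isakmp policy 1, the 0.0.0.0 pre-shared key, group 2 in the modified default IKEv2 proposal, and esp-sha-hmac in transform set HRT; policy 15 (aes 256, group 14) and the AES-GCM/group 19 proposal pass. Feed it the output of `show running-config | section crypto` to check a real device.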