Entries by talebi_it@yahoo.com

Cisco ASA FirePOWER Services: how to install FMC?

Technology: Network Security
Area: Next Generation Firewalls
Vendor: Cisco
Software: 8.X, 9.X, FMC 5.X, 6.X, SFR module 5.X, 6.X
Platform: Cisco ASA, Firepower Management Center VM
Firepower Management Center installation steps:
1. Deployment from OVF
2. Assign the hostname for VM
3. Choose the right ovf and vmdk files
4. Select proper vNIC (the one you will […]

Migrating ASA to FTD

For this post, we will be discussing migrating an ASA with FirePOWER services to a Firepower Threat Defense (FTD) image on an ASA 5506-X appliance. At a high level, you reimage the ASA unit with an FTD image, then use the migration tool (if you have an existing ASA configuration) to import the ASA configuration into […]

DVTI on Hub-Spoke IKEV2

R1
(config)# crypto pki certificate map CAMP 1
# issuer-name co talebi
(config)# default crypto ikev2 proposal
(config)# crypto ikev2 proposal default
# encryption aes-cbc-256
# integrity sha256
# group 14
(config)# default crypto ikev2 policy
(config)# crypto ikev2 profile IKEV2-Profile
# identity local dn
# match certificate CMAP
# authentication remote rsa-sig
# authentication local […]

FlexVPN – Part 2

- Proposal ==> Diffie-Hellman group, encryption, integrity
- Policy
- Profile (match), (keyring)
show crypto ikev2 proposal default
show crypto ikev2 policy default
show crypto ipsec transform-set default
show crypto ipsec profile default
Changing the default proposal:
(config)# crypto ikev2 proposal default
(config-ikev2-proposal)# encryption aes-cbc-256
(config-ikev2-proposal)# integrity sha256
(config-ikev2-proposal)# group 2
Reverting to the default proposal […]

FlexVPN: IKEV2 – Part 1

FlexVPN = IKEv2 + NGE (Next Generation Encryption)
IKEv1 = phase 1 => negotiate phase 2 => IPsec tunnel
IKEv2 => initial negotiation + IPsec tunnel => proposals, keyring, policy, profile
# show crypto ikev2 proposal default
# show crypto ikev2 policy default
(config)# crypto ikev2 keyring HRT-keyring
 peer container1
  address 192.168.10.2
  identity fqdn r2.test.local
  pre-shared-key local […]

Dynamic Virtual Tunnel Interfaces (VTIs)

Branches with static VTI
Hub: dynamic VTI
- ISAKMP profile
- Keyring with PSKs
- Virtual template
R1 (Hub)
(config)# crypto isakmp policy 1
(config-isakmp)# encr aes 192
(config-isakmp)# authentication pre-share
(config-isakmp)# group 5
(config)# crypto keyring HRT-PSKS
(config-keyrings)# pre-shared-key address 0.0.0.0 key cisco123 (address is the remote IP, or 0.0.0.0 for all)
(config)# crypto ipsec transform-set HRT-SET esp-aes […]

Site to Site- Static VTI IPSEC

R1
(config)# crypto ipsec transform-set HRT esp-aes 256 esp-sha-hmac
(cfg-crypto-trans)# mode tunnel
(config)# crypto ipsec profile P2P-PROFILE
(ipsec-profile)# set transform-set HRT
(config)# crypto isakmp policy 15
# encr aes 256
# authentication pre-share
# group 14
(config)# crypto isakmp key cisco123 address 0.0.0.0
(config)# int tunnel 1
(config-if)# tunnel source serial 1/0
(config-if)# tunnel destination 35.0.0.3
(config-if)# tunnel mode ipsec ipv4
(config-if)# […]

DMVPN IKE Call Admission Control

DMVPN IKE Call Admission Control: to mitigate attacks on IKE Phase 1 negotiation, CAC provides two protections:
- In-negotiation limit
- SA limit
# show crypto call admission statistics
(config)# crypto call admission limit ike sa 2
(config)# crypto call admission limit ike in-negotiation-sa 10

DMVPN Commands

R1
int tunnel 0
tunnel source gi1/0
tunnel mode gre multipoint //mGRE: no tunnel destination
tunnel key HRT //should be the same
ip nhrp network-id 1 //should be the same
ip nhrp authentication cisco123 //should be the same
ip nhrp map multicast dynamic
ip nhrp shortcut //phase 3
ip nhrp redirect //phase 3 – we write it in […]

Configure the network settings for FMC

Configure the Network Settings
On the Sourcefire3D login prompt, use these credentials to log in:
For version 5.x: Username: admin, Password: Sourcefire
For version 6.x and later: Username: admin, Password: Admin123
Tip: You will be able to change the default password in the initial setup process in the GUI.
Initial configuration of the network is done with a script. You need to run the script […]