February 9, 2012

IKEv1 Aggressive Mode vs. IKEv1 Main Mode

The question often comes up: what is the difference between IKEv1 aggressive mode and IKEv1 main mode? The answer is pretty simple. In this post we break down the differences between the two and make a recommendation based on which one is the more scalable and more secure choice.

The Breakdown

Aggressive mode uses two exchanges totaling three messages, whereas main mode uses three exchanges totaling six messages. If you're wondering why you would even care about the difference, it boils down to the level of security you want. The two modes negotiate the same services, but it is main mode that protects the identities of the communicating parties: the ID payloads are only sent in messages 5 and 6, after the Diffie-Hellman exchange, so they travel encrypted. Aggressive mode sends the identity in the clear in its very first message, before the peers have agreed any keying material, so anyone on the path can see who is talking to whom. With pre-shared-key authentication, aggressive mode also sends the responder's authentication hash unencrypted, which is what makes a captured aggressive-mode exchange attackable offline against the pre-shared key.
In the end, main mode is slower because of the longer exchange, but it is the more secure of the two.
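The difference described above is visible on the wire. The following is an added example, not code from the original post: it builds constructed ISAKMP messages (RFC 2408 header and generic payload headers, with filler bodies instead of real key material) and walks the payload chain to report whether an ID payload is readable in an unencrypted message. The cookies, payload contents and the group name "vpn-group" are placeholders.

```python
"""Classify IKEv1 phase 1 messages from raw ISAKMP (UDP/500) bytes.

Added example, not from the original post. It builds constructed
ISAKMP messages and walks their payload chains to show the post's
point: an Aggressive Mode exchange carries the ID payload in its
first, unencrypted message, while Main Mode only sends ID inside an
encrypted message (5 and 6).
"""
import struct

# Exchange types from RFC 2408 section 3.1
EXCH_IDENTITY_PROTECTION = 2   # IKEv1 Main Mode
EXCH_AGGRESSIVE = 4            # IKEv1 Aggressive Mode
FLAG_ENCRYPTION = 0x01         # header flag: body is encrypted

# Payload type numbers from RFC 2408 section 3.1
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}
PAYLOAD_ID = 5

# i-cookie, r-cookie, next payload, version, exchange, flags, msg id, length
HDR_FMT = "!8s8sBBBBII"
HDR_LEN = struct.calcsize(HDR_FMT)   # 28 bytes


def build_isakmp(exchange_type, payloads, flags=0):
    """Serialise an ISAKMP message from a list of (payload_type, body) tuples.

    Each generic payload header is: next payload (1), reserved (1), length (2).
    Cookies and bodies are placeholders, not real key material.
    """
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", next_type, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    header = struct.pack(HDR_FMT, b"\x11" * 8, b"\x00" * 8, first, 0x10,
                         exchange_type, flags, 0, HDR_LEN + len(body))
    return header + body


def parse_isakmp(pkt):
    """Return (exchange_type, flags, payload_types) for one ISAKMP message.

    If the encryption flag is set only the header is readable; its
    next-payload field still names the first payload type, but the body
    (and therefore any identity it carries) cannot be inspected.
    """
    if len(pkt) < HDR_LEN:
        raise ValueError("short ISAKMP header")
    (_ic, _rc, next_payload, version, exch, flags,
     _msg_id, length) = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
    if version >> 4 != 1:
        raise ValueError("not IKEv1 (major version %d)" % (version >> 4))
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match packet size")
    if flags & FLAG_ENCRYPTION:
        return exch, flags, [next_payload]
    types = []
    off = HDR_LEN
    while next_payload != 0:
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        types.append(next_payload)
        next_payload, off = nxt, off + plen
    return exch, flags, types


def classify(pkt):
    """Name the phase 1 mode and say whether a peer identity is readable on the wire."""
    exch, flags, types = parse_isakmp(pkt)
    mode = {EXCH_IDENTITY_PROTECTION: "main", EXCH_AGGRESSIVE: "aggressive"}.get(exch, "other")
    encrypted = bool(flags & FLAG_ENCRYPTION)
    return {
        "mode": mode,
        "encrypted": encrypted,
        "payloads": [PAYLOAD_NAMES.get(t, str(t)) for t in types],
        "cleartext_identity": (PAYLOAD_ID in types) and not encrypted,
    }


# Constructed sample messages (payload bodies are filler, not real crypto).
# Main mode message 1 carries only SA; message 5 carries ID and HASH encrypted.
# Aggressive mode message 1 carries SA, KE, NONCE and ID with no encryption;
# the ID body uses type 11 (ID_KEY_ID), the type a group name is usually sent as.
MAIN_MODE_MSG1 = build_isakmp(EXCH_IDENTITY_PROTECTION, [(1, b"\x00" * 16)])
MAIN_MODE_MSG5 = build_isakmp(EXCH_IDENTITY_PROTECTION,
                              [(PAYLOAD_ID, b"\x00" * 12), (8, b"\x00" * 20)],
                              flags=FLAG_ENCRYPTION)
AGGRESSIVE_MSG1 = build_isakmp(EXCH_AGGRESSIVE,
                               [(1, b"\x00" * 16), (4, b"\x00" * 32),
                                (10, b"\x00" * 16), (PAYLOAD_ID, b"\x0b\x00\x00\x00vpn-group")])

if __name__ == "__main__":
    for name, pkt in (("main mode msg 1", MAIN_MODE_MSG1),
                      ("main mode msg 5", MAIN_MODE_MSG5),
                      ("aggressive mode msg 1", AGGRESSIVE_MSG1)):
        print(name, classify(pkt))
```

Run against a capture from a real IKEv1 negotiation, the same parser will report "cleartext_identity": True only for the aggressive-mode messages, which is a quick way to confirm whether a peer is still negotiating in aggressive mode after you think you have disabled it.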

What Should I Do?

You may wish to disable IKEv1 aggressive mode. If you do, there is something else to consider: the Cisco IPsec VPN Client relies on aggressive mode for pre-shared-key (group) authentication, so those clients will no longer be able to authenticate with a pre-shared key. If you don't mind moving them to digital certificates, go for it.

To disable IKEv1 aggressive mode on the ASA (8.4 and later syntax), enter the following in global configuration mode:

crypto ikev1 am-disable

Configuring Etherchannel on Cisco ASA 8.4

With the recent release of Cisco ASA 8.4 code a new feature has emerged: yes, Etherchannel. I'll spare you the gory details of how Etherchannel works. Rather, let's get right into how you set it up.

Let's begin with the switch configuration:

Rack1SW1# sh run int f0/1
Building configuration...

Current configuration : 109 bytes
!
interface FastEthernet0/1
 switchport access vlan 146
 switchport mode access
 channel-group 1 mode active
 spanning-tree portfast
end

Rack1SW1# sh run int f0/2
Building configuration...
[Read more...]

Bypassing NAT on Cisco ASA 8.2

There are a number of ways to bypass NAT on a Cisco ASA. I suppose the easiest is to leave it alone when you install it and not use NAT at all. Why? Because the ASA does not have NAT-Control enabled by default. This means you can configure your ASA much as you would a router and exchange routes between the inside and outside. Aside from needing an ACL applied inbound on the outside interface, you should notice that it functions very much as you would expect a router to.

However, for most of us this is not feasible. Because we use RFC 1918 addresses internally, we are required to use NAT or PAT when connecting to the Internet. Still, situations arise where you have NAT configured but need to bypass it for certain traffic. Here are a few ways to do this, along with the names these methods go by in ASA 8.2.

Identity NAT

With Identity NAT, connections can only be originated by the addresses covered in the statement. Return traffic for those connections is allowed, of course, but you cannot originate a connection from the outside into an address in the NAT statement.

Here is how you configure it:

ASA1(config)# nat (inside) 0 10.1.1.0 255.255.255.0

With this statement, addresses on the 10.1.1.0/24 subnet can initiate outbound connections and the ASA will not translate the source.

Static Identity NAT

A static identity NAT translation is always active. This means a connection can be initiated into the address, provided there is an ACL applied inbound on the lower-security interface that permits it. You can also originate outbound connections from the address defined in the statement, and the ASA will not translate the source. [Read more...]
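To make the difference between the two bypass forms concrete, here is an added example that is not from the post or from Cisco. It parses the two rule forms described above, "nat (ifc) 0 <ip> <mask>" (identity NAT) and "static (real,mapped) <ip> <ip> netmask <mask>" (static identity NAT), out of running-config text and answers whether a new connection entering on a given interface is allowed and whether its source is translated. The sample configuration, the interface names and all addresses are constructed, and the inbound ACL on the lower-security interface is modelled as a plain boolean rather than parsed.

```python
"""Model of the ASA 8.2 NAT-bypass semantics described in the post.

Added example, not from the post or from Cisco. It parses identity NAT
("nat (ifc) 0 ...") and static identity NAT ("static (real,mapped) x x
netmask m") rules and decides whether a connection may be initiated in
a given direction without translation. Sample config, interface names
and addresses are constructed; the inbound ACL is a boolean.
"""
import ipaddress
import re

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")


def parse_bypass_rules(config_text):
    """Extract identity and static-identity NAT rules from running-config text."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT0_RE.match(line)
        if m:
            ifc, ip, mask = m.groups()
            rules.append({"kind": "identity", "real_ifc": ifc, "mapped_ifc": None,
                          "net": ipaddress.ip_network(f"{ip}/{mask}")})
            continue
        m = STATIC_RE.match(line)
        if m:
            real_ifc, mapped_ifc, mapped_ip, real_ip, mask = m.groups()
            if mapped_ip != real_ip:
                continue   # a translating static, not an identity translation
            rules.append({"kind": "static_identity", "real_ifc": real_ifc,
                          "mapped_ifc": mapped_ifc,
                          "net": ipaddress.ip_network(f"{real_ip}/{mask}")})
    return rules


def evaluate(rules, ingress_ifc, src_ip, dst_ip, acl_permits=False):
    """Decide what happens to a new connection entering on ingress_ifc.

    Returns 'allowed' (True/False, or None when no bypass rule matched and
    the ordinary NAT/PAT rules would apply), 'translated' and a 'reason'.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        # Originated from behind the real interface: both forms pass the
        # source untranslated.
        if ingress_ifc == r["real_ifc"] and src in r["net"]:
            return {"allowed": True, "translated": False,
                    "reason": f"{r['kind']}: outbound from {src} passes untranslated"}
        # Originated toward the real address from another interface.
        if ingress_ifc != r["real_ifc"] and dst in r["net"]:
            if r["kind"] == "identity":
                return {"allowed": False, "translated": False,
                        "reason": f"identity (nat 0): no inbound-originated connections to {dst}"}
            if ingress_ifc == r["mapped_ifc"]:
                reason = ("static identity: translation active, inbound ACL permits"
                          if acl_permits else
                          "static identity: translation active but inbound ACL does not permit")
                return {"allowed": acl_permits, "translated": False, "reason": reason}
    return {"allowed": None, "translated": True,
            "reason": "no bypass rule matched; regular NAT/PAT rules apply"}


# Constructed sample running-config fragment (the third line is a normal
# translating static and must be ignored by the parser).
SAMPLE_CONFIG = """
nat (inside) 0 10.1.1.0 255.255.255.0
static (inside,outside) 10.1.2.5 10.1.2.5 netmask 255.255.255.255
static (inside,outside) 198.51.100.5 10.1.2.9 netmask 255.255.255.255
"""
RULES = parse_bypass_rules(SAMPLE_CONFIG)

if __name__ == "__main__":
    print(evaluate(RULES, "inside", "10.1.1.7", "203.0.113.10"))
    print(evaluate(RULES, "outside", "203.0.113.10", "10.1.1.7", acl_permits=True))
    print(evaluate(RULES, "outside", "203.0.113.10", "10.1.2.5", acl_permits=True))
    print(evaluate(RULES, "outside", "203.0.113.10", "10.1.2.5"))
```

The second call is the case the post warns about: an inbound ACL permit on the outside interface is not enough to reach a host that is only covered by a nat 0 identity statement, whereas the static identity host on the next line is reachable as soon as the ACL permits it.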