Category Archives: Cisco Systems

Android ASA VPN featured image

Cisco ASA Remote Access VPN for Android

The native Android IPsec VPN client supports connections to the Cisco ASA firewall. This even works without the “AnyConnect for Mobile” license on the ASA. If only a basic remote access VPN connection is needed, this fits perfectly. It uses the classical IPsec protocol instead of the newer SSL version. However, the VPN tunnel works anyway.

In this short post I am showing the configuration steps on the ASA and on the Android phone in order to establish a remote access VPN tunnel.

Continue reading Cisco ASA Remote Access VPN for Android

OSPFv3 Lab Featured Image

OSPFv3 for IPv6 Lab: Cisco, Fortinet, Juniper, Palo Alto, Quagga

Similar to my test lab for OSPFv2, I am testing OSPFv3 for IPv6 with the following devices: Cisco ASA, Cisco Router, Fortinet FortiGate, Juniper SSG, Palo Alto, and Quagga Router. I am showing my lab network diagram and the configuration commands/screenshots for all devices. Furthermore, I am listing some basic troubleshooting commands. In the last section, I provide a Tcpdump/Wireshark capture of an initial OSPFv3 run.

I am not going into deep details of OSPFv3 at all. But this lab should give basic hints/examples for configuring OSPFv3 for all of the listed devices.

Continue reading OSPFv3 for IPv6 Lab: Cisco, Fortinet, Juniper, Palo Alto, Quagga

Cisco ASA PBR - featured image

Policy Based Routing on a Cisco ASA

Cisco ASA 9.4 (and later) is now supporting Policy Based Routing. Yeah. Great news, since many customers are requesting something like “HTTP traffic to the left – VoIP traffic to the right”. Coming with a new Cisco ASA 5506-X I was happy to try the policy based routing feature.

The configuration steps through the ASDM GUI are not easy and full of errors, so I try to give some hints within this blog post.

Continue reading Policy Based Routing on a Cisco ASA

Firewall IPv6 Capabilities

Firewall IPv6 Capabilities: Cisco, Forti, Juniper, Palo

Since IPv6 gets more and more important, I am using it by default on all my test firewalls, which of course support IPv6. However, when comparing the different functions and administration capabilities, they vary significantly.

Here comes my short evaluation of the IPv6 functions on the following four firewalls: Cisco ASA, Fortinet FortiGate, Juniper SSG, and Palo Alto.

Continue reading Firewall IPv6 Capabilities: Cisco, Forti, Juniper, Palo

S2S VPN FortiGate - Cisco Router w VTI

IPsec Site-to-Site VPN FortiGate <-> Cisco Router

This blog post shows how to configure a site-to-site IPsec VPN between a FortiGate firewall and a Cisco router. The FortiGate is configured via the GUI – the router via the CLI. I am showing the screenshots/listings as well as a few troubleshooting commands.

Continue reading IPsec Site-to-Site VPN FortiGate < -> Cisco Router

ciscoasa.example.com_cfg-10_10_1_1_connectionsxlates-ys-l2

MRTG/Routers2: Template Cisco ASA

I constructed a MRTG/Routers2 configuration template for the Cisco ASA firewall which consists the OIDs (graphs) for the interfaces, CPU, memory, VPNs, connections, ping times, and traceroute hop counts. With only four search-and-replace changes as well as a few further specifications, the whole SNMP monitoring for that firewall is configured.

Continue reading MRTG/Routers2: Template Cisco ASA

Cisco vs. Palo Alto

Cisco ASA vs. Palo Alto: Management Goodies

You often have comparisons of both firewalls concerning security components. Of course, a firewall must block attacks, scan for viruses, build VPNs, etc. However, in this post I am discussing the advantages and disadvantages from both vendors concerning the management options: How to add and rename objects. How to update a device. How to find log entries. Etc.

Continue reading Cisco ASA vs. Palo Alto: Management Goodies

OSPF Lab Featured Image

OSPF for IPv4 Test Lab: Cisco Router & ASA, Juniper SSG & Palo Alto

I tested OSPF for IPv4 in my lab: I configured OSPF inside a single broadcast domain with five devices: 2x Cisco Router, Cisco ASA, Juniper SSG, and Palo Alto PA. It works perfectly though these are a few different vendors.

I will show my lab and will list all the configuration commands/screenshots I used on the devices. I won’t go into detail but maybe these listings help for a basic understanding of the OSPF processes on these devices.

Continue reading OSPF for IPv4 Test Lab: Cisco Router & ASA, Juniper SSG & Palo Alto

Cisco ASA Syslog Server

Grep Commands for Cisco ASA Syslog Messages

In a basic environment with a Cisco ASA firewall I am logging everything to a syslog-ng server. As there aren’t any reporting tools installed, I am using grep to filter the huge amount of syslog messages in order to get the information I want to know. In this blog post I list a few greps for getting the interesting data.

Continue reading Grep Commands for Cisco ASA Syslog Messages

S2S VPN Juniper ScreenOS - Cisco Router w VTI

IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco Router w/ VTI

And finally: A route-based VPN between a Juniper ScreenOS SSG firewall and a Cisco router with a virtual tunnel interface (VTI). Both sides with tunnel interfaces and IPv4 addresses. Both sides with a real routing entry in the routing table. Great. 😉

(The VPN between those two parties without a tunnel interface on the Cisco router is documented here. However, use the route-based VPN where you can. It is easier and more flexible. Routing decisions based on the routing table. This is how it should be.)

Continue reading IPsec Site-to-Site VPN Juniper ScreenOS < -> Cisco Router w/ VTI

S2S VPN Palo Alto - Cisco Router w VTI

IPsec Site-to-Site VPN Palo Alto <-> Cisco Router w/ VTI

One more VPN article. Even one more between a Palo Alto firewall and a Cisco router. But this time I am using a virtual tunnel interface (VTI) on the Cisco router which makes the whole VPN set a “route-based VPN”. That is: Both devices decide their traffic flow merely based on the routing table and not on access-list entries. In my opinion, this is the best way to build VPNs, because there is a single instance (the routing table) on which a network admin must rely on in order to investigate the traffic flow.

Note that I also wrote a blog post about the “policy-based VPN” between a Cisco router and the Palo Alto firewall. This here is mostly the same on the Palo Alto side while some other commands are issued on the Cisco router.

Continue reading IPsec Site-to-Site VPN Palo Alto < -> Cisco Router w/ VTI

S2S VPN Cisco Router - FritzBox

IPsec Site-to-Site VPN Cisco Router <-> AVM FRITZ!Box

Der Titel sagt eigentlich schon alles: Es geht um das Herstellen eines S2S-Tunnels zwischen einem Cisco Router (statische IPv4) und einer FRITZ!Box (dynamische IP). Ich liste nachfolgend alle Befehle für den IOS Router sowie die Konfigurationsdatei für die FRITZ!Box auf. Für eine etwas detaillierte Beschreibung des VPNs für die FRITZ!Box verweise ich auf diesen Artikel von mir, bei dem ich zwar ein VPN zu einem anderen Produkt hergestellt habe, aber etwas mehr auf die Schritte der Konfiguration eingegangen bin.

Continue reading IPsec Site-to-Site VPN Cisco Router < -> AVM FRITZ!Box

S2S VPN Juniper ScreenOS - Cisco Router

IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco Router

Similar to all my other site-to-site VPN articles, here are the configurations for a VPN tunnel between a Juniper ScreenOS SSG firewall and a Cisco IOS router. Due to the VPN Monitor of the SSG firewall, the tunnel is established directly after the configuration and stays active all the time without the need of “real” traffic.

I am using the policy-based VPN solution on the Cisco router and not the virtual tunnel interface (VTI) approach. That is: No route is needed on the router while the Proxy IDs must be set on the Juniper firewall. (However, I also documented the route-based VPN solution between a ScreenOS firewall and a Cisco router here.)

Continue reading IPsec Site-to-Site VPN Juniper ScreenOS < -> Cisco Router

S2S VPN Palo Alto - Cisco Router

IPsec Site-to-Site VPN Palo Alto <-> Cisco Router

This time I configured a static S2S VPN between a Palo Alto firewall and a Cisco IOS router. Here comes the tutorial:

I am not using a virtual interface (VTI) on the Cisco router in this scenario, but the classical policy-based VPN solution. That is, no route entry is needed on the Cisco machine. However, the Palo Alto implements all VPNs with tunnel interfaces. Hence, a route to the tunnel and Proxy IDs must be configured. (I also wrote a guide for a route-based VPN between a Cisco router and a Palo Alto firewall here.)

Continue reading IPsec Site-to-Site VPN Palo Alto < -> Cisco Router