Browsing All Posts filed under »Cisco«

The nine

February 15, 2013


Normally I do not write about new releases from security product manufacturers, but this Cisco ASA version resolves some disadvantages against Checkpoint, and I would be glad to test those since I am a Cisco fan :-) The HW models are all supported; the question is whether the features make it too: … […]

Migrate Cisco ASA configuration, certificates and private keys

November 4, 2012


The reason I wrote this post is to clarify what happens with the RSA keys if I move the whole configuration, the certificates and their private keys to another firewall with the same IP address. If the IP has changed, migrating the certificate makes little sense if the certificate is based on the IP. […]

Certificate renewal – how was it after years?

April 18, 2012


Actually you cannot renew an existing certificate, but you can generate a new one with the same subject and the same mandatory fields. For that you have to generate a certificate request again within a new trustpoint, not with the old one. The issuer of the previous certificate should sign the new certificate request and […]

Export and import the trustpoint

March 16, 2012


To test something in a lab with another firewall, or to migrate a whole VPN with its certificate to another ASA firewall, we have the possibility to migrate the firewall's certificate to another one. Doing it so easily on a Checkpoint firewall will always be just a dream… The exported data holds the following: […]

Certificate mapping to anyconnect tunnel-group II. – Special mapping

August 22, 2011


The users connect with the Anyconnect client over IPsec to the ASA firewall. Let's say we have 2 Certificate Authorities (with the issuer names IssuerA and IssuerB) and the users are mapped to tunnel-groups according to the issuer. A user called Terry Wood needs SSL as he works in a hotel and the local proxy allows only […]

The nat-control is over

July 17, 2011


In the old version of Cisco firewalls – version 6.x – it was not possible to disable NAT control. After that Cisco gave us the possibility to control it on our own with the command nat-control. This year, in version 8.3, not only the command nat-control but also the commands global, static and alias were deleted […]

Certificate authentication and LDAP authorization with Anyconnect

July 15, 2011


This is a log analysis of a successful login with Cisco Anyconnect. Once the configuration is ready, it is always useful to run a successful test against the system, raise the logging to the highest level in the meantime, and save the output before the first problem comes. It will come… From this log analysis […]

Certificate mapping to anyconnect tunnel-group I.

July 15, 2011


I try to configure the ASA to find the tunnel-group for Anyconnect users according to the certificate details. The commands look like the following:

firewall(config)# crypto ca certificate map <certificate-map-name> <sequencenumber>

where the sequencenumber is the sequence number to insert into the certificate map entry;

firewall(config)# webvpn
firewall(config-webvpn)# certificate-group-map <certificate-map-name> <certificate-map-index> <tunnel-group name>

where the certificate-map-index is the index […]

Configuring remote access VPN with IKEv1, IKEv2 and SSL at the same time

March 9, 2011


With the following configuration and a sufficient license, we should be able to connect to our Cisco ASA firewall with Cisco Anyconnect, with the new Anyconnect Secure Mobility Client (the first Cisco IKEv2 client), and with the old Cisco VPN client using IKEv1, which is natively supported on some Apple devices, like an iPad. […]

RA VPN keepalives and timeouts

December 13, 2010


RA VPN timeouts:
1. Session timeouts
2. IPsec SA lifetimes
3. ISAKMP lifetimes and NAT-T keepalive interval
4. Timeout in the group policy
5. DPD timeouts

1. Session timeouts
As the VPN may pass through many firewalls until it reaches the VPN gateway, it can happen that the session is broken before the timeouts here […]