CCIE Quest

 If you are studying for CCIE Security v4 Lab Exam or written for that matter, you need to brush up your skills & learn to test & deploy FlexVPNs. Not only in Lab studies, in production enviroment, FlexVPN is the cisco’s way of integrating all major VPNs into one Umbrella i.e FlexVPN or Unified Overlay VPN

FlexVPN is a way to combine multiple frameworks (crypto maps, ezvpn, DMVPN) into single, comprehensible set of CLI and bind it together with something offering more flexibility and means to extend functionality in future.

FlexVPN is Cisco’s implementation of the IKEv2 standard featuring a unified paradigm and CLI that combines site to site, remote access, hub and spoke topologies and partial meshes (spoke to spoke direct).FlexVPN offers a simple but modular framework that extensively uses the tunnel interface paradigm while remaining compatible with legacy VPN implementations using crypto maps. Read more about An overview of FlexVPN »

In response to several queries about the Product – Cisco Secure ACS 5.X Product Deployment/Lab Guide , a product preview SAMPLE is now available on the website. This sample is a sub-set of the Original Detailed Product ( ~ 700+ pages ).

For those preparing for CCIE Security Version 4 LAB exam, CS-ACS5.X Guide will come handy. It covers detailed topics covering CCIE Sec v4 LAB as well as extending beyond & covering Active Directory Integration & Enhanced VPN Scenarios.

If you wish to view detailed Table of Contents & Scenarios/Technologies covered , Refer to the link below :

In order to preview  CS-ACS5.X Guide SAMPLE, click link below.

To Your Success,
Tariq A. Sheikh
CCIEx2 # 26141
(Voice,Security)

(TO REQUEST A COPY OF PDF SAMPLE VIA EMAIL , LEAVE A COMMENT BELOW WITH YOUR E-MAIL ADDRESS)

   Send article as PDF   

IKEv2 Smart Defaults feature minimizes the FlexVPN configuration by covering most of the use cases. IKEv2 smart defaults can be customized for specific use cases, though this is not recommended.The following rules apply to the IKEv2 Smart Defaults feature:

• A default configuration is displayed in the corresponding show command with default as a keyword and with no argument. For example, the show crypto ikev2 proposal default command displays the default IKEv2 proposal and the show crypto ikev2 proposal command displays the default IKEv2 proposal, along with any user-configured proposals.

•  A default configuration is displayed in the show running-config all command; it is not displayed in the show running-config command.

•  You can modify the default configuration, which is displayed in the show running-config all command.

•  A default configuration can be disabled using the no form of the command; for example, no crypto ikev2 proposal default. A disabled default configuration is not used in negotiation but the configuration is displayed in the show running-config command. A disabled default configuration loses any user modification and restores system-configured values.

•  A default configuration can be reenabled using the default form of the command, which restores system-configured values; for example, default crypto ikev2 proposal.

• The default mode for the default transform set is transport; the default mode for all other transform sets is tunnel.

FlexVPN Lab Guide/Handbook

Here is the list of commands that are enabled with the IKEv2 Smart Defaults feature, along with the default values.

 IKEv2 default Authorization Policy

IKEv2 default Proposal

Read more about Understanding FlexVPN IKEv2 Smart Defaults »

This post will address process to install Latest Patches to your Cisco Secure ACS 5.X installation. Refer to ACS Release notes for information on new patches & bugs/issues fixed in current release.Before beginning, It is highly recommended that you you backup the Cisco Secure ACS 5.x configuration data in timely fashion in order to restore the same backup if ACS 5.x crashes, or, if you need to build a new system from scratch.

You can get latest patches from the download link (CCO login Required) on Cisco.com

Network Management > Security > Identity Management > Cisco Secure Access Control System > Cisco Secure Access Control System 5.3.

Before applying cummulative patch on the ACS 5.x ,you will need to create a repository that will specify the protocol and the location where the patch file is located. Generally, in ACS5.3, you might run into issues with TFTP protocol. So,its recommended to use FTP instead for all backup & patch updates.

Create a Repository

Now, lets first create a Repository using FTP as the communication protocol.

Navigate to System Administration > Operations > Software Repositories to create the specified Repository.

Read more about ACS 5.x: How to create Software Repository & Install Latest Patches »

In this blog post, i will cover in detail how you can setup QEMU settings under GNS3 to emulate ASA 8.4(2). It has been made possible by a user “dmz” from 7200emu.hacki forum. Credit goes to him . Basically we will be using a patch which will automatically extract the kernel and initrd of ASA version 8.4(2). You can use resulting ASA initrd & kernel on any OS where you have installed GNS3.

DISCLAIMER: All information provided here are solely for self-education and investigation purposes. Provided AS-IS without any warranties.

I’m using Ubuntu 10.04 (LTS) although you can use pretty much any Linux Distros available out there.

Cisco Secure ACS 5.X Deployment Guide E-Book

Software Versions Used:

Here we are using latest GNS3 build 0.8.2. Cisco Software Versions you need (download from you CCO account ) are :

• asa842-k8.bin
• asdm-645-206.bin

 Step 1: Read more about GNS3 : How to emulate ASA 8.4(2) under QEMU »

If you are running ASA 8.4 code & have existing IKEv1 VPN sessions (Remote Access VPNs or Site to Site Tunnels) , you might want to take advantage of benefits offered by IKEv2 (Internet Key Exchange version 2 – RFC 4306) & migrate those existing sessions for better network resiliency / improvements in SA negotiation & many other benefits. First, we will look at IKEv2 benefits & then run migration command (yes, a single command) & then add additional features to the mix. IKEv2 support was introduced in ASA 8.4 & AnyConnect 3.0 Code.

IKEv2 Benefits :

There are several benefits to running IKEv2 as compared to IKEv1 . IKEv2 offers

• Improving Network Attack Resiliency :IKEv2 offers Denial of Service prevention using cookies
• Less Overhead : IKEv2 requires fewer negotiation messages
• Reducing complexity in IPSec establishment : IKEv2 offers features like Built-in Dead Peer Detection , NAT Traversal (NAT-T) , Initial Contact etc.  built into the protocol
• Faster Rekey Time : IKEv2 offers Better rekeying and collision handling
• Authentication : IKEv2 offers Built-in Configuration Payload and User Authentication (using EAP) & it allows unidirectional authentication as well.

Interoperability Issues :

Some interoperability issues need to be kept in mind

• IKEv2 does not interoperate with IKEv1
• IPSec VPN cannot be established between a crypto device using IKEv2 and another crypto device using IKEv1 for security reasons.

IKEv2 Migration Benefits: Read more about ASA 8.4 : Migrating IKEv1 VPN Sessions to IKEv2 »