Thursday, May 6, 2021

URL Blocking on Cisco ASA

Topology (diagram not reproduced)

User access is blocked when the requested URL matches the configured regular expression.


ASA Configuration
!
object-group user TEST-USER
 user LOCAL\test
 user LOCAL\test1
object-group service USER-SERVICE tcp
 port-object eq www
 port-object eq https
!
access-list USER-TRAFFIC extended permit tcp object-group-user TEST-USER any any object-group USER-SERVICE
!
regex cisco.com "cisco\.com"
!
class-map type inspect http match-any CMAP-MATCH-URL
 match request header host regex cisco.com
class-map CMAP-MATCH-HTTP
 match access-list USER-TRAFFIC
!
policy-map type inspect http PMAP-MATCH-URL
 parameters
 class CMAP-MATCH-URL
  drop-connection log
policy-map PMAP-BLOCK-URL
 class CMAP-MATCH-HTTP
  inspect http PMAP-MATCH-URL
!
service-policy PMAP-BLOCK-URL interface outside

An IP host entry for cisco.com is configured on the user machine, pointing at the IP address of router CSR3.

CSR2
!
ip host cisco.com 192.168.12.2

ip dhcp excluded-address 192.168.10.1 192.168.10.11
!
ip dhcp pool POOL1
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.1
!
interface GigabitEthernet1
 ip address 192.168.11.2 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 ip address 192.168.10.1 255.255.255.0
 negotiation auto

CSR3
!
interface GigabitEthernet1
 ip address 192.168.12.2 255.255.255.0
 negotiation auto
!
ip http server
ip http authentication local

The user then tries to reach cisco.com over HTTP from the machine whose host entry resolves cisco.com to CSR3's IP (192.168.12.2).
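As an added example (not from the original post or from Cisco), the following Python script mimics what the ASA's `match request header host regex cisco.com` check does on a handful of constructed HTTP requests: it extracts the Host header and applies the pattern with an unanchored search, which is how the ASA `regex` command matches. Two things worth seeing before trusting the policy in production: the unanchored `cisco\.com` also matches hosts that merely contain that string (an over-block, not a bypass), and a TLS ClientHello exposes no Host header at all, so the https port listed in USER-SERVICE gets no Host-based blocking from this inspection policy. The anchored alternative pattern and the sample requests are my own assumptions, not part of the post.

```python
import re

# The pattern from the ASA "regex cisco.com" command on this page
PAGE_REGEX = r"cisco\.com"
# Assumed tighter alternative (not from the post): whole-host match that still
# allows a leading subdomain and an optional port suffix
ANCHORED_REGEX = r"(^|\.)cisco\.com(:[0-9]+)?$"

# Constructed sample client requests, not captures from the lab
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: cisco.com\r\nUser-Agent: lab-client\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: cisco.com:8080\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: notcisco.com\r\n\r\n",   # unanchored pattern over-matches
    b"GET / HTTP/1.1\r\nHost: ciscoXcom\r\n\r\n",      # escaped dot does not match 'X'
    b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n",
    # First bytes of a TLS ClientHello record (constructed): what the https port carries
    b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
]


def host_header(request: bytes):
    """Return the Host header value of a cleartext HTTP request, or None."""
    head, sep, _body = request.partition(b"\r\n\r\n")
    if not sep:
        return None  # no complete HTTP header block (e.g. TLS bytes)
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def inspect_request(request: bytes, pattern: str) -> str:
    """Mimic 'match request header host regex' followed by 'drop-connection'."""
    host = host_header(request)
    if host is not None and re.search(pattern, host):
        return "drop"
    return "pass"


def run_policy(pattern: str):
    """Verdict per sample request, in SAMPLE_REQUESTS order."""
    return [inspect_request(req, pattern) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for pattern in (PAGE_REGEX, ANCHORED_REGEX):
        print(f"regex {pattern!r}")
        for req, verdict in zip(SAMPLE_REQUESTS, run_policy(pattern)):
            print(f"  {verdict:4}  host={host_header(req)!r}")
```

Running it shows the page's regex dropping `notcisco.com` alongside the intended hosts, the anchored variant letting it through, and the TLS sample passing both patterns because there is no header to match; the ASA `regex` syntax accepts `^` and `$` if you want to apply the anchored form there.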
Cut-through proxy on ASA

Authentication proxy is a feature that forces users to authenticate to the ASA before they are allowed access through the device.

A cut-through proxy is a rule applied to an ASA that lets the ASA, on behalf of another device, stop traffic as it comes in and authenticate its originator.


Configuration

username test password test
!
access-list AUTH-MATCH extended permit tcp any any eq https
access-list AUTH-MATCH extended permit tcp any any eq www
!
aaa authentication match AUTH-MATCH inside LOCAL

#show access-list

access-list AUTH-MATCH line 2 extended permit tcp any any eq www (hitcnt=4) 0x84bfd1a4
Monday, January 4, 2021

IPSec VPN with CA Certificate

CA Server

clock timezone UTC +5 30
do clock set 17:30:00 4 Jan 2021
!
ip http server
!
crypto pki server CERT
 database url flash:
 issuer-name CN=ABC CA Server,O=ABC,OU=Training,L=India,C=IN
 grant auto
 no shutdown

R2

crypto key generate rsa
!
! Pointer towards the CA server
crypto ca trustpoint III
 enrollment url http://1.1.1.1:80
 revocation-check none
!
! Download the root certificate from the CA server
crypto ca authenticate III
!
! Enroll the public key with the CA server and get a certificate issued
crypto ca enroll III
!
crypto isakmp policy 10
auth rsa-sig
hash md5
enc 3des
group 2
!
crypto ipsec transform-set TSET  esp-3des esp-sha-hmac
!
access-list 101 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
match address 101
set peer 192.168.23.3
set transform-set TSET
!
int f1/0
crypto map CMAP

=======================================================

R3

crypto isakmp policy 10
auth rsa-sig
hash md5
enc 3des
group 2
!
crypto ipsec transform-set TSET  esp-3des esp-sha-hmac
!
access-list 101 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
match address 101
set peer 192.168.23.2
set transform-set TSET
!
int f1/0
crypto map CMAP
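As an added example (not from the original post or from Cisco), the following Python script audits the IKEv1 policy and transform-set used on R2 and R3 above. It parses the `crypto isakmp policy` block and the `crypto ipsec transform-set` line, accepting the abbreviated keywords the post uses (`auth`, `enc`), and flags the algorithms that Cisco's Next Generation Encryption guidance classes as legacy or to be avoided (MD5, SHA-1, 3DES, DH group 2), printing the stronger replacement beside each. The replacement values (`hash sha256`, `encryption aes 256`, `group 14`, `esp-aes 256 esp-sha256-hmac`) and the second, stronger sample policy are my own assumptions for comparison, not configuration from the post.

```python
import re

# The R2 policy from this post (R3 is identical apart from the ACL and peer)
R2_CONFIG = """\
crypto isakmp policy 10
auth rsa-sig
hash md5
enc 3des
group 2
!
crypto ipsec transform-set TSET  esp-3des esp-sha-hmac
"""

# Constructed stronger policy for comparison (assumed replacement values)
STRONG_CONFIG = """\
crypto isakmp policy 10
authentication rsa-sig
encryption aes 256
hash sha256
group 14
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
"""

# Legacy/avoid values per Cisco NGE guidance, mapped to an assumed replacement
LEGACY = {
    "hash": {"md5": "sha256", "sha": "sha256"},
    "encryption": {"des": "aes 256", "3des": "aes 256"},
    "group": {"1": "14", "2": "14", "5": "14"},
}
LEGACY_TRANSFORMS = {
    "esp-des": "esp-aes 256",
    "esp-3des": "esp-aes 256",
    "esp-md5-hmac": "esp-sha256-hmac",
    "esp-sha-hmac": "esp-sha256-hmac",
}
POLICY_KEYWORDS = ("authentication", "encryption", "hash", "group", "lifetime")


def parse_isakmp_policies(config: str):
    """Return {policy_number: {full_keyword: value}} for each isakmp policy block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = m.group(1)
            policies[current] = {}
            continue
        if current is None:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts
        # IOS accepts abbreviated keywords such as "auth" and "enc"
        for full in POLICY_KEYWORDS:
            if full.startswith(keyword):
                policies[current][full] = value.strip()
                break
        else:
            current = None  # a non-policy command ends the block
    return policies


def audit(config: str):
    """List human-readable findings for legacy IKE/IPsec algorithm choices."""
    findings = []
    for num, policy in parse_isakmp_policies(config).items():
        for field, bad in LEGACY.items():
            value = policy.get(field)
            if value in bad:
                findings.append(
                    f"isakmp policy {num}: {field} {value} is legacy; use {field} {bad[value]}")
    for m in re.finditer(r"^crypto ipsec transform-set (\S+)\s+(.+)$", config, re.M):
        name, transforms = m.groups()
        for token in transforms.split():
            if token in LEGACY_TRANSFORMS:
                findings.append(
                    f"transform-set {name}: {token} is legacy; use {LEGACY_TRANSFORMS[token]}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("R2 as posted", R2_CONFIG), ("assumed stronger policy", STRONG_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  " + finding)
```

Against the posted R2 configuration the audit reports five findings (hash, encryption, group, and both ESP transforms); the stronger sample reports none. The `rsa-sig` authentication method itself is not flagged, since certificate authentication is the point of the post and the weakness lies in the surrounding algorithms.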