CCIE Help
Thursday, May 6, 2021
URL Blocking Cisco ASA
Cut-through proxy on ASA
Authentication proxy is a feature that forces users to authenticate to the ASA before they are allowed access through the device.
A cut-through proxy is a rule applied to an ASA that enables the ASA, on behalf of another device, to stop traffic as it comes in and authenticate its originator.
Configuration
username test password test
access-list AUTH-MATCH extended permit tcp any any eq https
access-list AUTH-MATCH extended permit tcp any any eq www
aaa authentication match AUTH-MATCH inside LOCAL
#show access-list
access-list AUTH-MATCH line 2 extended permit tcp any any eq www (hitcnt=4) 0x84bfd1a4
Monday, January 4, 2021
IPSec VPN with CA Certificate
clock timezone UTC +5 30
do clock set 17:30:00 4 Jan 2021
ip http server
!
crypto pki server CERT
database url flash:
issuer-name CN=ABC CA Server, O=ABC, OU=Training, L=India, C=IN
grant auto
no shutdown
R2
crypto key generate rsa
!
=> Point the trustpoint at the CA server
crypto ca trustpoint III
enrollment url http://1.1.1.1:80
revocation-check none
=> Download the root certificate from the CA server
crypto ca authenticate III
=> Enroll the router's public key with the CA server and get a certificate issued
crypto ca enroll III
crypto isakmp policy 10
authentication rsa-sig
hash md5
encryption 3des
group 2
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
access-list 101 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
match address 101
set peer 192.168.23.3
set transform-set TSET
!
int f1/0
crypto map CMAP
=======================================================
R3
=> R3 first completes the same trustpoint, authenticate and enroll steps shown for R2, since rsa-sig requires a certificate on both peers
crypto isakmp policy 10
authentication rsa-sig
hash md5
encryption 3des
group 2
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
access-list 101 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
match address 101
set peer 192.168.23.2
set transform-set TSET
!
int f1/0
crypto map CMAP
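As an added example (not code from the original post), a small Python checker that parses the R2 and R3 crypto configurations above, verifies that the two peers mirror each other (ISAKMP policy, transform set, crypto ACL, peer addresses) and flags the algorithm choices the post uses that are now considered weak. The configs are transcribed inline; the weak-algorithm list is an assumption of local policy, not a Cisco list.

```python
import re

# Constructed sample: R2's crypto configuration transcribed from the post.
R2_CFG = """crypto isakmp policy 10
 authentication rsa-sig
 hash md5
 encryption 3des
 group 2
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
access-list 101 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 192.168.23.3
 set transform-set TSET
"""
# R3 is R2 with the crypto ACL mirrored and the peer swapped, as in the post.
R3_CFG = (R2_CFG.replace("2.2.2.0 0.0.0.255 3.3.3.0", "3.3.3.0 0.0.0.255 2.2.2.0")
          .replace("192.168.23.3", "192.168.23.2"))
# Settings treated as weak here (assumption: local policy, not a Cisco list).
WEAK = {("hash", "md5"), ("encryption", "3des"), ("encryption", "des"), ("group", "1"), ("group", "2")}

def parse_policy(cfg):
    """Return {keyword: value} for the first 'crypto isakmp policy' block."""
    block = re.search(r"crypto isakmp policy \d+\n((?: .*\n)+)", cfg).group(1)
    return dict(line.split() for line in block.splitlines())

def parse_acl(cfg, number):
    pat = rf"access-list {number} permit ip (\S+) (\S+) (\S+) (\S+)"
    return [m.groups() for m in re.finditer(pat, cfg)]  # (src, src_wc, dst, dst_wc)

def parse_transform(cfg):
    return re.search(r"crypto ipsec transform-set \S+ (.*)", cfg).group(1).split()

def audit_pair(cfg_a, cfg_b, addr_a, addr_b):
    """Check that two crypto-map peers are mirror images and flag weak algorithms."""
    pol_a, pol_b = parse_policy(cfg_a), parse_policy(cfg_b)
    # Peer B's crypto ACL must be peer A's ACL with source and destination swapped.
    mirrored = sorted((d, dw, s, sw) for s, sw, d, dw in parse_acl(cfg_a, 101)) == sorted(parse_acl(cfg_b, 101))
    peer = lambda cfg: re.search(r"set peer (\S+)", cfg).group(1)
    weak = [f"{k} {v}" for k, v in pol_a.items() if (k, v) in WEAK]
    weak += [t for t in parse_transform(cfg_a) if "3des" in t or "md5" in t]
    return {
        "policy_match": pol_a == pol_b,
        "transform_match": parse_transform(cfg_a) == parse_transform(cfg_b),
        "acl_mirrored": mirrored,
        "peers_point_at_each_other": peer(cfg_a) == addr_b and peer(cfg_b) == addr_a,
        "weak_settings": sorted(weak),
    }

if __name__ == "__main__":
    print(audit_pair(R2_CFG, R3_CFG, "192.168.23.2", "192.168.23.3"))
```

Run against the post's configs the mirror checks all pass, while the weak-settings list shows md5, 3des and group 2 flagged in both the ISAKMP policy and the transform set.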