Thursday, May 6, 2021

URL Blocking Cisco ASA

URL Blocking on Cisco ASA

Topology
User access is blocked when the requested URL's host matches the configured regular expression.


ASA Configuration
!
object-group user TEST-USER
 user LOCAL\test
 user LOCAL\test1
object-group service USER-SERVICE tcp
 port-object eq www
 port-object eq https
!
access-list USER-TRAFFIC extended permit tcp object-group-user TEST-USER any any object-group USER-SERVICE
!
regex cisco.com "cisco\.com"
!
class-map type inspect http match-any CMAP-MATCH-URL
 match request header host regex cisco.com
class-map CMAP-MATCH-HTTP
 match access-list USER-TRAFFIC
!
policy-map type inspect http PMAP-MATCH-URL
 parameters
 class CMAP-MATCH-URL
  drop-connection log
policy-map PMAP-BLOCK-URL
 class CMAP-MATCH-HTTP
  inspect http PMAP-MATCH-URL
!
service-policy PMAP-BLOCK-URL interface outside
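The HTTP inspection above applies the `cisco.com` regex to the Host header of each clear-text HTTP request and drops the connection on a match. Two things worth checking before relying on it: the pattern `cisco\.com` is unanchored, so it also matches hosts that merely contain that string, and the inspection only sees clear-text HTTP, so the https port in USER-SERVICE cannot be matched on Host (the TLS payload is opaque to the ASA). The following Go program is an added model of that check, not ASA code; `pageRegex` is the pattern from the page, while `anchoredRegex`, `Blocked`, `hostHeader` and the sample requests are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Added illustration (not ASA code): a model of what the ASA's
// "match request header host regex" check sees. The ASA reads the Host
// header of each clear-text HTTP request and applies the configured regex.
// Go's regexp (RE2) stands in for the ASA regex engine; the two agree on
// the simple patterns below but are not identical engines.

// pageRegex is exactly the pattern configured on the page: unanchored, so it
// matches anywhere inside the Host value.
var pageRegex = regexp.MustCompile(`cisco\.com`)

// anchoredRegex is an assumed alternative that matches only cisco.com, its
// subdomains, and an optional :port suffix.
var anchoredRegex = regexp.MustCompile(`^([^.]+\.)*cisco\.com(:[0-9]+)?$`)

// hostHeader extracts the Host header value from a raw HTTP/1.1 request.
func hostHeader(raw string) (string, bool) {
	for _, line := range strings.Split(raw, "\r\n") {
		if line == "" {
			break // blank line ends the header section
		}
		name, value, ok := strings.Cut(line, ":")
		if ok && strings.EqualFold(strings.TrimSpace(name), "Host") {
			return strings.TrimSpace(value), true
		}
	}
	return "", false
}

// Blocked reports whether the request would hit the drop-connection action
// under the given regex. Requests without a Host header fall through.
func Blocked(re *regexp.Regexp, raw string) bool {
	host, ok := hostHeader(raw)
	if !ok {
		return false
	}
	return re.MatchString(strings.ToLower(host))
}

// request builds a constructed clear-text GET for the given Host value.
func request(host string) string {
	return "GET / HTTP/1.1\r\nHost: " + host + "\r\nUser-Agent: test\r\n\r\n"
}

func main() {
	hosts := []string{
		"cisco.com", "www.cisco.com", "cisco.com:8080", // intended matches
		"notcisco.com", "cisco.community.example", // collateral matches of the unanchored pattern
		"example.com", // unaffected
	}
	fmt.Printf("%-26s %-12s %s\n", "Host", "page regex", "anchored")
	for _, h := range hosts {
		fmt.Printf("%-26s %-12v %v\n", h, Blocked(pageRegex, request(h)), Blocked(anchoredRegex, request(h)))
	}
}
```

Running it shows `notcisco.com` and `cisco.community.example` dropped by the page's pattern but not by the anchored one; if only the real domain is meant, anchor the regex on the ASA in the same way and verify with a few test requests before tying it to drop-connection.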

A host entry mapping cisco.com to the IP address of router CSR3 is configured on the user machine.

CSR2
!
ip host cisco.com 192.168.12.2

ip dhcp excluded-address 192.168.10.1 192.168.10.11
!
ip dhcp pool POOL1
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.1
!
interface GigabitEthernet1
 ip address 192.168.11.2 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 ip address 192.168.10.1 255.255.255.0
 negotiation auto

CSR3
!
interface GigabitEthernet1
 ip address 192.168.12.2 255.255.255.0
 negotiation auto
!
ip http server
ip http authentication local

The user then tries to reach cisco.com over HTTP from the machine whose host entry points cisco.com at the CSR3 IP (192.168.12.2).

Cut-through proxy on ASA

Authentication proxy is a feature that forces users to authenticate to the ASA before they are allowed access through the device.

A cut-through proxy is a rule applied to an ASA that lets the ASA, on behalf of another device, stop traffic as it comes in and authenticate its originator.


Configuration

username test password test
!
access-list AUTH-MATCH extended permit tcp any any eq https
access-list AUTH-MATCH extended permit tcp any any eq www
!
aaa authentication match AUTH-MATCH inside LOCAL

#show access-list

access-list AUTH-MATCH line 2 extended permit tcp any any eq www (hitcnt=4) 0x84bfd1a4

Monday, January 4, 2021

IPSec VPN with CA Certificate

clock timezone UTC +5 30
do clock set 17:30:00 4 Jan 2021
!
ip http server
!
crypto pki server CERT
 database url flash:
 issuer-name CN=ABC CA Server O=ABC OU=Training L=India C=IN
 grant auto
 no shutdown

R2

crypto key generate rsa
!
=> Pointer towards the CA server
crypto ca trustpoint III
 enrollment url http://1.1.1.1:80
 revocation-check none
!
=> Download the root certificate from the CA server
crypto ca authenticate III
!
=> Enroll the public key with the CA server and get a certificate issued
crypto ca enroll III

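The CA server block and the three R2 steps above (generate an RSA key, authenticate the root, enroll) form one PKI flow. The Go program below is an added illustration of that flow using the standard `crypto/x509` package; it is not IOS code and the function names `NewCA`, `Enroll`, `RouterEnroll` and `PeerTrusted`, the serial numbers and the lifetimes are assumptions. `caSubject` mirrors the page's issuer-name. It also shows two consequences of the configured options: `grant auto` means the CA signs any well-formed request that reaches the enrollment URL without operator approval, and `revocation-check none` means a peer certificate is accepted as long as it chains to the authenticated root, with no CRL or OCSP lookup, so a compromised router's certificate stays trusted until it expires.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caSubject mirrors the issuer-name configured on the page's CA server.
var caSubject = pkix.Name{
	CommonName:         "ABC CA Server",
	Organization:       []string{"ABC"},
	OrganizationalUnit: []string{"Training"},
	Locality:           []string{"India"},
	Country:            []string{"IN"},
}

// CA models "crypto pki server CERT": a key plus a self-signed root.
type CA struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewCA builds the self-signed root ("no shutdown" brings the server up).
func NewCA(subject pkix.Name) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(3 * 365 * 24 * time.Hour), // assumed lifetime
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert}, nil
}

// Enroll is the "grant auto" policy: every well-formed request whose
// signature proves possession of the private key is issued a certificate,
// with no operator approval step.
func (ca *CA) Enroll(csrDER []byte, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // assumed lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RouterEnroll does what R2 does: "crypto key generate rsa", then
// "crypto ca enroll" submits a request for that key to the CA.
func RouterEnroll(ca *CA, name string, serial int64) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := ca.Enroll(csrDER, serial)
	return key, cert, err
}

// PeerTrusted is the rsa-sig check a peer performs during IKE: chain the
// presented certificate to the root fetched with "crypto ca authenticate".
// No CRL or OCSP lookup happens here, which is what "revocation-check none"
// configures on the router.
func PeerTrusted(root, peer *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

func main() {
	ca, err := NewCA(caSubject)
	if err != nil {
		panic(err)
	}
	_, r2Cert, err := RouterEnroll(ca, "R2", 2)
	if err != nil {
		panic(err)
	}
	fmt.Printf("R2 issued by %q, trusted by a peer holding the root: %v\n",
		r2Cert.Issuer.CommonName, PeerTrusted(ca.Cert, r2Cert))

	// A certificate from some other CA must fail, which is why each router
	// authenticates the intended root before it trusts any peer.
	other, _ := NewCA(pkix.Name{CommonName: "Other CA"})
	_, otherCert, _ := RouterEnroll(other, "R3", 3)
	fmt.Printf("cert from another CA trusted: %v\n", PeerTrusted(ca.Cert, otherCert))
}
```

The `CheckSignature` call in `Enroll` is the only gate `grant auto` leaves in place; anything that can reach the enrollment URL and produce a valid request receives a certificate, so in practice the CA server is kept on a management network or switched to manual granting once the routers are enrolled.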
crypto isakmp policy 10
auth rsa-sig
hash md5
enc 3des
group 2
!
crypto ipsec transform-set TSET  esp-3des esp-sha-hmac
!
access-list 101 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
match address 101
set peer 192.168.23.3
set transform-set TSET
!
int f1/0
crypto map CMAP

=======================================================

R3

crypto isakmp policy 10
auth rsa-sig
hash md5
enc 3des
group 2
!
crypto ipsec transform-set TSET  esp-3des esp-sha-hmac
!
access-list 101 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
match address 101
set peer 192.168.23.2
set transform-set TSET
!
int f1/0
crypto map CMAP