Cisco ASA – Cioby's technical blog

Configuring IKEv1 IPSec site-to-site VPN with preshared-keys on Cisco ASA

February 11, 2018 Cristian Ciobanu One comment

7,596 views

Overview

Many companies have multiple remote offices which need secure network connectivity with the headquarters or between them. This can be achieved by using a site-to-site VPN setup which allows offices in multiple fixed locations to establish secure connections and share resources with each other over a public network such as the Internet. Cisco ASA supports the IPsec protocol for configuring an site-to-site VPN tunnel. IPsec works by authenticating and encrypting each IP packet of a communication session and uses the Internet Key Exchange (IKE) protocol to negotiate and establish a secure VPN tunnel. The original IKE version 1 is defined in RFC 2409 and the IKE version 2 (IKEv2) is defined in RFC 5996. Cisco introduced support for IKEv2 beginning with ASA version 8.4 but in this article we will focus only on the legacy IKEv1 implementation.

Cisco ASA, VPNs IKEv1, IPsec, preshared-key, Tunnel

Configuring Policy Based Routing on Cisco ASA

September 8, 2016 Cristian Ciobanu Leave a comment

17,433 views

Overview

Normally when a routing device receives a packet it decides where to forward it based on the destination address of the packet. Policy Based Routing (PBR) is a mechanism which allows you forward packets based on policies manually defined by network administrators. A good use case for PBR is when a company which has multiple outside connections to different ISPs needs to control how traffic can be distributed across these connections. Compared to traditional routing PBR allows you to implement routing policies based on different criterias like source or destination address, source or destination port, protocol, size of the packet, packet classification and so on. Cisco introduced this feature on Cisco ASA beginning with version 9.4(1). Let’s dive into the PBR configuration.

Cisco ASA, Cisco routing ASA, PBR, policy, routing

Configuring Cisco ASA active standby failover

July 11, 2016 Cristian Ciobanu 10 comments

38,573 views

Overview

In modern datacenters one of the most important things that needs to be addressed is uptime. Cisco ASA offers high availability mechanisms like failover in order to provide network uptime and redundancy. In order to configure failover we need two identical ASA devices connected to each other through a dedicated failover link and, optionally, a stateful failover link. There are two different failover modes that are supported on the ASA platform: active/standby and active/active. In this article we will focus only on configuring active/standby failover. In an active/standby failover setup only one unit called the active unit is passing traffic. The standby unit is used as a backup of the active unit and only accepts management connections (all transit traffic is dropped). When the active unit fails, it changes to the standby state while the standby unit changes to the active state.

Cisco ASA active, Cisco ASA, failover, standby