Tag Archives: vpn

Cisco ASA — Minimizing Challenges with VPN and Management Traffic

The ASA appliance is a very popular choice for the branch office environment. It provides flexible security and is a good termination point for a VPN connection back to a headquarters location. One challenge that technicians often run into is …

Posted in CCNA Security, Certification, Network, Security, Technology

Acronyms of the CCNA Security Part 1 — Concepts and General Terms

After spending some time reviewing other IINSv2 materials, it was apparent that there are a lot of acronyms. Thinking it may be beneficial to expand and define the terms, the list quickly became huge. As a result, I decided …

Posted in CCNA Security, Certification, Security, Technology

Using Route Based VPNs to Make Hairpinning More Logical

Last week we looked at the challenges of combining VPN and NAT on the same device while hairpinning VPN traffic back out to the Internet. That created some interesting challenges with NAT that required some duct tape and band-aids to …

Posted in Network, Security, Technology

Hairpinning Internet and VPN Traffic in Cisco IOS with NAT

This week I wanted to address a concept that comes up occasionally: hairpinning Internet traffic through a VPN. For this particular case study, we will use an IOS-based Cisco router to terminate both ends …

Posted in Network, Security, Technology

Old School Method of IOS Static NAT Exemption

Last week, I wrote an article that demonstrated the challenges of static NAT when combined with VPNs using RFC1918 address space. We created exemptions using route-maps within the static NAT statements. Cisco didn’t introduce route-maps for static translations until 12.2(4)T. …

Posted in Network, Security

Exempting Static Translations in IOS NAT

Last week I wrote an article that defined the need for NAT exemption. That article used the example of a single device that terminated a VPN to a network that used RFC1918 private addresses on the remote side. Additionally, …

Posted in Network, Security

Defining the Need for NAT Exemption

It recently occurred to me that we have often discussed various configurations of NAT exemption. However, we have never really discussed the typical need or use case that requires this type of configuration. This article is meant as a general …

Posted in CCIE Security, CCNA Security, Certification, Network, Security, Technology

Multiple Protocols over IPSec

Last week we examined a Cisco VPN construct called SVTI. This is basically the use of a “tunnel interface” in conjunction with an IPSec protection profile. One of the limitations I mentioned was that, in comparison to GRE-based tunnel interfaces, VTI …

Posted in CCIE Security, Certification, Network, Security, Technology

Advantages of Using SVTI Based VPNs

Starting in version 12.3T (which was some time ago), Cisco started offering an alternative for configuring IOS-based VPNs. This method is called SVTI, or static virtual tunnel interfaces. SVTI is one category of VTI that is basically a configuration …

Posted in CCIE Security, Certification, Network, Security, Technology

Protecting Insecure Protocols

Last week I wrote an article that demonstrated the grievous security oversight in the Telnet protocol. Telnet, being a cleartext protocol, exposes the entire contents of any session to anyone who can gain access to the traffic. Telnet is …

Posted in Network, Security, Technology

Changes Required for AnyConnect in 8.4

A few days ago I wrote an article that explained the configuration steps required to implement a basic AnyConnect environment. That article was based on a pre-8.3 version of the ASA OS. Many organizations are starting to implement ASA 8.4 …

Posted in Security, Technology

ASA DSCP Preservation with IPSec

Cisco documents a feature called “DSCP Preservation” regarding ToS byte handling on the ASA. This basically means that the ToS byte is left intact as packets flow through the firewall. But what happens to the ToS byte …

Posted in CCIE Security, Certification, Network, Security, Technology