Cisco ZTP | PNP
http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html#23355
https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi
just my archive
Collection of security tools:
http://www.databreaches.net/
http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Jan2015/CVD-IWANDesignGuide-JAN15.pdf
https://fastnetmon.com/
https://cloud.google.com/compute/docs/vpn/advanced
https://cloud.google.com/files/CloudVPNGuide-UsingCloudVPNwithCiscoASA.pdf
Here's a (final/working) config in case anyone else wants to do this:
===================
crypto ikev2 proposal gcp-ikev2-proposal-1
encryption aes-cbc-128 aes-cbc-192 aes-cbc-256
integrity sha1 sha256 sha384 sha512
group 2 5 14 15 16
!
crypto ikev2 policy gcp-ikev2-policy-1
match fvrf any
proposal gcp-ikev2-proposal-1
!
crypto ikev2 profile gcp-ikev2-profile-1
match identity remote address gcp.gcp.gcp.gcp 255.255.255.255
identity local address me.me.me.me
authentication remote pre-share key xxxxxxxxxxxx
authentication local pre-share key xxxxxxxxxxxx
lifetime 10800
!
crypto ipsec transform-set gcp-tset-1 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile gcp-ipsec-profile-1
set transform-set gcp-tset-1
set pfs group14
set ikev2-profile gcp-ikev2-profile-1
!
interface Tunnel0
ip address 169.254.0.2 255.255.255.252
tunnel source me.me.me.me
tunnel mode ipsec ipv4
tunnel destination gcp.gcp.gcp.gcp
tunnel protection ipsec profile gcp-ipsec-profile-1
!
===================
And then configure BGP or maybe static routes as required.
After adding in the Tunnel0 interface config it just started working
straight away. So I guess my config was right all along; it's just some
other aspect of IPsec that wasn't happy with something missing… Yay,
misleading debug output. :-/
Hope that helps someone else.
Tom
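The proposal in the config above offers the peer a wide menu (DH groups 2 and 5, SHA-1 integrity, HMAC-SHA1 for ESP) alongside stronger choices, and IKEv2 will happily settle on whatever both sides accept. A small audit script that parses the IOS `crypto ikev2 proposal`, `crypto ipsec transform-set` and `crypto ipsec profile` blocks and flags the legacy options is a quick way to check a config before it goes live. This is an added example, not part of the original post; the sample config is copied from the post, and the thresholds (MODP groups below 2048 bits, MD5/SHA-1 integrity, DES/3DES) are an assumption based on common hardening guidance rather than anything Cisco or GCP mandates.

```python
"""Audit a Cisco IOS IKEv2/IPsec config fragment for legacy crypto choices."""

# Constructed sample: the proposal, transform-set and profile from the post above.
SAMPLE_CONFIG = """\
crypto ikev2 proposal gcp-ikev2-proposal-1
 encryption aes-cbc-128 aes-cbc-192 aes-cbc-256
 integrity sha1 sha256 sha384 sha512
 group 2 5 14 15 16
!
crypto ipsec transform-set gcp-tset-1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile gcp-ipsec-profile-1
 set transform-set gcp-tset-1
 set pfs group14
 set ikev2-profile gcp-ikev2-profile-1
!
"""

# Assumed thresholds (hardening guidance, not a vendor requirement).
WEAK_DH_GROUPS = {"1", "2", "5"}          # 768/1024/1536-bit MODP
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
LEGACY_ESP = {"esp-sha-hmac"}             # HMAC-SHA1-96: not broken, but SHA-256 preferred


def parse_ios_crypto(config: str) -> dict:
    """Collect proposals, transform-sets and profile PFS settings from IOS config text."""
    result = {"proposals": {}, "transform_sets": {}, "profiles": {}}
    current = None  # (block kind, block name) while inside an indented block
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":          # '!' ends a configuration block
            current = None
            continue
        tokens = line.split()
        if tokens[:3] == ["crypto", "ikev2", "proposal"]:
            current = ("proposal", tokens[3])
            result["proposals"][tokens[3]] = {"encryption": [], "integrity": [], "group": []}
        elif tokens[:3] == ["crypto", "ipsec", "transform-set"]:
            # Algorithms sit on the header line itself: name followed by the ESP transforms.
            result["transform_sets"][tokens[3]] = tokens[4:]
            current = None
        elif tokens[:3] == ["crypto", "ipsec", "profile"]:
            current = ("profile", tokens[3])
            result["profiles"][tokens[3]] = {"pfs": None}
        elif current and current[0] == "proposal" and tokens[0] in ("encryption", "integrity", "group"):
            result["proposals"][current[1]][tokens[0]].extend(tokens[1:])
        elif current and current[0] == "profile" and tokens[:2] == ["set", "pfs"]:
            result["profiles"][current[1]]["pfs"] = tokens[2]
    return result


def audit(parsed: dict) -> list:
    """Return human-readable findings; every offered weak option is reported because
    the peer may pick it even when stronger options are also on the list."""
    findings = []
    for name, prop in parsed["proposals"].items():
        for group in prop["group"]:
            if group in WEAK_DH_GROUPS:
                findings.append(f"proposal {name}: DH group {group} is below 2048-bit MODP")
        for alg in prop["integrity"]:
            if alg in WEAK_INTEGRITY:
                findings.append(f"proposal {name}: integrity {alg} is deprecated")
        for alg in prop["encryption"]:
            if alg in WEAK_ENCRYPTION:
                findings.append(f"proposal {name}: encryption {alg} is weak")
    for name, algs in parsed["transform_sets"].items():
        for alg in algs:
            if alg in WEAK_ESP:
                findings.append(f"transform-set {name}: {alg} is weak")
            elif alg in LEGACY_ESP:
                findings.append(f"transform-set {name}: {alg} works but esp-sha256-hmac is preferred")
    for name, prof in parsed["profiles"].items():
        pfs = prof["pfs"]
        if pfs is None:
            findings.append(f"profile {name}: no PFS configured (set pfs groupNN)")
        elif pfs[len("group"):] in WEAK_DH_GROUPS:
            findings.append(f"profile {name}: PFS {pfs} is below 2048-bit MODP")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ios_crypto(SAMPLE_CONFIG)):
        print(finding)
```

Run against the posted config this reports the two weak DH groups, the SHA-1 integrity option and the HMAC-SHA1 ESP transform, and is silent about the `group14` PFS setting. Trimming the proposal to the groups and hashes you actually want is usually all that is needed; GCP negotiates fine with a much shorter list.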
Using “bgp attribute-download” to get the source AS number into NetFlow, and then using that for traffic analysis.
According to Cisco, the “bgp attribute-download” command is only available for the IPv4 unicast address family.
http://openlora.com/forum/viewtopic.php?t=37
PowerDNS is really fast, I’d also evaluate “unbound” as caching server. You can use powerdns’ loadbalancer “dnsdist” in front of whatever you end up using. All these are free.
> Concur 100%.
> You may also wish to consider two layers of caching – e.g., an aggregate cache in addition to caching on user-facing caches, along with dedicated resolvers. See this .jpg diagram:
> <https://app.box.com/s/72bccbac1636714eb611>
Tested similar topologies in anger and haven’t found that the benefit (which is fairly small) is worth it for the added complexity. I find that unbound with large cache sizes works very well – https://www.unbound.net/documentation/howto_optimise.html is a good primer. Collect stats with collectd and the unbound collectd python module from here:
https://github.com/tarnfeld/collectd-unbound
We get the stats out the end of our stats pipeline with Grafana, and have a detailed analytics dashboard that gives us hints about what needs to be looked at. We chart queries per CPU%, recursion times, all sorts of good stuff.
As far as I understand, according to the IETF RFC, type 11 is ’Time Exceeded’, and there are 2 codes with that type. Here is a link to RFC 792:
http://tools.ietf.org/html/rfc792
ICMP TYPE NUMBERS

The Internet Control Message Protocol (ICMP) has many messages that are identified by a "type" field.

Type    Name                                 Reference
----    -------------------------            ---------
0       Echo Reply                           [RFC792]
1       Unassigned                           [JBP]
2       Unassigned                           [JBP]
3       Destination Unreachable              [RFC792]
4       Source Quench                        [RFC792]
5       Redirect                             [RFC792]
6       Alternate Host Address               [JBP]
7       Unassigned                           [JBP]
8       Echo                                 [RFC792]
9       Router Advertisement                 [RFC1256]
10      Router Selection                     [RFC1256]
11      Time Exceeded                        [RFC792]
12      Parameter Problem                    [RFC792]
13      Timestamp                            [RFC792]
14      Timestamp Reply                      [RFC792]
15      Information Request                  [RFC792]
16      Information Reply                    [RFC792]
17      Address Mask Request                 [RFC950]
18      Address Mask Reply                   [RFC950]
19      Reserved (for Security)              [Solo]
20-29   Reserved (for Robustness Experiment) [ZSu]
30      Traceroute                           [RFC1393]
31      Datagram Conversion Error            [RFC1475]
32      Mobile Host Redirect                 [David Johnson]
33      IPv6 Where-Are-You                   [Bill Simpson]
34      IPv6 I-Am-Here                       [Bill Simpson]
35      Mobile Registration Request          [Bill Simpson]
36      Mobile Registration Reply            [Bill Simpson]
37      Domain Name Request                  [Simpson]
38      Domain Name Reply                    [Simpson]
39      SKIP                                 [Markson]
40      Photuris                             [Simpson]
41-255  Reserved                             [JBP]
Many of these ICMP types have a "code" field. Here we list the types again with their assigned code fields.

Type    Name                                 Reference
----    -------------------------            ---------
0       Echo Reply                           [RFC792]
        Codes
        0   No Code
1       Unassigned                           [JBP]
2       Unassigned                           [JBP]
3       Destination Unreachable              [RFC792]
        Codes
        0   Net Unreachable
        1   Host Unreachable
        2   Protocol Unreachable
        3   Port Unreachable
        4   Fragmentation Needed and Don't Fragment was Set
        5   Source Route Failed
        6   Destination Network Unknown
        7   Destination Host Unknown
        8   Source Host Isolated
        9   Communication with Destination Network is Administratively Prohibited
        10  Communication with Destination Host is Administratively Prohibited
        11  Destination Network Unreachable for Type of Service
        12  Destination Host Unreachable for Type of Service
        13  Communication Administratively Prohibited       [RFC1812]
        14  Host Precedence Violation                       [RFC1812]
        15  Precedence cutoff in effect                     [RFC1812]
4       Source Quench                        [RFC792]
        Codes
        0   No Code
5       Redirect                             [RFC792]
        Codes
        0   Redirect Datagram for the Network (or subnet)
        1   Redirect Datagram for the Host
        2   Redirect Datagram for the Type of Service and Network
        3   Redirect Datagram for the Type of Service and Host
6       Alternate Host Address               [JBP]
        Codes
        0   Alternate Address for Host
7       Unassigned                           [JBP]
8       Echo                                 [RFC792]
        Codes
        0   No Code
9       Router Advertisement                 [RFC1256]
        Codes
        0   No Code
10      Router Selection                     [RFC1256]
        Codes
        0   No Code
11      Time Exceeded                        [RFC792]
        Codes
        0   Time to Live exceeded in Transit
        1   Fragment Reassembly Time Exceeded
12      Parameter Problem                    [RFC792]
        Codes
        0   Pointer indicates the error
        1   Missing a Required Option                       [RFC1108]
        2   Bad Length
13      Timestamp                            [RFC792]
        Codes
        0   No Code
14      Timestamp Reply                      [RFC792]
        Codes
        0   No Code
15      Information Request                  [RFC792]
        Codes
        0   No Code
16      Information Reply                    [RFC792]
        Codes
        0   No Code
17      Address Mask Request                 [RFC950]
        Codes
        0   No Code
18      Address Mask Reply                   [RFC950]
        Codes
        0   No Code
19      Reserved (for Security)              [Solo]
20-29   Reserved (for Robustness Experiment) [ZSu]
30      Traceroute                           [RFC1393]
31      Datagram Conversion Error            [RFC1475]
32      Mobile Host Redirect                 [David Johnson]
33      IPv6 Where-Are-You                   [Bill Simpson]
34      IPv6 I-Am-Here                       [Bill Simpson]
35      Mobile Registration Request          [Bill Simpson]
36      Mobile Registration Reply            [Bill Simpson]
39      SKIP                                 [Markson]
40      Photuris                             [Simpson]
There is an option for this –
group-policy GUEST attributes
vpn-simultaneous-logins 4
Can’t remember where this is in the ASDM
Google this:
“multiple ssl logins same user ASA”