Thursday, August 7, 2014

IPS Initial Setup

Cisco IPS Sensor Family

IPS 4200 Series Sensors


Device: IPS 4240, GNS3, Multilayer Switch, Windows 7

Special requirements: JRE 1.7.x (SSL 2.0 is disabled by default in Java; it must be enabled under the Advanced options of the Java settings on the Windows 7 machine, which is the management computer).

The e0 port of the IDS 4240 in GNS3 is the out-of-band management port.

Boot up the IPS -> enter the ID and password (default username: cisco, password: cisco) -> change the default password.

Type 'setup'.
It will ask for the IP address and default gateway; the defaults are 192.168.1.2/24 and 192.168.1.1.
Change them to '192.168.2.120/24,192.168.2.1'.
Next, set the hostname to 'MSensor'.
Next, modify the current access list: by default it permits '192.168.1.0/24'. Delete 192.168.1.0/24 and permit 192.168.2.0/24 instead.
Next, just press Enter until the 'Exit Option' shows up.
Type '2', which saves the configuration and exits.

Now you can connect to the IPS from the Windows 7 machine (192.168.2.254/24).
Open Internet Explorer and go to https://192.168.2.120
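A small pre-flight check for the values entered in the 'setup' dialog above (an added example, not part of the original post): it verifies that the gateway lies in the sensor's subnet, that the management PC is still permitted by the access list, and that the factory defaults were actually replaced, so that saving with option '2' does not lock the management PC out of the sensor. The addresses are the ones from this post; the function names are my own.

```python
"""Sanity-check the IPS management IP / gateway / access-list plan before saving it."""
import ipaddress

# Factory defaults as described in the post (constructed sample input).
FACTORY_DEFAULTS = {
    "sensor_ip": "192.168.1.2/24",
    "gateway": "192.168.1.1",
    "access_list": ["192.168.1.0/24"],
}
# Values the post changes them to.
PLANNED = {
    "sensor_ip": "192.168.2.120/24",
    "gateway": "192.168.2.1",
    "access_list": ["192.168.2.0/24"],
}
MGMT_HOST = "192.168.2.254"  # the Windows 7 management PC from the post


def check_setup(cfg: dict, mgmt_host: str) -> list[str]:
    """Return a list of problems found; an empty list means the plan is sane."""
    problems = []
    iface = ipaddress.ip_interface(cfg["sensor_ip"])
    gw = ipaddress.ip_address(cfg["gateway"])
    host = ipaddress.ip_address(mgmt_host)
    acl = [ipaddress.ip_network(n, strict=False) for n in cfg["access_list"]]
    factory_acl = ipaddress.ip_network(FACTORY_DEFAULTS["access_list"][0])

    # 1. The gateway must be inside the sensor's own subnet, or nothing off-link is reachable.
    if gw not in iface.network:
        problems.append(f"gateway {gw} is outside the sensor subnet {iface.network}")
    # 2. The management PC must match an access-list entry, or IDM/SSH to the sensor is refused.
    if not any(host in net for net in acl):
        problems.append(f"management host {host} is not permitted by the access list")
    # 3. The post says to delete the factory access-list entry; flag it if it is still there.
    if factory_acl in acl:
        problems.append(f"factory default access-list entry {factory_acl} is still permitted")
    # 4. The management address itself should no longer be the factory default.
    if str(iface) == FACTORY_DEFAULTS["sensor_ip"]:
        problems.append("sensor IP address is still the factory default")
    return problems


if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_DEFAULTS), ("planned", PLANNED)):
        print(name, check_setup(cfg, MGMT_HOST) or "OK")
```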


The certificate is self-signed, which is why there is a certificate warning message.

Click 'Run IDM'


Don't forget the Java settings: enable SSL 2.0, and add 'https://192.168.2.120' to the exception site list.

This is the Cisco IDM.

Tuesday, August 5, 2014

Verify all configurations: Clientless SSL VPN, AnyConnect SSL VPN, IPsec RA VPN, IPsec Site-to-Site VPN

IPsec site-to-site VPN: IKEv2

IPsec Site-to-Site VPN
Scenario: HQ (public IP address: 192.168.1.141/24) wants to access a branch office (public IP address: 192.168.1.146/24) over a secured connection.

Requirements: two ASA 5520s, ASDM, and knowledge of cryptography.

Monday, August 4, 2014

IPsec Remote Access VPN: IKE v1

Scenario: Outside users want to connect to the inside network of the MGK company using IPsec Remote Access VPN.

Friday, August 1, 2014

Clientless SSL VPN - Smart tunnel 2 (specific applications)

Smart tunnel 1 lets all applications connect to the inside network.
This chapter configures the specific applications that are allowed to connect to the inside network through the smart tunnel.

1. Add a smart tunnel application list: the name is Smart_List, and the applications are RDP and PuTTY.


Clientless SSL VPN - Smart tunnel 1 (all applications)

Smart tunnel lets Internet users run a variety of applications locally over the Clientless SSL VPN, which is similar to plug-ins. The big difference is that with the smart tunnel function you can use applications outside of the web site.

1. Apply Smart Tunnel to the Group Policy: this opens all applications through the Clientless VPN.

Uncheck Web ACLs for test purposes.


Clientless SSL VPN - plug-ins

Cisco plug-ins give outside users more ways to access inside devices, such as Remote Desktop, VNC and SSH.

I'm going to add the RDP, VNC and SSH plug-ins to the ASA.
That way, people on the Internet using the Clientless SSL VPN can access the inside network with more options.

First, add the plug-ins to the ASA: you have to copy the plug-ins from the TFTP server to flash.


ASA_VPN Clientless SSL VPN with Certificate.

Topology (the firewall is pre-configured)

ASA_VPN Network

VPN Test Network
Inside Network: 192.168.0.0/24
Management Network: 172.16.0.0/24
Internet Test PC: 192.168.1.151/24
Public IP address: 192.168.1.141/24

Scenario: an outside user (192.168.1.151 / Windows 7) connects to the inside network through VPNs to use inside services such as Web, RDP (Remote Desktop Protocol), VNC, SSH and FTP.

Types of VPNs
1. Web VPN (Clientless SSL VPN)
2. AnyConnect SSL VPN
3. IPsec Remote Access VPN
4. Site-to-Site IPsec VPN

Monday, June 23, 2014

ASA routing

When another network is added on the inside, the ASA needs to learn the route to it.
Simply add a static route on the ASA, like 'ip route 192.168.1.0 255.255.255.0 192.168.0.100' (the next hop is the interface IP address of Inside_net_offices).

Static route