Security

The video walks you through configuration of Easy VPN (EZVPN) with Certificate authentication on a Cisco headend router. The hardware client router is running Client Mode and configured to automatically connect. Headend router already has a certificate installed through SCEP (See SEC0014 - Certificate Installation on Router and ASA), while we demonstrate a manual certificate import on the hardware client. XAuth can also be enabled concurrently, although we have XAuth disabled in this lab. 

The video walks you through configuration of Easy VPN (EZVPN) with Pre-shared key authentication on a Cisco headend router. The hardware client router is running Client Mode and configured to automatically connect using a locally stored credential. We demonstrate unique characteristics of Client mode where connections can only be initiated from the remote client as the client router performs PAT to the source IP. Any resources local to the client is inaccessible from the headend side.

The video demonstrates how to install a SSL certificate on Cisco router and ASA firewall manually and via SCEP. Windows 2008 running Enterprise CA server is used in this lab to provide auto-enrollment. For manual enrollment, a Certificate Signing Request (CSR) is created on a network device and submitted to the CA through web enrollment. The issued certificate is then imported to the device. SCEP, on the other hand, automates the enrollment process into a single command through HTTP transaction given the CA is reachable to the devices.

The video presents an alternative to assigning IP address to DMVPN spoke tunnel interface using a centralized DHCP server. We look at this feature in a dual-hub environment, point out some routing caveats with return DHCP packet to the router acting as a relay agent, and a quick resolution.

The video demonstrates another method of achieving redundancy in your DMVPN deployment using NHS cluster and recovery backup feature. We look at how routing and EIGRP neighbor adjacency changes when a spoke registers to one or more NHS at a time in the same cluster, and observe the failover behavior. This feature provides a good compromise between failover time and routing simplicity.

The video presents you with various options to implement certificate Auto-Enrollment for network devices using SCEP. By default, a one-time challenge password needs to be generated and used per network device. This can be cumbersome and impractical in case the number of device is large. An alternative is to disable the use of challenge password entirely, but this could post security concern, although is potentially desirable in lab environment. An acceptable solution might be disabling auto-approval and have the CA admin approve certificate requests manually.

The video walks you through an installation of Cisco ACS 5.x (we use 5.3 for our demonstration) VMware version. We will guide you step-by-step through the installation process. At the end of this lab, you should have a working ACS server that you can use for RADIUS and TACACS+ authentication in future labs. No configuration, other than the setup process, is performed in this video. The video assumes that you have basic working knowledge of VMware ESXi.

The video walks you through an installation of Enterprise Certificate Authority (CA) and Network Device Enrollment Service (NDES) (aka SCEP) on a Windows 2008. We will test the server with a certificate request through web enrollment from a Windows client, as well as SCEP from a Cisco router. SCEP communication is captured and reviewed on Wireshark. At the end of the video, you should have a working CA server that you can use for certificate authentication in future labs.

The video combines the knowledge from our two previous videos on Object NAT and Twice NAT, and provides some guidelines on how to use them together on a single NAT table. We also discuss about pre-8.3 migration strategies and how the legacy command syntax (eg. nat, global, static, access-list) can be mapped to the new. We finish off the video with an experiment on the placement of destination NAT statement on the NAT table, and note its significance. We hope that you will have a better understanding on ASA 8.3 NAT by the end of this video.

The video looks at how to configure Twice NAT on a Cisco ASA 8.3. We go through NAT configuration syntax for different type of NAT scenarios and examine some characteristics specific to Twice NAT.