Category: Cisco Data Center Solutions
-
Verification – Cisco Virtual Private Network (VPN)
Verification This section assumes that end users between the headquarters and branch sites can communicate successfully over the IPsec tunnel. To verify the operations of an IPsec tunnel, you can use one of the hosts in the headquarters to connect to a host in the branch office. Sending a simple ICMP ping request, as shown…
-
Access Control Policy – Cisco Virtual Private Network (VPN)
Access Control Policy If end-user traffic is blocked by the access control policy, you can allow the traffic in two ways (Figure 19-25, Allowing End-User Traffic Specifically Between Two Sites; Figure 19-26, Allowing All Traffic After Intrusion Inspection). NAT Policy Network Address Translation is discussed in the aptly titled Chapter 17, “Network Address…
-
Configurations – Cisco Virtual Private Network (VPN)
Configurations When the prerequisites are fulfilled, use the following steps to configure a site-to-site VPN on Secure Firewall: Step 1. On your management center, navigate to Devices > VPN > Site To Site. The site-to-site VPN configuration page appears. Step 2. From the Add VPN drop-down, select Firepower Threat Defense Device. The Create New VPN…
-
Authentication – Cisco Virtual Private Network (VPN)
Authentication During the IKE negotiation process, the VPN peers can authenticate each other by using preshared keys. Preshared keys are simple to configure and feasible to deploy in a smaller network. However, they are not scalable in a large VPN deployment. For scalability, you can use digital certificates. The VPN peers can obtain digital certificates…
-
Remote Access VPN – Cisco Virtual Private Network (VPN)
Mode of Operation An IPsec tunnel between two VPN gateways can operate in two modes: You can configure the VPN peers with the AH or ESP protocol individually (such as only the AH protocol or only the ESP protocol), or in combination with both AH and ESP protocols at the same time. For example, Figure…
-
Remote Access VPN – Cisco Virtual Private Network (VPN)
Remote Access VPN In a remote access virtual private network, an endpoint device located in a remote network can connect to an organization’s internal network over the Internet via a secure channel. The endpoint device uses Cisco AnyConnect Secure Mobility Client to establish a secure tunnel with a threat defense, which is deployed in an…
-
Internal Certs Object – Cisco Traffic Decryption Policy
Internal Certs Object The internal certificate object represents the certificates of servers that your organization administers. To configure an internal certificate object, you upload the server certificate and private key. When you invoke this object in an SSL rule and select the Decrypt – Known Key action, Secure Firewall uses the uploaded private key to…
-
File Policy – Cisco Traffic Decryption Policy
File Policy Creating a file policy is not a requirement for traffic decryption; however, it allows you to experience the benefits of decryption. For example, if a file policy is deployed to block executable (EXE) files, but there is no SSL policy deployed on Secure Firewall, you can still transfer over protocols that support file…
-
Verification – Cisco Traffic Decryption Policy
Verification It’s time to test your configurations and see the magic—how a threat defense analyzes encrypted traffic and blocks a file despite its transfer over an encrypted session. This section assumes that your lab environment has a web server with the TLS protocol enabled. The web server is located at the outside zone of your…
-
“Do I Know This Already?” Quiz – Cisco Virtual Private Network (VPN)
“Do I Know This Already?” Quiz The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read…