Site 2 Site VPN



    Here is a basic site to site IPsec VPN configuration for multi-vdom Fortigate unit and context based Cisco ASA.

Cisco ASA configuration

    Multiple context mode allows convert single ASA in to multiple independent devices with ist own configuration. When we enable multiple context the ASA create two new configuration files for system and admin context.

 mode multiple

    By default all contexts belongs to a default class, its provide unlimited access to resources except for the following limits:

  • telnet - 5 sessions
  • ssh - 5 sessions
  • ipsec - 5 sessions
  • mac addresses - 65,535 entries
  • anyconnect - 0 sessions
  • vpn site-to-site tunnels - 0 sessions

    So, we need to define a class to configure resources allocation to contexts.  Other VPN sessions include Site-to-Site, IKEv1 RA and L2tp Sessions. These are guaranteed for a context and shouldn't exceed.

 class vpn limit-resource VPN Other 1 

    Next create context, set class and allocate interfaces with aliases which will be used inside context configuration. A configuration file for the context will be stored in a local storage disk0:/s2svpn.

continue reading comments

Introduction to Troubleshooting



    Structured troubleshooting procedure:

  • Step 1. Problem report
  • Step 2. Collect information
  • Step 3. Examine collected information
  • Step 4. Eliminate potential causes
  • Step 5. Propose an hypothesis
  • Step 6. Verify hypothesis
  • Step 7. Problem resolution

    A Structured Approach:

Troubleshooting Methods

  • The top-down method
  • The bottom-up method
  • The divide-and-conquer method
  • Following the traffic path
  • Comparing configurations
  • Component Swapping

    Depending on your situation and the issue you are troubleshooting, you may use one or multiple methods.

continue reading comments

IPv6 in an EN


IPv6 Packet Header

  • Version - A 4-bit field, the same as in IPv4. For IPv6, this field contains the number 6. For IPv4, this field contains the number 4.
  • Traffic class - An 8-bit field similar to the Type of Service (ToS) field in IPv4. This field tags the packet with a traffic class that it uses in differentiated services (DiffServ) quality of service (QoS). These functionalities are the same for IPv6 and IPv4.
  • Flow label - This 20-bit field is new in IPv6. It can be used by the source of the packet to tag the packet as being part of a specific flow, allowing multilayer switches and routers to handle traffic on a per-flow basis rather than per-packet, for faster packet-switching performance.
continue reading comments

Routing Facilities



Configuring NAT

    We will use the ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} command to define a pool of IP addresses for NAT.

    The ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type number | pool name} [overload] command. If static translation is preferred, the command is ip nat inside source {static {local-ip global-ip}.

  • list access-list-number - Number of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
  • list access-list-name - Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
  • route-map name - Specifies the named route map.
  • interface type number - Specifies the interface type and number for the global address.pool name Name of the pool from which global IP addresses are allocated dynamically.
continue reading comments