Security PoC SXP ISE & ASAv 9.10 lab by UD

Uldis (UD)
Posts: 5148
Joined: Wed Mar 15, 2017 4:44 pm
Location: London

Security PoC SXP ISE & ASAv 9.10 lab by UD

Post by Uldis (UD) » Wed Dec 12, 2018 11:10 pm

Created another security EVE-NG Pro lab to test the newest ASAv 9.10 and ISE 2.3 for SXP TrustSec.
Task:
1. Configure ASAv in HA active/standby.
2. Configure CTS SXP peering between SW1 and ASAv. ASAv and SW1 are ISE TrustSec clients.
3. VLAN 11 (inside) is the SXP trusted communication between ASAv and SW1.
4. ISE is configured with SGTs Corp_DOT1X and Guest_MAB, a dACL and authorization profiles with the VLAN 11 tag.
5. Authenticate PC1-MAB with ISE (mab) and authorize it in security group Guest_MAB.
6. Authenticate PC2-DOT1X with ISE (dot1x) and authorize it in security group Corp_DOT1X.
7. PC1-MAB is able to reach the http dmz1.eve.lab server only.
8. PC2-DOT1X is able to reach the http dmz2.eve.lab server and the internet (ping 8.8.8.8, lo0 on ISP).
And here is the result:
In the screen below, PC1-MAB, after being successfully authorized with ISE, matches the policies on ASAv and can reach only http://dmz1.eve.lab.
ISE Policies:

Task test result:

Images used:
IOL SW 15.2 (version with mab, dot1x, cts/sxp support)
IOL L3 15.4.2T
ASAv 9.10 (demo lic)
ISE 2.3 (eval lic)
Winserver 2008 as DNS and AD server
Windows 7 32 bit as MAB and DOT1X hosts
EVE-PRO Docker server-gui as dmz servers and Mgmnt host
NTP server, simple L3 IOL router 15.4.2T
Cloud (cloud5) Mgmt100 is a simple EVE free cloud network used to stretch the mgmt VLAN across the lab and for a better-looking topology.
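
As an added illustration of tasks 2 to 8 (not UD's own configuration, which lives in the attached lab), here is a minimal SXP speaker/listener pairing between SW1 and the ASAv plus the SGT-based ACL on the ASAv that enforces the two reachability rules. The IP addresses, the SXP password, the DMZ host addresses and the ISE-GROUP AAA server group name are assumptions; the interface name follows the IOL convention.

```cisco
! --- SW1 (IOL L2 image): SXP speaker toward the ASAv on VLAN 11 ---
! Placeholder values (assumed): 10.11.0.2 = SW1, 10.11.0.1 = ASAv inside,
! SXP-PSK-PLACEHOLDER = shared SXP password. Replace with the lab's own.
cts sxp enable
cts sxp default password SXP-PSK-PLACEHOLDER
cts sxp default source-ip 10.11.0.2
cts sxp connection peer 10.11.0.1 password default mode local speaker
!
! Access port for PC1-MAB / PC2-DOT1X. ISE returns the SGT (Guest_MAB or
! Corp_DOT1X) in the RADIUS authorization; SW1 then advertises the host's
! IP-to-SGT binding to the ASAv over the SXP session above.
interface Ethernet0/1
 switchport mode access
 switchport access vlan 11
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! --- ASAv 9.10: SXP listener plus SGT-aware access policy ---
! Assumes AAA server group ISE-GROUP and the PAC import are already done,
! so the ASA can resolve the SGT names below from ISE environment data.
cts server-group ISE-GROUP
cts sxp enable
cts sxp default password SXP-PSK-PLACEHOLDER
cts sxp default source-ip 10.11.0.1
cts sxp connection peer 10.11.0.2 password default mode local listener
!
! Constructed addresses for the two DMZ web servers.
object network DMZ1-WEB
 host 10.21.0.10
object network DMZ2-WEB
 host 10.22.0.10
!
! Task 7: Guest_MAB may only reach HTTP on dmz1.eve.lab.
access-list INSIDE_IN extended permit tcp security-group name Guest_MAB any object DMZ1-WEB eq www
access-list INSIDE_IN extended deny ip security-group name Guest_MAB any any
! Task 8: Corp_DOT1X may reach HTTP on dmz2.eve.lab and ping the internet.
access-list INSIDE_IN extended permit tcp security-group name Corp_DOT1X any object DMZ2-WEB eq www
access-list INSIDE_IN extended permit icmp security-group name Corp_DOT1X any any
! A host with no SXP binding yet matches neither group and is dropped.
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside
```

Before trusting the ACL result, confirm the session is up with `show cts sxp connections` on both devices and that the host's binding has actually arrived on the ASAv with `show cts sxp sgt-map`; an endpoint whose binding never propagated falls into the final deny rather than its group's policy.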

EKAEZO
Posts: 8
Joined: Wed Aug 16, 2017 11:24 pm

Re: Security PoC SXP ISE & ASAv 9.10 lab by UD

Post by EKAEZO » Thu Dec 13, 2018 1:28 pm

Thank you. You rock, UD.

thebaptist
Posts: 2
Joined: Thu Sep 21, 2017 10:35 am

Re: Security PoC SXP ISE & ASAv 9.10 lab by UD

Post by thebaptist » Thu Dec 13, 2018 3:07 pm

Hi guys,

Which image is this exactly? IOL SW 15.2 (version with mab, dot1x, cts/sxp support)

kindest regards,
John

Uldis (UD)
Posts: 5148
Joined: Wed Mar 15, 2017 4:44 pm
Location: London

Re: Security PoC SXP ISE & ASAv 9.10 lab by UD

Post by Uldis (UD) » Thu Dec 13, 2018 7:03 pm

Try to find this version:
vIOS
viosl2-adventerprisek9-m.cml.SSA.high_iron_20180510

IOL
i86bi_linux_l2-adventerprisek9-ms.SSA.high_iron_20180510

dmissai
Posts: 6
Joined: Wed Sep 20, 2017 11:16 am

Re: Security PoC SXP ISE & ASAv 9.10 lab by UD

Post by dmissai » Tue Dec 18, 2018 1:15 pm

Hi UD,

Thank you for the nice support to security candidates.
Do you have a pre-configuration?

stevenjwilliams83
Posts: 77
Joined: Mon Mar 20, 2017 1:53 pm

Re: Security PoC SXP ISE & ASAv 9.10 lab by UD

Post by stevenjwilliams83 » Fri Mar 15, 2019 11:03 pm

The import doesn't include the top-left DMZ web servers. Anyone else have that issue?

Uldis (UD)
Posts: 5148
Joined: Wed Mar 15, 2017 4:44 pm
Location: London

Re: Security PoC SXP ISE & ASAv 9.10 lab by UD

Post by Uldis (UD) » Sat Mar 16, 2019 9:00 am

stevenjwilliams83 wrote (Fri Mar 15, 2019 11:03 pm):
> The import doesn't include the top-left DMZ web servers. Anyone else have that issue?

Because this lab was created on EVE Pro. EVE Pro has docker nodes, which Community does not.
That's why the DMZ servers do not appear in the topology.

byronLew
Posts: 8
Joined: Tue Apr 30, 2019 3:21 am
Location: Norway

Re: Security PoC SXP ISE & ASAv 9.10 lab by UD

Post by byronLew » Fri May 03, 2019 7:50 pm

This seems to be changing for the better; I have already passed the exam.
It seems the future is dominated by LAB3.
