Security PoC SXP ISE & ASAv 9.10 lab by UD

Posted: Wed Dec 12, 2018 11:10 pm
by Uldis (UD)
Created another security EVE-NG Pro lab to test the newest ASAv 9.10 and ISE 2.3 for SXP TrustSec.
Task:
1. Configure ASAv in HA active/standby
2. Configure CTS SXP peering between SW1 and ASAv. ASAv and SW1 are ISE TrustSec clients
3. VLAN 11 (inside) is SXP trusted communication between ASAv and SW1
4. ISE is configured with the SGTs Corp_DOT1X and Guest_MAB, a dACL and authorization profiles with the VLAN 11 tag.
5. Authenticate PC1-MAB with ISE (mab) and authorize it in security group Guest_MAB
6. Authorize PC2-DOT1X with ISE (dot1x) and authorize it in security group Corp_DOT1X
7. PC1-MAB is able to reach the http dmz1.eve.lab server only
8. PC2-DOT1X is able to reach the http dmz2.eve.lab server and the internet (ping 8.8.8.8, lo0 on ISP)
And here is the result:
In the screen below, PC1-MAB, after being successfully authorized with ISE, matches the policies on ASAv and can reach only http://dmz1.eve.lab
ISE Policies:

Task test result:

Images used:
IOL SW 15.2 (version with mab, dot1x, cts/sxp support)
IOL L3 15.4.2T
ASAv 9.10 (demo lic)
ISE 2.3 (eval lic)
Winserver 2008 as DNS and AD server
Windows 7 32 bit as MAB and DOT1X hosts
EVE-PRO Docker server-gui as DMZ servers and Mgmt host
NTP server, simple L3 IOL router 15.4.2T
Cloud (cloud5) Mgmt100 is a simple EVE free cloud network used to stretch the mgmt VLAN across the lab and for a better-looking topology.
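As an added illustration of tasks 2, 3 and 7/8 (not UD's own configuration, which is not posted in this thread), the CLI side of the SXP peering over VLAN 11 and the SGT-based policy on the ASAv looks roughly like this. The 10.1.11.x and 10.1.20.x addresses, the DNS server address, the SXP password and the aaa-server group name are assumed placeholders; the SGTs, authorization profiles and the PC authentication results come from the ISE GUI as described in the task list.

```cisco
! --- SW1 (IOL L2 15.2): SXP speaker, sends the IP-to-SGT bindings it learns
! --- from ISE authorizations (Guest_MAB / Corp_DOT1X) to the ASAv over VLAN 11
ip device tracking                         ! switch must learn the host IP to build the binding
cts sxp enable
cts sxp default password SXP_PASSWORD      ! placeholder, must match the ASAv
cts sxp default source-ip 10.1.11.2        ! SW1 SVI on VLAN 11 (assumed address)
cts sxp connection peer 10.1.11.1 password default mode local speaker
! verify: show cts sxp connections
!
! --- ASAv 9.10: SXP listener. The ISE server-group (plus an imported PAC via
! --- "cts import-pac") is what lets the ASA resolve SGT names from ISE.
cts server-group ISE_GROUP                 ! ISE defined as RADIUS aaa-server group ISE_GROUP (assumed name)
cts sxp enable
cts sxp default password SXP_PASSWORD
cts sxp default source-ip 10.1.11.1        ! ASAv inside interface on VLAN 11 (assumed address)
cts sxp connection peer 10.1.11.2 password default mode local listener
! verify: show cts sxp connections, show cts environment-data, show cts sxp sgt-map
!
! --- Inside policy (tasks 7 and 8): Guest_MAB reaches HTTP on dmz1 only,
! --- Corp_DOT1X reaches HTTP on dmz2 and the ISP loopback (8.8.8.8).
! --- DNS is permitted so the hosts can resolve dmz1/dmz2.eve.lab on the Winserver.
access-list INSIDE_IN extended permit udp any host 10.1.20.5 eq domain
access-list INSIDE_IN extended permit tcp security-group name Guest_MAB any host 10.1.20.11 eq www
access-list INSIDE_IN extended permit tcp security-group name Corp_DOT1X any host 10.1.20.12 eq www
access-list INSIDE_IN extended permit icmp security-group name Corp_DOT1X any host 8.8.8.8
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside
```

Because the ASAv is in active/standby HA (task 1), the SXP connection and the SGT mappings follow the active unit, so the peer address used on SW1 should be the ASA's inside interface address, not a unit-specific failover address.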

Re: Security PoC SXP ISE & ASAv 9.10 lab by UD

Posted: Thu Dec 13, 2018 1:28 pm
by EKAEZO
Thank you. You rock UD.

Re: Security PoC SXP ISE & ASAv 9.10 lab by UD

Posted: Thu Dec 13, 2018 3:07 pm
by thebaptist
Hi guys,

Which image is this exactly? IOL SW 15.2 (version with mab, dot1x, cts/sxp support)

kindest regards,
John

Re: Security PoC SXP ISE & ASAv 9.10 lab by UD

Posted: Thu Dec 13, 2018 7:03 pm
by Uldis (UD)
Try to find this version:
vIOS
viosl2-adventerprisek9-m.cml.SSA.high_iron_20180510

IOL
i86bi_linux_l2-adventerprisek9-ms.SSA.high_iron_20180510

Re: Security PoC SXP ISE & ASAv 9.10 lab by UD

Posted: Tue Dec 18, 2018 1:15 pm
by dmissai
Hi UD,

Thank You for the nice support to Security Candidates.
Do you have pre-configuration?

Re: Security PoC SXP ISE & ASAv 9.10 lab by UD

Posted: Fri Mar 15, 2019 11:03 pm
by stevenjwilliams83
The import doesn't include the top left DMZ web servers. Anyone else have that issue?

Re: Security PoC SXP ISE & ASAv 9.10 lab by UD

Posted: Sat Mar 16, 2019 9:00 am
by Uldis (UD)
stevenjwilliams83 wrote:
Fri Mar 15, 2019 11:03 pm
The import doesn't include the top left DMZ web servers. Anyone else have that issue?
Because this lab was created on EVE Pro. EVE Pro has Docker nodes, which Community does not.
That's why the DMZ servers do not appear in the topology.

Security PoC SXP ISE & ASAv 9.10 lab by UD

Posted: Fri May 03, 2019 7:50 pm
by byronLew
This seems to be changing for the better; has already passed the exam.
It seems the future is dominated by LAB3.