(I) Apart from the default configuration on ASA, what features do you guys usually enable for extra protection? I already have another IPS, hence not doing any 'ip audits'. Any suggestions would be appreciated.
(II) I use these parameters for logging. Do they look okay?
(I) You can enable the anti-spoofing feature - ip verify reverse-path (Unicast RPF)
This guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.
Normally applied on the outside interface facing the internet/external network.
Command: ip verify reverse-path interface interface_name
But as per Cisco SAFE Blueprint suggestions, network security has to be in a form of multilayer of security, involving security-specific devices such as firewalls, IDS/IPS, secure remote access devices (IPSec VPN), identity authentication devices and non-security-specific devices such as routers and switches. It will be a good idea to incorporate them all, if possible.
(II) Looks fine, but you can also trim down the buffer logging level to 1 step lower to 'informational' or 'notification' level. This can help you to zoom in on useful log information. Debugging is useful when performing troubleshooting. But there are no exact rules for what level must be enabled/used. Without debugging level, you can save buffer space - no unwanted log info unless needed.
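The reverse-path check described in the answer above, modelled in Python as an added example that is not part of the original post and is not Cisco code. The routing table, interface names and packets are constructed for illustration.

```python
import ipaddress

# Constructed routing table (assumption): prefix -> egress interface name.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.0.0.0/8", "inside"),
    ("10.20.30.0/24", "dmz"),
    ("192.168.50.0/24", "inside"),
]

def best_route(table, address):
    """Longest-prefix match: return (network, interface) or None."""
    ip = ipaddress.ip_address(address)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in table
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def rpf_check(table, src_ip, ingress_ifc):
    """Accept only if the route back to src_ip leaves via the ingress interface."""
    route = best_route(table, src_ip)
    if route is None:
        return False, "no route to source"
    net, ifc = route
    if ifc != ingress_ifc:
        return False, f"route to {net} is via {ifc}, not {ingress_ifc}"
    return True, f"route to {net} is via {ingress_ifc}"

# Constructed packets: (source IP, interface the packet arrived on).
PACKETS = [
    ("203.0.113.7", "outside"),  # internet source, matched by the default route
    ("10.1.2.3", "outside"),     # internal source arriving from outside
    ("10.20.30.5", "inside"),    # dmz source arriving on inside
    ("10.20.30.5", "dmz"),       # dmz source arriving on dmz
]

def evaluate(table, packets):
    """Return (src, ingress, accepted, reason) for each packet."""
    return [(src, ifc) + rpf_check(table, src, ifc) for src, ifc in packets]

if __name__ == "__main__":
    for src, ifc, ok, why in evaluate(ROUTES, PACKETS):
        print(f"{'PASS' if ok else 'DROP'} src={src} in={ifc}: {why}")
```

Because the default route points out the outside interface in this table, the check on outside only rejects sources that have a more specific route through another interface.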