msgbartop
msgbarbottom

21 Nov 12 Internet traffic and Cisco AnyConnect

Routing Internet traffic when using Cisco AnyConnect – Cisco ASA 5520 Code 8.4

Previously I worked on Cisco AnyConnect VPN Configuration on Cisco ASA 5520 running 8.4 code. Now since everything is working good I was able to access all the internal resources however I was unable to access the Internet. Now I need to be able to give users access to the Internet. There are two ways of doing this:

  • Split tunneling
  • Tunnel All Traffic

If I do split tunneling users will be able to access the Internet when they are using Cisco AnyConnect VPN, however they will be using their local Internet and it is not considered very secure. So I decided to send their Internet Traffic via Cisco AnyConnect VPN as well so when they go out to the Internet they will be going out via the corporate connection. Here are quick examples of both:

Split Tunneling

If you want to do split tunneling then look at the screen shot below. Under Group Policy you will go to: “Advanced –> Split Tunneling”, then change the Policy to “Tunnel Network List Below”, under Network List change that to access list associated. Access List will look something like this:

“access-list ACL-NAME extended permit ip object-group INSIDE-NETWORK object-group REMOTE-VPN-NETWORK”.

Split Tunnel Cisco ASA 5520

Here is how the command line will look:
group-policy SPLIT-TUNNEL internal
group-policy SPLIT-TUNNEL attributes
banner value You are accessing a secure system, all activity will be logged.
wins-server value 192.168.0.2 192.168.0.13
dns-server value 192.168.0.2 192.168.0.12
vpn-simultaneous-logins 10
vpn-idle-timeout 240
vpn-session-timeout 1440
vpn-tunnel-protocol ikev2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL-ACL
default-domain value XXXX.COM
split-tunnel-all-dns enable

Tunnel All

Now with this method all traffic including the Internet traffic will traverse through the Cisco AnyConnect VPN and will utilize the corporate Internet Connection to go online. Group Policy will look look this:
Tunnel All Cisco ASA 5520

Here is how the command line will look like:
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 192.168.0.2 192.168.0.12
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelall
default-domain value xxx.com

Now there is a small step that I performed so that outgoing traffic from all the remote users will use a different Public IP address than what is defined on the outside interface. Also the key term here is that in order to Tunnel All Traffic all VPN traffic needs to be able to make a “U” turn i.e go out the same interface it came from. There are a couple of commands that were needed for that part such as:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Now for the NATing a different public IP here is what I did:

object network AnyConnect
subnet 172.16.0.128 255.255.255.128
nat (outside,outside) dynamic x.x.x.x

I took the AnyConnect network and made it go back out the outside interface with a different public IP

Tags: , , , , , , , ,

15 Nov 12 Configuring Netflow on Cisco ASA 5520

Cisco ASA 5520 Netflow Configuration Example

Cisco Netflow is a pretty awesome tool. It really gives you a deep insight into your network, bandwidth utilization. Recently I had to configure Netflow on a Cisco 5520 and just sharing my notes. There are basically 3 parts to it, 1- Create a destination and configure attributes, 2- Access list, 3- Creating a policy map. Correct me if I am wrong but I believe you need at least 8.2.x code on the ASA Firewall for Netflow V9. Anything below Netflow v9 is not supported on the Cisco ASA any ways.

So I was using Cisco ASA 5520, running 8.4.3 code. Here are my steps:

flow-export destination inside netflow-server-ip 2055 (2055 is the port)
flow-export delay flow-create 30 (Short identical flows as one)
flow-export template timeout-rate 1 (1 min is by default)
!
access-list netflow-hosts extended permit ip any any (Access list for netflow)
class-map netflow-traffic (Define a class for netflow)
match access-list netflow-hosts (Map the access list created earlier to the class)
!
policy-map global_policy (enter global policy)
class inspection_default
class netflow-traffic (This maps the class created earlier to the Policy)
flow-export event-type all destination netflow-server-ip (This tells the class to send all events to the destination)

So this is a pretty straightforward example of how I configured Netflow on the Cisco ASA 5520 running 8.4.3 code. Then I fired up wireshark on the Netflow server and I was able to see all the Netflow traffic. Under Protocol Column in Wireshark you will see it as CFLOW. I recommend that you can check out other resources on Cisco’s website or Google to get even better understanding of Cisco Netflow and how to implement it in different devices.

Tags: , , ,

05 Nov 12 Configure Microsoft NPS 2008 for Cisco AnyConnect VPN

Microsoft NPS 2008 Server configuration for Cisco AnyConnect VPN Client

Previously I explained how I configured Cisco AnyConnect VPN on the Cisco ASA 5520. In that configuration instead of using the Local Authentication I utilized RADIUS Authentication. In this article I am going to talk about how I configured the RADIUS Server – Microsoft NPS 2008 to provide Authentication for Cisco AnyConnect clients.

Since Cisco ASA configuration has already been explained I’m only putting the Microsoft NPS 2008 Server steps here:

  • I started with creating a new profile, under Overview I left the settings as shown in the picture below: (Note: you can name the policy whatever you like)
  • Next under Conditions, there are two things I had to add. 1) Windows Group that I wanted to allow to be able to use Cisco AnyConnect VPN, 2) NAS IPv4 Address = Cisco ASA’s inside interface IP
  • Next under Constraints, the only thing I changed was the Authentication Method I set it up for MS-CHAP-v2. There are other methods available as well but for now I just picked this
  • That is it after all these steps and saving my settings I added a test user into my AnyConnect group and was able to sign into the Cisco AnyConnect VPN. As soon as I took that user out of that group I was no longer able to sign in.

Note:Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always backup your work before you make any changes, always test configurations in the lab and never do anything that you can not undo :).

Tags: , ,

05 Nov 12 Configuring Cisco Any Connect on Cisco ASA 8.4

Cisco Any Connect configuration on Cisco ASA 5520 – 8.4 code

As most of us know by now that Cisco has announced End of Sale and End of Life for Cisco VPN Client, Details Here. Our migration option from Cisco VPN Client is Cisco AnyConnect. Cisco AnyConnect is supported by 32 as well as 64 bit version of Windows. And yes there is licensing involved too. Here is some information on the Cisco ASA and Cisco AnyConnect Licensing. So now my notes on configuring Cisco AnyConnect VPN on Cisco ASA 5520 Firewall running 8.4 Code.

There are different ways to accomplish this i.e; Command Line or utilizing Cisco ASDM. I actually used a mixture of both. It is pretty easy and fast to configure Cisco AnyConnect profile via ASDM Wizard initially so I used that procedure:

  • After opening up the ASA’s ASDM form the top I picked the option Wizard –> VPN wizard –> AnyConnect VPN wizard. Here is what the first screen looks like:
  • Next you name the connection profile, now note here that multiple profiles can be created for different purposes such as a profile for the IT department, profile for the executives, profile for the regular users and give them access accordingly.
  • On the next screen under VPN Protocols – SSL/IPSec I picked out both protocols for now, however eventually I am going to change that as I will be getting the Essentials license which gives me Cisco AnyConnect IPSec license. But for now by default I have two SSL licenses so I wanted to use them at least for testing purposes. Also under Device Certificate I picked the self signed certificate for now however eventually I will be adding a valid third party SSL Certificate and will have a separate how to on that.
  • Next I had to specify the Cisco AnyConnect client image. I already had it loaded on the ASA 5520 Firewall, so I simply clicked on Browse Flash and added it from there, however you also have the option to upload it here if you do not have it already loaded on the Cisco ASA. I was using the latest version, file name: anyconnect-win-3.1.00495-k9.pkg.

  • Next screen asks for the Authentication Methods. Since I already have the Microsoft NPS 2008 server setup, I picked RADIUS. Note: I will have a separate how to on setting up the Microsoft NPS 2008 Server as RADIUS server for Cisco AnyConnect. You can also use other type of Authentication methods such as Kerberos, LDAP etc if you like.

  • Next screen asks for the DHCP Pool to be used for the Cisco AnyConnect VPN Clients. If there is one already defined that can be used I defined a new scope by clicking on the New button. This can also be created easily via command line as well in advance.

    ip local pool AnyConnect_DHCP 10.251.0.34-10.251.0.46 mask 255.255.255.240

  • In the next section I specified the DNS Servers that Cisco AnyConnect Clients will use after connecting
  • Next screen was for >NAT Exempt. Which means it was asking me if I want the Cisco AnyConnect VPN Clients network to be excluded from any kind of NAT. On the top first lines says, If network address translation is enabled on the ASA, the VPN traffic must b exempt from this translation. Well NAT is enabled so I check the box. If you forget to check it or leave it for now, it can easily be done via command line

    object-group network Inside_Net
    network-object 192.168.0.0 255.255.255.0
    network-object 192.168.1.0 255.255.255.0
    network-object 192.168.2.0 255.255.255.0
    !
    object network AnyConnect
    subnet 10.251.0.32 255.255.255.240
    !
    nat (inside,outside) source static Inside_Net Inside_Net destination static AnyConnect AnyConnect
    !
    object network VPN-Pool-internet
    subnet 10.251.0.32 255.255.255.240
    nat (outside,outside) dynamic second-public-ip (This is the outgoing Public IP for the VPN)

  • Next screen I checked the option to Allow Web Launch
  • Next screen is the last screen and just shows the summary of everything. I simply clicked on “Finish” and that is it

Article Resources

Note:Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always backup your work before you make any changes, always test configurations in the lab and never do anything that you can not undo 🙂

Tags: , , , , ,

02 Nov 12 Cisco ASA 8.4 on GNS 3

Configure Cisco ASA 8.4 on GNS3

As most of the readers know that GNS3 is a pretty cool open source tool for network engineers to be able to emulate Cisco and Juniper software. I have been trying to get it working for a while here and there but just never had the time and patience to go through the whole setup. Today finally while I was watching a Video on You Tube about one of my other projects I came across a pretty cool video on how to get Cisco ASA 8.4 working with GNS3.

Two most important things were getting the right image and then getting the Qemu options configured properly.

Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
Kernel cmd line: Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

I was able to use the following site to get the right files for this setup, XeruNetworks. Once you install GNS3 successfully here are some of the first steps:

  • Go to “Edit and then Preferences”, then click on “Qemu” (Left)
  • Click on “Test Settings” button and make sure that it passes
  • Now click on “ASA” and start filling in the information, it will look like this
  • Once you are done, add Cisco ASA icon to the GNS3 Lab and click Start, wait few seconds and then start the Console
  • Something very important here PATIENCE it will take it few minutes to boot up all the way, it will pause at one point as if it is froze, that is what I thought but the boot process started after like 2 or 3 minutes
  • I would really like to give credit to the two web sites and a You Tube video below for the instructions. If you can’t get it working from reading my quick notes I highly suggest visit those sites and that video.
  • Article Resources:

    Tags: , , ,

12 Oct 12 Windows specify source ping (ICMP) Interface and IP

How to specify or change source interface and IP of ping (ICMP) packet in Windows with multiple NIC’s

This is something that has come up multiple times especially when working and dealing with network related tasks. Many times server engineers would contact us and complain about network traffic or VPN related issues or more recently I had to test VPN Connectivity from a server to other remote sites. However this server had 2 Network Cards. Both of them had different IP’s. Here is how the setup was:

    VLAN100 = NIC1 = 192.168.100.10
    VLAN200 = NIC2 = 192.168.200.10

Now I needed to ping the remote sites but I needed the source to be VLAN200 = NIC2 = 192.168.200.10. I opened up wireshark and did a simple ping and that showed traffic going out of VLAN100 = NIC1 = 192.168.100.10. Well that wasn’t going to help me because 192.168.100.10 was not part of the interesting traffic on the Cisco ASA. After a little digging I found out that I found out that there is a utility called NPing, that comes with NMap will allow me to accomplish that. I already had NMap installed on this server so I opened up the command prompt and typed:

nping

I got many options and the two options I was interested in were -e and -S.

  1. -e lets you specify the network interface you want to source the ICMP packet from
  2. -S lets you specify the IP Address of that network interface you want to source the ICMP packet from
  3. In my case I needed to source the ping (ICMP) from the second Network Card using the IP address of 192.168.200.10
  4. Now an important point to remember over here is that nping will not see the name of your network interface as it is in windows like “local area connection” etc. It uses the Linux way. So now I found out that mapping by utilizing the following command:
  5. nmap –iflist

  6. It produced bunch of data towards the top second or third line was *************************INTERFACES************************
  7. Right under this line it shows all the network interfaces mapped in Linux style with the IP address. So the first interface was eth0, second was eth1
  8. I picked out the the interface I needed in my case it was eth1 and then ran the following command?
  9. nping -e eth1 -S 192.168.200.10 10.1.1.10
    nping -e eth0(1) -S source-ip target-ip

  10. Now looking at the wireshark capture I was able to see that the ICMP packets were going out of the second network card and on the Cisco ASA Firewall I was able to see the VPN Traffic
  11. nping offers so many more options to work with for troubleshooting purposes, in general NMAP is a great and must have utility for network and systems engineers

Tags: , , , ,

11 Oct 12 Cisco ASA – DMZ access via cut through Proxy Authentication

Allowing DMZ access based on user login in a corporate network

So I’m sure every one knows that there is a way we can utilize Cisco ASA to limit the internet traffic using Cut through proxy authentication. I needed something similar however I needed to limited the RDP access to a server in our DMZ based on a user profile. Now there are multiple ways to accomplish this. Previously I have accomplished this by using the networks or IP addresses however in that case the whole network was setup with a strict tier level and more strict IP addressing scheme to comply with the PCI requirements. In this case certain group of users who needed access to that web server in the DMZ were getting their IP’s from the DHCP server and there were no reservations. So I couldn’t allow the whole network access to the server in the DMZ. I decided to utilize the Cisco ASA’s cut through proxy authentication. Note: Cisco ASA supports direct authentication for http (80), telnet (23), ftp (21), https (443). But it does not for other protocols such as RDP (in my case).

So in order to utilize this feature for un supported protocols first I had to get the users to authenticate using the virtual IP address on the Cisco ASA and then gain RDP access to the server in the DMZ.

I took the following steps to accomplish this:

  • Setup authentication prompts
  • auth-prompt prompt Authentication for Access to Server
    auth-prompt accept Authentication successful, now you can RDP to 192.168.1.10
    auth-prompt reject Authentication Failed please try again

  • Setup a Virtual IP address on the Cisco ASA
  • virtual http 10.1.1.10

  • Setup an access list on the Cisco ASA
  • access-list RDPAuth remark “This ACL is for RDP access to the servers in the DMZ”
    access-list RDPAuth extended permit tcp any eq 3389 host 192.168.1.10 gt 1023 (Server IP in DMZ)
    access-list RDPAuth extended permit tcp any gt 1023 host 192.168.1.10 eq 3389 (Server IP in DMZ)
    access-list RDPAuth extended permit tcp any host 10.1.1.10 eq www (Virtual IP for Cut Through Proxy Authentication)
    access-list RDPAuth extended permit tcp any host 10.1.1.10 eq https (Virtual IP for Cut Through Proxy Authentication)

  • Setup AAA Authentication statements
  • aaa authentication match RDPAuth inside RADIUS (Note: RADIUS must be setup prior to this, see )
    aaa authentication secure-http-client

    Now it is time to setup the Microsoft NPS Server

  • From the examples before simply clone one of the policy, name it something like RDPAuth
  • On the next tab Conditions add the groups from active directory that can access this resource
  • Under Settings Tab first option will be “Standard”. Make sure “Service-Type = Login”
  • Now last and important step configuring Vendor Specific attributes. In this case it would be “Cisco-AV-Pair”. This is where I configured the access list, same that is defined on the firewall, every line needs to match.
  • ip:inacl#2=permit tcp any eq 3389 host 192.168.1.10 gt 1023
    ip:inacl#3=permit tcp any gt 1023 host 192.168.1.10 eq 3389
    ip:inacl4=permit tcp any host 10.1.1.10 eq www
    ip:inacl5=permit tcp any host 10.1.1.10 eq https

  • Now if a user wants to RDP to the 192.168.1.10 DMZ Server they can gain that access by first going to https://10.1.1.10, authenticating on that page against Microsoft Active Directory using Cisco ASA Cut through Proxy and then running their RDP command

Resources:

  1. Limiting Internet Access Based on User Profile Using ASA and RADIUS
  2. I also recommend reading and understanding cut through proxy authentication vulnerability – CSCtx42746

Note:Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always backup your work before you make any changes, always test configurations in the lab and never do anything that you can not undo 🙂

Tags: , ,

24 Aug 12 Cisco ASA Management Authentication via Microsoft RADIUS Server

Cisco ASA Management Authentication using Microsoft RADIUS (NPS – Network Policy Server 2008) Server

Previously I talked about how to setup Microsoft Network Policy Server 2008 so that you can use that to log into Cisco Switches and Routers. This post I am going to go over the steps I used to setup Cisco ASA 5520 with 8.4.3 code to authenticate against Microsoft Active Directory using Microsoft RADIUS Server (NPS – Network Policy Server 2008). There are slightly different steps.

  • From the Network Policy Server expand Policies and right click on Network Policies
  • You can choose and start creating a whole new policy and go through all the steps, but I chose to just clone the one I made for Cisco Switches and Routers
  • So if you want to clone it simply right click on the existing policy and choose Duplicate Policy
  • Once the policy is duplicated it will show up as disabled. Before you enable it you need to configure it. So here is how I updated it so that it can work with Cisco ASA 5520
  • Go to the Settings and change the Service-Type to Administrative from Login
  • Under Settings click on Vendor Specific and I removed what was in there as with Cisco ASA you can’t automatically get to the Exec Priv level
  • That was it I just moved the Cisco ASA policy above the one for the Cisco Switches and Routers, added the firewall under RADIUS Clients
  • Now here are the configuration lines I used on the Cisco ASA itself so that it can go talk to the RADIUS Server:

    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host X.X.X.X
    timeout 25
    key XXXXXXXXXXXXXXXX
    !
    aaa authentication http console RADIUS LOCAL
    aaa authentication ssh console RADIUS LOCAL
    aaa authentication enable console RADIUS LOCAL
    aaa authentication serial console RADIUS LOCAL
    aaa-server RADIUS max-failed-attempts 1
    aaa-server RADIUS deadtime 1
    aaa-server RADIUS host X.X.X.X timeout 1

Note:Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always backup your work before you make any changes, always test configurations in the lab and never do anything that you can not undo 🙂

Tags: , , , , ,

17 Aug 12 Cisco Authentication through Microsoft RADIUS Server

Configure AAA on Cisco switch and a router with Microsoft RADIUS Server 2008

I recently started a new job and found out that there was no AAA setup on any of the Cisco Network Gear – Switches, Routers and firewalls. Each one of them were using their local authentication methods, which to me is not acceptable. I like the single sign on and the ability to control access and log access from a central location. We discussed Cisco ACS which is really cool and gives you all kinds of features however I only needed the following features:

  • Single Sign on using Microsoft Active Directory
  • Control access from one single location
  • Ability to log access to all the Cisco Network equipment

To accomplish those tasks I didn’t see myself spending all that money on Cisco ACS instead I decided to save some money for my company and utilize our existing infrastructure and deploy a Microsoft RADIUS Server for AAA configuration on the Cisco Switches, Routers and Firewalls. Proper name would be Microsoft NPS (Network Policy Server) 2008. It offers many features and lots of configuration options. I just configured it for what I needed it for.

Here are the configuration steps for deploying the Microsoft NPS 2008 Server for Cisco device authentication:

  • First thing make sure you join it to the domain
  • Next from the control panel and Turn windows features on or off, right click on “Server Manager” and then hit Next
  • On the next screen choose Network Policy and Access Services and click Next
  • Now Next Screen will just show you the confirmation of what you are installing, go ahead and click on the “Install” button. Once the install finishes up and you fire up the Network Policy Server 2008 snap in, right click on the NPS (Local) icon and choose Register server in Active Directory
  • So I was done with the initial install and it was pretty simple. Now next phase for me was to configure it so that I can get Cisco Switches and routers to use this server and authenticate users from Microsoft Active Directory
  • I expanded Policies and then right clicked on Network Policies and then from the menu choose New and a new policy wizard comes up.
  • I named my policy CiscoAuth, under Type of network access server leave “Unspecified” and click on next:
  • Next screen will ask you to Specify Conditions. So since I wanted users to authenticate against Microsoft Active Directory and from a certain group I added that group under here:


  • Once that is done click Next and from that screen choose Access Granted:
  • Next I needed to configure the Authentication Methods, once you are on that screen you will have to check Unencrypted Authentcation (PAP,SPAP) as that is what is supported by Cisco IOS. Un check rest. You will get a pop up telling you that you have selected one or more insecure authentication methods….”. Just hit “Yes” on it and click Next:
  • Next screen asks about Idle Timeout. I set mine up for 5 min:
  • On the next screen under Standard you will see RADIUS Standard Attributes. There will be two already in there Framed-Protocol and Service-Type. I removed both of them and added Service-Type as Login:


  • Next screen under Vendor Specific I defined an attribute so that users can login and straight go to the privilege EXEC. So click on the Add button and then from the Vendor drop down choose Cisco. Cisco-AV-Pair will be there click on Add.
  • Next I clicked on Edit and updated the Value as shell:priv-lvl=15:

  • That is it I just hit next and everything was all set, next I added my RADIUS client under RADIUS Clients and Servers –> RADIUS Clients. Simply right click, choose New.
  • Client screen that comes up I made sure Enable this RADIUS client is checked. Then in the friendly name I just like to use the host name of the device, IP Address of the device and the shared secret:
  • Now I was done with the RADIUS part and it was time to configure the Cisco Switch to talk to the Microsoft NPS Server 2008 using the RADIUS protocol and allow users to log in with Microsoft Active Directory credentials
  • I used the following configuration lines on the Cisco Switch so that it allows users to log in using their Microsoft Active Directory Credentials:


    aaa new-model
    !
    !
    aaa authentication login vtylogin group radius local
    aaa authentication login conlogin group radius local
    aaa authentication enable default group radius enable
    aaa authorization console
    aaa authorization exec vtylogin group radius local
    aaa authorization exec conlogin group radius local
    !
    radius-server host 10.1.5.236 key xxxomittedxxxx
    !
    line con 0
    exec-timeout 5 0
    authorization exec conlogin
    logging synchronous
    login authentication conlogin
    line vty 0 4
    exec-timeout 0 0
    authorization exec vtylogin
    login authentication vtylogin
    transport input ssh
    line vty 5 15
    exec-timeout 0 0
    authorization exec vtylogin
    login authentication vtylogin
    transport input ssh

Now I was able to log into all my switches using my Microsoft Active Directory Credentials as well as rest of the users that were added earlier on the RADIUS server

Note:Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always backup your work before you make any changes, always test configurations in the lab and never do anything that you can not undo 🙂

Tags: , , ,

21 Apr 12 Some Important Port Numbers

Listing of some widely used important Port Numbers

  • HTTP: TCP 80
  • HTTPS: TCP 443
  • FTP Data/Control: TCP 20/21
  • TELNET: TCP 23
  • SSH: TCP 22
  • DNS: UDP 53
  • TFTP: TCP 69
  • RDP: TCP 3389
  • NTP: UDP 123
  • POP3: TCP 110
  • SMTP: TCP 25
  • BootP: UDP 67,68
  • CAPWAP: UDP 5246, 5247

Tags: ,

WordPress SEO