
21 Nov 12 Internet traffic and Cisco AnyConnect

Routing Internet traffic when using Cisco AnyConnect – Cisco ASA 5520 Code 8.4

Previously I worked on Cisco AnyConnect VPN Configuration on Cisco ASA 5520 running 8.4 code. With everything working well, I was able to access all the internal resources, however I was unable to access the Internet. Now I need to be able to give users access to the Internet. There are two ways of doing this:

  • Split tunneling
  • Tunnel All Traffic

If I do split tunneling, users will be able to access the Internet while they are using Cisco AnyConnect VPN, however they will be using their local Internet connection, which is not considered very secure. So I decided to send their Internet traffic via Cisco AnyConnect VPN as well, so when they go out to the Internet they will be going out via the corporate connection. Here are quick examples of both:

Split Tunneling

If you want to do split tunneling then look at the screen shot below. Under Group Policy go to “Advanced –> Split Tunneling”, then change the Policy to “Tunnel Network List Below”, and under Network List select the associated access list. The access list will look something like this:

    access-list ACL-NAME extended permit ip object-group INSIDE-NETWORK object-group REMOTE-VPN-NETWORK

[Screenshot: Split Tunnel Cisco ASA 5520]

Here is how the command line will look:

    group-policy SPLIT-TUNNEL internal
    group-policy SPLIT-TUNNEL attributes
     banner value You are accessing a secure system, all activity will be logged.
     wins-server value 192.168.0.2 192.168.0.13
     dns-server value 192.168.0.2 192.168.0.12
     vpn-simultaneous-logins 10
     vpn-idle-timeout 240
     vpn-session-timeout 1440
     vpn-tunnel-protocol ikev2
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLIT-TUNNEL-ACL
     default-domain value XXXX.COM
     split-tunnel-all-dns enable

Tunnel All

Now with this method all traffic, including the Internet traffic, will traverse the Cisco AnyConnect VPN and will utilize the corporate Internet connection to go online. The Group Policy will look like this:

[Screenshot: Tunnel All Cisco ASA 5520]

Here is how the command line will look:

    group-policy GroupPolicy_AnyConnect internal
    group-policy GroupPolicy_AnyConnect attributes
     wins-server none
     dns-server value 192.168.0.2 192.168.0.12
     vpn-tunnel-protocol ikev2 ssl-client
     split-tunnel-policy tunnelall
     default-domain value xxx.com

Now there is a small step that I performed so that outgoing traffic from all the remote users will use a different Public IP address than what is defined on the outside interface. Also, the key point here is that in order to Tunnel All Traffic, all VPN traffic needs to be able to make a “U” turn, i.e. go out the same interface it came in on. There are a couple of commands that were needed for that part:

    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

Now, to NAT to a different public IP, here is what I did:

    object network AnyConnect
     subnet 172.16.0.128 255.255.255.128
     nat (outside,outside) dynamic x.x.x.x

I took the AnyConnect network and made it go back out the outside interface with a different public IP.
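As a review aid for the two policies above, the following Python sketch (an added example, not part of the original post) reads a saved running-config, reports each group policy's tunnel mode, and checks that a tunnel-all policy has the U-turn and (outside,outside) NAT it depends on. It assumes the indented layout that `show running-config` produces and an interface named outside; the sample config and the address 203.0.113.10 are constructed stand-ins.

```python
import re

# Constructed sample in "show running-config" layout (sub-commands indented);
# 203.0.113.10 is a documentation address standing in for the post's x.x.x.x.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object network AnyConnect
 subnet 172.16.0.128 255.255.255.128
 nat (outside,outside) dynamic 203.0.113.10
group-policy SPLIT-TUNNEL internal
group-policy SPLIT-TUNNEL attributes
 vpn-tunnel-protocol ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelall
"""


def parse_group_policies(config):
    """Map each group-policy name to its {keyword: arguments} attributes."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) (internal|attributes)\s*$", line)
        if m:
            attrs = policies.setdefault(m.group(1), {})
            current = attrs if m.group(2) == "attributes" else None
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level command ends the block
    return policies


def hairpin_ready(config, interface="outside"):
    """True if VPN traffic may U-turn on `interface` and is NATed on the way out."""
    intra = re.search(r"^same-security-traffic permit intra-interface\s*$",
                      config, re.M)
    pair = re.escape(f"({interface},{interface})")
    nat = re.search(rf"^\s*nat {pair} ", config, re.M)
    return bool(intra and nat)


def audit(config, interface="outside"):
    """Return (policy, mode, note) for every group policy in the config."""
    hairpin = hairpin_ready(config, interface)
    report = []
    for name, attrs in parse_group_policies(config).items():
        mode = attrs.get("split-tunnel-policy", "inherited")
        acl = attrs.get("split-tunnel-network-list", "").replace("value ", "", 1)
        if mode == "tunnelall":
            note = ("Internet leaves via the ASA" if hairpin
                    else "no hairpin/NAT: clients lose Internet access")
        elif mode == "tunnelspecified":
            note = f"only {acl or '<no ACL>'} is tunnelled; Internet stays local"
        elif mode == "excludespecified":
            note = f"{acl or '<no ACL>'} bypasses the tunnel"
        else:
            note = "not set here; inherited from the parent policy"
        report.append((name, mode, note))
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        print("%-24s %-16s %s" % row)
```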


15 Nov 12 Configuring Netflow on Cisco ASA 5520

Cisco ASA 5520 Netflow Configuration Example

Cisco Netflow is a pretty awesome tool. It really gives you a deep insight into your network and bandwidth utilization. Recently I had to configure Netflow on a Cisco 5520 and I am just sharing my notes. There are basically 3 parts to it: 1) create a destination and configure attributes, 2) create an access list, 3) create a policy map. Correct me if I am wrong but I believe you need at least 8.2.x code on the ASA Firewall for Netflow v9. Anything below Netflow v9 is not supported on the Cisco ASA anyway.

So I was using Cisco ASA 5520, running 8.4.3 code. Here are my steps:

    ! 2055 is the port
    flow-export destination inside netflow-server-ip 2055
    ! Short identical flows as one
    flow-export delay flow-create 30
    ! 1 min is by default
    flow-export template timeout-rate 1
    !
    ! Access list for netflow
    access-list netflow-hosts extended permit ip any any
    ! Define a class for netflow
    class-map netflow-traffic
     ! Map the access list created earlier to the class
     match access-list netflow-hosts
    !
    ! Enter global policy
    policy-map global_policy
     class inspection_default
     ! This maps the class created earlier to the policy
     class netflow-traffic
      ! This tells the class to send all events to the destination
      flow-export event-type all destination netflow-server-ip

So this is a pretty straightforward example of how I configured Netflow on the Cisco ASA 5520 running 8.4.3 code. Then I fired up Wireshark on the Netflow server and I was able to see all the Netflow traffic. Under the Protocol column in Wireshark you will see it as CFLOW. I recommend that you check out other resources on Cisco’s website or Google to get an even better understanding of Cisco Netflow and how to implement it on different devices.
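To check the export from the receiving side without Wireshark, here is a minimal NetFlow v9 decoder in Python (an added example, not from the original post). It shows why the template setting above matters: a collector cannot decode data flowsets until it has received the matching template. The datagrams, addresses and the two-field template are constructed for the demonstration; a real ASA sends its own, larger templates.

```python
import ipaddress
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
SET_HDR = struct.Struct("!HH")     # flowset id, flowset length (header included)
IPV4_SRC_ADDR, IPV4_DST_ADDR = 8, 12  # field types from RFC 3954


def build_datagram(sequence, with_template):
    """Constructed v9 datagram: optional template 256 plus one data record."""
    sets = b""
    if with_template:
        tmpl = struct.pack("!HHHHHH", 256, 2, IPV4_SRC_ADDR, 4, IPV4_DST_ADDR, 4)
        sets += SET_HDR.pack(0, SET_HDR.size + len(tmpl)) + tmpl
    record = (ipaddress.IPv4Address("172.16.0.130").packed
              + ipaddress.IPv4Address("192.168.0.2").packed)
    sets += SET_HDR.pack(256, SET_HDR.size + len(record)) + record
    count = 2 if with_template else 1
    return HEADER.pack(9, count, 1000, 1353456000, sequence, 0) + sets


def parse_datagram(data, templates):
    """Decode one datagram; `templates` persists between calls, as in a collector."""
    if len(data) < HEADER.size:
        raise ValueError("short datagram")
    version, _, _, _, sequence, source_id = HEADER.unpack_from(data)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    out = {"sequence": sequence, "templates": [], "records": [], "undecodable_sets": 0}
    offset = HEADER.size
    while offset + SET_HDR.size <= len(data):
        set_id, length = SET_HDR.unpack_from(data, offset)
        if length < SET_HDR.size or offset + length > len(data):
            raise ValueError("corrupt flowset length")
        body = data[offset + SET_HDR.size:offset + length]
        if set_id == 0:        # template flowset
            _read_templates(body, source_id, templates, out)
        elif set_id >= 256:    # data flowset, keyed by template id
            _read_records(body, templates.get((source_id, set_id)), out)
        offset += length
    return out


def _read_templates(body, source_id, templates, out):
    pos = 0
    while pos + 4 <= len(body):
        template_id, nfields = struct.unpack_from("!HH", body, pos)
        end = pos + 4 + 4 * nfields
        if template_id < 256 or end > len(body):
            break  # padding or truncated record
        templates[(source_id, template_id)] = [
            struct.unpack_from("!HH", body, p) for p in range(pos + 4, end, 4)]
        out["templates"].append(template_id)
        pos = end


def _read_records(body, fields, out):
    size = sum(length for _, length in fields) if fields else 0
    if size == 0:
        out["undecodable_sets"] += 1  # template not seen yet
        return
    for start in range(0, len(body) - size + 1, size):
        record, pos = {}, start
        for ftype, flen in fields:
            record[ftype] = body[pos:pos + flen]
            pos += flen
        out["records"].append(record)
```

In a real collector the same `templates` dictionary is kept across every datagram read from the UDP socket on the export port.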


05 Nov 12 Configure Microsoft NPS 2008 for Cisco AnyConnect VPN

Microsoft NPS 2008 Server configuration for Cisco AnyConnect VPN Client

Previously I explained how I configured Cisco AnyConnect VPN on the Cisco ASA 5520. In that configuration instead of using the Local Authentication I utilized RADIUS Authentication. In this article I am going to talk about how I configured the RADIUS Server – Microsoft NPS 2008 to provide Authentication for Cisco AnyConnect clients.

Since Cisco ASA configuration has already been explained I’m only putting the Microsoft NPS 2008 Server steps here:

  • I started with creating a new profile. Under Overview I left the settings as shown in the picture below (Note: you can name the policy whatever you like).
  • Next, under Conditions, there are two things I had to add: 1) the Windows Group that I wanted to allow to use Cisco AnyConnect VPN, 2) NAS IPv4 Address = Cisco ASA’s inside interface IP.
  • Next, under Constraints, the only thing I changed was the Authentication Method; I set it up for MS-CHAP-v2. There are other methods available as well but for now I just picked this.
  • That is it. After all these steps and saving my settings, I added a test user into my AnyConnect group and was able to sign into the Cisco AnyConnect VPN. As soon as I took that user out of that group I was no longer able to sign in.

Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab and never do anything that you cannot undo :).


05 Nov 12 Configuring Cisco Any Connect on Cisco ASA 8.4

Cisco Any Connect configuration on Cisco ASA 5520 – 8.4 code

As most of us know by now, Cisco has announced End of Sale and End of Life for Cisco VPN Client, Details Here. Our migration option from Cisco VPN Client is Cisco AnyConnect. Cisco AnyConnect is supported by 32 as well as 64 bit versions of Windows. And yes, there is licensing involved too. Here is some information on the Cisco ASA and Cisco AnyConnect Licensing. So now my notes on configuring Cisco AnyConnect VPN on Cisco ASA 5520 Firewall running 8.4 Code.

There are different ways to accomplish this, i.e. Command Line or utilizing Cisco ASDM. I actually used a mixture of both. It is pretty easy and fast to configure the Cisco AnyConnect profile via the ASDM Wizard initially, so I used that procedure:

  • After opening up the ASA’s ASDM, from the top I picked the option Wizard –> VPN wizard –> AnyConnect VPN wizard. Here is what the first screen looks like:
  • Next you name the connection profile, now note here that multiple profiles can be created for different purposes such as a profile for the IT department, profile for the executives, profile for the regular users and give them access accordingly.
  • On the next screen under VPN Protocols – SSL/IPSec I picked out both protocols for now, however eventually I am going to change that as I will be getting the Essentials license which gives me Cisco AnyConnect IPSec license. But for now by default I have two SSL licenses so I wanted to use them at least for testing purposes. Also under Device Certificate I picked the self signed certificate for now however eventually I will be adding a valid third party SSL Certificate and will have a separate how to on that.
  • Next I had to specify the Cisco AnyConnect client image. I already had it loaded on the ASA 5520 Firewall, so I simply clicked on Browse Flash and added it from there, however you also have the option to upload it here if you do not have it already loaded on the Cisco ASA. I was using the latest version, file name: anyconnect-win-3.1.00495-k9.pkg.

  • Next screen asks for the Authentication Methods. Since I already have the Microsoft NPS 2008 server setup, I picked RADIUS. Note: I will have a separate how to on setting up the Microsoft NPS 2008 Server as RADIUS server for Cisco AnyConnect. You can also use other type of Authentication methods such as Kerberos, LDAP etc if you like.

  • Next screen asks for the DHCP Pool to be used for the Cisco AnyConnect VPN Clients. If there is one already defined, that can be used. I defined a new scope by clicking on the New button. This can also be created easily via command line in advance.

    ip local pool AnyConnect_DHCP 10.251.0.34-10.251.0.46 mask 255.255.255.240

  • In the next section I specified the DNS Servers that Cisco AnyConnect Clients will use after connecting
  • Next screen was for NAT Exempt, which means it was asking me if I want the Cisco AnyConnect VPN Clients network to be excluded from any kind of NAT. The first line at the top says: If network address translation is enabled on the ASA, the VPN traffic must be exempt from this translation. Well, NAT is enabled so I checked the box. If you forget to check it or leave it for now, it can easily be done via command line

    object-group network Inside_Net
     network-object 192.168.0.0 255.255.255.0
     network-object 192.168.1.0 255.255.255.0
     network-object 192.168.2.0 255.255.255.0
    !
    object network AnyConnect
     subnet 10.251.0.32 255.255.255.240
    !
    nat (inside,outside) source static Inside_Net Inside_Net destination static AnyConnect AnyConnect
    !
    object network VPN-Pool-internet
     subnet 10.251.0.32 255.255.255.240
     ! second-public-ip is the outgoing Public IP for the VPN
     nat (outside,outside) dynamic second-public-ip

  • Next screen I checked the option to Allow Web Launch
  • Next screen is the last screen and just shows the summary of everything. I simply clicked on “Finish” and that is it

Article Resources

Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab and never do anything that you cannot undo 🙂


02 Nov 12 Cisco ASA 8.4 on GNS 3

Configure Cisco ASA 8.4 on GNS3

As most readers know, GNS3 is a pretty cool open source tool for network engineers to be able to emulate Cisco and Juniper software. I have been trying to get it working for a while here and there but just never had the time and patience to go through the whole setup. Today finally, while I was watching a video on You Tube about one of my other projects, I came across a pretty cool video on how to get Cisco ASA 8.4 working with GNS3.

The two most important things were getting the right image and then getting the Qemu options configured properly.

Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

I was able to use the following site to get the right files for this setup, XeruNetworks. Once you install GNS3 successfully here are some of the first steps:

  • Go to “Edit and then Preferences”, then click on “Qemu” (Left)
  • Click on “Test Settings” button and make sure that it passes
  • Now click on “ASA” and start filling in the information, it will look like this
  • Once you are done, add the Cisco ASA icon to the GNS3 Lab and click Start, wait a few seconds and then start the Console
  • Something very important here: PATIENCE. It will take a few minutes to boot up all the way. It will pause at one point as if it is frozen, that is what I thought, but the boot process started after like 2 or 3 minutes
  • I would really like to give credit to the two web sites and a You Tube video below for the instructions. If you can’t get it working from reading my quick notes I highly suggest visit those sites and that video.
  • Article Resources:


30 Oct 12 AnyConnect Error – No Address Available for SVC Connection

Cisco AnyConnect Client error message – No address available for SVC Connection

Recently, working on a Cisco Any Connect project, I ran into this error message. I was able to see that it was connecting and was letting me type my password in, but it would then disconnect, giving me the error message “No Address Available for SVC Connection”. After looking around for a few minutes, it was actually a pretty easy fix. I had set up a Local DHCP Pool on the ASA for the Cisco Any Connect VPN, but under Assignment Policy I forgot to check a button to allow the locally created DHCP Pool. See screen shot below:

This was on Cisco ASA 5520 with 8.4 code


11 Oct 12 Cisco ASA – DMZ access via cut through Proxy Authentication

Allowing DMZ access based on user login in a corporate network

So I’m sure everyone knows that there is a way we can utilize Cisco ASA to limit the internet traffic using cut-through proxy authentication. I needed something similar, however I needed to limit the RDP access to a server in our DMZ based on a user profile. Now there are multiple ways to accomplish this. Previously I have accomplished this by using the networks or IP addresses, however in that case the whole network was set up with a strict tier level and a more strict IP addressing scheme to comply with the PCI requirements. In this case a certain group of users who needed access to that web server in the DMZ were getting their IPs from the DHCP server and there were no reservations. So I couldn’t allow the whole network access to the server in the DMZ. I decided to utilize the Cisco ASA’s cut-through proxy authentication. Note: Cisco ASA supports direct authentication for http (80), telnet (23), ftp (21), https (443). But it does not for other protocols such as RDP (in my case).

So in order to utilize this feature for unsupported protocols, first I had to get the users to authenticate using the virtual IP address on the Cisco ASA and then gain RDP access to the server in the DMZ.

I took the following steps to accomplish this:

  • Set up authentication prompts

    auth-prompt prompt Authentication for Access to Server
    auth-prompt accept Authentication successful, now you can RDP to 192.168.1.10
    auth-prompt reject Authentication Failed please try again

  • Set up a Virtual IP address on the Cisco ASA

    virtual http 10.1.1.10

  • Set up an access list on the Cisco ASA (192.168.1.10 is the server IP in the DMZ, 10.1.1.10 is the virtual IP for cut-through proxy authentication)

    access-list RDPAuth remark “This ACL is for RDP access to the servers in the DMZ”
    access-list RDPAuth extended permit tcp any eq 3389 host 192.168.1.10 gt 1023
    access-list RDPAuth extended permit tcp any gt 1023 host 192.168.1.10 eq 3389
    access-list RDPAuth extended permit tcp any host 10.1.1.10 eq www
    access-list RDPAuth extended permit tcp any host 10.1.1.10 eq https

  • Set up AAA Authentication statements (Note: RADIUS must be set up prior to this)

    aaa authentication match RDPAuth inside RADIUS
    aaa authentication secure-http-client

Now it is time to set up the Microsoft NPS Server:

  • From the examples before, simply clone one of the policies and name it something like RDPAuth
  • On the next tab, Conditions, add the groups from Active Directory that can access this resource
  • Under the Settings tab the first option will be “Standard”. Make sure “Service-Type = Login”
  • Now the last and important step: configuring Vendor Specific attributes. In this case it would be “Cisco-AV-Pair”. This is where I configured the access list, the same one that is defined on the firewall; every line needs to match.

    ip:inacl#2=permit tcp any eq 3389 host 192.168.1.10 gt 1023
    ip:inacl#3=permit tcp any gt 1023 host 192.168.1.10 eq 3389
    ip:inacl#4=permit tcp any host 10.1.1.10 eq www
    ip:inacl#5=permit tcp any host 10.1.1.10 eq https

  • Now if a user wants to RDP to the 192.168.1.10 DMZ Server they can gain that access by first going to https://10.1.1.10, authenticating on that page against Microsoft Active Directory using Cisco ASA Cut through Proxy and then running their RDP command
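Because every Cisco-AV-Pair line has to match the ACL on the firewall, a mismatch means the per-user ACL that gets enforced is not the one that was reviewed. The Python sketch below (an added example, not part of the original post) compares the two and flags malformed attribute values; the inputs are constructed from the steps above, with one deliberately malformed value and numeric port spellings to exercise the checks.

```python
import re

PORT_ALIASES = {"80": "www", "443": "https"}  # the ASA prints these ports by name
AV_PAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")

# Constructed inputs based on the configuration steps above.
ASA_ACL = """\
access-list RDPAuth remark RDP access to the servers in the DMZ
access-list RDPAuth extended permit tcp any eq 3389 host 192.168.1.10 gt 1023
access-list RDPAuth extended permit tcp any gt 1023 host 192.168.1.10 eq 3389
access-list RDPAuth extended permit tcp any host 10.1.1.10 eq www
access-list RDPAuth extended permit tcp any host 10.1.1.10 eq https
"""
NPS_AV_PAIRS = [
    "ip:inacl#2=permit tcp any eq 3389 host 192.168.1.10 gt 1023",
    "ip:inacl#3=permit tcp any gt 1023 host 192.168.1.10 eq 3389",
    "ip:inacl4=permit tcp any host 10.1.1.10 eq 80",    # malformed: no '#'
    "ip:inacl#5=permit tcp any host 10.1.1.10 eq 443",  # numeric port, same rule
]


def normalize(ace):
    """Lower-case, collapse whitespace and map numeric ports to ASA names."""
    return " ".join(PORT_ALIASES.get(tok, tok) for tok in ace.lower().split())


def acl_entries(config, name):
    """Return the entries of extended ACL `name`, in order, without remarks."""
    prefix = f"access-list {name} extended "
    return [normalize(line[len(prefix):]) for line in config.splitlines()
            if line.startswith(prefix)]


def parse_av_pairs(values):
    """Split AV-pair strings into entries (sorted by number) and malformed values."""
    good, malformed = [], []
    for value in values:
        m = AV_PAIR_RE.match(value.strip())
        if m:
            good.append((int(m.group(1)), normalize(m.group(2))))
        else:
            malformed.append(value)
    return [ace for _, ace in sorted(good)], malformed


def compare(config, name, av_pairs):
    """Report where the RADIUS-supplied ACL differs from the ACL on the firewall."""
    asa = acl_entries(config, name)
    nps, malformed = parse_av_pairs(av_pairs)
    return {
        "malformed": malformed,
        "only_on_asa": [a for a in asa if a not in nps],
        "only_on_nps": [a for a in nps if a not in asa],
        "same_order": asa == nps,
    }


if __name__ == "__main__":
    for key, value in compare(ASA_ACL, "RDPAuth", NPS_AV_PAIRS).items():
        print(f"{key}: {value}")
```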

Resources:

  1. Limiting Internet Access Based on User Profile Using ASA and RADIUS
  2. I also recommend reading and understanding cut through proxy authentication vulnerability – CSCtx42746

Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab and never do anything that you cannot undo 🙂


24 Aug 12 Cisco ASA Management Authentication via Microsoft RADIUS Server

Cisco ASA Management Authentication using Microsoft RADIUS (NPS – Network Policy Server 2008) Server

Previously I talked about how to setup Microsoft Network Policy Server 2008 so that you can use that to log into Cisco Switches and Routers. This post I am going to go over the steps I used to setup Cisco ASA 5520 with 8.4.3 code to authenticate against Microsoft Active Directory using Microsoft RADIUS Server (NPS – Network Policy Server 2008). There are slightly different steps.

  • From the Network Policy Server expand Policies and right click on Network Policies
  • You can choose and start creating a whole new policy and go through all the steps, but I chose to just clone the one I made for Cisco Switches and Routers
  • So if you want to clone it simply right click on the existing policy and choose Duplicate Policy
  • Once the policy is duplicated it will show up as disabled. Before you enable it you need to configure it. So here is how I updated it so that it can work with Cisco ASA 5520
  • Go to the Settings and change the Service-Type to Administrative from Login
  • Under Settings click on Vendor Specific and I removed what was in there as with Cisco ASA you can’t automatically get to the Exec Priv level
  • That was it. I just moved the Cisco ASA policy above the one for the Cisco Switches and Routers, and added the firewall under RADIUS Clients
  • Now here are the configuration lines I used on the Cisco ASA itself so that it can go talk to the RADIUS Server:

    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host X.X.X.X
     timeout 25
     key XXXXXXXXXXXXXXXX
    !
    aaa authentication http console RADIUS LOCAL
    aaa authentication ssh console RADIUS LOCAL
    aaa authentication enable console RADIUS LOCAL
    aaa authentication serial console RADIUS LOCAL
    aaa-server RADIUS max-failed-attempts 1
    aaa-server RADIUS deadtime 1
    aaa-server RADIUS host X.X.X.X timeout 1

Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab and never do anything that you cannot undo 🙂


16 Jul 12 Cisco ASA Policy Based Static Source NAT

How to perform Policy Based Static Source NAT for an IPSec VPN between Cisco ASA and IOS Router

Setting up VPN connectivity between multiple locations is a pretty common task these days. It is a very simple and straightforward setup unless NAT comes into play, for example when there are multiple offices with overlapping subnets. Usually in that scenario the solution is simple: both sides will perform NAT and present their internal network as something else to the other location in the VPN Tunnel.

Recently I had a unique situation. I was working on a firewall with multiple VPNs and they pretty much all had a standard setup. There were a couple of VPNs that needed to be set up with a non-standard setup because of the overlap in their network. This was the scenario:

  • Subnets on both sites were the same, i.e. 192.168.1.0/24
  • Site A had Cisco ASA and Site B had Cisco IOS Router
  • Site B was performing a NAT overload and presenting their internal subnet as another IP via the IPSec Tunnel
  • Site B needed to communicate with a couple of hosts located at Site A (192.168.1.10 and 192.168.1.11)
  • Since the 192.168.1.0/24 network was also being utilized at Site B, hosts at Site B couldn’t see those two hosts at Site A
  • What we needed was to perform a static policy based source NAT on Cisco ASA so that hosts from Site B, instead of sending traffic to 192.168.1.10 and 192.168.1.11, send traffic to other IPs such as 1.1.1.1 and 2.2.2.2
  • The next issue was that since there were multiple VPNs on Cisco ASA and other remote sites were accessing those 192.168.1.11 and 192.168.1.10 hosts, I needed to set up NAT on my end in a way that it will only apply to this one site and not affect other VPNs
  • Take a look at the picture below to get an idea and after that I will elaborate a bit more how I accomplished it

I’m not going to go deep into setting up the whole VPN on both ends because that is not the topic here. Basically on the Cisco Router at Site B, NAT Overload was utilized for the IPSec VPN and the whole internal network 192.168.1.0/24 was being NATed as 172.16.1.1 to the Cisco ASA at Site A. Now for the interesting traffic on both ends, 1.1.1.1 and 2.2.2.2 were used instead of 192.168.1.10 and 192.168.1.11.

Here are the Cisco ASA steps that I used to perform Policy Based Static Source NAT:

    access-list POLICYNAT1 extended permit ip host 192.168.1.10 host 172.16.1.1
    access-list POLICYNAT2 extended permit ip host 192.168.1.11 host 172.16.1.1
    !
    static (inside,outside) 1.1.1.1 access-list POLICYNAT1
    static (inside,outside) 2.2.2.2 access-list POLICYNAT2

Don’t forget the crypto map on the Cisco ASA used the reverse of what was set up on the Cisco IOS Router at Site B, i.e. 1.1.1.1 to 172.16.1.1 and 2.2.2.2 to 172.16.1.1. So this basically allowed 192.168.1.10 and 192.168.1.11 to be translated into 1.1.1.1 and 2.2.2.2 every time the source was 192.168.1.10 or 192.168.1.11 and the destination was 172.16.1.1 (ONLY). Similarly, when the hosts from Site B communicated with 1.1.1.1 or 2.2.2.2, Cisco ASA translated those IPs to 192.168.1.10 and 192.168.1.11 and then back to 1.1.1.1 and 2.2.2.2. Hope this will help out someone else out there 🙂

Note: This example is for pre 8.3 code. Please keep in mind that this is a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab and never do anything that you cannot undo 🙂


13 Apr 12 Clearing, resetting or erasing configuration on Cisco ASA

How to clear, reset or erase the configuration on Cisco ASA Firewalls

There are multiple different ways and options associated with them. I’m just going to mention a few that I generally use and am interested in when I want to clear, reset or erase the configuration on a Cisco ASA Firewall or set it to Factory Defaults.

  • configure factory-default or configure factory-default “ip-address mask”
  • Next you will do copy running-config to startup-config
  • Note that this applies to ASA code 7.0 and later

Note: This will also clear the boot system command. So after restoring the Cisco ASA Firewall to factory defaults, when it reboots it will boot from the very first image that is in the flash; if there is no image then the security appliance will not boot.

A couple of other options are:

  • write erase (This will erase the startup-configuration on the Cisco ASA Firewall)
  • clear configure all (This will erase the running-configuration on the Cisco ASA Firewall)

NOTE: Always back up your configurations and your IOS images, never do anything that you can’t undo. And check out Cisco Command Lookup for more details on the commands for your specific needs 🙂
