
11 Oct 12 Cisco ASA – DMZ access via cut through Proxy Authentication

Allowing DMZ access based on user login in a corporate network

So I’m sure everyone knows that there is a way to use the Cisco ASA to limit internet traffic using cut-through proxy authentication. I needed something similar; however, I needed to limit RDP access to a server in our DMZ based on a user profile. Now there are multiple ways to accomplish this. Previously I accomplished this using networks or IP addresses, but in that case the whole network was set up with strict tier levels and a stricter IP addressing scheme to comply with the PCI requirements. In this case a certain group of users who needed access to that web server in the DMZ were getting their IPs from the DHCP server and there were no reservations, so I couldn’t simply allow the whole network access to the server in the DMZ. I decided to utilize the Cisco ASA’s cut-through proxy authentication. Note: Cisco ASA supports direct authentication for HTTP (80), Telnet (23), FTP (21) and HTTPS (443), but it does not for other protocols such as RDP (in my case).

So in order to utilize this feature for unsupported protocols, first I had to get the users to authenticate using the virtual IP address on the Cisco ASA, and only then could they gain RDP access to the server in the DMZ.

I took the following steps to accomplish this:

  • Set up the authentication prompts:
    auth-prompt prompt Authentication for Access to Server
    auth-prompt accept Authentication successful, now you can RDP to 192.168.1.10
    auth-prompt reject Authentication Failed please try again

  • Set up a virtual IP address on the Cisco ASA:
    virtual http 10.1.1.10

  • Set up an access list on the Cisco ASA:
    access-list RDPAuth remark This ACL is for RDP access to the servers in the DMZ
    access-list RDPAuth extended permit tcp any eq 3389 host 192.168.1.10 gt 1023 (Server IP in DMZ)
    access-list RDPAuth extended permit tcp any gt 1023 host 192.168.1.10 eq 3389 (Server IP in DMZ)
    access-list RDPAuth extended permit tcp any host 10.1.1.10 eq www (Virtual IP for cut-through proxy authentication)
    access-list RDPAuth extended permit tcp any host 10.1.1.10 eq https (Virtual IP for cut-through proxy authentication)

  • Set up the AAA authentication statements:
    aaa authentication match RDPAuth inside RADIUS (Note: RADIUS must be set up prior to this, see )
    aaa authentication secure-http-client

Now it is time to set up the Microsoft NPS server:

  • From the examples before, simply clone one of the policies and name it something like RDPAuth
  • On the next tab, Conditions, add the Active Directory groups that can access this resource
  • Under the Settings tab the first option will be “Standard”. Make sure “Service-Type = Login”
  • Now the last and most important step is configuring the vendor-specific attributes. In this case it is “Cisco-AV-Pair”. This is where I configured the access list, the same one that is defined on the firewall; every line needs to match:
    ip:inacl#2=permit tcp any eq 3389 host 192.168.1.10 gt 1023
    ip:inacl#3=permit tcp any gt 1023 host 192.168.1.10 eq 3389
    ip:inacl#4=permit tcp any host 10.1.1.10 eq www
    ip:inacl#5=permit tcp any host 10.1.1.10 eq https

  • Now if a user wants to RDP to the 192.168.1.10 DMZ server, they can gain that access by first going to https://10.1.1.10, authenticating on that page against Microsoft Active Directory via the Cisco ASA cut-through proxy, and then running their RDP command
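The post stresses that every Cisco-AV-Pair line on the NPS side must match the ACL on the firewall. As an added example (not code from the original post), here is a small Python checker that normalizes both forms and reports what RADIUS is missing (the user gets denied), what it adds beyond the firewall ACL (over-broad access), and malformed lines; the sample ACL and AV-pair text is constructed from the values above, with one line deliberately written without the `#` to show that it is caught.

```python
import re

# Constructed sample input mirroring the post (one AV-pair line deliberately lacks '#').
ASA_ACL = """
access-list RDPAuth remark This ACL is for RDP access to the servers in the DMZ
access-list RDPAuth extended permit tcp any eq 3389 host 192.168.1.10 gt 1023
access-list RDPAuth extended permit tcp any gt 1023 host 192.168.1.10 eq 3389
access-list RDPAuth extended permit tcp any host 10.1.1.10 eq www
access-list RDPAuth extended permit tcp any host 10.1.1.10 eq https
"""
NPS_AV_PAIRS = """
ip:inacl#2=permit tcp any eq 3389 host 192.168.1.10 gt 1023
ip:inacl#3=permit tcp any gt 1023 host 192.168.1.10 eq 3389
ip:inacl4=permit tcp any host 10.1.1.10 eq www
ip:inacl#5=permit tcp any host 10.1.1.10 eq https
"""
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(.+)$")
AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")
PORT_NAMES = {"www": "80", "https": "443", "ftp": "21", "telnet": "23"}

def normalize(ace):
    """Canonical form of an ACE: lower-case, single spaces, named ports -> numbers."""
    return " ".join(PORT_NAMES.get(t, t) for t in ace.lower().split())

def parse_asa_acl(text, name):
    """Normalized ACEs of the named ASA ACL; remark lines are skipped."""
    matches = (ACL_RE.match(ln.strip()) for ln in text.splitlines())
    return [normalize(m.group(2)) for m in matches if m and m.group(1) == name]

def parse_av_pairs(text):
    """Return (normalized ACEs, malformed lines). A line without the '#'
    (e.g. ip:inacl4=) is not a valid per-user ACL entry, so it is reported."""
    aces, bad = [], []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = AVPAIR_RE.match(line)
        if m:
            aces.append(normalize(m.group(2)))
        else:
            bad.append(line)
    return aces, bad

def compare(asa_text, acl_name, av_text):
    """ACEs the RADIUS side lacks (user gets denied), ACEs it adds beyond the
    firewall ACL (over-broad access), and malformed AV-pair lines."""
    fw = set(parse_asa_acl(asa_text, acl_name))
    radius, bad = parse_av_pairs(av_text)
    return {"missing_on_radius": sorted(fw - set(radius)),
            "extra_on_radius": sorted(set(radius) - fw),
            "malformed": bad}
```

Running `compare(ASA_ACL, "RDPAuth", NPS_AV_PAIRS)` on the constructed sample flags the `ip:inacl4=` line as malformed and reports the `eq 80` entry as missing on the RADIUS side.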

Resources:

  1. Limiting Internet Access Based on User Profile Using ASA and RADIUS
  2. I also recommend reading and understanding the cut-through proxy authentication vulnerability – CSCtx42746

Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab, and never do anything that you cannot undo 🙂


29 Aug 12 Fortinet SSL VPN issues after Microsoft Update

Fortinet SSL VPN issues after Microsoft Update

Recently I encountered an issue with some of our users not being able to access Fortinet’s SSL VPN through their browsers. After some research I found out that the issue is related to Microsoft Security Update KB2585542 – Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584). This vulnerability affects the protocol itself, so technically it is not a Windows operating system issue per Microsoft.

In order to resolve the issue there are multiple methods:

14 Sep 11 Utilizing Management Interface Cisco ASA

Recently I had to work with ASA 5520s with the IPS module. Now if you have the IPS module in a Cisco ASA 5520 you can’t add any more ports to it. It comes with four 10/100/1000 ports and one 10/100. Now the one 10/100 port is used for the ASA’s management only. However, I wanted to use all four gigabit ports on the ASA 5520 and not use one of them for the failover. The solution was actually pretty easy: use the management port. Now remember this requires a small configuration change on the ASA, as the management port won’t pass regular traffic. Simply use the following commands to make the management port on the Cisco ASA a regular port:

conf t
interface management 0/0
no management-only

Make sure you do a write memory to save your configuration. Now that port is a regular port, and in my case, since it is only 10/100, I used it for the failover configuration :).


14 Sep 11 Adding/Configuring a Failover Cisco ASA

How to add/configure a Failover/Standby Cisco ASA Firewall

These are a few notes basically outlining the procedure for adding/configuring Cisco ASA firewall failover. There are multiple ways to accomplish this, and if you want to read more about it, you can read the full article on Cisco’s website. What I am writing here relates to a Cisco ASA 5520 being used for WebVPN, running 8.2(4).

  • Let’s say you have two interfaces configured on your Cisco ASA 5520:
  • IP of gi0/0 = 192.168.1.1/24
  • IP of gi0/1 = 192.168.2.1/24
  • So on the main Cisco ASA 5520 firewall just enter the following commands:
    interface gi0/0
    ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
    (Where 192.168.1.2 will be the IP of the secondary ASA)
    interface gi0/1
    ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
    (Where 192.168.2.2 will be the IP of the secondary ASA)

  • Now the next step is to actually set up the primary ASA 5520 firewall to fail over if there is an issue with it. Use the following commands:

    failover
    failover lan unit primary (Telling the firewall that this is the primary unit)
    failover lan interface failover interface-name
    failover link failover interface-name (This is for stateful failover)
    failover interface ip failover ip-address subnet-mask standby standby-ip
    example:
    failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2

  • In the example commands above, “failover” is just the name I assigned to the dedicated interface for the Cisco ASA’s failover link
  • I highly recommend using a dedicated interface for the failover instead of using one of the data interfaces
  • Make sure you do a write memory after you are done configuring it. Now it is time to configure the Cisco ASA 5520 that is going to be the standby or secondary unit
  • The only thing I do on the secondary unit is the following:

    failover
    failover lan unit secondary (Telling the firewall that this is the secondary unit)
    failover lan interface failover interface-name
    failover link failover interface-name (This is for stateful failover)
    failover interface ip failover ip-address subnet-mask standby standby-ip
    example:
    failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
    write standby (This will start copying the configuration as well as all the certificates to the standby unit)

  • Now once that is done, the secondary Cisco ASA unit will show you, if you are consoled into it, that it has detected the primary unit, and it will start to replicate the configuration
  • Once this was done, what I had was an Active/Standby stateful failover pair on the two Cisco ASA 5520 firewalls

IMPORTANT: Please use these notes as a reference point; always test everything in the lab before you put it in production, never do anything that you cannot undo, and always have a backup/back-out plan


29 Jun 11 Changing default SSH port on a Cisco Router

How to change the default SSH Port on a Cisco router?

Recently I ran into a scenario where a Cisco router was sitting behind another firewall and I needed access to that Cisco router via SSH (port 22). I asked the customer to forward SSH port 22 to the internal IP address of the Cisco router. However, because they were using a Juniper firewall they were unable to do that: Juniper firewalls use that port for management, hence they don’t allow you to forward it; instead you get an error, “Port 22 is used for the management of this device”.

Now you have two options: 1) change the default SSH port on the Juniper firewall to something other than port 22, or 2) do it on the Cisco router. It was just easier for me to do it on the Cisco router, so I used the following commands to accomplish this:

conf t
ip ssh port port-number rotary 1 (port number 2000 to 10000; the command takes a rotary group, so the vty lines must be placed in that group)
line vty 0 4
rotary 1

Now, say you specified port number 2222: you will now be able to SSH to your router using that port, over the WAN link as well as locally.


13 May 11 OpenSSL on Windows 7

Windows 7 Open SSL

Update: So I got some questions from people about the files to download and use in order to install OpenSSL on Windows 7. There are three sources I found when I was looking for it:

How do you get OpenSSL to work on Windows 7 64-bit? Recently, working on my wireless project, I had to load a valid third-party SSL certificate for the guest web authentication to work. Now in order to do that the first step is to generate a CSR (Certificate Signing Request). The Cisco WLC does not generate it, so you have to do it yourself and then submit it to a third party such as Verisign or Entrust. I downloaded OpenSSL for Windows 7 from the source I mentioned above. It is available for Windows as well as Linux; you can use whichever source you prefer. Since I am running Windows 7 64-bit on my laptop I downloaded the appropriate version (make sure you download the zip file for Windows 7 64-bit). Once you unzip it there is nothing to install; simply move the “OpenSSL” folder to your C: drive.

Next open up your command prompt and follow these steps:

  • Change directory to the OpenSSL folder and then switch to the bin folder
  • Now type openssl.exe and it will put you at the openssl prompt
  • Next you will use the following command to start the process: req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem
  • Now if you get the following error message, which I got, “can’t find openssl.cnf file”, that means you just need to specify the path to the openssl.cnf file.
  • So here is what you will type with the path to openssl.cnf: req -new -newkey rsa:1024 -nodes -config c:\openssl\openssl.cnf -keyout mykey.pem -out myreq.pem
  • Now just follow the prompts to finish generating your CSR (Certificate Signing Request)
