Setting up a Cisco Switch from Scratch

This blog is probably going to be really “no-duh” for most people. But I’ve had questions over the years on how to set up a switch from scratch and how to enable remote management on it. So, I wiped my switch config and started over. After reloading the switch I was brought to the “Initial Configuration Dialog”. You can either choose to go through that or not. The initial config is basically just getting an IP address set up for management, setting up a username, and setting up the “enable” password. You can see below what the init dialog looks like.

[Image: the switch’s initial configuration dialog]

From there, you’ll have just a few more things to do in order to have a base config up and running and enable remote access. We need to specify the domain name, generate an RSA key pair for SSH, force SSH version 2, and then set up the VTY lines so they accept SSH only and authenticate against the local user database. Let’s get that done here:

Erdmanor3750G#  conf t
Erdmanor3750G(config)#  
Erdmanor3750G(config)#  ip domain-name erdmanor.com
Erdmanor3750G(config)#  
Erdmanor3750G(config)#  crypto key generate rsa general-keys modulus 2048
The name for the keys will be: Erdmanor3750G.erdmanor.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys... [OK]
00:15:32 %SSH-5-ENABLED: SSH 1.99 has been enabled

Erdmanor3750G(config)#  
Erdmanor3750G(config)#  ip ssh version 2
Erdmanor3750G(config)#  
Erdmanor3750G(config)#  line vty 0 15
Erdmanor3750G(config-line)#  
Erdmanor3750G(config-line)#  transport input ssh
Erdmanor3750G(config-line)#  login local
Erdmanor3750G(config-line)#  exit
Erdmanor3750G(config)#  
Erdmanor3750G(config)#  username steve privilege 15 password MyP@ssW0rd
Erdmanor3750G(config)#  
Erdmanor3750G(config)#  service password-encryption
Erdmanor3750G(config)#
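Once the lines above are in the running-config, it is worth checking a saved copy of that config for the same remote-management settings before the switch goes into service. The following is an added example (not from the original post and not Cisco code): a small Python audit that reads an IOS-style config text and reports anything that undermines SSH-only management. The sample config embedded in it is constructed to mirror the transcript above, with a second VTY range that still allows telnet so the check has something to flag.

```python
import re

# Constructed sample running-config excerpt mirroring the switch transcript above
# (not captured from a real device). The "line vty 16 31" block is deliberately weak.
SAMPLE_CONFIG = """\
hostname Erdmanor3750G
ip domain-name erdmanor.com
username steve privilege 15 password 7 0822455D0A16
service password-encryption
ip ssh version 2
line vty 0 15
 transport input ssh
 login local
line vty 16 31
 transport input telnet ssh
 login local
"""

def parse_vty_lines(config):
    """Return {"line vty 0 15": [indented child lines], ...} for each VTY block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None          # any other top-level command ends the block
    return blocks

def audit_remote_management(config):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("no ip domain-name (RSA keys cannot be generated without one)")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not set (SSHv1 negotiation still allowed)")
    for name, children in parse_vty_lines(config).items():
        transport = [c for c in children if c.startswith("transport input")]
        # No transport line means the IOS default, which is not ssh-only.
        if not transport or any("telnet" in t or t.endswith("all") for t in transport):
            findings.append(f"{name}: transport input is not ssh-only")
        if "login local" not in children and not any(
                c.startswith("login authentication") for c in children):
            findings.append(f"{name}: no login local / aaa login method")
    weak_users = []
    for m in re.finditer(r"^username (\S+) .*?\b(password|secret)\b", config, re.M):
        if m.group(2) == "password":
            weak_users.append(m.group(1))
            findings.append(f"username {m.group(1)}: uses 'password' (type 7, reversible); prefer 'secret'")
    if weak_users and not re.search(r"^service password-encryption$", config, re.M):
        findings.append("service password-encryption missing: 'password' users stored in clear text")
    return findings

if __name__ == "__main__":
    for finding in audit_remote_management(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of `show running-config` saved to a file; the checks are deliberately strict about `transport input`, since a VTY block without that line falls back to the IOS default rather than to SSH only.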


Now we can go back to our Linux box and log in from the command line.

steve @ debianvm ~ :) ##   ssh 3
The authenticity of host '192.168.86.3 (192.168.86.3)' can't be established.
RSA key fingerprint is 11:4e:b6:34:72:23:9a:0f:03:28:f0:e2:c9:b7:cc:20.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.86.3' (RSA) to the list of known hosts.
steve@192.168.86.3's password:
Erdmanor3750G#
Erdmanor3750G#exit
Connection to 192.168.86.3 closed.
steve @ debianvm ~ :) ##


Hope this was helpful!



http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swauthen.html


Cisco AnyConnect on Cisco ASA 5500 running IOS 9.1.5

Cisco AnyConnect is a great VPN client because it runs over SSL/TLS and is very mature at this point in time. Because of this, and the fact that I had a lot of questions come up about it in the past month (from one of my clients), I decided to write a blog on how to implement Cisco AnyConnect on a Cisco ASA 5515 running IOS 9.1.5. While I’m using an ASA-5515, I have also tested this to work on my 5505 and my 5510 test machines. So let’s get configuring!

We’ll start by downloading all the software from Cisco. For this you’ll need Cisco IOS version 9.1.5, ASDM version 7.x, and AnyConnect Version 2.5 or higher. To get this software legally, you’ll need to have a valid CCO ID (Cisco account), and you’ll need a valid SmartNet or SmartCare contract on your ASA.

Once you’ve obtained your software, you’ll need to upload it to your ASA, so let’s do that right now. If you don’t have a TFTP server, you’ll need one. If you need one that is simple to set up and use, check out my blog on setting up a Linux TFTP server.


Below, I am uploading the new IOS 9.1.5.

erdmanor-5510# copy tftp flash

Address or name of remote host []? 192.168.1.10

Source filename []? asa915-k8.bin

Destination filename [asa915-k8.bin]?

Accessing tftp://192.168.1.10/asa915-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa915-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27113472 bytes copied in 39.670 secs (695217 bytes/sec)
erdmanor-5510#
erdmanor-5510# conf t
erdmanor-5510(config)# boot system disk0:/asa915-k8.bin
erdmanor-5510(config)# sh run boot
boot system disk0:/asa915-k8.bin
erdmanor-5510(config)#
erdmanor-5510(config)# wr
Building configuration...
Cryptochecksum: fdee857f 734e0f13 a5fda71e e6bc2320
9154 bytes copied in 3.250 secs (3051 bytes/sec)
[OK]
erdmanor-5510(config)#
erdmanor-5510(config)# exit
erdmanor-5510# reload
Proceed with reload? [confirm]
erdmanor-5510#

***
*** --- START GRACEFUL SHUTDOWN ---


Now let’s get the new ASDM uploaded along with our SSL VPN client.

erdmanor-5510# copy tftp flash

Address or name of remote host []? 192.168.1.10

Source filename []? asdm-743.bin

Destination filename [asdm-743.bin]?

Accessing tftp://192.168.1.10/asdm-743.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing current ASDM file disk0:/asdm-743.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
24810876 bytes copied in 34.30 secs (729731 bytes/sec)
erdmanor-5510# copy tftp flash

Address or name of remote host [192.168.1.10]?

Source filename [asdm-743.bin]? anyconnect-win-2.5.2014-k9.pkg

Destination filename [anyconnect-win-2.5.2014-k9.pkg]?

Accessing tftp://192.168.1.10/anyconnect-win-2.5.2014-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-2.5.2014-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
4678691 bytes copied in 6.460 secs (779781 bytes/sec)

erdmanor-5510# dir

Directory of disk0:/

107    -rwx  27113472     13:27:06 Nov 03 2015  asa915-k8.bin
113    -rwx  24810876     13:40:12 Nov 03 2015  asdm-743.bin
115    -rwx  4678691      13:41:07 Nov 03 2015  anyconnect-win-2.5.2014-k9.pkg

62904320 bytes total (5550080 bytes free)
erdmanor-5510#


Great. Now that we have our software, let’s start setting up our environment.

When dealing with SSL/TLS, you need a certificate installed on the server in order to create a secure connection. If this is for a company, you should set up a real certificate from a real vendor like Verisign/Symantec, but for this instance I’m just going to set up a self-signed certificate. Keep in mind that self-signed certs are less secure and that they will prompt your end users with security warnings whenever they connect.

So let’s get a certificate set up for our ASA’s Outside interface, since that’s where our outside users will be connecting to.

erdmanor-5510(config)#
erdmanor-5510(config)# crypto key generate rsa label ErdmanorSSLCert modulus 2048

Keypair generation process begin. Please wait...
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# crypto ca trustpoint ErdmanorSSLTrustpoint
erdmanor-5510(config-ca-trustpoint)# enrollment self
erdmanor-5510(config-ca-trustpoint)# fqdn sslvpn.erdmanor.com
erdmanor-5510(config-ca-trustpoint)# subject-name CN=sslvpn.erdmanor.com
erdmanor-5510(config-ca-trustpoint)# keypair ErdmanorSSLCert
erdmanor-5510(config-ca-trustpoint)# crypto ca enroll ErdmanorSSLTrustpoint
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: yes

% The fully-qualified domain name in the certificate will be: sslvpn.erdmanor.com

% Include the device serial number in the subject name? [yes/no]: no

Generate Self-Signed Certificate? [yes/no]: yes
erdmanor-5510(config)#
erdmanor-5510(config)# ssl trust-point ErdmanorSSLTrustpoint Outside
erdmanor-5510(config)#
erdmanor-5510(config)# wr
Building configuration...
Cryptochecksum: 9be339e8 0522dd14 a192370f 5e9c6bf4

7969 bytes copied in 3.240 secs (2656 bytes/sec)
[OK]
erdmanor-5510(config)#


Now we need to configure WebVPN to work on our ASA, and allow it to present the AnyConnect VPN client to our connecting users.

erdmanor-5510(config)# webvpn
erdmanor-5510(config-webvpn)# enable Outside
INFO: WebVPN and DTLS are enabled on 'Outside'.
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)# anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg
erdmanor-5510(config-webvpn)# anyconnect enable
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)# exit
erdmanor-5510(config)# wr
Building configuration...
Cryptochecksum: aa7a52ab 38eb7e98 3e15d522 856eae67

8069 bytes copied in 3.250 secs (2689 bytes/sec)
[OK]
erdmanor-5510(config)#


Before we go any further, you have to make a determination here on how you’re going to perform DHCP addressing for your VPN users. There are two primary options:
1. Host the DHCP pool on the ASA
2. Forward DHCP requests to a DHCP server (like a Windows Domain Controller)

For this case, I’ve opted to host the DHCP pool locally on the ASA. But for a business environment, I would suggest that you forward these requests to your domain controller. Especially if you’re running other Microsoft services such as Exchange, SCCM, SCOM and others. I’ll go over both methods, but I’m going to be using the local DHCP server.

erdmanor-5510(config)#
erdmanor-5510(config)# ip local pool AnyConnectIPPool 192.168.2.1-192.168.2.200 mask 255.255.255.0
erdmanor-5510(config)#


I will update this section of the DHCP forwarding at a later time. Please check back!
For now, here is what Cisco has on this: http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/vpnadd.html#wp999516



In the Microsoft world, Group Policies are a group of settings that are applied to a Windows operating system in a domain. For instance, if you wanted all the desktop backgrounds to be a picture of your company logo, you could roll that out via MS Group Policy.

In the same fashion, Cisco has begun using Group Policies in order to set certain parameters and settings to their clients that connect. Group Policies are actually a pretty good idea in order to group a list of settings together that would apply to one connection type. In this case, that connection type is Cisco’s AnyConnect users.

So, let’s get our Group Policy set up for our users. This policy will be extremely basic, but please understand that Cisco’s Group Policies can get very in-depth.

erdmanor-5510(config)#
erdmanor-5510(config)# group-policy AnyConnectPolicy Internal
erdmanor-5510(config)# group-policy AnyConnectPolicy attributes
erdmanor-5510(config-group-policy)#
erdmanor-5510(config-group-policy)# dns-server value 192.168.1.5 192.168.1.6
erdmanor-5510(config-group-policy)#
erdmanor-5510(config-group-policy)# vpn-tunnel-protocol ssl-client
erdmanor-5510(config-group-policy)# default-domain value erdmanor.com
erdmanor-5510(config-group-policy)#
erdmanor-5510(config-group-policy)# address-pools value AnyConnectIPPool
erdmanor-5510(config-group-policy)#


The next thing we need to do is allow our SSL VPN users to bypass outside access lists so they can get to the Internal network. If this isn’t put in there, then you’ll have to write up ACLs on your Outside access list that specifically allow your VPN users to access certain network locations. This can turn into an administration overhead nightmare. The easiest thing to do is allow your users to bypass the Outside ACL, and then manage the ACL from the inside. It’s cleaner, and causes less headaches.

erdmanor-5510(config)# sysopt connection permit-vpn


Now we need to create our AnyConnect connection profile. This profile is what users will see when they connect to the Outside interface of our ASA. To do this we need to create what is called a “tunnel-group” in Cisco terminology. This tunnel-group will contain all of the connection profile settings that will be applied to any user successfully connecting with the AnyConnect client. When you’re going through this configuration, please pay attention to which config mode you’re in. You’ll start in normal config and progress through “config-tunnel-general“, “config-tunnel-webvpn“, and “config-webvpn“. Make sure to type ? in each of those modes and check out the other commands available there.

erdmanor-5510(config)#
erdmanor-5510(config)# tunnel-group AnyConnectPolicy type remote-access
erdmanor-5510(config)# tunnel-group AnyConnectPolicy general-attributes
erdmanor-5510(config-tunnel-general)#
erdmanor-5510(config-tunnel-general)# default-group-policy AnyConnectPolicy
erdmanor-5510(config-tunnel-general)# tunnel-group AnyConnectPolicy webvpn-attributes
erdmanor-5510(config-tunnel-webvpn)#
erdmanor-5510(config-tunnel-webvpn)# group-alias Erdmanor-VPN enable
erdmanor-5510(config-tunnel-webvpn)#
erdmanor-5510(config-tunnel-webvpn)# webvpn
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)# tunnel-group-list enable
erdmanor-5510(config-webvpn)# exit
erdmanor-5510(config)# exit
erdmanor-5510# wr
Building configuration...
Cryptochecksum: 52d129a7 a5d58820 28b2f420 29226a32

8622 bytes copied in 3.240 secs (2874 bytes/sec)
[OK]
erdmanor-5510#


Since we’re going to be using Split Tunneling for our VPN connection, we need to ensure that our VPN users get the proper routing updates they need so that when they try to access a resource on our corporate network, their computers will send that traffic down the SSL VPN tunnel to our office or Data Center. We should discuss what we mean by Split tunneling as well. There are three options here, as you can see below, and here is more information from Cisco on Split-Tunneling.

erdmanor-5510(config-group-policy)# split-tunnel-policy ?              

group-policy mode commands/options:
  excludespecified  Exclude only networks specified by split-tunnel-network-list
  tunnelall         Tunnel everything
  tunnelspecified   Tunnel only networks specified by split-tunnel-network-list


To configure the network routes that our end user will see, we’ll create an access list and then specify that ACL in the group-policy configuration. We’ll also specify that our tunnel is a Split-Tunnel, and we’ll provide our internal domain name so any DNS resolution works as well.

erdmanor-5510(config)#
erdmanor-5510(config)# access-list split-tunnel-network-acl standard permit 192.168.1.0 255.255.255.0
erdmanor-5510(config)# access-list split-tunnel-network-acl standard permit 10.10.10.0 255.255.255.0
erdmanor-5510(config)#                                                                                
erdmanor-5510(config)# group-policy AnyConnectPolicy attributes    
erdmanor-5510(config-group-policy)# split-tunnel-policy tunnelspecified
erdmanor-5510(config-group-policy)# split-tunnel-network-list value split-tunnel-network-acl
erdmanor-5510(config-group-policy)# split-dns value erdmanor.com
erdmanor-5510(config-group-policy)# exit
erdmanor-5510(config)#
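The address pool defined earlier (`ip local pool AnyConnectIPPool`), the three `split-tunnel-policy` keywords, the `split-tunnel-network-list` ACL and the `split-dns` domain decide together what a client sends through the tunnel. The following is an added example, not from the original post and not the ASA’s own code: a Python model of those decisions, with constructed inputs copied from the configuration above, so you can sanity-check an ACL or a pool before pushing it. It also covers the pool-overlap mistake the text warns against (putting VPN users on 192.168.2.0/24 precisely because the inside network is 192.168.1.0/24).

```python
import ipaddress

# Constructed inputs that mirror the ASA configuration above; this is an
# illustration of the policy semantics, not the ASA's own implementation.
SPLIT_TUNNEL_ACL = ["192.168.1.0/24", "10.10.10.0/24"]        # split-tunnel-network-acl
VPN_POOL = ("192.168.2.1", "192.168.2.200", "255.255.255.0")  # ip local pool AnyConnectIPPool
SPLIT_DNS = ["erdmanor.com"]                                  # split-dns value erdmanor.com

def pool_overlap(pool, networks):
    """Return the first network that overlaps the subnet the VPN pool lives in, else None.
    An overlapping pool gives clients addresses that collide with real inside hosts."""
    first, _last, mask = pool
    pool_net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
    for n in networks:
        if pool_net.overlaps(ipaddress.ip_network(n)):
            return n
    return None

def goes_down_tunnel(policy, acl_networks, dst_ip):
    """Decide whether a packet to dst_ip is sent through the VPN under a split-tunnel-policy.
    policy is one of the three keywords the ASA lists: tunnelall, tunnelspecified, excludespecified."""
    dst = ipaddress.ip_address(dst_ip)
    listed = any(dst in ipaddress.ip_network(n) for n in acl_networks)
    if policy == "tunnelall":
        return True
    if policy == "tunnelspecified":
        return listed
    if policy == "excludespecified":
        return not listed
    raise ValueError(f"unknown split-tunnel-policy: {policy!r}")

def uses_tunnel_dns(split_dns_domains, qname):
    """True if the query name falls under a split-dns domain (exact match or a proper subdomain).
    The dot check stops 'erdmanor.com.example.net' from being treated as internal."""
    q = qname.lower().rstrip(".")
    for d in (x.lower().rstrip(".") for x in split_dns_domains):
        if q == d or q.endswith("." + d):
            return True
    return False

def describe(policy, acl_networks, destinations):
    """Map each destination to 'tunnel' or 'direct' for a quick review of an ACL."""
    return {d: ("tunnel" if goes_down_tunnel(policy, acl_networks, d) else "direct")
            for d in destinations}

if __name__ == "__main__":
    print("pool overlap:", pool_overlap(VPN_POOL, SPLIT_TUNNEL_ACL))
    print(describe("tunnelspecified", SPLIT_TUNNEL_ACL, ["10.10.10.7", "8.8.8.8"]))
    print("mail.erdmanor.com via tunnel DNS:", uses_tunnel_dns(SPLIT_DNS, "mail.erdmanor.com"))
```

With `tunnelspecified` only the two ACL networks go down the tunnel and everything else, Internet included, leaves the client directly; switching the same ACL to `excludespecified` inverts that, which is why the NAT section that follows still matters if you ever move to `tunnelall`.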


Now we need to fix up the NAT’ing to ensure that our users are able to communicate to the rest of the network as well as get Internet access. To enable that functionality, we’re actually going to be creating two NAT statements here. The first NAT that we’re going to create is a dynamic NAT that will translate connections from the VPN users and allow them Internet access. Remember that in order for this to work, you still need an ACL to allow the access to specific locations. Also, another point is that we are allowing split tunnelling, so technically we don’t need to allow them Internet access here, but I’m covering it anyway just in case you need to tunnel all traffic from your end users back to your internal network for security reasons.

First let’s get our dynamic NAT created. Since our internal network is on 192.168.1.0/24, we put our VPN users on 192.168.2.0/24. So here we’ll create an object-group for our VPN users and then we can create our dynamic NAT.

erdmanor-5510(config)#
erdmanor-5510(config)# object-group network VPN-Users                        
erdmanor-5510(config-network-object-group)# network-object 192.168.2.0 255.255.255.0
erdmanor-5510(config)# nat (Outside,Outside) source dynamic VPN-Users interface
erdmanor-5510(config)#


Now let’s get our static NAT configured. This one is what Cisco refers to as an “Identity NAT”. According to Cisco, “You might have a NAT configuration in which you need to translate an IP address to itself. For example, if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT, you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote access VPN, where you need to exempt the client traffic from NAT.”

So based on this information, we know that we need an Identity NAT. So let’s get that going.

erdmanor-5510(config)#
erdmanor-5510(config)# nat (Inside,Outside) source static Internal-Network Internal-Network destination static VPN-Users VPN-Users no-proxy-arp route-lookup
erdmanor-5510(config)#


Also, let’s say for instance that we have a Site-to-Site VPN tunnel to our sister data center, or a partner company, which our end users will need access to. While we’re talking about NATs, let’s walk through NATing this traffic as well.

We’ll start by assuming that we already have an S2S VPN up and running. Let’s say it’s to the Amazon Cloud (AWS). Since this is already set up, we just need to allow our users access to it. Remember, you’ll need to set up ACLs to allow the traffic; this is just ensuring that NAT’ing is set up properly. Here, we’re assuming we already have an Object-Group named “AWS-Network“. The NAT is nearly the same as before, but the difference is that this is what Cisco refers to as a Hairpin NAT. For this to work properly, you’ll need to enable “intra-interface” traffic. “Inter-interface” traffic is between different interfaces, while “intra-interface” allows communication into and back out of the SAME interface. See here:

erdmanor-5510(config)# same-security-traffic permit ?              

configure mode commands/options:
  inter-interface  Permit communication between different interfaces with the same security level
  intra-interface  Permit communication between peers connected to the same interface
erdmanor-5510(config)#


So let’s get this Hairpin NAT started. First you’ll notice that the Interface is the same (Outside,Outside). Remember, AnyConnect users are coming in from the “Outside” interface, and they’re communicating across a VPN tunnel that is also connected to the “Outside” interface.

erdmanor-5510(config)#
erdmanor-5510(config)# same-security-traffic permit intra-interface
erdmanor-5510(config)# nat (Outside,Outside) source static VPN-Users VPN-Users destination static AWS-Network AWS-Network no-proxy-arp route-lookup
erdmanor-5510(config)#


Okay, moving right along! Now we’ll create a user account and test logging into our system.

erdmanor-5510(config)#
erdmanor-5510(config)# username vpnsteve password NotMyP@ssw0rd
erdmanor-5510(config)# username vpnsteve attributes        
erdmanor-5510(config-username)# service-type remote-access
erdmanor-5510(config-username)# exit
erdmanor-5510(config)#


I’ll have to get this thing actually setup on the Internet so that I can connect to it, but I know the configuration works from here. I’ve set this up a few times this month alone for clients, so I’m confident in it running properly for you as well. When I can, I’ll get some screenshots posted here to show it works.

Thanks for reading!




http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30.pdf
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/anyconnectadmin24/ac03features.html#wp1064149
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
http://www.databasemart.com/HowTo/Cisco_VPN_Remote_Access_Setup_ASA5500.aspx
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_rules.html
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html#25608
http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/vpnadd.html#wp999516
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/dhcp.html
http://www.petenetlive.com/KB/Article/0001050.htm
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html
http://www.techrepublic.com/blog/data-center/eight-easy-steps-to-cisco-asa-remote-access-setup/


Cisco ASA 8.3 (and up) packet capturing

In the course of time, it becomes necessary to run packet captures in order to understand where issues are within a network. In this case, I’ve done this so many times I figured it would be easy enough to write a quick blog on it.

DISCLAIMER: Make sure you know what access-list or lists you’re modifying in Config mode.

######################################
###   Here we will go over exactly how
###   to create a packet capture and
###   how to view it via the CLI as well as
###   how to download it in PCAP file
######################################


##########
### enter system global config mode
##########
Configure terminal
conf t

##########
### START with creating an access list that is going to capture data from ALL directions needed
###
### Make sure that if you're just monitoring traffic between two hosts, that you setup your ACL like this:
##########


ErdmanorASA(config)# access-list temp_packet_capture permit ip host 192.168.1.10 host 8.8.8.8 log error
ErdmanorASA(config)# access-list temp_packet_capture permit ip host 8.8.8.8 host 192.168.1.10 log error


### you may need to know some interface specific information, so don’t forget to:
ErdmanorASA(config)# sh ip add
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                1.1.1.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 192.168.1.1     255.255.255.0   CONFIG
GigabitEthernet0/2       DMZ                    10.1.1.1        255.255.255.0   CONFIG
GigabitEthernet0/3.1     failover               169.254.0.1     255.255.255.252 unset
GigabitEthernet0/3.2     failover-state         169.254.0.5     255.255.255.252 unset
Management0/0            TESTDMZ                10.2.2.2        255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                1.1.1.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 192.168.1.1     255.255.255.0   CONFIG
GigabitEthernet0/2       DMZ                    10.1.1.1        255.255.255.0   CONFIG
GigabitEthernet0/3.1     failover               169.254.0.2     255.255.255.252 unset
GigabitEthernet0/3.2     failover-state         169.254.0.6     255.255.255.252 unset
Management0/0            TESTDMZ                10.2.2.2        255.255.255.0   CONFIG


############
### Here we are going to apply the packet capture on an interface (in this case the “inside” interface)
### we’re specifying to capture the last 10000000 packets
ErdmanorASA(config)# capture steve interface inside access-list temp_packet_capture buffer 10000000 packet-length 1522


############
### this command shows any current captures that are taking place (your capture should be in there if you set one up)
ErdmanorASA(config)# sh capture
capture steve type raw-data access-list temp_packet_capture buffer 10000000 packet-length 1522 interface Inside [Capturing - 301082 bytes]
capture steve2 type raw-data access-list temp_packet_capture buffer 10000000 packet-length 1522 interface Outside [Capturing - 298168 bytes]

############
### show the capture you just made (use the capture name, not the access-list name)
ErdmanorASA(config)# show cap steve

2024 packets captured

   1: 16:30:31.895690 192.168.1.10.44441 > 8.8.8.8.5120: S 4293989912:4293989912(0) win 14600 <mss 1380,sackOK,timestamp 408760499 0,nop,wscale 9>
   2: 16:30:31.895903 8.8.8.8.5120 > 192.168.1.10.44441: S 4128260078:4128260078(0) ack 4293989913 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 173100302 408760499>
   3: 16:30:31.896193 192.168.1.10.44441 > 8.8.8.8.5120: . ack 4128260079 win 29 <nop,nop,timestamp 408760499 173100302>
   4: 16:30:31.896514 192.168.1.10.44441 > 8.8.8.8.5120: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop,timestamp 408760499 173100302>
   5: 16:30:32.097300 192.168.1.10.44441 > 8.8.8.8.5120: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop,timestamp 408760550 173100302>
   6: 16:30:32.097452 10.52.11.6.5120 > 192.168.1.10.44441: . ack 4293990409 win 256 <nop,nop,timestamp 173100322 408760499,nop,nop,sack sack 1 {4293989913:4293990409} >
   7: 16:30:32.469412 10.52.11.6.5120 > 192.168.1.10.44441: P 4128260079:4128260495(416) ack 4293990409 win 256 <nop,nop,timestamp 173100359 408760499>
   8: 16:30:32.469564 192.168.1.10.44441 > 8.8.8.8.5120: . ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
   9: 16:30:32.469625 192.168.1.10.44441 > 8.8.8.8.5120: P 4293990409:4293990490(81) ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
  10: 16:30:32.469824 192.168.1.10.44441 > 8.8.8.8.5120: P 4293990490:4293990572(82) ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
...
...


ErdmanorASA(config)#   sh log | grep 192.168.1.10
%ASA-6-302014: Teardown TCP connection 1082311710 for outside:8.8.8.8/443 to inside:192.168.1.10/54210 duration 0:00:00 bytes 7295 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1082311788 for outside:8.8.8.8/443 to inside:192.168.1.10/54211 duration 0:00:00 bytes 5856 TCP FINs
ErdmanorASA(config)#   sh log | grep 192.168.1.10
%ASA-6-302014: Teardown TCP connection 1082312752 for outside:8.8.8.8/443 to inside:192.168.1.10/54212 duration 0:00:00 bytes 7295 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1082312815 for outside:8.8.8.8/443 to inside:192.168.1.10/54213 duration 0:00:00 bytes 5856 TCP FINs
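Reading a long `show capture` listing by eye is slow, and the interesting questions are usually simple ones: which hosts actually appeared in the capture, how much payload moved in each direction, and why the ASA tore the connections down. The following is an added example, not from the original post and not Cisco tooling: a Python parser for the two text formats shown above (the `show cap` packet lines and the `%ASA-6-302014` teardown syslogs). The sample lines are constructed in the same format, with addresses and sequence numbers made up, and one packet from a peer outside the ACL’s host pair is included on purpose so the check has something to report.

```python
import re
from collections import Counter

# Constructed sample in the format of `show capture <name>` above (made-up values).
SAMPLE_CAPTURE = """\
2024 packets captured

   1: 16:30:31.895690 192.168.1.10.44441 > 8.8.8.8.5120: S 4293989912:4293989912(0) win 14600 <mss 1380,sackOK>
   2: 16:30:31.895903 8.8.8.8.5120 > 192.168.1.10.44441: S 4128260078:4128260078(0) ack 4293989913 win 8192 <mss 1460>
   3: 16:30:31.896193 192.168.1.10.44441 > 8.8.8.8.5120: . ack 4128260079 win 29 <nop,nop>
   4: 16:30:31.896514 192.168.1.10.44441 > 8.8.8.8.5120: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop>
   5: 16:30:32.097452 10.52.11.6.5120 > 192.168.1.10.44441: . ack 4293990409 win 256 <nop,nop>
"""

# Constructed sample syslog lines in the format of the %ASA-6-302014 messages above.
SAMPLE_SYSLOG = """\
%ASA-6-302014: Teardown TCP connection 1082311710 for outside:8.8.8.8/443 to inside:192.168.1.10/54210 duration 0:00:00 bytes 7295 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1082311788 for outside:8.8.8.8/443 to inside:192.168.1.10/54211 duration 0:00:00 bytes 5856 TCP FINs
%ASA-6-302014: Teardown TCP connection 1082312752 for outside:8.8.8.8/443 to inside:192.168.1.10/54212 duration 0:00:00 bytes 7295 TCP Reset-I
"""

PKT_RE = re.compile(
    r"^\s*(?P<num>\d+): (?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)(?P<rest>.*)$"
)
LEN_RE = re.compile(r"\((\d+)\)")   # "(496)" after seq:seq is the TCP payload length

TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) duration (?P<dur>\S+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

def parse_capture(text):
    """Turn `show capture` lines into dicts; headers and '...' lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        lm = LEN_RE.search(rec["rest"])
        rec["payload"] = int(lm.group(1)) if lm else 0
        packets.append(rec)
    return packets

def unexpected_peers(packets, allowed_hosts):
    """Addresses seen in the capture that are not in the host pair the ACL was written for.
    A hit usually means the ACL matched more than intended or NAT is rewriting one side."""
    seen = {p[k] for p in packets for k in ("src", "dst")}
    return sorted(seen - set(allowed_hosts))

def flow_payload(packets):
    """Payload bytes per direction, keyed by (src, sport, dst, dport)."""
    totals = Counter()
    for p in packets:
        totals[(p["src"], p["sport"], p["dst"], p["dport"])] += p["payload"]
    return totals

def parse_teardowns(text):
    """Parse %ASA-6-302014 lines; anything that is not a teardown message is ignored."""
    return [m.groupdict() for m in (TEARDOWN_RE.match(l) for l in text.splitlines()) if m]

def teardown_reasons(records):
    """Count close reasons; a run of 'TCP Reset-I' means the inside (-I) host is resetting."""
    return Counter(r["reason"] for r in records)

if __name__ == "__main__":
    pk = parse_capture(SAMPLE_CAPTURE)
    print("peers outside the ACL pair:", unexpected_peers(pk, ["192.168.1.10", "8.8.8.8"]))
    print("payload per direction:", dict(flow_payload(pk)))
    print("teardown reasons:", dict(teardown_reasons(parse_teardowns(SAMPLE_SYSLOG))))
```

Paste the output of `show cap <name>` and of `sh log | grep <host>` into the two strings (or read them from files) and the three summaries fall out; the teardown reason suffix (`-I` for inside, `-O` for outside) tells you which side ended the connection, which is usually the first thing you want to know when a host reports it “can’t connect”.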



##############
### To clean up the ASA when you're done
##############



##############
### remove the capture you created (by capture name, not by access-list name)
ErdmanorASA(config)# no capture steve


##############
### remove the temporary access list entries you added for the capture
ErdmanorASA(config)# no access-list temp_packet_capture permit ip host 192.168.1.10 host 8.8.8.8 log error
ErdmanorASA(config)# no access-list temp_packet_capture permit ip host 8.8.8.8 host 192.168.1.10 log error


How-to: SCP files from ASA

This is a quick and simple blog. Just notes really on how to use SCP/SSH to download files off of an ASA. It comes in handy for scripting purposes, but I thought I would at least share for everyone to see.

First things first, we need to enable SSH and SCopy on our ASA. We can accomplish this by entering config mode and then issuing two different “ssh” commands:

steve @ phiberoptiklmde ~ :) ##  ssh steve@1.1.1.1
pomeroy@1.1.1.1's password:
Type help or '?' for a list of available commands.
MyASA5510> en
Password: ***********
MyASA5510# conf t
MyASA5510(config)#ssh 0.0.0.0 0.0.0.0 Inside
MyASA5510(config)#ssh scopy enable
MyASA5510(config)#wr
Cryptochecksum: 0d46cc75 79177ae7 9069c9a8 94153d78

8184 bytes copied in 0.690 secs
[OK]
MyASA5510(config)#exit
MyASA5510#exit

The first “ssh” command allows anyone to connect to this from the “Inside” interface of our ASA. This is NOT secure. In a real production environment, we should lock this down to a specific IP address, a handful of IP addresses, or a management network.

The second “ssh” command tells the ASA to enable “scopy”, which basically means that you can connect to the ASA with an SCP client and download files.

From here we can just use our Linux machine to download the file to whatever folder you want to save your files in. See below on how to do that.
Start with “scp”, then your user account at the IP of the machine: “scp steve@1.1.1.1”.
Then name an actual file that exists on the ASA. If you log into the ASA and issue the “dir” command from enable mode, you get a listing of all files on the local flash on the machine.
Lastly, specify the path that you want to save the file to.

It’s that easy!

steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-win-3.1.05152-k9.pkg /home/steve/Desktop/anyconnect-win-3.1.05152-k9.pkg
serdman@1.1.1.1's password:
anyconnect-win-3.1.05152-k9.pkg                                                                                                                                                                           100%   34MB 212.0KB/s   02:42    
Connection to 1.1.1.1 closed by remote host.
steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-macosx-i386-3.1.02040-k9.pkg /home/steve/Desktop/penvpn01-anyconnect/anyconnect-macosx-i386-3.1.02040-k9.pkg
serdman@1.1.1.1's password:
anyconnect-macosx-i386-3.1.02040-k9.pkg                                                                                                                                                                   100%   11MB 226.7KB/s   00:48    
Connection to 1.1.1.1 closed by remote host.
steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-linux-3.1.02040-k9.pkg /home/steve/Desktop/anyconnect-linux-3.1.02040-k9.pkg
serdman@1.1.1.1's password:
anyconnect-linux-3.1.02040-k9.pkg                                                                                                                                                                         100%   11MB 317.9KB/s   00:34    
Connection to 1.1.1.1 closed by remote host.
steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-linux-64-3.1.02040-k9.pkg /home/steve/Desktop/anyconnect-linux-64-3.1.02040-k9.pkg
serdman@1.1.1.1's password:
anyconnect-linux-64-3.1.02040-k9.pkg                                                                                                                                                                      100% 9735KB 314.0KB/s   00:31    
Connection to 1.1.1.1 closed by remote host.
steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-macosx-i386-3.1.05152-k9.pkg /home/steve/Desktop/anyconnect-macosx-i386-3.1.05152-k9.pkg
serdman@1.1.1.1's password:
anyconnect-macosx-i386-3.1.05152-k9.pkg                                                                                                                                                                   100%   11MB 334.6KB/s   00:34  
Connection to 1.1.1.1 closed by remote host.  
steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-linux-64-3.1.05152-k9.pkg /home/steve/Desktop/anyconnect-linux-64-3.1.05152-k9.pkg
serdman@1.1.1.1's password:
anyconnect-linux-64-3.1.05152-k9.pkg                                                                                                                                                                      100%   10MB 343.9KB/s   00:31  
Connection to 1.1.1.1 closed by remote host.
steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-linux-3.1.05152-k9.pkg /home/steve/Desktop/anyconnect-linux-3.1.05152-k9.pkg
serdman@1.1.1.1's password:
anyconnect-linux-3.1.05152-k9.pkg                                                                                                                                                                         100%   10MB 341.5KB/s   00:31    
Connection to 1.1.1.1 closed by remote host.
steve @ phiberoptiklmde ~ :) ##
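Since the point of this is scripting, here is how I would wrap the same `scp` pull so a script cannot be talked into trusting a different host key or keeping a corrupted package. This is an added example, not from the original post and not Cisco tooling; it assumes you keep the ASA’s host key in a dedicated known_hosts file (the `/home/steve/.ssh/asa_known_hosts` path is a placeholder) and that you have the checksum published for the package you are pulling (a placeholder SHA-256 here; the checksum Cisco lists on the download page is what you would actually compare against).

```python
import hashlib
import os
import subprocess
import tempfile

def scp_command(user, host, remote_file, local_path, known_hosts):
    """Build the scp argv for pulling one file off the ASA.
    StrictHostKeyChecking=yes makes scp refuse, rather than prompt, when the ASA's host key
    is missing from `known_hosts` or has changed. The dedicated known_hosts file is an
    assumption: record the key in it once, over the console, before trusting the network path."""
    return [
        "scp",
        "-o", "StrictHostKeyChecking=yes",
        "-o", f"UserKnownHostsFile={known_hosts}",
        f"{user}@{host}:{remote_file}",
        local_path,
    ]

def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so a large AnyConnect package is not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, expected_sha256):
    """True only if the file on disk hashes to the value published for that package."""
    return sha256_file(path).lower() == expected_sha256.strip().lower()

def fetch_and_verify(user, host, remote_file, local_path, known_hosts, expected_sha256):
    """Copy the file and keep it only if the hash matches; on a mismatch delete it and raise."""
    subprocess.run(scp_command(user, host, remote_file, local_path, known_hosts), check=True)
    if not verify_download(local_path, expected_sha256):
        os.remove(local_path)
        raise RuntimeError(f"{remote_file}: SHA-256 mismatch, file discarded")
    return local_path

def write_constructed_sample(data):
    """Write constructed bytes to a temp file standing in for a downloaded package; returns its path."""
    fd, path = tempfile.mkstemp(prefix="asa-sample-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    # Placeholder values: the ASA address, a pinned known_hosts file and the published checksum.
    print(" ".join(scp_command("steve", "1.1.1.1", "anyconnect-win-3.1.05152-k9.pkg",
                               "/home/steve/Desktop/anyconnect-win-3.1.05152-k9.pkg",
                               "/home/steve/.ssh/asa_known_hosts")))
    sample = write_constructed_sample(b"abc")
    print("sample hash:", sha256_file(sample))
```

The interactive session above still prompts for a password each time; for unattended use the same command works with a public key authorized on the ASA, and the host-key pinning is what keeps that automation from silently following a changed key.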


Cisco ASAs: Baseline Configurations


So, I’ve been dabbling around in the Cisco field for many years now. I started taking Cisco Academy courses at a local college in the Fall of 2002 and since then I’ve completed all the CCNA, CCNP and most recently the CCNA Security courses. By no means am I calling myself an expert, the best Cisco Engineer on the planet, or even on par with a Cisco engineer that’s been in the field for at least a year or so. But what I am saying is that, I feel that I’ve got a decent background.

I bought a Cisco ASA 5505 a few years ago, played with it for a while and then got sidetracked with other work. I even forgot I owned the device for a while, until I took my CCNA Security course in the Fall of 2012.

Again, the purpose of this blog site is to help give back to the community. So I just want to throw down a little ASA knowledge for anyone interested in buying an ASA for home use. This stuff is even transferable to the higher-class 5510s up to the 5585s.

Now, I host my own services for many reasons: mail, web, remote access, etc. The main reason is that every service I run out of my house adds to my knowledge of IT management, securing networks, and what it takes to run both sides of the house (IT and Security). What I want to do here is go over how to create a baseline configuration for a Cisco ASA unit. It really is easier than you think.


So let's get going here!


If you’ve got a brand new Cisco ASA, right out of the box and you’re about to plug it in, you’re in a perfect spot. If you bought one off eBay or something like that, you’ll want to wipe the configuration on the device.

In order to wipe an ASA you need to know the enable password to the device, or you need to boot it into recovery mode. If you’re having issues with the password, I recommend you just reset it with the information on Cisco’s website.

I’m doing this work from a Debian box, but you can do this from virtually any OS. You’ll need a Cisco serial cable, which you should’ve gotten with your purchase of an ASA. For those of you who haven’t seen one, they look like this:
Cisco Serial Cable

And if you’re connecting with a laptop made in the last few years you’ll need a USB to serial adapter. Many computers don’t even have Serial ports anymore, so this adapter is essential.
USB to Serial (RS-232)

To connect to the Cisco ASA, connect your USB connector to your computer, and the Cisco serial cable to your ASA device. Then the easiest thing to use is PuTTY, which you can get from the PuTTY website. There is an installer for pretty much every Windows OS as well as the source code, which you can compile on just about every Unix/Linux platform out there.

After you get PuTTY installed and running, you can modify the settings to your liking. I like being able to see all the scroll-back of my sessions, so I normally set that to “999999” or something like that, and I also save all session output to putty.log on the Desktop of whatever OS I’m on at the time.

To connect to your Cisco ASA, on the main screen, click on “Serial”, verify that your serial port is properly set up and click “Connect”. For Windows-based machines, your USB to Serial connector usually creates a COM port that you’ll have to verify in the “Device Manager”. In Linux, the USB to Serial adapter creates a device in your “/dev” directory, usually named “/dev/ttyUSB0”, but again, you’ll want to verify that. Also, most Linux distros require that you access that device as root. You may have to start PuTTY from the command line like this:

sudo putty


You should see this window appear after a few seconds:

Putty Screen in Linux


Alright, enough messing around. Connect to your ASA and then power it on. You’ll see a bunch of scroll-back as your device is starting. Like this:

CISCO SYSTEMS
Embedded BIOS Version 1.0(12)6 08/21/06 17:26:53.43

Low Memory: 632 KB
High Memory: 251 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
 00  01  00   1022   2080  Host Bridge        
 00  01  02   1022   2082  Chipset En/Decrypt 11
 00  0C  00   1148   4320  Ethernet           11
 00  0D  00   177D   0003  Network En/Decrypt 10
 00  0F  00   1022   2090  ISA Bridge        
 00  0F  02   1022   2092  IDE Controller    
 00  0F  03   1022   2093  Audio              10
 00  0F  04   1022   2094  Serial Bus         9
 00  0F  05   1022   2095  Serial Bus         9

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)6) #0: Mon Aug 21 19:34:06 PDT 2006

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
                                               
Launching BootLoader...
Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa845-k8.bin... Booting...
Platform ASA5505

Loading...
IO memory blocks requested from bigphys 32bit: 9672
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 96 files, 10581/31033 clusters
dosfsck(/dev/hda1) returned 0
Processor memory 109051904, Reserved memory: 41943040

Total SSMs found: 0

Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 0019.0724.43f6
88E6095 rev 2 Ethernet @ index 07 MAC: 0019.0724.43f5
88E6095 rev 2 Ethernet @ index 06 MAC: 0019.0724.43f4
88E6095 rev 2 Ethernet @ index 05 MAC: 0019.0724.43f3
88E6095 rev 2 Ethernet @ index 04 MAC: 0019.0724.43f2
88E6095 rev 2 Ethernet @ index 03 MAC: 0019.0724.43f1
88E6095 rev 2 Ethernet @ index 02 MAC: 0019.0724.43f0
88E6095 rev 2 Ethernet @ index 01 MAC: 0019.0724.43ef
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 0019.0724.43f7
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
Verify the activation-key, it might take a while...
Running Permanent Activation Key:  

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 50             perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.


Cisco Adaptive Security Appliance Software Version 8.4(5)

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************

Copyright (c) 1996-2012 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Reading from flash...
Flash read failed

Cryptochecksum (changed):  

Pre-configure Firewall now through interactive prompts [yes]?


From here the ASA is going to ask a series of questions in order to get a very minimal configuration setup. You can go through them or not. Either way will be fine. I’m going to go through the prompts just to show what questions are asked:

Pre-configure Firewall now through interactive prompts [yes]?
Firewall Mode [Routed]: Routed
Enable password [<use current password>]: {strong-password-here}
Allow password recovery [yes]?
Clock (UTC):
  Year [2012]:
  Month [Dec]:
  Day [21]:
  Time [22:57:31]: 18:00:35
Management IP address: 172.27.128.56
Management network mask: 255.255.255.0
Host name: Erdmanor-ASA
Domain name: erdmanor.com
IP address of host running Device Manager:

The following configuration will be used:
Enable password:
Allow password recovery: yes
Clock (UTC): 18:00:35 Dec 21 2012
Firewall Mode: Routed
Management IP address: 172.27.128.56
Management network mask: 255.255.255.0
Host name: Erdmanor-ASA
Domain name: erdmanor.com

Use this configuration and write to flash? yes
INFO: Security level for "management" set to 0 by default.
Cryptochecksum: e661f916 9e00a961 ba015bae 20f4d894

2081 bytes copied in 1.50 secs (2081 bytes/sec)


It’s very important here that you set up your ASA in Routed mode. The reason is that the only way to have an Internal, External and DMZ interface on your network with a Base-licensed ASA is to have it in Routed mode. According to Cisco, “For the Base license, allow this interface to be the third VLAN by limiting it from initiating contact to one other VLAN using the following command:

hostname(config-if)# no forward interface vlan number

Where number specifies the VLAN ID to which this VLAN interface cannot initiate traffic.

With the Base license, you can only configure a third VLAN if you use this command to limit it.

For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the no forward interface command on the home VLAN; the business network can access the home network, but the home network cannot access the business network.

If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface command before the nameif command on the third interface; the adaptive security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance.”


My suggestion here is that our Outside interface should never initiate traffic to the Internal network. The purpose of the Internal network is to communicate with Internet hosts and the DMZ. It is the most secure network we have, therefore we should never accept incoming traffic on it. The DMZ will accept all incoming traffic, and if there are any reverse proxies, the DMZ will hold all of those systems and communicate with the Internal network on behalf of any Internet host. A few examples of this would be a reverse SMTP proxy or an HTTP or HTTPS reverse proxy. There is NEVER a reason for the Internal network to accept Internet traffic... unless you have a lazy admin, or your company doesn’t know shit about security.


By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same-security interfaces lets traffic flow freely between all same-security interfaces without access lists. If you enable NAT control, you do not need to configure NAT between same-security-level interfaces. If you enable same-security interface communication, you can still configure interfaces at different security levels as usual. While I highly discourage this, if you want to enable interfaces on the same security level so that they can communicate with each other, enter the following command:

hostname(config)# same-security-traffic permit inter-interface


So let’s see. What should we start with? Well, if you saw my blog on network architecture you’ll know that we should start things off securely. Let’s get a DMZ up and running as well as our internal and external interfaces.

enable
conf t
(config)# interface vlan 1
(config-if)# ip address (192.168.0.1) 255.255.255.0 ### Change this to match your internal network
(config-if)# nameif Inside
(config-if)# security-level 100
(config-if)# no shut
(config-if)# exit
(config)# interface vlan 100
(config-if)# ip address (outside IP) 255.255.255.248 ### Change this to match your ISP Static IP Address
(config-if)# nameif Outside
(config-if)# security-level 0
(config-if)# no shut
(config-if)# exit
(config)# interface vlan 200
(config-if)# ip address (172.16.0.1) 255.255.255.0 ### Change this to match your DMZ network
(config-if)# nameif DMZ
(config-if)# security-level 50
(config-if)# no forward interface vlan 100
(config-if)# end
write mem

What we’ve done here is set up the three VLANs that we’ll be using in our network. Once you set up these VLANs, issue the “end” command followed by the “write mem” command to save your current running config. Then issue the “show run” command to view your config.


Now, let’s get rid of some junk configurations that Cisco throws in there.

conf t
(config)# no service-policy global_policy global
(config)# clear config call-home
(config)# no ftp mode passive
(config)# no snmp-server enable
(config)# no telnet timeout 5
(config)# end
wr mem


Now you can go back and check your config again by issuing the “show run” command.

So, let’s get off this console connection and get our SSH running. Once SSH is running we can not only access our Cisco ASA from the Linux command line, where most of us are more comfortable, but we can also build up some pretty sweet Python scripts that we can use to manage our ASA much more easily. My coworker Adrian (AKA IronGeek) wrote up some pretty bad ass Python scripts to do various management tasks on some higher-end 5500 Series ASAs (fully tested on 5510s, 5520s and 5540s).

(config)# crypto key generate rsa modulus 2048
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
(config)# ssh 192.168.0.0 255.255.255.0 inside
(config)# ssh timeout 45
(config)# ssh version 2
(config)# aaa authentication ssh console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
(config)# aaa authentication enable console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
(config)# username steve password MyP@ssw0rd! privilege 15

You got two warning messages here. The first came from the command telling the ASA to look at the local user database for SSH authentication, which was still empty at that point. The second was for the same reason, but from the command telling the ASA that you also want user authentication for the “enable” command.


Perfect, now let's get out of this console connection and configure this thing over SSH.

ssh steve@192.168.0.1
The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
RSA key fingerprint is 54:df:df:3e:we:5b:yj:20:ng:46:f4:a7:9p:a3:e6:8x.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.1' (RSA) to the list of known hosts.
steve@192.168.0.1's password:
Type help or '?' for a list of available commands.
Erdmanor-ASA> en
Password: *********
Erdmanor-ASA#


Now that we’ve got management access set up, let’s get a real config going on this thing. The first thing it needs is a default gateway so that it knows where to send traffic. Your Internet Service Provider (ISP) should have given you a default gateway IP address. If they haven’t, it is usually your ISP’s on-site equipment, typically some type of router.


Now let's start creating our object groups. Beginning with ASA version 8.3, network objects are used to configure all forms of NAT. A network object is created, and it is within this object that NAT is configured. In this step, network object “inside-net” is used to translate the inside network addresses 192.168.0.0/24 to the global address of the outside ASA interface. Cisco calls this type of object configuration Auto-NAT.


You’re really going to want to create as MANY object groups as you can think of for all of your network segments. There’s a LOT of overhead here. You’re better off starting out making a list of all your servers, their functions, their open ports and what needs to be accessed from the Internet, then coming back and making your object groups. I went through all this crap when I put this together, you can do the same (it’s really not that difficult, and if you’re at a business and you don’t already have this stuff documented, shame on you!).


Let’s start with the default “quad-zero” route and then specify the internal, external and DMZ networks. The “nat” statements we’re going to add to the DMZ and Internal network objects specify that all traffic from those networks will leave through the “outside-hide-nat” range, split up across the IP addresses in it.

(config)# route outside 0.0.0.0 0.0.0.0 108.227.33.126
(config)# object network outside-hide-nat
(config-network-object)# range 108.227.33.121 108.227.33.124
(config-network-object)# exit
(config)# object network internal-network
(config-network-object)# subnet 192.168.0.0 255.255.255.0
(config-network-object)# nat (inside,outside) dynamic outside-hide-nat
(config-network-object)# exit
(config)# object network dmz-network
(config-network-object)# subnet 172.16.0.0 255.255.255.0
(config-network-object)# nat (DMZ,Outside) dynamic outside-hide-nat
(config-network-object)# end
# wr mem
Building configuration...
Cryptochecksum: 9a5cd00b 1dcb8169 b07905cf 8b7904ed

2961 bytes copied in 1.120 secs (2961 bytes/sec)
[OK]


Alright, so now we have basic Internet access from both our networks (the DMZ and Internal). Now we need to configure our ASA to forward specific traffic to our DMZ servers. It is very important that you realize we’re using Port Address Translation (PAT) here. There are other ways to do NAT, but we have more ports to open up to internal servers than we have external IP addresses. We have over 5 Internal Servers and only 4 Public IP addresses we can use for inbound traffic.

What we’ll do here is create more objects first.

object network openvpn
 host 172.16.0.14
object network https-exchange
 host 172.16.0.17
object network dns-external-1
 host 172.16.0.23
object network dns-external-2
 host 172.16.0.28
object network external-rdp
 host 172.16.0.37
object network external-ssh
 host 172.16.0.45


Now we need to create the proper PAT NAT statements for all of our externally accessible services. To do this, we first define a new network object with a unique name for each inbound service. Then we specify the DMZ host it belongs to, and finally we create the inbound NAT and tie it to a service.

(config)# object network client-openvpn
(config-network-object)# host 172.16.0.14
(config-network-object)# nat (DMZ,Outside) static 108.227.33.124 service tcp https https
(config-network-object)# exit


See how easy that is? Let’s look at this stuff for a quick minute though. First there is the network object name, “client-openvpn”. Then we specify the DMZ host IP address that the name is attached to. Then we create the PAT. The NAT statement specifies that the static address is an outside public address, that it’s a TCP service, and that its outside port is 443, mapping to the DMZ host 172.16.0.14 on port 443.


Now, we’ve got one done, let's get the rest:

(config)# object network openvpn-site2site
(config-network-object)# host 172.16.0.14
(config-network-object)# nat (DMZ,Outside) static 108.227.33.124 service udp 7777 7777
(config-network-object)# exit
(config)# object network http-20
(config-network-object)# host 172.16.0.23
(config-network-object)# nat (DMZ,Outside) static 108.227.33.122 service tcp www www
(config-network-object)# exit
(config)# object network http-25
(config-network-object)# host 172.16.0.28
(config-network-object)# nat (DMZ,Outside) static 108.227.33.123 service tcp www www
(config-network-object)# exit
(config)# object network https-25
(config-network-object)# host 172.16.0.28
(config-network-object)# nat (DMZ,Outside) static 108.227.33.123 service tcp https https
(config-network-object)# exit
(config)# object network https-exchange
(config-network-object)# host 172.16.0.17
(config-network-object)# nat (DMZ,Outside) static 108.227.33.122 service tcp https https
(config-network-object)# exit
(config)# object network smtp-in
(config-network-object)# host 172.16.0.28
(config-network-object)# nat (DMZ,Outside) static 108.227.33.122 service tcp smtp smtp
(config-network-object)# exit
(config)# object network dns-external-1
(config-network-object)# host 172.16.0.23
(config-network-object)# nat (DMZ,Outside) static 108.227.33.122 service udp domain domain
(config-network-object)# exit
(config)# object network dns-external-2
(config-network-object)# host 172.16.0.28
(config-network-object)# nat (DMZ,Outside) static 108.227.33.123 service udp domain domain
(config-network-object)# exit
(config)# object network external-rdp
(config-network-object)# host 172.16.0.37
(config-network-object)# nat (DMZ,Outside) static 108.227.33.124 service tcp 3389 3389
(config-network-object)# exit
(config)# object network external-ssh
(config-network-object)# host 172.16.0.45
(config-network-object)# nat (DMZ,Outside) static 108.227.33.124 service tcp ssh ssh
(config-network-object)# exit
(config)# wr mem


Now that we have our internal objects created, as well as our PAT NAT objects, we can move along and create the access list for our outside interface. This access list will control Internet traffic inbound to our servers, specify the port number for each server service, and log each hit. Then we’ll apply the access list to the external interface.

(config)# access-list outside-traffic-inbound extended permit udp any host 172.16.0.23 eq domain log
(config)# access-list outside-traffic-inbound extended permit udp any host 172.16.0.28 eq domain log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.23 eq www log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.28 eq www log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.37 eq 3389 log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.45 eq ssh log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.17 eq https log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.28 eq https log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.14 eq https log
(config)# access-list outside-traffic-inbound extended permit udp any host 172.16.0.14 eq 5656 log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.28 eq smtp log
(config)# access-list outside-traffic-inbound extended deny ip any any log
(config)# access-group outside-traffic-inbound in interface Outside
(config)# wr mem
Building configuration...
Cryptochecksum: 7f5a5aab aabeeafa dff03aeb ef264ed5

3404 bytes copied in 1.110 secs (3404 bytes/sec)
[OK]


Fantastic. Now, the process we just ran through for creating inbound NATs for DNS traffic into the DMZ, that process can be repeated for any other service you are running on your network. Running Microsoft Exchange? You’ll want to allow TCP 443 into it. An SSH server? TCP 22 for that. An SMTP reverse proxy for SPAM filtering? TCP 25 into that.

Well… you get the picture. Just repeat the process! 🙂


Now, to complete a network properly we shouldn’t just let anyone out over any port. There’s no egress filtering going on here. Let’s specify what ports our internal users, as well as our servers, are allowed to communicate on over the internet. The only way that’s going to be possible is to create more network objects and more access lists.


Obviously, there’s no reason to ever be browsing the Internet from a server. Don’t be lazy, just do it right. Start by creating a network object containing either the subnet your Windows servers are on, or, you can just specify the host IP addresses your Windows servers have.

object-group network Windows-Servers
 description Microsoft Windows Servers Group
 network-object host 172.16.0.15
 network-object host 172.16.0.16
 network-object host 172.16.0.17
 network-object host 172.16.0.19
 network-object host 172.16.0.37
 network-object host 172.16.0.45
 network-object host 172.16.0.99


Now let’s make a network object group that contains the most commonly used IP ranges owned and operated by Microsoft:

object-group network Microsoft-Internet
 description Microsoft server networks External IP ranges
 network-object 64.4.0.0 255.255.192.0
 network-object 65.52.0.0 255.252.0.0
 network-object 207.46.0.0 255.255.0.0


Now all we need is an ACL to allow the servers to talk outbound:

access-list inside-traffic-outbound extended permit tcp object-group Windows-Servers object-group Microsoft-Internet eq www
access-list inside-traffic-outbound extended permit tcp object-group Windows-Servers object-group Microsoft-Internet eq https


Let’s do the same thing for our Linux servers. We have Linux Mint, Debian, and Ubuntu on the network, so we’ll just tie all of their update ranges together:

object-group network Linux-OS-Updates
 description Linux Mint - Debian - and Ubuntu server networks External IP ranges
 network-object 91.189.88.0 255.255.240.0
 network-object 65.175.128.0 255.255.255.128
 network-object 109.203.97.0 255.255.255.0
 network-object 204.45.0.0 255.255.0.0


And again we need to create our ACLs:

access-list inside-traffic-outbound extended permit tcp object-group Linux-Systems object-group Linux-OS-Updates eq www
access-list inside-traffic-outbound extended permit tcp object-group Linux-Systems object-group Linux-OS-Updates eq https


I also talk on a couple networks like AOL IM, ICQ and Facebook Chat so my computer needs access out to those servers.

So again create the object group, with the IP Ranges for AOL, ICQ and Facebook:

object-group network aim-icq-fb
 description networks for Facebook, AOL IM and ICQ Instant Messengers
 network-object 173.252.64.0 255.255.192.0
 network-object 69.171.224.0 255.255.224.0
 network-object 66.220.144.0 255.255.240.0
 network-object 64.12.0.0 255.255.0.0
 network-object 205.188.0.0 255.255.0.0


And again, allow traffic out with an ACL:

access-list inside-traffic-outbound extended permit tcp host 192.168.0.86 object-group aim-icq-fb eq aol
access-list inside-traffic-outbound extended permit tcp host 192.168.0.86 object-group aim-icq-fb eq 5222


Also, if you’re running a spam filtering server in your DMZ, yet your mail server is in your Internal network, then you’ll have to create a NAT from your DMZ to your Internal network, for which you can use the same process again.


Also, don’t forget to allow your Exchange server to send mail and your DNS servers to perform lookups!!


access-list inside-traffic-outbound extended permit tcp object https-exchange any eq smtp
access-list inside-traffic-outbound extended permit udp object-group Internal-DNS-Servers any eq domain


Lastly, if you want your DMZ or Internal network to have access to the Internet, make sure to build an access list to allow traffic out! Haha, won’t get far without that!
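As an added example (not part of the post, and not a Cisco tool), here is a small Python checker that reads show running-config style text and flags the slips this kind of build invites: an access-group naming an ACL that has no entries, an ACL that is never applied, an object-group referenced but never defined, an object NAT whose real interface does not own the host's subnet, and a static PAT with no matching inbound permit. The interface subnets and the sample excerpt are constructed to match the post's addressing, with 198.51.100.0/24 standing in for the public block.

```python
"""Flag the slips an ASA 8.3+ object-NAT / ACL baseline invites. Added example, not part of the post."""
import ipaddress
import re

# nameif -> subnet as the post's three-VLAN build assigns them (constructed for this example)
INTERFACES = {"Inside": ipaddress.ip_network("192.168.0.0/24"),
              "DMZ": ipaddress.ip_network("172.16.0.0/24")}
# ASA port keywords used in the post; numeric ports are taken as-is
PORT_NAMES = {"domain": 53, "www": 80, "https": 443, "ssh": 22, "smtp": 25}
NAT_RE = re.compile(r"nat \(([^,]+),([^)]+)\) (static|dynamic) (\S+)(?: service (tcp|udp) (\S+) (\S+))?$")
ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (.+)$")


def port_number(token):
    """Resolve an ASA port keyword or numeric string; None if unknown."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token)


def parse_config(text):
    """Collect network objects (with their NAT lines), object-group names, ACEs and
    access-groups from show running-config style text (no CLI prompts)."""
    objects, groups, acls, applied, current = {}, set(), {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = objects.setdefault(m.group(1), {"host": None, "nats": []})
        elif m := re.match(r"object-group network (\S+)$", line):
            groups.add(m.group(1))
            current = None
        elif (m := re.match(r"host (\S+)$", line)) and current is not None:
            current["host"] = m.group(1)
        elif (m := NAT_RE.match(line)) and current is not None:
            current["nats"].append(m.groups())
        elif m := ACE_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4).split()))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            applied[m.group(1)] = m.group(2)
    return objects, groups, acls, applied


def permits(ace, proto, host, port):
    """True for an ACE of the shape the post uses: permit <proto> any host <host> eq <port> [log]."""
    action, ace_proto, rest = ace
    return (action == "permit" and ace_proto == proto and rest[:3] == ["any", "host", host]
            and len(rest) >= 5 and rest[3] == "eq" and port_number(rest[4]) == port)


def audit(text):
    """Return human-readable findings; an empty list means nothing looked inconsistent."""
    objects, groups, acls, applied = parse_config(text)
    findings = []
    for acl, iface in applied.items():  # access-group must name an ACL that has entries
        if acl not in acls:
            findings.append(f"access-group {acl} on {iface} names an ACL with no entries")
    for acl in acls:  # an ACL that is never applied filters nothing
        if acl not in applied:
            findings.append(f"access-list {acl} is never applied with access-group")
    for acl, entries in acls.items():  # every object-group reference must resolve
        for _, _, rest in entries:
            for i, tok in enumerate(rest[:-1]):
                if tok == "object-group" and rest[i + 1] not in groups:
                    findings.append(f"{acl}: object-group {rest[i + 1]} is not defined")
    inbound = [a for a, i in applied.items() if i.lower() == "outside"]
    for name, obj in objects.items():
        host = obj["host"]
        if host is None:  # subnet/range objects are not checked here
            continue
        owner = next((n for n, net in INTERFACES.items() if ipaddress.ip_address(host) in net), None)
        for real, _, kind, _, proto, real_port, _ in obj["nats"]:
            if owner and owner.lower() != real.lower():  # nat (real,mapped): real must own the host
                findings.append(f"object {name}: host {host} is on {owner} but NAT real interface is {real}")
            if kind == "static" and proto:  # a static PAT is only reachable with a matching permit
                port = port_number(real_port)
                if not any(permits(e, proto, host, port) for a in inbound for e in acls.get(a, [])):
                    findings.append(f"object {name}: no inbound permit for {proto}/{port} to {host}")
    return findings


# Constructed excerpt in the post's style; 198.51.100.0/24 stands in for the real public block
SAMPLE_CONFIG = """
object network client-openvpn
 host 172.16.0.14
 nat (Inside,Outside) static 198.51.100.124 service tcp https https
object network openvpn-site2site
 host 172.16.0.14
 nat (DMZ,Outside) static 198.51.100.124 service udp 7777 7777
object network external-ssh
 host 172.16.0.45
 nat (DMZ,Outside) static 198.51.100.124 service tcp ssh ssh
access-list outside-traffic-inbound extended permit tcp any host 172.16.0.14 eq https log
access-list outside-traffic-inbound extended permit udp any host 172.16.0.14 eq 5656 log
access-list outside-traffic-inbound extended permit tcp any host 172.16.0.45 eq ssh log
access-list outside-traffic-inbound extended deny ip any any log
access-list inside-traffic-outbound extended permit tcp object-group Linux-Systems any eq https
access-group outside-traffic-inbound in interface Outside
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

Run it against the output of “show run” copied from the console; it only understands the object, object-group, access-list and access-group lines the post uses, and ignores everything else.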


Have fun with this. There’s a million ways to tweak what you’re trying to do!


Enjoy!


References for this blog go to:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1054877
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
http://www.gomjabbar.com/2011/09/11/no-forward-interface-command-on-the-cisco-asa-5505-with-a-base-license/
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wpxref64390
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wp1094668
http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/nat_overview.html
http://blog.f85.net/2011/11/cisco-asa-5500-ad-integration.html
https://www.google.com/search?oq=cisco+asa+5505+active+directory+authentication&sourceid=chrome&ie=UTF-8&q=cisco+asa+5505+active+directory+authentication
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html#wp1140516
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/objectgroups.html
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_objects.html#wp1525205
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_objects.html
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_overview.html
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_extended.html
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html



Cisco Fun

So, I decided to go back to school (after 3 or so semesters off) and take some fun classes. Last time I went I was stuck in some shit Liberal Arts classes. I won’t bore you with that. So this semester I’m taking Red Hat Admin 1, which I’m flying through at an obscene rate, and Cisco Security 1. Now, when I started college back in the fall of 2002, I started with CCNA classes. I loved them; took 8 semesters of Cisco CCNA and CCNP courses. So it’s been a while, but I figured I should take some new Cisco classes.

Well, it’s been great so far. Tonight, in my home lab I hooked up my 2600 routers and did some labs on password resets (easy, but good to know), and I also hooked up my 2 Cisco PIX 515’s and learned how to do a password reset on those too.

Now I learned that both of my PIX firewalls are still running 5.3 software… these things are from the stone age!!!

Also in my quest was working on some client work. They have an ASA 5510. In working on that, I thought to update my 5505. It’s been a while, so I went through and reconfigured a bunch of stuff. In the process I figured out it only supports 3 VLANs. 2 of those are for the Inside and Outside networks and a third, DMZ type VLAN, that isn’t allowed to initiate communications to any other VLAN. Come on Cisco, this is ridiculous. I need something with a serious amount more horsepower and abilities.

The ASA 5505 is probably great for some people, but not me. Anyone out there interested in buying this thing? It’s a couple years old but I have the 8.4 software on it and am willing to sell it at a good price!

References:

http://www.cisco.com/en/US/products/hw/routers/ps259/products_password_recovery09186a0080094675.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml#pix_without
