Setting up Etherchannel between Cisco ASA and Cisco Switch

I’ve recently had the need to re-architect my network in order to gain more functionality, scalability and security. I’ve written in past blogs on how important it is to have network security built into your network, and how important it is to have a properly segmented network. Here I’m going to show you how easy that is to do, and show you why every business should be doing this to some extent.

So let’s get going here. First off, if you have an ASA that is already being used in a production environment, you’re going to have to schedule some downtime. In order to set up Etherchannel on the ASA, your ports need to have no configuration on them. In my case, I’m setting up a quad-port Etherchannel, so I need all my ports wiped clean.

erdmanor-5510# sh run int
!
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0
erdmanor-5510#
erdmanor-5510#
erdmanor-5510# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up  
Ethernet0/1                unassigned      YES unset  up                    up  
Ethernet0/2                unassigned      YES unset  up                    up  
Ethernet0/3                unassigned      YES unset  up                    up  
Management0/0              192.168.1.2     YES manual up                    up  
erdmanor-5510#


Now that we have a clean configuration, let’s set up the port-channel.

erdmanor-5510(config)# int port-channel 1
erdmanor-5510(config-if)#
erdmanor-5510(config-if)# no nameif
erdmanor-5510(config-if)# no security-level
erdmanor-5510(config-if)# no ip address
erdmanor-5510(config-if)#


Now that we have a port-channel created, we need to assign what interfaces are going to take part in that port channel.

erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int Ethernet0/0
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/0.
erdmanor-5510(config-if)# exit
erdmanor-5510(config)# int Ethernet0/1        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/1.
erdmanor-5510(config-if)# exit
erdmanor-5510(config)# int Ethernet0/2        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/2.
erdmanor-5510(config-if)# exit                  
erdmanor-5510(config)# int Ethernet0/3        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/3.
erdmanor-5510(config-if)# exit                  
erdmanor-5510(config)#


Now we need to get our switch configured. We’ll basically be doing the same thing on the switch that we just got done doing on our ASA. You’ll notice the syntax on the ASA is just a bit different than the switch, but Cisco came close on the two.

Let’s start with creating our port channel.

Erdmanor3750G(config)#
Erdmanor3750G(config)#int port-channel 1
Erdmanor3750G(config-if)#    
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switch mode trunk
Erdmanor3750G(config-if)#


Now we can get our Ethernet ports into the port channel.

Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/1
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/2              
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA                
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/3        
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA    
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/4      
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA      
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#


Now that the port-channel is up and running, we need to establish what VLANs are going to traverse this link. The way that Cisco ASAs interpret VLANs is a bit different than the way Catalyst Switches interpret VLANs, at least for the configuration of them. In a Cisco ASA, for every VLAN that you want, you create a sub-interface. For The Catalyst Switch,

erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.10
erdmanor-5510(config-subif)# vlan 10
erdmanor-5510(config-subif)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
erdmanor-5510(config-subif)# ip address 172.98.17.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.20                
erdmanor-5510(config-subif)# vlan 20                            
erdmanor-5510(config-subif)# nameif Inside                      
INFO: Security level for "Inside" set to 100 by default.
erdmanor-5510(config-subif)# ip address 192.168.100.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.30                
erdmanor-5510(config-subif)# vlan 30                              
erdmanor-5510(config-subif)# nameif FrontDMZ                      
INFO: Security level for "FrontDMZ" set to 0 by default.
erdmanor-5510(config-subif)# ip address 10.121.23.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.40                
erdmanor-5510(config-subif)# vlan 40                              
erdmanor-5510(config-subif)# nameif BackDMZ                      
INFO: Security level for "BackDMZ" set to 0 by default.
erdmanor-5510(config-subif)# ip address 10.156.183.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.50                
erdmanor-5510(config-subif)# vlan 50                              
erdmanor-5510(config-subif)# nameif Wireless                      
INFO: Security level for "Wireless" set to 0 by default.
erdmanor-5510(config-subif)# security-level 50
erdmanor-5510(config-subif)# ip address 172.21.49.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#



From here we just need to create some VLANs on the switch and then we can finalize the configuration on the ASA.

Erdmanor3750G#
Erdmanor3750G#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Erdmanor3750G(config)#vlan 10
Erdmanor3750G(config-vlan)#no shut
%VLAN 10 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 20
Erdmanor3750G(config-vlan)#no shut
%VLAN 20 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 30
Erdmanor3750G(config-vlan)#no shut
%VLAN 30 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 40
Erdmanor3750G(config-vlan)#no shut
%VLAN 20 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 50
Erdmanor3750G(config-vlan)#no shut
%VLAN 40 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#interface vlan 10
Erdmanor3750G(config-if)#description Outside zone between pfSense and ASA
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 20                              
Erdmanor3750G(config-if)#description Inside network                      
Erdmanor3750G(config-if)#no shut                  
Erdmanor3750G(config-if)#exit                      
Erdmanor3750G(config)#interface vlan 30        
Erdmanor3750G(config-if)#description Front DMZ for direct connections from the Internet
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 40                                            
Erdmanor3750G(config-if)#description Back DMZ -- Teired DMZ for server systems
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 50                                    
Erdmanor3750G(config-if)#description Wireless network                
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#



So this is what my interface list looks like in the running config now:

interface Ethernet0/0
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 channel-group 1 mode on
 no nameif    
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.10
 vlan 10
 nameif Outside
 security-level 0
 ip address 172.98.17.1 255.255.255.0
!
interface Port-channel1.20
 vlan 20
 nameif Inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Port-channel1.30
 vlan 30
 nameif FrontDMZ
 security-level 0
 ip address 10.121.23.1 255.255.255.0
!
interface Port-channel1.40
 vlan 40
 nameif BackDMZ
 security-level 0
 ip address 10.156.183.1 255.255.255.0
!
interface Port-channel1.50
 vlan 50      
 nameif Wireless
 security-level 50
 ip address 172.21.49.1 255.255.255.0
!



And now a look at my switch port configuration:

!
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/0/1
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/2
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/3
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/4
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
!
interface Vlan10
 description Outside zone between pfSense and ASA
 no ip address
!
interface Vlan20
 description Inside network
 no ip address
!
interface Vlan30
 description Front DMZ for direct connections from the Internet
 no ip address
!
interface Vlan40
 description Back DMZ -- Teired DMZ for server systems
 no ip address
!
interface Vlan50
 description Wireless network
 no ip address


Erdmanor3750G#
Erdmanor3750G#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  192.168.1.3     YES manual up                    up      
Vlan10                 unassigned      YES unset  up                    up      
Vlan20                 unassigned      YES unset  up                    up      
Vlan30                 unassigned      YES unset  up                    up      
Vlan40                 unassigned      YES unset  up                    up  
GigabitEthernet4/0/1   unassigned      YES unset  up                    up      
GigabitEthernet4/0/2   unassigned      YES unset  up                    up      
GigabitEthernet4/0/3   unassigned      YES unset  up                    up      
GigabitEthernet4/0/4   unassigned      YES unset  up                    up      
...  
Port-channel1          unassigned      YES unset  up                    up



Fantastic. Let’s check to see that the ASA is showing the port-channel working.

erdmanor-5510# sh port-channel detail
        Channel-group listing:
        -----------------------

Group: 1
----------
Span-cluster port-channel: No
Ports: 4   Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: ON
Minimum Links: 1
Load balance: src-dst-ip
        Ports in the group:
        -------------------
Port: Et0/0
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/1
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/2
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/3
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

erdmanor-5510# sh port-channel sum    
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol  Span-cluster  Ports
------+-------------+---------+------------+------------------------------------
1      Po1(U)             -            No     Et0/0(P)   Et0/1(P)   Et0/2(P)   Et0/3(P)  
erdmanor-5510#
erdmanor-5510# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up  
Ethernet0/1                unassigned      YES unset  up                    up  
Ethernet0/2                unassigned      YES unset  up                    up  
Ethernet0/3                unassigned      YES unset  up                    up  
Management0/0              192.168.86.2    YES manual up                    up  
Port-channel1              unassigned      YES unset  up                    up  
Port-channel1.10           172.98.17.1     YES manual up                    up  
Port-channel1.20           192.168.100.1   YES manual up                    up  
Port-channel1.30           10.121.23.1     YES manual up                    up  
Port-channel1.40           10.156.183.1    YES manual up                    up  
Port-channel1.50           172.21.49.1     YES manual up                    up  
erdmanor-5510#



And now to check the port channel on the Catalyst switch:

Erdmanor3750G#sh etherchannel detail
        Channel-group listing:
        ----------------------

Group: 1
----------
Group state = L2
Ports: 4   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:    -
        Ports in the group:
        -------------------
Port: Gi4/0/1
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:45s

Port: Gi4/0/2
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:16s

Port: Gi4/0/3
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:04s

Port: Gi4/0/4
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:23m:53s

        Port-channels in the group:
        ---------------------------

Port-channel: Po1
------------

Age of the Port-channel   = 0d:00h:33m:13s
Logical slot/port   = 10/1          Number of ports = 4
GC                  = 0x00000000      HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =    -

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Gi4/0/1  On                 0
  0     00     Gi4/0/2  On                 0
  0     00     Gi4/0/3  On                 0
  0     00     Gi4/0/4  On                 0

Time since last port bundled:    0d:00h:23m:53s    Gi4/0/4

Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#sh etherchannel sum  
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port


Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Gi4/0/1(P)  Gi4/0/2(P)  Gi4/0/3(P)  
                                 Gi4/0/4(P)  

Erdmanor3750G#



Now, moving forward, please remember that you MUST specify the VLAN each switch port will be in, otherwise you’re going to have communications issues. The Catalyst switches do NOT auto-sense what VLAN your port is in. So to do this, you need to specify the VLAN, on both the Cisco ASA and the Switch, like this:

Erdmanor3750G#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Erdmanor3750G(config)#
Erdmanor3750G(config)#vlan 60
Erdmanor3750G(config-vlan)#no shut
%VLAN 60 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#interface Vlan60
Erdmanor3750G(config-if)#description ATT Outside Public 108.227.33.120/28 Network
Erdmanor3750G(config-if)#no ip address
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#int GigabitEthernet4/0/19
Erdmanor3750G(config-if)#switchport access vlan 60
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#


Now create the VLAN (sub-interface) on the ASA, like this:

erdmanor-5510# conf t
erdmanor-5510(config)# interface Port-channel1.60
erdmanor-5510(config-subif)# vlan 60
erdmanor-5510(config-subif)# nameif ATTOutside
INFO: Security level for "ATTOutside" set to 0 by default.
erdmanor-5510(config-subif)# ip address 108.227.33.121 255.255.255.248
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)# exit
erdmanor-5510#


Now that we have the VLANs and port-channel created, we need to ensure that our firewall rulebase is set up properly.

NOTE: I am just showing you how to set this up. It is up to YOU to be a smart network admin and lock down these VLANs with the proper rules!!!

From here, create your basic ACLs and lock them down tightly. Make sure that you tie each access-list to an interface too! I personally like to write all my ACLs from the point of view of the requester or client machine on a network. So what I do is write the ACL as if the traffic were going into a garden hose, where the garden hose is the interface the traffic will be going to. Basically, you’re writing the rules that will be implemented as close to the end point as possible.

erdmanor-5510(config)# access-list backdmz-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list frontdmz-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list inside-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list outside-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list wireless-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)#
erdmanor-5510(config)# access-group outside-traffic-in in interface Outside
erdmanor-5510(config)# access-group inside-traffic-in in interface Inside
erdmanor-5510(config)# access-group frontdmz-traffic-in in interface FrontDMZ
erdmanor-5510(config)# access-group backdmz-traffic-in in interface BackDMZ
erdmanor-5510(config)# access-group wireless-traffic-in in interface Wireless
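As an added check for the two points above (the VLAN must exist on both the ASA and the switch, and every ASA interface needs a bound, tightened ACL), here is a small Python audit script. It is not from the post; the ASA and switch configs it parses are constructed samples in the shape shown above, with VLAN 60 and its access-group deliberately missing so the checks have something to report.

```python
import re
from collections import defaultdict

# Constructed sample: a cut-down ASA running config in the shape the post shows.
# The ATTOutside sub-interface (VLAN 60) deliberately has no access-group bound.
ASA_CONFIG = """\
interface Port-channel1.10
 vlan 10
 nameif Outside
 ip address 172.98.17.1 255.255.255.0
!
interface Port-channel1.20
 vlan 20
 nameif Inside
 ip address 192.168.100.1 255.255.255.0
!
interface Port-channel1.60
 vlan 60
 nameif ATTOutside
 ip address 108.227.33.121 255.255.255.248
!
access-list outside-traffic-in extended permit ip any4 any4 log
access-list inside-traffic-in extended permit tcp 192.168.100.0 255.255.255.0 any4 eq 443 log
access-group outside-traffic-in in interface Outside
access-group inside-traffic-in in interface Inside
"""

# Constructed sample: the matching Catalyst config, with VLAN 60 deliberately missing.
SWITCH_CONFIG = """\
vlan 10
vlan 20
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""

def parse_blocks(config):
    """Group 'interface X' stanzas into {name: [stripped sub-lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return blocks

def asa_subinterfaces(config):
    """Return {nameif: vlan} for every ASA sub-interface that carries a VLAN tag."""
    result = {}
    for lines in parse_blocks(config).values():
        vlan = nameif = None
        for l in lines:
            if l.startswith("vlan "):
                vlan = int(l.split()[1])
            elif l.startswith("nameif "):
                nameif = l.split()[1]
        if vlan is not None and nameif:
            result[nameif] = vlan
    return result

def switch_vlans(config):
    """VLAN ids created with a top-level 'vlan N' on the switch."""
    return {int(m) for m in re.findall(r"^vlan (\d+)", config, re.M)}

def switch_trunk_ok(config, port_channel="Port-channel1"):
    """True if the switch side of the bundle is a trunk, so tagged frames can pass."""
    return "switchport mode trunk" in parse_blocks(config).get(port_channel, [])

def acl_issues(config):
    """(interfaces with no inbound ACL, interfaces whose ACL only permits ip any any)."""
    named = set(asa_subinterfaces(config))
    by_iface = {iface: acl for acl, iface in
                re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M)}
    aces = defaultdict(list)
    for acl, ace in re.findall(r"^access-list (\S+) extended (.+)$", config, re.M):
        aces[acl].append(ace)
    unbound = sorted(named - set(by_iface))
    wide_open = sorted(iface for iface, acl in by_iface.items()
                       if aces[acl] and all(re.match(r"permit ip any4? any4?( |$)", a)
                                            for a in aces[acl]))
    return unbound, wide_open

def audit(asa=ASA_CONFIG, switch=SWITCH_CONFIG):
    """Human-readable findings; an empty list means the two sides agree."""
    findings = []
    defined = switch_vlans(switch)
    for nameif, vlan in asa_subinterfaces(asa).items():
        if vlan not in defined:
            findings.append(f"VLAN {vlan} ({nameif}) is not defined on the switch")
    if not switch_trunk_ok(switch):
        findings.append("switch Port-channel1 is not a trunk; tagged VLANs will not pass")
    unbound, wide_open = acl_issues(asa)
    findings += [f"interface {i} has no inbound access-group" for i in unbound]
    findings += [f"ACL on {i} permits ip any any; lock it down" for i in wide_open]
    return findings

if __name__ == "__main__":
    for finding in audit():
        print("-", finding)
```

Feed it the real `show run` output from both boxes and it reports the VLANs that exist on only one side and the interfaces still running the placeholder permit-any ACLs from above.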


Now we’re all done! Please contact me with any questions or concerns (or if you found that I screwed this up at all!). Thanks for reading!






Cisco AnyConnect on Cisco ASA 5500 running IOS 9.1.5

Cisco AnyConnect is a great VPN client because it runs over SSL/TLS and is very mature at this point in time. So, because of this, and the fact that I had a lot of questions come up about this in the past month (for one of my clients), I decided to write a blog on how to implement Cisco AnyConnect on a Cisco ASA 5515, running IOS 9.1.5. While I’m using an ASA 5515, I have also tested this to work on my 5505 and my 5510 test machines. So let’s get configuring!

We’ll start by downloading all the software from Cisco. For this you’ll need Cisco IOS version 9.1.5, ASDM version 7.x, and AnyConnect Version 2.5 or higher. To get this software legally, you’ll need to have a valid CCO ID (Cisco account), and you’ll need a valid SmartNet or SmartCare contract on your ASA.

Once you’ve obtained your software, we’ll need to upload it to your ASA. So let’s do that right now. If you don’t have a TFTP server, you’ll need one. If you need one that is simple to set up and use, check out my blog on setting up a Linux TFTP server.


Below, I am uploading the new IOS 9.1.5.

erdmanor-5510# copy tftp flash

Address or name of remote host []? 192.168.1.10

Source filename []? asa915-k8.bin

Destination filename [asa915-k8.bin]?

Accessing tftp://192.168.1.10/asa915-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa915-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27113472 bytes copied in 39.670 secs (695217 bytes/sec)
erdmanor-5510#
erdmanor-5510# conf t
erdmanor-5510(config)# boot system disk0:/asa915-k8.bin
erdmanor-5510(config)# sh run boot
boot system disk0:/asa915-k8.bin
erdmanor-5510(config)#
erdmanor-5510(config)# wr
Building configuration...
Cryptochecksum: fdee857f 734e0f13 a5fda71e e6bc2320
9154 bytes copied in 3.250 secs (3051 bytes/sec)
[OK]
erdmanor-5510(config)#
erdmanor-5510(config)# exit
erdmanor-5510# reload
Proceed with reload? [confirm]
erdmanor-5510#

***
*** --- START GRACEFUL SHUTDOWN ---


Now let’s get the new ASDM uploaded along with our SSL VPN client.

erdmanor-5510# copy tftp flash

Address or name of remote host []? 192.168.1.10

Source filename []? asdm-743.bin

Destination filename [asdm-743.bin]?

Accessing tftp://192.168.1.10/asdm-743.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing current ASDM file disk0:/asdm-743.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
24810876 bytes copied in 34.30 secs (729731 bytes/sec)
erdmanor-5510# copy tftp flash

Address or name of remote host [192.168.1.10]?

Source filename [asdm-743.bin]? anyconnect-win-2.5.2014-k9.pkg

Destination filename [anyconnect-win-2.5.2014-k9.pkg]?

Accessing tftp://192.168.1.10/anyconnect-win-2.5.2014-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-2.5.2014-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
4678691 bytes copied in 6.460 secs (779781 bytes/sec)

erdmanor-5510# dir

Directory of disk0:/

107    -rwx  27113472     13:27:06 Nov 03 2015  asa915-k8.bin
113    -rwx  24810876     13:40:12 Nov 03 2015  asdm-743.bin
115    -rwx  4678691      13:41:07 Nov 03 2015  anyconnect-win-2.5.2014-k9.pkg

62904320 bytes total (5550080 bytes free)
erdmanor-5510#


Great. Now that we have our software, let’s start setting up our environment.

When dealing with SSL, you need to have some kind of certificate installed on your server in order to create a secure connection. If this is a company, you should set up a real certificate from a real vendor like Verisign/Symantec, but for this instance I’m just going to set up a self-signed certificate. Keep in mind that self-signed certs are less secure and that they will prompt your end users with security warnings whenever they connect.

So let’s get a certificate set up for our ASA’s Outside interface, since that’s where our outside users will be connecting from.

erdmanor-5510(config)#
erdmanor-5510(config)# crypto key generate rsa label ErdmanorSSLCert modulus 2048

Keypair generation process begin. Please wait...
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# crypto ca trustpoint ErdmanorSSLTrustpoint
erdmanor-5510(config-ca-trustpoint)# enrollment self
erdmanor-5510(config-ca-trustpoint)# fqdn sslvpn.erdmanor.com
erdmanor-5510(config-ca-trustpoint)# subject-name CN=sslvpn.erdmanor.com
erdmanor-5510(config-ca-trustpoint)# keypair ErdmanorSSLCert
erdmanor-5510(config-ca-trustpoint)# crypto ca enroll ErdmanorSSLTrustpoint
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: yes

% The fully-qualified domain name in the certificate will be: sslvpn.erdmanor.com

% Include the device serial number in the subject name? [yes/no]: no

Generate Self-Signed Certificate? [yes/no]: yes
erdmanor-5510(config)#
erdmanor-5510(config)# ssl trust-point ErdmanorSSLTrustpoint Outside
erdmanor-5510(config)#
erdmanor-5510(config)# wr
Building configuration...
Cryptochecksum: 9be339e8 0522dd14 a192370f 5e9c6bf4

7969 bytes copied in 3.240 secs (2656 bytes/sec)
[OK]
erdmanor-5510(config)#


Now we need to configure WebVPN to work on our ASA, and allow it to present the AnyConnect VPN client to our connecting users.

erdmanor-5510(config)# webvpn
erdmanor-5510(config-webvpn)# enable Outside
INFO: WebVPN and DTLS are enabled on 'Outside'.
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)# anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg
erdmanor-5510(config-webvpn)# anyconnect enable
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)# exit
erdmanor-5510(config)# wr
Building configuration...
Cryptochecksum: aa7a52ab 38eb7e98 3e15d522 856eae67

8069 bytes copied in 3.250 secs (2689 bytes/sec)
[OK]
erdmanor-5510(config)#


Before we go any further, you have to make a determination here on how you’re going to perform DHCP addressing for your VPN users. There are two primary options:
1. Host the DHCP pool on the ASA
2. Forward DHCP requests to a DHCP server (like a Windows Domain Controller)

For this case, I’ve opted to host the DHCP pool locally on the ASA. For a business environment, though, I would suggest that you forward these requests to your domain controller, especially if you’re running other Microsoft services such as Exchange, SCCM, SCOM and others. I’ll go over both methods, but I’m going to be using the local DHCP server.

erdmanor-5510(config)#
erdmanor-5510(config)# ip local pool AnyConnectIPPool 192.168.2.1-192.168.2.200 mask 255.255.255.0
erdmanor-5510(config)#


I will update this section of the DHCP forwarding at a later time. Please check back!
For now, here is what Cisco has on this: http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/vpnadd.html#wp999516



In the Microsoft world, Group Policies are a group of settings that are applied to a Windows operating system in a domain. For instance, if you wanted all the desktop backgrounds to be a picture of your company logo, you could roll that out via MS Group Policy.

In the same fashion, Cisco has begun using Group Policies in order to set certain parameters and settings to their clients that connect. Group Policies are actually a pretty good idea in order to group a list of settings together that would apply to one connection type. In this case, that connection type is Cisco’s AnyConnect users.

So, let’s get our Group Policy set up for our users. This policy will be extremely basic, but please understand that Cisco’s Group Policies can get very in-depth.

erdmanor-5510(config)#
erdmanor-5510(config)# group-policy AnyConnectPolicy Internal
erdmanor-5510(config)# group-policy AnyConnectPolicy attributes
erdmanor-5510(config-group-policy)#
erdmanor-5510(config-group-policy)# dns-server value 192.168.1.5 192.168.1.6
erdmanor-5510(config-group-policy)#
erdmanor-5510(config-group-policy)# vpn-tunnel-protocol ssl-client
erdmanor-5510(config-group-policy)# default-domain value erdmanor.com
erdmanor-5510(config-group-policy)#
erdmanor-5510(config-group-policy)# address-pools value AnyConnectIPPool
erdmanor-5510(config-group-policy)#


The next thing we need to do is allow our SSL VPN users to bypass the outside access lists so they can get to the internal network. If this isn’t put in there, then you’ll have to write up ACLs on your Outside access list that specifically allow your VPN users to access certain network locations. This can turn into an administration overhead nightmare. The easiest thing to do is allow your users to bypass the Outside ACL, and then manage the ACL from the inside. It’s cleaner, and causes fewer headaches.

erdmanor-5510(config)# sysopt connection permit-vpn


Now we need to create our AnyConnect connection profile. This profile is what users will see when they connect to the Outside interface of our ASA. To do this we need to create what Cisco calls a “tunnel-group”. This tunnel-group will contain all of the connection profile settings that will be applied to any user successfully connecting with the AnyConnect client. As you go through this configuration, keep an eye on which config mode you’re in. You’ll start in normal config mode and progress through “config-tunnel-general”, “config-tunnel-webvpn” and “config-webvpn”. Make sure to type ? in each of those modes and check out the other commands available there.

erdmanor-5510(config)#
erdmanor-5510(config)# tunnel-group AnyConnectPolicy type remote-access
erdmanor-5510(config)# tunnel-group AnyConnectPolicy general-attributes
erdmanor-5510(config-tunnel-general)#
erdmanor-5510(config-tunnel-general)# default-group-policy AnyConnectPolicy
erdmanor-5510(config-tunnel-general)# tunnel-group AnyConnectPolicy webvpn-attributes
erdmanor-5510(config-tunnel-webvpn)#
erdmanor-5510(config-tunnel-webvpn)# group-alias Erdmanor-VPN enable
erdmanor-5510(config-tunnel-webvpn)#
erdmanor-5510(config-tunnel-webvpn)# webvpn
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)# tunnel-group-list enable
erdmanor-5510(config-webvpn)# exit
erdmanor-5510(config)# exit
erdmanor-5510# wr
Building configuration...
Cryptochecksum: 52d129a7 a5d58820 28b2f420 29226a32

8622 bytes copied in 3.240 secs (2874 bytes/sec)
[OK]
erdmanor-5510#


Since we’re going to be using Split Tunneling for our VPN connection, we need to ensure that our VPN users get the proper routing updates they need so that when they try to access a resource on our corporate network, their computers will send that traffic down the SSL VPN tunnel to our office or Data Center. We should discuss what we mean by Split tunneling as well. There are three options here, as you can see below, and here is more information from Cisco on Split-Tunneling.

erdmanor-5510(config-group-policy)# split-tunnel-policy ?              

group-policy mode commands/options:
  excludespecified  Exclude only networks specified by split-tunnel-network-list
  tunnelall         Tunnel everything
  tunnelspecified   Tunnel only networks specified by split-tunnel-network-list


To configure the network routes that our end user will see, we’ll create an access list and then specify that ACL in the group-policy configuration. We’ll also specify that our tunnel is a Split-Tunnel, and we’ll provide our internal domain name so any DNS resolution works as well.

erdmanor-5510(config)#
erdmanor-5510(config)# access-list split-tunnel-network-acl standard permit 192.168.1.0 255.255.255.0
erdmanor-5510(config)# access-list split-tunnel-network-acl standard permit 10.10.10.0 255.255.255.0
erdmanor-5510(config)#                                                                                
erdmanor-5510(config)# group-policy AnyConnectPolicy attributes    
erdmanor-5510(config-group-policy)# split-tunnel-policy tunnelspecified
erdmanor-5510(config-group-policy)# split-tunnel-network-list value split-tunnel-network-acl
erdmanor-5510(config-group-policy)# split-dns value erdmanor.com
erdmanor-5510(config-group-policy)# exit
erdmanor-5510(config)#


Now we need to fix up the NAT’ing to ensure that our users are able to communicate to the rest of the network as well as get Internet access. To enable that functionality, we’re actually going to be creating two NAT statements here. The first NAT that we’re going to create is a dynamic NAT that will translate connections from the VPN users and allow them Internet access. Remember that in order for this to work, you still need an ACL to allow the access to specific locations. Also, another point is that we are allowing split tunnelling, so technically we don’t need to allow them Internet access here, but I’m covering it anyway just in case you need to tunnel all traffic from your end users back to your internal network for security reasons.

First let’s get our dynamic NAT created. Since our internal network is on 192.168.1.0/24, we put our VPN users on 192.168.2.0/24. So here we’ll create an object-group for our VPN users and then we can create our dynamic NAT.

erdmanor-5510(config)#
erdmanor-5510(config)# object-group network VPN-Users                        
erdmanor-5510(config-network-object-group)# network-object 192.168.2.0 255.255.255.0
erdmanor-5510(config)# nat (Outside,Outside) source dynamic VPN-Users interface
erdmanor-5510(config)#


Now let’s get our static NAT configured. This one is what Cisco refers to as an “Identity NAT”. According to Cisco, “You might have a NAT configuration in which you need to translate an IP address to itself. For example, if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT, you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote access VPN, where you need to exempt the client traffic from NAT.”

So based on this information, we know that we need an Identity NAT. So let’s get that going.

erdmanor-5510(config)#
erdmanor-5510(config)# nat (Inside,Outside) source static Internal-Network Internal-Network destination static VPN-Users VPN-Users no-proxy-arp route-lookup
erdmanor-5510(config)#


Also, let’s say for instance that we have a Site-to-Site VPN tunnel to our sister data center, or a partner company, which our end users will need access to. While we’re talking about NATs, let’s walk through NATing this traffic as well.

We’ll start by assuming that we already have a S2S VPN up and running. Let’s say it’s to the Amazon Cloud (AWS). Since this is already set up, we just need to allow our users access to it. Remember, you’ll need to set up ACLs to allow the traffic; this is just ensuring that NAT is set up properly. Here, we’re assuming we already have an object-group named “AWS-Network“. The NAT is nearly the same as before, but the difference is that this is what Cisco refers to as a Hairpin NAT. For this to work properly, you’ll need to enable “intra-interface” traffic. “Inter-interface” traffic is between different interfaces, while “intra-interface” allows communication into and back out of the SAME interface. See here:

erdmanor-5510(config)# same-security-traffic permit ?              

configure mode commands/options:
  inter-interface  Permit communication between different interfaces with the same security level
  intra-interface  Permit communication between peers connected to the same interface
erdmanor-5510(config)#


So let’s get this Hairpin NAT started. First you’ll notice that the Interface is the same (Outside,Outside). Remember, AnyConnect users are coming in from the “Outside” interface, and they’re communicating across a VPN tunnel that is also connected to the “Outside” interface.

erdmanor-5510(config)#
erdmanor-5510(config)# same-security-traffic permit intra-interface
erdmanor-5510(config)# nat (Outside,Outside) source static VPN-Users VPN-Users destination static AWS-Network AWS-Network no-proxy-arp route-lookup
erdmanor-5510(config)#


Okay moving right along here! Now we’ll create a user account and test logging into our system.

erdmanor-5510(config)#
erdmanor-5510(config)# username vpnsteve password NotMyP@ssw0rd
erdmanor-5510(config)# username vpnsteve attributes        
erdmanor-5510(config-username)# service-type remote-access
erdmanor-5510(config-username)# exit
erdmanor-5510(config)#


I’ll have to get this thing actually setup on the Internet so that I can connect to it, but I know the configuration works from here. I’ve set this up a few times this month alone for clients, so I’m confident in it running properly for you as well. When I can, I’ll get some screenshots posted here to show it works.

Thanks for reading!






How-to: SCP files from ASA

This is a quick and simple blog. Just notes really on how to use SCP/SSH to download files off of an ASA. It comes in handy for scripting purposes, but I thought I would at least share for everyone to see.

First things first, we need to enable SSH and SCP on our ASA. We can accomplish this by entering config mode and issuing two different “ssh” commands:

steve @ phiberoptiklmde ~ :) ##  ssh steve@1.1.1.1
pomeroy@1.1.1.1's password:
Type help or '?' for a list of available commands.
MyASA5510> en
Password: ***********
MyASA5510# conf t
MyASA5510(config)#ssh 0.0.0.0 0.0.0.0 Inside
MyASA5510(config)#ssh scopy enable
MyASA5510(config)#wr
Cryptochecksum: 0d46cc75 79177ae7 9069c9a8 94153d78

8184 bytes copied in 0.690 secs
[OK]
MyASA5510(config)#exit
MyASA5510#exit

The first “ssh” command allows anyone to connect to this from the “Inside” interface of our ASA. This is NOT secure. In a real production environment, we should lock this down to a specific IP address, a handful of IP addresses, or a management network.

The second “ssh” command tells the ASA to enable “scopy”, which means you can connect to the ASA with an SCP client and download files.

From here we can just use our Linux machine to download the file to whatever folder you want to save your files to. See below on how to do that.
Start with “scp”, then your user account at the IP of the machine: “scp steve@1.1.1.1”.
From here, it needs to call an actual file that exists on the ASA. If you log into the ASA and issue the “dir” command from enable mode, you can get a listing of all files on the local flash drive on the machine.
Lastly, you just need to specify the path that you want to save the file to.

It’s that easy!

steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-win-3.1.05152-k9.pkg /home/steve/Desktop/anyconnect-win-3.1.05152-k9.pkg
serdman@1.1.1.1's password:
anyconnect-win-3.1.05152-k9.pkg                                                                                                                                                                           100%   34MB 212.0KB/s   02:42    
Connection to 1.1.1.1 closed by remote host.
steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-macosx-i386-3.1.02040-k9.pkg /home/steve/Desktop/penvpn01-anyconnect/anyconnect-macosx-i386-3.1.02040-k9.pkg
serdman@1.1.1.1's password:
anyconnect-macosx-i386-3.1.02040-k9.pkg                                                                                                                                                                   100%   11MB 226.7KB/s   00:48    
Connection to 1.1.1.1 closed by remote host.
steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-linux-3.1.02040-k9.pkg /home/steve/Desktop/anyconnect-linux-3.1.02040-k9.pkg
serdman@1.1.1.1's password:
anyconnect-linux-3.1.02040-k9.pkg                                                                                                                                                                         100%   11MB 317.9KB/s   00:34    
Connection to 1.1.1.1 closed by remote host.
steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-linux-64-3.1.02040-k9.pkg /home/steve/Desktop/anyconnect-linux-64-3.1.02040-k9.pkg
serdman@1.1.1.1's password:
anyconnect-linux-64-3.1.02040-k9.pkg                                                                                                                                                                      100% 9735KB 314.0KB/s   00:31    
Connection to 1.1.1.1 closed by remote host.
steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-macosx-i386-3.1.05152-k9.pkg /home/steve/Desktop/anyconnect-macosx-i386-3.1.05152-k9.pkg
serdman@1.1.1.1's password:
anyconnect-macosx-i386-3.1.05152-k9.pkg                                                                                                                                                                   100%   11MB 334.6KB/s   00:34  
Connection to 1.1.1.1 closed by remote host.  
steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-linux-64-3.1.05152-k9.pkg /home/steve/Desktop/anyconnect-linux-64-3.1.05152-k9.pkg
serdman@1.1.1.1's password:
anyconnect-linux-64-3.1.05152-k9.pkg                                                                                                                                                                      100%   10MB 343.9KB/s   00:31  
Connection to 1.1.1.1 closed by remote host.
steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-linux-3.1.05152-k9.pkg /home/steve/Desktop/anyconnect-linux-3.1.05152-k9.pkg
serdman@1.1.1.1's password:
anyconnect-linux-3.1.05152-k9.pkg                                                                                                                                                                         100%   10MB 341.5KB/s   00:31    
Connection to 1.1.1.1 closed by remote host.
steve @ phiberoptiklmde ~ :) ##


Backing up Cisco Configurations for Routers, Switches and Firewalls

I will add more about this when I have time. Until then, you should be able to just install python, paramiko and pexpect and run this script as-is (obviously changing the variables).

This should give you all the software you need:

sudo apt-get update
sudo apt-get install python python-pexpect python-paramiko

I plan on GREATLY increasing the ability of this script, adding additional functionality, as well as setting up a bash script that will be able to parse the configs, and perform much deeper backup abilities for ASAs.

I have not tested this on Routers and Switches. I can tell you that the production 5520 HA Pair that I ran this script against was running “Cisco Adaptive Security Appliance Software Version 8.4(2)160”. Theoretically, I would believe that this would work with all 8.4 code and up, including the 9.x versions that are out as of the writing of this blog.

Here you go! Full Scripted interrogation of Cisco ASA 5520 that can be setup to run on a CRON job.

#!/usr/bin/env python
# Scripted interrogation of a Cisco ASA over SSH using pexpect. Each command in
# COMMANDS is run in enable mode and its output is saved to its own file under
# <currentdate>/<currenthostname>/. Runs on Python 2 or 3.
import argparse
import datetime
import os
import sys

import pexpect


### DEFINE VARIABLES (edit these, or override the login details on the command line)

currentdate = "10-16-2014"
hostnamesfile = 'vpnhosts'
asahost = "192.168.222.1"
tacacsuser = 'testuser'
userpass = 'Password1'
enpass = 'Password2'
currentipaddress = "192.168.222.1"
currenthostname = "TESTASA"

# (command sent to the ASA, output file suffix, timeout in seconds); the long
# timeouts allow for big running-configs and session tables
COMMANDS = [
    ('show version',                  'sh-ver.txt',         50),
    ('more system:running-config',    'sh-run.txt',         999),
    ('show crypto isakmp sa',         'cryptoisakmp.txt',   50),
    ('dir disk0:',                    'dirdisk0.txt',       75),
    ('show interface',                'interfaces.txt',     100),
    ('show route',                    'show-route.txt',     300),
    ('show vpn-sessiondb detail',     'vpnsession.txt',     50),
    ('show vpn-sessiondb webvpn',     'webvpns.txt',        200),
    ('show vpn-sessiondb anyconnect', 'anyconnectvpns.txt', 999),
]

# cron example; secrets passed on the command line show up in the process
# list, so on a shared host keep them in the variables above instead:
# python vpnbackup.py -d $currentipaddress -u $tacacsuser -p $userpass -e $enpass


def parseArgs():
    parser = argparse.ArgumentParser(description='Capture "show" output from a Cisco ASA.')
    parser.add_argument('-u', '--user',     default=tacacsuser, help='user name to login with (default=%(default)s)')
    parser.add_argument('-p', '--password', default=userpass,   help='password to login with')
    parser.add_argument('-e', '--enable',   default=enpass,     help='password for enable')
    parser.add_argument('-d', '--device',   default=asahost,    help='device to login to (default=%(default)s)')
    return parser.parse_args()


def asaLogin(device, user, password, enable):
    """SSH to the ASA, enter enable mode, turn off paging and return the session."""
    child = pexpect.spawn('ssh ' + user + '@' + device, timeout=30)
    # larger read buffer so a long "show run" does not stall the expect loop
    child.maxread = 9999999
    # a first connection shows the host-key prompt; answering it here is
    # trust-on-first-use, so pre-seeding known_hosts on the backup box is safer
    if child.expect([r'\(yes/no', r'assword:']) == 0:
        child.sendline('yes')
        child.expect(r'assword:')
    child.sendline(password)
    child.expect(r'>')                  # user-mode prompt
    child.sendline('enable')
    child.expect(r'assword:')
    child.sendline(enable)
    child.expect(r'#', timeout=10)      # enable-mode prompt
    child.sendline('terminal pager 0')  # no --More-- prompts in the captured output
    child.expect(r'# ', timeout=10)
    return child


def createDir():
    """Create <currentdate>/<currenthostname>/ for this run's output files."""
    outdir = os.path.join(currentdate, currenthostname)
    if not os.path.exists(outdir):
        os.makedirs(outdir)
    return outdir


def capture(child, outdir, command, suffix, timeout):
    """Send one command and copy everything the ASA echoes back into its own file."""
    stamp = datetime.datetime.now().strftime("%m-%d-%Y")
    path = os.path.join(outdir, currenthostname + stamp + suffix)
    with open(path, 'wb') as fout:      # binary: pexpect hands back raw bytes
        child.logfile_read = fout       # pexpect mirrors all data it reads into fout
        child.sendline(command)
        child.expect(r'.*# ', timeout=timeout)  # wait for the enable-mode prompt
        child.logfile_read = None       # detach before the file is closed
    return path


def main():
    args = parseArgs()
    outdir = createDir()
    try:
        child = asaLogin(args.device, args.user, args.password, args.enable)
        for command, suffix, timeout in COMMANDS:
            capture(child, outdir, command, suffix, timeout)
        child.sendline('exit')
        child.close()
    except (pexpect.TIMEOUT, pexpect.EOF) as err:
        sys.exit('capture of %s failed: %s' % (args.device, err))


if __name__ == '__main__':
    main()
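As an added example (not the page's own script), here is a Python 3 audit that can be run over the sh-run.txt files the backup script saves. It applies the three split-tunnel-policy options from the AnyConnect section to a destination address and flags the wide-open “ssh 0.0.0.0 0.0.0.0 Inside” line the SCP section warns about; the sample config is constructed from the commands shown on this page, and the 256-address ssh threshold is this example's assumption.

```python
import ipaddress
import re

# Constructed sample in the shape of the sh-run.txt the backup script saves,
# assembled from the commands shown on this page.
SAMPLE_RUNNING_CONFIG = """\
access-list split-tunnel-network-acl standard permit 192.168.1.0 255.255.255.0
access-list split-tunnel-network-acl standard permit 10.10.10.0 255.255.255.0
group-policy AnyConnectPolicy internal
group-policy AnyConnectPolicy attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel-network-acl
 address-pools value AnyConnectIPPool
sysopt connection permit-vpn
ssh 0.0.0.0 0.0.0.0 Inside
ssh scopy enable
"""


def parse_standard_acls(config):
    """Map each standard ACL name to the networks it permits."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r'^access-list (\S+) standard permit (.+?)\s*$', line)
        if not m:
            continue
        name, target = m.groups()
        if target == 'any':
            net = ipaddress.ip_network('0.0.0.0/0')
        elif target.startswith('host '):
            net = ipaddress.ip_network(target.split()[1] + '/32')
        else:
            addr, mask = target.split()
            net = ipaddress.ip_network(addr + '/' + mask, strict=False)
        acls.setdefault(name, []).append(net)
    return acls


def parse_split_tunnel(config):
    """Map each group-policy to its split-tunnel-policy and network-list ACL."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r'^group-policy (\S+) attributes', line)
        if m:
            current = m.group(1)
            policies[current] = {'policy': None, 'acl': None}
        elif current and line.startswith(' '):
            m = re.match(r'^ split-tunnel-policy (\S+)', line)
            if m:
                policies[current]['policy'] = m.group(1)
            m = re.match(r'^ split-tunnel-network-list value (\S+)', line)
            if m:
                policies[current]['acl'] = m.group(1)
        else:
            current = None  # any unindented line ends the attributes block
    return policies


def parse_ssh_sources(config):
    """Return (network, interface) for every 'ssh <addr> <mask> <iface>' line."""
    sources = []
    for line in config.splitlines():
        m = re.match(r'^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$', line)
        if m:
            net = ipaddress.ip_network(m.group(1) + '/' + m.group(2), strict=False)
            sources.append((net, m.group(3)))
    return sources


def is_tunneled(policy, networks, dest):
    """Apply the three split-tunnel-policy options to one destination address."""
    matched = any(ipaddress.ip_address(dest) in n for n in networks)
    if policy == 'tunnelall':
        return True
    if policy == 'tunnelspecified':
        return matched
    if policy == 'excludespecified':
        return not matched
    raise ValueError('unknown split-tunnel-policy: ' + str(policy))


def audit(config, max_ssh_addresses=256):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for net, iface in parse_ssh_sources(config):
        if net.num_addresses > max_ssh_addresses:   # assumption: a /24 is the widest acceptable
            findings.append('ssh: %s on %s is wider than a /24; restrict it to a '
                            'management host or subnet' % (net, iface))
    acls = parse_standard_acls(config)
    for gp, st in parse_split_tunnel(config).items():
        if st['policy'] == 'tunnelspecified':
            nets = acls.get(st['acl'], [])
            if not nets:
                findings.append('%s: split-tunnel-network-list %s is missing or empty' % (gp, st['acl']))
            elif any(n.prefixlen == 0 for n in nets):
                findings.append('%s: split-tunnel ACL permits any, so nothing is actually split' % gp)
    if 'sysopt connection permit-vpn' in config.splitlines():
        findings.append('info: sysopt connection permit-vpn set; VPN users bypass the '
                        'Outside ACL, so control their access from the inside ACL')
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_RUNNING_CONFIG):
        print(finding)
```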

Here are all the websites that have provided help to me writing these scripts:
http://www.802101.com/2014/06/automated-asa-ios-and-nx-os-backups.html
http://yourlinuxguy.com/?p=300
http://content.hccfl.edu/pollock/Unix/FindCmd.htm
http://paulgporter.net/2012/12/08/30/
http://paklids.blogspot.com/2012/01/securely-backup-cisco-firewall-asa-fwsm.html
http://ubuntuforums.org/archive/index.php/t-106287.html
http://stackoverflow.com/questions/12604468/find-and-delete-txt-files-in-bash
http://stackoverflow.com/questions/9806944/grep-only-text-files
http://unix.stackexchange.com/questions/132417/prompt-user-to-login-as-root-when-running-a-shell-script
http://stackoverflow.com/questions/6961389/exception-handling-in-shell-scripting
http://stackoverflow.com/questions/7140817/python-ssh-into-cisco-device-and-run-show-commands
http://pastebin.com/qGRdQwpa
http://blog.pythonicneteng.com/2012/11/pexpect-module.html
https://pynet.twb-tech.com/blog/python/paramiko-ssh-part1.html
http://twistedmatrix.com/pipermail/twisted-python/2007-July/015793.html
http://www.lag.net/paramiko/
http://www.lag.net/paramiko/docs/
http://stackoverflow.com/questions/25127406/paramiko-2-tier-cisco-ssh
http://rtomaszewski.blogspot.com/2012/08/problem-runing-ssh-or-scp-from-python.html
http://www.copyandwaste.com/posts/view/pexpect-python-and-managing-devices-tratto/
http://askubuntu.com/questions/344407/how-to-read-complete-line-in-for-loop-with-spaces
http://stackoverflow.com/questions/10463216/python-pexpect-timeout-falls-into-traceback-and-exists
http://stackoverflow.com/questions/21055943/pxssh-connecting-to-an-ssh-proxy-timeout-exceeded-in-read-nonblocking
http://www.pennington.net/tutorial/pexpect_001/pexpect_tutorial.pdf
https://github.com/npug/asa-capture/blob/master/asa-capture.py
http://stackoverflow.com/questions/26227791/ssh-with-subprocess-popen


Cisco ASAs: Baseline Configurations


So, I’ve been dabbling around in the Cisco field for many years now. I started taking Cisco Academy courses at a local college in the Fall of 2002 and since then I’ve completed all the CCNA, CCNP and most recently the CCNA Security courses. By no means am I calling myself an expert, the best Cisco Engineer on the planet, or even on par with a Cisco engineer that’s been in the field for at least a year or so. But what I am saying is that, I feel that I’ve got a decent background.

I bought a Cisco ASA 5505 a few years ago, played with it for a while and then got side tracked with other work. I even forgot I even owned the device for a while, until I took my CCNA Security course in the Fall of 2012.

Again, my purpose of this blog site is to help give back to the community. So I just want to throw down a little ASA knowledge for anyone interested in buying an ASA for home use. This stuff is even transferable to the high class 5510’s up to the 5585’s.

Now, I host my own services for many reasons; mail, web, remote access, etc… Mainly the reason I do this is because for every service I run out of my house, the more knowledge I gain in IT management, Securing networks, and knowing what it takes to run both sides of the house (IT and Security). What I want to do here is go over how to create a baseline configuration for a Cisco ASA unit. It really is easier than you think.

 

So lets get going here!

 

If you’ve got a brand new Cisco ASA, right out of the box and you’re about to plug it in, you’re in a perfect spot. If you bought one off eBay or something like that, you’ll want to wipe the configuration on the device.

In order to wipe an ASA you need to know the enable password to the device, or you need to boot it into recovery mode. If you’re having issues with the password, I recommend you just reset it with the information on Cisco’s website.

I’m doing this work from a Debian box, but you can do this from virtually any OS. You’ll need a Cisco serial cable, which you should’ve gotten with your purchase of an ASA. For those of you who haven’t seen one, they look like this:
Cisco Serial Cable

And if you’re connecting with a laptop made in the last few years you’ll need a USB to serial adapter. Many computers don’t even have Serial ports anymore, so this adapter is essential.
USB to Serial (RS-232)

To connect to the Cisco ASA, connect your USB connector to your computer, and the Cisco serial cable to your ASA device. Then the easiest thing to use is Putty, which you can get from the Putty Website. There is the installer for pretty much every Windows OS as well as the source code that you can compile on just about every Unix/Linux platform out there.

After you get Putty installed and running, you can modify the settings to your liking. I like being able to see all the scroll-back of my sessions, so I normally set that to “999999” or something like that, and I also save all session output to putty.log on the Desktop of whatever OS I’m on at the time.

To connect to your Cisco ASA, on the main screen, click on “Serial”, verify that your serial port is properly set up and click “Connect”. For Windows based machines, your USB to Serial connector usually will create a COM port that you’ll have to verify in the “Device Manager”. In Linux, the USB to Serial Adapter creates a device in your “/dev” directory, usually named “/dev/ttyUSB0”, but again, you’ll want to verify that. Also, most Linux distros require that you access that device as root. You may have to start Putty from the command line like this:

sudo putty

 

You should see this window appear after a few seconds:

Putty Screen in Linux

 

Alright enough messing around. Connect to your ASA and then power it on. You’ll see a bunch of scroll back as your device is starting. Like this:

CISCO SYSTEMS
Embedded BIOS Version 1.0(12)6 08/21/06 17:26:53.43

Low Memory: 632 KB
High Memory: 251 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
 00  01  00   1022   2080  Host Bridge        
 00  01  02   1022   2082  Chipset En/Decrypt 11
 00  0C  00   1148   4320  Ethernet           11
 00  0D  00   177D   0003  Network En/Decrypt 10
 00  0F  00   1022   2090  ISA Bridge        
 00  0F  02   1022   2092  IDE Controller    
 00  0F  03   1022   2093  Audio              10
 00  0F  04   1022   2094  Serial Bus         9
 00  0F  05   1022   2095  Serial Bus         9

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)6) #0: Mon Aug 21 19:34:06 PDT 2006

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
                                               
Launching BootLoader...
Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa845-k8.bin... Booting...
Platform ASA5505

Loading...
IO memory blocks requested from bigphys 32bit: 9672
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 96 files, 10581/31033 clusters
dosfsck(/dev/hda1) returned 0
Processor memory 109051904, Reserved memory: 41943040

Total SSMs found: 0

Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 0019.0724.43f6
88E6095 rev 2 Ethernet @ index 07 MAC: 0019.0724.43f5
88E6095 rev 2 Ethernet @ index 06 MAC: 0019.0724.43f4
88E6095 rev 2 Ethernet @ index 05 MAC: 0019.0724.43f3
88E6095 rev 2 Ethernet @ index 04 MAC: 0019.0724.43f2
88E6095 rev 2 Ethernet @ index 03 MAC: 0019.0724.43f1
88E6095 rev 2 Ethernet @ index 02 MAC: 0019.0724.43f0
88E6095 rev 2 Ethernet @ index 01 MAC: 0019.0724.43ef
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 0019.0724.43f7
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
Verify the activation-key, it might take a while...
Running Permanent Activation Key:  

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 50             perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.


Cisco Adaptive Security Appliance Software Version 8.4(5)

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************

Copyright (c) 1996-2012 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Reading from flash...
Flash read failed

Cryptochecksum (changed):  

Pre-configure Firewall now through interactive prompts [yes]?

From here the ASA is going to ask a series of questions in order to get a very minimal configuration setup. You can go through them or not. Either way will be fine. I’m going to go through the prompts just to show what questions are asked:

Pre-configure Firewall now through interactive prompts [yes]?
Firewall Mode [Routed]: Routed
Enable password [<use current password>]: {strong-password-here}
Allow password recovery [yes]?
Clock (UTC):
  Year [2012]:
  Month [Dec]:
  Day [21]:
  Time [22:57:31]: 18:00:35
Management IP address: 172.27.128.56
Management network mask: 255.255.255.0
Host name: Erdmanor-ASA
Domain name: erdmanor.com
IP address of host running Device Manager:

The following configuration will be used:
Enable password:
Allow password recovery: yes
Clock (UTC): 18:00:35 Dec 21 2012
Firewall Mode: Routed
Management IP address: 172.27.128.56
Management network mask: 255.255.255.0
Host name: Erdmanor-ASA
Domain name: erdmanor.com

Use this configuration and write to flash? yes
INFO: Security level for "management" set to 0 by default.
Cryptochecksum: e661f916 9e00a961 ba015bae 20f4d894

2081 bytes copied in 1.50 secs (2081 bytes/sec)

It’s very important here that you set up your ASA in Routed mode. The reason is that the only way to have an Internal, External and DMZ interface on your network with a base-licensed ASA is to have it in Routed mode. According to Cisco, “For the Base license, allow this interface to be the third VLAN by limiting it from initiating contact to one other VLAN using the following command:

hostname(config-if)# no forward interface vlan number

Where number specifies the VLAN ID to which this VLAN interface cannot initiate traffic.

With the Base license, you can only configure a third VLAN if you use this command to limit it.

For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the no forward interface command on the home VLAN; the business network can access the home network, but the home network cannot access the business network.

If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface command before the nameif command on the third interface; the adaptive security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance.”

My suggestion here is that our Outside interface should never initiate traffic to the Internal network. The purpose of the Internal network is to communicate with Internet hosts and the DMZ. It is the most secure network we have, therefore it should never accept incoming traffic. The DMZ will accept all incoming traffic, and if there are any reverse proxies, the DMZ will hold all of those systems and relay to the internal network on behalf of any Internet host. A few examples of this would be a reverse SMTP proxy or an HTTP or HTTPS reverse proxy. There is NEVER a reason for the Internal network to accept Internet traffic... unless you have a lazy admin, or your company doesn’t know shit about security.

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same-security interfaces lets traffic flow freely between all of them without access lists. If you enable NAT control, you do not need to configure NAT between same-security-level interfaces. If you enable same-security interface communication, you can still configure interfaces at different security levels as usual. While I highly discourage this, if you want to enable interfaces on the same security level so that they can communicate with each other, enter the following command:

hostname(config)# same-security-traffic permit inter-interface

So let’s see. What should we start with? Well, if you saw my blog on network architecture you’ll know that we should start things off securely. Let’s get a DMZ up and running as well as our internal and external interfaces.

enable
conf t
(config)# interface vlan 1
(config-if)# ip address (192.168.0.1) 255.255.255.0 ### Change this to match your internal network
(config-if)# nameif Inside
(config-if)# security-level 100
(config-if)# no shut
(config-if)# exit
(config)# interface vlan 100
(config-if)# ip address (outside IP) 255.255.255.248 ### Change this to match your ISP Static IP Address
(config-if)# nameif Outside
(config-if)# security-level 0
(config-if)# no shut
(config-if)# exit
(config)# interface vlan 200
(config-if)# no forward interface vlan 100 ### Base license: this must be entered BEFORE nameif on the third VLAN (see the Cisco note above)
(config-if)# ip address (172.16.0.1) 255.255.255.0 ### Change this to match your DMZ network
(config-if)# nameif DMZ
(config-if)# security-level 50
(config-if)# no shut
(config-if)# end
write mem

What we’ve done here is set up the three VLANs that we’ll be using in our network; per the Cisco note above, the third (DMZ) VLAN is restricted from initiating traffic to the VLAN named in its no forward interface command. Once you set up these VLANs, issue the “end” command followed by the “write mem” command to save your running config. Then issue the “show run” command to view your config.

Now, let’s get rid of some junk configurations that Cisco throws in there.

conf t
(config)# no service-policy global_policy global
(config)# clear config call-home
(config)# no ftp mode passive
(config)# no snmp-server enable
(config)# no telnet timeout 5
(config)# end
wr mem

Now you can go back and check your config again by issuing the “show run” command.

So, let’s get off this console connection and get our SSH running. Once SSH is running we can not only access our Cisco ASA from the Linux command line, where most of us are more comfortable, but we can also build up some pretty sweet Python scripts that we can use to manage our ASA much more easily. My coworker Adrian (AKA IronGeek) wrote up some pretty bad ass Python scripts to do various management tasks on some higher end 5500 Series ASAs (fully tested on 5510, 5520 and 5540s).

(config)# crypto key generate rsa modulus 2048
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
(config)# ssh 192.168.0.0 255.255.255.0 inside
(config)# ssh timeout 45
(config)# ssh version 2
(config)# aaa authentication ssh console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
(config)# aaa authentication enable console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
(config)# username steve password MyP@ssw0rd! privilege 15

You got 2 warning messages here. The first command that warned you the local user database was empty was telling the ASA to look at the local user database for SSH authentication. The second warning was for the same reason, but that command was telling the ASA that you also want user authentication for the “enable” command. The “username” line that follows fills the local database so both warnings no longer apply.

Perfect, now let’s get out of this console connection and configure this thing over SSH.

ssh steve@192.168.0.1
The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
RSA key fingerprint is 54:df:df:3e:we:5b:yj:20:ng:46:f4:a7:9p:a3:e6:8x.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.1' (RSA) to the list of known hosts.
steve@192.168.0.1's password:
Type help or '?' for a list of available commands.
Erdmanor-ASA> en
Password: *********
Erdmanor-ASA#

Now that we’ve got management access set up, let’s get a real config going on this thing. The first thing it needs is a default gateway so that it knows where to send traffic. Your Internet Service Provider (ISP) should have given you a default gateway IP address. If they haven’t, it is usually your ISP’s on-site equipment, typically some type of router.

Now let’s start creating our network objects (and, later, object groups). Beginning with ASA version 8.3, network objects are used to configure all forms of NAT: a network object is created, and NAT is configured inside that object. In this step a network object (Cisco’s example calls it “inside-net”; ours is named “internal-network” below) is used to translate the inside network 192.168.0.0/24 to global addresses on the outside of the ASA. Cisco calls this type of object configuration Auto-NAT.

You’re really going to want to create as MANY objects and object groups as you can think of for all of your network segments. There’s a LOT of overhead here. You’re better off starting out by making a list of all your servers, their functions, their open ports and what needs to be accessed from the Internet, then coming back and making your objects. I went through all this crap when I put this together; you can do the same (it’s really not that difficult, and if you’re at a business and you don’t already have this stuff documented, shame on you!).

Let’s start with the default “quad-zero” route and then specify the internal, external and DMZ networks. The “nat” statements we’re going to add to the DMZ and Internal network objects specify that all traffic leaving those networks is translated to the “outside-hide-nat” object, spread across the public IP addresses in its range.

(config)# route outside 0.0.0.0 0.0.0.0 108.227.33.126
(config)# object network outside-hide-nat
(config-network-object)# range 108.227.33.121 108.227.33.124
(config-network-object)# exit
(config)# object network internal-network
(config-network-object)# subnet 192.168.0.0 255.255.255.0
(config-network-object)# nat (inside,outside) dynamic outside-hide-nat
(config-network-object)# exit
(config)# object network dmz-network
(config-network-object)# subnet 172.16.0.0 255.255.255.0
(config-network-object)# nat (DMZ,Outside) dynamic outside-hide-nat
(config-network-object)# end
# wr mem
Building configuration...
Cryptochecksum: 9a5cd00b 1dcb8169 b07905cf 8b7904ed

2961 bytes copied in 1.120 secs (2961 bytes/sec)
[OK]

Alright, so now we have basic Internet access from both our networks (the DMZ and Internal). Now we need to configure our ASA to forward specific traffic to our DMZ servers. It is very important that you realize we’re using Port Address Translation (PAT) here. There are other ways to do NAT, but we have more ports to open up to internal servers than we have external IP addresses. We have over 5 Internal Servers and only 4 Public IP addresses we can use for inbound traffic.

What we’ll do here is create more objects first.

object network openvpn
 host 172.16.0.14
object network https-exchange
 host 172.16.0.17
object network dns-external-1
 host 172.16.0.23
object network dns-external-2
 host 172.16.0.28
object network external-rdp
 host 172.16.0.37
object network external-ssh
 host 172.16.0.45

Now we need to create the proper PAT NAT statements for all of our externally accessible services. To do this, first we need to identify a new network object and specify a unique name for each inbound service. Then we’ll specify the host that it’s talking to in our DMZ, then we can create the inbound NAT and tie it to a service.

(config)# object network client-openvpn
(config-network-object)# host 172.16.0.14
(config-network-object)# nat (DMZ,Outside) static 108.227.33.124 service tcp https https ### real interface first (the host lives in the DMZ), then the mapped interface
(config-network-object)# exit

See how easy that is? Let’s look at this for a quick minute though. First there is the network object name, “client-openvpn”. Then we specify the DMZ host IP address that the name is attached to. Then we create the PAT: the NAT statement specifies the static mapped address, which is an outside public address, then that it’s a TCP service whose outside port 443 maps to port 443 on the DMZ host 172.16.0.14.

Now that we’ve got one done, let’s get the rest:

### Every one of these hosts lives in the DMZ, so the interface pair is (DMZ,Outside): real interface first, mapped interface second
(config)# object network openvpn-site2site
(config-network-object)# host 172.16.0.14
(config-network-object)# nat (DMZ,Outside) static 108.227.33.124 service udp 7777 7777
(config-network-object)# exit
(config)# object network http-20
(config-network-object)# host 172.16.0.23
(config-network-object)# nat (DMZ,Outside) static 108.227.33.122 service tcp www www
(config-network-object)# exit
(config)# object network http-25
(config-network-object)# host 172.16.0.28
(config-network-object)# nat (DMZ,Outside) static 108.227.33.123 service tcp www www
(config-network-object)# exit
(config)# object network https-25
(config-network-object)# host 172.16.0.28
(config-network-object)# nat (DMZ,Outside) static 108.227.33.123 service tcp https https
(config-network-object)# exit
(config)# object network https-exchange
(config-network-object)# host 172.16.0.17
(config-network-object)# nat (DMZ,Outside) static 108.227.33.122 service tcp https https
(config-network-object)# exit
(config)# object network smtp-in
(config-network-object)# host 172.16.0.28
(config-network-object)# nat (DMZ,Outside) static 108.227.33.122 service tcp smtp smtp
(config-network-object)# exit
(config)# object network dns-external-1
(config-network-object)# host 172.16.0.23
(config-network-object)# nat (DMZ,Outside) static 108.227.33.122 service udp domain domain
(config-network-object)# exit
(config)# object network dns-external-2
(config-network-object)# host 172.16.0.28
(config-network-object)# nat (DMZ,Outside) static 108.227.33.123 service udp domain domain
(config-network-object)# exit
(config)# object network external-rdp
(config-network-object)# host 172.16.0.37
(config-network-object)# nat (DMZ,Outside) static 108.227.33.124 service tcp 3389 3389
(config-network-object)# exit
(config)# object network external-ssh
(config-network-object)# host 172.16.0.45
(config-network-object)# nat (DMZ,Outside) static 108.227.33.124 service tcp ssh ssh
(config-network-object)# exit
(config)# wr mem

Now that we have our internal objects created, as well as our PAT NAT objects, we can move along and create the access list for our outside interface. This access list controls Internet traffic inbound to our servers, specifies the port number each server service uses, and logs each hit. Then we’ll apply the access list to the external interface. Note that on ASA 8.3 and later the access list is written against the real (DMZ) addresses, not the translated public ones.

(config)# access-list outside-traffic-inbound extended permit udp any host 172.16.0.23 eq domain log
(config)# access-list outside-traffic-inbound extended permit udp any host 172.16.0.28 eq domain log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.23 eq www log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.28 eq www log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.37 eq 3389 log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.45 eq ssh log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.17 eq https log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.28 eq https log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.14 eq https log
(config)# access-list outside-traffic-inbound extended permit udp any host 172.16.0.14 eq 5656 log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.28 eq smtp log
(config)# access-list outside-traffic-inbound extended deny ip any any log
(config)# access-group outside-traffic-inbound in interface Outside
(config)# wr mem
Building configuration...
Cryptochecksum: 7f5a5aab aabeeafa dff03aeb ef264ed5

3404 bytes copied in 1.110 secs (3404 bytes/sec)
[OK]
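As an added check that is not part of the original post: on ASA 8.3+ the inbound ACL matches the real (DMZ) addresses, so every service-specific static NAT above should have a matching permit line, and the access-group must name an ACL that actually exists. The script below parses config in the format used here (object network / host / nat / access-list / access-group lines, CLI prompts optional); its sample config is constructed from this post’s entries and deliberately keeps two inconsistencies to show what the audit flags.

```python
"""Cross-check ASA object-NAT (PAT) entries against the inbound ACL.
Added example, not from the original post: every `nat (...) static <public> service
<proto> <real> <mapped>` needs a `permit <proto> any host <real-ip> eq <real-port>`."""
import re

# Port keywords used in this post's config, mapped to numbers for comparison.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}

PROMPT_RE = re.compile(r"^[\w-]*\(config[\w-]*\)#\s*")  # strips "(config-if)# " style prompts
NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static (\S+) service (tcp|udp) (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (\S+) host (\S+) eq (\S+)")
AG_RE = re.compile(r"access-group (\S+) in interface (\S+)")

# Constructed sample built from the post's DMZ entries; it deliberately keeps
# a port mismatch (udp 7777 vs 5656) and a misspelled access-group name.
SAMPLE_CONFIG = """\
object network client-openvpn
 host 172.16.0.14
 nat (DMZ,Outside) static 108.227.33.124 service tcp https https
object network openvpn-site2site
 host 172.16.0.14
 nat (DMZ,Outside) static 108.227.33.124 service udp 7777 7777
access-list outside-traffic-inbound extended permit tcp any host 172.16.0.14 eq https log
access-list outside-traffic-inbound extended permit udp any host 172.16.0.14 eq 5656 log
access-list outside-traffic-inbound extended deny ip any any log
access-group outside-traffic-in in interface Outside
"""


def clean_lines(config):
    """Yield config lines with surrounding whitespace and CLI prompts removed."""
    for line in config.splitlines():
        line = PROMPT_RE.sub("", line.strip())
        if line:
            yield line


def port_number(token):
    """Turn 'https' or '443' into a comparable port value (unknown names stay as text)."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token, token)


def parse_nat_objects(config):
    """Return one dict per network object that carries a static service NAT."""
    objects, current = [], None
    for line in clean_lines(config):
        if line.startswith("object network "):
            current = {"name": line.split()[2], "host": None}
            objects.append(current)
        elif line.startswith("host ") and current is not None:
            current["host"] = line.split()[1]
        elif current is not None and (m := NAT_RE.match(line)):
            current.update(real_if=m[1], mapped_if=m[2], mapped_ip=m[3], proto=m[4],
                           real_port=port_number(m[5]), mapped_port=port_number(m[6]))
    return [o for o in objects if "proto" in o]


def parse_acl_permits(config):
    """Return (acl_name, proto, dst_host, dst_port) for each host-specific permit."""
    permits = []
    for line in clean_lines(config):
        m = ACL_RE.match(line)
        if m and m[2] == "permit":
            permits.append((m[1], m[3], m[5], port_number(m[6])))
    return permits


def audit(config):
    """Return human-readable findings; an empty list means NAT, ACL and access-group agree."""
    findings = []
    nats, permits = parse_nat_objects(config), parse_acl_permits(config)
    acl_names = {ln.split()[1] for ln in clean_lines(config) if ln.startswith("access-list ")}
    exposed = {(n["proto"], n["host"], n["real_port"]) for n in nats}
    permitted = {(proto, host, port) for _, proto, host, port in permits}
    for n in nats:  # a NAT with no matching permit is a service that silently never works
        if (n["proto"], n["host"], n["real_port"]) not in permitted:
            findings.append(f"NAT {n['name']}: {n['proto']} {n['host']}:{n['real_port']} has no ACL permit")
    for acl, proto, host, port in permits:  # a permit with no NAT is a stale or mistyped rule
        if (proto, host, port) not in exposed:
            findings.append(f"ACL {acl}: permit {proto} {host}:{port} matches no inbound NAT")
    for line in clean_lines(config):  # access-group naming a missing ACL means nothing is applied
        m = AG_RE.match(line)
        if m and m[1] not in acl_names:
            findings.append(f"access-group references undefined ACL {m[1]}")
    return findings
```

Feed it the output of “show run” (prompts included are fine) and an empty result means every exposed DMZ port has exactly one matching permit and the ACL really is bound to the interface.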

 

 

Fantastic. The process we just ran through for creating inbound NATs and permits into the DMZ can be repeated for any other service you are running on your network. Running Microsoft Exchange? You’ll want to allow TCP 443 into it. An SSH server? TCP 22 for that. An SMTP reverse proxy for SPAM filtering? TCP 25 into that.

Well… you get the picture. Just repeat the process! 🙂

Now, to complete a network properly we shouldn’t just let anyone out over any port; so far there’s no egress filtering going on here. Let’s specify what ports our internal users, as well as our servers, are allowed to communicate on over the Internet. The only way to do that is to create more network objects and more access lists.

Obviously, there’s no reason to ever be browsing the Internet from a server. Don’t be lazy, just do it right. Start by creating a network object containing either the subnet your Windows servers are on, or, you can just specify the host IP addresses your Windows servers have.

object-group network Windows-Servers
 description Microsoft Windows Servers Group
 network-object host 172.16.0.15
 network-object host 172.16.0.16
 network-object host 172.16.0.17
 network-object host 172.16.0.19
 network-object host 172.16.0.37
 network-object host 172.16.0.45
 network-object host 172.16.0.99

Now let’s make an object group that contains the most commonly used IP ranges owned and operated by Microsoft:

object-group network Microsoft-Internet
 description Microsoft server networks External IP ranges
 network-object 64.4.0.0 255.255.192.0
 network-object 65.52.0.0 255.252.0.0
 network-object 207.46.0.0 255.255.0.0

Now all we need is an ACL to allow the servers to talk outbound:

access-list inside-traffic-outbound extended permit tcp object-group Windows-Servers object-group Microsoft-Internet eq www
access-list inside-traffic-outbound extended permit tcp object-group Windows-Servers object-group Microsoft-Internet eq https

Let’s do the same thing for our Ubuntu Servers. We have Linux Mint, Debian, and Ubuntu on the network, so we’ll just tie them all together:

object-group network Linux-OS-Updates
 description Linux Mint - Debian - and Ubuntu server networks External IP ranges
 network-object 91.189.88.0 255.255.240.0
 network-object 65.175.128.0 255.255.255.128
 network-object 109.203.97.0 255.255.255.0
 network-object 204.45.0.0 255.255.0.0

And again we need to create our ACLs. These reference a Linux-Systems object group, which you build the same way as Windows-Servers above, with your Linux hosts:

access-list inside-traffic-outbound extended permit tcp object-group Linux-Systems object-group Linux-OS-Updates eq www
access-list inside-traffic-outbound extended permit tcp object-group Linux-Systems object-group Linux-OS-Updates eq https

I also talk on a couple of networks like AOL IM, ICQ and Facebook Chat, so my computer needs access out to those servers.

So again, create the object group with the IP ranges for AOL, ICQ and Facebook:

object-group network aim-icq-fb
 description networks for Facebook, AOL IM and ICQ Instant Messengers
 network-object 173.252.64.0 255.255.192.0
 network-object 69.171.224.0 255.255.224.0
 network-object 66.220.144.0 255.255.240.0
 network-object 64.12.0.0 255.255.0.0
 network-object 205.188.0.0 255.255.0.0

And again, allow traffic out with an ACL:

access-list inside-traffic-outbound extended permit tcp host 192.168.0.86 object-group aim-icq-fb eq aol
access-list inside-traffic-outbound extended permit tcp host 192.168.0.86 object-group aim-icq-fb eq 5222

Also, if you’re running a spam filtering server in your DMZ while your mail server is in your Internal network, you’ll have to create a NAT from your DMZ to your Internal network, using the same process again.

Also, don’t forget to allow your Exchange server to send mail and your DNS servers to perform lookups! The second line below references an Internal-DNS-Servers object group, built the same way as the groups above with your DNS hosts:

access-list inside-traffic-outbound extended permit tcp object https-exchange any eq smtp
access-list inside-traffic-outbound extended permit udp object-group Internal-DNS-Servers any eq domain

Lastly, if you want your DMZ or Internal network to have access to the Internet, make sure to build an access list that allows traffic out and apply it to the interface! Haha, won’t get far without that!

Have fun with this. There’s a million ways to tweak what you’re trying to do!

Enjoy!

References for this blog go to:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1054877
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
http://www.gomjabbar.com/2011/09/11/no-forward-interface-command-on-the-cisco-asa-5505-with-a-base-license/
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wpxref64390
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wp1094668
http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/nat_overview.html
http://blog.f85.net/2011/11/cisco-asa-5500-ad-integration.html
https://www.google.com/search?oq=cisco+asa+5505+active+directory+authentication&sourceid=chrome&ie=UTF-8&q=cisco+asa+5505+active+directory+authentication
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html#wp1140516
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/objectgroups.html
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_objects.html#wp1525205
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_objects.html
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_overview.html
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_extended.html
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html

Cisco Fun

So, I decided to go back to school (after 3 or so semesters off) and take some fun classes. Last time I went I was stuck in some shit Liberal Arts classes. I won’t bore you with that. So this semester I’m taking Red Hat Admin 1, which I’m flying through at an obscene rate, and Cisco Security 1. Now, when I started college back in fall of 2002, I started with CCNA classes. I loved them; took 8 semesters of Cisco CCNA and CCNP courses. So it’s been a while, but I figured I should take some new Cisco classes.

Well, it’s been great so far. Tonight, in my home lab I hooked up my 2600 routers and did some labs on password resets (easy, but good to know), and I also hooked up my 2 Cisco PIX 515’s and learned how to do a password reset on those too.

Now I learned that both of my PIX firewalls are still running 5.3 software… these things are from the stone age!!!

Also in my quest was working on some client work. They have an ASA 5510. In working on that, I thought to update my 5505. It’s been a while, so I went through and reconfigured a bunch of stuff. In the process I figured out it only supports 3 VLANs. 2 of those are for the Inside and Outside networks and a third, DMZ type VLAN, that isn’t allowed to initiate communications to any other VLAN. Come on Cisco, this is ridiculous. I need something with a serious amount of more horsepower and abilities.

The ASA 5505 is probably great for some people, but not me. Anyone out there interested in buying this thing? It’s a couple years old but I have the 8.4 software on it and am willing to sell it at a good price!

References:

http://www.cisco.com/en/US/products/hw/routers/ps259/products_password_recovery09186a0080094675.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml#pix_without