CISCO ASA
Configuration:

  1. Set IP addresses
  2. Set security levels
  3. Set routes
  4. At this point the interfaces can be pinged (an internal one is not needed)

Example: asa_config1.cfg.zip


Contexts
To see all the contexts, we need to be in the system context:

DC03-ROUTEFW01/admin/pri/act# changeto context sys
DC03-ROUTEFW01/pri/act# show context 
...
DC03-ROUTEFW01/pri/act# changeto dmz-internet-fwall

Troubleshooting with capture: a classical packet capture requires an access list matching the interesting traffic. (elaborate this!)

capture <capture_name> access-list <acl_name> interface <if_name>

Then we can just download the pcap from the ASA's web interface:

https://<asa_ip>/admin/capture/<capture_name>/pcap

We can also use a match clause instead of the access list. To copy a capture out:

copy /pcap capture:<capture_name> tftp://<server>/<filename>.pcap
Concept of service policy:

show service-policy set connection detail

This shows all the class-maps with the number of packets and the rate at which they are hit.
This one 'emulates' a packet and reports which service policies it hits:

show service-policy flow udp host 209.165.200.229 host 209.165.202.158 eq 5060

PACKET TRACER
Especially useful for IPsec: https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer
It injects a virtual packet into the security appliance and tracks the flow from ingress to egress.
To generate real TCP probes (useful to test NAT): tcpping

packet-tracer input inside icmp 10.1.1.2 8 0 172.21.1.2 # FOR ECHO REQUEST
packet-tracer input outside icmp 172.21.1.2 0 0 10.1.1.2 # FOR ECHO REPLY


IDS in ASA

show run threat-detection

Basic (default)

threat-detection basic-threat
no threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200



ACL LOOKUP
From a high security level to a lower one, no access list is strictly required (traffic will flow), but we can still apply one.
On the ASA, access lists are not limited to Layer 4; they can match up to Layer 7. Security appliance ACLs use a proper subnet mask (no wildcard masks as in plain IOS ACLs) and are only evaluated on the first packet of a flow; each entry is an ACE.
Note that, for TCP or UDP sessions, the flow (and therefore the return traffic) is easy for the appliance to identify. For ICMP, however, we need to either 1) explicitly allow the return ICMP traffic with an ACL applied to the outside interface, or 2) enable ICMP inspection.
Ping to the ASA interfaces is allowed by default. We can restrict it with an icmp policy (commands start with the icmp keyword).

Review split tunnel for remote access VPN: a solution that allows non-tunnel-bound traffic to bypass the firewall. Split tunnelling is mainly for remote access VPN, where we want our customers' Internet traffic to also be inspected by the firewall (this needs to be reviewed).

ACLs can be global, i.e. applied inbound on all interfaces.
Standard access lists are applied to processes, not interfaces: they are used for split tunnelling or, for example, to apply an ACL to OSPF (see pg 251). Review split tunnel for remote access VPN.

Extended access lists are not applied at the interface level as in classic IOS; they are bound to an interface with access-group:

access-group name in interface inside 

Check object grouping and object nesting for ACLs!

The ASA can download ACLs on demand after a user tries to access a resource (and is prompted for credentials).

show conn detail  <-- important here are the flags (see table 263)
show conn all
show access-list    <-- for the hit count 



NAT. Essential resource, NAT cheat sheet: http://packetpushers.net/cisco-nat-cheat-sheet/

NAT types: inside NAT (from high to low security level: traffic destined to the public realm, with the device translating the source so that the return is possible); outside NAT, when a host in the lower security level is also translated when the destination is on the inside; and bidirectional NAT, when both happen.
NAT methods: static, dynamic, policy and identity.
By default, NAT translates (e.g.) the source address BUT ALSO randomizes the TCP initial sequence number (ISN). This can cause issues with BGP MD5, so sometimes we need to turn it off.


Pre-8.3 behaviour: there was a more permissive way of NATting. From a high to a low security level, NAT was not compulsory. With nat-control we could force flows to match a NAT rule or be discarded (from inside to outside), i.e. using the 'nat-control' command plus access lists.

Pg 348: before routing, the ASA checks destination NAT and virtually forwards the packet according to it. Note that this is only relevant pre-8.3; in later ASA OS versions, Unified NAT is used.

"nat (inside,outside) ..." is NATting and has nothing to do with global access lists (from 8.3 onwards).

global (liffe_nyse_hpci_red) 60 interface 

Define the inside group to be included for NAT.

nat (inside) 1 10.1.6.0 255.255.255.0


Specify a pool of addresses on the outside interface to which the hosts defined in the NAT statement are translated:

global (outside) 1 175.1.1.3-175.1.1.64 netmask 255.255.255.0

Now the hosts on the inside can access outside networks. When hosts from the inside initiate a connection to the outside, they are translated to an address from the global pool. Note that the addresses are assigned from the global pool on a first-come, first-translated basis.


Static NAT/PAT: a fixed one-to-one pair, so if we have 100 hosts on the inside it would require 100 addresses on the outside. It is important to have the concept clear that the outside destination address/port that is translated to an internal one does not necessarily have to be the interface address; it can be any address in that external subnet. E.g.: a client at 2.32.1.1/16 sending packets to destination 209.165.200.229:25 is translated to internal 192.168.1.1/24 while the outbound interface address is 209.65.200.229!*
* this would need some kind of outbound route towards that internal one... (see pg 342)
NAT example:

nat (inside) 1 10.1.2.0 255.255.255.0            <-- To define the inside address pool
global (outside) 1 209.165.201.1-209.165.201.15  <-- To map that pool to a set of outside addresses


static (inside,dmz) 10.1.6.0 10.1.6.0 netmask 255.255.255.0
access-list acl_outbound permit tcp 10.1.6.0 255.255.255.0 any eq www
access-list acl_outbound deny tcp any any eq www
access-list acl_outbound permit ip any any
access-group acl_outbound in interface inside


(config)# static(outside, inside) 213.238.120.10 10.1.3.4 netmask 255.255.255.255 dns 

It resolves the problem stated by Paul: any DNS response regarding an inside host, exchanged between an inside host and an outside DNS server, is rewritten to the unmapped (real) IP of the host.

Post-8.3: for all the examples here, listen to show 35 in http://www.cisco.com/c/en/us/solutions/enterprise-networks/security/security_tac_podcasts.html

Basically AutoNAT and Manual/Policy NAT. Simplified configurations; see the steps here.
AutoNAT: the object order is not relevant, as the ASA chooses the most suitable rule based on specificity.
To configure it, we use one of the defined methods inside the network object. E.g.:

(conf-network-obj)# nat (inside,outside) dynamic interface

or

(conf-network-obj)# nat (DMZ,outside) static 212.165.20.225

Note: (conf-network-obj) means this is inside an object definition.


Manual/Policy NAT: changes source and/or destination. Uses predefined objects and is not inside the object definition. Network objects in NAT can be seen as containers of the NAT actions: the NAT is embedded in the object, and the object can be reused outside the NAT realm, for instance in access lists. An example is a server being translated outbound: if we want to use that server definition in an ACL permitting traffic outbound, we can do so and the NAT will be implicit! If we change the server address, the NAT and the ACL will be updated automatically. Manual NAT: example 10-3, pg 359.

Also see the special location of the network object in the configuration and how it seems repeated. This is to do with the way it is loaded in memory. Listen to the explanation at min 12 in the podcast.
The real (not translated) address of the host is used in the access list to allow or deny traffic destined to it. Understand "not translated" in the sense of address space, not time (the latter would be ambiguous); basically it means the inside address. Pre-8.3 it was the opposite.
The following commands are no longer supported: alias, global, nat (old version), nat-control, static, ...

Also, no default NAT rules exist anymore, so in order to let traffic move (e.g. from inside to outside) we need to create those NAT rules.

Unified NAT is used instead of the old NAT order, meaning top-down and more specific first.


Troubleshooting. To see the NAT table order:

show nat <-- to see the Unified NAT table
show xlate
show local-host {ip} <-- to see the statistics of a single host (practise this)

If memory issues:

show xlate count
show conn count
show processes cpu-usage sorted non-zero
fw01/dc.grapeshot.co.uk/pri/act# show perfmon 

PERFMON STATS:                     Current      Average
Xlates                             1116/s          7/s
Connections                        4446/s         26/s
TCP Conns                          2992/s         26/s
UDP Conns                          1448/s         29/s
[..]

VALID CONNS RATE in TCP INTERCEPT:    Current      Average
                                     N/A         100.00%
show asdm history feature memory  # historical (200Mb last time)

NETWORK ATTACKS, DDOS:

This might help: http://balodeamit.blogspot.com/2013/10/detecting-and-mitigating-ddos-attacks.html

netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head
  37705 TIME_WAIT
   9190 ESTABLISHED
   1362 FIN_WAIT2
    188 CLOSING
    136 FIN_WAIT1
     94 LAST_ACK
     73 SYN_SENT
     36 SYN_RECV
      1 Foreign
      1

SYN_RECV means the server has received the initial SYN, has sent its own SYN+ACK and is waiting for the ACK from the external machine to complete the TCP handshake; a high SYN_RECV count (as opposed to SYN_SENT) points to the possible source of an attack.

IPSec VPN
To show just the IPsec config:

show run brief | s crypto|isakmp|access-list

ISAKMP = IKE (IKE works inside ISAKMP (RFC 2408))
ISAKMP port: UDP 500 (UDP 4500 with NAT-T)
ESP: IP protocol 50
AH: IP protocol 51

FRAMEWORK STEPS

  • Enable ISAKMP
  • Define ISAKMP policy
  • Define tunnel type (PSK)
  • Define IPsec policy
  • Define crypto map
  • Traffic filtering, bypass NAT, PFS


access-list s2s extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list TEST_ACL line 1 extended deny ip 10.1.1.1 255.255.255.255 4.2.2.2


TEMPLATE (see http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/ike.html)

Phase I

crypto ikev1 enable outside

crypto isakmp identity address
no crypto isakmp nat-traversal

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 am-disable                # disables aggressive mode; there is no command to explicitly enable main mode
tunnel-group 100.1.1.2 type ipsec-l2l  # note that the tunnel group is just named after the peer address
tunnel-group 100.1.1.2 ipsec-attributes
 ikev1 pre-shared-key *****            # PSK not shown; to see it use: more system:running-config

Phase II


crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac 


crypto map outside_map 20 match address s2s
crypto map outside_map 20 set pfs 
crypto map outside_map 20 set peer 100.1.1.2 
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map interface outside



show cryp isakmp sa
show cryp isakmp sa peer ….


sh vpn-sessiondb remote (IPSec Remote VPN Clients)
sh vpn-sessiondb l2l (L2L Tunnels)
sh vpn-sessiondb svc (SSL VPN / Anyconnect Clients)


To clear down a tunnel:

clear ipsec sa peer <peer ip>


Policy-Based VPN

Phase I

- We have to define symmetric access lists, the ISAKMP association and authentication using pre-shared keys.

  We create a keyring to hold our pre-shared keys, which are mapped by peer (public) IP address
  (on both ends):

  crypto keyring VPN
   pre-shared-key address 172.16.0.3 key MySecretKey

- Now we create the ISAKMP policy (profile), on both ends:

  crypto isakmp profile R1_to_R3
   keyring VPN
   match identity address 172.16.0.3 255.255.255.255

Phase II

- Define an IPsec transform-set (protocol, encryption and hashing algorithms):

  crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac

- Tie it all together by creating the crypto map (both ends):

  crypto map Policy_VPN 10 ipsec-isakmp
   match address R1_to_R3
   set peer 172.16.0.3
   set transform-set ESP-AES256-SHA1
   set isakmp-profile R1_to_R3
   reverse-route static
   set reverse-route distance 10
  !
  interface FastEthernet0/0
   crypto map Policy_VPN

Remember this is different from (route-based) tunnelling; here there is usually a server (the firewall): http://packetlife.net/blog/2011/aug/15/policy-based-vs-route-based-vpns-pa


VPN REMOTE ACCESS

  • ISAKMP: Auth method, Encrypt method, HMAC integrity, DH, time-limit
  • ISAKMP phase1: create the tunnel to
  • ISAKMP phase2


Real example (trad.)

Dubinetfw1 – dubcorertr1 – TRADIF-L2L-TRF1-TRF2-001 (10m BSO) – ldnbh1gtransitrtr1
NAT

sh nat

Several exemptions:

from inside to inside  <<< Review when and how NATting is needed between interfaces of the same security level. network-control
from inside to Internet
match ip inside any inside 10.25.195.0 255.255.255.0
dynamic translation to pool 30 (No matching global)
match ip inside any Internet any
dynamic translation to pool 1 (94.200.58.68 [Interface PAT])
translate_hits = 217109256, untranslate_hits = 80650806


- Also, network-object is analogous to address-book
MODULAR POLICY FRAMEWORK
CLASS-MAP (a template that matches a given traffic type) - POLICY-MAP (a list of policies, each referring to a class-map) - SERVICE-POLICY (the interfaces to which the policy-map is applied)
Global policy → a policy applied to all interfaces
Example:

ASAwAIP-CLI(config)# policy-map global_policy
ASAwAIP-CLI(config-pmap)# class inspection_default
ASAwAIP-CLI(config-pmap-c)# inspect ftp


Content filtering (triggered by the HTTP engine) - Websense (denying web requests from inside to outside)

Based on an auxiliary server (in the inside/DMZ zone) that tells the firewall which URLs are allowed to be visited.
Per-user filtering, based on credentials previously presented by the user.


Identify the servers:

Firewall(config)# url-server [(if_name)] vendor websense host local_ip [timeout seconds] [protocol {tcp | udp} version]

Define the policy:

Firewall(config)# filter url [http | port[-port]] local_ip local_mask foreign_ip foreign_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]

Define a filtering policy for HTTPS/FTP:

Firewall(config)# filter https dest-port local_ip local_mask foreign_ip foreign_mask [allow]


Example:

Firewall(config)# url-server (dmz) vendor websense host 192.168.199.10 protocol TCP version 4
Firewall(config)# url-server (dmz) vendor websense host 192.168.199.11 protocol TCP version 4

Firewall(config)# filter url http 0 0 0 0 allow proxy-block
Firewall(config)# filter url except 192.168.4.0 255.255.255.0 0 0
Firewall(config)# filter url except 192.168.7.33 255.255.255.255 0 0
Firewall(config)# filter url except 192.168.7.40 255.255.255.255 172.24.1.10 255.255.255.255
Firewall(config)# filter https 443 0 0 0 0 allow
Firewall(config)# filter ftp 21 0 0 0 0 allow
Firewall(config)# url-block block 128
Firewall(config)# url-cache src_dst 128

Filtering based on a policy hierarchy: Modular Policy Framework (fine tuning) (7.2)

CLASS-MAPS: one match condition per class-map.
To define one: (config)# class-map [name]

{(destination) port}:

(config-cmap)# match port tcp eq http

{access-list}, to group disparate traffic into a class and then apply an action. Define the access list:

access-list test extended permit tcp any host 192.168.198.17 eq http

then apply the match condition:

(config-cmap)# match access-list acl_name

{QoS parameters}, two criteria: IP precedence and DSCP.

IP precedence:

(config-cmap)# match precedence value1 [value2 [value3 [value4]]]

DSCP:

(config-cmap)# match dscp value1 [value2 ...[value8]]

RTP:

(config-cmap)# match rtp starting_port range

VPN tunnel group:

(config-cmap)# match tunnel-group name

Other matches:

(config-cmap)# match any
(config-cmap)# match default-inspection-traffic
(config)# class-map type management mgmt_cmap_name

POLICY-MAP: define a policy-map

(config)# policy-map policy_name

Match traffic with a class:

(config-pmap)# class class_name

Take an action on the matched traffic (in config-pmap-c mode, see the actions below), then apply the policy globally or to an interface:

(config)# service-policy policy_name {global | interface if_name}

Actions:

Connection limits (on matched traffic). TCP timeouts:

(config-pmap-c)# set connection timeout [embryonic {hh:mm:...

Connection volume limits (number of connections):

(config-pmap-c)# set connection [conn-max n] [embryonic-...

To monitor the policy:

Firewall# show service-policy set connection
Firewall# show service-policy [interface if_name]

Adjust TCP options: define a tcp-map, define its actions (table 7-5) and apply the map as a template action:

Firewall(config)# tcp-map tcp_map_name
(config-pmap-c)# set connection advanced-options tcp_map_name

Use an IPS module (Intrusion Prevention System, a hardware module for the ASA), either inline or promiscuous; CSC module; policer to limit the bandwidth:

(config-pmap-c)# police output conform_rate [burst_bytes] conform-action drop

ASA CLUSTERING / FAILOVER
An evolution of simple failover: now up to 8 members are allowed, joined by a cluster sync link. All the routing / layer 2 distribution is done by the switches above and below the cluster, so asymmetric routing can be a problem. The preferred distribution technique is a spanned EtherChannel.

Roles: there is a master, an owner (of the connection) and a forwarder.
To Force failover :

failover active   # in the secondary 
no failover active # in the primary

To restart the standby box:

failover reload-standby

For the isakmp sa:

show crypto isakmp sa

For the ipsec sa:

show crypto ipsec sa


debug crypto isakmp
debug crypto ipsec


Review “Sample Error Messages” from http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html


ldngs28vpnfw01# sh crypto isakmp sa
Active SA: 11
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 11


IKE Peer: 213.61.9.96
Type    : L2L             Role    : initiator
Rekey   : no              State   : MM_ACTIVE


  
ldngs28vpnfw01# sh crypto ipsec sa peer 213.61.9.96
peer address: 213.61.9.96
Crypto map tag: outside_map, seq num: 7, local addr: 94.142.184.25


access-list outside_7_cryptomap extended permit tcp host 94.142.184.179 host 194.55.42.40 eq 14000
local ident (addr/mask/prot/port): (94.142.184.179/255.255.255.255/6/0)
remote ident (addr/mask/prot/port): (194.55.42.40/255.255.255.255/6/14000)
current_peer: 213.61.9.96


#pkts encaps: 5601916, #pkts encrypt: 5601916, #pkts digest: 5601916
#pkts decaps: 5084409, #pkts decrypt: 5084409, #pkts verify: 5084409
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5601916, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0


local crypto endpt.: 94.142.184.25/0, remote crypto endpt.: 213.61.9.96/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 87888A79
current inbound spi : 6A649AF5


inbound esp sas:
spi: 0x6A649AF5 (1784978165)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 215240704, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373977/20503)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF


outbound esp sas:
spi: 0x87888A79 (2273872505)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 215240704, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373985/20502)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
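As an added example (not from this page or from Cisco), a small Python parser for the 'show crypto ipsec sa' output above: it pulls out the counters and ESP SA parameters and flags what a tunnel review looks for (one-way traffic, errors, anti-replay off, a short remaining lifetime, and the DES/3DES/MD5 transforms and DH groups 1/2/5 that Cisco's NGE guidance says to avoid and that some templates on this page still use). The sample text is a constructed, trimmed copy of the output shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: trimmed copy of this page's 'show crypto ipsec sa peer' output, '#pkts' prefixes as the ASA prints them.
SAMPLE = """\
peer address: 213.61.9.96
    Crypto map tag: outside_map, seq num: 7, local addr: 94.142.184.25
      #pkts encaps: 5601916, #pkts encrypt: 5601916, #pkts digest: 5601916
      #pkts decaps: 5084409, #pkts decrypt: 5084409, #pkts verify: 5084409
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0x6A649AF5 (1784978165)
         transform: esp-aes-256 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, }
         sa timing: remaining key lifetime (kB/sec): (4373977/20503)
         replay detection support: Y
    outbound esp sas:
      spi: 0x87888A79 (2273872505)
         transform: esp-aes-256 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, }
         sa timing: remaining key lifetime (kB/sec): (4373985/20502)
         replay detection support: Y
"""

@dataclass
class EspSa:
    direction: str          # "inbound" or "outbound"
    spi: str
    transform: str = ""
    settings: str = ""      # the 'in use settings' list, e.g. "L2L, Tunnel, PFS Group 5"
    remaining_sec: int = 0  # seconds left before rekey
    replay: bool = False    # anti-replay window enabled

@dataclass
class IpsecSa:
    peer: str = ""
    crypto_map: str = ""
    seq: int = 0
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    esp: list = field(default_factory=list)   # EspSa entries, inbound then outbound

def parse_ipsec_sa(text):
    """Parse one peer's 'show crypto ipsec sa' section into an IpsecSa."""
    sa, direction, cur = IpsecSa(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"peer address: (\S+)", line):
            sa.peer = m.group(1)
        elif m := re.match(r"Crypto map tag: (\S+), seq num: (\d+)", line):
            sa.crypto_map, sa.seq = m.group(1), int(m.group(2))
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            sa.encaps = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            sa.decaps = int(m.group(1))
        elif m := re.match(r"#send errors: (\d+), #recv errors: (\d+)", line):
            sa.send_errors, sa.recv_errors = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"(inbound|outbound) esp sas:", line):
            direction = m.group(1)            # the SAs that follow belong to this direction
        elif m := re.match(r"spi: 0x([0-9A-Fa-f]+)", line):
            cur = EspSa(direction, m.group(1).upper())
            sa.esp.append(cur)
        elif cur and (m := re.match(r"transform: (.+)", line)):
            cur.transform = m.group(1)
        elif cur and (m := re.match(r"in use settings =\{(.*)\}", line)):
            cur.settings = m.group(1).strip(" ,")
        elif cur and (m := re.search(r"remaining key lifetime \(kB/sec\): \(\d+/(\d+)\)", line)):
            cur.remaining_sec = int(m.group(1))
        elif cur and (m := re.match(r"replay detection support: (\w)", line)):
            cur.replay = m.group(1) == "Y"
    return sa

# Transforms and DH groups that Cisco's NGE guidance says to avoid.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_DH_GROUPS = {1, 2, 5}

def check_tunnel(sa, min_lifetime_sec=300):
    """Return the findings for a parsed SA; an empty list means nothing to flag."""
    findings = []
    if sa.encaps == 0 or sa.decaps == 0:
        findings.append(f"one-way or no traffic (encaps={sa.encaps}, decaps={sa.decaps})")
    if sa.send_errors or sa.recv_errors:
        findings.append(f"errors on SA (send={sa.send_errors}, recv={sa.recv_errors})")
    for e in sa.esp:
        weak = sorted(WEAK_TRANSFORMS & set(e.transform.split()))
        if weak:
            findings.append(f"{e.direction} SA {e.spi} uses weak transform: {', '.join(weak)}")
        g = re.search(r"PFS Group (\d+)", e.settings)
        if g and int(g.group(1)) in WEAK_DH_GROUPS:
            findings.append(f"{e.direction} SA {e.spi} uses weak PFS group {g.group(1)}")
        if not e.replay:
            findings.append(f"{e.direction} SA {e.spi} has anti-replay disabled")
        if e.remaining_sec < min_lifetime_sec:
            findings.append(f"{e.direction} SA {e.spi} rekeys in {e.remaining_sec}s")
    return findings
```

Run `check_tunnel(parse_ipsec_sa(SAMPLE))` against the output above and it reports the MD5 integrity and PFS group 5 on both SAs, nothing else; feed it a section with encaps but no decaps and the one-way finding appears.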


         
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hma


crypto map outside_map 7 match address outside_7_cryptomap

crypto map outside_map 7 set pfs group5
crypto map outside_map 7 set peer 213.61.9.96
crypto map outside_map 7 set transform-set ESP-AES-256-MD5
crypto map outside_map 7 set reverse-route


crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable BTRadianz
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
[....]


crypto isakmp policy 120
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800


tunnel-group 213.61.9.96 type ipsec-l2l
tunnel-group 213.61.9.96 ipsec-attributes



IDENTITY BASED FIREWALLING: local user groups

TRUSTSEC AND ISE
AAA SERVICES (Chap7)
The following is mainly for wireless devices
ISE server
PSN server (Policy Service Node)


Enable console/terminal logging

To enable syslogging (prerequisite):

logging enable

Default: messages are not logged to vty sessions, but they are logged to the console.
If on the console:

show logging | inc onsole

If on a vty:

terminal monitor
terminal no monitor
conf t
logging console
logging monitor     ! For vty
logging buffered    ! For the local syslog buffer

IPSEC VPN in Cisco ASA

debug crypto isakmp 50       ! 50 is the debug level <1-255>
debug crypto ipsec sa 7      ! 7 is the debug level <1-255>
vpn-sessiondb logoff tunnel-group 192.168.1.1   ! Pre 8.3
clear crypto isakmp sa <peer ip address>        ! Post 8.3
clear ipsec sa peer 192.168.1.1

It is recommended to enable debugging or terminal monitor:

debug crypto isakmp 50

You may need to enable terminal monitor to see the messages.

Configuration:

  1. Enable ISAKMP (UDP 500)
  2. ISAKMP policy (crypto ikev2 policy) {Auth, Encryption, Hash, DH group, Lifetime}
  3. Tunnel type (tunnel-group), PSK
  4. IPsec policy (crypto ipsec ikev2 ipsec-proposal) {Encryption, Integrity, Mode and ESP type}
  5. Define crypto map
  6. Traffic filtering
  7. Bypass NAT
  8. PFS



NOTES FROM TRAx ASA NOTES - TO BE FORMATTED
Troubleshooting general VPN


For a list of all tunnels in phase 2 :

show crypto ipsec sa | beg access

show crypto isakmp sa


Interesting SYSLOG MESSAGES:

IPsec phase 1/2 related: syslog 713120, syslog 713119, syslog 713049 (and 113019 for session disconnects):

grep -E "713119|713120|713049|113019" localmessages

https://supportforums.cisco.com/discussion/11119801/monitoring-vpn-connection-attempts ; http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/syslog.html

http://blog.webernetz.net/2014/07/25/grep-commands-for-cisco-asa-syslog-messages/

Connection flags: the "U", "I" and "O" flags denote that the connection is up and has received inbound and out
bound data; the "B" flag means the connection was initiated from the outside.

.. flags UIOB ..

To quickly see the meaning of the flags (the legend is printed at the top of the output):

ASA5515-X# show conn detail ..

Review "Sample Error Messages" from http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html

IPSEC-VPN SYSLOG MESSAGES: http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs2.html

# %ASA-5-713119 - PHASE 1 COMPLETED
%ASA-5-713119: Group = 193.29.78.6, IP = 193.29.78.6, PHASE 1 COMPLETED

# %ASA-5-713049 - PHASE 2 COMPLETED. Explanation: an IPsec tunnel has been started. The 'Group' here is the name of the gateway.
%ASA-5-713049: Group = 199.166.9.47, IP = 199.166.9.47, Security negotiation complete for LAN-to-LAN Group (199.166.9.47) Responder, Inbound SPI = 0xafe32a83, Outbound SPI = 0xe275cedd

# %ASA-4-113019 - SESSION DISCONNECTED (check the Reason field)
%ASA-4-113019: Group = 193.29.78.6, Username = 193.29.78.6, IP = 193.29.78.6, Session disconnected. Session Type: IKE, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service

# Example of a good connection (phase 1 not included):
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xEE07D12B) between 64.209.115.250 and 199.166.9.47 (user= 199.166.9.47) has been created.
%ASA-5-713120: Group = 199.166.9.47, IP = 199.166.9.47, PHASE 2 COMPLETED (msgid=c3c3b320)
%ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x98F27E7F) between 64.209.115.250 and 199.166.9.47 (user= 199.166.9.47) has been deleted.
%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1E9C1091) between 64.209.115.250 and 199.166.9.47 (user= 199.166.9.47) has been deleted.
%ASA-5-713075: Group = 199.166.9.47, IP = 199.166.9.47, Overriding Initiator's IPSec rekeying duration from 28800 to 3600 seconds
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1FB41823) between 64.209.115.250 and 199.166.9.47 (user= 199.166.9.47) has been created.
%ASA-5-713049: Group = 199.166.9.47, IP = 199.166.9.47, Security negotiation complete for LAN-to-LAN Group (199.166.9.47) Responder, Inbound SPI = 0x1dc8bc00, Outbound SPI = 0x1fb41823

Remote access user related:

Syslog ID 113015: user authentication Rejected : reason = Invalid password : local database : user =
Syslog ID 713184: Group = ciscovpn_ra_access, Username = IP = , Client Type: WinNT Client Application Version: 4.8.00.0440
Syslog ID 113012: AAA user authentication Successful : local database : user = username
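As an added example (not from this page or from Cisco), a small Python parser for the syslog IDs listed above: it turns the messages into per-peer IKE state and flags two things worth alerting on, peers that complete phase 1 but never phase 2 (the classic symptom of a crypto ACL or transform-set mismatch) and users with repeated 113015 rejections. The log lines are constructed from the message formats quoted on this page; the usernames are invented.

```python
import re
from collections import defaultdict

# Constructed sample log, assembled from the message formats quoted on this page
# (peer IPs are the ones in the page's examples; the usernames are invented).
SAMPLE_LOG = """\
%ASA-5-713119: Group = 193.29.78.6, IP = 193.29.78.6, PHASE 1 COMPLETED
%ASA-4-113019: Group = 193.29.78.6, Username = 193.29.78.6, IP = 193.29.78.6, Session disconnected. Session Type: IKE, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
%ASA-5-713119: Group = 199.166.9.47, IP = 199.166.9.47, PHASE 1 COMPLETED
%ASA-5-713120: Group = 199.166.9.47, IP = 199.166.9.47, PHASE 2 COMPLETED (msgid=c3c3b320)
%ASA-5-713049: Group = 199.166.9.47, IP = 199.166.9.47, Security negotiation complete for LAN-to-LAN Group (199.166.9.47) Responder, Inbound SPI = 0x1dc8bc00, Outbound SPI = 0x1fb41823
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice
%ASA-6-113012: AAA user authentication Successful : local database : user = bob
"""

# Message IDs discussed on this page.
PHASE1_DONE, PHASE2_DONE, PHASE2_SA = "713119", "713120", "713049"
SESSION_DISC, AUTH_REJECT, AUTH_OK = "113019", "113015", "113012"

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")
FIELD_RE = re.compile(r"\b(Group|IP|Username|user) = ([^,\s]+)")
REASON_RE = re.compile(r"[Rr]eason[ :=]+(.*?)(?: : |$)")   # "Reason: X" and "reason = X : ..."


def parse_asa_log(text):
    """Turn ASA syslog lines into dicts; lines that are not ASA messages are skipped."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        body = m.group("body")
        fields = dict(FIELD_RE.findall(body))
        reason = REASON_RE.search(body)
        events.append({
            "id": m.group("id"),
            "severity": int(m.group("sev")),
            "group": fields.get("Group"),
            "ip": fields.get("IP"),
            "user": fields.get("user") or fields.get("Username"),
            "reason": reason.group(1) if reason else None,
        })
    return events


def summarize_ike(events):
    """Per-peer IKE view: phase 1 / phase 2 completions and disconnect reasons."""
    peers = defaultdict(lambda: {"phase1": 0, "phase2": 0, "disconnects": []})
    for e in events:
        if not e["ip"]:
            continue   # AAA messages carry no peer IP
        p = peers[e["ip"]]
        if e["id"] == PHASE1_DONE:
            p["phase1"] += 1
        elif e["id"] in (PHASE2_DONE, PHASE2_SA):
            p["phase2"] += 1
        elif e["id"] == SESSION_DISC:
            p["disconnects"].append(e["reason"])
    return dict(peers)


def peers_stuck_in_phase1(events):
    """Peers that completed phase 1 but never phase 2: the classic symptom of a
    mismatched crypto ACL or transform set on one end."""
    return sorted(ip for ip, p in summarize_ike(events).items()
                  if p["phase1"] and not p["phase2"])


def repeated_auth_failures(events, threshold=3):
    """Users with at least `threshold` rejected logins (113015), worth an alert."""
    fails = defaultdict(int)
    for e in events:
        if e["id"] == AUTH_REJECT and e["user"]:
            fails[e["user"]] += 1
    return {user: n for user, n in fails.items() if n >= threshold}
```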


Troubleshoot L2TP VPN

https://supportforums.cisco.com/document/66921/pptp-l2tp-l2tp-over-ipsec-important-debugs

IPSEC VPN CONFIGURATION


Network Operations profile:

ukvpn.marketaxess.com/NETOPSSLVPN

IPSEC VPN Configuration:

  Enable isakmp (udp 500)
  Isakmp policy (crypto ikev2 policy) {Auth, Encryp, DH, Lifetime, DH)
  Tunnel type (tunnel group) PSK
  IPsec policy (crypto ipsec ikev2 policy-proposal) {Encryp, Integrity, Mode and ESP type}
  Define crypto map
  Traffic filtering
  Bypass NAT
  PFS

TEMPLATE http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/ike.html

PHASE I

crypto ikev1 enable outside

crypto isakmp identity address

no crypto isakmp nat-traversal

crypto isakmp policy 20

authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 am-disable               #aggressive mode. No command to explicitly enable main mode
tunnel-group 100.1.1.2 type ipsec-l2l         #  Note that we just call the tunnel group with that number!
tunnel-group 100.1.1.2 ipsec-attributes
ikev1 pre-shared-key *                # PSK not shown. To see it use more system:running-config

PHASE II

crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac 

crypto map outside_map 20 match address s2s

crypto map outside_map 20 set pfs 
crypto map outside_map 20 set peer 100.1.1.2 
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map interface outside

POLICY BASED VPN (CISCO OLD)

PHASE I

- We have to define symmetric access lists - Association-ISAKMP and authentication using pre-shared keys.

  We'll create a keyring to hold our pre-shared keys, which are mapped by peer (public) IP address
  (in both ends)
  crypto keyring VPN
  pre-shared-key address 172.16.0.3 key MySecretKey

- Now we create the ISAKMP policy

  (both ends)
  crypto isakmp profile R1_to_R3
  keyring VPN
  match identity address 172.16.0.3 255.255.255.255

PHASE II

- Define an IPsec transform-set (protocol, encryption, and hashing algorithms)

  crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac

- Match all together (creating the crypto map)

  (both ends)
  crypto map Policy_VPN 10 ipsec-isakmp
   match address R1_to_R3
  set peer 172.16.0.3
   set transform-set ESP-AES256-SHA1
   set isakmp-profile R1_to_R3
   reverse-route static
   set reverse-route distance 10
  !
  interface FastEthernet0/0
   crypto map Policy_VPN
   

Remember, different from tunneling. Here there is usually a server (the firewall): http:packetlife.net/blog/2011/aug/15/policy-based-vs-route-based-vpns-pa

VPN REMOTE ACCESS

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside

ip local pool testpool 192.168.0.10-192.168.0.15
username testuser password 12345678

crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

tunnel-group CORPORATE type remote-access
tunnel-group CORPORATE general-attributes
tunnel-group CORPORATE webvpn-attributes

tunnel-group testgroup general-attributes
 address-pool testpool
tunnel-group testgroup ipsec-attributes
 pre-shared-key 44kkaol59636jnfx

crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside

VPN gateways: vpn.marketaxess.com, usvpn.marketaxess.com (legacy?), ukvpn.marketaxess.com

Anyconnect. To check who is currently connected:

For USA

CP02-ASAVPN01/pri/act# sh vpn-sessiondb anyconnect | i Username

For UK:

UK02-ASAVPN01# show vpn-sessiondb anyconnect | grep User


NAT in ASA


Packet flow:

ASA Packet Flow

BRKSEC-3020.pdf


Downloadable ACLs (DACLs) on the intervrf fwall (for user access in ABS, no CHKP). These access lists override the access list configured on the interface the host is connected to.

After the upgrade to 9.5(1) we are not using DACLs. The users authenticate to the ASA itself when they access resources; see “show uauth” below.

We put the config in the object groups and, when the user authenticates, they get that rule set. The only difference is that the ACL is not defined on an interface.

The user is not bound to an IP: when they authenticate, the ASA derives the IP from the source address they came from during the auth.

show uauth: To display one or all currently authenticated users, the host IP to which they are bound, and any cached IP and port authorization information, use the show uauth command in privileged EXEC mode.

uk02-intervrf-fwall/pr


ACL LOOKUP

Note that, in TCP or UDP sessions, the flow (and therefore the return traffic) is easy for the appliance to identify. However, for ICMP we need to either 1) explicitly allow the return ICMP traffic with an ACL applied to the outside interface or 2) enable ICMP inspection. Ping to the ASA interfaces is allowed by default; we can restrict it with an ICMP policy (commands starting with the icmp keyword).

Review split tunnel for remote access VPN: a solution that lets traffic not bound for the tunnel bypass the firewall. Split tunnel is mainly for remote access VPN where we want our customers' Internet traffic also to be inspected by the fw (this needs to be reviewed).

ACLs can be global, applied to all interfaces inbound. Standard access lists are applied to processes, not interfaces (e.g. used for split tunnel); for example, we can filter OSPF through an access list (see pg 251). Review split tunnel for remote access VPN.

Extended access lists are not applied on the interface level hierarchy as in the classical IOS.

access-group name in interface inside 

Check object grouping and object nesting for ACL!

ASA can download acls on demand after a customer tries to access a resource(and is prompted for credentials)

ASA TRANSPARENT FIREWALL FEATURE

In pre-8.3 versions NAT was more permissive: from a high to a low security level, natting is not compulsory. We can force flows to either match a NAT rule or be discarded (from inside to outside) with nat-control, i.e. the 'nat-control' command plus access lists.

Pg348. We see that before routing the ASA checks destination NAT and virtually forwards the packet according to it. Note that this behaviour is only relevant in pre-8.3; later ASA OS versions use Unified NAT.

 "nat (inside,outside).."

this is natting, nothing to do with global access lists (from 8.3 ahead..)

global (liffe_nyse_hpci_red) 60 interface 

Define the inside group to be included for NAT.

nat (inside) 1 10.1.6.0 255.255.255.0

Specify a pool of addresses on the outside interface to which the hosts defined in the NAT statement are translated.

global (outside) 1 175.1.1.3-175.1.1.64 netmask 255.255.255.0     

Now the hosts on the inside can access outside networks. When hosts from the inside initiate a connection to the outside, they are translated to an address from the global pool. Note that the addresses are assigned from the global pool on a first-come, first-translated basis.

Static NAT/PAT: a fixed one-to-one pair, so if we have 100 hosts on the inside it would require 100 addresses on the outside. It is important to understand that the outside destination address/port that is translated to an internal one does not necessarily have to be the interface address; it can be any address in that external subnet. E.g.: a client in 2.32.1.1/16 sending packets to 209.165.200.229:25 is translated to an internal 192.168.1.1/24 while the outbound interface address is 209.65.200.229! This would need some kind of outbound route towards that internal one… (see pg 342)

NAT example:

nat (inside) 1 10.1.2.0 255.255.255.0   <-- To set the address pool
global (outside) 1 209.165.201.1-209.165.201.15 <-- To refer the add pool to a set of outside addresses

static (inside,dmz) 10.1.6.0 10.1.6.0 netmask 255.255.255.0

access-list acl_outbound permit tcp 10.1.6.0 255.255.255.0 any eq www
access-list acl_outbound deny tcp any any eq www
access-list acl_outbound permit ip any any
access-group acl_outbound in interface inside

(config)# static (outside,inside) 213.238.120.10 10.1.3.4 netmask 255.255.255.255 dns

It does resolve the problem stated by Paul, so any DNS response from an inside host to an outside DNS server regarding a host inside is changed to the unmapped IP of the host.

+8.3 ASA versions

All the examples are HERE. Listen to show 35 in www.cisco.com/c/en/us/solutions/enterprise-networks/security/security_tac_podcasts.html

Basically there are AutoNAT and Manual/Policy NAT. Simplified configurations, see the steps here.

AutoNAT: object order is not relevant, as the ASA chooses the most suitable rule based on specificity. To configure it we use one of the defined methods inside the network object, e.g.:

(conf-network-obj)# nat (inside,outside) dynamic interface

or

(conf-network-obj)# nat (DMZ,outside) static 212.165.20.225

Note: the obj in the prompt means this is entered inside an object definition.

Manual/Policy NAT: changes source and/or destination. It uses predefined objects and is NOT configured inside the object definition. Network objects in NAT can be seen as containers of the NAT actions: the NAT is embedded in the object, and the object can be reused outside the NAT realm, for instance in access lists. An example is a server being translated outbound: if we want to use that server definition in an ACL permitting traffic outbound we can do it, and the NAT will be implicit! If we change the server address, the NAT and the ACL are updated automatically. Manual NAT: Example 10-3 pg 359

Also see the special location of the network object in the configuration and how it seems repeated. This is to do with the way it is loaded in memory. Listen to the explanation at min 12 in the podcast.

The real (not translated) address of the host is used in the access list to allow or deny traffic destined to it. "Not translated" here is meant in the sense of address space, not time (the latter would be ambiguous): it basically means the inside address. In pre-8.3 it is the opposite (the ACL matches the translated address).

The following commands are no longer supported: alias,global,nat (old version), nat-control, static, ..

Also, no default NAT rules exist any more, so in order to let traffic through (e.g. from inside to outside) we need to create those NAT rules ourselves.

A unified NAT table replaces the old NAT order: rules are evaluated top-down, with the more specific ones first.
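An added Python model (not ASA code and not from these notes) of the two points above: auto NAT objects are matched by specificity rather than configuration order, and an object reused in an ACL matches the real address. The section 2 ordering follows Cisco's documented auto NAT ordering (static before dynamic, then fewer real addresses, then lowest address, then name); manual NAT sections 1 and 3 are not modelled, and the object names and addresses are constructed.

```python
import ipaddress

# Constructed 8.3+ auto NAT objects: each network object carries its own nat action,
# as in "object network WEB-SRV" / "nat (inside,outside) static 212.165.20.225".
OBJECTS = [  # (name, real subnet, (real ifc, mapped ifc), type, mapped address)
    ("INSIDE-NET", "10.1.2.0/24", ("inside", "outside"), "dynamic", "interface"),
    ("WEB-SRV", "10.1.2.10/32", ("inside", "outside"), "static", "212.165.20.225"),
    ("DMZ-NET", "10.1.6.0/24", ("dmz", "outside"), "dynamic", "interface"),
]

def section2_order(objects):
    """Auto NAT (section 2) evaluation order: static before dynamic, then fewer
    real addresses first, then lowest real address, then object name.
    Configuration order plays no part, which is why object order is irrelevant."""
    def key(obj):
        name, real, _, kind, _ = obj
        net = ipaddress.ip_network(real)
        return (0 if kind == "static" else 1, net.num_addresses,
                int(net.network_address), name)
    return sorted(objects, key=key)

def lookup(objects, src_ip, ingress):
    """First auto NAT rule whose real subnet and real interface match the source."""
    ip = ipaddress.ip_address(src_ip)
    for name, real, (real_ifc, _), kind, mapped in section2_order(objects):
        if real_ifc == ingress and ip in ipaddress.ip_network(real):
            return name, kind, mapped
    return None  # 8.3+ has no implicit rule: with no match the packet is not translated

def acl_matches(objects, obj_name, ip):
    """The same object reused in an ACL matches the REAL (untranslated) address,
    the 8.3+ semantics described above; editing the object updates NAT and ACL."""
    real = next(o[1] for o in objects if o[0] == obj_name)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(real)
```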

Review “Sample Error Messages” from http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html

ldngs28vpnfw01# sh crypto isakmp sa

Active SA: 11
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 11

IKE Peer: 213.61.9.96

Type    : L2L             Role    : initiator
Rekey   : no              State   : MM_ACTIVE

ldngs28vpnfw01# sh crypto ipsec sa peer 213.61.9.96

peer address: 213.61.9.96
Crypto map tag: outside_map, seq num: 7, local addr: 94.142.184.25

access-list outside_7_cryptomap extended permit tcp host 94.142.184.179 host 194.55.42.40 eq 14000

local ident (addr/mask/prot/port): (94.142.184.179/255.255.255.255/6/0)
remote ident (addr/mask/prot/port): (194.55.42.40/255.255.255.255/6/14000)
current_peer: 213.61.9.96

#pkts encaps: 5601916, #pkts encrypt: 5601916, #pkts digest: 5601916
#pkts decaps: 5084409, #pkts decrypt: 5084409, #pkts verify: 5084409
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5601916, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 94.142.184.25/0, remote crypto endpt.: 213.61.9.96/0

path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 87888A79
current inbound spi : 6A649AF5

inbound esp sas:

spi: 0x6A649AF5 (1784978165)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 215240704, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373977/20503)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF

outbound esp sas:

spi: 0x87888A79 (2273872505)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 215240704, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373985/20502)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
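An added Python helper (not part of the original notes) that parses the `show crypto ipsec sa` output above and flags the usual symptoms of a broken L2L tunnel (one-way counters, errors, missing SPI, imminent rekey); the sample text is an abridged, constructed copy of the output on this page.

```python
import re

# Constructed sample: an abridged copy of the "sh crypto ipsec sa peer" output shown above.
SAMPLE = """\
peer address: 213.61.9.96
Crypto map tag: outside_map, seq num: 7, local addr: 94.142.184.25
local ident (addr/mask/prot/port): (94.142.184.179/255.255.255.255/6/0)
remote ident (addr/mask/prot/port): (194.55.42.40/255.255.255.255/6/14000)
#pkts encaps: 5601916, #pkts encrypt: 5601916, #pkts digest: 5601916
#pkts decaps: 5084409, #pkts decrypt: 5084409, #pkts verify: 5084409
#send errors: 0, #recv errors: 0
current outbound spi: 87888A79
current inbound spi : 6A649AF5
sa timing: remaining key lifetime (kB/sec): (4373977/20503)
"""

COUNTER_RE = re.compile(r"#(pkts (?:encaps|decaps)|send errors|recv errors): (\d+)")

def parse_ipsec_sa(text):
    """Pull the fields needed for a quick health check out of the show output."""
    sa = {"peer": None, "counters": {}, "spi": {}, "lifetime_sec": None}
    for line in text.splitlines():
        m = re.match(r"peer address: (\S+)", line)
        if m:
            sa["peer"] = m.group(1)
        for name, value in COUNTER_RE.findall(line):
            sa["counters"][name] = int(value)
        m = re.match(r"current (inbound|outbound) spi\s*: ([0-9A-Fa-f]+)", line)
        if m:
            sa["spi"][m.group(1)] = m.group(2)
        m = re.search(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)", line)
        if m:
            sa["lifetime_sec"] = int(m.group(2))
    return sa

def diagnose(sa):
    """Flag the classic symptoms: one-way traffic, errors, missing SPI, imminent rekey."""
    c = sa["counters"]
    issues = []
    if c.get("pkts encaps", 0) > 0 and c.get("pkts decaps", 0) == 0:
        issues.append("encrypting but nothing comes back: check the peer's crypto ACL mirrors ours")
    if c.get("pkts decaps", 0) > 0 and c.get("pkts encaps", 0) == 0:
        issues.append("receiving but not sending: check local routing and NAT exemption")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        issues.append("send/recv errors present")
    if not sa["spi"].get("inbound") or not sa["spi"].get("outbound"):
        issues.append("missing SPI: phase 2 not fully established")
    if sa["lifetime_sec"] is not None and sa["lifetime_sec"] < 60:
        issues.append("SA rekey imminent")
    return issues
```

Feed it the output of `sh crypto ipsec sa peer <ip>` captured from the box; an empty list from `diagnose()` means the counters look healthy.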

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set pfs group5
crypto map outside_map 7 set peer 213.61.9.96
crypto map outside_map 7 set transform-set ESP-AES-256-MD5
crypto map outside_map 7 set reverse-route

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp enable BTRadianz
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
[....]

crypto isakmp policy 120

authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800

tunnel-group 213.61.9.96 type ipsec-l2l

tunnel-group 213.61.9.96 ipsec-attributes

IDENTITY BASED FIREWALLING Local user groups

TRUSTSEC AND ISE

AAA SERVICES (Chap7)

The following is mainly for wireless devices: ISE server, PSN server (Policy Service Node)

Enable console/terminal logging

To enable syslogging (prerequisite):

logging enable

Default: messages are not logged to the tty, but they are logged to the console. If on the console:

show logging | inc onsole

If in vty

terminal monitor
terminal no monitor

conf t
! ASA requires a severity level on these (e.g. informational)
logging console informational
! For vty
logging monitor informational
! For local syslog buffer
logging buffered informational


Remote site vpn:

ip local pool MKTX_ASHBURN_GUEST_POOL 10.30.162.225-10.30.162.247 mask 255.255.255.0

This is for the set of source addresses that will be given to the customer when they ipsec to us. They will be landing in Vlan 118/119 CRP-DR-VDI-inside


Types of vpn:

  IPSEC-VPN: Site2site and Anyconnect
  l2tp : Site2site & remote access

SSL VPN

Concepts:

  • trustpoint: In the ASDM, the trustpoint is automatically created when a CSR is generated or when the CA certificate is installed. In the CLI, the trustpoint must be created manually.
  • WebVPN (often called SSL VPN, or sometimes clientless VPN): used when someone needs to access a web based application that is on the private network. A web browser is used for all the encryption and authentication.

CERTIFICATE INSTALLATION:
https://www.digicert.com/ssl-certificate-installation-cisco-asa-5500.htm
https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc7

CONFIGURING THE VPN
todo
SETTING UP THE NAT RULES (AND SPLIT TUNNEL IF NEEDED)

access-list NAT-EXEMPT extended permit ip 192.168.100.0 255.255.255.0 192.168.104.0 255.255.255.0
tunnel-group VPN general-attributes
address-pool AnyConnect (the address pool you created earlier)

To configure the split tunnel: https://www.techrepublic.com/blog/smb-technologist/quick-guide-anyconnect-client-vpn-on-cisco-asa-5505/


NEW 'MODELS': FIREPOWER , SOURCEFIRE

  • Firepower is services on top of the ASA platform
  • Sourcefire was acquired by Cisco several years ago and now going to change name to NGIPS Firepower center
network_stuff/cisco/asa.1596027298.txt.gz · Last modified: (external edit)