CISCO ASA
Configuration:\\
Example: asa_config1.cfg.zip
Contexts
To see all the contexts we need to be in the system context (changeto system); to move into a context use changeto context <name>:
DC03-ROUTEFW01/admin/pri/act# changeto system
DC03-ROUTEFW01/pri/act# show context
...
DC03-ROUTEFW01/pri/act# changeto context dmz-internet-fwall
Troubleshooting
capture : a classical packet capture needs an access list matching the interesting traffic in both directions; the ACL is written with the real (untranslated) addresses as seen on the capture interface.
capture nameofcapture access-list accesslistname interface inside
Then we can just download the pcap from the ASA web server (HTTPS/ASDM access must be enabled and the session authenticated):
https://<asa>/admin/capture/nameofcapture/pcap
We can also use an inline match clause instead of an access list:
capture nameofcapture interface inside match ip host 10.1.1.2 any
Or copy the capture off the box:
copy /pcap capture:nameofcapture tftp://<server>/nameofcapture.pcap
Remove the capture when done (no capture nameofcapture): captures hold a buffer in memory.
Concept of service policy:
show service-policy set connection detail
This shows every class-map with the number of packets and the rate at which they are hit.
This one 'emulates' a packet and reports which service policies it would hit:
show service-policy flow udp host 209.165.200.229 host 209.165.202.158 eq 5060
PACKET TRACER
Especially useful for IPsec and NAT problems:
https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer
It injects a virtual packet into the security appliance and tracks the flow from ingress to egress through every phase (ACL, NAT, routing, VPN, inspection). Add the detailed keyword at the end to see the exact rule that allowed or dropped it.
To generate real TCP probes (useful to test NAT end to end), use tcpping from a host.
packet-tracer input inside icmp 10.1.1.2 8 0 172.21.1.2    # echo request (type 8, code 0)
packet-tracer input outside icmp 172.21.1.2 0 0 10.1.1.2   # echo reply (type 0, code 0)
IDS in ASA (threat detection)
show run threat-detection
Basic (default):
threat-detection basic-threat
no threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ACL LOOKUP
From a high security level to a lower one no access list is strictly required (traffic flows by default), but we can apply one.
ASA access lists match up to Layer 4 (plus users/groups with the identity firewall); Layer 7 matching is done by the inspection engines through the Modular Policy Framework, not by the ACL itself.
ASA ACLs use real subnet masks, not IOS wild-card masks. Because the appliance is stateful, the ACL is consulted only for the first packet of a flow; later packets, including the return traffic, are matched against the connection table. Each line of an ACL is an ACE.
Note that for TCP or UDP sessions the flow (and therefore the return traffic) is easy for the appliance to identify. For ICMP, however, we need to either 1) explicitly permit the return ICMP traffic in an ACL applied to the outside interface or 2) enable ICMP inspection (inspect icmp), which makes ICMP stateful.
Ping to the ASA interfaces themselves is allowed by default. It can be restricted with an ICMP policy (commands starting with the icmp keyword: icmp permit|deny ... <interface>), which is separate from the traffic ACLs.
Split tunnel for remote access VPN: with split tunnelling only traffic for the listed networks goes through the tunnel and the rest (e.g. the user's Internet traffic) bypasses the firewall. If we want remote users' Internet traffic to be inspected by the firewall, do not split-tunnel (tunnelall policy).
ACLs can be global, applied to all interfaces inbound (access-group name global, 8.3+).
Standard access lists are applied to processes, not interfaces: route filtering (e.g. applied to OSPF, see pg 251) and split-tunnel network lists.
Extended access lists are applied to interfaces, but not in the per-interface hierarchy of classic IOS; instead:
access-group name in interface inside
Check object grouping and object nesting for ACLs!
The ASA can also download ACLs on demand (downloadable ACLs from a AAA server) after a user tries to access a resource and is prompted for credentials (cut-through proxy).
show conn detail   <-- important here are the flags (see table 263)
show conn all
show access-list   <-- for the hit count of each ACE
NAT
Essential resource: NAT cheat sheet: See: http://packetpushers.net/cisco-nat-cheat-sheet/
NAT types: inside NAT (from high to low security level: traffic destined to the public realm, the device translating the source so the return path is possible), outside NAT (a host on the lower security level is also translated when its destination is on the inside) and bidirectional NAT when both happen.
NAT methods: static, dynamic, policy and identity.
By default NAT not only translates the source address BUT ALSO randomizes the TCP initial sequence number (ISN). This breaks TCP MD5 authentication (BGP), so for those flows it has to be turned off (set connection random-sequence-number disable in a service policy class matching the BGP traffic).
In pre-8.3 versions:
There was a more permissive way of NATing: from a high to a low security level NAT was not compulsory. We could force flows to either match a NAT rule or be discarded (from inside to outside) with the nat-control command plus access lists.
Pg 348: before routing, the ASA checks destination NAT and virtually forwards the packet according to it (NAT before routing). This ordering is only relevant pre-8.3; later ASA OS uses the Unified NAT table.
"nat (inside,outside) ..." is NAT, nothing to do with global access lists (from 8.3 onwards).
global (liffe_nyse_hpci_red) 60 interface   <-- PAT to the interface address, pre-8.3 syntax
Define the inside group to be included for NAT:
nat (inside) 1 10.1.6.0 255.255.255.0
Specify a pool of addresses on the outside interface to which the hosts defined in the NAT statement are translated (the same NAT id, 1, ties both statements together):
global (outside) 1 175.1.1.3-175.1.1.64 netmask 255.255.255.0
Now the hosts on the inside can access outside networks. When hosts from the inside initiate a connection to the outside, they are translated to an address from the global pool. Note that addresses are assigned from the global pool on a first-come, first-translated basis.
Static NAT/PAT: fixed one-to-one pairs. If we have 100 hosts on the inside, static NAT requires 100 addresses on the outside (static PAT can share one address by port).
It is important to be clear that the outside destination address/port that is translated to an internal one does not necessarily have to be the interface address; it can be any address in that external subnet. E.g.: a client in 2.32.1.1/16 sending packets to 209.165.200.229:25 has them translated to an internal 192.168.1.1/24, while the outside interface itself has a different address in the same 209.165.200.x subnet.*
* The upstream router must be able to reach that mapped address: either a route towards the ASA or ARP resolution (the ASA proxy-ARPs for mapped addresses on the connected subnet by default) (see pg 342).
NAT example:
nat (inside) 1 10.1.2.0 255.255.255.0             <-- defines the real addresses to translate (NAT id 1)
global (outside) 1 209.165.201.1-209.165.201.15   <-- maps NAT id 1 to a pool of outside addresses
Identity static NAT between inside and dmz plus an outbound ACL:
static (inside,dmz) 10.1.6.0 10.1.6.0 netmask 255.255.255.0
access-list acl_outbound permit tcp 10.1.6.0 255.255.255.0 any eq www
access-list acl_outbound deny tcp any any eq www
access-list acl_outbound permit ip any any
access-group acl_outbound in interface inside
DNS doctoring with the dns keyword (pre-8.3 static syntax is (real_ifc,mapped_ifc) mapped_ip real_ip):
(config)# static (inside,outside) 213.238.120.10 10.1.3.4 netmask 255.255.255.255 dns
This resolves the problem stated by Paul: any DNS reply from an outside DNS server to an inside host about the inside server (known outside as 213.238.120.10) is rewritten to the real, untranslated address 10.1.3.4, so the inside host reaches it directly instead of through the mapped address.
8.3 and later:
All the examples HERE
Listen to show 35 in http://www.cisco.com/c/en/us/solutions/enterprise-networks/security/security_tac_podcasts.html
Basically Auto NAT (object NAT) and Manual/Policy NAT (twice NAT), with a simplified configuration.
Auto NAT: the order of the objects in the configuration is not relevant, the ASA orders them itself by specificity (static before dynamic, then longest prefix, then IP address and object name).
To configure it we use one of the methods inside the network object definition, e.g.:
(config-network-object)# nat (inside,outside) dynamic interface
or
(config-network-object)# nat (dmz,outside) static 212.165.20.225
Note: the (config-network-object)# prompt means this is entered inside an object network definition.
Manual/Policy NAT: changes source and/or destination. It uses predefined objects and is not written inside the object definition (a nat (inside,outside) source ... destination ... line at global configuration level).
Network objects in NAT can be seen as containers of the NAT actions: the NAT is embedded in the object, and the object can be reused outside the NAT realm, for instance in access lists. Example: a server translated outbound; if we use that server's object in an ACL permitting traffic outbound, the NAT is implicit. If we change the server address, the NAT and the ACL are updated automatically.
Manual NAT: Example 10-3 pg 359
Also see the special location of the network object in the configuration and how it seems repeated (the object appears once with its address and again with its nat line). This has to do with the way it is loaded in memory; listen to the explanation at min 12 in the podcast.
The real (untranslated) address of the host is used in access lists to allow or deny traffic destined to it. "Untranslated" in the sense of address space, not time (that would be ambiguous); basically it means the inside address.
Pre-8.3 it is the opposite (ACLs match the mapped address).
The following commands are no longer supported: alias, global, nat (old form), nat-control, static, ...
Also no default NAT rules exist anymore, so in order to let traffic move (e.g. from inside to outside through interface PAT) we need to create those NAT rules explicitly.
The Unified NAT table replaces the old NAT order: it is evaluated top-down, section 1 (manual NAT) first, then section 2 (auto NAT, most specific first), then section 3 (manual NAT after-auto); the first match wins.
Troubleshooting. To see the NAT table order:
show nat            <-- to see the Unified NAT table, with translate/untranslate hit counts per rule
show xlate
show local-host {ip}   <-- to see the statistics (connections, xlates) of a single host (practise this)
If memory or CPU issues:
show xlate count
show conn count
show processes cpu-usage sorted non-zero
fw01/dc.grapeshot.co.uk/pri/act# show perfmon
PERFMON STATS:      Current    Average
Xlates              1116/s     7/s
Connections         4446/s     26/s
TCP Conns           2992/s     26/s
UDP Conns           1448/s     29/s
[..]
VALID CONNS RATE in TCP INTERCEPT:   Current   Average
                                     N/A       100.00%
show asdm history feature memory   # historical memory usage (200 MB last time it was checked)
NETWORK ATTACKS, DDOS:
This might help: http://balodeamit.blogspot.com/2013/10/detecting-and-mitigating-ddos-attacks.html
On a host, count TCP connections per state:
netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head
  37705 TIME_WAIT
   9190 ESTABLISHED
   1362 FIN_WAIT2
    188 CLOSING
    136 FIN_WAIT1
     94 LAST_ACK
     73 SYN_SENT
     36 SYN_RECV
      1 Foreign
      1
SYN_RECV means the server has received the initial SYN, has sent its own SYN+ACK and is waiting for the ACK from the remote machine to complete the TCP handshake. A large number of these (half-open connections) points to a SYN flood, and the foreign addresses of those entries are the possible sources of the attack. The last two lines (Foreign, empty) are just the netstat header lines counted by the pipeline.
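The same tally done in code, added here as an example for these notes (it is not from the linked blog post): it parses `netstat -npt` output, counts states like the pipeline above but without the header noise, and lists the remote hosts holding many half-open connections. The netstat output embedded below is constructed for the example, as are the threshold and the function names.

```python
"""Tally TCP connection states from `netstat -npt` output and flag remote
addresses holding many half-open (SYN_RECV) connections, the SYN-flood
signature described in the notes above.  Added example, not from the linked
blog post; the sample output is constructed, not taken from a real host."""
import re
from collections import Counter

SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.2:40001      SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.2:40002      ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:80             198.51.100.2:40003      TIME_WAIT   -
tcp        0      0 10.0.0.5:22             198.51.100.9:55000      ESTABLISHED 999/sshd
"""

# One connection line: proto, Recv-Q, Send-Q, local, foreign, state (PID column optional).
CONN = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>[A-Z_0-9]+)"
)


def connections(text):
    """Yield (local, foreign, state) tuples; header lines do not match and are skipped."""
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            yield m["local"], m["foreign"], m["state"]


def state_counts(text):
    """Equivalent of the awk | sort | uniq -c pipeline, minus the header lines."""
    return Counter(state for _, _, state in connections(text))


def host(addr):
    """Strip the port; rsplit keeps IPv6 literals such as ::ffff:1.2.3.4 intact."""
    return addr.rsplit(":", 1)[0]


def half_open_sources(text, threshold=3):
    """Remote hosts with at least `threshold` SYN_RECV entries: candidate flood sources."""
    per_host = Counter(
        host(foreign) for _, foreign, state in connections(text) if state == "SYN_RECV"
    )
    return {h: n for h, n in per_host.items() if n >= threshold}


if __name__ == "__main__":
    import sys

    # Pipe real output in: netstat -npt | python3 netstat_states.py
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for state, n in state_counts(data).most_common():
        print(f"{n:7d} {state}")
    for h, n in half_open_sources(data).items():
        print(f"possible flood source {h}: {n} half-open connections")
```

A single host with many SYN_RECV entries is the case to act on (rate-limit or block at the ASA with threat detection or an ACL); a handful spread across many sources is normal for a busy server.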
IPSec VPN
To show just the IPsec config:
show run | include crypto|isakmp|access-list
ISAKMP vs IKE: ISAKMP (RFC 2408) is the framework and IKE (RFC 2409) is the key exchange that runs inside it; the ASA CLI uses the terms interchangeably (crypto isakmp ... / crypto ikev1 ...).
ISAKMP/IKE: UDP 500 (UDP 4500 with NAT-T)
ESP: IP protocol 50
AH: IP protocol 51
FRAMEWORK STEPS
Interesting traffic (crypto ACL, which must be mirrored on the peer):
access-list s2s extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list TEST_ACL line 1 extended deny ip host 10.1.1.1 host 4.2.2.2
TEMPLATE (IKEv1 L2L, 8.4+ syntax; on older releases the crypto ikev1 commands are crypto isakmp instead)
PHASE I
crypto ikev1 enable outside
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 am-disable   <-- disables aggressive mode; there is no command to explicitly enable main mode, it is the default
tunnel-group 100.1.1.2 type ipsec-l2l   <-- for L2L the tunnel-group is simply named after the peer address
tunnel-group 100.1.1.2 ipsec-attributes
 ikev1 pre-shared-key *****   <-- the PSK is masked in show run; to see it use more system:running-config
PHASE II
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac   <-- DES/3DES and MD5 are deprecated; prefer esp-aes-256 esp-sha-hmac when the peer supports it
crypto map outside_map 20 match address s2s
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 100.1.1.2
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map interface outside
show crypto isakmp sa
show crypto ipsec sa peer <peer ip>
show vpn-sessiondb remote   (IPsec remote VPN clients)
show vpn-sessiondb l2l      (L2L tunnels)
show vpn-sessiondb svc      (SSL VPN / AnyConnect clients; show vpn-sessiondb anyconnect on newer releases)
To clear down a tunnel (phase 2 for one peer):
clear crypto ipsec sa peer <peer ip>
Policy-Based VPN (IOS router syntax, not ASA)
- We have to define symmetric (mirrored) crypto access lists on both ends.
- ISAKMP association and authentication using pre-shared keys.
We create a keyring to hold our pre-shared keys, mapped by peer (public) IP address (on both ends):
crypto keyring VPN
 pre-shared-key address 172.16.0.3 key MySecretKey
- Now we create the ISAKMP profile (both ends):
crypto isakmp profile R1_to_R3
 keyring VPN
 match identity address 172.16.0.3 255.255.255.255
- Define an IPsec transform-set (protocol, encryption and hashing algorithms):
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
- Tie it all together (creating the crypto map) and apply it to the interface (both ends):
crypto map Policy_VPN 10 ipsec-isakmp
 match address R1_to_R3
 set peer 172.16.0.3
 set transform-set ESP-AES256-SHA1
 set isakmp-profile R1_to_R3
 reverse-route static
 set reverse-route distance 10
!
interface FastEthernet0/0
 crypto map Policy_VPN
Remember this is different from a route-based (tunnel interface) VPN: here the crypto map on the interface, usually on a firewall/hub, decides what gets encrypted: http://packetlife.net/blog/2011/aug/15/policy-based-vs-route-based-vpns-pa
VPN REMOTE ACCESS
Real example (trad.):
Dubinetfw1 – dubcorertr1 – TRADIF-L2L-TRF1-TRF2-001 (10m BSO) – ldnbh1gtransitrtr1
NAT
show nat
Several exemptions (pre-8.3 output). Review when and how NAT is needed between interfaces of the same security level (inside to inside).
network-control from inside to Internet
  match ip inside any inside 10.25.195.0 255.255.255.0
    dynamic translation to pool 30 (No matching global)
  match ip inside any Internet any
    dynamic translation to pool 1 (94.200.58.68 [Interface PAT])
    translate_hits = 217109256, untranslate_hits = 80650806
- A network-object is the ASA analogue of an address-book entry.
MODULAR POLICY FRAMEWORK
CLASS-MAP - POLICY-MAP - SERVICE-POLICY: the class-map is a template that matches a traffic type, the policy-map is the list of actions applied to one or more class-maps, and the service-policy binds the policy-map to one interface or to all of them.
Global policy → a policy applied to all interfaces.
Example:
ASAwAIP-CLI(config)# policy-map global_policy
ASAwAIP-CLI(config-pmap)# class inspection_default
ASAwAIP-CLI(config-pmap-c)# inspect ftp   <-- adds FTP inspection to the default inspection class
Content filtering (triggered by the HTTP engine) - Websense (can deny web requests from inside to outside)
Based on an auxiliary server (in the inside/DMZ zone) that tells the firewall which URLs are allowed to be visited.
Per-user filtering, based on credentials previously presented by the user.
Identify the servers:
Firewall(config)# url-server [(if_name)] vendor websense host local_ip [timeout seconds] [protocol {tcp | udp} version]
Define the policy:
Firewall(config)# filter url [http | port[-port]] local_ip local_mask foreign_ip foreign_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
Define a filtering policy for HTTPS/FTP:
Firewall(config)# filter https dest-port local_ip local_mask foreign_ip foreign_mask [allow]
Example:
Firewall(config)# url-server (dmz) vendor websense host 192.168.199.10 protocol TCP version 4
Firewall(config)# url-server (dmz) vendor websense host 192.168.199.11 protocol TCP version 4
Firewall(config)# filter url http 0 0 0 0 allow proxy-block
Firewall(config)# filter url except 192.168.4.0 255.255.255.0 0 0
Firewall(config)# filter url except 192.168.7.33 255.255.255.255 0 0
Firewall(config)# filter url except 192.168.7.40 255.255.255.255 172.24.1.10 255.255.255.255
Firewall(config)# filter https 443 0 0 0 0 allow
Firewall(config)# filter ftp 21 0 0 0 0 allow
Firewall(config)# url-block block 128
Firewall(config)# url-cache src_dst 128
Note the allow keyword: it means traffic is let through unfiltered when the URL server is unreachable (fail-open). Without it the firewall blocks that traffic while the server is down (fail-closed), which is the safer but more disruptive choice.
Filtering based on a policy hierarchy – Modular Policy Framework (fine tuning, 7.2+)
CLASS-MAPS:
One match condition per class-map.
To define it: (config)# class-map [name]
{(destination) port}:
(config-cmap)# match port tcp eq http
{access-list}, to group disparate traffic into a class and then apply an action:
Define the access-list:
access-list test extended permit tcp any host 192.168.198.17 eq http
Apply the match condition:
(config-cmap)# match access-list acl_name
{QoS parameters}, 2 criteria: IP precedence and DSCP
IP precedence:
(config-cmap)# match precedence value1 [value2 [value3 [value4]]]
DSCP:
(config-cmap)# match dscp value1 [value2 ...[value8]]
RTP:
(config-cmap)# match rtp starting_port range
VPN tunnel group:
(config-cmap)# match tunnel-group name
Catch-all and management classes:
(config-cmap)# match any
(config-cmap)# match default-inspection-traffic
(config)# class-map type management mgmt_cmap_name
POLICY-MAP: define a policy-map
(config)# policy-map policy_name
Match traffic with a class:
(config-pmap)# class class_name
Take an action on the matched traffic (see Actions below), then apply the policy-map to an interface or globally:
(config)# service-policy policy_name {global | interface if_name}
Actions
Connection limits (on matched traffic)
TCP timeouts:
(config-pmap-c)# set connection timeout [embryonic {hh:mm:...
Connection volume limits (number of connections):
(config-pmap-c)# set connection [conn-max n] [embryonic-...
Firewall# show service-policy set connection
Firewall# show service-policy [interface iface]   <-- to monitor the policy
Adjust TCP options: define a tcp-map
Firewall(config)# tcp-map tcp_map_name
Define its actions (table 7-5), then apply the map as a template action:
(config-pmap-c)# set connection advanced-options tcp_map_name
Use an IPS module (Intrusion Prevention System, hardware module for the ASA) inline or in promiscuous mode; CSC module; policer to limit the bandwidth:
(config-pmap-c)# police output conform_rate [burst_bytes] conform-action transmit exceed-action drop
ASA CLUSTERING / FAILOVER
Evolution from simple failover: up to 8 members are allowed (at the time of writing), joined by the cluster control link. All the routing / layer 2 distribution is done by the switches above and below the cluster, so asymmetric routing can be a problem. The preferred distribution technique is a spanned EtherChannel.
Roles: there is a master (control unit), an owner (of each connection), a director and a forwarder.
To force a failover:
failover active      # on the secondary
no failover active   # on the primary
To restart the standby box:
failover reload-standby
For the isakmp sa:
show crypto isakmp sa
For the ipsec sa:
show crypto ipsec sa
debug crypto isakmp
debug crypto ipsec
Review “Sample Error Messages” from http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
ldngs28vpnfw01# sh crypto isakmp sa
Active SA: 11
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 11
IKE Peer: 213.61.9.96
Type : L2L   Role : initiator   Rekey : no   State : MM_ACTIVE
ldngs28vpnfw01# sh crypto ipsec sa peer 213.61.9.96
peer address: 213.61.9.96
Crypto map tag: outside_map, seq num: 7, local addr: 94.142.184.25
access-list outside_7_cryptomap extended permit tcp host 94.142.184.179 host 194.55.42.40 eq 14000
local ident (addr/mask/prot/port): (94.142.184.179/255.255.255.255/6/0)
remote ident (addr/mask/prot/port): (194.55.42.40/255.255.255.255/6/14000)
current_peer: 213.61.9.96
#pkts encaps: 5601916, #pkts encrypt: 5601916, #pkts digest: 5601916
#pkts decaps: 5084409, #pkts decrypt: 5084409, #pkts verify: 5084409
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5601916, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 94.142.184.25/0, remote crypto endpt.: 213.61.9.96/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 87888A79
current inbound spi : 6A649AF5
How to read it: MM_ACTIVE means phase 1 (main mode) is up. #pkts encaps/decaps increasing in both directions means the tunnel is passing traffic; encaps growing while decaps stays flat means the peer is not sending anything back (check its crypto ACL and routing). The remaining key lifetime counters below show when the next rekey is due.
inbound esp sas:
spi: 0x6A649AF5 (1784978165)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 215240704, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373977/20503)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x87888A79 (2273872505)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 215240704, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373985/20502)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set pfs group5
crypto map outside_map 7 set peer 213.61.9.96
crypto map outside_map 7 set transform-set ESP-AES-256-MD5
crypto map outside_map 7 set reverse-route
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable BTRadianz
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
[....]
crypto isakmp policy 120
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
tunnel-group 213.61.9.96 type ipsec-l2l
tunnel-group 213.61.9.96 ipsec-attributes
IDENTITY BASED FIREWALLING
Local user groups
TRUSTSEC AND ISE
AAA SERVICES (Chap7)
The following is mainly for wireless devices
ISE server
PSN server (Policy Service Node)
Enable console/terminal logging
To enable syslogging (prerequisite):
logging enable
Default: messages are not logged to vty (terminal) sessions, only to the console.
If on the console:
show logging | include onsole
If on a vty:
terminal monitor / terminal no monitor
conf t
 logging console <level>    ! for the console
 logging monitor <level>    ! for vty sessions
 logging buffered <level>   ! for the local buffer (show logging)
IPSEC VPN in Cisco ASA
debug crypto isakmp 50   ! 50 is the debug level <1-255>
debug crypto ipsec 7     ! 7 is the debug level <1-255>
vpn-sessiondb logoff tunnel-group 192.168.1.1
clear crypto isakmp sa <peer ip address>   ! pre-8.3
clear ipsec sa peer 192.168.1.1            ! post-8.3
It is recommended to enable debugging together with terminal monitor:
debug crypto isakmp 50
You may need terminal monitor to see the messages on a vty session.
Configuration:
INTERPRETING ASA LOGS
.. flags UIOB ..
Review “Sample Error Messages” from http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
NOTES FROM TRAx
ASA NOTES- TO BE FORMATTED
Troubleshooting general VPN
For a list of all tunnels in phase 2:
show crypto ipsec sa | begin access
show crypto isakmp sa
Interesting SYSLOG MESSAGES:
IPsec phase 1/2 related: 713119 (phase 1 completed), 713120 (phase 2 completed), 713049 (security negotiation complete), 113019 (session disconnected)
less localmessages | grep -E "713119|713120|713049|113019"
https://supportforums.cisco.com/discussion/11119801/monitoring-vpn-connection-attempts ; http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/syslog.html
http://blog.webernetz.net/2014/07/25/grep-commands-for-cisco-asa-syslog-messages/
The "U", "I" and "O" flags denote that the connection is up and has received inbound and outbound data. The "B" flag means the connection was initiated from the outside (initial SYN from outside).
.. flags UIOB ..
To quickly see the meaning of every flag, the legend is printed at the top of:
ASA5515-X# show conn detail
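A small decoder for the flag column, added here as an example for these notes (it is not Cisco tooling and not code from the original page); it also serves the earlier "show conn detail, important here are the flags" remark. The FLAGS table is a subset of the legend that show conn detail prints and should be checked against the running release; the show conn lines, interface names and function names are constructed for the example.

```python
"""Decode the flag column of `show conn` output and pick out the connections
worth a second look: embryonic ones (handshake never completed) and
established ones that were opened from the outside.  Added example, not
Cisco tooling; FLAGS is a subset of the `show conn detail` legend and the
sample lines are constructed, not copied from a real ASA."""
import re
from collections import Counter

FLAGS = {
    "U": "up",
    "I": "inbound data",
    "O": "outbound data",
    "B": "initial SYN from outside",
    "A": "awaiting inside ACK to SYN",
    "a": "awaiting outside ACK to SYN",
    "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",
    "F": "outside FIN",
    "f": "inside FIN",
    "R": "outside acknowledged FIN",
    "r": "inside acknowledged FIN",
    "D": "DNS",
    "T": "SIP",
    "V": "VPN orphan",
}

# "TCP outside 203.0.113.7:51234 inside 10.0.0.5:80, idle 0:00:09, bytes 0, flags aB"
CONN = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+(?P<if1>\S+)\s+(?P<addr1>\S+)\s+(?P<if2>\S+)\s+(?P<addr2>\S+),"
    r"\s+idle\s+(?P<idle>\S+),\s+bytes\s+(?P<bytes>\d+)(?:,\s+flags\s+(?P<flags>\S+))?"
)

SAMPLE = """\
TCP outside 203.0.113.7:51234 inside 10.0.0.5:80, idle 0:00:09, bytes 0, flags aB
TCP outside 203.0.113.7:51235 inside 10.0.0.5:80, idle 0:00:08, bytes 0, flags aB
TCP inside 10.0.0.23:41022 outside 198.51.100.2:443, idle 0:00:01, bytes 18342, flags UIO
TCP outside 198.51.100.9:55000 inside 10.0.0.5:22, idle 0:01:12, bytes 4096, flags UIOB
UDP inside 10.0.0.23:51111 outside 198.51.100.53:53, idle 0:00:02, bytes 130, flags -
"""


def decode(flags):
    """Human-readable meaning of each flag letter; unknown letters come back as '?x'."""
    if not flags or flags == "-":
        return []
    return [FLAGS.get(f, "?" + f) for f in flags]


def parse(text):
    """Parse every connection line into a dict (flags normalised to '' when absent)."""
    conns = []
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            rec = m.groupdict()
            rec["flags"] = "" if rec["flags"] in (None, "-") else rec["flags"]
            rec["bytes"] = int(rec["bytes"])
            conns.append(rec)
    return conns


def peer_on(rec, ifname):
    """Address of the endpoint that sits on interface `ifname`, or None."""
    if rec["if1"] == ifname:
        return rec["addr1"]
    if rec["if2"] == ifname:
        return rec["addr2"]
    return None


def embryonic_by_source(text, outside_if="outside"):
    """TCP connections that never reached 'U', counted per outside host (SYN-flood view)."""
    c = Counter()
    for rec in parse(text):
        if rec["proto"] == "TCP" and "U" not in rec["flags"]:
            peer = peer_on(rec, outside_if)
            if peer:
                c[peer.rsplit(":", 1)[0]] += 1
    return dict(c)


def outside_initiated(text):
    """Established connections whose first SYN came from the outside ('B' together with 'U')."""
    return [rec for rec in parse(text) if "B" in rec["flags"] and "U" in rec["flags"]]
```

Paste the output of show conn into a file and feed it to parse(); embryonic_by_source() gives the same per-source view as the netstat tally above but from the firewall's side, and outside_initiated() lists what the outside world has actually opened through the ACLs.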
IPSEC-VPN SYSLOG MESSAGES http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs2.html
# %ASA-5-713119 - PHASE 1 COMPLETED
%ASA-5-713119: Group = 193.29.78.6, IP = 193.29.78.6, PHASE 1 COMPLETED
# %ASA-5-713049 - security negotiation complete: an IPsec tunnel has been started. For L2L the 'group' is the peer address.
%ASA-5-713049: Group = 199.166.9.47, IP = 199.166.9.47, Security negotiation complete for LAN-to-LAN Group (199.166.9.47) Responder, Inbound SPI = 0xafe32a83, Outbound SPI = 0xe275cedd
# %ASA-4-113019 - SESSION DISCONNECTED; the Reason field says why.
%ASA-4-113019: Group = 193.29.78.6, Username = 193.29.78.6, IP = 193.29.78.6, Session disconnected. Session Type: IKE, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
# Example of a good connection (phase 1 not included). The 713075 line shows the ASA imposing its own shorter phase 2 lifetime; the 602304 deletions are the previous SAs being replaced on rekey.
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xEE07D12B) between 64.209.115.250 and 199.166.9.47 (user= 199.166.9.47) has been created.
%ASA-5-713120: Group = 199.166.9.47, IP = 199.166.9.47, PHASE 2 COMPLETED (msgid=c3c3b320)
%ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x98F27E7F) between 64.209.115.250 and 199.166.9.47 (user= 199.166.9.47) has been deleted.
%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1E9C1091) between 64.209.115.250 and 199.166.9.47 (user= 199.166.9.47) has been deleted.
%ASA-5-713075: Group = 199.166.9.47, IP = 199.166.9.47, Overriding Initiator's IPSec rekeying duration from 28800 to 3600 seconds
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1FB41823) between 64.209.115.250 and 199.166.9.47 (user= 199.166.9.47) has been created.
%ASA-5-713049: Group = 199.166.9.47, IP = 199.166.9.47, Security negotiation complete for LAN-to-LAN Group (199.166.9.47) Responder, Inbound SPI = 0x1dc8bc00, Outbound SPI = 0x1fb41823
RA user related:
Syslog ID 113015: AAA user authentication Rejected : reason = Invalid password : local database : user = <user>
Syslog ID 713184: Group = ciscovpn_ra_access, Username = , IP = , Client Type: WinNT  Client Application Version: 4.8.00.0440
Syslog ID 113012: AAA user authentication Successful : local database : user = <username>
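The grep above answers "did the tunnel come up"; the parser below, added here as an example for these notes (not Cisco code), turns the message IDs listed in this section into a per-peer timeline and a list of rejected logins, which is what you want when a peer keeps flapping or a remote-access account is being brute-forced. The syslog lines it ships with are constructed with documentation addresses in the formats shown above; the event names and function names are the example's own.

```python
"""Parse the IPsec / remote-access syslog IDs listed in the notes above out of
ASA syslog lines and build a per-peer timeline.  Added example, not Cisco
code; the sample lines are constructed with documentation addresses and follow
the message formats shown above."""
import re
from collections import defaultdict

# Message ID -> what it means for a tunnel or user session (IDs from the notes above)
EVENTS = {
    "713119": "ike_phase1_complete",
    "713120": "ipsec_phase2_complete",
    "713049": "ipsec_negotiation_complete",
    "713075": "rekey_lifetime_overridden",
    "602303": "ipsec_sa_created",
    "602304": "ipsec_sa_deleted",
    "113019": "session_disconnected",
    "113015": "aaa_auth_rejected",
    "113012": "aaa_auth_success",
    "713184": "ra_client_info",
}

HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")
KV = re.compile(r"\b(Group|IP|Username) = ([^,]*)")   # "IP = 203.0.113.10,"
REASON = re.compile(r"Reason: (.*)$")                  # 113019 disconnect reason
USER = re.compile(r"\buser = (\S*)")                   # 1130xx AAA messages

SAMPLE = [
    "%ASA-5-713119: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED",
    "%ASA-5-713120: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=c3c3b320)",
    "%ASA-5-713049: Group = 203.0.113.10, IP = 203.0.113.10, Security negotiation complete for "
    "LAN-to-LAN Group (203.0.113.10) Responder, Inbound SPI = 0xafe32a83, Outbound SPI = 0xe275cedd",
    "%ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session "
    "disconnected. Session Type: IKE, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service",
    "%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jdoe",
    "%ASA-6-113012: AAA user authentication Successful : local database : user = jdoe",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/40001 "
    "(198.51.100.7/40001) to inside:10.0.0.5/443 (10.0.0.5/443)",
]


def parse_line(line):
    """Dict with id, severity, event and whichever fields are present, or None
    for lines that are not ASA syslog messages."""
    m = HEADER.search(line)
    if not m:
        return None
    body = m["body"]
    rec = {"id": m["id"], "severity": int(m["sev"]), "event": EVENTS.get(m["id"], "other")}
    for key, val in KV.findall(body):
        rec[key.lower()] = val.strip()
    r = REASON.search(body)
    if r:
        rec["reason"] = r.group(1).strip()
    u = USER.search(body)
    if u:
        rec["user"] = u.group(1)
    return rec


def peer_timeline(lines):
    """Ordered list of tunnel events per peer IP; lines without an IP field are ignored."""
    timeline = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] != "other" and "ip" in rec:
            timeline[rec["ip"]].append(rec["event"])
    return dict(timeline)


def failed_logins(lines):
    """Usernames from 113015 messages: spot password guessing against RA VPN accounts."""
    return [rec["user"] for rec in map(parse_line, lines)
            if rec and rec["id"] == "113015" and "user" in rec]
```

Run it over the output of the grep above (or a whole syslog file); a peer whose timeline alternates phase 1/phase 2 completions with 113019 disconnects every few minutes is renegotiating rather than staying up, and the Reason field on the disconnect is the first thing to look at.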
Troubleshoot l2tp vpn
https://supportforums.cisco.com/document/66921/pptp-l2tp-l2tp-over-ipsec-important-debugs
IPSEC VPN CONFIGURATION
Network Operations profile:
ukvpn.marketaxess.com/NETOPSSLVPN
IPsec VPN configuration steps:
- Enable ISAKMP/IKE on the outside interface (UDP 500)
- ISAKMP/IKE policy (crypto ikev2 policy): authentication, encryption, integrity (hash), DH group, lifetime
- Tunnel group (tunnel-group <peer> type ipsec-l2l) holding the PSK
- IPsec policy (crypto ipsec ikev2 ipsec-proposal): encryption, integrity, mode and ESP type
- Define the crypto map (peer, match address, proposal) and apply it to the interface
- Traffic filtering (crypto ACL defining the interesting traffic, interface ACLs)
- Bypass NAT for the tunnelled traffic (NAT exemption / identity NAT)
- PFS
TEMPLATE http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/ike.html
VPN REMOTE ACCESS (IPsec/IKEv1 remote access, older syntax)
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
ip local pool testpool 192.168.0.10-192.168.0.15
username testuser password 12345678
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
tunnel-group CORPORATE type remote-access
tunnel-group CORPORATE general-attributes
tunnel-group CORPORATE webvpn-attributes
tunnel-group testgroup general-attributes
 address-pool testpool
tunnel-group testgroup ipsec-attributes
 pre-shared-key 44kkaol59636jnfx
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
vpn.marketaxess.com, usvpn.marketaxess.com (legacy?), ukvpn.marketaxess.com
AnyConnect. To check who is currently connected:
For USA:
CP02-ASAVPN01/pri/act# show vpn-sessiondb anyconnect | include Username
For UK:
UK02-ASAVPN01# show vpn-sessiondb anyconnect | grep User
ISAKMP policy = authentication method, encryption, HMAC integrity, DH group, lifetime. ISAKMP phase 1 builds the protected channel (IKE SA) over which phase 2 (the IPsec SAs) is negotiated.
NAT in ASA
Packet flow:
ASA Packet Flow
BRKSEC-3020.pdf
Downloadable ACLs (DACLs) on the intervrf firewall (for user access in ABS (no CHKP)) <-- these access lists override the access list configured on the interface that the host is connected to.
After the upgrade to 9.5(1) we are not using DACLs. Users authenticate to the ASA itself (cut-through proxy) when they access resources; see show uauth below.
We put the config in the object groups, and when the user authenticates they get that rule set. The only difference is that the ACL is not defined on an interface.
The user is not bound to an IP in advance: when they authenticate, the ASA binds them to the source IP they came from during the authentication.
show uauth: displays one or all currently authenticated users, the host IP to which they are bound and any cached IP and port authorization information (privileged EXEC mode).
uk02-intervrf-fwall/pr
IDS in ASA
show run thread detection
Basic (default)
threat-detection basic-threat no threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ACL LOOKUP From a high security level to a lower one, no access list is strictly required (traffic will flow). But we can apply it
In ACS, access lists are not constrained up to L4 but they go all over Layer 7. Referring here to security appliance ACL (proper subnet mask, no wild-cards like plain acl (they only only first packet): ACE
Note that, in tcp or udp sessions, the flow (and therefore the return traffic) is easy to identify by the appliance. However, for icmp, we need to 1) explicitly enable a return ACL for icmp and apply it to the outside interface or 2) enable ICMP inspection. Ping to the asa interfaces is allowed by default. We can restrict it with an icmp policy (start with the icmp keyword)
Split tunnel for remote access VPN: with split tunnelling only the networks in the split-tunnel list go through the tunnel; everything else (the user's Internet traffic) leaves the client directly and bypasses the firewall. If we want the customer's Internet traffic to be inspected by the firewall as well, use a full tunnel (tunnelall) instead, together with hairpinning and a NAT rule for pool-to-outside traffic.
ACLs can be global, applied inbound on all interfaces (access-group NAME global). Standard access lists are not applied to interfaces but referenced by processes: split-tunnel network lists, route filtering for OSPF (see pg 251).
Extended access lists are not applied within the interface configuration as in classical IOS (ip access-group); they are bound to the interface with access-group:
access-group name in interface inside
Check object grouping and object nesting for ACLs!
The ASA can download ACLs on demand after a user tries to access a resource and is prompted for credentials (cut-through proxy with DACLs).
ASA TRANSPARENT FIREWALL FEATURE
In pre-8.3 versions NAT was more permissive: from high to low security level NAT was not compulsory. With the nat-control command every flow from inside to outside had to match a NAT rule (nat/global or static) or be discarded, on top of the access lists.
Pg348. Before routing, the ASA checks destination NAT (the xlate/static table) and virtually forwards the packet according to it, so the translation decides the egress interface. This is only relevant pre-8.3; in later ASA OS Unified NAT is used, where for static rules the mapped interface in the nat command decides the egress interface unless route-lookup is specified.
"nat (inside,outside) ..." is the 8.3+ NAT syntax. Do not confuse the pre-8.3 global command (a mapped address pool) with 8.3+ global access lists; this one defines a PAT pool on an interface and has nothing to do with ACLs:
global (liffe_nyse_hpci_red) 60 interface
Define the inside group to be included for NAT:
nat (inside) 1 10.1.6.0 255.255.255.0
Specify a pool of addresses on the outside interface to which the hosts defined in the NAT statement are translated:
global (outside) 1 175.1.1.3-175.1.1.64 netmask 255.255.255.0
Now the hosts on the inside can access outside networks. When inside hosts initiate a connection to the outside they are translated to an address from the global pool, assigned on a first-come, first-translated basis (the NAT id, 1 here, is what links the nat and global statements).
Static NAT/PAT: a fixed one-to-one pair, so 100 hosts on the inside would require 100 addresses on the outside (static PAT maps individual ports instead, so several inside services can share one mapped address). It is important to be clear that the outside destination address/port that is translated to an internal one does not necessarily have to be the interface address; it can be another address in that external subnet, for which the ASA answers ARP (proxy ARP). E.g.: a client in 2.32.1.1/16 sends packets to 209.165.200.229:25, which are translated to an internal 192.168.1.1/24 host, while the outside interface itself has a different address in that subnet. If the mapped address is outside the interface subnet, the upstream router needs a route for it pointing at the ASA (see pg 342).
NAT example (pre-8.3 syntax):
nat (inside) 1 10.1.2.0 255.255.255.0 <-- defines the real addresses to translate (NAT id 1)
global (outside) 1 209.165.201.1-209.165.201.15 <-- maps NAT id 1 to a pool of outside addresses
static (inside,dmz) 10.1.6.0 10.1.6.0 netmask 255.255.255.0 <-- identity NAT between inside and dmz
access-list acl_outbound permit tcp 10.1.6.0 255.255.255.0 any eq www
access-list acl_outbound deny tcp any any eq www
access-list acl_outbound permit ip any any
access-group acl_outbound in interface inside
(config)# static (outside,inside) 213.238.120.10 10.1.3.4 netmask 255.255.255.255 dns
The dns keyword resolves the problem stated by Paul: a DNS response from the outside DNS server to an inside host that refers to the mapped address of an inside host is rewritten to the real (unmapped) IP of that host (DNS doctoring), so inside clients reach it directly instead of via the outside address.
8.3+ ASA versions
All the examples here follow show 35 of the Cisco Security TAC podcasts: www.cisco.com/c/en/us/solutions/enterprise-networks/security/security_tac_podcasts.html
Basically two kinds: Auto NAT (object NAT) and Manual/Twice NAT (policy NAT). Simplified configuration; see the steps below.
Auto NAT: the order of the objects in the configuration is not relevant, as the ASA orders the rules itself and picks the most specific one. To configure it, we put one of the NAT methods inside the network object definition, e.g.:
(config-network-object)# nat (inside,outside) dynamic interface
or
(config-network-object)# nat (dmz,outside) static 212.165.20.225
The prompt (config-network-object) means this is inside an object definition.
Manual/Policy (twice) NAT: translates source and/or destination in one rule, uses predefined objects and is configured at the top level, not inside the object definition. With Auto NAT, by contrast, the network object is the container of the NAT action: the NAT is embedded in the object, and the object can be reused outside the NAT realm, for instance in access lists. Example: a server that is translated outbound; if we use the same server object in an ACL permitting traffic to it, the NAT is implicit, and if we change the server address both the NAT and the ACL are updated automatically. Manual NAT: Example 10-3 pg 359.
Also note the special location of the network objects in the configuration and how they seem repeated (the object definition appears near the top, the nat statement later): this is to do with the way it is loaded in memory. Listen to the explanation at minute 12 of the podcast.
From 8.3 the real (not translated) address of the host is used in access lists to allow or deny traffic destined to it, i.e. the inside address even on the outside interface. Understand "not translated" as the address on the real side of the translation, not "before the translation happens" (that would be ambiguous). Pre-8.3 it was the opposite: the mapped address was used.
The following commands are no longer supported: alias, global, nat (old syntax), nat-control, static, ...
Also no default NAT rules exist anymore (and no nat-control): traffic from inside to outside flows untranslated unless we create the NAT rule (e.g. dynamic PAT to the outside interface).
Unified NAT replaces the old NAT order: rules are evaluated top-down, first match wins, in three sections: Section 1 manual NAT (in configured order), Section 2 auto NAT (ordered by the ASA: static before dynamic, then the more specific, i.e. the smaller real network, first), Section 3 manual NAT entered with the after-auto keyword.
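Added example (not configuration from this page) that puts the 8.3+ pieces above together: two Auto NAT rules, one Manual NAT rule that only applies towards a partner network, and an interface ACL written against the real address. Object names and all addresses are assumptions.

```cisco
! Constructed example (8.3+). Section 2, auto NAT: inside users PAT behind the outside interface address
object network INSIDE-NET
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Section 2, auto NAT: DMZ web server, one-to-one static to a mapped address that is NOT the interface IP
object network DMZ-WEB
 host 192.168.1.10
 nat (dmz,outside) static 209.165.200.229
! Section 1, manual/twice NAT: the same inside users get a different mapped address only towards the partner.
! It is evaluated before both auto NAT rules even though it is the last NAT line in the config.
object network PARTNER-NET
 subnet 172.16.50.0 255.255.255.0
object network INSIDE-MAPPED-FOR-PARTNER
 host 209.165.200.230
nat (inside,outside) source dynamic INSIDE-NET INSIDE-MAPPED-FOR-PARTNER destination static PARTNER-NET PARTNER-NET
! 8.3+: the interface ACL references the REAL address (object DMZ-WEB = 192.168.1.10), not 209.165.200.229
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq www
access-group OUTSIDE-IN in interface outside
! Verification
! show nat detail                                                 -> rules per section, translate/untranslate hits
! packet-tracer input outside tcp 198.51.100.7 1025 209.165.200.229 80   -> UN-NAT phase, then ACCESS-LIST
```

In "show nat detail" the static DMZ-WEB rule is listed before the dynamic INSIDE-NET rule in Section 2 regardless of the order they were typed, and the partner rule appears in Section 1. If the ACL were written against 209.165.200.229, packet-tracer would show it dropped at the ACCESS-LIST phase after UN-NAT.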
Review "Sample Error Messages" from http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
ldngs28vpnfw01# sh crypto isakmp sa
Active SA: 11
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 11
IKE Peer: 213.61.9.96
Type : L2L   Role : initiator   Rekey : no   State : MM_ACTIVE
ldngs28vpnfw01# sh crypto ipsec sa peer 213.61.9.96
peer address: 213.61.9.96
Crypto map tag: outside_map, seq num: 7, local addr: 94.142.184.25
access-list outside_7_cryptomap extended permit tcp host 94.142.184.179 host 194.55.42.40 eq 14000
local ident (addr/mask/prot/port): (94.142.184.179/255.255.255.255/6/0)
remote ident (addr/mask/prot/port): (194.55.42.40/255.255.255.255/6/14000)
current_peer: 213.61.9.96
#pkts encaps: 5601916, #pkts encrypt: 5601916, #pkts digest: 5601916
#pkts decaps: 5084409, #pkts decrypt: 5084409, #pkts verify: 5084409
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5601916, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 94.142.184.25/0, remote crypto endpt.: 213.61.9.96/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 87888A79
current inbound spi : 6A649AF5
inbound esp sas:
  spi: 0x6A649AF5 (1784978165)
  transform: esp-aes-256 esp-md5-hmac no compression
  in use settings ={L2L, Tunnel, PFS Group 5, }
  slot: 0, conn_id: 215240704, crypto-map: outside_map
  sa timing: remaining key lifetime (kB/sec): (4373977/20503)
  IV size: 16 bytes
  replay detection support: Y
  Anti replay bitmap:
   0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
  spi: 0x87888A79 (2273872505)
  transform: esp-aes-256 esp-md5-hmac no compression
  in use settings ={L2L, Tunnel, PFS Group 5, }
  slot: 0, conn_id: 215240704, crypto-map: outside_map
  sa timing: remaining key lifetime (kB/sec): (4373985/20502)
  IV size: 16 bytes
  replay detection support: Y
  Anti replay bitmap:
   0x00000000 0x00000001
Healthy tunnel: both #pkts encaps and #pkts decaps keep increasing, as here. Encaps increasing with decaps stuck at zero means the peer is not sending (or is dropping) the return traffic: check that the remote crypto ACL mirrors ours and that NAT on either side is not translating the interesting traffic before encryption.
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set pfs group5
crypto map outside_map 7 set peer 213.61.9.96
crypto map outside_map 7 set transform-set ESP-AES-256-MD5
crypto map outside_map 7 set reverse-route
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable BTRadianz
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
[....]
crypto isakmp policy 120
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
tunnel-group 213.61.9.96 type ipsec-l2l
tunnel-group 213.61.9.96 ipsec-attributes
Caveat: esp-md5-hmac, IKE DH group 2 (1024-bit) and PFS group 5 (1536-bit) are legacy choices; when the peer supports it, prefer esp-sha256-hmac (or AES-GCM) and DH group 14 or higher. Phase 1 parameters (encryption, hash, group, authentication) must match one of the peer's policies or the SA never reaches MM_ACTIVE.
IDENTITY BASED FIREWALLING
Local user groups
TRUSTSEC AND ISE
AAA SERVICES (Chap7)
The following is mainly for wireless devices: ISE server, PSN (Policy Service Node).
Enable console/terminal logging
Prerequisite to any syslogging:
logging enable
By default messages are not shown on vty (terminal) sessions. Check what is enabled for the console with:
show logging | inc onsole
On a vty session, logging to your own terminal is toggled per session with:
terminal monitor
terminal no monitor
The destinations themselves are set in configuration mode, each with a severity level (e.g. informational):
conf t
logging console   ! serial console
logging monitor   ! for vty sessions that have terminal monitor on
logging buffered  ! local buffer, read with show logging
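Added example (not configuration from this page) of a complete logging setup: local buffer, console kept quiet, vty monitor, and a remote syslog host. The syslog server address 10.1.1.50 and the suppressed message ID are assumptions chosen for illustration.

```cisco
! Constructed example
logging enable
logging timestamp
! Local buffer: cheap, lost on reboot, read with "show logging"
logging buffer-size 1048576
logging buffered informational
! Serial console: keep this at a low severity, console logging is slow and can starve the CPU
logging console critical
! What vty sessions with "terminal monitor" see
logging monitor informational
! Remote syslog (UDP/514 by default); "logging trap" sets the severity sent to the host
logging host inside 10.1.1.50
logging trap informational
logging device-id hostname
! Silence one noisy message instead of lowering the level for everything
! (106015 = "Deny TCP (no connection)", usually stray RST/ACKs)
no logging message 106015
! Check the result
! show logging
```

The order of severities is emergencies(0) to debugging(7); a level includes everything more severe than itself, so "logging trap informational" sends 0 to 6 and leaves debugging out.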
ASA from scratch, configuration
Remote access VPN:
ip local pool MKTX_ASHBURN_GUEST_POOL 10.30.162.225-10.30.162.247 mask 255.255.255.0
This is the set of source addresses handed out to the customer's clients when they connect to us over IPsec. They land in VLAN 118/119 CRP-DR-VDI-inside.
Types of VPN:
IPsec VPN: site-to-site (L2L) and remote access (AnyConnect over IKEv2)
L2TP/IPsec: remote access with the native OS clients
SSL VPN: clientless (WebVPN portal) and AnyConnect
Concepts:
CERTIFICATE INSTALLATION:
https://www.digicert.com/ssl-certificate-installation-cisco-asa-5500.htm
https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc7
CONFIGURING THE VPN
todo
SETTING UP THE NAT RULES (AND SPLIT TUNNEL IF NEEDED)
access-list NAT-EXEMPT extended permit ip 192.168.100.0 255.255.255.0 192.168.104.0 255.255.255.0
This is the pre-8.3 NAT exemption list (referenced by nat 0); on 8.3+ the equivalent is an identity twice-NAT rule between the inside network and the VPN pool, so that traffic to the clients is not PATed.
tunnel-group VPN general-attributes
 address-pool AnyConnect (the address pool you created earlier)
To configure the split tunnel: https://www.techrepublic.com/blog/smb-technologist/quick-guide-anyconnect-client-vpn-on-cisco-asa-5505/
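Added example (not this page's configuration) of the remote access pieces from the previous sections on an 8.3+ ASA: the client pool, the 8.3+ NAT exemption, a split tunnel that only sends the inside LAN through the tunnel, and the group-policy/tunnel-group that tie them together. Pool, object, group-policy and tunnel-group names and all addresses are assumptions; the certificate (see the links above) and the anyconnect image package are not shown.

```cisco
! Constructed example (8.3+)
ip local pool ANYCONNECT-POOL 192.168.104.1-192.168.104.100 mask 255.255.255.0
object network INSIDE-LAN
 subnet 192.168.100.0 255.255.255.0
object network ANYCONNECT-POOL-NET
 subnet 192.168.104.0 255.255.255.0
! NAT exemption, 8.3+ style: identity twice-NAT (Section 1, so it wins over the dynamic PAT in Section 2)
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static ANYCONNECT-POOL-NET ANYCONNECT-POOL-NET no-proxy-arp route-lookup
! Split tunnel: a STANDARD ACL lists what goes through the tunnel; everything else leaves the client directly
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 dns-server value 192.168.100.10
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias ANYCONNECT enable
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
! Check what a connected client received (assigned IP, split-tunnel networks, group policy):
! show vpn-sessiondb detail anyconnect
```

If the customer's Internet traffic must be inspected by the firewall, replace "tunnelspecified" with "split-tunnel-policy tunnelall", allow the hairpin with "same-security-traffic permit intra-interface", and add a dynamic NAT for ANYCONNECT-POOL-NET from (outside,outside) to the interface address; without the hairpin the ASA drops the clients' traffic that has to leave the same interface it arrived on.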
FIREPOWER ( new evolved asa )