Archive for category VPN

Getting Windows 8 to work with Cisco VPN Client

I got stuck with Windows 8 pre-installed, lets just say I wont be buying from NewEgg anymore sadly.  Efforts to install Windows 7 even after negotiating UEFI failed, I believe that the BIOS has been specifically munged to thwart the 7 install. Asus simply says you cant go back.

So why I hate Windows 8 starts with the fact that I am a business/tech user, I don’t need to draw pictures for my mother or swipey swipey with my finger.  I need VPN’s to work and ASDM software to work.

Tip #1:  How to get Cisco VPN Client to work with Windows 8
Open Registry editor by typing regedit in CMD prompt
Browse to the Registry Key  HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CVirtA
Select the DisplayName to modify, and delete the leading characters in front of “Cisco”

For x64, change the value data from something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows” to “Cisco Systems VPN Adapter for 64-bit Windows”

Share

, , , , ,

7 Comments

Yet another Hairpin: Internet Access from VPN Hub

Firewalls typically don’t hairpin well or at all for that matter,  unless specifically told to do so.  Hair-pinning is when a packet ultimately leaves the same interface it came into.

On a LAN it is somewhat common for packets to “bounce” off of one router interface to get to the right one, a prime candidate for the ICMP Redirect process.  Forget having your Cisco ASA or Pix participate in that little exchange of ICMP messages needed though, Cisco has long held that routing protocols are exploitable and have no place on a firewall (Yes they now speak EIGRP and OSPF, go figure).

The other example of hair-pinning that comes to mind deals with VPNs and Internet Access. The scenario is that a spoke or remote site VPNs to the hub or central site and wants to travel on to the Internet from there.  While it’s tempting to think of a VPN as originating from deep in the firewall the reality is that it is treated as coming from the outside interface.

In short you have to set up NAT for packets that arrive on the outside interface to turnaround and exit through the outside interface. Yes this is counter-intuitive, you have to apply the same NAT-Exempt and NAT statements on the interface as if friendlies were behind you and not the wild woolly Internet.

Assuming you assign VPN addresses from a  pool on 172.16.0.0/24; the CLI then looks like this:

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 0 access-list outside_nat0
nat (outside) 1 10.17.0.0 255.255.255.0

access-list outside_nat0 extended permit ip any 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any <your network>

Also you will need a very important sysopt:

same-security-traffic permit intra-interface

This basically turns on the ability to hair-pin.

Share

, , , , , , , , , ,

2 Comments

Cisco VPN X64 support…. or not.

Okay, if you read this http://www.cisco.com/web/software/282364316/31835/5.0.07.0240-beta-rel-notes.txt it says that x64 support for Windows 7 and Vista is finally here.  It’s just that it also says that 64 bit isn’t supported.

Share

, , ,

No Comments

Cisco ASA and Windows Server 2008: Welcome Back LDAP

You may or may not have problems doing Windows style authentication to your Server 2008 for your AAA access on your ASA firewall.

I have seen it work and not work, I suspect that the forest/domains were probably at different levels, I have heard that Server 2008 doesn’t support NTLM version 1.

If your doesn’t or you want to use LDAP, read on.  One reason you may want to use LDAP is you can stack attributes using Dynamic Policies,

The first problem I will encounter at a customer site is getting the ASA to talk to the domain controller as part of the LDAP AAA group setup. Usually it’s an OU issue, to find the exact string run the dsquery command on the Domain Controller (DC):

dsquery user -samid ciscoldap
"CN=ciscoldap,OU=Service Accounts,OU=HQ,DC=somedomain,DC=com"

In the case above there was an additional OU of HQ.  Now when clicking on the Test button on AAA group setup it successfully communicates.


Be aware that a failure of credentials for LDAP will give the same error as if there is a connectivity issue or the Windows firewall is blocking the port.


Now the cool thing IMHO is you can browse the various Windows attributes from with in the ASA.  I use this to “stack” attributes, instead of just controlling whether someone can log in if the RemoteDialIn I can also authorize them based on membership in a second group or select a group policy depending on which AD attributes match.


To View the various AD groups that can be used as a selection criteria go to:

Remote Access VPN>Clientless SSL>Dynamic Access Polocies

On the left select Add,  then LDAP for AAA Attribute type.  Now click on “Get AD Groups” and you can change filters, policies, etc all based on AD group membership.

Ideal for keeping vendors limited to work hours and a single network asset.

Share

, , , ,

No Comments

Fixing Static Addresses on Verizon FIOS

Verizon has a bug in their business offering for multiple static IP addresses.

When using a professional firewall that such as a Cisco ASA, I could only get 1 address to respond from offsite.

The first problem was solved by going to DSLReports.com, you have to call Verizon and convince them to instant message the group that runs the ONT’s (the termination that is onsite) to set the MAC filter to 5.

After that only 1 IP address worked per device. I could ping each other but Verizon served traffic could not see me. A quick TCP-Dump of the external segment showed the problem:

arp who-has 98.109.50.34 (00:1e:4a:87:32:59) tell 0.0.0.0
arp who-has 98.109.50.35 (00:1d:70:26:3c:53) tell 0.0.0.0

The address 0.0.0.0 is slightly illegal, the ASA ignores the ARP request and the Verizon gateway never binds the Mac to the translated IP addresses. This means that inbound static addresses didn’t work and only the physical interface address could be used for the outbound global pool.

I managed to get Verizon to admit the bug, the Alcatel equipment was partially to blame and I would imagine that the (non-professional) “firewall” that comes with the account had been modified to respond to an ARP request from 0.0.0.0 They projected it would be fixed Q1 of the next year… that was 15 months ago.

I found that the service (that I am paying for) could be made to work. I adapted a short Perl script to send ARP replies to the Verizon gateway router every 30 seconds or so, as if it was responding to an ARP request.

arp reply 98.109.50.36 is-at 00:1d:70:26:2c:53

Here I am telling the gateway that .36 is bound to the same address as .35. I was immediately able to ping the address .36 remotely, alls it took was a Linux system and the perl script below. I don’t believe that the ARP replies can be generated inside the ASA and be made to traverse the firewall; several types of lower traffic can using the ethertype command but ARP’s get absorbed. I haven’t tried proxy-arp to see if it relays the bogus advertisement as it breaks so many rules of paranoia that I doubt that the ASA would propagate it.

At the moment I have plugged in a dedicated Ethernet interface from my VMWare stack and am running a virtual Linux machine for the sole purpose of “poisoning” the ARP table. The FIOS service itself screams, though we wouldn’t ever consider using their DNS, but leave it to Verizon to pull up short on static IP address support.

Bil Herd

#!/usr/bin/perl
use Net::ARP;
use strict;
use warnings;
for (;;){
Net::ARP::send_packet(

‘eth0’, # Device
‘98.109.50.1’, # Verizon gateway, not really 0.0.0.0 of course

‘98.109.50.36’, # address that we want Verizon to respond

’00:1E:EC:9F:DB:67′, # Source MAC Mac of our address

’00:1d:70:26:cc:53, # Destinaton MAC address for ARP
‘reply’ # ARP operation
)
;
print “packet sent\n”;
sleep(30);
}

To install the Net::ARP module using CPAN:

perl -MCPAN -e ‘install Net::ARP’

Share

, , , , , , , , , ,

10 Comments

How to Install Cisco VPN Client on Windows 7

This appears to be typical of what is needed to get Windows 7 to live with Cisco VPN client:
http://weblogs.asp.net/bhouse/archive/2009/01/15/how-to-successfully-install-cisco-vpn-client-on-windows-7.aspx

Share

, , , ,

No Comments

QM FSM error

Getting “QM FSM error” while establishing a Cisco VPN?  Particularly site-to-site and even more particularly with IOS on one end and a Pix/ASA on the other?

Go to the Pix/ASA side and remove Perfect Forward Secrecy (PFS).  Rather than tell you it’s incompatible, it just barfs because it can’t read it (because it’s you know… encrypted).

Example:
no cryptomap outside 1 set pfs group2

If anyone finds a better error message than the ubiquitous “QM FSM error” let me know and I will post it.

Share

, , , , , , , ,

2 Comments

(Mostly) No split-tunnel on Cisco VPN Clients

Split tunnel is where the person connected to your corporate network via their VPN can also go willy-nilly to the Internet at the same time.  This is generally considered to be a bad thing, though I have heard a “security consultant” recommend to the customer with me in the room to go ahead and do this because it made it easier for him to connect.

Bad consultant. He should learn about ‘bots, back-doors and virus/worms in general.

However there is an issue with no-split tunnel in the Cisco world, or at least using the VPN client version 5 and the ASA, and at least for trying to be selective.  By that I mean, what if I want to get to one thing locally and tunnel the rest.

The problem appears to be as soon as you don’t “Tunnel Everything” as your selection, and instead use “Tunnel Network List Below” trying to tell it to tunnel “any”, 0.0.0.0/0 or even something like a 10.0.0.0/8 wont stop traffic from going to everything behind the local interface.It seems that the /24 of the local wins the most specific route contest against the  ” tunnel this specific /8″ command that gets pushed down.

To use “Tunnel Network List Below” to prevent local traffic, add an entry in the ACL that matches the /24 of the local LAN (assuming it’s a /24, you get the idea).  Now when you display the routing table while the VPNs connected (netstat -nr in windows or unix) you will see the local LAN but also a matching route form the VPN, and it now stands a chance of winning.

See my next post aboput why the access list seemes to be reversed when applying an ACL to a VPN as either a tunnel list or filter list.

Share

2 Comments

Blocking ICMP

This is old news, real old, but I still run across it from time to time.  Customers block ICMP in their firewall or other places.

Internet Control Messaging Protocol is more than just ping (I remember the early Mac’s didn’t implement ICMP or at least echo/ping in their IP stack).

ICMP among other things tells equipment up and down the line a few interesting things, not least is when they need to fragment a packet into smaller packets.  Symptoms range from telnet or web works and email or ftp don’t, some of the time.  In short to the casual observer (known as a user), it is one more thing that works randomly.

Nowadays it’s more important then ever with the proliferation of VPN’s,  to get your fragging done as thoroughly as possible, before the packet gets sucked into the VPN terminus.  Why?  You cant fragment an encrypted packet, in fact it’s not even TCP (IP Protocol type 9) anymore it is type 50/ESP or type 47/GRE, and because it’s encrypted you really cant bust it into smaller parts and calculate checksums, etc.

Exchange clients don’t work on all workstations across VPN’s?  There were various versions of MS patches hat appeared to break the MTU discovery mechanism that says use smaller packets.

Share

, , , , , , , , , ,

No Comments