Archive for category Cisco

Getting Windows 8 to work with Cisco VPN Client

I got stuck with Windows 8 pre-installed, lets just say I wont be buying from NewEgg anymore sadly.  Efforts to install Windows 7 even after negotiating UEFI failed, I believe that the BIOS has been specifically munged to thwart the 7 install. Asus simply says you cant go back.

So why I hate Windows 8 starts with the fact that I am a business/tech user, I don’t need to draw pictures for my mother or swipey swipey with my finger.  I need VPN’s to work and ASDM software to work.

Tip #1:  How to get Cisco VPN Client to work with Windows 8
Open Registry editor by typing regedit in CMD prompt
Browse to the Registry Key  HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CVirtA
Select the DisplayName to modify, and delete the leading characters in front of “Cisco”

For x64, change the value data from something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows” to “Cisco Systems VPN Adapter for 64-bit Windows”

Share

, , , , ,

7 Comments

Cisco ASA 8.4 – No more Global Address Pools

There are a couple of ways to do NAT/PAT assignments as you might expect out of 8.4.  Assuming that you don’t really have a single Net Object that represents the entire inside network I recommend not using the Net-Object method and to define a rule “outside” of the Net-Object framework.

So first define a network object for NAT range of external IPs and then a PA  external IP address.  In cli it looks like this, these are external IPs just to be clear:

object network nat-range1
range 209.103.0.150 209.103.0.154

object network pat-ip1
host 209.103.0.155

You can do the same easily from the ASDM but I wanted to make sure the size of the block as a range instead of a subnet was visible.

asa-84-dnat-2

Now from the NAT page create a new Dynamic  Rule,

asa-84-dnat-31

The NAT Pool should look like this when done, I use inside to Outside2 here.

asa-84-dnat-4


Note the nat-range object which used to be a “pool”.

Now add a PAT.  It cant overlap with the NAT pool, etc etc.  Don’t choose Round Robin as it’s memory intensive. I believe I read that 8.4 has an issue where it can run out of certain types of PAT ports (they try and group all ports below 1024 together, etc) that from what I gather is fixed in 8.51 <sigh>

Add Nat Rule after "Network Object" NAT Rules

Add Nat Rule after "Network Object" NAT Rules

Should look like this when done, I moved it to the top for clarity.

asa-84-dnat-6

I recommend making this change separate from other work so it can be tested separately, TEST for a couple of hours make sure it is NATting and patting correctly under load is my advice.

Share

1 Comment

Getting Cisco Netflow to work on Solarwinds

I don’t have the details as to which version of IOS does what, we just call it the “new netflow” where you separately specify the exporter, the monitor, etc.  It’s usefulness comes from it’s ability to be specific and puts to bed once and for all the whole “is it version 5 or 9 Netflow?” question since you have control over it.

Here is a basic setup that uses UDP 2055 for Solarwinds instead of the standard 9991.

flow record NF-Record1
     match ipv4 protocol
     match ipv4 source address
     match ipv4 destination address
     match transport source-port
     match transport destination-port
     match interface input
     collect transport tcp flags
     collect routing forwarding-status
     collect interface output
     collect counter packets long
     collect counter bytes long
     collect timestamp sys-uptime first
     collect timestamp sys-uptime last
!
flow exporter NF-Export1
     destination aaa.bbb.ccc.ddd   <-- IP Address of collector/Solarwinds system
     source Loopback0
     transport udp 2055
     template data timeout 60
!
flow monitor NF-Monitor1
     record NF-Record1
     exporter NF-Export1
     cache timeout inactive 30
     cache timeout active 60
     cache entries 1000

interface Gig x/xxx   <-- the interface to be monitored
  ip flow monitor NF-Monitor1 input

I added additional collection stats out of habit in the flow record, it’s worth investigating what other flags/packets your interested in.

To view the exporter settings do a

show flow exporter
4500-Switch#sho flow exporter 
Flow Exporter NF-Export1:
  Description:              User defined
  Export protocol:          NetFlow Version 9
  Transport Configuration:
    Destination IP address: aaa.bbb.ccc.ddd
    Source IP address:      eee.fff.ggg.hhh
    Source Interface:       Loopback0
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            56118
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Not Used

To switch between Netflow Version 5 and 9, issue the export-protocol netflow-v5 or netflow-v9 from within the exporter config as see below as command completion:

4500-Switch(config)#flow exporter NF-Export1
4500-Switch(config-flow-exporter)#export-protocol ?
  netflow-v5  NetFlow Version 5
  netflow-v9  NetFlow Version 9

Share

No Comments

Yet another Hairpin: Internet Access from VPN Hub

Firewalls typically don’t hairpin well or at all for that matter,  unless specifically told to do so.  Hair-pinning is when a packet ultimately leaves the same interface it came into.

On a LAN it is somewhat common for packets to “bounce” off of one router interface to get to the right one, a prime candidate for the ICMP Redirect process.  Forget having your Cisco ASA or Pix participate in that little exchange of ICMP messages needed though, Cisco has long held that routing protocols are exploitable and have no place on a firewall (Yes they now speak EIGRP and OSPF, go figure).

The other example of hair-pinning that comes to mind deals with VPNs and Internet Access. The scenario is that a spoke or remote site VPNs to the hub or central site and wants to travel on to the Internet from there.  While it’s tempting to think of a VPN as originating from deep in the firewall the reality is that it is treated as coming from the outside interface.

In short you have to set up NAT for packets that arrive on the outside interface to turnaround and exit through the outside interface. Yes this is counter-intuitive, you have to apply the same NAT-Exempt and NAT statements on the interface as if friendlies were behind you and not the wild woolly Internet.

Assuming you assign VPN addresses from a  pool on 172.16.0.0/24; the CLI then looks like this:

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 0 access-list outside_nat0
nat (outside) 1 10.17.0.0 255.255.255.0

access-list outside_nat0 extended permit ip any 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any <your network>

Also you will need a very important sysopt:

same-security-traffic permit intra-interface

This basically turns on the ability to hair-pin.

Share

, , , , , , , , , ,

2 Comments

Upgrading your Pix to an ASA

One of the things we do is specialize in upgrading Pix configurations to ASA implementations.  We don’t run the Cisco tool as we would rather work with the network administrator to understand their policies and make sure that not only was the intent met but not fill their brand new ASA with a lot of meta-lables.

One thing that recently slipped through was the “non-printable defaults” for Pix and ASA don’t show some of the intricacies of PAP vs MS-CHAP authentication.  Be prepared to regenerate the Authentication Group from scratch if using CHAP.

I get asked a lot how to view the tunnel keys or tunnel group passwords.  To view them you can do one fo two things:

1) TFTP the config file to a server and look at it there

or

2) On ASA’s issue the command (without the quote’s y’all)
“more system:running-config”

Share

, , , , ,

No Comments

Cisco VPN X64 support…. or not.

Okay, if you read this http://www.cisco.com/web/software/282364316/31835/5.0.07.0240-beta-rel-notes.txt it says that x64 support for Windows 7 and Vista is finally here.  It’s just that it also says that 64 bit isn’t supported.

Share

, , ,

No Comments

Cisco ASA and Windows Server 2008: Welcome Back LDAP

You may or may not have problems doing Windows style authentication to your Server 2008 for your AAA access on your ASA firewall.

I have seen it work and not work, I suspect that the forest/domains were probably at different levels, I have heard that Server 2008 doesn’t support NTLM version 1.

If your doesn’t or you want to use LDAP, read on.  One reason you may want to use LDAP is you can stack attributes using Dynamic Policies,

The first problem I will encounter at a customer site is getting the ASA to talk to the domain controller as part of the LDAP AAA group setup. Usually it’s an OU issue, to find the exact string run the dsquery command on the Domain Controller (DC):

dsquery user -samid ciscoldap
"CN=ciscoldap,OU=Service Accounts,OU=HQ,DC=somedomain,DC=com"

In the case above there was an additional OU of HQ.  Now when clicking on the Test button on AAA group setup it successfully communicates.


Be aware that a failure of credentials for LDAP will give the same error as if there is a connectivity issue or the Windows firewall is blocking the port.


Now the cool thing IMHO is you can browse the various Windows attributes from with in the ASA.  I use this to “stack” attributes, instead of just controlling whether someone can log in if the RemoteDialIn I can also authorize them based on membership in a second group or select a group policy depending on which AD attributes match.


To View the various AD groups that can be used as a selection criteria go to:

Remote Access VPN>Clientless SSL>Dynamic Access Polocies

On the left select Add,  then LDAP for AAA Attribute type.  Now click on “Get AD Groups” and you can change filters, policies, etc all based on AD group membership.

Ideal for keeping vendors limited to work hours and a single network asset.

Share

, , , ,

No Comments

Cisco Icons and Visio

Where are the Color Logical Network Icons from Cisco?

I get asked from time to time where the color logical network icons are to be found for Visio, specifically the Cisco’ish ones that are prevalent in the Cisco Press books.

It’s all too easy to find the icons depicting the physical systems, (only useful for drawing a cabinet layout IMHO)

http://www.cisco.com/en/US/products/prod_visio_icon_list.html

You would think from this page that this is all of the Icons from Cisco, but it ain’t. Here is the

For the logical collections for all of the formats such as Power Point and EPS check out http://www.cisco.com/web/about/ac50/ac47/2.html

Now this still doesn’t look like the color ones are present as there is a note that the URL for color Icons to be added. Color Icons are actually under the PMS3015 link. Originally the only Icons in here years ago were VPN Concentrator Icons for the 3000 series, I kid you not. So for about a year and a half I did not look in here for new color icons because I thought the name meant that this was 3000 family only. Evidently it means Pantone PMS color spec.

Direct link to Color Logical Icons

Logical network Icons, Color, Cisco, Visio, – http://www.cisco.com/web/about/ac50/ac47/3015VSS.zip

Share

, , , , , ,

No Comments

Fixing Static Addresses on Verizon FIOS

Verizon has a bug in their business offering for multiple static IP addresses.

When using a professional firewall that such as a Cisco ASA, I could only get 1 address to respond from offsite.

The first problem was solved by going to DSLReports.com, you have to call Verizon and convince them to instant message the group that runs the ONT’s (the termination that is onsite) to set the MAC filter to 5.

After that only 1 IP address worked per device. I could ping each other but Verizon served traffic could not see me. A quick TCP-Dump of the external segment showed the problem:

arp who-has 98.109.50.34 (00:1e:4a:87:32:59) tell 0.0.0.0
arp who-has 98.109.50.35 (00:1d:70:26:3c:53) tell 0.0.0.0

The address 0.0.0.0 is slightly illegal, the ASA ignores the ARP request and the Verizon gateway never binds the Mac to the translated IP addresses. This means that inbound static addresses didn’t work and only the physical interface address could be used for the outbound global pool.

I managed to get Verizon to admit the bug, the Alcatel equipment was partially to blame and I would imagine that the (non-professional) “firewall” that comes with the account had been modified to respond to an ARP request from 0.0.0.0 They projected it would be fixed Q1 of the next year… that was 15 months ago.

I found that the service (that I am paying for) could be made to work. I adapted a short Perl script to send ARP replies to the Verizon gateway router every 30 seconds or so, as if it was responding to an ARP request.

arp reply 98.109.50.36 is-at 00:1d:70:26:2c:53

Here I am telling the gateway that .36 is bound to the same address as .35. I was immediately able to ping the address .36 remotely, alls it took was a Linux system and the perl script below. I don’t believe that the ARP replies can be generated inside the ASA and be made to traverse the firewall; several types of lower traffic can using the ethertype command but ARP’s get absorbed. I haven’t tried proxy-arp to see if it relays the bogus advertisement as it breaks so many rules of paranoia that I doubt that the ASA would propagate it.

At the moment I have plugged in a dedicated Ethernet interface from my VMWare stack and am running a virtual Linux machine for the sole purpose of “poisoning” the ARP table. The FIOS service itself screams, though we wouldn’t ever consider using their DNS, but leave it to Verizon to pull up short on static IP address support.

Bil Herd

#!/usr/bin/perl
use Net::ARP;
use strict;
use warnings;
for (;;){
Net::ARP::send_packet(

‘eth0’, # Device
‘98.109.50.1’, # Verizon gateway, not really 0.0.0.0 of course

‘98.109.50.36’, # address that we want Verizon to respond

’00:1E:EC:9F:DB:67′, # Source MAC Mac of our address

’00:1d:70:26:cc:53, # Destinaton MAC address for ARP
‘reply’ # ARP operation
)
;
print “packet sent\n”;
sleep(30);
}

To install the Net::ARP module using CPAN:

perl -MCPAN -e ‘install Net::ARP’

Share

, , , , , , , , , ,

10 Comments

How to Install Cisco VPN Client on Windows 7

This appears to be typical of what is needed to get Windows 7 to live with Cisco VPN client:
http://weblogs.asp.net/bhouse/archive/2009/01/15/how-to-successfully-install-cisco-vpn-client-on-windows-7.aspx

Share

, , , ,

No Comments