Archive for category Adaptive Security Appliance (ASA)

Getting Windows 8 to work with Cisco VPN Client

I got stuck with Windows 8 pre-installed, lets just say I wont be buying from NewEgg anymore sadly.  Efforts to install Windows 7 even after negotiating UEFI failed, I believe that the BIOS has been specifically munged to thwart the 7 install. Asus simply says you cant go back.

So why I hate Windows 8 starts with the fact that I am a business/tech user, I don’t need to draw pictures for my mother or swipey swipey with my finger.  I need VPN’s to work and ASDM software to work.

Tip #1:  How to get Cisco VPN Client to work with Windows 8
Open Registry editor by typing regedit in CMD prompt
Browse to the Registry Key  HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CVirtA
Select the DisplayName to modify, and delete the leading characters in front of “Cisco”

For x64, change the value data from something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows” to “Cisco Systems VPN Adapter for 64-bit Windows”

Share

, , , , ,

7 Comments

Cisco ASA 8.4 – No more Global Address Pools

There are a couple of ways to do NAT/PAT assignments as you might expect out of 8.4.  Assuming that you don’t really have a single Net Object that represents the entire inside network I recommend not using the Net-Object method and to define a rule “outside” of the Net-Object framework.

So first define a network object for NAT range of external IPs and then a PA  external IP address.  In cli it looks like this, these are external IPs just to be clear:

object network nat-range1
range 209.103.0.150 209.103.0.154

object network pat-ip1
host 209.103.0.155

You can do the same easily from the ASDM but I wanted to make sure the size of the block as a range instead of a subnet was visible.

asa-84-dnat-2

Now from the NAT page create a new Dynamic  Rule,

asa-84-dnat-31

The NAT Pool should look like this when done, I use inside to Outside2 here.

asa-84-dnat-4


Note the nat-range object which used to be a “pool”.

Now add a PAT.  It cant overlap with the NAT pool, etc etc.  Don’t choose Round Robin as it’s memory intensive. I believe I read that 8.4 has an issue where it can run out of certain types of PAT ports (they try and group all ports below 1024 together, etc) that from what I gather is fixed in 8.51 <sigh>

Add Nat Rule after "Network Object" NAT Rules

Add Nat Rule after "Network Object" NAT Rules

Should look like this when done, I moved it to the top for clarity.

asa-84-dnat-6

I recommend making this change separate from other work so it can be tested separately, TEST for a couple of hours make sure it is NATting and patting correctly under load is my advice.

Share

1 Comment

Yet another Hairpin: Internet Access from VPN Hub

Firewalls typically don’t hairpin well or at all for that matter,  unless specifically told to do so.  Hair-pinning is when a packet ultimately leaves the same interface it came into.

On a LAN it is somewhat common for packets to “bounce” off of one router interface to get to the right one, a prime candidate for the ICMP Redirect process.  Forget having your Cisco ASA or Pix participate in that little exchange of ICMP messages needed though, Cisco has long held that routing protocols are exploitable and have no place on a firewall (Yes they now speak EIGRP and OSPF, go figure).

The other example of hair-pinning that comes to mind deals with VPNs and Internet Access. The scenario is that a spoke or remote site VPNs to the hub or central site and wants to travel on to the Internet from there.  While it’s tempting to think of a VPN as originating from deep in the firewall the reality is that it is treated as coming from the outside interface.

In short you have to set up NAT for packets that arrive on the outside interface to turnaround and exit through the outside interface. Yes this is counter-intuitive, you have to apply the same NAT-Exempt and NAT statements on the interface as if friendlies were behind you and not the wild woolly Internet.

Assuming you assign VPN addresses from a  pool on 172.16.0.0/24; the CLI then looks like this:

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 0 access-list outside_nat0
nat (outside) 1 10.17.0.0 255.255.255.0

access-list outside_nat0 extended permit ip any 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any <your network>

Also you will need a very important sysopt:

same-security-traffic permit intra-interface

This basically turns on the ability to hair-pin.

Share

, , , , , , , , , ,

2 Comments

Upgrading your Pix to an ASA

One of the things we do is specialize in upgrading Pix configurations to ASA implementations.  We don’t run the Cisco tool as we would rather work with the network administrator to understand their policies and make sure that not only was the intent met but not fill their brand new ASA with a lot of meta-lables.

One thing that recently slipped through was the “non-printable defaults” for Pix and ASA don’t show some of the intricacies of PAP vs MS-CHAP authentication.  Be prepared to regenerate the Authentication Group from scratch if using CHAP.

I get asked a lot how to view the tunnel keys or tunnel group passwords.  To view them you can do one fo two things:

1) TFTP the config file to a server and look at it there

or

2) On ASA’s issue the command (without the quote’s y’all)
“more system:running-config”

Share

, , , , ,

No Comments

Cisco VPN X64 support…. or not.

Okay, if you read this http://www.cisco.com/web/software/282364316/31835/5.0.07.0240-beta-rel-notes.txt it says that x64 support for Windows 7 and Vista is finally here.  It’s just that it also says that 64 bit isn’t supported.

Share

, , ,

No Comments

Cisco ASA and Windows Server 2008: Welcome Back LDAP

You may or may not have problems doing Windows style authentication to your Server 2008 for your AAA access on your ASA firewall.

I have seen it work and not work, I suspect that the forest/domains were probably at different levels, I have heard that Server 2008 doesn’t support NTLM version 1.

If your doesn’t or you want to use LDAP, read on.  One reason you may want to use LDAP is you can stack attributes using Dynamic Policies,

The first problem I will encounter at a customer site is getting the ASA to talk to the domain controller as part of the LDAP AAA group setup. Usually it’s an OU issue, to find the exact string run the dsquery command on the Domain Controller (DC):

dsquery user -samid ciscoldap
"CN=ciscoldap,OU=Service Accounts,OU=HQ,DC=somedomain,DC=com"

In the case above there was an additional OU of HQ.  Now when clicking on the Test button on AAA group setup it successfully communicates.


Be aware that a failure of credentials for LDAP will give the same error as if there is a connectivity issue or the Windows firewall is blocking the port.


Now the cool thing IMHO is you can browse the various Windows attributes from with in the ASA.  I use this to “stack” attributes, instead of just controlling whether someone can log in if the RemoteDialIn I can also authorize them based on membership in a second group or select a group policy depending on which AD attributes match.


To View the various AD groups that can be used as a selection criteria go to:

Remote Access VPN>Clientless SSL>Dynamic Access Polocies

On the left select Add,  then LDAP for AAA Attribute type.  Now click on “Get AD Groups” and you can change filters, policies, etc all based on AD group membership.

Ideal for keeping vendors limited to work hours and a single network asset.

Share

, , , ,

No Comments

Fixing Static Addresses on Verizon FIOS

Verizon has a bug in their business offering for multiple static IP addresses.

When using a professional firewall that such as a Cisco ASA, I could only get 1 address to respond from offsite.

The first problem was solved by going to DSLReports.com, you have to call Verizon and convince them to instant message the group that runs the ONT’s (the termination that is onsite) to set the MAC filter to 5.

After that only 1 IP address worked per device. I could ping each other but Verizon served traffic could not see me. A quick TCP-Dump of the external segment showed the problem:

arp who-has 98.109.50.34 (00:1e:4a:87:32:59) tell 0.0.0.0
arp who-has 98.109.50.35 (00:1d:70:26:3c:53) tell 0.0.0.0

The address 0.0.0.0 is slightly illegal, the ASA ignores the ARP request and the Verizon gateway never binds the Mac to the translated IP addresses. This means that inbound static addresses didn’t work and only the physical interface address could be used for the outbound global pool.

I managed to get Verizon to admit the bug, the Alcatel equipment was partially to blame and I would imagine that the (non-professional) “firewall” that comes with the account had been modified to respond to an ARP request from 0.0.0.0 They projected it would be fixed Q1 of the next year… that was 15 months ago.

I found that the service (that I am paying for) could be made to work. I adapted a short Perl script to send ARP replies to the Verizon gateway router every 30 seconds or so, as if it was responding to an ARP request.

arp reply 98.109.50.36 is-at 00:1d:70:26:2c:53

Here I am telling the gateway that .36 is bound to the same address as .35. I was immediately able to ping the address .36 remotely, alls it took was a Linux system and the perl script below. I don’t believe that the ARP replies can be generated inside the ASA and be made to traverse the firewall; several types of lower traffic can using the ethertype command but ARP’s get absorbed. I haven’t tried proxy-arp to see if it relays the bogus advertisement as it breaks so many rules of paranoia that I doubt that the ASA would propagate it.

At the moment I have plugged in a dedicated Ethernet interface from my VMWare stack and am running a virtual Linux machine for the sole purpose of “poisoning” the ARP table. The FIOS service itself screams, though we wouldn’t ever consider using their DNS, but leave it to Verizon to pull up short on static IP address support.

Bil Herd

#!/usr/bin/perl
use Net::ARP;
use strict;
use warnings;
for (;;){
Net::ARP::send_packet(

‘eth0’, # Device
‘98.109.50.1’, # Verizon gateway, not really 0.0.0.0 of course

‘98.109.50.36’, # address that we want Verizon to respond

’00:1E:EC:9F:DB:67′, # Source MAC Mac of our address

’00:1d:70:26:cc:53, # Destinaton MAC address for ARP
‘reply’ # ARP operation
)
;
print “packet sent\n”;
sleep(30);
}

To install the Net::ARP module using CPAN:

perl -MCPAN -e ‘install Net::ARP’

Share

, , , , , , , , , ,

10 Comments

How to Install Cisco VPN Client on Windows 7

This appears to be typical of what is needed to get Windows 7 to live with Cisco VPN client:
http://weblogs.asp.net/bhouse/archive/2009/01/15/how-to-successfully-install-cisco-vpn-client-on-windows-7.aspx

Share

, , , ,

No Comments

QM FSM error

Getting “QM FSM error” while establishing a Cisco VPN?  Particularly site-to-site and even more particularly with IOS on one end and a Pix/ASA on the other?

Go to the Pix/ASA side and remove Perfect Forward Secrecy (PFS).  Rather than tell you it’s incompatible, it just barfs because it can’t read it (because it’s you know… encrypted).

Example:
no cryptomap outside 1 set pfs group2

If anyone finds a better error message than the ubiquitous “QM FSM error” let me know and I will post it.

Share

, , , , , , , ,

2 Comments

Migrating from Cisco Pix to Cisco ASA

One of the most notable differences between Cisco ASA devices  and Cisco Pix devices  to be aware of is that the  ASA devices don’t  support the PPTP  protocol, (think of it as sanity catching up to your organization) and that the ASA5505 doesn’t support EZVpn server mode. While these may sound trivial, suddenly changing the way employees connect can feel like a cultural issue.

Another difference and one I wouldn’t  have guessed until I saw it on a customer system was that capitalization alone is not enough to distinguish names on the ASA, you cannot assign Test1 to an IP address and TEST1 to a different address, they are the same reference.  Again think of it as sanity enforcement, your organization should not be using the caplock key as an address discriminator.  The PDM “name” function is not supported at all as well as a handful of other warnings when importing.

There is a utility from Cisco available to assist in importing, alas I have never used it because I like to know exactly what is changing. Yes this can be a big  job when working with 20,000 lines of configuration but the last job I did of that size was 100% successful, not just 99%,  due to understanding the details of each conversion issue. My process is to reflect the changes back into the source and then re-import until there is a completely  clean import.

VPN organization is also very different, there are tunnel groups, isakmp definitions and group policies, these require an understanding of the intent and the security policies behind your VPN rules.

For those needing help with converting from Pix to ASA you may want to get an expert involved, especially to understand the impact on security policy as after all the firewall device is meant to be the implementation of a security policy, it should not be the security policy itself.

For help in migrating or configuring Cisco ASA security appliances or VPN connectivity and architecture email security @ idsbusiness.com

I also recommend a followup security scan if ever there is any doubt, one should be done periodically anyways so post conversion is an ideal time.

Bil Herd

Share

, , , , , , , , , , , ,

No Comments