Posts Tagged VPN

Getting Windows 8 to work with Cisco VPN Client

I got stuck with Windows 8 pre-installed; let's just say I won't be buying from NewEgg anymore, sadly.  Efforts to install Windows 7 even after negotiating UEFI failed, I believe that the BIOS has been specifically munged to thwart the 7 install. Asus simply says you can't go back.

So why I hate Windows 8 starts with the fact that I am a business/tech user, I don't need to draw pictures for my mother or swipey swipey with my finger.  I need VPNs to work and ASDM software to work.

Tip #1:  How to get Cisco VPN Client to work with Windows 8
Open Registry Editor by typing regedit at a command prompt (it has to run elevated, since the key lives under HKEY_LOCAL_MACHINE)
Browse to the Registry Key  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA
Select the DisplayName value to modify, and delete the leading characters in front of "Cisco"

For x64, change the value data from something like "@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows" to "Cisco Systems VPN Adapter for 64-bit Windows". The oemNN.inf number varies from machine to machine; whatever it is, only the text from "Cisco" onward should remain.
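The same edit as a script, added here as an example and not something from the original post or from Cisco: it reads the CVirtA DisplayName, exports the key as a backup, strips everything before "Cisco" and writes the result back, refusing to touch a value it does not recognise. The function name Repair-CVirtADisplayName and the backup file under $env:TEMP are my own choices.

```powershell
# Added example, not part of the original post. Repairs the CVirtA DisplayName
# the way the manual regedit steps above do, with a sanity check and a backup.
# Must run in an elevated PowerShell session: HKLM is not writable otherwise.
function Repair-CVirtADisplayName {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\CVirtA'
    if (-not (Test-Path $key)) {
        throw "Registry key $key not found; is the Cisco VPN Client installed?"
    }

    $current = (Get-ItemProperty -Path $key -Name DisplayName).DisplayName
    Write-Verbose "Current DisplayName: $current"

    # Keep the text from "Cisco" onward; the "@oemNN.inf,%CVirtA_Desc%;" prefix
    # (the oem number differs between machines) is what breaks the client.
    $idx = $current.IndexOf('Cisco')
    if ($idx -lt 0) {
        throw "DisplayName does not contain 'Cisco'; not touching it: '$current'"
    }
    $fixed = $current.Substring($idx)

    if ($fixed -eq $current) {
        Write-Output "Nothing to do: DisplayName is already '$current'"
        return
    }

    if ($PSCmdlet.ShouldProcess($key, "Set DisplayName to '$fixed'")) {
        # Backup location is an arbitrary choice for this example.
        $backup = Join-Path $env:TEMP 'CVirtA-backup.reg'
        & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CVirtA' $backup /y | Out-Null
        Set-ItemProperty -Path $key -Name DisplayName -Value $fixed
        Write-Output "Changed DisplayName from '$current' to '$fixed' (backup: $backup)"
    }
}

# Dry run first (shows what would change), then the real edit:
Repair-CVirtADisplayName -WhatIf
Repair-CVirtADisplayName -Verbose
```

Because the function supports -WhatIf, you can see the exact before/after strings without writing anything; if the value already starts with "Cisco" it reports that and leaves the key alone.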




Yet another Hairpin: Internet Access from VPN Hub

Firewalls typically don't hairpin well, or at all for that matter, unless specifically told to do so.  Hairpinning is when a packet ultimately leaves the firewall through the same interface it came in on.

On a LAN it is somewhat common for packets to "bounce" off of one router interface to get to the right one, a prime candidate for the ICMP Redirect process.  Forget having your Cisco ASA or PIX participate in that little exchange of ICMP messages, though: Cisco has long held that routing protocols are exploitable and have no place on a firewall (yes, they now speak EIGRP and OSPF, go figure).

The other example of hairpinning that comes to mind deals with VPNs and Internet access. The scenario is that a spoke or remote site VPNs to the hub or central site and wants to travel on to the Internet from there.  While it's tempting to think of VPN traffic as originating from deep inside the firewall, the reality is that it is treated as arriving on the outside interface, because that is where the tunnel terminates.

In short you have to set up NAT for packets that arrive on the outside interface to turn around and exit through the outside interface. Yes, this is counter-intuitive: you have to apply the same NAT-exempt and NAT statements to the outside interface as if friendlies were behind it and not the wild woolly Internet.  The NAT exemption covers VPN-to-LAN traffic, which must not be translated, and the dynamic NAT/PAT covers VPN-to-Internet traffic, which leaves with the outside interface address just as LAN traffic does.

Assuming you assign VPN client addresses from a local pool on the firewall, the CLI (pre-8.3 NAT syntax; 8.3 and later rewrote NAT entirely) then looks like this, with the angle-bracket items being your own networks and masks:

! PAT to the outside interface address for anything that exits the outside interface
global (outside) 1 interface

! Inside hosts: LAN-to-VPN traffic is exempt from NAT, everything else is PATed
access-list inside_nat0 extended permit ip any <vpn pool> <mask>
nat (inside) 0 access-list inside_nat0
nat (inside) 1 <inside network> <mask>

! VPN clients (arriving on outside): VPN-to-LAN traffic is exempt from NAT,
! VPN-to-Internet traffic turns around and is PATed out the outside interface.
! Keep this exemption narrow: a destination of "any" would also exempt
! Internet-bound traffic, which would then leave with untranslated pool addresses.
access-list outside_nat0 extended permit ip <vpn pool> <mask> <inside network> <mask>
nat (outside) 0 access-list outside_nat0
nat (outside) 1 <vpn pool> <mask>

Also you will need one very important command:

same-security-traffic permit intra-interface

This basically turns on the ability to hairpin; without it the firewall silently drops any packet that would leave through the interface it arrived on.  To check the result before the users do, run packet-tracer with an address from the VPN pool as the source entering the outside interface and an Internet address as the destination: the trace should show a NAT phase translating to the outside interface address and end with the packet allowed.




Cisco VPN X64 support…. or not.

Okay, if you read this it says that x64 support for Windows 7 and Vista is finally here.  It’s just that it also says that 64 bit isn’t supported.



How to Install Cisco VPN Client on Windows 7

This appears to be typical of what is needed to get Windows 7 to live with Cisco VPN client:



QM FSM error

Getting “QM FSM error” while establishing a Cisco VPN?  Particularly site-to-site and even more particularly with IOS on one end and a Pix/ASA on the other?

Go to the PIX/ASA side and remove Perfect Forward Secrecy (PFS) from the crypto map entry for that peer.  Rather than tell you the proposals are incompatible, it just barfs because it can't read it (because it's, you know… encrypted).  With a crypto map named outside and sequence number 1, the command is:

no crypto map outside 1 set pfs group2

Removing PFS is the quick fix; the cleaner one is to make both ends agree, either by turning PFS off on the IOS side as well or by setting the same group (set pfs group2) under the IOS crypto map entry, since PFS is what keeps a compromised IKE key from exposing the data keys of every Phase 2 SA.  Note that "QM FSM error" is a generic Phase 2 (quick mode) failure, so a PFS mismatch is one cause among several; mismatched transform sets or crypto ACLs (proxy identities) produce the same message.

If anyone finds a better error message than the ubiquitous “QM FSM error” let me know and I will post it.




Migrating from Cisco Pix to Cisco ASA

One of the most notable differences between Cisco ASA devices and Cisco PIX devices to be aware of is that the ASA devices don't support the PPTP protocol (think of it as sanity catching up to your organization), and that the ASA 5505 doesn't support EZVPN server mode. While these may sound trivial, suddenly changing the way employees connect can feel like a cultural issue.

Another difference, and one I wouldn't have guessed until I saw it on a customer system, was that capitalization alone is not enough to distinguish names on the ASA: you cannot assign Test1 to an IP address and TEST1 to a different address, they are the same reference.  Again, think of it as sanity enforcement; your organization should not be using the Caps Lock key as an address discriminator.  The PDM "name" function is not supported at all, and there are a handful of other warnings when importing.

There is a utility from Cisco available to assist in importing; alas, I have never used it because I like to know exactly what is changing. Yes, this can be a big job when working with 20,000 lines of configuration, but the last job I did of that size was 100% successful, not just 99%, due to understanding the details of each conversion issue. My process is to reflect the changes back into the source and then re-import until there is a completely clean import.

VPN organization is also very different: there are tunnel groups, ISAKMP definitions and group policies, and mapping the old configuration onto them requires an understanding of the intent and the security policies behind your VPN rules.

For those needing help with converting from PIX to ASA, you may want to get an expert involved, especially to understand the impact on security policy; after all, the firewall device is meant to be the implementation of a security policy, it should not be the security policy itself.

For help in migrating or configuring Cisco ASA security appliances or VPN connectivity and architecture email security @

I also recommend a follow-up security scan if ever there is any doubt; one should be done periodically anyway, so post-conversion is an ideal time.

Bil Herd



Blocking ICMP

This is old news, real old, but I still run across it from time to time.  Customers block ICMP wholesale in their firewall or elsewhere.

Internet Control Message Protocol is more than just ping (I remember the early Macs didn't implement ICMP, or at least echo/ping, in their IP stack).

ICMP, among other things, tells equipment up and down the line a few interesting things, not least when a packet is too big for the next hop and the sender needs to send smaller ones: ICMP type 3 code 4, "Fragmentation Needed and DF set", is the feedback that path MTU discovery (PMTUD) relies on.  Block it and the sender never learns the smaller size.  Symptoms range from telnet or web works but email or ftp don't, some of the time, since small packets get through and full-size ones silently vanish.  In short, to the casual observer (known as a user), it is one more thing that works randomly.

Nowadays it's more important than ever with the proliferation of VPNs to get your fragmentation (or better, TCP MSS adjustment) done as thoroughly as possible before the packet gets sucked into the VPN terminus.  Why?  The tunnel adds its own headers (a new IP header plus ESP or GRE), so a full-size packet no longer fits once encapsulated, and once it is encrypted nothing in the path can usefully break it up: it's not even TCP (IP protocol 6) on the wire anymore, it is protocol 50/ESP or 47/GRE, and the encrypted payload can't be resegmented or have its inner checksums recalculated.  The encrypted packet can technically be IP-fragmented, but the fragments must be reassembled by the far gateway before decryption and are frequently dropped by firewalls along the way, so in practice it comes to the same thing as not being able to fragment at all.
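As an added check, not part of the original post: a PowerShell function that walks the path MTU to a host using DF-bit pings (ping -f -l) and tells apart a working PMTUD signal (Windows prints "Packet needs to be fragmented but DF set." when an ICMP type 3 code 4 comes back) from the black hole described above, where the oversized probe simply times out. The target host name and the function name Find-PathMtu are placeholders of mine; the host has to answer echo requests at all for the measurement to mean anything, which the function checks first.

```powershell
# Added example, not from the original post. Probes the path MTU to a host with
# DF-bit pings and reports whether ICMP "Fragmentation Needed" is getting back
# to us (PMTUD working) or oversized packets simply vanish (ICMP filtered).
function Find-PathMtu {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [int] $MinMtu = 576,    # assumed to always pass (IPv4 minimum reassembly size)
        [int] $MaxMtu = 1500    # Ethernet; raise only if you run jumbo frames
    )

    # ping -l sets the ICMP payload; on-the-wire size = payload + 20 (IP) + 8 (ICMP)
    $hdr = 28
    function Probe([int] $payload) {
        $out = (& ping.exe -n 1 -w 1500 -f -l $payload $Target 2>&1) -join "`n"
        if ($out -match 'Reply from .*bytes=')    { return 'ok' }
        if ($out -match 'needs to be fragmented') { return 'fragneeded' }  # ICMP 3/4 received
        return 'timeout'                                                   # nothing useful came back
    }

    # Baseline: if a small packet already fails, the host is not answering echo.
    if ((Probe ($MinMtu - $hdr)) -ne 'ok') {
        throw "$Target does not answer a $MinMtu-byte ping; cannot measure path MTU"
    }

    # Binary search for the largest payload that gets a reply.
    $lo = $MinMtu - $hdr; $hi = $MaxMtu - $hdr
    $fragNeeded = 0; $timeouts = 0
    while ($lo -lt $hi) {
        $mid = [int][math]::Floor(($lo + $hi + 1) / 2)
        switch (Probe $mid) {
            'ok'         { $lo = $mid }
            'fragneeded' { $fragNeeded++; $hi = $mid - 1 }
            'timeout'    { $timeouts++;   $hi = $mid - 1 }
        }
    }

    $verdict = if ($fragNeeded -eq 0 -and $timeouts -eq 0) {
        "Every size up to $MaxMtu passed; raise -MaxMtu to find the limit"
    } elseif ($timeouts -gt 0 -and $fragNeeded -eq 0) {
        'PMTUD black hole: oversized packets are dropped silently (ICMP type 3 code 4 filtered)'
    } elseif ($timeouts -gt 0) {
        'Mixed: some sizes timed out, some returned Fragmentation Needed'
    } else {
        'PMTUD working: the path returns Fragmentation Needed for oversized packets'
    }

    [pscustomobject]@{
        Target            = $Target
        PathMtu           = $lo + $hdr
        FragNeededReplies = $fragNeeded
        Timeouts          = $timeouts
        Verdict           = $verdict
    }
}

# Placeholder host; use a machine on the far side of the VPN that answers ping.
Find-PathMtu -Target 'vpn-peer.example.com' | Format-List
```

Run it once against a host across the tunnel and once against the tunnel peer's public address: a PathMtu across the tunnel noticeably below 1500 is expected (that is the ESP or GRE overhead), while a "black hole" verdict means the ICMP filtering this post complains about is in the path and the fragmentation or MSS clamping needs to happen before encryption.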

Exchange clients don't work on all workstations across VPNs?  There were various versions of MS patches that appeared to break the MTU discovery mechanism that says use smaller packets.

