1.1 Configuring a Basic IKEv1 IPsec Site-to-Site VPN
Step 1. Configure basic peer authentication. Enable IKEv1 on the interface and configure PSKs and IKEv1 policies.
Step 2. Configure transmission protection. Configure IPsec transform sets, peer addresses, and local and remote identity (interesting traffic).
Step 3. Verify communication through the encrypted tunnel.
Enable IKEv1 on the Outside Interface
Код
ciscoasa(config)# crypto ikev1 enable outside
Enable ISAKMP Session Control Options
Код
ciscoasa(config)# crypto isakmp identity address
ciscoasa(config)# crypto ikev1 am-disable // disable aggressive mode
!!Enable open sessions to be closed voluntarily upon a reload!!
ciscoasa(config)# crypto isakmp reload-wait
!!Enable remote peers to gracefully close connections with the use of a disconnect notification!!
ciscoasa(config)# crypto isakmp disconnect-notify
1.3 Configure Advanced Authentication for IKEv1 IPsec Site-to-Site VPN
Adding an Identity Certificate to Your Tunnel Group Configuration for Authentication Purposes
1.4 Troubleshooting Tunnel Not Establishing: Phase 1
Is IKEv1 or IKEv2 enabled on the correct interface?
Are the appropriate IKEv1 or IKEv2 policies available?
Check for any ACLs applied to the incoming interface of your device, and make sure the necessary ports/protocols have been allowed through (for example, AH IP protocol 50, ESP IP protocol 51, IKEv1 UDP 500, and NAT-T UDP 4500).
Do you have the correct authentication parameters?
Make sure the traffic you want to send through the tunnel is routed over the interface where the crypto map is applied, so that the crypto process gets triggered.
Make sure the connection profile (tunnel-group) name can be matched by the method the ASA uses to look it up.
Tunnel Not Establishing: Phase 2
Are your IPsec policies configured to match those of the remote peer?
Make sure the crypto ACL (one which defines interesting traffic) is configured in mirror on the two VPN endpoints.
Traffic Not Passing Through Your Tunnel
Interesting traffic/ACLs.
Local NAT: Make sure that any traffic that has been marked as interesting is configured to bypass any NAT rules for packets traveling out of the destination interface toward the remote network. If you want traffic that travels over the tunnel to be NAT'ed, make sure you configured the crypto ACL to match on the NAT'ed subnets, because from the order-of-operation point of view, NAT takes place before the crypto process.
NAT-T: Is there a NAT device in the path of your tunnel? NAT-T works during the connection phase to report whether there is or is not a NAT device in the path between the tunnel endpoints. If NAT-T has been disabled, your networks at each end will not be able to communicate with each other, because ESP is not NAT aware and will be dropped along the path.
Routing.
RRI: Do you have any internal routes advertised in the interior gateway protocol (IGP) of your network? If any devices in your network do not have a specific route for the remote network via your ASA device, they may be sending the traffic to their default route or another destination.
ACLs: Is your IPsec traffic subject to the same interface ACLs as incoming packets? If so, you might want to bypass the ACLs for IPsec traffic or allow through the appropriate packets.
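The two checks above that most often explain a Phase 2 failure or one-way traffic, a crypto ACL that is not mirrored on the peer and interesting traffic that is translated by NAT before the crypto process sees it, can be scripted against saved configurations. This is an added example, not code from the original notes; both ASA configurations are constructed, and the parser covers only the subset of access-list, object and twice-NAT syntax used in them.

```python
"""Audit a site-to-site pair: are the crypto ACLs mirrored, and is interesting
traffic exempted from NAT?  Added example; the configs below are constructed."""
import ipaddress

# Constructed HQ-side configuration (hypothetical addresses and object names).
LOCAL_CONFIG = """\
object network HQ-LAN
 subnet 10.1.0.0 255.255.0.0
object network BRANCH-LAN
 subnet 10.2.0.0 255.255.255.0
object network HQ-SERVERS
 subnet 10.9.0.0 255.255.255.0
access-list CRYPTO-BRANCH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
access-list CRYPTO-BRANCH extended permit ip 10.9.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH-LAN BRANCH-LAN
nat (inside,outside) source dynamic any interface
"""

# Constructed branch-side configuration: only the first ACE was mirrored.
REMOTE_CONFIG = """\
access-list CRYPTO-HQ extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside,outside) source static BRANCH-LAN BRANCH-LAN destination static HQ-LAN HQ-LAN
"""


def _parse_addr(tokens, i):
    """Consume one ASA address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_crypto_acl(config_text, acl_name):
    """Return {(src, dst)} for every 'extended permit ip' ACE of acl_name."""
    pairs = set()
    for line in config_text.splitlines():
        t = line.split()
        if t[:5] != ["access-list", acl_name, "extended", "permit", "ip"]:
            continue
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_pairs, remote_pairs):
    """Pairs on either side whose mirror image (dst, src) is missing on the other."""
    missing_on_remote = {p for p in local_pairs if (p[1], p[0]) not in remote_pairs}
    missing_on_local = {p for p in remote_pairs if (p[1], p[0]) not in local_pairs}
    return missing_on_remote, missing_on_local


def parse_objects(config_text):
    """Map 'object network NAME' definitions (subnet/host forms) to networks."""
    objects, current = {}, None
    for line in config_text.splitlines():
        t = line.split()
        if t[:2] == ["object", "network"] and len(t) == 3:
            current = t[2]
        elif current and t[:1] == ["subnet"] and len(t) == 3:
            objects[current] = ipaddress.ip_network(f"{t[1]}/{t[2]}")
        elif current and t[:1] == ["host"] and len(t) == 2:
            objects[current] = ipaddress.ip_network(t[1] + "/32")
        elif t and not line.startswith(" "):
            current = None  # left the object sub-mode
    return objects


def unexempted_pairs(config_text, interesting):
    """Interesting pairs not covered by an identity (NAT-exempt) twice-NAT rule.
    NAT runs before the crypto process, so such traffic leaves the box translated
    and never matches the crypto ACL."""
    objects = parse_objects(config_text)
    exempt = []
    for line in config_text.splitlines():
        t = line.split()
        # nat (in,out) source static X X destination static Y Y  -> identity NAT
        if (len(t) >= 10 and t[0] == "nat" and t[2:4] == ["source", "static"]
                and t[4] == t[5] and t[6:8] == ["destination", "static"]
                and t[8] == t[9] and t[4] in objects and t[8] in objects):
            exempt.append((objects[t[4]], objects[t[8]]))
    return {(s, d) for s, d in interesting
            if not any(s.subnet_of(x) and d.subnet_of(y) for x, y in exempt)}


def _fmt(pairs):
    return sorted(f"{s} -> {d}" for s, d in pairs)


def audit(local_cfg, local_acl, remote_cfg, remote_acl):
    """Run both checks and return findings as plain strings for reporting."""
    local = parse_crypto_acl(local_cfg, local_acl)
    remote = parse_crypto_acl(remote_cfg, remote_acl)
    not_on_remote, not_on_local = mirror_mismatches(local, remote)
    return {
        "missing_on_remote": _fmt(not_on_remote),
        "missing_on_local": _fmt(not_on_local),
        "not_nat_exempt": _fmt(unexempted_pairs(local_cfg, local)),
    }


if __name__ == "__main__":
    for check, items in audit(LOCAL_CONFIG, "CRYPTO-BRANCH", REMOTE_CONFIG, "CRYPTO-HQ").items():
        print(check, items or "OK")
```

On the constructed pair the second ACE (10.9.0.0/24 to the branch) is reported twice: the branch never mirrored it, and the HQ side has no identity NAT for it, so that traffic would be translated and bypass the tunnel.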
2. High Availability and Performance Strategies
Note that multiple peers are supported only for IKEv1 IPsec site-to-site VPNs.
2.1 High Assurance with QoS
Код
ciscoasa(config)# class-map outside-class
ciscoasa(config-cmap)# match dscp 46
ciscoasa(config-cmap)# match tunnel-group 192.168.1.1
ciscoasa(config-cmap)# policy-map CCNP-VPN-QOS-Policy
ciscoasa(config-pmap)# class outside-class
ciscoasa(config-pmap-c)# priority
ciscoasa(config-pmap-c)# class class-default
ciscoasa(config-pmap-c)# police output 2000000 1500 conform-action transmit exceed-action drop
ciscoasa(config-pmap-c)# service-policy CCNP-VPN-QOS-Policy interface outside
IP Address Allocation using the Cisco VPN Client
You have three options to choose from, listed in order of preference for assigning IP addresses to VPN clients:
Use Authentication Server: Internal and remote authentication, authorization, and accounting (AAA) servers.
Use DHCP: An external or internally available Dynamic Host Configuration Protocol (DHCP) server.
Use Internal Address Pools: An internal address pool configured locally on the ASA device.
Assigning an IP Address Directly to a User Account:
Configuring DNS Servers and a Domain Name for Use by Clients:
Код
ciscoasa(config)# group-policy CCNP-VPN-POLICY attributes
ciscoasa(config-group-policy)# dns-server value 192.168.1.1 192.168.1.2
ciscoasa(config-group-policy)# default-domain value lab.local
1.2 Controlling Your Environment with Advanced Features
ACL bypass
Interface ACLs
Per-group or per-user ACLs
Split tunneling
1.3 Troubleshooting
2. Advanced Authentication and Authorization
2.1 Authentication Options and Strategies
The Adaptive Security Appliance (ASA) sends a copy of its digital certificate to the IPsec client for authentication purposes. The certificate was digitally signed with the root CA's private key when it was issued to the ASA.
The IPsec client receives the ASA's certificate, verifies that the root CA's certificate (the CA that issued the ASA's certificate) is in its local trusted root CA store, and verifies the signature on the ASA's certificate using the stored root CA's public key.
The ASA's certificate has been validated using the stored CA information, and the authenticity of the ASA is confirmed.
The IPsec client sends a copy of its digital certificate to the ASA for authentication purposes. The certificate was digitally signed with the issuing root CA's private key.
The ASA receives the IPsec client's certificate, verifies that the issuing root CA's certificate is in its local trusted root CA store, and verifies the signature on the client's certificate using the stored root CA's public key.
The IPsec client's certificate has been validated using the stored CA information, and the authenticity of the IPsec client is confirmed.
(Optional) In the case of mutual/hybrid or certificate authentication, the connecting user of the IPsec client can now be prompted for additional authentication information using XAUTH. If XAUTH was disabled on the ASA at the connection profile level, this step does not occur.
2.2 Configuring PKI for Use with Easy VPN
Before your remote users can successfully establish a working VPN connection using certificate-based authentication, you must first enable the use of certificates in two places:
Use the configured rules to match a certificate to a connection profile. (This option must be selected before any incoming identity certificates are evaluated against your configured mapping rules.) CLI command: tunnel-group-map enable rules
Use the certificate OU field to determine the connection profile. CLI command: tunnel-group-map enable ou
Use the IKE identity to determine the connection profile. CLI command: tunnel-group-map enable ike-id
Use the peer IP address to determine the connection profile. CLI command: tunnel-group-map enable peer-ip
Default connection profile. Select the default connection profile name from the drop-down list of those configured. If none of the points listed match, and none of the custom certificate maps you have created match either, the user is assigned this connection profile. CLI command: tunnel-group-map default-group <connection-profile>
Код
ciscoasa(config)# crypto ca certificate map Country-Map 10
ciscoasa(config-ca-cert-map)# subject-name attr c eq US
ciscoasa(config)# tunnel-group-map Country-Map 10 CCNP-VPN-CONN
2.5 Provisioning Certificates from a Third-Party CA
NAT Transparency (NAT Traversal): UDP/TCP:4500, ESP.
Device Pass-Through: To accompany any IUA (Individual User Authentication) that might have been configured, you can also configure the option to allow certain devices to pass traffic through the tunnel without having to authenticate.
Код
ciscoasa(config)# tunnel-group "AnyConnect Connection 1" type remote-access
ciscoasa(config)# tunnel-group "AnyConnect Connection 1" general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group LOCAL
ciscoasa(config-tunnel-general)# address-pool SSL-POOL
ciscoasa(config-tunnel-general)# default-group-policy DfltGrpPolicy
ciscoasa(config-tunnel-general)# domain-name lab.local
// connection profile group alias and URL
ciscoasa(config)# tunnel-group "AnyConnect Connection 1" webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-url https://ccnp.vpn.lab/AnyConnectSSL1 enable
ciscoasa(config-tunnel-webvpn)# group-alias AnyConnectSSL1 enable
// user
ciscoasa(config)# username AnyConnectUser1 password cisco
ciscoasa(config)# username AnyConnectUser1 attributes
ciscoasa(config-username)# service-type remote-access // VPN only access
ciscoasa(config-username)# vpn-tunnel-protocol ssl-client // only SSL access
1.2 Deploying an IKEv2 VPN
Step 1. Configure ASA interface IP addresses.
Step 2. Enter the hostname and domain name.
Step 3. Enroll with a CA and become a member of a PKI (only if certificate-based authentication is required).
Step 4. Enable the relevant interfaces for IKEv2 and AnyConnect client access. Before IKEv2 and AnyConnect client access can occur, you need to specify which interface the services will be available on.
Step 5. Create a new IKEv2 policy and assign it to the outside interface of your ASA. This step is only required if you have chosen to configure your ASA using the CLI as when configuring using the ASDM a system default policy is created and automatically applied to the outside interface (the interface you enabled IKEv2 access on in Step 4).
Код
ciscoasa(config)# ip local pool IKEv2-Pool 10.10.10.0-10.10.10.50 mask 255.255.255.0
ciscoasa(config)# tunnel-group IKEv2 type remote-access
ciscoasa(config)# tunnel-group IKEv2 general-attributes
ciscoasa(config-tunnel-general)# address-pool IKEv2-Pool
ciscoasa(config-tunnel-general)# dhcp-server 10.0.0.1
Group policy address assignment.
Код
ciscoasa(config)# ip local pool POOL 10.10.10.0-10.10.10.50 mask 255.255.255.0
ciscoasa(config)# group-policy GP internal
ciscoasa(config)# group-policy GP attributes
ciscoasa(config-group-policy)# address-pools value POOL
ciscoasa(config-group-policy)# dhcp-network-scope 10.0.0.0 // to locate an available IP address from the 10.0.0.0 scope (if configured). If not, the DHCP scope configured value is set as the giaddr field by the ASA relay agent function.
Mapping Criteria
After creating a certificate-to-connection profile map, you can create and assign rules that will match the criteria you require to be present in users’ certificate files for them to be assigned to the connection profile you have chosen.
Код
ciscoasa(config)# crypto ca certificate map Cert-Map-Country 10
ciscoasa(config-ca-cert-map)# subject-name attr c eq RU
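The rule evaluation behind the certificate maps in 2.2 and in the Mapping Criteria section above (match a rule, look up the connection profile mapped to it, otherwise fall back to the default group) is easy to get wrong when several rules and operators are in play. The following is an added example, not code from the original notes or from Cisco: the configuration and the certificates are constructed, only the subject-name/issuer-name attr criteria with the operators eq, ne, co and nc are modelled, and case-insensitive comparison and lowest-sequence-first evaluation are assumptions of the model.

```python
"""Select a connection profile from a client certificate using certificate-map
rules.  Added example (not from the original post); config and certs are constructed."""
from dataclasses import dataclass

# ASA comparison operators for certificate-map criteria (case-insensitive: assumption).
OPERATORS = {
    "eq": lambda have, want: have.lower() == want.lower(),
    "ne": lambda have, want: have.lower() != want.lower(),
    "co": lambda have, want: want.lower() in have.lower(),
    "nc": lambda have, want: want.lower() not in have.lower(),
}

# Constructed configuration: two rules in one map, their mapping, and the default group.
CONFIG = """\
crypto ca certificate map Cert-Map-Country 10
 subject-name attr c eq RU
crypto ca certificate map Cert-Map-Country 20
 subject-name attr c eq US
 subject-name attr ou co Sales
tunnel-group-map enable rules
tunnel-group-map Cert-Map-Country 10 RU-CONN
tunnel-group-map Cert-Map-Country 20 US-SALES-CONN
tunnel-group-map default-group DefaultRAGroup
"""


@dataclass
class Criterion:
    dn: str      # "subject-name" or "issuer-name"
    attr: str    # DN attribute, e.g. "c", "ou", "cn"
    op: str      # one of OPERATORS
    value: str


@dataclass
class MapRule:
    map_name: str
    seq: int
    criteria: list


def parse_cert_maps(config_text):
    """Parse 'crypto ca certificate map NAME SEQ' blocks and their attr criteria."""
    rules, current = [], None
    for line in config_text.splitlines():
        t = line.split()
        if t[:4] == ["crypto", "ca", "certificate", "map"] and len(t) == 6:
            current = MapRule(t[4], int(t[5]), [])
            rules.append(current)
        elif current and len(t) == 5 and t[0] in ("subject-name", "issuer-name") and t[1] == "attr":
            current.criteria.append(Criterion(t[0], t[2], t[3], t[4]))
        elif t and not line.startswith(" "):
            current = None  # left the certificate-map sub-mode
    return rules


def parse_tunnel_group_maps(config_text):
    """Return ({(map, seq): connection profile}, default profile, rules enabled?)."""
    mapping, default, enabled = {}, None, False
    for line in config_text.splitlines():
        t = line.split()
        if t[:1] != ["tunnel-group-map"]:
            continue
        if t[1:3] == ["enable", "rules"]:
            enabled = True
        elif t[1:2] == ["default-group"] and len(t) == 3:
            default = t[2]
        elif len(t) == 4:
            mapping[(t[1], int(t[2]))] = t[3]
    return mapping, default, enabled


def rule_matches(rule, cert):
    """A rule is a logical AND of its criteria; an attribute absent from the cert never matches."""
    for c in rule.criteria:
        have = cert.get(c.dn, {}).get(c.attr)
        if have is None or not OPERATORS[c.op](have, c.value):
            return False
    return True


def select_connection_profile(config_text, cert):
    """Lowest sequence number wins; with no match (or rules disabled) the default group applies."""
    mapping, default, enabled = parse_tunnel_group_maps(config_text)
    if enabled:
        for rule in sorted(parse_cert_maps(config_text), key=lambda r: (r.map_name, r.seq)):
            if rule_matches(rule, cert) and (rule.map_name, rule.seq) in mapping:
                return mapping[(rule.map_name, rule.seq)]
    return default


# Constructed client certificates, reduced to their DN attributes.
RU_USER = {"subject-name": {"cn": "ivanov", "c": "RU"}}
US_SALES = {"subject-name": {"cn": "jsmith", "ou": "EMEA Sales", "c": "US"}}
US_ENGINEER = {"subject-name": {"cn": "kdoe", "ou": "Engineering", "c": "US"}}
NO_COUNTRY = {"subject-name": {"cn": "anonymous"}}

if __name__ == "__main__":
    for name, cert in [("RU_USER", RU_USER), ("US_SALES", US_SALES),
                       ("US_ENGINEER", US_ENGINEER), ("NO_COUNTRY", NO_COUNTRY)]:
        print(name, "->", select_connection_profile(CONFIG, cert))
```

The last two certificates land in DefaultRAGroup, which is why the default group must itself be locked down: any certificate the CA issued that matches no rule ends up there.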
2.3 Provisioning Certificates from a Third-Party CA
Enrollment outside an SSL VPN tunnel: The AnyConnect client prompts the user to click the Get Certificate button to start the enrollment process. The user then enters her username and OTP received from the CA server.
Enrollment inside an SSL VPN tunnel.
Enrollment outside an SSL VPN tunnel
This method requires two connection profiles, one configured with certificate-based authentication and the second without. The connection profile without certificate-based authentication is used for the purposes of enrollment and will allow access only to the CA. Upon connecting, the AnyConnect client receives a profile that includes the Simple Certificate Enrollment Protocol (SCEP) parameters.
Step 1. Configure an Extensible Markup Language (XML) profile for use by the AnyConnect client containing the SCEP parameters required for communication with the CA.
Step 2. Configure a dedicated connection profile with password-based authentication used by clients for the purposes of enrollment. Communication only to the CA must be allowed through this connection. Configure group-policy.
Код
ciscoasa(config)# group-policy Enrollment-Policy internal
ciscoasa(config)# group-policy Enrollment-Policy attributes
ciscoasa(config-group-policy)# address-pools value AnyConnectAdd
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified // only to CA
ciscoasa(config-group-policy)# split-tunnel-network-list value SPLIT
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# anyconnect profiles value Enrollment type vpn
ciscoasa(config)# tunnel-group Enrollment type remote-access
ciscoasa(config)# tunnel-group Enrollment general-attributes
ciscoasa(config-tunnel-general)# default-group-policy Enrollment-Policy
ciscoasa(config)# tunnel-group Enrollment webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias Enrollment enable
3.2 Managing AnyConnect Client Profiles
The client profiles that may be configured are as follows:
VPN: Settings applied to the core AnyConnect client software.
NAM: Network Access Manager module settings for control of wireless and wired network device settings.
Web Security: The settings required for operation by the Web Security module (for example, which local ports to run on and which scanning hosts are available).
Telemetry: The settings required for the Telemetry module operation (for example, service control and local device antivirus checking).
3.3 Advanced Profile Features
SBL (Start Before Login)
Код
ciscoasa(config-group-webvpn)# anyconnect modules value vpngina
Trusted Network Detection: Trusted Network Detection is typically used by remote users who spend time working from both a remote location and their corporate office using the same device. Depending on the user’s current location, you can configure the AnyConnect client to disconnect from its current VPN connection, pause a VPN connection, start a connection, or do nothing.
4. AnyConnect Advanced Authorization using AAA and DAPs
4.1 Configuring Local and Remote Group Policies
Creating an External Group Policy and AAA Server Group:
Код
ciscoasa(config)# aaa-server RADIUS protocol radius
ciscoasa(config)# aaa-server RADIUS (dmz) host 192.168.0.10
ciscoasa(config-aaa-server-host)# key ciscoman
ciscoasa(config)# group-policy External_Policy1 external server-group RADIUS password ciscoman
Configuring Split-Tunnel Lists and Options:
Код
ciscoasa(config)# group-policy AnyConnect1 attributes
ciscoasa(config-group-policy)# split-dns value lab.local
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value AnyConnect_Client_Local_Print
5.1 Deploying DTLS
Let's assume DTLS has been enabled and a user tries to establish an AnyConnect session. To connect to the ASA and establish the SSL VPN session, AnyConnect first creates the TLS tunnel (over TCP). Once the VPN session is up, AnyConnect also tries to negotiate a DTLS tunnel with the ASA. When the DTLS tunnel is established, all VPN session user data goes through the DTLS tunnel, and the initial TLS tunnel is used only for VPN session control traffic. DPD needs to be enabled so that AnyConnect can detect whether a problem exists with the DTLS tunnel and fail user data over to the TLS tunnel. Otherwise, user data keeps going through the DTLS tunnel and is dropped because that tunnel is no longer available.
Код
ciscoasa(config)# priority-queue outside
ciscoasa(config)# class-map voice-class
ciscoasa(config-cmap)# match tunnel-group AnyConnect_Connect_1
ciscoasa(config-cmap)# match dscp ef
ciscoasa(config)# policy-map outside-policy
ciscoasa(config-pmap)# class voice-class
ciscoasa(config-pmap-c)# priority
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# police output 2000000 1500 conform-action transmit exceed-action drop
ciscoasa(config)# service-policy outside-policy interface outside
5.3 AnyConnect Redundant Peering and Failover
In addition to trying one of the configured backup servers if the primary ASA is unavailable when establishing a new VPN session, the AnyConnect client uses dead peer detection (DPD) to detect when an ASA becomes unavailable during an established VPN connection. DPD is a keepalive mechanism that sends DPD_R_U_THERE packets to the ASA after a defined period of inactivity (default 30 seconds, maximum configurable value being 3600 seconds). After the AnyConnect client sends its first DPD_R_U_THERE packet, it expects a DPD_R_U_THERE_ACK back from the ASA. If the AnyConnect client does not receive an ACK from the ASA, it continues to send DPD_R_U_THERE packets until three have been sent. If at this point the AnyConnect client still has not received a response from the ASA, it tears down the connection and attempts to open a connection to the next available server configured in the Backup Servers list. In the scenario that both TLS and DTLS tunnels are established, DPD always uses the TLS tunnel.
Код
ciscoasa(config)# failover lan unit primary
ciscoasa(config)# failover lan interface <failover_logical_name> <failover_physical_interface>
ciscoasa(config)# failover link <stateful_logical_name> <stateful_physical_interface>
ciscoasa(config)# failover interface ip <failover_logical_name> <ip_address> <mask> standby <standby_ip_address>
ciscoasa(config)# failover interface ip <stateful_logical_name> <ip_address> <mask> standby <standby_ip_address>
ciscoasa(config)# interface <failover_physical_interface>
ciscoasa(config-if)# no shut
ciscoasa(config-if)# interface <stateful_physical_interface>
ciscoasa(config-if)# no shut
ciscoasa(config)# failover
Step 2. Configure standby addresses on interfaces used for traffic forwarding.
Код
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
Step 4. (Optional) Configure nondefault MAC addresses.
Код
ciscoasa(config)# failover mac address <physical_interface> <active_mac> <standby_mac>
5.5 Redundancy in the VPN Core
Clustering (or VPN load balancing, as it is more commonly known) can be used to divide AnyConnect remote client sessions between the available ASA devices without the need for identical hardware and software.
1.1 Deployment Procedures and Strategies
You can configure five options:
Reverse proxy: Also known as the clientless SSL VPN, the reverse-proxy method of connection provides the benefits of ubiquitous connectivity (anywhere, anytime, from anything connectivity, within reason, of course). This particular connection method is commonly deployed for user access to internal web-enabled resources (Microsoft SharePoint or web mail, for example).
Port forwarding: Typically, the use of this connection method is for users accessing a Telnet application. The program's connection/server settings must be changed from the default server addresses to the local loopback address where port 23 is listening and forwarded to the VPN appliance. Only TCP applications using static port assignments can be used, and client certificates cannot be used because the Java Runtime Environment (JRE) cannot access the local certificate store. Because of these reasons and others, port forwarding is now considered a legacy application, and Cisco recommends the use of plug-ins or smart tunnels.
Client/server plug-ins: Plug-ins enable users to access their familiar applications from within the browser window. This feature continues the ubiquitous ideal of SSL VPNs, where unlike port forwarding, the client can connect to the VPN and use the application from a public computer without any need for the application to be locally installed. Available plug-ins include RDP, VNC, SSH, Telnet, and Citrix.
Smart tunnels: The smart tunnel client requires the exact executable name of the local PC's application process, including the extension (such as .exe), to be configured on the ASA, and it redirects any requests from the process to the ASA device through the SSL tunnel. Unlike with the plug-ins feature, the applications used by the client need to be installed locally on the PC in use. However, this feature can allow clients to use their existing application without the need to change any settings, and therefore the need for local administrator rights is removed as a requirement.
Full tunnel with AnyConnect: Similar to the IPsec client implementation, this method of access enables users to tunnel into the internal network and access network resources from their machines without having to choose a URL or change their local application settings.
1.2 Deploying Your First Clientless SSL VPN Solution
Configure a basic clientless SSL VPN:
Step 1. Plan an IP addressing.
Step 2. Configure a hostname, domain name, and Domain Name System (DNS).
Код
ciscoasa(config)# hostname ciscoasa
ciscoasa(config)# domain-name lab.local
ciscoasa(config)# dns server-group DNS
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config-dns-server-group)# domain-name lab.local
ciscoasa(config-dns-server-group)# name-server 10.10.10.10
Step 3. Enroll with a CA and become a member of a PKI: install CA certificate and identity certificate.
Код
! To manually enter the root CA certificate
ciscoasa(config)# crypto ca trustpoint CA
ciscoasa(config-ca-trustpoint)# enrollment terminal
ciscoasa(config-ca-trustpoint)# revocation-check none
ciscoasa(config-ca-trustpoint)# no id-usage
ciscoasa(config)# crypto ca authenticate CA
! To manually enter the identity certificate
ciscoasa(config)# crypto ca trustpoint ASA
ciscoasa(config-ca-trustpoint)# enrollment terminal
ciscoasa(config-ca-trustpoint)# revocation-check none
ciscoasa(config-ca-trustpoint)# id-usage ssl-ipsec
ciscoasa(config-ca-trustpoint)# no fqdn
ciscoasa(config-ca-trustpoint)# subject-name CN=ASA
ciscoasa(config)# crypto ca enroll ASA
!When you receive the certificate back from the issuing CA
ciscoasa(config)# crypto ca import ASA certificate
!!!!!!! or you can enroll the certificate with SCEP
ciscoasa(config)# crypto ca trustpoint ASA
ciscoasa(config-ca-trustpoint)# enrollment url http://CA
ciscoasa(config-ca-trustpoint)# revocation-check none
ciscoasa(config-ca-trustpoint)# id-usage ssl-ipsec
ciscoasa(config-ca-trustpoint)# no fqdn
ciscoasa(config-ca-trustpoint)# subject-name CN=ASA
ciscoasa(config)# crypto ca authenticate ASA
ciscoasa(config)# crypto ca enroll ASA
Step 4. Enable the relevant interfaces for SSL VPN access.
Step 6. Create a Connection Profile (optional but recommended so that the DefaultWEBVPNGroup is not used).
Код
ciscoasa(config)# tunnel-group SSL type remote-access
ciscoasa(config)# tunnel-group SSL general-attributes
ciscoasa(config)# tunnel-group SSL webvpn-attributes
ciscoasa(config-tunnel-webvpn)# dns-group DNS
1.3 Optimizing Clientless SSL VPN Performance with Content Transformation
1.3.1 Gateway Content Rewriting
You might not want some applications and web resources, for example, public websites, to go through the ASA. The ASA therefore lets you create rewrite rules that let users browse certain sites and applications without going through the ASA. This is similar to split-tunneling in an IPsec VPN connection.
Код
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# rewrite order 1 disable resource-mask https://bank.com/* name Disable-Content-Rewrite-for-Banking
1.3.2 Application Helper Profiles
Clientless SSL VPN includes an Application Profile Customization Framework option that lets the ASA handle non-standard applications and web resources so they display correctly over a clientless SSL VPN connection. An APCF profile contains a script that specifies when (pre, post), where (header, body, request, response), and what (data) to transform for a particular application. The script is in XML and uses sed (stream editor) syntax to transform strings/text.
1.3.3 Java Code Signing
A digital signature can be added to the application to provide the client with a way to verify that the application’s underlying code has not been tampered with between the server sending it and the client receiving it. The ASA can be configured to add a digital signature to Java objects for code-verification processes on the receiving client, because the ASA’s rewrite operation has the potential to modify any stored links within the file and render the current signature useless. Configuring a Certificate for Signing Rewritten Java Content:
1.4 Troubleshooting a Basic Clientless SSL VPN
The most common causes of problems for users are as follows:
Session establishment;
Certificate errors.
1.4.1 Troubleshooting Session Establishment
Step 1. Observe the SSL establishment phase for any incompatible protocol versions or cipher suites. If protocol errors have occurred, you can see these in the syslog real-time viewer within the ASDM or within the client browser. Some browsers, such as Mozilla, return messages that are easier to read and understand. Others, such as Internet Explorer, provide more generic error messages.
Step 2. After confirming SSL establishment has completed successfully, check for user authentication errors within the ASDM real-time viewer. Authentication errors (for example, an incorrect password or username) also display to the client upon submission.
Step 3. Check the user’s associated connection profile/tunnel group and group policy objects for clientless SSL VPN being allowed under the Protocols section. With this you make sure the user is allowed to connect using a clientless SSL VPN session and is also allowed to connect by using a certain or any connection profile.
After the user session has been established successfully:
Step 1. Verify whether the ASA device is allowing traffic through the SSL tunnel without denying it. If any errors exist, examine the ASDM syslog output to display them.
Step 2. Check any content-rewrite rules configured to determine whether inside resources are incorrectly being sent by the user to the Internet directly (and thus bypassing the rewrite engine by mistake).
Step 3. Verify the HTML content being passed back to the client by the ASA. You can use packet-sniffing tools locally on the PC to check for the content being returned by the ASA when a user clicks a link and so forth.
Step 4. Verify the DNS server configuration on the ASA. If the ASA does not have any DNS servers or DNS server groups assigned, the client cannot browse resources internal or external by name through the SSL VPN portal.
Step 5. Ensure that the ASA is included in the browser Trusted Zone and that cookies are enabled in the used browser.
1.4.2 Troubleshooting Certificate Errors
Expired certificate.
Invalid hostname or hostname mismatch.
Invalid CA root certificate.
Revoked certificate.
Connection partially encrypted.
2. Portal
2.1 Configuring Application Access
2.1.1 Application Access Through Port Forwarding
Port forwarding lets users access TCP-based applications over a clientless SSL VPN connection. Protocols that use UDP do not work. Requires admin privileges.
Step 3. Configure a bookmark list or use an existing one and create a new bookmark using the plug-in prefix. (For example, the VNC plug-in uses a prefix of vnc://.)
Step 4. (Optional) Define plug-in parameters to customize the user experience or connection type. (This step is usually carried out during bookmark creation. However, it is important and therefore requires its own step.)
Step 5. Connect to a remote server using the application plug-in bookmark for access and experience verification.
2.1.3 Application Access Through Smart Tunnels
Smart tunnels can be implemented into an existing or new SSL VPN connection using the following three methods:
Smart tunnel application lists: You must first create a list and then associate smart tunnel applications.
Smart tunnel network lists: You must first create a network list and then associate networks to be tunneled by the Smart Tunnel feature.
Bookmarks: When creating a bookmark list, you have an Enable Smart Tunnel option. You can check this option for web-enabled applications, allowing users to automatically start the smart tunnel process upon bookmark selection.
Code
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# smart-tunnel list SMART-RDP RDP "mstsc.exe" // list entry: application name and executable
ciscoasa(config-webvpn)# smart-tunnel network SMART-RDP-NET ip 192.168.1.0 255.255.255.0 // network list
ciscoasa(config)# group-policy name webvpn-attributes // "name" = the group policy the lists are applied to
ciscoasa(config-group-webvpn)# smart-tunnel list SMART-RDP enable
ciscoasa(config-group-webvpn)# smart-tunnel tunnel-policy tunnelspecified SMART-RDP-NET
2.2 Customizing the Clientless Portal
2.2.1 Basic Portal Layout Configuration
You can modify the look and feel of the following pages:
Logon page.
Portal page.
Logout page.
The onscreen keyboard is a Java-based keyboard that you can use to prevent potential keylogger software access to any credentials the user might be required to enter:
Code
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# onscreen-keyboard all
or
Code
ciscoasa(config-webvpn)# onscreen-keyboard logon
2.2.2 Outside-the-Box Portal Configuration
You can download any current template or content files that reside on the ASA device:
2.3 Advanced Authentication
The following are typical authentication options for client authentication:
Static passwords.
Digital certificates.
Double authentication.
2.3.1 Clientless SSL VPN Double Authentication
Code
ciscoasa(config)# tunnel-group name general-attributes
ciscoasa(config-tunnel-general)# secondary-authentication-server-group [interface] {none | LOCAL | groupname} [use-primary-username]
2.3.2 Single Sign-on
Single sign-on support lets users of clientless SSL VPN enter a username and password only once to access multiple protected services and web servers. The clientless SSL VPN server running on the ASA acts as a proxy for the user to the authenticating server. When a user logs in, the clientless SSL VPN server sends an SSO authentication request, including username and password, to the authenticating server. If the server approves the authentication request, it returns an SSO authentication cookie to the clientless SSL VPN server. The ASA keeps this cookie on behalf of the user and uses it to authenticate the user to secure websites within the domain protected by the SSO server.
a) Configuring SSO with HTTP Basic or NTLM Authentication
Configures auto-signon for all users of clientless SSL VPN to servers with IP addresses ranging from 10.1.1.0 to 10.1.1.255 using NTLM authentication.
Code
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# auto-signon allow ip 10.1.1.1 255.255.255.0 auth-type ntlm
Configures auto-signon for all users of clientless SSL VPN, using basic HTTP authentication, to servers defined by the URI mask https://*.example.com/*.
Code
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# auto-signon allow uri https://*.example.com/* auth-type basic
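The two auto-signon rules above decide to which servers the ASA forwards a user's credentials, so the matching logic is where a misconfiguration turns into credential leakage. The following Python is an added example (not ASA code and not the ASA's documented matching algorithm): it models the ip rule and the URI-mask rule, and it matches the scheme, host and path of the mask separately, on the assumption that a correct matcher must not let the host wildcard span a "/" and match a foreign host that merely carries "example.com" in its path. The rule table and the URLs are constructed.

```python
import fnmatch
import ipaddress
from urllib.parse import urlsplit

# Constructed rule table mirroring the two auto-signon lines above
# (hypothetical representation; not the ASA's own data structure).
AUTO_SIGNON_RULES = [
    {"match": "ip", "value": "10.1.1.1", "mask": "255.255.255.0", "auth_type": "ntlm"},
    {"match": "uri", "value": "https://*.example.com/*", "auth_type": "basic"},
]


def _ip_rule_matches(rule, host):
    """An ip rule matches only a literal IP address inside the masked network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname never matches an ip rule
    net = ipaddress.ip_network(f"{rule['value']}/{rule['mask']}", strict=False)
    return addr in net


def _uri_rule_matches(rule, url):
    """Match scheme, host and path of the mask separately, so a wildcard in the
    host part can never swallow a '/' (assumption about correct behaviour,
    see the lead-in)."""
    pat, tgt = urlsplit(rule["value"]), urlsplit(url)
    if pat.scheme != tgt.scheme:
        return False
    if not fnmatch.fnmatchcase(tgt.hostname or "", pat.hostname or ""):
        return False
    return fnmatch.fnmatchcase(tgt.path or "/", pat.path or "/")


def auto_signon_for(url):
    """Return the auth type whose credentials would be forwarded to url, or None."""
    host = urlsplit(url).hostname or ""
    for rule in AUTO_SIGNON_RULES:
        if rule["match"] == "ip" and _ip_rule_matches(rule, host):
            return rule["auth_type"]
        if rule["match"] == "uri" and _uri_rule_matches(rule, url):
            return rule["auth_type"]
    return None


if __name__ == "__main__":
    for u in ("http://10.1.1.37/intranet", "http://10.1.2.5/",
              "https://portal.example.com/app/login",
              "https://portal.example.com.attacker.test/",
              "https://attacker.test/x.example.com/"):
        print(f"{u:45} -> {auto_signon_for(u)}")
```

The last two constructed URLs are the cases worth keeping in mind when writing a URI mask: neither a host that merely ends in a longer suffix nor a path that contains the domain name should receive the user's credentials.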
b) Configuring SSO Authentication Using SiteMinder
Code
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# sso-server SSO-Server type siteminder
ciscoasa(config-webvpn-sso-siteminder)# web-agent-url http://10.1.1.1
ciscoasa(config-webvpn-sso-siteminder)# policy-server-secret ciscot
ciscoasa(config)# username test attributes
ciscoasa(config-username)# webvpn
ciscoasa(config-username-webvpn)# sso-server value SSO-Server
ciscoasa(config)# group-policy DfltGrpPolicy attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# sso-server value SSO-Server
c) Configuring SSO Authentication Using SAML Browser Post Profile
d) Configuring SSO with the HTTP Form Protocol
2.3.3 Troubleshooting PKI
3. Dynamic Access Policies (DAP)
Dynamic access policies (DAP) provide a higher level of granularity when assigning object access to users or groups through the matching of specific authentication, authorization, and accounting (AAA) attributes and endpoint attributes (for example, the existence of particular local files or Registry settings). DAP is not restricted to just clientless SSL VPN. It can be applied to all remote-access VPN connection types.
To deploy a DAP, you must complete five steps:
Step 1. Create a DAP.
Step 2. Specify user AAA attributes for match purposes.
a) Group policy name
b) Assigned IP address
c) Connection profile
d) Username
e) Username 2
f) SCEP Required
Step 3. Specify endpoint attributes for match purposes.
a) Anti-Spyware (CSD Required)
b) Anti-Virus (CSD Required)
c) Application (connection type)
d) File (CSD Required)
e) Device (CSD Required)
f) NAC
g) Operating System (CSD Required)
h) Personal Firewall (CSD Required)
j) Policy (CSD Required)
k) Process (CSD Required)
m) Registry (CSD Required)
Step 4. Configure authorization parameters.
a) Action
b) Network ACL Filters (Client)
c) Webtype ACL Filters (Clientless)
d) Functions
e) Port Forwarding List
f) Bookmarks
g) Access Method
h) AnyConnect
Step 5. Configure authorization parameters for the default DAP.
DAP Record Aggregation
DAP record aggregation is the result of the configured match conditions in two or more DAPs matching the user's AAA or endpoint attributes. The results can vary based on the priorities of the DAPs being aggregated and the actions that are configured within them. DAP records, unlike ACLs, do not stop processing and apply the action as soon as a match is found. Instead, all DAP records (except for the DfltAccessPolicy) are checked against the session, and any authorization attributes that result from the matching records are accumulated.
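To make the aggregation rule concrete, here is an added Python model of DAP evaluation; it is not the ASA's implementation and the records, session attributes and ACL names are constructed. The model applies the behaviour described above (every record is checked, matching records accumulate, the default policy is used only when nothing else matches) plus three aggregation rules assumed for the example: the most restrictive action among the matched records wins, ACL entries are concatenated in descending record priority, and a function that any matched record disables stays disabled.

```python
from dataclasses import dataclass, field

ACTION_RANK = {"continue": 0, "quarantine": 1, "terminate": 2}


@dataclass
class DapRecord:
    """Constructed model of a DAP record (not the ASA's own data structure)."""
    name: str
    priority: int = 0
    aaa_match: dict = field(default_factory=dict)       # AAA attribute -> required value
    endpoint_match: dict = field(default_factory=dict)  # endpoint attribute -> required value
    action: str = "continue"                            # continue | quarantine | terminate
    network_acls: list = field(default_factory=list)
    functions: dict = field(default_factory=dict)       # e.g. {"file-browsing": "disable"}


def record_matches(rec, session):
    """Every configured AAA and endpoint criterion of the record must hold for the session."""
    return (all(session["aaa"].get(k) == v for k, v in rec.aaa_match.items())
            and all(session["endpoint"].get(k) == v for k, v in rec.endpoint_match.items()))


def aggregate(records, default, session):
    """Evaluate every record (the default one only when nothing else matched) and
    accumulate the authorization attributes of all matching records."""
    matched = [r for r in records if record_matches(r, session)] or [default]
    # Higher-priority records contribute their ACL entries first (assumed rule).
    matched.sort(key=lambda r: r.priority, reverse=True)
    # The most restrictive action among the matched records wins (assumed rule).
    action = max((r.action for r in matched), key=ACTION_RANK.__getitem__)
    network_acls = [acl for r in matched for acl in r.network_acls]
    functions = {}
    for r in matched:
        for fn, setting in r.functions.items():
            if functions.get(fn) != "disable":  # once disabled, no other record re-enables it
                functions[fn] = setting
    return {"matched": [r.name for r in matched], "action": action,
            "network_acls": network_acls, "functions": functions}


# Constructed policy set.
DAP_RECORDS = [
    DapRecord("SALES-BASE", priority=10, aaa_match={"group_policy": "GP-SALES"},
              network_acls=["ACL-SALES"], functions={"file-browsing": "enable"}),
    DapRecord("NO-ANTIVIRUS", priority=20, endpoint_match={"antivirus": False},
              action="quarantine", network_acls=["ACL-REMEDIATION"]),
    DapRecord("WINDOWS-RESTRICT", priority=30, endpoint_match={"os": "Windows"},
              network_acls=["ACL-BLOCK-ADMIN-NETS"], functions={"file-browsing": "disable"}),
]
DFLT_ACCESS_POLICY = DapRecord("DfltAccessPolicy", network_acls=["ACL-DEFAULT"])


def evaluate(group_policy, os_name, antivirus):
    """Build a constructed session from its AAA and endpoint attributes and aggregate."""
    session = {"aaa": {"group_policy": group_policy},
               "endpoint": {"os": os_name, "antivirus": antivirus}}
    return aggregate(DAP_RECORDS, DFLT_ACCESS_POLICY, session)


if __name__ == "__main__":
    print(evaluate("GP-SALES", "Windows", True))
    print(evaluate("GP-SALES", "Windows", False))
    print(evaluate("GP-ENG", "Linux", True))
```

The second call shows why a DAP design has to be read as a whole: a sales user on a Windows host without antivirus matches three records at once, and the quarantine action of one of them overrides the continue of the other two.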
Troubleshooting DAP Deployment
ASDM test feature
ASA logging
DAP debugging
4. High Availability and Performance
4.1 Content Caching for Optimization
Content caching stores frequently reused objects in the system cache, which reduces the need to perform repeated rewriting and compressing of content. It reduces traffic between clientless SSL VPN and the remote servers, with the result that many applications run much more efficiently. By default, caching is enabled.
4.2 Clustering
HA clustering (or VPN load balancing, as it is more commonly known) can be used to divide our remote clients’ SSL VPN sessions between our ASA devices without the need for duplicate hardware, software, or an intermediate load balancer (ACE). After a failover between devices occurs, any clientless SSL VPN sessions must be re-created. However, if connected using a client with DPD enabled (like AnyConnect or IPsec VPN Client), the client can automatically reconnect to the virtual cluster address (VIP) for session reestablishment.
Code
ciscoasa(config)# crypto isakmp enable inside
ciscoasa(config)# vpn load-balancing
ciscoasa(config-load-balancing)# cluster ip address 192.168.0.1 // same virtual address on all ASAs
ciscoasa(config-load-balancing)# cluster key cisco123
ciscoasa(config-load-balancing)# cluster encryption
ciscoasa(config-load-balancing)# priority 10 // higher is better
ciscoasa(config-load-balancing)# participate
4.3 Troubleshooting
Configuring Policies, Inheritance, and Attributes
1. Policies and Their Relationships
Before remote users can build a successful connection into an organization through a VPN, they must first go through the following two phases:
The prelogin phase is achieved through the use of connection profiles (also known as tunnel groups). In connection profiles, you can carry out the assignment of connection attributes and parameters (for example, AAA and IP address assignment) and define the available connection methods (for example, IKEv1, IKEv2, and SSL), allowing users to move on to the login process.
The post-login phase is achieved through the use of group policy objects, DAPs, and user-specific attributes. These may include such items as IPv4 or IPv6 access lists, DNS servers, access hours, split tunneling, and so on.
The hierarchical policy model (any unassigned attributes inherit their settings from the lower-level policy methods):
2. Understanding Connection Profiles
Connection profiles, or tunnel groups, provide the necessary prelogin policy criteria required to enable remote users to successfully establish a VPN connection to the ASA device.
Connection profiles are typically used to separate remote users into the relevant groups that may require separate methods of access or login (for example, clientless SSL VPN, AnyConnect VPN sessions, username and password, or certificate-based authentication) and provide these groups with general connectivity settings such as AAA, DNS, DHCP servers, and IP address pools.
A few methods are available for allowing users to select and connect to the appropriate connection profile:
Group URL: Group URLs allow remote users connecting through a clientless SSL VPN session to select a connection profile by entering the direct URL in their browser that has been configured for the profile they require.
Group alias: Group aliases allow clientless SSL VPN users to select the appropriate connection profile from a list at the portal login page and AnyConnect users to select a connection profile in the client software.
Code
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# tunnel-group-list enable // enabling the group alias feature
ciscoasa(config)# tunnel-group SSLVPN webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias SSL enable
Certificate to connection profile mapping: If you have chosen to use digital certificate authentication for your connection profiles, the distinguished name (DN) values in a remote user’s certificate can be used to select the appropriate connection profile.
Per-user connection profile lock: You can also assign a connection profile directly to remote users on an individual basis. For example, you might have a specific connection profile for sales users and want to make the process of connecting as seamless as possible for them without their having to first enter or select a connection profile.
Code
ciscoasa(config)# username CCNP attributes
ciscoasa(config-username)# group-lock value SSL
Creating connection profile:
Code
ciscoasa(config)# tunnel-group SSL type remote-access
3. Understanding Group Policies
A group policy object is a container for the various attributes and post-login parameters that can be assigned to VPN users and to endpoints such as IPv4 and IPv6 ACLs, DHCP servers, address pools, and so on.
Code
ciscoasa(config)# group-policy name internal
ciscoasa(config)# group-policy name internal from existing-policy-name // the existing group policy object is copied as a template for the new one
4. Configure User Attributes
The policies and parameters assigned to either local or remote users are the same and are assigned using either connection profiles or group policy objects.
However, in a locally configured user, you can also assign attributes and policy objects directly to the user account using the various options available.
Code
ciscoasa(config)# username test password cisco privilege 2
ciscoasa(config)# username test attributes
ciscoasa(config-username)# service-type remote-access // VPN only: no ASDM, SSH, or Telnet access
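The hierarchy sketched in section 1 (DfltGrpPolicy at the bottom, then the group policy selected for the session, then per-user attributes, with DAP on top) is easiest to reason about as an attribute resolver. The following Python is an added model of that resolution, not ASA code: policy objects, tunnel groups, users and attribute names are constructed, and a value of None stands for "not set here, inherit". The user-assigned group policy (vpn-group-policy) is taken to override the tunnel group's default group policy, and a DAP attribute is taken to override everything below it, as the notes state.

```python
# Constructed policy objects (not the ASA's own data model). None = inherit.
GROUP_POLICIES = {
    "DfltGrpPolicy": {"vpn-tunnel-protocol": "ssl-clientless", "dns-server": "10.0.0.53",
                      "vpn-idle-timeout": 30, "vpn-filter": None, "split-tunnel-policy": "tunnelall"},
    "GP-SALES": {"vpn-idle-timeout": 60, "vpn-filter": "ACL-SALES"},
    "GP-ADMIN": {"vpn-tunnel-protocol": "ssl-client", "vpn-filter": "ACL-ADMIN"},
}
TUNNEL_GROUPS = {"SSL": {"default-group-policy": "GP-SALES"}}
USERS = {
    "test":  {"vpn-group-policy": None, "attributes": {"vpn-idle-timeout": 15}},
    "admin": {"vpn-group-policy": "GP-ADMIN", "attributes": {}},
}


def resolve(username, tunnel_group, dap_attrs=None):
    """Walk the layers from least to most specific; the last layer that sets an
    attribute wins, and every unset attribute falls back to the layer below.
    Returns the effective attributes and, per attribute, the layer it came from."""
    user = USERS[username]
    # A group policy assigned to the user overrides the tunnel group's default one.
    gp_name = user["vpn-group-policy"] or TUNNEL_GROUPS[tunnel_group]["default-group-policy"]
    layers = [
        ("DfltGrpPolicy", GROUP_POLICIES["DfltGrpPolicy"]),
        (gp_name, GROUP_POLICIES[gp_name]),
        (f"username {username}", user["attributes"]),
        ("DAP", dap_attrs or {}),          # DAP-supplied attributes sit on top
    ]
    effective, source = {}, {}
    for layer_name, attrs in layers:
        for attr, value in attrs.items():
            if value is not None:
                effective[attr] = value
                source[attr] = layer_name
    return effective, source


if __name__ == "__main__":
    for user in USERS:
        eff, src = resolve(user, "SSL")
        for attr in eff:
            print(f"{user:6} {attr:22} = {eff[attr]!s:15} (from {src[attr]})")
```

Tracking the source of each effective attribute is the useful part when troubleshooting: a session with an unexpected ACL or idle timeout is usually inheriting it from a layer nobody looked at.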
5. Using External Servers for AAA and Policies
The ASA device supports the following external AAA server types and protocols for authentication purposes:
RADIUS;
TACACS+;
LDAP;
NT Domain;
SDI;
Kerberos;
HTTP Form.
Only two of the protocols are available for use with external group policy assignment: RADIUS and LDAP.
Code
ciscoasa(config)# group-policy name external server-group name password password
VPN Technologies Overview
1. Overview
VPN methods and their associated protocols supported by the ASA:
IPsec remote-access (IKEv1);
Easy VPN Remote client and server (IKEv1);
Easy VPN Remote hardware client (ASA 5505 only);
Clientless SSL remote-access;
AnyConnect SSL remote-access (SSL/TLS);
AnyConnect IKEv2 remote-access (SSL/TLS and Datagram Transport Layer Security (DTLS));
IPsec site-to-site (IKEv1 and IKEv2).
IPsec
IKEv1 or IKEv2 is used by IPsec for the exchange of parameters used for key negotiation, the exchange of the derived authentication/encryption keys, and overall establishment of security associations (SA).
Encapsulating Security Payload (ESP) provides a framework for the data integrity, encryption, authentication, and antireplay functions of an IPsec VPN.
Authentication Header (AH) provides a framework for the data integrity, authentication, and antireplay functions. (No encryption is provided when using AH.)
2. IKEv1
IKEv1 provides a framework for the parameter negotiation and key exchange between VPN peers for the correct establishment of an SA.
Two protocols used by IKEv1:
Internet Security Association and Key Management Protocol (ISAKMP) takes care of parameter negotiation between peers (for example, DH groups, lifetimes, encryption, and authentication).
Oakley provides the key-exchange function between peers using the DH protocol.
Two mandatory IKEv1 phases must be followed by each peer before a communications tunnel can be established between them:
IKEv1 Phase 1: both peers negotiate parameters to set up a secure and authenticated tunnel. Both peers use only one session key to secure both incoming and outgoing traffic.
IKEv1 Phase 2: uses the parameters negotiated in Phase 1 for secure IPsec SA creation. However, unlike the single bidirectional SA created within Phase 1, the IPsec SAs are unidirectional, meaning a different session key is used for each direction (one for inbound, or decrypted, traffic, and one for outbound, or encrypted, traffic).
IKEv1 uses either IKEv1 Main mode or IKEv1 Aggressive mode in Phase 1 to carry out the actions required to build a bidirectional tunnel. It then uses IKEv1 Quick mode for Phase 2 operations.
IKEv1 Main mode (Phase 1) uses three pairs of messages (making six in total) between peers:
Pair 1 consists of the IKEv1 security policies configured on the device: One peer (initiator) begins by sending one or more IKEv1 policies, and the receiving peer responds (responder) with its choice from the policies.
Pair 2 carries the DH public key exchange: DH creates the shared secret keys using the DH group/algorithm agreed upon in pair 1, and the nonces (randomly generated numbers) that are first exchanged between the peers are then encrypted by the receiving peer, sent back to the sender, and decrypted using the generated keys.
Pair 3 is used for ISAKMP authentication: Each peer is authenticated and their identity validated by the other using pre-shared keys or digital certificates. These packets and all others exchanged from now on during the negotiations are encrypted and authenticated using the policies exchanged and agreed upon in pair 2.
IKEv1 Aggressive mode (Phase 1) uses just three messages:
The initiator sends the DH group, nonces (randomly generated numbers), identity information, IKEv1 policies, and so on.
The responder authenticates the packet and sends back accepted IKEv1 policies, nonces, key material, and an identification hash that are required to complete the exchange.
The initiator authenticates the responder’s packet and sends the authentication hash.
During IKEv1 Quick mode (Phase 2), IKEv1 transform sets (a list of encryption and hashing protocols) used for IPsec policy negotiation and unidirectional SA creation are exchanged between peers. Regardless of the parameters/attributes selected within a transform set, the same five pieces of information are always sent.
An optional Extended Authentication (XAUTH) phase can also take place after successful Phase 1 SA creation. The difference is IKEv1 Phase 1 carries out the authentication of the VPN peers used to terminate each end of the SA, whereas XAUTH is used for the authentication of users or devices that will be transmitting and receiving data across the established VPN tunnel.
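The six-message Main mode exchange above is short enough to model end to end. The following Python is an added example, not ASA code and not the exact wire format: it carries out the three pairs with pre-shared-key authentication, using the RFC 2409 DH group 2 prime and the RFC 2409 SKEYID/HASH_I/HASH_R derivations, with HMAC-SHA-256 standing in for the negotiated PRF and a hash keystream XOR standing in for the negotiated cipher that protects the third pair. Peer names, policies and the PSK are constructed.

```python
import hashlib
import hmac
import os

# DH group 2 (1024-bit MODP) prime from RFC 2409 and its generator.
P = int("""FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF""".replace("\n", ""), 16)
G = 2
HASH_LEN = 32


def prf(key, data):
    """The negotiated PRF; HMAC-SHA-256 stands in for the HMAC-SHA-1/MD5 of real IKEv1."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_bytes(value):
    return value.to_bytes(128, "big")


def protect(skeyid_e, data):
    """Stand-in for the negotiated cipher keyed from SKEYID_e (XOR with a hash keystream);
    applying it twice with the same key recovers the plaintext."""
    stream = b"".join(hashlib.sha256(skeyid_e + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


class Peer:
    def __init__(self, name, psk, policies):
        self.name, self.psk, self.policies = name, psk, policies
        self.cookie = os.urandom(8)                       # ISAKMP cookie
        self.x = int.from_bytes(os.urandom(32), "big")    # DH private value, never sent
        self.pub = pow(G, self.x, P)                      # DH public value
        self.nonce = os.urandom(16)

    def derive(self, peer_pub, peer_nonce, initiator, cky_i, cky_r):
        """SKEYID derivation for pre-shared-key authentication (RFC 2409 section 5)."""
        gxy = dh_bytes(pow(peer_pub, self.x, P))
        ni, nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        skeyid = prf(self.psk, ni + nr)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
        return skeyid, skeyid_d, skeyid_a, skeyid_e


def auth_hash(skeyid, pub_a, pub_b, cky_a, cky_b, sa_body, ident):
    """HASH_I / HASH_R: the signer's public value and cookie come first, then the peer's."""
    return prf(skeyid, dh_bytes(pub_a) + dh_bytes(pub_b) + cky_a + cky_b + sa_body + ident)


def main_mode(init, resp):
    # Pair 1: initiator offers its policies, responder picks the first it also has.
    chosen = next((p for p in init.policies if p in resp.policies), None)
    if chosen is None:
        return {"phase1": "failed", "reason": "no matching IKEv1 policy"}
    sa_body = chosen.encode()
    # Pair 2: DH public values and nonces cross the wire in the clear; each side
    # derives the same SKEYID material without the shared secret ever being sent.
    ki = init.derive(resp.pub, resp.nonce, True, init.cookie, resp.cookie)
    kr = resp.derive(init.pub, init.nonce, False, init.cookie, resp.cookie)
    # Pair 3: identities and authentication hashes, protected under SKEYID_e.
    id_i, id_r = b"ID:" + init.name.encode(), b"ID:" + resp.name.encode()
    msg5 = protect(ki[3], id_i + auth_hash(ki[0], init.pub, resp.pub,
                                           init.cookie, resp.cookie, sa_body, id_i))
    plain5 = protect(kr[3], msg5)
    rid_i, rhash_i = plain5[:-HASH_LEN], plain5[-HASH_LEN:]
    if not hmac.compare_digest(rhash_i, auth_hash(kr[0], init.pub, resp.pub,
                                                  init.cookie, resp.cookie, sa_body, rid_i)):
        return {"phase1": "failed", "reason": "responder could not authenticate initiator"}
    msg6 = protect(kr[3], id_r + auth_hash(kr[0], resp.pub, init.pub,
                                           resp.cookie, init.cookie, sa_body, id_r))
    plain6 = protect(ki[3], msg6)
    rid_r, rhash_r = plain6[:-HASH_LEN], plain6[-HASH_LEN:]
    if not hmac.compare_digest(rhash_r, auth_hash(ki[0], resp.pub, init.pub,
                                                  resp.cookie, init.cookie, sa_body, rid_r)):
        return {"phase1": "failed", "reason": "initiator could not authenticate responder"}
    return {"phase1": "established", "policy": chosen, "peer_identity": rid_r.decode(),
            "skeyid_d_agreed": ki[1] == kr[1]}


if __name__ == "__main__":
    pols = ["aes-256/sha/group2/psk", "3des/md5/group2/psk"]
    print(main_mode(Peer("asa-hq", b"constructed-psk", pols),
                    Peer("asa-branch", b"constructed-psk", pols[:1])))
    print(main_mode(Peer("asa-hq", b"constructed-psk", pols),
                    Peer("asa-branch", b"wrong-psk", pols)))
```

A mismatched pre-shared key fails in pair 3, not earlier: both peers complete the DH exchange and derive different SKEYID values, so the hash each receives does not verify. The model also shows why Main mode is the preferred Phase 1 mode: the identities only ever appear inside the protected third pair, whereas Aggressive mode places them in its first message.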
2. Authentication Header and Encapsulating Security Payload
ESP and AH are not PAT aware and cannot be PATed, because these protocols have no notion of port numbers and run directly on top of IP with their own protocol numbers. To resolve this problem, a similar approach to adding a new IP header can be taken by adding a new transport header.
AH cannot operate with NAT-T because changing the authenticated IP address in the outer header will break the integrity check.
For ESP to pass across PAT devices on Cisco ASA, the following options are available:
Standards-based NAT-T, which encapsulates ESP into User Datagram Protocol (UDP) port 4500 only if a NAT/PAT device is detected along the path between the two VPN endpoints. This method is supported for all IKEv1 IPsec VPN types, but only in Tunnel mode.
Cisco proprietary UDP or TCP encapsulation, which always encapsulates ESP into UDP or TCP, even when no NAT/PAT device exists along the path. If UDP encapsulation is used, IKEv1 negotiation still uses UDP port 500, but ESP is encapsulated into UDP (by default, port 10000 is used). With TCP encapsulation, both IKEv1 and ESP are encapsulated into TCP, and by default port 10000 is used. This method is available only for remote-access IKEv1 IPsec VPNs in Tunnel mode.
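Two things from the AH/ESP discussion above are worth seeing in code: why ESP survives a PAT device once it has a UDP header in front of it, and why AH cannot. The following Python is an added example (not ASA code): it builds the RFC 3948 UDP-4500 framing (ESP header directly after UDP, IKE prefixed by the four-zero-byte non-ESP marker, one-byte keepalive), then computes a truncated HMAC integrity check over an ESP packet and over an AH packet, runs both through a constructed PAT source-address rewrite and checks which one still verifies. Addresses, keys and payloads are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on UDP 4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive that keeps the PAT binding alive
KEY = b"constructed-demo-key"          # stand-in for the negotiated integrity key


def udp4500_esp(spi, seq, ciphertext):
    """ESP-in-UDP: the ESP header (SPI, sequence) follows the UDP header directly."""
    if spi == 0:
        raise ValueError("SPI 0 would collide with the non-ESP marker")
    return struct.pack("!II", spi, seq) + ciphertext


def udp4500_ike(ike_message):
    return NON_ESP_MARKER + ike_message


def demux_udp4500(payload):
    """Receiver side of UDP 4500: tell keepalives, IKE and ESP apart by the first bytes."""
    if payload == NAT_KEEPALIVE:
        return ("nat-keepalive", b"")
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return ("ike", payload[4:])
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return ("esp", {"spi": spi, "seq": seq, "data": payload[8:]})
    return ("invalid", payload)


def esp_icv(key, esp_packet):
    """ESP integrity covers only the ESP header and payload, never the outer IP header."""
    return hmac.new(key, esp_packet, hashlib.sha256).digest()[:12]


def ah_icv(key, src, dst, payload):
    """AH integrity also covers the immutable outer IP header fields, both addresses included."""
    hdr = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return hmac.new(key, hdr + payload, hashlib.sha256).digest()[:12]


def build_packets(src="192.168.1.10", dst="203.0.113.5"):
    """Constructed ESP-in-UDP and AH packets from a private host toward a VPN peer."""
    inner = b"constructed inner datagram"
    esp = udp4500_esp(spi=0x1000, seq=1, ciphertext=inner)
    esp_pkt = {"proto": "esp-udp", "src": src, "dst": dst, "payload": esp, "icv": esp_icv(KEY, esp)}
    ah_pkt = {"proto": "ah", "src": src, "dst": dst, "payload": inner,
              "icv": ah_icv(KEY, src, dst, inner)}
    return esp_pkt, ah_pkt


def pat_rewrite(pkt, public_ip="198.51.100.1"):
    """What a PAT device does on the way out: replace the private source address."""
    return {**pkt, "src": public_ip}


def verify(pkt, key=KEY):
    if pkt["proto"] == "esp-udp":
        return hmac.compare_digest(esp_icv(key, pkt["payload"]), pkt["icv"])
    if pkt["proto"] == "ah":
        return hmac.compare_digest(ah_icv(key, pkt["src"], pkt["dst"], pkt["payload"]), pkt["icv"])
    raise ValueError(pkt["proto"])


def survives_pat(pkt):
    """True if the far end still accepts the packet after its source address was translated."""
    return verify(pat_rewrite(pkt))


if __name__ == "__main__":
    esp_pkt, ah_pkt = build_packets()
    print("ESP-in-UDP after PAT:", survives_pat(esp_pkt))
    print("AH after PAT:        ", survives_pat(ah_pkt))
    print(demux_udp4500(udp4500_ike(b"constructed IKE message"))[0])
```

The real ICV algorithms and truncation lengths are whatever the SA negotiated; the point the example isolates is only what each ICV covers, which is the whole reason NAT-T is defined for ESP and not for AH.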
3. IKEv2
IKEv2 introduces a new packet-exchange process using just four messages most of the time:
IKE_SA_INIT (Phase 1): The first exchange, IKE_SA_INIT, is used to negotiate the security parameters by sending IKEv2 proposals, including the configured encryption and integrity protocols, DH values, and nonces (random numbers). At this point, the two peers generate SKEYSEED (a seed security key value) from which all future IKE keys are generated.
IKE_AUTH (Phase 1 and 2): IKE_AUTH operates over the IKE_SA created by the IKE_SA_INIT exchange and is used to validate the identity of the peers and negotiate the various encryption, authentication, and integrity protocols to establish the first CHILD_SA, used by ESP or AH for the IPsec communication. The first CHILD_SA created in the second exchange is commonly the only SA created for IPsec communication. However, if an application or peer requires additional SAs to secure traffic through an encrypted tunnel, IKEv2 uses the CREATE_CHILD_SA exchange. During the CREATE_CHILD_SA exchange, new DH values may be generated and new cryptographic protocols used.
IKEv2 also implements a fourth exchange type: INFORMATIONAL. This message type is used to exchange error and management information between peers.
4. SSL/TLS
SSL handshake process with client authentication:
5. DTLS
DTLS is based on the original implementation of TLS, but instead operates using the UDP transport protocol for faster packet delivery.
To provide the functions of message reordering and reliable delivery, the DTLS protocol has added two new fields to the TLS record layer format: the Sequence Number and the Epoch. The Epoch field is used to distinguish the different conversations that may be occurring at the same time.
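The two fields named above are exactly what a DTLS receiver uses to reorder and to reject replays over an unreliable transport. The following Python is an added example (not AnyConnect or ASA code): it packs and parses the DTLS 1.2 record header (type, version, epoch, 48-bit sequence number, length) and keeps a 64-entry sliding anti-replay window in the style of RFC 6347 section 4.1.2.6, resetting the window when the epoch advances and dropping records from a retired epoch. The record stream is constructed.

```python
import struct

DTLS_1_2 = 0xFEFD
HEADER = struct.Struct("!BHH")   # content type, version, epoch; 48-bit sequence and length follow


def build_record(content_type, epoch, seq, body):
    """DTLS record header: type(1) version(2) epoch(2) sequence(6) length(2), then the body."""
    return (HEADER.pack(content_type, DTLS_1_2, epoch) + seq.to_bytes(6, "big")
            + struct.pack("!H", len(body)) + body)


def parse_record(data):
    if len(data) < 13:
        raise ValueError("truncated DTLS record")
    content_type, version, epoch = HEADER.unpack(data[:5])
    seq = int.from_bytes(data[5:11], "big")
    length = struct.unpack("!H", data[11:13])[0]
    if len(data) != 13 + length:
        raise ValueError("length field does not match record")
    return {"type": content_type, "version": version, "epoch": epoch, "seq": seq, "body": data[13:]}


class ReplayWindow:
    """Sliding anti-replay window keyed by (epoch, sequence number)."""

    def __init__(self, size=64):
        self.size, self.epoch, self.top, self.bitmap = size, None, 0, 0

    def accept(self, epoch, seq):
        if self.epoch is None or epoch > self.epoch:
            # A new epoch means new keys; sequence numbers restart and so does the window.
            self.epoch, self.top, self.bitmap = epoch, seq, 1
            return True
        if epoch < self.epoch:
            return False                     # record protected with retired keys
        if seq > self.top:                   # newest record so far: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1) if shift < self.size else 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                     # too old to track: drop rather than risk a replay
        if (self.bitmap >> offset) & 1:
            return False                     # already seen: replay
        self.bitmap |= 1 << offset           # late but legitimate (reordered) record
        return True


def process(records):
    """Parse each raw record and report (epoch, seq, accepted) for it."""
    window = ReplayWindow()
    results = []
    for raw in records:
        rec = parse_record(raw)
        results.append((rec["epoch"], rec["seq"], window.accept(rec["epoch"], rec["seq"])))
    return results


# Constructed stream: application data (content type 23) in epoch 0, then a key change to epoch 1.
SAMPLE = [build_record(23, 0, s, b"app") for s in (0, 1, 2)] + [
    build_record(23, 0, 1, b"app"),   # replay of seq 1
    build_record(23, 0, 5, b"app"),   # arrives early (3 and 4 still in flight)
    build_record(23, 0, 3, b"app"),   # reordered, still inside the window
    build_record(23, 1, 0, b"app"),   # first record of the new epoch
    build_record(23, 0, 4, b"app"),   # late record from the old epoch
    build_record(23, 1, 0, b"app"),   # replay in the new epoch
]

if __name__ == "__main__":
    for epoch, seq, accepted in process(SAMPLE):
        print(f"epoch={epoch} seq={seq:<3} {'accept' if accepted else 'drop'}")
```

Note the asymmetry the epoch creates: a record that is late within the current epoch is accepted if it falls inside the window, but a late record from the previous epoch is dropped outright, because the keys it was protected with are no longer current.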