[sourcecode]
set syslog config "10.0.12.1"
set syslog config "10.0.12.1" facilities local0 local1
set syslog config "10.0.12.1" log traffic
set syslog config "10.0.12.1" transport tcp
set syslog src-interface untrust
set syslog enable
set log cli enable
[/sourcecode]
Category Archives: Security
I got my first Juniper
It is a Netscreen 5GT, so here are some commands that may be useful:
Cisco IOS | Cisco PIX / Cisco ASA | Juniper Netscreen | Description
---|---|---|---
show configuration | show configuration | get config saved | get saved configuration
show running-config | show running-config | get config | get device configuration
 | | save | to save changes to config
show version | show version | get system | gets system information, Netscreen mode
show ip inspect session | | get session info | shows load on the firewall; 85+ implies there will be some latency
show interface, sh ip interface | | get interface | shows interfaces, zones
 | | get address trust/untrust | shows defined network objects
show arp, sh ip arp <interface> | show arp | get arp | shows arp entries
show ip route | show route | get route | shows firewall routes
 | | get service | shows firewall services
 | | get group address | network groups
 | | get group service | service groups
 | | get policy in/out | shows applied firewall policies
 | | get log traffic | shows firewall logs; options: based on src/dst/IP/port
no <command> | | unset | to remove a config statement
 | | get user all | shows vpn users
 | | get log event | shows vpn logs
 | | get mip | shows one-to-one NATs
 | | get vip | shows configured port forwarding rules
 | | get route ip x.x.x.x | finds the specific route for an ip
 | | set policy id xx | puts you into a specific policy so you can add more objects to it instead of creating a group
Cisco IOS VPN to IPCop
[sourcecode]
crypto isakmp key supersecertkey address AAA.BBB.CCC.DDD
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CSM_CME_FastEthernet0.831 131 ipsec-isakmp
set peer AAA.BBB.CCC.DDD
set transform-set ESP-3DES-SHA
match address XY-TEST-CRYPTO-ACL
reverse-route
!
ip nat outside source static 192.168.XX.121 10.4.YYY.243 add-route
!
ip access-list extended XY-TEST-CRYPTO-ACL
 remark /30 wildcard is 0.0.0.3 (inverse of 255.255.255.252), matching rightsubnet on the IPCop side
 permit ip 10.0.YYY.40 0.0.0.3 192.168.XX.0 0.0.0.255
!
[/sourcecode]
[sourcecode]
# Do not modify 'ipsec.conf' directly since any changes you make will be
# overwritten whenever you change IPsec settings using the web interface!
#
version 2.0
config setup
    protostack=netkey
    klipsdebug="none"
    plutodebug="none"
    #plutoload=%search
    #plutostart=%search
    uniqueids=yes
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.5.0/255.255.255.0,%v4:!10.0.244.40/30
conn %default
    keyingtries=0
    disablearrivalcheck=no
    leftupdown=/usr/local/bin/ipsecupdown.sh
#RED
conn RED
    left=192.168.0.1
    leftsubnet=192.168.XXX.0/24
    right=AAA.BBB.CCC.EEE
    rightsubnet=10.0.YYYY.40/30
    ike=3des-sha-modp1024
    esp=3des-sha1
    ikelifetime=1h
    keylife=24h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    pfs=no
    authby=secret
    auto=start
[/sourcecode]
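As an added example (not part of the post), here is a small Python checker for the two configs above. It converts the IOS crypto ACL wildcards into subnets and compares them with the IPCop leftsubnet/rightsubnet, then compares the ISAKMP policy with the Openswan ike= line. The addresses are the post's masked ones filled in from its virtual_private line (192.168.5.0/24 and 10.0.244.40/30); the peer address 203.0.113.10 is an assumption. Run on the post's values it reports one thing: the ISAKMP policy shown uses hash md5 while the ike= line asks for SHA, so unless another policy on the router matches, phase 1 will not complete. The wildcard step also rejects a non-contiguous mask such as 0.0.0.252 (the last octet of the /30 netmask rather than its wildcard), a common slip that shows up as a proxy-ID mismatch.

```python
"""Cross-check the IOS and IPCop (Openswan) ends of a site-to-site IPsec tunnel."""
import ipaddress
import re

# Constructed from the post's configs; masked octets filled from its virtual_private
# line, peer address assumed.
IOS_ISAKMP_POLICY = {"encr": "3des", "hash": "md5", "group": "2"}
IOS_CRYPTO_ACL = "permit ip 10.0.244.40 0.0.0.3 192.168.5.0 0.0.0.255"
IPCOP_CONN = """\
conn RED
    left=192.168.0.1
    leftsubnet=192.168.5.0/24
    right=203.0.113.10
    rightsubnet=10.0.244.40/30
    ike=3des-sha-modp1024
    esp=3des-sha1
    pfs=no
"""
# IOS 'group N' keyword -> Openswan DH group name
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to an IPv4Network.

    A wildcard is the inverse of a netmask, so its set bits must be the low-order
    ones (w + 1 is a power of two). 0.0.0.252 is the last octet of the netmask
    255.255.255.252, not its wildcard, and is rejected here.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be expressed as a subnet")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def parse_crypto_acl(line):
    """Return (local, remote) networks from a 'permit ip A WA B WB' entry."""
    m = re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)\s*$", line.strip())
    if not m:
        raise ValueError(f"unsupported ACL entry: {line!r}")
    a, wa, b, wb = m.groups()
    return wildcard_to_network(a, wa), wildcard_to_network(b, wb)


def parse_conn(text):
    """Parse the key=value lines of an ipsec.conf conn section into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def check_tunnel(acl_line, conn_text, isakmp):
    """Compare both ends; returns a list of mismatches (empty means consistent)."""
    findings = []
    try:
        ios_local, ios_remote = parse_crypto_acl(acl_line)
    except ValueError as err:
        return [f"crypto ACL: {err}"]
    conn = parse_conn(conn_text)
    # The router's LAN is IPCop's rightsubnet; IPCop's LAN is the router's destination.
    if str(ios_local) != conn.get("rightsubnet"):
        findings.append(f"proxy ID: router local {ios_local} != IPCop rightsubnet {conn.get('rightsubnet')}")
    if str(ios_remote) != conn.get("leftsubnet"):
        findings.append(f"proxy ID: router remote {ios_remote} != IPCop leftsubnet {conn.get('leftsubnet')}")
    # Openswan's ike= is enc-hash-group; IOS spells SHA-1 as 'sha', same as Openswan.
    parts = conn.get("ike", "").split("-")
    if len(parts) != 3:
        return findings + [f"ike={conn.get('ike')}: expected enc-hash-group"]
    enc, hsh, grp = parts
    if enc != isakmp["encr"]:
        findings.append(f"phase 1 encryption: router {isakmp['encr']} != IPCop {enc}")
    if hsh != isakmp["hash"]:
        findings.append(f"phase 1 hash: router {isakmp['hash']} != IPCop {hsh}")
    if grp != DH_GROUPS.get(isakmp["group"]):
        findings.append(f"phase 1 DH group: router group {isakmp['group']} != IPCop {grp}")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(IOS_CRYPTO_ACL, IPCOP_CONN, IOS_ISAKMP_POLICY) or ["no mismatches"]:
        print(finding)
```

The proxy-ID comparison is deliberately exact: Openswan will not narrow a /24 to a /30 on its own, so any difference between the ACL and leftsubnet/rightsubnet means phase 2 negotiation fails with a "no connection is known" style error on the IPCop side.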
Enterasys Radius authentication against ACS
[sourcecode]
set radius enable
set radius server 1 10.0.xx.y7 1812 supersecret realm any
set radius server 2 10.0.xx.y8 1812 supersecret realm any
[/sourcecode]
On the ACS, the RADIUS reply item must be:
Filter-ID = Enterasys:version=1:mgmt=su
Cisco AnyConnect VPN with Cisco 3845
Now that the implementation of the AnyConnect client on our ASA 5500 is in a good state, I want to have some backup until our production hardware is delivered. 😉
So I decided to use one of our Cisco 3845 routers to do the job.
show version
[sourcecode gutter="false" autolinks="false" collapse="true"]
C3845#show version
Load for five secs: 1%/0%; one minute: 3%; five minutes: 3%
Time source is NTP, 07:48:17.248 CET Sat Sep 11 2010
Cisco IOS Software, 3800 Software (C3845-ADVSECURITYK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 16:43 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T10, RELEASE SOFTWARE (fc1)
C3845 uptime is 34 weeks, 4 days, 14 hours, 47 minutes
System returned to ROM by reload at 15:53:45 CET Mon Jan 11 2010
System restarted at 15:55:20 CET Mon Jan 11 2010
System image file is "flash:c3845-advsecurityk9-mz.150-1.M1.bin"
[/sourcecode]
First I installed the AnyConnect package on the router.
[sourcecode gutter="false" autolinks="false"]
C3845(config)#webvpn install svc flash:/anyconnect-win-2.5.1025-k9.pkg sequence 1
SSLVPN Package SSL-VPN-Client (seq:1): installed successfully
[/sourcecode]
[sourcecode gutter="false" autolinks="false"]
ip local pool CSM_POOL_1 10.2.16.20 10.2.16.30
ip local pool vpnpool 10.2.16.31 10.2.16.41
ip local pool SSLVPNClient 10.2.16.50 10.2.16.60
!
webvpn gateway SSLVPN
ip address 192.168.10.66 port 443
ssl trustpoint TP-self-signed-2234495401
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.5.1025-k9.pkg sequence 1
!
webvpn context SSLVPN
ssl authenticate verify all
!
!
policy group SSLVPN
functions svc-required
svc address-pool "CSM_POOL_1"
svc keep-client-installed
svc dns-server primary 10.0.243.143
svc dns-server secondary 10.0.243.144
default-group-policy SSLVPN
gateway SSLVPN
inservice
!
[/sourcecode]
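An added example, not from the post: a quick Python audit of the pool and webvpn lines above. The config string is constructed from the post's lines. The checks are that the address pools do not overlap (two clients must never get the same address), that the policy group's svc address-pool refers to a pool that actually exists, and that the gateway's trustpoint is not the router's self-generated TP-self-signed-... one, which AnyConnect clients cannot validate (the reason the ASA post on certificate authentication starts by installing a valid certificate).

```python
"""Sanity checks on an IOS webvpn configuration such as the 3845 one above."""
import ipaddress
import re

# Constructed from the pool, gateway and context lines of the post's 3845 config
# (assumed sample input, not pulled from a live device).
SAMPLE_CONFIG = """
ip local pool CSM_POOL_1 10.2.16.20 10.2.16.30
ip local pool vpnpool 10.2.16.31 10.2.16.41
ip local pool SSLVPNClient 10.2.16.50 10.2.16.60
!
webvpn gateway SSLVPN
 ip address 192.168.10.66 port 443
 ssl trustpoint TP-self-signed-2234495401
 inservice
!
webvpn context SSLVPN
 ssl authenticate verify all
 policy group SSLVPN
   functions svc-required
   svc address-pool "CSM_POOL_1"
   svc keep-client-installed
 default-group-policy SSLVPN
 gateway SSLVPN
 inservice
"""


def parse_pools(config):
    """Map each 'ip local pool NAME START END' to an inclusive (start, end) integer range."""
    pools = {}
    for name, start, end in re.findall(r"^ip local pool (\S+) (\S+) (\S+)$", config, re.M):
        lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        if lo > hi:
            raise ValueError(f"pool {name}: start {start} is above end {end}")
        pools[name] = (lo, hi)
    return pools


def overlapping_pools(pools):
    """Return name pairs whose ranges share at least one address."""
    names = sorted(pools)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if pools[a][0] <= pools[b][1] and pools[b][0] <= pools[a][1]]


def audit_webvpn(config):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    pools = parse_pools(config)
    for a, b in overlapping_pools(pools):
        findings.append(f"address pools {a} and {b} overlap: two clients could get the same IP")
    # svc address-pool may be quoted (as in the post) or bare
    for name in re.findall(r'svc address-pool "?([^"\s]+)"?', config):
        if name not in pools:
            findings.append(f"policy group references undefined pool {name}; SVC sessions would get no address")
    for tp in re.findall(r"^\s*ssl trustpoint (\S+)$", config, re.M):
        if tp.startswith("TP-self-signed-"):
            findings.append(f"ssl trustpoint {tp} is self-signed: AnyConnect clients cannot validate the gateway certificate")
    return findings


if __name__ == "__main__":
    for finding in audit_webvpn(SAMPLE_CONFIG) or ["nothing to report"]:
        print(finding)
```

On the post's own lines the only finding is the self-signed trustpoint; the overlap and missing-pool checks fire when a fourth pool is cut from the same range or the quoted pool name is mistyped, which is easy to do when several pools are maintained by hand as here.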
If you feel this helps a bit, or maybe not, please leave a comment.
Cisco ASA AnyConnect VPN
Some notes on what to do
http://www.block.net.au/blogs/james/pages/active-directory-vpn-authentication-with-a-cisco-asa-5510-series-appliance.aspx
RADIUS authentication for the ASA
ASA 8.X: AnyConnect Start Before Logon Feature Configuration
Configuration Examples and TechNotes
ToDo:
av-pairs ????
certificate selection process
set the certificate on the interface : ssl trust-point MyTrustPoint Outside
Docu: Backup Gateway
Pictures: ASDM, CCP
Write complete setup down ….
Reference the Docu.
http://www.cisco.com/en/US/docs/security/asa/asa83/getting_started/5500/guide/getstart.html
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/svc.html#wp1090595
http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/config.html
http://www.cisco.com/en/US/products/ps8411/prod_maintenance_guides_list.html
How to authenticate AnyConnect VPN against RADIUS
AnyConnect with Cisco ACS RADIUS is a bit more complicated, because the ASA 5500 documentation states that you cannot use the same RADIUS server for
authentication and authorization. So things get more complex by themselves 😉 But if I see things in the right light, we don't need authorization at all, so we will see on Monday how things develop.
The authentication against RADIUS is quite easy to configure.
Just add the RADIUS servers as described here.
Then add the following to the configuration:
[sourcecode gutter="false" autolinks="false"]
tunnel-group SSLClientProfile general-attributes
authentication-server-group AAA-RADIUS
[/sourcecode]
By debugging the RADIUS authentication I see that our FreeRADIUS delivers the AV pairs with the authentication reply, so let's see if the ASA accepts them.
If you feel this helps a bit, or maybe not, please leave a comment.
How to use RADIUS for Authentication
How to use RADIUS on Cisco ASA for Shell and Web Authentication
Assume the RADIUS servers are:
Server | Address
---|---
Cisco ACS Server 1 | 10.120.10.11
Cisco ACS Server 2 | 10.120.10.12
[sourcecode gutter="false" autolinks="false"]
aaa-server AAA-RADIUS protocol radius
!
aaa-server AAA-RADIUS (Management) host 10.120.10.11
key YYYYXXXYYY
!
aaa-server AAA-RADIUS (Management) host 10.120.10.12
key YYYYXXXYYY
!
! Delete the old local only configuration
no aaa authentication http console LOCAL
no aaa authentication ssh console LOCAL
!
aaa authentication http console AAA-RADIUS LOCAL
aaa authentication ssh console AAA-RADIUS LOCAL
aaa authentication enable console AAA-RADIUS LOCAL
aaa authorization command AAA-RADIUS LOCAL
!
[/sourcecode]
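The aaa-server lines above only tell the ASA where the ACS is and what the shared key is; that key is what makes the exchange trustworthy. The following added Python example (not from the post) plays both ends of one RADIUS PAP exchange as RFC 2865 defines it: the NAS hides the User-Password with MD5(secret + Request Authenticator) and only accepts a reply whose Response Authenticator was computed with the same secret, so a reply from a host that does not hold the key is discarded. The server side returns the Filter-Id value the Enterasys post above expects (Enterasys:version=1:mgmt=su). The shared key reuses the post's placeholder YYYYXXXYYY; the NAS address 10.120.10.1, the user jdoe and the password are constructed.

```python
"""One RADIUS PAP round trip between a NAS (the ASA) and a RADIUS server (the ACS)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11  # RFC 2865 attribute types

# Constructed: the placeholder key from the aaa-server lines above, and one user whose
# Access-Accept carries the Filter-Id value the Enterasys post requires.
SECRET = b"YYYYXXXYYY"
USERS = {"jdoe": {"password": b"correct horse", "filter_id": "Enterasys:version=1:mgmt=su"}}


def encode_attrs(attrs):
    """Serialise (type, value) pairs as TLVs; the length byte covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Inverse of encode_attrs, rejecting lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def xor_password(data, secret, request_auth, decrypt):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block);
    the first block uses the Request Authenticator as the previous block."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += block
        prev = chunk if decrypt else block
    return out


def hide_password(password, secret, request_auth):
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    return xor_password(padded, secret, request_auth, decrypt=False)


def reveal_password(hidden, secret, request_auth):
    return xor_password(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def header(code, ident, body_len):
    return struct.pack("!BBH", code, ident, 20 + body_len)


def response_authenticator(code, ident, body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(header(code, ident, len(body)) + request_auth + body + secret).digest()


def build_access_request(ident, username, password, nas_ip, secret):
    """NAS side. Returns (packet, request_authenticator); keep the authenticator to check the reply."""
    request_auth = os.urandom(16)
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return header(ACCESS_REQUEST, ident, len(body)) + request_auth + body, request_auth


def server_handle(packet, secret, users):
    """Server side: recover the PAP password and answer Accept (with Filter-Id) or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:]))
    user = users.get(attrs[USER_NAME].decode(errors="replace"))
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    if user and hmac.compare_digest(user["password"], password):
        reply_code, body = ACCESS_ACCEPT, encode_attrs([(FILTER_ID, user["filter_id"].encode())])
    else:
        reply_code, body = ACCESS_REJECT, b""
    return header(reply_code, ident, len(body)) + response_authenticator(reply_code, ident, body, request_auth, secret) + body


def verify_reply(reply, ident, request_auth, secret):
    """NAS side: trust the reply only if its Response Authenticator proves the sender knows the secret."""
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        raise ValueError("reply does not match the outstanding request")
    body = reply[20:]
    if not hmac.compare_digest(reply[4:20], response_authenticator(code, rid, body, request_auth, secret)):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code, dict(decode_attrs(body))


def run_exchange(username, password, nas_secret=SECRET, server_secret=None):
    """Drive one exchange in-process; returns (reply code, Filter-Id or None)."""
    server_secret = nas_secret if server_secret is None else server_secret
    request, request_auth = build_access_request(7, username, password, "10.120.10.1", nas_secret)
    reply = server_handle(request, server_secret, USERS)
    code, attrs = verify_reply(reply, 7, request_auth, nas_secret)
    filter_id = attrs.get(FILTER_ID)
    return code, (filter_id.decode() if filter_id is not None else None)
```

The Response Authenticator is also why the LOCAL fallback in the aaa authentication lines only kicks in when the server does not answer at all: a reply that fails the check is dropped as if it never arrived, while an Access-Reject that verifies correctly is a real "no" and does not fall through to the local database.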
If you have already configured AAA for SSH you might see something like:
[sourcecode autolinks="false" gutter="false" highlight="2"]
asa1(config)# aaa authentication ssh console AAA-RADIUS LOCAL
Range already exists.
[/sourcecode]
Then you must first remove the existing AAA authentication line and then add the new settings.
[sourcecode autolinks="false" gutter="false"]
no aaa authentication ssh console LOCAL
aaa authentication ssh console AAA-RADIUS LOCAL
[/sourcecode]
If you feel this helps a bit, or maybe not, please leave a comment.
How to use Radius/Tacacs+ and Certificate based Authentication for AnyConnect VPN
First you have to add a valid certificate to the ASA, then change the following in the configuration.
[sourcecode]
tunnel-group SSLClientProfile general-attributes
authentication-server-group AAA-TACACS+
!
tunnel-group SSLClientProfile webvpn-attributes
authentication aaa certificate
[/sourcecode]
Then you can connect to the ASA only with a username and a user certificate.
How to authenticate AnyConnect VPN against Tacacs+
The authentication against TACACS+ is quite easy to configure.
Just add the TACACS+ servers as described here.
Then add the following to the configuration:
[sourcecode]
tunnel-group SSLClientProfile general-attributes
authentication-server-group AAA-TACACS+
[/sourcecode]
If you feel this helps a bit, or maybe not, please leave a comment.