Category Archives: Security

ASA, Cisco, Computer, VPN

Cisco ASA5500 Setup

Leave a comment

Cisco ASA5500 Setup

In my test enviroment i have a ASA5510 with a Basic Configuration. You can use this as a starting point for configuring the ASA5500 Series Firewalls.

The ASA5510 is connected behind the Outside ASA5500 Firewall, this ASA will do the Packet filtering,
because i am a friend of KISS (“keep it simple and straightforward”), things get complicated by it self.
For the same reasons i like diving after the DIR (“Do it right”) Method.

In this post we will begin with a basic Setup of the ASA firewall. In the next posts i will describe other topics based on this setup.

Continue reading Cisco ASA5500 Setup

ASA, Cisco, Computer, Routing, Security, VPN

How to configure Cisco ASA 5500 for AnyConnect Client

Leave a comment

So i was testing some stuff with the Authentication on the ASA Firewall and the AnyConnect client in the last days. So i feel it is time to write things down a little bit.

First i discovered we have the same problem with Windows 7 Firewall. Windows is not detecting the Interface so the Firewall do not say here we are part of the domain:-( Sad very Sad. But as i described here, there is a workaround but this is not supported by Cisco in any way.
But anyhow, we have to move to the AnyConnect Client to get VPN running with WWAN Cards.

So lets begin with a basic setup, only localusers and connect to the ASA with the AnyConnect Client.
No complex things, just connectivity. So we will start here with the configuration.
In the next posts we will go to the more complex things.

Continue reading How to configure Cisco ASA 5500 for AnyConnect Client

ASA, Cisco, Computer, Security, VPN

Cisco VPN Clients are not recognized by Windows 7 Firewall

Leave a comment

As i former described we have problems with the Cisco IPSec VPN Client and WWAN Cards. So we are testing the AnyConnect Client. We are now faceing some common problems with both clients.

We discovered that the Network adapter created by the Cisco IPSec VPN Client (Version 5.0.07.0290) and also the Cisco AnyConnect SSL VPN Client (Version 2.5.0217) not recognized by the Windows 7 Advanced Firewall. And therefore the AD Grouppolicy for the Firewall is not applied.

As a Workaround you can drop following lines from the “vpnva.inf” file from the AnyConnect Package:
[sourcecode]
;Vista specific entry — benign on 2K/XP
HKR, , *NdisDeviceType, 0x00010001, 1
[/sourcecode]
or delete the Key for the adapter from the registry.

If you feel this helps a bit or may be not ? Please leave a comment.
Flickr : , , , ,

ASA, Cisco, Computer, VPN

Cisco IPSec VPN and WWAN Cards are not working so we move to Cisco AnyConnect

1 Comment

Lately we discovered that Windows 7, Cisco IPsec VPNs and buildin UMTS Cards, also called WWAN Cards, do not work togehter. So we are now going the next step to the Cisco AnyConnect on the ASA Platform.

Here the snipplet from the release notes:

Support for Windows 7 on x64 (64-bit). This release, however, does not support WWAN devices (also called wireless data cards) on Windows 7 x86 (32-bit) and x64.

Reference : Release Notes for Cisco VPN Client, Release 5.0.0

For the ASA based AnyConnect you will find the nessesay Tools and Software here:

Cisco ASA Series Firewalls and VPN Gateways
Cisco AnyConnect Client
Cisco AnyConnect Client Profile Editor

A Basic Installation will follow.

If you feel this helps a bit or may be not ? Please leave a comment.

Flickr : , , , ,

Computer, Enterasys, Network, Security

Enterasys C2 and SSH

Leave a comment

To enable the SSH Service on a Enterasys SecureStack C2 and similar you have to issue “set ssh enabled” on the cli.

[sourcecode autolinks=”false” gutter=”false” highlight=”2″]
C2(su)->set ssh enabled
SSH hostkey generation initiated. Process should complete in 60 seconds.
C2(su)->

[/sourcecode]

If you feel this helps a bit or may be not ? Please leave a comment.

ASA, Cisco, Computer, Tacacs+

Cisco ASA and Tacacs+

Leave a comment

How to use Tacacs+ on Cisco ASA for Shell and Web Authentication

Assume the Tacacs+ Servers are:

Cisco ACS Server 1 10.120.10.11
Cisco ACS Server 2 10.120.10.12

[sourcecode gutter=”false” autolinks=”false”]
aaa-server AAA-TACACS+ protocol tacacs+
!
aaa-server AAA-TACACS+ (Management) host 10.120.10.11
key YYYYXXXYYY
!
aaa-server AAA-TACACS+ (Management) host 10.120.10.12
key YYYYXXXYYY
!
! Delete the old local only configuration
no aaa authentication http console LOCAL
no aaa authentication ssh console LOCAL
!
aaa authentication http console AAA-TACACS+ LOCAL
aaa authentication ssh console AAA-TACACS+ LOCAL
aaa authentication enable console AAA-TACACS+ LOCAL
aaa authorization command AAA-TACACS+ LOCAL
!
[/sourcecode]
If you have allready configured aaa for the ssh you might see something like

[sourcecode autolinks=”false” gutter=”false” highlight=”2″]
asa1(config)# aaa authentication ssh console AAA-TACACS+ LOCAL
Range already exists.
[/sourcecode]
Then you must first disable the aaa authentication and than add the new settings.
[sourcecode autolinks=”false” gutter=”false”]
no aaa authentication ssh console LOCAL
aaa authentication ssh console AAA-TACACS+ LOCAL
[/sourcecode]

If you feel this helps a bit or may be not ? Please leave a comment.

ASA, Cisco, Computer, E-Mail, PIX, Security, SMTP

Cisco ASA and SMTP

Leave a comment

We recently bought so new Firewalls to replace to aged Cisco PIX515e with some new Gear. We decided to use Ciscos new Firewall flagship the Cisco ASA Devices. Everything was fine after the replacement, we transfered the configuration from the old boxes to the new with the help of the Cisco Security Manager.

Later that day there was complains about e-mails are not delivered properly.

On the Cisco PIX with Software 6.2 we had implemented following:

   
        no fixup smtp

For the ASA5510 we had to implement following

        policy-map type inspect esmtp esmtp_pmap
            parameters
              allow-tls action log
        policy-map global_policy
            class inspection_default
                no inspect esmtp
                inspect esmtp esmtp_pmap
            exit
        exit

If you feel this helps a bit or may be not ? Please leave a comment.

Cisco, Computer, MDS, Tacacs+

Cisco MDS 9222i with ACS

Leave a comment

If you want to configure tacacs+ on the Cisoc MDS9222i Series you have to enable first the feature.
[sourcecode autolinks=”false” gutter=”false”]
feature tacacs+
[/sourcecode]

After this the commands to configure the Tacacs+ are available.
[sourcecode autolinks=”false” gutter=”false”]
feature tacacs+
!
tacacs+ distribute
tacacs-server timeout 10
tacacs-server host 10.0.243.247 key 0 secertkey
tacacs-server host 10.0.243.248 key 0 secretkey
tacacs+ commit
!
aaa group server tacacs+ AAA-Servers
server 10.0.243.247
server 10.0.243.248
deadtime 5
!
aaa authentication login default group AAA-Servers
aaa authentication login console local
aaa authentication login error-enable
!
ip route 10.0.243.247 255.255.255.255 10.0.160.1 interface mgmt0
ip route 10.0.243.248 255.255.255.255 10.0.160.1 interface mgmt0
!
interface mgmt0
ip address 10.0.160.99 255.255.255.0
switchport description Management
switchport speed 100
[/sourcecode]
On the ACS side you have to configure the shell profile with the following role:
[sourcecode autolinks=”false” gutter=”false”]
shell:roles="network-admin"
[/sourcecode]
If you feel this helps a bit or may be not ? Please leave a comment.

Cisco, Computer, Tacacs+, WAAS

Cisco WAAS and Tacacs+

Leave a comment
How To use Tacacs+ with Cisco WAAS for Authentication.

Configuration with the Central Manager

Tacacs+ is configured in the Device Context at Configure > Security > AAA > TACACS+
Go to Configure > Security > AAA > Authentication Methods
Go to Configure > Security > AAA > Command Authorization
On the Accelerator CLI
   tacacs key ****
   tacacs host 10.0.243.247 primary
   tacacs host 10.0.243.248
   tacacs key ****
   authentication login local enable secondary
   authentication login tacacs enable primary
   authentication configuration local enable secondary
   authentication configuration tacacs enable primary
   authentication fail-over server-unreachable
   aaa authorization commands 15 default tacacs+

On the ACS you have to add following Attribute to the Profil
For the cetral manager to work also you have to create a group “admin” and assign the role admin Under Admin > AAA > User Groups
If you feel this helps a bit or may be not ? Please leave a comment.
Cisco, Debian, DMVPN, Network, Routing, Security

DMVPN with Linux

14 Comments

I know since i discovered the DMVPN in 2004/5 this is a very intelligent combination of IPsec, GRE and NHRP. Many Thanks to the Guys at Cisco, Christoph, Frederick and all other.

This week i discovered “opennhrp” on sourceforge.

It took me a minute or two to have a VM with debian up and the needed tools installed.

I used VMWare with a bridged ethernet interface for testing, installed debian 4.0 netinstall iso and upgraded to sid / testing, so i got Kernel Version 2.6.26-1-686.

Then downloaded ipsec-tools-0.8-alpha20090126.tar.bz2 from the site. you have to install some libs and tools to build ipsec tools, like kernel headers and so on:-) and done some configure and make stuff.

I went to make opennhrp, well all done with out a problem to here.

Next i configured racoon and ipsec-tools and opennhrp like this:

   /etc/ipsec-tools.conf 
   #!/usr/sbin/setkey -f
   spdflush;
   spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
   spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;


   /etc/racoon/racoon.conf 
   path pre_shared_key "/etc/racoon/psk.txt";
   remote anonymous {
      exchange_mode main,aggressive;
      lifetime time 24 hour;
      # nat_traversal on;
      script "/etc/opennhrp/racoon-ph1down.sh" phase1_down;
      proposal {
         encryption_algorithm 3des;
         hash_algorithm sha1;
         authentication_method pre_shared_key;
         dh_group 5;
      }
   }
   sainfo anonymous {
      lifetime time 12 hour;
      encryption_algorithm 3des, blowfish 448, rijndael;
      authentication_algorithm hmac_sha1, hmac_md5;
      compression_algorithm deflate;
   }


   /etc/racoon/psk.txt
   10.2.0.90 1234


   /etc/opennhrp/opennhrp.conf
   interface gre1
      map 172.255.255.1/24 10.2.0.90 register cisco
      cisco-authentication 1234
      shortcut

No get the Tunnel UP: 

   ip tunnel add gre1 mode gre key 1234 ttl 64
   ip addr add 172.255.255.2/24 dev gre1
   ip tunnel change gre1 local 10.0.81.115
   ip link set gre1 up

Now its time to get on the other side.

We are using a Cisco 1812 with c181x-advsecurityk9-mz.124-15.T7.bin running.

   crypto isakmp policy 10
      encr 3des
      authentication pre-share
      group 5
   !
   crypto isakmp key 1234 address 0.0.0.0 0.0.0.0
   !
   crypto ipsec transform-set TRANSFORMSET_3 esp-3des esp-sha-hmac
      mode transport
   !
   crypto ipsec profile Profile3
      set transform-set TRANSFORMSET_3
   !
   interface Tunnel888
      ip address 172.255.255.1 255.255.255.0
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip mtu 1400
      ip flow ingress
      ip nhrp authentication 1234
      ip nhrp map multicast dynamic
      ip nhrp network-id 10064
      ip nhrp holdtime 360
      ip nhrp max-send 200 every 10
      ip route-cache same-interface
      ip tcp adjust-mss 1350
      load-interval 30
      tunnel source 10.2.0.90
      tunnel mode gre multipoint
      tunnel key 1234
      tunnel protection ipsec profile Profile3

and viola

   Router# sh dmvpn interface tunnel 888
   Load for five secs: 8%/3%; one minute: 9%; five minutes: 10%
   Time source is NTP, 22:14:22.148 CET Sat Feb 14 2009
   Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
   N - NATed, L - Local, X - No Socket
   # Ent --> Number of NHRP entries with same NBMA peer
   Tunnel888, Type:Hub, NHRP Peers:1,
   # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
   ----- --------------- --------------- ----- -------- -----
   1 10.0.81.115 172.255.255.2 UP never D

   Router# ping 172.255.255.2
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 172.255.255.2, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

this looks great:-)
Many thanks Timo for doing such a impressiv work. I like the cisco for they impressiv boxes and i also like opensource software.

— edit February 15, 2009 at 12:09 am —

I found after a while no packets traveling, the nhrp registration had gone on the cisco side may be holdtimers differ so added “holding-time 360” to the opennhrp.conf , a opennhrpctl purge fixed the problem.