Tag Archives: ASA

How to configure Cisco ASA 5500 for AnyConnect Client

So i was testing some stuff with the Authentication on the ASA Firewall and the AnyConnect client in the last days. So i feel it is time to write things down a little bit.

First i discovered we have the same problem with Windows 7 Firewall. Windows is not detecting the Interface so the Firewall do not say here we are part of the domain:-( Sad very Sad. But as i described here, there is a workaround but this is not supported by Cisco in any way.
But anyhow, we have to move to the AnyConnect Client to get VPN running with WWAN Cards.

So lets begin with a basic setup, only localusers and connect to the ASA with the AnyConnect Client.
No complex things, just connectivity. So we will start here with the configuration.
In the next posts we will go to the more complex things.

Continue reading How to configure Cisco ASA 5500 for AnyConnect Client

Cisco VPN Clients are not recognized by Windows 7 Firewall

As i former described we have problems with the Cisco IPSec VPN Client and WWAN Cards. So we are testing the AnyConnect Client. We are now faceing some common problems with both clients.

We discovered that the Network adapter created by the Cisco IPSec VPN Client (Version 5.0.07.0290) and also the Cisco AnyConnect SSL VPN Client (Version 2.5.0217) not recognized by the Windows 7 Advanced Firewall. And therefore the AD Grouppolicy for the Firewall is not applied.

As a Workaround you can drop following lines from the “vpnva.inf” file from the AnyConnect Package:
[sourcecode]
;Vista specific entry — benign on 2K/XP
HKR, , *NdisDeviceType, 0x00010001, 1
[/sourcecode]
or delete the Key for the adapter from the registry.

If you feel this helps a bit or may be not ? Please leave a comment.
Flickr : , , , ,

Cisco IPSec VPN and WWAN Cards are not working so we move to Cisco AnyConnect

Lately we discovered that Windows 7, Cisco IPsec VPNs and buildin UMTS Cards, also called WWAN Cards, do not work togehter. So we are now going the next step to the Cisco AnyConnect on the ASA Platform.

Here the snipplet from the release notes:

Support for Windows 7 on x64 (64-bit). This release, however, does not support WWAN devices (also called wireless data cards) on Windows 7 x86 (32-bit) and x64.

Reference : Release Notes for Cisco VPN Client, Release 5.0.0

For the ASA based AnyConnect you will find the nessesay Tools and Software here:

Cisco ASA Series Firewalls and VPN Gateways
Cisco AnyConnect Client
Cisco AnyConnect Client Profile Editor

A Basic Installation will follow.

If you feel this helps a bit or may be not ? Please leave a comment.

Flickr : , , , ,

Cisco ASA and lot of email recipients

Those days we faced the problem that we recived a mail with approx 150 recipients.
Somewhere in the communication it seams that a mail address is broken by the asa.

On the Outside of the ASA you see following in the trace:

        Inside E-Mail Server (Blue) mail.example.com
        Outside E-Mail Server (Red) mail.asdf.com
        220-mail.example.com ESMTP Server [Wed, 18 Aug 2010 10:30:58 +0200]
        220-Ready to recycle your bits, but we don't want 
        220 your unsolicited or bulk e-mail (ie: spam) 
        EHLO mail.asdf.com 
        250-mail.example.com Hello mail.asdf.com [192.168.0.1] 
        250-SIZE 4194304
        250-PIPELINING 
        250-AUTH PLAIN LOGIN CRAM-MD5 NTLM 
        250-STARTTLS 
        250 HELP 
        MAIL FROM:<asdf@asdf.com> SIZE=42157 
        RCPT TO:<user1@example.com> 
        <output omited> 
        RCPT TO:<user20@example.com> 
        RCPT TO:<user21@ 
        250 OK 
        example.com> 
        RCPT TO:<user22@example.com> 
        RCPT TO:<user23@example.com> 
        RCPT TO:<user24@example.com>
        <output omited> 
        250 Accepted 
        <output omited> 
        250 Accepted 
        
            501 <user21@XXXXXXXXXXXXXX: '>' missing at end of address
          
        250 Accepted 
        250 Accepted
        250 Accepted

On the Inside of the ASA you see following in the trace:

        Inside E-Mail Server (Blue) mail.example.com
        Outside E-Mail Server (Red) mail.asdf.com
        220-mail.example.com ESMTP Server [Wed, 18 Aug 2010 10:30:58 +0200]
        220-Ready to recycle your bits, but we don't want
        220 your unsolicited or bulk e-mail (ie: spam)
        EHLO mail.asdf.com
        250-mail.example.com Hello mail.asdf.com [192.168.0.1]
        250-SIZE 4194304
        250-PIPELINING
        250-AUTH PLAIN LOGIN CRAM-MD5 NTLM
        250-STARTTLS
        250 HELP
        MAIL FROM:<asdf@asdf.com> SIZE=42157
        RCPT TO:<user1@example.com>
        <output omited> 
        RCPT TO:<user20@example.com>
        RCPT TO:<user21@ 250 OK
        XXXXXXXXXXXXXX
        RCPT TO:<user22@example.com>
        RCPT TO:<user23@example.com>
        RCPT TO:<user24@example.com>
        <output omited> 
        250 Accepted
        <output omited> 
        250 Accepted
        
            501 <user21@XXXXXXXXXXXXXX: '>' missing at end of address
          
        250 Accepted
        250 Accepted
        250 Accepted

This is a little bit strange so i will ask the Guys from Cisco if this is a known feature or a bug.

For the Momemt we have disabled the esmtp fixup, on monday we will do future analysis.

If you feel this helps a bit or may be not ? Please leave a comment.

Cisco ASA and SMTP

We recently bought so new Firewalls to replace to aged Cisco PIX515e with some new Gear. We decided to use Ciscos new Firewall flagship the Cisco ASA Devices. Everything was fine after the replacement, we transfered the configuration from the old boxes to the new with the help of the Cisco Security Manager.

Later that day there was complains about e-mails are not delivered properly.

On the Cisco PIX with Software 6.2 we had implemented following:

   
        no fixup smtp

For the ASA5510 we had to implement following

        policy-map type inspect esmtp esmtp_pmap
            parameters
              allow-tls action log
        policy-map global_policy
            class inspection_default
                no inspect esmtp
                inspect esmtp esmtp_pmap
            exit
        exit

If you feel this helps a bit or may be not ? Please leave a comment.