Cisco Small Business (SG500) Link Aggregation (LAG) With LACP

KB ID 0001277 

Problem

At work a client was having trouble with a NAS Drive (Buffalo Terastation). It was being used as a backup target and some of the servers were dropping connections. I knew the client had some Catalist 3750’s So I suggested going and creating an Ether Channel to the two NICs in the NAS box, to try and cure the problem.

However when I went onsite, I noticed the 3750 didn’t have any spare Gigabit ports only FastEthernet ones. So I thought I’d create a port channel on one of their Cisco Small Business Switches (SG500-52P). I mean how difficult can that be?

Solution

SG500 LAG Configuration

Note: Configure the switch FIRST.

Before you start, the ports you want to use MUST NOT be a member of a VLAN, and this needs to be done for EVERY VLAN, and saved each time. VLAN Management  > Port to VLAN.

So the port should be a simple access port set as below, VLAN Management > Interface Settings.

Now you can create the Link Aggregate Group > Port Management > LAG Management > I set the global option to ‘IP/MAC Address’ > Then select the first free LAG  > Edit.

Tick LACP BEFORE you add in the ports. If you don’t, it creates the LAG, but the LACP option is ‘greyed out’. (The only way to solve this, is remove all the ports, save the settings, add LACP, then add the ports back in again!)

At this point you need to add your LAG interface into the appropriate VLAN, or more likely set it as a Trunk.

Buffalo Terastation NAS Settings for LACP

For LACP to work both ends need to be configured, on the NAS box, bond the two networks cards together, then set the ‘Port Trunking’ mode to ‘Dynamic link aggregation’ > Accept.

Related Articles, References, Credits, or External Links

NA

ASA Setup FirePOWER Services (for ASDM)

KB ID 0001107 

Problem

Both the 5506-X (rugged version and wireless), and 5508-X now come with a FirePOWER services module inside them. This can be managed from either ASDM* (with OS and ASDM upgraded to the latest version), and via the FireSIGHT management software/appliance.

Related Articles, References, Credits, or External Links

*UPDATE: All ASA ‘Next-Gen’ firewalls can now have their Firepower Service Module managed from the ASDM.

Solution

1. The first thing to do is cable the management interface and the interface you are going to use as the ‘inside’ (LAN) into the same network (VLAN).

2. The next step might seem strange if you are used to working with Cisco firewalls, but you need to make sure there is no IP address configured on the management interface. Try to think of it as just the hole that the FirePOWER services module (which will get its own IP) speaks out though.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# interface Management1/1
Petes-ASA(config-if)# no nameif
WARNING: DHCPD bindings cleared on interface 'management', address pool removed
Petes-ASA(config-if)# no security-level
Petes-ASA(config-if)# no ip address 

[/box]

3. So it should look like this;

[box]

Petes-ASA(config-if)# show run
: Saved

ASA Version 9.3(2)2
!
----Output removed for the sake of brevity----
!
interface Management1/1
management-only
no nameif
no security-level
!
----Output removed for the sake of brevity---- 

[/box]

4. Lets make sure the FirePOWER service module is ‘up’ and healthy.

[box]

Petes-ASA(config)# show module 


Mod  Card Type                                    Model              Serial No.

---- -------------------------------------------- ------------------ -----------

   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD19090XXX

 sfr FirePOWER Services Software Module           ASA5506            JAD19090XXX


Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version

---- --------------------------------- ------------ ------------ ---------------

   1 a46c.2a99.eec5 to a46c.2a99.eece  1.0          1.1.1        9.3(2)2

 sfr a46c.2a99.eec4 to a46c.2a99.eec4  N/A          N/A          5.4.1-211


Mod  SSM Application Name           Status           SSM Application Version

---- ------------------------------ ---------------- --------------------------

 sfr ASA FirePOWER                  Up               5.4.1-211


Mod  Status             Data Plane Status     Compatibility

---- ------------------ --------------------- -------------

   1 Up Sys             Not Applicable

 sfr Up                 Up

[/box]

5. The SFR module is actually a Linux box that’s running within the firewall, to connect to it you issue a ‘session sfr’ command.

  • Default Username: admin
  • Default Password: Sourcefire (capital S)
  • Default Password (after version 6.0.0): Admin123 (capital A)

As this is the first time you have entered the SFR you need to page down (press space) though the sizable EULA, then accept it.

[box]

Petes-ASA(config)# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5506 v5.4.1 (build 211)

Sourcefire3D login: admin

Password: Sourcefire

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Linux OS v5.4.1 (build 12)

Cisco ASA5506 v5.4.1 (build 211)

You must accept the EULA to continue.

Press <ENTER> to display the EULA:

END USER LICENSE AGREEMENTIMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. IT IS VERY

----Output removed for the sake of brevity---- 

Product warranty terms and other information applicable to Cisco products are

available at the following URL: http://www.cisco.com/go/warranty.
----Output removed for the sake of brevity---- 

Please enter 'YES' or press <ENTER> to AGREE to the EULA: YES

[/box]

6. Set a new password.

[box]

System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.

Enter new password: Password123

Confirm new password: Password123

[/box]

7. Set up all the IP and DNS settings, then exit from the module session.

[box]

You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.

Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: manual
Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.100.22
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface []: 192.168.100.1
Enter a fully qualified hostname for this system [Sourcefire3D]: SFire
Enter a comma-separated list of DNS servers or 'none' []: 192.168.100.10,192.168.100.11
Enter a comma-separated list of search domains or 'none' [example.net]: petenetlive.com,pnl.net

If your networking information has changed, you will need to reconnect.

For HTTP Proxy configuration, run 'configure network http-proxy'

Applying 'Default Allow All Traffic' access control policy.
You can register the sensor to a Defense Center and use the Defense Center

----Output removed for the sake of brevity---- 

sensor to the Defense Center.

> exit

Remote card closed command session. Press any key to continue.

[/box]

8. Now you need to ‘send’ traffic though the module, in this case I’m going to send all IP traffic though, I’m also going to set it to ‘fail open’, If you set it to fail closed then traffic will cease to flow though the firewall if the FirePOWER services module goes off-line. I’m making the assumption you have a default policy-map applied.

[box]

Petes-ASA(config)# access-list SFR extended permit ip any any
Petes-ASA(config)# class-map SFR
Petes-ASA(config-cmap)# match access-list SFR
Petes-ASA(config-cmap)# exit

[/box]

9. Add that new class-map to the default policy-map.

WARNING: If you are going to set ‘fail-close‘ then make sure your SFR module is operating normally, or you will cause downtime, best to do this in a maintenance window!)

[box]

Petes-ASA(config)# policy-map global_policy 
Petes-ASA(config-pmap)# class SFR
Petes-ASA(config-pmap-c)# sfr fail-open
Petes-ASA(config-pmap-c)# exit
Petes-ASA(config-pmap)# exit

[/box]

10. Save the changes.

[box]

Petes-ASA(config)# write mem
Building configuration...

Cryptochecksum: 72c138e3 1fa6ec32 31c35497 621cff02

35819 bytes copied in 0.210 secs

[OK]

[/box]

11. At this point the firewall should be able to ping the management IP of the SFR module.

[box]

Petes-ASA# ping 192.168.100.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Petes-ASA#

[/box]

12. Now when you connect to the ASDM you can manage the FirePOWER services module.Note: I have seen some firewalls that flatly refuse to connect to the Firepower Services Module, and give an error ‘unable to connect on port 443’ every time you launch ASDM. I just re-image the module and load in a fresh install (40 mins to an hour), and start again.

Code to Copy & Paste

If you are lazy like me!

[box]

access-list ACL-FirePOWER extended permit ip any any
 class-map CM-SFR
 match access-list ACL-FirePOWER
 exit
policy-map global_policy 
 class CM-SFR
 sfr fail-open
 exit
 exit
write mem

[/box]

Note If you get an unable to connect error see the following article;

Cisco – Cannot Connect to the ASA FirePOWER Module

13. I suggest you update everything first, the ASA will configure an access control policy set to allow and inspect all traffic by default, which we will edit, set everything to update on a schedule, (rule updates and geolocation info).

Cisco FirePOWER Services Adding Licences (ASDM)

In the box with the firewall, you will have an envelope, you don’t need to open it (as below) because the PAK number you need is printed on the outside anyway. This is the firewalls CONTROL LICENCE, it allows it to be managed, we will install it into the ASDM, if you have a SourceFIRE appliance to manage the firewall you would install it there. You need two  bits of information the PAK and the LICENCE KEY of the FirePOWER module, (See Below).

The Licence Key is the MAC address of the Module, (Not the ASA). You can find it at Configuration > ASA FirePOWER Configuration > Licence. This is also where you will add all the licences. Go to www.cisco.com/go/licence and register the licence (and any additional licences i.e. AMP, Web filtering, etc.)

The Licence(s) will be emailed to you open them in a text editor and copy the text of each licence. You can see I’ve indicated below what you should be copying.

Paste that into the ASDM > Submit Licence.

It should say success, if it fails you’ve pasted to much text, or there’s a problem with the licence.

Review you licences, here Ive added AMP and web filtering but Ive yet to add the control licence. If you don’t add the control licence then when you try and edit the access control policy it will say you need a PROTECTION LICENCE (confusingly!)

FirePOWER Services Setup IPS

Disclaimer: These settings, (and allotters below,) are to get you up and running, As with any security device, you need to tune settings accordingly. Please don’t follow these instructions, then email me with complaints that you been attacked by ISIS/Scammers/Bots etc.

You get an IPS/IDS Licence with any of the subscription based licences, its less hassle to set this up before the the access control policy. Configuration > ASA FirePOWER Configuration  > Policies > Intrusion Policy  > Create Policy > Give it a name > I tend to use ‘Balanced Security and connectivity’ look at the other options and choose whichever you prefer > Create and Edit Policy.

Give the policy a name > Commit changes (I accept all the defaults).

FirePOWER Services Enable Malware Inspection and Protection

Note: Obviously this needs you to have added an AMP Licence!

 Configuration > ASA FirePOWER Configuration  > Policies > Intrusion Policy  > Files > New File Policy > Give it a name > Store FirePOWER Changes.

Add new file rule > I add everything  > and Set it to ‘Block Malware’ > Store FirePOWER Changes.

“Store ASA FirePOWER Changes”.

Warning: Nothing will be inspected, until you add this file policy to an access control policy.

ASA FirePOWER Services Edit / Create Access Control Policy

I renamed the default policy, Note: Even though I’ve called it ‘Base-Access-Control-Policy’ you can only apply one policy, you just add different rules to the policy as required. Add Rule.

In Source Networks > Add in ‘Private Networks’ (See Warning Below).

Inspection Tab > Add in the IPS and file policy you created above (That’s why I’ve done it in this order).

I set it to log at the end of the connection  > Add.

“Store ASA FirePOWER Changes”.

FirePOWER Private Networks Warning

Private networks only cover RFC1918 addresses, if you LAN/DMZ etc subnets are different you should create a new Network object, then add the subnets for your network. If you do this, then substitute your network object every time I mention the Private Networks object.

Blocking a Particular URL with FirePOWER Services

Even if you don’t have a Web Filtering licence you can block particular URL’s here Im going to block access to Facebook.  Configuration > ASA FirePOWER Configuration  > Object Management > URL > Individual Objects > Add URL > Note Im adding http and https.

Then add a rule to your existing access control policy ABOVE the permit all rule, (they are processed like ACLS from the top down). Set the source network to your private subnets.

On the URLs tab add in your URL objects and set the action to block with reset, or Interactive block with reset if you want to let the users proceed to Facebook after a warning.

Note: If you have a Web filtering Licence you can select ‘Social Networking’ from the Categories tab, and that would also block Facebook, and Twitter etc.

ASA FirePOWER Services Commit and Deploy The Changes

FirePOWER services behaves the same on-box as it does when you use the SourceFIRE Appliance, you can make changes but nothing gets deployed until you commit the changes. If you have made a change then there will be a ‘Store ASA FirePOWER services button active. Then you need to select File > Deploy FirePOWER Changes.

Note: You will only see the Deploy option on SFR modules running 6.0.0 or newer.

Deploy.

Even now its not deployed, it takes a while, to see progress navigate to Monitoring > ASA FirePOWER Monitoring > Task Status > It will probably have a ‘running’ task.

Wait until the policy deployment says completed before testing.

Related Articles, References, Credits, or External Links

Originally Published 17/11/15

Thanks to Eli Davis for the feedback.

Cisco ASA 5506-X / 5508-X Restart the FirePOWER Service Module

Audi A6 – Luggage Compartment Fuse Box Location

KB ID 0001161

Problem

I know it’s not the usual site content, but PNL was born from my dislike of vendor documentation, and crappy documentation is not limited to the world of IT.

The 12v power socket in my A6 wasn’t working, this was probably because there was a 1p coin stuck in it that took a lot of fishing out, I assumed the fuse had blown, and put up with it for a while. When I finally got round to sorting it out today, I opened the ‘owners manual’, and looked for information on fuses and fuse box locations. Turns out I have three fuse box locations, one in either side of the dashboard, and one in the boot, (or trunk for our American visitors). It showed a zoomed in diagram of the fuse numbers and locations, and what each fuse was for, (which also turned out to be incorrect). What it didn’t say was where it was.

I rang the Audi Garage, no one was available, I rang another one, who was obviously doing what I had done and was Google searching it, (I could have saved him some time I’d spent an hour online). The best information I got was “it’s on the right hand side of the boot below the recess with the net over it”. This is true, but getting into it is another story.

Solution

On the right side of the boot is a recessed area with a small net over it see below, the net is held in place with a thick metal bar/rod, which will ‘pop out’ if you pull it and swing up through ninety degrees.

The two catches that hold the bar in place need to be removed, rotate them though ninety degrees anti clockwise, and you can withdraw them.

Now the base and rear of this recess are one piece that can be removed, (be careful the 12v socket shown above will come away also and is still connected, (that’s the wire you can see bottom right). The pink coloured fuse coveres will just ‘pop off’. The 20 Amp fuse, (indicated) is for the 12v power supply in the front center console (cigarette lighter). The 20 Amp fuse next to it is for the rear center console AND the boot 12V power supply.

Related Articles, References, Credits, or External Links

NA

GNS3 Update – Could Not Find a VM Named ‘GNS3 VM’

KB ID 0001160 

Problem

GNS3 had nagged me the last few times I tried to use it about upgrading, so I downloaded and installed the update and it stopped here;

Could not find a VM named ‘GNS3 VM’ is it imported in VMware or Virtualbox

I use both VMware Fusion and Virtualbox. But Virtualbox looks after all the VM’s I use in GNS3. Either way I did not know what I was looking for, and the download (and application folder) did not have a VM within it for me to import?

Solution

It turns out the link for the VM is on the GNS3version download page, (it redirects you  to another site).

Once you have it downloaded, you can import it into either Virtualbox, VMware Fusion or VMware Workstation.

Then you can select it, and progress.

Related Articles, References, Credits, or External Links

NA

FMC – AMP Malware Inspection

KB ID 0001159 

Problem

If you take a look in your SourceFire dashboard, and there is no data shown on the malware threat section like so;

Solution

The message is pretty descriptive, and it’s telling you exactly what you need to do. Now I’m making the assumption that you have added a valid AMP / Malware licence like so;

Policies > Access Control > Edit your access control policy > Then Edit the file policy.

Add in “Block Malware with Reset”.

You can test the rule is applying correctly by trying to download the eicar test infected files;

Then after a short time, you should start to see the malware threats window start to show some data.

Related Articles, References, Credits, or External Links

NA

Windows 10 – Installing IIS

KB ID 0001158 

Problem

I needed to get a web server up and running today, so I could upload some files into a firewall via http. I have a copy of Windows 10 running on my mac in VMware fusion, so that’s what I thought I would use.

Solution

Open a command window and run appwiz.cpl > Turn Windows features on or off > Internet Information Services > OK > Follow the instructions.

Now to test,  open a browser window and navigate to http://localhost. You should see the IIS welcome page.

Windows IIS Add A File Extension For ‘Download’

I needed to download a file with a .SPA exntention, this didn’t work, because I needed to add that file extension for download. Open IIS Management console > Expand {server-name} > Sites  > Default Web Site > MIME Types > Add > Type in the file extension > Set the MIME Type to application/octet-stream  > OK.

Normally the files I needs are in .BIN format, but this file extension is already included by default.

Related Articles, References, Credits, or External Links

NA

Mac OSX and Linux – Quick and Dirty Web Server

KB ID 0001157 

Problem

I was clearing out some old emails yesterday, and saw one my colleague Steve had sent me. It was info on how to fire up a quick web server on your mac. It wasn’t until I took a look at it, I realised how handy it was.

After some reading, I found that it was not only possible on a mac, but on other flavours of Linux as well, (as long as they support ‘python’ and have it loaded).

WHAT USE IS THAT? What if you want to send a large file to a colleague? Yes you could use USB drives or dropbox, but executing one command is a lot quicker. Or what if you are on a site where everything is locked down, and only a few ports are open but you need to get a file somewhere, do a quick nmap scan and you can download your files over a different port.

Solution

First open a terminal window, then navigate to the folder you want to ‘serve’. Then simply execute the following command;

[box]

python -m SimpleHTTPServer 8080

[/box]

Note: Where TCP port 8080 is the port you want to use.
Then simply browse to https://{Your-IP-Address}:8080

BE AWARE: You shouldn’t see a problem if you use any port ABOVE 1024, however if you chose a lower port, you may see ‘Permission Denied’ errors.

To address that ‘sudo’ the command, (unless you are logged into Linux as root!)

Related Articles, References, Credits, or External Links

NA

AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 2)

KB ID 0001156 

Problem

Carrying on from PART 1

Solution

Add  > Create Before.

Edit the Policy

Giv the policy set a name and description > Create a new condition.

Set Description to Device Type.

Equals > All Device Types (The Device Group You Created Above).

Add attribute value.

Set Description to RADIUS.

NAS-Port-Type-[61].

Equals  > Virtual.

Edit the Authentication Policy.

Change the identity source to the the identity source sequence you created above.

Authorisation Policy > Insert New Rule Above.

Give it a Name i.e. VPN-ADMIN-RULE > Create New Condition.

Set Description to your Active Directory.

External Groups.

Select your AD group (VPN-Admins).

Set Permissions to Standard.

Select your VPN-Admins authorisation profile.

Add another rule (directly below) of your VPN-Users and set this one to use the user profile.

Add a further rule (below that) for your LOCAL admin in the ISE database.

Set User Identity Groups to VPN-Admins.

Note: this is the LOCAL group in ISE, NOT the domain security group.

Again use the admin authorisation profile.

Finally you need to change the ‘Default’ rule to ‘Deny Access’, (or they will just hit the default allow and get in anyway!)

Now you can test.

Related Articles, References, Credits, or External Links

AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 1)

AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 1)

KB ID 0001155

Problem

To be honest it’s probably a LOT easier to do this with Dynamic Access Policies, but hey, if you have ISE then why not use it for RADIUS, and let it deploy downloadable ACL’s to your remote clients and give them different levels of access, based on their group membership.

I’m going to keep things simple, I will have a group for admins that can access anything, and a group for users that can only RDP to internal servers.

I always assume things will break, so I’m also going to create a local user on the ISE deployment, so if Active Directory is down I will have a user account I can use to gain full access in the event of an emergency.

Solution

In production you will have plenty of users, but to test Im going to create a test user, and a test admin user.

Then put those users in an appropriate Active Directory security group, (here I’m using VPN-Users and VPN-Admins).

Now you will also need a ‘Tunnel-Group and a matching Group-Policy on the ASA to map the user groups to. That way, when a user connects they can pick the appropriate tunnel group like so;

So what I’ve done is setup AnyConnect and configured it properly, (see article below) then I’ve simply ‘cloned‘ the tunnel group, and group policy to create a VPN-ADMIN and VPN-USERS tunnel-group ,and  a group-policy. So my ASA config is as follows;

[box]

1. Show run ip local pool

Petes-ASA# show run ip local pool
ip local pool ANYCONNECT-POOL 192.168.101.1-192.168.101.254 mask 255.255.255.0
Petes-ASA# 

2. Show Group-Policy

Petes-ASA# show run group-policy
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 wins-server none
 dns-server value 192.168.100.10
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value PNL-Profile type user
group-policy VPN-ADMINS internal
group-policy VPN-ADMINS attributes
 wins-server none
 dns-server value 192.168.100.10
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value PNL-Profile type user
group-policy VPN-USERS internal
group-policy VPN-USERS attributes
 wins-server none
 dns-server value 192.168.100.10
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value PNL-Profile type user
Petes-ASA#  

Show Tunnel Groups

Petes-ASA# show run tunnel
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable
tunnel-group VPN-ADMINS type remote-access
tunnel-group VPN-ADMINS general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy VPN-ADMINS
tunnel-group VPN-ADMINS webvpn-attributes
 group-alias VPN-ADMINS enable
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy VPN-USERS
tunnel-group VPN-USERS webvpn-attributes
 group-alias VPN-USERS enable
Petes-ASA# 

[/box]

Create a Local Admin Group in Cisco ISE

On your Cisco ISE Deployment > Identity Management > Groups > Add.

Give the group a name and optional description > Save.

To create an admin user > Administration > Identity Management > Identities > Add.

Create the new admin user > set the password > add the user to the group you create above.

Adding Domain Groups To Cisco ISE

I’m assuming you have joined ISE toActive Directory > To check Administration > Identity Management > External Identity Sources > Ensure the domain is joined and operational.

Groups > Add.

Locate and add the groups you created above.

Add An Active Directory Identity Source Sequence

We need to authenticate against our AD, but we want it to fail back to the ISE local database, (for our local admin). To do that we use and identity source sequence. Administration > Identity Management > Identity Source Sequence > Add.

Give the sequence a name and add your AD and Internal Users.

MAKE SURE you select ‘Treat as if the user was not found and proceed to the next store in the sequence’ > Submit.

Add Cisco ASA to Cisco ISE as a RADIUS Device.

Administration > Network Resources  > Network Device Groups > All Device Types > Add.

Add a device GROUP for your ASA(s) > Submit.

Administration > Network Resources  > Network Devices > Add.

Add in the ASA > Provide its IP address, and add it to the group you created above > Set a RADIUS Shared Secret > Submit.

The shared secret must be the same on the ASA in the AAA config, like so;

[box]

Petes-ASA(config)# aaa-server Cisco-ISE protocol radius
Petes-ASA(config-aaa-server-group)# aaa-server Cisco-ISE host 192.168.100.11
Petes-ASA(config-aaa-server-host)# key 123456
Petes-ASA(config-aaa-server-host)# radius-common-pw 123456 
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)# 

[/box]

Cisco ISE Create Downloadable Access Control Lists DACL

Policy > Policy Elements > Results > Authorisation > Downloadable ACL’s > Add.

Create an ACL for our VPN-USER group, that will only allow RDP (TCP 3389) > Submit.

Repeat the process to create an ACL that allows everything, (for our VPN-ADMINS) > Submit.

Cisco ISE Create Authorisation Profiles

Policy > Policy Elements > Results > Authorisation > Authorisation Profiles > Add.

Create a profile for VPN-ADMINS > Set the correct DACL.

Set the advanced attributes > Change to RADIUS.

Class-25

Set the OU to equal the group-policy that you want the ASA to apply > Submit.

Create another profile for your VPN-USERS > Set the correct ACL.

RADIUS > Class-25 > OU set to the group-policy on your ASA for the normal users > Submit.

Cisco ISE Enable Policy Sets

Note: only available on newer versions of ISE: Administration > System > Settings > Policy Sets > Enabled > Submit.

Policy > Policy Sets  > Add.

Continue to PART TWO

Related Articles, References, Credits, or External Links

AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 2)

Cisco ASA 5500 AnyConnect Setup From Command Line

NTP Stratum 1 and Stratum 2 UK Time Servers

KB ID 0001154 

Problem

There are a LOT of NTP servers lists published. I’ve sat and checked all the servers below, and their DNS resolution, and they are correct as at the date above.

Solution

Stratum 1

Hostname

IP Address Resolvable By

Location

chronos.csr.net 194.35.252.7 DNS Cambridge

Stratum 2

Hostname

IP Address Resolvable By

Location

0.uk.pool.ntp.org

109.74.206.120

176.58.109.199

94.125.129.7

5.77.45.219

DNS Various
1.uk.pool.ntp.org 93.93.131.118
185.53.93.157
158.43.128.33
134.0.16.1
DNS Various
2.uk.pool.ntp.org 5.77.45.219
82.219.4.30
176.58.109.199
85.119.80.232
DNS Various
3.uk.pool.ntp.org 149.18.38.230
176.126.242.239
91.212.90.20
188.114.116.1
DNS Various
ntp.plus.net 212.159.13.50
212.159.6.9
212.159.6.10
212.159.13.49
DNS Various
ntp.first2know.net 90.155.48.164 DNS Edinburgh
ntp2a.mcc.ac.uk 130.88.202.49 DNS Manchester
ncl.ac.uk 128.240.233.197 DNS Newcastle
ntp2b.mcc.ac.uk. 130.88.200.4 DNS Manchester
ntp2c.mcc.ac.uk 130.88.200.6 DNS Manchester
ntp2d.mcc.ac.uk 130.88.212.143 DNS Manchester
ntp.exnet.com 79.135.97.70 DNS London
ntp.cis.strath.ac.uk

130.159.196.117

130.159.196.118

DNS Strathclyde
ntppub.le.ac.uk

143.210.16.201

2001:630:306:10::c

DNS Leicester

 

Related Articles, References, Credits, or External Links

UK – Internet Service Provider – DNS Server Addresses

VMware – Setting up ESX NTP Time Sync

Cisco ASA – Configuring for NTP