Cisco ASA – Adding New Networks to Existing VPNs

KB ID 0001240

Problem

Note: To add new subnets to an AnyConnect Remote Access VPN, see the following article instead;

Cisco ASA – Adding New Networks to AnyConnect VPNs

I see this asked in forums A LOT, so I thought I’d get around to writing it up. If you have an existing VPN to a remote site and then need to add another network, how do you do it?

Well, that depends on where the new network is and how it’s entering the firewall. These diagrams can be either way round, but the new network will either be coming into the ASA on the same interface (i.e. you’ve spun up a new network for phones, or a new department, etc.), or the traffic will be coming into the ASA through a different interface (like a DMZ, or a partner network).

Note: The process for adding the new network is the same for both, BUT the interface the new traffic is coming in on changes your NAT command.

Solution

Option A: New Network is on a Different Interface

Let’s flesh our diagram out a bit, to make things easier to explain;

Tasks on ASA-1

  • Locate the ACL that’s handling the site to site VPN and add the new network to it.
  • Locate the NAT Exemption for the site to site VPN and add a new one for the new interface.

Locate the ACL that’s handling the VPN: This will be declared in the crypto map that points to the other ASA (203.0.113.100)

[box]

ASA-1# show run crypto map
crypto map PNL-MAP 1 match address VPN-BACKUP-TRAFFIC
crypto map PNL-MAP 1 set pfs
crypto map PNL-MAP 1 set peer 123.123.123.123
crypto map PNL-MAP 1 set ikev1 transform-set ESP-AES-128-SHA 
crypto map PNL-MAP 1 set security-association lifetime kilobytes unlimited
crypto map PNL-MAP 2 match address VPN-INTERESTING-TRAFFIC
crypto map PNL-MAP 2 set pfs
crypto map PNL-MAP 2 set peer 203.0.113.100
crypto map PNL-MAP 2 set ikev1 transform-set VPN-TRANSFORM
crypto map PNL-MAP interface outside

[/box]

From the output above we can see that the ACL for this VPN is called VPN-INTERESTING-TRAFFIC; yours will probably have a less friendly name. Let’s see what that’s doing.

[box]

ASA-1# show run access-list VPN-INTERESTING-TRAFFIC
access-list VPN-INTERESTING-TRAFFIC extended permit ip object Obj-Local-LAN object Obj-Remote-LAN

[/box]

Again I’ve got nice neat groups, yours may simply have the networks listed, let’s check those objects marry up with the subnets we expect.

[box]

ASA-1# show run object id Obj-Local-LAN
object network Obj-Local-LAN
 subnet 192.168.1.0 255.255.255.0
ASA-1# show run object id Obj-Remote-LAN
object network Obj-Remote-LAN
 subnet 192.168.2.0 255.255.255.0

[/box]

So now create an object for the new network and add it to the existing ACL.

[box]

ASA-1# configure terminal
ASA-1(config)# object network Obj-DMZ-LAN
ASA-1(config-network-object)# subnet 172.16.0.0 255.255.0.0
ASA-1(config-network-object)# access-list VPN-INTERESTING-TRAFFIC extended permit ip object Obj-DMZ-LAN object Obj-Remote-LAN

[/box]

Now just the NAT exemption to do; let’s find the existing one:

[box]

ASA-1(config)# show run nat
nat (inside,outside) source static any any destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup
!
object network Server
 nat (inside,outside) static interface service tcp 3389 3389
!
object network OBJ-ANY
 nat (inside,outside) dynamic interface

[/box]

Now, as this traffic is actually coming through the DMZ interface (not the inside interface), we add our new object in and exempt it from NAT like so:

[box]

ASA-1(config)# nat (DMZ,outside) source static Obj-DMZ-LAN Obj-DMZ-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup

[/box]

Tasks on ASA-2

  • Locate the ACL that’s handling the site to site VPN and add the new network to it.
  • Locate the NAT Exemption for the site to site VPN and add the new network to it.

Locate the ACL that’s handling the VPN: This will be declared in the crypto map that points to the other ASA (203.0.113.1)

[box]

ASA-2# show run crypto map
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 203.0.113.1
crypto map outside_map 1 set ikev1 transform-set VPN-TRANSFORM
crypto map outside_map interface outside

[/box]

From the output above we can see that the ACL for this VPN is called outside_cryptomap_1. Let’s see what that’s doing.

[box]

ASA-2# show run access-list outside_cryptomap_1
access-list outside_cryptomap_1 extended permit ip object Obj-Local-LAN object Obj-Remote-LAN

[/box]

I’ve got nice neat groups; yours may simply have the networks listed. Let’s check those objects marry up with the subnets we expect.

[box]

ASA-2# show run object id Obj-Local-LAN
object network Obj-Local-LAN
 subnet 192.168.2.0 255.255.255.0
ASA-2# show run object id Obj-Remote-LAN
object network Obj-Remote-LAN
 subnet 192.168.1.0 255.255.255.0

[/box]

So now create an object for the new network and add it to the existing ACL.

[box]

ASA-2# configure terminal
ASA-2(config)# object network Obj-DMZ-LAN
ASA-2(config-network-object)# subnet 172.16.0.0 255.255.0.0
ASA-2(config-network-object)# access-list outside_cryptomap_1 extended permit ip object Obj-Local-LAN object Obj-DMZ-LAN

[/box]

Now just the NAT exemption to do; let’s find the existing one:

[box]

ASA-2(config)# show run nat
nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup
!
object network Obj-ANY
 nat (inside,outside) dynamic interface

[/box]

Now simply add the new object we created above as an extra NAT exemption.

[box]

ASA-2(config)# nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-DMZ-LAN Obj-DMZ-LAN no-proxy-arp route-lookup

[/box]

DON’T FORGET to save the config on both firewalls with a ‘write mem’ command!

 

Option B: New Network is on the Same Interface

Let’s flesh our diagram out a bit, to make things easier to explain;

 

Tasks on ASA-1

  • Locate the ACL that’s handling the site to site VPN and add the new network to it.
  • Locate the NAT Exemption for the site to site VPN and add the new network to it.

Locate the ACL that’s handling the VPN: This will be declared in the crypto map that points to the other ASA (203.0.113.100)

[box]

ASA-1# show run crypto map
crypto map PNL-MAP 1 match address VPN-BACKUP-TRAFFIC
crypto map PNL-MAP 1 set pfs
crypto map PNL-MAP 1 set peer 123.123.123.123
crypto map PNL-MAP 1 set ikev1 transform-set ESP-AES-128-SHA 
crypto map PNL-MAP 1 set security-association lifetime kilobytes unlimited
crypto map PNL-MAP 2 match address VPN-INTERESTING-TRAFFIC
crypto map PNL-MAP 2 set pfs
crypto map PNL-MAP 2 set peer 203.0.113.100
crypto map PNL-MAP 2 set ikev1 transform-set VPN-TRANSFORM
crypto map PNL-MAP interface outside

[/box]

From the output above we can see that the ACL for this VPN is called VPN-INTERESTING-TRAFFIC; yours will probably have a less friendly name. Let’s see what that’s doing.

[box]

ASA-1# show run access-list VPN-INTERESTING-TRAFFIC
access-list VPN-INTERESTING-TRAFFIC extended permit ip object Obj-Local-LAN object Obj-Remote-LAN

[/box]

Again, I’ve got nice neat groups; yours may simply have the networks listed. Let’s check those objects marry up with the subnets we expect.

[box]

ASA-1# show run object id Obj-Local-LAN
object network Obj-Local-LAN
 subnet 192.168.1.0 255.255.255.0
ASA-1# show run object id Obj-Remote-LAN
object network Obj-Remote-LAN
 subnet 192.168.2.0 255.255.255.0

[/box]

So now create an object for the new network and add it to the existing ACL.

[box]

ASA-1# configure terminal
ASA-1(config)# object network Obj-Local-LAN-2
ASA-1(config-network-object)# subnet 172.16.0.0 255.255.0.0
ASA-1(config-network-object)# access-list VPN-INTERESTING-TRAFFIC extended permit ip object Obj-Local-LAN-2 object Obj-Remote-LAN

[/box]

Now just the NAT exemption to do; let’s find the existing one:

[box]

ASA-1(config)# show run nat
nat (inside,outside) source static any any destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup
!
object network Server
 nat (inside,outside) static interface service tcp 3389 3389
!
object network OBJ-ANY
 nat (inside,outside) dynamic interface

[/box]

Now add the new subnet in as an additional NAT exemption.

[box]

ASA-1(config)# nat (inside,outside) source static Obj-Local-LAN-2 Obj-Local-LAN-2 destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup

[/box]

Tasks on ASA-2

  • Locate the ACL that’s handling the site to site VPN and add the new network to it.
  • Locate the NAT Exemption for the site to site VPN and add the new network to it.

Locate the ACL that’s handling the VPN: This will be declared in the crypto map that points to the other ASA (203.0.113.1)

[box]

ASA-2# show run crypto map
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 203.0.113.1
crypto map outside_map 1 set ikev1 transform-set VPN-TRANSFORM
crypto map outside_map interface outside

[/box]

From the output above we can see that the ACL for this VPN is called outside_cryptomap_1. Let’s see what that’s doing.

[box]

ASA-2# show run access-list outside_cryptomap_1
access-list outside_cryptomap_1 extended permit ip object Obj-Local-LAN object Obj-Remote-LAN

[/box]

I’ve got nice neat groups, yours may simply have the networks listed, let’s check those objects marry up with the subnets we expect.

[box]

ASA-2# show run object id Obj-Local-LAN
object network Obj-Local-LAN
 subnet 192.168.2.0 255.255.255.0
ASA-2# show run object id Obj-Remote-LAN
object network Obj-Remote-LAN
 subnet 192.168.1.0 255.255.255.0

[/box]

So now create an object for the new network and add it to the existing ACL.

[box]

ASA-2# configure terminal
ASA-2(config)# object network Obj-Remote-LAN-2
ASA-2(config-network-object)# subnet 172.16.0.0 255.255.0.0
ASA-2(config-network-object)# access-list outside_cryptomap_1 extended permit ip object Obj-Local-LAN object Obj-Remote-LAN-2

[/box]

Now just the NAT exemption to do; let’s find the existing one:

[box]

ASA-2(config)# show run nat
nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup
!
object network Obj-ANY
 nat (inside,outside) dynamic interface

[/box]

Now simply add the new object we created above as an extra NAT exemption.

[box]

ASA-2(config)# nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN-2 Obj-Remote-LAN-2 no-proxy-arp route-lookup

[/box]

DON’T FORGET to save the config on both firewalls with a ‘write mem’ command!
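Both options boil down to the same two checks on each ASA (a crypto ACL entry and an identity NAT exemption for the new pair) plus the two sides mirroring each other. The Python script below is an added example, not part of the original article: it parses the relevant ‘show run’ lines (network objects, crypto ACL, twice-NAT rules, crypto map) and reports whether a local/remote subnet pair is selected by the crypto ACL for a peer, which interface carries a NAT exemption for it, and which ACL entries the other ASA fails to mirror. The config text is constructed from Option A; ASA_2_CONFIG is assumed to be in the state before its extra NAT exemption was added, so that check fails.

```python
"""Check that a subnet pair is covered by an ASA site-to-site VPN on both peers.

Added example, not from the original article. It parses 'show run' lines for network
objects, the crypto ACL, twice-NAT rules and the crypto map, then checks what the
article walks through: crypto ACL entry, identity NAT exemption, mirror entry on the
other ASA. The config text below is constructed from Option A above."""
import ipaddress
import re

RE_OBJECT = re.compile(r"^object network (\S+)$")
RE_SUBNET = re.compile(r"^\s+subnet (\S+) (\S+)$")
RE_ACE = re.compile(r"^access-list (\S+) extended permit ip object (\S+) object (\S+)$")
RE_NAT = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
RE_MAP_ACL = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
RE_MAP_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")

# ASA-1 after Option A: DMZ object in the crypto ACL and NAT-exempted on the DMZ interface
ASA_1_CONFIG = """\
object network Obj-Local-LAN
 subnet 192.168.1.0 255.255.255.0
object network Obj-Remote-LAN
 subnet 192.168.2.0 255.255.255.0
object network Obj-DMZ-LAN
 subnet 172.16.0.0 255.255.0.0
access-list VPN-INTERESTING-TRAFFIC extended permit ip object Obj-Local-LAN object Obj-Remote-LAN
access-list VPN-INTERESTING-TRAFFIC extended permit ip object Obj-DMZ-LAN object Obj-Remote-LAN
nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup
nat (DMZ,outside) source static Obj-DMZ-LAN Obj-DMZ-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup
crypto map PNL-MAP 2 match address VPN-INTERESTING-TRAFFIC
crypto map PNL-MAP 2 set peer 203.0.113.100
"""
# ASA-2 with the ACL updated but (assumed) the extra NAT exemption not yet added
ASA_2_CONFIG = """\
object network Obj-Local-LAN
 subnet 192.168.2.0 255.255.255.0
object network Obj-Remote-LAN
 subnet 192.168.1.0 255.255.255.0
object network Obj-DMZ-LAN
 subnet 172.16.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip object Obj-Local-LAN object Obj-Remote-LAN
access-list outside_cryptomap_1 extended permit ip object Obj-Local-LAN object Obj-DMZ-LAN
nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 203.0.113.1
"""

def parse_asa(text):
    """Collect objects, crypto ACL entries, NAT exemptions and the peer -> ACL mapping."""
    cfg = {"objects": {}, "aces": [], "nat": [], "peers": {}}
    map_acl = {}    # (crypto map name, sequence) -> ACL name
    current = None  # 'object network' whose subnet line we are expecting
    for line in text.splitlines():
        if not line.startswith(" "):
            current = None
        if m := RE_OBJECT.match(line):
            current = m.group(1)
        elif (m := RE_SUBNET.match(line)) and current:
            cfg["objects"][current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := RE_ACE.match(line):
            cfg["aces"].append((m.group(1), m.group(2), m.group(3)))
        elif m := RE_NAT.match(line):
            if m.group(3) == m.group(4) and m.group(5) == m.group(6):  # identity rule = exemption
                cfg["nat"].append((m.group(1), m.group(3), m.group(5)))
        elif m := RE_MAP_ACL.match(line):
            map_acl[(m.group(1), m.group(2))] = m.group(3)
        elif m := RE_MAP_PEER.match(line):  # 'match address' precedes 'set peer' in show run
            cfg["peers"][m.group(3)] = map_acl.get((m.group(1), m.group(2)))
    return cfg

def covers(cfg, name, wanted):
    """True when object `name` is defined (or is 'any') and contains network `wanted`."""
    n = ipaddress.ip_network("0.0.0.0/0") if name == "any" else cfg["objects"].get(name)
    return n is not None and n.supernet_of(wanted)

def check_coverage(cfg, peer, local, remote):
    """Is local -> remote traffic to `peer` selected by its crypto ACL and NAT-exempt?"""
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    acl = cfg["peers"].get(peer)
    in_acl = any(a == acl and covers(cfg, s, local) and covers(cfg, d, remote)
                 for a, s, d in cfg["aces"])
    exempt_on = sorted({i for i, s, d in cfg["nat"]
                        if covers(cfg, s, local) and covers(cfg, d, remote)})
    return {"crypto_acl": acl, "in_acl": in_acl, "nat_exempt_on": exempt_on}

def mirror_gaps(cfg_a, peer_a, cfg_b, peer_b):
    """Entries in A's crypto ACL that B's crypto ACL does not mirror (src/dst swapped)."""
    def pairs(cfg, peer):
        acl = cfg["peers"].get(peer)
        return {(cfg["objects"].get(s), cfg["objects"].get(d))
                for a, s, d in cfg["aces"] if a == acl}
    b = pairs(cfg_b, peer_b)
    return sorted(f"{s} -> {d}" for s, d in pairs(cfg_a, peer_a) if (d, s) not in b)

if __name__ == "__main__":
    a1, a2 = parse_asa(ASA_1_CONFIG), parse_asa(ASA_2_CONFIG)
    print("ASA-1:", check_coverage(a1, "203.0.113.100", "172.16.0.0/16", "192.168.2.0/24"))
    print("ASA-2:", check_coverage(a2, "203.0.113.1", "192.168.2.0/24", "172.16.0.0/16"))
    print("Not mirrored on ASA-2:", mirror_gaps(a1, "203.0.113.100", a2, "203.0.113.1"))
```

Run it against the pasted output of ‘show run object’, ‘show run access-list’, ‘show run nat’ and ‘show run crypto map’ from each firewall; an empty nat_exempt_on list is the classic "ACL is right but the tunnel still doesn't pass traffic" symptom.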

Related Articles, References, Credits, or External Links

NA

Cisco VPN – Split Tunnel Not Working?

KB ID 0001239

Problem

Here I’m dealing with AnyConnect VPNs, but the principles are exactly the same for both remote IPSEC and L2TP VPNs. You connect to your VPN and can no longer browse the internet from your remote location. 

You can confirm whether split-tunnelling is working by connecting with your VPN client and looking at the routing information.

Solution

Before proceeding, are you sure split-tunnelling has ever been set up and configured? See the following article.

Cisco ASA – Enable Split Tunnel for IPSEC / SSLVPN / AnyConnect Clients

For Split Tunnelling to work you need;

  • An Access Control List, allowing the networks/IP’s that are protected by your ASA, that you need to access over the VPN.
  • A Group-policy that references the access-list above.
  • A Tunnel Group that references the Group-policy above.

The lines get a bit blurred if you are in the ASDM; in there the terminology is access control list, group-policy, and connection profile.

Troubleshoot Split Tunnel From CLI

Connect and authenticate an AnyConnect client. Then on the firewall run the following command.

[box]

Petes-ASA# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : petelong               Index        : 4
Assigned IP  : 172.16.1.1             Public IP    : 192.168.100.77
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 14128                  Bytes Rx     : 12305
Group Policy : GroupPolicy_ANYCONNECT-PROFILE
Tunnel Group : ANYCONNECT-PROFILE
Login Time   : 12:49:31 GMT/BST Mon Sep 19 2016
Duration     : 0h:01m:03s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a86e010000400057dfd0cb
Security Grp : none

Petes-ASA#

[/box]

From the output above, we know the name of the Group Policy and the Tunnel Group. The fact that we can see BOTH is an indication that the tunnel group is set up correctly, but it does no harm to check.

[box]

Petes-ASA# show run tunnel-group ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable
Petes-ASA#

[/box]

Then check that the group-policy has split tunnelling enabled and references the correct access control list.

[box]

Petes-ASA# show run group-policy GroupPolicy_ANYCONNECT-PROFILE
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 wins-server none
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value testbench type user
Petes-ASA#

[/box]

Finally take the ACL name (SPLIT-TUNNEL) and make sure that’s OK.

[box]

Petes-ASA# show run access-list SPLIT-TUNNEL
access-list SPLIT-TUNNEL standard permit 192.168.110.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.115.0 255.255.255.0

[/box]
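The same chain (session, tunnel-group, group-policy, ACL) can be walked automatically over captured output. Added example, not from the article: a Python audit that takes the tunnel group from ‘show vpn-sessiondb anyconnect’ output, follows it to the group-policy and split-tunnel ACL in the running config, and lists anything that would stop split tunnelling working. The inputs are constructed from the output above; BROKEN_CONFIG is an assumed variant with the policy left at tunnelall.

```python
"""Audit an AnyConnect split-tunnel chain from captured 'show' output.

Added example, not from the article: it takes the tunnel group from
'show vpn-sessiondb anyconnect', follows it to the group-policy and split-tunnel ACL
in the running config, and lists anything that would stop split tunnelling working.
Inputs are constructed from the output above; BROKEN_CONFIG is an assumed variant."""
import ipaddress
import re

RE_TUNNEL_GROUP = re.compile(r"^Tunnel Group\s*:\s*(\S+)", re.MULTILINE)
RE_STD_ACE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")

SESSION_OUTPUT = """\
Username     : petelong               Index        : 4
Assigned IP  : 172.16.1.1             Public IP    : 192.168.100.77
Group Policy : GroupPolicy_ANYCONNECT-PROFILE
Tunnel Group : ANYCONNECT-PROFILE
"""
GOOD_CONFIG = """\
access-list SPLIT-TUNNEL standard permit 192.168.110.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.115.0 255.255.255.0
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 webvpn
  anyconnect profiles value testbench type user
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
"""
# Assumed failure case: the policy left at tunnelall, so everything goes down the tunnel
BROKEN_CONFIG = GOOD_CONFIG.replace("split-tunnel-policy tunnelspecified",
                                    "split-tunnel-policy tunnelall")

def session_tunnel_group(show_sessiondb):
    """Tunnel group name from 'show vpn-sessiondb anyconnect' output, or None."""
    m = RE_TUNNEL_GROUP.search(show_sessiondb)
    return m.group(1) if m else None

def stanza(config, header):
    """Indented lines that follow the exact config line `header` (empty if absent)."""
    lines, found = [], False
    for line in config.splitlines():
        if line == header:
            found = True
        elif found and line.startswith(" "):
            lines.append(line.strip())
        elif found:
            break
    return lines

def audit_split_tunnel(config, tunnel_group):
    """Walk tunnel-group -> group-policy -> ACL and collect problems found on the way."""
    r = {"tunnel_group": tunnel_group, "group_policy": None, "policy": None,
         "acl": None, "networks": [], "problems": []}
    tg = stanza(config, f"tunnel-group {tunnel_group} general-attributes")
    gp = [l.split()[-1] for l in tg if l.startswith("default-group-policy ")]
    if not gp:
        r["problems"].append("tunnel-group missing or has no default-group-policy")
        return r
    r["group_policy"] = gp[0]
    for l in stanza(config, f"group-policy {gp[0]} attributes"):
        if l.startswith("split-tunnel-policy "):
            r["policy"] = l.split()[-1]
        elif l.startswith("split-tunnel-network-list value "):
            r["acl"] = l.split()[-1]
    if r["policy"] not in ("tunnelspecified", "excludespecified"):
        r["problems"].append(f"split-tunnel-policy is {r['policy'] or 'not set here (inherited)'}; "
                             "expected tunnelspecified")
    if r["acl"] is None:
        r["problems"].append("no split-tunnel-network-list value is referenced")
        return r
    for line in config.splitlines():
        m = RE_STD_ACE.match(line)
        if m and m.group(1) == r["acl"]:
            r["networks"].append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
    if not r["networks"]:
        r["problems"].append(f"ACL {r['acl']} has no standard permit entries (or is missing)")
    return r

if __name__ == "__main__":
    tg = session_tunnel_group(SESSION_OUTPUT)
    for name, cfg in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, audit_split_tunnel(cfg, tg))
```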

Troubleshoot Split Tunnel From ASDM

As above, connect a remote AnyConnect client, then go to Monitoring > VPN > VPN Statistics > Sessions > AnyConnect Client > Select your connected client > Details.

Note: The info we actually want is shown on this screen, but let’s look at the session anyway.

Now you can see the Group Policy and Connection Profile that’s been applied to this user.

Configuration > Remote Access VPN > AnyConnect Connection Profiles > Select the one shown above > Edit.

Check the Group-Policy is correct. (Note: You can manage it directly from here, but I will take the long way round.)

Configuration > Remote Access VPN > Network (Client Access) > Group Policies > Select the one shown above > Edit.

Advanced > Split Tunneling > Ensure Policy is ‘unticked’ and set to ‘Tunnel Network List Below’ > Ensure Network List is ‘unticked’ and set to the name of your split tunnel ACL > Manage.

Make sure the network(s) or IP addresses behind your ASA, that you want to access over the VPN, are listed.

 

Related Articles, References, Credits, or External Links

Cisco ASA – Enable Split Tunnel for IPSEC / SSLVPN / AnyConnect Clients

Cisco ASA – Remote VPN Client Internet Access

Changing Domain Users’ ‘User Logon Names’ and UPN’s

KB ID 0001238

Problem

Changing a user’s UPN suffix is easy (as long as it’s been added – see below). There is some confusion about the User Logon Name though.

 

A few weeks ago I had a client that needed this done (for an Office 365 migration). But they had the added problem that some of their User Logon Names had spaces in them; they were in first-name{space}last-name format.

What would happen if I changed their user logon names? Would they have to use a different logon name? Would their profile break? Or worse still, would they all lose their roaming profiles?

Solution

Adding A New UPN Suffix

Before you can add a new UPN suffix you need to make it available in the domain. Administrative Tools > Active Directory Domains and Trusts > Right Click ‘Active Directory Domains and Trusts’ > Properties > Add the new Suffix > Apply > OK.

From this point forward you can add that as a new suffix for any/all users.

The Effect of Changing a User Logon Name

Using the same user as above, I’ve changed the ‘User Logon Name’, and added the new UPN Suffix to test.

How Does Changing a User Logon Name Affect Profile and Home Drive Paths?

Put simply, it does not! To prove it I did some testing. This user’s profile and home drive path are set on the ‘Profile’ tab of their user object.

It remains the same after the User Logon Name changes. When these users were set up, the profile paths and home drive paths were all set en masse, by selecting multiple users and setting the path to \\server-name\folder-name\%username%; that fills in each ‘username’ with the sAMAccountName, and that has not changed.

Does the User Have to Change their Logon Name?

Confusingly, users don’t usually log on with their User Logon Name (though they can if they want to). All the way back to NT4 we have logged on with the DOMAIN-NAME\USER-NAME format, which uses the sAMAccountName, NOT the User Logon Name. If you look at the very first picture at the top of the page you can see it below the UPN; it’s called the User logon name (pre-Windows 2000). You may not even have noticed, but on Windows 10 they put this right in your face on the logon screen.

What’s the Point of a UPN Then?

You can actually authenticate and log on with your UPN (see below).

This logs on as the user in the example above with the correct profile, group membership, etc., though it’s not common practice to log on with a UPN. Microsoft now have a very BAD HABIT of telling users (and putting in their documentation) to ‘Log on with your Email Address’. This is wrong: you are actually logging on with your UPN; Microsoft are making the assumption that your email and UPN are the same. This is why blogs and forums are full of scripts to change your UPN so that it matches your email address. They assume (usually quite rightly) that if you tell users to log on with their UPN they will be confused and not know what that is. So rather than address this problem, they tell users to log on with their email addresses. That’s the real reason we are talking about changing UPNs, and probably why you’re here in the first place.

Some Users Don’t Have UPN’s?

This is normal, don’t panic: a user does not have to have a UPN. If you are seeing blank entries, that user was probably migrated via a script or tool into your AD, or simply was migrated from an older version of AD as part of a domain upgrade.

So Nothing Broke?

No, the local cached copy of the profile is still named the same as the sAMAccountName;

And the roaming profile and home drive also stayed the same;

WARNING: Just so I don’t do the same thing Microsoft did and ‘make an assumption’: where changing the User Logon Names would affect you is if users were already logging into their machines with their UPN. Then they would need to change their login names to the new UPN (or use the pre-Windows 2000 login name). But I’ve never seen a user log on with a UPN; the only time I’ve ever logged onto something with a UPN is when I can’t type a backslash to log on as DOMAIN\Username (I use a Mac).

Remove Spaces From User Logon Names

Seriously, who does this? I don’t even like spaces in folder names! Below is a PowerShell script that will search through AD, find users with a space in the middle of their logon name, and replace the logon name with firstname.lastname.

Change the search base OU and the domain suffix to suit your domain.

[box]

Import-Module ActiveDirectory
# Find users under the given OU whose UPN (User Logon Name) contains a space,
# and rewrite each one as GivenName.Surname@pnl.com (change the OU and suffix to suit).
Get-ADUser -Filter "UserPrincipalName -like '* *'" -SearchBase 'OU=Test,DC=pnl,DC=com' | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -UserPrincipalName "$($_.GivenName).$($_.Surname)@pnl.com" }

[/box]

Note: If you have users with spaces in their GivenName or Surname attributes in AD this won’t work, i.e. if AD thinks a user’s first name is Juan Carlos and the surname is Rodriquez, then it would change the user logon name to ‘Juan Carlos.Rodriquez’, which is the very problem we are trying to fix! Also, the first name and surname fields in AD have to be populated, or you will see red errors.

Change UPN Suffix For All Users Script

In the script below I’ve targeted a specific OU, but you can change the $ou parameter to point at the root of the domain and do all users at once if you wish. Change the suffix, OU and server values to suit your domain.

[box]

Import-Module ActiveDirectory
# Old and new UPN suffixes, the OU to target (or the domain root), and the DC to write to.
$oldSuffix = "pnl.com"
$newSuffix = "petenetlive.com"
$ou = "OU=Test,DC=pnl,DC=com"
$server = "DC-01"
Get-ADUser -SearchBase $ou -filter * | ForEach-Object {
    # Swap the suffix in each user's UPN and write it back to the chosen DC
    $newUpn = $_.UserPrincipalName.Replace($oldSuffix,$newSuffix)
    $_ | Set-ADUser -server $server -UserPrincipalName $newUpn
}

[/box]
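Added example, not the article’s own code and independent of AD: a Python reference implementation of the two rename rules in the scripts above, handling the cases the note above warns about (spaces inside GivenName or Surname, empty name attributes) and a user with no UPN at all, which the .Replace() call in the second script would throw on. Skipping such users rather than renaming them, and only touching the part after the ‘@’, are this example’s own choices; USERS is a constructed sample of the attributes Get-ADUser returns.

```python
"""Reference logic for the two UPN rename scripts above (added example, not from the
article): build a GivenName.Surname UPN and swap a UPN suffix, skipping the cases the
article warns about instead of producing a bad name. USERS is a constructed sample."""

# Constructed sample of the attributes Get-ADUser returns for each user
USERS = [
    {"sam": "psmith", "given": "Pete", "surname": "Smith", "upn": "Pete Smith@pnl.com"},
    {"sam": "jrodriquez", "given": "Juan Carlos", "surname": "Rodriquez", "upn": "Juan Rodriquez@pnl.com"},
    {"sam": "svc-backup", "given": "", "surname": "Backup", "upn": "svc backup@pnl.com"},
    {"sam": "legacy", "given": "Old", "surname": "Timer", "upn": None},  # migrated user, no UPN
    {"sam": "aother", "given": "Ann", "surname": "Other", "upn": "ann.other@partner.example"},
]

def dotted_upn(given, surname, suffix):
    """'Given.Surname@suffix', or None when the rename must be skipped: an empty
    attribute would give '.Surname@suffix', and a space inside an attribute would just
    move the problem ('Juan Carlos.Rodriquez' still contains a space)."""
    given, surname = (given or "").strip(), (surname or "").strip()
    if not given or not surname or " " in given or " " in surname:
        return None
    return f"{given}.{surname}@{suffix}"

def swap_suffix(upn, old, new):
    """Replace the suffix after '@' only when it equals `old` (case-insensitive).
    Other suffixes are returned unchanged; a blank UPN returns None instead of
    raising, which is what a method call on a null value would do."""
    if not upn or "@" not in upn:
        return None
    local, _, domain = upn.rpartition("@")
    return f"{local}@{new}" if domain.lower() == old.lower() else upn

def plan_space_fix(users, suffix):
    """Users matching the first script's filter (a space in the UPN) -> new UPN or None."""
    return {u["sam"]: dotted_upn(u["given"], u["surname"], suffix)
            for u in users if u["upn"] and " " in u["upn"]}

def plan_suffix_change(users, old, new):
    """Every user's UPN after the second script's suffix swap (None where there is no UPN)."""
    return {u["sam"]: swap_suffix(u["upn"], old, new) for u in users}

if __name__ == "__main__":
    print(plan_space_fix(USERS, "pnl.com"))
    print(plan_suffix_change(USERS, "pnl.com", "petenetlive.com"))
```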

Related Articles, References, Credits, or External Links

PowerShell – Update All Domain Users With Email Address From UPN

PowerShell – Updating Users Email Addresses In Active Directory

Cisco ASA – Allowing Microsoft Activation

KB ID 0001237 

Problem

 

Activation occurs over TCP 80 and 443, so usually this will not trip you up. However if you are on a site with a very restrictive firewall config, then you might want to add the following.

Solution

I’ll break with the norm and just post the config in its entirety (just remove the comment lines, which are the ones starting with an exclamation mark).

[box]

!The Firewall needs a domain name of its own.
!
domain-name petenetlive.com
!
!Setup DNS Lookups so the firewall can resolve the FQDNs we are going to use.
!
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
!
!Create objects for each of the activation FQDNs.
!
object network Obj-go.microsoft.com
  fqdn go.microsoft.com
object network Obj-wpa.one.microsoft.com
  fqdn wpa.one.microsoft.com
object network Obj-crl.microsoft.com
  fqdn crl.microsoft.com
object network Obj-wwwtk2test1.microsoft.com
  fqdn wwwtk2test1.microsoft.com
object network Obj-wwwtk2test2.microsoft.com
  fqdn wwwtk2test2.microsoft.com
object network Obj-db3.sls.microsoft.com
  fqdn db3.sls.microsoft.com
!
!Create objects for each of the activation subnets.
!
object network Obj-MS-Activation-Subnet-1
 subnet 64.4.0.0 255.255.192.0
object network Obj-MS-Activation-Subnet-2
 subnet 65.52.0.0 255.252.0.0
!
!Create an object group that holds all the objects.
!
object-group network Obj-GP-MS-Activation
 network-object object Obj-go.microsoft.com
 network-object object Obj-wpa.one.microsoft.com
 network-object object Obj-crl.microsoft.com
 network-object object Obj-wwwtk2test1.microsoft.com
 network-object object Obj-wwwtk2test2.microsoft.com
 network-object object Obj-db3.sls.microsoft.com
 network-object object Obj-MS-Activation-Subnet-1
 network-object object Obj-MS-Activation-Subnet-2
!
!Create a service object for the activation ports.
!
object-group service Obj-SVC-MS-Activation tcp
 port-object eq www
 port-object eq https
!
!Allow the traffic Out (SEE THE WARNING BELOW!)
!
access-list outbound extended permit tcp any object-group Obj-GP-MS-Activation object-group Obj-SVC-MS-Activation

[/box]

 

Warning: Before executing the access-list command, make sure the ACL name matches your existing ACL. In the example above I’ve used outbound; see the following article for clarification:

Cisco ASA – ‘access-group’ Warning

Related Articles, References, Credits, or External Links

NA

AnyConnect – The VPN Connection Failed (Domain Name Resolution)

KB ID 0001236 

Problem

This is a pretty generic error to be honest.

AnyConnect Secure Mobility Client

VPN

The VPN connection failed due to unsuccessful domain name resolution.

Solution

Firstly (and obviously), the name you are typing in the AnyConnect window can be resolved, can’t it? If not, then you might want to consider some employment that does not involve computers.

Secondly (this is what usually trips me up) did you copy and paste the name? If so is there a space on the end?

This name may also be incorrect in the profile.xml that’s associated with this VPN; the location of that file is covered in this article.

Also check that the VPN device does not need to be connected to on a different port, as per this article.

Related Articles, References, Credits, or External Links

NA

Migrating Local Profiles to Domain Profiles

KB ID 0001235 

Problem

Moving a machine onto a Windows domain is a simple task; I’ve done this for a lot of clients. The main complaint (post migration) is that something is missing. This is because your-account-name on your PC or laptop and your-account-name in the domain are TWO DIFFERENT ACCOUNTS (even if they have the same name).

Microsoft have produced some tools to help you, but I challenge you to start reading the USMT documentation for more than 15 minutes without losing the will to live.

Below is a list of things people have complained to me about losing post migration;

  • Desktop wallpaper.
  • Files & Folders from the desktop.
  • My Documents.
  • Internet Favorites.
  • My Pictures.
  • Outlook Signatures.
  • Outlook Mail Accounts.
  • Word Custom Dictionaries.
  • Word Autocomplete Settings.
  • MS Access Macro settings.

So I set up a test Windows 10 machine with all of the above configured, and used two tools to migrate my local profile into my domain profile.

 

Solution

Test 1 ForensIT User Profile Wizard

The software is free (there are paid-for versions), but I plumped for the free one. You don’t have to install anything as it runs from an executable (which is a bonus if you have a lot to do). It’s VERY fast and simple to use.

I’ve joined my target machine to the new domain, logged on once as the domain user to create a blank profile, then logged back on as the domain admin to carry out the following.

Launch the software > Next > Select the profile you want to copy from.

Select your domain name > Enter the logon name for the ‘DOMAIN USER’ you want to copy the profile to > Next > Next.

Verdict: Of the two, this one’s quicker, more intuitive, and free.

Test 2 USMT GUI 10

This is a graphical wrapper that sits on-top of the Microsoft USMT tools, I donated $10.00 for the cheapest version, and repeated the tests above. 

First you have to take a backup of the local profile(s).

I’m just choosing one (Pete) > RUN > My profile was 177Mb and it took about 5 minutes.

Now restore the profile back to your domain profile; as you can see that’s a little more complicated, but not that difficult > RUN.

At this point it ran through and gave me an error, even though it did migrate the profile successfully.

Verdict: Well, it does the job; it’s probably a lot more versatile than the first tool, but nowhere near as intuitive, and it costs $10. I know that’s cheap, and the dev deserves to be paid for their hard work, but I prefer the free one.

Related Articles, References, Credits, or External Links

NA

Cisco – Dissolve / Break ASA Failover Firewall Configuration

KB ID 0001234 

Problem

I’ve written at length about setting up failover firewall configurations. But what if you already have a working pair and you need to remove one? There are plenty of reasons to do this, i.e. another site needs a firewall in a hurry, you’re replacing failover firewalls with a single firewall, or you just need to do some testing and don’t have a spare.

Solution

It goes without saying: before doing anything, take a backup of the firewall. I used to do this with TFTP, but now I simply run ‘more system:running-config’ and my console software logs all the output. (I use the awesome Royal TSX software, though PuTTY will do the same.)

Make sure you know which is the primary firewall and which is the secondary, and which is active and which is standby.

[box]

Petes-ASA(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3 
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 9.1(4), Mate 9.1(4)
Last Failover at: 15:57:12 GMT/BDT Jul 2 2016
        This host: Primary - Active
                Active time: 5768814 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(4)) status (Up Sys)
                  Interface outside (123.123.123.123): Normal (Waiting)
                  Interface inside (192.168.1.10): Normal (Waiting)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 2755983 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(4)) status (UP SYS)
                  Interface outside (123.123.123.123): Normal (Monitored)
                  Interface inside (192.168.1.10): Normal (Monitored)
                slot 1: empty
[/box]

So, from the output above, I’m going to power off the other (secondary, standby) firewall; if there was a drama I could connect it back in and get comms back up again quickly.

Now stop the remaining ‘primary active’ firewall from attempting to be part of a failover pair.

[box]

Petes-ASA(config)# no failover

[/box]

Thankfully we can get rid of ‘nearly’ all the failover configuration with the following command;

[box]

Petes-ASA(config)# clear configure failover

[/box]

Which is brilliant, as it removes the whole failover section and reverts the stateful and failover link interfaces back to default. What it does not do, though, is remove the standby IP addresses from your interfaces; you will need to do that manually.

[box]

-----Config Removed For the Sake of Brevity-----
!
interface GigabitEthernet0/0
 description WAN Interface
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.240 standby 123.123.123.124
!
interface GigabitEthernet0/1
 description LAN Interface
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
!
interface GigabitEthernet0/2
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description MGMT Interface
 shutdown
 no nameif
 security-level 100
 no ip address
!
-----Config Removed For the Sake of Brevity-----

[/box]

So to remove the standby IPs:

[box]

Petes-ASA(config)# interface GigabitEthernet0/0
Petes-ASA(config-if)# ip address 123.123.123.123 255.255.255.240
Petes-ASA(config-if)# interface GigabitEthernet0/1
Petes-ASA(config-if)# ip address 192.168.1.10 255.255.255.0

[/box]

 

Don’t forget to save the changes with a ‘write mem‘ command when you are happy.
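Added example, not from the article: a Python helper that reads the ‘show failover’ output to confirm you are on the Active unit before issuing ‘no failover’, and turns the interface configuration into the ‘ip address’ commands that drop the standby addresses ‘clear configure failover’ leaves behind. Both inputs are constructed from the output above.

```python
"""Sanity-check 'show failover' and generate the standby-address clean-up commands.

Added example, not from the article. SHOW_FAILOVER and RUNNING_CONFIG are constructed
from the output shown above."""
import re

RE_THIS = re.compile(r"^\s*This host: (\w+) - (.+?)\s*$")
RE_OTHER = re.compile(r"^\s*Other host: (\w+) - (.+?)\s*$")
RE_IFACE = re.compile(r"^interface (\S+)$")
RE_STANDBY = re.compile(r"^\s+ip address (\S+) (\S+) standby (\S+)$")

SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3
        This host: Primary - Active
                Active time: 5768814 (sec)
        Other host: Secondary - Standby Ready
                Active time: 2755983 (sec)
"""
RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 description WAN Interface
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.240 standby 123.123.123.124
!
interface GigabitEthernet0/1
 description LAN Interface
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
"""

def failover_roles(show_failover):
    """{'enabled': bool, 'this': (unit, state), 'other': (unit, state)} from 'show failover'."""
    roles = {"enabled": False, "this": None, "other": None}
    for line in show_failover.splitlines():
        if line.strip() == "Failover On":
            roles["enabled"] = True
        if m := RE_THIS.match(line):
            roles["this"] = (m.group(1), m.group(2))
        if m := RE_OTHER.match(line):
            roles["other"] = (m.group(1), m.group(2))
    return roles

def safe_to_dissolve(roles):
    """Only break the pair from the unit that is currently passing traffic (Active)."""
    return roles["enabled"] and roles["this"] is not None and roles["this"][1] == "Active"

def standby_removal_commands(running_config):
    """Re-enter every 'ip address ... standby X' line without its standby address."""
    cmds, iface = [], None
    for line in running_config.splitlines():
        if m := RE_IFACE.match(line):
            iface = m.group(1)
        elif (m := RE_STANDBY.match(line)) and iface:
            cmds += [f"interface {iface}", f"ip address {m.group(1)} {m.group(2)}"]
    return cmds

if __name__ == "__main__":
    roles = failover_roles(SHOW_FAILOVER)
    print(roles, "safe to dissolve:", safe_to_dissolve(roles))
    print("\n".join(standby_removal_commands(RUNNING_CONFIG)))
```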

Related Articles, References, Credits, or External Links

Deploy Cisco ASA 55xx in Active / Standby Failover

Cisco ASA 5500 Active/Standby – Zero Downtime Upgrade

Cisco ASA – Active / Active Failover

 

Cisco VPN Client Connects but no traffic will Pass

Note: May also be asked as, Client VPN connects but cannot ping anything behind the Firewall.

KB ID 0000199

Problem

If I had a pound for every time I’ve seen this either in the wild, or asked in a forum, I would be minted! In nearly every case the problem is NAT related.

In most cases, if the person launching the VPN client is behind a device that is performing NAT (home router, access point, firewall, etc.), then that device will BREAK the NO NAT, or “nat 0” on pre-8.3 firewalls (that’s the command that says “DON’T change the address of my remote VPN client as it passes up and down the VPN tunnel”).

Update 08/09/16: Due to a bug, I found an exception to this problem being broken NAT (see below).

Solution

Enable nat-traversal. This is a global configuration setting and will not affect any other site to site, or client to gateway, VPNs you are currently running.

Option 1 Connect to the ASA Via Command Line.

Then go to enable mode > Configure Terminal mode > issue a “crypto isakmp nat-traversal 20” command > Then save the change with a “write mem” command.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# crypto isakmp nat-traversal 20
Petes-ASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
Petes-ASA#

[/box]

Option 2 Connect to the ASA Via ASDM (version used here is 6.2(5))

If you can find this in the ASDM post version 7, you are better than me!

Navigate to > Configuration > Remote Access VPN > Advanced > IKE Parameters > Tick “Enable IPSec over NAT-T” option > Set the “NAT Keepalive” to 20 seconds > Apply > File > Save running configuration to flash.

I’ve done that and it’s still not working?

On a Firewall Running 8.3 (or Newer)

1. On the firewall issue a “show run nat” command > Make sure there is a NAT statement that has static (the network behind the ASA) to static (the remote VPN network). I’ve highlighted it below (it’s the first nat line in the output).

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.

Petes-ASA>enable
Password: ********
Petes-ASA# show run nat 
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-10.253.253.0 obj-10.253.253.0 route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network Media_PC
nat (inside,outside) static interface service tcp 123 123
!
nat (outside,outside) after-auto source dynamic VPN_Pool interface
PetesASA#

[/box]

2. Make sure the correct network(s) are in the correct groups.

[box]

PetesASA# show run object
object network obj-10.254.254.0
subnet 10.254.254.0 255.255.255.0 <- Subnet behind the ASA
object network obj-10.253.253.0 <- Remote VPN Subnet
subnet 10.253.253.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Media_PC
host 10.254.254.5
PetesASA#

[/box]

3. Also make sure you don’t have any legacy nat rules breaking things.
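To turn steps 1 to 3 into a repeatable check, here is an added Python example (not from the article or from Cisco) that parses “show run object” and “show run nat” text into networks, keeps only NAT lines where the real and mapped objects match on BOTH sides (a true exemption, rather than a rule that rewrites addresses), and tests whether a remote client address is covered. The sample text and the helper names are constructed for this example.

```python
"""Check an ASA 8.3+ NAT exemption (constructed sample text modelled on the
'show run object' / 'show run nat' output above; helper names are this
example's own, not ASA commands)."""
import ipaddress
import re

SAMPLE_OBJECTS = """\
object network obj-10.254.254.0
 subnet 10.254.254.0 255.255.255.0
object network obj-10.253.253.0
 subnet 10.253.253.0 255.255.255.0
"""
# Second line is a constructed non-identity rule: it REWRITES the source, so it is no exemption.
SAMPLE_NAT = """\
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-10.253.253.0 obj-10.253.253.0 route-lookup
nat (inside,outside) source static obj-10.254.254.0 obj-OUTSIDE-PAT destination static obj-10.253.253.0 obj-10.253.253.0
"""
NAT_RE = re.compile(r"^nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")

def parse_objects(text):
    """Map each 'object network' name to the subnet it defines."""
    objects, current = {}, None
    for words in (line.split() for line in text.splitlines()):
        if words[:2] == ["object", "network"]:
            current = words[2]
        elif current and words and words[0] == "subnet":
            objects[current] = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
    return objects

def nat_exemptions(nat_text, objects):
    """(local_net, remote_net) for every identity NAT: real == mapped on BOTH sides."""
    pairs = []
    for line in nat_text.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        src_real, src_mapped, dst_real, dst_mapped = m.groups()
        # Unknown object names are skipped rather than guessed at.
        if src_real == src_mapped and dst_real == dst_mapped and src_real in objects and dst_real in objects:
            pairs.append((objects[src_real], objects[dst_real]))
    return pairs

def client_is_exempt(client_ip, pairs):
    """True when the VPN client address sits inside an exempted remote network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in remote for _local, remote in pairs)
```

Run it against your own pasted output with the address a connected client was handed; a False result means the client’s traffic is still being translated.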

On a Firewall Older than Version 8.3

On the firewall issue a “show run nat 0” command > take note of the access-list name.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run nat 0
nat (inside) 0 access-list NO-NAT-TRAFFIC
nat (inside) 1 0.0.0.0 0.0.0.0

[/box]

In this example mine’s called NO-NAT-TRAFFIC (because I like to keep things simple); yours can be called anything (inside_nat0_outbound is the norm if you used the ASDM to set up the VPN).

Now make sure that you have the correct addresses in that access-list: issue a “show run access-list {name}” command.

[box]

Petes-ASA#show run access-list NO-NAT-TRAFFIC
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.253.253.0 255.255.255.0
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.252.252.0 255.255.255.0
Petes-ASA#

[/box]

Above we have two subnets that are going to be exempt from NAT: 10.253.253.0/24 and 10.252.252.0/24. If the range of IP addresses your remote clients are using is NOT on this list, you need to add them.

If you don’t know what addresses they are supposed to be using, then issue a “show run ip local pool” command.

[box]

Petes-ASA#show run ip local pool
ip local pool IPSEC-VPN-DHCP-POOL 10.253.253.1-10.253.253.5
ip local pool SSL-VPN-DHCP-POOL 10.252.252.1-10.252.252.5
Petes-ASA#

[/box]

Again I’ve got a sensible naming policy, so we can see what my pools are for. To see which pools are being used by which tunnel groups, issue a “show run tunnel-group” command.

[box]

Petes-ASA# show run tunnel-group
tunnel-group IPSEC-VPN-GROUP type remote-access <<< Here's my IPSEC VPNs
tunnel-group IPSEC-VPN-GROUP general-attributes
address-pool IPSEC-VPN-DHCP-POOL <<< And here's my matching DHCP scope (IPSEC)
authentication-server-group PNL-KERBEROS
default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes
pre-shared-key *****
tunnel-group SSL-VPN-POLICY type remote-access <<< Here's my SSL VPNs
tunnel-group SSL-VPN-POLICY general-attributes
address-pool SSL-VPN-DHCP-POOL <<< And here's my matching DHCP scope (SSL)
authentication-server-group PNL-KERBEROS
default-group-policy SSL-VPN-GROUP-POLICY
tunnel-group SSL-VPN-POLICY webvpn-attributes
group-alias PNL enable
Petes-ASA#

[/box]

If any of yours are missing then change accordingly.
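As an added example (not part of the original article), the following Python script applies the same check to pre-8.3 output: it reads the NO-NAT access-list and the “ip local pool” ranges and reports any pool whose addresses are not exempt from NAT. The sample output and the helper names are constructed here, with an extra pool included to show a failing case.

```python
"""Check that every remote-access VPN pool falls inside a NO-NAT exemption
(pre-8.3 'nat 0 access-list' style). Sample text is constructed, modelled on
the snippets above; helper names are this example's own."""
import ipaddress
import re

SAMPLE_ACL = """\
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.253.253.0 255.255.255.0
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.252.252.0 255.255.255.0
"""
# Third pool is constructed: a new client range nobody added to the exemption list.
SAMPLE_POOLS = """\
ip local pool IPSEC-VPN-DHCP-POOL 10.253.253.1-10.253.253.5
ip local pool SSL-VPN-DHCP-POOL 10.252.252.1-10.252.252.5
ip local pool NEW-CLIENT-POOL 10.251.251.1-10.251.251.50
"""
# Only the 'permit ip NET MASK NET MASK' form shown in the article is handled.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")

def exempt_destinations(acl_text, acl_name):
    """Remote (destination) networks the NO-NAT ACL exempts, as ip_network values."""
    nets = []
    for line in acl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            nets.append(ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False))
    return nets

def parse_pools(pool_text):
    """Map pool name -> (first, last) address from 'show run ip local pool'."""
    pools = {}
    for line in pool_text.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools

def uncovered_pools(acl_text, acl_name, pool_text):
    """Names of pools whose whole range is NOT inside any exempted destination network."""
    exempt = exempt_destinations(acl_text, acl_name)
    return [name for name, (first, last) in parse_pools(pool_text).items()
            if not any(first in net and last in net for net in exempt)]

if __name__ == "__main__":
    for name in uncovered_pools(SAMPLE_ACL, "NO-NAT-TRAFFIC", SAMPLE_POOLS):
        print(f"pool {name} is not exempt from NAT: add it to NO-NAT-TRAFFIC")
```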

BUG (08/09/16)

Had this problem again recently, and after staying on the phone to TAC until 03:00, it turned out to be a bug in the SFR (FirePOWER service module) code. That was causing the firewall to silently drop the AnyConnect traffic. So debugs showed nothing, and packet captures were empty. Fixed by removing ‘sfr fail-open’ from the firewall and upgrading the code by re-imaging the SFR module.

Related Articles, References, Credits, or External Links

NA