Why Securing Your VPN Solution With Computer Certificates ‘Only’ Is A BAD Idea
KB ID 0001055 Problem After a large AnyConnect 4 roll-out, I had the following conversation with a client. Client: Can we change the way the clients authenticate? Me: Yes, no problem, what do you need? Client: Well, instead of user-based certificate authentication, we want to use computer certificates only. Me: Really, why? Client: So when we roll out a lot of imaged new machines we don’t need to get the users to log onto them and...
Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication
KB ID 0000688 Problem Last week I was configuring some 2008 R2 RADIUS authentication for authenticating remote VPN clients to a Cisco ASA firewall. I will say that Kerberos authentication is a LOT easier to configure, so you might want to check that first. Solution Step 1 Configure the ASA for AAA RADIUS Authentication 1. Connect to your ASDM, > Configuration > Remote Access VPN > AAA Local Users > AAA Server Groups. 2....
Cisco ASA Disable ESMTP Inspection
Telnet to Exchange on Port 25 shows a row of asterisks? KB ID 0000536 Problem Yesterday my colleague Ben called me over to the help-desk and asked “Have you ever seen this before?” This was what was on his screen. 220 *************************************************** Solution Usually when you Telnet to an Exchange server it gives you a 220 message followed by the “Banner” of the Exchange server, a little...
GNS3 ASA Error – ‘ASDM did not recognize device model ASA5520’
KB ID 0001028 Problem Apart from the fact that’s an appalling spelling of recognise, I got bitten by this last weekend. I don’t use the ASDM as a rule, so it would not normally be a problem; the only thing I do use the ASDM for is certificates (it’s just easier). Solution Last time I saw an error like this I had to use a Fiddler script to embed the firewall model in the HTTPS traffic, however now there’s a...
VPN Problem Cisco PIX v6 to Cisco ASA 5500
KB ID 0000761 Problem I found this out purely by accident today, while replacing an old PIX 506E that had died with an ASA 5505. The client’s other site still had a PIX 506E (running 6.3(5)). I was setting up the VPN, and noticed something that WOULD have been a problem if I had not spotted it. Solution Essentially the older PIX firewalls are set for 3DES encryption, MD5 hashing and Diffie-Hellman 2. After version 8.4 the ASA...
Using the Microsoft VPN client through Cisco ASA/PIX
KB ID 0000009 Problem You cannot open a Microsoft client VPN tunnel with a Cisco PIX or ASA in front of you on the network. Solution You need the following open (outbound): TCP port 1723 (that’s PPTP) and Protocol 47 (GRE) – note that’s a PROTOCOL and NOT a PORT. Allow PPTP Client through the ASA via Command Line 1. Connect to the ASA, then add PPTP inspection to the default inspection map. PetesASA> PetesASA> en Password: ********...
Cisco ASA 5500 – Error ‘DHCP: Interface ‘inside’ is currently configured as SERVER and cannot be changed to a CLIENT by a CLIENT feature’
KB ID 0000836 Problem I put in an ASA 5505 this week, and while I was setting it up I was getting plagued with these popping up in the command window all the time: DHCP: Interface ‘inside’ is currently configured as SERVER and cannot be changed to a CLIENT by a CLIENT feature DHCP Client: can’t enable DHCP Client when DHCP Server/Relay is running on the interface. Seen here on ASA Version 9.1(1) Solution There’s not a...
Enable DNS Lookup on the Cisco PIX/ASA
KB ID 0000029 Problem You need the ASA to be able to resolve external hostnames. Note: You need at least version 8.2(2) before you can use a DNS name in an access-list. Solution Note: In this example I’m using 122.122.122.199 and 122.122.122.198 (yes, they cannot exist!) as the external DNS addresses, substitute your own. 1. Whilst in enable mode > enter configure terminal mode, then enable DNS Lookups....
Backup and Restore a Cisco Firewall.
KB ID 0000076 Problem There are many different versions of PIX and ASA firewalls. So, if you want to get a backup of the configuration and save it elsewhere (so in the event of a failure, or more likely someone tinkering and breaking the firewall), you will be able to recall and restore that configuration. By far the easiest method is to use a TFTP server – and it works on ALL versions, so learn it once and use it many...
Manage your Cisco Firewall from your Windows Mobile Device
KB ID 0000158 Problem You have a new Windows Mobile device and you’re bored! – well not really, I hope I never have to do this in anger, but it was an exercise in proving it can be done 🙂 Solution Before you start you need to ensure the following has been done: 1. The firewall in question needs an RSA key generating on it (on the firewall issue the following command “crypto key generate rsa” {without the quotes}). 2....