Cisco ASA 5500 Client VPN Access Via Kerberos (From CLI)
KB ID 0000049 Problem You would like to enable remote access for your clients using the Cisco VPN Client software. Solution Before you start – you need to ask yourself “Do I already have any IPSEC VPN’s configured on this firewall?” Because if its not already been done, you need to enable ISAKMP on the outside interface. To accertain whether yours is on, or off, issue a “show run crypto isakmp”...
Cisco ASA5500 Client VPN Access Via RADIUS
KB ID 0000071 Problem Below is a walkthrough for setting up a client to gateway VPN Tunnel using a Cisco ASA appliance.This is done via the ASDM console. Though if (Like me) you prefer using the Command Line Interface I’ve put the commands at the end. You will need a RADIUS server, WIndows Server (2000 and 2003) Has its own RADIUS bolt on called Windows IAS Step 1 Below is a walkthrough on how to set this up. It also uses the...
Cisco ASA5500 Client IPSEC VPN Access
(This method uses the ASA to hold the user database) to use RADIUS CLICK HERE to use Kerberos CLICK HERE KB ID 0000070 Problem Note: IPSEC VPN is still possible, but getting Windows clients is a little sketchy, and you will have to mess about with them to get them to work on modern versions of Windows. (Mac OSX and iPhone/iPad can connect with their built in VPN software though). Below is a walkthrough for setting up a client to...
Manage Cisco ASA5500 From Outside
KB ID 0000068 Problem Note: This is an old article, you might want to go here If you have to look after a lot of client firewall’s, or you simply want to be able to manage your own remotely then this can be done via the ASDM console. Solution 1 Log into the firewall > Go to enable mode. Ciscoasa Password: ******* 2 Go to configure terminal mode. ciscoasa# conf t 3. Turn on the ASDM Server. ciscoasa(config)# http server enable...
Cisco ASA5505 Setup (Via ASDM)
KB ID 0000067 Problem Regular visitors to PNL will know I much prefer to do things at command line, but I appreciate most people trying to set up a new firewall will want to use the GUI. Before you start you will need to know what IP addresses you want to use, what password you want to use etc. Solution 1. You get two network cables in the box, connect your PC/Laptop to Ethernet port 1 (See the photo, that’s the second one in...
Set Cisco ASA for Kerberos Authentication
KB ID 0000039 Problem You want to set up a Cisco ASA to authenticate users (VPN access for example). Solution Kerberos can only be used as an authentication protocol on the ASA, so its fine for allowing VPN connections but not for assigning policies etc. To work both the ASA and the domain need to be showing accurate time. Step 1: Set the ASA to get time from an External NTP Server 1. Log onto the ASA > Go to “Enable...
Cisco Firewall VPN “Hair Pinning” Note: Cisco refer to this as a “Spoke to Spoke VPN”
KB ID 0000040 Problem You have multiple sites protected by Cisco Firewalls, you establish a remote connection VPN to one of your sites, but cannot get to the others. Solution Normally your remote workers will establish a VPN, with a VPN client (though this principle will also work for remote users with a hardware firewall). In this example we will stick with a remote client using VPN Client software (either using an IPSEC version 3...
Block Access to Facebook on Cisco ASA with MPF
KB ID 0000054 Problem If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the best solution. NOTE: This can be used for any web site simply add each URL you want to block. Solution 1. Log into your firewal,l and enter enable mode, then enter...
Enabling NetFlow on Cisco ASA
KB ID 0000055 Problem Cisco NetFlow lets you export information about traffic flow, it was originally written for the router IOS, but is now available for Cisco ASA, which uses NSEL (Note ASA uses NetFlow version 9 {newest at time of writing}) Note: NetFlow can not give you “Live” data, but it can show you what has happened over a period of time, and remember like any other “Logging” this will have an adverse...
Cisco ASA – Only Allow Mail Servers SMTP Outbound
KB ID 0000172 Problem It’s not unusual for nasty Virus’s and Malware once they have infected a machine, to set up outbound communications on the mail protocol SMTP (TCP Port 25), which can lead to your public address being blacklisted. So it’s considered good practice to stop all your clients getting mail access outbound through your firewall, while still allowing your mail server. Note: On Cisco firewall’s,...