Cisco FPR – Re-image from FTD to ASA Code

KB ID 0001766

Problem

Note: This procedure is to re-image a Cisco Firepower device from FTD to ASA code, (in this example a Cisco FPR 1010). 

Why would you want to do this? Well to be frank FTD is bobbins, so if you have a device running FTD code you might want to ‘convert’ it to ASA code. If you tried to do this with an older firewall (ASA 5500-X) then you needed to go to Cisco TAC and try and get them to give you an activation code for the ASA. But if you are using an FPR device then YOU DON’T NEED TO DO THAT.

You might also want to do this because, (at time of writing) buying a Cisco FPR device running ASA code, the lead times in the UK are eye wateringly long (200-300 days!) But you can buy a chassis running FTD code and then convert that to ASA code with the following procedure.

Solution

Connect to your FPR device with a console cable, and log on as admin (the default password is Admin123, unless you have changed it of course!) Download the latest version of ASA code for your device from Cisco, in my case (at time of writing) that’s cisco-asa-fp1k.9.14.3.15.SPA. Copy that onto a USB drive (WARNING: The drive needs to be formatted with FAT32, the firewall will not recognise or mount the drive unless it is!) Finally insert the USB drive into the firewall, and issue the following commands.

[box]

FTD-1# scope firmware
FTD-1 /firmware # download image usbA:/cisco-asa-fp1k.9.14.3.15.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
FTD-1 /firmware # show download-task

Download task:
    File Name Protocol Server          Port       Userid          State
    --------- -------- --------------- ---------- --------------- -----
    cisco-asa-fp1k.9.14.3.15.SPA
              Usb A                             0                 Downloading

% Download-task cisco-asa-fp1k.9.14.3.15.SPA : completed successfully.

[/box]

Note: If it says, ‘failed. Download failure – USB drive is not mounted‘ the drive is probably formatted incorrectly. If it says ‘Download-task failed. Failed signature validation‘, then the image is probably corrupt, try again, or use a different version.

Verify the file has downloaded correctly.

[box]

show download-task

Download task:
    File Name Protocol Server          Port       Userid          State
    --------- -------- --------------- ---------- --------------- -----
    cisco-asa-fp1k.9.14.3.15.SPA
              Usb A                             0                 Downloaded

[/box]

Then make sure the package is listed with a show package command.

[box]

FTD-1 /firmware # show package
Name                                          Package-Vers
--------------------------------------------- ------------
cisco-asa-fp1k.9.13.1.2.SPA                   9.13.1.2
cisco-asa-fp1k.9.14.3.15.SPA                  9.14.3.15
cisco-ftd-fp1k.6.6.0-90.SPA                   6.6.0-90

[/box]

Note: You can see (above) there’s an ASA code version from a previous install and it shows the current running FTD code also. To re-image the firewall execute the following commands. (Note: you enter the VERSION NOT THE FILENAME!)

[box]

FTD-1 /firmware # scope auto-install
FTD-1 /firmware/auto-install # install security-pack version 9.14.3.15

The system is currently installed with security software package 6.6.0-90, which has:
   - The platform version: 2.8.1.105
   - The CSP (ftd) version: 6.6.0.90
If you proceed with the upgrade 9.14.3.15, it will do the following:
   - upgrade to the new platform version 2.8.1.172
During the upgrade, the system will be reboot

Do you want to proceed ? (yes/no):yes {Enter}

This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Do you want to proceed? (yes/no):yes {Enter}

Triggered the install of software package version 9.14.3.15
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
FTD-1 /firmware/auto-install #

[/box]

Now go and have a coffee, it will take 20 minutes, and a few reboots before it’s finished. When completed you should see a login prompt, login with admin/Admin123 and reset the password. 

[box]

firepower-1010 login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1
Last failed login: Sun Nov 21 16:55:16 UCT 2021 on ttyS0
There was 1 failed login attempt since the last successful login.
Hello admin. You must change your password.
Enter new password: password123
Confirm new password: password123
Your password was updated successfully.

[/box]

Then connect to the ASA CLI with the connect asa command. Go to enable mode, and set the enable password. Finally, save the config.

[box]

firepower-1010# connect asa
firepower-1010# Verifying signature for cisco-asa.9.14.3.15 ...
Verifying signature for cisco-asa.9.14.3.15 ... success
ciscoasa>
ciscoasa> enable
The enable password is not set.  Please set it now.
Enter  Password: password123
Repeat Password: password123
Note: Save your configuration so that the password can be used for FXOS failsafe access and persists across reboots
("write memory" or "copy running-config startup-config").
ciscoasa# write memory
Building configuration...
Cryptochecksum: a607255a a64f2898 97bb6b40 9a8ff25c

[/box]

You will now be running ASA code with the factory settings (Inside 192.168.1.1/24, Management 192.168.45.1/24 (with DHCP enabled), Outside set to get IP dynamically, and all traffic allowed out).

Remember if you’re a ‘light weight’ and cant use command line, then you will need to install and configure the ASDM 🙂 

Related Articles, References, Credits, or External Links

Reimage Cisco 1010 ASA to FTD

Convert ASA 5500-X To FirePOWER Threat Defence

Cisco FTD Deploy AnyConnect (from FDM)

KB ID 0001682

Problem

In this article I will focus on ‘Remote Access’ VPN, which for Cisco FTD means using the AnyConnect client. Ive spent years deploying this solution for ASA so it’s a product I know well. As with all things Cisco, there are a couple of things that could trip you up. Let’s get them out of the way first.

If you are used to AnyConnect then you probably have the client software. It’s the same software package that’s installed with Cisco ASA. Sometimes just getting access to the download is a trial! Anyway you will need the AnyConnect ‘Package’ files, these typically have a .pkg extension, (Cisco refer to these as Head-End packages). Theres one for macOS, one for Windows, (well another one now for ARM processors, but I’ve not needed it yet), and one for Linux. You will need to download a package for each platform your users will need to connect with.

AnyConnect Licence! After years of getting a few free with a Cisco ASA, I was unhappy to find that’s not the case with Cisco FTD. If you want to use AnyConnect you need to have a licence, and it needs to be in your Smart Licensing Account, (before you enable Remote Access VPN). 

Final Gotcha! Make sure you HAVE NOT enabled HTTPS management on the outside interface of the FTD before you start configuring AnyConnect, or you will get all the way to the end, and it will fall over and you will have to start again (thanks Cisco! How hard would it be to say, if you enable this, I will disable https outside management is this OK?) 

Solution

If you haven’t already done so enable the Remote Access VPN licence > Smart Licence > Fire Configuration > RA VPN  License > Enable > Change to licence type (mines Apex). Have a coffee and recheck everything is licensed OK.

AnyConnect 4 – Plus and Apex Licensing Explained

Remote Access VPN > Configure > Create Connection Profile.

Give the profile a name, a group alias, and group URL > I’m using the FTD as my AAA Identity source (so my username and passwords are held on the firewall) that’s fine for small deployments, but in production you should think about deploying an AAA solution (called a Special Identities Realm in FTD). Scroll down.

I typically create a new network object for my remote clients to use, you can select your internal DHCP server to send out addresses if you wish > Next.

I’m using Cisco Umbrella DNS servers, (or the DNS servers formally known as OpenDNS) > I’m setting a ‘welcome banner’ but you dont need to, (some people find them annoying!) > Scroll down.

Split tunnelling: As always Cisco assume you want to tunnel everything, in most cases that’s NOT the requirement (BUT it IS the most secure!) I setup split tunnelling by Excluding my internal networks > Next.

Client Profiles: If you have one you can set it here, if you want to create one, see the following article;

Cisco FTD (and ASA) Creating AnyConnect Profiles

Select the certificate the FTD will present (don’t choose the web one it will error!) > Select the interface your client will connect to (typically outside) > Enter the FQDN of the device > I allow bypass for VPN traffic, if you want to scan remote traffic with firepower etc DON’T select this > Enable NAT Exemption (select the internal interface) > Internal Networks: Then add in the internal network, I’ve already got an object for that, (you may need to create one.) > Scroll down.

Here you upload your .pkg files (I mentioned above) when you have finished > Next.

Review the settings > Finish.

Cisco FTD Create User (via FDM)

You will need a username and password to authenticate (skip this as you are not using the FTD’s internal user database.) Objects > Users > Add > Supply a username and password > OK

Pending Changes > Deploy Now.

Go and have a coffee again, keep clicking pending changes until it looks like this. (Quite why it takes so long, I have no idea?) It’s even more fun, if you made a mistake, because it will just error and fall over, so you have to find the error (if you can) > then remove the pending change and start all over again. Cheers Cisco!

Finally go to an external client and give it a try, if your clients don’t have the client software installed simply ‘browse’ to the FTD to get it.

Related Articles, References, Credits, or External Links

Cisco Firepower 1010 Configuration

Cisco ASA Site To Site VPN IKEv1 “Using CLI”

KB ID 0000050

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

Note: This is quite an OLD POST, only use these instructions if you need to create a VPN tunnel that uses IKEv1, (i.e. The other end is not a Cisco ASA, or it’s a Cisco ASA running code older than 8.4). You can still use an IKEv1 tunnel of course, so this article is still valid, it’s just IKEv2 has some better levels of encryption.

Everyone else, go to the following article instead!

Cisco Site To Site VPN IKEv2 “Using CLI”

You want a secure IPSEC VPN between two sites.

Solution

Note: There have been a number of changes both in NAT and IKE on the Cisco ASA that mean commands will vary depending on the OS that the firewall is running, make sure you know what version your firewall is running (either by looking at the running config or issue a “sho ver” command).

Note 2: Cisco introduced IKE version 2 with ASA 8.4(x). This assumes we are configuring a tunnel using IKE version 1. (For version 2, both ends need to be running version 8.4(x) or greater).

Before you start – you need to ask yourself “Do I already have any IPSEC VPN’s configured on this firewall?” Because if it’s not already been done, you need to enable ISAKMP on the outside interface. To ascertain whether yours is on or off, issue a “show run crypto ” command and check the results, if you do NOT see “crypto isakmp enable outside” or “crypto ikev1 enable outside” then you need to issue that command.

[box]

Firewall Running an OS of 8.4(x) or newer

PetesASA# show run crypto
crypto ikev1 enable outside << Mines already enabled and its IKE version1
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PetesASA#

Firewall Running an OS Earlier than 8.4(x) 

PetesASA# show run crypto
crypto isakmp enable outside << Mines already enabled.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PetesASA#

[/box]

1. I’m going to create access control lists next, one to tell the ASA what is “Interesting traffic”, that’s traffic that it needs to encrypt. If you are running an ASA older than version 8.3(x) you will need to create a second access list to STOP the ASA performing NAT on the traffic that travels over the VPN.

Warning: (ASA Version 8.3 or older): If you already have NAT excluded traffic on the firewall (for other VPN’s) this will BREAK THEM – to see if you do, issue a “show run nat” command, if you already have a nat (inside) 0 access-list {name} entry, then use that {name} NOT the one in my example.

So below I’m saying “Don’t NAT Traffic from the network behind the ASA (10.254.254.0) that’s going to network behind the VPN device at the other end of the tunnel (172.16.254.0).

[box]

Firewall Running an OS of 8.3(x) or newer

PetesASA(config)#object network Site-A-SN
PetesASA(config-network-object)#subnet 10.254.254.0 255.255.255.0
PetesASA(config)#object network Site-B-SN
PetesASA(config-network-object)#subnet 172.16.254.0 255.255.255.0
PetesASA(config)#access-list VPN-INTERESTING-TRAFFIC line 1 extended permit ip object Site-A-SN object Site-B-SN
PetesASA(config)#nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN no-proxy-arp route-lookup

Firewall Running an OS Earlier than 8.3(x) 

PetesASA(config)# access-list VPN-INTERESTING-TRAFFIC line 1 extended permit 
ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0
PetesASA(config)# access-list NO-NAT-TRAFFIC line 1 extended permit 
ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0
PetesASA(config)#nat (inside) 0 access-list NO-NAT-TRAFFIC

[/box]

2. Now I’m going to create a “Tunnel Group” to tell the firewall it’s a site to site VPN tunnel “l2l”, and create a shared secret that will need to be entered at the OTHER end of the site to site VPN Tunnel. I also set a keep alive value.

Note: Ensure the Tunnel Group Name is the IP address of the firewall/device that the other end of the VPN Tunnel is terminating on.

[box]

PetesASA(config)# tunnel-group 123.123.123.123 type ipsec-l2l
PetesASA(config)# tunnel-group 123.123.123.123 ipsec-attributes
PetesASA(config-tunnel-ipsec)# pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
PetesASA(config-tunnel-ipsec)# exit

[/box]

3. Now we need to create a policy that will setup how “Phase 1” of the VPN tunnel will be established, we have already put in a shared secret, this policy will make sure we use it. It also sets the encryption type (3DES), the hashing algorithm (SHA) and the Level of PFS (Group 2). Finally it sets the timeout before phase 1 needs to be re-established. It sets the timeout value to 86400 seconds (that’s 1440 Minutes – or 24 hours if your still confused 🙂 ).

[box]

Firewall Running an OS of 8.4(x) or newer

PetesASA(config)# crypto ikev1 policy 10
PetesASA(config-ikev1-policy)#authentication pre-share
PetesASA(config-ikev1-policy)#hash sha
PetesASA(config-ikev1-policy)#group 2 
PetesASA(config-ikev1-policy)#lifetime 86400

Firewall Running an OS Earlier than 8.4(x)

PetesASA(config)# crypto isakmp policy 10 authen pre-share
PetesASA(config)# crypto isakmp policy 10 encrypt 3des
PetesASA(config)# crypto isakmp policy 10 hash sha
PetesASA(config)# crypto isakmp policy 10 group 2
PetesASA(config)# crypto isakmp policy 10 lifetime 86400

[/box]

4. We stated above that we are going to use 3DES and SHA so we need a “Transform Set” that matches. [box]

Firewall Running an OS of 8.4(x) or newer

PetesASA(config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Firewall Running an OS Earlier than 8.4(x)

PetesASA(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

[/box]

5. Finally we need to create a “Cryptomap” to handle “Phase 2” of the VPN Tunnel, that also will use 3DES and SHA and PFS. And last of all we apply that Cryptomap to the outside interface.

[box]

Firewall Running an OS of 8.4(x) or newer

PetesASA(config)# crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC 
PetesASA(config)# crypto map outside_map 1 set pfs group2 
PetesASA(config)# crypto map outside_map 1 set peer 123.123.123.123 
PetesASA(config)# crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA 
PetesASA(config)# crypto map outside_map interface outside

Firewall Running an OS Earlier than 8.4(x)

PetesASA(config)# crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC 
PetesASA(config)# crypto map outside_map 1 set pfs group2 
PetesASA(config)# crypto map outside_map 1 set peer 123.123.123.123 
PetesASA(config)# crypto map outside_map 1 set transform-set ESP-3DES-SHA 
PetesASA(config)# crypto map outside_map interface outside

[/box]

5. Don’t forget to save your hard work with a “write mem” command.

[box]

PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

6. Simply configure the other end as a “Mirror Image” of this one.

ASA 5500 Site to Site VPN Copy and Paste Config

Note: This uses AES and SHA. It also assumes your outside interface is called ‘outside’. Check! I’ve seen them called Outside (capital O), wan, and WAN.

[box]

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
object network OBJ-MainSite
subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
[/box]

Simply change the values in red where;

  • 10.0.00 255.255.255.0 is the network behind the ASA you are working on.
  • 10.0.3.0 255.255.255.0 is the destination network behind the device you are connecting to.
  • 2.2.2.2 is the peer IP address of the device you are attempting to connect to.
  • 1234567 Is the shared secret you will use at both ends.

Related Articles, References, Credits, or External Links

Original Article Written 07/06/11, updated 20/04/14

Cisco ASA AnyConnect VPN ‘Using ASDM’

KB ID 0000069

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

Below is a walk through for setting up a client to gateway VPN Tunnel using a Cisco Firepower ASA appliance. This was done via the ASDM console. The video was shot with ASA version 9.13(1) and ASDM 7.13(1).

Suggestion: If you are setting this up for the first time, I would suggest setting it up to use the ASA’s LOCAL database for usernames and passwords, (as shown in the video). Then once you have it working, you can change the authentication (AAA) to your preferred method (see links at bottom of page).

The original article was written with ASA version 8.0(4) and ASDM 6.1(3), which was a little more difficult so I will leave that procedure at the end just in case 🙂

Note: The ASDM cannot be used on the normal port (https) on the outside interface when using AnyConnect, because HTTPS or TCP port 443 needs to be free (and also IMPORTANTLY NOT ‘port-forwarded’ to a web server / Exchange server etc. for this to work). To fix that, either change the port that AnyConnect is using (not the best solution!) Or, (a much better solution) Change the port ASDM is using

Solution

Setup AnyConnect From ASDM (Local Authentication)

In case you don’t want to watch a video! Launch the ASDM > Wizards > VPN Wizards > AnyConnect VPN Wizard > Next.

Give the AnyConnect profile a name i.e PF-ANYCONNECT, (I capitalise any config that I enter, so it stands out when I’m looking at the firewall configuration). >Next > Untick IPSec > Next.

Note: You can use IPSec if you want, but you will need a Certificate pre-installed to do so!

Now you need to upload the AnyConnect client packages for each operating system that is going to want to connect, 

Once the package (with a pkg extension) is located, you can upload it directly into the firewalls flash memory. 

Repeat the process for each OS that will be connecting. (PLEASE! Don’t forget to add the macOS package! or your users will see THIS ERROR) > Next > As mentioned above I’m using LOCAL (on the ASA) authentication. I always set this up first, then test it, then if required, change the authentication method > If you don’t already have a LOCAL user created then add a username and password for testing > Next.

Next (Unless you want to setup SAML) > Here I’ll create a new ‘Pool’ of IP addresses for my remote clients to use. You can also use an internal DHCP server for remote clients, again I normally setup and test with a Pool from the ASA, then if I need to use a DHCP server, I swap it over once I’ve tested AnyConnect. If that’s a requirement, see the following article;

AnyConnect – Using a Windows DHCP Server

Enter the DNS server(s) details for you remote clients > WINS? Who is still using WINS! > Domain name > Next > Tick ‘Exempt VPN traffic from network address translation’ > Next.

Next > Finish

DON’T FORGET TO SAVE THE CHANGES!! (File > Save Running Configuration to Flash)

Now any remote client attempting to connect to AnyConnect can install the client software directly from the firewall, (This is assuming you have not already installed it for them beforehand).

 

For Older Versions of the ASA/ASDM

Note: The information below is OBSOLETE, I only leave it here in case someone is running some VERY old versions of the ASDM and AnyConnect

1. Open up the ADSM console. > Click Wizards >SSL VPN Wizard.

2. Select “Both Options”. > Next.

3. Enter a connection name > If you have a certificate already select it here or simply leave it on” -None-” and the ASA will generate an un trusted one. > Next.

4. For this example we are going to use the ASA’s Local database to hold our user database, however, if you want to use RADIUS/Windows IAS select those options and accordingly, and then follow the instructions. Note: To set up IAS read my notes HERE > Enter a username and password.

5. Add. > Next

6. We are going to create a new policy in this case called SSL Users > Next.

7. You can now add bookmarks (Links on the VPN portal page) > Manage > Add > Type in a name > Add. > OK.

8. Give it a name and subtitle (look at step 18 to see how that displays) > Enter the internal URL for the web site > OK.

9. Add > OK.

10. OK.

11. Next.

12. Create an IP Pool (IP range to be leased to the VPN clients that is DIFFERENT to your LAN IP range) > New > enter a name, IP addresses, and the subnet mask > OK.

13. Point the ASA to the Anyconnect client you want to use (Note you can upload a software image from your PC here as well) Next > Accept the warning about NAT Exemptions (Note if you do get a warning to add a NAT Exemption see the note at the end).

14. Finish.

15. Before it will work you need to Select Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Double click the Connection profile you created earlier in step 3 > Enter a name in the Aliases section i.e. AnyConnect > OK. > Tick the box that says “Allow user to select connection profile by its alias………” > Apply.

16. File > Save running configuration to flash.

17. Connect externally to https://{public_IP} (Note this has to be in the browsers trusted site list) > Enter a username and password > Login

18. You are now on the “Portal” site any bookmarks created above will be visible > Click the AnyConnect Tab.

19. Double click to launch AnyConnect.

20. The Anyconnect client will install if not used previously (User needs to be local admin) and connects.

NAT Exemptions: Note if you received a warning about needing to add the remote VPN pool as a NAT Exemption (After step 13) you will need to add the following lines to the ASA

Syntax;

[box]

access-list {name} extended permit ip {LAN behind ASA} {Subnet behind ASA} {VPN Pool Range} {VPN Pool Subnet}

nat (inside) 0 access-list {name}

Working example

access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.253.0 255.255.255.0

nat (inside) 0 access-list nonat

[/box]

WARNING: Make sure the name matches any existing no NAT ACLs or your IPsec vpns will fail!

Related Articles, References, Credits, or External Links

Cisco ASA 5500 AnyConnect Setup From Command Line

AnyConnect: Allow ‘Local’ LAN Access

AnyConnect 4 – Plus and Apex Licensing Explained

Cisco AnyConnect – Essentials / Premium Licences Explained

AnyConnect (AAA) Authentication Methods

Kerberos Authentication (Cisco ASA)

LDAP Authenticaiton (Cisco ASA)

RADIUS Authentication(Cisco ASA)

Duo 2FA Authentication (Cisco ASA)

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Cisco ASA AnyConnect VPN ‘Using CLI’

KB ID 0000943

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco FTD running ASA Code.

Also See Cisco ASA AnyConnect VPN ‘Using ASDM’

This procedure was done on Cisco ASA (post) version 8.4, so it uses all the newer NAT commands. I’m also going to use self signed certificates so you will see this error when you attempt to connect.

Solution

1. The first job is to go get the AnyConnect client package(s), download them from Cisco, (with a current support agreement). Then copy them into the firewall via TFTP. If you are unsure how to do that see the following article.

Install and Use a TFTP Server

[box]

Petes-ASA(config)# copy tftp flash

Address or name of remote host [10.254.254.183]? 192.168.80.1

Source filename []?anyconnect-win-4.7.02036-webdeploy-k9.pkg

Destination filename [anyconnect-win-4.7.02036-webdeploy-k9.pkg]? {Enter}

Accessing tftp://192.168.80.1/anyconnect-win-4.7.02036-webdeploy-k9.pkg
.........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

4807912 bytes copied in 549.790 secs (8757 bytes/sec)
Petes-ASA(config)#

[/box]

2. Create a ‘pool’ of IP addresses that the ASA will allocate to the remote clients, also create a network object that covers that pool of addresses we will use later.

[box]

Petes-ASA(config)# ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
Petes-ASA(config)# object network OBJ-ANYCONNECT-SUBNET
Petes-ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0

[/box]

3. Enable webvpn, set the package to the one you uploaded earlier, then turn on AnyConnect.

[box]

Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 1 
Petes-ASA(config-webvpn)# anyconnect enable

[/box]

4. I’m going to create a LOCAL username and password, I suggest you do the same, then once you have proved it’s working OK, you can. change the authentication method, (see links below). I’m also going to create an ACL that we will use for split-tunneling in a minute.

[box]

Petes-ASA(config)# username PeteLong password Password123
Petes-ASA(config)# access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0

[/box]

5. Create a group policy, change the values to match your DNS server(s), and domain name accordingly.

[box]

Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE internal
Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client
Petes-ASA(config-group-policy)# dns-server value 10.0.0.10 10.0.0.11
Petes-ASA(config-group-policy)# split-tunnel-policy tunnelspecified
Petes-ASA(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
Petes-ASA(config-group-policy)# default-domain value petenetlive.com

[/box]

6. Create a matching tunnel-group that ties everything together.

[box]

Petes-ASA(config-group-policy)# tunnel-group ANYCONNECT-PROFILE type remote-access
Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# default-group-policy GroupPolicy_ANYCONNECT-PROFILE
Petes-ASA(config-tunnel-general)# address-pool ANYCONNECT-POOL
Petes-ASA(config-tunnel-general)# tunnel-group ANYCONNECT-PROFILE webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# group-alias ANYCONNECT-PROFILE enable

[/box]

7. Then stop any traffic that is going to, (or coming from) the remote clients from being NATTED.

[box]

Petes-ASA(config)# nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup

[/box]

8. Save the changes.

[box]

PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

9. Give it a test from a remote client.

AnyConnect Commands to Copy and Paste

Simply change the values shown in red;

[box]

!
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
!
webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
anyconnect enable
!
username PeteLong password Password123
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
!
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
dns-server value 10.0.0.10 10.0.0.11
wins-server none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!

[/box]

Related Articles, References, Credits, or External Links

Cisco ASA AnyConnect VPN ‘Using ASDM’

AnyConnect: Allow ‘Local’ LAN Access

Cisco AnyConnect – Essentials / Premium Licences Explained

Cisco AnyConnect – PAT External VPN Pool To An Inside Address

AnyConnect (AAA) Authentication Methods

Kerberos Authentication (Cisco ASA)

LDAP Authenticaiton (Cisco ASA)

RADIUS Authentication(Cisco ASA)

Duo 2FA Authentication (Cisco ASA)

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Cisco ASA Site To Site VPN IKEv2 “Using CLI”

KB ID 0001429

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

You want a secure IPSEC VPN between two sites using IKEv2.

Note: If the device you are connecting to does not support IKEv2 (i.e. it’s not a Cisco ASA, or it’s running code older than 8.4) then you need to go to the older version of this article;

Cisco ASA 5500 Site to Site VPN IKEv1 (From CLI)

Solution

Before you start – you need to ask yourself “Do I already have any IPSEC VPN’s configured on this firewall?” Because if it’s not already been done, you need to enable ISAKMP IKEv2 on the outside interface. To ascertain whether yours is on or off, issue a “show run crypto ” command and check the results, if you do NOT see  “crypto ikev2 enable outside” then you need to issue that command.

[box]

PetesASA# show run crypto
crypto ikev2 enable outside << Mines already enabled and its IKE version 2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

[/box]

1. I’m going to create access control lists next, one to tell the ASA what is “Interesting traffic”, that’s traffic that it needs to encrypt.

So below I’m saying “Don’t NAT Traffic from the network behind the ASA (10.254.254.0) that’s going to network behind the VPN device at the other end of the tunnel (172.16.254.0).

[box]

PetesASA(config)#object network Site-A-SN
PetesASA(config-network-object)#subnet 10.254.254.0 255.255.255.0
PetesASA(config)#object network Site-B-SN
PetesASA(config-network-object)#subnet 172.16.254.0 255.255.255.0
PetesASA(config)#access-list VPN-INTERESTING-TRAFFIC line 1 extended permit 
ip object Site-A-SN object Site-B-SN
PetesASA(config)#nat (inside,outside) source static Site-A-SN Site-A-SN 
destination static Site-B-SN Site-B-SN no-proxy-arp route-lookup

[/box]

2. Now I’m going to create a “Tunnel Group” to tell the firewall it’s a site to site VPN tunnel “l2l”, and create a shared secret that will need to be entered at the OTHER end of the site to site VPN Tunnel. I also set a keep alive value.

Note: Ensure the Tunnel Group Name is the IP address of the firewall/device that the other end of the VPN Tunnel is terminating on.

[box]

PetesASA(config)# tunnel-group 123.123.123.123 type ipsec-l2l
PetesASA(config)# tunnel-group 123.123.123.123 ipsec-attributes
PetesASA(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
PetesASA(config-tunnel-ipsec)# exit

[/box]

3. Now we need to create a policy that will setup how “Phase 1” of the VPN tunnel will be established. It sets the encryption type (AES-256), the hashing/integrity algorithm (SHA-256), The Diffie Hellman group exchange version, and the Level of PRF (Pseudo Random Function). Finally it sets the timeout before phase 1 needs to be re-established. It sets the timeout value to 86400 seconds (That’s 1440 Minutes – or 24 hours if your still confused 🙂 ).

[box]

PetesASA(config)# crypto ikev2 policy 10
PetesASA(config-ikev1-policy)# encryption aes-256
PetesASA(config-ikev1-policy)# integrity sha256
PetesASA(config-ikev1-policy)# group 19
PetesASA(config-ikev1-policy)# prf sha256
PetesASA(config-ikev1-policy)# lifetime 86400

[/box]

4. We stated above that we are going to use AES-256 and SHA-256, for Phase 1, so let’s use the same for the IPSEC proposal (Phase 2), ‘Transform Set’.

[box]

PetesASA(config)# crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
PetesASA(config-ipsec-proposal)# protocol esp encryption aes-256
PetesASA(config-ipsec-proposal)# protocol esp integrity sha-1

[/box]

5. Finally we need to create a “Cryptomap”, this is the ‘thing’ that fires up the tunnel, when the ACL INTERESTING TRAFFIC is used, it also defines the transform set for “Phase 2” of the VPN Tunnel, that will also use 3DES and SHA and PFS. And last of all we apply that Cryptomap to the outside interface.

[box]

PetesASA(config)# crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC 
PetesASA(config)# crypto map CRYPTO-MAP 1 set peer 123.123.123.123
PetesASA(config)# crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
PetesASA(config)# crypto map CRYPTO-MAP interface outside
 

[/box]

5. Don’t forget to save your hard work with a “write mem” command.

[box]

PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

6. Simply configure the other end as a “Mirror Image” of this one.

ASA 5500 Site to Site IKEv2 VPN Copy and Paste Config

Note: This uses AES-256 and SHA-256. It also assumes your outside interface is called ‘outside’. Check! I’ve seen them called Outside (capital O), wan, and WAN.

[box]

!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
object network OBJ-SITE-A
subnet 10.0.0.0 255.255.255.0
object network OBJ-SITE-B
subnet 10.0.3.0 255.255.255.0
!

access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B
nat (inside,outside) source static OBJ-SITE-A OBJ-SITE-A destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!
 
[/box]

Simply change the values in red where;

  • 10.0.0.0 255.255.255.0 is the network behind the ASA you are working on.
  • 10.0.3.0 255.255.255.0 is the destination network behind the device you are connecting to.
  • 2.2.2.2 is the peer IP address of the device you are attempting to connect to.
  • 1234567 Is the shared secret you will use at both ends.

Related Articles, References, Credits, or External Links

NA