Cisco ASA 5585-X Port Numbering

KB ID 0001004 

Problem

Back at the beginning of the year I had to do a firewall design that included an ASA5585-X. I did some searching to find out how the ports were numbered but came up blank, so I took an (incorrect) educated guess.

I unboxed and fired one up today, ran through the port numbering and orientation, and discovered the correct numbering.

Solution

Note: This ASA5585-X also has a CX module fitted. The bottom ‘blade’ is the ASA firewall, and the one at the TOP is the CX module. With the CX module fitted, we get an extra eight Gigabit Ethernet ports and two more 10 Gigabit Ethernet ports.

Port Numbering


Related Articles, References, Credits, or External Links

NA

 

ASA 5585-X Update the CX SSP Module

KB ID 0001005 

Problem

Every piece of documentation I found on upgrading CX SSP modules was for doing so on models other than the ASA5585-X. The (current) latest CLI guide says:

“For the ASA 5585-X hardware module, you must install or upgrade your image from within the ASA CX module. See the ASA CX module documentation for more information.”

Yeah good luck finding that!

Solution

Before I saw the information above, I tried to upgrade the CX module from the ASA; this is the error you get when you try:

[box]PetesASA(config)# hw-module module 1 recover configure url tftp://10.0.41.100/asacx-5500x-boot-9.3.1.1-112.img
ERROR: Module in slot 1 does not support recovery[/box]

Then I tried the update from within the CX module, and got the following error:

[box] asacx>system upgrade ftp://10.0.41.100/asacx-sys-9.3.1.1-112.pkg
Verifying

111
Upgrade aborted.

[/box]

Note: If you have not already found out, the default username is admin and the default password is Admin123. Change that password as soon as the module is on the network; the web UI listed in the console banner is reachable on the same management address.

Turns out that was an error in 3CDaemon, which I use as an FTP server; once I fixed that, I was cooking on gas.

Upgrade the ASA 5585-X CX SSP Module

1. Connect to the CX module’s console port, and you can view the version.

[box] Cisco ASA CX 9.1.2
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg
If you require further assistance please contact us by sending email to
export@cisco.com.

You can access the Web UI from your browser using the following URL(s):
https://192.168.8.8/

asacx login:

[/box]

2. The CX module has its default IP of 192.168.8.8, which I need to change. I’ll do that from the command line on the ASA, like so.

[box] PetesASA(config)# session 1 do setup host ip 10.0.41.34/24,10.1.41.1

Syntax

session 1 do setup host ip {IP Address}/{Subnet Mask},{Default Gateway}

[/box]

3. At this point make sure that Management port 1/0 on the CX module is connected to the network.

4. You can simply ping the new IP, or view it in the ASDM. (Note: here you can also view the CX software version).

5. Now that the CX module and your FTP server are on the same network and you have downloaded the CX software from Cisco, you can perform the upgrade from the console session on the CX module. Check the downloaded package against the checksum Cisco publishes beside it before you stage it on the FTP server; FTP does nothing to protect the image in transit.

Note: Don’t press any keys (unless asked to) while this is going on, or it has a habit of aborting!

[box] asacx>system upgrade ftp://10.0.41.100/asacx-sys-9.3.1.1-112.pkg
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-CX 9.3.1.1-112 System Upgrade
Requires reboot: Yes

NOTE: If this device is being managed by a PRSM server, you must also apply the same upgrade package to the PRSM server or you will not be able to deploy configurations from the PRSM server to this device.

Do you want to continue with upgrade? [y]:y

Doing so might leave system in unusable state.

Upgrading
Starting upgrade process …[ 459.563380] kjournald starting. Commit interval 5 seconds
[ 459.648202] EXT3 FS on sde3, internal journal
[ 459.700274] EXT3-fs: mounted filesystem with ordered data mode.

Populating new system image
Copying over new application components
Cleaning up old application components

Reboot is required to complete the upgrade. Press ‘Enter’ to reboot the system. {Enter}

Broadcast message from root (console) (Fri Oct 3 08:20:59 2014):

The system is going down for reboot NOW!

[/box]

6. After the reboot you can see the new version from the console connection.

[box] Cisco ASA CX 9.3.1.1
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg
If you require further assistance please contact us by sending email to
export@cisco.com.

You can access the Web UI from your browser using the following URL(s):
https://10.0.41.34/
https://[fe80::5af3:9cff:fe05:d2e4]/

asacx login:

[/box]

You can also check the version has updated from within the ASDM.
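Two checks a practitioner would want around this procedure, as an added Python example (not from the original article or from Cisco): verify the package against the SHA-512 Cisco publishes beside the download before it goes anywhere near the FTP server, and after the reboot confirm from the console banner that the module really is on the package’s version rather than still on 9.1.2, which is what an aborted upgrade leaves you with. The package bytes and their digest are constructed here so the example runs offline; in use, the expected digest comes from the download page and the banners are whatever you capture from the console.

```python
import hashlib
import hmac
import re

# Constructed stand-in for asacx-sys-9.3.1.1-112.pkg; not a real Cisco image.
SAMPLE_PACKAGE = b"constructed placeholder bytes standing in for asacx-sys-9.3.1.1-112.pkg"
# In practice this value is the SHA-512 shown next to the file on Cisco's download page;
# it is computed here only so the example runs offline.
SAMPLE_PACKAGE_SHA512 = hashlib.sha512(SAMPLE_PACKAGE).hexdigest()

# Only the first line of each console banner carries the version; the rest of the banner
# (export notice, Web UI URLs, login prompt) is abbreviated here.
BANNER_BEFORE = "Cisco ASA CX 9.1.2\nThis product contains cryptographic features ...\nasacx login:"
BANNER_AFTER = "Cisco ASA CX 9.3.1.1\nThis product contains cryptographic features ...\nasacx login:"

_BANNER_VERSION = re.compile(r"^Cisco ASA CX (\d+(?:\.\d+)+)\s*$", re.MULTILINE)
_PACKAGE_VERSION = re.compile(r"asacx-sys-(\d+(?:\.\d+)+)-\d+\.pkg$")


def parse_cx_version(banner: str) -> tuple:
    """Return the CX version from a console banner as a comparable tuple, e.g. (9, 3, 1, 1)."""
    match = _BANNER_VERSION.search(banner)
    if match is None:
        raise ValueError("banner has no 'Cisco ASA CX <version>' line")
    return tuple(int(part) for part in match.group(1).split("."))


def package_version(filename: str) -> tuple:
    """Version a system package should leave the module on: asacx-sys-9.3.1.1-112.pkg -> (9, 3, 1, 1).
    The trailing -112 is the build number, which the banner does not print."""
    match = _PACKAGE_VERSION.search(filename)
    if match is None:
        raise ValueError(f"{filename!r} is not an asacx-sys-<version>-<build>.pkg name")
    return tuple(int(part) for part in match.group(1).split("."))


def package_digest_ok(data: bytes, expected_sha512_hex: str) -> bool:
    """Compare the SHA-512 of the bytes you are about to stage on the FTP server with the published value."""
    actual = hashlib.sha512(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha512_hex.strip().lower())


def package_file_digest_ok(path: str, expected_sha512_hex: str) -> bool:
    """Same check for a package on disk, read in 1 MiB chunks so large images do not sit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected_sha512_hex.strip().lower())


def upgrade_succeeded(banner_before: str, banner_after: str, package_filename: str) -> bool:
    """True only if the post-reboot banner shows the package's version and it is newer than before.
    An aborted upgrade leaves the banner unchanged, which this reports as a failure."""
    before = parse_cx_version(banner_before)
    after = parse_cx_version(banner_after)
    return after == package_version(package_filename) and after > before
```

Run package_file_digest_ok against the real .pkg with the published digest before staging it, and upgrade_succeeded against the two captured banners after the reboot; a False from the second is your cue to look at the console log rather than assume the ‘Upgrade aborted’ case did not happen.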

 

Related Articles, References, Credits, or External Links

NA

 

Cisco AnyConnect – Securing with Microsoft Certificate Services

Part 2 (How to Configure AnyConnect)

KB ID 0001031

Problem

Back in Part 1 we configured Microsoft Certificate Services to meet our certificate needs. Now we configure the firewall for AnyConnect.

Solution

1. Log on to the ASA and go to global configuration mode.

[box]

login as: petelong
petelong@192.168.100.1's password:**********
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: *******
Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

2. Enable DNS lookups on the inside interface (the ASA needs to resolve the CRL distribution point names in the certificates it checks).

[box]

Petes-ASA(config)# dns domain-lookup inside
Petes-ASA(config)# dns server-group DefaultDNS
Petes-ASA(config-dns-server-group)# name-server 192.168.1.10
Petes-ASA(config-dns-server-group)# exit
Petes-ASA(config)#

[/box]

3. Enable NTP time sync (here I’m using an external IP in the UK). Accurate time matters here: certificate and CRL validity periods are checked against the ASA clock, and a badly skewed clock will reject perfectly good certificates.

[box]

Petes-ASA(config)# ntp server 130.88.212.143 source outside

[/box]

4. Copy over the AnyConnect image from a TFTP server.

[box]

Petes-ASA(config)# copy tftp flash

Address or name of remote host [] 192.168.100.10

Source filename [] anyconnect-win-3.1.06079-k9.pkg

Destination filename [anyconnect-win-3.1.06079-k9.pkg]{Enter}

Accessing tftp://192.168.100.10/anyconnect-win-3.1.06079-k9.pkg...!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-3.1.06079-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

37984585 bytes copied in 69.650 secs (550501 bytes/sec)

[/box]

5. Set up AnyConnect. I’ve covered this before here, if you want to know what all these commands are for. Note: the testuser account exists only so you can test the tunnel before certificate authentication is in place (step 12); remove it afterwards. The final nat line is the exemption that stops AnyConnect traffic being translated, and it must name the AnyConnect subnet object as both the real and the mapped destination.

[box]

Petes-ASA(config)# ip local pool AnyConnect-Pool 172.16.1.1-172.16.1.254 mask 255.255.255.0
Petes-ASA(config)# object network Obj-AnyConnect-Subnet
Petes-ASA(config-network-object)# subnet 172.16.1.0 255.255.255.0
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg
Petes-ASA(config-webvpn)# anyconnect enable
Petes-ASA(config-webvpn)# exit
Petes-ASA(config)# username testuser password Password1
Petes-ASA(config)# access-list Split-Tunnel permit 192.168.100.0 255.255.255.0
Petes-ASA(config)# group-policy AnyConnectProfile internal
Petes-ASA(config)# group-policy AnyConnectProfile attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client
Petes-ASA(config-group-policy)# dns-server value 192.168.100.10
Petes-ASA(config-group-policy)# wins-server none
Petes-ASA(config-group-policy)# split-tunnel-policy tunnelspecified
Petes-ASA(config-group-policy)# split-tunnel-network-list value Split-Tunnel
Petes-ASA(config-group-policy)# default-domain value petenetlive.com
Petes-ASA(config-group-policy)# exit
Petes-ASA(config)# tunnel-group AnyConnectProfile type remote-access
Petes-ASA(config)# tunnel-group AnyConnectProfile general-attributes
Petes-ASA(config-tunnel-general)# default-group-policy AnyConnectProfile
Petes-ASA(config-tunnel-general)# address-pool AnyConnect-Pool
Petes-ASA(config-tunnel-general)# tunnel-group AnyConnectProfile webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# group-alias AnyConnectProfile enable
Petes-ASA(config-tunnel-webvpn)# exit
Petes-ASA(config)# nat (inside,outside) 2 source static any any destination static Obj-AnyConnect-Subnet Obj-AnyConnect-Subnet no-proxy-arp route-lookup

[/box]

6. Set the ASA up to get a certificate from NDES; start by generating an RSA key pair.

[box]

Petes-ASA(config)# crypto key generate rsa label PNL-Key modulus 2048 noconfirm

[/box]

7. Set up a certificate trustpoint. (Note: mine checks CRLs; if you do the same, make sure your PKI deployment has CRL locations set up and configured properly.)

[box]

Petes-ASA(config)# crypto ca trustpoint PNL-Trustpoint
Petes-ASA(config-ca-trustpoint)# enrollment url http://192.168.100.11/certsrv/mscep/mscep.dll
Petes-ASA(config-ca-trustpoint)# revocation-check crl
Petes-ASA(config-ca-trustpoint)# keypair PNL-Key
Petes-ASA(config-ca-trustpoint)# id-usage ssl-ipsec
Petes-ASA(config-ca-trustpoint)# enrollment retry count 3
Petes-ASA(config-ca-trustpoint)# enrollment retry period 5
Petes-ASA(config-ca-trustpoint)# fqdn vpn.petenetlive.com
Petes-ASA(config-ca-trustpoint)# subject-name CN=vpn.petenetlive.com,OU=IS,O=PeteNetLive,C=GB,St=Teesside,L=Middlesbrough,EA=pl@petenetlive.com

[/box]

8. Get your CA certificate from NDES. Before you answer yes, check the fingerprint the ASA prints against the CA certificate you obtained out of band (for example, exported on the CA server itself); this prompt is the only thing authenticating the CA, because the enrollment URL is plain HTTP. If you already know the fingerprint you can pass it on the command line (crypto ca authenticate PNL-Trustpoint fingerprint <hexvalue>) and the ASA will refuse a CA certificate that does not match. (Note: if you have multiple issuing servers then you may need to manually import the CA certs for them later, or some clients will work and others won’t, depending on which issuing CA issued the computer or user certificates! Good luck troubleshooting that if you forget!)

[box]

Petes-ASA(config-ca-trustpoint)# crypto ca authenticate PNL-Trustpoint

INFO: Certificate has the following attributes:
Fingerprint: cc528d62 112a5704 bd444535 53353d0e
Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.
Petes-ASA(config)#

[/box]
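An added example (Python, not from the original article or from Cisco) of doing that comparison rather than eyeballing it: it pulls the fingerprint out of the prompt text and compares it, in constant time, with the digest of a CA certificate you exported in DER form from the CA server. It assumes the 128-bit fingerprint the ASA prints is the MD5 digest of the DER-encoded certificate; the certificate bytes below are a constructed placeholder, so they will not match the fingerprint shown above.

```python
import hashlib
import hmac
import re

# The prompt exactly as the ASA printed it in step 8.
ASA_PROMPT = """INFO: Certificate has the following attributes:
Fingerprint: cc528d62 112a5704 bd444535 53353d0e
Do you accept this certificate? [yes/no]:"""

# Constructed stand-in for the DER-encoded CA certificate exported from the issuing CA
# (not a real X.509 certificate, so it will not match the prompt above).
SAMPLE_CA_DER = b"constructed bytes standing in for the CA certificate in DER form"

_FINGERPRINT_LINE = re.compile(r"^Fingerprint:\s*((?:[0-9a-fA-F]{8}\s*){4})$", re.MULTILINE)


def fingerprint_from_prompt(prompt: str) -> str:
    """Pull the 128-bit fingerprint out of the crypto ca authenticate prompt as 32 lowercase hex digits."""
    match = _FINGERPRINT_LINE.search(prompt)
    if match is None:
        raise ValueError("no Fingerprint: line in prompt")
    return re.sub(r"\s+", "", match.group(1)).lower()


def asa_style_fingerprint(der: bytes) -> str:
    """MD5 of the DER certificate, printed the way the ASA prints it (four groups of eight hex digits).
    Assumption: the ASA's 128-bit fingerprint is the MD5 digest of the DER-encoded certificate."""
    digest = hashlib.md5(der).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))


def ca_cert_matches_prompt(prompt: str, der: bytes) -> bool:
    """True when the certificate you hold out of band is the one the ASA is asking you to trust."""
    expected = hashlib.md5(der).hexdigest()
    return hmac.compare_digest(expected, fingerprint_from_prompt(prompt))
```

Export the CA certificate in DER form on the CA itself (not via the NDES URL the ASA is talking to), feed its bytes to ca_cert_matches_prompt with the text of the prompt, and only answer yes on True.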

9. Get the identity certificate for the ASA (this will be created from either the ‘IPSEC (Offline request)’ template or your custom one, if you changed it).

[box]

Petes-ASA(config)# crypto ca enroll PNL-Trustpoint

Would you like to continue with this enrollment? [yes/no]: yes
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ********
Re-enter password: ********

% The subject name in the certificate will be: CN=vpn.petenetlive.com,OU=IS,O=PeteNetLive,C=GB,St=Teesside,L=Middlesbrough,EA=pl@petenetlive.com

% The fully-qualified domain name in the certificate will be: vpn.petenetlive.com

% Include the device serial number in the subject name? [yes/no]: no

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
Petes-ASA(config)#

[/box]

10. Take a look at your running config and you should now see two certificates (big blocks of hex). Or simply go to the Certificate Services server and check that the cert was issued.

Or you can look in the ASDM.

11. Enable the cert on the outside interface. (Note: the ssl encryption line below is as it appeared on the box, cut off at the terminal width. It still lists rc4-sha1, which has been prohibited in TLS since RFC 7465; drop RC4 from the list on anything you deploy now and leave the AES suites.)

[box]Petes-ASA(config)# ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes$
Petes-ASA(config)# ssl trust-point PNL-Trustpoint outside[/box]

12. Finally, change the AnyConnect tunnel group to use certificate authentication.

[box]

Petes-ASA(config)# tunnel-group AnyConnectProfile webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# authentication certificate
Petes-ASA(config-tunnel-webvpn)# exit

[/box]

13. Don’t forget to save the changes.

[box]

Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: 063a55a7 0ddf34dd a80373cd 0bc5e269

11299 bytes copied in 1.330 secs (11299 bytes/sec)
[OK]
Petes-ASA(config)#

[/box]

14. Take a client with the correct certificates on to an external Internet connection and test.

15. To make the connection seamless (without any user intervention), add a group-url and disable ‘tunnel-group-list’.

[box]

Petes-ASA(config)# tunnel-group AnyConnectProfile webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# group-url https://vpn.petenetlive.com enable
Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# no tunnel-group-list enable

[/box]
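Having typed all of this in, it is worth running a review over the resulting configuration. The following is an added Python example (not from the original article or from Cisco) that audits a running-config excerpt for the points raised in the steps above: RC4 left in the ssl encryption list, the tunnel-group-list drop-down still enabled, the testuser account still present, a trustpoint with no revocation checking, no NTP server, and CRL checking without DNS resolution. The two config excerpts are constructed from the commands in this article in show run style; the finding codes and advice strings are this example’s own.

```python
import re
from dataclasses import dataclass

# Constructed running-config excerpt in ASA style, assembled from the commands entered in
# the steps above (indented lines belong to the command above them, as in 'show run').
SAMPLE_CONFIG = """\
dns domain-lookup inside
ntp server 130.88.212.143 source outside
username testuser password Password1
webvpn
 enable outside
 tunnel-group-list enable
 anyconnect enable
crypto ca trustpoint PNL-Trustpoint
 enrollment url http://192.168.100.11/certsrv/mscep/mscep.dll
 revocation-check crl
ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1
ssl trust-point PNL-Trustpoint outside
tunnel-group AnyConnectProfile webvpn-attributes
 authentication certificate
 group-url https://vpn.petenetlive.com enable
"""

# The same excerpt after acting on the findings: RC4 gone, test account removed,
# group drop-down disabled (step 15), everything else unchanged.
HARDENED_CONFIG = """\
dns domain-lookup inside
ntp server 130.88.212.143 source outside
webvpn
 enable outside
 anyconnect enable
crypto ca trustpoint PNL-Trustpoint
 enrollment url http://192.168.100.11/certsrv/mscep/mscep.dll
 revocation-check crl
ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1
ssl trust-point PNL-Trustpoint outside
tunnel-group AnyConnectProfile webvpn-attributes
 authentication certificate
 group-url https://vpn.petenetlive.com enable
"""

# Substrings of ASA cipher names that mark a suite as not fit for use (RC4, DES/3DES, NULL).
WEAK_CIPHER_MARKERS = ("rc4", "des-", "null")


@dataclass(frozen=True)
class Finding:
    code: str
    line: str
    advice: str


def _blocks(config: str):
    """Yield (top-level command, [indented sub-commands]) pairs from show-run style text."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if header is not None:
                body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def audit_anyconnect_config(config: str) -> list:
    """Return the findings a reviewer would raise against the configuration built in the steps above."""
    findings = []
    have_ntp = have_dns = crl_checking = False
    for header, body in _blocks(config):
        if header.startswith("ntp server "):
            have_ntp = True
        elif header.startswith("dns domain-lookup "):
            have_dns = True
        elif header.startswith("ssl encryption "):
            for cipher in header.split()[2:]:
                if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
                    findings.append(Finding("weak-ssl-cipher", header,
                                            f"remove {cipher}; clients still negotiate the AES suites"))
        elif header == "webvpn" and "tunnel-group-list enable" in body:
            findings.append(Finding("tunnel-group-list", header,
                                    "disable the group drop-down once clients connect via group-url"))
        elif header.startswith("username ") and " password " in header:
            findings.append(Finding("local-user", header,
                                    "remove test accounts once certificate authentication is verified"))
        elif header.startswith("crypto ca trustpoint "):
            checks = [b for b in body if b.startswith("revocation-check ") and b != "revocation-check none"]
            if checks:
                crl_checking = True
            else:
                findings.append(Finding("no-revocation-check", header,
                                        "add 'revocation-check crl' so revoked client certificates are rejected"))
    if not have_ntp:
        findings.append(Finding("no-ntp", "(global)",
                                "add an ntp server; certificate and CRL validity is checked against the ASA clock"))
    if crl_checking and not have_dns:
        findings.append(Finding("crl-without-dns", "(global)",
                                "enable dns domain-lookup so CRL distribution point names resolve"))
    return findings


def finding_codes(config: str) -> set:
    """Just the finding codes, handy for gating a change on 'no findings'."""
    return {f.code for f in audit_anyconnect_config(config)}
```

Feed it the output of show running-config (the parser only cares that sub-commands are indented under their parent, which is how the ASA prints them); an empty result from finding_codes is the state the hardened excerpt is in.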

AnyConnect Client Profiles

Now if you have been following along from the beginning, you will remember my client wants an ‘always on’ connection, and they want to allow ‘local LAN’ access to the remote client. This is done by configuring an ‘AnyConnect Client Profile’, which has to be done from the ASDM.

Open the ASDM and navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Add > Name the profile and assign it to your AnyConnect Group Policy.

Note: Here is where you specify ‘always on’.

Note: If you cannot see this option make sure you have an AnyConnect software package loaded into the firewall.

You can now select and open this profile, and a separate profile editor window will open, where you can allow LAN access, specify reconnect, and get the connection to auto-connect.

Related Articles, References, Credits, or External Links

NA