Cisco ASA VPN to Cisco Router “MM_WAIT_MSG3”

KB ID 0001531

Problem

While migrating a VPN tunnel from an ASA 5520 firewall to a new 5516-X I got this problem. The other end was a Cisco router (2900). As soon as I swapped it over, it was stuck at MM_WAIT_MSG3, and phase 1 would not establish;

[box]

NUFC-ASA5516x(config-tunnel-ipsec)# show crypto isa

IKEv1 SAs:

   Active SA: 6
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 6

1   IKE Peer: 1.1.1.1
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3

[/box]

Debugs didn’t help much either;

[box]

Mar 25 2019 18:50:49: %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 164
Mar 25 2019 18:50:49: %ASA-7-715047: IP = 1.1.1.1, processing SA payload
Mar 25 2019 18:50:49: %ASA-7-713906: IP = 1.1.1.1, Oakley proposal is acceptable
Mar 25 2019 18:50:49: %ASA-7-715047: IP = 1.1.1.1, processing VID payload
Mar 25 2019 18:50:49: %ASA-7-715049: IP = 1.1.1.1, Received NAT-Traversal RFC VID
Mar 25 2019 18:50:49: %ASA-7-715047: IP = 1.1.1.1, processing VID payload
Mar 25 2019 18:50:49: %ASA-7-715047: IP = 1.1.1.1, processing VID payload
Mar 25 2019 18:50:49: %ASA-7-715049: IP = 1.1.1.1, Received NAT-Traversal ver 03 VID
Mar 25 2019 18:50:49: %ASA-7-715047: IP = 1.1.1.1, processing VID payload
Mar 25 2019 18:50:49: %ASA-7-715049: IP = 1.1.1.1, Received NAT-Traversal ver 02 VID
Mar 25 2019 18:50:49: %ASA-7-715047: IP = 1.1.1.1, processing IKE SA payload
Mar 25 2019 18:50:49: %ASA-7-715028: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 8
Mar 25 2019 18:50:49: %ASA-7-715046: IP = 1.1.1.1, constructing ISAKMP SA payload
Mar 25 2019 18:50:49: %ASA-7-715046: IP = 1.1.1.1, constructing NAT-Traversal VID ver RFC payload
Mar 25 2019 18:50:49: %ASA-7-715046: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload
Mar 25 2019 18:50:49: %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Mar 25 2019 18:50:57: %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Mar 25 2019 18:50:59: %ASA-7-713906: IKE Receiver: Packet received on 2.2.2.2:500 from 1.1.1.1:500
Mar 25 2019 18:50:59: %ASA-5-713202: IP = 1.1.1.1, Duplicate first packet detected.  Ignoring packet.
Mar 25 2019 18:51:05: %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Mar 25 2019 18:51:21: %ASA-7-715065: IP = 1.1.1.1, IKE MM Responder FSM error history (struct &0x00007f4d2d293690)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
Mar 25 2019 18:51:21: %ASA-7-713906: IP = 1.1.1.1, IKE SA MM:5f3d6a94 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Mar 25 2019 18:51:21: %ASA-7-713906: IP = 1.1.1.1, sending delete/delete with reason message
Mar 25 2019 18:51:21: %ASA-6-713905: IP = 1.1.1.1, Warning: Ignoring IKE SA (src) without VM bit set

[/box]

Solution

Well, as you can tell from my Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels article MM_WAIT_MSG3 usually happens if something is blocking ISAKMP (UDP 500) in-between the peers. Or there’s a ‘bug’ that needs some newer or older code. The problem was not spotted by me, I was chatting to an ex colleague about it and he knew what it was straight away (annoyingly). The Router had an ACL on its outside interface that was NOT allowing the peer in to establish a VPN.

On the router take a look a the outside interface, and look for an access-list;

[box]

Remote-Router#show run interface GigabitEthernet 0/0
Building configuration...

Current configuration : 214 bytes
!
interface GigabitEthernet0/0
 bandwidth 200000
 ip address 1.1.1.1 255.255.255.248
 ip access-group outside-in in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map CMAP-1
end

Remote-Router#

[/box]

So it’s called outside-in what’s it doing?

[box]

Remote-Router#show access-list outside-in
Extended IP access list outside-in
    10 permit udp any eq domain any
    20 permit icmp any any echo-reply (956 matches)
    30 permit ip 123.123.123.64 0.0.0.15 any (127341882 matches)
    40 permit ip 123.123.123.128 0.0.0.127 any (572 matches)
    50 permit ip 222.222.222.96 0.0.0.15 any (4 matches)
    60 permit ip host 123.123.123.68 any
    70 permit udp host 222.222.222.76 eq ntp any
    80 permit udp host 222.222.222.204 eq ntp any
    90 permit udp host 222.222.222.232 eq ntp any
    100 permit icmp any any (1320 matches)
    110 permit ip 223.223.233.0 0.0.0.255 any

[/box]

Add in our peer IP address;

[box]

Remote-Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Remote-Router(config)#ip access-list extended outside-in
Remote-Router(config-ext-nacl)# permit esp host 2.2.2.2 any
Remote-Router(config-ext-nacl)# permit udp host 2.2.2.2 any eq isakmp
Remote-Router(config-ext-nacl)# permit udp host 2.2.2.2 any eq non500-isakmp
Remote-Router(config-ext-nacl)#exit
Remote-Router(config)# 

[/box]

Let’s just make sure it’s there;

[box]

Remote-Router#show access-list outside-in
Extended IP access list outside-in
    10 permit udp any eq domain any
    20 permit icmp any any echo-reply (956 matches)
    30 permit ip 123.123.123.64 0.0.0.15 any (127341882 matches)
    40 permit ip 123.123.123.128 0.0.0.127 any (572 matches)
    50 permit ip 222.222.222.96 0.0.0.15 any (4 matches)
    60 permit ip host 123.123.123.68 any
    70 permit udp host 222.222.222.76 eq ntp any
    80 permit udp host 222.222.222.204 eq ntp any
    90 permit udp host 222.222.222.232 eq ntp any
    100 permit icmp any any (1320 matches)
    110 permit ip 223.223.233.0 0.0.0.255 any
    120 permit esp host 2.2.2.2 any
    130 permit udp host 2.2.2.2 any eq isakmp
    140 permit udp host 2.2.2.2 any eq non500-isakmp

[/box]

Don’t forget to save the changes with a ‘write mem’ command!

Related Articles, References, Credits, or External Links

Once again, thanks to SteveH for spotting, (in less than sixty seconds) what was wrong.

ADMT (Active Directory Migration Tool) Domain Migration – Part 4

KB ID 0001308 

Problem

On the homeward stretch now, back in Part Three, we migrated service accounts, groups, and users. Now we turn our attention to our machines.

Note ADMT 3.2 Only support the migration of Operating Systems up to Windows 7, (that doesn’t mean Windows 8 and Windows 10 wont work, it just means they are not supported). Migrating Windows 8 and 10 throws a lot of security translation errors, because of the way it treats ‘Apps’, so I’d recommend you do a LOT of testing before carrying out a live migration.

Solution

ADMT Computer Security Translation

Migrating computers is a two-step procedure, you do a security translation on a machine, then you migrate the machine. The security translation adds the security for the user(s) in newdomain.com to all the objects (files, folders, user profiles, and registry hives, etc) that their user account in olddomain.com did. like doing the service account migration (above) the plan is to get everything ready to ‘work’ before the machine is migrated.

Real World Note: This can take a while, (up to an hour for some machines,) and it’s best done without anyone being logged in (to prevent any profiles, or registry hives being locked). So take time to plan when this is done – rush it and you will have problems, and the very users who are too busy to be interrupted, are the very ones that shout the loudest if there’s a problem post migration. I would (if possible) have a stock of prebuilt machines on the new domain in case there’s any migration dramas, at least then you can get people working quickly.

This should be getting familiar by now, accept the defaults.

Select your computer(s) > Select all the options > SELECT ADD > Finish.

Agent Note: You are about to deploy the ADMT agent, make sure you have followed part one and part two. This process will be familiar if you carried out the service translation wizard earlier.

Run the pre check, and agent deploy.

What you will find after translation is all the profiles, and files etc will have the new domain users added alongside the old one with the same rights.

ADMT Computer Migration

Now finally to migrate the machines, ADMT > Computer Migration Wizard.

Select the computers.

Select the Target OU > Tick everything > Add > Select the amount of time to wait before rebooting the machine into the new domain.

Hang About Haven’t we done some of this? Yes, but because you have done the security translation already it can see the ACLs exist as it goes through and skips creating them.

As usual I’m not filtering any attributes > I’ll quit if theres a conflict > Migration should then complete.

Can I migrate Servers With ADMT?

Yes, but you need to have a good think about doing so first? For simple file and print servers that should be OK (Obviously back them up first etc). DONT try and do this with an Exchange server, or any other server that relies on Active directory for its very existence! And wherever possible if you can create clean new servers and migrate your data into them do so!

 

What about Microsoft Exchange and User Mailboxes?

I mentioned Exchange briefly on the user migration, Exchange migrations between domains, are possible, depending on your setup it may be easier to export all the mail form the old system and import it into the new one (use the search bar above. I’ve already written a load of stuff about doing this). In the not to distant future I’ll cover Exchange Inter Organisation Mail migrations.

Readers Note:

As with all the articles here, please provide feedback below, if one thing you have found can save another reader sweat and toil, then that’s the very reason for this site! If you have been with this since part one thanks for staying till the end (PL).

Related Articles, References, Credits, or External Links

NA

Cisco VPN – Split Tunnel Not Working?

KB ID 0001239

Problem

Here I’m dealing with AnyConnect VPNs, but the principles are exactly the same for both remote IPSEC and L2TP VPNs. You connect to your VPN and can no longer browse the internet from your remote location. 

You can confirm that split-tunnelling is working or not by connecting with your VPN client and looking at the routing information.

Solution

Before proceeding are you sure Split-Tunnelling has ever been setup and configured? See the following article.

Cisco ASA – Enable Split Tunnel for IPSEC / SSLVPN / AnyConnect Clients

For Split Tunnelling to work you need;

  • An Access Control List, allowing the networks/IP’s that are protected by your ASA, that you need to access over the VPN.
  • A Group-policy that references the access-list above.
  • A Tunnel Group that references the Group-policy above.

The lines get a bit blurred if you are in the ASDM, in there the terminology, is access control list, group-policy, and connection profile.

Troubleshoot Split Tunnel From CLI

Connect and authenticate an AnyConnect client. Then on the firewall run the following command.

[box]

Petes-ASA# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : petelong               Index        : 4
Assigned IP  : 172.16.1.1             Public IP    : 192.168.100.77
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 14128                  Bytes Rx     : 12305
Group Policy : GroupPolicy_ANYCONNECT-PROFILE
Tunnel Group : ANYCONNECT-PROFILE
Login Time   : 12:49:31 GMT/BST Mon Sep 19 2016
Duration     : 0h:01m:03s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a86e010000400057dfd0cb
Security Grp : none

Petes-ASA#

[/box]

From the output above, we know the name of the Group Policy and the Tunnel Group. The fact we can see BOTH is an indication that the tunnel group is setup correctly, but it does no harm to check.

[box]

Petes-ASA# show run tunnel-group ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable
Petes-ASA#

[/box]

Then check that that group-policy has enabled split tunnelling, and referenced the correct access control list.

[box]

Petes-ASA# show run group-policy  GroupPolicy_ANYCONNECT-PROFILE
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 wins-server none
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value testbench type user
Petes-ASA#

[/box]

Finally take the ACL name (SPLIT-TUNNEL) and make sure that’s OK.

[box]

Petes-ASA# show run access-list SPLIT-TUNNEL
access-list SPLIT-TUNNEL standard permit 192.168.110.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.115.0 255.255.255.0

[/box]

Troubleshoot Split Tunnel From ASDM

As above connect a remote AnyConnect client > Monitoring > VPN > VPN Statistics > Sessions > AnyConnect Client > Select your connected client > Details.

Note: The info we actually want, is shown on this screen, but let’s look at the session anyway.

Now you can see the Group Policy and Connection Profile thats been applied to this user.

Configuration > Remote Access VPN > AnyConnect Connection Profiles > Select the one shown above > Edit.

Check the Group-Policy is correct, (Note: You can manage it directly from here, but I will take the long way round).

Configuration > Remote Access VPN > Network (Client Access) > Group Policies > Select the one shown above > Edit.

Advanced > Split Tunneling > Ensure Policy is ‘untucked’ and set to ‘Tunnel Network List Below’ > Ensure Network list is ‘untucked’ and set to the name of your split tunnel ACL > Manage.

Make sure the network(s) or IP addresses behind your ASA, that you want to access over the VPN, are listed.

 

Related Articles, References, Credits, or External Links

Cisco ASA – Enable Split Tunnel for IPSEC / SSLVPN / AnyConnect Clients

Cisco ASA – Remote VPN Client Internet Access

Cisco ASA – Packet Tracer Fails VPN:Encrypt:Drop

KB ID 0001198

Problem

Sometimes when troubleshooting VPN traffic, you may choose to use the ‘packet-tracer’ command to simulate interesting traffic. I did this today and got;

[box]

Phase: {number}
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
Drop-reason: (acl-drop) Flow is denied by configured rule

[/box]

I replicated the error on the test bench.

Solution

Below is the full packet trace;

[box]

Petes-ASA(config)# packet-tracer input inside tcp 192.168.254.1 www 10.254.254.10 www

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Obj-SiteA Obj-SiteA destination static Obj-SiteB Obj-SiteB no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.254.254.10/80 to 10.254.254.10/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outbound in interface inside
access-list outbound extended permit ip any any
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Obj-SiteA Obj-SiteA destination static Obj-SiteB Obj-SiteB no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.254.1/80 to 192.168.254.1/80

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

[/box]

This is an annoying error, that is difficult to solve. The reason you are seeing this error is because the ACL that defines the ‘interesting traffic’ for the VPN, does not a MIRROR IMAGE ACL on the OTHER VPN endpoint. As soon as this was rectified the packet-trace ran successfully.

[box]

Petes-ASA(config)# packet-tracer input inside tcp 192.168.254.1 www 10.254.254.10 www

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Obj-SiteA Obj-SiteA destination static Obj-SiteB Obj-SiteB no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.254.254.10/80 to 10.254.254.10/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outbound in interface inside
access-list outbound extended permit ip any any
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Obj-SiteA Obj-SiteA destination static Obj-SiteB Obj-SiteB no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.254.1/80 to 192.168.254.1/80

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Obj-SiteA Obj-SiteA destination static Obj-SiteB Obj-SiteB no-proxy-arp route-lookup
Additional Information:

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 359, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

[/box]

Related Articles, References, Credits, or External Links

Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels

ASA Setup FirePOWER Services (for ASDM)

KB ID 0001107 

Problem

Both the 5506-X (rugged version and wireless), and 5508-X now come with a FirePOWER services module inside them. This can be managed from either ASDM* (with OS and ASDM upgraded to the latest version), and via the FireSIGHT management software/appliance.

Related Articles, References, Credits, or External Links

*UPDATE: All ASA ‘Next-Gen’ firewalls can now have their Firepower Service Module managed from the ASDM.

Solution

1. The first thing to do is cable the management interface and the interface you are going to use as the ‘inside’ (LAN) into the same network (VLAN).

2. The next step might seem strange if you are used to working with Cisco firewalls, but you need to make sure there is no IP address configured on the management interface. Try to think of it as just the hole that the FirePOWER services module (which will get its own IP) speaks out though.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# interface Management1/1
Petes-ASA(config-if)# no nameif
WARNING: DHCPD bindings cleared on interface 'management', address pool removed
Petes-ASA(config-if)# no security-level
Petes-ASA(config-if)# no ip address 

[/box]

3. So it should look like this;

[box]

Petes-ASA(config-if)# show run
: Saved

ASA Version 9.3(2)2
!
----Output removed for the sake of brevity----
!
interface Management1/1
management-only
no nameif
no security-level
!
----Output removed for the sake of brevity---- 

[/box]

4. Lets make sure the FirePOWER service module is ‘up’ and healthy.

[box]

Petes-ASA(config)# show module 


Mod  Card Type                                    Model              Serial No.

---- -------------------------------------------- ------------------ -----------

   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD19090XXX

 sfr FirePOWER Services Software Module           ASA5506            JAD19090XXX


Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version

---- --------------------------------- ------------ ------------ ---------------

   1 a46c.2a99.eec5 to a46c.2a99.eece  1.0          1.1.1        9.3(2)2

 sfr a46c.2a99.eec4 to a46c.2a99.eec4  N/A          N/A          5.4.1-211


Mod  SSM Application Name           Status           SSM Application Version

---- ------------------------------ ---------------- --------------------------

 sfr ASA FirePOWER                  Up               5.4.1-211


Mod  Status             Data Plane Status     Compatibility

---- ------------------ --------------------- -------------

   1 Up Sys             Not Applicable

 sfr Up                 Up

[/box]

5. The SFR module is actually a Linux box that’s running within the firewall, to connect to it you issue a ‘session sfr’ command.

  • Default Username: admin
  • Default Password: Sourcefire (capital S)
  • Default Password (after version 6.0.0): Admin123 (capital A)

As this is the first time you have entered the SFR you need to page down (press space) though the sizable EULA, then accept it.

[box]

Petes-ASA(config)# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5506 v5.4.1 (build 211)

Sourcefire3D login: admin

Password: Sourcefire

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Linux OS v5.4.1 (build 12)

Cisco ASA5506 v5.4.1 (build 211)

You must accept the EULA to continue.

Press <ENTER> to display the EULA:

END USER LICENSE AGREEMENTIMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. IT IS VERY

----Output removed for the sake of brevity---- 

Product warranty terms and other information applicable to Cisco products are

available at the following URL: http://www.cisco.com/go/warranty.
----Output removed for the sake of brevity---- 

Please enter 'YES' or press <ENTER> to AGREE to the EULA: YES

[/box]

6. Set a new password.

[box]

System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.

Enter new password: Password123

Confirm new password: Password123

[/box]

7. Set up all the IP and DNS settings, then exit from the module session.

[box]

You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.

Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: manual
Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.100.22
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface []: 192.168.100.1
Enter a fully qualified hostname for this system [Sourcefire3D]: SFire
Enter a comma-separated list of DNS servers or 'none' []: 192.168.100.10,192.168.100.11
Enter a comma-separated list of search domains or 'none' [example.net]: petenetlive.com,pnl.net

If your networking information has changed, you will need to reconnect.

For HTTP Proxy configuration, run 'configure network http-proxy'

Applying 'Default Allow All Traffic' access control policy.
You can register the sensor to a Defense Center and use the Defense Center

----Output removed for the sake of brevity---- 

sensor to the Defense Center.

> exit

Remote card closed command session. Press any key to continue.

[/box]

8. Now you need to ‘send’ traffic though the module, in this case I’m going to send all IP traffic though, I’m also going to set it to ‘fail open’, If you set it to fail closed then traffic will cease to flow though the firewall if the FirePOWER services module goes off-line. I’m making the assumption you have a default policy-map applied.

[box]

Petes-ASA(config)# access-list SFR extended permit ip any any
Petes-ASA(config)# class-map SFR
Petes-ASA(config-cmap)# match access-list SFR
Petes-ASA(config-cmap)# exit

[/box]

9. Add that new class-map to the default policy-map.

WARNING: If you are going to set ‘fail-close‘ then make sure your SFR module is operating normally, or you will cause downtime, best to do this in a maintenance window!)

[box]

Petes-ASA(config)# policy-map global_policy 
Petes-ASA(config-pmap)# class SFR
Petes-ASA(config-pmap-c)# sfr fail-open
Petes-ASA(config-pmap-c)# exit
Petes-ASA(config-pmap)# exit

[/box]

10. Save the changes.

[box]

Petes-ASA(config)# write mem
Building configuration...

Cryptochecksum: 72c138e3 1fa6ec32 31c35497 621cff02

35819 bytes copied in 0.210 secs

[OK]

[/box]

11. At this point the firewall should be able to ping the management IP of the SFR module.

[box]

Petes-ASA# ping 192.168.100.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Petes-ASA#

[/box]

12. Now when you connect to the ASDM you can manage the FirePOWER services module.Note: I have seen some firewalls that flatly refuse to connect to the Firepower Services Module, and give an error ‘unable to connect on port 443’ every time you launch ASDM. I just re-image the module and load in a fresh install (40 mins to an hour), and start again.

Code to Copy & Paste

If you are lazy like me!

[box]

access-list ACL-FirePOWER extended permit ip any any
 class-map CM-SFR
 match access-list ACL-FirePOWER
 exit
policy-map global_policy 
 class CM-SFR
 sfr fail-open
 exit
 exit
write mem

[/box]

Note If you get an unable to connect error see the following article;

Cisco – Cannot Connect to the ASA FirePOWER Module

13. I suggest you update everything first, the ASA will configure an access control policy set to allow and inspect all traffic by default, which we will edit, set everything to update on a schedule, (rule updates and geolocation info).

Cisco FirePOWER Services Adding Licences (ASDM)

In the box with the firewall, you will have an envelope, you don’t need to open it (as below) because the PAK number you need is printed on the outside anyway. This is the firewalls CONTROL LICENCE, it allows it to be managed, we will install it into the ASDM, if you have a SourceFIRE appliance to manage the firewall you would install it there. You need two  bits of information the PAK and the LICENCE KEY of the FirePOWER module, (See Below).

The Licence Key is the MAC address of the Module, (Not the ASA). You can find it at Configuration > ASA FirePOWER Configuration > Licence. This is also where you will add all the licences. Go to www.cisco.com/go/licence and register the licence (and any additional licences i.e. AMP, Web filtering, etc.)

The Licence(s) will be emailed to you open them in a text editor and copy the text of each licence. You can see I’ve indicated below what you should be copying.

Paste that into the ASDM > Submit Licence.

It should say success, if it fails you’ve pasted to much text, or there’s a problem with the licence.

Review you licences, here Ive added AMP and web filtering but Ive yet to add the control licence. If you don’t add the control licence then when you try and edit the access control policy it will say you need a PROTECTION LICENCE (confusingly!)

FirePOWER Services Setup IPS

Disclaimer: These settings, (and allotters below,) are to get you up and running, As with any security device, you need to tune settings accordingly. Please don’t follow these instructions, then email me with complaints that you been attacked by ISIS/Scammers/Bots etc.

You get an IPS/IDS Licence with any of the subscription based licences, its less hassle to set this up before the the access control policy. Configuration > ASA FirePOWER Configuration  > Policies > Intrusion Policy  > Create Policy > Give it a name > I tend to use ‘Balanced Security and connectivity’ look at the other options and choose whichever you prefer > Create and Edit Policy.

Give the policy a name > Commit changes (I accept all the defaults).

FirePOWER Services Enable Malware Inspection and Protection

Note: Obviously this needs you to have added an AMP Licence!

 Configuration > ASA FirePOWER Configuration  > Policies > Intrusion Policy  > Files > New File Policy > Give it a name > Store FirePOWER Changes.

Add new file rule > I add everything  > and Set it to ‘Block Malware’ > Store FirePOWER Changes.

“Store ASA FirePOWER Changes”.

Warning: Nothing will be inspected, until you add this file policy to an access control policy.

ASA FirePOWER Services Edit / Create Access Control Policy

I renamed the default policy, Note: Even though I’ve called it ‘Base-Access-Control-Policy’ you can only apply one policy, you just add different rules to the policy as required. Add Rule.

In Source Networks > Add in ‘Private Networks’ (See Warning Below).

Inspection Tab > Add in the IPS and file policy you created above (That’s why I’ve done it in this order).

I set it to log at the end of the connection  > Add.

“Store ASA FirePOWER Changes”.

FirePOWER Private Networks Warning

Private networks only cover RFC1918 addresses, if you LAN/DMZ etc subnets are different you should create a new Network object, then add the subnets for your network. If you do this, then substitute your network object every time I mention the Private Networks object.

Blocking a Particular URL with FirePOWER Services

Even if you don’t have a Web Filtering licence you can block particular URL’s here Im going to block access to Facebook.  Configuration > ASA FirePOWER Configuration  > Object Management > URL > Individual Objects > Add URL > Note Im adding http and https.

Then add a rule to your existing access control policy ABOVE the permit all rule, (they are processed like ACLS from the top down). Set the source network to your private subnets.

On the URLs tab add in your URL objects and set the action to block with reset, or Interactive block with reset if you want to let the users proceed to Facebook after a warning.

Note: If you have a Web filtering Licence you can select ‘Social Networking’ from the Categories tab, and that would also block Facebook, and Twitter etc.

ASA FirePOWER Services Commit and Deploy The Changes

FirePOWER services behaves the same on-box as it does when you use the SourceFIRE Appliance, you can make changes but nothing gets deployed until you commit the changes. If you have made a change then there will be a ‘Store ASA FirePOWER services button active. Then you need to select File > Deploy FirePOWER Changes.

Note: You will only see the Deploy option on SFR modules running 6.0.0 or newer.

Deploy.

Even now its not deployed, it takes a while, to see progress navigate to Monitoring > ASA FirePOWER Monitoring > Task Status > It will probably have a ‘running’ task.

Wait until the policy deployment says completed before testing.

Related Articles, References, Credits, or External Links

Originally Published 17/11/15

Thanks to Eli Davis for the feedback.

Cisco ASA 5506-X / 5508-X Restart the FirePOWER Service Module

XCOPY – Insufficient Memory

KB ID 0000810 

Problem

If I’m migrating client data, I use Xcopy a lot, especially if I want to preserve the permissions. One of the questions I usually ask is “Do any of your users have file names that are very long, i.e. longer than 256 characters?” Because if you are moving a lot of data and it’s been running for a few hours, then suddenly fails saying ‘Insufficient Memory‘, then that’s probably what the problem is.

Solution

1. At the point of failure, you will have successfully moved some data, so you want a solution that just moves the remaining data, Robocopy will do that for you.

Note: For Server 2008, Server 2008 R2, Server 2012, and Windows Vista/7/8, you will already have Robocopy installed, for older clients you will need to install the 2003 Resource Kit.

[box]

Syntax

robocopy "source" "destination" "options"

robocopy S: D:Shared /MIR /SECFIX /SEC

Note:Robocopy by default will retry 1000000 times, and wait 30 seconds each time (if it has a problem). You might want to add /R:3 /W:1 as switches to stop that.

[/box]

/MIR – Mirror the two locations, this will copy the difference IN BOTH DIRECTIONS! (Simply use /E if you don’t want this).

/SECFIX – Checks the Permissions on ALL FILES as it goes through (to make sure)

/SEC – Copies the data with its security ACL’s intact.

Use Robocopy to copy only newer files/folders

Thankfully this is the default behaviour, simply run the same command again.

Related Articles, References, Credits, or External Links

NA

Cisco Routers – Port Forwarding

KB ID 0000533 

Problem

If you have a server or host that you want to be publicly addressable and only have one public IP address then port forwarding is what you require.

Solution

Assumptions

1. You have a public IP on the outside of your Router.

2. You are performing NAT from your internal range of IP address to your External IP address.

To Make Sure

1. Run the following command:

[box]PetesRouter#show run | include ip nat inside[/box]

You should see a line like,

[box]ip nat inside source list 101 interface Dialer0 overload[/box]

2. That means NAT all traffic that access-list 101 applies to, to Dialer0 (this is an ADSL router and that’s it’s outside interface). To see what traffic is in access-list 101 is issue the following command:

[box]PetesRouter#show run | include access-list 101[/box]

You should see a line like,

[box]access-list 101 permit ip 10.10.0.0 0.0.255.255 any[/box]

3. This means permit (apply this ACL) to all traffic from 10.10.0.0/16 to anywhere. So its set to NAT all traffic from the inside network to the outside network.

4. Finally to see what IP is on your Dialer0 issue the following command:

[box]PetesRouter#show ip interface brief | exclude unassigned[/box]

You should see something like this

Now we know all traffic from 10.10.0.0/24 (All inside traffic) will be NAT translated to 123.123.123.123

Set up Port Forwarding

In this case Ill port forward TCP Port 443 (HTTPS) and TCP Port 25 (SMTP) to an internal Server (10.10.0.1).

1. First set up the static NAT translations.

[box]

PetesRouter#ip nat inside source static tcp 10.10.0.1 443 123.123.123.123 443 extendable
PetesRouter#ip nat inside source static tcp 10.10.0.1 25 123.123.123.123 extendable
OR If you are running with a Public DHCP address

PetesRouter#ip nat inside source static tcp 10.10.0.1 443 interface Dialer0 443
PetesRouter#ip nat inside source static tcp 10.10.0.1 25 interface Dialer0 25

[/box]

2. Second stop that traffic being NATTED with everything else.

[box]

PetesRouter#access-list 101 deny tcp host 10.10.0.1 eq 443 any
PetesRouter#access-list 101 deny tcp host 10.10.0.1 eq 25 any

[/box]

3. Save the changes with “copy run start”, then press enter to access the default name of startup-config:

[box]

PetesRouter#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
PetesRouter#

[/box]

Setup port forwarding and restrict it to an IP or network

For things like HTTPS and SMTP you might want them accessible from anywhere but you might want to lock down access for something like RDP, (TCP port 3389) if that’s the case then you need to do the following.

1. Create a new ACL that allows traffic from you but denies it from everyone else (remember to put an allow a permit at the end).

[box]

PetesRouter#access-list 199 permit tcp host 234.234.234.234 host 123.123.123.123 eq 3389
PetesRouter#access-list 199 deny tcp any host 123.123.123.123 eq 3389
PetesRouter#access-list 199 permit ip any any

[/box]

Note: To allow a network substitute the first line for,

[box]PetesRouter#access-list 199 permit tcp 234.234.234.232 0.0.0.7 host 123.123.123.123 eq 3389[/box]

Note: Cisco Routers use inverted masks, so 234.234.234.232 0.0.0.7 is 234.234.234.232 255.255.255.248 (or/29)

2. Then (as in the example above) create the static NAT translation.

[box]PetesRouter#ip nat inside source static tcp 10.10.0.1 3389 123.123.123.123 3389 extendable[/box]

3. Then (as in the example above) exempt this traffic from the default NAT ACL.

[box]PetesRouter#access-list 101 deny tcp host 10.10.0.1 eq 3389 any[/box]

4. Finally apply the ACL you created inbound on the Dialer0 interface.

[box]

PetesRouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PetesRouter(config)#interface Dialer0
PetesRouter(config-if)#ip access-group 199 in
PetesRouter(config-if)#exit
PetesRouter#

[/box]

5. Save the changes with “copy run start”, then press enter to access the default name of startup-config:

[box]

PetesRouter#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
PetesRouter#

[/box]

Related Articles, References, Credits, or External Links

Cisco PIX / ASA Port Forwarding

Cisco Router – Configure Site to Site IPSEC VPN

KB ID 0000933

Problem

I’ve done thousands of firewall VPN’s but not many that terminate on Cisco Routers. It’s been a few years since I did one, and then I think I was a wuss and used the SDM. So when I was asked to do one last week thankfully I had the configs ready to go.

I’m going to use the IP addresses above, and my tunnel will use the following settings;

  • Encryption: AES.
  • Hashing: SHA.
  • Diffie Hellman: Group 2.
  • PFS: Enabled.
  • Authentication method: Pre-Shared Key.

Solution

1. Setup a policy for phase 1 of the tunnel (ISAKMP).

[box]

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#crypto isakmp key SecretK3y address 1.1.1.2

[/box]

2. Setup an ACL to define what traffic will be encrypted, and a ‘Transform set’ that will dictate the encryption and hashing for phase 2 (IPSEC).

[box]

R1(config)#ip access-list extended VPN-ACL
R1(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config-ext-nacl)#crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac

[/box]

3. Create a ‘Crypto map’ that is used to apply the phase 2 settings to an interface.

[box]

R1(config)#crypto map VPN-C-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 1.1.1.2
R1(config-crypto-map)#set transform-set VPN-TS
R1(config-crypto-map)#match address VPN-ACL

[/box]

4. Apply that crypto map to an interface, (usually the Internet facing one).

[box]

R1(config-crypto-map)#interface Serial0/1/0
R1(config-if)#crypto map VPN-C-MAP
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#exit
R1(config)#

[/box]

5. In most cases your router will be doing NAT, if so you will need to change the ACL that is looking after the NAT for you, look in your running config for something that looks like the following;

[box]

R1#show run
Building configuration...

Current configuration : 1249 bytes
------------output removed for the sake of space------------
!

ip nat inside source list 100 interface Serial0/1/0 overload
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!

------------output removed for the sake of space------------
!
line aux 0
!

[/box]

6. To stop our VPN traffic getting NATTED, we need to put a deny in that ACL, and put it before that permit statement. Remember:

  • Permit=Perform NAT
  • Deny=Don’t perform NAT

On this router (unlike the ASA‘s that I’m more used to), there is no option to define an ACL line number. So its easier to remove the existing one, add the new line then put the original one back. Finally save the changes.

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)#access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)#exit
R1#
%SYS-5-CONFIG_I: Configured from console by console

R1#write mem
Building configuration...
[OK]

[/box]

7. Now at the other site, the config should be a mirror image. I will post it in its entirety, so you can copy and paste it into the router, I will highlight the bits you need to check and change in red.

[box]

crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 2
lifetime 86400
crypto isakmp key SecretK3y address 1.1.1.1
ip access-list extended VPN-ACL
permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac

crypto map VPN-C-MAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set VPN-TS
match address VPN-ACL
interface Serial0/1/0
crypto map VPN-C-MAP

no access-list 100 permit ip 20.20.20.0 0.0.0.255 any
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any

[/box]

8. Test your VPN with the following commands. Note: you need to send some traffic over the VPN before it will establish!

[box]

show crypto isakmp sa
show crypto ipsec sa

[/box]

WARNING: If you have an ACL applied to the routers outside interface, you will need to allow in the Peer IP, like so;

[box]

ip access-list extended outside-in
 permit esp host 1.1.1.1 any
 permit udp host 1.1.1.1 any eq isakmp
 permit udp host 1.1.1.1 any eq non500-isakmp

[/box]

If you do not, the other end will fail Phase 1 with a WAIT_MSG_3 Error!

Related Articles, References, Credits, or External Links

NA

Cisco IOS – Setup Remote Telnet/SSH Management

KB ID 000093

Problem

Having the ability to remotely administer network devices, means I don’t have to get my lazy carcass out of my chair and start fishing console cables out of my bag, also it saves on shoe leather, and travelling time.

Solution

Cisco Router / Switch – Setup Telnet Access

These days people frown at Telnet. It’s an insecure protocol so your password is sent in clear text over the wire, and can be seen by anyone sniffing traffic. For that reason SSH is preferred, but for completeness I’ll start with Telnet.

1. Log in the the device > Go to enable mode > Go to configuration mode > Enable Telnet and set a password.

[box]

Router0>enable
Router0#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router0(config)#line vty 0 4
Router0(config-line)#transport input telnet 
Router0(config-line)# password P@ssword123

[/box]

2. Save the changes and test.

[box]

Router0(config)#exit
Router0#write mem 
Building configuration...
[OK]
Router0#

[/box]

Cisco Router / Switch – Setup SSH Access

1. SSH is a little more involved, before you can connect via SSH, you need a certificate, and before you can generate a certificate, you need a host name and a domain name.

[box]

Router0>enable
Router0#conf terminal
Router0(config)#hostname Petes-Router
Petes-Router(config)#ip domain-name petenetlive.com
Petes-Router(config)#crypto key generate rsa modulus 2048
The name for the keys will be: Petes-Router@petenetlive.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 17 seconds)

Petes-Router(config)#

[/box]

2. Another prerequisite is you need usernames and passwords, these can be managed by a separate AAA solution like RADIUS, TACACS+, or Active Directory. But for this example I’ll simply set them up on the device, and use local authentication.

Note: I set myself up with privilege 15, this means when I log on, I automatically log on at enable mode, the other user account does not, and needs to know the enable password to make any changes.

[box]

Petes-Router(config)#username testuser password testpassword
Petes-Router(config)#username petelong privilege 15 password P@ssword123

[/box]

3. Finally allow remote management via SSH, and save the changes.

[box]

Petes-Router(config)#line vty 0 4
Petes-Router(config-line)#transport input ssh
Petes-Router(config-line)#exit
Petes-Router(config)#exit
Petes-Router#write mem 
Building configuration...
[OK]
Petes-Router#

[/box]

4. Finally you need to enable AAA Authentication to use the local database;

[box]

Petes-Router(config)#aaa new-model
Petes-Router(config)#aaa authentication login default local
Petes-Router(config)#aaa authorization exec default local

[/box]

WARNING

This also will enable username/password authentication for ‘console‘ (rollover cable) access. I dont like that, so I remove that with the following commands;

[box]

Switch(config)#aaa authentication login CONSOLE none
Switch(config)#line console 0
Switch(config-line)#login authentication CONSOLE

[/box]

Cisco Router – Restricting Telnet and SSH Access via Access List

You can lock down access further to remote management, by allowing or denying access from an ACL.

WARNING: If doing this remotely, and just using SSH remember to generate the key and create users FIRST, or you may lock yourself out. If you are worried schedule a reload in twenty minutes, do the work, if it works cancel the reload, if it all explodes, go have a coffee, when you come back it will have reverted back!

Schedule a Router Reload

[box]

Petes-Router#reload in 20
Reload scheduled in 20 minutes by petelong on vty0 (123.123.123.123)
Reload reason: Reload Command
Proceed with reload? [confirm] {Enter}
Petes-Router#

---CARRY OUT THE CHANGES---

Petes-Router#reload cancel
Petes-Router#

***
*** --- SHUTDOWN ABORTED ---
***

[/box]

1. From the top let’s create a user, and setup the RSA key, (skip this step if you have already done this).

[box]

Router0>enable
Router0#conf terminal
Router0(config)#hostname Petes-Router
Petes-Router(config)#ip domain-name petenetlive.com
Petes-Router(config)#crypto key generate rsa modulus 2048
The name for the keys will be: Petes-Router@petenetlive.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 17 seconds)
Petes-Router(config)#

[/box]

2. Now create an access-list to allow and deny access, (usual ACL rules apply).

Note: Port 23 is Telnet and port 22 is SSH

[box]

Petes-Router(config)#ip access-list extended VTY_ACCESS
Petes-Router(config-ext-nacl)#10 permit tcp 123.123.123.123 0.0.0.0 any eq 23
Petes-Router(config-ext-nacl)#20 permit tcp 123.123.123.123 0.0.0.0 any eq 22
Petes-Router(config-ext-nacl)#30 permit tcp 10.1.1.0 0.0.0.255 any eq 23
Petes-Router(config-ext-nacl)#100 deny ip any any
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#

[/box]

2. In this example I will set the transport input to all (that’s Telnet AND SSH), then lock access down the the ACL we have just created.

[box]

Petes-Router(config)#line vty 0 4
Petes-Router(config-line)#transport input all
Petes-Router(config-line)#login local
Petes-Router(config-line)#access-class VTY_ACCESS in
Petes-Router(config-line)#exit
Petes-Router(config)#exit

[/box]

3. Save your changes and test.

[box]

Petes-Router#write mem 
Building configuration...
[OK]
Petes-Router#

[/box]

 

Related Articles, References, Credits, or External Links

NA

Cisco Router – CBAC and Zone Based Firewall Setup

KB ID 0000937 

Problem

IOS 11.2 gave us CBAC, and IOS 12.4(6)T gave us the Zone Based Firewall. You can still use either, (providing you are running the correct IOS, or in the case of version 15 and upwards, added the correct license, ‘securityK9’). For older IOS versions usually you want the advipservices version of the IOS).

Solution

Run the following command to see if you have the correct license installed.

[box]

Petes-Router#show license features 

[/box]

Cisco IOS Setup CBAC (IOS Firewall Classic)

1. Declare the protocols you want to inspect.

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#ip inspect name IOS-FW tcp
Petes-Router(config)#ip inspect name IOS-FW udp
Petes-Router(config)#ip inspect name IOS-FW icmp

[/box]

2. Apply that inspection inbound on the inside interface (that’s traffic going out).

[box]

Petes-Router(config)#interface FastEthernet 0/1
Petes-Router(config-if)#ip inspect IOS-FW in
Petes-Router(config-if)#exit
Petes-Router(config)#

[/box]

4. Apply the inspection inbound on the outside interface (for traffic coming in). And then save the changes.

Note: If you have VPN traffic this will NOT break it.

[box]

Petes-Router(config)#interface Dialer0
Petes-Router(config-if)#ip inspect IOS-FW in
Petes-Router(config-if)#exit
Petes-Router(config)#exit
*Mar 1 00:05:29.875: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#wr mem
Building configuration...
[OK]
Petes-Router#

[/box]

Cisco Zone Based Firewall Setup

The config on ZBF can get quite complicated, I’m simply going to allow traffic out, and block all traffic coming in (apart from traffic that will be coming in over VPN).

Note: CBAC Settings (if used), must be removed before configuring ZBF.

1. The first thing to do is setup the zones, I only have a LAN an WAN to worry about.

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#zone security SZ-INSIDE
Petes-Router(config-sec-zone)#description Local Area Network
Petes-Router(config-sec-zone)#zone security SZ-OUTSIDE
Petes-Router(config-sec-zone)#description Wide Area Network (Internet)
Petes-Router(config-sec-zone)#exit

[/box]

2. Create two ACLs to decide which traffic you want to allow in and out. Note: I’ve also added the subnets for my remote VPN network. I will allow out www (TCP 80), https (TCP 443), and DNS (TCP 53). Inbound everything is blocked apart from my VPN traffic.

Note: I’m not covering setting up the VPN, if you want to know how to do that, see the following article;

Cisco Router – Configure Site to Site IPSEC VPN

Then for each ACL I’m creating a class-map, it’s the class-map that decides what traffic will be inspected, (by inspected, in ZBF terms we mean allowed).

[box]

Petes-Router(config)#ip access-list extended ACL-OUTBOUND
Petes-Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq www
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 443
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 53
Petes-Router(config-ext-nacl)#class-map type inspect match-all CM-OUTBOUND
Petes-Router(config-cmap)#match access-group name ACL-OUTBOUND
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#ip access-list extended ACL-INBOUND
Petes-Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

[/box]

3. Define what to do with the (matched) traffic with a policy-map, this can be set to inspect, log , or drop. We set it to inspect our traffic, and drop, then log everything else.

[box]

Petes-Router(config)#policy-map type inspect PM-OUTBOUND
Petes-Router(config-pmap)#class type inspect CM-OUTBOUND
Petes-Router(config-pmap-c)#inspect
%No specific protocol configured in class CM-OUTBOUND for inspection. All protocols will be inspected

Note: The Above is not really true - we have defined the port in the ACL

Petes-Router(config-pmap-c)#class class-default
Petes-Router(config-pmap-c)#drop log
Petes-Router(config-pmap-c)#exit
Petes-Router(config-pmap)#exit
Petes-Router(config)#policy-map type inspect PM-INBOUND
Petes-Router(config-pmap)#class type inspect CM-INBOUND
Petes-Router(config-pmap-c)#inspect
%No specific protocol configured in class CM-INBOUND for inspection. All protocols will be inspected

Note: The Above is fine, it drops everything that's not VPN traffic anyway.

Petes-Router(config-pmap-c)#class class-default
Petes-Router(config-pmap-c)#drop log
Petes-Router(config-pmap-c)#exit
Petes-Router(config-pmap)#exit

[/box]

4. The last task is to create zone-pairs for the outbound and inbound traffic, then apply our policy-map to them with a service-policy.

[box]

Petes-Router(config)#security ZP-OUTBOUND source SZ-INSIDE destination SZ-OUTSIDE
Petes-Router(config-sec-zone-pair)#service-policy type inspect PM-OUTBOUND
Petes-Router(config-sec-zone-pair)#exit
Petes-Router(config)#security ZP-INBOUND source SZ-OUTSIDE destination SZ-INSIDE
Petes-Router(config-sec-zone-pair)#service-policy type inspect PM-INBOUND
Petes-Router(config-sec-zone-pair)#exit

[/box]

5. Save the changes, sit back, light your pipe, and admire your handiwork.

[box]

Petes-Router(config)#exit
Petes-Router#write mem
Building configuration...
[OK]

[/box]

 

Related Articles, References, Credits, or External Links

NA