A while back I ran though “Managing Cisco ASA devices via the ASDM with Ubuntu“, I prefer to work at command line, with a new firewall my only choice is via the console port, In a windows environment I can fire up Hyperterminal and I’m away. With Linux there a couple of things to do first.
Solution
Step 1 (Get the Serial / RS232 / COM Port working)
As pictured above, this is being done on my Acer Netbook so I don’t have a serial port. I need to use a USB to Serial converter, If your machine has a serial port then simply skip this section.
1. Plug in your serial converter and wait a few seconds, open a terminal window (Applications > Accessories > Terminal) and issue the following command,
[box]dmesg[/box]
2. Amazingly it looks like been installed with the correct driver, without any effort by me at all! Lets make sure, unplug the USB to serial converter then issue the following command,
[box]lusb[/box]
Then plug the device back in and run the same command, notice the serial port has popped onto the list.
Note: If you not as lucky as me follow the excellent advice here to install the drivers you need.
Step 2 Install and Configure Minicom
1. Open a terminal window and issue the following command,
[box]sudo apt-get install minicom[/box]
Tap in your password, then enter “Y” for yes when prompted.
4. We need to know the connection name for the USB to Serial converter, issue the following command (See mines called ttyUSB0).
[box]dmesg | grep tty[/box]
5. Now lets fire up Minicom with the following command,
[box]sudo minicom[/box]
Tap in your password again, then as requested press CTRL+A, then Z.
6. To configure the serial settings press O (that’s O for Oscar not zero).
7. Select “Serial Port Setup”.
8. Press A to set the device.
9. As we discovered (above) ours is called ttyUSB0, so change the device to /dev/ttyUSB0.
10. Press C to change the connection speed to 9600 baud, Press Q (to set 8 bits, no stop bit, and 1 parity bit. On mine this was set by default), press {enter} to exit.
11. Press F to turn off hardware flow control (Some posts will say leave it on, I generally turn if off and I’ve never seen anything break!). Press G to disable software flow control (if enabled).
12. Then Select “Save setup as..”, and give is a sensible name. (If you went back too far simply press O again to get back here).
13. Now the settings are saved you can launch them at anytime with,
[box]sudo minicom {filename}[/box]
Note: Sometimes your serial drive gets locked up but a reboot will solve the problem.
14. Here’s me connected to an ancient old catalyst switch.
While attempting to connect to a Cisco firewall with a Linux client (In my case Ubuntu 10.10,) using AnyConnect you see the following error.
Or on MAC OSX
Error: Cisco AnyConnect VPN Client
The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again.
Note: You may also see this error on a Mac OSX, or a Windows CE machine.
2. Save the new config > File > “Save Running Configuration to flash”.
Cisco PIX (Version 6) Firewalls – Disable Web Management
If you are stuck on version 6, i.e. you are running a PIX 506E or PIX 501, then you CANNOT change the PDM port. you only option is to disable the PDM if you want to port forward https / ssl / TCP Port 443.
Related Articles, References, Credits, or External Links
I had a client the other week with about 25 sites, his core site was changing ISP and therefore changing its IP address. On the main site this is pretty straightforward, just change the outside interfaces IP address, sub net mask and the default route (That’s the default gateway for non cisco-ites).
All well and good, but what about his other 24 sites? They all had VPN’s back to the main site, and all these VPN’s were “hairpinned” together for “spoke to spoke” communication.
Well you can simply delete the VPNs and recreate them, but multiply that by 24 – then add on all the extra config for the hairpins and that’s a massive amount of work (and for the client a LOT of downtime.) So a swift config change on the remote sites is a much better idea.
For Cisco PIX firewalls running version 6 click here.
3. To see all the cryptomaps issue a “show run crypto map” command. (you may see more or less depending on the amount of VPN tunnels you have.
[box]
RemoteSite(config)# show run crypto map
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 123.123.123.123 <<<< Here it is!!!
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 133.133.133.133
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 144.144.144.144
crypto map outside_map 4 set transform-set ESP-3DES-SHA
RemoteSite(config)#[/box]
4. From the example above we can see the tunnel we want to change is using “outside_map 2” so lets remove the entry for the old IP address and put one in for the new IP address.
[box]
RemoteSite(config)# no crypto map outside_map 2 set peer 123.123.123.123
WARNING: The crypto map entry will be incomplete!
RemoteSite(config)# crypto map outside_map 2 set peer 234.234.234.234
RemoteSite(config)#[/box]
5. That’s the cryptomap changed, now for the tunnel group. You can see all your tunnel groups with a “sho run tun” command.
[box]
RemoteSite(config)# sho run tun
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
pre-shared-key *****
tunnel-group 123.123.123.123 type ipsec-l2l <<<< Here it is!!!
tunnel-group 123.123.123.123 ipsec-attributes
pre-shared-key *****
tunnel-group 133.133.133.133 type ipsec-l2l
tunnel-group 133.133.133.133 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 20 retry 2
tunnel-group 144.144.144.144 type ipsec-l2l
tunnel-group 144.144.144.144 ipsec-attributes
pre-shared-key *****[/box]
6. To delete a tunnel group, you use the “clear config tunnel-group” command.
Note: Before you delete it, make sure you know the pre shared key / shared secret – to see this, issue a “more system:running-config” command.
RemoteSite(config)# write mem
Building configuration...
Cryptochecksum: f3645705 ae6bafda c5606697 ecd61948
9830 bytes copied in 1.550 secs (9830 bytes/sec)
[OK]
RemoteSite(config)#
[/box]
9. Job done!
Well that didn’t seem very quick? No, but for the sake of explanation I did go a little deep, if you have multiple sites, just have the following in notepad.
configure terminal
no crypto map outside_map 2 set peer 123.123.123.123
crypto map outside_map 2 set peer 234.234.234.234
clear config tunnel-group 123.123.123.123
tunnel-group 234.234.234.234 type ipsec-l2l
tunnel-group 234.234.234.234 ipsec-attributes
pre-shared-key 123456789
write mem
Then simply jump from site to site changing the cryptomap name and shared secret for each one. If you get all this info first, you can migrate hundreds of sites in minutes, (That’s why I prefer command line to GUI ASDM).
Option 2 From ASDM
1. Connect to the ASDM, Configuration > Site-to-Site VPN > Advanced > Crypto Maps > Select the cryptomap going to 123.123.123.123 > Edit > Add the new IP Address.
2. Remove the old one > OK > Apply.
3. Configuration > Site-to-Site VPN > Advanced > Tunnel Groups > Select the old one > Delete > Apply.
4. Then to add a new one > Add > Set the Tunnel group name to the new IP > Enter the shared secret > OK > Apply.
5. Finally Save the changes > File > Save running configuration to Flash.
Cisco PIX (Version 6)
For older firewalls you will notice there is no “Tunnel-Group”, these came in with version 7. The process is similar, again you have to change the peer entry in the cryptomap, but you also need to set an isakmp peer.
no crypto map outside_map 20 set peer 123.123.123.123
crypto map outside_map 20 set peer 234.234.234.234
no isakmp key ******** address 123.123.123.123 netmask 255.255.255.255
isakmp key 123456789 address 234.234.234.234 netmask 255.255.255.255
Related Articles, References, Credits, or External Links
Even though I prefer to use command line, there are times I need to manage Cisco firewalls from the ASDM. To do this from my Netbook running Ubuntu 10.10 it was not as straight forward as I was used to.
Solution
In my scenario I’m using Ubuntu 10.10 Desktop Edition, Chrome as my browser, and the ASDM is running version 6.3(1).
2. Connect to the web console of the firewall using its configured IP Address, Chrome by default will download the Java file (which I’ve written about before). Normally this is annoying, but here it’s a good thing, by default it will drop the file in your home folder in the downloads directory, for simplicity I moved it to the root of my home folder. Then open a terminal window (Applications > Accessories > Terminal), and execute the following command.
[box]javaws asdm.jnlp[/box]
3. After a little while, you will be prompted to accept the certificate (The self signed certificate on the server will not be trusted that’s OK).
4. After entering your password (User name will be blank, unless you have enabled AAA). the ASDM will open.
5. Thankfully, you only need to do this the first time you connect, the next time you try it will open the ASDM password prompt and run correctly.
Related Articles, References, Credits, or External Links
AnyConnect runs over TCP port 443 (That’s HTTPS/SSL), but if you only have one public IP and need to forward that port to a web server or internal host then you are a bit snookered. You can of course change the port that AnyConnect runs over, so that it’s no longer on TCP port 443.
Why you would NOT want to do this.
Bear in mind that https is a well known port, and its open in most places for secure web traffic. You use it when you purchase things over the internet, or do your banking. For that reason it’s allowed from most networks, and through most firewalls. Which is what makes AnyConnect so handy, if you change the port then you may have some connection problems.
Solution
Assuming you accept the potential problems and want to swap the port over then do the following.
3. You can’t change the port while AnyConnect is enabled, so you need to disable it, change the port then re-enable it again (in this example I’ve changed it to port 444).
[box]
PetesASA(config)# webvpn
PetesASA(config-webvpn)# no enable outside
WARNING: Disabling webvpn removes proxy-bypass settings.
Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.
INFO: WebVPN and DTLS are disabled on 'outside'.
PetesASA(config-webvpn)# port 444
PetesASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
PetesASA(config-webvpn)#
[/box]
4. Save the changes with a write mem command.
[box]
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: f3645705 ae6bafda c5606697 ecd61948
9830 bytes copied in 1.550 secs (9830 bytes/sec)
[OK]
PetesASA(config)#