RDP to Multiple Servers with a Cisco PIX/ASA Firewall

KB ID 0000167 

Problem

WARNING: Allowing RDP traffic from ‘any’ IP is a monumentally bad idea. ONLY allow RDP traffic from trusted hosts/networks, or better still, limit RDP to clients/locations that have their traffic protected by a VPN.

You want to connect via “Remote Desktop” to multiple servers behind your firewall. To do this you have three options.

Note: This is an old article that refers to ‘pre 8.3’ code, for modern firewalls see this article.

Solution

Option 1 (Use if you have multiple free Public IP addresses)

Connect to the firewall, go to enable mode, then go to “Configure Terminal Mode”, and create a name entry for each server’s public and private address.

[box]

Petes-ASA> en
Password: *********
Petes-ASA#configure terminal
Petes-ASA(config)# name 192.168.1.1 Server1-Internal
Petes-ASA(config)# name 192.168.1.2 Server2-Internal
Petes-ASA(config)# name 123.123.123.123 Server1-External
Petes-ASA(config)# name 123.123.123.124 Server2-External

[/box]

Now allow RDP to both of the servers with an access control list and apply that access control list to the outside interface. (Note: if you already have an inbound ACL, simply substitute its name for “inbound”. This also assumes a static translation from each public address to its internal server is already in place.)

[box]

Petes-ASA(config)# access-list inbound extended permit tcp host 123.123.123.123 host Server1-External eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp host 123.123.123.123 host Server2-External eq 3389
Petes-ASA(config)# access-group inbound in interface outside

[/box]

 

Option 2 (Uses Port Forwarding and uses a different port for each server).

To deploy this option the ASA will accept the connection for each server on a different port, so each server’s RDP listener must be changed to listen on its own port (the firewall does not translate the port in this option).

Connect to the firewall, go to enable mode, then go to “Configure Terminal Mode” then allow each port you are going to use (in this case 3389 and 3390).

[box]

Petes-ASA> en
Password: *********
Petes-ASA#configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp host 123.123.123.123 interface outside eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp host 123.123.123.123 interface outside eq 3390

[/box]

Then Port Forward those ports to the correct internal servers.

[box]

Petes-ASA(config)# static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.2 3390 netmask 255.255.255.255

[/box]

 

Option 3 (Uses Port Forwarding, accepts a different port for each server, and translates each one to RDP 3389).

This differs from option 2 because in this example the firewall will translate each incoming port to RDP 3389 and send it to the correct server, so the servers themselves keep listening on the default port.

[box]

Petes-ASA> en
Password: *********
Petes-ASA#configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp host 123.123.123.123 interface outside eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp host 123.123.123.123 interface outside eq 3390

[/box]

Then Port Forward AND TRANSLATE those ports to the correct internal servers.

[box]

Petes-ASA(config)# static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.2 3389 netmask 255.255.255.255

[/box]

Related Articles, References, Credits, or External Links

NA

Set Cisco ASA for Kerberos Authentication

KB ID 0000039

Problem

You want to set up a Cisco ASA to authenticate users (VPN access for example).

Solution

Kerberos can only be used as an authentication protocol on the ASA, so it’s fine for allowing VPN connections but not for assigning policies etc. For it to work, both the ASA and the domain need to be showing accurate time.

Step 1: Set the ASA to get time from an External NTP Server

1. Log onto the ASA > Go to “Enable Mode” > Issue the following command;

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ntp server 130.88.212.143 source outside

[/box]

Note: that’s a public time server in the UK (Manchester University) that I use. You may want to use another.

2. To check the ASA has synchronised, issue a ‘show ntp status‘ command.

[box]

If you see a message like the following, go and have a coffee.
Petes-ASA(config)# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
What you are looking for is "Clock is synchronized"
Petes-ASA(config)# show ntp status
Clock is synchronized, stratum 3, reference is 130.88.212.143
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cdd7b741.119bcc72 (16:13:53.068 UTC Mon Jun 8 2009)
clock offset is 15.0836 msec, root delay is 56.50 msec
root dispersion is 15931.63 msec, peer dispersion is 15890.63 msec

[/box]

3. Save the update to your firewall with a “write mem” command.


[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]
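The two ‘show ntp status‘ outputs quoted in Step 1 are the thing to check before going anywhere near Kerberos. As an added example (not part of the original article), the small parser below reads that output, tells you whether the ASA considers itself synchronised, and applies the 300-second Kerberos skew tolerance quoted in the error message at the end of this article. The sample text is the article’s own output, pasted in as constructed test data; note the offset reported here is the ASA’s offset from its NTP source, so it says nothing about the domain controller, which must be synchronised separately (Step 2).

```python
import re

# Constructed samples: the two 'show ntp status' outputs quoted in Step 1 of this article.
UNSYNCED = """Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec"""

SYNCED = """Clock is synchronized, stratum 3, reference is 130.88.212.143
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cdd7b741.119bcc72 (16:13:53.068 UTC Mon Jun 8 2009)
clock offset is 15.0836 msec, root delay is 56.50 msec
root dispersion is 15931.63 msec, peer dispersion is 15890.63 msec"""

# Tolerance taken from the "Clock skew greater than 300 Seconds" error quoted later in this article.
KERBEROS_MAX_SKEW_SEC = 300


def parse_ntp_status(text):
    """Return the sync state, stratum, reference and clock offset reported by 'show ntp status'."""
    m = re.search(r"Clock is (\w+), stratum (\d+)(?:, reference is (\S+))?", text)
    if not m:
        raise ValueError("not a 'show ntp status' output")
    offset = re.search(r"clock offset is (-?[\d.]+) msec", text)
    return {
        "synchronized": m.group(1).lower() == "synchronized",
        "stratum": int(m.group(2)),
        "reference": m.group(3),           # None while unsynchronised
        "offset_ms": float(offset.group(1)) if offset else None,
    }


def kerberos_ready(text, max_skew_sec=KERBEROS_MAX_SKEW_SEC):
    """True only when the clock is synchronised (stratum 16 means it is not) and the offset is within tolerance."""
    status = parse_ntp_status(text)
    if not status["synchronized"] or status["stratum"] >= 16 or status["offset_ms"] is None:
        return False
    return abs(status["offset_ms"]) / 1000.0 <= max_skew_sec


if __name__ == "__main__":
    for label, sample in (("before", UNSYNCED), ("after", SYNCED)):
        print(label, parse_ntp_status(sample), "kerberos_ready:", kerberos_ready(sample))
```

Paste the output of your own ‘show ntp status‘ in place of the samples; anything that is not "Clock is synchronized" with a stratum below 16 means you are still at the "go and have a coffee" stage.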

Step 2 – Set the server(s) you are going to authenticate against to a public NTP Server.

Note TCP Port 123 needs to be open outbound for this to work 🙂

1. Log into the Server > Start > run > cmd {enter}

2. Issue the following four commands;

[box]

w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update {enter}
net stop "windows time" {enter}
net start "windows time" {enter}
W32TM /resync {enter}

[/box]

Step 3 – Set up Kerberos AAA in the ASDM

1. Log into the ASDM.

2. Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups (top Section) > Add

3. Give the server group a name, e.g. KerberosGroup > Change the protocol to “Kerberos” > OK.

4. Move to the bottom section of the page (Servers In the Selected Group) > Add.

5. Enter the IP Address of the Domain Controller providing Authentication > In the Realm section enter the “Domain Realm.”

Note: To Find out the REALM, on the domain controller issue the following command; [box] set USERDNSDOMAIN [/box]

Note: enter the Realm “IN CAPITALS”.

6. Click Apply > File > “Save running configuration to flash”.

To set up Kerberos AAA from the command line

[box]

Petes-ASA>
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# aaa-server KerberosGroup protocol kerberos
Petes-ASA(config-aaa-server-group)# aaa-server KerberosGroup (inside) host 192.1.2.10
Petes-ASA(config-aaa-server-host)# kerberos-realm PETENETLIVE.COM
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)#

[/box]

Step 4 – Test Kerberos Authentication

1. Log into the ASDM.

2. Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups (top Section) > Select the Kerberos Group.

3. In the bottom section click Test.

4. Enter the username and password > OK.

5. It should say that the test was successful.

If It says “Error: Authentication Rejected: Clock skew greater than 300 Seconds” then steps 1 and 2 did not work.

Kerberos Pre-Authentication

Also Note: You may need to turn off “Require pre-authentication” on a user by user basis. If so, log onto the domain controller > Start > Run > dsa.msc > Locate the user > Right Click > Properties > Account > Account options (scroll down) > Select “Do not require Kerberos preauthentication”.

Related Articles, References, Credits, or External Links

Thanks to Zsolt Horvath at Cisco TAC

Cisco ASA – Configuring for NTP

Cisco ASA – Only Allow Mail Servers SMTP Outbound

KB ID 0000172 

Problem

It’s not unusual for nasty viruses and malware, once they have infected a machine, to set up outbound communications on the mail protocol SMTP (TCP Port 25), which can lead to your public address being blacklisted.

So it’s considered good practice to stop all your clients getting mail access outbound through your firewall, while still allowing your mail server.

Note: On Cisco firewalls, access lists are processed in order from the top down, so the ALLOW must come before the DENY (if you don’t have a clue what I’m talking about, don’t worry).

Microsoft Exchange Users Note

If your firewall is using the default inspection map, it will be doing ESMTP inspection. Microsoft has its own opinion on what should be allowed in SMTP which differs from Cisco’s. The result is you will need to disable ESMTP inspection for Exchange to work properly. Go here to find out how to Disable ESMTP Inspection on the Cisco ASA.

Solution

Option 1 Via Command Line

1. Connect to the firewall, go to enable mode.

[box]

User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA#

[/box]

2. Now you need to find if an access control list is being applied to your inside interface, to do that issue the “show run access-group” command, below are two possible results.

[box]

Result 1 (there IS NOT an access list applied to the inside Interface).

PetesASA# show run access-group
access-group inbound in interface outside
PetesASA#

Result 2 (There IS an access list applied to the inside interface).

PetesASA# show run access-group
access-group outbound in interface inside <Here it is
access-group inbound in interface outside

Note: In the example above the access list is called "outbound"; it can be called anything!

[/box]

3. Now you need to allow your mail server SMTP access (in this example my mail server is on 10.254.254.5), then deny SMTP to everyone else, then allow everything else. (REMEMBER: with Cisco firewalls, once you have an access list, everything that is not explicitly allowed is DENIED, which is why you need the allow at the end. To see this, look in the ASDM and you will see an “Implicit Deny” at the end of the list.)

[box]

Note: If you already had an outbound access list (Result 2 above), substitute the name of yours for the word outbound below.

PetesASA# configure terminal
PetesASA(config)# access-list outbound permit tcp host 10.254.254.5 any eq smtp
PetesASA(config)# access-list outbound deny tcp any any eq smtp
PetesASA(config)# access-list outbound permit ip any any
PetesASA(config)#

[/box]
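Step 3 relies entirely on the order of the three lines and on the implicit deny. As an added example (not from the article), the Python below models the ASA’s top-down, first-match evaluation so you can see what the outbound list does to a given packet, and what happens when the lines are entered in the wrong order or the final permit is forgotten. The ACL entries are the three from the box above, typed in as constructed data; the addresses used in the checks are also made up.

```python
import ipaddress

# Constructed ACL: the three lines from step 3, in the order they were entered.
# (action, protocol, source, destination, destination port or None for "any port")
OUTBOUND_ACL = [
    ("permit", "tcp", "host 10.254.254.5", "any", 25),   # mail server may send SMTP
    ("deny",   "tcp", "any",               "any", 25),   # nobody else may
    ("permit", "ip",  "any",               "any", None), # everything else is allowed
]


def _addr_match(spec, ip):
    """Match an ACL address spec ('any', 'host x.x.x.x' or a CIDR network) against an address."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(ip) == ipaddress.ip_address(spec.split()[1])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl, proto, src, dst, dport):
    """Walk the ACL top-down as the ASA does and return the action of the first matching entry.

    Falls through to 'deny': every ASA access list ends with an implicit deny.
    """
    for action, aproto, asrc, adst, aport in acl:
        if aproto not in ("ip", proto):            # 'ip' entries match any protocol
            continue
        if not (_addr_match(asrc, src) and _addr_match(adst, dst)):
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    mail_server, client, mx = "10.254.254.5", "10.254.254.50", "203.0.113.25"  # constructed addresses
    print("mail server -> 25 :", evaluate(OUTBOUND_ACL, "tcp", mail_server, mx, 25))
    print("client      -> 25 :", evaluate(OUTBOUND_ACL, "tcp", client, mx, 25))
    print("client      -> 443:", evaluate(OUTBOUND_ACL, "tcp", client, mx, 443))
    wrong_order = [OUTBOUND_ACL[1], OUTBOUND_ACL[0], OUTBOUND_ACL[2]]
    print("deny entered first, mail server -> 25:", evaluate(wrong_order, "tcp", mail_server, mx, 25))
```

Swap the first two entries and the mail server is blocked by the deny before its own permit is ever reached; drop the last line and every non-SMTP flow from the inside hits the implicit deny, which is the "whole office loses the internet" failure mode a missing `permit ip any any` produces.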

4. If you already had an access list applied (Result 2 above) then you are finished; skip to step 5 to save. If you DID NOT, then you need to apply the access list you just created to the inside interface with an access-group command.

[box]

Note: Only do this if you got Result 1 above.

PetesASA(config)#
PetesASA(config)# access-group outbound in interface inside
PetesASA(config)#

[/box]

5. Save your hard work with a “write mem” command.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#

[/box]

Option 2 Block SMTP via ASDM

1. Connect to the ASDM, and add a rule allowing your host to SMTP (At the top!)

2. Below that create a rule that denies SMTP from “any” to “any”.

3. Below that create a rule that allows “ip” from “any” to “any”.

4. This is what it should look like when you are finished.

5. Finally save the config, click File > Save running config to flash.

Related Articles, References, Credits, or External Links

NA

DNS resolves intermittently – EDNS Problems

KB ID 0000312

Problem

DNS resolves intermittently, and your Exchange outbound mail may fail and give the following error:

The following recipient(s) could not be reached: user@domain.com on (Date Time). There was a SMTP communication problem with the recipient’s email server. Please contact your system administrator. <(Domain.com) #5.5.0 smtp;550-Domain does not recognize your computer (xx.xx.xxx.xxx) as connecting from an Domainconnection. If this is in error, please contact technical support.>

Seen on Server 2003 and Server 2008 R2 DNS servers. It is caused by Extension Mechanisms for DNS (EDNS0), which allows UDP DNS packets larger than 512 bytes. Some firewall systems do not like this and will drop the traffic.

Solution

Solution 1

The best way to cure the problem is to ensure any upstream devices either understand EDNS, or allow packets over 512 bytes. Check with your firewall vendor.

On a Cisco ASA, the default DNS inspection map limits DNS messages to a maximum of 512 bytes; that limit comes from RFC 1035, which is why it’s there.

This value can be increased to 65535, however the higher the number the more susceptible you are to a DNS amplification attack, most blogs and forums I’ve read suggest setting a value of 4096 (though I’d suggest 1024). EDNS is fully supported on ASA firewalls running 8.2(2) and above. If you are running 8.2(2) or above you can simply use the following command:

[box]message-length maximum client auto[/box]

Note: For Cisco PIX Version 6 and lower use the following:

[box]fixup protocol dns maximum-length 4096[/box]

To raise the value in the ASDM

1. Connect to the ASDM > Configuration > Firewall >Objects >Inspection Maps > DNS > default_dns_map > Customise > Details.

2. Under global settings change as required > OK > Apply > File > Save running configuration to flash.
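To make the 512-byte limit concrete, here is an added example (not from the article) that builds a DNS query by hand, with and without the EDNS0 OPT pseudo-record from RFC 6891 that advertises a larger UDP payload size, reads the advertised size back out of the packet, and works out the largest reply an inspection map with a given `message-length maximum` would let through. Modelling `message-length maximum client auto` as "honour whatever size the client advertised" is my reading of that command, not something the article states; the query name is a constructed example.

```python
import struct

OPT_TYPE = 41             # EDNS0 OPT pseudo-RR type (RFC 6891)
CLASSIC_UDP_LIMIT = 512   # RFC 1035 UDP limit, the ASA inspection default quoted above


def build_query(name, qtype=1, edns_payload=None, txid=0x1234):
    """Build a DNS query for `name`; with edns_payload set, append an OPT record advertising that UDP size."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD flag set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)                     # QCLASS IN
    opt = b""
    if edns_payload:
        # OPT RR: root name, TYPE 41, CLASS field carries the advertised UDP payload size,
        # TTL field holds extended rcode/version/flags (all zero here), RDLENGTH 0.
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_payload, 0, 0)
    return header + question + opt


def _skip_name(packet, pos):
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:          # compression pointer, two bytes
            return pos + 2
        pos += length + 1


def advertised_payload_size(packet):
    """Return the UDP payload size advertised in the OPT record, or 512 if the message has no EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(packet, pos) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(packet, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        if rtype == OPT_TYPE:
            return rclass
        pos += 10 + rdlen
    return CLASSIC_UDP_LIMIT


def effective_udp_limit(packet, message_length_maximum=CLASSIC_UDP_LIMIT):
    """Largest UDP reply the inspection map lets through for this query.

    An integer models a fixed 'message-length maximum N'; None models 'message-length maximum
    client auto' (assumed here to mean: honour the size the client advertised).
    """
    advertised = advertised_payload_size(packet)
    if message_length_maximum is None:
        return advertised
    return min(advertised, message_length_maximum)


if __name__ == "__main__":
    plain = build_query("example.com")                       # constructed query name
    edns = build_query("example.com", edns_payload=4096)
    print("no EDNS0  :", advertised_payload_size(plain), "bytes")
    print("EDNS0 4096, ASA default 512 :", effective_udp_limit(edns))
    print("EDNS0 4096, ASA set to 1024 :", effective_udp_limit(edns, 1024))
    print("EDNS0 4096, ASA auto        :", effective_udp_limit(edns, None))
```

The gap between what the resolver advertises (4096 here) and what the inspection map allows (512 by default) is exactly the traffic the ASA drops, which is why the symptom is intermittent: only the replies that happen to exceed 512 bytes go missing.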

Solution 2

Disable EDNS on the DNS Server from command (No restart of DNS service is required).

1. On the Server Start > Run > cmd {enter}

2. Execute the following command:

[box]dnscmd /config /enableednsprobes 0[/box]

Note: dnscmd is NOT installed by default on Server 2003 you need to install it from the support tools.

Solution 3

Disable EDNS via the registry (Requires a restart of the DNS Server Service).

1. Start > Run > regedit {enter}

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters.

3. Create or Modify the REG_DWORD value EnableEDNSProbes and set it to 0 (Decimal).

Or

Import this registry key, or download and merge this one.

[box]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters]
"EnableEDnsProbes"=dword:00000000

[/box]

Related Articles, References, Credits, or External Links

NA

SmoothWall site to site (IPSEC) VPN to Cisco ASA

KB ID 0000436 

Problem

You would like to put in a site to site VPN from a site that has a SmoothWall firewall to another site that has a Cisco ASA.

Note: This procedure was carried out on a SmoothWall UTM 1000 Series appliance, and uses a pre-shared key to authenticate the VPN.

Solution

1. For the Cisco end of the configuration, you can configure it from the command line (see here) or from the ASDM (see here).

2. Connect to the SmoothWall’s web management console. Navigate to VPN > IPSEC subnets, and set as follows,

Name: Can be anything give it a recognisable name.
Enabled: Tick.
Local IP : Leave blank.
Local Network: The network behind the SmoothWall.
Local ID Type: Local IP
Local ID Value: Leave blank.
Remote IP or Hostname: The outside IP of the Cisco ASA.
Remote Network: The subnet address behind the Cisco ASA.
Remote ID Type: User Specified IP Address.
Remote ID value: The outside IP of the Cisco ASA.
Authenticate by: Preshared Key.
Preshared Key: The same key you entered on the Cisco ASA e.g. This1sak3y
Preshared Key again: Repeat above.
Use Compression: Leave un-ticked.
Initiate the connection: Tick.

Advanced Options

Local Certificate: Default.
Interface: PRIMARY.
Perfect Forward Secrecy: Tick.
Authentication type: ESP
Phase 1 cryptographic algo: 3DES
Phase 1 hash algo: SHA
Phase 2 cryptographic algo: 3DES
Phase 2 hash algo: SHA
Key Life: 60.
IKE Lifetime: 30

3. Finally press “Add”.

Note: To edit an existing tunnel, in the summary at the bottom place a tick in the “Mark” box then click “Edit”.

4. Normally that should be all you need to do, however you may also need to allow zone bridging, select networking > zone bridging.

5. Set as follows,

Source Interface: IPSec
Destination interface: Port that the hosts inside the SmoothWall are plugged into.
Bi-directional: Tick.
Protocol: ALL
Source IP: 0.0.0.0/0
Destination IP: The subnet behind the SmoothWall.
Service: User Defined
Port: Leave Blank
Comment: Put in a sensible text comment.
Enabled: Tick

6. Finally press “Add”.

Note: To edit an existing zone bridge, in the summary at the bottom place a tick in the “Mark” box then click “Edit”.

 

Related Articles, References, Credits, or External Links

NA

 

Cisco ASA – Port Forwarding To A Different Port

Port Translation

KB ID 0001087 

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

A very long time ago I wrote an article about how to port forward from a public IP address to multiple servers for RDP. Basically you would connect to the firewall using various different ports, and the firewall would change the port to the correct one for RDP (TCP port 3389, unless you changed it on the machine). Then send it to the correct server, so you could manage multiple servers from the same public IP.

Now that was so long ago it was before the version 8.3 NAT changes. This week I was working on a problem where every change I made that had to be tested meant I had to swap VPNs, and reconnect to servers and test comms. This was getting a bit time consuming so I needed a public server to jump on for testing. I didn’t want to expose RDP to my server, so I planned to use a different port and translate that port on the firewall. But how to do that with modern ASA code?

Solution

1. Create the objects and NAT Rules;

[box]

Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# object network Internal_RDP_Server-1
Petes-ASA(config-network-object)# host 192.168.1.1
Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp 3389 3390
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# object network Internal_RDP_Server-2
Petes-ASA(config-network-object)# host 192.168.1.2
Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp 3389 3391
Petes-ASA(config-network-object)# exit

[/box]

2. Allow the traffic, (read this article before executing the access-group command).

[box]

Petes-ASA(config)# access-list inbound permit tcp any object Internal_RDP_Server-1 eq 3389
Petes-ASA(config)# access-list inbound permit tcp any object Internal_RDP_Server-2 eq 3389
Petes-ASA(config)# access-group inbound in interface outside

[/box]

Whole Code

[box]

object network Internal_RDP_Server-1
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 3389 3390
object network Internal_RDP_Server-2
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 3389 3391
!
access-list inbound permit tcp any object Internal_RDP_Server-1 eq 3389
access-list inbound permit tcp any object Internal_RDP_Server-2 eq 3389
!
access-group inbound in interface outside

[/box]
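The whole-code block above, and the pre-8.3 equivalent below it, are easy to audit once you see that both styles reduce to the same thing: an external port that lands on TCP 3389 inside. As an added example (not from the article), the Python below pulls those mappings out of a running-config fragment in both the post-8.3 object NAT form and the pre-8.3 `static` form, then lists the internal hosts whose RDP is reachable from `any` source through the inbound ACL, which is the configuration the warning at the top of the first article tells you to avoid. The config fragment is constructed for the example: it combines the article’s own lines with one extra server and one ACL entry locked to a single (made-up) trusted address for contrast.

```python
import re

# Constructed running-config fragment: the article's object NAT lines, one pre-8.3 static
# for a third server, and an inbound ACL that permits two of them from 'any'.
SAMPLE_CONFIG = """
object network Internal_RDP_Server-1
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 3389 3390
object network Internal_RDP_Server-2
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 3389 3391
static (inside,outside) tcp interface 3392 192.168.1.3 3389 netmask 255.255.255.255
access-list inbound permit tcp any object Internal_RDP_Server-1 eq 3389
access-list inbound permit tcp host 203.0.113.10 object Internal_RDP_Server-2 eq 3389
access-list inbound extended permit tcp any interface outside eq 3392
access-group inbound in interface outside
"""

RDP_PORT = 3389


def parse_forwards(config):
    """Map each external TCP port that is forwarded to RDP onto (object name, internal host).

    Handles post-8.3 object NAT ('nat ... static interface service tcp 3389 <ext>') and
    pre-8.3 'static (inside,outside) tcp interface <ext> <host> 3389'.
    """
    forwards = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = {"name": m.group(1), "host": None}
            continue
        m = re.match(r"\s+host (\S+)", line)
        if m and current:
            current["host"] = m.group(1)
            continue
        m = re.match(r"\s+nat \(\S+\) static interface service tcp (\d+) (\d+)", line)
        if m and current and int(m.group(1)) == RDP_PORT:
            forwards[int(m.group(2))] = (current["name"], current["host"])
            continue
        m = re.match(r"static \(\S+\) tcp interface (\d+) (\S+) (\d+)", line)
        if m and int(m.group(3)) == RDP_PORT:
            forwards[int(m.group(1))] = (None, m.group(2))   # pre-8.3 statics have no object name
    return forwards


def exposed_from_any(config):
    """Internal hosts whose RDP is permitted from source 'any' by the inbound ACL."""
    forwards = parse_forwards(config)
    by_object = {name: host for name, host in forwards.values() if name}
    exposed = set()
    for line in config.splitlines():
        # post-8.3: the ACL names the object and the real (untranslated) port
        m = re.match(r"access-list \S+ (?:extended )?permit tcp any object (\S+) eq (\d+)", line)
        if m and int(m.group(2)) == RDP_PORT and m.group(1) in by_object:
            exposed.add(by_object[m.group(1)])
        # pre-8.3: the ACL names the outside interface and the external (translated) port
        m = re.match(r"access-list \S+ (?:extended )?permit tcp any interface outside eq (\d+)", line)
        if m and int(m.group(1)) in forwards:
            exposed.add(forwards[int(m.group(1))][1])
    return sorted(exposed)


if __name__ == "__main__":
    for port, (name, host) in sorted(parse_forwards(SAMPLE_CONFIG).items()):
        print(f"outside tcp/{port} -> {host} tcp/{RDP_PORT} ({name or 'pre-8.3 static'})")
    print("RDP reachable from any:", exposed_from_any(SAMPLE_CONFIG))
```

Server-2 does not appear in the result because its ACL entry is restricted to one host; changing the port you publish on does nothing to hide a server from a port scan, so the source restriction is the control that matters.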

OLD (Pre version 8.3) Port Forwarding to a Different port

So (as above), I’ll connect to the first server on port 3390, and the second on port 3391.

[box]

Petes-ASA> enable
Password: *********
Petes-ASA# configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3390
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3391

[/box]

Then Port Forward AND TRANSLATE those ports to the correct internal servers.

[box]

Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3391 192.168.1.2 3389 netmask 255.255.255.255

[/box]

Related Articles, References, Credits, or External Links

NA