Cisco Firewalls and PING

KB ID 0000351

Problem

With regards to Ping, out of the box a Cisco firewall will allow you to ping the interface you are connected to, so in a normal setup inside clients can ping the inside interface, and the firewalls outside interface can be pinged from outside.

OK – to understand pinging through a Cisco Firewall you need to understand that Ping is part of the ICMP protocol suite, and unlike other protocols is not “connection orientated” what that means is, (on a new firewall that has no rules applied outbound) the firewall happily lets ping traffic out but it won’t let ping traffic back in – this results in a failure on the client.

Also See:

Cisco ASA 5500 Allowing Tracert

Solution

Cisco ASA and Cisco PIX (version 7 and above) From CLI

Version 7 introduced an ICMP inspection engine so that it could track ICMP requests like other protocols. It’s NOT turned on by default. And the command is “inspect icmp” but you need to enter the default map first (this assumes you have the standard policy-map). Connect to the firewall and use the following commands from config terminal mode. then save the changes with a “write mem” command.

[box]

PetesASA>
PetesASA> enable
Password:********
PetesASA# conf t
PetesASA(config)# policy-map global_policy
PetesASA(config)# (config-pmap)#class inspection_default
PetesASA(config)#inspect icmp
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425 
8695 bytes copied in 3.670 secs (2898 bytes/sec)
 [OK] 
PetesASA(config)#

[/box]

Cisco ASA and Cisco PIX (version 7 and above) From ASDM

Connect to the ASDM > Configuration > Firewall > Service Policy Rules > Select “inspection_default” > Edit > Rule Actions > Tick ICMP > OK > Apply > File > Save running configuration to flash.

Cisco PIX (version 6 and below) From CLI

Older firewalls do not have an inspection map, nor was there a “fixup” for ICMP and ping traffic, so you need to explicitly allow the return icmp traffic back in. Note: this assumes you already have an inbound access-list called “inbound”, and we are adding some more lines to it, change the works inbound to match the name/number of your inbound access list (the “show access-group” will tell you what is applied to the outside interface),

e.g.

[box]

PetesASA>
PetesASA> enable
Password: ********
PetesASA# show access-group
access-group inbound in interface outside <<This ones called inbound.

[/box]

If you already have an access-list applied then simply substitute the name word “inbound” for the name on your ACL.

[box]

PetesASA# conf t
PetesASA(config)# access-list inbound permit icmp any any echo-reply 
PetesASA(config)# access-list inbound permit icmp any any time-exceeded 
PetesASA(config)# access-list inbound permit icmp any any unreachable
PetesASA(config)# access-list inbound permit icmp any any source-quench

[/box]

If you HAD an inbound ACL skip this step, If you didn’t have one you need to apply the ACL with an access-group command.

[box]

PetesASA(config)# access-group inbound in interface outside

[/box]

Lastly save your work with a write mem command.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 4d7f7ccd 5c55a9e1 6ced12c4 46728bc7
[OK]
PetesASA#

[/box]

Cisco PIX (version 6 and below) From PDM

Connect to the PDM > Configuration > Access Rules > Rules > Add > Permit > Outside Inside > Tick ICMP > Select “echo-reply”> OK > Apply > File > Save running configuration to flash.

Then repeat for time-exceeded, unreachable and source-quench

Stop Interfaces replying to Ping traffic

As stated above all firewall interfaces will respond to pings if they are on the network you are connected to. To stop this you use the “icmp” command.

[box]

Syntax
icmp {permit or deny} {any or IP and subnet}{type of icmp traffic}{interface name}

Example
icmp deny any echo outside

[/box]

Do the same from ASDM

Connect to the ASDM > Configuration > Device Management > Management Access > ICMP > Add > Select ICMP type > Interface > Action > OK > Apply > File > Save running configuration to flash.

Do the same from PDM

Connect to the PDM > Configuration > system Properties > Administration > ICMP > Add > > Specify the Type, Interface, Source etc > OK > Apply > File > Save running configuration to flash.

If you are still having problems, see the following article;

Cisco ASA – I Cannot Ping External Addresses? (Troubleshooting ICMP)

Related Articles, References, Credits, or External Links

NA

Ubuntu – Managing Cisco Devices via Serial / Rollover Cable

KB ID 0000400 

Problem

A while back I ran though “Managing Cisco ASA devices via the ASDM with Ubuntu“, I prefer to work at command line, with a new firewall my only choice is via the console port, In a windows environment I can fire up Hyperterminal and I’m away. With Linux there a couple of things to do first.

Solution

Step 1 (Get the Serial / RS232 / COM Port working)

As pictured above, this is being done on my Acer Netbook so I don’t have a serial port. I need to use a USB to Serial converter, If your machine has a serial port then simply skip this section.

1. Plug in your serial converter and wait a few seconds, open a terminal window (Applications > Accessories > Terminal) and issue the following command,

[box]dmesg[/box]

2. Amazingly it looks like been installed with the correct driver, without any effort by me at all! Lets make sure, unplug the USB to serial converter then issue the following command,

[box]lusb[/box]

Then plug the device back in and run the same command, notice the serial port has popped onto the list.

Note: If you not as lucky as me follow the excellent advice here to install the drivers you need.

Step 2 Install and Configure Minicom

1. Open a terminal window and issue the following command,

[box]sudo apt-get install minicom[/box]

Tap in your password, then enter “Y” for yes when prompted.

4. We need to know the connection name for the USB to Serial converter, issue the following command (See mines called ttyUSB0).

[box]dmesg | grep tty[/box]

5. Now lets fire up Minicom with the following command,

[box]sudo minicom[/box]

Tap in your password again, then as requested press CTRL+A, then Z.

6. To configure the serial settings press O (that’s O for Oscar not zero).

7. Select “Serial Port Setup”.

8. Press A to set the device.

9. As we discovered (above) ours is called ttyUSB0, so change the device to /dev/ttyUSB0.

10. Press C to change the connection speed to 9600 baud, Press Q (to set 8 bits, no stop bit, and 1 parity bit. On mine this was set by default), press {enter} to exit.

11. Press F to turn off hardware flow control (Some posts will say leave it on, I generally turn if off and I’ve never seen anything break!). Press G to disable software flow control (if enabled).

12. Then Select “Save setup as..”, and give is a sensible name. (If you went back too far simply press O again to get back here).

13. Now the settings are saved you can launch them at anytime with,

[box]sudo minicom {filename}[/box]

Note: Sometimes your serial drive gets locked up but a reboot will solve the problem.

14. Here’s me connected to an ancient old catalyst switch.

15. And the baby PIX on my test network.

Note: If your keystrokes are not getting sent: From the main menu (CTRL+A then Z) Press E to turn on local echo.

 

Related Articles, References, Credits, or External Links

NA

Cisco Remote (IPSEC) VPN Clients Timeout / Disconnect

KB ID 0000309 

Problem

By default, your remote VPN clients will timeout their connections after 300 seconds of inactivity, should you wish to increase that you can, on a user by user basis, however sometimes that does not work. To fix the problem you need to disable ISAKMP monitoring at the “Head End”.

Solution

Enable via Command Line

(see below for ASDM instructions)

1. Connect to the the firewall (see here for instructions).

2. Login and go to enable mode.

[box]

User Access Verification

Password: Type help or ‘?’ for a list of available commands. PetesASA> en Password: ********

[/box]

3. We need to change the remote access IPSEC VPN tunnel group, to find out what its called issue a “show running-config tunnel-group” command.

The tunnel group we want will have an “ipsec-attributes” entry AND a “remote-access” entry, so in the example below the tunnel group we want is called “IPSEC-VPN-GROUP” (Yours may not be as well named!).

[box]

PetesASA# show running-config tunnel-group
tunnel-group IPSEC-VPN-GROUP type remote-access <<< Here's a remote access group
tunnel-group IPSEC-VPN-GROUP general-attributes
address-pool IPSEC-VPN-DHCP-POOL
authentication-server-group PNL-KERBEROS LOCAL
default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes <<< Its an IPSEC tunnel :)
pre-shared-key *****
tunnel-group SSL-VPN-POLICY type remote-access <<< Here's a remote access group
tunnel-group SSL-VPN-POLICY general-attributes
address-pool SSL-VPN-DHCP-POOL
default-group-policy SSL-VPN-GROUP-POLICY
tunnel-group SSL-VPN-POLICY webvpn-attributes <<< this ones an SSL group :(
group-alias PNL enable
PetesASA#

[/box]

4. Enter configuration mode (conf t) > Then to add the new attribute issue a “tunnel-group {tunnel group name} ipsec-attributes” > then to disable the keepalives, issue the following command “isakmp keepalive threshold infinite“.

Finally save your hard work with a “write mem” command.

[box]

PetesASA# conf t PetesASA(config)# tunnel-group IPSEC-VPN-GROUP ipsec-attributes PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold infinite PetesASA(config-tunnel-ipsec)# PetesASA(config-tunnel-ipsec)# write mem Building configuration… Cryptochecksum: 5417d5a1 bee8b082 16c6f19d b3839f13

9379 bytes copied in 1.410 secs (9379 bytes/sec) [OK] PetesASA(config-tunnel-ipsec)#

 

[/box]

Do the same from ASDM.

1. Connect to the ASDM

2. Click Configuration > Remote Access VPN > IPSEC Connection Profiles > {Your IPSEC Policy} > Edit.

2. Select Advanced > IPSEC > and tick “Headend will never initiate keepalive monitoring” > OK > Apply.

3. Finally click File > “Save Running Configuration to Flash”.

Related Articles, References, Credits, or External Links

NA

Securing Cisco SSL VPN’s with Certificates

KB ID 0000335

Problem

It’s been a while since I wrote a walk though on the Cisco AnyConnect/SSL VPN solution, and usually I secure these with Active Directory or simply using the local user database on the firewall. But what if you wanted to use certificates instead? Perhaps your users are too “technically challenged” to remember their passwords. Or you want to enable two factor authentication with usernames/passwords AND certificates (something you know and something you have).

Solution

Step 1: Setup the ASA as a Certificate Authority

After version 8 Cisco included a complete CA solution in the firewall with a web front end. to use it we need to a) turn it on, b) give it an email address, c) provide a subject name, and finally d) create a unique pass phrase to generate the root certificate from.

Connect to the firewall and carry out the following,

[box]

PetesASA>
PetesASA> en
Password: ********
PetesASA# conf t
PetesASA(config)# crypto ca server
PetesASA(config-ca-server)# smtp from-address pnlCA@petenetlive.com
PetesASA(config-ca-server)# subject-name-default cn=pnlCA, o=petenetlive, c=GB
PetesASA(config-ca-server)# no shutdown

% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or press return to exit
Passphrase: ********

Re-enter passphrase: ********

Keypair generation process begin. Please wait...

Completed generation of the certificate and keypair...

Archiving certificate and keypair to storage... Complete
INFO:
Certificate Server enabled.
PetesASA(config-ca-server

[/box]

To do the same via ASDM connect to the ASDM > Navigate to Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > CA Server > Fill in the details > Apply.

To check that the CA Server is up and running issue a “show crypto ca server” command.

[box]


PetesASA# show crypto ca server

Certificate Server LOCAL-CA-SERVER:
Status: enabled <--Good!
State: enabled <--Good!
Server's configuration is locked (enter "shutdown" to unlock it)
Issuer name: CN=PetesASA.petenetlive.com
CA certificate fingerprint/thumbprint: (MD5)
774e1fe0 27495b35 019a9874 7507d8a9
CA certificate fingerprint/thumbprint: (SHA1)
93414d52 5f23e510 0f7f8fc2 857e3c86 d5687286
Last certificate issued serial number: 0x1
CA certificate expiration timer: 12:33:29 UTC Sep 30 2013
CRL NextUpdate timer: 18:33:29 UTC Oct 1 2010
Current primary storage dir: flash:/LOCAL-CA-SERVER/

Auto-Rollover configured, overlap period 30 days
Autorollover timer: 12:33:29 UTC Aug 31 2013
PetesASA#

[/box]

Step 2: Obtain a Client Certificate

If you have a LOT of these you can set them up and send them by email directly, I’m just going to do this one manually, By default your webvpn probably isn’t enabled on the “inside” so lets turn that on.

[box]

PetesASA#
PetesASA# conf t
PetesASA(config)# webvpn
PetesASA(config-webvpn)# enable inside
INFO: WebVPN and DTLS are enabled on 'inside'.
PetesASA(config-webvpn)# exit
PetesASA(config)#

[/box]

To do the same via ASDM connect to the ASDM > Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Tick both the inside options > Apply.

Now I’m going to create a user, and a “One Time Password”.

[box]


PetesASA(config)#
PetesASA(config)# crypto ca server user-db add petelong
INFO: User added as 'petelong'
PetesASA(config)# crypto ca server user-db allow petelong display-otp
Username: petelong
OTP: 010B3B9F500F7142 <--your user will need this!
Enrollment Allowed Until: 12:43:23 UTC Mon Oct 4 2010

PetesASA(config)#

[/box]

Via ADSM it’s a little more convoluted, you need to add the user then view/re-generate the OTP.

Open a web browser and got to https://{ip or name of firewall}/+CSCOCA+/enroll log in with the details you created above.

When prompted download the certificate and put it on the machine that requires secure access. Simply double click it and import it (it should import into the “Personal Certificates” folder.) – if you are prompted for a password you enter the OTP from above.

Step 3: Change the VPN authentication to Certificate.

First lets check that enrolment was successfully with a “show ca server user-db” command.

[box]


PetesASA(config)# show crypto ca server user-db
username: petelong
email: <None>
dn: <None>
allowed: 12:43:23 UTC Mon Oct 4 2010
notified: 1 times
enrollment status: Enrolled, Certificate valid until 12:47:25 UTC Sat Oct 1 2011,<--Good!
Renewal: Allowed

PetesASA(config)#

[/box]

Change the webvpn authenticate to certificate. Note your SSL tunnel group WILL have different name.

[box]

PetesASA# conf t
PetesASA(config)# tunnel-group SSL-VPN-POLICY webvpn-attributes
PetesASA(config-tunnel-webvpn)# authentication certificate
PetesASA(config-tunnel-webvpn)# exit
PetesASA(config)#

[/box]

To use usernames AND certificates use “both” instead of “cert”, to Revert back to usernames enter “aaa”

Via ASDM

Step 4: Test

Connect to the VPN portal and you should now be prompted for certificate authentication.

 

Related Articles, References, Credits, or External Links

AnyConnect VPN

Cisco ASA 5500 – Using a Third Party Digital Certificate (For Identification, AnyConnect, and SSL VPN)

Site to Site IPSEC VPN from SonicWALL to Cisco ASA

KB ID 0000357

Problem

You want to put in a secure IPSEC VPN tunnel from a Cisco ASA Device to a Sonicwall Firewall. Note in this example we will use 3DES for encryption, SHA1 for Hashing, Diffie Hellman Group 2, PFS enabled, and we will use a shared secret (Pre Shared Key).

SonicWALL used in this example is a PRO 3060.

Solution

The main two gotcha’s

Update 12/03/11 Feedback from Wajma Omari:

I would like to add that this configuration will build the Tunnel but one more step needed to enable the Traffic between the two networks and that is by adding ACL from Inside network to the Remote Site Configuration – Firewall – Advanced – ACL Manager – Add – Add ACL and then ADD ACE

Thanks for the very helpful article

Many Thanks for the feedback! Pete

Related Articles, References, Credits, or External Links

Special thanks to David Pounds for his help with the SonicWALL configuration.

Cisco AnyConnect Error “The VPN client driver has encountered an error”

KB ID 0000347

Problem

I rolled out AnyConnect for a client this week, and saw this error on one of the clients.

Error Reads:
The VPN client driver has received an error.

Solution

A quick search of web forums etc, sent me all over the place, the most promising link  told me to do the following,

Repair

This issue is due to Cisco bug ID CSCsm54689 (registered customers only) . In order to resolve this issue, make sure that Routing and Remote Access Service is disabled before you start AnyConnect. If this does not resolve the issue, complete these steps:

  1. Open a command prompt as an Administrator on the PC (elevated prompt on Vista).

  2. Run net stop CryptSvc.

  3. Run esentutl /p %systemroot%System32catroot2{F750E6C3-38EE-11D1-85E5-00C04FC295EE}catdb.

  4. When prompted, choose OK to attempt the repair.

  5. Exit the command prompt.

  6. Reboot.

If Repair fails

If the repair fails, complete these steps:

  1. Open a command prompt as an Administrator on the PC (elevated prompt on Vista).

  2. Run net stop CryptSvc.

  3. Rename the %WINDIR%system32catroot2 to catroot2_old directory.

  4. Exit the command prompt.

  5. Reboot.

However this procedure DID NOT WORK FOR ME

How I repaired it.

1. Click Start > Run > appwiz.cpl {enter}

2. The Add or Remove Programs window should open, locate and uninstall the Cisco AnyConnect VPN client.

In XP

In Windows 7

3. Once uninstalled Navigate to,

XP or older C:Documents and SettingsAll UsersApplication Data
Vista or Newer C:UsersAll Users


4. Delete the “Cisco” folder.

5. Navigate to,

XP or older C:Documents and Settings{username}Local settingsApplication Data
Vista or Newer C:Users{username}AppDataLocal


6. Delete the folder named “Cisco”.

7. This was all I had to do, but it would be prudent to have a good search round your hard drive to make sure its not lurking anywhere else.

8. Once done, reboot the client then either install the AnyConnect client from the .msi installer package, or connect to the SSL/AnyConnect Portal to reinstall the client automatically (Local admin rights required on the remote machine).

 

Related Articles, References, Credits, or External Links

NA

Cisco AnyConnect Error (iPhone)

KB ID 0000362

Problem

While using the Apple/Cisco Anyconnect App/Client you receive the following error.

Error:

The secure gateway has rejected the agent’s VPN request. A New connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
The following message was received from the security gateway: No License.

 

Solution

The most pertinent information above is the last two words of the error message “No License”

This DOES NOT mean you have ran out of SSL/AnyConnect Licences!

This licence is a “One Off” purchase and will enable the feature on your ASA, be aware the licence is different for each model make sure you purchase the correct one!

AnyConnect Mobile, (or AnyConnect for Mobile) licence details can be found at Cisco’s website Below is the section we are interested in.

Update 2017: Applying a modern AnyConnect (v4) licence, will also enable the mobile feature as well.

Once the correct licences are installed this is what it SHOULD look liike.

 

Related Articles, References, Credits, or External Links

Cisco ASA 5500 – Adding Licenses

Android AnyConnect Error

Android AnyConnect Error

KB ID 0000537

Problem

While using the Android/Cisco Anyconnect App/Client you receive the following error.

Error:

The secure gateway has rejected the agent’s VPN request. A New connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
The following message was received from the security gateway: No License.

Solution

The most pertinent information above is the last two words of the error message “No License”

This DOES NOT mean you have ran out of SSL/AnyConnect Licences!

This licence is a “One Off” purchase and will enable the feature on your ASA, be aware the licence is different for each model make sure you purchase the correct one!

AnyConnect Mobile, (or AnyConnect for Mobile) licence details can be found at Cisco’s website Below is the section we are interested in.

Once the correct licences are installed this is what it SHOULD look liike.

Related Articles, References, Credits, or External Links

Cisco ASA 5500 – Adding Licenses

Cisco AnyConnect Error (iPhone)