Updating the AnyConnect client for Deployment from the Cisco ASA 5500

KB ID 0000704 

Problem

Your ASA will (by default) update your AnyConnect clients to the latest client software when they connect. However, you need to supply the ASA with the updated packages first.

Solution

1. Download the latest AnyConnect client package from Cisco. The one you want will have a .pkg file extension.

AnyConnect 4

AnyConnect 3

2. Connect to the ASDM > Configuration > Remote Access VPN > Network (Client) access > AnyConnect Client Software > Add.

Note: On older versions of the ASDM you will find the option under > Network (Client) access > Advanced > SSL VPN > Client Settings > Add.

3. Select Upload > Browse to the software you downloaded > Select.

4. The file should upload to flash memory.

5. The ASDM will tell you whether the upload has been successful.

6. Select the new software and, using the ‘up arrow’, move it to the top of the list > Apply.

Note: At this point I also delete the old software packages.

7. Don’t forget to upload the packages for Linux and MacOS, or you may see the following error:

The AnyConnect package on the secure gateway could not be located.

8. Remember to save the changes. File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Cisco ASA5500 AnyConnect SSL VPN 

Original article written: 02/11/12

Cannot Open a Console Session in the VMware VI Client on Windows 8

KB ID 0000677 

Problem

Mostly my conversion to Windows 8 has been pretty painless; the only thing that won’t work is the VMware VI client, which can’t open a console session to the VMs on my ESX server.

Error:
The VMRC console has disconnected…attempting to reconnect

This happens because the IE10 that comes with Windows 8 does NOT LIKE the requests the VI client is sending to the Internet Explorer plug-in.

Update 08/03/13 – This problem has now been fixed! Download the latest 5.1 version of the VI client. (see screenshot).

Solution

Work-Around 1 Use VMware workstation (Note: scroll down for a permanent fix)

Until either Microsoft or VMware change something we are stuck! However, there is a workaround if you have VMware Workstation (download the trial; it will keep you ticking over until the problem is fixed!).

1. Launch VMware workstation > File > Connect to Server > Enter your ESX/vCenter server details > Connect.

Note: You may need to accept the certificate warning if you are using self signed certificates.

2. Now you can open a console session to your virtual machines.

Work-Around 2 Use VMware Guest Console

Download and run VMware Guest Console > Connect to a host or vCenter, and you can access the guest machines’ consoles from there.

Permanent Fix

Sorry, the only way to fix this (at the time of writing) is to upgrade to vSphere 5.1 AND install the 5.1 version of the vSphere client. (You can’t point the 5.1 client at a 5.0 host; it automatically launches the 5.0 version of the VI client.)

Note: You will need to update vCenter to 5.1 as well for that to work!

Problem Resolved

Update to the latest VI client, and the problem will cease.

Related Articles, References, Credits, or External Links

NA

Install and Configure an HP UPS Network Module

KB ID 0000813

Problem

I installed one of these a couple of weeks ago. There’s some good documentation with the module itself, so installing it into the UPS and giving it an IP address was easy; getting the right client software to talk to it was a pain.

Solution

Configure the Network Module

1. Physically install the module in the UPS; it’s fixed with two screws and you can install it with the UPS powered on.

2. It takes a while for the card to boot. Pop in the console cable that came with it (into the Settings/AUX socket – see above), fire up PuTTY and connect via serial.

Note: Standard serial settings:

Bits per second—9600
Data bits—8
Parity—None
Stop bits—1
Flow control—None

3. The default password is ‘admin’

4. Use the menus presented to change the IP details. You MUST restart the module when you are finished or the IP address WON’T change.

5. Once it’s rebooted (again, this takes a while) you can log in with a web browser (username admin, password admin).

Configure the Client Machines.

1. Download HP Power Protector. (Note: there is no longer separate client and administrator software; this package does BOTH, and the network module has the administration software built in.)

2. Install the software on your machine and log in (again, username admin, password admin).

3. Select client > Save.

4. Select the Device Discovery tab. The software usually detects the network module on its own quite quickly; if it does not, you can use the options on the right to do a scan.

Ports Required for HP UPS Network Module

If you are connecting through a firewall (or your machine has a software firewall), make sure the following six ports are open:

TCP 5000
TCP 5001
TCP and UDP 4680
TCP and UDP 4679

5. When it’s fully detected, select the network module and select ‘Configure power source’, supply the login credentials for the network module, and the load segment the machine is plugged into (see below) > Save.

6. Back in the web console of the network module > Open ‘Notified Applications’ and in about 5-10 minutes your server should appear.

Related Articles, References, Credits, or External Links

NA

Cisco ASA 5500 Client VPN Access Via Kerberos (From CLI)

KB ID 0000049

Problem

You would like to enable remote access for your clients using the Cisco VPN Client software.

Solution

Before you start, you need to ask yourself “Do I already have any IPSEC VPNs configured on this firewall?” If it hasn’t already been done, you need to enable ISAKMP on the outside interface. To ascertain whether yours is on or off, issue a “show run crypto isakmp” command and check the results; if you do NOT see “crypto isakmp enable outside” then you need to issue that command.

[box]

PetesASA# show run crypto isakmp
crypto isakmp enable outside << Mine’s already enabled.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PetesASA#

[/box]

1. Firstly we need to set up Kerberos AAA. If you want to use the ASDM to do this CLICK HERE; to do the same via the command line see the commands below (my DC is at 10.254.254.5 and the domain is petenetlive.com). Note: you could use LOCAL or RADIUS for authentication as well, but as the title states we are using Kerberos 🙂

[box]

PetesASA(config)#
PetesASA(config)# aaa-server PNL-KERBEROS protocol kerberos
PetesASA(config)# aaa-server PNL-KERBEROS (inside) host 10.254.254.5
PetesASA(config)# kerberos-realm PETENETLIVE.COM
PetesASA(config)# 

[/box]

2. Set up a range of IP addresses for the remote clients to use. Note: DON’T use the same IP range as your internal network (that’s a common error!). In this example I’m going to only have a range of 10 IP addresses.

[box]

PetesASA(config)#
PetesASA(config)# ip local pool IPSEC-VPN-DHCP-POOL 10.253.253.1-10.253.253.5
PetesASA(config)#

[/box]

3. Now I’m going to create two access control lists: one for “Split Tunneling” (so when my remote clients connect, they can still browse the internet from their remote location), and the second one to STOP the ASA performing NAT on the traffic that travels over the VPN.

Warning: If you already have NAT-excluded traffic on the firewall (for other VPNs) this will BREAK THEM. To see if you do, issue a “show run nat” command; if you already have a nat (inside) 0 access-list {name} entry, then use that {name}, NOT the one in my example.

So below I’m saying “Don’t NAT traffic from the network behind the ASA (10.254.254.0) that’s going to the remote clients (10.253.253.0) that we set up in step 2”.

[box]

PetesASA(config)#
PetesASA(config)# access-list Split-Tunnel standard permit 10.254.254.0 255.255.255.0
PetesASA(config)# access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.253.253.0 255.255.255.0
PetesASA(config)# nat (inside) 0 access-list NO-NAT-TRAFFIC
PetesASA(config)#

[/box]

3. Now we need to create a “Group Policy” this will specify that we are going to use split-tunneling, what type of VPN it is (IPSEC), the domain name and DNS server for the policy.

[box]

PetesASA(config)#
PetesASA(config)# group-policy IPSEC-VPN-POLICY internal
PetesASA(config)# group-policy IPSEC-VPN-POLICY attributes
PetesASA(config-group-policy)# vpn-tunnel-protocol IPSec
PetesASA(config-group-policy)# split-tunnel-policy tunnelspecified
PetesASA(config-group-policy)# split-tunnel-network-list value Split-Tunnel
PetesASA(config-group-policy)# dns-server value 10.254.254.5
PetesASA(config-group-policy)# default-domain value PETENETLIVE.COM
PetesASA(config-group-policy)#

[/box]

4. Next we create a tunnel group, and tell that group to use the policy we created above, we also specify the Kerberos AAA we created , the IP Pool, and lastly we set up a shared key.

NOTE: This sets up two of the three pieces of information that you need to enter into the VPN Client software, the tunnel group goes in the “Name” section, and the pre-shared-key goes in the “Password” section HERE.

[box]

PetesASA(config)#
PetesASA(config)# tunnel-group IPSEC-VPN-GROUP type remote-access
PetesASA(config)# tunnel-group IPSEC-VPN-GROUP general-attributes
PetesASA(config-tunnel-general)# default-group-policy IPSEC-VPN-POLICY
PetesASA(config-tunnel-general)# authentication-server-group PNL-KERBEROS
PetesASA(config-tunnel-general)# address-pool IPSEC-VPN-DHCP-POOL
PetesASA(config-tunnel-general)# tunnel-group IPSEC-VPN-GROUP ipsec-attributes
PetesASA(config-tunnel-ipsec)# pre-shared-key 12345678901234567890asdfg
PetesASA(config-tunnel-ipsec)#

[/box]

5. Now we add “transform sets”; these are sets of encryption and hashing algorithms that the firewall will try to use to encrypt traffic with.

[box]

PetesASA(config)#
PetesASA(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
PetesASA(config)# crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
PetesASA(config)# crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
PetesASA(config)# crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
PetesASA(config)#

[/box]

6. Lastly we need to create a “Dynamic Cryptomap”, then get that cryptomap to use the transforms we have just created.

Note: I’ve also enabled NAT-Traversal here as well. Sometimes the client software will connect successfully and pass no traffic; if that happens, 99% of the time it’s a NAT problem, caused either by mis-configured NAT on the ASA or by a device somewhere in the VPN tunnel’s path that’s performing NAT and breaking the traffic flow. NAT-Traversal fixes this, so let’s turn it on anyway to be on the safe side 🙂

[box]

PetesASA(config)#
PetesASA(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
PetesASA(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
PetesASA(config)# crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
PetesASA(config)#
PetesASA(config)# crypto isakmp nat-traversal 20
PetesASA(config)#

[/box]
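Before pasting the commands from steps 1 to 6 into a production firewall it is worth running a quick audit over a saved copy of “show run”: is ISAKMP enabled on the outside interface, is there already a nat (inside) 0 access-list entry whose ACL you must extend rather than replace (the warning in step 3), and which of the transform sets, the PFS group and the ISAKMP policy still rely on DES/3DES, MD5 or DH groups 1/2/5. The Python script below is an added example, not part of the original article or of any Cisco tooling; the sample configuration is constructed from the commands above (sub-commands indented as “show run” prints them) and the weak/strong thresholds are this example’s own choices.

```python
"""Pre-flight audit of the ASA remote-access config built in steps 1 to 6.
Added example, not from the article: reads 'show run' style text and reports
which interfaces have ISAKMP enabled, any existing 'nat (iface) 0 access-list'
exemption that must be reused rather than replaced, and legacy crypto choices
(DES/3DES, MD5, DH groups 1/2/5) in transform sets, PFS and ISAKMP policies."""
import re
from collections import defaultdict

# Constructed sample: the article's commands as 'show run' would print them
# (prompts removed, sub-commands indented by one space).
SAMPLE_CONFIG = """\
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.253.253.0 255.255.255.0
nat (inside) 0 access-list NO-NAT-TRAFFIC
tunnel-group IPSEC-VPN-GROUP ipsec-attributes
 pre-shared-key 12345678901234567890asdfg
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto isakmp nat-traversal 20
"""

# What counts as "weak" here is this example's own threshold, not a Cisco default.
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_DH_GROUPS = {"1", "2", "5"}          # MODP 768/1024/1536-bit
WEAK_IKE_ENC = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}

def isakmp_interfaces(cfg):
    """Interfaces named in 'crypto isakmp enable' / 'crypto ikev1 enable'."""
    return re.findall(r"^crypto (?:isakmp|ikev1) enable\s+(\S+)", cfg, re.M)

def nat0_acls(cfg):
    """ACL names already used for pre-8.3 NAT exemption: 'nat (iface) 0 access-list NAME'."""
    return re.findall(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M)

def weak_transform_sets(cfg):
    """{transform-set name: [weak ESP algorithms it uses]}."""
    weak = {}
    for m in re.finditer(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$", cfg, re.M):
        bad = sorted(WEAK_ESP.intersection(m.group(2).split()))
        if bad:
            weak[m.group(1)] = bad
    return weak

def dynamic_map_weak_sets(cfg):
    """Weak transform sets a dynamic crypto map actually offers to peers."""
    weak = weak_transform_sets(cfg)
    offered = {}
    for m in re.finditer(r"^crypto dynamic-map (\S+) (\d+) set (?:ikev1 )?transform-set (.+)$",
                         cfg, re.M):
        used = [ts for ts in m.group(3).split() if ts in weak]
        if used:
            offered[f"{m.group(1)} {m.group(2)}"] = used
    return offered

def weak_pfs(cfg):
    """[(dynamic-map name, DH group)] where PFS is set to a weak group."""
    return [(name, grp) for name, grp in
            re.findall(r"^crypto dynamic-map (\S+) \d+ set pfs group(\d+)", cfg, re.M)
            if grp in WEAK_DH_GROUPS]

def weak_isakmp_policies(cfg):
    """{policy number: [weak sub-commands]} for each 'crypto isakmp|ikev1 policy N' block."""
    findings, current = defaultdict(list), None
    for line in cfg.splitlines():
        head = re.match(r"^crypto (?:isakmp|ikev1) policy (\d+)", line)
        if head:
            current = head.group(1)
            continue
        if not line.startswith(" "):      # any other top-level command ends the block
            current = None
            continue
        if current is None:
            continue
        key, _, val = line.strip().partition(" ")
        if ((key == "encryption" and val in WEAK_IKE_ENC)
                or (key == "hash" and val in WEAK_IKE_HASH)
                or (key == "group" and val in WEAK_DH_GROUPS)):
            findings[current].append(line.strip())
    return dict(findings)

if __name__ == "__main__":
    for check in (isakmp_interfaces, nat0_acls, weak_transform_sets,
                  dynamic_map_weak_sets, weak_pfs, weak_isakmp_policies):
        print(f"{check.__name__}: {check(SAMPLE_CONFIG)}")
```

To use it on a real box, save “show run” to a file and pass its contents in place of SAMPLE_CONFIG. On the article’s own configuration it reports the existing NO-NAT-TRAFFIC exemption, the DES/3DES transform sets that the dynamic map still offers, the “set pfs group1” line, and the 3DES/group 2 ISAKMP policy; that list is exactly what to tidy up before rolling the config into production.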

7. Don’t forget to save your hard work with a “write mem” command.

[box]

PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

8. Now install and configure the VPN client on your remote client; you need to supply the client with the public IP address of the ASA, the tunnel group name, and the pre-shared key (the last two were set up in step 4).

Related Articles, References, Credits, or External Links

NA

Cisco ASA5500 Client IPSEC VPN Access

This method uses the ASA to hold the user database. To use RADIUS CLICK HERE; to use Kerberos CLICK HERE.

KB ID 0000070

Problem

Note: IPSEC VPN is still possible, but getting Windows clients to work is a little sketchy, and you will have to mess about with them to get them to work on modern versions of Windows. (Mac OSX and iPhone/iPad can connect with their built-in VPN software though.)

Below is a walkthrough for setting up a client to gateway VPN tunnel using a Cisco ASA appliance. This is done via the ASDM console.

It also uses the Cisco VPN client. This is no longer available from Cisco; see the following article.

Download Cisco VPN Client Software

Solution

Step1 Configure the ASA5500

1. Open up the ASDM console > Click Wizards > VPN Wizard.

2. Select “Remote Access”. > Next.

3. Select Cisco VPN Client. > Next.

4. Enter a Pre Shared Key e.g. thisisthepresharedkey > And then give the Tunnel group a name e.g. “RemoteVPN”. > Next.

5. Select “Authenticate using the local user database”. > Next.

6. Now create a user; for this exercise I’ve created a user called user1 with a password of password1.

7. Click Add. > Next.

8. Now we need to create some IP addresses that the remote clients will use when connected. > Click New

9. Give the pool a name e.g. RemotePool and set the start and end IP addresses you want to lease (note these DON’T have to be on the same network as your internal IPs; in fact, for auditing it’s good practice to make them different). > Enter a Subnet Mask. > OK.

10. Click Next.

11. Enter the details you want the remote clients to use while connected: DNS servers, WINS servers and domain name. > Next.

12. Leave it on the defaults of 3DES, SHA and DH Group 2 (Note: some Cisco VPN clients will not support AES). > Next.

13. Again leave it on the default of 3DES and SHA. > Next.

14. You can choose what IP addresses you want the remote VPN clients to have access to, first change the dropdown to “Inside”, here I want them to have access to the entire network behind the ASA so I will choose 10.254.254.0 with a mask of 255.255.255.0 > Click Add. > Next.

NOTE: If you do not tick the box to enable “Split Tunneling” then the client cannot browse the internet etc. while connected via the VPN.

15. Review the information at the end of the wizard. > Finish

16. Now you need to save the changes you have just made, From the ASDM Select File > “Save running configuration to flash”

Step 2 Configure the Client VPN Software on the remote client.

Also See THIS VIDEO

1. I’ll assume you have the software installed; you can get it from two places: on the CD that came with the ASA, or downloaded direct from Cisco (NOTE: this needs a valid Cisco CCO account and a service contract). > Click New.

2. Under connection entry give the connection a name e.g. “Remote VPN to Office” > Under “Host” enter the public IP of the ASA (NOTE: I’ve blurred this one out to protect my IP address). > Under “Name” enter the name you created earlier (Step 1 number 4) > Under “Password” use the password you created earlier (Step 1 number 4) and enter it a second time to confirm. NOTE: these are NOT the usernames and passwords you created in Step 1 number 6. > Click the Transport tab.

3. Accept the defaults, but tick “Allow LAN access” if you want to be able to access YOUR drives etc. from the network behind the ASA. > Save.

4. Select the Connection you have just created. > Connect.

5. Enter the username and password you created earlier (Step 1 Number 6) of user1 and password1. > OK.

6. After a few seconds (provided the details were all right) it will connect; hover over the padlock in your task tray and it should say “VPN Client – Connected”.

Create Additional Users on the ASA

1. Open the ASDM and navigate to Configuration > VPN > General > Users > Add.

2. Give the user a name > Enter and confirm a password > Set the Privilege Level to 0 > Then Select the VPN Policy Tab

3. Under Group Policy untick “Inherit” > Select RemoteVPN (the policy you set in Step 1 number 4) > OK.

4. You will now see the user listed. (Don’t forget to save the settings: File > “Save Running Configuration to Flash”.)

Setup ASA 5500 IPSEC Remote VPN From Command Line

[box]

ip local pool IPSEC-VPN-POOL 10.254.250.1-10.254.250.100 mask 255.255.255.0
!
access-list ACL-SPLIT-TUNNEL standard permit 10.254.254.0 255.255.255.0
!
object network Obj-Remote-IPSEC-VPN
 subnet 10.254.250.0 255.255.255.128
!
object network Obj-Local-LAN
 subnet 10.254.254.0 255.255.255.0
!
group-policy IPSEC-Remote-VPN internal
group-policy IPSEC-Remote-VPN attributes
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value ACL-SPLIT-TUNNEL
  dns-server value 8.8.8.8
  default-domain value petenetlive.com
  vpn-simultaneous-logins 5
!
tunnel-group IPSEC-Remote-VPN type remote-access
tunnel-group IPSEC-Remote-VPN general-attributes
 default-group-policy IPSEC-Remote-VPN
 address-pool IPSEC-VPN-POOL
tunnel-group IPSEC-Remote-VPN ipsec-attributes
 ikev1 pre-shared-key 123456
!
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto ikev1 enable outside
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
!
nat (inside,outside) 1 source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup
!
crypto isakmp nat-traversal 20
!
username TestUser password Password123 privilege 0
username TestUser attributes
vpn-group-policy IPSEC-Remote-VPN

[/box]
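Two things commonly go wrong with the post-8.3 version above. First, the identity NAT rule only exempts traffic to Obj-Remote-IPSEC-VPN, a /25, while the pool hands out .1 to .100; that fits today, but if the pool is ever widened past .127 the extra addresses silently get NATted and the client connects but passes no traffic. Second, a mistyped address or mask in an ACL line. The Python script below is an added example, not part of the article or of any Cisco tooling: it parses the pool, the network objects and the identity twice-NAT rule, lists pool addresses the exemption does not cover, and reports ACL lines whose address/mask pair does not parse. The sample configuration is constructed from the box above.

```python
"""Sanity checks for an ASA 8.3+ remote-access IPsec config. Added example,
not part of the article: it parses the address pool, the network objects and
the identity (twice) NAT rule, reports pool addresses the NAT exemption does
not cover, and flags ACL lines whose address/mask pair does not parse."""
import ipaddress
import re

# Constructed sample: the relevant lines from the article's post-8.3 config box.
SAMPLE_CONFIG = """\
ip local pool IPSEC-VPN-POOL 10.254.250.1-10.254.250.100 mask 255.255.255.0
access-list ACL-SPLIT-TUNNEL standard permit 10.254.254.0 255.255.255.0
object network Obj-Remote-IPSEC-VPN
 subnet 10.254.250.0 255.255.255.128
object network Obj-Local-LAN
 subnet 10.254.254.0 255.255.255.0
nat (inside,outside) 1 source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup
"""

def parse_pools(cfg):
    """'ip local pool NAME FIRST-LAST [mask M]' -> {NAME: (FIRST, LAST)}."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)))
    return pools

def parse_network_objects(cfg):
    """'object network NAME' followed by ' subnet A M' or ' host A' -> {NAME: network}."""
    objs, current = {}, None
    for line in cfg.splitlines():
        head = re.match(r"^object network (\S+)", line)
        if head:
            current = head.group(1)
            continue
        if not line.startswith(" "):      # any other top-level command ends the object
            current = None
            continue
        body = re.match(r"^\s+(?:subnet (\S+) (\S+)|host (\S+))", line)
        if body and current:
            net = f"{body.group(1)}/{body.group(2)}" if body.group(1) else body.group(3)
            objs[current] = ipaddress.ip_network(net, strict=False)
    return objs

def identity_nat_pairs(cfg):
    """(source object, destination object) for each identity twice-NAT rule,
    i.e. 'nat (a,b) [n] source static X X destination static Y Y ...'."""
    return re.findall(
        r"^nat \(\S+,\S+\) (?:\d+ )?source static (\S+) \1 destination static (\S+) \2",
        cfg, re.M)

def uncovered_pool_addresses(cfg, pool_name):
    """Pool addresses that no identity-NAT destination object covers; traffic to
    these would still be NATted, so the VPN connects but passes no traffic."""
    first, last = parse_pools(cfg)[pool_name]
    objs = parse_network_objects(cfg)
    exempt = [objs[dst] for _, dst in identity_nat_pairs(cfg) if dst in objs]
    return [addr for addr in (ipaddress.ip_address(i) for i in range(int(first), int(last) + 1))
            if not any(addr in net for net in exempt)]

def malformed_acl_addresses(cfg):
    """ACL permit/deny lines whose source/destination address and mask do not
    parse (for example an address with a missing octet)."""
    bad = []
    for line in cfg.splitlines():
        m = re.match(r"^access-list \S+ (?:standard|extended) (?:permit|deny) (.*)$", line)
        if not m:
            continue
        toks = m.group(1).split()
        if toks and not re.match(r"\d|any|host|object", toks[0]):
            toks = toks[1:]              # extended ACLs name a protocol (ip, tcp, ...) first
        i = groups = 0
        try:
            while i < len(toks) and groups < 2:   # source, then (extended only) destination
                if toks[i] in ("any", "any4"):
                    i += 1
                elif toks[i] in ("host", "object", "object-group"):
                    if toks[i] == "host":
                        ipaddress.ip_address(toks[i + 1])
                    i += 2
                else:
                    ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False)
                    i += 2
                groups += 1
        except (ValueError, IndexError):
            bad.append(line)
    return bad

if __name__ == "__main__":
    print("uncovered pool addresses:",
          [str(a) for a in uncovered_pool_addresses(SAMPLE_CONFIG, "IPSEC-VPN-POOL")])
    print("malformed ACL lines:", malformed_acl_addresses(SAMPLE_CONFIG))
```

On the box above both checks come back clean; change the pool to end at .200 without touching Obj-Remote-IPSEC-VPN and the script lists the 73 addresses from .128 upwards that the exemption misses, and drop an octet from the split-tunnel ACL and that line is reported before the ASA ever sees it.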

Below are the commands required for an ASA running code OLDER than version 8.3.

[box]

access-list splitvpn standard permit 10.254.254.0 255.255.255.0
access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.250.0 255.255.255.0
ip local pool VPNPool 10.254.250.1-10.254.250.254 mask 255.255.255.0
nat (inside) 0 access-list nonat
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 10.254.254.10
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitvpn
split-dns value petenetlive.com
username user1 password IzFIX6IZbh5HBYwq encrypted privilege 0
username user1 attributes
vpn-group-policy remotevpn
sysopt connection tcpmss 1200
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
address-pool VPNPool
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key thisisthepresharedkey

[/box]

Related Articles, References, Credits, or External Links

Original article written 21/01/10, updated 07/06/11

Windows 8 and Cisco (IPSEC) VPN Client

Windows 10 – Running the Cisco VPN Client Software

Download Cisco VPN Client Software

KB ID 0001098 

Problem

The Cisco VPN client software (CVPN-CL-IPSEC-ALL) is no longer available from Cisco.

Cisco’s end-of-life milestones for the product are as follows (milestone, date, definition):

End-of-Life Announcement Date, July 29, 2011: The date the document that announces the end of sale and end of life of a product is distributed to the general public.

End-of-Availability Date, July 29, 2014: The last date to download the product from Cisco.com. The product is no longer available for download after this date.

End of SW Maintenance Releases Date, July 30, 2012: The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software.

Last Date of Support, July 29, 2014: The last date to receive service and support for the product. After this date, all support services for the product are unavailable, and the product becomes obsolete.

Solution

Download the latest versions below:

Windows 10/8.1/8/7/Vista x64 Bit Cisco VPN Client vpnclient-winx64-msi-5.0.07.0440-k9

Windows 10/8.1/8/7/Vista/XP x86 (32 Bit) Cisco VPN Client vpnclient-win-msi-5.0.07.0410-k9

MAC OSX vpnclient-darwin-4.9.01.0100-universal-k9

Linux vpnclient-linux-x86_64-4.8.02.0030-k9

Related Articles, References, Credits, or External Links

NA