FortiGate: SSL-VPN With FortiClient (AD Authenticated)

KB ID 0001725

Problem

FortiGate Remote Access (SSL-VPN) is a solution that is a lot easier to set up than on competing firewalls. Here's how to set up remote access to a FortiGate firewall, using the FortiClient software and Active Directory authentication. This is what my topology looks like;

Note: I've changed the FortiGate's default management HTTPS port from 443 to 4433 (before I started). This was to let me use the proper HTTPS port of 443 for the remote access SSL-VPN. I suggest you also do this, as running SSL-VPN over an 'odd' port may not work from some locations. See the following article;

FortiGate: Change the HTTPS Management Port

Certificate: I'm also using a self-signed certificate on the FortiGate; in a production environment you may want to purchase a publicly signed one!

Step 1: FortiGate LDAPS Prerequisites

Before we start, we need to make sure your firewall can resolve internal DNS, because the Kerberos certificate name on your Domain Controller(s) gets checked when doing LDAPS queries (if you DON'T want this, disable the server identity check when you set up your LDAP server below). Or you can add the IP address to the server's Kerberos certificate as a 'Subject Alternative Name', but that's a bit bobbins IMHO.

Network > DNS > Specify > Add in your 'Internal' DNS servers > Apply.


Certificate Prerequisites

To perform LDAPS the FortiGate needs to trust the certificate(s) that our domain controller(s) use. To enable that you need a copy of the CA certificate for the CA that issued them. At this point, if you're confused, you might want to run through the following article;

Get Ready for LDAPS Channel Binding

So to get a copy of your CA cert on a Windows CA server, use the following command;

[box]

certutil -ca.cert My-Root-CA-Cert.cer

[/box]


To 'Import' the certificate into the FortiGate > System > Certificates > Import > CA Certificate.

File > Upload > Browse to your CA Certificate > Open > OK.

Take note of the certificate name, (CA_Cert_1 in the example below,) you will need this information below.

Step 2: Allow FortiGate LDAPS Authentication (Active Directory)

User & Authentication > LDAP Servers > Add.

  • Name: Something Sensible!
  • Server IP/Name: Use the FQDN of the server (or you need to put the IP on the Kerberos certificate as a SAN!)
  • Server Port: 636 (We're not using 389; plain LDAP is NOT secure!)
  • Common Name Identifier: sAMAccountName
  • Distinguished Name: Enter the DN for either the top level of your domain or an OU that’s got all your users/groups in.
  • Bind Type: Regular.
  • Username: In DOMAIN\username format. Note: A normal domain user account is sufficient; it DOES NOT need to be a domain administrator.
  • Password: For the above user.
  • Secure Connection: LDAPS.
  • Certificate: Select YOUR CA Certificate.
  • Server Identity Check: Enabled.

Click 'Test Connectivity'. It should say successful; then you can check some other domain user credentials as a test > OK.
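The 'Server Identity Check', the CA certificate and the DNS prerequisite above are the three things that make LDAPS trustworthy, and they are also the three things that make 'Test Connectivity' fail. The following added example (my own Python, not Fortinet code or anything from the FortiGate) does the same TLS checks a client performs against a DC on 636 and maps each failure to the fix the article describes. It assumes a PEM copy of the CA file exported with certutil (the .cer may need converting to PEM first) and a hypothetical DC name dc01.example.local; the `demo()` function uses constructed failures so it runs with no network.

```python
"""Reproduce the FortiGate LDAPS trust checks with the Python stdlib.
Added example; not Fortinet code. Assumes a PEM CA file and a DC FQDN."""
import socket
import ssl

LDAPS_PORT = 636  # the page's point: 389 is cleartext LDAP, 636 is LDAP over TLS


def ldaps_context(ca_cert_path=None, server_identity_check=True):
    """Build the TLS context an LDAPS client needs.

    ca_cert_path: PEM copy of the CA certificate exported with
    `certutil -ca.cert` (convert the .cer to PEM if it is DER).
    With no path (an assumption for this example) the OS trust store is used.
    server_identity_check mirrors the FortiGate option: the chain is always
    verified against the CA, but with the check off the name on the DC's
    certificate is no longer compared with the host we dialled.
    """
    if ca_cert_path is None:
        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    else:
        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_cert_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = server_identity_check  # False == "Server Identity Check: Disabled"
    return ctx


def explain_failure(exc):
    """Map a handshake failure to the fix the article describes."""
    msg = str(exc).lower()
    if isinstance(exc, ssl.SSLCertVerificationError):
        if "mismatch" in msg:
            return ("name mismatch: dial the DC by the FQDN on its certificate "
                    "(or add the IP as a SAN); the server identity check is doing its job")
        if any(k in msg for k in ("local issuer", "self signed", "self-signed", "unknown ca")):
            return "untrusted issuer: import the issuing CA certificate (System > Certificates)"
        return "certificate rejected: " + str(exc)
    if isinstance(exc, socket.gaierror):
        return "DNS: the DC's FQDN does not resolve; point the firewall at internal DNS servers"
    if isinstance(exc, (ConnectionRefusedError, TimeoutError, socket.timeout)):
        return "no LDAPS listener: nothing answered on TCP 636 (DC lacks a certificate or the port is blocked)"
    return "unexpected error: " + repr(exc)


def ldaps_probe(host, ca_cert_path=None, server_identity_check=True, timeout=5.0):
    """Complete a TLS handshake on host:636 (no LDAP bind) and report what the
    DC presented. Returns (True, subject_alt_names) or (False, reason)."""
    ctx = ldaps_context(ca_cert_path, server_identity_check)
    try:
        with socket.create_connection((host, LDAPS_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                sans = [value for _kind, value in cert.get("subjectAltName", ())]
                return True, sans
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return False, explain_failure(exc)


def demo():
    """Constructed failures (no network needed) run through explain_failure."""
    cases = [
        ssl.SSLCertVerificationError(1, "certificate verify failed: Hostname mismatch, "
                                        "certificate is not valid for '10.0.0.10'"),
        ssl.SSLCertVerificationError(1, "certificate verify failed: unable to get local issuer certificate"),
        socket.gaierror(-2, "Name or service not known"),
        ConnectionRefusedError(111, "Connection refused"),
    ]
    return [explain_failure(e) for e in cases]


if __name__ == "__main__":
    for line in demo():
        print(line)
    # Live check against a hypothetical DC, with the exported CA converted to PEM:
    # ok, detail = ldaps_probe("dc01.example.local", "My-Root-CA-Cert.pem")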

Domain / Active Directory Setup

Over in my Active Directory I’ve created a security group called GS-VPN-Users, and put my user object into it.

Now I need to create a FIREWALL GROUP and add my ACTIVE DIRECTORY GROUP to that. User & Authentication > User Groups > Create New.

  • Name: Something sensible!
  • Type: Firewall

Remote Groups > Add.

Change the Remote Server drop-down list to your LDAPS Server > Browse to your ACTIVE DIRECTORY GROUP, right click and Add Selected (Cheers, that took me three goes to find Fortinet!) > OK.

All being well you should see your LDAPS server AND the distinguished name of your AD group, (check that’s not missing!) > OK.

Step 3: Setup FortiGate SSL-VPN

First we need an SSL Portal > VPN > SSL-VPN Portals > Create New.

  • Name: Something sensible!
  • Enable Split Tunnelling: Enabled. (If you don't do this then remote clients need to come through the FortiGate for web access; I usually enable split tunnel).
  • Source IP Pools: Add Then Create.

Address.

  • Name: Something sensible!
  • Type: IP Range
  • IP Range: The subnet you want to use. (Note: If you are routing on your LAN, make sure there's a route back to the FortiGate for this subnet or bad things will happen!)
  • Interface: SSL-VPN tunnel interface

OK.

Enter a portal message, (the header on the page once a remote user connects)  > Enable FortiClient download > OK.

If you see the following error, that's because on some smaller firewalls (like the 40F) there can only be one portal, so you need to edit the one that is there by default.

Maximum number of entries has been reached.

FortiGate SSL-VPN Settings

VPN > SSL-VPN Settings > Listen on Interfaces.

Set to the outside (WAN) interface > Address Range > Specify custom IP Ranges > IP Ranges > Add in the pool you created above.

DNS Server > Specify > Add in your internal DNS servers > Authentication Portal Mapping > Create New.

  • Users/Groups: Your AD GROUP.
  • Portal: Your Portal

OK.

Apply. (Note: If it complains 'All Other User/Group' is not configured, set that to web-access, as shown).

FortiGate SSL-VPN Firewall Policy

Policy & Objects > Firewall Policy (or IPV4 Policy on older versions) > Create New.

  • Name: Something sensible.
  • Incoming Interface: SSL-VPN Tunnel Interface.
  • Outgoing Interface: Inside (LAN).
  • Source: Your remote IP Pool AND your FIREWALL GROUP.
  • Destination: Local LAN (remember if you want DMZ access, add that in also)
  • Schedule: Always
  • Action: Accept
  • NAT: Disabled
  • Generate logs when session starts: Enabled

OK.

Step 4: Test FortiGate SSL-VPN

From your remote client, browse to the public IP/FQDN of the firewall and log in, you should see the SSL-VPN portal you created, and have the option to download the FortiClient (VPN) software for your OS version.

Install the FortiClient (Note: This is only the VPN component not the full FortiClient).

Remote Access > Configure VPN.

  • VPN: SSL-VPN.
  • Connection Name: Something sensible.
  • Remote Gateway: IP or FQDN of the FortiGate.
  • Authentication: Prompt on Logon (unless you want it to remember).
  • Do not warn invalid Server Certificate: Enabled (Unless you are using a publicly signed certificate on your FortiGate).

Save.

Then test the connection; make sure you can ping internal IP addresses and DNS names.

Related Articles, References, Credits, or External Links

NA

Azure: Point to Site VPN From macOS?

KB ID 0001693

Problem

We Mac users always get overlooked. If I had a pound for every time I've heard 'Yeah, we don't support Macs' I would be a rich man. But thankfully this makes us work things out for ourselves, usually!

So recently I did an article, Azure: Point To Site VPN (Remote Access User VPN), but what if you want to use the same solution for a remote Mac user?

Solution

Firstly you will want to download the VPN package (and have a valid client/user certificate, [see the link above]).

Obviously the installer is for Windows, but within the ZIP file you download, it has a copy of the XML file with the settings in it, and a copy of the Root CA certificate you used.

So your first job is to 'import' the client certificate. It will be in PFX format (if you followed my instructions), so you will need to supply the password you specified when creating the PFX file (not the Mac password) when prompted to install it (double click on it).

The engineer in me isn’t quite sure why the client needs the Root CA certificate on it, (because that’s not how certificates work!) But Microsoft insist it’s necessary, so also double click and install the Root CA Certificate, (it’s inside the VPN Package).

You don't need to install VPN software onto the Mac (it has its own built in). Click the Apple Logo > System Preferences > Network > Add > Interface = VPN > VPN Type = IKEv2 > Service Name = Azure-Client-VPN > Create.

Now open the XML file from within your VPN client software ZIP file, and locate the FQDN of the 'Gateway' address in Azure > Copy it to the clipboard.

Paste the server address into BOTH Server Address AND Remote ID > (Leave Local ID blank for now) > Authentication Settings

WARNING: I'm using macOS Catalina, so I choose 'None' (NOT CERTIFICATE). But for macOS Mojave (and older) CHOOSE CERTIFICATE. It's a bug that causes an error (see below) if you don't.

Select > Choose the CLIENT certificate you imported earlier (take note of the name in brackets; this is the common name on the certificate, and you will need it in a minute!) > Continue > OK.

Put the Common Name from the certificate into the Local ID section > Apply > Connect.

All being well it should connect (though it may prompt you to enter your user password). BY DEFAULT the option 'Show VPN Status in Menu Bar' should be ticked; if it isn't then tick it.

With that option ticked, you can connect and disconnect the VPN quickly without needing to go back into System Preferences like so;

Error: VPN Connection, ‘An unexpected error occurred’

Remember above when I said choose ‘None‘ for Catalina, NOT certificate? Well this is what happens if you choose certificate!

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Enable Split Tunnel for Remote Clients

KB ID 0000066

Problem

This is a simple job to do from command line, however the world is full of people who would rather spend an hour in the ASDM working out how to do it! So I’ve included both methods.

What is split tunneling?

This is the process of letting a remote VPN user browse the web, access local resources, etc. from their location whilst connected to your VPN; in this case via SSL-VPN, but it also applies to WebVPN or IPSEC VPN.

Solution

Option 1 Enable Split Tunnel via Command Line.

1. Connect to the ASA > Go to enable mode > Then to global configuration mode > Create an ACL that permits traffic from the network behind the ASA to any. (Note: Add additional ACLs for additional internal networks).

[box]

Type help or '?' for a list of available commands.
PetesASA> enable
Password: ******
PetesASA# configure terminal
PeteASA(config)# access-list Split-Tunnel standard permit 10.0.0.0 255.255.255.0

[/box]

2. Add the split tunnel to the policy you are using for your remote VPN (if you are unsure, issue a "show run group-policy").

[box]

PeteASA(config)# group-policy SSL_Policy attributes
PeteASA(config-group-policy)# split-tunnel-policy tunnelspecified
PeteASA(config-group-policy)# split-tunnel-network-list value Split-Tunnel
PeteASA(config-group-policy)# exit
PeteASA(config)#

[/box]

3. Save the changes.

[box]

PeteASA(config)# write mem
Building configuration...
Cryptochecksum: cb28eeb2 3d203272 eda92e1c a3b70d09

3166 bytes copied in 0.890 secs
[OK]
PeteASA(config)#

[/box]

Enable Split Tunnel on an older (PIX Firewall)

[box]

Type help or '?' for a list of available commands.
PetesPIX> enable
Password: ******
PetesPIX# configure terminal
PetesPIX(config)# access-list Split-Tunnel permit ip 10.0.0.0 255.255.255.0 any
PetesPIX(config)# vpngroup RemoteVPN split-tunnel Split-Tunnel

[/box]

Option 2 Enable Split Tunnel via ASDM

1. Launch the ASDM > Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Select your policy.

2. Edit > Select Advanced > Split Tunneling.

3. Next to Policy > Untick “Inherit” > Change to “Tunnel Network List Below”.

4. Next to “Network List” remove the tick from Inherit > Click Manage.

5. Add ACL > Call it something sensible like Split-Tunnel > OK.

6. Then click Add ACE.

7. Select Permit and enter the network BEHIND THE ASA > OK.

8. Should look a bit like this > OK.

9. OK.

10. Apply > File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Original Article Written 14/06/12

Troubleshooting Cisco ASA Split Tunnel

Cisco ASA – Remote VPN Client Internet Access

PPTP VPN – Enable Split Tunneling

Cisco VPN Client Connects but no traffic will Pass

Note: May also be asked as, Client VPN connects but cannot ping anything behind the Firewall.

KB ID 0000199

Problem

If I had a pound for every time I’ve seen this either in the wild, or asked in a forum, I would be minted! In nearly every case the problem is NAT related.

In most cases, if the person launching the VPN client is behind a device that is performing NAT (Home Router, Access Point, Firewall, etc.) then that device will BREAK the NO NAT, or "nat 0" on pre-8.3 firewalls (that's the command that says "DON'T change the address of my remote VPN client as it passes up and down the VPN tunnel").

Update 08/09/16: Due to a bug, I found an exception to this problem being broken NAT (see below).

Solution

Enable nat-traversal; this is a global configuration setting and will not affect any other site to site, or client to gateway VPNs you are currently running.

Option 1 Connect to the ASA Via Command Line.

Then go to enable mode > Configure Terminal mode > issue a "crypto isakmp nat-traversal 20" command > Then save the change with a "write mem" command.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# crypto isakmp nat-traversal 20
Petes-ASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
Petes-ASA#

[/box]

Option 2 Connect to the ASA Via ASDM (Version used here is 6.2(5))

If you can find this in the ASDM post version 7 – You are better than me!

Navigate to > Configuration > Remote Access VPN > Advanced > IKE Parameters > Tick “Enable IPSec over NAT-T” option > Set the “NAT Keepalive” to 20 seconds > Apply > File > Save running configuration to flash.

I've done that and it's still not working?

On a Firewall Running 8.3 (or Newer)

1. On the firewall issue a "show run nat" command > Make sure there is a NAT statement that has static (the network behind the ASA) to static (the remote VPN network). It's the first nat line in the output below.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.

Petes-ASA>enable
Password: ********
Petes-ASA# show run nat 
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-10.253.253.0 obj-10.253.253.0 route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network Media_PC
nat (inside,outside) static interface service tcp 123 123
!
nat (outside,outside) after-auto source dynamic VPN_Pool interface
PetesASA#

[/box]

2. Make sure the correct network(s) are in the correct groups.

[box]

PetesASA# show run object
object network obj-10.254.254.0
subnet 10.254.254.0 255.255.255.0 <- Subnet behind the ASA
object network obj-10.253.253.0 <- Remote VPN Subnet
subnet 10.253.253.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Media_PC
host 10.254.254.5
PetesASA#

[/box]

3. Also make sure you don’t have any legacy nat rules breaking things.

On a Firewall Older than Version 8.3

On the firewall issue a “show run nat 0” command > take note of the access-list name.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run nat 0
nat (inside) 0 access-list NO-NAT-TRAFFIC
nat (inside) 1 0.0.0.0 0.0.0.0

[/box]

In this example mine's called NO-NAT-TRAFFIC ('cause I like to keep things simple); yours can be called anything (inside_nat0_outbound is the norm if you used the ASDM to set up the VPN).

Now make sure that you have the correct addresses in that access-list; issue a "show run access-list {name}" command.

[box]

Petes-ASA#show run access-list NO-NAT-TRAFFIC
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.253.253.0 255.255.255.0
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.252.252.0 255.255.255.0
Petes-ASA#

[/box]

Above we have two subnets that are going to be exempt from NAT: 10.253.253.0/24 and 10.252.252.0/24. If the range of IP addresses your remote clients are using is NOT on this list you need to add them.

If you don’t know what addresses they are supposed to be using, then issue a “show run ip local pool” command.

[box]

Petes-ASA#show run ip local pool
ip local pool IPSEC-VPN-DHCP-POOL 10.253.253.1-10.253.253.5
ip local pool SSL-VPN-DHCP-POOL 10.252.252.1-10.252.252.5
Petes-ASA#

[/box]

Again I've got a sensible naming policy, so we can see what my pools are for. To see which pools are being used for what, issue a "show run tunnel-group" command.

[box]

Petes-ASA# show run tunnel-group
tunnel-group IPSEC-VPN-GROUP type remote-access <<< Here's my IPSEC VPN's
tunnel-group IPSEC-VPN-GROUP general-attributes
address-pool IPSEC-VPN-DHCP-POOL <<< And here's my matching DHCP scope (IPSEC)
authentication-server-group PNL-KERBEROS
default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes
pre-shared-key *****
tunnel-group SSL-VPN-POLICY type remote-access <<< Here's my SSL VPN's
tunnel-group SSL-VPN-POLICY general-attributes
address-pool SSL-VPN-DHCP-POOL <<< And here's my matching DHCP scope (SSL)
authentication-server-group PNL-KERBEROS
default-group-policy SSL-VPN-GROUP-POLICY
tunnel-group SSL-VPN-POLICY webvpn-attributes
group-alias PNL enable
Petes-ASA#

[/box]

If any of yours are missing then change accordingly.
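The three checks above (nat 0 ACL, ip local pools, tunnel-group to pool mapping) are easy to get wrong by eye when there are several pools. As an added example (my own Python, not Cisco code or anything from the ASA), the following cross-checks them from pasted "show run" output: it parses the nat 0 access-list, the pools and the tunnel-groups, and reports any pool whose address range is not wholly inside one of the NAT-exempt destination networks. The sample config is constructed from the output quoted above plus a made-up NEW-POOL / NEW-GROUP that was never added to the ACL, so the uncovered case is exercised.

```python
"""Cross-check pre-8.3 ASA nat 0 exemptions against remote-access pools.
Added example; not Cisco code. Works on pasted 'show run' text."""
import ipaddress
import re

# Constructed sample: the lines quoted in the article, plus a made-up
# NEW-POOL / NEW-GROUP that nobody added to the nat 0 access-list.
SHOW_RUN = """\
nat (inside) 0 access-list NO-NAT-TRAFFIC
nat (inside) 1 0.0.0.0 0.0.0.0
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.253.253.0 255.255.255.0
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.252.252.0 255.255.255.0
ip local pool IPSEC-VPN-DHCP-POOL 10.253.253.1-10.253.253.5
ip local pool SSL-VPN-DHCP-POOL 10.252.252.1-10.252.252.5
ip local pool NEW-POOL 10.251.251.1-10.251.251.50
tunnel-group IPSEC-VPN-GROUP type remote-access
tunnel-group IPSEC-VPN-GROUP general-attributes
 address-pool IPSEC-VPN-DHCP-POOL
tunnel-group SSL-VPN-POLICY type remote-access
tunnel-group SSL-VPN-POLICY general-attributes
 address-pool SSL-VPN-DHCP-POOL
tunnel-group NEW-GROUP type remote-access
tunnel-group NEW-GROUP general-attributes
 address-pool NEW-POOL
"""

NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
TG_RE = re.compile(r"^tunnel-group (\S+) general-attributes")
AP_RE = re.compile(r"^\s*address-pool (\S+)")


def nat0_acl_name(config):
    """Name of the access-list referenced by 'nat (...) 0', or None."""
    for line in config.splitlines():
        m = NAT0_RE.match(line)
        if m:
            return m.group(1)
    return None


def exempt_destinations(config):
    """Destination networks in the nat 0 ACL: the remote VPN subnets that
    must not be translated (source side is the network behind the ASA)."""
    name = nat0_acl_name(config)
    nets = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if m and m.group(1) == name:
            nets.append(ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}"))
    return nets


def parse_pools(config):
    """{pool name: (first address, last address)} from 'ip local pool' lines."""
    return {m.group(1): (m.group(2), m.group(3))
            for m in map(POOL_RE.match, config.splitlines()) if m}


def pool_owners(config):
    """{pool name: tunnel-group} from each general-attributes block."""
    owners, current = {}, None
    for line in config.splitlines():
        tg = TG_RE.match(line)
        if tg:
            current = tg.group(1)
            continue
        ap = AP_RE.match(line)
        if ap and current:
            owners[ap.group(1)] = current
    return owners


def report(config):
    """One row per pool: is its whole range inside a NAT-exempt network?
    A pool that straddles two ACEs is reported as uncovered (not unioned)."""
    nets = exempt_destinations(config)
    owners = pool_owners(config)
    rows = []
    for name, (start, end) in parse_pools(config).items():
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        covered = any(lo in n and hi in n for n in nets)  # contiguous, so ends suffice
        rows.append({"pool": name, "tunnel_group": owners.get(name), "covered": covered})
    return rows


def uncovered_pools(config):
    """Pool names whose clients will be NATted and so cannot pass traffic."""
    return [r["pool"] for r in report(config) if not r["covered"]]


if __name__ == "__main__":
    for row in report(SHOW_RUN):
        state = "ok" if row["covered"] else "MISSING from nat 0 ACL"
        print(f"{row['pool']:<22} {row['tunnel_group'] or '(unused)':<18} {state}")
```

Paste your own "show run nat 0", "show run access-list", "show run ip local pool" and "show run tunnel-group" output into SHOW_RUN (prompts stripped); any pool reported as missing is the one whose clients connect but cannot ping anything behind the firewall.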

BUG (08/09/16)

Had this problem again recently, and after staying on the phone to TAC until 03:00, it turned out to be a bug in the SFR (FirePOWER service module) code. That was causing the firewall to silently drop the AnyConnect traffic. So debugs showed nothing, and packet captures were empty. Fixed by removing ‘sfr fail-open’ from the firewall and upgrading the code by re-imaging the SFR module.

Related Articles, References, Credits, or External Links

NA

Bag Yourself a Cheap Firewall The Symantec FW100 and FW200(R) Appliances

KB ID 0000109 

Problem

OK, to be honest, before I went to work for my current employer I didn't even know Symantec made hardware firewalls, and at the time of writing they no longer make "Low End" firewalls and corporate support for them has all but ended. With this in mind there are a load of them currently being replaced with newer firewalls, and they are either getting thrown in cupboards "In case of emergency", ending up on eBay, or worst of all going in the skip.

So why would you want one then?

Because in true Petenetlive fashion you can pick them up for nothing, or for a few pounds on eBay, and they make an excellent firewall for your Home PC, Home network or Small business.

Fair enough but what’s the difference between the two?

Basically both firewalls can function as a hardware firewall and do site to site VPNs; the FW200 however can have 2 WAN connections, and the 200R supports client to gateway VPN connections using the Symantec Client VPN software. Both appliances have a built-in switch: on the FW100 it's a four port and on the FW200 it's an eight port.

FW100 (Top) and FW200 (Bottom)

To see what the Warning Lights and Symbols mean CLICK HERE

Right I’ve bought one now what the hell do I do with it?

That depends on what you want it for. There are a number of things a firewall can do: you can simply run through the basic setup and it will protect your PC/Network, or you might want to set up a permanent connection from home to your office (Site to Site VPN). Or you might want to access your PCs at home or in the office from anywhere in the world with an internet connection (Client to Gateway VPN, FW200R only). You may have a server at home or an Xbox and want to port forward particular traffic to a particular PC/Server or games console.

You can do as much or as little as you like with it. I'll outline the basic things you may want to do below.

1. Reset to factory Settings

2. Connect to the firewall for administration

3. Update the firmware

4. Basic Setup

5. Port Forwarding

6. Site to Site VPN

7. Client to Gateway VPN

8. Client VPN Software

Solution

Reset to Factory Settings

If you have got an appliance off eBay or been given it by work then chances are you won't know its settings and the password to get in and manage it, so before you do anything you need to reset the appliance back to its factory settings. Read the ENTIRE procedure before you do anything!

Factory Settings

1. Inside IP address set to 192.168.0.1

2. Inside Subnet Mask set to 255.255.255.0

3. Password is set to {Blank} – That’s NO Password.

4. Outside Interface(s) set to obtain their IP address dynamically.

5. Appliance turns on its internal DHCP server and leases addresses from its switch ports.

6. All traffic will be allowed out

7. No traffic will be allowed in (unless it's a reply to traffic instigated inside).

On the back of the appliance you will see a row of "dip" switches; you can turn them on (down) and off (up). With the unit powered off, use a pen or paperclip and have a couple of practice flicks on switch 1.

Procedure

1. Power off the appliance

2. Drop dip switch 1 to ON

3. Power on the appliance and watch the backup/active LED light come on.

4. As soon as the LED goes out flip dip switch 1 up (off), down (on), and up (off) again; note you only get 12 seconds!

5. If you have carried out the procedure correctly then the Error LED will come on and then alternate with the LAN/WAN Status LED.

6. The appliance will reboot; let it do so, then remove the power, wait a few seconds, and power it up again.

Connect to the Firewall for Administration

Assuming you have just reset the firewall then its internal IP address will be 192.168.0.1. Simply connect your PC or Laptop to the firewall using a standard ethernet cable to any of the ports labelled LAN.

Your PC should be set to get an IP address dynamically, or manually set an IP address in the 192.168.0.2 to 254 range. Then open a web browser and go to http://192.168.0.1

Standard front Page here on a FW100

And here on a FW200 (note the second WAN settings)

Note: You can manage these firewalls from outside (for example from work), BUT you need to enter the IP range that you will be administering from. To do this select the "Expert Level" section and enter the range (note: if you only have 1 IP, add it in both the Start and End IP address sections). You then access the device from http://public_IP_address:8088

Remember this is a firewall, so always set a password for access: select the "Config Password" section, then type and re-type a password. Then press Save.

Now to access the firewall the username is admin and the password you set above.

Upgrade the Firmware

You might wonder why bother; well, I've used these firewalls in anger on corporate networks, and I've seen strange problems with VPNs and other bugs that have been fixed by simply upgrading the firmware. Remember these are old firewalls, so the last version of firmware released for them (called 18F) was released Nov 2005. The FW100 firmware is here: vpn100_build18f, and the FW200 firmware is here: vpn200r_build18f. You will also need the nxtftpw.exe program; you can download that here: nxtftpw.

To check your firewall's firmware version, connect to the firewall as above and select the Status section > then the Device section. Here you will see the firmware revision. This one says V1 Rel 8D so it's version 18D; we are going to upgrade it to 18F.

To prepare the firewall for firmware updating, power it off and drop dip switches 1 and 2 on the back. Then power the firewall back on again.

On your PC launch nxtftpw.exe and enter the following information: under Server IP enter the IP address of the firewall, and in Local File navigate to the firmware file on your PC.

Warning: there are two versions of the firmware file; one looks like vpn100_18F_app.bin, the other looks like vpn100_18Fall.bin. Use app.bin, as all.bin will erase the configuration as well!

Click PUT.

It might take a while and say it's retrying a few times; be patient. When it's finished it will say SUCCESS at the bottom.

Wait a couple of minutes; when the lights on the appliance all return to normal, shut it down. Lift all the dip switches again and power back up.

Log back into the firewall and check the firmware revision on the Status Tab > Device Section to make sure the version is correct; it should say V1 Rel 8F.

Basic Setup

For a simple home user you will want to set an external IP with a default gateway and some DNS settings, then set your internal IP.

Main Setup Tab

If your ISP supplies your IP address via DHCP you don't need to do anything; that's the default. Note: if you have a router that needs PPPoE settings, these can be set up on this tab as well. Click Save when finished.

Static IP & DNS Tab

Or if you have a static IP address, enter it here with the subnet mask and the default gateway supplied by your ISP. Also note you can statically assign DNS servers here too; then your internal clients can point directly to the Symantec firewall for their DNS settings. Click Save when finished.

LAN IP & DHCP

Set your inside interface here. Note: you can also set the firewall up as a DHCP server for your network. Click Save when finished.

Port Forwarding

Not all port forwarding is used for servers and complicated communications; simply downloading torrent software or playing online games may require you to forward a port to one of your clients. For this example I'll port forward TCP Port 3389 (that's RDP, for the non-techs) so you can connect to your PC and server from outside. Note: doing this in the real world has security implications and is done at your own risk.

Custom Virtual Servers Tab

You need to give the protocol you are forwarding a name, like RDP. Tick Enable, enter the IP address you want to forward it to, then enter the port number into ALL FOUR boxes. When done click "Add."

This is what you want to be seeing 🙂

You will see the rule added at the bottom of the page. Note: As I said this is quite a security hole, so you can tick and untick Enable, then click Update, to turn it on and off as required.

Site to Site VPN

A site to site VPN connects one network to another securely, across an insecure network (in almost every case the insecure network is the public internet). So you can connect two offices together, or connect your home PC(s) to the office network. You need a device at both ends that can terminate a VPN. At our end we have the Symantec; the other can be your corporate firewall or a VPN server.

To form a VPN you need both ends to agree a "Policy"; as there are different methods of forming a VPN, the device at the other end must use the SAME settings as you do.

OK what do I need to know?

  • Encryption method: We will use 3DES
  • Hashing Method: We will use SHA1
  • Diffie Hellman Group: We will use Group 2
  • IP address of the other Firewall: We will use 123.123.123.123
  • Network address of the Other network (the far one you are connecting to): We will use 10.1.0.0
  • Subnet Mask of the Other network (the far one you are connecting to): We will use 255.255.0.0
  • A Pre shared Key: We will use qwertyuiop123

Note: This firewall uses a system called PFS. Tell the Firewall administrator at the other end of the tunnel to make sure that end has it enabled.

VPN Dynamic Key Tab

Give it a descriptive name > Tick Enable > PPPoE Session set to Session 1 > Select Main Mode > ESP 3DES SHA1 > SA Lifetime to 475 > Data Volume Limit to 2100000 > PFS enable

Gateway Address set to the IP of the other firewall > ID Type to IP Address > Pre Shared Key to qwertyuiop123 > NETBIOS Broadcast to Disable > Global Tunnel to Disable > Remote subnet to the network at the other end of the tunnel > Remote Mask to the mask at the other end of the tunnel. > Click Add

Hopefully you will see this.

You will then see the tunnel appear at the bottom of the screen.

And the connection will change colour and say “Connected” when the tunnel comes up.

Client to Gateway VPN (200R Only)

In a client to gateway scenario, you install the client software on a laptop or remote PC, then use that software to connect to your network behind the firewall. With this method you can securely connect many clients to one firewall.

OK What Do I need to Know?

  • A username: We will use Jane
  • A shared secret: We will use 1234567890qwertyuiop

VPN Dynamic Key Tab

This sets the levels and method of encryption used by your remote clients. Type the name clients into the name box > Enable > Session 1 > Aggressive mode > ESP 3DES SHA1 > 475 Mins > 2100000 > PFS enable > Gateway Address to 0.0.0.0 > ID Type to Distinguished Name > Click Add.

VPN Client Identity Tab

Enter the username > Tick Enable > Type in the shared secret > Tick Add > The user will be displayed at the bottom.

Obviously this procedure is carried out on the remote PC/Laptop.

Once you have the software installed (Note: you need to be a local system administrator to do this bit, or the software won't let you in), fire up the software and give yourself a username and password (this can be anything; it's just to log into the software, NOT to bring up the VPN). You will be asked to confirm the password.

This is the main screen; you can save many tunnels to many firewalls, but we are just dealing with one. Click New.

On the gateway tab, in IP address enter the IP of the outside of the firewall > Make sure download VPN policy is NOT checked > enter your shared secret 1234567890qwertyuiop (as set up on the firewall) > Your client phase 1 ID is the name on the firewall; in the example above that's "jane".

Click the Advanced Tab > Under Gateway Phase 1 ID re-enter the IP address of the outside of the firewall.

Click the Tunnels Tab > Click New.

Tunnel name HAS TO match the policy you created on the firewall (in our case "clients"). Then enter the network address and subnet mask of the network BEHIND the firewall you are connecting to. > OK > OK.

Back at the main screen click the Policies Tab > Set “Port Control Type” to “Wide Open”.

Click the Gateways Tab > Log Off > Close and restart the client software > Select the tunnel and click connect > You are connected when you see a message in the progress log stating "security gateway connected".

Related Articles, References, Credits, or External Links

NA

Cisco ASA5500 Client IPSEC VPN Access

(This method uses the ASA to hold the user database.) To use RADIUS CLICK HERE; to use Kerberos CLICK HERE.

KB ID 0000070

Problem

Note: IPSEC VPN is still possible, but getting Windows clients working is a little sketchy, and you will have to mess about with them to get them to work on modern versions of Windows. (Mac OSX and iPhone/iPad can connect with their built-in VPN software though).

Below is a walkthrough for setting up a client to gateway VPN tunnel using a Cisco ASA appliance. This is done via the ASDM console.

It also uses the Cisco VPN client. This is no longer available from Cisco; see the following article.

Download Cisco VPN Client Software

Solution

Step 1 Configure the ASA5500

1. Open up the ASDM console. > Click Wizards > VPN Wizard.

2. Select “Remote Access”. > Next.

3. Select Cisco VPN Client. > Next.

4. Enter a Pre Shared Key e.g. thisisthepresharedkey > And then give the Tunnel group a name e.g. “RemoteVPN”. > Next.

5. Select “Authenticate using the local user database”. > Next.

6. Now create a user; for this exercise I've created a user called user1 with a password of password1.

7. Click Add. > Next.

8. Now we need to create some IP addresses that the remote clients will use when connected. > Click New.

9. Give the Pool a name e.g. RemotePool and set the start and end IP addresses you want to lease (note these DON'T have to be on the same network as your internal IPs; in fact, for auditing it's good practice to make them different). > Enter a Subnet Mask. > OK.

10. Click Next.

11. Enter the details you want the remote clients to use while connected: DNS servers, WINS Servers and domain name. > Next.

12. Leave it on the defaults of 3DES, SHA and DH Group 2 (Note: some Cisco VPN clients will not support AES). > Next.

13. Again leave it on the default of 3DES and SHA. > Next.

14. You can choose what IP addresses you want the remote VPN clients to have access to, first change the dropdown to “Inside”, here I want them to have access to the entire network behind the ASA so I will choose 10.254.254.0 with a mask of 255.255.255.0 > Click Add. > Next.

NOTE If you do not tick the box to enable “Split Tunneling” then the client cannot browse the internet etc while connected via VPN.

15. Review the information at the end of the wizard. > Finish

16. Now you need to save the changes you have just made, From the ASDM Select File > “Save running configuration to flash”

Step 2 Configure the Client VPN Software on the remote client.

Also See THIS VIDEO

1. I’ll assume you have the software installed; you can get it from two places, on the CD that came with the ASA, or download it direct from Cisco (NOTE: this needs a valid Cisco CCO account and a service contract). > Click New.

2. Under connection entry give the connection a name, e.g. “Remote VPN to Office” > Under “Host” enter the Public IP of the ASA (NOTE: I’ve blurred this one out to protect my IP address). > Under “Name” enter the name you created earlier (Step 1 number 4) > Under Password use the password you created earlier (Step 1 number 4) and enter it a second time to confirm. NOTE: these are NOT the usernames and passwords you created in Step 1 number 6. > Click the Transport Tab.

3. Accept the defaults, but tick “Allow LAN access” if you want to be able to access YOUR drives etc. from the network behind the ASA. > Save.

4. Select the Connection you have just created. > Connect.

5. Enter the username and password you created earlier (Step 1 Number 6) of user1 and password1. > OK.

6. After a few seconds (provided the details were all right) it will connect; hover over the padlock in your task tray and it should say “VPN Client – Connected”.

Create Additional Users on the ASA

1. Open the ASDM and navigate to Configuration > VPN > General > Users > Add.

2. Give the user a name > Enter and confirm a password > Set the Privilege Level to 0 > Then Select the VPN Policy Tab.

3. Under Group Policy untick “Inherit” > Select RemoteVPN (the policy you set in Step 1 Number 4) > OK.

4. You will now see the user listed. (Don’t forget to save the settings: File > “Save Running Configuration to Flash”).

Setup ASA 5500 IPSEC Remote VPN From Command Line

[box]

ip local pool IPSEC-VPN-POOL 10.254.250.1-10.254.250.100 mask 255.255.255.0
!
access-list ACL-SPLIT-TUNNEL standard permit 10.254.254.0 255.255.255.0
!
object network Obj-Remote-IPSEC-VPN
 subnet 10.254.250.0 255.255.255.128
!
object network Obj-Local-LAN
 subnet 10.254.254.0 255.255.255.0
!
group-policy IPSEC-Remote-VPN internal
group-policy IPSEC-Remote-VPN attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-SPLIT-TUNNEL
 dns-server value 8.8.8.8
 default-domain value petenetlive.com
 vpn-simultaneous-logins 5
!
tunnel-group IPSEC-Remote-VPN type remote-access
tunnel-group IPSEC-Remote-VPN general-attributes
 default-group-policy IPSEC-Remote-VPN
 address-pool IPSEC-VPN-POOL
tunnel-group IPSEC-Remote-VPN ipsec-attributes
 ikev1 pre-shared-key 123456
!
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 enable outside
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
!
nat (inside,outside) 1 source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup
!
crypto isakmp nat-traversal 20
!
username TestUser password Password123 privilege 0
username TestUser attributes
 vpn-group-policy IPSEC-Remote-VPN

[/box]

Below are the commands required for an ASA running code OLDER than version 8.3.

[box]

access-list splitvpn standard permit 10.254.254.0 255.255.255.0
access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.250.0 255.255.255.0
ip local pool VPNPool 10.254.250.1-10.254.250.254 mask 255.255.255.0
nat (inside) 0 access-list nonat
group-policy remotevpn internal
group-policy remotevpn attributes
 dns-server value 10.254.254.10
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitvpn
 split-dns value petenetlive.com
username user1 password IzFIX6IZbh5HBYwq encrypted privilege 0
username user1 attributes
 vpn-group-policy remotevpn
sysopt connection tcpmss 1200
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
 address-pool VPNPool
 default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
 pre-shared-key thisisthepresharedkey

[/box]

Related Articles, References, Credits, or External Links

Original article written 21/01/10 updated 07/06/11

Windows 8 and Cisco (IPSEC) VPN Client

Windows 10 – Running the Cisco VPN Client Software

Cisco ASA 5500 – Remote Management via VPN

KB ID 0000984

Problem

It’s been ages since I had to do this; I usually just manage firewalls via SSH from outside. But I was out on a client site last week and needed to connect to my ASA, so I simply connected in via AnyConnect;

Note: The same procedure is applicable if you are an IPSEC VPN client, L2TP VPN client, or simply coming in over a site to site VPN link.

And attempted to SSH, no joy, I tried the ASDM, nothing. So basic troubleshooting kicked in, and I tried to ping its inside interface;

Solution

Normally, you would see this if you forgot to add ‘management-access inside‘ to the firewall. I was sure I had, so I connected to one of my servers and then SSH’d to the firewall to check, and that command was there?

The cause of the problem was a change made in version 8.4(3). I had to edit the NAT rule for the remote traffic. But I’ll cover ALL the bases in case you are missing anything else.

1. Connect to the firewall via CLI, and check management-access is on for the interface you are connecting to; mine is the ‘inside’ interface, yours might be management or some other name you have allocated to the interface in question.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# show run management-access
management-access inside
PetesASA#

If yours is different or missing;

PetesASA# configure terminal
PetesASA(config)# management-access inside

[/box]

To do the same via ASDM.

2. Now I know my remote VPN clients are getting 10.253.254.x addresses (show run ip local pool should tell you, unless you are using internal DHCP for the remote clients). After version 8.4(3) you need an extra command on the end of the NAT rule for that traffic. I’ll highlight the line below;

[box]

PetesASA# show run nat
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-10.253.253.0 obj-10.253.253.0
!
object network obj_any
 nat (inside,outside) dynamic interface
object network Media_PC
 nat (inside,outside) static interface service tcp 467 467
!
nat (outside,outside) after-auto source dynamic VPN_Pool interface
PetesASA#

[/box]

3. The line highlighted above needs ‘route-lookup’ adding to the end of it.

[box]

PetesASA# configure terminal
PetesASA(config)# nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-10.253.253.0 obj-10.253.253.0 route-lookup

[/box]

To do the same in the ASDM locate the NAT rule, edit it, and tick this box. (Configuration > Firewall > NAT Rules).
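The two mistakes that bite most often with a remote-access config like the ones above are a dangling or mis-cased name (the tunnel-group pointing at a pool that was defined with different capitalisation, a split-tunnel ACL that was never created) and, on 8.4(3) and later, an identity NAT for the VPN traffic that was written without ‘route-lookup’ while ‘management-access’ is set. The script below is an added example (not from this article and not a Cisco tool) that runs those checks offline over a pasted ‘show run’. It assumes the config is plain text with one command per line, ignores indentation, and treats names as case-sensitive; the sample config it ships with is constructed for the demonstration and deliberately contains three of these slips.

```python
"""Offline sanity checks for a Cisco ASA remote-access VPN configuration.

Added example: regex-based, one command per line, indentation ignored.
It flags (a) references to pools, ACLs and group-policies that are never
defined, (b) references that match a definition only when case is
ignored, and (c) identity NAT rules without 'route-lookup' when
'management-access' is configured (the management-via-VPN symptom).
"""
import re
from typing import Dict, List

# Constructed sample (not a real device). Three deliberate slips:
# split-tunnel ACL name does not exist, address-pool differs in case
# from the defined pool, and the identity NAT lacks 'route-lookup'.
SAMPLE_CONFIG = """
management-access inside
ip local pool VPNPool 10.254.250.1-10.254.250.100 mask 255.255.255.0
access-list ACL-SPLIT-TUNNEL standard permit 10.254.254.0 255.255.255.0
object network Obj-Local-LAN
 subnet 10.254.254.0 255.255.255.0
object network Obj-Remote-VPN
 subnet 10.254.250.0 255.255.255.128
group-policy IPSEC-Remote-VPN internal
group-policy IPSEC-Remote-VPN attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group IPSEC-Remote-VPN type remote-access
tunnel-group IPSEC-Remote-VPN general-attributes
 default-group-policy IPSEC-Remote-VPN
 address-pool vpnpool
nat (inside,outside) 1 source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-VPN Obj-Remote-VPN no-proxy-arp
username TestUser attributes
 vpn-group-policy IPSEC-Remote-VPN
"""

# Where each kind of object is defined, and every command that refers to it.
DEFINITIONS = {
    "ip local pool": re.compile(r"^ip local pool (\S+)"),
    "access-list": re.compile(r"^access-list (\S+) "),
    "group-policy": re.compile(r"^group-policy (\S+) internal"),
}
REFERENCES = {
    "ip local pool": [re.compile(r"^address-pool (\S+)")],
    "access-list": [re.compile(r"^split-tunnel-network-list value (\S+)")],
    "group-policy": [re.compile(r"^default-group-policy (\S+)"),
                     re.compile(r"^vpn-group-policy (\S+)")],
}
# Identity (twice) NAT: same object on both sides of source and destination.
IDENTITY_NAT = re.compile(
    r"^nat \(\S+\) (?:\d+ )?source static (\S+) \1 destination static (\S+) \2(.*)$")


def lint_asa_vpn(config: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    defined: Dict[str, List[str]] = {kind: [] for kind in DEFINITIONS}
    for ln in lines:
        for kind, rx in DEFINITIONS.items():
            m = rx.match(ln)
            if m and m.group(1) not in defined[kind]:
                defined[kind].append(m.group(1))

    findings: List[str] = []
    for ln in lines:
        for kind, rxs in REFERENCES.items():
            for rx in rxs:
                m = rx.match(ln)
                if not m or m.group(1) in defined[kind]:
                    continue
                name = m.group(1)
                # A name that differs only in case is the classic copy-paste
                # slip, so report it separately from a name that is missing.
                close = [d for d in defined[kind] if d.lower() == name.lower()]
                if close:
                    findings.append(f"case mismatch: '{ln}' refers to {kind} "
                                    f"'{name}' but the defined name is '{close[0]}'")
                else:
                    findings.append(f"undefined: '{ln}' refers to {kind} "
                                    f"'{name}' which is never defined")

    # Heuristic from the article: with management-access set, identity NAT
    # for the VPN traffic needs route-lookup on 8.4(3) and later.
    has_mgmt = any(ln.startswith("management-access ") for ln in lines)
    for ln in lines:
        m = IDENTITY_NAT.match(ln)
        if m and has_mgmt and "route-lookup" not in m.group(3):
            findings.append("identity NAT without route-lookup while "
                            f"management-access is set: '{ln}'")
    return findings


if __name__ == "__main__":
    for finding in lint_asa_vpn(SAMPLE_CONFIG):
        print(finding)
```

Paste the output of ‘show run’ into the string (or read it from a file) and run the script; three lines are printed for the sample. The NAT check is deliberately narrow: it only looks at twice NAT rules where the same object is repeated on both sides, which is the shape the identity exemption for VPN traffic takes, and it does not try to work out which rule carries the VPN pool.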

4. At this point your VPN client(s) should now be able to ping the interface again.

5. As with any management traffic, also ensure that the subnet you are connecting from has been allowed.

[box]

Check SSH

PetesASA# show run ssh
ssh 10.253.253.0 255.255.255.0 inside
ssh 10.254.254.0 255.255.255.0 inside
ssh 123.123.123.123 255.255.255.255 outside
ssh timeout 45
ssh key-exchange group dh-group1-sha1
PetesASA#

Check Telnet (If used)

PetesASA# show run telnet
telnet 10.253.253.0 255.255.255.0 inside
telnet 10.254.254.0 255.255.255.0 inside
telnet timeout 45
PetesASA#

Check ASDM (If used)

PetesASA# show run http
http server enable
http 10.253.253.0 255.255.255.0 inside
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside
PetesASA#

[/box]

6. Save the changes.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#

[/box]

Related Articles, References, Credits, or External Links

Cisco ASA – Allow Remote Management

Connecting to and Managing Cisco Firewalls

Cisco AnyConnect – Essentials / Premium Licenses. Explained

KB ID 0000628 

Problem

Note: With Anyconnect 4 Cisco now use Plus and Apex AnyConnect licensing.

When Cisco released the 8.2 version of the ASA code, they changed their licensing model for AnyConnect Licenses. There are two licensing models, Premium and Essentials.

Solution

Cisco ASA AnyConnect Premium Licenses.

You get two of these free with your firewall*, with a ‘Premium License’ you can use the AnyConnect client software for remote VPN Access, and you can access Clientless SSL facilities via the web portal.

*As pointed out by @nhomsany: “The two default premium licenses available are NOT cross-platform, (i.e. only Mac or Windows).”

Additionally you can use this license model with the Advanced Endpoint Assessment License; this is the license you require for Cisco Secure Desktop. You can also use this license with the AnyConnect Mobile license for access from mobile devices like phones or tablets (both these licenses are an additional purchase).

For most people wishing to buy extra AnyConnect licensing, this will be the one you want. Their type and size differ depending on the ASA platform in question, e.g. the 5505 premium licenses are available as 10 session and 25 session licenses, and the 5510 ones are in 10, 25, 50, 100 and 250 sessions. (Note: These are correct for version 8.4 and are subject to change, check with your reseller).

Failover: If you are using failover firewalls you can (but don’t have to) use a shared license model; this lets you purchase a bundle of Premium licenses and share them across multiple pieces of hardware. This requires an ASA to be set up as the license server. Before version 8.3 you needed to purchase licenses for both firewalls. After version 8.3, Cisco allowed the licenses to be replicated between firewalls in a failover pair. The exception is Active/Active, where the number of licenses is aggregated together from both firewalls and ALL are available providing the figure does not exceed the maximum for the hardware being used.

Cisco ASA AnyConnect Essential Licenses

When you enable ‘Essential Licensing’, your firewall changes its licensing model and the two Premium licenses you get with it are disabled*. The Firewall will then ONLY accept AnyConnect connections from the AnyConnect VPN client software.

Note: The portal still exists, but can only be used to download the AnyConnect Client Software.

With Essentials licensing enabled, the firewall will then accept the maximum VPN sessions it can support for that hardware version (see here), without the need to keep adding licenses.

Note: Remember these are “Peer VPN Sessions”. If you have a bunch of other VPNs (including IPSEC ones), then these are taken from the ‘pot’.

Additionally, you can also use this license with the AnyConnect Mobile license for access from mobile devices like phones or tablets; this license is an additional purchase.

Failover: Prior to version 8.3, if you have failover firewalls and are using Essentials licenses you need to purchase an Essentials license for BOTH firewalls. After version 8.3 Cisco allowed the licenses to be replicated between firewalls in a failover pair.

Cisco ASA Maximum VPN Peers / Sessions

5505 = 25
5510 = 250
5520 = 750
5540 = 5,000
5550 = 5,000
5580 = 10,000

Next Generation Platform (X)

5512-X = 250
5515-X = 250
5525-X = 750
5545-X = 2,500
5555-X = 5,000
5585-X = 10,000

*To re-enable the built in Premium Licenses you need to disable Essentials licensing by using the ‘no anyconnect-essentials’ command, or in the ASDM > Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials.

Related Articles, References, Credits, or External Links

Cisco ASA5500 AnyConnect SSL VPN 

Cisco AnyConnect Mobility License

Cisco ASA 5500 – Adding Licenses