Cisco Firepower 1010 Configuration

KB ID 0001673

Background

This page will be used as a central repository and ‘index’ for configuration on the Cisco Firepower 1010 series firewall. I intend to add to it as I test the capabilities and work out any problems whilst trialing/deploying and operating this platform.

Config Documents

VPN Firepower 1000 series running ASA Code.

General

Cisco Firepower 1010 Licensing

Reimage Cisco 1010 ASA to FTD

VPN

EZVPN

Is not supported on this platform, it cannot be configured as an EZVPN client.

Site to Site VPN (as per older 5500-x and 5500 series)

Cisco ASA Site To Site VPN IKEv2 “Using CLI”

Cisco ASA Site To Site VPN IKEv1 “Using CLI” (Only normally required, if the other end does not support IKEv2)

Cisco ASA Site to Site VPN ‘Using ASDM’

Remote Access VPN

Cisco ASA AnyConnect VPN ‘Using CLI’

Cisco ASA AnyConnect VPN ‘Using ASDM’

Cisco ASA – L2TP over IPSEC VPN ‘Using CLI or ASDM’ (Using Windows 10 Built in VPN client)

Port Forwarding and NAT

Cisco ASA Port Forwarding ‘Using CLI or ASDM’

Cisco ASA Port Forwarding To A Different Port

Cisco ASA Port Forwarding a ‘Range of Ports’

Cisco ASA Static (One to One) NAT Translation

 

VPN Firepower 1000 series running FTD Code.

General

Cisco Firepower 1010 (FTD) Initial Setup

Cisco FTD: AMP/URL Filtering/Threat Detection and AVC

VPN

Site to Site VPN 

Cisco FTD Site to Site VPN

Remote Access VPN 

Cisco FTD Remote Access VPN (AnyConnect)

Cisco FTD (and ASA) Creating AnyConnect Profiles

 

 

I will continue to add to this page but please be patient. (I’m juggling two jobs, and have a personal life!)

Related Articles, References, Credits, or External Links

NA

Cisco ASA AnyConnect VPN ‘Using CLI’

KB ID 0000943

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco FTD running ASA Code.

Also See Cisco ASA AnyConnect VPN ‘Using ASDM’

This procedure was done on Cisco ASA (post) version 8.4, so it uses all the newer NAT commands. I’m also going to use self signed certificates so you will see this error when you attempt to connect.

Solution

1. The first job is to go get the AnyConnect client package(s), download them from Cisco, (with a current support agreement). Then copy them into the firewall via TFTP. If you are unsure how to do that see the following article.

Install and Use a TFTP Server

[box]

Petes-ASA(config)# copy tftp flash

Address or name of remote host [10.254.254.183]? 192.168.80.1

Source filename []?anyconnect-win-4.7.02036-webdeploy-k9.pkg

Destination filename [anyconnect-win-4.7.02036-webdeploy-k9.pkg]? {Enter}

Accessing tftp://192.168.80.1/anyconnect-win-4.7.02036-webdeploy-k9.pkg
.........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

4807912 bytes copied in 549.790 secs (8757 bytes/sec)
Petes-ASA(config)#

[/box]

2. Create a ‘pool’ of IP addresses that the ASA will allocate to the remote clients, also create a network object that covers that pool of addresses we will use later.

[box]

Petes-ASA(config)# ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
Petes-ASA(config)# object network OBJ-ANYCONNECT-SUBNET
Petes-ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0

[/box]

3. Enable webvpn, set the package to the one you uploaded earlier, then turn on AnyConnect.

[box]

Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 1 
Petes-ASA(config-webvpn)# anyconnect enable

[/box]

4. I’m going to create a LOCAL username and password, I suggest you do the same, then once you have proved it’s working OK, you can. change the authentication method, (see links below). I’m also going to create an ACL that we will use for split-tunneling in a minute.

[box]

Petes-ASA(config)# username PeteLong password Password123
Petes-ASA(config)# access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0

[/box]

5. Create a group policy, change the values to match your DNS server(s), and domain name accordingly.

[box]

Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE internal
Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client
Petes-ASA(config-group-policy)# dns-server value 10.0.0.10 10.0.0.11
Petes-ASA(config-group-policy)# split-tunnel-policy tunnelspecified
Petes-ASA(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
Petes-ASA(config-group-policy)# default-domain value petenetlive.com

[/box]

6. Create a matching tunnel-group that ties everything together.

[box]

Petes-ASA(config-group-policy)# tunnel-group ANYCONNECT-PROFILE type remote-access
Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# default-group-policy GroupPolicy_ANYCONNECT-PROFILE
Petes-ASA(config-tunnel-general)# address-pool ANYCONNECT-POOL
Petes-ASA(config-tunnel-general)# tunnel-group ANYCONNECT-PROFILE webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# group-alias ANYCONNECT-PROFILE enable

[/box]

7. Then stop any traffic that is going to, (or coming from) the remote clients from being NATTED.

[box]

Petes-ASA(config)# nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup

[/box]

8. Save the changes.

[box]

PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

9. Give it a test from a remote client.

AnyConnect Commands to Copy and Paste

Simply change the values shown in red;

[box]

!
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
!
webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
anyconnect enable
!
username PeteLong password Password123
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
!
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
dns-server value 10.0.0.10 10.0.0.11
wins-server none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!

[/box]

Related Articles, References, Credits, or External Links

Cisco ASA AnyConnect VPN ‘Using ASDM’

AnyConnect: Allow ‘Local’ LAN Access

Cisco AnyConnect – Essentials / Premium Licences Explained

Cisco AnyConnect – PAT External VPN Pool To An Inside Address

AnyConnect (AAA) Authentication Methods

Kerberos Authentication (Cisco ASA)

LDAP Authenticaiton (Cisco ASA)

RADIUS Authentication(Cisco ASA)

Duo 2FA Authentication (Cisco ASA)

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Cisco ASA Site To Site VPN IKEv2 “Using CLI”

KB ID 0001429

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

You want a secure IPSEC VPN between two sites using IKEv2.

Note: If the device you are connecting to does not support IKEv2 (i.e. it’s not a Cisco ASA, or it’s running code older than 8.4) then you need to go to the older version of this article;

Cisco ASA 5500 Site to Site VPN IKEv1 (From CLI)

Solution

Before you start – you need to ask yourself “Do I already have any IPSEC VPN’s configured on this firewall?” Because if it’s not already been done, you need to enable ISAKMP IKEv2 on the outside interface. To ascertain whether yours is on or off, issue a “show run crypto ” command and check the results, if you do NOT see  “crypto ikev2 enable outside” then you need to issue that command.

[box]

PetesASA# show run crypto
crypto ikev2 enable outside << Mines already enabled and its IKE version 2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

[/box]

1. I’m going to create access control lists next, one to tell the ASA what is “Interesting traffic”, that’s traffic that it needs to encrypt.

So below I’m saying “Don’t NAT Traffic from the network behind the ASA (10.254.254.0) that’s going to network behind the VPN device at the other end of the tunnel (172.16.254.0).

[box]

PetesASA(config)#object network Site-A-SN
PetesASA(config-network-object)#subnet 10.254.254.0 255.255.255.0
PetesASA(config)#object network Site-B-SN
PetesASA(config-network-object)#subnet 172.16.254.0 255.255.255.0
PetesASA(config)#access-list VPN-INTERESTING-TRAFFIC line 1 extended permit 
ip object Site-A-SN object Site-B-SN
PetesASA(config)#nat (inside,outside) source static Site-A-SN Site-A-SN 
destination static Site-B-SN Site-B-SN no-proxy-arp route-lookup

[/box]

2. Now I’m going to create a “Tunnel Group” to tell the firewall it’s a site to site VPN tunnel “l2l”, and create a shared secret that will need to be entered at the OTHER end of the site to site VPN Tunnel. I also set a keep alive value.

Note: Ensure the Tunnel Group Name is the IP address of the firewall/device that the other end of the VPN Tunnel is terminating on.

[box]

PetesASA(config)# tunnel-group 123.123.123.123 type ipsec-l2l
PetesASA(config)# tunnel-group 123.123.123.123 ipsec-attributes
PetesASA(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
PetesASA(config-tunnel-ipsec)# exit

[/box]

3. Now we need to create a policy that will setup how “Phase 1” of the VPN tunnel will be established. It sets the encryption type (AES-256), the hashing/integrity algorithm (SHA-256), The Diffie Hellman group exchange version, and the Level of PRF (Pseudo Random Function). Finally it sets the timeout before phase 1 needs to be re-established. It sets the timeout value to 86400 seconds (That’s 1440 Minutes – or 24 hours if your still confused 🙂 ).

[box]

PetesASA(config)# crypto ikev2 policy 10
PetesASA(config-ikev1-policy)# encryption aes-256
PetesASA(config-ikev1-policy)# integrity sha256
PetesASA(config-ikev1-policy)# group 19
PetesASA(config-ikev1-policy)# prf sha256
PetesASA(config-ikev1-policy)# lifetime 86400

[/box]

4. We stated above that we are going to use AES-256 and SHA-256, for Phase 1, so let’s use the same for the IPSEC proposal (Phase 2), ‘Transform Set’.

[box]

PetesASA(config)# crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
PetesASA(config-ipsec-proposal)# protocol esp encryption aes-256
PetesASA(config-ipsec-proposal)# protocol esp integrity sha-1

[/box]

5. Finally we need to create a “Cryptomap”, this is the ‘thing’ that fires up the tunnel, when the ACL INTERESTING TRAFFIC is used, it also defines the transform set for “Phase 2” of the VPN Tunnel, that will also use 3DES and SHA and PFS. And last of all we apply that Cryptomap to the outside interface.

[box]

PetesASA(config)# crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC 
PetesASA(config)# crypto map CRYPTO-MAP 1 set peer 123.123.123.123
PetesASA(config)# crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
PetesASA(config)# crypto map CRYPTO-MAP interface outside
 

[/box]

5. Don’t forget to save your hard work with a “write mem” command.

[box]

PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

6. Simply configure the other end as a “Mirror Image” of this one.

ASA 5500 Site to Site IKEv2 VPN Copy and Paste Config

Note: This uses AES-256 and SHA-256. It also assumes your outside interface is called ‘outside’. Check! I’ve seen them called Outside (capital O), wan, and WAN.

[box]

!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
object network OBJ-SITE-A
subnet 10.0.0.0 255.255.255.0
object network OBJ-SITE-B
subnet 10.0.3.0 255.255.255.0
!

access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B
nat (inside,outside) source static OBJ-SITE-A OBJ-SITE-A destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!
 
[/box]

Simply change the values in red where;

  • 10.0.0.0 255.255.255.0 is the network behind the ASA you are working on.
  • 10.0.3.0 255.255.255.0 is the destination network behind the device you are connecting to.
  • 2.2.2.2 is the peer IP address of the device you are attempting to connect to.
  • 1234567 Is the shared secret you will use at both ends.

Related Articles, References, Credits, or External Links

NA

Microsoft Azure ‘Route Based’ VPN to Cisco ASA

KB ID 0001515

Problem

This covers the, (more modern) Route based VPN to a Cisco ASA that’s using a VTI (Virtual Tunnel Interface).

 

Virtual Network Gateway Options

With VPN’s into Azure you connect to a Virtual Network Gateway, of which there are TWO types Policy Based, and Route Based. This article will deal with Route Based, for the older Policy Based option, see the following link;

Microsoft Azure To Cisco ASA Site to Site VPN

Route Based

These were typically used with routers, because routers used Virtual Tunnel Interfaces to terminate VPN tunnels, that way traffic can be routed down various different tunnels based on a destination, (which can be looked up in a routing table). Cisco ASA now supports Virtual Tunnels Interfaces (After version 9.7(1)).

Advantages

  • Can be used for VPNs to multiple sites.

Disadvantages

  • Requires Cisco ASA OS 9.7(1) So no ASA 5505, 5510, 5520, 5550, 5585 firewalls can use this.

Policy Based

These came first, essentially they work like this, “If traffic is destined for remote network (x) then send the traffic ‘encrypted’ to local security gateway (y).”  Note: Where Local Security Gateway is a firewall at YOUR site, NOT in Azure! This is the way traditionally VPNs have been done in Cisco ASA, in Cisco Firewall speak it’s the same as “If traffic matches the interesting traffic ACL, then send the traffic ‘encrypted’ to the IP address specified in the crypto map”. 

Advantages:

  • Can be used on older Cisco Firewalls (ASA 5505, 5510, 5520, 5550, 5585).
  • Can be used on newer Cisco Firewalls (ASA 5506-x, 5508-X, 5512-x, 5515-x, 5516-x, 5525-X, 5545-X, 5555-x, 5585-X)
  • Can be used with Cisco ASA OS (pre 8.4) IKEv1 only.

Disadvantages

  • Can only be used for ONE connection from your Azure Subnet to your local subnet. Note: You could ‘hairpin’ multiple sites over this one tunnel, but that’s not ideal.

Configure Azure for ‘Route Based’ IPSec Site to Site VPN

You may already have Resource Groups and Virtual Networks setup, if so you can skip the first few steps.

Sign int0 Azure > All Services > Resource Groups > Create Resource Group > Give your Resource Group a name, and select a location > Create.

 

OK, if you’re used to networking this can be a little confusing, we are going to create a virtual network, and in it we are going to put a virtual subnet, (yes I know this is odd, bear with me!) It’s the ‘Subnet Name ‘and ‘address range‘ that things will actually connect to, (10.0.0.0/24).

All Services > Virtual Networks > Create Virtual Network > Give the Virtual Network a name, a subnet, select your resource group > Then create a Subnet, give it a name and a subnet > Create.

To further confuse all the network engineers, we now need to add another subnet, this one will be used by the ‘gateway’. If you are  a ‘networking type’ it’s part of the virtual network, but is more specific than the subnet you already created. 

With your virtual network selected >Subnets > +Gateway Subnet.

You can’t change the name, (you could before, then it wouldn’t work, which was strange, but I suppose it’s fixed now) >  put in another network that’s part of the Virtual-Network, but does not overlap with the subnet you created in the previous step > OK.

All Services > Virtual Network Gateways > Create Virtual Network Gateway > Name it > Route Based > Create New Public IP > Give it a Name > Create.

Note: This will take a while, go and put the kettle on! Make sure all running tasks and deployments are complete before continuing.

You can do the next two steps together, but I prefer to do then separately, or it will error if the first one does not complete!

Now you need to create a Local Security Gateway. (To represent your Cisco ASA). All Services > Local Security Gateway > Create Local Security Gateway > Name it > Supply the public IP > Supply the Subnet(s) ‘behind’ the ASA > Select your Resource Group > Create.

Finally create the VPN > Select your Virtual Network Gateway > Connections > Add.

Give the tunnel a name > Site-to-Site IPSec > Select your Local Network Gateway (ASA) > Create a pre-shared-key (you will need this for the ASA config!) > Select your Resource Group > OK.

Configure the Cisco ASA for ‘Policy Based’ Azure VPN

I’m using 9.9(2)36, VTIs are supported on 9.7, but as with all new things, I’d assume that was buggy and go for 9.8 or above.

To Avoid Emails:

What IP do I put on my Tunnel interface / Where do I get that from? Use whatever you want, NO it does not have to be on the same network as something in Azure, in fact I’m using an APIPA 169.254.x.x. address, and it works fine, (think of it like a local loopback address, though do note the difference to the last octet in the route statement!)

Where’s the Crypto Map? It doesn’t need one.

Do I need to do NAT Exemption? NO (Unless you were hair pinning a traditional VPN from another ASA into this tunnel, or an AnyConnect client VPN session.)

There’s No ACL to Allow the Traffic, or an Interesting Traffic ACL? That’s correct, you don’t need any, (unless you apply an access-list to the the tunnel interface).

Config

Connect to the ASA and create a set of IPSec and IKEv2 proposals

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
Petes-ASA(config-ipsec-proposal)# protocol esp encryption aes-256
Petes-ASA(config-ipsec-proposal)# protocol esp integrity sha-384 sha-256 sha-1
Petes-ASA(config-ipsec-proposal)# exit
Petes-ASA(config)# crypto ipsec profile AZURE-PROFILE
Petes-ASA(config-ipsec-profile)# set ikev2 ipsec-proposal AZURE-PROPOSAL
Petes-ASA(config-ipsec-profile)# exit
Petes-ASA(config)#

[/box]

Now create the VTI (Virtual Tunnel Interface) Note: 40.115.49.202 is the public IP address of the Virtual Network Gateway in Azure.

[box]

Petes-ASA(config)# Interface Tunnel1
Petes-ASA(config-if)# no shutdown
Petes-ASA(config-if)# nameif AZURE-VTI01
Petes-ASA(config-if)# ip address  169.254.225.1 255.255.255.252
Petes-ASA(config-if)# tunnel destination 40.115.49.202
Petes-ASA(config-if)# tunnel source interface outside
Petes-ASA(config-if)# tunnel protection ipsec profile AZURE-PROFILE
Petes-ASA(config-if)# tunnel mode ipsec ipv4
Petes-ASA(config-if)# exit

[/box]

Now create a group-policy and a tunnel-group, this is where you enter the pre-shared-key you created above.

[box]

Petes-ASA(config)# group-policy AZURE-GROUP-POLICY internal
Petes-ASA(config)# group-policy AZURE-GROUP-POLICY attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ikev2
Petes-ASA(config-group-policy)# exit
Petes-ASA(config)# tunnel-group 40.115.49.202 type ipsec-l2l
Petes-ASA(config)# tunnel-group 40.115.49.202 general-attributes
Petes-ASA(config-tunnel-general)# default-group-policy AZURE-GROUP-POLICY
Petes-ASA(config-tunnel-general)# tunnel-group 40.115.49.202 ipsec-attributes
Petes-ASA(config-tunnel-ipsec)# peer-id-validate nocheck
Petes-ASA(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key supersecretpassword
INFO: You must configure ikev2 remote-authentication pre-shared-key
      and/or certificate to complete authentication.
Petes-ASA(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key supersecretpassword
Petes-ASA(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
Petes-ASA(config-tunnel-ipsec)# exit
Petes-ASA(config)#

[/box]

Enable ISAKMP (version 2) on the outside interface, then configure the parameters that it will use.

Note: If your outside interface is called something else like Outside or WAN substitute that!

[box]

Petes-ASA(config)# crypto ikev2 enable outside
Petes-ASA(config)# crypto ikev2 notify invalid-selectors
Petes-ASA(config)# crypto ikev2 policy 10
Petes-ASA(config-ikev2-policy)#  encryption aes-256
Petes-ASA(config-ikev2-policy)#  integrity sha256
Petes-ASA(config-ikev2-policy)#  group 2
Petes-ASA(config-ikev2-policy)#  prf sha
Petes-ASA(config-ikev2-policy)#  lifetime seconds 28800
Petes-ASA(config-ikev2-policy)#  exit
Petes-ASA(config)#  crypto ikev2 policy 20
Petes-ASA(config-ikev2-policy)#  encryption aes-256
Petes-ASA(config-ikev2-policy)#  integrity sha
Petes-ASA(config-ikev2-policy)#  group 2
Petes-ASA(config-ikev2-policy)#  prf sha
Petes-ASA(config-ikev2-policy)#  lifetime seconds 28800
Petes-ASA(config-ikev2-policy)#  exit
Petes-ASA(config)#

[/box]

There are a couple of extra commands you will need, these are sysops commands. Their purpose is to set things globally, and are generally hidden from the config, (i.e ‘show run’ wont show them). These are recommendations from Azure. The first one drops the maximum segment size to 1350.The second command keeps the TCP session information even if the VPN tunnel drops.

[box]

Petes-ASA(config)# sysopt connection tcpmss 1350
Petes-ASA(config)# sysopt connection preserve-vpn-flows
Petes-ASA(config)# exit

[/box]

The last thing to do, is tell the firewall to ‘route’ the traffic for Azure though the VTI. Note: The last octet in the destination IP is different from the VTI IP!

[box]

Petes-ASA(config)# route AZURE-VTI01 10.0.0.0 255.255.255.0 169.254.225.2 1

[/box]

Whole Config For You to Copy and Paste, (I’m good to you guys!)

Take note/change the values in red accordingly;

[box]

!
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-384 sha-256 sha-1
!
crypto ipsec profile AZURE-PROFILE
set ikev2 ipsec-proposal AZURE-PROPOSAL
!
Interface Tunnel1
no shutdown
nameif AZURE-VTI01
ip address  169.254.225.1 255.255.255.252
tunnel destination 40.115.49.202
tunnel source interface outside
tunnel protection ipsec profile AZURE-PROFILE
tunnel mode ipsec ipv4
!
group-policy AZURE-GROUP-POLICY internal
group-policy AZURE-GROUP-POLICY attributes
vpn-tunnel-protocol ikev2
!
tunnel-group 40.115.49.202 type ipsec-l2l
tunnel-group 40.115.49.202 general-attributes
default-group-policy AZURE-GROUP-POLICY
tunnel-group 40.115.49.202 ipsec-attributes
peer-id-validate nocheck
ikev2 local-authentication pre-shared-key supersecretpassword
ikev2 remote-authentication pre-shared-key supersecretpassword
isakmp keepalive threshold 10 retry 2
!
route AZURE-VTI01 10.0.0.0 255.255.255.0 169.254.225.2 1
!
crypto ikev2 enable outside
crypto ikev2 notify invalid-selectors
!
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
!
crypto ikev2 policy 10
  encryption aes-256
  integrity sha256
  group 2
  prf sha
  lifetime seconds 28800
crypto ikev2 policy 20
  encryption aes-256
  integrity sha
  group 2
  prf sha
  lifetime seconds 28800
!

[/box]

 

Testing Azure to Cisco ASA VPN

To test we usually use ‘ping’, the problem with that is, if you are using Windows Servers they will have their Windows firewall on by default, which blocks pings, (bear this in mind when testing). Also your ASA needs to be setup to allow pings, (try pinging 8.8.8.8 that usually responds), if yours doesn’t then configure your ASA to allow ping traffic.

As mentioned above, you might want to turn the firewalls off to test.

On the ASA the first thing to make sure is that the Tunnel Interface is up!

[box]

Petes-ASA# show interface tunnel 1
Interface Tunnel1 "AZURE-VTI01", is up, line protocol is up
  Hardware is Virtual Tunnel	MAC address N/A, MTU 1500
	IP address 169.254.225.1, subnet mask 255.255.255.252
  Tunnel Interface Information:
	Source interface: outside	IP address: 126.63.123.43
	Destination IP address: 40.115.49.202
	Mode: ipsec ipv4	IPsec profile: AZURE-PROFILE

[/box]

You can also use the following;

[box]

Petes-ASA# show crypto ikev2 sa

IKEv2 SAs:

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
268975001 123.123.12.1/500                                    40.115.49.202/500                                        READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/814 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x7b10e41a/0xfcb4576a

[/box]

Thats Phase 1 connected, you will also need to check Phase 2

[box]

Petes-ASA(config)# show crypto ipsec sa
interface: AZURE-VTI01
    Crypto map tag: __vti-crypto-map-11-0-1, seq num: 65280, local addr: 82.21.58.194

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 40.115.49.202


      #pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
      #pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 32, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 123.123.123/500, remote crypto endpt.: 40.115.49.202/500
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: DA3A1C28
      current inbound spi : B562D9C6

    inbound esp sas:
      spi: 0xB562D9C6 (3043154374)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, VTI, }
         slot: 0, conn_id: 11, crypto-map: __vti-crypto-map-11-0-1
         sa timing: remaining key lifetime (kB/sec): (3962877/28755)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x000003FF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xDA3A1C28 (3661241384)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, VTI, }
         slot: 0, conn_id: 11, crypto-map: __vti-crypto-map-11-0-1
         sa timing: remaining key lifetime (kB/sec): (4193277/28755)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Petes-ASA(config)#

[/box]

Related Articles, References, Credits, or External Links

Microsoft Azure To Cisco ASA Site to Site VPN

Microsoft Azure To Cisco ISR Router Site to Site VPN

Azure to Cisco VPN – ‘Failed to allocate PSH from platform’

Cisco – Cracking and Decrypting Passwords (Type 7 and Type 5)

KB ID 0000940 

Problem

Decrypt Type 7 Cisco Passwords

The Internet is full of sites that have something like the tool below, tap your ‘encrypted’ password in and it will reveal the Cisco password.

 

Input Type 7 Obfuscated Password: Output Plain Text Password:

As you can see I’ve specifically written ‘obfuscated’ above, because the password isn’t actually encrypted at all. All that happens is the Vigenere algorithm is used to obfuscate the password. While tools like the one above are all well and good, your Cisco router will do exactly the same for you, to demonstrate, paste the following into the tool above.

107D1C09560521580F16693F14082026351C1512

Hopefully you will get the password Sup3rS3cr#tP@ssword.

Your router can also convert that to clear text for you;

[box]

Petes-Router#
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#key chain decrypt
Petes-Router(config-keychain)#key 0
Petes-Router(config-keychain-key)#key-string 7 107D1C09560521580F16693F14082026351C1512
Petes-Router(config-keychain-key)#exit
Petes-Router(config-keychain)#exit
Petes-Router(config)#exit
Petes-Router#
*Mar 1 00:04:48.691: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#show key chain decrypt
Key-chain decrypt:
key 0 -- text "Sup3rS3cr#tP@ssword"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#no key chain decrypt

[/box]

So whats the point of these type 7 passwords? Well the only real benefit of them is if someone is looking over your shoulder while you are looking at the config, they can’t see actual passwords in the config.

The passwords in my config are in clear text? That’s because there are three levels of password storage 0 (not encrypted), 7 (weakly encrypted), and (5 strongly encrypted). If you want to convert your config to display them as 7 you need to enter the service password-encryption command;

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#service password-encryption
Petes-Router(config)#

Before

username pete password 0 Password123

After

username pete password 7 142713181F13253920796166

[/box]

If Type 7 passwords are so weak, how do I use Type 5 passwords? When creating accounts use the secret command like so;

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#username petelong secret Password123
Petes-Router(config)#

Displays in the config as;

username petelong secret 5 $1$VkQd$Vma3sR7B1LL.v5lgy1NYc/

[/box]

Decrypting Type 5 Cisco Passwords

 

Decrypting a Type 5 Cisco password is an entirely different ball game, they are considered ‘secure’ because they are ‘salted’ (have some random text added to the password to create an MD5 hash) however that random salt is shown in the config.

[box]

username attackme secret 5 $1$TMnL$iAFs16ZXx7x18vR1DeIp6/

[/box]

Well armed with the salt and the hash, we can use exactly the same method that Cisco use to create the encrypted password, by brute force attacking the password, this might sound like a difficult piece of hacking ninja skill, but we simply use openssl on a Linux box (here I’m using CentOS 6.5), all you need is a wordlist.txt file (search the Internet).

Feed openssl the salt, and a piece of the hash (see the example above), and it will run through, (grep) the wordlist until it finds a match, where it spits out the decrypted password an the original hash like so;

[box]

[root@pnl-server1 ~]# openssl passwd -1 -salt TMnL -table -in wordlist.txt | grep 8vR1DeIp6
SECRETPASSWORD $1$TMnL$iAFs16ZXx7x18vR1DeIp6/
[root@pnl-server1 ~]#

[/box]

The decrypted password is SECRETPASSWORD

Note: The limitation here is the password has to be in the wordlist.txt file,but if you are adept at searching the Internet there are some impressive wordlist files out there, just make sure you use one that has full line breaks. Also remember, the longer the wordlist, the longer it takes.

Related Articles, References, Credits, or External Links

NA

CentOS – Install and Configure a TFTP Server

KB ID 0000998

Problem

I needed to back up a Cisco firewall, and perform an upgrade remotely, despite my best efforts to use the ASDM and update via http, I had to go ‘old school’ and bring up a TFTP server on one of my CentOS Linux servers.

Solution

1. Log onto the server and install the xinetd TFTP Server. Execute the following command and follow the on-screen prompts.

[box]Using username “root”.
Last login: Thu Aug 7 17:58:10 2014 from midd-8.cable.virginm.net
[root@Web-Test ~]# yum install tftp tftp-server xinetd[/box]

2. Now you need to edit the config file, here I’m using nano, but you could use vi as well.

[box][root@Web-Test ~]# nano /etc/xinetd.d/tftp[/box]

3. When you open the file it will look like this;

[box]

# default: off
# description: The tftp server serves files using the trivial file transfer
#       protocol.  The tftp protocol is often used to boot diskless
#       workstations, download configuration files to network-aware printers,
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /var/lib/tftpboot
        disable                 = yes
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}  

[/box]

4. Edit the file and save it, so it looks like this;

[box]

# default: off
# description: The tftp server serves files using the trivial file transfer
#       protocol.  The tftp protocol is often used to boot diskless
#       workstations, download configuration files to network-aware printers,
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -c -s /var/lib/tftpboot
        disable                 = no
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}

[/box]

5. Set the permissions on the tftp folder.

[box][root@Web-Test ~]# chmod 777 /var/lib/tftpboot[/box]

Note: if you run SELinux you may also need to execute the following command, ‘setsebool -P tftp_anon_write 1‘.

WARNINIG: This enables anonymous access on the TFTP root folder, if your server is public facing and not firewalled, then I would suggest you do what I do, (stop and start the service manually, and only open the firewall for TFTP when you need to use it – see below).

6. If you use iptables as a firewall, you will need to open the TFTP port (UDP Port 69).

[box][root@Web-Test ~]# iptables -I INPUT -p udp –dport 69 -j ACCEPT[/box]

7. Start the xinetd service.

[box][root@Web-Test ~]# /etc/init.d/xinetd start
Starting xinetd:[ OK ][/box]

8. If you want the service to always be running, (see my warning above) then use the following command.

[box][root@Web-Test ~]# chkconfig xinetd on[/box]

9. Let’s give it a test, from my Cisco device lets see if I can backup the config to this server.

[box]

Petes-ASA# copy run tftp

Source filename [running-config]?

Address or name of remote host []? 123.123.123.123

Destination filename [running-config]?
Cryptochecksum: 9d4006ed 0bb1d39c fe61da22 91222a76
!!!
9284 bytes copied in 2.130 secs (4642 bytes/sec)
Petes-ASA#

[/box]

10. I could SSH into the server and change to the /var/lib/tftpboot directory and see the file. But I’ve got WinSCP installed so I can view the backup with that.

11. Let’s see if we can copy a file off the TFTP server back to the firewall.

[box]

Petes-ASA# copy tftp flash

Address or name of remote host []? 123.123.123.123

Source filename []? asa915-k8.bin

Destination filename [asa915-k8.bin]?

Accessing tftp://123.123.123.123/asa915k8.bin…!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa915-k8.bin…
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27113472 bytes copied in 845.110 secs (32086 bytes/sec)
Petes-ASA#

[/box]

12. Now unless you are leaving xinetd running lets turn it off.

[box][root@Web-Test ~]# /etc/init.d/xinetd stop
Stopping xinetd: [ OK ][/box]

13. If you are running iptables and have opened the TFTP port I like to close that as well.

Note: It its possible to see that that port is open even if there is no service running on it, that’s why I close it down.

[box][root@Web-Test ~]# iptables -D INPUT -p udp –dport 69 -j ACCEPT[/box]

Related Articles, References, Credits, or External Links

NA

 

Replace an ASA 5505 with an ASA 5506-X

KB ID 0001091 

Problem

Given the amount of ASA work I do it’s surprising that the first time I saw an ASA 5506-X was last week (I’ve been working on larger firewalls for a while). I’m probably going to have to do a few of these over the next couple of years so I’ll update this article as things surface.

Solution

Q: Can I just copy the config from an ASA 5505 to an ASA 5506-X?

A: No, that would be nice, truth be told if the 5505 is running an OS newer than 8.3, about 90% of the config can be copy/pasted if you know what you are doing.

The ASA 5506 Interfaces are different.

  • Unlike its predecessor (and just about all other Cisco equipment), the interfaces start at number 1 (the 5505 starts at 0).
  • The 5506 Interfaces are the opposite way round (left to right).
  • The 5506 has IP addresses applied to its physical interfaces. Where as the 5505 had IP addresses applied to VLANs and then the physical interfaces were added to the appropriate VLAN. Note: the 5506 still supports VLANs, (5 or 30 with a security plus license).*

*UPDATE: After version 9.7 This has changed (on the 5506-X) See the following article for an explanation;

Cisco ASA 5506-X: Bridged BVI Interface

So let’s say your 5505 has three interfaces called inside, outside, and DMZ, (yours might have different names, and you may only have two,) the relevant parts of the 5505 config would be;

[box]

 ASA 5505 VLAN and Physical Interface configuration

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
 !
 interface Vlan2
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.252
 !
 interface Vlan3
 nameif DMZ
 security-level 50
 ip address 10.0.0.1 255.0.0.0
 !
 interface Ethernet0/0
 switchport access vlan 2
 !
 interface Ethernet0/1
 !
 interface Ethernet0/2
 switchport access vlan 3
 !
 interface Ethernet0/3
 !
 interface Ethernet0/4
 !
 interface Ethernet0/5
 !
 interface Ethernet0/6
 !
 interface Ethernet0/7
 !

[/box]

VLAN Note: You might be wondering why no ports have been put into VLAN 1? By default all ports are in VLAN 1, So above, ports 0/1 and 0/3 to 0/7 are all in VLAN 1.

Outside IP Note: Yours may say ‘dhcp setroute’ if it does not have a static IP , that’s fine.

To convert that (Assuming you are NOT going to use the BVI interface, (see link above!);

[box]

ASA 5506-X Physical Interface configuration

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.252
 !
 interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
 !
 interface GigabitEthernet1/3
 nameif DMZ
 security-level 50
 ip address 10.0.0.1 255.0.0.0
 !

[/box]

AnyConnect Has Changed

If you use AnyConnect then prepare for a little hand wringing. The 5505 could support up to 25 SSL VPN connections. On a 5506 they are actually called AnyConnect now, and it supports up to 50.

There is no Essentials license for a 5506-X! Don’t bother looking, you need to get your head into AnyConnect 4 licensing, I’ve already written about that at length.

AnyConnect 4 – Plus and Apex Licensing Explained

Q: Does this mean I can’t use my AnyConnect 3 (or earlier) packages in the new 5506?

A: Yes you can, but you will only get two connections, unless you purchase additional Apex/Plus licensing.

I’m working on the assumption that we are going to load in the AnyConnect 4 packages and use those. With that in mind if anyone manages to get them added to their Cisco profile without the ‘Additional Entitlement Required’ then contact me, and let me know how, (link at bottom). I have to ring Cisco and use my employers partner status to get the client software 🙁

In addition to getting new AnyConnect Packages and loading them into the new 5506. If you have an anyconnect XML profile, that will also need copying into the new firewalls flash drive before you can paste the AnyConnect settings in.

Below you can see I’ve got a profile on my 5505.

Tools > File Transfer > File Transfer > Between Local PC and Flash. (Do the reverse to get the file(s) into the new 5506).

Note: You can also do this from CLI by copying the file to a TFTP server.

Below is a typical AnyConnect config from an ASA 5505, I’ve highlighted the lines that will cause you problems.

[box]

ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
!
webvpn
 enable outside
 anyconnect-essentials <-REMOVE THIS IT'S OBSOLETE
 anyconnect-win-3.1.05152-k9.pkg 1 <-REPLACE WITH ANYCONNECT 4
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.04063-k9.pkg 2 <-REPLACE WITH ANYCONNECT 4 
 anyconnect profiles SSL-VPN-POLICY disk0:/PeteNetLive-Profile.xml <-COPY OVER FIRST
 anyconnect enable
 tunnel-group-list enable
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
!

group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.10 10.0.0.11
 wins-server none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 split-tunnel-all-dns enable
 webvpn
  anyconnect profiles value SSL-VPN-POLICY type user
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
 address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET
 OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!

[/box]

ASA Transferring Certificates From One ASA to Another

I appreciate a lot of you wont be using certificates, and even if you use AnyConnect you just put up with the certificate error. That’s fine, but do me a favor? Before you do anything else go and generate the RSA keys on your new 5506 before you do anything else, (people forgetting to do this has cause me a LOT of grief over the years). So set the host name, domain-name, and then generate the keys like so;

[box]

ciscoasa# configure terminal
Petes-ASA(config)# hostname Petes-ASA
Petes-ASA(config)# domain-name petenetlive.com
Petes-ASA(config)# crypto key generate rsa modulus 2048

INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
Petes-ASA(config)# 

[/box]

OK, so if you are still reading this section, then you have at least one certificate, that you need to move to the new firewall. For each scenario here’s what I recommend you do;

Self Signed Certificate from your own PKI / CA Server : Just generate a new cert for the new firewall and import it the same as you did on the old firewall

Externally / Publicly signed certificate that you have paid for: This we will need to export then import onto the new 5506. (Note: If there’s not much time left to run on the validity, it may be easier to get onto the certificate vendor and have a new one reissued to save you having to replace it in a couple of months – just a thought).

If you have purchased a certificate you will have already gone though the process below;

Cisco ASA 5500 – Using a Third Party Digital Certificate

The easiest option for you is to go where you purchased the cert, download it again, and import it into the new firewall. But here’s where you find out you forgot the username and password you used, or the guy who sorted this out has left the company etc. If that is the case all is not lost. You can export an identity certificate, either from the ADSM;

Cisco ASA Export Certificates From ASDM

Configuration > Device Management > Certificate Management > Identity Certificates > Select the certificate > Export > Choose a location and a ‘pass-phrase’.

Cisco ASA Export Certificates From Command Line.

To do the same at CLI the procedure is as follows;

[box]

Get Your Trustpoint(s) Names


Petes-ASA# show crypto ca trustpoints 

Trustpoint ASDM_TrustPoint0:
    Not authenticated.

Trustpoint PNL-Trustpoint-1:
    Subject Name:
    cn=PNL-DC-PROD-CA
    dc=petenetlive
    dc=com
          Serial Number: 5ec427e4910fa2bf47e1269e7fdd7081
    Certificate configured.

Then Export the Certificate(s) for that Trustpoint

Petes-ASA# configure terminal
Petes-ASA(config)# crypto ca export PNL-Trustpoint-1 pkcs12 Password123

Exported pkcs12 follows:
-----BEGIN PKCS12-----
MIISXwIBAzCCEhkGCSqGSIb3DQEHAaCCEgoEghIGMIISAjCCEf4GCSqGSIb3DQEH
BqCCEe8wghHrAgEAMIIR5AYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQId/f5

{{{{{{{LOTS OF OUTPUT REMOVED FOR THE SAKE OF BREVITY}}}}}}}}}}}

mLt/6QKDVig6ofxrnvP0tbh9Jmjwe4NkTsJUb+H+7JGvJoUsMD0wITAJBgUrDgMC
GgUABBRCPROoZsdSBfIpwVmvfSSoOxzNCAQUWJ/J9hTkuNd92u4Z3owgrrO3cYIC
AgQA
-----END PKCS12-----
Petes-ASA(config)#  

[/box]

Cisco ASA Import Certificates From ASDM

Configuration > Device Management > Certificate Management > Identity Certificates > Add > Use the same Trustpoint name as the source firewall > Browse the file you exported earlier > Enter the passphrase > Add Certificate.

Cisco ASA Import Certificates From Command Line.

To do the same at CLI the procedure is as follows, Note: You need to paste in the text from the output.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# crypto ca import PNL-Trustpoint-1 pkcs12 Password123

Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
MIISXwIBAzCCEhkGCSqGSIb3DQEHAaCCEgoEghIGMIISAjCCEf4GCSqGSIb3DQEH
BqCCEe8wghHrAgEAMIIR5AYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQId/f5

{{{{{{{LOTS OF OUTPUT REMOVED FOR THE SAKE OF BREVITY}}}}}}}}}}}

mLt/6QKDVig6ofxrnvP0tbh9Jmjwe4NkTsJUb+H+7JGvJoUsMD0wITAJBgUrDgMC
GgUABBRCPROoZsdSBfIpwVmvfSSoOxzNCAQUWJ/J9hTkuNd92u4Z3owgrrO3cYIC
AgQA
-----END PKCS12-----
quit

INFO: Import PKCS12 operation completed successfully
Petes-ASA(config)#  

[/box]

 

Assorted Firewall Migration ‘Gotchas’

Time (Clock Setting)

If you do any AAA via Kerberos or LDAP, then not having the time correct on the new ASA might get you locked out of it. I would always suggest setting up NTP so do that before you restart.

Cisco ASA – Configuring for NTP

ARP Cache

Not on the ASA, but on the devices the ASA is connecting to, (routers and switches etc). Unplug an ASA 5505 and plug in an ASA 5506, and nine times out of ten you will not get comms. This is because the device you are connecting to has cached the MAC address of the old firewall in its ARP cache. So either reboot the device, (or it thats not practical, lower the ARP cache to about 30 seconds).

 

ASA 5505 to 5506 Config To Copy And Paste

Below I’ll put a full config for an ASA 5505. If the text is normal,the commands can be copy and pasted directly into the new firewall. If the text is RED, then you can NOT, and I will have outlined the problems above.

 

[box]

hostname Petes-ASA
 domain-name petenetlive.com
 enable password H4ejVQF2DI/W9sLZ encrypted
 xlate per-session deny tcp any4 any4
 xlate per-session deny tcp any4 any6
 xlate per-session deny tcp any6 any4
 xlate per-session deny tcp any6 any6
 xlate per-session deny udp any4 any4 eq domain
 xlate per-session deny udp any4 any6 eq domain
 xlate per-session deny udp any6 any4 eq domain
 xlate per-session deny udp any6 any6 eq domain
 passwd 2GFQnbJIdI.2KYOU encrypted
 names
 !
 interface Ethernet0/0
 switchport access vlan 2
 !
 interface Ethernet0/1
 !
 interface Ethernet0/2
 switchport access vlan 12
 !
 interface Ethernet0/3
 !
 interface Ethernet0/4
 !
 interface Ethernet0/5
 !
 interface Ethernet0/6
 !
 interface Ethernet0/7<
 !
 interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 !
 interface Vlan2
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.252
 !
 DONT COPY OVER THE BOOT SYSTEM PATHS FROM THE OLD FIREWALL
 !
 boot system disk0:/asa903-6-k8.bin
 boot system disk0:/asa902-k8.bin
 ! 
 ftp mode passive
 clock timezone GMT/BST 0
 clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
 dns server-group DefaultDNS
 domain-name petenetlive.com
 same-security-traffic permit inter-interface
 same-security-traffic permit intra-interface
 !
 NOTE ALL THE OBJECTS AND OBJECT GROUPS CAN BE COPIED OVER
 !
 object network obj_any
 subnet 0.0.0.0 0.0.0.0
 object network Obj-INT-Server1
 host 192.168.1.10
 object network Obj-Ext-Public_1
 host 123.123.123.124
 object network VPN_Pool
 subnet 10.253.253.0 255.255.255.0
 object service Obj-ApplicationX-Ports-TCP
 service tcp destination eq 1234
 object-group icmp-type Obj-ICMP
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
 !
 NOTE ALL THE ACCESS-LISTS CAN BE COPIED OVER
 !
 access-list inbound remark traffic allowed to Server1
 access-list inbound extended permit tcp any object Obj-INT-Server1 object-group Obj-ApplicationX-Ports-TCP
 access-list inbound extended deny ip any any log disable
 access-list outbound remark traffic allowed from Server1
 access-list outbound extended permit ip object Obj-INT-Server1 any
 access-list outbound extended deny ip any any log disable
 !
 no pager
 logging enable
 logging asdm debugging
 logging mail critical
 logging from-address netalerts@petenetlive.com
 logging recipient-address externalalert@petenetlive.com level critical
 mtu inside 1500
 mtu outside 1500
 ip local VPN-POOL 10.253.253.1-10.253.253.50 mask 255.255.255.128
 !
 IF YOU EXECUTE A NO FAILOVER IT WILL COMPLAIN IF YOU DON'T HAVE A FAILOVER LICENCE
 !
 no failover
 ! 
 icmp unreachable rate-limit 50 burst-size 10
 icmp permit any inside
 icmp permit any outside
 no asdm history enable
 arp timeout 14400
 no arp permit-nonconnected 
 !
 NAT COMMANDS ARE FINE IF THE SOURCE IS NEWER THAN VERSION 8.3
 !
 nat (inside,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
 !
 object network obj_any
 nat (inside,outside) dynamic interface
 object network Obj-INT-Server1
 nat (inside,outside) static Obj-Ext-Public_1
 !
 access-group inbound in interface inside
 access-group outbound in interface outside<
 !
 route outside 0.0.0.0 0.0.0.0 123.123.123.124 1
 route inside 192.168.1.0 255.255.255.0 192.168.1.50 1
 timeout xlate 3:00:00
 timeout pat-xlate 0:00:30
 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
 timeout tcp-proxy-reassembly 0:01:00
 timeout floating-conn 0:00:00
 dynamic-access-policy-record DfltAccessPolicy
 !
 aaa-server AD protocol kerberos
 aaa-server AD (Inside) host 192.168.1.10
 kerberos-realm PETENETLIVE.COM
 aaa-server AD (Inside) host 192.168.1.11
 kerberos-realm PETENETLIVE.COM
 aaa-server AD-LDAP protocol ldap
 aaa-server AD-LDAP (Inside) host 192.168.1.10
 server-port 636
 ldap-base-dn OU=Users, OU=PETENETLIVE, DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password Password123
 ldap-login-dn cn=ciscoasa, OU=Service Accounts, OU=Service, DC=petenetlive, DC=com
 ldap-over-ssl enable
 server-type microsoft
 ! 
 user-identity default-domain LOCAL
 aaa authentication enable console LOCAL 
 aaa authentication http console LOCAL 
 aaa authentication ssh console LOCAL 
 aaa authentication telnet console LOCAL 
 aaa authentication serial console LOCAL 
 http server enable 2456
 http 192.168.1.0 255.255.255.0 inside
 http 245.245.245.0 255.255.255.0 outside
 no snmp-server location
 no snmp-server contact
 snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
 sysopt noproxyarp inside 
 sysopt connection tcpmss 0
 crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
 crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
 crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
 crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
 crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
 crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
 crypto map outside_map interface outside
 crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
 crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
 crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
 crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
 crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
 crypto ikev2 enable outside client-services port 443
 crypto ikev1 enable outside
 crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
 crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
 crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
 !
 crypto ca trustpoint PNL-Trustpoint-1
 enrollment terminal
 fqdn remote.petenetlive.com
 subject-name CN=remote.petenetlive.com,OU=IS,O=PeteNetLive,C=GB,St=Teesside,
 L=Middlesbrough,EA=admin@petenetlive.com!
 keypair PNL-NEW-KEYPAIR
 crl configure
 crypto ca trustpool policy
 crypto ca certificate chain ASDM_TrustPoint1
 certificate ca 33f5d6ed96a558bc45f43f6c9b8fd82d
 30820397 3083027f a0030201 02021033 f5d6ed96 a558bc45 f43f6c9b 8fd82d30 
 0d06092a 864886f7 0d010105 05003052 31133011 060a0992 268993f2 2c640119 
 16036e65 74311b30 19060a09 92268993 f22c6401 19160b70 6574656e 65746c69 
 7665311e 301c0603 55040313 15706574 656e6574 6c697665 2d504e4c 2d44432d 
 4341301e 170d3133 31313131 31313135 30305a17 0d323331 31313131 31323530 
 305a3052 31133011 060a0992 268993f2 2c640119 16036e65 74311b30 19060a09 
 92268993 f22c6401 19160b70 6574656e 65746c69 7665311e 301c0603 55040313 
 15706574 656e6574 6c697665 2d504e4c 2d44432d 43413082 0122300d 06092a86 
 4886f70d 01010105 00038201 0f003082 010a0282 010100c8 2d21e8cb 317741d7 
 e4eb4af4 2561f92a efec293a 9202bc38 e9d25eb7 3a0ff9e0 7c7ee9b3 8e76f328 
 df115581 3f70ac45 91b402b4 dba25c80 6dee49da eb904bda f2fbb21f 5661ba2a 
 81f9cd37 87d87811 05cce829 8112495b 0587b272 12b6d3c1 107d9529 e860900b 
 947af212 0b72eb0e de2f5891 87be7172 1fc02f38 ba82d0c9 ec3351b2 c6fe216a 
 0f674e81 608ba7f9 5fd9343a 4d815a12 0dbc0747 854211ba c0a32cdb 18fe8a92 
 bc5dd319 f4fba969 ed95c7d6 a51620f3 d3510b56 17471ece 89c2393d c14b42b9 
 2d4fc2c5 7f47b9b0 c4645c60 00d02e1c e54669b9 e54d0d49 1b6a4a09 e5f1ad5c 
 e2f901d9 b679ef5a 27de98bf 089c79b4 6723295a 436db902 03010001 a3693067 
 30130609 2b060104 01823714 0204061e 04004300 41300e06 03551d0f 0101ff04 
 04030201 86300f06 03551d13 0101ff04 05300301 01ff301d 0603551d 0e041604 
 146baa8b 30599cfb d5a0b40a 33a9c296 f4f24ec2 80301006 092b0601 04018237 
 15010403 02010030 0d06092a 864886f7 0d010105 05000382 0101007a d4edaf88 
 6bd0d3d5 916c9c1c 3d67d551 f78b41f6 75740965 f6dca8df 30878d56 65b900c8 
 cb27aa65 9092c9f0 c3bdc080 ded23cb0 10715db9 af8cd39c 5416d8d2 a0ee7ae2 
 ceb09be7 145a0969 1bf672db e0c532d2 26a27e8a f897f474 e9e638e1 bf12e385 
 3bb9af1e bdaadecd cbcf5a61 23c5b68f a040a5e0 70150541 d190eeef 3d72d702 
 b0d9d3fa 0241802a b87505c6 a217c714 e9f55692 b9bdd84f 25351f18 35bf53c1 
 b24d10be 876ef392 c971dee4 10a5d244 d08624eb 6d29975a 2f35e3d1 38260a1d 
 51e6b661 f0c709a7 0e072039 530a26b8 78d00f22 a754c0f7 90fb58a0 5d564259 
 ceafe29f 22e95391 7ea10a81 629f384c 7ed8d009 02f65068 e93ff0
 quit
 crypto ca certificate chain PNL-Trustpoint-1
 certificate 1a000000056df312597af00c80000000000005
 3082062a 30820512 a0030201 0202131a 00000005 6df31259 7af00c80 00000000 
 0005300d 06092a86 4886f70d 01010505 00304b31 13301106 0a099226 8993f22c 
 64011916 03636f6d 311b3019 060a0992 268993f2 2c640119 160b7065 74656e65 
 746c6976 65311730 15060355 0403130e 504e4c2d 44432d50 524f442d 4341301e 
 170d3135 30363135 31353131 32325a17 0d313730 36313531 35323132 325a3081 
 c9312530 2306092a 864886f7 0d010902 13167265 6d6f7465 2e706574 656e6574 
 6c697665 2e636f6d 310b3009 06035504 06130247 42311130 0f060355 04081308 
 54656573 73696465 31163014 06035504 07130d4d 6964646c 65736272 6f756768 
 31143012 06035504 0a130b50 6574654e 65744c69 7665310b 30090603 55040b13 
 02495331 1f301d06 03550403 13167265 6d6f7465 2e706574 656e6574 6c697665 
 2e636f6d 31243022 06092a86 4886f70d 01090116 1561646d 696e4070 6574656e 
 65746c69 76652e63 6f6d3082 0122300d 06092a86 4886f70d 01010105 00038201 
 0f003082 010a0282 010100ed 6403f970 5c3d8f90 c106cc7a 85b69965 05ac5a50 
 2f3f0351 984e28aa d68d1f28 88d44ae6 99997b06 cc7ca9a0 573db801 d8277276 
 b6e7d7a7 6863da35 29156dcd fbe063f2 9855bf75 b5529c22 ecbd87f0 9be50cc4 
 cf5d245f 9e7b4443 6e8afe02 9442f79d 16f0d4e6 09cdb3f4 0771173d 707a0cae 
 9facd254 a9ba4401 d3ce14fe 1ecee991 b83f7ca8 f11f549f b4b0f302 6d09eec7 
 b522d7b7 97af7648 a2f99b93 207c3f0c 62800df7 532478ad 9020c6e6 87fb956c 
 d20289f6 68efe7ff a7914fea 7b28d9f4 e8504c40 48f65d88 dffcfa3e 5ecbc50a 
 b28b07dc 792ce53d 0475ef96 12c3d402 d2ad7fcb b1099266 1fb5087b 71910dd4 
 d0b33dcf 7cc585c7 af0b4702 03010001 a3820286 30820282 300e0603 551d0f01 
 01ff0404 030205a0 30210603 551d1104 1a301882 1672656d 6f74652e 70657465 
 6e65746c 6976652e 636f6d30 1d060355 1d0e0416 0414e3d5 5aaa3004 d607bd3f 
 13384329 1acf7f21 92f3301f 0603551d 23041830 16801495 d2ae01e1 45769582 
 39b946bf a2799ccd c5d28a30 81d40603 551d1f04 81cc3081 c93081c6 a081c3a0 
 81c08681 bd6c6461 703a2f2f 2f434e3d 504e4c2d 44432d50 524f442d 43412c43 
 4e3d504e 4c2d4443 2d50524f 442c434e 3d434450 2c434e3d 5075626c 69632532 
 304b6579 25323053 65727669 6365732c 434e3d53 65727669 6365732c 434e3d43 
 6f6e6669 67757261 74696f6e 2c44433d 70657465 6e65746c 6976652c 44433d63 
 6f6d3f63 65727469 66696361 74655265 766f6361 74696f6e 4c697374 3f626173 
 653f6f62 6a656374 436c6173 733d6352 4c446973 74726962 7574696f 6e506f69 
 6e743081 c406082b 06010505 07010104 81b73081 b43081b1 06082b06 01050507 
 30028681 a46c6461 703a2f2f 2f434e3d 504e4c2d 44432d50 524f442d 43412c43 
 4e3d4149 412c434e 3d507562 6c696325 32304b65 79253230 53657276 69636573 
 2c434e3d 53657276 69636573 2c434e3d 436f6e66 69677572 6174696f 6e2c4443 
 3d706574 656e6574 6c697665 2c44433d 636f6d3f 63414365 72746966 69636174 
 653f6261 73653f6f 626a6563 74436c61 73733d63 65727469 66696361 74696f6e 
 41757468 6f726974 79303d06 092b0601 04018237 15070430 302e0626 2b060104 
 01823715 0885fbfb 0d83ea8c 0c83e187 2282c9d9 5783d9e2 675c86b2 fd3486f3 
 8d1b0201 64020104 30130603 551d2504 0c300a06 082b0601 05050703 01301b06 
 092b0601 04018237 150a040e 300c300a 06082b06 01050507 0301300d 06092a86 
 4886f70d 01010505 00038201 01002154 6bf54ea2 23a10a75 77df1b15 65c4c2b9 
 f17ff795 1cc28834 f41e6d88 3e03f18a 6e2bdc05 f1da80b3 10ccf096 eeec10c4 
 07dccb0a 0791a99f afda01ac 6cc7d985 82060c56 9e871a56 136805b3 7c277162 
 ae034197 addfe623 2bb814dd a401b053 b44fd7a6 302237ac f5bcc024 a25d3f84 
 d8d3ecb4 de0d9c7e 51e56c95 5e2ebf7a fee86ac6 26dcbaf8 09e4864f f3956447 
 398ed790 8cba02c3 bddca424 3777d625 3e39ed27 8b2778b8 20414b5d 30d1b20a 
 ee1e2771 deea6f40 e2ed07de 8e66e2b6 651d7b19 4f3594d6 8acc0713 fd4436cc 
 c38e9f92 b0ebc89a f39c599d 28a23040 d46dd8ad 80fec713 d38987f5 0c473098 
 5584e2de 3a1be0e3 72c24d48 90de
 quit
 certificate ca 5ec427e4910fa2bf47e1269e7fdd7081
 30820371 30820259 a0030201 0202105e c427e491 0fa2bf47 e1269e7f dd708130 
 0d06092a 864886f7 0d010105 0500304b 31133011 060a0992 268993f2 2c640119 
 1603636f 6d311b30 19060a09 92268993 f22c6401 19160b70 6574656e 65746c69 
 76653117 30150603 55040313 0e504e4c 2d44432d 50524f44 2d434130 1e170d31 
 35303631 32313231 3935375a 170d3330 30363132 31323239 35365a30 4b311330 
 11060a09 92268993 f22c6401 19160363 6f6d311b 3019060a 09922689 93f22c64 
 0119160b 70657465 6e65746c 69766531 17301506 03550403 130e504e 4c2d4443 
 2d50524f 442d4341 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 
 3082010a 02820101 00ad6ce6 b3d3852b 6524ee38 bab2beb8 1184f717 0bcebe1f 
 7b590260 6f0d0503 6d3409cb fcc7af7c f197cc74 91de290f cd65da5b cb5715b9 
 5c975ad6 20ba8573 4e4058fc 383f40d2 08f6390d f4c5c3e5 c7fc8571 ba7613a4 
 5e0dafde b98b8641 f9b5ba7f c50142c6 7854a785 22fa94d8 2f648590 0a0287ab 
 568fcac4 e6fde0aa 11cafe44 beadd840 7c1fa631 89be34c0 bf15858e c44f78be 
 c1140f04 f1b89eb0 23442430 bacd9b9d a3b2620b 5d0e59c1 520b39e2 f95c9e91 
 305bd92b 4eab53b6 bfee551d 57e1f864 a043a757 39150ca7 bfdfb6ab 77510fa9 
 c8c35eec 02a59c75 460cdd61 7cae7949 9879e472 970bb444 25d01556 336b1a86 
 1ec95330 cac03f5e 01020301 0001a351 304f300b 0603551d 0f040403 02018630 
 0f060355 1d130101 ff040530 030101ff 301d0603 551d0e04 16041495 d2ae01e1 
 45769582 39b946bf a2799ccd c5d28a30 1006092b 06010401 82371501 04030201 
 00300d06 092a8648 86f70d01 01050500 03820101 005c4437 216d5cc1 38a0e3bb 
 8af4657d 83fca1a3 57483d54 4a73a663 c8bf8c2a b0280cc4 155f4a15 72da34ee 
 6e67ae3f c503b73f 3e267f05 b1be022e 2e979295 b661e942 ef8d2039 4da5e555 
 a1babc03 33792b4d 85272d81 0484c36c fd49c383 dd95b1a3 64dbca14 b01bc48a 
 61b6cb84 38128fbe 2860097c 1a0e15a1 6a3c409a be6074fb be64d87a 6d46b11e 
 8548fb44 dfc35483 1c7668cd e72828fa 102a2069 8939f613 11ec5bb6 341a70fc 
 a6a85bc6 a93cdc73 59b36756 cba6f787 957d3eca 1ef9a057 31c2ae9c 26ab72f5 
 096129c6 0ed0bc05 0a7bca34 ae6fd90a 1e86cf91 49f558ea e174de18 dc8cb428 
 922bb233 ee5cf072 98a78f60 1a98f540 7c227063 e2
 quit
 !
 telnet 0.0.0.0 0.0.0.0 inside
 telnet timeout 5
 ssh 192.168.1.0 255.255.255.0 inside
 ssh timeout 5
 ssh version 2
 console timeout 0
 !
 YOUR NEW FIREWALL HAS A MANAGEMENT INTERFACE, YOU MIGHT NOT WANT TO COPY THIS OVER
 ! 
 management-access Inside
 !
 tls-proxy maximum-session 24
 !
 threat-detection basic-threat
 threat-detection statistics port
 threat-detection statistics protocol
 threat-detection statistics access-list
 no threat-detection statistics tcp-intercept
 ntp server 87.194.255.141 source outside
 ntp server 194.117.157.4 source outside prefer
 ssl encryption 3des-sha1
 webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect profiles SSL_VPN disk0:/Petenetlive-profile.xml 
 anyconnect enable
 tunnel-group-list enable
 ! 
 group-policy DefaultRAGroup internal
 group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.12 192.168.1.13
 vpn-tunnel-protocol ikev2 l2tp-ipsec 
 default-domain value petenetlive.com
 group-policy DfltGrpPolicy attributes
 dns-server value 192.168.1.12 192.168.1.13
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 address-pools value VPN_Pool
 !
 username user1 password G0=2iYoApombmlE5de7 encrypted
 username user1 attributes
 service-type remote-access
 !
 tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_Pool
 !
 class-map inspection_default
 match default-inspection-traffic
 !
 policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum client auto
 message-length maximum 512
 policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map 
 inspect ftp 
 inspect tftp 
 inspect icmp 
 inspect pptp 
 inspect ipsec-pass-thru 
 inspect icmp error 
 class class-default
 set connection decrement-ttl
 !
 service-policy global_policy global
 smtp-server 192.168.1.41 192.168.1.42
 prompt hostname context
 no call-home reporting anonymous
 call-home
 profile CiscoTAC-1
 no active
 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
 destination address email callhome@cisco.com
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily 
 no call-home reporting anonymous
 : end

[/box]

 

Related Articles, References, Credits, or External Links

NA