Cisco ASA AnyConnect VPN ‘Using CLI’

KB ID 0000943

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco FTD running ASA Code.

Also See Cisco ASA AnyConnect VPN ‘Using ASDM’

This procedure was done on a Cisco ASA running (post) version 8.4 code, so it uses the newer NAT commands. I’m also going to use the ASA’s self signed certificate, so you will see a certificate warning (untrusted server) when you attempt to connect. For anything other than a lab, put a certificate from a CA your clients trust on the ASA; if users are taught to click through that warning they will also click through it when someone is impersonating your VPN.

Solution

1. The first job is to go get the AnyConnect client package(s), download them from Cisco, (with a current support agreement). Then copy them into the firewall via TFTP. If you are unsure how to do that see the following article.

Install and Use a TFTP Server

[box]

Petes-ASA(config)# copy tftp flash

Address or name of remote host [10.254.254.183]? 192.168.80.1

Source filename []?anyconnect-win-4.7.02036-webdeploy-k9.pkg

Destination filename [anyconnect-win-4.7.02036-webdeploy-k9.pkg]? {Enter}

Accessing tftp://192.168.80.1/anyconnect-win-4.7.02036-webdeploy-k9.pkg
.........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

4807912 bytes copied in 549.790 secs (8757 bytes/sec)
Petes-ASA(config)#

[/box]

2. Create a ‘pool’ of IP addresses that the ASA will allocate to the remote clients. Pick a range that is not in use anywhere else on your network and does not overlap the networks you will put in the split-tunnel list. Also create a network object that covers that pool of addresses, we will use it later for the NAT exemption.

[box]

Petes-ASA(config)# ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
Petes-ASA(config)# object network OBJ-ANYCONNECT-SUBNET
Petes-ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0

[/box]

3. Enable webvpn, set the package to the one you uploaded earlier, then turn on AnyConnect.

[box]

Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
Petes-ASA(config-webvpn)# anyconnect enable

[/box]

4. I’m going to create a LOCAL username and password, I suggest you do the same, then once you have proved it’s working OK, you can change the authentication method, (see links below), and remove or lock down the local test account. I’m also going to create an ACL that we will use for split-tunneling in a minute; only the networks it permits are sent through the tunnel, everything else leaves the client’s local interface.

[box]

Petes-ASA(config)# username PeteLong password Password123
Petes-ASA(config)# access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0

[/box]

5. Create a group policy, change the values to match your DNS server(s), and domain name accordingly.

[box]

Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE internal
Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client
Petes-ASA(config-group-policy)# dns-server value 10.0.0.10 10.0.0.11
Petes-ASA(config-group-policy)# split-tunnel-policy tunnelspecified
Petes-ASA(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
Petes-ASA(config-group-policy)# default-domain value petenetlive.com

[/box]

6. Create a matching tunnel-group that ties everything together.

[box]

Petes-ASA(config-group-policy)# tunnel-group ANYCONNECT-PROFILE type remote-access
Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# default-group-policy GroupPolicy_ANYCONNECT-PROFILE
Petes-ASA(config-tunnel-general)# address-pool ANYCONNECT-POOL
Petes-ASA(config-tunnel-general)# tunnel-group ANYCONNECT-PROFILE webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# group-alias ANYCONNECT-PROFILE enable

[/box]

7. Then stop any traffic that is going to, (or coming from) the remote clients from being NATed. Manual NAT rules are processed in order, so this identity rule must sit above any manual dynamic PAT rule you already have for inside traffic; the sequence number (2 here) controls where it lands.

[box]

Petes-ASA(config)# nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup

[/box]

8. Save the changes.

[box]

Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
Petes-ASA(config)#

[/box]

9. Give it a test from a remote client. On the ASA, show vpn-sessiondb anyconnect lists the connected sessions and the pool address each one was given, and show vpn-sessiondb detail anyconnect shows whether the session is running over DTLS or has fallen back to TLS.
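The three things that most often break a split-tunnel AnyConnect setup built from steps 2, 4, 5 and 7 are a pool that overlaps an inside or split-tunnel network (which makes the NAT exemption and routing ambiguous), a pool mask that does not match the pool range, and pushed DNS servers that are not covered by the split-tunnel ACL (with tunnelspecified, queries to them never enter the tunnel). The script below is an added example, not part of the original article and not a Cisco tool: it parses those values out of the article’s own commands (embedded as ASA_CONFIG, with the 255.255.255.0 split-tunnel mask from step 4) and reports each problem. The inside_networks argument is an assumption you supply for your own LAN; 10.0.0.0/24 is used here because that is what the split-tunnel ACL permits.

```python
"""
Sanity checks for the AnyConnect pool / split-tunnel / DNS values.

Added example, not from the article and not Cisco tooling. It parses an ASA
configuration snippet and checks the constraints that the article's steps
rely on but never state explicitly.
"""
import ipaddress
import re

# Copied from the article's commands (constructed input for this example).
ASA_CONFIG = """\
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.10 10.0.0.11
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
"""


def parse_asa(config: str) -> dict:
    """Pull the pool, standard ACL entries, DNS servers and split-tunnel policy out of the text."""
    pool, acls, dns, policy, split_list = None, {}, [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", line)
        if m:
            pool = {"name": m[1], "first": m[2], "last": m[3], "mask": m[4]}
            continue
        m = re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line)
        if m:  # ASA standard ACLs use network + netmask, which ipaddress accepts directly
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
            continue
        m = re.match(r"dns-server value (.+)", line)
        if m:
            dns = [ipaddress.ip_address(a) for a in m[1].split()]
            continue
        m = re.match(r"split-tunnel-policy (\S+)", line)
        if m:
            policy = m[1]
            continue
        m = re.match(r"split-tunnel-network-list value (\S+)", line)
        if m:
            split_list = m[1]
    return {"pool": pool, "acls": acls, "dns": dns, "policy": policy, "split_list": split_list}


def pool_network(pool: dict):
    """Network implied by the pool's first address and mask, and whether the last address fits in it."""
    net = ipaddress.ip_network(f"{pool['first']}/{pool['mask']}", strict=False)
    return net, ipaddress.ip_address(pool["last"]) in net


def check_config(config: str, inside_networks=()) -> list:
    """Return a list of problem strings; an empty list means every check passed."""
    cfg = parse_asa(config)
    problems = []
    if cfg["pool"] is None:
        return ["no ip local pool found"]
    net, mask_ok = pool_network(cfg["pool"])
    if not mask_ok:
        problems.append(f"pool range {cfg['pool']['first']}-{cfg['pool']['last']} "
                        f"does not fit mask {cfg['pool']['mask']}")
    split = cfg["policy"] == "tunnelspecified"
    tunnelled = list(cfg["acls"].get(cfg["split_list"], [])) if split else []
    # The pool must not overlap anything the clients reach through the tunnel, nor the inside LAN.
    for other in tunnelled + [ipaddress.ip_network(n) for n in inside_networks]:
        if net.overlaps(other):
            problems.append(f"pool {net} overlaps {other}")
    if split:
        if cfg["split_list"] not in cfg["acls"]:
            problems.append(f"split-tunnel list {cfg['split_list']} is not defined as a standard ACL")
        for server in cfg["dns"]:
            if not any(server in n for n in tunnelled):
                problems.append(f"DNS server {server} is not covered by split-tunnel list {cfg['split_list']}")
    return problems


if __name__ == "__main__":
    for p in check_config(ASA_CONFIG, inside_networks=["10.0.0.0/24"]) or ["OK: no problems found"]:
        print(p)
```

Run it against your own running-config output (show running-config ip local pool, access-list, group-policy) rather than the embedded snippet once the tunnel is up; a DNS server that falls outside the split-tunnel list is the usual reason "the VPN connects but nothing resolves".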

AnyConnect Commands to Copy and Paste

Simply change the values to suit your own environment (the package filename, the address pool and network object, the username and password, the split-tunnel network, the DNS servers and the default domain);

[box]

!
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
!
webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
anyconnect enable
!
username PeteLong password Password123
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
!
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
dns-server value 10.0.0.10 10.0.0.11
wins-server none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!

[/box]

Related Articles, References, Credits, or External Links

Cisco ASA AnyConnect VPN ‘Using ASDM’

AnyConnect: Allow ‘Local’ LAN Access

Cisco AnyConnect – Essentials / Premium Licences Explained

Cisco AnyConnect – PAT External VPN Pool To An Inside Address

AnyConnect (AAA) Authentication Methods

Kerberos Authentication (Cisco ASA)

LDAP Authentication (Cisco ASA)

RADIUS Authentication (Cisco ASA)

Duo 2FA Authentication (Cisco ASA)

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

OWA 2016 – Change Login From Domain\Username to Username

KB ID 0001254 

Problem

Out of the box, if you want to log into Outlook Web App, you need to use the Domain\Username format, like so;

Seeing as how Microsoft are making a big song and dance about using UPNs to log into Office 365, I thought they might have changed from the NT4 way of doing things, but hey what do I know?

As we all know users are stupid, Domain\Username is up there with string theory and quantum mechanics. So how do you change the format to simply Username?

Solution

Log into the Exchange Admin Center > Servers > Virtual Directories > Locate OWA > Edit.

Authentication Tab > Use Forms Based Authentication > User name only > Browse > Select your domain > OK > OK.

Now on the server that’s hosting the OWA Website you need to Restart IIS.

[box]iisreset /noforce[/box]

Now your users can authenticate with just their username.

Exchange Admin Center Logon Note

This will also change the login method for the Exchange Admin Center website (ECP), because by default the ECP virtual directory is set to use the same authentication settings as Outlook Web App.

Related Articles, References, Credits, or External Links


Event ID 5719

KB ID 0000712 

Problem

You see the following error in your event log (seen here in the system log on a domain controller).

Log Name: System
Source: NETLOGON
Date: 15/11/2012 06:00:35
Event ID: 5719
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Servername.Domain-Name.com
Description:
This computer was not able to set up a secure session with a domain controller in domain (domain-name) due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

Solution

Note: In this case the domain it could not contact was NOT my live domain name, it was a different domain name. If your error is referencing your live domain name then you have a different problem.

Cause: In my case the problem was being caused by a domain trust to a domain that was no longer contactable, (one of my colleagues had set it up in the past to do some testing). So I simply needed to remove the trust.

Warning: Only do this if that trust is genuinely no longer required. Removing a trust that is still in use will break authentication for everyone who relies on it, so check first!

1. On a domain controller > Windows Key+R > domain.msc {enter}

2. Right click the domain name > Properties > Trusts > Select the problem domain > Remove > Yes > OK.


Related Articles, References, Credits, or External Links

NA

Setting up the Correct DNS Records for your Web or Mail Server

KB ID 0000567 

Problem

Simply purchasing a domain name is not enough to get email flowing in your direction, and people onto your website. You also need your DNS records to point to your IP address(es) as well.

Some ISPs need either an email or a fax (on company headed notepaper) to request that these records be set up correctly. You will need to send this request to your ISP (or whoever is hosting your public DNS records).

This runs through what information you should request and why.

Remember if you have a security device on the outside of your network (like a firewall or a router providing firewall services) the correct ports will need to be open to your web server (usually TCP Port 80 and/or 443), or your mail server (TCP Port 25, though Exchange may require 443 for OWA and ActiveSync).

Note: This assumes your ISP has given you either a static public IP address, or a range of public IP addresses. It is possible to use a dynamic DNS service like no-ip if you don’t have a static IP address, but that is not covered here.

DNS Records – Web server Requirements

DNS Records – Mail Server Requirements

Solution

Setting up DNS Records for a Web Server (A Records)

I’m not bothered how it works, what do I need to send to my ISP?

To get to http://www.yourwebsite.com people need to be able to translate that name to the IP address of your web server. They do this by sending a “query” to a DNS server, which either checks with other DNS servers, or sends back the IP address directly.

1. You need to purchase your domain name. This may sound obvious but I’ve seen people who own companya.com, simply add company.co.uk to their Exchange server and expect it to work!

2. This website is on my petenetlive.com domain, the people who host my DNS records have a record called an “A Record” (may be called a “host” record depending on your ISP) that points www to the public address of my website, like so;

Note: Above I’ve shown you how the record would look in a Windows DNS server, just so you can get an idea of what these records are that you are requesting. (also they take seconds to create, don’t let your ISP take ages to do this!).

Testing your DNS Host Records

On a Windows client you have a command that can test, and show you what your machine sees when it looks for DNS records, this is called nslookup. Below I’m issuing nslookup www.petenetlive.com to see what IP address www.petenetlive.com should be on.

Note: I’m not on this IP address, I’ve just set it up this way for the purpose of demonstration. Drop to command line and issue the above command and you will see my real current IP address.

What do I need to Request from my ISP / Domain Host?

Assuming your domain name is xyz-company.com and you have a public IP address of 234.234.234.234. The following should suffice;

[box]

Ref: Domain name xyz-company.com

Please can you arrange for my www record to point to 234.234.234.234

Signed
{Someone your ISP has on record}

[/box]

Setting up DNS Records for an Email Server (A, MX, PTR and SPF Records)

I’m not bothered how it works, what do I need to send to my ISP?

1. Just as above your mail server(s) will need an “A Record“, I’m going to create two (just to demonstrate mail preferences later on), one for mail.petenetlive.com and the other for mail2.petenetlive.com

2. Now, you need an MX (Mail Exchange) Record that points to the A Record(s) you created earlier, you can set them with preferences.

What are MX Record Preferences

If you have multiple mail servers, or a backup mail system you can create as many MX Records as you like, by default mail will be sent to the LOWEST preference first, if that IP address is offline or unreachable it will try the NEXT HIGHEST preference.

Testing your MX Records

As above I’m going to use the nslookup command, though this time I’ll issue nslookup on its own, then change the type of record it searches for to MX (set type=mx), before I issue my query.

Note: Helpfully it also shows you the correct A Records as well.

3. Though not essential to get your mail, you should also have a PTR (Pointer) record(s) set up as well. These work the opposite way round to an A Record. An A Record converts a name into an IP address, a PTR Record converts an IP address back to the name again.

Why Do I Need PTR Records?

With the explosion in the amount of spam being sent, people have sought ways to cut it down. Some email systems (famously Hotmail) started doing reverse lookups on incoming mail: they look up the PTR record for the IP address that is sending them mail (THAT WOULD BE YOU), and if there is no PTR record, or the name it returns does not resolve back to that same IP address, they reject the mail (this is called a Reverse Lookup Failure). So without PTR records you may find you cannot email some domains. If your ISP cannot provide PTR records you may need to ask if you can route your mail through your ISP’s “Smart Host”.

Testing your PTR Records

As above, I’m going to use the nslookup command, though this time I’ll issue nslookup on its own, then change the type of record it searches for to PTR (set type=ptr), before I issue my query.

4. The last type of record you MAY need is an SPF (Sender Policy Framework) Record. It lists, in a TXT record, the servers and domains that are allowed to send mail for your domain (the dedicated SPF record type, DNS type 99, has since been deprecated, so use a TXT record). It is designed to cut down spam and spoofing of your domain. Most receiving systems now expect one, and you definitely need one if you have some external entity that sends mail from your email addresses (i.e. your web hosted CRM system), because that sender has to be listed in it.

How do I create an SPF Record?

An SPF Record is just some text (see above), the simplest way to work out what you need in yours, is to use this wizard.

Testing your SPF Records

As above, I’m going to use the nslookup command, though this time I’ll issue nslookup on its own, then change the type of record it searches for to TXT (set type=txt), before I issue my query.

Note: This is also a great online checking tool.
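The four checks above (A record for each mail host, MX pointing at those hosts, PTR resolving back to the same address, SPF published) are exactly what a receiving mail server evaluates before it accepts your connection. The script below is an added example, not part of the original article and not a PeteNetLive or Microsoft tool: instead of querying a live resolver it walks a small constructed zone for the article’s xyz-company.com example, using the article’s 234.234.234.234 plus a second, valid sample address for the backup server (the article’s 333.333.333.333 is not a legal IPv4 address), and reports the MX try order and any missing or non-matching records. The backup server is deliberately left without a PTR record so the forward-confirmed reverse DNS check has something to find.

```python
"""
Offline consistency check for the A / MX / PTR / SPF records a mail domain needs.

Added example, not from the article. ZONE is constructed data standing in for
answers from the public DNS; swap the lookups for a real resolver to use it live.
"""
import ipaddress

# Constructed zone data: record type -> owner name (or IP for PTR) -> list of values.
ZONE = {
    "A": {
        "mail.xyz-company.com": ["234.234.234.234"],
        "mail2.xyz-company.com": ["235.235.235.235"],
        "www.xyz-company.com": ["234.234.234.234"],
    },
    "MX": {
        "xyz-company.com": [(10, "mail.xyz-company.com"), (20, "mail2.xyz-company.com")],
    },
    "PTR": {
        "234.234.234.234": ["mail.xyz-company.com"],
        # 235.235.235.235 deliberately has no PTR record
    },
    "TXT": {
        "xyz-company.com": ["v=spf1 mx -all"],
    },
}


def lookup(zone: dict, rtype: str, name: str) -> list:
    """Case-insensitive lookup that tolerates a trailing dot on the name."""
    return zone.get(rtype, {}).get(name.lower().rstrip("."), [])


def mx_order(zone: dict, domain: str) -> list:
    """MX targets in the order a sending server tries them: lowest preference first."""
    return [host for _, host in sorted(lookup(zone, "MX", domain))]


def fcrdns(zone: dict, ip: str):
    """Forward-confirmed reverse DNS: the PTR name must have an A record that contains ip."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address such as 333.333.333.333
    names = lookup(zone, "PTR", ip)
    if not names:
        return False, "no PTR record"
    for name in names:
        if ip in lookup(zone, "A", name):
            return True, name
    return False, f"PTR {names[0]} does not resolve back to {ip}"


def spf_record(zone: dict, domain: str):
    """The domain's SPF policy, if one is published as a TXT record."""
    for txt in lookup(zone, "TXT", domain):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def validate_mail_domain(zone: dict, domain: str) -> list:
    """Return a list of problems; an empty list means the records match what the article asks for."""
    problems = []
    targets = mx_order(zone, domain)
    if not targets:
        problems.append(f"{domain}: no MX record, senders will fall back to the bare A record")
    for host in targets:
        addrs = lookup(zone, "A", host)
        if not addrs:
            problems.append(f"MX target {host} has no A record")
            continue
        for ip in addrs:
            ok, detail = fcrdns(zone, ip)
            if not ok:
                problems.append(f"{host} ({ip}): {detail}; some receivers will refuse mail from it")
    if spf_record(zone, domain) is None:
        problems.append(f"{domain}: no SPF record published")
    return problems


if __name__ == "__main__":
    print("MX try order:", mx_order(ZONE, "xyz-company.com"))
    for p in validate_mail_domain(ZONE, "xyz-company.com") or ["OK: records are consistent"]:
        print(p)
```

The PTR check is the one people skip: it is the backup server (mail2) that fails here, and because it only sends mail when the primary is down, the rejections only show up during an outage.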

What do I need to Request from my ISP / Domain Host?

Assuming your domain name is xyz-company.com and you have a public IP address of 234.234.234.234. The following should suffice;

[box]

Ref: Domain name xyz-company.com

Please can you arrange for the following records to be created:

A/Host Record for mail.xyz-company.com to point to 234.234.234.234
MX Record (Preference 10) that points to mail.xyz-company.com
PTR Record that points 234.234.234.234 to mail.xyz-company.com

Signed
{Someone your ISP has on record}

[/box]

Assuming your domain name is xyz-company.com and you have a public IP address of 234.234.234.234, and a backup mail server at your secondary site that has an IP address of 235.235.235.235. The following should suffice;

[box]

Ref: Domain name xyz-company.com

Please can you arrange for the following records to be created:

A/Host Record for mail.xyz-company.com to point to 234.234.234.234
A/Host Record for mail2.xyz-company.com to point to 235.235.235.235
MX Record (Preference 10) that points to mail.xyz-company.com
MX Record (Preference 20) that points to mail2.xyz-company.com
PTR Record that points 234.234.234.234 to mail.xyz-company.com
PTR Record that points 235.235.235.235 to mail2.xyz-company.com

Signed
{Someone your ISP has on record}

[/box]

Related Articles, References, Credits, or External Links

NA


Deploying Exchange 2013

Part Three – Deploying Exchange 2013 On a ‘Greenfield Site’

KB ID 0000730

Problem

In part one and part two we looked at what to consider, and what you need to be doing before you reach for the install DVD. Now we will run through a complete Exchange deployment on a fresh site with no existing mail system.

Items covered below

Install Exchange Server 2013

Exchange 2013 Post Install Configuration Tasks

Enter the Exchange 2013 Server Product Key

Exchange 2013 Create a Default Send Connector

Exchange 2013 Adding a Domain Name as an Accepted Domain

Adding New Email Addresses to the Default Email Address Policy

Exchange 2013 Additional Post Installation Tasks

Moving Exchange 2013 Database(s)

Exchange 2013 Apply for, and Install a Third Party Certificate

Exchange 2013 Setting up ‘Split DNS’ for your Exchange Certificate

Exchange 2013 Test Mail Flow

Solution

Exchange Prerequisites


I’ve already written extensively about the hardware, software and environment requirements for Exchange 2013. Please run through the following article before you start.

Deploying Exchange 2013 Part One – Prerequisites for Windows Server 2012

With a fully updated Windows Server 2012, that is a domain member your main three pre deployment tasks are to install the following pieces of software.

1. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit.

2. Microsoft Office 2010 Filter Pack 64 bit

3. Microsoft Office 2010 Filter Pack SP1 64 bit

Install Exchange Server 2013

1. Insert the install DVD and auto-run the setup.

2. Next > Let it check for updates.

3. Next.

4. It will copy the setup files to the server.

5. Next.

6. Accept the EULA > Next.

8. Next.

9. Select the roles required, I’m just having one server so I’m selecting both > Next.

Note: Current Microsoft thinking is to NOT separate out roles like you did with Exchange 2007 and 2010, if you deploy multiple servers deploy multiple roles.

10. Set the install path for the Exchange program files. If you change from the default, and you are deploying multiple Exchange servers, try to keep the path the same for all > Next.

11. Select an Organization name > Next.

12. Select if you want to disable the built in malware protection or not.

Note: Malware protection is now based on Forefront. Only consider disabling this if you plan to deploy some third party malware/AV scanning software.

13. You should get a warning telling you that once complete you will not be able to install Exchange 2010 > Next.

14. Setup will progress (Approx 45 minutes).

15. When done > you can tick the box and launch the ‘Exchange Admin Center’. BUT At this point I would run a full Windows update and reboot the server.

Exchange 2013 Post Install Configuration Tasks

1. To launch the new ‘Exchange Admin Center’, navigate to https://localhost/ecp.

2. Sign in.

Enter the Exchange 2013 Server Product Key

3. Navigate to Server > {Server-Name} > Enter Product Key.

4. Type in your 25 character product key > Save.

5. Read the warning > OK.

6. Windows Key+R > services.msc {Enter} > Locate and restart the ‘Microsoft Exchange Information Store’ service.

Exchange 2013 Create a Default Send Connector

Without configuring a send connector, your outbound/internet destined mail will sit on the outbound queue with the following error.

 ‘A matching connector cannot be found to route the external recipient’

7. Navigate to > Mail flow > Send Connector > Add.

8. Give the connector a name and select ‘Internet’ as its use > Next.

9. By default it will select where to send the email based on the DNS name of the recipient, however some people route all their mail via a smart host, (this can be a server or IP address at your ISP or a mail filtering provider). If you use a smart host you will probably already know, in most cases you will want the default option of ‘MX record associated with recipient domain’ > Next.

10. Add.

11. Set the address space FQDN to an asterisk (*), so the connector handles mail for every external domain > Save.

12. Add > Then select the Exchange Server.

13. Finish.

Exchange 2013 Adding a Domain Name as an Accepted Domain

14. Whilst in the Mail Flow section > Accepted Domains > Add.

15. Give the entry a name > Type in your domain name > Save > Repeat for any additional domain names.

Adding New Email Addresses to the Default Email Address Policy.

16. Whilst in the Mail Flow section > email address policies > With the default policy selected > Edit (pencil icon).

17. Email address format.

18. Add.

19. Select the domain > Select the name format > If this email address will be the default/reply address then select the bottom tick box > Save > Repeat for each additional email address you want to apply to your users, but only one can be the reply address.

20. When finished > Save.

21. Read the warning > OK.

22. Apply.

23. Yes.

Exchange 2013 Additional Post Installation Tasks.

Moving Exchange 2013 Database(s)

1. Create a folder on the destination drive/volume.

2. First see where the database is now. From within the Exchange admin center (https://localhost/ecp) > Servers > Databases > Select the database to be moved > Edit (pencil icon).

3. Take a note of the database path, and the database filename (filename.edb).

4. Launch the Exchange Management Shell.

5. Execute the following PowerShell command (Move-DatabasePath, giving it the database name and the new -EdbFilePath and -LogFolderPath);

Answer Y to the questions (or A for all).

6. Now you can check that the database has mounted, and is in its new location.

Exchange 2013 Apply for, and Install a Third Party Certificate

1. From within the Exchange admin center (https://localhost/ecp) > Certificates > Add.

2. Self signed certificates are literally more trouble than they are worth, you need to BUY A CERTIFICATE! > Next.

3. Give the request a name > Next.

4. We don’t want a wildcard certificate > Next.

Note: A wildcard certificate is a certificate that has a name like ‘*.domain.com’.

5. Select the Exchange Server > Next.

6. Select the internet Outlook Web App and Edit (pencil icon).

7. Type in the publicly addressable domain name of the Exchange Server > OK.

8. Set the public name of the Autodiscover service > OK > Next.

9. MAKE SURE that the OWA public name is IN BOLD as this will be set as the ‘common name’ on the certificate > Next.

10. Type in your details > Next.

11. Select a share to save the certificate request in > Finish.

Note: This share must already exist, with the correct permissions, if in doubt watch the video above.

12. Now you should have a pending request.

13. Take the certificate request that it has generated (in PEM format), and send that to your certification authority, the link below will take you straight to the correct certificate you need;

Exchange 2013 Server Certificates.

14. Once complete and you have received your new certificate back again > Select the pending request > Complete.

15. Supply the path to the certificate > OK.

16. Now you need to assign Exchange services to the certificate> with it selected > Edit (pencil icon).

17. I’m not using unified messaging or POP, so I’ve just selected SMTP, IMAP and IIS > Save.

18. Yes to overwrite the existing certificate.

19. Now let’s make sure it’s worked, open https://localhost/owa > it will give a certificate warning because ‘localhost’ does not match the name on the certificate > continue to this website.

20. Open the certificate and check it is correct. (here mine has a common name of mail.petenetlive.com).

Exchange 2013 Setting up ‘Split DNS’ for your Exchange Certificate

Note: You only need to set this up if your private/internal, and public/external domain names are different.

21. To avoid annoying DNS and certificate errors on your internal network, your best bet is to setup ‘Split DNS’. Create a forward lookup zone that matches your PUBLIC domain name. Then inside this zone create an A/Host record for mail that points to the internal IP of your Exchange Server. And another for Autodiscover that points to the same IP address.

WARNING: If you do this, and have a www.yourdomainname.com website hosted externally, you will find that your internal users can no longer get to it! If that happens create an additional A/Host record for a host called www and point its IP address to the public IP address of your website (you may also need an FTP entry if you use that externally as well).

22. Now open a web browser and navigate to the public name of your mail sever, this time it SHOULD NOT ERROR.

Exchange 2013 Test Mail Flow

1. Log into OWA, and send a test email to an internal email address (on a new deployment you probably only have Administrator as a mailbox, so send yourself an email).

2. Then send a test email out to a public email address.

Note: If this fails, check it has left the Exchange Organization by looking at the Queue Viewer.

Exchange 2013 – Where is the Queue Viewer?


3. Once you know mail is flowing out test mail in, if this fails make sure you have an MX Record and an A/host record pointing to your Exchange 2013 Server.

Setting up the Correct DNS Records for your Web or Mail Server

Also ensure that TCP port 25 (SMTP) is open to the Exchange Server, (or ‘port forwarded’ to it). TCP port 443 (HTTPS) also needs to be open/forwarded for OWA, Outlook Anywhere and ActiveSync to work.


Related Articles, References, Credits, or External Links

NA