Azure VPN: Point To Site VPN (Remote Access)

KB ID 0001692

Problem

Given my background I’m usually more comfortable connecting to Azure with a Route Based VPN from a hardware device, like a Cisco ASA. I got an email this afternoon, a client had a server in a private cloud and a server in Azure, they needed to transfer files from the Azure server to the server in the private cloud. Now on further investigation this client had a Cisco vASA so a VPN was the best option for them, (probably).

But what if they didn’t? Or what if they were ‘working from home’ and needed to access their Azure servers that were not otherwise publicly accessible?

Well the Microsoft solution for that is called an ‘Azure Point to Site VPN‘, even though in the current Azure UI they’ve called it ‘User VPN Configuration‘, because ‘Hey! Screw consistency and documentation that goes out of date every time a developer has a bright idea, and updates the UI’ Note: I have a thing about things being changed in GUIs!

So regardless whether you are on or off the corporate LAN, you can connect to your Azure Virtual Networks.

Azure VPN (Remote Access)

This is not a full Azure tutorial, I’m assuming, as you want to connect to existing Azure resources, you will already have most of this setup already. But, just to quickly run through. You will need a Resource Group, and in that Resource Group you will need a Virtual Network. (Note: I like to delete the ‘default‘ subnet and create one with a sensible name).

So far so good, within your virtual network you will need to create, (if you don’t already have one,) a ‘Gateway Subnet‘. To annoy the other network engineers, I’ve made it a /24, but to be honest a /29 is usually good enough).

Now to terminate a VPN, you need a ‘Virtual Network Gateway‘.

Make sure it’s set for VPN (Route Based) > Connected to your Virtual Network  > Either create (or assign) a public IP to it. I told you I’d be quick, however the Gateway will take a few minutes to deploy, (time for a coffee.)

Azure VPN Certificate Requirement

For the purpose of this tutorial I’ll just create some certificates with PowerShell, (a root CA cert, and a client cert signed by that root certificate). This wont scale very well in a production environment. I’d suggest setting up a decent PKI infrastructure, Then using auto-enrolment for your users to get client certificates. However for our run through, execute the following TWO commands;

[box]

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=Azure-VPN-Root-Cert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

New-SelfSignedCertificate -Type Custom -DnsName Azure-VPN-Client-Cert -KeySpec Signature -Subject "CN=Azure-VPN-Client-Cert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

[/box]

Now launch ‘certmgr‘ and you will see the two certificates. Firstly, export the client certificate.

Yes you want to export the private key > You want to Save it as a .PFX file > Create a password for the certificate (MAKE NOTE OF IT!) > Save it somewhere you can get to, (you will need it in a minute).

Secondly, export the Root CA certificate.

 You DON’T export the private key > Save as Base-64 encoded > Again save it somewhere sensible, you will also need it in a minute.

Open the ROOT CA CERT with Notepad, and copy all the text BETWEEN —-BEGIN CERTIFICATE—- and —-END CERTIFICATE—- Note: This is unlike most scenarios, when working with PEM files, where you select everything, (it tripped me up!)

Back in Azure > Select your Virtual Network Gateway > Select ‘User VPN Connection’ (seriously, thanks Microsoft be consistent eh!) > ‘Configure now‘.

Pick an address pool for your remote clients to use, (make sure it does not overlap with any of your assets, and don’t use 192.168.1.0/24, or 192.168.0.0/24, Note: These will work, but most home networks use these ranges, and let’s not build in potential routing problems before we start!)

Choose IKEv2 and SSTP > Authentication Type = Azure Certificate > Enter your Root CA details, and paste in the PEM text, you copied above > Save > Time for another coffee!

When is stopped deploying, you can download the the VPN client software.

Azure Point to Site (User VPN) Client Configuration

So for your client(s) you will need the Client Certificate, (the one in PFX format,*) and the VPN Client software >  Double click the PFX file > Accept ‘Current User‘.

*Note: Unless you deployed user certificates already, and your corporate Root Cert was entered into Azure above.

Type in the certificate password you created above > Accept all the defaults.

Yes.

Now install the Client VPN software, you may get some security warnings, accept them and install.

Now you will have a configured VPN connection. I’m a keyboard warrior so I usually run ncpa.cpl to get to my network settings, (because it works on all versions of Windows back to NT4, and ‘developers’ haven’t changed the way it launches 1006 times!)

Launch the Connection > Connect > Tick the ‘Do not show…‘ option > Continue > If it works, everything will just disappear and you will be connected.

Related Articles, References, Credits, or External Links

NA

Migrate Exchange 2010 to Exchange 2016 (& 2013)

Part 3

Migrating Certificates and Decommissioning Exchange 2010

KB ID 0000816

Problem

Continued from Migration From Exchange 2010 to Exchange 2016 Part 2

Solution

Exchange 2013/2016 Migration Step 8 Migrating Certificates from 2010 to 2016

Only consider doing this if you have a purchased (i.e. NOT using a self signed) certificate on your Exchange 2010 server. Bear in mind if you have the internal FQDN of your Exchange 2010 server as a SAN (Subject Alternative Name), then you cannot renew the certificate if it lasts longer than November 2013, so you might want to purchase a new one anyway.

Also make sure the public name of the server resolves to the public IP of the new server (or you change the port forwarding for HTTPS traffic to point to the new server).

1. On the Exchange 2010 Server > Launch the Exchange Management Console > Server Configuration > Select the certificate > Export Exchange Certificate.

2. Select a location to save the exported cert > supply a password > Next.

3. Finish.

4. On the Exchange 2013/2016 Server > Launch the Exchange Admin Center > Servers > Certificates > Select the ‘more options’ icon > Import Exchange Certificate.

5. Put in the path to where you saved the exported cert, and the password you used > Next.

6. Add in the Exchange 2016 Server > Finish.

7. Select the new certificate > Edit > Services > Select the service for which you want to use the certificate. Note: I don’t have Unified Messaging so I’m selecting all the other options > Save.

8. Answer ‘Yes’ to replace the self signed certificate that Exchange 2016 installs by default.

9. You can then open Outlook Web Access and give it a test (Remember to change the DNS records so that the Common Name on the certificate points to the new Exchange 2016 server).

Exchange 2013/2016 Migration Step 9 Decommissioning Exchange 2010

Before doing this: Have a quick common sense check!

  • Do you need to migrate any Transport rules? (For Exchange Disclaimers etc).
  • Do you need to change any Journaling settings for your third party Email Archive solutions etc.
  • Do you need to replicate ant receive connectors from the old email server to  the new one? (For Scanners, Photocopiers, SharePoint, SQL Mail, SAP, etc).

1. Before we can retire the old server we need to remove its databases, even though we have moved all the user mailboxes, If you try and delete the database it will complain that’s its not empty. This is because it will have either Archive or Arbitration mailboxes in it. To see, execute the following commands;

[box]

Get-Mailbox -Archive
Get-Mailbox -Arbitration

OR, If you have multiple source databases use the following syntax,

Get-Mailbox -Archive  | fl name,database
Get-Mailbox -Arbitration  | fl name,database

[/box]

As you can see (in the diagram below) I have Arbitration mailboxes left in the old Exchange 2010 database, to move them use the following command, Note: Execute this command from the Exchange 2013 Server!

[box] Get-Mailbox -Database “Mailbox-Database” -Arbitration | New-MoveRequest -TargetDatabase “Mailbox-Database-2016“[/box]

Obviously if you have archive mailboxes use the same command, but substitute archive for arbitration.

Note: Update 04/11/13 (Credit to Jeroen Bonenberg)

You may also have a Discovery Search Mailbox that will need migrating. To do so, use the following syntax.

[box]New-MoveRequest DiscoverySearchMailbox* -TargetDatabase “Mailbox-Database-2013[/box]

2. Wait a while and then check that they have moved. Note: You can check status with ‘Get-MoveRequest’.

3. In the Exchange Management Console > Organization Configuration > Mailbox > Database Management > Select the mailbox database > right click > Dismount Database.

4. Now Remove the database > Yes.

5. OK.

6. Offline Address Book Tab > Default Offline Address Book > Remove > Yes.

Note: If this OAB is still in use you will NOT be able to remove it, Go to the Address Book Policies tab > Change the default OAB from the 2010 one to the 2013 one.

7. If you try and remove the public folder database it will complain that it contains replicas, which you cant remove. The easiest way I’ve found to remove it is as follows. Dismount the public folder database.

8. Then delete (or move if you are paranoid) the database file (.edb file) and the logs for this database.

9. Then mount the database > Yes to all > It will mount a blank empty database.

10. You can now delete the database without error.

11. OK.

12. Close Exchange System Manager > Start > In the search/run box >appwiz.cpl {Enter} > Locate Microsoft Exchange Server 2010 > Uninstall.

13. Next.

14. Untick all the installed roles > Untick Management tools > Next.

15. Uninstall.

16. Finish.

Exchange 2013/2016 Migration Step 9 ‘Finish Up’

Remember if you are keeping this server, you might want to delete all the database files which get left behind. You will also want to change your backup software so that it is pointing to the new mailboxes/databases.

Related Articles, References, Credits, or External Links

Thanks to Shawn Welker for the Arbitration/Archive feedback
Thanks to leandro.chiesa for the OAB feedback

 

Replace an ASA 5505 with an ASA 5506-X

KB ID 0001091 

Problem

Given the amount of ASA work I do it’s surprising that the first time I saw an ASA 5506-X was last week (I’ve been working on larger firewalls for a while). I’m probably going to have to do a few of these over the next couple of years so I’ll update this article as things surface.

Solution

Q: Can I just copy the config from an ASA 5505 to an ASA 5506-X?

A: No, that would be nice, truth be told if the 5505 is running an OS newer than 8.3, about 90% of the config can be copy/pasted if you know what you are doing.

The ASA 5506 Interfaces are different.

  • Unlike its predecessor (and just about all other Cisco equipment), the interfaces start at number 1 (the 5505 starts at 0).
  • The 5506 Interfaces are the opposite way round (left to right).
  • The 5506 has IP addresses applied to its physical interfaces. Where as the 5505 had IP addresses applied to VLANs and then the physical interfaces were added to the appropriate VLAN. Note: the 5506 still supports VLANs, (5 or 30 with a security plus license).*

*UPDATE: After version 9.7 This has changed (on the 5506-X) See the following article for an explanation;

Cisco ASA 5506-X: Bridged BVI Interface

So let’s say your 5505 has three interfaces called inside, outside, and DMZ, (yours might have different names, and you may only have two,) the relevant parts of the 5505 config would be;

[box]

 ASA 5505 VLAN and Physical Interface configuration

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
 !
 interface Vlan2
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.252
 !
 interface Vlan3
 nameif DMZ
 security-level 50
 ip address 10.0.0.1 255.0.0.0
 !
 interface Ethernet0/0
 switchport access vlan 2
 !
 interface Ethernet0/1
 !
 interface Ethernet0/2
 switchport access vlan 3
 !
 interface Ethernet0/3
 !
 interface Ethernet0/4
 !
 interface Ethernet0/5
 !
 interface Ethernet0/6
 !
 interface Ethernet0/7
 !

[/box]

VLAN Note: You might be wondering why no ports have been put into VLAN 1? By default all ports are in VLAN 1, So above, ports 0/1 and 0/3 to 0/7 are all in VLAN 1.

Outside IP Note: Yours may say ‘dhcp setroute’ if it does not have a static IP , that’s fine.

To convert that (Assuming you are NOT going to use the BVI interface, (see link above!);

[box]

ASA 5506-X Physical Interface configuration

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.252
 !
 interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
 !
 interface GigabitEthernet1/3
 nameif DMZ
 security-level 50
 ip address 10.0.0.1 255.0.0.0
 !

[/box]

AnyConnect Has Changed

If you use AnyConnect then prepare for a little hand wringing. The 5505 could support up to 25 SSL VPN connections. On a 5506 they are actually called AnyConnect now, and it supports up to 50.

There is no Essentials license for a 5506-X! Don’t bother looking, you need to get your head into AnyConnect 4 licensing, I’ve already written about that at length.

AnyConnect 4 – Plus and Apex Licensing Explained

Q: Does this mean I can’t use my AnyConnect 3 (or earlier) packages in the new 5506?

A: Yes you can, but you will only get two connections, unless you purchase additional Apex/Plus licensing.

I’m working on the assumption that we are going to load in the AnyConnect 4 packages and use those. With that in mind if anyone manages to get them added to their Cisco profile without the ‘Additional Entitlement Required’ then contact me, and let me know how, (link at bottom). I have to ring Cisco and use my employers partner status to get the client software 🙁

In addition to getting new AnyConnect Packages and loading them into the new 5506. If you have an anyconnect XML profile, that will also need copying into the new firewalls flash drive before you can paste the AnyConnect settings in.

Below you can see I’ve got a profile on my 5505.

Tools > File Transfer > File Transfer > Between Local PC and Flash. (Do the reverse to get the file(s) into the new 5506).

Note: You can also do this from CLI by copying the file to a TFTP server.

Below is a typical AnyConnect config from an ASA 5505, I’ve highlighted the lines that will cause you problems.

[box]

ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
!
webvpn
 enable outside
 anyconnect-essentials <-REMOVE THIS IT'S OBSOLETE
 anyconnect-win-3.1.05152-k9.pkg 1 <-REPLACE WITH ANYCONNECT 4
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.04063-k9.pkg 2 <-REPLACE WITH ANYCONNECT 4 
 anyconnect profiles SSL-VPN-POLICY disk0:/PeteNetLive-Profile.xml <-COPY OVER FIRST
 anyconnect enable
 tunnel-group-list enable
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
!

group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.10 10.0.0.11
 wins-server none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 split-tunnel-all-dns enable
 webvpn
  anyconnect profiles value SSL-VPN-POLICY type user
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
 address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET
 OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!

[/box]

ASA Transferring Certificates From One ASA to Another

I appreciate a lot of you wont be using certificates, and even if you use AnyConnect you just put up with the certificate error. That’s fine, but do me a favor? Before you do anything else go and generate the RSA keys on your new 5506 before you do anything else, (people forgetting to do this has cause me a LOT of grief over the years). So set the host name, domain-name, and then generate the keys like so;

[box]

ciscoasa# configure terminal
Petes-ASA(config)# hostname Petes-ASA
Petes-ASA(config)# domain-name petenetlive.com
Petes-ASA(config)# crypto key generate rsa modulus 2048

INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
Petes-ASA(config)# 

[/box]

OK, so if you are still reading this section, then you have at least one certificate, that you need to move to the new firewall. For each scenario here’s what I recommend you do;

Self Signed Certificate from your own PKI / CA Server : Just generate a new cert for the new firewall and import it the same as you did on the old firewall

Externally / Publicly signed certificate that you have paid for: This we will need to export then import onto the new 5506. (Note: If there’s not much time left to run on the validity, it may be easier to get onto the certificate vendor and have a new one reissued to save you having to replace it in a couple of months – just a thought).

If you have purchased a certificate you will have already gone though the process below;

Cisco ASA 5500 – Using a Third Party Digital Certificate

The easiest option for you is to go where you purchased the cert, download it again, and import it into the new firewall. But here’s where you find out you forgot the username and password you used, or the guy who sorted this out has left the company etc. If that is the case all is not lost. You can export an identity certificate, either from the ADSM;

Cisco ASA Export Certificates From ASDM

Configuration > Device Management > Certificate Management > Identity Certificates > Select the certificate > Export > Choose a location and a ‘pass-phrase’.

Cisco ASA Export Certificates From Command Line.

To do the same at CLI the procedure is as follows;

[box]

Get Your Trustpoint(s) Names


Petes-ASA# show crypto ca trustpoints 

Trustpoint ASDM_TrustPoint0:
    Not authenticated.

Trustpoint PNL-Trustpoint-1:
    Subject Name:
    cn=PNL-DC-PROD-CA
    dc=petenetlive
    dc=com
          Serial Number: 5ec427e4910fa2bf47e1269e7fdd7081
    Certificate configured.

Then Export the Certificate(s) for that Trustpoint

Petes-ASA# configure terminal
Petes-ASA(config)# crypto ca export PNL-Trustpoint-1 pkcs12 Password123

Exported pkcs12 follows:
-----BEGIN PKCS12-----
MIISXwIBAzCCEhkGCSqGSIb3DQEHAaCCEgoEghIGMIISAjCCEf4GCSqGSIb3DQEH
BqCCEe8wghHrAgEAMIIR5AYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQId/f5

{{{{{{{LOTS OF OUTPUT REMOVED FOR THE SAKE OF BREVITY}}}}}}}}}}}

mLt/6QKDVig6ofxrnvP0tbh9Jmjwe4NkTsJUb+H+7JGvJoUsMD0wITAJBgUrDgMC
GgUABBRCPROoZsdSBfIpwVmvfSSoOxzNCAQUWJ/J9hTkuNd92u4Z3owgrrO3cYIC
AgQA
-----END PKCS12-----
Petes-ASA(config)#  

[/box]

Cisco ASA Import Certificates From ASDM

Configuration > Device Management > Certificate Management > Identity Certificates > Add > Use the same Trustpoint name as the source firewall > Browse the file you exported earlier > Enter the passphrase > Add Certificate.

Cisco ASA Import Certificates From Command Line.

To do the same at CLI the procedure is as follows, Note: You need to paste in the text from the output.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# crypto ca import PNL-Trustpoint-1 pkcs12 Password123

Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
MIISXwIBAzCCEhkGCSqGSIb3DQEHAaCCEgoEghIGMIISAjCCEf4GCSqGSIb3DQEH
BqCCEe8wghHrAgEAMIIR5AYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQId/f5

{{{{{{{LOTS OF OUTPUT REMOVED FOR THE SAKE OF BREVITY}}}}}}}}}}}

mLt/6QKDVig6ofxrnvP0tbh9Jmjwe4NkTsJUb+H+7JGvJoUsMD0wITAJBgUrDgMC
GgUABBRCPROoZsdSBfIpwVmvfSSoOxzNCAQUWJ/J9hTkuNd92u4Z3owgrrO3cYIC
AgQA
-----END PKCS12-----
quit

INFO: Import PKCS12 operation completed successfully
Petes-ASA(config)#  

[/box]

 

Assorted Firewall Migration ‘Gotchas’

Time (Clock Setting)

If you do any AAA via Kerberos or LDAP, then not having the time correct on the new ASA might get you locked out of it. I would always suggest setting up NTP so do that before you restart.

Cisco ASA – Configuring for NTP

ARP Cache

Not on the ASA, but on the devices the ASA is connecting to, (routers and switches etc). Unplug an ASA 5505 and plug in an ASA 5506, and nine times out of ten you will not get comms. This is because the device you are connecting to has cached the MAC address of the old firewall in its ARP cache. So either reboot the device, (or it thats not practical, lower the ARP cache to about 30 seconds).

 

ASA 5505 to 5506 Config To Copy And Paste

Below I’ll put a full config for an ASA 5505. If the text is normal,the commands can be copy and pasted directly into the new firewall. If the text is RED, then you can NOT, and I will have outlined the problems above.

 

[box]

hostname Petes-ASA
 domain-name petenetlive.com
 enable password H4ejVQF2DI/W9sLZ encrypted
 xlate per-session deny tcp any4 any4
 xlate per-session deny tcp any4 any6
 xlate per-session deny tcp any6 any4
 xlate per-session deny tcp any6 any6
 xlate per-session deny udp any4 any4 eq domain
 xlate per-session deny udp any4 any6 eq domain
 xlate per-session deny udp any6 any4 eq domain
 xlate per-session deny udp any6 any6 eq domain
 passwd 2GFQnbJIdI.2KYOU encrypted
 names
 !
 interface Ethernet0/0
 switchport access vlan 2
 !
 interface Ethernet0/1
 !
 interface Ethernet0/2
 switchport access vlan 12
 !
 interface Ethernet0/3
 !
 interface Ethernet0/4
 !
 interface Ethernet0/5
 !
 interface Ethernet0/6
 !
 interface Ethernet0/7<
 !
 interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 !
 interface Vlan2
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.252
 !
 DONT COPY OVER THE BOOT SYSTEM PATHS FROM THE OLD FIREWALL
 !
 boot system disk0:/asa903-6-k8.bin
 boot system disk0:/asa902-k8.bin
 ! 
 ftp mode passive
 clock timezone GMT/BST 0
 clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
 dns server-group DefaultDNS
 domain-name petenetlive.com
 same-security-traffic permit inter-interface
 same-security-traffic permit intra-interface
 !
 NOTE ALL THE OBJECTS AND OBJECT GROUPS CAN BE COPIED OVER
 !
 object network obj_any
 subnet 0.0.0.0 0.0.0.0
 object network Obj-INT-Server1
 host 192.168.1.10
 object network Obj-Ext-Public_1
 host 123.123.123.124
 object network VPN_Pool
 subnet 10.253.253.0 255.255.255.0
 object service Obj-ApplicationX-Ports-TCP
 service tcp destination eq 1234
 object-group icmp-type Obj-ICMP
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
 !
 NOTE ALL THE ACCESS-LISTS CAN BE COPIED OVER
 !
 access-list inbound remark traffic allowed to Server1
 access-list inbound extended permit tcp any object Obj-INT-Server1 object-group Obj-ApplicationX-Ports-TCP
 access-list inbound extended deny ip any any log disable
 access-list outbound remark traffic allowed from Server1
 access-list outbound extended permit ip object Obj-INT-Server1 any
 access-list outbound extended deny ip any any log disable
 !
 no pager
 logging enable
 logging asdm debugging
 logging mail critical
 logging from-address netalerts@petenetlive.com
 logging recipient-address externalalert@petenetlive.com level critical
 mtu inside 1500
 mtu outside 1500
 ip local VPN-POOL 10.253.253.1-10.253.253.50 mask 255.255.255.128
 !
 IF YOU EXECUTE A NO FAILOVER IT WILL COMPLAIN IF YOU DON'T HAVE A FAILOVER LICENCE
 !
 no failover
 ! 
 icmp unreachable rate-limit 50 burst-size 10
 icmp permit any inside
 icmp permit any outside
 no asdm history enable
 arp timeout 14400
 no arp permit-nonconnected 
 !
 NAT COMMANDS ARE FINE IF THE SOURCE IS NEWER THAN VERSION 8.3
 !
 nat (inside,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
 !
 object network obj_any
 nat (inside,outside) dynamic interface
 object network Obj-INT-Server1
 nat (inside,outside) static Obj-Ext-Public_1
 !
 access-group inbound in interface inside
 access-group outbound in interface outside<
 !
 route outside 0.0.0.0 0.0.0.0 123.123.123.124 1
 route inside 192.168.1.0 255.255.255.0 192.168.1.50 1
 timeout xlate 3:00:00
 timeout pat-xlate 0:00:30
 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
 timeout tcp-proxy-reassembly 0:01:00
 timeout floating-conn 0:00:00
 dynamic-access-policy-record DfltAccessPolicy
 !
 aaa-server AD protocol kerberos
 aaa-server AD (Inside) host 192.168.1.10
 kerberos-realm PETENETLIVE.COM
 aaa-server AD (Inside) host 192.168.1.11
 kerberos-realm PETENETLIVE.COM
 aaa-server AD-LDAP protocol ldap
 aaa-server AD-LDAP (Inside) host 192.168.1.10
 server-port 636
 ldap-base-dn OU=Users, OU=PETENETLIVE, DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password Password123
 ldap-login-dn cn=ciscoasa, OU=Service Accounts, OU=Service, DC=petenetlive, DC=com
 ldap-over-ssl enable
 server-type microsoft
 ! 
 user-identity default-domain LOCAL
 aaa authentication enable console LOCAL 
 aaa authentication http console LOCAL 
 aaa authentication ssh console LOCAL 
 aaa authentication telnet console LOCAL 
 aaa authentication serial console LOCAL 
 http server enable 2456
 http 192.168.1.0 255.255.255.0 inside
 http 245.245.245.0 255.255.255.0 outside
 no snmp-server location
 no snmp-server contact
 snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
 sysopt noproxyarp inside 
 sysopt connection tcpmss 0
 crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
 crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
 crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
 crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
 crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
 crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
 crypto map outside_map interface outside
 crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
 crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
 crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
 crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
 crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
 crypto ikev2 enable outside client-services port 443
 crypto ikev1 enable outside
 crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
 crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
 crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
 !
 crypto ca trustpoint PNL-Trustpoint-1
 enrollment terminal
 fqdn remote.petenetlive.com
 subject-name CN=remote.petenetlive.com,OU=IS,O=PeteNetLive,C=GB,St=Teesside,
 L=Middlesbrough,EA=admin@petenetlive.com!
 keypair PNL-NEW-KEYPAIR
 crl configure
 crypto ca trustpool policy
 crypto ca certificate chain ASDM_TrustPoint1
 certificate ca 33f5d6ed96a558bc45f43f6c9b8fd82d
 30820397 3083027f a0030201 02021033 f5d6ed96 a558bc45 f43f6c9b 8fd82d30 
 0d06092a 864886f7 0d010105 05003052 31133011 060a0992 268993f2 2c640119 
 16036e65 74311b30 19060a09 92268993 f22c6401 19160b70 6574656e 65746c69 
 7665311e 301c0603 55040313 15706574 656e6574 6c697665 2d504e4c 2d44432d 
 4341301e 170d3133 31313131 31313135 30305a17 0d323331 31313131 31323530 
 305a3052 31133011 060a0992 268993f2 2c640119 16036e65 74311b30 19060a09 
 92268993 f22c6401 19160b70 6574656e 65746c69 7665311e 301c0603 55040313 
 15706574 656e6574 6c697665 2d504e4c 2d44432d 43413082 0122300d 06092a86 
 4886f70d 01010105 00038201 0f003082 010a0282 010100c8 2d21e8cb 317741d7 
 e4eb4af4 2561f92a efec293a 9202bc38 e9d25eb7 3a0ff9e0 7c7ee9b3 8e76f328 
 df115581 3f70ac45 91b402b4 dba25c80 6dee49da eb904bda f2fbb21f 5661ba2a 
 81f9cd37 87d87811 05cce829 8112495b 0587b272 12b6d3c1 107d9529 e860900b 
 947af212 0b72eb0e de2f5891 87be7172 1fc02f38 ba82d0c9 ec3351b2 c6fe216a 
 0f674e81 608ba7f9 5fd9343a 4d815a12 0dbc0747 854211ba c0a32cdb 18fe8a92 
 bc5dd319 f4fba969 ed95c7d6 a51620f3 d3510b56 17471ece 89c2393d c14b42b9 
 2d4fc2c5 7f47b9b0 c4645c60 00d02e1c e54669b9 e54d0d49 1b6a4a09 e5f1ad5c 
 e2f901d9 b679ef5a 27de98bf 089c79b4 6723295a 436db902 03010001 a3693067 
 30130609 2b060104 01823714 0204061e 04004300 41300e06 03551d0f 0101ff04 
 04030201 86300f06 03551d13 0101ff04 05300301 01ff301d 0603551d 0e041604 
 146baa8b 30599cfb d5a0b40a 33a9c296 f4f24ec2 80301006 092b0601 04018237 
 15010403 02010030 0d06092a 864886f7 0d010105 05000382 0101007a d4edaf88 
 6bd0d3d5 916c9c1c 3d67d551 f78b41f6 75740965 f6dca8df 30878d56 65b900c8 
 cb27aa65 9092c9f0 c3bdc080 ded23cb0 10715db9 af8cd39c 5416d8d2 a0ee7ae2 
 ceb09be7 145a0969 1bf672db e0c532d2 26a27e8a f897f474 e9e638e1 bf12e385 
 3bb9af1e bdaadecd cbcf5a61 23c5b68f a040a5e0 70150541 d190eeef 3d72d702 
 b0d9d3fa 0241802a b87505c6 a217c714 e9f55692 b9bdd84f 25351f18 35bf53c1 
 b24d10be 876ef392 c971dee4 10a5d244 d08624eb 6d29975a 2f35e3d1 38260a1d 
 51e6b661 f0c709a7 0e072039 530a26b8 78d00f22 a754c0f7 90fb58a0 5d564259 
 ceafe29f 22e95391 7ea10a81 629f384c 7ed8d009 02f65068 e93ff0
 quit
 crypto ca certificate chain PNL-Trustpoint-1
 certificate 1a000000056df312597af00c80000000000005
 3082062a 30820512 a0030201 0202131a 00000005 6df31259 7af00c80 00000000 
 0005300d 06092a86 4886f70d 01010505 00304b31 13301106 0a099226 8993f22c 
 64011916 03636f6d 311b3019 060a0992 268993f2 2c640119 160b7065 74656e65 
 746c6976 65311730 15060355 0403130e 504e4c2d 44432d50 524f442d 4341301e 
 170d3135 30363135 31353131 32325a17 0d313730 36313531 35323132 325a3081 
 c9312530 2306092a 864886f7 0d010902 13167265 6d6f7465 2e706574 656e6574 
 6c697665 2e636f6d 310b3009 06035504 06130247 42311130 0f060355 04081308 
 54656573 73696465 31163014 06035504 07130d4d 6964646c 65736272 6f756768 
 31143012 06035504 0a130b50 6574654e 65744c69 7665310b 30090603 55040b13 
 02495331 1f301d06 03550403 13167265 6d6f7465 2e706574 656e6574 6c697665 
 2e636f6d 31243022 06092a86 4886f70d 01090116 1561646d 696e4070 6574656e 
 65746c69 76652e63 6f6d3082 0122300d 06092a86 4886f70d 01010105 00038201 
 0f003082 010a0282 010100ed 6403f970 5c3d8f90 c106cc7a 85b69965 05ac5a50 
 2f3f0351 984e28aa d68d1f28 88d44ae6 99997b06 cc7ca9a0 573db801 d8277276 
 b6e7d7a7 6863da35 29156dcd fbe063f2 9855bf75 b5529c22 ecbd87f0 9be50cc4 
 cf5d245f 9e7b4443 6e8afe02 9442f79d 16f0d4e6 09cdb3f4 0771173d 707a0cae 
 9facd254 a9ba4401 d3ce14fe 1ecee991 b83f7ca8 f11f549f b4b0f302 6d09eec7 
 b522d7b7 97af7648 a2f99b93 207c3f0c 62800df7 532478ad 9020c6e6 87fb956c 
 d20289f6 68efe7ff a7914fea 7b28d9f4 e8504c40 48f65d88 dffcfa3e 5ecbc50a 
 b28b07dc 792ce53d 0475ef96 12c3d402 d2ad7fcb b1099266 1fb5087b 71910dd4 
 d0b33dcf 7cc585c7 af0b4702 03010001 a3820286 30820282 300e0603 551d0f01 
 01ff0404 030205a0 30210603 551d1104 1a301882 1672656d 6f74652e 70657465 
 6e65746c 6976652e 636f6d30 1d060355 1d0e0416 0414e3d5 5aaa3004 d607bd3f 
 13384329 1acf7f21 92f3301f 0603551d 23041830 16801495 d2ae01e1 45769582 
 39b946bf a2799ccd c5d28a30 81d40603 551d1f04 81cc3081 c93081c6 a081c3a0 
 81c08681 bd6c6461 703a2f2f 2f434e3d 504e4c2d 44432d50 524f442d 43412c43 
 4e3d504e 4c2d4443 2d50524f 442c434e 3d434450 2c434e3d 5075626c 69632532 
 304b6579 25323053 65727669 6365732c 434e3d53 65727669 6365732c 434e3d43 
 6f6e6669 67757261 74696f6e 2c44433d 70657465 6e65746c 6976652c 44433d63 
 6f6d3f63 65727469 66696361 74655265 766f6361 74696f6e 4c697374 3f626173 
 653f6f62 6a656374 436c6173 733d6352 4c446973 74726962 7574696f 6e506f69 
 6e743081 c406082b 06010505 07010104 81b73081 b43081b1 06082b06 01050507 
 30028681 a46c6461 703a2f2f 2f434e3d 504e4c2d 44432d50 524f442d 43412c43 
 4e3d4149 412c434e 3d507562 6c696325 32304b65 79253230 53657276 69636573 
 2c434e3d 53657276 69636573 2c434e3d 436f6e66 69677572 6174696f 6e2c4443 
 3d706574 656e6574 6c697665 2c44433d 636f6d3f 63414365 72746966 69636174 
 653f6261 73653f6f 626a6563 74436c61 73733d63 65727469 66696361 74696f6e 
 41757468 6f726974 79303d06 092b0601 04018237 15070430 302e0626 2b060104 
 01823715 0885fbfb 0d83ea8c 0c83e187 2282c9d9 5783d9e2 675c86b2 fd3486f3 
 8d1b0201 64020104 30130603 551d2504 0c300a06 082b0601 05050703 01301b06 
 092b0601 04018237 150a040e 300c300a 06082b06 01050507 0301300d 06092a86 
 4886f70d 01010505 00038201 01002154 6bf54ea2 23a10a75 77df1b15 65c4c2b9 
 f17ff795 1cc28834 f41e6d88 3e03f18a 6e2bdc05 f1da80b3 10ccf096 eeec10c4 
 07dccb0a 0791a99f afda01ac 6cc7d985 82060c56 9e871a56 136805b3 7c277162 
 ae034197 addfe623 2bb814dd a401b053 b44fd7a6 302237ac f5bcc024 a25d3f84 
 d8d3ecb4 de0d9c7e 51e56c95 5e2ebf7a fee86ac6 26dcbaf8 09e4864f f3956447 
 398ed790 8cba02c3 bddca424 3777d625 3e39ed27 8b2778b8 20414b5d 30d1b20a 
 ee1e2771 deea6f40 e2ed07de 8e66e2b6 651d7b19 4f3594d6 8acc0713 fd4436cc 
 c38e9f92 b0ebc89a f39c599d 28a23040 d46dd8ad 80fec713 d38987f5 0c473098 
 5584e2de 3a1be0e3 72c24d48 90de
 quit
 certificate ca 5ec427e4910fa2bf47e1269e7fdd7081
 30820371 30820259 a0030201 0202105e c427e491 0fa2bf47 e1269e7f dd708130 
 0d06092a 864886f7 0d010105 0500304b 31133011 060a0992 268993f2 2c640119 
 1603636f 6d311b30 19060a09 92268993 f22c6401 19160b70 6574656e 65746c69 
 76653117 30150603 55040313 0e504e4c 2d44432d 50524f44 2d434130 1e170d31 
 35303631 32313231 3935375a 170d3330 30363132 31323239 35365a30 4b311330 
 11060a09 92268993 f22c6401 19160363 6f6d311b 3019060a 09922689 93f22c64 
 0119160b 70657465 6e65746c 69766531 17301506 03550403 130e504e 4c2d4443 
 2d50524f 442d4341 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 
 3082010a 02820101 00ad6ce6 b3d3852b 6524ee38 bab2beb8 1184f717 0bcebe1f 
 7b590260 6f0d0503 6d3409cb fcc7af7c f197cc74 91de290f cd65da5b cb5715b9 
 5c975ad6 20ba8573 4e4058fc 383f40d2 08f6390d f4c5c3e5 c7fc8571 ba7613a4 
 5e0dafde b98b8641 f9b5ba7f c50142c6 7854a785 22fa94d8 2f648590 0a0287ab 
 568fcac4 e6fde0aa 11cafe44 beadd840 7c1fa631 89be34c0 bf15858e c44f78be 
 c1140f04 f1b89eb0 23442430 bacd9b9d a3b2620b 5d0e59c1 520b39e2 f95c9e91 
 305bd92b 4eab53b6 bfee551d 57e1f864 a043a757 39150ca7 bfdfb6ab 77510fa9 
 c8c35eec 02a59c75 460cdd61 7cae7949 9879e472 970bb444 25d01556 336b1a86 
 1ec95330 cac03f5e 01020301 0001a351 304f300b 0603551d 0f040403 02018630 
 0f060355 1d130101 ff040530 030101ff 301d0603 551d0e04 16041495 d2ae01e1 
 45769582 39b946bf a2799ccd c5d28a30 1006092b 06010401 82371501 04030201 
 00300d06 092a8648 86f70d01 01050500 03820101 005c4437 216d5cc1 38a0e3bb 
 8af4657d 83fca1a3 57483d54 4a73a663 c8bf8c2a b0280cc4 155f4a15 72da34ee 
 6e67ae3f c503b73f 3e267f05 b1be022e 2e979295 b661e942 ef8d2039 4da5e555 
 a1babc03 33792b4d 85272d81 0484c36c fd49c383 dd95b1a3 64dbca14 b01bc48a 
 61b6cb84 38128fbe 2860097c 1a0e15a1 6a3c409a be6074fb be64d87a 6d46b11e 
 8548fb44 dfc35483 1c7668cd e72828fa 102a2069 8939f613 11ec5bb6 341a70fc 
 a6a85bc6 a93cdc73 59b36756 cba6f787 957d3eca 1ef9a057 31c2ae9c 26ab72f5 
 096129c6 0ed0bc05 0a7bca34 ae6fd90a 1e86cf91 49f558ea e174de18 dc8cb428 
 922bb233 ee5cf072 98a78f60 1a98f540 7c227063 e2
 quit
 !
 telnet 0.0.0.0 0.0.0.0 inside
 telnet timeout 5
 ssh 192.168.1.0 255.255.255.0 inside
 ssh timeout 5
 ssh version 2
 console timeout 0
 !
 YOUR NEW FIREWALL HAS A MANAGEMENT INTERFACE, YOU MIGHT NOT WANT TO COPY THIS OVER
 ! 
 management-access Inside
 !
 tls-proxy maximum-session 24
 !
 threat-detection basic-threat
 threat-detection statistics port
 threat-detection statistics protocol
 threat-detection statistics access-list
 no threat-detection statistics tcp-intercept
 ntp server 87.194.255.141 source outside
 ntp server 194.117.157.4 source outside prefer
 ssl encryption 3des-sha1
 webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect profiles SSL_VPN disk0:/Petenetlive-profile.xml 
 anyconnect enable
 tunnel-group-list enable
 ! 
 group-policy DefaultRAGroup internal
 group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.12 192.168.1.13
 vpn-tunnel-protocol ikev2 l2tp-ipsec 
 default-domain value petenetlive.com
 group-policy DfltGrpPolicy attributes
 dns-server value 192.168.1.12 192.168.1.13
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 address-pools value VPN_Pool
 !
 username user1 password G0=2iYoApombmlE5de7 encrypted
 username user1 attributes
 service-type remote-access
 !
 tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_Pool
 !
 class-map inspection_default
 match default-inspection-traffic
 !
 policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum client auto
 message-length maximum 512
 policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map 
 inspect ftp 
 inspect tftp 
 inspect icmp 
 inspect pptp 
 inspect ipsec-pass-thru 
 inspect icmp error 
 class class-default
 set connection decrement-ttl
 !
 service-policy global_policy global
 smtp-server 192.168.1.41 192.168.1.42
 prompt hostname context
 no call-home reporting anonymous
 call-home
 profile CiscoTAC-1
 no active
 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
 destination address email callhome@cisco.com
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily 
 no call-home reporting anonymous
 : end

[/box]

 

Related Articles, References, Credits, or External Links

NA