Cisco released information on their blog a few days ago to say that they would be offering free Umbrella, Duo and AnyConnect licences to customers in the wake of the COVID-19 outbreak.
That's great news, but there's no information on how to get the AnyConnect licences. It just says speak to your Cisco partner. As I am a Cisco partner I was confused, and it seems my colleagues were also. So I contacted Cisco Partner help, who passed me to licensing, who passed me to Cisco TAC, who opened a call. 24 hours later, still no reply. Luckily by this time a colleague had managed to set this up for a client, and he pointed me in the right direction (cheers Trev!).
Solution
Note: This procedure DOES NOT work for vASA or FTD. You can email licensing@cisco.com Subject: ‘COVID-19 AnyConnect License Request’. Provide your platform information, and smart account details, and they will provision licenses for your account that you can then assign via the usual methods.
Note: I exclusively work at command line, I realise some people are terrified of doing this, so if you want to work with activation keys and serial numbers in the ASDM then read this post.
Log into your Cisco Device (in my case a Cisco ASA) and get the serial number. (Issue a show version command).
Note: I would also take a copy of the Activation Key at this point paste it into Notepad and keep it somewhere safe.
Also from the show version command you will see I only have the factory default 2 AnyConnect premium licences.
You will need a Cisco CCO account, these are free to setup and once you have one you can log into the licensing portal, from there, (either using classic licences or SMART licences) > Get Licences > Demo and Evaluation > Security Products > AnyConnect Plus/Apex(ASA) Demo Licence and Emergency COVID-19 Licence > Next.
Enter the Serial Number of your ASA (from above), Here I asked for 10 users, you will get the maximum for your model of ASA, if you don’t know what the maximum is see this article > Next.
Review > Next.
You will get sent the licence by email, (this has a habit of going into spam!) But I download them directly anyway.
Here's your new activation key, copy it to the clipboard;
Execute the following commands;
[box]
Petes-ASA# configure terminal
Petes-ASA(config)# activation-key a27ed158 406176b7 799f41f2 6184be43 12345678
Validating activation key. This may take a few minutes...
The requested key is a timebased key and is activated, it has 91 days remaining.
[/box]
Now if you recheck your AnyConnect Licence count, it will match the maximum for your hardware.
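As an added check (example code, not from the original post), the following Python parses the 'Licensed features' section of show version, confirms the AnyConnect Premium Peers count now matches what you expect for the hardware, and warns when a time-based key (like the 91-day one above) is close to expiry. The show version sample is constructed and only modelled on the real column layout.

```python
import re

# Constructed sample of the 'Licensed features' block from 'show version'
# after the emergency key is applied (illustrative values, not a real capture).
SHOW_VERSION_SAMPLE = """\
Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 20             DMZ Unrestricted
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 25             91 days
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 25             perpetual
Total VPN Peers                   : 25             perpetual
AnyConnect for Mobile             : Enabled        91 days
Advanced Endpoint Assessment      : Disabled       perpetual

This platform has an ASA 5505 Security Plus license.
"""

# name : value term   (term is 'perpetual', 'N days', or a VLAN restriction note)
FEATURE_RE = re.compile(r"^(?P<name>[A-Za-z0-9\- /]+?)\s*:\s*(?P<value>\S+)\s+(?P<term>.+?)\s*$")


def parse_license_features(text):
    """Return {feature name: (value, term)} for the 'Licensed features' block only."""
    features, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("Licensed features"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.strip():  # blank line ends the block
            break
        m = FEATURE_RE.match(line)
        if m:
            features[m.group("name").strip()] = (m.group("value"), m.group("term").strip())
    return features


def days_remaining(term):
    """'perpetual' -> None; '91 days' -> 91."""
    m = re.match(r"(\d+)\s+days?", term)
    return int(m.group(1)) if m else None


def check_anyconnect(features, expected_peers, warn_days=30):
    """Compare licensed Premium Peers to the expected hardware maximum and
    flag a time-based key that expires within warn_days.
    Returns (peers, days_left_or_None, list_of_findings)."""
    value, term = features.get("AnyConnect Premium Peers", ("0", "perpetual"))
    peers = int(value) if value.isdigit() else 0
    days = days_remaining(term)
    findings = []
    if peers < expected_peers:
        findings.append(f"only {peers} AnyConnect Premium Peers licensed, expected {expected_peers}")
    if days is not None and days <= warn_days:
        findings.append(f"time-based key expires in {days} days")
    return peers, days, findings


if __name__ == "__main__":
    feats = parse_license_features(SHOW_VERSION_SAMPLE)
    print(check_anyconnect(feats, expected_peers=25, warn_days=100))
```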
I Need More! Sorry buddy, you need to replace the hardware with a larger one.
Related Articles, References, Credits, or External Links
For most people that's fine, but if you have a lot of FirePOWER devices to manage that does not scale well. In those cases you should use the FMC (FirePOWER Management Center). Here I'm going to use the VMware virtual appliance (at the time of writing there is no Hyper-V version).
This lets you create policies centrally and then deploy them to your devices in bulk.
Solution
Deploy the FirePOWER Management Center Appliance
Obviously before you start you need to have VMware (ESX or vCenter). With 250GB of storage free, (you can deploy it thin provisioned). You will also need to allocate 8GB of RAM and 4 virtual CPUs. Whichever network (or VMware port Group) you connect the appliance to it needs to have IP connectivity to the devices you intend to manage.
Download the FMC Appliance: Be aware it downloads in tar.gz format, so on a Windows machine you will need something like 7-Zip to uncompress the files. You WON'T find the file under the firewalls; they are listed under;
You will need to accept the EULA, then set the admin password, and some basic IP settings.
I’ve got IPv6 disabled, if you want to address the appliance with IPv6 enter the details here.
Even after the appliance has been imported and powered on it can take 20-30 minutes before you can log on. At this point I would go and do something else. If you really must, then open a ‘console’ session and wait until the logon prompt is shown. You can then logon to the web portal.
Go to System > Updates > Download and install any updates > Visit both the ‘Rule Updates’ and the ‘Geolocation Updates’ tabs and set a time to download them.
Don’t Install the licences Just Yet! Add your devices to the FMC first, then if there’s a problem and you need to rebuild/redeploy, you don’t have to go cap in hand to Cisco licensing to get the licences re-armed. To add the SFR devices see the following article;
Network Discovery: Older versions of the FMC used to only look for RFC 1918 IP ranges. This was changed at some point to 0.0.0.0/0 so you couldn't misconfigure the system by, for example, having a non-private address space internally. This was a good idea, but I've seen some firewalls fall over trying to run discovery on every IP address they see! So let's manually add in our subnets. Objects > Object Management > Add Network > Add Object > Add one for your internal network(s).
Policies > Network Discovery > Remove the 0.0.0.0 Rule.
Create a new discovery rule using just your subnet(s).
Adding Licences To FirePOWER Management Center
You used to have to licence the appliance itself, after version 6 you don’t need to do that, if you have a licence and you try and apply it nothing happens and you just see this message;
Note: FireSIGHT is the old name for FirePOWER Management Center.
What Licences do I need to Add? Your Next Generation Firewalls now come with a ‘CONTROL LICENSE‘ in the box, it is in a large white card envelope, you don’t need to open it the number you need is on the front of the envelope. You add a control licence for every device you want to manage (they do not expire).
System > Licences > Classic Licenses > You need to take a note of the ‘Licence Key’, (which is the MAC address of the appliance with a 66 in front of it). This is the serial number you need to enter on the Cisco licensing portal.
When you get the licence back, if you open it in a text editor it will look like this (it's essentially a digital certificate). Copy everything from '— BEGIN' to 'License —'.
Paste in the text > Submit License.
Repeat for each licence (IDS, AMP, URL Filtering, etc.).
You will also need to allocate the licenses to devices. Devices > Device Management Select the Device in question > Edit.
To use an intrusion policy the devices each need a ‘Protection‘ licence. Note: You get a protection licence now automatically when you add a CONTROL licence, but you still need to pay a subscription to legally obtain the updates.
Policies > Access control > Intrusion > Create Policy.
Give the policy a recognisable name > Create and Edit policy.
The policy it creates is based on the 'Balanced Security and Connectivity' template. You might want to add a few extra rules > Rules > Blacklist > Select All.
Rule State > Drop and Generate Events.
Repeat for 'Malware'. Note: This does NOT require an AMP licence.
Repeat for PUA (Potentially Unwanted Applications).
Repeat for ‘Indicator Compromise‘.
Repeat for ‘Exploit Kit‘.
Search for ‘1201’ and locate the ‘INDICATOR-COMPROMISE 403 Forbidden’ rule and DISABLE IT.
Policy Information > Commit Changes > OK.
Note: To be used, the Intrusion policy needs to be declared in an Access control policy (or set as a Default Action).
Also in the Access Policy set the logging to ‘Log at the end of connection‘.
As mentioned above you can also set it as the ‘Default Action‘.
Configuring FirePOWER AMP and File Policy
You need an AMP, (subscription based licence) to enable the ‘Malware Cloud Lookup, or Block Malware‘ Actions, but you can have a file policy and block specific file types.
Policies > Access Control > Malware and File > New File Policy.
Give the policy a name you will remember > Save.
Action = Malware Cloud lookup > Add in the files you want to scan > Below I’ve set it to store unknown files > Save.
Then create another rule below that one that detects all files.
As above, the file policy won't be applied to anything unless you specify it in an access policy.
In the rule also set the logging to ‘log at the end of connection’.
Configuring FirePOWER URL Filtering Policy
You need to have a URL filtering licence allocated to the devices you want to use this policy on.
Unlike File policies and Intrusion policies, URL filtering is configured directly on your Access Control policy > Add Rule.
Here's an example of blocking some categories you don't want viewable in your organisation.
In a rule that only has URL filtering, set the logging to 'Log at the beginning of the connection'.
When done, don’t forget to ‘Deploy‘ the new policy to your managed devices. Deploy > Select Devices > Deploy.
Related Articles, References, Credits, or External Links
When Cisco released the 8.2 version of the ASA code, they changed their licensing model for AnyConnect Licenses. There are two licensing models, Premium and Essentials.
Solution
Cisco ASA AnyConnect Premium Licenses.
You get two of these free with your firewall*, with a ‘Premium License’ you can use the AnyConnect client software for remote VPN Access, and you can access Clientless SSL facilities via the web portal.
*As pointed out by @nhomsany: "The two default premium licenses available are NOT cross-platform, (i.e. only Mac or Windows)."
Additionally you can use this license model with the 'Advanced Endpoint Assessment License'; this is the license you require for Cisco Secure Desktop. You can also use this license with the 'AnyConnect Mobile license' for access from mobile devices like phones or tablets (both these licenses are an additional purchase).
For most people wishing to buy extra AnyConnect licensing, this will be the one you want. Their type and size differ depending on the ASA platform in question, e.g. the 5505 premium licenses are available as 10 session and 25 session licenses; the 5510 are in 10, 25, 50, 100 and 250 sessions. (Note: These are correct for version 8.4 and are subject to change, check with your reseller).
Failover: If you are using failover firewalls you can (but don't have to) use a shared license model. This lets you purchase a bundle of Premium licenses and share them across multiple pieces of hardware; it requires an ASA to be set up as the 'license server'. Before version 8.3 you needed to purchase licenses for both firewalls. After version 8.3, Cisco allowed the licenses to be replicated between firewalls in a failover pair. The exception is Active/Active, where the number of licenses is aggregated from both firewalls and ALL are available, providing the figure does not exceed the maximum for the hardware being used.
Cisco ASA AnyConnect Essential Licenses
When you enable 'Essentials Licensing', your firewall changes its licensing model and the two Premium licenses you get with it are disabled*. The firewall will then ONLY accept AnyConnect connections from the AnyConnect VPN client software.
Note: The portal still exists, but can only be used to download the AnyConnect Client Software.
With Essentials licensing enabled, the firewall will then accept the maximum VPN sessions it can support for that hardware version (see here), without the need to keep adding licenses.
Note: Remember these are "Peer VPN Sessions". If you have a bunch of other VPNs (including IPSEC ones), then these are taken from the same 'pot'.
Additionally, you can also use this license with the 'AnyConnect Mobile license' for access from mobile devices like phones or tablets; this license is an additional purchase.
Failover: Prior to version 8.3, if you have failover firewalls and are using Essentials licenses you need to purchase an Essentials license for BOTH firewalls. After version 8.3 Cisco allowed the licenses to be replicated between firewalls in a failover pair.
*To re-enable the built-in Premium licenses you need to disable Essentials licensing by using the 'no anyconnect-essentials' command, or in the ASDM > Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials.
Related Articles, References, Credits, or External Links
While using the Apple/Cisco Anyconnect App/Client you receive the following error.
Error:
The secure gateway has rejected the agent’s VPN request. A New connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
The following message was received from the security gateway: No License.
Solution
The most pertinent information above is the last two words of the error message: "No License".
This DOES NOT mean you have run out of SSL/AnyConnect licences!
This licence is a “One Off” purchase and will enable the feature on your ASA, be aware the licence is different for each model make sure you purchase the correct one!
AnyConnect Mobile, (or AnyConnect for Mobile) licence details can be found at Cisco’s website Below is the section we are interested in.
Update 2017: Applying a modern AnyConnect (v4) licence, will also enable the mobile feature as well.
Once the correct licences are installed this is what it SHOULD look like.
Related Articles, References, Credits, or External Links
While using the Android/Cisco Anyconnect App/Client you receive the following error.
Error:
The secure gateway has rejected the agent’s VPN request. A New connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
The following message was received from the security gateway: No License.
Solution
The most pertinent information above is the last two words of the error message: "No License".
This DOES NOT mean you have run out of SSL/AnyConnect licences!
This licence is a “One Off” purchase and will enable the feature on your ASA, be aware the licence is different for each model make sure you purchase the correct one!
AnyConnect Mobile, (or AnyConnect for Mobile) licence details can be found at Cisco’s website Below is the section we are interested in.
Once the correct licences are installed this is what it SHOULD look like.
Related Articles, References, Credits, or External Links
Given the amount of ASA work I do it’s surprising that the first time I saw an ASA 5506-X was last week (I’ve been working on larger firewalls for a while). I’m probably going to have to do a few of these over the next couple of years so I’ll update this article as things surface.
Solution
Q: Can I just copy the config from an ASA 5505 to an ASA 5506-X?
A: No. That would be nice; truth be told, if the 5505 is running an OS newer than 8.3, about 90% of the config can be copied and pasted if you know what you are doing.
The ASA 5506 Interfaces are different.
Unlike its predecessor (and just about all other Cisco equipment), the interfaces start at number 1 (the 5505 starts at 0).
The 5506 Interfaces are the opposite way round (left to right).
The 5506 has IP addresses applied to its physical interfaces, whereas the 5505 had IP addresses applied to VLANs and then the physical interfaces were added to the appropriate VLAN. Note: the 5506 still supports VLANs (5, or 30 with a Security Plus license).*
*UPDATE: After version 9.7 This has changed (on the 5506-X) See the following article for an explanation;
So let’s say your 5505 has three interfaces called inside, outside, and DMZ, (yours might have different names, and you may only have two,) the relevant parts of the 5505 config would be;
VLAN Note: You might be wondering why no ports have been put into VLAN 1? By default all ports are in VLAN 1, So above, ports 0/1 and 0/3 to 0/7 are all in VLAN 1.
Outside IP Note: Yours may say ‘dhcp setroute’ if it does not have a static IP , that’s fine.
To convert that (Assuming you are NOT going to use the BVI interface, (see link above!);
If you use AnyConnect then prepare for a little hand wringing. The 5505 could support up to 25 SSLVPN connections. On a 5506 they are actually called AnyConnect now, and it supports up to 50.
There is no Essentials license for a 5506-X! Don’t bother looking, you need to get your head into AnyConnect 4 licensing, I’ve already written about that at length.
Q: Does this mean I can’t use my AnyConnect 3 (or earlier) packages in the new 5506?
A: Yes you can, but you will only get two connections, unless you purchase additional Apex/Plus licensing.
I’m working on the assumption that we are going to load in the AnyConnect 4 packages and use those. With that in mind if anyone manages to get them added to their Cisco profile without the ‘Additional Entitlement Required’ then contact me, and let me know how, (link at bottom). I have to ring Cisco and use my employers partner status to get the client software 🙁
In addition to getting new AnyConnect packages and loading them into the new 5506: if you have an AnyConnect XML profile, that will also need copying onto the new firewall's flash before you can paste the AnyConnect settings in.
Below you can see I’ve got a profile on my 5505.
Tools > File Transfer > File Transfer > Between Local PC and Flash. (Do the reverse to get the file(s) into the new 5506).
Note: You can also do this from CLI by copying the file to a TFTP server.
Below is a typical AnyConnect config from an ASA 5505, I’ve highlighted the lines that will cause you problems.
[box]
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
subnet 192.168.100.0 255.255.255.0
!
webvpn
enable outside
anyconnect-essentials <- REMOVE THIS, IT'S OBSOLETE
anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1 <- REPLACE WITH ANYCONNECT 4
anyconnect image disk0:/anyconnect-macosx-i386-3.1.04063-k9.pkg 2 <- REPLACE WITH ANYCONNECT 4
anyconnect profiles SSL-VPN-POLICY disk0:/PeteNetLive-Profile.xml <- COPY OVER FIRST
anyconnect enable
tunnel-group-list enable
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
!
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
dns-server value 10.0.0.10 10.0.0.11
wins-server none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
split-tunnel-all-dns enable
webvpn
anyconnect profiles value SSL-VPN-POLICY type user
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!
[/box]
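To catch the highlighted lines mechanically before pasting, here is an added Python example (not from the original post) that walks the 5505 webvpn block above, drops the obsolete anyconnect-essentials line, swaps any AnyConnect 3.x (or older) image for an AnyConnect 4 package, and lists the flash files (packages and the XML profile) that must be copied to the 5506 first. The AnyConnect 4 package names are placeholders for whatever you have uploaded to disk0:.

```python
import re

# Constructed sample: the webvpn block of the 5505 config shown above.
OLD_5505_WEBVPN = """\
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.04063-k9.pkg 2
 anyconnect profiles SSL-VPN-POLICY disk0:/PeteNetLive-Profile.xml
 anyconnect enable
 tunnel-group-list enable
"""

# Placeholder AnyConnect 4 package names (hypothetical, substitute the real
# file names you copied to disk0: on the 5506-X).
AC4_PACKAGES = {
    "win": "anyconnect-win-4.X.XXXXX-webdeploy-k9.pkg",
    "macosx": "anyconnect-macosx-4.X.XXXXX-webdeploy-k9.pkg",
}

# 'anyconnect image disk0:/anyconnect-<platform>-...-<major>.<minor>.<build>...pkg [order]'
IMAGE_RE = re.compile(
    r"^(?P<indent>\s*)anyconnect image disk0:/"
    r"(?P<pkg>anyconnect-(?P<plat>win|macosx|linux)\S*?-(?P<major>\d+)\.\d+\.\d+\S*\.pkg)"
    r"(?P<order>\s+\d+)?\s*$"
)
PROFILE_RE = re.compile(r"^\s*anyconnect profiles \S+ (?P<path>disk0:/\S+)\s*$")


def migrate_webvpn(config, packages=AC4_PACKAGES):
    """Rewrite a 5505 webvpn block for a 5506-X.
    Returns (new_lines, notes, files_to_copy): lines safe to paste, a note per
    change, and the flash files that must exist on the new box before pasting."""
    new_lines, notes, files_to_copy = [], [], []
    for line in config.splitlines():
        stripped = line.strip()
        if stripped == "anyconnect-essentials":
            notes.append("dropped 'anyconnect-essentials': no Essentials licence on a 5506-X")
            continue
        m = IMAGE_RE.match(line)
        if m and int(m.group("major")) < 4:
            plat = m.group("plat")
            if plat not in packages:
                notes.append(f"no AnyConnect 4 package given for {plat}; fix manually: {stripped}")
                new_lines.append(line)
                continue
            new_pkg = packages[plat]
            new_lines.append(f"{m.group('indent')}anyconnect image disk0:/{new_pkg}{m.group('order') or ''}")
            files_to_copy.append(f"disk0:/{new_pkg}")
            notes.append(f"replaced {m.group('pkg')} with {new_pkg}")
            continue
        p = PROFILE_RE.match(line)
        if p:  # keep the line, but the XML profile has to be copied over first
            files_to_copy.append(p.group("path"))
            notes.append(f"profile {p.group('path')} must be on the new flash before pasting")
        new_lines.append(line)
    return new_lines, notes, files_to_copy


if __name__ == "__main__":
    lines, notes, files = migrate_webvpn(OLD_5505_WEBVPN)
    print("\n".join(lines))
    print("\n".join(notes))
    print("copy first:", files)
```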
ASA Transferring Certificates From One ASA to Another
I appreciate a lot of you won't be using certificates, and even if you use AnyConnect you just put up with the certificate error. That's fine, but do me a favour? Before you do anything else, go and generate the RSA keys on your new 5506 (people forgetting to do this has caused me a LOT of grief over the years). So set the hostname and domain-name, and then generate the keys like so;
[box]
ciscoasa# configure terminal
Petes-ASA(config)# hostname Petes-ASA
Petes-ASA(config)# domain-name petenetlive.com
Petes-ASA(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
Petes-ASA(config)#
[/box]
OK, so if you are still reading this section, then you have at least one certificate, that you need to move to the new firewall. For each scenario here’s what I recommend you do;
Self Signed Certificate from your own PKI / CA Server : Just generate a new cert for the new firewall and import it the same as you did on the old firewall
Externally / Publicly signed certificate that you have paid for: This we will need to export then import onto the new 5506. (Note: If there’s not much time left to run on the validity, it may be easier to get onto the certificate vendor and have a new one reissued to save you having to replace it in a couple of months – just a thought).
If you have purchased a certificate you will have already gone through the process below;
The easiest option for you is to go to where you purchased the cert, download it again, and import it into the new firewall. But here's where you find out you forgot the username and password you used, or the guy who sorted this out has left the company, etc. If that is the case, all is not lost. You can export an identity certificate, either from the ASDM;
Cisco ASA Export Certificates From ASDM
Configuration > Device Management > Certificate Management > Identity Certificates > Select the certificate > Export > Choose a location and a ‘pass-phrase’.
Cisco ASA Export Certificates From Command Line.
To do the same at CLI the procedure is as follows;
[box]
Get Your Trustpoint(s) Names
Petes-ASA# show crypto ca trustpoints
Trustpoint ASDM_TrustPoint0:
Not authenticated.
Trustpoint PNL-Trustpoint-1:
Subject Name:
cn=PNL-DC-PROD-CA
dc=petenetlive
dc=com
Serial Number: 5ec427e4910fa2bf47e1269e7fdd7081
Certificate configured.
Then Export the Certificate(s) for that Trustpoint
Petes-ASA# configure terminal
Petes-ASA(config)# crypto ca export PNL-Trustpoint-1 pkcs12 Password123
Exported pkcs12 follows:
-----BEGIN PKCS12-----
MIISXwIBAzCCEhkGCSqGSIb3DQEHAaCCEgoEghIGMIISAjCCEf4GCSqGSIb3DQEH
BqCCEe8wghHrAgEAMIIR5AYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQId/f5
{{{{{{{LOTS OF OUTPUT REMOVED FOR THE SAKE OF BREVITY}}}}}}}}}}}
mLt/6QKDVig6ofxrnvP0tbh9Jmjwe4NkTsJUb+H+7JGvJoUsMD0wITAJBgUrDgMC
GgUABBRCPROoZsdSBfIpwVmvfSSoOxzNCAQUWJ/J9hTkuNd92u4Z3owgrrO3cYIC
AgQA
-----END PKCS12-----
Petes-ASA(config)#
[/box]
Cisco ASA Import Certificates From ASDM
Configuration > Device Management > Certificate Management > Identity Certificates > Add > Use the same Trustpoint name as the source firewall > Browse the file you exported earlier > Enter the passphrase > Add Certificate.
Cisco ASA Import Certificates From Command Line.
To do the same at CLI the procedure is as follows, Note: You need to paste in the text from the output.
[box]
Petes-ASA# configure terminal
Petes-ASA(config)# crypto ca import PNL-Trustpoint-1 pkcs12 Password123
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
MIISXwIBAzCCEhkGCSqGSIb3DQEHAaCCEgoEghIGMIISAjCCEf4GCSqGSIb3DQEH
BqCCEe8wghHrAgEAMIIR5AYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQId/f5
{{{{{{{LOTS OF OUTPUT REMOVED FOR THE SAKE OF BREVITY}}}}}}}}}}}
mLt/6QKDVig6ofxrnvP0tbh9Jmjwe4NkTsJUb+H+7JGvJoUsMD0wITAJBgUrDgMC
GgUABBRCPROoZsdSBfIpwVmvfSSoOxzNCAQUWJ/J9hTkuNd92u4Z3owgrrO3cYIC
AgQA
-----END PKCS12-----
quit
INFO: Import PKCS12 operation completed successfully
Petes-ASA(config)#
[/box]
Assorted Firewall Migration ‘Gotchas’
Time (Clock Setting)
If you do any AAA via Kerberos or LDAP, then not having the time correct on the new ASA might get you locked out of it. I would always suggest setting up NTP, so do that before you restart.
Not on the ASA, but on the devices the ASA is connecting to (routers and switches, etc.). Unplug an ASA 5505 and plug in an ASA 5506, and nine times out of ten you will not get comms. This is because the device you are connecting to has cached the MAC address of the old firewall in its ARP cache. So either reboot the device (or, if that's not practical, lower the ARP cache timeout to about 30 seconds).
ASA 5505 to 5506 Config To Copy And Paste
Below I'll put a full config for an ASA 5505. If the text is normal, the commands can be copied and pasted directly into the new firewall. If the text is RED, then you can NOT, and I will have outlined the problems above.