Cisco FTD: AMP/URL Filtering/Threat Detection and AVC

KB ID 0001686

Problem

This brings me to the end of my recent FTD articles. Although this is not a complete run though of all the capabilities, it will point you in the right direction to enable;

Solution

Each of these is a ‘Licensed Feature‘ which means it’s going to cost you. Not only that, but  you need to have the licences in your Cisco Smart Account before you start.

Connect to the FTD via the FDM web console. > Smart Licence > View Configuration > Enable Threat, Malware, and URL License.

Make sure it looks like this, before proceeding.

Mines got a ‘vanilla’ (factory default) policy, (allow everything out). But it’s set to TRUST, you need to change that to ALLOW, (you can’t do advanced inspection while it’s set to trust) > OK.

FTD: Enable IDS/IPS Intrusion Policy

With a policy access rule selected > Intrusion Policy > Enable > Select the level you want (they are pretty self explanatory, and if you have worked with Cisco IDS before you will be familiar) > OK.

Note: By default the FTD will be in IPS mode (prevention), If you want to change to IDS mode (detection). Then select policies > Security Policies > Intrusion > Inspection Mode > Edit > Chose ‘detection’ > OK

FTD: Enable AMP Policy

While in the access policy > File Policy > Block Malware All > OK.

FTD: Enable URL Filtering Policy

Now we need to create a new access rule and set its action to BLOCK. Create (add) a new access rule > Make sure it is ABOVE your default TRUST or ALLOW rule > Give it a name > Set the action to BLOCK > Then I’m simply adding the inside zone as the source, and the outside zone as the destination > URLs.

Then simply add in either the individual URLs you want to block. Or (more sensibly) the URL Category, i.e. Adult, Social Networking, or Gambling etc.  you want to block > OK > OK.

FTD: Enable Application Inspection (AVC)

Cisco have had AVC for a long time, but not many people use it, it’s the ability to perform up-to layer 7 (application layer) inspection and blocking. So let’s say you want to let your employees use LinkedIn but you don’t want them to use the job search, you can block that, or you want to block BitTorrent traffic, you can also do that with AVC. There are thousands of different options.

Like URL filtering you need to enable this on an access rule that’s set to BLOCK (here I’m lazily adding to the same one as my URL blocking, I suggest in production you create one just for AVC).

DONT FORGET: No changes will be applied untill you save and deploy the changes. (WHICH TAKES AGES!)

Related Articles, References, Credits, or External Links

Cisco Firepower 1010 Configuration

Cisco ASA: “Wrong Serial Number?”

KB ID 0001530

Problem

Cisco have done this for a while, the first time I saw it was years ago on a 5585, but all the NGFW models now have a ‘Serial Number” and a “Chassis Serial Number”. Normally you don’t care unless you need to log a TAC call online. So you issue a show version command, take a note of the serial number, and then it says, there’s no record of that serial number?

Solution

Just to be clear

SmartNets are registered to the Chassis Serial Number, this is NOT the serial number shown with a ‘show version‘ command.

Software (e.g. AnyConnect) is licensed to the Serial Number that IS shown with a ‘show version‘ command.

As a general rule, Cisco ASA chassis serial numbers start with JMX, and the serial numbers start with JAD.

How to Locate the Cisco ASA ‘Chassis Serial Number’

Well it’s printed on the chassis of course, but if it’s in a rack or a thousand miles away, that’s not much help! To get it remotely you use the ‘show inventory’ command;

[box]

Petes-ASA# show inventory
Name: "Chassis", DESCR: "ASA 5516-X with FirePOWER services, 8GE, AC, DES"
PID: ASA5516           , VID: V05     , SN: JMX1234ABCD

Name: "Storage Device 1", DESCR: "ASA 5516-X SSD"
PID: ASA5516-SSD       , VID: N/A     , SN: MSA21470XXX

Petes-ASA#

[/box]

How to Locate the Cisco ASA ‘Serial Number’

Same as with the old 5500 series firewalls, (and the PIX) use a show version command.

[box]

Petes-ASA# show version

Cisco Adaptive Security Appliance Software Version 9.8(2)24
Firepower Extensible Operating System Version 2.2(2.75)
Device Manager Version 7.8(2)151

Compiled on Thu 01-Mar-18 20:21 PST by builders
System image file is "disk0:/asa982-24-lfbff-k8.SPA"
Config file at boot was "startup-config"

Petes-ASA up 146 days 1 hour
failover cluster up 146 days 1 hour

Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Number of accelerators: 1

 1: Ext: GigabitEthernet1/1  : address is 00a7.42e1.6ed6, irq 255
 2: Ext: GigabitEthernet1/2  : address is 00a7.42e1.6ed7, irq 255
 3: Ext: GigabitEthernet1/3  : address is 00a7.42e1.6ed8, irq 255
 4: Ext: GigabitEthernet1/4  : address is 00a7.42e1.6ed9, irq 255
 5: Ext: GigabitEthernet1/5  : address is 00a7.42e1.6eda, irq 255
 6: Ext: GigabitEthernet1/6  : address is 00a7.42e1.6edb, irq 255
 7: Ext: GigabitEthernet1/7  : address is 00a7.42e1.6edc, irq 255
 8: Ext: GigabitEthernet1/8  : address is 00a7.42e1.6edd, irq 255
 9: Int: Internal-Data1/1    : address is 00a7.42e1.6ed5, irq 255
10: Int: Internal-Data1/2    : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3    : address is 0000.0001.0003, irq 0
13: Ext: Management1/1       : address is 00a7.42e1.6ed5, irq 0
14: Int: Internal-Data1/4    : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 300            perpetual
Total VPN Peers                   : 300            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 1000           perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual
VPN Load Balancing                : Enabled        perpetual


Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 4              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 8              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 300            perpetual
Total VPN Peers                   : 300            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 1000           perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Enabled        perpetual
VPN Load Balancing                : Enabled        perpetual

The Running Activation Key feature: 2000 TLS Proxy sessions exceed the limit on the platform, reduced to 1000 TLS Proxy sessions.

Serial Number: JAD1234ABCD
Running Permanent Activation Key: 0x0037exxx 0x482ffyyy 0x04718yyy 0xaad48xxx 0x49343xxx
Configuration register is 0x1
Image type                : Release
Key Version               : A
Configuration last modified by PeteLong at 13:50:02.750 GMT Tue Mar 26 2019

Petes-ASA#

[/box]

Related Articles, References, Credits, or External Links

NA

Using a KMS Server

KB ID 0000582

Problem

Given the amount of deployments I do, it’s surprising that I don’t use KMS more often. Like most technical types, I find a way that works for me, and that’s the way I do things from then on. However these last few weeks I’ve been putting in a new infrastructure for a local secondary school. Their internet access is through a proxy server, that refuses to let Windows activation work. Unfortunately the “Administrators” of this proxy server were not disposed to give me any help, or let me anywhere near it, to fix it.

So after activating a dozen servers over the phone, I decided enough was enough “I’m putting in a KMS Server!”

I’m deploying KMS on Windows Server 2008 R2, and it is for the licensing and activation of Serer 2008 R2 and Windows 7. I will also add in the licensing KMS mechanism for Office 2010 as well.

Note: If you are using Server 2003 it will need SP1 (at least) and this update.

Solution

To be honest it’s more difficult to find out how to deploy a KMS server, than it actually is to do. I’ve gone into a fair bit of detail below but most of you will simply need to follow steps 1-4 (immediately below). In addition, after that I’ve outlined how to deploy KMS from command line. Then how to test it, and finally how to add Microsoft Office 2010 Licenses to the KMS Server.

Install Microsoft Windows 2008 R2 Key Management Service (EASY)

1. The most difficult part is locating your KMS Key! If you have a Microsoft License agreement, log into the the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Windows Server 2008 Std/Ent KMS B”

Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).

2. Armed with your new key, you simply need to change the product key on the server that will be the KMS server, to the new key. Start > Right Click “Computer” > Properties. (Or Control Panel > System). Select “Change Product Key” > Enter the new KMS Key > Next.

3. You will receive a warning that you are using a KMS Key > OK. You may now need to activate your copy of Windows with Microsoft, this is done as normal, if you can’t get it to work over the internet you can choose to do it over the phone.

4. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the “Key Management Service”, (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.

Note: Should you wish the change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;

[box]

cscript c:\Windows\System32\slmgr.vbs /SPrt 1024

[/box]

That’s It! That is all you should need to do, your KMS Server is up and running.

Install Microsoft Windows 2008 R2 Key Management Service from Command Line

You will notice below that I’m running these commands from command windows running as administrator (Right click “Command Prompt” > Run as administrator).

1. Locate your “Windows Server 2008 Std/Ent KMS B” Key > From command line issue the following command;

[box]

cscript c:\Windows\System32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

[/box]

Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).

2. Providing the command runs without error, we have just changed the product key for this Windows server to be the KMS key.

3. Now we need to activate the Windows Server > Run the following command;

[box]

c:\Windows\System32\slui.exe

[/box]

Select “Activate Windows online now” > Follow the on screen prompts.

4. When complete, it should tell you that it was successfully activated.

5. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the “Key Management Service”, (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.

Note: Should you wish the change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;

[box]

cscript c:\Windows\System32\slmgr.vbs /SPrt 1024

[/box]

That’s It! That is all you should need to do, your KMS Server is up and running.

Testing the Key Management Server

Before it will start doing what you want it to, you need to meet certain thresholds, with Windows 7 clients it WONT work till it has had 25 requests from client machines. If you are making the requests from Windows 2008 Servers then the count is 5. (Note: For Office 2010 the count is 5 NOT 25)

Interestingly: On my test network I activated five Windows 7 machines, then one server, and it started working.

Windows 7 and Windows 2008 R2 have KMS Keys BUILT INTO THEM, if you are deploying/imaging machines you should not need to enter a key into them (unless you have entered a MAK key on these machines then you will need to change it to a client KMS Key). These are publicly available (see here).

1. The service works because it puts an SRV record in your DNS, when clients want to activate, they simply look for this record before they try and activate with Microsoft, if they find the record, they activate from your KMS Server instead. If you look on your domain DNS servers, expand “Forward Lookup Zones” > {your domain name} > _tcp > You will see an entry for _VLMCS that points to your KMS Server.

2. From your client machines you can test that they can see the SRV record, by running the following command;

[box]

nslookup -type=srv _vlmcs._tcp

[/box]

Note: If this fails, can your client see the DNS server? And is it in the domain?

3. There is no GUI console for KMS to see its status, so run the following command on the KMS server;

[box]

cscript c:\Windows\System32\slmgr.vbs /dli

[/box]

4. As I’ve mentioned above, with Windows clients you need 25, and Windows Servers you will need 5 requests before KMS will work, before this you will see;

Windows Activation
A problem occurred when Windows tried to activate. Error Code 0xC004F038

5. For each of these failures, look-in the KMS Server, and the “Current count” will increment by 1 till it starts to work). In a live environment this wont be a problem, (You probably wont be looking at KMS with less than 25 clients!). On a test network just clone/deploy a load of machines until you hit the threshold.

Troubleshooting KMS Clients

To make things simple the command to execute on the clients, is the same command that you run on the KMS server to check the status.

[box]

cd c:\windows\system32
slmgr /dli

[/box]

For further troubleshooting, see the following links.

How to troubleshoot the Key Management Service (KMS)

Managing License States

Adding an Office 2010 KMS Key to Your KMS Server.

In addition to servers and clients, KMS can activate and handle Office 2010 licenses as well. You simply need to add in Office support, and your Office 2010 KMS key. As mentioned above, unlike Windows clients, you only need five requests to the KMS server before it will start activating Office 2010 normally.

If you want a KMS Server for JUST OFFICE 2010 and not Windows, then simply install and run the Office 2010 Key Management Service Host.

1. First locate your Office 2010 KMS Key! If you have a Microsoft License agreement, log into the the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Office 2010 Suites and Apps KMS”

Note: As with Windows 7, and Server 2008 R2, Office 2010 comes with a KMS key already installed, if you have changed the key to a MAK key you can change it back using the Microsoft public KMS keys (see here).

2. Download and run the “Microsoft Office 2010 KMS Host License Pack“.

3. When prompted type/paste in your “Office 2010 Suites and Apps KMS” product key > OK.

4. It should accept the key.

5. Press {Enter} to close.

6. Once you have five Office 2010 installations they should start to activate from your KMS server.

Troubleshooting Office 2010 KMS Activation

If you have a client that refuses to work you can manually force it to activate against your KMS server;

x64 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)

[box]

cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com 
cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /act 

[/box]

x32 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)

[box]

cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com
cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /act [/box]

Related Articles, References, Credits, or External Links

KMS Activation – Error: 0xC004C008

Deploying VMware View 5 – Part 1: Configure Active Directory and Deploy VMware Connection Server

KB ID 0000594

Problem

Note: This is an old post for VMware view version 5, you might want to read Deploying VMware Horizon View instead.

VMware View is a big product, deploying it can be daunting, and if you’re not sure what you’re doing it’s pretty easy to deploy ‘misconfigured’, or at the very least not configured as well as it should. I’m going to run though most requirements, but it would seem sensible to break this up into a few different articles.

Solution

Configuring Windows Active Directory for VMware View

1. Before you start, on your domain controller open active directory users and computers (dsa.msc). Create an OU for your View Desktops, also to make administration easier create a separate OU for any linked clones you are going to deploy. In the example below I’ve nested one inside the other to keep my AD neat and tidy.

2. Also whilst in AD users and computers, create some groups, one for ViewUsers, and one for ViewAdministrators. Add in your users to the groups as required.

Note: You can call the groups whatever you like, and have as many different groups as you like.

3. Now connect to your Virtual Center Server, and add the domain ViewAdministrators group to the LOCAL Administrators group on that server.

Installing and configuring VMware View 5

4. Run the installer for VMware Connection Server (there is a x32 and an x64 version, make sure you download the correct one as VMware call the x64 bit version VMware-viewconnectionserver-x86_64-5.0.1-640055.exe, which at first glance looks like a x32 bit file). Accept all the defaults until you see the following screen, and select View Standard Server.

View Standard Server: Select if this is the first Connection Server you are deploying. View Replica Server: Select this if you already have a connection server and you want to copy the configuration from that server, once in operation it just becomes a standard replica server. View Security Server: Usually placed on an edge network or in a DMZ to broker connection requests. View Transfer Server: Only required if your clients are going to use ‘Local Mode’ for their View desktops..

5. Accept all the defaults and finish the installation.

6. Connect to the VMware View administrator console, this is a web connection to https://{Connection-server-name/admin Note: Adobe Flash is required for it to work.

7. The first time you connect it will take you straight to View Configuration > Product Licencing and Usage > Select “Edit Licence” and type/paste in your licence key.

8. To point the connection server to your virtual center server, select View Configuration > Servers > vCenter Server section > Add.

9. Give it the vCenter server name, and a username and password for a user who is a member of your ViewAdministrators group.

Note: If your vCenter server has VMware composer installed this is where you would enable it. At this time I do not, but I will return here later after I’ve installed it when I cover VMware Composer and ‘linked clones’.

Related Articles, References, Credits, or External Links

Deploying VMware View 5 – Part 2: Configure Windows 7 to be a VMware View Desktop

Windows – Changing the Unlock Code and Activating

KB ID 0000667 

Problem

Some versions of Windows 8 (Windows 8 Pro for example) ask for the unlock code as soon as you install them, I installed Windows 8 Enterprise on my PC at home today, and I couldn’t even change my user photo, because Windows hadn’t activated. When I tried, this is what happened.

Solution

As I had not yet installed a Windows unlock code, it’s safe to assume it had it’s in built KMS code, so I would need to change it to my own Windows code.

1. Press Windows Key+X to bring up the Advanced Context Menu >Select ‘Command Prompt (Admin)’.

2. Run the following command (where 12345-ABCDE-12345-ABCDE-12345 is YOUR Windows code);

[box]slmgr.vbs -ipk 12345-ABCDE-12345-ABCDE-12345[/box]

3. Then to activate your copy of Windows run the following command;

[box]slmgr.vbs -ato[/box]

Related Articles, References, Credits, or External Links

NA

Error Adding Office KMS Keys “0x80072F8F”

KB ID 0000584 

Problem

Seen when adding an Office 2010 KMS key on a Windows 2008 R2 KMS Server.

Note: Using the Microsoft Office 2010 KMS Host License pack as per this article.

An error occurred: 0x80072F8F
To display the error text run the following:
slui.exe 0x2a 0x80072F8F

Solution

1. If you do run the command that they have asked you to, all you get is;

Code:
0x80072F8F
Description:
A Security error occurred

2. Not very helpful, however some Google searching turned up the solution. Check the time on the KMS server is correct, mine was way out.

Note: This had happened because the domain controller was on an ESXi host with the incorrect time, the KMS server took its time from the domain controller when it booted. (Domain clients typically take their time from the DC holding the PDC emulator role).

Locate your FSMO Role Servers

3. With the time fixed, try once again, and you should be successful.

Related Articles, References, Credits, or External Links

Using KMS Server for Windows Server 2008 R2, Windows 7, and Office 2010

Office 2010 – Find your Version and Licensing Information

Activation Error: Code 0x8007232b DNS Name does not exist

 

Cisco Router – CBAC and Zone Based Firewall Setup

KB ID 0000937 

Problem

IOS 11.2 gave us CBAC, and IOS 12.4(6)T gave us the Zone Based Firewall. You can still use either, (providing you are running the correct IOS, or in the case of version 15 and upwards, added the correct license, ‘securityK9’). For older IOS versions usually you want the advipservices version of the IOS).

Solution

Run the following command to see if you have the correct license installed.

[box]

Petes-Router#show license features 

[/box]

Cisco IOS Setup CBAC (IOS Firewall Classic)

1. Declare the protocols you want to inspect.

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#ip inspect name IOS-FW tcp
Petes-Router(config)#ip inspect name IOS-FW udp
Petes-Router(config)#ip inspect name IOS-FW icmp

[/box]

2. Apply that inspection inbound on the inside interface (that’s traffic going out).

[box]

Petes-Router(config)#interface FastEthernet 0/1
Petes-Router(config-if)#ip inspect IOS-FW in
Petes-Router(config-if)#exit
Petes-Router(config)#

[/box]

4. Apply the inspection inbound on the outside interface (for traffic coming in). And then save the changes.

Note: If you have VPN traffic this will NOT break it.

[box]

Petes-Router(config)#interface Dialer0
Petes-Router(config-if)#ip inspect IOS-FW in
Petes-Router(config-if)#exit
Petes-Router(config)#exit
*Mar 1 00:05:29.875: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#wr mem
Building configuration...
[OK]
Petes-Router#

[/box]

Cisco Zone Based Firewall Setup

The config on ZBF can get quite complicated, I’m simply going to allow traffic out, and block all traffic coming in (apart from traffic that will be coming in over VPN).

Note: CBAC Settings (if used), must be removed before configuring ZBF.

1. The first thing to do is setup the zones, I only have a LAN an WAN to worry about.

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#zone security SZ-INSIDE
Petes-Router(config-sec-zone)#description Local Area Network
Petes-Router(config-sec-zone)#zone security SZ-OUTSIDE
Petes-Router(config-sec-zone)#description Wide Area Network (Internet)
Petes-Router(config-sec-zone)#exit

[/box]

2. Create two ACLs to decide which traffic you want to allow in and out. Note: I’ve also added the subnets for my remote VPN network. I will allow out www (TCP 80), https (TCP 443), and DNS (TCP 53). Inbound everything is blocked apart from my VPN traffic.

Note: I’m not covering setting up the VPN, if you want to know how to do that, see the following article;

Cisco Router – Configure Site to Site IPSEC VPN

Then for each ACL I’m creating a class-map, it’s the class-map that decides what traffic will be inspected, (by inspected, in ZBF terms we mean allowed).

[box]

Petes-Router(config)#ip access-list extended ACL-OUTBOUND
Petes-Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq www
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 443
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 53
Petes-Router(config-ext-nacl)#class-map type inspect match-all CM-OUTBOUND
Petes-Router(config-cmap)#match access-group name ACL-OUTBOUND
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#ip access-list extended ACL-INBOUND
Petes-Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

[/box]

3. Define what to do with the (matched) traffic with a policy-map, this can be set to inspect, log , or drop. We set it to inspect our traffic, and drop, then log everything else.

[box]

Petes-Router(config)#policy-map type inspect PM-OUTBOUND
Petes-Router(config-pmap)#class type inspect CM-OUTBOUND
Petes-Router(config-pmap-c)#inspect
%No specific protocol configured in class CM-OUTBOUND for inspection. All protocols will be inspected

Note: The Above is not really true - we have defined the port in the ACL

Petes-Router(config-pmap-c)#class class-default
Petes-Router(config-pmap-c)#drop log
Petes-Router(config-pmap-c)#exit
Petes-Router(config-pmap)#exit
Petes-Router(config)#policy-map type inspect PM-INBOUND
Petes-Router(config-pmap)#class type inspect CM-INBOUND
Petes-Router(config-pmap-c)#inspect
%No specific protocol configured in class CM-INBOUND for inspection. All protocols will be inspected

Note: The Above is fine, it drops everything that's not VPN traffic anyway.

Petes-Router(config-pmap-c)#class class-default
Petes-Router(config-pmap-c)#drop log
Petes-Router(config-pmap-c)#exit
Petes-Router(config-pmap)#exit

[/box]

4. The last task is to create zone-pairs for the outbound and inbound traffic, then apply our policy-map to them with a service-policy.

[box]

Petes-Router(config)#security ZP-OUTBOUND source SZ-INSIDE destination SZ-OUTSIDE
Petes-Router(config-sec-zone-pair)#service-policy type inspect PM-OUTBOUND
Petes-Router(config-sec-zone-pair)#exit
Petes-Router(config)#security ZP-INBOUND source SZ-OUTSIDE destination SZ-INSIDE
Petes-Router(config-sec-zone-pair)#service-policy type inspect PM-INBOUND
Petes-Router(config-sec-zone-pair)#exit

[/box]

5. Save the changes, sit back, light your pipe, and admire your handiwork.

[box]

Petes-Router(config)#exit
Petes-Router#write mem
Building configuration...
[OK]

[/box]

 

Related Articles, References, Credits, or External Links

NA

ASA 5505 Determine Your License Version

KB ID 0000701

Problem

If you are having problems with internal clients NOT getting through the firewall, the license on your ASA 5505 may be ‘to small’.

ASA 5505 License Differences

Essentially the licenses come in 10 user, 50 user, and unlimited*. You can also have a Security Plus License, this increases IPSEC VPN’s from 10 to 25, and adds Active/Standby failover, Dual ISP Support, and DMZ Support.

*Note: These figures are the concurrent total users, for internal clients making connections through the firewall, from the internal VLAN to the external VLAN (not between internal VLANS). If you have no default route defined then the limit is placed in ALL hosts on ALL VLANS.

From Cisco 

In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are not counted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits.

Solution

To locate your license version issue the following command whilst in enable mode. ‘sho ver or show version’.

code?

ASA 5505 10 User License

ASA5505 50 User License

ASA 5505 Unlimited License

ASA 5505 Security Plus License

Related Articles, References, Credits, or External Links

Find out your Cisco ASA version (Operating system and ASDM)

Cisco ASA 5500 – Adding Licenses