Cisco Firewall Port Forwarding

KB ID 0000077

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

Note2: If your firewall is running a version older than 8.3 you will need to scroll down the page.

Port forwarding on Cisco firewalls can be a little difficult to get your head around, to better understand what is going on remember in the “World of Cisco” you need to remember two things…..

1. NAT Means translate MANY addresses to FEW Addresses

2. PAT Means translate MANY addresses to ONE Address.

Why is that important you ask? Well most networking types assume NAT is translating one address to many, BUT on a Cisco device this is PAT, and it uses (as the name implies) port numbers to track everything. e.g. the first connection outbound might be seen on the firewall as 123.123.123.123:1026 and the second connection outbound might be seen as 123.123.123.123:2049 so when the traffic comes back the firewall knows where to send it.

Fair enough but what has that got to do with Port Forwarding? Well you can use the exact same system to lock a port to an IP address – so if only one port can go to one IP address then that’s going to give you port forwarding 🙂

To make matters more confusing (sorry) you configure PAT in the NAT settings, for this very reason it confuses the hell out of a lot of people, and the GUI is not intuitive for configuring port forwarding, (the ADSM is better than the old PIX PDM) but most people, (me included,) prefer to use command line to do port forwarding.

Below you will find;

Option 1 (Use ASDM)
Option 2 Use Command Line Interface
Option 3 Use PDM (PIX v6 Only)

Option 1: Port Forwarding Using ASDM

Note: This option uses ASDM Version 7.9(2) If yours is older see below;

Connect to the ASDM, Configuration > Firewall > NAT Rules > Right Click ‘Network Object Nat Rules’ > Add ‘Network Object’ Nat Rule.

Name = “Give the internal server/host a sensible name” > Type = Host > IP Address = The internal / private IP address > Type = Static > Translated address = Outside > Advanced > Source Interface = Inside > Destination Interface = Outside > Protocol = TCP  > Real port = http > Mapped Port = http > Ok > OK > Apply.

Note: This assumes your Outside interface is called outside, Inside interface is called inside and you want to port TCP port 80 (http).

Configuration > Firewall > Access Rules > Right Click ‘Outside Interface” > Add Access Rule.

Interface = Outside > Action = Permit > Source = Any > Destination {Browse}  > Locate the object you created earlier > Add to Destination > OK.

Service {Browse} > Select the Port you require (i.e. http) > OK.

OK > Apply > When you have tested it works, save the changes.

 

Using Older ASDM (PIX V7 and ASA5500) 1 Port to 1 IP Address

1. As above you will need to know the port and the IP to forward it to, Launch the ASDM, Select Configuration > Security Policy > Then either Rule Add, or right click the incoming rules and select “Add Access Rule.”

2. Interface = Outside > Direction = Incoming > Action = Permit > Source = Any > Destination, Type = Interface IP, Interface = Outside > Protocol = TCP > Destination Port Source = smtp (for example) > OK > Apply.

3. Back at the main screen select Configuration > NAT > Add, or Right Click an Existing mapping and click “Add Static NAT Rule.”

4. Real Address Interface = Inside > IP Address = 10.254.254.1 > Netmask = 255.255.255.255 > Static Translation Interface = outside > IP Address = (Interface IP) > Tick “Enable Port Translation (PAT) > Protocol = TCP > Original Port = smtp > Translated Port = smtp (for example) > OK > Apply.

5. File > “Save Running Configuration to Flash.”

Option 2 Use the Command Line to Port Forward (Post Version 8.3)

Note: Port forwarding changed on PIX/ASA devices running OS 8.3 and above, in regards to port forwarding. There is no longer a global command, for a full run-down of the changes click here.

If you issue a global command after version 8.3 you will see this error,

ERROR: This syntax of nat command has been deprecated.
Please refer to “help nat” command for more details.

1. First things first, you will need to know what port you want to forward, and where you want to forward it, for this example We will assume I’ve got a server at 10.254.254.5 and it’s a mail server so I want to Forward all TCP Port 80 traffic (HTTP) to it. Connect to the Firewall via Console/Telnet or SSH.

[box]

Warning Notice
User Access Verification#
Password:********
Type help or '?' for a list of available commands.
Petes-ASA>

[/box]

2. Enter enable mode, and enter the enable mode password.

[box]

Petes-ASA> enable
Password:********
Petes-ASA#

[/box]

3. Now we need to go to configuration mode.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

4. Create an object for the web server that the traffic is going to be forwarded to.

[box]

Petes-ASA(config)# object network Internal_Web_Server
Petes-ASA(config-network-object)# host 10.254.254.5

[/box]

5. Then create a NAT translation for the port to be forwarded. Then you can exit the network object prompt.

[box]

Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp http http
Petes-ASA(config-network-object)# exit

[/box]

6. Now you need to allow the http traffic in. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound for obvious reasons). To see if you already have an ACL applied, issue the following command;

[box]

Petes-ASA# show run access-group
access-group inbound in interface outside
access-group outbound in interface inside

[/box]

Note: In the example above we have an ACL called inbound that we MUST use. (If you added a new one, all the access list entries for the old one get ‘Un-applied’). If yours has a different name (e.g. outside_access_in then use that instead of the ACL name I’m using here). If you DONT have an access-group entry for inbound traffic then we will do that at the end!

[box]

Petes-ASA(config)# access-list inbound permit tcp any object Internal_Web_Server eq http

[/box]

7. Then: Only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.

[box]

Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)#

[/box]

8. Don’t forget to save your hard work. (write memory).

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

All the commands to Copy & Paste (Post v 8.3);

[box]

object network Internal_Web_Server
 host 10.254.254.5
nat (inside,outside) static interface  service tcp http http
access-list inbound permit tcp any object Internal_Web_Server eq http
access-group inbound in interface outside 

[/box]

Use the Command Line to Port Forward (pre version 8.3) 1 Port to 1 IP Address

1. First things first, you will need to know what port you want to forward, and where you want to forward it, for this example we will assume I’ve got a server at 10.254.254.1 and it’s a mail server so I want to forward all TCP Port 25 traffic to it. Connect to the Firewall via Console/Telnet or SSH.

[box]

Warning Notice

User Access Verification
Password:*******

Type help or '?' for a list of available commands.
Petes-ASA>

[/box]

2. Enter enable mode, and enter the enable mode password.

[box]

Petes-ASA> enable
Password: ********
Petes-ASA#

[/box]

3. Now we need to go to configuration mode.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

4. Now you need to allow the http traffic in. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound for obvious reasons). To see if you already have an ACL applied, issue the following command;

[box]

Petes-ASA#show run access-group
access-group inbound in interface outside
access-group outbound in interface inside

[/box]

Note: In the example above we have an ACL called inbound that we MUST use. (If you added a new one, all the access list entries for the old one get ‘Un-applied’). If yours has a different name (e.g. outside_access_in then use that instead of the ACL name I’m using here). If you DON’T have an access-group entry for inbound traffic then we will do that at the end!

5. Then: Only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.

[box]

Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)#

[/box]

6. Lastly the command that actually does the port forwarding, (static command). And allow the traffic in.

[box]

Petes-ASA(config)# static (inside,outside) tcp interface smtp 10.254.254.1 smtp netmask 255.255.255.255
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq smtp

[/box]

7. Don’t forget to save your hard work. (write memory).

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

Option 3 Use the PIX Device Manager (PIX Version 6 Only)1 Port to 1 IP Address

1. As above you will need to know the port and the IP to forward it to, Launch the PIX Device manager, Select Configuration > Access Rules > Then either click “Rule”s > Add or Right click an incoming rule and select > “Insert Before” or “Insert After”.

2. Under the “Action” select “Permit”, Under Source Host/Network Select “Outside”, and all the zeros, Under Destination Host/Network Select “Inside” and all the zeros then set the “Destination Port” to smtp > OK > Apply.

3, Now select the “Translation Rules” tab, Rules Add or Right click a rule and select “Insert before” or “Insert After”.

4. In this example I’ve set it to forward all TCP Port 25 traffic to 10.254.254.10 (NOTE: I’ve blurred out the public IP Address you will need to add this also) > OK > Apply.

5. Finally save your work > File > “Save Running Configuration to Flash.” > Exit.

Related Articles, References, Credits, or External Links

ASA 5500 – Port Forwarding To A Different Port

Cisco ASA – Port Forward a ‘Range of Ports’

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

Cisco ASA Site to Site VPN ‘Using ASDM’

KB ID 0000072

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

Do the same from command line

Below is a walk-through for setting up one end of a site to site VPN Tunnel using a Cisco ASA appliance – Via the ASDM console. Though if (like me) you prefer using the Command Line Interface I’ve put the commands at the end.

click image for full subnet information

Solution

VPN Setup Procedure carried out on ASDM 6.4

Note: The video above uses IKE v1 and IKE v2, in reality you would choose one or the other, and for IKE v2 both ASA 5500 firewalls need to be running OS 8.4(1) or above.

VPN Setup Procedure carried out on ASDM 5.2

1. Open up the ADSM console. > Click Wizards > VPN Wizard.

2. Select “Site-to-Site VPN” > Next.

3. Enter the Peer IP address (IP of the other end of the VPN tunnel – I’ve blurred it out to protect the innocent) > Select “Pre Shared Key” and enter the key (this needs to be identical to the key at the other end. > Give the tunnel group a name or accept the default entry of its IP address. > Next.

4. Choose the encryption protocol (DES, 3DES, AES-128, AES-192, or AES256), choose the Authentication Method (SHA or MD5), and choose the Diffie Hellman Group (1, 2, 5 or 7). Note the other end must match, this establishes phase 1 of the tunnel. > Next.

5. Now select the Encryption Protocols (DES, 3DES, AES-128, AES-192, or AES256), choose the Authentication method (SHA, MD5 or None). Note this is for phase 2 and will protect the encrypted traffic “In Flight”. > Next.

6. Now you need to specify what traffic to encrypt, on the left hand side enter the network or host details (of what’s behind the ASA you are working on), and on the right hand side the IP address of the network or host that’s behind the other VPN endpoint.  Note the other end should be a mirror image. > Next.

7. Review the Settings (Note I’ve blurred the IP address out again) > Next.

8. Back at the ASDM console commit the settings to the ASA memory, Click File > “Save Running Configuration to Flash.”

ASA 5500 VPN Setup from command line

[box]

object network Site-A-SN
subnet 192.168.1.0 255.255.255.0
object network Site-B-SN
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN
access-list outside_1_cryptomap extended permit ip object Site-A-SN object Site-B-SN
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer {Other Ends IP Address}
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group {Other Ends IP Address} type ipsec-l2l
tunnel-group {Other Ends IP Address} ipsec-attributes
ikev1 pre-shared-key 12345678901234567890asdfg

[/box]

ASA 5500 VPN for Version 8.2 and older firewalls

[box]

access-list outside_20_cryptomap extended permit ip 10.254.254.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.254.254.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer {Other Ends IP Address}
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group {Other Ends IP Address} type ipsec-l2l
tunnel-group {Other Ends IP Address} ipsec-attributes
pre-shared-key 12345678901234567890asdfg

[/box]

 

Related Articles, References, Credits, or External Links

Original article written 09/11/09

Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels

Cisco ASA – Port Forward a ‘Range of Ports’

KB ID 0001111

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

This comes up on forums a lot, some applications and most phone systems require a ‘LOT’ of ports to be open. Normally thats fine you just give the internal IP a static public IP and open the ports. But what if you don’t have a spare public IP? I’ve already covered port forwarding before.

Cisco PIX / ASA Port Forwarding

Until version 8.4 you couldn’t even do this, you needed to create a translation for each port! Note: There is a bug in versions 9.0 and 9.1 that can stop this working, so check your OS with a ‘Show Ver’ command to be sure.

As I said this come up a lot on forums so when it asked on EE the other day, I fired up GNS3 and works out how to do it. Here is my topology;

So I will setup ‘port forwarding’ from the outside interface of ASA-1 for TCP ports 1000 to 2000 to then Internal Server (10.2.2.10).

1. Setup object groups for your internal server and for the range of ports you are going to forward.

[box]

!
object network Obj-Internal-Server
 host 10.2.2.10
!
object service Obj-Ports-Range
 service tcp destination range 1000 2000
!

[/box]

2. Then allow the traffic in with an ACL See MY WARNING before doing this.

[box]

!
access-list inbound extended permit tcp any host 10.2.2.10 range 1000 2000
!
access-group inbound in interface outside
!

[/box]

3. Perform the PAT translation from the outside interface to the internal server.

[box]

!
nat (outside,inside) source static any any destination static interface Obj-Internal-Server service Obj-Ports-Range Obj-Ports-Range
!

[/box]

Note: A lot of people ask to ‘port forward’ a range of ports when they actually mean ‘I would like to open a range of ports to an internal IP address’. Thats essentially just a one-to-one static NAT. I’ve already covered that before, but in our example i use a spare public ip 192.168.253.100.

[box]

!
object network Obj-External-Server
 host 192.168.253.100
!
object network Obj-Internal-Server
 host 10.2.2.10
 nat (inside,outside) static Obj-External-Server
!
access-list inbound permit tcp any host 10.2.2.10 range 1000 2000
!
access-group inbound in interface outside

[/box]

EVE-NG on VMware ESX Strange ARP Problems?

KB ID 0001601

Problem

I use EVE-NG a lot, it’s an awesome tool. Also I’m lucky enough to have my own ESX servers, so that’s where it lives. I’ve noticed this problem before, but I’ve either given up, and done something else, or it’s manifested itself in an ‘odd’ way that I can work around.

If you’re new to connecting EVE-NG to a live network you might want to read the following post first;

EVE-NG (VMware) Connecting to the Internet

When setting up a new lab, I connected a Ciso IOL router to my cloud object, and it successfully got an IP from DHCP, but could not communicate with the outside world. So I replaced it with a Cisco (Dynamips) router, same thing! So I replaced with with a Cisco ASAv, same thing!

I moved the EVE-NG machine onto its own standard vSwitch, (no difference).


I hadn’t committed the ‘schoolboy error‘ of forgetting to allow promiscuous mode on the port group.

I could also see from my physical network, that there was layer 2 connectivity happening, as it was in in the ARP cache of my core switch.

I did notice that if I waited for a long time, it would start working, so (on the Core Switch) I flushed the ARP cache, and pinged the EVE-NG device and got a response, then it worked fine from EVE-NG, (for a while, in a manner of speaking!) If I tried to NAT any other traffic, or do anything else, then the problem returned. I could keep flushing the ARP cache on the switch, but that’s a bit annoying?

Solution

Well, (in my case) the problem turned out to be a problem with the fact I have ‘teamed‘ physical NICs on the vSwitch, which you can see above (vmnic0, and vmnic7). AS SOON as I removed one, and only had one physical uplink it worked faultlessly?

Everything works now.

Note: I tried changing the load balancing algorithms to ‘Route based on IP hash‘, ‘Route based on source MAC hash, and even ‘Use Explicit failover order‘, none of these worked.

I did see other people in forums that were saying, ‘I only have one physical uplink‘, I’m suspecting that in their case, it’s promiscuous mode was missing, but feel free to comment below, if any one manages a better work-around / fix / explanation.

Related Articles, References, Credits, or External Links

NA

VMware Fusion: Guest VM ‘Lost’ Network Connectivity

KB ID 0001450

Problem

I keep a Windows 10 VM on my laptop, and last week it lost network connectivity, (it’s set to get its IP from my mac and get network connectivity via NAT). The guest was getting a 169.254.x.x APIPA address so either NAT was down, or there was no network?

Solution

You need to ‘Restart’ the services on the Mac host machine. Execute the following two commands;

[box]

sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli --stop   
  
sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli --start  

[/box]

Then check you guest machine again.

Related Articles, References, Credits, or External Links

NA

Cisco ASA 5506-X: Bridged BVI Interface

KB ID 0001422

Problem

When the ASA 5506-X appeared there was much grumbling, “This is not a replacement for the ASA 5505, I need to buy a switch as well!”  and “I have six ports on the firewall I cant use” etc.

While I understand that, and if truth be told the ASA 5505, was SUPPOSED to be used in SOHO environments where an all in one device, (with PoE) was a great fit. The problem was, people started throwing them in everywhere, I’ve seen them in large businesses, and in data centres. Because it’s easier to sell a firewall that cost less than 500 quid, than it is to sell a firewall that fits the network requirements! 

To ‘fix’ the problem would probably mean changing hardware, so Cisco gave us a BVI, Bridge Virtual Interface instead (with version 9.7). Well not strictly true, Cisco ASA has had BVI interfaces in ‘transparent mode‘ for some time. So on the ASA 5506-X with a default configuration, it ‘Bridges’ interfaces Ge0/2 to Ge0/8, into one interface which you can call the inside interface an give it an IP address.

Oh Great! So Just Like an ASA5505 Then? Well no sorry, I don’t like it because it needs an access-group/ACL for each bridged interface, and a NAT statement for each bridged interface. Unless you have a very simple network that can get very complicated, very quickly! Also note, the same holds true for remote management via SSH/ADSM etc.

Changes to ASA for BVI Interface

I’ll shorten the default firewall config and show you the ‘added commands’ that are used for this configuration.

[box]

!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
!
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
!
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
!
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
!

[/box]

Yes I’m not making it up, that’s the added default config for a new 5506-X firewall, (post version 9.7) if you issue a configure factory-default, that’s what you will get! (Don’t panic: If you upgrade a firewall it wont add this in!) 

Is That What You Wanted?

Well if you are a small business and make very little changes to the firewall then this may be fine, (if a little cumbersome to setup). But to be honest I think its pretty bobbins! So I’ll be ripping it out of every 5506-X I deploy.

ASA 5506-X Remove the BVI Interface From CLI

First you have to remove the bridge group from the physical interfaces, but first you need to remove the interface name, or it will error. Obviously connect via the console cable, or from the outside interface, (because you’re about to remove the configured inside interface, until we recreate it again).

[box]

!
interface GigabitEthernet1/2
 no nameif
 no bridge-group 1
interface GigabitEthernet1/3
 no nameif
 no bridge-group 1
interface GigabitEthernet1/4
 no nameif
 no bridge-group 1
interface GigabitEthernet1/5
 no nameif
 no bridge-group 1
interface GigabitEthernet1/6
 no nameif
 no bridge-group 1
interface GigabitEthernet1/7
 no nameif
 no bridge-group 1
interface GigabitEthernet1/8
 no nameif
 no bridge-group 1
!

[/box]

Only now can you remove the BVI interface.

[box]

clear configure interface BVI1
WARNING: DHCPD bindings cleared on interface 'inside', address pool removed
WARNING: BVI interface 1 is in use.

[/box]

Note: The BVI1 interface will now disappear from the config, (if you’re used to working on routers it’s a bit like removing a loopback interface). Now Remove the ‘defunct’ object groups that were being used for NAT.

[box]

no object network obj_any1
no object network obj_any2
no object network obj_any3
no object network obj_any4
no object network obj_any5
no object network obj_any6
no object network obj_any7

[/box]

Assuming your outside Interface (GigabitEthernet0/1) is still up and connected, (by default it will be set to DHCP and also set to get its outside automatically). You would then need to configure an ‘inside’ interface (I’ll use GigabitEthernet0/2) and specify a NAT/PAT rule to allow traffic out.

[box]

!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
object network OBJ-NAT-ALL
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!

[/box]

That gets everything up and connected, (all traffic out allowed, and all traffic in (initiated from outside) is blocked)).

ASA 5506-X Remove the BVI Interface From CLI

Configuration > Device Setup > Interface Settings > Interfaces > Select interface 1/8 > Edit.

Remove the Interface name > OK >OK.

Change the Bridge Group to ‘None’ > OK.

Repeat for interfaces 0/7 to 0/2 > Apply.

Select BVI1 > Delete > Yes.

Configuration > Firewall > Objects > Network Objects/Groups > obj_any1 > Delete > Repeat for tall the other objects.

Save the changes.

 

Related Articles, References, Credits, or External Links

NA

Cisco VPN Client Connects but no traffic will Pass

Note: May also be asked as, Client VPN connects but cannot ping anything behind the Firewall.

KB ID 0000199

Problem

If I had a pound for every time I’ve seen this either in the wild, or asked in a forum, I would be minted! In nearly every case the problem is NAT related.

In most cases, If the person launching the VPN client is behind a device that is performing NAT, (Home Router, Access Point, Firewall, etc) then the device will BREAK the NO NAT, or “nat 0” on pre 8.3 firewalls. (that’s the command that says “DONT change the address of my remote VPN client as it passes up and down the VPN tunnel).

Update 08/09/16: Due to a bug, I found an exception to this problem being broken NAT (see below)

Solution

Enable nat-traversal, this is a global configuration setting and will not affect any other site to site, or client to gateway VPN’s you are currently running.

Option 1 Connect to the ASA Via Command Line.

Then go to enable mode > Configure Terminal mode > and issue a “crypto isakmp nat-traversal 20” command >Then save the change with a “write mem” command.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# crypto isakmp nat-traversal 20
Petes-ASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
Petes-ASA#

[/box]

Option 2 Connect to the ASA Via ASDM Version used here is 6.2.(5)

If you can find this in the ASDM post version 7 – You are better than me!

Navigate to > Configuration > Remote Access VPN > Advanced > IKE Parameters > Tick “Enable IPSec over NAT-T” option > Set the “NAT Keepalive” to 20 seconds > Apply > File > Save running configuration to flash.

I’ve done that and its still not working?

On a Firewall Running 8.3 (or Newer)

1. On the firewall issue a “show run nat” command > Make sure there is a NAT statement that has static (the network behind the ASA) to static (the remote VPN network). I’ve highlighted it below.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.

Petes-ASA>enable
Password: ********
Petes-ASA# show run nat 
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-10.253.253.0 obj-10.253.253.0 route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network Media_PC
nat (inside,outside) static interface service tcp 123 123
!
nat (outside,outside) after-auto source dynamic VPN_Pool interface
PetesASA#

[/box]

2. Make sure the correct network(s) are in the correct groups.

[box]

PetesASA# show run object
object network obj-10.254.254.0
subnet 10.254.254.0 255.255.255.0 <- Subnet behind the ASA
object network obj-10.253.253.0 <- Remote VPN Subnet
subnet 10.253.253.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Media_PC
host 10.254.254.5
PetesASA#

[/box]

3. Also make sure you don’t have any legacy nat rules breaking things.

On a Firewall Older than Version 8.3

On the firewall issue a “show run nat 0” command > take note of the access-list name.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run nat 0
nat (inside) 0 access-list NO-NAT-TRAFFIC
nat (inside) 1 0.0.0.0 0.0.0.0

[/box]

In this example mines called NO-NAT-TRAFFIC (cause I like to keep things simple) yours can be called anything (inside_nat0_outbound is the norm if you used the ASDM to set up the VPN).

Now make sure that you have the correct addresses in that access-list, issue a show run access-list {name} command.

[box]

Petes-ASA#show run access-list NO-NAT-TRAFFIC
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.253.253.0 255.255.255.0
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.252.252.0 255.255.255.0
Petes-ASA#

[/box]

Above we have two subnets that are going to be exempt from NAT, they are 10.253.253.0/24 and 10.252.252.0/24, if the range of IP addresses your remote clients are using is NOT on this list you need to add them.

If you don’t know what addresses they are supposed to be using, then issue a “show run ip local pool” command.

[box]

Petes-ASA#show run ip local pool
ip local pool IPSEC-VPN-DHCP-POOL 10.253.253.1-10.253.253.5
ip local pool SSL-VPN-DHCP-POOL 10.252.252.1-10.252.252.5
Petes-ASA#

[/box]

Again I’ve got a sensible naming policy – so we can see what my pools are for, to see what pools are being used for what, issue a “show run tunnel-group” command.

[box]

Petes-ASA# show run tunnel-group
tunnel-group IPSEC-VPN-GROUP type remote-access <<< Here's my IPSEC VPN's
tunnel-group IPSEC-VPN-GROUP general-attributes
address-pool IPSEC-VPN-DHCP-POOL <<< And here's my matching DHCP scope (IPSEC)
authentication-server-group PNL-KERBEROS
default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes
pre-shared-key *****
tunnel-group SSL-VPN-POLICY type remote-access <<< Here's my SSL VPN's
tunnel-group SSL-VPN-POLICY general-attributes
address-pool SSL-VPN-DHCP-POOL <<< And here's my matching DHCP scope (SSL)
authentication-server-group PNL-KERBEROS
default-group-policy SSL-VPN-GROUP-POLICY
tunnel-group SSL-VPN-POLICY webvpn-attributes
group-alias PNL enable
Petes-ASA#

[/box]

If any of yours are missing then change accordingly.

BUG (08/09/16)

Had this problem again recently, and after staying on the phone to TAC until 03:00, it turned out to be a bug in the SFR (FirePOWER service module) code. That was causing the firewall to silently drop the AnyConnect traffic. So debugs showed nothing, and packet captures were empty. Fixed by removing ‘sfr fail-open’ from the firewall and upgrading the code by re-imaging the SFR module.

Related Articles, References, Credits, or External Links

NA

Manually Configuring HP Wireless (MSM 720 controller) for Public and Private Wireless Networks

KB ID 0000833 

Problem

In the following procedure I’ll configure the following;

  1. HP 5412zl Switch.
  2. Cisco ASA 5510 Firewall.
  3. HP MSM720 Controller.
  4. HP MSM460 and MSM317 Access Points.

If you are configuring an MSM765zl or MSM775zl use the following article first.

HP MSM765zl and 775zl – Initial Setup and Routing

Assumptions

  1. Private SSID will be on the normal corporate LAN (In this case 172.16.254.0/24).
  2. Public SSID will get its IP addressing from the controllers DHCP Server. (10.220.0.0/16).
  3. The Wireless traffic will traverse the corporate LAN (After being natted on the controller) as 10.210.0.0/16.
  4. My LAN DNS Servers are 172.16.254.1 and 172.16.254.2.

Solution

HP Switch Configuration.

1. The switch must be performing LAN routing, if the LAN’s default gateway is a firewall that needs rectifying first. (where 172.16.254.200 is the firewall).

[box]ip routing
ip route 0.0.0.0 0.0.0.0 172.16.254.200[/box]

2. Switch must be able to resolve DNS queries.

[box]ip dns server-address priority 1 172.16.254.1[/box]

3. Declare a VLAN for the guest VLAN (210), name it, and give it an IP address > Add a Port (A1) to that VLAN which will connect to the Internet Port of the MSM Controller (Port5).

[box]vlan 210
name WIRELESS-TRAFFIC
ip address 10.210.0.1 255.255.255.0.0
untagged A1 [/box]

4. Tag This VLAN on the ‘Inter Switch’ Links from the core switch to the firewall/perimeter device.

[box]tag D24[/box]

5. Save the Switch changes with a write mem command.

Configure the Cisco ASA To Allow the Wireless Traffic out.

Actions for different firewall vendors will vary but you need to achieve the following;

Make sure that a client on the 10.210.0.0/16 network can get access to the Internet

To do that you will need to achieve the following;

Make sure that the 10.210.0.0/16 network has http and https access allowed outbound on the firewall.
Make sure that 10.210.0.0/16 is getting NATTED through the firewall to the public IP address
.

1. Connect to the firewall > Allow the Wireless Traffic out.

[box]

access-list outbound extended permit ip 10.210.0.0 255.255.0.0 any

Note: this permits ALL IP traffic you might prefer

access-list outbound extended permit ip 10.210.0.0 255.255.0.0 any eq http
access-list outbound extended permit ip 10.210.0.0 255.255.0.0 any eq https

Note2: This also assumes you have an ACL called outbound applied to traffic that is destined outbound (show run access-group will tell you)

[/box]

2. Perform NAT on the new wireless outbound traffic.

[box]

object network WLAN-CLIENTS
subnet 10.210.0.0 255.255.0.0
nat (inside,outside) dynamic interface

Note: For Firewalls running versions older than 8.3 the NAT commands will be different, e.g.

nat (inside) 1 10.210.0.0 255.255.0.0

{Where you have a matching global (outside) 1 command in the config already}

[/box]

3. Allow the firewall to ‘route’ traffic back to the wireless clients. (where 172.16.254.254 is the core switch performing LAN routing).

[box] route inside 10.210.0.0 255.255.0.0 172.16.254.254[/box]

4. Save the changes.

5. At this point plug a PC/Laptop into the core switch (Port A1) and make sure you can get Internet access (‘you will need a static IP on the 10.210.0.0 range).

Configure the HP MSM 720 Controller

MSM 720 Initial Setup and IP Addressing.

1. Connect to to the MSM 720 controller (Port 1) 192.168.1.1 (username admin, password admin).

2. Go though the initial setup > Stop when you get to the Automated workflows screen (simply press Home).

3. Setup Access Network: Home > Network > Access Network > Set the Addressing and Management IP addresses like so;

  • Addressing 172.16.254.115/24
  • Management address 172.16.254.116/25

Save.

Note: There’s two because you can separate the management traffic off to another subnet if you wish.

4. Connect Port 1 on the MSM controller to ANY normal port on the Switch (which will be untagged in VLAN 1) >Then connect to the Controller on its new IP https://172.16.254.115.

5. Setup Internet Network: Home > Network > Internet Network > Static.

6. Configure > IP = 10.210.0.2 > Address Mask 255.255.0.0 > Save (don’t worry if you get a warning about DNS).

7. Connect Port 5 on the MSM to Port A1 on the switch (the one you untagged in VLAN 210).

8. Setup DNS: Home > Network > DNS > Enter the Primary LAN DNS servers (172.16.254.1 and 172.16.254.2).

9. Tick DNS Cache > Tick DNS Switch over > Tick DNS interception > Save.

10. Setup Default Route: Home > Network > IP Routes > Add.

11. Enter 10.210.0.1 with a Metric of 1 > Add.

12. Setup DHCP (Note: you will create the scope later)

Obviously only complete this step if you want the Controller to act as a DHCP server for your ‘Public’ Wireless network.

Home> Network > Address allocation > Tick DHCP Server > Configure.

13. Enter the domain name > change Lease tome to 1500.

Note: At this point it automatically fills in DHCP Settings (these will NOT be used don’t panic!)

14. REMOVE the tick form Listen for DHCP Requests on ‘Access Network’

15. MAKE SURE there is a tick in the ‘Client data tunnel’ box > Save.

HP MSM 720 Configure Wireless Access Public and Private

For this procedure we will rename the default VSC which is called HP.

1. Home > Controller (on the left) > VSCs) > HP > Change the Profile name for HP to “Private” > Untick Authentication > Untick Access control.

2. Change the SSID from HP to ‘Private’ > Tick Broadcast Filtering.

3. Ensure Wireless security filters is unticked.

4. Tick Wireless Protection > Set the mode to WPA2 (AES/CCMP) > Change Key Source to ‘Preshared Key’ > Enter and confirm the WPA Password > Save (at the bottom of the screen).

5. Setup Public/Guest VSC: Home > VSC’s > Add New VSC Profile.

6. Set the profile name to ‘Public’ > MAKE SURE authentication and access control ARE ticked.

7. Change the SSID to Public > Tick broadcast filtering.

8. Change Allow Traffic between wireless clients to NO > Expand Client Data Tunnel > Tick ‘always tunnel client traffic’.

9. Ensure Wireless Protection is unticked.

10. If you require HTML based logins, tick that (Note: You will need to create a user later, if you enable this).

11. If using the controller for DHCP > Enable the DHCP Server and specify;

  • DNS 10.220.0.1
  • Start 10.220.0.100
  • End 10.220.0.200
  • Gateway 10.220.0.1
  • Net mask 255.255.0.0
  • Subnet 10.220.0.0

Create a Network Profile for Each of the New VSC’s

1. Home > Network > Network Profiles > Add New Profile.

2. Call it ‘Private’ Tick VLAN ID select 1 > Save.

3. Add New Profile > Call it ‘Public’ > Tick VLAN ID and set it to 210 > Save.

4. At this point, connect your wireless AP’s to the network, and the controller should detect them.

Bind the VSC’s to the Default AP Group (Using the network profiles we just created)

1. On the left hand menu > Controller > Controlled Alps > Default Group > VSC Bindings (top) > Select the ‘Private’ VSC Binding.

2. Make sure ‘Egress Network’ is NOT ticked and none is selected > Save.

3. Add New Binding > Select the ‘Public’ VSC Profile > Tick EGRESS NETWORK > Set the Network profile to ‘Public (210)’ > Save.

Create user accounts (Only if using HTML Based Authentication)

1. Home > Users > User Accounts > Add New Account > specify a name i.e guest > specify and confirm a password i.e. Password123.

2. Change the MAX concurrent Sessions to 250 > Enable VSC Usage > Add the ‘Public’ VSC (right arrow) > Save.

Synchronize the Access Points to the MSM Controller

1. Home > Controller (left) > Controller APs > Overview Tab > Change the Action drop down to Synchronize Configuration > Apply.

2. Wait for the APs to synchronize > Test both the SSIDs.

 

Related Articles, References, Credits, or External Links

NA

 

Connecting GNS3 to VMware Workstation

KB ID 0000996 

Problem

A while back I got an email “Here is a suggestion for an article. ‘How to link GNS3 with VMware Workstation'”. Sorry it’s taken me so long to get round to it, here you go Daniel Newton.

Solution

Before we start I’m assuming you have installed VMware Workstation, and you’ve installed and configured GNS3.

1. Launch VMware Workstation > Edit > Virtual Network Editor > By default there will be three networks, the one we are concerned with is the ‘NAT‘ one. I change the default IP range, (in the example below to 123.123.123.123 255.255.255.0) > Apply > OK.

2. NAT Settings > Set the default gateway for the network (Tip: Don’t choose .1, I’ve had problems with that in the past) > OK.

3. DHCP Settings > Even if you’re not going to use DHCP, enter a range of IP addresses on your network > OK.

4. Windows Key + R > ncpa.cpl {Enter} > Notice there’s two new network connections, one for the NAT network, and one for the ‘Host only’ network.

5. To avoid confusion, I rename them.

6. So they are easily identifiable, (you will see why later).

7. In GNS3 drag a ‘Cloud’ onto your workspace.

8. Right click > Configure > NIO Ethernet > Select the Network drop-down box > Select your VMware NAT interface.

9. Add > Apply > OK.

10. Note: If you are working with Cisco ASA firewalls, you cannot simply connect it to the cloud, you need to put a hub/switch or router in between them, or you will see this error message;

Dynamips error
Device does not support this type of NIO. Use an ETHSW or
hub to bridge the connection to the NIO instead.

11. With a switch in between you can connect them together.

12. Now if you give the outside of the firewall an IP on the correct network range (you configure in step 1), and set its default route to point to the gateway address, (you configured in step 2). You will have public Internet access, (assuming the host computer has Internet access).

13 Working with routers (and switches) you can connect them directly to the cloud.

14. Again set the interface IP correctly, and the default route, and you will have public Internet access.

 

Related Articles, References, Credits, or External Links

NA

Cisco Router – Configure Site to Site IPSEC VPN

KB ID 0000933

Problem

I’ve done thousands of firewall VPN’s but not many that terminate on Cisco Routers. It’s been a few years since I did one, and then I think I was a wuss and used the SDM. So when I was asked to do one last week thankfully I had the configs ready to go.

I’m going to use the IP addresses above, and my tunnel will use the following settings;

  • Encryption: AES.
  • Hashing: SHA.
  • Diffie Hellman: Group 2.
  • PFS: Enabled.
  • Authentication method: Pre-Shared Key.

Solution

1. Setup a policy for phase 1 of the tunnel (ISAKMP).

[box]

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#crypto isakmp key SecretK3y address 1.1.1.2

[/box]

2. Setup an ACL to define what traffic will be encrypted, and a ‘Transform set’ that will dictate the encryption and hashing for phase 2 (IPSEC).

[box]

R1(config)#ip access-list extended VPN-ACL
R1(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config-ext-nacl)#crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac

[/box]

3. Create a ‘Crypto map’ that is used to apply the phase 2 settings to an interface.

[box]

R1(config)#crypto map VPN-C-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 1.1.1.2
R1(config-crypto-map)#set transform-set VPN-TS
R1(config-crypto-map)#match address VPN-ACL

[/box]

4. Apply that crypto map to an interface, (usually the Internet facing one).

[box]

R1(config-crypto-map)#interface Serial0/1/0
R1(config-if)#crypto map VPN-C-MAP
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#exit
R1(config)#

[/box]

5. In most cases your router will be doing NAT, if so you will need to change the ACL that is looking after the NAT for you, look in your running config for something that looks like the following;

[box]

R1#show run
Building configuration...

Current configuration : 1249 bytes
------------output removed for the sake of space------------
!

ip nat inside source list 100 interface Serial0/1/0 overload
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!

------------output removed for the sake of space------------
!
line aux 0
!

[/box]

6. To stop our VPN traffic getting NATTED, we need to put a deny in that ACL, and put it before that permit statement. Remember:

  • Permit=Perform NAT
  • Deny=Don’t perform NAT

On this router (unlike the ASA‘s that I’m more used to), there is no option to define an ACL line number. So its easier to remove the existing one, add the new line then put the original one back. Finally save the changes.

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)#access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)#exit
R1#
%SYS-5-CONFIG_I: Configured from console by console

R1#write mem
Building configuration...
[OK]

[/box]

7. Now at the other site, the config should be a mirror image. I will post it in its entirety, so you can copy and paste it into the router, I will highlight the bits you need to check and change in red.

[box]

crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 2
lifetime 86400
crypto isakmp key SecretK3y address 1.1.1.1
ip access-list extended VPN-ACL
permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac

crypto map VPN-C-MAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set VPN-TS
match address VPN-ACL
interface Serial0/1/0
crypto map VPN-C-MAP

no access-list 100 permit ip 20.20.20.0 0.0.0.255 any
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any

[/box]

8. Test your VPN with the following commands. Note: you need to send some traffic over the VPN before it will establish!

[box]

show crypto isakmp sa
show crypto ipsec sa

[/box]

WARNING: If you have an ACL applied to the routers outside interface, you will need to allow in the Peer IP, like so;

[box]

ip access-list extended outside-in
 permit esp host 1.1.1.1 any
 permit udp host 1.1.1.1 any eq isakmp
 permit udp host 1.1.1.1 any eq non500-isakmp

[/box]

If you do not, the other end will fail Phase 1 with a WAIT_MSG_3 Error!

Related Articles, References, Credits, or External Links

NA