Cisco ASA EZVPN (Revisited)

KB ID 0001261

Problem

EZVPN is a technology that lets you form an ISAKMP/IPSEC VPN tunnel from a site with a dynamically assigned IP (the EZVPN Client) back to a device with a static IP (the EZVPN Server).

I’ve called this EZVPN revisited, because this is a technology I’ve talked about before. So why am I here again? Well back then I used the ASDM. If you do that now, you need to go in and mess about with things to get it to work properly. Last week a client was asking me about buying a 5505 for his home, and putting a VPN into his place of work. Obviously he did not have a static IP at home, which was why I suggested EZVPN.

So it’s time to ‘Man Up’ and get to grips with the CLI. In the example below my corporate LAN is behind a Cisco ASA 5515-X, and my ‘Home Office’ is behind a Cisco ASA 5506-X, (you can use a 5508-X as well, or an old 5505).

 

Solution

So how does EZVPN work? Well, there’s no separate or special technology: it’s a good old fashioned client IPSEC VPN, the one we used to use the OLD IPSEC VPN client for (yes, the one that went end of life in 2011!).

But instead of using a piece of software to supply the username/password and the group/pre-shared-key, you configure a hardware device to supply those details. This enables the hardware device to bring up a software client VPN session. There are two methods of doing this, Client Mode and Network Extension Mode (NEM).

  • Client Mode: Works exactly like the VPN client software, and leases an IP address from a pool of IP addresses supplied by the ASA, (or a DHCP server).
  • Network Extension Mode: This works like a ‘proper’ site to site VPN, insofar as all the IP addresses on the client/remote site can be addressed from the main site.

I’m going to use Network Extension Mode for this example, I’m also going to enable ‘Split tunnelling’ so that only VPN traffic goes over the VPN.

Remote EZVPN Client WARNING

The client that ‘dials in’ cannot be running any other VPN solution. In fact it can’t even have IKE policies defined, (even if they are not in use).

Configure the EZVPN Server

The bulk of the work is on the main site ASA.

[box]

!
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec ikev1 transform-set TS-IPSEC-VPN esp-3des esp-sha-hmac
!
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
!
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
 password-storage enable
 nem enable
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-simultaneous-logins 3
!
tunnel-group IPSEC-VPN type remote-access
tunnel-group IPSEC-VPN general-attributes
 default-group-policy IPSEC-VPN
 authentication-server-group LOCAL
tunnel-group IPSEC-VPN ipsec-attributes
 ikev1 pre-shared-key Cisco123456
!
crypto dynamic-map DYNAMIC-CRYPTO-MAP 65535 set ikev1 transform-set TS-IPSEC-VPN
!
crypto map CRYPTO-MAP 65535 ipsec-isakmp dynamic DYNAMIC-CRYPTO-MAP
!
crypto map CRYPTO-MAP interface outside
!
crypto ikev1 enable outside
!
object network OBJ-EZVPN-SUBNET
 subnet 10.254.254.0 255.255.255.0
!
nat (inside,outside) source static any any destination static OBJ-EZVPN-SUBNET OBJ-EZVPN-SUBNET no-proxy-arp route-lookup
!
username EZVPNSite1 password P@ssword123
!

[/box]

Points to Note:

  • I’m using 3DES and SHA1 for Phase 1 (ISAKMP) and Phase 2 (IPSEC).
  • The Network behind my main site ASA is 192.168.100.0/24.
  • The Network behind my remote site ASA is 10.254.254.0/24.
  • I’ve enabled split tunnelling.
  • My interfaces are called inside and outside, yours might be different!
  • Crypto Map Warning: If you already have a crypto map applied to the outside interface, use the name of the existing one (i.e. NOT CRYPTO-MAP), or your existing VPNs will stop working! Issue a ‘show run crypto map’ command to check.
  • I have not enabled PFS. (If I had it would have been in the crypto map).

Configure the EZVPN Client (Remote Site)

The remote site(s) are easy.

[box]

!
vpnclient server 198.100.51.1
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup IPSEC-VPN password Cisco123456
vpnclient username EZVPNSite1 password P@ssword123
vpnclient enable
!

[/box]

Adding Additional EZVPN Sites

To add another site in Client Mode you would simply add another username and password on the EZVPN server. With Network Extension Mode you would add an object and NAT exemption on the main site, then set up a new username and password for that site, like so;

New Site EZVPN Server Config

[box]

!
! Each NEM site needs its own subnet that does not overlap site 1 (10.254.254.0/24)
! or the main LAN; 10.254.253.0/24 below is an example value for site 2
object network OBJ-EZVPN-SUBNET-2
 subnet 10.254.253.0 255.255.255.0
!
nat (inside,outside) source static any any destination static OBJ-EZVPN-SUBNET-2 OBJ-EZVPN-SUBNET-2 no-proxy-arp route-lookup
!
username EZVPNSite2 password P@ssword456
!

[/box]

New Site EZVPN Client Config

You just need the new username and password;

[box]

!
vpnclient server 198.100.51.1
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup IPSEC-VPN password Cisco123456
vpnclient username EZVPNSite2 password P@ssword456
vpnclient enable
!

[/box]
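As an added example (not part of the original article), the following Python script generates the server and client blocks above for each extra Network Extension Mode site, and refuses a subnet that overlaps the main LAN or another site, which is what would break routing back to the remote office. The server IP, group name and group password are the article’s sample values; the helper names and the generated per-site password are my own.

```python
"""Generate per-site EZVPN Network Extension Mode config with subnet checks.

Added example, not from the article: emits the server-side object /
NAT-exemption / username block and the matching client-side 'vpnclient'
block for a new remote site, after checking that the site's subnet does not
overlap the main LAN or any site already configured.
All addresses, names and passwords here are sample values.
"""
import ipaddress
import secrets
import string

MAIN_LAN = ipaddress.ip_network("192.168.100.0/24")   # LAN behind the EZVPN server
SERVER_IP = "198.100.51.1"                            # EZVPN server outside IP (article sample)
GROUP = "IPSEC-VPN"
GROUP_PSK = "Cisco123456"                             # article sample value, not for production


def site_password(length=16):
    """Random per-site password: each remote box gets its own credentials, so a
    lost or compromised EZVPN client does not expose the other sites' logins."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_subnet(new_subnet, existing_subnets):
    """Return the validated network, or raise if it overlaps the main LAN or an
    already-configured site (an overlap leaves the main site unable to route back)."""
    net = ipaddress.ip_network(new_subnet, strict=True)
    for other in [MAIN_LAN, *map(ipaddress.ip_network, existing_subnets)]:
        if net.overlaps(other):
            raise ValueError(f"{net} overlaps {other}; every NEM site needs its own subnet")
    return net


def server_config(site_no, username, password, net):
    """Main-site ASA lines: object, NAT exemption and the site's login."""
    obj = f"OBJ-EZVPN-SUBNET-{site_no}"
    return "\n".join([
        "!",
        f"object network {obj}",
        f" subnet {net.network_address} {net.netmask}",
        "!",
        # NAT exemption so main-site traffic to the remote LAN is not translated
        f"nat (inside,outside) source static any any destination static {obj} {obj} no-proxy-arp route-lookup",
        "!",
        f"username {username} password {password}",
        "!",
    ])


def client_config(username, password):
    """Remote-site ASA lines: the same vpnclient block as the article, new login."""
    return "\n".join([
        "!",
        f"vpnclient server {SERVER_IP}",
        "vpnclient mode network-extension-mode",
        "vpnclient nem-st-autoconnect",
        f"vpnclient vpngroup {GROUP} password {GROUP_PSK}",
        f"vpnclient username {username} password {password}",
        "vpnclient enable",
        "!",
    ])


def add_site(site_no, new_subnet, existing_subnets, password=None):
    """Validate the subnet and return (server_block, client_block, network)."""
    net = check_subnet(new_subnet, existing_subnets)
    username = f"EZVPNSite{site_no}"
    password = password or site_password()
    return server_config(site_no, username, password, net), client_config(username, password), net


if __name__ == "__main__":
    # Site 1 from the article already uses 10.254.254.0/24
    server, client, net = add_site(2, "10.254.253.0/24", ["10.254.254.0/24"])
    print(server)
    print(client)
```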

 

Related Articles, References, Credits, or External Links

NA

Cisco IOS and ASA Showing the Config Without the ‘More’ Breaks/Pauses

KB ID 0001017

Problem

When looking at a router, switch or firewall running config, it will usually display a page at a time; you can page down with the space bar, or line down with the Enter/Return key.

Normally that’s fine, but what if you want to capture (take a quick backup of) the config?

If you do that, and page down as you go, you get a copy of the config that is littered with prompts like this;

–More–

Yes, you can delete them, but in a big config that can take time. How about making the config scroll right to the end without the breaks/pauses?

Solution

Cisco ASA Disable Paging

On a firewall that’s done with the pager command. Normally a firewall config will display 25 lines at a time; to get it to scroll straight to the end, set the pager length to zero.

[box]

Type help or '?' for a list of available commands.
Petes-ASA> enable
Password:*********
Petes-ASA# configure terminal
Petes-ASA(config)# pager 0
Petes-ASA(config)#

[/box]

Tip: If you take a copy of a firewall config, it will blank out (replace with asterisks) the VPN shared secrets and failover keys. You can suppress that, and show the hidden values, with the following command;

[box]

Petes-ASA(config)# more system:running-config

[/box]

To return it to pausing every 25 lines and giving the <— More —> prompt again;

[box]

Petes-ASA(config)# pager 25 

[/box]

Cisco Router / Switch IOS Terminal Length

On IOS the default is 24 lines at a time (‘show terminal’ will tell you). You can change this by changing the terminal length. Note: This is NOT a global configuration command, it is issued from privileged exec mode.

[box]

Petes-Router#terminal length 0

[/box]

To reset it, and get the –More– prompt back again;

[box]

Petes-Router#terminal length 24

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Enrolling for Certificates with NDES

KB ID 0000948

Problem

To get your ASA 5500 firewall to enroll, and obtain a certificate from a Windows Server running NDES, this is the procedure you need to follow.

Solution

When dealing with certificates, it’s important that your firewall is maintaining the correct time. You can set this manually, but I’d recommend setting up NTP.

Cisco ASA – Configuring for NTP

1. Make sure the firewall can contact the NDES server; below I ping its IP address (192.168.1.10). Then set a hostname and domain name for the firewall. These are required to generate an RSA key-pair on the firewall before we start.

[box]

Petes-ASA# ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Petes-ASA# configure terminal
Petes-ASA(config)# hostname Firewall
Firewall(config)# domain-name testbench.local
Firewall(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
Firewall(config)#

[/box]

2. Create a set of CA settings (a trustpoint), then authenticate to it.

[box]

Firewall(config)# crypto ca trustpoint PNL-TRUSTPOINT
Firewall(config-ca-trustpoint)# enrollment url http://192.168.1.10/CertSrv/mscep/mscep.dll
Firewall(config-ca-trustpoint)# revocation-check crl
Firewall(config-ca-trustpoint)# enrollment retry count 3
Firewall(config-ca-trustpoint)# enrollment retry period 5
Firewall(config-ca-trustpoint)# fqdn Firewall.testbench.local
Firewall(config-ca-trustpoint)# crypto ca authenticate PNL-TRUSTPOINT

INFO: Certificate has the following attributes:
Fingerprint: 0454b8f4 73374de8 2fb034cb b887b1d4
Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

[/box]

3. If your NDES Server requires a password you can embed that.

NDES Server Removing or Enforcing Passwords

If you require a password you can obtain it from the NDES Server using the following URL.

http://{IP-or-name-of-NDES-server}/CertSrv/mscep_admin

The page shows the enrollment challenge password you need to enter.

If the page instead says that password enforcement has been disabled, you can skip the next step.

[box]

Firewall(config)# crypto ca trustpoint PNL-TRUSTPOINT
Firewall(config-ca-trustpoint)# password EC4C68382A504339

[/box]

4. Enroll for a certificate.

[box]

Firewall(config)# crypto ca enroll PNL-TRUSTPOINT
%
% Start certificate enrollment ..

IF YOU SUPPLIED A PASSWORD YOU WILL NOT BE ASKED THE FOLLOWING
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ********
Re-enter password: ********

% The fully-qualified domain name in the certificate will be: Firewall.testbench.local

% Include the device serial number in the subject name? [yes/no]: yes

% The serial number in the certificate will be: 123456789AB

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
Firewall(config)# The certificate has been granted by CA!

Firewall(config)#

[/box]

5. If you have a look on the Certificate Server you will also see that the certificate has been issued.

Remember: We set the device to check the Certificate Server’s CRL, so make sure that’s set up properly, and that the device can resolve its name.

Windows Certificate Services – Setting up a CRL

Related Articles, References, Credits, or External Links

Windows Server 2012 – Install and Configure NDES

 

Cisco ASA 5585-X Port Numbering

KB ID 0001004 

Problem

Back at the beginning of the year I had to do a firewall design that included an ASA5585-X, I did some searching to find out how the ports were numbered but came up blank. So I took an (incorrect) educated guess.

I unboxed and fired one up today, and ran though the port numbering and orientation, and discovered the correct numbering.

Solution

Note: This ASA5585-X also has a CX module fitted. The bottom ‘blade’ is the ASA firewall, and the one at the TOP is the CX module. With the CX module fitted, we have an extra eight gigabit Ethernet ports, and two more ten gigabit Ethernet ports.

Port Numbering


Related Articles, References, Credits, or External Links

NA

 

ASA 5585-X Update the CX SSP Module

KB ID 0001005 

Problem

Every piece of documentation I found on upgrading CX SSP modules was for doing so on models other than the ASA5585-X. The (current) latest CLI guide says;

“For the ASA 5585-X hardware module, you must install or upgrade your image from within the ASA CX module. See the ASA CX module documentation for more information.”

Yeah good luck finding that!

Solution

Before I saw the information above I tried to upgrade the CX module from the ASA, and this is the error you get when you try;

[box]

PetesASA(config)# hw-module module 1 recover configure url tftp://10.0.41.100/asacx-5500x-boot-9.3.1.1-112.img
ERROR: Module in slot 1 does not support recovery

[/box]

Then, I tried the update from within the CX module, and got the following error;

[box]

asacx>system upgrade ftp://10.0.41.100/asacx-sys-9.3.1.1-112.pkg
Verifying

111
Upgrade aborted.

[/box]

Note: If you have not already found out, the default username is admin and the default password is Admin123.

Turns out that was an error in 3CDaemon that I use as an FTP server, once I fixed that, I was cooking on gas.

Upgrade the ASA 5585-X CX SSP Module

1. Connect to the CX module’s console port, where you can view the version.

[box]

Cisco ASA CX 9.1.2
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg
If you require further assistance please contact us by sending email to
export@cisco.com.

You can access the Web UI from your browser using the following URL(s):
https://192.168.8.8/

asacx login:

[/box]

2. The CX module has its default IP of 192.168.8.8; I need to change this, and I’ll do that from the command line on the ASA like so.

[box]

PetesASA(config)# session 1 do setup host ip 10.0.41.34/24,10.1.41.1

Syntax

session 1 do setup host ip {IP Address}/{Subnet Mask},{Default Gateway}

[/box]

3. At this point make sure that Management port 1/0 on the CX module is connected to the network.

4. You can simply ping the new IP, or view it in the ASDM. (Note: here you can also view the CX software version).

5. Now the CX module and your FTP server are on the same network, and you have downloaded the CX software from Cisco, you can perform the upgrade, (from the console session on the CX module).

Note: Don’t press any keys (unless asked to), while this is going on, or it has a habit of aborting!

[box]

asacx>system upgrade ftp://10.0.41.100/asacx-sys-9.3.1.1-112.pkg
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-CX 9.3.1.1-112 System Upgrade
Requires reboot: Yes

NOTE: If this device is being managed by a PRSM server, you must also apply the same upgrade package to the PRSM server or you will not be able to deploy configurations from the PRSM server to this device.

Do you want to continue with upgrade? [y]:y

Doing so might leave system in unusable state.

Upgrading
Starting upgrade process …[ 459.563380] kjournald starting. Commit interval 5 seconds
[ 459.648202] EXT3 FS on sde3, internal journal
[ 459.700274] EXT3-fs: mounted filesystem with ordered data mode.

Populating new system image
Copying over new application components
Cleaning up old application components

Reboot is required to complete the upgrade. Press ‘Enter’ to reboot the system. {Enter}

Broadcast message from root (console) (Fri Oct 3 08:20:59 2014):

The system is going down for reboot NOW!

[/box]

6. Post reboot you can see the new version from the console connection.

[box]

Cisco ASA CX 9.3.1.1
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg
If you require further assistance please contact us by sending email to
export@cisco.com.

You can access the Web UI from your browser using the following URL(s):
https://10.0.41.34/
https://[fe80::5af3:9cff:fe05:d2e4]/

asacx login:

[/box]

You can also check the version has updated from within the ASDM.

 

Related Articles, References, Credits, or External Links

NA

 

Cisco ASA – Global Access Lists

KB ID 0001019

Problem

I’ve been working for a client that has a large firewall deployment, and they have twelve switches in their six DMZ’s. I wanted to take a backup of these switches (and all the other network devices).

While I was bemoaning the number of ACLs I would need to allow TFTP in from (note: that’s UDP port 69 if you are interested), my colleague said “Why not use a global ACL?”. On the rare occasions I’m in the ASDM I’ve seen the ‘global’ rule but never really paid it much attention. (Note: You need an OS of 8.3 or newer!)

Don’t panic! I’m not going to use the ASDM, (if you want to use it you can pretty much work out how to do it from the picture above).

What is a Global ACL?

This is an access list that will allow traffic inbound on all interfaces. There are a couple of caveats;

  • Interface specific ACL’s will take precedence over the global ACL (with the exception of the implicit deny at the end of the ACL).
  • With the above in mind, if there is a deny on an interface ACL, traffic will be blocked for that interface.
  • If you have manually added a deny ip any any to the end of an interface ACL (e.g. for logging purposes) then traffic allowed in the global ACL will fail for that interface.

So the firewall processes each interface’s ACL, and just before the implicit deny it checks the global ACL; if the global ACL allows the traffic, it is passed.
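To make the ordering above concrete, here is an added example (my own Python model, not anything from the article or the ASA itself) that evaluates an interface ACL, then the global ACL, then the implicit deny, and shows why a manual ‘deny ip any any’ on an interface ACL defeats a global permit for that interface. The rule format, sample ACLs and traffic tuples are constructed for illustration.

```python
"""Model of ASA access-list evaluation order: interface ACL, global ACL, implicit deny.

Added example, not from the article. It assumes an interface ACL is applied to
the interface being evaluated, and treats ACLs as first-match lists, which is
how the ASA processes them.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches anything; else "udp", "tcp", "icmp"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    port: Optional[int] = None   # destination port; None = any port

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(dst) not in ip_network(self.dst):
            return False
        return self.port is None or self.port == dport


def first_match(acl, proto, src, dst, dport):
    """ACLs are first-match: return the first rule that matches, or None."""
    for rule in acl:
        if rule.matches(proto, src, dst, dport):
            return rule
    return None


def evaluate(interface_acl, global_acl, proto, src, dst, dport):
    """Return (decision, reason) in the order the article describes:
    the interface ACL first, then the global ACL, then the implicit deny."""
    hit = first_match(interface_acl, proto, src, dst, dport)
    if hit:
        return hit.action, "interface ACL"
    hit = first_match(global_acl, proto, src, dst, dport)
    if hit:
        return hit.action, "global ACL"
    return "deny", "implicit deny"


# Constructed sample policy: TFTP (UDP/69) to the management server allowed globally.
GLOBAL_ACL = [Rule("permit", "udp", "any", "192.168.10.10/32", 69)]
# DMZ1: only HTTPS explicitly permitted, no explicit deny, so the global ACL is consulted.
DMZ1_ACL = [Rule("permit", "tcp", "172.16.1.0/24", "any", 443)]
# DMZ2: same, plus a logging 'deny ip any any' at the end, the caveat from the article.
DMZ2_ACL = DMZ1_ACL + [Rule("deny", "ip", "any", "any")]


def demo():
    tftp = ("udp", "172.16.1.5", "192.168.10.10", 69)
    return {
        "dmz1_tftp": evaluate(DMZ1_ACL, GLOBAL_ACL, *tftp),   # permit via global ACL
        "dmz2_tftp": evaluate(DMZ2_ACL, GLOBAL_ACL, *tftp),   # deny: interface ACL wins
        "dmz1_ssh": evaluate(DMZ1_ACL, GLOBAL_ACL, "tcp", "172.16.1.5", "192.168.10.10", 22),
    }


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:10} -> {decision} ({reason})")
```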

Solution

OK, I want to allow all my DMZ devices to be able to communicate with the TFTP server on my management server in the LAN.

1. Log into the firewall and create an ACL as you would normally.

[box]

PetesASA> enable
Password: *********
PetesASA# configure terminal
PetesASA(config)# access-list ACL-Global extended permit udp any any eq 69

[/box]

2. Then instead of applying the ACL directionally to an interface, apply it globally.

[box]

PetesASA(config)# access-group ACL-Global global

[/box]

That’s it! Let’s test it by trying to back up a DMZ switch.

[box]

DMZ1-SW-1#copy running-config tftp
Address or name of remote host []? 192.168.10.10
Destination filename [DMZ-SW-1-confg]? DMZ-SW-1-Backup
!!
1130 bytes copied in 12.244 secs (92 bytes/sec)

[/box]

Related Articles, References, Credits, or External Links

NA

Configure Your Firewall for SNMP

KB ID 0001034 

Problem

Had a requirement to let SNMP traffic through a firewall this week. I have a client that has both SolarWinds and SCOM, and they need to monitor the external Citrix ADC load balancers. For SNMP we simply need UDP ports 161 and 162 (see below), but SolarWinds maintains ‘ping’ connectivity to the monitored assets, so ICMP also needs to be open.

Inbound Ports

Outbound Ports

Solution

As my ‘weapon of choice’ is a Cisco ASA, here’s how to set it up.

1. Connect to the firewall and proceed to global configuration mode.

[box]

User Access Verification

Password:*******
Type help or ‘?’ for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

2. Assuming my inside interface is called ‘inside’, allow the traffic outbound, then apply that ACL to the firewall with an access-group command.

Cisco ASA – ‘access-group’ Warning

[box]

Petes-ASA(config)# access-list outbound permit udp host 192.168.1.100 host 172.16.1.10 eq 161
Petes-ASA(config)# access-list outbound permit icmp host 192.168.1.100 host 172.16.1.10
Petes-ASA(config)# access-group outbound in interface inside

[/box]

3. Assuming my outside interface is called ‘outside’, allow the traffic inbound, then apply that ACL to the firewall with an access-group command.

Cisco ASA – ‘access-group’ Warning

[box]

Petes-ASA(config)# access-list inbound permit udp host 172.16.1.10 host 192.168.1.100 eq 162
Petes-ASA(config)# access-list inbound permit icmp host 172.16.1.10 host 192.168.1.100
Petes-ASA(config)# access-group inbound in interface outside

[/box]

Note: Simply allowing ICMP will not permit ‘ping’ see the following article;

Cisco Firewalls and PING

4. Save the changes.

[box]

Petes-ASA(config)# write memory
Building configuration…
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

Also

You may want to open UDP 514 (syslog) from the device to the monitoring server, (assuming you have configured syslog on the monitored device). If the monitored device cannot communicate make sure it’s not using DNS to resolve the monitoring server (if so you may need to open UDP 53 to a DNS server).

Related Articles, References, Credits, or External Links

NA

 

Cisco ASA – ‘access-group’ Warning

KB ID 0001035

Problem

I’ve been writing Cisco ASA walkthroughs for years, and littered all over PeteNetLive you will see me warning readers every time I use access-group commands. So I’ve finally got round to putting this article up so I can reference it in future.

What is an Access-Group command?

You use an access-group command to apply an access-list to an interface, in a particular direction (in or out), although I always apply access-groups inbound on an interface to avoid confusion.

Example

[box]

Create an access list first

access-list outbound permit tcp host 192.168.1.1 any eq www

Then nothing will happen unless you apply that ACL to an interface with an 
access-group command.

access-group outbound in interface inside

[/box]

Solution

So Why The Access-Group Warning?

Reason 1

When I post articles and direct you to allow traffic through a firewall, I make the assumption that you do not have any ACLs already applied with access-group commands. If you did, and followed my tutorials blindly, then you would overwrite your access-groups, and any existing ACLs would stop working! (The ACLs would still be there, you would just need to reapply them.)

Reason 2

By default traffic will flow through the ASA from interfaces that have a higher (more secure) security level to interfaces with a lower security level. That’s why you can get out through a new firewall without adding any rules. However, every ACL has an implicit deny on the end of it. So if you have a mail server and allow out SMTP, for example, as soon as you apply the ACL with your access-group command you STOP ALL OTHER OUTBOUND COMMUNICATION until that is allowed as well.

So How Can You Make Sure I’m Not About to Break Anything?

Easy, your firewall will tell you if you have any access-groups already in use with a ‘show run access-group’ command. Below you can see there are three, and which interface each is applied to.

[box]

User Access Verification

Password: ********
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# show run access-group
access-group inside-in in interface outside
access-group outside-in in interface inside
access-group DMZ-in in interface DMZ
PetesASA#

[/box]

I’ve deliberately shown a naming convention I don’t usually use, I typically have an ACL called outbound for outgoing traffic, and inbound for incoming traffic. If your firewall has different named ACLs applied with access-group commands USE YOUR ACL NAME, NOT THE ONES IN MY ARTICLES!
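As an added example (my own Python, not part of this or the EZVPN article), the script below parses the output of the two ‘show run’ checks recommended on this page (‘show run access-group’ here, and ‘show run crypto map’ in the EZVPN Crypto Map Warning) and tells you whether the commands you are about to paste would replace an ACL or crypto map that is already bound to an interface. The sample outputs are constructed to match the article’s format; the interface and ACL names are examples.

```python
"""Check 'show run access-group' / 'show run crypto map' output before applying.

Added example, not from the article. Paste in the real output of the two
commands and the planned access-group / crypto map lines, and it reports any
binding the new command would silently overwrite.
"""
import re

# Constructed sample output of 'show run access-group' (the article's three bindings)
SHOW_RUN_ACCESS_GROUP = """\
access-group inside-in in interface outside
access-group outside-in in interface inside
access-group DMZ-in in interface DMZ
"""

# Constructed sample output of 'show run crypto map' on a box with an existing VPN
SHOW_RUN_CRYPTO_MAP = """\
crypto map OUTSIDE-MAP 1 match address VPN-TO-BRANCH
crypto map OUTSIDE-MAP 1 set peer 203.0.113.5
crypto map OUTSIDE-MAP 1 set ikev1 transform-set TS-BRANCH
crypto map OUTSIDE-MAP interface outside
"""

ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)", re.M)
CRYPTO_MAP_IF_RE = re.compile(r"^crypto map\s+(\S+)\s+interface\s+(\S+)", re.M)


def parse_access_groups(text):
    """Return {(interface, direction): acl_name} for every applied ACL."""
    return {(iface, direction): acl for acl, direction, iface in ACCESS_GROUP_RE.findall(text)}


def parse_crypto_maps(text):
    """Return {interface: crypto_map_name} for every crypto map bound to an interface."""
    return {iface: name for name, iface in CRYPTO_MAP_IF_RE.findall(text)}


def check_access_group(planned_cmd, applied):
    """For a planned 'access-group X in interface Y': 'ok' if Y has no ACL in that
    direction or already uses X; otherwise a warning naming the ACL that would be replaced."""
    m = ACCESS_GROUP_RE.match(planned_cmd)
    if not m:
        raise ValueError(f"not an access-group command: {planned_cmd!r}")
    acl, direction, iface = m.groups()
    current = applied.get((iface, direction))
    if current is None or current == acl:
        return "ok"
    return (f"WARNING: {iface} {direction} already uses ACL {current}; "
            f"applying {acl} would replace it, add your rules to {current} instead")


def check_crypto_map(planned_name, iface, applied):
    """Same check for 'crypto map NAME interface IFACE'."""
    current = applied.get(iface)
    if current is None or current == planned_name:
        return "ok"
    return (f"WARNING: {iface} already has crypto map {current}; "
            f"use that name instead of {planned_name} or the existing VPNs will stop")


if __name__ == "__main__":
    groups = parse_access_groups(SHOW_RUN_ACCESS_GROUP)
    maps = parse_crypto_maps(SHOW_RUN_CRYPTO_MAP)
    # The article's usual names would clash with the bindings shown above
    print(check_access_group("access-group outbound in interface inside", groups))
    print(check_crypto_map("CRYPTO-MAP", "outside", maps))
```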

I’ve followed Your Article and It Works But Everything Else Has Stopped Working!

OK remember (Reason 2) above, you need to allow the traffic out again. The simplest way to do that is with a permit ip any any command which is what you had originally*, (I prefer to only allow out what traffic needs to go out, but I’m a firewall nut!)

*Note: To avoid emails from the pedants, you actually had all protocols open, not just IP.

[box]

Assuming the last commands you issued looked something a little like..

access-list outbound permit tcp host 192.168.1.1 any eq www
access-group outbound in interface inside

Now that works, but everything else does not, you have fallen foul of the ‘implicit deny’, so allow out the traffic you want to allow out i.e.

access-list outbound permit ip any any


[/box]

 

Related Articles, References, Credits, or External Links

NA

 

Cisco ASA – Changing the Outside IP Address

KB ID 0001081 

Problem

I see this question get asked a lot on forums, most people never touch the firewall, ‘if it’s working leave it alone’. And that’s great until you move offices, or get a newer faster (or cheaper) Internet connection.

What if you have lots of public IP addresses? What if you have VPN’s (or AnyConnect clients). What’s the best way to do this with a minimum of downtime?

Note: If you get all your outside IP details via DHCP, and no one speaks to you from outside (i.e. unless the ISP always reserves and issues the same IP details to you because you have a mail server or VPN connections etc.), then you can probably simply plug into the new Router/Modem/Socket and reboot the ASA.

Solution

Time spent on reconnaissance is seldom wasted.

OK, let’s not run to the comms rack with a laptop and get stuck into the problem; get all your ducks in a row first.

1. Your Current Internet Connection: I know you’re going to turn this off, but if there’s a problem and everything ‘goes to hell in a hand cart’, you might need to connect back to this one in a hurry, (best not to look like a clown because you deleted all those settings and don’t know what they are). As a bare minimum have the following;

  • ISP Name.
  • ISP Tech Support phone number.
  • IP address(es) allocated to you by the ISP (including the subnet mask and the IP of their router, if applicable).
  • Username and Passwords for your Internet Connection (if applicable i.e. for ADSL, PPPoE etc).
  • The details, of any public DNS records that point to you i.e. The MX records for your email, or URLs for any web services you host etc. If you have a web portal for managing this make sure you can log in. Or if your ISP handles this, get the information on how you can change your host records to point to the new IP address, (i.e. a fax on company headed notepaper, or a call to your account manager etc).

Setting up the Correct DNS Records for your Web or Mail Server

Then ring the old ISP and make sure you can log a technical call without having to give them a password (that everyone’s forgotten), or discovering that the only person they will talk to left the company five years ago. (Get the feeling I’ve done this a lot!)

2. Your New Internet Connection: See everything you did above? Get all the same information for the new ISP.

3. Backup: You are only ever as good as your last backup; make sure the ASA is backed up before you start, and back up to TFTP or via the ASDM, NOT by copying and pasting the config into Notepad (this tends to hide shared secrets etc.).

Backup and Restore a Cisco Firewall.

4. Test The New Internet Connection: I’ve had many a call from a colleague that they can’t get an ASA working through a new Internet connection. And when I tell them to turn off the ASA and plug their laptop into the Router/Modem/Socket, guess what? Yes, the connection that the salesman at the ISP said was live really isn’t!

Warning: Sometimes you find that if you have used the public IP your ISP gave you on your laptop, when you plug in the ASA it won’t work (this happens because the router ‘caches’ the MAC address of the laptop, and gets confused when the ASA uses the same IP). So if possible use a different IP for testing (if you have more than one IP), or turn the ISP equipment off for a while after testing.

5. Who talks to you? What speaks to the ASA from outside? Do you have a web server, email server, FTP server, or other public facing service? Do you have other offices that connect to you via VPN? Do you have remote workers that connect via VPN/AnyConnect?

5a. What Other Public IP’s Do You Use? You may have covered this in point 5 but now I’m talking about the public IP addresses that are in use but NOT assigned to the outside interface. Typically these are used in what we call static NAT.

If you have other sites with VPNs to you, they will need changing to point to the new public IP address.

Cisco ASA – Changing VPN IP Addresses

 

Changing The ‘Outside’ IP of the ASA

Now you’ve read all the above, you have a better appreciation of what you might break, and how much downtime to expect. The outside interface of the ASA is exactly the same as any network connection: it needs an IP address, a subnet mask, and a default route (the same as a default gateway, for you Windows types).

Again, never assume the outside interface is called ‘outside’; I’ve seen all sorts of naming: outside, Outside, Public, WAN etc. You already know the public IP, so let’s see what the interface name that’s using it is;

Connect to the ASA

From CLI;

[box]

Petes-ASA> enable
Password: ********
Petes-ASA# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0         outside                91.91.91.1      255.255.255.248 CONFIG
GigabitEthernet1         inside                 192.168.1.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0         outside                91.91.91.1      255.255.255.248 CONFIG
GigabitEthernet1         inside                 192.168.1.1     255.255.255.0   CONFIG
Petes-ASA#

Or on an ASA 5505

Password: ********
Petes-ASA# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method 
Vlan1                    inside                 192.168.1.1     255.255.255.0   CONFIG
Vlan2                    outside                91.91.91.1      255.255.255.248 CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method 
Vlan1                    inside                 192.168.1.1     255.255.255.0   CONFIG
Vlan2                    outside                91.91.91.1      255.255.255.248 CONFIG
Petes-ASA#

Notice: On smaller ASA's the IP address is allocated to a VLAN, on larger ones the IP
is allocated to a physical interface. Also the 'Method' says 'CONFIG', if it said DHCP
then you are getting these settings dynamically from your ISP.

[/box]

From ASDM;

Configuration > Device Setup > Interfaces.

Now we know our interface name, and where the IP address and the subnet mask are. Next we need to locate the default route for the ‘outside’ interface (or whatever yours is called).

From CLI;

[box]

ASA-1# show run route
route outside 0.0.0.0 0.0.0.0 91.91.91.2 1
ASA-1#

Or to get the same information from the routing table;

Petes-ASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 91.91.91.2 to network 0.0.0.0

C    91.91.91.0 255.255.255.248 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 91.91.91.2 outside
Petes-ASA# 

[/box]

From ASDM;

Configuration > Device Setup > Routing > Static Routes.

Now you know the interface name, and you know its physical name (GigabitEthernet0, Vlan 2, etc.), you have all the information you need to change the IP address, subnet mask and default route.

From CLI;

[box]

Petes-ASA> enable
Password: *********
Petes-ASA# configure terminal
Petes-ASA(config)# int gigabitEthernet 0
Petes-ASA(config-if)# ip address 60.60.60.1 255.255.255.240
Petes-ASA(config-if)# exit

You can only have one 'Default route', so you can't just add the new one, (or it will error)
so you need to remove that route, (by prefixing the command with a 'no'). Then add the new
default route in.

Note: If there's a number at the end of the route command, you can leave that off it's just
a routing metric number.

Petes-ASA(config)# no route outside 0.0.0.0 0.0.0.0 91.91.91.2
Petes-ASA(config)# route outside 0.0.0.0 0.0.0.0 60.60.60.2

[/box]

From ASDM;

In the ASDM you go to the same sections you did above, select the interface or route, click edit, then make the change. Note if you are going to use PPPoE read the following article.

Cisco ASA 5500 – Configuring PPPoE

Don’t forget to click Apply!

Test – The New Public IP Address

Before we look at anything else we need to make sure the ASA has connectivity to the Internet, and that the ASA itself can ping a public IP address (Note: I said the ASA, not something on your network). I usually ping 8.8.8.8 (Google DNS server) because it always responds.

[box]

User Access Verification

Password: *******
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/20 ms
Petes-ASA# 

[/box]

If this fails, ensure you can ping your ISP router (the default route IP). This should be pretty easy to troubleshoot with the assistance of the ISP.

Once the ASA can connect to the Internet make sure your internal clients can. Remember, if you are going to use ping to test connectivity through the firewall you need to have ICMP inspection set up, see the following article;

Cisco Firewalls and PING


Cisco ASA – Migrating Other Public IP Addresses

If you are performing ‘port forwarding‘ from the outside interface, i.e. taking all SMTP (TCP Port 25) traffic and forwarding it to an internal host, then the firewall should require no further configuration as that should be done from the interface name NOT the old public IP address.

You can quickly setup port forwarding if it’s stopped by reading the following article;

Cisco PIX / ASA Port Forwarding

If you have internal hosts statically mapped to public IP addresses from your old ISP range then these will need to be changed. Here you can see I’ve got a static NAT for an internal server;

[box]

Petes-ASA# show nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Obj-Web-Server 91.91.91.3
    translate_hits = 101, untranslate_hits = 100
2 (inside) to (outside) source dynamic PAT-Internal interface
    translate_hits = 999, untranslate_hits = 52
Petes-ASA#

Petes-ASA# show run nat 
!
object network PAT-Internal
 nat (inside,outside) dynamic interface
object network Obj-Web-Server
 nat (inside,outside) static 91.91.91.3
Petes-ASA#

To Change

Petes-ASA# configure terminal 
Petes-ASA(config)# object network Obj-Web-Server
Petes-ASA(config-network-object)# no nat (inside,outside) static 91.91.91.3
Petes-ASA(config-network-object)# nat (inside,outside) static 60.60.60.3   
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# clear xlate
INFO: 453 xlate deleted
Petes-ASA(config)# 

[/box]

To do the same in the ASDM is a little more convoluted: you need to check every NAT rule and see if you have one whose type is ‘static’ and has an IP address from your old ISP range, then you can change it accordingly.

Configuration > Firewall > NAT Rules

Don’t forget to click Apply!

For more information on Static (One to One) NAT see the following article;

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall


Cisco ASA – Migrating VPN’s Post IP Address Change

Site to Site VPN

If you have site to site (IPSEC) VPN’s then these will have gone down when the public IP address changed. If the device at the other end is a Cisco ASA/PIX then follow the advice in the following article;

Cisco ASA – Changing VPN IP Addresses

Client VPN

For remote workers using the older IPSEC VPN client, you will need to send them a new PCF file to import into their VPN client with the new IP address in it, (unless they are pointing at your public DNS name, then you simply need to change the IP address that the DNS name points to). PCF files are explained in the following article;

Working with the Cisco VPN Client. (IPSEC)

AnyConnect

As above, if your AnyConnect clients connect directly to a public name like vpn.yourbusiness.com then just change that record to point to the new public IP address. Just be aware that if you have set the AnyConnect profile to point to your old IP address, then your remote clients will automatically break themselves every time they connect and download the profile; change it to the new IP address, or even better a public name/URL.

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.


Don’t Forget: Save any changes you have made to the firewall either with a ‘write mem‘ command, or File > Save running configuration to flash, if you’re in the ASDM.
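Before you save, it is worth checking the whole running config for anything that still points at the old ISP range (interface addresses, static NATs, the default route, VPN peers). The script below is an added example of mine, not part of this article; it runs offline over a constructed config fragment in the shape of the examples above, and the ranges 91.91.91.0/29 and 60.60.60.0/28 are assumed.

```python
import ipaddress
import re

# Constructed sample running-config in the shape of this article's examples.
# Old ISP range: 91.91.91.0/29 (gateway 91.91.91.2); new range: 60.60.60.0/28.
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 60.60.60.1 255.255.255.240
!
object network Obj-Web-Server
 host 192.168.1.10
 nat (inside,outside) static 91.91.91.3
object network PAT-Internal
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 91.91.91.2 1
crypto map outside_map 1 set peer 203.0.113.5
tunnel-group 203.0.113.5 type ipsec-l2l
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# The first keyword of a line says which part of the migration it belongs to
# (interface address, static NAT, default route, or a VPN peer).
KINDS = {"ip": "interface", "nat": "nat", "route": "route",
         "crypto": "vpn", "tunnel-group": "vpn"}

def find_stale_refs(config, old_range):
    """Return [(line_no, kind, line)] for every config line that still carries
    an address inside old_range. Dotted subnet masks such as 255.255.255.248
    fall outside any public range, so they never produce a false hit."""
    old = ipaddress.ip_network(old_range)
    hits = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        for token in IPV4.findall(line):
            try:
                if ipaddress.ip_address(token) in old:
                    hits.append((n, KINDS.get(line.split()[0], "other"), line))
                    break
            except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
                continue
    return hits

if __name__ == "__main__":
    for n, kind, line in find_stale_refs(SAMPLE_CONFIG, "91.91.91.0/29"):
        print(f"line {n:2d} [{kind}] {line}")
```

Feed it the output of ‘show run’ and the old range, and every hit is a line you still have to migrate.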

I think I’ve got most stuff covered, if I’ve missed something that’s caused you problems let me know, and I will update this article accordingly (contact link below).

Related Articles, References, Credits, or External Links

Cisco ASA 5500 – Adding New ‘Different Range’ Public IP Addresses


Cisco ASA 5500 – Sub Interfaces and VLANS

KB ID 0001085 

Problem

You can take the physical interface of a Cisco ASA firewall, (or an ether channel) and split it down into further sub-interfaces. This way you can set multiple VLANs to use this interface as a gateway at the same time whilst still separating the traffic.

In this scenario I’m going to have two VLANs, one for my wired clients, and one for a ‘Guest WiFi’ that I’m setting up. I want the guest WiFi to run in its own separate VLAN, so it can’t touch my corporate network. And I want to NAT both networks to my public IP.

The maximum number of sub-interfaces depends on the hardware model’s maximum number of VLANs, so;

Model      Max VLANs
5506-X     5 (30 with Security Plus)
5506-W-X   5 (30 with Security Plus)
5506-H-X   30
5508-X     50
5510       50 (100 with Security Plus)
5512-X     10 (100 with Security Plus)
5515-X     100
5516-X     100
5520       150
5525-X     200
5540       200
5545-X     300
5550       250
5555-X     500
5580       250
5585-X     1024

Note: Sub interfaces are NOT supported on the ASA 5505. (But you can have up to 20 VLANs with a ‘security-plus‘ licence, or 3 (DMZ restricted) with a ‘base‘ licence).

Solution

To create sub-interfaces on a physical interface, that interface must have no settings on it (other than that it should not be shut down).

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# clear interface gigabitEthernet 1

[/box]

Then create a sub-interface for each of my VLANs.

[box]

Create Sub interface for VLAN 2

Petes-ASA(config)# interface gigabitEthernet 1.2
 Petes-ASA(config-subif)# vlan 2
 Petes-ASA(config-subif)# nameif Corp-LAN
 INFO: Security level for "Corp-LAN" set to 0 by default.
 Petes-ASA(config-subif)# security-level 100
 Petes-ASA(config-subif)# ip address 10.2.2.254 255.255.0.0
 Petes-ASA(config-subif)# exit
 Petes-ASA(config)#

Create Sub interface for VLAN 3

Petes-ASA(config)# interface gigabitEthernet 1.3
 Petes-ASA(config-subif)# vlan 3
 Petes-ASA(config-subif)# nameif Corp-WiFi
 INFO: Security level for "Corp-WiFi" set to 0 by default.
 Petes-ASA(config-subif)# security-level 90
 Petes-ASA(config-subif)# ip address 10.3.3.254 255.255.0.0
 Petes-ASA(config-subif)# exit
 Petes-ASA(config)#

[/box]

Note: I’ve manually set the security levels and made the corp-lan interface more trusted.

So my firewall config now looks like this;

[box]

!
 interface GigabitEthernet1
 no nameif
 no security-level
 no ip address
 !
 interface GigabitEthernet1.2
 vlan 2
 nameif Corp-LAN
 security-level 100
 ip address 10.2.2.254 255.255.0.0 
 !
 interface GigabitEthernet1.3
 vlan 3
 nameif Corp-WiFi
 security-level 90
 ip address 10.3.3.254 255.255.0.0 
 !

[/box]

NAT/PAT Traffic From Your Sub-Interfaces

I’m taking all traffic from both subnets (10.2.0.0/16 and 10.3.0.0/16), and I’m going to NAT both of these to my public IP. (Note: I’m actually going to PAT the addresses, but that’s just semantics).

[box]

Petes-ASA(config)# object network Corp-LAN-PAT
 Petes-ASA(config-network-object)# subnet 10.2.0.0 255.255.0.0
 Petes-ASA(config-network-object)# nat (Corp-LAN,outside) dynamic interface 
 Petes-ASA(config-network-object)# exit
 Petes-ASA(config)# object network Corp-Wifi
 Petes-ASA(config-network-object)# subnet 10.3.0.0 255.255.0.0
 Petes-ASA(config-network-object)# nat (Corp-WiFi,outside) dynamic interface
 Petes-ASA(config-network-object)# exit

[/box]

If you have ACLs you will need to allow the traffic out, and if you want to test connectivity by pinging a public IP address you will need to have ICMP inspection configured on the firewall.
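The mistakes that bite with sub-interfaces are a parent interface that was never cleared, a nat or route command that names an interface that does not exist, and more VLANs than the model licenses. The checker below is an added example of mine, not part of this article; it runs offline over a constructed config in the shape of the one above (with two deliberate mistakes planted in it) and takes its base-licence limits from the table at the top of the article.

```python
import re
# Constructed sample in the shape of the article's sub-interface config. It
# carries two deliberate mistakes for the checks to catch: the parent
# GigabitEthernet1 still has a nameif, and the NAT rule names "Guest-WiFi".
SAMPLE_CONFIG = """\
interface GigabitEthernet1
 nameif old-inside
!
interface GigabitEthernet1.2
 vlan 2
 nameif Corp-LAN
 ip address 10.2.2.254 255.255.0.0
!
interface GigabitEthernet1.3
 vlan 3
 nameif Corp-WiFi
 ip address 10.3.3.254 255.255.0.0
!
interface GigabitEthernet0
 nameif outside
!
object network Corp-Wifi
 nat (Guest-WiFi,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 123.123.123.124
"""
# Base-licence limits from the table above; models not listed here (such as
# the 5505, which has no sub-interface support at all) get a limit of 0.
MAX_VLANS = {"5506-X": 5, "5508-X": 50, "5512-X": 10, "5515-X": 100}

def check_subinterfaces(config, model):
    """Return the problems found: parents that still carry settings, nameif
    references that no interface defines, and too many sub-interfaces."""
    blocks = re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)
    interfaces = {name: dict(l.strip().partition(" ")[::2] for l in body.splitlines())
                  for name, body in blocks}
    refs = re.findall(r"^route (\S+)", config, re.M)
    refs += [n for pair in re.findall(r"nat \(([^,]+),([^)]+)\)", config) for n in pair]
    names = {cfg["nameif"].lower() for cfg in interfaces.values() if "nameif" in cfg}
    subs = [n for n in interfaces if "." in n]
    problems = []
    for sub in subs:
        parent = interfaces.get(sub.split(".")[0], {})
        if "nameif" in parent or "ip" in parent:
            problems.append(f"{sub}: parent still has a nameif or ip address; clear it first")
    for ref in refs:
        if ref.lower() not in names:  # names are compared without regard to case
            problems.append(f"'{ref}' is referenced but no interface has that nameif")
    if len(subs) > MAX_VLANS.get(model, 0):
        problems.append(f"{len(subs)} sub-interfaces exceed the {model} base-licence limit")
    return problems
```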

What if you want the WiFi VLAN to have a different Public IP?

If you want to use another public IP from your public range, PAT the WiFi VLAN to a spare address in that range rather than the interface address. Here is an example of the config (123.123.123.124 is the ISP gateway, so the WiFi traffic is PAT’d to 123.123.123.125);

[box]

 !
 interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.0 
 !
 interface GigabitEthernet1
 no nameif
 no security-level
 no ip address
 !
 interface GigabitEthernet1.2
 vlan 2
 nameif Corp-LAN
 security-level 100
 ip address 10.2.2.254 255.255.0.0 
 !
 interface GigabitEthernet1.3
 vlan 3
 nameif Corp-WiFi
 security-level 90
 ip address 10.3.3.254 255.255.0.0 
 ! 
 object network Corp-LAN-PAT
 subnet 10.2.0.0 255.255.0.0
 nat (Corp-LAN,outside) dynamic interface
 !
 object network Corp-Wifi
 subnet 10.3.0.0 255.255.0.0
 nat (Corp-WiFi,outside) dynamic 123.123.123.125 
 ! 
 route outside 0.0.0.0 0.0.0.0 123.123.123.124
 ! 

[/box]

Or, if you want the traffic to leave by another public interface (i.e. connected to another ISP) you can do the following;

[box]

!
 interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.0 
 !
 interface GigabitEthernet1
 no nameif
 no security-level
 no ip address
 !
 interface GigabitEthernet1.2
 vlan 2
 nameif Corp-LAN
 security-level 100
 ip address 10.2.2.254 255.255.0.0 
 !
 interface GigabitEthernet1.3
 vlan 3
 nameif Corp-WiFi
 security-level 90
 ip address 10.3.3.254 255.255.0.0 
 !
 interface GigabitEthernet2
 nameif outside-WiFi
 security-level 0
 ip address 234.234.234.234 255.255.255.252 
 ! 
 object network Corp-LAN-PAT
 subnet 10.2.0.0 255.255.0.0
 nat (Corp-LAN,outside) dynamic interface
 !
 object network Corp-Wifi
 subnet 10.3.0.0 255.255.0.0
 nat (Corp-WiFi,outside-WiFi) dynamic interface
 !
 route outside 0.0.0.0 0.0.0.0 123.123.123.124
 route outside-wifi 0.0.0.0 0.0.0.0 234.234.234.235
 ! 

[/box]

Setting Up The Switch

This will depend upon the vendor, but essentially if it’s a Cisco Switch you make the uplink switch port a ‘trunk-port’, and either allow ALL VLANs or just VLANs 2 and 3. Then every wired connection will connect to a port you have set up as an ‘access-port’ on VLAN 2. All the wireless equipment will plug into ports that you have made ‘access-ports’ on VLAN 3.

For other vendors you would need to ‘tag’ VLANs 2 and 3 onto the firewall uplink port. Then ‘untag’ VLAN 2 on all the wired ports. Then finally ‘untag’ VLAN 3 on all the wireless ports.

See the following article for more information;

HP and Cisco – VLANs and Trunks Confusion!

Related Articles, References, Credits, or External Links

NA