VMware Enable SSH (vSphere ESX)

 

VMware Enable SSH KB ID 0000299 

Problem

Should you wish to get SSH (remote secure console) access to your ESX  hosts, you need to do the following.

ESX Version 8 and Newer

ESX Version 6.5 and Newer

ESX version 5 and Newer

ESX version 4.1.0

ESX version 4.0.0 and earlier

ESX version 4.0.0 and earlier

Solution

VMware Enable SSH ESX 8.0

Directly on an ESX Host: If you have a stand-alone ESX Server running version 8.x, Log in via the web console >  Select ‘Host’ > Actions > Services > Enable Secure Shell (SSH).

Via vSphere/vCenter: If you want to enable SSH on an ESX host through the vCenter Web client then, from the ‘hosts and datacentres’ view > Select the Host  > Configure > Services > Locate SSH > Start.

Enable SSH Permanently: Some people don’t want this enabled for security reasons, and in production that makes sense, but on my test network I always have SSH enabled. from the same screen as above with SSH selected > Edit Start-up Policy > Select ‘Start an stop with host” > OK.

VMware Enable SSH 6.5

If you have a stand-alone ESX Server running version 6.5, it’s a lot easier to enable ESX access. Select ‘Host’ > Actions > Service > Enable Secure Shell (SSH). Note: You can also enable the direct console access here.

If you want to enable SSH on an ESX host through the vCenter Web client then, from the ‘hosts and datacenters’ view > Select the Host  > Configure > Security Profile > Scroll down to ‘Services’ > Edit.

Locate ‘SSH > Start > OK.

Once enabled you will see the following warning on the hosts summary page, however, in version 6.5 you can suppress this error.

VMware Enable SSH ESX 5

ESX 5 has a built in firewall, which can have SSH opened in the VI clients, or just as with version 4.1.0 you can enable SSH Locally from the console from troubleshooting options.

Enable Remotely

1. Log into the host with the VI client > Select the host > Configuration > Security Profile > Properties.

2. Locate SSH Server > Tick it > Options > You can either manually start it or set it to start automatically.

3. You will see the following warning to “retrieve” the firewall settings (because you have just changed them) > Select Yes.

Note: Having it running will still cause the “Configuration Issues – SSH for the host has been enabled” nag screen on the summary tab of the host.

VMware Enable SSH ESX 4.0.1

Starting with version 4.0.1 you can enable SSH access from the server console.

1. Go to the normal ESX console > Press F2 > Log in >Troubleshooting Options.

2. Select “Enable Remote Tech support” toggle on and off with {enter} if you want to SSH in the server remotely using PuTTy for example > If you want to log on directly at the console choose “Enable Local Tech Support”.

3. Note: Having it running will still cause the “Configuration Issues – Remote Tech support Mode (SSH) for the host {hostname} has been enabled” nag screen on the summary tab of the host.

Grant SSH Access to ESX 4.0.0 and earlier

1. Go to the normal ESXi console.

2. Press ALT+F1 > the screen will change > Type unsupported {enter} > Note: Nothing will appear on the screen till you hit {enter} > Type in the root password and press {enter}.

3. You now need to edit a config file, the only editor we have is vi (sorry) issue the following command,

[box]vi /etc/inetd.conf[/box]

4. The vi editor will open the file, use the arrow keys to move down to the line that says,

[box]#ssh stream tcp nowait root…[/box]

Press I on the keyboard (that puts the vi editor into insert mode) and delete the hash “#” mark from the beginning of the line.

5 Then, to save the changes press {Esc} > type in :wq {Enter} (that’s write the changes and quit if you’re interested).

6. Enter the following command.

[box]

cat /var/run/inetd.pid

[/box]

It will provide you with a number, (in the example below its 4983, yours will be different).

7. Issue the following command.

[box]

kill -HUP {the number you got from above}

[/box]

8. To get back to the usual ESXi screen and exit command line press ALT+F2.

9. You can now connect with an SSH client like Putty.

 

Related Articles, References, Credits, or External Links

Original Article written: 07/12/11

ESX4 – Grant Root User SSH Access

Thanks to Dave Corrasa for the feedback.

FortiClient Azure Authentication

FortiClient Azure KB ID 0001797

Problem

More and more people are using Azure as their primary identity provider, thanks in no small part to the massive success of Office/Windows 365. So if you want to provide a FortiGate/FortiClient SSL remote access VPN solution then securing it via Azure makes a lot of sense.

Multi Factor Authentication: If you have MFA on your Azure accounts then that’s a big box ticked for your accreditations and digital liability insurance also. This article does not cover enabling MFA in Azure, we are assuming you already have that enabled. I’ve covered that in other articles anyway, (use the search box above!)

Essentially your firewall will redirect authentication (via SAML) to Azure when you attempt to connect either via the web or tunnelled with the FortiClient.

Note: You can of course Use Azure MFA With Microsoft NPS (RADIUS) Server but this would require an additional server.

FortiClient Azure Authentication

FortiClient Azure Prerequisites

You will need an Azure subscription (a trial one is fine), obviously a FortiGate firewall, and a publicly signed certificate for the firewall (see below).

Note: Stop asking if you can use self signed certs – this one cost me six dollars! It needs to be publicly signed so Azure trusts it!

Add and Configure the FortiGate SSL VPN Application

From within your Azure tenancy, locate Enterprise applications and choose to add a new one.

Do a search for Forti and you should see the FortiGate SSL VPN application, select it.

In the setup single sign on  section, click ‘Get Started’.

Select SAML.

The ‘Vast Majority’ of the work that needs to be done will be done in here. In Section 1 (Basic SAML Configuration)  you will enter FOUR URLs (these URLs will reside on your FortiGate). 

Change the values in red to match your own publicly resolvable FQDN, (which will match the CN on your certificate).

Identifier (Entity-ID)

[box]

https://vpn.petenetlive.com/remote/saml/metadata

[/box]

Reply URL (Assertion Consumer Service URL)

[box]

https://vpn.petenetlive.com/remote/saml/login

[/box]

Sign on URL (Yes it’s the same as the one above!)

[box]

https://vpn.petenetlive.com/remote/saml/login

[/box]

Then scroll down.

Log out URL 

[box]

https://vpn.petenetlive.com/remote/saml/logout

[/box]

Then SAVE.

Section 2: Attributes and Claims, click edit.

Add a new claim.

Name = username, Source attribute = user.userprinciplename > Save.

Select the existing user.groups value > Change it to ‘All Groups’ > Tick ‘Customise the same of the group claim’ > Set the name to group > Save.

Note: It can take little while for the main page to refresh .

Section 3: SAML Signing Certificate. Download the Base64 version of the certificate.

Back on your FortiGate > System > Certificates > Import > Remote Certificate.

If you can’t see certificates click here.

Browse to and upload the certificate you just dowloaded.

Make a note of the certificate name, in this case it’s REMOTE_Cert_2 (You will need this later).

Section 4: Setup FortiGate SSL VPN. In this section there are three URLs that you need to take a copy of (they are used in the code block you will post into the FortiGate.

You now have all the elements you need to paste the following code block into your FortiGate, the following elements IN RED should be changed to match yours.

set-cert is the NAME that the FortiGate has given to its public cert, (mine’s the same as its common name, yours may be something else!)

entity-id, single-sign-on-url, and single-log-out-url are the URLs you pasted into section 1 (above).

idp-entity-id, idp-single-sign-on-url, and idp-single-log-out-url are the URLs you copied out of section 4 (above).

idp-cert is the NAME that the FortiGate has given to the cert you dowloaded from section 3 (above)

user-name and group-name are the attributes and claims you setup in section 2 (above).

[box]

config user saml
edit SSL-Azure-SAML
set cert vpn.petenetlive.com
set entity-id https://vpn.petenetlive.com/remote/saml/metadata
set single-sign-on-url https://vpn.petenetlive.com/remote/saml/login
set single-logout-url https://vpn.petenetlive.com/remote/saml/logout
set idp-entity-id https://sts.windows.net/de742342-edf0-49e7-8ca3-1402fddc17bc/
set idp-single-sign-on-url https://login.microsoftonline.com/de742342-edf0-49e7-8ca3-1402fddc17bc/saml2
set idp-single-logout-url https://login.microsoftonline.com/de742342-edf0-49e7-8ca3-1402fddc17bc/saml2
set idp-cert REMOTE_Cert_2
set user-name username
set group-name group
next
end

[/box]

Azure Groups

You will need a group in Azure created with the users that you wish to be able to authenicate into to the remote VPN. Take a copy of its Object ID (you will need that shortly).

With that object ID you can create a ‘Group’ on the FortiGate with the following code block

[box]

config user group
edit AAD-Remote-VPN
set member SSL-Azure-SAML
config match
edit 1
set server-name SSL-Azure-SAML
set group-name 02f047b1-8db2-4474-84df-21af6a16204c
next
end
next
end

[/box]

You will also need to add this group (In Azure) into the FortiGate SSL VPN application > users and groups > add user/group.

Click ‘None Selected” > Select your user group > Select.

Heed the warning! No nested groups, which is a little annoying, but you can’t say they didn’t warn you > Accept.

FortiGate SSL VPN

I’m going to use the basic settings to get this up and running, VPN > SSL VPN Settings > Listen on Interfaces (set to the outside facing interface (that the certificate name points to!) Server Certificate set to your publicly signed certificate > Scroll down.

Note: If you see a warning about not having configured SSL policy, dont worry we will fix that in a moment.

Create New.

Select the AAD user group (we created with the second code block) and set the Portal, (here I’m using full access so the remote client can use the web, or full tunnel options) > OK.

Policy & Objects > Firewall Policy > Create New.

Give the policy a sensible name > Incoming Interface will be SSL-VPN (Not outside!) > Outgoing interface is usually the inside (unless you have DMZs etc) > Source, add in All and your AAD-Group you created with the second code block above >  DISABLE NAT > Scroll down.

Change Logging to ‘All sessions’ (Note: once fully deployed, you can change this to security events) > OK.

Note: It may error at this point if the portal you have chosen, (in this case full-access) has split tunnelling enabled, you can either disable split tunnelling on the portal, or change All in the destination section to a particular subnet on the the LAN).

Testing Forti Web SSL With Azure

From an external client connect the web address of your FortiGate, all being well it should redirect you to Azure, (or your ADFS portal if you use ADFS).

Provision authentication is successful, you should see something like this.

Testing FortiClient Azure SSL VPN With Azure

Install the FortiClient, (here I’m using the VPN only version). Give the connect a sensible name > Set the gateway to your public FQDN, and tick ‘Enable Single Sign On (SSO) for VPN Tunnel > Save.

SAML Login

After your Microsoft authentication prompt appears, the client should connect successfully.

Related Articles, References, Credits, or External Links

Microsoft: Azure AD SSO with FortiGate

Fortinet: Configuring SAML SSO login for SSL VPN

FortiGate: SSL-VPN With FortiClient (AD Authenticated)

KB ID 0001725

Problem

FortiGate Remote Access (SSLVPN ) is a solution that is a lot easier to setup than on other firewall competitors. Here’s how to setup remote access to a FortiGate firewall device, using the FortiClient software, and Active Directory authentication. This is what my topology looks like;

Note: I’ve changed the FortiGates default management HTTPS port from 443 to 4433 (before I started). This was to let me use the proper HTTPS port of 443 for remote access SSL VPN. I suggest you also do this, as running SSL-VPN over an ‘odd’ port may not work from some locations. See the following article;

FortiGate: Change the HTTPS Management Port

Certificate: I’m also using a self signed certificate on the FortiGate, in a production environment you may want to purchase a publicly signed one!

Step 1: FortiGate LDAPS Prerequisites

Before we start, we need to make sure your firewall can resolve internal DNS. (Because the Kerberos Certificate name on your Domain Controller(s) gets checked, when doing LDAPS queries, if you DON’T want to do this then disable server identity check when you setup your LDAP server below). Or you can add the IP address to the servers Kerberos certificate as a ‘Subject Alternative Name‘ but thats a bit bobbins IMHO

Network > DNS > Specify > Add in your ‘Internal” DNS servers > Apply.


Certificate Prerequisites

To perform LDAPS the FortiGate needs to trust the certificate(s) that our domain controller(s) use. To enable that you need a copy of the CA Certificate, for the CA that issued them. At this point if  you’re confused, you might want to run through the following article;

Get Ready for LDAPS Channel Binding

So to get a copy of your CA cert on a Windows CA server use the following command;

[box]

certutil -ca.cert My-Root-CA-Cert.cer

[/box]


To ‘Import‘ the certificate into the Fortigate > System > Certificates > Import > CA Certificate.

File > Upload > Browse to your CA Certificate > Open > OK.

Take note of the certificate name, (CA_Cert_1 in the example below,) you will need this information below.

Step 2: Allow FortiGate LDAPS Authentication (Active Directory)

User & Authentication > LDAP Servers > Add.

  • Name: Something Sensible!
  • Server IP/Name: Use the FQDN of the server (or you need to put the IP on the Kerberos certificate as a SAN!)
  • ServerPort: 636 (We’re not using 389 LDAP is NOT secure!)
  • Common Name Identifier: sAMAccountName
  • Distinguished Name: Enter the DN for either the top level of your domain or an OU that’s got all your users/groups in.
  • Bind Type: Regular.
  • Username: in DOMAIN\username format Note: A normal domain user account is sufficient it DOES NOT need to be a domain administrator.
  • Password: For the above user.
  • Secure Connection: LDAPS.
  • Certificate: Select YOUR CA Certificate.
  • Server Identity Check: Enabled.

Click ‘Test Connectivity‘ It should say successful, then you can check some other domain user credentials as a test > OK.

Domain / Active Directory Setup

Over in my Active Directory I’ve created a security group called GS-VPN-Users, and put my user object into it.

Now I need to create a FIREWALL GROUP and add my ACTIVE DIRECTORY GROUP to that. User & Authentication > User Groups > Create New.

  • Name: Something sensible!
  • Type: Firewall

Remote Groups > Add.

Change the Remote Server drop down list to be your LDAPS Server > Browse to your ACTIVE DIRECTORY GROUP, right click and Add Selected (Cheers, that took me three goes to find FortiNet!) > OK.

All being well you should see your LDAPS server AND the distinguished name of your AD group, (check that’s not missing!) > OK.

Step 3: Setup FortiGate SSL-VPN

First we need an SSL Portal > VPN  > SSL-VPN Portals > Create New.

  • Name: Something sensible!
  • Enable Split Tunnelling: Enabled. (If you don’t do this then remote clients need to come though the FortiGate for web access, I usually enable split tunnel).
  • Source IP Pools: Add Then Create.

Address.

  • Name: Something sensible!
  • Type: IP Range
  • IP Range: The subnet you want to use. (Note:If you are routing on your LAN, make sure there’s a route back to the FortiGate for this subnet or bad things will happen!)
  • Interface: SSL-VPN tunnel interface

OK.

Enter a portal message, (the header on the page once a remote user connects)  > Enable FortiClient download > OK.

If you see the following error, that’s because on some smaller firewalls, (like the 40F) there can only be one, so you need to edit the one that is there by default.

Maximum number 0f entries has been reached.

FortiGate SSL-VPN Settings

VPN  > SSL-VPN Settings > Listen on Interfaces.

Set to the outside (WAN) interface > Address Range > Specify custom IP Ranges > IP Ranges > Add in the pool you created above.

DNS Server > Specify > Add in your internal DNS servers > Authentication Portal Mapping > Create New.

  • Users/Groups: Your AD GROUP.
  • Portal: Your Portal

OK.

Apply (Note: If it complains ‘All Other User/Group‘ is not configured, set that to  web-access (as shown).

FortiGate SSL-VPN Firewall Policy

Policy & Objects > Firewall Policy (or IPV4 Policy on older versions) > Create New.

  • Name: Something sensible.
  • Incoming Interface: SSL-VPN Tunnel Interface.
  • Outgoing Interface: Inside (LAN).
  • Source: Your remote IP Pool AND your FIREWALL GOUP.
  • Destination: Local LAN (remember if you want DMZ access, add that in also)
  • Schedule: Always
  • Action: Accept
  • NAT: Disabled

  • Generate logs when session starts: Enabled 

OK.

Step 4: Test FortiGate SSL-VPN

From your remote client, browse to the public IP/FQDN of the firewall and log in, you should see the SSL-VPN portal you created, and have the option to download the FortiClient (VPN) software for your OS version.

Install the FortiClient (Note: This is only the VPN component not the full FortiClient).

Remote Access > Configure VPN.

  • VPN: SSL-VPN.
  • Connection Name: Something sensible.
  • Remote Gateway: IP or FQDN of the FortiGate.
  • Authentication: Prompt on Logon (unless you want it to remember).
  • Do not warn invalid Server Certificate: Enabled (Unless you are using a publicly signed certificate on your FortiGate).

Save.

Then test connection, make sure you can ping internal IP addresses and DNS names.

Related Articles, References, Credits, or External Links

NA

Set up Remote Access PPTP VPN’s in Windows Server

KB ID 0000103

Problem

You want to provide access to your corporate network for your remote users.

Solution

Installing the Server Role

1. Start > Server Manager (or Start > run > CompMgmtLauncher.exe (Enter) > Add Roles > Select Network Policy and Access Services > Next > Next

2. Select Remote Access Service > Next > Install > The Service will take awhile to install (Coffee time!).

3. When Done > Close.

4. Start > Administrative tools > Routing and Remote Access > The Server will have a red “down” Arrow on it > Right Click the Server and Select “Configure and enable routing and remote access”

5. Next > Select “Custom Configuration” > Next. (Note: I’m selecting this because I only Have One NIC and I want to use this NIC).

6. VPN Access > Next.

7. When Promoted Select “Start Service” > The Service will start > you can now close the Routing and Remote Access Console.

8. Ensure the user who needs to connect has been granted (either directly or through Policy).

Firewall Note:

For this to work two things need to happen, TCP Port 1723 needs to be allowed (or Port) forwarded to the Server. And GRE (Generic Routing Encapsulation) needs to be allowed to the server. GRE is a PROTOCOL and NOT a Port so you cannot simply Port forward it, it need to be allowed directly to the server, so the server needs a public IP address to allow it to.

Cisco PIX / ASA Users Click Here

Set Up the Client PC’s

Vista & Windows 7

1. Start > Control Panel > Network and sharing Center > Connect to a Network > Set up a Connection or Network > Connect To a Workplace > Next.

2. Use My Internet Connection (VPN) > Enter the public IP address of the VPN server > Enter a Name for the Connection > Next > Enter your Domain Logon details > Connect.

Note sometimes you need to put the username in user_name@domain_name.com format

Windows 2000, 2003, & XP

1. Start > run > NCPA.CPL {Enter}> File > New Connection > Next > Connect to the Network at my workplace > Next.

2. Virtual Private Network Connection > Next.

3.Enter the Public IP Address of the VPN Server. > Next > Select who can use the connection > Next > Finish > Enter the username and password > Connect.

Related Articles, References, Credits, or External Links

Using the Microsoft VPN client through Cisco ASA/PIX

Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication

KB ID 0000688

Problem

Last week I was configuring some 2008 R2 RADIUS authentication, for authenticating remote VPN clients to a Cisco ASA Firewall.

I will say that Kerberos Authentication is a LOT easier to configure, so you might want to check that first.

Solution

Step 1 Configure the ASA for AAA RADIUS Authentication

1. Connect to your ASDM, > Configuration > Remote Access VPN. > AAA Local Users > AAA Server Groups.

2. In the Server group section > Add.

3. Give the group a name and accept the defaults > OK.

4. Now (with the group selected) > In the bottom (Server) section > Add.

5. Specify the IP address, and a shared secret that the ASA will use with the 2008 R2 Server performing RADIUS > OK.

6. Apply.

Configure AAA RADIUS from command line;

[box]

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 172.16.254.223
  key 123456
  radius-common-pw 123456
  exit

[/box]

Step 2 Configure Windows 2012 Server to allow RADIUS

7. On the Windows 2008 Server > Launch Server Manager > Roles > Add Role.

8. If you get a welcome page > Next > Select Network Policy and Access Server > Next >Next.

9. Select ‘Network Policy Server’ > Next > Install.

10. Close, when complete.

11. Whilst still in Server Manager > Network Policy and Access Server > NPS (Local).

12. Register Server in Active Directory >OK > OK.

13. Expand RADIUS Clients and Servers > Right click RADIUS Clients > New.

14. Give the firewall a friendly name, (take note of what this is, you will need it again) > Specify its IP > Enter the shared secret you setup above (number 5) > OK.

15. Expand policies > right click ‘Connection Request Policies’ > New > Give the policy a name > Next.

16. Add a condition > Set the condition to ‘Client Friendly Name’ > Add.

17. Specify the name you set up above (number 14) > OK > Next > Next > Next.

18. Change the attribute to User-Name > Next > Finish.

19. Now right click ‘Network Policies’ > New > Give the policy a name> Next.

20. Add a condition > User Groups > Add.

21. Add in the AD security group you want to allow access to > OK > Next > Next.

22. Select ‘Unencrypted Authentication PAP SPAP” > Next > No > Next > Next > Finish.

Step 3 Test RADIUS Authentication

23. Back at the ASDM, in the same page you were in previously, select your server and then click ‘Test’.

24. Change the selection to Authentication > Enter your domain credentials > OK.

25. You are looking for a successful outcome.

Note: if it fails check there is physical connectivity between the two devices, the shared secrets match. Also ensure UDP ports 1645 and 1646 are not being blocked.

To Test AAA RADIUS Authentication from Command Line

[box]

test aaa-server authentication PNL-RADIUS host 172.16.254.223 username petelong password password123

[/box]

26. Finally, save the firewall changes > File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Windows Server 2003 – Configure RADIUS for Cisco ASA 5500 Authentication

Windows Server 2012 – Configure RADIUS for Cisco ASA 5500 Authentication

Cisco ASA5500 Client IPSEC VPN Access

(This method uses the ASA to hold the user database) to use RADIUS CLICK HERE to use Kerberos CLICK HERE

KB ID 0000070

Problem

Note: IPSEC VPN is still possible, but getting Windows clients is a little sketchy, and you will have to mess about with them to get them to work on modern versions of Windows. (Mac OSX and iPhone/iPad can connect with their built in VPN software though).

Below is a walkthrough for setting up a client to gateway VPN Tunnel using a Cisco ASA appliance.This is done via the ASDM console.

It also uses the Cisco VPN client – This is no longer available form Cisco see the following article.

Download Cisco VPN Client Software

Solution

Step1 Configure the ASA5500

1. Open up the ADSM console. > Click Wizards > VPN Wizard.

2. Select “Remote Access”. > Next.

3. Select Cisco VPN Client. > Next.

4. Enter a Pre Shared Key e.g. thisisthepresharedkey > And then give the Tunnel group a name e.g. “RemoteVPN”. > Next.

5. Select “Authenticate using the local user database”. > Next.

6. Now create a user, for this exercise I’ve created a user called user1 with a password of password1

7. Click Add. > Next.

8. Now we need to create some IP addresses that the remote clients will use when connected. > Click New

9. Give the Pool a name e.g. RemotePool and set the start and end IP addresses you want to lease (note these DONT have to be on the same network as your internal IP’s – In fact, for auditing its good practice to make them different). > Enter a Subnet Mask. > OK.

10 Click Next.

11 Enter the details you want the remote clients to use while connected, DNS servers, WINS Servers and domain name. > Next.

12. Leave it on the defaults of 3DES, SHA and DH Group 2 (Note some Cisco VPN clients will not support AES). > Next

13. Again leave it on the default of 3DES and SHA. > Next.

14. You can choose what IP addresses you want the remote VPN clients to have access to, first change the dropdown to “Inside”, here I want them to have access to the entire network behind the ASA so I will choose 10.254.254.0 with a mask of 255.255.255.0 > Click Add. > Next.

NOTE If you do not tick the box to enable “Split Tunneling” then the client cannot browse the internet etc while connected via VPN.

15. Review the information at the end of the wizard. > Finish

16. Now you need to save the changes you have just made, From the ASDM Select File > “Save running configuration to flash”

Step 2 Configure the Client VPN Software on the remote client.

Also See THIS VIDEO

1. I’ll assume you have the software installed you can get it from two places, On the CD that came with the ASA, or download it direct from Cisco (NOTE this needs a valid Cisco CCO account and a service contract). > Click New.

2. Under connection entry give the connection a name e.g. “Remote VPN to Office” > Under “Host” enter the Public IP of the ASA (NOTE I’ve blurred this one out to protect my IP address). > Under “Name” enter the name you created earlier (Step 1 number 4) > Under Password use the password you created earlier (Step 1 number 4) and enter it a second time to confirm. NOTE these are NOT the usernames and passwords you created in Step 1 number 6. > Click Transport Tab.

3 Accept the defaults but tick “Allow LAN access if you want to be able to access YOUR drives etc from the network behind the ASA” > Save.

4. Select the Connection you have just created. > Connect.

5. Enter the username and password you created earlier (Step 1 Number 6) of user1 and password1. > OK.

6 After a few seconds (provided the details were all right) it will connect, hover over the padlock in your task tray and it should say “VPN Client – Connected”.

Create Additional Users on the ASA

1. Open the ASDM and navigate to Configuration > VPN > General > Users > Add.

2. Give the user a name > Enter and confirm a password > Set the Privilege Level to 0 > Then Select the VPN Policy Tab

3. > Under Group Policy untick “Inherit” > Select RemoteVPN (the policy you set in Step1 Number 4) > OK.

4. You will now see the user listed (Don’t forget to save the settings, (File > “Save Running Configuration to Flash”).

Setup ASA 5500 IPSEC Remote VPN From Command Line

[box]

ip local pool IPSEC-VPN-POOL 10.254.250.1-10.254.250.100 mask 255.255.255.0
!
access-list ACL-SPLIT-TUNNEL standard permit 10.254.254 255.255.255.0
!      
object network Obj-Remote-IPSEC-VPN
 subnet 10.254.250.0 255.255.255.128
!
object network Obj-Local-LAN
 subnet 10.254.254.0 255.255.255.0
!
group-policy IPSEC-Remote-VPN internal
group-policy IPSEC-Remote-VPN attributes
  von-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value ACL-SPLIT-TUNNEL
  dns-server value 8.8.8.8
  default-domain value petenetlive.com
  vpn-simultaneous-logins 5
!
tunnel-group IPSEC-Remote-VPN type remote-access
tunnel-group IPSEC-Remote-VPN general-attributes
 default-group-policy IPSEC-Remote-VPN
 address-pool IPSEC-VPN-POOL
 tunnel-group IPSEC-Remote-VPN ipsec-attributes
 ikev1 pre-shared-key 123456
!
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto ikev1 enable  outside
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface  outside
!
nat (inside,outside) 1 source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup
!
crypto isakmp nat-traversal 20
!
username TestUser password Password123 privilege 0
username TestUser attributes
vpn-group-policy IPSEC-Remote-VPN

[/box]

Below, is the commands required for an ASA running code OLDER than version 8.3

[box]

access-list splitvpn standard permit 10.254.254.0 255.255.255.0
access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.250.0 255.255.255.0
ip local pool VPNPool 10.254.250.1-10.254.250.254 mask 255.255.255.0
nat (inside) 0 access-list nonat
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 10.254.254.10
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitvpn
split-dns value petenetlive.com
username user1 password IzFIX6IZbh5HBYwq encrypted privilege 0
username user1 attributes
vpn-group-policy remotevpn
sysopt connection tcpmss 1200
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
address-pool vpnpool
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key thisisthepresharedkey

[/box]

Related Articles, References, Credits, or External Links

Original article written 21/01/10 updated 07/06/11

Windows 8 and Cisco (IPSEC) VPN Client

Windows 10 – Running the Cisco VPN Client Software

Securing Cisco SSL VPN’s with Certificates

KB ID 0000335

Problem

It’s been a while since I wrote a walk though on the Cisco AnyConnect/SSL VPN solution, and usually I secure these with Active Directory or simply using the local user database on the firewall. But what if you wanted to use certificates instead? Perhaps your users are too “technically challenged” to remember their passwords. Or you want to enable two factor authentication with usernames/passwords AND certificates (something you know and something you have).

Solution

Step 1: Setup the ASA as a Certificate Authority

After version 8 Cisco included a complete CA solution in the firewall with a web front end. to use it we need to a) turn it on, b) give it an email address, c) provide a subject name, and finally d) create a unique pass phrase to generate the root certificate from.

Connect to the firewall and carry out the following,

[box]

PetesASA>
PetesASA> en
Password: ********
PetesASA# conf t
PetesASA(config)# crypto ca server
PetesASA(config-ca-server)# smtp from-address pnlCA@petenetlive.com
PetesASA(config-ca-server)# subject-name-default cn=pnlCA, o=petenetlive, c=GB
PetesASA(config-ca-server)# no shutdown

% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or press return to exit
Passphrase: ********

Re-enter passphrase: ********

Keypair generation process begin. Please wait...

Completed generation of the certificate and keypair...

Archiving certificate and keypair to storage... Complete
INFO:
Certificate Server enabled.
PetesASA(config-ca-server

[/box]

To do the same via ASDM connect to the ASDM > Navigate to Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > CA Server > Fill in the details > Apply.

To check that the CA Server is up and running issue a “show crypto ca server” command.

[box]


PetesASA# show crypto ca server

Certificate Server LOCAL-CA-SERVER:
Status: enabled <--Good!
State: enabled <--Good!
Server's configuration is locked (enter "shutdown" to unlock it)
Issuer name: CN=PetesASA.petenetlive.com
CA certificate fingerprint/thumbprint: (MD5)
774e1fe0 27495b35 019a9874 7507d8a9
CA certificate fingerprint/thumbprint: (SHA1)
93414d52 5f23e510 0f7f8fc2 857e3c86 d5687286
Last certificate issued serial number: 0x1
CA certificate expiration timer: 12:33:29 UTC Sep 30 2013
CRL NextUpdate timer: 18:33:29 UTC Oct 1 2010
Current primary storage dir: flash:/LOCAL-CA-SERVER/

Auto-Rollover configured, overlap period 30 days
Autorollover timer: 12:33:29 UTC Aug 31 2013
PetesASA#

[/box]

Step 2: Obtain a Client Certificate

If you have a LOT of these you can set them up and send them by email directly, I’m just going to do this one manually, By default your webvpn probably isn’t enabled on the “inside” so lets turn that on.

[box]

PetesASA#
PetesASA# conf t
PetesASA(config)# webvpn
PetesASA(config-webvpn)# enable inside
INFO: WebVPN and DTLS are enabled on 'inside'.
PetesASA(config-webvpn)# exit
PetesASA(config)#

[/box]

To do the same via ASDM connect to the ASDM > Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Tick both the inside options > Apply.

Now I’m going to create a user, and a “One Time Password”.

[box]


PetesASA(config)#
PetesASA(config)# crypto ca server user-db add petelong
INFO: User added as 'petelong'
PetesASA(config)# crypto ca server user-db allow petelong display-otp
Username: petelong
OTP: 010B3B9F500F7142 <--your user will need this!
Enrollment Allowed Until: 12:43:23 UTC Mon Oct 4 2010

PetesASA(config)#

[/box]

Via ADSM it’s a little more convoluted, you need to add the user then view/re-generate the OTP.

Open a web browser and got to https://{ip or name of firewall}/+CSCOCA+/enroll log in with the details you created above.

When prompted download the certificate and put it on the machine that requires secure access. Simply double click it and import it (it should import into the “Personal Certificates” folder.) – if you are prompted for a password you enter the OTP from above.

Step 3: Change the VPN authentication to Certificate.

First lets check that enrolment was successfully with a “show ca server user-db” command.

[box]


PetesASA(config)# show crypto ca server user-db
username: petelong
email: <None>
dn: <None>
allowed: 12:43:23 UTC Mon Oct 4 2010
notified: 1 times
enrollment status: Enrolled, Certificate valid until 12:47:25 UTC Sat Oct 1 2011,<--Good!
Renewal: Allowed

PetesASA(config)#

[/box]

Change the webvpn authenticate to certificate. Note your SSL tunnel group WILL have different name.

[box]

PetesASA# conf t
PetesASA(config)# tunnel-group SSL-VPN-POLICY webvpn-attributes
PetesASA(config-tunnel-webvpn)# authentication certificate
PetesASA(config-tunnel-webvpn)# exit
PetesASA(config)#

[/box]

To use usernames AND certificates use “both” instead of “cert”, to Revert back to usernames enter “aaa”

Via ASDM

Step 4: Test

Connect to the VPN portal and you should now be prompted for certificate authentication.

 

Related Articles, References, Credits, or External Links

AnyConnect VPN

Cisco ASA 5500 – Using a Third Party Digital Certificate (For Identification, AnyConnect, and SSL VPN)

iPhone and iPad – Configure the Cisco VPN Client

KB ID 0000360

Problem

You have already configured a Cisco ASA / PIX device to provide Client VPN connectivity, and you now wish to configure the iPhone/iPad Device.

Solution

Note: The screen shots are taken from an iPhone running (4.2.1) the process for iPad is the same.

1. Select Settings.

2. Select General.

3. Select Network.

4. Scroll to the bottom of the page and select VPN.

5. Add VPN Configuration.

6. Select IPSec.

7. Description = the connection a simple name > Server = Either the IP address or public name of the firewall > Account > Your username.

8. Group Name = Is the VPN group configured on the firewall > Secret = Is the shared secret for this Group Name.

Where do you get this information from? Basically from your IT department, they can find out by issuing a “more system:running-config” command on the firewall

code?

9. Flick the VPN switch to “On”.

10. Enter your username and password > OK.

11. It may say “Starting” for a while.

12. “Connected” is what we are looking for.

14. For the duration of the connection you will see the “VPN” icon on the phones information bar.

 

Related Articles, References, Credits, or External Links

NA