Cisco PIX 500 – IPSEC Site to Site VPNs (v6)

KB ID 0000611 

Problem

Note: This is for firewalls running an operating system BEFORE version 7, if you have an PIX running version 7 or above go here instead. I’ll run though he commands first and then the configuration from PDM at the end.

Solution

PIX 500: Configure a site to site VPN from command line

1. Connect to the PIX, go to “enable mode”, then to “Configure terminal mode”

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesPIX> enable
Password: ********
PetesPIX# configure Terminal
PetesPIX(config)# 

[/box]

2. I’m assuming the network BEHIND the PIX 500 is 192.168.124.0/24 and the network at the far end of the tunnel is 192.168.123.0/24. So I’m going to create two ACL’s one to tell the PIX that this traffic should be encrypted, and the second to tell the PIX NOT to perform NAT on the VPN traffic.

Note: Yes I can use one ACL, but having two makes it easier to troubleshoot any VPN problems.

[box]

PetesPIX(config)# access-list VPN_CRYPTO_ACL permit ip 192.168.124.0 255.255.255.0 192.168.123.0 255.255.255.0
PetesPIX(config)# access-list VPN_NO_NAT line 1 permit ip 192.168.124.0 255.255.255.0 192.168.123.0 255.255.255.0

[/box]

3. Now I’ve got an ACL that will stop performing NAT I need to add it as a “Nat 0” (this means don’t perform NAT).

Note: Check to make sure you do not already have a nat(inside) 0 xxx command, if you do, use the SAME ACL that is already in use.

[box]

PetesPIX(config)# nat (inside) 0 access-list VPN_NO_NAT

[/box]

4. To set up all the VPN parameters you need to create a crypto map. In the example below I set the peer IP (the firewall at the other end of the tunnel), to 81.81.81.81. Then I tie it to the ACL I created earlier (VPN_CRYPTO_ACL). I’ve set the encryption and hashing used for the tunnel to 3DES and SHA (These will be used for IPSec (Phase 2)). Set the timeouts for the tunnel, and finally apply the cryptomap I’ve just created, to the outside interface.

[box]

PetesPIX(config)# crypto map VPN_CRYPTO_MAP 20 set peer 81.81.81.81
PetesPIX(config)# crypto map VPN_CRYPTO_MAP 20 match address VPN_CRYPTO_ACL
PetesPIX(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
PetesPIX(config)# crypto map VPN_CRYPTO_MAP 20 set transform-set ESP-3DES-SHA
PetesPIX(config)# crypto map VPN_CRYPTO_MAP 20 set security-association lifetime seconds 28800 kilobytes 4608000
PetesPIX(config)# crypto map VPN_CRYPTO_MAP interface outside

[/box]

5. The next command lets VPN traffic bypass any other ACLs configured on the firewall.

[box]

PetesPIX(config)# sysopt connection permit-ipsec

[/box]

6. I’m using a “shared secret” that also needs to be setup on the other end of the tunnel. As I said earlier the peer IP is 81.81.81.81.

[box]

PetesPIX(config)# isakmp key 123456 address 81.81.81.81 netmask 255.255.255.255 no-xauth no-config-mode

[/box]

7. To establish the VPN phase 1 (ISAKMP) the devices at both ends of the tunnel need a matching ISAKMP policy. I’ve already set up my shared secret, the first line lets the other end know that’s how we will be communicating. Then once again I’m using 3DES and SHA. I’m telling the system to use Diffie Hellman group 2 for the secure key exchange, and then binding this policy to the outside interface.

Note: If you are interested on how all this stuff works see here

[box]

PetesPIX(config)# isakmp policy 20 authen pre-share
PetesPIX(config)# isakmp policy 20 encrypt 3des
PetesPIX(config)# isakmp policy 20 hash sha
PetesPIX(config)# isakmp policy 20 group 2
PetesPIX(config)# isakmp enable outside

[/box]

8. Then save the changes with a write mem command.

[box]

PetesPIX# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesPIX#

[/box]

PIX 500: Configure a site to site VPN from the PDM

1. To connect to the PDM you are going to need two things, an OLD browser (IE6) and an OLD version of Java. Select Wizards > VPN Wizard.

2. Site to Site > Next.

3. Set the Peer (Device at the other end of the tunnel) and a shared secret that you will also use at the other end > Next.

4. Set the policy that will be used for phase 1 > Next.

5. Now the phase 2 policy > Next

6. Enter the network behind the PIX > Next.

7. Enter the network at the far end of the tunnel > Finish.

8. Finish by saving the changes > File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Set up a PIX Firewall with the PDM

PIX 506E and 501 Firewall Image and PDM Upgrade

Securing Network Device Access With Cisco ACS (and Active Directory)

KB ID 0000942

Problem

For network identification I have tended to use RADIUS (in a Windows NPS or IAS flavour), in the past. I turned my back on Cisco TACACS+ back in my ‘Studying for CCNA’ days, because back then it was clunky and awful. I have a client that will be installing ACS in the near future, so I thought I would take a look at it again, and was surprised at how much more polished it is. As Cisco plans to roll ACS into Cisco ISE in the future, I’m not sure if it will remain as a separate product. So we may find people using version 5 for a long time yet.

Solution

I’m deploying ACS version 5.5 as a virtual appliance, remember to give it at least 60GB of hard drive or the install will fail. If you are installing on VMware workstation, choose the ‘I will install the operating system later’ option and manually present the CD image or it will also fail.

When you have run through the initial setup on the appliance it will set;

  • Hostname.
  • IP Address.
  • Subnet Mask.
  • Default Gateway.
  • DNS Domain Name.
  • DNS IP Address.
  • Secondary DNS (if required).
  • NTP Server IP address. (Ensure UDP port 123 is open or this will fail).
  • Secondary NTP (if required).
  • Timezone.
  • Username.
  • Password.

Then connect via a web browser (https);

  • Username: ACSAdmin
  • Password: default

1. Join the ACS appliance to your domain. Users and Identity Stores > External Identity Stores > Active Directory > Join/Test Connection > Enter Domain Credentials > Join.

2. Be patient it can take a couple of minutes, wait till it says ‘Joined and Connected’.

3. Make sure you already have some groups in active directory that you want to grant access to, here I’ve got a full-access group and a read-only access group.

Note: I’m going to grant privilege level 15 to full-access, and privilege level 1 to read-only, (yes I know they can still escalate to configure terminal mode, but you can always restrict level 1 so it can only use the show command if you like).

4. Back in ACS > Directory Groups > Add > Add in your Groups > OK.

5. Create a Shell Policy: Policy Elements > Authorization and Permissions > Shell Profiles > Create > First create one for level 15 (full-access).

6. Common Tasks tab > Default Privilege > Static > 15 > Submit.

7. Then repeat to create a profile for read-only (level 1) access.

8. Common Tasks tab > Default Privilege > Static > 1 > Submit.

9. Access Policies > Access Services > Default Device Admin > Identity >Select > AD1 (this got created when you joined the domain earlier) > OK.

10. Access Policies > Access Services > Default Device Admin > Authorisation > Customise > Add ‘Compound Condition’ > OK.

11. Create > Tick ‘Compound Condition’ > Select > ExternalGroups > Select your full-access group.

12. Add > Shell Profile > Select > Select the full-access profile > OK.

13. Repeat for the read-only group.

14. Set the shell profile to read-only access > OK.

15. Access Policies > Service Selection Rules > Create > Set to Match Protocol TACACS > Set the service to Default Device Admin > OK.

16. Network Resources > Network Devices and AAA Clients > Enter the details of your Cisco device and set a shared key, (here I’m using 666999) > Submit.

17. Make the necessary changes on your Cisco devices, like so;

Cisco IOS TACACS+ Config

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#aaa new-model
Petes-Router(config)#aaa authentication login default group tacacs+ local
Petes-Router(config)#aaa authorization exec default group tacacs+ local
Petes-Router(config)#aaa authorization console
Petes-Router(config)#tacacs-server host 10.254.254.22
Petes-Router(config)#tacacs-server key 666999
Petes-Router(config)#end
Petes-Router#
*Mar 1 00:10:24.691: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#write mem
Building configuration...
[OK]
Petes-Router# 

[/box]

Cisco ASA 5500 (and Next Generation) TACACS+ Config

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# aaa-server PNL-AAA-TACACS protocol tacacs+
Petes-ASA(config-aaa-server-group)# aaa-server PNL-AAA-TACACS (inside) host 10.254.254.22
Petes-ASA(config-aaa-server-host)# key 666999
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)#

-=-=-=-=-Authentication-=-=-=-=-
ASDM Authentication

Petes-ASA(config)# aaa authentication http console PNL-AAA-TACACS LOCAL 
Console Authentication

Petes-ASA(config)# aaa authentication serial console PNL-AAA-TACACS LOCAL
SSH Authentication

Petes-ASA(config)# aaa authentication ssh console PNL-AAA-TACACS LOCAL
Telnet Authentication

Petes-ASA(config)# aaa authentication telnet console PNL-AAA-TACACS LOCAL

Enable Mode Command Protection Authentication

Petes-ASA(config)# aaa authentication enable console PNL-AAA-TACACS LOCAL
-=-=-=-=-Authorisation-=-=-=-=-

Petes-ASA(config)# aaa authorization command PNL-AAA-TACACS LOCAL
Petes-ASA(config)# privilege show level 5 mode configure configure command aaa

<repeat as necessary - Note: Turn it on with the ASDM with command preview enables and you can copy paste all the commands out and edit them accordingly>
-=-=-=-=-Accounting-=-=-=-=-

Petes-ASA(config)# aaa accounting command PNL-AAA-TACACS

[/box]

18. Now you can test, here I connect as a user with read-only access (Note: I have a greater than prompt, I’m in user EXEC mode). Then when I connect as a full-access user (Note: I have a hash prompt. I’m in privileged EXEC mode).

19. The results are the same if I connect via SSH.

Enabling TACACS+ Though a Firewall

Sometimes, e.g. you have a switch in a DMZ or a router outside your firewall that you want to secure with TACACS. To enable this you simply need to open TCP port 49, from the device you are securing with TACACS to the ACS server.

Related Articles, References, Credits, or External Links

JunOS – Using TACACS+ With Cisco ACS