Cisco ASA – L2TP over IPSEC VPN

KB ID 0000571

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

When Cisco released version 7 of the operating system for PIX/ASA they dropped support for the firewall acting as a PPTP VPN device.

Note: If you want to use PPTP you can still terminate PPTP VPNs on a Windows server, if you enable PPTP and GRE Passthrough on the ASA.

But if you want to use the native Windows VPN client you can still use L2TP over IPSEC. I had a look around the net to work out how to do this and most decent articles are written using the older versions of the ASDM, and the CLI information I found on Cisco’s site didn’t help either.

What I’m using

1. Cisco ASA5525 version 9.2(4) and ASDM version 7.6(1).

2. Network behind the ASA 192.168.110.0/24.

3. IP addresses of the remote clients 192.168.198.1 to 254 (DNS 192.168.110.10).

4. Split tunnelling enabled.

5. Local (On the ASA) user authentication.

6. Authentication via Pre Shared Key 1234567890.

Configure the ASA 5500 for L2TP IPSEC VPNs from ASDM

1.  From within the ASDM > Wizards > VPN Wizards > IPSec (IKEv1) Remote Access VPN Wizard)

2. Next.

3. Tick Microsoft Windows Client using L2TP over IPSEC > Tick MS-CHAP-V2 ONLY  > Next.

4. Type in a pre-shared key > Next. 

5. Select LOCAL authentication > Next.

6. Enter a username/password to use for connection to the VPN > Next.

7.  Create a ‘VPN Pool‘ for the remote clients to use as a DHCP pool > OK > Next.

8. Enter your internal DNS server(s) and domain name > Next.

 

9. Set your internal network(s) > Tick “Enable Split tunnelling…” > Untick PFS > Next.

10. Finish.

11. Save the changes.

Configure the ASA 5500 for L2TP IPSEC VPNs from CLI

1. Connect to the ASA, go to “enable mode”, then to “Configure terminal mode”

[box]

User Access Verification
        
Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)#

[/box]

2. First we need to create a “Pool” of IP addresses for the remote client to use.

[box]

PetesASA(config)# ip local pool L2TP-Pool 192.168.198.1-192.168.198.10

[/box]

3. Now to make sure the traffic that’s going to travel over our VPN is not NATTED.

Note: This is assuming that 192.168.100.0/24 is the remote VPN clients subnet, and 10.254.254.0/24 is the subnet BEHIND the ASA.

[box]

PetesASA(config)# object network Internal-Subnet
PetesASA(config-network-object)#  subnet 192.168.110.0 255.255.255.0
PetesASA(config-network-object)# object network L2TP-Subnet
PetesASA(config-network-object)#  subnet 192.168.198.0 255.255.255.248
PetesASA(config-network-object)# nat (inside,outside) source static Internal-Subnet Internal-Subnet destination static L2TP-Subnet L2TP-Subnet no-proxy-arp route-lookup  

[/box]

4. Normally when a remote client is connected they will lose all other connections (including their other internet connections) while connected, to stop this you need to enable “Split Tunnelling“. You will refer to this later but for now we just need to create an ACL.

[box]

PetesASA(config)# access-list Split-Tunnel-ACL standard permit 192.168.110.0 255.255.255.0 

[/box]

5. We need a “Transform Set” that will be used for “Phase 2” of the tunnel, I’m going to use AES encryption and SHA hashing, then set the transform type to “Transport”.

[box]

PetesASA(config)# crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
PetesASA(config)# crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set mode transport

[/box]

6. Remote VPNs usually use a “Dynamic Cryptomap”, the following will create one that uses our transform set, then applies that to the firewalls outside interface.

[box]

PetesASA(config)# crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set L2TP-IKE1-Transform-Set
PetesASA(config)# crypto map L2TP-VPN-MAP 20 ipsec-isakmp dynamic L2TP-MAP
PetesASA(config)# crypto map L2TP-VPN-MAP interface outside

[/box]

7. Then enable IKE (version 1) on the outside interface. And create a policy that will handle “Phase 1” of the tunnel, in this case 3DES for encryption, and SHA for hashing, and Diffie Hellman group 2 for the secure key exchange.

[box]

PetesASA(config)# crypto ikev1 enable outside
PetesASA(config)# crypto ikev1 policy 5
PetesASA(config-ikev1-policy)#  authentication pre-share
PetesASA(config-ikev1-policy)#  encryption 3des
PetesASA(config-ikev1-policy)#  hash sha
PetesASA(config-ikev1-policy)#  group 2
PetesASA(config-ikev1-policy)#  lifetime 86400
PetesASA(config-ikev1-policy)#

[/box]

8. Create a group policy, that hold the following, DNS server IP(s) that will be leased to the remote clients. Tunnel type (L2TP IPSEC), enable spit tunnelling using the ACL we created in step 4. The domain name that will be given to the remote clients. The “intercept-dhcp enable” looks after a Windows client problem. And finally create a user and password.

Note: In this example I’m using the ASA’s local database of users for authentication.

[box]

PetesASA(config)# group-policy L2TP-Policy internal
PetesASA(config)# group-policy L2TP-Policy attributes
PetesASA(config-group-policy)#  dns-server value 192.168.110.10
PetesASA(config-group-policy)#  vpn-tunnel-protocol l2tp-ipsec
PetesASA(config-group-policy)#  split-tunnel-policy tunnelspecified
PetesASA(config-group-policy)#  split-tunnel-network-list value Split-Tunnel-ACL
PetesASA(config-group-policy)#  default-domain value test.net
PetesASA(config-group-policy)#  intercept-dhcp enable
PetesASA(config-group-policy)# username testuser password password123 mschap

[/box] 

9. Every tunnel needs a “Tunnel Group”, You HAVE TO use the DefaultRAGroup (Unless you are securing things with certificates which we are not). This pulls in the IP Pool we created in step 2 and the policy we created in step 8.

[box]

PetesASA(config)# tunnel-group DefaultRAGroup general-attributes
PetesASA(config-tunnel-general)#  address-pool L2TP-Pool
PetesASA(config-tunnel-general)#  default-group-policy L2TP-Policy

[/box]

10. For the tunnel group, setup a shared key, and the authentication method for our clients.

Note: We are disabling CHAP and enabling MSCHAP v2.

[box]

PetesASA(config-tunnel-general)# tunnel-group DefaultRAGroup ipsec-attributes
PetesASA(config-tunnel-ipsec)#  ikev1 pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# tunnel-group DefaultRAGroup ppp-attributes
PetesASA(config-ppp)#  no authentication chap
PetesASA(config-ppp)#  authentication ms-chap-v2

[/box]

11. Finally save the new config.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
[/box]

Configure Windows VPN client for L2TP IPSEC connection to Cisco ASA 5500

Note: Windows 10 Enterprise used.

1. Start > Settings > Network and Internet.

2. VPN > Add a VPN Connection.

3. VPN Provider = Windows (Built-in) > Connection Name = (A Sensible name) > Server name or Address = Public IP/Hostname of the ASA > Scroll Down.

4. VPN Type = L2TP/IPSEC with pre-shared key > Pre Shared Key = {the one you set on the firewall in our example 1234567890} > Type of sign-in information = Username and Password.

Note: You may want to untick “Remember my sign-in information” To supply a username and password each time.

5. Start > ncpa.cpl {Enter} > Right click your VPN connection profile > Properties..

6. Security Tab > Allow These Protocols > Tick “Microsoft CHAP version 2 (MS-CHAP v2)” > OK.

7. You can now connect your VPN.

 

Related Articles, References, Credits, or External Links

Cisco ASA Site to Site VPN’s Site to Site ISAKMP VPN

Set up Remote Access PPTP VPN’s in server 2008

Using the Microsoft VPN client through Cisco ASA/PIX

Enable Split Tunnel for IPSEC / SSLVPN / WEBVPN Clients

Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication

KB ID 0000688

Problem

Last week I was configuring some 2008 R2 RADIUS authentication, for authenticating remote VPN clients to a Cisco ASA Firewall.

I will say that Kerberos Authentication is a LOT easier to configure, so you might want to check that first.

Solution

Step 1 Configure the ASA for AAA RADIUS Authentication

1. Connect to your ASDM, > Configuration > Remote Access VPN. > AAA Local Users > AAA Server Groups.

2. In the Server group section > Add.

3. Give the group a name and accept the defaults > OK.

4. Now (with the group selected) > In the bottom (Server) section > Add.

5. Specify the IP address, and a shared secret that the ASA will use with the 2008 R2 Server performing RADIUS > OK.

6. Apply.

Configure AAA RADIUS from command line;

[box]

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 172.16.254.223
  key 123456
  radius-common-pw 123456
  exit

[/box]

Step 2 Configure Windows 2012 Server to allow RADIUS

7. On the Windows 2008 Server > Launch Server Manager > Roles > Add Role.

8. If you get a welcome page > Next > Select Network Policy and Access Server > Next >Next.

9. Select ‘Network Policy Server’ > Next > Install.

10. Close, when complete.

11. Whilst still in Server Manager > Network Policy and Access Server > NPS (Local).

12. Register Server in Active Directory >OK > OK.

13. Expand RADIUS Clients and Servers > Right click RADIUS Clients > New.

14. Give the firewall a friendly name, (take note of what this is, you will need it again) > Specify its IP > Enter the shared secret you setup above (number 5) > OK.

15. Expand policies > right click ‘Connection Request Policies’ > New > Give the policy a name > Next.

16. Add a condition > Set the condition to ‘Client Friendly Name’ > Add.

17. Specify the name you set up above (number 14) > OK > Next > Next > Next.

18. Change the attribute to User-Name > Next > Finish.

19. Now right click ‘Network Policies’ > New > Give the policy a name> Next.

20. Add a condition > User Groups > Add.

21. Add in the AD security group you want to allow access to > OK > Next > Next.

22. Select ‘Unencrypted Authentication PAP SPAP” > Next > No > Next > Next > Finish.

Step 3 Test RADIUS Authentication

23. Back at the ASDM, in the same page you were in previously, select your server and then click ‘Test’.

24. Change the selection to Authentication > Enter your domain credentials > OK.

25. You are looking for a successful outcome.

Note: if it fails check there is physical connectivity between the two devices, the shared secrets match. Also ensure UDP ports 1645 and 1646 are not being blocked.

To Test AAA RADIUS Authentication from Command Line

[box]

test aaa-server authentication PNL-RADIUS host 172.16.254.223 username petelong password password123

[/box]

26. Finally, save the firewall changes > File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Windows Server 2003 – Configure RADIUS for Cisco ASA 5500 Authentication

Windows Server 2012 – Configure RADIUS for Cisco ASA 5500 Authentication

HP MSM Controller – Using RADIUS With Windows Server

KB ID 0000922 

Problem

I’m very disappointed with HP, theres next to no information on how to do this. My plan was to secure wireless access with certificates, so only clients with a valid digital certificate could authenticate and connect to the wireless. After spending nearly a whole day on the phone to various technical support departments at HP, this remained an impossible requirement!

In the end, as the client only had a few laptops for wireless access, we had to set NPS to allow access to domain users, then filter the devices that were allowed on the MSM controller via MAC address.

Solution

1. Launch Server Manager (Servermanager.msc) Roles > Add Roles > Network Policy and Access Services > Next.

2. Accept the defaults, but on the Role Services page select ‘Network Policy Server’.

3. Expand Network Policy and Access Services > Right click NPS (Local) > Register in Active Directory > Accept the defaults.

4. Expand RADIUS Client and Servers > RADIUS Clients > New.

5. Specify a name > The IP address of the MSM controller > type in a shared secret and confirm it (this can be anything but remember it, as you need to enter it on the controller later > OK.

6. Expand Policies > Network Policies > New.

7. Give it a name > Next.

8. Add in Windows Groups and select the user group you wish to grant access to > OK > Add > Next.

9. Add in ‘Microsoft Protected EAP (PEAP)’ > OK > Next.

10. Move your newly created policy to the top.

11. Now create a new ‘Connection Request Policy’.

12. Add in NAS Port Type > Select Ethernet and Wireless – IEEE 802.11 > OK > Next.

13. Move your new policy to the top.

14. Log into the MSM > Home > Authentication > RADIUS Profiles > Add New Profile.

15. Give the policy a name > Enter the IP address of the NPS server > Then type in the shared secret, (you created in step 5.) > Save.

16. On the VSC for the wireless network you want to enable RADIUS for > Set Wireless protection to WPA > Mode to WPA2 (AES/CCMP) > Key source to Dynamic > Your RADIUS profile should be added automatically > Save.

 

Related Articles, References, Credits, or External Links

NA

 

Cisco Router – Configure Site to Site IPSEC VPN

KB ID 0000933

Problem

I’ve done thousands of firewall VPN’s but not many that terminate on Cisco Routers. It’s been a few years since I did one, and then I think I was a wuss and used the SDM. So when I was asked to do one last week thankfully I had the configs ready to go.

I’m going to use the IP addresses above, and my tunnel will use the following settings;

  • Encryption: AES.
  • Hashing: SHA.
  • Diffie Hellman: Group 2.
  • PFS: Enabled.
  • Authentication method: Pre-Shared Key.

Solution

1. Setup a policy for phase 1 of the tunnel (ISAKMP).

[box]

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#crypto isakmp key SecretK3y address 1.1.1.2

[/box]

2. Setup an ACL to define what traffic will be encrypted, and a ‘Transform set’ that will dictate the encryption and hashing for phase 2 (IPSEC).

[box]

R1(config)#ip access-list extended VPN-ACL
R1(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config-ext-nacl)#crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac

[/box]

3. Create a ‘Crypto map’ that is used to apply the phase 2 settings to an interface.

[box]

R1(config)#crypto map VPN-C-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 1.1.1.2
R1(config-crypto-map)#set transform-set VPN-TS
R1(config-crypto-map)#match address VPN-ACL

[/box]

4. Apply that crypto map to an interface, (usually the Internet facing one).

[box]

R1(config-crypto-map)#interface Serial0/1/0
R1(config-if)#crypto map VPN-C-MAP
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#exit
R1(config)#

[/box]

5. In most cases your router will be doing NAT, if so you will need to change the ACL that is looking after the NAT for you, look in your running config for something that looks like the following;

[box]

R1#show run
Building configuration...

Current configuration : 1249 bytes
------------output removed for the sake of space------------
!

ip nat inside source list 100 interface Serial0/1/0 overload
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!

------------output removed for the sake of space------------
!
line aux 0
!

[/box]

6. To stop our VPN traffic getting NATTED, we need to put a deny in that ACL, and put it before that permit statement. Remember:

  • Permit=Perform NAT
  • Deny=Don’t perform NAT

On this router (unlike the ASA‘s that I’m more used to), there is no option to define an ACL line number. So its easier to remove the existing one, add the new line then put the original one back. Finally save the changes.

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)#access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)#exit
R1#
%SYS-5-CONFIG_I: Configured from console by console

R1#write mem
Building configuration...
[OK]

[/box]

7. Now at the other site, the config should be a mirror image. I will post it in its entirety, so you can copy and paste it into the router, I will highlight the bits you need to check and change in red.

[box]

crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 2
lifetime 86400
crypto isakmp key SecretK3y address 1.1.1.1
ip access-list extended VPN-ACL
permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac

crypto map VPN-C-MAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set VPN-TS
match address VPN-ACL
interface Serial0/1/0
crypto map VPN-C-MAP

no access-list 100 permit ip 20.20.20.0 0.0.0.255 any
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any

[/box]

8. Test your VPN with the following commands. Note: you need to send some traffic over the VPN before it will establish!

[box]

show crypto isakmp sa
show crypto ipsec sa

[/box]

WARNING: If you have an ACL applied to the routers outside interface, you will need to allow in the Peer IP, like so;

[box]

ip access-list extended outside-in
 permit esp host 1.1.1.1 any
 permit udp host 1.1.1.1 any eq isakmp
 permit udp host 1.1.1.1 any eq non500-isakmp

[/box]

If you do not, the other end will fail Phase 1 with a WAIT_MSG_3 Error!

Related Articles, References, Credits, or External Links

NA

Cisco Simple GRE Tunnels (With IPSEC)

KB ID 0000951

Problem

I’ve spent years setting up VPN tunnels between firewalls. The only time I’ve ever dealt with GRE is for letting VPN client software though firewalls. GRE’s job is to ‘encapsulate’ other protocols and transport those protocols inside a virtual point to point link. Below is the topology, I’m going to use.

The tunnel will run form Router R1 to Router R3, once complete I should be able to ping Host2 from Host1.

Solution

Configure Router R1 for GRE

1. Create and configure a tunnel interface on the R1 Router. It will need an IP address, (here I’m using 10.0.0.1/30). Then you need to specify the source and destination of the GRE tunnel. Finally I’ve changed some MTU settings because typically MTU’s are set to 1500 and GRE adds an overhead, I’m dropping the MTU to 1400 and setting the maximum segment size to 1360.

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface Tunnel0
*Mar 1 00:01:27.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip address 10.0.0.1 255.255.255.252
R1(config-if)#ip mtu 1400
R1(config-if)#ip tcp adjust-mss 1360
R1(config-if)#tunnel source 1.1.1.1
R1(config-if)#tunnel destination 2.2.2.1
R1(config-if)#exit

[/box]

2. Then we need to add a static route to the router’s routing table so it knows to use that tunnel for traffic destined for the 192.168.2.0/24 network.

[box]

R1(config)#ip route 192.168.2.0 255.255.255.0 Tunnel0

[/box]

Configure Router R3 for GRE

3. This is simply a mirror image, of the configuration you carried our on router R1.

[box]

R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#interface Tunnel0
*Mar 1 00:01:30.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R3(config-if)#ip address 10.0.0.1 255.255.255.252
R3(config-if)#ip mtu 1400
R3(config-if)#ip tcp adjust-mss 1360
R3(config-if)#tunnel source 2.2.2.1
R3(config-if)#tunnel destination 1.1.1.1
R3(config-if)#exit
R3(config)#ip route 192.168.1.0 255.255.255.0 Tunnel0
[/box]

Verify GRE Tunnel

 

4. Use the following command to check the status of the GRE tunnel.

[box]

R1# show interface tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.0.0.1/30
  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.1.1, destination 2.2.2.1
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

[/box]

5. Then make sure that traffic passes over the tunnel.

[box]

R1#ping 192.168.2.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/64/88 ms
R1#

[/box]

Securing the Tunnel with IPsec

6. Our traffic is now going where we want it to, and it’s encapsulated, but it’s still being ‘sent in clear’ if traffic is intercepted ‘in flight’ it can be read. So we need to secure that traffic by encrypting it. First Job is to create an ISAKMP policy that will establish ‘phase-1’ of our secure tunnel. I’m using AES, with Diffie Hellman group 2, and SHA hashing. Ive specified that I will be using a pre-shared-key so that’s been created with the last command, and is assigned to the IP of the ‘other end’ of the VPN tunnel.

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes
R1(config-isakmp)#group 2
R1(config-isakmp)#hash sha
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 Sh@reds3cret address 2.2.2.1

[/box]

7. Phase 2 of our tunnel (IPsec) is encrypted and hashed with a ‘transform set’ again I’m using AES and SHA, then I create a profile that uses my transform set.

[box]

R3(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
R3(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile PF-PNL
R1(ipsec-profile)#set transform-set TFS-PNL
R1(ipsec-profile)#exit

[/box]

8. The last job is to apply the profile I created above, to our GRE tunnel interface.

[box]

R3(config)#interface tun0
R3(config-if)#tunnel mode ipsec ipv4
R3(config-if)#tunnel protection ipsec profile PF-PNL
*Mar 1 00:20:32.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R3(config-if)#
*Mar 1 00:20:33.175: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#
*Mar 1 00:20:33.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R3(config-if)#exit
R3(config)#
[/box]

9. Again configure router 3 as a mirror image.

[box]

R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes
R3(config-isakmp)#group 2
R3(config-isakmp)#hash sha
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 0 Sh@reds3cret address 1.1.1.1
R3(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#crypto ipsec profile PF-PNL
R3(ipsec-profile)#set transform-set TFS-PNL
R3(ipsec-profile)#exit
R3(config)#interface tun0
R3(config-if)#tunnel mode ipsec ipv4
R3(config-if)#tunnel protection ipsec profile PF-PNL
R3(config-if)#
*Mar 1 00:25:32.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R3(config-if)#
*Mar 1 00:25:33.175: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#
*Mar 1 00:25:33.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R3(config-if)#exit
R3(config)#
[/box]

Cisco IOS Verify IPsec VPN Tunnel Is Up

 

Note: To bring up the tunnel simply send some traffic over it by pinging something on the other side of the tunnel. If you get a reply then the tunnel is up! But to check it status firstly make sure phase 1 has established.

[box]

R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         2.2.2.1         QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R3#

[/box]

QM_IDLE means that phase 1 has established (in Quick Mode), and is in an idle state (this is what you want to see, if you see any other state message you may need to start debugging things).

Once you know phase 1 is established you need to check phase 2.

[box]

R3#show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 2.2.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x3AA3F6B0(983824048)

     inbound esp sas:
      spi: 0x5C5C5EF1(1549557489)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4559832/3506)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3AA3F6B0(983824048)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4559832/3506)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

[/box]

 

Related Articles, References, Credits, or External Links

NA

Cisco – Configuring Dynamic Multipoint Virtual Private Networks DMVPN

KB ID 0000954

Problem

A while back I uploaded a run through on how to deploy GRE tunnels and protect those tunnels with IPsec. That point-to-point GRE tunnel is a good solution, but if you have a lot of sites it’s not a solution that scales very well. Yes you can have 2147483647 tunnel interfaces, but good luck manually configuring all those tunnels and even if you did, if you want each of your remote sites to talk to each other you have all those tunnels to configure as well.

To address that we have DMVPN, rather than a point-to-point GRE tunnel it uses multipoint GRE that can have more than two endpoints. In fact it acts like a ‘network overlay’ that joins all the sites together. It is typically deployed in a hub-and-spoke configuration where one router (the hub) sits at the center and each remote site (spoke) joins the multipoint GRE, tunnels back to the hub. The magic part is, if one spoke needs to speak to another spoke, this is done by building a dynamic tunnel between them ‘on the fly’.

Below is the the network topology I’m going to use;

Note: If you use GNS3 heres the topology and configs for all the routers.

I have a main site that will be the ‘Hub Site’ and at that site MainSiteRTR will be the NHS router. The remaining three hub sites will act as ‘spokes’, so my ‘network overlay’ will be 192.168.1.0/24.

Solution

Configure DMVPN Hub (NHS) Router

Before I start, all the sites are pre-configured as per figure1 above, all the routers can see each other via EIGRP.

1. To begin the setup looks very much like a standard GRE tunnel, but we define a source but no destination (we don’t need to, because we specify tunnel mode gre multipoint). There are two commands for the NHRP setup, ‘ip nhrp map multicast dynamic‘ lets EIGRP information propagate to the ‘spokes’. And ‘ip nhrp network-id 1’ creates a group ID for the DMVPN group. All the spokes will need to share this ID to form tunnels with this NHS Router.<.p>

[box]

MainSiteRTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
MainSiteRTR(config)#interface Tunnel0
MainSiteRTR(config-if)# ip address 192.168.0.1 255.255.255.0
MainSiteRTR(config-if)# ip nhrp map multicast dynamic
MainSiteRTR(config-if)# ip nhrp network-id 1
MainSiteRTR(config-if)# tunnel source 1.1.1.1
MainSiteRTR(config-if)# tunnel mode gre multipoint
*Mar 1 00:02:31.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
MainSiteRTR(config-if)#exit
*Mar 1 00:02:41.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
MainSiteRTR(config)#

[/box]

Configure the Branch ‘Spoke’ Routers

2. There are a few differences here, first ‘ip nhrp map 192.168.0.1 1.1.1.1’ tells the branch router to map the 192.168.0.2 private IP permanently to the 1.1.1.1 public address. ‘ip nhrp map multicast 1.1.1.1’ tells the router to relay ALL its multicast traffic back to the hub router. ‘ip nhrp nhs 192.168.0.1’ tells the spoke router where the hub router is.

[box]

Branch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch1(config)#interface Tunnel0
Branch1(config-if)# ip address 192.168.0.2 255.255.255.0
Branch1(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch1(config-if)# ip nhrp map multicast 1.1.1.1
Branch1(config-if)# ip nhrp network-id 1
Branch1(config-if)# ip nhrp nhs 192.168.0.1
Branch1(config-if)# tunnel source 2.2.2.1
Branch1(config-if)# tunnel mode gre multipoint
*Mar 1 00:07:28.403: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Branch1(config-if)#exit
*Mar 1 00:07:38.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch1(config)#

[/box]

3. Then configure each branch router the same, (apart from the tunnel source and the endpoint IP).

[box]

Branch 2 Router Config

Branch2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch2(config)#interface Tunnel0
Branch2(config-if)# ip address 192.168.0.3 255.255.255.0
Branch2(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch2(config-if)# ip nhrp map multicast 1.1.1.1
Branch2(config-if)# ip nhrp network-id 1
Branch2(config-if)# ip nhrp nhs 192.168.0.1
Branch2(config-if)# tunnel source 3.3.3.1
Branch2(config-if)# tunnel mode gre multipoint
Branch2(config-if)# exit
*Mar 1 00:09:32.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch2(config)#

Branch 3 Router Config

Branch3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch3(config)#interface Tunnel0
Branch3(config-if)# ip address 192.168.0.4 255.255.255.0
Branch3(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch3(config-if)# ip nhrp map multicast 1.1.1.1
Branch3(config-if)# ip nhrp network-id 1
Branch3(config-if)# ip nhrp nhs 192.168.0.1
Branch3(config-if)# tunnel source 4.4.4.1
Branch3(config-if)# tunnel mode gre multipoint
Branch3(config-if)# exit
*Mar 1 00:11:05.259: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Branch3(config)#
*Mar 1 00:11:15.247: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch3(config)#

[/box]

Verifying and Testing the DMVPN Setup

4. On the main site;

[box]

MainSiteRTR#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Hub, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         2.2.2.1     192.168.0.2    UP    never D
     1         3.3.3.1     192.168.0.3    UP    never D
     1         4.4.4.1     192.168.0.4    UP    never D

[/box]

5. On a branch site (Note: There is only one tunnel to the Main Site);

[box]

Branch1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         1.1.1.1     192.168.0.1    UP 00:08:24 S

[/box]

6. But if from the same branch site you ping another branch site, it will dynamically build a tunnel to that site also. (Note: The S denotes static, and the D denotes dynamic).

[box]

Branch1#ping 192.168.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/60/108 ms

Branch1#show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         1.1.1.1     192.168.0.1    UP 00:08:52 S
     1         4.4.4.1     192.168.0.4    UP    never D

[/box]

Protect and Encrypt the Tunnel(s) with IPSEC

7. BE AWARE the traffic traveling over these tunnels is still being sent in cleartext, it’s simply been ‘encapsulated’ with GRE. To rectify that we can protect the tunnels with IPSEC.

[box]

MainSiteRTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
MainSiteRTR(config)#crypto isakmp policy 10
MainSiteRTR(config-isakmp)# authentication pre-share
MainSiteRTR(config-isakmp)# encryption aes
MainSiteRTR(config-isakmp)# group 2
MainSiteRTR(config-isakmp)# hash sha
MainSiteRTR(config-isakmp)# crypto isakmp key Sh@reds3cret address 2.2.2.1
MainSiteRTR(config)# crypto isakmp key Sh@reds3cret address 3.3.3.1
MainSiteRTR(config)# crypto isakmp key Sh@reds3cret address 4.4.4.1
MainSiteRTR(config)# crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
MainSiteRTR(cfg-crypto-trans)# crypto ipsec profile PF-PNL
MainSiteRTR(ipsec-profile)# set transform-set TFS-PNL
MainSiteRTR(ipsec-profile)# interface Tunnel0
MainSiteRTR(config-if)# tunnel protection ipsec profile PF-PNL
*Mar 1 00:25:34.055: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
MainSiteRTR(config-if)# exit
MainSiteRTR(config)#

[/box]

8. Then simply repeat on the branch routers, the only difference is the peer addresses.

[box]

Branch 1 Router Config

Branch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch1(config)#crypto isakmp policy 10
Branch1(config-isakmp)# authentication pre-share
Branch1(config-isakmp)# encryption aes
Branch1(config-isakmp)# group 2
Branch1(config-isakmp)# hash sha
Branch1(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch1(config)#crypto isakmp key Sh@reds3cret address 3.3.3.1
Branch1(config)#crypto isakmp key Sh@reds3cret address 4.4.4.1
Branch1(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch1(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch1(ipsec-profile)# set transform-set TFS-PNL
Branch1(ipsec-profile)#interface Tunnel0
Branch1(config-if)# tunnel protection ipsec profile PF-PNL
Branch1(config-if)#exit
Branch1(config)#
*Mar 1 00:36:47.179: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch1(config)#

Branch 2 Router Config

Branch2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch2(config)#crypto isakmp policy 10
Branch2(config-isakmp)# authentication pre-share
Branch2(config-isakmp)# encryption aes
Branch2(config-isakmp)# group 2
Branch2(config-isakmp)# hash sha
Branch2(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch2(config)#crypto isakmp key Sh@reds3cret address 2.2.2.1
Branch2(config)#crypto isakmp key Sh@reds3cret address 4.4.4.1
Branch2(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch2(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch2(ipsec-profile)# set transform-set TFS-PNL
Branch2(ipsec-profile)#interface Tunnel0
Branch2(config-if)# tunnel protection ipsec profile PF-PNL
Branch2(config-if)#exit
Branch2(config)#
*Mar 1 00:37:57.239: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch2(config)#

Branch 3 Router Config

Branch3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch3(config)#crypto isakmp policy 10
Branch3(config-isakmp)# authentication pre-share
Branch3(config-isakmp)# encryption aes
Branch3(config-isakmp)# group 2
Branch3(config-isakmp)# hash sha
Branch3(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch3(config)#crypto isakmp key Sh@reds3cret address 2.2.2.1
Branch3(config)#crypto isakmp key Sh@reds3cret address 3.3.3.1
Branch3(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch3(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch3(ipsec-profile)# set transform-set TFS-PNL
Branch3(ipsec-profile)#interface Tunnel0
Branch3(config-if)# tunnel protection ipsec profile PF-PNL
*Mar 1 00:39:10.515: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch3(config-if)#exit

[/box]

9. To test re-establish the tunnels, and this time you can see they are protected;

[box]

MainSiteRTR#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         3.3.3.1         QM_IDLE           1002    0 ACTIVE
1.1.1.1         4.4.4.1         QM_IDLE           1003    0 ACTIVE
1.1.1.1         2.2.2.1         QM_IDLE           1001    0 ACTIVE

[/box]

Download the DMVPN labs and have a play

Related Articles, References, Credits, or External Links

Cisco Simple GRE Tunnels (With IPSEC)

Cisco PIX 500 – IPSEC Site to Site VPNs (v6)

KB ID 0000611 

Problem

Note: This is for firewalls running an operating system BEFORE version 7, if you have an PIX running version 7 or above go here instead. I’ll run though he commands first and then the configuration from PDM at the end.

Solution

PIX 500: Configure a site to site VPN from command line

1. Connect to the PIX, go to “enable mode”, then to “Configure terminal mode”

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesPIX> enable
Password: ********
PetesPIX# configure Terminal
PetesPIX(config)# 

[/box]

2. I’m assuming the network BEHIND the PIX 500 is 192.168.124.0/24 and the network at the far end of the tunnel is 192.168.123.0/24. So I’m going to create two ACL’s one to tell the PIX that this traffic should be encrypted, and the second to tell the PIX NOT to perform NAT on the VPN traffic.

Note: Yes I can use one ACL, but having two makes it easier to troubleshoot any VPN problems.

[box]

PetesPIX(config)# access-list VPN_CRYPTO_ACL permit ip 192.168.124.0 255.255.255.0 192.168.123.0 255.255.255.0
PetesPIX(config)# access-list VPN_NO_NAT line 1 permit ip 192.168.124.0 255.255.255.0 192.168.123.0 255.255.255.0

[/box]

3. Now I’ve got an ACL that will stop performing NAT I need to add it as a “Nat 0” (this means don’t perform NAT).

Note: Check to make sure you do not already have a nat(inside) 0 xxx command, if you do, use the SAME ACL that is already in use.

[box]

PetesPIX(config)# nat (inside) 0 access-list VPN_NO_NAT

[/box]

4. To set up all the VPN parameters you need to create a crypto map. In the example below I set the peer IP (the firewall at the other end of the tunnel), to 81.81.81.81. Then I tie it to the ACL I created earlier (VPN_CRYPTO_ACL). I’ve set the encryption and hashing used for the tunnel to 3DES and SHA (These will be used for IPSec (Phase 2)). Set the timeouts for the tunnel, and finally apply the cryptomap I’ve just created, to the outside interface.

[box]

PetesPIX(config)# crypto map VPN_CRYPTO_MAP 20 set peer 81.81.81.81
PetesPIX(config)# crypto map VPN_CRYPTO_MAP 20 match address VPN_CRYPTO_ACL
PetesPIX(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
PetesPIX(config)# crypto map VPN_CRYPTO_MAP 20 set transform-set ESP-3DES-SHA
PetesPIX(config)# crypto map VPN_CRYPTO_MAP 20 set security-association lifetime seconds 28800 kilobytes 4608000
PetesPIX(config)# crypto map VPN_CRYPTO_MAP interface outside

[/box]

5. The next command lets VPN traffic bypass any other ACLs configured on the firewall.

[box]

PetesPIX(config)# sysopt connection permit-ipsec

[/box]

6. I’m using a “shared secret” that also needs to be setup on the other end of the tunnel. As I said earlier the peer IP is 81.81.81.81.

[box]

PetesPIX(config)# isakmp key 123456 address 81.81.81.81 netmask 255.255.255.255 no-xauth no-config-mode

[/box]

7. To establish the VPN phase 1 (ISAKMP) the devices at both ends of the tunnel need a matching ISAKMP policy. I’ve already set up my shared secret, the first line lets the other end know that’s how we will be communicating. Then once again I’m using 3DES and SHA. I’m telling the system to use Diffie Hellman group 2 for the secure key exchange, and then binding this policy to the outside interface.

Note: If you are interested on how all this stuff works see here

[box]

PetesPIX(config)# isakmp policy 20 authen pre-share
PetesPIX(config)# isakmp policy 20 encrypt 3des
PetesPIX(config)# isakmp policy 20 hash sha
PetesPIX(config)# isakmp policy 20 group 2
PetesPIX(config)# isakmp enable outside

[/box]

8. Then save the changes with a write mem command.

[box]

PetesPIX# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesPIX#

[/box]

PIX 500: Configure a site to site VPN from the PDM

1. To connect to the PDM you are going to need two things, an OLD browser (IE6) and an OLD version of Java. Select Wizards > VPN Wizard.

2. Site to Site > Next.

3. Set the Peer (Device at the other end of the tunnel) and a shared secret that you will also use at the other end > Next.

4. Set the policy that will be used for phase 1 > Next.

5. Now the phase 2 policy > Next

6. Enter the network behind the PIX > Next.

7. Enter the network at the far end of the tunnel > Finish.

8. Finish by saving the changes > File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Set up a PIX Firewall with the PDM

PIX 506E and 501 Firewall Image and PDM Upgrade

Securing Network Device Access With Cisco ACS (and Active Directory)

KB ID 0000942

Problem

For network identification I have tended to use RADIUS (in a Windows NPS or IAS flavour), in the past. I turned my back on Cisco TACACS+ back in my ‘Studying for CCNA’ days, because back then it was clunky and awful. I have a client that will be installing ACS in the near future, so I thought I would take a look at it again, and was surprised at how much more polished it is. As Cisco plans to roll ACS into Cisco ISE in the future, I’m not sure if it will remain as a separate product. So we may find people using version 5 for a long time yet.

Solution

I’m deploying ACS version 5.5 as a virtual appliance, remember to give it at least 60GB of hard drive or the install will fail. If you are installing on VMware workstation, choose the ‘I will install the operating system later’ option and manually present the CD image or it will also fail.

When you have run through the initial setup on the appliance it will set;

  • Hostname.
  • IP Address.
  • Subnet Mask.
  • Default Gateway.
  • DNS Domain Name.
  • DNS IP Address.
  • Secondary DNS (if required).
  • NTP Server IP address. (Ensure UDP port 123 is open or this will fail).
  • Secondary NTP (if required).
  • Timezone.
  • Username.
  • Password.

Then connect via a web browser (https);

  • Username: ACSAdmin
  • Password: default

1. Join the ACS appliance to your domain. Users and Identity Stores > External Identity Stores > Active Directory > Join/Test Connection > Enter Domain Credentials > Join.

2. Be patient it can take a couple of minutes, wait till it says ‘Joined and Connected’.

3. Make sure you already have some groups in active directory that you want to grant access to, here I’ve got a full-access group and a read-only access group.

Note: I’m going to grant privilege level 15 to full-access, and privilege level 1 to read-only, (yes I know they can still escalate to configure terminal mode, but you can always restrict level 1 so it can only use the show command if you like).

4. Back in ACS > Directory Groups > Add > Add in your Groups > OK.

5. Create a Shell Policy: Policy Elements > Authorization and Permissions > Shell Profiles > Create > First create one for level 15 (full-access).

6. Common Tasks tab > Default Privilege > Static > 15 > Submit.

7. Then repeat to create a profile for read-only (level 1) access.

8. Common Tasks tab > Default Privilege > Static > 1 > Submit.

9. Access Policies > Access Services > Default Device Admin > Identity >Select > AD1 (this got created when you joined the domain earlier) > OK.

10. Access Policies > Access Services > Default Device Admin > Authorisation > Customise > Add ‘Compound Condition’ > OK.

11. Create > Tick ‘Compound Condition’ > Select > ExternalGroups > Select your full-access group.

12. Add > Shell Profile > Select > Select the full-access profile > OK.

13. Repeat for the read-only group.

14. Set the shell profile to read-only access > OK.

15. Access Policies > Service Selection Rules > Create > Set to Match Protocol TACACS > Set the service to Default Device Admin > OK.

16. Network Resources > Network Devices and AAA Clients > Enter the details of your Cisco device and set a shared key, (here I’m using 666999) > Submit.

17. Make the necessary changes on your Cisco devices, like so;

Cisco IOS TACACS+ Config

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#aaa new-model
Petes-Router(config)#aaa authentication login default group tacacs+ local
Petes-Router(config)#aaa authorization exec default group tacacs+ local
Petes-Router(config)#aaa authorization console
Petes-Router(config)#tacacs-server host 10.254.254.22
Petes-Router(config)#tacacs-server key 666999
Petes-Router(config)#end
Petes-Router#
*Mar 1 00:10:24.691: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#write mem
Building configuration...
[OK]
Petes-Router# 

[/box]

Cisco ASA 5500 (and Next Generation) TACACS+ Config

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# aaa-server PNL-AAA-TACACS protocol tacacs+
Petes-ASA(config-aaa-server-group)# aaa-server PNL-AAA-TACACS (inside) host 10.254.254.22
Petes-ASA(config-aaa-server-host)# key 666999
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)#

-=-=-=-=-Authentication-=-=-=-=-
ASDM Authentication

Petes-ASA(config)# aaa authentication http console PNL-AAA-TACACS LOCAL 
Console Authentication

Petes-ASA(config)# aaa authentication serial console PNL-AAA-TACACS LOCAL
SSH Authentication

Petes-ASA(config)# aaa authentication ssh console PNL-AAA-TACACS LOCAL
Telnet Authentication

Petes-ASA(config)# aaa authentication telnet console PNL-AAA-TACACS LOCAL

Enable Mode Command Protection Authentication

Petes-ASA(config)# aaa authentication enable console PNL-AAA-TACACS LOCAL
-=-=-=-=-Authorisation-=-=-=-=-

Petes-ASA(config)# aaa authorization command PNL-AAA-TACACS LOCAL
Petes-ASA(config)# privilege show level 5 mode configure configure command aaa

<repeat as necessary - Note: Turn it on with the ASDM with command preview enables and you can copy paste all the commands out and edit them accordingly>
-=-=-=-=-Accounting-=-=-=-=-

Petes-ASA(config)# aaa accounting command PNL-AAA-TACACS

[/box]

18. Now you can test, here I connect as a user with read-only access (Note: I have a greater than prompt, I’m in user EXEC mode). Then when I connect as a full-access user (Note: I have a hash prompt. I’m in privileged EXEC mode).

19. The results are the same if I connect via SSH.

Enabling TACACS+ Though a Firewall

Sometimes, e.g. you have a switch in a DMZ or a router outside your firewall that you want to secure with TACACS. To enable this you simply need to open TCP port 49, from the device you are securing with TACACS to the ACS server.

Related Articles, References, Credits, or External Links

JunOS – Using TACACS+ With Cisco ACS

Cisco ISE – Basic 802.1x With WindowsPart Three – Adding Network Devices (Authenticators)

KB ID 0001077 

Problem

Back in Part Two we configured the specific 802.1x policies in Cisco ISE. Remember with 802.1x it is a three tier system there is a supplicant, (a machine that wants to authenticate), the Authenticator, (the device the supplicant connect to, in our case a switch), and finally an Authentication server (Cisco ISE).

Below I will add our switch into ISE, as a RADIUS device and create some groups, and locations for good housekeeping.

Solution

1. From within ISE > Authentication > Network Resources > Network Devices > Network Devices > Add.

2. Specify a name and description for the device > Set its IP address > Set the device type and location (we will change these in a minute) > Under authentication settings select RADIUS and enter a shared secret, (you can set these up globally if you prefer).

3. Create a Device Type: Administration > Network Devices > Network Device Groups > Groups > All Device Types > Add.

Note: You can have as many of these as you like to make managing your network easier, I’m just going to set one up for Cisco Switches.

4. Give the group a name and description > Submit.

5. Create a Location: On the same page > All Locations > Add.

6. Give the location a name and description > Submit.

7. You can now go back to the network device you created earlier, and set the location and group accordingly.

8. Now you can configure the Cisco switch for RADIUS Authentication.

Note: 192.168.100.12 is the IP address of the ISE server, and 666999 is the shared secret we setup in step 2.

[box]

Petes-3750(config)#aaa new-model 
Petes-3750(config)#aaa group server radius ISE
Petes-3750(config-sg-radius)#server-private 192.168.200.12 key 666999
Petes-3750(config-sg-radius)#exit
Petes-3750(config)#aaa authentication dot1x default group ISE
Petes-3750(config)#aaa authorization network default group ISE
Petes-3750(config)#dot1x system-auth-control
Petes-3750(config)#do write
Building configuration...
[OK]
Petes-3750(config)#

[/box]

9. To configure the port that our supplicant is going to connect to;

Note: I’m setting the host-mode to multi-host because my clients are all in VMware ESXi and are coming from a VMware vSwitch into the Cisco switch.

[box]

Petes-3750(config)#interface fastEthernet 1/0/4
Petes-3750(config-if)#authentication host-mode multi-host
Petes-3750(config-if)# authentication port-control auto
Petes-3750(config-if)# dot1x pae authenticator
Petes-3750(config-if)#exit
Petes-3750(config)#exit
Petes-3750#write mem
Building configuration...
[OK]
Petes-3750#

[/box]

10. Once a supplicant has been authenticated you can check like so;

[box]

Petes-3750#show dot1x all summary
Interface PAE Client Status
--------------------------------------------------------
Fa1/0/4 AUTH 0050.56b1.5f5c AUTHORIZED
Petes-3750#

[/box]

Related Articles, References, Credits, or External Links

Cisco ISE – Basic 802.1x With Windows – Part Four – Configuring The Windows Clients (Supplicants)

Site to Site IPSEC VPN from SonicWALL to Cisco ASA

KB ID 0000357

Problem

You want to put in a secure IPSEC VPN tunnel from a Cisco ASA Device to a Sonicwall Firewall. Note in this example we will use 3DES for encryption, SHA1 for Hashing, Diffie Hellman Group 2, PFS enabled, and we will use a shared secret (Pre Shared Key).

SonicWALL used in this example is a PRO 3060.

Solution

The main two gotcha’s

Update 12/03/11 Feedback from Wajma Omari:

I would like to add that this configuration will build the Tunnel but one more step needed to enable the Traffic between the two networks and that is by adding ACL from Inside network to the Remote Site Configuration – Firewall – Advanced – ACL Manager – Add – Add ACL and then ADD ACE

Thanks for the very helpful article

Many Thanks for the feedback! Pete

Related Articles, References, Credits, or External Links

Special thanks to David Pounds for his help with the SonicWALL configuration.