23. June 2013 · MicroNugget – ASA VPN Connection Profiles · Categories: Cisco

04. June 2013 · DNS dropped because packets too big for configured 512? · Categories: Cisco


You can safely increase the maximum DNS packet length to 1500; 512 is the default.

fixup protocol dns maximum-length 1500

Background on fixup protocol dns

Use the fixup protocol dns command to specify the maximum DNS packet length. DNS requires application inspection so that DNS queries are not subject to the generic UDP handling based on activity timeouts. Instead, UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received.

The port assignment for the Domain Name System (DNS) is not configurable.

Set the maximum length for the DNS fixup as shown in the following example:

pixfirewall(config)# fixup protocol dns maximum-length 1500

pixfirewall(config)# show fixup protocol dns

fixup protocol dns maximum length 1500
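To see why the default of 512 bites, here is an added Python example (not from the original post) that builds a constructed DNS response in wire format, optionally with an EDNS0 OPT record advertising a larger UDP payload size, and checks it against a `maximum-length` value the way the fixup does: anything longer than the configured limit is discarded. The helpers (`build_response`, `parse_sections`, `inspect`) and the sample names and addresses are assumptions made for this example.

```python
import struct

# ASA/PIX default for "fixup protocol dns maximum-length"
DEFAULT_MAX_DNS_LENGTH = 512
OPT_TYPE = 41  # EDNS0 OPT pseudo-record (RFC 6891)


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels, zero terminator)."""
    labels = [p for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def build_response(qname, addresses, edns_payload=None):
    """Build a constructed DNS response with one A record per address.

    If edns_payload is given, an OPT record advertising that UDP payload size is
    appended, as a resolver that sent an EDNS0 query would expect.
    """
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addresses), 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, len(rdata)) + rdata
    additional = b""
    if edns_payload:
        # OPT: root name, TYPE 41, CLASS carries the UDP payload size, TTL 0, no RDATA
        additional = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_payload, 0, 0)
    return header + question + answers + additional


def parse_sections(packet):
    """Walk the message and report record counts and any EDNS0 advertised size."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12

    def skip_name(pos):
        while True:
            length = packet[pos]
            if length == 0:
                return pos + 1
            if length & 0xC0 == 0xC0:  # compression pointer, always 2 bytes
                return pos + 2
            pos += 1 + length

    for _ in range(qd):
        off = skip_name(off) + 4  # QTYPE + QCLASS
    edns_udp_size = None
    for _ in range(an + ns + ar):
        off = skip_name(off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        if rtype == OPT_TYPE:
            edns_udp_size = rclass
        off += 10 + rdlen
    return {"answers": an, "additional": ar, "edns_udp_size": edns_udp_size}


def would_be_dropped(packet, max_length=DEFAULT_MAX_DNS_LENGTH):
    """True if DNS inspection with this maximum-length would discard the message."""
    return len(packet) > max_length


def inspect(packet, max_length=DEFAULT_MAX_DNS_LENGTH):
    """Summarise what the firewall would do with this message under the given limit."""
    info = parse_sections(packet)
    info["length"] = len(packet)
    info["dropped"] = would_be_dropped(packet, max_length)
    return info


if __name__ == "__main__":
    small = build_response("example.com", ["192.0.2.1"])
    big = build_response("example.com", ["192.0.2.%d" % i for i in range(1, 41)], edns_payload=4096)
    for limit in (DEFAULT_MAX_DNS_LENGTH, 1500):
        print(limit, inspect(small, limit)["dropped"], inspect(big, limit)["dropped"])
```

A 40-address answer with an OPT record is 680 bytes, so it survives a 1500-byte limit and is dropped at 512, which is exactly the symptom in the title. On ASA releases that replaced `fixup` with Modular Policy Framework, the equivalent knob is `message-length maximum` under `policy-map type inspect dns`.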

17. December 2012 · Reveal the Site-to-Site VPN key on an ASA · Categories: Cisco

I've needed to know what the site-to-site VPN key is when reconfiguring a firewall. No one knew what the password was, and I was under the impression that I would have to just reset the password on both ends. Well, I've learned that a command can provide more information without having to reset the VPN key on the other side. If you do a 'show run' on the ASA, you will see that you cannot see what the key is. It just gives you an: *

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

OK, I need that password. So, I've learned that if you do a "more system:/running-config", it will show you that pass key.
Below is what is displayed when I enter the command:

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key !Password1!!


24. November 2012 · How to Upgrade the ASA5500 using CLI · Categories: Cisco

Version 9.0 of the Cisco ASA software has now been released. Here are some of the major features in the new release.

Filter ICMP by ICMP code
Clustering of multiple ASAs
OSPFv3 and EIGRP support
IPv6 support on outside interface for VPNs
NAT for IPv6 and NAT64
DHCPv6 relay
Unified ACLs for v4 and v6
Clientless SSL VPN – Support for new browsers and HTML5
Site to Site VPN in multiple context mode
Dynamic routing in multiple context mode
Mixed firewall support in multiple context mode

So today I decided to upgrade my ASA5505 to Version 9.0(1). Below are the steps to upgrade your ASA.

23. November 2012 · Cisco ASA Port Forwarding in 8.3 from the CLI the easy way · Categories: Cisco

In this example, we want to be able to access a Media Server behind the firewall. We'll assume you are using port 32400 and that the Media Server's internal IP address is 10.11.12.13/24. I'll give you the steps, then I'll explain.

Step 1: Create a new object group for your web server.

asa5505(config)# object network MediaServer

Step 2: Add the IP of the web server to the network group.

asa5505(config-network-object)# host 10.11.12.13

Step 3: Forward the port via the NAT command.

asa5505(config-network-object)# nat (inside,outside) static interface service tcp 32400 32400

Step 4: Exit back to the root and add the access list.

asa5505(config)# access-list outside_access_in permit tcp any object MediaServer eq 32400

That's it! Now, let's explain what's going on here. Cisco has started moving more and more towards the use of object groups in their configs. It makes things easier, especially when you have a situation where you have 20 web servers behind the firewall and you want to add 1 more. Rather than having to rewrite a whole bunch of ACLs, you just add the IP of the new web server into the object group and everything is done for you. So here our Media Server is 10.11.12.13. If you want to send port 80 to more than 1 IP on your internal network, just add more IPs to that object group.

This works for ANY port forward. If you want to RDP into a machine, simply replace port 32400 with 3389. There is one caveat: you can only do one port forward per object group. So let's say that our Media Server is also an FTP server and you want port 21 to forward as well as port 32400. You're going to have to create a whole new object group (object network FTPServer), put the same IP in the group (host 10.11.12.13), do the nat command again (nat (inside,outside) static interface service tcp ftp ftp), exit back to the root of config, and add the access list (access-list outside_access_in permit tcp any object FTPServer eq ftp).

This should get you up and running in no time.
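Because every forward is three lines spread across an object, a NAT statement and an ACL entry, the easy mistake is an ACL port that no longer matches the NAT port, or an ACL entry left behind after the object was removed. The following Python is an added example (not from the post, not an ASA tool) that parses the 8.3-style snippets used above and reports what is actually exposed to `any` on the outside, plus entries that do not line up. The sample config, the function names and the small port-name table are assumptions made for this example; it only understands the `static interface service` form shown in the post.

```python
import re

# Constructed sample in the style of the post: two correct forwards, one where the
# ACL port does not match the NAT port, and one ACL entry whose object does not exist.
SAMPLE_CONFIG = """
object network MediaServer
 host 10.11.12.13
 nat (inside,outside) static interface service tcp 32400 32400
object network FTPServer
 host 10.11.12.13
 nat (inside,outside) static interface service tcp ftp ftp
object network RdpHost
 host 10.11.12.20
 nat (inside,outside) static interface service tcp 3389 3389
access-list outside_access_in permit tcp any object MediaServer eq 32400
access-list outside_access_in permit tcp any object FTPServer eq ftp
access-list outside_access_in permit tcp any object RdpHost eq 3390
access-list outside_access_in permit tcp any object WebServer eq www
"""

# Only the service names used here; the ASA accepts many more.
PORT_NAMES = {"ftp": 21, "ssh": 22, "www": 80, "http": 80, "https": 443, "smtp": 25}

OBJECT_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
NAT_RE = re.compile(r"^nat \(([^,)]+),([^,)]+)\) static interface service (tcp|udp) (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (tcp|udp) any object (\S+) eq (\S+)$")


def port_number(token):
    return int(token) if token.isdigit() else PORT_NAMES[token.lower()]


def parse_config(text):
    """Collect network objects (host + NAT) and the ACL entries that reference them."""
    objects, acl_entries, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := OBJECT_RE.match(line):
            current = m.group(1)
            objects.setdefault(current, {"host": None, "nat": None})
        elif (m := HOST_RE.match(line)) and current:
            objects[current]["host"] = m.group(1)
        elif (m := NAT_RE.match(line)) and current:
            objects[current]["nat"] = {"proto": m.group(3),
                                       "real_port": port_number(m.group(4)),
                                       "mapped_port": port_number(m.group(5))}
        elif m := ACL_RE.match(line):
            current = None  # object sub-mode ended
            acl_entries.append({"acl": m.group(1), "proto": m.group(2),
                                "object": m.group(3), "port": port_number(m.group(4))})
    return objects, acl_entries


def audit(text):
    """Return (exposed, problems): host/proto/port triples reachable from any
    outside address, plus ACL or NAT entries that do not line up."""
    objects, acl_entries = parse_config(text)
    exposed, problems, referenced = [], [], set()
    for e in acl_entries:
        referenced.add(e["object"])
        obj = objects.get(e["object"])
        if obj is None:
            problems.append(f"{e['acl']}: object {e['object']} is not defined")
        elif obj["nat"] is None or obj["host"] is None:
            problems.append(f"{e['acl']}: object {e['object']} has no host/NAT, the entry is dead")
        # Since 8.3 the ACL matches the real (untranslated) address and port, so the
        # ACL port must equal the NAT rule's real port, not the mapped one.
        elif obj["nat"]["proto"] != e["proto"] or obj["nat"]["real_port"] != e["port"]:
            problems.append(f"{e['acl']}: allows {e['proto']}/{e['port']} to {e['object']} "
                            f"but NAT maps {obj['nat']['proto']}/{obj['nat']['real_port']}")
        else:
            exposed.append((obj["host"], obj["nat"]["proto"], obj["nat"]["mapped_port"]))
    for name, obj in objects.items():
        if obj["nat"] is not None and name not in referenced:
            problems.append(f"object {name} has a NAT rule but no ACL entry; not reachable from outside")
    return exposed, problems


if __name__ == "__main__":
    exposed, problems = audit(SAMPLE_CONFIG)
    for host, proto, port in exposed:
        print(f"EXPOSED {proto}/{port} -> {host}")
    for p in problems:
        print("PROBLEM", p)
```

Run against `show running-config` output pasted into `SAMPLE_CONFIG`, the exposed list is the inventory you want to review periodically: each triple is an inside host reachable from every outside address on that port.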

07. August 2012 · Recovering Passwords for the ASA 5500 Series Adaptive Security Appliance · Categories: Cisco

To recover passwords for the ASA, perform the following steps:

Step 1 Connect to the ASA console port according to the instructions in “Accessing the Appliance Command-Line Interface” section.

Step 2 Power off the ASA, and then power it on.

Step 3 After startup, press the Escape key when you are prompted to enter ROMMON mode.

Step 4 To update the configuration register value, enter the following command:

rommon #1> confreg 0x41

Update Config Register (0x41) in NVRAM…

Step 5 To set the ASA to ignore the startup configuration, enter the following command:

rommon #1> confreg


18. July 2012 · SSH access on Cisco ASA · Categories: Cisco

SSH access on Cisco ASA

Firewall# config t
Firewall(config)# enable password password
Firewall(config)# username test password test123
Firewall(config)# aaa authentication ssh console LOCAL (LOCAL in all caps for the LOCAL user database)
Firewall(config)# ssh A.B.C.D 255.255.255.0 inside
Firewall(config)# ssh version 2


18. July 2012 · ASA VPN Quick Copy Paste Setup · Categories: Cisco

ASA VPN Quick Copy Paste Setup

webvpn
enable outside
tunnel-group DefaultWEBVPNGroup webvpn-attributes
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LOCAL
!
username Username password UserPassword
username Username attributes
!
webvpn
svc image anyconnect-win-2.5.2014-k9.pkg 1
svc image anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc image anyconnect-linux-2.5.2014-k9.pkg 3
!
svc enable
!
ip local pool client-pool 172.16.21.1-172.16.21.254 mask 255.255.255.0
!
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol svc webvpn
!
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool client-pool
!

!
object-group network VPN
network-object 172.16.21.0 255.255.255.0
object-group network INSIDE-NETWORK
network-object 10.10.10.0 255.255.255.0
group-object VPN
!
access-list VPNUSERS extended permit ip 10.10.10.0 255.255.255.0 any
access-list SplitACL standard permit 10.10.10.0 255.255.255.0
!
group-policy DfltGrpPolicy attributes
split-tunnel-network-list value VPNUSERS
dns-server value 10.10.10.20 10.10.10.21
default-domain value MyDomain.local
!
group-policy DfltGrpPolicy attributes
split-tunnel-policy tunnelspecified
!
group-policy DfltGrpPolicy attributes
webvpn
svc ask none default svc
!
End


The above config is a VPN setup on a different subnet. It works well and has been tested several times on Cisco Adaptive Security Appliance Software Version 8.4(4)1.

** The setup command (guide) on the ASA is below. It doesn't harm the config; it just shows you the steps. **

vpnsetup ssl-remote-access steps

18. July 2012 · Cisco ASA Anyconnect Setup · Categories: Cisco

Getting Started with Cisco Anyconnect

For the last few years, Cisco has been attempting to do away with what they call the Cisco EZVPN client. This has been the solution used by many corporate users in the mobile workforce for secure access to enterprise data. The need for mobility certainly isn't going away, and Cisco has a new solution for this called Anyconnect. While the EZVPN client used IPSec, Anyconnect uses SSL to create a secure tunnel. From the wire, this connection looks very much like accessing any ecommerce site and alleviates some of the challenges of using IPSec on an ad hoc basis. In this article, we will start with a very basic ASA configuration and add a very basic Anyconnect configuration. There is actually a command that we can use to show us many of the configuration steps. We will also look at some of the additional items that typically need to be configured to achieve a basic Anyconnect environment.

Let’s start with the simplest possible ASA configuration. This can be achieved by using the “configure factory-default” command followed by configuring an outside IP address and default route. The relevant configuration is posted below. This output is from an ASA5505, so it uses VLANs as the layer 3 interfaces.

!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
!

The configuration above is sufficient to achieve the NAT and firewall configuration for the following image.