Tag Archives: ASA

Redundant Cisco ASA VPN scenario

Cisco ASAs (pre-X series) are still extremely common.

This entry describes a redundant VPN setup of two ISPs on the Branch firewall (Cisco 5505), and one ISP on the Datacenter/hub side (Cisco ASA 5510).

The branch office has a cable connection as its primary ISP and a 4G CradlePoint as backup. We will use an SLA to track Internet reachability over the cable connection, and a floating static route to control the priority of the backup route.

The idea behind the branch office is that two different crypto maps exist, one applied to each of the two outside interfaces. If the SLA fails and withdraws the primary default route, traffic starts going out of the backup connection, which has the backup crypto map applied. When the primary interface comes back up, traffic returns to the crypto map applied to it. This avoids flip-flopping VPNs and solves the problem that one crypto map cannot be applied to two different interfaces.

 

layout

CONFIG

Branch ASA:

interface Vlan2
nameif PRIMARY
security-level 0
ip address 1.1.1.10 255.255.255.0
!
interface Vlan12
nameif BACKUP
security-level 0
ip address 2.2.2.10 255.255.255.0

object-group network CORE-SUBNETS        — Object group for Core subnets
network-object 10.0.0.0 255.255.255.0
network-object 192.168.0.0 255.255.255.0
object-group network BRANCH-SUBNETS    — Object group for Branch subnets
network-object 192.168.18.0 255.255.255.0

object network Any-Cable                                     — NAT For Primary
subnet 0.0.0.0 0.0.0.0
nat (inside,PRIMARY) dynamic interface
object network Any-Backup                                  — NAT For Backup Internet
subnet 0.0.0.0 0.0.0.0
nat (inside,BACKUP) dynamic interface

NO-NAT

nat (inside,any) source static BRANCH-SUBNETS BRANCH-SUBNETS destination static CORE-SUBNETS CORE-SUBNETS

SLA config:

sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface PRIMARY
sla monitor schedule 123 life forever start-time now
track 2 rtr 123 reachability     – Track object 2 follows the reachability result of SLA 123

route PRIMARY 0.0.0.0 0.0.0.0 1.1.1.1 1 track 2  – The track statement maps that SLA to the route; the route is withdrawn when the SLA fails

route BACKUP 0.0.0.0 0.0.0.0 <backup-gateway> 250     – Floating static – the backup ISP's gateway with a high administrative distance makes this a backup route. I set the distance to 250

VPN CONFIG:

access-list VPN-to-CORE permit ip object-group BRANCH-SUBNETS object-group CORE-SUBNETS

crypto ipsec ikev1 transform-set AES256SHA esp-aes-256 esp-sha-hmac

Primary Crypto

crypto map BRANCH-MAP 100 match address VPN-to-CORE
crypto map BRANCH-MAP 100 set peer 3.3.3.1
crypto map BRANCH-MAP 100 set ikev1 transform-set AES256SHA
crypto map BRANCH-MAP 100 set security-association lifetime seconds 28800

crypto ikev1 enable PRIMARY

crypto map BRANCH-MAP interface PRIMARY

BACKUP Crypto MAP

crypto map BRANCH-MAP-BK 100 match address VPN-to-CORE
crypto map BRANCH-MAP-BK 100 set peer 3.3.3.1
crypto map BRANCH-MAP-BK 100 set ikev1 transform-set AES256SHA
crypto map BRANCH-MAP-BK 100 set security-association lifetime seconds 28800
crypto map BRANCH-MAP-BK interface BACKUP

crypto ikev1 enable BACKUP

crypto ikev1 policy 10
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400

Tunnel Group

tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 ipsec-attributes
ikev1 pre-shared-key password

 

Core Config:

object-group network CORE-SUBNETS        — Object group for Core subnets
network-object 10.0.0.0 255.255.255.0
network-object 192.168.0.0 255.255.255.0
object-group network BRANCH-SUBNETS    — Object group for Branch subnets
network-object 192.168.18.0 255.255.255.0

NO-NAT

nat (inside,any) source static BRANCH-SUBNETS BRANCH-SUBNETS destination static CORE-SUBNETS CORE-SUBNETS

VPN CONFIG:

access-list VPN-to-BRANCH permit ip object-group CORE-SUBNETS object-group BRANCH-SUBNETS

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto map outside_map 100 match address VPN-to-BRANCH
crypto map outside_map 100 set peer 1.1.1.10 2.2.2.10              —Notice both IPs: the core accepts either branch address as the peer
crypto map outside_map 100 set ikev1 transform-set ESP-AES-256-SHA-TRANS
crypto map outside_map 100 set reverse-route

crypto ikev1 enable outside

crypto map outside_map interface outside

crypto ikev1 policy 10
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400

tunnel-group 1.1.1.10 type ipsec-l2l
tunnel-group 1.1.1.10 ipsec-attributes
ikev1 pre-shared-key password

tunnel-group 2.2.2.10 type ipsec-l2l
tunnel-group 2.2.2.10 ipsec-attributes
ikev1 pre-shared-key password

Cisco ASA VPN Spoke to Spoke communication in 8.3 and later

This configuration was in ASA 8.4

Spoke-to-spoke communication has always been easy with ASA site-to-site VPNs. As long as your crypto ACL includes the remote subnets and the no-NAT statements are in place, everything pretty much works.

The other day I had an issue getting it to work. After some research I was still struggling. All of my remote sites were in my crypto ACL, my VPN to the hub was up and working, and any subnet behind the hub was reachable, but subnets behind the other IPsec tunnels terminating on the hub were not. See the rough sketch of the network below.

diagram

I checked the NAT statements and they looked fine, but my traffic was not flowing. I decided to debug via ASDM, and this is the error I received.

asdm-error

Routing failed to locate next hop for ICMP, followed by my outside (Louisville) and inside (Italy) addresses.

Other examples are:

Routing failed to locate next hop for TCP, followed by my outside (Louisville) and inside (Italy) addresses.

Routing failed to locate next hop for UDP, followed by my outside (Louisville) and inside (Italy) addresses.

Well, 192.168.17.0/24 does not live inside my firewall; it is reached through the outside (US-Signal) interface via the VPN. Boom, that's when it clicked. My NAT statement was wrong, well not wrong, just missing. Since these flows arrive on my outside interface and then leave through that same outside interface, I need a NAT statement whose source and destination interface are both US-Signal.

A few things to note about the statement below: I put it at the top of my manual NAT entries, and notice the interface pair, both are US-Signal, my outside interface.

object network Louisville-Subnet
 subnet 10.26.0.0 255.255.0.0

object network Italy-Subnet
 subnet 192.168.17.0 255.255.255.0

nat (US-Signal,US-Signal) source static Louisville-Subnet Louisville-Subnet destination static Italy-Subnet Italy-Subnet no-proxy-arp route-lookup

As soon as I added this statement everything worked great. All of my spoke to spoke communication flowed through the hub perfectly.
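The ASDM message above is the syslog %ASA-6-110003 event. The following Python script is an added example (not from the original post) that reads such lines from a log export and separates the spoke-to-spoke hairpin case, where the ingress and egress interface are the same, from an ordinary missing route. The log lines are constructed; the pointer to same-security-traffic permit intra-interface is the ASA setting that allows traffic to re-exit the interface it arrived on.

```python
import re
from collections import Counter

# %ASA-6-110003 is the syslog form of the ASDM message quoted above:
# "Routing failed to locate next hop for <proto> from <if>:<ip>/<port> to <if>:<ip>/<port>"
LOG_RE = re.compile(
    r"%ASA-6-110003: Routing failed to locate next hop for (?P<proto>\S+) "
    r"from (?P<sif>[^:]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dif>[^:]+):(?P<dip>[\d.]+)/(?P<dport>\d+)")

# Constructed sample log: two hairpin failures on the hub's outside interface
# (spoke-to-spoke via the hub), one ordinary missing route, and unrelated noise.
SAMPLE_LOGS = """\
%ASA-6-110003: Routing failed to locate next hop for ICMP from US-Signal:10.26.4.20/0 to US-Signal:192.168.17.15/0
%ASA-6-110003: Routing failed to locate next hop for TCP from US-Signal:10.26.4.20/51022 to US-Signal:192.168.17.15/443
%ASA-6-110003: Routing failed to locate next hop for UDP from inside:10.1.1.9/53111 to outside:203.0.113.7/53
%ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.7/443 to inside:10.1.1.9/50001 duration 0:00:05 bytes 812 TCP FINs
"""

def parse_next_hop_failures(log_text):
    """Extract 110003 events; 'hairpin' means the flow enters and must leave the same interface."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            e["kind"] = "hairpin" if e["sif"] == e["dif"] else "no-route"
            events.append(e)
    return events

def triage(events):
    """Group events by kind, interfaces and addresses, and say what to check for each group."""
    counts = Counter((e["kind"], e["sif"], e["dif"], e["sip"], e["dip"]) for e in events)
    report = []
    for (kind, sif, dif, sip, dip), n in counts.most_common():
        if kind == "hairpin":
            report.append(f"{n}x hairpin on {sif}: {sip} -> {dip}; spoke-to-spoke via this hub needs "
                          f"an identity nat ({sif},{sif}) rule for both subnets with route-lookup, "
                          f"plus same-security-traffic permit intra-interface")
        else:
            report.append(f"{n}x no route to {dip} out {dif} for flow from {sif}:{sip}")
    return report
```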


Cisco ASA 8.4+ manual nat – the only way to nat!

Before learning more about Manual NAT, or "Twice NAT", I would use individual object NAT (Auto NAT) for my incoming services, and Manual NAT only for my no-NAT rules or when I had to NAT VPN traffic before encryption (policy NAT).

Recently, though, I started using it for everything. Once you get the hang of it, it is much more applicable to everyday NAT needs.

Something to note about Manual NAT:

  • Processed before Auto NAT (the nat command under an object)
  • Matches on the source alone, or on source and destination together (policy NAT)
    • For example: I need to NAT traffic to this IP only when it goes to this network
  • Configured directly from global config
  • Uses objects only; you cannot specify IP addresses directly
  • Can be placed after Auto NAT (section 3) if you choose

Let's get started with a few examples. The examples covered are:

Static NAT – Public address/server to Private address/service

Group/Range of services forwarded into private server

Port redirection

Dynamic NAT

Policy Based Nat

Something to always note: firmware 8.3 and above requires you to reference the private (real) IP address of the destination in your ACLs, not the public (NATted) address.

Static NAT – Public address/server to Private address/service

Let's say my internal web server is at 10.20.20.10. The external IP I am using is 23.4.3.10. I want to NAT in only HTTP (port 80) traffic to my server. No problem.

Let's create our service and address objects.

object service OBJ-TCP-80
 service tcp source eq 80

object network OBJ-10.20.20.10
 host 10.20.20.10
object network OBJ-23.4.3.10
 host 23.4.3.10

Great! Now let's create our manual NAT rule to allow that traffic in.

nat (inside,outside) source static OBJ-10.20.20.10 OBJ-23.4.3.10 service OBJ-TCP-80 OBJ-TCP-80

That's it. We would then create our ACL to allow traffic to the private host (remember that, a big change in 8.3), and we are done. Our traffic would be NATted from the public address to the private host on port 80.

The next example is a 1-to-1 NAT from our private object created above to our public object, also created above.

nat (inside,outside) source static OBJ-10.20.20.10 OBJ-23.4.3.10

Modify the ACL to allow traffic to 10.20.20.10 and traffic should make it to the host.

 

Forward in a group or range of services

In this example we will forward in a group of services, let's say HTTP, HTTPS and SSH, still using our private/public hosts. You have two options: create a service group made up of existing service objects, or create a group of inline service-objects. In the example below I create a group of predefined objects, because I end up with so many different group combinations.

object service OBJ-TCP-80
 service tcp source eq 80

object service OBJ-TCP-443
 service tcp source eq 443

object service OBJ-TCP-22
 service tcp source eq 22

object-group service Web-services
group-object OBJ-TCP-80
group-object OBJ-TCP-443
group-object OBJ-TCP-22

object network OBJ-10.20.20.10
 host 10.20.20.10
object network OBJ-23.4.3.10
 host 23.4.3.10

So now our NAT rule:

nat (inside,outside) source static OBJ-10.20.20.10 OBJ-23.4.3.10 service Web-services Web-services

 

Port redirection

Sometimes we need a port such as 8080 on the outside to reach our web server on the inside at port 80. The example below shows how: we forward port 8080 on our public IP to port 80 on our private web server. First we create the objects for the services and the network addresses, then apply the NAT rule, and don't forget the ACL. To help visualise what is happening, look at the format of the rule:

nat (source-interface,destination-interface) source static <private-IP-object> <public-IP-object> service <private-service-object> <public-service-object>

object service OBJ-TCP-80
 service tcp source eq 80

object service OBJ-TCP-8080
 service tcp source eq 8080

object network OBJ-10.20.20.10
 host 10.20.20.10
object network OBJ-23.4.3.10
 host 23.4.3.10

So now our nat rule:
nat (inside,outside) source static OBJ-10.20.20.10 OBJ-23.4.3.10 service OBJ-TCP-80 OBJ-TCP-8080

 

Dynamic NAT

I usually do this through Auto NAT, but you can most definitely do it through Manual NAT.

object network OBJ-10.0.0.0/8
 subnet 10.0.0.0 255.0.0.0

nat (inside,outside) source dynamic OBJ-10.0.0.0/8 interface

You could also specify “any” instead of the internal address object, or specify the public IP you want to be natted to instead of “interface”.

 

Policy Based manual NAT

Manual NAT is, I believe, the only way policy-based NAT is done. You would use this if you had to NAT traffic to some other IP only when it goes to a certain destination address. In this example, let's say we need to NAT traffic from 10.0.0.0/8 into 1.1.1.1 when going to destination 3.3.3.3. This comes up a lot in healthcare, when both sides need to NAT into a public address so there are no address conflicts.

Let's first create our objects, then our NAT rule.

object network OBJ-10.0.0.0/8
 subnet 10.0.0.0 255.0.0.0
object network OBJ-3.3.3.3
 host 3.3.3.3
object network OBJ-1.1.1.1
 host 1.1.1.1

So now our nat rule:

nat (inside,outside) source static OBJ-10.0.0.0/8 OBJ-1.1.1.1 destination static OBJ-3.3.3.3 OBJ-3.3.3.3

This reads: whenever 10.0.0.0/8 is going to 3.3.3.3, NAT 10.0.0.0/8 into 1.1.1.1. This template might help:

nat (inside,outside) source static Private-IP Natted-IP destination static Real-destination Natted-Destination

So, if this was used for a VPN, you would create a crypto ACL whose source is your Natted-IP and whose destination is 3.3.3.3, or whatever address lives across the tunnel that you set as your NAT destination.
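To make the first-match ordering and the policy condition concrete, here is an added Python model (example code, not from this post or from Cisco) of a walk through three manual NAT lines of the kind shown above: a no-NAT identity rule for VPN traffic, the policy rule from this section, and a catch-all PAT to the outside interface. The rule table, the addresses and the outside IP 203.0.113.1 are constructed, and only the manual NAT section is modelled, not the Auto NAT pass that follows it.

```python
import ipaddress

def ipn(text):
    return ipaddress.ip_network(text, strict=False)

# Constructed model of three manual NAT lines, in the order they sit in the config.
# Each entry mirrors one "nat (inside,outside) source ... [destination ...]" command;
# dst=None means the rule has no destination clause (plain source NAT).
RULES = [
    # nat (inside,outside) source static LAN LAN destination static VPN-REMOTE VPN-REMOTE   (no-NAT)
    dict(src=ipn("10.20.20.0/24"), msrc=ipn("10.20.20.0/24"),
         dst=ipn("10.100.2.0/24"), mdst=ipn("10.100.2.0/24")),
    # nat (inside,outside) source static OBJ-10.0.0.0/8 OBJ-1.1.1.1 destination static OBJ-3.3.3.3 OBJ-3.3.3.3
    dict(src=ipn("10.0.0.0/8"), msrc=ipn("1.1.1.1/32"),
         dst=ipn("3.3.3.3/32"), mdst=ipn("3.3.3.3/32")),
    # nat (inside,outside) source dynamic OBJ-10.0.0.0/8 interface   (PAT to the outside IP, here 203.0.113.1)
    dict(src=ipn("10.0.0.0/8"), msrc=ipn("203.0.113.1/32"), dst=None, mdst=None),
]

def map_host(ip, real, mapped):
    """Static mapping keeps the host offset (1:1 subnets); a /32 mapped side collapses to one address."""
    if mapped.num_addresses == 1:
        return mapped.network_address
    return mapped.network_address + (int(ip) - int(real.network_address))

def translate(rules, src, dst):
    """First-match walk of the manual NAT table: returns (new_src, new_dst, matched_rule_index)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, r in enumerate(rules):
        if src not in r["src"]:
            continue
        if r["dst"] is not None and dst not in r["dst"]:
            continue                      # policy rule: destination condition not met, keep walking
        new_dst = map_host(dst, r["dst"], r["mdst"]) if r["dst"] is not None else dst
        return str(map_host(src, r["src"], r["msrc"])), str(new_dst), idx
    return str(src), str(dst), None       # no manual rule matched; Auto NAT would be consulted next
```

Reversing the table so the PAT line comes first is the classic mistake: the VPN subnet is then PATted before the identity rule is ever consulted, which is why the no-NAT line sits at the top.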


Cisco ASA 9.1+ Static Nat example

Below shows how to configure static NAT for a web server or some other application running on an internal host. Basically we are port forwarding port 80 from our public IP of 1.1.1.2 to port 80 of our internal IP at 10.1.1.2. In this example Auto NAT will be used; you could also use Manual NAT, which I have covered in another blog entry. This is very different from 8.2 and below: here we create an object and then modify the object with the static port forward we want. I

In this example my ASA outside IP is 1.1.1.1, and I want the web server to answer on 1.1.1.2.

object network 1.1.1.2
host 1.1.1.2
exit

object network 10.1.1.2
host 10.1.1.2
nat (inside,outside) static 1.1.1.2 service tcp 80 80

Some things to note: we could name the objects anything, I just chose to use the actual IP addresses. For example, you could use the command "object network Webserver-Outside" and use that name to reference the outside IP address.

Next, if I want to allow access to 10.1.1.2 from the outside world, I will need an ACL.

access-list Outside-In extended permit tcp any host 10.1.1.2 eq 80

access-group Outside-In in interface outside

Notice the internal IP specified in the ACL; that is there on purpose. Instead of referencing the external IP, you now reference the internal one.

What if the outside address answering for my web server is the outside IP of the ASA?

No problem, just have to modify that one NAT entry. Instead of the public NAT object we use the “interface” keyword.

object network 1.1.1.2
host 1.1.1.2
exit

object network 10.1.1.2
host 10.1.1.2
nat (inside,outside) static interface service tcp 80 80

Cisco Preshared Key recovery options

The other day I had to copy the config of an ASA and a PIX to other devices. They both had VPNs to different sites, and I had to have those keys as no one had documented them.

A few different ways to get those keys are:

ASA

Option 1: Login using ASDM and make a full backup including preshared keys

Option 2: Run the CLI command:

more system:running-config

Option 3: Copy running config to a TFTP/FTP server

PIX

The above options exist for the PIX as well. I have read that the more command will work, but it did not for me. Then I found this option to get the keys on the PIX:

Enable the HTTP server, create a username and go to https://pix-ip/config; the key is then shown in clear text.

Commands to do that:

config t

http server enable

http 0.0.0.0 0.0.0.0 inside

username admin password password

Then go to the web interface.

 

Cisco ASA IPSEC site to site VPN IOS 8.3+

There are multiple parts to the IPsec site-to-site VPN config.

– Create access list to specify what will be encrypted

– Create access list to specify what should go over the VPN, and not be natted

– Create Phase 1 (IKE) settings and apply it to the selected interface.

– Create our transformation set (what encryption settings we will use for phase 2).

– Create Phase 2 (ESP) settings otherwise known as a Crypto map.

– Apply Crypto map settings specifying interface.

– Create the tunnel object for peer.

 

Config:

ASA 1 Core

Create Objects

First create the objects representing what will be found on each side of the VPN.

config t

object network Local-Subnet
 subnet 10.100.1.0 255.255.255.0

object network Remote-Subnet
 subnet 10.100.2.0 255.255.255.0

 

Encryption Access-list

Next, I will create the access list that tells the firewall what to encrypt.

access-list VPN-to-Remote extended permit ip object Local-Subnet object Remote-Subnet

Now we need to make sure this traffic is not NATted on its way out of our WAN interface, and that the firewall knows to send it over the VPN. We do this with a "no-NAT" statement. This is different from 8.2 and below; we specify it with a different kind of NAT statement.

No NAT

nat (inside,outside) source static Local-Subnet Local-Subnet destination static Remote-Subnet Remote-Subnet

 

IKE Settings

Now it's time for the VPN settings!

First, let's create our IKE settings and enable IKEv1 on the outside interface.

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

 

Create the IPSEC transformation

crypto ipsec ikev1 transform-set transfrom esp-3des esp-sha-hmac

 

Crypto MAP (Phase 2)

Now lets create our Crypto map and put it all together.

crypto map VPN 10 match address VPN-to-Remote
crypto map VPN 10 set pfs
crypto map VPN 10 set peer 1.1.1.2
crypto map VPN 10 set ikev1 transform-set transfrom
crypto map VPN 10 set security-association lifetime seconds 28800
crypto map VPN 10 set security-association lifetime kilobytes 4608000

There are a few optional settings, such as the lifetime; by default it is 28800 seconds. In this config I am just making it explicit. You can also set "reverse-route", which adds a route to the remote subnet to the routing table so you can advertise it in a routing protocol.

We will also need to apply the Crypto map to the interface.

crypto map VPN interface outside

 

Tunnel Group/PSK

Our last step is to create the tunnel group with our Peer IP/DNS name and set the PSK.

tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 ikev1 pre-shared-key presharedkey

 

Below is the config for the remote side.

config t

object network Local-Subnet
 subnet 10.100.2.0 255.255.255.0

object network Core-Subnet
 subnet 10.100.1.0 255.255.255.0

access-list VPN-to-Core extended permit ip object Local-Subnet object Core-Subnet

nat (inside,outside) source static Local-Subnet Local-Subnet destination static Core-Subnet Core-Subnet

crypto ipsec ikev1 transform-set transfrom esp-3des esp-sha-hmac

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto map VPN 10 match address VPN-to-Core
crypto map VPN 10 set pfs
crypto map VPN 10 set peer 1.1.1.1
crypto map VPN 10 set ikev1 transform-set transfrom
crypto map VPN 10 set security-association lifetime seconds 28800
crypto map VPN 10 set security-association lifetime kilobytes 4608000

crypto map VPN interface outside

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key presharedkey
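Both the redundant branch/core configs and the site-to-site config above are hand-typed, and the easiest way to break such a config is a dangling reference: a crypto map applied under one name and defined under another, a transform-set referenced with a slightly different name, a route that tracks an SLA with no track object, or a peer with no tunnel-group. The following Python script is an added example (not code from the original posts) that lints a config dump for exactly those cross-references. The sample config is constructed; track <id> rtr <sla-id> reachability is the ASA command that ties a track object to an SLA.

```python
import re

# Constructed sample: a branch config carrying the usual slips (map defined as BRANCH_MAP
# but applied as BRANCH-MAP, a typo'd transform-set name, and a route that tracks
# object 2 although no "track 2 rtr ..." line exists).
SAMPLE_CONFIG = """\
sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface PRIMARY
route PRIMARY 0.0.0.0 0.0.0.0 1.1.1.1 1 track 2
crypto ipsec ikev1 transform-set AES256SHA esp-aes-256 esp-sha-hmac
crypto map BRANCH_MAP 100 set peer 3.3.3.1
crypto map BRANCH_MAP 100 set ikev1 transform-set AES256SHA
crypto map BRANCH-MAP interface PRIMARY
crypto map BRANCH-MAP-BK 100 set peer 3.3.3.1
crypto map BRANCH-MAP-BK 100 set ikev1 transform-set AES256-SHA
crypto map BRANCH-MAP-BK interface BACKUP
tunnel-group 3.3.3.1 type ipsec-l2l
"""

def lint_asa_vpn(config):
    """Return human-readable findings for references that point at nothing."""
    defined_maps, applied = set(), {}          # map names seen; interface -> map applied there
    transform_sets, ts_refs = set(), []        # defined transform-sets; (map, set) references
    peer_refs, tunnel_groups = [], set()       # (map, peer) references; ipsec-l2l tunnel-groups
    track_refs, tracks = {}, set()             # track id -> route line; defined track ids
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"crypto map (\S+) \d+ set ikev1 transform-set (\S+)", line):
            defined_maps.add(m[1]); ts_refs.append((m[1], m[2]))
        elif m := re.match(r"crypto map (\S+) \d+ set peer (.+)", line):
            defined_maps.add(m[1]); peer_refs += [(m[1], p) for p in m[2].split()]
        elif m := re.match(r"crypto map (\S+) \d+ ", line):
            defined_maps.add(m[1])
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            applied[m[2]] = m[1]
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) ", line):
            transform_sets.add(m[1])
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            tunnel_groups.add(m[1])
        elif m := re.match(r"route \S+ \S+ \S+ \S+ \d+ track (\d+)", line):
            track_refs[m[1]] = line
        elif m := re.match(r"track (\d+) rtr \d+ reachability", line):
            tracks.add(m[1])
    findings = []
    for iface, cmap in applied.items():
        if cmap not in defined_maps:
            findings.append(f"{iface}: crypto map '{cmap}' is applied but never defined")
    for cmap in sorted(defined_maps - set(applied.values())):
        findings.append(f"crypto map '{cmap}' is defined but not applied to any interface")
    for cmap, ts in ts_refs:
        if ts not in transform_sets:
            findings.append(f"crypto map '{cmap}': transform-set '{ts}' does not exist")
    for cmap, peer in peer_refs:
        if peer not in tunnel_groups:
            findings.append(f"crypto map '{cmap}': peer {peer} has no ipsec-l2l tunnel-group")
    for track, route in track_refs.items():
        if track not in tracks:
            findings.append(f"'{route}' tracks object {track}, which is never defined")
    return findings
```

Run it against the output of "more system:running-config" (which, unlike show running-config, does not mask keys, so handle the dump accordingly) before pushing a change to the peer side.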

Cisco ASA Packet capture

Within the Cisco ASA you can capture packets from the CLI or from ASDM. Here I demonstrate the CLI method. You can find the ASDM method under Wizards – Packet Capture.

The other day I had a bot on an internal client that would start communicating at strange hours, so it was hard to get information without a syslog server. I created an ACL on the ASA matching the destination IP and then started a capture to collect all traffic going to that destination. Below are the steps.

1. Create ACL to grab traffic you want to capture

access-list Botnet extended permit ip any host x.x.x.x

2. Start the capture to grab the ACL traffic

capture Botnet-traffic interface inside access-list Botnet

3. Check the traffic capture:

show capture Botnet-traffic

All commands shown below:

config t

access-list Botnet extended permit ip any host x.x.x.x
capture Botnet-traffic interface inside access-list Botnet

show capture Botnet-traffic