Tag Archives: ASA
Redundant Cisco ASA VPN scenario
Posted on September 28, 2017
Cisco ASAs (the pre-X series models) are still extremely common.
This entry describes a redundant VPN setup with two ISPs on the branch firewall (Cisco ASA 5505) and one ISP on the datacenter/hub side (Cisco ASA 5510).
The branch office has a cable connection as its primary ISP and a 4G Cradlepoint as backup. We will use an SLA to track the Internet status of the cable connection, and a floating static route to control the priority of the backup route.
The idea on the branch side is that two different crypto maps exist, one applied to each interface. If the SLA fails and withdraws the primary default route, traffic starts going out of the backup connection, which has the backup crypto map applied. When the primary interface comes back up, traffic goes back over the crypto map applied to it. This way we do not get flip-flopping VPNs, and it avoids the problem of applying one crypto map to two different interfaces.

CONFIG
Branch ASA:
interface Vlan2
nameif PRIMARY
security-level 0
ip address 1.1.1.10 255.255.255.0
!
interface Vlan12
nameif BACKUP
security-level 0
ip address 2.2.2.10 255.255.255.0
Object group for the core subnets:
object-group network CORE-SUBNETS
network-object 10.0.0.0 255.255.255.0
network-object 192.168.0.0 255.255.255.0
Object group for the branch subnets:
object-group network BRANCH-SUBNETS
network-object 192.168.18.0 255.255.255.0
NAT for the primary Internet connection (the object covers any inside host):
object network Any-Cable
subnet 0.0.0.0 0.0.0.0
nat (inside,PRIMARY) dynamic interface
NAT for the backup Internet connection:
object network Any-Backup
subnet 0.0.0.0 0.0.0.0
nat (inside,BACKUP) dynamic interface
NO-NAT (VPN traffic is exempt whichever interface it leaves on):
nat (inside,any) source static BRANCH-SUBNETS BRANCH-SUBNETS destination static CORE-SUBNETS CORE-SUBNETS
SLA config:
sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface PRIMARY
sla monitor schedule 123 life forever start-time now
track 2 rtr 123 reachability
route PRIMARY 0.0.0.0 0.0.0.0 1.1.1.1 1 track 2
route BACKUP 0.0.0.0 0.0.0.0 <BACKUP-GATEWAY-IP> 250
The track statement maps SLA 123 to the primary default route: the route stays installed only while the echo to 8.8.8.8 succeeds. The BACKUP route is a floating static, which is what makes it the backup route; I set its distance to 250 so it is only used once the tracked primary route is withdrawn. Substitute the backup ISP's gateway for <BACKUP-GATEWAY-IP>.
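To make the failover and failback behaviour concrete, here is a small added Python model (not from the original post and not Cisco software) of how the tracked default route and the floating static interact, and which crypto map the branch traffic ends up using. It takes the distances and the interface-to-crypto-map pairing from the config above; the BACKUP next hop is a placeholder, and treating a single failed probe as "track down" is an assumption (on the real box that depends on the sla monitor frequency and timeout).

```python
"""Model of how the branch ASA picks its default route: the tracked static route
(distance 1) is installed only while the SLA target answers, and the floating
static route (distance 250) takes over as soon as the tracked route is withdrawn.
Added illustration, not code from the original post and not Cisco software.
The interface-to-crypto-map mapping and the distances come from the post's
config; the BACKUP next hop is a placeholder, and "one failed probe marks the
track down" is an assumption (on the ASA that depends on the sla monitor timers)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Track:
    """'track 2 rtr 123 reachability': state follows the most recent probe."""
    sla_id: int
    up: bool = True

    def probe(self, target_replied: bool) -> bool:
        self.up = target_replied
        return self.up


@dataclass(frozen=True)
class StaticRoute:
    interface: str
    next_hop: str
    distance: int                  # administrative distance, lower is preferred
    track: Optional[int] = None    # installed only while this track object is up


class Rib:
    """Static routes plus the track objects that gate them."""

    def __init__(self, routes: List[StaticRoute], tracks: Dict[int, Track]):
        self.routes, self.tracks = routes, tracks

    def installed(self) -> List[StaticRoute]:
        return [r for r in self.routes if r.track is None or self.tracks[r.track].up]

    def best_default(self) -> Optional[StaticRoute]:
        # Among installed candidates the lowest distance wins, exactly as with a
        # floating static: the 250 route is only chosen once the 1 route is gone.
        cands = self.installed()
        return min(cands, key=lambda r: r.distance) if cands else None


# Each interface carries its own crypto map, so the egress interface alone
# decides which map (and therefore which VPN source address) the traffic uses.
CRYPTO_MAP_BY_INTERFACE = {"PRIMARY": "BRANCH-MAP", "BACKUP": "BRANCH-MAP-BK"}


def branch_rib() -> Rib:
    """The two default routes from the post's branch config."""
    routes = [
        StaticRoute("PRIMARY", "1.1.1.1", 1, track=2),      # route PRIMARY 0.0.0.0 0.0.0.0 1.1.1.1 1 track 2
        StaticRoute("BACKUP", "<BACKUP-GATEWAY-IP>", 250),  # floating static; next hop is a placeholder
    ]
    return Rib(routes, {2: Track(sla_id=123)})


def simulate(probe_results: List[bool]) -> List[str]:
    """Feed a sequence of SLA probe outcomes (True = 8.8.8.8 replied) and return
    the crypto map in use after each one."""
    rib = branch_rib()
    in_use = []
    for replied in probe_results:
        rib.tracks[2].probe(replied)
        in_use.append(CRYPTO_MAP_BY_INTERFACE[rib.best_default().interface])
    return in_use


if __name__ == "__main__":
    # primary up, two failed probes (fail over), primary answers again (fail back)
    print(simulate([True, False, False, True]))
```

On the ASA itself the equivalent checks are `show track 2`, `show sla monitor operational-state 123` and `show route`, which tell you which default route is installed at the moment and therefore which crypto map the VPN traffic is hitting.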
VPN CONFIG:
access-list VPN-to-CORE permit ip object-group BRANCH-SUBNETS object-group CORE-SUBNETS
crypto ipsec ikev1 transform-set AES256SHA esp-aes-256 esp-sha-hmac
Primary crypto map:
crypto map BRANCH-MAP 100 match address VPN-to-CORE
crypto map BRANCH-MAP 100 set peer 3.3.3.1
crypto map BRANCH-MAP 100 set ikev1 transform-set AES256SHA
crypto map BRANCH-MAP 100 set security-association lifetime seconds 28800
crypto ikev1 enable PRIMARY
crypto map BRANCH-MAP interface PRIMARY
Backup crypto map:
crypto map BRANCH-MAP-BK 100 match address VPN-to-CORE
crypto map BRANCH-MAP-BK 100 set peer 3.3.3.1
crypto map BRANCH-MAP-BK 100 set ikev1 transform-set AES256SHA
crypto map BRANCH-MAP-BK 100 set security-association lifetime seconds 28800
crypto map BRANCH-MAP-BK interface BACKUP
crypto ikev1 enable BACKUP
crypto ikev1 policy 10
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
Tunnel Group
tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 ipsec-attributes
ikev1 pre-shared-key password
Core Config:
Object group for the core subnets:
object-group network CORE-SUBNETS
network-object 10.0.0.0 255.255.255.0
network-object 192.168.0.0 255.255.255.0
Object group for the branch subnets:
object-group network BRANCH-SUBNETS
network-object 192.168.18.0 255.255.255.0
NO-NAT (on the hub the real side is the core subnets):
nat (inside,any) source static CORE-SUBNETS CORE-SUBNETS destination static BRANCH-SUBNETS BRANCH-SUBNETS
VPN CONFIG:
access-list VPN-to-BRANCH permit ip object-group CORE-SUBNETS object-group BRANCH-SUBNETS
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto map outside_map 100 match address VPN-to-BRANCH
crypto map outside_map 100 set peer 1.1.1.10 2.2.2.10
crypto map outside_map 100 set ikev1 transform-set ESP-AES-256-SHA-TRANS
crypto map outside_map 100 set reverse-route
Notice that both branch IPs are listed as peers on the one crypto map entry, so the hub accepts the tunnel from whichever branch interface is active.
crypto ikev1 enable outside
crypto map outside_map interface outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
tunnel-group 1.1.1.10 type ipsec-l2l
tunnel-group 1.1.1.10 ipsec-attributes
ikev1 pre-shared-key password
tunnel-group 2.2.2.10 type ipsec-l2l
tunnel-group 2.2.2.10 ipsec-attributes
ikev1 pre-shared-key password
Cisco ASA VPN Spoke to Spoke communication in 8.3 and later
Posted on May 16, 2016
This configuration was done on ASA 8.4.
Spoke-to-spoke communication has always been super easy in ASA site-to-site VPNs. As long as your crypto ACL has the remote subnets in it and the NO-NAT statements are there, everything pretty much works.
The other day I had an issue getting it to work. After some research I was still struggling. All of my remote sites were in my crypto ACL, my VPN was up and working to the hub, and any subnet behind the hub would work, but access to the other IPsec tunnels terminating on the hub was not working. See the rough sketch of the network below.

I checked the NAT statements, and they looked great, but my traffic was not flowing. I decided to debug via ASDM; this is the error I received.
Routing failed to locate next hop for ICMP, followed by my outside (Louisville) and inside (Italy) addresses.
Other examples are:
Routing failed to locate next hop for TCP, followed by my outside (Louisville) and inside (Italy) addresses.
Routing failed to locate next hop for UDP, followed by my outside (Louisville) and inside (Italy) addresses.
Well, 192.168.17.0/24 does not live inside my firewall; it is reached through the outside (US-Signal) interface via the VPN. Boom, that's when it clicked. My NAT statement was not wrong, just missing. Since these connections come in on my outside interface and then go back out through my outside interface, I need to create the NAT statement with the source interface and the destination interface both being US-Signal.
A few things to note about the statement below: I put it at the top of my manual NAT entries, and notice the interfaces, both are US-Signal, my outside interface.
object network Louisville-Subnet
subnet 10.26.0.0 255.255.0.0
object network Italy-Subnet
subnet 192.168.17.0 255.255.255.0
nat (US-Signal,US-Signal) source static Louisville-Subnet Louisville-Subnet destination static Italy-Subnet Italy-Subnet no-proxy-arp route-lookup
As soon as I added this statement everything worked great. All of my spoke-to-spoke communication flowed through the hub perfectly.
Cisco ASA 8.4+ manual nat – the only way to nat!
Posted on March 23, 2016
Before learning more about Manual NAT (or "Twice NAT") I would use individual object NAT (Auto NAT) for my incoming services, and Manual NAT only for my No-NAT rules or when I had to NAT VPN traffic before encryption (Policy NAT).
Recently, though, I started using it for everything. Once you get the hang of it, it is much more applicable to everyday NAT needs.
Some things to note about Manual NAT:
- Processed before Auto NAT (the nat command under an object)
- Matches on source alone, or on source and destination together (Policy NAT); for example, NAT this traffic to this IP only when it goes to this network
- Configured directly from global config
- Uses objects only; you cannot specify IP addresses directly
- Can be told to come after Auto NAT (after-auto)
Let's get started with a few examples. A list of all examples is below:
Static NAT – Public address/server to Private address/service
Group/Range of services forwarded into private server
Port redirection
Dynamic NAT
Policy Based Nat
Something to always note: 8.3 and above require you to specify the private (real) IP address of the destination in your access lists, not the public (NATted) address.
Static NAT – Public address/server to Private address/service
Let's say my internal web server is at 10.20.20.10 and the external IP I am using is 23.4.3.10. I want to NAT in only HTTP (80) traffic to my server. No problem.
Let's create our address and service objects:
object service OBJ-TCP-80
service tcp source eq 80
object network OBJ-10.20.20.10
host 10.20.20.10
object network OBJ-23.4.3.10
host 23.4.3.10
Great! Now let's create our Manual NAT rule to allow that traffic in.
nat (inside,outside) source static OBJ-10.20.20.10 OBJ-23.4.3.10 service OBJ-TCP-80 OBJ-TCP-80
That's it. We would then create our ACL to allow traffic to the private host (remember that, it is a big change in 8.3) and we are done. Our traffic would be NATted from the public address to the private address on port 80.
The next example is a 1-to-1 NAT from our private object created above to our public object, also created above.
nat (inside,outside) source static OBJ-10.20.20.10 OBJ-23.4.3.10
Modify the ACL to allow traffic to 10.20.20.10 and traffic should make it to the host.
Forward in a group or range of services
In this example we will forward in a group of services, let's say HTTP, HTTPS and SSH, still using our local/public hosts. You have two options: create a service group of existing service objects, or create a group of service-objects. In the example below I create a group of predefined objects, since there are so many different configurations of groups.
object service OBJ-TCP-80
service tcp source eq 80
object service OBJ-TCP-443
service tcp source eq 443
object service OBJ-TCP-22
service tcp source eq 22
object-group service Web-services
group-object OBJ-TCP-80
group-object OBJ-TCP-443
group-object OBJ-TCP-22
object network OBJ-10.20.20.10
host 10.20.20.10
object network OBJ-23.4.3.10
host 23.4.3.10
So now our NAT rule:
nat (inside,outside) source static OBJ-10.20.20.10 OBJ-23.4.3.10 service Web-services Web-services
Port redirection
Sometimes we need to make a port such as 8080 on the outside go to our web server on the inside at port 80. The example below shows how to do that: we will forward in port 8080 on our public IP to port 80 on our private web server. First we create the objects for the service and network addresses, then apply the NAT rule, and don't forget the ACL. To help visualize what is happening, look at the format of the rule:
nat (source interface,destination interface) source static <private (real) IP object> <NATted (public) IP object> service <private-service> <public-service>
object service OBJ-TCP-80
service tcp source eq 80
object service OBJ-TCP-8080
service tcp source eq 8080
object network OBJ-10.20.20.10
host 10.20.20.10
object network OBJ-23.4.3.10
host 23.4.3.10
So now our nat rule:
nat (inside,outside) source static OBJ-10.20.20.10 OBJ-23.4.3.10 service OBJ-TCP-80 OBJ-TCP-8080
Dynamic NAT
I usually do this through Auto NAT, but you can most definitely do it through Manual NAT.
object network OBJ-10.0.0.0/8
subnet 10.0.0.0 255.0.0.0
nat (inside,outside) source dynamic OBJ-10.0.0.0/8 interface
You could also specify "any" instead of the internal address object, or specify the public IP object you want to be NATted to instead of "interface".
Policy Based manual NAT
Manual NAT is, I believe, the only way policy-based NAT is done. You would use it when you have to NAT traffic to some other IP only when it is going to a certain destination address. In this example, let's say we need to NAT traffic from 10.0.0.0/8 into 1.1.1.1 when it goes to destination 3.3.3.3. This comes up a lot in healthcare, where both sides need to NAT into a public address so there are no address conflicts.
Let's first create our objects, then our NAT rule.
object network OBJ-10.0.0.0/8
subnet 10.0.0.0 255.0.0.0
object network OBJ-3.3.3.3
host 3.3.3.3
object network OBJ-1.1.1.1
host 1.1.1.1
So now our NAT rule:
nat (inside,outside) source static OBJ-10.0.0.0/8 OBJ-1.1.1.1 destination static OBJ-3.3.3.3 OBJ-3.3.3.3
This reads: whenever 10.0.0.0/8 is going to 3.3.3.3, NAT 10.0.0.0/8 into 1.1.1.1. This might help:
nat (inside,outside) source static Private-IP Natted-IP destination static Real-destination Natted-Destination
So, if this were used for a VPN, you would just create a crypto ACL whose source is your Natted-IP and whose destination is 3.3.3.3, or whatever address lives across the tunnel that you set as your NAT destination.
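The ordering rules above (manual NAT before auto NAT, policy rules that look at source and destination, service rewriting, and the same-interface rule from the spoke-to-spoke post) are easiest to see by running packets through a model of the lookup. The Python below is an added example, not code from the original posts and not Cisco software; the interface addresses, the rule list (each rule is annotated with the ASA command it stands for) and the sample packets are constructed. It goes slightly beyond the posts by also showing the reverse (inbound) direction of a static rule, which is exactly why an 8.3+ ACL has to name the real inside address.

```python
"""Toy model of the ASA 8.3+ NAT lookup behind the manual NAT examples above and
the spoke-to-spoke (US-Signal,US-Signal) rule from the earlier post.  Added
example: not code from the original posts and not Cisco software.  Interface
addresses, the rule list and the sample packets are constructed for the demo."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

IFACE_IP = {"outside": "23.4.3.1", "US-Signal": "198.51.100.1"}  # constructed

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str        # interface the packet is on: ingress before NAT, egress after
    sport: int = 40000
    dport: int = 80

@dataclass(frozen=True)
class NatRule:
    section: int                       # 1 manual, 2 auto (object NAT), 3 manual after-auto
    real_if: str
    mapped_if: str
    real_src: str                      # CIDR of the real (pre-NAT) source
    mapped_src: str                    # CIDR, or "interface" for the egress interface IP
    real_dst: Optional[str] = None     # set => policy NAT: match only for this (identity-mapped) destination
    real_port: Optional[int] = None    # "service REAL MAPPED": real source port ...
    mapped_port: Optional[int] = None  # ... and the port seen on the mapped side
    dynamic: bool = False              # dynamic PAT is one-way; static rules work in both directions

def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)

def _mapped_net(r: NatRule) -> ipaddress.IPv4Network:
    return _net(IFACE_IP[r.mapped_if] + "/32") if r.mapped_src == "interface" else _net(r.mapped_src)

def _shift(src_net, dst_net, ip: str) -> str:
    """Static net-to-net keeps the host offset; a single mapped address is many-to-one (PAT)."""
    if dst_net.num_addresses == 1:
        return str(dst_net.network_address)
    return str(dst_net.network_address +
               (int(ipaddress.ip_address(ip)) - int(src_net.network_address)))

def ordered(rules: List[NatRule]) -> List[NatRule]:
    """Section 1, then 2, then 3; sorted() is stable so config order survives inside a section."""
    return sorted(rules, key=lambda r: r.section)

def translate_outbound(rules: List[NatRule], pkt: Packet) -> Tuple[Optional[NatRule], Packet]:
    """Packet on a rule's real interface: the first match wins and rewrites the source."""
    for r in ordered(rules):
        if r.real_if != pkt.iface or ipaddress.ip_address(pkt.src) not in _net(r.real_src):
            continue
        if r.real_dst and ipaddress.ip_address(pkt.dst) not in _net(r.real_dst):
            continue
        if r.real_port is not None and pkt.sport != r.real_port:
            continue
        new_src = _shift(_net(r.real_src), _mapped_net(r), pkt.src)
        new_sport = pkt.sport if r.mapped_port is None else r.mapped_port
        return r, Packet(new_src, pkt.dst, r.mapped_if, new_sport, pkt.dport)
    return None, pkt

def translate_inbound(rules: List[NatRule], pkt: Packet) -> Tuple[Optional[NatRule], Packet]:
    """Packet on a rule's mapped interface: untranslate the destination.  This is the
    direction that makes an 8.3+ ACL reference the real (inside) address."""
    for r in ordered(rules):
        mapped, real = _mapped_net(r), _net(r.real_src)
        if r.dynamic or r.mapped_if != pkt.iface or mapped.num_addresses < real.num_addresses:
            continue  # one-way PAT, wrong interface, or many-to-one static (not reversible)
        if ipaddress.ip_address(pkt.dst) not in mapped:
            continue
        if r.real_dst and ipaddress.ip_address(pkt.src) not in _net(r.real_dst):
            continue  # policy rule: the far end must be the configured destination
        if r.mapped_port is not None and pkt.dport != r.mapped_port:
            continue
        new_dport = pkt.dport if r.real_port is None else r.real_port
        return r, Packet(pkt.src, _shift(mapped, real, pkt.dst), r.real_if, pkt.sport, new_dport)
    return None, pkt

def translate(rules: List[NatRule], pkt: Packet) -> Tuple[Optional[NatRule], Packet]:
    """One lookup: a rule can match on its real side or, for static rules, on its mapped side."""
    r, out = translate_outbound(rules, pkt)
    return (r, out) if r else translate_inbound(rules, pkt)

RULES = [
    # nat (inside,outside) source static BRANCH-SUBNETS BRANCH-SUBNETS destination static CORE-SUBNETS CORE-SUBNETS
    NatRule(1, "inside", "outside", "192.168.18.0/24", "192.168.18.0/24", real_dst="10.0.0.0/24"),
    # nat (inside,outside) source static OBJ-10.20.20.10 OBJ-23.4.3.10 service OBJ-TCP-80 OBJ-TCP-8080
    NatRule(1, "inside", "outside", "10.20.20.10/32", "23.4.3.10/32", real_port=80, mapped_port=8080),
    # nat (inside,outside) source static OBJ-10.0.0.0/8 OBJ-1.1.1.1 destination static OBJ-3.3.3.3 OBJ-3.3.3.3
    NatRule(1, "inside", "outside", "10.0.0.0/8", "1.1.1.1/32", real_dst="3.3.3.3/32"),
    # nat (US-Signal,US-Signal) source static Louisville-Subnet Louisville-Subnet destination static Italy-Subnet Italy-Subnet
    NatRule(1, "US-Signal", "US-Signal", "10.26.0.0/16", "10.26.0.0/16", real_dst="192.168.17.0/24"),
    # object network any / nat (inside,outside) dynamic interface   (auto NAT, section 2)
    NatRule(2, "inside", "outside", "0.0.0.0/0", "interface", dynamic=True),
]
# Same policy with the NO-NAT rule pushed to "after-auto" (section 3): it now loses to the PAT rule.
RULES_NONAT_AFTER_AUTO = [replace(RULES[0], section=3)] + RULES[1:]
```

Two things the model makes visible: with the NO-NAT rule in section 3 instead of section 1, VPN traffic from 192.168.18.0/24 gets PATed to the outside address and never matches the crypto ACL; and the (US-Signal,US-Signal) rule only does anything if the ASA is allowed to send traffic back out the interface it arrived on, which needs same-security-traffic permit intra-interface in addition to the NAT rule.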
Cisco ASA 9.1+ Static Nat example
Posted on February 20, 2015
Below shows how to configure static NAT for a web server or some other application running on an internal host. Basically we are port forwarding port 80 from our public IP of 1.1.1.2 to port 80 of our internal IP at 10.1.1.2. In this example Auto NAT will be used. You could also use Manual NAT; I have written another blog entry on that. This is very different from 8.2 and below: here we create an object and then modify the object with the static port forward we want.
In this example my ASA outside IP is 1.1.1.1, and I want the web server to answer on 1.1.1.2.
object network 1.1.1.2
host 1.1.1.2
exit
object network 10.1.1.2
host 10.1.1.2
nat (inside,outside) static 1.1.1.2 service tcp 80 80
Some things to note: we could name the objects anything; I just chose to use the actual IP address. For example, you could use the command "object network Webserver-Outside" and use that name to reference the outside IP address.
Next, if I want to allow access to 10.1.1.2 from the outside world, I will need an ACL.
access-list Outside-In permit tcp any host 10.1.1.2 eq 80
access-group Outside-In in interface outside
Notice the internal IP specified in the ACL; that is there on purpose. Instead of referencing the external IP, you now reference the internal one.
What if the address answering for my web server is the outside IP of the ASA itself?
No problem, we just have to modify that one NAT entry. Instead of the public NAT object we use the "interface" keyword.
object network 1.1.1.2
host 1.1.1.2
exit
object network 10.1.1.2
host 10.1.1.2
nat (inside,outside) static interface service tcp 80 80
Cisco Preshared Key recovery options
Posted on June 25, 2014
The other day I had to copy the config of an ASA and a PIX to other devices. They both had VPNs to different sites, and I had to have those keys as no one had documented them.
A few different ways to get those keys are:
ASA
Option 1: Log in using ASDM and make a full backup including pre-shared keys
Option 2: Run the CLI command:
more system:running-config
Option 3: Copy the running config to a TFTP/FTP server
PIX
The above options exist for the PIX as well. I have read that the more command will work, but it did not for me. Then I found this option to get the keys on the PIX:
Enable the HTTP server, create a username and go to https://pix-ip/config; the key is then shown in clear text.
Commands to do that:
config t
http server enable
http 0.0.0.0 0.0.0.0 inside
username admin password password
Then go to the web interface. Disable the HTTP server again once you have the keys.
Cisco ASA IPSEC site to site VPN IOS 8.3+
Posted on March 24, 2014
There are multiple parts to the IPsec site-to-site VPN config:
– Create an access list to specify what will be encrypted
– Make sure the VPN traffic is not NATted (the No-NAT statement)
– Create the Phase 1 (IKE) settings and enable IKE on the selected interface
– Create our transform set (the encryption settings we will use for Phase 2)
– Create the Phase 2 (ESP) settings, otherwise known as a crypto map
– Apply the crypto map to the interface
– Create the tunnel group for the peer
Config:
ASA 1 Core
Create Objects
First create the objects representing what will be found on each side of the VPN.
config t
object network Local-Subnet
subnet 10.100.1.0 255.255.255.0
object network Remote-Subnet
subnet 10.100.2.0 255.255.255.0
Encryption Access-list
Next I will create the access list to tell the firewall what to encrypt:
access-list VPN-to-Remote extended permit ip object Local-Subnet object Remote-Subnet
Now we need to make sure the traffic is not NATted out of our WAN interface and that the firewall knows to send it over the VPN. We do this with a "No-NAT" statement. This is different from 8.2 and below: we now specify it with a different kind of nat statement.
No NAT
nat (inside,outside) source static Local-Subnet Local-Subnet destination static Remote-Subnet Remote-Subnet
IKE Settings
Now its time for the VPN settings!
First lets create our IKE settings and enable it on the outside interface.
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Create the IPsec transform set
crypto ipsec ikev1 transform-set transform esp-3des esp-sha-hmac
Crypto MAP (Phase 2)
Now let's create our crypto map and put it all together.
crypto map VPN 10 match address VPN-to-Remote
crypto map VPN 10 set pfs
crypto map VPN 10 set peer 1.1.1.2
crypto map VPN 10 set ikev1 transform-set transform
crypto map VPN 10 set security-association lifetime seconds 28800
crypto map VPN 10 set security-association lifetime kilobytes 4608000
There are a few optional settings like the lifetime; by default it is 28800 seconds, and in this config I am just making explicit what it is set to. You can also set "reverse-route", which adds a route to the remote subnet to the routing table so you can push it out in a routing protocol.
We will also need to apply the crypto map to the interface:
crypto map VPN interface outside
Tunnel Group/PSK
Our last step is to create the tunnel group with our Peer IP/DNS name and set the PSK.
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
ikev1 pre-shared-key presharedkey
Below is the config for the remote side:
config t
object network Local-Subnet
subnet 10.100.2.0 255.255.255.0
object network Core-Subnet
subnet 10.100.1.0 255.255.255.0
access-list VPN-to-Core extended permit ip object Local-Subnet object Core-Subnet
nat (inside,outside) source static Local-Subnet Local-Subnet destination static Core-Subnet Core-Subnet
crypto ipsec ikev1 transform-set transform esp-3des esp-sha-hmac
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto map VPN 10 match address VPN-to-Core
crypto map VPN 10 set pfs
crypto map VPN 10 set peer 1.1.1.1
crypto map VPN 10 set ikev1 transform-set transform
crypto map VPN 10 set security-association lifetime seconds 28800
crypto map VPN 10 set security-association lifetime kilobytes 4608000
crypto map VPN interface outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key presharedkey
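Most site-to-site tunnels that refuse to come up fail on a mismatch between the two ends rather than on any single side being wrong, so it is worth checking the pair together before touching the boxes. The script below is an added example (not from the original post and not a Cisco tool) that parses the handful of commands used in this post from both configs and reports the mismatches that matter: crypto ACLs that are not mirror images, a crypto map pointing at an ACL or transform set that does not exist, no common phase-1 policy, and different pre-shared keys. The config strings are constructed from the settings above; REMOTE_BROKEN deliberately re-creates a crypto map that names an ACL that does not exist plus a phase-1 cipher the core does not offer.

```python
"""Consistency check for the two ends of an ASA IKEv1 site-to-site VPN such as the
core/remote pair above.  Added example, not from the original post and not a Cisco
tool: the parser covers only the commands this post uses, the config strings are
constructed from the post's settings, and REMOTE_BROKEN deliberately re-creates two
mistakes (a crypto map naming an ACL that does not exist, and a phase-1 cipher the
core does not offer)."""
import re
from typing import Dict, List

def parse_asa(text: str) -> Dict:
    """Collect the VPN-relevant pieces; sub-commands belong to the block above them."""
    cfg = {"objects": {}, "acls": {}, "policies": {}, "ts": {}, "maps": {}, "tg": {}}
    ctx = None                       # ("object" | "policy" | "tg", name) of the current block
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["object", "network"]:
            ctx = ("object", t[2])
        elif t[0] == "subnet" and ctx and ctx[0] == "object":
            cfg["objects"][ctx[1]] = f"{t[1]} {t[2]}"
        elif t[0] == "access-list":
            m = re.match(r"access-list (\S+) extended permit ip object (\S+) object (\S+)", " ".join(t))
            if m:
                cfg["acls"][m[1]] = (m[2], m[3])
        elif t[:3] == ["crypto", "ikev1", "policy"]:
            ctx = ("policy", t[3])
            cfg["policies"][t[3]] = {}
        elif ctx and ctx[0] == "policy" and t[0] in ("authentication", "encryption", "hash", "group"):
            cfg["policies"][ctx[1]][t[0]] = t[1]
        elif t[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            cfg["ts"][t[4]] = tuple(t[5:])
        elif t[:2] == ["crypto", "map"] and len(t) > 6 and t[3].isdigit():
            entry = cfg["maps"].setdefault((t[2], t[3]), {})
            if t[4] == "match":
                entry["acl"] = t[6]
            elif t[4:7] == ["set", "ikev1", "transform-set"]:
                entry["ts"] = t[7]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
        elif t[0] == "tunnel-group" and t[2] == "ipsec-attributes":
            ctx = ("tg", t[1])
            cfg["tg"].setdefault(t[1], {})
        elif t[:2] == ["ikev1", "pre-shared-key"] and ctx and ctx[0] == "tg":
            cfg["tg"][ctx[1]]["psk"] = t[2]
    return cfg

def _phase1(p: Dict) -> tuple:
    return tuple(p.get(k) for k in ("authentication", "encryption", "hash", "group"))

def check_pair(a: Dict, b: Dict) -> List[str]:
    """Findings for a core/remote pair; an empty list means the two ends agree."""
    findings, maps = [], {}
    for name, cfg in (("core", a), ("remote", b)):
        m = maps[name] = next(iter(cfg["maps"].values()), {})
        if m.get("acl") not in cfg["acls"]:
            findings.append(f"{name}: crypto map references undefined ACL {m.get('acl')}")
        if m.get("peer") not in cfg["tg"]:
            findings.append(f"{name}: no tunnel-group (pre-shared key) for peer {m.get('peer')}")
    ma, mb = maps["core"], maps["remote"]
    if ma.get("acl") in a["acls"] and mb.get("acl") in b["acls"]:
        sa, da = (a["objects"].get(o) for o in a["acls"][ma["acl"]])
        sb, db = (b["objects"].get(o) for o in b["acls"][mb["acl"]])
        if (sa, da) != (db, sb):   # what one end encrypts must be exactly what the other expects
            findings.append("crypto ACLs are not mirror images of each other")
    if a["ts"].get(ma.get("ts")) != b["ts"].get(mb.get("ts")):
        findings.append("phase-2 transform-sets differ")
    if not {_phase1(p) for p in a["policies"].values()} & {_phase1(p) for p in b["policies"].values()}:
        findings.append("no common IKEv1 phase-1 policy")
    if ma.get("peer") in a["tg"] and mb.get("peer") in b["tg"] \
            and a["tg"][ma["peer"]].get("psk") != b["tg"][mb["peer"]].get("psk"):
        findings.append("pre-shared keys differ")
    return findings

# Constructed from the post's core/remote settings; one template, filled in per side.
SIDE = """\
object network Local-Subnet
 subnet {local}
object network Peer-Subnet
 subnet {peer_net}
access-list {acl} extended permit ip object Local-Subnet object Peer-Subnet
crypto ikev1 policy 1
 authentication pre-share
 encryption {enc}
 hash sha
 group 2
crypto ipsec ikev1 transform-set TS esp-3des esp-sha-hmac
crypto map VPN 10 match address {map_acl}
crypto map VPN 10 set pfs
crypto map VPN 10 set peer {peer}
crypto map VPN 10 set ikev1 transform-set TS
tunnel-group {peer} type ipsec-l2l
tunnel-group {peer} ipsec-attributes
 ikev1 pre-shared-key presharedkey
"""
CORE_NET, REMOTE_NET = "10.100.1.0 255.255.255.0", "10.100.2.0 255.255.255.0"
CORE = SIDE.format(local=CORE_NET, peer_net=REMOTE_NET, acl="VPN-to-Remote", map_acl="VPN-to-Remote", enc="3des", peer="1.1.1.2")
REMOTE = SIDE.format(local=REMOTE_NET, peer_net=CORE_NET, acl="VPN-to-Core", map_acl="VPN-to-Core", enc="3des", peer="1.1.1.1")
REMOTE_BROKEN = SIDE.format(local=REMOTE_NET, peer_net=CORE_NET, acl="VPN-to-Remote", map_acl="VPN-to-Core", enc="aes", peer="1.1.1.1")
```

Run check_pair(parse_asa(CORE), parse_asa(REMOTE)) and you get an empty list; swap in REMOTE_BROKEN and you get the undefined-ACL and no-common-policy findings. Once the tunnel is deployed, show crypto ikev1 sa and show crypto ipsec sa on either ASA confirm that phase 1 and phase 2 actually negotiated.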
Cisco ASA Packet capture
Posted on January 14, 2014
Within the Cisco ASA you can capture packets from the CLI or from ASDM. Here I will be demonstrating the CLI method. You can find the ASDM method under Wizards > Packet Capture.
The other day I had a botnet on an internal client that would start communicating at strange hours, so it was hard to get information without a syslog server. I created an ACL within the ASA with the destination IP and then started a capture to get all traffic going to that destination. Below are the steps.
1. Create an ACL to select the traffic you want to capture:
access-list Botnet extended permit ip any host x.x.x.x
2. Start the capture on the interface, filtered by the ACL:
capture Botnet-traffic interface inside access-list Botnet
3. Check the captured traffic:
show capture Botnet-traffic
All commands shown below:
config t
access-list Botnet extended permit ip any host x.x.x.x
capture Botnet-traffic interface inside access-list Botnet
show capture Botnet-traffic
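Once the capture buffer has something in it, the interesting questions are which internal host is talking, at what hours, and whether it is beaconing on a fixed interval. The script below is an added example (not from the original post and not a Cisco tool) that parses the text show capture prints for TCP packets and summarises it by source, hour and destination port, then lists the gaps between new connections from one host. The capture lines are constructed in the format the ASA prints, and the off-hours window (00:00 to 05:59) is an assumption.

```python
"""Summarise 'show capture' output from the ASA to find which internal host is
talking to a suspect destination and when.  Added example, not from the original
post and not a Cisco tool.  The capture text below is constructed in the format
the ASA prints for TCP; the 'off hours' window (00:00-05:59) is an assumption."""
import re
from collections import Counter
from typing import Dict, List

# "   1: 02:13:55.120331       10.1.1.50.49321 > 203.0.113.9.443: S ..." -> time, endpoints, flag field
LINE = re.compile(r"^\s*\d+:\s+(\d{2}):(\d{2}):(\d{2})\.\d+\s+(\S+?)\.(\d+) > (\S+?)\.(\d+): (\S+)")

CAPTURE_OUTPUT = """\
6 packets captured

   1: 02:13:55.120331       10.1.1.50.49321 > 203.0.113.9.443: S 1958583452:1958583452(0) win 64240 <mss 1460>
   2: 02:14:55.120987       10.1.1.50.49322 > 203.0.113.9.443: S 1958590011:1958590011(0) win 64240 <mss 1460>
   3: 02:15:55.121402       10.1.1.50.49323 > 203.0.113.9.443: S 1958596570:1958596570(0) win 64240 <mss 1460>
   4: 03:02:10.004411       10.1.1.50.49324 > 203.0.113.9.443: S 1958603129:1958603129(0) win 64240 <mss 1460>
   5: 03:02:10.201877       10.1.1.50.49324 > 203.0.113.9.443: . ack 882113 win 64240
   6: 14:35:29.392337       10.1.1.51.50112 > 203.0.113.9.80: S 3321123321:3321123321(0) win 65535 <mss 1460>
6 packets shown
"""

def parse_capture(text: str) -> List[Dict]:
    """One record per packet line: time of day in seconds, endpoints and the TCP flag field."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue          # header, trailer and blank lines
        h, mi, s = int(m[1]), int(m[2]), int(m[3])
        records.append({"t": h * 3600 + mi * 60 + s, "hour": h, "src": m[4], "sport": int(m[5]),
                        "dst": m[6], "dport": int(m[7]), "flags": m[8]})
    return records

def summarize(records: List[Dict], off_hours=range(0, 6)) -> Dict:
    """Who talked, at what hour, to which port, and how much of it was outside working hours."""
    return {
        "by_src": dict(Counter(r["src"] for r in records)),
        "by_hour": dict(Counter(r["hour"] for r in records)),
        "by_dst_port": dict(Counter((r["dst"], r["dport"]) for r in records)),
        "off_hours": sum(1 for r in records if r["hour"] in off_hours),
    }

def syn_intervals(records: List[Dict], src: str) -> List[int]:
    """Seconds between successive new connections (SYNs) from one host.  A run of equal
    gaps is the beaconing pattern a bot shows.  Ignores wrap-around at midnight."""
    times = sorted(r["t"] for r in records if r["src"] == src and r["flags"] == "S")
    return [b - a for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    recs = parse_capture(CAPTURE_OUTPUT)
    print(summarize(recs))
    print(syn_intervals(recs, "10.1.1.50"))
```

For anything beyond a quick look, export the buffer as a pcap with copy /pcap capture:Botnet-traffic tftp://<server>/botnet.pcap and open it in Wireshark. The capture buffer is 512 KB by default and stops recording when full, so for a host that only talks at odd hours add the circular-buffer keyword to the capture command or size the buffer up.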