jklogic.net » James

Cisco ASA iPhone VPN Config

James — Tue, 07 Oct 2008 19:43:58 +0000

I recently purchased a shiny new iPhone 3G and wanted to be able to connect back to my house where I have a Cisco ASA 5505. I have noticed a lot of questions about how to get this to work, so here it is…

First, make sure you are running ASA Software version 8.0(3) or better. The previous versions have a bug when the iPhone connects that will boot all other users connected to the VPN.

On the ASA, we need to get the VPN configured. First, the ACLs for split-tunneling, no NAT and VPN access:

access-list RA_VPN_ACL extended permit ip any 172.30.30.0 255.255.255.0
access-list RA_VPN_SplitTunnel_ACL standard permit 172.25.25.0 255.255.255.0
access-list NoNAT_ACL extended permit ip 172.25.25.0 255.255.255.0 172.30.30.0 255.255.255.0
nat (inside) 0 access-list NoNAT_ACL

Since this config will authenticate to the local ASA, we need to have a username and password setup:

username iPhone password your_password

Now setup a DHCP pool for VPN clients:

ip local pool RA_VPN_POOL 172.30.30.100-172.30.30.200

Now create the crypto maps and apply them to the outside interface:

crypto ipsec transform-set RA_VPN_SET esp-aes esp-sha-hmac
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set reverse-route
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface outside

Setup ISAKMP:

crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20

Now create a remote access VPN policy. Make sure to add the split-dns value for your local domian. If you leave this out, the iPhone will not resolve DNS on the internal network!

group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
dns-server value DNS_Server_IP
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_VPN_SplitTunnel_ACL
split-dns value domain.local

Add the tunnel-group to allow the VPN connection:

tunnel-group RA_VPN type ipsec-ra
tunnel-group RA_VPN general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
pre-shared-key your_password

Now to configure the iPhone. First, go to Settings -> General -> Network -> VPN. Then Add VPN Configuration. Select IPSec at the top and enter your information. The Server is the IP address or hostname of the ASA. The Account is the Username you created in the config above. The Group Name is the tunnel-group name created on the ASA.

To connect the VPN, go to Settings -> VPN (this appears after you create a VPN connection). Just change the option to ON.

Once you see the VPN icon on the top bar, you are connected!

MSS Exceeded Workaround

James — Tue, 08 Apr 2008 13:40:14 +0000

After installing a new ASA 5520, I noticed that a few websites were loading very slowly or not at all. The problem seemed to be very intermittent, but reproducible by revisiting the websites at any time of the day. Browsing to the site from outside of the firewall showed the site to be responsive.

I started to watch the live log while browsing to the site and noticed packets being dropped. The log read:

Dropping TCP packet from outside: to inside: , reason: MSS exceeded, MSS 1260, data 1460

Apparently, this is a new security feature for the 7.0+ code for the ASA. Normally, the client and server send their MSS (Maximum Segment Size) while establishing the TCP connection. Once this occurs, neither the client or server should send a packet larger than their peer’s MSS. However, some HTTP servers do not recognize the MSS and send packets that are too large, and are thus dropped by the ASA.

The workaround for this is to allow the firewall to pass the packets whose data exceeds the MSS. Let’s say the server causing the problems ip is 192.168.10.9. First, create and access-list for any host accessing that server.

access-list MSS_Exceeded_ACL permit tcp any host 192.168.10.9

And then create a class map.

class-map MSS_Exceeded_MAP
match access-list MSS_Exceeded_ACL
exit
tcp-map mss-map
exceeded mss allow

Create the policy map.

policy-map MSS_Exceeded_MAP
class MSS_Exceeded_MAP
set connection advanced-options mss-map

Apply the map to the outside interface.

service-policy MSS_Exceeded_MAP interface outside

If there is more than one site, just add the additional sites to the MSS_Exceeded_ACL access list or change it to allow all sites.

access-list MSS_Exceeded_ACL permit tcp any any

For more information about MSS and logging these events, check out the document from Cisco.

Configure SSH Access on an ASA

James — Sun, 06 Apr 2008 08:00:53 +0000

If you have recently tried to setup SSH access on a new ASA, it might not have worked the way you wanted. That is because the RSA keys need to be generated first. To do that:

crypto key generate rsa

asa(config)# crypto key generate rsa
INFO: The name for the keys will be:
Keypair generation process begin. Please wait…

And then configure SSH to be allowed from the inside interface:

ssh 0.0.0.0 0.0.0.0 inside

Now you will be able to login using the default username and password of pix/cisco, Or you can configure AAA and setup your own usernames. Doing this will make the pix username no longer work for SSH.

First, a username needs to be created:

username cisco password c1sc0

And then configure AAA:

aaa authentication ssh console LOCAL

Done!

Unable to download NAT policy for ACE

James — Sat, 29 Mar 2008 08:05:37 +0000

I was working on an ASA config and ran into an interesting error. I needed to not perform NAT on the traffic from the inside LAN to the DMZ. I configured an access-list:

access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.48.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.49.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.3.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.4.0 255.255.255.0

And then specified to not perform NAT:

nat (inside) 0 access-list InsideNoNAT_ACL
nat (inside) 1 0.0.0.0 0.0.0.0

I then needed to add another line to the InsideNoNAT_ACL, and that is where I received the error.

(config)#access-list InsideNoNAT_ACL permit 10.0.0.0 255.0.0.0 172.31.3.0 255.255.255.0
Unable to download NAT policy for ACE

All this error message is saying is that the new line in the access-list was not added to the active NAT table, but was added to the access-list. Upon doing some searching, I read in several places that a reboot fixed the problem. While this is true, it is not necessary. All that needs to be done is to remove and reapply the nat statement.

(config)#no nat (inside) 0 access-list InsideNoNAT_ACL
(config)#nat (inside) 0 access-list InsideNoNAT_ACL

This rebuilds the NAT rules and applies all rules in the ACL. Much better than a reload!

Cisco ASA and ICMP Configurations

James — Tue, 19 Feb 2008 15:59:50 +0000

As I am sure many of you who have ever worked with a Cisco firewall know, ICMP is not allowed through the firewall by default. If you are just configuring the device, this can make it very difficult to troubleshoot connectivity issues. Thankfully, there are several ways to get around this.

Solution 1: Use access-lists to allow pings from inside/DMZ to the outside.
To allow pinging from the inside to the outside interfaces, you will need to configure an access-list for the outside interface.

access-list OUTSIDE_IN_ACL permit icmp any any echo-reply

Then apply the access-list to the outside interface.

access-group OUTSIDE_IN_ACL in interface outside

This will allow only ping. If you would like to allow trace route, you will also need to allow time-exceeded.

access-list OUTSIDE_IN_ACL permit icmp any any time-exceeded

Solution 2: Use access-list to allow ping and trace route from the internet to your dmz/inside servers.
To do this, we are going to build off of what we did above, so you should already have this in the config.

access-list OUTSIDE_IN_ACL permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL permit icmp any any time-exceeded
access-group OUTSIDE_IN_ACL in interface outside

Now all we need to do is allow echo into the network.

access-list OUTSIDE_IN_ACL permit icmp any any echo

Even though we are allowing icmp, we still need to have a static mapping to allow the packets to reach the DMZ.

static (dmz,outside) PUBLIC_IP DMZ_IP netmask 255.255.255.255

Of course, you will need to have a static mapping for every server you want to have reachable from the internet.

Solution 3: This is a bit more complex, but will allow higher security level interfaces to ping/trace route lower security level interfaces without the use of access-lists. To do this, we will tell the ASA to inspect icmp in a service policy. If you are using a ASA, you should have a default policy in the base config called global_policy.

global_policy:

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global

To add icmp inspection.

FW-ASA(config)# policy-map global_policy
FW-ASA(config-pmap)# class inspection_default
FW-ASA(config-pmap-c)# inspect icmp

Cisco IOS to CatOS Etherchannel Configuration

James — Mon, 29 Oct 2007 19:02:43 +0000

Here are the relevant parts of the configuration to setup an etherchannel between an IOS device and a CatOS device. First lets start with the CatOS device, in this case a 6509. We will be using ports 3/9 and 3/10.

We first need to set the ports we want to use to be a trunk. Here we are forcing dot1q.

6509#set trunk 3/1-2 nonegotiate dot1q

Now we need to setup the port channels. These channels will be used as 1 and aggregate bandwidth between them.

6509#set port channel 3/9-10

Note: There is an option at the end of this command to specify the admin group. This is how the CatOS groups the ports. If you do not specify the admin group, the CatOS will automatically assign one. This is something to watch out for if you set each port separately.

Now, turn the port channel on.

6509#set port channel 3/9-10 mode on

That is it for the CatOS. The config for the IOS is quite a bit different. First, create a port channel interface and make it a trunk.

3750(config)#interface port-channel 1
3750(config-if)#switchport trunk encapsulation dot1q
3750(config-if)#switchport mode trunk

Assign ports to the port channel group.

3750(config)#interface GigabitEthernet1/0/1
3750(config-if)#channel-group 1 mode on
3750(config-if)#interface GigabitEthernet1/0/2
3750(config-if)#channel-group 1 mode on

Just connect the ports and everything should come up. To check on the CatOS.

6509#show port channel
Port Status Channel Admin Ch Mode Group Id
—– ———- ——————– —– —–
3/9 connected on 746 1734
3/10 connected on 746 1734

Port Device-ID Port-ID Platform
—– ——————————- ————————- —————-
3/9 3750 GigabitEthernet1/0/1 cisco WS-C3750-48P
3/10 3750 GigabitEthernet1/0/2 cisco WS-C3750-48P

Here, both ports 3/9 and 3/10 show as connected and on the same admin channel.

And for the IOS.

3750#show etherchannel summary
Flags: D – down P – in port-channel
I – stand-alone s – suspended
H – Hot-standby (LACP only)
R – Layer3 S – Layer2
U – in use f – failed to allocate aggregator
u – unsuitable for bundling
w – waiting to be aggregated
d – default port

Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
——+————-+———–+———————————————–
1 Po1(SU) – Gi1/0/1(P) Gi2/0/1(P)

The last line is the important one. Notice that is shows both ports are in port channel 1.

To configure and IOS to IOS etherchannel, just repeat the exact steps for the IOS on the second switch.
That’s all there is to it.

Adding a Cisco switch to a VTP domain

James — Wed, 17 Oct 2007 05:09:27 +0000

Adding a switch to a VTP domain is fairly easy to do, but done incorrectly, can bring down a whole network. Fortunatly I have not had this happen to me, but I have heard horror stories. There are a few simple steps to take to make sure everything stays running smoothly.

The very first step to complete as soon as you are ready to put a new switch on a network and join it to the domain, is to make sure that the vtp mode is set to transparent. Setting the mode to transparent ensures that the “Configuration Revision” is set to 0. If the switch has been used in a lab and has vlans configured and a configuration revision that is higher than the domain server, even if the switch being added is in client mode, it will overwrite the server and propagate all of it’s vlans across the network.

This is directly taken from Cisco’s website:

A recently added switch can cause problems in the network. It can be a switch that was previously used in the lab, and a good VTP domain name was entered. The switch was configured as a VTP client and was connected to the rest of the network. Then, you brought the trunk link up to the rest of the network. In just a few seconds, the whole network can go down.

If the configuration revision number of the switch that you inserted is higher than the configuration revision number of the VTP domain, it propagates its VLAN database through the VTP domain.

This occurs whether the switch is a VTP client or a VTP server. A VTP client can erase VLAN information on a VTP server. You can tell this has occurred when many of the ports in your network go into the Inactive state but continue to assign to a nonexistent VLAN.

To make sure this does not happen, before you connect the switch to the network, make sure to set the vtp mode to transparent.

C3750-Client(config)#vtp mode transparent
C3750-Client(config)#exit
C3750-Client#show vtp status
C3750-Client#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0×18 0×17 0xE9 0×22 0×49 0×96 0×0C 0×7E
Configuration last modified by 10.10.10.20 at 3-1-93 00:03:25

Now that this switch won’t overwrite the server, configure the vtp domain and password, and then change the mode to client.

C3750-Client(config)#vtp domain Test
Changing VTP domain name from NULL to Test
C3750-Client(config)#vtp password Testpassword
C3750-Client(config)#vtp mode client
Setting device to VTP CLIENT mode

Show the vtp status to confirm.

C3750-Client#show vtp status
VTP Version : 2
Configuration Revision : 62
Maximum VLANs supported locally : 1005
Number of existing VLANs : 38
VTP Operating Mode : Client
VTP Domain Name : Test
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xCD 0×9D 0xFF 0xC3 0×6F 0×63 0×5F 0xF5
Configuration last modified by 10.10.10.2 at 10-16-07 22:16:43

And then a show vlan and check the output to make sure all the vlans have propagated.

C3750-Client#show vlan

The only rule you really need when adding switches is to make sure the switch is in TRANSPARENT mode first.

Configuring a VTP domain on Cisco switches

James — Wed, 17 Oct 2007 04:45:00 +0000

VTP domains allow you to manage all of your vlans from a central switch. This can be a great tool if you are dealing with a large number of vlans spread out over multiple switches. There are a couple of issues that you must be careful of when you implement a vtp domain, which I will go over shortly.

The first requirement is to make sure that your trunks between switches are up and working.

C3750-Payment#show interface trunk

And the output should look something like:

C3750-Payment#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa2/0/48 on 802.1q trunking 1

Port Vlans allowed on trunk
Fa2/0/48 1-4094

Port Vlans allowed and active in management domain
Fa2/0/48 1-2,4,6,8,10,12,16-37,102-103,256-258

Port Vlans in spanning tree forwarding state and not pruned
Fa2/0/48 1-2,4,6,8,10,12,16-37,102-103,256-258

If there are not any ports listed as a trunk, that needs to be fixed before proceeding. Now that we know the switches are communicating, we can proceed to look at the current vtp configuration.

C3750-Payment#show vtp status

And you should get:

C3750-Payment#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0×18 0×17 0xE9 0×22 0×49 0×96 0×0C 0×7E
Configuration last modified by 10.10.10.20 at 3-1-93 00:03:25

If the VTP Operating Mode is not “Transparent” on all of the switches, it needs to be set to transparent to prevent problems later.

C3750-Payment(config)#vpt mode transparent

This will reset the Configuration Revision to 0. It is very important that all switches have the configuration revision reset!

Now, on the switch that you want to be the vtp server; set the domain, password, and then change it to server mode.

C3750-Payment(config)#vtp domain Test
VTP domain Test modified
C3750-Payment(config)#vtp password Testpassword
C3750-Payment(config)#vtp mode server
Setting the device to VTP SERVER mode

Make sure all of the vlans that you need are on this switch. Once they are, setup the other switches as clients.

C3750-Client(config)#vtp domain Test
Changing VTP domain name from NULL to Test
C3750-Client(config)#vtp password Testpassword
C3750-Client(config)#vtp mode client
Setting device to VTP CLIENT mode

Check the VTP status on the client to confirm the vtp status has changed and the vlans have been configured.

C3750-Client#show vlan

Everything is now configured. Vlan additions can now be made on the switch that is in server mode and they will be propagated down to all of the clients.

Adding a switch to an already established vtp domain is basically the same, just make sure to set the switch to transparent mode first. For more details, check Adding a Cisco switch to a vtp domain.

Vista VPN to Cisco Pix devices

James — Fri, 05 Oct 2007 14:46:50 +0000

While trying to setup Vista to connect to new client’s network using a VPN, I kept running into problems and could not get it to connect. I was attempting to connect to a PPTP VPN on a Pix 500 series firewall. The error I kept getting was “Failed to connect to VPN Connection”. I tested the connection with XP and was able to connect without any issues.

Come to find out, Microsoft deprecated MSCHAP v1 from Vista! Vista only supports MSCHAP v2, CHAP, and PAP. Cisco does not support MSCHAP v2 in the 6.x line of software for the PIX. Unfortunately, I was connecting to a Pix 501 and did not have the option to upgrade to version 7.x software which does support MSCHAP v2.

Since the only option left is to use CHAP, I had reconfigured the VPN connection in Vista. To do this:

Go to Properties of the VPN connection

-> Security Tab

-> Select Advanced (custom settings)

-> Click Settings

-> Set Data encryption to optional

-> Then check CHAP under Allow these protocols

Now I am able to connect without any problems.

Please note that CHAP should not be considered secure. While it is better than PAP in that is uses encryption, it is only one-way and therefore should be used with caution.

Cisco SNMP MIB Source

James — Thu, 27 Sep 2007 13:31:23 +0000

I have been configuring a basic monitoring solution for a client and stumbled upon this little gem on Cisco’s website. You can find nearly all MIBs for Cisco devices here. I really wish I had found this a couple weeks ago!

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml