Monday, 21 January 2013



Cisco Easy VPN is not a new technology. Actually it is pretty old, but it is still used by many companies and people to connect remote sites or remote workers to headquarters.
A few days ago I was looking for a simple but still secure way to connect a remote site, and a colleague suggested that I use Easy VPN. It was supposed to be a simple configuration, and it was, once all the issues that came into play were solved.
First of all, I needed an Easy VPN Router (client) to Router (server) setup. The other method is a client (PC) with software connecting to a Router / PIX / ASA / VPN Concentrator (server). Something like this:
The idea is that behind the client router I will have a group of people who need to connect to headquarters, so I don't want each of them to use personal VPN connections. In searching for possible configurations I found this Cisco configuration example. The only issue in that document is that the Easy VPN tunnel needs manual intervention to connect, which I want to avoid.
For those who need a quick and secure Easy VPN connection, here is my sample configuration:

EasyVPN-Server

!! We define a new AAA model for authentication and authorization
!! for remote VPN clients
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!! Generic username and password
username cisco password 0 cisco123
!
!! We configure a crypto isakmp policy. The number and encryption are your choice
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!! We add a key and, important, the "save-password" command
!! "save-password" allows the client to save the password in an automatic VPN
!! connection scenario
crypto isakmp client configuration group vpngrp
key cisco123
save-password
!
!! The IPsec transform set; you can pick a stronger one like esp-aes 256, but
!! for this example this one will work fine
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!! We get everything together in a crypto dynamic map
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!! Add the crypto map on the WAN interface or where your VPN tunnels will terminate
interface x/y
description WAN
crypto map clientmap

EasyVPN-Client

!! On the remote side we define an Easy VPN client
!! connect auto: means it will connect automatically
!! network-extension: the connection between the remote-side LAN and the server LAN
!! will not need NAT
!! peer is the VPN server IP address
!! xauth mode has to be local for auto connection without manual intervention
crypto ipsec client ezvpn ez
connect auto
group vpngrp key cisco123
mode network-extension
peer 192.168.0.2
username cisco password cisco123
xauth userid mode local
!
!! Apply the already defined client profile to the WAN interface
!! This will automatically be the outside interface, even if you don't
!! add the "outside" keyword at the end of the command
interface x/y
description WAN
crypto ipsec client ezvpn ez
!
!! Apply it on ALL L3 LAN interfaces that need to communicate over the VPN;
!! moreover, you need to specify the keyword "inside"
interface x/y
description ANY L3 LAN interface (SVI / Physical)
crypto ipsec client ezvpn ez inside
To test whether your tunnel is up, issue the following command on the Easy VPN client router:
#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8
Tunnel name : TEST
Inside interface list: GigabitEthernet0/0, GigabitEthernet0/1
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
Current EzVPN Peer: 192.168.0.2
As you can see, the Current State shows IPSEC_ACTIVE.
Other commands that will help you check whether everything is OK (these can be run on the client or the server side):
#show crypto isakmp sa
! Look for the “state” (it has to be QM_IDLE) and
! “status” (has to be ACTIVE)
#show crypto ipsec sa
! Look for #pkts encaps and #pkts decaps; the two counters should be close
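The manual checks above can be scripted. This is an added example, not from the original post: it parses the "show crypto ipsec client ezvpn" output shown above plus a constructed "show crypto ipsec sa" excerpt (sample counters) and returns a health verdict for the tunnel; the expected peer and 10% counter tolerance are assumptions.

```python
import re

# Output of "show crypto ipsec client ezvpn" exactly as shown in the post.
EZVPN_STATUS = """Easy VPN Remote Phase: 8
Tunnel name : TEST
Inside interface list: GigabitEthernet0/0, GigabitEthernet0/1
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
Current EzVPN Peer: 192.168.0.2
"""

# Constructed excerpt of "show crypto ipsec sa" (sample counters, not from the post).
IPSEC_SA = """    #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
    #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
"""


def parse_ezvpn_status(text):
    """Turn the 'Key: value' lines of show crypto ipsec client ezvpn into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_sa_counters(text):
    """Pull the #pkts encaps / #pkts decaps counters out of show crypto ipsec sa."""
    counters = {}
    for name in ("encaps", "decaps"):
        m = re.search(r"#pkts %s:\s*(\d+)" % name, text)
        counters[name] = int(m.group(1)) if m else 0
    return counters


def check_tunnel(status_text, sa_text, expected_peer, tolerance=0.10):
    """Return (ok, problems), automating the manual checks from the post:
    state must be IPSEC_ACTIVE, the peer must be the configured server,
    Save Password must be Allowed (needed for 'connect auto'), at least one
    inside interface must be bound, and encaps/decaps should be close, since
    a one-sided counter means traffic leaves but nothing comes back."""
    st = parse_ezvpn_status(status_text)
    ctr = parse_sa_counters(sa_text)
    problems = []
    if st.get("Current State") != "IPSEC_ACTIVE":
        problems.append("state is %s, expected IPSEC_ACTIVE" % st.get("Current State"))
    if st.get("Current EzVPN Peer") != expected_peer:
        problems.append("peer is %s, expected %s" % (st.get("Current EzVPN Peer"), expected_peer))
    if st.get("Save Password") != "Allowed":
        problems.append("save-password not allowed by the server group; auto-connect will stall")
    if not st.get("Inside interface list"):
        problems.append("no inside interfaces bound; LAN traffic will not enter the tunnel")
    high = max(ctr["encaps"], ctr["decaps"])
    if high == 0:
        problems.append("no packets encapsulated or decapsulated yet")
    elif abs(ctr["encaps"] - ctr["decaps"]) > tolerance * high:
        problems.append("encaps %d and decaps %d differ by more than %d%%"
                        % (ctr["encaps"], ctr["decaps"], int(tolerance * 100)))
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = check_tunnel(EZVPN_STATUS, IPSEC_SA, "192.168.0.2")
    print("tunnel OK" if ok else "\n".join(problems))
```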
I hope this will help you. If anything is unclear please ask in comments.

Tuesday, 11 September 2012

IronPort S Series Web Security

1. Make sure P1 is used as the WCCP interface.
2. WCCP runs with L2 or GRE and the default settings.
3. Make sure that if P1 is used as the data interface, DNS uses the Data port for DNS queries in the routing table (set in the DNS section).
4. WCCP with a service number or with web-cache: no problem either way.
5. HTTP proxy and HTTPS proxy work after first creating the cert and key, without needing to upload them.


-----------


Restrictions regarding the WCCPv2 implementation on the ASA are:

- Multiple routers in a service group are not supported. Multiple cache engines in a service group are still supported.
- Multicast WCCP is not supported.
- The Layer 2 redirect method is not supported; only GRE encapsulation is supported.
- WCCP source address spoofing is not supported.

Besides these restrictions, the IronPort WSA must be connected to the ASA's inside segment.
Also, the ASA's inside interface must be in the same IP subnet as the IronPort WSA.

If you have problems with WCCP on the WSA in general, here are some steps you should follow during troubleshooting:

1. Mind all the WCCP/ASA restrictions mentioned above.
2. Capture packets on the WSA's interface. If everything is OK, you should see both WCCP HIA ("Here I Am") and WCCP "I See You" hello messages.
3. Turn on debug ip wccp events on the ASA/router.
4. If all WCCP messages are present, you should not have the problem.

If not... first see whether the WSA is sending WCCP messages to the ASA/router (debug wccp events).

The WSA has one bug that affects WCCP function... Sometimes (and believe me, sometimes == a lot) when a WCCP reconfiguration is performed on the WSA, it sends WCCP packets with the wrong Host ID.

So in that case, in the router/ASA debug you see a message like this: "Here_I_Am packet from X.X.X.X w/bad rcv_id 00000000".
If you see this, you should execute the following hidden command on the WSA from the WSA CLI:

//*****************************
diagnostic->proxy->kick
//*****************************

Friday, 07 September 2012


Configuring Remote Access VPN on a Cisco ASA

Remote access VPN lets remote or mobile users connect to the corporate network. In the past this service was provided by dial-up connections using analog modems; the company provided large modem pools and access servers to accommodate those remote users.
Later, dial-up was replaced by broadband DSL and cable modem connections, which let corporate users move from dial-up to remote access VPN for better communication.
Below are the steps (command line) to configure remote access VPN on a Cisco ASA:
First, configure the ASA interface
!-- interface name
ASA(config)# interface GigabitEthernet 0/1
ASA(config-if)# no shutdown
ASA(config-if)# nameif outside
!-- security level
ASA(config-if)# security-level 0
!-- ip address
ASA(config-if)# ip address 20.1.1.50 255.0.0.0
!-- enable crypto isakmp
ASA(config)# crypto isakmp enable outside
Second, configure the IP pool
!-- configure the IP pool
ASA(config)# ip local pool poolname 30.1.1.1-30.1.1.50
ASA(config)# route outside 0 0 20.0.0.0
Third, configure the user account
ASA(config)# username ism password Cisco.123
Fourth, define the ISAKMP policy: authentication, encryption, hash, and group
!-- define isakmp policy 10
ASA(config)# crypto isakmp policy 10
!-- enable DES encryption
ASA(config-isakmp)# encryption des
!-- enable the MD5 algorithm for hashing
ASA(config-isakmp)# hash md5
!-- enable the pre-shared key method
ASA(config-isakmp)# authentication pre-share
!-- enable Diffie-Hellman group 2
ASA(config-isakmp)# group 2
!-- leave crypto isakmp mode
ASA(config-isakmp)# exit
Fifth, create the IPsec transform set
!-- encryption type DES and hashing method MD5-HMAC
ASA(config)# crypto ipsec transform-set ts2 esp-des esp-md5-hmac
!-- apply the transform set
ASA(config)# crypto dynamic-map dmap 10 set transform-set ts2
!-- reference the dynamic map from a crypto map named imap
ASA(config)# crypto map imap 10 ipsec-isakmp dynamic dmap
Sixth, configure the tunnel group
!-- create the group for the IT department
ASA(config)# tunnel-group itdept type ipsec-ra
!-- create the group policy
ASA(config)# tunnel-group itdept general-attributes
ASA(config-general)# address-pool poolname
ASA(config-general)# exit
ASA(config)# tunnel-group itdept ipsec-attributes
ASA(config-ipsec)# pre-shared-key Cisco
ASA(config-ipsec)# exit
Seventh, apply the crypto map to the outside interface
ASA(config)# crypto map imap interface outside
Eighth, verify the secure tunnel using the Cisco VPN Client
Tunnel group: itdept
Shared key: Cisco
Username: ism
Password: Cisco.123
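Both the ISAKMP policy in this post (DES, MD5, group 2) and the Easy VPN server config in the first post (3DES, group 2, a type 0 password) use settings a reviewer would flag today. This added example, not from either post, audits such IOS/ASA IKEv1 snippets for weak algorithms; the two audited configs are copied from this page, and the hardened equivalent is constructed (example values, not from the page).

```python
# Weak-algorithm audit for the IKEv1 settings shown on this page.
WEAK_CIPHERS = {
    "des": "single DES (56-bit key) is broken; use AES",
    "3des": "3DES is deprecated (64-bit block, Sweet32); use AES",
}
WEAK_HASHES = {"md5": "MD5 HMAC is deprecated; use SHA-1 at minimum, preferably SHA-2"}
WEAK_DH = {
    "1": "DH group 1 (768-bit) is far too small; use group 14 or higher",
    "2": "DH group 2 (1024-bit) is deprecated; use group 14 or higher",
    "5": "DH group 5 (1536-bit) is below current guidance; use group 14 or higher",
}

# ISAKMP policy and transform set from the ASA post above (copied from the page).
ASA_CONFIG = """crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set ts2 esp-des esp-md5-hmac
"""

# Relevant lines of the Easy VPN server config from the first post (copied from the page).
EZVPN_SERVER_CONFIG = """username cisco password 0 cisco123
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
"""

# Constructed hardened equivalent of the ASA policy (example values, not from the page).
HARDENED_CONFIG = """crypto isakmp policy 10
 encryption aes-256
 hash sha
 authentication pre-share
 group 14
crypto ipsec transform-set ts2 esp-aes-256 esp-sha-hmac
"""


def audit_ikev1_config(config):
    """Return [(line_no, line, reason)] for each weak setting found.

    Understands the keywords used in the posts: encr/encryption, hash and
    group inside an isakmp policy, esp-* names in a transform set, and
    'password 0' (type 0, cleartext) on a username line."""
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        tokens = raw.strip().lower().split()
        if not tokens:
            continue
        reasons = []
        if tokens[0] in ("encr", "encryption") and len(tokens) > 1:
            reasons.append(WEAK_CIPHERS.get(tokens[1]))
        elif tokens[0] == "hash" and len(tokens) > 1:
            reasons.append(WEAK_HASHES.get(tokens[1]))
        elif tokens[0] == "group" and len(tokens) > 1:
            reasons.append(WEAK_DH.get(tokens[1]))
        elif "transform-set" in tokens:
            for t in tokens:
                if t.startswith("esp-"):
                    alg = t[4:].replace("-hmac", "")   # esp-md5-hmac -> md5
                    reasons.append(WEAK_CIPHERS.get(alg) or WEAK_HASHES.get(alg))
        elif tokens[0] == "username" and "password" in tokens:
            i = tokens.index("password")
            if len(tokens) > i + 1 and tokens[i + 1] == "0":
                reasons.append("type 0 (cleartext) password; use 'secret' or a hashed type")
        findings.extend((no, raw.strip(), r) for r in reasons if r)
    return findings


if __name__ == "__main__":
    for name, cfg in (("ASA post", ASA_CONFIG), ("Easy VPN server", EZVPN_SERVER_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(name, "->", len(audit_ikev1_config(cfg)), "finding(s)")
        for no, line, reason in audit_ikev1_config(cfg):
            print("  line %d: %-45s %s" % (no, line, reason))
```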

Step by step AnyConnect on the ASA

This post reproduces Lori Hyde's article "Eight easy steps to Cisco ASA remote access setup", which appears in full further down this page under the "Setting ASA" post.

Wednesday, 05 September 2012

Cisco ASA commands to allow traceroute

Sometimes the traceroute (tracert on Windows) feature is badly needed, especially when the Cisco ASA is used as the Internet gateway. A network admin must be able to traceroute to determine whether an Internet or VPN connection problem lies with the ISP or inside the network.

Here are the commands; just copy and paste (tested on 8.4):
ciscoasa# config t
ciscoasa(config)# access-list internal-out permit icmp any any echo-reply
ciscoasa(config)# access-list internal-out permit icmp any any time-exceeded
ciscoasa(config)# access-list internal-out permit icmp any any unreachable
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# inspect icmp error
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# service-policy global_policy global
ciscoasa(config)# access-group internal-out in interface outside

Friday, 11 May 2012

SSO Bluecoat

I see "nt authority\anonymous logon" and machine names (names that end with a dollar sign $) instead of proper user names. This happens because some software clients or update agents use the Internet at a time when the machine and/or the AD is unable to identify the proper user.

Solution:

1. BCAAA reports the anonymous user when it finds a NULL SMB session. This is the correct behavior, because NULL sessions use anonymous credentials. This problem can be fixed by adding NT AUTHORITY\ANONYMOUS LOGON to the [SSOServiceUsers] section of sso.ini. This will cause BCAAA to ignore NULL sessions. BCAAA must be restarted after applying the changes.

From:

[SSOServiceUsers]
; Standard Windows service users
NetShowServices

To:

[SSOServiceUsers]
; Standard Windows service users
NetShowServices
NT AUTHORITY\ANONYMOUS LOGON

2. Management Console -> Configuration -> Policy -> Policy Files -> Local Policy -> Text editor -> Install:

define condition IWA_SILENT_USERS
    user.regex='.+\$$'
    user='NT AUTHORITY\anonymous logon'
end condition

; The <Proxy> layer headers below are assumed; the page's copy of the policy shows none
<Proxy>
    authenticate(IWA_Server) authenticate.mode(proxy-ip)

<Proxy>
    ALLOW group=ProxyUsers realm=IWA_Server
    deny.unauthorized condition=IWA_SILENT_USERS

Note: IWA_Server above MUST be changed to the local name of the IWA realm configured on your proxy. A quick way to find it is Management Console -> Configuration -> Authentication -> Realms; select the name of the realm you are using and replace IWA_Server above with that name.
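The two fixes above can be checked and applied programmatically. This is an added example, not from the original post: an idempotent sso.ini editor that adds the ANONYMOUS LOGON entry while preserving the file's comments, and a Python equivalent of the IWA_SILENT_USERS condition for triaging names seen in the access log. The sso.ini fragment and the user names are constructed; case-insensitive matching of the anonymous account is an assumption.

```python
import re

# Name BCAAA reports for a NULL SMB session, as written in the post.
ANON = "NT AUTHORITY\\ANONYMOUS LOGON"

# Constructed sso.ini fragment matching the "From:" state shown in the post.
SSO_INI_BEFORE = """[SSOServiceUsers]
; Standard Windows service users
NetShowServices
"""


def ensure_anonymous_ignored(ini_text):
    """Return sso.ini text with ANON listed under [SSOServiceUsers].

    Works line by line so comments and ordering survive (configparser would
    drop the ';' comments on rewrite), and is idempotent: running it on a file
    that already has the entry returns the same text."""
    out, in_section, done = [], False, False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if in_section and not done:          # leaving the section: add it
                out.append(ANON)
                done = True
            in_section = s.lower() == "[ssoserviceusers]"
        elif in_section and s.upper() == ANON:
            done = True                          # entry already present
        out.append(line)
    if in_section and not done:                  # section was last in the file
        out.append(ANON)
        done = True
    if not done:                                 # section missing entirely
        out.extend(["", "[SSOServiceUsers]", ANON])
    return "\n".join(out) + "\n"


# Python equivalent of the CPL condition IWA_SILENT_USERS from the post:
# machine accounts (names ending in '$') and the anonymous logon account.
# Case-insensitive matching is an assumption (IWA names are not case-sensitive).
SILENT_USER_PATTERNS = (
    re.compile(r".+\$$"),
    re.compile(r"NT AUTHORITY\\anonymous logon$", re.IGNORECASE),
)


def is_silent_user(user):
    """True when the proxy should not challenge this 'user' for credentials."""
    return any(p.match(user) for p in SILENT_USER_PATTERNS)


def users_to_skip(log_users):
    """From user names seen in the access log, return those IWA_SILENT_USERS
    would match, in first-seen order and without duplicates."""
    seen, result = set(), []
    for u in log_users:
        if is_silent_user(u) and u not in seen:
            seen.add(u)
            result.append(u)
    return result


if __name__ == "__main__":
    print(ensure_anonymous_ignored(SSO_INI_BEFORE))
    # Constructed sample of user names as they would appear in the access log.
    print(users_to_skip(["jdoe", "WKS-042$", "nt authority\\anonymous logon",
                         "CORP\\asmith", "WKS-042$"]))
```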

Sunday, 18 December 2011

Setting ASA

How to configure LDAP access for an ASA 5505
Assumptions:

ASDM is already installed
You know the password to the ASA
Launch ASDM and select Configuration from the top bar. On the left-hand bar, select Remote Access VPN. You should then see a heading that says AAA/Local Users. After clicking the + sign, select AAA Server Groups. You should now see an Add button on the right-hand side of the screen. Click Add and make up a name for the server group; this can be anything. Also set the settings below.

Reactivation Mode: Depletion
Dead Time: 10 Minutes (this was the default setting)
Max Failed Attempts: 3 (this was the default setting)

Click OK. You should now see it in the AAA Server Group box at the top of the page. Highlight the newly created group and click the Add button beside the "Servers in the selected group" box. This is what it should be set to:


Interface Name: Inside
Servername or IP Address: Your active directory server IP
Timeout: 10 seconds
Enable LDAP over SSL: Unchecked (this is up to your current setup)
Server Port: 389
Server Type: Microsoft
Base DN: dc=example,dc=com (see note below on how to find this and your user name)
Naming Attribute(s): sAMAccountName
Login DN: CN=John Doe,OU=Custom Users,DC=example,dc=com
Login Password: Type the password to the user
LDAP Attribute Map: None

Everything else was just left at the default. Click OK, then click Apply. Highlight the server IP in the box and click the Test button. A box will pop up; choose the Authentication button and type your Active Directory username and password. If everything is configured correctly, you should get a message saying "Authentication test to host ip is successful."

***Note:*** I had some problems when configuring this. The first problem I felt deserved its own post. It's here.

The second problem was getting the right syntax for the LDAP part. You can refer to my post that talks about dsquery in more depth; it could help you. It is here. The two commands that will help you the most are:

dsquery user (This lists every single user. I only have maybe 20 users, so if you have a lot more than this, you can use some more specific switches to narrow it down.)

dsquery computer (This will show you all the computers. Same possible problem as with dsquery user. The big thing here is that all you need is the DC part of the results.)

Eight easy steps to Cisco ASA remote access setup
By Lori Hyde
March 19, 2009, 12:28 PM PDT
Takeaway: Lori Hyde shows you a simple eight-step process to setting up remote access for users with the Cisco ASA.

There are eight basic steps in setting up remote access for users with the Cisco ASA.

Step 1. Configure an Identity Certificate
Step 2. Upload the SSL VPN Client Image to the ASA
Step 3. Enable AnyConnect VPN Access
Step 4. Create a Group Policy
Step 5. Configure Access List Bypass
Step 6. Create a Connection Profile and Tunnel Group
Step 7. Configure NAT Exemption
Step 8. Configure User Accounts
So let’s get started!

Step 1. Configure an Identity Certificate

Here I am creating a general purpose, self-signed, identity certificate named sslvpnkey and applying that certificate to the “outside” interface. You can purchase a certificate through a vendor such as Verisign, if you choose.

corpasa(config)#crypto key generate rsa label sslvpnkey
corpasa(config)#crypto ca trustpoint localtrust
corpasa(config-ca-trustpoint)#enrollment self
corpasa(config-ca-trustpoint)#fqdn sslvpn.mycompany.com
corpasa(config-ca-trustpoint)#subject-name CN=sslvpn.mycompany.com
corpasa(config-ca-trustpoint)#keypair sslvpnkey
corpasa(config-ca-trustpoint)#crypto ca enroll localtrust noconfirm
corpasa(config)# ssl trust-point localtrust outside
Step 2. Upload the SSL VPN Client Image to the ASA

You can obtain the client image at Cisco.com. As you choose which image to download to your tftp server, remember that you will need a separate image for each OS that your users have. After you select and download your client software, you can tftp it to your ASA.

corpasa(config)#copy tftp://192.168.81.50/anyconnect-win-2.0.0343-k9.pkg flash
After the file has been uploaded to the ASA, configure this file to be used for webvpn sessions. Note that if you have more than one client, configure the most commonly used client to have the highest priority. In this case, we’re using only one client and giving it a priority of 1.

corpasa(config)#webvpn
corpasa(config-webvpn)#svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
Step 3. Enable AnyConnect VPN Access

corpasa(config)#webvpn
corpasa(config-webvpn)#enable outside
corpasa(config-webvpn)#svc enable
Step 4. Create a Group Policy

Group Policies are used to specify the parameters that are applied to clients when they connect. In this case, we’ll create a group policy named SSLClient. The remote access clients will need to be assigned an IP address during login, so we’ll also set up a DHCP pool for them, but you could also use a DHCP server if you have one.

corpasa(config)#ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
corpasa(config)#group-policy SSLCLient internal
corpasa(config)#group-policy SSLCLient attributes
corpasa(config-group-policy)#dns-server value 192.168.200.5
corpasa(config-group-policy)#vpn-tunnel-protocol svc
corpasa(config-group-policy)#default-domain value mysite.com
corpasa(config-group-policy)#address-pools value SSLClientPool
Step 5. Configure Access List ByPass

By using the sysopt connect command we tell the ASA to allow the SSL/IPsec clients to bypass the interface access lists.

corpasa(config)#sysopt connection permit-vpn
Step 6. Create a Connection Profile and Tunnel Group

As remote access clients connect to the ASA, they connect to a connection profile, which is also known as a tunnel group. We’ll use this tunnel group to define the specific connection parameters we want them to use. In our case, we’re configuring these remote access clients to use the Cisco AnyConnect SSL client, but you can also configure the tunnel groups to use IPsec, L2L, etc.

First, let’s create the tunnel group SSL Client:

corpasa(config)#tunnel-group SSLClient type remote-access
Next, we’ll assign the specific attributes:

corpasa(config)#tunnel-group SSLClient general-attributes
corpasa(config-tunnel-general)#default-group-policy SSLCLient
corpasa(config-tunnel-general)#tunnel-group SSLClient webvpn-attributes
corpasa(config-tunnel-webvpn)#group-alias MY_RA enable
corpasa(config-tunnel-webvpn)#webvpn
corpasa(config-webvpn)#tunnel-group-list enable
Note that the alias MY_RA is the group that your users will see when they are prompted for login authentication.

Step 7. Configure NAT Exemption

Now we need to tell the ASA not to NAT the traffic between the remote access clients and the internal network they will be accessing. First we’ll create an access list that defines the traffic, and then we’ll apply this list to the nat statement for our interface.

corpasa(config)#access-list no_nat extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
corpasa(config)#nat (inside) 0 access-list no_nat
Step 8. Configure User Accounts

Now we’re ready for some user accounts. Here we’ll create a user and assign this user to our remote access vpn.

corpasa(config)#username hyde password l3tm3in
corpasa(config)#username hyde attributes
corpasa(config-username)#service-type remote-access
Finishing up

Don’t forget to save your configuration to memory.

corpasa#write memory
Verify your configuration by establishing a remote access session and use the following show command to view session details.

corpasa#show vpn-sessiondb svc
This guide should help you to get your remote access users up and running in no time. If you run into any difficulties, use the debug webvpn commands to diagnose the problem.

Good luck and have fun out there!