Tuesday, 11 September 2012

Ironport S Series Web Security

1. Make sure P1 is the interface used for WCCP.
2. WCCP works with either L2 or GRE forwarding and with the default settings.
3. If P1 is used as the data interface, DNS queries must be sent out the data interface in the routing table (configured in the DNS section).
4. WCCP with a custom service number or the standard web-cache service both work without problems.
5. The HTTP proxy and HTTPS proxy run after a certificate and key have first been generated on the appliance; nothing needs to be uploaded.


-----------


Restrictions regarding the WCCPv2 implementation on the ASA are:

- Multiple routers in a service group are not supported. Multiple cache engines in a service group are still supported.
- Multicast WCCP is not supported.
- The Layer 2 redirect method is not supported; only GRE encapsulation is supported.
- WCCP source address spoofing is not supported.

Besides these restrictions, the IronPort WSA must be connected to the ASA's inside segment, and the ASA's inside interface must be in the same IP subnet as the IronPort WSA.

If you have problems with WCCP on the WSA in general, here are the steps to follow during troubleshooting:

1. Mind all the WCCP/ASA restrictions mentioned above.
2. Capture packets on the WSA's interface. If everything is OK, you should see both the WCCP "Here I Am" (HIA) messages from the WSA and the WCCP "I See You" (ISY) replies from the router/ASA.
3. Turn on debug ip wccp events on the ASA/router.
4. If all WCCP messages are present, you should not have a problem.

If not, first check whether the WSA is sending WCCP messages to the ASA/router at all (debug ip wccp events).

The WSA has one bug that affects WCCP: sometimes (and believe me, sometimes == a lot), when a WCCP reconfiguration is performed on the WSA, it sends WCCP packets with a wrong Host ID.

In that case the router/ASA debug shows a message like this: "Here_I_Am packet from X.X.X.X w/bad rcv_id 00000000".
If you see this, run the following hidden command from the WSA CLI:

//*****************************
diagnostic->proxy->kick
//*****************************
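The triage order above (bad rcv_id first, then no Here_I_Am at all, then no I_See_You reply) can be scripted. The following is an added example, not from the original post: it scans router/ASA debug ip wccp events output and returns a verdict plus the matching action. Only the "w/bad rcv_id" line shape is taken from this page; the Here_I_Am and I_See_You line shapes, the verdict names and all sample lines are constructed assumptions for the example.

```python
"""
Added example (not from the original post): scripted version of the WCCP
triage above, run over router/ASA "debug ip wccp events" output. Only the
"w/bad rcv_id" line shape is taken from this page; the Here_I_Am /
I_See_You line shapes, verdict names and sample lines are constructed.
"""
import re
from dataclasses import dataclass, field

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HIA_RE = re.compile(rf"Here_I_Am packet from (?P<ip>{IPV4})")
ISY_RE = re.compile(rf"I_See_You packet to (?P<ip>{IPV4})")
BAD_RCV_RE = re.compile(r"w/bad rcv_id (?P<rcv>[0-9a-fA-F]{8})")


@dataclass
class WccpTriage:
    hia_from: set = field(default_factory=set)   # caches that sent Here_I_Am
    isy_to: set = field(default_factory=set)     # caches the router answered
    bad_rcv: list = field(default_factory=list)  # (cache ip, rejected rcv_id)
    verdict: str = ""
    action: str = ""


def triage(debug_lines):
    """Apply the troubleshooting order from the post: bad rcv_id first, then
    missing Here_I_Am, then missing I_See_You, otherwise healthy."""
    t = WccpTriage()
    for line in debug_lines:
        m = HIA_RE.search(line)
        if m:
            t.hia_from.add(m.group("ip"))
            b = BAD_RCV_RE.search(line)
            if b:
                t.bad_rcv.append((m.group("ip"), b.group("rcv")))
        m = ISY_RE.search(line)
        if m:
            t.isy_to.add(m.group("ip"))

    if t.bad_rcv:
        t.verdict = "bad-rcv-id"
        t.action = ("WSA is sending a stale receive ID after a WCCP reconfiguration: "
                    "run diagnostic -> proxy -> kick on the WSA CLI, then re-check")
    elif not t.hia_from:
        t.verdict = "no-here-i-am"
        t.action = ("no Here_I_Am from the WSA: check the WSA WCCP service (P1 interface, "
                    "service id, router address) and that WSA and ASA inside share a subnet")
    elif t.hia_from - t.isy_to:
        t.verdict = "no-i-see-you"
        t.action = ("router never answered: check service id/password and the ASA "
                    "restrictions (GRE only, single router, no multicast)")
    else:
        t.verdict = "ok"
        t.action = "Here_I_Am and I_See_You both seen; WCCP negotiation is healthy"
    return t


# Constructed debug output, not real captures.
HEALTHY = [
    "WCCP-PKT:S00: Received valid Here_I_Am packet from 192.0.2.10 w/rcv_id 00000002",
    "WCCP-PKT:S00: Sending I_See_You packet to 192.0.2.10 w/ rcv_id 00000003",
]
STALE_ID = [
    "WCCP-PKT:S00: Received Here_I_Am packet from 192.0.2.10 w/bad rcv_id 00000000",
]
SILENT_WSA = [
    "WCCP-EVNT:S00: Built new router view: 1 routers, 0 usable web caches, change # 00000001",
]

if __name__ == "__main__":
    for name, lines in (("healthy", HEALTHY), ("stale id", STALE_ID), ("silent wsa", SILENT_WSA)):
        t = triage(lines)
        print(f"{name:10} {t.verdict:13} {t.action}")
```

Feed it the saved terminal output of the debug session (one line per list element); the bad rcv_id check deliberately wins over the other verdicts because a cache that is sending Here_I_Am with a stale ID is also, by definition, never getting a valid I_See_You back.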

Friday, 07 September 2012


Configuring Remote Access VPN on a Cisco ASA

A remote access VPN allows remote or mobile users to connect to the corporate network. In the past this service was provided over dial-up connections with analog modems; companies maintained large modem pools and access servers to accommodate those remote users.
Later, dial-up was replaced by broadband DSL and cable modem connections, which let corporate users move from dial-up to remote access VPN for better communication.
Here are the steps (command line) to configure a remote access VPN on a Cisco ASA. The walkthrough uses DES, MD5 and Diffie-Hellman group 2 because that is what the lab used; those algorithms are deprecated, and on current ASA releases you should use AES, SHA-2 and DH group 14 or higher instead.
First, configure the ASA interface
!-- interface name
ASA(config)# interface GigabitEthernet 0/1
ASA(config-if)# no shutdown
ASA(config-if)# nameif outside
!-- security level
ASA(config-if)# security-level 0
!-- IP address
ASA(config-if)# ip address 20.1.1.50 255.0.0.0
!-- enable ISAKMP on the outside interface
ASA(config)# crypto isakmp enable outside
Second, configure the IP pool
!-- address pool handed out to VPN clients
ASA(config)# ip local pool poolname 30.1.1.1-30.1.1.50
!-- default route; replace 20.0.0.0 with the IP address of your upstream gateway
ASA(config)# route outside 0 0 20.0.0.0
Third, configure a user account
ASA(config)# username ism password Cisco.123
Fourth, define the ISAKMP policy: authentication, encryption, hash and DH group
!-- define ISAKMP policy 10
ASA(config)# crypto isakmp policy 10
!-- encryption: DES (deprecated)
ASA(config-isakmp)# encryption des
!-- hash algorithm: MD5 (deprecated)
ASA(config-isakmp)# hash md5
!-- authentication method: pre-shared key
ASA(config-isakmp)# authentication pre-share
!-- Diffie-Hellman group 2 (deprecated)
ASA(config-isakmp)# group 2
!-- leave crypto isakmp mode
ASA(config-isakmp)# exit
Fifth, create the IPsec transform set
!-- ESP with DES encryption and MD5-HMAC integrity
ASA(config)# crypto ipsec transform-set ts2 esp-des esp-md5-hmac
!-- apply the transform set to a dynamic crypto map (remote clients have unknown peer addresses)
ASA(config)# crypto dynamic-map dmap 10 set transform-set ts2
!-- reference the dynamic map from a crypto map named imap
ASA(config)# crypto map imap 10 ipsec-isakmp dynamic dmap
Sixth, configure the tunnel group
!-- create the group for the IT department (ipsec-ra is the pre-8.0 keyword; 8.0 and later use "type remote-access")
ASA(config)# tunnel-group itdept type ipsec-ra
!-- general attributes: assign the address pool
ASA(config)# tunnel-group itdept general-attributes
ASA(config-general)# address-pool poolname
ASA(config-general)# exit
!-- IPsec attributes: the group pre-shared key ("Cisco" is a lab value; use a long random key)
ASA(config)# tunnel-group itdept ipsec-attributes
ASA(config-ipsec)# pre-shared-key Cisco
ASA(config-ipsec)# exit
Seventh, apply the crypto map to the outside interface
ASA(config)# crypto map imap interface outside
Eighth, verify the secure tunnel with the Cisco VPN Client, using:
Tunnel group: itdept
Shared key: Cisco
Username: ism
Password: Cisco.123

Step-by-step AnyConnect on the ASA


Eight easy steps to Cisco ASA remote access setup

Takeaway: Lori Hyde shows you a simple eight-step process for setting up remote access for users with the Cisco ASA.
There are eight basic steps in setting up remote access for users with the Cisco ASA.
  • Step 1. Configure an Identity Certificate
  • Step 2. Upload the SSL VPN Client Image to the ASA
  • Step 3. Enable AnyConnect VPN Access
  • Step 4. Create a Group Policy
  • Step 5. Configure Access List Bypass
  • Step 6. Create a Connection Profile and Tunnel Group
  • Step 7. Configure NAT Exemption
  • Step 8. Configure User Accounts
So let’s get started!
Step 1. Configure an Identity Certificate
Here I am creating a general purpose, self-signed identity certificate named sslvpnkey and applying that certificate to the "outside" interface. You can purchase a certificate through a vendor such as Verisign if you choose; for production you should, because clients cannot validate a self-signed certificate and users learn to click through the warning. Add modulus 2048 to the key generation command on releases where the default RSA size is smaller. Note that crypto ca enroll is a global configuration command, so leave trustpoint configuration mode first.
corpasa(config)#crypto key generate rsa label sslvpnkey
corpasa(config)#crypto ca trustpoint localtrust
corpasa(config-ca-trustpoint)#enrollment self
corpasa(config-ca-trustpoint)#fqdn sslvpn.mycompany.com
corpasa(config-ca-trustpoint)#subject-name CN=sslvpn.mycompany.com
corpasa(config-ca-trustpoint)#keypair sslvpnkey
corpasa(config-ca-trustpoint)#exit
corpasa(config)#crypto ca enroll localtrust noconfirm
corpasa(config)#ssl trust-point localtrust outside
Step 2. Upload the SSL VPN Client Image to the ASA
You can obtain the client image at Cisco.com. As you choose which image to download to your tftp server, remember that you will need a separate image for each OS that your users have. After you select and download your client software, you can tftp it to your ASA.
corpasa(config)#copy tftp://192.168.81.50/anyconnect-win-2.0.0343-k9.pkg flash
After the file has been uploaded to the ASA, configure this file to be used for webvpn sessions; the file name in the svc image command must match the package you copied. Note that if you have more than one client, configure the most commonly used client to have the highest priority. In this case, we're using only one client and giving it a priority of 1.
corpasa(config)#webvpn
corpasa(config-webvpn)#svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
Step 3. Enable AnyConnect VPN Access
corpasa(config)#webvpn
corpasa(config-webvpn)#enable outside
corpasa(config-webvpn)#svc enable
Step 4. Create a Group Policy
Group Policies are used to specify the parameters that are applied to clients when they connect. In this case, we'll create a group policy named SSLClient. The remote access clients will need to be assigned an IP address during login, so we'll also set up a local address pool for them, but you could also use a DHCP server if you have one. Group policy names are case-sensitive, so use the same spelling everywhere.
corpasa(config)#ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
corpasa(config)#group-policy SSLClient internal
corpasa(config)#group-policy SSLClient attributes
corpasa(config-group-policy)#dns-server value 192.168.200.5
corpasa(config-group-policy)#vpn-tunnel-protocol svc
corpasa(config-group-policy)#default-domain value mysite.com
corpasa(config-group-policy)#address-pools value SSLClientPool
Step 5. Configure Access List Bypass
The sysopt connection permit-vpn command tells the ASA to let decrypted SSL/IPsec client traffic bypass the interface access lists. That leaves every VPN user's traffic unfiltered at the interface; if you need to restrict what remote users can reach, keep the command but add a vpn-filter ACL to the group policy, or omit it and permit the VPN traffic explicitly in the interface ACL.
corpasa(config)#sysopt connection permit-vpn
Step 6. Create a Connection Profile and Tunnel Group
As remote access clients connect to the ASA, they connect to a connection profile, which is also known as a tunnel group. We’ll use this tunnel group to define the specific connection parameters we want them to use. In our case, we’re configuring these remote access clients to use the Cisco AnyConnect SSL client, but you can also configure the tunnel groups to use IPsec, L2L, etc.
First, let's create the tunnel group SSLClient:
corpasa(config)#tunnel-group SSLClient type remote-access
Next, we’ll assign the specific attributes:
corpasa(config)#tunnel-group SSLClient general-attributes
corpasa(config-tunnel-general)#default-group-policy SSLClient
corpasa(config-tunnel-general)#tunnel-group SSLClient webvpn-attributes
corpasa(config-tunnel-webvpn)#group-alias MY_RA enable
corpasa(config-tunnel-webvpn)#webvpn
corpasa(config-webvpn)#tunnel-group-list enable
Note that the alias MY_RA is the group that your users will see when they are prompted for login authentication.
Step 7. Configure NAT Exemption
Now we need to tell the ASA not to NAT the traffic between the remote access clients and the internal network they will be accessing. First we'll create an access list that defines the traffic, and then we'll apply this list to the nat statement for our interface. This is the pre-8.3 syntax; on ASA 8.3 and later the nat 0 access-list form no longer exists and the exemption is written as a twice NAT rule on network objects (source static and destination static) instead.
corpasa(config)#access-list no_nat extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
corpasa(config)#nat (inside) 0 access-list no_nat
Step 8. Configure User Accounts
Now we’re ready for some user accounts. Here we’ll create a user and assign this user to our remote access vpn.
corpasa(config)#username hyde password l3tm3in
corpasa(config)#username hyde attributes
corpasa(config-username)#service-type remote-access
Finishing up
Don’t forget to save your configuration to memory.
corpasa#write memory
Verify your configuration by establishing a remote access session and use the following show command to view session details.
corpasa#show vpn-sessiondb svc

Wednesday, 05 September 2012

Cisco ASA commands to allow traceroute

Sometimes the traceroute (tracert on Windows) feature is badly needed, especially when a Cisco ASA is used as the Internet gateway. A network admin must be able to run traceroute to determine whether an Internet or VPN problem lies at the ISP or inside the local network.

Here are the commands; just copy and paste them (tested on 8.4). The access list admits only the three ICMP types a traceroute needs back in (echo-reply, time-exceeded, unreachable) and not echo-request, so it does not open the firewall to inbound ping. Turning on inspect icmp makes ICMP stateful, and inspect icmp error lets the ASA correctly translate the ICMP error messages that carry the original packet's headers. Note that access-group replaces any ACL already bound inbound on the outside interface; if one exists, add the three lines to that ACL instead.
ciscoasa# config t
(config)# access-list internal-out permit icmp any any echo-reply
(config)# access-list internal-out permit icmp any any time-exceeded
(config)# access-list internal-out permit icmp any any unreachable
(config)# policy-map global_policy
(config-pmap)# class inspection_default
(config-pmap-c)# inspect icmp
(config-pmap-c)# inspect icmp error
(config-pmap-c)# exit
(config-pmap)# exit
(config)# service-policy global_policy global
(config)# access-group internal-out in interface outside

Friday, 11 May 2012

SSO Bluecoat

I see "nt authority\anonymous logon" and machine names (names that end with a dollar sign $) instead of proper user names. This happens because some software clients or update agents use the Internet at a time when the machine and/or the AD is unable to identify the proper user Solution : 1. BCAAA reports the anonymous user when it finds a NULL SMB session. This is the correct behavior, because NULL sessions use anonymous credentials. This problem can be fixed by adding to the [SSOServiceUsers] section of sso.ini. This will cause BCAAA to ignore NULL sessions. BCAAA must be restarted after applying the changes. From: [SSOServiceUsers] ; Standared Windows service users NetShowServices To: [SSOServiceUsers] ; Standared Windows service users NetShowServices NT AUTHORITY\ANONYMOUS LOGON 2. Management Console->Configuration->Policy->Policy Files->Local Policy->Text editor->Install define condition IWA_SILENT_USERS user.regex='.+\$$' user='NT AUTHORITY\anonymous logon' end condition authenticate(IWA_Server) authenticate.mode(proxy-ip) ALLOW group=ProxyUsers realm=IWA_Server deny.unauthorized condition=IWA_SILENT_USERS Note: IWA_Server above MUST be changed to your local name of IWA server that is configured in your proxy. A quick way to find out is by going to your management console->configuration->authentication->realms-> and select the name of the realm that you are using and replace the IWA_Server above with that name