OPTION Knowledge Base

Just a bunch of tips


If you have a new Cisco ASA 5500 and try to connect to its web UI or connect to it using SSLVPN, you may find that the connection fails with the following error shown in a Firefox browser:

Error code: ssl_error_no_cypher_overlap

Check the output of the command "show run all ssl":

ciscoasa(config)# sh run all ssl

If it shows only the following:

ssl server-version any
ssl client-version any

Run the following command to enable the complete set of encryption algorithms:

ciscoasa(config)#ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1
ciscoasa(config)# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1

Try connecting again; this should solve your problem.
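The full list above gets the browser talking, but it also enables DES and RC4, which are no longer considered safe. The fragment below is an added example, not part of the original post: the weak setting from the post beside a tightened one. It assumes the 8.x `ssl server-version` and `ssl encryption` syntax used above; very old clients that only speak SSLv3 will no longer connect once it is applied.

```cisco
! Weak: the complete list as enabled above, including single DES and RC4/MD5
ssl server-version any
ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1

! Tightened: AES suites only, 3DES kept last for legacy clients,
! DES and RC4 left out, SSLv3 refused on the server side
ssl server-version tlsv1-only
ssl encryption aes256-sha1 aes128-sha1 3des-sha1

! Verify what is actually in the running configuration
ciscoasa(config)# show run all ssl
```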

OPTION Consulting would like to offer a special promotion for WatchGuard's XTM21 with 1 year of XTM features included.

Product: XTM21 with 1 Year XTM

Price: HKD6,500

Validity: 30 Sep, 2010

Recommended for remote offices, wireless hotspots, and small businesses with up to 50 users

WatchGuard XTM 2 Series appliances deliver a new class of performance-driven security. Network protection is stronger than ever, with full HTTPS inspection and VoIP support. All models have three 1-Gigabit Ethernet ports for faster link speeds, and optional wireless capabilities include dual-band 802.11n technology for greater wireless speed and responsiveness.

An XTM 2 Series appliance can be used as a stand-alone security solution for a small business, and makes an ideal endpoint for connecting a secure VPN tunnel back to a WatchGuard XTM or WatchGuard Firebox network.

WatchGuard Firewall XTM21

Interfaces: 3x 10/100/1000 and 3x 10/100
DMZs: 6
Application Proxies: HTTP, HTTPS, SMTP, FTP, DNS, TCP, POP3, SIP, H.323, TFTP
Intrusion Prevention: DoS, DDoS, PAD, port scanning, spoofing attacks, address space probes, and more
Wireless Guest Services
User Authentication: with transparent Windows authentication
Firewall Throughput: 110 Mbps
VPN Throughput: 35 Mbps
XTM Throughput: 18 Mbps
Concurrent Sessions (bi-directional): 10,000
Branch Office VPN Tunnels (max.): 5
Mobile VPN with SSL (incl./max.): 1/11
Mobile VPN with IPSec Client Licenses (bundled): 1
Mobile VPN with IPSec Tunnels (max.): 11
VPN Authentication
Centralized (Multibox) Management: optional licenses enable Drag and Drop VPN and one-touch Edge updates
Dynamic NAT
Static NAT
One-to-One NAT
VLAN: 20, upgradeable to 50 with Fireware® XTM Pro upgrade
Policy-Based Routing: optional with Fireware® XTM Pro
WAN Failover: optional with Fireware® XTM Pro
Multi-WAN Load Balancing: optional with Fireware® XTM Pro
Server Load Balancing: N/A
Traffic Management/QoS
High Availability (Active/Passive): N/A
Dynamic Routing: optional with Fireware® XTM Pro
VoIP (SIP and H.323) Support
spamBlocker with Virus Outbreak Detection: optional
Gateway AV/IPS with Virus Quarantine: optional
WebBlocker with HTTPS URL filtering: optional

Please contact us for a quotation or further information.

The Cisco ASA can be configured to block users from logging in to MSN Messenger. The configuration is based on service policies and does not require the Anti-X module. Create a service policy that inspects the IM traffic passing through the ASA firewall and checks the login names of MSN users. If a login name matches the pre-defined string, that user is blocked from logging in. In this example, every MSN login is blocked by matching the string "@", which is present in every MSN user ID.

This sample configuration was tested on a Cisco ASA 5510 running OS version 8.2(1) and ASDM version 6.2(1).

It is assumed that IP routing, NAT and the firewall rules are already configured and that the firewall is functioning normally. For a basic sample configuration of the ASA 5510, please refer to the post "Cisco ASA firewall basic configuration".

1) Create a regular expression named "IM_MSN_Any". The regex contains a single string, "@". Alternatively, you can create multiple regexes covering only the user IDs you want to block, so that other users can still use MSN.

(Screenshot: Cisco ASA Block MSN, Create Regular Expression)

2) Create a Regular Expression Group, then add the regex created in Step 1 to the group.

(Screenshot: Cisco ASA Block MSN, Create Regular Expression Group)

3) Create an IM Class Map. The class map matches all IM traffic and checks whether the traffic matches the regex defined in the previous steps.

(Screenshot: Cisco ASA Block MSN, Create IM Class Map)

4) Create an IM Inspection Map. The inspection map determines the action taken when IM traffic matches the class map defined in Step 3.

(Screenshot: Cisco ASA Block MSN, Create an IM Inspection Map)

5) Create a service policy for the inside interface (or for other interfaces, if the policy is to apply to those interfaces).

(Screenshots: Cisco ASA Block MSN, Create Service Policy)
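The same five ASDM steps expressed on the CLI, as an added example that is not part of the original post. The object names (IM_MSN_Group, IM_MSN_Class, IM_MSN_Policy, IM_Traffic, inside_policy) and the choice of TCP port 1863 as the MSN Messenger traffic to send through IM inspection are my assumptions; check them against the 8.2 command reference before applying.

```cisco
! Step 1: regular expression that matches every MSN login name
regex IM_MSN_Any "@"

! Step 2: regular expression group holding the expression
class-map type regex match-any IM_MSN_Group
 match regex IM_MSN_Any

! Step 3: IM class map, matches MSN logins whose login name hits the group
class-map type inspect im match-all IM_MSN_Class
 match protocol im-msn
 match login-name regex class IM_MSN_Group

! Step 4: IM inspection map, the action taken when the class matches
policy-map type inspect im IM_MSN_Policy
 class IM_MSN_Class
  drop-connection log

! Step 5: L3/L4 class for MSN traffic (assumed port 1863) and the
! service policy applied on the inside interface
class-map IM_Traffic
 match port tcp eq 1863
policy-map inside_policy
 class IM_Traffic
  inspect im IM_MSN_Policy
service-policy inside_policy interface inside

! Verify: dropped logins show up as hit counts here and as log messages
show service-policy interface inside
```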

For more information about this configuration or the Cisco ASA firewall, please leave a message or contact us.


Cisco ASA 5500 Version 8.3

Cisco ASA 5500 series version 8.3 was released a few months ago, but if your ASA was bought some time ago you have to be aware of the minimum memory requirements of 8.3 for the different models. Please follow this link for the memory requirements:

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp321918

For example, the ASA5510 shipped last year has 256MB DRAM, while the required memory for 8.3 is 1GB. So it is necessary to upgrade the memory before upgrading the firmware. The part number for the memory is ASA5510-MEM-1GB=. Please contact us if you need more information.

Upgrade ASA 5510 from 8.2.1 to 8.3.2

In ASA 5500 version 8.3.2, some commands are obsolete. For example, the "static" command used to create one-to-one NAT mappings is replaced by object-based NAT. For details, refer to the release notes at the link above.

I just tried to upgrade my ASA 5510 from OS 8.2.1 to 8.3.2. The ASA 5510 had what a typical firewall is configured with: one-to-one NAT mappings for the email server and web server; port address translation (PAT) for outgoing traffic; access control lists for all interfaces; remote access IPSec VPN and AnyConnect VPN.

During the upgrade, the ASA firewall automatically converted the obsolete commands to the new commands. The upgrade process was captured as below:

*************************************************************************
**                                                                     **
**  Note that for a failover deployment, both devices in the pair      **
**  must have identical memory.                                        **
**                                                                     **
*************************************************************************
Reading from flash…
!!!!!!!
REAL IP MIGRATION: WARNING
In this version access-lists used in ‘access-group’, ‘class-map’,
‘dynamic-filter classify-list’, ‘aaa match’ will be migrated from
using IP address/ports as seen on interface, to their real values.
If an access-list used by these features is shared with per-user ACL
then the original access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on
different interfaces are not detectable by automated Real IP migration.
If your deployment contains such scenarios, please verify your migrated
configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete
explanation of the automated migration process.

INFO: MIGRATION – Saving the startup configuration to file

INFO: MIGRATION – Startup configuration saved to file ‘flash:8_2_1_0_startup_cfg.sav’
*** Output from config line 4, “ASA Version 8.2(1) ”
….WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 203, “access-group inside_acce…”
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
WARNING: MIGRATION: During migration of access-list <outside_access_in> expanded
this object-group ACE
permit tcp any host 202.155.218.219 object-group DM_INLINE_TCP_4
WARNING: MIGRATION: During migration of access-list <outside_access_in> expanded
this object-group ACE
permit tcp any host 202.155.218.218 object-group DM_INLINE_TCP_1
WARNING: MIGRATION: During migration of access-list <outside_access_in> expanded
this object-group ACE
permit icmp any host 202.155.218.218 object-group DM_INLINE_ICMP_1
*** Output from config line 204, “access-group outside_acc…”
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 205, “access-group dmz_access_…”
……..ERROR: Address pool vpnpool2 does not exist.
*** Output from config line 478, ” address-pools value vpn…”

Cryptochecksum (unchanged): 7184f3e3 63473f61 4d2636da 92b0ba0a
NAT migration logs:
The following ‘nat’ command didn’t have a matching ‘global’ rule on interface ‘dmz’ and was not migrated.
nat (inside) 101 Net_VLAN3 255.255.255.0

The following ‘nat’ command didn’t have a matching ‘global’ rule on interface ‘dmz’ and was not migrated.
nat (inside) 101 Net_VLAN1 255.255.255.0

The following ‘nat’ command didn’t have a matching ‘global’ rule on interface ‘dmz’ and was not migrated.
nat (dmz) 101 192.168.0.0 255.255.255.0

INFO: NAT migration completed.
Real IP migration logs:
ACL <outside_access_in> has been migrated to real-ip version

INFO: MIGRATION – Saving the startup errors to file ‘flash:upgrade_startup_errors_201008110827.log’

After the upgrade, I found that most functions were working properly. I could access the Internet, send and receive emails, and the web server was working fine. The IPSec VPN client could log in to the ASA firewall and build the VPN tunnel; however, it seemed that the client could not access the internal network, which it was originally able to. Later it was found that the NAT exemption rules, which were used to exclude the VPN traffic from NAT, were not properly configured.

I am not sure whether I changed anything after the upgrade, since I tested the IPSec client only days later, but I remember that I had not changed anything. I will try to revert the ASA firewall to 8.2.1 and then upgrade again to test it later.

After all, this upgrade involves configuration changes and, unlike previous upgrades such as from 8.1 to 8.2, it is more risky, so more tests have to be conducted to make sure everything works. The good news is that it provides a way to boot to the previous configuration and OS, so if the upgrade fails it won't take you long to fall back.

Upgrade ASA 5510 from 8.2.1 to 8.3.2 (II)

Today I tried the upgrade again. This time I was able to compare the configuration files from before the upgrade, right after the upgrade, and the one I changed after the upgrade with everything working.

It was found that only the NAT exemption rules were not migrated correctly. In my case, it affected only the remote access VPN clients, which could not access LAN resources even after connecting successfully. Other functions such as outgoing traffic to the Internet and incoming traffic to our web servers and email servers were working properly.

Before the upgrade, the NAT exemption rules looked like this:

nat (inside) 0 access-list inside_nat0_outbound

The access list 'inside_nat0_outbound' defines which traffic is not NATed when going from the inside interface to any other interface. Usually it is traffic from LAN IPs to VPN client IPs.

After the 8.2 to 8.3 upgrade, the ASA migrates the configuration above to something like this:

nat (inside,any) source static <IP Subnet> <IP Subnet> destination static <obj-IP-subnet> <obj-IP-subnet> unidirectional

There may be several such lines, depending on whether you have multiple IP pools for VPN clients in different VPN groups.

The only thing I changed to make it work was to remove the parameter 'unidirectional' from the command:

nat (inside,any) source static <IP Subnet> <IP Subnet> destination static <obj-IP-subnet> <obj-IP-subnet>
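The migration and the fix with concrete values, as an added example that is not taken from the post's own configuration. The subnets (192.168.1.0/24 for the LAN, 10.10.10.0/24 for the VPN client pool) and the object names Net_LAN and Net_VPN_Pool are constructed; the migration tool names its objects differently. With the unidirectional keyword the rule only covers connections the LAN side initiates, so a VPN client opening a connection toward the LAN never matches the exemption, which is the symptom described above.

```cisco
! 8.2(1): NAT exemption through an ACL, LAN subnet to the VPN client pool
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 8.3(2): what the automatic migration produces (object names assumed)
object network Net_LAN
 subnet 192.168.1.0 255.255.255.0
object network Net_VPN_Pool
 subnet 10.10.10.0 255.255.255.0
nat (inside,any) source static Net_LAN Net_LAN destination static Net_VPN_Pool Net_VPN_Pool unidirectional

! Fix: replace the rule without 'unidirectional' so connections that the
! VPN clients initiate toward the LAN are exempted from NAT as well
no nat (inside,any) source static Net_LAN Net_LAN destination static Net_VPN_Pool Net_VPN_Pool unidirectional
nat (inside,any) source static Net_LAN Net_LAN destination static Net_VPN_Pool Net_VPN_Pool

! Verify the twice-NAT rule is installed and its translate_hits increase
show nat
```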

You can try this to see if it works on your ASA. For more information about the migration, refer to the migration document from Cisco:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Read well.

We also provide professional service to perform upgrade for customers. Please contact us or leave a comment for more information.


The Cisco ASA firewall has lots of security features. It can be deployed at the network perimeter to protect the LAN from security threats on the Internet.

Hardware modules can be added to provide advanced features such as anti-spam, anti-virus, web filtering and IPS.

The ASA can also be deployed as a VPN gateway to build site-to-site VPN tunnels between offices. You can also provide the bundled Cisco VPN client to your end users, who can then build a remote access VPN tunnel to the ASA from anywhere on the Internet.

Furthermore, the ASA supports SSLVPN and comes with a 2-concurrent-connection SSLVPN license. End users do not need to install a VPN client and can connect to the corporate network using just a web browser.

If you have just purchased an ASA firewall and simply want to make it work, letting end users access the Internet while blocking all incoming traffic from the Internet, you can copy and paste the following configuration to your ASA using the console. After that, connect the LAN and WAN cables correctly and you are done.

Of course, this configuration alone does not make full use of the ASA's features. Leave your questions and I will try to answer them, or you can contact us.

Visit our homepage for more ASA information.

Step 1: Connect to the ASA console using the blue cable that comes with the ASA

Refer to this guide if you don't know how. It doesn't matter whether it is a switch or an ASA; connecting to the console port is the same for these Cisco devices.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008010ff7a.shtml#connecttermtocat

Step 2: Enter config mode. No password is required by default.

ciscoasa>enable

ciscoasa#config t

ciscoasa(config)#

Step 3: Replace the IP addresses with ones that suit your network, then copy and paste the configuration to the console.

interface Ethernet0/0
nameif inside
security-level 100
ip address <IP of LAN default gateway> <Subnet mask>
no shutdown
!
interface Ethernet0/1
nameif outside
security-level 0
ip address <IP provided by ISP> <Subnet mask>
no shutdown

access-list outside_access_in extended deny ip any any log
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended deny ip any any log

global (outside) 1 interface
nat (inside) 1 0 0

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 <IP of default gateway provided by your ISP>

Step 4: Save the config with the command 'write mem'.

Step 5: Connect the LAN and WAN cables and you are done.

The configuration is written for an ASA 5510. Since interface numbering may differ between models, change the interface numbers to match the model you are using.

HTH:)