
Tuesday, January 9, 2018

There are many policies that can be configured for a single user in different places on the ASA, but the ASA reads them in a defined order. Understanding how the ASA decides which policies to assign to a particular user is crucial for troubleshooting.

For a user connected via VPN, policies are applied in 2 stages.

1. Pre-Login Policy
2. Post-Login Policies

Pre-Login Policy

The Connection Profile (Tunnel Group) controls the Pre-Login Policy entirely.

When a user connects with a VPN client such as Cisco AnyConnect, he is asked to select a group. This group is actually the tunnel group, or in ASA terms the Connection Profile.

In the capture you can see the group name is Anyconnect, which means there is a Connection Profile named Anyconnect on the ASA with a Group Policy bound to it. That Group Policy tells how the user should be authenticated, which IP address to assign (unless it is a clientless SSL connection), which DNS servers to use, and so on.
If no specific Group Policy is bound, the Default Connection Profiles are used.

After the login succeeds, the Post-Login Policies are applied to the same user.

Post-Login Policies

Post-Login Policies define the permissions, authorizations, restrictions and so on for a particular user.

Dynamic Access Policies (DAP) are the first to be evaluated after a user is authenticated. If no specific DAP matches, the default DfltAccessPolicy is applied.

Ex:- A Dynamic Access Policy can, for instance, restrict access to a specific internal server depending on whether the authenticated user has an active firewall on his machine.

For all items not matched by the DAP, the order shown in the screenshot is used.

Ex:- A connection timeout is configured with two different values for a user, one on the Group Policy of his Connection Profile and one on his User Group Policy. In this case the value from his User Group Policy is used, because it comes earlier in the order.

This means that the Connection Profile can have a different Group Policy than the User Profile has.

If no Group Policy is configured on the ASA, the Default Group Policies are applied, as in the Pre-Login Policy.

There are 2 Default Group Policies, one for SSL and one for IPsec.
Depending on the connection type, a user ends up in one of them.

You can view the result of this order of operations in real time for the users that connect under Monitoring > VPN > VPN Statistics > Sessions in ASDM.

On the CLI, the show vpn-sessiondb command gives similar output.
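As an added example (not from the original post), here is an ASA configuration with the same attribute, vpn-idle-timeout, set at every level described above, so the precedence can be read off directly. The group-policy names, the local user roshan and its placeholder password are assumptions; a matching DAP, configured in ASDM rather than on the CLI, would sit above all of these.

```cisco
! Added example (not from the original post). GP-TG, GP-USER and roshan are made up.
! 5th (last resort): the system default group policy, 30 minutes by default
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
!
! 4th: the group policy bound to the connection profile (tunnel group)
group-policy GP-TG internal
group-policy GP-TG attributes
 vpn-idle-timeout 60
!
! 3rd: the user's own group policy (the post's "User Group Policy")
group-policy GP-USER internal
group-policy GP-USER attributes
 vpn-idle-timeout 15
!
! 2nd: attributes set directly on the user (assumes a local user; placeholder password)
username roshan password CHANGE-ME-PLACEHOLDER
username roshan attributes
 vpn-group-policy GP-USER
 vpn-idle-timeout 10
!
! Pre-login: the connection profile the user picks in AnyConnect and what it hands out
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
 default-group-policy GP-TG
!
! Result for roshan after login: idle timeout 10. Remove the per-user vpn-idle-timeout
! and it becomes 15 (GP-USER); remove vpn-group-policy too and it becomes 60 (GP-TG);
! remove default-group-policy and it falls back to 30 (DfltGrpPolicy).
! 1st, above all of these: a matching Dynamic Access Policy (configured in ASDM, not here).
! Verify on the box once the user is connected:
!   show vpn-sessiondb detail anyconnect filter name roshan
!   show running-config all group-policy DfltGrpPolicy
```

When the timeout a user actually gets is not the one you expect, walk this list from the top down: the first level that sets the attribute is the one in effect.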

Monday, January 8, 2018

AnyConnect is used by many enterprises to let their users reach the internal network over the internet with the Cisco AnyConnect Mobility Client. Here is how to configure it on the ASA.

If you are going to practice this lab, you will need to go through the following posts:

Basic Installation of Microsoft Windows Server 2012 R2 in VMware Workstation
Installing Active Directory, DNS and DHCP on Windows Server 2012 R2
Configuring LDAP Services on Windows Server 2012 R2
Configuring AAA on Cisco ASA for LDAP Users to Use with VPNs
How to Enable ASDM Access to ASA

Well, the easiest method is to go through the Wizard.
Here is the manual way.

Create a Group Policy

Go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies
Click Add, give it a name and assign an address pool like below. You can create the address pool from the Select tab by adding a new pool and assigning it. This pool holds the addresses that will be handed out to the clients. In this topology I used 11.1.1.50 to 11.1.1.100 and named the pool 11-pool.
Now expand Advanced and select Split Tunneling. This is required because, by default, all of the client's traffic is sent through the VPN once it is connected. With split tunneling only the traffic destined for a network list specified on the firewall is tunneled. Set the policy to Tunnel Network List Below and specify the network list via the Manage tab. You will have to add the ACL (which is just the ACL's name) and then an ACE, which is the actual statement of the ACL.

The standard ACL I created permits 11.0.0.0/8 only, which means only traffic destined for the 11.0.0.0/8 network is sent through the VPN.

Specify Client Software

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software
Hit Add and browse the flash for an image.

Create a Connection Profile

Now go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

Add a new profile and configure it as follows.

Now tick the boxes as shown below.

Now users can connect to the VPN with the Cisco AnyConnect Mobility Client.

If users do not have the AnyConnect software, they can download it by browsing to the 10.1.1.200 IP address.

Note:- 

If you are unable to reach internal servers after the VPN is established, you may need to issue the following command on the ASA:
ASA(config)# sysopt connection permit-vpn

A useful show command on the CLI:
ASA# show vpn-sessiondb
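As an added example (not from the original post), this is the CLI equivalent of the ASDM steps above, using the values from this post: pool 11-pool, the 11.0.0.0/8 split-tunnel ACL and the connection profile Anyconnect. Assumed: the outside interface is named OUTSIDE, the AAA server group is AD as in the LDAP post on this page, and the AnyConnect package filename is a placeholder.

```cisco
! Added example (not from the original post): CLI form of the ASDM steps in this post.
! Assumptions: interface OUTSIDE, AAA server group AD, placeholder package filename.
ip local pool 11-pool 11.1.1.50-11.1.1.100 mask 255.255.255.0
!
! Split tunneling: only 11.0.0.0/8 goes through the tunnel, everything else stays local
access-list SPLIT-TUNNEL standard permit 11.0.0.0 255.0.0.0
!
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 address-pools value 11-pool
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! Client software the ASA offers to browsers that reach it (the 10.1.1.200 step)
webvpn
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Connection profile: authenticate against the AD (LDAP) server group, bind the group policy
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
 authentication-server-group AD
 default-group-policy GP-ANYCONNECT
tunnel-group Anyconnect webvpn-attributes
 group-alias Anyconnect enable
!
! Let decrypted VPN traffic bypass the interface ACLs (the command from the Note above)
sysopt connection permit-vpn
```

Split tunneling means traffic to anything outside 11.0.0.0/8 leaves the client directly and is never seen by the ASA, so keep the network list as tight as this one.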

Before reading this you may need to know how to configure LDAP on Windows Server. If so, click here and come back. This configuration is about using LDAP accounts for VPNs, not for ASA administration.

Steps:-

1. Define the LDAP server group name and protocol.
The server group name (tag) here is AD and the protocol is ldap.

ASA(config)# aaa-server AD protocol ldap

2. Define the reachable interface, the server IP address and the other parameters.
In my setup the AD server is reachable from the INSIDE interface and its IP is 11.2.2.20.
The domain is roshanznet.local.
sAMAccountName is a default for Windows servers, I guess.
The password is the administrator password of AD.

ASA(config)# aaa-server AD (INSIDE) host 11.2.2.20
ASA(config-aaa-server-host)# ldap-base-dn DC=roshanznet,DC=local
ASA(config-aaa-server-host)# ldap-scope subtree
ASA(config-aaa-server-host)# ldap-naming-attribute sAMAccountName
ASA(config-aaa-server-host)# ldap-login-password roshan123#
ASA(config-aaa-server-host)# ldap-login-dn CN=administrator,CN=Users,DC=roshanznet,DC=local
ASA(config-aaa-server-host)# server-type microsoft


You can test the authentication as follows:
ASA# test aaa authentication AD host 11.2.2.20 username roshan password C1sc0#adm

roshan is a username I created on AD and its password is C1sc0#adm. The following results are displayed if everything works fine.

LDAP is required for many network devices to work, including the VPN configuration of the ASA, wireless authentication by a WLC or ISE, and so on. So I thought it would be useful for network engineers to know how to get it working.

Before doing this you need to install AD services, which is described here.

Then you will need to create a user account by going to Server Manager > Tools > Active Directory Users & Computers.
Expand the domain name and select the 'Users' folder.

Then create a new user and give him a password.

Now go to Server Manager > Add Roles & Features.
The "Add Roles & Features" wizard appears. Basically you only need to hit Next until you are asked to select Server Roles.

Select Active Directory Lightweight Directory Services and hit Next on all the remaining windows.


After the installation, click on the Notifications icon (the flag with the exclamation mark).

You will notice that a Post-deployment Configuration is pending. Click the blue link underneath to Run the AD LDAP Servi..

An installation wizard pops up.

For my installation I just hit Next through everything with the default, automatically filled settings.

Now you may need to refresh the Server Manager dashboard, and everything will work fine.

Monday, January 1, 2018

This post is about a weird result I encountered while troubleshooting NAT-related issues.

The configuration is as follows:

R1(config)#int e0/0
R1(config-if)#ip nat outside
R1(config)#int e0/1
R1(config-if)#ip nat inside

R1(config)#ip nat inside source static 192.168.1.11 203.115.41.111
R1(config)#ip nat inside source static 192.168.1.12 203.115.41.112

R2(config)#int e0/0
R2(config-if)#ip nat outside
R2(config)#int e0/1
R2(config-if)#ip nat inside

R2(config)#ip nat inside source static 192.168.2.11 203.115.41.221
R2(config)#ip nat inside source static 192.168.2.12 203.115.41.222

Now everything works fine. Pings from PC-1 to the public IP of Server-1 (203.115.41.221) succeed.

The thing to note here is the TTL value of 253, which means the server is 2 hops away.

Now let's power down Server-1 and start a ping from PC-1.

Obviously it does not ping.

But what if the ip nat outside command on e0/0 of R2 is not issued?

Well, now it is reachable. Notice the TTL value, which is 254 this time, telling us the hop count is 1.
This means R2 itself is responding on behalf of the internal servers even though they are not reachable.

Traffic does not even reach the servers and no translation occurs, but R2 replies for the public IPs of the servers because of the NAT misconfiguration. The TTL in the reply is the giveaway: a reply that really came from the server arrives with TTL 253, not 254.

Note:- 

This happens with domainless NAT too.