Tech 21 Century » Cisco ASA General

How to Recover a preshared key of IPSEC VPN on Cisco ASA

BlogAdmin — Sat, 10 Apr 2010 10:39:12 +0000

One of the ways to configure authentication between two Cisco ASA firewalls having a site-to-site IPSec VPN tunnel between them is to configure a pre-shared key under the tunnel group attributes. This is actually the most common implementation of IPSEC lan-to-lan authentication that you will find in most real life networks.

The pre-shared key must be the same on both IPSEC VPN devices between which the secure tunnel is created. To configure the pre-shared key on a Cisco ASA:

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key key123

Now, after configuring the pre-shared key, it is stored as encrypted hash on the ASA appliance and therefore when you view the running configuration (show run) you don’t see the actual clear text key anymore (i.e instead of “key123” you will see “*”).

Ciscoasa# show run

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

The problem arises when you forget the pre-shared key after a few months and you want to change one of the VPN tunnels. This situation happened to me recently when I had to change the public IP address on one of the ASA sites which had a Lan-to-Lan tunnel with a second ASA. Therefore I had to reconfigure the tunnel group and re-enter the old pre-shared key. However, I did not have it stored in clear text anywhere. The way to recover the pre-shared key is actually simple. Use the more system:running-config command. This command shows the pre-shared key in clear text format:

Ciscoasa# more system:running-config

…..
…..
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key key123

Comparison Between Cisco ASA WebVPN Technologies

BlogAdmin — Mon, 15 Mar 2010 20:10:17 +0000

Cisco ASA supports two major WebVPN modes: Clientless WebVPN and Anyconnect WebVPN.

Let’s see the differences between the two WebVPN modes and I’m sure you will understand why the AnyConnect mode is much better in my opinion.

Clientless WebVPN does not require any VPN client to be installed on user’s computer. It uses a normal web browser. By pointing the browser to https://[outside address of ASA] the user authenticates with the firewall and gets access to a Web Portal. Through this Web Portal, the user can then access a limited number of internal applications. Specifically, only internal Web applications (HTTP, HTTPs), email servers (POP3, SMTP, IMAP), Windows file shares and a small number of TCP legacy applications (e.g Telnet) can be accessed. That is, there is no full network connectivity with Clientless WebVPN.

[ad#embedded-square]

AnyConnect WebVPN, on the other hand, provides FULL network connectivity to the remote user. The ASA firewall, working as AnyConnect WebVPN server, assigns an IP address to the remote user and attaches the user to the network. Thus, all IP protocols and applications function across the SSL VPN tunnel without any problems. For example, a remote user, after successfully authenticated with AnyConnect VPN, can open a Remote Desktop connection and access a Windows Terminal Server inside the central network. Although a special Java-based client is required to be installed on the user’s desktop, this client can be supplied dynamically to the user from the ASA. The user can connect with a browser to the ASA firewall and download the Java client on demand. The Java client can remain installed or even get removed from the user’s desktop when disconnected from the ASA appliance. This Java client is small in size (around 3MB) and is stored on the ASA flash memory.

Cisco AnyConnect SSL VPN Client on Cisco ASA 5500

BlogAdmin — Fri, 19 Jun 2009 20:01:10 +0000

The convenience and advantages of secure VPNs has driven the specific technology to keep evolving continuously. Several years ago we only had the standardized IPSec VPN (which still strongly exists today). IPSec is a pure IP network VPN technology for connecting distant LAN networks over unsecured paths. Also, IPSec is used for client VPNs connecting remote teleworkers to their central site network. The characteristic of IPSec VPNs is that it provides FULL network connectivity between the VPN peers. That is, a remote access client IPSec VPN will connect the remote user to the central network just like the user would be locally connected.

After IPsec, the Web SSL VPN made its appearance. The remote user needs just a Web Browser with HTTPs to connect to the central site network. After authentication, the user is presented with a Web portal with links to the applications he is allowed to run. That is, the Web SSL VPN does not provide full network visibility to the remote user. The user has access only to specific applications (like internal email, internal files etc). Both IPSec VPNs and SSL VPNs are supported by Cisco ASA 5500 firewalls.

The newest generation of remote access VPNs is offered from Cisco AnyConnect SSL VPN client. This is supported by Cisco ASA 8.x. The AnyConnect SSL VPN provides the best features from both of the other VPN technologies (IPSec and Web SSL). With AnyConnect, the remote user has full network connectivity to the central site. Also, it offers the convenience of the Web SSL since there is no need to install an IPSec VPN client permanently to the user’s computer. Instead, there is an SSL client stored in the ASA flash memory which is downloaded to the remote user’s computer on demand.

How AnyConnect SSL VPN Client works

For first time user connection, the remote teleworker just opens a browser pointing to https://. The browser connects to the ASA firewall and presents the user with a login screen. The user enters his credentials (username/password) and the ASA identifies that the user does not have the SSL client installed. Therefore it pushes the SSL client to the user’s computer. The client installs itself to the remote PC and establishes a secure SSL VPN connection between the remote user and the ASA. The user is also assigned an IP address from an address pool configured on the ASA and has full network access to the central site. When the SSL connection is stopped, the SSL client either uninstalls itself or remains on the user’s PC (depending on the configuration of the ASA).

In the case of a previously installed client, when the user authenticates, the security appliance examines the revision of the client, and upgrades the client as necessary.

The AnyConnect SSL client can be downloaded from the security appliance, or it can be installed manually on the remote PC by the system administrator.

In another post I will explain how to configure the AnyConnect SSL VPN on a Cisco ASA 5500 firewall.

Access Lists and NAT on Cisco ASA Firewalls. Some Clarifications

BlogAdmin — Mon, 13 Apr 2009 08:25:59 +0000

Access Control Lists (ACLs) and Network Address Translation (NAT) are two of the most common features that coexist in the configuration of a Cisco ASA appliance. For both inbound and outbound access control lists, the IP addresses specified in the ACL depend on the interface where the ACL is applied. These IP addresses must be valid on the specific interface that the ACL is attached, regardless of NAT. Keep the following statement in mind: An Access Control List takes precedence over NAT. That is, an ACL is evaluated FIRST and then a NAT rule is applied to the packet.

For example, assume an inside host with private address 10.1.1.10 is translated to a public address 200.200.200.10 for outbound traffic (inside to outside). An ACL applied to the inside interface of the ASA firewall will first be evaluated to verify if the host 10.1.1.10 can access the Internet (outbound communication) and if the ACL permits this communication, only then NAT will be performed to translate 10.1.1.10 to 200.200.200.10. This is shown in the figure below.

See the following commands for the example above:

!The following ACL is evaluated first

ciscoasa(config)# access-list INSIDE extended permit ip host 10.1.1.10 host 100.100.100.1

ciscoasa(config)# access-group INSIDE in interface inside

!NAT can be applied only if ACL allows the communication

ciscoasa(config)# global (outside) 1 200.200.200.10 netmask 255.255.255.255

ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0

[ad#embedded-square]

Similarly, a scenario with inbound traffic (outside to inside) works again the same way. That is, an ACL is evaluated first for inbound traffic and then a NAT translation rule is applied. For example, assume we have a Web Server located on the inside network (should be on a DMZ for better security but for the sake of simplicity we assume it is located on the inside network). The private address configured on the Web Server is 10.1.1.10. We configured also static NAT on the Firewall to map the private address of the Web Server to a public address 200.200.200.10 on the outside (see figure below). Inbound traffic coming from the Internet towards the public address of the Web Server will first go through an ACL to verify if the traffic is permitted or not. If traffic is allowed by the ACL, then the static NAT will be applied to translate the destination address from 200.200.200.10 to 10.1.1.10.

See the following commands for the example above:

!The following ACL is evaluated first

ciscoasa(config)# access-list OUTSIDE extended permit tcp any host 200.200.200.10 eq 80

ciscoasa(config)# access-group OUTSIDE in interface outside

! Static NAT can be applied only if ACL allows the communication

ciscoasa(config)# static (inside,outside) 200.200.200.10 10.1.1.10 netmask 255.255.255.255

UPDATE:

For Cisco ASA version 8.3 and later, the order of operation regarding ACL and NAT is still the same (i.e ACLs are evaluated first and then static NAT takes place), HOWEVER the ACL now must reference the real private IP of the server and NOT the public IP.

In our example above, for ASA 8.3 the ACL would look like below:

ciscoasa(config)# access-list OUTSIDE extended permit tcp any host 10.1.1.10 eq 80

The power of the Show Version command on Cisco ASA

BlogAdmin — Sat, 04 Apr 2009 13:01:28 +0000

Maybe the most popular and frequently used command on Cisco ASA firewalls is the one which shows the current running configuration, that is the “show run” command. However, maybe the most powerful command on Cisco ASA is the “show version” command. An example output of a show version command is shown below:

CISCO-ASA# show version

Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
Compiled on Wed 15-Aug-07 16:08 by builders
System image file is “disk0:/asa723-k8.bin”
Config file at boot was “startup-config”

CISCO-ASA up 25 mins 32 secs

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0×0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Int: Internal-Data0/0    : address is 001e.4afa.2404, irq 11
1: Ext: Ethernet0/0         : address is 001e.4afa.23fc, irq 255
2: Ext: Ethernet0/1         : address is 001e.4afa.23fd, irq 255
3: Ext: Ethernet0/2        : address is 001e.4afa.23fe, irq 255
4: Ext: Ethernet0/3         : address is 001e.4afa.23ff, irq 255
5: Ext: Ethernet0/4         : address is 001e.4afa.2400, irq 255
6: Ext: Ethernet0/5         : address is 001e.4afa.2401, irq 255
7: Ext: Ethernet0/6         : address is 001e.4afa.2402, irq 255
8: Ext: Ethernet0/7         : address is 001e.4afa.2403, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:

Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.

Serial Number: 1234567890
Running Activation Key: 123456781234567812345678

Configuration register is 0×1
Configuration last modified by enable_15 at 05:35:16.773 UTC Wed Apr 2 2008

Usefulness of show version command:

The power of the show version command comes from the wealth of useful information you can obtain from the output of this command. Use the show version command to display the following information:

Appliance software version (in our example above it is 7.2(3)
Software version of ASDM GUI software (in our example above it is 5.2(3)
Where the appliance software image file is located (disk0:/asa723-k8.bin)
Appliance up-time since last reboot (25 mins 32 secs)
Appliance model, RAM memory and CPU type (ASA5505, 256 MB RAM, CPU Geode 500 MHz)
Flash Memory (Internal ATA Compact Flash, 128MB)
MAC Addresses of Ethernet Network Interfaces.
Licensed features
Serial Number (this can be used to order software upgrades)
Running activation key
Last time the configuration was modified.

Traffic Rate Limiting on Cisco ASA

BlogAdmin — Tue, 31 Mar 2009 06:12:27 +0000

With the new modular policy framework (MPF) introduced in ASA versions 7.x and 8.x, the firewall administrator is now able to apply policing and rate limiting to traffic passing through the ASA appliance. I got a few questions from people how this functionality works and decided to throw in a quick example below which you can easily modify accordingly to match your needs.

Scenario:

We want to rate limit a local internal host when accessing a specific external public server. The local host is 192.168.1.10 and the external public server is 100.100.100.1. We need to limit the traffic to 100kbps and burst size 8000.

Configuration Snippet:

ASA(config)#access-list rate-limit-acl extended permit ip host 192.168.1.10 host 100.100.100.1

ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-acl

ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 100000 8000

ASA(config)#service-policy limit-policy interface outside

Connections and Translations on Cisco ASA Firewalls

BlogAdmin — Sun, 22 Mar 2009 14:56:49 +0000

In order to be able to monitor and troubleshoot your Cisco ASA firewall, you need to understand the difference between connections and translations.

Refer to the diagram above for an explanation about Connections and Translations.

A Connection works at the Transport Layer and includes the Source IP/Source Port and the Destination IP/Destination Port. Connections are subsets of Translations. You can have many connections open that are all using the same Translation. For example, a connection shown above is originated from Internal source host 192.168.1.1 with source port 1030 towards a Destination host (public Web Server) 100.100.100.1 on Destination Port 80.

A Translation works at the IP Layer and includes the Real IP Address and the Mapped (Translated) IP Address. Using NAT or PAT, a Real IP address is translated to a Mapped IP address and vice-versa. From the diagram above, the Real IP address 192.168.1.1 is translated to a Mapped IP address 20.20.20.1.

Connection Related Commands

ASA# show conn
ASA# show conn details
ASA# show local-host

The above commands will display the current active connections and information details about each connection. An example output is the following:

TCP outside:100.100.100.1/80 inside:192.168.1.1/1030 idle 0:00:05 bytes 1965 flags UIO

Translation Related Commands

ASA# show xlate
ASA# show xlate detail
ASA# clear xlate

The commands above enable you to display or clear the contents of the translation table. An example output is the following:

NAT from inside:192.168.1.1 to outside:20.20.20.1 flags i

Cisco ASA Multiple Context Mode – Configuring Virtual Firewalls on Same Chassis

BlogAdmin — Tue, 17 Mar 2009 08:47:12 +0000

A single Cisco ASA appliance can be partitioned into multiple virtual firewalls known also as “Security Contexts”. Each security context acts as a separate firewall with its own security policy, interfaces and configuration. However, some features are not available for virtual firewalls, such as IPSEC and SSL VPN, Dynamic Routing Protocols, Multicast and Threat Detection.

All firewall models (except ASA 5505) support multiple security contexts. By default, all models support 2 security contexts without a license upgrade (except the ASA 5510 which requires the security plus license).

[ad#embedded-square]

Each security context that you create on the appliance includes its own configuration file (filename.cfg) stored on local flash memory. This configuration file contains the security policy, the included interfaces and the virtual firewall configuration of the specific security context. By default, an admin context is always created having a configuration file “admin.cfg“. This is just like any other security context except that when a user logs in the admin context then he has full administrator access to all other security contexts.

When you convert the appliance from single context mode to multiple context mode (using the command “mode multiple“) the firewall converts the current running configuration into two files: a new startup configuration that comprises the system configuration, and “admin.cfg” that comprises the admin context (stored in the root directory of the internal Flash memory). The original running configuration is saved as “old_running.cfg” (in the root directory of the internal Flash memory).

Configuring Security Contexts

! Enable multiple context mode
ASA(config)# mode multiple

! Then reboot the appliance.

! Configure the administrator context
ASA(config)# admin-context administrator
ASA(config)# context administrator
ASA(config-ctx)# allocate-interface gigabitethernet0/1.10
ASA(config-ctx)# allocate-interface gigabitethernet0/1.11
ASA(config-ctx)# config-url flash:/admin.cfg

! Configure other contexts as required
ASA(config)# context customerA
ASA(config-ctx)# allocate-interface gigabitethernet0/2.100
ASA(config-ctx)# allocate-interface gigabitethernet0/2.200
ASA(config-ctx)# config-url flash:/customerA.cfg

! Configure other contexts as required
ASA(config)# context customerB
ASA(config-ctx)# allocate-interface gigabitethernet0/2.111
ASA(config-ctx)# allocate-interface gigabitethernet0/2.222
ASA(config-ctx)# config-url flash:/customerB.cfg

Changing between contexts and the system execution space:

When you connect with a console cable on the appliance, you will log in the system configuration (or the system execution space). The “system execution space” is the global appliance space from where you can then enter into specific security contexts. If you are logged in the “system execution space” and issue a “show run” command, this will ONLY show you the global system configuration and NOT the various security contexts configurations. You will need to log into a specific security context in order to change or see its configuration.

To change between the system execution space and a context, or between contexts, see the following commands:

! To change to a context named CustomerA, enter the following command:
ASA# changeto context CustomerA

! The prompt changes to the following:
ASA/CustomerA#

! To change back to the system execution space, enter the following command:
ASA/CustomerA# changeto system

! The prompt changes to the following:
ASA#

Password Recovery for the Cisco ASA 5500 Firewall

BlogAdmin — Wed, 11 Feb 2009 11:33:53 +0000

If you have lost the administrator password to access the security appliance you can recover the password with the following steps:

Step1: Connect to the firewall using a console cable

Step2: Power cycle the appliance (power off and then on)

Step3: Press the Escape key to enter ROMMON mode

Step4: Use confreg command to change the configuration register to 0×41

rommon #1> confreg 0×41

Step5: Configure the security appliance to ignore the startup configuration.

rommon #2> confreg

The ASA firewall will display the current configuration register value and boot parameters and ask you if you want to change them

Current Configuration Register: 0×00000041

Configuration Summary:

boot default image from Flash

ignore system configuration

Do you wish to change this configuration? y/n [n]: y

Step6: At the prompt enter Y to change the parameters.

Step7: Accept the default values for all settings (at the prompt enter Y)

Step8: Reload the ASA appliance by entering the following command

rommon #3> boot

The firewall will reboot and load the default configuration instead of the startup configuration.

Step9: Enter into EXEC mode

hostname> enable

When prompted for the password, press Enter (the password in blank now)

Step 10: Access the global configuration mode and change the passwords as required:

hostname# configure terminal
hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password

Step 11: Load the default configuration register value (0×1) by entering the following command:

hostname(config)# no config-register

Step 12: Save the new passwords to the startup configuration by entering the following command:

hostname(config)# copy running-config startup-config

Using the ROMMON to load a new image on Cisco ASA Firewall

BlogAdmin — Thu, 05 Feb 2009 08:42:13 +0000

If for any reason the software image on your Cisco ASA appliance is corrupted and the device does not boot to normal operating mode, then you can load a new image using ROMMON (ROM monitor mode) and TFTP. Follow the steps below to get into ROMMON mode and then assign all necessary settings for uploading the new image file:

Step1: Connect to the ASA firewall using a console cable.

Step2: Power off the appliance and then power it on.

Step3: When the appliance starts, press the Escape key on your keyboard to force the appliance to enter ROMMON mode.

Step4: In ROMMON mode, configure all necessary settings for connecting to the TFTP server to load the new image. You need to connect a PC with TFTP server on a firewall port (e.g Ethernet0/0). Then enter the following commands on the ASA.

rommon #1> ADDRESS=192.168.1.10
rommon #2> SERVER=192.168.1.1
rommon #3> GATEWAY=192.168.1.1
rommon #4> IMAGE=asa800-232-k8.bin
rommon #5> PORT=Ethernet0/0

The above configuration will assign an IP address of 192.168.1.10 to interface Ethernet0/0 of the firewall appliance. It will also tell the firewall that the TFTP SERVER is at address 192.168.1.1 and the image to load is asa800-232-k8.bin

Step5: Execute the TFTP upload from the ASA using:

rommon #6> tftp

The above instructs the firewall to start uploading the image file from TFTP.

After the firewall reboots, login and check that the new image has been installed (show version)