Cisco Archives

Allowing Microsoft PPTP through Cisco ASA

The Microsoft Point to Point Tunneling Protocol (PPTP) is used to create a Virtual Private Network (VPN) between a PPTP client and server. It is used for remote access from mobile users to connect back to their corporate network over the Internet. A PPTP client connects and authenticates to the PPTP server which assigns an IP address to the client and attaches the remote user to the network. After that, the remote user has full network connectivity just like being connected locally.

In the older PIX version 6.x, you could configure the PIX firewall itself to work as a PPTP server, thus you didn’t even need to have a Windows PPTP server in place. With the new ASA firewall however, you cannot terminate PPTP on the ASA itself. Therefore you must have a Microsoft PPTP server in the network in order to terminate PPTP connections from clients.

[ad#embedded-square]

PPTP uses two protocols: GRE to encapsulate PPP packets and a control channel at TCP port 1723. Any stateful firewall would have a problem with allowing PPTP protocol without any special “fixup” because of the two protocols needed for communication (GRE and TCP 1723). Cisco ASA allows you to pass PPTP traffic through with a special “inspection” mechanism which checks the control traffic (TCP 1723) in order to dynamically open also access for GRE traffic to pass through with no problems.

In this post we will see two scenarios of allowing PPTP traffic through a Cisco ASA. In the first scenario we have a PPTP client on the inside of ASA which communicates with a PPTP server on the outside zone. In the second scenario we have a PPTP client on the outside of ASA which communicates with a PPTP server on the inside.

Scenario 1: PPTP client on inside and server on outside

The first scenario above depicts a PPTP server located on the outside of the ASA (Internet) and PPTP clients on the inside. Using the “inspect” command in the global policy-map we can enable access from inside to outside for PPTP.

! enable Port Address Translation on the outside interface
ciscoasa(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0
ciscoasa(config)#global (outside) 1 interface

! Add PPTP inspection to the default policy-map using the default class-map
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect pptp

Scenario 2: PPTP client on outside and server on inside

This scenario depicts a PPTP server located on the inside network. Here we must configure static NAT for the PPTP server and allow the appropriate protocols from outside (GRE, TCP 1723)

! translate the PPTP server private address 192.168.1.1 to public 50.50.50.1
ciscoasa(config)# static (inside,outside) 50.50.50.1 192.168.1.1 netmask 255.255.255.255

! allow the appropriate protocols from outside to inside
ciscoasa(config)# access-list acl-out permit gre any host 50.50.50.1
ciscoasa(config)# access-list acl-out permit tcp any host 50.50.50.1 eq 1723
ciscoasa(config)# access-group acl-out in interface outside

Cisco ASA 5505 User License Explained

I get a lot of questions regarding the meaning of user license numbers for the Cisco ASA 5505. This model is offered in three User License options. 10 users, 50 users and UL (unrestricted license). The meaning of user license basically refers to concurrent IP addresses that can communicate between Internal (inside) network and Internet (outside) interface. So, for 10 user license, only 10 concurrent internal hosts (IP addresses) can access the internet. The same applies for 50 users (only 50 concurrent IP addresses can access the Internet). For UL license, there is no such restriction.

The user licensing has also an effect on the maximum number of IP addresses that can be assigned by the DHCP server of the ASA5505 to the internal hosts. For a 10-user license, the max number of DHCP clients on the internal network is 32. For 50-user license, the max number of DHCP clients is 128.

The official explanation from Cisco regarding the Cisco ASA5505 user licensing is as follows:

“In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits. “

The terms “Business” and “Home” VLANs above refer to the Internal and DMZ network zones.

How to Pass Your CCNA Exam

If you really want to know how to pass you CCNA (Cisco Certified Network Associate) exam then you’ll want to read every word of this article. There are several key areas that you need to master in order for your best chance of success to pass the CCNA test.

You will want to get comfortable with all the different realms of information. Like anything else that you want to achieve, the true keys is not whether you can gather a multitude of books, manuals or other learning materials, it’s whether you have the determination and drive to get the job done.

There are so many types of learning guides and materials out there, so many in fact that sometimes you can be burdened down with information overload. This is where you continually seek out new material, and there is a ton of it out there, you have so much that it all becomes very confusing instead of easier. Many of the so called ‘can’t miss’ study courses that are offered only give you a false sense of knowledge.

Once you realize that in order to pass your CCNA exam, it will take some hard work and dedication on your part, as it is a very difficult test to pass, will your journey get better.

Once you decide that you are ready to embark on the journey of passing the CCNA exam, the next step is to set out a realistic time frame to do so. When you set this time frame, be honest with yourself. There’s nothing worse then trying to complete the Cisco certification in less time than you are physically or mentally able to handle.
 
Once a realistic time frame is in place, it is nice to have a calendar with your time schedule in front of you to keep you focused and determined to meet your schedule. Also, a weekend excursion away, a bottle of finely aged wine, or anything that will keep you going when the times get tough are all recommended.

Now, the CCNA exam is one of those certifications that a proper training is required to pass it. You can go for an instructor class-based training (usually 5-day boot camp) and get the required training. However this option is very expensive and study intensive since you are not studying on your own pace. The other great option is to get a computer based training (usually video training style) where you get videos plus audio plus many practice questions and instructor notes for a complete training in your home. What I used personally and passed my Cisco exams (CCNA, CCNP, CCSP) is the Trainsignal Video Training packages which offer excellent value and in-depth training to pass the CCNA or any other Cisco exam. Check out Trainsignal Website for more information.  

In addition to the training I suggest above, I also recommend you to get some tangible book study material that others have used and been successful with. Here are some books that you should look into:

  1. Cisco Press CCNA Study Guide
  2. Jeremy Cioara’s Exam Cram and Prep Guide
  3. Any books on the subject by Todd Lammle.

I highly recommend the Cisco Press books. These books are usually the best because they come from the actual exam giver, Cisco. Therefore, the exercises and test questions will be very relevant to what you’ll see on the exam. Moreover, a Cisco Press book will be a great reference even after you pass your CCNA exam.

Having some highlighters and a note pad is a must in order to go back for easy review of any of the topic that you studied. When ever you have some extra time, even just five or ten minutes, you can whip out your study notes and do a quick review. This will keep you sharp, and get you into some good study habits.

Perhaps the best resource that you can find is the actual people that have gone through and passed their CCNA exam. You don’t have to have a face to face with them. Because of the speed and convenience of the Internet, you can search them online and seek any and all information you need.

Talking with these people that have gone through and learned how to pass the CCNA exam is an easier way to learn then any book or course that you could buy. Real life experience is better then any book ever printed. Good luck for your CCNA certification efforts.

Trainsignal Vs CBT Nuggets Training

IT technology and computer/data networking are two hot career paths that many people get into hopping for a successful professional establishment. However, as technology demands get higher and higher, professional qualifications (such as technical certifications) are now a necessity for people trying to get a job in IT or networking. Most companies now require several professional certifications from candidate employees before even considering their application for employment.

Cisco and Microsoft are the two hottest and most prestigious companies that offer technical certification paths. Personally I pursued certifications from both companies, but my main focus is on Cisco (my Microsoft certifications have expired long time ago!!). I get a lot of questions from people seeking a Cisco certification regarding the best study and training option. I always tell them that their best option is first of all determination and discipline and then anything else. If certification candidates have those two characteristics then they only need a good training and study methodology to pass their exams guaranteed.

I have always liked CBT (Computer Based Training) style trainings because they combine both self-study and instructor based training methods. CBT is basically Video based training where you get high quality DVD video tutorials with an actual instructor teaching the course in the video. The two biggest companies in the industry offering CBT video trainings are TrainSignal and CBT Nuggets. They are both excellent options for using towards your certification exam preparation. They both offer trainings on Cisco, Microsoft, VMWare, CompTIA etc. I have read testimonials in various forums for both companies (regarding Cisco Trainings) and the conclusion is that TrainSignal offers the most complete exam coverage and details but CBT Nuggets is less boring but does not cover all exam topics. The instructor of Cisco trainings in Trainsignal is Chris Bryant who is more focused on teaching you all the details required to pass the exam, but he is not as exciting and “funny” as Jeremy Cioara (the instructor of CBT Nuggets). Anyhow, I have personally used TrainSignal training for passing my CCNP exams and was very satisfied with the quality of the training. Check out the following comparison table between Trainsignal Vs CBT Nuggets for CCNA Video Training to get a better picture of the two options and decide which one is best for you (in case you are studying for a CCNA certification).

Policy NAT on Cisco ASA Firewall

As we know, the conventional NAT functionality on Cisco devices (routers, ASA firewalls etc) translates the SOURCE IP address to something else. There is also the so called “Destination based NAT” (or you may see it referred as “Reverse NAT”) which changes the destination IP address. Here we will deal with conventional source based NAT with a policy.

Sometimes we need to change the source IP address to another source address (lets call it “translated-A”) when we are communicating with “destination-A”, and also change the source IP to “translated-B” when we are communicating with “destination-B”.

 So, to be clearer, the scenario is the following:
 

  • When internal host 192.168.1.1 wants to communicate with external host 100.100.100.1, then the internal host must be translated to 50.50.50.1
  • When the internal host 192.168.1.1 wants to communicate with external host 200.200.200.1, then the internal host must be translated to 50.50.50.2

 We can achieve the functionality above with Policy-Based NAT.

Configuration Example:

Assume that the internal host 192.168.1.1 is connected to the inside interface of ASA. We have also in our possession the public IP range 50.50.50.0/24. We will use the public IP range to translate our internal host according to the destination.

! First create the access lists for the policy NAT
ASA(config)# access-list POLICYNAT-A extended permit ip host 192.168.1.1 host 100.100.100.1
ASA(config)# access-list POLICYNAT-B extended permit ip host 192.168.1.1 host 200.200.200.1

! Now create the static NAT translation for Destination-A
ASA(config)# static(inside,outside) 50.50.50.1 access-list POLICYNAT-A

! Now create the static NAT translation for Destination-B
ASA(config)# static(inside,outside) 50.50.50.2 access-list POLICYNAT-B

The above commands will do the following: When source address is 192.168.1.1 and destination address is 100.100.100.1, then change the source address to 50.50.50.1.

Similarly, when source address is 192.168.1.1 and destination is 200.200.200.1, then change the source address to 50.50.50.2.

The above static nat commands will only take effect if and only if the traffic is between the hosts referenced in the access-lists (either inbound or outbound traffic).

SNMP stands for Simple Network Management Protocol. Up to ASA software 8.1, the SNMP version supported was v1 and v2c. The newest ASA software 8.2 supports also SNMP v3 which is the most secure snmp protocol version.

The ASA works as an SNMP server (or agent), so you need also a Network Management System (NMS) which will act as the SNMP manager in order to provide network monitoring and management functionality. The NMS is basically a management server such as the CiscoWorks product. With the NMS you can either poll the ASA appliance to collect information, or the ASA appliance can send snmp traps (event notifications) to the NMS server. SNMP Traps are sent on UDP port 162 and SNMP poll uses UDP port 161. So, the ASA will listen on udp 161 and the NMS will listen on udp 162 and 161.

Configuring SNMP

 Step1: Enable the snmp server on the ASA

ASA(config)# snmp-server enable
 

Step2: Identify the NMS host that can connect to the ASA for SNMP management

ASA(config)# snmp-server host [interface_name][ ip_address] community [community string]

Where “interface name” is the ASA interface through which the NMS can be reached, and “ip address” is the NMS address. “community string” is like a preshared password which must be configured on both the ASA and the NMS in order for the two elements to communicate.

Step3: Specify the ASA community string

 ASA(config)# snmp-server community [community string]
 

Step4: Enable the ASA to send snmp traps to the NMS

 ASA(config)# snmp-server enable traps [all | snmp [trap] [trap] ]

The default configuration has all snmp traps enabled (snmp-server enable traps snmp authentication linkup linkdown coldstart). It is recommended to leave all traps enabled as the default setting.

Configuration Example:

ASA(config)# snmp-server enable
ASA(config)# snmp-server host inside 10.1.1.100 community somesecretword
ASA(config)# snmp-server community somesecretword
ASA(config)# snmp-server enable traps snmp authentication linkup linkdown coldstart

Virtual private networks, and really VPN services of many types, are similar in function but different in setup. In a previous post (anyconnect ssl vpn) I briefly explained the general functionality of a new remote access vpn technology, the AnyConnect SSL client VPN. The Cisco AnyConnect VPN is supported on the new ASA 8.x software version and provides remote access to users with just a secure Web Browser (https). The AnyConnect client software supports Windows Vista, XP, 2000, MAC OS X and Linux. The client can either be preinstalled to remote user’s PC or it can be loaded to ASA flash and uploaded to remote user’s PC when they connect to the ASA. You have also the option to uninstall the client from the remote user when he/she disconnects from the ASA.

EDIT: My new ebook, “Cisco VPN Configuration Guide – By Harris Andrea” provides a comprehensive technical tutorial about all types of VPNs that you can configure on Cisco Routers and ASA Firewalls (including of course SSL Anyconnect or IPSEC Remote Access VPNs).

In this post I will explain the technical details to configure AnyConnect SSL VPN on Cisco ASA 5500. I assume that we use the AnyConnect client version 2.0 which will be stored on ASA flash and uploaded to remote user on demand. The same configuration applies for newer versions of AnyConnect. The remote users, after successful authentication, will receive an IP address from local ASA pool 192.168.100.1-50. The internal ASA network will use subnet range 192.168.5.0/24

Therefore, after the remote user successfully authenticates on Cisco ASA with the AnyConnect client, he will receive an IP address in the range 192.168.100.1 to 50 and he will be able to access resources in the internal LAN network 192.168.5.0/24.

Upload AnyConnect to ASA

The first step is to obtain the AnyConnect client software from the Cisco Software Download Website. You will need to download the appropriate software version according to the Operating System that your users have on their computers.

Assume the software vpn client file is “anyconnect-win-2.0.0343-k9.pkg”.

ASA(config)# copy tftp flash
Address or name of remote host ? 192.168.5.10
Source filename ? anyconnect-win-2.0.0343-k9.pkg
Destination filename [anyconnect-win-2.0.0343-k9.pkg]?

Accessing tftp://192.168.5.10/anyconnect-win-2.0.0343-k9.pkg…!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-2.0.0343-k9.pkg…
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Configuring the Cisco ASA

! Specify the AnyConnect image to be downloaded by users
ASA(config)#webvpn
ASA(config-webvpn)#anyconnect image disk0:/anyconnect-win-2.0.0343-k9.pkg 1

! Enable AnyConnect access on the outside ASA interface
ASA(config-webvpn)#enable outside
ASA(config-webvpn)#anyconnect enable
ASA(config-webvpn)#exit

! Create a local IP address pool to assign for remote users
ASA(config)# ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0

! Configure NAT exemption for traffic between internal LAN and remote users

For ASA Version prior to 8.3
ASA(config)#access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0

ASA(config)# nat (inside) 0 access-list NONAT

For ASA Version 8.3 and later

object network INSIDE-HOSTS
 subnet 192.168.5.0 255.255.255.0
 !
 object network VPN-HOSTS
 subnet 192.168.100.0 255.255.255.0
 !
 nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS  destination static VPN-HOSTS VPN-HOSTS

! Create usernames that will use the AnyConnect remote access only
ASA(config)#username userA password test123
ASA(config)#username userA attributes
ASA(config-username)# service-type remote-access

ASA(config)#username userB password test12345
ASA(config)#username userB attributes
ASA(config-username)# service-type remote-access

! Create a group policy with configuration parameters that should be applied to clients (there are two options available here according to the ASA version you are running)

OPTION 1
ASA(config)# group-policy SSLCLientPolicy internal

ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# dns-server value 192.168.5.100
ASA(config-group-policy)# vpn-tunnel-protocol svc
ASA(config-group-policy)# address-pools value SSLClientPool

OPTION 2
ASA(config)# group-policy SSLCLientPolicy internal
ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# dns-server value 192.168.5.100
ASA(config-group-policy)# address-pools value SSLClientPool
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn))#vpn-tunnel-protocol svc

! Allow the AnyConnect traffic to bypass access lists
ASA(config)# sysopt connection permit-vpn

! Create tunnel group profile to define connection parameters
ASA(config)# tunnel-group SSLClientProfile type remote-access
ASA(config)# tunnel-group SSLClientProfile general-attributes
ASA(config-tunnel-general)# default-group-policy SSLCLientPolicy
ASA(config-tunnel-general)# tunnel-group SSLClientProfile webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias SSLVPNClient enable
ASA(config-tunnel-webvpn)# webvpn
ASA(config-webvpn)#tunnel-group-list enable

How to Connect

The user just needs to open a browser and go to https://[outside ASA IP]

The login screen is displayed as below example:

On “Group” field enter the name of the tunnel group SSLClientProfile or SSLVPNClient (group alias name).

On “Username” and “Password” field enter the user credentials (e.g UserA, test123)

 Page 5 of 12  « First  ... « 3  4  5  6  7 » ...  Last »