April 3

How to configure Cisco ASA 5505 SSH access

I have been involved in a security assessment project for my company and had to find all possible vulnerabilities in the network design, processes and data flows of my case study.
I am starting to configure a secondary access path to all core network devices (including some firewall appliances) and have discovered that the Cisco ASA 5505 has no simple automatic mechanism for configuring SSH access.
To achieve this we must enter some commands in the command line interface, reached from the ASDM tools bar:
Tools -> Command Line Interface

Now we must enter these commands (angle brackets mark values you supply):

*) conf t
*) username <name> password <password>
*) passwd <login-password>
*) ssh x.x.x.x x.x.x.x {inside|outside} -> the IP address or network allowed to reach the ASA (e.g. ssh 10.0.0.0 255.255.255.0 inside)
*) crypto key generate rsa modulus {512|768|1024|2048} -> 512- and 768-bit RSA keys have been publicly factored, so choose 2048
*) aaa authentication ssh console LOCAL

Test the connection with the PuTTY client or a Unix ssh command line.
Pay attention to the enable password when you connect over SSH: it is the same one used for ASDM.
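To see whether the steps above actually left the management plane locked down, this added Python script (not part of the original post) audits the resulting running-config lines: it parses every ssh access rule into a network, flags an any-source rule, and checks that SSH version 2, AAA authentication and a timeout are set. The sample config is constructed to mirror the commands above, with one deliberately over-broad rule.

```python
import ipaddress
import re

# Constructed sample, not from the original post: the running-config lines that the
# steps above produce, plus an over-broad "ssh 0.0.0.0 0.0.0.0 outside" rule so that
# the audit has something to flag.
SAMPLE_CONFIG = """\
hostname asa5505
username admin password <removed> privilege 15
passwd <removed>
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
aaa authentication ssh console LOCAL
"""

# "ssh <address> <mask> <interface>"; "ssh timeout 5" and "ssh version 2" do not match
SSH_RULE = re.compile(r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_ssh_rules(config):
    """Return [(ip_network, interface), ...] for every SSH access rule in the config."""
    rules = []
    for line in config.splitlines():
        m = SSH_RULE.match(line.strip())
        if m:
            address, mask, ifname = m.groups()
            # ipaddress accepts dotted-quad masks, so 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0
            rules.append((ipaddress.ip_network(f"{address}/{mask}", strict=False), ifname))
    return rules


def audit_ssh_access(config):
    """Return human-readable findings about the SSH management-plane settings."""
    lines = {line.strip() for line in config.splitlines()}
    findings = []
    for net, ifname in parse_ssh_rules(config):
        if net.prefixlen == 0:
            findings.append(f"SSH permitted from any source on interface {ifname}")
    if not any(l.startswith("ssh version 2") for l in lines):
        findings.append("ssh version 2 not enforced; on older ASA releases SSH-1 may still be negotiated")
    if not any(l.startswith("aaa authentication ssh console") for l in lines):
        findings.append("no aaa authentication for SSH; logins are not tied to named local accounts")
    if not any(l.startswith("ssh timeout") for l in lines):
        findings.append("ssh timeout left at its default")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_access(SAMPLE_CONFIG):
        print("FINDING:", finding)
```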

Category: CISCO | Comments are closed on How to configure Cisco ASA 5505 SSH access
April 3

Setting up ssh for remote management.

I have a generated RSA key stored in my ASA's flash memory. I am going to recreate the RSA key once more, so I will zeroize the existing key first. If an RSA key is already stored in flash, the ASA will prompt whether I want to replace it with a newly generated one. Zeroize the key:

ciscoasa(config)# crypto key zeroize rsa
WARNING: All RSA keys will be removed.
WARNING: All device digital certificates issued using these keys will also be removed

Do you really want to remove these keys? [yes/no]: y
ciscoasa(config)#

Generating an RSA key requires a domain name to be defined, just as in IOS.

ciscoasa(config)# domain-name cyruslab.com
ciscoasa(config)#

Generate a 1024-bit long RSA key:
ciscoasa(config)# crypto key generate rsa general-keys modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait…
ciscoasa(config)#

Actually it is sufficient to just type crypto key generate rsa <cr>; the interactive prompt will then ask me for the length of the key (modulus).

This is the 1024-bit RSA key which I have just generated:

ciscoasa(config)# sh crypto key mypubkey rsa
Key pair was generated at: 06:20:15 UTC Apr 8 2010
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:

30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c2890c
ad9065a0 f17eebbd 726029dc 0a9f40a9 ca714031 5de9d15b fe7b8fc7 e11e7ffd
8f27befc beaf0aae fa937c69 482a1595 f8865cc1 d8ced14a 737243c3 8f9886ab
75be998a 8a7437a1 bac57f34 d31774b7 a53cd803 a7837bc4 92f9f326 8fc818a5
54ca0476 3c864534 7b50d635 88905d28 cfeec63d e32324a9 98eba845 3b020301 0001

Allow ssh connection from my private network:
ciscoasa(config)# ssh 192.168.1.0 255.255.255.0 inside

Allow ssh connection from the internet (any connection):
ciscoasa(config)# ssh 0 0 outside

Set up the SSH idle timeout period (maximum is 1 hour):
ciscoasa(config)# ssh timeout 30

SSH has two versions: 1 and 2. SSH version 1 is less secure than version 2. By default my ASA supports both versions:

ciscoasa(config)# sh ssh
Timeout: 30 minutes
Versions allowed: 1 and 2
192.168.1.0 255.255.255.0 inside
0.0.0.0 0.0.0.0 outside

To support only version 2, I have to explicitly tell my firewall with this command:
ciscoasa(config)# ssh version 2

ciscoasa(config)# sh ssh
Timeout: 30 minutes
Version allowed: 2
192.168.1.0 255.255.255.0 inside
0.0.0.0 0.0.0.0 outside

I think PuTTY supports SSH version 2, so I shall test it.
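The Key Data printed by sh crypto key mypubkey rsa above is a DER-encoded SubjectPublicKeyInfo, so the modulus size can be verified independently of the "Modulus Size" line. This added Python script (not part of the original post) walks the DER structure of that exact key, recovers the modulus length and public exponent, and applies a 2048-bit minimum as the policy check.

```python
import re

# Key Data copied from the "sh crypto key mypubkey rsa" output above: a DER-encoded
# SubjectPublicKeyInfo for the 1024-bit key.
KEY_HEX = """
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c2890c
ad9065a0 f17eebbd 726029dc 0a9f40a9 ca714031 5de9d15b fe7b8fc7 e11e7ffd
8f27befc beaf0aae fa937c69 482a1595 f8865cc1 d8ced14a 737243c3 8f9886ab
75be998a 8a7437a1 bac57f34 d31774b7 a53cd803 a7837bc4 92f9f326 8fc818a5
54ca0476 3c864534 7b50d635 88905d28 cfeec63d e32324a9 98eba845 3b020301 0001
"""
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


def read_tlv(buf, pos, want_tag):
    """Parse one DER tag-length-value at buf[pos]; return (value, position after it)."""
    if buf[pos] != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x} at offset {pos}, got 0x{buf[pos]:02x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length


def parse_rsa_public_key(hex_text):
    """Return (modulus_bits, public_exponent) from a hex dump of a SubjectPublicKeyInfo."""
    der = bytes.fromhex(re.sub(r"\s+", "", hex_text))
    spki, _ = read_tlv(der, 0, 0x30)                 # SubjectPublicKeyInfo ::= SEQUENCE
    alg, pos = read_tlv(spki, 0, 0x30)               # AlgorithmIdentifier ::= SEQUENCE
    oid, _ = read_tlv(alg, 0, 0x06)                  # OBJECT IDENTIFIER
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bitstr, _ = read_tlv(spki, pos, 0x03)            # BIT STRING; first octet = unused bits
    rsa, _ = read_tlv(bitstr, 1, 0x30)               # RSAPublicKey ::= SEQUENCE { n, e }
    n_bytes, pos = read_tlv(rsa, 0, 0x02)            # INTEGER n (leading 0x00 pad allowed)
    e_bytes, _ = read_tlv(rsa, pos, 0x02)            # INTEGER e
    n = int.from_bytes(n_bytes, "big")
    return n.bit_length(), int.from_bytes(e_bytes, "big")


def key_verdict(modulus_bits, minimum_bits=2048):
    """Policy check: anything below 2048 bits should be regenerated."""
    if modulus_bits >= minimum_bits:
        return "ok"
    return f"weak: {modulus_bits}-bit RSA is below the {minimum_bits}-bit minimum"


if __name__ == "__main__":
    bits, e = parse_rsa_public_key(KEY_HEX)
    print(f"modulus: {bits} bits, exponent: {e} -> {key_verdict(bits)}")
```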

Category: CISCO | Comments are closed on Setting up ssh for remote management.
October 29

PIX/ASA 7.2(1) and later: Intra-Interface Communications

Background Information

[Figure: intra-interface-communications-1.gif]

Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses that have been used in a lab environment.

same-security-traffic permit intra-interface

Intra-Interface Communications Enabled

Intra-interface communications are now enabled. The same-security-traffic permit intra-interface command is added to the previous configuration. Host 172.22.1.6 attempts to ping host 172.16.10.1. Host 172.22.1.6 sends an ICMP echo request packet to the default gateway (ASA). Host 172.22.1.6 records successful replies from 172.16.10.1. The ASA passes the ICMP traffic successfully.

[Figure: intra-interface-communications-5.gif]

Category: CISCO | Comments are closed on PIX/ASA 7.2(1) and later: Intra-Interface Communications
September 25

Activate ASDM as GUI Interface for Cisco ASA/PIX Firewall

pixfirewall> enable
Password:
pixfirewall# configure terminal
pixfirewall(Config)# interface ethernet1
pixfirewall(Config-if)# nameif inside
pixfirewall(Config-if)# ip address 192.168.1.1 255.255.255.0
pixfirewall(Config-if)# no shutdown
pixfirewall(Config-if)#

Activate ASDM and enable http server.

pixfirewall(Config)# asdm image flash:/asdm.bin
pixfirewall(Config)# http server enable

Allow HTTPS access from your PC. In this example the PC's IP address is 192.168.1.2:

pixfirewall(Config)# http 192.168.1.2 255.255.255.255 inside

Check that the configuration has been applied:

pixfirewall(Config)# show running http
http server enabled
http 192.168.1.2 255.255.255.255 inside
pixfirewall(Config)#

Your Cisco ASA/PIX can now be accessed from your PC.
Make sure your PC and the firewall are connected, open your web browser and enter this address:
https://192.168.1.1/admin

Category: CISCO | Comments are closed on Activate ASDM as GUI Interface for Cisco ASA/PIX Firewall
September 25

How To Upgrade Cisco ASA Software And ASDM

Download the software

First things first. In order to upgrade the software, you're going to have to actually acquire the software. As long as you have a valid service contract, you should be able to log in to cisco.com and download it (unless Cisco's doing something stupid again). If you don't have the ability to download it from Cisco, well, you're on your own.

Check for free space

Depending on your ASA hardware version (and what you already have saved in there), the amount of flash memory you have available will vary. Before proceeding, you’ll want to verify that you have enough space available to hold the ASA software (and ASDM, if you’re going to upgrade that too).

ciscoasa# show flash: | include free
127111168 bytes total (93192192 bytes free)

Here, I have a little over 93 MB available which is plenty. If you don’t have enough free space, you’ll need to delete some other crap you’re hoarding there in order to make enough space.

Dump the software on a TFTP server

I’ll be copying the software over from a TFTP server and I’ve already made it available there. If you don’t have a TFTP server available it’s also possible to put it on a web server and use HTTP or HTTPS to transfer it to your ASA.

As last resorts, you can also copy it from a Windows fileshare (using SMB/CIFS) or, $deity forbid, Xmodem.

Do the needful

Alright, now we’re to the good part.

ciscoasa# show version | include image
System image file is "disk0:/asa822-k8.bin"
ciscoasa# show asdm image
Device Manager image file, disk0:/asdm-635.bin
ciscoasa#

As you can see, this ASA is currently running version 8.2(2) along with ASDM version 6.3.5. Because Cisco recommends that you stay within the same major version (unless you need the features introduced in newer major versions), I’m going to upgrade to 8.2(5). We’ll also upgrade ASDM to version 6.4.5 as well.

For example, here’s the information we need to complete the upgrade process:

  • TFTP server IP address: 198.18.42.125
  • ASA 8.2(5) filename: asa825-k8.bin
  • ASDM 6.4.5 filename: asdm-645.bin

Here we go!

ciscoasa# copy tftp flash

Address or name of remote host []? 198.18.42.125

Source filename []? asa825-k8.bin

Destination filename [asa825-k8.bin]?

Accessing tftp://198.18.42.125/asa825-k8.bin...!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa825-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
15390720 bytes copied in 42.870 secs (366445 bytes/sec)
ciscoasa#

Perfect. Now, let’s copy over the updated version of ASDM as well.

ciscoasa# copy tftp flash

Address or name of remote host [198.18.42.125]?

Source filename [asa825-k8.bin]? asdm-645.bin

Destination filename [asdm-645.bin]?

Accessing tftp://198.18.42.125/asdm-645.bin...!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asdm-645.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
16280544 bytes copied in 46.120 secs (353924 bytes/sec)
ciscoasa#

Tell the ASA which software you want to run

If the ASA and ASDM software that you just transferred to your ASA are the only copies in flash then the below steps aren’t completely necessary. Any time you have more than one copy in flash, however, it’s a good idea to explicitly specify which software you want the ASA to actually run.

If you don’t specify, it will use the first version that it finds in flash which may — or may NOT — be the one you want it to.

For good measure, let’s explicitly specify that we want to use the new versions that we just copied onto flash.

ciscoasa# configure terminal
ciscoasa(config)# boot system flash:/asa825-k8.bin
INFO: Converting flash:/asa825-k8.bin to disk0:/asa825-k8.bin
ciscoasa(config)# asdm image flash:/asdm-645.bin
ciscoasa(config)#

Easy enough, right?

Reload

At this point, the only thing that remains to do is to save your changes and reload your ASA so that it will boot into the new version of the software (and make use of the new version of ASDM).

ciscoasa(config)# end
ciscoasa# write memory
Cryptochecksum: aaaa08ce ccde38f2 19c42e08 dea24cbd

2713 bytes copied in 1.450 secs (2713 bytes/sec)
[OK]
ciscoasa# reload
Proceed with reload? [confirm]

Once the ASA comes back up, verify that it did, in fact, boot from the new software.

ciscoasa# show version | include image
System image file is "disk0:/asa825-k8.bin"
ciscoasa# show asdm image
Device Manager image file, disk0:/asdm-645.bin

Success!

Category: CISCO | Comments are closed on How To Upgrade Cisco ASA Software And ASDM
June 9

CISCO ASA TCP SYN CHECKS

In certain circumstances you may wish an ASA not to inspect the TCP SYN flags of packets. This is usually the case if the device will not see the return traffic, such as in the following example:

TCP State Bypass ASA

To do this, we first create an access-list containing the destination IP range we're going to exclude from TCP SYN checks. This is an extended ACL, of the sort you'll likely have plenty of:

same-security-traffic permit intra-interface
sysopt noproxyarp inside

access-list NoSYNChecksACL extended permit tcp 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0 log disable

Next up we create a class map to identify packets based on the ACL we’ve created:

class-map NoSYNChecksCM
 match access-list NoSYNChecksACL

With our ACL and Class Map created we now need to decide what should happen to these packets to which we don’t see the return traffic. We’re going to tell the ASA to bypass TCP state checks ( SYN / ACK ) for traffic matching our class map.

policy-map NoSYNChecksPM
 class NoSYNChecksCM
 set connection timeout idle 0:15:00
 set connection advanced-options tcp-state-bypass

With that done, all we need to do is apply the policy to an interface:

service-policy NoSYNChecksPM interface Inside

Any traffic sourced from the inside interface, destined for addresses matched by our ACL will now not be subject to TCP state checks.

Category: CISCO | Comments are closed on CISCO ASA TCP SYN CHECKS
June 5

Cisco ASA to Play Nice with Asymmetric Routing

Some day you might find yourself in a situation where you have an ASA device protecting an asymmetric network. This is a problem for ASA as it can only see one half of the connection, the other half being routed to the destination through a path that doesn’t involve the ASA. Now, this is not a recommended practice, but in 8.2(1) you can bypass the connection state check that the ASA performs to get asymmetric traffic through the firewall.

Below is an example of a policy that enables TCP State Bypass for an internal network, 10.1.1.0/24.

ASA(config)#access-list STATE_BYPASS_ACL extended permit tcp 10.1.1.0 255.255.255.0 any
ASA(config)#class-map STATE_BYPASS_CMAP
ASA(config-cmap)#match access-list STATE_BYPASS_ACL
ASA(config-cmap)#description "TCP traffic that bypasses stateful firewall"
ASA(config-cmap)#exit
ASA(config)#policy-map STATE_BYPASS_PMAP
ASA(config-pmap)#class STATE_BYPASS_CMAP
ASA(config-pmap-c)#set connection advanced-options tcp-state-bypass
ASA(config-pmap-c)#exit
ASA(config)#service-policy STATE_BYPASS_PMAP interface inside
ASA(config)#object network OBJ-10.1.1.6
ASA(config-network-object)#host 10.1.1.6
ASA(config-network-object)#nat (inside,outside) static 192.168.1.6

Category: CISCO | Comments are closed on Cisco ASA to Play Nice with Asymmetric Routing
June 5

TESTING

There are 2 ways to make it work:

1. Easy way:
Point the gateway of all local PCs to 192.168.1.2 (local router) instead of 192.168.1.1 (ASA5505).
Then add "ip route 0.0.0.0 0.0.0.0 192.168.1.1" on the local router (for Internet browsing).
2. Fun way:
asa(config)#same-security-traffic permit intra-interface
asa(config)#static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 norandomseq nailed
asa(config)#static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 norandomseq nailed
asa(config)#no sysopt noproxyarp inside
asa(config)#failover timeout -1

Category: CISCO | Comments are closed on TESTING
June 5

Cisco ASA Asymmetric Routing Configuration

When an interface that is not in an ASR group receives a packet that it does not have an established connection for, it will normally drop it. However, when an interface is in an ASR group, the ASA checks the connection information for all other interfaces in the same group. If the ASA finds another context that has connection information that would match the received packet, the Layer 2 header information is rewritten and the packet is redirected to the appropriate context for processing.

TCP State Bypass

Specifically for TCP-based connections, disabling stateful TCP checks can help mitigate asymmetric routing. When TCP state checks are disabled, the ASA can allow packets in a TCP connection even if the ASA didn’t see the entire TCP 3-way handshake. This feature is called TCP State Bypass (introduced in ASA 8.2).

ASA(config)# access-list tcp_bypass extended permit tcp 192.168.1.0 255.255.255.0 any
ASA(config)# class-map tcp_bypass
ASA(config-cmap)# match access-list tcp_bypass
ASA(config-cmap)# exit
ASA(config)# policy-map tcp_bypass_policy
ASA(config-pmap)# class tcp_bypass
ASA(config-pmap-c)# set connection advanced-options tcp-state-bypass
ASA(config-pmap-c)# set connection timeout idle 0:10:00
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit
ASA(config)# service-policy tcp_bypass_policy interface inside
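Because tcp-state-bypass is applied indirectly (service-policy to policy-map to class-map to ACL), it is easy to lose track of which flows a firewall no longer inspects statefully. This added Python script (not part of any of the posts above) resolves that chain in an ASA running-config and reports, per interface, the ACL entries exempted from TCP state checks; the sample config is constructed from the NoSYNChecks policy in the TCP SYN checks post above, with an extra class that must not be reported.

```python
# Constructed sample, not from the original posts: the NoSYNChecks policy from the "TCP
# SYN checks" post above, plus a second class (conn-max only) that must not be reported.
SAMPLE_CONFIG = """\
access-list NoSYNChecksACL extended permit tcp 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0 log disable
access-list WebACL extended permit tcp any any eq 80
class-map NoSYNChecksCM
 match access-list NoSYNChecksACL
class-map WebCM
 match access-list WebACL
policy-map NoSYNChecksPM
 class NoSYNChecksCM
  set connection timeout idle 0:15:00
  set connection advanced-options tcp-state-bypass
 class WebCM
  set connection conn-max 1000
service-policy NoSYNChecksPM interface Inside
"""


def parse_asa_config(config):
    """Collect ACL entries, class-map ACL matches, policy-map class actions and interface service-policies."""
    acls, cmaps, pmaps, spolicies = {}, {}, {}, {}
    mode, name, cls = None, None, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():                       # global configuration line (indentation = submode)
            mode, name, cls = words[0], (words[1] if len(words) > 1 else None), None
            if mode == "access-list":
                acls.setdefault(name, []).append(raw.strip())
            elif mode == "class-map":
                cmaps.setdefault(name, [])
            elif mode == "policy-map":
                pmaps.setdefault(name, {})
            elif mode == "service-policy" and words[2:3] == ["interface"]:
                spolicies[words[3]] = name
        elif mode == "class-map" and words[:2] == ["match", "access-list"]:
            cmaps[name].append(words[2])
        elif mode == "policy-map" and words[0] == "class":
            cls = words[1]
            pmaps[name].setdefault(cls, [])
        elif mode == "policy-map" and cls is not None:
            pmaps[name][cls].append(raw.strip())
    return acls, cmaps, pmaps, spolicies


def tcp_state_bypass_exposure(config):
    """Return [(interface, class_map, acl_name, acl_entries)] for flows exempt from TCP state checks."""
    acls, cmaps, pmaps, spolicies = parse_asa_config(config)
    exposure = []
    for ifname, pmap in spolicies.items():
        for cls, actions in pmaps.get(pmap, {}).items():
            if any("tcp-state-bypass" in action for action in actions):
                for acl in cmaps.get(cls, []):
                    exposure.append((ifname, cls, acl, acls.get(acl, [])))
    return exposure


if __name__ == "__main__":
    for ifname, cls, acl, entries in tcp_state_bypass_exposure(SAMPLE_CONFIG):
        print(f"{ifname}: class {cls} via {acl} bypasses TCP state checks for {entries}")
```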

Category: CISCO | Comments are closed on Cisco ASA Asymmetric Routing Configuration
December 10

Site-to-Site IPSEC VPN Between Cisco ASA and pfSense

IPSEC is a standardized protocol (IETF standard) which means that it is supported by many different vendors. Therefore if you want to create a VPN between different vendor devices, then IPSEC VPN is the way to go.

In this article we will see a site-to-site VPN using the IPSEC protocol between a Cisco ASA and a pfSense firewall. pfSense is an open source distribution of FreeBSD customized for use as a firewall and router. You can install pfSense on a PC with two (or more) NICs, essentially turning it into a flexible security appliance. You can obtain your copy of pfSense from the Downloads section of www.pfsense.org. At the time of this writing, the latest available release is 2.0.2 and the same has been used in this tutorial.

In this article, we will focus on site-to-site IPsec implementation between a Cisco ASA and a pfSense firewall, as shown in Figure 1 below.

[Figure 1: Cisco ASA to pfSense IPsec Implementation]

We will start with a preconfiguration checklist that will serve as a reference for configuration of IPSEC on both devices. ISAKMP/Phase 1 attributes are used to authenticate and create a secure tunnel over which IPsec/Phase 2 parameters are negotiated.

Table 1   Preconfiguration Checklist: ISAKMP/Phase-1 Attributes

Attribute              Value
Encryption             AES 128-bit
Hashing                SHA-1
Authentication method  Preshared keys
DH group               Group 2 (1024-bit field)
Lifetime               86,400 seconds

We will use main mode rather than aggressive mode for negotiation. IPsec Phase 2 attributes are used to encrypt and decrypt the actual data traffic.

Table 2   Preconfiguration Checklist: IPsec/Phase-2 Attributes

Attribute   Value
Encryption  AES 128-bit
Hashing     SHA-1
Lifetime    28,800 seconds / 4,608,000 kB
Mode        Tunnel
PFS group   None

Now that we have determined what Phase 1 and Phase 2 attributes to use, we’re ready to configure IPsec. We assume that all IP addresses are already configured and basic connectivity exists between Cisco ASA and pfSense firewall.

ASA Configuration

Let's start with configuring the ASA (using ASA 8.4(2) in this example):

! IPsec ISAKMP Phase 1

crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
exit
!
crypto ikev1 enable outside

tunnel-group 173.199.183.2 type ipsec-l2l
tunnel-group 173.199.183.2 ipsec-attributes
ikev1 pre-shared-key Cisc0

! IPsec Phase 2

crypto ipsec ikev1 transform-set pfSense-AES128SHA esp-aes esp-sha-hmac
!
access-list outside_cryptomap_10 remark ACL to encrypt traffic from ASA to pfSense
access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
!
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 173.199.183.2
crypto map outside_map 10 set ikev1 transform-set pfSense-AES128SHA
crypto map outside_map interface outside
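Phase 1 and Phase 2 mismatches are the usual reason a cross-vendor tunnel refuses to come up, so it is worth checking the ASA side against the checklist mechanically. This added Python script (not part of the original article or of either vendor's tooling) parses the ikev1 policy, transform-set and crypto map lines shown above and reports every deviation from Table 1 and Table 2; it assumes the Phase 2 lifetimes are left at the ASA defaults, as the configuration above does.

```python
# Phase 1 values from Table 1 and Phase 2 values from Table 2 above, in ASA keyword form.
PHASE1_EXPECTED = {"authentication": "pre-share", "encryption": "aes", "hash": "sha",
                   "group": "2", "lifetime": "86400"}
PHASE2_TRANSFORMS = ["esp-aes", "esp-sha-hmac"]   # AES-128 + SHA-1, tunnel mode
PHASE2_PFS = None                                 # Table 2: PFS group None

# Lines of the ASA configuration above; no lifetime is set, so the ASA defaults (28800 s / 4608000 kB) apply.
ASA_CONFIG = """\
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
exit
crypto ipsec ikev1 transform-set pfSense-AES128SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set ikev1 transform-set pfSense-AES128SHA
crypto map outside_map interface outside
"""


def parse_ikev1_policies(config):
    """Return {policy_number: {attribute: value}} for every 'crypto ikev1 policy' block."""
    policies, current = {}, None
    for words in (line.split() for line in config.splitlines() if line.strip()):
        if words[:3] == ["crypto", "ikev1", "policy"]:
            current = words[3]
            policies[current] = {}
        elif current is not None and words[0] in PHASE1_EXPECTED:
            policies[current][words[0]] = words[1]
        else:                                   # "exit" or any other global command ends the block
            current = None
    return policies


def phase2_settings(config):
    """Return {(map, seq): {"transforms": [...], "pfs": group-or-None}} for crypto map entries."""
    transform_sets, entries = {}, {}
    for words in (line.split() for line in config.splitlines() if line.strip()):
        if words[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            transform_sets[words[4]] = words[5:]
        elif words[:2] == ["crypto", "map"] and len(words) > 4 and words[3].isdigit():
            entry = entries.setdefault((words[2], words[3]), {"transforms": None, "pfs": None})
            if words[4:7] == ["set", "ikev1", "transform-set"]:
                entry["transforms"] = transform_sets.get(words[7])   # set must be defined earlier
            elif words[4:6] == ["set", "pfs"]:
                entry["pfs"] = words[6] if len(words) > 6 else "group2"  # ASA default PFS group
    return entries


def checklist_mismatches(config):
    """Compare the parsed ASA settings against Table 1 / Table 2; return a list of mismatches."""
    problems = []
    policy = parse_ikev1_policies(config).get("1", {})
    for attr, want in PHASE1_EXPECTED.items():
        if policy.get(attr) != want:
            problems.append(f"phase1 policy 1 {attr}: got {policy.get(attr)}, want {want}")
    for entry, settings in phase2_settings(config).items():
        if settings["transforms"] != PHASE2_TRANSFORMS:
            problems.append(f"phase2 {entry}: transform-set {settings['transforms']}, want {PHASE2_TRANSFORMS}")
        if settings["pfs"] != PHASE2_PFS:
            problems.append(f"phase2 {entry}: pfs {settings['pfs']}, want {PHASE2_PFS}")
    return problems
```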

PfSense Configuration

We open the URL http://173.199.183.2 in a web browser to access the pfSense firewall and enter the default username/password of admin/pfsense. You may have noticed that 173.199.183.2 is the WAN IP address of the pfSense firewall, which indicates we are accessing it from the Internet.

[Screenshot: pfSense login]

After successfully logging in you reach the Status page, which reports the summary state of your pfSense firewall. Go to VPN > IPsec using the menu and click add phase1 entry on the Tunnels tab. Configure the ISAKMP/Phase 1 parameters as given in Table 1 and shown in the following screenshot.

[Screenshot: pfSense IPsec Phase 1]

Click the Save button to save the configuration and go back to the Tunnels tab. Click add phase 2 entry to configure IPsec/Phase 2 parameters as given in Table 2 and shown in the following screenshot.

[Screenshot: pfSense IPsec Phase 2]

Click the Save button to save changes and go back to the Tunnels tab where you can view a summary of your Phase 1 and Phase 2 configuration. Check the Enable IPsec checkbox and press the Save button. In the end, press the Apply changes button to finalize your configuration, as shown in the following screenshot.

[Screenshot: VPN > IPsec tunnels summary]

Our IPsec configuration is now complete on both devices. We can generate some traffic from a host in subnet 192.168.1.0/24 connected to the Cisco ASA to a host in subnet 10.0.0.0/24 connected to pfSense, using the ping utility. If ping succeeds between the two subnets, the IPsec tunnel has most likely been established. The same can be verified with the command show crypto ipsec stats on the Cisco ASA.

In order to check IPsec tunnel status on the pfSense firewall, go to Status > IPsec. If you see a tiny green icon in the Status column, IPsec tunnel is successfully established as shown in the following screenshot.

Category: CISCO, VPN IPSEC | Comments are closed on Site-to-Site IPSEC VPN Between Cisco ASA and pfSense