Basic ASA configuration

oli356 Member Posts: 364
Hi all,

I'm trying to get an SSL-VPN up on an ASA. I know how to do this configuration, but I can't figure out how to get the ASA to work 'correctly'. I've never used this platform before.

[Attached image: network diagram]

Image to help. (where it says public IP, that should also say G 0/0 and not on the switch).

So I have the management interface configured with 9.9.6.4/24, which connects directly to a L3 switch that does all of the management routing.
Int g 0/0 has a public IP and I've named the port 'external'.
Int g 0/1 has 9.9.3.253 as the IP, which goes to the same L3 switch. This is called internal.

When I use ping management x.x.x.x I can ping around the 9.9.6.0/24 network as I need to. (it would be nice to ping 9.9.0.0/16, but routing conflicts come later)

I can also ping onto the internet from the external port with the public IP.

Now the 9.9.3.0/24 network is the range of IP addresses I want to give out for the VPN connection.
When I try and ping internal x.x.x.x, though, I can only ping the L3 switch, 9.9.3.254, and nothing else, not even another SVI on the L3 switch.

This is annoying me... any suggestions?? Thanks

Whole config:
SSL-VPN# sh run
: Saved
:
ASA Version 9.1(3)
!
hostname SSL-VPN
enable password ******** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 nameif external
 security-level 0
 ip address PUBLIC_IP 255.255.255.240
!
interface GigabitEthernet0/1
 nameif internal
 security-level 50
 ip address 9.9.3.253 255.255.255.0
!
<snip interfaces as not in use>
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 9.9.6.4 255.255.255.0
!
ftp mode passive
pager lines 24
mtu external 1500
mtu Management 1500
mtu internal 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route external 0.0.0.0 0.0.0.0 PUBLIC_GATEWAY 1
route internal 9.9.0.0 255.255.0.0 9.9.3.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 26
  subscribe-to-alert-group configuration periodic monthly 26
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5e4efbd6066c7491742bb885bff24874
: end
Lab:
Combination of GNS3 and Cisco equipment if required.

Comments

    Legacy User Unregistered / Not Logged In Posts: 0
    For starters, what kind of SSL-VPN on the ASA are you trying to create, clientless or client-based? --Oops, not the issue you're having.
    oli356 Member Posts: 364
    Hi dmarcisco. I will be using an AnyConnect VPN.

    Thanks
    RouteMyPacket Member Posts: 1,104
    If that is your running-config, you might want to actually configure the AnyConnect VPN because you don't have it configured at all.

    Why are you handing out addresses to VPN clients from "internal", are you using a DHCP server that sits on that segment?

    Anyway, first things first, configure the VPN first
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
    oli356 Member Posts: 364
    I had all of the VPN configuration in but then realised it didn't work, probably because of this issue. I will be using split tunneling for the 9.9.0.0/16 management network and couldn't ping this network from a client machine.

    Honestly, I don't know another way to do it.. Currently we have Cisco 2921s doing this on IOS and we use this config:
    ip local pool pool-svc 9.9.10.1 9.9.10.252    (defining the pool)
    svc address-pool "pool-svc" netmask 255.255.255.0   (for the VPN config)
    GigabitEthernet0/1.120     9.9.10.253
    
    One interface on VLAN120 and then the rest of the subnet is used for handing out addresses, DHCP isn't used.

    The purpose of all of this is to access a test network which is behind a DMZ. We have devices in racks with management IPs on the 9.9.x.x network. All devices eventually connect back to this L3 switch on a certain VLAN. The only management routing is done here to get onto other VLANs, as well as some static routes for connections going across IPSEC, L2TPv3 tunnels etc.
    If you are in the office you can use the wireless, which gives a 9.9.8.x address. For the AnyConnect VPN, giving out IP addresses from a network on this L3 switch makes sense and keeps things simple :)
    oli356 Member Posts: 364
    Here is the configuration with the AnyConnect config. My laptop is getting 9.9.3.1 as expected and can ping 8.8.8.8 onto the internet as it's not going over the tunnel. Though I can't ping anything on the 9.9.x.x network.
    Thanks
    hostname SSL-VPN
    enable password ***** encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    ip local pool AnyConnect-POOL 9.9.3.1-9.9.3.252 mask 255.255.255.0
    !
    interface GigabitEthernet0/0
     nameif external
     security-level 0
     ip address PUBLIC_IP 255.255.255.240
    !
    interface GigabitEthernet0/1
     nameif internal
     security-level 50
     ip address 9.9.3.253 255.255.255.0
    !
    !
    interface Management0/0
     management-only
     nameif Management
     security-level 100
     ip address 9.9.6.4 255.255.255.0
    !
    ftp mode passive
    object network NETWORK_OBJ_9.9.3.0_24
     subnet 9.9.3.0 255.255.255.0
    access-list SPLIT_TUNNEL_ACL remark To access all inbound mgmt
    access-list SPLIT_TUNNEL_ACL standard permit 9.9.0.0 255.255.0.0
    pager lines 24
    mtu external 1500
    mtu Management 1500
    mtu internal 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (internal,external) source static any any destination static NETWORK_OBJ_9.9.3.0_24 NETWORK_OBJ_9.9.3.0_24 no-proxy-arp route-lookup
    route external 0.0.0.0 0.0.0.0 PUBLIC_GATEWAY 1
    route internal 9.9.0.0 255.255.0.0 9.9.3.254 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server ACS protocol tacacs+
    aaa-server ACS (Management) host 9.9.6.233
     timeout 5
     key *****
    user-identity default-domain LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable external
     anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
     anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 2
     anyconnect image disk0:/anyconnect-linux-3.1.02026-k9.pkg 3
     anyconnect enable
     tunnel-group-list enable
    group-policy GroupPolicy_AnyConnect-VPN internal
    group-policy GroupPolicy_AnyConnect-VPN attributes
     wins-server none
     dns-server value 9.9.6.231 9.9.6.232
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLIT_TUNNEL_ACL
     default-domain value dmz.lab
    username admin password uOxuG2EKbLbVqlG4 encrypted privilege 15
    tunnel-group AnyConnect-VPN type remote-access
    tunnel-group AnyConnect-VPN general-attributes
     address-pool AnyConnect-POOL
     authentication-server-group ACS
     default-group-policy GroupPolicy_AnyConnect-VPN
    tunnel-group AnyConnect-VPN webvpn-attributes
     group-alias AnyConnect-VPN enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous prompt 2
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email callhome@cisco.com
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 26
      subscribe-to-alert-group configuration periodic monthly 26
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:e8263a8f91a61e46be17c529408207c7
    : end
    gbdavidx Member Posts: 840
    That is basic ASA configuration? fml
    oli356 Member Posts: 364
    gbdavidx wrote: »
    That is basic asa configuration? fml
    The first post is basic config with IP addresses :p post 6 is with the VPN config. It's all done through the ASDM GUI so it only took a few minutes. The CLI on ASAs looks messy....
    eten Member Posts: 67
    oli356 wrote: »
    Hi all,

    Now the 9.9.3.0/24 network is the range of IP addresses I want to give out for the VPN connection.
    When I try and ping internal x.x.x.x though I can only ping the L3 switch, 9.9.3.254 and nothing else, not even another SVI on the l3 switch.

    9.9.6.0/24 is being routed out management
    9.9.3.0/24 is routed out internal
    9.9.0.0/16 is routed out internal

    When you try to ping internal 9.9.6.254, it will be routed out the "management" interface sourced from 9.9.3.253. Source ping from "internal" to "management" (lower security 50 to higher 100), you have to explicitly create an inbound ACL on the "internal" to permit this traffic, and also permit return traffic if you are not inspecting icmp.

    ******************************************************

    Edit correction:

    https://supportforums.cisco.com/thread/2048443

    This is actually not supported as per link above. If you have a real host on the internal segment and ping from there, I believe my post above is still valid.
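An added example (not from any poster in this thread) that models the reasoning in the post above for a real host on the internal segment: it builds the ASA's routing table from the posted interface addresses and static routes, does a longest-prefix match for a destination, and applies the default security-level rule (lower to higher needs an inbound ACL). The public IP and gateway are placeholders, since the thread redacts them.

```python
import ipaddress

# Interfaces and security levels as posted in the thread.
# The external address is a placeholder (RFC 5737 range), not the real PUBLIC_IP.
INTERFACES = {
    "external":   {"ip": "203.0.113.2/28", "security": 0},
    "internal":   {"ip": "9.9.3.253/24",   "security": 50},
    "Management": {"ip": "9.9.6.4/24",     "security": 100},
}

# route external 0.0.0.0 0.0.0.0 PUBLIC_GATEWAY 1
# route internal 9.9.0.0 255.255.0.0 9.9.3.254 1
STATIC_ROUTES = [
    ("external", "0.0.0.0/0", "PUBLIC_GATEWAY"),   # placeholder next hop
    ("internal", "9.9.0.0/16", "9.9.3.254"),
]


def routing_table():
    """Connected routes derived from interface addresses, plus the static routes."""
    table = []
    for name, intf in INTERFACES.items():
        net = ipaddress.ip_interface(intf["ip"]).network
        table.append((net, name, "connected"))
    for name, prefix, next_hop in STATIC_ROUTES:
        table.append((ipaddress.ip_network(prefix), name, next_hop))
    return table


def egress(dst):
    """Longest-prefix match: return (egress interface, next hop) for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, name, next_hop in routing_table():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name, next_hop)
    return (best[1], best[2]) if best else None


def needs_inbound_acl(ingress, dst):
    """ASA default: a flow entering on a lower-security interface and leaving on a
    higher-security one is dropped unless an inbound ACL on the ingress permits it."""
    out_if, _ = egress(dst)
    return INTERFACES[ingress]["security"] < INTERFACES[out_if]["security"]


if __name__ == "__main__":
    for dst in ("9.9.6.254", "9.9.8.1", "8.8.8.8"):
        print(dst, egress(dst), "ACL needed from internal:", needs_inbound_acl("internal", dst))
```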
    oli356 Member Posts: 364
    Thanks Eten

    Spent some of the day messing around with this... I just ended up moving the Mgmt Interface, it isn't needed.

    Everything appears to be working apart from 1 major problem... user authentication. It's done via TACACS to an ACS server.

    I run the tacacs test from ASDM and it is successful, I try and login via https://..... and it just says login failed. But in ACS I see the successful authentication trend going up for TACACS... Followed: ASA 8.3: TACACS Authentication using ACS 5.X - Cisco Systems

    I rebooted the ASA and managed to login with 1 account, I refresh the page and try another and denied... I try the original account and it gets denied!? This is just making no sense at all.
    RouteMyPacket Member Posts: 1,104
    AAA configs on ASAs can sometimes be tricky, mainly in that you need to ensure ACS is properly configured. Once the appropriate AAA config is on the ASA, you can troubleshoot from ACS until you gain access.

    Your config should be something like this

    Create your AAA Server

    aaa-server "TACACS" protocol tacacs+
    aaa-server "TACACS" (inside) host x.x.x.x
     timeout 30
     key "cisco123"


    Configure AAA Access

    aaa authentication enable console "TACACS" LOCAL
    aaa authentication http console "TACACS" LOCAL
    no aaa authentication ssh console LOCAL
    aaa authentication ssh console "TACACS" LOCAL
    aaa authorization command "TACACS" LOCAL
    aaa authorization exec authentication-server
    aaa accounting enable console "TACACS"
    aaa accounting ssh console "TACACS"

    "TACACS" being whatever name you give your AAA server

    I don't have time to walk you through ACS; there is an excellent source of knowledge here on ACS and various other topics:

    http://www.labminutes.com/video/sec/ACS
    oli356 Member Posts: 364
    That is the configuration I'm using apart from the accounting and authorisation commands.

    I know how to drive ACS well and based off the link I attached you don't even need to create rules. Need to look into this further, I just find it strange how after I reload I have been able to authenticate once but then can't repeat it.

    thanks
    oli356 Member Posts: 364
    ;) licensing problem lol. Oh dear. Managed to find a CCIE in Security from TAC and asked him to take a quick look.

    Now to apply for a license!