CISCO ASA Firewall and VPN Tips and Tricks - NETSEC

Wednesday, June 20, 2018

CISCO ASA Firewall and VPN Tips and Tricks

This post collects some useful commands from my ASA configuration work. It is not a step-by-step guide and not tied to a specific configuration; the commands are mostly for troubleshooting. I found them useful, and hopefully you will too.



1. Clear VPN Configuration: 

clear configure crypto map VPN_AAAA


2. Debug and show commands:

Enable logging:

ciscoasa#terminal monitor
ciscoasa(config)# logging buffer-size 1048576
ciscoasa(config)# logging buffered 7
ciscoasa(config)# logging monitor 7
ciscoasa(config)# debug crypto condition peer 10.10.10.10
ciscoasa(config)# debug crypto ipsec 127




The debug icmp trace command is used to capture the ICMP traffic of the user.

ciscoasa#debug icmp trace

ciscoasa#

!--- Output is suppressed.

ICMP echo request from 192.168.1.50 to 192.168.1.1 ID=512 seq=5120 len=32
ICMP echo reply from 192.168.1.1 to 192.168.1.50 ID=512 seq=5120 len=32

!--- The user IP address is 192.168.1.50.


The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed on the console.



In order to disable debug icmp trace, use one of these commands:

no debug icmp trace

undebug icmp trace

undebug all, Undebug all, or un all

Each of these three options helps the administrator to determine the source IP address. In this example, the source IP address of the user is 192.168.1.50. The administrator is ready to learn more about application X and determine the cause of the problem.

To see ISAKMP configuration use show run crypto isakmp
To see IPSec configuration  use show run crypto ipsec
To see crypto map configuration use show run crypto map
To see IPsec operational data use show crypto ipsec sa
To see ISAKMP operational data use show crypto isakmp sa

To debug isakmp use debug crypto isakmp
To debug ipsec use debug crypto ipsec

To manually tear down an ISAKMP or IPsec SA:
clear crypto ipsec sa
clear crypto isakmp sa

To clear IPsec SA counters use clear crypto ipsec sa counters
To clear IPsec SAs by entry use clear crypto ipsec sa entry ipaddress
To clear IPsec SAs by map use clear crypto ipsec sa map cryptomap_name
To clear IPsec SA by peer use clear crypto ipsec sa peer ipaddress
To clear ISAKMP SA by ipaddress use clear crypto isakmp sa ipaddress

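3. Recover Pre-Shared Key in Pix/ASA: 

more system:running-config

Unlike show running-config, which masks pre-shared keys with asterisks, this command displays them in clear text.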

4. Use a capture to confirm IPSec packets hit the firewall:

The administrator needs to create an access-list that defines what traffic the ASA needs to capture. After the access-list is defined, the capture command incorporates the access-list and applies it to an interface.

ciscoasa(config)#access-list inside_test permit icmp any host 192.168.1.1
ciscoasa(config)#capture inside_interface access-list inside_test interface inside

The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed.

ciscoasa#show capture inside_interface
   1: 13:04:06.284897 192.168.1.50 > 192.168.1.1: icmp: echo request

!--- The user IP address is 192.168.1.50.

Note: To download the capture file and open it in a tool such as Ethereal, use the link format shown here.


!--- Open Internet Explorer and browse with this HTTPS link format:

https://[<pix_ip>/<asa_ip>]/capture/<capture name>/pcap

Refer to ASA/PIX: Packet Capturing using CLI and ASDM Configuration Example in order to know more about Packet Capturing in ASA.



Turn off the packet capture and remove the ACL:

ASA(config)#no capture inside_interface
ASA(config)#clear configure access-list inside_test



You can clear the capture log by using this command:
ASA#clear capture inside_interface

You can also use the pipe functionality when viewing the capture output:
ASA#show capture inside_interface | inc 192.168.1.1



To confirm that the IPsec packets are reaching the firewall, a capture can be created for all UDP 500 traffic.
First create an access-list for the traffic you would like to capture.
access-list capture1 permit udp any any eq 500

Next create a capture.
capture cap1 access-list capture1 interface outside

Next display the results of the capture.
show capture cap1 detail
1: 13:04:06.284897 192.168.1.50 > 192.168.1.1: UDP:500

Or view the capture on the web:
https://<asa_ip>/capture/cap1/pcap



5. Syslog

Make sure logging is enabled. The logging level needs to be set to debug. Logging can be sent to various locations. This example uses the ASA log buffer. You might need an external logging server in production environments.

ciscoasa(config)#logging enable
ciscoasa(config)#logging buffered debugging

The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed.

ciscoasa#show logging

!--- Output is suppressed.

%ASA-6-302020: Built ICMP connection for faddr 192.168.1.50/512
gaddr 192.168.1.1/0 laddr 192.168.1.1/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/512
gaddr 192.168.1.1/0 laddr 192.168.1.1/0

!--- The user IP address is 192.168.1.50.
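
The following is an added example, not part of the original post: a small Python parser for the 302020/302021 messages shown above. It re-joins the wrapped lines of the show logging output, counts ICMP sessions per source address, and lists sessions that were built but never torn down. The log text is constructed from the sample above plus one extra source (192.168.1.77) that is an assumption for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of the `show logging` output above, wrap included.
SAMPLE = """\
%ASA-6-302020: Built ICMP connection for faddr 192.168.1.50/512
gaddr 192.168.1.1/0 laddr 192.168.1.1/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/512
gaddr 192.168.1.1/0 laddr 192.168.1.1/0
%ASA-6-302020: Built ICMP connection for faddr 192.168.1.77/1
gaddr 192.168.1.1/0 laddr 192.168.1.1/0
"""

MSG = re.compile(r"%ASA-\d-(?:302020|302021): (?P<event>Built|Teardown) ICMP connection "
                 r"for faddr (?P<faddr>\S+?)/(?P<id>\d+) gaddr \S+ laddr (?P<laddr>\S+?)/\d+")

def unwrap(text):
    """Re-join wrapped messages: a line without %ASA- continues the previous message."""
    msgs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue                      # blank lines and !--- annotations
        if "%ASA-" in line or not msgs:
            msgs.append(line)
        else:
            msgs[-1] += " " + line
    return msgs

def icmp_sessions(text):
    """Return (sessions built per source address, sessions still open)."""
    built, still_open = Counter(), set()
    for msg in unwrap(text):
        m = MSG.search(msg)
        if not m:
            continue
        key = (m.group("faddr"), m.group("id"), m.group("laddr"))
        if m.group("event") == "Built":
            built[m.group("faddr")] += 1
            still_open.add(key)
        else:
            still_open.discard(key)       # matching Teardown closes the session
    return dict(built), still_open
```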

6. 'ping -f' command troubleshooting MTU size over IPSEC VPN

The -f flag from a Windows command prompt prevents an ICMP packet from being fragmented. This, combined with the -l flag allows you to set the size of the ICMP packet being sent.

So, assuming a standard Ethernet MTU of 1500, and accounting for an 8-byte ICMP header and a 20-byte IP header, I should be able to send an ICMP packet sized to 1472 bytes, but 1473 should be too large:

C:\Users\netcanuck>ping 172.16.32.1 -f -l 1472

Pinging 172.16.32.1 with 1472 bytes of data:
Reply from 172.16.32.1: bytes=1472 time=3ms TTL=251
Reply from 172.16.32.1: bytes=1472 time=4ms TTL=251
Reply from 172.16.32.1: bytes=1472 time=4ms TTL=251
Reply from 172.16.32.1: bytes=1472 time=3ms TTL=251

C:\Users\netcanuck>ping 172.16.32.1 -f -l 1473

Pinging 172.16.32.1 with 1473 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
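
The manual test above can be automated. The following added example (not from the original post) binary-searches the largest payload that passes with the DF bit set, using the same Windows ping -f -l flags, and converts it to a path MTU with the 8 + 20 byte headers. Across an IPsec tunnel the result is expected to be lower than 1472 because of encapsulation overhead; the function names are assumptions of this example.

```python
import re
import subprocess
import sys

IP_HEADER = 20    # IPv4 header without options, bytes
ICMP_HEADER = 8   # ICMP echo header, bytes

def reply_fits(ping_output, size):
    """Classify Windows ping output for one DF-set echo of `size` data bytes."""
    if "needs to be fragmented" in ping_output:
        return False
    # A timeout also counts as "did not fit": some paths drop oversized packets silently.
    return re.search(r"Reply from \S+ bytes=%d\b" % size, ping_output) is not None

def windows_ping_fits(host, size):
    """Run `ping -n 1 -w 2000 -f -l <size> <host>` and classify the result."""
    proc = subprocess.run(["ping", "-n", "1", "-w", "2000", "-f", "-l", str(size), host],
                          capture_output=True, text=True)
    return reply_fits(proc.stdout, size)

def largest_unfragmented_payload(fits, low=0, high=1472):
    """Binary-search the largest data size for which fits(size) is True.

    Assumes every size up to the path limit passes and every larger size fails.
    Returns None when even the smallest probe fails (host down or ICMP filtered).
    """
    if not fits(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if fits(mid):
            low = mid        # mid passed, so the limit is mid or higher
        else:
            high = mid - 1   # mid was too large
    return low

def path_mtu(payload):
    """Largest IP packet the path carries without fragmentation."""
    return payload + ICMP_HEADER + IP_HEADER

if __name__ == "__main__":
    host = sys.argv[1]
    best = largest_unfragmented_payload(lambda n: windows_ping_fits(host, n))
    if best is None:
        print("no reply from", host)
    else:
        print("largest payload %d bytes, path MTU %d" % (best, path_mtu(best)))
```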



7. Assign AnyConnect User a static ip with local authentication

7.1 vpn-framed-ip-address command
username user1 password user12345

username user1 attributes

vpn-framed-ip-address 192.168.1.11 255.255.255.0

Reference: ASA/PIX: Static IP Addressing for IPSec VPN Client with CLI and ASDM Configuration Example

7.2 Create Multiple Groups with own pool and with just one ip
For example:
Three groups are created, each with its own pool and with just one IP address. The inside network is 192.168.1.0/24:


ip local pool group1 172.16.99.1
ip local pool group2 172.16.99.2
ip local pool group3 172.16.99.3

access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.99.0 255.255.255.0

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 99 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

sysopt connection permit ipsec

isakmp nat-trav
isakmp identity address
isakmp keepalive 10 2

isakmp enable outside

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

(the actual vpn groups):

vpngroup group1 password MYPASSWORD
vpngroup group1 address-pool group1
vpngroup group1 dns 192.168.1.5
vpngroup group1 wins 192.168.1.5

vpngroup group2 password MYPASSWORD
vpngroup group2 address-pool group2
vpngroup group2 dns 192.168.1.5
vpngroup group2 wins 192.168.1.5

vpngroup group3 password MYPASSWORD
vpngroup group3 address-pool group3
vpngroup group3 dns 192.168.1.5
vpngroup group3 wins 192.168.1.5

wr mem


8. Limit AnyConnect User to Assigned Resources
8.1 Allow all VPN traffic to bypass the interface ACL
The default setting of the ASA is that it allows all traffic coming from a VPN Connection to bypass the interface ACL of the interface to which the VPN Clients connect. In this case your "outside" interface. The default configuration command is

sysopt connection permit-vpn

If you were to change it to

no sysopt connection permit-vpn

Then you would have to allow ALL VPN related traffic in the interface ACL of "outside".

8.2 Building Interface VPN ACL
After this we could start building the interface ACL which you could use to control the traffic from the VPN Clients.

Let's presume that you can allocate the user an IP address based on the login information. Let's also presume that the following is the starting information:

Users:
User A: 192.168.2.1
User B: 192.168.2.2
User C: 192.168.2.3

Servers:
Server A: x.x.x.1
Server B: x.x.x.2
Server C: x.x.x.3

Let's now presume that you want to allow connections from User A to Server A, from User B to Server B, and so on. Then you could configure the following ACL:

access-list OUTSIDE-IN remark Rules for VPN users
access-list OUTSIDE-IN remark User A
access-list OUTSIDE-IN permit ip host 192.168.2.1 host x.x.x.1
access-list OUTSIDE-IN remark User B
access-list OUTSIDE-IN permit ip host 192.168.2.2 host x.x.x.2
access-list OUTSIDE-IN remark User C
access-list OUTSIDE-IN permit ip host 192.168.2.3 host x.x.x.3
access-group OUTSIDE-IN in interface outside

The above configuration would allow all TCP/UDP traffic from User A to Server A and so on. The users will not be able to access any servers other than those specified in the ACL.

Naturally the other option is to use the VPN Filter ACL as it should work too to my understanding but the above is one option.
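
An ACL like the one in 8.2 can be checked against the intended user-to-server assignment before it is applied. The following added example (not from the original post) parses "permit ip" / "deny ip" lines, evaluates them first-match with the implicit deny at the end, and reports pairs that are permitted but not assigned, or assigned but blocked. The 10.0.0.N server addresses stand in for x.x.x.N and the LOOSE ACL is constructed to show a finding.

```python
import ipaddress
import re

# Constructed inputs: the policy from 8.2, with 10.0.0.N standing in for x.x.x.N.
# OUTSIDE-IN mirrors the post's ACL; LOOSE is a deliberately broad variant.
ASSIGNED = {"192.168.2.1": "10.0.0.1", "192.168.2.2": "10.0.0.2", "192.168.2.3": "10.0.0.3"}
CONFIG = """\
access-list OUTSIDE-IN remark User A
access-list OUTSIDE-IN permit ip host 192.168.2.1 host 10.0.0.1
access-list OUTSIDE-IN permit ip host 192.168.2.2 host 10.0.0.2
access-list OUTSIDE-IN permit ip host 192.168.2.3 host 10.0.0.3
access-list LOOSE permit ip 192.168.2.0 255.255.255.0 host 10.0.0.1
"""

RULE = re.compile(r"access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+ip\s+(.+)")

def endpoint(tokens):
    """Consume one address spec from the token list: 'any', 'host A' or 'NET MASK'."""
    head = tokens.pop(0)
    if head in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(head + "/" + tokens.pop(0), strict=False)

def load_rules(config, name):
    """Ordered (action, src_net, dst_net) for the 'ip' rules of one ACL; ports are not modelled."""
    rules = []
    for line in config.splitlines():
        m = RULE.match(line.strip())
        if m and m.group(1) == name:      # remarks and other ACLs are skipped
            tokens = m.group(3).split()
            rules.append((m.group(2), endpoint(tokens), endpoint(tokens)))
    return rules

def allowed(rules, src, dst):
    """First matching rule wins; every ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

def audit(rules, assigned):
    """Return (extra, missing): permitted pairs outside the policy, assigned pairs that are blocked."""
    pairs = [(u, s) for u in assigned for s in sorted(set(assigned.values()))]
    extra = [(u, s) for u, s in pairs if allowed(rules, u, s) and s != assigned[u]]
    missing = [(u, s) for u, s in pairs if not allowed(rules, u, s) and s == assigned[u]]
    return extra, missing
```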

9. ASA Troubleshooting Command : Packet-Tracer
Packet-tracer allows a firewall administrator to inject a virtual packet into the security appliance and track the flow from ingress to egress. Along the way, the packet is evaluated against flow and route lookups, ACLs, protocol inspection, NAT, and IDS. The power of the utility comes from the ability to simulate real-world traffic by specifying source and destination addresses with protocol and port information.

packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]





Notes: Other ASA troubleshooting Commands
Please refer to this post.
