ASA me2

Let's troubleshoot... We also do trainings .. Checkout our training page https://asame2.blogspot.com/p/we-also-deliver-trainings.html

Featured Post

How to generate a CSR on Cisco ASA using CLI? CSR- (Certificate signing request)

First thing we need is an RSA key pair:   crypto key generate rsa label SSL-Key modulus 1024 noconfirm Create a trust-point crypto ca...

Recent Comments

Recent Post

Thursday, 14 June 2018

How to control SSH access via LDAP?

  June 14, 2018    






I have an ASA and LDAP server. I am doing all my authentications with this LDAP server, even SSH.

The problem I ran into is: all my authenticated users are able to SSH my ASA. While I want only few users to have admin access to ASA, probably a group of users.

I have created an admin group in LDAP and only those users should be able to login to ASA and no one else.



SOLUTION:


This is how I fixed it:

I already had authentication server group configured on ASA that is being used for authentication.

I created an LDAP attribute map to match the "memberOf" attribute sent from server and then assign a service-type 6.

Example:


ldap attribute-map mymap
map-name  memberOf IETF-Radius-Service-Type
map-value memberOf CN=Admin,OU=acb,OU=Loc,DC=test,DC=com 6


Apply the ldap attribute map in aaa server group that is being used for authentication.

With this, if a user is a member of Admin group then only he/she will be allowed to SSH to the device otherwise not. 

If you are still unable to make it work then please post your comment and I should be able to help you out.











  No Comments

Tuesday, 12 June 2018

I cannot see anyconnect adapter in wireshark.

  June 12, 2018    

And yes, I ran into this problem.

Things were doing great and suddenly I stopped seeing my any-connect adapter in wire-shark. It used to be there when I use wire-shark as run as admin. I don't see it anymore.

Here is what you can do:

1. kill wire-shark process
2. open cmd as administrator
3. sc stop npf



4. sc start npf

 

You should be good now.
 

  No Comments

Friday, 1 June 2018

SSH issue: SSH-3-NO_MATCH: No matching cipher found

  June 01, 2018    

Router1------ Router2---- PC2

I have two routers connected and configured for SSH. When I use PC2 to SSH to Router2, it works fine.

I am trying to SSH to Router2 from Router1 and in "debug ip ssh" I see following error

SSH-3-NO_MATCH: No matching cipher found

Here in this scenario Router1 is SSH client and Router2 is SSH server.

Solution:
=======
On Router1 I configured the following:

Router1#conf t
ip ssh client algorithm encryption aes128-cbc aes192-cbc aes192-ctr aes128-ctr 3des-cbc aes256-cbc aes256-ctr

On Router2 I configured the following:

Router2#conf t
ip ssh server algorithm encryption aes128-cbc aes192-cbc aes192-ctr aes128-ctr 3des-cbc aes256-cbc aes256-ctr

  No Comments

ASA doesn't display Primary/secondary status.

  June 01, 2018    

Hello again,

I had a pair of ASAs and wanted to put them in failover. I configured that and everything was working fine.
Only thing I did not like was how my ASA was displaying its name. On both ASAs I see the name as ciscoasa#

I wanted it to be something that can tell me on which ASA I am. Am I on Primary or Secondary ASA?
Am I on Active or standby ASA?

"sh failover" will show that.

Then I figured out that we can even have the "priority" and "state" displayed right there in hostname.

Use command " prompt"

ASA1(config)# prompt hostname ?

configure mode commands/options:
  cluster-unit     Display the cluster unit name in the session prompt
  context          Display the context in the session prompt (multimode only)
  domain           Display the domain in the session prompt
  management-mode  Display management mode
  priority         Display the priority in the session prompt (If your ASA is Primary/Secondary)
  state            Display the traffic passing state in the session prompt (Active or Standby)
  <cr>

With command "prompt hostname" it will only display ASA hostname. Now if you want to display "priority" of ASA use "prompt hostname priority".

Let's also have "state" displayed as well:

ASA1(config)# prompt hostname  priority state

  No Comments

Monday, 23 April 2018

Why my ASA presents a self signed certificate?

  April 23, 2018    




This issue presents itself when an RSA keypair is used with the certificate. 
 On ASA versions from 9.4(1) onwards, all the ECDSA and RSA ciphers are enabled by default and the strongest cipher (usually an ECDSA cipher) will be used for negotiation. 

If this happens, the ASA presents a Self-Signed certificate instead of the currently configured RSA-based certificate. There is an enhancement in place to change the behaviour when an RSA-based certificate is installed on an interface and is tracked by Cisco bug ID CSCuu02848

How to fix it: Disable ECDSA ciphers with these CLI commands: 

ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"

  No Comments

Tuesday, 27 February 2018

How to configure IP SLA monitoring on Cisco ASA?

  February 27, 2018    

IP SLA MONITORING on Cisco ASA:

I have 2 ISPs connected on "outside" and "outside2".
I want to have ISP connected on outside interface as my primary and if something goes wrong with this ISP then I would like to change my default route towards ISP on outside2.
In this case I will be tracking some IP that guarantees me the availability for ISP1. And then I will apply this track on my "Main" route.

To understand how it works, look at the very bottom.

First configure SLA monitoring process using a unique ID. In t.his example I am using 100
Here we define what IP address we will be sending pings to and what interface will be used to source it from.
here we are going to send pings to  8.8.8.8 using "outside" interface IP address.
We want to send 3 ping packets at an interval of 10 seconds.

sla monitor 100
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10

Now schedule your monitoring process, when would you like to have it started.

sla monitor schedule 100 life forever start-time now

Create a Track and associate it with the monitoring process that we created above.
I am using a track ID 1 and associating it with monitoring process 100.

track 1 rtr 100 reachability

rtr = Response Time Reporter

Now the track is ready to be applied on a route that you would like to MONITOR.

route outside 0.0.0.0 0.0.0.0 65.123.2.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 34.65.1.2 10

Working:
=============
As per the above example I am pinging to 8.8.8.8 by sending 3 packets after every 10 seconds. If I do not get reply for 1 packet, it will think that something went wrong with ISP1 and track will FAIL. When track fails, the route that it has been applied to also fails.
It dynamically disables that route, and the other static route configured with a higher metric value becomes active. During this time, that SLA is still sending pings to 8.8.8.8 via ISP1. If it receives a reply, considers ISP1 back online and track becomes active. As a results that route also becomes active.

All configuration at once:
sla monitor 100
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
 !
sla monitor schedule 100 life forever start-time now
!
track 1 rtr 100 reachability
!
route outside 0.0.0.0 0.0.0.0 65.123.2.1 1 track 1

  No Comments

How to configure failover on Cisco ASA?

  February 27, 2018    

 Cisco ASA failover prerequisites:
1. Both ASAs must be same hardware model.
2. Both ASAs must have same interfaces and modules (can be verified using "sh inventory" command)
3. Both ASAs must have same licenses.
4. Both must have failover license enabled.
5. It is recommended to have same software version for better stability.
6. They can have different amount of flash.
7. Flash content is not replicated during a stateful failover.

Below is an example configuration for "Stateful Failover" using 2 interfaces (one for LAN failover and other for stateful failover).

on Primary:
==============================================================================
failover lan unit primary
inter gi0/0
no shut
inter gi0/1
no shut
! note: There is no additional configuration required on physical interfaces. All other configuration such as assigning ip address and nameif will be done by "failover" comamnds shown below.
! Define interface for failover
! Syntx: failover lan interface <nameif> <name of physical innterface on which you would like to have this nameif assigned>
failover lan interface FAIL GigabitEthernet0/0
! Define interface for stateful data transfer
! Syntx: failover lan interface <nameif> <name of physical innterface on which you would like to have this nameif assigned>
failover link State GigabitEthernet0/1
! Assign IP for failover link
failover interface ip FAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
! Assign ip for stateful link
failover interface ip State 172.16.10.1 255.255.255.0 standby 172.16.10.2
failover
==============================================================================

On Secondary
==============================================================================
failover lan unit secondary
inter gi0/0
no shut
inter gi0/1
no shut
! Define interface for failover
failover lan interface FAIL GigabitEthernet0/0
! Define interface for stateful data transfer
failover link State GigabitEthernet0/1
! Assign IP for failover link
failover interface ip FAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
! Assign ip for stateful link
failover interface ip State 172.16.10.1 255.255.255.0 standby 172.16.10.2
Failover
==============================================================================

Useful debug comamnds:
To check failover LAN status:
 debug  fover cable

 Working output:
 fover_health_monitoring_thread: fover_luifc_check: skip lu ifc monitoring
fover_health_monitoring_thread: fover_lan_check() Failover LAN Check
fover_health_monitoring_thread: fover_lan_check() Failover Interface OK

When there is actually a problem with failover LAN link:

fover_health_monitoring_thread: fover_chk_my_down_ifcs() Local unit has 0 down ifcs
fover_health_monitoring_thread: fover_lan_check() Failover Interface TEST started
fover_health_monitoring_thread: send_mate_arp(0x2) - 10.10.10.1
fover_health_monitoring_thread: fover_luifc_check: skip lu ifc monitoring
fover_health_monitoring_thread: fover_lan_check() Failover LAN Check
fover_health_monitoring_thread: fover_chk_my_down_ifcs() Local unit has 0 down ifcs
fover_health_monitoring_thread: send_mate_arp(0x2) - 10.10.10.1
fover_health_monitoring_thread: fover_luifc_check: skip lu ifc monitoring
fover_health_monitoring_thread: fover_lan_check() Failover LAN Check
fover_health_monitoring_thread: fover_chk_my_down_ifcs() Local unit has 0 down ifcs
Debug fover tx
fover_health_monitoring_thread: send_msg_reliable_ip cmd = 1 seqNum = 0x2489 size = 32 bytes
fover_health_monitoring_thread: send_msg_reliable_ip cmd = 1 seqNum = 0x248a size = 32 bytes
fover_health_monitoring_thread: send_msg_reliable_ip cmd = 1 seqNum = 0x248b size = 32 bytes

Debug fover rx
fover_ip: HA TRANS: receive message for client Failover Control Module, length 200
fover_rx: rx msg: cmd 0x30, seqNum 0xce1
fover_rx: receive_msg(cmd=FXCHG_CARD_INFO), seqNum=0xce1, size=200
fover_parse: parse_thread_helper() - execute msg 48
fover_ip: HA TRANS: receive message for client Failover Control Module, length 28

  No Comments

Monday, 26 February 2018

How to allocate interfaces in multiple contexts?

  February 26, 2018    

When we have switched to multiple context, ASA created a system space and admin context by default. Admin context can be used as a normal user context, but is not recommended. System context is used to manage the entire system space, such as creating contexts, allocating resources, allocating interfaces, etc.

Lets say I have created a context with name ASA1 and I would like to allocate Eth0/0 and Eth0/1 to this context.
This will be done from System context: Here are the commands

changeto System
allocate-interface Eth0/0
allocate-interface Eth0/1

  No Comments

Wednesday, 9 November 2016

How to delete anyconnect cache?

  November 09, 2016    

I had a few xml profiles in my profile folder. I have deleted them all and restarted anyconnect but I still see last connected name in any-connect. Shouldn't it be clean?

So I then deleted prefrences.xml file from this location and restarted any-connect service:

C:\Users\<username>\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client

 That did the trick!

 Download a batch file to do this:

 https://drive.google.com/file/d/0B5l3rOLgYvw4QTVYSnh6SVlLV1E/view?usp=sharing&resourcekey=0-GGOunpyw-z7H-r7ZB_cuMw

  2 Comments

Thursday, 13 October 2016

ASA as a CA server:

  October 13, 2016    



sh crypto ca certificate

ASA as a CA server:
====================

1. clock must be correct.
sh crypto mypubkey

Generate keys:

crypto key gen rsa label mykey modu 2048

crypto ca server

CA server ka naam:

issuer-name cisco

subject name default CN=nameofthe CA, C=IN

Start CA server : no shutdown

It will ask for a passphrase : give any key here


then u will see certificat server enabled.

crypto ca server user-db add mitin

goi to this URL : https://ip/+CSCOCA+/login.html

https://10.197.222.122/+CSCOCA+/login.html

https://172.16.0.22/+CSCOCA+/enroll.html

crypto ca server user-db allow mitin display-otp

it will disaply an OTP, give that OTP to user.
enter user name and OTP, he will get certificate downloaded.
enter the passphrase.


clear configure crypto ca server : to clear the configuration for CA
whenever we shut a ca server it will also delete the user database, so be careful here.


Via ASDM: local CA authority
manage user database>> allow regetration

as we enable CA server, we can see a CA certificate on firewal, where issued by and issued to will be same. THis is called as root certificate.






===========================================================
HOw to add certificate using CLI:

Generate CSR:
===============
Generate key : crypto key generate rsa label mykey mod 2048
crypto ca trustpoint ca
enrollment terminal : this iwill enable a terminal where we can copy and paste certificate text
enrollment self : this means generate a self sign certificate
Tell key pair to use:
keypair mykey

remove fqdn : fqdn none
subject name CN=asa.cisco.com
crypto ca enroll ca <trustpoint ka name>
Add device serial number : NO

this will genarate CSR.
now copy this and send to CA.

DER encoding and base 64 encodeing

crypto ca import ca certificate --------> this imports ID cert. crypto ca authenticate ca certificate ---> This imports Root CA cert, crypto ca enroll --->> to generate CSR. There are the only 3 options available.
paste here
quit

debug crypto ca message 255

If cert was generated with sha256 and we are trying to import it on older code 8.0,8.2 then it will give an error.

==========================================================
ECHQ VPN
vpn.ensenta.com


SCEP : simple certificat enrollment procedure
automatic enrollment procedure it is. we can conifgure asa to get a certificate automatically. ASA can be configured SECP client and then ASA will send the request to your CA server

http://10.197.222.221/certsrv/mscep/mscep.dll
ASA as SCEP client:
crypto ca trustpoint ca
enrollment url http://ip/certsrv/mscep/mscep.dll
subject-name CN=ASAme2
exit
crypto ca authenticate ca
this will autmatically downlaod root ca certificate

crypto ca import ca certificate/ crypto ca enroll ca certificate ----- > this will request certificate from CA using SCEP. both commands will do the same thing.

sh crypto ca certificate --> this will show you the ID certificate that we have received.

Ca server :  10.77.178.91





  No Comments

Thursday, 15 September 2016

Some users are unable to connect with anyconnect while others can : PUBLICPROXIES_ERROR_NO_INSTANCE

  September 15, 2016    

Hello there,

So this time I ran into an issue where some users (Windows) were unable to connect with any-connect while others can. Sometimes uninstalling anyconnect software helped, sometimes not.

They get error message : Failed to get configuration from secure gateway. Contact your system administrator

Luckily I  picked DART from a user PC and found the following:

Invoked Function: ConnectIfc::TranslateStatusCode
Return Code: -32899061 (0xFE0A000B)
TEST_TG: PUBLICPROXIES_ERROR_NO_INSTANCE
Connection attempt failed. Please try again


This led me to these two windows updates: 
KB3161949 also KB3160005

After I uninstalled these two windows updates, everything worked fine.

I hope this helps you :)

-
Raj

  No Comments

Some users are unable to connect with anyconnect while others can

  September 15, 2016    

Hello there,

So this time I ran into an issue where some users (Windows) were unable to connect with any-connect while others can. Sometimes uninstalling anyconnect software helped, sometimes not.

They get error message : Failed to get configuration from secure gateway. Contact your system administrator.

Luckily I  picked DART from a user PC and found the following:

Invoked Function: ConnectIfc::TranslateStatusCode
Return Code: -32899061 (0xFE0A000B)
TEST_TG: PUBLICPROXIES_ERROR_NO_INSTANCE
Connection attempt failed. Please try again


This led me to these two windows updates: 
KB3161949 also KB3160005

After I uninstalled these two windows updates, everything worked fine.

I hope this helps you :)

-
Raj

  No Comments

Wednesday, 14 September 2016

How to check if ASA has Apex license installed or not?

  September 14, 2016    


Q. How to check if ASA has Apex license installed or not?

A. Use command: debug menu license 23

Q. I am not able to select "Match All" for DAP Policy - Endpoint - Device - MAC address - MATCH ALL. I am trying to match (!=) for multiple mac addresses.
A. You will need to have "Advanced endpoint assessment" enabled.

  No Comments

Subscribe to: Posts (Atom)