Thursday, 21 June 2018

How to configure anyconnect start before logon? How to configure SBL?


Cisco AnyConnect provides a feature that lets Windows users start AnyConnect before they log on to the computer. This is SBL: Start Before Logon.

Prerequisites: 

1. ASDM access to the ASA
2. A client profile must be created and must have server list defined. Client profile can be created at following location in ASDM.
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile

3. You must have a valid certificate on your ASA. If you are using a self-signed certificate, make sure to add it to the Trusted Root store of the machine (computer) certificate store.

4. Once you have created the client profile, make sure to check (enable) SBL:



5. You can make this feature "User controllable" or not. Once User controllable is checked, users will be able to enable and disable the feature from the AnyConnect settings.

6. Having only AnyConnect installed on the machine does not give it the capability to start before logon. A module must be installed on the machine that initiates AnyConnect before logon. This is done using the SBL module in the group policy. Once a user connects to the VPN and receives this group policy, the SBL module is downloaded to the machine.

7. Call the SBL module (vpngina) in the group policy.
8. Make sure the AnyConnect version installed on the client PC is the same as the package file on the ASA. If they are not the same, make sure the "Auto Update" feature is enabled in the client profile.
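The CLI equivalent of the ASDM steps above, added here as an example and not taken from the post; the group-policy, profile and tunnel-group names and the package file name are assumptions, and the profile XML referenced is the one created in ASDM in steps 2, 4, 5 and 8.

```cisco
! Assumed names (not from the post): group policy GP-SBL, profile SBL_Profile,
! profile file disk0:/sbl_profile.xml created in ASDM per steps 2, 4, 5 and 8.
webvpn
 enable outside
 ! package file name is a placeholder; it must match the client version (step 8)
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER.pkg 1
 ! the profile already carries UseStartBeforeLogon (step 4) and a server list (step 2)
 anyconnect profiles SBL_Profile disk0:/sbl_profile.xml
 anyconnect enable
!
group-policy GP-SBL attributes
 webvpn
  ! step 7: push the SBL (vpngina) module so AnyConnect can start before Windows logon
  anyconnect modules value vpngina
  ! steps 2/4/5: hand the SBL-enabled profile to the client on connect
  anyconnect profiles value SBL_Profile type user
!
tunnel-group SBL-TG type remote-access
tunnel-group SBL-TG general-attributes
 default-group-policy GP-SBL
tunnel-group SBL-TG webvpn-attributes
 group-alias SBL enable
```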



Verification:
==========

1. Connect with AnyConnect; it will download the SBL module and the new XML profile. Once that is done, you should see it installed in Control Panel.
2. You will need to restart your computer.
3. After it boots up, on the logon screen, press Ctrl+Alt+Del.
4. You will see a computer icon in the bottom right corner. Click on it and that launches AnyConnect.


Thursday, 14 June 2018

How to control SSH access via LDAP?







I have an ASA and an LDAP server. I am doing all my authentication with this LDAP server, even SSH.

The problem I ran into is: all my authenticated users are able to SSH to my ASA, while I want only a few users, probably a group of users, to have admin access to the ASA.

I have created an admin group in LDAP, and only those users should be able to log in to the ASA and no one else.



SOLUTION:


This is how I fixed it:

I already had an authentication server group configured on the ASA that is being used for authentication.

I created an LDAP attribute map to match the "memberOf" attribute sent from the server and then assign a service-type of 6.

Example:


ldap attribute-map mymap
map-name  memberOf IETF-Radius-Service-Type
map-value memberOf CN=Admin,OU=acb,OU=Loc,DC=test,DC=com 6


Apply the LDAP attribute map in the AAA server group that is being used for authentication.

With this, only a user who is a member of the Admin group will be allowed to SSH to the device; otherwise not.
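The map from the post wired into a server group and SSH authentication, as an added example rather than the author's own configuration; the server-group name, host address, bind DN and base DN are assumptions. The final line turns on management authorization, which is what makes the ASA enforce the mapped service-type on SSH sessions.

```cisco
! The map must exist before it is referenced from the server entry.
ldap attribute-map mymap
 map-name  memberOf IETF-Radius-Service-Type
 map-value memberOf CN=Admin,OU=acb,OU=Loc,DC=test,DC=com 6
!
! Assumed server-group name, host address, base DN and bind DN (not from the post).
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 192.0.2.10
 ldap-base-dn DC=test,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=acb,DC=test,DC=com
 ldap-login-password BIND_PASSWORD_PLACEHOLDER
 server-type microsoft
 ! apply the map: members of CN=Admin receive service-type 6 (administrative)
 ldap-attribute-map mymap
!
! Use the group for SSH logins, with LOCAL as fallback if every LDAP server is unreachable.
aaa authentication ssh console LDAP-SRV LOCAL
! Without this line the ASA does not act on the mapped service-type for management sessions.
aaa authorization exec authentication-server
```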

If you are still unable to make it work then please post your comment and I should be able to help you out.











Tuesday, 12 June 2018

I cannot see anyconnect adapter in wireshark.


And yes, I ran into this problem.

Things were going great and suddenly I stopped seeing my AnyConnect adapter in Wireshark. It used to be there when I ran Wireshark as administrator. I don't see it anymore.

Here is what you can do:

1. Kill the Wireshark process.
2. Open cmd as administrator.
3. Run: sc stop npf
4. Run: sc start npf

 

You should be good now.
 

Friday, 1 June 2018

SSH issue: SSH-3-NO_MATCH: No matching cipher found


Router1------ Router2---- PC2

I have two routers connected and configured for SSH. When I use PC2 to SSH to Router2, it works fine.

I am trying to SSH to Router2 from Router1, and in "debug ip ssh" I see the following error:

SSH-3-NO_MATCH: No matching cipher found

In this scenario Router1 is the SSH client and Router2 is the SSH server.

Solution:
=======
On Router1 I configured the following:

Router1#conf t
Router1(config)#ip ssh client algorithm encryption aes128-cbc aes192-cbc aes192-ctr aes128-ctr 3des-cbc aes256-cbc aes256-ctr

On Router2 I configured the following:

Router2#conf t
Router2(config)#ip ssh server algorithm encryption aes128-cbc aes192-cbc aes192-ctr aes128-ctr 3des-cbc aes256-cbc aes256-ctr

ASA doesn't display Primary/secondary status.


Hello again,

I had a pair of ASAs and wanted to put them in failover. I configured that and everything was working fine.
The only thing I did not like was how my ASA displayed its name. On both ASAs I see the name as ciscoasa#

I wanted it to be something that can tell me on which ASA I am. Am I on Primary or Secondary ASA?
Am I on Active or standby ASA?

"sh failover" will show that.

Then I figured out that we can even have the "priority" and "state" displayed right there in the prompt.

Use the command "prompt":

ASA1(config)# prompt hostname ?

configure mode commands/options:
  cluster-unit     Display the cluster unit name in the session prompt
  context          Display the context in the session prompt (multimode only)
  domain           Display the domain in the session prompt
  management-mode  Display management mode
  priority         Display the priority in the session prompt (If your ASA is Primary/Secondary)
  state            Display the traffic passing state in the session prompt (Active or Standby)
  <cr>

With the command "prompt hostname" it will only display the ASA hostname. If you want to display the priority of the ASA, use "prompt hostname priority".

Let's also have "state" displayed:

ASA1(config)# prompt hostname priority state

Monday, 23 April 2018

Why my ASA presents a self signed certificate?





This issue occurs when an RSA key pair is used with the certificate.

On ASA versions from 9.4(1) onwards, all the ECDSA and RSA ciphers are enabled by default and the strongest cipher (usually an ECDSA cipher) will be used for negotiation.

When this happens, the ASA presents a self-signed certificate instead of the currently configured RSA-based certificate. There is an enhancement in place to change the behaviour when an RSA-based certificate is installed on an interface; it is tracked by Cisco bug ID CSCuu02848.


How to fix it: disable the ECDSA ciphers with this CLI command:

ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"

Tuesday, 27 February 2018

How to configure IP SLA monitoring on Cisco ASA?


IP SLA MONITORING on Cisco ASA:

I have 2 ISPs connected on "outside" and "outside2".
I want the ISP connected on the outside interface as my primary, and if something goes wrong with this ISP, I would like to change my default route toward the ISP on outside2.
To do this I will track an IP address that guarantees me the availability of ISP1, and then apply this track to my "main" route.

To understand how it works, look at the very bottom.

First, configure an SLA monitoring process using a unique ID. In this example I am using 100.
Here we define which IP address we will send pings to and which interface will be used to source them.
In this example we send pings to 8.8.8.8 using the "outside" interface IP address.
We want to send 3 ping packets at an interval of 10 seconds.

sla monitor 100
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10


Now schedule your monitoring process: when would you like it to start?

sla monitor schedule 100 life forever start-time now

Create a track and associate it with the monitoring process that we created above.
I am using track ID 1 and associating it with monitoring process 100.

track 1 rtr 100 reachability


rtr = Response Time Reporter

Now the track is ready to be applied on a route that you would like to MONITOR.

route outside 0.0.0.0 0.0.0.0 65.123.2.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 34.65.1.2 10

Working:
=============
As per the above example I am pinging 8.8.8.8, sending 3 packets every 10 seconds. If I do not get a reply for 1 packet, it will consider that something went wrong with ISP1 and the track will FAIL. When the track fails, the route it has been applied to also fails.
The ASA dynamically disables that route, and the other static route, configured with a higher metric, becomes active. During this time the SLA still sends pings to 8.8.8.8 via ISP1. If it receives a reply, it considers ISP1 back online and the track becomes active again. As a result, that route also becomes active.

All configuration at once:
sla monitor 100
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
!
sla monitor schedule 100 life forever start-time now
!
track 1 rtr 100 reachability
!
route outside 0.0.0.0 0.0.0.0 65.123.2.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 34.65.1.2 10

How to configure failover on Cisco ASA?


Cisco ASA failover prerequisites:
1. Both ASAs must be the same hardware model.
2. Both ASAs must have the same interfaces and modules (can be verified using the "sh inventory" command).
3. Both ASAs must have the same licenses.
4. Both must have the failover license enabled.
5. It is recommended to run the same software version for better stability.
6. They can have different amounts of flash.
7. Flash content is not replicated during a stateful failover.

Below is an example configuration for "Stateful Failover" using 2 interfaces (one for LAN failover and other for stateful failover).

On Primary:
==============================================================================
failover lan unit primary
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
! Note: no additional configuration is required on the physical interfaces. Everything else, such as assigning the IP address and nameif, is done by the "failover" commands shown below.
! Define the interface for the failover (LAN) link
! Syntax: failover lan interface <nameif> <physical interface on which you would like this nameif assigned>

failover lan interface FAIL GigabitEthernet0/0
! Define the interface for stateful data transfer
! Syntax: failover link <nameif> <physical interface on which you would like this nameif assigned>

failover link State GigabitEthernet0/1
! Assign IP addresses for the failover link
failover interface ip FAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
! Assign IP addresses for the stateful link
failover interface ip State 172.16.10.1 255.255.255.0 standby 172.16.10.2
failover
==============================================================================

On Secondary:
==============================================================================
failover lan unit secondary
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
! Define the interface for the failover (LAN) link
failover lan interface FAIL GigabitEthernet0/0
! Define the interface for stateful data transfer
failover link State GigabitEthernet0/1
! Assign IP addresses for the failover link (same primary/standby addresses as on the primary unit)
failover interface ip FAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
! Assign IP addresses for the stateful link
failover interface ip State 172.16.10.1 255.255.255.0 standby 172.16.10.2
failover
==============================================================================

Useful debug commands:
To check the failover LAN status:
 debug fover cable

Working output:
 fover_health_monitoring_thread: fover_luifc_check: skip lu ifc monitoring
fover_health_monitoring_thread: fover_lan_check() Failover LAN Check
fover_health_monitoring_thread: fover_lan_check() Failover Interface OK


When there is actually a problem with failover LAN link:

fover_health_monitoring_thread: fover_chk_my_down_ifcs() Local unit has 0 down ifcs
fover_health_monitoring_thread: fover_lan_check() Failover Interface TEST started
fover_health_monitoring_thread: send_mate_arp(0x2) - 10.10.10.1
fover_health_monitoring_thread: fover_luifc_check: skip lu ifc monitoring
fover_health_monitoring_thread: fover_lan_check() Failover LAN Check
fover_health_monitoring_thread: fover_chk_my_down_ifcs() Local unit has 0 down ifcs
fover_health_monitoring_thread: send_mate_arp(0x2) - 10.10.10.1
fover_health_monitoring_thread: fover_luifc_check: skip lu ifc monitoring
fover_health_monitoring_thread: fover_lan_check() Failover LAN Check
fover_health_monitoring_thread: fover_chk_my_down_ifcs() Local unit has 0 down ifcs

debug fover tx
fover_health_monitoring_thread: send_msg_reliable_ip cmd = 1 seqNum = 0x2489 size = 32 bytes
fover_health_monitoring_thread: send_msg_reliable_ip cmd = 1 seqNum = 0x248a size = 32 bytes
fover_health_monitoring_thread: send_msg_reliable_ip cmd = 1 seqNum = 0x248b size = 32 bytes


debug fover rx
fover_ip: HA TRANS: receive message for client Failover Control Module, length 200
fover_rx: rx msg: cmd 0x30, seqNum 0xce1
fover_rx: receive_msg(cmd=FXCHG_CARD_INFO), seqNum=0xce1, size=200
fover_parse: parse_thread_helper() - execute msg 48
fover_ip: HA TRANS: receive message for client Failover Control Module, length 28

Monday, 26 February 2018

How to allocate interfaces in multiple contexts?


When we switch to multiple context mode, the ASA creates a system execution space and an admin context by default. The admin context can be used as a normal user context, but this is not recommended. The system execution space is used to manage the entire system, such as creating contexts, allocating resources, allocating interfaces, etc.

Let's say I have created a context with the name ASA1 and I would like to allocate Ethernet0/0 and Ethernet0/1 to this context.
This is done from the system execution space, under the context's own configuration. Here are the commands:

changeto system
configure terminal
! allocate-interface is a sub-command of the context being configured
context ASA1
 allocate-interface Ethernet0/0
 allocate-interface Ethernet0/1