Category Archives: Security

Self-Signed Certificate for WebVPN on ASA

We will configure a self-signed certificate on a Cisco ASA for AnyConnect (WebVPN). A self-signed certificate is fine for a lab or for bootstrapping a new box; clients will warn that the server is untrusted until the certificate is installed in their trust store or replaced by one issued by a CA they already trust.

1. Generate an RSA key pair for the certificate. The label must be unique on the ASA; here it is sslvpnkeypair. Use a modulus of at least 2048 bits: 1024-bit RSA has been deprecated for years, public CAs no longer issue certificates for such keys, and recent ASA releases default to 2048.

ASA-1(config)#crypto key generate rsa label sslvpnkeypair modulus 2048
INFO: The name for the keys will be: sslvpnkeypair
Keypair generation process begin. Please wait…

2. Create a trustpoint for the self-issued certificate.

ASA-1(config)#crypto ca trustpoint self

3. Set the name clients will connect to. The fqdn command places the name in the certificate's Subject Alternative Name extension and subject-name sets the Common Name; modern browsers and AnyConnect validate the SAN, so both must carry the hostname users type, and that hostname must resolve to the ASA's outside interface address.

ASA-1(config-ca-trustpoint)#enrollment self
ASA-1(config-ca-trustpoint)#fqdn vpn.amolak.net
ASA-1(config-ca-trustpoint)#subject-name CN=vpn.amolak.net

4. The RSA key is assigned to the trustpoint for certificate creation.

ASA-1(config-ca-trustpoint)#keypair sslvpnkeypair

5. Enroll the trustpoint to generate the self-signed certificate (noconfirm suppresses the confirmation prompt), then bind the trustpoint to SSL on the outside interface so that AnyConnect and ASDM sessions arriving there present it.

ASA-1(config-ca-trustpoint)#crypto ca enroll self noconfirm
% The fully-qualified domain name in the certificate will be: vpn.amolak.net
ASA-1(config)# ssl trust-point self outside

Check the result with show crypto ca certificates self: the subject, the SAN, the validity dates and the key size should all be what you expect. Note that AnyConnect blocks connections to servers with untrusted certificates by default, so users must either clear that client setting or, better, have this certificate (or a CA-issued replacement) in their trust store.

Final Configuration:

crypto key generate rsa label sslvpnkeypair modulus 2048
!
crypto ca trustpoint self
 enrollment self
 fqdn vpn.amolak.net
 subject-name CN=vpn.amolak.net
 keypair sslvpnkeypair
!
crypto ca enroll self noconfirm
!
ssl trust-point self outside

ASA Static Route with Object Tracking

We will use the following topology to configure a floating static route on a Cisco ASA with object tracking.

Objectives of this task:

  1. Configure a floating static route with object tracking
  2. Configure dynamic NAT via the primary and backup links
  3. Configure static NAT with automatic failover between the primary and backup links

[Figure: asa-static-route-track, lab topology. The ASA has outside (1.1.14.1) towards R4, the primary ISP gateway 1.1.14.4; outside-2 (2.2.14.1) towards the backup ISP gateway 2.2.14.4; and inside (10.10.123.1) with R2 and R3 on the LAN. R5 (5.5.5.5) stands in for the internet.]

Basic Configuration on ASA:

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 1.1.14.1 255.255.255.0 
!
interface GigabitEthernet1
 nameif outside-2
 security-level 0
 ip address 2.2.14.1 255.255.255.0 
!
interface GigabitEthernet2
 nameif inside
 security-level 100
 ip address 10.10.123.1 255.255.255.0 
!
  • Primary internet link subnet is 1.1.14.0/24; the ISP gateway is 1.1.14.4.
  • Backup internet link subnet is 2.2.14.0/24; the ISP gateway is 2.2.14.4.
  • Reachability of 4.4.4.4 via the primary link is tracked as the health check for that link. Pick a target that is only unreachable when the primary ISP is actually down (an upstream ISP address rather than a distant host), because an outage of the target itself also triggers a failover.
# Host route to the SLA target via the primary ISP gateway. This pins the probe to the primary link; without it the probe would follow the default route, succeed over the backup link after a failover, bring the track back up and flap between the two routes.

route outside 4.4.4.4 255.255.255.255 1.1.14.4

# Create the SLA monitor: ICMP echo to 4.4.4.4 out of the outside interface, 5 packets every 10 seconds (the operation timeout stays at the 5000 ms default visible in the configuration output below, so a failure is detected within roughly 15 seconds)

sla monitor 101
 type echo protocol ipIcmpEcho 4.4.4.4 interface outside
 num-packets 5
 frequency 10
sla monitor schedule 101 life forever start-time now

# Create a track object bound to the reachability state of SLA operation 101

track 1 rtr 101 reachability

# Default route via the primary ISP, installed only while track 1 is up

route outside 0.0.0.0 0.0.0.0 1.1.14.4 1 track 1

# Backup default route via the backup ISP with a higher administrative distance (200; a static route defaults to AD 1), so it is only used once the tracked route has been withdrawn

route outside-2 0.0.0.0 0.0.0.0 2.2.14.4 200

# Dynamic PAT to the interface address for LAN users. Two objects with the same subnet are needed because a network object can hold only one NAT rule. The ASA applies the rule whose destination interface matches the egress interface chosen by the route lookup, so the translation follows whichever default route is active.

object network ANY
 subnet 0.0.0.0 0.0.0.0
!
object network ANY-2
 subnet 0.0.0.0 0.0.0.0
!
object network ANY
 nat (inside,outside) dynamic interface
!
object network ANY-2
 nat (inside,outside-2) dynamic interface

Verify default route and internet access

# Verify SLA Monitor configuration

ASA# show sla monitor configuration 
SA Agent, Infrastructure Engine-II
Entry number: 101
Owner: 
Tag: 
Type of operation to perform: echo
Target address: 4.4.4.4
Interface: outside
Number of packets: 5
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 10
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

# Verify SLA Monitor operational status

ASA# show sla monitor operational-state 
Entry number: 101
Modification time: 09:54:01.469 UTC Sat Aug 1 2015
Number of Octets Used by this Entry: 1480
Number of operations attempted: 34
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 8
Latest operation start time: 09:59:31.479 UTC Sat Aug 1 2015
Latest operation return code: OK
RTT Values:
RTTAvg: 8       RTTMin: 1       RTTMax: 20
NumOfRTT: 5     RTTSum: 42      RTTSum2: 602

# Verify track status

ASA# show track 
Track 1
  Response Time Reporter 101 reachability
  Reachability is Up
  2 changes, last change 00:05:45
  Latest operation return code: OK
  Latest RTT (millisecs) 4
  Tracked by:
    STATIC-IP-ROUTING 0

# Verify routing

ASA# show run route
route outside 0.0.0.0 0.0.0.0 1.1.14.4 1 track 1
route outside-2 0.0.0.0 0.0.0.0 2.2.14.4 200
route outside 4.4.4.4 255.255.255.255 1.1.14.4 1
 
ASA# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 1.1.14.4 to network 0.0.0.0

C    1.1.14.0 255.255.255.0 is directly connected, outside
C    2.2.14.0 255.255.255.0 is directly connected, outside-2
S    4.4.4.4 255.255.255.255 [1/0] via 1.1.14.4, outside
C    10.10.123.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.14.4, outside

# Ping internet IP address 5.5.5.5 (It is configured on R5)

R2#ping 5.5.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/36/48 ms

# Verify NAT on ASA

ASA# show xlate 
3 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.10.123.3 to outside-2:2.2.14.103
    flags s idle 0:09:24 timeout 0:00:00
NAT from inside:10.10.123.3 to outside:1.1.14.103
    flags s idle 0:09:30 timeout 0:00:00
ICMP PAT from inside:10.10.123.2/2 to outside:1.1.14.1/35590 flags ri idle 0:00:28 timeout 0:00:30

ASA# show conn address 5.5.5.5
1 in use, 4 most used
ICMP outside 5.5.5.5:0 inside 10.10.123.2:3, idle 0:00:00, bytes 72

# Simulate a primary link failure by shutting down f0/0 on R4 (the primary ISP gateway)

R4#sh run int f0/0
Building configuration...

Current configuration : 92 bytes
!
interface FastEthernet0/0
 ip address 1.1.14.4 255.255.255.0
 speed 100
 full-duplex
end

R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#int f0/0
R4(config-if)#shut 
R4(config-if)#
*Mar  1 00:13:08.571: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Mar  1 00:13:09.571: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
R4(config-if)#

# Verify Track status on ASA

ASA# show track
Track 1
  Response Time Reporter 101 reachability
  Reachability is Down
  3 changes, last change 00:00:31
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0

# Verify Routing

ASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 2.2.14.4 to network 0.0.0.0

C    1.1.14.0 255.255.255.0 is directly connected, outside
C    2.2.14.0 255.255.255.0 is directly connected, outside-2
S    4.4.4.4 255.255.255.255 [1/0] via 1.1.14.4, outside
C    10.10.123.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [200/0] via 2.2.14.4, outside-2

# The default route now points to the backup ISP gateway (2.2.14.4).

# Verify internet access from the LAN and the NAT state on the ASA: LAN hosts are now translated to the outside-2 interface address.

R2#ping 5.5.5.5        

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/40/64 ms

ASA# show xlate 
3 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.10.123.3 to outside-2:2.2.14.103
    flags s idle 0:18:18 timeout 0:00:00
NAT from inside:10.10.123.3 to outside:1.1.14.103
    flags s idle 0:18:24 timeout 0:00:00
ICMP PAT from inside:10.10.123.2/6 to outside-2:2.2.14.1/5805 flags ri idle 0:00:39 timeout 0:00:30

ASA# show conn address 5.5.5.5
1 in use, 6 most used
ICMP outside-2 5.5.5.5:0 inside 10.10.123.2:6, idle 0:00:00, bytes 72

# Restore the primary internet link

R4(config-if)#no shut
R4(config-if)#end
R4#
*Mar  1 00:22:12.595: %SYS-5-CONFIG_I: Configured from console by console
R4#
*Mar  1 00:22:13.935: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:22:14.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

# The track is up again

ASA# show track
Track 1
  Response Time Reporter 101 reachability
  Reachability is Up
  4 changes, last change 00:00:28
  Latest operation return code: OK
  Latest RTT (millisecs) 8
  Tracked by:
    STATIC-IP-ROUTING 0

# Verify Routing

ASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 1.1.14.4 to network 0.0.0.0

C    1.1.14.0 255.255.255.0 is directly connected, outside
C    2.2.14.0 255.255.255.0 is directly connected, outside-2
S    4.4.4.4 255.255.255.255 [1/0] via 1.1.14.4, outside
C    10.10.123.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.14.4, outside

Everything works as expected: the default route via the primary link is used while the tracked address 4.4.4.4 is reachable, and when the probe fails that route is withdrawn and the backup default route takes over. NAT follows the egress interface selected by the active default route. Two caveats for production use: the ASA does not re-route connections that already exist when the route changes, so long-lived sessions built over one link stay on it until they time out or are cleared (the timeout floating-conn command, disabled by default, can tear them down when a better route appears); and the SLA operation only proves that 4.4.4.4 answers ICMP through R4, not that the whole ISP path is healthy, so choose the probe target with that in mind.
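
The following Python model is added here and is not part of the original post. It replays the behaviour just described: the tracked default route, the floating backup route with AD 200, the host route that pins the SLA probe to the primary link, and the choice of dynamic PAT rule from the egress interface. Addresses and interface names are the post's; the link_up dictionary standing in for the physical links and the one-probe-per-cycle simplification are assumptions of the model. It also runs the configuration without the /32 host route, to show the track flapping that route prevents.

```python
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass
class StaticRoute:
    prefix: str                  # e.g. "0.0.0.0/0"
    gateway: str
    interface: str
    distance: int = 1            # administrative distance; "route ... 200" sets 200
    track: Optional[int] = None  # "track 1" on the route, None if untracked


@dataclass
class Asa:
    routes: list
    track_up: dict = field(default_factory=dict)     # track id -> reachability
    dynamic_nat: dict = field(default_factory=dict)  # (in_if, out_if) -> mapped address

    def rib(self):
        """Routes actually installed: a tracked route is withdrawn while its track is down."""
        return [r for r in self.routes if r.track is None or self.track_up.get(r.track, True)]

    def lookup(self, dst: str) -> Optional[StaticRoute]:
        """Longest prefix wins; among equal prefixes the lowest AD wins (floating static)."""
        dst_ip = ipaddress.ip_address(dst)
        candidates = [r for r in self.rib() if dst_ip in ipaddress.ip_network(r.prefix)]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.distance))


def sla_probe(asa: Asa, target: str, link_up: dict) -> bool:
    """The SLA echo follows the RIB like any other packet and is only answered
    if the link it leaves on is up (link_up is the model's stand-in for the physical links)."""
    r = asa.lookup(target)
    return r is not None and link_up.get(r.interface, False)


def track_history(asa: Asa, link_up: dict, cycles: int = 4) -> list:
    """Run `cycles` probe intervals and record the state of track 1 after each one."""
    history = []
    for _ in range(cycles):
        asa.track_up[1] = sla_probe(asa, "4.4.4.4", link_up)
        history.append(asa.track_up[1])
    return history


def egress(asa: Asa, src_if: str, dst: str):
    """Egress interface, next hop and the interface address the source is PAT'ed to,
    i.e. which of the two 'nat (inside,X) dynamic interface' rules applies."""
    r = asa.lookup(dst)
    if r is None:
        return None
    return r.interface, r.gateway, asa.dynamic_nat.get((src_if, r.interface))


def build_asa(pin_probe: bool = True) -> Asa:
    """The post's routing and NAT configuration. pin_probe=False omits the /32 host
    route for 4.4.4.4 to show why it is needed."""
    routes = [
        StaticRoute("0.0.0.0/0", "1.1.14.4", "outside", distance=1, track=1),
        StaticRoute("0.0.0.0/0", "2.2.14.4", "outside-2", distance=200),
    ]
    if pin_probe:
        routes.insert(0, StaticRoute("4.4.4.4/32", "1.1.14.4", "outside"))
    return Asa(routes=routes, track_up={1: True},
               dynamic_nat={("inside", "outside"): "1.1.14.1",
                            ("inside", "outside-2"): "2.2.14.1"})


def failover_demo(primary_up: bool):
    """One probe cycle with the primary link up or down, then the path LAN traffic takes."""
    asa = build_asa()
    link_up = {"outside": primary_up, "outside-2": True}
    track_history(asa, link_up, cycles=1)
    return egress(asa, "inside", "5.5.5.5")


if __name__ == "__main__":
    print("primary up  :", failover_demo(True))
    print("primary down:", failover_demo(False))
    print("track without the host route, primary down:",
          track_history(build_asa(pin_probe=False), {"outside": False, "outside-2": True}))
```

With the host route in place the track stays down for as long as the primary link is down; without it the track alternates between down and up every probe interval, because each failover lets the next probe succeed over the backup link.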

Now there is a second requirement: a server (10.10.123.3) on the LAN must be reachable from the internet. It needs a static NAT, and since it must be reachable over either link we create two static NAT entries, one mapped address per outside interface. Remember that traffic arriving on a lower-security interface is denied unless an access list applied to that interface permits it; the inbound access lists on outside and outside-2 are not shown in this post. Keep them as narrow as the service requires (the server's service ports rather than any IP traffic), since each mapped address is exposed to the whole internet through its ISP.

# Define Objects

object network SERVER-R3-PRIMARY
 host 10.10.123.3
!
object network SERVER-R3-BACKUP
 host 10.10.123.3

# Configure NAT Rules

object network SERVER-R3-PRIMARY
 nat (inside,outside) static 1.1.14.103
!
object network SERVER-R3-BACKUP
 nat (inside,outside-2) static 2.2.14.103

# Verify reachability from Internet (R5) to Server (Real IP: 10.10.123.3, Primary NAT: 1.1.14.103)

R5#ping 1.1.14.103

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.14.103, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/39/40 ms

# Verify NAT status on ASA

ASA# show xlate
2 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.10.123.3 to outside-2:2.2.14.103
    flags s idle 0:36:19 timeout 0:00:00
NAT from inside:10.10.123.3 to outside:1.1.14.103
    flags s idle 0:00:11 timeout 0:00:00

ASA# show conn address 10.10.123.3
1 in use, 6 most used
ICMP outside 1.1.45.5:5 inside 10.10.123.3:0, idle 0:00:00, bytes 72

# With the primary internet link down again, the default route has moved to the backup ISP gateway

ASA# show track 
Track 1
  Response Time Reporter 101 reachability
  Reachability is Down
  5 changes, last change 00:00:01
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0

ASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 2.2.14.4 to network 0.0.0.0

C    1.1.14.0 255.255.255.0 is directly connected, outside
C    2.2.14.0 255.255.255.0 is directly connected, outside-2
S    4.4.4.4 255.255.255.255 [1/0] via 1.1.14.4, outside
C    10.10.123.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [200/0] via 2.2.14.4, outside-2

# The server is still reachable from the internet via the backup mapped IP

R5#ping 2.2.14.103        

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.14.103, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/40/48 ms

# Verify NAT and connection status on ASA

ASA# sh xlate 
2 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.10.123.3 to outside-2:2.2.14.103
    flags s idle 0:00:00 timeout 0:00:00
NAT from inside:10.10.123.3 to outside:1.1.14.103
    flags s idle 0:04:03 timeout 0:00:00

ASA# show conn address 10.10.123.3
1 in use, 6 most used
ICMP outside-2 1.1.45.5:10 inside 10.10.123.3:0, idle 0:00:00, bytes 72 

Good Luck! 🙂

Packet Flow through Cisco ASA Firewall

Cisco ASA Packet Process Algorithm

The interface on which a packet arrives is the ingress interface and the interface it leaves on is the egress interface. Packet flow through any device is easiest to reason about in terms of these two interfaces.

Here is a diagram of how the Cisco ASA processes the packet that it receives:

[Figure: asa-packet-flow-2, the ASA packet-processing flow from ingress to egress interface; the steps are listed below.]

Here are the individual steps in detail:

1. The packet arrives at the ingress interface.

2. Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.

3. The ASA first checks its connection table for an existing connection that matches the flow. If one exists, the access-control list (ACL) check is bypassed and the packet moves forward.

If no connection exists, the TCP state is checked. A TCP SYN or a UDP packet increments the connection counter and is sent for the ACL check; a TCP packet that is not a SYN is dropped and the event is logged (this is what %ASA-6-106015 "Deny TCP (no connection)" reports).

4. The packet is checked against the ingress interface ACL. Entries are evaluated in order and the first match decides: a permit moves the packet forward and increments that entry's hit count, a deny drops it and logs the event. If no entry matches, the implicit deny at the end of the ACL drops and logs it.

5. The packet is checked against the translation (NAT) rules. On releases before 8.3 with nat-control enabled, a packet with no matching translation is dropped and logged (%ASA-3-305005); on 8.3 and later NAT is optional and a packet without a matching rule simply continues untranslated. Once this check passes, a connection entry is created for the flow and the packet moves forward.

6. The packet is subjected to an Inspection Check. This inspection verifies whether or not this specific packet flow is in compliance with the protocol. Cisco ASA has a built-in inspection engine that inspects each connection as per its pre-defined set of application-level functionalities. If it passed the inspection, it is moved forward. Otherwise, the packet is dropped and the information is logged.

Additional security checks are performed when a CSC (Content Security and Control) module is installed.

7. The IP header is rewritten according to the NAT/PAT rule and the checksums are updated. If an AIP-SSM module is installed, the packet is forwarded to it for IPS inspection.

8. The egress interface is taken from the matching translation rule if the rule names one; otherwise a global route lookup decides the destination interface.

9. A route lookup is then performed on the egress interface to find the next hop. If the translation rule and the routing table disagree about the egress interface, the translation rule wins.

10. Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed. Layer 2 rewrite of MAC header happens at this stage.

11. The packet is transmitted on wire, and Interface counters increment on the egress interface.
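
As an added illustration (not from the original article), the Python model below walks a packet through the stages above: connection-table bypass of the ACL, the SYN check, first-match ACL with hit counters, NAT-derived egress with a fallback route lookup, and the syslog ID the ASA logs at each drop point. Inspection (step 6) and the CSC/AIP modules are left out, the lab objects (interface names, networks, ACL entries, the single static route) are constructed for the example, and the nat_control switch models the pre-8.3 behaviour of step 5.

```python
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = True            # only meaningful for TCP


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    src: str                    # source network
    dst: str                    # destination network (8.3+: the real, untranslated address)
    dport: Optional[int] = None
    hits: int = 0               # the counter that "show access-list" displays

    def matches(self, p: Packet) -> bool:
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class NatRule:
    """Object NAT of the form 'nat (in_if,out_if) dynamic|static mapped'."""
    in_if: str
    out_if: str
    real: str                   # real (pre-translation) network
    mapped: str


@dataclass
class Asa:
    acls: dict                  # ingress interface -> list[AclEntry]; no ACL here means deny-all
    nat: list                   # NatRule objects
    routes: dict                # prefix -> egress interface (static routes, no tracking)
    nat_control: bool = False   # pre-8.3 'nat-control': a flow without a NAT rule is dropped
    conns: set = field(default_factory=set)   # connection table, forward 5-tuples only

    def route(self, dst: str) -> Optional[str]:
        hits = [pfx for pfx in self.routes if in_net(dst, pfx)]
        if not hits:
            return None
        return self.routes[max(hits, key=lambda pfx: ipaddress.ip_network(pfx).prefixlen)]

    def process(self, p: Packet) -> dict:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        # Step 3: an existing connection skips the ACL entirely
        if key in self.conns:
            return {"action": "forward", "stage": "conn-table"}
        # Step 3: a new TCP flow must begin with a SYN
        if p.proto == "tcp" and not p.syn:
            return {"action": "drop", "stage": "tcp-state", "syslog": "%ASA-6-106015"}
        # Step 4: ingress ACL, first match wins, implicit deny at the end
        for entry in self.acls.get(p.in_if, []):
            if entry.matches(p):
                entry.hits += 1
                if entry.action == "deny":
                    return {"action": "drop", "stage": "acl", "syslog": "%ASA-4-106023"}
                break
        else:
            return {"action": "drop", "stage": "acl", "syslog": "%ASA-4-106023"}
        # Step 5: translation lookup
        rule = next((r for r in self.nat if r.in_if == p.in_if and in_net(p.src, r.real)), None)
        if rule is None and self.nat_control:
            return {"action": "drop", "stage": "nat", "syslog": "%ASA-3-305005"}
        # Steps 8-9: the NAT rule names the egress interface when present, otherwise
        # the routing table does; either way a next hop must exist
        next_hop_if = self.route(p.dst)
        if next_hop_if is None:
            return {"action": "drop", "stage": "route", "syslog": "%ASA-6-110003"}
        egress = rule.out_if if rule else next_hop_if
        self.conns.add(key)
        return {"action": "forward", "stage": "new-conn", "egress": egress,
                "mapped_src": rule.mapped if rule else p.src}


def build_lab() -> Asa:
    """Constructed lab for this example (not the article's): a LAN and a dmz segment,
    one object-NAT rule for the LAN, and a single static route."""
    return Asa(
        acls={"inside": [AclEntry("deny", "10.10.123.0/24", "0.0.0.0/0", dport=23),
                         AclEntry("permit", "10.10.123.0/24", "0.0.0.0/0")],
              "dmz": [AclEntry("permit", "192.168.50.0/24", "0.0.0.0/0")]},
        nat=[NatRule("inside", "outside", "10.10.123.0/24", "1.1.14.1")],
        routes={"5.5.5.0/24": "outside"},
    )


if __name__ == "__main__":
    asa = build_lab()
    for pkt in (Packet("inside", "10.10.123.2", 40000, "5.5.5.5", 80),
                Packet("inside", "10.10.123.2", 40000, "5.5.5.5", 80, syn=False),
                Packet("inside", "10.10.123.2", 40001, "5.5.5.5", 80, syn=False),
                Packet("inside", "10.10.123.2", 40002, "5.5.5.5", 23),
                Packet("dmz", "192.168.50.5", 5000, "9.9.9.9", 443)):
        print(pkt.src, pkt.dport, "syn" if pkt.syn else "ack", "->", asa.process(pkt))
```

The second packet in the demo reuses the first one's 5-tuple and is forwarded from the connection table without touching the ACL, which is why the permit entry's hit count stays at one; the third packet is an ACK for a flow the ASA never saw and is the case the 106015 message describes.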

Show Commands

Useful commands for following a packet through these stages (show run static and show run global apply to releases before 8.3; on 8.3 and later NAT is viewed with show run nat and show nat):

show interface
show conn
show access-list
show xlate
show service-policy inspect
show run static
show run nat
show run global
show nat
show route
show arp

The packet-tracer command (packet-tracer input <ingress-interface> <protocol> <source> <source-port> <destination> <destination-port>) walks exactly these stages for a synthetic packet and reports which one dropped it, and show asp drop gives per-reason drop counters for the accelerated security path.

Syslog Messages

Syslog messages provide useful information about packet processing. Here are some example syslog messages for your reference:

Syslog message when a packet has no connection entry (a TCP packet that is not a SYN, dropped at step 3):

%ASA-6-106015: Deny TCP (no connection) from
IP_address/port to IP_address/port flags tcp_flags on interface
interface_name

Syslog message when the packet is denied by an access list (step 4):

%ASA-4-106023: Deny protocol src
[interface_name:source_address/source_port] dst
interface_name:dest_address/dest_port by access_group
acl_ID

Syslog message when no translation rule is found (step 5, on pre-8.3 releases with nat-control):

%ASA-3-305005: No translation group found for protocol
src interface_name: source_address/source_port dst interface_name:
dest_address/dest_port

Syslog message when a packet is denied by protocol inspection (step 6; this example comes from the H.323/H.225 inspection engine):

%ASA-4-405104: H225 message received from
outside_address/outside_port to inside_address/inside_port before
SETUP

Syslog message when no route to the next hop exists (step 9):

%ASA-6-110003: Routing failed to locate next-hop for
protocol from src interface:src IP/src port to dest interface:dest IP/dest
port
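
As an added example, not from the original article: a small Python parser for the message types listed above, run over constructed lines in ASA syslog format (the addresses reuse the lab from the previous post, but the lines were not captured from it). It maps each message ID to the processing stage at which the drop happened and flags sources that generate repeated 106015/106023 denies, the usual signature of a scan or of stray packets from sessions that did not survive a failover.

```python
import re
from collections import Counter
from typing import Optional

# Message IDs discussed above, keyed to the packet-processing stage at which the drop occurred.
DROP_STAGE = {
    "106015": "tcp-state",    # non-SYN TCP packet with no connection entry (step 3)
    "106023": "acl",          # denied by the interface ACL (step 4)
    "305005": "nat",          # no translation rule, pre-8.3 nat-control (step 5)
    "405104": "inspection",   # H.225 message received before SETUP (step 6)
    "110003": "route",        # no next hop found (step 9)
}

HEADER_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<msg>.*)$")
# "outside:203.0.113.7/51234" or just "203.0.113.7/51234" (106015 omits the interface)
ENDPOINT_RE = re.compile(r"(?:(?P<ifc>[\w-]+):)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)")


def parse(line: str) -> Optional[dict]:
    """Parse one ASA syslog line into its ID, severity, drop stage and the endpoints
    it names, in the order they appear (source first for every message above)."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    endpoints = [(e.group("ifc"), e.group("ip"), int(e.group("port")))
                 for e in ENDPOINT_RE.finditer(m.group("msg"))]
    return {
        "id": m.group("id"),
        "severity": int(m.group("sev")),
        "stage": DROP_STAGE.get(m.group("id")),      # None for messages that are not drops
        "src": endpoints[0] if endpoints else None,
        "dst": endpoints[1] if len(endpoints) > 1 else None,
    }


def drops_by_stage(lines) -> dict:
    """Count dropped packets per processing stage; non-drop messages are ignored."""
    counts = Counter()
    for line in lines:
        ev = parse(line)
        if ev and ev["stage"]:
            counts[ev["stage"]] += 1
    return dict(counts)


def noisy_sources(lines, threshold: int = 2) -> list:
    """Source addresses with at least `threshold` 106015/106023 denies."""
    counts = Counter()
    for line in lines:
        ev = parse(line)
        if ev and ev["id"] in ("106015", "106023") and ev["src"]:
            counts[ev["src"][1]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample lines in ASA syslog format; not captured from a real device.
SAMPLE = [
    'Aug 01 2015 10:01:02: %ASA-6-106015: Deny TCP (no connection) from 203.0.113.7/54321 to 1.1.14.103/443 flags ACK  on interface outside',
    'Aug 01 2015 10:01:03: %ASA-6-106015: Deny TCP (no connection) from 203.0.113.7/54322 to 1.1.14.103/443 flags RST  on interface outside',
    'Aug 01 2015 10:01:04: %ASA-4-106023: Deny tcp src outside:198.51.100.9/51234 dst inside:10.10.123.3/23 by access-group "outside_access_in" [0x0, 0x0]',
    'Aug 01 2015 10:01:05: %ASA-3-305005: No translation group found for tcp src inside:10.10.123.9/40000 dst outside:5.5.5.5/80',
    'Aug 01 2015 10:01:06: %ASA-6-110003: Routing failed to locate next-hop for TCP from inside:10.10.123.2/40111 to outside:9.9.9.9/443',
    'Aug 01 2015 10:01:07: %ASA-6-302013: Built outbound TCP connection 4711 for outside:5.5.5.5/80 (5.5.5.5/80) to inside:10.10.123.2/40112 (1.1.14.1/40112)',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse(line))
    print("drops by stage:", drops_by_stage(SAMPLE))
    print("noisy sources :", noisy_sources(SAMPLE))
```

HEADER_RE uses search rather than match so the same parser works on lines that carry a timestamp or a hostname prefix from a syslog collector; the last sample line (302013, a connection being built) shows that messages outside the drop table are parsed but reported with no stage.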