Friday, February 17, 2017

Cisco ASA NAT

Cisco ASA NAT 8.3+


In Cisco ASA (8.3 and later), NAT configuration is divided into two sections:
  • Network Object NAT (Auto NAT)   ----> configured under an object network
  • Twice NAT (Manual NAT)   ----> uses object network and object-group network
Static NAT :
Consider R1 as the internal server. We are going to redirect traffic from the internet hitting the public IP 110.110.10.2 to 172.16.2.1 on port 80.
This is done in two parts:
  • Configure the static NAT
  • Restrict the allowed ports with an ACL applied on the outside interface
Static NAT :
object network webserver
 host 172.16.10.2                           --------> internal server IP
 nat (inside,outside) static 110.110.10.2   --------> public (mapped) IP
You can now restrict traffic to the inside server with an ACL on the outside interface.
Note : The outside interface IP of the firewall cannot be used as the mapped address of a one-to-one static NAT; use another IP from the public subnet instead. (Static PAT with a service, shown below, can use the interface IP.)
Static PAT ( Port Address Translation)
In this scenario, assume an inside webserver (172.16.20.2) listening on port 80 should receive all traffic hitting port 444 of the firewall IP 110.110.10.3.
object network server-1
 host 172.16.20.2
 nat (dmz,outside) static 110.110.10.3 service tcp 80 80
In "service tcp 80 80", the first port is the real port (on the inside server) and the second is the mapped port (as seen from outside).
The same can be achieved using the firewall's outside interface IP :
object network server-1
 host 172.16.20.2
 nat (dmz,outside) static interface service tcp 80 80
Dynamic PAT
Here all hosts on the inside network use the ASA's outside interface IP as their source address when going outside.
object network inside-hosts
 subnet 172.16.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
If a static NAT exists for a specific host, that static rule takes priority and is used to translate that host instead of the dynamic PAT.
Dynamic NAT
Here, instead of the outside interface IP, a specific pool of addresses is used for translation.
object network IP-POOL
 range 110.110.10.2 110.110.10.4
object network inside-hosts
 subnet 172.16.10.0 255.255.255.0
 nat (inside,outside) dynamic IP-POOL
Twice NAT (Manual NAT)
Twice NAT has higher precedence: the ASA evaluates manual NAT rules before all other NAT rules.
In manual NAT we can use both object network and object-group network objects. The general syntax is:
nat (inside,outside) 1 source static <original-source> <nated-source> destination static <original-destination> <nated-destination>

Thursday, January 5, 2017

Cisco Anyconnect VPN Configuration

AnyConnect VPN :

ASA Details
Interface           Name      IP address       Subnet mask
GigabitEthernet0    outside   110.110.10.1     255.255.255.0
GigabitEthernet1    inside    192.168.22.10    255.255.255.0
Note : This configuration is based on a lab setup.
Outside PC
IP address 110.110.10.24
Create network objects for the inside and AnyConnect network ranges :
object network inside-net
 subnet 192.168.22.0 255.255.255.0
object network anyconnect-net
 subnet 10.0.0.0 255.255.255.0
Using the objects above, define a twice NAT / manual NAT (identity NAT) rule to exempt traffic going to AnyConnect clients from translation. Without this rule the ASA would NAT traffic from the inside network towards the AnyConnect hosts.
nat (inside,outside) source static inside-net inside-net destination static anyconnect-net anyconnect-net no-proxy-arp route-lookup
Create an access list for split tunneling :
access-list anyconnect-acl standard permit 192.168.22.0 255.255.255.0
This access list is used for split tunneling. According to it, all traffic destined for the 192.168.22.0 network is sent through the tunnel; everything else is sent out the client's regular local network interface (NIC).
You can also use an extended ACL with 'any' as the destination.
Create a local IP pool :
ip local pool anyconnect-pool 10.0.0.1-10.0.0.10 mask 255.255.255.0
When an AnyConnect host connects to the VPN it receives an IP address from this pool. Do not use the inside network range for the pool. Also make sure the pool range is within the subnet specified earlier for the AnyConnect network object (here anyconnect-net), because the twice NAT exemption must match when traffic goes from the inside network to the AnyConnect host.
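To make the NAT precedence rules concrete (twice NAT evaluated first, then network object NAT with static rules before dynamic ones, as described in the NAT post above, and the identity NAT exemption for AnyConnect traffic from this post), here is an added Python model of how the ASA picks a NAT rule for a packet. It is example code written for this page, not ASA code or Cisco's algorithm. The rule set is constructed from both posts' objects plus one assumed dynamic PAT rule for 192.168.22.0/24 (so the exemption has something to override); pool address allocation and PAT port handling are simplified.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Outside interface IP from the ASA table in the AnyConnect post.
OUTSIDE_IF_IP = ipaddress.ip_address("110.110.10.1")


@dataclass
class NatRule:
    section: int                      # 1 = twice NAT (manual), 2 = network object NAT (auto)
    ingress: str                      # real interface, e.g. "inside"
    egress: str                       # mapped interface, e.g. "outside"
    real_src: ipaddress.IPv4Network
    mapped_src: object                # IPv4Network (static/identity), list of addresses (pool) or "interface"
    real_dst: Optional[ipaddress.IPv4Network] = None   # only twice NAT matches on destination
    dynamic: bool = False


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


# Constructed rule set combining the objects from both posts.
RULES = [
    # nat (inside,outside) source static inside-net inside-net destination static anyconnect-net anyconnect-net
    NatRule(1, "inside", "outside", net("192.168.22.0/24"), net("192.168.22.0/24"), real_dst=net("10.0.0.0/24")),
    # object network inside-hosts / nat (inside,outside) dynamic interface
    NatRule(2, "inside", "outside", net("172.16.10.0/24"), "interface", dynamic=True),
    # object network webserver / nat (inside,outside) static 110.110.10.2
    NatRule(2, "inside", "outside", net("172.16.10.2/32"), net("110.110.10.2/32")),
    # ASSUMED for this example: a dynamic PAT rule covering the AnyConnect post's inside network
    NatRule(2, "inside", "outside", net("192.168.22.0/24"), "interface", dynamic=True),
]


def ordered(rules):
    """ASA evaluation order: section 1 in configuration order, then section 2
    with static rules before dynamic ones and smaller real objects first."""
    sec1 = [r for r in rules if r.section == 1]
    sec2 = sorted((r for r in rules if r.section == 2),
                  key=lambda r: (r.dynamic, r.real_src.num_addresses))
    return sec1 + sec2


def translate(rules, src: str, dst: str, ingress: str, egress: str) -> Tuple[str, Optional[NatRule]]:
    """Return (mapped source address, matching rule) for a packet; (src, None) if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in ordered(rules):
        if (rule.ingress, rule.egress) != (ingress, egress) or s not in rule.real_src:
            continue
        if rule.real_dst is not None and d not in rule.real_dst:
            continue
        if rule.mapped_src == "interface":          # dynamic PAT to the egress interface IP
            return str(OUTSIDE_IF_IP), rule
        if rule.dynamic:                            # dynamic NAT pool: first address (allocation simplified)
            return str(rule.mapped_src[0]), rule
        # static or identity NAT: keep the host's offset inside the mapped network
        offset = int(s) - int(rule.real_src.network_address)
        return str(rule.mapped_src[offset]), rule
    return src, None


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.9 is a documentation-range internet host.
    for src, dst in [("172.16.10.2", "203.0.113.9"), ("172.16.10.7", "203.0.113.9"),
                     ("192.168.22.5", "10.0.0.3"), ("192.168.22.5", "203.0.113.9")]:
        mapped, rule = translate(RULES, src, dst, "inside", "outside")
        print(f"{src} -> {dst}: source becomes {mapped} (section {rule.section if rule else '-'})")
```

The ordering function is what makes the page's two statements hold: the /32 static rule for the webserver sorts ahead of the /24 dynamic PAT, and the section 1 identity rule is consulted before either, so inside-to-AnyConnect traffic keeps its real address while the same host going to the internet is still PATed.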
Define a group policy :
group-policy anyconnect-policy internal
group-policy anyconnect-policy attributes
 vpn-tunnel-protocol ssl-client ssl-clientless      -------- defines the VPN type
 split-tunnel-policy tunnelspecified                -------- tells the ASA that the networks to tunnel will be specified explicitly
 split-tunnel-network-list value anyconnect-acl     -------- the split tunnel list is the ACL created earlier

Define tunnel group :
tunnel-group anyconnect-grp type remote-access
tunnel-group anyconnect-grp general-attributes
 address-pool anyconnect-pool                  ---------- pool created earlier
 default-group-policy anyconnect-policy        ---------- associates the group policy created earlier
tunnel-group anyconnect-grp webvpn-attributes
 group-alias STAFF enable
Define WebVPN setup :
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1   ---- this image pkg should be the same one installed on the PC
 anyconnect enable
 tunnel-group-list enable                                   ---- enables the group drop-down on the login page
Note : It is important to specify the installer pkg; otherwise the ASA gives the message 'Anyconnect not enabled in server' even though it has been enabled.
Define a local user :
username joe attributes
 group-lock value anyconnect-grp
 service-type remote-access

Saturday, November 12, 2016

Cisco ASA VPN : Part 2 – Phase 1, phase 2 & combined view.

Before reading this, it is recommended to go through Part 1 of the site-to-site VPN series.
Phase 1
Phase 1 of the VPN creates the tunnel (ISAKMP SA) that carries management and negotiation data between the peers. The major parameters in phase 1 are:
  • Encryption : the encryption algorithm used to protect phase 1 traffic.
  • Hashing : the hashing algorithm used to protect the integrity of the packets.
  • DH group : the Diffie-Hellman group used to agree on encryption keys safely over the internet. DH uses a public/private key method to derive a shared secret without ever sending it across the network.
  • Timers : the lifetime, which defines the renegotiation time.

Below is the part of the configuration which defines the phase 1 parameters :

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
 exit

To see the policies configured for phase 1, run the following command:

ciscoasa# sh running-config | begin policy

Let's check the status of phase 1 of the VPN we created:
sh crypto isakmp sa

Here you can see 'state : MM_ACTIVE'. This denotes that phase 1 was negotiated in main mode and the SA is active. Phase 1 negotiations take place in one of two modes :
  • Main mode : six packet exchanges; the more secure method.
    • The initiator sends a packet with its ISAKMP policy.
    • The remote end responds with the matching ISAKMP policy.
    • The initiator sends the Key Exchange payload and Nonce payload. These payloads are required to generate the DH secret key.
    • The remote end responds with its own Key Exchange and Nonce payloads. All further negotiation is encrypted.
    • The initiator now sends the hash payload and identity payload (the device's IP address).
    • The remote end responds with the corresponding payloads.

  • Aggressive mode : three packet exchanges; the less secure method.
    • All information required to generate the DH secret is sent to the remote end by the initiator in the first packet.
    • The remote end responds with its own DH material.
    • The initiator now sends the identity and hash payloads. If these match at the remote end, the phase 1 tunnel comes up.
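The two modes described above, as an added Python simulation written for this page (not ASA code and not Cisco's implementation). It uses the real DH group 2 parameters from RFC 2409 (matching "group 2" in the ikev1 policy) and the RFC 2409 pre-shared-key SKEYID derivation with HMAC-SHA1 (matching "hash sha"), but the authentication hash is simplified (it omits the ISAKMP cookies and SA payload), encryption of main mode messages 5 and 6 is only recorded as a flag on the transcript, and the peer identities and the policy tuple are assumptions. The point it shows is the one the list makes: main mode only sends identities and authentication hashes after the DH secret exists, aggressive mode sends them before.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime and generator of IKE DH group 2 (RFC 2409 section 6.2),
# the "group 2" in the ikev1 policy. Transcribed from the RFC; verify against it before reuse.
P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for 'hash sha': HMAC-SHA1 (RFC 2409)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class Peer:
    """One VPN endpoint: pre-shared key, ikev1 policy, DH key pair and nonce (identity string assumed)."""
    def __init__(self, name: str, psk: bytes, policy: tuple):
        self.ident = name.encode()
        self.psk = psk
        self.policy = policy                              # e.g. ("aes", "sha", 2) from the ikev1 policy
        self.x = secrets.randbelow(P_GROUP2 - 2) + 1      # private DH exponent, never sent
        self.gx = pow(G, self.x, P_GROUP2)                # public value, sent in the KE payload
        self.nonce = secrets.token_bytes(16)              # sent in the Nonce payload


def auth_hash(psk: bytes, gxi: int, gxr: int, ni: bytes, nr: bytes, ident: bytes) -> bytes:
    """Simplified HASH_I of RFC 2409 for pre-shared keys: SKEYID = prf(psk, Ni | Nr),
    HASH = prf(SKEYID, g^xi | g^xr | ID). The real hash also covers the cookies and SA payload."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, i2b(gxi) + i2b(gxr) + ident)


def phase1(init: Peer, resp: Peer, mode: str = "main"):
    """Simulate IKEv1 phase 1. Returns (transcript, tunnel_up); the transcript holds
    (direction, payloads, protection) for every message that was actually sent."""
    t = []
    if mode == "main":
        t.append(("I->R", "SA proposal", "clear"))
        if init.policy != resp.policy:                    # no matching ikev1 policy: stops at message 1
            return t, False
        t.append(("R->I", "SA accepted", "clear"))
        t.append(("I->R", "KE, Nonce", "clear"))
        t.append(("R->I", "KE, Nonce", "clear"))
        # Both sides now hold the DH secret; messages 5 and 6 are encrypted with keys
        # derived from it, so identities and hashes never appear on the wire in clear.
        t.append(("I->R", "ID, HASH_I", "encrypted"))
        t.append(("R->I", "ID, HASH_R", "encrypted"))
    elif mode == "aggressive":
        t.append(("I->R", "SA, KE, Nonce, ID", "clear"))
        if init.policy != resp.policy:
            return t, False
        t.append(("R->I", "SA, KE, Nonce, ID, HASH_R", "clear"))   # identity and hash unencrypted
        t.append(("I->R", "HASH_I", "clear"))
    else:
        raise ValueError("mode must be 'main' or 'aggressive'")
    # Authentication is the same in both modes: the shared secrets must agree and the
    # responder must reproduce HASH_I from its own copy of the pre-shared key.
    secret_i = pow(resp.gx, init.x, P_GROUP2)
    secret_r = pow(init.gx, resp.x, P_GROUP2)
    hash_i = auth_hash(init.psk, init.gx, resp.gx, init.nonce, resp.nonce, init.ident)
    expected = auth_hash(resp.psk, init.gx, resp.gx, init.nonce, resp.nonce, init.ident)
    return t, secret_i == secret_r and hmac.compare_digest(hash_i, expected)


def encrypted_count(transcript) -> int:
    return sum(1 for _, _, prot in transcript if prot == "encrypted")


if __name__ == "__main__":
    # Peers named after the outside IPs used in the site-to-site post; PSK 123456 from Part 1.
    a = Peer("110.110.10.1", b"123456", ("aes", "sha", 2))
    b = Peer("110.110.10.2", b"123456", ("aes", "sha", 2))
    for mode in ("main", "aggressive"):
        transcript, up = phase1(a, b, mode)
        print(mode, "tunnel up:", up, "messages:", len(transcript), "encrypted:", encrypted_count(transcript))
```

Running it with a mismatched pre-shared key shows why a wrong key only surfaces at the end of main mode (all six messages are exchanged, then authentication fails), while a mismatched policy stops the negotiation at the first message; both are the usual symptoms behind a phase 1 that never reaches MM_ACTIVE.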

For reference :
Phase 2
Phase 2 of the site-to-site VPN is where the actual data is transferred. The following part of the configuration is for phase 2:
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
Two protocols can be used for phase 2 :
  • AH – provides encapsulation (authentication only, no encryption).
  • ESP – provides encapsulation and encryption. Works well when NAT is in place.
AH is not used these days.
Phase 2 builds separate security associations (SAs) for outbound and inbound data. Each outbound and inbound SA has its own SPI (Security Parameter Index). Based on this SPI the firewall identifies the SA associated with a packet and decrypts the data. Each SA holds the encryption, hashing and other details.
Let's check the status of phase 2 in our VPN:

sh crypto ipsec sa
If there are more subnets to be encrypted you will see additional SAs with their own SPIs.
The combined view : Phase 1 and Phase 2
Finally, let's take a capture of phase 1 and phase 2 and go through it.


Friday, November 11, 2016

Cisco ASA site to site VPN break down: PART 1

Let's create a site-to-site VPN between two locations as shown below:
The configuration is given below with a breakdown of each component:

1. Enable isakmp on the outside interface

crypto isakmp enable outside

This part relates to phase 1 of the VPN. IKE is the protocol used to establish a shared security policy and exchange keys for services such as IPsec. ISAKMP is the part of IKE that defines the rules for this negotiation; other components also make up IKE. In the Cisco world ISAKMP and IKE are often used synonymously.

This command enables ISAKMP on the outside interface of the ASA.

2. Create the interesting traffic ACL (crypto ACL)

access-list vpn_access extended permit ip object net-local object net-remote

The interesting traffic ACL defines which traffic should be sent through the VPN. As you can see, I have used objects as source and destination. It is more convenient to use an object-group in the interesting traffic ACL: you can add further objects/subnets to the object-group later without changing the original ACL.

3. Create a tunnel group and define its attributes

tunnel-group 110.110.10.2 type ipsec-l2l
tunnel-group 110.110.10.2 ipsec-attributes
 ikev1 pre-shared-key 123456
 isakmp keepalive threshold 10 retry 2

The tunnel group defines the details of the VPN such as its type and attributes. A tunnel group has two kinds of attributes:
  • General attributes
  • VPN specific (ipsec) attributes

In this example, since it is a site-to-site VPN, the remote peer IP must be used as the tunnel group name. We also specify its type as ipsec-l2l, meaning a site-to-site IPsec VPN. In the second line we provide the ipsec-attributes / VPN specific attributes such as the pre-shared key and the keepalive retry settings.

4. Create the ikev1 policy

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
 exit

The ikev1 policy is used for phase 1 negotiation. Parameters such as authentication type, encryption, hashing and DH group are specified here.

5. Create a transform set

crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac

A transform set contains the phase 2 parameters used to set up the tunnel. Here we define a transform set named set1 with its parameters.

6. Create a crypto map

crypto map map1 10 match address vpn_access
crypto map map1 10 set pfs group1
crypto map map1 10 set peer 110.110.10.2
crypto map map1 10 set ikev1 transform-set set1
crypto map map1 interface outside

The crypto map combines the interesting traffic ACL, the transform set and the peer IP address, and is then applied to the outside interface.

7. Exempt the interesting traffic from NAT

nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote

This NAT statement makes sure that traffic going into the VPN is exempted from NAT. There are, however, situations in which the VPN traffic itself must be NATed; that will be explained later.