Re: ASA's basics
#11
Webmaster
Joined: 2007/6/10
From Dallas, TX

RAVPN Users authentication against LDAP server


Failover configuration where there are two LDAP servers which may be used, "LDAP-SERVER-IPADDRESS1" and "LDAP-SERVER-IPADDRESS2", and where you wish to implement your own LDAP server to authenticate your RAVPN users:
- This should NOT be done through the Outside Interface unless tunneling is used!!

ASA LDAP Configuration


aaa-server LDAPAuth protocol ldap
aaa-server LDAPAuth (<InterfaceName>) host <LDAP-SERVER-IPADDRESS1>
 ldap-base-dn DC=<PREFIX>,DC=<DOMAIN>,DC=<COM>,DC=<LOCAL>
 ldap-scope subtree
 ldap-naming-attribute <samAccountName>
 ldap-login-password <samPassword>
 ldap-login-dn CN=<CN>,OU=<OU>,DC=<PREFIX>,DC=<DOMAIN>,DC=<COM>,DC=<LOCAL>
 ldap-over-ssl enable
 server-port 636
 server-type auto-detect
aaa-server LDAPAuth (<InterfaceName>) host <LDAP-SERVER-IPADDRESS2>
 ldap-base-dn DC=<PREFIX>,DC=<DOMAIN>,DC=<COM>,DC=<LOCAL>
 ldap-scope subtree
 ldap-naming-attribute <samAccountName>
 ldap-login-password <samPassword>
 ldap-login-dn CN=<CN>,OU=<OU>,DC=<PREFIX>,DC=<DOMAIN>,DC=<COM>,DC=<LOCAL>
 ldap-over-ssl enable
 server-port 636
 server-type auto-detect
! server-port 636 is set explicitly above: ldap-over-ssl enable does not
! change the default LDAP port (389) on its own
!
access-list split_acl standard permit <Network> <SubnetMask>
access-list split_acl standard permit <Network2> <SubnetMask>
!access-list split_acl standard permit 184.132.245.160 255.255.255.248
!access-list split_acl standard permit 184.132.245.168 255.255.255.248
!
ip local pool VPNpool <IPRange-Range> mask <SubnetMask>
!ip local pool VPNpool 192.168.1.1-192.168.1.62 mask 255.255.255.0
!
group-policy LDAP_group internal
group-policy LDAP_group attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_acl
 address-pools value VPNpool
 vpn-simultaneous-logins 4
!
tunnel-group tunnel type remote-access
tunnel-group tunnel general-attributes
 address-pool VPNpool
 authentication-server-group LDAPAuth
 default-group-policy LDAP_group

Definitions

Attribute       Definition
CN              Common Name: the name of a person, system, or other entity
OU              Organizational Unit: the subgroup within the organization (O)
O               Organization: the name of the company, institution, agency, association or other entity
L               Locality: the city or town where the organization is located
SP              State/Province: the state or province where the organization is located
C               Country: the two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.
EA              E-mail address
T               Title
N               Name
GN              Given Name
SN              Surname
I               Initials
GENQ            Generational Qualifier
DNQ             Domain Name Qualifier
UID             User Identifier
UPN             User Principal Name
SER             Serial Number
use-entire-name Use entire DN name
Posted on: 2012/1/9 16:17
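The two cautions in the LDAP post above (do not reach the directory through the outside interface unless it is tunneled, and bind over SSL) are easy to lose in a long running config. The following script, added here as an example and not code from the post or from Cisco, parses the `aaa-server ... host` blocks of an ASA configuration and flags a host reached via `outside`, a cleartext bind (no `ldap-over-ssl enable`), or SSL enabled without `server-port 636` (the ASA keeps the default port 389 unless that command is present). The sample configuration, the hostnames and the addresses are constructed.

```python
"""Lint the 'aaa-server ... host' blocks of an ASA configuration for the
points raised in the LDAP post: no LDAP through the outside interface
(unless tunneled) and LDAP over SSL on port 636.
Added example, not code from the post; the sample config is constructed."""
import re

# Constructed sample: the first host follows the post's template, the second
# is deliberately misconfigured (outside interface, cleartext LDAP).
SAMPLE_CONFIG = """\
aaa-server LDAPAuth protocol ldap
aaa-server LDAPAuth (inside) host 10.0.0.10
 ldap-base-dn DC=corp,DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=svc-asa,OU=Service,DC=corp,DC=example,DC=local
 ldap-over-ssl enable
 server-port 636
 server-type auto-detect
aaa-server LDAPAuth (outside) host 203.0.113.10
 ldap-base-dn DC=corp,DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=svc-asa,OU=Service,DC=corp,DC=example,DC=local
 server-type auto-detect
"""

HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)\s*$")


def parse_aaa_hosts(config):
    """Return one dict per 'aaa-server <group> (<if>) host <addr>' line,
    collecting the indented sub-commands that follow it as attrs."""
    hosts = []
    current = None
    for line in config.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"group": m.group(1), "interface": m.group(2),
                       "host": m.group(3), "attrs": {}}
            hosts.append(current)
        elif current is not None and line.startswith(" "):
            parts = line.strip().split(None, 1)
            current["attrs"][parts[0]] = parts[1] if len(parts) > 1 else ""
        else:
            current = None  # any other top-level command ends the block
    return hosts


def lint_ldap_hosts(hosts, tunneled_interfaces=()):
    """Return (host, finding) pairs. Interfaces named in tunneled_interfaces
    are assumed to carry a tunnel and are not flagged as 'outside'."""
    findings = []
    for h in hosts:
        a = h["attrs"]
        iface = h["interface"].lower()
        if iface == "outside" and iface not in tunneled_interfaces:
            findings.append((h["host"], "LDAP reached via the outside interface"))
        if a.get("ldap-over-ssl") != "enable":
            findings.append((h["host"], "cleartext LDAP bind (no ldap-over-ssl)"))
        elif a.get("server-port", "389") != "636":
            # ldap-over-ssl does not change the port; 389 stays the default.
            findings.append((h["host"], "ldap-over-ssl enabled but server-port is not 636"))
    return findings


if __name__ == "__main__":
    for host, problem in lint_ldap_hosts(parse_aaa_hosts(SAMPLE_CONFIG)):
        print(f"{host}: {problem}")
```

Run it against the output of `show running-config aaa-server` pasted into `SAMPLE_CONFIG`; the tunneled_interfaces argument exists so that an outside-facing server reached over a site-to-site tunnel can be whitelisted deliberately rather than silently.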
Re: ASA's basics
#12
Webmaster

DNS


If DNS appears to be an issue once connected to a VPN tunnel, such as when the user is using a Mac OS X client, the following will be required:

dns domain-lookup outside
dns name-server x.x.x.x x.x.x.x x.x.x.x
!
group-policy WebVPNPolicy attributes
dns-server value 4.2.2.1 4.2.2.2 
!
group-policy RA_VPN attributes
dns-server value x.x.x.x x.x.x.x

You may change the DNS servers to those which you are authorized to use and trust.
Posted on: 2012/1/9 16:19
Re: ASA's basics
#13
Webmaster

Failover


Here is a basic config example for a regular Active/Standby setup on a Cisco ASA (7.0+):

Primary (Active Unit)
interface Ethernet0/0
 ip address 60.60.60.60 255.255.255.0 standby 60.60.60.61
exit
failover lan unit primary
failover lan interface failover Management0/0
failover interface ip failover 10.70.0.1 255.255.255.0 standby 10.70.0.2
interface Management0/0
 no shutdown
exit
! 'failover' is what actually turns failover on; without it the unit stays standalone
failover
wr mem

Secondary (Standby Unit)
interface Ethernet0/0
 ip address 60.60.60.60 255.255.255.0 standby 60.60.60.61
exit
failover lan unit secondary
failover lan interface failover Management0/0
failover interface ip failover 10.70.0.1 255.255.255.0 standby 10.70.0.2
interface Management0/0
 no shutdown
exit
failover
wr mem

Please ensure the Management0/0 interface is up on both units. Everything else is pretty much a standard configuration as far as the config is concerned.
Standard output of sh failover

hostname-5510# sh failover
Failover On 
Failover unit Primary
<snip>
        This host: Primary - Active 
<snip>
Posted on: 2012/1/9 16:19
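The `sh failover` output quoted in the failover post is what an operator (or a monitoring job) reads to confirm the pair is really in Active/Standby. The script below, an added example that is not from the post or from Cisco, parses that output into a small state dict and lists anything that means the pair is degraded: failover switched off, the failover LAN link down, no unit in `Active`, no peer in `Standby Ready`, or the primary no longer being the active unit (which means a failover has happened). The sample output is constructed to follow the ASA's layout and carries only the fields the check reads.

```python
"""Parse 'show failover' output and report anything that means the
Active/Standby pair is not healthy. Added example, not from the post; the
sample output is constructed with only the fields this check reads."""
import re

SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Last Failover at: 09:12:33 CDT Jan 9 2012
        This host: Primary - Active
                Active time: 8421 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+?)\s*$")
LAN_RE = re.compile(r"^Failover LAN Interface: (\S+) (\S+) \((\w+)\)")


def parse_show_failover(text):
    """Return the failover switch, this unit's configured role, the LAN
    failover link (name, state) and each host's (role, state)."""
    state = {"enabled": None, "unit": None, "lan_link": None,
             "this_host": None, "other_host": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover On"):
            state["enabled"] = True
        elif line.startswith("Failover Off"):
            state["enabled"] = False
        elif line.startswith("Failover unit "):
            state["unit"] = line.split()[-1]
        else:
            m = LAN_RE.match(line)
            if m:
                state["lan_link"] = (m.group(2), m.group(3))
                continue
            m = HOST_RE.match(line)
            if m:
                key = "this_host" if m.group(1) == "This" else "other_host"
                state[key] = (m.group(2), m.group(3))
    return state


def failover_problems(state):
    """List human-readable problems; an empty list means the pair is healthy."""
    problems = []
    if state["enabled"] is not True:
        problems.append("failover is not enabled")
    if state["lan_link"] and state["lan_link"][1] != "up":
        problems.append(f"failover LAN link {state['lan_link'][0]} is {state['lan_link'][1]}")
    hosts = [h for h in (state["this_host"], state["other_host"]) if h]
    states = {h[1] for h in hosts}
    if "Active" not in states:
        problems.append("no unit is Active")
    if "Standby Ready" not in states:
        problems.append("no unit is Standby Ready (peer failed or not detected)")
    # Run on the primary, a healthy pair shows this host as Active; anything
    # else means a failover has occurred and should be looked at.
    if state["unit"] == "Primary" and state["this_host"] and state["this_host"][1] != "Active":
        problems.append("primary unit is not Active; a failover has occurred")
    return problems


if __name__ == "__main__":
    st = parse_show_failover(SAMPLE_SHOW_FAILOVER)
    print(st)
    print(failover_problems(st) or "pair is healthy")
```

Feed it the full `show failover` text (the `<snip>` parts in the post are harmless; unknown lines are ignored) and alert on a non-empty problem list.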
Re: ASA's basics
#14
Webmaster

DoS/DDoS Mitigation Technique


Port 80 Rate Limitations


Please keep in mind these thresholds are low and may need to be modified to fit your requirements.
access-list port80-connections extended permit tcp any any eq 80
 
class-map port80-connections
 match access-list port80-connections
 
policy-map port80-policy
 class port80-connections
  set connection per-client-embryonic-max 30
  set connection per-client-max 20
 
service-policy port80-policy interface outside

IP Rate Limitations


Please keep in mind these thresholds are low and may need to be modified to fit the requirements of the customer.
access-list IP-connections extended permit ip any any
 
class-map IP-connections
 match access-list IP-connections
 
policy-map IP-policy
 class IP-connections
  set connection per-client-embryonic-max 30
  set connection per-client-max 20
 
service-policy IP-policy interface outside

Regex Pattern Blockage


This is not a tutorial on regular expressions (regex).
The regular expression to be caught for this example would be equivalent to "http://www.example.com/BOT":
regex block_BOT "/BOT"
 
class-map type inspect http match-any block-url-class
 match request uri regex block_BOT
 
policy-map type inspect http block-url-policy
 parameters
  class block-url-class
  drop-connection log
 
policy-map global_policy
 class inspection_default
  inspect http block-url-policy
 
service-policy global_policy global

threat-detection


More information may be found on Cisco's site.
threat-detection basic-threat
threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100
threat-detection scanning-threat shun duration 20
threat-detection statistics
threat-detection statistics port
Posted on: 2012/1/9 16:20
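The two `set connection` thresholds in the rate-limitation sections above count different things, and the post is right that the numbers need adjusting. This added example, not code from the post or from Cisco, models a per-client limiter over a constructed burst of SYNs so the effect of a given pair of values can be seen before it is deployed. It assumes that a half-open (embryonic) connection counts toward `per-client-max` as well as toward `per-client-embryonic-max`, that hitting the embryonic limit makes the ASA answer the SYN itself (TCP intercept) rather than drop it, and that hitting `per-client-max` drops the new connection; the client address and event stream are constructed.

```python
"""Model what the post's two per-client thresholds count, so the effect of
choosing them can be seen before deploying. Added example, not from the post.
Assumptions (labelled, not taken from the page): an embryonic connection
counts toward per-client-max as well as per-client-embryonic-max; exceeding
the embryonic limit triggers TCP intercept instead of a drop; exceeding
per-client-max drops the new connection."""
from collections import Counter


class PerClientLimiter:
    def __init__(self, per_client_max, per_client_embryonic_max):
        self.per_client_max = per_client_max
        self.embryonic_max = per_client_embryonic_max
        self.conns = {}  # conn_id -> (client, "embryonic" | "established")

    def _count(self, client, state=None):
        return sum(1 for c, s in self.conns.values()
                   if c == client and (state is None or s == state))

    def handle(self, event):
        """event is (kind, client, conn_id); returns the decision taken."""
        kind, client, cid = event
        if kind == "syn":
            if self._count(client) >= self.per_client_max:
                return "drop"        # per-client-max reached: new conn dropped
            if self._count(client, "embryonic") >= self.embryonic_max:
                return "intercept"   # ASA proxies the handshake; not a conn yet
            self.conns[cid] = (client, "embryonic")
            return "allow"
        if kind == "established":
            # Handshake completed, either directly or through intercept.
            self.conns[cid] = (client, "established")
            return "allow"
        if kind == "close":
            self.conns.pop(cid, None)
            return "closed"
        return "ignore"


def simulate(events, per_client_max, per_client_embryonic_max):
    """Run the events through a fresh limiter and count the decisions."""
    lim = PerClientLimiter(per_client_max, per_client_embryonic_max)
    return Counter(lim.handle(e) for e in events)


# Constructed burst: one client opens 25 connections, completing none.
SYN_FLOOD = [("syn", "198.51.100.7", i) for i in range(25)]

if __name__ == "__main__":
    print(simulate(SYN_FLOOD, 20, 30))   # the post's values
    print(simulate(SYN_FLOOD, 50, 10))   # embryonic limit below per-client-max
```

Under these assumptions the post's values (`per-client-max 20`, `per-client-embryonic-max 30`) mean the client hits the hard connection cap at 20 and TCP intercept never engages, because a single client can never hold 30 half-open connections; if half-open protection is the goal, the embryonic limit has to sit below the total limit, as the second run shows.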
Re: ASA's basics
#15
Webmaster

ASA - SYSLOG - Linux


Enabling SYSLOG on a RHEL5 server to accept remote SYSLOG from the ASA on the "INSIDE" interface of the ASA, where the SYSLOG server is behind the ASA.
ASA:
This ASA has been configured in Routed Mode. This example will NOT work with a transparent firewall.
10.0.0.90 - This is the server IP to which the ASA is sending its SYSLOG data.
ASA# sh run logging
logging enable
logging timestamp
logging console warnings
logging buffered warnings
logging trap warnings
logging history warnings
logging host inside 10.0.0.90
route inside 10.0.0.0 255.255.255.0 10.0.0.90 1

Server:

User@InsideHost [~]# cat /etc/syslog.conf
#Kernel logs will be redirected to this file to avoid filling
#/var/log/messages with grsec messages
kern.*                                                  /var/log/kern.log
 
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local4.none                    /var/log/messages
 
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
 
# Log all the mail messages in one place.
local0.notice;local0.debug;mail.*;mail.none;mail.info;local0.info /var/log/maillog
 
# Log cron stuff
cron.*                                                  /var/log/cron
 
# Save boot messages to boot.log
local7.*                                                /var/log/boot.log
 
local4.*                                                /var/log/ASA/firewall.log

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094030.shtml
User@InsideHost [~]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x -c3"

User@InsideHost [~]# cat /etc/logrotate.d/ASA
/var/log/ASA/*log {
        missingok
        compress
        notifempty
        daily
        rotate 10
        create 0600 root root
}

User@InsideHost [~]# touch /var/log/ASA/firewall.log

User@InsideHost [~]# ls /var/log/ASA
./  ../  firewall.log

The SYSLOG server is now ready to accept input for:

local4.*                                                /var/log/ASA/firewall.log

from wherever is allowed through the software firewall.
Verify the port is listening on the host:

[User@InsideHost2 ~]# nmap -sU -p 514 10.0.0.90
 
Starting Nmap 5.00 ( http://nmap.org ) at DATE CDT
Interesting ports on host.com (10.0.0.90):
PORT    STATE         SERVICE
514/udp open|filtered syslog
 
Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
Posted on: 2012/1/9 16:21
Re: ASA's basics
#16
Webmaster

Troubleshooting


Common Errors


Microsoft SQL


Issue being Faced:

Having issues linking 70.70.70.70 to SQL port 1433 on 80.80.80.80. We can telnet to it. Sometimes the connection works, but other times it shows a general network error.
Possible Errors:
[Microsoft][ODBC SQL Server Driver][TCP/IP Sockets]General network error. Check your network documentation.

Description: Unspecified error

Dec 16 xxxx 13:35:16: %ASA-4-419002: Duplicate TCP SYN from outside:70.70.70.70/48797 to inside:80.80.80.80/1433 with different initial sequence number

In many situations, this can be cleared by rebooting the server and the workstation attempting to negotiate the connection. As the firewall's inspection for SQL has been disabled, this should no longer be an issue; however, as the firewall is in transparent mode, there is no method to clear the connection table, so the session data is left to be cleared at the server and the workstation.

Oracle SQL Inspection


If there is a complaint about not being able to connect to an Oracle database traversing the firewall, SQL inspection may need to be disabled:
policy-map global_policy
 class inspection_default
  no inspect sqlnet

MSS Exceeded


HTTP Clients Cannot Browse to Some Web Sites
May have the error of:
%ASA-4-419001: Dropping TCP packet from outside:192.168.9.2/80 to inside:192.168.9.30/1025, reason: MSS exceeded, MSS 460, data 1440

The Fix:
access-list HTTP_MSS_Allow_ACL extended permit tcp any any
class-map MSS_Exceeded_MAP
 match access-list HTTP_MSS_Allow_ACL
exit
tcp-map mss-map
 exceed-mss allow
policy-map MSS_Exceeded_MAP
 class MSS_Exceeded_MAP
  set connection advanced-options mss-map
service-policy MSS_Exceeded_MAP interface outside
end
wr mem

fixup protocol


If there are a lot of DNS queries, and there is an error message stating:
INFO: converting 'fixup protocol dns maximum-length 2303' to MPF commands

As the default is 512, this may need to be increased, such as:
fixup protocol dns maximum-length 2303
Posted on: 2012/1/9 16:22
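The syslog post sets `logging trap warnings` and routes facility local4 into /var/log/ASA/firewall.log, and the troubleshooting post quotes the two `%ASA-4-4190xx` messages that most often explain the SQL and HTTP complaints. The script below is an added example, not code from either post or from Cisco: it parses ASA syslog lines as syslogd writes them into that file, extracts severity, message ID, the from/to 5-tuple and the drop reason, and shows which messages `logging trap <level>` would have forwarded at all (a severity 6 connection-built message, for instance, never reaches the server at `warnings`). The log lines are constructed from the message formats quoted on the page; the ASA and host addresses in them are made up.

```python
"""Parse ASA syslog lines as they land in /var/log/ASA/firewall.log and pull
out the fields needed to triage the connection errors in the troubleshooting
post. Added example, not code from either post; the log lines are constructed
from the message formats quoted on the page."""
import re
from collections import Counter

# Severity keywords as used by 'logging trap <level>' on the ASA.
SEVERITY_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                   "warnings": 4, "notifications": 5, "informational": 6,
                   "debugging": 7}

# Constructed lines: syslogd prefix (date, host) followed by the ASA message.
SAMPLE_LINES = [
    "Jan  9 16:21:05 10.0.0.1 %ASA-4-419002: Duplicate TCP SYN from outside:70.70.70.70/48797 to inside:80.80.80.80/1433 with different initial sequence number",
    "Jan  9 16:21:06 10.0.0.1 %ASA-4-419001: Dropping TCP packet from outside:192.168.9.2/80 to inside:192.168.9.30/1025, reason: MSS exceeded, MSS 460, data 1440",
    "Jan  9 16:21:07 10.0.0.1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:70.70.70.70/48798 (70.70.70.70/48798) to inside:80.80.80.80/1433 (80.80.80.80/1433)",
    "Jan  9 16:21:08 10.0.0.1 kernel: unrelated line that is not from the ASA",
]

MSG_RE = re.compile(r"%ASA-(\d)-(\d{6}): (.*)$")
FLOW_RE = re.compile(r"(?:from|for) (\w+):([\d.]+)/(\d+).*? to (\w+):([\d.]+)/(\d+)")
REASON_RE = re.compile(r"reason: (.*)$")


def parse_asa_line(line):
    """Return a record dict for an ASA message, or None for any other line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"severity": int(m.group(1)), "msg_id": m.group(2),
           "text": m.group(3), "src": None, "dst": None, "reason": None}
    f = FLOW_RE.search(rec["text"])
    if f:
        rec["src"] = (f.group(1), f.group(2), int(f.group(3)))   # (iface, ip, port)
        rec["dst"] = (f.group(4), f.group(5), int(f.group(6)))
    r = REASON_RE.search(rec["text"])
    if r:
        rec["reason"] = r.group(1)
    return rec


def passes_trap_level(rec, level="warnings"):
    """True if 'logging trap <level>' would have sent this message."""
    return rec["severity"] <= SEVERITY_LEVELS[level]


def summarize(lines, level="warnings"):
    """Count (message ID, destination host) among the messages the ASA
    forwards at the given trap level, to spot a server that keeps showing
    up in 4190xx drops."""
    counts = Counter()
    for line in lines:
        rec = parse_asa_line(line)
        if rec and passes_trap_level(rec, level):
            dst = rec["dst"][1] if rec["dst"] else "-"
            counts[(rec["msg_id"], dst)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LINES).items():
        print(key, n)
```

Point it at the real file (`open("/var/log/ASA/firewall.log")`) instead of `SAMPLE_LINES`; because the parser searches for `%ASA-` rather than anchoring on the line start, it copes both with syslogd's own prefix and with the extra timestamp the ASA adds when `logging timestamp` is set.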