Cisco ASA setting up port forwarding using ASDM – Minecraft example

To set up port forwarding on a Cisco ASA (5505 and 5506 in my case, but the same applies to any PIX-type Cisco firewall) you need to set up a NAT translation rule and Access rules.

I mainly use ASDM for making changes as opposed to the command line. See Cisco ASA 5506 (and 5505, 5510) Basic Setup for details on setting up access.

The example given here is for port forwarding to a Minecraft server on the internal network at IP address 192.168.0.7 but is applicable to any device you want to make available on the internet.

Setting up the NAT rule:

Go to Configuration, Firewall, NAT Rules.

On the right-hand side you should see a list of Network Objects – adding a network object is the easiest way to add a port forwarding NAT rule. Click Add above the list.

Enter the name of the network object – this can be anything you like but should be descriptive of the type of server and service.

Select Host for the Type.

Enter the IP address of the server – the internal IP.

Click on the NAT heading at the bottom to expand the NAT options.

Tick the Add Automatic Address Translation Rules option.

Select Static for the Type.

Select your ‘outside’ interface for the Translated Address.

[Screenshot: Cisco_PFW1]

Then click Advanced.

Source Interface should be set to Any.

Destination Interface should be set to your ‘outside’ interface.

At this point you can specify the service ports to be used under the Real Port and Mapped Port options, or you can leave them blank if you are happy for any service to be used.

You may want to allow any service if you have a range of external IP addresses that you can use. You can assign a single external static IP to your internal server and set the NAT rule to Any service. This does not mean that you are allowing access on any port to the server, as you still have to set up Access rules to allow traffic through – you are just allowing translation on any port from the ASA to the internal server.

[Screenshot: Cisco_PFW2]

In my case I only have one external IP address, so I need to specify specific ports, as I also want to run a web server from a different internal machine and I may add other devices in future.

In the example above I have a Minecraft server which needs to allow access on port 25565, so that’s what I enter for the Real and Mapped ports (the real port is the one being hit on the outside interface; you can map to a different port on the internal server if you wish).

I also need to setup port forwarding for UDP port 25565 – Minecraft server requires both TCP and UDP protocols on port 25565.

So I setup a separate network object for the UDP port forwarding:

[Screenshot: Cisco_PFW3]

[Screenshot: Cisco_PFW4]

Unfortunately you cannot choose tcp/udp when setting up NAT rules, so you have to create two rules in this example – as mentioned earlier, if you have a number of external IP addresses available then you could set the service to Any and control ports using Access rules. You would then have just one NAT rule and one Access Rule (access rules allow you to specify tcp/udp).

You should now see something like this in your NAT rules list (note I also have my web server rule on port 80 (http) listed here as well):

[Screenshot: Cisco_PFW5]

Also note the general NAT rule at the bottom for translating internal addresses to external addresses for general browsing etc. See: Cisco ASA 5506 (and 5505, 5510) Basic Setup

Setting up Access Rules:

Go to Configuration, Firewall, Access Rules.

Select the ‘outside’ interface and select Add.

The interface should be set to ‘outside’.

The Action should be set to Permit.

The Source should be set to Any – you want everyone to be able to access your server.

Set the Destination to the Network Object you created under the NAT rules.

Under Service click the ellipsis (…) button.

In this example we need to create a new Service Object corresponding to the port required (25565).

Under the Add option select Service Object.

Enter a Name of your choice.

Select the Service type.

The destination port should be set to the Real port you are forwarding.

Leave the source port as the default – machines connecting may use any port in the allowable range to connect to a service on the internet so you have to cater for any port.

Click OK, make sure the Service Object you just created is selected and click OK.

[Screenshot: Cisco_PFW6]

[Screenshot: Cisco_PFW7]

Click OK and Apply to set your new Access Rule.

We also need to setup a separate rule for the UDP port 25565 that we also need to forward:

[Screenshot: Cisco_PFW8]

[Screenshot: Cisco_PFW9]

As mentioned before in the case of using a NAT rule covering any service you can add just one Access Rule that covers both tcp and udp.

You should now have an Access Rules screen that looks something like this:

[Screenshot: Cisco_PFW10]

Make sure you click Apply and you are all done.

Remember that any firewall on your servers also has to be set to allow traffic on the port you have forwarded.
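As an added example that is not from the original post, here is the same port-forwarding setup as ASA command-line configuration (8.3 or later object NAT syntax), which is what ASDM writes into the running config behind the scenes. The object names MINECRAFT_TCP and MINECRAFT_UDP and the access-list name outside_access_in are my own choices; the server address and port are the ones used above.

```cisco
! Added example: CLI equivalent of the ASDM port-forwarding rules above (ASA 8.3+).
! Object names MINECRAFT_TCP / MINECRAFT_UDP and access-list outside_access_in are
! assumed names; 192.168.0.7 and port 25565 are the values from the text.

! TCP 25565 - one network object per protocol, because object NAT cannot match
! tcp and udp in a single rule (this is the two-rule situation described above).
! "service tcp 25565 25565" is real port first, mapped port second.
object network MINECRAFT_TCP
 host 192.168.0.7
 nat (any,outside) static interface service tcp 25565 25565

! UDP 25565 - second object pointing at the same host
object network MINECRAFT_UDP
 host 192.168.0.7
 nat (any,outside) static interface service udp 25565 25565

! Access rules on the outside interface. From 8.3 onward the ACL is written against
! the real (inside) address and real port, so the destination is the object, not the
! outside interface address. Everything not listed is dropped by the implicit deny.
access-list outside_access_in extended permit tcp any object MINECRAFT_TCP eq 25565
access-list outside_access_in extended permit udp any object MINECRAFT_UDP eq 25565
access-group outside_access_in in interface outside

! Checks after "write memory": the two static translations should be listed in
! section 2 of "show nat", ahead of any dynamic PAT rule.
show nat
show running-config access-list outside_access_in
```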

 

Cisco ASA 5506 (and 5505, 5510) Basic Setup

I recently acquired a Cisco ASA 5506-X unit to use as my main router for my fibre broadband connection and thought I should detail the basic setup of these units to get you connected.

Occasionally I delve into the Cisco IOS command line, but normally I just use the ASDM management GUI so that’s what I’ll use for the rest of this article.

The first thing to note is that the 5505 and 5506 units have 8 ports, the 5510 has 4 ports. Any port can be configured as a WAN side port or LAN side port or another type of port (failover between 2 units for example).

However, only the 5505 unit can use a set of ports in switching or bridging mode – enabling you to set up 1 port for the WAN connection and 7 ports as a LAN side switch where you can connect all your equipment. For some reason Cisco decided not to include this functionality in the newer 5506 units and there is some consternation about this decision and debate as to whether they can physically include that functionality in a future software release – a lot of people will upgrade to the 5506 to gain gigabit speeds (the 5505 is a 100 Mbit unit only) expecting it to function the same as the 5505 but will be disappointed. So for now you have to use the 5506 as a standard router with 1 port for WAN and 1 port for LAN connected to a separate switch (an 8 port gigabit switch is pretty cheap anyway).

Although you do lose the ability to do switching you do gain in terms of licensing – the basic license for a 5505 unit does not include trunking and failover. It also limits the number of inside hosts to 10. The 5506 units basic licensing includes unlimited inside hosts and trunking via sub-interfaces. You still have to pay extra for failover though.

5505 licensing: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/license.html

5506 licensing: http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/intro-license.html

Connecting to the management interface:

To connect to the router there is a separate management port, usually set to IP 192.168.1.1. To connect, change your network adapter’s IP address to an IP within that range, e.g. 192.168.1.5, with a Class C subnet mask: 255.255.255.0.

In your browser go to the address https://192.168.1.1 and you will be prompted to download the ASDM software package. Note: you may be prompted for a username and password – enter the standard enable_15 for the username; the password should be blank if the unit is at factory default (to factory default an ASA unit, connect to the console using the console lead supplied and the PuTTY terminal program, log on with enable_15, then run config terminal and configure factory-default). You will need the Java runtime installed on your machine in order to use ASDM, and you may get problems with newer versions of Java regarding certificates. Usually you can just ignore certificate warnings, but if you do get problems Java 7 release 45 is the version that works without any problems.

For more details on this go to the Cisco site: http://www.cisco.com/c/en/us/td/docs/security/asdm/7_3/release/notes/rn73.html and see the Java and Browser compatibility section.

Or set up a self-signed certificate: http://www.cisco.com/c/en/us/td/docs/security/asdm/identity-cert/cert-install.html which you install into the Java software certificates list.

Setting up the WAN interface:

Most broadband connections will require you to authenticate with the ISP’s servers using the PPPoE protocol (point-to-point protocol over ethernet: https://en.wikipedia.org/wiki/Point-to-point_protocol_over_Ethernet).

In ASDM go to Configuration, Interface Settings, Interfaces and edit port 1 (GigabitEthernet1/1).

Give the Interface a name – I usually choose ‘outside’ for the WAN link and ‘inside’ for the LAN link but you can choose whatever you like.

Make sure the Security Level is set to zero.

Make sure the interface is enabled.

Under the IP Address section you can choose PPPoE and fill out the relevant details that you would have obtained from your ISP. You may have a different setup to mine and your ISP may use a different method of connecting you e.g. DHCP, in which case choose the method that is relevant to your situation.

Here’s a screenshot:

[Screenshot: Cisco_WAN1]

Scroll down until you see the IP Address and Route Settings button. You don’t need to tick the Store Username and Password in local flash option. Type in the settings according to your ISP’s setup (usually you would obtain IP and default gateway information automatically – even if you have a static IP setup with your ISP):

[Screenshot: Cisco_WAN2]

Click on the Advanced tab and check the MTU setting – the default is 1500 but you may need to change this, again depending on your ISP’s setup. With BT in the UK I need to set it to 1492, which is the standard setting for PPPoE connections. See here for more info: https://en.wikipedia.org/wiki/Maximum_transmission_unit

[Screenshot: Cisco_WAN3]

There are obviously loads of other settings here because a Cisco router can basically connect to anything if setup correctly but these should be the only changes you need to make for a standard broadband connection.

If you go back to the Home screen you should see the ‘Outside’ interface change from Down to Up and the ISP’s IP address will appear together with the network mask. Note: this may take a few seconds to appear.

Setting up the LAN interface:

On the interfaces page choose a port to use as the LAN port – usually port 2 (GigabitEthernet 1/2) and click edit.

Give an interface name – ‘inside’ in my case.

Make sure the security level is set to a higher number than was given for the WAN port – 50 is the default. With the ‘Outside’ interface set to zero this setting will ensure that no traffic will be allowed between the ‘Inside’ and ‘Outside’ interfaces unless explicitly allowed by NAT and Firewall Access rules – by default the router does not allow traffic to pass between higher and lower security levels.

Make sure the enable interface option is ticked.

Choose a static IP and fill in the IP address and Subnet mask – this is a number on your internal network. In my case I use the IP range 192.168.0.1-256 (a class C address range with subnet mask 255.255.255.0) but you can choose any range designated for private use. See: https://en.wikipedia.org/wiki/Private_network. It is also possible to use any valid IP range as these numbers are never routed to the outside world but the convention is to use a private range specifically designated for this purpose.

Note: the number you choose here will be your default gateway for all local connections.

[Screenshot: Cisco_LAN1]

Allowing PING:

By default the Cisco ASA allows the router to be pinged on the ‘Outside’ interface. If you wish to block this you can do so by adding a Management Access Rule.

Go to Configuration, Device Management, Management Access, ICMP and click Add.

Set the ICMP Type to Any.

Set the Interface to ‘Outside’.

Set the Action to Deny.

Set the IP address and the Mask to Any or 0.0.0.0.

[Screenshot: Cisco_PING1]

By default the Cisco ASA does allow you to ping external addresses (see default Firewall Access Rules below) but will NOT allow the reply from the PING to be routed back. There are two ways of adding this functionality:

The first method is to change the Default Service Policy Rules – go to Configuration, Firewall, Service Policy Rules. There should be a Default Inspection rule listed – hit Edit.

Go to the Rule Actions tab.

Tick the ICMP option and click OK and Apply.

This will now allow the PING replies (echo replies) to be routed back.

The second method involves adding a Firewall Access Rule – go to Configuration, Firewall, Access Rules.

Select the ‘Outside’ interface section and click Add.

Select permit for the Action.

Source will be Any.

Destination will be Any.

The services should be set to ‘icmp/echo-reply’.

Again this will now allow the PING replies (echo replies) to be routed back.

[Screenshot: Cisco_PING3.png]

I prefer the second method as it separates the default rules from the ones you have added and keeps your rules listed under one section in the Firewall Access Rules.

Setting up the DHCP server:

Your next task is to setup the DHCP server which assigns addresses from your local network address range when devices try to connect.

Go to Configuration, Device Management, DHCP, DHCP Server.

This will list the interfaces you have created on the ASA – ‘inside’, ‘outside’ and the ‘management’ interface that was automatically setup (with a DHCP range already allocated to it).

We want to setup a DHCP server for the ‘inside’ interface so select that interface and click Edit.

Tick the ‘Enable DHCP Server’ option and enter an IP range for the pool of addresses the DHCP server should use. In our case I have chosen 192.168.0.10 to 192.168.0.100.

Don’t enter your inside interface’s address (192.168.0.1) as part of the pool – that needs to stay as a static IP.

Cisco routers do not allow address reservation. This is a function on most consumer broadband routers that allows you to reserve a particular IP for a device from the DHCP range according to the device’s MAC address. This is useful if later on you want to use port forwarding to the device – you need the IP of the device not to change over time, otherwise your port forwarding and routing rules, which have been specified for a particular internal IP address, will not work. This is an essential requirement if you want to host a server behind your router – web server, Minecraft server etc.

When using Cisco routers you have to set the device’s IP statically on the devices themselves – usually in their network adapter settings. I need a number of these static IPs set up – Wi-Fi access point, NAS drive, Minecraft server etc. So I have started my address range at 10 so that I can use the IPs 192.168.0.2-9 as static IPs on these devices. If I need any more in future I can change the DHCP range or use the numbers above 100. My DHCP addresses will only be used for roaming devices – mobiles, laptops, iPads etc.

You also need to enter the DNS server addresses that your DHCP clients will use. This can be an internal DNS server or, more likely, your ISP’s DNS servers. In my case I use OpenDNS:

[Screenshot: Cisco_DHCP1.png]

Setting up NAT translation:

In order for your devices to be able to communicate to the outside world you need to setup some kind of translation to and from the external IP address and your internal IP addresses. You achieve this using a NAT rule.

The router uses NAT rules to substitute source and destination addresses as required – this enables you to use a single IP address on the ‘outside’ interface and a range of addresses on the ‘inside’ interface.

Go to Configuration, Firewall, NAT Rules and click Add.

Set the source interface to ‘Inside’.

Source address, destination address and service should all be set to ‘any’.

Under the Translated Packet section the Source NAT type should be ‘Dynamic PAT (Hide)’ and source address should be ‘Outside’.

Destination address and service should be set to Original.

Make sure the ‘Enable rule’ box is ticked.

[Screenshot: Cisco_NAT1.png]

Your NAT screen should look something like the image below. I have added a port forwarding NAT rule just to illustrate where the NAT rule should be positioned – it should always be at the bottom of the list, otherwise your port forwarding rule would override it. For port forwarding rules read my article here: Cisco ASA Port forwarding.

[Screenshot: Cisco_NAT2.png]

Configuring NAT rules guide: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/cfgnat.html

Setting up Firewall Access Rules:

This NAT rule you added above will translate any ‘inside’ IP addresses to the ‘outside’ address for any service. But the router will still abide by the Firewall Access Rules (Configuration, Firewall, Access Rules).

By default the Cisco ASA will allow all outbound traffic so in reality you don’t need to change anything after adding the NAT rule. But just to check here is the default Access Rules screen:

[Screenshot: Cisco_FW1.png]

At the bottom is a Global rule that denies all traffic (hence IP as the service) – both Inbound and Outbound.

The rule under the ‘Inside’ interface allows any IP traffic from the Inside interface to any less secure network i.e. any interface with a lower security level – we set the ‘Outside’ interface to security level 0 and the ‘Inside’ to level 50 so this rule will allow traffic to pass through the ‘Outside’ interface.

You can of course block all outbound traffic by denying access on the ‘Inside’ interface rule. And you can then explicitly allow traffic for individual services above this rule, e.g. add a rule to allow http traffic only – this would allow inside devices to browse to websites on port 80 (http) and nothing else, not even https (port 443).

To allow incoming traffic you would add rules to the ‘Outside’ interface section e.g. allow http (port 80) traffic to an internal web server address (192.168.0.2 for instance – you would also have to setup port forwarding NAT rules for this to work fully – see my Cisco ASA Port Forwarding article).

Setting Time:

Time is a critical component for the router so you should make sure the ASA is getting the correct time from the internet.

To set a time server go to Configuration, Device Setup, System Time.

You can set the time under the Clock section.

To set the NTP server go to the NTP section and click Add.

I prefer to use the NTP.ORG servers – unfortunately you cannot put a host name in here, you have to use an IP.

So ping pool.ntp.org first to obtain the correct IP number: 129.250.35.251 in my case, and enter that in the IP address field.

Tick the preferred box.

Set the interface to Outside (you can set it to an internal time server if you wish).

Click OK and Apply.

[Screenshot: Cisco_NTP1.png]

That’s about it, you now have a fully functioning router that is connecting to your ISP automatically, allowing internal devices to obtain IP numbers, allowing outbound traffic, denying inbound traffic, allowing pinging outbound and allowing pinging externally to the router.

Going forward you should make sure you keep your router up-to-date with the latest firmware and ASDM version. I find it easiest to download the update images from the Cisco server to a local drive and then use the ASDM ‘Upgrade from Local Computer’ option under the Tools menu.

And one final thing – backup your configuration using Tools, Backup Configurations. Do this now and before you do any upgrades.
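The basic setup above, written out as the equivalent ASA command-line configuration (8.3 or later NAT syntax). This is an added example, not the article’s own config: the ISP credentials, the VPDN group name ISP_PPPOE, the object name INSIDE_NET, the access-list name outside_access_in and the OpenDNS resolver addresses are assumptions, while the interface names, security levels, addresses, DHCP range, MTU and NTP server come from the text.

```cisco
! Added example: the article's basic setup as ASA CLI (8.3+). Placeholders:
! YOUR_ISP_USERNAME / YOUR_ISP_PASSWORD, vpdn group ISP_PPPOE, object INSIDE_NET,
! access-list outside_access_in, OpenDNS resolvers. All other values are from the text.

! --- WAN: PPPoE on GigabitEthernet1/1, security level 0 ---
vpdn group ISP_PPPOE request dialout pppoe
vpdn group ISP_PPPOE localname YOUR_ISP_USERNAME
vpdn group ISP_PPPOE ppp authentication chap
vpdn username YOUR_ISP_USERNAME password YOUR_ISP_PASSWORD
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 pppoe client vpdn group ISP_PPPOE
 ip address pppoe setroute
 no shutdown
! "setroute" installs the default route learned from the ISP. With a static WAN
! address you would instead add:  route outside 0.0.0.0 0.0.0.0 <ISP gateway>
! PPPoE takes 8 bytes of the frame, hence 1492 rather than 1500 (mtu is global, not per-interface)
mtu outside 1492

! --- LAN: GigabitEthernet1/2 at security level 50; this address is the clients' default gateway ---
interface GigabitEthernet1/2
 nameif inside
 security-level 50
 ip address 192.168.0.1 255.255.255.0
 no shutdown

! --- DHCP for roaming devices; .2-.9 are left free for statically addressed servers ---
dhcpd address 192.168.0.10-192.168.0.100 inside
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd enable inside

! --- Outbound PAT behind the single outside address ---
! Written as object NAT (section 2). The ASA evaluates section-2 static rules before
! dynamic ones, so any port-forwarding objects are always checked ahead of this rule,
! which gives the ordering the article asks for without manual rule positioning.
object network INSIDE_NET
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

! --- Inbound policy on outside: only ping replies (the article's second method) ---
! Nothing else is permitted inbound; the implicit deny at the end of the ACL drops the rest.
access-list outside_access_in extended permit icmp any any echo-reply
access-group outside_access_in in interface outside
! First method instead: add "inspect icmp" under "class inspection_default" in "policy-map global_policy"

! --- Stop the outside interface itself answering ping (the Management Access ICMP rule) ---
icmp deny any outside

! --- Time from pool.ntp.org; the IP was resolved by hand because the NTP field takes no hostname ---
ntp server 129.250.35.251 source outside prefer
```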

ASDM Not working after restore – Unable to launch device manager error

I was recently setting up a new ASA 5505 unit from a backup configuration file and after restoring the backup through ASDM I could not connect back again using ASDM.

I received the error message: Unable to launch device manager

Command line console was ok.

Worked out in the end that I had upgraded to the latest ASDM version on the 5505, but when it rebooted it picked up the old original ASDM file as the one to load (this may have been due to not saving the configuration before restoring).

In the command line I just had to set the ASDM version back to the newest version:

config t

asdm image disk0:/asdm-???.bin

e.g.

asdm image disk0:/asdm-713.bin

Then do a:

write mem

You should now be able to logon to asdm as normal.

Cisco VPN Client with Windows 7 and 3g datacards – WWAN support

When we upgraded to Windows 7 we found that our laptops would not connect to our VPN over 3G Datacards using the Cisco VPN Client.

This is due to the Cisco VPN Client software not supporting WWAN devices. Initially we were stunned to learn that the latest VPN Client wasn’t compatible with Windows 7! Subsequently they did release a version – we currently use version 5.0.07.0440. But at the same time they announced that the VPN Client was end of life and that you should be using the AnyConnect client instead (that’s a whole different story, see: http://www.islandearth.com/articles/2013/5/2/cisco-asa-anyconnect-vpn-per-device-ipsecv2-tunnels-using-ce.html)

This meant that WWAN was never going to be supported in the Cisco VPN Client and we could not upgrade to AnyConnect VPN due to our reliance on IPSECv1 VPN Tunnels (see article above).

After much searching we managed to find a solution:

http://community.spiceworks.com/topic/143383-solved-problem-using-cisco-vpn-client-when-connected-over-3g

The problem is apparently to do with a limit on Citrix DNE instrumentation measuring! Quite how this makes the VPN Client work with WWAN cards is beyond me but it does!

Cisco ASA not connecting to the Internet – static route setting

We had to setup a new Cisco ASA 5505 unit on a separate connection – mainly as a backup but also for testing purposes.

We set everything up correctly according to our notes for our primary ASA 5510 units (the interface and software for the 5505 is exactly the same as that for the 5510). But we could not connect to the internet through the ASA – firewall ACL rules were all ok and everything seemed fine but logging showed it was dropping packets destined for outside the LAN.

It turned out that we had forgotten to setup what is probably the most important parameter on the Cisco ASA units – the static route to the next hop router i.e. our ISP’s router!

If you use the ASDM initial configuration Wizard to setup the ASA you don’t get this problem as the next hop question is asked during this process.

To set the static route in ASDM go to:

Configuration -> Device Setup -> Routing -> Static Routes

Add a static route:

[Screenshot: cisco_staticroute.png]

Where Gateway IP is the IP address of your ISP’s router.

Cisco ASA Anyconnect VPN per Device IPSECv2 tunnels using certificates – no failover

After we upgraded from Windows XP to Windows 7 we started getting problems with VPN users not being able to connect or weird things happening (random re-boots!).

We then discovered that Cisco did not support the VPN Client using IPSEC tunnels in Windows 7! We apparently had to use the new Anyconnect VPN tunnels and client software.

Our VPN setup is rather different to the standard VPN setup – most IT Managers setup their VPN on a per user basis (particularly with the newer SSL VPNs). That’s all well and good but what happens if they have been using a communal laptop on the road – we have several laptops that are held as a pool for use by anyone. Our staff logon to these laptops as a standard user called ‘User’ and then connect to the company with VPN using their network username and password. What happens if the laptop is lost or stolen? You have no means of revoking access to the VPN for that laptop. This scenario extends to home users as well who may have had their desktop computer stolen in a house robbery. And, most importantly, this scenario is also relevant for mobile devices which we are increasingly connecting to the VPN system.

Rather than live with this problem we prefer to create a separate tunnel group for each device with its own IPSEC shared secret password. When we are notified we can then delete that tunnel group and know without doubt that the device cannot be used to access our network. We are effectively creating a 2 factor authentication solution – something the user has (a company approved device) and something they know (their username and password). This system also has the added advantage of locking down VPN access to company approved devices only – vitally important to keep the nasties out of your company network.

For our VPN system we have 2 Cisco ASA units working in Active/Standby mode – if one unit fails or is brought down for maintenance the other unit automatically kicks in. On Cisco ASA units with the most up to date software the VPN tunnels do not disconnect when this failover occurs, all IPSEC VPN tunnels stay up. This is a fantastic feature for when we need to update software on the ASAs – we can simply failover and work on the inactive unit without having to inform VPN users, then failback and work on the other unit in the same way – no downtime whatsoever. In addition our 2 units are in different geographic locations with a good point to point link between them. This all provides a very robust service – something we really need with so many users these days on the road or home working in various parts of the world.

Therefore, we wanted to replicate this system with the Anyconnect VPN solution and not suffer the problems with the incompatible VPN client software in Windows 7. But we soon came across a major problem.

Anyconnect VPN relies on IKEv2 or SSL which both require the use of certificates from a certificate authority (CA) rather than shared secrets. This is fine as the Cisco ASA contains a CA server component which you can set up to serve certificates to the VPN tunnel groups. Devices then use a separate certificate according to their device tunnel group. We tested this setup on a lone Cisco ASA 5505 unit before moving the configuration to our production ASA 5510 units that are in Active/Standby mode.

And that’s when the problem became apparent – the Cisco ASA software does not support a Certificate Authority on ASA units setup as Active/Standby units. The only suggestion Cisco could make was to use a Windows based certificate authority but that meant extra servers being tied up as CA servers with failover setup between the 2 – not trivial!

In the end we had to give up. As it turned out, Cisco recognised this as a bug which is still active awaiting resolution see: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsm17487 (You will need a Cisco support username to view this).

In the meantime they did update their IPSECv1 based VPN client to support Windows 7, so we have happily been using that without any problems (current version: 5.0.07.0440) with our IPSECv1 per device VPN setup. However, Cisco have stated that the VPN Client is end of life and will no longer be updated. They recommend you use the Anyconnect client instead – useless advice as we can’t use that because of the CA server failover problem!

MSCHAP-v2 for Cisco ASA VPN connections using Radius on Windows Server 2008

When we upgraded our Windows domain servers to 2008 we found the default authentication methods had changed – PAP/SPAP was no longer enabled by default:

[Screenshot: radius.png]

Consequently our VPN users could not connect as it turned out they were using PAP/SPAP by default.

We wanted to use MS-CHAP-v2 for obvious security reasons, so we needed to find out how to change our VPN tunnel groups on the Cisco ASA unit to use the stronger authentication method.

Within each tunnel group:

Configuration -> Remote Access VPN -> IPSEC (IKEv1) Connection Profiles (or whatever type of VPN you use)

Under Advanced -> Password Management

Enable the password management option:

[Screenshot: password_mgmt.png]

You can also set the password expiration notification here if you use that on your network – this is the Active Directory password expiration i.e. you are prompted every so often to change your network password. If you have users that are permanently on VPN connections then this can be set to warn them well before their expiration so that your IT team does not get calls regarding passwords not working 🙂

The Password Management turns on MS-CHAP-v2 for your VPN connections so you can keep your Radius servers using MS-CHAP-v2 only and ensure you are using the strongest authentication on your VPN connections.

NOTE: Once MS-CHAP-v2 is working you will notice that an extra box appears for the domain in your VPN Client logon dialog box – you should enter your Windows Active Directory root domain in this box.

 

Allowing Traceroute through a Cisco ASA firewall using ASDM

The default settings on a Cisco ASA firewall are to block all traffic including ICMP traffic which is what utilities such as Ping and Traceroute (Tracert on Windows) use.

You will just get ‘Request Timed Out’ messages unless you add an Access Rule to the Cisco ASA firewall.

Using ASDM go to Configuration and then Access Rules.

Add an Incoming Rule to the WAN section and fill in as follows:

WAN, Permit, any, any, icmp/time-exceeded

[Screenshot: Cisco_ASA_Traceroute_Rule.png]

ICMP Time-exceeded is what the Traceroute utility uses to measure response time. See Wiki article:

http://en.wikipedia.org/wiki/Traceroute

 

Command line setup of Cisco VPN on ASA 5500

These VPN setup notes are for an ASA 5500 unit but relate, in general, to all Cisco firewall units:

Notes created 4 December 2008

Assumptions:

Company name: IBM

VPN IP Range: 192.168.100.1-192.168.100.254

VPN IP Subnet Mask: 255.255.255.0

Internal network IP range: 192.168.1.1-192.168.1.254

Internal network IP range subnet mask: 255.255.255.0

Primary DNS server: 192.168.1.100

Secondary DNS server: 192.168.1.101

Radius authentication server IP: 192.168.1.200

Remote access VPN configuration:

You can use the ASDM interface (GUI for Cisco ASA units) to enter details or

For command line input:

Use telnet or Putty as telnet.

At password prompt type ‘cisco’.

Then type ‘enable’ and enter enable password (same one you logon to asdm with).

1. Initial setup of ipsec – you only need to do this once (these 2008 notes use 3DES, SHA-1 and DH group 2, which are now considered weak; on current ASA releases prefer AES and SHA-2 with a larger DH group where the clients support it):

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map dyn1 10 set transform-set ESP-3DES-SHA

crypto dynamic-map dyn1 10 set reverse-route

crypto map WAN_map 65535 ipsec-isakmp dynamic dyn1

crypto map WAN_map interface WAN

crypto isakmp enable WAN

crypto isakmp enable management

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto isakmp nat-traversal 20

crypto isakmp ipsec-over-tcp port 10000

2. Setup authentication server – use Radius for Windows based domain, do not use NT Domain (this is legacy NT only):

Radius uses Active Directory for group policy settings, e.g. allow or deny remote access on the user’s Dial-in tab.

Note: Items in quotes ” are supplied by you – do not include quotes:

aaa-server IBM_Auth_servers protocol radius

aaa-server IBM_Auth_servers (LAN) host 192.168.1.200
 key “radius server secret key”
 radius-common-pw “radius server password”

IBM_Auth_servers is the ASA’s connection to the Windows Radius authentication server and can be set up in ASDM under Configuration, Properties, AAA Setup, AAA Server Objects. Add a server group called IBM_Auth_servers and then add the IP address of the Radius server. Note that the ASA treats this name as case-sensitive, so use exactly the same spelling when you reference it in the tunnel group later.

Note: you can add more than one Radius server IP, so you could add a remote radius server for failover if you have two ASA units failing over.

Radius servers are set up using Internet Authentication Service in Admin Tools – add the Cisco unit’s internal IP (gateway IP) and the shared secret and password.

3. Setup group policy:

configure terminal

group-policy IBM_VPN internal

group-policy IBM_VPN attributes
 dns-server value 192.168.1.100 192.168.1.101
 vpn-tunnel-protocol IPSec

exit

exit

Note: Secondary DNS server should be on remote failover site if you have 2 ASA units failing over.

4. Setup IP Pool:

configure terminal

ip local pool IBM_VPN_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

exit

Note: the VPN IP range should be a separate range from your normal network and not used by any other service.

5. Setup Tunnel group – for each machine or site:

Items in quotes ” are supplied by you – do not include quotes:

configure terminal

tunnel-group IBM_VPN_London type ipsec-ra

tunnel-group IBM_VPN_London general-attributes
 address-pool IBM_VPN_POOL
 authentication-server-group IBM_Auth_servers
 default-group-policy IBM_VPN

exit

tunnel-group IBM_VPN_London ipsec-attributes
 pre-shared-key “your secret key”

exit

exit

Note: IBM_VPN_London is an individual tunnel group for a set of machines, e.g. you may use “IBM_VPN_Germany” for another remote office as a site name or “IBM_DESKTOP_77_WindowsXP” for an individual machine.

“Your secret key” is the key you type into the VPN client software – use http://www.grc.com/passwords.htm to obtain a 64 character key (do a separate one for each tunnel group, i.e. each site and/or machine; DO NOT USE THE SAME KEY for all tunnel groups). In this way you can revoke a key and assign a new one without having to redo all VPN connections.

6. For the vpn client to be able to access internal network and go to internet via vpn tunnel (no split tunneling):

6a. Internet access:

See: Allowing Cisco VPN to access Internet via tunnel

configure terminal

same-security-traffic permit intra-interface

nat (WAN) 10 192.168.100.0 255.255.255.0

Note: the pre-8.3 nat command takes a network and mask rather than an address range, and it needs a matching global (WAN) 10 interface statement (normally already present if outbound PAT has been set up) for the VPN pool to be translated out of the WAN interface.

6b. Internal access:

access-list Inside_nat0_outbound line 4 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

Note: this access-list only takes effect if it is bound to the LAN interface with nat (LAN) 0 access-list Inside_nat0_outbound, which ASDM creates for you when you add a NAT exemption rule.

exit

7. Allow local LAN access

To enable clients with the ‘Allow Local LAN access’ option set on the VPN Client to access their local resources do the following (this is so a user can access local resources like NAS drives or network printers whilst connected to the VPN – otherwise all traffic goes via the VPN link):

See: Cisco Local LAN Access Notes

access-list LOCAL_LAN_Access remark Clients with local lan access option set – internet and dns access is still via tunnel

access-list LOCAL_LAN_Access standard permit host 0.0.0.0

group-policy IBM_VPN attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_LAN_Access

8. Setup on client machine:

Use VPN client software available from: Cisco VPN Client Software Download Site

Connect to external IP of ASA unit (WAN address) using IBM_VPN as VPN name and enter secret key for the tunneling group setup for this machine or site.

9. To list connections:

In ASDM goto Monitoring, VPN, VPN Statistics, Sessions – this will list all current sessions with relevant username, IP and encryption details.