Posts

How to use a question mark on preshared-key

When I was working on setting up a VPN for a customer, they presented us with a PSK that had a question mark (?) in the pre-shared key. This proved a challenge on the Cisco ASA, and I found the solution below to escape the question mark; it can be done on any Cisco IOS device.

1. Just before you want to add the ? character, hit Ctrl-V,
2. then enter the ? character, and finally Ctrl-L.
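The same escape in context, as an added example that is not part of the original post: a pre-shared key containing a question mark entered on an ASA (pre-8.4 `pre-shared-key` syntax) and on an IOS router, and, going one step beyond the post, a literal question mark inside an ASA `regex`, where the CLI escape and the regex escape are both needed. The peer address 203.0.113.5, the key value and the regex text are constructed placeholders; wherever `<Ctrl-V>` appears, the key combination is pressed rather than typed.

```cisco
! Added example (not the post's own configuration). Peer 203.0.113.5, the key
! value and the regex are constructed placeholders.
! "<Ctrl-V>" means: press Ctrl-V, then type the following ? literally. Without
! it the ? is taken as a request for context-sensitive help and never reaches
! the command.

! --- ASA: pre-shared key with a ? in it (8.2-style tunnel-group syntax) ---
asa(config)# tunnel-group 203.0.113.5 type ipsec-l2l
asa(config)# tunnel-group 203.0.113.5 ipsec-attributes
asa(config-tunnel-ipsec)# pre-shared-key Sup3r<Ctrl-V>?Secret
asa(config-tunnel-ipsec)# exit
! "show running-config" masks the key; to confirm the ? really was stored,
! read the unmasked configuration:
asa(config)# more system:running-config | include pre-shared-key

! --- IOS router: the same escape works for the ISAKMP key ---
router(config)# crypto isakmp key Sup3r<Ctrl-V>?Secret address 203.0.113.5

! --- ASA regex: ? is a quantifier in the regex syntax, so a literal ? needs
! a backslash escape in the pattern AND the Ctrl-V escape at the CLI ---
asa(config)# regex LITERAL-QM "search\<Ctrl-V>?q="
! "test regex" reports whether the input matches the pattern; the ? in the
! input string needs the same Ctrl-V treatment:
asa(config)# test regex "/search<Ctrl-V>?q=1" "search\<Ctrl-V>?q="
```

The `more system:running-config` check is the useful one after entering the key: if the question mark was swallowed by the help system, the stored key will be shorter than intended and phase 1 will fail at the pre-shared key exchange (MM_WAIT_MSG5/MSG6 in the state list that follows) even though both sides believe they hold the same key.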

Firewall VPN ISAKMP (IKE Phase 1) status messages

These are the possible ISAKMP negotiation states on an ASA firewall. ISAKMP stands for Internet Security Association and Key Management Protocol.

ASA ISAKMP STATES

  • MM_WAIT_MSG2 – Initial DH public key sent to responder. Awaiting initial contact reply from the other side. If stuck here it usually means the other end is not responding. This could be because there is no route to the far end, the far end does not have ISAKMP enabled on the outside, or the far end is down.
  • MM_WAIT_MSG3 – Both peers have agreed on the ISAKMP policies. Awaiting exchange of keyring information. Hang-ups here may be due to mismatched device vendors, a router with a firewall in the way, or even ASA version mismatches.
  • MM_WAIT_MSG4 – In this step the pre-shared key hashes are exchanged. They are not compared or checked, only sent. If one side sends a key and does not receive a key back, this is where the tunnel will fail. I have seen the tunnel fail at this step due to the remote side having the wrong peer IP address. Hang-ups here may also be due to mismatched device vendors, a router with a firewall in the way, or even ASA version mismatches.
  • MM_WAIT_MSG5 – This step is where the devices exchange pre-shared keys. If the pre-shared keys do not match it will stay at this MSG. I have also seen the tunnel stop here when NAT Traversal was on when it needed to be turned off.
  • MM_WAIT_MSG6 – This step is where the devices exchange pre-shared keys. If the pre-shared keys do not match it will stay at this MSG. I have also seen the tunnel stop here when NAT Traversal was on when it needed to be turned off. However, if the state reaches MSG6 and then the ISAKMP SA gets reset, that means phase 1 finished but phase 2 failed. Check that the IPsec settings match in phase 2 to get the tunnel to MM_ACTIVE.
  • AM_ACTIVE / MM_ACTIVE – The ISAKMP negotiations are complete. Phase 1 has successfully completed.

PIX ISAKMP STATES

  • MM_NO_STATE – ISAKMP SA has been created but nothing else has happened yet.
  • MM_SA_SETUP – The peers have agreed on parameters for the ISAKMP SA.
  • MM_KEY_EXCH – The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.
  • MM_KEY_AUTH – The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE and a Quick mode exchange begins.
  • AG_NO_STATE – The ISAKMP SA has been created but nothing else has happened yet.
  • AG_INIT_EXCH – The peers have done the first exchange in Aggressive mode but the SA is not authenticated.
  • AG_AUTH – The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE and a Quick mode exchange begins.
  • QM_IDLE – The ISAKMP negotiations are complete. Phase 1 successfully completed. It remains authenticated with its peer and may be used for subsequent Quick mode exchanges.

Static NAT for client VPN cisco asa version 8.4

This static NAT was set up on a Cisco ASA running version 8.4 as part of a client VPN installation. For the client IP pool to communicate with the local LAN we need to set up a static NAT as shown below.

You must use the route-lookup keyword, because the ASA cannot determine the egress interface from the NAT rule alone.
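One way to write that 8.4 static (identity) NAT with route-lookup, as an added example rather than the post's own configuration: the object names, the inside LAN 192.168.1.0/24 and the client pool 10.10.10.0/24 are constructed, and the interface PAT at the end is assumed to be the normal Internet-access rule the identity NAT must take precedence over.

```cisco
! Added example, not the post's configuration. Subnets and object names are
! constructed: inside LAN 192.168.1.0/24, client VPN pool 10.10.10.0/24.
object network INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
object network VPN-POOL
 subnet 10.10.10.0 255.255.255.0

! Manual (twice) NAT, identity in both directions: LAN <-> pool traffic keeps
! its real addresses and is therefore exempt from the interface PAT below.
!  route-lookup : pick the egress interface from the routing table, not from
!                 the NAT rule; without it, replies to the pool can be sent
!                 out the wrong interface because the rule names (inside,outside)
!  no-proxy-arp : stop the outside interface answering ARP for pool addresses
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! Ordinary Internet access for the LAN. Object (auto) NAT lives in section 2,
! so the manual rule above (section 1) is evaluated first.
object network INSIDE-LAN-PAT
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Verification: a LAN host reaching a pool address should show an untranslated
! source in the NAT phase and "outside" as the egress interface.
packet-tracer input inside tcp 192.168.1.10 12345 10.10.10.5 445
show nat detail
```

The `packet-tracer` run is the quickest way to see the difference: without `route-lookup` the NAT phase still matches, but the egress interface chosen for the return direction can be wrong and the trace ends in a drop.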

Cisco ASA vpnsetup command

I was browsing around the command line on the Cisco ASA and came across this hidden command, vpnsetup; it gives you the steps to set up a VPN.

Cisco ASA Custom ftp passive port inspection

When an FTP server is configured with a custom passive FTP port, the configuration below helps ensure passive FTP keeps working as expected when the custom FTP server port is 10021.
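An added example of that inspection class (not the post's own configuration): FTP inspection is bound to port 21 by the default `inspection_default` class, so a server listening on 10021 gets no inspection and the PASV data channel is never pinholed. Port 10021 comes from the post; the server address 192.168.1.25 and the names are constructed.

```cisco
! Added example, not the post's configuration. Port 10021 is from the post;
! the server address and names are constructed.
! Restrict the extra inspection to the one server rather than every flow on
! port 10021 on the box.
access-list FTP-CUSTOM-PORT extended permit tcp any host 192.168.1.25 eq 10021

class-map FTP-CUSTOM-PORT
 match access-list FTP-CUSTOM-PORT

! global_policy already exists on a default ASA and is applied globally
! ("service-policy global_policy global"); only the new class is added.
policy-map global_policy
 class FTP-CUSTOM-PORT
  inspect ftp

! Verification: the class should appear with packet counters once a client
! has connected, and "show conn" should list the dynamic data connection
! opened from the PASV reply.
show service-policy inspect ftp
```

With inspection in place the ASA reads the port (and, if the server is reached through a static NAT, rewrites the address) in the PASV reply, so only the negotiated data port is opened and nothing wider than the control port needs to be permitted on the outside ACL.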

VPN tunnel initiation only from one end

To have the VPN tunnel initiated only from one end, configure the head end of the connection as originate-only with the originate-only keyword in the crypto map entry, and the remote end with the answer-only keyword.

Refer to this crypto map configuration example for the main (local) site:

For the remote site:
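Both sides of such a crypto map, as an added example that is not the post's own configuration. It assumes pre-8.4 syntax (`crypto ipsec transform-set`, `pre-shared-key`), a head end at 203.0.113.1 with LAN 192.168.1.0/24 and a remote site at 198.51.100.1 with LAN 192.168.2.0/24, all constructed.

```cisco
! Added example, not the post's configuration. Addresses are constructed:
!   head end  outside 203.0.113.1, LAN 192.168.1.0/24
!   remote    outside 198.51.100.1, LAN 192.168.2.0/24
! 8.2-style syntax; 8.4+ uses "crypto ipsec ikev1 transform-set" and
! "set ikev1 transform-set".

! ---- Common to both sides (phase 1 policy and phase 2 transform) ----
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! ---- Head end: the only side allowed to bring the tunnel up ----
access-list VPN-TO-REMOTE extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-REMOTE
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set connection-type originate-only
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>

! ---- Remote site: answers the head end, never initiates ----
access-list VPN-TO-HEADEND extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-HEADEND
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set connection-type answer-only
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>

! Verification on the head end once traffic has been sent towards the remote LAN
show crypto isakmp sa
show crypto ipsec sa peer 198.51.100.1
```

The operational consequence of `answer-only` is worth keeping in mind: interesting traffic from the remote LAN alone will never bring the tunnel up, so after a reboot or an SA timeout the head end has to send the first packet. The default is `bidirectional`, so both keywords must be set explicitly; leaving the remote side at the default would let it initiate, which is what this setup is meant to prevent.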

Netflow on Cisco ASA 8.2(2)

To export NetFlow from a Cisco ASA running 8.2(2), the configuration below will do it. The configuration differs between code versions, so please check the documentation.

ref:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_nsel.html
https://supportforums.cisco.com/docs/DOC-6113;jsessionid=9EACF763F416537E9089654464F74024.node
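An added NSEL (NetFlow Secure Event Logging) configuration in the 8.2(x) syntax the post refers to, not the post's own config. The collector 192.168.1.50 on UDP 2055, reached via the inside interface, is constructed; later releases changed some of these keywords, which is why the post points at the version-specific guide.

```cisco
! Added example, not the post's configuration. Collector 192.168.1.50:2055 on
! the inside interface is constructed. 8.2(x) keywords; check the guide for
! your release.

! Where to send the NetFlow v9 records, and how often to resend the templates
! (minutes) so a collector that starts late can decode the data records.
flow-export destination inside 192.168.1.50 2055
flow-export template timeout-rate 30

! Export every NSEL event type (flow-create, flow-teardown, flow-denied) for
! all traffic. Replace "match any" with an access-list match to export only a
! subset, e.g. traffic crossing the outside interface.
class-map NETFLOW-EXPORT
 match any
policy-map global_policy
 class NETFLOW-EXPORT
  flow-export event-type all destination 192.168.1.50

! Optional: once the collector is receiving flows, suppress the connection
! build/teardown syslogs that now duplicate the NSEL records.
logging flow-export-syslogs disable

! Verification: packets/bytes sent to the destination, and template counters
show flow-export counters
```

From a detection standpoint the `flow-denied` events are the valuable ones: they record connections the ASA dropped, so the collector sees scanning or blocked egress that would otherwise only exist as syslog noise, and the `match any` class makes sure denied flows are exported rather than only the permitted ones.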

VPN using LDAP Authentication

Below is an example configuration of a VPN using LDAP authentication. In this example a Red Hat LDAP server was used to authenticate Cisco VPN users; the configuration checks whether the user is part of the vpn_access group and only then allows access. If the auth fails, the user gets bound to the noaccess policy.
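The group check described above, written out as an added example (not the post's configuration). It maps the user's `memberOf` attribute onto the ASA group-policy attribute, so only members of `vpn_access` receive the `vpn_access` group-policy while everyone else falls through to the tunnel-group default `noaccess`, which allows zero logins. The directory DNs, server address 192.168.1.10 and tunnel-group name are constructed; the group-policy names vpn_access and noaccess are from the post. LDAP over SSL on 636 is assumed so the bind and user credentials do not cross the network in clear.

```cisco
! Added example, not the post's configuration. DNs, server address and
! tunnel-group name are constructed; vpn_access and noaccess are the post's names.

! Map the directory's memberOf values onto the ASA "Group-Policy" attribute
! (IETF-Radius-Class). Only the listed DN gets a value; any other group or no
! group at all leaves the attribute unset.
ldap attribute-map LDAP-GROUP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "cn=vpn_access,ou=groups,dc=example,dc=com" vpn_access

aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 192.168.1.10
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn ou=people,dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-login-dn cn=asa-bind,ou=services,dc=example,dc=com
 ldap-login-password <BIND-PASSWORD-PLACEHOLDER>
 server-type openldap
 ldap-attribute-map LDAP-GROUP-MAP

! Default landing policy: authenticated but not in the group -> refused.
group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 0

! Policy applied only when the attribute map returns "vpn_access".
group-policy vpn_access internal
group-policy vpn_access attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec

tunnel-group REMOTE-USERS type remote-access
tunnel-group REMOTE-USERS general-attributes
 authentication-server-group LDAP-SRV
 default-group-policy noaccess

! Verification without a VPN client: shows the bind, the attributes returned
! and which group-policy was selected.
test aaa-server authentication LDAP-SRV host 192.168.1.10 username alice password <PASSWORD-PLACEHOLDER>
debug ldap 255
```

Two things to check when this does not behave: the `memberOf` attribute has to exist on the user entry (on Red Hat / 389 Directory Server it is maintained by the memberOf plugin, which is not enabled by default), and the `map-value` DN must match the stored value character for character, since the ASA compares it as a string rather than as a DN.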

Policy to filter outbound http requests

There was a requirement from a client to filter outbound HTTP connections to domainx.com and domainy.com; below is a policy written to meet that requirement.
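An added example of such an HTTP inspection policy, not the post's own. It blocks on the Host header of outbound requests, so it works whatever IP the domains resolve to; domainx.com and domainy.com are from the post, the class, policy and interface names are constructed, and it is assumed the inside interface has no service-policy yet (otherwise the class is added to the existing policy-map).

```cisco
! Added example, not the post's policy. Only the two domain names come from
! the post; class/policy names and the "inside" interface are constructed.

! Anchored patterns so "domainx.com" and "www.domainx.com" match but a host
! such as "notdomainx.com.example" does not. Note the backslash before "."
! so it matches a literal dot and not any character.
regex DOMAIN-X "(^|\.)domainx\.com$"
regex DOMAIN-Y "(^|\.)domainy\.com$"

class-map type regex match-any BLOCKED-HOSTS
 match regex DOMAIN-X
 match regex DOMAIN-Y

! Layer-7 class: a request whose Host header matches any blocked pattern
class-map type inspect http match-all HTTP-BLOCKED-HOST
 match request header host regex class BLOCKED-HOSTS

! Reset the connection and log it so the blocks show up in syslog
policy-map type inspect http HTTP-FILTER
 parameters
 class HTTP-BLOCKED-HOST
  reset log

! Apply the HTTP inspection to outbound port 80 traffic on the inside interface
class-map OUTBOUND-HTTP
 match port tcp eq www
policy-map INSIDE-POLICY
 class OUTBOUND-HTTP
  inspect http HTTP-FILTER
service-policy INSIDE-POLICY interface inside

! Verify the patterns before relying on them
test regex "www.domainx.com" "(^|\.)domainx\.com$"
test regex "domainx.com.example" "(^|\.)domainx\.com$"
```

The limits are the ones a practitioner should state to the client up front: this sees only plain HTTP on the ports in the class (port 80 here), and HTTPS is untouched because the Host header is inside TLS; for that, a DNS-based control or a proxy doing TLS inspection is needed.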

Policy NAT example

The configuration below is used for a case where the remote end has the same LAN network as the local side; what this accomplishes is that it presents 172.30.(5/6).0 to the remote end. This has been tested on Cisco ASA version 8.2 and earlier.

Policy NAT with Client VPN Pool

The solution below is used so we do not have to re-IP the internal LAN [192.168.(1/2).0], as the client has the same IP address range as the remote end.
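The 8.2 policy NAT for both of the last two posts (the site-to-site case with identical LANs, and the client VPN pool case), as one added example that is not either post's configuration. Both use the same `static ... access-list` construct, so they are shown together. Assumptions, all constructed: the local LAN is 192.168.1.0/24 and is presented as 172.30.5.0/24 while the remote site presents itself as 172.30.6.0/24 (the 172.30.(5/6).0 networks are from the post); the client VPN pool is 10.10.10.0/24 and the LAN is presented to it as 192.168.2.0/24.

```cisco
! Added example, not the posts' configuration. 8.2 (pre-8.3) NAT syntax.
! Constructed: local LAN 192.168.1.0/24, remote LAN also 192.168.1.0/24,
! client VPN pool 10.10.10.0/24. 172.30.5.0 / 172.30.6.0 are from the post.

! ===== Case 1: site-to-site, both LANs are 192.168.1.0/24 =====
! Local hosts address the remote side as 172.30.6.x. When they do, the policy
! static NAT presents them as 172.30.5.x. The remote ASA holds the mirror image
! (its 192.168.1.0/24 presented as 172.30.6.0/24 when talking to 172.30.5.0/24).
access-list NAT-TO-REMOTE extended permit ip 192.168.1.0 255.255.255.0 172.30.6.0 255.255.255.0
static (inside,outside) 172.30.5.0 access-list NAT-TO-REMOTE

! The crypto ACL is evaluated after NAT, so it matches the presented networks,
! not the real ones. The remote side uses the reverse of this ACL.
access-list VPN-OVERLAP extended permit ip 172.30.5.0 255.255.255.0 172.30.6.0 255.255.255.0
crypto map OUTSIDE-MAP 20 match address VPN-OVERLAP
! (set peer / set transform-set as for any other crypto map entry)

! ===== Case 2: remote-access clients whose home LAN is also 192.168.1.0/24 =====
! Present the internal LAN as 192.168.2.0/24 only when talking to the pool, so
! the client's own 192.168.1.0/24 route does not swallow the traffic.
access-list NAT-TO-VPN-POOL extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
static (inside,outside) 192.168.2.0 access-list NAT-TO-VPN-POOL

! Clients must route the presented network, not the real one, into the tunnel.
access-list SPLIT-TUNNEL standard permit 192.168.2.0 255.255.255.0
group-policy CLIENT-VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Verification: the xlate must show the 172.30.5.x / 192.168.2.x mapping
show xlate
packet-tracer input inside tcp 192.168.1.10 12345 172.30.6.20 445
packet-tracer input inside tcp 192.168.1.10 12345 10.10.10.5 445
```

One ordering caveat applies to both cases on 8.2: NAT exemption (`nat 0 access-list`) is evaluated before static policy NAT, so an existing exemption ACL that covers 192.168.1.0/24 towards the pool or towards 172.30.6.0/24 would silently bypass these rules and the traffic would leave untranslated; `show nat` and the `packet-tracer` output confirm which rule actually matched.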