Anyconnect VPN using local account

Network diagram

diagram.png

Configure the inside and outside interfaces

ciscoasa(config)# int gi0/1
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address dhcp setroute
ciscoasa(config-if)# no shut
ciscoasa(config-if)# int gi0/0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 172.18.1.1 255.255.255.224
ciscoasa(config-if)# no shut

Self signed certificate

ciscoasa(config)# hostname vpn
vpn(config)# domain-name cyruslab.net
vpn(config)# clock timezone SGT 8
vpn(config)# ntp server 118.189.177.157 prefer

vpn(config)# sh ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~118.189.177.157  118.189.138.5     2     3    64    0     8.5  35742.  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
vpn(config)#

vpn(config)# crypto key generate rsa label rsa-key modulus 2048 noconfirm
INFO: The name for the keys will be: rsa-key
Keypair generation process begin. Please wait...

vpn(config)# crypto ca trustpoint self
vpn(config-ca-trustpoint)# keypair rsa-key
vpn(config-ca-trustpoint)# fqdn vpn.cyruslab.net
vpn(config-ca-trustpoint)# subject-name CN=vpn.cyruslab.net
vpn(config-ca-trustpoint)# enrollment self
vpn(config-ca-trustpoint)# exit
vpn(config)# crypto ca enroll self

% The fully-qualified domain name in the certificate will be: vpn.cyruslab.net

% Include the device serial number in the subject name? [yes/no]: yes

Generate Self-Signed Certificate? [yes/no]: yes
vpn(config)#

A trustpoint is the container for a certificate and the key pair it is bound to. The enrollment self command means the certificate is self-signed: the ASA signs it with its own rsa-key instead of sending a request to a CA. Set the hostname, domain-name and time (NTP) before enrolling, because the FQDN goes into the certificate and its validity period is taken from the ASA clock.

Enable the self-signed trustpoint

The self-signed certificate is bound to the interface where the VPN terminates, which in this lab is the outside interface:

vpn(config)# ssl trust-point self outside

Export the certificate for the VPN user's computer

vpn(config)# crypto ca export self identity-certificate

The PEM encoded identity certificate follows:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
vpn(config)#

Copy everything from BEGIN CERTIFICATE to END CERTIFICATE inclusive and save it as cert.cer. On Windows you can import it with certmgr.msc; see the screenshot below.

certmgr.png

On Linux:
cyrus@cyrus-vm:~$ sudo nano /usr/local/share/ca-certificates/cert.cer
Then paste the certificate into the file. Note that update-ca-certificates only picks up files in that directory whose name ends in .crt, so name the file cert.crt instead and run sudo update-ca-certificates afterwards; otherwise the system trust store never learns the certificate, which is consistent with openconnect still reporting "signer not found" further down.

linux2.png
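The following shell helpers are an added example for the Linux side of the import above; they are not part of the original post. extract_pem pulls the PEM block out of the pasted ASA console output, install_ca drops it into the CA directory under a .crt name (update-ca-certificates ignores any other extension), and cert_sha256 prints the SHA-256 fingerprint of the certificate, which is what you compare against the certificate the ASA exported before trusting the gateway, or hand to openconnect as --servercert sha256:<hex> so the client never has to answer yes to "signer not found". The helpers assume openssl is installed and that install_ca runs as root; the file names vpn-cyruslab.crt, vpn.pem and asa-output.txt are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for trusting the ASA's
# self-signed certificate on a Linux client. Assumes openssl is installed;
# install_ca must run as root. File names are illustrative.

# extract_pem: stdin = the pasted output of "crypto ca export self
# identity-certificate" (prompt lines included); stdout = only the lines from
# -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# cert_subject: print the subject so you can confirm CN=vpn.cyruslab.net
# before installing anything.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# cert_sha256: print the SHA-256 fingerprint of the PEM certificate in $1 as
# 64 lowercase hex digits, i.e. SHA-256 over the DER encoding, the value
# openconnect compares when given --servercert sha256:<hex>.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'ABCDEF' 'abcdef'
}

# install_ca: copy the PEM into the CA directory ($2, default
# /usr/local/share/ca-certificates) as vpn-cyruslab.crt and refresh the
# system store. update-ca-certificates only processes *.crt files.
install_ca() {
    dir="${2:-/usr/local/share/ca-certificates}"
    cp "$1" "$dir/vpn-cyruslab.crt" && update-ca-certificates
}
```

Typical run: `extract_pem < asa-output.txt > vpn.pem`, `cert_subject vpn.pem` to check the CN, then either `install_ca vpn.pem` as root or, more simply, `openconnect --servercert "sha256:$(cert_sha256 vpn.pem)" --authgroup VPN -u cyrus vpn.cyruslab.net`. The pin accepts only this exact certificate, so it has to be updated when the ASA certificate is renewed.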

SSL VPN begins….

vpn(config)# username cyrus password P@ssw0rd
vpn(config)# username cyrus attributes
vpn(config-username)# service-type remote-access

service-type remote-access restricts this account to remote-access VPN only: it cannot be used to log in to the ASA's own management (console, SSH or ASDM).

vpn(config)# ip local pool VPN 192.168.100.1-192.168.100.14 mask 255.255.255.240

Allocate the address pool from which VPN users receive an address after a successful login.

vpn(config)# webvpn
vpn(config-webvpn)#anyconnect image disk0:/anyconnect-linux-64-4.0.00048-k9.pkg
vpn(config-webvpn)# anyconnect enable
vpn(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
vpn(config-webvpn)# tunnel-group-list enable

anyconnect image loads the client package the ASA will serve to connecting clients, anyconnect enable turns on the AnyConnect (SSL client) service, and enable outside enables WebVPN on the outside interface (which also enables DTLS there, as the INFO line shows). tunnel-group-list enable shows a drop-down box in the AnyConnect client for group selection.


vpn(config)# group-policy VPN internal

Internal means the group-policy is stored locally on the ASA, as opposed to an external group-policy whose attributes are fetched from a RADIUS server.

vpn(config)# group-policy VPN attributes
vpn(config-group-policy)# address-pools value VPN
vpn(config-group-policy)# dns-server value 8.8.8.8 8.8.4.4
vpn(config-group-policy)# gateway-fqdn value vpn.cyruslab.net
vpn(config-group-policy)# vpn-tunnel-protocol ssl-client ssl-clientless
vpn(config)#access-list SPLIT-TUNNEL standard permit 172.18.1.0 255.255.255.224
vpn(config)# group-policy VPN attributes
vpn(config-group-policy)# split-tunnel-policy tunnelspecified
vpn(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
vpn(config-group-policy)# split-tunnel-all-dns disable
vpn(config-group-policy)# split-dns value cyruslab.net
vpn(config-group-policy)# default-domain value cyruslab.net
vpn(config-group-policy)# vpn-idle-timeout 60
vpn(config-group-policy)# vpn-simultaneous-logins 1

This group-policy defines the address pool VPN users draw from after a successful login, and configures split tunnelling:
Only traffic matching the SPLIT-TUNNEL access-list (172.18.1.0/27, the inside network) is sent through the tunnel; everything else leaves through the client's normal interface, so the client remains directly exposed to its local network while connected.
Only DNS queries for *.cyruslab.net are resolved through the tunnel; all other DNS queries are not tunnelled.
The idle timeout is 60 minutes (vpn-idle-timeout is in minutes), and vpn-simultaneous-logins 1 allows a single session per user at any time, so no concurrent logins.
vpn-tunnel-protocol ssl-client ssl-clientless allows both the AnyConnect (SSL client) and the browser-based clientless WebVPN connection methods.
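To confirm from the Linux client that the routes pushed by the ASA actually match the SPLIT-TUNNEL access-list, here is an added shell example (not from the original post) that reads the output of ip -4 route show and reports whether the session is split-tunnel with exactly the expected prefixes, a full tunnel (default route over the tunnel), or not connected at all. It assumes the tunnel interface is tun0, the name openconnect uses later in the post; the sample route table is constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: verify from the Linux client that
# the routes pushed by the ASA match the SPLIT-TUNNEL access-list. Assumes the
# tunnel interface is tun0 (the name openconnect uses) and "ip -4 route show"
# output; the sample below is constructed for this example.

# tunnel_routes: stdin = "ip -4 route show" output; prints the destination of
# every route whose device is $1 (default tun0), one per line. "default" shows
# up here when the whole default route goes into the tunnel.
tunnel_routes() {
    awk -v dev="${1:-tun0}" '
        { for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) { print $1; break } }'
}

# split_tunnel_check: $1 = expected prefixes (space separated, taken from the
# SPLIT-TUNNEL ACL); stdin = "ip -4 route show" output. Prints one of:
#   not-connected          no route uses tun0
#   full-tunnel            the default route goes through tun0
#   split-tunnel ok        tun0 carries exactly the expected prefixes
#   split-tunnel mismatch  tun0 carries something else (inspect tunnel_routes)
split_tunnel_check() {
    expected=$(printf '%s\n' $1 | sort)
    got=$(tunnel_routes tun0 | sort)
    if [ -z "$got" ]; then
        echo "not-connected"
    elif printf '%s\n' "$got" | grep -qx default; then
        echo "full-tunnel"
    elif [ "$got" = "$expected" ]; then
        echo "split-tunnel ok"
    else
        echo "split-tunnel mismatch"
    fi
}

# Constructed sample of what "ip -4 route show" looks like after the
# openconnect session in this post: only the inside /27 is routed via tun0.
SAMPLE_ROUTES='default via 10.0.2.2 dev eth0 proto dhcp metric 100
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15
172.16.10.18 via 10.0.2.2 dev eth0
172.18.1.0/27 dev tun0 scope link'

printf '%s\n' "$SAMPLE_ROUTES" | split_tunnel_check "172.18.1.0/27"
```

On a live client replace the sample with `ip -4 route show | split_tunnel_check "172.18.1.0/27"`; a full-tunnel result means the group-policy in effect is not the one you expect (for example an inherited default), and a mismatch means the ACL and the client disagree about what is tunnelled.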

vpn(config)# tunnel-group VPN type remote-access
vpn(config)# tunnel-group VPN general-attributes
vpn(config-tunnel-general)# default-group-policy VPN

Only the default group-policy needs to be defined here; leave the rest at their defaults. Anything not set explicitly is inherited from the "invisible" default group-policy DfltGrpPolicy, which you can only see with show run all group-policy. This default group-policy cannot be deleted.

vpn(config-tunnel-general)# tunnel-group VPN webvpn-attributes
vpn(config-tunnel-webvpn)# group-alias VPN

This only creates the alias that is displayed in the drop-down box of the AnyConnect client. The remaining settings are inherited from the "invisible" default tunnel group DefaultWEBVPNGroup, which, like DfltGrpPolicy, cannot be deleted and is only shown with show run all tunnel-group.


vpn(config)# vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2

Ok, this is stupid in my opinion; this command should not even exist!

If you do not set it, no AnyConnect connection will be available! If you buy a licence for, say, 300 users, make sure you use this command and set the number to 300, otherwise users will complain that they cannot connect. The command simply caps the number of concurrent AnyConnect sessions, here at 2; never set it lower than the number of sessions you are licensed for and expect to use.


vpn(config)# sysopt connection permit-vpn

sysopt connection permit-vpn tells the ASA to let traffic arriving through a VPN tunnel bypass the access-list applied to the terminating (outside) interface, so whatever rules you set there do not apply to VPN users. If VPN users must be restricted, either remove it (no sysopt connection permit-vpn) and permit the decrypted traffic explicitly in the outside ACL, or attach a vpn-filter ACL to the group-policy (vpn-filter value <acl-name>), which is enforced per user regardless of this setting.


vpn(config)# http redirect outside 80

http redirect outside 80 redirects plain HTTP requests on port 80 of the outside interface to HTTPS, so clientless users who type vpn.cyruslab.net without https:// still land on the portal.

Let’s test it!

webvpn2

Ok, the redirection works; I used http instead of https…

webvpn3.png

On Linux, installing the Cisco AnyConnect client is a bit problematic, so I use OpenConnect instead:

apt install network-manager-openconnect

From the command line:

cyrus@cyrus-vm:~/Downloads/binaries$ sudo openconnect vpn.cyruslab.net
POST https://vpn.cyruslab.net/
Attempting to connect to server 172.16.10.18:443
SSL negotiation with vpn.cyruslab.net
Server certificate verify failed: signer not found

Certificate from VPN server "vpn.cyruslab.net" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on vpn.cyruslab.net
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpn.cyruslab.net/
Attempting to connect to server 172.16.10.18:443
SSL negotiation with vpn.cyruslab.net
Server certificate verify failed: signer not found
Connected to HTTPS on vpn.cyruslab.net
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpn.cyruslab.net/+webvpn+/index.html
SSL negotiation with vpn.cyruslab.net
Server certificate verify failed: signer not found
Connected to HTTPS on vpn.cyruslab.net
Please enter your username and password.
GROUP: [VPN]:VPN
Please enter your username and password.
Username:cyrus
Password:
POST https://vpn.cyruslab.net/+webvpn+/index.html
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as 192.168.100.1, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1).

A new virtual interface, tun0, appears. Note that answering yes to "Server certificate verify failed: signer not found" accepts whatever certificate the other end presents, so before doing that on a real network compare the certificate with the one exported from the ASA, or pass its fingerprint to openconnect with --servercert.

linux3

Ok so from my Cisco ASA gateway I can see this connection:

asa1

Posted in General stuffs, VPN

[CISCO ACI] Inter tenant contract

The ACI configuration for an inter-tenant contract is complicated.

A contract provides two functions:

  1. Filtering: it defines which traffic is permitted between the provider and consumer EPGs.
  2. Route leaking: when the EPGs are in different VRFs, the contract also triggers the leak of the bridge domain subnet between them.

Each tenant in this example has its own VRF. There are two tenants, T05 and T06.

T05 exports the contract to T06 and provides the contract; T06 consumes the contract exported by T05.

tenant to tenant contract4

Set the bridge domain subnet scope to Shared between VRFs so that it can be leaked to the other tenant.

tenant to tenant contract1

Export the contract. The contract must have been created with Global scope; a contract with VRF or Tenant scope cannot be exported to another tenant.

tenant to tenant contract2

Give the export a meaningful name, because the target tenant only sees the name of the exported contract interface. Choose the Global-scope contract, ICMP-GLOBAL, and the target tenant, T06.

tenant to tenant contract3

Provide the ICMP-GLOBAL contract on the EPG whose subnet you want leaked to the other tenant.

T06 needs to consume the contract exported from T05. T06 then follows the same steps as above for its own contract, and T05 in turn consumes the contract exported by T06.

tenant to tenant contract5

On T05 tenant, select Application Profile > EPG > Contracts and right click to choose Add Consumed Contract Interface.

tenant to tenant contract6

Now T05 and T06 can ping to each other.

There is also the common tenant, built in to APIC. Communication between the common tenant and another tenant does not require an export: objects in the common tenant, including its contracts, are visible to all tenants, whereas a contract created in a user tenant is only visible inside that tenant. This is why T05 has to export its contract to T06 and T06 has to do the same in return.

 

 

Posted in General stuffs, Software Defined Network

[CISCO ACI] Same VRF contract

I have an EPG Web and an EPG DB; I have provided a contract on EPG Web and consumed the contract on EPG DB. The results are:

The DB server can ping the Web server, and the Web server can ping the DB server. How is this possible?

See the below screenshots. EPG Web provided the icmp contract, and EPG DB consumed the icmp contract.

contracts2

EPG Web provided the contract

contracts3

EPG db consumed the contract

The above works because of these conditions:

  1. Both EPGs are in the same VRF, so no route leaking is required.
  2. The contract subject keeps the defaults Apply Both Directions and Reverse Filter Ports, so the ICMP filter is programmed for consumer-to-provider and provider-to-consumer traffic alike, and either side can start a ping. A contract is therefore not a one-way firewall rule by default; if only Web should be able to initiate TCP connections to DB, uncheck Apply Both Directions, or tick Stateful on the TCP filter entry so that only return packets with the ACK flag are allowed back.

contracts1

Posted in Software Defined Network

bigip snat automap

You created a forwarding virtual server so that the servers behind the BIG-IP can reach the internet, but your servers get no response back. You troubleshoot the problem and find that:

  1. A default route is configured on the BIG-IP.
  2. You cannot ping the next-hop gateway specified in the default route.
  3. You cannot confirm that routing is the cause, because the next-hop router is not under your control.

To narrow this down you can try SNAT automap. With SNAT automap the BIG-IP translates the source address, choosing the translation address in this order of preference:

  1. floating self IP of the egress VLAN,
  2. floating self IP of a different VLAN,
  3. non-floating self IP of the egress VLAN,
  4. non-floating self IP of a different VLAN.

snat-automap.png

After you have turned on SNAT automap, your server is able to fetch external updates.

apt-get1.png

Now you can conclude that it is very likely the next-hop router has no route back to your server's subnet.

snat1

What this means is that your server's traffic is being translated to the floating self IP of the internet VLAN, so the upstream firewall sees a request from a directly connected subnet and can reply without needing a route to the server network. Treat SNAT automap as a diagnostic workaround here: the proper fix is a return route on the next-hop device, and with SNAT in place the servers behind the BIG-IP are no longer identifiable by their own addresses in upstream logs.

 

 

Posted in F5, General stuffs

Is bigip packet filter stateful or stateless?

Packet filter
I have allowed vmnet5 to reach HTTP and DNS on any destination, and drop everything else.

pf1.png

Nmap from client

nmap.png

Nmap could not actually determine whether port 80 is open or closed, because there was no response.

Packet filter log

pf2

It looks like the packet filter accepted the packet even though it was a bare TCP FIN, with no preceding SYN…

The tcpdump below proves that the TCP FIN was passed through. A stateful filter only forwards a FIN that belongs to a connection it has already seen a SYN for; a bare FIN being accepted means the rule matched on the packet headers alone.

tcpdump1.png

So, based on the packet filter log, should I conclude that the packet filter is a stateless access control?
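As an added example (not from the original post), the shell function below turns the tcpdump-plus-nmap check above into a repeatable test: feed it a capture taken on the server side of the packet filter while nmap -sF runs from the client, and it reports whether a bare FIN reached the server and whether the server answered with a RST. A stateful filter drops the FIN because it has no connection entry for it; a stateless one matches the "allow tcp port 80" rule on the headers and forwards it. It assumes tcpdump's default text output with numeric addresses (tcpdump -n); the sample capture in the block is constructed, not real.

```shell
#!/bin/sh
# Added example, not from the original post: decide from a tcpdump capture
# taken on the server side whether a bare TCP FIN (nmap -sF) made it through
# the BIG-IP packet filter. Assumes tcpdump's default text output with
# numeric addresses (tcpdump -n); the sample lines below are constructed.

# fin_scan_verdict SERVER_IP PORT: stdin = tcpdump lines; prints one verdict.
fin_scan_verdict() {
    awk -v target="$1.$2" '
        # e.g. 12:00:00.000001 IP 172.16.5.10.40000 > 10.0.0.5.80: Flags [F], seq 0, win 1024, length 0
        $2 == "IP" && match($0, /Flags \[[^]]*]/) {
            flags = substr($0, RSTART + 7, RLENGTH - 8)   # text inside [ ]
            src = $3
            dst = $5; sub(/:$/, "", dst)
            if (dst == target && flags == "F") fin_in++              # bare FIN arrived
            else if (src == target && index(flags, "R")) rst_out++   # server answered RST
        }
        END {
            if (fin_in == 0)
                print "no bare FIN reached the server: the filter dropped it (stateful behaviour, or no matching rule)"
            else if (rst_out > 0)
                print "bare FIN forwarded and answered with RST: port closed, filter is stateless"
            else
                print "bare FIN forwarded with no reply: port open or host silent, filter is stateless"
        }'
}

# Constructed capture: nmap -sF from 172.16.5.10 against a closed port 80.
SAMPLE_CAPTURE='12:00:00.000001 IP 172.16.5.10.40000 > 10.0.0.5.80: Flags [F], seq 0, win 1024, length 0
12:00:00.000120 IP 10.0.0.5.80 > 172.16.5.10.40000: Flags [R.], seq 0, ack 1, win 0, length 0'

printf '%s\n' "$SAMPLE_CAPTURE" | fin_scan_verdict 10.0.0.5 80
```

On a live system run `tcpdump -n -i <iface> tcp port 80 > capture.txt` on the server, `nmap -sF -p 80 <server>` from the client, then `fin_scan_verdict <server-ip> 80 < capture.txt`. The "no reply" verdict is ambiguous on its own (an open port ignores a bare FIN just as a filter drop would), so run the scan against a port you know is closed as well, where a stateless filter produces the RST verdict.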

Posted in General stuffs

Upgrade bigip image in active/standby HA

Import the latest ISO to both the active and the standby bigip

import1 import2

Install latest iso on standby bigip

install1.png

On command line:

[root@bigip2:Standby:In Sync] config # tmsh
root@(bigip2)(cfg-sync In Sync)(Standby)(/Common)(tmos)# /sys software image
root@(bigip2)(cfg-sync In Sync)(Standby)(/Common)(tmos.sys.software.image)# install BIGIP-12.1.0.0.0.1434.iso volume HD1.1

HD1.1 currently holds the base version 12 image; we want to overwrite it.

progress.png

Activate the new image on the standby bigip

activate1.png

After the standby unit has finished rebooting, the config sync status will be Disconnected. This means the latest configuration cannot be synced to the standby unit, because of the version mismatch between the two units.

The active bigip still accepts traffic, and failover to the standby unit is still possible. So once the active bigip has finished its installation, fail over to the (already upgraded) standby unit with the command below. Take a UCS backup of both units before starting so that you can roll back.

root@(bigip1)(cfg-sync Disconnected)(Active)(/Common)(tmos)# run /sys failover standby

Install the latest image on the active unit

The installation process is the same as for the standby unit. The active bigip still accepts traffic during the installation, so up to this point there should be no disruption to clients.

install2.png

When the installation has finished, make this unit the standby by issuing the following command in tmsh.


root@(bigip1)(cfg-sync Disconnected)(Active)(/Common)(tmos)# run /sys failover standby

The failover should be transparent to clients: traffic continues to be processed on the newly active bigip, and connection state should have failed over as well.

install3

Activate the latest image.

Config sync device to group

Do a config sync, overwriting the configuration, after the standby has finished rebooting. Sync from the unit whose configuration is authoritative (normally the one that was active while the sync status was Disconnected) to the device group; syncing in the other direction would push the stale configuration over the current one.

sync the config
sync the config 2

Client’s impact

client

0% packet loss while doing the upgrade and failover

 

Posted in F5, General stuffs, High Availability