
Cisco ASA remote management via VPN

February 14th, 2011 | 1 Comment

By default, remote access VPN users aren’t able to manage a Cisco ASA firewall on the inside interface using any kind of management protocol (SSH, telnet, HTTPS).

You can enable remote management by specifying the management-access interface. You can specify the interface via the CLI or via the Cisco Adaptive Security Device Manager (ASDM). Both methods are specified below.

CLI

fw01/booches.nl/act# configure terminal
fw01/booches.nl/act(config)# management-access inside

ASDM

[Screenshot: ASDM management access interface setting]

When using the management-access feature with remote VPN connections (IPsec or SSL VPN), don't forget to also add the VPN pool to the corresponding management protocols (SSH, telnet, HTTPS) on the interface you specified as the management-access interface; otherwise the VPN clients are still refused.

Cisco ASA NPE image

January 4th, 2011 | 1 Comment

I got complaints from a customer who wasn't able to configure 3DES or AES encryption for a VPN tunnel. It sounded like a problem I had a couple of weeks ago, so I advised the customer to upgrade and activate the VPN-3DES-AES feature. He tried, but that didn't solve the problem.

I remotely logged in and checked the software he was using. I noticed he was using the image asa832-npe-k8.bin. Problem found!!!

NPE stands for No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA 5500 series. For version 8.3(2), you can now install a No Payload Encryption image (asa832-npe-k8.bin).

Features that are disabled in the No Payload Encryption image include:

  • Unified Communications;
  • Strong encryption for VPN (DES encryption is still available for VPN);
  • VPN load balancing (note that the CLI is still present; the feature will not function, however)
  • Downloading of the dynamic database for the Botnet Traffic Filter (static black and white lists are still supported; note that the CLI is still present, but the feature will not function);
  • Management protocols requiring strong encryption, including SSL, SSHv2, and SNMPv3. You can, however, use SSL or SNMPv3 using base encryption (DES). Also, SSHv1 and SNMPv1 and v2 are still available;

If you attempt to install a Strong Encryption (3DES/AES) license, you see the following warning:

WARNING: Strong encryption types have been disabled in this image; the VPN-3DES-AES license option has been ignored.

I replaced the software image with the regular image and the problem was solved.
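Added example (not from the post): a small Python audit that parses "show version" output, spots an NPE image by its "-npe-" file name and explains why the VPN-3DES-AES license will be ignored, so the situation described above is caught before a VPN is configured. The sample output is constructed and only mimics the relevant lines.

```python
import re

# Constructed sample of "show version" output, modelled on the post's
# asa832-npe-k8.bin case (not real output captured from a device).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.3(2)
System image file is "disk0:/asa832-npe-k8.bin"
Licensed features for this platform:
VPN-3DES-AES                     : Enabled
Failover                         : Active/Active
"""

def parse_show_version(text):
    """Extract the boot image file name and the VPN-3DES-AES license state."""
    image = re.search(r'System image file is "(?:[^":]+:)?/?([^"]+)"', text)
    lic = re.search(r'VPN-3DES-AES\s*:\s*(\w+)', text)
    return {
        "image": image.group(1) if image else None,
        "vpn_3des_aes": lic.group(1) if lic else None,
    }

def is_npe_image(image_name):
    """NPE images carry '-npe-' in the file name, e.g. asa832-npe-k8.bin."""
    return image_name is not None and "-npe-" in image_name.lower()

def audit_strong_crypto(text):
    """Return (ok, message); ok is False when 3DES/AES VPN cannot work."""
    info = parse_show_version(text)
    if is_npe_image(info["image"]):
        # The license may show as Enabled, but the image ignores it.
        return (False, f"{info['image']} is a No Payload Encryption image; "
                       "3DES/AES VPN is unavailable even with the license enabled")
    if info["vpn_3des_aes"] != "Enabled":
        return (False, "VPN-3DES-AES license is not enabled")
    return (True, f"{info['image']} supports 3DES/AES VPN")
```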

Cisco stack: version mismatch

December 15th, 2010 | No Comments

When adding a new switch to an existing stack, the new switch should have the same software image as the existing stack member switches. If the new switch has different software, the switch isn’t capable of joining the stack.

Switch/Stack Mac Address : 588d.0918.3100
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
*1       Master 588d.0918.3100     15     1       Ready
 2       Member c471.fe99.b580     1      2       Version Mismatch

There are different ways to upgrade the new switch to the correct software image. The hard way is unplugging the new switch from the stack, upgrading it separately and adding it to the stack again. An easier way is the archive copy-sw command, which copies the software from a specific member switch to the new switch.

The example below copies the software from switch 1 to the destination switch 2.

sw-stack#archive copy-sw /destination-system 2 1
System software to be uploaded:
System Type:             0x00000002
archiving c3750e-universalk9-mz.122-53.SE2 (directory)
Stacking Version Number: 1.43

System Type:             0x00000002
Ios Image File Size:   0x00DA7200
Total Image File Size: 0x01076600
Minimum Dram required: 0x08000000
Image Suffix:          universalk9-122-53.SE2
Image Directory:       c3750e-universalk9-mz.122-53.SE2
Image Name:            c3750e-universalk9-mz.122-53.SE2.bin
Image Feature:         IP|LAYER_3|PLUS|SSH|3DES|MIN_DRAM_MEG=128

Old image for switch 2: flash2:/c3750e-universalk9-mz.122-53.SE1
Old image will be deleted after download.

Extracting images from archive into flash on switch 2…

Installing (renaming): `flash2:/update/c3750e-universalk9-mz.122-53.SE2' -> flash2:/c3750e-universalk9-mz.122-53.SE2'
New software image installed in flash2:/c3750e-universalk9-mz.122-53.SE2
Removing old image: flash2:/c3750e-universalk9-mz.122-53.SE

All software images installed.

sw-stack#reload slot 2
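Added example (not from the post): a Python helper that parses "show switch" output like the table above, finds every member in the Version Mismatch state and generates the archive copy-sw and reload commands to bring it in line with the master. The input is a constructed copy of the post's stack table.

```python
import re

# Constructed "show switch" output with the same members as the post's stack.
SAMPLE_SHOW_SWITCH = """\
Switch/Stack Mac Address : 588d.0918.3100
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
*1       Master 588d.0918.3100     15     1       Ready
 2       Member c471.fe99.b580     1      2       Version Mismatch
"""

# One member row: optional '*' for the local switch, number, role, MAC,
# priority, H/W version and the free-text state at the end of the line.
MEMBER_RE = re.compile(
    r'^\s*\*?(?P<num>\d+)\s+(?P<role>\S+)\s+'
    r'(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+'
    r'(?P<prio>\d+)\s+(?P<hw>\d+)\s+(?P<state>.+?)\s*$', re.IGNORECASE)

def parse_show_switch(text):
    """Return one dict per stack member listed in 'show switch' output."""
    members = []
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            members.append({"num": int(m["num"]), "role": m["role"].capitalize(),
                            "mac": m["mac"], "state": m["state"]})
    return members

def copy_sw_commands(text):
    """Build the commands that push the master's image to every member
    reported as 'Version Mismatch', each followed by the reload of that slot."""
    members = parse_show_switch(text)
    masters = [m["num"] for m in members if m["role"] == "Master"]
    if len(masters) != 1:
        raise ValueError("expected exactly one Master in the stack")
    cmds = []
    for m in members:
        if m["state"] == "Version Mismatch":
            cmds.append(f"archive copy-sw /destination-system {m['num']} {masters[0]}")
            cmds.append(f"reload slot {m['num']}")
    return cmds
```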

This is by far the easiest way to upgrade the new switch to the correct software image. Another method is using the copy command.

sw-stack#copy image-file.bin flash2:

sw-stack#config t

sw-stack(config)#boot system switch 2 flash:/image-file.bin

sw-stack(config)#exit

sw-stack#wr mem

sw-stack#reload slot 2

This method is very useful if you are using an image without the HTML web features, because archive copy-sw expects the tar archive that contains them.

Cisco Connect – Software Download Entitlement Controls

December 13th, 2010 | 1 Comment

I read about it on the internet and last week I received the "official" mail from the Cisco Partner Channel about the changes regarding the Software Download Centre Entitlement Controls. The e-mail (originally in Dutch, translated below) can be found at the end of this post. I have mixed feelings about the changes regarding the software entitlements. From January 2nd 2011 it isn't possible anymore to just download any software with a CCO or PICA (Partner Initiated Customer Access) account.

Downloading software is only possible for networking components with a valid 'software-download' contract (like SmartNet). If you have a contract to download software for a specific Cisco Catalyst switch, you can only download the software for that switch. So check your Cisco Service contract details, like serial number and part ID, check that they are correctly registered and that the contracts are registered to the correct CCO ID.

Sadly for me, as a consultant, it will be very hard to download the latest software. I have a valid CCO account, but as a company we don't have any support contracts to download software. Not only the change in software entitlement, but also the change in the license structure of the hardware and software feature sets has an impact on my daily work. It is getting harder and harder, and in the end maybe impossible, to test the latest features with tools like GNS3 and Dynamips. Not only for testing purposes, but also for studying purposes. Emulating software with Dynamips is extremely powerful when you try to achieve the CCIE or other certifications.

On the other hand, I can also understand that Cisco tries to protect the copyrights of its products and the investment of its paying customers. I know that multiple vendors make their software available for free, but I also know that some of these vendors have very poor software maintenance. Sometimes you need to downgrade after upgrading an image, or specific releases just disappear and aren't supported anymore.

I guess we have to get used to the new concept, and in a couple of months or years we won't know any better. I am positive that somebody will find new 'solutions' for the download and feature set 'problems'.

Dear Partner,

As you may know, a licence is required to use Cisco software. A licence that has been paid for and with which you can download software. This speaks for itself. However, it was previously possible to download all IOS software with a CCO or PICA (Partner Initiated Customer Access) account with 'software-download access', including software for products that did not fall within the contract. Until now, Cisco has applied a so-called trust model.
In order to protect the copyrights of our software products, in December we are reviewing all contracts on the basis of paid licences. Partners who have paid for the service will be able to continue downloading software in the future. Those without a licence will no longer have free access from 2 January. In this way Cisco protects its intellectual property and your investment in the products.
To make this change go as smoothly as possible, we ask you as a Partner to do the following before 2 January 2011:

• Check here whether your Cisco Services contract(s) are complete and fill in any missing details, such as serial numbers, part IDs (product series and type number) and locations.
• Verify that all your Cisco products are registered on the Cisco service contract and that you have valid licences for the Cisco software.
• Check that all service contract(s) are linked to the correct user name and CCO ID on www.cisco.com
• Check that all your employees are registered and authorised and that their details are also filled in correctly.

From 2 January 2011 we will check all downloaded software for licences as standard. The download speed will not slow down, and if you are registered you will experience no inconvenience from this change while downloading.

Should you have any questions following this message, please feel free to ask your Partner Account Manager.

Kind regards,
Cisco

Fred Gerritse
Director Partner Organisation

Cisco CSC-SSM-20 notes

November 1st, 2010 | 6 Comments

The Cisco CSC-SSM-20 modules provide advanced scanning technologies within the Cisco ASA firewall. During installations of these modules I created some quick notes, which I would like to share with you.

Initial configuration

After inserting the Cisco CSC-SSM module into the Cisco ASA firewall, you have two ways to perform the initial configuration. The first method is through Cisco ASDM, launching the Cisco CSC-SSM Launch Wizard under Configuration. The second method is through the Cisco ASA CLI, which sends the setup commands to the module in slot 1. Below you see an example of the CLI method.

session 1 do setup ac-key base 1 <license key>
session 1 do setup ac-key plus 1 <license key>
session 1 ip address 10.10.1.1 255.255.255.0
session 1 ip gateway 10.10.1.1
session 1 do setup dns 10.10.1.10 10.10.1.11
session 1 do setup host csc-ssm1.booches.nl
session 1 do setup email-domain booches.nl
session 1 do setup ntfn-email admin@booches.nl
session 1 do setup ntfn-svr-ip 10.10.1.100
session 1 do setup ntfn-svr-port 25
session 1 do setup password <old password> <new password>
session 1 do apply-config

The above commands configure various parameters, like license keys, hostname, IP address, internal mail domain and password credentials.

Define scanning traffic

With the configuration of a service-policy within the Cisco ASA configuration, you define which traffic should be forwarded to and scanned by the CSC-SSM module. The Cisco CSC-SSM modules provide scanning for the following protocols: tcp/http, tcp/smtp, tcp/pop3 and tcp/ftp.

The Cisco CSC-SSM modules have their own management interface. This interface is used by the modules to check for updates or to query the TrendMicro databases for web or e-mail reputation checks. I always exempt the traffic from the Cisco CSC-SSM modules from scanning, because scanning the module's own traffic could impact performance. Below you see an example service-policy configuration, including the exemption of the Cisco CSC-SSM traffic. The deny entries must precede the permit entries, because the access-list is evaluated first match wins. The Cisco CSC-SSM modules have the IP addresses 10.10.1.1 and 10.10.1.2 in this example.

access-list csc-ssm extended deny tcp host 10.10.1.1 any eq www
access-list csc-ssm extended deny tcp host 10.10.1.1 any eq smtp
access-list csc-ssm extended deny tcp host 10.10.1.1 any eq pop3
access-list csc-ssm extended deny tcp host 10.10.1.1 any eq ftp
access-list csc-ssm extended deny tcp host 10.10.1.2 any eq ftp
access-list csc-ssm extended deny tcp host 10.10.1.2 any eq pop3
access-list csc-ssm extended deny tcp host 10.10.1.2 any eq smtp
access-list csc-ssm extended deny tcp host 10.10.1.2 any eq www
access-list csc-ssm extended permit tcp any any eq www
access-list csc-ssm extended permit tcp any any eq smtp
access-list csc-ssm extended permit tcp any any eq pop3
access-list csc-ssm extended permit tcp any any eq ftp
!
class-map cm-csc-scanning
match access-list csc-ssm
!
policy-map pm-csc-scanning
class cm-csc-scanning
csc fail-open
!
service-policy pm-csc-scanning interface inside

The policy-map uses csc fail-open, which means that all traffic is allowed through if the Cisco CSC-SSM module would (physically) fail and become unavailable. Depending on the security policy used within your organization, you can also configure the Cisco ASA to block all traffic. You should then use the command csc fail-closed.
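Added example (not from the post): a Python check that evaluates the csc-ssm access-list above with the ASA's first-match semantics, so you can confirm that the module addresses are exempted from scanning while other clients on the same ports are matched, and see what happens if the permit entries were listed first. The access-list is copied from the post; the test flows and the 192.168.5.20 client address are constructed.

```python
import ipaddress

# The post's csc-ssm access-list, embedded here as constructed input.
CSC_SSM_ACL = """\
access-list csc-ssm extended deny tcp host 10.10.1.1 any eq www
access-list csc-ssm extended deny tcp host 10.10.1.1 any eq smtp
access-list csc-ssm extended deny tcp host 10.10.1.1 any eq pop3
access-list csc-ssm extended deny tcp host 10.10.1.1 any eq ftp
access-list csc-ssm extended deny tcp host 10.10.1.2 any eq ftp
access-list csc-ssm extended deny tcp host 10.10.1.2 any eq pop3
access-list csc-ssm extended deny tcp host 10.10.1.2 any eq smtp
access-list csc-ssm extended deny tcp host 10.10.1.2 any eq www
access-list csc-ssm extended permit tcp any any eq www
access-list csc-ssm extended permit tcp any any eq smtp
access-list csc-ssm extended permit tcp any any eq pop3
access-list csc-ssm extended permit tcp any any eq ftp
"""

PORTS = {"www": 80, "smtp": 25, "pop3": 110, "ftp": 21}

def parse_acl(text):
    """Parse the subset of ASA ACL syntax used above: 'host A' or 'any' as
    source, 'any' as destination and 'eq <name>' as destination port."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        action, proto, i = tok[3], tok[4], 5
        if tok[i] == "host":
            src, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        else:
            src, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        i += 1                      # skip the destination 'any'
        port = PORTS[tok[i + 1]] if tok[i] == "eq" else None
        entries.append((action, proto, src, port))
    return entries

def is_scanned(entries, src_ip, dst_port, proto="tcp"):
    """First match wins, as on the ASA: 'deny' means the flow is NOT sent to
    the CSC-SSM, 'permit' means it is, and no match means it is not scanned."""
    ip = ipaddress.ip_address(src_ip)
    for action, p, src, port in entries:
        if p == proto and ip in src and (port is None or port == dst_port):
            return action == "permit"
    return False
```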

I configured the service-policy on the inside interface. This is done for logging purposes: when you apply the service-policy to the outside interface, you will only see the outside PAT address in the HTTP logging, which is fairly useless if you would like to know who is accessing an "illegal" website.

Before placing the Cisco CSC-SSM module in production, be sure that the Cisco CSC-SSM module has access to the internet to query the TrendMicro database. If the Cisco CSC-SSM modules don’t have the appropriate rights to the internet the scanning feature doesn’t work properly and nobody will have access to the internet.

Failover / Synchronization

Cisco ASA appliances are mostly configured in a redundant way, like active/passive or active/active. When both Cisco ASA appliances have their own Cisco CSC-SSM module, you can configure synchronization between the Cisco CSC-SSM modules. This ensures that the configuration of both modules is always the same. I configure failover / synchronization with the following steps.

  1. Completely configure the primary module;
  2. Complete the initial configuration on the secondary module;
  3. Test connectivity between both modules and export the configuration of the primary module;
  4. Open a browser window and enter the following URL in the Address Field: https://<primary device IP address>:8443. The Logon window appears. Log on, and choose Administration - Device Settings - Device Failover Settings.
  5. Open a second browser window and enter the following URL in the Address Field: https://<secondary device IP address>:8443. As in step 4, log on and choose Administration - Device Settings - Device Failover Settings.
  6. On the Device Failover Settings window for the primary device, enter the IP address of the secondary device in the Peer IP address field. Enter an encryption key of one to eight alphanumeric characters in the Encryption key field. Click Save, and then click Enable. The following message appears under the window title: InterScan for CSC SSM could not establish a connection because the failover peer device is not yet configured. Please configure the failover peer device, then try again. This message is normal behavior and appears because the peer is not yet configured.
  7. On the Device Failover Settings window for the secondary device, enter the IP address of the primary device in the Peer IP address field. Enter the encryption key of one to eight alphanumeric characters in the Encryption key field. The encryption key must be identical to the key entered for the primary device. Click Save, and then click Enable. The following message appears under the window title: InterScan for CSC SSM has successfully connected with the failover peer device. Do not click anything else at this time for the secondary device.
  8. On the Device Failover Settings window for the primary device, click Synchronize to peer. The message in the Status field at the bottom of the window should state the date and time of the synchronization, for example: Status: last synchronized with peer on 11/01/2010 09:12:12.

Be sure you do not click Synchronize to peer at the end of step 7, while you are still on the Device Failover Settings window for the secondary device. If you do, the configuration you have already set up on the primary device is erased. You must perform manual synchronization from the primary device, as described in step 8. The exception to the auto-synchronization feature is uploading a system patch. A patch must be applied on both the primary and the secondary device.