Search This Blog

Tuesday, 31 January 2012

IPSEC Tunnel, NAT and Cisco ASA 8.4

Back on my Cisco ASA I now needed to work out how to build an IPSEC tunnel to a customer and then make sure that the traffic to that subnet is not subject to the Dynamic PAT I have for my inside network.

Setting up a Site to Site IPSEC VPN with the ASA is different to using a IOS router for example, the concepts remain the same but the order and way you do it are different.

First I will define two network objects for my network and my remote network.

object network Remote

object network CSCM

Next comes a series of crypto commands for the IPSEC tunnel

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

There are several other transform sets that can be created but for brevity I have only included the ones that I am using.

access-list acl-crypto-remote extended permit ip object Remote

This is an ACL to match the traffic from my network to the remote network.

crypto map crypto-map-remote 1 match address acl-crypto-remote

This will match the interesting traffic from my network to the remote network and assign this to the crypto map.

crypto map crypto-map-remote 1 set peer 195.xx.xx.xx

Set the peer address for the remote network WAN IP.

crypto map crypto-map-remote set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5

This enables the crypto map to use the transform sets we defined earlier.

crypto map crypto-map-remote interface Internet

Similar to IOS here we are adding the crypto map to the Internet interface so matching traffic is encapsulated.

crypto ikev1 enable Internet
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

This sets the IKE Policy for the tunnel on the Internet Interface with the correct Phase 1 settings for our remote site.

group-policy GroupPolicy_195.xx.xx.xx internal
group-policy GroupPolicy_195.xx.xx.xx attributes
 vpn-tunnel-protocol ikev1

Here we setup a Group Policy for VPN settings, this specifies that the type is internal and that the tunnel type is a IKE version 1 tunnel.

tunnel-group 195.xx.xx.xx type ipsec-l2l
tunnel-group 195.xx.xx.xx general-attributes
 default-group-policy GroupPolicy_195.xx.xx.xx
tunnel-group 195.xx.xx.xx ipsec-attributes
 ikev1 pre-shared-key ******

Finally we assign this as an IPSEC Site to Site Tunnel  or ipsec-l2l, then we assign the Group Policy we created to this tunnel and the pre shared key we are using.

Trouble shooting this can be tricky and so I recommend the following commands to help

show crypto ipsec sa
show  crypto ikev1 sa
show logging

You can get a really good log view with the ASDM for this type of configuration, it beats the SSH or console view in my opinion.

Static NAT and Cisco ASA 8.4

I like the Cisco ASA appliances and I like Cisco CLI but sometimes I don't always get the syntax I need right first time and I spend some time scratching my head on how to do something.  One of these was the changes to NAT in the 8.3 ASA and above.

All I wanted to do was allow inbound access to a SMTP and HTTP Server for a customer, now on IOS this would take me a few minutes for the NAT statement and then a few more for the Zone Based Firewall and Class Maps.  But this is ASA and things are different, and in 8.3 they are even more different!

So my configuration is

Internal Server -
Outside Interface - 78.xx.xx.xx
Services Requires - SMTP & HTTPS

So the first change is that 8.3 uses network objects to define IP addresses and ports, this is so you can change the object and not the rules, in a big configuration this is going to help a lot.

I need to define my internal server

object network obj-server

Next I need to define an object for my services of SMTP and HTTPS

object service obj-smtp
service tcp source eq smtp
object service obj-https
service tcp source eq https

Now this is important as it creates an object for traffic that has the source port of 25 and 443.  Once this is done a Static NAT is required to translate the traffic from anywhere on the Internet to our Internal Server.

nat (Inside,Internet) 1 source static obj-server interface service obj-smtp
nat (Inside,Internet) 2 source static obj-server interface service obj-https

We will now have a translation from the Inside host to the Internet Interface on port 25 and 443, but there are no rules allowing this traffic and as we are going from a lower security interface to a higher this will be dropped.

So we need to use an Access Control List to allow the traffic.

access-list acl-Internet-To-Inside extended permit tcp any host eq smtp
access-list acl-Internet-To-Inside extended permit tcp  any host eq https

Then the final step is to assign this ACL to the Internet Interface in an inbound direction.

access-group acl-Internet-To-Inside in interface internet

On a remote server I try a telnet to my Internet Interface IP address of port 25 and I connect, a show nat command will display the translations that are created

Manual NAT Policies (Section 1)
1 (Inside) to (Internet) source static obj-smtp interface   service smtp smtp
    translate_hits = 0, untranslate_hits = 8

Its a very simple system once you get used to it but it is different from IOS and ASA 8.2 and lower.

Monday, 30 January 2012

Acronis Backup & Recovery 11 - Cannot cancel current activities

We use the Acronis Backup and Recovery application for server backup, sometimes in the current version 11 you will find you have backup tasks that are stuck in the Current Activities list and you cannot cancel them or delete them.

Well don't worry, its a bug and it needs an Acronis fix!  Here is the KB article
 Use the download patch to remove the stuck tasks.

Friday, 20 January 2012

Windows 8 - The game changer?

Over the last few years you could be forgiven for thinking that Microsoft has had its day, Google and Apple dominate the media, Microsoft have gone the way of IBM haven't they?

Well, maybe not. Windows 8 has one killer feature, a type 1 hyper visor. This means you can install multiple OS on a laptop and it runs in the bare metal.

This will have a profound effect, so now power users can run Windows 7 and Ubuntu on one laptop, but that's just the start. Let's say you have a user and want a maintain a clean OS so you deploy Windows 7 in the hyper v and then use App-v for all applications. Now you have a secure and clean OS for your user, ok so what's different to now?

For one, let's sync that VM guest to the data centre when in the office, laptop stolen or lost? VM is ready to use again, just deploy a new Windows 8 laptop.

User wants iTunes and The Sims? Build a VM guest for their home OS and keep your business OS for business. BYOC? It's going to happen with Windows 8, if the user leaves you can remotely close the VM and wipe it.

So what about what we do? The VM needs to be built, deployed, managed and supported. App-v must be designed to support applications and Remote Desktop Services utilised.

The hardware is and will become irrelevant to support, support will be all about availability, transparency of movement and always available applications.

Windows support is complex and costly, it needs to be simple for the user and Windows 8 entertains this.

The days of device drivers, reinstalls, registry hacks, malware, personal data management are going to end, the skills of tomorrow will be client virtualisation, application virtualisation, and application abstraction.

We will see the biggest shift in IT techs in the next three years as the game changes and only those with the right skills can deliver.

SBS 2003 Server CEICW Fails at Firewall Configuration

I was working on a customers Small Business Server 2003 system this week and had a problem where Remote Web Workplace had stopped working, a check on the ISA 2004 console showed that the publishing rules were all gone!  It appeared they may have been inadvertently deleted.

So the best plan with SBS Server 2003 is to use the Internet connection Wizard to reset all the publishing rules, SBS kind of likes you to use the wizards even if you can configure the ISA manually.

However whenever I ran the wizard it would fail at the Firewall configuration stage, I used the BPA to check the server and worked on my event logs until they were clean of errors but still it would fail.

So what was the cause?  Well it turns out that having a Web Listener in the ISA objects was the issue,  I removed the SBS Web Listener and then ran the CEICW and bingo it runs through and recreates my RWW rule and RWW is working again.

This is one with no real reason I feel, one of these Microsoft things were you just have to learn from experience and move on!