Wednesday, January 27, 2010

Cisco ASA iPhone VPN Config

I recently purchased a shiny new iPhone 3G and wanted to be able to connect back to my house where I have a Cisco ASA 5505. I have noticed a lot of questions about how to get this to work, so here it is…

First, make sure you are running ASA Software version 8.0(3) or better. The previous versions have a bug when the iPhone connects that will boot all other users connected to the VPN.

On the ASA, we need to get the VPN configured. First, the ACLs for split-tunneling, no NAT and VPN access:

access-list RA_VPN_ACL extended permit ip any 172.30.30.0 255.255.255.0
access-list RA_VPN_SplitTunnel_ACL standard permit 172.25.25.0 255.255.255.0
access-list NoNAT_ACL extended permit ip 172.25.25.0 255.255.255.0 172.30.30.0 255.255.255.0
nat (inside) 0 access-list NoNAT_ACL

Since this config will authenticate to the local ASA, we need to have a username and password setup:

username iPhone password your_password

Now setup a DHCP pool for VPN clients:

ip local pool RA_VPN_POOL 172.30.30.100-172.30.30.200

Now create the crypto maps and apply them to the outside interface:

crypto ipsec transform-set RA_VPN_SET esp-aes esp-sha-hmac
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set reverse-route
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface outside

Setup ISAKMP:

crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20

Now create a remote access VPN policy. Make sure to add the split-dns value for your local domian. If you leave this out, the iPhone will not resolve DNS on the internal network!

group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
dns-server value DNS_Server_IP
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_VPN_SplitTunnel_ACL
split-dns value domain.local

Add the tunnel-group to allow the VPN connection:

tunnel-group RA_VPN type ipsec-ra
tunnel-group RA_VPN general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
pre-shared-key your_password

Now to configure the iPhone. First, go to Settings -> General -> Network -> VPN. Then Add VPN Configuration. Select IPSec at the top and enter your information. The Server is the IP address or hostname of the ASA. The Account is the Username you created in the config above. The Group Name is the tunnel-group name created on the ASA.


iPhone VPN Config

iPhone VPN Config

iPhone VPN Config

To connect the VPN, go to Settings -> VPN (this appears after you create a VPN connection). Just change the option to ON.

iPhone VPN Config

iPhone VPN Config


iPhone VPN Config

Once you see the VPN icon on the top bar, you are connected!

Posted by at No comments:
Labels:

Tuesday, January 26, 2010

Telnet logging to Cisco router with Radius authentication based on Windows 2008 R2


Say you want to give a network admin access to a Cisco router via telnet with Radius authentication (user account is stored in AD).

The network admin is not a system admin so he does not have administrator rights on the AD domain but it has to have level 15 access to all Cisco devices.

Here is the configuration of the router (tested on Cisco 1800 Series)

enable secret 5 ############

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local

privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure

line con 0
password 7 ############
line aux 0
line vty 0 4
password 7 ############
transport input telnet
session-timeout 60


Quick description:
enable secret 5 - password for admin level to restrict the use of "enable" command


aaa new-model - start the AAA configuration
aaa authentication login default group radius local - login authentication is done by the AAA mechanism in the following fasion:
  • first the default authentication group is used (I did not create my own authgroup for this example) and checked by a Radius server
  • if the server does not respond (and only then) - local user database is checked
aaa authorization exec default group radius local- command execution authorization is done in the same way as above.


The next set of commands is to create a new priviledge level. In Cisco IOS the admin level is 15. It has the full right on any hardware. Lower level must be defined before can be used.
In this case I created a 7th level of access with right to execute ping, enter configuration options and configure SNMP settings.


line vty 0 4 - telnet connection configuration (total of 5 lines - from 0 to 4)



Now for the Windows 2008 Server R2 side:

Network policy for level 15:

  • Windows Group: NetAdmins
  • Standard Attributes: 7 (Framed Protocol) - PPP, 6 (Service Type) - NAS Prompt
  • Cisco Attributes AV-Pair: shell:priv-lvl=15
Network policy for level 7:

  • Windows Group: SomeoneElse
  • Standard Attributes: 7 (Framed Protocol) - PPP, 6 (Service Type) - NAS Prompt
  • Cisco Attributes AV-Pair: shell:priv-lvl=7

Now when logging via telnet users belonging to NetAdmin group gain full access to router (without the need for "enable" command) while users from SomeoneElse group have only level 7.
If the other user would want the full access he would have to know the secret password
Posted by at No comments:
Labels:

Thursday, January 7, 2010

Cisco ASA NetFlow Support – NetFlow Security Event Logging – NSEL

Cisco has changed its ways! Cisco ASA now supports NetFlow. The new feature in Cisco ASA version 8.2 is called NSEL (NetFlow Security Event Logging) and it allows all ASA models to support NetFlow. Below I have provided the NetFlow configuration of a Cisco ASA.

Three event types can trigger a NetFlow record.

flow-export destination inside x.x.x.x xxxx(Collector & Port)
access-list flow_export_acl permit ip host x.x.x.x host x.x.x.x

class-map flow_export_class
match access-list flow_export_acl

policy-map flow_export_policy
class flow_export_class
flow-export event-type flow-creation destination x.x.x.x(Collector IP)
service-policy flow_export_policy global

To see all event type records with NetFlow
event-type all
If you disable logging for flow export events this will increase performance
logging flow-export syslogs disable

  • Conf Configuration-Firewall->Service Policy Rules.
  • Click Add->select “Use class-default as the traffic class”->Next->Netflow (tab)->Add (check the collector(s) you want to use)->Finish->Apply.
NetFlow can be configured in the Cisco ASDM GUI by clicking:
* flow-create
* flow-denied
* flow-teardown
This isn’t your typical NetFlow
Posted by at 1 comment:
Labels:
Subscribe to: Posts (Atom)