topic New ASA Device in Network Security

New ASA Device

Kesar123456 — Mon, 11 Mar 2019 23:21:51 GMT

Hello,

We have a new ASA box configured and one of the user is using his IPad to connect to it.

It is asking for secret password while he trys to connect it.

Arun

New ASA Device

Jennifer Halim — Fri, 22 Jun 2012 03:54:01 GMT

Enable password should be blank if you haven't configured the ASA.

New ASA Device

Kesar123456 — Fri, 22 Jun 2012 20:50:14 GMT

Let me put it this way, user is trying to connected ASA using his IPAD.

It is asking for password, which he has.

Again it is asking for Secret...................so not sure what it is.

New ASA Device

Marvin Rhoads — Fri, 22 Jun 2012 22:12:30 GMT

Is the user trying to use the AnyConnect app on an iPad or is he trying to connect to the ASA to administer it?

Only in the latter case should an enable password be required. In the former case - e.g., when connecting using AnyConnect (for a remote access VPN), a user should only be required to provide their user password (unless 2 factor authentication with a third party application is setup for the VPN).

Please provide the ASA configuration file for better assistance.

New ASA Device

Kesar123456 — Sat, 23 Jun 2012 12:41:07 GMT

Hi Marvin,

I am attaching the running config.

The user is from the group MDW(You can see it in the config).

=====================================================================================

sh run
: Saved
:
ASA Version 8.2(5)
!
hostname nmtasav001
domain-name internal.XXX.com
enable password xxx encrypted
passwd xxx encrypted
names
name 10.4.5.5 NetflowAnalyzer
name 10.4.5.6 Challenger
name 10.4.237.0 Net-10.4.237.0 description ASA Client VPN
name xxx Net-xxx description Hosting
name 10.4.4.50 mtcdnsw001
name 10.4.4.51 mtcdnsw002
name xxx nmtasav001-outside
name 172.16.0.0 Net-172.16.0.0
name 192.168.0.0 Net-192.168.0.0
!
interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 10.4.1.20 255.255.255.224
!
interface GigabitEthernet0/1
nameif OUTSIDE
security-level 0
ip address nmtasav001-outside 255.255.255.0
!
interface GigabitEthernet0/2
nameif lab
security-level 100
ip address 192.168.105.193 255.255.254.0
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup INSIDE
dns server-group DefaultDNS
name-server mtcdnsw001
name-server mtcdnsw002
domain-name internal.xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network obj-SSL-pool
network-object 10.2.31.0 255.255.255.0
object-group network obj-inside-LAN
network-object 10.4.1.0 255.255.255.224
object-group network INTERNAL-DNS
network-object host mtcdnsw001
network-object host mtcdnsw002
object-group network Net-PrivateRFC1918
network-object 10.0.0.0 255.0.0.0
network-object Net-172.16.0.0 255.240.0.0
network-object Net-192.168.0.0 255.255.0.0
access-list mngmt-in extended permit ip any any
access-list INSIDE_nat0_outbound extended permit ip any 192.168.105.194 255.255.255.254
access-list INSIDE_nat0_outbound extended permit ip any 10.2.31.0 255.255.255.0
access-list no_nat extended permit ip 10.2.31.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list no_nat extended permit ip any 10.0.0.0 255.255.255.0
access-list tcp_bypass extended permit tcp host 10.4.4.38 any
access-list DAP-Test extended deny ip 10.2.31.0 255.255.255.0 host Challenger

access-list MDW-Contractors extended permit ip Net-10.4.237.0 255.255.255.0 Net-xxx 255.255.224.0
access-list MDW-Contractors extended permit udp Net-10.4.237.0 255.255.255.0 object-group INTERNAL-DNS eq domain
access-list MDW-Contractors extended deny ip any object-group Net-PrivateRFC1918
access-list MDW-Contractors extended permit ip Net-10.4.237.0 255.255.255.0 any
access-list MDW-ST-TEST extended permit ip any any inactive
access-list MDW-ST-TEST2 standard permit host xxx
pager lines 24
logging enable
logging asdm informational
flow-export destination INSIDE NetflowAnalyzer 2055
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu lab 1500
mtu management 1500
ip local pool IPPool 192.168.105.194-192.168.105.195 mask 255.255.254.0
ip local pool TestPool 10.0.0.1-10.0.0.254 mask 255.255.255.0
ip local pool OUTSIDE-TEST 10.2.31.2-10.2.31.254 mask 255.255.255.0
ip local pool MDW-Contractors 10.4.237.206-10.4.237.210 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list no_nat
nat (OUTSIDE) 1 Net-10.4.237.0 255.255.255.0
access-group mngmt-in in interface management
route OUTSIDE 0.0.0.0 0.0.0.0 xxx 1
route INSIDE 10.0.0.0 255.0.0.0 10.4.1.4 1
route INSIDE Net-172.16.0.0 255.240.0.0 10.4.1.4 1
route INSIDE Net-192.168.0.0 255.255.0.0 10.4.1.4 1
route INSIDE Net-xxx 255.255.224.0 10.4.1.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-message "Default Success"
dynamic-access-policy-record Employees
user-message "Employees DAP Good"
network-acl DAP-Test
aaa-server Internal_LDAP protocol nt
aaa-server Internal_LDAP (INSIDE) host 10.4.4.40
nt-auth-domain-controller 10.4.4.40
aaa-server CryptoCard protocol radius
aaa-server CryptoCard (INSIDE) host 10.4.5.1
key *****
authentication-port 1812
accounting-port 1813
aaa-server INTERNAL_AD protocol nt
aaa-server INTERNAL_AD (INSIDE) host 10.4.4.40
nt-auth-domain-controller 10.4.4.40
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (INSIDE) host 10.4.4.38
server-port 389
ldap-base-dn ou=xxx,dc=internal,dc=xxx,dc=com
ldap-group-base-dn ou=xxx,dc=internal,dc=xxx,dc=xxx
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn ldapquery@xxx
server-type microsoft
aaa-server BlackShield protocol radius
aaa-server BlackShield (INSIDE) host 10.4.4.253
key *****
authentication-port 1812
accounting-port 1813
aaa-server BlackShield (INSIDE) host 10.4.4.254
key *****
authentication-port 1812
<--- More --->

accounting-port 1813
aaa-server Hosting-LDAP protocol ldap
aaa-server Hosting-LDAP (INSIDE) host xxx
server-port 636
ldap-base-dn ou=People,dc=xxx,dc=xxx
ldap-scope subtree
ldap-naming-attribute uid
ldap-login-password *****
ldap-login-dn cn=VPN,ou=Auth Accounts,dc=xxx,dc=xxx
ldap-over-ssl enable
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.105.192 255.255.255.255 lab
http Challenger 255.255.255.255 lab
http 10.0.0.0 255.0.0.0 lab
http 10.0.0.0 255.0.0.0 INSIDE
http Net-192.168.0.0 255.255.0.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map lab_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map lab_map interface lab
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=nmtasav001
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 17ffe14e
    308201d7 30820140 a0030201 02020417 ffe14e30 0d06092a 864886f7 0d010105
    05003030 31133011 06035504 03130a6e 6d746173 61763030 31311930 1706092a
    864886f7 0d010902 160a6e6d 74617361 76303031 301e170d 31313132 30393132
    34363231 5a170d32 31313230 36313234 3632315a 30303113 30110603 55040313
    0a6e6d74 61736176 30303131 19301706 092a8648 86f70d01 0902160a 6e6d7461
    73617630 30313081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902
    8181009a 6917bd8f e740f061 92d7a6fe 93407ac8 0449a07d 65da57c8 ce4954d4
    2260f2b5 ab4df14c 5ad4c326 83a5d44f 61c1fcf1 4b297cfd 99b5d476 1c448acf
    1939e5aa 8b994aba 4a6cd5ee dc9add18 92677696 773d581c 3b8bc39b 3257c32c
    cf1288d2 9a2addce 76b3fd5c 90207513 c4f2c662 771dfbe7 4b6ce8a3 5ec886a4
    3ec27d02 03010001 300d0609 2a864886 f70d0101 05050003 8181008e 36d02573
    df2277dd d0902fa8 83b6efb1 183c3df1 2d305cd8 c3eb6c15 f21534e1 12252077
    f9d92978 7477cd70 b0e5cf6a db9401ea b02b1ece ace0ed55 7b84bddc cb86e9af
    306c1033 ed52c294 ea59a284 0e6f63e6 d1c6f3c8 ace8b8ba 158e38a1 2923cbc2
    27895b29 549ce80a 66170c58 b4e493d5 879c44d5 860ed20d 96d05d
quit
crypto isakmp enable OUTSIDE
crypto isakmp enable lab
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha

group 2
lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 INSIDE
ssh Net-192.168.0.0 255.255.0.0 INSIDE
ssh 10.0.0.0 255.0.0.0 lab
ssh Net-192.168.0.0 255.255.0.0 lab
ssh Challenger 255.255.255.255 lab
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.4.4.35 source INSIDE prefer
ssl trust-point ASDM_TrustPoint0 lab
webvpn
enable OUTSIDE
csd image disk0:/csd_3.5.841-k9.pkg
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 2
svc image disk0:/anyconnect-macosx-powerpc-2.3.2016-k9.pkg 3
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 4
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 5
svc enable
group-policy RSA-TEST internal
group-policy RSA-TEST attributes
dns-server value 10.4.4.50 10.4.4.51
vpn-tunnel-protocol IPSec
default-domain value internal.xxx
group-policy DfltGrpPolicy attributes
dns-server value 10.4.4.50 10.4.4.51
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value internal.xxx
group-policy GroupPolicy4 internal
group-policy GroupPolicy4 attributes
wins-server none
dns-server value 10.4.4.50 10.4.4.51
vpn-filter value MDW-Contractors
vpn-tunnel-protocol svc
default-domain value internal.xxx
group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
wins-server none
dns-server value 10.4.4.50 10.4.4.51
vpn-tunnel-protocol svc
default-domain value internal.xxx
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
wins-server none
dns-server value 10.4.4.50 10.4.4.51
vpn-tunnel-protocol svc
default-domain value internal.xxx
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value 10.4.4.50 10.4.4.51
vpn-tunnel-protocol svc
default-domain value internal.xxx
group-policy EmployeeGrpPolicy internal
group-policy EmployeeGrpPolicy attributes
wins-server none
dns-server value 10.4.4.50 10.4.4.51
vpn-tunnel-protocol svc webvpn
default-domain value internal.xxx
webvpn
url-list value Challenger
group-policy OUTSIDE-REMOTEACCESS internal
group-policy OUTSIDE-REMOTEACCESS attributes
dns-server value 10.4.4.50 10.4.4.51
vpn-tunnel-protocol IPSec svc
default-domain value internal.xxx
username user1 password spqkEUN2dW2Uq2B3 encrypted
username user2 password CiPqkZGHO77wSa/e encrypted privilege 0
username user2 attributes
vpn-group-policy RSA-TEST
username xxx password xxx encrypted
username neteng password xxx encrypted privilege 15
username neteng attributes
service-type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool OUTSIDE-TEST
authentication-server-group INTERNAL_AD
secondary-authentication-server-group CryptoCard use-primary-username
tunnel-group CompanyOwnedComputer type remote-access
tunnel-group CompanyOwnedComputer general-attributes
address-pool OUTSIDE-TEST
authentication-server-group INTERNAL_AD
secondary-authentication-server-group BlackShield use-primary-username
default-group-policy EmployeeGrpPolicy
tunnel-group CompanyOwnedComputer webvpn-attributes
group-url https://xxx/employees enable
tunnel-group MDW type remote-access
tunnel-group MDW general-attributes
address-pool MDW-Contractors
authentication-server-group Hosting-LDAP
authorization-server-group Hosting-LDAP
default-group-policy GroupPolicy4
tunnel-group MDW webvpn-attributes
group-url https://xxx/mdw enable
tunnel-group OUTSIDE-REMOTEACCESS type remote-access
tunnel-group OUTSIDE-REMOTEACCESS general-attributes
address-pool OUTSIDE-TEST
default-group-policy OUTSIDE-REMOTEACCESS
tunnel-group OUTSIDE-REMOTEACCESS ipsec-attributes
trust-point ASDM_TrustPoint0
tunnel-group RSA-TEST type remote-access
tunnel-group RSA-TEST general-attributes
address-pool TestPool
default-group-policy RSA-TEST
tunnel-group RSA-TEST ipsec-attributes
pre-shared-key *****
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
authentication-server-group (INSIDE) Internal_LDAP
default-group-policy GroupPolicy2
!
class-map inspection_default
match default-inspection-traffic
class-map tcp_bypass
description "TCP traffic that bypasses stateful firewall"
match access-list tcp_bypass
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map tcp_bypass_policy
class tcp_bypass
set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
service-policy tcp_bypass_policy interface INSIDE
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8ebf55bf0eac5187d701d62352d57e6f
: end

nmtasav001#

New ASA Device

Marvin Rhoads — Sat, 23 Jun 2012 12:53:26 GMT

Hmm,

I'm zeroing in on the section I've copied below. Which username is the iPad user logging in with? I'm thinking perhaps either the username command parameterrs need to be modified or possibly the secondary CryptoCard autherntication server is not getting the Radius secret properly from the iPad client.

group-policy OUTSIDE-REMOTEACCESS attributes

dns-server value 10.4.4.50 10.4.4.51

vpn-tunnel-protocol IPSec svc

default-domain value internal.xxx

username user1 password spqkEUN2dW2Uq2B3 encrypted

username user2 password CiPqkZGHO77wSa/e encrypted privilege 0

username user2 attributes

vpn-group-policy RSA-TEST

username xxx password xxx encrypted

username neteng password xxx encrypted privilege 15

username neteng attributes

service-type remote-access

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool OUTSIDE-TEST

authentication-server-group INTERNAL_AD

secondary-authentication-server-group CryptoCard use-primary-username

tunnel-group CompanyOwnedComputer type remote-access

tunnel-group CompanyOwnedComputer general-attributes

New ASA Device

Kesar123456 — Sat, 23 Jun 2012 17:27:03 GMT

The user is trying to connect ASA using Anyconnect from his IPAD.

We use Authentication using LDAP.

What i see from the attachment his send me is.

He is entering the followng information:

Description as MDW

Server as Public IP of the ASA box

Account as his name Tim.Hopes

Password as ***************

Use Certificate

Group Name as mdw

secret Missing info>>>>>>>>>>>>>>>>>>>>>>I am looking for this Information.

We are currently accessing Juniper box for VPN access. Permanant Employees dont use Cryptocard for secondary authentication, but this user is a contractor.

I am not sure if he is currently using it. That I can check with user on Monday.

New ASA Device

Kesar123456 — Sat, 23 Jun 2012 20:06:18 GMT

I just got reply from the user, he is not using Cryptocard while connecting to Juniper box.

Re: New ASA Device

Marvin Rhoads — Sat, 23 Jun 2012 21:29:59 GMT

You've said Juniper twice now. Do you mean Cisco ASA?

In mentioning the certificate, I assume you mean the user is accepting the SSL certificate of the ASA.

Can you verify that your system has the Anyconnect Mobile license installed? (Please post output of "show version | i AnyConnect".)

Re: New ASA Device

Kesar123456 — Sun, 24 Jun 2012 04:45:29 GMT

I will answer your question one by one.

We are currently using Juniper VPN box.This user is having no problem while connected to it from Mac Laptop.
We are moving from Juniper to Cisco ASA. Same user is now trying to connect to ASA using his IPAD.
Regarding certificate, I am not sure, he just send me the print screen. If you want I can attach it.

nmtasav001# show version | i AnyConnect

AnyConnect for Mobile : Disabled

AnyConnect for Cisco VPN Phone : Disabled

AnyConnect Essentials : Disabled

nmtasav001#

Re: New ASA Device

Marvin Rhoads — Sun, 24 Jun 2012 14:48:56 GMT

Ok, that makes more sense. You might want to open a TAC case since this is more complex than a simple question.

I was going to suggest using AnyConnect but it will not work without the license. You do not have Anyconnect for Mobile license installed on your ASA. That is a prerequisite for AnyConnect access from an iOS device. Reference, excerpted here:

The Mobile license is a fixed license on top of the existing number of licensed Secure Socket Layer (SSL) users. It can be used either with a Premium SSL VPN license or an AnyConnect Essentials license. To order the AnyConnect Mobile license for an existing unit with an SSL license, the part number is L-ASA-AC-M-55XX= (XX=05,10,20,40,50,80 depending on the model). This Mobile license can also be added as an option for new device purchases (ASA-AC-M-55XX). To order the AnyConnect Mobile license for an existing unit, contact your Cisco reseller. For an evaluation license for devices that have Essentials or Premium licenses, refer to Product License Registration for AnyConnect Mobile (registered customers only) . If you have specific questions on Mobile license requirements, send an e-mail to ac-mobile-license-request@cisco.com.

Re: New ASA Device

Kesar123456 — Sun, 24 Jun 2012 16:26:51 GMT

I found the same answer in this link.

http://www.cisco.com/en/US/partner/products/ps8411/products_qanda_item09186a00809aec31.shtml

One more question, this license is required for all the user who will be connected to this ASA box or just for this user using IPAD.

After getting this license installed on the ASA, do I need to do some configuration changes and what will be the anwer to my question.................Secret .................for the IPAD user.

New ASA Device

Marvin Rhoads — Sun, 24 Jun 2012 16:58:32 GMT

If you use AnyConnect for a mobile device, it is an alternative to clientless SSL VPN. A single license is required for the ASA to service multiple end users.

In that case, one installs and launches AnyConnect on the mobile device. The userid and password should be all that are required.

New ASA Device

Kesar123456 — Mon, 25 Jun 2012 20:59:59 GMT

Hi Marvin,

While checking with my boss, we found that we have already procured the Cisco AnyConnect Mobile license.

But these were never opened or installed.

Can you help me to get it installed or let me know the steps, which I have to follow.

Thanks

Arun

New ASA Device

Kesar123456 — Thu, 28 Jun 2012 20:27:19 GMT

Hi Marvin,

Even after installing Anyconnect license, it is still prompting for second password.

nmtasav001# show version | i AnyConnect

AnyConnect for Mobile : Enabled

AnyConnect for Cisco VPN Phone : Disabled

AnyConnect Essentials : Disabled

Arun