I know this is somewhat old now, but I wanted to add how I ended up finally fixing this. Originally what I did was create a batch script that was executed when a user logged into the VPN. This batch script would connect to a Windows share on our internal network, copy down a PowerShell script along with the related support files to the users local machine. The batch would then execute the PowerShell script that was downloaded. This worked fine initially and got the desired result. We recently replaced the NAS device this share was hosted on which for whatever reason resulted in certain clients being unable to access the share and thus download the PowerShell script for execution. Some clients have differing AV clients which might block files from being downloaded. Just became too unreliable. I searched for a different way and finally came up with the fix which as it turns out so much less complicated than the way I was originally trying to do this. I ended up configuring the ASA device to use two different scripts for Windows clients when they log in. First I configured one script for use on the ASA, and then configured a second script for use on the ASA for VPN Onconnect execution. So what happens here is that when an AnyConnect client connects to the VPN, the ASA actually automatically downloads two different scripts to the clients local hard drive. One script is just a batch script that just has code in it to execute the second script, which is my PowerShell code. Since the ASA is configured to use two scripts, each one gets downloaded to the local client. No more having to connect to a share to copy the files, potentially exposing passwords or perhaps not being able to download the files needed at all from the share. Whats more, is that the scripts get downloaded anytime they are changed. If you make a change to the scripts, you just re-upload them to the ASA, re-configured the VPN configuration to use them, and your changes get re-downloaded to the client upon connecting to the VPN. Then its just a matter of having the batch script call the PowerShell script in the path it gets downloaded to by the ASA.
I had originally tried this method, and the ASA would download both scripts, but I could never get the PowerShell one to execute. It seemed as though the ASA was confused about which script to execute when there were two of them, or that it was executing the PowerShell script first which would never work because its PowerShell. I tried this again tonight and finally got it to work. The key was uploading the PowerShell code to the ASA first, and then adding the batch script second. Seemed to order the two scripts in such a way as to allow the batch to run first which then will run the PowerShell code. I may have also had the path incorrect when I originally tried this. I forgot that the PowerShell file that gets downloaded has a prefix added to the filename of "Onconnect_". So UserRDP.ps1 becomes "Onconnect_UserRDP.ps1" when its added to the VPN configuration. Its possible it would not work because I was not calling the correct filename with the pre-pended filename in the batch file. Not sure. Anyway its working now.
For anyone else wanting to do this, try the following:
1. Create your PowerShell script
2. Create your batch file. The batch file should just have the following in it:
powershell.exe -ExecutionPolicy Bypass -File "%ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script\Onconnect_<PowerShellScriptName>.ps1"
3. Upload both scripts to the ASA flash filesystem
4. Add a new onconnect script for Windows clients to your VPN configuration. Choose the PS script you created in step one. Ignore the warning about the script not being executable and continue importing the script.
5. Add a second Onconnect script to the ASA VPN configuration. This time choose the batch file that you created in step two.
That's it. The ASA should download both scripts locally, and execute the batch script first to then call the locally downloaded PowerShell script. Just wanted to finish this out in case any one else tries to do something similar. HTH.
... View more
OK I figured this out. Sorry for the time waste here netpros. Despite me saying there was not an ACL entry in there that allowed it, there was. The reason the packet tracer worked is because I was not specific enough with the source ports when running it. Only the destination ports. The ACL was to allow VoIP to work with our voice provider and is pretty loose as the provider never could tell me what ports they use. Just wanted a huge range opened. Anyway this is solved and again sorry for the stupidity.
... View more
Have a strange issue here (or what I feel is strange). I have an ASA 5515X series box setup using two interfaces, inside and outside. Using NAT to translate between interfaces. Fairly simple setup. I have a handful of services I allow through the device from outside:some WWW/TLS traffic, email traffic, etc by way of an outside ACL configured on the outside interface. Recently I discovered one of the translated devices had a rogue RDP connection terminated on it from the Internet. The ACL configuration for this device only allowed Email and web traffic to it. Yet there was the RDP connection. I tried connecting to the RDP server off net and sure enough the connection was allowed in. I looked through the ACL to try and figure out how this connection was getting through. I could not find any rule allowing RDP access to this machine in the ACL. I ran packet-tracer to test the connection on the device:
packet-tracer input outside tcp 22.214.171.124 3753 <public NAT IP> 3389
Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule
So testing in packet tracer shows that the traffic should be dropped by the ACL protecting the outside interface.
Yet when I try connecting RDP offnet the traffic bypasses the ACL somehow and gets to the machine:
CAB01-ASA5515X-A# sh conn | i 10.20.50.116 UDP outside 126.96.36.199:56835 inside 10.20.50.116:3389, idle 0:00:18, bytes 147162, flags -
Here is the relevant configuration:
object network mailtest-int host 10.20.50.116 description Internal VDI Workstation Test Mail Server object network mailtest-ext host <public IP> description External VDI Workstation Test Mail Server
object network mailtest-int nat (inside,outside) static mailtest-ext
object-group service mail tcp description Mail Server Ports port-object eq 366 port-object eq 465 port-object eq 587 port-object eq 993 port-object eq 995 port-object eq imap4 port-object eq pop3 port-object eq smtp port-object eq 1000 port-object eq 3000 port-object eq 3101 port-object eq 4069 port-object eq https port-object eq www
access-list outside-in remark Any to Email Test Server for Email Services access-list outside-in extended permit tcp any object mailtest-int object-group mail access-group outside-in in interface outside
So why would the device show the traffic as being dropped in packet tracer but then turn around and allow the traffic through, especially when there is not an ACL entry that allows the traffic. I cannot find a single rule in this ACL that would allow it. Is it possible some kind of connection outbound from the PC is getting reused and allowing RDP inbound bypassing the ACL? If I put a deny rule specifically for blocking RDP traffic in the ACL like so:
access-list outside-in remark Deny RDP access to Email Test Machine access-list outside-in extended deny tcp any object mailtest-int eq 3389
the traffic gets blocked. If I put an explicit catch all deny any any at the end of the ACL the traffic still gets allowed. I don't normally have that rule as the flow of traffic would be from lower security level to higher security level. Firewall is running Cisco Adaptive Security Appliance Software Version 9.9(1). This host and configurations were recently moved from one site to another. The same basic FW configuration for this host was on the original ASA at the original site and this same issue came up there. Same problem. No RDP access allowed but yet it works. Normally I am trying to get traffic through this thing, not the other way around. Not sure whats going on here. Any help is appreciated. Thanks in advance.
... View more
I gave up here and called TAC. It works the way I thought it did in the first scenario. Each host in the ACL can only accept the number of connections configured in the set connection part of the policy. Thanks.
... View more
I got this to work following this thread:
The last post from Fabian L did the trick. This issue for me was that Split-DNS was working, but using IPv6 for doing lookups for IPv6 hosts outside the tunnel. Anyconnect was simply dropping those packets instead of splitting them out because IPv6 was not enabled in the Anyconnect client. I added IPv6 split tunneling using a bogus IPv6 IP block. This allows the Anyconnect connection to know what IPv6 traffic to split out so that the client can make normal local IPv6 DNS queries and thus allow IPv6 connectivity for IPv6 split tunnel clients. Keeps the Anyconnect client from just dropping all IPv6 traffic which would be needed for clients using native IPv6 with their ISPs. Here are the relevant config additions for reference:
group-policy colo-anyconnect-ras attributes
ipv6-split-tunnel-policy tunnelspecified split-tunnel-network-list value colo-ras-split-tunnel
split-dns value domain.com split-tunnel-all-dns disable address-pools value colo-ras ipv6-address-pools value colo-ras-ipv6
ipv6 local pool colo-ras-ipv6 <ipv6 Address Block Goes Here>/80 100
access-list colo-ras-split-tunnel extended permit ip <IPv6 Address Block/80
So this has the effect of allowing IPv6 traffic to selectively traverse the Anyconnect tunnel based on the access list colo-ras-split-tunnel . Now I don't need IPv6 traffic over the tunnel at all, but since I am specifying what should go over it, this has the side affect of telling Anyconnect what traffic should NOT go over it. Anyconnect then splits the traffic out for IPv6 lookups to the Internet for the Anyconnect clients which use native IPv6. Anyway its all figured out. Hope this helps someone else with the same issue.
... View more
Setting up some MPF protections for some of our Internet services. I am using MPF to create a class to match traffic out of an ACL, and then am applying some connection limits and parameters on the traffic specified in said ACL. See the relevant configuration:
class-map webserver-protect-class description Webserver Protection Class used to protect Webservers from DOS attacks match access-list webserver-protection
description Policy to control and protect Internet Services
class webserver-protect-class set connection conn-max 300 embryonic-conn-max 20
access-list webserver-protection extended permit tcp any object-group web-servers-int object-group web
So the ACL just lists a group of destination hosts and services using object-groups. What I am trying to determine is with the above MPF configuration, are the conn-max limits I am imposing going to be set for each host listed in the ACL, or are the limits the total limits for all hosts in the ACL? So for example if I match 10.10.10.5, 10.10.10.6, 10.10.10.7 for WWW connections in the ACL, and impose a 300 conn-max in the MPF policy, does the conn-max apply to 10.10.10.5, 10.10.10.6, and 10.10.10.7 for WWW traffic individually such that each host has a conn-max of 300, or is the 300 conn-max setting a 300 connection total for all of the 10.10.10.5-7 hosts such that only 300 connections across 10.10.10.5-7 as a total are allowed. In other words, only 300 connections are allowed between 10.10.10.5-7 as a total. I think its the former but when I run the command sh service-policy interface OUTSIDE, it seems to show a total in the output so I want to clarify:
Class-map: webserver-protect-class Set connection policy: conn-max 300 embryonic-conn-max 20 current conns 84, drop 0
In the output is it showing a total of all the hosts in the ACL and the number of connections that are open amongst all of them? Hopefully this makes sense what I am asking. Thanks in advance for any help here.
... View more
Not sure what has happened here but after upgrading my ASA to 9.9.1 from 9.6.3, a global MPF policy I had applied was removed from the configuration. This policy was doing default traffic inspection as well as DNS inspection for use with DNS doctoring. I tried re-applying the policy to the device. The device would take the command but not actually add the command to the configuration. I also use an interface policy for traffic policing and DDOS protection so at first I thought the device was no longer allowing the use of both an interface policy and a global policy together. I tried to shift some of the inspection configurations to the interface policy. I got that to work but noticed that one of the commands I added there would not take. Here is what I had in the global policy:
policy-map global_policy class inspection_default inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect ipv6 inspect icmp
So after moving this inspection config to the interface policy, I noticed that all commands showed in the configuration except for the ' user-statistics scanning ' part. So I removed that from the global policy and re-added the service-policy command to add the global policy to the configuration. This time the device took the command and added it to the configuration. So it seems somewhere between 9.6.3 and 9.9.1, the user-statistics scanning command has been removed or no longer works. With that command as part of the policy-map, I cannot apply the policy and have it stick in the config. The device takes the command and gives no errors but the command does not show in the configuration. Does anyone know if the ' user-statistics scanning ' command has been deprecated? Whats the deal here? Thanks in advance for any help.
... View more
Yes thanks for the reply here. I thought about this some just before seeing your post and it became clear the only way to get this one was in two steps, as you pointed out. I tried converting the PS to exe file and use just that. I could get the file to download, and actually execute, but for some reason the exe did not actually do anything. Worked fine by itself when executing this locally, but did nothing when executed using Anyconnect. Was running but never did anything coded in the original PS script. I just killed it in Task Manager.
I also tried to upload two scripts to the ASA: The batch file I wrote and the PS script I wrote. The thinking here is that this would allow me an easy way to get both scripts downloaded to the local machine for executin. It did just that but seemed to confuse the ASA as to which script needed to be run. The end result is nothing would run so I moved on.
I finally got this working tonight after some throwback Windows batch coding re-education(thank goodness for Powershell is all I can say). For those who are interested here is what I ended up doing.
I created a batch file that connects to a network share, copies down the Powershell script I wrote to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Script using robocopy, and then executes it using the following command:
powershell.exe -ExecutionPolicy Bypass -File "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Script\UserRDP.ps1
Executing the script this way allows you to bypass the configured powershell execution policy on the local machine, allowing the script to run, while not needing to reconfigure the machine at all.
While I would prefer to just have the ASA include PS scripts as a valid scripting option for OnConnect scripts, this current method does work. What is this 1995? Batch scripts really? It also allows me the opportunity to not only download the PS scripts themselves, but also any needed support files (since this script was an interactive forms based script, I included a nice image file in the form which I downloaded as part of my download commands).
Anyway thanks for the replies.
... View more
I was trying to bring up more of a GUI environment for users instead of regular command windows. Where I work, console windows frighten people. So was bringing up a windows form where users can enter some text in the forms box. Stuff like that. More than just the typical net use commands and whatnot.
How would one call a script from another script using the onconnect anyconnect tools? The way I need this to work is to have the script on the ASA, have it downloaded to the local machine, and then executed. I can call a batch file, and execute powershell from the batch calling the powershell exe and the path to the ps script file, but it seems for that to work the PS script file would already need to be on the machine. In my case its not.
So if I were to have a batch file as the onconnect script I run, and in it run powershell.exe -path <path to powershell script to run>, how can I get the powershell file from the ASA to the local client for it to execute. Or when the admin guide says you can call scripts from other scripts, what they mean is that the scripts called from other scripts would need to either be shell commands, or batch files already on the local disk of the VPN client machine. Is there no way I can do the following:
VPNLogin---->Onconnect----->commands.bat---->run powershellscript.ps1. It seems like all you can do with the onconnect scripts is load a single script on the ASA.
There is some sort of PStoexe converter available from MS but have a hard time believing all functionality will still be there in the resulting exe.
Any thoughts here will be appreciated.
... View more
Hello All. Has anyone tried using the onconnect scripting tools for ASA Anyconnect VPNs using Windows Powershell scripts? Trying to deploy a script which starts an RDP session after connecting to the VPN. Script works locally fine, and downloads through Anyconnect, but cannot execute. The issue is that Windows will not run PS scripts from the current directory by default. Need to use .\scriptname.ps1 to get them to run. If anyone knows the trick to getting PS to run via Anyconnect onconnect tools I would appreciate the help. Options are
get anyconnect to run the script using .\ in front of the command or
use a batch file to call the PS script.
I am told you can have scripts call other scripts using the onconnect tools, but have not been able to find a single example of how to get it to work. Thanks in advance for the help.
... View more
Greetings all. So I have an issue with the Split-DNS feature over Anyconnect SSL client based VPN. Running Anyconnect 4.3 with ASA code 9.6(3)1. We use both the split-tunneling and split-dns features to selectively direct network and dns queries to our remote DNS servers and networks. This works fine for most of our users. We are not yet using IPv6 over our VPN setups because we still have too many legacy devices on our network which do not support IPv6 fully.
Some of my users have been experiencing an issue where Split-dns is not working for them. Lookups for names sent over the tunnel using split-dns work fine, but any lookups not sent over the tunnel fail. Meaning that a lookup of host.internaldomain.com work fine, but a lookup of www.google.com would fail. If they disconnect from the VPN, Internet resolution works for them. As a work around I have them disable IPv6 on their network adapter, and then the split-dns feature works perfectly. With IPv6 enabled on their end, split-dns feature stops working. I run IPv6 on my home network and do not have any issues with the split-dns feature and therefore cannot reproduce their problem. When looking at my anyconnect client, I see the following in the information section:
Cisco AnyConnect Secure Mobility Client 4.3.03086 (Fri Jan 12 08:57:58 2018)
Connection Information Tunnel Mode (IPv4): Split Include Tunnel Mode (IPv6): Drop All Traffic
What I am wondering is if because our clients are using "Drop All Traffic" for IPv6, when the trouble users machines try and do lookups outside the tunnel, they use an IPv6 DNS server as configured by their ISP, and because the VPN tunnel is set to drop all IPv6 traffic, the lookup never works because it gets dropped. You can see here in my Windows IPCONFIG output that I have an IPv6 DNS server listed as one of my local resolvers:
DNS Servers . . . . . . . . . . . : 2001:470:X:X::X 172.16.0.20 172.16.0.21
But when I do Internet lookups (lookups outside the tunnel) it works fine with my IPv6 config. Is there some sort of config in the splitdns feature to not do anything with IPv6 name lookups over the tunnel? Any idea on what I have wrong here? I really am not sure why disabling IPv6 on their client machines would have any affect but it does.
Here is my config for split DNS:
group-policy colo-anyconnect-ras attributes wins-server none dns-server value 10.20.20.105 10.20.20.106 vpn-simultaneous-logins 3 vpn-tunnel-protocol ssl-client split-tunnel-policy tunnelspecified split-tunnel-network-list value colo-ras-split-tunnel default-domain value internaldomain.int split-dns value domain.com internaldomain.int domain2.com split-tunnel-all-dns disable address-pools value colo-ras
Any help is much appreciated. Thanks.
... View more
We have an old legacy application which connects to a third party via SSL. The third party provider is limiting connections to using TLS 1.2 beginning in June. Our legacy application can only support TLS 1.0. Upgrading the application seems to be not possible at the moment according to our development team. We use a Cisco ASA 5515X at our border. I was wondering if there was any way to have an ASA 'proxy' TLS sessions for a particular inside host and connect to an Internet host using TLS 1.2 on behalf of the inside host? So something like the inside host (with the ASA as the default route) connects to the ASA outbound, the ASA intercepts this connection, holds it open while connecting to the requested outside host via TLS 1.2. I noticed that the ASA has a TLS proxy of sorts for use with securing VoIP sessions, but I wondered if it could be leveraged here for what I am trying to do. Is there any other way I can have the ASA intercept older TLS sessions and have them be upgraded to TLS 1.2? Thanks in advance for any ideas.
... View more