Thanks for the reply here.Yes agreed that DAP is most likely a better way to go with this. I was under the impression that DAP required an Advanced Endpoint Assessment license to function which I did not have when I originally set this up so I used attribute maps. I have never been sure if that means that you can use DAP for auth parameters (AD group membership for example) and not configure policies that require endpoint assessment (presence of registry keys, etc.), or if that means any DAP configured on here would not work. I just went with attribute maps and moved on.
I had to get a different VPN license to enable higher end SSL encryption (TLS 2.0) recently. When I looked at the license today it seems I now have both endpoint assessment and Anyconnect premium enabled now as a result:
AnyConnect Premium Peers : 250 perpetual AnyConnect Essentials : 250 perpetual Other VPN Peers : 250 perpetual Total VPN Peers : 250 perpetual Shared License : Disabled perpetual AnyConnect for Mobile : Enabled perpetual AnyConnect for Cisco VPN Phone : Enabled perpetual Advanced Endpoint Assessment : Enabled perpetual
So I should be OK now to use DAP. In looking at the options for DAP for GP assignment, it still seems to only support AD group membership as a way to assign ASA VPN Group Policies (Attribute ID: memberOf). Again to use this I would still need to create multiple AD groups, (as in if user A is part of group A and group B then assign policy A, but if they are just part of group B assign policy B). This will work but requires multiple AD groups configured on domain controllers to work which I was hoping to avoid. Is there no way to just assign a policy based on username? I don't see it in ASDM for DAP configuration.
On a side note, if I now have Anyconnect essentials enabled, what would be the impact to client-based Anyconnect VPN users by turning it off if I now have Anyconect premium licenses available on my ASA. Will they just start using the premium licenses when they connect rather the the essentials licenses. Any impact to the Anyconnect client install portal page? Thanks again for the reply here. Appreciate setting me set straight on this issue.
EDIT: Looking through the link you provided, it seems that DAP takes the place of ASA tunnel groups and group polices. I'll look into the use of DAP some more. Thanks for the link.
... View more
We currently have Anyconnect (client based) up and running on our ASA 5515X running 9.5(1). I am using AD LDAP for authentication and have LDAP attribute maps setup and assigned to our LDAP server config on the ASA. Like many we use these maps to allow the ASA to assign a particular group policy to a user based on AD group membership. I basically have a group in AD for regular VPN users and a group in AD for Admin VPN users. This works pretty well however there are instances where the particular user profile tied to the 'Regular VPN Users' group policy does not work for all users in that AD group. I was trying to find a way to tweak the settings for certain users based on username. Say user A needs VPN establishment from an RDP session, but I don't want every user to have that so I would assign a different group policy\user profile to user A based on AD username which would allow VPN from an RDP session. The remainder of users would still be blocked from allowing VPN from RDP. Here is my basic LDAP attribute map:
ldap attribute-map <map-name> map-name memberOf Group-Policy map-value memberOf "LDAP path" <AnyConnect Group Policy name> map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
Now what I could do here with the config above I think is create a new group policy on the ASA for a certain group of users and then create a new map-value with a new LDAP path which would point to a new group in AD, say 'RDP VPN Users'. I would then add the users I want specific Anyconnect group policies\user profiles assigned to to that particular AD group. But the issue is I would prefer not to have to create so many groups in AD.
What I wanted to know is if there is a way to have an LDAP attribute map value path to a certain AD username somehow. Like if the LDAP path was something like "CN=<username>,OU=users,DC=<domain>,DC=<name>". This way I could assign a group policy to the majority of users in the 'Regular VPN Users' AD group, but then assign a different policy to certain users that need slightly different settings. Would that allow me to match on a certain user and not on an AD group? Does the group-policy cisco-attribute-name treat a user as though it were an AD group? I would guess no but not sure. I looked through the list of cisco-attribute-names but did not see anything that seemed like it worked for AD usernames.
Also if anyone knows a better way to achieve this please let me know as I am open to suggestions. Hopefully this makes sense. Thanks in advance to the community for the help.
... View more
So we currently have an ASA 5515-X Failover pair running at one of our sites. This serves as a VPN gateway for our users. I am in the process of migrating users from the old Cisco VPN client to the newer Cisco Anyconnect client. I have anyconnect setup and working. I discovered during this process that in order to support TLS 1.1 and up using the Anyconnect client, you would need to use the newer Anyconnect 4.0 client. In order to use this client, you need to have something called an 'Anyconnect Plus' license which I think was a recent change back in 2014. We currently have the Anyconnect Essentials license installed on the ASA pair. I found out that not only is there an upgrade license available to upgrade to Anyconnect Plus, but the Anyconnect Plus license is subscription based now. Boo Cisco. But thats another discussion.
I went ahead and reluctantly purchased the upgrade license to upgrade to Anyconnect Plus. I am trying to understand however the affects of installing this license in terms of the current VPN functionality. We currently offer the following VPN options for our users:
RA IPSEC (IKE v1via old client)
RA IPSEC (L2TP via Windows client)
SSL (Anyconnect 3.0)
We also use a P2P IPSEC tunnel (IKEv1 PSK) between two sites to serve as a backup link when our primary site to site link fails.
So would anyone know what the affect on current VPN functionality would be when installing my upgrade license? Does it disable older IPSEC IKEv1 functionality? As I said I would like to migrate users to the newer platform but need the older client to still work until that can be done. I have this in my configuration currently:
What happens to that command when I apply the new license?
Appreciate any help here. Thanks.
... View more
Greetings forum. So I am working on a project that could potentially make use of PVLANs to isolate some hosting servers we are possibly going to bring online in the coming weeks. We currently have Catalyst 4507R switches as the core at our DC running IOS version 15.0(2)SG7. We are using SVIs for Inter-vlan routing on the 4507Rs. We are running VTP version 2 currently. I am trying to lock down some answers with regards to running PVLANs in my environment. Any help here is much appreciated. I have read that to run PVLANs, you need to put your switches in transparent mode before enabling PVLANs. The thing I am not sure on is why. Do they say this because only VTP version 3 supports the synchronization of PVLANs in the VTP domain, and without version 3 your PVLANS will not be propagated, or is there an another reason to put your switches in transparent other than this. I understand that without v3 I would have to manually configure the PVLANS on my switches that would needs them. Just trying to understand if thats the reason they say to put VTP in transparent mode before implementing PVLANS or if there is something else to it I am missing. Can I run PVLANs using VTPv2 and manually configure the PVLANs on the switches that need them? Secondly, in order to switch to using VTPv3 from VTPv2, are there any gotchas I need to be aware of. I have two VTP servers in my VTP domain. I understand VTPv3 works differently with regards to VTP updates. When I change to version 3, will the current VLAN Database be overwritten causing me to loose my current VLANs, or will the current VLANs stay as is while I go about switching all my switches to VTPv3. Would like to avoid wiping out my network if possible. Third, I have a VMWare ESX setup. These new hosts will be VM servers. We do not have a license to support the Distributed VSwitch which allows PVLAN support for ESX VMs. These VMs are running on a Dell M1000e chassis with Cisco WS-CBS3130G-S switches in it. They have limited support for PVLANs. We have VLAN trunk uplinked to our core switches from these blade switches, and then trunk to the VMWare standard switch so we can control VLAN placement of the VLAN hosts. Looks like this: 4507R---------------->WS-CBS3130G-S----------->VMWareStandardSwitch--------->VMWare Guests Trunk Trunk Access I believe there is some way to set up using PVLANs using a setup like this. I think using an isolated PVLAN trunk port. The Blade switch does not seem to support that feature (running 12.2(40)EX1). This is said to be the desired practice when you have upstream switches which do not support PVLANs. Since my VMWare switch does not support them, but the switch linking the core to the vswitch does somewhat I am trying to understand the issues that would be seen there. Again lots if questions. Any help would be much appreciated.
... View more
Greetings to the forum. Let me start by admitting I am way behind here on deploying IPv6. I tried to get this moving last year but other projects were in front. Now its being requested so I am starting on a deployment plan for our network. I would like some general guidance on the use of some of the standard IPv4 tools and how to implement them with IPv6 versions. I have been doing significant amount of reading on the subject and am trying to nail down some best practices with regards to deploying IPv6. First a little background. We have two sites: A collocated DC with most of our servers and networking gear and an office site connected via redundant 200Mbps Ethernet L3 links. At each site we have twin Core switches (4507R at colo site and 3750E series at the office). Using the typical multi-vlan for traffic segmentation at each site, with VLAN interfaces using HSRPv1. We use OSPF as our IGP (single area). We do not have any EGP as we just default route out of Cisco ASA's to our providers at each site (each site has its own Internet connection). The ASAs at the colo serve VPN connections for remote users and I redistribute the VPN host routes into OSPF for the VPN clients connectivity to our office site over VPN. The firewalls at each site also inject their default routes into OSPF. We use typical DHCP relay on the vlan interfaces. So we want to continue supporting IPv4 and will run both IPv6 and v4 dual stack. I have a /48 IPv6 allocation from our Colo provider. So again would like some guidance on the best way to deploy IPv6. Specifics are as follows: 1. I have read that OSPFv3 is required to support IPv6. Should I run my existing OSPFv2 for existing v4 routing and run OSPFv3 for v6 or just run OSPFv3 for both using the address family feature 2. My switches all with the IP Services license or the Enterprise Services (4507R) do not seem to be able to do the OSPFv3 Address Families (router ospfv3 1 address-family ipv4)to use the same OSPF version for both protocols. I could not find any reference to the Address Families in the feature navigator for these switches. Anyone know if this is available for these. 3. We need to use HSRPv2 to support IPv6. I think v2 uses a different Multicast Address. Can I just add the command 'version 2' in the HSRP config without affecting my current v4 HSRP configurations and then add another HSRP group for the v6 addressing? Could it be that simple? 4. The issue of v6 NAT still seems to be hotly debated. I like NAT for what it can do for you when it comes to renumber time, not so much for any sort of security mechanism. Since we are at a colo a renumber is never out of the realm of possibility. I was going to roll with no NAT but just would like to get comments from others about what they think. I am just not sure either way. 5. My provider gave me a small allocation for the outside interface of my ASA. What I was going to do was not run NAT between the outside and inside interfaces, assign an IP out of my routed v6 allocation to the INSIDE interface, default route to the provider gear via the outside interface and small v6 allocation network, and then place an outside v6 ACL on the outside interface. Hosts on the inside interface would connect to the Internet using their assigned address from my v6 allocation and there would be no NAT. Does anyone see any reason this would not work? I am using v4 NAT so was wondering if it would be an issue to run NAT for v4 but not for v6? As always thanks in advance for your help.
... View more
Thanks for the reply. I understand normally you would want have the hostnames match to get the cert warning to go away. What I was wondering is if you could tell the ASA to use something other than the hostname for matching. My devices hostnames are based on function/location etc. I don't really want to give that away to users by having them connect to some cab01-asa-10.domain.com URL. I would prefer to not change the hostname either to match the URL I give users just to support this functionality. The wildcard cert works if I set up local host entries on my machine for the hostname of the device so I know changing the hostname will fix the issue. Would like to avoid that if possible. Does anyone know if I change the hostname do I need to do anything with the cert/trustpoint already configured to get it to work? Maybe reload the cert for use with the new hostname? Thanks again for the reply.
... View more
Greetings, Setting up WebVPN for ASA5515X. Everything works as designed except I am getting security warnings when initiating connection. Something to the effect of: Untrsted VPN Server Blocked I use a Netsol issued Wildcard Certificate. It been imported with the keys and the cert chain. Seems when I connect to the ASA using SSL VPN I have to connect using the hostname and domain name configured on the ASA for it to not throw security warnings. Is there some way to tell the ASA to match using something other than the configured local hostname and domain so I can stop these warnings? Thanks in advance.
... View more
OK I tired a few tracer expirements and it seems that the order of operations is different depending on the traffic flow: packet-tracer input outside tcp 12345 www Phase: 1 Type: UN-NAT Subtype: static Result: ALLOW Config: object network host-int nat (inside,outside) static host-ext dns Additional Information: NAT divert to egress interface inside Untranslate x.x.x.x/80 to 10.10.x.x/80 Phase: 2 Type: ACCESS-LIST Subtype: log Result: ALLOW Phase: 2 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group outside-in in interface outside packet-tracer input inside udp 10.10.10.20 12345 22.214.171.124 53 Phase: 1 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 0.0.0.0 0.0.0.0 outside Phase: 2 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group inside-out in interface inside access-list inside-out extended permit udp object-group dc-int any eq domain object-group network dc-int description: Internal Domain Controllers network-object object dc1 network-object object dc2 Additional Information: Phase: 3 Type: NAT Subtype: Result: ALLOW Config: object network server-int-net nat (inside,outside) dynamic server-public Additional Information: Dynamic translate 10.10.10.x/12345 to x.x.x.x/12345 So it seems going inside to outside its acl---->nat and going outside to inside its nat----->acl. So this explains why using the private addresses in the outbound ACL works. Understood it depends on the configurations in place. I added the inside/inbound list back as I had it originally and the trace output is what I see. Love the packet-tracer command. Very useful stuff. Thanks again for the help to an ASA noob.
... View more
OK thanks for checking this. I'll just configure the addresses as I have them in the original PIX configuration. Thats what I started doing in the first place but then thought I would check with the experts on if I needed to do what is proposed in the post. Thanks again for checking this.
... View more
Yes the sorry for the confusion. As listed in the example, the ACL is affecting traffic coming into the inside interface from internal networks that is destined for the External interface. I should have been more clear. With traffic from outside to inside, the ACL needs to have the real IP in the ACL as NAT occurs first and then the ACL is applied which is different than it used to be. My thinking was that since the ACL I am talking about affects traffic flows from the inside (inbound to inside interface) to the outside interface, I would need to again allow the public address in the ACL as the source address would be changed when going to the outside interface since nat would occur first and then the ACL is applied. So the source addresses would be public since NAT has already occurred and then the ACL would be applied. Am I missing this. Sorry for being dense. Trying to get my head around the new operations rules with ASA. Thanks for all the replies.
... View more
Greetings all. My company just purchased some new ASA 5515CX firewalls which I am working on deploying. These are replacing some aged Pre 8.3 PIX 515E firewalls so I am in the process of manually converting the configuration over to the new 9.x codebase. I want to confirm the syntax of an outbound ACL for the new post 8.3 commandset. So current on the PIX firewalls I have an ACL on the inside interface which controls traffic destined to the Internet. Here is an example of one of the lines in the ACL and supporting configurations: access-list inside-out remark DCs to any for DNS access-list inside-out extended permit udp object-group dc-int any eq domain access-list inside-out extended permit tcp object-group dc-int any eq domain object-group network dc-int network-object dc1-int 255.255.255.255 network-object dc2-int 255.255.255.255 name 10.10.x.x dc1-int name 10.10.x.x dc2-int access-group inside-out in interface inside So now these hosts will be getting natted to a public address outbound. With the new order of operation rules in 8.3+ will I think I need to create ACLs that use the natted source address in them instead of the private address as I have now. Something like this: access-list inside-out remark DCs to any for DNS access-list inside-out extended permit udp object-group dc-ext any eq domain access-list inside-out extended permit tcp object-group dc-ext any eq domain object-group network dc-ext network-object dc1-ext 255.255.255.255 network-object dc2-ext 255.255.255.255 object network dc1-ext host x.x.x.x object network dc2-ext host x.x.x.x My point here is that in the ACL I need to use the natted source address (the address which the internal private source address will be changed to going out) instead of the private source address like in the pre-8.3 code. Can anyone confirm this for me please or set me straight? Thanks in advance NewtoASA
... View more
Anyone......I have a hard time believing this has never come up before. I know the Barracuda devices can do this somehow. Again, I am not at all familiar with Ironport gear so I am at a disadvantage here. Any help would be great. Thanks.
... View more
Thanks for the reply. I should have been more clear. So for connections inbound from Internet clients, it seems the source IP is that of the C170 from the perspective of the Email server. Connection path would look like this: client-------->C170--------->Email Server For these connections, when the connection goes from the C170 to the Email server, the source IP is changed from that of the client, to that of the C170 because I believe the connection is actually being proxied. I would like to know if there is some configuration that would allow the source IP (in this case the clients source IP) to be preserved when the connection is sent to the Email server. Some sort of transparent proxy option perhaps? I really do not know anything about this C170 device, but things I read do not seem to indicate there is a way to do this. Just trying to see if anyone can confirm. Thanks.
... View more
All, We have a customer using an Ironport C170 Email firewall device. It seems the Ironport proxies Email traffic to the configured MTA using its own source IP instead of the client IP address. This is causing an issue for our customer as they need to be able to filter and do some post processing based on source IP. I am totally unfamiliar with the Ironport series as we do not use them here and searches do not reveal a way to have the Ironport preserve the source address. Could anyone more familiar with this device enlighten me on if source preservation is possible with this. Seems to be a true proxy device so I am not sure there is a way but thought I would throw it to the experts to be sure. Thanks in advance for replies.
... View more