Sheraz was on the right track. The dumb switch attached to 1/3 couldn't do VLAN tagging, nor could any directly connected wired clients. So I changed the config to drop VLAN103 and assign the IP directly to the 1/3 interface. Everything working smoothly now.
I swear this sub interface used to give out addresses from this pool without issue. Something got wrecked though. Here's the interface + sub interface config:

interface GigabitEthernet1/3
no ip address
ip address 10.100.100.1 255.255.255.0

Here's the pertinent dhcp config:

dhcpd address 10.100.100.3-10.100.100.25 insideSonos
dhcpd dns isp.dns.1 isp.dns.2 interface insideSonos
dhcpd lease 604800 interface insideSonos
dhcpd enable insideSonos

Trial and error previously led me to think it was necessary to disable call-home to get dhcpd to work properly; not 100% convinced this is necessary now. Related to this, had executed:

no service call-home
clear configure call-home

The physical port here will have a dumb switch wired in, so not 100% this NAT config is necessary either. Had configured:

object network Sonos
subnet 10.100.100.0 255.255.255.0
object network Sonos
nat (insideSonos,outside) dynamic interface

Finally, had defined a catch-all ACL for the interface via access-group:

access-list ForVLAN103 line 1 extended permit ip any any
access-group ForVLAN103 in interface insideSonos

Whether via link runner, client directly wired into port 1/3, or dumb switch wired into port 1/3, clients do not get a DHCP address. tcpdump on the wired-in client shows no inbound bootpc/DHCP frames whatsoever...despite the outbound discover frames from 0.0.0.0 ==> 255.255.255.255.

dhcpd state appears correct:

asa5506x# show dhcpd state
Context Configured as DHCP Server
Interface insideSonos, Configured for DHCP SERVER

dhcp statistics are very uninteresting. dhcpd bindings...well there simply aren't any. Necessary DHCP processes appear to be running on the ASA:

asa5506x# show processes | include dhcp
Mwe 0x000055e7be3f66a4 0x00007fa6569cadb8 0x000055e7c5bb4060 47 0x00007fa6569c3030 30896/32768 dhcp_daemon 223
asa5506x# show processes | include DHCP
Msi 0x000055e7be4193b2 0x00007fa6569d5e38 0x000055e7c5bb4060 14 0x00007fa6569ce030 31776/32768 DHCPRA Monitor 222
Mwe 0x000055e7be3f198c 0x00007fa6569e0ec8 0x000055e7c5bb4060 9 0x00007fa6569d9030 31872/32768 DHCPD Timer 221
Msi 0x000055e7be41ac85 0x00007fa65768ae98 0x000055e7c5bb4060 8 0x00007fa657683030 30128/32768 DHCP Network Scope Monitor 75

I think I'm executing a packet-tracer that should shed light on the behavior:

asa5506x(config)# packet-tracer input insideSonos udp 0.0.0.0 bootpc 255.255.2$
Subtype: Resolve Egress Interface
found next-hop 255.255.255.255 using egress ifc identity
output-interface: NP Identity Ifc
Drop-reason: (acl-drop) Flow is denied by configured rule

Please correct me if this syntax is not useful here. Scratching my head. Not sure why clients can't get an address. What did I configure incorrectly?
My main misunderstanding is that 'access-list <name> extended' implies that additional ACL statements with the same <name> append to the overall ACL. Sigh. So...appending a 'permit ip any any' to the end of the ACL that is applied via an access-group to the interface in question allows outbound traffic from a client on the VLAN in question and fixes the traffic flow problem. Also, 'packet-tracer' is very helpful in debugging this issue.
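An added model of the ACL behaviour described in this post (example code written for this page, not ASA code or the poster's): ACEs sharing a name append in order, the first match wins, and a packet that matches nothing hits the implicit deny. The DNS server hosts come from the post; the Lesser-VLANs prefixes, the client address and the 203.0.113.5 web server are assumed.

```python
import ipaddress

# Added model of ASA extended-ACL evaluation, not ASA code: ACEs that share a
# name append in order, the first match wins, and anything that matches no
# ACE hits the implicit deny at the end of the list.
VLAN100_DNS_SERVERS = ["10.0.20.80/32", "10.0.20.19/32"]      # from the post
LESSER_VLANS = ["192.168.20.0/23", "172.16.20.0/23"]          # assumed: VLANs 101/102

def ace(action, proto, src, dst, dport=None):
    """One access-list entry; 'ip' as proto matches any protocol."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def _in_group(group, ip):
    """'any' matches everything; otherwise ip must fall in one of the prefixes."""
    if group == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in group)

def evaluate_acl(acl, pkt):
    """Return (action, line) for the first matching ACE, or ('deny', None)
    when the packet falls through to the implicit deny."""
    for line, a in enumerate(acl, start=1):
        if a["proto"] not in ("ip", pkt["proto"]):
            continue
        if a["dport"] is not None and a["dport"] != pkt["dport"]:
            continue
        if _in_group(a["src"], pkt["src"]) and _in_group(a["dst"], pkt["dst"]):
            return a["action"], line
    return "deny", None

# The ACL as first applied: only DNS to the VLAN 100 servers, like AllowDNStoVLAN100.
DNS_ONLY = [
    ace("permit", "udp", LESSER_VLANS, VLAN100_DNS_SERVERS, 53),
    ace("permit", "tcp", LESSER_VLANS, VLAN100_DNS_SERVERS, 53),
]
# The fix from the post: a third ACE with the same name, appended after the DNS ones.
DNS_THEN_ANY = DNS_ONLY + [ace("permit", "ip", "any", "any")]

# Constructed sample flows from a VLAN 101 client.
DNS_QUERY = {"proto": "udp", "src": "192.168.20.10", "dst": "10.0.20.80", "dport": 53}
HTTPS = {"proto": "tcp", "src": "192.168.20.10", "dst": "203.0.113.5", "dport": 443}

if __name__ == "__main__":
    for name, acl in (("DNS_ONLY", DNS_ONLY), ("DNS_THEN_ANY", DNS_THEN_ANY)):
        for label, pkt in (("dns", DNS_QUERY), ("https", HTTPS)):
            print(f"{name:12} {label:5} -> {evaluate_acl(acl, pkt)}")
```

Once 'permit ip any any' is the last entry, the DNS entries above it no longer restrict anything; they only decide which line a DNS flow is counted against.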
I thought I had this sorted out earlier today but...not so much. Deploying a Cisco ASA 5506-x as firewall/router. Trying to accomplish some smarter VLAN'ing to segment traffic on my office/home network. Core switch is Cisco 3560cg. There's some other dumb, PoE switches and a Cisco 2960c further downstream.

I have 4 VLANs - 100 = 10.0.20.0/22, 101 = 192.168.20.0/23, 102 = 172.16.20.0/23, and 103 = 10.100.100.0/24. 100 is most secure on the ASA at level 100. 101 and 102 are at level 80. Lastly 103 is at 50. (VLAN 103 is mostly inconsequential b/c it bypasses my switched network.)

I'd like clients on VLANs 101 and 102 to rely on DNS servers that exist on VLAN 100. I feel I've tried to accomplish this DNS ACL on the ASA via...
- individual destination hosts
- named interfaces
- multiple services
- just udp / port 53
- object-group of source VLANs
- object destination network
- Etc. etc.

I'll post the whole ASA config as well but the pertinent config for this issue in the current semi-broken deployment is:

object-group service DNS
description DNS over tcp & udp
service-object tcp-udp destination eq domain
object-group network Lesser-VLANs
description Network object group for VLANs 101 & 102
network-object object HomeFamily
network-object object Testing
object-group network VLAN100_DNS_Servers
description iMac5k, iMac27 DNS Server group
network-object host 10.0.20.80
network-object host 10.0.20.19
access-list AllowDNStoVLAN100 extended permit object-group DNS object-group Lesser-VLANs object-group VLAN100_DNS_Servers
access-group AllowDNStoVLAN100 in interface insideHomeFamily
access-group AllowDNStoVLAN100 in interface insideTesting

Adding the access-group config instantly makes DNS lookups to 10.0.20.80 / 10.0.20.19 from a client on VLAN 101 or 102 succeed. But doing so renders that same client unable to send/receive HTTP/HTTPS traffic. Which is...umm...suboptimal. Just looking for clues on how to make this work I hope. The whole, sanitized ASA config is attached. I'm fairly adept at the ASA's VPN setup. But am feeling my way through the network, firewall, & router config. Feel free to make overall suggestions / ask questions / etc. Thanks so much to anyone who cares to take a peek and comment. Appreciate the help.
I have a 5506-X appliance running 9.9(2) software. Have been struggling to get IKEv2 support for native Apple clients working...macOS first then will worry about iOS.
At this point *I think* I'm close.
I've defined a custom IPSec IKEv2 proposal that appears to support what macOS wants:
crypto ipsec ikev2 ipsec-proposal AppleNativeClient
 protocol esp encryption aes-256 aes 3des
 protocol esp integrity sha-256 sha-1
I've modified the IKEv2 policies to conform to what macOS offers:
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption aes-256
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 50
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
I've extended the dynamic crypto map to support the 'AppleNativeClient':
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set ikev2 ipsec-proposal AppleNativeClient
(Don't worry, this is a lab deployment...so default configuration is acceptable.) I've defined a new group-policy to support these Apple native clients:

group-policy IKEv2 internal
group-policy IKEv2 attributes
 dns-server value 10.0.20.80 10.0.20.69
 vpn-tunnel-protocol ikev2
 default-domain value int.XXXXXX.net
 address-pools value IPSecIKEv1_IPv4_Pool
Finally, I've modified the 'DefaultRAGroup' for this group-policy...hoping to rely simply on a pre-shared key for starters:
tunnel-group DefaultRAGroup general-attributes
 default-group-policy IKEv2
tunnel-group DefaultRAGroup ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
With the macOS client configured for 'Shared Secret', connection attempts continue to fail. The error message that troubles me most is:
%ASA-3-751020: Local:10.0.20.8:4500 Remote:10.0.21.58:4500 Username:DefaultRAGroup IKEv2 An IPsec remote access connection failed. Attempting to use an NSA Suite B crypto algorithm (AES-GCM/GMAC encryption or SHA-2 integrity) without an AnyConnect Premium license.
I even went so far as to secure a test/temporary AnyConnect Premium license in hopes this might address the issue, no luck. Possibly this message is a distraction...I'm not certain? A little later in the debug, I see:

IKEv2-PROTO-4: (19): Processing IKE_AUTH message
IKEv2-PROTO-2: (19): Failed to find a matching policy
IKEv2-PROTO-2: (19): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 2: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 3: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 4: AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 5: 3DES SHA96 Don't use ESN
IKEv2-PROTO-2: (19): Failed to find a matching policy
IKEv2-PROTO-2: (19): Expected Policies:
IKEv2-PROTO-2: (19): Failed to find a matching policy
IKEv2-PROTO-4: (19): Sending no proposal chosen notify
Possibly this is more illustrative of the connection problem...again, not certain. I'm definitely faking my way through this so any help the community can offer would be much appreciated. Thanks in advance.
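An added helper (example code for this page, not ASA code or the poster's) that parses the 'Received Policies' lines from the debug above and checks each ESP offer against the AppleNativeClient proposal by algorithm name; the mapping from the debug's labels (AES-CBC-256, SHA96, ...) to ASA CLI keywords is an assumption. It shows that all five offers match on names alone while the debug's 'Expected Policies' list is empty, so the mismatch the ASA reports is not explained by the algorithm names themselves.

```python
import re

# Added helper, not ASA code: parse the ESP proposals in "debug crypto ikev2"
# output and check each one against an ASA ipsec-proposal by algorithm name.
# The mapping from debug labels to ASA CLI keywords is an assumption made here.
ENC_NAMES = {"AES-CBC-256": "aes-256", "AES-CBC-192": "aes-192",
             "AES-CBC-128": "aes", "3DES": "3des"}
INTEG_NAMES = {"SHA256": "sha-256", "SHA384": "sha-384", "SHA512": "sha-512",
               "SHA96": "sha-1", "MD596": "md5"}

# The AppleNativeClient proposal as configured in the post.
ASA_PROPOSAL = {"encryption": {"aes-256", "aes", "3des"},
                "integrity": {"sha-256", "sha-1"}}

# Debug lines quoted from the post.
DEBUG = """IKEv2-PROTO-2: (19): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 2: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 3: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 4: AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 5: 3DES SHA96 Don't use ESN
IKEv2-PROTO-2: (19): Expected Policies:
IKEv2-PROTO-2: (19): Failed to find a matching policy"""
PROPOSAL_RE = re.compile(r"ESP: Proposal (\d+): (\S+) (\S+)")

def parse_debug(text):
    """Return {'received': [...], 'expected': [...]} of (number, enc, integ)
    tuples; 'received' is what the peer offered, 'expected' what the ASA had."""
    sections = {"received": [], "expected": []}
    current = None
    for line in text.splitlines():
        if "Received Policies:" in line:
            current = "received"
        elif "Expected Policies:" in line:
            current = "expected"
        elif current and (m := PROPOSAL_RE.search(line)):
            sections[current].append((int(m.group(1)), m.group(2), m.group(3)))
    return sections

def acceptable(offers, proposal):
    """Numbers of the peer offers whose encryption and integrity algorithms are
    both listed in the ASA proposal; an empty list means NO_PROPOSAL_CHOSEN."""
    return [n for n, enc, integ in offers
            if ENC_NAMES.get(enc) in proposal["encryption"]
            and INTEG_NAMES.get(integ) in proposal["integrity"]]

if __name__ == "__main__":
    parsed = parse_debug(DEBUG)
    print("offers AppleNativeClient accepts by name:", acceptable(parsed["received"], ASA_PROPOSAL))
    print("proposals the ASA listed as expected:", parsed["expected"])
```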
There may be an underlying issue with my config. Here's what I'd like to accomplish with EAP-TLS -
- client presents certificate
- ACS looks at, say, SAN mail and tries to match a value in AD - success/fail
- ACS looks at, say, Subject and tries to match a value in AD - success/fail
- Etc. etc.

Perhaps I need to define these among the Identity Store sequences...
I'm trying to set up an iterative identity policy for EAP-TLS authentication. Basically I'd like one rule to be tested, then based on the result either proceed to authorization policy evaluation or go to the next identity policy rule. For example, I have a certificate with no SubjAltName values and a dNSHostName in the subject, issued by a Win2008 R2 CA. I'm actually expecting identity matching to fail for this particular certificate, by the way.

I have a list of cert-auth based identity policies, each tied to a unique certificate authentication profile. Resembles something like this -
- use SAN 'other name' value from certificate
- use SAN 'mail' value from certificate
- use all SAN values from certificate
- use Subject value from certificate
- use Common Name value from certificate

Each policy rule matches 'EAP-TLS' as the eap auth method and 'x509_PKI' as the auth method. I've tried re-arranging the order of the identity policy rules. I've also tried altering the values for the Advanced Options (continue vs. reject vs. drop) if auth fails, user not found, or process failed. Regardless, I find that for the certificate in question identity policy evaluation never goes past the 1st rule. In the case of the no SAN / dNSHostName subject certificate, identity policy evaluation essentially stops b/c 'principal username attribute is missing in client certificate'. While I expect this to happen, my expectation is that the identity policy evaluation process will go on to rule #2. However it does not. It's very possible that I'm defining these policies incorrectly. Hopefully someone can lend some guidance. Thanks.
In both my own lab environment and a customer's environment, I'm finding that Microsoft OCS/Lync based video calls fail when the remote Mac OS X client machine is attached to a VPN tunnel via either the built-in Cisco IPSec vpn client or the AnyConnect vpn client. This forum posting leads me to believe the issue is with a lack of support for STUN in the ASA, current version I have running is 8.4(1) - https://supportforums.cisco.com/message/3206916#3206916 Can anyone in the community or from Cisco corroborate this for me? I'd sure appreciate it. Thanks so much.
Just looking for some real-world background information on these very generic questions. If you employ AES-256, why do you choose it over 3DES (or any other method for that matter) for IKE Policy encryption? If you employ Perfect Forward Secrecy, why do you choose to enable it?
Thanks for the reply and confirmation Nagaraja, appreciate it. Let me make sure I understand what you're saying...I'm a bit of a rookie working with Cisco hardware.

> Yes, you can configure only one interface (you can call it inside or outside, doesn't matter) and terminate the VPN connection on that.

The ASA is wired up on Ethernet 0/1. I'm going to refer to the interface as 'inside' & it has an IP of 10.0.20.47 on my LAN. The Netscreen device maps UDP 4500/500/10000 from the private IP to the public IP 72.214.13.XX.

> You need to make sure that -
> 1. Proper NAT is configured for the VPN traffic to exit out of the firewall and access your internal resources.
> 2. You need to configure "global (outside) 1 interface" followed by "nat (outside) 1 0.0.0.0 0.0.0.0".
> 3. Or if you are not intending to use NAT, then "nat (outside) 0 0.0.0.0 0.0.0.0".

Honestly, I don't know that NAT will be necessary. So in my case, use 'inside' instead and execute similar commands from CLI?

> 4. You have enabled "same-security-traffic permit intra-interface" command on the firewall

Interesting, I'll look up the equivalent action in ASDM as well.

> 5. You have configured your outer firewall such that all IPSec traffic is entering without any modifications.
> 6. You have one-to-one NAT configured for the ASA IP on the outer firewall.

I believe 5 & 6 are accomplished already, see above statement about mapping UDP ports.

> 7. ASA has proper routing information so it can talk to internal hosts as well as external devices.

How might I verify whether this is done or not? Thanks again.
I have a feeling I'm trying to bypass the primary functionality of an ASA..but might as well pose the questions. I've got an existing home-office lab network that relies on a Netscreen device as the firewall, using it to map a variety of lab servers/services to the public netblock I have from my ISP. I am installing the ASA for two reasons - testing IPSec VPN & testing SSL VPN. I was hoping to configure up only an 'inside' network interface on the ASA for the home-office/lab network, map the private IP to an available public IP via the Netscreen, and then configure firewall policy on the Netscreen to allow the necessary ports/protocols for IPSec VPN/SSL VPN. Every piece of documentation I'm finding seems to indicate that the ASA's 'outside' interface has to be configured on a different network for, really, any of its features to work. Can someone help me shed some light - is it possible for the ASA to support incoming VPN connections if only an 'inside' interface is configured? I'm just not interested in setting up another firewall (the ASA) or replacing the existing Netscreen. Thanks for your insight.