OK I figured this out. Sorry for the time waste here netpros. Despite me saying there was not an ACL entry in there that allowed it, there was. The reason the packet tracer worked is because I was not specific enough with the source ports when running it. Only the destination ports. The ACL was to allow VoIP to work with our voice provider and is pretty loose as the provider never could tell me what ports they use. Just wanted a huge range opened. Anyway this is solved and again sorry for the stupidity.
... View more
Have a strange issue here (or what I feel is strange). I have an ASA 5515X series box setup using two interfaces, inside and outside. Using NAT to translate between interfaces. Fairly simple setup. I have a handful of services I allow through the device from outside:some WWW/TLS traffic, email traffic, etc by way of an outside ACL configured on the outside interface. Recently I discovered one of the translated devices had a rogue RDP connection terminated on it from the Internet. The ACL configuration for this device only allowed Email and web traffic to it. Yet there was the RDP connection. I tried connecting to the RDP server off net and sure enough the connection was allowed in. I looked through the ACL to try and figure out how this connection was getting through. I could not find any rule allowing RDP access to this machine in the ACL. I ran packet-tracer to test the connection on the device:
packet-tracer input outside tcp 188.8.131.52 3753 <public NAT IP> 3389
Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule
So testing in packet tracer shows that the traffic should be dropped by the ACL protecting the outside interface.
Yet when I try connecting RDP offnet the traffic bypasses the ACL somehow and gets to the machine:
CAB01-ASA5515X-A# sh conn | i 10.20.50.116 UDP outside 184.108.40.206:56835 inside 10.20.50.116:3389, idle 0:00:18, bytes 147162, flags -
Here is the relevant configuration:
object network mailtest-int host 10.20.50.116 description Internal VDI Workstation Test Mail Server object network mailtest-ext host <public IP> description External VDI Workstation Test Mail Server
object network mailtest-int nat (inside,outside) static mailtest-ext
object-group service mail tcp description Mail Server Ports port-object eq 366 port-object eq 465 port-object eq 587 port-object eq 993 port-object eq 995 port-object eq imap4 port-object eq pop3 port-object eq smtp port-object eq 1000 port-object eq 3000 port-object eq 3101 port-object eq 4069 port-object eq https port-object eq www
access-list outside-in remark Any to Email Test Server for Email Services access-list outside-in extended permit tcp any object mailtest-int object-group mail access-group outside-in in interface outside
So why would the device show the traffic as being dropped in packet tracer but then turn around and allow the traffic through, especially when there is not an ACL entry that allows the traffic. I cannot find a single rule in this ACL that would allow it. Is it possible some kind of connection outbound from the PC is getting reused and allowing RDP inbound bypassing the ACL? If I put a deny rule specifically for blocking RDP traffic in the ACL like so:
access-list outside-in remark Deny RDP access to Email Test Machine access-list outside-in extended deny tcp any object mailtest-int eq 3389
the traffic gets blocked. If I put an explicit catch all deny any any at the end of the ACL the traffic still gets allowed. I don't normally have that rule as the flow of traffic would be from lower security level to higher security level. Firewall is running Cisco Adaptive Security Appliance Software Version 9.9(1). This host and configurations were recently moved from one site to another. The same basic FW configuration for this host was on the original ASA at the original site and this same issue came up there. Same problem. No RDP access allowed but yet it works. Normally I am trying to get traffic through this thing, not the other way around. Not sure whats going on here. Any help is appreciated. Thanks in advance.
... View more
I gave up here and called TAC. It works the way I thought it did in the first scenario. Each host in the ACL can only accept the number of connections configured in the set connection part of the policy. Thanks.
... View more
I got this to work following this thread:
The last post from Fabian L did the trick. This issue for me was that Split-DNS was working, but using IPv6 for doing lookups for IPv6 hosts outside the tunnel. Anyconnect was simply dropping those packets instead of splitting them out because IPv6 was not enabled in the Anyconnect client. I added IPv6 split tunneling using a bogus IPv6 IP block. This allows the Anyconnect connection to know what IPv6 traffic to split out so that the client can make normal local IPv6 DNS queries and thus allow IPv6 connectivity for IPv6 split tunnel clients. Keeps the Anyconnect client from just dropping all IPv6 traffic which would be needed for clients using native IPv6 with their ISPs. Here are the relevant config additions for reference:
group-policy colo-anyconnect-ras attributes
ipv6-split-tunnel-policy tunnelspecified split-tunnel-network-list value colo-ras-split-tunnel
split-dns value domain.com split-tunnel-all-dns disable address-pools value colo-ras ipv6-address-pools value colo-ras-ipv6
ipv6 local pool colo-ras-ipv6 <ipv6 Address Block Goes Here>/80 100
access-list colo-ras-split-tunnel extended permit ip <IPv6 Address Block/80
So this has the effect of allowing IPv6 traffic to selectively traverse the Anyconnect tunnel based on the access list colo-ras-split-tunnel . Now I don't need IPv6 traffic over the tunnel at all, but since I am specifying what should go over it, this has the side affect of telling Anyconnect what traffic should NOT go over it. Anyconnect then splits the traffic out for IPv6 lookups to the Internet for the Anyconnect clients which use native IPv6. Anyway its all figured out. Hope this helps someone else with the same issue.
... View more
Setting up some MPF protections for some of our Internet services. I am using MPF to create a class to match traffic out of an ACL, and then am applying some connection limits and parameters on the traffic specified in said ACL. See the relevant configuration:
class-map webserver-protect-class description Webserver Protection Class used to protect Webservers from DOS attacks match access-list webserver-protection
description Policy to control and protect Internet Services
class webserver-protect-class set connection conn-max 300 embryonic-conn-max 20
access-list webserver-protection extended permit tcp any object-group web-servers-int object-group web
So the ACL just lists a group of destination hosts and services using object-groups. What I am trying to determine is with the above MPF configuration, are the conn-max limits I am imposing going to be set for each host listed in the ACL, or are the limits the total limits for all hosts in the ACL? So for example if I match 10.10.10.5, 10.10.10.6, 10.10.10.7 for WWW connections in the ACL, and impose a 300 conn-max in the MPF policy, does the conn-max apply to 10.10.10.5, 10.10.10.6, and 10.10.10.7 for WWW traffic individually such that each host has a conn-max of 300, or is the 300 conn-max setting a 300 connection total for all of the 10.10.10.5-7 hosts such that only 300 connections across 10.10.10.5-7 as a total are allowed. In other words, only 300 connections are allowed between 10.10.10.5-7 as a total. I think its the former but when I run the command sh service-policy interface OUTSIDE, it seems to show a total in the output so I want to clarify:
Class-map: webserver-protect-class Set connection policy: conn-max 300 embryonic-conn-max 20 current conns 84, drop 0
In the output is it showing a total of all the hosts in the ACL and the number of connections that are open amongst all of them? Hopefully this makes sense what I am asking. Thanks in advance for any help here.
... View more
Not sure what has happened here but after upgrading my ASA to 9.9.1 from 9.6.3, a global MPF policy I had applied was removed from the configuration. This policy was doing default traffic inspection as well as DNS inspection for use with DNS doctoring. I tried re-applying the policy to the device. The device would take the command but not actually add the command to the configuration. I also use an interface policy for traffic policing and DDOS protection so at first I thought the device was no longer allowing the use of both an interface policy and a global policy together. I tried to shift some of the inspection configurations to the interface policy. I got that to work but noticed that one of the commands I added there would not take. Here is what I had in the global policy:
policy-map global_policy class inspection_default inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect ipv6 inspect icmp
So after moving this inspection config to the interface policy, I noticed that all commands showed in the configuration except for the ' user-statistics scanning ' part. So I removed that from the global policy and re-added the service-policy command to add the global policy to the configuration. This time the device took the command and added it to the configuration. So it seems somewhere between 9.6.3 and 9.9.1, the user-statistics scanning command has been removed or no longer works. With that command as part of the policy-map, I cannot apply the policy and have it stick in the config. The device takes the command and gives no errors but the command does not show in the configuration. Does anyone know if the ' user-statistics scanning ' command has been deprecated? Whats the deal here? Thanks in advance for any help.
... View more
Yes thanks for the reply here. I thought about this some just before seeing your post and it became clear the only way to get this one was in two steps, as you pointed out. I tried converting the PS to exe file and use just that. I could get the file to download, and actually execute, but for some reason the exe did not actually do anything. Worked fine by itself when executing this locally, but did nothing when executed using Anyconnect. Was running but never did anything coded in the original PS script. I just killed it in Task Manager.
I also tried to upload two scripts to the ASA: The batch file I wrote and the PS script I wrote. The thinking here is that this would allow me an easy way to get both scripts downloaded to the local machine for executin. It did just that but seemed to confuse the ASA as to which script needed to be run. The end result is nothing would run so I moved on.
I finally got this working tonight after some throwback Windows batch coding re-education(thank goodness for Powershell is all I can say). For those who are interested here is what I ended up doing.
I created a batch file that connects to a network share, copies down the Powershell script I wrote to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Script using robocopy, and then executes it using the following command:
powershell.exe -ExecutionPolicy Bypass -File "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Script\UserRDP.ps1
Executing the script this way allows you to bypass the configured powershell execution policy on the local machine, allowing the script to run, while not needing to reconfigure the machine at all.
While I would prefer to just have the ASA include PS scripts as a valid scripting option for OnConnect scripts, this current method does work. What is this 1995? Batch scripts really? It also allows me the opportunity to not only download the PS scripts themselves, but also any needed support files (since this script was an interactive forms based script, I included a nice image file in the form which I downloaded as part of my download commands).
Anyway thanks for the replies.
... View more
I was trying to bring up more of a GUI environment for users instead of regular command windows. Where I work, console windows frighten people. So was bringing up a windows form where users can enter some text in the forms box. Stuff like that. More than just the typical net use commands and whatnot.
How would one call a script from another script using the onconnect anyconnect tools? The way I need this to work is to have the script on the ASA, have it downloaded to the local machine, and then executed. I can call a batch file, and execute powershell from the batch calling the powershell exe and the path to the ps script file, but it seems for that to work the PS script file would already need to be on the machine. In my case its not.
So if I were to have a batch file as the onconnect script I run, and in it run powershell.exe -path <path to powershell script to run>, how can I get the powershell file from the ASA to the local client for it to execute. Or when the admin guide says you can call scripts from other scripts, what they mean is that the scripts called from other scripts would need to either be shell commands, or batch files already on the local disk of the VPN client machine. Is there no way I can do the following:
VPNLogin---->Onconnect----->commands.bat---->run powershellscript.ps1. It seems like all you can do with the onconnect scripts is load a single script on the ASA.
There is some sort of PStoexe converter available from MS but have a hard time believing all functionality will still be there in the resulting exe.
Any thoughts here will be appreciated.
... View more
Hello All. Has anyone tried using the onconnect scripting tools for ASA Anyconnect VPNs using Windows Powershell scripts? Trying to deploy a script which starts an RDP session after connecting to the VPN. Script works locally fine, and downloads through Anyconnect, but cannot execute. The issue is that Windows will not run PS scripts from the current directory by default. Need to use .\scriptname.ps1 to get them to run. If anyone knows the trick to getting PS to run via Anyconnect onconnect tools I would appreciate the help. Options are
get anyconnect to run the script using .\ in front of the command or
use a batch file to call the PS script.
I am told you can have scripts call other scripts using the onconnect tools, but have not been able to find a single example of how to get it to work. Thanks in advance for the help.
... View more
Greetings all. So I have an issue with the Split-DNS feature over Anyconnect SSL client based VPN. Running Anyconnect 4.3 with ASA code 9.6(3)1. We use both the split-tunneling and split-dns features to selectively direct network and dns queries to our remote DNS servers and networks. This works fine for most of our users. We are not yet using IPv6 over our VPN setups because we still have too many legacy devices on our network which do not support IPv6 fully.
Some of my users have been experiencing an issue where Split-dns is not working for them. Lookups for names sent over the tunnel using split-dns work fine, but any lookups not sent over the tunnel fail. Meaning that a lookup of host.internaldomain.com work fine, but a lookup of www.google.com would fail. If they disconnect from the VPN, Internet resolution works for them. As a work around I have them disable IPv6 on their network adapter, and then the split-dns feature works perfectly. With IPv6 enabled on their end, split-dns feature stops working. I run IPv6 on my home network and do not have any issues with the split-dns feature and therefore cannot reproduce their problem. When looking at my anyconnect client, I see the following in the information section:
Cisco AnyConnect Secure Mobility Client 4.3.03086 (Fri Jan 12 08:57:58 2018)
Connection Information Tunnel Mode (IPv4): Split Include Tunnel Mode (IPv6): Drop All Traffic
What I am wondering is if because our clients are using "Drop All Traffic" for IPv6, when the trouble users machines try and do lookups outside the tunnel, they use an IPv6 DNS server as configured by their ISP, and because the VPN tunnel is set to drop all IPv6 traffic, the lookup never works because it gets dropped. You can see here in my Windows IPCONFIG output that I have an IPv6 DNS server listed as one of my local resolvers:
DNS Servers . . . . . . . . . . . : 2001:470:X:X::X 172.16.0.20 172.16.0.21
But when I do Internet lookups (lookups outside the tunnel) it works fine with my IPv6 config. Is there some sort of config in the splitdns feature to not do anything with IPv6 name lookups over the tunnel? Any idea on what I have wrong here? I really am not sure why disabling IPv6 on their client machines would have any affect but it does.
Here is my config for split DNS:
group-policy colo-anyconnect-ras attributes wins-server none dns-server value 10.20.20.105 10.20.20.106 vpn-simultaneous-logins 3 vpn-tunnel-protocol ssl-client split-tunnel-policy tunnelspecified split-tunnel-network-list value colo-ras-split-tunnel default-domain value internaldomain.int split-dns value domain.com internaldomain.int domain2.com split-tunnel-all-dns disable address-pools value colo-ras
Any help is much appreciated. Thanks.
... View more
We have an old legacy application which connects to a third party via SSL. The third party provider is limiting connections to using TLS 1.2 beginning in June. Our legacy application can only support TLS 1.0. Upgrading the application seems to be not possible at the moment according to our development team. We use a Cisco ASA 5515X at our border. I was wondering if there was any way to have an ASA 'proxy' TLS sessions for a particular inside host and connect to an Internet host using TLS 1.2 on behalf of the inside host? So something like the inside host (with the ASA as the default route) connects to the ASA outbound, the ASA intercepts this connection, holds it open while connecting to the requested outside host via TLS 1.2. I noticed that the ASA has a TLS proxy of sorts for use with securing VoIP sessions, but I wondered if it could be leveraged here for what I am trying to do. Is there any other way I can have the ASA intercept older TLS sessions and have them be upgraded to TLS 1.2? Thanks in advance for any ideas.
... View more
Thanks for the reply here.Yes agreed that DAP is most likely a better way to go with this. I was under the impression that DAP required an Advanced Endpoint Assessment license to function which I did not have when I originally set this up so I used attribute maps. I have never been sure if that means that you can use DAP for auth parameters (AD group membership for example) and not configure policies that require endpoint assessment (presence of registry keys, etc.), or if that means any DAP configured on here would not work. I just went with attribute maps and moved on.
I had to get a different VPN license to enable higher end SSL encryption (TLS 2.0) recently. When I looked at the license today it seems I now have both endpoint assessment and Anyconnect premium enabled now as a result:
AnyConnect Premium Peers : 250 perpetual AnyConnect Essentials : 250 perpetual Other VPN Peers : 250 perpetual Total VPN Peers : 250 perpetual Shared License : Disabled perpetual AnyConnect for Mobile : Enabled perpetual AnyConnect for Cisco VPN Phone : Enabled perpetual Advanced Endpoint Assessment : Enabled perpetual
So I should be OK now to use DAP. In looking at the options for DAP for GP assignment, it still seems to only support AD group membership as a way to assign ASA VPN Group Policies (Attribute ID: memberOf). Again to use this I would still need to create multiple AD groups, (as in if user A is part of group A and group B then assign policy A, but if they are just part of group B assign policy B). This will work but requires multiple AD groups configured on domain controllers to work which I was hoping to avoid. Is there no way to just assign a policy based on username? I don't see it in ASDM for DAP configuration.
On a side note, if I now have Anyconnect essentials enabled, what would be the impact to client-based Anyconnect VPN users by turning it off if I now have Anyconect premium licenses available on my ASA. Will they just start using the premium licenses when they connect rather the the essentials licenses. Any impact to the Anyconnect client install portal page? Thanks again for the reply here. Appreciate setting me set straight on this issue.
EDIT: Looking through the link you provided, it seems that DAP takes the place of ASA tunnel groups and group polices. I'll look into the use of DAP some more. Thanks for the link.
... View more