cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1027
Views
15
Helpful
10
Replies

some management and vpn question

gdy1039
Level 1
Level 1

Hello

 

Sorry to borther you. I have some biginner question don't have idea even read document.

Thanks for your time and help.

 

1. below is my current firewall rule. our vpn come from outside interface. If I would like create ACL to control vpn traffic.

How can I define? There is no rule in outside interface, how data can be passed? I can not decrease allow ip or port range to  control traffic.

I understand cause of security level, outside traffice can not go to inside. So I need to define acls at inside in?

微信截图_20220406153940.png

 

 

2. for ssh management. I have below settings but still can not ssh from allow network.

I try to run crypto key generate rsa modulus 1024, it said alread have key.

below  settings already have.

ssh 10.1.10.0 255.255.255.0 inside
ssh 192.168.103.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh version 2

 

3. I can not create anyconnect vpn through wizard because of not have anyconnect image beside my hand.

What option I have. If I choose a blank txt file to pass this step. what will happen?

微信截图_20220406154735.png

 

10 Replies 10

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html

 

You need to config the VPN to allow management pass through. check link above.

and By default the Traffic is allow from VPN, 
no sysop connection vpn-permit 

disable the default behave.

Hello

 

Thanks for your reply. I found a way to control. Please correct me if this is wrong or not good.

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

reference above link, below acl allow 10.10.10.1 access to  192.168.1.0 23(telnet) port 

1. access-list vpnfilt-ra permit tcp 10.10.10.1 255.255.255.255 192.168.1.0 255.255.255.0 eq 23

2. I create a policy group

policy-group pg_vpnfilt-ra

policy-group pg_vpnfilt-ra attri

vpn-filter vpnfilt-ra

3. set to tunnel-group

tunnel-group tg_vpnfilt-ra attr

default policy-group pg_vpnfilt-ra

 

show vpnsessoindb detail l2l

there is vpn-filte show  acl applied.

 

show asp table filter will show table

show access-list will show traffice hit

 

But below acl from the link, I think it's explain is wrong. it should means source port instead of dest port.

access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23
192.168.1.0 255.255.255.0

 

Marvin Rhoads
Hall of Fame
Hall of Fame

1. To control AnyConnect clients' ability to connect, you need to use a control plane ACL. We seldom see this done though as it is very cumbersome to manager effectively.

2. For your ssh question where are you trying to connect from (your IP address) and what error message do you see?

3. A valid AnyConnect image is required.

Hello Marvin

 

Thanks for reply.

I need to control anyconnect traffic instead of connection. As my another reply, I feel I had got the way.

2. the error is: no any response. not show login prompt.  I am from 10.1.10.119 which is allow network and can ping to firewall.

3. as I see there is anyconnect configuration is working fine on device, but no relate image on device flash. So I assume these configuration is setup by CLI? I manual create group policy, ikev1 connection profile and tunnel-group to archive this. But the result is I can connect but not able to access split-tunnel server. what I should check?

Thank you.

1. Your ACL should specify the protocol, destination host and port that you wish to restrict your VPN client to.

2. Is there any relevant output in the log when trying and failing to connect via ssh?

3. You can create a remote access VPN setup completely within ASDM, from cli or a combination of both. However IPsec IKEv1 has nothing to do with remote access VPN on ASA these days. 95% (or more) of customers use SSL VPN (actually TLS). The other much less common option is IPsec IKEv2.

Hello Marvin

 

below picture what exactly I had do in my GNS test.

未命名图片.png

 

2. how can I check the log and how can I know SSH is listening?

 

3.I am very agree SSL is more modern. I can setup complete SSL VPN OR L2L vpn on Sophos XG within 10 minutes and fortigate within 1 hour but not success on ASA after days hard learning.

my device is  ASA Version 8.6(1)2  ASA5512-K9. Does it support SSL? It even not support TLS 1.2. I don't have other option(hardware), I have to work on it.  As I know ikev2 need license, I am not sure doe it support. I need to check at tomorrow.

Post running config need to mask many information, so I try to settle without post. Would you please let me know if I have better remote access option on my device?

Thank you.

 

GNS is not exactly ASA, even when running ASA image.

You can check listening ports with "show asp table socket". Additionally the ASDM log should have some entries when you try to connect if you have "asdm logging informational" and "logging enable" configured.

I suppose you have no support on your hardware? The ASA version you are running is very very old - like the first one that supported that hardware from ~10 years ago. You are right it won't support TLS 1.2 but any modern ASA code will. It will still support SSL/TLS 1.0 (even though it's not advised to use that since it is deprecated). As far as licensing, ASA supports 2 SSL VPN clients but you still require an AnyConnect image. That version of ASA and software shipped with one - it may have been deleted at some point over the years.

Hello Marvin

 

Thanks for your reply.

before I have test device, GNS3 is my best option. At least it let me understand question1.

 

For question 2, I am asking for live device not GNS3. I can not connect even in same subnet. I mean suppose no layer 2 network rule block me connection.

 

3. There are some anyconnect connection profile is working, I have one msi beside my hand. I can install it and connect success to ASA. Does this is what I am looking for? I see below code in configuration file. If double confirm not found in flash, I can achieve by cli setup?

 

Q4. I manual create group policy, ikev1 connection profile and tunnel-group to archive this. But the result is I can connect but not able to access split-tunnel server. what I should check? Would you mind have some suggestion?

 

webvpn
enable outside
character-encoding gb2312
anyconnect image disk0:/AnyConnect/anyconnect-win-2.5.3055-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/AnyConnect/anyconnect-linux-2.5.3055-k9.pkg 2 regex "Linux"
anyconnect image disk0:/AnyConnect/anyconnect-linux-64-2.5.3055-k9.pkg 3 regex "Linux"
anyconnect image disk0:/AnyConnect/anyconnect-dart-win-2.5.3055-k9.pkg 4 regex "Windows NT"
anyconnect image disk0:/AnyConnect/anyconnect-macosx-i386-2.5.3055-k9.pkg 5 regex "Intel Mac OS X"
anyconnect image disk0:/AnyConnect/anyconnect-macosx-powerpc-2.5.3055-k9.pkg 6 regex "PPC Mac OS X"
anyconnect enable

For ssh please share the output of the command I mentioned already as well as the relevant log messages.

You keep mentioning ikev1. IPsec IKEv1 is only used for the long-discontinued Cisco VPN client (not AnyConnect) or site-to-site VPNs. If you are connecting with AnyConnect check your route details (gear icon of AnyConnect GUI) and make sure you are passing the necessary routes (subnets) for your server to the client.

Hello Marvin

 

Sorry, I may confuse at anyconnect and Cisco VPN client. I think they are same thing. I use Cisco VPN client to connect. I am trying to build VPN for it. I had attach masked running-config. EZVPN_2 is new profile I trying to build. Would you mind read and advise?

Thanks for your value time.

 

below result show SSH is listening, I found my IP will shun by keep ping. But even I clear from shun, I still can not ssh to it and no log show in real-time log viewer. logging level is debugging. I don't know what caus sync attack, but it stopped auto. It should not be the reason. I use a not shun server to SSH, but still fail. In current situation, I am considering some unknown blocking device working in middle.

 

threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics

 

Protocol Socket Local Address Foreign Address State
TCP 000162bf 192.168.103.70:22 0.0.0.0:* LISTEN

 

微信截图_20220408090655.png微信截图_20220408090810.png