04-06-2022 12:50 AM - edited 04-06-2022 01:57 AM
Hello
Sorry to bother you. I have some beginner questions and I don't have any idea even after reading the documents.
Thanks for your time and help.
1. Below is my current firewall rule. Our VPN comes in from the outside interface. If I would like to create an ACL to control VPN traffic,
how can I define it? There is no rule on the outside interface, so how can data be passed? I cannot reduce the allowed IP or port range to control traffic.
I understand that because of the security level, outside traffic cannot go to inside. So I need to define ACLs at inside in?
2. For SSH management, I have the settings below but still cannot SSH from the allowed network.
I tried to run crypto key generate rsa modulus 1024; it said there is already a key.
The settings below are already there.
ssh 10.1.10.0 255.255.255.0 inside
ssh 192.168.103.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh version 2
3. I cannot create an AnyConnect VPN through the wizard because I do not have an AnyConnect image on hand.
What options do I have? If I choose a blank txt file to pass this step, what will happen?
04-06-2022 06:08 AM - edited 04-06-2022 07:37 AM
You need to configure the VPN to allow management pass-through. Check the link above.
And by default the traffic is allowed from VPN;
no sysopt connection permit-vpn
disables the default behaviour.
04-06-2022 06:14 PM
Hello
Thanks for your reply. I found a way to control it. Please correct me if this is wrong or not good.
Referencing the link above, the ACL below allows 10.10.10.1 access to 192.168.1.0 on port 23 (telnet):
1. access-list vpnfilt-ra permit tcp 10.10.10.1 255.255.255.255 192.168.1.0 255.255.255.0 eq 23
2. I create a group policy
group-policy pg_vpnfilt-ra internal
group-policy pg_vpnfilt-ra attributes
 vpn-filter value vpnfilt-ra
3. Set it on the tunnel-group
tunnel-group tg_vpnfilt-ra general-attributes
 default-group-policy pg_vpnfilt-ra
show vpn-sessiondb detail l2l
The vpn-filter line there shows the ACL applied.
show asp table filter will show the table.
show access-list will show the traffic hits.
But for the ACL below from the link, I think its explanation is wrong. It should mean source port instead of dest port.
access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0
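To make the source-port versus destination-port question concrete, here is an added example (not from the original post or from Cisco) that evaluates ASA-style ACEs the way a vpn-filter is applied: the ACE's source is the remote VPN peer or client, its destination is the local network, and the ASA checks the filter bidirectionally, so return traffic is matched with source and destination swapped and anything unmatched is denied. The same mask helper is reused to check which client networks the `ssh` lines from the first post admit. The ACE lines are the ones quoted in this thread; the flows, hostnames and helper function names are constructed for the example.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Ace(NamedTuple):
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


class Flow(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # ASA ACLs use a normal subnet mask (255.255.255.0), not a wildcard mask.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit PROTO SRC MASK [eq N] DST MASK [eq N]'.
    'host A.B.C.D' is accepted as shorthand for a /32. Deny lines and
    'any' are deliberately not handled, to keep the example small."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "permit":
        raise ValueError("only 'access-list NAME permit ...' lines are supported")

    def take_addr(i):
        if tok[i] == "host":
            return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        return _net(tok[i], tok[i + 1]), i + 2

    def take_port(i):
        # 'eq N' is optional; numeric ports only in this example
        if i < len(tok) and tok[i] == "eq":
            return int(tok[i + 1]), i + 2
        return None, i

    i = 4
    src, i = take_addr(i)
    sport, i = take_port(i)
    dst, i = take_addr(i)
    dport, i = take_port(i)
    return Ace(tok[3], src, sport, dst, dport)


def _ace_matches(ace: Ace, proto, sip, sport, dip, dport) -> bool:
    return (ace.proto == proto
            and ipaddress.ip_address(sip) in ace.src
            and (ace.src_port is None or ace.src_port == sport)
            and ipaddress.ip_address(dip) in ace.dst
            and (ace.dst_port is None or ace.dst_port == dport))


def vpn_filter_permits(aces: List[Ace], flow: Flow) -> bool:
    """Bidirectional vpn-filter evaluation with an implicit deny at the end.
    The forward check treats the flow's source as the remote peer; the swapped
    check covers the reply direction of a session the ACE permits."""
    for ace in aces:
        if _ace_matches(ace, flow.proto, flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port):
            return True
        if _ace_matches(ace, flow.proto, flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port):
            return True
    return False


def ssh_allowed(client_ip: str, iface: str, ssh_lines: List[str]) -> bool:
    """True if an 'ssh NET MASK IFACE' line admits client_ip on that interface."""
    for line in ssh_lines:
        tok = line.split()
        if len(tok) == 4 and tok[0] == "ssh" and tok[3] == iface:
            if ipaddress.ip_address(client_ip) in _net(tok[1], tok[2]):
                return True
    return False


# ACEs quoted in the thread; remote-access client 10.10.10.1 is the ACE source.
RA_FILTER = [parse_ace(
    "access-list vpnfilt-ra permit tcp 10.10.10.1 255.255.255.255 192.168.1.0 255.255.255.0 eq 23")]
# 'eq 23' sits after the remote network, so it is a SOURCE port in this ACE.
L2L_FILTER = [parse_ace(
    "access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0")]
# ssh lines from the first post in the thread.
SSH_LINES = ["ssh 10.1.10.0 255.255.255.0 inside",
             "ssh 192.168.103.0 255.255.255.0 inside",
             "ssh 0.0.0.0 0.0.0.0 management"]

if __name__ == "__main__":
    # constructed flows: client telnet to local host, and the reverse direction
    print(vpn_filter_permits(RA_FILTER, Flow("tcp", "10.10.10.1", 51000, "192.168.1.5", 23)))
    print(vpn_filter_permits(RA_FILTER, Flow("tcp", "192.168.1.5", 4000, "10.10.10.1", 23)))
    print(vpn_filter_permits(L2L_FILTER, Flow("tcp", "192.168.1.5", 4000, "10.0.0.7", 23)))
    print(ssh_allowed("10.1.10.119", "inside", SSH_LINES))
```

Running it shows that the remote-access ACE permits the client to reach local port 23 (and the replies), but not the local host reaching the client's port 23 or any other local port, which is the least-privilege effect a vpn-filter is meant to give. For the site-to-site ACE, the swapped check is what lets local 192.168.1.0 hosts open telnet to the remote 10.0.0.0 network, while remote hosts cannot open telnet toward the local side.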
04-06-2022 08:42 AM
1. To control AnyConnect clients' ability to connect, you need to use a control plane ACL. We seldom see this done though, as it is very cumbersome to manage effectively.
2. For your ssh question where are you trying to connect from (your IP address) and what error message do you see?
3. A valid AnyConnect image is required.
04-07-2022 12:56 AM
Hello Marvin
Thanks for reply.
I need to control AnyConnect traffic instead of the connection. As in my other reply, I feel I have found the way.
2. The error is: no response at all, and no login prompt is shown. I am coming from 10.1.10.119, which is an allowed network and can ping the firewall.
3. As I see it, there is an AnyConnect configuration working fine on the device, but no related image in the device flash. So I assume this configuration was set up by CLI? I manually created a group policy, an IKEv1 connection profile and a tunnel-group to achieve this. But the result is that I can connect but am not able to access the split-tunnel server. What should I check?
Thank you.
04-07-2022 02:50 AM
1. Your ACL should specify the protocol, destination host and port that you wish to restrict your VPN client to.
2. Is there any relevant output in the log when trying and failing to connect via ssh?
3. You can create a remote access VPN setup completely within ASDM, from the CLI, or a combination of both. However, IPsec IKEv1 has nothing to do with remote access VPN on ASA these days. 95% (or more) of customers use SSL VPN (actually TLS). The other, much less common option is IPsec IKEv2.
04-07-2022 03:30 AM - edited 04-07-2022 03:34 AM
Hello Marvin
The picture below shows exactly what I did in my GNS test.
2. How can I check the log, and how can I know SSH is listening?
3. I very much agree SSL is more modern. I can set up a complete SSL VPN or L2L VPN on Sophos XG within 10 minutes and on FortiGate within 1 hour, but have not succeeded on ASA after days of hard learning.
My device is ASA Version 8.6(1)2 on an ASA5512-K9. Does it support SSL? It does not even support TLS 1.2. I don't have another option (hardware); I have to work with it. As I know IKEv2 needs a license, I am not sure whether it supports it. I need to check tomorrow.
Posting the running config would need a lot of information masked, so I am trying to settle this without posting it. Would you please let me know if I have a better remote access option on my device?
Thank you.
04-07-2022 05:55 AM
GNS is not exactly ASA, even when running ASA image.
You can check listening ports with "show asp table socket". Additionally the ASDM log should have some entries when you try to connect if you have "asdm logging informational" and "logging enable" configured.
I suppose you have no support on your hardware? The ASA version you are running is very very old - like the first one that supported that hardware from ~10 years ago. You are right it won't support TLS 1.2 but any modern ASA code will. It will still support SSL/TLS 1.0 (even though it's not advised to use that since it is deprecated). As far as licensing, ASA supports 2 SSL VPN clients but you still require an AnyConnect image. That version of ASA and software shipped with one - it may have been deleted at some point over the years.
04-07-2022 08:11 AM
Hello Marvin
Thanks for your reply.
Before I have a test device, GNS3 is my best option. At least it let me understand question 1.
For question 2, I am asking about the live device, not GNS3. I cannot connect even from the same subnet. I mean, presumably no layer 2 network rule is blocking my connection.
3. There are some AnyConnect connection profiles working, and I have one MSI on hand. I can install it and connect successfully to the ASA. Is this what I am looking for? I see the code below in the configuration file. If I double-confirm it is not found in flash, can I achieve this by CLI setup?
Q4. I manually created a group policy, an IKEv1 connection profile and a tunnel-group to achieve this. But the result is that I can connect but am not able to access the split-tunnel server. What should I check? Would you mind giving some suggestions?
webvpn
enable outside
character-encoding gb2312
anyconnect image disk0:/AnyConnect/anyconnect-win-2.5.3055-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/AnyConnect/anyconnect-linux-2.5.3055-k9.pkg 2 regex "Linux"
anyconnect image disk0:/AnyConnect/anyconnect-linux-64-2.5.3055-k9.pkg 3 regex "Linux"
anyconnect image disk0:/AnyConnect/anyconnect-dart-win-2.5.3055-k9.pkg 4 regex "Windows NT"
anyconnect image disk0:/AnyConnect/anyconnect-macosx-i386-2.5.3055-k9.pkg 5 regex "Intel Mac OS X"
anyconnect image disk0:/AnyConnect/anyconnect-macosx-powerpc-2.5.3055-k9.pkg 6 regex "PPC Mac OS X"
anyconnect enable
04-07-2022 08:32 AM
For ssh please share the output of the command I mentioned already as well as the relevant log messages.
You keep mentioning ikev1. IPsec IKEv1 is only used for the long-discontinued Cisco VPN client (not AnyConnect) or site-to-site VPNs. If you are connecting with AnyConnect check your route details (gear icon of AnyConnect GUI) and make sure you are passing the necessary routes (subnets) for your server to the client.
04-07-2022 06:36 PM
Hello Marvin
Sorry, I may have confused AnyConnect and Cisco VPN client. I thought they were the same thing. I use Cisco VPN client to connect, and I am trying to build a VPN for it. I have attached a masked running-config. EZVPN_2 is the new profile I am trying to build. Would you mind reading it and advising?
Thanks for your valuable time.
The result below shows SSH is listening. I found my IP gets shunned by continuous pinging. But even after I clear it from the shun, I still cannot SSH to it, and no log shows in the real-time log viewer. The logging level is debugging. I don't know what causes the SYN attack, but it stopped automatically. It should not be the reason. I used a server that is not shunned to SSH, but it still fails. In the current situation, I am considering that some unknown blocking device is working in the middle.
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics
Protocol  Socket    Local Address        Foreign Address   State
TCP       000162bf  192.168.103.70:22    0.0.0.0:*         LISTEN