23 November 2012

Cisco ASA: Anyconnect - How to source how many users and which users are logged in via Anyconnect?

With standard IPSEC/ISAKMP I am used to running "show crypto isa sa detail" style commands to figure out how many users, and who, are logged into a client VPN session. With AnyConnect the above commands don't work. As AnyConnect is typically configured as an SSL VPN client, you have to use a different set of commands to troubleshoot. The below is for the Cisco ASA product set... there should be something similar for IOS devices.


FW01# show vpn-sessiondb anyconnect 
Session Type: AnyConnect
Username     : bob                Index        : 71
Assigned IP  : 10.0.1.1            Public IP    : x.x.x.x
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Essentials
Encryption   : RC4                    Hashing      : none SHA1
Bytes Tx     : 399272098              Bytes Rx     : 10860313
Group Policy : VPN_CLIENT_POLICY      Tunnel Group : VPN
Login Time   : 09:04:59 EST Fri Nov 23 2012
Duration     : 7h:02m:46s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
[...]
The above shows all active users logged into the SSL VPN client. You get their username, public IP and mapped VPN IP as well as the encryption mechanisms used. Pretty handy.

If you are just after an overview of how many users are connected, the below is a good starting point. When this was captured I had 3 active VPN tunnels in use.


FW01# show vpn-sessiondb          
---------------------------------------------------------------------------
VPN Session Summary                                                      
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :      3 :         20 :           4 :        0
  SSL/TLS/DTLS               :      3 :         20 :           4 :        0
Clientless VPN               :      0 :          4 :           1
  Browser                    :      0 :          4 :           1
---------------------------------------------------------------------------
Total Active and Inactive    :      3             Total Cumulative :     24
Device Total VPN Capacity    :    250
Device Load                  :     1%
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent  
                             ----------------------------------------------
Clientless                   :      0 :          7 :               2
AnyConnect-Parent            :      3 :         17 :               4
SSL-Tunnel                   :      3 :         22 :               4
---------------------------------------------------------------------------
Totals                       :      6 :         46
---------------------------------------------------------------------------
Hope this helps someone. Thanks for reading.

9 November 2012

Cisco ASA - How to allow client VPN access to site-to-site VPN reachable networks? (Hairpin routing)

Hello!

First things first: these were both fantastic resources/guides on how to get this working and I really can't stress this enough, "GO READ THEM FIRST":

The above links pretty much show the "how to get it setup". The below will consider a basic topology as follows:

"SITE-TO-SITE VPN REACHABLE OFFICE" --> "HEAD OFFICE ASA" <-- "REMOTE VPN CLIENT USER CONNECTING TO HEAD OFFICE"

The goal being to allow the VPN client user to reach the site-to-site VPN office via the head office ASA. The main steps to get this working with ASA code 8.4 are:
  • Interesting-traffic ACLs - On the head office ASA, you need to allow the VPN client pool to be considered a source for traffic traversing the site-to-site VPN connection (i.e. adjust the interesting-traffic ACL for the site-to-site VPN). On the VPN router at the remote site-to-site reachable office, the VPN client pool needs to be marked as a VPN-interesting destination network across the VPN. Lastly, in the client VPN configuration on the head office ASA you need to make sure the client pool network is allowed access to the site-to-site VPN reachable networks as well.
  • NAT/NO-NAT statements - These are a bit mind-bending. Essentially, on the ASA side you need a "nat (outside,outside) [...]" statement which says "don't NAT traffic coming in on the outside interface from the VPN client pool going to site-to-site VPN reachable networks". You also need to pay attention to the "(inside,outside)" NO-NAT statements controlling how the internet-facing dynamic overload NAT takes effect. I'll cover this in more detail at the end, as essentially this is the only thing that the above guides lacked...
  • Allowing intra-interface traffic traversal - ASAs by default don't allow "hairpin" routing... this means that if a packet is received on an interface (e.g. outside) and is destined to a network that, according to the routing table, is reachable via the same interface (e.g. outside), the traffic is dropped. As client VPN and site-to-site VPN are both, from the ASA's perspective, reachable via the "same" interface of the ASA (outside), the packets are normally dropped. The command "same-security-traffic permit intra-interface" allows the ASA to process and permit same-interface routing of packets.
Pretty much that is a summarized version of the linked documents. The issue I had twice over the last two days was that the NO-NAT for "(inside,outside)" traffic was taking effect on the hairpinned flow and causing the ASA to log an error along the lines of:
"route lookup failed for host <VPN-CLIENT-IP> outside to <SITE-TO-SITE VPN REACHABLE IP> inside"
Essentially the no NAT rule I had in place doing overall inside to outside processing was as follows:
nat (inside,outside) source static any any destination static NO_NAT NO_NAT  
The NO_NAT object group simply defines all remote networks we don't want to NAT traffic to when traffic goes from the inside to the outside interface. The above config worked fine up until the point I needed the VPN client to hairpin route. Essentially on 8.4 code, "any any" NATs are evil: they take effect regardless of positioning in the rule-set and regardless of whether a packet should logically match another rule above, etc.

The resolution is very easy though:
nat (inside,outside) source static SITE_LANS SITE_LANS destination static NO_NAT NO_NAT
This says that we don't NAT traffic to the NO_NAT destinations unless the source IP is from the site's LAN network ranges.
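The three steps above pulled together as one ASA 8.4 config fragment. This is an added example, not configuration from the original post or the linked guides: the names NO_NAT and SITE_LANS come from the post, while VPN_POOL_NET, REMOTE_LAN, S2S_ACL, OUTSIDE_MAP, VPN_CLIENT_ACL and every address are assumptions.

```cisco
! Added example, not from the original post. Object, ACL and crypto map
! names other than NO_NAT and SITE_LANS are assumptions; addresses are
! constructed for illustration.
!
! --- objects ---
object network VPN_POOL_NET
 subnet 10.1.1.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.50.0.0 255.255.255.0
object-group network SITE_LANS
 network-object 192.168.1.0 255.255.255.0
object-group network NO_NAT
 network-object object REMOTE_LAN
 network-object object VPN_POOL_NET
!
! --- step 1: interesting traffic ---
! The crypto ACL for the site-to-site tunnel must cover the client pool as
! a source as well as the head office LAN; the far-end router needs the
! mirror image with the pool as a destination.
access-list S2S_ACL extended permit ip object-group SITE_LANS object REMOTE_LAN
access-list S2S_ACL extended permit ip object VPN_POOL_NET object REMOTE_LAN
crypto map OUTSIDE_MAP 10 match address S2S_ACL
! The client split-tunnel list must also include the remote LAN so the
! AnyConnect client sends that traffic into the tunnel at all.
access-list VPN_CLIENT_ACL standard permit 10.50.0.0 255.255.255.0
!
! --- step 2: NAT ---
! Hairpinned client traffic arrives on outside and leaves on outside, so it
! needs an identity (outside,outside) rule; route-lookup tells the ASA to
! pick the egress interface from the routing table.
nat (outside,outside) source static VPN_POOL_NET VPN_POOL_NET destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
!
! Broken form from the post (left commented out): "any" also matches the
! hairpinned client traffic and produces the "route lookup failed" drops.
! nat (inside,outside) source static any any destination static NO_NAT NO_NAT
!
! Corrected form: only the head office LANs are exempted from NAT, so the
! rule no longer catches packets sourced from the VPN pool.
nat (inside,outside) source static SITE_LANS SITE_LANS destination static NO_NAT NO_NAT
!
! --- step 3: permit same-interface (hairpin) routing ---
same-security-traffic permit intra-interface
```

To confirm which NAT rule a hairpinned packet hits, run packet-tracer from exec mode with a pool address as the source, e.g. "packet-tracer input outside tcp 10.1.1.5 1025 10.50.0.10 445", and check that the NAT phase shows the (outside,outside) rule rather than the (inside,outside) exemption.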

I found the best way to troubleshoot this was by:
  • Using ASDM logging and filtering by a specific traffic flow that "should" work (this is how I spotted the "route lookup failed" error)
  • Using the "packet-tracer" utility to figure out which NAT statement the ASA applies to a packet received on the outside interface going to a site-to-site VPN reachable IP.
Hope this helps someone!

5 August 2012

How to configure basic Anyconnect Essentials on Cisco ASA?

Over the last few days I've struggled to find a nice concise guide to configuring AnyConnect on an ASA for the specific requirements needed for some work I've been doing. So... here is a basic configuration that addresses the following requirements:
  1. Authenticate VPN users to local database of ASA (no radius/LDAP servers used)
    • VPN-only users will not have admin access to ASA.
  2. Allow AnyConnect VPNs to access the ASA's LAN network across the VPN
  3. AnyConnect must run on a non-default port (TCP 442 was chosen for this example)
  4. NAT translate ports of router's outside IP address to internal servers
    • HTTPS and SMTP port will be NAT translated to a specific server on the LAN
This configuration is for ASA code 8.4. This won't work for 8.2 or below (different CLI commands for NAT and Anyconnect). 

The configuration follows...

Define the interface settings. Inside/Outside + IPs:
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.128
!
Define some object groups for NAT statements later on...
object service SMTP
 service tcp source eq smtp
object service HTTPS
 service tcp source eq https
object network 192.168.1.2
 host 192.168.1.2
object network 192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object-group network NO_NAT
 network-object 10.1.1.0 255.255.255.0
Define an ACL for VPN Client access.
access-list VPN_CLIENT_ACL remark === ACL for range the VPN users will access across VPN
access-list VPN_CLIENT_ACL standard permit 192.168.1.0 255.255.255.0
ip local pool VPN_CLIENT_POOL 10.1.1.1-10.1.1.254 mask 255.255.255.0
Define NAT statements for PAT of outside interface (192.168.1.2 is actually the name of an object-group):
nat (inside,outside) source static 192.168.1.2 interface service HTTPS HTTPS
nat (inside,outside) source static 192.168.1.2 interface service SMTP SMTP
Define NAT statements for NO-NAT traffic (i.e. traffic destinations we never want to apply NAT on)
nat (inside,outside) source static any any destination static NO_NAT NO_NAT
Define NAT statement for overload NAT (i.e. everyone from object group 192.168.1.0 can be overloaded with NAT to appear as 1.1.1.1 on way out to internet).
object network 192.168.1.0
 nat (inside,outside) dynamic interface
Define AAA to use local database for ASDM/SSH.
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
Define default route to internet via next hop 1.1.1.2.
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
Define global anyconnect settings (image locations, port used, interface anyconnect is enabled on, etc)
webvpn
 port 442
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.0.08057-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
Define group-policy settings for VPN clients to use (anything not defined here is inherited from the default group-policy; do a "show run all" to see it):
group-policy VPN_CLIENT_POLICY internal
group-policy VPN_CLIENT_POLICY attributes
 dns-server value 192.168.1.2
 vpn-simultaneous-logins 25
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_CLIENT_ACL
 default-domain value domain.com
 address-pools value VPN_CLIENT_POOL
Define local accounts:
username testaccount password xxxxxx encrypted
username testaccount attributes
 service-type remote-access
username admin password xxxxxx encrypted privilege 15
Define VPN profile
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN_CLIENT_POOL
 default-group-policy VPN_CLIENT_POLICY
tunnel-group VPN webvpn-attributes
 group-alias VPN enable
In the above: 
  • Under the webvpn section there is "port 442", which moves AnyConnect to terminate on TCP port 442 rather than the default 443 (HTTPS).
  • The outside interface IP has its TCP ports for HTTPS and SMTP NAT translated to 192.168.1.2 in this example through the use of static NAT translations.
  • We have a NO_NAT NAT statement which defines that we don't NAT anything going to the VPN pool's IPs (i.e. the IPs VPN users use, in this case 10.1.1.x/24).
  • We have a global overload NAT which defines that on the way out to the internet from the inside interface we will be hidden behind the outside IP address of the ASA (i.e. 1.1.1.1 in this example).
  • We also have two user accounts set up:
    • admin account which has full admin/VPN access
    • testaccount which has access only to VPN (not to ASA admin).
I'll stop here for now.... Hope this helps someone.

3 August 2012

Can you bridge ADSL PPPoA to an ASA using PPPoE... and make it work?

No.

ASA/PIX only support PPPoE as a PPP negotiation method. PPPoA and PPPoE have different methods of negotiating and, to my knowledge, there is no way to make them tunnel/work in unison from a bridged Cisco router to a Cisco ASA running PPPoE.

Background here is that today I was asked to configure a Cisco 887VA router and Cisco ASA 5510 together so that the ASA would have the public IP of the internet service on its outside interface. This would mean running the 887VA in bridged mode (which is possible) and running PPP on the ASA 5510. This scenario is fine provided the ISP supports PPPoE for the internet service. If the ISP does PPPoA only... then forget it, because the ASA only supports PPPoE. The reason is that PPPoA requires specific ATM drivers/interactions which the ASA will never support (it has to do with ATM being a cell-based technology vs packet-based). PPPoE is designed to be encapsulated by Ethernet (i.e. it is more abstracted from the medium used than PPPoA).

This post helped me understand the PPPoE/PPPoA a lot better: http://www.petri.co.il/forums/showthread.php?t=1728

Looks like I'm stuck configuring double-NAT for this one... oh well. If anyone knows better let me know. I tried this in my lab and just couldn't find a way to make this work.


11 May 2012

Where is "show dsl int atm 0" on newer 887VA / EHWIC-VA-DSL?

Frequently in my career as a network engineer I've needed to find the true reason why an issue is occurring. For ADSL it is important to know things like noise margins, attenuation and error counts, as well as DSL sync statistics such as whether you are syncing at ADSL1/ADSL2/ADSL2+. With Cisco's recent refresh of equipment a few commands I relied upon for daily troubleshooting of ADSL ("show dsl interface atm 0") suddenly disappeared. I thought I'd help others who may be looking for similar commands on the new router models.

Behold!
"show controllers vdsl 0 brief"
Example output:
RT01#show controllers vdsl 0/0/0 brief
Controller VDSL 0/0/0 is UP
Daemon Status:           Up                        XTU-R (DS)              XTU-C (US)
Chip Vendor ID:         'BDCM'                   'ALCB'
Chip Vendor Specific:   0x0000                   0x0000
Chip Vendor Country:    0xB500                   0xB500
Modem Vendor ID:        'CSCO'                   '    '
Modem Vendor Specific:  0x4602                   0x0000
Modem Vendor Country:   0xB500                   0x0000
Serial Number Near:   FOCxxxxxxx2911/K9  15.2(1)
Serial Number Far:
Modem Version Near:    15.2(1)
Modem Version Far:     0x0000
Modem Status:            TC Sync (Showtime!)
DSL Config Mode:         AUTO
Trained Mode:            G.992.1 (ADSL) 
Annex ATC Mode:                 
ATMSelftest Result:         0x00
DELT configuration:      disabled
DELT state:              not running
Trellis:                 ON                       
ONSRA:                     disabled                        disabled 
SRA count:              0                       0
Bit swap:                enabled                         enabled 
Bit swap count:         0                       0
Line Attenuation:         7.5 dB                  7.0 dB
Signal Attenuation:       7.5 dB                  0.0 dB
Noise Margin:            18.5 dB                 24.0 dB
Attainable Rate:        12132 kbits/s            1120 kbits/s
Actual Power:            15.6 dBm                 9.1 dBm
Total FECS:             0                        0
Total ES:               0                        0
Total SES:              0                        0
Total LOSS:             0                        0
Total UAS:              0                        0
Total LPRS:             0                        0
Total LOFS:             0                        0
Total LOLS:             0                        0
Full inits:             1                        Failed full inits:      0
Short inits:            0                        Failed short inits:     0
Firmware        Source          File Name (version)
--------        ------          -------------------
VDSL            embedded        VDSL_LINUX_DEV_01212008 (1)
Modem FW  Version:      110331_1212-4.02L.03.A2pv6C032b.d23f
Modem PHY Version:      A2pv6C032b.d23f
                  
                        DS Channel1     DS Channel0   US Channel1       US Channel0
Speed (kbps):             0             7616            0               384
SRA Previous Speed:       0                0             0                 0
Previous Speed:           0                0             0                 0
Total Cells:              0         92746827             0                 0
User Cells:               0          1160177             0                 0
Reed-Solomon EC:          0                0             0                 0
CRC Errors:               0                0             0                 0
Header Errors:            0                0             0                 0
Interleave (ms):       0.00            16.00          0.00              0.25
Actual INP:            0.00             2.00          0.00              0.00
Training Log :  Stopped
Training Log Filename : flash:vdsllog.bin
From this command you can see the attenuation (7.0dB/7.5dB), noise margin (18.5dB/24dB) and the actual data rate we're synced at (bottom table in the "DS Channel0" and "US Channel0" for row "Speed (kbps)" - 7.6Mbps DOWN/384Kbps UP in this case).

That's it. Hope it helps someone out there! I've been hunting for this one for a while.

2 April 2012

Cisco 887VAG - Unable to get the 3G working

Today I was tasked with configuring a Cisco 887VAG's 3G interface... and had some issues. Here in Australia I've done plenty of 3G configurations on Cisco routers, so this one frustrated me a little.
The basics of the issue are that the Cisco 887VAG doesn't seem to support "encapsulation ppp" even though the router happily accepts the command.
The configuration for most 3G varieties with Cisco looks something like the following:

TEST#
cellular 0 gsm profile create 1 <APN> chap <username@domain.com.au> <password>
TEST(config)#
chat-script gsm "" "ATDT*98*1#" TIMEOUT 60 "CONNECT"
!
interface Cellular0
description NextG Modem Dialer Interface
no ip address
encapsulation ppp
dialer in-band
dialer pool-member 1
async mode interactive
!
interface Dialer1
ip address negotiated
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string gsm
dialer persistent
dialer-group 1
no fair-queue
no cdp enable
ppp chap hostname <username@domain.com.au>
ppp chap password <password>
ppp ipcp dns request
!
!
ip route 0.0.0.0 0.0.0.0 Dialer1 250
!
!
access-list 1 permit any
dialer-list 1 protocol ip list 1
!
!
line 3
script dialer gsm
no exec
transport input all
transport output telnet
In the above, you have a 3G profile, a cellular interface and dialer interface all joined together. On the 887VAG the encapsulation ppp command spat out an issue as follows:
TEST(config)#int cell 0
TEST(config-if)#encapsulation ppp
Cellular0: Only SLIP encapsulation supported

Without PPP we can't authenticate. Without authentication... it won't allow me to connect. Regardless, I couldn't find much information out there on this specific issue so I thought a blog entry would be handy. I've got a TAC case lodged with Cisco now... will update as more information comes to hand.
The Cisco 887VAG is running:
TEST#show ver

Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(4)M3, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 06-Dec-11 22:52 by prod_rel_team
ROM: System Bootstrap, Version 15.1(2r)T2, RELEASE SOFTWARE (fc1)

TEST uptime is 1 hour, 11 minutes
System returned to ROM by power-on
System restarted at 00:56:10 UTC Mon Apr 2 2012
System image file is "flash:c880data-universalk9-mz.151-4.M3.bin"
Last reload type: Normal Reload

=======================================

Update 1:
As John Marshall indicated in the comments below, there is a configuration guide available from Cisco here. I was directed to that guide by TAC just over the last week or so. I've had some delays with getting through to TAC for me due to SmartNet coverage and so forth.

For me, the guide indicated didn't work.... I have several devices all fresh from factory. I tried setting up a second 887VAG with the guide configuration from scratch, like for like to what John did, and still no go.

I'm making some progress with TAC now... we will see how we go. Oh, and the SIM definitely works (it was confirmed on a 887G on my desk using the old style configuration security).

This isn't all to say I haven't been making "some" progress though. The cellular interface on the new routers "HAS" to be slip encapsulation. It is just the way the new modem interfaces with the chassis. Refer to the configuration guide from Cisco for more information on that.

I'll probably write another post with configuration/troubleshooting steps once I get it sorted completely... for the moment I'm still stuck but am working with TAC to get this resolved.

For the meantime here are some useful commands:
  • debug cellular 0 messages all - If you want to see if the cellular interface is doing "something" chuck this command in to have a look at the back/forth between the cellular interface and the cell tower.
  • show cell 0 radio history all - This shows you RSSI history on the modem much like "show proc cpu history" shows you CPU loading history. Cool.
  • debug ppp negotiation / debug ppp authentication - In theory (at least on the old routers) these commands were useful because they confirmed whether you were at the PPP level of the connection. I'm not sure if these work on the newer models though... yet. I plan to find out.
Useful information:
  • The cellular profile referenced by the "AT" command seems to still be configured using the "cell 0 gsm profile create" command according to the guide
  • The chat-script line referenced by the old (AT98*1)/new (AT!SCACT=1,1) routers differs but achieves the same thing. These are the AT commands the chassis runs to initiate a connection on the onboard Sierra Wireless card to connect using a profile. The differences are mainly cosmetic and you shouldn't need to tinker with them beyond defining "1" as the profile.
What I am thinking:
  • At the moment if I telnet into the modem itself (you shouldn't need to do this) and run the AT command specified by Cisco's guide I get an error:

    Router#telnet 1.1.1.1 2003
    Trying 1.1.1.1, 2003 ... Open
    AT!SCACT=1,1
    +CME ERROR: no network service

    Now I also tried creating a profile on the modem itself using AT commands that specified PAP authentication... and when I ran the AT command described above it returned "OK", which means "successful". Frustrating. (I've been careful to only play with AT commands on one device in case it breaks it.)
I'll continue to work through with Cisco...

=======================================

Update 2: Resolution
In the end the Cisco-provided configuration in the link above (or in the comments) is correct. Use that configuration. My issue was related to the cellular profile not being the correct type. Telstra needs IPv4 type profiles for internet. I was configuring PPP type profiles. I will write up a more detailed guide at some point.

29 March 2012

Outlook 2010 and the curse of the invisible mail rules...

I just had a fun morning troubleshooting Outlook. My mailbox had certain rules stopping noisy/mis-configured monitoring servers from popping up in my inbox all day. The monitoring server was repaired today and I wanted to remove the rule that pushed the "noise" mail to a particular folder and marked it as read... Easy enough: navigate to manage rules in Outlook 2010 and... huh? It looks like there are no rules pushing the false-positive alerts to the folder. Mails are still definitely being redirected though. This must be fixed!

Just to be sure, I disable all rules in Outlook and wait for a few monitoring alerts to come through and of course they are still being caught by an invisible rule somewhere, and being moved to the specific folder and marked as read. So what's going on here?

A few minutes of Googling the issue turned up a few possible ways to resolve it.

  1. Quick-rebuild the Outlook profile - Remove profile in Windows Mail control panel item and pull it down again from Exchange server. This didn't work for me...
  2. Hard-rebuild of Outlook profile - Remove the profile completely (navigate to and delete AppData files/etc) and pull it down from the server again. Again, this didn't work for me...
  3. Break the rule - Remove the Outlook folder that contains the moved monitoring mails and also restart Outlook with a "/clearrules" argument - This worked...

I know that removing folders that rules rely upon breaks the Outlook rule logic, and thus the rule stops... so this may have resolved it. I am thinking the "/clearrules" flag helped as well.

Which one fixed it? Not exactly sure... but it works now. Regardless, hopefully this helps someone else...