天亮了说晚安's Blog

本文转自：https://www.petenetlive.com/KB/Article/0000039 Problem You want to set up a Cisco ASA to authenticate users (VPN access for example). Solution Kerberos can only be used as an authentication protocol on the ASA, so its fine for allowing VPN connections but not for assigning policies etc. To work both the ASA and the domain need to be showing accurate time. Step 1: Set the ASA to get time from an External NTP Server 1. Log onto the ASA > Go to “Enable Mode” > Issue the following command; User Access Verification Password: Type help or '?' for a list of available commands. Petes-ASA> enable Password: ******** Petes-ASA# configure terminal Petes-ASA(config)# ntp server 130.88.212.143 source outside Note that’s a public time server in the UK (Manchester University) that I use. you may want to use another. 2. To check the ASA has synchronised issue the a ‘show ntp status‘ command, If you s......Read More

本文转自：https://www.petenetlive.com/KB/Article/0001104 Problem I got sent to Holland this week to look at a firewall deployment, and while I was sat in the Airport, I was going over the job I had to do, when I realised the solution I had suggested had a problem see below; My brief was to provide remote AnyConnect VPN into the network so the client could get their network setup, and manage things remotely. However as I drew the network out in my head I realised that the situation above was what was going to happen. How was I going to fix that? Well firstly I thought ‘Just put 192.16.1.1 on the management firewall, and move .2 and .3 to the main firewalls’. Well thats fine, but it does not leave me room for expansion, or if the client needs to add remote access to a production network. (Which will be needed in the future). Then I thought ‘Can I put a static route on the main firewalls to route 192.168.100.0/24 to the management firewall’. Which is a......Read More

本文转自：https://www.petenetlive.com/KB/Article/0000069 Problem Below is a walk through for setting up a client to gateway VPN Tunnel using a Cisco ASA appliance.This was done via the ASDM console. The video was shot with ASA version 8.4(2) and ASDM 6.4(5) and the setup process is a lot less painful than it used to be. The original article was written with ASA version 8.0(4) and ASDM 6.1(3), which was a little more difficult so I will leave that procedure below just in case 🙂 ASDM cannot be used on the normal port on the outside interface when using SSL VPN SSL VPN AnyConnect from within an RDP session is not supported (and fails – even with a /console switch). SSL (HTTPS ot TCPport 443) needs to be free (i.e. NOT port forwarded to a web server / exchange server etc). Solution For Older Versions of the ASA/ASDM 1. Open up the&nbs......Read More

本文转自：https://www.petenetlive.com/KB/Article/0000628 Problem Note: With Anyconnect 4 Cisco now use Plus and Apex AnyConnect licensing. When Cisco released the 8.2 version of the ASA code, they changed their licensing model for AnyConnect Licenses. There are two licensing models, Premium and Essentials. Solution Cisco ASA AnyConnect Premium Licenses. You get two of these free with your firewall*, with a ‘Premium License’ you can use the AnyConnect client software for remote VPN Access, and you can access Clientless SSL facilities via the web portal. *As pointed out by @nhomsany “The two default premium licenses available are NOT cross-platform, (i.e. only Mac or Windows). Additionally you can use this license’ model with the Advanced Endpoint Assessment License’, this is the license’ you require for Cisco Secure Desktop. You can also use this license’......Read More

本文转自：https://www.petenetlive.com/KB/Article/0001272 Problem I was setting up a Cisco ASA this week and needed to enable the ability for users to reset their domain passwords when they are about to expire. To actually test that, I needed a test user that had their password either about to expire, or actually expired. As I dint want to wait 42 days, or setup a password policy just for one user, I needed to find a ‘quick and dirty’ fix for one user. Solution You need to open Active Directory Users and Computers, and you need to have ‘Advanced options’ enabled. Locate your user and open their properties > Attribute Editor > Attributes > pwdLastSet. If you want to set it to expired, then set its value to Zero. It should change to <never>, which is not strictly true, it actually changes to 12:00AM January 1st 1601. Note: If you set its value to -1 and apply the change it resets the attribute to the current day and time (you ma......Read More

本文转自：https://www.petenetlive.com/KB/Article/0001273 Problem If you have remote users who connect via VPN, and a policy that forces them to change their password periodically, this can result in them getting locked out without the ability to change their password (externally). If your Cisco ASA is using LDAP to authenticate your users, then you can use your remote AnyConnect VPN solution to let them reset their passwords remotely. Solution Standard LDAP runs over TCP port 389, to allow the ASA to reset the password for the users, it needs to be connected via LDAPS ((TCP Port 636). Your AD server needs to be able to authenticate via LDAPS, by default it will not. I’ve already covered how to set that up in another post see the following article. Windows Server 2012 – Enable LDAPS So, assuming your AD server(s) that the Cisco ASA is authenticating against is already setup, you need to ensure that your AAA Settings for LDAP is set to use port 636. Ena......Read More

本文转自：https://www.petenetlive.com/KB/Article/0000049 Problem You would like to enable remote access for your clients using the Cisco VPN Client software. Solution Before you start – you need to ask yourself “Do I already have any IPSECVPN’s configured on this firewall?” Because if its not already been done, you need to enable ISAKMP on the outside interface. To accertain whether yours is on, or off, issue a “show run crypto isakmp” command and check the results, if you do NOT see “crypto isakmp enable outside” then you need to issue that command. PetesASA# show run crypto isakmp crypto isakmp enable outside << Mines already enabled. crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 PetesASA# 1. Firstly we need to set up Kerberos AAA, if you wanted to use the ASDM to do this CLICK HERE however, to do the same via command line see the commands belo......Read More

本文转自：https://www.petenetlive.com/KB/Article/0000688 Problem Last week I was configuring some 2008 R2 RADIUS authentication, for authenticating remote VPN clients to a Cisco ASA Firewall. I will say that Kerberos Authentication is a LOT easier to configure, so you might want to check that first. Solution Step 1 Configure the ASA for AAA RADIUS Authentication 1. Connect to your ASDM, > Configuration > Remote Access VPN. > AAALocal Users > AAA Server Groups. 2. In the Server group section > Add. 3. Give the group a name and accept the defaults > OK. 4. Now (with the group selected) > In the bottom (Server) section > Add. 5. Specify the IP address, and a shared secret that the ASA will use with the 2008 R2 Server performing RADIUS > OK. 6. Apply. Configure AAA RADIUS from command lin......Read More

本文转自：https://www.petenetlive.com/KB/Article/0000071 Problem Below is a walkthrough for setting up a client to gateway VPN Tunnel using a Cisco ASA appliance.This is done via the ASDM console. Though if (Like me) you prefer using the Command Line Interface I’ve put the commands at the end. You will need a RADIUS server, WIndows Server (2000 and 2003) Has its own RADIUS bolt on called Windows IAS Step 1 Below is a walkthrough on how to set this up. It also uses the Cisco VPN client – the version used is v5 which is still in beta at the time of writing. Solution Note: This is an old post and covers setup on Server 2003, for a more modern version, (Server 2012/2016/2019) of this procedure, see the following article; Windows Server Setup RADIUS for Cisco ASA 5500 Authentication Step 1 Install RADIUS (Server 2003 Windows IAS) Note: for Server 2008 go here and for Server 2012 go here. 1. Assuming you don’t already ha......Read More

本文转自：https://www.petenetlive.com/KB/Article/0000685 Problem Note: The procedure is the same for Server 2016 and 2019 This week I was configuring some 2008 R2 RADIUS authentication, so I thought I’d take a look at how Microsoft have changed the process for 2012. The whole thing was surprisingly painless. I will say that Kerberos Authentication is a LOT easier to configure, but I’ve yet to test that with 2012, (watch this space). Solution Step 1 Configure the ASA for AAA RADIUS Authentication 1. Connect to your ASDM, > Configuration. 2. Remote Access VPN. 3. AAA Local Users > AAA Server Groups. 4. In the Server group section > Add. 5. Give the group a name and accept the defaults > OK. 6. Now (with the group selected) > In the bottom (Server) section > Add. 7. Specify the IP address, and a shared secret that the AS......Read More