Cisco ASA with Dual ISPs one for Internet and one for VPN example

I had a situation recently where  the 2Mb Internet connection at one of our offices was becoming congested. To try and allieve the congestion I had a new ADSL line installed at the office with the intention on splitting traffic through the ASA. On the ASA 5505 it is not possible to load balance beween the ISPs, so I thought I would leave the exisitng 2Mb connection for VPN traffic only and use the new ADSL connection for Internet traffic. It took me a while to figure out how to do this, and so I thought I would document it here, because actually the solution is pretty simple.

In order to achieve this all you have to do is set up static routes to define the default route through one connection, and the remote VPN peer, and traffic destined for the remote LAN subnet through the other connection. The diagram below explains the set up in a bit more detail:

Cisco ASA with 2 ISPs one for Internet and One for VPN

Cisco ASA with 2 ISPs one for Internet and One for VPN

Firstly set up 3 vlans and their interface associations:

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

switchport access vlan 12

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 10.0.1.254 255.255.255.0

interface Vlan2

nameif VPN

security-level 0

ip address 172.16.1.1 255.255.255.0

interface Vlan12

no forward interface Vlan1        (If using a security plus or higher license on your ASA 5505 you may not need this command in your set up)

nameif Internet

security-level 50

ip address 192.168.1.1 255.255.255.0

You then need to configure your static routes:

route Internet 0.0.0.0 0.0.0.0 192.168.1.254 1 

(ASA sends all traffic out of this default route via the ISP 1 ADSL connection, unless defined in the other static routes below)

route VPN 10.2.2.0 255.255.255.0 172.16.1.254 1   

 (This static route sends all traffic destined for the remote office subnet i.e. the interesting traffic defined for encryption, over the VPN via the ISP 2 connection)

route VPN 172.16.2.1 255.255.255.255 172.16.1.254 1  

(This static route sends all traffic destined for the remote office VPN Peer via the ISP 2 connection)

The actual setup of the site to site VPN connection is beyond the scope of this article but there is plenty of information elsewhere.

Advertisements

allow PPTP client through Cisco ASA 8.4 to external PPTP server

In order to allow a PPTP VPN client through a Cisco ASA firewall in order to access an external PPTP server you need to add the following to your configuration.

policy-map global_policy

class inspection_default

inspect pptp

Restart a VPN tunnel on a Cisco ASA or PIX

To reset and restart VPN tunnels on a Cisco ASA or PIX firewall simply type:

clear crypto isakmp sa

Upgrade flash memory in a Cisco 877 Router

Undo the 2 screws on the back on the router as shown:

Opening the case of a Cisco 877 Router

 

Then undo the 3 screws securing the protective metal case beneath:

Accessing the flash and RAM slots in a Cisco 877 router

 

Swap the flash memory for the new larger bit:

Swapping the flash memory

 

Replace the case, plug in the power, connect the router to your computer using a console cable, and then power it on.

Fire up hyperterm or some similar program and connect to the router. It may complain about an inconsistent sector list in flashfs on boot up, and will also tell you that there is no bootable IOS image file in the flash memory. Once you are at the ROMMON prompt issue the following command:

format flash:

click ‘y’ and press enter to confirm the format operation

Once the format is complete, connect a LAN patch lead from you computer to the router. Assign an IP address to the LAN adapter of your computer such as 192.168.1.1/24. Fire up a bit of TFTP server software on your computer, such as Cisco TFTP server, or Solarwinds TFTP server

At the rommon prompt type the following,  making sure you assign an IP address to the router that is in the same subnet as the IP that you assigned your computer, e.g.

IP_ADDRESS=192.168.1.254

then assign a subnet mask:

IP_SUBNET_MASK=255.255.255.0

then a default gateway:

DEFAULT_GATEWAY=192.168.1.254

then a TFTP server (i.e. the IP address you assigned your computer’s LAN adapter):

TFTP_SERVER=192.168.1.1

and finally the filename of the IOS image that you want to transfer back on to your router

TFTP_FILE=c870-advsecurityk9-mz.124-15.T12.bin

If you want to review the variables that you have set above any time just type:

set

Next issue the tftpdnld command to copy the IOS image to the flash memory of your router using tftp:

tftpdnld

Click ‘y’ to continue. This will take a few minutes. After that reboot the router and you’re done:

reset

 

 

 

Allow telnet, SSH, or HTTPS remote management on a Cisco 800 series using a Zone Based Firewall

I have recently installed some Cisco 877 routers at some of our branch offices, and wanted to allow remote management of these devices from the LAN at our central location over the VPN. With the Zone based firewall enabled there is no access allowed to the ‘Self’ zone from remote locations by default, as you would expect. This process is pretty straightforward when you are using Cisco PIX or ASA firewalls as you can use the management-access inside command, and then easily define which subnets you want to be able to access which remote management tools. There is no equivalent command when using an IOS router, so you need to configure the appropriate access list, class map, and policy map

In this example the site to site VPN is already configured as is the zone based firewall which was configured by SDM. The following subnets are defined for the LANs at each location:

192.168.1.0/24 – This is the head office LAN subnet which I want to allow access to the remote router over the VPN tunnel

192.168.2.0/24 – This is the branch office LAN subnet which is attached to the Cisco 877

The ip address of the 877 router at the branch office is:

192.168.2.254

Firstly, create an access list to define which services you want to allow access to, from the head office subnet:

router(config)# ip access-list extended remote-manage

router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.254 eq 22

This allows SSH access from the 192.168.1.0/24 subnet to the router

router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.254 eq telnet

This allows telnet access from the 192.168.1.0/24 subnet to the router

router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.254 eq 443

This allows HTTPS access from the 192.168.1.0/24 subnet to the router

Next, create the following class maps:

router(config)# class-map type inspect match-any remote-manage

router(config-cmap)# match access-group name remote-manage

router(config)# class-map type inspect match-any router-access

router(config-cmap)# match class-map remote-manage

Finally, add this policy map

router(config)# policy-map type inspect sdm-permit

router(config-pmap)#class type inspect router-access

router(config-pmap-c)# inspect

You should now be able to telnet, SSH and use SDM to access the router from the head office subnet. If you need to allow any other subnets or hosts to access the router remotely simply add them to the access-list you created earlier. It could be that you want to allow SSH access to the external Internet facing IP of the router which you could do by adding the following (where X.X.X.X is the external IP of the router):

router(config)# ip access-list extended remote-manage

router(config-ext-nacl)# permit tcp any host X.X.X.X eq 22

This would allow any Internet host to access the external IP of the router using SSH, although it would be preferable to lock this down to specific IP addresses or subnets that you already own.

Downloads stall or stop on a Cisco 877 Router using Zone Based Firewall

I was setting up a Cisco 877 router on an ADSL 2 BT Broadband connection this week and came across an issue when downloading large files from the Internet. With the router configured, and connected everything appeared to be working OK. The ADSL connection was stable, and the VPN tunnel was up and transferring data happily. I performed a few more checks, one of which was to run a speed test using speedtest.net. The test started fine downloading at around 6.5Mb per sec but when it got halfway through it stalled and didn’t complete. Following this I tried to download a 600MB ISO file using my web browser. It downloaded about 100MB and then stalled. Subsequent attempts produced similar results, although sometimes I could only download a couple of MB, and sometimes 50MB to 100MB, but at some point the download would stop and not get any further.

Interestingly, I didn’t seem to get this problem when transferring files over the Site to Site VPN connection, as I transferred around 400MB of data across the VPN without issue. This made me think that it it could be something to do with traffic inspection on the zone based firewall. I did a little digging on the Internet, and found some information relating to out of order packets on Cisco equipment using the Zone Based Firewall. Other reports suggested that if you remove the zone based firewall, downloads proceed normally. It seemed quite a few people have had the same issue that I was having, and there were a few steps that could be taken for verification.

Firstly, in configuration mode set the logging level on the device to ‘debugging’:

 router(config)# logging buffered 51200 debugging 

Next, turn on logging of dropped packets:

 router(config)# ip inspect log drop-pkt

At this stage if you are running in a telnet session you can use the following command to output debug messages to your session:

router(config)# terminal monitor

Alternatively, you can view the log file after testing by running:

router# show logging

After adding the commands to log dopped packets, I kicked off the ISO download again and waited for it to stall. Sure enough after it stopped downloading I got the following message logged (IP addresses have been removed):

%FW-6-DROP_PKT: Dropping tcp session X.X.X.X:80 X.X.X.X:52334 due to Out-Of-Order Segment with ip ident 0

Apparently the zone based firewall has a bit of an issue with out of order packets, but fortunately support for out of order packets has been introduced in IOS versions 15 and above. This 877 router was running IOS version c870-advsecurityk9-mz.124-24.T7.bin. There was only the standard 24MB flash in this router so I upgraded to IOS version c870-advsecurityk9-mz.151-1.T4.bin.

After applying this upgrade the issue was fixed, and downloads proceeded normally.

References:

https://supportforums.cisco.com/thread/2089462

http://www.dslreports.com/forum/r24332834-Config-Zonebased-firewall-and-outororder-dropped-packets

Cisco ASA (8.4) to PIX (6.x) Site to Site VPN example

Here is a basic example of a site to site VPN between a Cisco ASA firewall running version 8.3 or higher, and a Cisco PIX firewall running version 6.x

Configuration for the Cisco ASA side of the connection:

Define network objects for your internal subnets:

object network Main-Office
subnet 192.168.1.0 255.255.255.0

object network Branch-Office
subnet 192.168.2.0 255.255.255.0

Create an access list for the VPN traffic using the network objects that you have created:

access-list VPN-to-Branch-Office extended permit ip object Main-Office object Branch-Office

Use double NAT (effictively no nat) to ensure the traffic travelling across the VPN tunnel will not have NAT applied to it:

nat (inside,outside) source static Main-Office Main-Office destination static Branch-Office Branch-Office

Create a transform set using the encryption of your choice, in this case AES 128:

crypto ipsec ikev1 transform-set myset-aes128 esp-aes esp-sha-hmac

Ensure IKE version 1 is enabled on the outside interface:

crypto ikev1 enable outside

Create a policy for phase 1 of the VPN connection:

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400

Configure a tunnel group containing the Pre Shared Key:

tunnel-group 172.16.0.2 type ipsec-l2l
tunnel-group 172.16.0.2 ipsec-attributes
ikev1 pre-shared-key My53cr3tPSK

Create a crypto map for phase 2 of the VPN connection:

crypto map myvpnmap 10 match address VPN-to-Branch-Office
crypto map myvpnmap 10 set pfs group5
crypto map myvpnmap 10 set peer 172.16.0.2            (This should be set to the ip of the outside interface of the PIX you are connecting to)
crypto map myvpnmap 10 set ikev1 transform-set myset-aes128
crypto map myvpnmap interface outside

 

Configuration for the Cisco PIX side of the connection:

Configure an access list for the VPN tunnel:

access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Make sure NAT is not applied to traffic passing across the VPN tunnel:

nat (inside) 0 access-list 100

Configure the PIX to permit IPSEC:

sysopt connection permit-ipsec

Create a policy for phase 1 of the VPN connection:

isakmp enable outside

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

Configure keepalives to match the default setting on the ASA of 10 seconds retry 2 seconds:

isakmp keepalive 10

Create a transform set to match the ASA end of the connection, in this case AES 128:

crypto ipsec transform-set myset-aes128 esp-aes esp-sha-hmac

Create a crypto map for phase 2 of the VPN connection:

crypto map myvpnmap 10 ipsec-isakmp
crypto map myvpnmap 10 match address 100
crypto map myvpnmap 10 set pfs group5
crypto map myvpnmap 10 set peer 172.168.0.1               (This should be set to the ip of the outside interface of the ASA you are connecting to)
crypto map myvpnmap 10 set transform-set myset-aes128
crypto map myvpnmap interface outside

Configure the Pre Shared Key to match the other end of the connection

isakmp key My53cr3tPSK address 172.16.0.1 netmask 255.255.255.255 no-xauth no-config-mode