Cisco ASA Archives - Network Guy

Updating Cisco ASA HA Cluster

Michel — Mon, 11 Jul 2016 06:43:32 +0000

Last week I updated a Cisco ASA HA cluster within a work project. The customer runs about 200 EasyVPN and IPsec VPN Site2Site connections. Our goal was to update the Cisco ASA HA cluster without an interrupt. The installed firmware version was 8.6(1)2 and we wanted to go straight to 9.4(2)11. In this case I was using two notebooks and connect them directly to the console port. After copying the file from TFTP to flash, we saw the message “No Cfg structure found in downloaded image file”. So the version 8.6 couldn’t handle the new file format of the 9.4 image. We need to insert a stopover and installed the version 9.1.3, later 9.4.2. Here is a spreadsheet for your upgrade process:

Current ASA Image	First Upgrade	Final Upgrade
8.2.x	8.4.6	8.4.7 or later, 9.1.3 or later
8.3.x	8.4.6	8.4.7 or later, 9.1.3 or later
8.4.1 through 8.4.4.10	8.4.6, 9.0.2	8.4.7 or later, 9.1.3 or later
8.5.x	9.0.2	9.1.3 or later
8.6.1	9.0.2	9.1.3 or later
9.0.1	9.0.2	9.1.3 or later
9.0.1.1 and later (to include 9.0.2 and later)	Not Applicable	9.1.3 or later
9.1.1	9.1.2	9.1.3 or later
9.1.1.1 and later	Not Applicable	9.1.3 or later

The following spreadsheet shows the update-steps for a Cisco ASA HA cluster. If you need to insert a stopover, repeat the steps 3-10:

Step	Cisco ASA primary	Cisco ASA secondary
1	Save the configuration (write memory) and document your configuration (pager lines 0; show run)
2	Viewing the boot variables (show bootvar)
3	Copy the firmware image and ASDM image from TFTP to Flash (copy tftp flash)
4	Setting the primary device to standby (no failover active)
5	Setting the boot firmware and ASDM image (delete the old “boot system xxx” entry and configure the new image to boot)
6	reload
7		Check HA-cluster status (show failover state)
8	Setting the primary device as active again (failover active)
9		Step 2-6
10	Save the configuration (write memory)
11	Restart the secondary device (failover reload-standby)
12	Check HA-cluster status (show failover state)
13	Save the configuration (write memory) and document your configuration (pager lines 0; show run)
14	Compare both configurations (the one before updating the cluster and the current configuration with the new firmware; you can use Notepad++ for this)

There are some different failover states.

One host is down or rebooting:

This host – Primary Activ
Other host – Secondary Failed

While syncing:

This host – Primary Activ
Other host – Bulk Sync

Cluster running in good state:

This host – Primary Activ
Other host – Secondary Standby Ready

After updating the Cisco ASA cluster (with the unexpected stepover) all VPN tunnels are working fine, no one had a disconnect :)

The post Updating Cisco ASA HA Cluster appeared first on Network Guy.

Cisco ASA AES encryption disabled

Michel — Mon, 04 May 2015 13:05:01 +0000

Today I wanted to configure a site2site VPN on my Cisco ASA in my laboratory. When I tried to configure the transform-set I received the following error message:

Firewall(config)# crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
The 3DES/AES algorithms require a VPN-3DES-AES activation key.

I’ve never saw this message before. It was very confusing seeing the 3DES-AES feature disabled:

Firewall(config)# show activation-key
Serial Number: *****
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Disabled perpetual

You can request this license for free at cisco.com! Go to the Product License Registration, Login with your Cisco CCO ID and mouseover “Get Other Licenses” and choose “Security Products” and “Cisco ASA 3DES/AES License”:

type in the serial number of your device (“show version”) and get the license! You will receive the license by mail or can download it via the portal. To activate the license, go to your Cisco ASA device and type in “activation-key 0x3487fs3…” in the configuration level. Save config and restart for glory! :)

The post Cisco ASA AES encryption disabled appeared first on Network Guy.

Link Aggregation with Cisco ASA

Michel — Wed, 05 Feb 2014 14:50:25 +0000

Interesting project that I got some days ago: I need to connect a Cisco ASA redundantly to a HP Switch Switch cluster (clustered with IRF protocol) and VLAN tag support. I configured a bridge-aggregation interface at the HP 5920AF-24XG like this (VLANs were already configured):

interface Bridge-Aggregation1
description Link to Cisco ASA

interface Ten-GigabitEthernet1/0/8
port link-aggregation group 1

interface Ten-GigabitEthernet2/0/8
port link-aggregation group 1

interface Bridge-Aggregation1
description Link to Cisco ASA
port link-type hybrid
port hybrid vlan 1 23 tagged

Configuring Ten-GigabitEthernet1/0/8 done.
Configuring Ten-GigabitEthernet2/0/8 done.

after this I saved the current Cisco ASA configuration to the flash and to my TFTP server. You can’t configure a port-channeling on used ports or can change the naming (like “inside”) directly to another interface. The interface name depends on so many configuration parameters like firewall and VPN settings. So I saved the current-configuration, edit it with a text editor, copied it from the TFTP to the startup-config and reload the device. Never do this from remote, please connect a serial cable to the Cisco ASA and make this changes via console. At startup you can see directly if commands are not recognized and you don’t need network access.

I took the two first interfaces because they have full gigabit support (Cisco ASA 5510). I first created the Port-Channel:

interface Port-channel1
description Link-Aggregation
no nameif
no security-level
no ip address

than I declared the interfaces to this port-channel:

interface Ethernet0/0
channel-group 1 mode on
no nameif
no security-level
no ip address

interface Ethernet0/1
channel-group 1 mode on
no nameif
no security-level
no ip address

Now we can configure sub-interfaces for our vlan tagged interfaces. The sub-interface number isn’t the vlan tag number but I would recommend to set it equal for your own harmony :)

interface Port-channel1
description Link-Aggregation
no nameif
no security-level
no ip address

interface Port-channel1.1
vlan 1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

interface Port-channel1.23
vlan 23
nameif dmz
security-level 75
ip address 192.168.23.1 255.255.255.0

you can now look at both devices, if the aggregation is working. Example HP Stack:

[IRF1]display link-aggregation verbose
Loadsharing Type: Shar — Loadsharing, NonS — Non-Loadsharing
Port Status: S — Selected, U — Unselected
Flags: A — LACP_Activity, B — LACP_Timeout, C — Aggregation,
D — Synchronization, E — Collecting, F — Distributing,
G — Defaulted, H — Expired

Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
Port Status Priority Oper-Key
——————————————————————————–
XGE1/0/8 S 32768 4
XGE2/0/8 S 32768 4

Example Cisco ASA:

ASA5510# show port-channel
Channel-group listing:
———————–

Group: 1
———-
Span-cluster port-channel: No
Ports: 2 Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: ON
Minimum Links: 1
Load balance: src-dst-ip

there are several options for load balancing:

ASA5510(config-if)# port-channel load-balance ?

interface mode commands/options:
dst-ip Dst IP Addr
dst-ip-port Dst IP Addr and TCP/UDP Port
dst-mac Dst Mac Addr
dst-port Dst TCP/UDP Port
src-dst-ip Src XOR Dst IP Addr
src-dst-ip-port Src XOR Dst IP Addr and TCP/UDP Port
src-dst-mac Src XOR Dst Mac Addr
src-dst-port Src XOR Dst TCP/UDP Port
src-ip Src IP Addr
src-ip-port Src IP Addr and TCP/UDP Port
src-mac Src Mac Addr
src-port Src TCP/UDP Port
vlan-dst-ip Vlan, Dst IP Addr
vlan-dst-ip-port Vlan, Dst IP Addr and TCP/UDP Port
vlan-only Vlan
vlan-src-dst-ip Vlan, Src XOR Dst IP Addr
vlan-src-dst-ip-port Vlan, Src XOR Dst IP Addr and TCP/UDP Port
vlan-src-ip Vlan, Src IP Addr
vlan-src-ip-port Vlan, Src IP Addr and TCP/UDP Port

you can find more information here.

The post Link Aggregation with Cisco ASA appeared first on Network Guy.

Enabling passive FTP through Cisco ASA

Michel — Wed, 19 Sep 2012 14:30:24 +0000

As I explained 1:1 NAT (with example for PPTP passthrough) in this post you can also add more PAT just based on your access-list. I recognized a problem at one customer that FTP needs an inspection firewall entry. The customer runs a passive FTP server on tcp port 3002 which I forwarded to inside:

object network MyFTPserver
host 192.168.23.33

object network MyFTPserver
nat (inside,outside) static 88.77.66.24

access-list world_in extended permit tcp any object MyFTPserver eq 3002

access-group world_in in interface outside

He could connect from outside but can’t list the folders so I configured a inspection firewall setting:

class-map class_ftp
match port tcp eq 3002

policy-map global_policy
class class_ftp
inspect ftp

service-policy global_policy global

After this input the problem was solved!

The post Enabling passive FTP through Cisco ASA appeared first on Network Guy.

Cisco ASA NAT examples with software version 8.4

Michel — Thu, 30 Aug 2012 12:26:36 +0000

I know that they take LSD (yes Lysergic acid diethylamide) at Cisco like Kevin Herbert but can they consume less? Every release of a new 8.x software version of the Cisco ASA has new NAT statements and logic. This week I replaced an old Cisco PIX 6.x with a new Cisco ASA 8.4(4)1 (asa844-1-k8.bin) and ran into some logic traps and I decided to write some examples here for you in case that this can help you. My customer has a provider router but the examples are also working with a PPPoE uplink (except multiple IPNAT commands).

NAT from inside to outside:

object network MyInternalNetwork
subnet 192.168.23.0 255.255.255.0
object network MyInternalNetwork
nat (inside,outside) dynamic interface

You will see that an incoming packet will be first translated and than be checked by the firewall. PAT for port-forwarding a network service (in this example https tcp 443):

object network MyExchangeServer
host 192.168.23.5
object network MyExchangeServer
nat (inside,outside) static interface service tcp https https
access-list world_in extended permit tcp any object MyExchangeServer eq https
access-group world_in in interface outside

1:1 NAT (with example for PPTP passthrough):

object network MyPPTPserver
host 192.168.23.10
object network MyPPTPserver
nat (inside,outside) static 88.77.66.23
access-list world_in extended permit tcp any object MyPPTPserver eq pptp
access-list world_in extended permit gre any object MyPPTPserver
access-group world_in in interface outside

No-NAT Statements (for not natting into connected VPN-networks):

object network MyHeadquarter
subnet 192.168.23.0 255.255.255.0
object network MyBranchOffice
subnet 192.168.80.0 255.255.255.0
nat (inside,any) source static MyHeadquarter MyHeadquarter destination static MyBranchOffice MyBranchOffice no-proxy-arp

don’t forget to place no-proxy-arp at the end of the NAT statement, otherwhise your Cisco ASA will answer on every ARP-Broadcast “YES THAT’S ME HERE IS MY MAC-ADDRESS!!!11111” -.-

If you have any further wishes on NAT-config-examples or older NAT-statements (just like for Cisco ASA software version 8.0, 8.1, 8.2 and/or 8.3) just let me know!

The post Cisco ASA NAT examples with software version 8.4 appeared first on Network Guy.