May 21, 2009
Base Config: ASA WebVPN
This is becoming a common configuration for me. Here's a base template I use:
ip local pool WebVPNPool 192.168.251.10-192.168.251.100 mask 255.255.255.0
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy WebVPNPolicy internal
group-policy WebVPNPolicy attributes
dns-server value X.X.X.X
vpn-tunnel-protocol svc
group-lock value WebVPNAccessProfile
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value business.local
address-pools value WebVPNPool
webvpn
svc ask none default svc
hidden-shares none
file-entry disable
file-browsing disable
url-entry disable
tunnel-group WebVPNAccessProfile type remote-access
tunnel-group WebVPNAccessProfile general-attributes
default-group-policy WebVPNPolicy
tunnel-group WebVPNAccessProfile webvpn-attributes
group-alias WebVPN enable
Posted by JC at 10:49 AM | Comments (16)
September 24, 2008
Implementing QoS on PIX/ASA
While doing some web searches, I ran across this post from Anthony Sequeira, an old friend of mine from the KnowledgeNet days. Excellent description and examples of implementing Priority Queuing on an ASA - plenty of other ASA QoS links to follow here too.
Posted by JC at 8:06 AM | Comments (2)
April 23, 2007
QoS over VPN Tunnel Configuration
Cisco has posted a nice configuration allowing you to implement QoS over a VPN...Okay, I know there's no "true" QoS over the Internet, but a configuration like this can at least increase your chances of having clean VoIP phones running from a home/small office. Just click below!
www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml
Posted by JC at 11:34 AM | Comments (1)
August 8, 2006
Bi-Directional NAT on PIX Firewalls
For those of you who work with PIX firewalls on a regular basis, you might know that when you upgrade to use the ASDM GUI, it no longer supports the alias command (kudos to the no-longer-supported alias command). The first time I saw the error message from the ASDM GUI, it made me feel like a moron. It was something like:
"Alias commands are no longer supported in ASDM. Before you can use the configuration utility, you must convert all alias entries to bidirectional NAT."
So matter of fact...meanwhile, I'm staring at the screen thinking, "what the heck is bidirectional NAT?" A search of Cisco's website provided no useful information.
Mike Storm (a fellow instructor of mine at Interface TT in Phoenix, AZ) did a quick write-up describing what took me 6 hours to figure out. You can grab it here.
Posted by JC at 6:05 PM | Comments (15)
January 8, 2006
PIX Syslog
It seems to be PIX week here. I've had more requests for PIX configurations than anything! Anyhow, just a quick configuration to make a PIX correctly log to a SYSLOG server:
logging on
logging standby
logging timestamp
logging trap notifications (or warnings - notifications will send a ton of info)
logging facility 18
logging host inside/outside ip address
I also like to use the command logging device-id string name. This tags all messages in my syslog with an identifier so I know what device sent the message (by name rather than IP address).
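To see what the trap level actually filters, here is a small parser, added here and not part of the original post, that reads constructed PIX syslog lines as a syslog server would receive them with facility 18, timestamps and a device-id string set, checks that the PRI severity agrees with the %PIX-n- field, keeps only what "logging trap <level>" would have sent, and tallies denied source addresses as a first detection pass. The message texts, addresses and the device-id value pixfirewall in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample as received by a syslog server from a PIX configured with
# "logging timestamp", "logging facility 18" (local2) and
# "logging device-id string pixfirewall".  PRI = facility * 8 + severity.
SAMPLE_LOG = """\
<148>Jan 08 2006 22:15:01 pixfirewall : %PIX-4-106023: Deny tcp src outside:203.0.113.7/4412 dst inside:192.168.1.10/445 by access-group "outside_in"
<150>Jan 08 2006 22:15:02 pixfirewall : %PIX-6-302013: Built outbound TCP connection 1187 for outside:198.51.100.5/80 to inside:192.168.1.20/1047
<149>Jan 08 2006 22:15:09 pixfirewall : %PIX-5-111008: User 'cisco' executed the 'write memory' command.
<146>Jan 08 2006 22:15:30 pixfirewall : %PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/4413 to 192.168.1.10/23 flags SYN on interface outside
"""

# syslog severity names as used by "logging trap <level>"
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

LINE_RE = re.compile(r"^<(?P<pri>\d+)>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2} "
                     r"(?P<device>\S+) : %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
DENY_SRC_RE = re.compile(r"(?:src \w+:|denied from )(\d+\.\d+\.\d+\.\d+)")

def parse_line(line):
    """Parse one line into a dict, or None if it is malformed or the PRI
    severity disagrees with the %PIX-n- field (a mangled or spoofed message)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri % 8 != int(m["sev"]):
        return None
    return {"facility": pri // 8, "severity": pri % 8, "device": m["device"],
            "msgid": m["msgid"], "text": m["text"]}

def select(log, trap_level):
    """Events the PIX would forward under 'logging trap <trap_level>'."""
    limit = SEVERITY[trap_level]
    events = (parse_line(l) for l in log.splitlines())
    return [e for e in events if e is not None and e["severity"] <= limit]

def denied_sources(events):
    """Count denied connections per source IP (message IDs 106001 and 106023)."""
    hits = Counter()
    for e in events:
        m = DENY_SRC_RE.search(e["text"]) if e["msgid"] in ("106001", "106023") else None
        if m:
            hits[m.group(1)] += 1
    return hits
```

Running select(SAMPLE_LOG, "warnings") drops the severity 5 "write memory" line that "notifications" keeps, which is the trade-off the parenthetical above is pointing at.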
Posted by JC at 10:15 PM | Comments (1)
December 30, 2005
Basic PIX Configuration
Everyone needs a good, basic PIX Firewall configuration on-hand from time to time. Here is one I set up for a client that does the following:
1. Performs NAT overload from an inside network to an outside network
2. Accepts incoming PPTP VPN connections from outside clients
3. Turns on the web-based GUI on the PIX
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
:These two lines activate the outside (Ethernet0) and inside (Ethernet1) interfaces
nameif ethernet0 outside security0
nameif ethernet1 inside security100
:These two lines assign names to the interfaces
enable password ------ encrypted
:Sets the password for privileged mode
passwd -------- encrypted
:Sets the telnet password
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
:Fixup protocols allow advanced applications to work through NAT. All the above fixup protocol configuration is in the PIX by default.
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit icmp any any
access-list 102 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 permit ip any any
:Same access-list syntax as a router. These are used below.
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
:Sets the outside interface IP address
ip address inside 192.168.1.1 255.255.255.0
:Sets the inside interface IP address
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.2.10-192.168.2.50
:Defines a local DHCP pool of addresses for the PIX to give to incoming PPTP VPN clients
pdm logging informational 100
pdm history enable
:This tracks access to the PDM (the web-based GUI) built-in to the PIX
arp timeout 14400
global (outside) 1 interface
:This is a HUGE command. It turns on NAT for all addresses matching NAT rule 1 (shown below), translating them to the outside interface's address (toward the Internet, in this case)
nat (inside) 0 access-list 101
:This creates NAT rule 0 which tells NAT not to translate addresses that are defined in access list 101 (shown above). This keeps NAT from translating any communication between internal clients (192.168.1.0/24) and VPN clients (192.168.2.0/24).
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
:This creates NAT rule 1 which matches ALL addresses coming from the inside interface
conduit permit icmp any any
:Conduits are the old form of access-lists. This one permits all ICMP messages to the PIX
route outside 0.0.0.0 0.0.0.0 x.x.x.x
:Sets a default route to the ISP router (represented with x.x.x.x)
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
:Turns on the HTTP interface to the PIX, but only allows internal users (192.168.1.0/24) to access it. This enables the PDM (the web-based GUI) on the PIX
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
:Also a very huge command. This allows PPTP connections to the PIX firewall without the need for an access-list permitting PPTP. You can also use commands like sysopt connection permit-ipsec to permit IPSEC VPN connections
telnet 192.168.1.0 255.255.255.0 inside
:Allows telnet access to the PIX only from the internal subnet
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
:Allows PIX to accept PPTP connections
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
:Allows PPTP users to authenticate using any of the above methods (listed from weakest to strongest)
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
:Points the PIX to hand out IP addresses to incoming VPN clients from the DHCP pool called "pptp-pool" (shown above in the config)
vpdn group 1 client configuration dns 192.168.1.252
vpdn group 1 client configuration wins 192.168.1.251
:Points the VPN clients to the right DNS and WINS server addresses
vpdn group 1 pptp echo 60
:Sends an "echo" (kinda like a keepalive) once every 60 seconds. If a response is not heard, VPN is torn down
vpdn group 1 client authentication local
:Authenticates VPN users using a local user database (shown below)
vpdn username jonesr password *********
vpdn username cepa password *********
vpdn username bob password *********
:Three VPN users allowed to connect
vpdn enable outside
:Turns on VPN connectivity on the outside interface
dhcpd lease 3600
dhcpd ping_timeout 750
username cisco password -------- encrypted privilege 15
:If I telnet with this username/password, I go straight to privileged mode
terminal width 80
: end
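To make the interaction of the nat 0, nat 1 and global lines concrete, here is a small Python model, added here and not from the original post, of how the PIX picks the source address for an inside-to-outside packet: the nat 0 access-list exemption is checked first, otherwise the packet is translated to the pool of the matching numbered rule, which for "global (outside) 1 interface" is the outside interface address. The config excerpt is copied from the post; 203.0.113.2 is a constructed stand-in for the x.x.x.x outside address, and static and policy NAT are not modelled.

```python
import ipaddress

# The NAT-relevant lines from the config above, as text so the model reads the
# same statements the PIX does.  203.0.113.2 stands in for the x.x.x.x outside IP.
CONFIG = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
OUTSIDE_IP = "203.0.113.2"

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect ACL entries, nat 0 exemptions, numbered nat rules and global pools."""
    acls, exempt, nat_rules, globals_ = {}, [], [], {}
    for line in config.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "access-list" and f[2:4] == ["permit", "ip"]:
            acls.setdefault(f[1], []).append((net(f[4], f[5]), net(f[6], f[7])))
        elif f[0] == "nat" and f[2] == "0" and f[3] == "access-list":
            exempt.append(f[4])                              # nat (inside) 0 access-list 101
        elif f[0] == "nat":
            nat_rules.append((int(f[2]), net(f[3], f[4])))   # nat (inside) 1 0.0.0.0 0.0.0.0
        elif f[0] == "global":
            globals_[int(f[2])] = f[3]                       # global (outside) 1 interface
    return acls, exempt, nat_rules, globals_

def translate(src, dst, config=CONFIG):
    """Source address a packet from src (inside) to dst leaves the outside
    interface with, or None if no nat rule matches (the PIX would drop it)."""
    acls, exempt, nat_rules, globals_ = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. nat 0 access-list: identity NAT, checked before any numbered rule
    for acl in exempt:
        if any(s in sn and d in dn for sn, dn in acls.get(acl, [])):
            return src
    # 2. first numbered rule whose local network contains the source
    for nat_id, local_net in sorted(nat_rules):
        if s in local_net and nat_id in globals_:
            pool = globals_[nat_id]
            return OUTSIDE_IP if pool == "interface" else pool
    return None
```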
Posted by JC at 7:41 PM | Comments (8)