*Coder Blog

Life, Technology, and Meteorology

Category: Cisco ASA

Moving back a generation

This week, I’m doing something rare and actually stepping back a generation of hardware. I usually try to keep the latest and greatest around here, within reason, but with this I just can’t help it.

Back in 2008 I purchased a Cisco ASA 5505 firewall/router. It has worked perfectly since then, and I probably only use 10% of its amazing feature set. I have it configured to forward a bunch of ports (using NAT/PAT), provide VPN service for my devices while I’m out of the office, and do basic packet inspection to avoid DoS attacks and other issues. The router has never once crashed on me and has stayed online for hundreds of days at a time without any issue.

So why am I replacing it? Well, it turns out that Cisco’s licensing absolutely cripples the 5505. I have a 10 user license, which I thought would be plenty when I bought it. Of course, this was before all the extra mobile devices, game devices, webcams, and printers were added to the network. I quickly passed this 10 device limit and am well on my way to three times that. Everything has WiFi built-in these days, and 10 devices just doesn’t cut it anymore.

I looked into what it would cost to upgrade the ASA to a 50 user license and an unlimited license. The upgrade to a 50 user license is around $250, and the unlimited license is a $350 upgrade. That’s more than I spent on the router hardware itself.

For the past couple of years, I’ve gotten around the limitation by segmenting the network. I put my main systems (development Mac, the file server, etc.) on the primary network connected to the ASA, and have connected everything else to a second subnet that uses an Airport Extreme as a gateway. So the ASA only sees a few devices on the primary network, and everything else hides behind the Airport. This works pretty well, but the Airport Extreme bottlenecks communication between the two subnets, and devices on the primary network can’t connect to devices on the secondary network.

I’m tired of it. So this week when I saw someone on Craigslist was selling a PIX 515e firewall, I jumped at the chance to have an unrestricted network. Even though the PIX is a few years older, it’s a higher-end model so it can handle 50% more bandwidth than the ASA (up to 190 Mbps). If I ever wanted to segment the network again, the PIX supports up to 25 VLANs. And the previous owner added a memory upgrade, so it runs the same OS version that my newer ASA has. There really isn’t a drawback I can see.

Of course I am still keeping the Airport Extreme on the network. I definitely don’t want to give up wireless. But now the Airport can act as a bridge and allow two-way traffic between wired and wireless clients. I also brought all wired devices from the secondary network back onto the primary, where they can talk to each other directly using a 24 port gigabit smart switch. It is a much faster and cleaner setup.

Here’s a shot of the home network rack since the upgrade.

Home Office Rack

Enabling Ping and Traceroute on the Cisco ASA 5505

Today I found some time to sit down and figure out why my ASA box was denying ping, traceroute and other ICMP traffic. Denying all ICMP traffic is the most secure option, and I think Cisco made a good choice by making this the default. However, I really wanted to be able to ping and traceroute from inside my network to the outside world, if for no other reason than to check the latency of my servers. Here’s how to do it in ASDM.

First, open an ASDM connection to your router. Go into the Configuration screens and click on Firewall to configure the firewall options. Then click on Service Policy Rules to configure the services that the firewall software will monitor. Select the global policy (first and only one in the list), and click on the Edit button. Switch to the Rule Actions (3rd) tab, and in the list check to enable ICMP. You can leave ICMP Error unchecked. Close that and Apply the changes.

Now, if you just want to be able to ping, stop here and you are done. However, traceroute will not work with this setup. For traceroute to work, you have to complete this follow-up task.

While still under the Firewall configuration switch to the Access Rules item. Add an access rule to permit ICMP traffic. Click the Add button, make sure the interface is set to outside, action is Permit, and Source/Destination is any. Under Service, click the … button and select the icmp line and click OK. Click OK again in the Add Access Rule dialog and Apply the results to finish the process.
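The same two ASDM steps expressed on the ASA CLI, as an added example rather than the page’s own configuration; it assumes ASDM’s default object names (global_policy, inspection_default, outside_access_in) and narrows the inbound rule to the ICMP types traceroute actually needs instead of the whole icmp service.

```cisco
! Added example (not the page's configuration). Object names global_policy,
! inspection_default and outside_access_in are the ASDM defaults and are
! assumed to already exist.
!
! Step 1 (Service Policy Rules > Rule Actions > ICMP): enable ICMP inspection.
! An echo-request leaving the inside now creates a connection entry, and the
! matching echo-reply is allowed back in statefully, so ping works with no ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Step 2 (Access Rules): traceroute replies come from intermediate hops
! (time-exceeded) and from the final host (port unreachable), so they do not
! belong to the outbound probe's connection and need an explicit inbound permit.
! Unlike the page's "permit icmp any any", only those two types are allowed;
! every other unsolicited ICMP message still hits the implicit deny.
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside
!
! Verify after running a traceroute: the hit counts on the two entries should
! increase, and the inspect counters should show ICMP being tracked.
! show access-list outside_access_in
! show service-policy inspect icmp
```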

Setting up a Mac/iPhone VPN to a Cisco ASA Router

I bought a Cisco ASA 5505 about 6 months ago, and love it so far. While setting up a VPN between my iPod touch and the ASA was straightforward, I was less fortunate when trying to get the same thing working from my MacBook Pro. Here’s a description of how to configure the ASA VPN so both devices work.

First, let me give a brief outline of what I am trying to do. I want both my iPod touch and my MacBook Pro to be able to connect to the Cisco ASA box over a VPN interface. Once the VPN has been established, I want all of my internet traffic to go first to the ASA and then out to the rest of the internet from there (otherwise known as split-tunneling in network jargon). With a default VPN setup on the ASA, this works fine from the iPhone, but from the Mac I was only able to access the internal network. The rest of my internet traffic just wouldn’t get sent. Note that this configuration will not work with Mac OS X’s L2TP VPN client; you’ll need to install the Cisco VPN client instead.

The solution isn’t too difficult. First, set up a fairly default VPN configuration on the ASA. Use the VPN Wizard on the ASDM console with the following settings…

Page 1
VPN Tunnel Type: Remote Access
VPN Tunnel Interface: outside
Check the box to enable inbound IPsec sessions to bypass interface access lists.

Page 2
Select Cisco VPN Client for the client type.

Page 3
Select Pre-shared key for authentication method, typing a password into the Pre-Shared Key field.
Type in a Tunnel Group Name to use, which will be used again later. I’ll use VPNGroup as an example.

Page 4
Authenticate using the local user database.

Page 5
Make sure your ASDM username is in the list on the right side, so you are able to connect to the VPN with that account.

Page 6
If you haven’t already, create an IP address pool to use for VPN connections. This is an IP range within your internal network. I use 192.168.1.128 with a subnet mask of 255.255.255.240.

Page 7
Type in your primary and secondary DNS servers into the box. I also set my default domain name to my domain (gauchosoft.com).

Page 8
Leave everything default: Encryption is 3DES, Authentication is SHA, and DH Group is 2.

Page 9
Again, leave everything default. Encryption is 3DES and Authentication is SHA.

Page 10
Leave everything as-is, except check the box at the bottom to enable split tunneling.

Page 11
Click Finish and you are done.

Now, your iPhone should be working just fine. Just go into the VPN preferences and set up a new IPSec configuration with your server, user account/password, and group name/pre-shared secret. Unfortunately, the Mac will not be able to access the entire internet when connected to the VPN. To fix this issue, some additional configuration needs to take place in a terminal connection to the ASA box. If you haven’t already, enable SSH access to the ASA box and log in. Then run the following commands (the plain sentences between the commands are comments, not commands to type):

cisco-gw> enable
Password: your password here
cisco-gw# config terminal

cisco-gw(config)# access-list outside_nat extended permit ip 192.168.1.128 255.255.255.240 any
Use your pool network and subnet mask as the source network and mask above. The trailing any is the destination; an extended access-list needs one, or the ASA rejects the line as an incomplete command.
cisco-gw(config)# nat (outside) 1 access-list outside_nat

cisco-gw(config)# group-policy DfltGrpPolicy attributes
cisco-gw(config-group-policy)# dns-server value 208.67.222.222
Replace IP above with first DNS server
cisco-gw(config-group-policy)# nem enable
cisco-gw(config-group-policy)# exit

cisco-gw(config)# group-policy VPNGroup attributes
Replace VPNGroup above with your group from earlier.
cisco-gw(config-group-policy)# split-tunnel-policy tunnelall
cisco-gw(config-group-policy)# split-tunnel-network-list none
cisco-gw(config-group-policy)# exit

cisco-gw(config)# write memory

That’s it! Just open the Cisco VPN Client on your Mac and add a new connection profile with the group and user settings you configured on the ASA.

© 2017 *Coder Blog
