Saturday, September 28, 2013

Configuring Dynamic Inside PAT on an ASA (pre-8.3)

There are four pieces of information necessary for an ASA to perform NAT:

* Original source IP address (and port) in the packet

* Interface where the original packet enters the ASA (ingress interface)

* Interface where the packet will exit the ASA (egress interface)

* Translated address (and, optionally, port) to insert into the packet

Dynamic inside PAT creates many-to-one translations, allowing several local (original) IP addresses to share a single global (translated) IP address. It does so by creating a temporary translation of both the original IP address and the original source port number to the global IP address and a unique global port number, one per translated session. These translations are created and added to the translation (xlate) table for each outbound TCP, UDP or ICMP session that requires PAT (for ICMP the ICMP identifier plays the role of the port, as the show xlate output further down illustrates), and they are removed again when the Layer 4 session closes or its idle timeout expires. Because return traffic is admitted only when it matches an existing xlate, unsolicited inbound packets to the shared global address are dropped.

You can define an available IP address, or you can use the ASA's own IP address on the egress interface. Using the ASA interface IP is particularly useful in environments where you are provided with only one IP address (usually dynamic) by an ISP.

Dynamic PAT is typically used for client hosts that need outbound connectivity only, and when there are not enough global IP addresses available to assign a unique global address to each local host.

The nat command shown below also accepts per-host limits on simultaneous TCP and UDP connections and on embryonic (half-open) TCP connections, which bound how much of the connection table and of the shared port space a single misbehaving inside host can consume, and a norandomseq keyword that disables TCP initial sequence number randomization. Leave randomization enabled unless a specific application demonstrably requires it; it is one of the ASA's defences against TCP sequence prediction.
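
To make the many-to-one mechanism concrete, here is a small Python model of a dynamic PAT translation table. It is an added illustration, not ASA code, and it does not reproduce the ASA's real port-selection algorithm or timeouts; the global address 200.1.1.1, the inside hosts, the per-protocol port pool 1024-65535 and the class and exception names are assumptions made for the example.

```python
"""Toy model of ASA dynamic inside PAT (pre-8.3 style).

Added illustration, not Cisco code: global address, port pool and hosts are
assumed values chosen to match the lab in this post.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, int]          # (protocol, local_ip, local_port or ICMP id)


class PatExhausted(Exception):
    """No free global port left in the PAT pool for this protocol."""


class ConnLimitExceeded(Exception):
    """Per-host limit (the 'tcp <max>' / 'udp <max>' argument of nat) reached."""


@dataclass
class PatTable:
    global_ip: str                                  # e.g. the outside interface IP
    port_range: range = range(1024, 65536)          # assumed pool for this model
    max_conns_per_host: int = 0                     # 0 means unlimited, as on the ASA
    _forward: Dict[Key, int] = field(default_factory=dict)              # key -> global port
    _reverse: Dict[Tuple[str, int], Key] = field(default_factory=dict)  # (proto, gport) -> key

    def translate(self, proto: str, local_ip: str, local_port: int) -> Tuple[str, int]:
        """Outbound packet: reuse the xlate for this flow or build a new one."""
        key = (proto, local_ip, local_port)
        if key in self._forward:
            return self.global_ip, self._forward[key]
        if self.max_conns_per_host:
            # the ASA limits are per protocol (tcp/udp), so count only this protocol
            active = sum(1 for (p, ip, _) in self._forward if p == proto and ip == local_ip)
            if active >= self.max_conns_per_host:
                raise ConnLimitExceeded(local_ip)
        for gport in self.port_range:
            if (proto, gport) not in self._reverse:
                self._forward[key] = gport
                self._reverse[(proto, gport)] = key
                return self.global_ip, gport
        raise PatExhausted(proto)

    def untranslate(self, proto: str, global_port: int) -> Optional[Key]:
        """Inbound packet: only traffic that matches an existing xlate gets back in."""
        return self._reverse.get((proto, global_port))

    def close(self, proto: str, local_ip: str, local_port: int) -> None:
        """Layer 4 session ended: remove the xlate and free the global port."""
        gport = self._forward.pop((proto, local_ip, local_port), None)
        if gport is not None:
            del self._reverse[(proto, gport)]

    def in_use(self) -> int:
        return len(self._forward)

    def show_xlate(self) -> List[str]:
        """Render in the spirit of 'show xlate detail' (format mimicked, not exact)."""
        lines = [f"{self.in_use()} in use"]
        for (proto, lip, lport), gport in self._forward.items():
            lines.append(f"{proto} PAT from inside:{lip}/{lport} to outside:{self.global_ip}/{gport}")
        return lines


if __name__ == "__main__":
    pat = PatTable("200.1.1.1")
    print(pat.translate("TCP", "10.1.1.10", 2985))
    print(pat.translate("TCP", "10.1.1.11", 2985))   # same local port, distinct global port
    print(pat.untranslate("TCP", 4444))               # None: unsolicited inbound is dropped
    print("\n".join(pat.show_xlate()))
```

Two inside hosts using the same source port end up on different global ports, a packet arriving for a global port with no xlate is rejected, and closing the session frees the port; shrinking port_range shows what pool exhaustion looks like, and max_conns_per_host shows the effect of the per-host limit.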

ASA802(config)# nat ?

configure mode commands/options:
  (  Open parenthesis for the name of the network interface where the
     hosts/network designated by the local IP address are accessed
ASA802(config)# nat (?

configure mode commands/options:
Current available interface(s):

  inside   Name of interface Ethernet0/1
  outside  Name of interface Ethernet0/0
ASA802(config)# nat (inside) ?

configure mode commands/options:
  <0-2147483647>  The <nat_id> of this group of hosts/networks. This <nat_id>
                  will be referenced by the global command to associate a
                  global pool with the local IP address. <nat_id> '0' is used
                  to indicate no address translation for local IP. The limit is
                  65535 with access-lists
ASA802(config)# nat (inside) 1 ?

configure mode commands/options:
  Hostname or A.B.C.D  The hosts/networks in this <nat_id> group, '0' indicates
                       all networks or the default <nat_id> group
  access-list          Specify access-list name after this keyword
ASA802(config)# nat (inside) 1 10.1.1.0 ?

configure mode commands/options:
  A.B.C.D  IP netmask to apply to the local IP address
  <cr>
ASA802(config)# nat (inside) 1 10.1.1.0 255.255.255.0 ?

configure mode commands/options:
  <0-65535>    The maximum number of simultaneous TCP connections the local IP
               hosts are to allow, default is 0 which means unlimited
               connections. Idle connections are closed after the time
               specified by the timeout conn command
  dns          Rewrite DNS address record
  norandomseq  Disable TCP sequence number randomization
  outside      Enable Outside NAT
  tcp          Configure TCP specific parameters
  udp          Configure UDP specific parameters
  <cr>
ASA802(config)# nat (inside) 1 10.1.1.0 255.255.255.0 tcp ?

configure mode commands/options:
  <0-65535>  The maximum number of simultaneous TCP connections the local IP
             hosts are to allow, default is 0 which means unlimited
             connections. Idle connections are closed after the time specified
             by the timeout conn command
ASA802(config)# nat (inside) 1 10.1.1.0 255.255.255.0 tcp 0 ?

configure mode commands/options:
  <0-65535>  The maximum number of embryonic connections per host, default is
             0, which means unlimited connections. An embryonic connection is a
             connection request that has not finished the necessary handshake
             between source and destination
  <cr>
ASA802(config)# nat (inside) 1 10.1.1.0 255.255.255.0 tcp 0 0 ?

configure mode commands/options:
  norandomseq  Disable TCP sequence number randomization
  udp          Configure UDP specific parameters
  <cr>
ASA802(config)# nat (inside) 1 10.1.1.0 255.255.255.0 tcp 0 0 udp ?

configure mode commands/options:
  <0-65535>  The maximum number of simultaneous UDP connections the local IP
             hosts are to allow, default is 0 which means unlimited
             connections. Idle connections are closed after the time specified
             by the timeout conn command
ASA802(config)# nat (inside) 1 10.1.1.0 255.255.255.0 tcp 0 0 udp 0
ASA802(config)# global ?

configure mode commands/options:
  (  Open parenthesis for the external network interface name
ASA802(config)# global (?

configure mode commands/options:
Current available interface(s):

  inside   Name of interface Ethernet0/1
  outside  Name of interface Ethernet0/0
ASA802(config)# global (outside) ?

configure mode commands/options:
  <0-2147483647>  The id of the NAT group that will draw from these global
                  addresses
ASA802(config)# global (outside) 1 ?

configure mode commands/options:
  WORD       Enter IP address or a range of IP addresses <start_ip>[-<end_ip>]
  interface  Specifies PAT using the IP address at the interface
ASA802(config)# global (outside) 1 interface

ASA802# show xlate
0 in use, 1 most used


My PC is still not able to ping the Internet (8.8.8.8), and the translation table is empty (0 in use). Two changes followed. First, ICMP is not inspected (made stateful) by default, so the echo replies arriving on the outside interface are dropped by the default interface security policy; I created a Modular Policy Framework (MPF) policy that enables ICMP inspection and applied it to the ASA's inside interface (the class-map inside-class that selects the traffic is not shown here). Second, I enabled nat-control (disabled by default), which requires every packet going from the inside interface to the outside interface to match a NAT rule. Note that nat-control tightens the policy rather than fixing connectivity: with it enabled, inside traffic that matches no nat statement is dropped instead of being routed untranslated.

policy-map inside-policy
 class inside-class
  inspect icmp
!
service-policy inside-policy interface inside  

ASA802(config)# nat?

configure mode commands/options:
  nat    nat-control
ASA802(config)# nat-control


ASA802# show xlate
2 in use, 2 most used
PAT Global 200.1.1.1(1024) Local 10.1.1.10(2985)
PAT Global 200.1.1.1(14) Local 10.1.1.10 ICMP id 1
ASA802# show xlate detail
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
ICMP PAT from inside:10.1.1.10/1 to outside:200.1.1.1/15 flags ri
TCP PAT from inside:10.1.1.10/2985 to outside:200.1.1.1/1024 flags ri

Saturday, September 14, 2013

Configure Syslog and Debug Facility on an ASA

Most issues with remote management access show up in the ASA system log (or on a remote syslog server). Use the show logging command or the ASDM real-time log viewer to examine the log buffer on the ASA.

ciscoasa(config)# logging ?

configure mode commands/options:
  asdm                      Set logging level or list for ASDM
  asdm-buffer-size          Specify ASDM logging buffer size
  buffer-size               Specify logging memory buffer size
  buffered                  Set buffer logging level or list
  class                     Specify logging event class
  console                   Set console logging level or list
  debug-trace               Enable logging of redirect debug-trace output to
                            syslog
  device-id                 Specify the device-id to be included in all
                            non-EMBLEM formatted syslog messages
  emblem                    Enable logging Emblem format on all output
                            supported destinations
  enable                    Enable logging to all output supported destinations
  facility                  Specify the syslog facility, the default is 20
  flash-bufferwrap          Save logging buffer to flash when buffer
                            wrap-around
  flash-maximum-allocation  Specify logging maximum flash space allocation
  flash-minimum-free        Specify logging minimum flash free space threshold
  flow-export-syslogs       Enable/Disable syslogs whose information is
                            captured by NetFlow
  from-address              Specify the from address for the mail logging
  ftp-bufferwrap            Save logging buffer using FTP when buffer
                            wrap-around
  ftp-server                Specify FTP server parameters
  history                   Set the SNMP message level or list for sending
                            syslog traps
  host                      Send syslog messages to a host
  list                      Specify logging event list
  mail                      Set mail logging level or list
  message                   Specify a message to be allowed
  monitor                   Specify that syslog messages appear on Telnet
                            sessions to the Firewall console
  permit-hostdown           Allow new connection even if TCP syslog server is
                            down
  queue                     Specify queue size for storing syslog messages,
                            default is 512, 0 means unlimited (subject to
                            available memory)
  rate-limit                Specify logging rate-limit parameters
  recipient-address         Specify the mail logging recipient address and
                            level
  standby                   Enable logging on standby unit with failover
                            enabled, warning: this option causes twice as much
                            traffic on the syslog server
  timestamp                 Enable logging timestamp on syslog messages
  trap                      Set logging level or list for syslog server

exec mode commands/options:
  savelog  Save logging buffer to flash

ciscoasa(config)# logging enable
ciscoasa(config)# logging buffered  ?

configure mode commands/options:
  <0-7>          Enter syslog level (0 - 7)
  WORD           Specify the name of logging list
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
ciscoasa(config)# logging buffered debugging
ciscoasa(config)#
%ASA-5-111008: User 'enable_15' executed the 'logging buffered debugging' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'logging buffered debugging'
ciscoasa(config)# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 2 messages logged
    Trap logging: disabled
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled


If you wish to log all messages at all severity levels, do so to the internal buffer (or a remote syslog server), never to the console: console output is slow and synchronous, so logging at the debugging level to the console can degrade performance and make the console session unusable. It is generally recommended to leave console logging disabled.

The Cisco ASDM also contains a powerful event viewer that you can use to display real-time messages from the ASA. This event viewer is particularly useful when you are troubleshooting ASA software and configuration issues, or when you are monitoring real-time activity through the ASA.

You enable logging to the internal ASDM event viewer by configuring the ASDM logging destination and specifying a logging filter, in the same manner as for other logging destinations.

ciscoasa(config)# logging asdm ?

configure mode commands/options:
  <0-7>          Enter syslog level (0 - 7)
  WORD           Specify the name of logging list
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
ciscoasa(config)# logging asdm informational

If the syslog messages don't pinpoint the issue, consider debugging management protocols on the ASA, such as the following:

* debug ssh: Debugs the SSH daemons to determine low-level protocol failures, such as algorithm or version incompatibility.

* debug http: Debugs HTTP exchanges to determine problems with the ASDM image.

* debug snmp: Debugs SNMP exchanges to help determine problems with SNMP authentication and OIDs.

ciscoasa# debug ssh ?

  <1-255>  Specify an optional debug level (default is 1)
  <cr>
ciscoasa# debug ssh
debug ssh  enabled at level 1
%ASA-5-111008: User 'enable_15' executed the 'debug ssh' command.
ciscoasa#
%ASA-6-302013: Built inbound TCP connection 1304 for management:10.1.1.10/3919 (10.1.1.10/3919) to identity:10.1.1.1/22 (10.1.1.1/22)
%ASA-3-315004: Fail to establish SSH session because RSA host key retrieval failed.
%ASA-6-315011: SSH session from 10.1.1.10 on interface management for user "" disconnected by SSH server, reason: "Internal error" (0x00)
Device ssh opened successfully.
SSH0: SSH client: IP = '10.1.1.10'  interface # = 2
SSH: unable to retrieve default host public key.  Please create a defauth RSA key pair before using SSH
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"
%ASA-6-302014: Teardown TCP connection 1304 for management:10.1.1.10/3919 to identity:10.1.1.1/22 duration 0:00:00 bytes 0 TCP FINs

ciscoasa# debug http
debug http enabled at level 1.
ciscoasa# %ASA-5-111008: User 'enable_15' executed the 'debug http' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'debug http'
ciscoasa#
%ASA-3-710003: TCP access denied by ACL from 10.1.1.10/3966 to management:10.1.1.1/443
%ASA-7-710005: TCP request discarded from 10.1.1.10/3966 to management:10.1.1.1/443
%ASA-3-710003: TCP access denied by ACL from 10.1.1.10/3966 to management:10.1.1.1/443
%ASA-7-710005: TCP request discarded from 10.1.1.10/3966 to management:10.1.1.1/443


Finally, you can also troubleshoot issues between an ASA and a remote AAA server with the debug tacacs or debug radius commands. Use conditional debugging (for example, limiting output to a single username) to avoid excessive output and performance impact. The transcript below uses debug aaa authentication instead, which also shows the outcome of logins against the local database.

ciscoasa# debug aaa ?

  accounting
  authentication
  authorization
  common
  internal
  shim
  <cr>
ciscoasa# debug aaa authentication
debug aaa authentication enabled at level 1
ciscoasa# %ASA-5-111008: User 'enable_15' executed the 'debug aaa authentication' command.
ciscoasa# exit

Logoff

Username: %ASA-5-611103: User logged out: Uname: enable_15

Username: cisco
Password: *****
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = cisco
%ASA-6-611102: User authentication failed: Uname: cisco
%ASA-6-605004: Login denied from serial to console for user "cisco"
Username: John
Password: *****
%ASA-6-113012: AAA user authentication Successful : local database : user = John
%ASA-6-113008: AAA transaction status ACCEPT : user = John
Type help or '?' for a list of available commands.
%ASA-6-611101: User authentication succeeded: Uname: John
%ASA-6-605005: Login permitted from serial to console for user "John"
ciscoasa> enable
Password: 
ciscoasa# %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
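
As an added example (not from the original post), here is a Python parser for the %ASA-<severity>-<message id>: <text> format shown throughout these transcripts, with the severity names from the logging buffered ? output above applied as a filter, and a small detector that counts AAA rejections (message 113015) per user, such as the failed logins for "cisco" in the transcript. The sample lines are constructed from messages on this page; the repeated rejection, the timestamped line and the function and constant names are assumptions made for the example.

```python
"""ASA syslog parsing and a small failed-login detector.

Added illustration, not Cisco code. SAMPLE_LOG is constructed from messages
shown in this post; the repeated rejection for 'cisco' and the timestamped
line are invented to exercise the code.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional

# Severity names exactly as 'logging buffered ?' lists them; 0 is the most severe.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
SEVERITY_NUMBERS = {name: num for num, name in SEVERITY_NAMES.items()}

# %ASA-<severity>-<message id>: <text>; search() tolerates a leading
# timestamp or device-id, which 'logging timestamp' / 'logging device-id' add.
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
USER_RE = re.compile(r"user = (\S+)")

# Message IDs that appear in the transcripts above.
AAA_REJECTED = 113015      # AAA user authentication Rejected
AAA_ACCEPTED = 113012      # AAA user authentication Successful


class Msg(NamedTuple):
    severity: int
    msgid: int
    text: str


def parse_line(line: str) -> Optional[Msg]:
    """Return the structured message, or None for lines that are not syslog."""
    m = ASA_RE.search(line)
    if m is None:
        return None
    return Msg(int(m.group("sev")), int(m.group("msgid")), m.group("text"))


def parse_log(lines: Iterable[str]) -> List[Msg]:
    """Parse a log buffer, silently skipping console echo and other non-syslog lines."""
    return [msg for msg in map(parse_line, lines) if msg is not None]


def at_or_above(msgs: List[Msg], level: str) -> List[Msg]:
    """Messages a logging destination set to 'level' would receive.

    Syslog levels are inclusive downwards: 'logging buffered errors' keeps
    severities 0-3, 'debugging' keeps everything.
    """
    return [m for m in msgs if m.severity <= SEVERITY_NUMBERS[level]]


def failed_logins_by_user(msgs: List[Msg]) -> Dict[str, int]:
    """Count 113015 rejections per user name."""
    counts: Counter = Counter()
    for m in msgs:
        if m.msgid == AAA_REJECTED:
            u = USER_RE.search(m.text)
            if u:
                counts[u.group(1)] += 1
    return dict(counts)


def brute_force_candidates(msgs: List[Msg], threshold: int = 2) -> List[str]:
    """Users with at least 'threshold' rejections, a simple password-guessing signal."""
    return sorted(u for u, n in failed_logins_by_user(msgs).items() if n >= threshold)


# Constructed sample: messages from this post plus one repeated, timestamped rejection.
SAMPLE_LOG = [
    "%ASA-5-111008: User 'enable_15' executed the 'logging buffered debugging' command.",
    "%ASA-3-315004: Fail to establish SSH session because RSA host key retrieval failed.",
    "%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = cisco",
    "%ASA-6-611102: User authentication failed: Uname: cisco",
    "%ASA-6-605004: Login denied from serial to console for user \"cisco\"",
    "Sep 14 2013 12:00:01: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = cisco",
    "%ASA-6-113012: AAA user authentication Successful : local database : user = John",
    "%ASA-3-710003: TCP access denied by ACL from 10.1.1.10/3966 to management:10.1.1.1/443",
    "%ASA-7-710005: TCP request discarded from 10.1.1.10/3966 to management:10.1.1.1/443",
    "Username: cisco",   # console echo, not a syslog message
]

if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    print(f"{len(msgs)} syslog messages parsed")
    for m in at_or_above(msgs, "errors"):
        print(f"{SEVERITY_NAMES[m.severity]:<13} {m.msgid} {m.text}")
    print("failed logins:", failed_logins_by_user(msgs))
    print("candidates:", brute_force_candidates(msgs))
```

Feed it the output of show logging (or the syslog server's file) and adjust the threshold to your environment; the same parser is the starting point for alerting on other IDs from these transcripts, such as 710003 (management access denied by ACL) or 502103 (privilege level change).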

Sunday, September 1, 2013

Configuring AAA Access Using Remote AAA Server (TACACS+)

Configuring AAA authentication on the ASA is a three-step process:

Step 1: Create a AAA server group, if none already exists, and configure how the servers in the group are accessed (protocol, port, and how to decide that a server has failed).

Step 2: Populate the server group with member servers. Define the location of each server and assign a shared secret (a symmetric key), which is used to protect the communication between the ASA and the remote AAA server (TACACS+ obfuscates the whole packet body, RADIUS protects only the password attribute). The same secret must be configured on the server when the ASA is defined as a AAA client.

Step 3: Enable user authentication for each remote management access channel (the consoles). For each console on which AAA authentication is enabled, name the authentication server group to use (a group, not a specific server). Append the LOCAL keyword after the group name so that the local user database is consulted when every server in the group is unreachable; without that fallback, a dead TACACS+ server can lock you out of the firewall.

In this scenario the ASA is configured to authenticate the user "John" against a Cisco ACS (Access Control Server) over TACACS+ before granting access to the firewall. Note that the transcript below enters the aaa authentication command before the server group and its host exist; when building the configuration yourself, complete steps 1 and 2 first and verify the server with test aaa-server before switching any console over to it.

FIREWALL(config)# aaa authentication ?

configure mode commands/options:
  enable              Enable
  exclude             Exclude the service, local and foreign network which
                      needs to be authenticated, authorized, and accounted
  http                HTTP
  include             Include the service, local and foreign network which
                      needs to be authenticated, authorized, and accounted
  listener            Configure an HTTP or HTTPS authentication listener
  match               Specify this keyword to configure an ACL to match
  secure-http-client  Specify this keyword to ensure HTTP client authentication
                      is secured (over SSL)
  serial              Serial
  ssh                 SSH
  telnet              Telnet
FIREWALL(config)# aaa authentication enable ?

configure mode commands/options:
  console  Specify this keyword to identify a server group for administrative
           authentication
FIREWALL(config)# aaa authentication enable console ?

configure mode commands/options:
  LOCAL  Predefined server tag for AAA protocol 'local'
  WORD   Name of RADIUS or TACACS+ aaa-server group for administrative
         authentication
FIREWALL(config)# aaa authentication enable console TEST-TACACS
FIREWALL(config)# aaa-server ?

configure mode commands/options:
  WORD < 17 char  Enter a AAA server group tag

exec mode commands/options:
  WORD < 17 char  Enter a AAA server group tag
FIREWALL(config)# aaa-server TEST-TACACS ?

configure mode commands/options:
  (                    Open parenthesis for the name of the network interface
                       where the designated AAA server is accessed
  deadtime             Specify the amount of time that will elapse between the
                       disabling of the last server in the group and the
                       subsequent re-enabling of all servers
  host                 Enter this keyword to specify the IP address for the
                       server
  max-failed-attempts  Specify the maximum number of failures that will be
                       allowed for any server in the group before that server
                       is deactivated
  protocol             Enter the protocol for a AAA server group

exec mode commands/options:
  active  transition a FAILED AAA server to ACTIVE
  fail    transition an ACTIVE AAA server to FAILED
FIREWALL(config)# aaa-server TEST-TACACS protocol ?

configure mode commands/options:
  http-form  Protocol HTTP form-based
  kerberos   Protocol Kerberos
  ldap       Protocol LDAP
  nt         Protocol NT
  radius     Protocol RADIUS
  sdi        Protocol SDI
  tacacs+    Protocol TACACS+
FIREWALL(config)# aaa-server TEST-TACACS protocol tacacs+
FIREWALL(config-aaa-server-group)# ?

AAA server configuration commands:
  accounting-mode      Enter this keyword to specify accounting mode
  exit                 Exit from aaa-server group configuration mode
  help                 Help for AAA server configuration commands
  max-failed-attempts  Specify the maximum number of failures that will be
                       allowed for any server in the group before that server
                       is deactivated
  no                   Remove an item from aaa-server group configuration
  reactivation-mode    Specify the method by which failed servers are
                       reactivated
FIREWALL(config-aaa-server-group)# max-failed-attempts ?

aaa-server-group mode commands/options:
  <1-5>  Maximum number of failures (1-5)
FIREWALL(config-aaa-server-group)# max-failed-attempts 3
FIREWALL(config-aaa-server-group)# exit
FIREWALL(config)# aaa-server TEST-TACACS (inside) ?

configure mode commands/options:
  host  Enter this keyword to specify the IP address for the server
FIREWALL(config)# aaa-server TEST-TACACS (inside) host 10.1.1.20 ?

configure mode commands/options:
  WORD     Alphanumeric keyword up to 128 characters used as the encryption key
           for communicating with the AAA server.
  timeout  Specify the maximum time to wait for response from configured server
  <cr>
FIREWALL(config)# aaa-server TEST-TACACS (inside) host 10.1.1.20 cisco123
FIREWALL(config)# test ?

exec mode commands/options:
  aaa-server                    Test aaa-server configuration
  dynamic-access-policy-record  Test DAP posture assesment.
  regex                         Test a regular expression
  sso-server                    Test sso-server configuration
FIREWALL(config)# test aaa-server ?

exec mode commands/options:
  ad-agent        Test connectivity to the AD agent server
  authentication  Test connectivity to the authentication server
  authorization   Test connectivity to the authorization server
FIREWALL(config)# test aaa-server authentication ?

exec mode commands/options:
  WORD < 17 char  Enter a AAA server group tag
FIREWALL(config)# test aaa-server authentication TEST-TACACS ?

exec mode commands/options:
  delegate     Test Kerberos constrained delegation
  host         Enter this keyword to specify the IP address for the server
  impersonate  Test Kerberos protocol transition
  password     Password keyword
  self         Test Kerberos self-ticket retrieval
  username     Username keyword
  <cr>
FIREWALL(config)# test aaa-server authentication TEST-TACACS username ?

exec mode commands/options:
  WORD  Enter the username
FIREWALL(config)# test aaa-server authentication TEST-TACACS username John ?

exec mode commands/options:
  delegate     Test Kerberos constrained delegation
  impersonate  Test Kerberos protocol transition
  password     Password keyword
  <cr>
FIREWALL(config)# test aaa-server authentication TEST-TACACS username John password cisco123
Server IP Address or name: 10.1.1.20
INFO: Attempting Authentication test to IP address <10.1.1.20> (timeout: 12 seconds)
INFO: Authentication Successful
FIREWALL(config)# show aaa-server TEST-TACACS
Server Group:    TEST-TACACS
Server Protocol: tacacs+
Server Address:  10.1.1.20
Server port:     49
Server status:   ACTIVE, Last transaction at 17:56:06 UTC Mon Jul 1 2013
Number of pending requests              0
Average round trip time                 18ms
Number of authentication requests       27
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       3
Number of rejects                       24
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      0
Number of unrecognized responses        0


Below are the configuration screenshots for the ACS/TACACS+ server: