Sunday, July 27, 2014

ASA 5500-X Firewall Serial Numbers

I recently configured an ASA 5525-X firewall and needed to activate a security context license. I noticed there were two serial numbers: one printed on the chassis and another shown in the show version command output.


According to Cisco, the chassis serial number is used to tie the unit to its SmartNet contract, while the show version serial number is used for licensing (3DES/AES, Security Context, Botnet, etc.).

Here's a link to Cisco's licensing portal (CCO login required) and a sample Product Authorization Key (PAK) or e-license sent via email. The product code for the 10 Security Context license is L-ASA-SC-10=. The 5525-X supports 2 security contexts by default and a maximum of 20 according to the ASA 5500-X Series matrix.


Here's the full boot-up output and default configuration of the ASA device:


Wait for the first 10 seconds for BMC initial!
Wait for the second 10 seconds for BMC initial!
Wait for the third 10 seconds for BMC initial!
Wait for the latest 10 seconds for BMC initial!
Wait for BMC initial successfully, BIOS POST ongoing!
Booting system, please wait.........

Cisco BIOS Version:9B2C109A
Build Date:05/15/2013 16:34:44

CPU Type: Intel(R) Xeon(R) CPU           X3430  @ 2.40GHz, 2394 MHz
Total Memory:8192 MB(DDR3 1333)
System memory:624 KB, Extended Memory:3573 MB


PCI Device Table:
   Bus   Dev   Func   VendID  DevID  Class   IRQ
---------------------------------------------------------
   00    00    00      8086   D130   Bridge Device
   00    03    00      8086   D138   PCI Bridge,IRQ=11
   00    05    00      8086   D13A   PCI Bridge,IRQ=11
   00    08    00      8086   D155   System Device
   00    08    01      8086   D156   System Device
   00    08    02      8086   D157   System Device
   00    08    03      8086   D158   System Device
   00    10    00      8086   D150   System Device
   00    10    01      8086   D151   System Device
   00    16    00      8086   3B64   I/O Port Device,IRQ=11
   00    1A    00      8086   3B3C   USB Controller,IRQ=11
   00    1C    00      8086   3B42   PCI Bridge,IRQ=10
   00    1C    04      8086   3B4A   PCI Bridge,IRQ=10
   00    1C    05      8086   3B4C   PCI Bridge,IRQ=11
   00    1D    00      8086   3B34   USB Controller,IRQ=7
   00    1E    00      8086   244E   PCI Bridge
   00    1F    00      8086   3B16   Bridge Device
   00    1F    02      8086   3B22   SATA DPA,IRQ=5
   00    1F    03      8086   3B30   SMBus,IRQ=11
   01    00    00      10B5   8618   PCI Bridge,IRQ=11
   02    01    00      10B5   8618   PCI Bridge,IRQ=10
   02    03    00      10B5   8618   PCI Bridge,IRQ=5
   02    05    00      10B5   8618   PCI Bridge,IRQ=10
   02    07    00      10B5   8618   PCI Bridge,IRQ=5
   02    09    00      10B5   8618   PCI Bridge,IRQ=10
   02    0B    00      10B5   8618   PCI Bridge,IRQ=5
   02    0D    00      10B5   8618   PCI Bridge,IRQ=10
   02    0F    00      10B5   8618   PCI Bridge,IRQ=5
   03    00    00      8086   10D3   Ethernet,IRQ=10
   04    00    00      8086   10D3   Ethernet,IRQ=5
   05    00    00      8086   10D3   Ethernet,IRQ=10
   06    00    00      8086   10D3   Ethernet,IRQ=5
   07    00    00      8086   10D3   Ethernet,IRQ=10
   08    00    00      8086   10D3   Ethernet,IRQ=5
   09    00    00      8086   10D3   Ethernet,IRQ=10
   0A    00    00      8086   10D3   Ethernet,IRQ=5
   0B    00    00      10B5   8624   PCI Bridge,IRQ=11
   0C    04    00      10B5   8624   PCI Bridge,IRQ=11
   0C    05    00      10B5   8624   PCI Bridge,IRQ=10
   0C    08    00      10B5   8624   PCI Bridge,IRQ=11
   0C    09    00      10B5   8624   PCI Bridge,IRQ=10
   0F    00    00      1000   0A05   Processor,IRQ=11
   11    00    00      177D   0010   Cavium Encryption,IRQ=11
   12    00    00      8086   10D3   Ethernet,IRQ=11
   13    00    00      1A03   1150   PCI Bridge,IRQ=10
   14    00    00      1A03   2000   VGA,IRQ=10
   FF    00    00      8086   2C50   Bridge Device
   FF    00    01      8086   2C81   Bridge Device
   FF    02    00      8086   2C90   Bridge Device
   FF    02    01      8086   2C91   Bridge Device
   FF    03    00      8086   2C98   Bridge Device
   FF    03    01      8086   2C99   Bridge Device
   FF    03    02      8086   2C9A   Bridge Device
   FF    03    04      8086   2C9C   Bridge Device
   FF    04    00      8086   2CA0   Bridge Device
   FF    04    01      8086   2CA1   Bridge Device
   FF    04    02      8086   2CA2   Bridge Device
   FF    04    03      8086   2CA3   Bridge Device
   FF    05    00      8086   2CA8   Bridge Device
   FF    05    01      8086   2CA9   Bridge Device
   FF    05    02      8086   2CAA   Bridge Device
   FF    05    03      8086   2CAB   Bridge Device


Booting from ROMMON

Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011



Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Launching BootLoader...
Boot configuration file contains 1 entry.


Loading disk0:/asa861-2-smp-k8.bin... Booting...
Platform ASA5525

Loading...
IO memory blocks requested from bigphys 32bit: 61984
ÿdosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/sda1: 118 files, 20472/1951812 clusters
dosfsck(/dev/sda1) returned 0
Processor memory 3512373248, Reserved memory: 0

Total NICs found: 13
i82574L rev00 Gigabit Ethernet @ irq10 dev 0 index 08 MAC: 7426.ac5a.debf
i82574L rev00 Gigabit Ethernet @ irq10 dev 0 index 07 MAC: 7426.ac5a.dec3
i82574L rev00 Gigabit Ethernet @ irq05 dev 0 index 06 MAC: 7426.ac5a.debe
i82574L rev00 Gigabit Ethernet @ irq05 dev 0 index 05 MAC: 7426.ac5a.dec2
i82574L rev00 Gigabit Ethernet @ irq10 dev 0 index 04 MAC: 7426.ac5a.debd
i82574L rev00 Gigabit Ethernet @ irq10 dev 0 index 03 MAC: 7426.ac5a.dec1
i82574L rev00 Gigabit Ethernet @ irq05 dev 0 index 02 MAC: 7426.ac5a.debc
i82574L rev00 Gigabit Ethernet @ irq05 dev 0 index 01 MAC: 7426.ac5a.dec0
i82574L rev00 Gigabit Ethernet @ irq11 dev 0 index 00 MAC: 7426.ac5a.debb
ivshmem rev03 Backplane Data Interface     @ index 09 MAC: 0000.0001.0002
en_vtun rev00 Backplane Control Interface  @ index 10 MAC: 0000.0001.0001
en_vtun rev00 Backplane Int-Mgmt Interface     @ index 11 MAC: 0000.0001.0003
en_vtun rev00 Backplane Ext-Mgmt Interface     @ index 12 MAC: 0000.0000.0000
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-0014
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0014
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0x2c30cf45 0x4cc17a85 0xb9137dd4 0xf418e86c 0x493abcdef

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual

This platform has an ASA5525 VPN Premium license.


Cisco Adaptive Security Appliance Software Version 8.6(1)2

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************

Copyright (c) 1996-2012 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Reading from flash...
!.
Cryptochecksum (unchanged): 71d9aac2 22d7123c d5cac894 e118f10c
Type help or '?' for a list of available commands.
ciscoasa> enable
Password:
ciscoasa# show running-config
: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:71d9aac222d7123cd5cac894e118f10c
: end


ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)

Compiled on Fri 01-Jun-12 02:16 by builders
System image file is "disk0:/asa861-2-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 3 mins 17 secs

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 4096MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-0014
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0014
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is 7426.ac5a.debb, irq 11
 1: Ext: GigabitEthernet0/0  : address is 7426.ac5a.dec0, irq 5
 2: Ext: GigabitEthernet0/1  : address is 7426.ac5a.debc, irq 5
 3: Ext: GigabitEthernet0/2  : address is 7426.ac5a.dec1, irq 10
 4: Ext: GigabitEthernet0/3  : address is 7426.ac5a.debd, irq 10
 5: Ext: GigabitEthernet0/4  : address is 7426.ac5a.dec2, irq 5
 6: Ext: GigabitEthernet0/5  : address is 7426.ac5a.debe, irq 5
 7: Ext: GigabitEthernet0/6  : address is 7426.ac5a.dec3, irq 10
 8: Ext: GigabitEthernet0/7  : address is 7426.ac5a.debf, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is 7426.ac5a.debb, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual  
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH18xxxxxx   // LOWER LEFT SERIAL NUMBER ON THE CHASSIS, USED FOR LICENSING PORTAL
Running Permanent Activation Key: 0x2c30cf45 0x4cc17a85 0xb9137dd4 0xf418e86c 0x493cc5ac
Configuration register is 0x1
Configuration has not been modified since last system restart.


ciscoasa#  show inventory
Name: "Chassis", DESCR: "ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC"
PID: ASA5525           , VID: V02     , SN: FGL18xxxxxx   // RIGHT SIDE SERIAL NUMBER ON THE CHASSIS, USED FOR SMARTNET


ciscoasa#  activation-key ?

  <0x0-0xffffffff>  Enter four-or-five-tuple activation-key
  noconfirm         Do not prompt for confirmation
ciscoasa#  activation-key c22ecd45 78ac555a a9637128 fe9838f8 0e1abcde   // SECURITY CONTEXT LICENSE KEY, GENERATED FROM CISCO LICENSING PORTAL AND IT'S TIED TO THE 'SHOW VERSION' SERIAL NUMBER
Validating activation key. This may take a few minutes...
Both Running and Flash permanent activation key was updated with the requested key.

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)

Compiled on Fri 01-Jun-12 02:16 by builders
System image file is "disk0:/asa861-2-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 8 mins 35 secs

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 4096MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-0014
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0014
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is 7426.ac5a.debb, irq 11
 1: Ext: GigabitEthernet0/0  : address is 7426.ac5a.dec0, irq 5
 2: Ext: GigabitEthernet0/1  : address is 7426.ac5a.debc, irq 5
 3: Ext: GigabitEthernet0/2  : address is 7426.ac5a.dec1, irq 10
 4: Ext: GigabitEthernet0/3  : address is 7426.ac5a.debd, irq 10
 5: Ext: GigabitEthernet0/4  : address is 7426.ac5a.dec2, irq 5
 6: Ext: GigabitEthernet0/5  : address is 7426.ac5a.debe, irq 5
 7: Ext: GigabitEthernet0/6  : address is 7426.ac5a.dec3, irq 10
 8: Ext: GigabitEthernet0/7  : address is 7426.ac5a.debf, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is 7426.ac5a.debb, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 10             perpetual 
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH18xxxxxx
Running Permanent Activation Key: 0xc22ecd45 0x78ac555a 0xa9637128 0xfe9838f8 0x493cc5ac
Configuration register is 0x1
Configuration has not been modified since last system restart.

ciscoasa# configure terminal
ciscoasa(config)# mode ?

configure mode commands/options:
  multiple   Multiple mode; mode with security contexts
  noconfirm  Do not prompt for confirmation
  single     Single mode; mode without security contexts
ciscoasa(config)# mode multiple   // ASA WILL AUTO REBOOT AFTERWARDS
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash

Converting the configuration - this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple



***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode
Process shutdown finished


<OUTPUT TRUNCATED>

ciscoasa# show mode
Security context mode: multiple
ciscoasa# show running-config
: Saved
:
ASA Version 8.6(1)2 <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface GigabitEthernet0/0
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface GigabitEthernet0/3
 shutdown
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/5
 shutdown
!
interface GigabitEthernet0/6
 shutdown
!
interface GigabitEthernet0/7
 shutdown
!
interface Management0/0
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!

boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
pager lines 24
no failover
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin     // DEFAULT CONTEXT
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!

prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9cfa9a9c0ce42750fb12f071b3459f3d
: end
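As an added example (not from the original post), here is a small Python parser for the `show version` and `show inventory` captures above. It pulls out the two serial numbers the post distinguishes, reads the licensed-feature table from the block that follows "Licensed features for this platform:" only (so the activation-key and serial lines further down are never mistaken for features), and diffs the table before and after the activation key to confirm that only Security Contexts changed (2 to 10). The sample text is constructed from the page's own output, with the serials obfuscated exactly as the author left them; the parser also recognizes time-based terms such as "91 days", which this post's perpetual licenses do not exercise.

```python
import re

# Constructed samples: trimmed copies of the post's `show version` output before and
# after the activation key, plus the `show inventory` line (serials obfuscated as on the page).
SHOW_VERSION_BEFORE = """\
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH18xxxxxx
Running Permanent Activation Key: 0x2c30cf45 0x4cc17a85 0xb9137dd4 0xf418e86c 0x493cc5ac
"""

SHOW_VERSION_AFTER = SHOW_VERSION_BEFORE.replace(
    "Security Contexts                 : 2              perpetual",
    "Security Contexts                 : 10             perpetual",
).replace("0x2c30cf45 0x4cc17a85 0xb9137dd4 0xf418e86c", "0xc22ecd45 0x78ac555a 0xa9637128 0xfe9838f8")

SHOW_INVENTORY = """\
Name: "Chassis", DESCR: "ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC"
PID: ASA5525           , VID: V02     , SN: FGL18xxxxxx
"""

# One row of the feature table: name, a single-token value, then a term such as
# "perpetual", "91 days" (time-based key) or "DMZ Restricted".
FEATURE_RE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<value>\S+)\s+(?P<term>\S.*?)\s*$")


def parse_licensed_features(show_version):
    """Return {feature: (value, term)} from the 'Licensed features' block only."""
    features = {}
    in_table = False
    for line in show_version.splitlines():
        if line.startswith("Licensed features for this platform:"):
            in_table = True
            continue
        if not in_table:
            continue
        if not line.strip():
            break  # the first blank line closes the table
        m = FEATURE_RE.match(line)
        if m:
            features[m["name"].strip()] = (m["value"], m["term"])
    return features


def parse_serials(show_version, show_inventory):
    """The two serials: 'show version' (licensing portal) and the chassis SN
    from 'show inventory' (SmartNet contract)."""
    lic = re.search(r"^Serial Number:\s*(\S+)", show_version, re.MULTILINE)
    chassis = re.search(r"\bSN:\s*(\S+)", show_inventory)
    return {
        "licensing": lic.group(1) if lic else None,
        "smartnet": chassis.group(1) if chassis else None,
    }


def parse_activation_key(show_version):
    """Running permanent activation key as a tuple of hex words."""
    m = re.search(r"^Running Permanent Activation Key:\s*(.+)$", show_version, re.MULTILINE)
    return tuple(m.group(1).split()) if m else ()


def diff_features(before, after):
    """{feature: (old, new)} for rows whose value or term changed, or that are new."""
    return {k: (before.get(k), v) for k, v in after.items() if before.get(k) != v}


def timebased_features(features):
    """Rows licensed by a time-based key, e.g. ('Enabled', '91 days')."""
    return {k: v for k, v in features.items() if re.fullmatch(r"\d+ days?", v[1])}


if __name__ == "__main__":
    print(parse_serials(SHOW_VERSION_BEFORE, SHOW_INVENTORY))
    print(diff_features(parse_licensed_features(SHOW_VERSION_BEFORE),
                        parse_licensed_features(SHOW_VERSION_AFTER)))
```

Feeding the two full captures from the post into `diff_features` gives a single changed row, which is the check worth keeping after any activation-key change: the new key should add exactly the feature that was purchased and nothing else.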

Thursday, July 17, 2014

Cisco VPN Client on iPhone

My previous post showed how to connect to a VPN using the AnyConnect app installed on an iPhone. There's also a native VPN client (mine's an iPhone 5 running iOS 7.1) where we can set up and connect to a VPN.

We do this by navigating to Settings > VPN.


We select IPsec and enter the server IP address (the ASA's "outside" interface), the local username, Group Name (tunnel profile) and password. These are all configured on the ASA firewall.


We connect by tapping the "VPN" button and entering our login credentials for the local user created on the ASA. Tap OK and you'll see a VPN icon at the top of the iPhone screen.





Saturday, July 12, 2014

Cisco Secure Desktop (CSD) on ASA

When deploying a clientless or full tunnel SSL VPN solution for remote users, guests, and customers to access your resources, you run the risk of those users connecting from devices that are not under your direct control or that contain potentially harmful software such as keyloggers. Therefore, you must be able to provide them with a secure local environment while they are accessing your resources. In addition, after they have completed their work and closed the connection, you must also be able to remove any cached settings or credentials that might have been used during their connection (to prevent replay or session-based attacks, identity theft, and so on).

The Cisco Secure Desktop (CSD) is built specifically for these purposes. By deploying CSD to your users, you can perform checks such as prescan (that is, before they log in), provide a secure local environment and remote connection, encrypt local files, manage local and remote resource access, and when users finish, remove all trace of their working on the specific device until they connect again.

The process of enabling CSD on an ASA is pretty straightforward and begins by obtaining the latest CSD PKG file from Cisco.com (valid login and contract required). After you have obtained a copy of the CSD package (.pkg file), upload it to the ASA's flash so that you can enable it. You can do so by navigating within the ASDM to either Configuration > Remote Access VPN > Secure Desktop Manager > Setup and clicking the Upload File button or navigating to Tools > File Management and using the file transfer menus to upload the PKG file from your local PC to the ASA.

After you have uploaded the necessary PKG file, you can then enable the CSD by choosing Enable Secure Desktop or by entering the csd image <location> and csd enable CLI commands within webvpn configuration mode.


For file transfer via ASDM, go to Tools > File Management > File Transfer and choose either Between Local PC and Flash or Between Remote Server and Flash from the drop-down.




The commands to enable CSD in CLI are as follows:

ASA5505(config)# webvpn
ASA5505(config-webvpn)# csd ?

webvpn mode commands/options:
  enable    Enable CSD
  hostscan  Cisco Secure Desktop hostscan package file path
  image     Cisco Secure Desktop package file path
ASA5505(config-webvpn)# csd enable
ASA5505(config-webvpn)# csd image ?

webvpn mode commands/options:
  disk0:  Cisco Secure Desktop package file path
  flash:  Cisco Secure Desktop package file path
ASA5505(config-webvpn)# csd image flash:securedesktop-asa-3.2.1.103-k9.pkg
                                           

After uploading CSD to flash, the other CSD menu options become available on the left side of the screen, right below the original Setup menu.








You are given a few options within the prelogin policy that can enable you to determine whether a remote user is connecting from a corporate-owned device, a public device, or other device:

* Registry Check: You can check for a specific key within the Windows Registry.

* File Check: You can check for the existence of a particular local file on the user's device.

* Certificate Check: If your organization uses an internal or external Public Key Infrastructure (PKI), you can check for certain fields and values within certificates that have been deployed to users or devices.

* OS Check: You can check for a particular OS running on a user's device.

* IP Address Check: You can check for a specific IP address or subnet that a remote user is connecting from.


I created a prelogin policy object that scans and enforces that remote SSL VPN users run Windows 2000 or later and connect from within the 192.168.1.0/24 address range.
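To make the policy logic concrete, here is an added Python model of the two checks in that prelogin policy (an OS check and an IP address check). It is an illustration written for this page, not CSD's own implementation: CSD evaluates the checks on the client, while this model only shows how the conditions compose (every check must pass, and a failing check should be logged with its reason). The posture records and the Windows-release-to-NT-version table are constructed for the example; the 192.168.1.0/24 range is the one from the post.

```python
import ipaddress

# The policy from the post: Windows 2000 or later AND a source address in 192.168.1.0/24.
ALLOWED_NET = ipaddress.ip_network("192.168.1.0/24")
MIN_WINDOWS = (5, 0)  # Windows 2000 is NT 5.0

# Windows release name -> NT kernel version (a constructed lookup for this example;
# a real CSD OS check reads the version from the endpoint itself).
WINDOWS_NT_VERSIONS = {
    "Windows NT 4.0": (4, 0),
    "Windows 2000": (5, 0),
    "Windows XP": (5, 1),
    "Windows Vista": (6, 0),
    "Windows 7": (6, 1),
    "Windows 8": (6, 2),
}


def os_check(os_name):
    """Passes only for a Windows release at or above the minimum NT version."""
    version = WINDOWS_NT_VERSIONS.get(os_name)
    if version is None:
        return False, f"OS check: {os_name!r} is not a recognized Windows release"
    if version < MIN_WINDOWS:
        return False, f"OS check: {os_name} is older than Windows 2000"
    return True, ""


def ip_check(address):
    """Passes only when the source address lies inside the allowed subnet."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False, f"IP check: {address!r} is not a valid address"
    if ip not in ALLOWED_NET:
        return False, f"IP check: {ip} is outside {ALLOWED_NET}"
    return True, ""


def evaluate_prelogin(posture):
    """Run every check; the policy matches only when all of them pass.
    Returns (matched, reasons) so a failed check can be logged."""
    reasons = []
    for check, key in ((os_check, "os"), (ip_check, "ip")):
        ok, why = check(posture.get(key, ""))
        if not ok:
            reasons.append(why)
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed posture records: one corporate-looking endpoint and two that fail.
    for posture in ({"os": "Windows 7", "ip": "192.168.1.22"},
                    {"os": "Windows NT 4.0", "ip": "192.168.1.22"},
                    {"os": "Windows XP", "ip": "10.1.1.10"}):
        print(posture, evaluate_prelogin(posture))
```

The checks are deliberately kept separate from the decision so that a posture failing both checks reports both reasons; on the ASA, the equivalent information is what you would want in the syslog when a user lands on the default (non-corporate) policy.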




Now we can test and install CSD upon login via the SSL VPN portal on the ASA device.






Once successfully logged in to the SSL VPN portal, the CSD is minimized and can be found in the Task Manager.






Saturday, July 5, 2014

AnyConnect VPN Client for iPhone

I tried the Cisco AnyConnect app on my iPhone to experience VPN connectivity from a smartphone, but wasn't successful on my first attempt. After the initial setup in the app, the ASA told the client it had "No license."


I checked my ASA 5505 licenses using the show version command and saw that AnyConnect for Mobile was disabled. So I went to Cisco.com and found out there's a trial license that's good for 90 days (it actually gave me 91 days).

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual 
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual


Here's a link to the ASA AnyConnect Mobile 90-day trial license. A valid SmartNet/CCO login is required.


Cisco will send the license key to your registered email address. Issue the activation-key command from privileged EXEC mode. The time-based key takes effect immediately and no reboot is required.

ASA5505# activation-key ?

  <0x0-0xffffffff>  Enter four-or-five-tuple activation-key
  noconfirm         Do not prompt for confirmation
ASA5505# activation-key 11580c70 bc7e2ac4 093d128a 4834133b 8abcdefg
Validating activation key. This may take a few minutes...
The requested key is a timebased key and is activated, it has 91 days remaining.


Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Enabled        91 days
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

Serial Number: JMX1423WXYZ
Running Permanent Activation Key: 0x3021cd54 0x20efac90 0xc852410c 0xb95cd094 0xc123456
Running Timebased Activation Key: 0x11580c70 0xbc7e2ac4 0x093d128a 0x4834133b 0x8abcdefg
Configuration register is 0x1
Configuration last modified by cisco at 21:32:03.918 SGT Sat May 3 2014
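A time-based key lapses silently when its days run out, so the date is worth computing and tracking rather than rediscovering when mobile clients start failing again with "No license". As an added example (not from the original post), here is a Python helper that reads the day count from the activation response above and the date from an ASA timestamp line, and reports whether the feature is still valid relative to a given day. The sample lines are copied from the post's capture; using the "Configuration last modified" timestamp as the activation date is an assumption for the example, and in practice you would record the date you applied the key.

```python
import re
from datetime import date, datetime, timedelta

# Constructed samples: the activation response and the timestamp line from the post.
# Assumption for the example: the key was applied when the configuration was last
# modified, so that timestamp stands in for the activation date.
ACTIVATION_RESPONSE = (
    "The requested key is a timebased key and is activated, it has 91 days remaining."
)
CONFIG_MODIFIED = "Configuration last modified by cisco at 21:32:03.918 SGT Sat May 3 2014"

DAYS_RE = re.compile(r"it has (\d+) days? remaining")
# ASA timestamp: HH:MM:SS[.ms] <zone> <weekday> <month> <day> <year>
STAMP_RE = re.compile(r"\bat \d\d:\d\d:\d\d(?:\.\d+)? \S+ (\w{3} \w{3} \d{1,2} \d{4})\s*$")


def parse_days_remaining(line):
    """Day count from the 'timebased key ... N days remaining' response."""
    m = DAYS_RE.search(line)
    if not m:
        raise ValueError("no time-based key duration in: " + line)
    return int(m.group(1))


def parse_asa_date(line):
    """Calendar date from an ASA timestamp such as '21:32:03.918 SGT Sat May 3 2014'."""
    m = STAMP_RE.search(line)
    if not m:
        raise ValueError("no ASA timestamp in: " + line)
    return datetime.strptime(m.group(1), "%a %b %d %Y").date()


def expiry_date(activation_response, activated_on):
    """Day on which the time-based feature lapses."""
    return activated_on + timedelta(days=parse_days_remaining(activation_response))


def license_status(expires_on, today, warn_days=14):
    """'expired', 'expiring' (within warn_days, inclusive) or 'ok'."""
    left = (expires_on - today).days
    if left < 0:
        return "expired"
    if left <= warn_days:
        return "expiring"
    return "ok"


if __name__ == "__main__":
    activated = parse_asa_date(CONFIG_MODIFIED)
    expires = expiry_date(ACTIVATION_RESPONSE, activated)
    print(activated, "->", expires, license_status(expires, date(2014, 7, 25)))
```

With the post's values the 91 days from May 3, 2014 end on August 2, 2014; a scheduled job that feeds `date.today()` into `license_status` gives the warning before the feature flips back to Disabled.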

Here are the screenshots to configure the AnyConnect Mobile on the iPhone.




Tap on the AnyConnect VPN to turn it ON and connect to the VPN.


Click on Details to view the certificate contents.



Type the Tunnel Group (aka Connection Profile), username and password that's created on the ASA.



After the AnyConnect mobile license was installed and the iPhone got connected to the VPN, it automatically created the ASA5505(IPSEC) entry.


 


I received the first IP address 10.1.1.10 from the AnyConnect/VPN DHCP pool.





 


I can now browse my VPN portal home page.


Here are the screenshots and syslogs captured from ASDM Real-Time Log Viewer.




This is the equivalent command in CLI.

ASA5505# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : anyconnect-user        Index        : 7
Assigned IP  : 10.1.1.10              Public IP    : 192.168.1.22
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium, AnyConnect for Mobile
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 3288                   Bytes Rx     : 43027
Group Policy : GroupPolicy_ANYCONNECT-PROF
Tunnel Group : ANYCONNECT-PROF
Login Time   : 21:50:59 SGT Sat May 3 2014
Duration     : 0h:01m:22s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A               
VLAN         : none
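The session record above also shows something a defender should read beyond the license line: the SSL tunnel negotiated RC4 with SHA1 while the DTLS tunnel used AES128. As an added example (not from the original post), here is a Python audit of `show vpn-sessiondb anyconnect` output that extracts the user, addresses and per-tunnel algorithms and flags weak ciphers and legacy hashes on the data tunnels. The sample is constructed from the post's own capture; the algorithm classifications are this example's choice, not the ASA's.

```python
import re

# Constructed sample: the session record from the post's `show vpn-sessiondb anyconnect`
# capture, trimmed to the fields the audit reads.
SESSION_OUTPUT = """\
Session Type: AnyConnect

Username     : anyconnect-user        Index        : 7
Assigned IP  : 10.1.1.10              Public IP    : 192.168.1.22
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium, AnyConnect for Mobile
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 3288                   Bytes Rx     : 43027
Group Policy : GroupPolicy_ANYCONNECT-PROF
Tunnel Group : ANYCONNECT-PROF
Login Time   : 21:50:59 SGT Sat May 3 2014
"""

# Algorithm classes this example flags on a data tunnel (the example's own policy).
WEAK_CIPHERS = {"RC4", "DES", "3DES", "none"}
LEGACY_HASHES = {"MD5", "SHA1", "none"}
# The parent entry is the session's bookkeeping record, not a data tunnel, and lists 'none'.
SKIP_TUNNELS = {"AnyConnect-Parent"}

TUNNEL_ALG_RE = re.compile(r"(\S+): \(\d+\)(\S+)")  # matches "SSL-Tunnel: (1)RC4"


def _column(text, name):
    """Value of a field in the two-column layout; stops at the next column gap."""
    m = re.search(r"\b" + re.escape(name) + r"\s+:\s+(.*?)(?=\s{2,}\S|\s*$)", text, re.MULTILINE)
    return m.group(1) if m else None


def _algorithms(text, name):
    """{tunnel: algorithm} from the 'Encryption' or 'Hashing' line."""
    m = re.search(r"^" + re.escape(name) + r"\s+:\s+(.*)$", text, re.MULTILINE)
    return dict(TUNNEL_ALG_RE.findall(m.group(1))) if m else {}


def audit_session(text):
    """Summarize one session and list weak-crypto findings per data tunnel."""
    ciphers = _algorithms(text, "Encryption")
    hashes = _algorithms(text, "Hashing")
    tunnels = {t: {"cipher": ciphers.get(t), "hash": hashes.get(t)} for t in ciphers}
    findings = []
    for tunnel, alg in tunnels.items():
        if tunnel in SKIP_TUNNELS:
            continue
        if alg["cipher"] in WEAK_CIPHERS:
            findings.append(f"{tunnel}: weak cipher {alg['cipher']}")
        if alg["hash"] in LEGACY_HASHES:
            findings.append(f"{tunnel}: legacy hash {alg['hash']}")
    return {
        "username": _column(text, "Username"),
        "assigned_ip": _column(text, "Assigned IP"),
        "public_ip": _column(text, "Public IP"),
        "tunnel_group": _column(text, "Tunnel Group"),
        "tunnels": tunnels,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_session(SESSION_OUTPUT)
    print(report["username"], report["public_ip"], "->", report["assigned_ip"])
    for finding in report["findings"]:
        print(" -", finding)
```

Run against the full `show vpn-sessiondb anyconnect` output this yields one report per session; the fix for an RC4 finding lives in the ASA's SSL cipher configuration rather than in the session itself, and re-running the audit after the change confirms the client renegotiated.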