Saturday, December 12, 2015

Cisco ASA mac-address auto Command

We used to manage two Cisco ASA firewalls in our network environment: one to terminate site-to-site IPsec VPNs for remote client sites connecting back to our HQ, and another running multiple security contexts to NAT multiple downstream clients. Now I use a single ASA running a 9.x image, with the site-to-site IPsec VPNs terminated in the admin context and NAT done in the other security contexts. I demonstrated a context-based ASA firewall on 9.0 code running a S2S VPN in a previous blog post.

I was creating a new context for a customer recently, and after configuring nameif on the shared outside interface, management traffic (ping and SNMP) to our upstream Internet edge router was cut off. While troubleshooting I recalled that, by default, every context presents the burned-in MAC address of the physical interface on a shared interface, so all contexts were answering on the outside with the same MAC address. The ASA classifies an ingress packet on a shared interface to a context by its destination MAC address before falling back to the NAT configuration, so the best practice is a unique MAC address per context on the shared outside interface. We can assign one manually under each context's interface, or let the system context generate them for all contexts with the mac-address auto command. After issuing this command I was able to ping the Internet again from the new context, and our NMS was able to poll the ASA via SNMP.


ciscoasa# show interface g0/0 | include MAC 
        MAC address a46c.2a65.83d9, MTU not set

ciscoasa/admin# show interface g0/0 | include MAC   
        MAC address  a46c.2a65.83d9, MTU 1500

ciscoasa/NEW# show interface g0/0 | include MAC   
        MAC address  a46c.2a65.83d9, MTU 1500

ciscoasa/admin# changeto context NEW
ciscoasa/NEW(config)# interface GigabitEthernet0/0
ciscoasa/NEW(config-if)# mac-address a46c.2a65.1111    // MANUAL APPROACH; NETWORK TRAFFIC WENT BACK TO NORMAL

ciscoasa/NEW(config)# interface GigabitEthernet0/0
ciscoasa/NEW(config-if)# no mac-address a46c.2a65.1111
ciscoasa/NEW(config-if)# changeto system
ciscoasa(config)# mac-address auto
INFO: Converted to mac-address auto prefix 33748

ciscoasa# show interface g0/0 | include MAC    // SYSTEM CONTEXT
        MAC address a46c.2a65.83d9, MTU not set

ciscoasa/admin# show interface g0/0 | include MAC     // ADMIN CONTEXT
        MAC address a2d4.8300.0004, MTU 1500

ciscoasa/NEW# show interface g0/0 | include MAC    // NEW CONTEXT
        MAC address a2d4.8300.0002, MTU 1500
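
As an added example (my own, not part of the original post), here is a small Python audit that parses the per-context `show interface ... | include MAC` captures above, flags user contexts that present the same MAC on a shared interface, and reconstructs the auto-generated MAC from the prefix the ASA printed. Cisco documents the auto-MAC layout as A2xx.yyzz.zzzz, where xx.yy is the 16-bit prefix with its two bytes swapped (prefix 77 = 0x004D gives A24D.00zz.zzzz) and zz.zzzz is an internal counter. The captures are embedded as constructed sample input and the function names are my own; the system execution space is skipped in the duplicate check because it does not source or classify data traffic.

```python
import re
from collections import defaultdict

# Constructed sample input: the "show interface ... | include MAC" captures from
# the post, before and after "mac-address auto", pasted as two text blocks.
BEFORE = """\
ciscoasa# show interface g0/0 | include MAC
        MAC address a46c.2a65.83d9, MTU not set
ciscoasa/admin# show interface g0/0 | include MAC
        MAC address  a46c.2a65.83d9, MTU 1500
ciscoasa/NEW# show interface g0/0 | include MAC
        MAC address  a46c.2a65.83d9, MTU 1500
"""

AFTER = """\
ciscoasa(config)# mac-address auto
INFO: Converted to mac-address auto prefix 33748
ciscoasa# show interface g0/0 | include MAC
        MAC address a46c.2a65.83d9, MTU not set
ciscoasa/admin# show interface g0/0 | include MAC
        MAC address a2d4.8300.0004, MTU 1500
ciscoasa/NEW# show interface g0/0 | include MAC
        MAC address a2d4.8300.0002, MTU 1500
"""

# Prompt "host/context(config)# show interface g0/0"; no "/context" means the
# system execution space.
PROMPT_RE = re.compile(
    r"^(?P<host>[\w-]+)(?:/(?P<ctx>[\w-]+))?(?:\(config[^)]*\))?[#>] show interface (?P<intf>\S+)")
MAC_RE = re.compile(r"MAC address\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)
PREFIX_RE = re.compile(r"mac-address auto prefix (?P<prefix>\d+)")


def parse_capture(text):
    """Return ({(context, interface): mac}, auto_prefix_or_None)."""
    macs, prefix, current = {}, None, None
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            current = (m.group("ctx") or "system", m.group("intf"))
            continue
        m = PREFIX_RE.search(line)
        if m:
            prefix = int(m.group("prefix"))
            continue
        m = MAC_RE.search(line)
        if m and current:
            macs[current] = m.group("mac").lower()
            current = None
    return macs, prefix


def shared_mac_conflicts(macs):
    """Group user contexts that present the same MAC on the same interface."""
    by_key = defaultdict(list)
    for (ctx, intf), mac in macs.items():
        if ctx != "system":          # system space carries no data traffic
            by_key[(intf, mac)].append(ctx)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def expected_auto_mac(prefix, counter):
    """Cisco's documented layout A2xx.yyzz.zzzz: xx.yy is the 16-bit prefix
    with its bytes swapped, zz.zzzz is the ASA's internal counter."""
    if not 0 <= prefix <= 0xFFFF or not 0 <= counter <= 0xFFFFFF:
        raise ValueError("prefix must fit 16 bits, counter 24 bits")
    raw = bytes([0xA2, prefix & 0xFF, prefix >> 8]) + counter.to_bytes(3, "big")
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def is_auto_mac(mac, prefix):
    """True if mac lies in the auto-generated range for this prefix."""
    return mac.lower()[:7] == expected_auto_mac(prefix, 0)[:7]


if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        macs, prefix = parse_capture(capture)
        print(label, "prefix:", prefix, "conflicts:", shared_mac_conflicts(macs))
        if prefix is not None:
            for key, mac in macs.items():
                print("  ", key, mac, "auto" if is_auto_mac(mac, prefix) else "burned-in")
```

Run it against your own captures: any non-empty result from shared_mac_conflicts is a context that will be misclassified on the shared interface, and a context MAC that fails is_auto_mac after mac-address auto is one that was pinned manually.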

Saturday, December 5, 2015

Site-to-Site IPsec VPN on Context ASA 9.0

In practice I use security contexts to PAT (and NAT) clients behind different outside public IP addresses on a context-based Cisco ASA firewall; this keeps the ASA configuration scalable and manageable. I also used to run a separate ASA firewall just to terminate site-to-site IPsec VPNs, but since Cisco ASA Software release 9.0 I'm able to run IKEv1 (and IKEv2) site-to-site VPNs on a context-based ASA. I wasn't able to establish the IPsec VPN tunnel right after configuring it, so I ran some debugs:

Aug 19 06:30:54 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Aug 19 06:30:54 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Aug 19 06:30:54 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Aug 19 06:30:54 [IKEv1 DEBUG]IP = 116.21.19.9, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 7
Aug 19 06:30:54 [IKEv1 DEBUG]IP = 116.21.19.9, constructing ISAKMP SA payload
Aug 19 06:30:54 [IKEv1 DEBUG]IP = 116.21.19.9, constructing Fragmentation VID + extended capabilities payload
Aug 19 06:30:54 [IKEv1]IP = 116.21.19.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

Aug 19 06:30:54 [IKEv1]IP = 116.21.19.9, Tunnel Rejected: The maximum tunnel count allowed has been reached
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, IKE MM Responder FSM error history (struct &0x00007fff36a117d0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_SND_MSG6_H, EV_SND_MSG_OK-->MM_SND_MSG6_H, EV_SND_MSG-->MM_SND_MSG6, EV_SND_MSG-->MM_BLD_MSG6, EV_ENCRYPT_OK-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_ENCRYPT_MSG-->MM_BLD_MSG6, EV_CHECK_IA
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, IKE SA MM:ce5a3ed0 terminating:  flags 0x0100c002, refcnt 0, tuncnt 0
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, sending delete/delete with reason message
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, constructing blank hash payload
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, constructing IKE delete payload
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, constructing qm hash payload
Aug 19 06:30:54 [IKEv1]IP = 116.21.19.9, IKE_DECODE SENDING Message (msgid=e1881a02) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
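
The debug above is noisy. As an added example (my own, not from the original post), the following Python triage reads ASA `debug crypto ikev1` lines and separates the non-fatal "Mismatched attribute" lines (the ASA walks its IKE policies in order and logs each one that does not match until one is accepted) from the terminal "Tunnel Rejected" reason and the PHASE 1 / PHASE 2 COMPLETED markers. The two excerpts are constructed from the lines shown in this post; the function name and verdict strings are my own.

```python
import re

# Constructed excerpts of the "debug crypto ikev1" output shown in the post.
FAILED_ATTEMPT = """\
Aug 19 06:30:54 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Aug 19 06:30:54 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Aug 19 06:30:54 [IKEv1 DEBUG]IP = 116.21.19.9, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 7
Aug 19 06:30:54 [IKEv1]IP = 116.21.19.9, Tunnel Rejected: The maximum tunnel count allowed has been reached
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, IKE SA MM:ce5a3ed0 terminating:  flags 0x0100c002, refcnt 0, tuncnt 0
"""

SUCCESSFUL_ATTEMPT = """\
Aug 19 06:40:22 [IKEv1]Group = 116.21.19.9, IP = 116.21.19.9, PHASE 1 COMPLETED
Aug 19 06:40:22 [IKEv1 DECODE]IP = 116.21.19.9, IKE Responder starting QM: msg id = 0848596d
Aug 19 06:40:22 [IKEv1]Group = 116.21.19.9, IP = 116.21.19.9, PHASE 2 COMPLETED (msgid=0848596d)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<tag>[^\]]+)\](?P<msg>.*)$")
PEER_RE = re.compile(r"\bIP = (?P<ip>\d+\.\d+\.\d+\.\d+)")
MISMATCH_RE = re.compile(
    r"Mismatched attribute types for class (?P<cls>[\w ]+?):\s+Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+)$")
ACCEPT_RE = re.compile(r"Proposal # \d+, Transform # \d+ acceptable\s+Matches global IKE entry # (?P<entry>\d+)")
REJECT_RE = re.compile(r"Tunnel Rejected: (?P<reason>.+)$")


def triage_ikev1(debug_text):
    """Summarise one IKEv1 negotiation from ASA 'debug crypto ikev1' output.

    Policy mismatches are only the cause if no policy matched at all; a
    'Tunnel Rejected' line is always reported because it is terminal."""
    s = {"peer": None, "mismatches": [], "matched_entry": None,
         "rejected": None, "phase1": False, "phase2": False, "verdict": None}
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        p = PEER_RE.search(msg)
        if p and s["peer"] is None:
            s["peer"] = p.group("ip")
        mm = MISMATCH_RE.search(msg)
        if mm:
            s["mismatches"].append((mm.group("cls"), mm.group("rcvd"), mm.group("cfgd")))
            continue
        a = ACCEPT_RE.search(msg)
        if a:
            s["matched_entry"] = int(a.group("entry"))
            continue
        r = REJECT_RE.search(msg)
        if r:
            s["rejected"] = r.group("reason").strip()
            continue
        if "PHASE 1 COMPLETED" in msg:
            s["phase1"] = True
        elif "PHASE 2 COMPLETED" in msg:
            s["phase2"] = True

    if s["phase2"]:
        s["verdict"] = "tunnel up"
    elif s["rejected"]:
        s["verdict"] = "rejected: " + s["rejected"]
    elif s["matched_entry"] is None and s["mismatches"]:
        s["verdict"] = "no IKE policy matched the peer's proposal"
    else:
        s["verdict"] = "incomplete"
    return s


if __name__ == "__main__":
    for text in (FAILED_ATTEMPT, SUCCESSFUL_ATTEMPT):
        r = triage_ikev1(text)
        print(r["peer"], "->", r["verdict"], "(matched entry", r["matched_entry"], ")")
```

Feed it a full debug capture and read the verdict first: a "rejected:" verdict with a matched entry means the proposals were fine and the problem lies elsewhere, as it did here.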


Even though my IKE Phase 1 and Phase 2 policies on both VPN peers were correct (the debug shows the peer's proposal accepted against global IKE entry 7; the earlier "Mismatched attribute" lines are just the policies tried before it), the peers still couldn't establish a security association (SA). The decisive line is "Tunnel Rejected: The maximum tunnel count allowed has been reached". In multiple context mode, VPN sessions are a managed resource: a context that is not a member of a resource class allocating "vpn other" sessions has no site-to-site sessions to give, so the count is exhausted before the first tunnel. We first create a class (IPSEC-VPN) that sets the VPN resource limit, then make the specific context (admin) a member of that class. Note that the value given to limit-resource vpn other is a per-context count of guaranteed site-to-site, IKEv1 RA and L2TP sessions (an absolute number or a percentage of the system capacity), and the guarantees summed across all member contexts must not exceed the platform's capacity; it has nothing to do with the number of context licenses installed.
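
To make the allocation checkable before typing it in, here is an added Python example (my own, not from the post or from Cisco) that emits the system-context class and member commands for a set of contexts and checks the two things the CLI help text warns about: every context expected to terminate a tunnel must belong to a class that guarantees at least one "vpn other" session, and the guaranteed sessions summed across member contexts must not exceed the platform capacity. The capacity of 250 and the context names other than admin are placeholder assumptions; use the other-VPN peer figure your own unit reports.

```python
# Assumption (not from the post): placeholder platform capacity for "other" VPN
# sessions. Replace with the figure your ASA's licence reports.
PLATFORM_OTHER_VPN_CAPACITY = 250


def parse_limit(value, capacity):
    """limit-resource accepts '<n>' or '<n>%'; return the absolute session count."""
    v = str(value).strip()
    if v.endswith("%"):
        pct = int(v[:-1])
        if not 0 <= pct <= 100:
            raise ValueError(f"percentage out of range: {v}")
        return capacity * pct // 100
    n = int(v)
    if n < 0:
        raise ValueError(f"negative limit: {v}")
    return n


def plan_vpn_classes(classes, membership, vpn_contexts, capacity=PLATFORM_OTHER_VPN_CAPACITY):
    """classes: {class_name: vpn_other_limit}; membership: {context: class_name};
    vpn_contexts: contexts that must be able to terminate a tunnel.
    Returns (system-context config lines, list of problems)."""
    lines, problems = [], []
    for name, limit in classes.items():
        parse_limit(limit, capacity)            # validate early
        lines += [f"class {name}", f"  limit-resource vpn other {limit}"]
    for ctx, cls in membership.items():
        if cls not in classes:
            problems.append(f"context {ctx}: class {cls} is not defined")
            continue
        lines += [f"context {ctx}", f"  member {cls}"]

    # A context left in the default class has no "other" VPN sessions
    # allocated, which is exactly the "maximum tunnel count" rejection.
    for ctx in sorted(vpn_contexts):
        cls = membership.get(ctx)
        if cls is None or cls not in classes:
            problems.append(f"context {ctx}: no VPN class assigned (no sessions allocated)")
        elif parse_limit(classes[cls], capacity) == 0:
            problems.append(f"context {ctx}: class {cls} guarantees 0 sessions")

    # Guaranteed sessions are reserved per member context; the sum across all
    # member contexts must fit within what the platform can provide.
    reserved = sum(parse_limit(classes[c], capacity)
                   for c in membership.values() if c in classes)
    if reserved > capacity:
        problems.append(f"guaranteed sessions {reserved} exceed platform capacity {capacity}")
    return lines, problems


if __name__ == "__main__":
    cfg, issues = plan_vpn_classes({"IPSEC-VPN": 10}, {"admin": "IPSEC-VPN"}, {"admin"})
    print("\n".join(cfg))
    print("problems:", issues or "none")
```

The first call reproduces the class and member commands typed in the session below; the percentage form exists so that several contexts can share the platform's pool proportionally without anyone adding the numbers by hand.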

ciscoasa# configure terminal
ciscoasa(config)# class ?

configure mode commands/options:
  WORD  Symbolic name of the class

ciscoasa(config)# class  IPSEC-VPN
ciscoasa(config-class)# ?

Class configuration commands:
  limit-resource  Configure the resource limits
  no              Negate a command or set its defaults

ciscoasa(config-class)# limit-resource ?

class mode commands/options:
  rate    Enter this keyword to specify a rate/sec
Following resources available:
  ASDM    ASDM Connections
  All     All Resources
  Conns   Connections
  Hosts   Hosts
  Routes  Routing Table Entries
  SSH     SSH Sessions
  Telnet  Telnet Sessions
  VPN     VPN resources
  Xlates  XLATE Objects

ciscoasa(config-class)# limit-resource vpn ?

class mode commands/options:
  Burst  Burst limit over the configured limit. This burst limit is not
         guaranteed. The context may take this resource if it is available on
         the device at run time.
  Other  Other VPN sessions which include Site-to-Site, IKEv1 RA and L2tp
         Sessions. These are guaranteed for a context and shouldn't exceed the
         system capacity when combined across all contexts.
  ikev1  Configure IKEv1 specific resources.

ciscoasa(config-class)# limit-resource vpn other ?

class mode commands/options:
  WORD  Value of resource limit (in <value> or <value>%)

ciscoasa(config-class)# limit-resource vpn other 10    // I HAD 10 SECURITY CONTEXT LICENSE INSTALLED

ciscoasa(config-class)# context admin
ciscoasa(config-ctx)# ?

Context configuration commands:
  allocate-interface   Allocate interface to context
  allocate-ips         Allocate IPS virtual sensor to context
  config-url           Configure URL for a context configuration
  description          Provide a description of the context
  exit                 Exit from context configuration mode
  help                 Interactive help for context subcommands
  join-failover-group  Join a context to a failover group
  member               Configure class membership for a context
  no                   Negate a command
  scansafe             Enable scansafe inspection in this context

ciscoasa(config-ctx)# member ?

context mode commands/options:
  WORD  Class name

ciscoasa(config-ctx)# member IPSEC-VPN
ciscoasa(config-ctx)# end
ciscoasa# changeto context admin
ciscoasa/admin# debug crypto ikev1 255
ciscoasa/admin# debug crypto ipsec 255

<OUTPUT TRUNCATED>

Aug 19 06:40:22 [IKEv1]Group = 116.21.19.9, IP = 116.21.19.9, PHASE 1 COMPLETED
Aug 19 06:40:22 [IKEv1]IP = 116.21.19.9, Keep-alive type for this connection: DPD
Aug 19 06:40:22 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, Starting P1 rekey timer: 82080
Aug 19 06:40:22 [IKEv1 DECODE]IP = 116.21.19.9, IKE Responder starting QM: msg id = 0848596d

IPSEC: Increment SA NP ref counter for inbound SPI 0xA6685BB5, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:5281)
IPSEC: Completed inbound permit rule, SPI 0xA6685BB5
    Rule ID: 0x00007fff369ff5d0
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA6685BB5, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4645)
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA6685BB5, old value: 1, new value: 0, (ctm_np_vpn_context_cb:10167)
IPSEC: Increment SA HW ref counter for inbound SPI 0xA6685BB5, old value: 0, new value: 1, (ctm_nlite_ipsec_create_hw_ibsa:743)
Aug 19 06:40:22 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, Pitcher: received KEY_UPDATE, spi 0xa6685bb5
Aug 19 06:40:22 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, Starting P2 rekey timer: 27360 seconds.
Aug 19 06:40:22 [IKEv1]Group = 116.21.19.9, IP = 116.21.19.9, PHASE 2 COMPLETED (msgid=0848596d)
Aug 19 06:40:35 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, Sending keep-alive of type DPD R-U-THERE (seq number 0x382b231e)
Aug 19 06:40:35 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, constructing blank hash payload
Aug 19 06:40:35 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, constructing qm hash payload
Aug 19 06:40:35 [IKEv1]IP = 116.21.19.9, IKE_DECODE SENDING Message (msgid=ddb7337f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80


ciscoasa/admin# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 116.21.19.9
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE


ciscoasa/admin# show crypto ipsec sa
interface: outside
    Crypto map tag: VPN_CMAP, seq num: 818, local addr: 202.7.2.12

      access-list SYDNEY_TO_PERTH extended permit ip host 220.10.7.14 host 220.10.7.14
      local ident (addr/mask/prot/port): (220.10.7.14/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (116.21.19.9/255.255.255.255/0/0)
      current_peer: 220.10.7.14

      #pkts encaps: 1569732, #pkts encrypt: 1585121, #pkts digest: 1585121
      #pkts decaps: 1824463, #pkts decrypt: 1824463, #pkts verify: 1824463

      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1569732, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 15389, #pre-frag failures: 0, #fragments created: 30778
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 87450
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.7.2.12/0, remote crypto endpt.: 116.21.19.9
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 5AE3F513
      current inbound spi : 36AE99F5

<OUTPUT TRUNCATED>