Friday, October 6, 2017

Cisco ASA - L2L VPN Filters

Hey all,

Suppose you have a Cisco ASA with an L2L VPN to an untrusted partner, and you have a requirement that large swaths of the network are included in the crypto map to this partner. However, you want to permit only particular ports to particular hosts. Thankfully, Cisco ASAs support what's called a vpn-filter that can do exactly that.

VPN-filters are an excellent tool, and can be used in exactly the same way for Cisco AnyConnect client VPNs. If you want to learn more about how to use this filtering in a dynamic system, where login is handled by external auth such as AD but hosts are still filtered, read this. Here, though, we'll focus on L2L VPNs.

First of all, create your objects, object-groups, and the access list that you'll apply to the VPN. This type of "vpn-filter" ACL is applied inbound, so the source of the traffic is the remote side.

! Create partner objects (the subnet values are placeholders; substitute the partner's real prefix)
object network RemotePartner_Subnet1
 subnet 192.0.2.0 255.255.255.0
object-group network RemotePartner_VPNGroup
 network-object object RemotePartner_Subnet1

! Create objects for our network (placeholder prefix again)
object network MyNetwork_Subnet1
 subnet 10.10.0.0 255.255.255.0
object-group network MyNetwork_VPNGroup
 network-object object MyNetwork_Subnet1

! Create services/port filtering object
object-group service web tcp
 port-object eq www
 port-object eq https

! Create inbound ACL to use as a vpn-filter; include icmp for testing purposes
! (both network references are object-groups, so both use the object-group keyword)
access-list Remote_2_MyNetwork_vpnFilter extended permit tcp object-group RemotePartner_VPNGroup object-group MyNetwork_VPNGroup object-group web
access-list Remote_2_MyNetwork_vpnFilter extended permit icmp any any

! Create a group policy to reference the vpn filter
! (the policy must exist before its attributes can be set)
group-policy MyNetwork_2_RemotePartner internal
group-policy MyNetwork_2_RemotePartner attributes
 vpn-filter value Remote_2_MyNetwork_vpnFilter
 vpn-tunnel-protocol ikev1

! Update the tunnel group for the remote peer to map to the group policy
! (an L2L tunnel-group is named after the peer's IP address; <PEER_IP> is a placeholder)
tunnel-group <PEER_IP> general-attributes
 default-group-policy MyNetwork_2_RemotePartner

Done! Now your L2L VPN is filtered inbound on your side, and doesn't require any action by the remote partner in the event you need to add a few hosts or further restrict the access.
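Before the partner's tunnel comes up it is worth checking that the vpn-filter exposes exactly the ports you intended and nothing else. The following is an added Python example (not from this post, and not Cisco tooling) that parses a minimal ASA-style object / object-group / access-list configuration and answers whether a given inbound flow would be permitted. The configuration embedded in it is constructed to mirror the one above; the 192.0.2.0/24 and 10.10.0.0/24 prefixes are placeholders because the post gives no real addresses, and the port-keyword table covers only a handful of ASA names.

```python
"""Offline evaluator for an ASA-style vpn-filter ACL (added example, not Cisco tooling).
Parses just enough object / object-group / access-list syntax to resolve the references."""
import ipaddress

# Constructed configuration mirroring the post's shape; the two prefixes are
# placeholders because the post gives no real addresses.
SAMPLE_CONFIG = """
object network RemotePartner_Subnet1
 subnet 192.0.2.0 255.255.255.0
object-group network RemotePartner_VPNGroup
 network-object object RemotePartner_Subnet1
object network MyNetwork_Subnet1
 subnet 10.10.0.0 255.255.255.0
object-group network MyNetwork_VPNGroup
 network-object object MyNetwork_Subnet1
object-group service web tcp
 port-object eq www
 port-object eq https
access-list Remote_2_MyNetwork_vpnFilter extended permit tcp object-group RemotePartner_VPNGroup object-group MyNetwork_VPNGroup object-group web
access-list Remote_2_MyNetwork_vpnFilter extended permit icmp any any
"""

# A handful of ASA port keywords; numeric ports are accepted as written.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}


def port_number(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_config(text):
    """Collect network objects, network groups, service groups and ACEs."""
    nets, groups, services, acls = {}, {}, {}, {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split()
        if not raw.startswith(" "):                # top-level statement
            current = None
            if parts[:2] == ["object", "network"]:
                current, nets[parts[2]] = ("net", parts[2]), []
            elif parts[:2] == ["object-group", "network"]:
                current, groups[parts[2]] = ("group", parts[2]), []
            elif parts[:2] == ["object-group", "service"]:
                current, services[parts[2]] = ("svc", parts[2]), set()
            elif parts[0] == "access-list":
                acls.setdefault(parts[1], []).append(parts)
            continue
        if current is None:
            continue
        kind, name = current                       # indented line belongs to `current`
        if kind == "net" and parts[0] == "subnet":
            nets[name].append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
        elif kind == "group" and parts[:2] == ["network-object", "object"]:
            groups[name].append(parts[2])
        elif kind == "svc" and parts[:2] == ["port-object", "eq"]:
            services[name].add(port_number(parts[2]))
    return nets, groups, services, acls


def _take_addr(tokens, i):
    """Consume one address spec: any | object X | object-group X."""
    if tokens[i] == "any":
        return ("any", None), i + 1
    return (tokens[i], tokens[i + 1]), i + 2


def _addr_matches(spec, nets, groups, addr):
    kind, name = spec
    if kind == "any":
        return True
    ip = ipaddress.ip_address(addr)
    members = groups[name] if kind == "object-group" else [name]
    return any(ip in net for m in members for net in nets[m])


def evaluate(config, acl_name, src, dst, proto, dport=None):
    """True if the ACL permits the flow, False on explicit or implicit deny.
    ACEs are tested in order and the first match wins, as on the ASA."""
    nets, groups, services, acls = parse_config(config)
    for ace in acls.get(acl_name, []):
        # access-list NAME extended ACTION PROTO SRC DST [object-group SVC | eq PORT]
        action, ace_proto = ace[3], ace[4]
        src_spec, i = _take_addr(ace, 5)
        dst_spec, i = _take_addr(ace, i)
        if ace_proto not in (proto, "ip"):
            continue
        if not (_addr_matches(src_spec, nets, groups, src)
                and _addr_matches(dst_spec, nets, groups, dst)):
            continue
        if i < len(ace):                           # optional destination service
            allowed = (services[ace[i + 1]] if ace[i] == "object-group"
                       else {port_number(ace[i + 1])})
            if dport not in allowed:
                continue
        return action == "permit"
    return False                                   # implicit deny at the end of every ACL
```

The final `return False` models the implicit deny at the end of every ASA ACL, which is what makes the check useful: a partner host trying port 22, or a source outside RemotePartner_VPNGroup, finds no matching ACE and gets nothing, while icmp from anywhere is still allowed by the testing rule until you remove it.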

Good luck out there.

Saturday, September 30, 2017

Cisco ASA - Strong SuiteB Encryption - ECDHE

Hey all!

So you have Cisco ASAs that handle your client remote access, and you want to be sure you're using the strongest technical security you can configure. Cisco ASAs make this pretty easy to do, but you need to be aware of a few things:

  1. This change is global, to all SSL cryptography. This means you can't just switch over a couple of group policies for testing. It's recommended to make this change during off-hours so you can test yourself.
  2. The change won't kick all the SSL tunnels that are already built, so you can certainly make the change, test a connection, then switch back mid-day without an impact to your users.
  3. This change also affects the web page that users access pre-VPN to download the AnyConnect client and access any bookmarks and other features exposed over clientless VPN. This does include the Cisco ASDM, which requires a Java update to work properly after this change. I'll cover this more down below.

TLS Version

First of all, use only TLS version 1.2. SSL 3.0 and TLS 1.0 have been found to have significant weaknesses, and TLS 1.1 is no longer recommended because it lacks the stronger features added in version 1.2. To make this change, run the following command. This limits all SSL connections to the ASA to version 1.2 (or greater, when available). When version 1.3 becomes standard, you'll want to update to that, but 1.3 is not yet implemented in ASA code.

ASAHostname(config)# ssl server-version ?

configure mode commands/options:
  tlsv1    Enter this keyword to accept SSLv2 ClientHellos and negotiate TLSv1
           (or greater)
  tlsv1.1  Enter this keyword to accept SSLv2 ClientHellos and negotiate
           TLSv1.1 (or greater)
  tlsv1.2  Enter this keyword to accept SSLv2 ClientHellos and negotiate
           TLSv1.2 (or greater)

ASAHostname(config)# ssl server-version tlsv1.2


Second, make sure that the ciphers used to encrypt the data are classified by Cisco as "High" security.
ASAHostname(config)# ssl cipher tlsv1.2 high

This classification includes:
ASAHostname# show ssl ciphers high 
  ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)
  ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
  DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
  AES256-GCM-SHA384 (tlsv1.2)
  ECDHE-ECDSA-AES256-SHA384 (tlsv1.2)
  ECDHE-RSA-AES256-SHA384 (tlsv1.2)
  DHE-RSA-AES256-SHA256 (tlsv1.2)
  AES256-SHA256 (tlsv1.2)

DH Group

Third, make sure that the Diffie-Hellman group used for the key exchange uses a larger modulus, which keeps the exchange resistant to attackers with more computing power.

ASAHostname(config)# ssl dh-group ?

configure mode commands/options:
  group1   Configure DH group 1 - 768-bit modulus
  group2   Configure DH group 2 - 1024-bit modulus
  group5   Configure DH group 5 - 1536-bit modulus
  group14  Configure DH group 14 - 2048-bit modulus, 224-bit prime order
           subgroup (FIPS)
  group24  Configure DH group 24 - 2048-bit modulus, 256-bit prime order
           subgroup (FIPS)

ASAHostname(config)# ssl dh-group group24


Your change is done; you can now test your VPN with AnyConnect. Also visit the portal using a browser from the outside to view the clientless page and verify that Chrome rates the connection's security as solid.
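Cisco's "high" class is Cisco's own grouping, not a statement about forward secrecy, so it is worth auditing the `show ssl ciphers high` list above rather than taking the label at face value. The following added Python example (mine, not from the post or from Cisco) classifies each OpenSSL-style suite name from that output by key exchange, authentication, AEAD mode and forward secrecy, and orders the list by preference. The suite names are copied from the post; the ranking rule is my own choice.

```python
"""Audit an ASA `show ssl ciphers high` list for forward secrecy and AEAD.
Added example; not Cisco's code. Suite names are the OpenSSL-style names the ASA prints."""

# Copied from the post's `show ssl ciphers high` output.
HIGH_CIPHERS = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-GCM-SHA384",
    "AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES256-SHA256",
    "AES256-SHA256",
]


def classify(name):
    """Break an OpenSSL-style suite name into its security-relevant parts.

    Names beginning with ECDHE- or DHE- carry an ephemeral key exchange and
    then the authentication algorithm; names without that prefix are the
    TLS_RSA_* family, where the certificate's RSA key both authenticates and
    transports the session key, so there is no forward secrecy.
    """
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE"):
        kx, auth, rest = parts[0], parts[1], parts[2:]
    else:
        kx, auth, rest = "RSA", "RSA", parts
    bulk = rest[0]                                # e.g. AES256
    return {
        "name": name,
        "kx": kx,
        "auth": auth,
        "bulk": bulk,
        "key_bits": int(bulk[3:]) if bulk.startswith("AES") else None,
        "aead": "GCM" in rest,                    # GCM suites are AEAD; the others are CBC + HMAC
        "hash": rest[-1],                         # PRF hash (GCM) or HMAC hash (CBC)
        "forward_secrecy": kx in ("ECDHE", "DHE"),
    }


def without_forward_secrecy(names):
    """Suites in the list whose key exchange is static RSA key transport."""
    return [n for n in names if not classify(n)["forward_secrecy"]]


def preferred_order(names):
    """Rank suites: forward secrecy first, then AEAD, then ECDHE over DHE.
    sorted() is stable, so suites of equal rank keep the ASA's own order."""
    def rank(n):
        c = classify(n)
        return (c["forward_secrecy"], c["aead"], c["kx"] == "ECDHE")
    return sorted(names, key=rank, reverse=True)


if __name__ == "__main__":
    for n in preferred_order(HIGH_CIPHERS):
        c = classify(n)
        flags = ("PFS" if c["forward_secrecy"] else "no-PFS",
                 "AEAD" if c["aead"] else "CBC")
        print(f"{n:32} kx={c['kx']:5} auth={c['auth']:5} {' '.join(flags)}")
    print("static-RSA suites:", without_forward_secrecy(HIGH_CIPHERS))
```

Two of the eight "high" suites, AES256-GCM-SHA384 and AES256-SHA256, use static RSA key transport: a later compromise of the ASA's private key would decrypt any recorded sessions that negotiated them, which is exactly what the ECDHE suites in the title avoid. Note also that the ssl dh-group setting above only affects the DHE-RSA-* suites; the ECDHE suites negotiate an elliptic-curve group instead.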

I also recommend Qualys' SSL Labs testing toolkit, which is free. Make sure to check the box "do not show the results on the board" to keep your results private.

ASDM Fix ("Unable to launch device manager from...")

Because of the enforced strong encryption on the ASA, the default download of Java doesn't contain the encryption libraries required to run the ASDM GUI application used to manage the firewall. If Java is not updated with these libraries, the following error will be seen:

To allow Java to connect, the Java Cryptography Extension (JCE) policy pack must be downloaded and its files pasted over the existing ones in the local Java install. The JCE pack for the Java 8 family can be found here:

Both new policy files (local_policy.jar and US_export_policy.jar) must be dropped into this path: C:\Program Files (x86)\Java\(Java version path)\lib\security\. For instance, on a test machine this exact path is used: C:\Program Files (x86)\Java\jre1.8.0_131\lib\security\.

Keep an eye on this folder, though: every time Java updates itself, it will wipe out the JCE files you added, and you'll need to drop them into the folder again.

Happy encrypting,

Wednesday, February 1, 2017

GNS3: DMVPN with FVRF (Front Door VRF)

Hey all! 

I'm building up my iWan skills, and in the most recent CVD (Cisco Validated Design) for iWan, Cisco recommends setting up an FVRF (Front Door VRF) for each internet connection you have at a site. 

FVRFs allow your WAN routing to exist in a separate VRF from your internal network. That separation is a security benefit in itself, and it also means your default routes toward the internet never even risk being redistributed into your internal routing domain.

Now, I don't have access to any images in GNS3 to run the full iWan, but I do have images capable of running FVRFs, so that's what I've built here.

Download the GNS3 and Do It Yourself

There's nothing better for learning than building the thing yourself. Here's a completed GNS3 file with all features deployed. Please download and play with it yourself!

Files are here:!AliOPzHSO-Gng6BvZdB1wkuBgPnrFA

Good luck out there.