Teo En Ming's Guide to Configuring SSL VPN for Cisco ASA 5506-X Firepower Firewall with Let’s Encrypt SSL Certificates, LDAP/Active Directory Primary Authentication and Duo 2FA Secondary Authentication
Subject: Teo En Ming's Guide to Configuring SSL VPN for Cisco ASA 5506-X Firepower Firewall with Let’s Encrypt SSL Certificates, LDAP/Active Directory Primary Authentication and Duo 2FA Secondary Authentication
Author: Mr. Turritopsis Dohrnii Teo En Ming (Targeted Individual)
Country: Singapore
Date Published: 3rd August 2020 Monday Singapore Time
Type of Publication: Plain Text
INTRODUCTION
============
Cisco ASA firewall appliances use open source software.
Cisco Adaptive Security Appliance Software, version 9.8
Copyright (c) 1996-2019 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource
The basic configuration of the Cisco ASA 5506-X Firepower firewall had already been completed by a previous IT consultant (date unknown), so I shall not cover it here. I will cover configuration of the Cisco ASA 5506-X Firepower firewall from Phase 1 onwards, as described below.
The Cisco ASA 5506-X Firepower firewall costs about SGD$1000 in Singapore, with refurbished units costing around SGD$500.
PHASE 1: Basic Configuration of SSL VPN on Cisco ASA 5506-X Firepower Firewall
==============================================================================
Reference Guide: Cisco ASA Anyconnect Remote Access VPN
Link: https://networklessons.com/cisco/asa-firewall/cisco-asa-anyconnect-remote-access-vpn
Cisco ASA firewall CLI commands:
enable
config t
You can download Cisco AnyConnect Secure Mobility Client version 3.1.03103 at the following link. AnyConnect 3.1 is end-of-life; if you have a Cisco service contract, take the current AnyConnect head-end package from Cisco's software download site instead, and compare its checksum with the one Cisco publishes before loading it onto the firewall.
http://www.firewall.cx/downloads/doc_details/98-anyconnect-secure-mobility-client-win-mac-linux.html?tmpl=component
Install Filezilla FTP server on the Active Directory Domain Controller. The FTP server is only needed to stage the package onto the firewall's flash; an anonymous FTP service on a Domain Controller should not stay up, so bind it to the internal address only and stop or uninstall it once the copy has completed (SCP or TFTP from another host works just as well).
Create ftp username “anonymous” with empty password.
copy ftp://anonymous@<IP address of FTP server>/anyconnect-win-3.1.03103-k9.pkg flash:/anyconnect-win-3.1.03103-k9.pkg
The copy command takes the source URL and the flash destination as two arguments; the ASA prompts for whichever you leave out. Delete any old AnyConnect package that is no longer referenced (replace filename.pkg with its real name):
delete flash:filename.pkg
config t
webvpn
anyconnect image flash:/anyconnect-win-3.1.03103-k9.pkg
enable outside
anyconnect enable
sysopt connection permit-vpn
sysopt connection permit-vpn lets decrypted VPN traffic bypass the interface access lists, so what a VPN user can reach is governed only by the group policy (add a vpn-filter there if you need to restrict it) and by routing and NAT, not by the outside ACL.
http redirect OUTSIDE 80
ip local pool VPN_POOL 192.168.168.100-192.168.168.200 mask 255.255.255.0
192.168.168.0 is the VPN Pool.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
192.168.1.0 is the inside network behind the Cisco ASA firewall.
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
vpn-tunnel-protocol ssl-client ssl-clientless
ssl-clientless allows users of this group policy to log in to the browser-based clientless portal as well; if only the AnyConnect client will be used, leave it out so that the portal login cannot be used with these accounts.
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
dns-server value 8.8.8.8
With split tunnelling, VPN clients send DNS queries for internal names to this server, and 8.8.8.8 cannot resolve Active Directory names. If VPN users need to reach internal hosts by name, use the address of the AD Domain Controller here and set default-domain to the AD domain.
webvpn
anyconnect keep-installer installed
anyconnect ask none default anyconnect
anyconnect dpd-interval client 30
exit
tunnel-group MY_TUNNEL type remote-access
tunnel-group MY_TUNNEL general-attributes
default-group-policy ANYCONNECT_POLICY
address-pool VPN_POOL
exit
tunnel-group MY_TUNNEL webvpn-attributes
group-alias TEO_EN_MING_CORPORATION_SSL_VPN_USERS enable
username teo-en-ming password password
username teo-en-ming attributes
service-type remote-access
"password" above is a placeholder; use a strong password. This local account exists only to test the tunnel before LDAP and Duo are in place. Once Phase 3 sets authentication-server-group LDAP_SRV_GRP on the tunnel group, the ASA no longer checks the LOCAL database for this tunnel group (unless LOCAL fallback is configured), but the account stays valid for anything else that authenticates against LOCAL, so remove it or change its password when testing is done.
copy run start
PHASE 2: Installing 90-day Free Let's Encrypt SSL Certificate on Cisco ASA 5506-X Firepower Firewall SSL VPN
============================================================================================================
show flash
Check for asdm-xxx.bin
Go to https://<IP address of Cisco ASA 5506-X firewall>
Install Java Web Start
Install ASDM Launcher
On the Cisco ASDM:
Device IP address / Name: <private IP address of Cisco ASA 5506-X firewall>
Username: <empty>
Password: <enable password> (cisco was the default password on this unit)
If the enable password is still the default, change it before the SSL VPN goes live on the outside interface, and keep ASDM/HTTPS management access (the http command) limited to the inside management subnet.
Follow the rest of the instructions at the following link.
Reference Guide: INSTALLING A FREE CERTIFICATE ON A CISCO ASA FIREWALL FOR ANYCONNECT
Link: https://www.ipconfigz.com/installing-a-free-certificate-on-a-cisco-asa-firewall-for-anyconnect/
copy run start
A Let's Encrypt certificate is valid for 90 days and ASA 9.8 has no ACME client, so Phase 2 has to be repeated (new certificate issued and imported into the trustpoint that ssl trust-point assigns to the outside interface) before each expiry. Schedule this: once the certificate has expired, AnyConnect's default setting of blocking connections to untrusted servers stops users from connecting. The certificate must also contain the public name users connect to (sslvpn.teo-en-ming-corp.com in Phase 7) as a Subject Alternative Name.
config t
pager 0
show run
pager 0 turns off paging so that the whole running configuration prints in one go. show run masks ldap-login-password with asterisks, but more system:running-config shows it in clear text, so treat saved configuration dumps as sensitive.
PHASE 3: Configure LDAP/Active Directory Primary Authentication for Cisco ASA 5506-X SSL VPN
============================================================================================
Reference Guide: Configure LDAP Authentication for WebVPN Users
Link: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html
dsquery user -samid administrator
"CN=Administrator,CN=Users,DC=teo-en-ming-corp,DC=com"
enable
configure terminal
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside_1) host <private IP address of AD DC server>
ldap-base-dn dc=teo-en-ming-corp,dc=com
ldap-login-dn cn=ldapadmin,cn=users,dc=teo-en-ming-corp,dc=com
ldap-login-password password
ldap-naming-attribute sAMAccountName
ldap-scope subtree
server-type microsoft
exit
ldapadmin is a dedicated bind account; it only needs to read the directory, so an ordinary domain user with a strong password is enough. Do not bind as Administrator. As configured, the bind password and every VPN user's password cross the inside network in clear text on LDAP port 389; if the Domain Controller has a certificate for LDAPS, add ldap-over-ssl enable and server-port 636 under the host entry so that the ASA uses LDAP over SSL instead.
tunnel-group MY_TUNNEL general-attributes
authentication-server-group LDAP_SRV_GRP
Testing LDAP Authentication in Phase 3
======================================
debug ldap 255
test aaa-server authentication LDAP_SRV_GRP host <IP address of AD DC server> username administrator password password
Test with an ordinary domain user rather than Administrator, since that is the path VPN users will take. When done, switch the debug off again (undebug all); at level 255 it writes every bind and search, including the login DN, to the console.
Troubleshooting for Phase 3
============================
[1] Troubleshooting LDAP Connections to Active Directory Using Apache Directory Studio
Link: https://www.jamf.com/jamf-nation/articles/224/troubleshooting-ldap-connections-to-active-directory-using-apache-directory-studio
[2] Cisco – LDAP AAA Error "AAA Server has been removed"
Link: https://www.petenetlive.com/KB/Article/0001271
[3] ASA 9.8, Bridge groups, and LDAP authentication
Link: https://www.reddit.com/r/Cisco/comments/80qezi/asa_98_bridge_groups_and_ldap_authentication/
In this discussion (which concerns bridge-group interfaces on ASA 9.8), a Cisco ASA software bug was found which prevents the Cisco ASA firewall from communicating with the LDAP server/Active Directory Domain Controller. To resolve this issue, an upgrade of the ASA software image is required (see Phase 5).
PHASE 4: How to Install Duo 2FA Secondary Authentication for Cisco ASA 5506-X SSL VPN
=====================================================================================
Follow the Duo Authentication setup instructions at the following link.
Reference Guide: Cisco ASA SSL VPN for Browser and AnyConnect
Link: https://duo.com/docs/ciscoasa-ldap
Then follow the guide below. The Duo guide above defines Duo's service as a second aaa-server by hostname, so the firewall must be able to resolve that hostname itself; without DNS lookup enabled on the outside interface the secondary authentication fails.
Reference Guide: CISCO ASA Enable DNS Lookup Problem
Link: https://community.cisco.com/t5/network-security/cisco-asa-enable-dns-lookup-problem/td-p/1764736
conf t
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
exit
Phase 5: Upgrade Firmware and ASDM of Cisco ASA 5506-X Firepower Firewall
=========================================================================
copy run start
Follow the rest of the instructions at the following link.
Reference Guide: ASA 9.x : Upgrade a Software Image using ASDM or CLI Configuration Example
Link: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/200142-ASA-9-x-Upgrade-a-Software-Image-using.html
Phase 6: Configure NAT Exemption on the Cisco ASA 5506-X Firewall
=================================================================
Why do we need to configure NAT exemption on the Cisco ASA 5506-X Firepower firewall? Because the firewall otherwise applies its inside-to-outside NAT rule to traffic between the inside LAN and the VPN pool, so replies from the LAN to AnyConnect clients are translated and the Cisco AnyConnect Secure Mobility Client cannot reach the remote LAN behind the Cisco ASA firewall.
access-list NAT-EXEMPT extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0
The NAT-EXEMPT access list above is the pre-8.3 style (nat 0 access-list) and is not referenced by the twice-NAT rule below on ASA 8.3 and later; it is kept here only for reference.
object network obj-vpn_ip_address_pool
subnet 192.168.168.0 255.255.255.0
nat (inside_1,outside) source static any any destination static obj-vpn_ip_address_pool obj-vpn_ip_address_pool
This identity rule exempts every inside source talking to the VPN pool from translation. Replacing source static any any with a network object for 192.168.1.0/24 limits the exemption to the LAN, and appending no-proxy-arp route-lookup to the rule stops the ASA from answering ARP for the pool addresses on the inside interface.
no access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
Removing the only entry of SPLIT_TUNNEL deletes the access list, so the group policy's split-tunnel-network-list now refers to a list that no longer exists. If the intention is to tunnel all client traffic, the clearer way is split-tunnel-policy tunnelall in the group policy; if split tunnelling to the inside LAN is wanted, keep the entry.
MUST READ ARTICLES FOR PHASE 6
==============================
[1] Quick guide: AnyConnect Client VPN on Cisco ASA 5505
Link: https://www.techrepublic.com/blog/smb-technologist/quick-guide-anyconnect-client-vpn-on-cisco-asa-5505/
QUOTE:
"Do not use the same subnet as your inside network. So, if you're using 192.168.100.0/24 for the inside, use 192.168.104.0/24 for your VPN pool."
[2] How to configure NAT Exemption in version 8.3 for VPN in Cisco ASA?
Link: http://networkqna.com/how-to-configure-nat-exemption-in-version-8-3-for-vpn-in-cisco-asa/
Phase 7: Configuring Dynamic DNS (DDNS)
=======================================
The Cisco ASA 5506-X Firepower Firewall (ASA 9.8) does not support Dynamic DNS updates through the HTTP-based update APIs used by hosted DDNS providers. It only supports the IETF method, i.e. RFC 2136 DNS UPDATE messages sent directly to an authoritative DNS server that accepts dynamic updates.
Since the Cisco ASA does not support the HTTP method, it CANNOT update NO-IP or DynDNS hostnames itself. Newer ASA releases added an HTTP(S) web update method for DDNS; check the release notes for your version before relying on the workaround below.
The following are the results of my research on the Internet:
[01] With its sole reliance on the IETF method, websites such as DynDns.org cannot be updated using the ASA, however support has been added for HTTPS using port 443.
Link: https://www.globalknowledge.com/ca-en/resources/resource-library/articles/implementing-dynamic-dns-on-cisco-ios-router-and-asa/
[02] If you're asking if you can get the ASA5505 to "register" with dyndns, the answer is no. However, it appears that someone got a feature request added, though, under Cisco BugID CSCsl46782. (If you don't have a Cisco service contract, you can't view the details). However, it looks like it has an extremely low priority and I wouldn't expect it to be added anytime soon.
Link: https://serverfault.com/questions/272825/dyndns-updating-ip-address-via-cisco-asa-5505
PROPOSED WORKAROUND SOLUTION FOR PHASE 7
========================================
I would propose installing Dynamic DNS updater client software on AD DC server or any of your office computers which are permanently powered on.
ACTUAL SOLUTION FOR PHASE 7
===========================
Sign up for free No-IP account.
Create hostname teo-en-ming-corp.ddns.net, and point it to public IP address of the Cisco ASA firewall.
Install no-ip dynamic update client (duc) in any 24x7 computer behind the Cisco ASA firewall.
Create DNS CNAME record sslvpn.teo-en-ming-corp.com and point it to teo-en-ming-corp.ddns.net
Users connect to sslvpn.teo-en-ming-corp.com, so that name (not the ddns.net name) is the one the Let's Encrypt certificate from Phase 2 must carry, and the one to give users for the AnyConnect client.
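To make the distinction in Phase 7 concrete, the following added example (not code from this guide, from Cisco or from No-IP) builds both kinds of update: build_dns_update() produces the RFC 2136 DNS UPDATE message that the ASA's "IETF method" sends to an authoritative server that accepts dynamic updates, and build_noip_request() produces the HTTPS request that No-IP's update API expects instead, which is what the No-IP DUC on a LAN host sends. decode_dns_update() parses the UPDATE message back as a receiving server would, so the builder can be checked. The zone, hostnames, the 203.0.113.10 address and the credentials are constructed for the example; the No-IP endpoint and parameter names follow No-IP's published update API, and the User-Agent string is an assumption.

```python
"""What the two DDNS update methods from Phase 7 put on the wire.  Added
example, not Cisco or No-IP code.  The zone, hostnames, address and
credentials below are constructed for illustration."""
import base64
import ipaddress
import struct
import urllib.parse


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_update(zone, host, ip, ttl=300, txn_id=0x1234):
    """RFC 2136 UPDATE (opcode 5): one zone, no prerequisites, two update RRs:
    delete the existing A RRset of HOST (class ANY, TTL 0), then add HOST A IP."""
    header = struct.pack("!HHHHHH", txn_id, 5 << 11, 1, 0, 2, 0)  # ZOCOUNT=1, UPCOUNT=2
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)   # ZTYPE=SOA, ZCLASS=IN
    delete_rr = encode_name(host) + struct.pack("!HHIH", 1, 255, 0, 0)
    add_rr = encode_name(host) + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + zone_section + delete_rr + add_rr


def decode_name(buf, off):
    """Inverse of encode_name for uncompressed names; returns (name, next offset)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def decode_dns_update(packet):
    """Parse an UPDATE message back into its parts, as the receiving server would."""
    txn_id, flags, zocount, _prcount, upcount, _adcount = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    zone, off = decode_name(packet, off)
    off += 4                                                   # skip ZTYPE + ZCLASS
    updates = []
    for _ in range(upcount):
        name, off = decode_name(packet, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        addr = str(ipaddress.IPv4Address(rdata)) if rtype == 1 and rdlen == 4 else None
        updates.append((name, rtype, rclass, ttl, addr))
    return {"id": txn_id, "opcode": (flags >> 11) & 0xF, "zones": zocount,
            "zone": zone, "updates": updates}


def build_noip_request(hostname, ip, username, password):
    """The request No-IP's update API expects: an HTTPS GET carrying the hostname
    and address as query parameters, HTTP Basic credentials and a User-Agent.
    Nothing in the ASA 9.8 ddns commands can produce this, which is why the
    update has to run on a LAN host (the No-IP DUC)."""
    query = urllib.parse.urlencode({"hostname": hostname, "myip": ip})
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token,
               "User-Agent": "example-updater/1.0 admin@example.invalid"}  # assumed value
    return "https://dynupdate.no-ip.com/nic/update?" + query, headers


if __name__ == "__main__":
    pkt = build_dns_update("teo-en-ming-corp.com", "sslvpn.teo-en-ming-corp.com", "203.0.113.10")
    print(decode_dns_update(pkt))
    print(build_noip_request("teo-en-ming-corp.ddns.net", "203.0.113.10", "user", "secret")[0])
```

The UPDATE message is what a DNS server such as the AD Domain Controller's DNS (with dynamic updates allowed for the zone) would accept from the ASA; No-IP only accepts the HTTP form, so the two cannot be substituted for each other. Note that the No-IP request carries the account password in an HTTP Basic header, so it must only ever be sent over HTTPS.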
Phase 8: Synchronizing Users from Active Directory to Duo
=========================================================
Follow the setup instructions at the following link.
Reference Guide: Synchronizing Users from Active Directory
Link: https://duo.com/docs/adsync
dsquery user -samid teoenming
"CN=Turritopsis Dohrnii Teo En Ming,OU=Users,OU=Singapore,DC=teo-en-ming-corp,DC=com"
Phase 9: Enrolling Users at Duo
===============================
Reference Guide: Enrolling Users at Duo
Link: https://duo.com/docs/enrolling-users
Duo Admin Panel Login
Link: https://admin.duosecurity.com/
Phase 9 is the final phase.
===EOF===
REFERENCES
==========
[1] https://lkml.org/lkml/2020/8/3/295
[2] http://lkml.iu.edu/hypermail/linux/kernel/2008.0/00978.html
[3] https://marc.info/?l=linux-kernel&m=159645090202824&w=2
[4] https://lwn.net/ml/linux-kernel/151ee41881749de4afc3e67a967e6156%40teo-en-ming.com/
[5] http://lists.linuxfromscratch.org/pipermail/lfs-chat/2020-August/029140.html