• Changing Cisco VPN Client .pcf files on client computers

    I have a customer that uses Cisco VPN Client. They are going to change ISP, which means that they are going to change IP addresses. The VPN profiles today are set up using the IP, so I found a VB script to edit the .pcf file and a login script sample to execute it.

    VB Script:

    ' fixvpn.vbs - rewrites the Host= line of a Cisco VPN Client .pcf profile.
    ' Usage: fixvpn.vbs "C:\path\to\profile.pcf"
    Const ForReading = 1
    Const ForWriting = 2

    strFileName = WScript.Arguments(0)

    ' Placeholders: put the old and the new VPN gateway address here
    strOldText = "Host=Old Address"
    strNewText = "Host=New Address"

    ' Read the whole profile into memory
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.OpenTextFile(strFileName, ForReading)
    strText = objFile.ReadAll
    objFile.Close

    ' Swap the address and write the profile back without adding a trailing line break
    strText = Replace(strText, strOldText, strNewText)

    Set objFile = objFSO.OpenTextFile(strFileName, ForWriting)
    objFile.Write strText
    objFile.Close

    Login Script:

    if NOT EXIST("\\server\logs$\VPNfixed_" + @wksta + ".txt")
      AT (16,21) "Fixing VPN Files...                "

      ; Defining Logfile

      $VpnLogfile="\\server\logs$\VPNfixed_" + @wksta + ".txt"

      ; Fixing the files

      IF EXIST("C:\Program Files\Cisco Systems\VPN Client\Profiles\FILE.pcf")
       Shell '%comspec% /c \\server\netlogon\fixvpn.vbs "C:\Program Files\Cisco Systems\VPN Client\Profiles\FILE.pcf"'
      Endif
      IF EXIST("C:\Program\Cisco Systems\VPN Client\Profiles\FILE.pcf")
       Shell '%comspec% /c \\server\netlogon\fixvpn.vbs "C:\Program\Cisco Systems\VPN Client\Profiles\FILE.pcf"'
      Endif

      ; Writing loglines

      Open(1,$VpnLogfile,5)
      $Logline=@Date + "," + @time + "," + @Userid + "," + @wksta + @CRLF
      writeline(1,$LogLine)
      Close(1)
    Endif

    The login script checks whether the update has already been done on the computer, in which case it is skipped. It also writes a logfile so you can check which computers have been updated.

  • PIX-to-ASA Dynamic-to-Static VPN – Part 2

    This is a follow-up on the post about setting up PIX-to-ASA Dynamic-to-Static VPN; this time the ASA is static and the PIX is dynamic.

    Here is the config:

    ASA Config

    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 10.10.10.10 255.255.255.0
    !
    interface Ethernet0/1
     nameif Inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    access-list traffic_from_inside extended permit ip any 192.168.4.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    global (outside) 1 interface
    nat (Inside) 0 access-list Inside_nat0_outbound
    nat (Inside) 1 0.0.0.0 0.0.0.0
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map INDUS_DYNAMIC 1 set transform-set ESP-3DES-MD5
    crypto map outside_map_1 90 ipsec-isakmp dynamic INDUS_DYNAMIC
    crypto map outside_map_1 interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    tunnel-group DefaultL2LGroup ipsec-attributes
     pre-shared-key *

    PIX Config

    access-list inside_outside permit ip any 192.168.1.0 255.255.255.0
    access-list outside_inside permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list NAT-0-INSIDE permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_cryptomap_10 permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
    ip address outside dhcp setroute
    ip address inside 192.168.4.1 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list NAT-0-INSIDE
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 10 ipsec-isakmp
    crypto map outside_map 10 match address outside_cryptomap_10
    crypto map outside_map 10 set peer 10.10.10.10
    crypto map outside_map 10 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 10.10.10.10 netmask 255.255.255.255
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

  • Problems with ASA 5505 on a dynamic IP broadband connection… sometimes

    I just installed an ASA 5505 at one of my customer's remote offices, which does not have a static IP address. The problem was that the ASA did not get a dynamic IP address from the ISP.

    This is apparently a known problem (at least here in Sweden). It seems to affect customers of Bredbandsbolaget and Telia. Below are some links about the problem.

    There seems to be an unofficial release from Cisco that fixes this problem.

    Links

    IT Proffs
    Ogenstad.net

  • PIX-to-ASA Dynamic-to-Static VPN – Part 1

    I had to set up a Pix to Pix VPN tunnel where one of the Pixes had a dynamic IP address. Here are the sample configs:

    Static Side (Pix):

    access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_cryptomap_filial permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

    ip address outside X.X.X.X Y.Y.Y.Y

    nat (inside) 0 access-list inside_outbound_nat0_acl

    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key 1234567890 address 0.0.0.0 netmask 0.0.0.0
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400

    Dynamic Address (ASA):

    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    !

    access-list CRYPTO-TO-XXX extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list INSIDE_OUTBOUND_NAT0_ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

    global (outside) 1 interface
    nat (inside) 0 access-list INSIDE_OUTBOUND_NAT0_ACL

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map CRYPTO 10 match address CRYPTO-TO-XXX
    crypto map CRYPTO 10 set pfs group1
    crypto map CRYPTO 10 set peer X.X.X.X
    crypto map CRYPTO 10 set transform-set ESP-3DES-SHA
    crypto map CRYPTO interface outside
    crypto isakmp enable outside
    crypto isakmp policy 100
     authentication pre-share
     encryption 3des
     hash sha
     group 1
     lifetime 86400
    crypto isakmp nat-traversal  20
    tunnel-group X.X.X.X type ipsec-l2l
    tunnel-group X.X.X.X ipsec-attributes
     pre-shared-key 1234567890

    Source Links:

    Configuring PIX to PIX Dynamic-to-Static IPSec with NAT and Cisco VPN Client
    PIX/ASA 7.x PIX-to-PIX Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example

  • Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance

    To recover from the loss of passwords, perform the following steps:

    Step 1 Connect to the security appliance console port according to the “Accessing the Command-Line Interface” section.

    Step 2 Power off the security appliance, and then power it on.

    Step 3 During the startup messages, press the Escape key when prompted to enter ROMMON.

    Step 4 To set the security appliance to ignore the startup configuration at reload, enter the following command:

    rommon #1> confreg

    The security appliance displays the current configuration register value, and asks if you want to change the value:

    Current Configuration Register: 0x00000011

    Configuration Summary:

    boot TFTP image, boot default image from Flash on netboot failure

    Do you wish to change this configuration? y/n [n]:

    Step 5 Record your current configuration register value, so you can restore it later.

    Step 6 At the prompt, enter Y to change the value.

    The security appliance prompts you for new values.

    Step 7 Accept the default values for all settings, except for the “disable system configuration?” value; at that prompt, enter Y.

    Step 8 Reload the security appliance by entering the following command:

    rommon #2> boot

    The security appliance loads a default configuration instead of the startup configuration.

    Step 9 Enter privileged EXEC mode by entering the following command:

    hostname> enable

    Step 10 When prompted for the password, press Return.

    The password is blank.

    Step 11 Load the startup configuration by entering the following command:

    hostname# copy startup-config running-config

    Step 12 Enter global configuration mode by entering the following command:

    hostname# configure terminal

    Step 13 Change the passwords in the configuration by entering the following commands, as necessary:

    hostname(config)# password password

    hostname(config)# enable password password

    hostname(config)# username name password password

    Step 14 Change the configuration register to load the startup configuration at the next reload by entering the following command:

    hostname(config)# config-register value

    Where value is the configuration register value you noted in Step 5. 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.

    Step 15 Save the new passwords to the startup configuration by entering the following command:

    hostname(config)# copy running-config startup-config

  • Upgrading Software on Cisco Pix

    How do I upgrade the software on my Cisco Pix?

    Use the copy tftp flash Command to Upgrade the PIX

    Complete these steps in order to upgrade the PIX with the use of the copy tftp flash command.

    1. Copy the PIX Firewall binary image (pixnnn.bin) to the root directory of the TFTP server.

    2. Issue the copy tftp flash command from the PIX prompt.

    3. Enter the remote host IP address.

    4. Enter the PIX binary filename (has the pixnnn.bin name format).

    5. Type yes.

    Example – Upgrade the PIX Firewall with the copy tftp flash Command

    pixfirewall#copy tftp flash
    Address or name of remote host [127.0.0.1]? 172.18.125.3
    Source file name [cdisk]?pix611.bin
    copying tftp://172.18.125.3/pix611.bin to flash[yes|no|again]?yes
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Received 2562048 bytes.
    Erasing current image.
    Writing 2469944 bytes of image.
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Image installed.
    pixfirewall#

    Source: Cisco Systems

  • MTU problems resulting in VPN trouble…

    I have spent the day trying to troubleshoot a problem with a customer's VPN connection. Here is a little info on what I found:

    Background:

    The customer is using the Microsoft PPTP VPN client to connect to a Cisco Pix 515. All of a sudden, when they connect to the VPN it seems to work: they can ping, but they cannot connect to any resources. Among other things, this results in Terminal Services not being able to connect; you only get a black screen.

    Resolution:

    It seems that the problem is that the VPN tunnel is not allowing MTU larger than 1256.

    I found this out by using a tool I found on the internet called mturoute.exe (there is a lot of other fun stuff on that site).

    mturoute.zip (25,57 KB)

    This tool examines the MTU of a link. When I found this out I tried to edit the MTU size for the VPN connection in Windows according to this article.

    To do this, edit this value in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisWan\Parameters\Protocols

    Change the value of TunnelMTU to decimal 1256 (hex 4e8).

    I created a reg file (below) and imported it:

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisWan\Parameters\Protocols]
    "PPPProtocolType"=dword:00000021
    "ProtocolType"=dword:00000800
    "ProtocolMTU"=dword:00000514
    "TunnelMTU"=dword:000004e8
     
    I still do not know why this suddenly is a problem, but I will update here as soon as I find out.

  • Misc Troubleshooting

    Here are some nice troubleshooting tips:

    Tear down IPSEC tunnel: clear ipsec sa

    • clear crypto ipsec sa — This command resets the IPsec SAs after failed attempts to negotiate a VPN tunnel.

    • clear crypto isakmp sa — This command resets the ISAKMP SAs after failed attempts to negotiate a VPN tunnel.

    Capture packets on interface:

      capture CAPTURENAME access-list ACCESSLISTNAME interface INSIDE/OUTSIDE

    Check hits on access-lists: sh access-list

    Use more system:running-config to be able to read and verify the pre-shared keys in clear text.

    Links

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml

  • The Alias Command

    You can use the alias command for two purposes:

    1) You need to destination-NAT one destination address to another

    • In DNAT, the PIX changes the destination IP of an application call from one IP address to another IP address.

    • This process is used when you want the application call from the internal client to reach a server in a perimeter (DMZ) network by its external IP address. This does not "doctor" the DNS replies.

      alias(inside) 99.99.99.99 192.168.100.10 255.255.255.255

      !-- This sets up the Destination NAT. In this example the DNS reply is not
      !-- doctored by the PIX because the external address (99.99.99.99) does not
      !-- match the foreign IP address in the alias command (the second IP).
      !-- But the call is "dnat-ed" because the destination address
      !-- in the call matches the dnat IP address in the alias command (the first IP).

    2) You can use it to perform DNS doctoring of DNS replies from an external DNS server

    • In DNS Doctoring, the PIX changes the DNS response from a DNS server to be a different IP address than the DNS server actually answered for a given name.

    • This process is used when you want the application call from the internal client to connect to an internal server by its internal IP address.

      alias (inside) 10.10.10.10 99.99.99.99 255.255.255.255

      !-- This command sets up DNS Doctoring. It is initiated from the clients in
      !-- the "inside" network. It watches for DNS replies that contain
      !-- 99.99.99.99. Then it replaces the 99.99.99.99 address with the 10.10.10.10
      !-- address in the "DNS reply" sent to the client PC.

    Source: Cisco Corp

  • Cisco Pix – Standard Site-To-Site VPN Setup

    sysopt connection permit-ipsec
    access-list CRYPTO-TO-SOLNA permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list NAT-0 permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0

    nat (inside) 0 access-list NAT-0
    isakmp enable outside
    isakmp policy 100 encryption 3des
    isakmp policy 100 hash sha
    isakmp policy 100 authentication pre-share
    isakmp policy 100 group 1
    isakmp policy 100 lifetime 86400
    isakmp key 1234567890 address 212.75.70.2
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map SOLNA 10 ipsec-isakmp
    crypto map SOLNA 10 match address CRYPTO-TO-SOLNA
    crypto map SOLNA 10 set peer 212.75.70.2
    crypto map SOLNA 10 set transform-set ESP-3DES-SHA
    crypto map SOLNA 10 set pfs group1
    crypto map SOLNA 10 set security-association lifetime seconds 28800
    crypto map SOLNA interface outside

    sysopt connection permit-ipsec
    access-list CRYPTO-TO-STHLM permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list NAT-0 permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0

    nat (inside) 0 access-list NAT-0
    isakmp enable outside
    isakmp policy 100 encryption 3des
    isakmp policy 100 hash sha
    isakmp policy 100 authentication pre-share
    isakmp policy 100 group 1
    isakmp policy 100 lifetime 86400
    isakmp key 1234567890 address 212.75.71.2
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map SOLNA 10 ipsec-isakmp
    crypto map SOLNA 10 match address CRYPTO-TO-STHLM
    crypto map SOLNA 10 set peer 212.75.71.2
    crypto map SOLNA 10 set transform-set ESP-3DES-SHA
    crypto map SOLNA 10 set pfs group1
    crypto map SOLNA 10 set security-association lifetime seconds 28800
    crypto map SOLNA interface outside
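    A site-to-site tunnel only comes up when the two peers are exact mirrors of each other (same pre-shared key, same proposal, same PFS group, crypto ACLs reversed, and the isakmp key bound to the address the crypto map actually peers with). The following is an added Python example, not part of the original post, that parses the crypto-relevant lines of the two configs above (embedded as a constructed sample) and reports any mismatch:

```python
import re
# Constructed sample: the crypto-relevant lines of the two PIX configs above.
SIDE_A = """
access-list CRYPTO-TO-SOLNA permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
isakmp key 1234567890 address 212.75.70.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SOLNA 10 match address CRYPTO-TO-SOLNA
crypto map SOLNA 10 set peer 212.75.70.2
crypto map SOLNA 10 set transform-set ESP-3DES-SHA
crypto map SOLNA 10 set pfs group1
"""
SIDE_B = """
access-list CRYPTO-TO-STHLM permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
isakmp key 1234567890 address 212.75.71.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SOLNA 10 match address CRYPTO-TO-STHLM
crypto map SOLNA 10 set peer 212.75.71.2
crypto map SOLNA 10 set transform-set ESP-3DES-SHA
crypto map SOLNA 10 set pfs group1
"""

def parse(cfg):
    """Extract crypto ACL entries, PSK, peer, transform-set and PFS from one peer's config."""
    s = {"acl": {}, "ts": {}, "map": {}}
    for line in cfg.splitlines():
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            s["acl"].setdefault(m[1], []).append(m.groups()[1:])   # (src, smask, dst, dmask)
        elif m := re.match(r"isakmp key (\S+) address (\S+)", line):
            s["key"], s["key_peer"] = m[1], m[2]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            s["ts"][m[1]] = tuple(m[2].split())
        elif m := re.match(r"crypto map \S+ \d+ (match address|set \S+) (\S+)", line):
            s["map"][m[1]] = m[2]
    return s

def check(a, b):
    """Mismatches between two parsed peers (PSK binding, key, proposal, PFS, mirrored ACLs)."""
    problems = [f"{n}: isakmp key address differs from crypto map peer"
                for n, x in (("A", a), ("B", b)) if x.get("key_peer") != x["map"].get("set peer")]
    if a.get("key") != b.get("key"):
        problems.append("pre-shared keys differ")
    if a["ts"][a["map"]["set transform-set"]] != b["ts"][b["map"]["set transform-set"]]:
        problems.append("transform-set proposals differ")
    if a["map"].get("set pfs") != b["map"].get("set pfs"):
        problems.append("PFS group differs")
    # interesting traffic on one side must be the exact mirror of the other's
    mirror = {(d, dm, s, sm) for s, sm, d, dm in b["acl"][b["map"]["match address"]]}
    if set(a["acl"][a["map"]["match address"]]) != mirror:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

    An empty list from check(parse(SIDE_A), parse(SIDE_B)) means the two configs above mirror each other; paste in a real pair of configs to find the typo before staring at debug crypto output.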