Changing Cisco VPN Client .pcf files on client computers

I have a customer that uses the Cisco VPN Client. They are going to change ISP, which means that they are going to change IP addresses. The VPN profiles today are set up using the IP address, so I found a VB script to edit the .pcf file and a login script sample to execute it.

VB Script:

Option Explicit

Const ForReading = 1
Const ForWriting = 2

Dim strFileName, strOldText, strNewText, strText, strUpdated
Dim objFSO, objFile

' The path to the .pcf file is passed as the first argument
strFileName = WScript.Arguments(0)

' Old and new gateway entries, exactly as they appear in the profile
strOldText = "Host=Old Address"
strNewText = "Host=New Address"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFileName, ForReading)
strText = objFile.ReadAll
objFile.Close

' Only rewrite the file when the old address is actually in it
If InStr(strText, strOldText) > 0 Then
    strUpdated = Replace(strText, strOldText, strNewText)
    ' Write (not WriteLine) so no extra line break is appended to the file
    Set objFile = objFSO.OpenTextFile(strFileName, ForWriting)
    objFile.Write strUpdated
    objFile.Close
End If

Login Script (KiXtart):

if NOT EXIST("\\server\logs$\VPNfixed_" + @wksta + ".txt")
  AT (16,21) "Fixing VPN Files...                "

  ; Defining Logfile
  $VpnLogfile="\\server\logs$\VPNfixed_" + @wksta + ".txt"

  ; Fixing the files (English and localized "C:\Program" Program Files paths)
  IF EXIST("C:\Program Files\Cisco Systems\VPN Client\Profiles\FILE.pcf")
   Shell '%comspec% /c \\server\netlogon\fixvpn.vbs "C:\Program Files\Cisco Systems\VPN Client\Profiles\FILE.pcf"'
  Endif
  IF EXIST("C:\Program\Cisco Systems\VPN Client\Profiles\FILE.pcf")
   Shell '%comspec% /c \\server\netlogon\fixvpn.vbs "C:\Program\Cisco Systems\VPN Client\Profiles\FILE.pcf"'
  Endif

  ; Writing loglines
  Open(1,$VpnLogfile,5)
  $Logline=@Date + "," + @time + "," + @Userid + "," + @wksta + @CRLF
  writeline(1,$LogLine)
  Close(1)
Endif

The login script checks whether the update has already been done on this workstation (the per-workstation log file exists) and skips it in that case. It also writes a log line so you can see which computers have been updated. Since every client runs fixvpn.vbs from the netlogon share at logon, make sure only administrators can write to that share and to the script, and remember that the .pcf profile also carries the group name and the group password (obfuscated, not encrypted), so treat the profile files as sensitive.
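As an added example (not the post's own script and not Cisco code), here is the same profile edit written so that it only touches the Host key inside the [main] section, preserves every other line and the file's CRLF line endings, keeps a .bak copy, and returns what it changed so a logon script can log it. The sample profile, the addresses (documentation ranges) and the temporary directory in demo() are constructed; the real profile directory is the one named in the login script above.

```python
"""Edit the Host= entry of Cisco VPN Client .pcf profiles.

Added example, not part of the original post and not Cisco's code.
Only the Host key in the [main] section is changed; everything else,
including enc_GroupPwd, is left byte-for-byte as it was.
"""
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# Constructed sample .pcf; real profiles carry more keys in the same INI layout.
SAMPLE_PCF = (
    "[main]\r\n"
    "Description=Head office\r\n"
    "Host=203.0.113.10\r\n"
    "AuthType=1\r\n"
    "GroupName=office\r\n"
    "enc_GroupPwd=0123456789ABCDEF\r\n"
    "EnableISPConnect=0\r\n"
)


def rewrite_host(text: str, old_host: str, new_host: str) -> Tuple[str, int]:
    """Return (updated_text, number_of_lines_changed).

    Only a 'Host=<old_host>' line inside the [main] section is rewritten.
    Key and value are compared after trimming, so 'Host = x' and files with
    mixed CRLF/LF endings are handled; each line keeps its own line ending.
    """
    out = []
    section = None
    changed = 0
    for raw in text.splitlines(keepends=True):
        body = raw.rstrip("\r\n")
        eol = raw[len(body):]
        stripped = body.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
        elif section == "main" and "=" in body:
            key, value = body.split("=", 1)
            if key.strip().lower() == "host" and value.strip() == old_host:
                out.append(f"Host={new_host}{eol}")
                changed += 1
                continue
        out.append(raw)
    return "".join(out), changed


def update_profile(path: Path, old_host: str, new_host: str) -> int:
    """Edit one profile in place (backup first); return lines changed."""
    # newline="" keeps the file's own CRLFs instead of translating them
    with path.open("r", encoding="latin-1", newline="") as fh:
        original = fh.read()
    updated, changed = rewrite_host(original, old_host, new_host)
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        with path.open("w", encoding="latin-1", newline="") as fh:
            fh.write(updated)
    return changed


def update_profiles_dir(profiles_dir: Path, old_host: str, new_host: str) -> Dict[str, int]:
    """Process every *.pcf in the profile directory; {filename: lines changed}."""
    return {
        p.name: update_profile(p, old_host, new_host)
        for p in sorted(Path(profiles_dir).glob("*.pcf"))
    }


def demo() -> Dict[str, object]:
    """Run the editor on a constructed profile directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        profiles = Path(tmp)
        (profiles / "office.pcf").write_bytes(SAMPLE_PCF.encode("latin-1"))
        (profiles / "other.pcf").write_bytes(
            SAMPLE_PCF.replace("203.0.113.10", "192.0.2.99").encode("latin-1"))
        result = update_profiles_dir(profiles, "203.0.113.10", "198.51.100.20")
        after = (profiles / "office.pcf").read_bytes().decode("latin-1")
        backup = (profiles / "office.pcf.bak").exists()
        other_backup = (profiles / "other.pcf.bak").exists()
    return {"changed": result, "after": after,
            "backup": backup, "other_backup": other_backup}


if __name__ == "__main__":
    print(demo())
```

Point it at the Profiles directory with update_profiles_dir(Path(r"C:\Program Files\Cisco Systems\VPN Client\Profiles"), old, new); the dictionary it returns is what the login script would write to its log, and a profile that does not contain the old address is neither rewritten nor backed up.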

PIX-to-ASA Dynamic-to-Static VPN – Part 2

This is a follow-up to the Part 1 post about setting up a PIX-to-ASA dynamic-to-static VPN; this time the ASA has the static address and the PIX the dynamic one.

Here is the config:

ASA Config

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.10 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list traffic_from_inside extended permit ip any 192.168.4.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
global (outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map INDUS_DYNAMIC 1 set transform-set ESP-3DES-MD5
crypto map outside_map_1 90 ipsec-isakmp dynamic INDUS_DYNAMIC
crypto map outside_map_1 interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *

The dynamic crypto map and the key under DefaultL2LGroup together mean the ASA will accept an IKE negotiation from any address that presents the right pre-shared key, so that key is the whole of the peer authentication here: make it long and random, and keep the nat 0 and crypto ACLs limited to the remote subnet. 3DES with MD5 and DH group 2 are chosen to match the older PIX; prefer AES and SHA where both ends support them.

PIX Config

access-list inside_outside permit ip any 192.168.1.0 255.255.255.0
access-list outside_inside permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list NAT-0-INSIDE permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside dhcp setroute
ip address inside 192.168.4.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NAT-0-INSIDE
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 10.10.10.10
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 10.10.10.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Problems with ASA 5505 on a dynamic IP broadband connection… sometimes

I just installed an ASA 5505 at one of my customer's remote offices, which does not have a static IP address. The problem was that the ASA did not get a dynamic IP address from the ISP.

This is apparently a known problem (at least here in Sweden). It seems to affect customers of Bredbandsbolaget and Telia. Below are some links about the problem.

There seems to be an unofficial release from Cisco that fixes this problem.

Links

IT Proffs
Ogenstad.net

PIX-to-ASA Dynamic-to-Static VPN – Part 1

I had to set up a VPN tunnel between a PIX and an ASA where the ASA had a dynamic IP address. Here are the sample configs:

Static Side (Pix):

access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_filial permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address outside X.X.X.X Y.Y.Y.Y

nat (inside) 0 access-list inside_outbound_nat0_acl

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key 1234567890 address 0.0.0.0 netmask 0.0.0.0
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

The line crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map binds the dynamic map to the crypto map that is applied on the outside interface; without it the PIX never consults the dynamic map and the tunnel does not come up. The isakmp key with address 0.0.0.0 netmask 0.0.0.0 is what lets a peer at an unknown address authenticate, but it also means anyone who learns the key can build a tunnel, so use a long random key (1234567890 is a placeholder) and keep the crypto ACL narrow.

Dynamic Address (ASA):

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!

access-list CRYPTO-TO-XXX extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list INSIDE_OUTBOUND_NAT0_ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list INSIDE_OUTBOUND_NAT0_ACL

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CRYPTO 10 match address CRYPTO-TO-XXX
crypto map CRYPTO 10 set pfs group1
crypto map CRYPTO 10 set peer X.X.X.X
crypto map CRYPTO 10 set transform-set ESP-3DES-SHA
crypto map CRYPTO interface outside
crypto isakmp enable outside
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key 1234567890

Source Links:

Configuring PIX to PIX Dynamic-to-Static IPSec with NAT and Cisco VPN Client
PIX/ASA 7.x PIX-to-PIX Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example

Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance

To recover from the loss of passwords, perform the following steps:


Step 1 Connect to the security appliance console port according to the “Accessing the Command-Line Interface” section.

Step 2 Power off the security appliance, and then power it on.

Step 3 During the startup messages, press the Escape key when prompted to enter ROMMON.

Step 4 To set the security appliance to ignore the startup configuration at reload, enter the following command:

rommon #1> confreg

The security appliance displays the current configuration register value, and asks if you want to change the value:

Current Configuration Register: 0x00000011

Configuration Summary:

boot TFTP image, boot default image from Flash on netboot failure

Do you wish to change this configuration? y/n [n]:

Step 5 Record your current configuration register value, so you can restore it later.

Step 6 At the prompt, enter Y to change the value.

The security appliance prompts you for new values.

Step 7 Accept the default values for all settings, except for the “disable system configuration?” value; at that prompt, enter Y.

Step 8 Reload the security appliance by entering the following command:

rommon #2> boot

The security appliance loads a default configuration instead of the startup configuration.

Step 9 Enter privileged EXEC mode by entering the following command:

hostname> enable

Step 10 When prompted for the password, press Return.

The password is blank.

Step 11 Load the startup configuration by entering the following command:

hostname# copy startup-config running-config

Step 12 Enter global configuration mode by entering the following command:

hostname# configure terminal

Step 13 Change the passwords in the configuration by entering the following commands, as necessary:

hostname(config)# password password

hostname(config)# enable password password

hostname(config)# username name password password

Step 14 Change the configuration register to load the startup configuration at the next reload by entering the following command:

hostname(config)# config-register value

Where value is the configuration register value you noted in Step 5. 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.

Step 15 Save the new passwords to the startup configuration by entering the following command:

hostname(config)# copy running-config startup-config

Anyone with a console cable can do this, so it is physical access to the appliance that protects the configuration. Where that is a concern, no service password-recovery makes the configuration-register change in Step 7 erase the startup configuration instead of bypassing it, so the passwords stay secret at the cost of the configuration.

Upgrading Software on Cisco Pix

How do I upgrade the software on my Cisco PIX?

Use the copy tftp flash Command to Upgrade the PIX

Complete these steps in order to upgrade the PIX with the use of the copy tftp flash command.

  1. Copy the PIX Firewall binary image (pixnnn.bin) to the root directory of the TFTP server.

  2. Issue the copy tftp flash command from the PIX prompt.

  3. Enter the remote host IP address.

  4. Enter the PIX binary filename (has the pixnnn.bin name format).

  5. Type yes.

Example – Upgrade the PIX Firewall with the copy tftp flash Command

pixfirewall# copy tftp flash
Address or name of remote host [127.0.0.1]? 172.18.125.3
Source file name [cdisk]? pix611.bin
copying tftp://172.18.125.3/pix611.bin to flash
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 2562048 bytes.
Erasing current image.
Writing 2469944 bytes of image.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed.
pixfirewall#

TFTP has no authentication or integrity protection, so take the image only from Cisco, compare its MD5 with the checksum published next to the download before putting it on the TFTP server, and run the transfer from a trusted network segment. "Erasing current image" means there is no fallback if the transfer is corrupt, so keep a console connection at hand.

Source: Cisco Systems

MTU problems resulting in VPN trouble…

I have spent the day troubleshooting a problem with a customer's VPN connection. Here is a little info on what I found:

Background:

The customer is using Microsoft PPTP VPN client to connect to a Cisco Pix 515. All of a sudden when they connect to VPN it seems to be working, they can ping but they cannot connect to any resources. This results among other things in Terminal Services not being able to connect and you will only get a black screen.

Resolution:

It turned out that the VPN tunnel does not pass packets larger than 1256 bytes, which is why small packets such as pings get through while sessions that send full-size packets, such as Terminal Services, hang.

I found this out using a tool called mturoute.exe that I found on the internet (there is a lot of other fun stuff on that site).

mturoute.zip (25,57 KB)

The tool probes the MTU of a link. Once I knew the size, I changed the MTU of the VPN connection in Windows according to this article.

To do this, edit this key in the registry (the 0 subkey under Protocols is the IP entry, the one with PPPProtocolType 0x21):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisWan\Parameters\Protocols\0

Change the value of TunnelMTU to decimal 1256.

I created a reg file (below) and imported it (0x4e8 is 1256; ProtocolMTU 0x514 is 1300):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisWan\Parameters\Protocols\0]
"PPPProtocolType"=dword:00000021
"ProtocolType"=dword:00000800
"ProtocolMTU"=dword:00000514
"TunnelMTU"=dword:000004e8
 
I still do not know why this suddenly became a problem, but I will update here as soon as I find out.
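As an added example (not from the post and not mturoute's code), this is the probing technique such a tool uses, written out: send echo requests with the Don't Fragment bit set and binary-search the size until the largest packet that still gets a reply is found. The probe that actually sends packets is pluggable, so the search can be exercised offline against a constructed link; the Linux iputils ping flags are an assumption (Windows ping does the same with ping -f -l <payload> <host>), and the reg_dword helper renders the result the way the .reg file above expects it.

```python
"""Find the path MTU the way mturoute does: DF-flagged pings, shrinking
until one gets through. Added example, not part of the original post.
"""
import subprocess
from typing import Callable

IP_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
MIN_IPV4_MTU = 576      # every IPv4 host must accept packets this size
DEFAULT_MAX = 1500      # Ethernet


def linux_df_ping(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Probe that sends one echo with Don't Fragment set; True on a reply.

    Assumes iputils ping: -M do sets DF, -s is the ICMP payload size.
    """
    def probe(payload: int) -> bool:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
               "-s", str(payload), host]
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    return probe


def simulated_link(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a path with the given MTU, for offline runs."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= mtu


def find_path_mtu(probe: Callable[[int], bool],
                  low: int = MIN_IPV4_MTU, high: int = DEFAULT_MAX) -> int:
    """Largest total IPv4 packet size in [low, high] that passes unfragmented.

    The probe receives the ICMP payload size (packet size minus 28 bytes).
    Loop invariant: 'low' passes and 'high' fails.
    """
    if not probe(low - IP_ICMP_OVERHEAD):
        raise RuntimeError(f"even {low}-byte packets get no reply: host down or ICMP filtered")
    if probe(high - IP_ICMP_OVERHEAD):
        return high
    while high - low > 1:
        mid = (low + high) // 2
        if probe(mid - IP_ICMP_OVERHEAD):
            low = mid
        else:
            high = mid
    return low


def reg_dword(value: int) -> str:
    """Render an integer the way a .reg file wants it: dword:XXXXXXXX."""
    return f"dword:{value:08x}"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        mtu = find_path_mtu(linux_df_ping(sys.argv[1]))   # real probe against a host
    else:
        mtu = find_path_mtu(simulated_link(1256))          # offline demo of the search
    print(f"path MTU {mtu}; TunnelMTU={reg_dword(mtu)}")
```

A result of 1256 from the real probe corresponds to the TunnelMTU value 000004e8 in the reg file; about ten probes are enough to pin the size down between 576 and 1500, and a RuntimeError on the first probe usually means ICMP is filtered rather than a tiny MTU.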

Misc Troubleshooting

Here are some nice troubleshooting tips:

Tear down an IPsec tunnel:

  • clear crypto ipsec sa — This command resets the IPsec SAs after failed attempts to negotiate a VPN tunnel.

  • clear crypto isakmp sa — This command resets the ISAKMP SAs after failed attempts to negotiate a VPN tunnel.

Capture packets on an interface:

  capture CAPTURENAME access-list ACCESSLISTNAME interface INSIDE/OUTSIDE

Check hits on access-lists: sh access-list

Use more system:running-config to read and verify the pre-shared keys in clear text (show running-config masks them with asterisks).

Links

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml

The Alias Command

You can use the alias command for two purposes:

1) Destination NAT of one destination address to another

  • In dnat, the PIX changes the destination IP of an application call from one IP address to another IP address.

  • This is used when you want the application call from the internal client to reach a server on a perimeter (DMZ) network by its external IP address. This does not "doctor" the DNS replies.

  alias (inside) 99.99.99.99 192.168.100.10 255.255.255.255

  !--- This sets up the Destination NAT. In this example the DNS reply is not
  !--- doctored by the PIX because the external address (99.99.99.99) does not
  !--- match the foreign IP address in the alias command (the second IP).
  !--- But the call is "dnat-ed" because the destination address
  !--- in the call matches the dnat IP address in the alias command (the first IP).

2) DNS doctoring of DNS replies from an external DNS server

  • In DNS doctoring, the PIX changes the DNS response from a DNS server to a different IP address than the one the DNS server actually answered for a given name.

  • This is used when you want the application call from the internal client to connect to an internal server by its internal IP address.

  alias (inside) 10.10.10.10 99.99.99.99 255.255.255.255

  !--- This command sets up DNS doctoring. It is initiated from the clients in
  !--- the "inside" network. It watches for DNS replies that contain
  !--- 99.99.99.99. Then it replaces the 99.99.99.99 address with the 10.10.10.10
  !--- address in the "DNS reply" sent to the client PC.

Note that alias only exists on PIX 6.x; PIX 7.x and the ASA do DNS doctoring with the dns keyword on the static command instead.

Source: Cisco Corp

Cisco Pix – Standard Site-To-Site VPN Setup

Site with 192.168.200.0/24 behind it (peer 212.75.70.2):

sysopt connection permit-ipsec
access-list CRYPTO-TO-SOLNA permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NAT-0 permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0

nat (inside) 0 access-list NAT-0
isakmp enable outside
isakmp policy 100 encryption 3des
isakmp policy 100 hash sha
isakmp policy 100 authentication pre-share
isakmp policy 100 group 1
isakmp policy 100 lifetime 86400
isakmp key 1234567890 address 212.75.70.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SOLNA 10 ipsec-isakmp
crypto map SOLNA 10 match address CRYPTO-TO-SOLNA
crypto map SOLNA 10 set peer 212.75.70.2
crypto map SOLNA 10 set transform-set ESP-3DES-SHA
crypto map SOLNA 10 set pfs group1
crypto map SOLNA 10 set security-association lifetime seconds 28800
crypto map SOLNA interface outside

Site with 192.168.100.0/24 behind it (peer 212.75.71.2):

sysopt connection permit-ipsec
access-list CRYPTO-TO-STHLM permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list NAT-0 permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0

nat (inside) 0 access-list NAT-0
isakmp enable outside
isakmp policy 100 encryption 3des
isakmp policy 100 hash sha
isakmp policy 100 authentication pre-share
isakmp policy 100 group 1
isakmp policy 100 lifetime 86400
isakmp key 1234567890 address 212.75.71.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SOLNA 10 ipsec-isakmp
crypto map SOLNA 10 match address CRYPTO-TO-STHLM
crypto map SOLNA 10 set peer 212.75.71.2
crypto map SOLNA 10 set transform-set ESP-3DES-SHA
crypto map SOLNA 10 set pfs group1
crypto map SOLNA 10 set security-association lifetime seconds 28800
crypto map SOLNA interface outside

The crypto ACL and the nat 0 ACL on each side must mirror the other side's exactly, and the isakmp policy, transform set and PFS group must match on both ends. The key 1234567890 is a placeholder; use a long random pre-shared key per peer and, if both ends support it, a stronger Diffie-Hellman group than group 1.