Showing and logging off VPN sessions via the ASA CLI

Thursday, 29. July 2010

You could add this to my ‘Commands I always forget’ post, but since I’m going to turn this into a little bit of a walkthrough I decided to make it into its own post.  Most admins use two commands to verify IPSec VPN security associations.  Those, of course, are…

ASA# show crypto isakmp sa

and

ASA# show crypto ipsec sa

Both of these commands provide you with a wealth of information about the IPSec connection.  However, what about SSL VPN sessions?  Or WebVPN sessions?  Since these technically aren’t IPSec connections, they don’t show up in the ‘show crypto’ commands.  Below I’ll walk through a couple of commands which show you more information about all types of VPN connections.

How to see current WebVPN Sessions
ASA# show vpn-sessiondb webvpn
Session Type: WebVPN
Username     : langemakj              Index        : 13
Public IP    : 10.20.30.78
Protocol     : Clientless
License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 147092                 Bytes Rx     : 31993
Group Policy : GP_SSLVPN              Tunnel Group : TG_SSLVPN
Login Time   : 14:04:01 CST Thu Jul 29 2010
Duration     : 0h:00m:11s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
Notes: So as you can see, this gives you a ton of info on the connection including the user’s group policy, tunnel group, and their public IP (Note: I’m testing off of the internal ASA interface, hence the RFC 1918 addressing).

How to log off current WebVPN Sessions
ASA# vpn-sessiondb logoff name langemakj
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions with name "langemakj" logged off : 1
Notes: What’s interesting about the log off procedure is that it’s done by tunnel group or username.  Note that in this instance I don’t even have to specify that it’s a WebVPN session that I want to log off.  Conversely, if I wanted to log off all of the WebVPN sessions I could just input ‘vpn-sessiondb logoff webvpn’, which would log off all users connected to WebVPN.
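Once you have more than a handful of sessions, reading that output by eye stops scaling. As an added example (my code, not something from the original post or from Cisco), here is a small Python parser for the ‘show vpn-sessiondb’ output format shown above: it splits the output into one record per session, converts the Duration field to seconds, and flags sessions that an admin should look at, either because they negotiated a legacy cipher (the post’s own session shows RC4) or because they have been connected longer than a configurable limit. The sample output is constructed: the first record is the session from the post, the second is a made-up one so there is something to compare against. The thresholds and cipher list are my assumptions.

```python
import re

# Constructed sample: record one is the post's session, record two is made up.
SAMPLE_OUTPUT = """\
Session Type: WebVPN
Username     : langemakj              Index        : 13
Public IP    : 10.20.30.78
Protocol     : Clientless
License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 147092                 Bytes Rx     : 31993
Group Policy : GP_SSLVPN              Tunnel Group : TG_SSLVPN
Login Time   : 14:04:01 CST Thu Jul 29 2010
Duration     : 0h:00m:11s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Session Type: WebVPN
Username     : contractor1            Index        : 14
Public IP    : 203.0.113.10
Protocol     : Clientless
License      : SSL VPN
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 1024                   Bytes Rx     : 2048
Group Policy : GP_SSLVPN              Tunnel Group : TG_SSLVPN
Login Time   : 09:00:00 CST Thu Jul 29 2010
Duration     : 14h:12m:03s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
"""

# One "Key : value" pair; a second pair on the same line begins after two or more spaces.
PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:|\s*$)")

# Ciphers I would not want to see on a remote-access session today (my list, an assumption).
LEGACY_CIPHERS = {"RC4", "DES"}


def parse_sessions(text):
    """Split 'show vpn-sessiondb' output into one dict per session."""
    sessions = []
    for line in text.splitlines():
        for key, value in PAIR.findall(line):
            key, value = key.strip(), value.strip()
            if key == "Session Type":      # every session record starts with this field
                sessions.append({})
            if sessions:
                sessions[-1][key] = value
    return sessions


def duration_seconds(text):
    """Convert the ASA's 'Xh:YYm:ZZs' duration (optional leading 'Nd ', assumed) to seconds."""
    m = re.fullmatch(r"(?:(\d+)d )?(\d+)h:(\d+)m:(\d+)s", text)
    if not m:
        raise ValueError(f"unexpected duration format: {text!r}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def flag_sessions(sessions, max_seconds=12 * 3600):
    """Return (username, reasons) for sessions that deserve a second look."""
    flagged = []
    for s in sessions:
        reasons = []
        if s.get("Encryption") in LEGACY_CIPHERS:
            reasons.append(f"legacy cipher {s['Encryption']}")
        if duration_seconds(s.get("Duration", "0h:00m:00s")) > max_seconds:
            reasons.append(f"connected longer than {max_seconds // 3600}h")
        if reasons:
            flagged.append((s["Username"], reasons))
    return flagged


def logoff_command(username):
    """The per-user log off command from the post, ready to paste into the ASA."""
    return f"vpn-sessiondb logoff name {username}"


if __name__ == "__main__":
    for user, reasons in flag_sessions(parse_sessions(SAMPLE_OUTPUT)):
        print(f"{user}: {', '.join(reasons)}  ->  {logoff_command(user)}")
```

Feed it the real output of ‘show vpn-sessiondb webvpn’ (or ‘svc’) captured over SSH and you get a review list instead of a scroll of text; the logoff command it prints is the same one-liner from the post.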

Wrap up
So now that we have an idea of how it works with WebVPN connections, let’s use the trusty ‘?’ to see what else we can do with the ‘vpn-sessiondb’.

ASA# show vpn-sessiondb ?
  detail       Show detailed output
  email-proxy  Email-Proxy sessions
  full         Output formatted for data management programs
  index        Index of session
  l2l          IPsec LAN-to-LAN sessions
  ratio        Show VPN Session protocol or encryption ratios
  remote       IPsec Remote Access sessions
  summary      Show VPN Session summary
  svc          SSL VPN Client sessions
  vpn-lb       VPN Load Balancing Mgmt sessions
  webvpn       WebVPN sessions
  |            Output modifiers
  <cr>

As you can see, you can use the vpn-sessiondb command to look at each type of VPN connection.  While I usually still use the ‘show crypto’ commands for IPSec connections, you HAVE to use the vpn-sessiondb for AnyConnect and WebVPN.  Play around with it, remember, the ‘?’ is your best friend!

Configuring ISP failover on a Cisco ASA

Friday, 25. June 2010

I had the opportunity to configure ISP failover on an ASA the other day and I thought I’d share the configuration as well as a couple of tips on using it.  I recall that when I started working on ASAs I would always read that ‘dual ISP’ support was a feature of the Security Plus (Sec+) licensing set.  To me, that always meant that it was its own feature and had its own configuration commands.  As it turns out, that’s not the case.  In fact, the only reason you really need Sec+ to accomplish this is so that you can have an additional ‘full’ interface.  The rest of the configuration is really just an SLA monitor, tracked default routes, and an extra global NAT pool.  Let’s walk through the configuration on a 5505.  I’m only going to touch the major parts of this, so please don’t consider this a full build.

Notes
-Insert your relevant information between <>
-Console prompts are shown in green
-Text in blue are variable names I made up, feel free to change them

Configure your interfaces
Inside Interface

ASA(config)# interface Vlan1
ASA(config-if)# description Inside Interface
ASA(config-if)# nameif inside
ASA(config-if)# ip address <Inside IP> <Inside Mask>

Outside Interface
ASA(config)# interface Vlan2
ASA(config-if)# description Primary ISP
ASA(config-if)# nameif outside
ASA(config-if)# ip address <ISP 1 IP> <ISP 1 Mask>

Backup ISP Interface
ASA(config)# interface Vlan3
ASA(config-if)# description Backup ISP
ASA(config-if)# nameif backupisp
ASA(config-if)# security-level 0
ASA(config-if)# ip address <ISP 2 IP> <ISP 2 Mask>

Assign them to switchports
ASA(config)# interface Ethernet0/0
ASA(config-if)# switchport access vlan 2
ASA(config)# interface Ethernet0/1
ASA(config-if)# switchport access vlan 3
Notes: VLAN 1 is the default so I’m not assigning it, just use one of the other ports for it.

Configure NAT
Define your Global pools
ASA(config)# global (outside) 1 <An IP in your Primary ISPs pool that you want to use for NAT/PAT>
ASA(config)# global (backupisp) 1 <An IP in your Backup ISPs pool that you want to use for NAT/PAT>
Notes: You need to define both the primary and backup address as global pools to match up against the NAT pool.  I totally forgot about that during the install and couldn’t figure out why I wasn’t passing traffic.

Define your inside NAT
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Notes: Some people use a specific network here; I always just use 0 0 if it’s a small setup.

Configure the SLA Monitor
ASA(config)# sla monitor 10
ASA(config-sla-monitor)# type echo protocol ipIcmpEcho 4.2.2.2 interface outside
ASA(config-sla-monitor-echo)# num-packets 3
ASA(config-sla-monitor-echo)# timeout 1000
ASA(config-sla-monitor-echo)# frequency 3
ASA(config)# sla monitor schedule 10 life forever start-time now
Notes: Ok, so here is the actual ‘failover’ piece of all of this. So I’ll break it down piece by piece. 
Line 1 – Configures a SLA monitor with the ID of 10
Line 2 – Configures the monitoring protocol and the target of the monitoring probe.  In this case I chose 4.2.2.2 since I have been able to ping that magical IP address since the beginning of time.  You also need to tell it which interface to source the ICMP traffic from.  In this case, it would be the outside interface. 
Line 3 – Sets the number of packets to be sent in each probe.
Line 4 – Configures the timeout period in milliseconds. 
Line 5 – Configures the frequency of the probe in seconds. 
Line 6 – Instructs the ASA to start SLA monitor 10 now and let it run forever.

Configure the Route tracking
ASA(config)# route outside 0.0.0.0 0.0.0.0 <ISP 1 Default route> 1 track 1
ASA(config)# route backupisp 0.0.0.0 0.0.0.0 <ISP 2 Default route> 254
Notes: Here we define the default routes out to the internet.  Notice that we define our normal default route with an administrative distance of 1.  However, we also add the ‘track 1’ statement at the end.  This means that this route being in the routing table is dependent on tracked item 1 (If you don’t know what that means hold on, we’ll get there soon enough).  We also install a second route for the backup ISP which HAS to have a higher administrative distance than the primary ISP’s default route.

ASA(config)# track 1 rtr 10 reachability
Notes: This is where the magic happens.  The above statement reads like this in plain English: “Keep an eye on SLA monitor 10 and when it fails, any routes associated with me also fail”.  So what happens is that when the SLA monitor fails, the tracked route gets removed from the routing table, and the route with the higher administrative distance comes in and takes its place since it’s now the best available route.
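The three pieces (SLA monitor, track object, tracked route) only work when they reference each other correctly and the backup route really does have the higher administrative distance, which is exactly the kind of thing that goes wrong at 2am. As an added example (my code, not from the original post or from Cisco), here is a Python checker that parses those config lines, reports the consistency problems that would silently break failover, and then answers “which default route is in the table right now?” for a given SLA reachability state, which is the mechanism the note above describes. The config is the post’s, with the <> placeholders filled in with RFC 5737 documentation addresses; those addresses are assumptions, not the client’s.

```python
import re

# Constructed config: the lines from the post with placeholders filled in (assumed addresses).
FAILOVER_CONFIG = """\
sla monitor 10
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 timeout 1000
 frequency 3
sla monitor schedule 10 life forever start-time now
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backupisp 0.0.0.0 0.0.0.0 198.51.100.1 254
track 1 rtr 10 reachability
"""

ROUTE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\d+)(?: track (\d+))?$")
TRACK = re.compile(r"^track (\d+) rtr (\d+) reachability$")
SLA = re.compile(r"^sla monitor (\d+)$")
SLA_SCHED = re.compile(r"^sla monitor schedule (\d+) ")


def parse_failover(config):
    """Collect default routes, track->SLA bindings, and which SLA monitors exist and are scheduled."""
    routes, tracks, slas, scheduled = [], {}, set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := ROUTE.match(line):
            iface, next_hop, ad, track = m.groups()
            routes.append({"iface": iface, "next_hop": next_hop, "ad": int(ad),
                           "track": int(track) if track else None})
        elif m := TRACK.match(line):
            tracks[int(m.group(1))] = int(m.group(2))
        elif m := SLA.match(line):
            slas.add(int(m.group(1)))
        elif m := SLA_SCHED.match(line):
            scheduled.add(int(m.group(1)))
    return routes, tracks, slas, scheduled


def validate(config):
    """Return human-readable problems; an empty list means the failover wiring is consistent."""
    routes, tracks, slas, scheduled = parse_failover(config)
    problems = []
    tracked = [r for r in routes if r["track"] is not None]
    untracked = [r for r in routes if r["track"] is None]
    if not tracked:
        problems.append("no default route is tracked, so failover can never trigger")
    if not untracked:
        problems.append("no untracked backup default route to fall back to")
    for r in tracked:
        if r["track"] not in tracks:
            problems.append(f"route via {r['iface']} references undefined track {r['track']}")
            continue
        sla = tracks[r["track"]]
        if sla not in slas:
            problems.append(f"track {r['track']} references undefined SLA monitor {sla}")
        elif sla not in scheduled:
            problems.append(f"SLA monitor {sla} is defined but never scheduled, so it never probes")
        for b in untracked:
            if b["ad"] <= r["ad"]:
                problems.append(f"backup route via {b['iface']} (AD {b['ad']}) needs a higher AD "
                                f"than the tracked route via {r['iface']} (AD {r['ad']})")
    return problems


def active_default_route(config, sla_reachable):
    """Interface of the installed default route, given {sla_id: reachable} for each monitor.

    A tracked route is eligible only while its SLA monitor reports reachability;
    among eligible routes the lowest administrative distance wins.
    """
    routes, tracks, _, _ = parse_failover(config)
    eligible = [r for r in routes
                if r["track"] is None or sla_reachable.get(tracks.get(r["track"]), False)]
    if not eligible:
        return None
    return min(eligible, key=lambda r: r["ad"])["iface"]


if __name__ == "__main__":
    print("problems:", validate(FAILOVER_CONFIG) or "none")
    for state in ({10: True}, {10: False}):
        print(f"SLA 10 reachable={state[10]}: default route via {active_default_route(FAILOVER_CONFIG, state)}")
```

Run it against a ‘show run’ capture before a cut-over test; the AD check in particular catches the case where someone copies the primary route line for the backup and leaves the distance at 1, which is the mistake the note above warns about.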

Summary
So it’s a pretty cool setup if you are ONLY looking for outbound internet failover.  Keep in mind that all of your static NATs, external DNS entries, VPNs, etc won’t work when your primary ISP fails (assuming that’s the IP they are all assigned on).  This particular client had me make a primary and a backup PCF file for their Cisco VPN clients so that they could access the VPN when they were in a failover state.  Then I just added the backup ISP interface to the crypto map for their client VPN and turned on ISAKMP on the backup ISP interface.  Keep in mind though that the backup VPN will only work when the backup ISP circuit is live and the primary VPN will only work when the primary ISP circuit is live.  Both will never work at the same time.

Password and Config Recovery on a Cisco router

Wednesday, 12. May 2010

I have recently been purchasing some new routers for my lab and I find myself having to do the password recovery procedure to gain access.  In all truthfulness, it’s more of a “get access and wipe the router” sort of procedure; however, I usually copy the config off before wiping just out of pure curiosity.  So here’s what I do….

1 – Connect to the router with your console cable

2 – Power up the router and start pressing the ‘Break’ key on your keyboard

3 – If the router detects you pushing the ‘Break’ key it should put the router into ROMMON

4 – When the router enters ROMMON mode you should be presented with a ‘rommon’ numbered prompt.  Enter the following commands…

monitor: command "boot" aborted due to user interrupt
rommon 1 > confreg 0x2142

You must reset or power cycle for new config to take effect

rommon 2 > reset

Essentially this tells the router to ignore its startup-config when booting.  The reset command reboots the router.

5 – When the router finishes loading you should receive the standard ‘first boot’ prompts asking you about entering the initial configuration dialog.  Say no to any prompts.

6 – At this point, I usually plug an Ethernet interface on the router into my network and configure an IP address on the router so that I can copy the current config off.  It’s important to note here that all we did was tell the router to ignore its startup config.  It’s still fully intact at this point.

Router> enable
Router# config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# int faste0/0
Router(config-if)# ip address 10.20.30.23 255.255.255.0
Router(config-if)# no shut
Router(config-if)# exit
Router(config)# exit
Router# copy startup-config tftp
Address or name of remote host []? 10.20.30.51
Destination filename [8772106002209363-confg]? 1841-Original-Config
.!!
2666 bytes copied in 3.104 secs (859 bytes/sec)

7 – Now that we have a good copy of the original config I reset the config register, wipe nvram, and reload the router.  When it comes back online it will be like a brand new router.

Router# config t
Router(config)# config-register 0x2102
Router(config)# exit
Router# write erase
*May 12 23:00:00.891: %SYS-5-CONFIG_I: Configured from console by console
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
*May 12 23:00:10.531: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvr
Router# reload

System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]
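The whole procedure hinges on one bit of the configuration register: 0x2142 is 0x2102 with bit 6 (0x0040, “ignore NVRAM contents”) set. As an added example (my code, not part of the original post or Cisco’s), here is a Python helper that decodes the register, shows which bit the two values differ in, and scans ‘show version’ output for a router that was booted, or is about to be rebooted, with its startup-config bypassed. That last check is worth having in an audit: a register left at 0x2142 after a recovery means the next reload comes up unconfigured, and a register you did not set yourself means someone else has been through this procedure. The ‘Configuration register is …’ line format is the standard IOS one; the sample lines are constructed.

```python
import re

BIT_IGNORE_NVRAM = 1 << 6   # 0x0040: bit 6, boot without loading startup-config


def decode_confreg(value):
    """Pull out the two configuration-register fields this procedure depends on."""
    boot_field = value & 0xF
    if boot_field == 0:
        boot = "stay in ROMMON"
    elif boot_field == 1:
        boot = "boot the first image in flash (boot from ROM on older platforms)"
    else:
        boot = "boot normally, honouring boot system commands"
    return {
        "boot_field": boot_field,
        "boot": boot,
        "ignore_nvram": bool(value & BIT_IGNORE_NVRAM),
    }


def differing_bits(a, b):
    """Bit positions where two register values differ (0x2102 vs 0x2142 -> [6])."""
    return [i for i in range(16) if (a ^ b) >> i & 1]


# Standard IOS 'show version' wording, with the optional pending-value suffix.
CONFREG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")


def audit_show_version(lines):
    """Flag a device that last booted, or will next boot, ignoring its startup-config."""
    findings = []
    for line in lines:
        m = CONFREG_LINE.search(line)
        if not m:
            continue
        current = int(m.group(1), 16)
        pending = int(m.group(2), 16) if m.group(2) else current
        if decode_confreg(current)["ignore_nvram"]:
            findings.append(f"running with {m.group(1)}: startup-config was bypassed at last boot")
        if decode_confreg(pending)["ignore_nvram"]:
            findings.append(f"next reload uses {m.group(2) or m.group(1)}: startup-config will be bypassed")
    return findings


# Constructed sample lines: a normal router, one mid-recovery (step 7 done, not yet
# reloaded), and one that somebody has queued up to bypass NVRAM on its next reload.
SAMPLE_SHOW_VERSION = [
    "Configuration register is 0x2102",
    "Configuration register is 0x2142 (will be 0x2102 at next reload)",
    "Configuration register is 0x2102 (will be 0x2142 at next reload)",
]


if __name__ == "__main__":
    for val in (0x2102, 0x2142):
        print(f"0x{val:04x}: {decode_confreg(val)}")
    print("bits that differ:", differing_bits(0x2102, 0x2142))
    for finding in audit_show_version(SAMPLE_SHOW_VERSION):
        print("AUDIT:", finding)
```

Only bit 6 is interpreted here; the register carries other settings (console speed, boot behaviour on netboot failure), but none of them matter for the recovery steps above.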

Summary
I’m sure there are tons of documents out there that tell you how to do this; it just helps me remember when I write it all down.  It should be noted that this is usually used as a password recovery procedure.  In that case the startup-config is copied into the running-config after you enter enable mode.  Once the startup-config is loaded you can enter config mode and reset the enable and line passwords, since you were in enable mode prior to loading the original config.

ASA DMZ implementations

Monday, 10. May 2010

I’ve been trying to spend some time lately playing with my ASA again.  I’ve recently found myself playing with NAT and DMZ functionality.  I have to admit that for what appears to be a simple concept there is a lot of material to digest.  I’m also trying to look into the new ASA code release and get up to speed on the new NAT config commands.  Unfortunately my ASA doesn’t have a Security Plus license so I don’t have full DMZ functionality.

So if someone from Cisco is reading this and wants to send me a Security Plus activation code so I can blog about it that would be cool : )