Cisco ASA site-to-site VPN

Recently I needed to create a site-to-site VPN to interconnect two remote sites for a client and chose the Cisco ASA5505 to do so. Being my first time using this device, I was drawn to the beautiful ASDM, complete with a wizard to create the site-to-site VPN; it was too good to be true. For unexplained reasons the configuration produced by the wizard failed; I tried multiple times and did a full reset on the ASA, and nothing could get it to work. What next? The good old console cable and some reading got me on the right track.
Below are some tips/steps/guidelines, call them whatever you like, that I use to create the site-to-site VPN, which Cisco sometimes calls LAN-to-LAN (L2L).
– Create an access-list to instruct what traffic to encrypt
– Exempt traffic on the inside interface that is going to be encrypted from being NATed
– Create Phase 2 configuration: transform set and crypto map configuration
– Create Phase 1 configuration
– Tunnel group
– Tweaks

Sample configuration

For the example I'll use the following network configuration, with the public interface named outside and the internal interface named inside.
Site A: London
Public IP: 1.1.1.1
Private network: 192.168.1.0 mask 255.255.255.0
Site B: Manchester
Public IP: 2.2.2.2
Private network: 192.168.2.0 mask 255.255.255.0
Pre-shared Key: MY-PRE-SHARED-KEY

London ASA configuration

!---Access list to identify site-to-site traffic to encrypt
access-list ACL_CM_LondontoManchester extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!---Access list for VPN traffic to bypass NAT
access-list ACL_NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!---Prevents VPN traffic from undergoing NAT
nat (inside) 0 access-list ACL_NONAT

!---Phase 2 Configuration of IPSec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!---IPsec configuration for static LAN-to-LAN tunnel
crypto map CM_outside 5 match address ACL_CM_LondontoManchester
crypto map CM_outside 5 set pfs group1
crypto map CM_outside 5 set peer 2.2.2.2
crypto map CM_outside 5 set transform-set ESP-AES-128-SHA
crypto map CM_outside 5 set security-association lifetime seconds 28800
!---apply crypto map to outside interface
crypto map CM_outside interface outside

!---Enable Phase 1 isakmp to public interface
crypto isakmp enable outside
!---Phase 1 Configuration
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 1
lifetime 28800
exit

!---NAT-T configuration
crypto isakmp nat-traversal 50
!---Allow IPsec tunnel traffic to bypass ACLs
sysopt connection permit-vpn

!---Define tunnel group
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key MY-PRE-SHARED-KEY
exit

Manchester ASA configuration

!---Access list to identify site-to-site traffic to encrypt
access-list ACL_CM_ManchestertoLondon extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!---Access list for VPN traffic to bypass NAT
access-list ACL_NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!---Prevents VPN traffic from undergoing NAT
nat (inside) 0 access-list ACL_NONAT

!---Phase 2 Configuration of IPSec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!---IPsec configuration for static LAN-to-LAN tunnel
crypto map CM_outside 5 match address ACL_CM_ManchestertoLondon
crypto map CM_outside 5 set pfs group1
crypto map CM_outside 5 set peer 1.1.1.1
crypto map CM_outside 5 set transform-set ESP-AES-128-SHA
crypto map CM_outside 5 set security-association lifetime seconds 28800
!---apply crypto map to outside interface
crypto map CM_outside interface outside

!---Enable Phase 1 isakmp to public interface
crypto isakmp enable outside
!---Phase 1 Configuration
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 1
lifetime 28800
exit

!---NAT-T configuration
crypto isakmp nat-traversal 50
!---Allow IPsec tunnel traffic to bypass ACLs
sysopt connection permit-vpn

!---Define tunnel group
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key MY-PRE-SHARED-KEY
exit

Here is my automated ASA site-to-site VPN config tool
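As an added example (not the author's tool linked above, and not anything Cisco ships), the shell functions below render one side of the L2L configuration from its parameters and then check that two rendered sides mirror each other: the crypto ACL on one side must be the reverse of the other's, and each side's peer must be the other site's public IP, which is a classic cause of a Phase 2 mismatch. The rendered text keeps the post's parameters (AES-128, SHA-1, DH group 1, 28800-second lifetimes); the comment in the block notes which of those a current deployment would raise.

```shell
#!/bin/sh
# Added example, not the author's tool: render one side of the L2L configuration and
# check that the two rendered sides mirror each other.
asa_l2l() { # $1 aclname $2 local_net $3 local_mask $4 remote_net $5 remote_mask $6 peer_ip $7 psk
  cat <<EOF
access-list ACL_CM_$1 extended permit ip $2 $3 $4 $5
access-list ACL_NONAT extended permit ip $2 $3 $4 $5
nat (inside) 0 access-list ACL_NONAT
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map CM_outside 5 match address ACL_CM_$1
crypto map CM_outside 5 set pfs group1
crypto map CM_outside 5 set peer $6
crypto map CM_outside 5 set transform-set ESP-AES-128-SHA
crypto map CM_outside 5 set security-association lifetime seconds 28800
crypto map CM_outside interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800
crypto isakmp nat-traversal 50
sysopt connection permit-vpn
tunnel-group $6 type ipsec-l2l
tunnel-group $6 ipsec-attributes
 pre-shared-key $7
EOF
}
# DH group 1 (768-bit) and SHA-1 are the post's choices; on current software raise the
# group and hash on both sides at once, since Phase 1 only completes when they match.

# Mirror check: A's crypto ACL "src mask dst mask" must equal B's "dst mask src mask",
# and each side's peer must be the other side's public address. Prints MATCH/MISMATCH.
mirror_check() { # $1 configA $2 configB $3 publicA $4 publicB
  a=$(printf '%s\n' "$1" | awk '/^access-list ACL_CM_/ {print $6, $7, $8, $9}')
  b=$(printf '%s\n' "$2" | awk '/^access-list ACL_CM_/ {print $8, $9, $6, $7}')
  pa=$(printf '%s\n' "$1" | awk '/ set peer / {print $NF}')
  pb=$(printf '%s\n' "$2" | awk '/ set peer / {print $NF}')
  if [ "$a" = "$b" ] && [ "$pa" = "$4" ] && [ "$pb" = "$3" ]; then echo MATCH; else echo MISMATCH; fi
}
```

Render London with the Manchester parameters reversed and vice versa, then run mirror_check on the pair before pasting either side into a console.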

Find and execute

I use this command quite often to set the permissions on multiple files or directories recursively inside a directory tree. I've prepared a couple of sample commands: the first one changes the permissions on files only, the second changes the permissions on directories only.

The base command is

user$ find ./ -type _x_ -execdir _command_ {} +
argument list:
./ - the current directory.
-type _x_ - what to look for; replace _x_ with d for directories, f for files, l for links, and many more in the man page of the find command.
-execdir _command_ - the command and its arguments to execute on the target, run from the directory where the file is located.
{} + - find replaces {} with the matched files; with + it appends as many of them as fit on one command line instead of running the command once per file.

The first example sets the permissions to rw-r--r-- (644) on all files inside a directory tree.

user$ find ./ -type f -execdir chmod 644 {} +

The second changes the permissions of all the directories in a directory tree to rwxr-xr-x (755).

user$ find ./ -type d -execdir chmod 755 {} +

Now imagine that you want to list all the links and their associated targets:

user$ find ./ -type l -exec file {} +

NOTE: this time I'm using -exec and not -execdir, because I want to see the path relative to where I'm executing the command.
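To see the commands above act on real files, here is an added example (not from the post): it builds a small throw-away tree, applies the two chmod commands exactly as written, reads the resulting modes back, and shows what -exec and -execdir each pass as {} for the same file. GNU find and GNU stat (Linux) are assumed. One caveat that a recursive chmod 644 carries: it also strips the execute bit from scripts and binaries, so look at what -type f matches before changing modes.

```shell
#!/bin/sh
# Added example, not from the post. Assumes GNU find and GNU stat (Linux).
make_tree() {  # constructed sample tree with "wrong" modes; prints its path
  t=$(mktemp -d)
  mkdir -p "$t/sub/deeper"
  : > "$t/top.txt"
  : > "$t/sub/deeper/leaf.sh"
  chmod 600 "$t/top.txt" "$t/sub/deeper/leaf.sh"
  chmod 700 "$t/sub" "$t/sub/deeper"
  ln -s sub/deeper/leaf.sh "$t/link"    # -type f does not match this symlink
  printf '%s\n' "$t"
}

fix_perms() {  # the two commands from the post, run from inside the tree $1
  ( cd "$1" &&
    find ./ -type f -execdir chmod 644 {} + &&
    find ./ -type d -execdir chmod 755 {} + )
}

mode_of() { stat -c %a "$1"; }   # octal mode, e.g. 644 (BSD stat would be: stat -f %Lp)

# -exec receives the path relative to where find started; -execdir runs inside the
# file's own directory and receives ./basename. Prints both forms for leaf.sh.
exec_vs_execdir() {
  ( cd "$1" && find ./ -type f -name leaf.sh \
      -exec printf '%s ' {} \; -execdir printf '%s' {} \; )
}
```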

Posted in KB

Use netcat to dump incoming packets

Use Linux netcat to create a server that listens for incoming connections on a specific port and dumps the contents of the network traffic to the console.

user$ nc -l -p port
-l is used to specify that nc should listen for an incoming connection rather than initiate a connection to a remote host. Any hostname/IP address and port arguments restrict the source of inbound connections to only that address and source port.
-p specifies the port nc should use, here the port to listen on, subject to privilege restrictions and availability.

Recover a pop3 password

This is my POP password retrieval script; it creates a TCP server on port 110 that waits for incoming connections and replies with +OK to any message, displaying both server and client messages on the console. So, in order to recover a lost POP password, start this script on a machine with Perl installed, then change the POP server in the client's settings to the machine where the script is running.

Here is a sample exchange between a POP server and client:
Server: Connected to pop.server.net (127.0.0.1).
Server: +OK hostname POP3 Server ready
Client: user myusername@domain.net
Server: +OK myusername@domain.net is a valid mailbox
Client: pass MyPassword
Server: +OK valid username and password
From the above output we can conclude that the password for that mailbox is MyPassword.
#!/usr/bin/perl -w
# Author: Luis "sheep" Tavares
# Name: POP Password retrieval
# Version: 1.0
# OS: Tested on Linux FC4

use strict;
use IO::Socket::INET;

# Change the settings to match your system.
# $host is the address the script listens on; 'localhost' only accepts clients on this
# machine, so use the machine's own address (or '0.0.0.0') if the mail client is elsewhere.
my $host  = 'localhost';
my $port  = '110';
my $proto = 'tcp';

#
# You shouldn't need to edit below this point.
#

# POP responses (POP3 lines are terminated with CRLF)
my $conn_new = "+OK connected for password retrieval\r\n";
my $conn_OK  = "+OK\r\n";

my $sock = IO::Socket::INET->new(
        LocalHost => $host,
        LocalPort => $port,
        Proto     => $proto,
        Listen    => 1,
        Reuse     => 1
        );
die "Could not create socket: $!\n" unless $sock;

print "Waiting for incoming connections on $proto/$port\nPress ctrl+c to abort\n";

my $new_sock = $sock->accept();
print $new_sock $conn_new; # Must send an +OK greeting as soon as the client connects.

while ( <$new_sock> )
{
        print $_;                 # Data from the client is displayed on the screen
        print $new_sock $conn_OK; # We are a happy bunny: reply +OK to everything
}
close($new_sock);
close($sock);

Self sign certificates using openssl

Introduction

Hi all, this is my first tutorial, which is an updated version of the tutorial written by Dylan Beattie about Self-Signing IIS 5 SSL Certificates Using OpenSSL.

Only Certificate Authorities (CAs) can issue certificates. A few examples are Verisign, GlobalSign and Thawte; these are trusted by Microsoft Internet Explorer by default. That leaves you with two options: get a certificate from one of those root CAs, or create your own root CA and sign your own certificates.

The main downside, and sometimes pain, of the second method is that if the client machine doesn't have your root CA certificate installed, some applications will refuse the certificate presented by your server, because the client doesn't know the root CA. This is easily overcome by installing the root CA certificate on the client machine. I'll try to write a how-to on accomplishing this.

Back to your self-signed certificates.
To create self-signed certificates, OpenSSL must be installed and configured. I won't explain the installation or the configuration, but I can point you to Dylan's website, which contains an openssl.conf that you can use to generate your certificates.

Create the CA key and root certificate

First, let's create your CA private key. Keep your CA private key well protected.
While creating the CA private key you will be asked to Enter PEM pass phrase; don't lose it, as you will be asked for it every time you need to generate a certificate.

user$ openssl genrsa -des3 -out keys/ca.key 1024

Now that we have a CA private key let’s create our root CA certificate.

user$ openssl req -config openssl.conf -new -x509 -days 1001 -key keys/ca.key -out certs/ca.cer

Create a certificate request

Certificate requests can be generated by applications or appliances, such as Microsoft IIS and Citrix Access Gateway. To see how to create the certificate request for IIS, read Microsoft KB article 298805.

Signing the request

First you must copy the certificate request to your root CA machine. Then, assuming that you are using the same directory structure as mentioned before, type the following command, adjusting the arguments where necessary (mainly the -in and -out arguments).

user$ openssl ca -policy policy_anything -config openssl.conf -cert certs/ca.cer -in requests/certreq.txt -keyfile keys/ca.key -days 360 -out certs/iis.cer
After the certificate has been generated, copy it back to the machine that generated the request and complete the certificate installation as appropriate.
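The whole procedure end to end, as an added example (not Dylan's or this tutorial's own commands), followed by the check worth running before deploying the result: does the issued certificate verify against the root, and who actually signed it? So that it runs unattended, it departs from the post in three assumptions: the CA key carries no -des3 passphrase, -subj replaces the interactive prompts, and openssl x509 -req stands in for openssl ca (so no openssl.conf or index database is needed).

```shell
#!/bin/sh
# Added example, not from the tutorial: CA key -> root cert -> request -> signed cert,
# then verify that the result chains to the root. Assumptions differ from the post so it
# runs unattended: no -des3 passphrase on the CA key, -subj instead of prompts, and
# "openssl x509 -req" instead of "openssl ca" (no openssl.conf or index database).
set -e
build_chain() {  # prints the working directory that holds keys/ certs/ requests/
  w=$(mktemp -d)
  (
    cd "$w"
    mkdir keys certs requests
    # 1. CA private key and self-signed root certificate (2048 bits rather than 1024)
    openssl genrsa -out keys/ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 1001 -key keys/ca.key \
        -subj "/CN=Example Root CA" -out certs/ca.cer
    # 2. a server key and certificate request, standing in for the one IIS would create
    openssl genrsa -out keys/iis.key 2048 2>/dev/null
    openssl req -new -key keys/iis.key -subj "/CN=www.example.test" \
        -out requests/certreq.txt
    # 3. sign the request with the CA for 360 days, as in the post
    openssl x509 -req -days 360 -in requests/certreq.txt -CA certs/ca.cer \
        -CAkey keys/ca.key -CAcreateserial -out certs/iis.cer 2>/dev/null
  )
  printf '%s\n' "$w"
}

# The check to run before deploying: does certificate $2 verify against the root in $1?
# Prints OK or FAIL.
verify_chain() {
  if openssl verify -CAfile "$1/certs/ca.cer" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Who signed it? Prints the issuer CN, so a certificate from the wrong CA shows up at once.
issuer_of() { openssl x509 -noout -issuer -in "$1" | sed 's/.*CN *= *//'; }
```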