| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <151ee41881749de4afc3e67a967e6156@teo-en-ming.com> Date: Mon, 03 Aug 2020 18:34:57 +0800 From: Turritopsis Dohrnii Teo En Ming <ceo@...-en-ming.com> To: linux-kernel@...r.kernel.org Cc: ceo@...-en-ming-corp.com Subject: Teo En Ming's Guide to Configuring SSL VPN for Cisco ASA 5506-X Firepower Firewall with Let’s Encrypt SSL Certificates, LDAP/Active Directory Primary Authentication and Duo 2FA Secondary Authentication Subject: Teo En Ming's Guide to Configuring SSL VPN for Cisco ASA 5506-X Firepower Firewall with Let’s Encrypt SSL Certificates, LDAP/Active Directory Primary Authentication and Duo 2FA Secondary Authentication Author: Mr. Turritopsis Dohrnii Teo En Ming (Targeted Individual) Country: Singapore Date Published: 3rd August 2020 Monday Singapore Time Type of Publication: Plain Text INTRODUCTION ============ Cisco ASA firewall appliances use open source software. Cisco Adaptive Security Appliance Software, version 9.8 Copyright (c) 1996-2019 by Cisco Systems, Inc. For licenses and notices for open source software used in this product, please visit http://www.cisco.com/go/asa-opensource The basic configuration of the Cisco ASA 5506-X Firepower firewall was completed by a previous IT consultant previously (date unknown), so I shall not cover it here. I will cover configuration of the Cisco ASA 5506-X Firepower firewall from Phase 1 onwards, as described below. The Cisco ASA 5506-X Firepower firewall costs about SGD$1000 in Singapore, with refurbished units costing around SGD$500. PHASE 1: Basic Configuration of SSL VPN on Cisco ASA 5506-X Firepower Firewall ============================================================================== Reference Guide: Cisco ASA Anyconnect Remote Access VPN Link: https://networklessons.com/cisco/asa-firewall/cisco-asa-anyconnect-remote-access-vpn Cisco ASA firewall CLI commands: enable config t You can download Cisco AnyConnect Secure Mobility Client version 3.1.03103 at the following link. http://www.firewall.cx/downloads/doc_details/98-anyconnect-secure-mobility-client-win-mac-linux.html?tmpl=component Install Filezilla FTP server on the Active Directory Domain Controller. Create ftp username “anonymous” with empty password. copy ftp://anonymous@<IP address of FTP server>/ anyconnect-win-3.1.03103-k9.pkg delete flash:filename.pkg config t webvpn anyconnect image flash:/anyconnect-win-3.1.03103-k9.pkg enable outside anyconnect enable sysopt connection permit-vpn http redirect OUTSIDE 80 ip local pool VPN_POOL 192.168.168.100-192.168.168.200 mask 255.255.255.0 192.168.168.0 is the VPN Pool. access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0 192.168.1.0 is the inside network behind the Cisco ASA firewall. group-policy ANYCONNECT_POLICY internal group-policy ANYCONNECT_POLICY attributes vpn-tunnel-protocol ssl-client ssl-clientless split-tunnel-policy tunnelspecified split-tunnel-network-list value SPLIT_TUNNEL dns-server value 8.8.8.8 webvpn anyconnect keep-installer installed anyconnect ask none default anyconnect anyconnect dpd-interval client 30 exit tunnel-group MY_TUNNEL type remote-access tunnel-group MY_TUNNEL general-attributes default-group-policy ANYCONNECT_POLICY address-pool VPN_POOL exit tunnel-group MY_TUNNEL webvpn-attributes group-alias TEO_EN_MING_CORPORATION_SSL_VPN_USERS enable username teo-en-ming password password username teo-en-ming attributes service-type remote-access copy run start PHASE 2: Installing 90-day Free Let's Encrypt SSL Certificate on Cisco ASA 5506-X Firepower Firewall SSL VPN ============================================================================================================ show flash Check for asdm-xxx.bin Go to https://<IP address of Cisco ASA 5506-X firewall> Install Java Web Start Install ASDM Launcher On the Cisco ASDM: Device IP address / Name: <private IP address of Cisco ASA 5506-X firewall> Username: <empty> Password: cisco <default password> Follow the rest of the instructions at the following link. Reference Guide: INSTALLING A FREE CERTIFICATE ON A CISCO ASA FIREWALL FOR ANYCONNECT Link: https://www.ipconfigz.com/installing-a-free-certificate-on-a-cisco-asa-firewall-for-anyconnect/ copy run start config t pager 0 show run PHASE 3: Configure LDAP/Active Directory Primary Authentication for Cisco ASA 5506-X SSL VPN ============================================================================================ Reference Guide: Configure LDAP Authentication for WebVPN Users Link: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html dsquery user -samid administrator "CN=Administrator,CN=Users,DC=teo-en-ming-corp,DC=com" enable configure terminal aaa-server LDAP_SRV_GRP protocol ldap aaa-server LDAP_SRV_GRP (inside_1) host <private IP address of AD DC server> ldap-base-dn dc=teo-en-ming-corp,dc=com ldap-login-dn cn=ldapadmin,cn=users,dc=teo-en-ming-corp,dc=com ldap-login-password password ldap-naming-attribute sAMAccountName ldap-scope subtree server-type microsoft exit tunnel-group MY_TUNNEL general-att authentication-server-group LDAP_SRV_GRP Testing LDAP Authentication in Phase 3 ====================================== debug ldap 255 test aaa-server authentication LDAP_SRV_GRP host <IP address of AD DC server> username administrator password password Troubleshooting for Phase 3 ============================ [1] Troubleshooting LDAP Connections to Active Directory Using Apache Directory Studio Link: https://www.jamf.com/jamf-nation/articles/224/troubleshooting-ldap-connections-to-active-directory-using-apache-directory-studio [2] Cisco – LDAP AAA Error ‘AAA Server has been removed” Link: https://www.petenetlive.com/KB/Article/0001271 [3] ASA 9.8, Bridge groups, and LDAP authentication Link: https://www.reddit.com/r/Cisco/comments/80qezi/asa_98_bridge_groups_and_ldap_authentication/ In this discussion, a Cisco ASA software bug has been found which prevents the Cisco ASA firewall from communicating with the LDAP server/Active Directory Domain Controller. To resolve this issue, a firmware upgrade is required. PHASE 4: How to Install Duo 2FA Secondary Authentication for Cisco ASA 5506-X SSL VPN ===================================================================================== Follow the Duo Authentication setup instructions at the following link. Reference Guide: Cisco ASA SSL VPN for Browser and AnyConnect Link: https://duo.com/docs/ciscoasa-ldap Then follow the guide below. Reference Guide: CISCO ASA Enable DNS Lookup Problem Link: https://community.cisco.com/t5/network-security/cisco-asa-enable-dns-lookup-problem/td-p/1764736 conf t dns domain-lookup Outside dns server-group DefaultDNS name-server 8.8.8.8 name-server 8.8.4.4 exit Phase 5: Upgrade Firmware and ASDM of Cisco ASA 5506-X Firepower Firewall ========================================================================= copy run start Follow the rest of the instructions at the following link. Reference Guide: ASA 9.x : Upgrade a Software Image using ASDM or CLI Configuration Example Link: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/200142-ASA-9-x-Upgrade-a-Software-Image-using.html Phase 6: Configure NAT Exemption on the Cisco ASA 5506-X Firewall ================================================================= Why do we need to configure NAT exemption on the Cisco ASA 5506-X Firepower firewall? Because otherwise, the Cisco AnyConnect Secure Mobility Client cannot access the remote LAN behind the Cisco ASA firewall. access-list NAT-EXEMPT extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0 object network obj-vpn_ip_address_pool subnet 192.168.168.0 255.255.255.0 nat (inside_1,outside) source static any any destination static obj-vpn_ip_address_pool obj-vpn_ip_address_pool no access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0 MUST READ ARTICLES FOR PHASE 6 ============================== [1] Quick guide: AnyConnect Client VPN on Cisco ASA 5505 Link: https://www.techrepublic.com/blog/smb-technologist/quick-guide-anyconnect-client-vpn-on-cisco-asa-5505/ QUOTE: "Do not use the same subnet as your inside network. So, if you're using 192.168.100.0/24 for the inside, use 192.168.104.0/24 for your VPN pool." [2] How to configure NAT Exemption in version 8.3 for VPN in Cisco ASA? Link: http://networkqna.com/how-to-configure-nat-exemption-in-version-8-3-for-vpn-in-cisco-asa/ Phase 7: Configuring Dynamic DNS (DDNS) ======================================= The Cisco ASA 5506-X Firepower Firewall does not support Dynamic DNS update using the HTTP POST method. The Cisco ASA only supports DDNS update using the Internet Engineering Task Force (IETF) method. Since the Cisco ASA does not support the HTTP Post method, it CANNOT work with NO-IP and DynDNS DDNS service providers. The following are the results of my research on the Internet: [01] With its sole reliance on the IETF method, websites such as DynDns.org cannot be updated using the ASA, however support has been added for HTTPS using port 443. Link: https://www.globalknowledge.com/ca-en/resources/resource-library/articles/implementing-dynamic-dns-on-cisco-ios-router-and-asa/ [02] If you're asking if you can get the ASA5505 to "register" with dyndns, the answer is no. Howeve, it appears that someone got a feature request added, though, under Cisco BugID CSCsl46782 . (If you don't have a Cisco service contract, you can't view the details). However, it looks like it has an extremely low priority and I wouldn't expect it to be added anytime soon. Link: https://serverfault.com/questions/272825/dyndns-updating-ip-address-via-cisco-asa-5505 PROPOSED WORKAROUND SOLUTION FOR PHASE 7 ======================================== I would propose installing Dynamic DNS updater client software on AD DC server or any of your office computers which are permanently powered on. ACTUAL SOLUTION FOR PHASE 7 =========================== Sign up for free No-IP account. Create hostname teo-en-ming-corp.ddns.net, and point it to public IP address of the Cisco ASA firewall. Install no-ip dynamic update client (duc) in any 24x7 computer behind the Cisco ASA firewall. Create DNS CNAME record sslvpn.teo-en-ming-corp.com and point it to teo-en-ming-corp.ddns.net Phase 8: Synchronizing Users from Active Directory to Duo ========================================================= Follow the setup instructions at the following link. Reference Guide: Synchronizing Users from Active Directory Link: https://duo.com/docs/adsync dsquery user -samid teoenming "CN=Turritopsis Dohrnii Teo En Ming,OU=Users,OU=Singapore,DC=teo-en-ming-corp,DC=com" Phase 9: Enrolling Users at Duo =============================== Reference Guide: Enrolling Users at Duo Link: https://duo.com/docs/enrolling-users Duo Admin Panel Login Link: https://admin.duosecurity.com/ Phase 9 is the final phase. ===EOF=== -----BEGIN EMAIL SIGNATURE----- The Gospel for all Targeted Individuals (TIs): [The New York Times] Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html ******************************************************************************************** Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 14 Feb 2019 and refugee seeking attempts at the United Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan (5 Aug 2019) and Australia (25 Dec 2019 to 9 Jan 2020): [1] https://tdtemcerts.wordpress.com/ [2] https://tdtemcerts.blogspot.sg/ [3] https://www.scribd.com/user/270125049/Teo-En-Ming -----END EMAIL SIGNATURE-----
Powered by blists - more mailing lists