ASA VPN Weirdness

Started by Nerm, September 25, 2015, 05:36:39 PM


Nerm

I have a customer that called me out because their internal IT guys bought two new Cisco ASA 5506s and set up a VPN between their two locations. The reason they called me out is because the VPN is up but they can't print across it. Now I don't profess to be an ACL expert or an ASA expert, but the ACLs on these ASAs just don't make sense to me as it looks like half of them aren't even needed. I also don't think the ACLs have anything to do with their printing issue but wanted a second opinion on them first before I wasted a bunch of time troubleshooting something else. It looks to me they just started typing ACLs in until they got traffic to pass on the VPN. (IPs and such have been changed to protect the innocent)

Site "A" ASA Config

ASA Version 9.4(1)
!
hostname madderm-mad-asa01
enable password rat10adm1n encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.23.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
object network internal
subnet 192.168.23.0 255.255.255.0
object network remote_internal
subnet 10.3.4.0 255.255.255.0
object-group service Internet-udp udp
description UDP Standard Internet Services
port-object eq domain
port-object eq ntp
port-object eq isakmp
port-object eq 4500
port-object eq 389
port-object eq 88
port-object eq 445
port-object eq 464
port-object eq netbios-ns
port-object eq netbios-dgm
port-object eq bootps
port-object eq 2535
port-object range 1024 5000
port-object range 49152 65535
object-group service Internet-tcp tcp
description TCP Standard Internet Services
port-object eq 445
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 465
port-object eq 587
port-object eq pop3
port-object eq 995
port-object eq ftp
port-object eq ftp-data
port-object eq domain
port-object eq ssh
port-object eq telnet
port-object eq 3389
port-object eq netbios-ssn
port-object eq 42
port-object eq 135
port-object eq 137
port-object eq ldap
port-object eq ldaps
port-object eq 3268
port-object eq 3269
port-object eq 88
port-object eq 9389
port-object eq 5722
port-object eq 464
port-object range 1024 5000
port-object range 49152 65535
port-object eq 8040
port-object eq 9100
port-object eq 8041
object-group service ad-traffic-tcp tcp
port-object eq ssh
port-object eq smtp
port-object eq 42
port-object eq 135
port-object eq 137
port-object eq netbios-ssn
port-object eq ldap
port-object eq ldaps
port-object eq 3268
port-object eq 3269
port-object eq 88
port-object eq domain
port-object eq 445
port-object eq 9389
port-object eq 5722
port-object eq 464
port-object range 1024 5000
port-object range 49152 65535
object-group service ad-traffic-udp udp
port-object eq 389
port-object eq 88
port-object eq domain
port-object eq 445
port-object eq 464
port-object eq ntp
port-object eq netbios-ns
port-object eq netbios-dgm
port-object eq bootps
port-object eq 2535
port-object range 1024 5000
port-object range 49152 65535
access-list inside-in extended permit udp 192.168.23.0 255.255.255.0 any object-group Internet-udp
access-list inside-in extended permit tcp 192.168.23.0 255.255.255.0 any object-group Internet-tcp
access-list inside-in extended permit icmp 192.168.23.0 255.255.255.0 any
access-list inside-in extended permit icmp 10.3.4.0 255.255.255.0 any
access-list inside-in extended permit tcp object remote_internal object internal object-group ad-traffic-tcp
access-list inside-in extended permit udp object remote_internal object internal object-group ad-traffic-udp
access-list inside-in extended permit tcp 10.3.4.0 255.255.255.0 any object-group ad-traffic-tcp
access-list outside-in extended permit icmp any any echo-reply
access-list VPN-INTERESTING-TRAFFIC extended permit ip object internal object remote_internal
access-list VPN-INTERESTING-TRAFFIC extended permit tcp object remote_internal object internal object-group ad-traffic-tcp
access-list VPN-INTERESTING-TRAFFIC extended permit ip object remote_internal object internal
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static internal internal destination static remote_internal remote_internal no-proxy-arp route-lookup
!
object network internal
nat (inside,outside) dynamic interface
access-group outside-in in interface outside
access-group inside-in in interface inside
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs
crypto map CRYPTO-MAP 1 set peer 1.1.1.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.23.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.23.100-192.168.23.149 inside
dhcpd dns 10.3.4.10 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password password encrypted privilege 15
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
ikev1 pre-shared-key vpnkey
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous


Site "B" ASA Config

ASA Version 9.4(1)
!
hostname madderm-col-asa01
enable password rat10adm1n encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.3.4.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
object network internal
subnet 10.3.4.0 255.255.255.0
object network remote_internal
subnet 192.168.23.0 255.255.255.0
object-group service Internet-udp udp
description UDP Standard Internet Services
port-object eq domain
port-object eq ntp
port-object eq isakmp
port-object eq 4500
port-object eq 389
port-object eq 88
port-object eq 445
port-object eq 464
port-object eq netbios-ns
port-object eq netbios-dgm
port-object eq bootps
port-object eq 2535
port-object range 1024 5000
port-object range 49152 65535
object-group service Internet-tcp tcp
description TCP Standard Internet Services
port-object eq 445
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 465
port-object eq 587
port-object eq pop3
port-object eq 995
port-object eq ftp
port-object eq ftp-data
port-object eq domain
port-object eq ssh
port-object eq telnet
port-object eq 3389
port-object eq netbios-ssn
port-object eq 42
port-object eq 135
port-object eq 137
port-object eq ldap
port-object eq ldaps
port-object eq 3268
port-object eq 3269
port-object eq 88
port-object eq 9389
port-object eq 5722
port-object eq 464
port-object range 1024 5000
port-object range 49152 65535
port-object eq 8040
port-object eq 9100
port-object eq 8041
object-group service ad-traffic-tcp tcp
port-object eq ssh
port-object eq smtp
port-object eq 42
port-object eq 135
port-object eq 137
port-object eq netbios-ssn
port-object eq ldap
port-object eq ldaps
port-object eq 3268
port-object eq 3269
port-object eq 88
port-object eq domain
port-object eq 445
port-object eq 9389
port-object eq 5722
port-object eq 464
port-object range 1024 5000
port-object range 49152 65535
object-group service ad-traffic-udp udp
port-object eq 389
port-object eq 88
port-object eq domain
port-object eq 445
port-object eq 464
port-object eq ntp
port-object eq netbios-ns
port-object eq netbios-dgm
port-object eq bootps
port-object eq 2535
port-object range 1024 5000
port-object range 49152 65535
access-list inside-in extended permit udp 10.3.4.0 255.255.255.0 any object-group Internet-udp
access-list inside-in extended permit tcp 10.3.4.0 255.255.255.0 any object-group Internet-tcp
access-list inside-in extended permit icmp 10.3.4.0 255.255.255.0 any
access-list inside-in extended permit icmp 192.168.23.0 255.255.255.0 any
access-list inside-in extended permit tcp object remote_internal object internal object-group ad-traffic-tcp
access-list inside-in extended permit udp object remote_internal object internal object-group ad-traffic-udp
access-list inside-in extended permit tcp 192.168.23.0 255.255.255.0 any object-group ad-traffic-tcp
access-list outside-in extended permit icmp any any echo-reply
access-list VPN-INTERESTING-TRAFFIC extended permit ip object internal object remote_internal
access-list VPN-INTERESTING-TRAFFIC extended permit tcp object remote_internal object internal object-group ad-traffic-tcp
access-list VPN-INTERESTING-TRAFFIC extended permit ip object remote_internal object internal
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static internal internal destination static remote_internal remote_internal no-proxy-arp route-lookup
!
object network internal
nat (inside,outside) dynamic interface
access-group outside-in in interface outside
access-group inside-in in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.3.4.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.3.4.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password password encrypted privilege 15
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key vpnkey
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

SimonV

Quote
access-list VPN-INTERESTING-TRAFFIC extended permit ip object internal object remote_internal
access-list VPN-INTERESTING-TRAFFIC extended permit tcp object remote_internal object internal object-group ad-traffic-tcp
access-list VPN-INTERESTING-TRAFFIC extended permit ip object remote_internal object internal

The second line looks like it's redundant if they are going to permit everything in the next line.

A bit too "generous" on the outbound services as well, but I guess that depends on the level of security/maintenance they want.

Quote
object-group service Internet-udp udp
description UDP Standard Internet Services
port-object eq domain
port-object eq ntp
port-object eq isakmp
port-object eq 4500
port-object eq 389
port-object eq 88
port-object eq 445
port-object eq 464
port-object eq netbios-ns
port-object eq netbios-dgm
port-object eq bootps
port-object eq 2535
port-object range 1024 5000
port-object range 49152 65535
object-group service Internet-tcp tcp
description TCP Standard Internet Services
port-object eq 445
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 465
port-object eq 587
port-object eq pop3
port-object eq 995
port-object eq ftp
port-object eq ftp-data
port-object eq domain
port-object eq ssh
port-object eq telnet
port-object eq 3389
port-object eq netbios-ssn
port-object eq 42
port-object eq 135
port-object eq 137
port-object eq ldap
port-object eq ldaps
port-object eq 3268
port-object eq 3269
port-object eq 88
port-object eq 9389
port-object eq 5722
port-object eq 464
port-object range 1024 5000
port-object range 49152 65535
port-object eq 8040
port-object eq 9100
port-object eq 8041



deanwebb

Don't you need port 9100 to print?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Reggle

Quote from: deanwebb on September 26, 2015, 01:05:34 PM
Don't you need port 9100 to print?
Yup. I see print, ldap, smb, kerberos, ... If you're really allowing that to the internet you might as well just hand out USB sticks with malware.

deanwebb

Oh there it is, I see it at the bottom. Missed it the first time. But if this is a VPN, why limit ports on it? Or is this a VPN to an untrusted source?

Nerm

After talking to the guys onsite my assumption was correct.

Their initial object-groups and acl's were:

object-group service Internet-udp udp
description UDP Standard Internet Services
port-object eq domain
port-object eq ntp
port-object eq isakmp
port-object eq 4500
object-group service Internet-tcp tcp
description TCP Standard Internet Services
port-object eq 445
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 465
port-object eq 587
port-object eq pop3
port-object eq 995
port-object eq ftp
port-object eq ftp-data
port-object eq domain
port-object eq ssh
port-object eq telnet
port-object eq 3389
access-list inside-in extended permit udp 192.168.23.0 255.255.255.0 any object-group Internet-udp
access-list inside-in extended permit tcp 192.168.23.0 255.255.255.0 any object-group Internet-tcp
access-list inside-in extended permit icmp 192.168.23.0 255.255.255.0 any
access-list outside-in extended permit icmp any any echo-reply
access-list VPN-INTERESTING-TRAFFIC extended permit ip object internal object remote_internal


They were then able to ping hosts across the VPN but nothing else worked (e.g. AD authentication, DNS resolution, printing, etc.). At that point they just started adding ACLs they thought made sense and added the "ad-traffic" object groups. When that didn't work they just added all the AD/DNS related ports to the internet services object group, but still weren't able to print even after adding port 9100 to the same internet object groups. That is when they called us. Needless to say the first thing I am going to do is clean up these ACLs. The "ad-traffic" object groups didn't work because they had ACLs for them in the wrong order. That actually took me a minute to catch. Seeing that it is an encrypted VPN I don't understand why they didn't just do a permit all traffic between the VPN subnets.
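
As an added example (editor's code, not from the thread or from Cisco), a small Python audit that parses object-groups and access-lists in the format posted above and reports the two findings raised in this thread: ACEs that permit internal-only services (print, LDAP, SMB, Kerberos, as Reggle listed) toward "any", and ACEs already fully covered by another entry in the same list, such as the second VPN-INTERESTING-TRAFFIC line SimonV flagged. The INTERNAL_ONLY port list is my assumption, and SAMPLE is a constructed, trimmed subset of the Site A config.

```python
"""Audit ASA service groups and ACLs for the two issues raised in this thread."""
import ipaddress
from collections import namedtuple
ACE = namedtuple("ACE", "acl seq proto src dst ports")  # src/dst None = 'any'; ports None = all
PORT_NAMES = {"www": 80, "https": 443, "ldap": 389, "ldaps": 636, "domain": 53, "smtp": 25}
# Assumption: the services the thread calls out as internal-only (print, LDAP/GC, SMB, Kerberos).
INTERNAL_ONLY = {9100: "jetdirect", 389: "ldap", 636: "ldaps", 3268: "gc", 3269: "gc-ssl",
                 445: "smb", 139: "netbios-ssn", 88: "kerberos", 464: "kpasswd"}
# Constructed sample: a trimmed subset of the Site A config posted above.
SAMPLE = """\
object network internal
subnet 192.168.23.0 255.255.255.0
object network remote_internal
subnet 10.3.4.0 255.255.255.0
object-group service Internet-tcp tcp
port-object eq www
port-object eq 445
port-object eq 9100
port-object range 1024 5000
object-group service ad-traffic-tcp tcp
port-object eq ldap
access-list inside-in extended permit tcp 192.168.23.0 255.255.255.0 any object-group Internet-tcp
access-list VPN-INTERESTING-TRAFFIC extended permit ip object internal object remote_internal
access-list VPN-INTERESTING-TRAFFIC extended permit tcp object remote_internal object internal object-group ad-traffic-tcp
access-list VPN-INTERESTING-TRAFFIC extended permit ip object remote_internal object internal
"""

def endpoint(t, i, nets):  # 'any' | 'object NAME' | 'NET MASK' at t[i] -> (network or None, next index)
    if t[i] == "any":
        return None, i + 1
    return (nets[t[i + 1]] if t[i] == "object" else ipaddress.ip_network((t[i], t[i + 1]))), i + 2

def parse(cfg):  # return every permit ACE with object names and service groups resolved
    nets, groups, aces, name = {}, {}, [], None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[:2] == ["object", "network"]:
            name = t[2]
        elif t[:2] == ["object-group", "service"]:
            name, groups[t[2]] = t[2], []
        elif t[0] == "subnet":
            nets[name] = ipaddress.ip_network((t[1], t[2]))
        elif t[0] == "port-object":  # 'eq PORT' or 'range LO HI'; t[-1] is PORT or HI
            lo, hi = (PORT_NAMES.get(p) or int(p) for p in (t[2], t[-1]))
            groups[name].append((lo, hi))
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            src, i = endpoint(t, 5, nets)
            dst, i = endpoint(t, i, nets)
            ports = groups[t[i + 1]] if t[i:i + 1] == ["object-group"] else None
            aces.append(ACE(t[1], sum(a.acl == t[1] for a in aces) + 1, t[4], src, dst, ports))
    return aces

def covers(a, b):  # True if every packet matching ACE b would also match ACE a
    net_ok = lambda x, y: x is None or (y is not None and y.subnet_of(x))
    port_ok = a.ports is None or (b.ports is not None and all(
        any(alo <= lo and hi <= ahi for alo, ahi in a.ports) for lo, hi in b.ports))
    return a.proto in ("ip", b.proto) and net_ok(a.src, b.src) and net_ok(a.dst, b.dst) and port_ok

def exposed_services(aces):
    """(acl, seq, services) for ACEs that permit internal-only ports toward destination 'any'."""
    hits = lambda a: sorted(n for p, n in INTERNAL_ONLY.items() if any(lo <= p <= hi for lo, hi in a.ports))
    return [(a.acl, a.seq, hits(a)) for a in aces if a.dst is None and a.ports and hits(a)]

def covered_aces(aces):
    """(acl, covered seq, covering seq): entries another ACE in the same list already matches."""
    return [(b.acl, b.seq, a.seq) for a in aces for b in aces
            if a is not b and a.acl == b.acl and covers(a, b)]
```

Note that the "range 1024 5000" entry is what pulls the global-catalog ports into the exposed set, which is easy to miss when reading the group by eye.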

deanwebb

Exactly my thought. It's an encrypted VPN, so it *should* be like an extension of the inner corporate network. Permit any any all. Limit ports if and only if the VPN is to a partner site where you cannot control security measures.

Nerm

Quote from: deanwebb on September 27, 2015, 11:40:35 AM
Exactly my thought. It's an encrypted VPN, so it *should* be like an extension of the inner corporate network. Permit any any all. Limit ports if and only if the VPN is to a partner site where you cannot control security measures.

Coming from a security guy that sounds like sarcasm lol.

Nerm

But I thought permit any any was the cure-all for firewall related problems. :problem?:

deanwebb

Quote from: Nerm on September 28, 2015, 02:08:19 PM
But I thought permit any any was the cure-all for firewall related problems. :problem?:
Permit any any all LOG is the cure.

:haha2: