ASA code 9.7

Started by Dieselboy, January 17, 2017, 08:32:21 PM


Dieselboy

Heard that 9.7 is planned to be released tomorrow. Word is that it will support VTI tunnels (Like IOS) :) I hope it works, this will simplify my network so much!
At the moment I'm passing IPSEC through my ASA-X to an inside Cisco 2921 router specifically for the VTI tunnels. I run OSPF across multiple tunnels to allow fast failover. Downsides to this is that the ASA-X cannot see this traffic and so my layer 7 inspection (antimalware, IPS etc) does not work for VPN traffic. I also have some static routes configured to make this work :( but these static routes do not break anything (like failover) they just tell my core routers where the loopback IP's are (VPN terminates on a loopback on the 2921).

See, told you it was a little bit complex.

:awesome:

Can't wait for ASA 9.7 - bug free!

wintermute000

That's big news if true.  I've seen deals go to the competition due to route based vpn feature requirement

deanwebb

Quote from: wintermute000 on January 18, 2017, 02:32:35 AM
That's big news if true.  I've seen deals go to the competition due to route based vpn feature requirement

Indeed. Probably why they brought in the feature.

Now we need to research the upgrade path from 7.2 to 9.7 for some of our more abandoned firewalls...
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

Hahahahahaha enjoy. Total syntax rewrite time.

icecream-guy

Quote from: wintermute000 on January 18, 2017, 02:57:43 PM
Hahahahahaha enjoy. Total syntax rewrite time.


maybe we'll get our 2 year old feature request... two-factor authentication into ASDM. That'd be great....
:professorcat:

My Moral Fibers have been cut.

deanwebb

Quote from: wintermute000 on January 18, 2017, 02:57:43 PM
Hahahahahaha enjoy. Total syntax rewrite time.

May even have to replace the hardware running the 7.2 code... we shall see...

icecream-guy

Quote from: deanwebb on January 19, 2017, 10:20:31 AM
Quote from: wintermute000 on January 18, 2017, 02:57:43 PM
Hahahahahaha enjoy. Total syntax rewrite time.

May even have to replace the hardware running the 7.2 code... we shall see...

or at least upgrade the memory, but I think the hardware is EOL so there is not memory available to upgrade to. 
:professorcat:


Dieselboy

Code still isn't out so either my TAC engineer is telling porkies or the usual delayed releases from Cisco.

Quick question about 2-factor auth. Back in the UK we were using RSA tokens which cost like 1500 pounds for just a few tokens. Later on I saw some software tokens installed on blackberries.

Google has something similar. Whilst daydreaming in a meeting earlier this week I had a thought: could we use 2-factor auth using the Google thing? I plan on setting this up for us for our AWS accounts.

deanwebb

Delayed release. Everyone expected it today.

And software tokens do the same thing as hardware tokens. It's just that hardware tokens are something to use that's not on the device in order to provide security.

DanC

http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/release/notes/asarn97.html

Finally they've introduced support for Layer 2 switching on the 5506! That's been a real bugbear of mine!

New default configuration for the ASA 5506-X series using Integrated Routing and Bridging
A new default configuration will be used for the ASA 5506-X series. The Integrated Bridging and Routing feature provides an alternative to using an external Layer 2 switch. For users replacing the ASA 5505, which includes a hardware switch, this feature lets you replace the ASA 5505 with an ASA 5506-X or other ASA model without using additional hardware.
The new default configuration includes:
outside interface on GigabitEthernet 1/1, IP address from DHCP
inside bridge group BVI 1 with GigabitEthernet 1/2 (inside1) through 1/8 (inside7), IP address 192.168.1.1
inside --> outside traffic flow
inside ---> inside traffic flow for member interfaces
(ASA 5506W-X) wifi interface on GigabitEthernet 1/9, IP address 192.168.10.1
(ASA 5506W-X) wifi <--> inside, wifi --> outside traffic flow
DHCP for clients on inside and wifi. The access point itself and all its clients use the ASA as the DHCP server.
Management 1/1 interface is Up, but otherwise unconfigured. The ASA FirePOWER module can then use this interface to access the ASA inside network and use the inside interface as the gateway to the Internet.
ASDM access—inside and wifi hosts allowed.
NAT—Interface PAT for all traffic from inside, wifi, and management to outside.
If you are upgrading, you can either erase your configuration and apply the default using the configure factory-default command, or you can manually configure a BVI and bridge group members to suit your needs. Note that to easily allow intra-bridge group communication, you need to enable the same-security-traffic permit inter-interface command (this command is already present for the ASA 5506W-X default configuration).

Looks like the VTI is in there too :)

Virtual Tunnel Interface (VTI) support for ASA VPN module
The ASA VPN module is enhanced with a new logical interface called Virtual Tunnel Interface (VTI), used to represent a VPN tunnel to a peer. This supports route based VPN with IPsec profiles attached to each end of the tunnel. Using VTI does away with the need to configure static crypto map access lists and map them to interfaces.
We introduced the following commands: crypto ipsec profile, interface tunnel, responder-only, set ikev1 transform-set, set pfs, set security-association lifetime, tunnel destination, tunnel mode ipsec, tunnel protection ipsec profile, tunnel source interface.
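A minimal route-based tunnel built from the commands the release note lists above (plus the IKEv1 policy and tunnel-group that any ASA IPsec peer needs), as an added illustration rather than text from DanC's post or Cisco's notes. The peer address 203.0.113.2, the tunnel /30, the remote prefix and every name are placeholders I chose; 9.7 VTI is IKEv1 only, which is why the profile uses set ikev1 transform-set.

```cisco
! --- Phase 1: IKEv1 policy on the WAN interface (placeholder values) ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

! --- Phase 2: transform set wrapped in an IPsec profile (new in 9.7) ---
! The profile replaces the crypto map + crypto ACL of a policy-based VPN;
! interesting traffic is now whatever the routing table sends into the VTI.
crypto ipsec ikev1 transform-set VTI-TS esp-aes-256 esp-sha-hmac
crypto ipsec profile VTI-PROFILE
 set ikev1 transform-set VTI-TS
 set pfs group14
 set security-association lifetime seconds 3600

! --- Peer authentication (PSK is a placeholder; use a long random one) ---
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-STRONG-PSK>

! --- The VTI itself: a real L3 interface, so ACLs and the FirePOWER /
! --- IPS inspection apply to the cleartext inside it ---
interface Tunnel1
 nameif vti-peer
 security-level 0
 ip address 10.255.0.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! --- Steer the remote site into the tunnel (static routes or BGP only) ---
route vti-peer 10.20.0.0 255.255.0.0 10.255.0.2
```

The same tunnel terminated on an inside IOS router, as in the thread's original design, is opaque to the ASA's Layer 7 inspection; on the VTI the decrypted flow crosses a named interface and can be inspected and logged like any other. Failover-pair specifics (standby addressing on the tunnel) and IPv6 are not covered by this fragment, since the thread reports both as open questions.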


Dieselboy

Niceeeee
I saw this come out earlier this week. I am on leave from Tuesday so I've halted big changes. I'll dive into this when I come back in a few weeks because it will make my life easier! And hopefully by then all the bugs will have been reported and resolved :)

About the L2 switching  :zomgwtfbbq:
So "same security traffic intra interface" doesn't work on the 5506? I have set up tons of 5505's and own one myself. No problem with L2 switching there :-s (unless it's really routed internally and I am unaware?)
What is the issue with the 5506?(Or rather what was the issue? )

DanC

Hey Dieselboy, the 5506 (until 9.7) doesn't support any L2 switching at all. Crazy, I know! I made the mistake of ordering 3 for a project and it wasn't until implementation that I found out. Do a quick google and you'll see a lot of people complaining about it, which is why I guess they've introduced IRB into the new code. Who the hell needs 8 x 1Gbps L3 ports on a SOHO device!? :|

deanwebb

Quote from: DanC on January 28, 2017, 05:17:09 PM
Who the hell needs 8 x 1Gbps L3 ports on a SOHO device!? :|

GAMERZ DOIN IT RITE W/ SRS BSNS

:professorcat: :matrix:

Dieselboy

I configured VTI tunnel yesterday evening and I can ping between a 2901 ISR and ASA5515-X using a VTI tunnel.
Only BGP and static routes are supported on the ASA so I decided to use static routes.

Once traffic started flowing across the tunnel, the primary ASA crashed, so the secondary ASA immediately took over and then crashed. Both are registering page faults and listing exact file paths to the OS like:
Thread Name: DATAPATH-0-1956
Page fault: Address not mapped

Because of how this failed, I think it might be caused by some other config on the ASA pair. IPv6 VTI tunnel is not supported but I do have IPv6 running on the wan interface, I'm wondering if this might be the problem.

As this is a HA pair I configured the VTI tunnel with the "standby" IP. I'm not sure if this is the problem and whether standby IP is not required for VTI tunnel.
Currently the TAC case is stuck with a guy in the US who's off shift. /Annoying. I thought I would have had a quick response on this one, considering I logged the case with:

3 x A4 pages of initial case notes, explaining exactly what I did, what happened and what the desired outcome was. Software versions and the setup / design. What I require from the TAC case (expected outcome). I also mentioned the above points about IPv6 and the standby IP as concerns / possible considerations for cause.
1 x high-level diagram to help explain the long case notes
all four crash dumps from both ASA's
the backup of the asa configuration export
The console output at the time of the crash

What did I miss? The engineer did come back with "did you get a tech support". So I'll do that.

deanwebb

DID YOU GET TECH SUPPORT???? HE ASKS THAT????

:kiwf:

That's not tech support, that's panic in the face of a tricky issue, totally unacceptable. Do you have a channel you can use to escalate the issue and get it reassigned? We had to do that on one really messy call when the TAC guy basically tried to push everything back on us and finally made his last mistake when he took a comment I made out of context and canceled a request to send out a test device to the affected site.

And then went on vacation 30 seconds after canceling the request.

:rage: