Thursday 7 February 2008

[Technical] - How to Static NAT two Public IPs to 1 Private IP?

A common question I get is whether you can NAT more than one public IP to a single private IP on a Cisco ASA (or PIX) firewall.

The simple answer is yes, but not with the "static" command as you might expect; that fails with the error "ERROR: duplicate of existing static".

So the following configuration will fail;
static (Inside,Outside) 201.10.10.2 10.10.10.1 netmask 255.255.255.255
static (Inside,Outside) 100.20.30.3 10.10.10.1 netmask 255.255.255.255


However, using policy NAT on the PIX/ASA with code 7.x and later (tested on 8.x), the following will work.
access-list policy_1 extended permit ip host 10.10.10.1 any
access-list policy_2 extended permit ip host 10.10.10.1 any
static (Inside,Outside) 201.10.10.2 access-list policy_1
static (Inside,Outside) 100.20.30.3 access-list policy_2


Interestingly, if you ping 100.20.30.3 from the outside you see the echo-reply come from 201.10.10.2. ICMP isn't stateful through the firewall, so policy NAT uses the first IP in the list as the source address of any outgoing initiated flow. Bear this in mind when correlating outbound connections from 10.10.10.1 in external logs: they will appear to come from 201.10.10.2, never from 100.20.30.3.
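As an added illustration (not part of the original post), the following Python models the two behaviours described above: it parses plain and policy "static" lines into a per-host list of public IPs, raises the duplicate-static error when a second plain static is given for the same inside host, and reports the public IP that outbound flows use (the first static listed). The configuration text and the 198.51.100.7 / 10.10.10.9 addresses are constructed for the example.

```python
import re

# Constructed sample configuration: the post's working policy-NAT pair plus a
# plain one-to-one static for a second, hypothetical host.
SAMPLE_CONFIG = """
access-list policy_1 extended permit ip host 10.10.10.1 any
access-list policy_2 extended permit ip host 10.10.10.1 any
static (Inside,Outside) 201.10.10.2 access-list policy_1
static (Inside,Outside) 100.20.30.3 access-list policy_2
static (Inside,Outside) 198.51.100.7 10.10.10.9 netmask 255.255.255.255
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip host (\S+) any$")
STATIC_ONE_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask \S+$")
STATIC_POLICY_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) access-list (\S+)$")

def parse_statics(config):
    """Return {real_ip: [global_ip, ...]} in configuration order.

    Plain one-to-one statics and policy statics are both resolved to the
    real (inside) host. A second plain static for a host that already has
    one raises ValueError, mirroring "ERROR: duplicate of existing static".
    """
    acl_host = {}   # policy ACL name -> inside host it matches
    mapping = {}    # real IP -> public IPs, in the order configured
    plain = set()   # hosts already covered by a plain static
    for line in config.strip().splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            acl_host[m.group(1)] = m.group(2)
            continue
        m = STATIC_ONE_RE.match(line)
        if m:
            real = m.group(4)
            if real in plain:
                raise ValueError("ERROR: duplicate of existing static")
            plain.add(real)
            mapping.setdefault(real, []).append(m.group(3))
            continue
        m = STATIC_POLICY_RE.match(line)
        if m:
            mapping.setdefault(acl_host[m.group(4)], []).append(m.group(3))
    return mapping

def outbound_source(mapping, real_ip):
    """Public IP an inside-initiated flow appears from: the first static."""
    return mapping[real_ip][0]
```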

Bob

Tuesday 5 February 2008

[Technical] - Using a Cisco ASA to authenticate an SSL VPN user to a Microsoft AD using LDAP (i.e. without RADIUS)

For this example I used a Cisco ASA5520 running 8.0(3), authenticating against a Microsoft Windows 2003 domain (company1.co.uk).


The logic here will allow SSL VPN users to connect so long as they are a member of either the SupportStaff or Managers group within Microsoft Active Directory. Members of the Managers group will have more restricted access than members of SupportStaff. If an AD user isn't a member of one of these groups, they will be denied access.

The following key aspects of configuration need to be completed;

  • aaa-server
  • ldap attribute-map
  • access-lists
  • ip address pools
  • webvpn parameters
  • group-policy
  • tunnel-group

Configure your AAA server details. The user "ldap_user" is a standard user within the Microsoft AD; ideally this user's password (ldap_users_password) should be set to never expire. It needs no more than an ordinary domain account, because the ASA only uses it to search for the connecting user's DN and group membership before binding as that user with the credentials they supplied.

aaa-server Company1-LDAP protocol ldap
aaa-server Company1-LDAP host 10.1.1.2
 ldap-base-dn dc=company1,dc=co,dc=uk
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn "ldap_user"
 ldap-login-password "ldap_users_password"
 server-type microsoft
 ldap-attribute-map Company1-Map


Define your LDAP attribute map. This tells the Cisco ASA which locally configured group-policy to apply, based on the Active Directory group membership of the user connecting via the SSL VPN.

ldap attribute-map Company1-Map
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=SupportStaff,OU=User Accounts,DC=company1,DC=co,DC=uk" ALLOWSupportAccess
 map-value memberOf "CN=Managers,OU=User Accounts,DC=company1,DC=co,DC=uk" ALLOWManagerAccess


Then create access lists for the split-tunnel policy (if appropriate) and for any traffic filters you wish to apply to the SSL VPN.

access-list Managers-Split-Tunnel standard permit host 10.1.1.15
access-list Managers-Split-Tunnel standard permit host 10.1.1.25
access-list Support-Split-Tunnel standard permit 10.0.0.0 255.0.0.0
access-list Restrict-Manager-Access extended permit tcp any host 10.1.1.15 eq smtp
access-list Restrict-Manager-Access extended permit tcp any host 10.1.1.25 eq www
access-list Restrict-Manager-Access extended deny ip any any


Define an IP address pool for remote users;

ip local pool ssl_vpn_pool 10.9.9.1-10.9.9.100 mask 255.255.255.0

Enable webvpn on the outside interface and specify the location of the SVC (AnyConnect) image on your ASA.

webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
 svc enable


Define your group-policies. These determine whether a user can log in and, once logged in, what access they have, by tying back to the access-lists. A policy that denies access also needs to be created: the LDAP map links the two ALLOW policies to users, and the NOACCESS policy is set in the tunnel-group as the default policy, so anyone who does not match one of the mapped groups gets vpn-simultaneous-logins 0 and cannot connect.

group-policy ALLOWSupportAccess internal
group-policy ALLOWSupportAccess attributes
 banner value Welcome you are logged in with Support rights and full access.
 dns-server value 10.1.2.3
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Support-Split-Tunnel
 default-domain value company1.co.uk
 webvpn
  svc ask none default svc


group-policy ALLOWManagerAccess internal
group-policy ALLOWManagerAccess attributes
 banner value You are logged in as a Manager with limited access.
 dns-server value 10.1.2.3
 vpn-simultaneous-logins 1
 vpn-filter value Restrict-Manager-Access
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Managers-Split-Tunnel
 default-domain value company1.co.uk
 webvpn
  svc ask none default svc
  hidden-shares none
  file-entry disable
  file-browsing disable

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec svc webvpn
 webvpn
  svc ask none default svc


Finally, the tunnel-group sets the various settings for SSL VPN access to the Cisco ASA and ties the other parts of the config together.

tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool ssl_vpn_pool
 authentication-server-group Company1-LDAP
 authorization-server-group Company1-LDAP
 authorization-server-group (inside) Company1-LDAP
 default-group-policy NOACCESS
 password-management password-expire-in-days 7
 authorization-required


To troubleshoot any issues, enable the following debugs (listed here as they appear in the output of show debug).

debug aaa authentication enabled at level 1
debug aaa authorization enabled at level 1
debug aaa common enabled at level 15
debug ldap enabled at level 15


Look for the following to ensure the user is authenticated.

[3891] Performing Simple authentication for Phil to 10.1.1.2
[3891] LDAP Search:
Base DN = [dc=company1,dc=co,dc=uk]
Filter = [sAMAccountName=Phil]
Scope = [SUBTREE]
[3891] User DN = [CN=Phil,OU=User Accounts,DC=company1,DC=co,DC=uk]
[3891] Talking to Active Directory server 10.1.1.2
[3891] Reading password policy for Phil, dn:CN=Phil,OU=User Accounts,DC=company1,DC=co,DC=uk
[3891] Read bad password count 0
[3891] Binding as user
[3891] Performing Simple authentication for Phil to 10.1.1.2
[3891] Processing LDAP response for user Phil
[3891] Checking password policy
[3891] Authentication successful for Phil to 10.1.1.2


Look for the following to ensure the user is authorized and the LDAP attribute map is matching as expected.


[3891] memberOf: value = CN=SupportStaff,OU=User Accounts,DC=company1,DC=co,DC=uk
[3891] mapped to IETF-Radius-Class: value = ALLOWSupportACCESS

...

user attributes:
1 Class(25) 12 "ALLOWSupportACCESS[00]"
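As an added illustration (not part of the original post), the following Python models the attribute-map lookup shown in the debug output above: it parses the map-value lines, returns the group-policy a user would receive from their memberOf values, and falls back to the tunnel-group default NOACCESS when nothing matches. The sample users and their group DNs are constructed, and the exact-string, first-match comparison is an assumption about ASA behaviour rather than something the post states.

```python
import re

# Constructed copy of the post's attribute map, using the company1.co.uk
# domain that the rest of the post (and the debug output) uses.
LDAP_MAP_CONFIG = """
ldap attribute-map Company1-Map
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=SupportStaff,OU=User Accounts,DC=company1,DC=co,DC=uk" ALLOWSupportAccess
 map-value memberOf "CN=Managers,OU=User Accounts,DC=company1,DC=co,DC=uk" ALLOWManagerAccess
"""
DEFAULT_GROUP_POLICY = "NOACCESS"   # default-group-policy in the tunnel-group

MAP_VALUE_RE = re.compile(r'^map-value memberOf "([^"]+)" (\S+)$')

# Constructed memberOf values as AD might return them for four test users.
SAMPLE_USERS = {
    "Phil": ["CN=SupportStaff,OU=User Accounts,DC=company1,DC=co,DC=uk"],
    "Maria": ["CN=Managers,OU=User Accounts,DC=company1,DC=co,DC=uk",
              "CN=Domain Users,CN=Users,DC=company1,DC=co,DC=uk"],
    "Guest": ["CN=Domain Users,CN=Users,DC=company1,DC=co,DC=uk"],
    # Right group, but the DN's domain component differs from the map entry,
    # so the match silently fails and the user lands in NOACCESS.
    "Typo": ["CN=SupportStaff,OU=User Accounts,DC=1stquote,DC=co,DC=uk"],
}

def parse_attribute_map(config):
    """Return {group DN: group-policy name} from the map-value lines."""
    table = {}
    for line in config.splitlines():
        m = MAP_VALUE_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2)
    return table

def select_group_policy(member_of, table, default=DEFAULT_GROUP_POLICY):
    """Simulate the memberOf -> IETF-Radius-Class mapping.

    Assumption (not stated in the post): the comparison is an exact string
    match against the map-value DN and the first matching memberOf value
    wins. Anything unmatched gets the tunnel-group default, NOACCESS.
    """
    for dn in member_of:
        if dn in table:
            return table[dn]
    return default

def evaluate_users(users, config=LDAP_MAP_CONFIG):
    """Map every sample user to the group-policy the ASA would assign."""
    table = parse_attribute_map(config)
    return {name: select_group_policy(groups, table) for name, groups in users.items()}
```

Running evaluate_users(SAMPLE_USERS) is a quick way to check a map against the exact DNs AD returns before relying on the debug output to find a mismatch.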


Thanks for looking and as always feedback on this example is always welcome.


Bob.