Friday, October 02, 2009

firewall-wizards Digest, Vol 42, Issue 3

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: asa 5505 vpn ipsec l2l problem (Christopher J. Wargaski)
2. Re: secure firewall rule management program (Pietro Bertera)
3. Re: asa 5505 vpn ipsec l2l problem (Paul Melson)
4. Re: asa 5505 vpn ipsec l2l problem (Farrukh Haroon)
5. Re: Cisco AnyConnect VPN Client SSL for linux; (R. DuFresne)
6. Re: asa 5505 vpn ipsec l2l problem (Eric Gearhart)


----------------------------------------------------------------------

Message: 1
Date: Fri, 2 Oct 2009 09:06:06 -0500
From: "Christopher J. Wargaski" <wargo1@gmail.com>
Subject: Re: [fw-wiz] asa 5505 vpn ipsec l2l problem
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<17065120910020706n234b2382ia52b18144b7a45c4@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hello--

Is the SA established? If so, try starting with a much simpler ACL
for the crypto map match. For example:

access-list acl extended permit ip host 192.168.11.11 host 10.1.100.13
access-list acl extended permit ip host 192.168.11.11 host 10.1.100.250
access-list acl extended permit ip host 192.168.11.11 host 10.1.100.105
access-list acl extended permit ip host 192.168.11.12 host 10.1.100.13
access-list acl extended permit ip host 192.168.11.12 host 10.1.100.250
access-list acl extended permit ip host 192.168.11.12 host 10.1.100.105

Make sure that the same ACL is on the other peer. If this works, begin
restricting the traffic, say starting with all TCP. Continue
restricting the ACL until it is how you want it, or it no longer
works.

cjw

On Fri, Oct 2, 2009 at 7:09 AM, Hrvoje Popovski <hrvoje@srce.hr> wrote:
> hello everyone,
>
> I have asa 5505 with Base license and 7.2.4 software.
>
> Licensed features for this platform:
> Maximum Physical Interfaces : 8
> VLANs                       : 3, DMZ Restricted
> Inside Hosts                : 10
> Failover                    : Disabled
> VPN-DES                     : Enabled
> VPN-3DES-AES                : Enabled
> VPN Peers                   : 10
> WebVPN Peers                : 2
> Dual ISPs                   : Disabled
> VLAN Trunk Ports            : 0
>
>
> I'm trying to create l2l ipsec tunnel reading manual on
> http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/site2sit.html
>
> and when I'm applying acl in crypto map
> crypto map abcMap 1 match address acl
> I'm getting this log:
> Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead
>
> I don't have any debug messages (debug crypto ipsec 100)
> googled it but haven't found any answer.
>
> thank you for your answers!


------------------------------

Message: 2
Date: Fri, 2 Oct 2009 16:15:37 +0200
From: "Pietro Bertera" <pietro@bertera.it>
Subject: Re: [fw-wiz] secure firewall rule management program
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20091002141537.GA6146@bertuccia.int.xsec.it>
Content-Type: text/plain; charset=us-ascii

> Anyone have suggestions for a good, secure webified firewall rule
> management program? I.e. the kind of thing where users submit
> requests for firewall holes and there's support for workflow so that a
> requested rule goes to an approver for approval, and if approved, it
> then goes to an implementer for implementation. COTS or free is fine.

I use FWbuilder (http://www.fwbuilder.org/) for rule management.
You can implement the rule application workflow with a set of script or
deploy tool.

regards,
Pietro


------------------------------

Message: 3
Date: Fri, 2 Oct 2009 12:05:54 -0400
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] asa 5505 vpn ipsec l2l problem
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>,
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <001201ca437a$3a242980$ae6c7c80$@com>
Content-Type: text/plain; charset="us-ascii"

> and when I'm applying acl in crypto map
> crypto map abcMap 1 match address acl
> I'm getting this log:
> Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead
>
> I don't have any debug messages (debug crypto ipsec 100), googled it but
> haven't found any answer.
>
> thank you for your answers!
>
> acl
> access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
> access-list acl extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
> access-list acl extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
> access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data


You can only use 'permit ip' in an access-list used for crypto map match,
and your access-list is set to use tcp.

If you need to filter VPN traffic down to the port and protocol level, use
the access-list applied to the outside interface, not the access-list
applied to the VPN tunnel's crypto map.

PaulM


------------------------------

Message: 4
Date: Fri, 2 Oct 2009 21:02:23 +0300
From: Farrukh Haroon <farrukhharoon@gmail.com>
Subject: Re: [fw-wiz] asa 5505 vpn ipsec l2l problem
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: firewall-wizards@listserv.cybertrust.com
Message-ID:
<eff3217d0910021102s21562dewf3501277eb239f0@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Run these three debugs

debug crypto engine
debug crypto isakmp 127
debug crypto ipsec 127

and then see if you get any more meaningful debugs.

Regards

Farrukh Haroon
CCIE Security

On Fri, Oct 2, 2009 at 3:09 PM, Hrvoje Popovski <hrvoje@srce.hr> wrote:

> hello everyone,
>
> I have asa 5505 with Base license and 7.2.4 software.
>
> Licensed features for this platform:
> Maximum Physical Interfaces : 8
> VLANs                       : 3, DMZ Restricted
> Inside Hosts                : 10
> Failover                    : Disabled
> VPN-DES                     : Enabled
> VPN-3DES-AES                : Enabled
> VPN Peers                   : 10
> WebVPN Peers                : 2
> Dual ISPs                   : Disabled
> VLAN Trunk Ports            : 0
>
>
> I'm trying to create l2l ipsec tunnel reading manual on
>
> http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/site2sit.html
>
> and when I'm applying acl in crypto map
> crypto map abcMap 1 match address acl
> I'm getting this log:
> Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead
>
> I don't have any debug messages (debug crypto ipsec 100)
> googled it but haven't found any answer.
>
> thank you for your answers!
>
> acl
> access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
> access-list acl extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
> access-list acl extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
> access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

------------------------------

Message: 5
Date: Fri, 2 Oct 2009 14:28:09 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
Subject: Re: [fw-wiz] Cisco AnyConnect VPN Client SSL for linux;
To: ArkanoiD <ark@eltex.net>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.64.0910021426440.2675@darkstar.sysinfo.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Thanks all, looking over openvpn now. So to get it to work with cisco I
need a patch that kinda breaks it?

I'm not seeing a link for a patch, anyone have such?

Thanks,

Ron DuFresne


On Thu, 1 Oct 2009, ArkanoiD wrote:

> IIRC it is basically openvpn with several broken DTLS headers. There was a patch
> that enables "cisco-compatible" mode in openvpn.
>
> On Tue, Sep 29, 2009 at 10:39:13PM -0400, R. DuFresne wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>>
>>
>> This might be slightly off topic, perhaps not.
>>
>>
>> Does anyone know of a linux client for the Cisco AnyConnect VPN Client SSL
>> tool? Prefer one not redhat specific, we use slackware.
>>
>>
>> Thanks,
>>
>> Ron DuFresne
>> - --
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame. --Charlie Wilson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFKxkY7st+vzJSwZikRAsB6AKC5oVz0LcfEosnEzbiTTGugTcUybgCfTE7z
eayl5NLylgH+pMWvOMaKWJc=
=jM5s
-----END PGP SIGNATURE-----


------------------------------

Message: 6
Date: Fri, 2 Oct 2009 11:33:12 -0700
From: Eric Gearhart <eric@nixwizard.net>
Subject: Re: [fw-wiz] asa 5505 vpn ipsec l2l problem
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5792267e0910021133s6671cb14q5466ec20716b2e5d@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On Fri, Oct 2, 2009 at 5:09 AM, Hrvoje Popovski <hrvoje@srce.hr> wrote:

> hello everyone,
>
> I have asa 5505 with Base license and 7.2.4 software.
>
> I'm trying to create l2l ipsec tunnel reading manual on
>
> http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/site2sit.html
>
> and when I'm applying acl in crypto map
> crypto map abcMap 1 match address acl
> I'm getting this log:
> Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead
>
> I don't have any debug messages (debug crypto ipsec 100)
> googled it but haven't found any answer.
>
> thank you for your answers!
>
> acl
> access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
> access-list acl extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
> access-list acl extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
> access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data
>


If you're not seeing IPsec build the tunnel with debug crypto, I would guess
that traffic is getting NAT'd out, and not hitting the tunnel (by the way,
you probably only need debug crypto ipsec 5, not 100...)


Do you have NAT setup on the 5505? If you do, do you have a NAT exclude ACL
setup that excludes "your device networks -> remote device networks"?

--
Eric

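Taken together, the replies in this thread describe one procedure for the poster's tunnel: make the crypto-map match ACL plain `permit ip` address pairs and do any port-level filtering on an interface ACL instead (Message 3), put the exact mirror image of that ACL on the peer (Message 1), and exempt the same address pairs from NAT so the traffic reaches the crypto map at all (Message 6). The script below is an added example written for this digest, not code from the thread or from Cisco. It parses the ACL lines the poster showed (copied verbatim into `POSTED_ACL`), flags every entry the replies advise against, and derives the configuration fragments the three replies add up to. The ACL names `nonat` and `outside_in`, the interface names `inside` and `outside`, and the `no sysopt connection permit-vpn` line (on the ASA, decrypted VPN traffic bypasses interface ACLs while that default setting is on) are assumptions made for illustration and do not come from the thread.

```python
"""Lint an ASA crypto-map ACL and derive the companion ACLs the replies call for.

Added example for this digest, not code from the thread or from Cisco.  The ACL
lines in POSTED_ACL are the original poster's; the ACL names "nonat" and
"outside_in", the interface names and the sysopt line are assumptions.
"""
from dataclasses import dataclass, replace

# The original poster's crypto-map ACL, copied from the thread.
POSTED_ACL = [
    "access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000",
    "access-list acl extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000",
    "access-list acl extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp",
    "access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data",
    "access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000",
    "access-list acl extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000",
    "access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp",
    "access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data",
]

# Port operators and how many arguments each one takes.
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}


@dataclass(frozen=True)
class Ace:
    """One extended ACE. Addresses are 'host A', 'A MASK' or 'any'; ports are '' or e.g. 'eq 4000'."""
    name: str
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str

    def render(self):
        parts = ["access-list", self.name, "extended", self.action, self.proto,
                 self.src, self.sport, self.dst, self.dport]
        return " ".join(p for p in parts if p)


def _endpoint(tok, i):
    """Consume one address spec starting at tok[i]; return (text, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"host {tok[i + 1]}", i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2          # network followed by its mask


def _port(tok, i):
    """Consume an optional port operator at tok[i]; return (text, next index)."""
    if i < len(tok) and tok[i] in PORT_OPS:
        n = PORT_OPS[tok[i]] + 1
        return " ".join(tok[i:i + n]), i + n
    return "", i


def parse_ace(line):
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    src, i = _endpoint(tok, 5)
    sport, i = _port(tok, i)
    dst, i = _endpoint(tok, i)
    dport, _ = _port(tok, i)
    return Ace(tok[1], tok[3], tok[4], src, sport, dst, dport)


def lint_crypto_acl(lines):
    """Flag ACEs that Message 3 says do not belong in a crypto-map match ACL:
    anything other than plain 'permit ip' between two address specs."""
    findings = []
    for line in lines:
        a = parse_ace(line)
        if a.proto != "ip" or a.sport or a.dport:
            findings.append(f"{line}: use 'permit ip' here and filter ports on an interface ACL")
    return findings


def to_crypto_acl(lines, name):
    """Collapse the ACEs to unique 'permit ip' address pairs, keeping their order."""
    seen, out = set(), []
    for line in lines:
        a = parse_ace(line)
        if (a.src, a.dst) not in seen:
            seen.add((a.src, a.dst))
            out.append(Ace(name, "permit", "ip", a.src, "", a.dst, "").render())
    return out


def mirror(lines, name):
    """Swap source and destination (addresses and ports) so the far side gets the
    exact mirror image and both peers negotiate the same selectors (Message 1)."""
    out = []
    for line in lines:
        a = parse_ace(line)
        out.append(Ace(name, a.action, a.proto, a.dst, a.dport, a.src, a.sport).render())
    return out


def build_config(lines, inside_if="inside", outside_if="outside"):
    """Assemble the fragments the three replies add up to, as a list of CLI lines."""
    crypto = to_crypto_acl(lines, "acl")
    frag = ["! 1. crypto-map match ACL: address pairs only"] + crypto
    frag += ["! 2. exempt the same pairs from NAT so they are steered into the tunnel"]
    frag += to_crypto_acl(lines, "nonat") + [f"nat ({inside_if}) 0 access-list nonat"]
    frag += ["! 3. port-level policy on the outside interface (mirrored: it sees the",
             "!    remote-to-local direction); not in the crypto ACL"]
    frag += mirror(lines, "outside_in") + [f"access-group outside_in in interface {outside_if}"]
    frag += ["!    decrypted VPN traffic bypasses interface ACLs while the default",
             "!    'sysopt connection permit-vpn' is set, so clear it for the ACL to apply",
             "no sysopt connection permit-vpn"]
    frag += ["! 4. on the peer: the mirror image of the crypto ACL"] + mirror(crypto, "acl")
    return frag


if __name__ == "__main__":
    for finding in lint_crypto_acl(POSTED_ACL):
        print("LINT:", finding)
    print("\n".join(build_config(POSTED_ACL)))
```

Run as-is, the lint reports all eight of the poster's entries (every one is `permit tcp` with a port), and the generated crypto ACL collapses them to six `permit ip` host pairs; the mirrored copy is what goes on the far peer. `mirror()` swaps ports as well as addresses, so the odd-looking `eq ftp ... eq ftp` entry round-trips unchanged, and `parse_ace()` also accepts `any` and network/mask endpoints should the tunnel later be widened to whole subnets.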
------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 42, Issue 3
***********************************************
