Archive for the ‘Networking’ Category

Map certificates to Tunnel Groups on Cisco ASA FWs

May 9th, 2013

Yesterday I noticed some strange messages in my syslog.

It turned out that on ASA firewalls with more than one connection profile using certificate authentication, you need to map the certificates to the tunnel groups.

Mapping the certificates to specific tunnel-groups can be done in the CLI or in the ASDM. Since Cisco's current push is mostly toward the ASDM, you might as well get used to it. In all honesty, it’s extremely functional and, once you get used to it, very easy to navigate.


Then pick a name for the rule and select the connection profile.


For security reasons, I would always set anything that has to do with the default tunnels, policies, maps, etc. to disconnect in a separate DAP policy. That way, if a connection attempt is made that you have not explicitly defined or allowed, it will be terminated. For this reason we will choose the “New” button and name our map something intuitive that lets us immediately associate it with the tunnel we are mapping it to. For instance, if your tunnel is called “marketing_tunnel” and your policy for that tunnel is “marketing_policy”, name your map “marketing_certmap”. Trust me; this makes life much easier on a busy ASA when you are troubleshooting. Also, create your certificate maps in order of importance, so that the “Priority” values are relative by default. Choose the connection profile (tunnel-group) you wish to map this rule to and click “Ok”.

Next we need to define the criteria (certificate values) that will be used for the certificate map. As of 8.4, there are four parts to each criterion: Field, Component, Operator, and Value.


In the above example we are using criteria that would specify the name and domain of the person or device trying to authenticate. For this device it would be something like or All of this information must be present on the certificate it was issued or it won’t be passed to the ASA during the authentication process.

In the example above, we are specifying that the certificate issuer is used to map the connection to a specific tunnel group. You may have more than one CA in your organization, each used for a different purpose: for example, a CA for laptops authenticating to the wireless infrastructure, a CA for users authenticating to the VPN, and a CA for mobile devices authenticating to both wireless and VPN. In all of these cases the issuer CN for each CA is different, so you can assign each type of device to a different tunnel-group and apply different policies or restrictions to each.
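As an added example (not from the original post), here is the CLI equivalent of the two kinds of map described above: one matching on subject fields, one matching on the issuer CN, each bound to its own tunnel-group, plus the DAP record that terminates anything landing in the default tunnel-groups. The names marketing_tunnel, marketing_policy and marketing_certmap come from the post; the mobile_* names, the OU value, the domain suffix and the CA common name are assumed values.

```cisco
! Certificate map 1: subject-based match for the marketing tunnel.
! Field = subject-name, Component = ou / cn, Operator = eq / co, Value as shown.
! The OU "Marketing" and the example.com suffix are assumed values.
crypto ca certificate map marketing_certmap 10
 subject-name attr ou eq Marketing
 subject-name attr cn co example.com
!
! Certificate map 2: issuer-based match, so every certificate signed by the
! mobile CA lands in its own tunnel-group. The CA name is an assumed value.
crypto ca certificate map mobile_certmap 10
 issuer-name attr cn co Mobile-Issuing-CA
!
! The group-policies and tunnel-groups the maps point at.
group-policy marketing_policy internal
group-policy mobile_policy internal
tunnel-group marketing_tunnel type remote-access
tunnel-group marketing_tunnel general-attributes
 default-group-policy marketing_policy
tunnel-group marketing_tunnel webvpn-attributes
 authentication certificate
tunnel-group mobile_tunnel type remote-access
tunnel-group mobile_tunnel general-attributes
 default-group-policy mobile_policy
tunnel-group mobile_tunnel webvpn-attributes
 authentication certificate
!
! Bind the maps to the tunnel-groups. A lower sequence number is evaluated
! first, so number the maps in order of importance as the post suggests.
! certificate-group-map covers AnyConnect/SSL sessions; tunnel-group-map
! covers IKEv1 IPsec sessions.
webvpn
 certificate-group-map marketing_certmap 10 marketing_tunnel
 certificate-group-map mobile_certmap 10 mobile_tunnel
tunnel-group-map enable rules
tunnel-group-map marketing_certmap 10 marketing_tunnel
tunnel-group-map mobile_certmap 10 mobile_tunnel
!
! DAP record that terminates sessions which fall through to a default
! tunnel-group (DefaultWEBVPNGroup / DefaultRAGroup). Its selection criterion
! (AAA attribute cisco.tunnelgroup equal to the default group name) is set in
! the ASDM DAP editor and stored in dap.xml; only the action appears here.
dynamic-access-policy-record terminate_default_tunnels
 action terminate
```

After applying this, `show run crypto ca certificate map` and `show run webvpn` confirm the bindings, and a test connection with a certificate that matches no map should show the terminate action in the DAP debug output rather than being admitted to a default group.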

Categories: Networking, Security

Cisco ASA: AnyConnect Client Profile

March 20th, 2013

Starting with the Cisco AnyConnect 2.5 client, Cisco provides some interesting features. One of them is the Client Profile.

Building the client profiles is easy enough, in ASDM you just select the Remote Access VPN tab and drill down to AnyConnect Client Profile under Network (client) Access. Select Add, give the profile a name, and configure your policy.

Here is an example of using the Client Profile to hide the real VPN URL:

Some other options are:
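The profile XML itself is built in the ASDM profile editor; what the editor does not show is how the file reaches the client. As an added example (not from the original post), this is the CLI that registers an uploaded profile and attaches it to a group-policy so it is pushed to users on connect. The profile name corp_profile, the flash path and the group-policy name are assumptions, and AnyConnect is assumed to be already enabled on the outside interface.

```cisco
! Register the profile XML that was uploaded to flash. The client downloads
! and caches it on first connect; the HostEntry display name in the profile
! is what the user sees in the server list, not the real VPN URL.
webvpn
 enable outside
 anyconnect profiles corp_profile disk0:/corp_profile.xml
 anyconnect enable
!
! Attach the profile to the group-policy. "type user" pushes it as the
! per-user profile; only members of this group-policy receive it.
group-policy corp_policy internal
group-policy corp_policy attributes
 webvpn
  anyconnect profiles value corp_profile type user
```

`show run webvpn` and `show run group-policy corp_policy` confirm the binding; the client-side copy lands in the AnyConnect profile directory on the endpoint after the next successful connection.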

Categories: Networking

Cisco ASA: How to enable Group URL selection for a connection profile

February 7th, 2013

A client asked me to simplify the login process for VPN users. There are 20 connection profiles. By using Group URL I can either map it directly to a domain name or use URL redirect.

Ex: For group A to log in, users can now use either

Here is the how-to, in one picture:
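As an added example (not from the original post), here is the CLI behind that picture: a connection profile for group A reachable by a path-style URL on the shared VPN address and by a dedicated host name, so users no longer pick from the 20-entry drop-down. The names groupA_tunnel, groupA_policy and the vpn.example.com host names are assumptions.

```cisco
! Keep the alias drop-down for users who browse to the bare VPN address.
webvpn
 enable outside
 tunnel-group-list enable
!
! Connection profile for group A.
group-policy groupA_policy internal
tunnel-group groupA_tunnel type remote-access
tunnel-group groupA_tunnel general-attributes
 default-group-policy groupA_policy
tunnel-group groupA_tunnel webvpn-attributes
 ! Path-style URL on the shared VPN address: https://vpn.example.com/groupA
 group-url https://vpn.example.com/groupA enable
 ! Dedicated host name; its DNS record points at the same outside address
 group-url https://groupa.vpn.example.com enable
 ! Alias shown in the drop-down for anyone who lands on the bare address
 group-alias groupA enable
```

Either URL selects groupA_tunnel directly, so the user never sees the group list. A group-url must be unique across all connection profiles on the box; `show run tunnel-group` lists every URL currently claimed.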


Categories: Networking

ASA Troubleshooting: Packet-Tracer and Capture

January 21st, 2013

Cisco has released an incredible new feature in ASA software version 7.2(1) that virtually eliminates the guesswork. Packet-tracer allows a firewall administrator to inject a virtual packet into the security appliance and track the flow from ingress to egress. Along the way, the packet is evaluated against flow and route lookups, ACLs, protocol inspection, NAT, and IDS. The power of the utility comes from the ability to simulate real-world traffic by specifying source and destination addresses with protocol and port information.

Packet-tracer is available both from the CLI and in the ASDM. The ASDM version even includes animation (the value of which is questionable, but it is fun to watch), and the ability to navigate quickly to a failed policy.

CLI syntax:


Packet-tracer does more than just inject a ‘virtual’ packet into the data-plane. One can also add the ‘trace’ option to the capture command, so that actual packets the security appliance receives (which are matched by the capture) are also traced.

To view the packet-trace from captured packet #3 in the capture, use the command:
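As an added example (not the original post's screenshots), the full sequence in the CLI: inject a virtual packet, then capture real packets for the same flow with the trace option and pull the trace for packet #3. The addresses are documentation-range placeholders and the capture name capin is an assumption.

```cisco
! 1. Simulate a TCP SYN from an inside host to an outside web server and
!    watch each phase (route lookup, ACL, NAT, inspection) report ALLOW or DROP.
!    192.168.1.10 and 203.0.113.5 are placeholder addresses, not real hosts.
packet-tracer input inside tcp 192.168.1.10 12345 203.0.113.5 443 detailed
!
! 2. Capture real packets for the same flow; "trace" attaches packet-tracer
!    output to each packet the capture matches.
capture capin interface inside match tcp host 192.168.1.10 host 203.0.113.5 eq 443 trace
!
! 3. List the captured packets, then show the trace for packet #3.
show capture capin
show capture capin packet-number 3 trace
!
! 4. Remove the capture when done; it keeps consuming buffer memory otherwise.
no capture capin
```

The final "Action: allow" or "Action: drop" line of either output names the phase that made the decision, which is where to look in the configuration; a drop in the ACCESS-LIST phase points at an ACL, one in NAT at a translation rule.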

Categories: Networking

Blocking Google Talk (Or any other Internet service)

December 12th, 2012

From a quick search we can easily see that Google Talk runs on 4 servers and uses 4 ports.
1. Connect to the Cisco ASA and enter configure terminal mode.
2. Let's name our four Google Talk servers.

3. Then let's create a group for those servers.

4. And then a group for the ports we want to block.

5. To tie it all together we can simply add one ACL.

Note: This assumes you have an ACL called “outbound” that's applied to your outbound traffic. Yours may have a different name; to find out, issue a “show run access-group” command. Your outbound ACL will be the one applied “in interface inside”. If yours is called something different, change the command above accordingly. If you don’t have one at all, skip to step 6.

6. Only carry this step out if you DO NOT have an ACL applied to outbound traffic, and AFTER you have carried out step 5.
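As an added example (not the original post's screenshots), here are steps 2 through 6 in ASA 8.3+ object syntax. The server addresses are constructed placeholders from the documentation range and the port numbers are assumed values; substitute the four of each that your own lookup returns. On pre-8.3 code, step 2 uses `name <ip> <label>` instead of `object network`.

```cisco
! Step 2: name the four servers (placeholder addresses).
object network gtalk_srv1
 host 203.0.113.11
object network gtalk_srv2
 host 203.0.113.12
object network gtalk_srv3
 host 203.0.113.13
object network gtalk_srv4
 host 203.0.113.14
!
! Step 3: group the servers.
object-group network GoogleTalk_Servers
 network-object object gtalk_srv1
 network-object object gtalk_srv2
 network-object object gtalk_srv3
 network-object object gtalk_srv4
!
! Step 4: group the ports to block (assumed values).
object-group service GoogleTalk_Ports tcp
 port-object eq 5222
 port-object eq 5223
 port-object eq 443
 port-object eq 80
!
! Step 5: one deny line, inserted at line 1 so it is evaluated before any
! broad permit already present in the ACL named "outbound".
access-list outbound line 1 extended deny tcp any object-group GoogleTalk_Servers object-group GoogleTalk_Ports
!
! Check which ACL is actually applied on the inside interface; the
! expected line for this example is: access-group outbound in interface inside
show run access-group
!
! Step 6 (only if no ACL was applied yet): an applied ACL ends in an implicit
! deny, so add an explicit permit for everything else before applying it.
access-list outbound extended permit ip any any
access-group outbound in interface inside
```

Afterwards, `show access-list outbound` shows a hit counter on the deny line, which is the quickest way to confirm the block is actually matching traffic; a zero count after users have tried the service usually means the addresses or ports in the objects are stale.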

Categories: Networking