Monday, April 28, 2014

How to configure ASA SSL VPN + IP Phone

Hi Guys

I had the chance to configure a feature I have always wanted to try out but never got the chance: Cisco IP Phone VPN. This lets a phone build an SSL VPN tunnel back to its home CUCM when you take it out to a foreign network. It is designed so you can take a phone out to an exec's site or similar (of course, they will need PoE there).

Few things to note:

- Only certain phone models are supported, so keep that in mind. The full list is in the URL I will give below.

- You have to enable it BEFORE you take the phone out. The way it works is that when the phone registers to CUCM it downloads a config file that tells it where to find the VPN settings; the user does not just enter them himself.

- I was lazy and did it using a username and password which the user has to enter into the phone, but this sucks because: 1. the user has to enter an alphanumeric username/password on a phone keypad; 2. these users are pulled from your SSL VPN users and NOT your CUCM users, so you had best be syncing both from an LDAP source; and 3. it's one more step to worry about. So don't do in production what I am doing here in a lab environment: use certificates to authenticate. If there is enough demand I will do a blog on how to auth via cert.

- Works on both the ASA and SSL VPN on a router, as far as I can tell.


OK, so first of all, here is the great tutorial from Cisco. They are doing it on an ASA; we will be doing it on an ISR:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/115785-anyconnect-vpn-00.html

So the first thing is, of course, a working SSL VPN config. Mine looks something like this:

! AnyConnect package served to PC users; the phone brings its own built-in VPN client.
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.05160-k9.pkg sequence 1
!
! The gateway listens on the Dialer1 address, TCP 443. The certificate in this
! trustpoint is the one the phone validates, so it is the one that has to be
! uploaded to phone-VPN-trust on CUCM (self-signed is fine for the lab).
webvpn gateway SSLVPN
 ip interface Dialer1 port 443
 ssl trustpoint TP-self-signed-4216080960
 inservice
!
webvpn context SSL_gateway
 gateway SSLVPN
 ssl authenticate verify all
 inservice
 !
 policy group default
   functions svc-enabled
   svc address-pool "VPN" netmask 255.255.255.0
   svc keep-client-installed
   ! CUCM must fall inside the split-include networks or the phone will never reach it.
   svc split include 172.21.1.0 255.255.255.0
   svc split include 10.0.0.0 255.255.255.0
 default-group-policy default



This is not a tutorial on setting up SSL VPN; there are plenty of tutorials out there on the web for that, and just because we are using phones now, this piece does not really change. In fact, before you even begin to configure the SSL VPN on the actual phone, I recommend you test the SSL VPN as a normal user in Windows and check:

1. The username/password you intend to use for the phone is able to log in.
2. The SSL VPN actually works (the tunnel comes up and stays up).
3. You can ping the CUCM server once you're on the VPN, which also confirms CUCM is covered by your split-tunnel routes.

Once you're sure of all that, and you have tested thoroughly to ensure the SSL VPN is working fine, it's time to configure the phone.

Now the key to all of this is that you MUST provision the phone BEFORE you hand it to the user. If you give the user the phone before you configure all of these settings, it will be too late: the phone has to register on the corporate network and download this config at least once before you can take it to a remote location and have it register from there.

The second thing is that you MUST install your SSL VPN certificate into the trust store on CUCM, which we will cover.


Log in to CUCM and go to the OS Administration page, then Security -> Certificate Management. Click Upload Certificate, select "Phone-VPN-trust" from the dropdown as shown below and upload the certificate your SSL VPN gateway presents (in the router config above, that is the certificate in the gateway's ssl trustpoint). The easiest way to get a copy is to visit your SSL VPN in your web browser of choice and download the certificate that way. Keep in mind that the phone trusts exactly the certificate you upload here: if you renew or replace the gateway certificate later, you have to upload the new one and let the phones pick up the updated config on the corporate network before they go roaming again.
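Here is an added pre-flight script (mine, not from the original post or from Cisco) that covers the three-point checklist above together with the certificate step: it pulls the gateway certificate exactly as the phone will see it (the same PEM you upload to Phone-VPN-trust), prints its SHA-256 fingerprint so you can compare it with what CUCM shows after upload, warns if the gateway hostname is not in the certificate or if it expires soon, and pings CUCM once you are on the VPN. It assumes openssl is in PATH; the gateway name sslvpn.example.com, port 443 and the CUCM address 172.21.1.10 are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for IP phone SSL VPN.
# Assumptions (hypothetical values): openssl in PATH; gateway "sslvpn.example.com" on
# TCP 443; CUCM at 172.21.1.10 inside the split-include networks.

# Pull the server certificate the gateway presents on its SSL VPN port, as PEM.
fetch_gateway_cert() {    # $1=host  $2=port  $3=output PEM file
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# SHA-256 fingerprint of the PEM (colon-separated hex); compare it out of band
# with the certificate CUCM lists under Phone-VPN-trust after the upload.
cert_fingerprint() {      # $1=PEM file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 if the certificate is still valid $2 days from now. The phone trusts
# exactly the uploaded certificate, so an expiring or renewed gateway certificate
# means roaming phones stop registering until CUCM and the phones are updated.
cert_valid_for_days() {   # $1=PEM file  $2=days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Return 0 if the gateway hostname appears in the certificate (subject CN or SAN).
cert_matches_host() {     # $1=PEM file  $2=hostname
    openssl x509 -in "$1" -noout -text | grep -qiF -- "$2"
}

# Driver: run the checks against a live gateway, then confirm CUCM answers.
main() {                  # $1=gateway host  $2=port  $3=CUCM address
    pem=$(mktemp)
    fetch_gateway_cert "$1" "$2" "$pem" || { echo "could not fetch certificate from $1:$2"; rm -f "$pem"; return 1; }
    echo "gateway certificate SHA-256: $(cert_fingerprint "$pem")"
    cert_matches_host "$pem" "$1"   || echo "WARNING: $1 is not in the certificate subject/SAN"
    cert_valid_for_days "$pem" 30   || echo "WARNING: certificate expires within 30 days"
    # Checklist item 3: CUCM must be reachable once the VPN is up.
    if ping -c 3 "$3" >/dev/null 2>&1; then echo "CUCM $3 reachable"; else echo "CUCM $3 NOT reachable"; fi
    rm -f "$pem"
}

# Usage: sh phone_vpn_preflight.sh sslvpn.example.com 443 172.21.1.10
[ "$#" -lt 3 ] || main "$@"
```

Run it from a machine that is connected to the VPN the way a normal user would be; the fingerprint line is the value worth writing down, since that is what a phone will silently refuse to talk to if it ever changes.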



Once this is done, go back to the CUCM Administration page and go to Advanced Features -> VPN -> VPN Gateway. Here we can add a gateway, and if we have done everything right, the SSL certificate we uploaded previously should be listed in the dropdown.




For the URL, enter whatever URL your users use for their normal SSL VPN connection.

Next, configure the VPN Group under Advanced Features -> VPN -> VPN Group. This is relatively straightforward; here you could specify multiple SSL VPN gateways if you were lucky enough to have more than one.



The next stage is to specify the VPN Profile, which is done under Advanced Features -> VPN -> VPN Profile.


You can see this is also where we specify the authentication method. In my example I am using username/password since that is the easiest, but later we will do one with certificates.

OK, almost there! The last step is to associate this VPN Profile with a Common Phone Profile. A common phone profile groups together settings common to a particular set of devices. There is a default one, "Standard Common Phone Profile", which you could just edit so that EVERY phone gets the VPN configuration and therefore anyone could take their phone home if they wanted. That is what I elected to do here in the lab; in production you probably want a dedicated common phone profile for just the phones that are allowed to roam, rather than handing every phone your VPN gateway details. Common phone profile configuration is found under:

Device -> Device Settings -> Common Phone Profile


As you can see I have selected the VPN Profile and VPN Group at the bottom.

Once this is done, reset the phone. We can now do quite a bit to verify whether the VPN settings have actually taken effect. Below are some screenshots.

On a 79XX series phone, go to Settings -> Security Configuration and scroll down to VPN Configuration. There you can see a lot of information about whether the VPN profile has successfully been pushed to the phone.








Once we plugged this phone into an external network, I got the username/password prompt on first boot. After that was entered, the phone successfully registered!


I hope this helps someone out there.



Tuesday, April 15, 2014

Useful URL Filtering command

Hi Guys

Learnt something new today: there is an option to easily filter URLs with Cisco + Websense. You point the Cisco router at a Websense server, and the router asks Websense to decide which URLs are allowed and which are not!

http://etutorials.org/Networking/Router+firewall+security/Part+IV+Stateful+and+Advanced+Filtering+Technologies/Chapter+10.+Filtering+Web+and+Application+Traffic/URL+Filtering/

It does a better job of explaining than I can.
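As an added example (not from the post or from the linked chapter), here is what the router side of this looks like with the classic IOS firewall (CBAC) URL filtering feature that chapter covers. The Websense address, domain names and interface are placeholders; the allow-mode line is the setting to think about before deploying, because it decides whether filtering fails open or closed when Websense is down.

```ios
! Point the router at the Websense server (default port 15868). The router queries
! it for every HTTP request that CBAC inspects and enforces Websense's verdict.
ip urlfilter server vendor websense 10.0.0.50 timeout 5 retransmit 3
!
! What happens while Websense is unreachable:
!   allow-mode off (the default) fails CLOSED: HTTP requests are dropped until the server is back.
!   allow-mode on fails OPEN: all HTTP is permitted while the server is down.
ip urlfilter allow-mode off
!
! Local exceptions handled on the router without asking Websense. A permit here
! bypasses filtering entirely, so keep the list short and internal.
ip urlfilter exclusive-domain permit .intranet.example.com
ip urlfilter exclusive-domain deny .blocked.example
!
! Log decisions so you can see what is being blocked and why.
ip urlfilter audit-trail
ip urlfilter alert
!
! URL filtering only acts on HTTP that CBAC inspects, so tie it to an inspection
! rule and apply that rule inbound on the inside (client-facing) interface.
ip inspect name INSIDE_OUT http urlfilter
!
interface GigabitEthernet0/0
 description Inside LAN
 ip inspect INSIDE_OUT in
```

Leave allow-mode at its default unless you have consciously decided that losing the Websense server should let all web traffic through.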


Saturday, April 12, 2014

New Cisco 2700 Access Points

Hi Guys!

It's been ages since I have done a blog, but after finishing CCIE DC and moving myself to New Jersey, USA, I have been super busy.

Anyway, I found something I really wanted to blog about, which is the new Cisco 2700 access points. I love wireless; I find it super interesting.

The NSA Show (a great podcast that you should listen to) does a great job of going over the benefits of the new Cisco 2700 access point, which has First Customer Ship (FCS) in May.

Let's start with the basics.



The Cisco 2700 AP is Cisco's latest access point supporting 802.11ac. It is a 3x4 MIMO design with 3 spatial streams and very good receive sensitivity. It is available in external and internal antenna versions, as you would expect.

Obviously 802.11ac has its own advantages, but this new AP has several extra advantages over the 2600.

First of all, this AP does support Cisco CleanAir; all the same CleanAir functionality available in the Cisco 3700 AP is available in this device.

This AP also comes with two Ethernet ports, but NOT to meet speed requirements for 802.11ac because, as discussed by people much smarter than me, there is no need for more than a 1 Gig link from the AP: the physical data rate is 1.3 Gbps, but the actual throughput that can be pushed through 802.11ac is much less. The second Ethernet port is there so that devices such as printers can be easily bridged onto the wired network.

By far my favorite new feature of this AP is a single, unified software image. No more will you have to remember to order the correct image (autonomous, controller-based or mesh); instead you order one part, which comes as controller-based by default, and if you need to move it to autonomous you simply plug into the console port and issue a single command. I am sure that you could also change it to autonomous via the CLI once it had actually booted, if you wanted.

Cisco are offering a trade-in program: 12 percent of list price as credit for replacing existing Cisco access points (REGARDLESS of how old the access points are! Even 1140s, etc.) and 18 percent of list price as credit for replacing competitor access points.

All in all, this is the CHEAPEST 802.11ac access point with 3 spatial streams out there. Go out and buy, my friends!