Teo En Ming's Guide to Configuring SSL VPN for Cisco ASA 5506-X Firepower Firewall with Let’s Encrypt SSL Certificates, LDAP/Active Directory Primary Authentication and Duo 2FA Secondary Authentication

From: Turritopsis Dohrnii Teo En Ming
Date: Mon Aug 03 2020 - 06:35:00 EST

Subject: Teo En Ming's Guide to Configuring SSL VPN for Cisco ASA 5506-X Firepower Firewall with Let’s Encrypt SSL Certificates, LDAP/Active Directory Primary Authentication and Duo 2FA Secondary Authentication

Author: Mr. Turritopsis Dohrnii Teo En Ming (Targeted Individual)
Country: Singapore
Date Published: 3rd August 2020 Monday Singapore Time
Type of Publication: Plain Text

INTRODUCTION
============

Cisco ASA firewall appliances use open source software.

Cisco Adaptive Security Appliance Software, version 9.8
Copyright (c) 1996-2019 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource

The basic configuration of the Cisco ASA 5506-X Firepower firewall was completed by a previous IT consultant previously (date unknown), so I shall not cover it here. I will cover configuration of the Cisco ASA 5506-X Firepower firewall from Phase 1 onwards, as described below.

The Cisco ASA 5506-X Firepower firewall costs about SGD$1000 in Singapore, with refurbished units costing around SGD$500.

PHASE 1: Basic Configuration of SSL VPN on Cisco ASA 5506-X Firepower Firewall
==============================================================================

Reference Guide: Cisco ASA Anyconnect Remote Access VPN
Link: https://networklessons.com/cisco/asa-firewall/cisco-asa-anyconnect-remote-access-vpn

Cisco ASA firewall CLI commands:

enable

config t

You can download Cisco AnyConnect Secure Mobility Client version 3.1.03103 at the following link.

http://www.firewall.cx/downloads/doc_details/98-anyconnect-secure-mobility-client-win-mac-linux.html?tmpl=component

Install Filezilla FTP server on the Active Directory Domain Controller.

Create ftp username “anonymous” with empty password.

copy ftp://anonymous@<IP address of FTP server>/ anyconnect-win-3.1.03103-k9.pkg

delete flash:filename.pkg

config t

webvpn

anyconnect image flash:/anyconnect-win-3.1.03103-k9.pkg

enable outside

anyconnect enable

sysopt connection permit-vpn

http redirect OUTSIDE 80

ip local pool VPN_POOL 192.168.168.100-192.168.168.200 mask 255.255.255.0

192.168.168.0 is the VPN Pool.

access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

192.168.1.0 is the inside network behind the Cisco ASA firewall.

group-policy ANYCONNECT_POLICY internal

group-policy ANYCONNECT_POLICY attributes

vpn-tunnel-protocol ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLIT_TUNNEL

dns-server value 8.8.8.8

webvpn

anyconnect keep-installer installed

anyconnect ask none default anyconnect

anyconnect dpd-interval client 30

exit

tunnel-group MY_TUNNEL type remote-access

tunnel-group MY_TUNNEL general-attributes

default-group-policy ANYCONNECT_POLICY

address-pool VPN_POOL

exit

tunnel-group MY_TUNNEL webvpn-attributes

group-alias TEO_EN_MING_CORPORATION_SSL_VPN_USERS enable

username teo-en-ming password password

username teo-en-ming attributes

service-type remote-access

copy run start

PHASE 2: Installing 90-day Free Let's Encrypt SSL Certificate on Cisco ASA 5506-X Firepower Firewall SSL VPN
============================================================================================================

show flash

Check for asdm-xxx.bin

Go to https://<IP address of Cisco ASA 5506-X firewall>

Install Java Web Start

Install ASDM Launcher

On the Cisco ASDM:

Device IP address / Name: <private IP address of Cisco ASA 5506-X firewall>
Username: <empty>
Password: cisco <default password>

Follow the rest of the instructions at the following link.

Reference Guide: INSTALLING A FREE CERTIFICATE ON A CISCO ASA FIREWALL FOR ANYCONNECT
Link: https://www.ipconfigz.com/installing-a-free-certificate-on-a-cisco-asa-firewall-for-anyconnect/

copy run start

config t

pager 0

show run

PHASE 3: Configure LDAP/Active Directory Primary Authentication for Cisco ASA 5506-X SSL VPN
============================================================================================

Reference Guide: Configure LDAP Authentication for WebVPN Users
Link: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html

dsquery user -samid administrator
"CN=Administrator,CN=Users,DC=teo-en-ming-corp,DC=com"

enable

configure terminal

aaa-server LDAP_SRV_GRP protocol ldap

aaa-server LDAP_SRV_GRP (inside_1) host <private IP address of AD DC server>

ldap-base-dn dc=teo-en-ming-corp,dc=com

ldap-login-dn cn=ldapadmin,cn=users,dc=teo-en-ming-corp,dc=com

ldap-login-password password

ldap-naming-attribute sAMAccountName

ldap-scope subtree

server-type microsoft

exit

tunnel-group MY_TUNNEL general-att

authentication-server-group LDAP_SRV_GRP

Testing LDAP Authentication in Phase 3
======================================

debug ldap 255

test aaa-server authentication LDAP_SRV_GRP host <IP address of AD DC server> username administrator password password

Troubleshooting for Phase 3
============================

[1] Troubleshooting LDAP Connections to Active Directory Using Apache Directory Studio
Link: https://www.jamf.com/jamf-nation/articles/224/troubleshooting-ldap-connections-to-active-directory-using-apache-directory-studio

[2] Cisco – LDAP AAA Error ‘AAA Server has been removed”
Link: https://www.petenetlive.com/KB/Article/0001271

[3] ASA 9.8, Bridge groups, and LDAP authentication
Link: https://www.reddit.com/r/Cisco/comments/80qezi/asa_98_bridge_groups_and_ldap_authentication/

In this discussion, a Cisco ASA software bug has been found which prevents the Cisco ASA firewall from communicating with the LDAP server/Active Directory Domain Controller. To resolve this issue, a firmware upgrade is required.


PHASE 4: How to Install Duo 2FA Secondary Authentication for Cisco ASA 5506-X SSL VPN
=====================================================================================

Follow the Duo Authentication setup instructions at the following link.

Reference Guide: Cisco ASA SSL VPN for Browser and AnyConnect
Link: https://duo.com/docs/ciscoasa-ldap

Then follow the guide below.

Reference Guide: CISCO ASA Enable DNS Lookup Problem
Link: https://community.cisco.com/t5/network-security/cisco-asa-enable-dns-lookup-problem/td-p/1764736

conf t

dns domain-lookup Outside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

exit

Phase 5: Upgrade Firmware and ASDM of Cisco ASA 5506-X Firepower Firewall
=========================================================================

copy run start

Follow the rest of the instructions at the following link.

Reference Guide: ASA 9.x : Upgrade a Software Image using ASDM or CLI Configuration Example
Link: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/200142-ASA-9-x-Upgrade-a-Software-Image-using.html

Phase 6: Configure NAT Exemption on the Cisco ASA 5506-X Firewall
=================================================================

Why do we need to configure NAT exemption on the Cisco ASA 5506-X Firepower firewall? Because otherwise, the Cisco AnyConnect Secure Mobility Client cannot access the remote LAN
behind the Cisco ASA firewall.

access-list NAT-EXEMPT extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0

object network obj-vpn_ip_address_pool

subnet 192.168.168.0 255.255.255.0

nat (inside_1,outside) source static any any destination static obj-vpn_ip_address_pool obj-vpn_ip_address_pool

no access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

MUST READ ARTICLES FOR PHASE 6
==============================

[1] Quick guide: AnyConnect Client VPN on Cisco ASA 5505
Link: https://www.techrepublic.com/blog/smb-technologist/quick-guide-anyconnect-client-vpn-on-cisco-asa-5505/

QUOTE:

"Do not use the same subnet as your inside network. So, if you're using 192.168.100.0/24 for the inside, use 192.168.104.0/24 for your VPN pool."

[2] How to configure NAT Exemption in version 8.3 for VPN in Cisco ASA?
Link: http://networkqna.com/how-to-configure-nat-exemption-in-version-8-3-for-vpn-in-cisco-asa/

Phase 7: Configuring Dynamic DNS (DDNS)
=======================================

The Cisco ASA 5506-X Firepower Firewall does not support Dynamic DNS update using the HTTP POST method. The Cisco ASA only supports DDNS update using the Internet Engineering Task Force (IETF) method.

Since the Cisco ASA does not support the HTTP Post method, it CANNOT work with NO-IP and DynDNS DDNS service providers.

The following are the results of my research on the Internet:

[01] With its sole reliance on the IETF method, websites such as DynDns.org cannot be updated using the ASA, however support has been added for HTTPS using port 443.

Link: https://www.globalknowledge.com/ca-en/resources/resource-library/articles/implementing-dynamic-dns-on-cisco-ios-router-and-asa/

[02] If you're asking if you can get the ASA5505 to "register" with dyndns, the answer is no. Howeve, it appears that someone got a feature request added, though, under Cisco BugID CSCsl46782 . (If you don't have a Cisco service contract, you can't view the details). However, it looks like it has an extremely low priority and I wouldn't expect it to be added anytime soon.

Link: https://serverfault.com/questions/272825/dyndns-updating-ip-address-via-cisco-asa-5505

PROPOSED WORKAROUND SOLUTION FOR PHASE 7
========================================

I would propose installing Dynamic DNS updater client software on AD DC server or any of your office computers which are permanently powered on.

ACTUAL SOLUTION FOR PHASE 7
===========================

Sign up for free No-IP account.

Create hostname teo-en-ming-corp.ddns.net, and point it to public IP address of the Cisco ASA firewall.

Install no-ip dynamic update client (duc) in any 24x7 computer behind the Cisco ASA firewall.

Create DNS CNAME record sslvpn.teo-en-ming-corp.com and point it to teo-en-ming-corp.ddns.net

Phase 8: Synchronizing Users from Active Directory to Duo
=========================================================

Follow the setup instructions at the following link.

Reference Guide: Synchronizing Users from Active Directory
Link: https://duo.com/docs/adsync

dsquery user -samid teoenming
"CN=Turritopsis Dohrnii Teo En Ming,OU=Users,OU=Singapore,DC=teo-en-ming-corp,DC=com"

Phase 9: Enrolling Users at Duo
===============================

Reference Guide: Enrolling Users at Duo
Link: https://duo.com/docs/enrolling-users

Duo Admin Panel Login
Link: https://admin.duosecurity.com/

Phase 9 is the final phase.

===EOF===







-----BEGIN EMAIL SIGNATURE-----

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of
U.S. Embassy Workers

Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html

********************************************************************************************

Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic
Qualifications as at 14 Feb 2019 and refugee seeking attempts at the United Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan (5 Aug 2019) and Australia (25 Dec 2019 to 9 Jan 2020):

[1] https://tdtemcerts.wordpress.com/

[2] https://tdtemcerts.blogspot.sg/

[3] https://www.scribd.com/user/270125049/Teo-En-Ming

-----END EMAIL SIGNATURE-----