
Installing PKI – Certificate Authority (CA) on ASA


Before installing a CA certificate we must configure NTP. Every certificate carries a validity window (notBefore/notAfter), and the ASA checks it against its own clock: a firewall whose clock is still at the factory default will reject a perfectly good CA certificate as "not yet valid", and a drifting clock will make certificates expire early or late.

Go to Device Setup > System Time > NTP, click Add and enter the NTP server (there are plenty of guides on the Internet for building an NTP server, including on a Cisco router).

10.1.1.254 is my gateway router (and also my second CA server and my NTP server).

Then go to Clock, set the time zone and click "Update Displayed Time" to confirm the ASA has synchronized.

================================================

Installing a CA certificate on the ASA is easy.

Go to Configuration (it is reachable from Remote Access VPN, Site-to-Site VPN or Device Management, they all lead to the same page).

Go to Configuration > Certificate Management > CA Certificates > click Add.

My CA server's name is "CA"; on the ASA it shows up as "issued-by CN=CA".

There are 3 ways of inserting a CA certificate:

from a downloaded file, by pasting the PEM text, or through SCEP (Simple Certificate Enrollment Protocol).

Under More Options we can disable revocation checking (leave "Do not check certificates for revocation" selected). That is fine for a lab, but in production keep CRL or OCSP checking on: with revocation checking off, a certificate that the CA has revoked (a stolen VPN client key, a decommissioned peer) is still trusted until it expires.

======================================

Inserting the CA certificate:

  • 1st way: download the certificate from the CA and upload the file.

  • 2nd way: copy and paste the whole Base64 (PEM) block of the certificate.

  • 3rd way: use SCEP (Simple Certificate Enrollment Protocol), in which the ASA fetches the CA certificate from the enrollment URL itself.

    10.1.1.4 is the CA server (a PKI server running Windows Server 2008).

Whichever way the certificate arrives, compare its fingerprint with the one shown on the CA itself before accepting it; SCEP in particular fetches it over plain HTTP, so the fingerprint is the only thing proving you are trusting the right CA. Then we're ready.

===================================

The question is: how do we create the CA server?

There are 3 ways of doing this:

  1. Using a server appliance as CA server (Windows Server)
  2. Using the ASA as CA server
  3. Using a router as CA server

*************

  1. Windows Server

link

  2. Make the ASA the CA server

Easy: go to Certificate Management (the same page as for adding CA certificates), then Local Certificate Authority > CA Server.

Set the passphrase (the password protecting the CA key) and the other options (key size, lifetime, enrollment URL). Use at least a 2048-bit key; the passphrase is what stands between a copied configuration backup and a usable CA private key, so treat it like a root password.

  3. Make the router the CA server

Reminder: configure NTP first! (In this case my router is the NTP server; turn that on with "ntp master".)

  • 1st step: create the RSA key pair with the label "CA" and make it exportable. (RSA is the only option here; AES is a symmetric cipher and is used later only to protect the exported key file.)

The key size also affects SSH on the router: with a 512-bit RSA key only SSH version 1 is supported; with 768 bits or more the router reports SSH version 1.99, meaning it accepts both version 1 and version 2 clients. SSHv1 is broken and 512-bit RSA is trivially factorable today, so use 2048 bits and restrict the router to "ip ssh version 2".

  • 2nd step: export the key pair in PEM format and store it in NVRAM, encrypted with 3DES under the passphrase "cisco123" (a lab value; pick a real one).

  • 3rd step: don't forget to enable the HTTP server on the router, because the ASA retrieves the CA certificate and enrolls through SCEP, which runs over HTTP on port 80. Limit who can reach it with "ip http access-class".

  • 4th step: now create the PKI server (CA server):
    • name the server "CA" with the database pointing to nvram (same place as the key)
    • set the database level to minimum, which stores only the information required to issue certificates
    • set the issuer name using the Common Name (CN) "CA"
    • set the lifetime of the CA certificate to 1 year (365 days)

  • 5th step: finally, bring it up with the no shutdown command.

When you do, IOS asks for the password that protects the CA's private key; type it and keep it somewhere safe, because the CA cannot be restarted without it.
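Here is the complete exchange between the two boxes described above (the NTP setup, the router CA server steps and the SCEP enrollment from the ASA), as an added example, not configuration taken from the post. The router address 10.1.1.254, the label "CA", nvram:, the 365-day lifetime and the passphrase "cisco123" come from the post; the time zone, the 2048-bit modulus, the 180-day identity-certificate lifetime, the key label ASA-KEY and the subject name asa.lab.local are my assumptions.

```cisco
! ===== Router 10.1.1.254: time source and IOS CA server =====
! (time zone is an assumption; "ntp master 3" makes this router the NTP source)
clock timezone WIB 7
ntp master 3
!
! Step 1: exportable RSA key pair labelled CA (the CA signing key).
! 2048 bits; a modulus below 768 bits would also disable SSHv2 on the router.
crypto key generate rsa general-keys label CA exportable modulus 2048
!
! Step 2: back the key pair up to NVRAM as PEM, 3DES-wrapped under a passphrase
! (lab passphrase from the post; use a strong one and keep the file off the box).
crypto key export rsa CA pem url nvram: 3des cisco123
!
! Step 3: SCEP is served by the IOS HTTP server on TCP/80.
! Restrict it to the management network (ACL 10 is an assumption).
access-list 10 permit 10.1.1.0 0.0.0.255
ip http server
ip http access-class 10
!
! Step 4: the CA itself (database, minimum stored info, issuer CN=CA, 1-year CA cert).
crypto pki server CA
 database url nvram:
 database level minimum
 issuer-name CN=CA
 lifetime ca-certificate 365
 lifetime certificate 180
 no shutdown
! "no shutdown" prompts for the password protecting the CA key.
! Requests from clients stay pending until an operator grants them:
!   crypto pki server CA info requests
!   crypto pki server CA grant all
! ("grant auto" inside the server block issues to anyone who can reach
!  port 80, so it is a lab-only shortcut.)

! ===== ASA: clock first, then trust the CA, then enroll over SCEP =====
clock timezone WIB 7
ntp server 10.1.1.254
!
crypto key generate rsa label ASA-KEY modulus 2048
crypto ca trustpoint CA
 enrollment url http://10.1.1.254:80
 subject-name CN=asa.lab.local
 keypair ASA-KEY
 ! Weak setting from the post, acceptable only in the lab:
 revocation-check none
 ! Production setting: fail closed on revocation status instead.
 ! revocation-check crl
!
! Fetch the CA certificate over SCEP; the ASA prints its fingerprint and asks
! for confirmation. Compare it with "show crypto pki certificates" on the router
! before answering yes, since the transfer itself is unauthenticated HTTP.
crypto ca authenticate CA
! Request the ASA's own identity certificate (approve it on the router afterwards).
crypto ca enroll CA
```

After enrollment, "show crypto ca certificates" on the ASA should list both the CA certificate (issued by CN=CA) and the identity certificate it just received; the same trustpoint is what the VPN configuration later binds to the outside interface.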

Clientless VPN Configuration on Cisco ASDM

A clientless VPN is a VPN offered to people outside our network (the Outside interface), needing nothing more than a device with Internet access and a web browser. That way we give our employees (who are out of the office) access to our network resources at

Now how do we do that? Let's jump in (I'm starting to sound like Keith Barker).

  • First: create a Group Policy for the users.
    • This is where we define what may and may not be accessed (the ASA's ACL), from HTTP and CIFS to FTP.

      *CIFS = Common Internet File System (the native Windows file-sharing protocol, the SMB dialect introduced with Windows 2000)

  • Second: create a Connection Profile.
    • We attach the group policy we created to a set of rules (for example: from which interface and URL this VPN may be reached).
  • Third: create users and assign them to a Group Policy and a Connection Profile (so user A, for example, may only reach certain websites, but can connect in several ways).

Here is the topology.

You could just use the wizard, but I want to go through the details.

Create a Group Policy for the users

As usual, open ASDM (installing it is covered in my earlier post) and go to Configuration > Remote Access VPN > Group Policies > Add.

Give it a name, then a banner (like the "banner motd" we usually configure).

"I want users who log in to be denied this website but allowed that one": uncheck Inherit next to Web ACL, then click Manage > Add > Add ACL.

I chose IPv4 Only (choose whichever you like), gave it a name and clicked OK.

Once that is done, click Add ACE (Access Control Entry).

Here we can specify that users of VPN XXX may not reach the web servers 192.168.1.1 and 192.168.1.2 (see, there's a Regular Expression option there... REGEX again?!? REGEX everywhere). Note that a webtype ACL matches the URL the portal is asked to fetch, not IP packets, and ends in an implicit deny: if all you add are deny entries, nothing is reachable, so finish with a permit entry for what the user should see.

Then we can make it a time-based ACL, so the entry is permitted or blocked only between given times.

After creating it, select the ACL we just built as the Web ACL option.

(Optional) "I want users of VPN XXX to be shown a list of the websites they may open": that is what bookmarks are for.

Uncheck Inherit next to Bookmark List, click Manage.

Click Add and fill in the entries yourself.

Notice that I created 2 bookmarks, 192.168.1.1 and 192.168.1.3 (we will see what happens to the 192.168.1.1 one later, during the verification test).

Go to Portal (on the same page), uncheck Inherit, then click Enable to enable the bookmark URLs.

When finished, don't forget Apply & Save.

Next: the Connection Profile

Add one Connection Profile (don't reuse the default one: DefaultWEBVPNGroup is the last resort the ASA falls back to when no other profile matches the connection).

Name and Alias are really the same thing: "Name" is what we see in ASDM, while "Alias" is the connection name the user sees (so users connect to the VPN as XXX-Alias).

DNS is optional (I just filled in something random, because otherwise it complains... complains about what? Check it yourself haha).

After the basic configuration, don't forget to click Clientless SSL VPN.

Under Group URLs we can set the URL at which users connect to our network through the browser (we have to type this exact address to reach this profile via the browser).

Then, so that users from the Outside network can reach the Clientless SSL VPN, we must check "Allow Access" for the interface labeled Outside.

And check "Allow user to select connection profile" so they can choose which profile to log in to. (Leaving this off hides the profile list from whoever finds the portal, which is the better choice if only one profile exists.)

Create the VPN user

Go to Remote Access VPN > AAA/Local Users > Local Users > Add.

Don't forget to select "No ASDM, SSH, Telnet or Console access" for this user: a VPN portal account must never double as a management account for the firewall.

Then go to its VPN Policy.

Uncheck Inherit for Group Policy and Connection Profile and replace them with the ones we just created, so this user is locked to that policy and that profile.
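The same three steps as the ASA CLI they generate, as an added example rather than configuration taken from the post. The blocked hosts 192.168.1.1 and 192.168.1.2, the profile name XXX, the alias XXX-Alias, the /xxx group URL, the banner and the "outside" interface come from the post; the outside address 203.0.113.1, the ACL, time-range, policy and user names and the working-hours window are my assumptions. Keywords are ASA 8.4-era (on 8.2 the tunnel protocol keyword is "webvpn" rather than "ssl-clientless").

```cisco
! ----- Step 1: group policy (what the user may reach) -----
! Webtype ACL: URL matches, implicit deny at the end, so the final
! "permit url any" is what keeps 192.168.1.3 (and the bookmark) reachable.
time-range WORK-HOURS
 periodic weekdays 08:00 to 18:00
access-list CLIENTLESS-WEB webtype deny url http://192.168.1.1/* log
access-list CLIENTLESS-WEB webtype deny url http://192.168.1.2/* log
access-list CLIENTLESS-WEB webtype permit url any time-range WORK-HOURS
!
group-policy CLIENTLESS-POL internal
group-policy CLIENTLESS-POL attributes
 banner value Welcome to XXX Network
 vpn-tunnel-protocol ssl-clientless
 webvpn
  filter value CLIENTLESS-WEB
  ! Bookmarks are built in ASDM (Manage > Add) and stored as an imported
  ! url-list XML; once it exists, attach it here:
  ! url-list value BOOKMARKS

! ----- Step 2: connection profile (how and from where the user connects) -----
! Portal on the outside interface; tunnel-group-list is the
! "Allow user to select connection profile" drop-down.
webvpn
 enable outside
 tunnel-group-list enable
!
tunnel-group XXX type remote-access
tunnel-group XXX general-attributes
 default-group-policy CLIENTLESS-POL
tunnel-group XXX webvpn-attributes
 group-alias XXX-Alias enable
 group-url https://203.0.113.1/xxx enable

! ----- Step 3: local user, portal-only, pinned to this policy and profile -----
! service-type remote-access == "No ASDM, SSH, Telnet or Console access".
! group-lock rejects the login if the user picks any other profile.
username vpnuser password <strong-password-here>
username vpnuser attributes
 service-type remote-access
 vpn-group-policy CLIENTLESS-POL
 group-lock value XXX
```

"show webvpn group-alias" and "show run tunnel-group XXX" confirm the alias and URL are active, and "show vpn-sessiondb webvpn" lists the logged-in portal users, which is the CLI view of the monitoring page discussed at the end of the post.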

LET'S TEST IT

First way: open a web browser and type https://[outside IP of the ASA]; the page will look like the one below.

If we don't check "allow user to select connection profile", that Group drop-down box isn't there.

Second way: type the full URL directly, "https://[ip]/xxx".

There it is: "welcome to XXX Network". Feels like logging in to an adult site, HAHAHA.

Once logged in, the page shows the websites we pre-defined, that is, bookmarked, for the client.

Look: because of the Web ACL, the top one (whose page title is "bla bla bla") can't be opened; the one that works is website "ABC".

====================================
Monitoring VPN

Go to Monitoring > VPN Statistics > Sessions > filter by Clientless SSL VPN.

There, someone is using our VPN. Clicking Logout terminates that session and the user is no longer connected to our VPN.

LET'S KICK THAT RASCAL OUT, WATCHING WITHOUT PAYING *oops*!!!

================================

That's all for now...
