Configuring RSPAN on Cisco Catalyst Switches

I recently wrote a post on configuring port mirroring (SPAN) on Cisco Catalyst switches.  SPAN (switched port analyzer) allows you to mirror traffic from a source or multiple sources on a switch to a destination interface or interfaces on the same switch.  RSPAN (remote SPAN) takes this a step further and allows you to mirror traffic to an interface on a remote switch or switches.

RSPAN

RSPAN configuration is relatively simple and builds upon existing SPAN functionality and configuration syntax.

• Create an RSPAN VLAN on the source switch, destination switch, and all switches in the transit path.
• Take traffic from a specified source on switch A, and mirror it to an RSPAN VLAN.  
• Then, on switch B, use traffic from this VLAN as the source and mirror it to a physical interface

As shown below, traffic mirrored from the switch on the right to the switch on the left can traverse other switches as long as there is end to end L2 connectivity between them (ie. the RSPAN VLAN exists on all switches).

Basic RSPAN configuration is as follows:

Configuring Port Mirroring (SPAN) on Cisco Catalyst Switches

So you have a network issue.  Or perhaps you don't, but you need to help find the root cause of a performance issue and conclusively show that it's not network related.  In either case, packet analysis is your friend.

At times, it can be convenient (and effective) to capture directly on an affected server or host.  However, you may not always be able to access the affected device.  Even you can, capturing from the affected device is not always the best option due to TCP segmentation offload, checksum offload, and a number of other factors.  (These are outside of the scope of this post, but Kary over at packetbomb.com has a ton of great content on packet analysis including why you shouldn't capture on a host.  See here.)

A network tap is the best solution when absolute precision is required.  However, this can be impractical and is often overkill.  This is where port mirroring comes into play.  Cisco gear provides a number of ways to mirror traffic from a specified source (or sources) and get frames from point A to point B for analysis. 

ASA Remote Access User Prevent SSH Access

When configuring a remote access VPN on an ASA, there are times when an external authentication server (RADIUS, TACACS+, etc) is not available.  In this case, the local AAA database can be used:

asa01(config)# username vpnuser password p@ssw0rd privilege 0
asa01(config)# username vpnuser attributes
asa01(config-username)# service-type remote-access
asa01(config-username)# exit
asa01(config)#

You might think that specifying privilege 0 and service-type remote access as shown above would be enough to prevent this user from logging in through SSH.  However, this may not be the case.  Let's look at the following example:

asa01# sh run user vpnuser
username vpnuser password jpCK6VfivhvBp0Pn encrypted privilege 0
username vpnuser attributes
 service-type remote-access
asa01# sh run aaa
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL
asa01#

With this configuration, it is still possible for "vpnuser" to log in through SSH:

vpnuser@asa01's password:
login as: vpnuser
vpnuser@asa01's password:
Type help or '?' for a list of available commands.
asa01>

This is possible because the above configuration only specifies AAA authentication, not authorization.  Therefore the local user account's password is checked against the local database, but no check is performed to determine whether or not this local user is authorized for EXEC shell access.  This behavior can be changed by enabling management authorization with the following command:

asa01(config)# aaa authorization exec LOCAL
asa01(config)#

Now if we attempt to log in with this same account, the login will fail:

login as: vpnuser
vpnuser@asa01's password:
Access denied
vpnuser@asa01's password:

The ASA configuration guide goes into more detail about this feature here:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#86134

HOWTO: Basic Cisco ASA AnyConnect VPN 8.2(5)

A while back I posted a how-to for configuring AnyConnect in ASA version 8.3+.  I recently received a request to post the 8.2(5) configuration, so here it is.  The example below uses split tunneling and local authentication.  For RADIUS authentication, see this post.

Before beginning, verify you have the AnyConnect essentials license (without this license, only two simultaneous sessions are permitted).

asa# sh ver | inc AnyConnect
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : 25             perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
asa#

HOWTO: Cisco ASA AnyConnect RADIUS Authentication with NPS

Following up on my previous AnyConnect how-to, this post shows how to configure a Cisco ASA to authenticate against a Windows Network Policy Server (NPS) using RADIUS.

First, configure a aaa-server group with the radius protocol.

asa01(config)# aaa-server RADIUS protocol radius
asa01(config-aaa-server-group)# exit
asa01(config)#

Next, specify your NPS server and pre-shared-key.

asa01(config)# aaa-server RADIUS (inside) host 10.24.12.2
asa01(config-aaa-server-host)# key pr3-shar3d-k3y
asa01(config-aaa-server-host)# exit
asa01(config)#

On your NPS server, launch NPS.

HOWTO: Basic Cisco ASA AnyConnect VPN 8.3+

This is a brief how-to style guide for configuring an AnyConnect remote access VPN on an ASA running version 8.3(1) or greater.  The example below uses split tunneling and local authentication.  RADIUS authentication will be covered in a future post. (update: see here)

Before beginning, verify you have the AnyConnect essentials license (without this license, only two simultaneous sessions are permitted).

asa# sh ver | inc AnyConnect
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : 25             perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
asa#

ASA pre-8.3 vs post-8.3 NAT explained

In ASA software version 8.3(1), Cisco completely restructured ASA NAT syntax.  Quite a bit has already been written about these changes. However, since this is often a cause of confusion, I will try to provide an explanation of three of the most commonly used forms of NAT on an ASA: dynamic PAT, static NAT, and "nonat."  Below you'll find pre-8.3 and post-8.3 configuration examples with translations into into plain English.  Please feel free to comment if you have any questions.

What is NAT?

I'll start with the basics.  NAT stands for network address translation.  It translates the real IP address of a device to the mapped IP and vice versa.

Real IP: the actual IP address of the device generating the traffic (on the inside interface in the examples below)
Mapped IP: the IP address the ASA translates the real IP address to (on the outside interface in the examples below).

NAT is most often used to translate private RFC 1918 IP addresses to publicly routable IP addresses (there are other less common uses as well).

For example:
A ping is sent from TestVM (192.168.10.2) to R1 (72.163.4.166).  In this example, R1 is on the internet, so the ASA cannot route the private address of 192.168.10.2 to R1.  It must NAT the packet.

We can see this happen in the Wireshark captures below:

ASA Hairpinning and TCP state bypass

So what is hairpinning, anyway?  Hairpinning is when traffic received on an interface is immediately routed back out the same interface.  If you visualize the packet flow, it looks something like a hairpin:

The command "same-security-traffic permit intra-interface" allows us to hairpin traffic on an ASA.  The most common use case is allowing remote access VPN traffic to traverse a site to site VPN tunnel as shown in the diagram above.

However, since we have the ability to hairpin VPN traffic, it seems safe to assume that we can hairpin other traffic as well.

Let’s look at the following scenario: