
Monday, December 7, 2015

Check Point MSVCR100.dll error



When installing Check Point SmartConsole on a 64-bit Windows system you may encounter the following error:


As the message indicates, this is related to MSVCR100.dll, the Microsoft Visual C++ 2010 runtime. SmartConsole is a 32-bit application and loads the 32-bit copy of that DLL, so the fix is to install the 32-bit (x86) Microsoft Visual C++ 2010 Redistributable Package instead of the 64-bit (x64) one, even though the operating system is 64-bit.

You can download the package from the following URL:

Wednesday, December 2, 2015

Cisco AnyConnect LDAP configuration




Device: Cisco ASA 5506X-SFR
Software version: 9.5(1)
ASDM version: 7.5(1)
Client version: AnyConnect 3.1.12020-k9

First, configure an LDAP server group under Remote Access VPN -> AAA/Local Users -> AAA Server Groups:


Then add the LDAP server itself beneath that group:


Next, configure an address pool under Remote Access VPN -> Network (Client) Access -> Address Assignment -> Address Pools:


Now configure a group policy under Remote Access VPN -> Network (Client) Access -> Group Policies:


You can leave all parameters set to Inherit, in which case all client traffic is tunneled through the ASA. To change that, go to Advanced -> Split Tunneling, uncheck Inherit next to Policy and choose Tunnel Network List Below, then uncheck Inherit next to Network List, click Manage, create a standard access-list containing the ASA's internal networks, and select that ACL as the Network List:


Now go to Remote Access VPN -> AnyConnect Connection Profiles and click Add to create a new connection profile: type a name, choose AAA as the authentication method and select the LDAP server group, then choose the client address pool and the default group policy created above:


Check SSL Enabled and IPsec Enabled for this profile and we are ready to connect.

Now let's add a DAP (Dynamic Access Policy) based on an LDAP attribute. Go to Remote Access VPN -> AAA/Local Users -> LDAP Attribute Map and click Add; in LDAP Attribute Name type memberOf (case sensitive) and under Cisco Attribute Name choose Group-Policy:


Click Mapping of Attribute Value and click Add; under LDAP Attribute Value type the distinguished name of the corresponding group (in my example a group called VPN-USERS):


The syntax is as follows: CN=VPN-USERS,OU=Groups,DC=lab,DC=local

In Cisco Attribute Value type the name of the group policy we just made, in my example RA-ANYCONNECT-GroupPolicy.

With this attribute map we have linked an attribute received from the LDAP server (the user's memberOf DN) to a parameter the ASA understands (the Group-Policy to assign). The DN must match exactly as returned by the directory, so check it against the output of the LDAP server rather than typing it from memory.

Now go back to Remote Access VPN -> AAA/Local Users -> AAA Server Groups, select the LDAP group, click Edit on the server listed under Servers in the Selected Group, and under LDAP Attribute Map choose the map we've just created:


Now we can start configuring DAP records based on user or group. Go to Remote Access VPN -> Network (Client) Access -> Dynamic Access Policies and click Add. Type in the policy name and set the priority (when several records match one session the ASA orders their ACLs by priority, highest first). Choose whether the session must match ANY, ALL or NONE of the listed attributes, then click Add to create an LDAP attribute criterion with ID memberOf and the value to match; here I use the group name VPN-USERS, but a username or any other LDAP attribute works the same way:


Then we can configure different settings for that particular user or group; here I choose Network ACL Filters (client) and set an ACL for the group:


DfltAccessPolicy is applied only when no other DAP record matches the session, so give it a Network ACL of deny ip any any. Remote users then get network access only if they match one of the explicit policies; anyone who authenticates but matches nothing is connected with no access.



Wednesday, November 25, 2015

Cisco ASA syslog through IPsec tunnel

In this scenario we have a Cisco ASA connected to a remote branch over an IPsec site-to-site tunnel, and we want to send all syslog messages to a syslog server at the branch through that tunnel.
Network diagram:


For this we have to use the management-access feature (not the dedicated Management interface), which is found under Device Management -> Management Access -> Management Interface:



This feature tells the ASA which interface may be used, across a VPN tunnel, for management traffic such as SNMP, syslog, ICMP replies, ASDM and SSH.

Without it, when you ping an ASA interface you get a reply only if you are on the network directly behind that same interface (and, of course, only if ICMP to the ASA is allowed under Device Management -> Management Access -> ICMP); the far side of a tunnel cannot reach the address of the interface facing the LAN.

So, back to the remote syslog configuration: first select the interface the ASA will use for management traffic; here I select the INTERNAL interface (as in the image above).

Then configure the syslog server as follows:


Note that I choose the INTERNAL interface rather than EXTERNAL, even though the route to the syslog server points out of EXTERNAL: the syslog packets are sourced from the INTERNAL address, which the site-to-site crypto ACL already covers, and so they enter the tunnel.

In CLI you may see the following message:

ASA-1(config)# logging host INTERNAL 10.2.0.100
WARNING:  configured logging host interface conflicts with route table entry

Just ignore it; this is a cosmetic issue tracked as bug CSCur60060.

Enabling management access on the INTERNAL interface also lets users at the remote branch (or remote-access VPN clients) reach the ASA on that interface's address with ASDM or SSH, subject to the http and ssh access lists.
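The CLI equivalent of the configuration above, as an added example that is not part of the original post. The INTERNAL interface name and the syslog server 10.2.0.100 come from the post; the local subnet 10.1.0.0/24, the branch subnet 10.2.0.0/24 and the crypto ACL name VPN-TO-BRANCH are assumptions made because the network diagram is not reproduced here.

```cisco
! Let syslog, SNMP, ICMP replies, ASDM and SSH use the INTERNAL address
! when the peer sits on the far side of the site-to-site tunnel.
management-access INTERNAL
!
! Syslog to the branch server, sourced from INTERNAL. Expect the cosmetic
! "configured logging host interface conflicts with route table entry"
! warning (bug CSCur60060) on the logging host line.
logging enable
logging timestamp
logging trap informational
logging host INTERNAL 10.2.0.100
!
! The site-to-site crypto ACL must match traffic from the ASA's own INTERNAL
! address to the syslog server. Here INTERNAL is assumed to be in 10.1.0.0/24,
! so the usual LAN-to-LAN entry already covers it; if it did not, the syslog
! packets would follow the route out of EXTERNAL unencrypted.
access-list VPN-TO-BRANCH extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! Allow the branch to ping, SSH and ASDM into the INTERNAL address over the tunnel.
icmp permit 10.2.0.0 255.255.255.0 INTERNAL
ssh 10.2.0.0 255.255.255.0 INTERNAL
http 10.2.0.0 255.255.255.0 INTERNAL
!
! If TCP syslog is preferred (reliable delivery, but the ASA blocks new
! connections while the server is down unless permit-hostdown is set):
! logging host INTERNAL 10.2.0.100 tcp/1470
! logging permit-hostdown
```

After applying it, generate a test message with `logging message 111008` left enabled and a config change, then confirm on the branch that the message arrives with a source address of the INTERNAL interface; `show crypto ipsec sa` on the ASA should show the encaps counter for the 10.1.0.0/24 -> 10.2.0.0/24 SA increasing as syslog is sent.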