Press "Enter" to skip to content

Category: Cisco

Allow incoming VPN Users Local LAN access + Internet on Cisco ASA

I wanted to try do something on my Cisco ASA to setup incoming IKEV/IPsec/L2TP VPN to allow access to the local LAN and also the internet connection which the ASA Uses. So when a client connects to the VPN, they can access the local lan, as well as the internet connection that sits off from the ASA.

In order to set this up, we have to have something like this going, all performed in enable configuration mode.

  1. Define your VPN Pool of addresses eg
    ip local pool VPNUsers 192.168.20.1-192.168.20.30 mask 255.255.255.224
  2. Relax the security rules between the interfaces a bit
    same-security-traffic permit intra-interface
  3. Create an object for example like VPN, then NAT the outside interface to the outside, this allows routing of internet from VPN to the ASA using the ASA’s ISP connection on outside
    object network VPN
       subnet 192.168.20.0 255.255.255.224
       nat (outside,outside) dynamic interface 
  4. Allow VPN Interface “Hairpin” on same interface and access to local LAN/Internet resources
    nat (outside,inside) source static VPN VPN
    
  5. Create a VPN Clients Out ACL, to allow the VPN Client subnet, access from its subnet to any IP address on the outside (in our case the local LANs or internet)
    access-list VPN_CLIENTS_OUT extended permit ip object VPN any
  6. Modify the group policy tunnel attributes attached to your tunnel. In my scenario below VPN Clients will use the Cloudflare DNS, utilise the correct ACL for access, allowed IKEV or L2TP protocols, all traffic will be tunneled and no split traffic permitted on client, and the IP address pool will be utilised from our VPNUsers pool

    group-policy yourtunnel attributes
      dns-server value 1.1.1.1 
      vpn-filter value VPN_CLIENTS_OUT
      vpn-tunnel-protocol ikev1 l2tp-ipsec 
      split-tunnel-policy tunnelall
      address-pools value VPNUsers
  7. Once the above is implemented, the VPN clients will have access to the Local LAN, and to the Internet connected to the ASA. The above configuration does not take into consideration the complete VPN Tunnel setup, this additional configuration assumes you already have an existing complete tunnel setup.

    This took me some time to get working, so I wanted to put some of my research on my blog incase anyone wishes to do the same, feedback welcome 🙂

1 Comment

Apple IOS 11 & Cisco Wireless – Fast Transition (FT)

I recently have purchased 2 x Cisco 3802 , and 2 x Cisco 1852 Access points to work with the Cisco 2504 WLC Controller. I really wanted to upgrade to AC wifi and take advantage of all that Cisco have to offer in the wireless world and put it through some tests and performance. Initially i found it great on Windows Laptops and Macbooks, however i had major issues with Apple IOS 11 and Apple TV. Connections would constantly drop and would not work as well. I was testing on the 5Ghz/80Mhz band, and i seriously thought there was an issue with this band, as switching things to 2.4Ghz/20Mhz seemed to work better.

I raised a Cisco TAC case to further investigate these issues and we found that:

1) Optimized Roaming was enabled for 802.11a and 802.11b. (On WLC: Wireless > Advanced > Optimized Roaming)
This caused many issues with the Apple TV and Iphones/Ipads, and disabling this fixed the Apple TV, but not fully the Iphones and Ipads.

Optimized Roaming Settings on WLC, remove the ticks

2) Fast Transition was enabled with Adaptive (On WLC: WLANS > “Your SSID” ID > Security > Layer 2 > Fast Transition)
Having Fast Transition enabled caused the significant issues with Iphones and Ipads with wireless connectivity and dropping. Once this was switched off we immediately noticed the performance improvement and roaming.

Set FT to Disable on WLC

Cisco advised that the IOS  11 is buggy when it comes to the implementation of Fast Transition as we went through many debugs. They advised I needed a Apple Enterprise Support contract for Apple to just look at it, which I couldnt afford, so I have left Fast Transition “off”. The enterprise contract is like $5995 USD, or $799 USD per incident, just a bit pricy!

I also asked if there was any benefits to Fast Transition being “on”, and they advised it was only beneficial if my wireless setup is 802.1X and this improves the roaming between AP’s and going through Radius etc. My scenario only had WPA2 Pre-Shared key, so i could leave the Fast Transition set to Off without any issues.

Cisco Apple best practice document found here, advises FT should be set to Adaptive and left on, however as we found IOS 11 has severe issues with their implementation of FT..

I queried Cisco whats going on here.. and why there is so many issues and differentiates from their document and their advise was:

FT will always be suggested on Apple enterprise environment. This can’t be removed from the document simply because new iOS on some devices are having buggy issues with it. This is something that need to be fixed on Apple side and Cisco has nothing to change on the code or document since we are following the IEEE standard that we expect Apple to also follow on their entire product line.
Unfortunately as shared before to engage Apple care , you need to have an “enterprise AppleCare support agreement” contract.
TAC can’t do anything from Cisco side for this case to move further unfortunately.

So for all of you reading and have Cisco Wireless setup, running IOS 11, and are noticing problems with Apple TV/Iphones/Ipads be warned what options are set on the WLC, and how it could affect the wireless experience.

For Apple reading, please look at your FT implementation with Cisco on IOS11, so its less buggy, especially on the 5Ghz bands.

Again, thanks for reading and any feedback welcome.

 

4 Comments

Cisco 897VA for NBN

The next successor to the Cisco 877 I believe is the Cisco 897VA model. This model takes in Ethernet WAN/ADSL/VDSL/SFP Fibre connections. It also has 8 x 1gb user port connections, and 4 ports are PoE capable.

It allows you to do a lot with the connectivity you require, especially when it comes to the Australian NBN multi-technology  mix. It will allow you to terminate your FTTP (Ethernet WAN port) and FTTN (VDSL2 port).

One thing I like about this router is the casing is not plastic like the Cisco 877 and it is metal instead, and it has a nice look and feel to it

Here are some photos of this model:

 

If you are looking for the latest software for this one to work on the NBN as well as Firmware here it is:

IOS:
c800-universalk9-mz.SPA.154-3.M8.bin (Release Date 31 July 2017)

Firmware:
VA_A_39t_B_35j_24m (Firmware)
fwrn-a2pv6c039t.pdf (Firmware Readme)
This firmware is used for Cisco CPEs and recommended for Australia’s National Broadband Network (NBN).

Hopefully this has given you a better insight of the new Cisco 897VA Model, and some nice software to operate it on the NBN or your own specific network.

As always welcome any feedback how this router performs for you 🙂

8 Comments