How to install a GoDaddy SSL certificate on a Cisco ASA firewall

The first step in getting an SSL certificate for your Cisco ASA is to generate a certificate signing request (CSR).
1.  Open ASDM > Configuration > Device Management
2.  Certificate Management > Identity Certificates > Add
3.  Add a New Identity Certificate > New
4.  Click the “Enter new key pair name” radio button.  Enter the FQDN of your firewall (VPN.MyDomain.com)
5.  Change the key size to 2048 bits
6.  Click Generate Now.
7.  On the next screen choose the following attributes, fill in the values and then click Add.
CN = FQDN of your firewall (vpn.MyDomain.com)
OU = Department of your business responsible for the certificate (IT)
O = Legal name of your organization
C = Two-letter country code (US)
ST = State abbreviation (AZ)
L = City (Scottsdale)
8.  Click OK once these are all added
9.  Click Advanced
10.  In the FQDN field type your FQDN again (Vpn.MyDomain.com), so the name is also carried in the certificate as a Subject Alternative Name
11.  Click OK and then Add Certificate.
12.  You will be prompted to save the CSR to your PC, which you should do.
13.  Log in to your GoDaddy account and paste in all the text from the CSR.
14.  Once you submit your CSR you can download the certificate to your PC in .crt format.
15.  Go back to ASDM Certificate Management > Identity Certificates.  Select your previously generated CSR and click the Install button.  Browse to the .crt file you were provided by GoDaddy.
16.  Now that the certificate is installed you must tell the ASA to use it for SSL.  To do this, under Device Management browse to Advanced > SSL Settings.
17.  Select the interface your VPN clients connect to and click Edit.  Now select your new certificate.

Congrats, you should now be able to browse to your external web interface and see that it is a trusted site!

Cisco ASDM will not launch with version 7.x

If you have the latest version of Java 7 and you’re using ASDM 7.x it will not work.  You must uninstall Java and downgrade to version 6, found here: http://www.oldapps.com/java.php

When connecting with the Cisco IPsec VPN client through a 3G or 4G card you are unable to ping your remote network

If you are experiencing this issue it is a simple fix: you just need to download the DNE fix.
 
http://www.citrix.com/go/lp/dne.html

Cisco IPsec VPN Client for Windows 8 error: VPN Client failed to enable virtual adapter

If you download the latest version (5.0.07.0440 as of this writing) of the IPsec VPN client for the Cisco ASA you may notice this error when trying to connect from Windows 8. To get around it and make the client work you must modify your registry. It is a very simple tweak. Open regedit and browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA. Once there, look on the right-hand side for DisplayName. You will see its current value is something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows”. Simply change this to “Cisco Systems VPN Adapter for 64-bit Windows”. Once this is finished close regedit, reboot your PC and voila, your VPN will now work!

Cisco ASA 8.3 and above: how to NAT a port range

! Real (inside) address of the server
object network obj-Server1
 host 192.168.1.5
! The TCP destination port range to forward
object service MyRange
 service tcp destination range 50 100
! Twice NAT: traffic from the outside to the outside interface address on ports 50-100 is sent to the server on the same ports
nat (outside,inside) source static any any destination static interface obj-Server1 service MyRange MyRange
! From 8.3 on, interface ACLs reference the real (untranslated) address
access-list outside_access_in extended permit tcp any host 192.168.1.5 range 50 100
access-group outside_access_in in interface outside

Setting up a Cisco secure IPsec tunnel on an iPad

Settings > General > Network

VPN

Add VPN Configuration

IPSec:
Description: CompanyVPN
Server: vpn.company.com
Account: your domain username
Password: your domain password
Group Name: the IPsec group name
Secret: the IPsec pre-shared key

Slide VPN to On and you should be connected.

NAT rule change after 8.3 upgrade breaks VPN

Pre-8.3 NAT exemption statement (the <...> values are placeholders for your own networks)
access-list nonat extended permit ip <inside-network> <mask> <vpn-pool-network> <mask>
nat (inside) 0 access-list nonat
Post-8.3 NAT statement
object network vpnpool
 subnet <vpn-pool-network> <mask>
exit
nat (inside,outside) source static any any destination static vpnpool vpnpool
This NAT rule says to keep the source address unchanged for anything coming from the inside interface and going to the range designated by the vpnpool object, while also keeping the destination address the same (an identity NAT, the 8.3+ equivalent of the old NAT exemption).
Seems like a strange way of going about this, but this is all I have come across so far. If anyone has a better way, please leave a comment.

What is IPv6?

IPv6 is the successor to IPv4.  IPv4 and IPv6 are the Internet protocols that all networks use to communicate.  IPv4 is still dominant on the Internet today.  The reason for IPv6 is simple: the world is running out of IPv4 addresses, so IPv6 was created in 1998 to provide more public IP addresses.  IPv4 gives you about 4 billion addresses.  To put this in perspective, a single IPv6 subnet alone holds 2 to the 64th power addresses, the square of the entire IPv4 Internet.  To put it further in perspective, IPv6 gives you about 340 trillion trillion trillion unique addresses.
IPv6 uses 128-bit addresses where IPv4 only uses 32-bit addresses.  This greatly increases the number of IPs available and eliminates the need for NAT (network address translation).  NAT is where you assign different ports on your firewall to the same external IP and the firewall then routes each one to a different host inside your network.
IPv6 clients can autoconfigure themselves when they are connected to an IPv6 network using Stateless Address Autoconfiguration.  They accomplish this through ICMPv6 router discovery messages.  When you first plug into an IPv6 network your host sends a link-local multicast router solicitation, which is basically a request for its configuration.  Routers then send a router advertisement packet that contains the network-layer settings.  If you don’t wish to use Stateless Address Autoconfiguration there are two other options: DHCPv6, or configuring your address statically.
Security has also changed in IPv6.  Where IPsec was an option in IPv4, in IPv6 it is mandatory.
In addition to the other changes, Mobile IPv6 (MIPv6) does not have triangular routing issues.  Therefore in theory you could move an entire subnet without any renumbering.  Your routers, however, would have to support NEMO (Network Mobility).  Since neither NEMO nor MIPv6 is widely deployed, this is not common.
IPv6 addresses are written as follows: 112:ec9:97b4::9b3f:481:8445.  IPv6 addresses are typically broken down into two logical parts: 64 bits for the subnet and 64 bits for the host part of the address.  Broadcast addresses no longer exist in IPv6; you now have three different types of addresses: unicast, anycast and multicast.  A unicast address uniquely identifies a single host.  An anycast address is shared by a group of hosts, typically located in different physical locations, so that traffic flows to the closest one.  Multicast has not changed: it allows you to deliver a packet to multiple hosts.
As far as DNS goes, you may be familiar with A records, a name that points to an IPv4 address.  With IPv6 you have an AAAA record, which points to the host’s IPv6 address.
Dual IP stack implementations are in place in most modern operating systems.  This is a transitional way of running IPv4 and IPv6 concurrently, so that programmers can write applications that accept connections on either the IPv4 or the IPv6 interface.  Something else you will run into are hybrid dual-stack IPv6/IPv4 addresses.  These are special addresses where the first 80 bits are set to 0, the next 16 are set to 1 and the last 32 bits are your IPv4 address.  An example of a hybrid dual-stack address is ::ffff:192.168.1.1; you can see it looks like an IPv4 address with the ::ffff: prefix.
Tunneling is a popular method of encapsulating IPv6 packets in IPv4 packets, using IPv4 as the link layer for IPv6. This direct encapsulation is indicated by IP protocol 41. If protocol 41 is being blocked on a router or NAT device you can also use UDP packets to encapsulate your IPv6 data. Automatic tunneling is a process where the routing infrastructure determines the tunnel endpoints. 6to4 is the recommended form of automatic tunneling and uses protocol 41 encapsulation: the remote endpoint is reached through an IPv4 anycast address, and the local IPv4 address is embedded in the local IPv6 address. 6to4 is widely deployed today and is probably the most common method of encapsulation. Configured tunneling is another method, in which you explicitly configure the endpoints of your tunnels; this can be done by the OS or manually by the administrator. There is also a method called automated tunneling, where you use a tunnel broker. For larger networks configured tunneling is recommended because it is easier to troubleshoot than automatic tunneling. Automated tunneling is a compromise between automatic tunneling and configured tunneling, giving the best of both worlds.
If you have a host that is IPv6-only, keep in mind you must use a dual-stack application-layer proxy, i.e. a web proxy, and it must support both IPv4 and IPv6.
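The two address layouts described above (the ::ffff: hybrid dual-stack form with its 80 zero bits and 16 one bits, and the 6to4 form with the IPv4 address embedded behind 2002) built and decoded in Python, plus the 64-bit subnet/host split. This is an added example, not part of the original post; it uses only the standard library and constructed sample addresses.

```python
import ipaddress
from typing import Optional, Tuple

def ipv4_mapped(v4: str) -> ipaddress.IPv6Address:
    """Hybrid dual-stack form: 80 zero bits, 16 one bits, then the 32-bit IPv4 address."""
    v4_int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address((0xFFFF << 32) | v4_int)

def six_to_four_prefix(v4: str) -> ipaddress.IPv6Network:
    """6to4 prefix: the 16 bits 2002, then the IPv4 address, then 80 zero bits (a /48)."""
    v4_int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4_int << 80), 48))

def embedded_ipv4(v6: str) -> Optional[str]:
    """Recover the IPv4 address from an IPv4-mapped or 6to4 address; None if it is neither."""
    addr = ipaddress.IPv6Address(v6)
    if addr.ipv4_mapped is not None:      # ::ffff:a.b.c.d
        return str(addr.ipv4_mapped)
    if addr.sixtofour is not None:        # 2002:WWXX:YYZZ::/48
        return str(addr.sixtofour)
    return None

def split_subnet_host(v6: str) -> Tuple[str, str]:
    """Split a 128-bit address into its 64-bit subnet prefix and 64-bit host part (as hex)."""
    n = int(ipaddress.IPv6Address(v6))
    host_mask = (1 << 64) - 1
    subnet = ipaddress.IPv6Network((n & ~host_mask, 64))
    return str(subnet), f"{n & host_mask:016x}"

if __name__ == "__main__":
    # Constructed sample values (documentation ranges), not addresses from the post
    print(ipv4_mapped("192.168.1.1"))                 # the ::ffff:192.168.1.1 form
    print(six_to_four_prefix("192.0.2.4"))            # 2002:c000:204::/48
    print(embedded_ipv4("2002:c000:204::1"))          # 192.0.2.4
    print(split_subnet_host("2001:db8:1:2:3:4:5:6"))  # ('2001:db8:1:2::/64', '0003000400050006')
```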

Subnet Mask Cheat Sheet

Prefix  Addresses  Netmask          Fraction/multiple of a Class C
/30             4  255.255.255.252  1/64
/29             8  255.255.255.248  1/32
/28            16  255.255.255.240  1/16
/27            32  255.255.255.224  1/8
/26            64  255.255.255.192  1/4
/24           256  255.255.255.0    1
/23           512  255.255.254.0    2
/22          1024  255.255.252.0    4
/21          2048  255.255.248.0    8
/20          4096  255.255.240.0    16
/19          8192  255.255.224.0    32
/18         16384  255.255.192.0    64
/17         32768  255.255.128.0    128
/16         65536  255.255.0.0      256
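The general calculation behind the cheat sheet, as an added Python example (not from the original page): it derives netmask, address count and the Class C fraction for any prefix length, and goes one step further by also giving the usable host count (the table's counts include the network and broadcast addresses).

```python
import ipaddress
from fractions import Fraction
from typing import Dict, List

def subnet_row(prefix: int) -> Dict[str, object]:
    """Cheat-sheet columns for an IPv4 prefix length between /1 and /32."""
    if not 1 <= prefix <= 32:
        raise ValueError("prefix length must be between 1 and 32")
    net = ipaddress.IPv4Network((0, prefix))
    addresses = net.num_addresses            # 2 ** (32 - prefix), as in the table
    # Usable hosts exclude the network and broadcast addresses; /31 and /32 are special cases
    usable = 2 if prefix == 31 else 1 if prefix == 32 else addresses - 2
    return {
        "prefix": f"/{prefix}",
        "addresses": addresses,
        "usable_hosts": usable,
        "netmask": str(net.netmask),
        "class_c": Fraction(addresses, 256),  # relative to one /24
    }

def format_class_c(frac: Fraction) -> str:
    """Render the last column the way the cheat sheet does: '1/8' for fractions, '16' for multiples."""
    return str(frac.numerator) if frac.denominator == 1 else f"{frac.numerator}/{frac.denominator}"

def cheat_sheet(start: int = 30, stop: int = 16) -> List[Dict[str, object]]:
    """Rows from /start down to /stop inclusive, smallest subnet first, like the table above."""
    return [subnet_row(p) for p in range(start, stop - 1, -1)]

if __name__ == "__main__":
    for row in cheat_sheet():
        print(f"{row['prefix']:<5} {row['addresses']:>6} {row['usable_hosts']:>6} "
              f"{row['netmask']:<16} {format_class_c(row['class_c'])}")
```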