Wednesday 16 December 2015

Cisco ASA named to number port mapping

aol               5120
bgp                179
chargen             19
cifs              3020
citrix-ica        1494
cmd                514
ctiqbe            2748
daytime             13
discard              9
domain              53
echo                 7
exec               512
finger              79
ftp                 21
ftp-data            20
gopher              70
h323              1720
hostname           101
http                80
https              443
ident              113
imap4              143
irc                194
kerberos            88
klogin             543
kshell             544
ldap               389
ldaps              636
login              513
lotusnotes        1352
lpd                515
netbios-ssn        139
nfs               2049
nntp               119
pcanywhere-data   5631
pim-auto-rp        496
pop2               109
pop3               110
pptp              1723
rsh                514
rtsp               554
sip               5060
smtp                25
sqlnet            1522
ssh                 22
sunrpc             111
tacacs              49
talk               517
telnet              23
uucp               540
whois               43
www                 80

Cisco ASA syslog messages

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs.html


Some useful ones
302013 - built inbound TCP connection
302014 - teardown TCP connection

725012 - Device chooses cipher <cipher> for the SSL session
725008 - SSL client proposes cipher(s)
725007 - SSL session terminated / teardown of new SSL connection

725001 - starting SSL handshake
725002 - SSL handshake completed
725003 - SSL request to resume previous session

113005 - The AAA authentication on a connection has failed. The username is hidden when invalid or unknown, but appears when valid or the no logging hide username command has been configured
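As an added example (not from the original notes or from Cisco), here is a small parser for these message IDs plus a detection pass over 113005. The sample lines are constructed in ASA syslog form, not captured from a device; addresses, ports and user names are made up. Because the ASA hides the username on invalid/unknown logins (shown as *****), the count is keyed on the client IP, which is always present.

```python
import re
from collections import Counter

# Constructed sample in Cisco ASA syslog form (not captured from a real device).
# The message IDs are the ones listed above; the field layout follows the Cisco
# syslog guide but addresses, ports and names are made up.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 4711 for OUTSIDE:203.0.113.5/51234 (203.0.113.5/51234) to DMZ:172.19.150.4/443 (172.19.150.4/443)
%ASA-6-725001: Device starting SSL handshake with client OUTSIDE:203.0.113.5/51234 for TLSv1 session.
%ASA-6-725002: Device completed SSL handshake with client OUTSIDE:203.0.113.5/51234
%ASA-6-302014: Teardown TCP connection 4711 for OUTSIDE:203.0.113.5/51234 to DMZ:172.19.150.4/443 duration 0:00:12 bytes 5120 TCP FINs
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.111 : user = johndoe : user IP = 203.0.113.5
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.111 : user = johndoe : user IP = 203.0.113.5
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.111 : user = ***** : user IP = 203.0.113.5
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.112 : user = alice : user IP = 198.51.100.7
"""

# %ASA-<severity>-<message id>: <text>
HEADER_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$")
# Fields of 113005 that matter for detection. The username is "*****" when the
# ASA hides invalid/unknown names, so the user IP is the reliable grouping key.
AAA_FAIL_RE = re.compile(r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)")


def parse_line(line):
    """Split one ASA syslog line into severity, message id and free text."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "id": m["id"], "text": m["text"]}
    if rec["id"] == "113005":
        f = AAA_FAIL_RE.search(rec["text"])
        if f:
            rec["user"] = f["user"]
            rec["user_ip"] = f["ip"]
    return rec


def message_id_counts(lines):
    """How often each message id appears: a quick view of what the box is logging."""
    return Counter(r["id"] for r in map(parse_line, lines) if r)


def aaa_failures_by_source(lines):
    """Count 113005 authentication failures per client IP."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec and rec["id"] == "113005" and "user_ip" in rec:
            counts[rec["user_ip"]] += 1
    return counts


def flag_repeated_aaa_failures(lines, threshold=3):
    """Client IPs with at least `threshold` failed AAA attempts, sorted."""
    return sorted(ip for ip, n in aaa_failures_by_source(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(message_id_counts(lines))
    print(flag_repeated_aaa_failures(lines))
```

Run against a real export, the threshold and the time window would come from your own baseline of normal login failures; the point here is that 113005 carries enough to alert on even when the username is masked.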

Tuesday 15 December 2015

Static NAT on checkpoint

https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/6724.htm

Create your objects
Edit properties on inside object
Configure Static NAT with public IP
Install policy
Configure ACLs to allow the traffic
Install policy

Monday 14 December 2015

How to save hosts in the Cisco AnyConnect client

https://supportforums.cisco.com/discussion/11489861/anyconnect-30-profile-drop-down-list

Save .xml files in %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>VPN2</HostName>
      <HostAddress>VPN2 ADDRESS</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

Friday 27 November 2015

packet capture on ASA

access-list CAP_OUT_ACL extended permit tcp host 172.20.178.12 host 172.20.188.12 eq 443
access-list CAP_IN_ACL extended permit tcp host 172.20.188.12 host 172.20.178.12 eq 443
capture CAP_OUT interface WAN access-list CAP_OUT_ACL
capture CAP_IN interface WAN access-list CAP_IN_ACL

clear capture CAP_OUT
clear capture CAP_IN

sh capture
sh capture CAP_OUT

Thursday 5 November 2015

packet-tracer for juniper screen os ... sort of

http://kb.juniper.net/InfoCenter/index?page=content&id=KB5536&actp=search

Send the debug output to the console buffer (not sure this is required; might be an old command)
set console dbuf

Set your filters to match the interesting traffic
set ffilter src-ip xx.xx.xx.xx dst-ip yy.yy.yy.yy
set ffilter src-ip yy.yy.yy.yy dst-ip xx.xx.xx.xx

unset ffilter <id> (to remove a filter; usually id 0)

Start the debug
debug flow basic
(can also use 'debug flow drop' to only see drop/deny)

Generate your traffic
ping yy.yy.yy.yy

Stop the debug
Press ESC when finished or 'undebug all'

Show the debug output
get db stream

Clear the debug to do a fresh test without a wall of text
clear db

There is a lot of output but if you read through you should see the routing, nat and policy(ACL) matching and what happened to the traffic.

Wednesday 30 September 2015

cisco release designation definitions

From https://www.cisco.com/public/library/iosplanner/reldesignation.html

Normally only install GD releases, as they are considered stable; they are usually a version or two behind the latest release. Only use LD and ED releases to patch a specific bug or issue, as these versions are more likely to contain bugs.

Release Designations Defined 

Deferral (DF)
The purpose of the Deferral Advisory is to announce the removal of affected IOS image(s) from Cisco's offerings (i.e.CCO) and to introduce its replacement IOS image(s). At the time that the Deferral of an IOS image is advised, customers are strongly urged to migrate from the affected image(s) to the replacement image(s).
Limited Deployment (LD) 
A Major Release of Cisco IOS software is said to be in the "Limited Deployment" phase of its lifecycle during the period between initial FCS and the General Deployment (GD) milestones.
Note: LD will not be applied to any future Cisco IOS Software maintenance releases or rebuilds starting from Cisco IOS Software Release 12.4. Please refer to the Cisco IOS Software General Deployment (GD) Program Retirement Product Bulletin for more information: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6350/product_bulletin_cisco_ios_software_gd_program_retirement.html

Tuesday 29 September 2015

Cisco ASA anyconnect remote access VPN

Set up a network object to use later
object network CUST_RA_NET_172.19.166.0_24
 subnet 172.19.166.0 255.255.255.0

Set up ACL for use in the group policy
Also look at your outside-in ACL, as this is where the VPN users come from
access-list CUST-Rmte-ACL remark ACL to allow RA users to connect to the jump server
access-list CUST-Rmte-ACL extended permit tcp object CUST_RA_NET_172.19.166.0_24 host 172.19.150.4 object-group DMZ_PORTS_ALLOWED_OUT
access-list CUST-Rmte-ACL extended permit tcp object CUST_RA_NET_172.19.166.0_24 host 172.19.150.3 object-group DMZ_PORTS_ALLOWED_OUT

Set up an IP pool 
RA users get assigned an address from this pool when they connect
ip local pool CUST-pool 172.19.166.200-172.19.166.230 mask 255.255.255.0

Set up your group policy
There are many options that can be configured here; this is just a basic one
group-policy CUST-Rmte-Users internal
group-policy CUST-Rmte-Users attributes
 banner value Warning:
 banner value
 banner value This system is restricted to authorized users for business purposes only and is subject to the Security Policy.
 banner value
 banner value Unauthorized access or use is a violation of company policy and the law.
 banner value
 banner value This system may be monitored for administrative and security reasons.
 banner value
 banner value By proceeding, you acknowledge that you have read and understand this notice and you consent to the system monitoring
 wins-server none
 dns-server none
 vpn-filter value CUST-Rmte-ACL
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 default-domain value custdomain.com
 split-tunnel-all-dns enable
 address-pools value CUST-pool

Tunnel Group
tunnel-group CUST-Rmte type remote-access
tunnel-group CUST-Rmte general-attributes
 default-group-policy CUST-Rmte-Users (or NoAccess, if the group policy will be assigned by an LDAP attribute map later)
tunnel-group CUST-Rmte webvpn-attributes
 group-alias CUST enable

Quick enable/disable (controls whether the group appears in the AnyConnect drop-down)
tunnel-group CUST-Rmte webvpn-attributes
 group-alias CUST enable

Set up your users
username johndoe password 1234
username johndoe attributes
 vpn-group-policy CUST-Rmte-Users

Don't forget NAT
RA users come from OUTSIDE
In this case we don't want to translate them (identity NAT), so they can connect to the internal servers
nat (OUTSIDE,DMZ) source static CUST_RA_NET_172.19.166.0_24 CUST_RA_NET_172.19.166.0_24 destination static obj-172.19.150.0 obj-172.19.150.0 no-proxy-arp route-lookup


============================
Setting up so we can match anyconnect profiles to AD groups
You need an aaa-server group for each profile, as the group carries its LDAP attribute map.
Create a group policy, an aaa-server group and an LDAP attribute map for each profile you want to use.

Setup group policy
group-policy GP-AC-WX-EXTERNAL internal
group-policy GP-AC-WX-EXTERNAL attributes
 banner value Warning:
 banner value
 banner value This system is restricted to authorized users for business purposes only and is subject to the Security Policy.
 banner value
 banner value Unauthorized access or use is a violation of company policy and the law.
 banner value
 banner value This system may be monitored for administrative and security reasons.
 banner value
 banner value By proceeding, you acknowledge that you have read and understand this notice and you consent to the system monitoring
 banner value
 wins-server none
 dns-server value 10.10.0.1 10.10.0.2
 vpn-simultaneous-logins 3
 vpn-filter value AC_VPN_FILTER_ACL
 vpn-tunnel-protocol ssl-client ssl-clientless
 default-domain value MYCUST.lgov
 webvpn
  anyconnect ssl dtls none

NoAccess group policy 
group-policy NoAccess internal
group-policy NoAccess attributes
 wins-server none
 dns-server value 10.65.65.1 10.65.65.2
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 default-domain value WCCC.LGOV
 address-pools none
 ipv6-address-pools none


Find the CN path of the group in AD
dsquery group -name AnyconnectGroup

Setup the map 
Make sure your test user is a member of AnyconnectGroup
ldap attribute-map WXCC_EXT_LDAP_MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=AnyconnectGroup,OU=SITE1 Groups,DC=MYCUST,DC=lgov" GP-AC-WX-EXTERNAL
 map-name  msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
 map-value msRADIUSFramedIPAddress "msRADIUSFramedIPAddress" IETF-Radius-Framed-IP-Address (reads the static IP address configured on the user's AD Dial-in tab)
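To make the access decision above concrete, here is an added model (illustrative Python, not Cisco code) of how the map and the NoAccess default interact: each memberOf DN returned for the user is compared against the map-value entries, and a user who matches nothing falls through to the tunnel-group's default-group-policy, where vpn-simultaneous-logins 0 refuses the login. Exact-string DN matching and first-match-wins are assumptions for the common case; a user in several mapped groups should be checked against the ASA documentation for your version. The AD user records are constructed.

```python
import ipaddress

# map-value memberOf "<DN>" <group policy>  (from the attribute map above)
LDAP_MAP = {
    "CN=AnyconnectGroup,OU=SITE1 Groups,DC=MYCUST,DC=lgov": "GP-AC-WX-EXTERNAL",
}

# The one attribute from each group-policy that decides whether a login gets through.
GROUP_POLICIES = {
    "GP-AC-WX-EXTERNAL": {"vpn-simultaneous-logins": 3},
    "NoAccess": {"vpn-simultaneous-logins": 0},
}

DEFAULT_GROUP_POLICY = "NoAccess"  # tunnel-group ... default-group-policy NoAccess


def resolve_group_policy(member_of, ldap_map=LDAP_MAP, default=DEFAULT_GROUP_POLICY):
    """First memberOf DN found in the map wins (assumption); otherwise the default."""
    for dn in member_of:
        if dn in ldap_map:
            return ldap_map[dn]
    return default


def framed_ip(user_attrs):
    """msRADIUSFramedIPAddress -> dotted IETF-Radius-Framed-IP-Address, or None.

    AD stores this attribute as a 32-bit integer, which tools often display as a
    negative number for addresses above 127.255.255.255; masking to 32 bits
    handles both the signed and unsigned forms.
    """
    raw = user_attrs.get("msRADIUSFramedIPAddress")
    if raw is None:
        return None
    return str(ipaddress.IPv4Address(int(raw) & 0xFFFFFFFF))


def evaluate_login(user_attrs):
    """Decide whether the AAA result lets the user in, and which policy/address apply."""
    gp = resolve_group_policy(user_attrs.get("memberOf", []))
    allowed = GROUP_POLICIES[gp]["vpn-simultaneous-logins"] > 0
    return {"group_policy": gp, "allowed": allowed, "framed_ip": framed_ip(user_attrs)}


# Constructed AD users for the two checklist cases: a member of AnyconnectGroup
# (with a static address on the Dial-in tab, stored as a signed integer) and a
# valid AD user who is not a member.
USERS = {
    "johndoe": {
        "memberOf": [
            "CN=Domain Users,CN=Users,DC=MYCUST,DC=lgov",
            "CN=AnyconnectGroup,OU=SITE1 Groups,DC=MYCUST,DC=lgov",
        ],
        "msRADIUSFramedIPAddress": -1407998263,  # 172.19.166.201 as signed 32-bit
    },
    "alice": {
        "memberOf": ["CN=Domain Users,CN=Users,DC=MYCUST,DC=lgov"],
    },
}

if __name__ == "__main__":
    for name, attrs in USERS.items():
        print(name, evaluate_login(attrs))
```

The useful property to test for (and the reason the NoAccess policy exists) is that a valid AD credential alone never gets a tunnel: only membership in a mapped group does.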

Find the CN path for the ASA user
dsquery user -name asa

Setup aaa servers
Look out for users that sit inside containers or OUs
aaa-server WXCC_EXT_LDAP protocol ldap
aaa-server WXCC_EXT_LDAP (inside) host 10.10.0.111
 timeout 3
 ldap-base-dn dc=MYCUST, dc=lgov
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password P@55w0rd
 ldap-login-dn CN=ASA,OU=Managed Service Accounts,DC=wxcc,DC=lgov
 server-type microsoft
 ldap-attribute-map WXCC_EXT_LDAP_MAP

aaa-server WXCC_EXT_LDAP (inside) host 10.10.0.112
 timeout 3
 ldap-base-dn dc=MYCUST, dc=lgov
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password P@55w0rd
 ldap-login-dn CN=ASA,OU=Managed Service Accounts,DC=wxcc,DC=lgov
 server-type microsoft
 ldap-attribute-map WXCC_EXT_LDAP_MAP


Testing
Connect the AC client
Check assigned IP
Ping/RDP/HTTPS to the LAN
Is DNS working ? Correct DNS servers set ?
Default domain configured ?
Intranet access
Browse into file shares
Customer test web apps
Test connecting as different users to different profiles: are users outside the mapped group blocked from logging in?

NPS server
Network policy conditions:
request is coming from the ASA (RADIUS client)
user is a member of the Windows group

Monday 14 September 2015

zip up multiple folders or directories into a single file

Say we have some folders

folder1
folder2
folder3

And we want to zip them into a single file old-logs.tar.gz

tar czvf old-logs.tar.gz folder*

Tuesday 8 September 2015

nmap

nmap -sP 192.168.1.0/24 (icmp ping the network, see if anyone responds)

nmap -sP -PT80 192.168.1.0/24 (see if port 80 responds)

nmap -P0 --top-ports 10 192.168.1.127-254 > file (scan a range, top 10 ports only, output to file)

nmap -sS 192.168.1.254

-sS (SYN scan)
-sT (TCP connect)
-sU (UDP port scans)

-O (detect OS)
-sV (service version, which version of sendmail is running on port 25)

-P0 (don't ping just scan)

-T (pre set timing options used to avoid IDS/IPS)

-p (choose ports)

-F (fast scan)
-n (don't do reverse DNS lookup)

Friday 28 August 2015

Cisco ASA web interface not working

Cisco ASA: web interface not working

I had to troubleshoot a Cisco ASA today, where the client wasn’t able to connect to the management web interface anymore via https. The customer didn’t install ASDM locally, but always starts the Java-based version.
After upgrading the Cisco ASA to software version 8.2(1) and a reboot, the client wasn’t able to connect to the web interface anymore. I was able to connect to the firewall with my locally installed ASDM client, but I couldn’t access the web interface either.
While troubleshooting I first tried the basic settings, like management access-list, regenerate crypto keys and change the management port. All these options didn’t help, but the strange thing was that the web interface was working remotely.
While working with Mozilla I received the following error:
cannot communicate securely with peer: no common encryption algorithm(s).
In Google Chrome I receive the following error:
Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.
And of course Internet Explorer didn’t give any usable information. I started looking at the supported encryption algorithms within the firewall with a show version. I noticed that VPN-3DES-AES was disabled. The next step was to enable the VPN-3DES-AES ciphers. The upgrade license for this feature is available for free at http://www.cisco.com/go/license.
I activated the VPN-3DES-AES feature, but still wasn’t able to connect to the firewall with the web interface. I checked the SSL encryption used by the firewall.
fw01# show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
The firewall still didn’t enable the ciphers supported in my browser. If the VPN-3DES-AES license isn’t installed, only the cipher des-sha1 is enabled by default. I added the correct ciphers with the following command:
fw01(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1
After adding the command I was able to connect to the ASA with both the web interface and the ASDM.
Taken from:
http://www.booches.nl/2010/12/cisco-asa-web-interface-not-working/
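As an added check (not part of the quoted post or of Cisco's tooling), the show ssl output above can be parsed and scored so the des-sha1-only state is caught before a browser refuses the handshake. The sample input is the output quoted in the post; the weak set (single DES, RC4, NULL) and the treatment of 3DES as legacy are my classification, and the suggested ssl encryption line only lists ciphers the box already reports, so it still needs the VPN-3DES-AES license to take effect.

```python
# Sample input: the `show ssl` output quoted in the post above.
SHOW_SSL_OUTPUT = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
"""

# Classification used here (assumption, not an ASA setting): single DES, RC4 and
# NULL are weak; 3DES is legacy and left out of the suggested line.
WEAK_CIPHERS = {"des-sha1", "rc4-md5", "rc4-sha1", "null-sha1"}
LEGACY_CIPHERS = {"3des-sha1"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}


def parse_show_ssl(text):
    """Pull enabled/disabled cipher lists and accepted protocols out of `show ssl`."""
    result = {"enabled": [], "disabled": [], "accept_protocols": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Enabled cipher order:"):
            result["enabled"] = line.split(":", 1)[1].split()
        elif line.startswith("Disabled ciphers:"):
            result["disabled"] = line.split(":", 1)[1].split()
        elif line.startswith("Accept connections using"):
            # "Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to ..."
            head = line[len("Accept connections using"):].split(" and ")[0]
            result["accept_protocols"] = [
                p.strip() for p in head.replace(" or ", ", ").split(",") if p.strip()
            ]
    return result


def assess_ssl(parsed):
    """Findings a practitioner would act on, plus an `ssl encryption` line to apply."""
    enabled = parsed["enabled"]
    weak_enabled = [c for c in enabled if c in WEAK_CIPHERS]
    strong_disabled = [c for c in parsed["disabled"]
                       if c not in WEAK_CIPHERS | LEGACY_CIPHERS]
    findings = []
    if not any(c not in WEAK_CIPHERS for c in enabled):
        findings.append("only weak ciphers enabled; modern browsers will refuse the handshake")
    if weak_enabled:
        findings.append("weak ciphers enabled: " + " ".join(weak_enabled))
    legacy_proto = sorted(p for p in parsed["accept_protocols"] if p in LEGACY_PROTOCOLS)
    if legacy_proto:
        findings.append("legacy protocols accepted: " + " ".join(legacy_proto))
    # Strongest first; nothing from the weak or legacy sets.
    suggested = ("ssl encryption " + " ".join(sorted(strong_disabled, reverse=True))
                 if strong_disabled else None)
    return {"weak_enabled": weak_enabled, "strong_disabled": strong_disabled,
            "findings": findings, "suggested_command": suggested}


if __name__ == "__main__":
    report = assess_ssl(parse_show_ssl(SHOW_SSL_OUTPUT))
    for f in report["findings"]:
        print("-", f)
    print(report["suggested_command"])
```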

Getting strong encryption license for Cisco ASA

How to obtain strong-crypto licenses for ASA

Update from Mike Wenstrom
The process to obtain K9 activation key has changed. Here's a summary of the steps:
Strong Crypto (3DES/AES) License
Q. How can I obtain strong-crypto licenses for my ASA?
A. ASA strong crypto (3DES / AES) keys are available at: http://www.cisco.com/go/license
  1. Enter your CCO userid and password
  2. Click the “Continue to Product License Activation” link.
  3. Click Get Other Licenses > IPS, Crypto, Other…
  4. Select Security Products > Cisco ASA 3DES/AES License, click Next
  5. Enter ASA Serial number and click Next
    • If this is the first time you have applied for a strong crypto product, review and accept the terms of the license windows. You may need to return to http://www.cisco.com/go/license  and complete the steps above.
  6. In the 3. Review and Submit window, click the I Agree with the terms of the License  check box, review your contact information, and click Submit
  7. An email will be sent you with the ASA Activation key and instructions on how to apply the key

https://supportforums.cisco.com/document/67701/asa-versions-image-names-and-licensing#How_to_obtain_strong-crypto_licenses_for_ASA

Tuesday 25 August 2015

Cisco ASA Error writing disk0:/.private/startup-config (I/O error)

The flash has got messed up. You can try:

  • backup config  
  • fsck disk0 
  • If that fails format disk0
  • tftp config back on


This is documented below but if you are under warranty you can just get a replacement ASA.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81884-asa5500-disk0-error.html

Monday 24 August 2015

slowness on login to linux server

Had a server which was taking 10 seconds to login after moving it from a hub to a VLAN on a switch. Sub interfaces were also created on the ASA.

Checked all the speed and duplex on the switch ports and server all looked good.
Linux command for checking network card info
sudo ethtool eth0

Sent some large ping packets back and forth was fine.

Found the issue was /etc/resolv.conf
The server couldn't reach the DNS servers configured in there

We changed the DNS servers to reachable ones and the issue was resolved.

The server must have been trying to resolve our IP address during login.

Wednesday 19 August 2015

can't access internet after creating sub interfaces on cisco ASA

I moved some interfaces into sub interfaces. Everything looked good in the config but I wasn't getting any internet connection from my hosts after the changes.

When I cleared out the config on the physical interface the ASA removed all the NAT statements for me. Good thing I had a backup of the config before making any changes. I just put all the NATs back in and everything was good again.


Tuesday 18 August 2015

errors and discards

Errors indicate packets that were received but couldn't be processed because there was a problem with the packet. In most cases, when you're seeing inbound errors on a router interface the issue is upstream of that device: a bad cable, a misconfiguration on one end or the other, etc. In most cases, these issues are resolved outside of the router where you're seeing the errors. Error reporting is documented in RFC 1213 (among others, including RFC 1573) and is typically pulled from the IF-MIB (ifInErrors and ifOutErrors).
With discards, the situation is almost the opposite. The packets were received with no errors but were dumped before being passed on to a higher-layer protocol. A typical cause of discards is the router needing to regain buffer space. In the case of discards, the issue is almost always with the router that's reporting the discards (not with a next-hop device, bad cable, etc.). RFC 1213 also documents discard reporting, and the counters sit right beside the errors within the IF-MIB.
In any healthy network, traffic needs to be discarded at certain points. Consider configuring a switchport to trunk mode. For security reasons, the administrator only allows VLANs 1 and 2 on the link with the switchport trunk allowed vlan 1,2 command. If a packet is received with a VLAN tag of 3, it will be dropped. In this case, a discard will be incremented indicating the interface is working as configured.

The causes of discards can be many, including (but not limited to) the following:
  • the device lacks resources to do anything with the packet (such as full buffers),
  • the device does not have a route to send the packet to the destination,
  • the device has been configured to discard certain traffic or


  • “InDiscards” are almost always caused by a port that is receiving tagged frames for a VLAN ID that the port is not a member of.
  • “NoResourcesPktsDropped”, on the other hand, are generally caused by a switch that is low on or out of buffer memory, so it starts dropping packets.
  • Rx discards could be faulty cabling, interface or NIC. One reason is mismatched VLANs. Check the configured VLANs on each switch port. The port with the RX discards will be “missing” a VLAN as compared to the other end of the trunk. The switch just “discards” the packets arriving on the missing VLAN. Once the VLANs were matched up, the discards stopped. All broadcast traffic in that VLAN will be discarded by the switch port.
  • TX discards usually equate to output drops in show interface. That is generally from the port queues filling up and tail dropping because it cannot transmit the data fast enough out the port. Transmit discards are *not* errors. The first fix is to stop using UDP for the transfer and use TCP for the window control. Transmit discards indicate that packets were not transmitted because of network congestion. It can’t handle any more packets, so the switch tries to queue them up. Once the queues/buffers are full, the packets are discarded.
  • Also, note that average utilization is a bad indicator of peak utilization. You can have a very low average utilization but still have out discards if there’s a spike of traffic greater than link speed + egress buffer.
  • CRC or duplex mismatches would show as errors, not discards. A VLAN interface, like any other interface, has resources assigned, buffers etc. When these are overrun you see discards. If the other interfaces that have the errors are Ethernet, you may want to check that both sides of that interface are set to the same speed/duplex; if they are not, you will see transmit/receive discards and errors. Changing interfaces may help.
  • If you have ACLs on your VLAN, the packets that are dropped because of that ACL may be shown as discards.
  • ARP table refresh. On many platforms, the ARP table entries are held for 4 hours; thus, every 4 hours the ARP cache is flushed and suddenly you may see thousands of ARP requests a second, causing some interfaces to fill buffer space.
  • The discards can also be caused by packets with an MTU size that is too large that have the DF bit set.
  • “A discard can occur because a packet was sent to a TCP/UDP port for which there was no listener. E.g. if someone tried to make a telnet connection to the IP address on the VLAN interface, but telnet was disabled.”
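The counters discussed above are cumulative SNMP values, so the useful numbers are deltas between polls divided by the packets carried in the same interval. The following added example (not from the sources quoted above) turns two constructed polls of IF-MIB counters into rates and attaches the first-guess interpretation from these notes: inbound errors point upstream, inbound discards point at the reporting device, outbound discards point at egress congestion. The counter names are the real IF-MIB objects; the values and interface names are made up, and the 32-bit wrap handling is there because Counter32 objects roll over.

```python
COUNTER_BITS = 32  # ifInErrors, ifInDiscards, ifOutDiscards etc. are Counter32 objects


def counter_delta(prev, curr, bits=COUNTER_BITS):
    """Difference between two cumulative counter samples, allowing for one wrap."""
    if curr >= prev:
        return curr - prev
    return (1 << bits) - prev + curr


def interface_health(prev, curr, interval_s):
    """Rates for one interface plus what each non-zero counter usually points at."""
    d = {name: counter_delta(prev[name], curr[name]) for name in prev}

    def ratio(n, total):
        return n / total if total else 0.0

    report = {
        "in_error_rate": ratio(d["ifInErrors"], d["ifInUcastPkts"]),
        "in_discard_rate": ratio(d["ifInDiscards"], d["ifInUcastPkts"]),
        "out_discard_rate": ratio(d["ifOutDiscards"], d["ifOutUcastPkts"]),
        "in_errors_per_s": d["ifInErrors"] / interval_s,
        "hints": [],
    }
    # Interpretation follows the notes above: errors -> upstream, inbound discards
    # -> this device, outbound discards -> congestion on the egress queue.
    if d["ifInErrors"]:
        report["hints"].append(
            "inbound errors: look upstream (cable, speed/duplex mismatch, far-end config)")
    if d["ifInDiscards"]:
        report["hints"].append(
            "inbound discards: local to this device (VLAN not allowed, ACL drop, buffers)")
    if d["ifOutDiscards"]:
        report["hints"].append(
            "outbound discards: egress congestion / tail drop; compare peak, not average, utilisation")
    return report


def health_report(prev_poll, curr_poll, interval_s):
    """Run interface_health over every interface present in both polls."""
    return {ifname: interface_health(prev_poll[ifname], curr_poll[ifname], interval_s)
            for ifname in prev_poll if ifname in curr_poll}


# Constructed polls 60 s apart. Gi1/0/1 wraps its 32-bit ifInUcastPkts counter and
# shows only egress drops; Gi1/0/2 shows both inbound errors and inbound discards.
PREV_POLL = {
    "Gi1/0/1": {"ifInUcastPkts": 4294960000, "ifOutUcastPkts": 1000000,
                "ifInErrors": 10, "ifInDiscards": 0, "ifOutDiscards": 500},
    "Gi1/0/2": {"ifInUcastPkts": 100000, "ifOutUcastPkts": 50000,
                "ifInErrors": 0, "ifInDiscards": 1000, "ifOutDiscards": 0},
}
CURR_POLL = {
    "Gi1/0/1": {"ifInUcastPkts": 12704, "ifOutUcastPkts": 1180000,
                "ifInErrors": 10, "ifInDiscards": 0, "ifOutDiscards": 2300},
    "Gi1/0/2": {"ifInUcastPkts": 160000, "ifOutUcastPkts": 80000,
                "ifInErrors": 120, "ifInDiscards": 4000, "ifOutDiscards": 0},
}

if __name__ == "__main__":
    for ifname, rep in health_report(PREV_POLL, CURR_POLL, 60).items():
        print(ifname, rep)
```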

Monday 17 August 2015

Using NPS / RADIUS for logins on network (and other devices)

https://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/


Check the user has "Allow access" set on the Dial-in tab in AD Users and Computers
Check the user is a member of the right AD group if you are using one in your RADIUS policy

NPS server setup both DC1 + DC2
NPS radius clients match and password matches
NPS policy setup and match
NPS server install wireshark
NPS server enable auditing.
NPS server registered in AD
After adding new RADIUS clients stop/start the NPS server

Side note: upgrading a 3750E to 15.2 broke RADIUS
The fix was to change the configuration to call the RADIUS server group

Turn aaa on 
aaa new-model

Setup radius servers
radius server NPS-1
address ipv4 172.16.35.63 auth-port 1812 acct-port 1813
pac key **********
!
radius server NPS-2
address ipv4 172.16.35.43 auth-port 1812 acct-port 1813
pac key ********
!

Setup radius group
aaa group server radius RADIUS-GROUP
server name NPS-1
server name NPS-2

Set source interface
ip radius source-interface