control plane ACL ASA

control plane acccess lists on the ASA

If you want to stop an IP address from trying to access anyconnect, asdm, trying to form a VPN thats what you need

OUTSIDE_IN access list does not block it as the services itself is on the Firewall and does not pass through the interface

access-list cp-outside extended deny ip object-group BAD_IPS any log

access-group cp-outside in interface OUTSIDE control-plane

no implicit deny on these so you dont need a permit any any as that will cause the access list not to work

no logging hide username

find locked out accounts in windows

 Enable AD auditing on all the DC's

Search the event logs on their AD for event id 4771 in security section

Lockout tools may help

https://www.microsoft.com/en-us/download/details.aspx?id=18465

ManageEngine AD audit plus can help too (just parses event logs)

ftp passve mode issues

FTP passive mode not working

Some issues seen:

1 ftp inspect on ASA

2 sometimes the server transmits t he inside IP instead of public. Sometimes the FW's or the client are fixing this up but an old client might not and tries to connect to an inside IP.

https://www.ibm.com/support/pages/remote-ftp-client-doing-passive-mode-gets-internal-ip-address-returned-227-entering-passive-mode-message

Passive mode 

client connects to server on random source port  eg 55555  to destination port 21

connection goes back from server source port 21 to the destination port on client 55555

Active mode

they setup a data and a control connection on different ports

tftp transfer speed degrades or stops

 Had an issue where tftp transfer was good at the start then degraded.

The issue in this case was the exec-timeout was set to 5 minutes. I increased to 30 mins and all was good. Also worth looking at tftp block size

website not loading file is downloaded instead

Inside the file was some hex with nothing in it. It seems the headers were getting messed up so the client got some data from the web server, didn't know what to do with it so downloaded it.

This was an issue with https inspection on the firewall. A hotfix install fixed the issue. 

Check for any FW or IPS device in between client and server.

Check FW logs + web server logs (does traffic make it to inside server)

Check NAT -> inside IP

Is inside webserver up and working

Is inside web server getting the traffic

Took packet capture on outside could see the cert handshake trying over and over which indicates SSL issue.

Palo alto BPA

Log into your palo alto firewall

On Device -> Support 

In the Tech Support File section 

Click generate Tech support file (takes a while)

Then download the tech support file

Log into support web site:

https://support.paloaltonetworks.com/

Will have to login with google authenticator 

Login with your account.

Select the customer account in the top left drop down

On the left hand side go to tools -> Best Practice Assessment

Click on "Generate New BPA" in the top right

Select the downloaded tech support file

Select architecture classfications

Untrust = Internet etc

Don't enable Inline cloud analysis under anti spyware section of BPA, drops traffic but doesn't show in the logs.

ikev2 s2s VPN on cisco ASA

Customer did an update and all the old IKEv1 and old cipher VPNs were not working due to security settings and SW update. I didn't have time to figure out which ciphers worked so switched VPNs to IKEv2

Enable IKEv2 on outside interface

crypto ikev2 enable OUTSIDE

Group policy for VPN peer (IKEv2 selected, always on settings)

You may have other settings you need to config here

group-policy GroupPolicy_x.x.x.x internal

group-policy GroupPolicy_x.x.x.x attributes

 vpn-idle-timeout none

 vpn-session-timeout none

 vpn-filter none

 vpn-tunnel-protocol ikev2

IKEv2 P1 policy

*NOTE* Saw an issue where a policy was selected even though the lifetimes didn't match (other settings did). The VPN came up but was having issues rekeying. Not coming back up on its own. Check the lifetimes match under "sh crypto isakmp sa" on both sides of the VPN. In my case the HQ already had an ikev2 pol with 86400 lifetime and other VPNs using that.

cbc

 crypto ikev2 policy 1

 encryption aes-256

 integrity sha256

 group 21

 prf sha256

 lifetime seconds 28800

gcm

crypto ikev2 policy 160

 encryption aes-gcm-256

 integrity null

 group 21

 prf sha256

 lifetime seconds 28800

cbc vs gcm

aes-256-cbc (works with asa (aes-256) to palo fw aes-256-cbc)

cbc is older, weaker but can run faster on weaker hardware. Since we are running a tunnel within a tunnel on S2S VPN's it should be fine.

gcm is newer, adds authentication (you don't need to use SHA for hashing its all done in gcm) You will config integrity null, more secure, the best practice pick. However some older devices won't support gcm or won't have it as an option so you will have to use cbc in that case

IKEv2 P2 proposal

crypto ipsec ikev2 ipsec-proposal IKEV2_AES_256_SHA_256

 protocol esp encryption aes-256

 protocol esp integrity sha-256

Crypto MAP

crypto map MYMAP 10 match address CUST_VPN

crypto map MYMAP 10 set peer x.x.x.x

crypto map MYMAP 10 set ikev2 ipsec-proposal IKEV2_AES_256_SHA_256

crypto map MYMAP 10 set security-association lifetime seconds 3600

Encryption domain

access-list CUST_VPN extended permit ip object-group LOCAL-NETS object-group REMOTE-NETS

object-group network LOCAL-NETS

 network-object 192.168.10.0 255.255.255.0

 object-group network REMOTE-NETS

 network-object 172.30.10.0 255.255.255.0

NoNat

nat (INSIDE,OUTSIDE) source static  LOCAL-NETS  LOCAL-NETS destination static REMOTE-NETS REMOTE-NETS no-proxy-arp route-lookup

Tunnel group

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x general-attributes

 default-group-policy GroupPolicy_x.x.x.x

 tunnel-group x.x.x.x ipsec-attributes

 ikev2 remote-authentication pre-shared-key StrongPassWordHere

 ikev2 local-authentication pre-shared-key StrongPassWordHere

Find subdomains DNS

 https://dnsdumpster.com/