Tuesday 29 November 2022

control plane ACL ASA

control plane access lists on the ASA

If you want to stop an IP address from trying to reach AnyConnect, ASDM, or from trying to form a VPN, this is what you need.

The OUTSIDE_IN access list does not block it, as the service itself is on the firewall (to-the-box traffic) and the packets never pass through the interface.


access-list cp-outside extended deny ip object-group BAD_IPS any log
access-group cp-outside in interface OUTSIDE control-plane

There is no implicit deny at the end of a control-plane ACL, so don't add a permit ip any any; the list only needs the deny entries.
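Once the ACL is in with the log keyword, the useful next step is to see who is actually hitting it. The script below is an added example, not part of the original notes: it pulls the hits for the cp-outside ACL out of a syslog feed and tallies them by source address and by the service (443 for ASDM/AnyConnect, udp/500 for IKE) each source was blocked from. The ACL name, interface name, addresses and syslog lines are all constructed samples; the one caveat worth knowing is that an ACE with the log keyword reports through message 106100 with a hit-cnt field that rolls several packets into one line, so the count has to come from hit-cnt, not from counting lines.

```python
"""Tally control-plane ACL hits from ASA syslog (added example, constructed data)."""
import re
from collections import Counter, defaultdict

# An ACE with the 'log' keyword (as in the config above) reports hits with message 106100,
# rate-limited per flow: the first packet logs "hit-cnt 1 first hit" and later packets in
# the same interval are rolled up into one "hit-cnt N 300-second interval" line. An ACE
# without 'log' produces a 106023 "Deny ... by access-group" line per packet instead.
LOG_106100_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\w+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hits>\d+)"
)
DENY_106023_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))? by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample feed: ACL name, hostnames and addresses are assumptions.
SAMPLE_SYSLOG = """\
Nov 29 2022 10:01:12 fw01 : %ASA-6-106100: access-list cp-outside denied tcp OUTSIDE/203.0.113.5(51234) -> OUTSIDE/198.51.100.1(443) hit-cnt 1 first hit [0x0, 0x0]
Nov 29 2022 10:06:12 fw01 : %ASA-6-106100: access-list cp-outside denied tcp OUTSIDE/203.0.113.5(51234) -> OUTSIDE/198.51.100.1(443) hit-cnt 37 300-second interval [0x0, 0x0]
Nov 29 2022 10:01:14 fw01 : %ASA-6-106100: access-list cp-outside denied udp OUTSIDE/203.0.113.9(500) -> OUTSIDE/198.51.100.1(500) hit-cnt 1 first hit [0x0, 0x0]
Nov 29 2022 10:01:15 fw01 : %ASA-6-106100: access-list OUTSIDE_IN denied tcp OUTSIDE/203.0.113.77(40000) -> INSIDE/10.1.1.20(445) hit-cnt 1 first hit [0x0, 0x0]
Nov 29 2022 10:01:16 fw01 : %ASA-4-106023: Deny tcp src OUTSIDE:203.0.113.88/2222 dst OUTSIDE:198.51.100.1/22 by access-group "cp-outside" [0x0, 0x0]
Nov 29 2022 10:01:17 fw01 : %ASA-6-302013: Built inbound TCP connection 12345 for OUTSIDE:198.51.100.50/44321 (198.51.100.50/44321) to identity:198.51.100.1/443 (198.51.100.1/443)
"""


def parse_acl_hits(syslog_text, acl="cp-outside"):
    """One dict per line that counts against the named ACL, with an int 'hits' field."""
    hits = []
    for line in syslog_text.splitlines():
        m = LOG_106100_RE.search(line)
        if m:
            if m.group("acl") == acl and m.group("action") == "denied":
                rec = m.groupdict()
                rec["hits"] = int(rec["hits"])
                hits.append(rec)
            continue
        m = DENY_106023_RE.search(line)
        if m and m.group("acl") == acl:
            rec = m.groupdict()
            rec["hits"] = 1          # 106023 is one line per packet
            hits.append(rec)
    return hits


def top_sources(hits, n=5):
    """(source_ip, packets denied) pairs, most frequent first."""
    counts = Counter()
    for rec in hits:
        counts[rec["src_ip"]] += rec["hits"]
    return counts.most_common(n)


def services_hit(hits):
    """Map each source IP to the sorted proto/port list it was blocked from reaching."""
    per_src = defaultdict(set)
    for rec in hits:
        per_src[rec["src_ip"]].add(f'{rec["proto"]}/{rec["dst_port"] or "-"}')
    return {ip: sorted(ports) for ip, ports in per_src.items()}


if __name__ == "__main__":
    hits = parse_acl_hits(SAMPLE_SYSLOG)
    for ip, count in top_sources(hits):
        print(f"{ip:>16} {count:>5} packets  {', '.join(services_hit(hits)[ip])}")
```

Feed it the output of a syslog collector (or `show logging`) and the top entries are candidates for the BAD_IPS object-group; the OUTSIDE_IN line in the sample shows that through-the-box denies are ignored unless you ask for that ACL by name.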


no logging hide username

(so that the syslogs for failed logins include the username that was tried)

Monday 28 November 2022

find locked out accounts in windows

Enable AD auditing on all the DCs (the account logon / Kerberos authentication service failure audits). A bad password can be tried against whichever DC the client talks to, so one DC's log is not enough.

Search the Security event log on the DCs for event ID 4771 (Kerberos pre-authentication failed). The Client Address field tells you where the bad password attempts are coming from, and a Status of 0x18 means wrong password. Event ID 4740 (a user account was locked out) is logged on the PDC emulator and names the caller computer.

Lockout tools may help:

https://www.microsoft.com/en-us/download/details.aspx?id=18465


ManageEngine ADAudit Plus can help too (it just parses the event logs).
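To show what the event log search above actually looks for, here is an added example (not from the original notes, and not what the Microsoft or ManageEngine tools do internally) that takes 4771 records exported as Windows Event XML from each DC, keeps only the bad-password failures (Status 0x18), and reports per user which client address the attempts came from. The DC names, users, addresses and the event records themselves are constructed samples in the standard Event XML layout.

```python
"""Find the source of bad-password attempts behind an AD lockout (added example, constructed data)."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Kerberos error codes that show up in the 4771 Status field (RFC 4120 section 7.5.9)
STATUS_NAMES = {
    "0x18": "KDC_ERR_PREAUTH_FAILED (bad password)",
    "0x12": "KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)",
    "0x25": "KRB_AP_ERR_SKEW (clock skew)",
}


def sample_4771(dc, user, client_ip, status):
    """Build a constructed 4771 event in the Windows Event XML layout (sample data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4771</EventID>
    <Channel>Security</Channel>
    <Computer>{dc}</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="ServiceName">krbtgt/CORP</Data>
    <Data Name="Status">{status}</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:{client_ip}</Data>
    <Data Name="IpPort">51234</Data>
  </EventData>
</Event>"""


# Constructed sample: jsmith fails four times from one workstation (a stale cached
# credential, say) and once from another, one failure is logged after the account is
# already locked (0x12) and must not count as a password attempt, and bob has one typo.
SAMPLE_EVENTS = (
    [sample_4771("DC01.corp.example", "jsmith", "10.20.30.40", "0x18")] * 4
    + [sample_4771("DC02.corp.example", "jsmith", "10.20.30.41", "0x18")]
    + [sample_4771("DC01.corp.example", "jsmith", "10.20.30.40", "0x12")]
    + [sample_4771("DC02.corp.example", "bob", "10.20.30.99", "0x18")]
)


def parse_4771(xml_text):
    """Return {'user','ip','status','dc'} for a 4771 event, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4771":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    ip = data.get("IpAddress", "")
    if ip.startswith("::ffff:"):          # IPv4-mapped IPv6 form the log uses
        ip = ip[len("::ffff:"):]
    return {
        "user": data.get("TargetUserName", ""),
        "ip": ip,
        "status": data.get("Status", ""),
        "dc": root.findtext("e:System/e:Computer", default="", namespaces=NS),
    }


def bad_password_sources(events, threshold=3):
    """{user: {client_ip: count}} for users whose 0x18 failures reach the threshold.

    Only bad-password failures count: 0x12 is logged once the account is already
    locked or disabled and would inflate the numbers. Events from every DC are
    pooled, which is why auditing has to be on across all of them."""
    per_user = defaultdict(Counter)
    for xml_text in events:
        rec = parse_4771(xml_text)
        if rec and rec["status"] == "0x18":
            per_user[rec["user"]][rec["ip"]] += 1
    return {u: dict(c) for u, c in per_user.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    for user, sources in bad_password_sources(SAMPLE_EVENTS).items():
        worst = max(sources, key=sources.get)
        print(f"{user}: {sum(sources.values())} bad passwords, mostly from {worst} ({sources[worst]})")
```

Set threshold to the domain's lockout threshold and the output names the machine to go and look at (a service, scheduled task or mapped drive still holding an old password is the usual culprit).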

ftp passive mode issues

FTP passive mode not working

Some issues seen:

1 FTP inspection on the ASA (inspect ftp). It is what rewrites the address embedded in the PASV/PORT exchange through NAT and opens the pinhole for the data connection, so check whether it is on, and whether it can see the commands at all (it cannot when the control channel is encrypted, as with FTPS).

2 Sometimes the server puts its inside IP in the 227 reply instead of the public one. Often the firewalls or the client fix this up, but an old client might not and tries to connect to the inside IP.


https://www.ibm.com/support/pages/remote-ftp-client-doing-passive-mode-gets-internal-ip-address-returned-227-entering-passive-mode-message



Passive mode

Client opens the control connection from a random source port, e.g. 55555, to server port 21 (replies come back from server port 21 to client port 55555 on that same TCP session).

Client sends PASV; the server replies "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", i.e. the IP to use and the data port p1*256+p2.

Client opens the data connection from another random port to that server IP and port, so both connections are client-to-server and a firewall or NAT on the client side does not get in the way.


Active mode

Control connection is the same. The client sends PORT with its own IP and a port it is listening on, and the server opens the data connection from its port 20 back to that client port. The data and control connections are on different ports and the client side has to accept an inbound connection, which is why passive mode exists.
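The two failure modes above (an inside address in the 227 reply, and the data port having to be worked out from the reply) are easiest to see with the reply parsed by hand. The block below is an added example, not part of the original notes: it parses a 227 reply, computes the data port, and decides where the data connection should go, falling back to the control-connection peer when the server advertises an RFC 1918 address that the client did not reach it on (this is the fix-up a modern client or the firewall's FTP inspection performs and an old client does not). build_port_command shows the active-mode equivalent. All addresses and replies are constructed samples.

```python
"""Work out where an FTP data connection should go from the server's 227 reply (added example)."""
import ipaddress
import re

PASV_RE = re.compile(r"^227\s.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# ipaddress.is_private also treats documentation ranges such as 203.0.113.0/24 as private,
# which would misclassify the sample addresses here; the leak we care about is RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; raise ValueError if it is malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("server advertised port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def data_endpoint(reply, control_peer):
    """Pick (ip, port, reason) for the data connection.

    control_peer is the server address the control connection actually went to.
    If the server advertises an RFC 1918 address while we reached it on a public
    one, it leaked its inside IP (nothing in the path fixed it up); connecting to
    it is what an old client does, and it hangs. Reuse the control peer instead."""
    adv_ip, port = parse_pasv(reply)
    adv, ctl = ipaddress.ip_address(adv_ip), ipaddress.ip_address(control_peer)
    if adv == ctl:
        return adv_ip, port, "advertised address matches control connection"
    if is_rfc1918(adv) and not is_rfc1918(ctl):
        return control_peer, port, f"server advertised inside address {adv_ip}; using control peer instead"
    return adv_ip, port, "advertised address differs from control peer (multi-homed server or proxy)"


def build_port_command(client_ip, client_port):
    """Active mode: the client tells the server where to connect (server comes from port 20)."""
    if not 0 < client_port < 65536:
        raise ValueError("port out of range")
    return f"PORT {','.join(client_ip.split('.'))},{client_port // 256},{client_port % 256}"


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,168,1,10,195,80)"   # constructed server reply
    print(data_endpoint(reply, "203.0.113.10"))
    print(build_port_command("198.51.100.7", 55555))
```

If the firewall is doing its job, the 227 reply the client sees already carries the public address and the fallback branch never fires; seeing it fire in a packet capture at the client is the quickest confirmation of issue 2.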


Tuesday 15 November 2022

tftp transfer speed degrades or stops

Had an issue where a TFTP transfer was fine at the start and then degraded.

The issue in this case was that the exec-timeout was set to 5 minutes. I increased it to 30 minutes and all was good. Also worth looking at the TFTP block size.

Monday 14 November 2022

website not loading file is downloaded instead

Inside the file was some hex with nothing in it. It seems the headers were getting mangled, so the client got some data from the web server, didn't know what to do with it, and saved it as a download.

This was an issue with HTTPS inspection on the firewall. Installing a hotfix fixed the issue.

Check for any firewall or IPS device in between client and server.

Check the firewall logs and the web server logs (does the traffic make it to the inside server?).

Check the NAT to the inside IP.

Is the inside web server up and working?

Is the inside web server getting the traffic?

Took a packet capture on the outside and could see the certificate handshake trying over and over, which indicates an SSL/TLS issue.




Wednesday 9 November 2022

Palo Alto BPA

Log into your Palo Alto firewall.

Go to Device -> Support.

In the Tech Support File section, click Generate Tech Support File (takes a while).

Then download the tech support file.


Log into the support website:

https://support.paloaltonetworks.com/

You will have to log in with Google Authenticator.


Log in with your account.

Select the customer account in the top-left drop-down.

On the left-hand side go to Tools -> Best Practice Assessment.

Click "Generate New BPA" in the top right.

Select the downloaded tech support file.


Select the architecture classifications.

Untrust = Internet, etc.





ikev2 s2s VPN on cisco ASA

The customer did an update and all the old IKEv1 and old-cipher VPNs stopped working due to the security settings in the SW update. I didn't have time to figure out which ciphers worked, so I switched the VPNs to IKEv2.

Enable IKEv2 on outside interface

crypto ikev2 enable OUTSIDE


Group policy for the VPN peer (IKEv2 selected, always-on settings)

You may have other settings you need to configure here.

group-policy GroupPolicy_x.x.x.x internal

group-policy GroupPolicy_x.x.x.x attributes

 vpn-idle-timeout none

 vpn-session-timeout none

 vpn-filter none

 vpn-tunnel-protocol ikev2


IKEv2 P1 policy

*NOTE* Saw an issue where a policy was selected even though the lifetimes didn't match (the other settings did). The VPN came up but was having issues rekeying and was not coming back up on its own. Check that the lifetimes match under "sh crypto isakmp sa" on both sides of the VPN. In my case the HQ already had an IKEv2 policy with an 86400 lifetime and other VPNs using it.

crypto ikev2 policy 1

 encryption aes-256

 integrity sha256

 group 21

 prf sha256

 lifetime seconds 86400


IKEv2 P2 proposal

crypto ipsec ikev2 ipsec-proposal IKEV2_AES_256_SHA_256

 protocol esp encryption aes-256

 protocol esp integrity sha-256


Crypto MAP (the map also has to be applied to the OUTSIDE interface for the entry to take effect)

crypto map MYMAP 10 match address CUST_VPN

crypto map MYMAP 10 set peer x.x.x.x

crypto map MYMAP 10 set ikev2 ipsec-proposal IKEV2_AES_256_SHA_256

crypto map MYMAP 10 set security-association lifetime seconds 3600


Encryption domain

access-list CUST_VPN extended permit ip object-group LOCAL-NETS object-group REMOTE-NETS

object-group network LOCAL-NETS

 network-object 192.168.10.0 255.255.255.0

object-group network REMOTE-NETS

 network-object 172.30.10.0 255.255.255.0


NoNat

nat (INSIDE,OUTSIDE) source static LOCAL-NETS LOCAL-NETS destination static REMOTE-NETS REMOTE-NETS no-proxy-arp route-lookup


Tunnel group

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x general-attributes

 default-group-policy GroupPolicy_x.x.x.x

tunnel-group x.x.x.x ipsec-attributes

 ikev2 remote-authentication pre-shared-key StrongPassWordHere

 ikev2 local-authentication pre-shared-key StrongPassWordHere
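The lifetime problem noted under the P1 policy comes from a property of the protocol: IKEv2 does not negotiate SA lifetimes, each side simply applies its own, so the ASA brings the tunnel up as soon as a policy matches on ciphers and the mismatch only shows up at rekey. The script below is an added example, not part of the original notes: it parses the crypto ikev2 policy stanzas out of the running configs from both ends, lists the local/remote policy pairs that can negotiate (every one of encryption, integrity, group and prf overlaps), and flags the pairs whose lifetimes differ. The two configs are constructed samples; the first local policy mirrors the one above.

```python
"""Check that the IKEv2 policies on both ends of a site-to-site VPN line up (added example)."""
import re

POLICY_RE = re.compile(r"^crypto ikev2 policy (\d+)\s*$")
SET_ATTRS = ("encryption", "integrity", "group", "prf")

# Constructed sample configs. A policy line may carry several values (e.g. "group 21 14").
LOCAL_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 21
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes-gcm-256
 integrity null
 group 19
 prf sha512
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
"""

REMOTE_CONFIG = """\
crypto ikev2 policy 5
 encryption aes-256 aes-192
 integrity sha256 sha
 group 21 14
 prf sha256
 lifetime seconds 28800
crypto ikev2 policy 30
 encryption aes-gcm-256
 integrity null
 group 19
 prf sha512
 lifetime seconds 86400
"""


def parse_ikev2_policies(config):
    """{policy_number: {'encryption': set, 'integrity': set, 'group': set, 'prf': set, 'lifetime': int}}"""
    policies, current = {}, None
    for raw in config.splitlines():
        m = POLICY_RE.match(raw)
        if m:
            current = policies.setdefault(int(m.group(1)), {a: set() for a in SET_ATTRS})
            continue
        if current is None or not raw.startswith(" "):
            current = None          # an unindented line ends the stanza
            continue
        words = raw.split()
        if words[0] in SET_ATTRS:
            current[words[0]].update(words[1:])
        elif words[0] == "lifetime" and len(words) == 3 and words[1] == "seconds":
            current["lifetime"] = int(words[2])
    return policies


def matching_pairs(local, remote):
    """[(local_num, remote_num, lifetimes_equal)] for policies that can negotiate.

    A pair negotiates when all four transform sets overlap; the lifetime is
    reported separately because it never takes part in the negotiation."""
    pairs = []
    for ln, lp in sorted(local.items()):
        for rn, rp in sorted(remote.items()):
            if all(lp[a] & rp[a] for a in SET_ATTRS):
                pairs.append((ln, rn, lp.get("lifetime") == rp.get("lifetime")))
    return pairs


def lifetime_mismatches(local_config, remote_config):
    """Negotiable pairs whose lifetimes differ; an empty list means rekey is safe on that front."""
    pairs = matching_pairs(parse_ikev2_policies(local_config), parse_ikev2_policies(remote_config))
    return [(ln, rn) for ln, rn, ok in pairs if not ok]


if __name__ == "__main__":
    for ln, rn in lifetime_mismatches(LOCAL_CONFIG, REMOTE_CONFIG):
        print(f"local policy {ln} / remote policy {rn}: lifetimes differ, fix before relying on rekey")
```

Paste in the output of show running-config crypto ikev2 from each ASA; if the other end is not an ASA, translate its IKE proposal into the same stanza shape by hand. Policy numbers only set the order each side tries, so a pair can match across very different numbers (1 and 5 above).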