Tuesday, 7 November 2017

destination NAT on cisco ASA over VPN

My DMZ = 100.64.0.0 /24
We wanted to reach 172.20.20.10, which is on the customer side, but that address conflicted with a network on our side.

Decided to use 172.22.20.10 as the NAT (mapped) IP: our side talks to 172.22.20.10 and the customer ASA translates it back to 172.20.20.10.


Changes on my side

object-group network MY_LAN
 network-object 100.64.0.0 255.255.255.0

object-group network NAT_NET
 network-object 172.22.20.0 255.255.255.0

Added below to the VPN (crypto) ACL, using the mapped network rather than the real 172.20.20.10:
access-list CUST_VPN_ACL extended permit ip object-group MY_LAN object-group NAT_NET

No NAT for the VPN traffic (identity NAT, so our addresses are untouched on the way into the tunnel):
nat (DMZ,OUTSIDE) source static MY_LAN MY_LAN destination static NAT_NET NAT_NET no-proxy-arp route-lookup

Customer side:

Added to the VPN (crypto) ACL, the mirror of ours:
access-list MYSIDE_VPN extended permit ip object-group NAT_NET object-group MY_LAN

HOST_REAL_IP = host 172.20.20.10
HOST_XLATED_IP = host 172.22.20.10 (define the mapped object as a single host so it is the same size as the real object; a host mapped to the whole 172.22.20.0 /24 is a size mismatch)

Policy NAT: translate the real host to the mapped host only for traffic to/from MY_LAN (this rule must sit above any dynamic PAT rule that covers the same source):
nat (WIFI,OUTSIDE) source static HOST_REAL_IP HOST_XLATED_IP destination static MY_LAN MY_LAN

I could ping 172.22.20.10 and it responded.
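
As an added worked example (not from the original notes), here are both sides together with the customer-side mapped object defined as a host, plus the checks to run on each ASA. The object names, the interface names DMZ/OUTSIDE/WIFI and the test source host 100.64.0.5 are assumptions for the example.

```cisco
! ---- My ASA (DMZ side): identity NAT so traffic to the mapped net enters the tunnel untranslated
object-group network MY_LAN
 network-object 100.64.0.0 255.255.255.0
object-group network NAT_NET
 network-object 172.22.20.0 255.255.255.0
access-list CUST_VPN_ACL extended permit ip object-group MY_LAN object-group NAT_NET
nat (DMZ,OUTSIDE) source static MY_LAN MY_LAN destination static NAT_NET NAT_NET no-proxy-arp route-lookup

! ---- Customer ASA (WIFI side): real host <-> mapped host, only for traffic to/from MY_LAN
! Both objects are single hosts so the mapping is one-to-one
object network HOST_REAL_IP
 host 172.20.20.10
object network HOST_XLATED_IP
 host 172.22.20.10
object-group network MY_LAN
 network-object 100.64.0.0 255.255.255.0
object-group network NAT_NET
 network-object 172.22.20.0 255.255.255.0
! Crypto ACL matches the mapped address: NAT happens before encryption
access-list MYSIDE_VPN extended permit ip object-group NAT_NET object-group MY_LAN
! Line 1 puts the rule at the top of section 1, ahead of any dynamic PAT for the WIFI net
nat (WIFI,OUTSIDE) 1 source static HOST_REAL_IP HOST_XLATED_IP destination static MY_LAN MY_LAN

! ---- Checks on my ASA: the NAT rule should be hit and the last phase should be VPN encrypt, not DROP
packet-tracer input DMZ icmp 100.64.0.5 8 0 172.22.20.10 detailed
show nat detail
show crypto ipsec sa

! ---- Checks on the customer ASA: packet arrives as 172.22.20.10 and is untranslated to 172.20.20.10
packet-tracer input OUTSIDE icmp 100.64.0.5 8 0 172.22.20.10 detailed
show nat detail
```

If packet-tracer shows the flow hitting a dynamic PAT rule instead of the static one, the static rule is ordered below it; the explicit line number fixes that. A zero "translate_hits" counter in show nat detail after a test ping means the rule never matched.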

Friday, 3 November 2017

basic inside acl for cisco asa

object-group service PORTS_ALLOWED_OUT
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq ssh
 service-object udp destination eq domain
 service-object tcp destination eq ftp-data
 service-object tcp destination eq ftp
 service-object tcp destination eq telnet
 service-object tcp destination eq smtp
 service-object udp destination eq ntp
 service-object tcp destination eq rtsp
 service-object tcp destination eq 873
 service-object tcp destination eq 993

access-list INSIDE_OUT remark *** Allow ping ***
access-list INSIDE_OUT extended permit icmp any any
access-list INSIDE_OUT remark *** Allow standard ports out ***
access-list INSIDE_OUT extended permit object-group PORTS_ALLOWED_OUT any any
access-list INSIDE_OUT extended deny ip any any log


88  - kerberos
445 - microsoft DS
137 - netbios
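
The same ACL as an added example (not from the original notes), with NTP on UDP, DNS over both transports, ping limited to echo rather than all ICMP, the cleartext protocols (ftp, telnet) restricted to the hosts that actually need them, and the access-group line that binds the ACL to the interface, which the notes leave out. The interface name inside, the host 192.168.1.50 and the test destination 203.0.113.10 are assumptions for the example.

```cisco
object-group service PORTS_ALLOWED_OUT
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq ssh
 service-object tcp destination eq domain
 service-object udp destination eq domain
 service-object udp destination eq ntp
 service-object tcp destination eq smtp
 service-object tcp destination eq 993
 service-object tcp destination eq 873
 service-object tcp destination eq rtsp

! Cleartext protocols kept in their own group so they can be limited by source
object-group service LEGACY_CLEARTEXT
 service-object tcp destination eq ftp
 service-object tcp destination eq ftp-data
 service-object tcp destination eq telnet

! Assumed example host that still needs ftp/telnet
object-group network LEGACY_HOSTS
 network-object host 192.168.1.50

access-list INSIDE_OUT remark *** Allow ping (echo only, not every ICMP type) ***
access-list INSIDE_OUT extended permit icmp any any echo
access-list INSIDE_OUT remark *** Allow standard ports out ***
access-list INSIDE_OUT extended permit object-group PORTS_ALLOWED_OUT any any
access-list INSIDE_OUT remark *** Cleartext protocols only from approved hosts ***
access-list INSIDE_OUT extended permit object-group LEGACY_CLEARTEXT object-group LEGACY_HOSTS any
access-list INSIDE_OUT extended deny ip any any log

! Nothing is enforced until the ACL is bound to the interface
access-group INSIDE_OUT in interface inside

! Echo replies come back statefully only if ICMP inspection is enabled
policy-map global_policy
 class inspection_default
  inspect icmp

! Verify: hit counts per line, then a simulated telnet from a non-approved host (expect DROP)
show access-list INSIDE_OUT
packet-tracer input inside tcp 192.168.1.99 1025 203.0.113.10 23
```

The log keyword on the final deny is what produces the 106023 messages you will use to find out which other ports (445, 137, 88 from Windows hosts, for instance) are being tried outbound.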

Wednesday, 25 October 2017

Allow ssh access on cisco ASA

Make sure a domain name is set (on the ASA this is domain-name, not IOS's ip domain-name; the key pair needs it).
Generate your RSA key pair (crypto key generate rsa modulus 2048 or larger).
Make sure you allow the public IP you are coming from (ssh <ip> <mask> <interface>); do not open it to 0.0.0.0 0.0.0.0.
Make sure you have a username set up (username ... privilege 15), otherwise LOCAL authentication has nothing to match.
aaa authentication ssh console LOCAL
Force SSH version 2 (ssh version 2).
Always test from the allowed host before leaving site.
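
The steps above as one complete config, added here as an example (not from the original notes). The hostname, domain, the admin username, the management source 203.0.113.5 and the inside management range 10.0.0.0/24 are assumptions.

```cisco
! The key pair is named after hostname.domain-name, so both must exist first
hostname MYASA
domain-name example.net
! 2048-bit minimum; noconfirm skips the prompt if a key already exists
crypto key generate rsa modulus 2048 noconfirm

! Local admin account (assumed name); LOCAL auth fails closed without one
username admin password Use-A-Long-Passphrase privilege 15
aaa authentication ssh console LOCAL

! Only the management source on outside, plus the admin range on inside
ssh 203.0.113.5 255.255.255.255 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh timeout 10

! Test from the allowed host before leaving, then confirm the session is visible
show ssh sessions
show running-config ssh
```

If the connection is refused rather than timing out, the source address is outside the ssh statements; if it times out, the traffic is not reaching the interface at all.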
 

Monday, 23 October 2017

packet capture on cisco router/switch

*** Setup ACL (a single permit x -> y captures only that direction; add the reverse permit if you want both)
ip access-list extended CAP_ACL
permit ip host x host y

*** Setup buffer
monitor capture buffer CAP_BUFF circular

*** Filter the buffer with the ACL
monitor capture buffer CAP_BUFF filter access-list CAP_ACL

*** Setup the cap point and on what interface
monitor capture point ip cef CAP_POINT fa0/0 both

*** Assign the buffer to point
monitor capture point associate CAP_POINT CAP_BUFF

*** Show the setup
show monitor capture buffer CAP_BUFF

*** Start the cap
monitor capture point start CAP_POINT

*** Send the test traffic
send test traffic ping or telnet on the port etc

*** Stop the cap
monitor capture point stop CAP_POINT

*** show brief
show monitor capture buffer CAP_BUFF brief

*** export the capture to tftp server
monitor capture buffer CAP_BUFF export tftp://10.50.50.22/mycap.pcap

*** Open the pcap in wireshark


For 3850 - but it didn't work for me
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/epc/configuration/xe-16/epc-xe-16-book/nm-packet-capture-xe.html#GUID-DCB20ADF-1F8E-434B-AE97-54802879F34F
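
As an added example (not from the original notes), the classic IOS sequence above with a bidirectional filter ACL and an explicit buffer size, followed by the IOS-XE Embedded Packet Capture syntax that the 3850 and similar platforms use instead. The hosts 10.1.1.10 and 10.2.2.20, the interface names and the capture names are assumptions.

```cisco
! ---- Classic IOS (ISR/2800/2900 style)
! One permit per direction, or only x -> y is captured
ip access-list extended CAP_ACL
 permit ip host 10.1.1.10 host 10.2.2.20
 permit ip host 10.2.2.20 host 10.1.1.10
! 2 MB circular buffer, keep full frames (default element size truncates packets)
monitor capture buffer CAP_BUFF size 2048 max-size 1518 circular
monitor capture buffer CAP_BUFF filter access-list CAP_ACL
monitor capture point ip cef CAP_POINT FastEthernet0/0 both
monitor capture point associate CAP_POINT CAP_BUFF
monitor capture point start CAP_POINT
! ... generate the test traffic ...
monitor capture point stop CAP_POINT
show monitor capture buffer CAP_BUFF dump
monitor capture buffer CAP_BUFF export tftp://10.50.50.22/mycap.pcap

! ---- IOS-XE (3850 and similar): one capture object, same ACL, different verbs
monitor capture CAP interface GigabitEthernet1/0/1 both
monitor capture CAP access-list CAP_ACL
monitor capture CAP buffer circular size 10
! Auto-stop after 60 seconds so a forgotten capture does not sit on the box
monitor capture CAP limit duration 60
monitor capture CAP start
! ... generate the test traffic ...
monitor capture CAP stop
show monitor capture CAP buffer brief
monitor capture CAP export tftp://10.50.50.22/mycap.pcap
```

On IOS-XE, check show monitor capture CAP before starting; the parameters line shows whether the interface and the filter were actually accepted, which is the usual reason an EPC capture stays empty.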

Thursday, 12 October 2017

list of DHCP options and other voice bits

list of DHCP options
https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml

Common options
option 3 = router
option 6 = DNS servers
option 15 = domain_name
option 150 = TFTP server
option 128 = PXE - undefined (vendor specific)

Vendor options
Some phone systems use their own options; for example, Nortel uses 128 and 191.

How to set options
You can set them on the domain controller under DHCP -> Scope -> scope options

Cisco phone registration process
Step 1: Phone Loads Software (Image) and Starts the Configuration Process
Step 2a: Phone Sends DHCP Request
Step 2b: DHCP Server Sends DHCP Response
Step 3a: Phone Sends TFTP Request for a Configuration File
Step 3b: TFTP Server Sends the Default Configuration File
Step 4a: TFTP Server Sends the Specific Configuration File of the Phone
Step 4b: Phone Registration Finishes

Check the voice VLAN is allowed and the native VLAN matches on both sides of the trunk
Cisco
switchport mode trunk
switchport trunk allowed vlan 102
switchport trunk native vlan 102

3Com on the other side
port trunk permit vlan 102  (allowed vlan)
port trunk pvid vlan 102    (native vlan)
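
As an added example (not from the original notes), the same scope options set on a Cisco IOS DHCP server instead of the Windows domain controller, plus the two switchport shapes a phone normally hangs off: an access port with a voice VLAN, and the trunk to the 3Com switch from above. The 10.102.0.0/24 voice range, the TFTP/DNS server addresses and the interface names are assumptions.

```cisco
! Voice scope: options 3 (router), 6 (DNS), 15 (domain) and 150 (Cisco TFTP list)
ip dhcp excluded-address 10.102.0.1 10.102.0.20
ip dhcp pool VOICE
 network 10.102.0.0 255.255.255.0
 default-router 10.102.0.1
 dns-server 10.102.0.10 10.102.0.11
 domain-name voice.example.net
 option 150 ip 10.102.0.10
! Vendor options (e.g. Nortel 128/191) use the same "option N ascii|ip|hex value" form

! Phone on an access port: data untagged, voice tagged on VLAN 102 (learned via CDP/LLDP)
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 102
 spanning-tree portfast

! Trunk to the 3Com switch: allowed list and native VLAN must match its permit/pvid
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 102
 switchport trunk native vlan 102

! Verify: lease handed out, and the phone seen on the port
show ip dhcp binding
show cdp neighbors detail
show interfaces GigabitEthernet0/24 trunk
```

If the phone boots but never gets its config, option 150 (not 66) is the first thing to check on a Cisco phone; if it never gets an address at all, the native VLAN mismatch on the trunk is the usual cause.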

Wednesday, 4 October 2017

Upgrading the firepower

The old method was sensor first, then FMC.

Figure out your upgrade path first (it can save a lot of time):
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/upgrade/management-center/740/upgrade-management-center-741/planning.html#r_ftd-upgrade-path
6.4 can jump to 7.0
6.6 can jump to 7.2  (user id issues + DH groups on S2S VPNS)
7.0 can jump to 7.4
7.1 can jump to 7.6
7.2 can jump to 7.7

The new method is FMC, deploy, sensor, deploy.

Step 1
Update your VDB and geolocation database to the latest.
Run a backup and download it off the box.
It's a good idea to take screenshots of ACL and other policy rules, just in case.

Since 6.2 you need to upgrade the FMC first, then the sensor.

To upgrade from the web GUI, the FMC .sh upgrade file can be downloaded here:
Downloads Home > Products > Security > Firewalls > Firewall Management > Firepower Management Center > Virtual Appliance > FireSIGHT System Software-6.2.0


Network sensor .sh files are available here:
Downloads Home > Products > Security > Firewalls > Next-Generation Firewalls (NGFW) > ASA 5500-X with FirePOWER Services > ASA 5525-X with FirePOWER Services > FirePOWER Services Software for ASA-6.2.0



In later versions you can run a readiness check first. Most logs are under /var/log/sf.

From version 6.3.0 you can upgrade directly to major versions.
Say we are on 6.2.1 and want to go to 6.4.0.2:
we can upgrade directly to 6.4.0 and then up to 6.4.0.2.
Remember you need to deploy after each install.