http://svendsen.me/change-clish-to-bash-and-back/
what works for me
In CLISH -> type "expert"
In expert -> type "/etc/clish"
clish might be in a different location for you try "locate clish" "whereis clish"
Try "csh" or "/etc/csh"
On PH CP's
I had to do
cd $FWDIR
cd bin
cphaprob -a if
Monday, 18 December 2017
Tuesday, 12 December 2017
clear config on an interface cisco ASA
Go into conf t
clear configure interface gigabitEthernet 0/4
Sets it back like this so be careful
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
clear configure interface gigabitEthernet 0/4
Sets it back like this so be careful
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
Friday, 1 December 2017
setup syslog on cisco ASA
Syslog is UDP traffic on port 514
The ASA will send traffic on its own IP address from SRC port 514 to dst server IP and port 514
192.168.1.254.514 > 192.168.1.100.514: udp 201
Usual config to enable
logging enable
logging timestamp
logging trap debugging
logging enable
logging timestamp
logging trap debugging
logging facility 23
logging device-id ipaddress inside system
logging host INSIDE x.x.x.x
logging host INSIDE x.x.x.x
no logging hide username
Syslog over S2S VPN
First make sure the VPN is up and working
logging enable
logging timestamp
logging trap debugging
logging asdm debugging
logging device-id ipaddress inside
logging device-id ipaddress inside system (system Specifies to use the cluster system IP address of the interface to present an integrated view for all units)
Logging host can differ not sure why
logging host inside 10.36.0.200
logging host outside 10.36.0.200 (some cases I had to use outside ASA v8.2)
You will get a warning (because route is to outside) but it will work
WARNING: configured logging host interface conflicts with route table entry
You also need to have management access configured like so
management-access inside
Set route
route outside 10.36.0.200 255.255.255.255 100.100.200.200 1
Good idea to make sure you allow ssh on the outside (public IP) and inside (LAN IP) so you can SSH in and check/change settings
ssh 180.100.100.100 255.255.255.255 outside
ssh 192.168.200.200 255.255.255.255 inside
Permit host down
logging permit-hostdown
More detail
Examples:
logging host dmz1 192.168.1.5 udp 1026 format emblem
The format emblem keyword enables EMBLEM format logging for the syslog server with UDP only. The interface_name argument specifies the interface through which you access the syslog server. The syslog_ip argument specifies the IP address of the syslog server. The tcp[/ port ] or udp[/ port ] keyword and argument pair specify that the ASA and ASASM should use TCP or UDP to send syslog messages to the syslog server.
You can configure the ASA to send data to a syslog server using either UDP or TCP, but not both. The default protocol is UDP if you do not specify a protocol.
If you specify TCP, the ASA discover when the syslog server fails and as a security protection, new connections through the ASA are blocked. To allow new connections regardless of connectivity to a TCP syslog server, see Step 3. If you specify UDP, the ASA continue to allow new connections whether or not the syslog server is operational. Valid port values for either protocol are 1025 through 65535. The default UDP port is 514. The default TCP port is 1470.
logging trap debugging
Specifies which syslog messages should be sent to the syslog server. You can specify the severity level number (1 through 7) or name. For example, if you set the severity level to 3, then the ASA send syslog messages for severity levels 3, 2, and 1. You can specify a custom message list that identifies the syslog messages to send to the syslog server.
logging permit-hostdown
(Optional) If you negate this command and syslog server goes down then traffic stops flowing
logging facility 23
(Optional) Sets the logging facility to a value other than 20, which is what most UNIX systems expect.
logging buffered
Specifies which syslog messages should be sent to the internal log buffer, which serves as a temporary storage location. New messages are appended to the end of the list. When the buffer is full, that is, when the buffer wraps, old messages are overwritten as new messages are generated, unless you configure the ASA to save the full buffer to another location. To empty the internal log buffer, enter the clear logging buffer command.
logging buffer-size 16384
Changes the size of the internal log buffer. The buffer size is 4 KB.
logging savelog latest-logfile.txt
Saves the current log buffer content to the internal flash memory.
logging asdm debugging
logging console debugging
Specifies which syslog messages should be sent to the console port.
logging monitor debugging
Specifies which syslog messages should be sent to a Telnet or SSH session.
terminal monitor
Enables logging to the current session only. If you log out and then log in again, you need to reenter this command. To disable logging to the current session, enter the terminal no monitor command.
logging standby
send logs from the standby ASA as well
logging list
More here:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_syslog.html
setting up syslog on cisco router
Send commands typed to syslog
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
Send debugging logs to syslog
Send our origin id as our ip
Set facility to local0
Set source interfaces to gig0/0
Set logging host IP address of the syslog server
Switch logging on for all destinations
logging trap debugging
logging origin-id ip
logging facility local0
logging source-interface GigabitEthernet0/0
logging host x.x.x.x
logging on
Make sure your have routes to your syslog server
Also firewall rules, you need syslog (udp 514 open)
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
Send debugging logs to syslog
Send our origin id as our ip
Set facility to local0
Set source interfaces to gig0/0
Set logging host IP address of the syslog server
Switch logging on for all destinations
logging trap debugging
logging origin-id ip
logging facility local0
logging source-interface GigabitEthernet0/0
logging host x.x.x.x
logging on
Make sure your have routes to your syslog server
Also firewall rules, you need syslog (udp 514 open)
Friday, 17 November 2017
installing line cards cisco in 6500
Install 720 sup in 6500
Fully open ejector levers on the new sup
Sups should be installed in
slot5 or slot6
Remove slot cover
look inside and make sure there is enough clearance, look at cables from other slots and anything inside the 6500.
line up the card and slot it in, push in slowly
Push down and in on the levers, left one then the right one you should feel it click in.
The LEDs should be green we don't want orange or red that needs to be investigated.
Install line card
Same process as above. Cards should be hot swappable but its always a good idea to schedule a maintenance window for this work.
Fully open ejector levers on the new sup
Sups should be installed in
slot5 or slot6
Remove slot cover
look inside and make sure there is enough clearance, look at cables from other slots and anything inside the 6500.
line up the card and slot it in, push in slowly
Push down and in on the levers, left one then the right one you should feel it click in.
The LEDs should be green we don't want orange or red that needs to be investigated.
Install line card
Same process as above. Cards should be hot swappable but its always a good idea to schedule a maintenance window for this work.
Friday, 10 November 2017
Clearing cache for cisco amp
Some times you might get a false positive. Cisco will update their signatures but you might have one in your cache. To make the alert go away you have to clear cache update and scan again, it should come up clean.
Removal of the FireAMP Cache and History Files on Windows
https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118565-technote-fireamp-00.html#anc1
Clear Cache firepower FMC/sensor
Follow following steps to clear cache on DC and Sensor (from CSCuu81183):
Management Center:
SSH into the Management Center
Become root: sudo su -
# pmtool restartbyid SFDataCorrelator
# pmtool disablebyid SFDataCorrelator
# cd /etc/sf
# rm malw_cache_seed_file.dc
# pmtool enablebyid SFDataCorrelator
Firepower Device:
SSH into the Firepower device
Become root: sudo su -
# pmtool restartbyid SFDataCorrelator
# pmtool disablebyid SFDataCorrelator
# cd /etc/sf
# rm malw_cache_seed_file.sensor
# pmtool enablebyid SFDataCorrelator
# pmtool restartbytype snort
# pmtool disablebytype snort
# cd /var/sf/detection-engines/<uuid> (you can find the UUID for this step by running de_info.pl and copying the UUID for the Primary Detection Engine)
# rm -rf instance?*/malw_seed*
# pmtool enablebytype snort
Removal of the FireAMP Cache and History Files on Windows
https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118565-technote-fireamp-00.html#anc1
Clear Cache firepower FMC/sensor
Follow following steps to clear cache on DC and Sensor (from CSCuu81183):
Management Center:
SSH into the Management Center
Become root: sudo su -
# pmtool restartbyid SFDataCorrelator
# pmtool disablebyid SFDataCorrelator
# cd /etc/sf
# rm malw_cache_seed_file.dc
# pmtool enablebyid SFDataCorrelator
Firepower Device:
SSH into the Firepower device
Become root: sudo su -
# pmtool restartbyid SFDataCorrelator
# pmtool disablebyid SFDataCorrelator
# cd /etc/sf
# rm malw_cache_seed_file.sensor
# pmtool enablebyid SFDataCorrelator
# pmtool restartbytype snort
# pmtool disablebytype snort
# cd /var/sf/detection-engines/<uuid> (you can find the UUID for this step by running de_info.pl and copying the UUID for the Primary Detection Engine)
# rm -rf instance?*/malw_seed*
# pmtool enablebytype snort
Wednesday, 8 November 2017
Cisco umbrella install and setup doc's
Good Youtube setup video
https://www.youtube.com/watch?v=8B7xP6wV9dg
https://docs.umbrella.com/product/umbrella/1-ad-integration-setup-overview/
Prereqs (firewall rules)
https://docs.umbrella.com/product/umbrella/2-prerequisites/
Setting up the VA's
https://docs.umbrella.com/product/umbrella/3-setup-dns-forwarding-with-your-vas/
https://docs.umbrella.com/deployment-umbrella/docs/active-directory-integration-with-the-virtual-appliances
Troubleshoot doc's:
Troubleshoot doc's:
AD connector
https://support.umbrella.com/hc/en-us/articles/230902468-Provide-Support-with-AD-Connector-Logs
On the DC's you need to run an script (connect to VA) and install a windows service so it can look in on AD users. You also need an OpenDNS_Connector user setup in AD.
In umbrella dashboard
AD server = Script (needs to be assigned to VA after its run)
AD Connector = service
On the DC's you need to run an script (connect to VA) and install a windows service so it can look in on AD users. You also need an OpenDNS_Connector user setup in AD.
In umbrella dashboard
AD server = Script (needs to be assigned to VA after its run)
AD Connector = service
More Docs:
AD integration VA vs Roaming client
https://support.umbrella.com/hc/en-us/articles/115004651366-AD-Integration-Delivery-via-VA-vs-Roaming-Client
By default the roaming client will switch itself off when it detects a VA on the LAN with it "VA backoff" this default option can be changed.
https://support.umbrella.com/hc/en-us/articles/230901168#VirtualAppliance
Comms flow (good diagrams on how it works)
https://docs.umbrella.com/deployment-umbrella/docs/appx-a-communication-flow-and-troubleshooting
Why use VA
https://docs.umbrella.com/deployment-umbrella/docs/1-introduction#section-why-should-i-use-virtual-appliances
VA setup guide
https://docs.umbrella.com/deployment-umbrella/docs/2-prerequisites-1#section-networking-requirements
Limitations
Umbrella can't work with RDS/citrix where multiple users are logging into the same server this is because the user ID it got from the login event. The work around is to create an internal network object for that server and assign it to a policy with a higher priority. Every user will have the same access from that one policy.
https://docs.umbrella.com/deployment-umbrella/docs/8-sites-and-internal-networks
RDP, when you RDP to a server the source IP shows as the server you RDP'd from not the server you RDP'd to. This can lead to identity switching issues
Prepare AD
https://docs.umbrella.com/deployment-umbrella/docs/4-prepare-your-active-directory-environment
Summary steps
Set domain controller DNS forwarders to umbrella
208.67.222.222 (resolver1.opendns.com)
208.67.220.220 (resolver2.opendns.com)
Remove any other DNS forwarders from other ISP etc.
In each windows domain
Run the script on each DC (get files from umbrella dashboard)
Install the AD connector (get files from umbrella dashboard)
You only need to install one AD connector but two is a good idea. You can put one on each DC if you like.
Setup OpenDNS_Connector user. Record password in PW manager.
Config public IP range(s)
Config public IP ranges under deployments > core identities > networks
Install 2 VA's in VMware. (get files from umbrella dashboard)
You need 2 VA because you need to give out DNS servers
You need VA's for user ID
VA Install
Download OVA from Dashboard
Open VMware
Deploy the OVA file
Should be next, next finish to deploy the ova
CTRL + B to get into config mode
exit to get out of config mode (need to wait a little bit)
default password Is Umbrella[orgid] eg Umbrella1234567
OrgID can be got from the dashboard URL /o/123456
You will be asked to change password. Won't be able to paste. PW must be recored.
config va name <name>
config va interface <ipaddress> <netmask> <gateway>
config localdns add 192.168.1.10
config localdns add 192.168.1.20
Create firewall rules to allow your VA's and DC's out to umbrella
Ensure OSCP sites are allowed also
Assign your VA's and DCs to a site in umbrella cloud
Configure any internal domains needed (internal DNS servers need to be able to resolve)
Block top level domains (.ru .cn .cc .xyz etc)
https://docs.umbrella.com/deployment-umbrella/docs/add-top-level-domains-to-destination-lists
careful of
.co (columbia but can block .com, .co.uk as well)
.io (used by tech)
.ai (used by ai tech)
.in (India, used linked.in, logme.in)
Block anonymizer app category
Policies -> Policy components -> application settings
Edit default settings
Tick Anonymizer
Click Save
Then go to Policies -> Management -> DNS policies
Edit your policy
Edit the Application Setting applied -> Tick Anonymizer (or select default settings)
Click Save
Create umbrella DNS policies (will need customer input)
Cisco recommends most specific to least (this may not work for you but a good starting point)
1 - AD user policies (to specific users)
2 - AD group policies (to AD groups)
3 - Roaming computer (roaming computer ID's)
4 - Network / site (can setup internal networks /24 etc and /32 for hosts)
5 - Default policy (if we didn't match any other ID, give the default)
Check cloud for any issues with DCs/VA's and resolve
Set update window and upgrade VA's to latest
In the umbrella dashboard set the auto-upgrade window watch out for the time zone. Also upgrade your VA's (one at a time) to the latest software version
DNS config
Workstations and non-DC Servers
- set the DNS servers to VA IPs
DCs
- DNS servers set to loopback (127.0.0.1) and other DC IP
- External forwarders set to umb external servers 208.67.220.220 and 208.67.222.222
On Prem Mail servers
The other exception to that are mail servers, on-prem mail servers aren't as common these days:
Mail servers
- DNS servers set to loopback and other DC(s)
Change DHCP
Change DHCP/deploy a script to set all clients to use the VA's as their DNS servers.
Change firewall rules
Only allow internal DNS to VA IPs
Only allow external DNS to umbrella IPs. Block/log other DNS.
208.67.222.222 (resolver1.opendns.com)
208.67.220.220 (resolver2.opendns.com)
You may want a temp rule to allow IT to use 8.8.8.8 (google) or 1.1.1.1 (cloudflare) for testing or temp admin tasks.
Test sites
https://welcome.umbrella.com/
http://www.examplemalwaredomain.com/
internetbadguys.com
Tuesday, 7 November 2017
destination NAT on cisco ASA over VPN
My DMZ = 100.64.0.0 /24
We wanted to reach 172.20.20.10 which is on the customer side but this conflicted with a network on our side.
Decided to use 172.22.20.10 as a NAT IP.
Changes on my side
object-group network MY_LAN
network-object 100.64.0.0 255.255.255.0
object-group network NAT_NET
network-object 172.22.20.0 255.255.255.0
Added below to VPN ACL
access-list CUST_VPN_ACL extended permit ip object-group MY_LAN object-group NAT_NET
no nat
nat (DMZ,OUTSIDE) source static MY_LAN MY_LAN destination static NAT_NET NAT_NET no-proxy-arp route-lookup
Customer side:
Added to vpn
access-list MYSIDE_VPN extended permit ip object-group NAT_NET object-group MY_LAN
HOST_REAL_IP = 172.20.20.10
HOST_XLATED_IP = 172.22.20.0 /24
nat (WIFI,OUTSIDE) source static HOST_REAL_IP HOST_XLATED_IP destination static MY_LAN MY_LAN
I could ping 172.22.20.10 and it responded.
We wanted to reach 172.20.20.10 which is on the customer side but this conflicted with a network on our side.
Decided to use 172.22.20.10 as a NAT IP.
Changes on my side
object-group network MY_LAN
network-object 100.64.0.0 255.255.255.0
object-group network NAT_NET
network-object 172.22.20.0 255.255.255.0
Added below to VPN ACL
access-list CUST_VPN_ACL extended permit ip object-group MY_LAN object-group NAT_NET
no nat
nat (DMZ,OUTSIDE) source static MY_LAN MY_LAN destination static NAT_NET NAT_NET no-proxy-arp route-lookup
Customer side:
Added to vpn
access-list MYSIDE_VPN extended permit ip object-group NAT_NET object-group MY_LAN
HOST_REAL_IP = 172.20.20.10
HOST_XLATED_IP = 172.22.20.0 /24
nat (WIFI,OUTSIDE) source static HOST_REAL_IP HOST_XLATED_IP destination static MY_LAN MY_LAN
I could ping 172.22.20.10 and it responded.
Monday, 6 November 2017
test if a URL is blocked cisco umbrella
nslookup internetbadguys.com
Check the IP returned. If its one of the block IPs listed below
https://support.umbrella.com/hc/en-us/articles/115001357688-What-are-the-Cisco-Umbrella-Block-Page-IP-Addresses-
Friday, 3 November 2017
basic inside acl for cisco asa
object-group service PORTS_ALLOWED_OUT
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object udp destination eq domain (check)
service-object tcp destination eq ftp-data
service-object tcp destination eq ftp
service-object tcp destination eq telnet
service-object tcp destination eq smtp
service-object tcp destination eq 123
service-object tcp destination eq rtsp
service-object tcp destination eq 873
service-object tcp destination eq 993
access-list INSIDE_OUT remark *** Allow ping ***
access-list INSIDE_OUT extended permit icmp any any
access-list INSIDE_OUT remark *** Allow standard ports out ***
access-list INSIDE_OUT extended permit object-group PORTS_ALLOWED_OUT any any
access-list INSIDE_OUT extended deny ip any any log
88 - kerberos
445 - microsoft DS
137 - netbios
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object udp destination eq domain (check)
service-object tcp destination eq ftp-data
service-object tcp destination eq ftp
service-object tcp destination eq telnet
service-object tcp destination eq smtp
service-object tcp destination eq 123
service-object tcp destination eq rtsp
service-object tcp destination eq 873
service-object tcp destination eq 993
access-list INSIDE_OUT remark *** Allow ping ***
access-list INSIDE_OUT extended permit icmp any any
access-list INSIDE_OUT remark *** Allow standard ports out ***
access-list INSIDE_OUT extended permit object-group PORTS_ALLOWED_OUT any any
access-list INSIDE_OUT extended deny ip any any log
88 - kerberos
445 - microsoft DS
137 - netbios
Wednesday, 25 October 2017
Allow ssh access on cisco ASA
make sure ip domain name is set
generate your rsa key pair (crypto key generate)
make sure you allow the public IP you are coming from
Make sure you have username setup
aaa authentication ssh console LOCAL
Always test before leaving site
generate your rsa key pair (crypto key generate)
make sure you allow the public IP you are coming from
Make sure you have username setup
aaa authentication ssh console LOCAL
Always test before leaving site
Monday, 23 October 2017
packet capture on cisco router/switch
*** Setup ACL
ip access-list extended CAP_ACL
permit ip host x host y
*** Setup buffer
monitor capture buffer CAP_BUFF circular
*** Filter the buffer with the ACL
monitor capture buffer CAP_BUFF filter access-list CAP_ACL
*** Setup the cap point and on what interface
monitor capture point ip cef CAP_POINT fa0/0 both
*** Assign the buffer to point
monitor capture point associate CAP_POINT CAP_BUFF
*** Show the setup
show monitor capture buffer CAP_BUFF
*** Start the cap
monitor capture point start CAP_POINT
*** Send the test traffic
send test traffic ping or telnet on the port etc
*** Stop the cap
monitor capture point stop CAP_POINT
*** show brief
show monitor capture buffer CAP_BUFF brief
*** export the capture to tftp server
monitor capture buffer CAP_BUFF export tftp://10.50.50.22/mycap.pcap
*** Open the pcap in wireshark
ip access-list extended CAP_ACL
permit ip host x host y
*** Setup buffer
monitor capture buffer CAP_BUFF circular
*** Filter the buffer with the ACL
monitor capture buffer CAP_BUFF filter access-list CAP_ACL
*** Setup the cap point and on what interface
monitor capture point ip cef CAP_POINT fa0/0 both
*** Assign the buffer to point
monitor capture point associate CAP_POINT CAP_BUFF
*** Show the setup
show monitor capture buffer CAP_BUFF
*** Start the cap
monitor capture point start CAP_POINT
*** Send the test traffic
send test traffic ping or telnet on the port etc
*** Stop the cap
monitor capture point stop CAP_POINT
*** show brief
show monitor capture buffer CAP_BUFF brief
*** export the capture to tftp server
monitor capture buffer CAP_BUFF export tftp://10.50.50.22/mycap.pcap
*** Open the pcap in wireshark
For 3850 - but it didn't work for me
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/epc/configuration/xe-16/epc-xe-16-book/nm-packet-capture-xe.html#GUID-DCB20ADF-1F8E-434B-AE97-54802879F34F
Thursday, 12 October 2017
list of DHCP options and other voice bits
list of DHCP options
https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml
Common options
option 3 = router
option 6 = DNS servers
option 15 = domain_name
option 150 = TFTP server
option 128 = PXE - undefined (vendor specific)
Vendor options
some phone systems use their own option for example
nortel use 128 and 191
How to set options
You can set them on the domain controller under DHCP -> Scope -> scope options
Cisco phone registration process
Step 1: Phone Loads Software (Image) and Starts the Configuration Process
Step 2a: Phone Sends DHCP Request
Step 2b: DHCP Server Sends DHCP Response
Step 3a: Phone Sends TFTP Request for a Configuration File
Step 3b: TFTP Server Sends the Default Configuration File
Step 4a: TFTP Server Sends the Specific Configuration File of the Phone
Step 4b: Phone Registration Finishes
Check voice vlan is allow and native vlan matches
Cisco
switchport mode trunk
switchport trunk allowed vlan 102
switchport trunk native vlan 102
3Com on other side
port trunk permit vlan 102 (allowed vlan)
port trunk pvid vlan 102 (native vlan)
https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml
Common options
option 3 = router
option 6 = DNS servers
option 15 = domain_name
option 150 = TFTP server
option 128 = PXE - undefined (vendor specific)
Vendor options
some phone systems use their own option for example
nortel use 128 and 191
How to set options
You can set them on the domain controller under DHCP -> Scope -> scope options
Cisco phone registration process
Step 1: Phone Loads Software (Image) and Starts the Configuration Process
Step 2a: Phone Sends DHCP Request
Step 2b: DHCP Server Sends DHCP Response
Step 3a: Phone Sends TFTP Request for a Configuration File
Step 3b: TFTP Server Sends the Default Configuration File
Step 4a: TFTP Server Sends the Specific Configuration File of the Phone
Step 4b: Phone Registration Finishes
Check voice vlan is allow and native vlan matches
Cisco
switchport mode trunk
switchport trunk allowed vlan 102
switchport trunk native vlan 102
3Com on other side
port trunk permit vlan 102 (allowed vlan)
port trunk pvid vlan 102 (native vlan)
Wednesday, 4 October 2017
Upgrading the firepower
New method is FMC, deploy, sensor, deploy.
Step1
Update your VDB and geolocation to the latest.
Run a backup and download
Its a good idea to take screenshots of ACL and other policy settings rules just in case.
Since 6.2 you need to upgrade FMC first, then sensor.
To upgrade from the web GUI the FMC sh upgrade file can be downloaded here
Downloads Home > Products > Security > Firewalls > Firewall Management > Firepower Management Center > Virtual Appliance > FireSIGHT System Software-6.2.0
See here
Network sensor sh files available here
Downloads Home > Products > Security > Firewalls > Next-Generation Firewalls (NGFW) > ASA 5500-X with FirePOWER Services > ASA 5525-X with FirePOWER Services > FirePOWER Services Software for ASA-6.2.0
see here
In later versions you can run a readiness check first. Most logs are found in /var/log/sf
From version 6.3.0 you can upgrade direct to major versions
Lets say we are on 6.2.1 and want to go to 6.4.0.2
We can upgrade directly to 6.4.0 and then up to 6.4.0.2
Remember you need to deploy after each install.
Wednesday, 27 September 2017
enable Microsoft NLB on cisco switch
Microsoft don't follow the rules of some RFC and Cisco doesn't like it
Some things we need from the server admin first
Real servers IP + MAC
Cluster (virtual) IP + MAC
real server1: 192.168.64.11
real server2 192.168.64.12
cluster ip: 192.168.64.13
Confirm the mac addresses and see what vlan they are on
sh arp | i 192.168.64.11
sh arp | i 192.168.64.12
See what ports those mac addresses are seen on (if its a trunk to another switch then you'll have to do same config over there)
sh mac address-table | i xxxx.xxxx.xxxx
sh mac address-table | i yyyy.yyyy.yyyy
Create static mapping for the cluster IP to cluster MAC
arp 192.168.64.13 zzzz.zzzz.zzzz ARPA
Create static mapping for cluter mac to the ports where the real servers are
mac-address-table static zzzz.zzzz.zzzz vlan 64 interface GigabitEthernet5/1
You should be able to ping the cluster IP now (you might have to visit other switches)
ping 192.168.64.13
Some things we need from the server admin first
Real servers IP + MAC
Cluster (virtual) IP + MAC
real server1: 192.168.64.11
real server2 192.168.64.12
cluster ip: 192.168.64.13
Confirm the mac addresses and see what vlan they are on
sh arp | i 192.168.64.11
sh arp | i 192.168.64.12
See what ports those mac addresses are seen on (if its a trunk to another switch then you'll have to do same config over there)
sh mac address-table | i xxxx.xxxx.xxxx
sh mac address-table | i yyyy.yyyy.yyyy
Create static mapping for the cluster IP to cluster MAC
arp 192.168.64.13 zzzz.zzzz.zzzz ARPA
Create static mapping for cluter mac to the ports where the real servers are
mac-address-table static zzzz.zzzz.zzzz vlan 64 interface GigabitEthernet5/1
You should be able to ping the cluster IP now (you might have to visit other switches)
ping 192.168.64.13
Thursday, 21 September 2017
troubleshooting wifi networks
Restrict your APs to use channels 1, 6, and 11. If they can use them all they hop around the place and often end up in the wrong place.
Check controller, check uptime.
Check controller and AP uplinks
Are WLANs properly segregated ?
Download and install Inssider and review other networks. Around. Watch during the time of the issue are other networks appearing ?
Signal strength (db)
closer to 0 is better
acceptable range
-30 to -90
I get -40 when right beside the AP
-30 to -50 = good
-60 to -70 = decent
you want at east -75
-70 to -90 will work but performance will be bad
Are clients 2.4G or 5G ? Is there lots of networks on 2 but 5 is free ?
Are all devices compatible
If you are still having issues. You can look at other radio waves interfering but need more hardware (see inssider and wispy)
Check controller, check uptime.
Check controller and AP uplinks
Are WLANs properly segregated ?
Download and install Inssider and review other networks. Around. Watch during the time of the issue are other networks appearing ?
Signal strength (db)
closer to 0 is better
acceptable range
-30 to -90
I get -40 when right beside the AP
-30 to -50 = good
-60 to -70 = decent
you want at east -75
-70 to -90 will work but performance will be bad
Are clients 2.4G or 5G ? Is there lots of networks on 2 but 5 is free ?
Are all devices compatible
If you are still having issues. You can look at other radio waves interfering but need more hardware (see inssider and wispy)
Wednesday, 20 September 2017
failed to locate egress interface for ... on cisco asa
Came across this issue. Couldn't ssh over the VPN. They had set management-access OUTSIDE but ssh was blocked on the outside by the provider.
needed management-access INSIDE
I could ssh over the VPN
I could still connect the ASDM over the public IP
https://supportforums.cisco.com/t5/vpn/failed-to-locate-egress-interface/td-p/2323400
needed management-access INSIDE
I could ssh over the VPN
I could still connect the ASDM over the public IP
https://supportforums.cisco.com/t5/vpn/failed-to-locate-egress-interface/td-p/2323400
Wednesday, 13 September 2017
DNS checking website
https://www.whatsmydns.net/
useful for checking if 3rd party has created the txt record or not when setting up SSL certs with godaddy.
the txt record needs to be created on the main .domain.com not subdomain.domain.com
useful for checking if 3rd party has created the txt record or not when setting up SSL certs with godaddy.
the txt record needs to be created on the main .domain.com not subdomain.domain.com
Thursday, 24 August 2017
stacking cisco switches
Before ordering
- Visual inspection of the racks
- Can we space the stack 1u apart from each member
- Usually need one 3m stack cable (top<->bottom), do we need to more ?
- Do we have power is it normal plug or female power cable ?
- Are power cables cisco notch or not ?
After the gear arrives we need to visit site to do the following:
• Check we got everything in the delivery.
• Unbox all the gear, take a picture of the serials.
• Check the power cables make sure they didn't ship the EU ones.
• Check if we got the correct power cables, do they matchup with what’s available in the racks, normal sockets or UPS (C13)
• Install any network modules and SFPs• Put the ears on get the stack going (See building the stack below)
• Provision and set priority (See building the stack below)
• If we have dual power supplies, can the racks accommodate the extra cables?
• Check the front of the rack, could the switch be replaced are there any network cables in the way?
• Is there room to install the new stack with a space between each switch?
• Check the back of the rack, keep in mind new switches are longer and stack cables come out further, can the switch be replaced, any cables in the way?
• Get a backup of the config on the current stack
• Take note of VLANs and trunk ports
Next site visit
• Convert the config
• Install the new switches in the rack
• Swap over cables
• Deal with any issues after end user testing
Building the stack
All switches need to be on the same licence and software before they will form a stack.
Boot one switch at a time and run the licence command below and check the software version.
Download and update the software version to latest stable release recommended by cisco if required.
It will need a reboot after running it. Also switch provision / priority.
WR and shut them all down.
Connect stack cables, boot master first, 10 seconds and boot the rest
Commands
license right-to-use activate ipservices all acceptEULA
switch 1 provision ws-c3850-48p (? Get the switch make by sh ver and enter that here)
switch 2 provision ws-c3850-48p
conf t
switch 1 priority 15
switch 2 priority 14
Top left to bottom right
right to next left
right to next lefts
continue until finished
Power stack cabling
Yellow cable -> yellow port
Green -> green
Copying the bin file from tftp server on my laptop to switch
copy tftp://10.56.3.200/cat3k_caa-universalk9.16.03.03.SPA.bin flash:
Install modes
Bundle Mode = BIN FILE
The switch can't boot an image over 400mb. The later images are nearly 500mb. Bundle mode the bin file is extracted into memory on boot. Install mode the bin file is extracted to several packages with a packages.conf pointing to the packages. Install mode is the recommended.
Converting BUNDLE -> INSTALL
request platform software package expand switch 1 file flash:cat3k_caa-universalk9.16.03.03.SPA.bin to flash:
Copy the bin and extract on all switches in the stack
Set your boot to packages.conf
boot system switch all flash:packages.conf
Enable the stack port
In rare cases the switch might ship with stack port disabled
switch 1 stack port 1 enable
sh switch
Auto upgrade other switches
software auto-upgrade
wr
Stack show commands
show switch
show switch 2
show switch detail
show switch nei
show switch stack-ports
show switch stack-ports summary - to see cable lengths
show redundancy
show redundancy state
More on upgrading the stack
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-8/release_notes/ol-16-8-3850.html#id_67699
Saturday, 12 August 2017
renumbering switch stacks
Boot up one switch set it as master (priority 15)
set all its other values
Boot up second switch set it as backup (pri 14)
and other values
Create the stack between the two devices.
Now add other switches to the stack and give them numbers etc.
set start priorty
provision switch 1 ws-3850-u etc
switch 2 renumber switch 1
Once you swap switch numbers you can't swap them again
Make the swaps you can
write mem
reload (takes about 10mins on 3850)
Check again
sh switch
Move the remaining switches
set all its other values
Boot up second switch set it as backup (pri 14)
and other values
Create the stack between the two devices.
Now add other switches to the stack and give them numbers etc.
set start priorty
provision switch 1 ws-3850-u etc
switch 2 renumber switch 1
Once you swap switch numbers you can't swap them again
Make the swaps you can
write mem
reload (takes about 10mins on 3850)
Check again
sh switch
Move the remaining switches
Wednesday, 26 July 2017
Cisco ASA some hardening commands
Hardware
At time of writing the old ASA hardware should be replaced. I would recommended the palo alto firewalls as the best layer7/application firewall at the moment. You can replace with Cisco FTD/FMC but in my opinion the product hasn't matured yet. You can also purchase an FTD firewall and install the ASA code on it so it operates just like old ASA, however you lose the application/IPS(snort) features for FTD/FMC. If you need this you would want a separate IPS/IDS system.
Software
Upgrade to the latest recommended release for ASA/ASDM/anyconnect software.
The latest recommended release is likely to be more stable
The very latest release will have the latest bug/security fixes but might contain unknown bugs.
Its a call you'll have to make which to use latest or latest recommended. Most people take the cautious approach and use latest recommended.
https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#id_65776
ASDM
Some would recommend to disable ASDM as it provides a larger attack surface. However, it is also very useful for day-to-day operation, troubleshooting and management so you will need to make a judgement call/business decision on that. Staff my not have the skills to administer via CLI only. Somethings are just much easier to do in ASDM like certs and anyconnect config. You can move it to a port like 8080 but it won't provide any security benefit.
If you are using ssh key-exchange group dh-group14-sha1 you may get a warning "the first key-exchange algorithm supported by the server is". Change this to
ssh key-exchange group dh-group14-sha256
This command sets the Diffie-Hellman group to be used for key exchange. Group 14 is a 2048-bit group, which provides strong security.
You may need to upgrade the sofware on your ASA to get the latest ciphers
Lock down your SSH access only allow it from certain IP's or networks on the INSIDE/OUTSIDE.
ssh 200.30.40.1 255.255.255.255 OUTSIDE
ssh 192.168.100.10 255.255.255.255 INSIDE
The most cautious approach would be to not allow SSH from outside/internet but again this is a decision to be made. I would allowed it but lock to only trusted IPs.
Authentication
Authentication
You should try to move away from local accounts with passwords that don't change. If you must use local accounts then make sure you use type 9 (at time of writing stronger encryption). You will need to keep local accounts for emergency situations but they should not be used for day to day operations. Ideally we would get an alert if someone logged in with a local account.
Consider radius so windows/network username and password is used to login. Requires setup and config of NPS or radius server in your windows environment. User passwords can be set to a PW policy and set to expire etc. Access can be controlled with AD groups etc.
The best thing to use is 2FA like Cisco Duo. Duo makes setting up 2FA easier than most vendors like RSA. Also requires Duo server/config/setup. Duo is free for up to 7 users then there is a cost. With this setup when you login you also get a prompt on your phone to confirm its you. If a hacker manages to get a password they still can't login as they can't complete the 2FA as you have your phone.
I do usually recommend to leave the console authentication access as local. So remote SSH connections are using radius/2FA but console connections at the physical firewall will use local username and password. This is in case of a network down emergency where you need to get in. You can secure access to your console port by choosing a secure datacentre or if in your own office locked server room with keypad/fob lock and CCTV etc.
Telnet
Telnet
Telnet should be disabled and not used its not secure (sends password in plain text on the wire)
no telnet 192.168.1.0 255.255.255.0 inside
Disable aggressive mode VPNs (PSK is transferred in plain text)
crypto ikev1 am-disable
Disable aggressive mode VPNs (PSK is transferred in plain text)
crypto ikev1 am-disable
or
crypto isakmp am-disable
crypto isakmp am-disable
router:
crypto isakmp aggressive-mode disable
SSL/TLS
SSL and TLS both get called SSL as a general term.
TLS has replaced SSL.
SSL/TLS
SSL and TLS both get called SSL as a general term.
TLS has replaced SSL.
SSLv2 and SSLv3 are old/defunct (TLS1.0 and TLS1.1 also gone now)
Latest version of TLS (at time of writing) is v1.2 and you should be using this everywhere. If possible.
Anyconnect 3.x doesn't support tlsv1.2, only anyconnect 4.x does.
Latest version of TLS (at time of writing) is v1.2 and you should be using this everywhere. If possible.
Anyconnect 3.x doesn't support tlsv1.2, only anyconnect 4.x does.
You may need to buy anyconnect APEX license for your ASA to get access to download anyconnect 4 software.
Use tlsv1.2 when acting as a server (you need anyconnect 4.x for tlsv1.2)
ssl server-version tlsv1.2
Use tlsv1.2 when acting as a server (you need anyconnect 4.x for tlsv1.2)
ssl server-version tlsv1.2
This command sets the minimum TLS version for incoming SSL connections to the ASA. It ensures that the ASA will only accept TLS 1.2 or higher for connections to its services (e.g., ASDM, AnyConnect VPN).
Use tlsv1.2when acting as a client (you need anyconnect 4.x for tlsv1.2)
ssl client-version tlsv1.2
Use tlsv1.2when acting as a client (you need anyconnect 4.x for tlsv1.2)
ssl client-version tlsv1.2
outgoing SSL connections initiated by the ASA. It ensures that the ASA will only use TLS 1.2 or higher when connecting to other servers.
Select SSL ciphers for outbound connections (these may change over time)
ssl cipher default custom "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA"
Inbound tlsv1 (negate this command to disable tlsv1)
ssl cipher tlsv1 fips
Inbound tlsv1.1 ciphers (negate this command to disable tlsv1.1)
ssl cipher tlsv1.1 fips
Inbound tlsv1.2 ciphers (this is the one you should use)
ssl cipher tlsv1.2 fips
Select SSL ciphers for outbound connections (these may change over time)
ssl cipher default custom "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA"
Inbound tlsv1 (negate this command to disable tlsv1)
ssl cipher tlsv1 fips
Inbound tlsv1.1 ciphers (negate this command to disable tlsv1.1)
ssl cipher tlsv1.1 fips
Inbound tlsv1.2 ciphers (this is the one you should use)
ssl cipher tlsv1.2 fips
This command specifies the cipher suite to be used for TLS 1.2 connections. The "high" keyword indicates that only strong ciphers will be used.
Inbound dtlsv1 (used by anyconnect 4.x)
ssl cipher dtlsv1 custom "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA"
Inbound dtlsv1 (used by anyconnect 4.x)
ssl cipher dtlsv1 custom "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA"
This command specifies the cipher suite to be used for DTLS 1.2 connections. The "high" keyword indicates that only strong ciphers will be used.
Summary of commands
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher dtlsv1.2 high
ssl cipher tlsv1.2 high
ssl dh-group group14
show ssl
nmap -p 443 --script ssl-enum-ciphers X.X.X.X
Turn on RPF (block spoofing)
ip verify reverse-path interface interface_name
Remove old VPN encryption/hashing algorithms
3des and sha1 have been broken.
eg no crypto ipsec ikev1 transform-set LOW esp-3des esp-sha-hmac
Keep in mind if you have VPNs that use this transform set LOW and you removed it, you would break all of those VPNs. You should migrate them to the latest algorithms. That can turn into a bit of a project dealing with 3rd parties trying to get them to update their VPN settings.
Turn on RPF (block spoofing)
ip verify reverse-path interface interface_name
Remove old VPN encryption/hashing algorithms
3des and sha1 have been broken.
eg no crypto ipsec ikev1 transform-set LOW esp-3des esp-sha-hmac
Keep in mind if you have VPNs that use this transform set LOW and you removed it, you would break all of those VPNs. You should migrate them to the latest algorithms. That can turn into a bit of a project dealing with 3rd parties trying to get them to update their VPN settings.
Most VPNs are running on IKEv1 but this has been replaced by IKEv2. To migrate all your VPNs you would need to involve third parties that would turn into a project deepening on how many VPNs you have.
Find and remove "permit ip any any" type rules
Its a common one to find a FULL_INTERNET_ACCESS_GROUP or IT_ADMINS that should be removed. Another common thing people like to do is remove the global NAT so no one has internet access. You provide a NAT to your proxy server (and other servers that need a public IP), deploy the proxy with GPO forcing everyone to use the proxy. You can run into issues here with software updates and licensing etc. Most modern proxies can allow MS and adobe updates. If you are forced to use a full access group it should be time based or regularly checked that its disabled. It should only be used as a last resort. Vendors should be able to provider what ports/IPs their software needs access to to update and license.
Find and remove "permit ip any any" type rules
Its a common one to find a FULL_INTERNET_ACCESS_GROUP or IT_ADMINS that should be removed. Another common thing people like to do is remove the global NAT so no one has internet access. You provide a NAT to your proxy server (and other servers that need a public IP), deploy the proxy with GPO forcing everyone to use the proxy. You can run into issues here with software updates and licensing etc. Most modern proxies can allow MS and adobe updates. If you are forced to use a full access group it should be time based or regularly checked that its disabled. It should only be used as a last resort. Vendors should be able to provider what ports/IPs their software needs access to to update and license.
Principle of least privilege
https://en.wikipedia.org/wiki/Principle_of_least_privilege
It seems like a simple idea to follow. Only allow the access that is needed. However often small software vendors don't even know what ports their application uses. When IT admins are trying to get a system working they often allow too many ports or full access in an attempt to get something working. Often these "temp" rules get forgotten about and sysadmin is onto the next p1 issue. You need to replace these with rules allow the correct source + destination on the correct ports/protocols. This can turn into a project depending on how big your ruleset is. You would need to speak with each business unit and gather info on what apps are needed and create the correct rules etc.
Lock down DNS
Most malware/botnets are using multiple dns names like botnethome.cc as a way to contact the bot herder. Similar to removing the global nat. Block all DNS requests and only allow DNS requests to your authorised DNS servers. That way malware can't use 8.8.8.8 or their own public DNS server to lookup their CnC domains. Cisco umbrella is a good product here for DNS protection. Only allow DNS requests from the LAN to the cisco umbrella VA's (DNS servers). Only allow the VA's out to the cisco umbrella public DNS. All other DNS should be blocked. This way if malware tries to look up botnethome.cc it will pass through your systems where it can be logged/blocked and alert you to an issue. DNSfilter is a cheaper alternative, I haven't used it myself though 1$ per user.
Get a security company to run tests / audits
The best thing to do is get an outside security company to run scans/test/audit on your ASA. Best to contract an IT security company to run the audit. Your MSP might like to say everything is fine and they have been doing a great job keeping the FW updated. You can use your existing MSP company to fix the issues the audit raises. They will let you know what issues you have and should fix. Often these companies will just run an out of the box tool and forward you the report it generates and a nice big bill. There are many tools you can use to do it yourself for example:
https://www.titania.com/products/nipper/ (for ASA)
https://www.tenable.com/products/nessus (for general vulnerabilities)
The advantage with using an IT security company is they will be able to explain each issue and let you know how serious it is and give advice on remediation.
Some tools work better with different firewalls. Palo alto have their own BPA tool which is free and very good.
Cisco active adviser
Cisco active advisor
install desktop app
install dot net 4.6.2
needs java also but was not asked
must have access to all network gear on (create FW rules)
SSH (tcp 22)
HTTPS (tcp 443)
HTTP (tcp 80)
Telnet (tcp 23)
add login username + password
for enable password leave the username space blank
can use subnets 192.168.0.0/24
It takes about 4 days to scan a /16 network
If the host name is blank it is probably part of a switch stack
commands run by CAA (all show commands so no risk)
show arp
show cdp neighbors
show health-monitor
show inventory
show ip int brief
show int description
show mac address-table [synchronize statistics]
show module switch [1|2]
show running-config [all]
show switch
show system
show tech-support wireless (if successful also then runs "show tech-support")
show version
show vtp [status|password]
It has some issues logging into older devices.
install desktop app
install dot net 4.6.2
needs java also but was not asked
must have access to all network gear on (create FW rules)
SSH (tcp 22)
HTTPS (tcp 443)
HTTP (tcp 80)
Telnet (tcp 23)
add login username + password
for enable password leave the username space blank
can use subnets 192.168.0.0/24
It takes about 4 days to scan a /16 network
If the host name is blank it is probably part of a switch stack
commands run by CAA (all show commands so no risk)
show arp
show cdp neighbors
show health-monitor
show inventory
show ip int brief
show int description
show mac address-table [synchronize statistics]
show module switch [1|2]
show running-config [all]
show switch
show system
show tech-support wireless (if successful also then runs "show tech-support")
show version
show vtp [status|password]
It has some issues logging into older devices.
Wednesday, 12 July 2017
tunnel interface not working gre
I've had issues with GRE tunnel and vdsl using tunnel interface not working
Even though settings are correct the tunnel interface seems to be holding onto old settings
Remove the tunnel interface and put it back with a different name
Even though settings are correct the tunnel interface seems to be holding onto old settings
Remove the tunnel interface and put it back with a different name
SSL cert decorder
https://www.sslshopper.com
Digicert have an application you can download for windows too
openssl can be used on linux
Monday, 10 July 2017
SAN certs
Standard SSL cert = web.domain.com
Wildcard cert = *.domain.com
Unlimited sub domains.
SAN cert = up.domain.com
to.domain.com
five.domain.com
in-these.domain.com
certs.domain.com
Up to 5 sub domains
Generally used with phone systems
Some companies use them to cover their standard sub domains
webmail.domain.com
mx.domain.com
remote.domain.com
Wildcard cert = *.domain.com
Unlimited sub domains.
SAN cert = up.domain.com
to.domain.com
five.domain.com
in-these.domain.com
certs.domain.com
Up to 5 sub domains
Generally used with phone systems
Some companies use them to cover their standard sub domains
webmail.domain.com
mx.domain.com
remote.domain.com
read csr information in linux
Extract information from the CSR
$ openssl req -in shellhacks.com.csr -text -noout
Verify the signature
$ openssl req -in shellhacks.com.csr -noout -verify
Whom the certificate will be issued to?
$ openssl req -in shellhacks.com.csr -noout -subject
Show the public key
$ openssl req -in shellhacks.com.csr -noout -pubkey
get public ip from cmd on windows
nslookup myip.opendns.com resolver1.opendns.com
You can also use this script to write it to a file. Then you can use bginfo to display it on the desktop.
'<script language="vbscript">
' Set the URL where we can get the public IP
const URL = "http://ifconfig.me/all.xml"
set xmldoc = CreateObject("Microsoft.XMLDOM")
xmldoc.async=false
xmldoc.load(URL)
' Loop to get the public IP from the XML
for each x in xmldoc.documentElement.childNodes
if x.NodeName = "ip_addr" then
myip = x.text
end if
next
' echo for testing
'wscript.echo myip
'Output IP to file so bginfo can read it
Set objFSO=CreateObject("Scripting.FileSystemObject")
outFile="P:\Users\jack\Documents\scripts\ext-ip.txt"
Set objFile = objFSO.CreateTextFile(outFile,True)
objFile.Write myip
objFile.Close
You can also use this script to write it to a file. Then you can use bginfo to display it on the desktop.
'<script language="vbscript">
' Set the URL where we can get the public IP
const URL = "http://ifconfig.me/all.xml"
set xmldoc = CreateObject("Microsoft.XMLDOM")
xmldoc.async=false
xmldoc.load(URL)
' Loop to get the public IP from the XML
for each x in xmldoc.documentElement.childNodes
if x.NodeName = "ip_addr" then
myip = x.text
end if
next
' echo for testing
'wscript.echo myip
'Output IP to file so bginfo can read it
Set objFSO=CreateObject("Scripting.FileSystemObject")
outFile="P:\Users\jack\Documents\scripts\ext-ip.txt"
Set objFile = objFSO.CreateTextFile(outFile,True)
objFile.Write myip
objFile.Close
Wednesday, 5 July 2017
static port nat on cisco router
Label your interfaces
int dialer 1
ip nat outside
int inside
ip nat inside
ip nat inside source static tcp 192.168.4.10 8080 interface dialer 1 8080
This will nat the public IP of dialer1 port 8080 to 192.168.4.10 port 8080
int dialer 1
ip nat outside
int inside
ip nat inside
ip nat inside source static tcp 192.168.4.10 8080 interface dialer 1 8080
This will nat the public IP of dialer1 port 8080 to 192.168.4.10 port 8080
Tuesday, 4 July 2017
IOException when trying to connect cisco IPS with Cisco IME
When trying to connect to an old IPS the self signed cert is old and not liked by java/web browser.
I already had tried updating java and adding the IP to the java security exceptions list but it didn't resolve.
The fix was as follows:
Log into the ASA and go into enable mode
Run "Session ips console" to get into the IPS
tls generate-key
Log back into IPS via the Cisco IME software
https://popravak.wordpress.com/2014/03/10/ioexception-when-trying-to-connect-to-cisco-ips/
I had to get updated lic file from 'licensing@cisco.com' and manually apply it.
Once that was done I manually uploaded the latest signature file (wouldn't apply without updated license)
I found that auto updates won't work unless you have at least version 7.1(11)E4 this is because cisco switched to using SHA2. You need to update the software on the IPS to resolve.
Updating the IPS
Backup your config first (need IP config etc)
Update the secondary ASA/IPS
Need to setup again
Apply license
Apply signature
Failover
Update the primary ASA/IPS
Failback
Make sure to update the secondary ASA first
http://www.cisco.com/c/en/us/support/docs/security/intrusion-prevention-system/116155-configure-product-00.html#anc9
Make sure to download the correct file for your ASA. I had 5515 and needed the .aip file.
https://software.cisco.com/download/release.html?mdfid=283674966&flowid=24482&softwareid=282549758&release=7.1(11)E4&relind=AVAILABLE&rellifecycle=&reltype=all
Enter the sw-module module ips recover configure image disk0:/imagename.aip
I already had tried updating java and adding the IP to the java security exceptions list but it didn't resolve.
The fix was as follows:
Log into the ASA and go into enable mode
Run "Session ips console" to get into the IPS
tls generate-key
Log back into IPS via the Cisco IME software
https://popravak.wordpress.com/2014/03/10/ioexception-when-trying-to-connect-to-cisco-ips/
I had to get updated lic file from 'licensing@cisco.com' and manually apply it.
Once that was done I manually uploaded the latest signature file (wouldn't apply without updated license)
I found that auto updates won't work unless you have at least version 7.1(11)E4 this is because cisco switched to using SHA2. You need to update the software on the IPS to resolve.
Updating the IPS
Backup your config first (need IP config etc)
Update the secondary ASA/IPS
Need to setup again
Apply license
Apply signature
Failover
Update the primary ASA/IPS
Failback
Make sure to update the secondary ASA first
http://www.cisco.com/c/en/us/support/docs/security/intrusion-prevention-system/116155-configure-product-00.html#anc9
Make sure to download the correct file for your ASA. I had 5515 and needed the .aip file.
https://software.cisco.com/download/release.html?mdfid=283674966&flowid=24482&softwareid=282549758&release=7.1(11)E4&relind=AVAILABLE&rellifecycle=&reltype=all
Enter the sw-module module ips recover configure image disk0:/imagename.aip
Thursday, 29 June 2017
tnsping works but connectivity fails TNS-12502
Had an issue with an oracle database
tnsping worked but connecting to the database failed.
This oracle setup used some VIPs (Scan IPs) and real DB server IP's.
Only access to the scan IP's was requested so FW was blocking the rest.
TNS-12502 error was returned from the server.
The way I could see it working in the packet captures was the client connects to the scan ip which returns the IP of the real DB server, then the client connects to the real DB server IP.
So TNSping worked, however when they tried to connect to the DB server it failed
To resolve grant access to all VIPs and real server IPs
tnsping worked but connecting to the database failed.
This oracle setup used some VIPs (Scan IPs) and real DB server IP's.
Only access to the scan IP's was requested so FW was blocking the rest.
TNS-12502 error was returned from the server.
The way I could see it working in the packet captures was the client connects to the scan ip which returns the IP of the real DB server, then the client connects to the real DB server IP.
So TNSping worked, however when they tried to connect to the DB server it failed
To resolve grant access to all VIPs and real server IPs
Wednesday, 7 June 2017
configure BVI (bridge-group) on ASA5506X
Step 1: Upgrade ASA to 9.7 (asdm 771) You need 9.8 otherwise BVI doesn't work with VPNs :( really disappointed with the ASA5506.
Step 2: Take a backup of your current config, If you have already created your inside interface you need to clear it out. You will lose some other config when you do this (NAT, DHCP etc).
Step3 : Create the BVI virtual interface (the number will match the bridge-group number we use later to assign ports)
interface BVI2
nameif inside
security-level 100
ip address 10.32.11.254 255.255.255.0
Step 4: Assign other ports to the bridge group (bridge-group 2 matches with BVI2 interface number) you need to give each port a nameif or it won’t work (don’t ask me how I know that)
interface GigabitEthernet1/2
bridge-group 2
nameif inside_1
security-level 100
interface GigabitEthernet1/8
bridge-group 2
nameif inside_2
security-level 100
Step 5: Setup your DHCP / ACL’s / NATs again as it might have gotten cleared out
dhcpd address 10.32.11.10-10.32.11.199 inside
dhcpd dns 10.32.0.4 10.32.0.5 interface inside
dhcpd enable inside
Step 2: Take a backup of your current config, If you have already created your inside interface you need to clear it out. You will lose some other config when you do this (NAT, DHCP etc).
Step3 : Create the BVI virtual interface (the number will match the bridge-group number we use later to assign ports)
interface BVI2
nameif inside
security-level 100
ip address 10.32.11.254 255.255.255.0
Step 4: Assign other ports to the bridge group (bridge-group 2 matches with BVI2 interface number) you need to give each port a nameif or it won’t work (don’t ask me how I know that)
interface GigabitEthernet1/2
bridge-group 2
nameif inside_1
security-level 100
interface GigabitEthernet1/8
bridge-group 2
nameif inside_2
security-level 100
Step 5: Setup your DHCP / ACL’s / NATs again as it might have gotten cleared out
dhcpd address 10.32.11.10-10.32.11.199 inside
dhcpd dns 10.32.0.4 10.32.0.5 interface inside
dhcpd enable inside
Tuesday, 30 May 2017
Monday, 22 May 2017
source NAT on juniper SSG
I wanted to source NAT my traffic so it appears to come from 10.58.x.x range so it could go over my VPN.
I was able to do this with a DIP on juniper. The DIP must be created on the tunnel interface which is attached to the VPN that we want to travel over.
Since the tunnel interface is unnumbered I confgured the extended IP
10.58.254.1 /24 (I know this range is free)
For the DIP range I gave 10.58.254.2 - 10.58.254.254
set interface tunnel.4 ext ip 10.58.254.1 255.255.255.0 dip 4 10.58.254.2 10.58.254.254
You need a policy to allow the traffic and do the NAT.
The policy should be at the top so other rules won't overlap/interfere.
The policy should be at the top so other rules won't overlap/interfere.
set policy id 123 from "Trust" to "Untrust" "LOCAL_NETS_2_NAT" "REMOVE_VPN_NETS" "ANY" nat src dip-id 4 permit log
The 10.58.x.x/16 network already had a policy to allow the traffic and was already in the encryption domain.
Did a debug flow basic and it seems to have worked, will test now.
WebGUI
Network -> Interfaces -> Edit tunnel.4
DIP tab -> New
Fill in IP range 10.58.254.2 - 10.58.254.254
Select port translation
Select in the same subnet as the extended IP fill in 10.58.254.1/24
Create you NAT policy
Policy -> Policies
Select source and destination networks
Service = ANY
Action = Permit
Click Advanced button
Tick Source Translation
Select the DIP you created on tun.4
Click ok
Subscribe to:
Posts (Atom)