Install Sup720 in 6500
Fully open the ejector levers on the new sup.
Sups should be installed in slot 5 or slot 6.
Remove the slot cover.
Look inside and make sure there is enough clearance; check the cables from other slots and anything else inside the 6500.
Line up the card and slot it in, pushing in slowly.
Push down and in on the levers, the left one then the right one; you should feel it click in.
The LEDs should be green. We don't want orange or red; that needs to be investigated.
Install line card
Same process as above. Cards should be hot swappable but it's always a good idea to schedule a maintenance window for this work.
Friday, 17 November 2017
Friday, 10 November 2017
Clearing cache for Cisco AMP
Sometimes you might get a false positive. Cisco will update their signatures, but you might still have the old detection in your cache. To make the alert go away you have to clear the cache, update and scan again; it should then come up clean.
Removal of the FireAMP Cache and History Files on Windows
https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118565-technote-fireamp-00.html#anc1
Clear cache on Firepower FMC/sensor
Follow these steps to clear the cache on the DC (Management Center) and the sensor (from CSCuu81183):
Management Center:
SSH into the Management Center
Become root: sudo su -
# pmtool restartbyid SFDataCorrelator
# pmtool disablebyid SFDataCorrelator
# cd /etc/sf
# rm malw_cache_seed_file.dc
# pmtool enablebyid SFDataCorrelator
Firepower Device:
SSH into the Firepower device
Become root: sudo su -
# pmtool restartbyid SFDataCorrelator
# pmtool disablebyid SFDataCorrelator
# cd /etc/sf
# rm malw_cache_seed_file.sensor
# pmtool enablebyid SFDataCorrelator
# pmtool restartbytype snort
# pmtool disablebytype snort
# cd /var/sf/detection-engines/<uuid>
(find the UUID for this step by running de_info.pl and copying the UUID of the Primary Detection Engine)
# rm -rf instance?*/malw_seed*
# pmtool enablebytype snort
Wednesday, 8 November 2017
Cisco Umbrella install and setup docs
Good YouTube setup video
https://www.youtube.com/watch?v=8B7xP6wV9dg
https://docs.umbrella.com/product/umbrella/1-ad-integration-setup-overview/
Prereqs (firewall rules)
https://docs.umbrella.com/product/umbrella/2-prerequisites/
Setting up the VAs
https://docs.umbrella.com/product/umbrella/3-setup-dns-forwarding-with-your-vas/
https://docs.umbrella.com/deployment-umbrella/docs/active-directory-integration-with-the-virtual-appliances
Troubleshooting docs:
AD connector
https://support.umbrella.com/hc/en-us/articles/230902468-Provide-Support-with-AD-Connector-Logs
On the DCs you need to run a script (which connects to the VA) and install a Windows service so Umbrella can look in on AD users. You also need an OpenDNS_Connector user set up in AD.
In the Umbrella dashboard:
AD server = the script (needs to be assigned to a VA after it's run)
AD Connector = the service
More Docs:
AD integration VA vs Roaming client
https://support.umbrella.com/hc/en-us/articles/115004651366-AD-Integration-Delivery-via-VA-vs-Roaming-Client
By default the roaming client will switch itself off when it detects a VA on the same LAN ("VA backoff"); this default can be changed.
https://support.umbrella.com/hc/en-us/articles/230901168#VirtualAppliance
Comms flow (good diagrams on how it works)
https://docs.umbrella.com/deployment-umbrella/docs/appx-a-communication-flow-and-troubleshooting
Why use a VA
https://docs.umbrella.com/deployment-umbrella/docs/1-introduction#section-why-should-i-use-virtual-appliances
VA setup guide
https://docs.umbrella.com/deployment-umbrella/docs/2-prerequisites-1#section-networking-requirements
Limitations
Umbrella can't work with RDS/Citrix where multiple users log into the same server, because the user ID comes from the login event and one server IP can only map to one user at a time. The workaround is to create an internal network object for that server and assign it to a policy with a higher priority. Every user on that server will then get the same access from that one policy.
https://docs.umbrella.com/deployment-umbrella/docs/8-sites-and-internal-networks
RDP: when you RDP to a server, the source IP shows as the server you RDP'd from, not the server you RDP'd to. This can lead to identity switching issues.
Prepare AD
https://docs.umbrella.com/deployment-umbrella/docs/4-prepare-your-active-directory-environment
Summary steps
Set the domain controller DNS forwarders to Umbrella:
208.67.222.222 (resolver1.opendns.com)
208.67.220.220 (resolver2.opendns.com)
Remove any other DNS forwarders (other ISPs etc.).
In each Windows domain:
Run the script on each DC (get the files from the Umbrella dashboard).
Install the AD connector (get the files from the Umbrella dashboard).
You only need to install one AD connector but two is a good idea. You can put one on each DC if you like.
Set up the OpenDNS_Connector user. Record the password in the PW manager.
Config the public IP range(s) under Deployments > Core Identities > Networks.
Install 2 VAs in VMware (get the files from the Umbrella dashboard).
You need 2 VAs because you need two DNS servers to give out to clients.
You need VAs for user ID.
VA Install
Download the OVA from the dashboard.
Open VMware.
Deploy the OVA file.
Should be next, next, finish to deploy the OVA.
CTRL + B to get into config mode.
exit to get out of config mode (you need to wait a little bit).
The default password is Umbrella[orgid], e.g. Umbrella1234567.
The OrgID can be got from the dashboard URL (/o/123456).
You will be asked to change the password. You won't be able to paste. The PW must be recorded.
config va name <name>
config va interface <ipaddress> <netmask> <gateway>
config localdns add 192.168.1.10
config localdns add 192.168.1.20
Create firewall rules to allow your VAs and DCs out to Umbrella.
Ensure the OCSP sites are allowed also.
Assign your VAs and DCs to a site in the Umbrella cloud.
Configure any internal domains needed (internal DNS servers need to be able to resolve them).
Block top level domains (.ru, .cn, .cc, .xyz etc.)
https://docs.umbrella.com/deployment-umbrella/docs/add-top-level-domains-to-destination-lists
Careful of:
.co (Colombia, but can block .com and .co.uk as well)
.io (used by tech companies)
.ai (used by AI tech)
.in (India; used by linked.in, logme.in)
Block the anonymizer app category
Policies -> Policy Components -> Application Settings
Edit the default settings
Tick Anonymizer
Click Save
Then go to Policies -> Management -> DNS Policies
Edit your policy
Edit the Application Setting applied -> tick Anonymizer (or select the default settings)
Click Save
Create Umbrella DNS policies (will need customer input)
Cisco recommends ordering them most specific to least specific (this may not work for you but it's a good starting point):
1 - AD user policies (for specific users)
2 - AD group policies (for AD groups)
3 - Roaming computers (roaming computer IDs)
4 - Network / site (can set up internal networks, /24 etc. and /32 for hosts)
5 - Default policy (if no other identity matched, apply the default)
Check the cloud dashboard for any issues with DCs/VAs and resolve them.
Set the update window and upgrade the VAs to the latest version
In the Umbrella dashboard set the auto-upgrade window; watch out for the time zone. Also upgrade your VAs (one at a time) to the latest software version.
DNS config
Workstations and non-DC servers
- set the DNS servers to the VA IPs
DCs
- DNS servers set to loopback (127.0.0.1) and the other DC's IP
- External forwarders set to the Umbrella external servers 208.67.220.220 and 208.67.222.222
On-prem mail servers
The other exception to that is mail servers (on-prem mail servers aren't as common these days):
Mail servers
- DNS servers set to loopback and the other DC(s)
Change DHCP
Change DHCP / deploy a script to set all clients to use the VAs as their DNS servers.
Change firewall rules
Only allow internal DNS to the VA IPs.
Only allow external DNS to the Umbrella IPs. Block/log all other DNS.
208.67.222.222 (resolver1.opendns.com)
208.67.220.220 (resolver2.opendns.com)
You may want a temporary rule to allow IT to use 8.8.8.8 (Google) or 1.1.1.1 (Cloudflare) for testing or temporary admin tasks.
Test sites
https://welcome.umbrella.com/
http://www.examplemalwaredomain.com/
internetbadguys.com
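As an added example (not from the original post), a small Python audit that applies the DNS rules above to firewall log lines: clients should only send DNS to the VAs, and only the DCs and VAs should reach the Umbrella resolvers, with everything else flagged. The VA addresses, the 192.168.0.0/16 site range, the IT test host and the log line format are assumptions; the DC addresses are the localdns entries from the VA config and the resolver IPs are the ones listed above.

```python
# Added example (not from the original post): audit firewall log lines against
# the DNS design above. Clients may only talk DNS to the VAs, and the DCs/VAs
# may only forward to the Umbrella resolvers; anything else is flagged.
import ipaddress
import re
UMBRELLA_RESOLVERS = {"208.67.222.222", "208.67.220.220"}  # from the post
DC_IPS = {"192.168.1.10", "192.168.1.20"}  # the localdns entries in the VA config
VA_IPS = {"192.168.1.30", "192.168.1.31"}  # assumed VA addresses
INTERNAL = ipaddress.ip_network("192.168.0.0/16")  # assumed site range
TEMP_EXCEPTION = {("192.168.1.50", "8.8.8.8"), ("192.168.1.50", "1.1.1.1")}  # assumed IT test host
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\w+ dport=(?P<dport>\d+)")

def classify(src, dst):
    """Verdict for one DNS flow src -> dst under the rules above."""
    if (src, dst) in TEMP_EXCEPTION:
        return "ok (temp exception)"
    if src in DC_IPS or src in VA_IPS:  # forwarders
        if dst in UMBRELLA_RESOLVERS or dst in DC_IPS or dst in VA_IPS:
            return "ok"
        return "forwarder using non-Umbrella resolver"
    if dst in VA_IPS:
        return "ok"
    if ipaddress.ip_address(dst) in INTERNAL:
        return "client bypassing VAs"  # e.g. pointed straight at a DC
    return "client sending DNS to external resolver"

def audit(log_text):
    """Return (src, dst, verdict) for every port-53 flow in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["dport"] == "53":
            findings.append((m["src"], m["dst"], classify(m["src"], m["dst"])))
    return findings

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
src=192.168.1.101 dst=192.168.1.30 proto=udp dport=53
src=192.168.1.102 dst=8.8.8.8 proto=udp dport=53
src=192.168.1.10 dst=208.67.222.222 proto=udp dport=53
src=192.168.1.20 dst=9.9.9.9 proto=udp dport=53
src=192.168.1.50 dst=1.1.1.1 proto=udp dport=53
src=192.168.1.103 dst=192.168.1.10 proto=udp dport=53
src=192.168.1.104 dst=192.168.1.30 proto=tcp dport=443
"""

if __name__ == "__main__":
    for src, dst, verdict in audit(SAMPLE_LOG):
        print(f"{src:>15} -> {dst:<16} {verdict}")
```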
Tuesday, 7 November 2017
Destination NAT on Cisco ASA over VPN
My DMZ = 100.64.0.0/24
We wanted to reach 172.20.20.10, which is on the customer side, but it conflicted with a network on our side.
Decided to use 172.22.20.10 as the NAT IP.
Changes on my side
object-group network MY_LAN
network-object 100.64.0.0 255.255.255.0
object-group network NAT_NET
network-object 172.22.20.0 255.255.255.0
Added the line below to the VPN ACL:
access-list CUST_VPN_ACL extended permit ip object-group MY_LAN object-group NAT_NET
No NAT (identity NAT) for the VPN traffic:
nat (DMZ,OUTSIDE) source static MY_LAN MY_LAN destination static NAT_NET NAT_NET no-proxy-arp route-lookup
Customer side:
Added to the VPN ACL:
access-list MYSIDE_VPN extended permit ip object-group NAT_NET object-group MY_LAN
HOST_REAL_IP = 172.20.20.10
HOST_XLATED_IP = 172.22.20.0/24
nat (WIFI,OUTSIDE) source static HOST_REAL_IP HOST_XLATED_IP destination static MY_LAN MY_LAN
I could ping 172.22.20.10 and it responded.
Monday, 6 November 2017
Test if a URL is blocked by Cisco Umbrella
nslookup internetbadguys.com
Check the IP returned. If it's one of the block page IPs listed at the link below, the domain is being blocked by Umbrella.
https://support.umbrella.com/hc/en-us/articles/115001357688-What-are-the-Cisco-Umbrella-Block-Page-IP-Addresses-
Friday, 3 November 2017
Basic inside ACL for Cisco ASA
Note: domain (53) and NTP (123) are UDP, so those two service-objects are udp.
object-group service PORTS_ALLOWED_OUT
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object udp destination eq domain
service-object tcp destination eq ftp-data
service-object tcp destination eq ftp
service-object tcp destination eq telnet
service-object tcp destination eq smtp
service-object udp destination eq 123
service-object tcp destination eq rtsp
service-object tcp destination eq 873
service-object tcp destination eq 993
access-list INSIDE_OUT remark *** Allow ping ***
access-list INSIDE_OUT extended permit icmp any any
access-list INSIDE_OUT remark *** Allow standard ports out ***
access-list INSIDE_OUT extended permit object-group PORTS_ALLOWED_OUT any any
access-list INSIDE_OUT extended deny ip any any log
88 - Kerberos
445 - Microsoft-DS
137 - NetBIOS
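As an added example (not from the original post), a Python evaluator for the INSIDE_OUT list above: it parses the object-group and access-list lines into rules and applies the ASA's first-match semantics to sample flows, which shows what the list lets out and what hits the final deny/log line. Addresses are ignored because every ACE here is any any; the remark lines are left out of the embedded copy; 123 is treated as UDP (NTP); and the port-keyword table is an assumption drawn from the IANA port numbers.

```python
# Added example (not from the original post): parse the INSIDE_OUT ACL and its
# service object-group, then apply ASA first-match semantics to sample flows.
ACL_CONFIG = """\
object-group service PORTS_ALLOWED_OUT
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq ssh
 service-object udp destination eq domain
 service-object tcp destination eq ftp-data
 service-object tcp destination eq ftp
 service-object tcp destination eq telnet
 service-object tcp destination eq smtp
 service-object udp destination eq 123
 service-object tcp destination eq rtsp
 service-object tcp destination eq 873
 service-object tcp destination eq 993
access-list INSIDE_OUT extended permit icmp any any
access-list INSIDE_OUT extended permit object-group PORTS_ALLOWED_OUT any any
access-list INSIDE_OUT extended deny ip any any log
"""
# ASA port keywords used above, mapped to port numbers (IANA assignments).
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "domain": 53, "ftp-data": 20,
              "ftp": 21, "telnet": 23, "smtp": 25, "rtsp": 554}

def parse(config):
    """groups: name -> set of (proto, port); aces: ordered (action, target, log)."""
    groups, aces, current = {}, [], None
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["object-group", "service"]:
            current = groups.setdefault(t[2], set())
        elif t[:1] == ["service-object"]:  # "service-object tcp destination eq www"
            current.add((t[1], PORT_NAMES.get(t[4]) or int(t[4])))
        elif t[:1] == ["access-list"] and t[2] != "remark":
            target = t[5] if t[4] == "object-group" else t[4]  # group name or protocol
            aces.append((t[3], target, "log" in t))
    return groups, aces

def evaluate(groups, aces, proto, dport=None):
    """First matching ACE wins. No match is the implicit deny, which is NOT
    logged; the explicit "deny ip any any log" at the end is what gives you logs."""
    for action, target, log in aces:
        if target in ("ip", proto) or (target in groups and (proto, dport) in groups[target]):
            return action, log
    return "deny", False

if __name__ == "__main__":
    groups, aces = parse(ACL_CONFIG)
    for flow in [("tcp", 443), ("udp", 53), ("tcp", 445), ("icmp", None)]:
        print(flow, evaluate(groups, aces, *flow))
```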