Saturday, August 27, 2016

Factory Reset a Juniper SSG5 Firewall

I was restoring a Juniper SSG5 firewall to its default settings. There are two ways of doing this: the quick way is to use the reset pinhole at the back; the other is to log in via the console with the device serial number as both the username and password. I prefer the latter, and here's how I did it.



login: 0162052012003235   // USE THE SERIAL NUMBER FOR BOTH LOGIN/PASSWORD
password:
!!! Lost Password Reset !!! You have initiated a command to reset the device to factory defaults, clearing all current configuration and settings. Would you like to continue?  y/[n] y

!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen, password: netscreen. Would you like to continue?  y/[n] y
In reset ...


Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: D8BC25A8)
Copyright (c) 1997-2006 Juniper Networks, Inc.

Total physical memory: 256MB
    Test - Pass
    Initialization - Done

Hit any key to run loader

Loading default system image from on-board flash disk...
Done! (size = 13,369,344 bytes)

Image authenticated!

Start loading...
.................................................................
Done.



Juniper Networks, Inc
SSG5/SSG20 System Software
Copyright, 1997-2008

Version 6.3.0r12.0
Cksum:26cde5cd
Load Manufacture Information ... Done

Initialize FBTL 0........ Done
Load NVRAM Information ... (6.3.0)Done
Install module init vectors
Changed to l3 mode
Install modules (01270800,020b4000) ...
PPP IP-POOL initiated, 256 pools

Initializing DI 1.1.0-ns

*********************************************************
System time: 24Sept2013:21:51:00
If this is the initial device startup,
use the "set clock" command to set the system clock.
*********************************************************
system init done..
System change state to Active(1)

login: netscreen
password:
ssg5-serial-> get system
Product Name: SSG5-Serial
Serial Number: 0162052012003235, Control Number: 00000000
Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.3.0r12.0, Type: Firewall+VPN
Feature: AV-K
BOOT Loader Version: 1.3.3
Compiled by build_master at: Wed Aug 8 05:12:11 PDT 2012
Base Mac: a8d0.e5d2.2c80
File Name: ssg5ssg20.6.3.0r12.0, Checksum: 26cde5cd, Total Memory: 256MB

Date 09/24/2013 21:59:41, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 0 hours 8 minutes 41 seconds Since 24Sept2013:21:51:00
Total Device Resets: 1, Last Device Reset at: 09/24/2013 20:48:01

<OUTPUT TRUNCATED>

ssg5-serial-> save
Save System Configuration  ...
Done

Saturday, August 13, 2016

Creating ASA Security Context Backup in Solarwinds NCM (and Pokemon Go)

Pokemon Go was just recently released in Southeast Asia (it almost got banned in some countries) and the game craze is phenomenal. Kids and adults (including me) hang out at popular Poke Stops and Poke Gyms. There are even Pokemon Lure parties being organized everywhere. I hope to catch 'em all soon!


My daughter Sophia and I try to catch Pokemons together in parks and even inside our home since there's always a Pokemon lure near our place.


I was initially doing manual backups of all our ASA security contexts, which was quite tedious even though we only have several ASA firewalls across the Asia Pacific (APAC) region. When our monitoring was migrated to Solarwinds, we were able to use its Network Configuration Manager (NCM) to back up the ASA contexts instead.

You need to configure SNMP and AAA on each ASA context for NCM to be able to pull its configuration. The other core configuration for this setup is a Layer 2 VLAN on the switch, a Layer 3 IP address for the VLAN gateway on the router (I used a /27 subnet, which gives 30 hosts, i.e. up to 30 ASA contexts), a route from each context to the Solarwinds server, and a Layer 3 subinterface allocated to each individual ASA context.


Switch

vlan 999
 name Solarwinds


Router

interface GigabitEthernet0/0.999
 description Solarwinds Monitoring Interface
 encapsulation dot1Q 999
 ip address 172.27.255.129 255.255.255.224


ASA

changeto system

<SYSTEM>

interface GigabitEthernet0/1.999
 description Solarwinds Monitoring Interface
 vlan 999

context CUSTOMER-A
 allocate-interface GigabitEthernet0/1.999


changeto context CUSTOMER-A

<CUSTOMER-A>

username admin password Passw0rd! privilege 15

interface GigabitEthernet0/1.999
 nameif Solarwinds
 security-level 100
 ip address 172.27.255.130 255.255.255.224

route Solarwinds 10.111.0.0 255.255.255.0 172.27.255.129

ssh 10.111.0.0 255.255.255.0 Solarwinds

snmp-server group MyGroup v3 priv
snmp-server user Admin MyGroup v3 auth md5 Passw0rd! priv aes 128 Passw0rd!
snmp-server host Solarwinds 10.111.0.71 version 3 Admin

crypto key generate rsa modulus 2048

aaa-server ACS protocol tacacs+
aaa-server ACS (Solarwinds) host 10.111.0.99
 key Passw0rd!

aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa authorization command ACS LOCAL


With this in place I was able to poll each individual ASA context via SNMP and download both its running and startup configs.
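As an added example (not from the original post, Cisco or Solarwinds), a small Python lint over the CUSTOMER-A context configuration above: it checks the pieces that NCM polling depends on (route, SSH access, SNMPv3, AAA fallback) and flags the weak spots a reviewer would raise before rolling this out to thirty contexts. The config text, the NCM address 10.111.0.71 and the finding messages are taken or constructed from the post.

```python
import ipaddress
import re

# Constructed from the CUSTOMER-A context in the post, not pulled from a device.
CONTEXT_CFG = """\
interface GigabitEthernet0/1.999
 nameif Solarwinds
 security-level 100
 ip address 172.27.255.130 255.255.255.224
route Solarwinds 10.111.0.0 255.255.255.0 172.27.255.129
ssh 10.111.0.0 255.255.255.0 Solarwinds
snmp-server group MyGroup v3 priv
snmp-server user Admin MyGroup v3 auth md5 Passw0rd! priv aes 128 Passw0rd!
snmp-server host Solarwinds 10.111.0.71 version 3 Admin
aaa authentication ssh console ACS LOCAL
"""

def lint_context(cfg, ncm_host):
    """Return findings for one ASA context; an empty list means every check passes."""
    findings = []
    ncm = ipaddress.ip_address(ncm_host)
    m = re.search(r"^ ip address (\S+) (\S+)$", cfg, re.M)
    iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    # Route next hop must be on the management subinterface's subnet and the
    # destination must cover the NCM server, or polling never gets a reply.
    for net, mask, gw in re.findall(r"^route \S+ (\S+) (\S+) (\S+)$", cfg, re.M):
        if ipaddress.ip_address(gw) not in iface.network:
            findings.append(f"route next hop {gw} is not on {iface.network}")
        if ncm not in ipaddress.ip_network(f"{net}/{mask}"):
            findings.append(f"route {net} {mask} does not reach NCM host {ncm}")
    # SSH must admit the NCM subnet but never 0.0.0.0/0.
    ssh_nets = [ipaddress.ip_network(f"{a}/{mk}")
                for a, mk in re.findall(r"^ssh (\S+) (\S+) \S+$", cfg, re.M)]
    if not any(ncm in n for n in ssh_nets):
        findings.append(f"no ssh entry covers NCM host {ncm}")
    if any(n.prefixlen == 0 for n in ssh_nets):
        findings.append("ssh is permitted from any address")
    # SNMPv3 group must require auth+priv; MD5 is the weaker auth choice.
    if not re.search(r"^snmp-server group \S+ v3 priv$", cfg, re.M):
        findings.append("snmp-server group is not v3 priv")
    for user in re.findall(r"^snmp-server user (\S+) \S+ v3 auth md5 ", cfg, re.M):
        findings.append(f"SNMPv3 user {user} authenticates with md5; prefer sha")
    # AAA for SSH should keep LOCAL so a TACACS+ outage cannot lock NCM out.
    m = re.search(r"^aaa authentication ssh console (.+)$", cfg, re.M)
    if not m:
        findings.append("no aaa authentication for ssh")
    elif "LOCAL" not in m.group(1).split():
        findings.append("aaa authentication ssh has no LOCAL fallback")
    return findings
```

Run against the post's own context it reports only the MD5 choice; the same function can be fed each context's `show running-config` output before it is added to NCM.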