Saturday, November 30, 2019

Configuring Traffic Telemetry on Cisco IOS Router and ASA Firewall

Task 1: Configure Traffic Telemetry Methods on Cisco IOS Software


Configure Timezone and NTP on IOS Router.

CSRv#show clock
.01:59:59.016 UTC Tue Nov 26 2019

CSRv#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
CSRv(config)#clock timezone ?
  WORD  name of time zone

CSRv(config)#clock timezone SGT ?
  <-23 - 23>  Hours offset from UTC

CSRv(config)#clock timezone SGT +8
CSRv(config)#ntp ?
  access-group        Control NTP access
  allow               Allow processing of packets
  authenticate        Authenticate time sources
  authentication-key  Authentication key for trusted time sources
  broadcastdelay      Estimated round-trip delay
  clock-period        Length of hardware clock tick
  leap-handle         To handle the leap seconds
  logging             Enable NTP message logging
  master              Act as NTP master clock
  max-associations    Set maximum number of associations
  maxdistance         Maximum Distance for synchronization
  mindistance         Minimum distance to consider for clockhop
  orphan              Threshold Stratum for orphan mode
  panic               Reject time updates > panic threshold (default 1000Sec)
  passive             NTP passive mode
  peer                Configure NTP peer
  server              Configure NTP server
  source              Configure interface for source address
  trusted-key         Key numbers for trusted time sources

CSRv(config)#ntp server ?
  A.B.C.D     IP address of peer
  WORD        Hostname of peer
  X:X:X:X::X  IPv6 address of peer
  ip          Use IP for DNS resolution
  ipv6        Use IPv6 for DNS resolution
  vrf         VPN Routing/Forwarding Information

CSRv(config)#ntp server 162.159.200.1


Notice the Stratum (st) is 3.

CSRv#show ntp ?
  associations  NTP associations
  config        NTP server/peer configs
  information   NTP Information
  packets       NTP Packet statistics
  status        NTP status

CSRv#show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~162.159.200.1   10.35.8.220      3     17     64     3  4.958 122.502 64.168
 ~34.208.249.133  185.198.26.172   3      8     64     1 207.95   3.648 3939.1
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

CSRv#show clock
10:06:02.329 SGT Tue Nov 26 2019

CSRv#show ntp associations detail
162.159.200.1 configured, ipv4, our_master, sane, valid, stratum 3
ref ID 10.35.8.220    , time E1870784.42F966EF (10:08:04.261 SGT Tue Nov 26 2019)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 47.91 msec, root disp 0.50, reach 37, sync dist 337.06
delay 4.95 msec, offset 122.5023 msec, dispersion 4.45, jitter 305.03 msec
precision 2**25, version 4
assoc id 37157, assoc name 162.159.200.1
assoc in packets 10, assoc out packets 10, assoc error packets 0
org time 00000000.00000000 (08:00:00.000 SGT Mon Jan 1 1900)
rec time E18707B9.C9D12A48 (10:08:57.788 SGT Tue Nov 26 2019)
xmt time E18707B9.C9D12A48 (10:08:57.788 SGT Tue Nov 26 2019)
filtdelay =     7.94    5.96    5.96    5.90    5.96    6.95    4.95    5.97
filtoffset =  713.29  565.80  415.93  262.40  131.09  126.46  122.50  117.90
filterror =     0.97    1.96    2.97    4.00    4.89    4.92    4.95    4.98
minpoll = 6, maxpoll = 10

34.208.249.133 configured, ipv4, insane, invalid, stratum 3
ref ID 185.198.26.172 , time E1870173.AC385C83 (09:42:11.672 SGT Tue Nov 26 2019)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 25.72 msec, root disp 40.78, reach 1, sync dist 1030.81
delay 206.93 msec, offset 697.8032 msec, dispersion 439.69, jitter 433.26 msec
precision 2**20, version 4
assoc id 37156, assoc name 34.208.249.133
assoc in packets 3093, assoc out packets 3094, assoc error packets 0
org time 00000000.00000000 (08:00:00.000 SGT Mon Jan 1 1900)
rec time E18707B2.DF6E3407 (10:08:50.872 SGT Tue Nov 26 2019)
xmt time E18707B2.DF6E3407 (10:08:50.872 SGT Tue Nov 26 2019)
filtdelay =   206.93  207.96  207.92  207.96  207.95    0.00    0.00    0.00
filtoffset =  697.80  557.71  419.95  282.83    3.64    0.00    0.00    0.00
filterror =     0.98    1.91    2.84    3.77    5.61 16000.0 16000.0 16000.0
minpoll = 6, maxpoll = 10


Configure local and remote logging (syslog) on the IOS Router.

CSRv(config)#logging ?
  Hostname or A.B.C.D  IP address of the logging host
  alarm                Configure syslog for alarms
  buffered             Set buffered logging parameters
  buginf               Enable buginf logging for debugging
  cns-events           Set CNS Event logging level
  console              Set console logging parameters
  count                Count every log message and timestamp last occurance
  delimiter            Append delimiter to syslog messages
  discriminator        Create or modify a message discriminator
  dmvpn                DMVPN Configuration
  esm                  Set ESM filter restrictions
  exception            Limit size of exception flush output
  facility             Facility parameter for syslog messages
  filter               Specify logging filter
  history              Configure syslog history table
  host                 Set syslog server IP address and parameters
  message-counter      Configure log message to include certain counter value
  monitor              Set terminal line (monitor) logging parameters
  on                   Enable logging to all enabled destinations
  origin-id            Add origin ID to syslog messages
  persistent           Set persistent logging parameters
  queue-limit          Set logger message queue size
  rate-limit           Set messages per second limit
  reload               Set reload logging level
  server-arp           Enable sending ARP requests for syslog servers when first configured
  snmp-trap            Set syslog level for sending snmp trap
  source-interface     Specify interface for source address in logging transactions
  trap                 Set syslog server logging level
  userinfo             Enable logging of user info on privileged mode enabling

CSRv(config)#logging on
CSRv(config)#logging buffered ?
  <0-7>              Logging severity level
  <4096-2147483647>  Logging buffer size
  alerts             Immediate action needed           (severity=1)
  critical           Critical conditions               (severity=2)
  debugging          Debugging messages                (severity=7)
  discriminator      Establish MD-Buffer association
  emergencies        System is unusable                (severity=0)
  errors             Error conditions                  (severity=3)
  filtered           Enable filtered logging
  informational      Informational messages            (severity=6)
  notifications      Normal but significant conditions (severity=5)
  warnings           Warning conditions                (severity=4)
  xml                Enable logging in XML to XML logging buffer
  <cr>

CSRv(config)#logging buffered debugging
CSRv(config)#logging host ?
  Hostname or A.B.C.D  IP address of the syslog server
  ipv6                 Configure IPv6 syslog server

CSRv(config)#logging host 192.168.1.130


Download and run Kiwi Syslog Server (free version) in Win7 machine (192.168.1.130).

Add a device in Kiwi Syslog under File > Setup.


I generated syslogs on the CSRv by bouncing an interface.

CSRv(config)#do show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       192.168.1.140   YES NVRAM  up                    up     
GigabitEthernet2       unassigned      YES NVRAM  administratively down down   
CSRv(config)#interface g2
CSRv(config-if)#no shutdown
CSRv(config-if)#do terminal monitor
CSRv(config-if)#
CSRv(config-if)#shutdown
CSRv(config-if)#end
CSRv#
Nov 26 02:25:16.874: %LINK-5-CHANGED: Interface GigabitEthernet2, changed state to administratively down
CSRv#
Nov 26 02:25:17.910: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.100)


Issue a show logging on CSRv to verify Syslog setup.

CSRv#show logging
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.


No Inactive Message Discriminator.


    Console logging: level debugging, 104 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 34 messages logged, xml disabled,
                     filtering disabled
        Logging to: vty1(2)
    Buffer logging:  level debugging, 105 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.
         
    Trap logging: level informational, 73 message lines logged
        Logging to 192.168.1.130  (udp port 514, audit disabled,
              link up),
              3 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled
        Logging Source-Interface:       VRF Name:

Log Buffer (4096 bytes):
55.489: AAA/AUTHEN/LOGIN (00000FC3): Pick method list 'ACCESS-1'
.Nov 24 12:10:03.028: AAA: parse name=tty3 idb type=-1 tty=-1
.Nov 24 12:10:03.028: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
.Nov 24 12:10:03.028: AAA/MEMORY: create_user (0x7FD2F9B9DDE0) user='john-ise' ruser='NULL' ds0=0 port='tty3' rem_addr='192.168.1.100' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): port='tty3' list='ACCESS-1' action=LOGIN service=ENABLE
.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): using "default" list
.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): Unknown type for server group "ACCESS-1". Skip it
.Nov 24 12:10:03.029: AAA/AUTHEN (1022751880): status = UNKNOWN
.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): Method=ENABLE
.Nov 24 12:10:03.030: AAA/AUTHEN (1022751880): status = GETPASS
.Nov 24 12:10:05.889: AAA/AUTHEN/CONT (1022751880): continue_login (user='(undef)')
.Nov 24 12:10:05.889: AAA/AUTHEN (1022751880): status = GETPASS
.Nov 24 12:10:05.890: AAA/AUTHEN/CONT (1022751880): Method=ENABLE
.Nov 24 12:10:05.890: AAA/AUTHEN(1022751880): password incorrect
.Nov 24 12:10:05.890: AAA/AUTHEN (1022751880): status = FAIL
.Nov 24 12:10:05.890: AAA/MEMORY: free_user (0x7FD2F9B9DDE0) user='NULL' ruser='NULL' port='tty3' rem_addr='192.168.1.100' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
.Nov 24 12:12:09.670: AAA: parse name=tty3 idb type=-1 tty=-1
.Nov 24 12:12:09.670: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
.Nov 24 12:12:09.670: AAA/MEMORY: create_user (0x7FD35F807A70) user='john-ise' ruser='NULL' ds0=0 port='tty3' rem_addr='192.168.1.100' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
.Nov 24 12:12:09.670: AAA/AUTHEN/START (1262379625): port='tty3' list='ACCESS-1' action=LOGIN service=ENABLE
.Nov 24 12:12:09.671: AAA/AUTHEN/START (1262379625): using "default" list
.Nov 24 12:12:09.671: AAA/AUTHEN/START (1262379625): Unknown type for server group "ACCESS-1". Skip it
.Nov 24 12:12:09.671: AAA/AUTHEN (1262379625): status = UNKNOWN
.Nov 24 12:12:09.671: AAA/AUTHEN/START (1262379625): Method=ENABLE
.Nov 24 12:12:09.671: AAA/AUTHEN (1262379625): status = GETPASS
.Nov 24 12:12:12.258: AAA/AUTHEN/CONT (1262379625): continue_login (user='(undef)')
.Nov 24 12:12:12.258: AAA/AUTHEN (1262379625): status = GETPASS
.Nov 24 12:12:12.259: AAA/AUTHEN/CONT (1262379625): Method=ENABLE
.Nov 24 12:12:12.259: AAA/AUTHEN(1262379625): password incorrect
.Nov 24 12:12:12.259: AAA/AUTHEN (1262379625): status = FAIL
.Nov 24 12:12:12.259: AAA/MEMORY: free_user (0x7FD35F807A70) user='NULL' ruser='NULL' port='tty3' rem_addr='192.168.1.100' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
.Nov 24 12:25:08.532: %SYS-5-CONFIG_I: Configured from console by john-ise on vty0 (192.168.1.100)
.Nov 24 12:36:59.735: %SYS-5-CONFIG_I: Configured from console by john-ise on vty0 (192.168.1.100)
.Nov 24 12:37:11.693: %SYS-5-CONFIG_I: Configured from console by john-ise on vty0 (192.168.1.100)
.Nov 26 01:46:34.940: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.100)
.Nov 26 01:58:43.282: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.100)
.Nov 26 01:58:56.796: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.100)
.Nov 26 02:00:47.653: %SYS-6-CLOCKUPDATE: System clock has been updated from 02:00:47 UTC Tue Nov 26 2019 to 10:00:47 SGT Tue Nov 26 2019, configured from console by admin on vty0 (192.168.1.100).
Nov 26 02:05:44.684: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.100)
Nov 26 02:11:59.785: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.130 port 0 CLI Request Triggered
Nov 26 02:12:00.786: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.130 port 514 started - CLI initiated
Nov 26 02:25:16.874: %LINK-5-CHANGED: Interface GigabitEthernet2, changed state to administratively down
Nov 26 02:25:17.910: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.100)

Download and run Colasoft Capsaoft NetFlowAnalyzer (free version) in Win7 machine (192.168.1.130).


Configure NetFlow v9 Exporter.

CSRv(config)#flow ?
  exporter  Define a Flow Exporter
  monitor   Define a Flow Monitor
  record    Define a Flow Record

CSRv(config)#flow exporter ?
  WORD  Flow Exporter name

CSRv(config)#flow exporter EXP-1
CSRv(config-flow-exporter)#?
  default          Set a command to its defaults
  description      Provide a description for this Flow Exporter
  destination      Export destination configuration
  dscp             Optional DSCP
  exit             Exit from Flow Exporter configuration mode
  export-protocol  Export protocol version
  mtu              Optional MTU
  no               Negate a command or set its defaults
  option           Select an option for exporting
  source           Originating interface
  template         Flow Exporter template configuration
  transport        Transport protocol
  ttl              Optional TTL or hop limit

CSRv(config-flow-exporter)#destination ?
  Hostname or A.B.C.D     Destination IPv4 address or hostname
  Hostname or X:X:X:X::X  Destination IPv6 address or hostname

CSRv(config-flow-exporter)#destination 192.168.1.100
CSRv(config-flow-exporter)#transport ?
  udp  UDP transport protocol

CSRv(config-flow-exporter)#transport udp 9996
CSRv(config-flow-exporter)#export-protocol ?
  ipfix       IPFIX (Version 10)
  netflow-v5  NetFlow Version 5
  netflow-v9  NetFlow Version 9

CSRv(config-flow-exporter)#export-protocol netflow-v9


Configure NetFlow v9 Monitor

CSRv(config)#flow monitor MON-1
CSRv(config-flow-monitor)#?
  cache        Configure Flow Cache parameters
  default      Set a command to its defaults
  description  Provide a description for this Flow Monitor
  exit         Exit from Flow Monitor configuration mode
  exporter     Add an Exporter to use to export records
  no           Negate a command or set its defaults
  record       Specify Flow Record to use to define Cache
  statistics   Collect statistics

CSRv(config-flow-monitor)#exporter ?
  EXP-1  User defined

CSRv(config-flow-monitor)#exporter EXP-1
CSRv(config-flow-monitor)#record ?
  netflow           Traditional NetFlow collection schemes
  netflow-original  Traditional IPv4 input NetFlow with origin ASs

CSRv(config-flow-monitor)#record netflow ?
  ipv4  Traditional IPv4 NetFlow collection schemes
  ipv6  Traditional IPv6 NetFlow collection schemes

CSRv(config-flow-monitor)#record netflow ipv4 ?
  as                      AS aggregation schemes
  as-tos                  AS and TOS aggregation schemes
  bgp-nexthop-tos         BGP next-hop and TOS aggregation schemes
  destination-prefix      Destination Prefix aggregation schemes
  destination-prefix-tos  Destination Prefix and TOS aggregation schemes
  original-input          Traditional IPv4 input NetFlow with ASs
  original-output         Traditional IPv4 output NetFlow with ASs
  prefix                  Source and Destination Prefixes aggregation schemes
  prefix-port             Prefixes and Ports aggregation scheme
  prefix-tos              Prefixes and TOS aggregation schemes
  protocol-port           Protocol and Ports aggregation scheme
  protocol-port-tos       Protocol, Ports and TOS aggregation scheme
  source-prefix           Source AS and Prefix aggregation schemes
  source-prefix-tos       Source Prefix and TOS aggregation schemes

CSRv(config-flow-monitor)#record netflow ipv4 original-output


Apply NetFlow v9 on CSRv interface.

CSRv(config)#interface g1
CSRv(config-if)#ip flow ?
  monitor  Apply a Flow Monitor

CSRv(config-if)#ip flow monitor ?
  MON-1  User defined

CSRv(config-if)#ip flow monitor MON-1 ?
  input      Apply Flow Monitor on input traffic
  multicast  Apply Flow Monitor on multicast traffic
  output     Apply Flow Monitor on output traffic
  sampler    Optional Sampler to apply to this Flow Monitor
  unicast    Apply Flow Monitor on unicast traffic

CSRv(config-if)#ip flow monitor MON-1 output


I configured NAT on CSRv and generated some traffic.

CSRv#ping 8.8.8.8 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.....
Success rate is 0 percent (0/5)

CSRv#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
CSRv(config)#interface g1
CSRv(config-if)#ip nat outside
CSRv(config-if)#interface loopback1
CSRv(config-if)#ip nat inside
CSRv(config-if)#access-list 10 permit 10.1.1.0 0.0.0.255
CSRv(config)#ip nat inside source list 10 interface g1 overload

CSRv#ping 8.8.8.8 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/27 ms

CSRv#telnet 192.168.1.3
Trying 192.168.1.3 ... Open

### C3560 SENSS LAB ###

User Access Verification

Password:

SW1>enable
Password:
SW1#


CSRv#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
### ASA SENSS LAB ###


User Access Verification

Password:
User enable_1 logged in to LAB-ASA5515x
Logins over the last 37 days: 9.  Last login: 05:29:18 UTC Nov 25 2019 from 192.168.1.100
Failed logins since the last login: 0. 
Type help or '?' for a list of available commands.
LAB-ASA5515x> enable
Password: *****
LAB-ASA5515x#


CSRv#ssh -l root 192.168.1.110
Password:
Linux kali 5.2.0-kali2-amd64 #1 SMP Debian 5.2.9-2kali1 (2019-08-22) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Nov 26 00:41:21 2019 from 192.168.1.100
root@kali:~#


In Colasoft Capsa, select the LAN adapter: Ethernet > select Full Analysis (default) > click Start.
 

Expand Full Analysis > Protocol Explorer > MAC Explorer > IP Explorer.


Go to Summary tab.

Notice the VMware host CSRv 192.168.140.
 

Go to Protocol tab > IP Conversation (at the bottom).


Go to Protocol tab > TCP Conversation.

Notice the Telnet TCP 23 session from CSRv (192.168.1.140) to SW1 (192.168.1.3).
 

Go to Protocol tab > UDP Conversation.

Notice the NetFlow UDP 9996 session from CSRv (192.168.1.140) to Win10 PC (Local) and NTP UDP 123 session to NTP server sg.pool.ntp.org (162.159.200.1).
 

Go to IP Endpoint tab > IP Conversation.


Go to IP Endpoint tab > TCP Conversation.


Go to IP Endpoint tab > UDP Conversation.


Go to IP Conversation tab > TCP Conversation.


Go to IP Conversation tab > UDP Conversation.


Go to TCP Conversation > Packets.


Go to TCP Conversation > select a TCP session > Data Flow.

Notice CSRv (192.168.1.140) high number dynamic source port 35332 > destination TCP port 23 (Telnet) to SW1 (192.168.1.3.).
 


Go to UDP Conversation > select a session/flow > Packets.

Notice the raw Packet Info capture at the bottom.
 


Click the right arrow to view more tabs (click left to go to previous tabs).

Go to Port tab. Notice the top talker ports: HTTP TCP 80, HTTPS/SSL TCP 443 and Telnet TCP 23.



Go to Matrix tab > select various Top 100 graphs on the left.





Go to Packet tab. You can view real-time packet capture.


Go to Log tab. Select various Log on the left.







To verify NetFlow export statistics, issue a show flow exporter statistics command.

CSRv#show flow exporter statistics
Flow Exporter EXP-1:
  Packet send statistics (last cleared 01:00:32 ago):
    Successfully sent:         298                   (19128 bytes)

  Client send statistics:
    Client: Flow Monitor MON-1
      Records added:           339
        - sent:                339
      Bytes added:             16950
        - sent:                16950


To view view NetFlow monitor (MON-1) cache, issue a show flow monitor <MONITOR-NAME> cache format table command.

CSRv#show flow monitor ?
  MON-1   User defined
  broker  Show the flow monitor broker
  name    Name a specific Flow Monitor
  type    Type of the Flow Monitor
  |       Output modifiers
  <cr>

CSRv#show flow monitor MON-1 ?
  cache       Flow monitor cache contents
  statistics  Flow monitor statistics
  |           Output modifiers
  <cr>

CSRv#show flow monitor MON-1 cache ?
  filter  Display only matching flow records
  format  Specify cache display format
  sort    Sort the resulting flow records
  |       Output modifiers
  <cr>

CSRv#show flow monitor MON-1 cache format ?
  csv     Flow monitor cache contents in csv format
  record  Flow monitor cache contents in record format
  table   Flow monitor cache contents in table format

CSRv#show flow monitor MON-1 cache format table
  Cache type:                               Normal (Platform cache)
  Cache size:                               200000
  Current entries:                               5
  High Watermark:                                9

  Flows added:                                 377
  Flows aged:                                  372
    - Inactive timeout    (    15 secs)        372

IPV4 SRC ADDR    IPV4 DST ADDR    TRNS SRC PORT  TRNS DST PORT  INTF OUTPUT           FLOW SAMPLER ID  IP TOS  IP PROT  ip src as  ip dst as  ipv4 next hop addr  ipv4 src mask  ipv4 dst mask  tcp flags  intf input                 bytes        pkts    time first     time last
===============  ===============  =============  =============  ====================  ===============  ======  =======  =========  =========  ==================  =============  =============  =========  ====================  ==========  ==========  ============  ============
192.168.1.140    192.168.1.100               23          60689  Gi1                                 0  0xC0          6          0          0  192.168.1.100                 /32            /24  0x18       Null                        1423          30  14:31:20.706  14:31:35.110
192.168.1.140    192.168.1.100               23          60688  Gi1                                 0  0xC0          6          0          0  192.168.1.100                 /32            /24  0x18       Null                        9940          93  14:31:03.090  14:31:25.622
192.168.1.140    192.168.1.1              53251             23  Gi1                                 0  0xC0          6          0          0  192.168.1.1                   /32            /24  0x1A       Null                        2528          61  14:31:09.032  14:31:25.818
192.168.1.140    192.168.1.3              50180             23  Gi1                                 0  0xC0          6          0          0  192.168.1.3                   /32            /24  0x1A       Null                        1152          27  14:31:31.732  14:31:35.310
192.168.1.140    192.168.1.100            50605           9996  Gi1                                 0  0x00         17          0          0  192.168.1.100                 /32            /24  0x00       Null                         412           3  14:31:11.556  14:31:26.574
192.168.1.140    192.168.1.100               23          60604  Gi1                                 0  0xC0          6          0          0  192.168.1.100                 /32            /24  0x18       Null                         675           6  14:31:40.016  14:31:41.398
         

Task 2: Configure Traffic Telemetry Methods on Cisco ASA

Configure ASA Time Zone via ASDM under Configuration > Device Setup > System Time > Clock > Time Zone: (GMT +08:00) Singapore.


Configure a public NTP server sg.pool.ntp.org (162.159.200.123) under Configuration > Device Setup > System Time > NTP > Add.



Click Apply > Send.



LAB-ASA5515x# show ntp ?

  associations  NTP associations
  status        NTP status
LAB-ASA5515x# show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~162.159.200.123  10.35.8.220       3    45    64    0     4.6  -39655  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

LAB-ASA5515x# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is e189bbab.dc87df4c (11:21:15.861 SGT Thu Nov 28 2019)
clock offset is -39655.2650 msec, root delay is 52.60 msec
root dispersion is 55546.46 msec, peer dispersion is 16000.00 msec


NTP is slow so you'll need to wait for few minutes for ASA to sync with the NTP server.

Notice a stratum of 3.

LAB-ASA5515x# ping 162.159.200.123
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 162.159.200.123, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

LAB-ASA5515x# show ntp associations      
      address         ref clock     st  when  poll reach  delay  offset    disp
*~162.159.200.123  10.35.8.220       3    24    64   17     3.5    0.44  1893.5
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

LAB-ASA5515x# show ntp associations detail

162.159.200.123 configured, our_master, sane, valid, stratum 3
ref ID 10.35.8.220, time e189bc42.50cc575c (11:23:46.315 SGT Thu Nov 28 2019)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 47.99 msec, root disp 0.56, reach 7, sync dist 3918.243
delay 3.49 msec, offset 0.4444 msec, dispersion 3891.94
precision 2**25, version 3
org time e189bc44.33b4a2ce (11:23:48.201 SGT Thu Nov 28 2019)
rcv time e189bc44.340a7d51 (11:23:48.203 SGT Thu Nov 28 2019)
xmt time e189bc44.331f4ac9 (11:23:48.199 SGT Thu Nov 28 2019)
filtdelay =     3.49    6.15    6.36    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.44   -1.14   -1.65    0.00    0.00    0.00    0.00    0.00
filterror =    15.63   16.60   17.58 16000.0 16000.0 16000.0 16000.0 16000.0


Configure Syslog on the ASA under Configuration > Device Management > Logging > Logging Setup > select Enable Logging.
 

Configure a remote Syslog Server under Configuration > Device Management > Logging > Syslog Servers > Add.


Select Interface: inside > type IP Address: 192.168.1.130 > leave the default Protocol: UDP and Port: 514 > click OK.



Configure Logging Filters on the ASA under Configuration > Device Management > Logging > Logging Filters.


Double-click ASDM, Internal Buffer and Syslog Servers > set the Severity level to Debugging.

Under Syslog from All Event Classes > select Filter on severity > select Debugging > click OK.
 

Click Apply > Send.
















 



Configure a Modular Policy Framework (MPF) to enable sending of NetFlow traffic to the collector under Configuration > Firewall > Service Policy Rules .


Select inspection_default class > Add > Insert After.



Select Global - applies to all interfaces (default) > Next.


Select Create a new traffic class > type a name: ALL-TRAFFIC-NETFLOW > select Any traffic > click Next.


Enable Send for Collector: 192.168.1.100 > click OK.


Click Finish.












No comments:

Post a Comment