My Network Security Journal: Configuring Traffic Telemetry on Cisco IOS Router and ASA Firewall

Task 1: Configure Traffic Telemetry Methods on Cisco IOS Software

Configure Timezone and NTP on IOS Router.

CSRv#show clock

.01:59:59.016 UTC Tue Nov 26 2019

CSRv#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

CSRv(config)#clock timezone ?

WORD name of time zone

CSRv(config)#clock timezone SGT ?

<-23 - 23> Hours offset from UTC

CSRv(config)#clock timezone SGT +8

CSRv(config)#ntp ?

access-group Control NTP access

allow Allow processing of packets

authenticate Authenticate time sources

authentication-key Authentication key for trusted time sources

broadcastdelay Estimated round-trip delay

clock-period Length of hardware clock tick

leap-handle To handle the leap seconds

logging Enable NTP message logging

master Act as NTP master clock

max-associations Set maximum number of associations

maxdistance Maximum Distance for synchronization

mindistance Minimum distance to consider for clockhop

orphan Threshold Stratum for orphan mode

panic Reject time updates > panic threshold (default 1000Sec)

passive NTP passive mode

peer Configure NTP peer

server Configure NTP server

source Configure interface for source address

trusted-key Key numbers for trusted time sources

CSRv(config)#ntp server ?

A.B.C.D IP address of peer

WORD Hostname of peer

X:X:X:X::X IPv6 address of peer

ip Use IP for DNS resolution

ipv6 Use IPv6 for DNS resolution

vrf VPN Routing/Forwarding Information

CSRv(config)#ntp server 162.159.200.1

Notice the Stratum (st) is 3.

CSRv#show ntp ?

associations NTP associations

config NTP server/peer configs

information NTP Information

packets NTP Packet statistics

status NTP status

CSRv#show ntp associations

address ref clock st when poll reach delay offset disp

*~162.159.200.1 10.35.8.220 3 17 64 3 4.958 122.502 64.168

~34.208.249.133 185.198.26.172 3 8 64 1 207.95 3.648 3939.1

* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

CSRv#show clock

10:06:02.329 SGT Tue Nov 26 2019

CSRv#show ntp associations detail

162.159.200.1 configured, ipv4, our_master, sane, valid, stratum 3

ref ID 10.35.8.220 , time E1870784.42F966EF (10:08:04.261 SGT Tue Nov 26 2019)

our mode client, peer mode server, our poll intvl 64, peer poll intvl 64

root delay 47.91 msec, root disp 0.50, reach 37, sync dist 337.06

delay 4.95 msec, offset 122.5023 msec, dispersion 4.45, jitter 305.03 msec

precision 2**25, version 4

assoc id 37157, assoc name 162.159.200.1

assoc in packets 10, assoc out packets 10, assoc error packets 0

org time 00000000.00000000 (08:00:00.000 SGT Mon Jan 1 1900)

rec time E18707B9.C9D12A48 (10:08:57.788 SGT Tue Nov 26 2019)

xmt time E18707B9.C9D12A48 (10:08:57.788 SGT Tue Nov 26 2019)

filtdelay = 7.94 5.96 5.96 5.90 5.96 6.95 4.95 5.97

filtoffset = 713.29 565.80 415.93 262.40 131.09 126.46 122.50 117.90

filterror = 0.97 1.96 2.97 4.00 4.89 4.92 4.95 4.98

minpoll = 6, maxpoll = 10

34.208.249.133 configured, ipv4, insane, invalid, stratum 3

ref ID 185.198.26.172 , time E1870173.AC385C83 (09:42:11.672 SGT Tue Nov 26 2019)

our mode client, peer mode server, our poll intvl 64, peer poll intvl 64

root delay 25.72 msec, root disp 40.78, reach 1, sync dist 1030.81

delay 206.93 msec, offset 697.8032 msec, dispersion 439.69, jitter 433.26 msec

precision 2**20, version 4

assoc id 37156, assoc name 34.208.249.133

assoc in packets 3093, assoc out packets 3094, assoc error packets 0

org time 00000000.00000000 (08:00:00.000 SGT Mon Jan 1 1900)

rec time E18707B2.DF6E3407 (10:08:50.872 SGT Tue Nov 26 2019)

xmt time E18707B2.DF6E3407 (10:08:50.872 SGT Tue Nov 26 2019)

filtdelay = 206.93 207.96 207.92 207.96 207.95 0.00 0.00 0.00

filtoffset = 697.80 557.71 419.95 282.83 3.64 0.00 0.00 0.00

filterror = 0.98 1.91 2.84 3.77 5.61 16000.0 16000.0 16000.0

minpoll = 6, maxpoll = 10

Configure local and remote logging (syslog) on the IOS Router.

CSRv(config)#logging ?

Hostname or A.B.C.D IP address of the logging host

alarm Configure syslog for alarms

buffered Set buffered logging parameters

buginf Enable buginf logging for debugging

cns-events Set CNS Event logging level

console Set console logging parameters

count Count every log message and timestamp last occurance

delimiter Append delimiter to syslog messages

discriminator Create or modify a message discriminator

dmvpn DMVPN Configuration

esm Set ESM filter restrictions

exception Limit size of exception flush output

facility Facility parameter for syslog messages

filter Specify logging filter

history Configure syslog history table

host Set syslog server IP address and parameters

message-counter Configure log message to include certain counter value

monitor Set terminal line (monitor) logging parameters

on Enable logging to all enabled destinations

origin-id Add origin ID to syslog messages

persistent Set persistent logging parameters

queue-limit Set logger message queue size

rate-limit Set messages per second limit

reload Set reload logging level

server-arp Enable sending ARP requests for syslog servers when first configured

snmp-trap Set syslog level for sending snmp trap

source-interface Specify interface for source address in logging transactions

trap Set syslog server logging level

userinfo Enable logging of user info on privileged mode enabling

CSRv(config)#logging on

CSRv(config)#logging buffered ?

<0-7> Logging severity level

<4096-2147483647> Logging buffer size

alerts Immediate action needed (severity=1)

critical Critical conditions (severity=2)

debugging Debugging messages (severity=7)

discriminator Establish MD-Buffer association

emergencies System is unusable (severity=0)

errors Error conditions (severity=3)

filtered Enable filtered logging

informational Informational messages (severity=6)

notifications Normal but significant conditions (severity=5)

warnings Warning conditions (severity=4)

xml Enable logging in XML to XML logging buffer

<cr>

CSRv(config)#logging buffered debugging

CSRv(config)#logging host ?

Hostname or A.B.C.D IP address of the syslog server

ipv6 Configure IPv6 syslog server

CSRv(config)#logging host 192.168.1.130

Download and run Kiwi Syslog Server (free version) in Win7 machine (192.168.1.130).

Add a device in Kiwi Syslog under File > Setup.

I generated syslogs on the CSRv by bouncing an interface.

CSRv(config)#do show ip interface brief

Interface IP-Address OK? Method Status Protocol

GigabitEthernet1 192.168.1.140 YES NVRAM up up

GigabitEthernet2 unassigned YES NVRAM administratively down down

CSRv(config)#interface g2

CSRv(config-if)#no shutdown

CSRv(config-if)#do terminal monitor

CSRv(config-if)#

CSRv(config-if)#shutdown

CSRv(config-if)#end

CSRv#

Nov 26 02:25:16.874: %LINK-5-CHANGED: Interface GigabitEthernet2, changed state to administratively down

CSRv#

Nov 26 02:25:17.910: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.100)

Issue a show logging on CSRv to verify Syslog setup.

CSRv#show logging

Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

Console logging: level debugging, 104 messages logged, xml disabled,

filtering disabled

Monitor logging: level debugging, 34 messages logged, xml disabled,

filtering disabled

Logging to: vty1(2)

Buffer logging: level debugging, 105 messages logged, xml disabled,

filtering disabled

Exception Logging: size (4096 bytes)

Count and timestamp logging messages: disabled

Persistent logging: disabled

No active filter modules.

Trap logging: level informational, 73 message lines logged

Logging to 192.168.1.130 (udp port 514, audit disabled,

link up),

3 message lines logged,

0 message lines rate-limited,

0 message lines dropped-by-MD,

xml disabled, sequence number disabled

filtering disabled

Logging Source-Interface: VRF Name:

Log Buffer (4096 bytes):

55.489: AAA/AUTHEN/LOGIN (00000FC3): Pick method list 'ACCESS-1'

.Nov 24 12:10:03.028: AAA: parse name=tty3 idb type=-1 tty=-1

.Nov 24 12:10:03.028: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0

.Nov 24 12:10:03.028: AAA/MEMORY: create_user (0x7FD2F9B9DDE0) user='john-ise' ruser='NULL' ds0=0 port='tty3' rem_addr='192.168.1.100' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)

.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): port='tty3' list='ACCESS-1' action=LOGIN service=ENABLE

.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): using "default" list

.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): Unknown type for server group "ACCESS-1". Skip it

.Nov 24 12:10:03.029: AAA/AUTHEN (1022751880): status = UNKNOWN

.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): Method=ENABLE

.Nov 24 12:10:03.030: AAA/AUTHEN (1022751880): status = GETPASS

.Nov 24 12:10:05.889: AAA/AUTHEN/CONT (1022751880): continue_login (user='(undef)')

.Nov 24 12:10:05.889: AAA/AUTHEN (1022751880): status = GETPASS

.Nov 24 12:10:05.890: AAA/AUTHEN/CONT (1022751880): Method=ENABLE

.Nov 24 12:10:05.890: AAA/AUTHEN(1022751880): password incorrect

.Nov 24 12:10:05.890: AAA/AUTHEN (1022751880): status = FAIL

.Nov 24 12:10:05.890: AAA/MEMORY: free_user (0x7FD2F9B9DDE0) user='NULL' ruser='NULL' port='tty3' rem_addr='192.168.1.100' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

.Nov 24 12:12:09.670: AAA: parse name=tty3 idb type=-1 tty=-1

.Nov 24 12:12:09.670: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0

.Nov 24 12:12:09.670: AAA/MEMORY: create_user (0x7FD35F807A70) user='john-ise' ruser='NULL' ds0=0 port='tty3' rem_addr='192.168.1.100' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)

.Nov 24 12:12:09.670: AAA/AUTHEN/START (1262379625): port='tty3' list='ACCESS-1' action=LOGIN service=ENABLE

.Nov 24 12:12:09.671: AAA/AUTHEN/START (1262379625): using "default" list

.Nov 24 12:12:09.671: AAA/AUTHEN/START (1262379625): Unknown type for server group "ACCESS-1". Skip it

.Nov 24 12:12:09.671: AAA/AUTHEN (1262379625): status = UNKNOWN

.Nov 24 12:12:09.671: AAA/AUTHEN/START (1262379625): Method=ENABLE

.Nov 24 12:12:09.671: AAA/AUTHEN (1262379625): status = GETPASS

.Nov 24 12:12:12.258: AAA/AUTHEN/CONT (1262379625): continue_login (user='(undef)')

.Nov 24 12:12:12.258: AAA/AUTHEN (1262379625): status = GETPASS

.Nov 24 12:12:12.259: AAA/AUTHEN/CONT (1262379625): Method=ENABLE

.Nov 24 12:12:12.259: AAA/AUTHEN(1262379625): password incorrect

.Nov 24 12:12:12.259: AAA/AUTHEN (1262379625): status = FAIL

.Nov 24 12:12:12.259: AAA/MEMORY: free_user (0x7FD35F807A70) user='NULL' ruser='NULL' port='tty3' rem_addr='192.168.1.100' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

.Nov 24 12:25:08.532: %SYS-5-CONFIG_I: Configured from console by john-ise on vty0 (192.168.1.100)

.Nov 24 12:36:59.735: %SYS-5-CONFIG_I: Configured from console by john-ise on vty0 (192.168.1.100)

.Nov 24 12:37:11.693: %SYS-5-CONFIG_I: Configured from console by john-ise on vty0 (192.168.1.100)

.Nov 26 01:46:34.940: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.100)

.Nov 26 01:58:43.282: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.100)

.Nov 26 01:58:56.796: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.100)

.Nov 26 02:00:47.653: %SYS-6-CLOCKUPDATE: System clock has been updated from 02:00:47 UTC Tue Nov 26 2019 to 10:00:47 SGT Tue Nov 26 2019, configured from console by admin on vty0 (192.168.1.100).

Nov 26 02:05:44.684: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.100)

Nov 26 02:11:59.785: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.130 port 0 CLI Request Triggered

Nov 26 02:12:00.786: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.130 port 514 started - CLI initiated

Nov 26 02:25:16.874: %LINK-5-CHANGED: Interface GigabitEthernet2, changed state to administratively down

Nov 26 02:25:17.910: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.100)

Download and run Colasoft Capsaoft NetFlowAnalyzer (free version) in Win7 machine (192.168.1.130).

Configure NetFlow v9 Exporter.

CSRv(config)#flow ?

exporter Define a Flow Exporter

monitor Define a Flow Monitor

record Define a Flow Record

CSRv(config)#flow exporter ?

WORD Flow Exporter name

CSRv(config)#flow exporter EXP-1

CSRv(config-flow-exporter)#?

default Set a command to its defaults

description Provide a description for this Flow Exporter

destination Export destination configuration

dscp Optional DSCP

exit Exit from Flow Exporter configuration mode

export-protocol Export protocol version

mtu Optional MTU

no Negate a command or set its defaults

option Select an option for exporting

source Originating interface

template Flow Exporter template configuration

transport Transport protocol

ttl Optional TTL or hop limit

CSRv(config-flow-exporter)#destination ?

Hostname or A.B.C.D Destination IPv4 address or hostname

Hostname or X:X:X:X::X Destination IPv6 address or hostname

CSRv(config-flow-exporter)#destination 192.168.1.100

CSRv(config-flow-exporter)#transport ?

udp UDP transport protocol

CSRv(config-flow-exporter)#transport udp 9996

CSRv(config-flow-exporter)#export-protocol ?

ipfix IPFIX (Version 10)

netflow-v5 NetFlow Version 5

netflow-v9 NetFlow Version 9

CSRv(config-flow-exporter)#export-protocol netflow-v9

Configure NetFlow v9 Monitor

CSRv(config)#flow monitor MON-1

CSRv(config-flow-monitor)#?

cache Configure Flow Cache parameters

default Set a command to its defaults

description Provide a description for this Flow Monitor

exit Exit from Flow Monitor configuration mode

exporter Add an Exporter to use to export records

no Negate a command or set its defaults

record Specify Flow Record to use to define Cache

statistics Collect statistics

CSRv(config-flow-monitor)#exporter ?

EXP-1 User defined

CSRv(config-flow-monitor)#exporter EXP-1

CSRv(config-flow-monitor)#record ?

netflow Traditional NetFlow collection schemes

netflow-original Traditional IPv4 input NetFlow with origin ASs

CSRv(config-flow-monitor)#record netflow ?

ipv4 Traditional IPv4 NetFlow collection schemes

ipv6 Traditional IPv6 NetFlow collection schemes

CSRv(config-flow-monitor)#record netflow ipv4 ?

as AS aggregation schemes

as-tos AS and TOS aggregation schemes

bgp-nexthop-tos BGP next-hop and TOS aggregation schemes

destination-prefix Destination Prefix aggregation schemes

destination-prefix-tos Destination Prefix and TOS aggregation schemes

original-input Traditional IPv4 input NetFlow with ASs

original-output Traditional IPv4 output NetFlow with ASs

prefix Source and Destination Prefixes aggregation schemes

prefix-port Prefixes and Ports aggregation scheme

prefix-tos Prefixes and TOS aggregation schemes

protocol-port Protocol and Ports aggregation scheme

protocol-port-tos Protocol, Ports and TOS aggregation scheme

source-prefix Source AS and Prefix aggregation schemes

source-prefix-tos Source Prefix and TOS aggregation schemes

CSRv(config-flow-monitor)#record netflow ipv4 original-output

Apply NetFlow v9 on CSRv interface.

CSRv(config)#interface g1

CSRv(config-if)#ip flow ?

monitor Apply a Flow Monitor

CSRv(config-if)#ip flow monitor ?

MON-1 User defined

CSRv(config-if)#ip flow monitor MON-1 ?

input Apply Flow Monitor on input traffic

multicast Apply Flow Monitor on multicast traffic

output Apply Flow Monitor on output traffic

sampler Optional Sampler to apply to this Flow Monitor

unicast Apply Flow Monitor on unicast traffic

CSRv(config-if)#ip flow monitor MON-1 output

I configured NAT on CSRv and generated some traffic.

CSRv#ping 8.8.8.8 source 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 10.1.1.1

.....

Success rate is 0 percent (0/5)

CSRv#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

CSRv(config)#interface g1

CSRv(config-if)#ip nat outside

CSRv(config-if)#interface loopback1

CSRv(config-if)#ip nat inside

CSRv(config-if)#access-list 10 permit 10.1.1.0 0.0.0.255

CSRv(config)#ip nat inside source list 10 interface g1 overload

CSRv#ping 8.8.8.8 source 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 10.1.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/27 ms

CSRv#telnet 192.168.1.3

Trying 192.168.1.3 ... Open

### C3560 SENSS LAB ###

User Access Verification

Password:

SW1>enable

Password:

SW1#

CSRv#telnet 192.168.1.1

Trying 192.168.1.1 ... Open

### ASA SENSS LAB ###

User Access Verification

Password:

User enable_1 logged in to LAB-ASA5515x

Logins over the last 37 days: 9. Last login: 05:29:18 UTC Nov 25 2019 from 192.168.1.100

Failed logins since the last login: 0.

Type help or '?' for a list of available commands.

LAB-ASA5515x> enable

Password: *****

LAB-ASA5515x#

CSRv#ssh -l root 192.168.1.110

Password:

Linux kali 5.2.0-kali2-amd64 #1 SMP Debian 5.2.9-2kali1 (2019-08-22) x86_64

The programs included with the Kali GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

Last login: Tue Nov 26 00:41:21 2019 from 192.168.1.100

root@kali:~#

In Colasoft Capsa, select the LAN adapter: Ethernet > select Full Analysis (default) > click Start.

Expand Full Analysis > Protocol Explorer > MAC Explorer > IP Explorer.

Go to Summary tab.

Notice the VMware host CSRv 192.168.140.

Go to Protocol tab > IP Conversation (at the bottom).

Go to Protocol tab > TCP Conversation.

Notice the Telnet TCP 23 session from CSRv (192.168.1.140) to SW1 (192.168.1.3).

Go to Protocol tab > UDP Conversation.

Notice the NetFlow UDP 9996 session from CSRv (192.168.1.140) to Win10 PC (Local) and NTP UDP 123 session to NTP server sg.pool.ntp.org (162.159.200.1).

Go to IP Endpoint tab > IP Conversation.

Go to IP Endpoint tab > TCP Conversation.

Go to IP Endpoint tab > UDP Conversation.

Go to IP Conversation tab > TCP Conversation.

Go to IP Conversation tab > UDP Conversation.

Go to TCP Conversation > Packets.

Go to TCP Conversation > select a TCP session > Data Flow.

Notice CSRv (192.168.1.140) high number dynamic source port 35332 > destination TCP port 23 (Telnet) to SW1 (192.168.1.3.).

Go to UDP Conversation > select a session/flow > Packets.

Notice the raw Packet Info capture at the bottom.

Click the right arrow to view more tabs (click left to go to previous tabs).

Go to Port tab. Notice the top talker ports: HTTP TCP 80, HTTPS/SSL TCP 443 and Telnet TCP 23.

Go to Matrix tab > select various Top 100 graphs on the left.

Go to Packet tab. You can view real-time packet capture.

Go to Log tab. Select various Log on the left.

To verify NetFlow export statistics, issue a show flow exporter statistics command.

CSRv#show flow exporter statistics

Flow Exporter EXP-1:

Packet send statistics (last cleared 01:00:32 ago):

Successfully sent: 298 (19128 bytes)

Client send statistics:

Client: Flow Monitor MON-1

Records added: 339

- sent: 339

Bytes added: 16950

- sent: 16950

To view view NetFlow monitor (MON-1) cache, issue a show flow monitor <MONITOR-NAME> cache format table command.

CSRv#show flow monitor ?

MON-1 User defined

broker Show the flow monitor broker

name Name a specific Flow Monitor

type Type of the Flow Monitor

| Output modifiers

<cr>

CSRv#show flow monitor MON-1 ?

cache Flow monitor cache contents

statistics Flow monitor statistics

| Output modifiers

<cr>

CSRv#show flow monitor MON-1 cache ?

filter Display only matching flow records

format Specify cache display format

sort Sort the resulting flow records

| Output modifiers

<cr>

CSRv#show flow monitor MON-1 cache format ?

csv Flow monitor cache contents in csv format

record Flow monitor cache contents in record format

table Flow monitor cache contents in table format

CSRv#show flow monitor MON-1 cache format table

Cache type: Normal (Platform cache)

Cache size: 200000

Current entries: 5

High Watermark: 9

Flows added: 377

Flows aged: 372

- Inactive timeout ( 15 secs) 372

IPV4 SRC ADDR IPV4 DST ADDR TRNS SRC PORT TRNS DST PORT INTF OUTPUT FLOW SAMPLER ID IP TOS IP PROT ip src as ip dst as ipv4 next hop addr ipv4 src mask ipv4 dst mask tcp flags intf input bytes pkts time first time last

=============== =============== ============= ============= ==================== =============== ====== ======= ========= ========= ================== ============= ============= ========= ==================== ========== ========== ============ ============

192.168.1.140 192.168.1.100 23 60689 Gi1 0 0xC0 6 0 0 192.168.1.100 /32 /24 0x18 Null 1423 30 14:31:20.706 14:31:35.110

192.168.1.140 192.168.1.100 23 60688 Gi1 0 0xC0 6 0 0 192.168.1.100 /32 /24 0x18 Null 9940 93 14:31:03.090 14:31:25.622

192.168.1.140 192.168.1.1 53251 23 Gi1 0 0xC0 6 0 0 192.168.1.1 /32 /24 0x1A Null 2528 61 14:31:09.032 14:31:25.818

192.168.1.140 192.168.1.3 50180 23 Gi1 0 0xC0 6 0 0 192.168.1.3 /32 /24 0x1A Null 1152 27 14:31:31.732 14:31:35.310

192.168.1.140 192.168.1.100 50605 9996 Gi1 0 0x00 17 0 0 192.168.1.100 /32 /24 0x00 Null 412 3 14:31:11.556 14:31:26.574

192.168.1.140 192.168.1.100 23 60604 Gi1 0 0xC0 6 0 0 192.168.1.100 /32 /24 0x18 Null 675 6 14:31:40.016 14:31:41.398

Task 2: Configure Traffic Telemetry Methods on Cisco ASA

Configure ASA Time Zone via ASDM under Configuration > Device Setup > System Time > Clock > Time Zone: (GMT +08:00) Singapore.

Configure a public NTP server sg.pool.ntp.org (162.159.200.123) under Configuration > Device Setup > System Time > NTP > Add.

Click Apply > Send.

LAB-ASA5515x# show ntp ?

associations NTP associations

status NTP status

LAB-ASA5515x# show ntp associations

address ref clock st when poll reach delay offset disp

~162.159.200.123 10.35.8.220 3 45 64 0 4.6 -39655 16000.

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

LAB-ASA5515x# show ntp status

Clock is unsynchronized, stratum 16, no reference clock

nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6

reference time is e189bbab.dc87df4c (11:21:15.861 SGT Thu Nov 28 2019)

clock offset is -39655.2650 msec, root delay is 52.60 msec

root dispersion is 55546.46 msec, peer dispersion is 16000.00 msec

NTP is slow so you'll need to wait for few minutes for ASA to sync with the NTP server.

Notice a stratum of 3.

LAB-ASA5515x# ping 162.159.200.123

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 162.159.200.123, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

LAB-ASA5515x# show ntp associations

address ref clock st when poll reach delay offset disp

*~162.159.200.123 10.35.8.220 3 24 64 17 3.5 0.44 1893.5

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

LAB-ASA5515x# show ntp associations detail

162.159.200.123 configured, our_master, sane, valid, stratum 3

ref ID 10.35.8.220, time e189bc42.50cc575c (11:23:46.315 SGT Thu Nov 28 2019)

our mode client, peer mode server, our poll intvl 64, peer poll intvl 64

root delay 47.99 msec, root disp 0.56, reach 7, sync dist 3918.243

delay 3.49 msec, offset 0.4444 msec, dispersion 3891.94

precision 2**25, version 3

org time e189bc44.33b4a2ce (11:23:48.201 SGT Thu Nov 28 2019)

rcv time e189bc44.340a7d51 (11:23:48.203 SGT Thu Nov 28 2019)

xmt time e189bc44.331f4ac9 (11:23:48.199 SGT Thu Nov 28 2019)

filtdelay = 3.49 6.15 6.36 0.00 0.00 0.00 0.00 0.00

filtoffset = 0.44 -1.14 -1.65 0.00 0.00 0.00 0.00 0.00

filterror = 15.63 16.60 17.58 16000.0 16000.0 16000.0 16000.0 16000.0

Configure Syslog on the ASA under Configuration > Device Management > Logging > Logging Setup > select Enable Logging.

Configure a remote Syslog Server under Configuration > Device Management > Logging > Syslog Servers > Add.

Select Interface: inside > type IP Address: 192.168.1.130 > leave the default Protocol: UDP and Port: 514 > click OK.

Configure Logging Filters on the ASA under Configuration > Device Management > Logging > Logging Filters.

Double-click ASDM, Internal Buffer and Syslog Servers > set the Severity level to Debugging.

Under Syslog from All Event Classes > select Filter on severity > select Debugging > click OK.

Click Apply > Send.

Configure a Modular Policy Framework (MPF) to enable sending of NetFlow traffic to the collector under Configuration > Firewall > Service Policy Rules .

Select inspection_default class > Add > Insert After.