Sunday, October 16, 2016

Cisco ASA FirePower Network Discovery

You need to perform network discovery in order for FireSight to know which hosts or networks to protect. The default network discovery action is to perform network discovery only, which can be found under Policies > Access Control. By default, all networks and applications are inspected, specified by the network ::/0, and this can be found under Policy > Network Discovery.


You specify the internal network you want to discover under Object > Individual Object > Add Network. Don't specify any external network (Internet) to avoid overwhelming the FireSight database.



You can then modify the network discovery policy under Policy > Networks > click the pencil icon on 0.0.0.0/0 > Edit Rule > click on the newly created object (Private Networks), then click Add > click Save and click Apply (beside the check icon).




FireSight can fingerprint well-known operating systems. If an OS isn't supported, you can manually create your own custom OS fingerprint by going to Policies > Network Discovery > Custom Operating System > click Create Custom Fingerprint.


You can create or customize your network topology by clicking on Policies > Network Discovery > Custom Topology > Create Topology. This helps put labels on the topology tree for easy identification in FireSight.






You can add more networks to your topology by clicking on Add Network and then Save.


Once the networks (or subnets) are added, you enable the topology by clicking on the gray icon (put a check and make it blue) beside the edit (pencil) icon.


There are some additional settings you can enable on FireSight; one of them is capturing the server banner, under Policies > Network Discovery > Advanced > Capture Banner.


Next, you can choose whether Active (from an Nmap scan) or Passive (gathered from host/network traffic) discovery data takes precedence if FireSight detects an identity conflict.



Once all network discovery settings are complete, click Apply for FireSight to start performing the network discovery.


Sunday, October 2, 2016

Configuring Site-to-Site IPsec VPN Using CCP and ASDM

I was troubleshooting a site-to-site IPsec VPN connection with a client who's using a Palo Alto (PA) firewall on their network. There's a great link which helped me understand and troubleshoot a PA firewall. We were exchanging our IKE Phase 1 and Phase 2 policies configured between our VPN router and their PA firewall and after a couple of sleepless nights (damn that PFS!), we were able to establish the VPN tunnel. Maybe I should take up Palo Alto PCNSE cert next year.

Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
17.8.17.44   202.7.2.2     QM_IDLE           1010 ACTIVE

IPv6 Crypto ISAKMP SA


Router#show crypto ipsec sa

interface: GigabitEthernet0/1
    Crypto map tag: CMAP, local addr 202.7.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.27.193.162/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.5.202.0/255.255.255.0/0/0)

   current_peer 17.8.17.44 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 380030, #pkts encrypt: 380030, #pkts digest: 380030
    #pkts decaps: 366102, #pkts decrypt: 366102, #pkts verify: 366102

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 202.7.2.2, remote crypto endpt.: 17.8.17.44
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x826B1D60(2188057952)
     PFS (Y/N): Y, DH group: group2


It's challenging to configure and troubleshoot VPNs, but you won't get lost once you've built a foundation of the basic IKE policies and the IPsec framework. I was able to review my CCNA Security and ASA basics last year but forgot to post this lab for a site-to-site IPsec VPN between an IOS router and an ASA firewall.


Router(config)#hostname R1
R1(config)#interface fastethernet0/0
R1(config-if)#ip address 209.165.200.225 255.255.255.248
R1(config-if)#no shutdown
R1(config-if)#
*Jul  7 12:24:32.875: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#interface serial0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#
*Jul  7 12:24:59.615: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
R1(config-if)#clock rate 64000
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0/0


Router(config)#hostname R2
R2(config)#interface serial0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jul  7 12:23:52.779: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jul  7 12:23:53.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R2(config-if)#do ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#clock rate 64000
R2(config-if)#
*Jul  7 12:24:14.411: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
R2(config-if)#exit
R2(config)#ip route 209.165.200.224 255.255.255.248 serial0/0/0
R2(config)#ip route 172.16.3.0 255.255.255.0 serial0/0/1


Router(config)#hostname R3
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 172.16.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#interface serial0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#exit
*Jul  7 12:31:11.111: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Jul  7 12:31:12.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config)#ip route 0.0.0.0 0.0.0.0 serial0/0/1


R3(config)#enable secret cisco
R3(config)#line vty 0 4
R3(config-line)#password cisco
R3(config-line)#login
R3(config-line)#line console 0
R3(config-line)#password cisco
R3(config-line)#login


R3(config)#ip http server
R3(config)#username admin privilege 15 secret cisco123
R3(config)#ip http authentication local


ciscoasa> enable
Password: <ENTER>
ciscoasa# conf t
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: n

In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".

Please remember to save your configuration.

ciscoasa(config)# hostname CCNAS-ASA
CCNAS-ASA(config)# enable password class
CCNAS-ASA(config)# domain-name ccnasecurity.com
CCNAS-ASA(config)# passwd cisco
CCNAS-ASA(config)# interface ethernet0/0
CCNAS-ASA(config-if)# switchport access vlan 2
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface ethernet0/1
CCNAS-ASA(config-if)# switchport access vlan 1
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface ethernet0/2
CCNAS-ASA(config-if)# switchport access vlan 3
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface vlan 1
CCNAS-ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
CCNAS-ASA(config-if)# security-level 100
CCNAS-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
CCNAS-ASA(config-if)# interface vlan 2
CCNAS-ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
CCNAS-ASA(config-if)# security-level 0
CCNAS-ASA(config-if)# ip address 209.165.200.226 255.255.255.248
CCNAS-ASA(config-if)# interface vlan 3
CCNAS-ASA(config-if)# no forward interface vlan 1
CCNAS-ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
CCNAS-ASA(config-if)# security-level 70
CCNAS-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
CCNAS-ASA(config-if)# object network inside-net
CCNAS-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
CCNAS-ASA(config-network-object)# nat (inside,outside) dynamic interface
CCNAS-ASA(config-network-object)# exit
CCNAS-ASA(config)# object network dmz-server
CCNAS-ASA(config-network-object)# host 192.168.2.3
CCNAS-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.227
CCNAS-ASA(config-network-object)# exit
CCNAS-ASA(config)# access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3
CCNAS-ASA(config)# access-group OUTSIDE-DMZ in interface outside
CCNAS-ASA(config)# route outside 0 0 209.165.200.225
CCNAS-ASA(config)# username admin password cisco123
CCNAS-ASA(config)# aaa authentication telnet console LOCAL
CCNAS-ASA(config)# aaa authentication ssh console LOCAL
CCNAS-ASA(config)# aaa authentication http console LOCAL
CCNAS-ASA(config)# http server enable
CCNAS-ASA(config)# http 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# ssh 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet timeout 10
CCNAS-ASA(config)# ssh timeout 10
CCNAS-ASA(config)# policy-map global_policy
CCNAS-ASA(config-pmap)# class inspection_default
CCNAS-ASA(config-pmap-c)# inspect icmp
CCNAS-ASA(config-pmap-c)# exit
CCNAS-ASA(config-pmap)# exit
CCNAS-ASA(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait...
CCNAS-ASA(config)#


R3(config)#crypto isakmp policy 1    // JAVA DOWNGRADED FOR ASDM; CONFIGURE R3 S2S IPSEC VPN VIA CLI
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#hash sha
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 86400
R3(config-isakmp)#exit
R3(config)#crypto isakmp key cisco12345 address 209.165.200.226
R3(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#access-list 100 permit ip 172.16.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#set peer 209.165.200.226
R3(config-crypto-map)#set transform-set TSET
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#exit
R3(config)#interface serial0/0/1
R3(config-if)#crypto map CMAP
R3(config-if)#
*Jul  7 13:12:27.235: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


CCNAS-ASA# debug crypto ?

  ca          Set PKI debug levels
  condition   Set IPSec/ISAKMP debug filters
  engine      Set crypto engine debug levels
  ike-common  Set IKE common debug levels
  ikev1       Set IKEV1 debug levels
  ikev2       Set IKEV2 debug levels
  ipsec       Set IPSec debug levels
  ss-api      Set Crypto Secure Socket API debug levels
  vpnclient   Set EasyVPN client debug levels
CCNAS-ASA# debug crypto ikev1 ?

  <1-255>  Specify an optional debug level (default is 1)
  timers   debug the ikev1 timers
  <cr>
CCNAS-ASA# debug crypto ikev1


R3#ping 192.168.1.3 source 172.16.3.3


CCNAS-ASA# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.2.2.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE   // IPSEC ESTABLISHED IN ASA

There are no IKEv2 SAs

CCNAS-ASA# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 209.165.200.226

      access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.3.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
      current_peer: 10.2.2.1


      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4   // DUE TO GENERATED ICMP
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4  
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 209.165.200.226/0, remote crypto endpt.: 10.2.2.1/0  
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: D933E94D
      current inbound spi : 6A6DC4E8

    inbound esp sas:
      spi: 0x6A6DC4E8 (1785578728)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 12288, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373999/3517)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xD933E94D (3644057933)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 12288, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373999/3517)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
209.165.200.226 10.2.2.1        QM_IDLE           1001    0 ACTIVE   // IPSEC ESTABLISHED IN ASA

IPv6 Crypto ISAKMP SA


R3#show crypto ipsec sa

interface: Serial0/0/1
    Crypto map tag: CMAP, local addr 10.2.2.1   

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)  
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0) 
   current_peer 209.165.200.226 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4  
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 11, #recv errors 0

     local crypto endpt.: 10.2.2.1, remote crypto endpt.: 209.165.200.226  
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1
     current outbound spi: 0x6A6DC4E8(1785578728)

     inbound esp sas:
      spi: 0xD933E94D(3644057933)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: FPGA:1, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4456786/3543)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6A6DC4E8(1785578728)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: FPGA:2, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4456786/3543)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


R3#ping 192.168.1.3 source 172.16.3.3 repeat 10    // TO GENERATE MORE IPSEC VPN TRAFFIC STATS

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.3
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 84/90/124 ms
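As an added example (not part of the original post), a small Python parser for the show crypto ipsec sa output shown above: it extracts the per-flow encaps/decaps and error counters and flags the classic one-way symptoms (encrypting but never decrypting, or the reverse) that usually point at a mismatched crypto ACL or routing on one side. The sample output is constructed and abbreviated from the R3 format, with a second made-up flow; the regexes accept both the IOS spellings ("#send errors 11", "current_peer 209.165.200.226") and the ASA spellings ("#send errors: 0", "current_peer: 10.2.2.1").

```python
import re
from dataclasses import dataclass

# Constructed, abbreviated "show crypto ipsec sa" output in the IOS format used
# in the post. The second flow is made up to show a one-way tunnel.
SAMPLE_IPSEC_SA = """\
interface: Serial0/0/1
    Crypto map tag: CMAP, local addr 10.2.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 209.165.200.226 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 11, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   current_peer 209.165.200.226 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""


@dataclass
class FlowStats:
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0


# The ":?" makes each pattern accept both the IOS and the ASA spelling.
PATTERNS = {
    "local_ident": re.compile(r"local\s+ident \(addr/mask/prot/port\):\s*\(([^)]*)\)"),
    "remote_ident": re.compile(r"remote ident \(addr/mask/prot/port\):\s*\(([^)]*)\)"),
    "peer": re.compile(r"current_peer:?\s+(\S+)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "errors": re.compile(r"#send errors:?\s*(\d+),\s*#recv errors:?\s*(\d+)"),
}


def parse_ipsec_sa(text):
    """Split the output into one FlowStats per local/remote identity pair."""
    flows = []
    cur = None
    for line in text.splitlines():
        m = PATTERNS["local_ident"].search(line)
        if m:
            cur = FlowStats(local_ident=m.group(1))
            flows.append(cur)
            continue
        if cur is None:
            continue
        for key in ("remote_ident", "peer"):
            m = PATTERNS[key].search(line)
            if m:
                setattr(cur, key, m.group(1))
        for key in ("encaps", "decaps"):
            m = PATTERNS[key].search(line)
            if m:
                setattr(cur, key, int(m.group(1)))
        m = PATTERNS["errors"].search(line)
        if m:
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
    return flows


def assess(flow):
    """Classify a flow by its counters the way you would when eyeballing the output."""
    if flow.encaps == 0 and flow.decaps == 0:
        return "idle"            # nothing has matched the crypto ACL yet
    if flow.encaps > 0 and flow.decaps == 0:
        return "one-way-tx"      # we encrypt, nothing returns: check the far side's ACL/routing
    if flow.decaps > 0 and flow.encaps == 0:
        return "one-way-rx"      # we decrypt only: check our own routing/ACL
    if flow.send_errors or flow.recv_errors:
        return "ok-with-errors"  # traffic flows both ways, but errors were counted
    return "ok"


def report(text):
    """Return (remote_ident, peer, status) for every flow in the output."""
    return [(f.remote_ident, f.peer, assess(f)) for f in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for remote, peer, status in report(SAMPLE_IPSEC_SA):
        print(f"{remote:40} peer {peer:16} {status}")
```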

Saturday, September 3, 2016

Retrieving the Serial Number on a Standby ASA Firewall (via failover exec)

I was trying to get the serial number of a standby ASA firewall and instead of asking a remote tech to get the chassis serial number, I issued the failover exec command on the Primary ASA firewall to do show commands and get info for the Secondary ASA firewall.

ASA01/pri/act/admin# failover ?

  exec  Execute command on the designated unit
ASA01/pri/act/admin# failover exec ?

  active   Execute command on the active unit
  mate     Execute command on the peer unit
  standby  Execute command on the standby unit
ASA01/pri/act/admin# failover exec standby ?

  LINE  Command String
ASA01/pri/act/admin# failover exec standby show inventory   // SERIAL NUMBER FROM show inventory IS USED FOR SMARTNET
Name: "Chassis", DESCR: "ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC"
PID: ASA5525           , VID: V04     , SN: FGL19514123

ASA01/pri/act/admin# failover exec standby show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.7.2.12   YES manual up                    up 
GigabitEthernet0/1.400     172.27.24.5     YES manual up                    up 
Management0/0              unassigned      YES unset  down                  down

ASA01/pri/act/admin# failover exec standby show version

Cisco Adaptive Security Appliance Software Version 9.4(2)11 <context>
Device Manager Version 7.1(3)

Compiled on Mon 22-Feb-16 22:54 PST by builders

ASA01 up 107 days 22 hours
failover cluster up 108 days 13 hours

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is 00fe.c8e5.10ac, irq 11
 1: Ext: GigabitEthernet0/0  : address is 00fe.c8e5.10b1, irq 5
 2: Ext: GigabitEthernet0/1  : address is 00fe.c8e5.10ad, irq 5
 3: Ext: GigabitEthernet0/2  : address is 00fe.c8e5.10b2, irq 10
 4: Ext: GigabitEthernet0/3  : address is 00fe.c8e5.10ae, irq 10
 5: Ext: GigabitEthernet0/4  : address is 00fe.c8e5.10b3, irq 5
 6: Ext: GigabitEthernet0/5  : address is 00fe.c8e5.10af, irq 5
 7: Ext: GigabitEthernet0/6  : address is 00fe.c8e5.10b4, irq 10
 8: Ext: GigabitEthernet0/7  : address is 00fe.c8e5.10b0, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is 00fe.c8e5.10ac, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 10             perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5525 VPN Premium license.


Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 20             perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Total UC Proxy Sessions           : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH19497ABC    // SERIAL NUMBER FROM show version IS USED FOR ASA FEATURE LICENSING (AnyConnect, security context, UC phone proxy, etc.)
Running Permanent Activation Key: 0xd02ad148 0xf05363e7 0x5563850c 0xc6d844bc 0x401fdxyz
Configuration register is 0x1

Image type          : Release
Key version         : A

Configuration last modified by admin at 18:08:36.255 UTC Thu Jun 30 2016

Saturday, August 27, 2016

Factory Reset a Juniper SSG5 Firewall

I was restoring a Juniper SSG5 firewall to its default settings. There are two ways of doing this: the quick way is using the reset pinhole at the back, and the other is typing its serial number via the command line. I prefer doing the latter, and here's how I did it.



login: 0162052012003235   // USE THE SERIAL NUMBER FOR BOTH LOGIN/PASSWORD
password:
!!! Lost Password Reset !!! You have initiated a command to reset the device to factory defaults, clearing all current configuration and settings. Would you like to continue?  y/[n] y

!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen, password: netscreen. Would you like to continue?  y/[n] y
In reset ...


Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: D8BC25A8)
Copyright (c) 1997-2006 Juniper Networks, Inc.

Total physical memory: 256MB
    Test - Pass
    Initialization - Done

Hit any key to run loader
Hit any key to run loader
Hit any key to run loader
Hit any key to run loader

Loading default system image from on-board flash disk...
Done! (size = 13,369,344 bytes)

Image authenticated!

Start loading...
Done.



Juniper Networks, Inc
SSG5/SSG20 System Software
Copyright, 1997-2008

Version 6.3.0r12.0
Cksum:26cde5cd
Load Manufacture Information ... Done

Initialize FBTL 0........ Done
Load NVRAM Information ... (6.3.0)Done
Install module init vectors
Changed to l3 mode
Install modules (01270800,020b4000) ...
PPP IP-POOL initiated, 256 pools

Initializing DI 1.1.0-ns

*********************************************************
System time: 24Sept2013:21:51:00
If this is the initial device startup,
use the "set clock" command to set the system clock.
*********************************************************
system init done..
System change state to Active(1)

login: netscreen
password:
ssg5-serial-> get system
Product Name: SSG5-Serial
Serial Number: 0162052012003235, Control Number: 00000000
Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.3.0r12.0, Type: Firewall+VPN
Feature: AV-K
BOOT Loader Version: 1.3.3
Compiled by build_master at: Wed Aug 8 05:12:11 PDT 2012
Base Mac: a8d0.e5d2.2c80
File Name: ssg5ssg20.6.3.0r12.0, Checksum: 26cde5cd
, Total Memory: 256MB

Date 09/24/2013 21:59:41, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 0 hours 8 minutes 41 seconds Since 24Sept2013:21:51:00
Total Device Resets: 1, Last Device Reset at: 09/24/2013 20:48:01

<OUTPUT TRUNCATED>

ssg5-serial-> save
Save System Configuration  ...
Done

Saturday, August 13, 2016

Creating ASA Security Context Backup in Solarwinds NCM (and Pokemon Go)

Pokemon Go was just recently released in Southeast Asia (it almost got banned in some countries) and the game craze is phenomenal. Kids and adults (including me) hang out at popular Poke Stops and Poke Gyms. There are even Pokemon Lure parties being organized everywhere. I hope to catch 'em all soon!


My daughter Sophia and I try to catch Pokemons together in parks and even inside our home since there's always a Pokemon lure near our place.


I was initially doing manual backups of all our ASA security contexts, which was quite tedious even though we only have several ASA firewalls across the Asia Pacific (APAC) region. But when our monitoring was migrated to Solarwinds, we were able to leverage the Network Configuration Manager (NCM) for backing up ASA contexts.

You should configure SNMP and AAA on each ASA context in order for NCM to pull its configuration. The other core configuration for this setup is creating the Layer 2 VLAN on the switch, a Layer 3 IP address for the VLAN gateway (I used a /27 subnet to have 30 hosts or ASA contexts), a route to the Solarwinds server, and a Layer 3 subinterface on each ASA context.


Switch

vlan 999
 name Solarwinds


Router

interface GigabitEthernet0/0.999
 description Solarwinds Monitoring Interface
 encapsulation dot1Q 999
 ip address 172.27.255.129 255.255.255.224


ASA

changeto system

<SYSTEM>

interface GigabitEthernet0/1.999
 description Solarwinds Monitoring Interface
 vlan 999

context CUSTOMER-A
 allocate-interface GigabitEthernet0/1.999


changeto context CUSTOMER-A

<CUSTOMER-A>

username admin password Passw0rd! privilege 15

interface GigabitEthernet0/1.999
 nameif Solarwinds
 security-level 100
 ip address 172.27.255.130 255.255.255.224

route Solarwinds 10.111.0.0 255.255.255.0 172.27.255.129

ssh 10.111.0.0 255.255.255.0 Solarwinds

snmp-server group MyGroup v3 priv
snmp-server user Admin MyGroup v3 auth md5 Passw0rd! priv aes 128 Passw0rd!
snmp-server host Solarwinds 10.111.0.71 version 3 Admin

crypto key generate rsa modulus 2048

aaa-server ACS protocol tacacs+
aaa-server ACS (Solarwinds) host 10.111.0.99
 key Passw0rd!  

aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa authorization command ACS LOCAL


I was able to poll the individual ASA context via SNMP and download both the running and startup config.


Saturday, July 9, 2016

Cisco ASA URL Filtering via DNS Inspection Policy Map

One of our Ipoque DPI appliances suddenly failed but activated its fail-to-wire feature. I had to temporarily perform URL filtering on the ASA 5525-X by creating regular expressions (regex) for the domains to be blocked and applying a DNS inspection policy that drops DNS lookups for them. For this example, I want to block domains such as Youtube, Facebook and Piratebay.


regex Youtube "youtube\.com"
regex Facebook "facebook\.com"
regex Piratebay "piratebay\.org"

class-map type regex match-any DomainBlockList
 match regex Youtube
 match regex Facebook
 match regex Piratebay

policy-map type inspect dns PM-DNS-inspect
  match domain-name regex class DomainBlockList
  drop-connection log   // DROP SPECIFIED DOMAINS AND ALLOW EVERYTHING ELSE

policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map   // REMOVE DEFAULT DNS INSPECTION POLICY
  inspect dns PM-DNS-inspect


I've also enabled syslog to verify if the regex and DNS filtering policy are working.

logging enable 
logging buffered informational
logging timestamp




ciscoasa# show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level informational, 1948 messages logged
    Trap logging: disabled
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
May 23 2016 17:09:30: %ASA-4-410003: DNS Classification: Dropped DNS request (id 7944) from inside:192.168.1.10/53050 to outside:8.8.8.8/53; matched Class 22: match domain-name regex class DomainBlockList
May 23 2016 17:09:30: %ASA-4-507003: udp flow from inside:192.168.1.10/53050 to outside:8.8.8.8/53 terminated by inspection engine, reason - inspector disconnected, dropped packet.
May 23 2016 17:09:30: %ASA-6-302016: Teardown UDP connection 511 for outside:8.8.8.8/53 to inside:192.168.1.10/53050 duration 0:00:00 bytes 0
May 23 2016 17:09:33: %ASA-6-302014: Teardown TCP connection 495 for outside:172.20.80.21/9100 to inside:192.168.1.10/50128 duration 0:00:30 bytes 0 SYN Timeout
May 23 2016 17:09:34: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.10/50132 to outside:172.27.25.254/13351
May 23 2016 17:09:34: %ASA-6-302013: Built outbound TCP connection 512 for outside:172.20.80.21/9100 (172.20.80.21/9100) to inside:192.168.1.10/50132 (172.27.25.254/13351)
May 23 2016 17:09:34: %ASA-6-302015: Built outbound UDP connection 513 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.10/53050 (172.27.25.254/14713)
May 23 2016 17:09:34: %ASA-4-410003: DNS Classification: Dropped DNS request (id 7944) from inside:192.168.1.10/53050 to outside:8.8.8.8/53; matched Class 22: match domain-name regex class DomainBlockList
May 23 2016 17:09:34: %ASA-4-507003: udp flow from inside:192.168.1.10/53050 to outside:8.8.8.8/53 terminated by inspection engine, reason - inspector disconnected, dropped packet.
May 23 2016 17:09:34: %ASA-6-302016: Teardown UDP connection 513 for outside:8.8.8.8/53 to inside:192.168.1.10/53050 duration 0:00:00 bytes 0
May 23 2016 17:09:35: %ASA-6-305011: Built dynamic UDP translation from inside:192.168.1.10/53051 to outside:172.27.25.254/9577
May 23 2016 17:09:35: %ASA-6-302015: Built outbound UDP connection 514 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.10/53051 (172.27.25.254/9577)
May 23 2016 17:09:35: %ASA-6-305011: Built dynamic UDP translation from inside:192.168.1.10/53052 to outside:172.27.25.254/38752
May 23 2016 17:09:35: %ASA-6-302015: Built outbound UDP connection 515 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.10/53052 (172.27.25.254/38752)
May 23 2016 17:09:35: %ASA-6-302016: Teardown UDP connection 515 for outside:8.8.8.8/53 to inside:192.168.1.10/53052 duration 0:00:00 bytes 72
May 23 2016 17:09:35: %ASA-6-302016: Teardown UDP connection 514 for outside:8.8.8.8/53 to inside:192.168.1.10/53051 duration 0:00:00 bytes 72
May 23 2016 17:09:37: %ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.10/50127 to outside:172.27.25.254/39345 duration 0:01:00
May 23 2016 17:09:40: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.10/52130 to outside:172.27.25.254/50331 duration 0:00:30
May 23 2016 17:09:40: %ASA-6-302014: Teardown TCP connection 497 for outside:216.146.46.10/445 to inside:192.168.1.10/50129 duration 0:00:30 bytes 0 SYN Timeout
May 23 2016 17:09:41: %ASA-6-302014: Teardown TCP connection 498 for outside:216.146.46.11/445 to inside:192.168.1.10/50130 duration 0:00:30 bytes 0 SYN Timeout
May 23 2016 17:09:43: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.10/60600 to outside:172.27.25.254/9592 duration 0:00:30
May 23 2016 17:09:43: %ASA-6-305012: Teardown dynamic ICMP translation from inside:192.168.1.10/1 to outside:172.27.25.254/44940 duration 0:00:30
May 23 2016 17:09:50: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.10/52188 to outside:172.27.25.254/40294 duration 0:00:30
May 23 2016 17:09:56: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.10/53050 to outside:172.27.25.254/14713 duration 0:00:30
May 23 2016 17:10:00: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.10/50133 to outside:172.27.25.254/40275
May 23 2016 17:10:00: %ASA-6-302013: Built outbound TCP connection 516 for outside:172.20.80.21/9100 (172.20.80.21/9100) to inside:192.168.1.10/50133 (172.27.25.254/40275)
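The %ASA-4-410003 lines in the excerpt above are the evidence that the DNS inspection policy is actually dropping queries, and they are the lines a SOC would want to pull out of the buffered log. The following parser is an added example, not code from the original post: it splits the generic ASA syslog header from the message body, extracts the source host, resolver and matched class from each 410003 message, and counts drops per source and repeated query ids (a resolver retrying the same blocked lookup). The sample lines are copied from the excerpt above; the regexes are written against the message format shown there and nothing else.

```python
"""Summarise DNS requests dropped by ASA DNS inspection (%ASA-4-410003).

Added example; not from the original post. Sample lines below are taken
from the "show logging" excerpt above.
"""
import re
from collections import Counter, defaultdict

# Constructed sample input: lines lifted verbatim from the log excerpt above.
SAMPLE_LOG = """\
May 23 2016 17:09:30: %ASA-4-410003: DNS Classification: Dropped DNS request (id 7944) from inside:192.168.1.10/53050 to outside:8.8.8.8/53; matched Class 22: match domain-name regex class DomainBlockList
May 23 2016 17:09:30: %ASA-4-507003: udp flow from inside:192.168.1.10/53050 to outside:8.8.8.8/53 terminated by inspection engine, reason - inspector disconnected, dropped packet.
May 23 2016 17:09:30: %ASA-6-302016: Teardown UDP connection 511 for outside:8.8.8.8/53 to inside:192.168.1.10/53050 duration 0:00:00 bytes 0
May 23 2016 17:09:34: %ASA-4-410003: DNS Classification: Dropped DNS request (id 7944) from inside:192.168.1.10/53050 to outside:8.8.8.8/53; matched Class 22: match domain-name regex class DomainBlockList
May 23 2016 17:09:35: %ASA-6-302015: Built outbound UDP connection 514 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.10/53051 (172.27.25.254/9577)
"""

# Generic ASA syslog header as logged with "logging timestamp":
#   "<Mon DD YYYY HH:MM:SS>: %ASA-<severity>-<msgid>: <text>"
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Body of message 410003 exactly as it appears in the excerpt above.
DNS_DROP_RE = re.compile(
    r"Dropped DNS request \(id (?P<qid>\d+)\) from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+); "
    r"matched Class (?P<class_no>\d+): match domain-name regex class (?P<class_name>\S+)"
)


def parse_asa_line(line):
    """Return (timestamp, severity, message id, text), or None for non-ASA lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), int(m.group("sev")), m.group("msgid"), m.group("text")


def dns_drop_events(log_text):
    """Yield one dict per %ASA-4-410003 line with the fields an analyst pivots on."""
    for line in log_text.splitlines():
        parsed = parse_asa_line(line)
        if parsed is None:
            continue
        ts, sev, msgid, text = parsed
        if msgid != "410003":
            continue
        m = DNS_DROP_RE.search(text)
        if not m:
            continue  # unknown 410003 variant: skip rather than guess at fields
        event = m.groupdict()
        event.update(ts=ts, severity=sev)
        yield event


def summarise(log_text):
    """Count drops per (source host, matched class) and list repeated query ids."""
    per_source = Counter()
    seen_qids = defaultdict(list)
    for ev in dns_drop_events(log_text):
        per_source[(ev["src_ip"], ev["class_name"])] += 1
        seen_qids[ev["qid"]].append(ev["ts"])
    retries = {qid: stamps for qid, stamps in seen_qids.items() if len(stamps) > 1}
    return per_source, retries


if __name__ == "__main__":
    counts, retries = summarise(SAMPLE_LOG)
    for (src, cls), n in counts.most_common():
        print(f"{src} matched {cls} {n} time(s)")
    for qid, stamps in retries.items():
        print(f"query id {qid} retried at {', '.join(stamps)}")
```

Note that the 410003 message records which class matched but not the queried name itself, so to see which domain a host was trying to resolve you still need the resolver's own query log or a packet capture on the inside interface.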


Below is the full config that was applied on my lab ASA 5505 running version 8.3.

ciscoasa# show run
: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.27.25.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
regex Piratebay "piratebay\.org"
regex Youtube "youtube\.com"
regex Facebook "facebook\.com"
boot system disk0:/asa832-k8.bin
ftp mode passive
object network INSIDE-PAT
 subnet 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network INSIDE-PAT
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 172.27.25.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map type regex match-any DomainBlockList
 match regex Youtube
 match regex Facebook
 match regex Piratebay
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect dns PM-DNS-inspect
 parameters
 match domain-name regex class DomainBlockList
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns PM-DNS-inspect
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:84d1dbdacf047ec442ba73e29b20eecd
: end

Friday, July 1, 2016

FireSight GUI Menu Navigation

Just some additional post-setup features or settings that you might want to note in FireSight.

NAT and VPN options under the Devices tab are applicable to the dedicated FirePower appliance only. You can't run these features with the ASA FirePower module.


Objects are similar to ASA objects or aliases, which are used to simplify policy creation.


AMP is for managing malware protection for FireAMP endpoints. This is where you download the latest update from the FireSight cloud database.


You can create local admin accounts under Local > User Management > Create Users. By default, there's an admin account (default password is Sourcefire). You can also integrate user accounts with an external database such as LDAP or RADIUS and specify different privilege levels.



FireSight also has a syslog function under System > Monitoring > Syslog, which can be used for troubleshooting.


The device's health statistics, such as uptime, memory and disk usage, can be found under Monitoring > Statistics by clicking the device under Select Device(s). You can check the health stats on both the ASA with FirePower module and the FireSight Defense Center (DC).



You can perform backup and restore under Tools. You can also schedule system backup and its frequency.




Click on Help > About to check the FireSight DC serial number and current OS version; Help > Support Site redirects you to the TAC support website.



You can change the current user's password under admin > User Preference and also change the dashboard page settings such as home page and time zone preference.