Tuesday, January 25, 2022

Cisco ASA failover key Command

I needed to add the failover key <KEY> command on a Cisco ASA firewall pair. The failover pair is working, but the previous admin never configured this command. The failover key is what encrypts and authenticates the communication between the two units on the failover link, which otherwise carries the configuration replication in the clear. I used two Cisco ASAv firewalls in my GNS3 lab to check whether adding the command to a running pair is reasonably safe and wouldn't break failover. It's still advisable to do this in an approved maintenance window.


ASAv-1# show version

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)

Compiled on Wed 10-May-17 15:38 PDT by builders
System image file is "boot:/asa981-smp-k8.bin"
Config file at boot was "startup-config"

ASAv-1 up 16 mins 35 secs

Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 1900 MHz,
Model Id:   ASAv10
Internal ATA Compact Flash, 8192MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB

 0: Ext: Management0/0       : address is 0ce5.a655.f500, irq 11
 1: Ext: GigabitEthernet0/0  : address is 0ce5.a655.f501, irq 11
 2: Ext: GigabitEthernet0/1  : address is 0ce5.a655.f502, irq 10
 3: Ext: GigabitEthernet0/2  : address is 0ce5.a655.f503, irq 10
 4: Ext: GigabitEthernet0/3  : address is 0ce5.a655.f504, irq 11
 5: Ext: GigabitEthernet0/4  : address is 0ce5.a655.f505, irq 11
 6: Ext: GigabitEthernet0/5  : address is 0ce5.a655.f506, irq 10
 7: Ext: GigabitEthernet0/6  : address is 0ce5.a655.f507, irq 10

License mode: Smart Licensing
ASAv Platform License State: Unlicensed
No active entitlement: no feature tier and no throughput level configured
*Memory resource allocation is more than the permitted limit.

Licensed features for this platform:
Maximum VLANs                     : 50
Inside Hosts                      : Unlimited
Failover                          : Active/Standby   // ASAv SUPPORTS ACTIVE/STANDBY BY DEFAULT
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 0
Carrier                           : Disabled
AnyConnect Premium Peers          : 2
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 250
Total VPN Peers                   : 250
AnyConnect for Mobile             : Disabled
AnyConnect for Cisco VPN Phone    : Disabled
Advanced Endpoint Assessment      : Disabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 2
Botnet Traffic Filter             : Enabled
Cluster                           : Disabled

Serial Number: 9A81V5LKN5F

Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 03:03:53.969 UTC Tue Jan 25 2022

-----

ASAv-2# show version

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)

Compiled on Wed 10-May-17 15:38 PDT by builders
System image file is "boot:/asa981-smp-k8.bin"
Config file at boot was "startup-config"

ASAv-2 up 1 min 53 secs

Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 1900 MHz,
Model Id:   ASAv10
Internal ATA Compact Flash, 8192MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB

 0: Ext: Management0/0       : address is 0ce5.a6d4.2800, irq 11
 1: Ext: GigabitEthernet0/0  : address is 0ce5.a6d4.2801, irq 11
 2: Ext: GigabitEthernet0/1  : address is 0ce5.a6d4.2802, irq 10
 3: Ext: GigabitEthernet0/2  : address is 0ce5.a6d4.2803, irq 10
 4: Ext: GigabitEthernet0/3  : address is 0ce5.a6d4.2804, irq 11
 5: Ext: GigabitEthernet0/4  : address is 0ce5.a6d4.2805, irq 11
 6: Ext: GigabitEthernet0/5  : address is 0ce5.a6d4.2806, irq 10
 7: Ext: GigabitEthernet0/6  : address is 0ce5.a6d4.2807, irq 10

License mode: Smart Licensing
ASAv Platform License State: Unlicensed
No active entitlement: no feature tier and no throughput level configured
*Memory resource allocation is more than the permitted limit.

Licensed features for this platform:
Maximum VLANs                     : 50
Inside Hosts                      : Unlimited
Failover                          : Active/Standby
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 0
Carrier                           : Disabled
AnyConnect Premium Peers          : 2
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 250
Total VPN Peers                   : 250
AnyConnect for Mobile             : Disabled
AnyConnect for Cisco VPN Phone    : Disabled
Advanced Endpoint Assessment      : Disabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 2
Botnet Traffic Filter             : Enabled
Cluster                           : Disabled

Serial Number: 9AK137KWDWB

Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 03:17:50.569 UTC Tue Jan 25 2022

 

 

Configure failover on ASAv-1 and ASAv-2 without the failover key command.

 

ASAv-1# configure terminal
ASAv-1(config)# interface GigabitEthernet0/6   // DIRECT CABLE TO ASAv-2 G0/6
ASAv-1(config-if)# no shutdown
ASAv-1(config-if)# failover lan unit primary
ASAv-1(config)# failover lan interface FAILOVER GigabitEthernet0/6
INFO: Non-failover interface config is cleared on GigabitEthernet0/6 and its sub-interfaces
ASAv-1(config)# failover link FAILOVER GigabitEthernet0/6
ASAv-1(config)# failover interface ip failover 10.0.0.1 255.255.255.252 standby 10.0.0.2
ASAv-1(config)# failover
ASAv-1(config)# .

        No Active mate detected
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate

 


The ASAv pair started to sync and formed the failover pair (or cluster) even without the failover key command.

 

ASAv-2# configure terminal
ASAv-2(config)# interface GigabitEthernet0/6
ASAv-2(config-if)# no shutdown
ASAv-2(config-if)# failover lan unit secondary
ASAv-2(config)# failover lan interface FAILOVER GigabitEthernet0/6
INFO: Non-failover interface config is cleared on GigabitEthernet0/6 and its sub-interfaces
ASAv-2(config)# failover interface ip failover 10.0.0.1 255.255.255.252 standby 10.0.0.2
ASAv-2(config)# failover
ASAv-2(config)# ..

        Detected an Active mate
Beginning configuration replication from mate.
WARNING: Disabling auto import may affect Smart Licensing
WARNING: Local user database is empty and there are still 'aaa' commands for 'LOCAL'.
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...

Trustpoint CA certificate accepted.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
WARNING: Failover is enabled but standby IP address is not configured for this interface.

WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.
WARNING: This command will not take effect until interface 'inside' has been assigned an IPv4 address
End configuration replication from mate.

 

 

The secondary unit went to the Failed state because of its monitored interfaces: the only cable connected on ASAv-2 is the direct link to ASAv-1 used for the failover interface (G0/6), so the outside, inside and dmz interfaces have no link.

 

ASAv-1# ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/20 ms

ASAv-1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(1), Mate 9.8(1)
Serial Number: Ours 9A81V5LKN5F, Mate 9AK137KWDWB
Last Failover at: 03:20:54 UTC Jan 25 2022
        This host: Primary - Active
                Active time: 52 (sec)
                slot 0: empty
                  Interface outside (200.1.1.1): Normal (Waiting)
                  Interface inside (172.16.1.1): Normal (Waiting)
                  Interface dmz (10.1.1.1): Normal (Waiting)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                  Interface outside (0.0.0.0): No Link (Waiting)
                  Interface inside (0.0.0.0): No Link (Waiting)
                  Interface dmz (0.0.0.0): No Link (Waiting)

<OUTPUT TRUNCATED>

ASAv-1# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Ifc Failure              03:21:27 UTC Jan 25 2022
                              outside: No Link
                              inside: No Link
                              dmz: No Link

====Configuration State===
        Sync Done
====Communication State===
        Mac set

ASAv-1# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
03:02:35 UTC Jan 25 2022
Not Detected               Disabled                   No Error

03:20:19 UTC Jan 25 2022
Disabled                   Negotiation                Set by the config command

03:20:54 UTC Jan 25 2022
Negotiation                Just Active                No Active unit found

03:20:54 UTC Jan 25 2022
Just Active                Active Drain               No Active unit found

03:20:54 UTC Jan 25 2022
Active Drain               Active Applying Config     No Active unit found

03:20:54 UTC Jan 25 2022
Active Applying Config     Active Config Applied      No Active unit found

03:20:54 UTC Jan 25 2022
Active Config Applied      Active                     No Active unit found

==========================================================================

 

 

I temporarily removed interface monitoring with no monitor-interface <INTERFACE> on all three interfaces and added the prompt hostname priority command to tell the Primary and Secondary ASAv prompts apart. Failover then recovered and the Secondary ASAv changed to Standby Ready.

 

ASAv-1(config)# no monitor-interface outside
ASAv-1(config)# no monitor-interface inside
ASAv-1(config)# no monitor-interface dmz
ASAv-1(config)# prompt hostname priority
ASAv-1/pri(config)#

ASAv-1/sec#
Switching to Ok for reason Interface check.

ASAv-1/pri# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(1), Mate 9.8(1)
Serial Number: Ours 9A81V5LKN5F, Mate 9AK137KWDWB
Last Failover at: 03:20:54 UTC Jan 25 2022
        This host: Primary - Active
                Active time: 277 (sec)
                slot 0: empty
                  Interface outside (200.1.1.1): Normal (Not-Monitored)
                  Interface inside (172.16.1.1): Normal (Not-Monitored)
                  Interface dmz (10.1.1.1): Normal (Not-Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (0.0.0.0): No Link (Not-Monitored)
                  Interface inside (0.0.0.0): No Link (Not-Monitored)
                  Interface dmz (0.0.0.0): No Link (Not-Monitored)

<OUTPUT TRUNCATED>

ASAv-1/pri# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Ifc Failure              03:21:27 UTC Jan 25 2022
                              outside: No Link
                              inside: No Link
                              dmz: No Link

====Configuration State===
        Sync Done
====Communication State===
        Mac set

ASAv-1/pri# failover exec mate show run   // VERIFY CONFIG IN ASAv-2
: Saved

:
: Serial Number: 9AK137KWDWB
: Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 1900 MHz
:
ASA Version 9.8(1)
!
hostname ASAv-1
enable password $sha512$5000$5bps8k/6inHnfDTz/HO44A==$PjXAl3nW8pK5BfcT6tJYwA== pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names

!
interface GigabitEthernet0/0
 description ### TO R1 F1/0: INTERNET ###
 nameif outside
 security-level 0
 ip address 200.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description ### TO IOU_SW01 E0/0: INSIDE ###
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 description ### TO R2 DMZ SERVER ###
 nameif dmz
 security-level 50

<OUTPUT TRUNCATED>

ASAv-1/pri# failover exec mate show run failover
failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/6
failover link FAILOVER GigabitEthernet0/6
failover interface ip FAILOVER 10.0.0.1 255.255.255.252 standby 10.0.0.2

 

 

So I added the failover key command and confirmed it didn't "break" the ASA failover pair; the command was also immediately synced to ASAv-2. The key cisco below is only for the lab. In production use a long random shared secret, since this key is what protects the failover link traffic between the units.


ASAv-1/pri# configure terminal
ASAv-1/pri(config)# failover key cisco
ASAv-1/pri(config)# end

ASAv-1/pri# show run failover
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/6
failover key *****
failover link FAILOVER GigabitEthernet0/6
failover interface ip FAILOVER 10.0.0.1 255.255.255.252 standby 10.0.0.2

ASAv-1/pri# failover exec mate show run failover
failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/6
failover key *****
failover link FAILOVER GigabitEthernet0/6
failover interface ip FAILOVER 10.0.0.1 255.255.255.252 standby 10.0.0.2

ASAv-1/pri# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(1), Mate 9.8(1)
Serial Number: Ours 9A81V5LKN5F, Mate 9AK137KWDWB
Last Failover at: 03:20:54 UTC Jan 25 2022
        This host: Primary - Active
                Active time: 416 (sec)
                slot 0: empty
                  Interface outside (200.1.1.1): Normal (Not-Monitored)
                  Interface inside (172.16.1.1): Normal (Not-Monitored)
                  Interface dmz (10.1.1.1): Normal (Not-Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (0.0.0.0): No Link (Not-Monitored)
                  Interface inside (0.0.0.0): No Link (Not-Monitored)
                  Interface dmz (0.0.0.0): No Link (Not-Monitored)

<OUTPUT TRUNCATED>
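A pre-change and post-change health check for the pair, as an added Python example that is not part of the original post: it parses the text of show failover and reports anything keeping the pair from the Active / Standby Ready state, so the same check can be run before and after adding failover key. The two sample outputs are constructed from the lab transcript above; the parsing logic and function names are this example's own.

```python
"""Health check for a Cisco ASA failover pair from 'show failover' output.

Added example (Python), not code from the original post. It parses the text of
'show failover' as captured from the CLI and lists what keeps the pair from the
healthy Active / Standby Ready state, so the same check can be run before and
after a change such as adding 'failover key'.
"""
import re

# Sample outputs constructed from the post's lab transcript (trimmed).
BEFORE = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/6 (up)
Monitored Interfaces 3 of 61 maximum
Version: Ours 9.8(1), Mate 9.8(1)
        This host: Primary - Active
                Active time: 52 (sec)
                  Interface outside (200.1.1.1): Normal (Waiting)
                  Interface inside (172.16.1.1): Normal (Waiting)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                  Interface outside (0.0.0.0): No Link (Waiting)
                  Interface inside (0.0.0.0): No Link (Waiting)
"""

AFTER = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/6 (up)
Monitored Interfaces 0 of 61 maximum
Version: Ours 9.8(1), Mate 9.8(1)
        This host: Primary - Active
                Active time: 416 (sec)
                  Interface outside (200.1.1.1): Normal (Not-Monitored)
                  Interface inside (172.16.1.1): Normal (Not-Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (0.0.0.0): No Link (Not-Monitored)
                  Interface inside (0.0.0.0): No Link (Not-Monitored)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host: (Primary|Secondary) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+?) \((.+?)\)\s*$")
VERSION_RE = re.compile(r"Ours (\S+), Mate (\S+)")


def parse_show_failover(text):
    """Return pair-level flags plus a per-host section with its interfaces."""
    state = {"failover_on": False, "lan_link_up": False,
             "version_match": None, "hosts": {}}
    current = None  # host section that following interface lines belong to
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Failover On":
            state["failover_on"] = True
        elif stripped.startswith("Failover LAN Interface:"):
            state["lan_link_up"] = stripped.endswith("(up)")
        elif stripped.startswith("Version:"):
            m = VERSION_RE.search(stripped)
            if m:
                state["version_match"] = m.group(1) == m.group(2)
        m = HOST_RE.match(line)
        if m:
            current = {"unit": m.group(2), "state": m.group(3), "interfaces": []}
            state["hosts"]["this" if m.group(1) == "This" else "other"] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current["interfaces"].append({"name": m.group(1), "ip": m.group(2),
                                          "status": m.group(3), "monitor": m.group(4)})
    return state


def failover_problems(state):
    """List what is wrong with the pair; an empty list means healthy."""
    problems = []
    if not state["failover_on"]:
        problems.append("failover is not enabled")
    if not state["lan_link_up"]:
        problems.append("failover LAN interface is not up")
    if state["version_match"] is False:
        problems.append("software version differs between the units")
    unit_states = sorted(h["state"] for h in state["hosts"].values())
    if unit_states != ["Active", "Standby Ready"]:
        problems.append("unit states %s, expected Active and Standby Ready" % unit_states)
    for who, host in state["hosts"].items():
        for ifc in host["interfaces"]:
            # Only monitored interfaces count towards the unit's interface check,
            # which is why 'no monitor-interface' cleared the Failed state above.
            if ifc["monitor"] != "Not-Monitored" and ifc["status"] != "Normal":
                problems.append("%s host, interface %s: %s" % (who, ifc["name"], ifc["status"]))
    return problems


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, failover_problems(parse_show_failover(text)) or "healthy")
```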

 

Friday, October 15, 2021

Cisco ASA Multiple Context-Based Firewall login Command

Here's a link about AAA and the local username database in a Cisco ASA Multiple mode/Context-based Firewall. Use the login command instead of enable when you want a local username account (with privilege 15) to serve as the AAA fallback when the remote authentication server, such as TACACS+ or RADIUS, is not reachable. This lets you jump to a context and issue any show and global configuration commands.

ciscoasa/pri/act> enable

Username: cisco-admin

Password: ***********

ciscoasa/pri/act# changeto context admin

ciscoasa/pri/act/admin# show run interface Management0/0

Fallback authorization. Username 'enable_15' not in LOCAL database

Command authorization failed

 

ciscoasa/pri/act/admin# configure terminal

Command authorization failed

 

 

ciscoasa/pri/act> login

Username: cisco-admin

Password: ***********

ciscoasa/pri/act# changeto context admin

ciscoasa/pri/act/admin# show run interface Management0/0

!

interface Management0/0

 management-only

 nameif management

 security-level 100

 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

 

Sunday, July 4, 2021

Configuring Objects in a Cisco ASA Firewall

Here's a link about Cisco ASA Objects. I needed to "harden" our SIP connection to an external SIP gateway in the Internet. So instead of configuring multiple ACL entries, I configured Network and Service Objects on the Cisco ASA Firewall.

ciscoassa# configure terminal
ciscoassa(config)# object-group network SIP-EXTERNAL
ciscoassa(config-network-object-group)# network-object ?

network-object-group mode commands/options:
  Hostname or A.B.C.D                     Enter an IPv4 network address
  Hostname/<0-128> or X:X:X:X::X/<0-128>  Enter an IPv6 prefix
  host                                    Enter this keyword to specify a
                                          single host object
  object                                  Enter this keyword to specify a
                                          network object
ciscoassa(config-network-object-group)# network-object host 208.7.8.1
ciscoassa(config-network-object-group)# network-object host 208.7.8.2

ciscoassa(config)# object-group network SIP-INTERNAL
ciscoassa(config-network-object-group)# network-object host 192.168.1.6
ciscoassa(config-network-object-group)# network-object host 192.168.1.7

ciscoassa(config)# object-group service SIP-PROTOCOLS
ciscoassa(config-service-object-group)# service-object ?

dual-service-object-group mode commands/options:
  <0-255>  Enter protocol number (0 - 255)
  ah      
  eigrp   
  esp     
  gre     
  icmp    
  icmp6   
  igmp    
  igrp    
  ip      
  ipinip  
  ipsec   
  nos     
  object   Enter this keyword to specify a service object
  ospf    
  pcp     
  pim     
  pptp    
  sctp    
  snp     
  tcp     
  tcp-udp  Both TCP & UDP
  udp     
ciscoassa(config-service-object-group)# service-object udp ? 

dual-service-object-group mode commands/options:
  destination  Keyword to specify destination
  source       Keyword to specify source
  <cr>
dual-service-object-group mode commands/options:
  <0-65535>          Enter port number (0 - 65535)
  biff              
  bootpc            
  bootps            
  cifs              
  discard           
  dnsix             
  domain            
  echo              
  http              
  isakmp            
  kerberos          
  mobile-ip         
  nameserver        
  netbios-dgm       
  netbios-ns        
  nfs               
  ntp               
  pcanywhere-status 
  pim-auto-rp       
  radius            
  radius-acct       
  rip               
  secureid-udp      
  sip               
  snmp              
  snmptrap          
  sunrpc            
  syslog            
  tacacs            
  talk              
  tftp              
  time              
  vxlan             
  who               
  www               
  xdmcp                    
ciscoassa(config-service-object-group)# service-object udp destination ?

dual-service-object-group mode commands/options:
  eq     Port equal to operator
  gt     Port greater than  operator
  lt     Port less than operator
  neq    Port not equal to operator
  range  Port range operator
ciscoassa(config-service-object-group)# service-object udp destination eq 5060
ciscoassa(config-service-object-group)# service-object tcp destination eq 5060
ciscoassa(config-service-object-group)# service-object udp destination range 5000 60000

ciscoassa(config)# show object
object-group network SIP-EXTERNAL
 network-object host 208.7.8.1
 network-object host 208.7.8.2
object-group service SIP-PROTOCOLS
 service-object udp destination eq sip
 service-object tcp destination eq sip
 service-object udp destination range 5000 60000
object-group network SIP-INTERNAL
 network-object host 192.168.1.6
 network-object host 192.168.1.7

ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit ?

configure mode commands/options:
  <0-255>       Enter protocol number (0 - 255)
  ah           
  eigrp        
  esp          
  gre          
  icmp         
  icmp6        
  igmp         
  igrp         
  ip           
  ipinip       
  ipsec        
  nos          
  object        Specify a service object after this keyword
  object-group  Specify a service or protocol object-group after this keyword
  ospf         
  pcp          
  pim          
  pptp         
  sctp         
  snp          
  tcp          
  udp          
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group ?

configure mode commands/options:
  WORD  Service or protocol object-group name
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS ?                 

configure mode commands/options:
  A.B.C.D                Source IP address
  X:X:X:X::X/<0-128>     Source IPv6 address/prefix
  any                    Abbreviation for source address/mask of
                         0.0.0.0/0.0.0.0 OR source prefix ::/0
  any4                   Abbreviation of source address and mask of 0.0.0.0
                         0.0.0.0
  any6                   Abbreviation for source prefix ::/0
  host                   Use this keyword to configure source host
  interface              Use interface address as source address
  object                 Keyword to enter source object name
  object-group           Network object-group for source address
  object-group-security  Keyword to specify security object-group for source
  object-group-user      Keyword to specify user object-group for source
  security-group         Keyword to specify inline security-group
  user                   Keyword to specify user for source
  user-group             Keyword to specify user-group for source
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL ?                 

configure mode commands/options:
  A.B.C.D                Destination IP address
  X:X:X:X::X/<0-128>     Destination IPv6 address/prefix
  any                    Abbreviation for destination address/mask of
                         0.0.0.0/0.0.0.0 OR destination prefix ::/0
  any4                   Abbreviation for destination address and mask of
                         0.0.0.0 0.0.0.0
  any6                   Abbreviation for destination prefix ::/0
  host                   Use this keyword to configure destination host
  interface              Use interface address as destination address
  object                 Keyword to enter destination object name
  object-group           Network object-group for destination address
  object-group-security  Keyword to specify security object-group for
                         destination
  security-group         Keyword to specify inline security-group
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL object-group SIP-INTERNAL   // ONLY A SINGLE ACE

ciscoassa(config)# show run access-list
access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL object-group SIP-INTERNAL

ciscoassa(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list SIP-OUTSIDE-IN line 1 extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL object-group SIP-INTERNAL (hitcnt=0) 0xc506ba7b
  access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.6 eq sip (hitcnt=0) 0xa581f8ec
  access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.7 eq sip (hitcnt=0) 0xe8109d83
  access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.6 eq sip (hitcnt=0) 0xcd331db8
  access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.7 eq sip (hitcnt=0) 0x401975dd
  access-list OUTSIDE_IN line 1 extended permit tcp host 208.7.8.1 host 192.168.1.6 eq sip (hitcnt=0) 0x22d073e8
  access-list OUTSIDE_IN line 1 extended permit tcp host 208.7.8.1 host 192.168.1.7 eq sip (hitcnt=0) 0x08a4966a
  access-list OUTSIDE_IN line 1 extended permit tcp host 208.7.8.2 host 192.168.1.6 eq sip (hitcnt=0) 0x9747ecca
  access-list OUTSIDE_IN line 1 extended permit tcp host 208.7.8.2 host 192.168.1.7 eq sip (hitcnt=0) 0x41479753
  access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.6 range 5000 60000 (hitcnt=0) 0x98df0f49
  access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.7 range 5000 60000 (hitcnt=0) 0x3542d660
  access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.6 range 5000 60000 (hitcnt=0) 0xcbde7f33
  access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.7 range 5000 60000 (hitcnt=0) 0x2b5bdc5b
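The ASA compiles the single object-group ACE into the cross product of the group members, which is what the indented lines under show access-list reflect. The following added Python example (not code from the original post) reproduces that expansion so the number of compiled entries a rule will create can be reviewed before it is applied. The group contents are constructed from the post; the port-name table is an assumption covering only the names needed here.

```python
"""Expand an object-group ACE into the entries 'show access-list' lists.

Added example (Python), not code from the original post. The ASA compiles a
single ACE that references object-groups into the cross product of the group
members; reproducing that expansion lets you review how many compiled entries
a rule will create before applying it.
"""
from itertools import product

# Object-groups as configured in the post (constructed here as Python data).
NETWORK_GROUPS = {
    "SIP-EXTERNAL": ["host 208.7.8.1", "host 208.7.8.2"],
    "SIP-INTERNAL": ["host 192.168.1.6", "host 192.168.1.7"],
}
SERVICE_GROUPS = {
    "SIP-PROTOCOLS": [
        ("udp", "eq 5060"),
        ("tcp", "eq 5060"),
        ("udp", "range 5000 60000"),
    ],
}

# The ASA prints well-known ports by name (5060 shows as 'sip'); assumed subset.
PORT_NAMES = {"5060": "sip", "53": "domain", "80": "www", "443": "https"}


def render_port(port_spec):
    """Render 'eq 5060' as 'eq sip' the way the ASA does; ranges stay numeric."""
    op, _, rest = port_spec.partition(" ")
    if op == "eq":
        return "eq " + PORT_NAMES.get(rest, rest)
    return port_spec


def expand_ace(action, service_group, src_group, dst_group):
    """Return the compiled entries for one object-group ACE, in ASA order.

    The expansion walks service-object by service-object, then source member,
    then destination member, which matches the ordering in the post's output.
    """
    services = SERVICE_GROUPS[service_group]
    sources = NETWORK_GROUPS[src_group]
    dests = NETWORK_GROUPS[dst_group]
    return [f"extended {action} {proto} {src} {dst} {render_port(port)}"
            for (proto, port), src, dst in product(services, sources, dests)]


def compiled_entry_count(service_group, src_group, dst_group):
    """Size of the expansion without building it: |services| * |src| * |dst|."""
    return (len(SERVICE_GROUPS[service_group]) * len(NETWORK_GROUPS[src_group])
            * len(NETWORK_GROUPS[dst_group]))


def show_access_list(acl_name, action, service_group, src_group, dst_group):
    """Mimic the nested 'show access-list' view (without hit counts and hashes)."""
    header = (f"access-list {acl_name} line 1 extended {action} "
              f"object-group {service_group} object-group {src_group} "
              f"object-group {dst_group}")
    body = [f"  access-list {acl_name} line 1 {entry}"
            for entry in expand_ace(action, service_group, src_group, dst_group)]
    return "\n".join([header] + body)


if __name__ == "__main__":
    print(show_access_list("SIP-OUTSIDE-IN", "permit", "SIP-PROTOCOLS",
                           "SIP-EXTERNAL", "SIP-INTERNAL"))
```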
 

Saturday, April 17, 2021

Cisco ASA Firewall 'shun' Command

A quick and easy way to block an external (public) IP address without creating an ACL is the Cisco ASA Firewall shun feature. This is useful when you don't have the Firepower service enabled on your ASA (just a stateful firewall). Below is an example with an IP address that is reported to be hosting malware.



C:\Users\User>ping 183.131.207.66

Pinging 183.131.207.66 with 32 bytes of data:
Reply from 183.131.207.66: bytes=32 time=74ms TTL=48
Reply from 183.131.207.66: bytes=32 time=76ms TTL=48
Reply from 183.131.207.66: bytes=32 time=74ms TTL=48
Reply from 183.131.207.66: bytes=32 time=73ms TTL=48

Ping statistics for 183.131.207.66:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 73ms, Maximum = 76ms, Average = 74ms


ciscoasa# shun ?

  Hostname or A.B.C.D  Specify source IP address of a mischievous host
ciscoasa# shun 183.131.207.66
Shun 183.131.207.66 added in context: single_vf
Shun 183.131.207.66 successful

ciscoasa# show shun
shun (outside) 183.131.207.66 0.0.0.0 0 0 0

 

I was unable to ping the IP or reach the site over HTTPS afterwards.

C:\Users\User>ping 183.131.207.66

Pinging 183.131.207.66 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 183.131.207.66:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


To remove the shunned host IP, use the no shun <IP ADDRESS> command. Note that shun entries are not part of the saved configuration and do not survive a reload, so a block that needs to be permanent still belongs in an ACL.

ciscoasa# no shun 183.131.207.66

ciscoasa#

ciscoasa# show shun

ciscoasa#


Saturday, March 13, 2021

Configuring NetFlow (NSEL) in a Cisco ASA Firewall

Here's a nice Cisco link for configuring NetFlow Secure Event Logging (NSEL) in a Cisco ASA Firewall. The Cisco ASA supports NetFlow version 9.

ciscoasa# configure terminal

ciscoasa(config)# flow-export ?

configure mode commands/options:
  active       Configure Netflow parameters for active connections
  delay        Configure delay for exporting NetFlow events
  destination  Configure a destination to which NetFlow records will be sent
  enable       Enable the export of flow information through NetFlow
               (deprecated)
  template     Specify the template specific configurations
ciscoasa(config)# flow-export destination ?

configure mode commands/options:
Current available interface(s):
  inside       Name of interface GigabitEthernet0/1
  outside      Name of interface GigabitEthernet0/0
ciscoasa(config)# flow-export destination inside ?

configure mode commands/options:
  Hostname or A.B.C.D  Destination IP address or name
ciscoasa(config)# flow-export destination inside 192.168.1.6 ?

configure mode commands/options:
  <1-65535>  UDP port number
ciscoasa(config)# flow-export destination inside 192.168.1.6 2055

ciscoasa(config)# flow-export template ?

configure mode commands/options:
  timeout-rate  Specify the time before templates are resent
ciscoasa(config)# flow-export template timeout-rate ?

configure mode commands/options:
  <1-3600>  Timeout in minutes (default 30 minutes)
ciscoasa(config)# flow-export template timeout-rate 5   // DEFAULT IS 30 MINS

ciscoasa(config)# flow-export delay ?

configure mode commands/options:
  flow-create  Specify delay after which flow creation event will be exported
ciscoasa(config)# flow-export delay flow-create ?

configure mode commands/options:
  <1-180>  Delay in seconds
ciscoasa(config)# flow-export delay flow-create 60

WARNING: The current delay flow-create value configuration may cause flow-update events to appear before flow-creation event.    // JUST A WARNING FOR 5 SECOND DIFFERENCE WITH flow-export active refresh-interval VALUE

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)#  class class-default   // MATCH ALL TRAFFIC
ciscoasa(config-pmap-c)#  flow-export event-type all destination 192.168.1.6
ciscoasa(config-pmap-c)# end
 

ciscoasa# show run flow
flow-export destination inside 192.168.1.6 2055
flow-export template timeout-rate 5
flow-export delay flow-create 60
 

ciscoasa# show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect sip  
 class tcp-traffic
  set connection advanced-options allow-probes
 class class-default
  flow-export event-type all destination 192.168.1.6

policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns dynamic-filter-snoop
!
ciscoasa# write memory
Building configuration...
Cryptochecksum: 9efb8040 ea39e168 2f4ab26e 3f75b246

105044 bytes copied in 1.210 secs (105044 bytes/sec)
[OK]

 

ciscoasa# show flow-export ?

  counters  Display flow-export run-time counters
ciscoasa# show flow-export counters

destination: inside 192.168.1.6 2055
  Statistics:
    packets sent                                             5514
  Errors:
    block allocation failure                                    0
    invalid interface                                           0
    template send failure                                       0
    no route to collector                                       0
    failed to get lock on block                                 0
    source port allocation failure                              0
 

Below is a snippet of the output in Solarwinds' NetFlow Traffic Analyzer (NTA).


No increase in ASA CPU utilization was observed after NetFlow was enabled.

ciscoasa# show cpu usage
CPU utilization for 5 seconds = 4%; 1 minute: 4%; 5 minutes: 4%


ciscoasa# show processes cpu-usage 
Hardware:   ASA5515
Cisco Adaptive Security Appliance Software Version 9.8(4)10
ASLR enabled, text region 7f6204493000-7f6208801234
PC         Thread       5Sec     1Min     5Min   Process
0x0000560200394ce3   0x00007f4ac6ad7880     0.0%     0.0%     0.0%   zone_background_idb
0x00005602010644ed   0x00007f4ac6acce20     0.0%     0.0%     0.0%   webvpn_task
0x00005601ffbb58c8   0x00007f4ac6af27e0     0.0%     0.0%     0.0%   WebVPN KCD Process
0x0000560200ec7b92   0x00007f4ac6ad9920     0.0%     0.0%     0.0%   vpnlb_timer_thread
0x0000560200ec7dca   0x00007f4ac6adf020     0.0%     0.0%     0.0%   vpnlb_thread
0x0000560200eab718   0x00007f4ac6abf840     0.0%     0.0%     0.0%   vpnfol_thread_unsent
0x0000560200eab5c5   0x00007f4ac6abff80     0.0%     0.0%     0.0%   vpnfol_thread_timer
0x0000560200eab058   0x00007f4ac6abfbe0     0.0%     0.0%     0.0%   vpnfol_thread_sync
0x0000560200eaac2f   0x00007f4ac6ac0320     0.0%     0.0%     0.0%   vpnfol_thread_msg
0x00005601ff7f61e8   0x00007f4ac6ad3000     0.0%     0.0%     0.0%   VPN director state sync

 <OUTPUT TRUNCATED>

 

ciscoasa# show processes cpu-usage | exclude 0.0
Hardware:   ASA5515
Cisco Adaptive Security Appliance Software Version 9.8(4)10
PC         Thread       5Sec     1Min     5Min   Process
   -          -         4.6%     3.9%     4.1%   DATAPATH-0-1386

 <OUTPUT TRUNCATED>