Wednesday, November 30, 2011

Cisco Bootstrap / ROMMON Upgrade

Here we are going to upgrade the bootstrap (ROMMON) on a Cisco 1841 ISR; the procedure is the same on the Cisco 2800 / 3800 series.

There really isn't a lot to it, but since you will probably only do it a handful of times during your career I thought it was a worthy post.

The first thing you need to do is download the latest image from Cisco. The file name will look something like this:

C1841_RM2.srec.124-13r.T5

You can check to see what revision your router is running by entering this command:

#show version

Look for this line in the output; it will vary depending on your device and image.

ROM: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)


We are going to upgrade the current image to 12.4(13r)T5 (the 124-13r file).

Once you have the file, you need to get it onto your router's flash card or put it on a USB drive.

All you have to do is type this command and that's it.


Router#upgrade rom-monitor file flash:C1841_RM2.srec.124-13r.T5 

This command will result in a  'power-on reset' of the router!
Continue? [yes/no]: y
ROMMON image upgrade in progress.
Erasing boot flash eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
Programming boot flash ppppppppppp

Now Reloading
System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2004 by cisco Systems, Inc.

And here we are:

System Bootstrap, Version 12.4(13r)T5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2007 by cisco Systems, Inc.
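Before flashing a new bootstrap it is worth checking, from 'show version' and the image file name, that the download really is newer than what is running. The following is an added Python example (not part of the original post); the 'show version' excerpts are constructed from the ROM lines shown above, and the version-ordering rule is my own assumption.

```python
import re
from typing import NamedTuple, Optional


class BootstrapVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    train: str      # "T" for the T train, "" for mainline
    rebuild: int


# 'show version' prints e.g. "ROM: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)"
_SHOW_RE = re.compile(r"ROM: System Bootstrap, Version (\d+)\.(\d+)\((\d+)r?\)([A-Z]*)(\d*)")
# Cisco names the download e.g. "C1841_RM2.srec.124-13r.T5" (124 = 12.4, maintenance 13r, T5)
_FILE_RE = re.compile(r"\.srec\.(\d{2})(\d+)-(\d+)r?\.([A-Z]*)(\d*)$")

# Constructed 'show version' excerpts: the ROM line before and after the upgrade shown above.
SHOW_VERSION_BEFORE = "ROM: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)\n"
SHOW_VERSION_AFTER = "ROM: System Bootstrap, Version 12.4(13r)T5, RELEASE SOFTWARE (fc1)\n"
IMAGE_FILE = "C1841_RM2.srec.124-13r.T5"


def parse_show_version(output: str) -> Optional[BootstrapVersion]:
    """Extract the running bootstrap version from 'show version' output."""
    m = _SHOW_RE.search(output)
    if not m:
        return None
    return BootstrapVersion(int(m[1]), int(m[2]), int(m[3]), m[4], int(m[5] or 0))


def parse_image_name(filename: str) -> Optional[BootstrapVersion]:
    """Extract the bootstrap version encoded in a ROMMON .srec file name."""
    m = _FILE_RE.search(filename)
    if not m:
        return None
    return BootstrapVersion(int(m[1]), int(m[2]), int(m[3]), m[4], int(m[5] or 0))


def upgrade_needed(current: BootstrapVersion, candidate: BootstrapVersion) -> Optional[bool]:
    """True if the candidate is newer, False if not, None when the trains differ
    (a mainline and a T-train bootstrap cannot be ordered by number alone)."""
    if current.train != candidate.train:
        return None
    cur = (current.major, current.minor, current.maint, current.rebuild)
    cand = (candidate.major, candidate.minor, candidate.maint, candidate.rebuild)
    return cand > cur


if __name__ == "__main__":
    running = parse_show_version(SHOW_VERSION_BEFORE)
    target = parse_image_name(IMAGE_FILE)
    print("running:", running, "image:", target, "upgrade:", upgrade_needed(running, target))
```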

That's it for today!

Sunday, November 13, 2011

ASA - ASDM

When you open the ASDM on your ASA and you're tired of accepting the "untrusted" certificate multiple times, all you need to do is create a self-signed certificate and this will go away. I am showing (2) ways to do it: the first is through the ASDM and the second via the CLI.

NOTE: When you create the certificate, keep in mind that all you have done is create it. When you launch the ASDM again you will still need to accept the certificate, but this time it will be stored on your computer, and from then on you should no longer have to.

All you need to do is navigate to Device Management => Certificate Management => Identity Certificates.
Just press "Add" and you will see something similar to the screen shot I have attached.

The trustpoint name & Certificate Subject will self-populate, but they can be anything you choose, and that's it.


If you are looking to accomplish the same thing with the CLI, here is the command structure. You can also go through it with ASDM and preview the commands before they're sent: Tools => Preferences => Communications.

#crypto ca trustpoint ASDM_ASA_Self_Signed

#id-usage ssl-ipsec

#no fqdn

#subject-name CN=ASA1

#enrollment self
#crypto ca enroll ASDM_ASA_Self_Signed noconfirm     




Saturday, November 12, 2011

Cisco ASA Factory Default Configuration

This post contains a few options related to a factory default configuration on a Cisco ASA 5505. The first part shows how to reset the ASA to factory default configuration from the CLI and the commands that are automatically executed once you press enter. The second part is just a clean, fresh from the factory configuration.


asa2(config)# configure factory-default 


Based on the inside IP address and mask, the DHCP address
pool size is reduced to 250 from the platform limit 256

WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.

Begin to apply factory-default configuration:
Clear all configuration
Executing command: interface Ethernet 0/0
Executing command: switchport access vlan 2
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/1
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/2
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/3
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/4
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/5
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/6
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/7
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface vlan2
Executing command: nameif outside
INFO: Security level for "outside" set to 0 by default.
Executing command: no shutdown
Executing command: ip address dhcp setroute
Executing command: exit
Executing command: interface vlan1
Executing command: nameif inside
INFO: Security level for "inside" set to 100 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: allow-ssc-mgmt
ERROR: SSC card is not available
Executing command: no shutdown
Executing command: exit
Executing command: object network obj_any
Executing command: subnet 0.0.0.0 0.0.0.0
Executing command: nat (inside,outside) dynamic interface
Executing command: exit
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 inside
Executing command: dhcpd address 192.168.1.5-192.168.1.254 inside
Executing command: dhcpd auto_config outside
Executing command: dhcpd enable inside
Executing command: logging asdm informational
Factory-default configuration is completed
ciscoasa(config)#

_______________________

ciscoasa# sh run
: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
enable password mrc2YGsms0Df41/U encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!            
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn      
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5ee3fb383a35c98a6d5891329d759d6c
: end
ciscoasa#
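A fresh-from-the-factory config is also a useful baseline for an audit: anything that still matches it on a production box has never been changed. The following is an added Python example (not part of the original post) that flags the factory-default hostname, the two credential hashes exactly as they appear in the dump above, and an ASDM/HTTPS management line open to a whole subnet; the config excerpts are constructed from that dump, and the finding codes are my own.

```python
import re
from typing import List

# The credential hashes exactly as they appear in the factory-default dump above.
DEFAULT_ENABLE_HASH = "mrc2YGsms0Df41/U"
DEFAULT_PASSWD_HASH = "2KFQnbNIdI.2KYOU"
DEFAULT_HOSTNAME = "ciscoasa"

# "http <network> <mask> <interface>" lines grant ASDM/HTTPS management access.
_HTTP_ACCESS_RE = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")

# Constructed excerpt of the factory-default running config shown above.
SAMPLE_DEFAULT_CONFIG = """\
ASA Version 8.4(1)
!
hostname ciscoasa
enable password mrc2YGsms0Df41/U encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
http server enable
http 192.168.1.0 255.255.255.0 inside
"""

# Constructed hardened variant: renamed, passwords changed, ASDM limited to one admin host.
SAMPLE_HARDENED_CONFIG = """\
hostname fw-branch-01
enable password <changed-hash-placeholder> encrypted
passwd <changed-hash-placeholder> encrypted
http server enable
http 192.168.1.10 255.255.255.255 inside
"""


def audit_factory_defaults(running_config: str) -> List[str]:
    """Return finding codes for factory-default settings left in an ASA running config."""
    findings: List[str] = []
    lines = [ln.strip() for ln in running_config.splitlines()]
    http_enabled = "http server enable" in lines
    for ln in lines:
        if ln == f"hostname {DEFAULT_HOSTNAME}":
            findings.append("default-hostname")
        elif ln == f"enable password {DEFAULT_ENABLE_HASH} encrypted":
            findings.append("factory-enable-password")
        elif ln == f"passwd {DEFAULT_PASSWD_HASH} encrypted":
            findings.append("factory-login-password")
        m = _HTTP_ACCESS_RE.match(ln)
        if m and http_enabled and m.group(2) != "255.255.255.255":
            # Management should be limited to named admin hosts, not the whole inside subnet.
            findings.append(f"asdm-open-to-subnet:{m.group(1)}/{m.group(2)}:{m.group(3)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("default", SAMPLE_DEFAULT_CONFIG), ("hardened", SAMPLE_HARDENED_CONFIG)):
        print(name, audit_factory_defaults(cfg))
```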

Tuesday, October 18, 2011

TCL Notes - Part 2

This is an example of a simple script, as well as how to run it from either the TCL shell or global exec mode. I will have an example of how to fire off a TCL script using EEM at a later date.

Let's get started -

The command below gets passed off to IOS because the TCL interpreter doesn't understand what to do with it, so the output looks like it came from global exec. It also populates the variable "mybuffer" with the output shown.


2811_Home(tcl)#set mybuffer [exec "show ip interface brief"]
Load for five secs: 2%/0%; one minute: 2%; five minutes: 3%
Time source is NTP, 20:10:08.650 CST Tue Oct 18 2011

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES NVRAM  up                    up    
FastEthernet0/1            10.1.2.1        YES NVRAM  up                    up    
FastEthernet0/1.3          10.1.3.1        YES NVRAM  up                    up    
Dot11Radio0/0/0            unassigned      YES NVRAM  up                    up    
NVI0                       192.168.1.1     YES unset  up                    up  
 
What this script does is look for the first instance of "10.1.2." in the variable "mybuffer", which was populated by the "show ip interface brief" command. If found, it prints the line "We found my inside subnet 10.1.2.0 / 24!"; if not, string first returns -1.

Here is the complete script, written in a simple text editor and saved as a ".tcl" file.

set mybuffer [exec "show ip interface brief"]
set foundposition [string first "10.1.2." $mybuffer]
if {$foundposition > -1} {
    puts "We found my inside subnet 10.1.2.0 / 24!"
}

I copied the file to my router...

2811_Home#copy usbflash0: flash
Source filename []? my-tcl.tcl
Destination filename [my-tcl.tcl]?
Copy in progress...C
181 bytes copied in 0.416 secs (435 bytes/sec)


2811_Home#sh flash
Load for five secs: 11%/0%; one minute: 4%; five minutes: 3%
Time source is NTP, 20:19:55.263 CST Tue Oct 18 2011
-#- --length-- -----date/time------ path
1     59171892 Oct 14 2011 06:08:04 c2800nm-adventerprisek9_ivs-mz.124-22.T5.bin
33        5561 Aug 27 2011 20:10:16 2811_internet_ips-CONFIG
35    12757876 Sep 07 2011 02:55:20 IOS-S556-CLI.pkg
42         180 Oct 20 2011 01:31:54 my-tcl.tcl

Here are (2) ways to execute the script.

2811_Home#tclsh
2811_Home(tcl)#source flash:my-tcl.tcl
We found my inside subnet 10.1.2.0 / 24!

2811_Home#tclsh flash:my-tcl.tcl
We found my inside subnet 10.1.2.0 / 24!

That's it for now...

Sunday, October 16, 2011

TCL Notes

I have been spending a little time working with TCL, a scripting language which is open source and is also available in the majority of Cisco IOS releases. If you would like more information, check out Cisco Press - TCL Scripting for Cisco IOS.


TCL Scripting (Some of the Basics)

R1(tcl)#set a "This is"
R1(tcl)#set b " a test!"
R1(tcl)#append a $b
This is a test!

______________

r1(tcl)#set x 1
1
r1(tcl)#incr x
2

r1(tcl)#set y 2
2
r1(tcl)#incr y
3
r1(tcl)#incr y 2
5
______________

r1(tcl)#set m 2
2
r1(tcl)#expr $m+2
4
r1(tcl)#puts $m
2
______________

" " Double quotes allow substitutions.

{ } Braces must be balanced (opened and closed) and don't allow substitutions.

[ ] Square brackets are for command substitution: the TCL interpreter evaluates the characters between the open and close brackets.

Array variables use an index in parentheses:
$variable
$variable(index)

r1(tcl)#set x(2) 200
200
r1(tcl)#set y(3) 300
300
r1(tcl)#puts $x(2)
200

r1(tcl)#set n(m) 1000
1000
r1(tcl)#puts $n(m)
1000

r1(tcl)#set {I am awesome!} Adrian
Adrian

r1(tcl)#set c cool
cool
r1(tcl)#set d "I am $c"
I am cool
r1(tcl)#puts {You are $c}
You are $c
______________

Append is similar to lappend, but the variables are contained in quotes.

r1(tcl)#set a "This is "
This is
r1(tcl)#set b "my script"
my script
r1(tcl)#append a $b
This is my script
r1(tcl)#puts $a
This is my script
______________

List Append (lappend) adds an element to a list, separated by white space.

r1(tcl)#lappend oscar This is
This is
r1(tcl)#lappend oscar my script
This is my script
r1(tcl)#puts $oscar
This is my script
______________

List Index (lindex) extracts elements from a list but does not modify the list.

As you can see, we have extracted data from this list. Keep in mind that the list is read from left to right and starts at index zero.

r1(tcl)#puts $a
This is my script

r1(tcl)#lindex $a 2
my
r1(tcl)#
r1(tcl)#lindex $a 0
This

r1(tcl)#puts $a  
This is my script
______________

List Insert (linsert) will add new elements to a list.

r1(tcl)#set a [linsert $a 3 awesome ]
This is my awesome script
r1(tcl)#

r1(tcl)#puts $adrian
This is my awesome list

r1(tcl)#llength $adrian
5
______________

r1(tcl)#lsearch $adrian y
-1
r1(tcl)#lsearch $adrian my
2

r1(tcl)#lsearch -regexp $adrian y
2

r1(tcl)#lsearch -regexp $adrian i
0

r1(tcl)#lsearch -global $adrian i
bad search mode "-global": must be -exact, -glob, or -regexp
r1(tcl)#lsearch -glob $adrian i
-1

r1(tcl)#puts $adrian              
This is my list

r1(tcl)#lsearch -regexp $adrian "is"
0
r1(tcl)#
______________

r1(tcl)#set a "This is my script"
This is my script
r1(tcl)#puts $a
This is my script
______________

r1(tcl)#set a [lreplace $a 3 3 really awesome script]
This is my really awesome script
r1(tcl)#puts $a
This is my really awesome script

r1(tcl)#set b "My dogs name is oscar"
My dogs name is oscar
r1(tcl)#set b [lreplace $b 0 4 I also have a dog named shelby!]
I also have a dog named shelby!
r1(tcl)#
______________

r1(tcl)#puts $c
Pulling info from a file

r1(tcl)#set d [lrange $c 2 4]
from a file
r1(tcl)#puts $d
from a file
______________

List Sort (lsort) puts the elements of a list in alphabetical order.

r1(tcl)#puts $d
from a file

r1(tcl)#set d [lsort $d]
a file from

r1(tcl)#lsort -ascii -decreasing $d
from file a
r1(tcl)#lsort -ascii -increasing $d
a file from
r1(tcl)#
______________

r1(tcl)#proc my_script {} {
+>(tcl)#puts "This is my script"
+>(tcl)#}

r1(tcl)#set z {}

r1(tcl)#puts $z

r1(tcl)#for {set z 0} {$z<10} {incr z} {
+>(tcl)#my_script
+>(tcl)#}
This is my script
This is my script
This is my script
This is my script
This is my script
This is my script
This is my script
This is my script
This is my script
This is my script
______________

r1(tcl)#for {set m 0} {$m<5} {incr m} {puts " $m. This is a script"}
 0. This is a script
 1. This is a script
 2. This is a script
 3. This is a script
 4. This is a script

r1(tcl)#set cpuinfo {r1 50 90 r2 10 20}
r1 50 90 r2 10 20

r1(tcl)#foreach {router CPU1 CPU2} $cpuinfo { set CPUavg [expr ($CPU1+$CPU2)/2] ; puts "$router $CPUavg" }
r1 70
r2 15
______________

r1(tcl)#set y 0 ; while {$y < 5} { set T [expr ($y*2)] ; puts "$y. Twice $y is $T" ; incr y }
0. Twice 0 is 0
1. Twice 1 is 2
2. Twice 2 is 4
3. Twice 3 is 6
4. Twice 4 is 8

More to come...

Wednesday, July 13, 2011

Cisco ASA 8.4 IOS - Remote Access VPN

Below is the minimal configuration needed to implement remote access VPNs on a Cisco ASA 5505 running 8.4. Please keep in mind that the names I used in my configuration are my dog's; it's best practice to use a name that describes what / who it's for.

Enable ISAKMP on the interface:

ASA-2(config)# crypto ikev1 enable outside

ASA-2(config)# crypto ikev1 policy 1

ASA-2(config-ikev1-policy)# encryption 3des

ASA-2(config-ikev1-policy)# authentication pre-share

ASA-2(config-ikev1-policy)# hash md5

Setup your Group Policies & Tunnel Policies

ASA-2(config)# group-policy oscar_GP internal

ASA-2(config)# group-policy oscar_GP attributes

ASA-2(config-group-policy)# vpn-tunnel-protocol ikev1

ASA-2(config-group-policy)# address-pools value oscar_pool


*******************

ASA-2(config)# tunnel-group oscar_tg type remote-access

ASA-2(config)# tunnel-group oscar_tg general-attributes

ASA-2(config-tunnel-general)# default-group-policy oscar_GP

ASA-2(config-tunnel-general)# authentication-server-group LOCAL 

ASA-2(config)# tunnel-group oscar_tg ipsec-attributes

ASA-2(config-tunnel-ipsec)# ikev1 pre-shared-key C1sc0


*******************

ASA-2(config)# crypto ipsec ikev1 transform-set oscar_trans esp-3des esp-md5-hmac

ASA-2(config)# ip local pool oscar_pool 10.1.2.140-10.1.2.145 mask 255.255.255.0

ASA-2(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set oscar_trans

ASA-2(config)# username oscar password omEMDQBc9noujG1X encrypted privilege 15

ASA-2(config)# crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

ASA-2(config)# crypto map outside_map interface outside

Sunday, July 3, 2011

Cisco IOS IPS (Intrusion Prevention System) - 2801 ISR

Below is the basic configuration needed to get the IPS feature up and running on an IOS router.

The first thing we need to do is create a directory on your flash to store all of your files. You can name it whatever you like, but something that describes what's in there is usually best practice.

r1#mkdir flash:/oscar_ips
Create directory filename [oscar_ips]?
Created dir flash:/oscar_ips

We need to name the IPS:

r1(config)#ip ips name oscar 


We need to tell the IPS where to store its signature files:

r1(config)#ip ips config location flash:/oscar_ips

Let's retire all of the signatures before we decide which ones we want to turn on; unless you have a lot of memory in your router, you won't be able to turn them all on.


r1(config-ips-category)#category ?
  adware/spyware         Adware/Spyware (more sub-categories)
  all                    All Categories
  attack                 Attack (more sub-categories)
  ddos                   DDoS (more sub-categories)
  dos                    DoS (more sub-categories)
  email                  Email (more sub-categories)
  instant_messaging      Instant Messaging (more sub-categories)
  ios_ips                IOS IPS (more sub-categories)
  l2/l3/l4_protocol      L2/L3/L4 Protocol (more sub-categories)
  network_services       Network Services (more sub-categories)
  os                     OS (more sub-categories)
  other_services         Other Services (more sub-categories)
  p2p                    P2P (more sub-categories)
  reconnaissance         Reconnaissance (more sub-categories)
  releases               Releases (more sub-categories)
  viruses/worms/trojans  Viruses/Worms/Trojans (more sub-categories)
  web_server             Web Server (more sub-categories)



r1(config)#ip ips signature-category
r1(config-ips-category)#category all
r1(config-ips-category-action)#retired true
r1(config-ips-category-action)#exit

Since I am using a 2801 with 256MB of RAM, let's just turn on the basics. (Note: I have tried turning them all on, and this is what happens:


--------------------------------------------------------------------
   Possible software fault. Upon reccurence,  please collect
   crashinfo, "show tech" and contact Cisco Technical Support.
--------------------------------------------------------------------
-Traceback= 0x630B74C8 0x63624B48 0x63604504 0x6363D7B0 0x6349B5F4 0x6349BC3C 0x63496C10 0x6363B2E0 0x6363F2B8 0x616B7CD8 0x616B8420 0x616DDC88 0x630AF450 0x630AF434
Cause 00000014 (Code 0x5): Address Error (store) exception

*Jul  3 18:31:04.635: %REGISTRY-3-STUB_CHK_OVERWRITE: Attempt made to overwrite a set stub function in . -Process= "Init", ipl= 3, pid= 3,  -Traceback= 0x61667464 0x603774C4 0x630ECB68 0x6165BCE0 0x6165BFC0 0x630AF450 0x630AF434)



OK, that was fun!

r1(config-ips-category)#category ios_ips basic
r1(config-ips-category-action)#retired false 
r1(config-ips-category-action)#exit
r1(config-ips-category)#exit


Do you want to accept these changes? [confirm]

We need to assign the IPS that we just enabled to an interface; I have chosen in / out on the same interface.

r1(config)#inter fa 0/1

r1(config-if)#ip ips oscar in

r1(config-if)#ip ips oscar out

Jul  3 18:55:57.107: %IPS-6-ENGINE_BUILDS_STARTED:  18:55:57 UTC Jul 3 2011
Jul  3 18:55:57.107: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
Jul  3 18:55:57.119: %IPS-6-ENGINE_READY: atomic-ip - build time 12 ms - packets for this engine will be scanned
Jul  3 18:55:57.119: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 12 ms

Now we have to add Cisco's public key so the router can verify that the signature package is authentic. You can get the key shown below from Cisco.com, along with the file "IOS-S359-CLI.pkg", which contains the actual signatures.

r1(config)#crypto key pubkey-chain rsa 

r1(config-pubkey-chain)#named-key realm-cisco.pub
Translating "realm-cisco.pub"

r1(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001

r1(config-pubkey)#quit

Now we have everything we need in place; all that's left is to copy the signature file to "idconf".

r1#copy flash:IOS-S359-CLI.pkg idconf 



r1#
Jul  4 13:00:42.547: %IPS-6-ENGINE_BUILDS_STARTED:  13:00:42 UTC Jul 4 2011
Jul  4 13:00:42.547: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
Jul  4 13:00:42.559: %IPS-6-ENGINE_READY: atomic-ip - build time 12 ms - packets for this engine will be scanned
Jul  4 13:00:42.559: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 12 ms
Jul  4 13:00:45.491: Applying Category configuration to signatures ...
Jul  4 13:01:25.047: %IPS-6-ENGINE_BUILDS_STARTED:  13:01:25 UTC Jul 4 2011
Jul  4 13:01:25.047: %IPS-6-ENGINE_BUILDING: multi-string - 11 signatures - 1 of 13 engines
Jul  4 13:01:25.067: %IPS-6-ENGINE_READY: multi-string - build time 20 ms - packets for this engine will be scanned
Jul  4 13:01:25.091: %IPS-6-ENGINE_BUILDING: service-http - 649 signatures - 2 of 13 engines
Jul  4 13:01:34.911: %IPS-6-ENGINE_READY: service-http - build time 9820 ms - packets for this engine will be scanned
Jul  4 13:01:34.947: %IPS-6-ENGINE_BUILDING: string-tcp - 1127 signatures - 3 of 13 engines
Jul  4 13:02:15.767: %IPS-6-ENGINE_READY: string-tcp - build time 40820 ms - packets for this engine will be scanned
Jul  4 13:02:15.771: %IPS-6-ENGINE_BUILDING: string-udp - 75 signatures - 4 of 13 engines
Jul  4 13:02:16.623: %IPS-6-ENGINE_READY: string-udp - build time 852 ms - packets for this engine will be scanned
Jul  4 13:02:16.627: %IPS-6-ENGINE_BUILDING: state - 31 signatures - 5 of 13 engines
Jul  4 13:02:16.711: %IPS-6-ENGINE_READY: state - build time 84 ms - packets for this engine will be scanned
Jul  4 13:02:16.775: %IPS-6-ENGINE_BUILDING: atomic-ip - 304 signatures - 6 of 13 engines
Jul  4 13:02:17.979: %IPS-6-ENGINE_READY: atomic-ip - build time 1204 ms - packets for this engine will be scanned
Jul  4 13:02:18.031: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
Jul  4 13:02:18.087: %IPS-6-ENGINE_READY: string-icmp - build time 56 ms - packets for this engine will be scanned
Jul  4 13:02:18.087: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
Jul  4 13:02:18.111: %IPS-6-ENGINE_READY: service-ftp - build time 24 ms - packets for this engine will be scanned
Jul  4 13:02:18.115: %IPS-6-ENGINE_BUILDING: service-rpc - 75 signatures - 9 of 13 engines
Jul  4 13:02:18.495: %IPS-6-ENGINE_READY: service-rpc - build time 376 ms - packets for this engine will be scanned
Jul  4 13:02:18.495: %IPS-6-ENGINE_BUILDING: service-dns - 38 signatures - 10 of 13 engines
Jul  4 13:02:18.563: %IPS-6-ENGINE_READY: service-dns - build time 68 ms - packets for this engine will be scanned
Jul  4 13:02:18.563: %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
Jul  4 13:02:56.947: %IPS-6-ENGINE_BUILDS_STARTED:  13:02:56 UTC Jul 4 2011
Jul  4 13:02:56.963: %IPS-6-ENGINE_BUILDING: multi-string - 11 signatures - 1 of 13 engines
Jul  4 13:02:56.975: %IPS-6-ENGINE_READY: multi-string - build time 12 ms - packets for this engine will be scanned
Jul  4 13:02:57.407: %IPS-6-ENGINE_BUILDING: service-http - 649 signatures - 2 of 13 engines
Jul  4 13:02:57.799: %IPS-6-ENGINE_READY: service-http - build time 392 ms - packets for this engine will be scanned
Jul  4 13:02:58.747: %IPS-6-ENGINE_BUILDING: string-tcp - 1127 signatures - 3 of 13 engines
Jul  4 13:02:59.359: %IPS-6-ENGINE_READY: string-tcp - build time 612 ms - packets for this engine will be scanned
Jul  4 13:02:59.911: %IPS-6-ENGINE_BUILDING: string-udp - 75 signatures - 4 of 13 engines
Jul  4 13:02:59.939: %IPS-6-ENGINE_READY: string-udp - build time 28 ms - packets for this engine will be scanned
Jul  4 13:02:59.991: %IPS-6-ENGINE_BUILDING: state - 31 signatures - 5 of 13 engines
Jul  4 13:03:00.003: %IPS-6-ENGINE_READY: state - build time 12 ms - packets for this engine will be scanned
Jul  4 13:03:00.367: %IPS-6-ENGINE_BUILDING: atomic-ip - 304 signatures - 6 of 13 engines
Jul  4 13:03:01.059: %IPS-6-ENGINE_READY: atomic-ip - build time 692 ms - packets for this engine will be scanned
Jul  4 13:03:01.319: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
Jul  4 13:03:01.375: %IPS-6-ENGINE_READY: string-icmp - build time 52 ms - packets for this engine will be scanned
Jul  4 13:03:01.379: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
Jul  4 13:03:01.383: %IPS-6-ENGINE_READY: service-ftp - build time 0 ms - packets for this engine will be scanned
Jul  4 13:03:01.435: %IPS-6-ENGINE_BUILDING: service-rpc - 75 signatures - 9 of 13 engines
Jul  4 13:03:01.467: %IPS-6-ENGINE_READY: service-rpc - build time 32 ms - packets for this engine will be scanned
Jul  4 13:03:01.535: %IPS-6-ENGINE_BUILDING: service-dns - 38 signatures - 10 of 13 engines
Jul  4 13:03:01.555: %IPS-6-ENGINE_READY: service-dns - build time 16 ms - packets for this engine will be scanned
Jul  4 13:03:01.583: %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
Jul  4 13:03:01.739: %IPS-6-ENGINE_READY: service-msrpc - build time 44 ms - packets for this engine will be scanned
Jul  4 13:03:01.755: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 4812 ms

Now you have an IPS running on your router!
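The engine-build syslog above is the only confirmation you get that the signature package actually loaded, so it pays to parse it rather than eyeball it. The following is an added Python example (not part of the original post) that summarises the last build in a log excerpt: signatures and build time per engine, total elapsed time, and the two anomalies worth a second look, an engine that started building but never reported ready and a ready line for an engine that never reported building. The log lines are a constructed subset of the messages shown above; the message formats are taken from them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

_STARTED_RE = re.compile(r"%IPS-6-ENGINE_BUILDS_STARTED:")
_BUILDING_RE = re.compile(r"%IPS-6-ENGINE_BUILDING: (\S+) - (\d+) signatures - (\d+) of (\d+) engines")
_READY_RE = re.compile(r"%IPS-6-ENGINE_READY: (\S+) - build time (\d+) ms")
_COMPLETE_RE = re.compile(r"%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time (\d+) ms")

# Constructed subset of the syslog shown above: a first build that loads only the 3 default
# atomic-ip signatures, then the build triggered by the 'copy ... idconf'.
SAMPLE_LOG = """\
Jul  4 13:00:42.547: %IPS-6-ENGINE_BUILDS_STARTED:  13:00:42 UTC Jul 4 2011
Jul  4 13:00:42.547: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
Jul  4 13:00:42.559: %IPS-6-ENGINE_READY: atomic-ip - build time 12 ms - packets for this engine will be scanned
Jul  4 13:00:42.559: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 12 ms
Jul  4 13:02:56.947: %IPS-6-ENGINE_BUILDS_STARTED:  13:02:56 UTC Jul 4 2011
Jul  4 13:02:56.963: %IPS-6-ENGINE_BUILDING: multi-string - 11 signatures - 1 of 13 engines
Jul  4 13:02:56.975: %IPS-6-ENGINE_READY: multi-string - build time 12 ms - packets for this engine will be scanned
Jul  4 13:02:57.407: %IPS-6-ENGINE_BUILDING: service-http - 649 signatures - 2 of 13 engines
Jul  4 13:02:57.799: %IPS-6-ENGINE_READY: service-http - build time 392 ms - packets for this engine will be scanned
Jul  4 13:02:58.747: %IPS-6-ENGINE_BUILDING: string-tcp - 1127 signatures - 3 of 13 engines
Jul  4 13:02:59.359: %IPS-6-ENGINE_READY: string-tcp - build time 612 ms - packets for this engine will be scanned
Jul  4 13:03:01.583: %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
Jul  4 13:03:01.739: %IPS-6-ENGINE_READY: service-msrpc - build time 44 ms - packets for this engine will be scanned
Jul  4 13:03:01.755: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 4812 ms
"""


@dataclass
class EngineBuild:
    signatures: int
    build_ms: Optional[int] = None      # stays None until an ENGINE_READY line arrives


@dataclass
class BuildSummary:
    engines: Dict[str, EngineBuild] = field(default_factory=dict)
    elapsed_ms: Optional[int] = None
    ready_without_building: List[str] = field(default_factory=list)

    @property
    def total_signatures(self) -> int:
        return sum(e.signatures for e in self.engines.values())

    @property
    def building_without_ready(self) -> List[str]:
        return [name for name, e in self.engines.items() if e.build_ms is None]


def summarize_last_build(log: str) -> BuildSummary:
    """Summarise the most recent engine build in an IOS IPS syslog excerpt.
    Each ENGINE_BUILDS_STARTED line begins a new build and resets the summary."""
    summary = BuildSummary()
    for line in log.splitlines():
        if _STARTED_RE.search(line):
            summary = BuildSummary()
            continue
        m = _BUILDING_RE.search(line)
        if m:
            summary.engines[m.group(1)] = EngineBuild(int(m.group(2)))
            continue
        m = _READY_RE.search(line)
        if m:
            name, ms = m.group(1), int(m.group(2))
            if name in summary.engines:
                summary.engines[name].build_ms = ms
            else:
                summary.ready_without_building.append(name)
            continue
        m = _COMPLETE_RE.search(line)
        if m:
            summary.elapsed_ms = int(m.group(1))
    return summary


if __name__ == "__main__":
    s = summarize_last_build(SAMPLE_LOG)
    print("signatures:", s.total_signatures, "elapsed ms:", s.elapsed_ms)
    print("never ready:", s.building_without_ready, "ready without building:", s.ready_without_building)
```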

More to come...

Wednesday, June 29, 2011

Cisco ASA NAT 8.4

This is a very simple example of the new NAT structure, which begins with version 8.3 of the ASA software. There are more examples on the way...

I have (2) routers, R1 is on the "inside" and R2 is on the "outside".

We will be translating the subnet 1.1.1.0 / 24

This is the range ("pool") of addresses to use in the translation of subnet 1.1.1.0/24:

object network TEST 
 range 10.1.1.5 10.1.1.10


object network TEST_Inside 
 subnet 1.1.1.0 255.255.255.0
 nat (inside,outside) dynamic TEST

************
R2#debug ip icmp

*Jun 29 17:27:05.551: ICMP: echo reply sent, src 10.1.1.25, dst 10.1.1.5

************
ASA# sh nat translated interface outside

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic TEST_Inside TEST
    translate_hits = 7, untranslate_hits = 14
ciscoasa# 

************
R1#ping 10.1.1.25 source 1.1.1.1

Packet sent with a source address of 1.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Saturday, June 25, 2011

Cisco IOS to ASA (8.4) - Basic IPSec Site-to-Site VPN

R1 - 

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ipexpert address 10.1.1.2

crypto ipsec transform-set oscar esp-3des esp-md5-hmac 

crypto map shelby 1 ipsec-isakmp 
 set peer 10.1.1.2
 set transform-set oscar 
 match address 100

access-list 100 permit ip host 2.2.2.2 host 1.1.1.1

interface FastEthernet0/0
 ip address 10.1.1.25 255.255.255.0
 duplex auto
 speed auto
 crypto map shelby

****************************
ASA -

crypto ipsec ikev1 transform-set oscar esp-3des esp-md5-hmac 

crypto map shelby 1 match address abby
crypto map shelby 1 set peer 10.1.1.25 
crypto map shelby 1 set ikev1 transform-set oscar
crypto map shelby interface outside

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

tunnel-group adrian type ipsec-l2l
tunnel-group 10.1.1.25 type ipsec-l2l
tunnel-group 10.1.1.25 ipsec-attributes
ikev1 pre-shared-key *****

access-list abby extended permit ip host 2.2.2.2 host 1.1.1.1 
access-list abby extended permit ip host 1.1.1.1 host 2.2.2.2 
  


Monday, June 20, 2011

Cisco IOS - Basic IPSec Site-to-Site VPN

This is the basic configuration needed to bring up an IPSec tunnel between (2) IOS routers (this was done on a pair of 2801's).

Please keep in mind that the names used do not have to match on both sides.

R1


crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key c1sco address 10.1.12.2

crypto ipsec transform-set shelby esp-3des esp-md5-hmac

crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.12.2
 set transform-set shelby
 match address 100

interface Serial0/3/0
 ip address 10.1.12.1 255.255.255.0
 clock rate 64000
 crypto map CMAP



interface Loopback0
 ip address 1.1.1.1 255.255.255.255


ip route 2.2.2.0 255.255.255.0 10.1.12.2

access-list 100 permit ip host 1.1.1.1 host 2.2.2.2

r1#ping 2.2.2.2 source lo0

Packet sent with a source address of 1.1.1.1
!!!!!

r1#show crypto session  
     
Crypto session current status

Interface: Serial0/3/0
Session status: UP-ACTIVE  
Peer: 10.1.12.2 port 500
  IKE SA: local 10.1.12.1/500 remote 10.1.12.2/500 Active
  IPSEC FLOW: permit ip host 1.1.1.1 host 2.2.2.2
        Active SAs: 2, origin: crypto map

*************

R2

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key c1sco address 10.1.12.1

crypto ipsec transform-set shelby esp-3des esp-md5-hmac

crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.12.1
 set transform-set shelby
 match address 100

interface Loopback0
 ip address 2.2.2.2 255.255.255.255

interface Serial0/3/0
 ip address 10.1.12.2 255.255.255.0
 crypto map CMAP

ip route 1.1.1.0 255.255.255.0 10.1.12.1

access-list 100 permit ip host 2.2.2.2 host 1.1.1.1
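The one thing that does have to match on both sides is the crypto ACL: each side's "permit ip A B" must be mirrored as "permit ip B A" on the peer, and the peer address in "set peer" must line up with the pre-shared key entry and with an address the far side really owns. Here is an added Python example (not part of either post above) that checks this for the IOS-to-IOS configs in this post and also parses the ASA form of the ACL from the previous post. The R1/R2 excerpts are constructed from the configs above, the broken variant is constructed, and the finding strings are my own.

```python
import ipaddress
import re
from typing import List, Set, Tuple

Flow = Tuple[str, str]   # (source, destination) as CIDR strings

_ACE_RE = re.compile(r"^access-list \S+ (?:extended )?permit ip (.+)$")
_PEER_RE = re.compile(r"^\s*set peer (\S+)\s*$", re.M)
_KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+)\s*$", re.M)
_IP_RE = re.compile(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) \S+\s*$", re.M)

# Constructed excerpts of the R1 and R2 configs from the post above.
R1_CONFIG = """
crypto isakmp key c1sco address 10.1.12.2
crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.12.2
 set transform-set shelby
 match address 100
interface Serial0/3/0
 ip address 10.1.12.1 255.255.255.0
 crypto map CMAP
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
"""
R2_CONFIG = """
crypto isakmp key c1sco address 10.1.12.1
crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.12.1
 set transform-set shelby
 match address 100
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface Serial0/3/0
 ip address 10.1.12.2 255.255.255.0
 crypto map CMAP
access-list 100 permit ip host 2.2.2.2 host 1.1.1.1
"""
# Constructed broken variant: a /24 on R2 where R1 expects a single host.
R2_BAD_ACL = R2_CONFIG.replace("host 1.1.1.1", "1.1.1.0 0.0.0.255")


def _take_endpoint(toks: List[str], platform: str) -> Tuple[str, List[str]]:
    """Consume one ACE endpoint (host X | any | addr mask) and return it as CIDR."""
    if toks[0] == "host":
        return str(ipaddress.ip_network(toks[1] + "/32")), toks[2:]
    if toks[0] == "any":
        return "0.0.0.0/0", toks[1:]
    addr, mask = toks[0], toks[1]
    if platform == "ios":
        # IOS access-lists carry wildcard (inverse) masks; the ASA carries real netmasks.
        mask = str(ipaddress.ip_address(int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF))
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False)), toks[2:]


def parse_crypto_acl(config: str, platform: str) -> Set[Flow]:
    """Collect every (src, dst) pair permitted by 'access-list ... permit ip' lines."""
    flows: Set[Flow] = set()
    for line in config.splitlines():
        m = _ACE_RE.match(line.strip())
        if not m:
            continue
        toks = m.group(1).split()
        src, toks = _take_endpoint(toks, platform)
        dst, _ = _take_endpoint(toks, platform)
        flows.add((src, dst))
    return flows


def mirror_mismatches(local: Set[Flow], remote: Set[Flow]) -> Set[Flow]:
    """Local flows whose exact mirror (dst, src) is absent on the far side, a common
    cause of Phase 2 proxy-identity failures."""
    return {(s, d) for (s, d) in local if (d, s) not in remote}


def peer_problems(local: str, remote: str) -> List[str]:
    """IOS-only checks: every 'set peer' needs a matching 'crypto isakmp key ... address'
    entry and must be an interface address the far side actually has configured."""
    problems: List[str] = []
    key_addrs = set(_KEY_RE.findall(local))
    remote_addrs = set(_IP_RE.findall(remote))
    for peer in _PEER_RE.findall(local):
        if peer not in key_addrs:
            problems.append(f"no pre-shared key for peer {peer}")
        if peer not in remote_addrs:
            problems.append(f"peer {peer} is not an interface address on the far side")
    return problems


if __name__ == "__main__":
    r1, r2 = parse_crypto_acl(R1_CONFIG, "ios"), parse_crypto_acl(R2_CONFIG, "ios")
    print("R1 vs R2 mismatches:", mirror_mismatches(r1, r2) | mirror_mismatches(r2, r1))
    print("R1 vs broken R2:", mirror_mismatches(r1, parse_crypto_acl(R2_BAD_ACL, "ios")))
    print("peer problems:", peer_problems(R1_CONFIG, R2_CONFIG))
```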

Tuesday, June 14, 2011

IPSEC - ISAKMP Perfect Forwarding Secrecy / Diffie-Hellman

Diffie-Hellman (DH)

Diffie-Hellman (DH) is a public-key cryptography protocol that allows two devices to establish a shared secret over an insecure communications channel (ISAKMP Phase 1 / IPSec Phase 2).

Diffie-Hellman Group 1 — 768-bit DH Group.


Diffie-Hellman Group 2 — 1024-bit DH Group. 


Diffie-Hellman Group 5 — 1536-bit DH Group. 

________________________

Perfect Forward Secrecy (PFS)

PFS determines the length (complexity) of the IPSec session keys (used to encrypt and decrypt the data in the IPSec tunnel, i.e. the IPSec Security Association (SA)); those keys are derived from the public and private keys.

PFS has four groups:

Group1: Specifies that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

Group2: Specifies that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

Group5: Specifies that IPSec should use the 1536-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

Group7: Specifies that IPSec should use group7 (ECC) where the elliptic curve field size is 163 bits, for example, with the movianVPN client.

The crypto map set pfs command sets IPSec to ask for Perfect Forward Secrecy (PFS) when new security associations are requested for this crypto map entry, and to require PFS when a peer requests new security associations from it.

To specify that IPSec not request PFS, issue the no crypto map set pfs command. This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.
Note: By default, PFS is not requested.

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time.

PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key is compromised; the Phase 1 keying material on its own is not enough to recover earlier or later IPSec keys. During negotiation, the crypto map set pfs command causes IPSec to request PFS when new security associations are requested for the crypto map entry; no set pfs turns that request off again.

The default (group1) is sent if the set pfs statement does not specify a group. If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation fails.

If the local configuration does not specify a group, a default of group1 is assumed and an offer of either group1 or group2 is accepted. If the local configuration specifies group2, that group must be part of the peer offer or the negotiation fails.
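To make the Phase 1 / Phase 2 relationship concrete, here is an added Python example (not from the original post) that models the RFC 2409 KEYMAT derivation with and without PFS. It uses a toy prime instead of a real IKE group and HMAC-SHA256 in place of the negotiated IKEv1 hash; both are simplifications, and the pre-shared key is the one from the configuration above. The attacker is assumed to have recovered SKEYID_d from Phase 1 (say, off a compromised router) and to have captured everything sent in Quick Mode.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Toy MODP group, constructed for illustration: a large prime and generator so the modular
# arithmetic is real, but NOT one of the IKE groups from RFC 2409 / RFC 3526.
P = 2**255 - 19
G = 2
PSK = b"c1sco"   # the pre-shared key from the configuration above


def dh_keypair() -> Tuple[int, int]:
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """Shared secret g^xy mod p as fixed-width bytes."""
    return pow(peer_pub, priv, P).to_bytes(32, "big")


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 uses the negotiated hash as an HMAC; HMAC-SHA256 stands in for it here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1() -> bytes:
    """Phase 1 reduced to its key agreement: the ISAKMP SA derives SKEYID_d from the DH result."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    assert dh_shared(xi, gxr) == dh_shared(xr, gxi)
    return prf(PSK, dh_shared(xi, gxr))


def quick_mode_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, pfs_secret: bytes = b"") -> bytes:
    """RFC 2409 section 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)."""
    return prf(skeyid_d, pfs_secret + b"\x03" + spi + ni + nr)   # 0x03 = PROTO_IPSEC_ESP


def phase2(use_pfs: bool) -> Tuple[bytes, bytes]:
    """Negotiate one IPsec SA and return (real KEYMAT, attacker's reconstruction).

    Attacker model: SKEYID_d has leaked, and every Quick Mode field on the wire
    (SPI, nonces, public DH values) was captured.
    """
    skeyid_d = phase1()
    spi, ni, nr = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    if not use_pfs:
        # No new DH exchange: everything the keys depend on is either SKEYID_d or public.
        keymat = quick_mode_keymat(skeyid_d, spi, ni, nr)
        return keymat, quick_mode_keymat(skeyid_d, spi, ni, nr)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    keymat = quick_mode_keymat(skeyid_d, spi, ni, nr, dh_shared(xi, gxr))
    # The attacker has g^xi and g^xr but neither exponent; combining the public values
    # gives g^(xi+xr), not g^(xi*xr), so the reconstruction fails.
    guess = (gxi * gxr % P).to_bytes(32, "big")
    return keymat, quick_mode_keymat(skeyid_d, spi, ni, nr, guess)


def attacker_recovers_keys(use_pfs: bool) -> bool:
    real, reconstructed = phase2(use_pfs)
    return hmac.compare_digest(real, reconstructed)


if __name__ == "__main__":
    for pfs in (False, True):
        print(f"set pfs {'on ' if pfs else 'off'}: attacker holding SKEYID_d recovers the IPsec keys -> {attacker_recovers_keys(pfs)}")
```

The extra processing time the Cisco text mentions is the second modular exponentiation per SA in phase2(); that is the whole cost of PFS, and on a site-to-site tunnel that rekeys once an hour it is negligible.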


Saturday, June 11, 2011

IPSec

IKE - Internet Key Exchange | Uses the framework provided by ISAKMP

ISAKMP - Internet Security Association and Key Management Protocol

IPSec - 

Phase 1 - The first phase is used to create a secure and authentic communication channel between the peers.

There are two modes to establish the Phase 1 SA (Security Association):

Main mode - Typically used for Site-to-Site VPN

(6) packets / 3 round trips to establish the SA; the peer identities are exchanged only after the DH secret is in place, so they travel encrypted.

Aggressive mode - Typically used for Remote-Access

(3) packets total to establish the SA; the identity and the pre-shared-key-based hash are sent before any encryption is available, so they are visible on the wire and the hash can be attacked offline.

Main mode is the Cisco default. Aggressive mode is what is normally used with pre-shared keys for remote-access peers, because the responder does not know the peer's IP address in advance and needs the cleartext identity to look up the key.

ISAKMP Attributes negotiated during Phase 1:

Encryption - DES, 3DES, (AES 128, 192, 256)
Hashing - MD5 , SHA
Authentication Method - Pre-shared Keys, RSA or DSA Signature
DH (Diffie - Hellman) Group - 1, 2, 5, 7

Once the ISAKMP SA negotiation is complete, Phase 2 IPsec SA will then be negotiated over an encrypted channel.

All the Phase 2 negotiation payloads are encrypted under the ISAKMP SA; only the outer IP/UDP headers and the ISAKMP header are sent in the clear.

IPSec Pass-Through / NAT-T - These are used to avoid packet drops when a peer sits behind a PAT device. NAT-T (UDP 4500) wraps ESP in UDP so the PAT device has ports to translate; "IPSec pass-through" is a feature of the NAT device itself that tracks ESP flows without that encapsulation.

IPSec Attributes negotiated during Phase 2:

Encryption - DES, 3DES, (AES 128, 192, 256)
Hashing - MD5 , SHA or Null
Identity Information - Network, Protocol, port number
Lifetime
Mode - Tunnel , Transport
PFS group - None, 1, 2, or 5

IPSec Protocols
AH (Authentication Header) IP Protocol 51
ESP (Encapsulating Security Payload) IP Protocol 50

Both protocols add an IPSec header carrying the SPI (Security Parameter Index), which tells the receiving peer which SA, and therefore which keys, to use on the packet. AH authenticates the packet (including the IP header) but does not encrypt; ESP encrypts the payload and optionally authenticates it.

(Cisco ASA does not support AH, only ESP.)
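Telling these apart on the wire is what a firewall rule or a sniffer filter has to do, so here is an added Python example (not from the original post) that classifies constructed IPv4 packets as ESP (protocol 50), AH (protocol 51), ISAKMP (UDP 500) or NAT-T (UDP 4500), using the RFC 3948 non-ESP marker to separate IKE from ESP-in-UDP on port 4500, and pulls out the SPI or the IKE exchange type. The packets, cookies and SPIs are made up for the demo.

```python
import struct
from typing import Dict

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
UDP_ISAKMP, UDP_NAT_T = 500, 4500
# ISAKMP exchange types (RFC 2408 / RFC 2409): main = identity protection
EXCHANGES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}


def _ipv4(proto: int, payload: bytes, src: str = "10.1.12.1", dst: str = "10.1.12.2") -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of a payload; constructed test data."""
    def addr(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, addr(src), addr(dst))
    return hdr + payload


def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _isakmp(exchange: int) -> bytes:
    """ISAKMP header: I-cookie(8) R-cookie(8) next(1) ver(1) exch(1) flags(1) msgid(4) len(4)."""
    return bytes.fromhex("11" * 8) + bytes(8) + bytes([1, 0x10, exchange, 0]) + bytes(4) + struct.pack("!I", 28)


def _isakmp_summary(hdr: bytes) -> Dict[str, object]:
    return {"icookie": hdr[:8].hex(), "exchange": EXCHANGES.get(hdr[18], f"type {hdr[18]}")}


def classify(pkt: bytes) -> Dict[str, object]:
    """Identify IPsec-related traffic in a raw IPv4 packet and pull out the SPI or IKE exchange type."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == PROTO_ESP:                       # RFC 4303: SPI(4) seq(4) then encrypted payload
        spi, seq = struct.unpack("!II", body[:8])
        return {"kind": "ESP", "spi": spi, "seq": seq}
    if proto == PROTO_AH:                        # RFC 4302: next(1) len(1) rsvd(2) SPI(4) seq(4) ICV
        spi, seq = struct.unpack("!II", body[4:12])
        return {"kind": "AH", "spi": spi, "seq": seq, "next": body[0]}
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        if UDP_ISAKMP in (sport, dport):
            return {"kind": "ISAKMP", **_isakmp_summary(data)}
        if UDP_NAT_T in (sport, dport):          # RFC 3948: ESP-in-UDP, or IKE behind a 4-byte zero marker
            if data[:4] == bytes(4):
                return {"kind": "ISAKMP-NAT-T", **_isakmp_summary(data[4:])}
            spi, seq = struct.unpack("!II", data[:8])
            return {"kind": "ESP-NAT-T", "spi": spi, "seq": seq}
    return {"kind": "other", "proto": proto}


# Constructed packets, one per case the post lists.
SAMPLES = {
    "esp": _ipv4(PROTO_ESP, struct.pack("!II", 0xC0FFEE01, 1) + bytes(16)),
    "ah": _ipv4(PROTO_AH, bytes([4, 4, 0, 0]) + struct.pack("!II", 0xAB, 7) + bytes(12)),
    "ike_main": _ipv4(PROTO_UDP, _udp(500, 500, _isakmp(2))),
    "natt_ike": _ipv4(PROTO_UDP, _udp(4500, 4500, bytes(4) + _isakmp(4))),
    "natt_esp": _ipv4(PROTO_UDP, _udp(4500, 4500, struct.pack("!II", 0xDEAD, 5) + bytes(8))),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:9s} -> {classify(pkt)}")
```

The SPI is the one field in an ESP or AH packet that is always readable, which is why a firewall between two peers has to permit protocol 50/51 (or UDP 4500) as a whole rather than by anything inside; the "aggressive" result on the NAT-T sample is what you would look for when deciding whether a remote-access peer is exposing its identity in the clear.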

Sunday, April 24, 2011

Cisco ASA - Active / Passive

If you need to set up a pair of ASA 55XX for Active / Standby (Cisco's name for Active / Passive failover), here is the base configuration needed to get this up and running. Please keep in mind that both ASAs need to be running identical software on matching hardware, and that below is the minimal amount of configuration needed; there are many more configuration options available.


The commands below are to be entered into the Primary ASA:


#failover (Enter this command last; it turns failover on)


#failover lan unit primary


#failover lan interface failover GigabitEthernet1/1


#failover replication http (Optional: by default HTTP sessions are not replicated to the standby unit and are lost on failover; this command replicates them)


#failover mac address GigabitEthernet0/0 c471.fe43.f830 f866.f24d.0d4a (The first MAC address is used by whichever unit is currently active, the second by the standby unit, so the addresses follow the role rather than the chassis)


#failover mac address GigabitEthernet0/1 c471.fe43.f831 f866.f24d.0d4b


#failover mac address GigabitEthernet0/2 c471.fe43.f832 f866.f24d.0d4c


#failover mac address GigabitEthernet0/3 c471.fe43.f833 f866.f24d.0d4d


#failover mac address GigabitEthernet1/0 c471.fe43.fd34 588d.096c.b2d0


#failover link failover GigabitEthernet1/1


#failover interface ip failover 172.16.169.1 255.255.255.252 standby 172.16.169.2




The commands below are to be entered into the Passive ASA:


#failover (Enter this command last; it turns failover on)


#failover lan unit secondary


#failover lan interface failover GigabitEthernet1/1


#failover interface ip failover 172.16.169.1 255.255.255.252 standby 172.16.169.2 (The IPs are correct as shown; they must match what is on the Primary unit, in the same order)





Tuesday, April 19, 2011

Nexus - AAA w/ VRFs & VDCs

If you are looking to configure AAA on a Nexus 70XX and the subnet you are going to use to contact the ACS server is in a VRF and / or a non-default VDC (VDC 2, 3, 4), then you will have to do things a little differently than you might be used to.

First, make sure that the TACACS+ feature is enabled or none of the options below will be available.

Second, all AAA commands are local to each individual VDC so you will need to do this with each one.

The configuration on the ACS server will remain the same and you are also able to test from exec mode:

#test aaa server tacacs+ 10.1.1.1 vrf VRF-NAME-HERE jdoe cisco123

Now, onto the fun stuff...

You will need to define your TACACS servers / keys before proceeding to the next part:

#tacacs-server host 10.1.1.1 key 0 cisco123

#tacacs-server host 10.1.1.2 key 0 cisco123


This is where it varies slightly from what you might be used to: you need to create an "aaa server group" in order to reach the servers through a non-default VRF (and from a specific source interface).

#aaa group server tacacs+ Tacserver_DMZ
    server 10.1.1.1
    server 10.1.1.2
    use-vrf DMZ_TEST
    source-interface Vlan10 

    (You don't need to add the key as the servers will use the ones already stated earlier. Vlan10 is the SVI that will be used to contact the ACS server, but you can also use physical interfaces, loopback interfaces, etc.)

Then, once the server group exists, add this line so that login authentication uses it:

#aaa authentication login default group Tacserver_DMZ


You might also want to add these few commands under your VRF context also:

#vrf context DMZ_TEST
  ip domain-name cisco.com
  ip name-server 10.1.1.100 10.1.1.200




That should get you going in the right direction!

Thursday, April 14, 2011

Nexus - Removing an Allocated Ethernet Port.

When it comes to allocating ports to a VDC (Virtual Device Context), there is a lot of information on the web to help you out.

Now, lets just say that you want to remove a port from a VDC.

Until you know how to do it, it is not obvious, because it is not the normal Cisco way of putting a "no" in front of the command.

Usually you will just enter the non-default VDC:

#vdc servers

Now you can allocate ports, something like this:

  allocate interface Ethernet1/2,Ethernet1/4,Ethernet1/6,Ethernet1/8
  allocate interface Ethernet2/2,Ethernet2/4,Ethernet2/6,Ethernet2/8

Getting these ports back to the default VDC makes sense once someone explains it: you allocate them from the other side.

Even if you are already sitting in the default VDC, you need to enter the default VDC's context:

#vdc "name of default VDC"

Now once you are there, you just do the same thing to get them back.

#allocate interface Ethernet1/2,Ethernet1/4,Ethernet1/6,Ethernet1/8

Now the ports have no configuration (an interface loses its configuration whenever it is allocated to another VDC) and are ready to be re-used.

Saturday, January 1, 2011

Lab 2 Cisco 360 Notes

When you enable OSPF authentication on an interface and do a "show ip ospf", the output still says "Area has no authentication" (below). That line only reports area-wide authentication configured with "area <id> authentication"; per-interface authentication does not show up there, even though you can clearly see it configured on the interface. If you do a "debug ip ospf packet" you will see "aut:2", meaning MD5 is being used.

Note: aut:0 / No authentication | aut:1 / Clear text authentication.

R2#sh ip ospf

<output omitted>

Area has no authentication

interface FastEthernet0/0
 ip address 172.16.20.2 255.255.255.128
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 c1sco
 ip ospf mtu-ignore
 duplex auto
 speed auto
end

R2#deb ip ospf packet
OSPF packet debugging is on
R2#
*Jan  1 15:03:30.239: OSPF: rcv. v:2 t:1 l:48 rid:172.16.200.1
      aid:0.0.0.3 chk:0 aut:2 keyid:1 seq:0x2B916A81 from FastEthernet0/0
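Because "show ip ospf" will not tell you whether a neighbor is actually authenticating, the debug line is the thing to watch. The Python below is an added example (not from the lab notes) that parses constructed "debug ip ospf packet" lines in the format shown above, flags neighbors seen with aut:0 or aut:1, and flags an MD5 packet whose cryptographic sequence number goes backwards, which is what a replayed packet looks like. The console wraps long lines as in the capture above; join wrapped lines before feeding them in.

```python
import re
from typing import Dict, List, Tuple

AUTH_NAMES = {0: "none", 1: "cleartext", 2: "MD5"}

# Field layout of a 'debug ip ospf packet' line; keyid/seq only appear with aut:2.
LINE_RE = re.compile(
    r"OSPF: rcv\. v:(?P<ver>\d) t:(?P<type>\d) l:(?P<len>\d+) rid:(?P<rid>\S+)\s+"
    r"aid:(?P<aid>\S+) chk:(?P<chk>\S+) aut:(?P<aut>\d)"
    r"(?: keyid:(?P<keyid>\d+) seq:(?P<seq>0x[0-9A-Fa-f]+))?.*? from (?P<intf>\S+)"
)

# Constructed debug output: the MD5 neighbor from the notes, an unauthenticated neighbor, a
# cleartext-password neighbor, and a replayed MD5 packet whose sequence number goes backwards.
SAMPLE_DEBUG = """\
*Jan  1 15:03:30.239: OSPF: rcv. v:2 t:1 l:48 rid:172.16.200.1 aid:0.0.0.3 chk:0 aut:2 keyid:1 seq:0x2B916A81 from FastEthernet0/0
*Jan  1 15:03:31.101: OSPF: rcv. v:2 t:1 l:44 rid:172.16.200.4 aid:0.0.0.3 chk:B3F1 aut:0 from FastEthernet0/1
*Jan  1 15:03:32.455: OSPF: rcv. v:2 t:1 l:44 rid:172.16.200.5 aid:0.0.0.3 chk:7A02 aut:1 from FastEthernet0/1
*Jan  1 15:03:40.240: OSPF: rcv. v:2 t:1 l:48 rid:172.16.200.1 aid:0.0.0.3 chk:0 aut:2 keyid:1 seq:0x2B916A8B from FastEthernet0/0
*Jan  1 15:03:41.002: OSPF: rcv. v:2 t:1 l:48 rid:172.16.200.1 aid:0.0.0.3 chk:0 aut:2 keyid:1 seq:0x2B916A81 from FastEthernet0/0
"""


def parse(debug_output: str) -> List[Dict[str, object]]:
    """Turn debug lines into records; lines that are not OSPF packet debugs are skipped."""
    packets: List[Dict[str, object]] = []
    for line in debug_output.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        packets.append({
            "rid": m["rid"], "area": m["aid"], "intf": m["intf"], "aut": int(m["aut"]),
            "keyid": int(m["keyid"]) if m["keyid"] else None,
            "seq": int(m["seq"], 16) if m["seq"] else None,
        })
    return packets


def audit_ospf(debug_output: str) -> List[str]:
    """Flag neighbors not using MD5, and MD5 packets whose cryptographic sequence number went backwards."""
    findings: List[str] = []
    last_seq: Dict[Tuple[str, str], int] = {}
    reported = set()
    for p in parse(debug_output):
        who = (p["rid"], p["intf"])
        if p["aut"] != 2 and who not in reported:
            reported.add(who)
            findings.append(f"{p['rid']} on {p['intf']}: authentication is {AUTH_NAMES.get(p['aut'], p['aut'])} (aut:{p['aut']})")
        if p["aut"] == 2:
            prev = last_seq.get(who)
            if prev is not None and p["seq"] < prev:
                findings.append(f"{p['rid']} on {p['intf']}: MD5 sequence went backwards ({p['seq']:#x} after {prev:#x}), possible replay")
            last_seq[who] = max(prev or 0, p["seq"])
    return findings


if __name__ == "__main__":
    for f in audit_ospf(SAMPLE_DEBUG):
        print(f)
```

The sequence check is the part worth keeping: RFC 2328's cryptographic authentication only protects against replay because the receiver insists the sequence number never decreases, so a packet that arrives with an older value than the last one accepted from that neighbor is either a replay or a neighbor that rebooted and lost its counter.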


***********
ICMP Router Discovery Protocol (IRDP)

SW3 -

interface FastEthernet0/10
 no switchport
 ip address 172.16.30.10 255.255.255.128
 ip irdp

interface FastEthernet0/0.50
 encapsulation dot1Q 50
 ip address 172.16.30.3 255.255.255.128
 ip irdp
 ip irdp multicast
 ip irdp maxadvertinterval 20
 ip irdp minadvertinterval 20
 ip irdp holdtime 60
!

***********
IPv6 Tunneling

R1 -

interface Tunnel15 - To R5
 no ip address
 ipv6 address FEC0::15:1/112
 ipv6 ospf 1 area 0
 tunnel source BVI1
 tunnel destination 172.16.10.5
 tunnel mode ipv6ip (manual IPv6-over-IPv4 tunnel, RFC 4213; not Cisco proprietary)

interface Tunnel16 - To R6
 no ip address
 ipv6 address FEC0::16:1/112
 ipv6 ospf 1 area 56
 tunnel source BVI1
 tunnel destination 172.16.10.6
(No tunnel mode set, so this is GRE, the default. GRE originated at Cisco but is standardized in RFC 2784 and is not proprietary.)

R5 -

interface Tunnel15 - To R1
 no ip address
 ipv6 address FEC0::15:5/112
 ipv6 ospf 1 area 0
 tunnel source FastEthernet0/0.10
 tunnel destination 172.16.10.1
 tunnel mode ipv6ip (manual IPv6-over-IPv4 tunnel, RFC 4213; not Cisco proprietary)

R6 -

interface Tunnel16 - To R1
 no ip address
 ipv6 address FEC0::16:6/112
 ipv6 ospf 1 area 56
 tunnel source FastEthernet0/0
 tunnel destination 172.16.10.1
(No tunnel mode set, so this is GRE, the default. GRE originated at Cisco but is standardized in RFC 2784 and is not proprietary.)

***********

SW3#show spanning-tree mst configuration
Name      []
Revision  0     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-109,131-139,161-4094
1         110-130
2         140-160
-------------------------------------------------------------------------------


SW3(config)#spanning-tree mst 1 priority 24576

SW3#sh spanning-tree mst 1

##### MST1    vlans mapped:   110-130
Bridge        address 0013.1a06.6580  priority      24577 (24576 sysid 1)
Root          this switch for MST1

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Desg FWD 200000    128.13   P2p
Fa0/14           Desg FWD 200000    128.14   P2p

***********
RSPAN -



The link that we are monitoring is a trunk and has numerous VLANs traversing the link. Below you will see we are only interested in the traffic from v120 and v130.

monitor session 1 source interface Fa0/16
monitor session 1 filter vlan 120 , 130
monitor session 1 destination remote vlan 999

sw1#sh monitor session 1
Session 1
---------
Type                   : Remote Source Session
Source Ports           :
    Both               : Fa0/16
Filter VLANs           : 120,130
Dest RSPAN VLAN        : 999

What you see configured here is that we are taking the interesting traffic from the RSPAN VLAN and delivering it untagged on v120, as the sniffer is attached to an access port belonging to v120; the "ingress" keyword also lets the sniffer's own traffic enter the network on that VLAN.

monitor session 1 destination interface Fa0/16 ingress untagged vlan 120
monitor session 1 source remote vlan 999

sw2#sh monitor session 1
Session 1
---------
Type                   : Remote Destination Session
Source RSPAN VLAN      : 999
Destination Ports      : Fa0/16
    Encapsulation      : Native
          Ingress : Enabled, default VLAN = 120
    Ingress encap : Untagged