Archive for October, 2013

Commands are listed here:
ip access-list extended UDP-FLOOD
permit udp any any
!
class-map match-all UDP-CLASS
match access-group name UDP-FLOOD
!
policy-map POLICE-UDP
class UDP-CLASS
police 16000
!
control-plane
service-policy input POLICE-UDP

### Theory ###

Router3(config)#ip access-list extended UDP-FLOOD !– define interesting traffic
Router3(config-ext-nacl)#permit udp any any

Router3(config)#class-map ?
WORD                class-map name
match-all           Logical-AND all matching statements under this classmap
match-any         Logical-OR all matching statements under this classmap
type                     type of the class-map

Router3(config)#class-map match-all ?
WORD                class-map name

Router3(config)#class-map match-all UDP-CLASS
Router3(config-cmap)#

Router3(config)#policy-map POLICE-UDP
Router3(config-pmap)#?
Policy-map configuration commands:
class                  policy criteria
description     Policy-Map description
exit                   Exit from policy-map configuration mode
no                     Negate or set default values of a command
rename            Rename this policy-map

Router3(config-pmap)#class ?
WORD             class-map name
class-default    System default class matching otherwise unclassified packets

Router3(config-pmap)#class UDP-CLASS
Router3(config-pmap-c)#?
Policy-map class configuration commands:
bandwidth       Bandwidth
compression     Activate Compression
drop          Drop all packets
exit           Exit from class action configuration mode
fair-queue       Enable Flow-based Fair Queuing in this Class
log                     Log IPv4 and ARP packets
measure           Measure
netflow-sampler     NetFlow action
no             Negate or set default values of a command
police     Police
priority      Strict Scheduling Priority for this Class
queue-limit           Queue Max Threshold for Tail Drop
random-detect     Enable Random Early Detection as drop policy
service-policy       Configure QoS Service Policy
set                        Set QoS values
shape                  Traffic Shaping

Router3(config-pmap-c)#police ?
<8000-2000000000> Bits per second
cir Committed information rate
rate Specify police rate

Router3(config-pmap-c)#police 16000
Router3(config-pmap-c-police)#exit

Router3(config)#control-plane
Router3(config-cp)#?
Control Plane configuration commands:
exit Exit from control-plane configuration mode
fpm Attach fpm package group to the console port
no Negate or set default values of a command
service-policy Configure QOS Service Policy

Router3(config-cp)#service-policy ?
input Assign policy-map to the input of an interface
output Assign policy-map to the output of an interface
type type of the policy-map

Router3(config-cp)#service-policy input POLICE-UDP
Router3(config-cp)#exit
%SYS-5-CONFIG_I: Configured from console by console
Router3#
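The policy above classifies every UDP packet destined to the router itself (ACL UDP-FLOOD, class UDP-CLASS) and polices that class at 16 kbit/s on the control plane, so a UDP flood cannot starve the CPU while BGP, OSPF and EIGRP keep flowing through class-default. The following is an added example, not code from the post: a token-bucket policer in Python that models `police 16000` against a constructed packet stream. The burst allowance Bc is an assumption of 1500 bytes, since the page's command does not set one and IOS applies a default; the packet timings and sizes are constructed, not captured.

```python
from fractions import Fraction

# Added example (not from the page): a single-rate, two-colour token-bucket policer
# standing in for `police 16000` under class UDP-CLASS on the control plane.
# With no explicit actions, IOS transmits conforming packets and drops exceeding ones.
# Bc (the burst allowance) is an ASSUMPTION of 1500 bytes; the page's command does not set it.


class Policer:
    def __init__(self, cir_bps: int, bc_bytes: int = 1500):
        self.rate = Fraction(cir_bps, 8 * 1000)     # refill rate in bytes per millisecond (exact)
        self.bc = bc_bytes
        self.tokens = Fraction(bc_bytes)            # bucket starts full
        self.last_ms = 0

    def police(self, t_ms: int, size: int) -> str:
        """Refill the bucket for the elapsed time, then charge the packet if it fits."""
        self.tokens = min(Fraction(self.bc), self.tokens + self.rate * (t_ms - self.last_ms))
        self.last_ms = t_ms
        if self.tokens >= size:
            self.tokens -= size
            return "conform"            # conform-action transmit
        return "exceed"                 # exceed-action drop


def run_copp(packets, cir_bps: int = 16000, bc_bytes: int = 1500) -> dict:
    """Apply the page's policy: UDP (ACL UDP-FLOOD -> class UDP-CLASS) is policed,
    everything else lands in class-default and is passed untouched.
    packets: iterable of (t_ms, proto, size); they are processed in time order."""
    policer = Policer(cir_bps, bc_bytes)
    counts = {"conform": 0, "exceed": 0, "unpoliced": 0}
    for t_ms, proto, size in sorted(packets):
        if proto == "udp":
            counts[policer.police(t_ms, size)] += 1
        else:
            counts["unpoliced"] += 1
    return counts


# Constructed traffic toward the control plane (not a capture from the page):
# a UDP flood of 100 x 500-byte packets, one every 10 ms (400 kbit/s), with three
# BGP (TCP/179) packets interleaved so the class-default path is visible.
FLOOD = [(i * 10, "udp", 500) for i in range(100)] + [(5, "tcp", 100), (505, "tcp", 100), (995, "tcp", 100)]

# A well-behaved UDP trickle (e.g. DNS replies): five 120-byte packets, 200 ms apart.
TRICKLE = [(i * 200, "udp", 120) for i in range(5)]

if __name__ == "__main__":
    print("flood:  ", run_copp(FLOOD))    # only the burst plus ~2000 bytes/s gets through
    print("trickle:", run_copp(TRICKLE))  # all conform
```

With Bc exhausted after the first three flood packets, the policer lets one 500-byte packet through roughly every 250 ms (2000 bytes/s), and the interleaved TCP packets never touch the bucket. The same model shows the trade-off a practitioner has to judge: a CIR this low also caps legitimate UDP such as NTP, SNMP and DNS to the router, so the ACL should be narrowed or a separate class with a higher rate added for those.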
###############################################################################

BGP

Posted: October 18, 2013 in Uncategorized
Router1(config)#router bgp 1           !– Autonomous system number
!– Flags a network as local to this autonomous system and enters it into the BGP table. Specify a network to announce via BGP
Router1(config)#network 150.1.1.1 mask 255.255.255.255
!– Specify a neighbor router
Router1(config)#neighbor 136.1.13.3 remote-as 3
!– Set a password
Router1(config)#neighbor 136.1.13.3 password PASSWORD
Router3(config)#router bgp 3
Router3(config)#network 150.1.3.3 mask 255.255.255.255
Router3(config)#neighbor 136.1.13.1 remote-as 1
Router3(config)#neighbor 136.1.23.2 remote-as 2
Router3(config)#neighbor 136.1.13.1 password PASSWORD
Router3(config)#neighbor 136.1.23.2 password PASSWORD

Router1(config)#router ?
bgp       Border Gateway Protocol (BGP)
eigrp     Enhanced Interior Gateway Routing Protocol (EIGRP)
isis      ISO IS-IS
iso-igrp  IGRP for OSI networks
mobile    Mobile routes
odr       On Demand stub Routes
ospf      Open Shortest Path First (OSPF)
rip       Routing Information Protocol (RIP)

*Oct 18 15:24:04.306: %TCP-6-BADAUTH: No MD5 digest from 136.1.13.3(179) to 136.1.13.1(19226)
*Oct 18 15:24:07.466: %TCP-6-BADAUTH: No MD5 digest from 136.1.13.3(16117) to 136.1.13.1(179)
*Oct 18 15:24:24.302: %BGP-5-ADJCHANGE: neighbor 136.1.13.3 Up

Router1#sh ip bgp summary
BGP router identifier 150.1.1.1, local AS number 1
BGP table version is 4, main routing table version 4
3 network entries using 360 bytes of memory
3 path entries using 156 bytes of memory
3/3 BGP path/bestpath attribute entries using 372 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 936 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
136.1.13.3      4            3       7       5        4    0    0 00:00:50                         2

!– To check BGP table
Router1#sh ip bgp
BGP table version is 4, local router ID is 150.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network          Next Hop            Metric LocPrf Weight Path
*> 150.1.1.1/32     0.0.0.0                  0         32768 i
*> 150.1.2.2/32     136.1.13.3                             0 3 2 i
*> 150.1.3.3/32     136.1.13.3               0             0 3 i
Router1#
!– Wrong password entered:
Router1(config)#router bgp 1
Router1(config-router)#neighbor 136.1.13.3 password ee     !– wrong pass results
*Oct 18 15:27:45.802: %TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.3(179) to 136.1.13.1(41138)
*Oct 18 15:27:46.974: %TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.3(179) to 136.1.13.1(41138)
*Oct 18 15:27:49.318: %TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.3(179) to

Router3#sh ip bgp
%BGP-5-ADJCHANGE: neighbor 136.1.13.1 Up
Router3#sh ip bgp summary
BGP router identifier 150.1.3.3, local AS number 3
BGP table version is 3, main routing table version 3
2 network entries using 240 bytes of memory
2 path entries using 104 bytes of memory
2/2 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 616 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
136.1.13.1      4            1       5       5        2    0    0 00:00:02        1
136.1.23.2      4            2       0       0        1    0    0 never    Active

%BGP-5-ADJCHANGE: neighbor 136.1.23.2 Up

Router3#sh ip bgp summary
BGP router identifier 150.1.3.3, local AS number 3
…..

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
136.1.13.1      4            1       7       9        4    0    0 00:02:29        1
136.1.23.2      4            2       7       8        4    0    0 00:02:17        1

!– Verify authentication on per neighbour basis:
Router3#sh ip bgp neighbors 136.1.23.2
BGP neighbor is 136.1.23.2,  remote AS 2, external link
BGP version 4, remote router ID 150.1.2.2
BGP state = Established, up for 00:02:26
……
Option Flags: nagle, path mtu capable, md5, 0x1000000
IP Precedence value : 6
Datagrams (max data segment is 1460 bytes):
Rcvd: 12 (out of order: 0), with data: 6, total data bytes: 212
Sent: 10 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 6, total data bytes: 297
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
Router3#sh ip bgp neighbors 136.1.13.1
BGP neighbor is 136.1.13.1,  remote AS 1, external link
BGP version 4, remote router ID 150.1.1.1
BGP state = Established, up for 00:02:50
Last read 00:00:01, last write 00:00:28, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is multisession capable
…….
Option Flags: nagle, path mtu capable, md5, 0x1000000
IP Precedence value : 6
Datagrams (max data segment is 1460 bytes):
Rcvd: 13 (out of order: 0), with data: 7, total data bytes: 231
Sent: 12 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 7, total data bytes: 316
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
!– Failure in authentication
%TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.1(41138) to 136.1.13.3(179)
!– error message if authentication is not enabled on routers
%TCP-6-BADAUTH: No MD5 digest from 136.1.13.1(179) to 136.1.13.3(49376)
%TCP-6-BADAUTH: No MD5 digest from 136.1.13.1(179) to 136.1.13.3(49376)

##### Theory #####
BGP uses TCP for transport; for authentication it uses TCP option 19, the MD5 Signature Option, which is what `neighbor ... password` enables. Each segment carries an MD5 digest over the segment and the shared password, so a peer without the password ("No MD5 digest") or with a different one ("Invalid MD5 digest") never gets a TCP session, let alone a BGP one.
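To make the option concrete, here is an added example, not code from the post, that builds and checks the TCP MD5 Signature Option in Python. The digest is computed the way RFC 2385 specifies (pseudo-header, TCP header without options and with the checksum zeroed, data, then the key) and the receiver returns the same two `%TCP-6-BADAUTH` reasons seen in the logs above. Addresses and ports come from the page's log lines; the payload and key are constructed, and the TCP checksum is left at zero since the digest excludes it anyway.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Added example (not from the post): the TCP MD5 Signature Option (kind 19, RFC 2385) that
# `neighbor ... password` turns on, built on the sending side and checked on the receiving
# side. Addresses and ports are taken from the page's log lines; the payload and key are
# constructed. The TCP checksum is left at zero (a real stack fills it in last; the digest
# is defined with the checksum zeroed anyway).

TCP_MD5_OPT = 19
TCP_PROTO = 6
FLAG_ACK = 0x10


def _md5_signature(src: str, dst: str, header20: bytes, payload: bytes, seg_len: int, key: bytes) -> bytes:
    """RFC 2385 digest: pseudo-header, 20-byte header without options (checksum zeroed), data, key."""
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src).packed, IPv4Address(dst).packed, 0, TCP_PROTO, seg_len)
    header_zero_csum = header20[:16] + b"\x00\x00" + header20[18:]
    return hashlib.md5(pseudo + header_zero_csum + payload + key).digest()


def build_segment(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
                  payload: bytes, key: bytes = None) -> bytes:
    """Sender side: an ACK segment, signed when a key is configured for the peer."""
    opt_len = 20 if key is not None else 0                 # 18-byte option + 2 NOPs to a 4-byte boundary
    data_offset = (20 + opt_len) // 4
    header20 = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, FLAG_ACK, 65535, 0, 0)
    if key is None:
        return header20 + payload
    seg_len = 20 + opt_len + len(payload)
    digest = _md5_signature(src, dst, header20, payload, seg_len, key)
    return header20 + bytes([TCP_MD5_OPT, 18]) + digest + b"\x01\x01" + payload


def _find_md5_option(segment: bytes):
    """Walk the TCP options; return the 16-byte digest from a kind-19 option, or None."""
    data_offset = (segment[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP
            i += 1
            continue
        length = segment[i + 1]
        if kind == TCP_MD5_OPT and length == 18:
            return segment[i + 2:i + 18]
        i += max(length, 2)           # never loop on a malformed zero length
    return None


def verify_segment(segment: bytes, src: str, dst: str, key: bytes) -> str:
    """Receiver side with a key configured: 'ok' or a %TCP-6-BADAUTH reason as in the page's logs."""
    sport, dport = struct.unpack("!HH", segment[:4])
    where = f"from {src}({sport}) to {dst}({dport})"
    received = _find_md5_option(segment)
    if received is None:
        return f"%TCP-6-BADAUTH: No MD5 digest {where}"
    data_offset = (segment[12] >> 4) * 4
    expected = _md5_signature(src, dst, segment[:20], segment[data_offset:], len(segment), key)
    if hmac.compare_digest(received, expected):
        return "ok"
    return f"%TCP-6-BADAUTH: Invalid MD5 digest {where}"


KEY = b"PASSWORD"                                   # the page's neighbor password
PAYLOAD = b"\xff" * 16 + b"\x00\x1d\x01"            # constructed stand-in for a BGP message

if __name__ == "__main__":
    signed = build_segment("136.1.13.3", "136.1.13.1", 179, 19226, 1000, 2000, PAYLOAD, KEY)
    print(verify_segment(signed, "136.1.13.3", "136.1.13.1", KEY))       # ok
    print(verify_segment(signed, "136.1.13.3", "136.1.13.1", b"ee"))     # Invalid MD5 digest (wrong password)
    plain = build_segment("136.1.13.3", "136.1.13.1", 179, 19226, 1000, 2000, PAYLOAD)
    print(verify_segment(plain, "136.1.13.3", "136.1.13.1", KEY))        # No MD5 digest (peer not configured)
```

Because the source and destination addresses are part of the digest, a segment replayed from a different source address fails verification just like a wrong password does, which is why the option is used to protect long-lived BGP sessions against spoofed segments and not only as a login check.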

##############################################################################################################

EIGRP Authentication

Posted: October 16, 2013 in Uncategorized

When the basic config is entered, the existing routing goes away (go figure)…

Router3#
OSPFv3: Interface FastEthernet0/1 going Down
OSPFv3: Neighbor change Event on interface FastEthernet0/1
OSPFv3: DR/BDR election on FastEthernet0/1
OSPFv3: Elect BDR 0.0.0.0
OSPFv3: Elect DR 0.0.0.0
OSPFv3: Elect BDR 0.0.0.0
OSPFv3: Elect DR 0.0.0.0
DR: none    BDR: none
OSPFv3: Flush network LSA immediately
OSPFv3: Remember old DR 150.1.3.3 (id)
OSPFv3: Interface Loopback0 going Down
OSPFv3: Interface FastEthernet0/0 going Down
OSPFv3: Neighbor change Event on interface FastEthernet0/0
OSPFv3: DR/BDR election on FastEthernet0/0
OSPFv3: Elect BDR 0.0.0.0
OSPFv3: Elect DR 0.0.0.0
OSPFv3: Elect BDR 0.0.0.0
OSPFv3: Elect DR 0.0.0.0
DR: none    BDR: none
OSPFv3: Flush network LSA immediately
OSPFv3: Remember old DR 150.1.3.3 (id)
OSPFv3: 150.1.2.2 address FE80::21B:53FF:FEE5:9478 on FastEthernet0/0 is dead, state DOWN
OSPFv3: Neighbor change Event on interface FastEthernet0/0
OSPFv3: DR/BDR election on FastEthernet0/0
OSPFv3: Elect BDR 0.0.0.0

Router3#OSPFv3: Elect DR 0.0.0.0
DR: none    BDR: none

!– New EIGRP config being entered.

Router3(config)#key chain MD5CHAIN
Router3(config-keychain)#key 1
Router3(config-keychain-key)#key-string MD5STRING
Router3(config)#int f0/0
Router3(config-if)#ip authentication mode eigrp 1 md5
Router3(config-if)#ip authentication key-chain eigrp 1 MD5CHAIN

Router3(config)#key chain ROLLOVER
Router3(config-keychain)#key 1
Router3(config-keychain-key)#accept-lifetime 00:00:00 Jan 1 2013 01:00:00 Jan 1 2014
Router3(config-keychain-key)#send-lifetime 00:00:00 Jan 1 2013 01:00:00 Jan 1 2014
Router3(config-keychain)#key 2
Router3(config-keychain-key)#accept-lifetime 23:00:00 Dec 31 2013 01:00:00 Jan 1 2015
Router3(config-keychain-key)#send-lifetime 23:00:00 Dec 31 2013 01:00:00 Jan 1 2015

Router3(config)#int f0/1
Router3(config-if)#ip authentication mode eigrp 1 md5
Router3(config-if)#ip authentication key-chain eigrp 1 ROLLOVER
Router3(config)#router eigrp 1
Router3(config-router)#network 150.1.0.0
Router3(config-router)#network 136.1.0.0

!– Show run output related to EIGRP:

key chain MD5CHAIN
key 1
key-string MD5STRING
key chain ROLLOVER
key 1
key-string KEY1
accept-lifetime 00:00:00 Jan 1 2013 01:00:00 Jan 1 2014
send-lifetime 00:00:00 Jan 1 2013 00:00:00 Jan 1 2014
key 2
accept-lifetime 23:00:00 Dec 31 2013 01:00:00 Jan 1 2015
send-lifetime 00:00:00 Jan 1 2014 00:00:00 Jan 1 2015
!
interface FastEthernet0/0
ip address 136.1.23.3 255.255.255.0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 ROLLOVER
duplex auto
speed auto
ipv6 address 2001:136:1:23::3/64

!
interface FastEthernet0/1
mac-address 0005.0006.0007
ip address 136.1.13.3 255.255.255.0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 MD5CHAIN
duplex auto
speed auto
ipv6 address 2001:136:1:13::3/64
!

router eigrp 1
network 136.1.0.0
network 150.1.0.0
!

%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 136.1.23.2 (FastEthernet0/0) is up: new adjacency
Router3#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 136.1.23.2 (FastEthernet0/0) is down: Interface PEER-TERMINATION received
Router3#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 136.1.23.2 (FastEthernet0/0) is up: new adjacency
Router3#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 136.1.23.2 (FastEthernet0/0) is down: Auth failure

!– Verification: to verify whether EIGRP-enabled interfaces have authentication configured, and which key chain is being used, use the command below:
Router3# sh ip eigrp interfaces detail f0/0
EIGRP-IPv4 Interfaces for AS(1)
Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/0              1        0/0         3       0/1           50           0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Un/reliable mcasts: 0/4  Un/reliable ucasts: 6/8
Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
Retransmissions sent: 5  Out-of-sequence rcvd: 1
Topology-ids on interface – 0
Authentication mode is md5,  key-chain is “ROLLOVER”
Router3#

Router3# sh ip eigrp interfaces detail f0/1
EIGRP-IPv4 Interfaces for AS(1)
Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/1              1        0/0         1       0/1           50           0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Un/reliable mcasts: 0/5  Un/reliable ucasts: 5/1
Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
Retransmissions sent: 0  Out-of-sequence rcvd: 1
Topology-ids on interface – 0
Authentication mode is md5,  key-chain is “MD5CHAIN”

Router3#sh key chain
Key-chain MD5CHAIN:
key 1 — text “MD5STRING”
accept lifetime (always valid) – (always valid) [valid now]
send lifetime (always valid) – (always valid) [valid now]
Key-chain ROLLOVER:
key 1 — text “KEY1”
accept lifetime (00:00:00 UTC Jan 1 2013) – (01:00:00 UTC Jan 1 2014) [valid now]
send lifetime (00:00:00 UTC Jan 1 2013) – (00:00:00 UTC Jan 1 2014) [valid now]
* key 2 — text “(unset)”
accept lifetime (23:00:00 UTC Dec 31 2013) – (01:00:00 UTC Jan 1 2015)
send lifetime (00:00:00 UTC Jan 1 2014) – (00:00:00 UTC Jan 1 2015)

Router3#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
(sec)         (ms)       Cnt Num
1   136.1.23.2              Fa0/0             12 00:04:12    3   200  0  7
0   136.1.13.1              Fa0/1             10 00:23:51    1   200  0  6

Router3#

##### Theory #####

EIGRP authentication is key-chain based. EIGRP supports only MD5, not clear-text. This example shows a single authentication key between R1 and R3 (key chain MD5CHAIN) and automatic key rotation between R2 and R3 (key chain ROLLOVER).

The potential problem with the accept and send lifetime configuration is that if the routers’ clocks are not NTP synchronized, key rollover could happen at different times on each router, which could cause a loss of the EIGRP adjacency. To prevent this, configure multiple authentication keys whose accept lifetimes overlap.
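The following added example, not code from the post, models the ROLLOVER key chain from the `sh run` above in Python and replays the rollover with the two routers' clocks out of step. It shows that the page's one-hour accept overlap tolerates up to an hour of skew in either direction and fails beyond that, and that widening the overlap is what restores the adjacency. Assumptions: a lifetime `(start, end)` is valid for `start <= now < end`, the sender signs with the lowest-numbered key whose send lifetime is valid, and key 2's string is `KEY2` (the page's `sh key chain` shows it unset).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example (not from the post): a model of IOS key-chain lifetimes, used to show why
# unsynchronized clocks break a rollover unless accept-lifetimes overlap generously.
# ASSUMED semantics: a lifetime (start, end) is valid for start <= now < end, and the
# sender uses the lowest-numbered key whose send-lifetime is valid.


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    accept: tuple   # (start, end) during which packets signed with this key are accepted
    send: tuple     # (start, end) during which this key signs outgoing packets


def _valid(window, now: datetime) -> bool:
    start, end = window
    return start <= now < end


def send_key(chain, now: datetime):
    """Key the sender picks by its own clock (lowest valid key ID)."""
    for key in sorted(chain, key=lambda k: k.key_id):
        if _valid(key.send, now):
            return key
    return None


def accepts(chain, now: datetime, key_id: int, key_string: str) -> bool:
    """Receiver check: same key ID, same secret, and accept-lifetime valid by ITS clock."""
    return any(k.key_id == key_id and k.key_string == key_string and _valid(k.accept, now)
               for k in chain)


def hello_result(sender_chain, sender_clock: datetime, receiver_chain, receiver_clock: datetime) -> str:
    key = send_key(sender_chain, sender_clock)
    if key is None:
        return "sender has no valid send key"
    if accepts(receiver_chain, receiver_clock, key.key_id, key.key_string):
        return f"accepted key {key.key_id}"
    return f"Auth failure (key {key.key_id} not accepted)"


def rollover_chain(overlap_hours: float = 1.0):
    """The page's ROLLOVER chain as printed by 'sh run' (overlap 1 h on both sides of the
    1 Jan 2014 rollover). Key 2's string is an ASSUMPTION; the page shows it unset."""
    midnight = datetime(2014, 1, 1)
    overlap = timedelta(hours=overlap_hours)
    return [
        Key(1, "KEY1", accept=(datetime(2013, 1, 1), midnight + overlap),
            send=(datetime(2013, 1, 1), midnight)),
        Key(2, "KEY2", accept=(midnight - overlap, datetime(2015, 1, 1, 1, 0)),
            send=(midnight, datetime(2015, 1, 1))),
    ]


def rollover_check(sender_minutes_from_midnight: int, receiver_lag_hours: float,
                   overlap_hours: float = 1.0) -> str:
    """Sender's clock is the given number of minutes before/after the rollover; the receiver's
    clock lags it by receiver_lag_hours (negative = receiver ahead). Both carry the same chain."""
    chain = rollover_chain(overlap_hours)
    sender_clock = datetime(2014, 1, 1) + timedelta(minutes=sender_minutes_from_midnight)
    return hello_result(chain, sender_clock, chain, sender_clock - timedelta(hours=receiver_lag_hours))


if __name__ == "__main__":
    print(rollover_check(30, 0))      # accepted key 2: clocks agree
    print(rollover_check(30, 1))      # accepted key 2: receiver 1 h behind, still inside key 2's accept window
    print(rollover_check(30, 2))      # Auth failure: receiver 2 h behind has not opened key 2 yet
    print(rollover_check(30, 2, 3))   # accepted key 2: a 3 h overlap absorbs the skew
    print(rollover_check(-30, -2))    # Auth failure: sender still on key 1, receiver 2 h ahead already closed it
```

The `Auth failure` outcomes are exactly the `%DUAL-5-NBRCHANGE ... is down: Auth failure` event logged above, only with a clock cause instead of a typo. Sizing the overlap to the worst clock drift you expect (or simply running NTP on every router) is the practical fix.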

###########################################################################################################

R1 – OSPF area 0 – R3 – OSPF area 1 – R2

R2:
#interface FastEthernet0/0
Router2(config-if)#ip ospf authentication message-digest
Router2(config-if)#ip ospf message-digest-key 1 md5 MD5MD5
Router2(config-if)#ip ospf 1 area 1

R1:
interface FastEthernet0/0
Router1(config-if)#ip ospf authentication
Router1(config-if)#ip ospf authentication-key CLEARTXT
Router1(config-if)#ip ospf 1 area 0

R3:
#router ospf 1
log-adjacency-changes
#area 0 authentication
#area 1 authentication message-digest

interface Vlan11
Router3(config-if)#ip ospf authentication null    !– Sets null authentication on Vlan11, exempting that interface from the area-level OSPF authentication

interface FastEthernet0/0
Router3(config-if)#ip ospf message-digest-key 1 md5 MD5MD5
Router3(config-if)#ip ospf 1 area 1

interface FastEthernet0/1
Router3(config-if)#ip ospf authentication-key CLEARTXT
Router3(config-if)#ip ospf 1 area 0

Router1#sh ip ospf int f0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 136.1.13.1/24, Area 0
Process ID 1, Router ID 150.1.1.1, Network Type BROADCAST, Cost: 1
Topology-MTID    Cost    Disabled    Shutdown      Topology Name
0           1         no          no            Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 150.1.1.1, Interface address 136.1.13.1
Backup Designated router (ID) 1.1.1.1, Interface address 136.1.13.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 2, maximum is 4
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 1.1.1.1  (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled

Router3#sh ip ospf int f0/1
FastEthernet0/1 is up, line protocol is up
Internet Address 136.1.13.3/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.1.1.1, Interface address 136.1.13.1
Backup Designated router (ID) 1.1.1.1, Interface address 136.1.13.3
Flush timer for old DR LSA due in 00:00:25
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:00
Supports Link-local Signaling (LLS)
Index 1/4, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.1.1  (Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
Router3#

Router3#sh ip ospf int f0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 136.1.23.3/24, Area 1
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.1.2.2, Interface address 136.1.23.2
Backup Designated router (ID) 1.1.1.1, Interface address 136.1.23.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:08
Supports Link-local Signaling (LLS)
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.2.2  (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Router3#

Router2#sh ip ospf  int f0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 136.1.23.2/24, Area 1
Process ID 1, Router ID 150.1.2.2, Network Type BROADCAST, Cost: 1
Topology-MTID    Cost    Disabled    Shutdown      Topology Name
0           1         no          no            Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 150.1.2.2, Interface address 136.1.23.2
Backup Designated router (ID) 1.1.1.1, Interface address 136.1.23.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:08
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 1.1.1.1  (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Router2#

! – Failures in OSPF authentication show up as a failure to establish adjacency. At the OSPF packet level, authentication type 0 means null (no authentication), type 1 is clear-text, and type 2 is MD5. The debug below, taken on R1 (clear-text toward R3), shows a mismatched authentication key:

Router1#
OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication Key – Clear Text
OSPF: 1.1.1.1 address 136.1.13.3 on FastEthernet0/0 is dead
OSPF: 1.1.1.1 address 136.1.13.3 on FastEthernet0/0 is dead, state DOWN
%OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
OSPF: Neighbor change Event on interface FastEthernet0/0
OSPF: DR/BDR election on FastEthernet0/0
OSPF: Elect BDR 0.0.0.0
OSPF: Elect DR 150.1.1.1
DR: 150.1.1.1 (Id)   BDR: none
OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication Key – Clear Text
OSPF: Build router LSA for area 0, router ID 150.1.1.1, seq 0x80000005, process 1
OSPF: No full nbrs to build NetLSA for interface FastEthernet0/0
OSPF: Build network LSA for FastEthernet0/0, router ID 150.1.1.1

!– A mismatch in authentication type, where R3 has MD5 authentication configured toward R1 while R1 has clear-text authentication configured toward R3 (the packet from R3 carries type 2, R1 uses type 1):

OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 1
OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 1

!– To verify OSPF neighbours, use:

Router1#sh ip osp neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:36    136.1.13.3      FastEthernet0/0
Router1#

Router3#sh ip osp neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.1.1.1         1   FULL/DR         00:00:32    136.1.13.1      FastEthernet0/1
150.1.2.2         1   FULL/DR         00:00:39    136.1.23.2      FastEthernet0/0

Router2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:38    136.1.23.3      FastEthernet0/0
Router2#

!– Whether authentication has been enabled at the area (global process) level can be determined with the show ip ospf command:

Router3#sh ip ospf | se area
Supports area transit capability
It is an area border router
Number of areas in this router is 2. 2 normal 0 stub 0 nssa
Number of areas transit capable is 0
Number of interfaces in this area is 1
Number of interfaces in this area is 3 (1 loopback)
Router3#

##### Theory #####

On R1 and R2, OSPF authentication is configured at the interface level; on R3 it is configured globally under the OSPF process, per area, and the interfaces are placed in the corresponding areas. When OSPF authentication is enabled under the global process, it applies to all interfaces in that area: all interfaces in area 0 run clear-text authentication, and all interfaces in area 1 run MD5 authentication. When OSPF authentication is enabled at the interface level, it overrides the configuration of the global process, but only for that particular interface. The authentication key, however, is always configured at the interface level.
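The debug messages above come straight from the AuType field in the OSPF header: the receiver first compares the packet's type with its own, and only then checks the key. The following added example, not code from the post, builds OSPFv2 packets with null, clear-text and MD5 authentication in Python and runs the receiver-side check that produces the same three outcomes (type mismatch, key mismatch, accepted). The header layout and digest follow RFC 2328; the hello body is a constructed placeholder, the passwords are the page's (`CLEARTXT`, `MD5MD5`), and the returned strings imitate the page's `debug` output. The cryptographic sequence number is carried but not tracked, so replay detection is out of scope here.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Added example (not from the post): OSPFv2 header authentication (RFC 2328 Appendix D)
# on both sides of the wire. Return strings imitate the page's 'debug ip ospf adj' output.

AU_NULL, AU_SIMPLE, AU_MD5 = 0, 1, 2          # OSPFv2 AuType values
OSPF_HELLO = 1
# version, type, packet length, router ID, area ID, checksum, AuType, 64-bit authentication field
HDR = struct.Struct("!BBH4s4sHH8s")


def ip_checksum(data: bytes) -> int:
    """Standard IP ones'-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(router_id: str, area_id: str, body: bytes, autype: int,
                 key: bytes = b"", key_id: int = 1, seq: int = 1) -> bytes:
    """Sender side: an OSPFv2 packet with the requested authentication type."""
    rid, aid = IPv4Address(router_id).packed, IPv4Address(area_id).packed
    length = HDR.size + len(body)
    if autype == AU_SIMPLE:
        auth = key.ljust(8, b"\x00")[:8]                     # password, zero-padded to 64 bits
    elif autype == AU_MD5:
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)      # key ID, digest length, crypto sequence
    else:
        auth = bytes(8)
    hdr = HDR.pack(2, OSPF_HELLO, length, rid, aid, 0, autype, auth)
    if autype == AU_MD5:
        # No checksum with MD5; the digest over packet + padded key is appended after the packet.
        digest = hashlib.md5(hdr + body + key.ljust(16, b"\x00")[:16]).digest()
        return hdr + body + digest
    # Null/simple: checksum covers the packet excluding the 64-bit authentication field.
    csum = ip_checksum(hdr[:16] + body)
    return HDR.pack(2, OSPF_HELLO, length, rid, aid, csum, autype, auth) + body


def check_auth(pkt: bytes, local_autype: int, local_key: bytes = b"", local_key_id: int = 1) -> str:
    """Receiver side: classify a packet against the interface's authentication config."""
    _, _, length, _, _, _, autype, auth = HDR.unpack_from(pkt)
    if autype != local_autype:
        return f"Mismatch Authentication type. Input packet specified type {autype}, we use type {local_autype}"
    if autype == AU_NULL:
        return "ok"
    if autype == AU_SIMPLE:
        if hmac.compare_digest(auth, local_key.ljust(8, b"\x00")[:8]):
            return "ok"
        return "Mismatch Authentication Key - Clear Text"
    _, key_id, auth_len, _seq = struct.unpack("!HBBI", auth)
    if key_id != local_key_id:
        return f"Mismatch Authentication Key - No message digest key {key_id} on interface"
    digest = pkt[length:length + auth_len]
    expected = hashlib.md5(pkt[:length] + local_key.ljust(16, b"\x00")[:16]).digest()
    if hmac.compare_digest(digest, expected):
        return "ok"
    return f"Mismatch Authentication Key - Message Digest Key {key_id}"


# Constructed hello body (stand-in for the real hello fields; its contents do not affect auth).
BODY = b"\xff\xff\xff\x00" + b"\x00" * 16

if __name__ == "__main__":
    # R3 (MD5, key MD5MD5) sends to R1, which runs clear-text CLEARTXT: type mismatch, as in the page's debug.
    print(check_auth(build_packet("1.1.1.1", "0.0.0.0", BODY, AU_MD5, b"MD5MD5"), AU_SIMPLE, b"CLEARTXT"))
    # Both clear-text but different passwords: key mismatch.
    print(check_auth(build_packet("1.1.1.1", "0.0.0.0", BODY, AU_SIMPLE, b"WRONG"), AU_SIMPLE, b"CLEARTXT"))
    # R3 -> R2 in area 1, both MD5 key 1 MD5MD5: accepted.
    print(check_auth(build_packet("1.1.1.1", "0.0.0.1", BODY, AU_MD5, b"MD5MD5"), AU_MD5, b"MD5MD5"))
```

Note that with clear-text (type 1) the password travels in the header in the clear, which is why the example's "key mismatch" check is a plain byte comparison; anyone on the segment can read it. MD5 keeps the key off the wire, and the key ID in the header is what lets a router keep several `message-digest-key` entries during a key change.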

########################################################################################

Packet Capture on ASA using CLI

Posted: October 6, 2013 in Uncategorized

!– I suggest capturing only with an access list applied, to limit the size of the capture buffer as well as the amount of traffic you will have to wade through when reviewing the capture. You define an access list on the Cisco ASA and then assign it to an interface so that it captures the offending traffic for review.

#access-list p extended permit ip any host 172.16.1.1
#access-list p extended permit ip host 172.16.1.1 any
#cap p-cap access-list p interface inside

!– Show the running capture and its output on the CLI of the device:

#sh capture p-cap

!– Or view it in a browser at:

#http://<ASAIPaddress>/admin/capture/<capturename>

This works well for quick viewing but what about a more detailed analysis with something like Wireshark?  Browse to:

#http://<ASA IP Address>/admin/capture/<capturename>/PCAP

This will prompt you to save or open a file.  Save with the “.pcap” extension and open with Wireshark. When you are done capturing you can (and should!) stop the capture with the negated “no” command:

#no capture <capturename>

Be sure to check the help for this command with “?”. There are plenty of fine-tuning options to accommodate your capturing needs.

# capture TEST ?
access-list      Capture packets that match access-list
buffer           Configure size of capture buffer, default is 512 KB
circular-buffer  Overwrite buffer from beginning when full, default is non-circular
ethernet-type    Capture Ethernet packets of a particular type, default is IP
headers-only     Capture only L2, L3 and L4 headers of packet without data in them
interface        Capture packets on a specific interface
match            Capture packets matching five-tuple
packet-length    Configure maximum length to save from each packet, default is 1518 bytes
real-time        Display captured packets in real-time. Warning: using this option with a slow console connection may result in an excessive amount of non-displayed packets due to performance limitations.
trace            Trace the captured packets
type             Capture packets based on a particular type

########################################################################

Aliases:
srb – Show Running-Config | Begin
sre – Show Running-Config | Exclude
sri – Show Running-Config | Include
srint – Show Running-Config Interface
s – show running-configuration
c – configure terminal
sir – show ip route
i – show ip interface brief
pvc – show frame-relay pvc
dwn – show frame-relay map | include down
b – router bgp 1234
ns – no shutdown

Created with:

Router(config)#alias exec srb show running-config | begin
Router(config)#alias exec sre show running-config | exclude
Router(config)#alias exec sri show running-config | include
Router(config)#alias exec srint show running-config interface
Router(config)#alias exec s sh run
Router(config)#alias exec c conf t
Router(config)#alias exec sir sh ip ro
Router(config)#alias exec i sh ip int brie
Router(config)#alias exec dwn sh fram map | inc down
Router(config)#alias configure b router bgp 1234
Router(config)#alias interface ns no shutdown

!- Alias is a Global Configuration command. To use it, enter the alias command and identify which privilege level you want to specify the alias for. Here are some examples:

Use “alias exec” for Privileged Mode (any command you use at the router# prompt).
Use “alias configure” for Global Configuration Mode (any command you use at the router(config)# prompt).
Use “alias interface” for Interface Configuration Mode (any command you use at the router(config-if)# prompt).

After specifying the privilege level, enter the alias you want to create and the command you want it to stand for. You can specify parameters for a command after entering the alias.

For example, to use the shortcut for the show running-config interface command —srint— you can specify the interface for which you want to view configuration information after that command. Here’s an example:

#srint fa0/0

Default Cisco IOS aliases:

p stands for ping.
h stands for help.
lo stands for logout.
u and un stand for undebug.
w stands for where.

You can view these aliases by using the “show alias” command.

########################################################################

I am sure everyone has used netsh by now, but instead of typing netsh /? to get help I created a small batch file to change the IP address for some of my testing. For my company I am demoing a few firewall/URL filtering solutions, so instead of manually changing the IP address I created a simple batch file to do it for me.

Isn’t that the whole purpose of using netsh? So, here we go:

netsh interface ip set address name=”Local Area Connection” source=static addr=10.3.206.210 mask=255.255.255.0 gateway=10.3.206.33 gwmetric=1
netsh interface ip set dns name=”Local Area Connection” source=static addr=4.2.2.2
netsh interface ip add dns name=”Local Area Connection” addr=8.8.8.8 index=2

Name it like PA.bat and run it. Works like a charm.

###############################################################

!– Make sure all interfaces are not in shutdown state and enter redundant and port-channel commands.

ASA1(config)# int eth0/0
ASA1(config-if)# channel-group 1 mode active
ASA1(config-if)# no shut

ASA1(config-if)# int et0/2
ASA1(config-if)# channel-group 1 mode active
ASA1(config-if)# no shut

ASA1(config)# int port-channel 1
ASA1(config-if)# nameif outside
ASA1(config-if)# ip address 160.60.0.12 255.255.255.0

ASA1(config)# int redundant 1
ASA1(config-if)# member-interface eth0/1
ASA1(config-if)# member-interface eth0/3
ASA1(config-if)# nameif inside
ASA1(config-if)# ip address 20.0.0.12 255.255.255.0
ASA1(config-if)# no shut

!– Show run
interface Ethernet0/0
channel-group 1 mode active
no nameif
no security-level
no ip address

interface Ethernet0/1
no nameif
no security-level
no ip address

interface Ethernet0/2
channel-group 1 mode active
no nameif
no security-level
no ip address

interface Ethernet0/3
no nameif
no security-level
no ip address

interface Management0/0
shutdown
no nameif
no security-level
no ip address

interface Redundant1
member-interface Ethernet0/1
member-interface Ethernet0/3
nameif inside
security-level 100
ip address 20.0.0.12 255.255.255.0

interface Port-channel1
nameif outside
security-level 0
ip address 160.60.0.12 255.255.255.0

!– Configure routing
ASA1(config)# router ospf 1
ASA1(config-router)# network 20.0.0.0 255.255.255.0 area 1
ASA1(config-router)# network 160.60.0.0 255.255.255.0 are 0
ASA1(config-router)# log-adj-changes

!– Create network object for inside and dynamic PAT
ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 20.0.0.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface

ASA1(config)# access-list OUT-IN ext permit icmp any any
ASA1(config)# access-group OUT-IN in int outside

ASA1# sh int ip br 
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  up                    up
Ethernet0/3                unassigned      YES unset  up                    up
Management0/0              unassigned      YES unset  administratively down up
Port-channel1              160.60.0.12     YES manual down                  down
Redundant1                 20.0.0.12       YES manual up                    up

!-- Make sure the switch ports are also configured for the channel-group, otherwise the Port-channel1 interface stays down.

SW2(config)#int f0/41
SW2(config-if)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1
SW2(config)#int f0/12
SW2(config-if)#channel-group 1 mode active

ASA1# ping 160.60.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 160.60.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA1# sh interface redundant 1 detail
Interface Redundant1 "inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 001e.7a36.6d41, MTU 1500
IP address 20.0.0.12, subnet mask 255.255.255.0
334 packets input, 26940 bytes, 0 no buffer
Received 244 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
74 L2 decode drops
142 packets output, 11258 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 2 interface resets
0 late collisions, 0 deferred
162 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (510/254)
output queue (blocks free curr/low): hardware (510/253)
Traffic Statistics for "inside":
106 packets input, 6761 bytes
142 packets output, 8555 bytes
2 packets dropped
1 minute input rate 0 pkts/sec,  41 bytes/sec
1 minute output rate 0 pkts/sec,  45 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec,  16 bytes/sec
5 minute output rate 0 pkts/sec,  16 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 9
Interface config status is active
Interface state is active
Redundancy Information:
Member Ethernet0/1(Active), Ethernet0/3
Last switchover at 14:08:54 UTC Sep 18 2013

!-- If you shut down Eth0/1, the active interface becomes Eth0/3 and we should lose one or two pings:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

ASA1#  sh int red 1
Interface Redundant1 "inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 001e.7a36.6d41, MTU 1500
IP address 20.0.0.12, subnet mask 255.255.255.0
29393 packets input, 3455064 bytes, 0 no buffer
Received 260 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
82 L2 decode drops
29183 packets output, 3437408 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 2 interface resets
0 late collisions, 0 deferred
162 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (510/254)
output queue (blocks free curr/low): hardware (510/253)
Traffic Statistics for "inside":
29157 packets input, 2911127 bytes
29183 packets output, 2911931 bytes
6 packets dropped
1 minute input rate 140 pkts/sec,  14009 bytes/sec
1 minute output rate 140 pkts/sec,  14004 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec,  16 bytes/sec
5 minute output rate 0 pkts/sec,  16 bytes/sec
5 minute drop rate, 0 pkts/sec
Redundancy Information:
Member Ethernet0/3(Active), Ethernet0/1
Last switchover at 14:08:54 UTC Sep 18 2013

!-- Check the port-channel status

ASA1# sh port-channel 1 detail
Ports: 2   Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ active
Minimum Links: 1
Maximum Bundle: 8
Load balance: src-dst-ip
Ports in the group:
-------------------
Port: Et0/0
------------
Port state    = bndl
Channel group =    1        Mode = LACP/ active
Port-channel  = Po1

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
A - Device is in active mode.        P - Device is in passive mode.

Local information:
LACP port     Admin     Oper    Port        Port
Port      Flags   State      Priority      Key       Key     Number      State
-----------------------------------------------------------------------------
Et0/0     SA      bndl       32768         0x1       0x1     0x1         0x3d

Partner's information:
Partner Partner    LACP Partner  Partner   Partner  Partner     Partner
Port      Flags   State      Port Priority Admin Key Oper Key Port Number Port State
-----------------------------------------------------------------------------------
Et0/0     SA      bndl       32768         0x0       0x1      0x10d       0x3d

Port: Et0/2
------------
Port state    = bndl
Channel group =    1        Mode = LACP/ active
Port-channel  = Po1

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
A - Device is in active mode.        P - Device is in passive mode.

Local information:
LACP port     Admin     Oper    Port        Port
Port      Flags   State      Priority      Key       Key     Number      State
-----------------------------------------------------------------------------
Et0/2     SA      bndl       32768         0x1       0x1     0x3         0x3d

Partner's information:
Partner Partner    LACP Partner  Partner   Partner  Partner     Partner
Port      Flags   State      Port Priority Admin Key Oper Key Port Number Port State
-----------------------------------------------------------------------------------
Et0/2     SA      bndl       32768         0x0       0x1      0x12a       0x3d

ASA1# sh port-channel 1 load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip

EtherChannel Load-Balancing Addresses UsedPer-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address
IPv6: Source XOR Destination IP address

!-- This is the output when one of the member interfaces is down; all traffic rides the remaining link, so there is no load balancing:

ASA1# sh int e0/0 | in packets output
63320 packets output, 7471910 bytes, 0 underruns

ASA1# sh int e0/2 | in packets output
16482 packets output, 1941871 bytes, 0 underruns

!-- Check the port-channel summary and notice that one of the member interfaces is down.

ASA1# sh port-channel summary
Flags:  D - down        P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
U - in use      N - not in use, no aggregation/nameif
M - not in use, no aggregation due to minimum links not met
w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(U)            LACP    Et0/0(P)   Et0/2(D)
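As an added example (my code, not part of the original post), a small Python check that parses the "sh port-channel summary" rows above and flags any member that is not bundled, which is exactly the state where one link carries everything and there is no load balancing. The minimum-links value is taken from the "sh port-channel 1 detail" output above.

```python
import re

# Constructed sample: the "sh port-channel summary" rows from the lab above,
# captured while Et0/2 was still down (D) because the switch side was not bundled.
PO_SUMMARY = """\
Number of channel-groups in use: 1
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(U)            LACP    Et0/0(P)   Et0/2(D)
"""

BUNDLED = "P"   # port flag "bundled in port-channel" from the flag legend
MIN_LINKS = 1   # "Minimum Links: 1" from "sh port-channel 1 detail"

ROW = re.compile(r"^(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
MEMBER = re.compile(r"(\S+?)\(([A-Za-z]+)\)")

def parse_port_channel_summary(text):
    """Map group id -> {"po", "state", "protocol", "members": {port: flag}}."""
    groups = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            gid, po, state, proto, ports = m.groups()
            groups[int(gid)] = {"po": po, "state": state, "protocol": proto,
                                "members": dict(MEMBER.findall(ports))}
    return groups

def check_bundle(text, min_links=MIN_LINKS):
    """Return findings: members not bundled (so no load balancing across them)
    and bundles that fell below the configured minimum links."""
    findings = []
    for g in parse_port_channel_summary(text).values():
        members = g["members"]
        bundled = [p for p, flag in members.items() if flag == BUNDLED]
        for port, flag in members.items():
            if flag != BUNDLED:
                findings.append(f"{g['po']}: member {port} not bundled (flag {flag})")
        if len(bundled) < len(members):
            findings.append(f"{g['po']}: only {len(bundled)}/{len(members)} members bundled, so no load balancing")
        if len(bundled) < min_links:
            findings.append(f"{g['po']}: below minimum links ({min_links})")
    return findings
```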

#########################################################################

!-- Change the ASA mode from single to multiple context on both units
ASA1(config)# mode multi
ASA2(config)# mode multi

!-- Check out the warning messages:
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
The old running configuration file will be written to flash
Converting the configuration - this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple

!-- In the system context on the primary firewall, enable the physical interfaces, create subinterfaces, create the contexts, assign interfaces to the contexts, and make CTX1 the admin context.

ASA1(config)# int et0/0
ASA1(config-if)# no shut
ASA1(config)# int eth0/1
ASA1(config-if)# no shut
ASA1(config)# int et0/3
ASA1(config-if)# no shut

ASA1(config)# int eth0/1.11
ASA1(config-subif)# vlan 11
ASA1(config-subif)# no shut

ASA1(config)# int eth0/1.13
ASA1(config-subif)# vlan 13
ASA1(config-subif)# no shut

ASA1(config)# context CTX1
Creating context 'CTX1'... Done. (3)
ASA1(config-ctx)# description == CTX1 ==
ASA1(config-ctx)# allocate-interface eth0/1.11
ASA1(config-ctx)# allocate-interface et0/0
ASA1(config-ctx)# config-url disk0:/CTX1-ActiveActive.cfg

!-- Dedicate CTX1 as the admin context
ASA1(config)# admin-context CTX1

ASA1(config)# context CTX2
Creating context 'CTX2'... Done. (3)
ASA1(config-ctx)# description == CTX2 ==
ASA1(config-ctx)# allocate-interface eth0/0
ASA1(config-ctx)# allocate-interface eth0/1.13
ASA1(config-ctx)# config-url disk0:/CTX2-ActiveActive.cfg

!-- Switch to CTX1 and configure it: apply interface IP addresses and security levels, create dynamic PAT for basic inside-to-outside communication, create a basic ACL to permit ping, and set up interface monitoring as requested:

ASA1(config)# changeto context CTX1

ASA1/CTX1(config)# int eth0/1.11
ASA1/CTX1(config-if)# nameif inside
ASA1/CTX1(config-if)# ip address 10.0.0.13 255.255.255.0 standby 10.0.0.14
ASA1/CTX1(config-if)# no shut

ASA1/CTX1(config-if)# int eth0/0
ASA1/CTX1(config-if)# nameif outside
ASA1/CTX1(config-if)# ip address 150.50.0.13 255.255.255.0 standby 150.50.0.14
ASA1/CTX1(config-if)# no shut
ASA1/CTX1(config)# object network inside
ASA1/CTX1(config-network-object)# subnet 10.0.0.0 255.255.255.0
ASA1/CTX1(config-network-object)# nat (inside,outside) dynamic interface
ASA1/CTX1(config)# access-list OUTSIDE-IN permit icmp any any echo-rep
ASA1/CTX1(config)# access-group OUTSIDE-IN in int outside

ASA1/CTX1(config)# monitor-interface inside
ASA1/CTX1(config)# no monitor-interface outside

!-- Switch to CTX2 and configure it the same way: interface IP addresses and security levels, dynamic PAT for basic inside-to-outside communication, a basic ACL to permit ping, and interface monitoring as requested:

ASA1/CTX1# changeto context CTX2

ASA1/CTX2(config)# int eth 0/0
ASA1/CTX2(config-if)# nameif outside
ASA1/CTX2(config-if)# ip address 150.50.0.31 255.255.255.0 standby 150.50.0.41
ASA1/CTX2(config-if)# no shut

ASA1/CTX2(config-if)# int eth0/1.13
ASA1/CTX2(config-if)# nameif inside
ASA1/CTX2(config-if)# ip address 10.0.1.13 255.255.255.0 standby 10.0.1.14
ASA1/CTX2(config-if)# no shut

ASA1/CTX2(config)# object network inside
ASA1/CTX2(config-network-object)# subnet 10.0.1.0 255.255.255.0
ASA1/CTX2(config-network-object)# nat (inside,outside) dynamic interface
ASA1/CTX2(config)# access-list OUTSIDE-IN permit icmp any any echo-reply
ASA1/CTX2(config)# access-group OUTSIDE-IN in int outside

ASA1/CTX2(config)# monitor-interface inside
ASA1/CTX2(config)# no monitor-interface outside

!-- In the system context on the primary firewall, enter the failover commands (this unit is primary), create the failover groups, assign each context to a failover group, and activate failover:

ASA1/CTX2# changeto system

ASA1(config)# int eth0/3
ASA1(config-if)# no shut
ASA1(config-if)# failover lan unit primary
ASA1(config)# failover lan interface FAIL eth0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
ASA1(config)# failover link FAIL eth0/3
ASA1(config)# failover interface ip FAIL 1.1.1.1 255.255.255.0 standby 1.1.1.2

ASA1(config)# failover group 1
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# preempt
ASA1(config-fover-group)# interface-policy 1
ASA1(config-fover-group)# polltime interface msec 500 holdtime 5

ASA1(config)# failover group 2
ASA1(config-fover-group)# secondary
ASA1(config-fover-group)# preempt
ASA1(config-fover-group)# interface-policy 1
ASA1(config-fover-group)# polltime interface msec 500 hold 5

ASA1(config)# context CTX1
ASA1(config-ctx)# join-failover-group 1
ASA1(config)# context CTX2
ASA1(config-ctx)# join-failover-group 2

ASA1(config)# failover

!-- On the secondary firewall, bring up the failover interface and enter the failover commands (unit secondary).
!-- Note that only a few commands are needed; all other configuration is replicated via failover.

ASA2(config)# int eth0/3
ASA2(config-if)# no shut

ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface FAIL eth0/3
ASA2(config)# failover link FAIL eth0/3
ASA2(config)# failover interface ip FAIL 1.1.1.1 255.255.255.0 standby 1.1.1.2

!-- Activate failover
ASA2(config)# failover

How to verify:

!-- show failover in the system context

ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAIL Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.4(3), Mate 8.4(5)
Group 1 last failover at: 14:47:42 UTC Sep 11 2013
Group 2 last failover at: 14:47:55 UTC Sep 11 2013

This host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 113 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.4(3)) status (Up Sys)
CTX1 Interface outside (150.50.0.14): Normal (Not-Monitored)
CTX1 Interface inside (10.0.0.14): Unknown (Waiting)
CTX2 Interface outside (150.50.0.31): Normal (Not-Monitored)
CTX2 Interface inside (10.0.1.13): Unknown (Waiting)
slot 1: empty

Other host: Primary
Group 1 State: Active
Active time: 388 (sec)
Group 2 State: Standby Ready
Active time: 274 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
CTX1 Interface outside (150.50.0.13): Normal (Not-Monitored)
CTX1 Interface inside (10.0.0.13): Unknown (Waiting)
CTX2 Interface outside (150.50.0.41): Normal (Not-Monitored)
CTX2 Interface inside (10.0.1.14): Unknown (Waiting)
slot 1: empty

Stateful Failover Logical Update Statistics
Link : FAIL Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 16 0 18 0
sys cmd 16 0 16 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 0 0 2 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 18
Xmit Q: 0 1 16
ASA1(config)#
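An added Python check (my example, not from the original post) that parses an abridged copy of the "sh failover" output above and reports what should be fixed before trusting the pair: a software version mismatch between peers, a failover group not active on the unit its "primary"/"secondary" setting intends, and monitored interfaces that are not in the Normal state. The expected-active mapping is an assumption taken from the failover group commands above.

```python
import re

# Constructed, abridged copy of the "sh failover" output above (group 1 active on
# the primary, group 2 on the secondary, peers running 8.4(3) and 8.4(5)).
SHOW_FAILOVER = """\
Failover On
Version: Ours 8.4(3), Mate 8.4(5)
This host: Secondary
Group 1 State: Standby Ready
Group 2 State: Active
CTX1 Interface outside (150.50.0.14): Normal (Not-Monitored)
CTX1 Interface inside (10.0.0.14): Unknown (Waiting)
Other host: Primary
Group 1 State: Active
Group 2 State: Standby Ready
CTX1 Interface outside (150.50.0.13): Normal (Not-Monitored)
CTX1 Interface inside (10.0.0.13): Unknown (Waiting)
"""

# Assumed design intent, from "failover group 1 / primary" and "failover group 2 /
# secondary" above: which unit should normally be active for each group.
EXPECTED_ACTIVE = {1: "Primary", 2: "Secondary"}

def parse_failover(text):
    """Return peer versions plus, per host, group states and interface states."""
    fo = {"on": text.startswith("Failover On"), "versions": None, "hosts": {}}
    m = re.search(r"Version: Ours (\S+), Mate (\S+)", text)
    fo["versions"] = m.groups() if m else None
    host = None
    for line in text.splitlines():
        if h := re.match(r"(?:This|Other) host: (\w+)", line):
            host = fo["hosts"].setdefault(h.group(1), {"groups": {}, "ifaces": {}})
        elif (g := re.match(r"Group (\d+) State: (.+)", line)) and host:
            host["groups"][int(g.group(1))] = g.group(2).strip()
        elif (i := re.match(r"(\S+) Interface (\S+) \(\S+\): (\w+) \((.+)\)", line)) and host:
            host["ifaces"][i.group(1) + "/" + i.group(2)] = (i.group(3), i.group(4))
    return fo

def check_failover(text, expected_active=EXPECTED_ACTIVE):
    """Findings: failover off, peer version mismatch, a group not active on
    exactly its intended unit, and monitored interfaces that are not Normal."""
    fo, findings = parse_failover(text), []
    if not fo["on"]:
        findings.append("failover is not enabled")
    if fo["versions"] and fo["versions"][0] != fo["versions"][1]:
        findings.append("software version mismatch between peers: %s vs %s" % fo["versions"])
    for gid, unit in expected_active.items():
        active_on = [h for h, d in fo["hosts"].items() if d["groups"].get(gid) == "Active"]
        if active_on != [unit]:
            findings.append(f"group {gid} active on {active_on or 'no unit'}, expected {unit}")
    for name, d in fo["hosts"].items():
        for ifname, (state, detail) in d["ifaces"].items():
            if detail != "Not-Monitored" and state != "Normal":
                findings.append(f"{name} {ifname}: {state} ({detail})")
    return findings
```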

!-- Once the failed interface recovers, the original primary unit takes over the primary role again and the following message pops up on the screen.

#telnet or ping thru firewall
#show monitor-interface in context

Filter the VLAN on the switch interface to force a switchover ("switchport trunk allowed vlan remove 11").

!-- Note that once you allow VLAN 11 back on the trunk, the primary unit will preempt.

ASA1#
Group 1 preempt mate

##### Theory #####

In the system context on the primary unit:
– bring up the physical interfaces (no shut),
– create the subinterfaces, assign each subinterface to its VLAN, and no shut them,
– create the contexts and assign interfaces to each context,
– enter the failover commands,
– create the failover groups and set primary/secondary, preempt, interface policy and polltime,
– next, switch to each context and join it to the correct failover group,
– activate failover from config-t.

On the switch, set up trunk interfaces for the outside and inside interfaces, allowing the correct VLANs.

Then switch to context 1 and set up interface names, IP addresses, objects, NAT, access list and interface monitoring.
Then switch to context 2 and set up the same items there.

On the secondary unit, enter only the failover commands (the same as on the primary unit), bring up the failover interface and activate failover.

###########################################################################

#object-group service SERVICES
#service-object icmp echo
#service-object tcp destination eq telnet
#service-object udp destination eq syslog

#object network R1
#host 20.0.0.1
#nat (inside,outside) static 160.60.0.1

#access-list OUT-IN extended permit object-group SERVICES host 160.60.0.2 object R1
#access-group OUT-IN in interface outside

ASA1# sh access-list
access-list OUT-IN; 3 elements; name hash: 0x456198c2
access-list OUT-IN line 1 extended permit object-group SERVICES host 160.60.0.2 object R1 (hitcnt=3)
access-list OUT-IN line 1 extended permit icmp host 160.60.0.2 host 20.0.0.1 echo (hitcnt=2)
access-list OUT-IN line 1 extended permit tcp host 160.60.0.2 host 20.0.0.1 eq telnet (hitcnt=1)
access-list OUT-IN line 1 extended permit udp host 160.60.0.2 host 20.0.0.1 eq syslog (hitcnt=0)
ASA1#
##### Theory #####

Object groups allow different IP protocols (TCP, UDP), port numbers and ICMP types/codes to be combined into a single unit. The ACL then has one line covering all of the configured protocols/ports instead of one line per protocol/port, while the ASA still expands it into one element per protocol/port internally (the "3 elements" in the output above).
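An added Python model (my example, not the ASA's own code) of how an ACE that references the object-group and network object above is expanded into the per-protocol lines that "show access-list" prints, so that the reported element count can be predicted. It goes beyond the page by also accepting a hypothetical network object-group (MGMT-HOSTS, constructed here) to show how element counts multiply when groups are nested.

```python
from itertools import product

# Constructed model of the objects configured above (typed in, not parsed from the ASA).
SERVICE_GROUPS = {"SERVICES": [("icmp", "echo"),
                               ("tcp", "destination eq telnet"),
                               ("udp", "destination eq syslog")]}
NETWORK_OBJECTS = {"R1": "host 20.0.0.1"}  # real (pre-NAT) address: 8.3+ ACLs match the real IP
# Hypothetical network object-group, added here only to show how element counts multiply.
NETWORK_GROUPS = {"MGMT-HOSTS": ["host 160.60.0.2", "host 160.60.0.3"]}

def resolve_networks(spec):
    """'any', 'host X', 'object NAME' or 'object-group NAME' -> list of literal endpoints."""
    kind, _, arg = spec.partition(" ")
    if kind == "object":
        return [NETWORK_OBJECTS[arg]]
    if kind == "object-group":
        return NETWORK_GROUPS[arg]
    return [spec]

def resolve_services(spec):
    """'object-group NAME' -> its service-object lines; a bare protocol -> one entry."""
    kind, _, arg = spec.partition(" ")
    return SERVICE_GROUPS[arg] if kind == "object-group" else [(kind, "")]

def _take(tokens, i):
    # host/object/object-group carry one argument; any and bare protocols are single tokens
    n = 2 if tokens[i] in ("host", "object", "object-group") else 1
    return " ".join(tokens[i:i + n]), i + n

def expand_ace(ace):
    """Expand '[extended] permit <service> <src> <dst>' into the per-protocol lines
    the ASA prints under 'show access-list'; len(result) is the ACE's element count."""
    tokens = ace.split()
    if tokens[0] == "extended":
        tokens = tokens[1:]
    action = tokens[0]
    svc, i = _take(tokens, 1)
    src, i = _take(tokens, i)
    dst, i = _take(tokens, i)
    lines = []
    for (proto, qual), s, d in product(resolve_services(svc), resolve_networks(src), resolve_networks(dst)):
        port = qual.replace("destination ", "")  # the ASA prints the port after the destination
        lines.append(" ".join(t for t in ("extended", action, proto, s, d, port) if t))
    return lines

def element_count(acl_lines):
    """Total elements the ASA would report for the ACL ("N elements")."""
    return sum(len(expand_ace(line)) for line in acl_lines)
```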

################################################################