Archive for July, 2014

First, install the Cisco AD Agent on a Windows server and have Microsoft Active Directory up and running. The agent server must be a member of the Active Directory domain.
On the AD Agent:

C:\>cd IBF
C:\IBF>cd CLI
C:\IBF\CLI>adactrl.exe show running

C:\IBF\CLI>adacfg client create -name ASA02 -ip 172.16.10.1 -secret password

C:\IBF\CLI>adacfg client list
C:\IBF\CLI>adacfg client erase -name ACHILE-AD

C:\IBF\CLI>adacfg dc list
C:\IBF\CLI>adacfg dc erase -name AD-POC

On the firewall, enter the commands below:

object-group user FIREWALL
user cciesecblog\user1
user-group cciesecblog\\ccielab

access-list VLAN19_INBOUND extended permit ip any any
access-list VLAN19_INBOUND extended permit ip object-group-user FIREWALL any any

aaa-server IDENTITY protocol radius
ad-agent-mode

aaa-server IDENTITY (VLAN26) host 172.16.10.100
key password

aaa-server AD-SERVER protocol ldap

aaa-server AD-SERVER (VLAN26) host 172.16.10.200
ldap-base-dn dc=cciesecblog,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password Summer2100!
ldap-login-dn cn=administrator,cn=Users,dc=cciesecblog,dc=com
server-type microsoft

user-identity domain cciesecblog aaa-server AD-SERVER
user-identity default-domain cciesecblog
user-identity action ad-agent-down disable-user-identity-rule
user-identity action domain-controller-down cciesecblog disable-user-identity-rule
user-identity inactive-user-timer minutes 30
user-identity poll-import-user-group-timer hours 1
user-identity ad-agent aaa-server IDENTITY

~~~~~~~~~~~~~~

ASA02-5510(config)# test aaa-server ad-agent IDENTITY
Server IP Address or name:
Server IP Address or name:
Server IP Address or name: 172.16.10.100
INFO: Attempting Ad-agent test to IP address <172.16.10.100> (timeout: 12 seconds)
INFO: Ad-agent Successful
ASA02-5510(config)#

ASA02-5510(config)# show user-identity ad-agent
Primary AD Agent:
Status                    up (registered)
Mode:                     full-download
IP address:               172.16.10.100
Authentication port:      udp/1645
Accounting port:          udp/1646
ASA listening port:       udp/3799
Interface:                VLAN26
Up time:                  39 secs
Average RTT:              0 msec

AD Domain Status:
Domain CCIESECBLOG:       up
ASA02-5510(config)#

ASA02-5510(config)# debug ldap 255
debug ldap  enabled at level 255

ASA02-5510(config)# logging console 7

ASA02-5510(config)# show user-identity ad-groups cciesecblog

[25] Session Start
[25] New request Session, context 0xac3d1014, reqType = Unknown
[25] Fiber started
[25] Creating LDAP context with uri=ldap://172.16.10.200:389
[25] Connect to LDAP server: ldap://172.16.10.200:389, status = Successful
[25] supportedLDAPVersion: value = 3
[25] supportedLDAPVersion: value = 2
[25] Binding as ldapuser
[25] Performing Simple authentication for ldapuser to 172.16.10.200
[25] Simple authentication for ldapuser returned code (49) Invalid credentials
[25] Failed to bind as administrator returned code (-1) Can’t contact LDAP server
[25] Fiber exit Tx=212 bytes Rx=608 bytes, status=-2
[25] Session End

ASA02-5510# sh user-identity ip-of-user user1
cciesecblog\136.1.27.150 (Login)
ASA02-5510#

ASA02-5510# show user-identity user active user cciesecblog\user1 list detail
cciesecblog\user1: 26 active conns; idle 0 mins
136.1.27.150: login 0 mins, idle 0 mins, 26 active conns
ASA02-5510#

ASA02-5510# sh conn user cciesecblog\user1
27 in use, 40 most used
UDP VLAN26 172.16.10.200:53 VLAN19 (cciesecblog\user1)136.1.27.150:1025, idle 0:00:00, bytes 220, flags -
UDP VLAN26 172.16.10.200:389 VLAN19 (cciesecblog\user1)136.1.27.150:1083, idle 0:00:31, bytes 347, flags -
UDP VLAN26 172.16.10.200:389 VLAN19 (cciesecblog\user1)136.1.27.150:1080, idle 0:00:37, bytes 347, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1075, idle 0:00:38, bytes 2804, flags -
UDP VLAN26 172.16.10.200:389 VLAN19 (cciesecblog\user1)136.1.27.150:1064, idle 0:00:56, bytes 347, flags -
UDP VLAN26 172.16.10.200:138 VLAN19 (cciesecblog\user1)136.1.27.150:138, idle 0:00:56, bytes 177, flags -
UDP VLAN26 172.16.10.200:137 VLAN19 (cciesecblog\user1)136.1.27.150:137, idle 0:00:56, bytes 243, flags -
UDP VLAN26 172.16.10.200:389 VLAN19 (cciesecblog\user1)136.1.27.150:1062, idle 0:01:06, bytes 347, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1060, idle 0:01:06, bytes 2763, flags -
UDP VLAN26 172.16.10.200:389 VLAN19 (cciesecblog\user1)136.1.27.150:1059, idle 0:01:10, bytes 347, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1055, idle 0:01:11, bytes 2763, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1054, idle 0:01:11, bytes 2763, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1052, idle 0:01:11, bytes 2760, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1050, idle 0:01:11, bytes 402, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1048, idle 0:01:14, bytes 402, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1045, idle 0:01:19, bytes 397, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1044, idle 0:01:27, bytes 2807, flags -
UDP VLAN26 172.16.10.200:123 VLAN19 (cciesecblog\user1)136.1.27.150:123, idle 0:01:28, bytes 136, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1037, idle 0:01:31, bytes 2807, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1036, idle 0:01:31, bytes 2807, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1034, idle 0:01:31, bytes 421, flags -
UDP VLAN26 172.16.10.200:389 VLAN19 (cciesecblog\user1)136.1.27.150:1027, idle 0:01:32, bytes 438, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1120, idle 0:01:57, bytes 2807, flags -
UDP VLAN26 172.16.10.200:389 VLAN19 (cciesecblog\user1)136.1.27.150:1119, idle 0:02:00, bytes 347, flags -
TCP VLAN26 172.16.10.200:49155 VLAN19 (cciesecblog\user1) 136.1.27.150:1117, idle 0:02:02, bytes 638, flags UIO
ASA02-5510#
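The `show conn user` output above is the quickest place to see which flows the identity firewall has actually tied to a user. The parser below is an added example, not code from the original notes: it reads `show conn` lines in the format shown on this page, summarises them per user and per server port, and lists flows that carry no user tag at all (those can only ever match IP-based ACEs, so they are the ones to look at when an identity rule does not fire). The sample lines are constructed to resemble the page's output; the second one deliberately has no user mapping.

```python
"""Parse ASA `show conn` output and summarise identity-tagged flows.

Added example; the line format follows the `show conn user` output on
the page, the SAMPLE text is constructed (one line lacks a user tag).
"""
import re
from collections import Counter, defaultdict

# <PROTO> <if-a> <ip>:<port> <if-b> [(<domain>\<user>)] <ip>:<port>, idle h:mm:ss, bytes N, flags F
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?:\((?P<user>[^)]+)\)\s*)?(?P<ip_b>[\d.]+):(?P<port_b>\d+),"
    r"\s+idle\s+(?P<idle>\d+:\d+:\d+),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S*)"
)

# Constructed sample: header line plus four connections, one without a user tag.
SAMPLE = """\
27 in use, 40 most used
UDP VLAN26 172.16.10.200:53 VLAN19 (cciesecblog\\user1)136.1.27.150:1025, idle 0:00:00, bytes 220, flags -
UDP VLAN26 172.16.10.200:389 VLAN19 136.1.27.150:1083, idle 0:00:31, bytes 347, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\\user1)136.1.27.150:1075, idle 0:00:38, bytes 2804, flags -
TCP VLAN26 172.16.10.200:49155 VLAN19 (cciesecblog\\user1) 136.1.27.150:1117, idle 0:02:02, bytes 638, flags UIO
"""


def parse_conns(text):
    """Return one dict per connection line; non-matching lines (headers) are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        c = m.groupdict()          # "user" is None when the flow carries no identity tag
        c["port_a"] = int(c["port_a"])
        c["port_b"] = int(c["port_b"])
        c["bytes"] = int(c["bytes"])
        conns.append(c)
    return conns


def per_user_summary(conns):
    """Map user -> Counter of (protocol, server-side port) for identity-tagged flows."""
    summary = defaultdict(Counter)
    for c in conns:
        if c["user"]:
            summary[c["user"]][(c["proto"], c["port_a"])] += 1
    return summary


def untagged(conns):
    """Flows with no user mapping: only IP-based ACEs can match these."""
    return [(c["proto"], c["ip_b"], c["port_b"]) for c in conns if not c["user"]]


if __name__ == "__main__":
    conns = parse_conns(SAMPLE)
    for user, services in per_user_summary(conns).items():
        print(user, dict(services))
    print("no identity:", untagged(conns))
```

Run it against a saved `show conn user <domain>\<user>` capture to get the same summary for a real session; the header line and any prompt lines are ignored by the regex.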

ASA02-5510# show user-identity ad-users cciesecblog filter user1

Domain:cciesecblog      AAA Server Group: AD-SERVER
User list retrieved successfully
Number of Active Directory Users: 1
dn: CN=user1,CN=Users,DC=cciesecblog,DC=com
sAMAccountName: user1

ASA02-5510#

ASA02-5510# sh user-identity ad-groups cciesecblog filter ccielab

Domain:cciesecblog      AAA Server Group: AD-SERVER
Group list retrieved successfully
Number of Active Directory Groups: 1
dn: CN=ccielab,CN=Users,DC=cciesecblog,DC=com
sAMAccountName: ccielab

ASA02-5510#

ASA02-5510# show user-identity ad-groups cciesecblog

Domain:cciesecblog      AAA Server Group: AD-SERVER
Group list retrieved successfully
Number of Active Directory Groups: 38
dn: CN=Administrators,CN=Builtin,DC=cciesecblog,DC=com
sAMAccountName: Administrators

ASA supports the following object group types:

Network   = matching on IPv4/IPv6 hosts or subnets.
Protocol  = matching on layer 3/layer 4 IP protocols.
ICMP-Type = matching on ICMP types.
Service   = matching on TCP/UDP ports. A service object group supports multiple sub-types: TCP, UDP, TCP-UDP, Generic (matching on a mixture of source or destination TCP/UDP ports).

ASA02-5510(config)# sh object-group

object-group network R2
network-object host 150.1.22.22
network-object 136.1.29.0 255.255.255.0

object-group network SUBNETS
network-object 172.16.10.0 255.255.255.0
network-object 136.1.19.0 255.255.255.0

object-group network R1-LOOPBACK1
network-object 150.1.11.0 255.255.255.0

object-group service TELNET tcp
port-object eq telnet

object-group service TFTP udp
port-object eq tftp

object-group service OTHER-PORTS
service-object tcp destination eq ftp
service-object udp destination eq ntp

object-group network ALL
group-object SUBNETS
group-object R1-LOOPBACK1

ASA02-5510# sh run access-list
access-list VLAN29 extended permit tcp object-group R2 object-group ALL object-group TELNET
access-list VLAN29 extended permit udp object-group R2 object-group ALL object-group TFTP
access-list VLAN29 extended permit object-group OTHER-PORTS object-group R2 object-group ALL

access-group VLAN29 in interface VLAN29
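Nested groups such as `ALL` (which references `SUBNETS` and `R1-LOOPBACK1`) make a three-line ACL expand into many more elements than it looks. The script below is an added example, not code from the original notes: it parses the `show object-group` output above, resolves `group-object` references recursively, and expands each access-list line into the individual (protocol, source, destination, port) elements, the same elements `show access-list` counts. The config text is copied from the page; the parser only understands the constructs that appear in it (`network-object`, `group-object`, `port-object eq`, `service-object <proto> destination eq`).

```python
"""Expand object-group based ACEs into individual elements.

Added example; OBJECT_GROUPS and ACL are copied from the page's output.
"""
from itertools import product

OBJECT_GROUPS = """
object-group network R2
network-object host 150.1.22.22
network-object 136.1.29.0 255.255.255.0
object-group network SUBNETS
network-object 172.16.10.0 255.255.255.0
network-object 136.1.19.0 255.255.255.0
object-group network R1-LOOPBACK1
network-object 150.1.11.0 255.255.255.0
object-group service TELNET tcp
port-object eq telnet
object-group service TFTP udp
port-object eq tftp
object-group service OTHER-PORTS
service-object tcp destination eq ftp
service-object udp destination eq ntp
object-group network ALL
group-object SUBNETS
group-object R1-LOOPBACK1
"""

ACL = [
    "access-list VLAN29 extended permit tcp object-group R2 object-group ALL object-group TELNET",
    "access-list VLAN29 extended permit udp object-group R2 object-group ALL object-group TFTP",
    "access-list VLAN29 extended permit object-group OTHER-PORTS object-group R2 object-group ALL",
]


def parse_object_groups(text):
    """Return {name: {"kind": ..., "proto": ..., "members": [token lists]}}."""
    groups, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "object-group":
            current = groups[parts[2]] = {
                "kind": parts[1],
                "proto": parts[3] if len(parts) > 3 else None,  # tcp/udp/tcp-udp on service groups
                "members": [],
            }
        elif current is not None:
            current["members"].append(parts)
    return groups


def resolve(name, groups):
    """Flatten a group to leaf members, following group-object references recursively."""
    leaves = []
    for m in groups[name]["members"]:
        if m[0] == "group-object":
            leaves.extend(resolve(m[1], groups))
        elif m[0] == "network-object":          # host A  |  A MASK
            leaves.append(f"{m[2]}/32" if m[1] == "host" else f"{m[1]} {m[2]}")
        elif m[0] == "port-object":             # port-object eq <port>; protocol from the group header
            leaves.append((groups[name]["proto"], m[2]))
        elif m[0] == "service-object":          # service-object <proto> destination eq <port>
            leaves.append((m[1], m[-1]))
    return leaves


def _address(tokens, i, groups):
    """Read one address operand (any | object-group X | host A | A MASK) at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ["any"], i + 1
    if t == "object-group":
        return resolve(tokens[i + 1], groups), i + 2
    if t == "host":
        return [tokens[i + 1] + "/32"], i + 2
    return [f"{t} {tokens[i + 1]}"], i + 2


def expand_ace(line, groups):
    """Expand one extended ACE into (action, proto, src, dst, dport) elements."""
    tokens = line.split()
    action, i = tokens[3], 4
    if tokens[i] == "object-group":             # service group in the protocol position
        services, i = resolve(tokens[i + 1], groups), i + 2
    else:
        services, i = [(tokens[i], "any")], i + 1
    srcs, i = _address(tokens, i, groups)
    dsts, i = _address(tokens, i, groups)
    if i < len(tokens):                         # trailing destination port spec
        if tokens[i] == "object-group":
            ports = [p for _, p in resolve(tokens[i + 1], groups)]
        else:                                   # eq <port>
            ports = [tokens[i + 1]]
        services = [(proto, p) for proto, _ in services for p in ports]
    return [(action, proto, s, d, p) for (proto, p), s, d in product(services, srcs, dsts)]


def element_count(acl, groups):
    """Total expanded elements for the whole ACL."""
    return sum(len(expand_ace(line, groups)) for line in acl)


if __name__ == "__main__":
    g = parse_object_groups(OBJECT_GROUPS)
    for line in ACL:
        print(len(expand_ace(line, g)), "elements <-", line)
    print("total:", element_count(ACL, g))
```

The three lines expand to 6 + 6 + 12 = 24 elements; compare that figure with the element count `show access-list VLAN29` reports to confirm every nested group resolved the way you expected.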

object-group
  icmp-type  Specifies a group of ICMP types, such as echo
  network    Specifies a group of host or subnet IP addresses
  protocol   Specifies a group of protocols, such as TCP, etc
  service    Specifies a group of TCP/UDP ports/services
  user       Specifies single user, local or import user group

network-object-group
  description     Specify description text
  group-object    Configure an object group as an object
  help            Help for network object-group configuration commands
  network-object  Configure a network object
  no              Remove an object or description from object-group

network-object-group mode commands/options:
  Hostname or A.B.C.D  Enter an IPv4 network address
  X:X:X:X::X/<0-128>   Enter an IPv6 prefix
  host                 Enter this keyword to specify a single host object
  object               Enter this keyword to specify a network object

object-group service TELNET
  tcp      Specifies this object-group is for TCP protocol only
  tcp-udp  Specifies this object-group is for both TCP & UDP
  udp      Specifies this object-group is for UDP protocol only

service-object-group
  description   Specify description text
  group-object  Configure an object group as an object
  help          Help for service object-group configuration commands
  no            Remove an object or description from object-group
  port-object   Configure a port object

object-group service OTHER-PORTS
  description     Specify description text
  group-object    Configure an object group as an object
  help            Help for service object-group configuration commands
  no              Remove an object or description from object-group
  service-object  Configure a service object

service-object tcp
dual-service-object-group mode commands/options:
  destination  Keyword to specify destination
  source       Keyword to specify source

ASA02-5510(config-service-object-group)# service-object tcp eq 21
ASA02-5510(config-service-object-group)# service-object udp eq 123

A global access list applies logically to the entire firewall, in the inbound direction on all interfaces.
If an interface has its own access list, that list is evaluated first. Instead of the implicit deny any any at the end of the interface ACL, the global access list is processed next, and the implicit deny any any applies only at the end of the global access list.

To create a global access list using ASDM, open Access Rules, click Add Access Rule, and for Interface choose -Any-.

To create global access list using CLI:

#access-list GLOBAL extended permit tcp any any
#access-group GLOBAL global

An ACL overrides the default traffic-flow policy based on security levels: 100 is the most trusted and 0 the least trusted.
By default, traffic from a higher to a lower security level is allowed, but traffic from a lower to a higher security level is not; that traffic needs an ACL.
Global access lists are not replicated on each interface, so they save memory.
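The ordering just described (interface ACL, then global ACL, then implicit deny, with the security-level default applying only when no ACL is involved) is easy to get wrong when troubleshooting. The model below is an added example, not code from the original notes, and reproduces that ordering in Python so each decision comes back with the reason that produced it. One modelling assumption: once a global ACL exists, unmatched traffic hits the implicit deny on every interface, including interfaces that have no ACL of their own. The interface names and the `GLOBAL` rule follow the page; addresses and packets are constructed.

```python
"""Model of ASA inbound access-list evaluation order (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or a CIDR network
    dst: str
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return _in(pkt["src"], self.src) and _in(pkt["dst"], self.dst)


def _in(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


@dataclass
class Interface:
    name: str
    security_level: int
    acl: Optional[List[Rule]] = None   # inbound ACL; None when nothing is applied


def _first_match(rules, pkt):
    for r in rules:
        if r.matches(pkt):
            return r.action
    return None


def evaluate(pkt, ingress: Interface, egress: Interface, global_acl=None):
    """Return (decision, reason) for a packet arriving on `ingress` bound for `egress`."""
    if ingress.acl is not None:                            # 1. interface ACL first
        hit = _first_match(ingress.acl, pkt)
        if hit:
            return hit, "interface ACL"
    if global_acl is not None:                             # 2. global ACL replaces the interface ACL's implicit deny
        hit = _first_match(global_acl, pkt)
        if hit:
            return hit, "global ACL"
    if ingress.acl is not None or global_acl is not None:  # 3. end of the last ACL processed
        return "deny", "implicit deny"
    if ingress.security_level > egress.security_level:     # 4. no ACL at all: security-level default
        return "permit", "higher to lower security level"
    return "deny", "lower to higher security level"


# Interfaces named as on the page; GLOBAL mirrors `access-list GLOBAL extended permit tcp any any`.
INSIDE = Interface("INSIDE", 100)
OUTSIDE = Interface("OUTSIDE", 0)
GLOBAL = [Rule("permit", "tcp", "any", "any")]

# Constructed packets.
WEB = {"proto": "tcp", "src": "136.1.93.5", "dst": "203.0.113.10", "dport": 443}
NTP = {"proto": "udp", "src": "136.1.93.5", "dst": "203.0.113.10", "dport": 123}

if __name__ == "__main__":
    print(evaluate(WEB, INSIDE, OUTSIDE))            # permit: higher to lower
    print(evaluate(WEB, OUTSIDE, INSIDE))            # deny: lower to higher
    print(evaluate(WEB, OUTSIDE, INSIDE, GLOBAL))    # permit: global ACL
    print(evaluate(NTP, INSIDE, OUTSIDE, GLOBAL))    # deny: implicit deny, even from INSIDE
```

The last case is the one that surprises people: adding a TCP-only global rule turns previously permitted inside-to-outside UDP into an implicit-deny drop, which is exactly what `packet-tracer` would show as the drop reason.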

Use packet-tracer to check which rule a flow hits:
packet-tracer input VLAN49 tcp 150.1.1.1 20000 150.1.2.2 21

#show access-list
#show access-group

A logical redundant interface is a pair of physical interfaces, one active and one standby. When the active interface fails, the standby interface becomes active.
The firewall removes all interface settings when a physical interface is added to a redundant group.
The logical redundant interface takes the MAC address of the first interface added to the group, because that interface also becomes the active one. The MAC address does not change on member interface failure, but it does change if you swap the order in which the physical interfaces are added to the pair; optionally, a virtual MAC (vMAC) can be configured for the redundant interface. With redundant interfaces, the nameif, security-level and IP address are configured on the logical interface. This feature is not preemptive.

EtherChannel: the ASA supports both active and passive LACP modes; active initiates the LACP negotiation, passive waits to receive it.
The logical port-channel interface takes the MAC address of the lowest-numbered interface in the group; optionally, a vMAC can be configured for the EtherChannel interface.

interface Ethernet0/0
no nameif
no security-level
no ip address

interface Ethernet0/2
no nameif
no security-level
no ip address

interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/2
nameif OUTSIDE
security-level 0
ip address 136.1.34.17 255.255.255.0

interface Ethernet0/1
channel-group 1 mode passive
no nameif
no security-level
no ip address

interface Ethernet0/3
channel-group 1 mode passive
no nameif
no security-level
no ip address

interface Port-channel1
lacp max-bundle 2
port-channel load-balance src-dst-ip-port
nameif INSIDE
security-level 100
ip address 136.1.93.17 255.255.255.0

ASA03-5510# sh nameif
Interface                Name                     Security
Port-channel1            INSIDE                   100
Redundant1               OUTSIDE                    0
ASA03-5510#

ASA03-5510# sh ip address
System IP Addresses:
Interface                   Name                  IP address                     Subnet mask                   Method
Port-channel1          INSIDE              136.1.93.17                    255.255.255.0                 manual
Redundant1             OUTSIDE           136.1.34.17                    255.255.255.0                 manual

ASA03-5510# sh interface redundant 1 | b Redundancy
Redundancy Information:
Member Ethernet0/0(Active), Ethernet0/2
Last switchover at 17:21:44 UTC Jul 14 2014

ASA03-5510# sh port-channel summary
Flags: D - down        P - bundled in port-channel
       I - stand-alone s - suspended
       H - Hot-standby (LACP only)
       U - in use      N - not in use, no aggregation/nameif
       M - not in use, no aggregation due to minimum links not met
       w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol  Ports
------+-------------+----------+-----------------------------------------------
1      Po1(U)        LACP      Et0/1(P)   Et0/3(P)

ASA03-5510# sh port-channel 1 load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip-port

EtherChannel Load-Balancing Addresses UsedPer-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address and TCP/UDP (layer-4) port number
IPv6: Source XOR Destination IP address and TCP/UDP (layer-4) port number

ASA03-5510# sh port-channel 1 brief
Ports: 2 Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ passive
Minimum Links: 1
Maximum Bundle: 2
Load balance: src-dst-ip-port

– Check the ARP entry on the neighbouring device to confirm that the MAC address of the first ASA interface added to each group is the one that shows up there:

RTR3#sh ip arp 136.1.34.17
Protocol         Address         Age (min)         Hardware Addr           Type          Interface
Internet         136.1.34.17    0                         001e.1359.4850          ARPA         FastEthernet0/0

ASA03-5510# sh int et0/0 | in MAC
MAC address 001e.1359.4850, MTU not set

CCIE-SW1#sh ip arp 136.1.93.17
Protocol       Address        Age (min)         Hardware Addr            Type         Interface
Internet       136.1.93.17    0                        001e.1359.4851            ARPA       Vlan93

ASA03-5510# sh int et0/1 | in MAC
MAC address 001e.1359.4851, MTU 1500
ASA03-5510#

~~~~~ Switch configurations to support these features.

Redundant interface configs:

#interface FastEthernet0/9
switchport access vlan 34
switchport mode access
spanning-tree portfast

#interface FastEthernet0/15
switchport access vlan 34
switchport mode access
spanning-tree portfast

Ether-channel config:

interface Port-channel1
switchport access vlan 93
switchport mode access

#interface FastEthernet0/19
switchport access vlan 93
switchport mode access
channel-group 1 mode active

#interface FastEthernet0/23
switchport access vlan 93
switchport mode access
channel-group 1 mode active

– Don’t forget to enable the physical interfaces (e0/0, e0/1, e0/2).
– Create a sub-interface, assign a VLAN to it, and make sure the switch port is in trunking mode. The native (untagged) VLAN of the trunk maps to the physical interface and cannot be assigned to a sub-interface.

ASA03-5510(config)# interface Ethernet0/3
nameif INSIDE
security-level 0
ip address 136.1.93.17 255.255.255.0

ASA03-5510(config)# interface Ethernet0/0.34
vlan 34
nameif outside
security-level 100
ip address 136.1.34.17 255.255.255.0

ASA03-5510# sh nameif
Interface                       Name                     Security
Ethernet0/0.34           outside                   100
Ethernet0/3                 INSIDE                    0

ASA03-5510# sh ip address
System IP Addresses:
Interface                     Name                   IP address      Subnet mask     Method
Ethernet0/0.34         outside                136.1.34.17     255.255.255.0   manual
Ethernet0/3              INSIDE                136.1.93.17     255.255.255.0   manual
Current IP Addresses:
Interface                    Name                   IP address      Subnet mask     Method
Ethernet0/0.34         outside               136.1.34.17     255.255.255.0   manual
Ethernet0/3              INSIDE               136.1.93.17     255.255.255.0   manual
ASA03-5510#

ASA3# show conn

Enable logging on the ASA:
#logging on
#logging console 7

– Switch configurations:

interface FastEthernet0/13
description ASA03 0/3
switchport access vlan 93
switchport mode access
spanning-tree portfast

interface FastEthernet0/14
description ASA04 0/3
switchport trunk allowed vlan 34
switchport mode trunk

ASA configuration commands:

ASA03-5510(config)# sla monitor 20
ASA03-5510(config-sla-monitor)# type echo protocol ipIcmpEcho 8.8.8.8 interface outside
ASA03-5510(config-sla-monitor-echo)# frequency 3
ASA03-5510(config-sla-monitor-echo)# request-data-size 1392
ASA03-5510(config-sla-monitor-echo)# num-packets 3
ASA03-5510(config-sla-monitor-echo)# timeout 1000
ASA03-5510(config)# sla monitor schedule 20 life forever start-time now
ASA03-5510(config)# track 1 rtr 20 reachability
ASA03-5510(config)# route outside 0.0.0.0 0.0.0.0 10.99.99.2 1 track 1
ASA03-5510(config)# route outside-backup 0.0.0.0 0.0.0.0 10.88.99.2 20

# sh sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 110
Owner:
Tag:
Type of operation to perform: echo
Target address: 8.8.8.8
Interface: outside
Number of packets: 3
Request size (ARR data portion): 1392
Operation timeout (milliseconds): 1000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 3
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

# sh sla monitor operational-state
Entry number: 110
Modification time: 06:56:46.879 UTC Tue Aug 5 2014
Number of Octets Used by this Entry: 2056
Number of operations attempted: 22
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 10
Latest operation start time: 06:57:49.881 UTC Tue Aug 5 2014
Latest operation return code: OK
RTT Values:
RTTAvg: 10      RTTMin: 10      RTTMax: 10
NumOfRTT: 3     RTTSum: 30      RTTSum2: 300

ASA2# debug icmp trace
ASA2# debug track
ASA2# un all

ASA03-5510# sh ip address
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0         outside                 10.99.99.1      255.255.255.0   manual
Ethernet0/1          outside-backup  10.88.99.1      255.255.255.0   manual
Ethernet0/2          inside                   1.1.1.10            255.255.255.0   manual

!-- shut down the main ISP interface
!-- traceroute shows that traffic is going via the backup link (outside-backup interface)

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Down
12 changes, last change 00:00:10
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
ASA03-5510#
ASA03-5510#

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Up
11 changes, last change 00:05:34
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0

ASA03-5510# sh route

C    1.1.1.0 255.255.255.0 is directly connected, inside
C    10.99.99.0 255.255.255.0 is directly connected, outside
C    10.88.99.0 255.255.255.0 is directly connected, outside-backup
S*   0.0.0.0 0.0.0.0 [20/0] via 10.88.99.2, outside-backup

ASA03-5510# traceroute 10.77.99.3

Type escape sequence to abort.
Tracing the route to 10.77.99.3

1  10.88.99.2 0 msec 0 msec 0 msec   !-- via outside-backup
2  10.77.99.3 0 msec *  0 msec

!-- the main ISP interface was brought up.

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Down
12 changes, last change 00:01:23
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
ASA03-5510#

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Up
13 changes, last change 00:00:02
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
ASA03-5510#

!-- traceroute shows that traffic goes via the main ISP now. The route was installed automatically.
ASA03-5510# traceroute 10.77.99.3
Type escape sequence to abort.
Tracing the route to 10.77.99.3

1  10.99.99.2 0 msec 0 msec 0 msec   !-- via outside interface
2  10.77.99.3 0 msec *  0 msec

ASA03-5510# sh run route   !-- only the SLA-related routes are in the configuration

route outside 0.0.0.0 0.0.0.0 10.99.99.2 1 track 1
route outside-backup 0.0.0.0 0.0.0.0 10.88.99.2 20

ASA03-5510# sh route

C    1.1.1.0 255.255.255.0 is directly connected, inside
C    10.99.99.0 255.255.255.0 is directly connected, outside
C    10.88.99.0 255.255.255.0 is directly connected, outside-backup
S*   0.0.0.0 0.0.0.0 [1/0] via 10.99.99.2, outside


!-- SLA-related configuration:

ASA Version 8.4(3)
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.99.99.1 255.255.255.0
!
interface Ethernet0/1
nameif outside-backup
security-level 0
ip address 10.88.99.1 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 1.1.1.10 255.255.255.0
!

object network inside-host
subnet 1.1.1.0 255.255.255.0

nat (inside,outside) source dynamic inside-host interface
nat (inside,outside-backup) source dynamic inside-host interface
route outside 0.0.0.0 0.0.0.0 10.99.99.2 1 track 1
route outside-backup 0.0.0.0 0.0.0.0 10.88.99.2 20

sla monitor 20
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 frequency 5
sla monitor schedule 20 life forever start-time now
!
track 1 rtr 20 reachability
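The outputs above show the mechanics: the tracked default route (administrative distance 1) is in the routing table only while track 1 is Up, and the floating route (distance 20 via outside-backup) takes over when the echo probe to 8.8.8.8 times out. The script below is an added example, not code from the original notes, and models exactly that: a `Track` object that follows the SLA return code, a route table that installs tracked routes only while their track is Up, and lowest-distance selection among installed routes. The route entries copy the configuration on the page; the probe results are constructed, and the model is simplified in that a single Timeout flips the track to Down.

```python
"""Floating static route with SLA tracking, modelled in Python (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    interface: str
    prefix: str
    next_hop: str
    distance: int = 1
    track: Optional[int] = None   # track object that must be Up for the route to be installed


# Copied from the page: `route outside ... 1 track 1` and `route outside-backup ... 20`.
ROUTES = [
    StaticRoute("outside", "0.0.0.0/0", "10.99.99.2", 1, track=1),
    StaticRoute("outside-backup", "0.0.0.0/0", "10.88.99.2", 20),
]


class Track:
    """Mirrors `track 1 rtr 20 reachability`: Up while the latest probe returned OK."""

    def __init__(self, track_id: int, sla_id: int):
        self.track_id = track_id
        self.sla_id = sla_id
        self.reachable = True
        self.changes = 0
        self.last_code = "OK"

    def update(self, return_code: str) -> bool:
        """Feed the return code of one SLA operation ('OK' or 'Timeout'); returns the new state."""
        self.last_code = return_code
        new_state = return_code == "OK"
        if new_state != self.reachable:      # count transitions like `N changes` in `show track`
            self.reachable = new_state
            self.changes += 1
        return self.reachable


def installed_routes(routes, tracks):
    """Routes eligible for the routing table: untracked, or tracked by an Up object."""
    return [r for r in routes if r.track is None or tracks[r.track].reachable]


def best_route(prefix, routes, tracks):
    """Lowest administrative distance wins among installed routes for a prefix."""
    candidates = [r for r in installed_routes(routes, tracks) if r.prefix == prefix]
    return min(candidates, key=lambda r: r.distance) if candidates else None


def rtt_summary(rtts):
    """Same fields as the RTT Values block of `show sla monitor operational-state`."""
    return {
        "RTTAvg": sum(rtts) // len(rtts),
        "RTTMin": min(rtts),
        "RTTMax": max(rtts),
        "NumOfRTT": len(rtts),
        "RTTSum": sum(rtts),
        "RTTSum2": sum(r * r for r in rtts),
    }


def show_route(route: StaticRoute) -> str:
    """Render the S* line the way `show route` prints it."""
    return f"S*   0.0.0.0 0.0.0.0 [{route.distance}/0] via {route.next_hop}, {route.interface}"


if __name__ == "__main__":
    tracks = {1: Track(1, 20)}
    print(show_route(best_route("0.0.0.0/0", ROUTES, tracks)))   # primary, [1/0] via 10.99.99.2
    tracks[1].update("Timeout")   # constructed: primary ISP link down
    print(show_route(best_route("0.0.0.0/0", ROUTES, tracks)))   # floating, [20/0] via 10.88.99.2
    tracks[1].update("OK")        # constructed: probe succeeds again, primary preempts
    print(show_route(best_route("0.0.0.0/0", ROUTES, tracks)))
    print(rtt_summary([10, 10, 10]))
```

Because the probe egresses only via `outside`, a failure anywhere between the ASA and 8.8.8.8 on that path withdraws the primary route, while the backup path is never probed; that asymmetry is the main thing to keep in mind when choosing the target address.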