Archive for the ‘Cisco Security – Firewalls’ Category

ASA 8.4x – Redundant Interfaces and Port-Channel configurations

Posted: October 6, 2013 in Cisco Security - Firewalls
0

!– Make sure all interfaces are not in shutdown state and enter redundant and port-channel commands.

ASA1(config)# int eth0/0
ASA1(config-if)# channel-group 1 mode active
ASA1(config-if)# no shut

ASA1(config-if)# int et0/2
ASA1(config-if)# channel-group 1 mode active
ASA1(config-if)# no shut

ASA1(config)# int port-channel 1
ASA1(config-if)# nameif outside
ASA1(config-if)# ip address 160.60.0.12 255.255.255.0

ASA1(config)# int redundant 1
ASA1(config-if)# member-interface eth0/1
ASA1(config-if)# member-interface eth0/3
ASA1(config-if)# nameif inside
ASA1(config-if)# ip address 20.0.0.12 255.255.255.0
ASA1(config-if)# no shut

!– Show run
interface Ethernet0/0
channel-group 1 mode active
no nameif
no security-level
no ip address

interface Ethernet0/1
no nameif
no security-level
no ip address

interface Ethernet0/2
channel-group 1 mode active
no nameif
no security-level
no ip address

interface Ethernet0/3
no nameif
no security-level
no ip address

interface Management0/0
shutdown
no nameif
no security-level
no ip address

interface Redundant1
member-interface Ethernet0/1
member-interface Ethernet0/3
nameif inside
security-level 100
ip address 20.0.0.12 255.255.255.0

interface Port-channel1
nameif outside
security-level 0
ip address 160.60.0.12 255.255.255.0

!– Configure routing
ASA1(config)# router ospf 1
ASA1(config-router)# network 20.0.0.0 255.255.255.0 area 1
ASA1(config-router)# network 160.60.0.0 255.255.255.0 are 0
ASA1(config-router)# log-adj-changes

!– Create network object for inside and dynamic PAT
ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 20.0.0.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface

ASA1(config)# access-list OUT-IN ext permit icmp any any
ASA1(config)# access-group OUT-IN in int outside

ASA1# sh int ip br 
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  up                    up
Ethernet0/3                unassigned      YES unset  up                    up
Management0/0              unassigned      YES unset  administratively down up
Port-channel1              160.60.0.12     YES manual down                  down
Redundant1                 20.0.0.12       YES manual up                    up

!– Make sure that switch ports are also configured for channel-group so the Port-channel1 interface is not down.

SW2(config)#int f0/41
SW2(config-if)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1
SW2(config)#int f0/12
SW2(config-if)#channel-group 1 mode active

ASA1# ping 160.60.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 160.60.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA1# sh interface redundant 1 detail
Interface Redundant1 “inside”, is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 001e.7a36.6d41, MTU 1500
IP address 20.0.0.12, subnet mask 255.255.255.0
334 packets input, 26940 bytes, 0 no buffer
Received 244 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
74 L2 decode drops
142 packets output, 11258 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 2 interface resets
0 late collisions, 0 deferred
162 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (510/254)
output queue (blocks free curr/low): hardware (510/253)
Traffic Statistics for “inside”:
106 packets input, 6761 bytes
142 packets output, 8555 bytes
2 packets dropped
1 minute input rate 0 pkts/sec,  41 bytes/sec
1 minute output rate 0 pkts/sec,  45 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec,  16 bytes/sec
5 minute output rate 0 pkts/sec,  16 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 9
Interface config status is active
Interface state is active
Redundancy Information:
Member Ethernet0/1(Active), Ethernet0/3
Last switchover at 14:08:54 UTC Sep 18 2013

!– If you shut down Eth0/1, the active interface becomes Eth0/3 and we should loose one, two pings:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

ASA1#  sh int red 1
Interface Redundant1 “inside”, is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 001e.7a36.6d41, MTU 1500
IP address 20.0.0.12, subnet mask 255.255.255.0
29393 packets input, 3455064 bytes, 0 no buffer
Received 260 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
82 L2 decode drops
29183 packets output, 3437408 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 2 interface resets
0 late collisions, 0 deferred
162 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (510/254)
output queue (blocks free curr/low): hardware (510/253)
Traffic Statistics for “inside”:
29157 packets input, 2911127 bytes
29183 packets output, 2911931 bytes
6 packets dropped
1 minute input rate 140 pkts/sec,  14009 bytes/sec
1 minute output rate 140 pkts/sec,  14004 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec,  16 bytes/sec
5 minute output rate 0 pkts/sec,  16 bytes/sec
5 minute drop rate, 0 pkts/sec
Redundancy Information:
Member Ethernet0/3(Active), Ethernet0/1
Last switchover at 14:08:54 UTC Sep 18 2013

!– Check out port channel status

ASA1# sh port-channel 1 detail
Ports: 2   Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ active
Minimum Links: 1
Maximum Bundle: 8
Load balance: src-dst-ip
Ports in the group:
——————-
Port: Et0/0
————
Port state    = bndl
Channel group =    1        Mode = LACP/ active
Port-channel  = Po1

Flags:  S – Device is sending Slow LACPDUs   F – Device is sending fast LACPDUs.
A – Device is in active mode.        P – Device is in passive mode.

Local information:
LACP port     Admin     Oper    Port        Port
Port      Flags   State      Priority      Key       Key     Number      State
—————————————————————————–
Et0/0     SA      bndl       32768         0x1       0x1     0x1         0x3d

Partner’s information:
Partner Partner    LACP Partner  Partner   Partner  Partner     Partner
Port      Flags   State      Port Priority Admin Key Oper Key Port Number Port State
———————————————————————————–
Et0/0     SA      bndl       32768         0x0       0x1      0x10d       0x3d

Port: Et0/2
————
Port state    = bndl
Channel group =    1        Mode = LACP/ active
Port-channel  = Po1

Flags:  S – Device is sending Slow LACPDUs   F – Device is sending fast LACPDUs.
A – Device is in active mode.        P – Device is in passive mode.

Local information:
LACP port     Admin     Oper    Port        Port
Port      Flags   State      Priority      Key       Key     Number      State
—————————————————————————–
Et0/2     SA      bndl       32768         0x1       0x1     0x3         0x3d

Partner’s information:
Partner Partner    LACP Partner  Partner   Partner  Partner     Partner
Port      Flags   State      Port Priority Admin Key Oper Key Port Number Port State
———————————————————————————–
Et0/2     SA      bndl       32768         0x0       0x1      0x12a       0x3d

ASA1# sh port-channel 1 load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip

EtherChannel Load-Balancing Addresses UsedPer-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address
IPv6: Source XOR Destination IP address

!– this is output when one of the interfaces is down, no load balacing:

ASA1# sh int e0/0 | in packets output
63320 packets output, 7471910 bytes, 0 underruns

ASA1# sh int e0/2 | in packets output
16482 packets output, 1941871 bytes, 0 underruns

!– Check port channel summary and notice that one of the interface is down.

ASA1# sh port-channel summary
Flags:  D – down        P – bundled in port-channel
I – stand-alone s – suspended
H – Hot-standby (LACP only)
U – in use      N – not in use, no aggregation/nameif
M – not in use, no aggregation due to minimum links not met
w – waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol    Ports
——+————-+———–+———————————————–
1      Po1(U)            LACP    Et0/0(P)   Et0/2(D)

#########################################################################

Configuring ASA in Multi Mode, Active/Active

Posted: October 6, 2013 in Cisco Security - Firewalls
0

!– Change ASA mode from single to multi on both units
ASA1(config)# mode multi
ASA2(config)# mode multi

!– Check out the warning messages:
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
The old running configuration file will be written to flash
Converting the configuration – this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple

!– In system context on primary firewall, enable physical interfaces, create subinterfaces, create contexts, assign interfaces to contexts, setup context1 to be admin context.

ASA1(config)# int et0/0
ASA1(config-if)# no shut
ASA1(config)# int eth0/1
ASA1(config-if)# no shut
ASA1(config)# int et0/3
ASA1(config-if)# no shut

ASA1(config)# int eth0/1.11
ASA1(config-subif)# vlan 11
ASA1(config-subif)# no shut

ASA1(config)# int eth0/1.13
ASA1(config-subif)# vlan 13
ASA1(config-subif)# no shut

ASA1(config)# context CTX1
Creating context ‘CTX1’… Done. (3)
ASA1(config-ctx)# description == CTX1 ==
ASA1(config-ctx)# allocate-interface eth0/1.11
ASA1(config-ctx)# allocate-interface et0/0
ASA1(config-ctx)# config-url disk0:/CTX1-ActiveActive.cfg

!– dedicate CTX1 as admin context
ASA1(config)# admin-context CTX1

ASA1(config)# context CTX2
Creating context ‘CTX2’… Done. (3)
ASA1(config-ctx)# description == CTX2 ==
ASA1(config-ctx)# allocate-interface eth0/0
ASA1(config-ctx)# allocate-interface eth0/1.13
ASA1(config-ctx)# config-url disk0:/CTX2-ActiveActive.cfg

!– Switch to CTX1 and configure it: apply interface ip and security levels, create dynamic pat for inside to outside basic communication, create basic acl to permit ping, setup interface monitoring as requested:

ASA1(config)# changeto context CTX1

ASA1/CTX1(config)# int eth0/1.11
ASA1/CTX1(config-if)# nameif inside
ASA1/CTX1(config-if)# ip address 10.0.0.13 255.255.255.0 standby 10.0.0.14
ASA1/CTX1(config-if)# no shut

ASA1/CTX1(config-if)# int eth0/0
ASA1/CTX1(config-if)# nameif outside
ASA1/CTX1(config-if)# ip address 150.50.0.13 255.255.255.0 standby 150.50.0.14
ASA1/CTX1(config-if)# no shut
ASA1/CTX1(config)# object network inside
ASA1/CTX1(config-network-object)# subnet 10.0.0.0 255.255.255.0
ASA1/CTX1(config-network-object)# nat (inside,outside) dynamic interface
ASA1/CTX1(config)# access-list OUTSIDE-IN permit icmp any any echo-rep
ASA1/CTX1(config)# access-group OUTSIDE-IN in int outside

ASA1/CTX1(config)# monitor-interface inside
ASA1/CTX1(config)# no monitor-interface outside

!– Switch to CTX2 and configure it: apply interface ip and security levels, create dynamic pat for inside to outside basic communication, create basic acl to permit ping, setup interface monitoring as requested:

ASA1/CTX1# changeto context CTX2

ASA1/CTX2(config)# int eth 0/0
ASA1/CTX2(config-if)# nameif outside
ASA1/CTX2(config-if)# ip address 150.50.0.31 255.255.255.0 standby 150.50.0.41
ASA1/CTX2(config-if)# no shut

ASA1/CTX2(config-if)# int eth0/1.13
ASA1/CTX2(config-if)# nameif inside
ASA1/CTX2(config-if)# ip address 10.0.1.13 255.255.255.0 standby 10.0.1.14
ASA1/CTX2(config-if)# no shut

ASA1/CTX2(config)# object network inside
ASA1/CTX2(config-network-object)# subnet 10.0.1.0 255.255.255.0
ASA1/CTX2(config-network-object)# nat (inside,outside) dynamic interface
ASA1/CTX2(config)# access-list OUTSIDE-IN permit icmp any any echo-reply
ASA1/CTX2(config)# access-group OUTSIDE-IN in int outside

ASA1/CTX2(config)# monitor-interface inside
ASA1/CTX2(config)# no monitor-interface outside

!– In system context on primary firewall, setup failover commands (this unit is primary), create failover groups, assigning context to failover groups, activate failover:

ASA1/CTX2# changeto system

ASA1(config)# int eth0/3
ASA1(config-if)# no shut
ASA1(config-if)# failover lan unit primary
ASA1(config)# failover lan interface FAIL eth0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
ASA1(config)# failover link FAIL eth0/3
ASA1(config)# failover interface ip FAIL 1.1.1.1 255.255.255.0 standby 1.1.1.2

ASA1(config)# failover group 1
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# preempt
ASA1(config-fover-group)# interface-policy 1
ASA1(config-fover-group)# polltime interface msec 500 holdtime 5

ASA1(config)# failover group 2
ASA1(config-fover-group)# secondary
ASA1(config-fover-group)# preempt
ASA1(config-fover-group)# interface-policy 1
ASA1(config-fover-group)# polltime interface msec 500 hold 5

ASA1(config)# context CTX1
ASA1(config-ctx)# join-failover-group 1
ASA1(config)# context CTX2
ASA1(config-ctx)# join-failover-group 2

ASA1(config)# failover

!– On secondary firewall, bring up failover interface, setup failover commands (unit secondary)
!– Note that only few commands will be needed; all other config details are replicated via failover.

ASA2(config)# int eth0/3
ASA2(config-if)# no shut

ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface FAIL eth0/3
ASA2(config)# failover link FAIL eth0/3
ASA2(config)# failover interface ip FAIL 1.1.1.1 255.255.255.0 standby 1.1.1.2

!– Activate failover
ASA2(config)# failover

How to verify:

!– show failover in system context

ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAIL Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.4(3), Mate 8.4(5)
Group 1 last failover at: 14:47:42 UTC Sep 11 2013
Group 2 last failover at: 14:47:55 UTC Sep 11 2013

This host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 113 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.4(3)) status (Up Sys)
CTX1 Interface outside (150.50.0.14): Normal (Not-Monitored)
CTX1 Interface inside (10.0.0.14): Unknown (Waiting)
CTX2 Interface outside (150.50.0.31): Normal (Not-Monitored)
CTX2 Interface inside (10.0.1.13): Unknown (Waiting)
slot 1: empty

Other host: Primary
Group 1 State: Active
Active time: 388 (sec)
Group 2 State: Standby Ready
Active time: 274 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
CTX1 Interface outside (150.50.0.13): Normal (Not-Monitored)
CTX1 Interface inside (10.0.0.13): Unknown (Waiting)
CTX2 Interface outside (150.50.0.41): Normal (Not-Monitored)
CTX2 Interface inside (10.0.1.14): Unknown (Waiting)
slot 1: empty

Stateful Failover Logical Update Statistics
Link : FAIL Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 16 0 18 0
sys cmd 16 0 16 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 0 0 2 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 18
Xmit Q: 0 1 16
ASA1(config)#

!– Once the failed interface recovers, the original primary unit takes over the primary role and the messages pops up on the screen.

#telnet or ping thru firewall
#show monitor-interface in context

filter vlan on switch interface to force switchover (“switch trunk allowed vlan remove 11”)

!– Note that once you allow back vlan 11, the primary unit will preempt.

ASA1#
Group 1 preempt mate

##### Theory #####

In the system context on the primary unit:
– setup interfaces (no shut),
– create subinterfaces,
– assign subinterface to vlan, and
– do interface no shut
– create contexts and assign interfaces to the context,
– setup failover commands,
– create failover groups,
– setup primary, preempt and interface policy and polltime.
– Next step is to switch to context and join context to correct failover group.
– Activate failover within config-t.

On the switch, setup trunk interfaces for outside and inside interfaces allowing correct vlans.

Then switch to context1 and setup interface names, ip addresses, objects, nat, access list and interface monitoring.
Then switch to context 2 and setup interface names, ip addresses, objects, nat, access list and interface monitoring.

On secondary unit enter only failover commands (same as from primary unit), bring up failover interface and activate failover.

###########################################################################

How to configure enhanced object group in ASA 8.x and up

Posted: October 6, 2013 in Cisco Security - Firewalls
0

#object-group service SERVICES
#service-object icmp echo
#service-object tcp destination eq telnet
#service-object udp destination eq syslog

#object network R1
#host 20.0.0.1
#nat (inside,outside) static 160.60.0.1

#access-list OUT-IN extended permit object-group SERVICES host 160.60.0.2 object R1
#access-group OUT-IN in interface outside

ASA1# sh access-list
access-list OUT-IN; 3 elements; name hash: 0x456198c2
access-list OUT-IN line 1 extended permit object-group SERVICES host 160.60.0.2 object R1 (hitcnt=3)
access-list OUT-IN line 1 extended permit icmp host 160.60.0.2 host 20.0.0.1 echo (hitcnt=2)
access-list OUT-IN line 1 extended permit tcp host 160.60.0.2 host 20.0.0.1 eq telnet (hitcnt=1)
access-list OUT-IN line 1 extended permit udp host 160.60.0.2 host 20.0.0.1 eq syslog (hitcnt=0)
ASA1#
##### Theory #####

Object groups allow for combining different type of IP protocols (TCP, UDP), port numbers and ICMP error codes into a single unit. The ACL will have one line for all configured protocols/ports instead of one line per protocol/port.

################################################################

Allow ping and tracert thru ASA and debug ICMP

Posted: October 5, 2013 in Cisco Security - Firewalls
0

OUTSIDE_IN -> |outside Interface |

|outside Interface| -> OUTSIDE_OUT

!– allow traceroute return packets 
!– allow traceroute return packets 
!– allow pings across firewall
!– allow pings across firewall

access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any echo 
access-list OUTSIDE_IN extended permit icmp any any echo-reply

! Egress ACL: permit ping packets
access-list OUTSIDE_OUT extended permit icmp any any echo
access-list OUTSIDE_OUT extended permit icmp any any echo-reply

 !–to allow ASA to ping to any destination but not to respond to ping:
icmp permit any echo-reply outside

!– allow ASA to perform traceroute and to accept pMTU messages
# icmp permit any time-exceeded outside
# icmp permit any unreachable outside

#debug icmp trace

ICMP echo request from inside:150.1.2.2 to outside:136.1.123.12 ID=16 seq=0 len=72
ICMP echo request translating inside:150.1.2.2 to outside:136.1.123.33
ICMP echo request from inside:150.1.2.2 to outside:136.1.123.12 ID=16 seq=1 len=72
ICMP echo request translating inside:150.1.2.2 to outside:136.1.123.33
ASA3# sh xlate
1 in use, 2 most used
Flags: D – DNS, e – extended, I – identity, i – dynamic, r – portmap,
s – static, T – twice, N – net-to-net
ICMP PAT from any:150.1.2.2/16 to any:136.1.123.33/16 flags ri idle 0:00:29 timeout 0:00:30

Example:
ACL No one can ping firewall but firewall can ping out on all interfaces.
Firewall responds to traceroute and pMTU discovery:

icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside

icmp permit any echo-reply inside
icmp permit any time-exceeded inside
icmp permit any unreachable inside

icmp permit any echo-reply dmz1
icmp permit any time-exceeded dmz1
icmp permit any unreachable dmz1

icmp permit any echo-reply dmz2
icmp permit any time-exceeded dmz2
icmp permit any unreachable dmz2

##### A bit of theory #####

The traceroute command is used to discover the routes that packets actually take when traveling to their destination. The device sends out a sequence of User Datagram Protocol (UDP) datagrams to an invalid port address at the remote host.
Three datagrams are sent, each with a Time-To-Live (TTL) field value set to one. The TTL value of 1 causes the datagram to “timeout” as soon as it hits the first router in the path; this router then responds with an ICMP Time Exceeded Message (TEM) indicating that the datagram has expired.
Another three UDP messages are now sent, each with the TTL value set to 2, which causes the second router to return ICMP TEMs. This process continues until the packets actually reach the other destination.

Since these datagrams are trying to access an invalid port at the destination host, ICMP Port Unreachable Messages are returned, indicating an unreachable port; this event signals the Traceroute program that it is finished.

The purpose behind this is to record the source of each ICMP Time Exceeded Message to provide a trace of the path the packet took to reach the destination

For IPv4 packets, Path MTU Discovery works by setting the Don’t Fragment (DF) option bit in the IP headers of outgoing packets. Then, any device along the path whose MTU is smaller than the packet will drop it, and send back an Internet Control Message Protocol (ICMP) Fragmentation Needed (Type 3, Code 4) message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process is repeated until the MTU is small enough to traverse the entire path without fragmentation.

IPv6 routers do not support fragmentation or the Don’t Fragment option. For IPv6, Path MTU Discovery works by initially assuming the path MTU is the same as the MTU on the link layer interface through which the traffic is being sent. Then, similar to IPv4, any device along the path whose MTU is smaller than the packet will drop the packet and send back an ICMPv6 Packet Too Big (Type 2) message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process is repeated until the MTU is small enough to traverse the entire path without fragmentation.

The ping command uses a series of Internet Control Message Protocol (ICMP) Echo messages to determine:
– Whether a remote host is active or inactive.
– The round-trip delay in communicating with the host.
– Packet loss.

The ping command first sends an echo request packet to an address, then waits for a reply. The ping is
successful only if:
– the echo request gets to the destination, and
– the destination is able to get an echo reply back to the source within a predetermined time called a
timeout. The default value of this timeout is two seconds on Cisco routers.

The TTL value of a ping packet cannot be changed.

################################################################

Configuring failover on ASA 8.4 and higher

Posted: October 3, 2013 in Cisco Security - Firewalls
1

ASA primary unit failover commands:

!– enables failover interface

ASA1(config)#inte et0/3    

ASA1(config-if)# no shut

ASA1(config)# int e0/0
ASA1(config-if)# nameif outside
ASA1(config-if)# ip address 160.10.0.13 255.255.255.0 standby 160.10.0.14
ASA1(config-if)# no shut

ASA1(config-if)# int e0/1
ASA1(config-if)# nameif inside
ASA1(config-if)# ip address 10.0.0.13 255.255.255.0 standby 10.0.0.14
ASA1(config-if)# no shut

!-Enables rip routing protocol
ASA1(config)# router rip      
ASA1(config-router)# ver 2
ASA1(config-router)# network 10.0.0.0
ASA1(config-router)# network 160.10.0.0
ASA1(config-router)# no auto-summary

!- Default NAT to permit inside to outside traffic
ASA1(config)# object net ANY-INSIDE
ASA1(config-network-object)# subnet 0 0
ASA1(config-network-object)# nat (inside,outside) dynamic interface
ASA1(config-network-object)# exit

!- Permits icmp for testing

ASA1(config)# access-list OUT-IN permit icmp any any echo-reply        
ASA1(config)# access-group OUT-IN in interface outside

!– Failover commands

ASA1(config)# failover lan unit primary
ASA1(config)# failover lan interface FAILOVER-INT et0/3
ASA1(config)# failover  link FAILOVER-INT e0/3
ASA1(config)# failover interface ip FAILOVER-INT 1.1.1.13 255.255.255.0 standby 1.1.1.14
ASA1(config)# failover

ASA1(config)# monitor-interface outside
ASA1(config)# monitor-interface inside

ASA1(config)# failover polltime unit msec 200 holdtime msec 800
ASA1(config)# failover polltime interface msec 500 holdtime 5
ASA1(config)# failover interface-policy 1

Secondary unit failover commands:

ASA2(config)# int e0/3
ASA2(config-if)# no shut
ASA2(config-if)# exit

ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface FAILOVER-INT e0/3
ASA2(config)# failover link FAILOVER-INT e0/3

ASA2(config)# failover interface ip FAILOVER-INT 1.1.1.13 255.255.255.0 standby 1.1.1.14
ASA2(config)# failover

************WARNING****WARNING****WARNING********************************
Mate version 8.4(5) is not identical with ours 8.4(6)
************WARNING****WARNING****WARNING********************************

ASA1# sh failover state

State          Last Failure Reason      Date/Time
This host  –   Primary
Active         None
Other host –   Secondary
Standby Ready  Comm Failure             14:33:36 UTC Sep 6 2013

This shows that failover link commands was not entered. Once command is entered like this:

ASA1(config)# failover link FAILOVER-INT et0/3

 

When everything looks good:

ASA1# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER-INT Ethernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.4(5), Mate 8.4(6)
Last Failover at: 14:33:20 UTC Sep 6 2013
This host: Primary – Active
Active time: 1005 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
Interface outside (160.10.0.13): Normal (Monitored)
Interface inside (10.0.0.13): Normal (Monitored)
slot 1: empty
Other host: Secondary – Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(6)) status (Up Sys)
Interface outside (160.10.0.14): Normal (Monitored)
Interface inside (10.0.0.14): Normal (Monitored)
slot 1: empty

Stateful Failover Logical Update Statistics
Link : FAILOVER-INT Ethernet0/3 (up)
Stateful Obj    xmit       xerr       rcv        rerr
General         11         0          10         0
sys cmd         10         0          10         0
up time         0          0          0          0
RPC services    0          0          0          0
TCP conn        0          0          0          0
UDP conn        0          0          0          0
ARP tbl         0          0          0          0
Xlate_Timeout   0          0          0          0
IPv6 ND tbl     0          0          0          0
VPN IKEv1 SA    0          0          0          0
VPN IKEv1 P2    0          0          0          0
VPN IKEv2 SA    0          0          0          0
VPN IKEv2 P2    0          0          0          0
VPN CTCP upd    0          0          0          0
VPN SDI upd     0          0          0          0
VPN DHCP upd    0          0          0          0
SIP Session     0          0          0          0
Route Session   0          0          0          0
User-Identity   1          0          0          0

Logical Update Queue Information
Cur     Max     Total
Recv Q:         0       2       10
Xmit Q:         0       25      108

ASA1#
************WARNING****WARNING****WARNING********************************
Mate version 8.4(6) is not identical with ours 8.4(5)
************WARNING****WARNING****WARNING*****************************

!– You can run commands on standby unit by issuing:

ASA1# failover exec standby show run router rip
router rip
network 136.1.0.0
version 2
no auto-summary

!– once you establish connection thru ASA, check connections on primary and standby. This show that statefull tracking is happening.

ASA1# sh conn
11 in use, 13 most used
TCP outside 160.10.0.2:23 inside 10.0.0.1:38081, idle 0:00:01, bytes 67, flags UIO
ASA1#

ASA1# failover exec standby show conn
11 in use, 13 most used
TCP outside 160.10.0.2:23 inside 10.0.0.1:38081, idle 0:01:07, bytes 67, flags UIO
ASA1#

!– When you shut down switch interface where primary outside interface is connected to, the switchover happens:

ASA1(config)#
Switching to Standby

!– Check failover status on secondary unit:

ASA1# sh failover 
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER Ethernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.4(3), Mate 8.4(5)
Last Failover at: 16:10:44 UTC Sep 9 2013
This host: Secondary – Active
Active time: 117 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(3)) status (Up Sys)
Interface outside (160.10.0.13): Normal (Waiting)
Interface inside (10.0.0.13): Normal (Monitored)
slot 1: empty
Other host: Primary – Failed
Active time: 844 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
 Interface outside (160.10.0.14): No Link (Waiting)
Interface inside (10.0.0.14): Normal (Monitored)
slot 1: empty

Stateful Failover Logical Update Statistics
Link : FAILOVER Ethernet0/3 (up)
Stateful Obj    xmit       xerr       rcv        rerr
General         76         0          82         0
sys cmd         75         0          75         0
up time         0          0          0          0
RPC services    0          0          0          0
TCP conn        1          0          4          0
UDP conn        0          0          0          0
ARP tbl         0          0          2          0
Xlate_Timeout   0          0          0          0
IPv6 ND tbl     0          0          0          0
VPN IKEv1 SA    0          0          0          0
VPN IKEv1 P2    0          0          0          0
VPN IKEv2 SA    0          0          0          0
VPN IKEv2 P2    0          0          0          0
VPN CTCP upd    0          0          0          0
VPN SDI upd     0          0          0          0
VPN DHCP upd    0          0          0          0
SIP Session     0          0          0          0
Route Session   0          0          0          0
User-Identity   0          0          1          0

Logical Update Queue Information
Cur     Max     Total
Recv Q:         0       5       648
Xmit Q:         0       1       188
ASA1#

##### A bit of theory #####

In failover, one firewall unit is designated as primary and the other as secondary. Initially, the primary unit is active and the secondary is standby. Only one unit is active and forwards traffic at any given time, while the other remains in standby mode. When the active unit fails, the standby assumes the role of the active unit by taking its IP/MAC addresses. The unit still remains known as the “secondary” unit, but it operates in an “active” mode. Failover is available in both transparent firewall and routed firewall modes.

The firewall supports two types of failover: stateful and regular. During the regular failover process, the states of the currently active sessions, which include NAT translations, etc., are not copied between the active and standby units. After a failover, users must re-initiate their connections. Stateful failover preserves all connection states during a failover, making the switchover process nearly seamless from the end user perspective. The configurations of both units are kept synchronized at all times, because the commands from the active unit are always replicated to the standby

Failover occur under three general conditions:

1. The active unit detects system health issues (software, hardware or power failure).

In this case the active unit become a standby and secondary become primary unit immediately.

2. The standby unit detects loss of contact with the active unit across the failover interface.

Both units constantly send keepalive message to each other across the failover link. If the standby unit loses 3 consecutive keepalives, it will try to restore contact with the active unit. The standby unit will broadcast ARP requests out of all interfaces, asking for the IP address of the active unit. If it receives the ARP response on the failover link, nothing changes. If the response is only received on the non-failover link, the standby unit marks the failover link as non-functional but does not fail over. Manual intervention is required to fix the problem. If no response is received on any interface, the standby unit fails over.

3. The active unit detects loss of the monitored interfaces above the configured threshold.

By default, when interface monitoring is enabled, every single physical interface failure would force the active unit to give its role to the standby. In the most simple case, if the unit detects loss of carrier on the interface, it immediately declares the interface to be down. To account for more complex cases, interface monitoring is performed by sending and receiving keepliave packets to the standby unit. If the active unity does not receive any hello packets for the duration of half of the hold-interval, it will attempt to count packets on the monitored interface to see if any traffic enters the interface. If this does not succeed, the unit will attempt to send ARP requests for known destinations to provoke some responses and see if this generates traffic. If all attempts to generate a receive traffic fails, the unit will initiate failover.

By default, the firewall monitors all physical interfaces with IP addresses assigned. At the same time, sub-interfaces are not monitored by default. With default settings, any interface failure will trigger failover.

################################################################

Basic configuration for ASA 5505 running IOS 8.4 and higher

Posted: October 3, 2013 in Cisco Security - Firewalls
0

Configure the internal interface vlan

ASA1 (config)# interface Vlan 1
ASA1(config-if)# nameif inside
ASA1(config-if)# security-level 100
ASA1(config-if)# ip address 192.168.1.1 255.255.255.0
ASA1(config-if)# no shut

Configure the external interface vlan (connected to Internet)
ASA1 (config)# interface Vlan 2
ASA1(config-if)# nameif outside
ASA1(config-if)# security-level 0
ASA1(config-if)# ip address 200.200.200.1 255.255.255.0
ASA1(config-if)# no shut

Assign Ethernet 0/0 to Vlan 2
ASA1 (config)# interface Ethernet0/0
ASA1(config-if)# switchport access vlan 2
ASA1(config-if)# no shut

Enable the rest interfaces with no shut
ASA1 (config)# interface Ethernet0/1
ASA1(config-if)# no shut

Do the same for Ethernet0/1 to 0/7.

Configure PAT on the outside interface
ASA1 (config)# global (outside) 1 interface
ASA1 (config)# nat (inside) 1 0.0.0.0 0.0.0.0
ASA1 (config)#object network obj_any
ASA1 (config)#subnet 0.0.0.0 0.0.0.0
ASA1 (config)#nat (inside, outside) dynamic interface

Configure default route towards the ISP (assume default gateway is 200.200.200.2)
ASA1 (config)# route outside 0.0.0.0 0.0.0.0 200.200.200.2 1

The above steps are the absolutely necessary steps you need to configure for making the appliance operational. The next steps would include Access Control Lists, Static NAT, DHCP, DMZ zones, authentication etc.

################################################################

Configure RIPv2 on routers using clear-text and MD5 hash for authC.

Posted: October 2, 2013 in Cisco Security - Firewalls
0

Configure RIPv2 on routers using clear-text and MD5 hash for authC

Simple diagram:
R1-> rip clear-text <-R3-> rip MD5 <-R2

Router1:

Router1(config)#key chain TEXT                                                   !– key chain name
Router1(config-keychain)#key 1                                                   !– key identifier
Router1(config-keychain-key)#key-string CLEARTEXT          !– key chain string

Router1(config)#router rip
Router1(config-router)#ver 2
Router1(config-router)#network 140.1.0.0                             !–RIP advertized networks
Router1(config-router)#network 160.1.0.0
Router1(config-router)#no auto-summary

Router1(config)#int f0/0
Router1(config-if)#ip rip authentication mode text                 !–clear-text authc mode
Router1(config-if)#ip rip authentication key-chain TEXT       !–key-chain name used for authc

Router2:
Router2(config)#router rip
Router2(config-router)#version 2
Router2(config-router)#network 140.1.0.0
Router2(config-router)#network 160.1.0.0
Router2(config-router)#no auto-summary
Router2(config-router)#exit

Router2(config)#key chain MD5
Router2(config-keychain)#key 1
Router2(config-keychain-key)#key-string MD5HASH

Router2(config-keychain-key)#int f0/0
Router2(config-if)#ip rip authentication mode md5
Router2(config-if)#ip rip authentication key-chain MD5

Router 3:
Router3(config)#key chain TEXT
Router3(config-keychain)#key 1
Router3(config-keychain-key)#key-string CLEARTEXT

Router3(config)#key chain MD5
Router3(config-keychain)#key 1
Router3(config-keychain-key)#key-string MD5HASH

Router3(config)#route rip
Router3(config-router)#version 2
Router3(config-router)#network 140.1.0.0
Router3(config-router)#network 160.1.0.0
Router3(config-router)#no auto-summary

Router3(config)#int f0/1
Router3(config-if)#ip rip authentication mode text
Router3(config-if)#ip rip authentication key-chain TEXT

Router3(config-if)#int f0/0
Router3(config-if)#ip rip authentication mode md5
Router3(config-if)#ip rip authentication key-chain MD5

Verify:
Router3#sh ip route rip
160.1.0.0/32 is subnetted, 2 subnets
R       160.1.1.1 [120/1] via 140.1.13.1, 00:00:27, FastEthernet0/1

Router1#
Router1#sh ip route rip

140.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
R        140.1.23.0/24 [120/1] via 140.1.13.3, 00:00:15, FastEthernet0/0
160.1.0.0/32 is subnetted, 2 subnets
R        160.1.3.3 [120/1] via 140.1.13.3, 00:00:15, FastEthernet0/0
Router1#

Router3#debug ip rip

RIP: received packet with text authentication CLEARTEXT
RIP: received v2 update from 140.1.13.1 on FastEthernet0/1
160.1.1.1/32 via 0.0.0.0 in 1 hops
RIP: sending v2 update to 224.0.0.9 via Loopback0 (160.1.3.3)
RIP: build update entries
140.1.13.0/24 via 0.0.0.0, metric 1, tag 0
140.1.23.0/24 via 0.0.0.0, metric 1, tag 0
160.1.1.1/32 via 0.0.0.0, metric 2, tag 0
RIP: ignored v2 packet from 160.1.3.3 (sourced from one of our addresses)
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (140.1.

Wrong authentication shows this error outputs:

Router2#
RIP: ignored v2 packet from 136.1.23.3 (invalid authentication)
RIP: sending v2 update to 224.0.0.9 via Loopback0 (150.1.2.2)
RIP: build update entries
136.1.23.0/24 via 0.0.0.0, metric 1, tag 0
RIP: ignored v2 packet from 150.1.2.2 (sourced from one of our addresses)
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (136.1.23.2)
RIP: build update entries
150.1.2.2/32 via 0.0.0.0, metric 1, tag 0
RIP: ignored v2 packet from 136.1.23.3 (invalid authentication)
RIP: sending v2 update to 224.0.0.9 via Loopback0 (150.1.2.2)
RIP: build update entries
136.1.23.0/24 via 0.0.0.0, metric 1, tag 0

##### Theory #####
RIP authentication is configured in three steps:

1. define a global key chain
2. enable authentication mode (clear-text or MD5) on the RIP interfaces
3. apply the key chain to the interface
Note that for MD5 based authentication, the key number in the key chain must match between the neighbors.

Verification – check if the routes from the RIP neighbor are installed in the routing table, authentication was successful.

################################################################

Newer Entries