Networking-Blog

My WordPress Blog

Working with NSG access and Azure Bastion

When working with Azure Bastion, you can use network security groups (NSGs).

In this diagram:

  • The Bastion host is deployed to the virtual network.
  • The user connects to the Azure portal using any HTML5 browser.
  • The user navigates to the Azure virtual machine to RDP/SSH.
  • Connect Integration – Single-click RDP/SSH session inside the browser
  • No public IP is required on the Azure VM.

Network security groups

This section shows you the network traffic between the user and Azure Bastion, and through to target VMs in your virtual network:

AzureBastionSubnet

Azure Bastion is deployed specifically to AzureBastionSubnet.

  • Ingress Traffic:
    • Ingress Traffic from public internet: The Azure Bastion will create a public IP that needs port 443 enabled on the public IP for ingress traffic. Port 3389/22 are NOT required to be opened on the AzureBastionSubnet.
    • Ingress Traffic from Azure Bastion control plane: For control plane connectivity, enable port 443 inbound from GatewayManager service tag. This enables the control plane, that is, Gateway Manager to be able to talk to Azure Bastion.
  • Egress Traffic:
    • Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP. The NSGs need to allow egress traffic to other target VM subnets for port 3389 and 22.
    • Egress Traffic to other public endpoints in Azure: Azure Bastion needs to be able to connect to various public endpoints within Azure (for example, for storing diagnostics logs and metering logs). For this reason, Azure Bastion needs outbound to 443 to AzureCloud service tag.

Target VM Subnet

This is the subnet that contains the target virtual machine that you want to RDP/SSH to.

  • Ingress Traffic from Azure Bastion: Azure Bastion will reach to the target VM over private IP. RDP/SSH ports (ports 3389/22 respectively) need to be opened on the target VM side over private IP. As a best practice, you can add the Azure Bastion Subnet IP address range in this rule to allow only Bastion to be able to open these ports on the target VMs in your target VM subnet.

The overall NSG would look like this:

WLC L3 Security Web Authentication

In this post we will see how to implement and configure WLC to support internal Webauth.
Web authentication is a Layer 3 security feature that causes the controller to not allow IP traffic (except DHCP and DNS -related packets) from a particular client until that client has correctly supplied a valid username and password.
Web authentication is mostly used to deploy a guest-access network. We must remember that web authentication does not provide data encryption. Webauth is an authentication method without encryption.

Web authentication can be performed using:
Default login window on the WLC
Modification of the default login window on the WLC
A customised login window that we download to the controller


In this post we will only see the starting 3 ways because I don’t have any external webserver.

Let’s start with Configuration of WLC. We will follow these steps:

Create a dynamic interface and fill all the required details.
Create a WLAN and apply the settings.
Configure WLC for Webauth (Internal).
Create local user for testing.
Verification

  1. Create a dynamic interface and fill all the required details.
    From WLC GUI, Choose Controller > Interface > New and fill the details:

    Interface Name: webauth
    Vlan Id: 10

    Click Apply
  2. Click on created Interface and then add the following details:
    Vlan Identifier-10
    IP Address—192.168.10.0
    Netmask—255.255.255.0 (24 bits)
    Gateway—192.168.10.254
    Primary DHCP Server—192.168.20.3(WLC Management IP for internal DHCP server)

    Click Apply

Click Apply to save the changes.

3. Create a WLAN and apply the settings:
From the WLC GUI, click WLAN in the menu at the top, and click New on the upper right side. This page will appear. Fill Profile name and SSID.

Click Apply.

A new WLANs > Edit window appears.
Check the status box to enable the WLAN.
From the Interface menu, select the name of the VLAN interface (webauth) that we created above.
Check the Broadcast SSID box

Click on Security Tab
Click Layer 2 security and set to None.

Click the Layer 3 tab
Check the Web Policy box and choose the Authentication option.

Then click Apply from upper right side to save changes.

4. Configure WLC for Webauth(Internal).
Internal web authentication is the by default web authentication type on WLCs. NO need to change the configuration.

5. Create local user for testing:
We can use 3 ways:
Local authentication, RADIUS server, LDAP server
In this post we will tests with Local authentication.

WLC GUI, choose Security > AAA > Local Net Users > New
Enter the username, password and WLAN profile from drop down box.

Assign to the correct WLAN Profile webauth

Click Apply
Here we created 2 users:
Username: Sandeep, Password: webauth123
Username: Sandeep1, Password: webauth12345

6. Verification
On Laptop Connect to Webauth SSID

7. Then a new browser will automatically open or we have to manually enter virtual interface IP from WLC : https://1.1.1.1/login.html. A Login window will appears
***In my WLC I have Virtual interface IP as 2.2.2.2

8. Enter the username and password of the Local Net User that we created:
Username: sandeep, Password: webauth123

9. Modification of the default login window on the WLC

  1. Login to WLC and modify the default login window by choosing Security > Web Auth > Web Login Page and click on Apply to save it. I changed the headline and message content.

2. Now connect to webauth WLAN. Login page will appear like this.

3. Enter the username and password.

10. A customized login window that we download to the controller

To download a customized login page, first start a TFTP/FTP server and put the login page in their root directory then login to WLC GUI, click on Commands and the details.

  1. Change the WLAN setting.
    WLAN > click on WLAN ID then Security > Layer3,
    Select the Over-ride Global Config box
    Choose Customized (Downloaded) webauth type from drop down box and select the login and login failure page then click apply.

2. Enter the username/Password and click on I agree with Policy Above.

Here is the complete Web Authentication Process(How it works: )

Privilege Level 15 with Cisco ISE

In this post, I’m going to show you how to assign privilege level 15 with Cisco ISE through RADIUS.

In addition, there are some other configuration required to be applied on the network devices themselves mainly to enable AAA and RADIUS authentication and authorisation. We will go only through the most relevant configuration parts in this post.

Let’s get started with ISE configuration. First we will create a new authorisation profile and we will call it R1_PRIV_15. The option we are after is called Web Authentication (Local Web Auth). This option allows ISE to push Cisco AV Pair attribute priv-lvl=15 inside the RADIUS packets to the network device:

Let’s enable this option, and verify what attributes will be associated with it:

As we can see, by enabling the Web Authentication (Local Web Auth) option we can see the Cisco AV Pair attribute priv-lvl=15 in the attributes details section.

ADD the NETWORK DEVICE

Now let’s create a network device and configure its Device Type as IOS. The Device Type will be used in the top conditions on the policy set, we will see this later. We are going to call the network device Router-01:

JOIN ISE TO THE AD

Now let’s make sure we have the AD group LabAdmins already added:

As we can see the last group on the list is the LabAdmins group.

ISE POLICY SET

Now let’s create a new policy set and call it ADMIN_ACCESS_PRIV_15. As mentioned above this policy set will have some conditions on the top to match the traffic coming from the network device Router-01. The conditions are the Device Type which we configured as IOS, the RADIUS NAS Port Type which is Virtual in this case, and the RADIUS Service Type which is Login.

All these conditions should match for any SSH connection to Router-01. The point here is to make the policy set as much accurate as possible to match the exact traffic that should be served by itself. In the authentication section we will configure the authentication against the AD which is already joined to ISE.

And finally in the authorisation section we will configure a rule with a condition to check if the users are located in the AD group LabAdmins, if so, then the authorisation profile we created earlier which is called R1_PRIV_15 will be applied, instead if no match, the default authorisation rule will be applied which will deny accesses:

ROUTER RADIUS CONFIGURATION

Now that we have applied all the required configuration on ISE, let’s move on and apply the required configuration on the Router-01. Mainly what we need is to enable AAA, configure the RADIUS authentication and authorisation, associating AAA authentication and authorisation method lists to the VTY lines, and restricting the accesses to the VTY lines for SSH only:

One thing worth mentioning here is that if we want to use the RADIUS Service Type in our conditions on ISE, then we need to enable radius-server attribute 6 on-for-login-auth, if not the RADIUS Service Type would be ignored in the RADIUS packets.

VERIFICATION

All the required configurations are now in place. Let’s do some tests by initiating SSH connection from the client, and trying to connect to the router with the admin1 username which is located in the AD group LabAdmins:

As we can see, we have successfully logged into the router, and we have been straightaway placed into privilege level 15. We can verify that by looking at the # symbol or by using the command show privilege. We can also verify the connected username by using the command show users:

Finally, let’s look at RADIUS debugs and see what are the most relevant attributes for our SSH connection that have been exchanged between Router-01 and ISE:

This wraps up this Privilege Level 15 with Cisco ISE post. I hope you enjoyed it, and as always, I would love to hear your feedback. Thanks for reading!

Cisco Catalyst 2960 switch IOS recovery

Sometimes in my lab happens that students delete IOS of the switch from its flash. Unfortunately switches does not have rommon to realize quick IOS recovery over tftp. Only one way is over Xmodem.

Cat 2960 switchIOS recovery

To speed up the process of the recovery we may setup Xmodem speed to higher rate as default 9600 bits:

Set the speed rate to 115200 baud on the switch prompt of the switch:

switch: set BAUD 115200

Of course we lose our console session and therefore we need to restart it with the correct speed settings. Then  we may realize the recovery.

Enter copy command:

copy xmodem: flash:filename

for our Cat2960-24TTL:

switch:copy xmodem: flash:c2960-lanbasek9-mz.122-52.SE.bin
Begin the Xmodem or Xmodem-1K transfer now...
CCC

and start sending of the file over console Xmodem software.

Recovery over HyperTerminal

Choose Transfer > Send File.

ht

 

 

 

 

 

and than we choose as protocol the Xmodem and in filename click Browse and select the Cisco IOS image (.bin file) from the disk to be uploaded.

ht2

 

 

 

 

 

 

 

 

 

 


and click Send to send the file,

ht3

Recovery over Putty

Putty does not support Xmodem protocol, tears.

Final steps

To boot the new image that we just copied over with the Xmodem procedure issue the boot flash:filename command, as the example shows:

switch: boot flash:c2960-lanbasek9-mz.122-52.SE.bin

After the Xmodem recovery, we set the BAUD rate back to 9600. If the set BAUD 9600 command does not bring the baud rate to 9600,
issue the unset BAUD command in order to bring the baud rate to a default value of 9600 bps.

CONFIGURE SFTP – SSH RSA AUTHENTICATION

 

SFTP provides an alternative method for client authentication. It’s called SFTP public key
authentication. This method allows users to login to your SFTP service without entering a
password and is often employed for automated file transfers.

We will need to use SecureCRT to generate the RSA Private & Public keys. Private keys are
imported into client SFTP software for the connecting host and the Public key is imported
into the SFTP user directory on the FTP Server. You can also copy the Public Key directly into
the FTP server directory into the FTP user account. This will overall bind the FTP user to use
the RSA SSH Public key.

 

Generate and create Private & Public key using SecureCRT :

Use SecureCRT to create an RSA Private & Public key.

key1_200
key2_200
key3_200
key4_200
key5_200
You will have the choice of storing your public key in a file that matches the IETF standard format) or in the OpenSSH format. If you are connecting to an OpenSSH server, you may want to use the OpenSSH format to simplify the process involved with setting up the remote server with your public-key file. If you are connecting to a VShell server, you can use either format since VShell accepts them both. The format (Vandyke does not work with VShell and it has been tried and test. OpenSSH works well.

Untitled

Public– and Private-key files are placed in a local folder on the machine where the client application resides, usually with the filename “Identity“.

 

 

Using Filezilla Client to import the generated and save Private Key :

1. Goto file File, Click on “Site Manager”
2. Click on “New Site”
3. Fill these details :

Host : 192.168.0.1
Protocol : SFTP – SSH File Transfer Protocol
Logon Type : Key file
User : ftpuser
Key file : C:/Users/c_salmana\Documents\Identity

4. Click “OK” to save new site created.

FTPZilla-Site-ManagerFTPZilla-New Site

pk_prop_250

 

Server SFTP – VShell :

Configuring VShell Server to Recognize Your Public-Key File :

In order to use your public key you must transfer the public-key file created by the Key Generation
wizard to the individual user’s folder under the Publickey folder on the SSH2 server.

For example:

C:\Program files\VShell\Publickey\%User%\Identity.pub

NEXUS 5K – ENABLE LACP

 

NEXUS 5K – ENABLE LACP – SERVER NIC TEAM LOAD BALANCING using HP Config Utility

This configuration needs to go under “configure sync” in order for it to sync over to the HA Pair.
Run “show switch-profile status” in order to check for “Profile-Revision” and have configuration
put on the hardware with the highest revision no. If the lower revision no. HA pair is used it will
not be accepted and will not sync configuration over to other HA pair.

This configuration allows the two Ethernet1221/1/1Ethernet1222/1/1 ports where the server is
directly connected with 2 seperate Nics, in order to provide load balancing using the LACP
etherchanneling technology.

The server is using a HP Network Config utility in order to team the network adapters together and
is put in auto mode in order to detect the LACP off the nexus switches.

The feature here it uses is “802.3ad Dynamic with Fault Tolerance“.
The can be seen on the HP utility under statistics and the Speed/Duplex as well as calculated throughput.

 

configure sync
switch-profile OSYS
!
interface port-channel205
description DERRRESYNCBC04
switchport access vlan 704
spanning-tree port type edge
!
interface Ethernet121/1/1
switchport access vlan 704
spanning-tree port type edge
channel-group 205 mode active
!
interface Ethernet122/1/1
switchport access vlan 704
spanning-tree port type edge
channel-group 205 mode active
!
!
verify
commit
!
!

Diagnostics :

show port-channel summary

205   Po205(SU)   Eth      LACP      Eth121/1/1(P)  Eth122/1/1(P)

!

show interface Eth121/1/1

Ethernet121/1/1 is up
Hardware: 100/1000 Ethernet, address: d4a0.2aff.c0c2 (bia d4a0.2aff.c0c2)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec
  reliability 255/255, txload 1/255, rxload 1/255
!

show interface Eth122/1/1

Ethernet122/1/1 is up
  Hardware: 100/1000 Ethernet, address: 04da.d2d7.98c2 (bia 04da.d2d7.98c2)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec
  reliability 255/255, txload 1/255, rxload 1/255
!
!

show interface port-channel 205

port-channel205 is up
 vPC Status: Up, vPC number: 262348
  Hardware: Port-Channel, address: d4a0.2aff.c0c2 (bia d4a0.2aff.c0c2)
  Description: DERRRESYNCBC04
  MTU 1500 bytes, BW 2000000 Kbit, DLY 10 usec
  reliability 255/255, txload 1/255, rxload 1/255

 

HP Teaming Tool

 

Setting up NetFlow Lite on the 2960x Switch

Step 1: create a flow record

flow record flows
match datalink mac source address input
match datalink mac destination address input
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect transport tcp flags
collect interface input
collect flow sampler
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
!
!

Step 2: create a flow exporter

flow exporter export-to-inside
description flexible NF v9
destination 172.24.21.58
source Vlan98
transport udp 9996
template data timeout 60
!
!lets export some cool option templates
option interface-table
option exporter-stats
option sampler-table
!
!
!

Step 3: create a flow monitor

flow monitor nftest
record flows
exporter export-to-inside
cache timeout active 60
statistics packet protocol
!
!

Step 4 : Define a sampler :

sampler my-random-sampler
mode random 1 out-of 100
!
!

Step 5: Apply the flow monitor ‘nftest’ to each interface with the defined
sampler ‘my-random-sampler input” is for ingress

interface GigabitEthernet1/0/47
ip flow monitor nftest sampler my-random-sampler input
!
interface GigabitEthernet1/0/48
ip flow monitor nftest sampler my-random-sampler input
.
.

Diagnostics :

show flow exporter
show flow exporter export-to-inside statistics

Flow Exporter export-to-inside:
Packet send statistics (last cleared 00:13:03 ago):
Successfully sent: 0 (0 bytes)
Enqueued to process level: 18 (13924 bytes)

Client send statistics:
Client: Option options interface-table
Records added: 112
– sent: 112
Bytes added: 11200
– sent: 11200

Client: Option options exporter-statistics
Records added: 2
– sent: 2
Bytes added: 56
– sent: 56

Client: Option options sampler-table
Records added: 2
– sent: 2
Bytes added: 94
– sent: 94

Client: Flow Monitor nftest
Records added: 10
– sent: 10
Bytes added: 590
– sent: 590

How to resolve high CPU utilization on routers

These are common symptoms of high CPU utilization:

  • High percentages in the output of the show processes cpu commandIf you have the show processes cpu command output or a show tech-support command from enable mode, display potential issues and fixes from your Cisco device by referring to the Output Interpreter tool.
    .
  • Input queue drops
  • Slow performance

    .
    .

  • Services on the router fail to respond, for instance: 
    • Slow response in Telnet or unable to Telnet to the router.
    • Slow or no response to the ping command.
    • The router does not send routing updates.
  • If the router is being overloaded with traffic or the traffic not taking the optimal switching path through the router, the issue can also be caused by the Blaster and Nachi worms.
  •    You can see what are the processes shooting your CPU utilization using following command:
  • You can also check your CPU history in graphical pattern using “show processes cpu history”  command to see High CPU spike.

    .
    .

    Resolution

     

    To resolve this issue, determine the accessibility of the router by performing these steps:

    1. Determine if you are able to issue the show commands on the router. If so, start collecting more information immediately using these show commands.
    2. Determine if the router is inaccessible and if this problem is reproducible. If so, power-cycle the router. Before reproducing the problem, configure the scheduler interval 500 command; this schedules low priority processes to run every 500 ms. This provides time for you to run some commands, even if CPU usage is at 100 percent. On Cisco 7200 and Cisco 7500 series routers, issue the scheduler allocate 3000 1000 command.
    3. Determine if the router shows symptoms of high CPU utilization at brief and unpredictable intervals. If so, periodically collect the output of the show processes cpu command. This shows if the high CPU utilization is caused by interrupts or by a certain process. Use this UNIX script. Based on the first findings, modify the script to collect data needed for further investigation of the issue.

Configuring Cisco ASA for NetFlow Export via CLI

Configuring Cisco ASA for NetFlow Export via CLI

CISCO ASA UPGRADE FIRMWARE VIA USB :

To display the available file systems on your switch, use the show file systems privileged
EXEC command as shown in this example :

Switch# show file system

File Systems:
          Size(b)            Free(b)          Type         Flags        =Prefixes
* 8238202880   8052273152      disk            rw        disk0: flash:
   31440470016  31296831488    disk            rw        disk1:
               –                        –               network      rw        tftp:
              –                         –               opaque       rw         system:
              –                         –               network     ro          http:
              –                         –               network     ro          https:
              –                         –               network     rw         scp:
              –                         –               network     rw         ftp:
              –                         –               network     wo        cluster:
              –                         –               stub            ro         cluster_trace:
              –                         –               network     rw        smb:


Under 2nd line “31440470016  31296831488    disk            rw        disk1:

“if it say’s “Unknown“, this means the USB pen drive inserted is uncompatible or not formatted
to fat32 partition”.


To see the contents within the USB pen inserted into Cisco ASA hardware :

Run this command in exec mode :

dir disk1:

Directory of disk1:/

134 -rwx 89837568 10:32:20 Jan 09 2017 asa962-smp-k8.bin
135 -rwx 26053720 10:51:02 Jan 09 2017 asdm-762-150.bin


Here we see 2 firmware, 1 for the System and the 2nd is the ASDM. We will now begin the upload process :

Copy them both to flash:

copy disk1: flash:
Source filename []? asa962-smp-k8.bin
Destination filename [asa962-smp-k8.bin]?
Copy in progress…CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCC
Writing file disk0:/asa962-smp-k8.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
89837568 bytes copied in 28.170 secs (3208484 bytes/sec)


Follow the same procedure for
copying the ASDM file
.

Set the system firmware to bootup on every bootup or reload of hardware :

In “configuration t” mode : enters these commands :

boot system disk0:/asa962-smp-k8.bin

Now reboot device and lets check if we are running the upgraded firmwares :

In “exec” mode :


show version
:

Cisco Adaptive Security Appliance Software Version 9.6(2)

Compiled on Tue 23-Aug-16 18:42 PDT by builders
System image file is “disk0:/asa962-smp-k8.bin
Config file at boot was “startup-config”


Let’s check the ASDM version the firewall is running :

show asdm image
Device Manager image file, disk0:/asdm-713.bin

We see it is running the old firmware for the ASDM and has not loaded the upgraded one. We need to tell ASA to load the specific upgraded ASDM.

Here is the command to do so : In “User” mode :

asdm image disk0:/asdm-762-150.bin


Reboot ASA and check by running command :

show asdm image
Device Manager image file, disk0:/asdm-762-150.bin

 

All is complete.