Networking-Blog

My WordPress Blog

Categories

Configuring Cisco ASA for NetFlow Export via CLI

Configuring Cisco ASA for NetFlow Export via CLI

Over  the last few weeks I have taken a number of support calls from customers who were looking for
some assistance configuring their Cisco ASA. So I figured that I would take this opportunity to revisit
some older blog subjects.

In my opinion, the easiest way to get NSEL exporting from these security appliances is through the use
of the ASDM interface. This simple, GUI-based firewall management tool allows you to quickly configure
the Cisco ASA without having to use the cumbersome command-line interface.

And that brings me to the subject of this blog.

Configuring the Cisco ASA using the CLI is really not that much different that configuring NetFlow on
anyother router or switch. You define your timeout value, flow export destination, and which interface
is going to send the export. The difference is that you need to set up a service policy, and access rules that
allow the export. As well as define which events are going to get exported and where.

So let’s get started.

First we need to set up an ACL to catch all IP traffic – to specify the traffic you are interested in

(config)#access-list flow_export_acl extended permit ip any any

If you want to limit what gets logged, you can set ACL to log only events between certain hosts. And
optionally send those events to one collector appliance and log all other events to a second collector.

(config)#  access-list flow_export_acl permit ip host 210.165.200.2 host 210.165.201.3

Next we set up the destination server ip and template rate

(config)#  flow-export destination [interface name] [IP address] [port #]

(config)#  flow-export delay flow-create 15
(config)#  flow-export template timeout-rate 1

** If you are running FW version 8.4.5, you can now set an active flow timeout.
This creates a update event that sends a delta bit count for active conversations.

(config)#  flow-export active refresh-interval 60

Now we want to build the class-map for the flow that matches the ACL

(config)# class-map flow_export_class
(config-cmap)# match access-list flow_export_acl

OK, now it’s time to either add our flow_export_class to the default global policy-map, or build a
new export policy-map

Add to the default global policy-map   ** note – your global policy-map may have a different name
(ie. global-policy or global_policy)

(config)# policy-map global
(config-pmap)# class flow_export_class

And specify the event types that we will export and to where

(config-pmap-c)# flow-export event-type all destination [IP address]

Or, create a new export policy

(config)# policy-map flow_export_policy
(config-pmap)# class flow_export_class

And specify the event types that we will export and to where

(config-pmap-c)# flow-export event-type all destination [IP address]

We’re almost finished

Last thing that we need to do if we created a flow_export_policy, is apply the policy-map to whatever
global policy we have. Otherwise, skip this step and we will use the current global service-policy

(config)# service-policy flow_export_policy global

You can get information about what the ASA is doing in terms of the flow output by using the
following commands:

show flow-export counters

show service-policy global flow ip host [source IP] host [dest IP]

show access-list flow_export_acl

Now that wasn’t too bad, was it?

Cisco ASA
No comments yet.

(No tags)

by admin

CISCO ASA UPGRADE FIRMWARE VIA USB :

To display the available file systems on your switch, use the show file systems privileged
EXEC command as shown in this example :
Switch# show file system

File Systems:
          Size(b)            Free(b)          Type         Flags        =Prefixes
* 8238202880   8052273152      disk            rw        disk0: flash:
   31440470016  31296831488    disk            rw        disk1:
               –                        –               network      rw        tftp:
              –                         –               opaque       rw         system:
              –                         –               network     ro          http:
              –                         –               network     ro          https:
              –                         –               network     rw         scp:
              –                         –               network     rw         ftp:
              –                         –               network     wo        cluster:
              –                         –               stub            ro         cluster_trace:
              –                         –               network     rw        smb:


Under 2nd line “31440470016  31296831488    disk            rw        disk1:

“if it say’s “Unknown“, this means the USB pen drive inserted is uncompatible or not formatted
to fat32 partition”.


To see the contents within the USB pen inserted into Cisco ASA hardware :

Run this command in exec mode :

dir disk1:

Directory of disk1:/

134 -rwx 89837568 10:32:20 Jan 09 2017 asa962-smp-k8.bin
135 -rwx 26053720 10:51:02 Jan 09 2017 asdm-762-150.bin


Here we see 2 firmware, 1 for the System and the 2nd is the ASDM. We will now begin the upload process :

Copy them both to flash:

copy disk1: flash:
Source filename []? asa962-smp-k8.bin
Destination filename [asa962-smp-k8.bin]?
Copy in progress…CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCC
Writing file disk0:/asa962-smp-k8.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
89837568 bytes copied in 28.170 secs (3208484 bytes/sec)


Follow the same procedure for copying the ASDM file.

Set the system firmware to bootup on every bootup or reload of hardware :

In “configuration t” mode : enters these commands :

boot system disk0:/asa962-smp-k8.bin

Now reboot device and lets check if we are running the upgraded firmwares :

In “exec” mode :


show version :

Cisco Adaptive Security Appliance Software Version 9.6(2)

Compiled on Tue 23-Aug-16 18:42 PDT by builders
System image file is “disk0:/asa962-smp-k8.bin
Config file at boot was “startup-config”


Let’s check the ASDM version the firewall is running :

show asdm image
Device Manager image file, disk0:/asdm-713.bin

We see it is running the old firmware for the ASDM and has not loaded the upgraded one. We need to tell ASA to load the specific upgraded ASDM.

Here is the command to do so : In “User” mode :

asdm image disk0:/asdm-762-150.bin


Reboot ASA and check by running command :

show asdm image
Device Manager image file, disk0:/asdm-762-150.bin

 

All is complete.

 

 

 

Cisco ASA
No comments yet.

(No tags)

by admin

Network Security Blocks

On Cisco Pix and ASA Firewalls, there are many different ways to block / drop traffic.

The most obvious way would be to create an Access Control List (ACLs) to block traffic from a specific ip address. This method can be particularly useful as you would be able to control which ip addresses you want to traverse your network.

Another key method to drop any connections already created would be by using the shun command. This is a fantastic command which will help to combat any security threats immediately.  Using this, you can drop traffic for tcp, udp or all protocols. See example below:

For this example I will use the IP address 5.5.5.5 as a threat which needs to be dropped immediately. I will show you a method for dropping specific tcp traffic to 6.6.6.6 followed by dropping any form of traffic to any destination.

 

Example 1: shun 5.5.5.5 6.6.6.6 3389 tcp

 

This will drop all tcp 3389 connections from 5.5.5.5 to 6.6.6.6 only. To further this, you could be vague and not specify  the port, as below:

 

Example 2: shun 5.5.5.5 6.6.6.6 tcp

 

This will drop all tcp connections from 5.5.5.5 to 6.6.6.6 only.

Example 3 shows how you could utilise this to drop all traffic from 5.5.5.5. This is irrelevant of protocol or destination.

Example 3: shun 5.5.5.5

 

The reverse / back out of any of the above commands would be to simply place a “no” at the front.

Hope you find this useful!

Cisco ASA
1 comment

(No tags)

by admin

ASA – REDIRECT PORT TRANSLATION – V8.4

Source port translation from external tcp 3390 to internal tcp 3389 :

It appears when connecting to RDP on 3390, it will hit the Nat rule first which will translate it from 3390 to 3389, from here it will hit the ACL rule “OUTSIDE_access_in” on incoming translation destination port of tcp 3389.

So in theory the tcp 3389 will need to be configured as below on the OUTSIDE firewall rule-set as coming in from the internet.

 

Network Object :

object network RDP_SERVER_20.4
nat (MEDIA,OUTSIDE) static interface service tcp 3389 3390


Service Object :

object-group service RDP_SERVER_20.4_tcp_in tcp
port-object eq 3389
!
OUTSIDE Access in :
access-list OUTSIDE_access_in extended permit tcp any object RDP_SERVER_20.4 object-group RDP_SERVER_20.4_tcp_in
!

Cisco ASA
No comments yet.

(No tags)

by admin

Using Just a Cisco ASA to Block Specific Websites

Block URLs using REGEX’s


object network CDS_Guest_BT_IP
description CHG0044382
host 86.162.16.160
!

! Define the websites we wish to block :
regex REG-URL2 “connect.o-sys.com/lp/CDS_Indy”
regex REG-URL3 “connect.o-sys.com/lp/CDS_Houston”
regex REG-URL4 “connect.o-sys.com/lp/BP”
!

! Set a class to match if the header has any of the URLs in it :
class-map type inspect http match-any CM-BLOCK-URL
match request header host regex REG-URL2
match request header host regex REG-URL3
match request header host regex REG-URL4

! Identify the ACL that will be subject to this inspection
access-list ACL-HTTP-INSPECT extended deny tcp object CDS_Guest_BT_IP object any eq http

! Set a class to match :
class-map CM-BLOCK-HTTP
match access-list ACL-HTTP-INSPECT

! Create a policy map to drop the connection if it matches the class map :
policy-map type inspect http PM-BLOCK-URL
parameters
class CM-BLOCK-URL
drop-connection log

! Apply the policy
policy-map global_policy
class CM-BLOCK-HTTP
inspect http PM-BLOCK-URL

! service-policy global_policy global
! Identify the 1 URL that will be permitted in :
regex REG-URL1 “connect.o-sys.com/lp/CDS”

! Create a class map to pass or permit the traffic if the URL isnt ANY of the regex’s
class-map type inspect http match-all CM-ALLOWED-URLS
match not request header host regex REG-URL1

! Identify the ACL that will be subject to this inspection
access-list ACL-HTTP-INSPECT extended permit tcp object CDS_Guest_BT_IP object any eq http

! Set a class to match :
class-map CM-ALLOW-HTTP
match access-list ACL-HTTP-INSPECT

! Create the policy map to drop any packets that passed the class map
policy-map type inspect http PM-ALLOW-HTTP
parameters
class CM-ALLOWED-URLS
drop-connection log

! Apply the Policy
policy-map global_policy
class CM-ALLOW-HTTP
inspect http PM-ALLOW-HTTP

! service-policy global_policy global

Cisco ASA
No comments yet.

(No tags)

by admin

Cisco ASA Multiple Context Mode – Configuring Virtual Firewalls on Same Chassis

A single Cisco ASA appliance can be partitioned into multiple virtual firewalls known also as
“Security Contexts”. Each security context acts as a separate firewall with its own security policy,
interfaces and configuration. However, some features are not available for virtual firewalls,
such as IPSEC and SSL VPN, Dynamic Routing Protocols, Multicast and Threat Detection.

Each security context that you create on the appliance includes its own configuration file
(filename.cfg) stored on local flash memory. This configuration file contains the security policy,
the included interfaces and the virtual firewall configuration of the specific security context.

By default, an admin context is always created having a configuration file “admin.cfg.
This is just like any other security context except that when a user logs in the admin context
then he has full administrator access to all other security contexts.

When you convert the appliance from single context mode to multiple context mode
(using the command “mode multiple“) the firewall converts the current running configuration
into two files: a new startup configuration that comprises the system configuration, and “admin.cfg
that comprises the admin context (stored in the root directory of the internal Flash memory).

The original running configuration is saved as “old_running.cfg” (in the root directory of the
internal Flash memory).


Configuring Security Contexts

! Enable multiple context mode
ASA(config)# mode multiple

! Then reboot the appliance.

! Configure the administrator context
ASA(config)# admin-context administrator
ASA(config)# context administrator
ASA(config-ctx)# allocate-interface gigabitethernet0/1.10
ASA(config-ctx)# allocate-interface gigabitethernet0/1.11
ASA(config-ctx)# config-url flash:/admin.cfg

 

! Configure other contexts as required
ASA(config)# context customerA
ASA(config-ctx)# allocate-interface gigabitethernet0/2.100
ASA(config-ctx)# allocate-interface gigabitethernet0/2.200
ASA(config-ctx)# config-url flash:/customerA.cfg

! Configure other contexts as required
ASA(config)# context customerB
ASA(config-ctx)# allocate-interface gigabitethernet0/2.111
ASA(config-ctx)# allocate-interface gigabitethernet0/2.222
ASA(config-ctx)# config-url flash:/customerB.cfg

 

To change between the system execution space and a context, or between contexts, see the following commands:

! To change to a context named CustomerA, enter the following command:
ASA# changeto context CustomerA

! The prompt changes to the following:
ASA/CustomerA#

! To change back to the system execution space, enter the following command:
ASA/CustomerA# changeto system

! The prompt changes to the following:
ASA#

 

Summary adding a Context :

System context 5580:

changeto context system

context CONTEXT1
allocate-interface GigabitEthernet7/1

changeto context CONTEXT1

interface GigabitEthernet7/1
description Voice Hosting
nameif Voice
security-level 10
ip address #.#.#.# 255.255.255.252

access-list Voice_access_in extended permit ip any any
!
mtu Staging_Voice_Hosting 1500
!
access-group Voice_access_in in interface Voice
!
route inside #.#.#.# 255.255.255.0 #.#.#.# 1

 

 

Cisco ASA
No comments yet.

(No tags)

by admin

Cisco ASA NAT Conversion Tool

Do you need to convert ASA 8.2 and under code to the new ASA 8.3+ code? The NAT statements are entirely different in the new code. During the upgrade the ASA will try to convert it automatically but this is worthless because it does a horrible job at it. Cisco recommends using auto NAT. This is also bad advice to use Auto NAT because it makes extremly ugly and hard to manage code. This conversion tool will convert your NAT statements to the easist to read and manage code.

Preparing your code

Gather the output from the following commands in your old ASA code:

show run global
show run nat
show run static

If there are any related ACLs in the NAT statements get that configuration also by doing:

show run access-list | include [ACL-NAME]

Paste the output from the commands above into the text area and click convert. You should examine the results to verify the config is accurate.

Privacy Note: None of the data entered into the text area is uploaded to a server. All of the work of this tool is done on the client side. This means it’s safe to enter sensitive data without worrying about it traveling over the internet. You can even connect to this webpage, disconnect from internet and still use the conversion tool without any difference in functionality.

Examples

Static NAT Examples:
static (INSIDE,OUTISDE) 55.55.55.2 192.168.1.2 netmask 255.255.255.255
static (DMZ,OUTSIDE) tcp interface 8080 172.16.0.10 www netmask 255.255.255.255
static (INSIDE,DMZ) 10.10.10.0 172.16.10.0 netmask 255.255.255.0 dns
static (INSIDE,DMZ) 192.168.100.49 172.24.2.49 netmask 255.255.255.255 tcp 255 2000
static (INSIDE,EXT) 172.16.25.25 access-list ACL-NAT2
access-list ACL-NAT2 extended permit ip 192.168.29.0 255.255.255.0 host 10.1.25.205

*New* Global+NAT Example:
nat (INSIDE) 1 10.0.0.0 255.255.255.0
global (OUTSIDE) 1 interface
nat (INSIDE) 2 access-list ACL-NAT3
global (OUTSIDE) 2 22.22.22.128 netmask 255.255.255.128
access-list ACL-NAT3 standard permit host 33.33.33.33

*New* NAT Zero+ACL Example:
nat (INSIDE) 0 access-list ACL-NONAT
access-list ACL-NONAT extended permit ip 192.168.5.0 255.255.255.0 host 172.16.200.205
access-list ACL-NONAT extended permit ip any host 172.16.200.203

Input ASA 8.2 NAT statements


Results

 

Next Steps

Did you use the tool and was it helpful at all? Did it save you any time at all? Please either donate to the site to show your thanks or comment below to tell me how it worked or what to improve upon. Thanks!

Cisco ASA
No comments yet.

(No tags)

by admin

ASA – STATIC NAT DESTINATION TO SOURCE TRANSLATION

From a 3rd Party company there is a Fibre link terminating into interface
GigabitEthernet0/2 – RR_VLAB – 192.168.#.100/24.

The IP Address of the 3rd party is 192.168.#.5/24

The 3rd Party is connecting to network 192.168.#.100/24 on interface
GigabitEthernet0/2 – RR_VLAB to interface
GigabitEthernet0/3 – DMZ_QUICK – 10.0.#.1/24 to access the server 0n IP 10.0.#.2

The 3rd Party is coming into network on interface GigabitEthernet0/2 using these IP Network
addresses :

10.121.67.64 255.255.255.192
10.253.119.251 255.255.255.255
160.50.100.0 255.255.255.0

We need to translate the incoming network address from the 3rd party to a private routable address from
within the network within the RR_VLAB interface network address.

All traffic from the 3rd party to get to the server on the internal network on IP 10.0.#.2 will have their
destination address NaTed to 192.168.#.101 and further translated to IP 10.0.#.2 of the internal server.

Here is the ASA Configuration :
interface GigabitEthernet0/3
 nameif DMZ_QUICK
 security-level 30
 ip address 10.0.#.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif RR_VLAB
 security-level 10
 ip address 192.168.#.100 255.255.255.0
!

Static Nat Translation :
static (DMZ_QUICK,RR_VLAB) 192.168.#.101 10.0.#.2 netmask 255.255.255.255
!

Routing Table :
S    10.121.67.64 255.255.255.192 [1/0] via 192.168.#.5, RR_VLAB
S    10.253.119.251 255.255.255.255 [1/0] via 192.168.#.5, RR_VLAB
S    160.50.100.0 255.255.255.0 [1/0] via 192.168.#.5, RR_VLAB
C    192.168.#.0 255.255.255.0 is directly connected, RR_VLAB

 

Note : No reverse static NAT translation is configured here. This only applies to 1 way traffic.

 

 

Cisco ASA
No comments yet.

(No tags)

by admin

ASA 5525 – SSM SFP MODULE NOT DISPLAYING IN CLI- ASA-IC-4GE-SFP-A

 

Here is the Cisco TAC link explaining this bug on older firmware releases.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux97494/?referring_site=bugquickviewredir

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuj60109/?reffering_site=dumpcr


show inventory
show controller
show hardware
show module

Unfortunately, these commands doesn’t show installed SFPs on module.
The TAC answer was: “This option (show installed transceivers on ASA-IC-4GE-SFP-A) doesn’t support thru CLI”.

The solution is to upgrade firmware.

 

Cisco ASA
No comments yet.

(No tags)

by admin

How do you throttle Dropbox Traffic? 

object-group network DROPBOX_AS19679
 network-object 108.160.160.0 255.255.240.0
 network-object 199.47.216.0 255.255.252.0

!

access-list ACL_Dropbox extended permit ip object-group Inside object-group DROPBOX_AS19679
access-list ACL_Dropbox extended permit ip object-group DROPBOX_AS19679 object-group Inside
!

You would also need to define an object-group for your “Inside” address blocks

class-map Class_Dropbox
 match access-list ACL_Dropbox
!
policy-map Policy_Police
 class Class_Dropbox
  police input 384000
  police output 384000
 class class-default
!
service-policy Policy_Police interface INSIDE
Cisco ASA
2 comments

(No tags)

by admin