See that some traffic actually gets redirected to the module.
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class global-class
csc fail-open

Class-map: global-class
CSC: packet sent 324010194
CSC: packet received 359600712

Getting details from the Service Module, please wait…
ASA 5500 Series Content Security Services Module-10
Model: ASA-SSM-CSC-10-K9
Hardware version: 1.0
Serial Number: JAF777777
Firmware version: 1.0(11)5
Software version: CSC SSM 6.3.1172.4
MAC Address Range: c333.7333.b333 to c333.7333.b333
App. name: CSC SSM
App. Status: Up
App. Status Desc: CSC SSM scan services are available
App. version: 6.3.1172.4
Data plane Status: Up
Status: Up
HTTP Service: Up
Mail Service: Up
FTP Service: Up
Activated: Yes
Mgmt IP addr: 192.168.21.119
Mgmt web port: 8443

Mod Card Type Model Serial No.
— ——————————————– —————— ———–
0 ASA 5510 Adaptive Security Appliance ASA5510 JMX333333
1 ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-10-K9 JAF333333

Mod MAC Address Range Hw Version Fw Version Sw Version
— ——————————— ———— ———— —————
0 3333.3333.3333 to 3333.3333.3333 2.0 1.0(11)5 8.2(3)
1 3333.3333.3333 to 3333.3333.3333 1.0 1.0(11)5 CSC SSM 6.3.1172.4

Mod SSM Application Name Status SSM Application Version
— —————————— —————- ————————–
1 CSC SSM Up 6.3.1172.4

Mod Status Data Plane Status Compatibility
— —————— ——————— ————-
0 Up Sys Not Applicable
1 Up Up

- Now let’s enter the module itself

Opening command session with slot 1.
Connected to slot 1. Escape character sequence is ‘CTRL-^X’.

login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.
Trend Micro InterScan for Cisco CSC SSM Setup Main Menu
———————————————————————

1. Network Settings
2. Date/Time Settings
3. Product Information
4. Service Status
5. Password Management
6. Restore Factory Default Settings
7. Troubleshooting Tools
8. Reset Management Port Access Control List
9. Ping
10. Exit …

Enter a number from [1-10]:

- Are all services are actually running ?
Enter a number from [1-10]: 4

Service Status
———————————————————————

The CSC SSM RegServer service is running
The CSC SSM URLFD service is running
The CSC SSM ScanServer service is running
The CSC SSM HTTP service is running
The CSC SSM FTP service is running
The CSC SSM Notification service is running
The CSC SSM Mail service is running
The CSC SSM GUI service is running
The CSC SSM SysMonitor service is running
The CSC SSM Failoverd service is running
The CSC SSM LogServer service is running
The CSC SSM SyslogAdaptor service is running
The CSC SSM Syslog-ng service is running
The CSC SSM TMCM-Agent service is not enabled
- Troubleshooting information is rather overwhelming

Enter a number from [1-7]: 2

Troubleshooting Tools – Show System Information
———————————————————————

1. Show System Information on Screen
2. Upload System Information
3. Return to Troubleshooting Tools Menu

Enter a number [1-3]: 1
++++++++++++++++++++++
Thu Feb 17 08:04:17 IST 2011 (2)

System is : Up

#@ Product Information
Trend Micro InterScan for Cisco CSC SSM
Version: 6.3.1172.4
Upgrade History: 6.3.1172.4
Engineering Build:
SSM Model: SSM-10
SSM S/N: JAF7777777

#@ Scan Engine and Pattern Information
Virus Scan Engine: 9.2.1012 (Updated: 2010-10-14 07:51:11)
Virus Pattern: 7.841.00 (Updated: 2011-02-17 05:51:23)
Spyware/Grayware Pattern: 1.151.00 (Updated: 2011-02-17 06:51:20)
AntiSpam Engine: 6.5.1024 (Updated: 2010-10-14 07:51:54)
AntiSpam Rule: 17960 (Updated: 2011-02-16 16:53:55)
IntelliTrap Pattern: 0.151.00 (Updated: 2011-02-01 09:07:20)
IntelliTrap Exception Pattern: 0.631.00 (Updated: 2011-02-15 08:51:15)

#@ License Information
Product:Base License
License profile host info check OK.
Version:Standard
Activation Code:PX-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Seats:000100
Status:Activated
Expiration date:10/6/2011
Product:Plus License
License profile host info check OK.
Version:Standard
Activation Code:PX-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Status:Activated
Expiration date:10/6/2011

Daily Node Count: 221
Current Node Count: 85

#@ Kernel Information
Linux ssm 2.6.17.8 #13 PREEMPT Fri Nov 6 06:32:00 PST 2009 i686 unknown

ASDP Driver 1.1(0) is UP:
Total Connection Records: 159623
Connection Records in Use: 156
Free Connection Records: 159467

—— Shared Memory Segments ——–
key shmid owner perms bytes nattch status
0×00003186 4653056 root 666 2621440 1
0×00000000 4456449 root 600 16 2 dest
0×00000000 4620290 root 600 1000000 1 dest
0×00000000 4685827 root 600 1048576 1 dest
0×00000000 4718596 root 600 1048576 1 dest
0×00000000 4325381 isvw 600 24632 22 dest

—— Semaphore Arrays ——–
key semid owner perms nsems
0x000207fb 0 root 777 2
0×00020823 32769 root 777 2
0×00020802 65538 root 777 2
0x000207db 98307 root 777 2
0x00020fa1 131076 root 777 2
0x9abbcf71 1277957 root 660 2
0x325cb3f2 1310726 root 660 2
0x000207d3 229383 root 777 2
0x9abbceae 262152 root 660 2
0x001503cf 327689 root 777 2
0x929c6e9c 360458 isvw 660 2
0x0012040e 393227 isvw 777 2
0x000e039b 425996 isvw 777 2
0×00020863 458765 isvw 777 2
0x00020fe4 1048590 root 777 2

—— Message Queues ——–
key msqid owner perms used-bytes messages

#@ Disk Information
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/hda2 223843 166878 45407 79% /mnt/rw
/dev/hda2 223843 166878 45407 79% /dev
/dev/hda2 223843 166878 45407 79% /etc
/dev/hda2 223843 166878 45407 79% /home
/dev/hda2 223843 166878 45407 79% /lib/modules
/dev/hda2 223843 166878 45407 79% /opt
none 256000 0 256000 0% /opt/trend/isvw/temp
none 50176 22844 27332 46% /opt/trend/isvw/log
none 4096 0 4096 0% /opt/trend/isvw/quarantine
none 5120 0 5120 0% /opt/trend/isvw/queue
none 103424 4912 98512 5% /opt/trend/isvw/tmpfs
none 101376 18032 83344 18% /opt/trend/isvw/lib/mail/cache
none 100352 0 100352 0% /coredump
none 8192 180 8012 2% /var
/dev/boot 19067 8401 9682 46% /boot
none 205824 40 205784 0% /tmp
Filesystem Inodes Used Available Use% Mounted on
/dev/hda2 58000 2503 55497 4% /mnt/rw
/dev/hda2 58000 2503 55497 4% /dev
/dev/hda2 58000 2503 55497 4% /etc
/dev/hda2 58000 2503 55497 4% /home
/dev/hda2 58000 2503 55497 4% /lib/modules
/dev/hda2 58000 2503 55497 4% /opt
none 126902 5 126897 0% /opt/trend/isvw/temp
none 126902 36 126866 0% /opt/trend/isvw/log
none 126902 9 126893 0% /opt/trend/isvw/quarantine
none 126902 11 126891 0% /opt/trend/isvw/queue
none 126902 58 126844 0% /opt/trend/isvw/tmpfs
none 126902 21 126881 0% /opt/trend/isvw/lib/mail/cache
none 126902 1 126901 0% /coredump
none 126902 71 126831 0% /var
/dev/boot 4944 25 4919 1% /boot
none 126902 12 126890 0% /tmp

# Detail file listing:

#@ File Descriptor Information
file: 829 0 98926
inode: 7949 0

#@ Memory Information
# Detail (meminfo):
MemTotal: 1015216 kB
MemFree: 451272 kB
Buffers: 12344 kB
Cached: 233652 kB
SwapCached: 0 kB
Active: 421388 kB
Inactive: 113212 kB
HighTotal: 131072 kB
HighFree: 240 kB
LowTotal: 884144 kB
LowFree: 451032 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 24 kB
Writeback: 0 kB
Mapped: 318252 kB
Slab: 22296 kB
CommitLimit: 507608 kB
Committed_AS: 2035636 kB
PageTables: 3396 kB
VmallocTotal: 114680 kB
VmallocUsed: 1812 kB
VmallocChunk: 112736 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
Hugepagesize: 4096 kB

# Reported to ASDM:
mem_unknown=61440
mem_cached=233644
mem_total=1015216
mem_est_free=591156
mem_buffers=12344
mem_free=452608
mem_used=424060
mem_tmpfs=46000

#@ Process Information
top – 08:04:18 up 8 days, 11:49, 1 user, load average: 0.08, 0.07, 0.03
Tasks: 68 total, 2 running, 65 sleeping, 0 stopped, 1 zombie
Cpu(s): 0.5%us, 1.9%sy, 2.2%ni, 93.5%id, 0.1%wa, 0.0%hi, 1.8%si, 0.0%st
Mem: 1015216k total, 563944k used, 451272k free, 12344k buffers
Swap: 0k total, 0k used, 0k free, 233652k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
10541 root 20 5 697m 85m 5528 S 11.8 8.7 1:02.42 iwss-process
8125 isvw 16 0 2992 1276 1108 S 3.9 0.1 74:01.21 sysmonitor
1 root 16 0 2364 520 444 S 0.0 0.1 0:01.28 init
2 root 34 19 0 0 0 R 0.0 0.0 0:01.34 ksoftirqd/0
3 root 10 -5 0 0 0 S 0.0 0.0 0:00.11 events/0
4 root 10 -5 0 0 0 S 0.0 0.0 0:00.01 khelper
5 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 kthread
7 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 kblockd/0
8 root 20 -5 0 0 0 S 0.0 0.0 0:00.00 kseriod
67 root 15 0 0 0 0 S 0.0 0.0 0:00.00 pdflush
69 root 25 0 0 0 0 S 0.0 0.0 0:00.00 kswapd0
70 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 aio/0
205 root 11 -5 0 0 0 S 0.0 0.0 0:10.24 kjournald
7718 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 kjournald
7965 root 23 5 11244 5524 1164 S 0.0 0.5 0:00.39 urlfd
7967 isvw 16 0 26060 3596 2024 S 0.0 0.4 0:30.17 regserver
8040 root 16 0 2364 572 484 S 0.0 0.1 0:00.17 crond
8066 root 16 0 2372 588 504 S 0.0 0.1 0:00.01 getty
8069 root 17 0 2368 584 504 S 0.0 0.1 0:00.00 getty
8072 root 16 0 2368 588 508 S 0.0 0.1 0:00.00 getty
8077 root 16 0 2368 596 508 S 0.0 0.1 0:00.00 klogd
8078 root 0 -20 52456 1316 1056 S 0.0 0.1 0:15.75 servmod
8079 root 16 0 2080 988 824 S 0.0 0.1 0:00.02 bash
8118 root 16 0 2048 952 820 S 0.0 0.1 0:00.00 issyslog
8124 root 16 0 2368 716 596 S 0.0 0.1 0:03.36 top2ini
8127 root 21 0 3764 1396 1200 S 0.0 0.1 0:00.20 sshd
8128 root 15 0 2368 564 476 S 0.0 0.1 0:08.42 telnetd
8143 root 16 0 3144 1440 1092 S 0.0 0.1 0:01.23 issyslog.exe
8147 root 16 0 1652 528 444 S 0.0 0.1 0:00.20 vmstat
8213 root 16 0 9448 1132 932 S 0.0 0.1 0:00.13 failoverd
8237 root 15 0 1760 764 588 S 0.0 0.1 0:00.15 syslog-ng
8262 isvw 21 0 383m 112m 17m S 0.0 11.3 1:15.03 java
10404 isvw 16 0 0 0 0 Z 0.0 0.0 0:00.00 cat
23838 root 16 0 13564 2256 1832 S 0.0 0.2 0:00.02 isdelvd
23975 root 20 5 52700 35m 6132 S 0.0 3.6 0:08.88 imssd
24041 root 20 5 52700 32m 3024 S 0.0 3.3 0:00.04 imssd
24042 isvw 20 5 53280 35m 5644 S 0.0 3.6 0:00.77 imssd
24043 isvw 20 5 53216 35m 5680 S 0.0 3.6 0:00.74 imssd
24044 isvw 20 5 53152 35m 5564 S 0.0 3.6 0:00.69 imssd
24045 isvw 20 5 53332 35m 5708 S 0.0 3.6 0:00.95 imssd
24046 isvw 20 5 53244 35m 5728 S 0.0 3.6 0:01.09 imssd
24047 isvw 20 5 53280 35m 5672 S 0.0 3.6 0:01.02 imssd
24048 isvw 20 5 53152 35m 5636 S 0.0 3.6 0:00.69 imssd
24049 isvw 20 5 53280 35m 5672 S 0.0 3.6 0:01.15 imssd
24050 isvw 20 5 53152 35m 5636 S 0.0 3.6 0:00.94 imssd
24051 isvw 20 5 53152 35m 5608 S 0.0 3.6 0:00.77 imssd
24052 isvw 20 5 53328 35m 5716 S 0.0 3.6 0:01.06 imssd
24053 isvw 20 5 53152 35m 5680 S 0.0 3.6 0:01.03 imssd
24054 isvw 20 5 53244 35m 5720 S 0.0 3.6 0:00.93 imssd
24055 isvw 20 5 53292 35m 5624 S 0.0 3.6 0:00.76 imssd
24056 isvw 20 5 53252 35m 5684 S 0.0 3.6 0:00.79 imssd
24057 isvw 20 5 53284 35m 5736 S 0.0 3.6 0:00.83 imssd
24058 isvw 20 5 53152 35m 5608 S 0.0 3.6 0:00.69 imssd
24059 isvw 20 5 53152 35m 5640 S 0.0 3.6 0:00.87 imssd
24060 isvw 20 5 53292 35m 5624 S 0.0 3.6 0:00.84 imssd
24061 isvw 20 5 53152 35m 5616 S 0.0 3.6 0:00.97 imssd
25989 isvw 25 0 7676 1432 928 S 0.0 0.1 0:00.01 tmlogserv
8575 root 21 5 22812 2776 2312 S 0.0 0.3 0:00.00 isftpd
8585 root 21 5 35308 3360 2580 S 0.0 0.3 0:00.66 isftpd
10351 root 15 0 0 0 0 S 0.0 0.0 0:00.00 pdflush
10476 root 20 5 53824 48m 3804 S 0.0 4.9 0:01.63 scanserver
12539 root 15 0 2072 928 676 S 0.0 0.1 0:00.00 login
12569 root 16 0 2912 1884 868 S 0.0 0.2 0:00.82 setup.bin
14363 root 16 0 2212 1128 832 S 0.0 0.1 0:00.00 sh
14364 root 16 0 2368 452 380 S 0.0 0.0 0:00.00 more
14365 root 24 0 2268 752 400 S 0.0 0.1 0:00.00 sh
14491 root 24 0 2268 692 340 S 0.0 0.1 0:00.00 sh
14492 root 21 0 1992 836 652 R 0.0 0.1 0:00.00 top

#@ Hardware Information
SSM-IPS10-K9
field 0×00 type 0×0040 CONTROLLER TYPE 1177
field 0×01 type 0×0041 HW REV 1.0
field 0×02 type 0x00CB PID ASA-SSM-CSC-10-K9
field 0×03 type 0×0089 VID V02
field 0×04 type 0×0087 TOP 68 LEVEL PN 22-444-02
field 0×05 type 0×0082 PCB 73 LEVEL PN 22-444-02
field 0×06 type 0×0042 PCB REV 65.48
field 0×07 type 0x00C1 PCB SN JAF7777777
field 0×08 type 0x00C2 CHASSIS SN JAF7777777
field 0×09 type 0×0088 NEW DEVIATION NUM 00000000
field 0x0A type 0x00C4 MFG TEST INFO 0000000000000000
field 0x0B type 0×0081 RMA NUM 00000000
field 0x0C type 0×0004 RMA HIST INFO 00
field 0x0D type 0x00C6 CLEI CODES COUCAB5CAB
field 0x0E type 0x00DA DESC ASA 5500 Series Content Security Services Module-10
field 0x0F type 0x00C3 CHASSIS MAC ADDR C8:4C:33:33:33:03
field 0×10 type 0×0043 MAC ADDR_BLK SZ 1
field 0×11 type 0x008C UNKNOWN TYPE 01000B05

#@ Ethernet Interface Information
cisco_asd Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP MTU:1496 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

dummy0 Link encap:Ethernet HWaddr 0E:66:36:3C:B8:59
BROADCAST NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth0 Link encap:Ethernet HWaddr 00:00:00:02:00:02
UP BROADCAST RUNNING MULTICAST MTU:1796 Metric:1
RX packets:219824061 errors:0 dropped:0 overruns:0 frame:0
TX packets:239771533 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2266716309 (2.1 GiB) TX bytes:2448412682 (2.2 GiB)
Base address:0xcc00 Memory:f8100000-f8120000

eth1 Link encap:Ethernet HWaddr C8:4C:33:33:33:03
inet addr:192.168.21.119 Bcast:192.168.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7022387 errors:0 dropped:0 overruns:0 frame:0
TX packets:2435439 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1155121379 (1.0 GiB) TX bytes:510057499 (486.4 MiB)
Base address:0xbc00 Memory:f8200000-f8220000

eth2 Link encap:Ethernet HWaddr 00:00:00:02:00:01
inet addr:127.0.2.1 Bcast:127.0.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:757828 errors:0 dropped:0 overruns:0 frame:0
TX packets:196896 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:84163835 (80.2 MiB) TX bytes:18269211 (17.4 MiB)
Interrupt:169 Memory:f8300000-f8300fff

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.255.255.255
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:116078 errors:0 dropped:0 overruns:0 frame:0
TX packets:116078 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14822499 (14.1 MiB) TX bytes:14822499 (14.1 MiB)

#@ Connection Information
sockets: used 271
TCP: inuse 231 orphan 2 tw 395 alloc 233 mem 40
UDP: inuse 2
RAW: inuse 0
FRAG: inuse 0 memory 0

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:5060 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1812 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:65014 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN
udp 0 0 127.0.0.1:32792 0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 11391777 /var/run/isvw/sshttp.sock
unix 2 [ ACC ] STREAM LISTENING 11391785 /var/run/isvw/ssptnupdt.sock
unix 2 [ ACC ] STREAM LISTENING 11391778 /var/run/isvw/ssftp.sock
unix 2 [ ACC ] STREAM LISTENING 11391779 /var/run/isvw/sssmtp.sock
unix 2 [ ACC ] STREAM LISTENING 11391780 /var/run/isvw/sspop3.sock
unix 2 [ ACC ] STREAM LISTENING 11391781 /var/run/isvw/ssfiletype.sock
unix 2 [ ACC ] STREAM LISTENING 11253560 /dev/log
unix 3 [ ACC ] STREAM LISTENING 2257 /var/run/log.sock
unix 2 [ ACC ] STREAM LISTENING 2259 /var/run/log.sock2
unix 2 [ ACC ] STREAM LISTENING 1530 /var/run/urlf.sock

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 209.26.19.126:80 192.168.1.31:42573 TIME_WAIT
tcp 0 0 194.18.243.10:80 192.168.2.54:4818 FIN_WAIT2
tcp 0 0 134.11.14.127:80 192.168.1.125:3274 TIME_WAIT
tcp 0 0 150.127.24.146:80 192.168.2.54:4840 FIN_WAIT2

References:
Product data sheet – CSC module datasheet

And about error message – it is a known bug that will be fixed in the next release of the firmware for the module . Still, I opened the ticket with TAC and they provided interim patch to take care of this restartin gLogServer service. Also , they (Cisco) say it is harmless bug not causing any outage.

I started a new blog about preparing/thinking/sweating/labbing for/about/for/in Cisco CCIE Security Lab exam. You are welcome to read it here : ccie-security-blog.com. The first post is titled “Tips on how to fail your CCIE Security Lab exam” and summarizes my first attempt I took in November in Brussels.

Also it inevitable means I will post less and less here , about Checkpoint, so bear with me until I attain this coveted badge, CCIE Security Expert.

Cheers,

Happy New Year everyone!

Case 1. Cisco IOS router acting as Ezvpn server , users are authenticated locally by the router. Let’s name it – group is JUNIPER , and the local user is John.Chambers and we want to confine this user to this group for ever.
Enable group locking for specific group (don’t forget to do the same for all VPN groups)

Now restrict user to be able to use this group only. For that you have to reconfigure user to look like username followed by delimeter (that can be any of @, %, /, \) and then group name , to be concrete

from now on user John.Chambers will be able to authenticate with Cisco only using John.Chambers@JUNIPER . It overrides any user for VPN connection that already exists, that is if there is already user John.Chambers it will not be able to connect with the group JUNIPER . On the other hand anyone getting PSK of the VPN group JUNIPER will fail authentication if the user is not explicitly reconfigured in the new format.
Case 2 . Cisco IOS router users are authenticated using external Radius server. Unlike local authentication, with Radius you create the user as usual – John.Chambers but then assign it in the Settings cisco-av-pair attribute called user-vpn-group, like this:
ipsec:user-vpn-group=JUNIPER
Case 3.ASA Local username authentication.
No fancy username/group configuration here, you just lock username to a group under general attributes of the user.

Case 4. ASA Radius authentication .
Here also the VPn group is forced for the user settings using the following attribute:
[3076\085] Tunnel-Group-Lock JUNIPER

Now define with access-list what traffic to inspect, you may use specific IPs or just general SNMP ports – udp 161 and 162:

Bind ACL to class-map:

Use the class-map in policy map with enabling snmp-map inspection :

And finally apply the policy map on some interface

As you already know this setup will exchange community strings in clear text and also no packet is cryptographically authenticated/verified. What a shame for “Adaptive Security Appliance” . The fix is on the way. It is called SNMP v3 and has 3 security levels to choose from:
noAuthNoPriv – packets are neither authenticated nor encrypted . Basically the model used so far by SNMP v1 and v2c – everything clear text.
authNoPriv – packets are authenticated , that is user is sent in clear text but its password is not , (configurable) MD5 or SHA algorithm.
authPriv – the highest level, all SNMP packets are both authenticated using MD5 or SHA and their content is encrypted with DES/3DES/AES (128,196,256) algorithm.
Using the list above let’s configure our ASA for each level .
General steps:

• Configure snmp-server group for every security level you want to use ;
• Creatre user for each security level you wan to use and assign it to the snmp-server group of your choice
• Create usual snmp-server host entry but adding version 3 and username to be used by this host. NOTE You can have only one such command per host but no matter which out of 3 security levels you specify in this command it will allow the other 2 to be used in querying as well

noAuthNoPriv.

Querying the ASA:

authNoPriv.

Querying the ASA:

authPriv.
Here everything will be encrypted.

N.B. To my surprise there is no such thing as debug snmp . Actually it does exist, but entering this command gives no error and produces no debug either.
Noticed by the way. In logs you can see all the passwords you entered while configuring SNMP, not very secure I would rather say .

Now create tracking process to be later applied to the static route:

And finally we create static route and attach to it the created track :

Now let’s see some statistics on the track:

The final configuration looks like

And by the way it really works – when track is down the route to which it is attached magically disappeared
from the routing table as should.

• ASA can not be NTP server as opposed to IOS.
• You can use prefer optional keyword with ntp server command but … it works if you have multiple servers having “the same accuracy” by Cisco.com words. In people’s language they mean the same stratum. If your ASA has 2 servers – one of stratum 2 and other of stratum 3 , even if you put stratum 3 server as preferred the one of stratum 2 will be selected.
• Authentication is available but oprional. The only algorithm of choice is MD5.
• You can have multiple trusted keys at the same time, I guess they will be tried in turn (needs verification).

Ok then, back to CLI – NTP server is 153.6.3.3, use authentication, MD5.

Some debug comes next :

Now basically we can start configuring nameif , IP address and security level for this Redundant1 interface but let’s be more creative and create some VLANs on it.

So far :

Santa(config-subif)# vlan 120
Santa(config-subif)# nameif dmz
Santa(config-subif)# security-level 50
Santa(config-subif)# ip address 10.0.0.12 255.255.255.0

To remind you state of the physical interfaces comprising the Redundant 1 is :

interface Ethernet0/0
no nameif
no security-level
no ip address

interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/2
no nameif
no security-level
no ip address

Now some verification is looming (pay attention to the bottom of the output where you can see which interface is currently active and how many state changes have happened so far) :

Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001b.d589.9892, MTU not set
IP address unassigned
1870 packets input, 150617 bytes, 0 no buffer
Received 1329 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
766 L2 decode drops
264 packets output, 24326 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (9/18) software (0/0)
output queue (curr/max packets): hardware (0/2) software (0/0)
Control Point Interface States:
Interface number is 10
Interface config status is active
Interface state is active
Redundancy Information:
Member Ethernet0/0(Active), Ethernet0/2
Last switchover at 07:25:35 UTC August 19 2010

exec mode commands/options:
error errors
event events

redundant interface Redundant1 switching active from Ethernet0/2 to Ethernet0/0.

Send gratuitous ARP on Redundant1.100.
Send gratuitous ARP on Redundant1.120.
redundant interface Redundant1 switch active to Ethernet0/0 done.

Switch has happened, now verify it:

Control Point Interface States:

Interface number is 10
Interface config status is active
Interface state is active
Redundancy Information:

Member Ethernet0/0(Active), Ethernet0/2
Last switchover at 07:57:11 UTC August 19 2010

Having done a bit practice the dry theory comes next.

• You can define up to 8 Redundant interfaces (if you have ASA 5580 why not?);
• All the interfaces in the same group should be of the same type (Ethernet with Fiber won’t go well) ;
• Only one interface is passing production traffic at any given moment;
• Redundant interface gets by default MAC address of the first added to it interface, configurable;<
• When fail over happens to the second interface, it takes over MAC address of its previously active neighbour to prevent loss of traffic. If MAC is configured especially and manually it remains the same;
• You can force some interface to become Active using the command:
  Santa# redundant-interface redundant active-member <if_name>
• Redundant interfaces are compatible with fail over feature.

For even more information , see:
ASA 8.3 interface configuration

• Enable RIP on the ASA;
• Dictate the version to work with – RIP v1 or RIP v2;
• Specify networks RIP protocol will be active for;
• Exclude some interfaces from active advertising RIP on them but allow to get
  RIP updates on them , i.e. passive interface(s);
• Decide whether you want auto-summarization or not. Default is on;
• Enable Rip updates authentication and whether it should be
  encrypted (MD5 mode) or clear text (text mode);
• If using authentication define authentication keys under relevant interfaces;
• To make your life harder you will be asked to redistribute;
• Finally verify and debug RIP operation.

SO let’s get our hands dirty.
Enable RIP routing process.

Set it to run exclusively version 2 . ASA doesn’t know to mix version
2 and 1 as IOS does.

Networks to be active for . You should specify classful nets or even if you specify anything different after you enter such networks ASA will automatically turn them into classful ones anyway.

Verifying configuration so far:

You will most probably want to disable summarization :

Exclude some interface from advertising on it:
- To suppress on ALL interfaces in one go:

- To be more specific:

Authentication is configured exclusively under the interface :
- Dictate which authentication mode to use.

- Specify the key (password) and its id.

Here is how it looks in show run interface :

Redistribute. Just redistributing learned in other ways networks into the RIP would be boring. As usual you redistribute connected, static, ospf and rip (when working with the rest of the protocols).

Much more interesting is to implement some policy while redistributing using route-maps. As expected route-maps here are not what we used to know in IOS.
So what can you match for me ?

The most familiar and useful match on ACL lies here:

About rest of the match conditions, I’ll cover them when talking about OSPF in ASA.

Filtering out routes in updates.
If you want to filter some networks in updates use distribute-list.

Now some debug is due.
Enable rip debug:

Normal functioning protocol debug output:

Now the authentication has been enabled but keys on 2 peers are not the same: