ASA/PIX Cisco – Page 2

Category: ASA/PIX Cisco (page 2 of 2)

Teach ASA to speak NTP

Time is precious, even more when you need accurate logging to know when someone breaks into your systems. Let’s configure NTP time synchronization on our ASA 5510.
Configs are pretty simple, but worth remembering a thing or two.

ASA can not be NTP server as opposed to IOS.
You can use prefer optional keyword with ntp server command but … it works if you have multiple servers having “the same accuracy” by Cisco.com words. In people’s language they mean the same stratum. If your ASA has 2 servers – one of stratum 2 and other of stratum 3 , even if you put stratum 3 server as preferred the one of stratum 2 will be selected.
Authentication is available but oprional. The only algorithm of choice is MD5.
You can have multiple trusted keys at the same time, I guess they will be tried in turn (needs verification).

Ok then, back to CLI – NTP server is 153.6.3.3, use authentication, MD5.

TokyoASA1(config)# ntp authentication-key 1 md5 CISCO
TokyoASA1(config)# ntp trusted-key 1
TokyoASA1(config)# ntp server 153.6.3.3 ?
key Configure peer authentication key
prefer Prefer this peer when possible
source Interface for source address
<cr>
TokyoASA1(config)# ntp server 153.6.3.3 key 1
TokyoASA1(config)# ntp authenticate

TokyoASA1# debug ntp ?
adjust NTP clock adjustments
authentication NTP authentication
events NTP events
loopfilter NTP loop filter
packets NTP packets
params NTP clock parameters
select NTP clock selection
sync NTP clock synchronization
validity NTP peer clock validity

TokyoASA1# sh ntp stat

Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cfa3cae4.3dd6a89e (15:40:20.241 UTC Sun Aug 23 2010)
clock offset is -377969342.9594 msec, root delay is 2.04 msec
root dispersion is 15262547.68 msec, peer dispersion is 16000.00 msec

TokyoASA1# sh ntp ass

address ref clock st when poll reach delay offset disp
~153.6.3.3 .LOCL. 1 26 64 0 2.0 -37796 16000.
* master (synced), # master (unsynced), + selected, – candidate, ~ configured

Some debug comes next :

TokyoASA1# NTP: Authentication key 1
NTP: 153.6.3.3 reachable
NTP: sync change
NTP: peer stratum change

TokyoASA1# sh ntp stat

Clock is synchronized, stratum 2, reference is 153.6.3.3
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cf9e06b2.e6239822 (06:41:54.898 UTC Wed May 19 2010)
clock offset is -2.9681 msec, root delay is 1.95 msec
root dispersion is 21.58 msec, peer dispersion is 18.57 msec

Redundant interfaces in Cisco ASA

August 23, 2010 / Yuri / 4 Comments

In Checkpoint they call it interface bonding – when will I stop dragging this Checkpoint everywhere ? – in Cisco ASA they called it interface redundancy. The idea is to provide for the physical link failure. That is – you combine two physical interfaces on the ASA into a virtual one, then you configure all the Layer 3 parameters on this virtual interface. At the same time only ONE of the interfaces in a group is active, if it fails ASA transparently switches to the next available interface in a group and all traffic passes through it. By default the first added to the group interface becomes active and all the rest become passive. At the end of the article there is some dry theory and facts, but now let’s plunge into code.
Warning !The moment you assign some physical interface to be a member of the redundant virtual interface ALL the existing configs on such interface are wiped out.
Create redundant interface (group) and assign 2 physical interfaces to it :

Santa#conf t
Santa(config)# interface Redundant1
Santa(config-if)# member-interface Ethernet0/0
Santa(config-if)# member-interface Ethernet0/2
Santa(config-if)#no nameif
Santa(config-if)#no security-level
Santa(config-if)#no ip address

Now basically we can start configuring nameif , IP address and security level for this Redundant1 interface but let’s be more creative and create some VLANs on it.

So far :

Santa#show run int

interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/2
no nameif
no security-level
no ip address

Santa(config)# interface Redundant1.120

Santa(config-subif)# vlan 120
Santa(config-subif)# nameif dmz
Santa(config-subif)# security-level 50
Santa(config-subif)# ip address 10.0.0.12 255.255.255.0

To remind you state of the physical interfaces comprising the Redundant 1 is :

interface Ethernet0/2
no nameif
no security-level
no ip address

interface Ethernet0/0
no nameif
no security-level
no ip address

interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/2
no nameif
no security-level
no ip address

Santa(config)# interface Redundant1.100
Santa(config-subif)# vlan 100
Santa(config-subif)# nameif outside
Santa(config-subif)# security-level 0
Santa(config-subif)# ip address 139.61.77.12 255.255.255.0

Now some verification is looming (pay attention to the bottom of the output where you can see which interface is currently active and how many state changes have happened so far) :

Santa# sh int redundant 1 detail

Interface Redundant1 “”, is up, line protocol is up

Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001b.d589.9892, MTU not set
IP address unassigned
1870 packets input, 150617 bytes, 0 no buffer
Received 1329 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
766 L2 decode drops
264 packets output, 24326 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (9/18) software (0/0)
output queue (curr/max packets): hardware (0/2) software (0/0)
Control Point Interface States:
Interface number is 10
Interface config status is active
Interface state is active
Redundancy Information:
Member Ethernet0/0(Active), Ethernet0/2
Last switchover at 07:25:35 UTC August 19 2010

And what about some debug ? Of course:

Santa(config)# debug redundant-interface ?

exec mode commands/options:
error errors
event events

Now let’s initiate shut on physical interface Ethernet0/2 that is now active

redundant interface Redundant1 switchover, active idx 1, stby idx 0

redundant interface Redundant1 switching active from Ethernet0/2 to Ethernet0/0.

Send gratuitous ARP on Redundant1.100.
Send gratuitous ARP on Redundant1.120.
redundant interface Redundant1 switch active to Ethernet0/0 done.

Switch has happened, now verify it:

Santa(config-if)# sh int redundant 1 det

Interface Redundant1 “”, is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001b.d589.9892, MTU not set
IP address unassigned
2284 packets input, 187559 bytes, 0 no buffer
Received 1544 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
797 L2 decode drops
296 packets output, 27430 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (8/18) software (0/0)
output queue (curr/max packets): hardware (0/5) software (0/0)

Control Point Interface States:

Interface number is 10
Interface config status is active
Interface state is active
Redundancy Information:

Member Ethernet0/0(Active), Ethernet0/2
Last switchover at 07:57:11 UTC August 19 2010

Having done a bit practice the dry theory comes next.

You can define up to 8 Redundant interfaces (if you have ASA 5580 why not?);
All the interfaces in the same group should be of the same type (Ethernet with Fiber won’t go well) ;
Only one interface is passing production traffic at any given moment;
Redundant interface gets by default MAC address of the first added to it interface, configurable;<
When fail over happens to the second interface, it takes over MAC address of its previously active neighbour to prevent loss of traffic. If MAC is configured especially and manually it remains the same;
You can force some interface to become Active using the command:
Santa# redundant-interface redundant active-member <if_name>
Redundant interfaces are compatible with fail over feature.

For even more information , see:
ASA 8.3 interface configuration

Playing with RIP on ASA

August 23, 2010 / Yuri / 1 Comment

Cisco ASA and RIP
RIP has been with ASA for years and in this article I will try to cover all possible scenarios in configuring, misconfiguring. debugging and verifying it. As I come up with new ideas how to break the RIP on ASA I will update this article as well.
As it would be expected ASA has a bit limited version of RIP daemon as compared with IOS one. Major tasks you my be required to do :

Enable RIP on the ASA;
Dictate the version to work with – RIP v1 or RIP v2;
Specify networks RIP protocol will be active for;
Exclude some interfaces from active advertising RIP on them but allow to get
RIP updates on them , i.e. passive interface(s);
Decide whether you want auto-summarization or not. Default is on;
Enable Rip updates authentication and whether it should be
encrypted (MD5 mode) or clear text (text mode);
If using authentication define authentication keys under relevant interfaces;
To make your life harder you will be asked to redistribute;
Finally verify and debug RIP operation.

SO let’s get our hands dirty.
Enable RIP routing process.

ASA#conf t
ASA(config)# router rip
TokyoASA(config-router)#

Set it to run exclusively version 2 . ASA doesn’t know to mix version
2 and 1 as IOS does.

TokyoASA(config-router)# version 2

Networks to be active for . You should specify classful nets or even if you specify anything different after you enter such networks ASA will automatically turn them into classful ones anyway.

TokyoASA(config-router)# network 5.0.0.0

Verifying configuration so far:

TokyoASA(config-router)# sh run router

router rip
network 5.0.0.0
version 2

You will most probably want to disable summarization :

TokyoASA(config-router)# no auto-summary

Exclude some interface from advertising on it:
– To suppress on ALL interfaces in one go:

TokyoASA(config-router)# passive-interface default

– To be more specific:

TokyoASA(config-router)# passive-interface outside

Authentication is configured exclusively under the interface :
– Dictate which authentication mode to use.

TokyoASA(config-if)# rip authentication mode md5

– Specify the key (password) and its id.

TokyoASA(config-if)# rip authentication key MYKEY key_id 33

Here is how it looks in show run interface :

interface Ethernet0/0
nameif outside
security-level 0
ip address 136.6.12.12 255.255.255.0
rip authentication mode md5
rip authentication key <removed> key_id 33

Redistribute. Just redistributing learned in other ways networks into the RIP would be boring. As usual you redistribute connected, static, ospf and rip (when working with the rest of the protocols).

TokyoASA(config-router)# redistribute ?

router mode commands/options:
connected Connected
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
static Static routes

Much more interesting is to implement some policy while redistributing using route-maps. As expected route-maps here are not what we used to know in IOS.
So what can you match for me ?

TokyoASA(config-route-map)# match ?

route-map mode commands/options:
interface Match first hop interface of route
ip Match IP address or next-hop or route-source
metric Match metric of route
route-type Match route-type of route

The most familiar and useful match on ACL lies here:

TokyoASA(config-route-map)# match ip ?

route-map mode commands/options:
address Match address of route or match packet
next-hop Match next-hop address of route
route-source Match advertising source address of route

TokyoASA(config-route-map)# match ip address FILTER-ACL
TokyoASA(config-route-map)# route-map RIPv2 permit 10
match ip address FILTER-ACL
match interface inside
TokyoASA(config-router)# redistribute connected route-map RIPv2 metric 13

About rest of the match conditions, I’ll cover them when talking about OSPF in ASA.

TokyoASA(config-route-map)# match route-type ?

route-map mode commands/options:
external Match external route (OSPF type 1/2)
internal Match internal route (including OSPF intra/inter area)
local Match locally generated route
nssa-external Match nssa-external route (OSPF type 1/2)

Filtering out routes in updates.
If you want to filter some networks in updates use distribute-list.

TokyoASA(config-router)# distribute-list MYACL ?

router mode commands/options:
in Filter incoming routing updates
out Filter outgoing routing updates

Now some debug is due.
Enable rip debug:

TokyoASA1# debug rip
TokyoASA1# sh debug

debug rip routing
debug rip database
debug rip events

Normal functioning protocol debug output:

add 10.0.2.0 255.255.255.0 via 0.0.0.0, connected metric [0/0]network
0.0.6.136 is now variably masked
add 136.6.0.0 255.255.0.0 via 0.0.0.0, connected metric [0/0]
RIP-DB: redist 10.0.0.0 255.255.255.0(metric 0, last interface dmz1) to RIP
RIP-DB: redist 10.0.2.0 255.255.255.0(metric 0, last interface dmz1) to RIP
RIP-DB: Get redist for network 10.0.2.0
RIP-DB: adding 10.0.2.0 255.255.255.0 (metric 0) via 0.0.0.0 on Ethernet0/2.120 to RIP database
RIP-DB: rip_create_ndb create 10.0.2.0 255.255.255.0, (best metric 4294967295)
RIP-DB: rip_create_rdb Create 10.0.2.0 255.255.255.0, (metric 0) via 0.0.0.0, Ethernet0/2.120(permanent)
RIP-DB: add 10.0.2.0 255.255.255.0 (metric 0) via 0.0.0.0 on Ethernet0/2.120 (donot_age)
RIP-DB: Adding new rndb entry 10.0.2.0 255.255.255.0
RIP-DB: rip_create_ndb create 10.0.0.0 255.0.0.0, (best metric 4294967295)
RIP-DB: rip_create_rdb Create 10.0.0.0 255.0.0.0, (metric 0) via 0.0.0.0, Null0(permanent)
RIP-DB: Created rip ndb summary entry for 10.0.0.0 255.0.0.0
RIP-DB: Adding new rndb entry 10.0.0.0 255.0.0.0 rip_route_adjust for dmz1 coming up
RIP: sending request on dmz1 to 224.0.0.9 rip_route_adjust for dmz1 coming up
RIP: sending request on dmz1 to 224.0.0.9
RIP: sending v2 flash update to 224.0.0.9 via dmz1 (10.0.2.120)
RIP: build flash update entries – suppressing null update
RIP: sending v2 update to 224.0.0.9 via dmz1 (10.0.2.120)
RIP: build update entries – suppressing null update

Now the authentication has been enabled but keys on 2 peers are not the same:

RIP: sending v2 update to 224.0.0.9 via inside (136.6.121.12)
RIP: build update entries
10.0.0.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.23.0 255.255.255.0 via 0.0.0.0, metric 2, tag 0 136.6.123.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.124.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
RIP: Update contains 4 routes
RIP: Update queued
RIP: sending v2 update to 224.0.0.9 via dmz1 (10.0.0.120)
RIP: build update entries
136.6.23.0 255.255.255.0 via 0.0.0.0, metric 2, tag 0 136.6.121.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.123.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.124.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
RIP: Update contains 4 routes
RIP: Update queued
RIP: Update sent via inside rip-len:92
RIP: Update sent via dmz1 rip-len:92
RIP: ignored v2 packet from 136.6.123.3 (invalid authentication)
RIP: sending v2 update to 224.0.0.9 via inside (136.6.121.12)
RIP: build update entries
10.0.0.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.23.0 255.255.255.0 via 0.0.0.0, metric 2, tag 0 136.6.123.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.124.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
RIP: Update contains 4 routes
RIP: Update queued
RIP: sending v2 update to 224.0.0.9 via dmz1 (10.0.0.120)
RIP: build update entries

SMTP inspection with policy-map in ASA

May 26, 2010 / Yuri /

This is the first time I was disappointed by the cisco.com or Checkopint:ASA 1:0. I have had a simple task at hand – configure SMTP inspection in ASA 8.0(3) and cisco.com documentation didn’t help me at all. But first the task:Secure internal mail server by preventing it from sending spam outbound. It comes to mind two very simple but largely effective measures – block mails with From: field set to any domain but ours, and block attempts to relay Through the internal mail server mails destined to any domain but ours. In Checkpoint I can do it quite simply with SMTP Resource. Unfortunately in ASA it is not the case. Let’s look at final SMTP inspection I configured in ASA.
Input :
Internal server having outside IP address of 199.202.2.3 serves two domains apple.com and microsoft.com
Task:
– block mails with From: field set to any domain but apple.com or microsoft.com
– block mail relying for any domain but microsoft.com or apple.com
NOTE. Here I did this config on the production client so had no room for experimenting with all “what ifs” Identify mails direction from inside server outbound. I did it as didn’t find reliable info about sender-address match condition – does it match in any direction if applied globally on all traffic ? I mean , if it just looks at Mail from: field and acts on mails in both directions then it would block mails coming in from any domain but client’s own.
To prevent even checking this on client I did this ACL that will apply this SMTP inspection to outgoing mails
anyway.

BigInJapan(config)#access-list Mail-server permit tcp host 199.202.2.3 any eq 25

To block mails with From filed other than client’s domains I use regex that matches client’s domains and the use negation with NOT.

BigInJapan(config)# regex PermittedSenders “@microsoft.com|@apple.com “

Create policy-map where all the tweaked parameters are set (as of ASA 8.2 there is still no class-map type inspect esmtp) .

BigInJapan (config)# policy-map type inspect esmtp NoSpamOutside

Match all mails that Mail from field is anything but *@microsoft.com or *@apple.com. Action is reset and log.
It is more secure I guess to drop instead of reset as in drop malware would have to wait until some timeout, but I didn’t care here anyway.

BigInJapan(config-pmap)# match not sender-address regex PermittedSenders
BigInJapan(config-pmap-c)# reset log
BigInJapan(config-pmap-c)# exit

Various parameters. Here you set internal domain the mail server is serving, so trying to deliver mails to any other domain would be seen as illegal relaying and dropped. But also I was surprised to know here that policy-map mail-relay parameter can be used only once, leaving you without this protection if you have multiple domains served from the same server. So below is theoretical configuration if my client had just one domain on his server.

BigInJapan(config-pmap)# parameters
BigInJapan(config-pmap-p)# mail-relay apple.com action drop-connection log
BigInJapan(config-pmap-p)# exit
BigInJapan(config-pmap)# exit

Now create general policy-map to tie it all together.

BigInJapan(config)# policy-map NoSpamFromUs
BigInJapan(config-pmap)# class Mail-server
BigInJapan(config-pmap-c)# inspect esmtp NoSpamOutside
BigInJapan(config-pmap-c)# exit
BigInJapan(config-pmap)# exit

And apply it on some interface.

Important: according to Hucaby’s ASA handbook application protocol inspection is applied AFTER the NAT rules are done, so you need to use in your class-map/ACL IPs that are after the translation. Internal IP of the mail server is 192.168.3.3 that is statically NATed to 199.202.2.3, so I used 199.202.2.3 in class-map’s ACL.

On which interface to apply the policy-map I guess doesn’t matter but to be sure I did it on the outside.

BigInJapan(config)# service-policy NoSpamFromUs interface outside

Link to Inspection page in ASA 8.
Applying Application Layer Protocol Inspection

IP Options are evil – drop them , drop them on Cisco Asa/IOS Microsoft ISA Juniper or Checkpoint

January 23, 2010 / Yuri / 1 Comment

As you probably noticed IP header has variable length placeholder for the IP Options field. It has been there since the beginning , once a good idea for debug now turned into trouble. RFC 791 states that hosts/routers supporting IP protocol must implement Ip Options filed . It is up to the vendor to decide what to do with this optional field, but it must understand it. Still, wouldn’t be a problem if not modern architecture of the routing equipment that was designed to do most efficiently Routing , i.e. pass from interface to interface gigabytes of traffic. Therefore routing functions are highly optimized and most of the time are implemented in hardware . All other types of traffic unfortunately are not, and in most of the cases processing , lets call it Control traffic, is being left to poor router CPU and done in software. That brought the troubles into the IP world – relatively small amounts of control traffic (including Ip Options packets) may bring down otherwise
powerful router in just minutes.
To prevent this attack vendors implemented protection measures to drop entirely or selectively IP packets that has Ip Options filed set. Below is quick cheat sheet how to do it in some gear :
Checkpoint firewall NG/NGX – packets with Ip Options are dropped by default except for the “Router Alert” option (0x94) for the IGMPv2 and PIM protocols [or so CP claim, will have to verify later] and not even logged. To start logging dropped packets go to Policy -> Global Properties -> Log and Alerts -> check Ip dropped packets : Log
There is a value related to it that is on by default : Global Properties -> SmartDashboard customization -> Advanced Configuration -> Configure -> Firewall 1 -> Stateful inspection -> enable_ip_options (check/uncheck) but unchecking it removes from firewall VM chain module that inspects these Options at all and all Ip Options packets are dropped . So all packets bearing Ip Options are happily dropped even before security rules , here:

[Expert@splat60]# fw ctl chain
in chain (9):
0: -7f800000 (9095dd60) (ffffffff) IP Options Strip (ipopt_strip)
1: – 1fffff6 (9095ee80) (00000001) Stateless verifications (asm)

Also Checkpoint say you can decide which Ip Options will be allowed later BUT only when installing the firewall: “The set of permitted options must be configured during installation … the enable_ip_options setting in SmartDashboard is then used to enable or disable this functionality. Contact Check Point support for instructions on configuring the set of allowed IP options.”

Microsoft ISA 2000 server:
– If Enable Packet Filtering is not checked then do it in IP Packet Filters -> Properties – > General tab. On the Packet Filters tab check Enable Filtering IP Options .
Microsoft ISA 2004 Server:
– IP options filtering is enabled by default
– Go to Configuration node of the server in question in Management console -> General -> Additional Security Policy
Define IP Preferences . Here you will have 3 options to deal with Ip Options packets:
a) Deny packets with any IP options;
b) Deny packets with selected IP options;
c) Deny packets with all except selected IP options
The same options are available in ISA 2006 , click on Configure IP Protection link – > IP Preference settings

IOS Cisco router :

Juniper router:
You just add ip-options term to the filter and apply it to the interface of interest. In the example below I block only Route Record type of Ip Options, if you use any then it will block any type:

[edit firewall family inet filter NOICMP term 3]

firewall {
    family inet {
        filter NOICMP {
            term 1 {
                from {
                    address {
                        192.168.2.100/32;
                    }
                }
                then {
                    reject;
                }
            }
            term 2 {
                from {
                    ip-options route-record;
                }
                then {
                    reject;
                }
            }
            term 3 {
                from {
                    address {
                        192.168.2.0/24;
                    }
                }
                then accept;
            }
        }
    }
}

Apply to the interface:

interfaces {
    em0 {
        unit 0 {
            enable;
            family inet {
                filter {
                    input NOICMP;
                }
                address 192.168.2.133/24;
            }
        }
    }

Other possible arguments to ip-options clause:

set term 3 from ip-options ?

Possible completions:

<range>              Range of values
  [                    Open a set of values
  any                  Any IP option
  loose-source-route   Loose source route
  route-record         Route record
  router-alert         Router alert
  security             Security
  stream-id            Stream ID
  strict-source-route  Strict source route
  timestamp            Timestamp

Windows 2008.
By default it doesnt allow/forward packets with Source Routing set, and that’s good. For completeness
here is how to enable (or check whether it is enabled) source-routed forwarding:
BillG> netsh interface ipv4 set global sourceroutingbehavior=drop| forward| dontforward
– or-
Registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter
Key: DisableIPSourceRouting
DWORD value: 0

Verify:
In Security any measure/protection/method is as good as the proof you can present that it actually works.
Windows:
– Ping with Record Route field set:
BillG> ping –r 9 192.2.2.1
– Ping with Strict Routing field set:
BillG> ping –k <1st_hop_router_IP> <2nd_hop_router_IP…> <target>
– Ping with Loose Routing field set:
BillG> ping -j <1st_hop_router_IP> <2nd_hop_router_IP…> <target>
– Ping with Timestamp option set:
BillG> ping –s 3 8.8.8.8
Linux:
– Ping with Record Route field set:
root@darktstar:~/nmap# ping -R 8.8.8.8
– Ping with Timestamp option set:
root@darkstar:~/nmap# ping -T tsonly 8.8.8.8
Linux,BSD,Unix :
This handy utility sends bunch of packets to the target to test what Ip Options the target supports:
freebsd# fragtest ip-opt 192.168.2.133
ip-opt: sec lsrr ts esec cipso satid ssrr
I run fragroute above against Juniper (8.3) that was configured in the example earlier to block only Record Route option, as you can see it is indeed missing in the output list that enumerates what Ip Options the target supports [ see Reference for fragroute details]

References for further details:
Juniper: JUNOS Enterprise Routing, 1st Edition, By Doug Marschke; Harry Reynolds, 2008
Microsoft ISA : Microsoft® ISA Server 2006 Unleashed ,By Michael Noel, 2007
Fragroute http://monkey.org/~dugsong/fragroute/
Windows 2008: Windows® Server 2008 TCP/IP Protocols and Services,By Joseph Davies, 2008

Cisco ASA privilege separation for a local user or read only user on ASA

January 18, 2010 / Yuri / 6 Comments

Today I had the need to create a user in ASA that would have read-only permissions and also could issue
only 2 commands: show run and show conn. Here is how to do it.
[showmyads]
We talk here about user with local authentication (with TACACS it is much easier).
Just as in Cisco routers you assign specific command to some privilege level different from its default level , then create user with this privilege level :

1) Assign command to specific privilege level ( I pick here level 3 , but it may be any but 15):

(config)# privilege show level 3 mode exec command running-config
(config)# privilege show level 3 mode exec command conn

2) create username with privilege of the command you want him to give
(config)# username Joedoe password asdlgfuwe privilege 3

Now you have 2 options – create general enable password for this given level (3 here) ,so
any user after successful login can enter > enable 3 and enter it to get to level 3 enable
mode. Or , as I did here, not creating enable level 3 password at all and the user will have to enter its
privilege level using login command.
3) now user can connect by ssh (if allowed by Ip of course) :
#ssh Joedoe@10.10.10.7
Joedoe@10.10.10.7password:<enter user’s pass here>
ASA> login
Username: Joedoe
Password: **********
# sh curpriv
Username : Joedoe
Current privilege level : 3
Current Mode/s : P_PRIV

Reference:
Cisco ASA Configuration Guide 8.0

Finding the station/IP using/abusing most of the bandwidth – PIX/ASA

December 6, 2008 / Yuri / 2 Comments

[showmyads]Here is a short how-to I wrote some (well ,long) time ago for the newcomers to our department. It was written for the PIX , but applies to ASA as well in most cases,see for ASA notes for differences.
Usually it starts with client complaining about slow internet, or users that already work in net are ok but new ones can’t connect, sometimes PIX crashes periodically (depends on case – every few hours), seldom but client directly asks what station in LAN is bombing the PIX with connections.
Here are the steps to try to see what is going on:

1) Always worth knowing the current state of the PIX, lots of connections consume lots of memory
and this after all causes crash/slowness of processing/

Mambo# show memory
Free memory:        42557840 bytes
Used memory:        24551024 bytes
————-     —————-
Total memory:       67108864 bytes

2) as you may know PIX is a NAT machine – every connection (outbound/inbound)
should pass NAT translation, which creates (every connection) xlate entry (in IOS it is called
NAT table) (ASA note:you may disabel NAT ,not to say it may work in Transparent mode)

Mambo# show xlate count
1613 in use, 5246 most used
; In abused PIX you would see dozens of thousands of xlate entries, e.g. 55550

; beyond xlate entry, every connection creates conn entry in PIX memory to enable stateful
;inspection, to see their count use :

Mambo# show conn count
5271 in use, 34824 most used

; next command will show on which interface there is more traffic – to know what side of the PIX is being attacked

Mambo# show traffic
outside:
        received (in 980818.730 secs):
                1113941822 packets      498552059 bytes
                1004 pkts/sec   0 bytes/sec
        transmitted (in 980818.730 secs):
                1170564303 packets      2054434346 bytes
                1000 pkts/sec   2002 bytes/sec
inside:
        received (in 980818.730 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 980818.730 secs):
                76 packets      4560 bytes
                0 pkts/sec      0 bytes/sec
dmz:
        received (in 980818.730 secs):
                186616723 packets       3287127501 bytes
                1 pkts/sec      3001 bytes/sec
        transmitted (in 980818.730 secs):
                196403614 packets       1465915834 bytes

Now the main part – how to find out which IP is abusing the resources:

Mambo# show local-host | incl host|count|embryonic

local host: <10.10.1.142>, conn(s)/limit = 0/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.53>, conn(s)/limit = 106/0
            embryonic(s)/limit = 106/0, incomplete(s) = 0
local host: <10.10.1.205>, conn(s)/limit = 14/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.191>, conn(s)/limit = 4/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.193>, conn(s)/limit = 4/0
            embryonic(s)/limit = 1/0, incomplete(s) = 0
………………………………………………………………………..
local host: <10.10.1.36>, conn(s)/limit = 22/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.180>, conn(s)/limit = 1/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0

Legend:

local host     : Local IP of station in LAN
conn(s)/limit :   number of conn entries (connections) and their possible limit for this IP
embryonic(s)/limit : number of embryonic (half-open) connections to this IP and their limit

Looking at this output we could easily find station with most connections.

Next, to get more info (if needed)

Mambo# sh local-host 10.10.1.19
Interface Inside: 73 active, 96 maximum active, 0 denied
local host: <10.10.1.19>, conn(s)/limit = 105/0
            embryonic(s)/limit = 45/0, incomplete(s) = 0
AAA:
Xlate(s):
    PAT Global 216.163.137.3(40901) Local 10.10.1.19(3653)
    PAT Global 216.163.137.3(30938) Local 10.10.1.19(1439)
    PAT Global 216.163.137.3(61195) Local 10.10.1.19(3815)
    PAT Global 216.163.137.3(39325) Local 10.10.1.19(2387)
    PAT Global 216.163.137.3(12515) Local 10.10.1.19(1043)
    PAT Global 216.163.137.3(21891) Local 10.10.1.19(2368)
    ……………………………………………….

    PAT Global 216.163.137.3(64086) Local 10.10.1.19(4928)
;NOTE – here 216.163.137.3 is IP of outside interface of PIX

To temporary block some station – it will not be able to create new connections
and exsiting ones will be deleted. This block is active until next reboot.
Mambo# shun 10.10.1.19
To see active shuns:
Mambo# show shun
To disable shun
Mambo# no shun 10.10.1.19
Personal NOTE: Such call is a sure sign of unordered/amateurish network administration . And it always starts with the key phrase – “Your line is down, we have no Internet”. On my answer, after I look at MRTG
graphs of the client line and see 100% usage, that “Of course , you are using up all your bandwidth” they reply “It is impossible, can you tell me who is abusing the line ?” While I may spend 10 mins
explaing this ‘sysadmin’ that PIX/ASA/etc is not a statistics/monitoring device and other solutions exist for that and MRTG is free etc., I usually give up on them and save myself 10
mins of my time and just give them what they want . In the next post I will write about doing the same in Cisco router.

yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise