yurisk.info » Cisco

snmp-map in ASA is for passing through traffic only

Yuri — Sat, 28 Aug 2010 04:53:42 +0000

I don’t know who to blame – me for not being attentive or Cisco documentation for being vague, but when I read about snmp-map inspection that allows you to block selectively by SNMP version I decided it was the way to protect ASA itself from such queries. And only with the help of Netpro forum at Cisco.com did I learn that this feature is designed to inspect the SNMP traffic that passes THROUGH the ASA and not destined to the ASA itself.
So if you want to limit what version of SNMP ASA will use to answer queries , use usual snmp-server host …
For those who do want to block passing through the ASA SNMP of say version 1 and 2c , here is how:

Louvre(config)# snmp-map no-v1or2-here
deny version 1
deny version 2c

Now define with access-list what traffic to inspect, you may use specific IPs or just general SNMP ports – udp 161 and 162:

Louvre# sh run access-list no-v3
access-list no-v1or2-here extended permit udp any any eq snmptrap
access-list no-v1or2-here extended permit udp any any eq snmp

Bind ACL to class-map:

Louvre(config)# class-map snmp-block-v2or1
match access-list no-v1or2-here

Use the class-map in policy map with enabling snmp-map inspection :

Louvre(config)# policy-map no-snmp-v2or1
class snmp-block-v2or1
inspect snmp no-v1or2-here

And finally apply the policy map on some interface

Louvre(config)# service-policy no-snmp-v2or1interface outside

ASA 8.2 now speaks SNMP v3 decently

Yuri — Wed, 25 Aug 2010 18:43:55 +0000

ASA 8.2 speaks SNMP v3 decently
This article is all about SNMP in ASA. ASA has much less configuration options than IOS does, and this is good. Starting version 8.2 ASA supports version 3 of the SNMP protocol which adds new security model to the whole SNMP stack. But first we will start with old fashioned SNMP v2c (c is for ‘community’) . It takes about 15 secs to do it:

snmp-server location “935 Pennsylvania Avenue, NW”
snmp-server contact “Don’t call us we’ll call you”
snmp-server community *****    // Note this community will be used if more specific one isn’t given per host
snmp-server enable traps snmp authentication linkup linkdown coldstart   //specific traps
snmp-server enable    // you enable server
snmp-server listen-port 161   // in case you want to change, who knows …
snmp-server host outside 195.95.193.8 community ****** version 1 udp-port 162     // only now SNMP polling is enabled and to the given host , also version 1 and port 162 on SNMP management (195.95.193.8) to send traps
no snmp-server enable traps ipsec start stop    // To disable specific traps

As you already know this setup will exchange community strings in clear text and also no packet is cryptographically authenticated/verified. What a shame for “Adaptive Security Appliance” . The fix is on the way. It is called SNMP v3 and has 3 security levels to choose from:
noAuthNoPriv – packets are neither authenticated nor encrypted . Basically the model used so far by SNMP v1 and v2c – everything clear text.
authNoPriv – packets are authenticated , that is user is sent in clear text but its password is not , (configurable) MD5 or SHA algorithm.
authPriv – the highest level, all SNMP packets are both authenticated using MD5 or SHA and their content is encrypted with DES/3DES/AES (128,196,256) algorithm.
Using the list above let’s configure our ASA for each level .
General steps:

Configure snmp-server group for every security level you want to use ;
Creatre user for each security level you wan to use and assign it to the snmp-server group of your choice
Create usual snmp-server host entry but adding version 3 and username to be used by this host. NOTE You can have only one such command per host but no matter which out of 3 security levels you specify in this command it will allow the other 2 to be used in querying as well

noAuthNoPriv.

snmp-server group v3-noauth v3 noauth
snmp-server user Jambo v3-noauth v3
snmp-server host outside 199.252.47.11 version 3 Jambo

Querying the ASA:

snmpwalk -v 3 -u Jambo -l noauthnopriv 155.7.145.89

authNoPriv.

snmp-server group V3-auth v3 auth
snmp-server user AUTH V3-auth v3 auth md5 12345678

Minimum pass length is 8 , and while ASA seems not to care it is a violation and snmpwalk will complain on pass < 8 and bail out .
snmp-server host outside 199.252.47.11 version 3 AUTH

Querying the ASA:

snmpwalk -v 3 -u AUTH -a md5 -A 12345678 -l authnopriv 155.7.145.89

authPriv.
Here everything will be encrypted.

snmp-server group v3-priv v3 priv
snmp-server user very_secure v3-priv v3 auth md5 12345678 v3-priv v3 auth md5 12345678 priv aes 128 12345678
snmp-server host outside 199.252.47.11 version 3 very_secure

N.B. To my surprise there is no such thing as debug snmp . Actually it does exist, but entering this command gives no error and produces no debug either.
Noticed by the way. In logs you can see all the passwords you entered while configuring SNMP, not very secure I would rather say .

(config)# sh log | grep snmp

%ASA-5-111008: User ‘enable_15′ executed the ‘snmp-server user AUTH V3-auth v3 auth md5 12345678′ command.

sla monitor in Cisco ASA land

Yuri — Tue, 24 Aug 2010 13:14:49 +0000

SLA monitoring is finally here. What is it useful for ? To add/remove dynamically routes in ASA depending on results of the SLA status.
Below is configuration steps but while there are many words in the command itself there are not much options there , so the command is long but pretty uniform.

TokyoASA1(config)# sla monitor 33
TokyoASA1(config-sla-monitor)# type echo protocol ipIcmpEcho 150.6.2.2 int outside type echo
TokyoASA1(config-sla-monitor-echo)# ?

default Set a command to its defaults
exit Exit probe configuration
frequency Frequency of an operation
no Negate a command or set its defaults
num-packets Number of Packets
request-data-size Request data size
threshold Operation threshold in milliseconds
timeout Timeout of an operation
tos Type Of Service

TokyoASA1(config-sla-monitor-echo)# frequency ?

sla-monitor-echo mode commands/options:
<1-604800> Frequency in seconds

TokyoASA1(config)# sla monitor schedule 33 ?

ageout How long to keep this Entry when inactive
life Length of time to execute in seconds
recurring Probe to be scheduled automatically every day
start-time When to start this entry

TokyoASA1(config)# sla monitor schedule 33 life forever start after 00:05:00

Now create tracking process to be later applied to the static route:

TokyoASA1(config)# track 1 rtr 33 reachability

And finally we create static route and attach to it the created track :

TokyoASA1(config)# route outside 0 0 136.6.123.3 track 1

Now let’s see some statistics on the track:

TokyoASA1# sh track

Track 1
Response Time Reporter 33 reachability
Reachability is Down
1 change, last change 00:04:03
Latest operation return code: Unknown
Tracked by:
STATIC-IP-ROUTING 0

The final configuration looks like

sla monitor 33
type echo protocol ipIcmpEcho 150.6.2.2 interface outside
num-packets 3
request-data-size 1500
timeout 30
frequency 5
sla monitor schedule 33 life forever start-time after 00:05:00

TokyoASA1# sh sla monitor configuration

SA Agent, Infrastructure Engine-II
Entry number: 33
Owner:
Tag:
Type of operation to perform: echo
Target address: 150.6.2.2
Interface: outside
Number of packets: 3
Request size (ARR data portion): 1500
Operation timeout (milliseconds): 30
Type Of Service parameters: 0×0
Verify data: No
Operation frequency (seconds): 5
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

TokyoASA1# sh sla monitor configuration operational-state

Entry number: 33
Modification time: 15:14:04.168 UTC Sun May 23 2010
Number of Octets Used by this Entry: 1480
Number of operations attempted: 48
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 15:22:59.169 UTC Sun May 23 2010
Latest operation return code: OK
RTT Values:
RTTAvg: 1RTTMin: 1RTTMax: 1
NumOfRTT: 3RTTSum: 3RTTSum2: 3

TokyoASA1# debug sla monitor ?

error Output IP SLA Monitor Error Messages
trace Output IP SLA Monitor Trace Messages

TokyoASA1# debug sla monitor trace

TokyoASA1# IP SLA Monitor(33) Scheduler: Starting an operation
IP SLA Monitor(33) echo operation: Sending an echo operation
IP SLA Monitor(33) echo operation: RTT=0 OK
IP SLA Monitor(33) echo operation: RTT=0 OK
IP SLA Monitor(33) echo operation: RTT=1 OK
IP SLA Monitor(33) Scheduler: Updating result
IP SLA Monitor(33) Scheduler: Starting an operation
IP SLA Monitor(33) echo operation: Sending an echo operation
IP SLA Monitor(33) echo operation: RTT=0 OK
IP SLA Monitor(33) echo operation: RTT=0 OK
IP SLA Monitor(33) echo operation: RTT=1 OK

And by the way it really works – when track is down the route to which it is attached magically disappeared
from the routing table as should.

Redundant interfaces in Cisco ASA

Yuri — Mon, 23 Aug 2010 17:54:08 +0000

In Checkpoint they call it interface bonding – when will I stop dragging this Checkpoint everywhere ? – in Cisco ASA they called it interface redundancy. The idea is to provide for the physical link failure. That is – you combine two physical interfaces on the ASA into a virtual one, then you configure all the Layer 3 parameters on this virtual interface. At the same time only ONE of the interfaces in a group is active, if it fails ASA transparently switches to the next available interface in a group and all traffic passes through it. By default the first added to the group interface becomes active and all the rest become passive. At the end of the article there is some dry theory and facts, but now let’s plunge into code.
Warning !The moment you assign some physical interface to be a member of the redundant virtual interface ALL the existing configs on such interface are wiped out.
Create redundant interface (group) and assign 2 physical interfaces to it :

Santa#conf t
Santa(config)# interface Redundant1
Santa(config-if)# member-interface Ethernet0/0
Santa(config-if)# member-interface Ethernet0/2
Santa(config-if)#no nameif
Santa(config-if)#no security-level
Santa(config-if)#no ip address

Now basically we can start configuring nameif , IP address and security level for this Redundant1 interface but let’s be more creative and create some VLANs on it.

So far :

Santa#show run int

interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/2
no nameif
no security-level
no ip address

Santa(config)# interface Redundant1.120

Santa(config-subif)# vlan 120
Santa(config-subif)# nameif dmz
Santa(config-subif)# security-level 50
Santa(config-subif)# ip address 10.0.0.12 255.255.255.0

To remind you state of the physical interfaces comprising the Redundant 1 is :

interface Ethernet0/2
no nameif
no security-level
no ip address

interface Ethernet0/0
no nameif
no security-level
no ip address

interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/2
no nameif
no security-level
no ip address

Santa(config)# interface Redundant1.100
Santa(config-subif)# vlan 100
Santa(config-subif)# nameif outside
Santa(config-subif)# security-level 0
Santa(config-subif)# ip address 139.61.77.12 255.255.255.0

Now some verification is looming (pay attention to the bottom of the output where you can see which interface is currently active and how many state changes have happened so far) :

Santa# sh int redundant 1 detail

Interface Redundant1 “”, is up, line protocol is up

Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001b.d589.9892, MTU not set
IP address unassigned
1870 packets input, 150617 bytes, 0 no buffer
Received 1329 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
766 L2 decode drops
264 packets output, 24326 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (9/18) software (0/0)
output queue (curr/max packets): hardware (0/2) software (0/0)
Control Point Interface States:
Interface number is 10
Interface config status is active
Interface state is active
Redundancy Information:
Member Ethernet0/0(Active), Ethernet0/2
Last switchover at 07:25:35 UTC August 19 2010

And what about some debug ? Of course:

Santa(config)# debug redundant-interface ?

exec mode commands/options:
error errors
event events

Now let’s initiate shut on physical interface Ethernet0/2 that is now active

redundant interface Redundant1 switchover, active idx 1, stby idx 0

redundant interface Redundant1 switching active from Ethernet0/2 to Ethernet0/0.

Send gratuitous ARP on Redundant1.100.
Send gratuitous ARP on Redundant1.120.
redundant interface Redundant1 switch active to Ethernet0/0 done.

Switch has happened, now verify it:

Santa(config-if)# sh int redundant 1 det

Interface Redundant1 “”, is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001b.d589.9892, MTU not set
IP address unassigned
2284 packets input, 187559 bytes, 0 no buffer
Received 1544 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
797 L2 decode drops
296 packets output, 27430 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (8/18) software (0/0)
output queue (curr/max packets): hardware (0/5) software (0/0)

Control Point Interface States:

Interface number is 10
Interface config status is active
Interface state is active
Redundancy Information:

Member Ethernet0/0(Active), Ethernet0/2
Last switchover at 07:57:11 UTC August 19 2010

Having done a bit practice the dry theory comes next.

You can define up to 8 Redundant interfaces (if you have ASA 5580 why not?);<\li>
All the interfaces in the same group should be of the same type (Ethernet with Fiber won’t go well) ;<\li>
Only one interface is passing production traffic at any given moment;<\li>
Redundant interface gets by default MAC address of the first added to it interface, configurable;<\li>
When fail over happens to the second interface, it takes over MAC address of its previously active neighbour to prevent loss of traffic. If MAC is configured especially and manually it remains the same;<\li>
You can force some interface to become Active using the command:
Santa# redundant-interface redundant active-member <\li>
Redundant interfaces are compatible with fail over feature.<\li>

For even more information , see:
ASA 8.3 interface configuration

Playing with RIP on ASA

Yuri — Mon, 23 Aug 2010 05:32:22 +0000

Cisco ASA and RIP
RIP has been with ASA for years and in this article I will try to cover all possible scenarios in configuring, misconfiguring. debugging and verifying it. As I come up with new ideas how to break the RIP on ASA I will update this article as well.
As it would be expected ASA has a bit limited version of RIP daemon as compared with IOS one. Major tasks you my be required to do :

Enable RIP on the ASA;
Dictate the version to work with – RIP v1 or RIP v2;
Specify networks RIP protocol will be active for;
Exclude some interfaces from active advertising RIP on them but allow to get
RIP updates on them , i.e. passive interface(s);
Decide whether you want auto-summarization or not. Default is on;
Enable Rip updates authentication and whether it should be
encrypted (MD5 mode) or clear text (text mode);
If using authentication define authentication keys under relevant interfaces;
To make your life harder you will be asked to redistribute;
Finally verify and debug RIP operation.

SO let’s get our hands dirty.
Enable RIP routing process.

ASA#conf t
ASA(config)# router rip
TokyoASA(config-router)#

Set it to run exclusively version 2 . ASA doesn’t know to mix version
2 and 1 as IOS does.

TokyoASA(config-router)# version 2

Networks to be active for . You should specify classful nets or even if you specify anything different after you enter such networks ASA will automatically turn them into classful ones anyway.

TokyoASA(config-router)# network 5.0.0.0

Verifying configuration so far:

TokyoASA(config-router)# sh run router

router rip
network 5.0.0.0
version 2

You will most probably want to disable summarization :

TokyoASA(config-router)# no auto-summary

Exclude some interface from advertising on it:
- To suppress on ALL interfaces in one go:

TokyoASA(config-router)# passive-interface default

- To be more specific:

TokyoASA(config-router)# passive-interface outside

Authentication is configured exclusively under the interface :
- Dictate which authentication mode to use.

TokyoASA(config-if)# rip authentication mode md5

- Specify the key (password) and its id.

TokyoASA(config-if)# rip authentication key MYKEY key_id 33

Here is how it looks in show run interface :

interface Ethernet0/0
nameif outside
security-level 0
ip address 136.6.12.12 255.255.255.0
rip authentication mode md5
rip authentication key key_id 33

Redistribute. Just redistributing learned in other ways networks into the RIP would be boring. As usual you redistribute connected, static, ospf and rip (when working with the rest of the protocols).

TokyoASA(config-router)# redistribute ?

router mode commands/options:
connected Connected
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
static Static routes

Much more interesting is to implement some policy while redistributing using route-maps. As expected route-maps here are not what we used to know in IOS.
So what can you match for me ?

TokyoASA(config-route-map)# match ?

route-map mode commands/options:
interface Match first hop interface of route
ip Match IP address or next-hop or route-source
metric Match metric of route
route-type Match route-type of route

The most familiar and useful match on ACL lies here:

TokyoASA(config-route-map)# match ip ?

route-map mode commands/options:
address Match address of route or match packet
next-hop Match next-hop address of route
route-source Match advertising source address of route

TokyoASA(config-route-map)# match ip address FILTER-ACL
TokyoASA(config-route-map)# route-map RIPv2 permit 10
match ip address FILTER-ACL
match interface inside
TokyoASA(config-router)# redistribute connected route-map RIPv2 metric 13

About rest of the match conditions, I’ll cover them when talking about OSPF in ASA.

TokyoASA(config-route-map)# match route-type ?

route-map mode commands/options:
external Match external route (OSPF type 1/2)
internal Match internal route (including OSPF intra/inter area)
local Match locally generated route
nssa-external Match nssa-external route (OSPF type 1/2)

Filtering out routes in updates.
If you want to filter some networks in updates use distribute-list.

TokyoASA(config-router)# distribute-list MYACL ?

router mode commands/options:
in Filter incoming routing updates
out Filter outgoing routing updates

Now some debug is due.
Enable rip debug:

TokyoASA1# debug rip
TokyoASA1# sh debug

debug rip routing
debug rip database
debug rip events

Normal functioning protocol debug output:

add 10.0.2.0 255.255.255.0 via 0.0.0.0, connected metric [0/0]network
0.0.6.136 is now variably masked
add 136.6.0.0 255.255.0.0 via 0.0.0.0, connected metric [0/0]
RIP-DB: redist 10.0.0.0 255.255.255.0(metric 0, last interface dmz1) to RIP
RIP-DB: redist 10.0.2.0 255.255.255.0(metric 0, last interface dmz1) to RIP
RIP-DB: Get redist for network 10.0.2.0
RIP-DB: adding 10.0.2.0 255.255.255.0 (metric 0) via 0.0.0.0 on Ethernet0/2.120 to RIP database
RIP-DB: rip_create_ndb create 10.0.2.0 255.255.255.0, (best metric 4294967295)
RIP-DB: rip_create_rdb Create 10.0.2.0 255.255.255.0, (metric 0) via 0.0.0.0, Ethernet0/2.120(permanent)
RIP-DB: add 10.0.2.0 255.255.255.0 (metric 0) via 0.0.0.0 on Ethernet0/2.120 (donot_age)
RIP-DB: Adding new rndb entry 10.0.2.0 255.255.255.0
RIP-DB: rip_create_ndb create 10.0.0.0 255.0.0.0, (best metric 4294967295)
RIP-DB: rip_create_rdb Create 10.0.0.0 255.0.0.0, (metric 0) via 0.0.0.0, Null0(permanent)
RIP-DB: Created rip ndb summary entry for 10.0.0.0 255.0.0.0
RIP-DB: Adding new rndb entry 10.0.0.0 255.0.0.0 rip_route_adjust for dmz1 coming up
RIP: sending request on dmz1 to 224.0.0.9 rip_route_adjust for dmz1 coming up
RIP: sending request on dmz1 to 224.0.0.9
RIP: sending v2 flash update to 224.0.0.9 via dmz1 (10.0.2.120)
RIP: build flash update entries – suppressing null update
RIP: sending v2 update to 224.0.0.9 via dmz1 (10.0.2.120)
RIP: build update entries – suppressing null update

Now the authentication has been enabled but keys on 2 peers are not the same:

RIP: sending v2 update to 224.0.0.9 via inside (136.6.121.12)
RIP: build update entries
10.0.0.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.23.0 255.255.255.0 via 0.0.0.0, metric 2, tag 0 136.6.123.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.124.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
RIP: Update contains 4 routes
RIP: Update queued
RIP: sending v2 update to 224.0.0.9 via dmz1 (10.0.0.120)
RIP: build update entries
136.6.23.0 255.255.255.0 via 0.0.0.0, metric 2, tag 0 136.6.121.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.123.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.124.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
RIP: Update contains 4 routes
RIP: Update queued
RIP: Update sent via inside rip-len:92
RIP: Update sent via dmz1 rip-len:92
RIP: ignored v2 packet from 136.6.123.3 (invalid authentication)
RIP: sending v2 update to 224.0.0.9 via inside (136.6.121.12)
RIP: build update entries
10.0.0.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.23.0 255.255.255.0 via 0.0.0.0, metric 2, tag 0 136.6.123.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0 136.6.124.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
RIP: Update contains 4 routes
RIP: Update queued
RIP: sending v2 update to 224.0.0.9 via dmz1 (10.0.0.120)
RIP: build update entries

Tracking the source of DOS attack with Cisco IOS

Yuri — Thu, 28 May 2009 11:23:47 +0000

Problem: Enterprise is under Denial Of Service Attack that brings down key elements of the business or the whole network at all.
To track the attacker is the first step in handling the attack and unless the flood is coming from inside (most probably not in a well managed LAN) you will need help of your Service Provider to find out the origin. Unfortunately Service Provider’s (SP) backbone is not well suited for such forensics, as its business role is
to provide uninterrupted connectivity to ALL the clients , not only you, so SP will not enable ACLs/ip accounting/Netflow on their backbone to identify where the attack is coming from . And if source Ip of the attack is spoofed you can’t do much .

For such cases Cisco came with the nice feature called
ip source tracking that will gather flow statistics for specific destination
IPs (of victim) and periodically will export them for viewing, and will do all this without overloading the backbone router it is enabled on (Of course relevant if your SP is using Cisco gear) . Here are details:

– Enable it globally for the victim IP , here IP being attacked is 63.45.33.22

Edge(config)#ip source-track 63.45.33.22

- If you want (and if this is being done by SP they will not) you may create log entries:
Edge1(config)#ip source-track syslog-interval 2
Then you will see in logs (good for reminding to disable this afterwards) :
May 28 10:55:47.105: %DOS_TRACK-5-CFG: IP Source Tracker configured for 1 hosts

- Also you may define how often to export gathered info to be viewed (seems to depend on the platform ) :

Edge(config)#ip source-track export-interval 60

- And finally , you see the data accumulated so far :

Edge#sh ip source-track
Address SrcIF Bytes Pkts Bytes/s Pkts/s
63.45.33.22 Fa0/0 141G 485M 8244 141

Most important here will be the Source interface (in this router there is only 1 ingress interface , in real backbone you will have few feeds) where you see most of the incoming traffic for this destination IP. Then you (SP) would go to the upstream router connected to this local interface, enable the same source tracking and so on. Up to the last point in the backbone where the attacking traffic enters
the backbone of SP out of some upstream SP . Then SP would have option to contact the abuse of this upstream provider for them to investigate the issue further, or at least divert the attack to the black hole at the entry point, so end client would not be affected at all.

Cisco ip accounting to begin with

Yuri — Sat, 17 Jan 2009 17:15:01 +0000

First of all, Happy New year to All !
As I promised before (last year I’ll look at ip accounting in Cisco world. I’ll say it at the start already – accounting being with us since IOS 10.0 nowadays is getting pushed aside by the powerful Netflow feature.And while it is nowhere being depreciated/end-of-lifed by Cisco , it is presented as being “not enough”for the modern enterprise. I will agree that Netflow indeed provides lots of additional statistics and info , but will remind that it demands from device and the user substantially more as well.
And therefore for many cases is just plain overkill.

So lets look at accounting closer.
When enabled on the interface it creates database of accounting information
containing number of bytes that passed the router between pairs of IP addresses. There are actually more types of accounting but here I’ll talk about 2 types only: IP accounting and IP access-list violations accounting. The first gathers statistics for the traffic passing the router – entering and leaving it (means traffic that destined for or originating from the router itself is not accounted for). The 2nd type gathers info about traffic that is being rejected by the router according to applied ACLs. Both types can be enabled for physical/logical interfaces only (so to say VTY is not in the pack).

Both types share the same database memory space. And talking about memory -
by default router keeps 512 records, after these are exhausted no new accounting info is recorded. As usual , this is configurable (see later).

IP accounting

Here is a sneak preview of accounting at work:

Source Destination Packets Bytes
122.94.42.91 62.20.179.36 2 223

What you see is Ip addresses spotted in the IP packet header as source/destination
, number of packets and bytes. The database is updated continuously as traffic
passes the router.

IP accounting condifuration

- enable on the interface of interest (only outbound traffic is recorded),
i.e traffic leaving interface
- if desired tune number of kept records
- see in CLI gathered info
- see info through SNMP agent (won’t cover here)
- clear active accounting database and copy snapshot to checkpoint database
(done at once)
- see later at any time snapshot in checkpoint database or active records
in real-time

So here is our CLI:
1) Enable on interface
Router(config)#int fa0/1
Router(config-if)#ip accounting [output-packets]

2) [Optional] Tune maximum records value if desired (default 512, maximum 4294967295):
Router(config)#ip accounting-threshold 1200

3) See the active records in the database:

Router#sh ip account
   Source           Destination              Packets               Bytes
68.146.13.6       162.30.79.36                       1                 129
79.82.168.224     162.30.79.36                       1                 126
142.53.125.103    162.30.79.36                    9237              423360
83.171.0.22       162.30.79.36                       1                 129
118.181.13.61     162.30.79.36                       4                 360

4) Copy active database to checkpoint database and wipe out active db records:

Router#clear ip account
Router#sh ip accounting checkpoint

Source           Destination              Packets               Bytes
68.146.13.6       162.30.79.36                       1                 129
79.82.168.224     162.30.79.36                       1                 126
142.53.125.103    162.30.79.36                    9237              423360
83.171.0.22       162.30.79.36                       1                 129
118.181.13.61     162.30.79.36                       4                 360

Usage tip: What is this good for at all? As I started in the previuos post
I use such info to provide some insight to the client of what is going on
(or rather going in/out) in his network at the given moment. So, all these
commands I do on the client’s perimeter equipment which we manage. I have
no slightest inclination to do this for client/whoever on my backbone
gear, and you would be advised not too. Just try to enable accounting on the
router passing gigabits of traffic and you’ll have some ‘splaning to do
afterwards . And in general be advised that many of the posts in my blog come
from Service Provider view and not of the end-client enterprise
(no matter how big it is) standpoint.

5.5) Some extra-bonus configs though – you may configure ACL that will filter
for what IP addresses to gather accounting info only. While trying to catch
who is loading your network would be counter-productive to use such filtering,
for monitoring long-time it makes sense:

Router(config)#ip accounting-list 19.90.14.59 0.0.0.0

Then to database will be written only records involving this IP(s):

Router#sh ip account
Source Destination Packets Bytes
19.90.14.59 162.30.79.37 7 2912

IP access-list violations accounting.

This accounts for traffic blocked by ACL(s) applied to the interface(s)
- To enable :
Router(config-if)#ip accounting access-violations
Accounting will exclude mls traffic when mls is enabled.

- To see the records:
Router#sh ip accounting access-violations
Source Destination Packets Bytes ACL

Accounting data age is 8

* Of course to see something you need to have some blocking ACL applied to the
interface(s) beforehand. As I have no ACL on any interface this db is empty.

USAGE TIP 2: If you use this feature to spot most loading flow, you’ll love this
one-liner that after you pass to it (through std input) print out of
the show ip accounting will sort data by bytes passed in ascending order:

*Hint Darkstar is Linux machine, not router itself .
root@DarkStar:~# sort -n -k4,4

68.146.13.6       162.30.79.36                       1                 129
79.82.168.224     162.30.79.36                       1                 126
142.53.125.103    162.30.79.36                    9237              423360
83.171.0.22       162.30.79.36                       1                 129
118.181.13.61     162.30.79.36                       4                 360

79.82.168.224     162.30.79.36                       1                 126
83.171.0.22       162.30.79.36                       1                 129
68.146.13.6       162.30.79.36                       1                 129
118.181.13.61     162.30.79.36                       4                 360
142.53.125.103    162.30.79.36                    9237              423360

USAGE TIP 3:
To even further improve on the one-liner above below is again one-liner
that not only sorts accounting data by Bytes field but also sums up bytes per
Ip address (here in the 2nd field, but you can esaily modify to your needs):

root@DarkStar:~# sort -n -k4,4 | awk ‘{ips[$2] += $4} END { for (x in ips) print x,ips[x]}’
122.53.125.103   162.30.79.36                       3                 120
59.44.58.120     162.30.79.36                       3                 417
123.203.142.106 162.30.79.36                       1                 177
82.144.177.32    162.30.79.36                       1                 234
218.103.137.105 162.10.79.36                       1                 126
80.37.83.120     162.10.79.36                       1                 126
79.182.121.216   162.10.79.36                       9                 377
207.191.202.251 162.30.79.36                       9                 377
84.195.248.47    162.20.79.36                       7                 304
201.95.211.8     162.40.79.36                       8                 364
79.180.14.184    162.30.79.36                      24                 994
124.64.176.192   162.70.79.36                       5                 227
62.219.133.44    162.30.79.36                      72                3077
91.196.214.6     162.40.79.36                       4                 160
125.125.227.168 162.40.79.36                      15                 797

0
162.20.79.36 304
162.40.79.36 1321
162.30.79.36 5396
162.10.79.36 629
162.70.79.36 227
root@DarkStar:~#

Here I’ll wrap up my short (if you ask me) memo with few links for those interested to deep digger :

1) The whole book dedicated to knowing your network better :

Network Management: Accounting and Performance Strategies
by Benoit Claise – CCIE No. 2686; Ralf Wolter

http://www.ciscopress.com/bookstore/product.asp?isbn=1587051982

Cisco IOS command reference:

http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1091971

PS Next post I am planning to do on Netflow , the beast of accounting to be tamed.

Guarding against brute force attack on VTY in Cisco IOS

Yuri — Fri, 10 Oct 2008 09:24:03 +0000

Cisco starting IOS 12.3 introduced a simple but powerful feature to guard against brute force password guessing attack on remote access. The usual template followed when configuring VTY access is:
1) Configure ACL containing management IPs to be allowed to access the router through VTY
2) (Optional) Restrict VTY access protocol to ssh only (transport input ssh)
3) Apply this ACl to VTY : (config-line)# access-class in
4) (Optional) SIngle out one VTY line for a special remote access IP to be used if all VTY lines
are currently in use: (config)# line vty 4
Now I enhanced this template with following features:
#Blocks login for 300 seconds after 5 failed logins within 50 seconds time interval

login block-for 300 attempts 5 within 50
#apply specified ACl to VTY line when above event occurs, it is meant to exempt
#your managemnt IP form being blocked. After timed block expires this ACL gets removed
#from VTY and previous ACL that was applied before the event is reapplied back

login quiet-mode access-class anti-DOS

#Logging rate-limitation to prevent cluttering logs with failed attempts
login on-failure log every 10

ip access-list standard anti-DOS
permit 193.193.193.33
remark Deny VTY access to anyone else if brute-force logins take up all VTY lines

Another nice feature is delay between login attempts:
Sacramento(config)#login delay 2
Delay login is in seconds

Then in logs you will see the following failed attempts:

*May 2 02:04:14.105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 62.141.52.141] [localport: 22] [Reason: Login Authentication Failed] at 05:04:14 Sat May 2 2009 *May 2 02:04:22.112: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 22 secs, [user: ] [Source: 62.141.52.141] [localport: 22] [Reason: Login Authentication Failed] [ACL: anti-DOS] at 05:04:22 Sat May 2 2009 *May 2 02:09:22.091: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 05:09:22 Sat May 2 2009