Wednesday, June 17, 2015

Cisco ASA 9.4.1/9.3.1 woes

I ran into a few problems with an ASA 5558-X reading a simple USB disk under 9.3.1.

Here's an ASA 9.4.1 USB disk and its filesystem, followed by the same disk under 9.3.1 for comparison.

9.4.1


9.3.1




The second problem: after we had the failover pair split, with one unit running 9.4.1 and the other 9.3.1, the OSPF table on the other ASA was populated with OSPF-learned routes.

************WARNING****WARNING****WARNING********************************
   Mate version 9.4(1) is not identical with ours 9.3(1)
************WARNING****WARNING****WARNING********************************


The funny thing: all the OSPF routes were in the correct multi-context routing table, but no OSPF neighbors were shown or existed. (Keep in mind that in an active/standby failover pair only the active unit runs OSPF; it replicates its routing table, including dynamically learned routes, to the standby. So if the unit you are looking at is the standby, routes with no neighbors are its normal state. The abnormal part here was the mismatched software versions.)

Note: I'm also running dual OSPF processes, one facing the outside (external) and one facing the inside (internal).

We immediately had to reboot the standby unit that was still on 9.3.1 to bring it up to 9.4.1 and let the two Cisco ASAs re-sync.

That is by far the weirdest issue I have ever seen during any upgrade. I would have opened a Cisco TAC case, but I'm sure TAC would simply have stated to upgrade both units to 9.4.1 to begin with.

The 9.4.1 upgrade path lets you go to 9.4.1 directly from 9.3.x, but I never would have expected the OSPF database to get corrupted. Keep in mind that running mismatched versions in a failover pair is only supported for the duration of a hitless upgrade; don't leave the pair split any longer than it takes to upgrade the second unit.


An upgrade of the second unit to 9.4.1 fixed the issues.

NOTE: I found an interesting command option that I never knew about. You can query OSPF routes per process directly by specifying the OSPF process ID, e.g. process 44 vs. 45:


FWMAcontext2/act/FWMAFW1# show route ospf 44 | include 0.0.0.0
Gateway of last resort is 192.0.2.17 to network 0.0.0.0
O*IA  0.0.0.0 0.0.0.0 [110/11] via 192.0.2.17, 00:06:29, EXTERNAL02
FWMAcontext2/act/FWMAFW1#

FWMAcontext2/act/FWMAFW1# show route ospf 45 | include 10.2.2.0
O        10.2.2.0 255.255.255.0
FWMAcontext2/act/FWMAFW1#
 

I hope this helps someone else. If you don't specify the process ID, you get ALL OSPF routes for that context, from every process.
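The route entries above have a fixed shape, so they are easy to check from a script once you have pulled the output (over SSH, or from a saved show tech). Here is an added example in Python, not code from the original post, that parses show route ospf <pid> output into records, keeps lines truncated by | include flagged rather than dropped, and answers the two questions asked above: is there a default route, and which route would the ASA use for a given host. The SAMPLE_* text is constructed to match the format shown above; the hostnames, interface names and 10.x / 198.51.100.x prefixes in it are assumptions.

```python
"""Parse Cisco ASA 'show route [ospf <pid>]' output and answer routing questions.

Added example (Python), not code from the post. SAMPLE_OSPF_44/45 are constructed
in the format shown above; hostnames, interface names and prefixes are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Route code ("O", "O*IA", "O E2", "S", "C"), then network and mask; the rest is optional.
_HEAD = re.compile(
    r"^(?P<code>.{1,8}?)\s+(?P<net>\d+(?:\.\d+){3})\s+(?P<mask>\d+(?:\.\d+){3})(?P<rest>.*)$"
)
# "[AD/metric] via next-hop, [age,] interface" (age is absent on static routes)
_VIA = re.compile(
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+(?:\.\d+){3})"
    r"(?:,\s+(?P<age>\d+:\d+:\d+|\d+[wd]\d+[dh]))?,\s+(?P<iface>\S+)"
)
_CONNECTED = re.compile(r"is directly connected,\s+(?P<iface>\S+)")


@dataclass
class Route:
    code: str
    network: ipaddress.IPv4Network
    ad: Optional[int] = None
    metric: Optional[int] = None
    next_hop: Optional[str] = None
    interface: Optional[str] = None
    truncated: bool = False  # tail missing, e.g. because of '| include <prefix>'


def parse_show_route(text: str) -> List[Route]:
    """Turn raw CLI output into Route records; prompts and headers are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = _HEAD.match(line.rstrip())
        if not m:
            continue
        network = ipaddress.IPv4Network((m["net"], m["mask"]), strict=False)
        route = Route(code=m["code"].strip(), network=network)
        via, conn = _VIA.search(m["rest"]), _CONNECTED.search(m["rest"])
        if via:
            route.ad, route.metric = int(via["ad"]), int(via["metric"])
            route.next_hop, route.interface = via["nh"], via["iface"]
        elif conn:
            route.interface = conn["iface"]
        else:
            route.truncated = True
        routes.append(route)
    return routes


def default_route(routes: List[Route]) -> Optional[Route]:
    """The 0.0.0.0/0 entry, if the process learned one (O*IA / O*E2 on the ASA)."""
    return next((r for r in routes if r.network.prefixlen == 0), None)


def route_for(routes: List[Route], host: str) -> Optional[Route]:
    """Longest-prefix match among the parsed routes, as the forwarding lookup would do."""
    addr = ipaddress.IPv4Address(host)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


SAMPLE_OSPF_44 = """\
FWMAcontext2/act/FWMAFW1# show route ospf 44
Codes: L - local, C - connected, S - static, O - OSPF, IA - OSPF inter area
Gateway of last resort is 192.0.2.17 to network 0.0.0.0

O*IA  0.0.0.0 0.0.0.0 [110/11] via 192.0.2.17, 00:06:29, EXTERNAL02
O E2  198.51.100.0 255.255.255.0 [110/20] via 192.0.2.17, 00:06:29, EXTERNAL02
FWMAcontext2/act/FWMAFW1#
"""

SAMPLE_OSPF_45 = """\
FWMAcontext2/act/FWMAFW1# show route ospf 45
O        10.2.2.0 255.255.255.0 [110/20] via 10.1.1.2, 00:10:41, INSIDE
O IA     10.3.0.0 255.255.0.0 [110/30] via 10.1.1.2, 00:10:41, INSIDE
FWMAcontext2/act/FWMAFW1#
"""

if __name__ == "__main__":
    for name, text in (("44", SAMPLE_OSPF_44), ("45", SAMPLE_OSPF_45)):
        routes = parse_show_route(text)
        print(f"process {name}: {len(routes)} routes, default = {default_route(routes)}")
    print(route_for(parse_show_route(SAMPLE_OSPF_45), "10.2.2.7"))
```

Because each process is queried separately, the same script run against both process IDs tells you which process is supplying the default route, which is the first thing to confirm when the two units of a pair disagree.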

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \




Cisco ASA unattended reboots

The ASA can execute pre-scheduled, unattended reboots. This is great when you need to reboot a Cisco ASA pair but don't want to wake up at 02:00 for it.

e.g.

The CLI command  reload save-config in 00:10 noconfirm  will save the running config to flash and reboot the unit in 10 minutes without asking for confirmation. Because save-config commits whatever is in the running config at that moment, including any half-finished change another admin may have left behind, and noconfirm removes your last chance to catch it, review the running config (show running-config) before you schedule the reload.



To validate whether any reload is scheduled, execute the following command:
show reload





To cancel a scheduled reload, execute reload cancel.

In a heavy-user environment it's ideal to include a reason on the command line (the reload command's reason keyword) so you can warn all active logins of the reason for the reboot.

An even more detailed note should be used, IMHO.

e.g



Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \


NX3500 upgrade

New software was released by Cisco for the Nexus 3500, so I'm giving it a test run. What I found interesting was the release name format (A4 vs. A6): I'm not sure whether this was an oversight or whether separate A4 and A6 trains are being maintained in parallel, since the newer release carries the lower train number.

15-JUN-2015 Release 6.0(2)A4(6)
 
vrs

10-APR-2015  Release 6.0(2)A6(2)



(before)


(after)




Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \

PFsense vpn dialup ( debug log )

The IPsec logs in pfSense are excellent for validating a dynamic (dial-up) VPN client and troubleshooting issues with establishing connectivity.

If you are ever curious about the proposals your client submits, just review the logs after the client attempts access. Here's a Mac OS X 10.10.3 host using the native client:

(notice how we failed due to a lack of matching proposals)



So, out of all the proposals the client submitted, none matched the single proposal offered by the pfSense gateway. Various VPN clients, native or not, can support a wide range of proposals.

A difference in client OS version or type (Windows/Mac/Android/iPhone/...) can change the proposals the client submits.

If you're failing authentication (XAuth), you will see a log message similar to the one below.








Sometimes you have the right authentication and ciphers, but the DH group (key-exchange strength) is wrong; in the log the client's and the gateway's proposals will then agree on everything except the MODP/ECP group.
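Pulling these three failure modes (no matching proposal, XAuth failure, wrong DH group) out of a busy log by eye gets old fast. Here is an added example in Python, not pfSense's or the author's code, that triages charon log lines the way a practitioner would: it splits each side's proposal list into encryption, integrity, PRF and DH-group components, reports which component the client and gateway never agree on, and counts XAuth failures per user. Assumptions: pfSense 2.2's IKE daemon is strongSwan, whose "received proposals", "configured proposals", "no proposal found" and "XAuth authentication of ... failed" messages the parser keys on; the SAMPLE_LOG lines are constructed in that style with a made-up user name, not taken from the author's logs.

```python
"""Triage pfSense IPsec (strongSwan charon) log lines for dial-up clients.

Added example in Python; SAMPLE_LOG is constructed in the style of charon's
messages and is not the author's log. Assumption: pfSense 2.2's IKE daemon is
strongSwan, whose message formats the regexes below match.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List

_PROPOSAL = re.compile(r"<(?P<sa>[^>]+)> (?P<side>received|configured) proposals: (?P<list>.+)$")
_NO_PROPOSAL = re.compile(r"<(?P<sa>[^>]+)> no (?:acceptable )?proposal (?:found|chosen)")
_XAUTH_FAIL = re.compile(r"XAuth authentication of '(?P<user>[^']+)' failed")

COMPONENTS = ("encryption", "integrity", "prf", "dh_group")


def classify(alg: str) -> str:
    """Map a strongSwan algorithm name to its IKE proposal component."""
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh_group"
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integrity"
    return "encryption"  # AES_CBC_*, AES_GCM_* (AEAD, no integrity field), 3DES_CBC, ...


def parse_proposals(text: str) -> List[Dict[str, str]]:
    """'IKE:A/B/C/D, IKE:E/F/G/H' -> one {component: algorithm} dict per proposal."""
    proposals = []
    for item in text.split(","):
        item = item.strip().split(":", 1)[-1]  # drop the 'IKE:' / 'ESP:' prefix
        proposals.append({classify(a): a for a in item.split("/") if a})
    return proposals


def explain_mismatch(received: List[Dict[str, str]],
                     configured: List[Dict[str, str]]) -> Dict[str, object]:
    """Per component, the algorithms both sides offer; an empty list is the blocker."""
    report: Dict[str, object] = {}
    for comp in COMPONENTS:
        client = {p[comp] for p in received if comp in p}
        gateway = {p[comp] for p in configured if comp in p}
        report[comp] = sorted(client & gateway)
    report["blockers"] = [c for c in COMPONENTS if not report[c]]
    report["exact_match"] = any(p in configured for p in received)
    return report


def triage(log: str) -> Dict[str, object]:
    """Group proposal lines per IKE_SA, explain each failed SA, count XAuth failures."""
    offered: Dict[str, Dict[str, List[Dict[str, str]]]] = defaultdict(dict)
    failed_sas: List[str] = []
    xauth: Counter = Counter()
    for line in log.splitlines():
        m = _PROPOSAL.search(line)
        if m:
            offered[m["sa"]][m["side"]] = parse_proposals(m["list"])
            continue
        m = _NO_PROPOSAL.search(line)
        if m:
            failed_sas.append(m["sa"])
            continue
        m = _XAUTH_FAIL.search(line)
        if m:
            xauth[m["user"]] += 1
    proposal_failures = {
        sa: explain_mismatch(offered[sa].get("received", []), offered[sa].get("configured", []))
        for sa in failed_sas if sa in offered
    }
    return {"proposal_failures": proposal_failures, "xauth_failures": dict(xauth)}


# Constructed sample: right cipher, integrity and PRF, wrong DH group; then two XAuth failures.
SAMPLE_LOG = """\
Jun 16 22:10:01 pfsense charon: 12[CFG] <3> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun 16 22:10:01 pfsense charon: 12[CFG] <3> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 16 22:10:01 pfsense charon: 12[IKE] <3> no proposal found
Jun 16 22:12:30 pfsense charon: 05[IKE] <con1|4> XAuth authentication of 'kfelix' failed
Jun 16 22:12:41 pfsense charon: 05[IKE] <con1|5> XAuth authentication of 'kfelix' failed
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

In the sample, encryption, integrity and PRF all overlap but the DH group does not (MODP_1024 offered, MODP_2048 configured), which is exactly the case described above. Fix it on whichever side you control; raising the client's group is preferable to lowering the gateway's.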






To review the generated ipsec.conf file, you can use the WebGUI command-prompt tool (Diagnostics > Command Prompt) and run more on the config file (/var/etc/ipsec/ipsec.conf on pfSense 2.2).

e.g






Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \





Thursday, June 11, 2015

8 tips for the Huawei Eudemon 1000

Here are my 8 tips for the Eudemon firewall.




1: The Eudemon 1000 supports routed, transparent or composite mode; the firewall mode composite command sets the firewall up for both (default = routed).

2: Be aware of zone priorities and how they work. Traffic from a higher-priority zone to a lower-priority zone is considered outbound; the reverse is inbound. An interface can be in one zone only, and it cannot be placed in the Local zone.

3: ACLs are number-range specific; be aware of the differences:

 2000-2999 == BASIC ACL (source address only)

 3000-3999 == ADVANCED ACL (source/destination address, source/destination port, upper-layer protocol/service)

 5000-5999 == FIREWALL ACL (source/destination address and destination port)

4: Use the lock command from the CLI to lock others out while you are configuring the firewall.

5: The display this command shows what's configured in the view you are currently in.

6: The system-view immediately command is great for executing a config change immediately, but use it with care: any mistake could be service-impacting.

7: The preview all configuration command helps to validate the configuration before the commit. You should use it 100% of the time, IMHO.

8: Execute display configuration <filename> before loading a previously saved config, to validate the configuration before loading it.
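Tip 2 is the one that bites people writing interzone policy, because the inbound/outbound keyword is derived from zone priority, not from the interface a packet arrived on. The following is an added example in Python, not Huawei code, that models that rule together with the two constraints in the tip (one zone per interface, nothing in the Local zone) so you can predict how a packet-filter applied inbound or outbound on an interzone will match. The priorities (Local 100, Trust 85, DMZ 50, Untrust 5) are Huawei's documented defaults; the interface names and the rule dictionary format are assumptions.

```python
"""Predict Huawei interzone direction from security-zone priorities.

Added example (Python), not Huawei code. DEFAULT_PRIORITIES are Huawei's documented
defaults; the interface names and the rule dictionary format are assumptions.
"""
from typing import Dict, Optional, Tuple

DEFAULT_PRIORITIES = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


class ZoneError(ValueError):
    """Raised for the two configuration mistakes the firewall itself refuses."""


class ZoneModel:
    def __init__(self, priorities: Optional[Dict[str, int]] = None) -> None:
        self.priorities = dict(priorities or DEFAULT_PRIORITIES)
        self.iface_zone: Dict[str, str] = {}

    def add_interface(self, iface: str, zone: str) -> None:
        """Tip 2: one zone per interface, and nothing goes into Local."""
        if zone not in self.priorities:
            raise ZoneError(f"unknown zone {zone!r}")
        if zone == "local":
            raise ZoneError("interfaces cannot be added to the Local zone")
        if iface in self.iface_zone:
            raise ZoneError(f"{iface} is already in zone {self.iface_zone[iface]!r}")
        self.iface_zone[iface] = zone

    def direction(self, src_zone: str, dst_zone: str) -> str:
        """Higher priority -> lower priority is outbound; the reverse is inbound."""
        src, dst = self.priorities[src_zone], self.priorities[dst_zone]
        if src == dst:
            return "intrazone"  # same zone (priorities are unique per zone): no interzone policy
        return "outbound" if src > dst else "inbound"

    def flow(self, in_iface: str, out_iface: str) -> Tuple[str, str, str]:
        """(source zone, destination zone, direction) for a packet crossing the box."""
        src, dst = self.iface_zone[in_iface], self.iface_zone[out_iface]
        return src, dst, self.direction(src, dst)

    def rule_applies(self, rule: Dict[str, object], in_iface: str, out_iface: str) -> bool:
        """An interzone rule names an unordered zone pair plus inbound/outbound, e.g.
        {'zones': ('trust', 'untrust'), 'direction': 'outbound'} mirrors
        'firewall interzone trust untrust' + 'packet-filter <acl> outbound'."""
        src, dst, direction = self.flow(in_iface, out_iface)
        return {src, dst} == set(rule["zones"]) and direction == rule["direction"]


if __name__ == "__main__":
    fw = ZoneModel()
    fw.add_interface("GigabitEthernet0/0/1", "trust")
    fw.add_interface("GigabitEthernet0/0/2", "untrust")
    fw.add_interface("GigabitEthernet0/0/3", "dmz")
    egress = {"zones": ("trust", "untrust"), "direction": "outbound"}
    print(fw.flow("GigabitEthernet0/0/1", "GigabitEthernet0/0/2"))  # ('trust', 'untrust', 'outbound')
    print(fw.rule_applies(egress, "GigabitEthernet0/0/2", "GigabitEthernet0/0/1"))  # False
```

The second print is the trap: the same zone pair traversed from untrust to trust is inbound, so an outbound packet-filter does nothing for it, and a filter intended to block inbound traffic that was applied outbound leaves the hole open.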


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \

NX-OS flexlinks and vpc

I was trying a new vPC config on an NX-OS switch running 6.0(2)A6(2) and found that when feature flexlink is enabled, feature vpc cannot be enabled; likewise, if feature vpc is enabled, you can't enable flexlink. The two are mutually exclusive on the same switch.


Check out these screenshots:






So what are Flex Links?

They are a means of providing a redundant backup uplink, with the limitation that you can't run vPC on the switch. With Flex Links you define a pair of links, one member active and the second member as backup. If the active member goes down, the second member becomes active.

So keep that in mind before you define redundant uplinks, and decide up front whether you plan on using vPC or Flex Links.

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \

Saturday, June 6, 2015

GOOG Compute Engine: kicking the tires (w/ the FortiGate)

In this post I will walk you through kicking the tires on a Google Compute Engine VM instance. This task first started as me looking for IPv6 support within the Compute Engine platform. To my disappointment, Google did not support IPv6 at the time of writing.



Yes, I was shocked. I asked them about this feature over 10 months ago and they told me they were working on it, so I guess they are still drafting out the IPv6 design and deployment.

Now, the VM instances are quick and simple to stand up. Google has a few canned images available, but still no virtual firewall instances from any major vendor.



The start-up of my simple VM instance was quick, almost instant.

They offer a few means for accessing the CLI of the VM instance; I used the built-in browser-based (HTTPS) SSH client, which worked very well and quickly. No need to install a key or modify anything. Even if you had no SSH client installed, this method would work on most any OS.



Now, to set up a VPN to your FortiGate: the Google side of things was as easy as steps 1-2-3, and you can build a VPN in under a minute. In fact you can't select anything but the IKE version, the remote network, the IPsec endpoint and the PSK. You do more work on the FortiGate when it comes to VPN creation.

NOTE: I selected IKEv2 for this blog post.





And for the FortiGate, I've crafted the following using just a single cipher, with the proposal aes128-sha1 (AES-128-CBC with HMAC-SHA1 integrity).


NOTE: this is a route-based VPN, so we have a static route installed via the tunnel interface to reach the remote Compute Engine network 10.240.0.0/16.

A simple ping, after adding a firewall policy to allow the traffic, shows I can reach my newly created VM instance.


Google made snapshot creation simple as 1-2-3. You can name the snapshot and add a description if you so desire.



The things that impressed me the most about Compute Engine:
  •  everything is simple to execute
  •  you could walk your mom through how to launch a VM instance
  •  status updates are given just about every time you do anything
  •  reaching your VM instance over an IPsec LAN-to-LAN tunnel is very simple


Google has a limited set of zones for instances, but they seem decent, to say the least.



To learn more about Google Compute Engine:

http://en.wikipedia.org/wiki/Google_Compute_Engine

It's a simple, very well defined and reliable virtual hosting cloud. The only open questions with Google:
  •  how much trust do you have in the handling of your data in the Google cloud?
  •  and do you have a means for 100% deletion of sensitive data?




Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \

Wednesday, June 3, 2015

Wireshark under Mac OS X 10.10.3

I had big issues after the 10.10.3 Yosemite update. Now, with 10.10.3 and a fresh new Wireshark install, things are back to normal.

Wireshark is one of the best free protocol analyzers on the market and has had great Mac OS X support.

The protocol analysis for the various protocols is great. I find myself using Follow TCP Stream most of the time.


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \

A simple review of the Huawei Eudemon 1000E WebGUI interface

In this post, we will look at the simple interface of the Eudemon 1000 firewall from Huawei.

First thing: Huawei is one of the biggest telecom/network equipment makers in the Asia-Pacific region, with gross revenue in the same league as Cisco's.

They have a firewall line that runs from the enterprise to the SP realm and matches most other vendors' firewalls, along the lines of Dell SonicWALL, HP, Cisco, etc.

The WebGUI allows for an English or Chinese language selection depending on the code version. I don't believe any other languages have been offered at this time.






The dashboard is quick and responsive when compared to other vendors' firewall dashboards. It has a smooth and slick feel, and the menu has a straightforward and simple arrangement.



The unit has a wizard that can set the basic interface, DHCP and route information. It also allows you to set the unit hostname and time/date.














The firewall has a WebGUI CLI-access interface if you choose to use the CLI. The CLI will allow you to execute all actions present in the WebGUI, and more.

NOTE: Not all options and settings are available in the WebGUI.



Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \