I ran into a few problems with an ASA 5558-X reading a simple USB disk under 9.3.1.
Here's an ASA 9.4.1 USB disk and its filesystem.
9.4.1
9.3.1
The 2nd problem: the OSPF table was populated with OSPF-learned routes in another ASA after we had the cluster split running 9.4.1 and 9.3.1.
************WARNING****WARNING****WARNING********************************
Mate version 9.4(1) is not identical with ours 9.3(1)
************WARNING****WARNING****WARNING********************************
Funny thing: all OSPF routes were in the correct multi-context route table, but NO OSPF neighbors were shown or existed.
Note: I'm also running dual OSPF processes between the outside (external) and inside (internal).
We had to immediately reboot the stand-by 9.3.1 cluster member to bring it up to 9.4.1 and allow the 2 Cisco ASAs to re-sync.
That was by far the weirdest issue that I have ever seen during any upgrade. I would have opened a Cisco TAC ticket, but I'm sure Cisco TAC would have just stated to upgrade to 9.4.1 to begin with.
The 9.4.1 upgrade strategy allows you to upgrade to 9.4.1 directly from 9.3.x, but I never would have expected the OSPF database to get corrupted.
An upgrade to 9.4.1 fixed the issues.
NOTE: I found an interesting command option that I never knew about.
You can query OSPF routes per OSPF process directly by specifying the OSPF process ID,
e.g. (proc 44 vs. 45):
FWMAcontext2/act/FWMAFW1# show route ospf 44 | inc 0.0.0.0
Gateway of last resort is 192.0.2.17 to network 0.0.0.0
O*IA 0.0.0.0 0.0.0.0 [110/11] via 192.0.2.17, 00:06:29, EXTERNAL02
FWMAcontext2/act/FMAFW1#
FWMAcontext2/act/FWMAFW1# show route ospf 45 | incl 10.2.2.0
O 10.2.2.0 255.255.255.0
FWMAcontext2/act/FWMAFW1#
I hope this helps someone else. If you don't specify the process ID, you get ALL OSPF routes for that context.
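As an added example (not from the post), here is a small Python parser for the per-process show route ospf output above, plus a helper to diff the prefixes two units report, which is the comparison you would want when one cluster member shows OSPF routes but no neighbors. The sample lines are constructed from the post's output; the post's 10.2.2.0 line is truncated, so the [AD/metric], next hop, age and interface on the proc-45 lines are assumed values.

```python
import re

# Constructed sample output modelled on the post's "show route ospf 44" and
# "show route ospf 45" lines. The proc-45 metric/next-hop/age/interface
# fields are assumed (the post's line is cut off after the mask).
SAMPLE_OUTPUT = {
    44: "Gateway of last resort is 192.0.2.17 to network 0.0.0.0\n"
        "O*IA 0.0.0.0 0.0.0.0 [110/11] via 192.0.2.17, 00:06:29, EXTERNAL02\n",
    45: "O 10.2.2.0 255.255.255.0 [110/20] via 10.1.1.2, 01:12:05, INSIDE01\n"
        "O E2 10.9.0.0 255.255.0.0 [110/1] via 10.1.1.2, 01:12:05, INSIDE01\n",
}

# One ASA route line: code (O, O IA, O*IA, O E2, ...), prefix, mask,
# [admin-distance/metric], next hop, age, egress interface.
ROUTE_RE = re.compile(
    r"^(?P<code>O\*?(?:\s?(?:IA|E1|E2|N1|N2))?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\S+),\s+"
    r"(?P<age>\S+),\s+(?P<iface>\S+)\s*$"
)

def parse_ospf_routes(process_id, text):
    """Parse 'show route ospf <proc>' output into dicts tagged with the process ID.
    Non-route lines ("Gateway of last resort ...", blanks) are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        code = m.group("code")
        routes.append({
            "process": process_id,
            "type": " ".join(code.replace("*", " ").split()),  # "O", "O IA", "O E2"
            "candidate_default": "*" in code,
            "prefix": m.group("prefix"),
            "mask": m.group("mask"),
            "ad": int(m.group("ad")),
            "metric": int(m.group("metric")),
            "next_hop": m.group("nexthop"),
            "age": m.group("age"),
            "interface": m.group("iface"),
        })
    return routes

def diff_prefixes(routes_a, routes_b):
    """(only in A, only in B) by (process, prefix, mask), e.g. to compare the
    active and standby members' per-process tables after a version-split event."""
    key = lambda r: (r["process"], r["prefix"], r["mask"])
    a, b = {key(r) for r in routes_a}, {key(r) for r in routes_b}
    return sorted(a - b), sorted(b - a)
```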
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \
Wednesday, June 17, 2015
Cisco ASA unattended reboots
The ASA has the ability to execute pre-scheduled, unattended reboots. This is great when you need to reboot a Cisco ASA cluster but don't want to wake up for it at 02:00 AM.
e.g.
The CLI command reload save-config in 00:10 noconfirm will save the config and reboot the unit in 10 minutes with no confirmation.
To check whether any reloads are scheduled, execute the following command:
show reload
To cancel a reload, execute the following command: reload cancel.
In an environment with many users it's ideal to include a reason on the command line so you can warn all active logins of the reason for the reboot.
An even more detailed note should be used, IMHO.
e.g
NX3500 upgrade
New software was released by CSCO for the Nexus 3500, so I'm giving it a test run. What I found interesting was the name format (A4 vs. A6); not sure if this was an oversight or whether A6 and A4 sub-trains are running.
15-JUN-2015 Release 6.0(2)A4(6)
vs.
10-APR-2015 Release 6.0(2)A6(2)
(before)
(after)
pfSense VPN dialup (debug log)
The IPsec logs for pfSense are excellent for validating a dynamic VPN client and troubleshooting issues with establishing connectivity.
If you are ever curious about the proposals that your client submits, just review the logs after a client attempts access. Here's a Mac OS X 10.10.3 host using the native client:
(notice how we failed due to a lack of matching proposals)
So out of all of the proposals the client submitted, none matched the single proposal offered by the pfSense gateway. Various VPN clients, native or non-native, can support a wide range of proposals.
A difference in the client OS version or type (Windows/Mac/Android/iPhone/...) can change the proposal offerings submitted by the client.
If you're failing authentication (XAuth), you will see a log message similar to the one below.
Sometimes you have the right authentication and ciphers but the DH group key strength is wrong.
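To make the "no matching proposal" failure above concrete, here is an added Python example (not from the post or from pfSense) that models the phase 1 negotiation as a full-tuple match and reports, per client proposal, which attribute broke the match. The client and gateway proposals are constructed values, not the ones from the post's log screenshot.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proposal:
    enc: str        # encryption algorithm, e.g. "aes-256", "3des"
    integ: str      # hash/integrity algorithm, e.g. "sha1", "sha256"
    dh: int         # DH group number (2 = 1024-bit MODP, 14 = 2048-bit MODP, ...)
    auth: str       # authentication method, e.g. "psk", "xauth-psk", "rsa"

# Constructed proposal lists (assumed values, not taken from the post's log).
# A client typically offers several tuples; the gateway here offers one.
CLIENT_PROPOSALS = [
    Proposal("aes-256", "sha1", 14, "xauth-psk"),
    Proposal("aes-256", "sha1", 2, "xauth-psk"),
    Proposal("aes-128", "sha1", 2, "xauth-psk"),
    Proposal("3des", "sha1", 2, "xauth-psk"),
]
GATEWAY_PROPOSALS = [Proposal("aes-256", "sha256", 14, "xauth-psk")]

FIELDS = ("enc", "integ", "dh", "auth")

def diff_fields(a, b):
    """Attribute names on which proposals a and b differ."""
    return [f for f in FIELDS if getattr(a, f) != getattr(b, f)]

def negotiate(client_proposals, gateway_proposals):
    """First client proposal the gateway accepts, or None if no full tuple matches.
    Phase 1 selection is all-or-nothing: one differing field rejects the tuple."""
    accepted = set(gateway_proposals)
    for p in client_proposals:
        if p in accepted:
            return p
    return None

def explain_mismatch(client_proposals, gateway_proposals):
    """For each client proposal, the fields that differ from the closest gateway
    proposal. Reading this beside the log shows whether the gap is the cipher,
    the hash, or only the DH group strength."""
    report = []
    for p in client_proposals:
        closest = min(gateway_proposals, key=lambda g: len(diff_fields(p, g)))
        report.append((p, diff_fields(p, closest)))
    return report
```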
To review the ipsec.conf file, you can use the WebGUI command-line tool and run more on the config file.
e.g
Thursday, June 11, 2015
8 tips for the Huawei Eudemon 1000
Here are my 8 tips for the Eudemon firewall:
1: The Eudemon 1000 supports routed, transparent or composite mode; the firewall mode composite command sets the firewall for both (default = routed).
2: Be aware of the zone priorities and how they work. A higher priority to a lower one is considered outbound; the reverse is considered inbound. An interface can be in one zone only, BUT not the local zone.
3: ACLs are number-range specific; be aware of the differences:
2000-2999 == BASIC ACL (source address only)
3000-3999 == ADVANCED ACL (source port/dest port, source address/dest address, upper-layer protocol/service)
5000-5999 == FIREWALL ACL (src/dest address and dest port)
4: Use the lock cli-cmd from the CLI to lock others out when configuring the firewall.
5: The display this cli-cmd shows what's configured in the system view that you're currently located in.
6: The system-view immediately cli-cmd is great to execute the config change immediately, but use it with care. Any mistake could be service impacting.
7: The preview all configuration cli-cmd helps to validate the configuration before the commit. You should use it 100% of the time, IMHO.
8: Execute display configuration <filename> before loading a previously saved config to validate the configuration before loading.
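As an added example (not from the post), here is a small Python lint for tip 3: given an ACL number and the match fields a rule uses, it reports any field that ACL type cannot match on, and suggests the lowest range that covers the rule. The field-set mapping follows the three ranges listed in the tip; the field names and the sample rules are assumed values.

```python
# ACL number ranges and the match fields each type may use, per tip 3 above.
# Field names (src_addr, dst_addr, src_port, dst_port, protocol) are assumed
# labels for this example, not Huawei CLI keywords.
ACL_TYPES = {
    "basic":    (range(2000, 3000), {"src_addr"}),
    "advanced": (range(3000, 4000), {"src_addr", "dst_addr", "src_port", "dst_port", "protocol"}),
    "firewall": (range(5000, 6000), {"src_addr", "dst_addr", "dst_port"}),
}

def acl_type(number):
    """Name of the ACL type the number falls in, or None if it is in no listed range."""
    for name, (rng, _) in ACL_TYPES.items():
        if number in rng:
            return name
    return None

def check_rule(acl_number, rule):
    """Problems with placing `rule` (a dict of match field -> value) in ACL `acl_number`.
    An empty list means every field the rule uses is supported by that ACL type."""
    kind = acl_type(acl_number)
    if kind is None:
        return [f"ACL {acl_number} is outside the basic/advanced/firewall ranges"]
    allowed = ACL_TYPES[kind][1]
    return [f"{kind} ACL {acl_number} cannot match on {f}" for f in sorted(set(rule) - allowed)]

def suggest_range(rule):
    """(type, first number) of the lowest-numbered ACL type whose field set covers
    the rule, or None if no type does. Useful before picking an ACL number."""
    for name, (rng, allowed) in ACL_TYPES.items():
        if set(rule) <= allowed:
            return name, rng.start
    return None

# Constructed sample rules (assumed values) to exercise the checks.
SAMPLE_RULES = {
    2005: {"src_addr": "10.1.1.0/24", "dst_port": 443},              # wrong: basic ACL
    5005: {"src_addr": "10.1.1.0/24", "dst_addr": "10.2.2.0/24", "dst_port": 443},
}
```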
NX-OS flexlinks and vPC
I was trying a new vPC config on an NX-OS switch running "6.0(2)A6(2)" and found that having feature flexlink enabled will prevent feature vpc from being executed. Likewise, if feature vpc is enabled you can't enable flexlink.
Check out these screenshots:
So now, what are flexlinks?
It's a means of providing a redundant backup uplink, with the limitation that you can't run vPC on the switch. With flexlink you define a pair of links, with one member placed active and the 2nd member as backup. If the active member goes down, the 2nd member will become active.
So keep that in mind before you define redundant members, and whether you plan on using vPC or flexlinks.
Saturday, June 6, 2015
GOOG Compute Engine: kicking the tires (w/ the FortiGate)
Yes, I was shocked. I've asked them about this feature over 10 months ago and they told me they are working on it. So I guess they are still drafting out the IPv6 design and deployment.
Now, the VM instances are quick and simple to engage. GOOG has a few canned images available, but still no virtual firewall instances from any major vendor.
The start-up of my simple VM instance is quick and almost instant.
They do offer a few means of accessing the CLI of the VM instance; I used the integral HTTPS browser client, which seems to work very well and quickly. No need to install a key or modify anything. Even if you had no SSH client, this method would work for almost all OSes.
Now, to set up a VPN to your FortiGate, the GOOG side of things was like steps 1-2-3. You can build a VPN in under 1 minute. In fact you can't select anything but the IKE version, the remote network, the IPsec endpoint and the PSK. You do more work on the FortiGate when it comes to VPN creation.
NOTE: I selected IKEv2 for this blog post.
And for the FortiGate, I've crafted the following using just a single cipher, with the proposal aes128-sha1.
NOTE: this is a route-based VPN, so we have a route installed to reach the remote compute network 10.240.0.0/16.
A simple ping, after adding a firewall policy to allow the traffic, shows I can reach my newly created VM instance.
GOOG made snapshot creation as simple as 1-2-3. You can set the snapshot description if you so desire.
- everything is simple to execute
- you could walk your mom through how to launch a VM instance
- status updates are given just about every time you do anything
- accessing your VM instance is so simple for IPsec LAN-to-LAN
To learn more about Google Compute Engine:
http://en.wikipedia.org/wiki/Google_Compute_Engine
It's a simple, very well-defined and reliable virtual hosting cloud. The only things with GOOG:
- how much trust do you have in data in the Google cloud?
- and do you have a means for 100% deletion of sensitive data?
Wednesday, June 3, 2015
Wireshark under Mac OS X 10.10.3
I've had big issues under the 10.10.3 Yosemite update. Now, with 10.10.3 and a fresh new Wireshark install, things are back to normal.
Wireshark is one of the best free protocol analyzers on the market and has had great Mac OS X support.
The protocol analysis for various protocols is great. I find myself using the follow-a-TCP-session feature most of the time.
A simple review of the Huawei Eudemon 1000E WebGUI interface
In this post, we will look at the simple interface of the Eudemon 1000 firewall from Huawei.
First thing: Huawei is one of the biggest telecom/network equipment makers in the ASIAPAC area. Its gross revenues are actually higher than Cisco's or HP's, and probably bigger than the top 2 equipment makers in the USA combined.
They have a firewall that is used from the enterprise to the SP realm and that matches most other vendor firewalls along the lines of Dell SonicWall, HP, Cisco, etc.
The WebGUI interface allows for an English or Chinese language selection depending on the code. I don't believe any other languages have been offered at this time.
The dashboard is quick and responsive when compared to other vendors' firewall dashboards. It has a smooth and slick feel, and the menu has a straightforward and simple arrangement.
The unit has a wizard that can set the basic interface, DHCP and route information. It also allows you to set the unit hostname and time/date.
The firewall has a WebGUI CLI access interface if you choose to use the CLI. The CLI will allow you to execute all actions present in the WebGUI and more.
NOTE: Not all options and settings are available in the WebGUI.