mac-addresses
|
Concurrent
|
N/A
|
65,535
|
For transparent firewall mode, the number of MAC addresses allowed in the MAC address table.
|
conns
|
Concurrent or Rate
|
N/A
|
Concurrent connections: See the "Supported Platforms and Feature Licenses" section on page A-1 for the connection limit for your platform.
Rate: N/A
|
TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts.
|
inspects
|
Rate
|
N/A
|
N/A
|
Application inspections.
|
hosts
|
Concurrent
|
N/A
|
N/A
|
Hosts that can connect through the adaptive security appliance.
|
asdm
|
Concurrent
|
1 minimum
5 maximum
|
32
|
ASDM management sessions.
Note ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions.
|
ssh
|
Concurrent
|
1 minimum
5 maximum
|
100
|
SSH sessions.
|
syslogs
|
Rate
|
N/A
|
N/A
|
System log messages.
|
telnet
|
Concurrent
|
1 minimum
5 maximum
|
100
|
Telnet sessions.
|
xlates
|
Concurrent
|
N/A
|
N/A
|
Address translations.
|
Monday, January 23, 2017
When configuring security contexts on the ASA which three resource class limits can be set using a rate limit
Which log level provides the most detail on the Cisco Web Security Appliance
wsa01> advancedproxyconfig []> wccp Enter values for the various "wccp" options: Enter the log level for debugging WCCP : [0]> 3 |
On AsyncOS version 7.5 and above: The logging level for WCCP logs and/or proxy logs can be changed in GUI under "System Administration > Log Subscriptions > <Corresponding-WCCP-Log-Name>"
The logging levels will show the following data:
7.1 log level (CLI) | 7.5 Log level (GUI) | Information seen in logs at the configured log level |
0 | Critical | Errors |
1 | Warning | Errors, CONFIG, |
2 | Information | Errors, CONFIG, INFO |
3 | Debug |
Errors, CONFIG, INFO, STATE
|
4 | Trace | Errors, CONFIG, INFO, STATE, CHANGE (state changes) |
Dynamic Arp Inspection (DAI)
Configuring DAI
First check state of DHCP snooping table.
Example of IP arp inspection configured on VLAN 123. Arp access control list OUR-ARP-ACL is configured for the port where router is connected and is trusted
Port 2 where an attacker is configured as untrusted port, rate limited. It is policed and err-disabled if violated.
First check state of DHCP snooping table.
Example of IP arp inspection configured on VLAN 123. Arp access control list OUR-ARP-ACL is configured for the port where router is connected and is trusted
Port 2 where an attacker is configured as untrusted port, rate limited. It is policed and err-disabled if violated.
Example of an CAM poisoning attack and ping sweep causing port to err-disable,. Additional validation of source, destination and IP address to increase security.
\
Friday, January 20, 2017
Why isn’t the syslog server receiving any syslog messages from ASA
If the logging filters is disabled for the syslog servers then syslog messages wlll not get send to the syslog server even it is enabled globally and syslog servers are specified.
To apply filters, perform the following steps:
1. Choose the Filter on severity option to filter syslog messages according to their severity level.
2. Choose the Use event list option to filter syslog messages according to an event list.
3. Choose the Disable logging from all event classes option to disable all logging to the selected destination.
4. Click New to add a new event list. To add a new event list, see the “Creating a Custom Event List”.
5. Choose the event class from the drop-down list. Available event classes change according to the device mode that you are using.
6. Choose the level of logging messages from the drop-down list. Severity levels include the following:
• Emergency (level 0, system is unusable)
Note Using a severity level of zero is not recommended.
• Alert (level 1, immediate action is needed)
• Critical (level 2, critical conditions)
• Error (level 3, error conditions)
• Warning (level 4, warning conditions)
• Notification (level 5, normal but significant conditions)
• Informational (level 6, informational messages only)
• Debugging (level 7, debugging messages only)
7. Click Add to add the event class and severity level, and then click OK.
The selected logging destination for a filter appears at the top.
Tuesday, January 17, 2017
ASA Active/Active failover
ASA in routed and multiple context mode. ASA must be similar in hardware and configuration for ACTIVE/ACTIVE failover. Both firewall must be in same operating mode, context mode, and same major and minor software versions.
Two contexts named Ctx-1 and Ctx-2 are used. Ctx-1 is the admin context
admin-context Ctx-1
context Ctx-1
allocate-interface GigabitEthernet0
allocate-interface GigabitEthernet1
config-url disk0:/Ctx-1.cfg
join-failover-group 1
!
context Ctx-2
allocate-interface GigabitEthernet1
allocate-interface GigabitEthernet2
config-url disk0:/Ctx-2.cfg
join-failover-group 2
!
Primary Active ASA configuration:
failover group 1
preempt 120
failover group 2
secondary
preempt 120
failover lan unit primary
failover lan interface fail-config GigabitEthernet3
failover link fail-state GigabitEthernet4
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2
failover
Similarly to the primary, ASA in routed and multiple context mode. ASA must be similar in hardware and configuration for ACTIVE/ACTIVE failover. Ensure that no context configuration (CFG) files exist otherwise running config file is merged with existing
In system context, "no shut" the interfaces used for failover.
Secondary Active ASA configuration:
failover lan unit secondary
failover lan interface fail-config GigabitEthernet3
failover link fail-state GigabitEthernet4
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2
failover
In system space, allocate interfaces to the contexts, "no shut" the interfaces. Chnage the prompt to display the current context and priority
prompt hostname context priority
Once secondary ASA is found, the configuration is replicated to the secondary ASA from the primary. Any new changed needs to be made on the primary firewall.
ASA1/sec> .
Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access
the configuration register.
Removing context 'Ctx-2' (2)... Done
Removing context 'Ctx-1' (1)... Done
COREDUMP UPDATE: open message queue fail: No such file or directory/2
INFO: Admin context is required to get the interfaces
Creating context 'Ctx-1'... Done. (3)
WARNING: Skip fetching the URL disk0:/Ctx-1.cfg
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.
Creating context 'Ctx-2'... Done. (4)
WARNING: Skip fetching the URL disk0:/Ctx-2.cfg
INFO: Creating context with default config
Crashinfo is NOT enabled on Full Distribution Environment
Group 1 Detected Active mate
Group 2 Detected Active mate
End configuration replication from mate.
INFO: UC-IME is enabled, issuing 1000 free TLS licenses for UC-IME
INFO: Issuing "tls-proxy maximum-sessions 11000" command due to license change
INFO: UC proxy will be limited to maximum of 10000 sessions by the UC Proxy license on the device
INFO: "tls-proxy maximum-sessions" config is changed, please save the running-config before system reboot
Windows 10 can’t oprn using the built-in administrator account
Microsoft can’t be opened using the Built-in Administrator account. Sign in with a different account and try again.
Microsoft now added additional security is in place much like the Internet Explorer Enhanced Security that we have grown to love and hate.
In order to get around this message and be able to use your Built-in Administrator account to run administrative tasks, follow the following steps to get up and running.
- Navigate to your local security policy on your Windows 10 workstation – You can do this by typing secpol.msc at a search/run/command prompt.
- Under Local Policies/Security Options navigate to “User Account Control Admin Approval Mode for the Built-in Administrator account“
- Set the policy to Enabled
Wednesday, January 11, 2017
DHCP Pool and static reservations
To create DHCP reservations, you should first create the scope and then create the reservations separately with unique names. The L3 device will know that the reserved device is a part of the scope (global DHCP pool) and make them a subset of it because their host IP addresses are within the scope CIDR block.
For example, you want to create a printer scope on 10.xxx.5.0/24 with you company settings and you have 3 printers that you want to have permanent DHCP reservations. You decide that they will be 10.xxx.5.21, 22, and 23. You obtain the MAC addresses from the printers as 0000.1111.2222, 5555.4444.3333, and 6666.5555.4444 respectively. You would create a dhcp pool for printers with you network, domain-name, dns-server, and default-router (and more features if you need them). Then you would create a reservation for each printer by giving it a unique pool name, the host IP address, and the MAC address with an "01" for Ethernet in front of it. Note that the reservation name does not have to relate to the global ip dhcp pool at all.
The configuration would look like this:
conf t
!
ip dhcp pool Printers
network 10.xxx.5.0 255.255.255.0
domain-name yourcompany.global.pvt
dns-server 10.xxx.10.100
default-router 10.xxx.5.1
ip dhcp pool Print-21
host 10.xxx.5.21 255.255.255.0
client-id 010000.1111.2222
!
ip dhcp pool Print-22
host 10.xxx.5.22 255.255.255.0
client-id 015555.4444.3333
!
ip dhcp pool Print-23
host 10.xxx.5.23 255.255.255.0
client-id 016666.5555.4444
!
end
wr mem
This will work on most all Cisco L3 devices. Note that some printers may need to use BootP instead of DHCP and therefore the client-id statement would be different. That is easily found on Cisco configuration guides.
For example:
Sample Config:
ip dhcp excluded-address 10.1.1.1
ip dhcp excluded-address 10.1.1.2
ip dhcp pool VLAN1
network 10.1.1.0 255.255.255.0
domain-name test.local
default-router 10.1.1.1
****YES WORKS***
ip dhcp pool RESERVE_POOL
host 10.1.1.10 255.255.255.0
client-id 0120.4747.d0c8.9a
****NO******
ip dhcp pool RESERVE_POOL
host 10.1.1.10 255.255.255.0
client-id 2047.47d0.c89a
****N0******
ip dhcp pool RESERVE_POOL
host 10.1.1.10 255.255.255.0
hardware-addr 0120.4747.d0c8.9a
*****NO*******
ip dhcp pool RESERVE_POOL
host 10.1.1.10 255.255.255.0
hardware-addr 2047.47d0.c89a
Note when excluding a static address 10.1.1.10:
Switch(config)#ip dhcp excluded-address 10.1.1.10
% Address 10.1.1.10 is already excluded.