Monday, January 23, 2017

When configuring security contexts on the ASA, which three resource class limits can be set using a rate limit?

ciscoasa/sec# show resource types
Rate limited resource types:
  
  Conns           Connections/sec
  Inspects        Inspects/sec
  Syslogs         Syslogs/sec

Absolute limit types:
  Conns           Connections
  Hosts           Hosts
  Mac-addresses   MAC Address table entries
  ASDM            ASDM Connections
  SSH             SSH Sessions
  Telnet          Telnet Sessions
  Xlates          XLATE Objects
  All             All Resources
ciscoasa/sec#




Resource Names and Limits

| Resource Name | Rate or Concurrent | Minimum and Maximum Number per Context | System Limit | Description |
|---|---|---|---|---|
| mac-addresses | Concurrent | N/A | 65,535 | For transparent firewall mode, the number of MAC addresses allowed in the MAC address table. |
| conns | Concurrent or Rate | N/A | Concurrent connections: see the "Supported Platforms and Feature Licenses" section on page A-1 for the connection limit for your platform. Rate: N/A | TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts. |
| inspects | Rate | N/A | N/A | Application inspections. |
| hosts | Concurrent | N/A | N/A | Hosts that can connect through the adaptive security appliance. |
| asdm | Concurrent | 1 minimum, 5 maximum | 32 | ASDM management sessions. Note: ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions. |
| ssh | Concurrent | 1 minimum, 5 maximum | 100 | SSH sessions. |
| syslogs | Rate | N/A | N/A | System log messages. |
| telnet | Concurrent | 1 minimum, 5 maximum | 100 | Telnet sessions. |
| xlates | Concurrent | N/A | N/A | Address translations. |

Which log level provides the most detail on the Cisco Web Security Appliance?

wsa01> advancedproxyconfig
[]> wccp

Enter values for the various "wccp" options:

Enter the log level for debugging WCCP :
[0]> 3
On AsyncOS version 7.5 and above, the logging level for WCCP logs and/or proxy logs can be changed in the GUI under "System Administration > Log Subscriptions > <Corresponding-WCCP-Log-Name>".
The logging levels show the following data:

| 7.1 log level (CLI) | 7.5 log level (GUI) | Information seen in logs at the configured log level |
|---|---|---|
| 0 | Critical | Errors |
| 1 | Warning | Errors, CONFIG |
| 2 | Information | Errors, CONFIG, INFO |
| 3 | Debug | Errors, CONFIG, INFO, STATE |
| 4 | Trace | Errors, CONFIG, INFO, STATE, CHANGE (state changes) |

Dynamic Arp Inspection (DAI)

Configuring DAI

First, check the state of the DHCP snooping table.

Example of IP ARP inspection configured on VLAN 123. The ARP access control list OUR-ARP-ACL is configured for the port where the router is connected, and that port is trusted. Port 2, where an attacker is connected, is configured as an untrusted port and rate limited; it is policed and err-disabled if the limit is violated.

Example of a CAM poisoning attack and ping sweep causing the port to err-disable. Additional validation of the source, destination and IP addresses increases security.










Friday, January 20, 2017

Why isn’t the syslog server receiving any syslog messages from the ASA?


















If the logging filter for the syslog server destination is disabled, syslog messages will not be sent to the syslog server even though logging is enabled globally and syslog servers are specified.





Applying Logging Filters

To apply filters, perform the following steps:

 1. Choose the Filter on severity option to filter syslog messages according to their severity level.

 2. Choose the Use event list option to filter syslog messages according to an event list.

 3. Choose the Disable logging from all event classes option to disable all logging to the selected destination.

 4. Click New to add a new event list. To add a new event list, see “Creating a Custom Event List”.

 5. Choose the event class from the drop-down list. Available event classes change according to the device mode that you are using.

 6. Choose the level of logging messages from the drop-down list. Severity levels include the following:

 • Emergency (level 0, system is unusable)

Note: Using a severity level of zero is not recommended.

 • Alert (level 1, immediate action is needed)

 • Critical (level 2, critical conditions)

 • Error (level 3, error conditions)

 • Warning (level 4, warning conditions)

 • Notification (level 5, normal but significant conditions)

 • Informational (level 6, informational messages only)

 • Debugging (level 7, debugging messages only)

 7. Click Add to add the event class and severity level, and then click OK.

The selected logging destination for a filter appears at the top.

ASA Active/Active failover















The ASAs are in routed and multiple context mode. Both ASAs must have similar hardware and configuration for Active/Active failover: the same operating mode, the same context mode, and the same major and minor software versions.

Two contexts named Ctx-1 and Ctx-2 are used. Ctx-1 is the admin context.

admin-context Ctx-1
context Ctx-1
  allocate-interface GigabitEthernet0
  allocate-interface GigabitEthernet1
  config-url disk0:/Ctx-1.cfg
  join-failover-group 1
!

context Ctx-2
  allocate-interface GigabitEthernet1
  allocate-interface GigabitEthernet2
  config-url disk0:/Ctx-2.cfg
  join-failover-group 2
!





Primary Active ASA configuration:

failover group 1
  preempt 120
failover group 2
  secondary
  preempt 120


failover lan unit primary
failover lan interface fail-config GigabitEthernet3
failover link fail-state GigabitEthernet4
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2

failover



As with the primary, the secondary ASA is in routed and multiple context mode and must have similar hardware and configuration for Active/Active failover. Ensure that no context configuration (.cfg) files exist on the secondary; otherwise the replicated running configuration is merged with the existing files.


In system context, "no shut" the interfaces used for failover.

Secondary Active ASA configuration:



failover lan unit secondary
failover lan interface fail-config GigabitEthernet3
failover link fail-state GigabitEthernet4
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2

failover


In the system space, allocate interfaces to the contexts and "no shut" the interfaces. Change the prompt to display the current context and priority:

prompt hostname context priority


Once the secondary ASA detects its active mate, the configuration is replicated from the primary to the secondary ASA. Any further changes must be made on the primary firewall.

ASA1/sec> .

        Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access
the configuration register.
Removing context 'Ctx-2' (2)... Done
Removing context 'Ctx-1' (1)... Done
COREDUMP UPDATE: open message queue fail: No such file or directory/2
INFO: Admin context is required to get the interfaces

Creating context 'Ctx-1'... Done. (3)

WARNING: Skip fetching the URL disk0:/Ctx-1.cfg
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.
Creating context 'Ctx-2'... Done. (4)

WARNING: Skip fetching the URL disk0:/Ctx-2.cfg
INFO: Creating context with default config
Crashinfo is NOT enabled on Full Distribution Environment

        Group 1 Detected Active mate

        Group 2 Detected Active mate
End configuration replication from mate.

INFO: UC-IME is enabled, issuing 1000 free TLS licenses for UC-IME

INFO: Issuing "tls-proxy maximum-sessions 11000" command due to license change
INFO: UC proxy will be limited to maximum of 10000 sessions by the UC Proxy license on the device

INFO: "tls-proxy maximum-sessions" config is changed, please save the running-config before system reboot











Windows 10: apps can’t open using the built-in Administrator account

Microsoft can’t be opened using the Built-in Administrator account. Sign in with a different account and try again.

Microsoft has added additional security, much like the Internet Explorer Enhanced Security that we have grown to love and hate.
To get around this message and use the Built-in Administrator account to run administrative tasks, follow these steps:
  • Navigate to the local security policy on your Windows 10 workstation. You can do this by typing secpol.msc at a search/run/command prompt.
  • Under Local Policies/Security Options, navigate to “User Account Control: Admin Approval Mode for the Built-in Administrator account”.
  • Set the policy to Enabled.

Wednesday, January 11, 2017

DHCP Pool and static reservations

To create DHCP reservations, first create the scope and then create the reservations separately with unique names. The L3 device knows that a reserved device is part of the scope (the global DHCP pool) and treats the reservations as a subset of it, because their host IP addresses fall within the scope's CIDR block.
For example, you want to create a printer scope on 10.xxx.5.0/24 with your company settings, and you have 3 printers that need permanent DHCP reservations. You decide that they will be 10.xxx.5.21, 22, and 23. You obtain the MAC addresses from the printers as 0000.1111.2222, 5555.4444.3333, and 6666.5555.4444 respectively. You create a DHCP pool for printers with your network, domain-name, dns-server, and default-router (and more options if you need them). Then you create a reservation for each printer by giving it a unique pool name, the host IP address, and the MAC address with "01" (for Ethernet) in front of it. Note that the reservation name does not have to relate to the global ip dhcp pool at all.

The configuration would look like this:
conf t
!
ip dhcp pool Printers
network 10.xxx.5.0 255.255.255.0
domain-name yourcompany.global.pvt
dns-server 10.xxx.10.100
default-router 10.xxx.5.1

ip dhcp pool Print-21
host 10.xxx.5.21 255.255.255.0
client-id 010000.1111.2222
!
ip dhcp pool Print-22
host 10.xxx.5.22 255.255.255.0
client-id 015555.4444.3333
!
ip dhcp pool Print-23
host 10.xxx.5.23 255.255.255.0
client-id 016666.5555.4444
!
end
wr mem

This works on almost all Cisco L3 devices. Note that some printers may need to use BOOTP instead of DHCP, in which case the client-id statement is different; the details are easily found in the Cisco configuration guides.

For example:

The MAC address of the PC is 2047.47D0.C89A.

Sample Config:

ip dhcp excluded-address 10.1.1.1
ip dhcp excluded-address 10.1.1.2

ip dhcp pool VLAN1
 network 10.1.1.0 255.255.255.0
 domain-name test.local
 default-router 10.1.1.1

**** YES, WORKS ****
ip dhcp pool RESERVE_POOL
 host 10.1.1.10 255.255.255.0
 client-id 0120.4747.d0c8.9a

**** NO ****
ip dhcp pool RESERVE_POOL
 host 10.1.1.10 255.255.255.0
 client-id 2047.47d0.c89a

**** NO ****
ip dhcp pool RESERVE_POOL
 host 10.1.1.10 255.255.255.0
 hardware-addr 0120.4747.d0c8.9a

**** NO ****
ip dhcp pool RESERVE_POOL
 host 10.1.1.10 255.255.255.0
 hardware-addr 2047.47d0.c89a

Note the result when trying to exclude the static address 10.1.1.10:
Switch(config)#ip dhcp excluded-address 10.1.1.10

% Address 10.1.1.10 is already excluded.
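As an added example (not part of the original post or any Cisco code), the following Python helper builds the client-id from a MAC the way the working case above does, classifies the YES/NO reservation lines against the PC's MAC, and renders a reservation pool for the printer procedure earlier in the post. The function names are my own, and `client-identifier` is assumed to be the unabbreviated form of the post's `client-id` keyword.

```python
import re

ETHERNET = "01"  # DHCP hardware-type byte for Ethernet, prefixed to the MAC

def hex_digits(s: str) -> str:
    """Strip dots, colons and dashes; lowercase; keep only hex digits."""
    return re.sub(r"[^0-9a-fA-F]", "", s).lower()

def mac_to_client_id(mac: str) -> str:
    """Return the IOS client-identifier for an Ethernet MAC.

    The hardware-type byte is prepended to the six MAC bytes and the
    14 hex digits are regrouped into dotted quads, so 2047.47D0.C89A
    becomes 0120.4747.d0c8.9a (the form the post marks as working).
    """
    digits = hex_digits(mac)
    if len(digits) != 12:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    raw = ETHERNET + digits
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))

def check_reservation(line: str, mac: str) -> str:
    """Classify one reservation line against the MAC the client presents.

    Returns 'ok' for a client-id carrying 01 + MAC; otherwise a reason that
    mirrors the rejected variants in the post. Dotted grouping is ignored,
    so 010000.1111.2222 and 0100.0011.1122.22 compare as the same value.
    """
    keyword, _, value = line.strip().partition(" ")
    if keyword.startswith("hardware-addr"):
        return "hardware-addr matches BOOTP clients; a DHCP client is matched on client-id"
    if not keyword.startswith("client-id"):
        return "not a reservation line"
    got, want = hex_digits(value), ETHERNET + hex_digits(mac)
    if got == want:
        return "ok"
    if got == hex_digits(mac):
        return "client-id lacks the 01 hardware-type prefix"
    return "client-id does not match the MAC"

def reservation_pool(name: str, ip: str, mask: str, mac: str) -> str:
    """Render a one-host reservation pool for the given MAC (assumed full keyword)."""
    return "\n".join([
        f"ip dhcp pool {name}",
        f" host {ip} {mask}",
        f" client-identifier {mac_to_client_id(mac)}",
        "!",
    ])
```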