Monday, January 23, 2017

When configuring security contexts on the ASA which three resource class limits can be set using a rate limit

ciscoasa/sec# show resource types
Rate limited resource types:
  
  Conns           Connections/sec
  Inspects        Inspects/sec
  Syslogs         Syslogs/sec

Absolute limit types:
  Conns           Connections
  Hosts           Hosts
  Mac-addresses   MAC Address table entries
  ASDM            ASDM Connections
  SSH             SSH Sessions
  Telnet          Telnet Sessions
  Xlates          XLATE Objects
  All             All Resources
ciscoasa/sec#




Resource Names and Limits 



Resource Name



Rate or Concurrent



Minimum and Maximum Number per Context



System Limit 1



Description

mac-addresses

Concurrent

N/A

65,535

For transparent firewall mode, the number of MAC addresses allowed in the MAC address table.

conns

Concurrent or Rate

N/A

Concurrent connections: See the "Supported Platforms and Feature Licenses" section on page A-1 for the connection limit for your platform.

Rate: N/A

TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts.

inspects

Rate

N/A

N/A

Application inspections.

hosts

Concurrent

N/A

N/A

Hosts that can connect through the adaptive security appliance.

asdm

Concurrent

1 minimum

5 maximum

32

ASDM management sessions.

Note ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions.

ssh

Concurrent

1 minimum

5 maximum

100

SSH sessions.

syslogs

Rate

N/A

N/A

System log messages.

telnet

Concurrent

1 minimum

5 maximum

100

Telnet sessions.

xlates

Concurrent

N/A

N/A

Address translations.

Which log level provides the most detail on the Cisco Web Security Appliance

wsa01> advancedproxyconfig
[]> wccp

Enter values for the various "wccp" options:

Enter the log level for debugging WCCP :
[0]> 3
On AsyncOS version 7.5 and above: The logging level for WCCP logs and/or proxy logs can be changed in GUI under "System Administration  > Log Subscriptions  >  <Corresponding-WCCP-Log-Name>"
The logging levels will show the following data&colon;
7.1 log level (CLI)7.5 Log level (GUI)Information seen in logs at the configured log level
          0CriticalErrors
          1WarningErrors, CONFIG,
          2InformationErrors, CONFIG, INFO
          3Debug
Errors, CONFIG, INFO, STATE
          4TraceErrors, CONFIG, INFO, STATE, CHANGE (state changes)

Dynamic Arp Inspection (DAI)

Configuring DAI

First check state of DHCP snooping table.

Example of IP arp inspection configured on VLAN 123.  Arp access control list OUR-ARP-ACL is configured for the port where router is connected and is trusted
Port 2 where an attacker is configured as untrusted port, rate limited. It is policed and err-disabled if violated.



Example of an CAM poisoning attack and ping sweep causing port to err-disable,. Additional validation of source, destination and IP address to increase security.  
\










Friday, January 20, 2017

Why isn’t the syslog server receiving any syslog messages from ASA


















If the logging filters is disabled for the syslog servers then syslog messages wlll not get send to the syslog server even it is enabled globally and syslog servers are specified. 





Applying Logging Filters

To apply filters, perform the following steps:

 1. Choose the Filter on severity option to filter syslog messages according to their severity level.

 2. Choose the Use event list option to filter syslog messages according to an event list.

 3. Choose the Disable logging from all event classes option to disable all logging to the selected destination.

 4. Click New to add a new event list. To add a new event list, see the “Creating a Custom Event List”.

 5. Choose the event class from the drop-down list. Available event classes change according to the device mode that you are using.

 6. Choose the level of logging messages from the drop-down list. Severity levels include the following:

 • Emergency (level 0, system is unusable)

Note Using a severity level of zero is not recommended.

 • Alert (level 1, immediate action is needed)

 • Critical (level 2, critical conditions)

 • Error (level 3, error conditions)

 • Warning (level 4, warning conditions)

 • Notification (level 5, normal but significant conditions)

 • Informational (level 6, informational messages only)

 • Debugging (level 7, debugging messages only)

 7. Click Add to add the event class and severity level, and then click OK.

The selected logging destination for a filter appears at the top.

Tuesday, January 17, 2017

When creating a SNMP v3 user a SNMP group option must be associated with it.


What is the default logging buffer size in memory of the Cisco ASA adaptive security appliance


ASA Active/Active failover















ASA in routed and multiple context mode. ASA must be similar in hardware and configuration for ACTIVE/ACTIVE failover.  Both firewall must be in same operating mode, context mode, and same major and minor software versions.

Two contexts named Ctx-1 and Ctx-2 are used.  Ctx-1 is the admin context

admin-context Ctx-1
context Ctx-1
  allocate-interface GigabitEthernet0
  allocate-interface GigabitEthernet1
  config-url disk0:/Ctx-1.cfg
  join-failover-group 1
!

context Ctx-2
  allocate-interface GigabitEthernet1
  allocate-interface GigabitEthernet2
  config-url disk0:/Ctx-2.cfg
  join-failover-group 2
!





Primary Active ASA configuration:

failover group 1
  preempt 120
failover group 2
  secondary
  preempt 120


failover lan unit primary
failover lan interface fail-config GigabitEthernet3
failover link fail-state GigabitEthernet4
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2

failover



Similarly to the primary, ASA in routed and multiple context mode. ASA must be similar in hardware and configuration for ACTIVE/ACTIVE failover.  Ensure that no context configuration (CFG) files exist otherwise running config file is merged with existing


In system context, "no shut" the interfaces used for failover.

Secondary Active ASA configuration:



failover lan unit secondary
failover lan interface fail-config GigabitEthernet3
failover link fail-state GigabitEthernet4
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2

failover


In system space, allocate interfaces to the contexts, "no shut" the interfaces. Chnage the prompt to display the current context and priority

prompt hostname context priority


Once secondary ASA is found, the configuration is replicated to the secondary ASA from the primary.  Any new changed needs to be made on the primary firewall.

ASA1/sec> .

        Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access
the configuration register.
Removing context 'Ctx-2' (2)... Done
Removing context 'Ctx-1' (1)... Done
COREDUMP UPDATE: open message queue fail: No such file or directory/2
INFO: Admin context is required to get the interfaces

Creating context 'Ctx-1'... Done. (3)

WARNING: Skip fetching the URL disk0:/Ctx-1.cfg
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.
Creating context 'Ctx-2'... Done. (4)

WARNING: Skip fetching the URL disk0:/Ctx-2.cfg
INFO: Creating context with default config
Crashinfo is NOT enabled on Full Distribution Environment

        Group 1 Detected Active mate

        Group 2 Detected Active mate
End configuration replication from mate.

INFO: UC-IME is enabled, issuing 1000 free TLS licenses for UC-IME

INFO: Issuing "tls-proxy maximum-sessions 11000" command due to license change
INFO: UC proxy will be limited to maximum of 10000 sessions by the UC Proxy license on the device

INFO: "tls-proxy maximum-sessions" config is changed, please save the running-config before system reboot