24. April 2014 · Creating Read-Only User Accounts on Cisco ASA5500 · Categories: Cisco

All users configured on the ASA are assigned a privilege level. This privilege level is specified when configuring the username as follows:

hostname(config)# username name password password privilege priv_level

The privilege level can be any value from 0 (least permissive) to 15 (most permissive), with 2 being the default. Do note that if you want to grant the user access to privileged EXEC mode, you should use the range from 2 to 15. For the purpose of assigning read-only access to a user, we will use a privilege level of 5.

AAA refers to authentication, authorization and accounting. It allows us to authenticate who the user is, authorize what that user is allowed to do, and then keep an accounting record showing what that user has done. In order to create a read-only user account, we need to define which commands the user should be granted access to. This requires knowledge of who the user is, so we first need to ensure that user authentication is configured.

To enable AAA authentication, use the following command:


17. April 2014 · OpenSSL Heartbeat (Heartbleed) Vulnerability (CVE-2014-0160) and its High-Level Mechanics · Categories: Cisco, Linux, Microsoft, Office365, VMWARE, Windows

Cisco devices are not affected, as they are running OpenSSL version 0.9.8 on the newest 9.01 IOS software. Most Cisco firewalls have older IOS versions and therefore have older versions of OpenSSL.

The Heartbleed bug was introduced in OpenSSL 1.0.1 and is present in:
• 1.0.1
• 1.0.1a
• 1.0.1b
• 1.0.1c
• 1.0.1d
• 1.0.1e
• 1.0.1f
The bug is not present in 1.0.1g, nor is it present in the 1.0.0 branch nor the 0.9.8 branch of OpenSSL.
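As an added example (not from the original post), a small Python check that classifies `openssl version` output against the release list above, so a host inventory can be triaged; the inventory and host names are constructed.

```python
import re

# Releases the post lists as affected: plain 1.0.1 through 1.0.1f.
# 1.0.1g and the 1.0.0 and 0.9.8 branches are not affected.
AFFECTED_1_0_1_SUFFIXES = ("", "a", "b", "c", "d", "e", "f")

# Matches the start of `openssl version` output, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> tuple:
    """Return (major, minor, fix, letter) from an `openssl version` banner.

    Build tags such as "-fips" and the build date are ignored; a release with
    no letter (plain "1.0.1") is returned with an empty letter string.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version string in {banner!r}")
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def is_heartbleed_affected(banner: str) -> bool:
    """True if the banner reports one of the 1.0.1 releases listed in the post."""
    major, minor, fix, letter = parse_openssl_version(banner)
    return (major, minor, fix) == (1, 0, 1) and letter in AFFECTED_1_0_1_SUFFIXES


def triage(inventory: dict) -> list:
    """Return host names (sorted) whose recorded banner is an affected release.

    Caveat: distribution packages that backport the fix keep the old version
    string, so a hit means "check the package changelog", not "exploitable".
    """
    return sorted(h for h, banner in inventory.items() if is_heartbleed_affected(banner))


# Constructed inventory of `openssl version` output; these are not real hosts.
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web02": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-fw": "OpenSSL 0.9.8y 5 Feb 2013",
    "mail01": "OpenSSL 1.0.0k 5 Feb 2013",
    "build01": "OpenSSL 1.0.1 14 Mar 2012",
}

if __name__ == "__main__":
    print("hosts to verify:", triage(SAMPLE_INVENTORY))  # ['build01', 'web01']
```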

28. November 2013 · Password Recovery Procedures for Cisco Products · Categories: Cisco

This post is an index of password recovery procedures for Cisco products. For security reasons, the password recovery procedures listed here require physical access to the equipment.

Index

Routers

• Cisco 2600 Series Routers
• Cisco 3600 Series Routers
• Cisco 3700 Series Routers
• Cisco 801, 802, 803, 804, 805, 811, and 813 Series Routers
• Cisco 806, 826, 827, 828, 831, 836 and 837 Series Routers
• Cisco SOHO 76, 77, 78, 91, 96, and 97 Routers

Integrated Services Routers (ISR) Products

• Cisco 1800 Series Routers
• Cisco 2800 Series Routers
• Cisco 3800 Series Routers
• Cisco 2900 Series Routers
• Cisco 1900 Series Routers

High-End Routers

• Cisco 12000 Series Routers
• Cisco uBR7100
• Cisco 7200 Series Routers
• Cisco 7000 Series Routers
• Cisco uBR7200
• Cisco AGS
• Cisco 7000 Series Route Switch Processor (RSP7000)
• Cisco uBR10000 Route Processor Module
• Cisco 7100 Series Routers
• Cisco 7500 Series Routers
• Cisco XR 12000 Series Routers

LAN Switches

• EtherSwitch/FastSwitch/FastHub
• Catalyst 2800 Series Switches
• Catalyst 4000/2980G/2948G Series Switches running Catalyst OS
• Catalyst 1200 Series Switches
• Catalyst 2900-XL/3500-XL Series Switches
• Catalyst 4000/4500/4900 Switches running Cisco IOS
• Catalyst 1600 Series Switches
• Catalyst 2901-2 Series Switches
• Catalyst 5500/5000/2926G/2926 Series Switches
• Catalyst 1700 Series Switches
• Catalyst 2948G-L3/4908G-L3/4840G Series Switches
• Catalyst 6000 Series Switches Running Native IOS
• Catalyst 1800 Series Switches
• Catalyst 2940, 2950/2955, 2960, 2970 Series Switches
• Catalyst 6500/6000 Series Switches running Catalyst OS
• Catalyst 1900/2820 Series Switches
• Catalyst 3000/3100/3200 Series Switches
• Cisco Catalyst 6500 Series SSL Services Module in Native (IOS) Mode
• Catalyst 2100 Series Switches
• Catalyst 3550, 3560, 3750 Series Switches
• Catalyst 8510-CSR Series Switch
• Catalyst 2600 Series Switches
• Catalyst 2970 Switch
• Catalyst 2950 and Catalyst 2955 Switch
• Catalyst 3550 Multilayer Switch
• Catalyst 3560 Switch
• Catalyst 3750 Switch
• Catalyst 3900 Series Switches
• Catalyst 8540-CSR Series Switch
• Catalyst 6500 with Supervisor 720 Running Cisco IOS Software Prior to 12.2(17)SX


09. November 2013 · Subnetting · Categories: Cisco


23. June 2013 · MicroNugget – ASA VPN Connection Profiles · Categories: Cisco

04. June 2013 · DNS dropped because packets too big for configured 512? · Categories: Cisco


You can safely increase the DNS packet length to 1500; 512 is the default.

fixup protocol dns maximum-length 1500

Background on fixup protocol dns

Use the fixup protocol dns command to specify the maximum DNS packet length. DNS requires application inspection so that DNS queries are not subject to the generic UDP handling based on activity timeouts. Instead, UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received.

The port assignment for the Domain Name System (DNS) is not configurable.

Set the maximum length for the DNS fixup as shown in the following example:

pixfirewall(config)# fixup protocol dns maximum-length 1500

pixfirewall(config)# show fixup protocol dns

fixup protocol dns maximum length 1500

17. December 2012 · Reveal the Site-to-Site VPN key on an ASA · Categories: Cisco

I've needed to know what the site-to-site VPN key is when reconfiguring a firewall. No one knew what the password was, and I was under the impression that I would have to just reset the password on both ends. Well, I've learned that a command can provide more information without having to reset the VPN key on the other side. If you do a ‘show run’ on the ASA, you will see that you cannot see what the key is. It just gives you an: *

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

OK, I need that password. So, I've learned that if you do a “more system:/running-config”, it will show you that pass key.
Below is what is displayed when I enter the command:

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key !Password1!!


16. December 2012 · How To SSH From A Cisco Router · Categories: Cisco

To get to other client firewalls (which only allow SSH access), here is how to SSH from any Cisco router or switch to another device:

ssh -l zope 172.16.10.1

In the ssh command, -l specifies the username (“zope” in my case), followed by the target address you are trying to reach, in this case 172.16.10.1.

24. November 2012 · How to Upgrade the ASA5500 using CLI · Categories: Cisco

Version 9.0 of the Cisco ASA software has now been released. Here are some of the major features in the new release.

Filter ICMP by ICMP code
Clustering of multiple ASAs
OSPFv3 and EIGRP support
IPv6 support on outside interface for VPNs
NAT for IPv6 and NAT64
DHCPv6 relay
Unified ACLs for v4 and v6
Clientless SSL VPN – Support for new browsers and HTML5
Site to Site VPN in multiple context mode
Dynamic routing in multiple context mode
Mixed firewall support in multiple context mode

So today I decided to upgrade my ASA5505 to Version 9.0(1). Below are the steps to upgrade your ASA.

23. November 2012 · Cisco ASA Port Forwarding in 8.3 from the CLI the easy way · Categories: Cisco

In this example, we want to be able to access a Media Server behind the firewall. We’ll assume the service uses port 32400 and the Media Server’s internal IP address is 10.11.12.13/24. I’ll give you the steps, then I’ll explain.

Step 1: Create a new object group for your web server.

asa5505(config)# object network MediaServer

Step 2: Add the IP of the web server to the network group.

asa5505(config-network-object)# host 10.11.12.13

Step 3: Forward the port via the NAT command.

asa5505(config-network-object)# nat (inside,outside) static interface service tcp 32400 32400

Step 4: Exit back to the root and add the access list.

asa5505(config)# access-list outside_access_in permit tcp any object MediaServer eq 32400

That’s it! Now, let’s explain what’s going on here. Cisco has started moving more and more towards the use of object groups in their configs. It makes things easier, especially when you have a situation where you have 20 web servers behind the firewall and you want to add 1 more. Rather than having to rewrite a whole bunch of ACLs, you just add the IP of the new web server into the object group and everything is done for you. So here our Media Server is 10.11.12.13. If you want to send port 80 to more than 1 IP on your internal network, just add more IPs to that object group.

This works for ANY port forward. If you want to RDP into a machine, simply replace port 32400 with 3389. There is one caveat. You can only do one port forward per object group. So let’s say that our Media Server is also an FTP server and you want port 21 to forward as well as port 32400. You’re going to have to create a whole new object group (object network FTPServer), put the same IP in the group (host 10.11.12.13), do the nat command again (nat (inside,outside) static interface service tcp ftp ftp), exit back to the root of config, and add the access list (access-list outside_access_in permit tcp any object FTPServer eq ftp).
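As an added example, not from the original post, a Python helper that renders the four steps above for any number of forwards and enforces the one-forward-per-object caveat before emitting anything; the object names and the second host address are constructed, and it assumes outside_access_in is already applied to the outside interface with access-group.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PortForward:
    """One inbound forward to a host behind the ASA (all names here are constructed)."""
    name: str            # network object name, e.g. MediaServer
    host: str            # internal IP of the server
    port: str            # port number or ASA keyword, e.g. "32400" or "ftp"
    proto: str = "tcp"
    acl: str = "outside_access_in"  # assumed already bound to outside with access-group


def render_port_forward(pf: PortForward) -> list[str]:
    """Emit the four steps from the post for a single forward."""
    return [
        f"object network {pf.name}",
        f" host {pf.host}",
        f" nat (inside,outside) static interface service {pf.proto} {pf.port} {pf.port}",
        "exit",
        f"access-list {pf.acl} permit {pf.proto} any object {pf.name} eq {pf.port}",
    ]


def find_conflicts(forwards: list[PortForward]) -> list[str]:
    """List what breaks when forwards are combined: a network object carries one
    static NAT, so each forward needs its own object, and one outside-interface
    port can map to only one inside host."""
    problems, names, ports = [], set(), set()
    for pf in forwards:
        if pf.name in names:
            problems.append(f"object {pf.name} reused: create a new object per forward")
        if (pf.proto, pf.port) in ports:
            problems.append(f"{pf.proto}/{pf.port} already mapped on the interface address")
        names.add(pf.name)
        ports.add((pf.proto, pf.port))
    return problems


def render_config(forwards: list[PortForward]) -> list[str]:
    """Render every forward, refusing a set that hits the caveats above."""
    problems = find_conflicts(forwards)
    if problems:
        raise ValueError("; ".join(problems))
    return [line for pf in forwards for line in render_port_forward(pf)]


if __name__ == "__main__":
    media = PortForward("MediaServer", "10.11.12.13", "32400")
    ftp = PortForward("FTPServer", "10.11.12.13", "ftp")  # same host, its own object
    print("\n".join(render_config([media, ftp])))
```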

This should get you up and running in no time.