Monday, November 23, 2020

MD5 Checksum

Windows (cmd)-> Certutil -hashfile <filename> MD5

Linux -> md5sum <filename>

Cisco -> verify /md5 bootflash:<filename>

at No comments:

Thursday, October 29, 2020

Cisco Firewall

 


FMC/Firepower Magement Center
                    🔝
Logical Device FTD/Firepower Threat Defense)
                    🔝
Firepower Chassis (4100) -> FXOS CLI or https://managementIP (FCM/Firepower Chassis Manager)

Remarks:
Logical Device can be instance Native (use all resources of the chassis) -> only one FTD is possible. 
Logical Device can be instance Container -> multiple FTDs are possible.
(container creation is only possible from FMC?)

ASDM
🔝
ASA

Troubleshooting:

packet-tracer simulates a flow and shows the result

https://networkology.net/2013/03/06/using-packet-tracer-for-validating-icmp-traffic/

TCP and UDP being statefully inspected by default, you just have to run the packet-tracer on the source interface and you can be sure the return traffic will be allowed through.  With ICMP, it’s a different story.

Because the ASA does not statefully inspect ICMP  packets (by default) you have to vouch for the return packets as well. So you’ll be running two packet-tracer commands to verify that ICMP packets go through and come back.

So here’s how you verify ICMP echo and echo-reply using packet-tracer;

For verifying echo packets, type=8 code=0

packet-tracer input inside icmp 10.1.1.2 8 0 172.21.1.2 detailed

For verifying echo-reply packets, type=0 code=0

packet-tracer input outside icmp 172.21.1.2 0 0 10.1.1.2 detailed

Packet-tracer does more than just inject a 'virtual'  packet into the data-plane. One can also add the 'trace' option to  the capture command, so that actual packets the security appliance  receives (which are matched by the capture) are also traced.

access-list icmp8844 extended permit icmp any4 host 8.8.4.4 
access-list icmp8844 extended permit icmp host 8.8.4.4 any4 
capture myicmp type raw-data access-list icmp8844 trace interface TYPE2-INSIDE
capture myicmpreturn type raw-data access-list icmp8844 trace interface TYPE2-OUTSIDE

To view the packet-trace from captured packet #3 in the capture, use the command:  ASA# "show capture mycap trace packet-number 3"


at No comments:

Thursday, October 22, 2020

certbot renewal iptables rules

 [root@owncloud ~]# cat certificaterenew.sh 
#!/bin/bash
echo "Adding temporary lines to iptables"
iptables -I INPUT 1 -p tcp -s 52.28.236.88 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 1 -p tcp -s 66.133.109.36 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 1 -p tcp -s 18.196.96.172 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 1 -p tcp -s 3.128.26.105 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 1 -p tcp -s 64.78.149.164 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 1 -p tcp -s 34.209.232.166 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
certbot renew
echo "Deleting temporary lines from iptables"
iptables -D INPUT 1
iptables -D INPUT 1
iptables -D INPUT 1
iptables -D INPUT 1
iptables -D INPUT 1
iptables -D INPUT 1
at No comments:

Wednesday, September 23, 2020

FTD firewall capture

 >capture icmp trace detail interface cedge301-dia match icmp any any 


> show capture

capture icmp type raw-data trace detail interface cedge301-dia [Capturing - 536 bytes] 

  match icmp any any 


> show capture icmp 

5 packets captured

   1: 07:12:31.147178       802.1Q vlan#200 P0 192.168.0.1 > 8.8.8.8: icmp: echo request 

   2: 07:12:33.149726       802.1Q vlan#200 P0 192.168.0.1 > 8.8.8.8: icmp: echo request 

   3: 07:12:35.141884       802.1Q vlan#200 P0 192.168.0.1 > 8.8.8.8: icmp: echo request 

   4: 07:12:37.154777       802.1Q vlan#200 P0 192.168.0.1 > 8.8.8.8: icmp: echo request 

   5: 07:12:39.146690       802.1Q vlan#200 P0 192.168.0.1 > 8.8.8.8: icmp: echo request 

5 packets shown


> show capture icmp packet-number 1 

5 packets captured

   1: 07:12:31.147178       802.1Q vlan#200 P0 192.168.0.1 > 8.8.8.8: icmp: echo request 

1 packet shown

> show capture icmp trace 


5 packets captured


   1: 07:12:31.147178       802.1Q vlan#200 P0 192.168.0.1 > 8.8.8.8: icmp: echo request 

Phase: 1

Type: CAPTURE

Subtype: 

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x2aaad3b18430, priority=13, domain=capture, deny=false

        hits=3, user_data=0x2aaad240bea0, cs_id=0x0, l3_type=0x0

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

        input_ifc=cedge301-dia, output_ifc=any


Phase: 2

Type: ACCESS-LIST

Subtype: 

Result: ALLOW

Config:

Implicit Rule

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x2aaad399b7f0, priority=1, domain=permit, deny=false

        hits=274029, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=cedge301-dia, output_ifc=any


Phase: 3

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop 10.0.29.182 using egress ifc  Outside-interface


Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group CSM_FW_ACL_ global

access-list CSM_FW_ACL_ advanced permit ip ifc cedge301-dia any4 ifc Outside-interface any4 rule-id 268435458 

access-list CSM_FW_ACL_ remark rule-id 268435458: ACCESS POLICY: MainPolicy - Mandatory

access-list CSM_FW_ACL_ remark rule-id 268435458: L7 RULE: Trust-inside-to-outside

Additional Information:

 This packet will be sent to snort for additional processing where a verdict will be reached

 Forward Flow based lookup yields rule:

 in  id=0x2aaad3adfb20, priority=12, domain=permit, deny=false

        hits=281, user_data=0x2aaac757ea00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=cedge301-dia

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=Outside-interface, vlan=0, dscp=0x0

        input_ifc=any, output_ifc=any


Phase: 5

Type: CONN-SETTINGS

Subtype: 

Result: ALLOW

Config:

class-map class-default

 match any

policy-map global_policy

 class class-default

  set connection advanced-options UM_STATIC_TCP_MAP

service-policy global_policy global

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x2aaad39b2e60, priority=7, domain=conn-set, deny=false

        hits=281, user_data=0x2aaad23ca100, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=cedge301-dia, output_ifc=any


Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x2aaad1846550, priority=0, domain=nat-per-session, deny=true

        hits=12362, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=any, output_ifc=any


Phase: 7

Type: IP-OPTIONS

Subtype: 

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x2aaad39a13e0, priority=0, domain=inspect-ip-options, deny=true

        hits=287, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=cedge301-dia, output_ifc=any


Phase: 8

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

 match default-inspection-traffic

policy-map global_policy

 class inspection_default

  inspect icmp 

service-policy global_policy global

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x2aaad39afe80, priority=70, domain=inspect-icmp, deny=false

        hits=6, user_data=0x2aaad2b08bc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

        input_ifc=cedge301-dia, output_ifc=any


Phase: 9

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x2aaad39b1120, priority=70, domain=inspect-icmp-error, deny=false

        hits=6, user_data=0x2aaad2b09700, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

        input_ifc=cedge301-dia, output_ifc=any


Phase: 10

Type: CAPTURE

Subtype: 

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x2aaad3b1fce0, priority=13, domain=capture, deny=false

        hits=2, user_data=0x2aaad240bea0, cs_id=0x2aaad240bd70, reverse, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

        input_ifc=cedge301-dia, output_ifc=any


Phase: 11

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 Reverse Flow based lookup yields rule:

 in  id=0x2aaad1846550, priority=0, domain=nat-per-session, deny=true

        hits=12364, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=any, output_ifc=any


Phase: 12

Type: IP-OPTIONS

Subtype: 

Result: ALLOW

Config:

Additional Information:

 Reverse Flow based lookup yields rule:

 in  id=0x2aaad3933830, priority=0, domain=inspect-ip-options, deny=true

        hits=12300, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=Outside-interface, output_ifc=any


Phase: 13

Type: CAPTURE

Subtype: 

Result: ALLOW

Config:

Additional Information:

 Reverse Flow based lookup yields rule:

 out id=0x2aaad3b20390, priority=13, domain=capture, deny=false

        hits=1, user_data=0x2aaad240bea0, cs_id=0x2aaad240bd70, reverse, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

        input_ifc=any, output_ifc=cedge301-dia


Phase: 14

Type: FLOW-CREATION

Subtype: 

Result: ALLOW

Config:

Additional Information:

New flow created with id 12375, packet dispatched to next module

Module information for forward flow ...

snp_fp_inspect_ip_options

snp_fp_snort

snp_fp_inspect_icmp

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat


Module information for reverse flow ...

snp_fp_inspect_ip_options

snp_fp_inspect_icmp

snp_fp_snort

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat


Phase: 15

Type: EXTERNAL-INSPECT

Subtype: 

Result: ALLOW

Config:

Additional Information:

Application: 'SNORT Inspect'


Phase: 16

Type: SNORT

Subtype: 

Result: ALLOW

Config:

Additional Information:

Snort Trace:

Packet: ICMP

Session: new snort session

AppID: service ICMP (3501), application unknown (0)

Firewall: trust/fastpath rule, id 268435458, allow

Snort id 1, NAP id 1, IPS id 0, Verdict WHITELIST

Snort Verdict: (fast-forward) fast forward this flow


Phase: 17

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop 10.0.29.182 using egress ifc  Outside-interface


Phase: 18

Type: ADJACENCY-LOOKUP

Subtype: next-hop and adjacency

Result: ALLOW

Config:

Additional Information:

adjacency Active

next-hop mac address 5000.0042.0004 hits 374 reference 1


Result:

input-interface: cedge301-dia

input-status: up

input-line-status: up

output-interface: Outside-interface

output-status: up

output-line-status: up

Action: allow


at No comments:

Tuesday, September 22, 2020

FTP firewall in EVE-NG add to FMC


Add & Boot device

Login admin/Admin123

configure IPv4

manage locally -> yes

show network

In case reconfig is needed: configure network ipv4 manual <ip> <subnet> <gw>

Validate ping from FTD to FMC: ping systems <ip FMC>


Adding FTD to FMC

configure manager add <ip fmc> <password>

In GUI of FMC add the device

Once this is done FTD GUI is no longer accessible.


To revert: configure manager delete, configure manager local

at No comments:

Friday, June 12, 2020

redistributing bgp in eigrp


redistributing internal bgp (ibgp) in eigrp


1)under "router bgp" the following is needed
"bgp redistribute-internal"
2)under "router eigrp" the following is needed
"default-metric <value> <value> <value> <value> <value> <value> "
"redistribute bgp <AS> route-map <route-map>"

(eBGP routes don't need the redistribute-internal command)


eigrp into bgp

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/213952-configure-bgp-to-advertise-a-default-rou.html

default-route:
network 0.0.0.0/0 or default-information originate 

(note: "default-information originate always" is different. This one creates a default-route  in the BGP RIB even when  there's no default  in EIGRP)
at No comments:

Wednesday, April 22, 2020

How to do Source AND Destination NAT on the same router



How to do Source AND Destination NAT on the same router

(I used https://blog.ine.com/2008/02/15/the-inside-and-outside-of-nat as a reference. But it uses Frame Relay, I wanted to do the same for Ethernet.)

 Setup:
            OUTSIDE                            INSIDE

 R1-10.0.28.65------10.0.28.66-R2-172.16.24.2------------172.16.24.1-R3

 Traffic is originated from the OUTSIDE first.

 Config of R2:
interface Gi1
  ip address 10.0.28.66 255.255.255.252
  ip nat outside

 interface Gi2
  ip address 172.16.24.2 255.255.255.0
  ip nat inside

 ! NAT translation is bidirectional. Traffic from outside to inside with a
! Destination of 10.0.28.66 will also hit this rule, even if it says " inside
! source"
ip nat inside source static  172.16.24.1 10.0.28.66


! Reply traffic from inside to outside -> Router R2 does first a route lookup ,then
! NAT translation. This means that the we cannot use 172.16.24.2 as a source
! static translation. The return packet will arrive on R3 and he will see it as 
! local and not even do the NAT translation. By using 172.16.245.25.100 and adding ! a static route towards 10.0.28.65, the route lookup will be done and then the 
! NAT translation.

ip nat outside source static 10.0.28.65 172.16.25.100
ip route 172.16.24.254 255.255.255.255 10.0.28.65

 (it may be necessary to announce 172.16.25.100 in the rest of the network for the traffic to find it's way back to R2)
???
inside local    inside global     outside local   outside global
172.16.24.1     10.0.28.66        172.16.24.2     10.0.28.65
????
at No comments:
Subscribe to: Posts (Atom)

YAML Files for ESP32

 Gree Versati III https://gist.github.com/slanckma/3bad4ff49545488a3719766bdf0cdc76 TUF-2000M Water flow sensor https://gist.github.com/slan...

  • eve-ng : When a node won't start
      /var/log/syslog shows: Jun 18 11:21:18 labusraeveng01 iol_wrapper[105334]: 18/5 15:21:18.639 ERR#011Error while connecting local AF_UNIX: ...
  • Arista Zero Touch Provisioning
    zerotouch cancel -> only for current uptime (reload will start ZTP again) zerotouch disable -> forever to reenable zerotouch do: ...
  • OpenWRT linksys with TC and NETEM
      install openwrt on e4200v2  Open ssh and http on the WAN (disable firewall) Via GUI of openwrt (LuCi) install tc-full and kmod-netem Injec...