I wanted to do another config guide for this since the design of my LAN has changed and the ASA version I am running is now 8.4. The old ASA/AIP config post can be found here
On the ASA:
• The inside interface is going to be used to communicate with the IPS so here is the setup:
!
interface Vlan1
nameif inside
security-level 100
allow-ssc-mgmt <-- designates this VLAN as the interface through which the SSC (the AIP IPS module) is managed
ip address x.x.200.1 255.255.255.0
• For the purposes of management I have defined the IPS as three different "objects" (https, SNMP and SSH):
object network IPS-443
host x.x.x.x
!
object network IPS-SNMP
host x.x.x.x
!
object network IPS-ssh
host x.x.x.x
• I also added access-lists to allow these through:
!
access-list outside_access_in extended permit tcp any object IPS-443 eq https
access-list outside_access_in extended permit udp any object IPS-SNMP eq snmp
access-list outside_access_in extended permit tcp any object IPS-ssh eq ssh
!
• Since the ASA is now on the inside of the network and its outside interface faces my internal LAN, I have to NAT things. These are identity (no-translation) twice-NAT rules that simply let the management traffic reach the module unchanged:
nat (outside,inside) source static any any destination static IPS-443 IPS-443
nat (outside,inside) source static any any destination static IPS-SNMP IPS-SNMP
nat (outside,inside) source static any any destination static IPS-ssh IPS-ssh
• A slightly different version of the class map from the original ASA/IPS config guide, now with a match any:
!
class-map ips_class
match any
!
policy-map ips_policy
class ips_class
ips inline fail-open
!
service-policy ips_policy interface outside
• Now what I thought was missing from the last post was the configuration from the IPS, so here it is:
service host
network-settings
host-ip x.x.200.2/24,x.x.200.1 <-- that's the ASA's inside network, with the ASA's inside address as the gateway
access-list 0.0.0.0/0 <-- permits management from any address; tighten this to the management subnet once everything works
!
ntp-server x.x.100.1 <-- router on the LAN acting as NTP server
summertime-option recurring
summertime-zone-name GMT-08:00
!
auto-upgrade
cisco-server enabled
schedule-option calendar-schedule
times-of-day 14:09:33
days-of-week sunday
days-of-week monday
days-of-week tuesday
days-of-week wednesday
days-of-week thursday
days-of-week friday
days-of-week saturday
!
service ssh-known-hosts
rsa1-keys x.x.x.x
length 2048
!
service web-server
!
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/0 <-- this is an ASA 5505, so this is not a port you can cable; it is the module's internal connection to the ASA.
I hope that helps. I'll include a new drawing to illustrate this at some point.
Wednesday, December 7, 2011
Friday, September 23, 2011
Router Recovery
This update is intended to show how to recover a router after it has choked on a software image and is now stuck at the rommon prompt.
• Enabling tftp service on your server/laptop
Sometimes you need to start (or maybe even kill) the tftp service on your laptop and the commands below will do the trick:
sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist
sudo launchctl unload /System/Library/LaunchDaemons/tftp.plist
• Download fresh image
Once the tftp service is enabled you need to go get yourself an image from cisco.com. Be warned, the image you want may not be the image your router can run. The reason the router choked on the image may have to do with the amount of available memory so be sure to look at the requirements before you pull one off the cisco shelf.
• Placing of image
Maybe not needed but I'll mention it anyway. Images (and anything you want to push or pull via tftp) go into the /private/tftpboot directory on OS X. You'll need to move the file after download with something like this:
system:Downloads user$ mv c2600-io3-mz.122-26c.bin /private/tftpboot/
- After this you'll need to make sure the tftp daemon can read the file. Read permission is all it needs, so 644 is enough; the 777 below is what I used, but it makes the image world-writable, which is broader than necessary:
cd /private/tftpboot/
system:tftpboot user$ sudo chmod 777 c2600-io3-mz.122-26c.bin
• Router configuration
- All you need to do is set a static IP (the example uses 192.168.1.10) on your system, connect an ethernet cable to the router and issue the commands listed below (giving the router a 192.168.1.5 address):
rommon 1 > IP_ADDRESS=192.168.1.5
rommon 2 > IP_SUBNET_MASK=255.255.255.0
rommon 3 > DEFAULT_GATEWAY=192.168.1.1
rommon 4 > TFTP_SERVER=192.168.1.10
rommon 5 > TFTP_FILE=c2600-io3-mz.122-26c.bin
rommon 6 > tftpdnld
IP_ADDRESS: 192.168.1.5
IP_SUBNET_MASK: 255.255.255.0
DEFAULT_GATEWAY: 192.168.1.1
TFTP_SERVER: 192.168.1.10
TFTP_FILE: c2600-io3-mz.122-26c.bin
- Now the router wants to make sure you know you're about to summon the RMA demons if this doesn't go well. They scare you with this message:
Invoke this command for disaster recovery only.
WARNING: all existing data in all partitions on flash will be lost!
Do you wish to continue? y/n: [n]: y
- Now the router receives the image from your system via tftp:
.
Receiving c2600-io3-mz.122-26c.bin from 192.168.1.10 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (lots of these)
- All good and now for some cleanup:
File reception completed.
Copying file c2600-io3-mz.122-26c.bin to flash.
Erasing flash at 0x60fc0000
program flash location 0x60580000
All you need to do now is reload and say a small prayer.
rommon 7 > reload
As always, good luck!
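The recovery above erases flash before it has finished pulling the image, so the one thing worth checking beforehand is that the file on the laptop is the file Cisco published. Here is an added helper (example code, not from the original post) that checks the download against the MD5 from the cisco.com download page before copying it into the tftp root, and prints the rommon variable lines so they are not retyped by hand. The TFTP_ROOT default and the expected-hash argument are assumptions, not part of the post.

```shell
#!/bin/sh
# Added example (not from the original post): stage an IOS image for ROMMON
# tftpdnld recovery. Before the file goes into the tftp root it is checked
# against the MD5 that cisco.com publishes on the download page, so a corrupt
# or tampered download is caught on the laptop instead of after flash is erased.
# Assumed, not from the post: TFTP_ROOT defaults to /private/tftpboot and the
# expected hash is supplied by the caller.

TFTP_ROOT="${TFTP_ROOT:-/private/tftpboot}"

# Print the MD5 of a file; macOS ships md5, Linux ships md5sum.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# stage_image IMAGE EXPECTED_MD5
# Copies IMAGE into TFTP_ROOT with mode 0644 (read is all tftpd needs).
# Returns 1 if the file is missing or the hash does not match.
stage_image() {
    img="$1"
    want="$2"
    [ -f "$img" ] || { echo "no such file: $img" >&2; return 1; }
    got=$(md5_of "$img")
    if [ "$got" != "$want" ]; then
        echo "MD5 mismatch for $img: got $got, expected $want" >&2
        return 1
    fi
    cp "$img" "$TFTP_ROOT/" || return 1
    chmod 0644 "$TFTP_ROOT/$(basename "$img")"
}

# rommon_commands ROUTER_IP MASK GATEWAY TFTP_SERVER FILE
# Prints the variable assignments to paste at the rommon prompt, ending with
# the tftpdnld command itself.
rommon_commands() {
    printf 'IP_ADDRESS=%s\n'      "$1"
    printf 'IP_SUBNET_MASK=%s\n'  "$2"
    printf 'DEFAULT_GATEWAY=%s\n' "$3"
    printf 'TFTP_SERVER=%s\n'     "$4"
    printf 'TFTP_FILE=%s\n'       "$5"
    printf 'tftpdnld\n'
}

# Usage (values from the post; replace <md5> with the hash shown on cisco.com):
#   stage_image ~/Downloads/c2600-io3-mz.122-26c.bin <md5>
#   rommon_commands 192.168.1.5 255.255.255.0 192.168.1.1 192.168.1.10 c2600-io3-mz.122-26c.bin
```

If the hash does not match, nothing is copied and the function returns non-zero; fix the download first rather than feeding a questionable image to a router that is about to wipe its flash.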
Thursday, January 27, 2011
SSH Key based authentication
It seems like I'm always connecting to servers via ssh and I hate having to remember my password. I remember a long time ago someone showed me how to place your public key on the server so you could log in automatically, but then I forgot how to do it. Well, that's what this blog is for - here are the steps to doing it.
• Generate the Keys
• Copy your public key to the server and vice versa
• Connect and authorize
• Generate the Keys
All you need to do this is enter ssh-keygen into the terminal and you will be taken through a few steps.
#1 It will ask you where you want to save it. The default is in /Users/yourname/.ssh/id_rsa. Just stick with that.
#2 It will ask if you would like to add a passphrase to the key or leave it empty - enter a passphrase that you can easily remember; you will need to enter it twice. A key with no passphrase is usable by anyone who gets a copy of the id_rsa file, so don't leave it empty. After you enter the passphrase it will display the key's randomart image.
• Copy your public key to the server
Now that the keys have been created you need to move the public one to the server. Navigate to the ~/.ssh directory and inside there you will find something like this:
-rw------- 1 user staff 1743 Jan 21 21:09 id_rsa
-rw-r--r-- 1 root staff 416 Jan 21 21:09 id_rsa.pub
-rw-r--r-- 1 user staff 4252 Jan 11 22:19 known_hosts
The file you want is the id_rsa.pub file, so go ahead and do a "more" on that and copy the contents (it is a single line) to the clipboard. Now go to the server you want to add this to and log in FOR THE LAST TIME (HA!), navigate to ~/.ssh (create it with mkdir and chmod 700 if it isn't there) and touch a file named "authorized_keys". Then do a chmod 600 ~/.ssh/authorized_keys (644 also works; what matters is that neither the file nor ~/.ssh is writable by group or others, or sshd's StrictModes will ignore it). After that's complete, open it with pico (no sudo needed, it's your own file, and sudo would leave it owned by root) and paste in the key you copied to your clipboard as one line.
• Copy your server key to you:
This step is only needed if the server will also log in to your machine (for example to push files back). For logging in from your laptop to the server, your key in the server's authorized_keys is all that is required. If you do want it, it is the same process in the other direction; go to the server and do this:
1. ssh-keygen - save it to the default location, enter a passphrase
2. on your machine, create the authorized_keys file, chmod 600
3. pico and paste the key from the SERVER's id_rsa.pub file into it
Now you have the key from the server in your authorized_keys file and the server has your key in its authorized_keys.
• Connect and authorize
Now that the key is in place all you need to do is log out and ssh back in. The first time you connect from your machine to the server, OS X shows a pop-up window (in the OS, not in the terminal) asking for the key's passphrase (the one you entered when you created the key) and offering to store it in your keychain. Once you do this the key is unlocked, the server checks it against its authorized_keys, and you will not be asked for the server password again.
It's just that easy! Enjoy.
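The manual touch/chmod/paste sequence above is easy to get slightly wrong (a stray newline, a second copy of the same key, a world-writable file that sshd then silently ignores). Here is an added helper, example code that is not part of the original post, that installs a public-key line with the permissions StrictModes expects and refuses duplicates and malformed lines. It takes the home directory as an argument (an assumption made here so it can be run against a scratch directory) rather than always using $HOME.

```shell
#!/bin/sh
# Added example (not from the original post): put a public key into an
# account's authorized_keys the way sshd's StrictModes expects it. It creates
# ~/.ssh as 700 and authorized_keys as 600, refuses anything that is not an
# OpenSSH public-key line, and will not append the same key twice (the comment
# at the end of the line is ignored when comparing, since it is not key
# material). Assumed, not from the post: the home directory is passed in as $1
# so the function can be pointed at a scratch directory instead of a live one.

# install_pubkey HOME_DIR "ssh-xxx AAAA... comment"
# Returns 0 on success or when the key was already present, 2 on a bad key line.
install_pubkey() {
    home="$1"
    key="$2"
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp*\ *) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 2 ;;
    esac
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh"
    f="$home/.ssh/authorized_keys"
    touch "$f" && chmod 600 "$f" || return 1
    # Compare only "<type> <base64>"; a re-run with a different comment is still a duplicate.
    fp=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if awk -v k="$fp" '($1 " " $2) == k { found = 1 } END { exit !found }' "$f"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$f"
}

# key_count HOME_DIR -> number of non-empty lines in authorized_keys
key_count() {
    grep -c . "$1/.ssh/authorized_keys"
}

# Usage on the server, pasting the single line from your laptop's ~/.ssh/id_rsa.pub:
#   install_pubkey "$HOME" "ssh-rsa AAAAB3Nza... user@laptop"
```

Run it as the account that will be logging in, never with sudo, so the directory and file stay owned by that account.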
Wednesday, January 5, 2011
ASA 5505 AIP Module Configuration
This post is related to my experience getting the security services module, or ASA-SSC-AIP-5 as it is known, configured and doing something useful. We are going to cover the following things in this post:
• Getting into the module
• Configuring an IP
• Applying a license
• Setting up a schedule for it to download updated signatures
• Telling the ASA to pass the IPS traffic so it can do something useful
• Backing up the configuration
• Monitoring what the IPS is doing
• Resetting the module or formatting it
• Creating a Service Account
_________________________________________________________
• Getting into the module
First you need to SSH to the ASA and then do a show module to see the status of the IPS. It should look something like this:
!
asa# show mod
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5505 Adaptive Security Appliance ASA5505
1 ASA 5500 Series AIP Security Services Card-5 ASA-SSC-AIP-5
!
Mod SSC Application Name Status SSC Application Version
--- ------------------------------ ---------------- --------------------------
1 IPS Up 6.2(2)E4
In order to do anything beyond looking at the status of the module you will need to get into the ASDM and run through the initial configuration for the IPS.
• Configuring an IP
The configuration assistant will ask you to name the device and to select the network that you want the IPS on. In this case we have it on the inside 192.168.X.0/24 network and have assigned it a .167 address. The username and password are also needed and that's about it. Once you have this completed you can select the Intrusion Prevention tab next to the Firewall Dashboard on the home screen of the ASDM, or you can open an https connection to the IP you gave to the IPS and manage it with Cisco IDM.
• Applying a license
Under Configuration select the IPS module tab and scroll down to Licensing. The file that you were given can be uploaded to the module by defining the local path in the Update License field.
• Setting up a schedule for it to download updated signatures
In the ASDM you have an easy signature retrieval setup section; the only trouble is that if you leave it set to the default hourly boundary (like 02:00 am) it will error out with something like this: http error response: 500 error
The reason has to do with the time, so it's easy enough to set it to something else (like 02:01 am) and it will work fine. Here is a link to the page that describes the fix.
• Telling the ASA to pass the IPS traffic so it can do something useful
The basic setup I have is to send traffic to the Sensor for inspection and if the module fails go around it rather than stop processing. Here is what it looks like on the ASA:
!
access-list IPS extended permit ip any any
!
class-map ips_class
match access-list IPS
!
policy-map ips_policy
class ips_class
ips inline fail-open <---- important for uptime; traffic is passed uninspected if the module fails
!
service-policy ips_policy interface outside
!
• Backing up the configuration
First you need to go into your server (the backup destination, which has to accept ssh connections) and create the config file you are going to copy over - something like asa-ips.cfg. Make it writable by the account the sensor will log in as (I did a chmod 777, which is more than needed; a file owned by that account is enough). Then go to the ASA (or more specifically the IPS module) and issue this command:
IPS# copy current-config scp://serveripaddress/path/filename-ips.cfg
Password: ******
Generating current config: ..........
It should fail saying something like this:
!
Protocol major versions differ: 1 vs. 2
Unsupported remote protocol version for host, 192.168.X.X - must support SSH version 1
I tried many ways to get the configuration off the box (even changing the SSH version on the server to support v1, which eventually worked). The reason for this error message is that the server I was sending the file to was not known by the sensor. In order to correct this you need to perform the following:
IPS# ssh host-key 192.168.x.x
!
It comes back with a message about the key it has pulled back from the server. You say yes to this. If you now do a "show host-keys" or a "show host-keys 192.168.x.x" you will see that the sensor has pulled in the key for the server and will now pass its configuration file to it.
Now try the command and after what seems like a century it will produce the config file and pass it to the server. If you have any questions about this process you can look at this link.
I'm not sure why this is, but I was able to alter the configuration on the server (vi /etc/sshd_config and under #Port 22 add "Protocol 1") and reload it. Now you should be able to issue the scp command and succeed in backing up the config. Protocol 1 is the long-deprecated SSH version 1 with known cryptographic weaknesses, so it should not stay on: limit that sshd to the sensor's management address with a firewall rule while the backup runs and set it back to Protocol 2 afterwards.
• Monitoring what the Sensor is doing
In order to verify that the Sensor is in fact "seeing" traffic and acting on it you can enable signatures 2000 (ICMP Echo Reply) and 2004 (ICMP Echo Request). These fire on pings, and once enabled you should be able to see them trigger by pinging something behind the IPS.
• Resetting the module or formatting it
From the ASA you can reload or reset the module with the following command:
asa# hw-module module 1 ?
allow-ip Allow specific hosts/network to access the module
ip Configure management IP parameters
password-reset Reset the CLI password on the module
recover Configure recovery of this module
reload Reload the module
reset Reset the module
shutdown Shut down the module
• Creating a Service Account
This link has some great info on how to create a service account on the IPS so you can run all kinds of cool unix commands on it. I created an account in an attempt to get tftp to work, but I ended up altering the server to support SSH v1 instead:
http://flylib.com/books/en/2.464.1.133/1/