Networking

Networking

Cisco ASA Cli

Static NAT (SNAT)

object network obj-192.168.1.100 
host 192.168.1.100 
nat (inside,outside) static 192.166.1.101 dns

PAT

Allow outside connections targeting TCP port 80 to redirect to internal port 8080.

object network obj-192.166.1.101-srv_8080
host 192.166.1.101
nat (inside,outside) static 192.166.1.101 service tcp 8080 http

DNAT

In the example bellow, the subnet will be on a port channel named inside2 and will have a obj-group called net-local2

interface port-channel 150
nameif inside2
security-level 100
ip address 172.10.10.0 255.255.255.0
object-group network net-local2
network-object 172.10.10.0 255.255.255.0

after-auto Inserts the rule at the end of section.
You can translate all addresses on the source interface by specifying source dynamic any mapped_obj

nat (inside2,outside) after-auto source dynamic net-local2 interface dns

PAT connections will be visible in show xlate

fw1# show xlate
TCP PAT from inside2:172.10.10.11/51995 to outside:199.199.199.100/51995 flags riD
idle 0:05:37 timeout 0:00:30

For more advanced configs, refer to article below:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/n.html

Configuring Static PAT as a Twice NAT/Manual NAT

object network local-192.168.1.100
host 192.168.1.100

object network external-2.2.2.2
host 2.2.2.2

object service https
service tcp source eq https

object service tcp_8443
service tcp source eq 8443
 
nat (inside,outside) source static local-192.168.1.100 external-2.2.2.2 service tcp_8443 https

DHCP Server

dhcpd address 10.20.106.240-10.20.106.253 inside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd enable inside

ASDM

asdm image disk0:/asdm-X.bin
http server enable 8080
http <whitelist-ip> 255.255.255.0 OUTSIDE
username admin password PASSWORD privilege 15
https://<asa ip>:8080

Allow non-connected subnets

arp permit-nonconnected

The ASA ARP cache only contains entries from directly-connected subnets by default. You can enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.

You may want to use this feature if you use:

  • Secondary subnets.

  • Proxy ARP on adjacent routes for traffic forwarding.

Route LAN to remote subnet on physical port

interface GigabitEthernet1/8
  description remote
  no nameif
  no security-level
  no ip address

interface GigabitEthernet1/8.100
  description Public VLAN 100 remote
  vlan 100
  nameif remote
  no security-level
  ip address 192.168.1.2 255.255.255.0
    
object network local-net
  subnet 192.168.2.0 255.255.255.0
    
object network remote-net
  subnet 192.168.3.0 255.255.255.0
    
access-list inbound extended permit ip object local-net object remote-net
nat (inside,remote) source static local-net local-net destination static remote-net remote-net

route remote 192.168.3.0 255.255.255.0 192.168.1.1 1

In this example you will be able to connect to "192.168.3.0/24" from your local "192.168.2.0/24" subnet using the 192.168.1.2 port, the remote port will be on the same vlan using the IP 192.168.1.1

Object Groups ASA

object-group service http-https tcp
port-object eq www
port-object eq https
object-group network webservers
network-object host 192.168.1.101
network-object host 192.168.1.102
network-object host 192.168.1.103
access-list OUTSIDE-IN extended permit tcp any object-group webservers object-group http-https
access-group OUTSIDE-IN in interface outside

packet-tracer

packet-tracer input inside icmp 192.168.1.100 8 0 8.8.8.8
packet-tracer input outside tcp 8.8.8.8 80 192.168.1.100 80

Backup/Restore

Create a Backup 

copy running-config disk0:/backup-2017-00-00

Restore a backup

copy disk0:/backup-2017-08-18 startup-config
reload

Allow FTP passive ports

The firewall will block this data communication because it will start from a different source port (20 instead of 21). The purpose therefore of the inspect ftp command on the Cisco ASA is to listen for the initial Command FTP traffic (on port 21) and dynamically open a secondary Data connection between FTP server and client (from port 20). This will allow FTP communication to work. If you disable FTP inspection with the no inspect ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.

policy-map global_policy
 class inspection_default
  no inspect ftp

Mitigating attack traffic

DEFINE TRAFFIC

First of all we define which traffic the MPF policy will be applied to. In the example below we exclude the host 8.8.8.8 whilst inspecting all other traffic.

access-list mpf-policy-acl extended permit ip any any
CREATE CLASS-MAP

Next we assign the previously created access-list to a class-map.

class-map mpf-policy
match access-list mpf-policy-acl
CREATE POLICY-MAP

Then a policy-map is created and the necessary connection limits defined.

policy-map mpf-policy-map
class mpf-policy
set connection conn-max 9500
set connection embryonic-conn-max 5000
set connection per-client-embryonic-max 100
set connection per-client-max 300

Allow LAN management over VPN

management-access inside
nat (inside,any) source static obj-LANSUBNET obj-LANSUBNET destination static obj-VPNSUBNET obj-VPNSUBNET route-lookup
http <VPNSUBNET> 255.255.255.0 inside
ssh <VPNSUBNET> 255.255.255.0 inside

Failover

To run on the Standby FW

failover active

Licensing Info

Different ASA models have different licensing options. To see what the limits of the active license, use the following:

sh version

https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-command-reference-list.html

https://wiki.myhypervisor.ca/books/networking/page/cisco-asa-site-to-site

https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html

https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-configuration-examples-list.html

 

 

 

Cisco ASA Site to Site

Verification: NAT or transparent mode

Value should return ( Firewall mode: Router )

show firewall

Always do a backup!!!

copy running-config disk0:/running-config-backup-DDMMYYYY

ACL / No NAT Rules

Change net-local and and remote for local and remote IP

You do not need to create a object for the LAN if you already have one for another tunnel // You also can not have 2 tunnels with the same remote IP's

object-group network net-local
network-object 10.1.2.0 255.255.255.0
object-group network net-remote
network-object 192.168.1.0 255.255.255.0

Create a cryptomap ACL

access-list outside_1_cryptomap extended permit ip object-group net-local object-group net-remote

Allow traffic between the two sites to bypass NAT

Always check the name of interface on the port channel, the tunnel will not work if your interface is named inside3

nat (inside,outside) source static net-local net-local destination static net-remote net-remote

IKEV1 - Route based

tunnel-group 199.168.1.100 type ipsec-l2l
tunnel-group 199.168.1.100 ipsec-attributes
 ikev1 pre-shared-key *****

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 lifetime 3600
 group 5

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec profile vpn1
 set ikev1 transform-set ESP-AES-256-SHA
 set security-association lifetime seconds 3600

interface Tunnel1
 nameif int-vpn1
 ip address 192.168.0.1 255.255.255.252 
 tunnel source interface outside
 tunnel destination 199.168.1.100
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn1

access-list vpn1-inbound extended permit ip any any
access-list vpn1-outbound extended permit ip any any
access-group vpn1-inbound in interface int-vpn1
access-group vpn1-outbound out interface int-vpn1

route int-vpn1 10.10.10.0 255.255.255.0 192.168.0.2 1

IKEV1 - Policy based

Create the tunnel group, and configure the pre-shared key. (In ex; 199.168.1.100 = Remote WAN)

tunnel-group 199.168.1.100 type ipsec-l2l
tunnel-group 199.168.1.100 ipsec-attributes
pre-shared-key INSERT_SECURE_PRE_SHARED_KEY_HERE

Declare the most common transform sets (only do once).

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Phase 1 parameters

crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
### Enable ikev1 on the outside interface - THIS JUST NEED TO BE CONFIGURED ONCE YOU SETUP THE FIRST VPN
crypto ikev1 enable outside
crypto ikev1 am-disable #(// Main mode remove this line for aggressive mode)

Enable ikev1 on the outside interface -THIS JUST NEED TO BE DONE ON THE FIRST IKEV1 VPN

crypto ikev1 enable outside

Set main mode // Do not include this line for aggressive mode

This is a global setting, if you add the line bellow in a ASA that contains a tunnel that uses aggressive mode, it will break the other tunnel

crypto ikev1 am-disable

Phase 2 parameters

If you remove the ACL used by a tunnel, it will remove the line crypto map outside_map 1 match address ACL_NAME // Only set PFS if configured on the remote side, else skip the line

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 199.168.1.100
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set security-association lifetime seconds 3600

Enable the crypto map in the outside interface - THIS JUST NEED TO BE DONE ON THE FIRST IKEV1 VPN

crypto map outside_map interface outside

IKEV2

Create the tunnel group, and configure the pre-shared key. (In ex; 199.168.1.100 = Remote WAN)

group-policy GroupPolicy_IKEv2 internal
group-policy GroupPolicy_IKEv2 attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev2

tunnel-group 199.168.1.100 type ipsec-l2l
tunnel-group 199.168.1.100 general-attributes
default-group-policy GroupPolicy_IKEv2
tunnel-group 199.168.1.100 ipsec-attributes
ikev2 remote-authentication pre-shared-key ***
ikev2 local-authentication pre-shared-key ***

Declare the transform sets

crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1

Phase 1 parameters

crypto ikev2 policy 20 
encryption aes-256
integrity sha
group 2
prf sha 
lifetime seconds 86400

Phase 2 parameters

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 199.168.1.100
crypto map outside_map 1 set ikev2 ipsec-proposal ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto ikev2 enable outside

NAT

If the request needs to go over the nated IP, do no use the ACL / Nat rules above, configure something like this:

nat (INSIDE,OUTSIDE) source static PRENAT_IP POSTNAT_IP destination static DESTINATION_IP DESTINATION_IP
access-list outside_1_cryptomap extended permit ip host NATTED_SOURCE_IP host NATTED_DESTINATION_IP

Troubleshooting/Debug

Useful links:

Test connection (Run command 2x)

packet-tracer input inside icmp 10.1.2.100 8 0 192.168.1.100

Check IKEV1 Logs 

debug crypto ikev1 127

Check IKEV2 Logs

debug crypto ikev2 protocal

Clear tunnel session

clear isakmp sa

Find pre-shared key

more system:running-config | grep pre-shared

Check basic VPN session information

sh isakmp sa

Check details on VPN session (Detailed)

show vpn-sessiondb detail ra-ikev1-ipsec

Capture traffic for the ACL related to the VPN

capture test access-list outside_1_cryptomap interface inside real-time

Once you are done, always remember to save your config

IPv4 Subnet Mask Cheat Sheet

CIDR

Subnet Mask

Total IPs

Usable IPs

/32 255.255.255.255 1 1
/31 255.255.255.254 2 2*
/30 255.255.255.252 4 2
/29 255.255.255.248 8 6
/28 255.255.255.240 16 14
/27 255.255.255.224 32 30
/26 255.255.255.192 64 62
/25 255.255.255.128 128 126
/24 255.255.255.0 256 254
/23 255.255.254.0 512 510
/22 255.255.252.0 1024 1022
/21 255.255.248.0 2048 2046
/20 255.255.240.0 4096 4094
/19 255.255.224.0 8192 8190
/18 255.255.192.0 16,384 16,382
/17 255.255.128.0 32,768 32,766
/16 255.255.0.0 65,536 65,534
/15 255.254.0.0 131,072 131,070
/14 255.252.0.0 262,144 262,142
/13 255.248.0.0 524,288 524,286
/12 255.240.0.0 1,048,576 1,048,574
/11 255.224.0.0 2,097,152 2,097,150
/10 255.192.0.0 4,194,304 4,194,302
/9 255.128.0.0 8,388,608 8,388,606
/8 255.0.0.0 16,777,216 16,777,214
/7 254.0.0.0 33,554,432 33,554,430
/6 252.0.0.0 67,108,864 67,108,862
/5 248.0.0.0 134,217,728 134,217,726
/4 240.0.0.0 268,435,456 268,435,454
/3 224.0.0.0 536,870,912 536,870,910
/2 192.0.0.0 1,073,741,824 1,073,741,822
/1 128.0.0.0 2,147,483,648 2,147,483,646

Linux Routing

Routing

View routes

ip route

ip route

Adding a route

ip addr add 192.168.1.100/24 dev eth0

Add a gateway

ip route add default via 192.168.1.1 dev eth0

Add a route of a subnet to a gateway

ip route add 10.1.2.0/24 via 10.1.2.1 dev eth0

null route (blackhole)

ip route add blackhole 10.1.2.130 # For an IP
ip route add blackhole 10.1.2.10/24 # For a subnet
ip route del blackhole 10.1.2.130 # Remove from blackhole

null route an ip list

for string in $(cat ips.txt); do ip route add blackhole $string; done

 

Juniper Cli

Display

Show Display configuration

show configuration | display set

Show display detail configuration

show configuration | display detail

show arp macs

show ethernet-switching table

File

To navigate the file system you can do

file list /?

Backup

Backup configuration in homedir

save router-config-name

Backup active configuration in homedir

run show configuration | save backup-name

Create a rescue configuration

If the active configuration is corrupted, the device will automatically load the filenamed rescue.gz in the /config directory as the active configuration:

file copy /config/juniper.conf.gz /config/rescue.gz

Completely replace the current candidate configuration with a previously stored file.

load override /var/tmp/router-config
commit

Check configuration before a commit:

commit check

Rollback

Show rollabcks

rollback ?

Compare active config with rollback X

show | compare rollback X

Compare candidate config with active configuration

show  | compare

rollback 0 references the active configuration, so the following command is equivalent to the previous one

rollback X

Replace candidate configuration with rollback X:

We start by loading rollback X

rollback X

Checking everything is fine

show
show | compare

If everything is fine:

commit

Commit version during X minutes

You need to confirm with a commit, or modification will be rollback after X minutes.

commit confirmed X

Show pending auto commits (and commits history):

show system commit

Auto commit at a particular time:

commit at 02:00:00
show system commit

Adding a Vlan

set vlans VLAN444 vlan-id 444

You will then need to add the vlan to an uplink, in this example the uplink is aggregated

set interfaces ae48 unit 0 family ethernet-switching vlan members 444

Vlan Switching 

For Ex33 switches, auto-negotiation is not required.

Setting port to access on a vlan

delete interfaces xe-0/0/0
set interfaces xe-0/0/0 ether-options auto-negotiation
set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members 4082
set interfaces xe-0/0/0 unit 0 family ethernet-switching recovery-timeout 300

Setting port to aggregated 

delete interfaces xe-0/0/0
set interfaces xe-0/0/0 description member-ae0
set interfaces xe-0/0/0 ether-options auto-negotiation
set interfaces xe-0/0/0 ether-options 802.3ad ae0

Configuring the LACP on the aggregated link

set interfaces ae0 description "aggregate-link"
set interfaces ae0 aggregated-ether-options link-speed 10g
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members 4040
set interfaces ae0 unit 0 family ethernet-switching vlan members 4041
set interfaces ae0 unit 0 family ethernet-switching storm-control default
set interfaces ae0 unit 0 family ethernet-switching recovery-timeout 300
delete protocols rstp interface xe-0/0/0
delete protocols rstp interface xe-1/0/0
set protocols rstp interface ae0 edge
set protocols rstp interface ae0 no-root-port

Firewall Rules

set interfaces vlan unit [VAN_ID] family inet filter input INBOUND-TRAFFIC
set firewall family inet filter INBOUND-TRAFFIC term name-of-rule from source-address [IP]/32
set firewall family inet filter INBOUND-TRAFFIC term name-of-rule from destination-address [IP]/32
set firewall family inet filter INBOUND-TRAFFIC term name-of-rule from destination-port 22
set firewall family inet filter INBOUND-TRAFFIC term name-of-rule then accept

 

 

SAN - Dell Equallogic CLI Notes

group1> member select MEMBERNAME eth sel 1 NEWIPADDRESS NETMASK 
group1> grpparams group-ipaddress IPADDRESS

Then go back and fix the other network.

group1> member select MEMBERNAME eth sel 0 NEWIPADDRESS NETMASK

Then set the new default gateway

group1> member select MEMBERNAME def-gateway IPADDRESS

Supported Update Paths
https://eqlsupport.dell.com/support/download.aspx?id=6442456361

Reset

Press Ctrl/p 
setenv RESETPASSWORD 1
reload
account select grpadmin passwd
group1> reset

Change VLAN

grpparams dcb def-vlan-id 609

Downgrade FW

THIS WILL WIPE THE SAN

Transfer FW, login as "root / grpadmin"

update.sh -override-downgrade

Dell PowerConnect Switch CLI

Adding a VLAN to a port-channel

Add the VLAN to the DB

vlan database
vlan 4082

Check ARP respose from uplinks

show bridge address-table
show bridge address-table vlan <vlan-num>

Add the VLAN to the port-channel for the UPLINKS

interface port-channel 10
switchport trunk allowed vlan add 4082

Add the vlan to the port-channel for the port that needs the vlan

interface port-channel 15
switchport trunk allowed vlan add 4082

Save

copy running-config startup-config

Linux - Netplan

This new tool replaces the static interfaces (/etc/network/interfaces) on ubuntu 18.04

DHCP

network:
 version: 2
 renderer: networkd
 ethernets:
   ens33:
     dhcp4: yes
     dhcp6: no

Static IP

network:
 version: 2
 renderer: networkd
 ethernets:
   ens33:
     dhcp4: no
     dhcp6: no
     addresses: [192.168.1.2/24]
     gateway4: 192.168.1.1
     nameservers:
       addresses: [8.8.8.8,8.8.4.4]
   ens34:
     dhcp4: no
     dhcp6: no
     addresses: [192.168.1.3/24]

Apply changes

netplan apply

netplan apply does not require a service restart or a reboot

NetworkManager

Configuring with wifi nic

network:
  version: 2
  renderer: NetworkManager
  wifis:
          wlx7c8bca0d69b6:
                  dhcp4: no
                  addresses: [192.168.1.100/24]
                  gateway4: 192.168.1.1
                  nameservers:
                          addresses: [192.168.1.1,8.8.8.8]
                  access-points:
                          Raj:
                                  password: MyPass

Links:

https://netplan.io/

Cisco ASA - AnyConnect VPN

Enable webvpn

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.0.00061-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-4.0.00061-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-64-4.0.00061-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
ip local pool webvpn-ippool 172.28.38.10-172.28.38.250 mask 255.255.255.0
object network anyconnect_subnet
 subnet 172.28.38.0 255.255.255.0
 
object network internal_subnet
 subnet 172.28.37.0 255.255.255.0
nat (any,outside) source static internal_subnet internal_subnet destination static anyconnect_subnet anyconnect_subnet
group-policy SSLAccess internal
group-policy SSLAccess attributes
 address-pools value webvpn-ippool
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 
tunnel-group SSLAccess type remote-access
tunnel-group SSLAccess general-attributes
 default-group-policy SSLAccess
 tunnel-group SSLAccess webvpn-attributes
 group-alias VPN
username username password hhcZmvOYAh1el mschap privilege 0
username username attributes
 vpn-group-policy SSLAccess

SplitACL (optional)

group-policy SSLAccess attributes
 dns-server value 8.8.8.8 8.8.4.4
 split-tunnel-network-list value Split-ACL
access-list Split-ACL standard permit 172.28.38.0 255.255.255.0

 

Improve PFsense PPPOE +1Gbps

To improve speeds from 500Mbps on PFsense, Change the following values:

vi /boot/loader.conf.local

net.isr.dispatch=deferred
net.isr.maxthreads="-1"
net.isr.bindthreads="1"


In System > Advanced > Miscellaneous

Enable PowerD and AC Power to Maximum

a.png