Perhaps you should log into your ISE appliance and make a note of the Product Identifier (PID), Version Identifier (VID) and the Serial Number (SN).

What you might want to do now is shutdown your ISE VM and mount the disk… I always have a CentOS server kicking around for this kind of thing, so if I was to do this, I would mount the ISE virtual disk as an extra disk that CentOS has access to.

From within CentOS you can use fdisk -l to view the hard drive partitions… When you’re hacking a VM you mount as many of the ISE partitions as you can (some will fail) to see what’s there. On my test machine /dev/sdb7 was the partition of interest as it had an /opt directory (cisco always install stuff in opt).

Inside mount-point/opt/system/bin/ you might find a file called cars_udi_util, that’s the puppy that the license is bound to.

What you might want to do is rename that file and replace it with something that always gives the “right” answer. Attached is cars_udi_util.txt, a shell script I have been testing, edit the top of the file and insert the PID/VID/SN you found earlier.

Now save the cars_udi_util.txt to mount-point/opt/system/bin/cars_udi_util, that’s right remember to remove the .txt!

Unmount the disk, shutdown Centos and boot up ISE.

Now I’ve been hacking my machine and after this change the services wouldn’t start (show application status ise) to fix that I ran application reset-config ise from the ISE CLI Shell, rebooted and Voila! …The machine booted up with a blank default config.

After changing the default admin password (from cisco) it would now be possible for you to use your proper appliance license on your VM… of course this is only a temporary thing and I fully expect & recommend you undo these changes as soon as your new license arrives from Cisco.

Happy Hacking!

In my frustration I have given up and created a shell script which converts a CSV into an ASA output, simply create a two column CSV with Col A containing your starting IP and Col B containing you end IP.

The script is a recursive loop so should support large outputs such as 10.1.2.10 to 10.2.1.20 howvere I’m not actually sure you’d want that in your firewall config but I wrote the computability for the fun it!

Have fun, click “more” below if you can’t see the script!

#!/bin/bash

# Commas separated VAR....
IFS=","
while read name firstip lastip
# Loop around CSV
do

# Split up our first ip into it's octects
firstipfirstoctect=$(echo $firstip | awk -F "." '{print $1}')
firstipsecondoctect=$(echo $firstip | awk -F "." '{print $2}')
firstipthirdoctect=$(echo $firstip | awk -F "." '{print $3}')
firstipforthoctect=$(echo $firstip | awk -F "." '{print $4}')

# Split up our last IP into it's ocects
lastipfirstoctect=$(echo $lastip | awk -F "." '{print $1}')
lastipsecondoctect=$(echo $lastip | awk -F "." '{print $2}')
lastipthirdoctect=$(echo $lastip | awk -F "." '{print $3}')
lastipforthoctect=$(echo $lastip | awk -F "." '{print $4}')

	# Re-set BASH
	unset IFS 

	# Echo out the object GROUP name
	echo "object-group network $name"

	# Loop through 1st Octect
	for a in `seq $firstipfirstoctect $lastipfirstoctect`;
	do
		# test to see if we need to print the whole range
		if [ $firstipfirstoctect -lt $lastipfirstoctect ]
		then
			firstipsecondoctectCOUNTER="0"
			lastipsecondoctectCOUNTER="255"
		fi

		# first IP might not be 1
		if [ $a -eq $firstipfirstoctect ]
		then
			firstipsecondoctectCOUNTER=$firstipsecondoctect
		fi

		# last IP might not be 255
		if [ $a -eq $lastipfirstoctect ]
		then
			lastipsecondoctectCOUNTER=$lastipsecondoctect
		fi

			# Loop through 2nd Octect
			for b in `seq $firstipsecondoctect $lastipsecondoctect`;
			do

				# Same tests as before except, next octect.
				if [ $firstipsecondoctect -lt $lastipsecondoctect ]
				then
					firstipthirdoctectCOUNTER="0"
					lastipthirdoctectCOUNTER="255"
				fi

				if [ $b -eq $firstipsecondoctect ]
				then
					firstipthirdoctectCOUNTER=$firstipthirdoctect
				fi

				if [ $b -eq $lastipsecondoctect ]
				then
					lastipthirdoctectCOUNTER=$lastipthirdoctect
				fi

					# Loop through 3rd Octect
					for c in `seq $firstipthirdoctectCOUNTER $lastipthirdoctectCOUNTER`;
					do

						# copy / paste / tweak
						if [ $firstipthirdoctect -lt $lastipthirdoctect ]
						then
							firstipforthoctectCOUNTER="0"
							lastipforthoctectCOUNTER="255"
						fi

						if [ $c -eq $firstipthirdoctect ]
						then
							firstipforthoctectCOUNTER=$firstipforthoctect
						fi

						if [ $c -eq $lastipthirdoctect ]
						then
							lastipforthoctectCOUNTER=$lastipforthoctect
						fi

							# final octect... echo result.
							for d in `seq $firstipforthoctectCOUNTER $lastipforthoctectCOUNTER`;
							do
								echo " network-object $a.$b.$c.$d  255.255.255.255"
							done

					done
			done
	done

done<./FirewallRanges.csv

I’ve posted an updated ks.cfg … if you compare it to the old one the only real difference is an updated set of version numbers, all the other instructions are exactly the same….well, except now centos 4.7 can be found in the vault

Next I plan to see if I can make this work in EC2 as I recon a cloud based ACS server would be pretty cool, wish me luck and enjoy the 5.2 goodness!

To remove the control I had to close IE, browse to…

C:\Windows\Downloaded Program Files

..and remove the following files..

CSDWebInstaller.inf
CSDWebInstaller.ocx

When re-starting IE the control was gone and I could test the re-install, I hope this helps some other googler!

You can now configure access rules that are applied globally, as well as access rules that are applied to an interface. If the configuration specifies both a global access policy and interface-specific access policies, the interface-specific policies are evaluated before the global policy.

The following command was modified: access-group global

For users/companies which have migrated from Check Point to Cisco (usually to save on licensing fees), getting their head around a new interface level policy rather than a system (global) level is usually a bit of a challenge.

I’m looking forward to seeing if this really helps with policy migrations!

Before I explain what I’ve done, a quick message for “the stupids”

No I won’t post a virtual machine for you to download
Buy a license or an appliance

The rest of this post is a run though of what I did, if you get bored easily skip to the summary.

The story is I’ve got a customer who wants dot1x with ACS5 and I need a box to play with before breaking their network; having read through the docs on cisco.com I noticed that vmware was a supported platform for evaluation, as awesome as that is, carrying around an ESXi server isn’t as convenient as you’d think so I boldly dropped the CD into my VirtualBox and booted to see what happened…. if only it was that simple!!!!!

As expected the installer crapped out early on complaining that VirtualBox is not a valid hardware configuration, so I decided to have a poke around the ISO image and had a moment of realisation.. THANK YOU CISCO FOR CHOOSING CENTOS!

Cisco choosing an open-source installation mechanism means that with a bit of googling I could customise the install process to work in VirtualBox…. sweeet!

To get started I followed the install guide to build a VirtualBox appliance that resembled the supported vmware machine, some things to note:

• The disk is on a SCSI controller
• The processor is PAE
• You need a serial port enabled

This is a summary of my VirtualBox configuration…

• General
  • Name: Cisco ACS 5
  • OS Type: Red Hat
• System
  • Base Memory: 1024 MB
  • Processor(s):1
  • Boot Order:Floppy, CD/DVD-ROM, Hard Disk
  • VT-x/AMD-V:Enabled
  • Nested Paging:Enabled
• Display
  • Video Memory:12 MB
  • 3D Acceleration:Disabled
  • 2D Video Acceleration:Disabled
  • Remote Display Server:Disabled
• Storage
  • IDE Controller
    IDE Primary Master (CD/DVD):Empty
  • Floppy Controller
    Floppy Device 0:Empty
  • SCSI Controller
    SCSI Port 0:CiscoACS.vdi (Normal, 65.00 GB)
• Misc
  • Audio
    Disabled
  • Network
    Adapter 1:PCnet-FAST III (Host-only adapter, ‘vboxnet0′)
  • Serial Ports
    Port 1:COM1, Disconnected
  • USB
    Disabled
  • Shared Folders
    None

If you’re hoping to follow my process, I assume you’ve already downloaded from cisco a copy of the ACS_v5.1.0.44.iso and sorted an eval license.

Looking at the contents of the CD I could see that the KickStart file was rejecting my hardware configuration. In my early attempts I edited ks.cfg removing everything between %pre and %post removed the line that said %include and rebuilt the ISO; this had limited success, I could boot further on my new ISO but found that anaconda crapped out as it was unable to find the CD from which it booted … Very Odd!

Messing with the kickstart file and having to rebuild the ISO each time got boring very quickly, especially since it wouldn’t boot into anaconda stage two. I decided to move to a network based installed, I setup a web server on my laptop, downloaded CentOS-4.7-i386-bin1of4.iso and booted my guest from that using linux askmethod at the loader. On my web server I copied the contents of the ACS CD into a directory (including . hidden files), during the centos boot I was able to install “everything” from the ACS directory on web server giving me yet more limited success (Everything was installed – including the Cisco packages – but unusable).

The next step was to get my web installation to read my kickstart file, the ks.cfg has a load of finalization which looked like it created files that the cisco packages would need. I had to change the permissions of the directory to give me write access (CD files copied as RO since the CD was RO). So my edited ks.cfg has nothing between %pre & %post plus the %include line deleted, the result had massive drawback, I’d inadvertently removed the disk layout; I have since concluded that my earlier attempt with everything installed but broke also had issues due to incorrect filesystem partitions.

To put the filesystem layout back into the kickstart file I inserted the following:

part / --fstype ext3 --size=100 --grow
part /localdisk --fstype ext3 --size=5120
part /recovery --fstype ext3 --size=1008
part /storedconfig --fstype ext3 --size=981
part /storeddata --fstype ext3 --size=2048
part swap --size=2048

To get the Centos Server to now boot from both the kickstart file and install from my webserver I now have to boot with linux ks=http://192.168.56.1/~nick/ACS/ks.cfg (this is instead of linux askmethod) and replace the line that says cdrom with url --url http://192.168.56.1/~nick/ACS.

After all that trial & error I was finally there! I have attached my ks.cfg for your reference and here is a summary of the steps to reproduce.

Install Summary:

1. Download ACS
2. Download Centos
3. Install a web server
4. Copy the contents of the ACS CD to your web server (look out for .discinfo)
5. Replace ks.cfg with your edited version (or mine)
6. Create a virtualbox machine
7. Boot the VirtualBox machine from the CentOS CD with linux ks=http://URL
8. As soon as you see a blue “installer” screen eject the CentOS CD
9. Wait
10. Done

Note: During my playing the anaconda installer crapped out a couple of times, just starting the process again seemed to fix the issue, some bottleneck on virtualbox disk accesses could be the problem.

Hope that all makes sense, happy hacking!

Today’s challenge was to get to grips with Cisco’s ZBFW, there are a few examples out there if you google but this cisco pdf was the best resource I found.

I’m going to share with you my GNS3 config, my first gotcha was getting the “right” IOS version, the latest advanced sec 12.4 image for the 3725 doesn’t cut it, you need to get a copy of c3725-advsecurityk9-mz.124-15.T7.bin.

My plan was simple, I wanted to re-create this following pseudo ASA style configuration:

access-list inside permit icmp any any
access-list inside permit tcp any any eq telnet
access-list outside permit tcp any host 192.168.10.100 eq telnet
access-group inside in interface inside
access-group outside in interface outside

What’s funny is that is 5 lines of code for ZBFW it’s more than 20! Yes the IOS FW isn’t a statefull firewall like the ASA but still more than 4 times the work… anyway, moving on…

The ZBFW is broken into four parts:

• Assign Zones to Interfaces
• Create a class-map to define interesting traffic
• Create a policy-map to give your class an action
• Create a zone pair to give you class a direction

As you can see in the picture, I have three routers Inside, Outside & Gateway; we will generate traffic from Inside -> Outside (and vice versa) and Gateway will be our firewall. In this blog post I’ll discuss the inside -> outside policy, read though the attached config to work out how outside->inside works

Creating zones and applying them to interfaces is the easy bit…

!
zone security inside
 description LAN
zone security outside
 description Internet
!
interface FastEthernet0/0
 ip address 10.10.10.10 255.255.255.0
 zone-member security outside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 zone-member security inside

ZBFW supports traffic matching by protocol, ACL or both. To start with I need to create a class map equivalent of:

access-list inside permit icmp any any

So that looks like:

class-map type inspect match-any myinspectclass
 match protocol icmp

Our action to this applied via the policy map will be “inspect” … not “permit” like the access list, what we want to happen is the echo-request (echo) packet passing from the inside interface to the outside to be inspected so that the echo-reply packet is let back in…

policy-map type inspect myinspectpolicy
 class type inspect myinspectclass
  inspect

To apply this inside -> outside we create a zone-pair…

zone-pair security in-out source inside destination outside
 service-policy type inspect myinspectpolicy

Part 1 done. breath, take a break.

We can now ping from inside to outside, but outside to inside fails. Part two is to create a separate “flow” to allow telnet out. Now we could update our existing class-map, but it’s much clearer to create a new one, first we need an access-list…

ip access-list extended telnet_any
 permit tcp any any eq telnet

This will restrict our TCP protocol inspection to permit only telnet, without this ACL the following class map would permit (inspect) any TCP.

class-map type inspect match-all inspecttelnetclass
 match access-group name telnet_any
 match protocol tcp

Now that we have defined our traffic we can using the existing policy that permits the ICMP traffic through to permit this TCP thru, so this is the new policy map that replaces the one above:

policy-map type inspect myinspectpolicy
 class type inspect myinspectclass
  inspect
 class type inspect inspecttelnetclass
  inspect

The policy map will work top down, permitting ICMP traffic thru flow 1 (rule 1) and telnet through flow 2…. we don’t need to touch the zone pair

Attached is my GNS3 .net file and the three router configs [1,2,3], hopefully it all makes sense

To get started install this driver from apple (I think it needed a reboot).

If this was successful when you connect the USB-to-Serial you’ll be asked if you want to setup a modem / network connection… say no. From a terminal you should now see a new device similar to mine…

NickBook:~ nick$ ls /dev/cu*
/dev/cu.Bluetooth-Modem	/dev/cu.PL2303-00001004	/dev/cu.Bluetooth-PDA-Sync
NickBook:~ nick$

The PL device disappears when I unplug the USB adapter. Next you then need a copy of minicom, I installed macports and did port install minicom.

Since I don’t want to re-invent the wheel now go to http://www.macosxhints.com/article.php?story=20040521145713551 and Start at STEP 3 to configure minicom (Obviously you’ll replace /dev/cu.USA19QI191P1.1 with something similar to /dev/cu.PL2303-00001004 ) once finished you’ll be set.. happy terminal session!

In the end i had to downgrade, very frustrating!

As I regularly have to review & build Cisco ASA Firewall configs I thought it would be nice to add a little colour

Notepad++ supports a user defined language system whereby users can create their own syntax highlighting. As google couldn’t find anyone else who’d had a go at this before I thought I’d have a crack at being the 1st.

Attached to this post you’ll find userDefineLang_ASA.xml, what you need to do is..

1. Download the user-defined language to your computer
2. Open the file with your favourite text editor (such as notepad++ or notepad)
3. Click start, run, type (or paste in) %APPDATA%\Notepad++ then click ok
4. Open userDefineLang.xml with a text editor
5. If this is the first userdefined language you are adding, copy/paste the entire first file (which you downloaded) into the userDefineLang.xml, replacing all that was there. If this is the second or more language you add, simply copy everything from the first file starting at to and paste it at the end of the userDefineLang.xml right before
6. Save the newly improved userDefineLang.xml

Reference: http://notepad-plus.sourceforge.net/uk/download.php

Now my implementation is quite simple at this stage, I’ve copied all the top level commands, i.e. anything from an initial “?” such as “show”, but I haven’t gone thru grabbing level two such as “run” as in “show run”. I have however added the most common level two commands so you should see something useful.

Comments or improvements welcome