Cisco.com & Wget

Ever since Cisco updated their website (you know, like, a year ago), I’ve struggled to find a way to wget software onto a box.

This week I found a bodge using Firefox. Sign into cisco.com, go through the normal process, accepting the agreements, and begin the download.

Once the download starts, pause it… right click and copy the download link:

Copy link from downloads

Then from your terminal/linux box, you can paste the url into wget:

wget -O ise-1.1.3.124.i386.iso "https://secure-us.esd.cisco.com/files/swc/sec/4_SDSP_59/bah/bah/ha?uid=linickxdotcom&key=go"

- Quick gotcha alert: the link you paste must be in speech marks/double quotes or the full URL will not paste correctly.

Cisco ISE, Android: ‘network setup assistant’ unable to detect server

The title should just about cover it, ^that^ is the error message I saw when trying to provision an Android Tablet using Identity Services Engine.

The answer is hidden on pg36 of the provisioning guide; look at that HTTP request..

howto_61_byod_provisioning_PG36

The client software sends an HTTP request to its default gateway, which for me was the Cisco WLC (Wireless LAN Controller). What is supposed to happen is that the HTTP request is redirected to the ISE, BUT that will only happen if the ACL pushed down blocks it.

So block HTTP to the IP address of the WLC; assuming that you are sending the correct AV pair down, the WLC will redirect the Android to ISE and the rest of the provisioning process should work.

It took me ages to find that, hopefully this will help you!

Checkpoint, Gaia, TACACS – two lines of config

If you have a Check Point firewall, you probably know about Gaia… and if you have more than one firewall admin, you probably want to individually authenticate them to the operating system (as opposed to an encrypted file of usernames & passwords which gets passed around the office).

 add rba role TACP-0 domain-type System all-features
 set aaa tacacs-servers authentication server 10.10.10.10 key mysecretkey

What you need to know about the above…

  • If a user can successfully authenticate by TACACS they become a super user; if you need different roles, read up on “role based administration”, TACP-15 and the enable_tacacs command.
  • The config has been tested on Cisco ACS 5.4, the default TACACS “default device administration” profile works with no changes.
  • This is tacacs authentication only, authorization is handled by the local RBA.

Hacking Cisco ISE UDI

ISE Virtual Machine that thinks it’s a CAM
The back story… you’ve deployed your ISE appliance and the world is great! Your management need you to make a change “right now”, but that virtual machine in the lab you have been using for testing is 91 days old and the eval no longer works. You raise a case to get budget and a PO over to Cisco for a lab ISE appliance or license, but this change is critical; if only there was a way to use your appliance license on your VM?

Perhaps you should log into your ISE appliance and make a note of the Product Identifier (PID), Version Identifier (VID) and the Serial Number (SN).

What you might want to do now is shut down your ISE VM and mount the disk… I always have a CentOS server kicking around for this kind of thing, so if I was to do this, I would mount the ISE virtual disk as an extra disk that CentOS has access to.

From within CentOS you can use fdisk -l to view the hard drive partitions… When you’re hacking a VM you mount as many of the ISE partitions as you can (some will fail) to see what’s there. On my test machine /dev/sdb7 was the partition of interest as it had an /opt directory (Cisco always install stuff in /opt).

Inside mount-point/opt/system/bin/ you might find a file called cars_udi_util, that’s the puppy that the license is bound to.

What you might want to do is rename that file and replace it with something that always gives the “right” answer. Attached is cars_udi_util.txt, a shell script I have been testing, edit the top of the file and insert the PID/VID/SN you found earlier.

Now save the cars_udi_util.txt to mount-point/opt/system/bin/cars_udi_util; that’s right, remember to remove the .txt!

Unmount the disk, shut down CentOS and boot up ISE.

Now, I’ve been hacking my machine and after this change the services wouldn’t start (show application status ise). To fix that I ran application reset-config ise from the ISE CLI shell, rebooted and voila! …The machine booted up with a blank default config.

After changing the default admin password (from cisco) it would now be possible for you to use your proper appliance license on your VM… of course this is only a temporary thing and I fully expect & recommend that you undo these changes as soon as your new license arrives from Cisco.

Happy Hacking!

Cisco ASA Firewalls and IP Ranges in ACLs

I’ve googled and I cannot find a way of creating a firewall range-style object in an ASA, you know the kind of thing whereby you want to allow IP addresses 192.168.1.10 thru 192.168.1.20 in an ACL.

In my frustration I have given up and created a shell script which converts a CSV into ASA output; simply create a two-column CSV with Col A containing your starting IP and Col B containing your end IP.

The script is a recursive loop so should support large outputs such as 10.1.2.10 to 10.2.1.20; however, I’m not actually sure you’d want that in your firewall config, but I wrote the capability for the fun of it!

Have fun, click “more” below if you can’t see the script!
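As an added example (not the author’s shell script), here is a Python take on the same CSV-to-ASA conversion. It goes one step further than walking every address: each start/end pair is collapsed into the smallest set of CIDR blocks and emitted as network-object lines inside an object-group, so 192.168.1.10 thru .20 becomes four lines instead of eleven. The CSV rows and the RANGE_ naming are constructed for the example.

```python
import csv
import io
import ipaddress

# Constructed sample CSV: column A = first address, column B = last address.
SAMPLE_CSV = """192.168.1.10,192.168.1.20
10.1.2.10,10.2.1.20
"""


def range_to_cidrs(start, end):
    """Collapse an inclusive IPv4 range into the fewest CIDR blocks that cover it."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return list(ipaddress.summarize_address_range(first, last))


def asa_network_objects(start, end):
    """Render one ASA network-object line per CIDR block of the range."""
    lines = []
    for net in range_to_cidrs(start, end):
        if net.prefixlen == 32:
            # a single address is written as a host object
            lines.append(f" network-object host {net.network_address}")
        else:
            # ASA takes a dotted netmask, not a prefix length
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def csv_to_asa(csv_text):
    """Turn a two-column CSV of start/end addresses into ASA object-groups."""
    out = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].startswith("#"):
            continue  # skip blank and comment rows
        start, end = row[0].strip(), row[1].strip()
        name = f"RANGE_{start}_{end}".replace(".", "_")
        out.append(f"object-group network {name}")
        out.extend(asa_network_objects(start, end))
    return "\n".join(out)


if __name__ == "__main__":
    print(csv_to_asa(SAMPLE_CSV))
```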


Cisco ACS 5.2 works in VirtualBox

My how-to on getting ACS 5.1 running in VirtualBox is one of my more popular posts; recently I was asked if 5.2 would work, and the answer is yes!

I’ve posted an updated ks.cfg … if you compare it to the old one the only real difference is an updated set of version numbers; all the other instructions are exactly the same….well, except now CentOS 4.7 can be found in the vault :)

Next I plan to see if I can make this work in EC2, as I reckon a cloud-based ACS server would be pretty cool; wish me luck and enjoy the 5.2 goodness!

Cisco: Uninstalling the CSD ActiveX Control

I’m installing Cisco Secure Desktop (CSD) for a customer and needed to re-test the installation process. Within Internet Explorer’s (IE versions 7 & 8) managed add-on feature, I noticed that the CSD ActiveX Control doesn’t have an uninstall feature.

To remove the control I had to close IE, browse to…

C:\Windows\Downloaded Program Files

..and remove the following files..

CSDWebInstaller.inf
CSDWebInstaller.ocx

When re-starting IE the control was gone and I could test the re-install, I hope this helps some other googler! :cool:

Cisco ASA – First steps to a Check Point Style Policy

I’ve just spotted this in the Cisco ASA 8.3 release notes:

You can now configure access rules that are applied globally, as well as access rules that are applied to an interface. If the configuration specifies both a global access policy and interface-specific access policies, the interface-specific policies are evaluated before the global policy.

The following command was modified: access-group global

For users/companies which have migrated from Check Point to Cisco (usually to save on licensing fees), getting their heads around a new interface-level policy rather than a system (global) level one is usually a bit of a challenge.

I’m looking forward to seeing if this really helps with policy migrations!

Cisco ACS 5.1 in VirtualBox

After much swearing and hackerizing I’m happy to post a screenshot of Cisco’s ACS running in VirtualBox :)

Before I explain what I’ve done, a quick message for “the stupids”

No I won’t post a virtual machine for you to download
Buy a license or an appliance

The rest of this post is a run-through of what I did; if you get bored easily, skip to the summary.

The story is I’ve got a customer who wants dot1x with ACS5 and I need a box to play with before breaking their network. Having read through the docs on cisco.com I noticed that VMware was a supported platform for evaluation; as awesome as that is, carrying around an ESXi server isn’t as convenient as you’d think, so I boldly dropped the CD into my VirtualBox and booted to see what happened…. if only it was that simple!!!!!

As expected the installer crapped out early on, complaining that VirtualBox is not a valid hardware configuration, so I decided to have a poke around the ISO image and had a moment of realisation.. THANK YOU CISCO FOR CHOOSING CENTOS!

Cisco choosing an open-source installation mechanism means that with a bit of googling I could customise the install process to work in VirtualBox…. sweeet!

To get started I followed the install guide to build a VirtualBox appliance that resembled the supported VMware machine; some things to note:

  • The disk is on a SCSI controller
  • The processor is PAE
  • You need a serial port enabled

This is a summary of my VirtualBox configuration…

  • General
    • Name: Cisco ACS 5
    • OS Type: Red Hat
  • System
    • Base Memory: 1024 MB
    • Processor(s):1
    • Boot Order:Floppy, CD/DVD-ROM, Hard Disk
    • VT-x/AMD-V:Enabled
    • Nested Paging:Enabled
  • Display
    • Video Memory:12 MB
    • 3D Acceleration:Disabled
    • 2D Video Acceleration:Disabled
    • Remote Display Server:Disabled
  • Storage
    • IDE Controller
      IDE Primary Master (CD/DVD):Empty
    • Floppy Controller
      Floppy Device 0:Empty
    • SCSI Controller
      SCSI Port 0:CiscoACS.vdi (Normal, 65.00 GB)
  • Misc
    • Audio
      Disabled
    • Network
      Adapter 1: PCnet-FAST III (Host-only adapter, ‘vboxnet0’)
    • Serial Ports
      Port 1:COM1, Disconnected
    • USB
      Disabled
    • Shared Folders
      None

If you’re hoping to follow my process, I assume you’ve already downloaded a copy of ACS_v5.1.0.44.iso from Cisco and sorted an eval license.

Looking at the contents of the CD I could see that the KickStart file was rejecting my hardware configuration. In my early attempts I edited ks.cfg, removing everything between %pre and %post, removed the line that said %include and rebuilt the ISO; this had limited success: I could boot further on my new ISO but found that anaconda crapped out as it was unable to find the CD from which it booted … Very odd!

Messing with the kickstart file and having to rebuild the ISO each time got boring very quickly, especially since it wouldn’t boot into anaconda stage two. I decided to move to a network-based install: I set up a web server on my laptop, downloaded CentOS-4.7-i386-bin1of4.iso and booted my guest from that using linux askmethod at the loader. On my web server I copied the contents of the ACS CD into a directory (including . hidden files); during the CentOS boot I was able to install “everything” from the ACS directory on the web server, giving me yet more limited success (everything was installed – including the Cisco packages – but unusable).

The next step was to get my web installation to read my kickstart file; the ks.cfg has a load of finalization which looked like it created files that the Cisco packages would need. I had to change the permissions of the directory to give me write access (CD files copied as RO since the CD was RO). So my edited ks.cfg had nothing between %pre & %post, plus the %include line deleted; the result had a massive drawback: I’d inadvertently removed the disk layout. I have since concluded that my earlier attempt, with everything installed but broken, also had issues due to incorrect filesystem partitions.

To put the filesystem layout back into the kickstart file I inserted the following:

part / --fstype ext3 --size=100 --grow
part /localdisk --fstype ext3 --size=5120
part /recovery --fstype ext3 --size=1008
part /storedconfig --fstype ext3 --size=981
part /storeddata --fstype ext3 --size=2048
part swap --size=2048

To get the CentOS server to now boot from both the kickstart file and install from my web server I now have to boot with linux ks=http://192.168.56.1/~nick/ACS/ks.cfg (this is instead of linux askmethod) and replace the line that says cdrom with url --url http://192.168.56.1/~nick/ACS.

After all that trial & error I was finally there! I have attached my ks.cfg for your reference and here is a summary of the steps to reproduce.

Install Summary:

  1. Download ACS
  2. Download Centos
  3. Install a web server
  4. Copy the contents of the ACS CD to your web server (look out for .discinfo)
  5. Replace ks.cfg with your edited version (or mine)
  6. Create a virtualbox machine
  7. Boot the VirtualBox machine from the CentOS CD with linux ks=http://URL
  8. As soon as you see a blue “installer” screen eject the CentOS CD
  9. Wait
  10. Done

Note: During my playing the anaconda installer crapped out a couple of times; just starting the process again seemed to fix the issue. Some bottleneck on VirtualBox disk accesses could be the problem.
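The ks.cfg edits described above (empty the %pre/%post body, drop the %include line, swap cdrom for url --url and put the partition table back) as an added Python example; this is not the author’s ks.cfg, the URL is the one used in the post, and the sample ks.cfg fragment is constructed.

```python
# Added example: apply the post's ks.cfg edits to a copy of the ACS kickstart file.
# ACS_URL is the web-server path used in the post; change it to match your own server.
ACS_URL = "http://192.168.56.1/~nick/ACS"

# The disk layout the post puts back after the %pre block is emptied.
PART_LAYOUT = [
    "part / --fstype ext3 --size=100 --grow",
    "part /localdisk --fstype ext3 --size=5120",
    "part /recovery --fstype ext3 --size=1008",
    "part /storedconfig --fstype ext3 --size=981",
    "part /storeddata --fstype ext3 --size=2048",
    "part swap --size=2048",
]

# Constructed stand-in for the real ks.cfg; only the directives that get edited matter.
SAMPLE_KS = """install
cdrom
%include /tmp/partinfo
%pre
echo "hardware check that rejects VirtualBox"
%post --nochroot
echo finalising
"""


def patch_ks(text, url=ACS_URL):
    """Return the kickstart text with the post's edits applied.

    - lines between %pre and %post are dropped (the markers themselves stay)
    - %include lines are dropped (they pulled in the generated disk layout)
    - the bare 'cdrom' source becomes 'url --url <url>' followed by PART_LAYOUT
    """
    out = []
    in_pre = False
    for line in text.splitlines():
        if line.startswith("%pre"):
            in_pre = True
            out.append(line)
        elif line.startswith("%post"):
            in_pre = False
            out.append(line)
        elif in_pre or line.startswith("%include"):
            continue
        elif line.strip() == "cdrom":
            out.append(f"url --url {url}")
            out.extend(PART_LAYOUT)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(patch_ks(SAMPLE_KS))
```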

Hope that all makes sense, happy hacking!

Cisco IOS Zone Based Firewall Example

Today’s challenge was to get to grips with Cisco’s ZBFW, there are a few examples out there if you google but this cisco pdf was the best resource I found.

I’m going to share with you my GNS3 config, my first gotcha was getting the “right” IOS version, the latest advanced sec 12.4 image for the 3725 doesn’t cut it, you need to get a copy of c3725-advsecurityk9-mz.124-15.T7.bin.

My plan was simple, I wanted to re-create this following pseudo ASA style configuration:

access-list inside permit icmp any any
access-list inside permit tcp any any eq telnet
access-list outside permit tcp any host 192.168.10.100 eq telnet
access-group inside in interface inside
access-group outside in interface outside

What’s funny is that those 5 lines of code become more than 20 for ZBFW! Yes, the IOS FW isn’t a statefull firewall like the ASA, but it’s still more than 4 times the work… anyway, moving on…

The ZBFW is broken into four parts:

  • Assign Zones to Interfaces
  • Create a class-map to define interesting traffic
  • Create a policy-map to give your class an action
  • Create a zone pair to give your class a direction

As you can see in the picture, I have three routers: Inside, Outside & Gateway; we will generate traffic from Inside -> Outside (and vice versa) and Gateway will be our firewall. In this blog post I’ll discuss the inside -> outside policy; read through the attached config to work out how outside -> inside works :)

Creating zones and applying them to interfaces is the easy bit…

!
zone security inside
 description LAN
zone security outside
 description Internet
!
interface FastEthernet0/0
 ip address 10.10.10.10 255.255.255.0
 zone-member security outside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 zone-member security inside

ZBFW supports traffic matching by protocol, ACL or both. To start with I need to create a class map equivalent of:

access-list inside permit icmp any any

So that looks like:

class-map type inspect match-any myinspectclass
 match protocol icmp

Our action to this applied via the policy map will be “inspect” … not “permit” like the access list, what we want to happen is the echo-request (echo) packet passing from the inside interface to the outside to be inspected so that the echo-reply packet is let back in…

policy-map type inspect myinspectpolicy
 class type inspect myinspectclass
  inspect

To apply this inside -> outside we create a zone-pair…

zone-pair security in-out source inside destination outside
 service-policy type inspect myinspectpolicy

Part 1 done. Breathe, take a break.

We can now ping from inside to outside, but outside to inside fails. Part two is to create a separate “flow” to allow telnet out. Now we could update our existing class-map, but it’s much clearer to create a new one; first we need an access-list…

ip access-list extended telnet_any
 permit tcp any any eq telnet

This will restrict our TCP protocol inspection to permit only telnet, without this ACL the following class map would permit (inspect) any TCP.

class-map type inspect match-all inspecttelnetclass
 match access-group name telnet_any
 match protocol tcp

Now that we have defined our traffic we can use the existing policy that permits the ICMP traffic through to permit this TCP through too, so this is the new policy map that replaces the one above:

policy-map type inspect myinspectpolicy
 class type inspect myinspectclass
  inspect
 class type inspect inspecttelnetclass
  inspect

The policy map will work top down, permitting ICMP traffic thru flow 1 (rule 1) and telnet through flow 2…. we don’t need to touch the zone pair :)

Attached is my GNS3 .net file and the three router configs [1,2,3], hopefully it all makes sense :cool:

Getting Terminal / Console Connectivity in MAC OS X

It took me a couple of Googles to work this out… I have a Belkin f5u103v USB-to-Serial adapter and needed a console connection to a Cisco switch.

To get started install this driver from apple (I think it needed a reboot).

If this was successful, when you connect the USB-to-Serial adapter you’ll be asked if you want to set up a modem / network connection… say no. From a terminal you should now see a new device similar to mine…

NickBook:~ nick$ ls /dev/cu*
/dev/cu.Bluetooth-Modem	/dev/cu.PL2303-00001004	/dev/cu.Bluetooth-PDA-Sync
NickBook:~ nick$ 

The PL device disappears when I unplug the USB adapter. Next you need a copy of minicom; I installed MacPorts and did port install minicom.

Since I don’t want to re-invent the wheel, now go to http://www.macosxhints.com/article.php?story=20040521145713551 and start at STEP 3 to configure minicom (obviously you’ll replace /dev/cu.USA19QI191P1.1 with something similar to /dev/cu.PL2303-00001004). Once finished you’ll be set.. happy terminal session!

Cisco NAC (Clean Access) CLI Commands.

I can never find these when I want them…

also, from the release notes show version…

cat /perfigo/build

.. there are some other useful scripts in /perfigo/common/bin such as

/perfigo/common/bin/fostate.sh

… is used for checking failover state, if you can think of any more please post them in the comments ;)

Irritating ASDM & Java issues…

Follow-up from this tweet. Every time I tried to connect to the ASA’s ASDM, Java would crash with a Null Pointer exception. I tried everything: deleting the .asdm folder in my home directory (My Documents on Windows) and uninstalling the ASDM launcher didn’t help, and neither did clearing Java’s cache or uninstalling and re-installing Java.

In the end I had to downgrade, very frustrating!

Cisco ASA Syntax Highlighting with Notepad++

When using windows, Notepad++ is my editor of choice. When editing PHP files, it’s nice to see coloured highlighting confirming your syntax is correct.

As I regularly have to review & build Cisco ASA Firewall configs I thought it would be nice to add a little colour :)

Notepad++ supports a user-defined language system whereby users can create their own syntax highlighting. As Google couldn’t find anyone else who’d had a go at this before, I thought I’d have a crack at being the 1st.

Attached to this post you’ll find userDefineLang_ASA.xml, what you need to do is..

1. Download the user-defined language to your computer
2. Open the file with your favourite text editor (such as notepad++ or notepad)
3. Click start, run, type (or paste in) %APPDATA%\Notepad++ then click ok
4. Open userDefineLang.xml with a text editor
5. If this is the first userdefined language you are adding, copy/paste the entire first file (which you downloaded) into the userDefineLang.xml, replacing all that was there. If this is the second or more language you add, simply copy everything from the first file starting at to and paste it at the end of the userDefineLang.xml right before
6. Save the newly improved userDefineLang.xml

Reference: http://notepad-plus.sourceforge.net/uk/download.php

Now my implementation is quite simple at this stage: I’ve copied all the top-level commands, i.e. anything from an initial “?” such as “show”, but I haven’t gone through grabbing level two such as “run” as in “show run”. I have however added the most common level-two commands so you should see something useful.

Comments or improvements welcome :cool: