Cisco NAC (Clean Access) CLI Commands.

I can never find these when I want them…

also, from the release notes show version…

cat /perfigo/build

.. there are some other useful scripts in /perfigo/common/bin such as

/perfigo/common/bin/fostate.sh

… is used for checking failover state, if you can think of any more please post them in the comments ;)

Irritating ASDM & Java issues…

Follow up from this tweet. Every time I tried to connect to the ASA’s ASDM Java would crash with a Null Pointer exception, I tried everything from deleting the .asdm folder in my home directory (my documents on windows), uninstalling the asdm launcher didn’t help, neither did clearing java’s cache or uninstalling and re-installing java.

In the end i had to downgrade, very frustrating!

Cisco ASA Syntax Highlighting with Notepad++

When using windows, Notepad++ is my editor of choice. When editing PHP files, it’s nice to see coloured highlighting confirming your syntax is correct.

As I regularly have to review & build Cisco ASA Firewall configs I thought it would be nice to add a little colour :)

Notepad++ supports a user defined language system whereby users can create their own syntax highlighting. As google couldn’t find anyone else who’d had a go at this before I thought I’d have a crack at being the 1st.

Attached to this post you’ll find userDefineLang_ASA.xml, what you need to do is..

1. Download the user-defined language to your computer
2. Open the file with your favourite text editor (such as notepad++ or notepad)
3. Click start, run, type (or paste in) %APPDATA%\Notepad++ then click ok
4. Open userDefineLang.xml with a text editor
5. If this is the first userdefined language you are adding, copy/paste the entire first file (which you downloaded) into the userDefineLang.xml, replacing all that was there. If this is the second or more language you add, simply copy everything from the first file starting at to and paste it at the end of the userDefineLang.xml right before
6. Save the newly improved userDefineLang.xml

Reference: http://notepad-plus.sourceforge.net/uk/download.php

Now my implementation is quite simple at this stage, I’ve copied all the top level commands, i.e. anything from an initial “?” such as “show”, but I haven’t gone thru grabbing level two such as “run” as in “show run”. I have however added the most common level two commands so you should see something useful.

Comments or improvements welcome :cool:

Introduction to CCIE Security Mind Maps on XMIND

In 2004 I certified as a CCSP, well actually back then it was called CSS1, anyway after a couple of year experience I decided that would start walking down the CCIE security path.

Cisco recommends that potential candidates have a CCSP and at least 5 years experience in IT Security, and when I made the decision back in 2006/7 to begin studying I qualified in both cases and figured this was the path for me.

The thing is, the more I studied the more I realised what I didn’t know; I changed employers and began getting some practical experience with Ciscos non-security technology as routing & switching features quite heavily. After 2 years of gathering as much information as I can on both Ciscos security and basic-networking portfolio and think 2009 is the year to stop putting this off and go for it!

I’ve messed about with many different techniques to prepare for the CCIE SEC Written, different ideas ranging from old skool A4/A3 notebooks, to google notebook, delicious keeps a record of some good bookmarks, and I guess my Cisco and security blog posts count!

Meet my latest, and hopefully last plan…


See the rest of my Mind Maps

Yep, I’m mind mapping, not only that but I’m going opensource and the maps are on XMIND. The Maps are far from finished but I’m hoping that this work will not only get me up to standard but also help others, after all you can’t have too many security experts!

If you have any suggestion of good revion resources, NOT testing kings or ways to cheat! Please comment and let me know.

UPDATE: Forgot to post that the .xmind file is also in my dropbox :)

Multiple SYSLOG Receivers with a Cisco NAC Appliance Manager (CAM)

According to Cisco’s documentation on configuring syslog on a CAM, you can only forward the NAC logs to a single external log server. If you’re willing to get down and dirty with the Linux operating system underneath, then this document will show you that this is simply not the case.

To get started, tweak the default logging settings within the NAC web interface, this screen-shot shows I’m sending the syslog to the local host as local6 messages, this change will send a copy of the “normal” NAC event logs to the localhost syslog server.

Next we need to enable the localhost syslog server; the CAM is build upon a Fedora image, so the SYSLOG daemon is already running it’s just not listening on UDP 514 (thus not yet receiving the logs configured above). Change /etc/sysconfig/syslog , the line:
SYSLOGD_OPTIONS="-m 0"
to
SYSLOGD_OPTIONS="-m 0 -r"

Now that the local daemon is recieving the files we need to change /etc/syslog.conf, here we will make two changes, One: we will write a copy of the NAC events to disk – this will allow us to see what events the “NAC application” is sending. The second change we’ll make is the forwarding configuration, we will put in two lines (for both our syslog hosts) so that we send forward the syslogs to two different servers – which was our original intention :)
Add the following lines to /etc/syslog.conf :

# Log Messages sent from Cisco NAC Application to dedicated File
Local6.*	/var/log/CiscoNAC.log

# Forward all syslog messages to host1
*.* 	@loghost1
# Forward all syslog messages to host2
*.* 	@loghost2

*NOTE: loghost1 & loghost2 need to be resolvable via DNS or in /etc/hosts !!

Finally restart the syslog daemon /etc/init.d/syslog restart

Housekeeping
It’s good practice once we’ve made changes to clear up after ourselves, these are some option steps you can take.

Add /var/log/CiscoNAC.log to logrotate, so that it doesn’t just grow and grow until you run out of disk space. This is done by editing /etc/logrotate.d/syslog before /var/log/messages insert /var/log/CiscoNAC.log

You may also want to compress your syslogs, edit /etc/logrotate.conf and uncomment the word compress (remove the “#”) .

Important Note
When performing NAC upgrades, Cisco provide operating system package upgrades & changes, it’s important to check that after an upgrade this config changes still exist, also I take no responsibility for Cisco’s TAC not wanting to support you because of the changes made!

MARS: Zone product or package version does not match

I’ve been having problems getting my Cisco MARS Local and Global controllers to synchronise their topologies. This error message vexed me for a few days, but thankfully Cisco’s TAC solved it for me.

If you read Ciscos troubleshooting guides they will tell you to check that the MARS Local & Global controllers are running the same version, and to check that the SSL certificates are copied/pasted correctly.

If after checking the above Cisco recommendations and the additional basics ( network connectivity / ntp / timezones etc) check that both MARS boxes are running and have downloaded the same version of IPS signatures; under Admin -> IPS Signature Dynamic Update Settings -> Update Now.

It fixed the problem for me!

CS-Mars V6.0 in VMWARE (Franken Mars)

Emulating software is a very grey area for Cisco, they make their money by selling boxes so I guess officially Cisco don’t approve of things like GNS3 and PEMU. BUT cisco make a lot of their money from techies training in Cisco products who then get their management to buy boxes their certified in, as a result cisco appear to turn a blind eye to emulating their products for personal training purposes :)

So, I’m installing a CS-Mars box in the next couple of weeks and wanted to know what’s new in version 6. How to setup version 4 is already document here in this franken cs-mars guide, the thing is to upgrade from 4 to 6 is a re-image of the box. Upon re-imaging my VMWare appliance I realised that the lilo commands linux rw init=/bin/bash didn’t appear to work anymore. As a result I have a v6 mars box I can’t use due to a licensing problem.

To get this working read through both the old instructions, and what I have written.

The init/boot sequence of a mars box looks very much like a centos/fedora boot, so I thought up a cunning new plan. I downloaded the 1st installation CD of centos 5, after booting this CD instead of hitting “enter” and running the anaconda installer I typed linux rescue, this boots my appliance into a root linux shell. (See Update Below, boot from CentOS straight after MARS installs, don’t let MARS boot!)

What happened next was a little hit and miss, if you’re lucky you can type

mkdir /mnt/opt
mount /dev/md2 /mnt/opt

you can then

cd /mnt/opt/janus/release/bin
mv pnlicense pnlicense.org
echo "/bin/echo d84f7ceaf50f9c45683e2efb77752d4f:License verified:4:0:0:4" > pnlicense
chmod +x pnlicense

as per the old documentation.

If you’re unlucky this “mount” will fail, in this case ls /mnt/sysimage if you can’t see any files issue mount /dev/md1 /mnt/sysimage otherwise the plan is to change the root password so that we can edit the pnlicense file later.

Using vi edit /mnt/sysimage/etc/passwd, and change…

pnadmin:x:500:500::/opt/janus/release/bin:/opt/janus/release/bin/pnsh

for

pnadmin:x:500:500::/opt/janus/release/bin:/bin/bash

Next, setup your editor variable, and edit the suders file…

EDITOR=/mnt/sysimage/bin/vi;export EDITOR
visudo -f /mnt/sysimage/etc/suders

and add..

pnadmin ALL=(ALL)       NOPASSWD: ALL

Reboot by exiting the shell.

After the reboot login as pnadmin, you should now get a standard linux bash shell rather than the “hardened” cisco one. Change the root password…

sudo su
passwd root

And put /etc/password back to how it was. Now from the “pn shell” you can type expert and your root password will work and you’ll have root access to your mars box. With you new root access you can change the pnlicense file as described before and complete the setup process. :cool:

UPDATE: As commented by secopt below, to make this work you need to boot from the CentOS disk straight after the MARS image as installed, if you let the MARS OS boot (and start doing the oracle thing) then for some reason the mount commands don’t work!

UPDATE2: The mount command doesn’t work if you let MARS boot the 1st time as it changes the superblock, rokov has posted the following work around below…

  1. Assemble RAID
    mdadm –assemble /dev/md0 /dev/hda3 /dev/hdc3
  2. Change ext3 superblock magick number
    dd if=/dev/md0 skip=2 count=1 | sed ’s/\x5A\x7B/\x53\xEF/’ | dd of=/dev/md0 seek=2 count=1
  3. Mount partition
    mount /dev/md0 /mnt
  4. Do anything you want with it.
  5. Unmount partition and change magic back
    umount /mnt && d if=/dev/md0 skip=2 count=1 | sed ’s/\x53\xEF/\x5A\x7B/’ | dd of=/dev/md0 seek=2 count=1

Strange ASA ARP Replying Behavior

I’ve been implementing a few Cisco ASA’s recently, and I blogged about this strange behavior; well I came across another one yesterday.

Take a look at this debug arp….

CiscoASA# debug arp
debug arp  enabled at level 1
CiscoASA# 
CiscoASA# arp-set: added arp outside 192.168.1.122 001e.7000.1234 and updating NPs at 4301321940
arp-set: added arp inside 192.168.1.61 001a.7100.1234 and updating NPs at 4301321940
arp-in: request at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.120 001e.7a51.1234 arp-in: rqst for me from 192.168.1.125 for 192.168.1.120, on outside arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660 arp-in: generating reply from 192.168.1.120 001e.7a51.1234 to 192.168.1.125 001a.3000.1234
arp-in: request at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.73 001e.7a51.1234 arp-in: rqst for me from 192.168.1.125 for 192.168.1.73, on outside arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660 arp-in: generating reply from 192.168.1.73 001e.7a51.1234 to 192.168.1.125 001a.3000.1234 arp-in: request at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.69 001e.7a51.1234
arp-in: rqst for me from 192.168.1.125 for 192.168.1.69, on outside arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660 arp-in: generating reply from 192.168.1.69 001e.7a51.1234 to 192.168.1.125 001a.3000.1234
arp-in: request at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.123 001e.7a51.1234 arp-in: rqst for me from 192.168.1.125 for 192.168.1.123, on outside arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660 arp-in: generating reply from 192.168.1.123 001e.7a51.1234 to 192.168.1.125 001a.3000.1234 arp-in: response at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.125 ffff.ffff.ffff arp-in: updating gratuitous ARP 192.168.1.125 - 001a.3000.1234 arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660 CiscoASA#

The firewall is replying to arp requests even though both the source & destination of the traffic are on the same (outside) interface, now I haven’t manged to work out why the firewall was doing this, but I did find a fix on the cisco forums.

sysopt noproxyarp outside

Names, IPs & MAC’s have been changed to protect the innocent.
:cool:

Cisco NAC SSO Port List

Note to self, the ports I need to allow thru the Un-Authenticated ACL for Active Directory SSO to work…

TCP 88,135,389,636,445,1025,1026 				
UDP 88,389,636 

:)

Cisco ASA and 7905 IP Phone Weirdness

I came accross something odd the other day, I had some Cisco IP Phones on a DMZ interface and the Call Manager was behind the inside interface. If you made a call from a 7940 to a 7940 everything worked fine, if you made a call from a 7905 to a 7940 it failled!

I ran a packet capture and found that the phone was “bouncing” the RTP stream off the firewall rather than connecting directly to the peer phone… very weird! The problem was solved by enabling…

same-security-traffic permit intra-interface

I thought I post this for some future googlers!

Backup Interface on Cisco ASA Firewall

I tweeted a little while ago about Nokia recently supporting interface failover within IPSO, well it looks like Cisco’s ASA Version 8 software can do it now too!

The following example creates two redundant interfaces:

asa(config)# interface redundant 1
asa(config-if)# member-interface gigabitethernet 0/0
asa(config-if)# member-interface gigabitethernet 0/1
asa(config-if)# interface redundant 2
asa(config-if)# member-interface gigabitethernet 0/2
asa(config-if)# member-interface gigabitethernet 0/3

Reference: Adding a Redundant Interface