Wednesday, April 30, 2014

Cisco ASA: An Initial Configuration Task List For The ASA 5505 Pre-8.3

Don't do this on anything over a 5505. It won't work for you. This is a quick config task list to get your ASA 5505 up and running quickly. It's the older (pre-8.3) code, keep that in mind. This will get you on the Internet, which is the goal of a lot of very small offices that just want some sort of protection.
TASK LIST AND CONFIG:
change hostname
ciscoasa(config)# hostname ASA
configure domain name
ASA(config)# domain-name ASA.com
create crypto key
ASA(config)# crypto key generate rsa mod 2048
configure internal ip addresses
ASA(config)# int vlan 1
ASA(config-if)# no ip add
ASA(config-if)# ip add 192.168.5.1 255.255.255.0
configure outside interface ip address
ASA(config-if)# int vlan 2
ASA(config-if)# no ip address dhcp setroute
ASA(config-if)# ip add 5.5.5.46 255.255.255.252
configure default route
ASA(config-if)# route outside 0.0.0.0 0.0.0.0 5.5.5.45
disable HTTP access to the ASA
ASA(config)# no http 192.168.1.0 255.255.255.0 inside
ASA(config)# no http server enable
allow SSH access to ASA
ASA(config)# ssh 0.0.0.0 0.0.0.0 outside
ASA(config)# ssh 0.0.0.0 0.0.0.0 inside
define a user login instead of the default:
ASA(config)# username shane pass thisismypassword pri 15
ASA(config)# aaa authen ssh cons LOCAL
ASA(config)# aaa authen enable cons LOCAL
ASA(config)# aaa authen serial consol LOCAL
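One thing worth checking once the task list above is typed in is the management plane: the two ssh lines as written permit SSH from any source on both interfaces, and the whole point of the http and aaa lines is to turn off the default HTTP server and bind logins to the local user. The following is an added example, not part of the original post and not Cisco's code. It audits a pasted running config for those points and can tighten the inside SSH line to one subnet. The sample config is a constructed approximation of what show run would hold after the task list (the ASA expands abbreviations such as "ip add" and "pri" when it stores them), and the finding text is this example's own wording.

```python
import re

# Constructed sample: roughly what 'show run' gives back after the post's task
# list, with the abbreviated commands expanded the way the ASA stores them.
SAMPLE_CONFIG = """\
hostname ASA
domain-name ASA.com
interface Vlan1
 ip address 192.168.5.1 255.255.255.0
interface Vlan2
 ip address 5.5.5.46 255.255.255.252
route outside 0.0.0.0 0.0.0.0 5.5.5.45 1
no http server enable
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
username shane password thisismypassword privilege 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
"""

# ssh <network> <mask> <interface>
SSH_RE = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def audit_asa_config(config: str) -> list:
    """Return findings (strings) for the management-plane items the task list touches."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    findings = []

    # 1. Hostname still at the factory default, or never set at all
    if "hostname ciscoasa" in lines or not any(l.startswith("hostname ") for l in lines):
        findings.append("hostname: factory default or not set")

    # 2. SSH source restriction: 0.0.0.0 0.0.0.0 means any host reaching that interface
    for l in lines:
        m = SSH_RE.match(l)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            findings.append(f"ssh: any source permitted on '{m.group(3)}'")

    # 3. HTTP/ASDM server: the task list disables it, so flag it if it is still on
    if "http server enable" in lines:
        findings.append("http: ASDM/HTTP server still enabled")

    # 4. Without this line SSH logins are not checked against the local username created above
    if not any(l.startswith("aaa authentication ssh console") for l in lines):
        findings.append("aaa: no authentication database bound to SSH logins")

    return findings


def restrict_ssh_to(config: str, interface: str, network: str, mask: str) -> str:
    """Rewrite an any-source 'ssh' line for one interface to a single allowed network."""
    out = []
    for line in config.splitlines():
        m = SSH_RE.match(line.strip())
        if m and m.group(3) == interface and m.group(1) == "0.0.0.0":
            out.append(f"ssh {network} {mask} {interface}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG):
        print(finding)
    print(restrict_ssh_to(SAMPLE_CONFIG, "inside", "192.168.5.0", "255.255.255.0"))
```

Run against the sample it reports the two any-source ssh lines and nothing else; after restricting the inside line to 192.168.5.0/24 only the outside line remains, which is the one to think hardest about on a box that sits on the Internet.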

Tuesday, April 29, 2014

Cisco ASA: How Can You Tell If Your ASA Is Affected By The Heartbleed Vulnerability/Bug

I've been really busy lately, but I have now taken the time to really investigate the Heartbleed bug for the Cisco ASA. Here is how you can know for sure IF your ASA is affected. Here are the versions of OpenSSL affected, according to the CVE site:
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
With that said, find out your ASA version; say, for example, it is 8.4.5. Then go to Cisco's site at this location: http://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asaroadmap.html#wp54064
Find your version and click on that link. Then click on the "Open Source License" link, search for 'openssl' and verify your version of OpenSSL. Some versions don't appear to report the OpenSSL version. Not sure why.
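The CVE sentence quoted above defines the affected range precisely ("1.0.1 before 1.0.1g"), which is easy to misread when the letter suffix is missing or when the text also contains the ASA's own version number. As an added example (not part of the original post, not Cisco's or OpenSSL's code), here is a small checker that encodes that range and that classifies a pasted excerpt from the "Open Source License" page, returning "unknown" when no OpenSSL version is listed, which is the case the post notes for some releases. It follows only the CVE sentence quoted here; the 1.0.2 beta builds the full advisory also lists are not modelled.

```python
import re

# A bare version such as '1.0.1e' (anchored, so '8.4.5' elsewhere is never confused with it)
BARE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")
# A version preceded by the word OpenSSL, as it appears in the Open Source License text
PREFIXED_RE = re.compile(r"openssl[\s:vV-]*(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(version: str):
    """'1.0.1e' -> ((1, 0, 1), 'e'); raises on anything that is not a bare OpenSSL version."""
    m = BARE_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_heartbleed_affected(version: str) -> bool:
    """True for OpenSSL 1.0.1 through 1.0.1f, i.e. '1.0.1 before 1.0.1g' as the CVE text says."""
    base, letter = parse_openssl_version(version)
    if base != (1, 0, 1):
        # 0.9.8x and 1.0.0x predate the heartbeat code; 1.0.1g and later are fixed.
        # (1.0.2 beta builds are outside what the quoted CVE sentence covers.)
        return False
    # '' (plain 1.0.1) and 'a'..'f' all sort before 'g'
    return letter < "g"


def classify_release_notes(open_source_text: str) -> str:
    """Summarise a pasted Open Source License excerpt: affected / not affected / unknown."""
    m = PREFIXED_RE.search(open_source_text)
    if not m:
        return "unknown: no OpenSSL version reported, confirm with Cisco"
    version = ".".join(m.group(1, 2, 3)) + m.group(4)
    verdict = "affected" if is_heartbleed_affected(version) else "not affected"
    return f"{verdict}: OpenSSL {version}"


if __name__ == "__main__":
    # Constructed excerpts, not real Cisco release-note text
    for excerpt in ("ASA 8.4.5 ... OpenSSL 1.0.1e ...", "ASA 9.1 ... openssl 0.9.8y", "no version here"):
        print(classify_release_notes(excerpt))
```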

Sunday, April 27, 2014

A Little Better Sleep...

Sometimes being the church God meant for us to be can mean missing church.  I'm not suggesting you quit going to church, but sometimes the world outside those walls needs 'the church' more than those inside them.
Maybe you can relate to this, maybe not.

Thursday, April 24, 2014

Cisco ASA: How To License The IPS Module

For the IPS module in the ASA, I had to go to the Cisco licensing site to get the license. Not a big deal, you just have to know the process. Here it is:
1. Verify the current software version your IPS module is running.  You can do this by running a “show module” command.
2. Go to http://cisco.com/go/license.  Log in using your Cisco.com username and password.
3. Click on the “Get New” tab and select “Crypto, IPS and Other Licenses”
4. Select Security products and choose between:
• Cisco Services for IPS service license (Version 6.1 and later) 
• Cisco Services for IPS service license (Version 6.0.x and earlier)
5. Choose your device
6. Specify any required information on the following screen.
7. Check to confirm that you agree to the License agreement and specify the email addresses where you would like the licenses to be sent.
8. Click “Get license”.  The license will be emailed within an hour to the specified email addresses.

Now that I have the license, here is how I got it on the IPS module.  Remember, you have to have an IP address on the module already.  You can follow THIS LINK to find out how to get an IP on your module for this.
Turn on your FTP server on your laptop.  Now take a look below.

sensor#
sensor# copy ftp://shane@192.168.100.87/JADXXXXXX_XXXXXXXXXXXXX.lic license-key
Password: *****
sensor# sh ver
Application Partition:

Cisco Intrusion Prevention System, Version 6.0(6)E4

Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S480.0                   2010-03-24
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               ASA-SSM-10
Serial Number:          JADXXXXXX
Licensed, expires:      24-Mar-2015 UTC
Sensor up-time is 24 days.
Using 659283968 out of 1032499200 bytes of available memory (63% usage)
application-data is using 39.8M out of 166.8M bytes of available disk space (25% usage)
boot is using 37.8M out of 68.6M bytes of available disk space (58% usage)


MainApp          N-NUBRA_2009_JUL_15_01_10_6_0_5_57    (Ipsbuild)   2009-07-15T01:15:08-0500   Running
AnalysisEngine   NE-NUBRA_E4_2010_MAR_24_22_44_6_0_6   (Ipsbuild)   2010-03-24T22:47:53-0500   Running
CLI              N-NUBRA_2009_JUL_15_01_10_6_0_5_57    (Ipsbuild)   2009-07-15T01:15:08-0500

Upgrade History:

  IPS-K9-6.0-6-E4   00:14:06 UTC Thu Mar 25 2010

Recovery Partition Version 1.1 - 6.0(6)E4

sensor#
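Two lines in that show ver output are worth watching after the license is on: "Licensed, expires" (when it lapses, signature updates stop) and the "Signature Update" date (the output above shows a 2010 signature set on a sensor being licensed in 2014). The following is an added example, not part of the original post and not Cisco's code: a parser for those two lines plus a health check that reports an expiring license or a stale signature set. The sample is the post's own output trimmed down; the warning thresholds are this example's choice.

```python
import re
from datetime import date, datetime

# Excerpt of the 'show ver' output from the post (serial number already masked there)
SAMPLE_SHOW_VER = """\
Cisco Intrusion Prevention System, Version 6.0(6)E4

Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S480.0                   2010-03-24
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               ASA-SSM-10
Serial Number:          JADXXXXXX
Licensed, expires:      24-Mar-2015 UTC
Sensor up-time is 24 days.
"""

LICENSE_RE = re.compile(r"^Licensed, expires:\s+(\d{1,2}-[A-Za-z]{3}-\d{4})", re.M)
SIG_RE = re.compile(r"^\s*Signature Update\s+(S\d+\.\d+)\s+(\d{4}-\d{2}-\d{2})", re.M)


def parse_show_ver(text: str) -> dict:
    """Extract license expiry and signature level/date from IPS 'show ver' output."""
    info = {"license_expires": None, "signature_level": None, "signature_date": None}
    m = LICENSE_RE.search(text)
    if m:
        info["license_expires"] = datetime.strptime(m.group(1), "%d-%b-%Y").date()
    m = SIG_RE.search(text)
    if m:
        info["signature_level"] = m.group(1)
        info["signature_date"] = date.fromisoformat(m.group(2))
    return info


def sensor_health(text: str, today, expiry_warn_days: int = 60, max_sig_age_days: int = 30) -> list:
    """Findings a defender cares about: license lapsing or lapsed, signatures stale.
    'today' is a date or an ISO string, passed in so the check is reproducible."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    info = parse_show_ver(text)
    findings = []
    if info["license_expires"] is None:
        findings.append("no license expiry found: sensor may be unlicensed")
    else:
        left = (info["license_expires"] - today).days
        if left < 0:
            findings.append(f"license expired {-left} days ago")
        elif left <= expiry_warn_days:
            findings.append(f"license expires in {left} days")
    if info["signature_date"] is None:
        findings.append("no signature update date found")
    else:
        age = (today - info["signature_date"]).days
        if age > max_sig_age_days:
            findings.append(f"signature set {info['signature_level']} is {age} days old")
    return findings


if __name__ == "__main__":
    for finding in sensor_health(SAMPLE_SHOW_VER, "2014-04-24"):
        print(finding)
```

On the post date (2014-04-24) the license is fine but the signature set is flagged as four years old; run with a date after the expiry and the license finding appears as well.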

Wednesday, April 23, 2014

Brocade: The Trend I Keep Seeing...

Don't judge me for what I see. I just call it like I see it. This just seems to be the trend. More Cisco replacements.


Tuesday, April 22, 2014

Check Point Gaia: Install Of Two 4600s Out Of The Box

I wanted to show you how easy a Gaia install is. Check Point makes it easy. I'm just going to show you the screenshots. It doesn't take very long. This is for a pair of 4600s that will be set up as ClusterXL.
Monday, April 21, 2014

Check Point Gaia: Fresh/New Install Of R77.10 On A 4600 Appliance With A USB Drive

At this point, the 4600 appliances come with R75.46 and R77 on them. That's all good, but the problem is that I want R77.10 on these 4600s that I have to install. No worries. We will do a fresh install.
But I don't carry around a CD or DVD drive with me when I do these installs. I carry around a USB drive for the install. Here is what I did on an R77.10 install using a USB drive.
First, I have to get my USB drive ready. I did this with ISOmorphic, downloadable at the Check Point site. I had my ISO of R77.10 downloaded already, I just needed to get it onto my USB drive. Here is how I did it with ISOmorphic:
Press GO! to get it on the drive in a bootable format. When it's done, you have a bootable USB you can put into the appliance.
Turn off the power to your appliance, plug in your console cable and put in your USB drive. After it boots from the USB, you get the choice shown below. I chose 'serial' by typing it in. Choose what fits your scenario.

It will go through the install process.  You will see things like the below shots:
Physically:

During install:

You get the idea. Once it's done, you should see this on the display:

Power off the unit and take out the USB drive.  Boot back up.  You should be at Gaia/Check Point R77.10.  WebUI into the appliance and verify for initial setup.

Looks good.  Now go set it up.

Sunday, April 20, 2014

Sunday: Are We A Beautifully Created Thing?

I want to encourage you to see yourselves (and others) the way God sees you.  If you like music, check out this song.  I highly recommend this 5 minutes.

Beautiful Things - Gungor

Friday, April 18, 2014

Brocade Switch: ICX6610 Module Numbering Assignments

I have come across a few folks who ask about the numbering assignments to the Brocade switches.  Below, I have an example of what they are for the ICX6610 switch.  It just takes some getting used to.
Ethernet ports are 1/1/X
Stacking ports on the back are 1/2/X
GBIC ports on the front are 1/3/X
If you are looking at a stack, switch 1 will be the 1/X/X.  Switch 2 in the stack will be 2/X/X, and so forth.

Thursday, April 17, 2014

Wednesday, April 16, 2014

Brocade Switch: How To Enable HTTP/Web Access To The ICX/FCX Switch

I was called by a customer who wanted to get into the WebGUI of a Brocade FCX. Well, I have to admit, I didn't know right off. Everyone who knows me knows that when it comes to Brocade and Cisco, I'm a CLI guy. Call me old school I guess, but it works for me. Anyway, I had to do a little digging and here is how I got the customer HTTPS access (not HTTP):

telnet@FCX#config t
telnet@FCX(config)#crypto-ssl certificate generate
telnet@FCX(config)#username shane pass shane
telnet@FCX(config)#aaa authentication web-server default local
telnet@FCX(config)#exit
telnet@FCX#wr mem
Write startup-config done.

After that, he was able to use HTTPS://ip_address to get into the WebGUI and manage the Brocade FCX switch.

Tuesday, April 15, 2014

Brocade Switch: "Invalid input -> untagged ethernet X/X/X" : Default Vlan Thoughts

Man, this really gets me. I don't like having to do this, but I guess there is some logic behind it somewhere. Everyone knows I like the Brocade switches, so don't hate me for pointing this one thing out. I don't like how you have to change the default VLAN ID from VLAN 1 to something else (unless you are not going to use VLAN 1). You don't have to do that in Cisco. And because you have to change this in Brocade, you get the following kind of config notice when you are trying to configure a port for the default VLAN:
ICX6610-48P Router(config)# vlan 1
ICX6610-48P Router(config-vlan-1)#untagg eth 1/1/1
Invalid input -> untagg eth 1/1/1
Type ? for a list
ICX6610-48P Router(config)#default-vlan-id 499
ICX6610-48P Router(config)#vlan 1
ICX6610-48P Router(config-vlan-1)#untagg eth 1/1/1
Added untagged port(s) ethe 1/1/1 to port-vlan 1.

So, one way to look at this is that the default VLAN (in Brocade) is the parking lot for any port that does not belong to a usable VLAN. So, if you have 10 VLANs and you are routing between them, you won't be using the default VLAN. You will be using that only as a parking lot for any port that doesn't fit into your 10 VLAN scenario. So the default is VLAN 1. Keep note of that and change it when you start configuring a switch. Almost everyone uses VLAN 1. I said 'almost'.

Some useful notes I found in the Brocade/Foundry documentation:
1.  When you enable port-based VLANs, all ports in the system are added to the default VLAN. By default, the default VLAN ID is “VLAN 1”. The default VLAN is not configurable. If you want to use the VLAN ID “VLAN 1” as a configurable VLAN, you can assign a different VLAN ID to the default VLAN.

2.  NOTE: Changing the default VLAN name does not change the properties of the default VLAN. Changing the name allows you to use the VLAN ID "1" as a configurable VLAN.

3.  You must specify a valid VLAN ID that is not already in use. For example, if you have already defined VLAN 10, do not try to use “10” as the new VLAN ID for the default VLAN. Valid VLAN IDs are numbers from 1 – 4095.

Monday, April 14, 2014

Brocade ICX Switch: "Command Not Allowed in NI style LAG CLI mode" - Link Aggregation Groups (LAG) Configuration And Notes - The New Port-Channel

I'm always a fan of bonding ports together for more throughput. I mean, when you have the capability to do so and the port density, why not? 1 Gig is not as fast as 2 Gig, right? In the 8.X code that Brocade has come out with, they have retired the "trunk" command. I found this out the hard way when I upgraded some switches to the 8.X code and then tried to configure the bonded ports. This is what I got in return:
"Command Not Allowed in NI style LAG CLI mode".
Bummer. I have no idea what that means, but I do know it means that I can't configure trunks like I used to. Here was the old config way that I tried in the 8.X code:
trunk ethe 1/1/1 to ethe 1/1/4
port-name "TO VM SWITCHES" ethernet 1/1/1
port-name "TO VM SWITCHES" ethernet 1/1/2
port-name "TO VM SWITCHES" ethernet 1/1/3
port-name "TO VM SWITCHES" ethernet 1/1/4
trunk deploy

I guess it's time to move to another method.
Link Aggregation Groups. That's the way now in the 8.X code. Here is how I configured the bonded ports:

6610(config)# lag LAG01 static id 1
6610(config-lag-LAG01)#ports ethernet 1/1/1 to 1/1/4
6610(config-lag-LAG01)#primary-port 1/1/1
6610(config-lag-LAG01)#deploy
This bonded 4 1Gig ports together for a total of 4Gig.  I like that, and when connecting uplinks, that can be important.  When you have a switch that has 1Gig ports already, you NEED your uplinks to be faster than your server/pc ports.  
When I do a 'show run', this is what it looks like:
lag "LAG01" static id 1
 ports ethernet 1/1/1 to ethernet 1/1/4
 primary-port 1/1/1
 deploy
 port-name Uplink ethernet 1/1/1


So, here are some notes I found on Brocade's site when I had to look up this configuration.
The new LAG configuration procedures supersede the previous configurations procedures for LAGs and Dynamic Link Aggregation. When a Brocade device is upgraded to 08.0.00a any configurations for LAGs or Dynamic Link Aggregation defined in releases prior to 08.0.00a will be converted to a 08.0.00a (and later) compatible LAG configuration. Details about how this conversion is performed are described in “Migrating from a previous release to 08.0.00a LAG or LACP configuration”. 

Brocade software supports the IEEE 802.3ad standard for link aggregation.
This standard describes the Link Aggregation Control Protocol (LACP), a mechanism for allowing ports on both sides of a redundant link to form a trunk link (aggregate link), without the need for manual configuration of the ports into trunk groups.  When you enable link aggregation on a group of ports, the ports can negotiate with the ports at the remote end of the links to establish trunk groups.
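The Brocade note above says the upgrade itself converts old trunk definitions to the 08.0.00a LAG form; the failure in this post came from typing the retired syntax by hand on the new code. If you keep old-style config templates around, the following added example (not part of the original post and not Brocade's migration code) rewrites the "trunk ... to ..." / "trunk deploy" form into the static lag block shown above, carrying the port-name lines into the lag the way the 8.X show run does. Naming the LAGs LAG01, LAG02 with sequential ids and making the first port the primary-port are this example's choices, mirroring the config in the post; a port-name that falls outside the trunk's port range is rejected rather than silently moved.

```python
import re

# Constructed input in the pre-8.X syntax the post shows failing
OLD_TRUNK_CONFIG = """\
trunk ethe 1/1/1 to ethe 1/1/4
 port-name "TO VM SWITCHES" ethernet 1/1/1
 port-name "TO VM SWITCHES" ethernet 1/1/2
 port-name "TO VM SWITCHES" ethernet 1/1/3
 port-name "TO VM SWITCHES" ethernet 1/1/4
trunk deploy
"""

TRUNK_RE = re.compile(r"^\s*trunk\s+ethe(?:rnet)?\s+(\d+/\d+/\d+)\s+to\s+ethe(?:rnet)?\s+(\d+/\d+/\d+)\s*$")
PORTNAME_RE = re.compile(r'^\s*port-name\s+(".*?"|\S+)\s+ethe(?:rnet)?\s+(\d+/\d+/\d+)\s*$')
DEPLOY_RE = re.compile(r"^\s*trunk\s+deploy\s*$")


def port_key(port: str) -> tuple:
    """'1/1/4' -> (1, 1, 4): unit/slot/port, so ranges compare numerically."""
    return tuple(int(x) for x in port.split("/"))


def in_range(port: str, first: str, last: str) -> bool:
    """True when port is on the same unit/slot as the range and between its ends."""
    p, f, l = port_key(port), port_key(first), port_key(last)
    return p[:2] == f[:2] and f <= p <= l


def convert_trunks_to_lags(old_config: str) -> str:
    """Emit one static LAG block per 'trunk ... to ...' group, in the 8.X form the post uses."""
    out, lag_id = [], 0
    first = last = None     # ends of the trunk group currently being collected
    names = []              # (name, port) pairs seen inside that group
    for line in old_config.splitlines():
        m = TRUNK_RE.match(line)
        if m:
            first, last = m.group(1), m.group(2)
            if port_key(first)[:2] != port_key(last)[:2] or port_key(first) >= port_key(last):
                raise ValueError(f"bad trunk range {first} to {last}")
            names = []
            continue
        m = PORTNAME_RE.match(line)
        if m and first:
            if not in_range(m.group(2), first, last):
                raise ValueError(f"port-name for {m.group(2)} is outside {first} to {last}")
            names.append((m.group(1), m.group(2)))
            continue
        if DEPLOY_RE.match(line) and first:
            lag_id += 1
            out.append(f'lag "LAG{lag_id:02d}" static id {lag_id}')
            out.append(f" ports ethernet {first} to ethernet {last}")
            out.append(f" primary-port {first}")
            out.append(" deploy")
            for name, port in names:
                out.append(f" port-name {name} ethernet {port}")
            first = last = None
            continue
        out.append(line)    # anything outside a trunk group passes through unchanged
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(convert_trunks_to_lags(OLD_TRUNK_CONFIG))
```

Diff the result against what the switch produced on its own after the upgrade before pasting anything in; the id and name are the two things most likely to differ from what the automatic conversion picked.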


Saturday, April 12, 2014

Server Room Temperatures

I know we all know this, but you have to keep the server room temperatures down as low as you can. Some people don't mind 80 and 90 degrees, from what I have personally heard from others. However, I have been in electronics and I know for sure that electronic devices prefer cooler temperatures. Just a fact of life and a longer lifespan for a piece of network equipment. Keep the server room temperatures down low. You will get longer life out of that equipment if you do.

Thursday, April 10, 2014

Cisco 3750-X vs Brocade ICX6450

I had a guy say to me a few days back in a conversation we were having: "So you would put the Brocade in (in the network) over the Cisco?" He was referring to putting the Brocade ICX6450s sitting on a desk over the Cisco 3750-Xs. My answer: "Yep". He didn't ask why, but this company is an all-Cisco shop. Nothing wrong with that, but I like to back up what I say with some facts. You decide for yourself when comparing these two side by side on some important hardware performance specs.
Forwarding Rate:
Cisco 3750-X 48 port (any model)    101.2 mpps
Brocade ICX6450 48 port             132 mpps

Switching Rate:
Cisco 3750-X 48 port (any model)    160 Gbps
Brocade ICX6450 48 port             176 Gbps

Stacking Bandwidth:
Cisco 3750-X 48 port (any model)    32 Gbps
Brocade ICX6450 48 port             40 Gbps

Total Members In A Stack:
Cisco 3750-X 48 port (any model)    9
Brocade ICX6450 48 port             8

Generic Price (based on a popular equipment sales site):
Cisco 3750X-48T-S                   $8224.99
Brocade ICX6450 48 port             $3165.99

Wednesday, April 9, 2014

Brocade Switch: Initial Configuration Of An ICX6610 - Steps To Success

I told someone that I would do a template for an ICX6610 and have since forgotten about it until today.  My apologies for that.  I just went through setting up one for a customer and thought I would write down the steps I went through.  This is, however, generic and not the config.  More of a "this is the steps I took" than a "here is the config I did".  I think it will be helpful either way though.  This is the order:
1. change default vlan id
2. tftp new firmware image
3. upgrade POE image
4. change hostname
5. create vlans 
6. put port in vlans
7. create VE interfaces/ip addresses
8. change number of system static route entries
9. add routes
10. put ports in vlans (voice and data)
11. on the interfaces, configured voice and data vlans (had Cisco phones in the network)
12. on the interfaces, configured inline power class to 2
13. configure login for SSH only

Tuesday, April 8, 2014

Brocade Switch: "Static Route: Errno(7) Duplicate route entry" On An ICX6610

Have you ever seen this before?
Brocade-6610(config)#ip route 10.20.0.0 255.255.0.0 10.20.0.1
Static Route: Errno(7) Duplicate route entry

Well, first, Errno is not a word. Second, I'm supposed to be able to put in over 2000 static routes if I want to. However, on the ICX6610, I have to configure it. The default value for static routes is 64. Sometimes, I need more than that. There are some system default values you should be aware of. Here they are:
Brocade-6610#show default value
sys log buffers:50         mac age time:300 sec       telnet sessions:5

ip arp age:10 min          bootp relay max hops:4     ip ttl:64 hops
ip addr per intf:24

when multicast enabled :
igmp group memb.:260 sec   igmp query:125 sec         hardware drop: enabled

when ospf enabled :
ospf dead:40 sec           ospf hello:10 sec          ospf retrans:5 sec
ospf transit delay:1 sec

when bgp enabled :
bgp local pref.:100        bgp keep alive:60 sec      bgp hold:180 sec
bgp metric:10              bgp local as:1             bgp cluster id:0
bgp ext. distance:20       bgp int. distance:200      bgp local distance:200

System Parameters    Default    Maximum    Current    Configured
ip-arp               4000       64000      4000       4000
ip-static-arp        512        6000       512        512
ip-cache             10000      32768      10000      10000
ip-filter-port       3068       3068       3068       3068
ip-filter-sys        2048       8192       2048       2048
l3-vlan              32         1024       32         32
ip-qos-session       1024       16000      1024       1024
mac                  32768      32768      32768      32768
ip-route             12000      15168      12000      12000
ip-static-route      64         2048       2048       64
vlan                 64         4095       64         64
spanning-tree        32         254        32         32
mac-filter-port      16         256        16         16
mac-filter-sys       32         512        32         32
ip-subnet-port       24         128        24         24
session-limit        8192       16384      8192       8192
view                 10         65535      10         10
virtual-interface    255        512        255        255
hw-traffic-condition 896        896        896        896
rmon-entries         1024       32768      1024       1024
igmp-snoop-mcache    512        8192       512        512
mld-snoop-mcache     512        8192       512        512
ip6-route            908        2884       908        908
ip6-static-route     178        576        181        181
ip6-cache            908        2884       908        908
msdp-sa-cache        4096       8192       4096       4096
hw-ip-route-tcam     16384      16384      16384      16384
ip-vrf               16         16         16         16
ip-route-default-vrf 12000      15168      12000      12000
ip6-route-default-vr 908        2884       908        908
ip-route-vrf         1024       15168      1024       1024
ip6-route-vrf        100        2884       100        100
pim-hw-mcache        1024       6144       1024       1024
pim6-hw-mcache       512        1024       512        512
igmp-snoop-group-add 4096       8192       4096       4096
mld-snoop-group-addr 4096       8192       4096       4096
mac-notification-buf 4000       16000      4000       4000
Brocade-6610#

So here is how you change that static route limitation of 64 routes:
Brocade-6610(config)#system-max ip-static-route 2048
Reload required.  Please write memory and then reload or power cycle.
Brocade-6610(config)#reload
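The "System Parameters" table above is the part of show default value to read before raising a limit: Maximum tells you how far system-max can go (some rows, such as mac and ip-vrf, are already at their ceiling), and a row whose Current and Configured columns disagree, which the ip-static-route row above does, means the running value and the stored value are out of step and the write memory / reload the switch asks for is still outstanding. As an added example (not part of the original post, not Brocade's code), here is a parser for that table with the checks just described and a helper that builds the system-max line only when the requested value is within the platform maximum. The sample rows are a subset copied from the post's own output.

```python
import re

# Rows taken from the post's 'show default value' output (a subset)
SAMPLE_DEFAULTS = """\
System Parameters    Default    Maximum    Current    Configured
ip-arp               4000       64000      4000       4000
ip-filter-port       3068       3068       3068       3068
l3-vlan              32         1024       32         32
mac                  32768      32768      32768      32768
ip-route             12000      15168      12000      12000
ip-static-route      64         2048       2048       64
vlan                 64         4095       64         64
ip6-static-route     178        576        181        181
hw-ip-route-tcam     16384      16384      16384      16384
ip-vrf               16         16         16         16
"""

# name, then four integer columns; the header line has no digits and is skipped
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.M)


def parse_system_parameters(text: str) -> dict:
    """Map each parameter name to its default/maximum/current/configured values."""
    rows = {}
    for m in ROW_RE.finditer(text):
        name = m.group(1)
        default, maximum, current, configured = (int(x) for x in m.groups()[1:])
        rows[name] = {"default": default, "maximum": maximum,
                      "current": current, "configured": configured}
    return rows


def pending_reload(rows: dict) -> list:
    """Parameters whose running and configured values disagree: write memory / reload outstanding."""
    return [n for n, r in rows.items() if r["current"] != r["configured"]]


def no_headroom(rows: dict) -> list:
    """Parameters already configured at the platform maximum; system-max cannot raise these."""
    return [n for n, r in rows.items() if r["configured"] >= r["maximum"]]


def headroom(rows: dict, name: str) -> int:
    """How much further a parameter can be raised from its configured value."""
    r = rows[name]
    return r["maximum"] - r["configured"]


def system_max_command(rows: dict, name: str, wanted: int) -> str:
    """Build the system-max line for a raise, refusing values the platform cannot hold."""
    if name not in rows:
        raise KeyError(f"unknown system parameter {name!r}")
    r = rows[name]
    if wanted > r["maximum"]:
        raise ValueError(f"{name}: {wanted} exceeds platform maximum {r['maximum']}")
    return f"system-max {name} {wanted}"


if __name__ == "__main__":
    rows = parse_system_parameters(SAMPLE_DEFAULTS)
    print("pending reload:", pending_reload(rows))
    print("no headroom:", no_headroom(rows))
    print(system_max_command(rows, "ip-static-route", 2048))
```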

Monday, April 7, 2014

Check Point: How To Configure DynamicID For Two Factor Authentication And One Time Password Usage Via Email

I like this feature out of Check Point.  Two factor authentication, which you can do with most firewalls, is pretty cool.  But I like that the Check Point will also generate you a one time password and send it to you for a second authentication method.  Their documentation is terrible, but here is how to set it up.

Go to your Mobile Access blade and add your Check Point firewall in.  Then, go down to the box circled above, and put in this string in the SMS provider and Email settings after you check the box for "challenge users...":
mail:TO=$EMAIL;SMTPSERVER=smtp.companyname.com;FROM=support@companyname.com;BODY=$RAWMESSAGE
Once you have configured this and you allow SSLVPN user access, the user will login successfully and then be sent a one time password.  The email (in this case) will look like this:


It's not too hard to set up, but again, Check Point's documentation is pretty terrible when it comes to this. But still a cool feature.

Sunday, April 6, 2014

33AD

What do you think about when you see this date?  Take 5 minutes.

Friday, April 4, 2014

Check Point Gaia: Upgrading Gaia To R77.10

Check Point has made Gaia easy to upgrade through the WebUI, although I personally am a fan of CLI when doing upgrades.  Simply go to the WebUI, login, then Maintenance --> Upgrade.  Then upload your file and then upgrade.  You see below that it will ask you to take a snapshot first.  I suggest you do that.  Then, it will ask you if you want to upgrade, which is the reason you are doing this.  Say yes to both.
Make sure you do a 'migrate export' and FTP it to your PC before you upgrade.


Reboot and you are done.

Thursday, April 3, 2014

Check Point: How To Edit The SSLVPN DynamicID Login Page - "An SMS with a verification code was sent to your phone"

I was working with my customer in trying to get Check Point's DynamicID working, which we did do successfully. However, one of the web pages that comes up after you put in your login credentials said something that we didn't really like, for our scenario. We wanted to only send an email to the user trying to login. We did not want to send an SMS text message. But the page that comes up after you login says the following:
"An SMS with a verification code was sent to your phone and should arrive shortly.  Please type the verification code sent to your phone:"

Well, that message gives me the impression that a 'text' message is going to be sent, which we are not doing in this case.  Again, we only wanted to send an email. 
So after a lot of digging and finding no solution for this, I had to hit the Check Point forums and post this to see if anyone knew how to edit that page.  I have to admit, I searched for a while with no resolution.  So I did post into the Check Point forum and a guy named Yehezkel H. replied to my question with the correct answer.  Here is what he said to me:

"You need to edit relevant strings in $CVPNDIR/phpincs/Strings.en_US.php (for English).
Start with E_PROMPT_SENT_SMS_PRE_PHONE and E_PROMPT_SENT_SMS_POST_PHONE."

So, I SSH'ed into the Check Point box and did what he said.  I went to the following location and used VI editor and edited the following:
cd $CVPNDIR/phpincs/
vi Strings.en_US.php

"E_PROMPT_SENT_SMS_PRE_PHONE"           => "An SMS with a verification code was sent to your phone",
"E_PROMPT_SENT_SMS_POST_PHONE"          => "and should arrive shortly.\n\nPlease type the verification code sent to your phone:",

Now, after editing this, it says the following:
"E_PROMPT_SENT_SMS_PRE_PHONE"           => "An email with a verification code was sent to your email account",
"E_PROMPT_SENT_SMS_POST_PHONE"          => "and should arrive shortly.\n\nPlease type the verification code provided in the email sent to you:",

Much better for our scenario.  
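Editing that file by hand in vi works, as shown above, but on a gateway it is worth doing it in a way that keeps a backup, touches only the two keys named, and tells you if a key is not there (a different language file, or a different build, could name them differently). The following is an added example, not part of the original post and not Check Point's code: it rewrites the values for the two keys from the post in a PHP key => "value" table. The sample text is a constructed excerpt of $CVPNDIR/phpincs/Strings.en_US.php holding just those two entries with the original wording from the post; the backslash-n sequences are kept as PHP escapes, not turned into real newlines.

```python
import re
import shutil

# Constructed excerpt of $CVPNDIR/phpincs/Strings.en_US.php: only the two entries the
# post edits, with their original wording. Raw string, so \n stays a PHP escape.
SAMPLE_STRINGS_PHP = r'''<?php
$strings = array(
"E_PROMPT_SENT_SMS_PRE_PHONE"           => "An SMS with a verification code was sent to your phone",
"E_PROMPT_SENT_SMS_POST_PHONE"          => "and should arrive shortly.\n\nPlease type the verification code sent to your phone:",
);
'''

# The replacement wording from the post (raw strings for the same reason)
NEW_STRINGS = {
    "E_PROMPT_SENT_SMS_PRE_PHONE": r"An email with a verification code was sent to your email account",
    "E_PROMPT_SENT_SMS_POST_PHONE": r"and should arrive shortly.\n\nPlease type the verification code provided in the email sent to you:",
}


def php_escape(value: str) -> str:
    """Escape double quotes for a PHP double-quoted string; backslash escapes (backslash-n etc.) pass through."""
    return value.replace('"', r'\"')


def replace_strings(php_text: str, replacements: dict):
    """Rewrite the values of the given keys in a PHP  "KEY" => "value",  table.
    Returns (new_text, missing_keys): a key that is not in the file is reported, not skipped silently."""
    missing = []
    for key, value in replacements.items():
        pattern = re.compile(r'^(\s*"' + re.escape(key) + r'"\s*=>\s*")(.*)(",?\s*)$', re.M)
        # A function replacement keeps re from interpreting backslashes in the new value
        new_text, count = pattern.subn(lambda m, v=value: m.group(1) + php_escape(v) + m.group(3), php_text)
        if count == 0:
            missing.append(key)
        php_text = new_text
    return php_text, missing


def edit_file(path: str, replacements: dict) -> list:
    """Apply replace_strings to a file on disk, keeping a .bak copy of the original first."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    new_text, missing = replace_strings(original, replacements)
    if new_text != original:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return missing


if __name__ == "__main__":
    text, missing = replace_strings(SAMPLE_STRINGS_PHP, NEW_STRINGS)
    print(text)
    print("missing keys:", missing)
```

To use it on the box you would call edit_file on the real path after the SSH session from the post; the .bak copy is what you put back if the portal renders wrongly afterwards.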

Wednesday, April 2, 2014

Cisco ASA: Error When Password Reset On IPS Module - "Authentication token manipulation error"

This error was really aggravating to me. Mainly because it was self-inflicted. What does the error message "Authentication token manipulation error" mean? Here is what it means, per Cisco:

In order to solve this issue, use default password (cisco) two times and then change the password from the config mode. The IDS requires the default password to be entered twice.

I did the above and it works.  I guess I wasn't paying attention.  
login:cisco 
Password:cisco
Enter current password:cisco
Enter new password: *** 
Re-enter new password: ***