Archive | Cisco

PowerShell script to recreate Azure Network Security Groups (NSGs)

I developed a habit when I was working with ACLs on a Cisco ASA firewall. I would keep a master list for each ACL, and when I needed to make a change, I would remove the entire ACL from the device and then recreate it from that list. For example, I would run the following and keep adding new rules as needed.

clear configure access-list dmz_acl
access-list dmz_acl extended permit tcp host 1.1.1.1 object-group DCs eq 389
. . . .

Add one line, look at the logs and if traffic is still being blocked then modify and try again.

I wanted the ability to do the same thing with Azure Network Security Groups. I wrote a PowerShell script that looks at the NSGs, dumps their settings, and displays the commands needed to recreate them. Here is the script I wrote; I hope it helps someone.

function JBM-AZURE-GetNetworkSecurityGroupRules {
    param(
        [String]$Name,
        [Switch]$ShowCommands
    )
    # -Detailed is needed so the Rules collection of each NSG is populated (classic Azure module);
    # @() keeps $Groups an array even when the subscription has a single NSG
    $Groups = @(Get-AzureNetworkSecurityGroup -Detailed)

    if (!$Name) {
        # No name given: show a numbered menu and let the user pick an NSG
        Write-Host
        Write-Host "Select the number of the NSG"
        $AllGroups = ""
        for ($i = 0; $i -le $Groups.Count - 1; $i++) {
            $AllGroups = $AllGroups + "$i $($Groups[$i].Name)`n"
        }
        $NSGNumb = [int](Read-Host -Prompt $AllGroups)
        $Name = $Groups[$NSGNumb].Name
    }

    $NSG = $Groups | Where-Object { $_.Name -eq $Name }
    if ($NSG) {
        $InboundRules  = $NSG.Rules | Where-Object { $_.Type -eq "Inbound" }
        $OutBoundRules = $NSG.Rules | Where-Object { $_.Type -eq "Outbound" }
        Write-Output ""
        Write-Output "Inbound Rules"
        Write-Output $InboundRules | Format-Table
        Write-Output "Outbound Rules"
        Write-Output $OutBoundRules | Format-Table

        if ($ShowCommands) {
            # Emit the commands that recreate the NSG from scratch
            Write-Output "New-AzureNetworkSecurityGroup -Name ""$($NSG.Name)"" -Location ""$($NSG.Location)"""
            Write-Output ""
            # Priorities 65000 and above are the platform default rules; they cannot be
            # recreated by hand, so only the user-defined rules are emitted (inbound first)
            $UserRules = @($InboundRules | Where-Object { $_.Priority -lt 65000 }) +
                         @($OutBoundRules | Where-Object { $_.Priority -lt 65000 })
            foreach ($Rule in $UserRules) {
                Write-Output "Get-AzureNetworkSecurityGroup -Name ""$($NSG.Name)"" | Set-AzureNetworkSecurityRule -Name ""$($Rule.Name)"" -Type ""$($Rule.Type)"" -Priority ""$($Rule.Priority)"" -Action ""$($Rule.Action)"" -SourceAddressPrefix ""$($Rule.SourceAddressPrefix)"" -SourcePortRange ""$($Rule.SourcePortRange)"" -DestinationAddressPrefix ""$($Rule.DestinationAddressPrefix)"" -DestinationPortRange ""$($Rule.DestinationPortRange)"" -Protocol ""$($Rule.Protocol)"""
                Write-Output ""
            }
        }
    }
    else {
        Write-Host "Can't find a NSG with that name"
    }
}

Cisco ASA 5505 from Factory Default to Static Address and defined inside subnet

I have been playing with an ASA 5505 lately. I wanted the ability to start fresh when I could not figure things out. I came up with the following commands to cut and paste into the console, allowing me to “Start over”.

First, I reset to factory defaults and set the internal subnet range:

configure factory-default 192.168.123.1 255.255.255.0

You have to hit the space bar a couple of times, then paste in the next sections:

boot system disk0:/asa911-k8.bin
interface Vlan2
 ip address 123.123.123.123 255.255.255.0
route outside 0.0.0.0 0.0.0.0 38.117.203.126
dhcpd dns 8.8.8.8
dhcpd address 192.168.123.5-192.168.123.132 inside
dhcpd enable inside

ssh scopy enable
ssh 192.168.123.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
console timeout 0
username myusername password 3ncrypt3dp4$$w0rd encrypted privilege 15
no call-home reporting anonymous

!-- Optional - allow pings outbound
policy-map global_policy
  class inspection_default
   inspect icmp
   exit
   exit
!

The configuration above sets the external IP, enables DHCP on the inside interface, enables SSH and scopy (secure copy over SSH), restricts SSH to the inside network, creates a privilege-15 user, and allows pings outbound by inspecting ICMP.
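As an added example (not from the original post), here is a small Python checker that parses a pasted ASA bootstrap snippet like the one above and reports the management-plane points worth confirming before pasting: that SSH is pinned to version 2, that the ssh access line is limited to the inside interface rather than any address, that a local username is accompanied by "aaa authentication ssh console LOCAL" (the line the later "Getting started" post on this page adds; without it the ASA does not consult the local user database for SSH logins), and that "console timeout 0" means console sessions never expire. The sample config is the post's own snippet with the password hash replaced by a placeholder; the lint rules and their wording are my assumptions about what to check, not an ASA feature.

```python
"""Lint an ASA bootstrap snippet for its management-plane settings.

Added example, not part of the original post. The checks and their wording are
assumptions about what a reviewer would confirm, not an ASA feature.
"""
import re

# The post's own snippet (password hash replaced by a placeholder).
SAMPLE_CONFIG = """\
boot system disk0:/asa911-k8.bin
interface Vlan2
 ip address 123.123.123.123 255.255.255.0
route outside 0.0.0.0 0.0.0.0 38.117.203.126
dhcpd dns 8.8.8.8
dhcpd address 192.168.123.5-192.168.123.132 inside
dhcpd enable inside
ssh scopy enable
ssh 192.168.123.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
console timeout 0
username myusername password PLACEHOLDER_HASH encrypted privilege 15
no call-home reporting anonymous
!-- Optional - allow pings outbound
policy-map global_policy
  class inspection_default
   inspect icmp
"""

# "ssh <network> <mask> <interface>": the hosts allowed to open SSH to the ASA
SSH_ACL = re.compile(r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def lint_asa_config(text):
    """Return a list of findings (empty when nothing needs attention)."""
    # Flatten: strip indentation, drop blank lines and "!" comment lines
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    findings = []

    if "ssh version 2" not in lines:
        findings.append("ssh version not pinned to 2")

    acl = [m.groups() for m in (SSH_ACL.match(l) for l in lines) if m]
    if not acl:
        findings.append("no 'ssh <net> <mask> <interface>' line: SSH not reachable")
    for net, mask, iface in acl:
        if iface != "inside":
            findings.append(f"SSH allowed on non-inside interface {iface}")
        if net == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(f"SSH allowed from any address on {iface}")

    # A local user only authenticates SSH logins when the ASA is told to use it
    if any(l.startswith("username ") for l in lines) and \
            "aaa authentication ssh console LOCAL" not in lines:
        findings.append("local username defined but SSH is not set to LOCAL auth")

    if "console timeout 0" in lines:
        findings.append("console timeout 0: console sessions never expire")
    return findings


if __name__ == "__main__":
    for f in lint_asa_config(SAMPLE_CONFIG):
        print("finding:", f)
```

Run against the post's snippet it reports two findings: the local user is defined but SSH is not told to use LOCAL authentication, and the console timeout is disabled. Appending the "aaa authentication ssh console LOCAL" line clears the first.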

I hope this might help someone.

Problems with SharePoint 2010 menus and javascript using a Cisco WebVPN (ASA)

We noticed that the SharePoint 2010 menus were not working through our Cisco ASA's WebVPN. If a top-level menu had children, they would not show on hover. Then we started noticing that all jQuery-based functions stopped working; much of the JavaScript used by SharePoint 2010 would not run through our ASA. The fix was to add this to the web.config for the SharePoint site:

<system.web.extensions>
    <scripting>
        <scriptResourceHandler enableCompression="false" enableCaching="true" />
    </scripting>
</system.web.extensions>

Obviously you are adding the scriptResourceHandler element to an existing scripting section, not replacing what is already there.

How to setup a remote syslog server in CentOS 6

I wanted to have a Cisco device send its logs to a CentOS box for troubleshooting; I just wanted to do a "tail -f" against the error logs. In CentOS 6, syslog has been replaced by rsyslog. To set up rsyslog to accept syslog messages from other devices, you need to:

1. Uncomment the following lines (the ones that start with "$", not the description lines above them):

# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514

2. Add lines like the ones below to say where you want the remote logs written. rsyslog evaluates them top to bottom, and the "& ~" after each rule discards the message once it has been written, so it does not also land in the default log:

:fromhost-ip, startswith, "192.168.1." /var/log/remote.log
& ~
:fromhost-ip, isequal, "192.168.1.33" /var/log/servername.log
& ~

3. Restart rsyslog: service rsyslog restart

4. Open port 514 (UDP and TCP) in iptables:

-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT

5. service iptables restart

6. create a new logrotate.d config file in /etc/logrotate.d:

/var/log/remote.log
{
daily
rotate 5
missingok
notifempty
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
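To make the filter semantics in step 2 concrete, here is an added Python model (not from the original post) of the two ":fromhost-ip" rules. rsyslog evaluates rules top to bottom, and "& ~" discards a message after the preceding rule has written it, so with the rules in the order posted a message from 192.168.1.33 matches the "startswith" rule first and never reaches /var/log/servername.log; putting the "isequal" rule first gives that host its own file while the rest of 192.168.1.0/24 still falls through to remote.log. The block also splits the leading <PRI> of an RFC 3164 line into facility and severity, which is what the "tail -f" reader is looking at. The sample addresses and message are constructed, and /var/log/messages is assumed as the catch-all target of the stock CentOS 6 rsyslog.conf.

```python
"""Model of the rsyslog property-based filters from the steps above.

Added example, not from the original post: evaluates ':fromhost-ip' filters in
file order with the '& ~' discard that follows each one, so you can see which
file a given sender ends up in before touching /etc/rsyslog.conf.
"""
import re
from ipaddress import ip_address

# (operator, value, target) exactly as posted; rsyslog reads top to bottom and
# "& ~" discards the message after the first matching rule has written it.
RULES_AS_POSTED = [
    ("startswith", "192.168.1.", "/var/log/remote.log"),
    ("isequal", "192.168.1.33", "/var/log/servername.log"),
]
# More specific rule first: the single host gets its own file and everything
# else in 192.168.1.0/24 falls through to remote.log.
RULES_SPECIFIC_FIRST = list(reversed(RULES_AS_POSTED))
# Assumed catch-all later in rsyslog.conf on a stock CentOS 6 install
DEFAULT_TARGET = "/var/log/messages"

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(message):
    """Return (facility, severity) from the leading <PRI> of an RFC 3164 line."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 severities - 1
        raise ValueError("PRI out of range")
    return pri >> 3, pri & 7


def route(fromhost_ip, rules):
    """Return the file the message is written to under first-match-then-discard."""
    ip_address(fromhost_ip)  # a malformed sender address is a bug: fail loudly
    for op, pattern, target in rules:
        if op == "startswith" and fromhost_ip.startswith(pattern):
            return target
        if op == "isequal" and fromhost_ip == pattern:
            return target
        # any other operator would need adding here (regex, contains, ...)
    return DEFAULT_TARGET


if __name__ == "__main__":
    # Constructed sample: an ASA connection-built message, facility local7, severity 6
    sample = "<190>Jan  1 00:00:00 fw %ASA-6-302013: Built outbound TCP connection"
    print("facility/severity:", parse_pri(sample))
    for sender in ("192.168.1.33", "192.168.1.7", "192.168.10.7"):
        print(sender, "posted order ->", route(sender, RULES_AS_POSTED),
              "| specific first ->", route(sender, RULES_SPECIFIC_FIRST))
```

The "startswith" pattern keeps its trailing dot on purpose: "192.168.1." does not match a sender in 192.168.10.0/24, which "192.168.1" would.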

Cisco ASA and smart tunnels – my experience on OS X 10.7

I have been playing with smart tunnels on my Cisco ASA. The documentation is a little scarce on examples, so I thought I would post what I have found. On OS X, not much appears to work (I only tried with Safari). Maybe this post will help someone, or they will post a comment on how to get these apps working.

Terminal
I was able to get terminal working, but my terminal preferences are ignored. Once Terminal was started, I could ssh into a server behind the ASA:

smart-tunnel list applist Terminal terminal platform mac

Remote Desktop
I was able to get Remote Desktop to launch, but I could not connect to a server behind the ASA. Not sure why:

smart-tunnel list smarttunlist-jbmurphy RemoteDesktop "/Applications/Remote Desktop Connection.app/Contents/MacOS/Remote Desktop Connection" platform mac

Safari
I could get Safari to start, but it would crash as soon as I tried to access a site behind the ASA.

smart-tunnel list smarttunlist-jbmurphy Safari /Applications/Safari.app/Contents/MacOS/Safari platform mac

The error thrown was described by @craigbox here. I also see this in the logs: "sandbox: WebProcess(xxxxxx) deny file-write-data /private/tmp/narwhal.log". I know that there is new "Sandboxing" with Lion; maybe that is the issue.

Anyway, not a lot of success, but maybe a discussion will follow. I will update if I have any more luck.

On demand iPhone vpn connection to a Cisco ASA

This was a proof of concept that I worked on with @xrobx99. Thanks @xrobx99 for your help.

We were interested in how our users could access SharePoint behind our firewall on their mobile devices. We currently have a Cisco ASA in front of our organization. The idea is this: a user receives an email notification from SharePoint that they need to approve a workflow. The email comes with a link, and the user clicks it on their Apple iOS device. That click would start an on-demand VPN session to our ASA, and the user would be able to reach SharePoint. This is how we got it all working.

First, you need to set up certificate authentication for your ASA. If you don't already have a PKI, then you can run a certificate server on your ASA. Looking at this blog post, it is not that difficult to set up a local CA. That post describes how to do it via the command line; to enable a CA via ASDM go to: Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority

Clicking the enable box generates the following code:

  crypto ca server
      smtp from-address [email protected]
      no shutdown passphrase secret

Next add a user:

After adding a user, grab the One Time Password (OTP) and log into the enrollment site: http://site.name.com/+CSCOCA+/enroll.html. This will download a *.p12 file, which I double-clicked and added to my keychain (Mac user). We will

Add a new tunnel-group

The next step was to set a group-url for a new tunnel-group. We did this because we wanted the ability to log in with both passwords and certificates. This is what our tunnel groups looked like:

tunnel-group default webvpn-attributes
 group-url https://server.company.com enable
tunnel-group certificate webvpn-attributes
 authentication certificate
 group-url https://mobile.company.com enable

Add Certificate to iPhone Configuration App

Fire up the iPhone Configuration Utility and create a new Configuration Profile. Scroll down to the "Credentials" section and add the *.p12 file with the OTP.

Next, go to the VPN section to add the address of the ASA and check the on-demand box for the site.

Share the new configuration profile and apply it to your phone.

Now, when you try to access a URL that matches the on-demand URLs in the VPN section of the iPhone profile, the AnyConnect client will connect to the URL that allows certificate authentication. The certificate that you included in the profile will authenticate you, and you are in!

This was fun to put together!

Cisco ASA memory issues – disable webvpn cache may fix?

The credit for this article goes to @xrobx99. I wanted to blog about his discovery so that others might find the solution quicker.

We have a Cisco ASA that we had to reboot every month because the memory would keep growing. We thought it was a memory leak (and it may have been in previous revisions), so we just lived with the fact that we had to keep rebooting the ASA to clean up the leak. @xrobx99 found that by default the ASA caches HTML when using WebVPN. Well, that explains that! A growing cache could easily be misinterpreted as a memory leak (see CSCtb68311)!

webvpn cache disable

Our memory use has not grown since making the change!

Cisco ASA: tunnel-group commands and Connection Profiles

I have to say, it is difficult to learn Cisco products.  I have been hacking away at my new Cisco ASA 5505, and it is not easy. One of the toughest things is that the ASDM displays the configuration one way, but when you look at the config, it is completely different. For example, ASDM shows Connection Profiles, but the actual code uses tunnel-group. Not even close. The documentation has one line out of 46 pages.

You configure connection profiles using tunnel-group commands. In this chapter, the terms “connection profile” and “tunnel group” are often used interchangeably.

Took me quite a while to figure that out. I guess that is why people go to training (and the 5505 is not a consumer product).


Cisco ASA hacking – Getting started

My wife (Team Murphy's CFO) allowed me to purchase a Cisco ASA 5505 for home. We use ASAs at work, and I am interested in how we can leverage these devices to their fullest. I am new to Cisco and to their IOS (the original IOS). I was impressed: the 5505 was easy to set up. I just swapped out my existing DD-WRT and it worked out of the box. The 5505 had DHCP running on the internal interface, and NAT configured correctly.

Next I wanted to change the default network to use a different range. That proved more difficult when trying to do it over a network connection. I know I should be using the serial connection, but I did not want to sit in my coat closet to make the change. I also knew I would be hacking my config, and I wanted a scenario where I could easily reset to the defaults. Every time I tried to reset to the defaults, the interface would hang because I was trying to do it over the network (as expected).

I found this link in the ASA documentation that described the default config for an ASA. I also found the environment variable CONFIG_FILE. My thinking was that I could take the default config listed in the ASA documentation and save it to a file on the flash. If I wanted to return to the defaults, I could just change the CONFIG_FILE environment variable to point to that default config file on disk0:, and I would be back up and running in "factory defaults".

I took it a step further and I added the following to my “jbmurphy_factory_defaults”:

ssh 192.168.XX.0 255.255.255.0 inside
ssh timeout 5
aaa authentication ssh console LOCAL
ssh scopy enable

These four lines enable SSH access to the ASA from the inside network, make SSH use the local user database, and allow me to scp my config file to disk0. Now, when I am working on a new config, I can scp it from my filesystem to the onboard storage and issue a reboot.

That is my workflow so far. Thoughts?

Using a MacBook to connect to a Cisco router

We have a “USBG-232MINI” USB to Serial adapter and I needed to connect to a Cisco router. GNU screen to the rescue!!

The command is

screen /dev/tty.usbserial-A9005yuF 9600

(where A9005yuF is probably unique to the adapter)

And to exit hit Control+A then K.