EXAMPLE
Enter the number of the log you wish to tail
EXAMPLE
Enter the number of the log you wish to tail
F1:
interface Vlan1 nameif outside security-level 0 ip address 172.16.1.2 255.255.255.252 ! interface Vlan2 nameif inside security-level 100 ip address 10.0.1.1 255.255.255.0 ! route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
F2:
interface Vlan1 nameif outside security-level 0 ip address 172.16.2.2 255.255.255.252 ! interface Vlan2 nameif inside security-level 100 ip address 10.0.2.1 255.255.255.0 ! route outside 0.0.0.0 0.0.0.0 172.16.2.1 1
First we need to define an ISAKMP policy. ISAKMP is used to establish the initial asymmetrically encrypted channels between the two endpoints so that they can securely negotiate a pair of one-way IPsec security associations (SAs). For more background on IPsec fundamentals, see my IPsec quick and dirty article.
For simplicity, we’ll use a static pre-shared key for ISAKMP authentication (which will be defined in step four).
F1(config)# isakmp policy 1 F1(config-isakmp-policy)# authentication pre-share F1(config-isakmp-policy)# encryption aes-256 F1(config-isakmp-policy)# hash sha F1(config-isakmp-policy)# group 2 F1(config-isakmp-policy)# lifetime 86400 F1(config-isakmp-policy)# exit F1(config)# isakmp enable outside
The finished configuration can be copied verbatim from F1 to F2:
crypto isakmp enable outside crypto isakmp policy 1 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400
An IPsec transform set establishes the encryption and authentication (HMAC) methods to be employed by the IPsec SAs. While it is possible to enable several options, both sides of our VPN will be configured to support only 256-bit AES and SHA-1. Our transform set is named L2L.
F1(config)# crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac F2(config)# crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
Next we need to create an access list to match plain (unencrypted) traffic which should be encrypted and routed through the IPsec tunnel between the two LANs. This access list will be referenced by the crypto map we’ll create in step five. In the real world, crypto map ACLs can be quite complex. For our purposes, however, we only need to match traffic going between the 10.0.1.0/24 and 10.0.2.0/24 networks.
F1(config)# access-list LAN_Traffic extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
We flip the addresses on F2 to match traffic heading the opposite direction:
F2(config)# access-list LAN_Traffic extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
A tunnel group holds tunnel configuration parameters, namely the connection type and authentication method. Since we’re using pre-shred key authentication, we need to name our tunnel group as the IP address of the remote peer. Also, notice that we must define the connection type (ipsec-l2l) before we can configure the pre-shared key.
F1(config)# tunnel-group 172.16.2.2 ? configure mode commands/options: type Enter the type of this group-policy F1(config)# tunnel-group 172.16.2.2 type ipsec-l2l F1(config)# tunnel-group 172.16.2.2 ? configure mode commands/options: general-attributes Enter the general-attributes sub command mode ipsec-attributes Enter the ipsec-attributes sub command mode F1(config)# tunnel-group 172.16.2.2 ipsec-attributes F1(config-tunnel-ipsec)# pre-shared-key ThisIsAWeakKey
The tunnel group configuration on F2 is identical except that its name changes to 172.16.1.2 (F1’s outside interface):
tunnel-group 172.16.1.2 type ipsec-l2l tunnel-group 172.16.1.2 ipsec-attributes pre-shared-key ThisIsAWeakKey
Finally, we need to create a crypto map (named L2L) to tie together the IPsec transform set, access list, and tunnel group configured in the previous steps. First we match LAN-to-LAN traffic using our access list:
F1(config)# crypto map L2L 1 match address LAN_Traffic
Then we set the VPN peer and IPsec transform set to use:
F1(config)# crypto map L2L 1 set peer 172.16.2.2 F1(config)# crypto map L2L 1 set transform-set L2L
The corresponding crypto map on F2 looks like this:
crypto map L2L 1 match address LAN_Traffic crypto map L2L 1 set peer 172.16.1.2 crypto map L2L 1 set transform-set L2L
All that’s left now is to apply the crypto map to the outside interface on each firewall:
F1(config)# crypto map L2L interface outside F2(config)# crypto map L2L interface outside
Reference document for “Nat Exemption” (aka “nonat” or “nat 0” in earlier releases) for basic L2L or basic RA setup.
L2L Example
Topology:
192.168.1.x/24 inside(ASA1)outside ===VPN===outside(ASA2)inside 192.168.2.0/24
If you were configuring ASA1 nat exemption for this L2L tunnel, it would look like this:
object network obj-local
subnet 192.168.1.0 255.255.255.0
object network obj-remote
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote
RA Example
Topology:
192.168.3.0/24 (vpnclient pool) ===VPN===outside(ASA1)inside 192.168.1.0/24
If your were configuring ASA1 nat exemption for this RA tunnel, it would look like this:
object network obj-vpnpool
subnet 192.168.3.0 255.255.255.0
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool
*Note: Due to bug CSCtf89372, I use the “1” in the command above to put the nat exemption statement at the top of all my nat statements.
Using Management-access Inside
In all the above cases, when you convert the nat 0 command in pre 8.3 code to post 8.3 code, you’ll probably notice that you’re converting it from being a nat exemption to static identity nat. Just like in pre 8.3 code, post 8.3 static nats also don’t do a route lookup for an ingress packet. Instead they forcibly place the packet on the egress interface defined in the static command. If you use the packet tracer you’ll see something like this:
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj_RDP
nat (inside,outside) static interface service tcp 3389 3389
Additional Information:
NAT divert to egress interface inside
Untranslate 64.102.156.87/3389 to 192.168.1.5/3389
Notice how it says “NAT divert”, well what that means is the ASA just skipped a route-lookeup for the address you’re trying to reach and used the NAT statement to decide how to route that packet. Sometimes this can be a good thing and can be used for various hacks( refer Loadbalancing DUAL ISP on ASA), unfrotunately, if you’re using the VPN to manage your firewall, then you don’t want packets destined to the ASA itself to be “NAT diverted” out some interface. You want those packets to be process by the ASA itself, so in these situations you want to configure the nat command as:
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool route-lookeup
This command makes the ASA do the route-lookup instead of blindly routing the packets.
Whenever you send a piece of e-mail, your e-mail client interacts with the SMTP server to handle the sending. The SMTP server on your host may have conversations with other SMTP servers to deliver the e-mail.
Let’s assume that I want to send a piece of e-mail. My e-mail ID is brain, and I have my account on howstuffworks.com. I want to send e-mail to jsmith@mindspring.com. I am using a stand-alone e-mail client like Outlook Express.
When I set up my account at howstuffworks, I told Outlook Express the name of the mail server — mail.howstuffworks.com. When I compose a message and press the Send button, here’s what happens:
If, for some reason, the SMTP server at HowStuffWorks cannot connect with the SMTP server at Mindspring, then the message goes into a queue. The SMTP server on most machines uses a program called sendmail to do the actual sending, so this queue is called the sendmail queue. Sendmail will periodically try to resend the messages in its queue. For example, it might retry every 15 minutes. After four hours, it will usually send you a piece of mail that tells you there is some sort of problem. After five days, most sendmail configurations give up and return the mail to you undelivered.
The SMTP server understands very simple text commands like HELO, MAIL, RCPT and DATA. The most common commands are:
Great article from ;
http://computer.howstuffworks.com/e-mail-messaging/email2.htm
From the command line ( if cluster, active member )
Log Files are
According to the Policy the Packet should not have been decrypted
PHASE 1 (MAIN MODE)
PHASE 2 (QUICK MODE)
GREAT ARTICLE FROM;
Tacas+ / RADIUS / AAA key points table
When utilizing AAA you can use RADIUS or TACACS. When we mention either of these we are talking about the conversation between a network device i.e. Router, Switch or Firewall (in this case) for authenticating with either a RADIUS server or TACACS server. Router, Switch or Firewall being the client, when trying to authenticate, authorize or account a user trying to login, issue certain commands and of course record this activity (AAA).
essentially it boils down to this when it comes to AAA;
aaa new-model [command used to turn on aaa]
R8(config)#enable secret cisco
R8(config)#username admin privilege 15 secret cisco
R8(config)#username user1 privilege 1 secret cisco
R8(config)#aaa authentication login default group tacacs+ local enable [This is creating a “default” method list for “authentication” which will apply on all lines if no “custom” list is present. this default method list also says, use tacacs server first, local database 2nd and enable password 3rd]
R8(config)#tacacs-server host 10.10.10.10 key 0 cisco [This defines the TACACS server along with the key to use when the router trys to communicate with the TACACS server]
R8#debug tacacs authentication
R8#debug aaa authentication
R8(config-line)#line console 0
R8(config-line)#login authentication default
R8(config-line)#line aux 0
R8(config-line)#login authentication default
R8(config-line)#line vty 0 4
R8(config-line)#login authentication default
R8#telnet 10.10.10.20
Trying 10.10.10.20 … Open
*Mar 1 00:19:40.627: AAA/BIND(00000006): Bind i/f
*Mar 1 00:19:40.631: AAA/AUTHEN/LOGIN (00000006): Pick method list ‘default’
*Mar 1 00:19:40.639: TPLUS: Queuing AAA Authentication request 6 for processing
*Mar 1 00:19:40.639: TPLUS: processing authentication start request id 6
*Mar 1 00:19:40.643: TPLUS: Authentication start packet created for 6()
*Mar 1 00:19:40.643: TPLUS: Using server 10.10.10.10
*Mar 1 00:19:40.651: TPLUS(00000006)/0/NB_WAIT/650E43A4: Started 5 sec timeout
TACACS SERVER CANNOT BE REACHED! so 2nd in the default method list is to use LOCAL DATABASE!(prompt for username then password, from local database)
User Access Verification
Username:
*Mar 1 00:19:45.647: TPLUS(00000006)/0/NB_WAIT/650E43A4: timed out
*Mar 1 00:19:45.647: TPLUS(00000006)/0/NB_WAIT/650E43A4: timed out, clean up
*Mar 1 00:19:45.647: TPLUS(00000006)/0/650E43A4: Processing the reply packet
USING debug authentication / authorization / accounting you can see the value and get an understanding of how it all works.
and below is a CUSTOM method list same a default but you give it a name and apply it to a LINE;
aaa authentication login CUSTOM-METHOD-LIST group tacacs+ local enable
R8(config-line)#login authentication CUSTOM-METHOD-LIST
so you can see above the custom method list named “CUSTOM-METHOD-LIST” has been applied to line vty 0 4 .
!SAME GOES FOR ALL 3 PARTS OF aaa (authentication, authorization and accounting)!
CCNA Sec Vid03 securing the management plane
Typing enable takes you to priviledge level 15, by default > you’re at privledge 1
you can create levels with custom commands for that level.
AAA = Authentication, Authorisation, Accounting
better way of cteating usernames passwords and levels of access.
rather than; (which just prompts for password once connected to the line)
line console 0
password cisco
login
line aux 0
login
password cisco
line vty 0 4
password cisco
login
AAA is better than the next way too, which is using the local database (router config)
line console 0
password cisco
login local
line aux 0
login local
password cisco
line vty 0 4
password cisco
login local
username admin privledge 15 secret 0 cisco
turning on AAA is easy!
basically saying the default way to login is using the local database;
aaa new-model
aaa uses method lists (basically list of authenticationmethods to try befor authenticating a user)
This is called default method list
i.e. when a user tries to authenticate, try [1st, AAA Server, 2nd local database, 3rd enable secret]
aaa new-model [This turns on AAA services. The rouetr can now use AAA]
aaa authentication login default group tacacs+ local enable [This is the defaul method list, this is chosen by default, if no other CUSTOM method list is configured.
If you do have a custom method list created the router will always follow this over the default]
aaa authentication login VTY-LIST local [This is a customer list called VTY-LIST, which I could apply on the VTY lines, as it is a custom list this will be chosen over a default as it is custom
and specially applied to the vty lines, you can do this for any line, and create any list.]
aaa new-model [says we have anew paradym of authentication, authorization and accounting]
defualt method list [applies to all logical interfaces where aaa can be applied]
custom method lists [allows you to apply aaa to individual interfaces as you like, and for which
ever piece of aaa.]
NFP Notes;
Video 02 CCNA Security
Network Foundation Protection NFP
made up of 3 parts;
Management Plane
Control Plane
Data Plane
NFP picture
MANAGEMENT PLANE
dont he give people more access than they need
NTP for accurate logs
timeouts
AAA for controlling who can manage the devices
CONTROL
If a network device has to think about something
i.e. someone ssh’s to it, or it recieves a route update
keepalives, or traffic directed to it’s own IP
address, these are example of the control plane.
Control plane (Any time the CPU on the device has to get involved in processing something)
you can limit amount of session to be open etc so people can not just keep
opening SYN’s for SSH sessions for example.
control plane protection
DATA
The data plane is actually when your device is either
forwarding pakcets or frames for others. I.e. transit packet
securing the data is ually done via ACL’s , IDS/IPS
firewall, port security.
Main benefit of ALL this is (CONCIOUSNESS of these security areas)
C3PL= Cisco Common Clasification Policy Lanuage
MPF = Modular policy framework
MQC = Modular QoS CLI
HAVE IN COMMON;
Common logic to accomplish tasks via;
class maps job = identify traffic, (http. icmp,ssh etc)
policy maps job = action to take , police it, drop, prioritize also work with class map rate limit
service policies job = where the policy map is going to do it’s action (where? control plane)
Great article from;
TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications in scenarios where that data is being sent across an insecure network, such as checking your email (How does the Secure Socket Layer work?). The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1. With this said though, is there actually a difference between the two?
While SSL and TLS differ in ways that make them inoperable with each other, they are generally considered equal in terms of security. The main difference is that, while SSL connections begin with security and proceed directly to secured communications, TLS connections first begin with an insecure “hello” to the server and only switch to secured communications after the handshake between the client and the server is successful. If the TLS handshake fails for any reason, the connection is never created.
Both Internet security protocols ensure that your data is encrypted as it is transmitted across the Internet. They also both enable you to be sure that the server that you are communication with is the server you intend to contact and not some “middle man eavesdropper”. This is possible because servers that support SSL and TLS must have certificates issued to them by a trusted third party, like Verisign or Thawte. These certificates verify that the domain name they are issued for really belongs to the server. Your computer will issue warnings to you if you try to connect to a server and the certificate that it gets back is not trusted or doesn’t match the site you are trying to connect to.
If you are mostly concerned about your level of security, you can’t really go wrong choosing either SSL or TLS.
The main benefit in opting for TLS over SSL is that TLS was incepted as an open-community standard, meaning TLS is more extensible and will likely be more widely supported in the future with other Internet standards. TLS is even backwards compatible, possessing the ability to “scale down” to SSL if necessary to support secure client-side connections that only understand SSL.
Another more immediate benefit, however, is that TLS allows both secure and insecure connections over the same port, whereas SSL requires a designated secure-only port. For users connecting to an email server via POP or IMAP, this means that using TLS will allow you to opt for secure connections but easily switch to insecure connections if necessary without needing to change ports. This is not possible with SSL.
However, as discussed in the previous section, it really doesn’t matter which one is used in terms of security.
If neither SSL nor TLS is used, then the communications between you and the server can easily become a party line for eavesdroppers. Your email data and your login information are sent in plaintext for all to see, and there is no guarantee that the server you connect to is not some middle man or interloper.
Best article on how SSL works on the web from;
The Secure Socket Layer, SSL for short, is a protocol by which many services that communicate over the Internet can do so in a secure fashion. Before we discuss how SSL works and what kinds of security it provides, let us first see what happens without SSL.
Let us compare communications between computers on the Internet and communications between people over the telephone. Without SSL, your computer-to-computer communications suffer from the same security problems from which your telephone communications suffer:
This results in two very real security issues for communications over the Internet: 1. knowing for sure that you are connecting to the right servers (i.e. those at your bank and not those at a hacker’s or phisher’s web site), and 2. knowing that your data is safe from prying eyes during transit to those computers. This is where SSL comes in.
To solve these problems to a large degree, most Internet services support use of SSL as a mechanism for securing communications. To illustrate how SSL works, let us use another analogy.
Client wants to communicate with a company to send important information back and forth. Client wants to be 100% sure that s/he is communicating with this particular company and that no one can eavesdrop on or intercept the communications. How can s/he do this?
SSL relies on the concept of “public key cryptography” to accomplish these tasks. In normal encryption, the two parties communicating share a “password” and that password is used to both encrypt and decrypt messages. While this is fast and efficient, how do you communicate these passwords to people you have not yet met in a way that is itself secure?
In “public key cryptography”, each person has two keys — a “public” key and a “private” key. Anything encrypted with the user’s public key can only be decrypted with the private key and vice versa. Each person then tells the world what his public key is and keeps his private key safe and secure, and private.
If John sends Mary a message encrypted with Mary’s public key, then only Mary can open it, as only she has her private key. This is like an envelope that anyone can seal but which only Mary can open.
If John sends Mary a message encrypted with John’s private key, then anyone can open it, as everyone has access to John’s public key. However, successfully opening the message proves that it was sent by John and no one else, as only John has access to his private key. This is like an envelope that only John can seal, but which anyone can open and thus prove that John sealed it.
So, let’s see how SSL actually works for securing your communications over the Internet. Before the communications occur, the following takes place:
Then, when Client wishes to communicate with the company at company.com,
This all sounds great — what are the down sides? There are a few.
Key Length: The statement that “only someone with the private key can decrypt something encrypted with the public key” is true so long as the private key cannot be “guessed”. Hackers may try to do this by trying all possible private key combinations. Older “40bit” keys can be broken by trial and error if one has access to vast computer resources and a good amount of time. These days, keys used in SSL are 128bit or better. There are so many possible keys with 128bit that it would take significantly longer than the age of the universe to “guess” one.
Trust: While use of SSL ensures that your communications cannot be spied on, it comes down to trust to ensure that you are actually communicating with your intended company. This is reflected in the validation of company.com and your trust of the third party organization. Some “secure sites” do not bother to get a third party’s approval and have their keys approved by “themselves”. Others use third parties that are almost free and which spend very little effort in validating the company. In these cases, SSL provides you with no real assurance that you are really talking to your intended company and not some hacker trying to forge their identity to communicate with you in a manner in which you think you are safe.
For defensive use of the web, you should pay attention to warnings generated by SSL when you connect to secure sites. Such warnings include “expired certificates”, “domain name mismatches” — where the domain name presented by the company is different than the one to which you are connecting, and “non trusted certificates” — where the public key (certificate) presented by the company was not validated by a third party that your computer trusts. In all of these cases, you should be wary.
Ciphers: SSL uses one of a large variety of possible “ciphers” to perform the symmetric encryption. Use of a poor/weak cipher can result in fast SSL that is easily compromised. Currently, it is recommended that one use 128-bit or stronger AES encryption as your cipher. See: 256-bit AES Encryption for SSL and TLS: Maximal Security.
Almost any Internet service can be protected with SSL. Common ones include WebMail and other secure web sites such as banking sites and corporate sites, POP, IMAP, and SMTP.
Example:
ASA5510#copy tftp disk0: Address or name of remote host []? 172.16.31.1 Source filename []? asa722-k8.bin Destination filename [asa722-k8.bin]? Accessing tftp://172.16.31.1/asa722-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Writing file disk0:/asa722-k8.bin... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 8312832 bytes copied in 163.350 secs (50998 bytes/sec) ASA5510#show disk0: -#- --length-- -----date/time------ path 6 5124096 Jan 01 2003 00:06:22 asa702-k8.bin 7 5623108 Feb 12 2007 00:23:48 asdm-522.bin 10 5539756 Feb 12 2007 00:14:18 asdm-521.bin 11 8294400 Dec 07 2006 05:47:20 asa721-24-k8.bin 12 6002680 Dec 21 2006 03:58:30 asdm-52034.bin 13 8312832 Feb 12 2007 22:46:30 asa722-k8.bin 23949312 bytes available (38932480 bytes used) !--- Command to set "asa722-k8.bin" as the boot image. ASA5510(config)# boot system disk0:/asa722-k8.bin !--- Command to set "asdm-522.bin" as the ASDM image. ASA5510(config)# asdm image disk0:/asdm-522.bin ASA5510# write memory ASA5510# reload
Note: When you try to upgrade the image on the ASA from an FTP server, you can use the copy ftp flash command. This command allows you to specify parameters, such as remote IP address and source file name. This procedure is similar to TFTP. However, one limitation with is that you can not modify the remote IP/source interface (like you can with TFTP). In TFTP mode, options specified with the tftp-server command can be pulled and executed. But with FTP, there is no such option. The source interface should always be the outside by default, which cannot be modified. That is, the FTP server should be reachable from the outside interface.