Configure Cisco ASA to Capture Specific Port Traffic

On a Cisco ASA you can configure packet captures to allow for deeper troubleshooting of issues. With the recent Heartbleed bug, I needed a way to capture HTTPS traffic and inspect the remote hosts my users were connecting to for the vulnerability. If a site was vulnerable, I would create a temporary block until that site was patched.
On the Cisco ASA I set up an access-list matching the traffic of interest (TCP port 443):

access-list heartbleed line 1 extended permit tcp any any eq https

Then I create a capture that uses that access-list on the inside interface:

capture heartbleed access-list heartbleed interface inside

Then I can view the capture:

show capture heartbleed

Example output of the above command:

1025: 09:52:27.882385 10.147.204.104.55665 > 74.125.228.5.443: . ack 3734113485 win 64860
1026: 09:52:27.882858 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798098736 win 64860
1027: 09:52:27.883239 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798101496 win 64860
1028: 09:52:27.883438 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798104256 win 64860

Alternatively, while the capture is enabled it is accessible via the web interface of the ASA.

https://192.168.1.1/admin/capture/heartbleed
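The `show capture` output above is one line per packet, so a short parser turns it into the list of inside clients and HTTPS servers you actually need to check. This is an added example, not part of the original post; the sample lines are constructed (the first four mirror the output above, the fifth is an added SYN) and the helper names are mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format `show capture <name>` prints on an ASA.
SAMPLE_CAPTURE = """\
1025: 09:52:27.882385 10.147.204.104.55665 > 74.125.228.5.443: . ack 3734113485 win 64860
1026: 09:52:27.882858 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798098736 win 64860
1027: 09:52:27.883239 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798101496 win 64860
1028: 09:52:27.883438 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798104256 win 64860
1029: 09:52:28.001200 192.168.1.50.50211 > 203.0.113.9.443: S 1123581321:1123581321(0) win 8192
"""

# Layout: "<seq>: <time> <src>.<sport> > <dst>.<dport>: <flags/ack/win ...>"
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def parse_capture(text):
    """Parse `show capture` output; lines that do not look like packets are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        for key in ("seq", "sport", "dport"):
            pkt[key] = int(pkt[key])
        packets.append(pkt)
    return packets

def packets_per_server(packets, port=443):
    """Count packets sent to each remote server on the given port (443 = HTTPS)."""
    return Counter(p["dst"] for p in packets if p["dport"] == port)

def servers_by_client(packets, port=443):
    """Map each inside client to the sorted list of servers it talked to."""
    seen = defaultdict(set)
    for p in packets:
        if p["dport"] == port:
            seen[p["src"]].add(p["dst"])
    return {client: sorted(servers) for client, servers in seen.items()}

def new_sessions(packets):
    """(client, server) pairs whose line carries a bare SYN, i.e. a new TLS session."""
    return [(p["src"], p["dst"]) for p in packets if p["rest"].startswith("S ")]
```

The server list from `packets_per_server` is the set of hosts to test for the vulnerability; `new_sessions` shows which clients are still opening fresh connections to them.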

Test Cisco ASA VPN Authentication

Had an issue with a user that was failing to log into the VPN remotely. I couldn't initially figure it out while troubleshooting the authentication from home, so here's how to test authentication from the Cisco ASA CLI.

ciscoasa# test aaa-server authentication AUTH2K8 host 192.168.1.2 username rkreider password s3cr3t

The server group (AUTH2K8), host, username and password are the values that need to be specified. If you're not sure of the AAA server group name, use the following command to list all the authentication servers.

ciscoasa# show aaa-server

This lists all the aaa-servers; to narrow it down, as in my case, I specified some additional arguments.

ciscoasa# show aaa-server authentication protocol nt

Here is a list of available protocols.

ciscoasa# show aaa-server protocol ?
  http-form  Protocol HTTP form-based
  kerberos   Protocol Kerberos
  ldap       Protocol LDAP
  nt         Protocol NT
  radius     Protocol RADIUS
  sdi        Protocol SDI
  tacacs+    Protocol TACACS+

So the output from showing the aaa-servers of type NT is as follows for me.

Server Group:    AUTH2K8
Server Protocol: nt
Server Address:  192.168.1.2
Server port:     139
Server status:   ACTIVE, Last transaction at 13:16:58 EDT Wed Mar 26 2014
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       435
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       389
Number of rejects                       31
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      15
Number of unrecognized responses        0

I used the Server Group and Server Address values from that output in my test case. Again, here is my command, first with a wrong password and then with the right one.

ciscoasa# test aaa-server authentication AUTH2K8 host 192.168.1.2 username rkreider password s3cr3t
INFO: Attempting Authentication test to IP address <192.168.1.2> (timeout: 12 seconds)
ERROR: Authentication Rejected: AAA failure
ciscoasa# test aaa-server authentication AUTH2K8 host 192.168.1.2 username rkreider password sup3rs3cr3t
INFO: Attempting Authentication test to IP address <192.168.1.2> (timeout: 12 seconds)
INFO: Authentication Successful

My issue was actually related to a setting on the account profile in Active Directory restricting which servers the account could log on to, which prevented authentication from working.

Cisco 7960 How to Create Conference Call


How to create a conference, or “3-way” call on Cisco 7960 phone…

  1. Begin with one caller already on the line (It does not matter who initiates the first call)
  2. Press the “More” then press the “Conference” SoftKey that is located just below the display screen.
  3. Dial the phone number of the person you wish to add to the conference.
  4. Once the second party is on the line, press the “Conference” button again to join all parties together.

Subsequent additions to your conference call can be added by following steps 2, 3 & 4, with a maximum conference of 4 callers, including yourself.

Cisco IOS EEM: Send Email on VPN Connection

I set up a Cisco router to send an email whenever a VPN user connected.  I did this for accounting purposes before I moved to RADIUS.  I’ll put this up here because someone else may be interested in this for their own use.

Step 1:  Environment Variable Setup

I like to configure variables to use throughout my EEM applets so I don't have to remember everything. These set up a few, such as the mail server, the from address and the to address.

router(config)#event manager environment _email_server 192.168.1.10
router(config)#event manager environment _email_from alerts@domain.local
router(config)#event manager environment _email_to admin@domain.local

Step 2: Create Event Manager Applet

Creating the applet is quite simple.

router(config)#event manager applet audit-vpn-login-ok

This creates the applet and puts you into its config mode to allow you to configure additional information.

Step 3: Identify what to look for

I simply look for a syslog pattern that corresponds to a Virtual-Access adapter being created (which indicates in my setup that a VPN has been established successfully).

router(config-applet)#event syslog pattern "LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access.*up"

After I tell it what to look for, I give it some actions.

Step 4: Configure Actions

For information purposes, I run a "show crypto ipsec sa | include local crypto"; EEM stores the output of that command in the $_cli_result variable. This is helpful for telling me which IP address created the VPN. I could go further by looking for a username segment, but in this simple example I'm sticking to just what IP established the VPN.

router(config-applet)#action 1.0 cli command "enable"
router(config-applet)#action 1.5 cli command "sh crypto ipsec sa | i local crypto"

Now I send the Email using the variables defined above and also include the $_cli_result (output of the command above stored as a variable) in the body.

router(config-applet)#action 2.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: VPN User Connected" body "Connection:n$_cli_result"

Finally, I send a syslog message as well, noting that a VPN connection was established and the mail was sent.

router(config-applet)#action 2.5 syslog priority notifications msg "VPN UP - Mail Sent"

Full Code

router(config)#event manager environment _email_server 192.168.1.10
router(config)#event manager environment _email_from alerts@domain.local
router(config)#event manager environment _email_to admin@domain.local
router(config)#event manager applet audit-vpn-login-ok
router(config-applet)#event syslog pattern "LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access.*up"
router(config-applet)#action 1.0 cli command "enable"
router(config-applet)#action 1.5 cli command "sh crypto ipsec sa | i local crypto"
router(config-applet)#action 2.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: VPN User Connected" body "Connection:n$_cli_result"
router(config-applet)#action 2.5 syslog priority notifications msg "VPN UP - Mail Sent"
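Two things in this applet are worth checking before relying on it: which syslog messages the `event syslog pattern` regex actually fires on, and what the stored $_cli_result gives you about the peer. The Python below is an added example, not part of the original post and not how IOS implements EEM; the syslog messages and the `show crypto ipsec sa` output are constructed, and it assumes EEM treats the pattern as a regex searched anywhere in the message.

```python
import re

# Pattern from the applet above. EEM searches it within each syslog message
# (assumed here: partial match, like re.search, not a full-line match).
VPN_UP_PATTERN = r"LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access.*up"

# Constructed IOS-style syslog messages (not captured from a real router).
SYSLOG_SAMPLES = [
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up",
    "%LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up",
]

def applet_fires(message, pattern=VPN_UP_PATTERN):
    """True if the applet's syslog event would match this message."""
    return re.search(pattern, message) is not None

def matching_messages(messages, pattern=VPN_UP_PATTERN):
    """Subset of messages that would trigger the applet (and therefore a mail)."""
    return [m for m in messages if applet_fires(m, pattern)]

# Constructed output of "sh crypto ipsec sa | i local crypto", i.e. what
# would land in $_cli_result and be mailed in the body.
CLI_RESULT = """\
     local crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.7
     local crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.23
"""
ENDPT_RE = re.compile(r"remote crypto endpt\.: (\d+\.\d+\.\d+\.\d+)")

def remote_peers(cli_result):
    """Peer addresses from the stored $_cli_result: the hosts that built the tunnels."""
    return ENDPT_RE.findall(cli_result)
```

Note that a "Virtual-Access ... changed state to down" line does not match, so only tunnel establishment sends mail; a separate applet on the down message would be needed to audit disconnects.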

Cisco EEM Applet – Send Email Notification on Internet Circuit Failure

I needed to set up a notification to be sent via email when a circuit went down and failed over to a backup circuit on a Cisco 2921 router. Here's what I did.

Create IP SLA

I create my IP SLA to monitor ICMP reachability to the internet:

router(config)#ip sla 1
router(config-ip-sla)#icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
router(config-ip-sla-echo)#exit
router(config-ip-sla)#exit
router(config)#ip sla schedule 1 life forever start-time now

Note: Instead of specifying source-interface GigabitEthernet0/0, I could configure a route to use that interface’s gateway. In my setup, I have 2 WAN links, so I need to be specific at the least in which interface I’m monitoring.

Create Track Object

Now that the IP SLA is set up, I can set up a track object to monitor the up/down state of the IP SLA.

router(config)#track 1 ip sla 1 reachability
router(config-track)#delay down 5 up 10

This means that if the remote IP (8.8.8.8) is unreachable for 5 seconds, it is down. If it comes back up and is reachable for 10 seconds, it is considered up.
With both of these in place, now I can create my event monitor applet.

Create Event Monitor Applet

I define a few variables to make life easier when writing future applets.

router(config)#event manager environment _email_server 192.168.1.10
router(config)#event manager environment _email_from alerts@domain.local
router(config)#event manager environment _email_to oncall@domain.local

This sets up 3 variables I can use later in my action stanzas by simply referencing $_email_server, $_email_from and $_email_to.
Now, I configure the applet.

router(config)#event manager applet internet_down
router(config-applet)#event track 1 state down
router(config-applet)#action 1.0 syslog msg "Primary Internet Circuit Down"
router(config-applet)#action 1.1 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "Circuit Down" body "Primary Internet Circuit Down."
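The `delay down 5 up 10` on the track object is what keeps a few lost pings from paging the on-call person, and the applet only runs when the track actually changes state. The model below is an added example, not Cisco's implementation and not part of the original post; it treats each IP SLA probe as one sample per second and applies the two delay timers the way the text above describes them (the probe history is constructed).

```python
def track_transitions(samples, delay_down=5, delay_up=10, start_state="up"):
    """Return [(t, new_state), ...] for every state change of the track object.

    samples: iterable of (t_seconds, reachable) from the IP SLA.  A change in
    reachability starts the matching delay timer; if reachability flips back
    before the timer expires, the timer is cancelled and no transition occurs.
    """
    state = start_state
    pending_since = None          # time the opposite condition was first seen
    transitions = []
    for t, reachable in samples:
        desired = "up" if reachable else "down"
        if desired == state:
            pending_since = None  # agrees with current state: cancel any timer
            continue
        if pending_since is None:
            pending_since = t     # start the down or up delay timer
            continue
        delay = delay_down if desired == "down" else delay_up
        if t - pending_since >= delay:
            state = desired
            transitions.append((t, state))
            pending_since = None
    return transitions

def applet_triggers(transitions, state="down"):
    """Times at which `event track 1 state <state>` would run its actions."""
    return [t for t, s in transitions if s == state]

# Constructed probe history, one probe per second (not from a real router):
#  0-9   reachable   (steady)
# 10-12  unreachable (3 s flap, shorter than `delay down 5`, must be absorbed)
# 13-19  reachable
# 20-40  unreachable (real outage)
# 41-59  reachable   (recovery)
PROBES = ([(t, True) for t in range(0, 10)] + [(t, False) for t in range(10, 13)]
          + [(t, True) for t in range(13, 20)] + [(t, False) for t in range(20, 41)]
          + [(t, True) for t in range(41, 60)])
```

Running the same history with `delay_down=2` reports the 3-second flap as an outage, which is the case the 5-second delay is there to suppress.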

Conclusion

That's all there is to it. You could add another applet, say internet_up, triggered by track 1 state up, to send a different message when the circuit comes back up. I do have a second applet to notify of circuit up, since I monitor 2 WAN links on a single router and the two links fail over to each other to provide reliability for the VLANs on the network that require high availability.

Resources

Cisco documentation for Embedded Event Manager
Cisco EEM Configuration Example for ISR