Posts Tagged ‘ASA’

Cisco ASA Auto and Manual NAT discussion

I’ve recently done more thinking about Cisco’s NAT changes and wanted to jot down a couple of examples of solving NAT problems in both Auto NAT (Network Object NAT) and Manual NAT (Twice NAT.)

Branch office example with one public static IP address, which is assigned to the outside interface of your ASA FW. If you need to do static NAT w/ port address translation to several internal servers on your DMZ (static PAT), you’ll find this one handy. If any of your servers need to have more than one port forwarded to the internet, I prefer to go w/ Manual NAT versus Auto NAT due to readability.

Example using Auto NAT:

object network myWebServer
  host 10.1.1.1
  nat (dmz,outside) static interface service tcp http http

object network myDNSServer
  host 10.1.1.2
  nat (dmz,outside) static interface service udp domain domain

object network myWebServer-01 // I've got to declare it multiple times??!! This feels WRONG!!
  host 10.1.1.1
  nat (dmz,outside) static interface service tcp https https

object network myEmailServer
  host 10.1.1.3
  nat (dmz,outside) static interface service tcp smtp smtp

Example using Manual NAT:

object network myWebServer
  host 10.1.1.1
object service http
  service tcp source eq www
object service https
  service tcp source eq 443

nat (dmz,outside) source static myWebServer interface service http http
nat (dmz,outside) source static myWebServer interface service https https

If you ask me, in this scenario, Manual NAT is a better solution than Auto NAT. I’m rather disappointed that Cisco doesn’t allow service object groups to be used in Manual NAT yet, but at least I’m not having to create bogus network objects multiple times when I’m using Manual NAT.

Here’s another example of using NAT at a small branch office when you’ve got two public static IPs, one used on the ASA’s outside interface and the other shared among multiple servers in a DMZ.

Example using Auto NAT:

object network STATIC209_165_201_11
  host 209.165.201.11

object network myDNSServerUDPDNS
  host 10.1.1.1
  nat (dmz,outside) static STATIC209_165_201_11 service udp domain domain

object network myDNSServerTCPDNS
  host 10.1.1.1
  nat (dmz,outside) static STATIC209_165_201_11 service tcp domain domain

object network myWWWServer
  host 10.1.1.3
  nat (dmz,outside) static STATIC209_165_201_11 service tcp http http

NOTE: See how we're using the 2nd public IP address vs. the outside's interface?

Example using Manual NAT:

object network STATIC209_165_201_11
  host 209.165.201.11

object network myDNSServer
  host 10.1.1.1

object network myWWWServer
  host 10.1.1.3

object service udpdns
  service udp source eq domain

object service tcpdns
  service tcp source eq domain

object service tcphttp
  service tcp source eq http

nat (dmz,outside) source static myDNSServer STATIC209_165_201_11 service udpdns udpdns
nat (dmz,outside) source static myDNSServer STATIC209_165_201_11 service tcpdns tcpdns
nat (dmz,outside) source static myWWWServer STATIC209_165_201_11 service tcphttp tcphttp

To me at least, Manual NAT is more readable when staring at configs and tracking down bugs.
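As an added example (not code from the original post or from Cisco), the Python script below parses the two NAT styles shown above, the Auto NAT lines nested inside `object network` blocks and the Manual NAT `nat ... source static` lines with their service objects, and resolves both into the same list of real-host:port to mapped-IP:port translations. It only understands `host` network objects and static PAT with a `service` clause (an assumption of this example), and it folds the `www`/`http` keyword pair the way the ASA does. The second function surfaces the complaint made in the Auto NAT example: the same host address declared under several network object names. The config text embedded in the script is copied from the second pair of examples above.

```python
import re
from collections import defaultdict

# Constructed input: the second Auto NAT / Manual NAT pair from the post above,
# copied as plain text so the parser can be run offline.
AUTO_NAT = """
object network STATIC209_165_201_11
  host 209.165.201.11
object network myDNSServerUDPDNS
  host 10.1.1.1
  nat (dmz,outside) static STATIC209_165_201_11 service udp domain domain
object network myDNSServerTCPDNS
  host 10.1.1.1
  nat (dmz,outside) static STATIC209_165_201_11 service tcp domain domain
object network myWWWServer
  host 10.1.1.3
  nat (dmz,outside) static STATIC209_165_201_11 service tcp http http
"""

MANUAL_NAT = """
object network STATIC209_165_201_11
  host 209.165.201.11
object network myDNSServer
  host 10.1.1.1
object network myWWWServer
  host 10.1.1.3
object service udpdns
  service udp source eq domain
object service tcpdns
  service tcp source eq domain
object service tcphttp
  service tcp source eq http
nat (dmz,outside) source static myDNSServer STATIC209_165_201_11 service udpdns udpdns
nat (dmz,outside) source static myDNSServer STATIC209_165_201_11 service tcpdns tcpdns
nat (dmz,outside) source static myWWWServer STATIC209_165_201_11 service tcphttp tcphttp
"""

# The ASA accepts both keywords for TCP/80; fold them so the two styles compare equal.
PORT_ALIASES = {"www": "http"}


def _port(name):
    return PORT_ALIASES.get(name, name)


def parse_asa_nat(config):
    """Parse host objects, service objects and the static NAT lines used on this page.
    Returns (translations, hosts): translations is a set of
    (real_if, mapped_if, proto, real_ip, real_port, mapped_ip, mapped_port) tuples,
    hosts maps network object name -> host address. Only 'host' objects and static
    PAT with a 'service' clause are understood (an assumption of this example)."""
    hosts, services, rules = {}, {}, []
    current = None  # name of the object block currently being read
    for raw in config.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop the blog's inline // comment
        if not line:
            continue
        if m := re.fullmatch(r"object (?:network|service) (\S+)", line):
            current = m.group(1)
        elif m := re.fullmatch(r"host (\S+)", line):
            hosts[current] = m.group(1)
        elif m := re.fullmatch(r"service (tcp|udp) source eq (\S+)", line):
            services[current] = (m.group(1), _port(m.group(2)))
        elif m := re.fullmatch(r"nat \((\S+),(\S+)\) static (\S+) service (tcp|udp) (\S+) (\S+)", line):
            # Auto NAT: the real host is the enclosing network object
            rif, mif, mapped, proto, rport, mport = m.groups()
            rules.append((rif, mif, proto, current, _port(rport), mapped, _port(mport)))
        elif m := re.fullmatch(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) service (\S+) (\S+)", line):
            # Manual NAT: real and mapped hosts are named, ports come from service objects
            rif, mif, real, mapped, rsvc, msvc = m.groups()
            proto, rport = services[rsvc]
            rules.append((rif, mif, proto, real, rport, mapped, services[msvc][1]))

    def addr(name):  # 'interface' stays symbolic; object names resolve to their host
        return name if name == "interface" else hosts.get(name, name)

    translations = {(rif, mif, proto, addr(real), rport, addr(mapped), mport)
                    for rif, mif, proto, real, rport, mapped, mport in rules}
    return translations, hosts


def duplicate_host_objects(hosts):
    """IP addresses declared by more than one network object: the Auto NAT
    duplication the post complains about."""
    by_ip = defaultdict(list)
    for name, ip in hosts.items():
        by_ip[ip].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    auto, auto_hosts = parse_asa_nat(AUTO_NAT)
    manual, manual_hosts = parse_asa_nat(MANUAL_NAT)
    print("same translations:", auto == manual)
    for t in sorted(auto):
        print("  %s %s:%s -> %s:%s (%s,%s)" % (t[2], t[3], t[4], t[5], t[6], t[0], t[1]))
    print("duplicate host objects, Auto NAT:", duplicate_host_objects(auto_hosts))
    print("duplicate host objects, Manual NAT:", duplicate_host_objects(manual_hosts))
```

Run it as-is and it reports that both configs produce the same three translations and that only the Auto NAT version declares 10.1.1.1 twice; swap in your own config text to diff a pre- and post-migration NAT table the same way.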

Here are a couple of useful links:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_overview.html

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_objects.html

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_rules.html

http://osimatrix.wordpress.com/2011/03/29/cisco-asa-8-3-basic-nat-guide-simple-yet-practical-overview/

http://www.fir3net.com/Cisco-ASA/cisco-asa-83-no-nat-nat-exemption.html

http://www.fir3net.com/Cisco-ASA/cisco-asa-83-nat.html

http://tunnelsup.com/tup/2011/06/24/nat-for-cisco-asas-version-8-3/

http://packetpushers.net/understanding-when-a-cisco-asa-nat-rule-can-override-the-asa-routing-table/

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp51777 (static NAT/PAT migration examples.)

http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html (Cisco ASA new Features by Release.)

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html (Some very good config examples from Cisco.)

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/nat_overview.html#wp1118157 (Cisco’s NAT Rule Table.)

Cisco ASA 5505 recovery

I recently upgraded my ASA5505 to 9.1(1) and had heard while I was configuring my ASA5515-x that an interim release, 9.1(1)4 was available. When I started using the newer release a lot of my problems went away thankfully so I decided to upgrade to 9.1(1)4 on the ASA5505. Well sure enough, I encountered an error and instead of trying to debug it I fell back into my “Windows” experience and did a reload on the device instead.

It would POST no problems but got hung on “Bootloading” and stayed there. So I finally decided after an hour of powering it off & on to try and do a full recovery by using rommon. I already had the tftp server ready so how hard can it be to upload an IOS image to the device?? I mean seriously? WHAT COULD POSSIBLY GO WRONG…

I logged in to rommon and set the initial variables:

ADDRESS=192.168.1.1
SERVER=192.168.1.2
GATEWAY=192.168.1.2
IMAGE=asa911-4-k8.bin
PORT=Ethernet0/0

I then attempted to ping the tftp server, which is on 192.168.1.2. No love. The tftp server couldn’t ping the ASA either. Well this isn’t going well at all! After about an hour of messing around w/ settings and verifying good link connectivity I finally just issued “tftp” on the ASA5505 and the image loaded! W00T! Now came the fun part! That image I loaded was only in memory and not installed on the compact flash card! In fact, it couldn’t see the compact flash card at all (which was the problem; it appears that my FAT file system went tits up!). So w/o thinking I issued “reload” again. And I was right back at the “Bootloading…” screen. This go around, I issued the “erase flash:” command while inside the rommon. Downloaded the image again from the tftp server. Once again, the IOS image is loaded in memory. This time I issued “format flash:” and I now could configure my ASA5505 to once again download the image from my tftp server and write it to my compact flash. I also did some initial configuration and wrote to memory.

Next reboot, I was up and running minus a couple of important things:

1) I was missing my activation key. I thankfully had it over on Cisco’s website since I upgraded the device to Security Plus years ago, so I fetched it from here: http://www.cisco.com/web/go/license and looked for my device’s available licenses. Once found, I applied it in global config mode and issued another reload.

2) I uploaded my saved config which I had saved previously. Things weren’t working as I had expected. I had to log into interface config mode and issue my “no shut” commands to rectify that situation! 😛

3) I also needed to generate an RSA key pair for ssh with “crypto key generate rsa” in global config mode.

4) There was something else but of course I have forgotten that!

See the links below for other good reference material.

https://supportforums.cisco.com/thread/153353 (no config-register in case you’re continuously booting in rommon)

http://www.tech21century.com/using-the-rommon-to-load-a-new-image-on-cisco-asa-firewall/ (URL says it all.)

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_trouble.html#wp1076206 (using rommon)

http://www.gomjabbar.com/2011/07/17/recovering-a-license-activation-key-for-the-cisco-asa/ (again, URL speaks volumes)

http://evilrouters.net/2011/12/16/how-to-upgrade-license-cisco-asa-firewall/ (ditto)

http://www.gomjabbar.com/2011/07/31/cisco-asa-device-management-%E2%80%93-ssh-keys-and-fingerprints/ (ssh keys)

vsftpd, FTPES & CentOS 5.5 part 2

This is the second part of my FTPES, vsftpd & CentOS article. In the first part I walked you thru how I built a certificate, sent the CSR off to my CA and finally, modified the vsftpd.conf file. In this part I’ll show you how to test the service via command-line so you can actually see the certificate and how to punch a hole thru your FW because the data part of your FTP session is now encrypted.

First, let’s talk about verifying the configuration. One of the obvious things you can do is open up a command prompt session and attempt to log into your ftp server. Once connected, does it accept an anonymous connection? Was that what you wanted? Also, did the plain jane ftp command allow you to log in, or did you get a 331 error, “Non-anonymous sessions must use encryption”? If you’ve configured it correctly it shouldn’t allow you to log in at all. So how do you test it using encryption? By using openssl w/ s_client of course! Use…

openssl s_client -starttls ftp -connect yourserver.example.com:21

This will allow you to not only log into your server using encryption via command-line but also verify that you’ve got the proper certificate & certificate chain installed. I personally tried connecting without the starttls option but wasn’t successful (instead I get a “SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol” error message. I believe this is because I’m using vsftpd in explicit mode, not implicit mode.) The openssl s_client command can also be used for a number of other encrypted services for debugging certificates, which is extremely helpful!

So you’ve verified that FTPES does work on the local LAN but doesn’t seem to work thru your FW. This is where passive ftp comes into play because your FTP traffic is now encrypted and your FW can’t do an inspection to determine which port is going to be used next and open it up for you ahead of time. Most FWs come with some sort of FTP inspect feature but we just killed it because that data is totally encrypted now and it’s unable to sniff the FTP traffic and sense which port needs to be opened. You won’t have to turn on passive FTP because it’s on by default with vsftpd. You should specify the port range and I also turned on pasv_address too:

pasv_enable=YES
pasv_addr_resolve=YES
pasv_address=yourserverhere.example.com
pasv_min_port=63000
pasv_max_port=65535

Once done, this will force your vsftpd server to use a port range of 63000 to 65535 for data connections. A lot of the options I used above can be found within the man page for vsftpd.conf (along with their default values!)

Now you just need to open up that same range on your FW device (NOTE: Each FW is going to be different!) On my Cisco Adaptive Security Appliance (ASA) I’m defining an object-group first for the port range, like so:

object-group service ftp_passive tcp
  description ftp passive range
  port-object range 63000 65535

Then I use that port range in my outside ACL for inbound traffic, like so:

access-list outside_access_in extended permit tcp any host YOUR_PUBLIC_IP object-group ftp_passive
.
.
.

Just be sure to use your public IP address for ‘YOUR_PUBLIC_IP’ in the above ACE. Now when it comes to ACL rules there’s tons of different ways to allow traffic so I won’t go into much more detail here other than how I punched a hole thru my FW to allow the encrypted vsftpd data channel traffic through.
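The steps above (the `pasv_*` settings in vsftpd.conf, the ASA `object-group service`, and the ACE that references it) only work together if the range vsftpd hands out is exactly the range the FW opens. As an added example that is not part of the original post, the Python script below cross-checks the three: it reads the passive port range out of a vsftpd.conf snippet, reads the `port-object` lines out of the ASA object-group, decodes a `227 Entering Passive Mode` reply and reports whether that data port falls inside both, and whether the whole vsftpd range is covered by the pinhole. It also treats the vsftpd default of `pasv_min_port`/`pasv_max_port` left at 0 (any free port) as a failure, since that cannot be pinholed. The config text and the 227 reply embedded in the script are constructed for the example; the optional `live_pasv_reply` helper uses Python's standard `ftplib.FTP_TLS` to do what `openssl s_client -starttls ftp` does by hand (AUTH TLS, then PROT P) and fetch a real reply to feed into the check.

```python
import re
from ftplib import FTP_TLS

# Constructed inputs modelled on the snippets above; not captured from a real server.
VSFTPD_CONF = """
pasv_enable=YES
pasv_addr_resolve=YES
pasv_address=yourserverhere.example.com
pasv_min_port=63000
pasv_max_port=65535
"""

ASA_OBJECT_GROUP = """
object-group service ftp_passive tcp
  description ftp passive range
  port-object range 63000 65535
"""

# A 227 reply as an FTPES server would send it after PASV (port = 246*256 + 24 = 63000).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,246,24)."


def vsftpd_pasv_range(conf):
    """Data-port range vsftpd will hand out. Unset min/max default to 0, which
    means 'any free port' and is exactly what you cannot pinhole."""
    opts = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    if opts.get("pasv_enable", "YES").upper() != "YES":
        raise ValueError("pasv_enable=NO: this check assumes passive data connections")
    return int(opts.get("pasv_min_port", 0)), int(opts.get("pasv_max_port", 0))


def asa_port_ranges(config, group):
    """(low, high) port ranges declared in the named ASA 'object-group service ... tcp'."""
    ranges, inside = [], False
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("object-group "):
            inside = line == f"object-group service {group} tcp"
        elif inside:
            if m := re.fullmatch(r"port-object range (\d+) (\d+)", line):
                ranges.append((int(m.group(1)), int(m.group(2))))
            elif m := re.fullmatch(r"port-object eq (\d+)", line):
                ranges.append((int(m.group(1)), int(m.group(1))))
    return ranges


def pasv_port(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (address, port)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a PASV 227 reply: " + reply)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def covered(port, ranges):
    return any(low <= port <= high for low, high in ranges)


def check_pinhole(conf, asa_config, group, reply):
    """Cross-check one PASV reply against the vsftpd range and the ASA object-group,
    and confirm the whole vsftpd range sits inside the ASA pinhole."""
    low, high = vsftpd_pasv_range(conf)
    acl = asa_port_ranges(asa_config, group)
    _, port = pasv_port(reply)
    unrestricted = (low, high) == (0, 0)  # vsftpd default: kernel picks any ephemeral port
    return {
        "pasv_port": port,
        "in_vsftpd_range": unrestricted or low <= port <= high,
        "in_asa_group": covered(port, acl),
        "range_fully_opened": not unrestricted and all(covered(p, acl) for p in range(low, high + 1)),
    }


def live_pasv_reply(host, user, password):
    """Optional live check (needs network): AUTH TLS like 'openssl s_client -starttls ftp',
    PROT P to encrypt the data channel, then ask for a PASV reply to feed to check_pinhole."""
    ftp = FTP_TLS(host)
    ftp.auth()
    ftp.login(user, password)
    ftp.prot_p()
    try:
        return ftp.sendcmd("PASV")
    finally:
        ftp.quit()


if __name__ == "__main__":
    print(check_pinhole(VSFTPD_CONF, ASA_OBJECT_GROUP, "ftp_passive", PASV_REPLY))
```

With the constructed inputs every field comes back True; narrow the `port-object range` or drop the `pasv_min_port`/`pasv_max_port` lines and `range_fully_opened` flips to False, which is the mismatch that shows up in practice as a directory listing that hangs after login.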

That’s about it folks. Remember, if you’re having problems with your configuration, break it down into simple pieces and troubleshoot it that way versus trying to eat the entire problem at once!

-Q

Oh, almost forgot. Here’s a couple links that might be helpful!

http://en.wikipedia.org/wiki/Ftp
http://en.wikipedia.org/wiki/FTPES
http://it.toolbox.com/blogs/unix-sysadmin/troubleshooting-ssltls-mail-services-29266
http://www.wowtutorial.org/tutorial/26.html
http://vsftpd.beasts.org/
http://www.openssl.org/docs/apps/s_client.html
http://blogs.iis.net/robert_mcmurray/archive/2008/11/10/ftp-clients-part-2-explicit-ftps-versus-implicit-ftps.aspx