Feb 4
peter | Cisco ASA, Firewalls | asa, botnet
Since IOS 8.2, the Cisco ASA can protect you against botnets. Here is some relevant information when you want to use the Botnet Traffic Filter on a Cisco ASA firewall with IOS 8.2.
1. A license is needed: ASA55xx-BOT-1YR=
2. DNS snooping needs to be configured on the ASA.
3. The following syslog IDs are used by the Botnet Traffic Filter: 338001, 338002, 338003, 338004
4. Reverse access rules need to be configured.
A tutorial can be found here.
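As an added example (not from the original post), a small Python parser that picks the Botnet Traffic Filter events (syslog IDs 338001 to 338004) out of ASA syslog text and counts them per internal source address; the sample lines and their message wording are constructed for this example, so the code keys on the message ID rather than on the text.

```python
import re
from collections import Counter

# Syslog IDs the post lists for the ASA Botnet Traffic Filter.
BOTNET_FILTER_IDS = {"338001", "338002", "338003", "338004"}

# Matches the "%ASA-<severity>-<message-id>:" prefix of an ASA syslog line.
_ASA_PREFIX = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
# Pulls the first IPv4 address after "from" and after "to" out of the message text.
_FROM_TO = re.compile(
    r"from\s+\S*?(?P<src>\d{1,3}(?:\.\d{1,3}){3}).*?\bto\s+\S*?(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample lines (not real firewall output): two Botnet Traffic Filter
# events, one ordinary connection teardown and one line that is not ASA syslog at all.
SAMPLE_LOG = """\
Feb  4 10:01:02 asa1 %ASA-4-338001: Dynamic filter monitored blacklisted TCP traffic from inside:192.168.1.25/51234 (203.0.113.10/51234) to outside:198.51.100.7/80 (198.51.100.7/80), threat-level: very-high
Feb  4 10:01:05 asa1 %ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.7/80 to inside:192.168.1.25/51234
Feb  4 10:02:11 asa1 %ASA-4-338002: Dynamic filter monitored blacklisted UDP traffic from inside:192.168.1.25/5353 (203.0.113.10/5353) to outside:198.51.100.9/53 (198.51.100.9/53), threat-level: high
random noise line
"""


def parse_botnet_events(log_text):
    """Return one dict per line whose syslog ID belongs to the Botnet Traffic Filter."""
    events = []
    for line in log_text.splitlines():
        m = _ASA_PREFIX.search(line)
        if not m or m.group("msgid") not in BOTNET_FILTER_IDS:
            continue  # not ASA syslog, or not a botnet-filter message
        ev = {"msgid": m.group("msgid"), "severity": int(m.group("sev")), "src": None, "dst": None}
        ips = _FROM_TO.search(m.group("text"))
        if ips:  # addresses are best effort; the ID alone is enough to flag the line
            ev["src"], ev["dst"] = ips.group("src"), ips.group("dst")
        events.append(ev)
    return events


def hosts_by_event_count(log_text):
    """Count Botnet Traffic Filter events per internal source address, most active first."""
    return Counter(e["src"] for e in parse_botnet_events(log_text) if e["src"]).most_common()


if __name__ == "__main__":
    for src, n in hosts_by_event_count(SAMPLE_LOG):
        print(f"{src}: {n} botnet-filter event(s)")
```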
Feb 4
peter | Aruba Networks
These days I was busy configuring a remote networking concept built around an Aruba Mobility Controller (MC) 3200, used in conjunction with RAP2WG remote access points. This is a basic configuration of the Aruba RAP deployment.
As the procedure to set up the controller can be a little confusing, I decided to post the procedure on my weblog.
In short, the following steps need to be done to get the remote networking setup working (basics):
1. configure the controller basics, e.g. IP address, vlans, trunks, etc.
2. define the aaa profile
3. define the ssid profile
4. define the virtual access-point profile (VAP)
5. define VPN settings
6. define provision profile
7. define AP group
8. whitelist the RAP’s
9. open firewall ports
10. provision the RAP’s (“zero touch”)
Well, let's start with step 1. All these things can be done through the GUI or the CLI of the MC, and you can alter settings to fit your own environment.
step 1: configure the controller basics such as IP address, gateway, vlans, etc.
A part of this step can be done in the initial configuration dialog that shows up when you first boot the MC. The rest needs to be done afterwards. I configured a vlan (11) in a DMZ zone of a firewall, and a vlan (60) where the wireless clients will be placed. I use port Gi1/0 as a trunk to the core switch with only vlans 11 and 60 allowed. I created a loopback interface for the RAPs to connect to.
This all is done by the following config;
hostname "Aruba3200"
clock timezone GMT 1
interface loopback
ip address 10.1.1.200
!
vlan 11 "dmz"
vlan 60 "wireless-clients"
interface gigabitethernet 1/0
description "GE1/0"
trusted
switchport mode trunk
switchport trunk allowed vlan 11,60
interface vlan 1
ip address 172.16.0.254 255.255.255.0
!
interface vlan 11
ip address 10.1.1.199 255.255.255.0
!
ip default-gateway 10.1.1.1
step 2: define the aaa profile
aaa profile "wifi-aaa-profile"
authentication-dot1x "default"
step 3: define the ssid profile
I used WPA for encryption, but you can use the one you like.
wlan ssid-profile "wifi-ssid-profile"
essid "justforfun"
opmode wpa-psk-tkip
wpa-passphrase *****
step 4: define the virtual access-point profile (VAP)
Bind the aaa and ssid profiles together in the VAP profile and define the vlan.
wlan virtual-ap "my-vap-profile"
ssid-profile "wifi-ssid-profile"
vlan 60
aaa-profile "wifi-aaa-profile"
step 5: define the VPN settings for the RAP2WGs (GUI)
The 3DES policy (priority 5 in this example) needs to be added for the RAP2WGs.
An IP address pool needs to be defined for the RAP2WGs. These addresses need to be unique in the routing domain.
ip local pool "albron-aps" 10.10.10.1 10.10.10.10
vpdn group l2tp
ppp authentication PAP
step 6: define provisioning profile
ap provisioning-profile "my-provisioning-profile"
remote-ap
master "x.x.x.x" #public IP of the controller, or the NAT address of the firewall
step 7: define the AP group
In the AP group, the VAP profile and the provisioning profile come together.
ap-group "MyAPGroup"
virtual-ap "my-vap-profile"
provisioning-profile "my-provisioning-profile"
step 8: whitelist the RAP’s
The new RAPs need to be whitelisted (by MAC address) to be accepted by the MC. This is done in the whitelist part of the GUI, where the RAPs are also associated with the AP group "MyAPGroup".
step 9: open firewall ports
Seen from the Internet, you only have to open port udp/4500 (IPSec NAT-T) to the MC.
step 10: provision the RAP
The final step is to provide the RAP with the information it needs: the IP address where the MC can be reached. This can be done by connecting a wired PC to port E1 of the RAP2WG and port E0 to a regular Internet connection (modem or router). Once the RAP2WG has booted up (a couple of minutes), open a browser on the wired PC and type in any URL. The RAP configuration screen shows up, and the IP address of the mobility controller has to be entered.
When this is done, the RAP2WG connects to the mobility controller and registers with it. After a couple of minutes, the RAP has rebooted again and is publishing the configured ESSID.

Feb 4
peter | Cisco ASA, IOS | asa, vpn
Since I configured a lot of site-to-site VPNs those days, I created a VPN config snippet which I have used as a template. So if you need to configure a site-to-site VPN on a Cisco ASA, you can use this template and customize the fields in angle brackets, the peer address (1.1.1.1 here), the crypto map sequence number and the networks in the access lists.
access-list outside_8_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list vpn_filter extended permit ip any any
!
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
group-policy <policy_name> internal
group-policy <policy_name> attributes
 vpn-idle-timeout none
 vpn-filter value vpn_filter
 vpn-tunnel-protocol IPSec
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy <policy_name>
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key <pre-shared-key>
!
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set pfs
crypto map outside_map 8 set peer 1.1.1.1
crypto map outside_map 8 set transform-set ESP-AES-256-SHA
crypto map outside_map 8 set security-association lifetime seconds 3600
crypto map outside_map 8 set nat-t-disable
crypto map outside_map interface outside
Feb 4
peter | IOS, switching
Sometimes you want to see the serial number of a transceiver in a Cisco switch (e.g. a GLC-SX-MM=). You can see the transceiver serial number by typing the following command:
switch#sh idprom interface gigabitEthernet x/y | i Serial
The "| i Serial" part is optional; it only filters the output down to the line containing the serial number.
Feb 4
peter | Cacti | Cacti
In the last weeks, I have been busy doing some upgrades of CactiEZ 0.8.7c with PA2.2 to 0.8.7e with PA2.5. As always, at first sight everything seems to be OK when the upgrade has finished. But when you have a full-blown Cacti server (with a lot of plugins and tweaks running), it can be different.
In some cases, the GRAPHS screen stayed blank when I clicked on the GRAPHS tab after the upgrade. The only thing I could do to see the graphs was to click the TREE tab, which shows the graph tree on the left of the screen. Then I had to click on the appropriate graph in the tree to see it.
In a few words, I did the following to fix this problem (it is not the neatest solution):
1. Backup your Cacti files!
2. Download the official Cacti 0.8.7e files
3. Overwrite the files in the ‘/var/www/html’ directory on your server with the official Cacti 0.8.7e files
4. Now overwrite the files in the ‘/var/www/html’ directory again with the 0.8.7e/PA2.5 files
Now some files have to be edited for Cacti to function correctly;
5. Edit /var/www/html/include/config.php
Go to line number 30 and edit the following line:
$database_password = "change_this_to_your_dbpassword";
6. Edit /var/www/html/include/global.php
Add the plugins you have installed with the $plugins statements. You can get those from your backup files.
Now Cacti should operate normally again. When you click the GRAPHS tab, the main graph screen will show up again!
Feb 4
peter | Gmail, Thunderbird
I use Mozilla Thunderbird to access my Gmail account (via IMAP). The problem I had was that when I deleted a message in Thunderbird, the message did not move to the trash folder. Instead, it was only visible in the All Mail folder.
When I delete a message in Thunderbird, it should be moved to the [Gmail]/Trash folder. To get this accomplished, the following should be done in Thunderbird:
- The Gmail account is defined as a mail.server.serverx definition in the Config Editor
- Type "mail.server.server" under Filter: in Config Editor.
- Go through the list until you spot your Gmail account’s name (say, "Gmail" or your Gmail address) under Value for a preference named mail.server.server*.name (where ‘*’ is replaced with a number).
- Note the server’s number.
- If you find your Gmail account’s name under "mail.server.server2.name", for example, note "2".
- Click on the mail.server.server* line with the right mouse button.
- Select New | String from the menu.
- Type "mail.server.server*.trash_folder_name", replacing the ‘*’ with the noted number.
- In my case it was 2, so I typed "mail.server.server2.trash_folder_name".
- Click OK.
- Type "[Gmail]/Trash" under Enter string value.
- Click OK.
- Close the configuration dialog.
- Restart Mozilla Thunderbird.
Feb 4
peter | Cacti | Cacti
I was struggling with the TCP Port Template for Cacti. I installed the plugin, but the state of the monitored port stayed 0 (nan) in the graph.
It seems that this problem is in the /var/www/html/scripts/tcp.php file. Modify lines 54 and 56 so that the script returns the state instead of printing it. Change:
print "0";
} else {
print "1";
into:
return "0";
} else {
return "1";
This should fix the problem.
Feb 4
peter | eSafe
Sometimes it is necessary to do some actions with squid (eproxy) on eSafe on the command line. For instance, you want a quick stop-and-start of squid or want to do some debugging. The following options can be used in the CLI environment:
Usage: squid [-hvzCDFNRYX] [-d level] [-s | -l facility] [-f config-file] [-u port] [-k signal]
-d level Write debugging to stderr also.
-f file Use given config-file instead of
/opt/eproxy/etc/squid.conf
-h Print help message.
-k reconfigure|rotate|shutdown|interrupt|kill|debug|check|parse
Parse configuration file, then send signal to
running copy (except -k parse) and exit.
-s | -l facility
Enable logging to syslog.
-u port Specify ICP port number (default: 3130), disable with 0.
-v Print version.
-z Create swap directories
-C Do not catch fatal signals.
-D Disable initial DNS tests.
-F Don’t serve any requests until store is rebuilt.
-N No daemon mode.
-R Do not set REUSEADDR on port.
-S Double-check swap during rebuild.
-X Force full debugging.
-Y Only return UDP_HIT or UDP_MISS_NOFETCH during fast reload.
For instance, when you want to stop-and-start squid (to flush the DNS cache), you can use the following:
# /opt/eproxy/sbin/squid -k shutdown
# /opt/eproxy/sbin/squid
Feb 4
peter | eSafe
Here are some handy tips and tricks to use with eSafe Gateway:
Commands:
# netconfig – quickly configure your NIC
# service network restart – restart the networking service
# /opt/eSafe/esgstop – stop the eSafe services
# /opt/eSafe/esgstart – start the eSafe services
# /opt/eSafe/esgmenu – launch initial wizard after installation
# /opt/eSafe/esgaddon – launch addon db download (spam or url)
# /opt/eSafe/esver – eSafe version info
miscellaneous:
# /opt/eSafe/update_info.txt – info about last update
Feb 4
peter | eSafe | esafe, squid
With the release of eSafe Gateway 7.1, a new setup method is introduced: eSafe Proxy. Don't confuse this one with eSafe Forwarding Proxy. The difference between the two is that eSafe Proxy comes with a Squid proxy (Aladdin named it eproxy) already installed, whereas eSafe Forwarding Proxy does not (the latter only ships the files!). The eproxy can be used as a parent proxy for the web scanning component of eSafe Gateway, with or without authentication against AD, LDAP, etc.
But when you choose the traditional eSafe Forwarding Proxy, the eproxy is not activated. You have to do some things to get it working. I wanted to enable eproxy to use it as a parent proxy for the web component of eSafe.
I used the following steps to enable eproxy:
The eproxy files are under /opt/eproxy. When I first started eproxy, I got the following output:
# /opt/eproxy/sbin/squid start
FATAL: No port defined
Squid Cache (Version 2.6.STABLE18): Terminated abnormally.
CPU Usage: 0.010 seconds = 0.000 user + 0.010 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 218
Aborted
So the first thing I had to do was change the squid config file for the port number it listens on (normally the default is used). The config file is located at /opt/eproxy/etc/squid.conf. Edit line number 936 of this file by deleting the # in front of http_port 3128.
Now eproxy can be started normally.
The only thing left is to make sure squid will be started when the eSafe server reboots. This can be done by making a symbolic link in /etc/rc.d/rc3.d (run the command from within that directory):
# ln -s /opt/eproxy/sbin/squid S90squid
This should do the job.