Cisco ASA Packet Captures for Fun and Profit

by Tony Mattke on March 11, 2013



As many of you know my background isn’t in enterprise, but I currently fill that role in my $job. In order to succeed I’ve had to develop many new skills including learning Cisco Wireless, UCS, a little Fibre Channel, and of course Cisco ASA. While I have been using firewalls for many years, I’ve never used the ASA for anything more than a user firewall, or for supporting a small branch. So yes, my skills are lacking in the ASA market compared to other technologies, and when you get deep into the grind with any product you’re going to need some new tricks to aid in your troubleshooting. This is where ASA paacket captures come into place.

Define Interesting Traffic

As with any packet capture, or even log viewing the amount of noise involved generally dwarfs the data you actually want to find. In order to ease your pain Cisco has allowed us filter out packet capture using an ACL.

FW# access-list FOO line 1 extended permit ip any host 10.2.1.5 
FW# access-list FOO line 2 extended permit ip host 10.2.1.5 any

Once you have your traffic defined, you need to setup your capture. Below I’ve defined a capture named appropriately, FOO, capturing headers from our outside interface that matches our ACL with a 100,000 byte buffer. In ASA 8.0 and above you can do the same capture without the ACL using the match option, which captures traffic bi-directionally.

FW# capture FOO type raw-data access-list CAP buffer 100000 interface outside headers-only
!
! 8.0 and above
FW# capture FOO type raw-data match tcp any host 10.2.1.5 buffer 100000 interface outside headers-only

Viewing your capture

Viewing your capture on the firewall is easy enough using the show capture command. You can do some basic filtering using the built in IOS | include / exclude as well. 

FW# sh capture FOO 

1446 packets captured
-snip-
1062: 10:53:32.978983 10.2.1.5.443 > 10.5.3.7.50344: . 2979731571:2979732951(1380) ack 3788440994 win 8204 
1063: 10:53:32.978999 10.2.1.5.443 > 10.5.3.7.50344: . 2979732951:2979734331(1380) ack 3788440994 win 8204 
1064: 10:53:32.979014 10.2.1.5.443 > 10.5.3.7.50344: P 2979734331:2979734949(618) ack 3788440994 win 8204 
1065: 10:53:32.982691 10.5.3.7.50344 > 10.2.1.5.443: . ack 2979734949 win 16560 
1066: 10:53:34.712441 10.5.3.7.50348 > 10.2.1.5.9960: S 3576506984

For more detailed information you can use the detail or dump option with the show command.

While viewing the files on the firewall is handy in a pinch, it is far from your only option. You can also copy the capture off the firewall using tftp or ftp using the copy command copy /pcap capture:FOO tftp:. The firewall exports the capture in PCAP file format, which allows you to retrieve the file and open it up in Wireshark! Although if you don’t run a tftp or ftp server on your desktop, an even handier option may be to simply access the file in your web browser using the following url. https://FIREWALL_IP/capture/FOO/pcap

You need to allow http access from your workstation on the interface you’re entering

Another cool trick is setting up a circular buffer to continually watch interesting traffic. Something I’m using on one of my current projects is a capture that watches for flows that are denied via ACL.

FW# capture denied type asp-drop acl-drop buffer 4194304 circular-buffer headers-only

Now, once you’re done tracking down what you broke, you probably want to stop the capture, and remove the files. This is done by simply issuing a no capture NAME command from the CLI.

Like I said, I’m not a firewall guru, but this can certainly go a long way to make you look like one to your systems guys when they forget to tell your their web app opens a java client that needs to communicate on TCP/9960….. Not that they’d actually do that or anything.

If any of you have any other cool tricks you can do with ASA Packet Captures please feel free to leave a comment below so I can update the article and give you credit!

{ 3 comments }

Fixing iMessage on Hackintosh

by Tony Mattke on January 23, 2013



Mid December 2012 Apple shut down the Messages Beta for Lion, soon after many hackintosh users started noticing issues with signing into iMessage. At some point in time, people far smarter than me managed to patch a little used bootloader called Clover to allow us to log into iMessage, but Clover is young and still full of random issues. Honestly, it never liked the system id on my partition, so I was never able to use it. But now, it seems that someone has patched our widely used Chameleon bootloader! I’ve tested it on my own hackintosh, and many users are also reporting success.

The instructions are simple enough, and should only take you 3 minutes + a reboot to implement and test!

  1. Download the following files to your hackintosh
  2. Execute the following commands
    3. sudo mkdir /Extra/modules
    cd /Extra/modules
    sudo unzip ~/Downloads/FileNVRAM.dylib.zip
    sudo rm -rf __MACOSX
    sudo rm -rf ACPICodec.dylib

    If you have ACPICodec.dylib in your /Extra/modules folder, you need to delete it.

  3. Unzip the Chameleon installer, and run it — make sure you install to your boot disk
  4. Reboot, and try to login to iMessage

Hopefully this will take care of your issues. If not, it was worth a try! I highly recommend the Insanely Mac Forum for researching any issues you may be having. After all, where do you think I learned how to do this?

{ 10 comments }

ASA Double Nat in 8.4+

by Tony Mattke on September 28, 2012



Recently I was faced with an issue outside my normal expertise… those of you that know me realize I am anything but a security engineer. But in reality, you must always expand your horizons. One of the projects I’m working on involves migrating between two edge networks. Obviously, for a time there has to be traffic using both networks while you migrate services from one network to the other. This creates an issue from services that may be NAT’d from the inside of the network, where as the current (read: old) default route takes them out a different connection..
In order to solve this, you need to either change the default route, which may not be possible, or start NAT’ing the source address of your traffic. It took me a bit of time to get the details worked out, so I wanted to share what I found out.

Plain Jane Static NAT

Since 8.3, NAT has changed quite a bit. The most obvious change is the use of Object groups pretty much everywhere. In some ways, this simplifies the config. In others, not so much. Basic static NAT takes the form of a single object group that defines the inside host, and the static NAT statement. 

object network SERVER
  host 10.72.14.29
  nat (OUTSIDE,INSIDE) static 12.98.16.42

NAT + PAT

The biggest thing that kept giving me issues was that I was attempting to reuse the normal static NAT config, and build a separate PAT config for the source address. Once I realized I was being a tool, the solution came rather quickly. This NAT statement is configured in the same manner as Identity NAT, used to prevent address translations to certain destinations. First you define two object groups, one for the NAT address, and one for the real inside address of the server.

object network SERVER_NAT
  host 12.98.16.42
!
object network SERVER_INSIDE
  host 10.72.14.29
!
nat (OUTSIDE,INSIDE) source dynamic any interface destination static SERVER_NAT SERVER_INSIDE

Next comes this slighly confusing NAT statement…

nat (OUTSIDE,INSIDE) — this is familiar, should make sense to most of us.

source dynamic any interface — this states that our source address is using dynamic NAT/PAT, the traffic could originate from anywhere, and should be NAT’d to the interface it leaves the firewall on. This is the key to our source NAT/PAT configuration…

destination static SERVER_NAT SERVER_INSIDE — finally, this just states the our destination is a static NAT statement, translating our object group SERVER_NAT, to the address in the object group SERVER_INSIDE.

fin

So, hopefully this makes sense… if not, please remember that RouterJockey.com provides no warranties or promises and that you’re just as hopelessly screwed as I am. Thanks for stopping by!

{ 3 comments }

CCIE Potential

by Tony Mattke on April 24, 2012



INE published a great info-graphic on the earning potential of Cisco’s certifications and I felt the need to share it here. It covers a range of topics from average salaries on all three tiers of proficiency, to top locations for positions, always remember that the information included is in no way meant as career advice.

{ 2 comments }

QinQ: IEEE 802.1Q Tunneling

by Tony Mattke on April 19, 2012



In situations where service providers want to offer transparent LAN services that preserve a customers VLAN tags across your Layer-2 network, This amendment to the IEEE 802.1q standard allows us to use a single VLAN to transport multiple VLANS across the MAN or WAN. In doing so, we stack on an extra 802.1q tag to the customer’s traffic at the provider’s edge (PE). The original 802.1Q specification allows a single VLAN header to be inserted into an Ethernet frame. QinQ allows multiple VLAN headers to be inserted into a single frame, this is essential when implementing Metro Ethernet networks.

QinQ Configuration

First we need to ensure our transport switches can support the baby giant frames. To check the current MTU on the switch you can issue the command show system mtu and in global configuration mode, you can use system mtu 1504 to change the switches MTU to the recommended 1504 bytes..

SW1# show system mtu
System MTU size is 1500 bytes
SW1# configure terminal
SW1(config)# system mtu 1504
Changes to the System MTU will not take effect until the next reload is done.

The actual QinQ configuration takes place entirely on the transport switches, no modifications are required on the customer equipment. The first step is to configure the trunk between our two backbone switches. We’ll be using VLAN 101 for Customer-A, and 201 for Customer-B. As you will see, the configuration is rather quick and simple.

SW1(config)# interface fa1/0/48
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 101,201

SW2(config)# interface fa1/0/48
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport trunk allowed vlan 101,201

[ read more... ]

{ 2 comments }

Cisco IPS Fun

by Tony Mattke on March 30, 2012



Since I’ve recently had some fun working with the Cisco 5585-X and the IPS blades, I wanted to document some of the information I learned while getting them online. Some of this came from various sources around the ‘net including the TAC IPS group, other parts are from consultants, or what we just figured out on our own while working with it. The first thing you need to understand is how traffic gets to / from the IPS. The easiest way to explain it, is that the IPS sits inside the firewall. It will be sent traffic, from a matched ACL, after the interface has performed it’s own inbound ACL filtering. In our situation, we simply defined an ACL that stated permit ip any any — but depending on the application, you may only want to filter traffic in certain directions. Below, we have an example that filters traffic with a destination defined in our object-group. The ACL you defined is matched in a class-map, which is matched in your global_policy policy-map. The command ips inline fail-open sensor vs0 actually sends the traffic (via the backplane) to the IPS blade. This command also states, that if the ASA detects an issue with the IPS, to bypass it, and continue to pass traffic as if it was never installed. To cease the flow of traffic to the sensor, remove this command from the policy-map… This would be rather usefull if a bad set of signatures were deployed and the IPS was erroneously dropping traffic.

object-group network IPS-RANGES
 network-object 10.0.0.0 255.0.0.0
 network-object 4.2.2.0 255.255.255.0
!
access-list IPS-ACL permit ip any object-group IPS-RANGES
!
class-map IPS-CLASSMAP
 match access-list IPS-ACL
!
policy-map global_policy
class IPS-CLASSMAP
 ips inline fail-open sensor vs0

[ read more... ]

{ 1 comment }

Another Wicked Vim Tip

by Tony Mattke on March 28, 2012



As a follow up to my blog post on the PacketPushers blog, I wanted to share with you another time saving tip for getting our jobs done not only quickly, but helping to remove one of the tedious steps in firewall maintenance. Today, I needed to add a large chunk of ACEs to my INSIDE-IN ACL (about 6 times larger than my example here, but spread across a couple devices..) Luckily, I used my head when it came time to start adjusting line numbers. The first thing I did was to write out my ACEs, and instead of filling in the line numbers, I just used XXX. (I would be deploying this in a few places, so I saved a couple versions as well..)

Sample output included below: IP Addresses were changed to protect the innocent…
[ read more... ]

{ 2 comments }

MDS Fibre Channel Switching Basics for Network Engineers

by Tony Mattke on December 23, 2011




Recently I’ve been lucky enough to be challenged with learning a bit about Fibre Channel Switching, but I’m even luckier in that I’m getting to know it on a set of MDS switches running NX-OS (previously referred to as SAN-OS). So far, I’ve learned the basics of getting things to work, but nothing really beyond that. As the SAN world has always been a mystery to me, I figured I would share what I’ve learned with other engineers that are at least looking for a baseline look into the storage network.

New Terminology

First, lets familureize ourselves with a few terms that we may run into when dealing with the very basics of FC switching…

  • WWN: World Wide Name, think 8-byte MAC address. Also pWWN/sWWN (Port/Switch WWN) — This is the addressing of the Fibre Channel world. All of our configs are going to use pWWNs (Port World Wide Names, which actually refer to the node, or N_port)
  • vSAN: A vSAN is a virtual collection of ports, sort of like a VRF, or even a vDC (but within the same management plane) — Each port can only be a member of one vSANs. — From my understanding, This is a Cisco specific technology typically used to create at least one unique vSAN per switch. This defines the two (or more) distinct fabric paths.
  • Zone: a Zone is a grouping of ports inside a vSAN used to control which devices can speak with other devices. Devices can be members of multiple zones. Devices in different Zones cannot speak to each other. — Think VLAN.
  • N_port: Node Port — Could be a Host, or Storage device.
  • F_port: Fabric port — Connects to an N_port
  • FLOGI: Fibre Channel Logins — Used to exchange device information. Including WWNs

[ read more... ]

{ 11 comments }

← Previous Entries