Monday 19 December 2016

Cisco ASA - ERROR: Capture doesn't support access-list containing mixed policies

ISSUE

When trying to start a capture, you see the following error:
asa-skyn3t(config)# access-list cap-acl permit ip any any
asa-skyn3t(config)# capture inside interface inside access-list cap-acl
ERROR: Capture doesn't support access-list <cap> containing mixed policies

SOLUTION

From ASA 9.0 the 'any' keyword represents all IPv4 and IPv6 traffic, and the new keywords 'any4' and 'any6' have been introduced to represent IPv4-only or IPv6-only traffic. A capture ACL cannot contain a mix of IPv4 and IPv6 entries (the "mixed policies" in the error), so to resolve the error use the 'any4' or 'any6' keyword within your ACL:
asa-skyn3t(config)# access-list cap-acl permit ip any4 any4
asa-skyn3t(config)# capture inside interface inside access-list cap-acl

Friday 18 November 2016

F5 Cookie Decode

  1. Take the first segment of the cookie value (839518730) and convert it to its 4-byte hexadecimal equivalent (320A0A0A)
  2. Reverse the byte order (0A0A0A32)
  3. Convert each byte back to its decimal value: 0A = 10, 0A = 10, 0A = 10, 32 = 50
  4. The resulting address is 10.10.10.50
The following method was used to decode the port number:
  1. Take the second segment of the cookie value (47873) and convert it to the equivalent 2-byte hexadecimal value (BB01)
  2. Reverse the byte order (01BB)
  3. Convert the value back to its decimal value (443)

Wednesday 16 November 2016

Palo Alto Vs Cisco Remote Access VPN



Palo Alto VPN Highlights
Disable Direct Access to Local Networks
Static IP Address Allocation
Apply a Gateway Configuration to Users, Groups, and/or Operating Systems
Welcome Page Management
RDP Connection to a Remote Client
Simplified GlobalProtect License Structure
SSL/TLS Service Profiles for GlobalProtect Portals and Gateways
GlobalProtect IPsec Crypto Profiles for GlobalProtect Client Configurations
There is no confusion between access to the SSL VPN and access to the management GUI, since they reside on different interfaces and IP addresses.
Browser-based GUI: no Java, no client, just a simple browser. It is also manageable through SSL VPN portals.
Any software downloaded on the primary firewall can automatically be synced to the secondary device.
Securely connect off-premise users to a next-generation firewall.
Protect all users everywhere by inspecting traffic, enforcing security policies, protecting users, apps, devices and data from threats, and securing BYOD through integration with 3rd-party MDM/EMM.
Supported mobile application available for all popular mobile operating systems.

Cisco VPN Highlights, and Drawbacks compared to Palo Alto
Application ACL Support
Automatic Applet Download
Front-Door VRF Support
GUI Enhancements
Netegrity Cookie-Based Single SignOn Support
NTLM Authentication
RADIUS Accounting
TCP Port Forwarding and Thin Client
URL Obfuscation
User-Level Bookmarking
VPN Session Monitoring: for a quick glance, the VPN session monitor is great for seeing all phase 1 and phase 2 security associations, including the TX/RX packet counts.
AnyConnect remote access VPN client images must be uploaded manually on the second device; otherwise the other HA unit will not terminate VPN tunnels after an HA active-unit swap.
No application awareness/visibility.
Supported mobile application available for all popular mobile operating systems.

F5 BIG-IP Cookie Remote Information Disclosure

The F5 BIG-IP Cookie Remote Information Disclosure vulnerability can be closed by encrypting the persistence cookies:

  1. Log in to the Configuration utility.
  2. Navigate to Local Traffic > Profiles.
  3. From the Services menu, select HTTP.
  4. Click Create.
  5. Enter a name for the HTTP profile.
  6. In the Encrypt Cookies box, enter one or more cookie names.
    Note: If you want to specify more than one cookie for the BIG-IP LTM system to encrypt, separate the cookie names with a space.
    Note: In BIG-IP 10.x, cookie names must not contain the period (.) character due to a known issue. For more information, refer to SOL12472: The Configuration utility returns an error message when the HTTP profile is configured with a period character in the 'Encrypt Cookies' field.

    Note: For BIG-IP persistent cookies, the default cookie name is BIGipServer<pool-name>.

    For example:

    BIGipServerhttp-pool
  7. In the Cookie Encryption Passphrase box, enter a passphrase for the cookie.
  8. In the Confirm Cookie Encryption Passphrase box, re-type the passphrase.
  9. Click Update.
  10. Associate the HTTP profile with the virtual server.
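A decoder for the cookie layout walked through in the 'F5 Cookie Decode' post above, plus a check that flags Set-Cookie headers whose BIGipServer value still decodes to a pool member address (the disclosure that the Encrypt Cookies setting removes). This is an added example, not the page's or F5's code; it assumes the three-segment host.port.0000 value used for IPv4 members, the sample headers are constructed, and the function names are my own.

```python
"""Decode BIG-IP persistence cookies and flag ones that leak pool-member addresses.

Assumed IPv4 layout: "<host>.<port>.0000", where <host> is the member address as a
little-endian 32-bit integer and <port> is the member port as a little-endian
16-bit integer.
"""
import ipaddress
import re
import socket
import struct

# Unencrypted IPv4 persistence value: decimal host, decimal port, literal "0000".
PLAIN_VALUE_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_bigip_cookie(value):
    """Return (ip, port) for an unencrypted BIGipServer cookie value.

    Page sample: "839518730.47873.0000" -> ("10.10.10.50", 443).
    Raises ValueError for values that do not use the plain IPv4 layout
    (for example, cookies the HTTP profile has encrypted).
    """
    m = PLAIN_VALUE_RE.match(value.strip())
    if m is None:
        raise ValueError("not an unencrypted IPv4 BIG-IP persistence value")
    host_int, port_int = int(m.group(1)), int(m.group(2))
    if host_int > 0xFFFFFFFF or port_int > 0xFFFF:
        raise ValueError("field out of range")
    # Packing the integer little-endian yields the address bytes in network
    # order: this is the page's "reverse the byte order" step.
    ip = socket.inet_ntoa(struct.pack("<I", host_int))
    # Same trick for the 16-bit port: little-endian pack, big-endian unpack.
    (port,) = struct.unpack(">H", struct.pack("<H", port_int))
    return ip, port


def encode_bigip_cookie(ip, port):
    """Inverse of decode_bigip_cookie, used to confirm the decode round-trips."""
    (host_int,) = struct.unpack("<I", socket.inet_aton(ip))
    (port_int,) = struct.unpack("<H", struct.pack(">H", port))
    return f"{host_int}.{port_int}.0000"


SET_COOKIE_RE = re.compile(r"^Set-Cookie:\s*(BIGipServer[^=;\s]*)=([^;]*)", re.I)


def find_leaking_cookies(header_lines):
    """Return [(cookie_name, ip, port, is_private)] for each Set-Cookie header
    whose BIGipServer* value decodes to a pool member address."""
    findings = []
    for line in header_lines:
        m = SET_COOKIE_RE.match(line)
        if m is None:
            continue
        name, value = m.group(1), m.group(2)
        try:
            ip, port = decode_bigip_cookie(value)
        except ValueError:
            continue  # encrypted or non-IPv4 layout: nothing disclosed
        findings.append((name, ip, port, ipaddress.ip_address(ip).is_private))
    return findings


# Constructed sample response headers (not captured from a real system): the
# first leaks the page's example member, the second carries an encrypted value.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerhttp-pool=839518730.47873.0000; path=/",
    "Set-Cookie: BIGipServerapp-pool=!Zm9vYmFyYmF6cXV4Y29ycA==; path=/",
    "Set-Cookie: sessionid=abc123; path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, ip, port, private in find_leaking_cookies(SAMPLE_HEADERS):
        print(f"{name} discloses {ip}:{port} (private address: {private})")
```

Run it against the response headers of your own virtual servers after enabling Encrypt Cookies: an empty result means no persistence cookie still decodes to a member address.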

Thursday 6 October 2016

Cisco Nexus 5000 Series Upgrade Steps

Step 1
Download the NX-OS Kick Start and NX-OS System Software files to your TFTP server.

Step 2
Make sure that the Nexus 5000 switch has enough space to install the new image files by using the NX-OS command "dir bootflash:". If there is enough space, you are free to install the new NX-OS image files.

Step 3
If there is not enough space, delete the old image files using the NX-OS commands
delete bootflash:(kickstart image name)
delete bootflash:(system image name)
SF01-MB-1256-010# delete bootflash:n5000-uk9-kickstart.5.0.3.n1.1a.bin
SF01-MB-1256-010# delete bootflash:n5000-uk9.5.0.3.n1.1a.bin

Step 4
Copy the new kickstart and system images to the switch bootflash by using a transfer protocol such as ftp, tftp, scp, or sftp. The examples in this procedure use tftp. Use the following NX-OS command to copy the kickstart and system image files, making sure that the TFTP server is started first:
SF01-MB-1256-010# copy tftp bootflash:

Step 5
Enter the install all NX-OS command to install the new images, specifying the new kickstart and system image names that you downloaded in Step 1.


Once all the files are installed the switch will restart and reload with the new Image files.

Packet Capture inside Cisco Catalyst 3560 and 3750 (Embedded Packet Capture)

Note: the process-switched capture point used below only sees packets punted to the switch CPU (for example ICMP addressed to the switch itself), not transit traffic forwarded in hardware.

1. Access List Creation
switch3560(config)#ip access-list extended cap1testacl
switch3560(config-ext-nacl)#permit icmp any any
switch3560(config-ext-nacl)#^Z
switch3560#sho ip access-lists cap1testacl
Extended IP access list cap1testacl
    10 permit icmp any any

2. Monitor Capture Buffer Creation
switch3560#monitor capture ?
  buffer  Control Capture Buffers
  point   Control Capture Points
switch3560#monitor capture buffer ?
  WORD  Name of the Capture Buffer
switch3560#monitor capture buffer cap1testbuffer ?
  circular  Circular Buffer
  clear     Clear contents of capture buffer
  export    Export in Pcap format
  filter    Configure filters
  limit     Limit the packets dumped to the buffer
  linear    Linear Buffer(Default)
  max-size  Maximum size of element in the buffer (in bytes)
  size      Packet Dump buffer size (in Kbytes)
  <cr>
switch3560#monitor capture buffer cap1testbuffer size 2048 ?
  circular  Circular Buffer
  linear    Linear Buffer(Default)
  max-size  Maximum size of element in the buffer (in bytes)
  <cr>
switch3560#monitor capture buffer cap1testbuffer size 2048 max-size ?
  <68-9500>  Element size in bytes : 9500 bytes or less (default is 68 bytes)
switch3560#monitor capture buffer cap1testbuffer size 2048 max-size 1500 ?
  circular  Circular Buffer
  linear    Linear Buffer(Default)
  <cr>
switch3560#monitor capture buffer cap1testbuffer size 2048 max-size 1500 circular ?
  <cr>
switch3560#monitor capture buffer cap1testbuffer size 2048 max-size 1500 circular
switch3560#monitor capture buffer cap1testbuffer filter ?
  access-list  Set access list
switch3560#monitor capture buffer cap1testbuffer filter access-list ?
  <1-199>      IP access list
  <1300-2699>  IP expanded access list
  WORD         Access-list name
switch3560#monitor capture buffer cap1testbuffer filter access-list cap1testacl ?
  <cr>
switch3560#monitor capture buffer cap1testbuffer filter access-list cap1testacl
Filter Association succeeded
switch3560#sho monitor capture buffer ?
  WORD    Name of the Capture Buffer
  all     All capture buffers
  merged  Merged View of Capture Buffers
switch3560#sho monitor capture buffer cap1testbuffer parameters
Capture buffer cap1testbuffer (circular buffer)
Buffer Size : 2097152 bytes, Max Element Size : 1500 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer cap1testbuffer size 2048 max-size 1500 circular
monitor capture buffer cap1testbuffer filter access-list cap1testacl
switch3560#monitor capture ?
  buffer  Control Capture Buffers
  point   Control Capture Points
switch3560#monitor capture point ?
  associate     Associate capture point with capture buffer
  disassociate  Dis-associate capture point from capture buffer
  ip            IPv4
  ipv6          IPv6
  start         Enable Capture Point
  stop          Disable Capture Point
switch3560#monitor capture point ip ?
  cef               IPv4 CEF
  process-switched  Process switched packets
switch3560#monitor capture point ip process-switched ?
  WORD  Name of the Capture Point
switch3560#monitor capture point ip process-switched cap1testpoint ?
  both     Inbound and outbound packets
  from-us  Packets originating locally
  in       Inbound packets
  out      Outbound packets
switch3560#monitor capture point ip process-switched cap1testpoint both ?
  <cr>
switch3560#monitor capture point ip process-switched cap1testpoint both
switch3560#

3. Attach Buffer to Filter
switch3560#monitor capture buffer cap1testbuffer filter ?
  access-list  Set access list
switch3560#monitor capture buffer cap1testbuffer filter access-list cap1testacl

4. Verify Buffer Configuration
switch3560#sho monitor capture buffer ?
  WORD    Name of the Capture Buffer
  all     All capture buffers
  merged  Merged View of Capture Buffers
switch3560#sho monitor capture buffer cap1testbuffer parameters
Capture buffer cap1testbuffer (circular buffer)
Buffer Size : 2097152 bytes, Max Element Size : 1500 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer cap1testbuffer size 2048 max-size 1500 circular
monitor capture buffer cap1testbuffer filter access-list cap1testacl

5. Associate Capture Point to Capture Buffer
switch3560#monitor capture point associate ?
  WORD  Name of the Capture Point
switch3560#monitor capture point associate cap1testpoint ?
  WORD  Name of the Capture Buffer
switch3560#monitor capture point associate cap1testpoint cap1testbuffer ?
  <cr>
switch3560#monitor capture point associate cap1testpoint cap1testbuffer

6. Verify Capture Point
switch3560#sho monitor capture point cap1testpoint ?
  |  Output modifiers
  <cr>
switch3560#sho monitor capture point cap1testpoint
Status Information for Capture Point cap1testpoint
IPv4 Process
Switch Path: IPv4 Process , Capture Buffer: cap1testbuffer
Status : Inactive
Configuration:
monitor capture point ip process-switched cap1testpoint both

7. Start Capture Point
switch3560#monitor capture point start ?
  WORD  Name of the Capture Point
  all   All Capture Points
switch3560#monitor capture point start cap1testpoint ?
  <cr>
switch3560#monitor capture point start cap1testpoint
switch3560#sho moni cap poi cap1testpoint
Status Information for Capture Point cap1testpoint
IPv4 Process
Switch Path: IPv4 Process , Capture Buffer: cap1testbuffer
Status : Active
Configuration:
monitor capture point ip process-switched cap1testpoint both

8. Stop after the required time
switch3560#monitor capture point stop cap1testpoint

9. View Statistics
switch3560# show monitor capture buffer cap1testbuffer parameters
Capture buffer cap1testbuffer (circular buffer)
Buffer Size : 2097152 bytes, Max Element Size : 1500 bytes, Packets : 14
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : cap1testpoint, Status : Inactive
Configuration:
monitor capture buffer cap1testbuffer size 2048 max-size 1500 circular
monitor capture point associate cap1testpoint cap1testbuffer
monitor capture buffer cap1testbuffer filter access-list cap1testacl

10. Export to TFTP
switch3560# monitor capture buffer cap1testbuffer export ?
  flash:  Location to dump buffer
  ftp:    Location to dump buffer
  http:   Location to dump buffer
  https:  Location to dump buffer
  rcp:    Location to dump buffer
  scp:    Location to dump buffer
  tftp:   Location to dump buffer
switch3560# monitor capture buffer cap1testbuffer export tftp://192.168.100.1/cap1testbuffer.pcap
!!




Friday 23 September 2016

Rancid reports false "changes in XXX routers"

When control_rancid runs, it actually uses temporary files which are
renamed to routers.{up,down}, so the directory itself must also be writable by the rancid user.

Fix

# cd ~rancid
# chown -R rancid .

Thursday 22 September 2016

Install and Configure RSYSLOG

Install RSYSLOG

[root@server ~]# yum -y install rsyslog

Configure RSYSLOG

Edit /etc/rsyslog.conf

[root@server ~]# vi /etc/rsyslog.conf

Uncomment the following lines:

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

so that they read:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Restart the syslog service

[root@server ~]# systemctl restart rsyslog.service

Verify that the syslog server is listening:

[root@server ~]# netstat -antup | grep 514
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      759/rsyslogd        
tcp6       0      0 :::514                  :::*                    LISTEN      759/rsyslogd        
udp        0      0 0.0.0.0:514             0.0.0.0:*                           759/rsyslogd        
udp6       0      0 :::514                  :::*                                759/rsyslogd        

Both listeners are bound to all interfaces (0.0.0.0 and ::) and syslog carries no authentication, so restrict port 514 to the expected log sources with a host firewall rule.

Client setup:

  1. Log in to the syslog server.
  2. Open the rsyslog config file in an editor (vi /etc/rsyslog.conf, press i to edit) and, towards the end of the file, add a rule for each device whose messages should go to their own file:
:fromhost-ip,isequal,"192.168.0.1"                      /var/log/devicehostname.log
& ~
     The second line (& ~) discards the matched messages so they are not also written to the default log files.
  3. Save and exit (press Esc, then :wq to save or :q! to quit without saving).
  4. Restart the rsyslog daemon: service rsyslog restart

Friday 16 September 2016

Site-to-Site VPN in multiple context mode

Site-to-Site VPN in multiple context mode (ASA 9.x)

Before configuring a Site-to-Site VPN in a multiple context mode ASA, you must assign VPN resources to the context. By default, no VPN site-to-site tunnels are allowed and you must manually configure a resource class to allow any VPN sessions, otherwise you will see the message "Tunnel Rejected: The maximum tunnel count allowed has been reached" in IKE debug outputs.

Example:
ASA 5550 with base license supports 5000 VPN sessions.
You have two contexts and want to share VPN resources assigning 2000 sessions to each context:
asa/admin(config)# changeto system
asa(config)# class vpn-2000
asa(config-class)# limit-resource vpn other 2000
asa(config-class)# limit-resource vpn burst other 1000
asa(config-class)# exit
asa(config)# context context-a
asa(config-ctx)# member vpn-2000
asa(config-ctx)# exit
asa(config)# context context-b
asa(config-ctx)# member vpn-2000
asa(config-ctx)# exit

'vpn burst other' is the number of VPN sessions allowed beyond the amount assigned to a context with 'vpn other'. Unlike 'vpn other', which guarantees the sessions to the context, 'vpn burst other' can be oversubscribed; the burst pool is available to all contexts on a first-come, first-served basis.

Saturday 3 September 2016

Publisher vs Subscriber

These terms are used when discussing Call Manager. Call Manager handles call processing in Cisco's implementation of IP Telephony, so it is in this particular area of VoIP that we hear the terms publisher and subscriber. The terms actually come from the Microsoft SQL database that earlier versions of Call Manager used. The publisher is the authoritative database for configuration: when configuration changes are made, they are made on the publisher and replicated to the subscribers. There is only one publisher, and there can be multiple subscribers. If the publisher is unavailable, the phones can re-home themselves to a subscriber in order to remain functional.

This is an illustration of how they function, but not necessarily best practice. In best practice, the phones should actually use subscribers as their primary. The publisher contains the master database in which configuration changes are made and from which they are replicated to the subscribers. For scalability, it is normal to point phones to subscribers, since there is only one publisher but there can be many subscribers.

Wednesday 31 August 2016

ASA Clustering Architecture

One cluster member is elected Master and the other devices are Slaves. The first unit to join the cluster, or the unit chosen by priority value, becomes the Master unit. The Master device handles all configuration and management and owns the VIP for the cluster. A new Master is elected only if the current Master goes down.
The devices use a Cluster Control Link (CCL) for intra-cluster communication (the cluster backplane). Each device must have at least one hardware interface dedicated to this, and the recommended design is an EtherChannel. The CCL is used for Master election, configuration replication, health monitoring and state replication. Each cluster link needs its own IP address on the same subnet.
There are two (2) supported data interface modes.

Spanned EtherChannel – Layer 2
  • Group one or more interfaces per unit into an EtherChannel that spans all units in the cluster.
  • The EtherChannel aggregates the traffic across all the available active interfaces in the channel.
  • This is the recommended design.
  • All units use the same VIP and MAC.
  • Supports MCEC (VSS, vPC etc.).

Individual Mode – Layer 3
  • Each device has a separate IP address on each data interface.
  • Uses dynamic routing to load-balance traffic (think ECMP).
  • EtherChannels are local to each member.
  • Interface IPs are assigned from pools configured on the Master unit.

In individual mode, each device maintains its own routing adjacency. The disadvantage of this is slower convergence and higher processor utilization, because each unit maintains its own routing table. In spanned EtherChannel mode, the Master ASA runs dynamic routing, and the routing and ARP tables are synchronized to the slave devices.

How the ASA manages connections
When a connection is forwarded to a member of the cluster by load balancing, that unit owns both directions of the connection. If any of that connection's packets arrive at a different unit, they are forwarded to the owner over the cluster control link. Because of this it is recommended to use symmetric load balancing: it is required for both directions of a flow to arrive at the same unit, and for flows to be distributed evenly between ASAs.
For each connection there is also a device that acts as the director. The director handles look-up requests from forwarders and also maintains the connection state to serve as a backup if the owner fails. When the owner receives a new connection, it chooses a director based on a hash algorithm and sends a message to the director to register the new connection.




Monday 29 August 2016

Cisco ASA 5545-X with Firepower Complete Initial Setup

Download the ASA SFR system software from Cisco.com.
Download the boot image to the device.
Download the boot image to your workstation.
Copy the boot image to ASA flash.

Example

ASA# copy http://<HTTP_SERVER>/asasfr-5500x-boot-5.3.1-152.img  disk0:/asasfr-5500x-boot-5.3.1-152.img

Configure SFR module

ASA# sw-module module sfr recover configure image disk0:/file_path

Example below:

ASA# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-5.3.1-152.img

Load the ASA SFR boot image using the command below:

ASA# sw-module module sfr recover boot

Initial Configuration
Note: The default username is admin, and the default password is Admin123.
Example below:

ASA# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA SFR Boot Image 5.3.1
asasfr login: admin
Password: Admin123
Enter the setup command in order to configure the system so that you can install the system software package:

asasfr-boot> setup
Provide the following settings:
  • Host name
  • Network address
  • DNS information
  • NTP information
System Software Installation
Enter the system install command:

asasfr-boot> system install [noconfirm] url

Include the noconfirm option if you do not want to respond to confirmation messages. Replace the url keyword with the location of the .pkg file.

Example Below

asasfr-boot> system install http://<HTTP_SERVER>/asasfr-sys-5.3.1-152.pkg
Verifying
Downloading
Extracting

Package Detail
        Description: Cisco ASA-FirePOWER 5.3.1-152 System Install
        Requires reboot: Yes

Do you want to continue with upgrade? [y]: y

Upgrading
Starting upgrade process ...
Populating new system image

Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.
(press Enter)

Broadcast message from root (ttyS1) (Mon Jun 23 09:28:38 2014):
The system is going down for reboot NOW!
Console session with module sfr terminated.

System Software Configuration
Configure the Firepower Software
Complete these steps in order to configure the Firepower software:
1. Open a session to the ASA SFR module.

ASA# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Sourcefire ASA5555 v5.3.1 (build 152)
Sourcefire3D login:
2. Log in with the username admin and the password Sourcefire.
3. Complete the system configuration as prompted.

Register Device with Management Server

Using the Command Line Interface (CLI)

1. Connect to the CLI of the device that you want to register with FireSIGHT Management Center. This device could be any FirePOWER appliance, NGIPS Virtual appliance, or an ASA running FirePOWER services.
Note: If you are using an ASA with FirePOWER services as a managed device, you can open a console session to the module from the ASA CLI. If the ASA is running in multiple context mode, session from the system execution space.
2. Log in with the username admin or another username that has the CLI configuration (Administrator) access level.
3. At the prompt, register the device to a FireSIGHT Management Center using the configure manager add command.
Note: A unique alphanumeric registration key is always required to register a device to a FireSIGHT Management Center. This is a simple key that you specify (treat it as a shared secret between the two systems), and is not the same as a license key.
The command has the following syntax:
> configure manager add <hostname | IPv4_address | IPv6_address | DONTRESOLVE> reg_key <nat_id>
In the above syntax,
  • <hostname | IPv4_address | IPv6_address | DONTRESOLVE> specifies either the fully qualified host name or the IP address of the FireSIGHT Management Center. If the FireSIGHT Management Center is not directly addressable, use DONTRESOLVE.
  • reg_key is a unique alphanumeric registration key required to register a device to the FireSIGHT Management Center.
  • nat_id is an optional alphanumeric string used during the registration process between the FireSIGHT Management Center and the device. It is required if the hostname is set to DONTRESOLVE.
In most cases, you must provide the FireSIGHT Management Center's hostname or IP address along with the registration key, for example:
> configure manager add DC_IP_Address my_reg_key
However, if the device and the FireSIGHT Management Center are separated by a NAT device, enter a unique NAT ID along with the registration key, and specify DONTRESOLVE instead of the hostname, for example:
> configure manager add DONTRESOLVE my_reg_key my_nat_id
In the following example, there is no NAT boundary between the FireSIGHT Management Center and the managed device, and 123456 is used as the registration key.
> configure manager add 192.0.2.2 123456
Manager successfully configured.

Add a Device to the FireSIGHT Management Center


1. Log into the web user interface of the Management Center. Click the Devices tab at the top of the page.
2. Click Add, which is located at the top right. A drop-down list appears. Click Add Device. A window pops up in the middle of the screen requesting the device information.
3. In the Host field, enter the IP address of the device.
4. In the Registration Key field, enter the one-time registration key that you specified earlier.
5. Set the rest of the options to your preference. If you used a NAT ID, click Advanced to expand it and enter the same NAT ID in the Unique NAT ID field.
6. Click Register. You should now be able to manage your device from the FireSIGHT Management Center.