Splunk Cisco Centralized Reporting and PCI Compliance

Recently I needed to look into multiple vendors for PCI compliance, and all the big players want in excess of £50k (RRP) for an appliance to handle all the logs, as the PCI compliance requirements are quite demanding if you do these checks manually.

There are many SIEM solutions available; however, I was impressed with the free offering from Splunk, which can be used to centralize security data from multiple Cisco solutions.

A SIEM is a Security Information and Event Monitoring tool; it's just a software solution for sorting information so that you are able to identify and react to events.

Splunk has an extensive application library which has been developed by customers and Splunk engineers.

They seem to be staying current as they have support for Cisco ASA SourceFire which hasn’t long been released.

Below you can see a dashboard overview of Splunk for Cisco Security:

Splunk1

You can go even deeper to find a breakdown of the traffic:

Splunk2

Here you can see a Firewall Event Search, from which you can bring up all the information:

Splunk3

You can also do searches for Usernames or IP Addresses across multiple Cisco Devices to find all information in one place:

splunk4

Here you can find the Cisco Security Suite to install into your Splunk installation:

https://apps.splunk.com/app/525/
Splunk Video for PCI Compliance and how it meets the requirements (worth a watch)

If you happen to have a team of developers as I do then it shouldn’t be too much work to customize for your system/setup.

Cisco ASA CX PRSM Next Generation IPS Configuration / Tweaking

Recently I had an issue with the NGIPS module: my engineers were unable to find how to modify and fine-tune the IPS module, as when you create the Object you seem to get only basic settings like the below:

ASA CX PRSM –> Configurations –> Policies/Settings –> Intrusion Prevention:
NOTE: “Default NG IPS Module” cannot be edited so please create a custom one before you continue

CiscoASAIPS-1

To make changes you need to go to:

Components –> Objects –> Filter for “IPS” or whatever you may have called your custom IPS:

Highlight and Select “Edit Object”

CiscoASAIPS-2

You can also add an exception for specific threats (IBM Symphony example) below:

You can “allow and don’t monitor” or “allow and monitor”.

CiscoASAIPS-3

You can also adjust the sliding scale if you think the default values are too low:
CiscoASAIPS-4

Wireless Client frequent disconnects RLDP and/or Rogue Containment

Recently I had an issue with a Cisco 5508 WLC where RLDP was enabled and the clients were complaining of being disconnected several times a day.

I jumped directly onto the AP via SSH and went through the logs, and could see messages like the following every 2 to 3 minutes:

*Oct 15 10:37:20.851: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Oct 15 10:37:34.983: %LWAPP-5-RLDP: RLDP stopped on slot 0.
*Oct 15 10:37:35.043: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Oct 15 10:37:35.287: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Oct 15 10:37:36.043: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Oct 15 10:37:36.279: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Oct 15 10:37:37.279: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Oct 15 10:39:14.483: %LWAPP-5-RLDP: RLDP started on slot 0.
*Oct 15 10:39:14.959: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Oct 15 10:39:14.999: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Oct 15 10:39:15.967: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Oct 15 10:39:15.987: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Oct 15 10:39:15.991: 000f.7de8.XXXX-no legacy rates; default to lowest CCK/OFDM rate
*Oct 15 10:39:16.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Oct 15 10:39:31.175: %LWAPP-5-RLDP: RLDP stopped on slot 0.
*Oct 15 10:39:31.235: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Oct 15 10:39:31.479: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Oct 15 10:39:32.235: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Oct 15 10:39:32.471: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Oct 15 10:39:33.471: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

Fix/Workaround

The fix is to disable RLDP or enable it only for Monitor Mode (listen-only) APs:

If you go Security Tab –> Wireless Protection Policies –> Rogue Policies –> General

You will find the following setting:

5508-1

Select either Disable or MonitorModeAPs.

Enabling Audit logging on Cisco Router

Enable logging on the Router:
CiscoR1(config)#logging 10.0.0.10

Define the logging level (logging trap with no level uses the default, informational):
CiscoR1(config)#logging trap

Log in to the Cisco router via telnet or SSH (preferred):
CiscoR1#

Enter into Global configuration mode :
CiscoR1# conf t
CiscoR1(config)#

Type archive to enter archive configuration mode:
CiscoR1(config)# archive

Enter into log config mode:
CiscoR1(config-archive)#log config

Enable archive logging:
CiscoR1(config-archive-log-cfg)#logging enable

Specify the maximum number of entries retained in the configuration log (any number from 0-1000, default 100, recommended 500):
CiscoR1(config-archive-log-cfg)#logging size 500

Suppresses the display of password information in configuration log files:
CiscoR1(config-archive-log-cfg)#hidekeys

Enables the sending of notifications of configuration changes to a remote syslog server.
CiscoR1(config-archive-log-cfg)#notify syslog

Exits to privileged EXEC mode.
CiscoR1(config-archive-log-cfg)#end
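As an added example (not part of the original post), here is a small Python parser for the syslog the steps above produce: the %PARSER-5-CFGLOG_LOGGEDCMD messages that notify syslog emits for each logged configuration command, plus the generic %FACILITY-SEVERITY-MNEMONIC format, which is the normalisation a SIEM like the Splunk setup in the first post does before building a dashboard. The sample log lines, user names and the list of "risky" command prefixes are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog feed (not from the original post). The CFGLOG lines
# use the format IOS emits per logged command once "notify syslog" is configured.
SAMPLE_LOG = """\
*Oct 15 10:37:20.851: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Oct 15 10:40:02.112: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:logging size 500
*Oct 15 10:40:05.300: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:hidekeys
*Oct 15 10:41:11.001: %PARSER-5-CFGLOG_LOGGEDCMD: User:contractor  logged command:no ip access-list extended LYNC-IN
*Oct 15 10:41:12.054: %PARSER-5-CFGLOG_LOGGEDCMD: User:contractor  logged command:no logging 10.0.0.10
*Oct 15 10:42:00.500: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3558911335 1500 bytes is out-of-order; expected seq:3558888055. Reason: TCP reassembly queue overflow - session 10.0.1.5:52435 to 203.0.113.7:443
"""

# Every IOS message carries %FACILITY-SEVERITY-MNEMONIC: text (severity 0..7).
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Za-z0-9_]+):\s*(?P<text>.*)")
CFGLOG_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<command>.*)")

# Config commands that reduce visibility or remove protections (constructed list);
# these are the changes a central SIEM such as the Splunk setup should alert on.
RISKY_PREFIXES = ("no logging", "no archive", "no ip access-list", "no access-list",
                  "no ip inspect", "no aaa", "no snmp-server", "no ntp")

def parse_line(line):
    """Return facility/severity/mnemonic/text for one IOS syslog line, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    return msg

def config_changes(log_text):
    """Extract (user, command) pairs from CFGLOG_LOGGEDCMD messages."""
    changes = []
    for line in log_text.splitlines():
        msg = parse_line(line)
        if msg and msg["mnemonic"] == "CFGLOG_LOGGEDCMD":
            cm = CFGLOG_RE.match(msg["text"])
            if cm:
                changes.append((cm.group("user"), cm.group("command").strip()))
    return changes

def risky_changes(log_text):
    """Config changes whose command starts with one of RISKY_PREFIXES."""
    return [(u, c) for u, c in config_changes(log_text) if c.startswith(RISKY_PREFIXES)]

def count_by_mnemonic(log_text):
    """Histogram by mnemonic: the first cut of an overview dashboard like Splunk's."""
    return Counter(m["mnemonic"] for m in map(parse_line, log_text.splitlines()) if m)
```

Calling risky_changes(SAMPLE_LOG) returns only the two "contractor" changes that remove an ACL and the syslog destination, while count_by_mnemonic(SAMPLE_LOG) gives the per-message-type totals a dashboard would chart.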

Cisco ASA 5515 Next Gen – Active / Passive Failover Configuration Setup

Recently I took delivery of 2 x Cisco 5515 ASAs for one of my clients. This is a simple configuration guide for setting them up in an Active/Passive design.

Brief Overview:

Port 0 – LAN
Port 1-3 – NOT USED
Port 4 – Failover Link
Port 5 – WAN

Assumptions:
Hardware on both ASA firewalls is identical.
The same software versions are installed on both firewalls.
PRIMARY firewall is setup (not massively important as I did this project from scratch)

IP Address:
LAN
Main – 10.20.0.254
Standby – 10.20.0.250

WAN
Main – 77.22.22.6
Standby – 77.22.22.5

A cable is directly connected between G0/4 on both ASAs.

LAN cable goes into our core switches and the WAN link is a dual link supplied by our supplier at the Datacentre.

Take a backup of the main firewall's running config if you have not already (copy run flash).

Primary Firewall

CiscoASA(config)# clear configure interface G0/4
CiscoASA(config)# int g0/4
CiscoASA(config-if)# no shut

CiscoASA(config)# interface g0/5
CiscoASA(config-if)# speed 100
CiscoASA(config-if)# duplex full
CiscoASA(config-if)# nameif Outside
CiscoASA(config-if)# security-level 0
CiscoASA(config-if)# ip address 77.22.22.6 255.255.255.0 standby 77.22.22.5
CiscoASA(config-if)# interface g0/0
CiscoASA(config-if)# speed 100
CiscoASA(config-if)# duplex full
CiscoASA(config-if)# nameif Inside
CiscoASA(config-if)# security-level 100
CiscoASA(config-if)# ip address 10.20.0.254 255.255.255.0 standby 10.20.0.250

CiscoASA(config)# failover lan interface LANFAIL GigabitEthernet0/4
CiscoASA(config)# failover interface ip LANFAIL 192.168.6.250 255.255.255.0 standby 192.168.6.252

CiscoASA(config)# failover key 222333444

SETS FIREWALL AS PRIMARY
CiscoASA(config)# failover lan unit primary

TURN ON FAILOVER
CiscoASA(config)# failover

ENABLE STATEFUL FAILOVER
CiscoASA(config)# failover link failover GigabitEthernet0/4
SAVE CONFIG
CiscoASA(config)# wr

Secondary Firewall

Ensure Cabling correct on primary and secondary firewall

CiscoASA(config)# clear configure interface G0/4
CiscoASA(config)# int g0/4
CiscoASA(config-if)# no shut

DEFINE FAILOVER LAN INTERFACE
CiscoASA(config)# failover lan interface LANFAIL GigabitEthernet0/4

CiscoASA(config)# failover interface ip LANFAIL 192.168.6.250 255.255.255.0 standby 192.168.6.252

CiscoASA(config)# failover key 222333444

SETS FIREWALL AS SECONDARY
CiscoASA(config)# failover lan unit secondary

TURN ON FAILOVER
CiscoASA(config)# failover

You should see this on the console:

Detected an Active mate
Beginning configuration replication from mate.

Verify with show failover; you should see output like this:

CiscoASA5515# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LANFAIL GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 05:54:13 GMT Sep 2 2014
Fine Tuning

The failover timers can be tuned as the defaults are a bit too conservative, so here is my recommendation:

CiscoASA(config)# failover polltime 1 holdtime 3
CiscoASA(config)# failover polltime interface 3
CiscoASA(config)# int g0/4
CiscoASA(config-if)# failover poll interface 3

Cisco 4G LTE Setup – EE UK Configuration

This was setup using a Cisco 1911 Router and the 4G Card (EHWIC-4G-LTE-G)

The EHWIC-4G-LTE-G actually turns up with the antennas and the extended antenna cables, which I am surprised at as normally Cisco charge extra.

In this particular example the SIM card was for the EE network in the UK (Orange, T-Mobile, EE).

One thing to note: you cannot bridge the cellular interface, so if anyone is thinking of handing this off to an ASA or similar firewall you will need to double NAT. If anyone has found a way please do email or drop me a comment.

Below are just the selected bits of the config to get the connection working:

Router(config)# chat-script lte "" "AT!CALL1" TIMEOUT 30 "OK"

Router(config)# controller Cellular 0/0

Router(config)# interface Cellular0/0/0
Router(config-if)# ip address negotiated
Router(config-if)# ip nat outside
Router(config-if)# ip virtual-reassembly in
Router(config-if)# encapsulation slip
Router(config-if)# dialer in-band
Router(config-if)# dialer string lte
Router(config-if)# dialer-group 1
Router(config-if)# async mode interactive

Router(config)# interface Dialer1
Router(config-if)# no ip address

Router(config)# ip nat inside source list 101 interface Cellular0/0/0 overload
Router(config)# ip route 0.0.0.0 0.0.0.0 Cellular0/0/0

Router(config)# access-list 101 permit ip 172.16.32.0 0.0.0.255 any
Router(config)# dialer-list 1 protocol ip permit

Router(config)# line 0/0/0
Router(config-line)# script dialer lte
Router(config-line)# modem InOut
Router(config-line)# no exec
Router(config-line)# rxspeed 100000000
Router(config-line)# txspeed 50000000

Cisco IOS Transparent Bridged Mode Inspection/ACL

Recently I needed to install a small Cisco 2811 Router in front of my Lync 2013 setup, as the Mediation/Front End server didn't like the 1:1 NAT and the Cisco IOS would cause either one-way audio or no call connection, so I decided on this route.

I have a layer 2 switch which has the internet feed, Main Firewall feed and a feed going to port F0/0 on the 2811.

I am basically going to create a bridge between F0/0 and F0/1 and enable inspection and some access-lists in order to protect the SIP trunk.

Create the Bridge Group:
Router(config)# bridge 1 irb
Router(config)# bridge 1 protocol ieee

Assign Interfaces to Bridge Group:
Router(config)# interface f0/0
Router(config-if)# bridge-group 1

Router(config)# interface f0/1
Router(config-if)# bridge-group 1

You can create the Bridge Virtual Interface, but I haven't:

Router(config)# interface bvi 1
Router(config-if)# ip address 10.20.0.200 255.255.255.0
Router(config-if)# no shut

Router# show bridge group

Bridge Group 1 is running the IEEE compatible Spanning Tree protocol

Port 2 (FastEthernet0/0) of bridge group 1 is forwarding
Port 3 (FastEthernet0/1) of bridge group 1 is forwarding

Inspection Configuration

Router(config)#  ip inspect name LYNC-IN tcp
Router(config)#  ip inspect name LYNC-IN udp
Router(config)#  ip inspect name LYNC-IN icmp

Create the ACL (permit ip any any is just for show; put in what you need):

Router(config)# ip access-list extended LYNC-IN
Router(config-ext-nacl)# permit ip any any

My first draft ACL was like this, where X.X.X.X is my SIP provider and I wanted to block 5060 TCP/UDP from everywhere else:

Extended IP access list LYNC-IN
10 permit tcp host X.X.X.X any eq 5060 (179 matches)
20 permit udp host X.X.X.X any range 20000 60000 (8438 matches)
180 deny tcp any any eq 5060
181 deny udp any any eq 5060 (26 matches)
200 permit ip any any (475520 matches)

Now Apply to the Interface: (F0/0 is my external Interface)

interface FastEthernet0/0
description **INTERNET FACING – PUBLIC IP**
no ip address
ip access-group LYNC-IN in
ip inspect LYNC-IN in
ip virtual-reassembly in
duplex auto
speed auto
bridge-group 1
end

interface FastEthernet0/1
description **WIZLYNC13 – Server**
no ip address
ip virtual-reassembly in
duplex auto
speed auto
bridge-group 1
end

I have used this example specifically to secure a Lync 2013 Mediation server, but a transparent IOS firewall can be used for many purposes.

Cisco CME/CUCME SIP Trunk Configuration Guide/Setup

This is a quick post on how to configure a SIP trunk in CME as I have had a few emails now requesting it.

SIP trunk configuration is very simple as you only need to find a SIP provider; in this example I use a company called OrbTalk (I am based in the UK).

All the configuration is done in SIP-UA under global configuration mode:

sip-ua
credentials username USERNAME password 0 PASSWORD realm orbtalk
authentication username USERNAME password 0 PASSWORD
no remote-party-id
retry invite 2
retry register 10
retry options 1
timers connect 100
registrar dns:sipgw3.orbtalk.co.uk expires 1800
sip-server dns:sipgw3.orbtalk.co.uk
host-registrar

You can check the SIP registration status with show sip-ua register status, and it should show the following:

Cisco2901#show sip-ua register status
Line                             peer       expires(sec) registered P-Associ-URI
================================ ========== ============ ========== ============
USERNAME                         -1         38           yes
Cisco2901#

What you are looking for is registered = yes.

Although I have an expires of 1800 seconds, Orbtalk have 60 seconds, so we always go by the shortest time.

You then need a dial-peer, voice translation rules and a profile, and you can start getting calls sent to the SIP provider.

Internal / External Call Forwarding Cisco CCME/CME Call Manager Express SIP Trunk

I have a client who has a Cisco 2921 Router running CCME and the simplest task would not work which is to call forward to a mobile phone.

When I say internal and external what I mean is the following two scenarios:

External:

0207 888 8888 dials 0203 555 1007 this call forwards to 07540111222

We got this working by adding "calling-number local secondary" to the telephony-service.

But then internal call forwards would not work. Example:

Internal Extension 1010 dials 1007 this call forward to 07540111222 (we would just get a busy tone)

The problem was the SIP trunk provider was getting the SIP header information incorrect so I called Cisco TAC and this is the solution they came up with:

Create a new SIP Call Profile:

voice class sip-profiles 7
request INVITE sip-header Diversion copy ".*<sip:(.*)@.*" u01
request INVITE sip-header From copy ".*<sip:(.*)@.*" u02
request INVITE sip-header From modify "(.*)<sip:1...@(.*)" "\1<sip:44203555\u01@\2"
request INVITE sip-header From modify "(.*)<sip:0.*@(.*)" "\1<sip:\u01@\2"
request INVITE sip-header From modify "(.*)<sip:@(.*)" "\1<sip:\u02@\2"

New voice translation rules and profiles created like below:

voice translation-rule 20
rule 1 /\(^10..\)/ /44203555\1/

voice translation-rule 3
rule 2 /^999$/ /999/
rule 5 /^9\(.*\)/ /\1/

voice translation-profile SIPPrefix
translate calling 20
translate called 3

On the Dial-peer for outgoing calls reference this voice class:

dial-peer voice 3 voip
description **Outgoing Calls to Any Number **
translation-profile outgoing SIPPrefix
destination-pattern 9T
session protocol sipv2
session target sip-server
incoming called-number .
voice-class sip profiles 7
dtmf-relay rtp-nte
codec g711ulaw
no vad

I don’t yet fully understand the logic for the above as I have never written anything like this but as far as I can tell u01 and u02 are used for storing variables.

The logic behind this is that the call-forwarding number has to start with 0 and can be any number of digits (look at the line below):
request INVITE sip-header From modify "(.*)<sip:0.*@(.*)" "\1<sip:\u01@\2"

The last line is for normal outgoing calls to allow anything as normal.

Once I research into this some more I'll write up a deeper explanation.

Cisco Router – Slow / Dropping Internet Downloads

Recently I had a problem with a Cisco router failover pair causing me some grief: when you downloaded a large file it was just cutting out or stopping. I tried a few attempts and even tried downloading on our own firewall, and the download worked fine, so I knew there was no problem at the remote end (Microsoft).

Was trying to download SQL 2012 Express at the time and this kept happening:

CiscoRouterDownload-1

The first thing I did was open an SSH session to the router and enable terminal monitor:

Log in and type:

Once that was done I noticed quite a few errors like this appear:

%FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3558911335 1500 bytes is out-of-order; expected seq:3558888055. Reason: TCP reassembly queue overflow – session 10.0.X.X:52435 to XX.XX.XX.XX:231424

I added this command to global config mode:

All the command above does is increase the size of the TCP reassembly queue, which has solved this problem.

Downloads are now working perfectly!
