Posts

Showing posts from 2020

ASA IKEv1 VPN troubleshooting Steps and Tips

1. Phase 1 proposal mismatch

Run show crypto isakmp sa
  Initiator: MM_WAIT_MSG2
  Responder: no info

Most likely this is a phase 1 proposal mismatch; verify the IKEv1 policy on both peers. Other symptoms:

Initiator log:
  Information Exchange processing failed
  All configured IKE versions failed to establish the tunnel
Initiator debug:
  Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Responder log:
  Error processing payload: Payload ID
Responder debug:
  All SA proposals found unacceptable

2. IKE version mismatch

Run show crypto isakmp sa
  No info on either the initiator or the responder

Initiator log:
  Removing peer from correlator table failed, no match! Reason: User Requested
  All configured IKE versions failed to establish the tunnel
Initiator debug:
  Oakley begin quick mode
  PHASE 1 COMPLETED
  IKE Initiator sending 1st QM pkt
  Removing peer from correlator table failed, no match!
  Session is being torn down. Reason: User Requested
Responder log:
  Tunnel Rejected: Conflicting protocols specified
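The two symptom tables above can be turned into a small triage script. The following is an added example, not code from the original post: it parses the IKEv1 section of show crypto isakmp sa for each peer's role and state, scans syslog/debug lines for the signature strings listed above, and returns the likely cause. The show output and log lines embedded in it are constructed samples laid out in the format the ASA uses; the peer address is from the documentation range.

```python
"""Triage an IKEv1 L2L failure from 'show crypto isakmp sa' plus syslog/debug lines.

Added example, not from the original post. Sample outputs are constructed.
"""
import re

# Constructed sample: initiator side during a phase 1 proposal mismatch.
SHOW_ISAKMP_SA_INITIATOR = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

There are no IKEv2 SAs
"""

# Constructed sample: neither side shows an SA, so only the logs can tell.
SHOW_ISAKMP_SA_EMPTY = """\
There are no IKEv1 SAs

There are no IKEv2 SAs
"""

# Constructed log lines, copied from the symptom lists in the post.
LOGS_PROPOSAL_MISMATCH = [
    "Information Exchange processing failed",
    "All configured IKE versions failed to establish the tunnel",
    "Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping",
]
LOGS_VERSION_MISMATCH = [
    "Removing peer from correlator table failed, no match! Reason: User Requested",
    "Tunnel Rejected: Conflicting protocols specified",
]

PEER_RE = re.compile(r"IKE Peer:\s+(\S+)")
ROLE_RE = re.compile(r"Role\s*:\s*(\w+)")
STATE_RE = re.compile(r"State\s*:\s*(\w+)")

# Signature strings from the post, keyed by the cause they point at.
LOG_SIGNATURES = {
    "phase1-proposal-mismatch": (
        "NO_PROPOSAL_CHOSEN",
        "All SA proposals found unacceptable",
        "Error processing payload: Payload ID",
    ),
    "ike-version-mismatch": (
        "Tunnel Rejected: Conflicting protocols specified",
    ),
}


def parse_isakmp_sa(text):
    """Return [{'peer', 'role', 'state'}, ...] for each IKEv1 SA in the show output."""
    entries, current = [], None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = {"peer": m.group(1), "role": None, "state": None}
            entries.append(current)
            continue
        if current is None:          # header lines before the first peer
            continue
        m = ROLE_RE.search(line)
        if m:
            current["role"] = m.group(1).lower()
        m = STATE_RE.search(line)
        if m:
            current["state"] = m.group(1)
    return entries


def diagnose(show_output, log_lines=()):
    """Combine SA state and log signatures; return (cause, evidence)."""
    causes, evidence = set(), []
    for sa in parse_isakmp_sa(show_output):
        # MM_WAIT_MSG2: MM1 was sent and no usable MM2 came back. The post's case is a
        # policy mismatch; the same state is also seen when UDP/500 never reaches the
        # peer (filtering, peer down, or ikev1 not enabled on the peer's interface).
        if sa["role"] == "initiator" and sa["state"] == "MM_WAIT_MSG2":
            causes.add("phase1-proposal-mismatch")
            evidence.append(f"{sa['peer']} stuck in MM_WAIT_MSG2 as initiator")
    for line in log_lines:
        for cause, sigs in LOG_SIGNATURES.items():
            if any(sig in line for sig in sigs):
                causes.add(cause)
                evidence.append(line)
    # Version mismatch outranks: phase 1 completes and then the tunnel is rejected,
    # and "All configured IKE versions failed" appears in both cases.
    if "ike-version-mismatch" in causes:
        return "ike-version-mismatch", evidence
    if "phase1-proposal-mismatch" in causes:
        return "phase1-proposal-mismatch", evidence
    return "unknown", evidence
```

Note that in the version-mismatch case the initiator alone gives no verdict (no SA, only generic teardown messages); the decisive line, Tunnel Rejected: Conflicting protocols specified, is logged on the responder, so collect logs from both peers before running the triage.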

ASA IKEv2 Dynamic-to-Static S2S VPN

Solution 1 - Use of the DefaultL2LGroup

This is the simplest way to configure a LAN-to-LAN (L2L) tunnel between two ASAs when one ASA gets its address dynamically. DefaultL2LGroup is a preconfigured tunnel group on the ASA; all L2L connections that do not explicitly match any particular tunnel group fall into this group. Since the dynamic ASA does not have a constant, predetermined IP address, the admin cannot configure a static tunnel-group (which is named by the peer's IP) to let the connection in. In this situation DefaultL2LGroup can be used to accept the dynamic connections.

HQ ASA

! Create objects
object network obj-172.16.1.0_24
 subnet 172.16.1.0 255.255.255.0
object network obj-172.16.2.0_24
 subnet 172.16.2.0 255.255.255.0
object network obj-172.16.3.0_24
 subnet 172.16.3.0 255.255.255.0
! Create NAT exemption for L2L VPN and dynamic NAT for Internet access.
nat (inside,outside) source static obj-172.16.1.0_24 obj-172.16.1.0_24 destination static obj-172.16.2.0_

ASA IKEv1 Dynamic-to-Static S2S VPN

Remote 1 uses main mode with the default tunnel-group; Remote 2 uses aggressive mode with a named tunnel-group. Keep in mind that with IKEv1 aggressive mode and pre-shared keys the identity hash crosses the wire unencrypted, so a captured exchange can be attacked offline; use a long, random PSK for an aggressive-mode tunnel-group.

Central ASA

! Create objects
object network obj-10.1.2.0_24
 subnet 10.1.2.0 255.255.255.0
object network obj-10.1.1.0_24
 subnet 10.1.1.0 255.255.255.0
object network obj-10.1.3.0_24
 subnet 10.1.3.0 255.255.255.0
! Create NAT exemption for L2L VPN and dynamic NAT for Internet access.
nat (inside,outside) source static obj-10.1.2.0_24 obj-10.1.2.0_24 destination static obj-10.1.1.0_24 obj-10.1.1.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static obj-10.1.2.0_24 obj-10.1.2.0_24 destination static obj-10.1.3.0_24 obj-10.1.3.0_24 no-proxy-arp route-lookup
!
object network obj-10.1.2.0_24
 nat (inside,outside) dynamic interface
! Define IKEv1 policy
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
! Enable ikev1 on outside interface
crypto ikev1 enable outside
! Define transform-set
crypto ipsec ikev1 transform-set T-SET esp-aes-

Configure ISE Device Admin

ISE 2.7: 172.16.1.11
AD: 172.16.1.10
vSwitch: 172.16.1.9

1. Install the Device Admin license
Administration > System > Licensing, [Import License]

2. Enable the Device Admin Service
Administration > System > Deployment, click node "ISE27", check "Enable Device Admin Service"

3. Assume ISE is already joined to AD; now create two new groups in AD:
Network Admin
Helpdesk User

4. Add the above two AD groups to ISE:
Administration > Identity Management > External Identity Sources, expand Active Directory, select the AD "lab.local", click the Groups tab, click Add > Select Groups from Directory.

5. Assume the device is already added to ISE; configure the device TACACS shared secret
In the device settings window, check "TACACS Authentication Settings" and enter the shared secret.

6. Configure two TACACS Profiles
Configure a basic TACACS Profile for Helpdesk staff
Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Pr

ASA Anyconnect with SAML authentication notes

Security Assertion Markup Language (SAML) is an XML-based, open-standard data format used to exchange authentication and authorization data between parties, specifically between an identity provider (IdP) and a service provider (SP).

Parties: User Agent, SP (Service Provider), IdP (Identity Provider). The IdP and SP first establish trust. When a user wants to access an SP, he must first authenticate with the IdP; after successful authentication the IdP generates a SAML assertion, which is sent to the SP, and then the user can access the SP. The user exists in the IdP; the SAML configuration specifies which attribute is used to identify the user, for example the email address.

The IdP-side SAML configuration is described by the IdP XML and the SP-side SAML configuration by the SP XML; these documents are called metadata. Metadata is an XML-based document that ensures a secure transaction between an IdP and an SP: it carries the entity IDs, endpoints and signing certificates the two sides need, which is how the IdP and SP negotiate their agreement.

Between IdP and SP, messages are exchanged via bindings: HTTP-POST, HTTP-REDIRECT, HTTP-ARTIFACT.

In case of Azure as IdP, AnyConnect as SP ID
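To make the SP side of the exchange concrete, here is an added example (not from this post, and not Cisco's implementation) of the checks an SP such as the ASA applies to an assertion before accepting the user it names: issuer, validity window, audience, and the NameID or the configured attribute (the email address in the post) that identifies the user. Signature verification is deliberately out of scope; it needs XML-DSig with the IdP certificate from metadata, and an assertion whose signature has not been verified must never be trusted. The assertion, entity IDs and claim name are constructed placeholders.

```python
"""SP-side assertion checks (issuer, time window, audience, subject extraction).

Added example, not from the post and not the ASA's code. Signature verification
is NOT done here and must be performed first in any real SP. Sample data below is
constructed; entity IDs are placeholders.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET   # use defusedxml in production to resist entity attacks

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SP_ENTITY_ID = "https://vpn.example.com/saml/sp/metadata/TG-SAML"           # placeholder
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample assertion; the ds:Signature element is omitted on purpose.
SAMPLE_ASSERTION = f"""\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2020-06-01T12:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-06-01T11:55:00Z" NotOnOrAfter="2020-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2020-06-01T12:00:00Z (fractional seconds tolerated)."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, sp_entity_id, idp_entity_id, now, attr_name=None):
    """Return (ok, reasons, subject); subject is None unless every check passes.

    attr_name selects the attribute that identifies the user (e.g. the email claim);
    when it is None the NameID is used, as the SAML configuration on the SP decides.
    """
    root = ET.fromstring(xml_text)
    reasons = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_entity_id:
        reasons.append(f"issuer {issuer!r} is not the trusted IdP")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            reasons.append("assertion not yet valid")
        if noa and now >= _ts(noa):          # NotOnOrAfter is exclusive
            reasons.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:    # an assertion minted for another SP must not be replayed here
            reasons.append(f"audience {audiences} does not include this SP")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        reasons.append("no NameID")
    if attr_name:
        path = f"saml:AttributeStatement/saml:Attribute[@Name='{attr_name}']/saml:AttributeValue"
        subject = root.findtext(path, namespaces=NS)
        if not subject:
            reasons.append(f"attribute {attr_name} missing")
    return (not reasons), reasons, (subject if not reasons else None)
```

The audience check is the one most often skipped in home-grown SPs: without it, a valid assertion issued by the same IdP for some other application can be posted to the VPN's ACS URL and accepted.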

SIP

https://www.uccollabing.com/how-to-read-a-sip-packet-capture/
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-sip-alg.html

FTD CLI modes

There are three CLIs when dealing with an FTD deployment on the Firepower platform:

FXOS CLI  --- Firepower-module>
CLISH     --- >
LINA CLI  --- firepower#

Moving between the different CLIs:
FXOS  >>> CLISH   connect ftd
CLISH >>> LINA    system support diagnostic-cli
LINA  >>> CLISH   CTRL+a, d
CLISH >>> FXOS    exit

Firepower 4100/9300 FXOS CLI connection diagram

firepower# connect module 1 console (telnet)

firepower# connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.
CISCO Serial Over LAN:
Close Network Connection to Exit
Firepower-module1>?
  secure-login    => Enable blade secure login
  show            => Display system information. Enter show ? for options
  config          => Configure the system. Enter config ? for options
  terminalLength  => Terminal settings. Enter terminal ? for options
  ping

Firepower FMC and FTD troubleshooting

1. Display real-time logs on FMC or FTD: pigtail
For example:
pigtail | grep 192.168.2.20
pigtail | grep sftunnel

2. Restart the communication channel: manage_procs.pl
Run it from the sensor only; running it from the FMC resets the channel of every sensor. This script is useful when the FMC and FTD have communication problems such as heartbeats not being received, policy deployment failing, or events not arriving.

> expert
**************************************************************
NOTICE - Shell access will be deprecated in future releases
         and will be replaced with a separate expert mode CLI.
**************************************************************
admin@FTD:~$ sudo su
Password:
root@FTD:/home/admin# manage_procs.pl
****************  Configuration Utility  **************
 1   Reconfigure Correlator
 2   Reconfigure and flush Correlator
 3   Restart Comm. channel
 4   Update routes
 5   Reset all routes
 6   Validate Network
 0   Exit
*****

Anyconnect Basic Setup

1. Copy the AnyConnect image to ASA flash:
copy tftp: flash:

2. Enable AnyConnect on the outside interface
ASA(config)# webvpn
ASA(config-webvpn)# anyconnect enable
ASA(config-webvpn)# enable outside
ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.7.00136-webdeploy-k9.pkg

3. Create a VPN pool:
ASA(config)# ip local pool VPNPOOL 10.0.100.1-10.0.100.250

4. Create an object for the VPN pool
ASA(config)# object network VPNPOOL
ASA(config-network-object)# subnet 10.0.100.0 255.255.255.0

5. Create NAT exemption for the VPN pool
nat (inside,outside) source static NET-10.0.0.0_24 NET-10.0.0.0_24 destination static VPNPOOL VPNPOOL no-proxy-arp route-lookup

6. Create a group policy for AnyConnect
ASA(config)# group-policy GP-SSLVPN internal
ASA(config)# group-policy GP-SSLVPN attributes
ASA(config-group-policy)# vpn-tunnel-protocol ssl-client

7. Modify the default remote access tunnel group
ASA(config)# tunnel-group DefaultWEBVPNGroup general-attributes
ASA(config-tunnel-general)# address-pool VPNPO
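The same object-plus-identity-NAT pattern appears in the IKEv2 dynamic-to-static post, the IKEv1 dynamic-to-static post and step 5 above, once per local/remote subnet pair. The following added example (my code, not from these posts) generates those lines for any set of local and remote subnets using the posts' obj-<network>_<prefix> naming, and refuses input that would produce a broken exemption: a subnet written with host bits set, or local and remote subnets that overlap (an identity NAT for an overlapping pair quietly captures traffic meant for the other side). The interface names and the subnets in the usage call are assumptions.

```python
"""Generate ASA objects, per-pair NAT exemptions and interface PAT for VPN subnets.

Added example, not from the original posts. Interface names and the sample
subnets are assumptions; object names follow the posts' obj-<network>_<prefix> style.
"""
import ipaddress


def obj_name(net):
    """obj-10.1.2.0_24 for 10.1.2.0/24, as in the posts."""
    return f"obj-{net.network_address}_{net.prefixlen}"


def object_block(net):
    return [f"object network {obj_name(net)}",
            f" subnet {net.network_address} {net.netmask}"]


def check_subnets(local, remote):
    """Return a list of overlap problems; empty means the pairs are safe to exempt."""
    return [f"{l} overlaps {r}" for l in local for r in remote if l.overlaps(r)]


def nat_exemption_config(local_cidrs, remote_cidrs, inside="inside", outside="outside", pat=True):
    """Return ASA config lines: objects, manual twice-NAT exemptions, optional interface PAT."""
    # strict=True rejects "10.1.2.1/24"-style input instead of silently masking it.
    local = [ipaddress.ip_network(c, strict=True) for c in local_cidrs]
    remote = [ipaddress.ip_network(c, strict=True) for c in remote_cidrs]
    problems = check_subnets(local, remote)
    if problems:
        raise ValueError("; ".join(problems))

    lines = ["! Create objects"]
    seen = set()
    for net in local + remote:
        if net not in seen:                 # a subnet used on both sides is defined once
            seen.add(net)
            lines += object_block(net)

    lines.append("! NAT exemption for VPN traffic (manual twice NAT, identity in both directions)")
    for l in local:
        for r in remote:
            lo, ro = obj_name(l), obj_name(r)
            lines.append(f"nat ({inside},{outside}) source static {lo} {lo} "
                         f"destination static {ro} {ro} no-proxy-arp route-lookup")

    if pat:
        # Object NAT lives in section 2, so it is evaluated after the manual NAT above
        # and only catches traffic that no exemption matched.
        lines.append("! Dynamic PAT to the outside interface for Internet access")
        for l in local:
            lines += [f"object network {obj_name(l)}",
                      f" nat ({inside},{outside}) dynamic interface"]
    return lines


if __name__ == "__main__":
    # Assumed lab subnets: one central LAN, two remote LANs.
    print("\n".join(nat_exemption_config(["10.1.2.0/24"], ["10.1.1.0/24", "10.1.3.0/24"])))
```

Review the generated lines rather than pasting them blind: on a box that already has manual NAT rules, order within section 1 matters, and an exemption inserted after a broader static rule never gets hit.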

ASA Failover Basic Setup

1. Specify the LAN failover physical interface and name it. In this lab the failover and stateful links share the same interface. Unless a failover key is configured, everything on the failover and state links, including the replicated configuration with its passwords and VPN keys, crosses in clear text, so put the link on a dedicated, directly connected segment and configure the key.

ASAv1(config)#
failover lan unit primary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 192.168.254.1 255.255.255.0 standby 192.168.254.2

ASAv2(config)#
failover lan unit secondary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 192.168.254.1 255.255.255.0 standby 192.168.254.2

2. Enable the failover interface
ASAv1(config)# int g0/2
ASAv1(config-if)# no shut
ASAv2(config)# int g0/2
ASAv2(config-if)# no shut

3. Enable failover
ASAv1(config)# failover
ASAv2(config)# failover

4. Assign the failover pair a new hostname
ASAv1(config)# hostname ASA
ASA(config)#

5. Verify failover status
ASA# show failover

6. Continue basic configuration on the active ASA: configure the inside and outside interfaces
ASA(config)# int g0/0
ASA(config-if)# ip add 203.0.113.2 255.255.255.0 stand