9/30/2014

Block Windows AD/DHCP/NetBios from Crossing One Network to Another

Create an access-list to block all these Microsoft Windows services ports:

Here's my list that blocks Windows TEST LAB network from messing up the production environment.

access-list 199 deny   tcp any any eq 389
access-list 199 deny   udp any any eq 389
access-list 199 deny   tcp any any eq 636
access-list 199 deny   tcp any any eq 3268
access-list 199 deny   tcp any any eq 3269
access-list 199 deny   tcp any any eq 88
access-list 199 deny   udp any any eq 88
access-list 199 deny   tcp any any eq 445
access-list 199 deny   udp any any eq 445
access-list 199 deny   tcp any any eq 135
access-list 199 deny   udp any any eq 135
access-list 199 deny   tcp any any eq 5722
access-list 199 deny   tcp any any eq 646
access-list 199 deny   udp any any eq 646
access-list 199 deny   udp any any eq netbios-dgm
access-list 199 deny   tcp any any eq 9389
access-list 199 deny   udp any any eq bootps
access-list 199 deny   udp any any eq 2535
access-list 199 deny   udp any any eq netbios-ns
access-list 199 deny   tcp any any eq 139
access-list 199 permit ip any any


Here's the complete list of ports used by Windows:
http://technet.microsoft.com/en-us/library/cc875824.aspx
But I only used the above to block my TEST LAB Windows environment from crossing over into the production network.

Enter interface configuration mode and apply the access list to inbound traffic on the interface facing the TEST LAB.

interface GigabitEthernet0/2
 no switchport
 ip address 172.16.0.1 255.255.255.252
 ip access-group 199 in
end

done.

Good EXPECT script to use on Cisco / Other Network Devices


An Expect script is a great way to make config changes across 40 or more switches/routers in your company without manually logging in to each device over telnet or SSH.

The script can be modified to suit your needs.  I modified Paul's http://paulgporter.net/2012/12/08/30/comment-page-1/#comment-1703 script to meet my needs.

SSH for EXPECT is at the end. Below is for TELNET EXPECT:

STEPS:

1. Install EXPECT on your CENTOS or linux box
    yum install expect
        - The expect command should be installed in /usr/bin/expect. 

Create your expect script:

2.  Make a text file and put all IP Addresses of your devices:
    [root@localhost script]# vi device-list

172.x.x.1
172.x.x.2
172.x.x.3
etc.

3. Create expectrun.sh file and put the following in it:

[root@localhost script]# vi expectrun.sh

#!/bin/bash

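# Collect the current user's ssh and enable passwords
echo -n "Enter the SSH password for YOURUSERNAME: "
read -r -s -e password
echo -ne '\n'
echo -n "Enter the Enable password for YOURUSERNAME: "
read -r -s -e enable
echo -ne '\n'

# Set terminal to vt100 so Nexus devices don't complain
export TERM=vt100

# Feed the expect script a device list & the collected passwords.
# The arguments are quoted so passwords containing spaces or shell
# characters reach the expect script intact.
# Note: command-line arguments are visible in the process list (ps)
# on this host while each expect run is active.
for device in $(cat device-list); do
    ./expectscript.exp "$device" "$password" "$enable"
done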


4. Create the "EXPECT" script called, expectscript.exp and put the following:

[root@localhost script]# vi expectscript.exp

#!/usr/bin/expect

# Set variables
 set hostname [lindex $argv 0]
 set username "YOURUSERNAME"
 set password [lindex $argv 1]
 set enablepassword [lindex $argv 2]

# Path to Where to put the Log file results
 log_file -a /root/script/results.log

# Display the device we are working on and the time
 send_user "\n"
 send_user ">>>>>  Working on $hostname @ [exec date] <<<<<\n"
 send_user "\n"

# Telnet
#spawn telnet $hostname
#expect "Username: " sleep .1;
#send "$username\r";
#sleep .1;
#expect "Password:"
#send "$password\r";

# Telnet
spawn telnet $hostname
expect "Username: "
send "$username\r"
expect "*assword: "
send "$password\r"

# Check to see if we're already in enable mode, if not get us there
 expect {
 default { send_user "\nEnable Mode Failed - Check Password\n"; exit 1 }
 "*#" {}
 "*>" {
 send "enable\n"
 expect "*assword"
 send "$enablepassword\n"
 expect "*#"
 }
 }

# Let's GET into configure mode
 send "conf t\n"
 expect "(config)#"

# Enter your commands here. Examples listed below
 send "aaa authorization commands 1 default  group tacacs+ local \n"
 expect "(config)#"
 send "aaa authorization commands 15 default group tacacs+ local \n"
 expect "(config)#"
 send "aaa authorization config-commands \n"
 expect "(config)#"
 #send "service timestamps log datetime msec localtime\n"
 #expect "(config)#"
 #send "clock timezone PST -8\n"
 #expect "(config)#"
 #send "clock summer-time PDT recurring\n"
 #expect "(config)#"
 #send "service timestamps debug datetime msec localtime\n"
 #expect "(config)#"

 send "end\n"
 expect "#"
 send "write mem\n"
 expect "#"
 send "exit\n"
 expect ":~\$"
 exit

5. Now RUN the expectrun.sh script:
    [root@localhost script]# ./expectrun.sh

========================

NOTE:  FOR SSH to devices instead of using telnet:
The Cisco IOS image used must be a k9(crypto) image in order to support SSH. For example c3750e-universalk9-mz.150-1.SE2.bin is a k9 (crypto) image.

[root@localhost script]# vi expectscript.exp

DELETE THE TELNET REFERENCE:

# Telnet
spawn telnet $hostname
expect "Username: "
send "$username\r"
expect "*assword: "
send "$password\r"

ADD the following for SSH to WORK:

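# SSH to the device without checking host keys.
# StrictHostKeyChecking=no adds unknown host keys to known_hosts without
# prompting, so the first connection to each device is not verified.
 spawn ssh -o StrictHostKeyChecking=no $username\@$hostname

# Needed for SSH to work: lets the script handle ssh connection issues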
 expect {
 timeout { send_user "\nTimeout Exceeded - Check Host\n"; exit 1 }
 eof { send_user "\nSSH Connection To $hostname Failed\n"; exit 1 }
 "*#" {}
 "*assword:" {
 send "$password\n"
 }
 }

THAT'S IT.

9/17/2014

IPSEC: Failed Anti-Replay Checking FIXED

Sep 12 08:19:22|402119: IPSEC: Received an ESP packet from  (user= sKOPL) to  -- that failed anti-replay checking.

A "failed anti-replay checking" message appears on the ASA when it drops an ESP packet whose sequence number fails the replay check. This check is how the ASA stops an attacker from re-injecting copies of real packets.

IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet in increasing order. The receiver tracks these numbers in a replay window.
By default the window size is set to 64 packets.

Increasing the window size to 512 or 1024 will fix it.

1. enable

2. configure terminal

3. crypto ipsec security-association replay window-size [N]
    Sets the size of the SA replay window globally.
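
Why a larger window fixes the message, shown as an added example (not Cisco's code and not part of the original post): a sliding-window replay check of the kind IPsec receivers use, run over a constructed arrival order. The class and function names and the sample sequence are assumptions made for illustration.

```python
# Added example: sliding-window anti-replay check on ESP sequence numbers.
class ReplayWindow:
    def __init__(self, size):
        self.size = size      # window size in packets (64, 512, 1024, ...)
        self.top = 0          # highest sequence number accepted so far
        self.seen = 0         # bitmap: bit i set => sequence (top - i) was received

    def check(self, seq):
        """Return 'ok', 'duplicate' or 'too-old' and update the window."""
        if seq > self.top:                       # new highest: slide the window forward
            shift = seq - self.top
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:                  # fell off the trailing edge of the window
            return "too-old"
        if self.seen & (1 << offset):            # already received: a replayed packet
            return "duplicate"
        self.seen |= 1 << offset                 # late, but still inside the window
        return "ok"

def rejected(arrivals, window_size):
    """Return [(seq, reason)] for every packet the window refuses."""
    win = ReplayWindow(window_size)
    out = []
    for seq in arrivals:
        verdict = win.check(seq)
        if verdict != "ok":
            out.append((seq, verdict))
    return out

# Constructed arrival order: packet 50 is delayed behind 100 newer packets
# (for example by QoS queuing), and packet 300 is received a second time.
ARRIVALS = list(range(1, 50)) + list(range(51, 151)) + [50] + list(range(151, 301)) + [300]

if __name__ == "__main__":
    for size in (64, 1024):
        print(size, rejected(ARRIVALS, size))
```

With a 64-packet window the delayed but legitimate packet 50 is refused as too old; with 1024 it is accepted, while the true duplicate is refused in both cases.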

9/10/2014

Types of Access-list Made Easy

Below are the types of access lists, explained in a way that is easy to understand.

Access list rules:  These are the rules of Access-lists.
  •     Access list is read from top to bottom.
  •     Stops at the first match.
  •     There's an Invisible implicit DENY at the bottom.
  •     ACL is applied to an interface INBOUND OR OUTBOUND.
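
The rules above, applied to an excerpt of access-list 199 from the earlier post, as an added example (not from the original post and not Cisco's implementation). It handles only the "deny|permit proto any any [eq port]" form used in that list; the function names are assumptions.

```python
# Added example: first-match evaluation of a Cisco-style extended ACL.
NAMED_PORTS = {"bootps": 67, "netbios-ns": 137, "netbios-dgm": 138}

# Excerpt of access-list 199 from this page, in its original order.
ACL_199 = """\
access-list 199 deny   tcp any any eq 389
access-list 199 deny   tcp any any eq 445
access-list 199 deny   udp any any eq bootps
access-list 199 deny   udp any any eq netbios-ns
access-list 199 permit ip any any
"""

def parse_acl(text):
    """Return a list of (action, proto, dst_port or None) in config order."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        port = None
        if "eq" in tok:
            name = tok[tok.index("eq") + 1]
            port = NAMED_PORTS[name] if name in NAMED_PORTS else int(name)
        entries.append((action, proto, port))
    return entries

def evaluate(entries, proto, dst_port):
    """Walk the ACL top to bottom; return (action, 1-based index of the match).
    Index 0 means no entry matched and the implicit deny applied."""
    for i, (action, e_proto, e_port) in enumerate(entries, start=1):
        proto_ok = e_proto == "ip" or e_proto == proto
        port_ok = e_port is None or e_port == dst_port
        if proto_ok and port_ok:
            return action, i          # first match wins; later entries are never read
    return "deny", 0                  # the invisible implicit deny at the bottom

if __name__ == "__main__":
    acl = parse_acl(ACL_199)
    for proto, port in [("tcp", 445), ("udp", 67), ("udp", 68), ("tcp", 443)]:
        print(proto, port, evaluate(acl, proto, port))
    # Without the final "permit ip any any", unmatched traffic hits the implicit deny.
    print("tcp 443, no final permit:", evaluate(acl[:-1], "tcp", 443))
    # With the permit moved to the top, the deny entries below it never match.
    print("tcp 445, permit first:", evaluate(acl[-1:] + acl[:-1], "tcp", 445))
```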

Types of access lists:

1. Standard Access list:  filtered by source ip address.

2. Extended Access List: filtered by source, dest, port, tos, etc.

3. Dynamic Access list: AKA lock-and-key.  The user must authenticate first; only then does the ACL allow the traffic.  Ex. telnet in and log in first.

4. Established or Reflexive Access-list:   example, a router that has access to the internet.
  • permit tcp any any established.  Allows only established sessions to return from the internet.  This was replaced by Context-Based Access Control (CBAC) and then by the Zone-Based Firewall, where you define inspect rules; on the ASA, the equivalent is MPF.

5. Time-based Access-list:  a normal extended access list with a time range attached to it.
Example, from 8-5pm this access-list applies.
  •     Example, to throttle only web traffic to 5 mbps:  create an extended access list with a time range of 8-5 that matches certain subnets to any destination, then reference it in the QoS policy and police the interface so the traffic does not go above that value.

How To Get Cisco ASA Up and Running in a Few simple STEPS:

It's quite simple to get the Cisco ASA up and running to protect and secure your inside network in a few simple steps.
You'll need to configure the:
  1. inside/outside interfaces,
  2. NAT,
  3. outside NAT IP,
  4. default route,
  5. inside route, and you're done.
Here are the steps:

STEP 1:
ASA(config)#
interface Ethernet0/0
 description ***This is the interface going to your INTERNAL INSIDE NETWORK***
 nameif INSIDE
 security-level 100
! "standby" is OPTIONAL: use it only if you have dual ASAs. The standby address must be in the same subnet as the active address.
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2


interface Ethernet0/1
 description ***This is the interface going to your ISP facing router***
 nameif OUTSIDE
 security-level 0
! "standby" is OPTIONAL: use it only if you have dual ASAs.
 ip address YOURPUBLIC-IP-FROM-ISP 255.255.255.224 standby PUBLIC-IP2-FROM-ISP

STEP 2:
ASA(config)#
! NAT all subnets in your internal network to a public IP address, so you can access the internet.
! (The nat/global commands shown here are the syntax used by ASA software before version 8.3.)
nat (INSIDE) 1 0.0.0.0 0.0.0.0


STEP 3:
ASA(config)#
! Translate NAT id 1 from your internal network to a public IP address (in this case 8.4.4.9), so you can access the internet.
global (OUTSIDE) 1 8.4.4.9 netmask 255.255.255.0

STEP 4:
Secure your network from ping scans.
Create an access-list that lets the replies to your own pings back in, while outside hosts cannot ping in.  This basically puts your network in "STEALTH MODE".

ASA(config)#
access-list INBOUND_ACL extended permit icmp any any echo-reply
access-list INBOUND_ACL extended permit icmp any any source-quench
access-list INBOUND_ACL extended permit icmp any any unreachable
access-list INBOUND_ACL extended permit icmp any any time-exceeded



STEP 5:
Apply the access-list to the OUTSIDE interface:
ASA(config)#
access-group INBOUND_ACL in interface OUTSIDE

STEP 6:
Create a static default route for your ASA to reach to the Internet:
ASA(config)#
! Enter the default route from your ASA to your ISP router as the next hop.
route OUTSIDE 0.0.0.0 0.0.0.0 8.4.4.254 1

STEP 7:

Create a static route for the ASA to reach the internal network:
ASA(config)#
! Put a route in the routing table to tell the ASA how to get to the inside network.
! INSIDE-ROUTER-IP is a placeholder for your internal router on the INSIDE segment; the next hop cannot be the ASA's own INSIDE address (192.168.10.1 from Step 1).
route INSIDE 192.168.10.0 255.255.255.0 INSIDE-ROUTER-IP 1

! You can add more subnets if you have more INSIDE networks.
route INSIDE 192.168.11.0 255.255.255.0 INSIDE-ROUTER-IP 1

done.
Let me know if this helps.

9/09/2014

Troubleshooting Cisco Router / Switch Interface utilization Overload:

Ethernet interface utilization overload affects performance.  Here are some causes to look for and ways to fix port utilization issues.

1. High CPU / memory utilization will affect the interfaces.
2. Packet drops: these can be normal, but high CPU / memory usage will drop more packets.

3. Unreachable destinations will cause overload.

Things to check:

1. Verify the router / switch switching mode:
  • Process switching:  This is the original mode.
    • Every packet is process switched: it goes to the data plane, then to the control plane, and is then passed back to the data plane.  This is very CPU intensive.
  •  Fast switching:  Came out in late 80s - 90s.  The first packet goes to the CPU and its forwarding information is cached.  The next packets stay in the data plane and are forwarded straight through.  This is less CPU intensive, as only the first packet in a flow is punted to the CPU.
  •  CEF:  This is on by default: router(config)# ip cef :  This eliminates the first-packet issue.  When the router boots, it behaves as if every route in the IP routing table had already been accessed, so everything is pre-cached.
    • Traffic never goes to the control plane; it stays in the data plane.  But it is not compatible with access control or QoS implementations, so it may not be effective with other features you use.

    TIPS: if you have CEF disabled, enabling it will most likely fix high CPU overload.
        router(config)# ip cef
        router(config)# int fa0/0
        router(config-if)# ip route-cache or ip route-cache cef (if supported)


2. Verify the CEF / ARP cache.
    router# show adjacency

3. Verify that the routing table entry for the destination is correct.

Troubleshooting Cisco Router / Switch Memory Overload:


If you see any of the following, your Cisco router / switch memory is low or exhausted.

1. Syslog message:  SYS-2-MALLOCFAIL:  a process asked for memory, but none was available.

2. Show commands return blank output:  there's no memory.

3. You plug into the console port and see "UNABLE TO CREATE EXEC":  there's no memory or there are too many processes.

Check the following:

1. Is it the wrong IOS image?  There may not be enough memory to run the IOS.

2. Memory leak due to a bad IOS image (reload image every 1 month, etc.)

3. Worm or virus focused on the IOS.   Upgrade IOS to fix.

4. BGP eating too much memory (show process memory and check the BGP process to fix).

9/03/2014

Troubleshooting Cisco CPU Processor Overload

Below are some troubleshooting tips on Cisco CPU Processor Overload issues:

router# show proc cpu

Below are the major cpu processes on Cisco Switches / Router.

1. ARP Input Process:
    These are the ARP messages the router is originating.
    It goes up if the router has to send a lot of ARP messages.

2. Net Background process:
    Creates packet buffers.
    When packets come in and the hardware buffer is full, these software buffers are needed.
    If an interface is getting overloaded, this process's CPU utilization can go up.

3. IP Background Process:
    Geared around handling config changes to interfaces.
    It goes up if you have a flapping interface, for example, or interfaces that are being shut down / re-enabled or modified.

4. TCP Timer Process:
    This is responsible for the TCP sessions handled by the router itself, not packets through the router.    Ex., ssh, telnet session to the router itself.

If any of the above is suspected, check or fix it as follows:

1. Default route pointed to an interface: point it to a default gateway IP address instead.

2. Interface throttles, overruns, ignores:  memory may not be enough to handle the traffic.

3. show tcp statistics / brief: for the TCP Timer process.
  • Shows active TCP sessions TO, NOT THROUGH, the router.  If the number is too high, you may have a DDoS against your router.  Resolve it with an access-list that filters access to the vty lines.

4. show process cpu | exclude 0.00% or | history

Let me know if this helps.