04 May

How to setup VPN between Juniper SRX and AWS Cloud

I’ve said during several conferences where I had a privilege to be a speaker that clouds are one of the futures of computing along with DevOps/SysOps and Machine Learning. But there is no computing if you don’t have the data to compute or you have no way to send it to the cloud in reliable and secure way or you don’t have cloud infrastructure to perform computation. That’s why we need to take a look how to setup VPN between Juniper SRX and AWS Cloud.

I think that hybrid cloud will be the model how many of computer system will work in net few years. Private clouds are not scalable and public clouds cannot address all needs of current systems. So hybrid mode is a solution. But it requires reliable and easy to setup and maintain ways to connect on-premise resourced to public cloud. The technology is here and it’s called VPN.

Read More

03 Apr

CCIE Playground transforms into IT Playground

Time for change for IT Playground

It’s been 7 years since I’ve started this blog. It was 6 months after I gained my CCIE certification and thought it will be good place to share some of interesting technical stuff from projects I’ve been working on. I was then deep into Cisco world due to fact company I was working for was Cisco Gold Partner and majority of projects were done using Cisco products. There was a gap in posting when I had little time to focus on blog but in October 2016 it was back in game. In little refreshed form in term of content.

What’s new on IT Playground?

Now it’s time for little rebranding. As you may noticed content is already not as Cisco-oriented as it used to be. I’m doing different projects now, there are different customers I’m working for, technology moves forward as well. There is more talk about SDN, DevOps, cloud technologies, virtualization etc. CCIE is very important and valuable certification for me but Cisco is not the only vendor worth focusing on.

Therefor I’m moving from ‘CCIE Playground’ to ‘IT Playground’.

I received very good feedback about latest posts on REST API so I’ll still try to show how to real new technologies and fill posts with practical examples. I will focus on design considerations that will be more vendor independent.  Security aspects of solutions will be important as well.

Blog is now available under link https://blog.it-playground.eu

I hope you’ll like it 🙂

Don’t forget to follow me on Facebook and Twitter!

05 Mar

ASAv on Amazon Web Services – login issues

Have you ever tried to run ASAv image on Amazon Web Services (AWS)? Yes, in Marketplace you will find supported image of this firewall (which is actually great thing because you can run it in BYOB model where you use unlicensed mode for testing the features. Same way as you can do on your ESXi.

Deployment is easy with the creator of EC2 instance, just few clicks and there it is. Except small problem – on latest release of 9.6.2.1 I was not able to connect to management interface via SSH. It should be possible by using key assigned to instance during creation but no matter what I’ve done it always asked for password.

There is small but nice workaround of this problem that also enables HTTPS access to ASAv. During the instance deployment we should put zero-day configuration that will be implemented on ASA. In documentation we even have proposal on such config which we further modify by adding HTTP/HTTPS access, additional user account, enable password and aaa local authentication.

The final zero-day configuration should look as below


interface management0/0
management-only
nameif management
security-level 100
ip address dhcp setroute
no shut
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
crypto key generate rsa modulus 2048
http server enable
http 0.0.0.0 0.0.0.0 management
ssh 0 0 management
ssh timeout 30
username admin nopassword privilege 15
username admin attributes
username cisco password cisco privilege 15
enable password cisco
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
service-type admin 

This way we will be able to connect to ASAv instance via ssh/http using local accounts.

15 Feb

Cisco ASA REST API – Part VI: Swift on iPhone

Another not planned chapter 🙂 If you remember from Cisco ASA REST API – Part II: How it’s really working? Cisco mentions in documentation about three programming languages – Perl, Python and JavaScript via node.js. They even provide examples of code for the URI and methods that are supported. But does it mean it’s closed list of languages where REST API can be used? Definitely not! Remember, it’s still using the URI same as in web browser and methods that are same as for web servers. So you can use any programming language you want.

Why Swift? Because I got bored one evening 🙂 Well, that’s partially true. I’ve heard good opinions about Swift language from professional developers. It’s now open language available for many platforms, not only Apple products. I also like to try new things and was curious if learning at least basics of new language by myself would be hard and how quick I can do that. Also Apple was very helpful because of nice tutorial from Apple Developers which show step by step how to use XCode, build application interface and connect code to objects. There are many examples on Internet, I think the hardest thing at the beginning was to understand some language semantic constructions and get familiar with API of system libraries. Also, if you ever start programming in Swift remember that current version is Swift 3.0, but many examples on the web are from older versions and won’t work without minor or major changes to the code.

So what was my concept of an application? Easy, I just wanted to get information about firmware version installed on ASA. But of course if you have idea of other apps then sky is the limit 😉

Read More

26 Jan

Apple App Transport Security (ATS) and ASA self-signed SSL certificate

Apple care about users privacy and security quite well. Of course it’s a matter of opinion but Apple put strong focus on encryption and peer authentication. In 2015 Apple introduced App Transport Security (ATS) as part of their Network Framework With every release they are putting more and more responsibility on developers and content operators to provide proper traffic encryption proper certificate signing and chain etc. That means if application is trying to connect to HTTP server that does not support latest TLSv1.2 connection should fail.

There is no doubt that ATS is good for end users and that’s right direction every corporation should follow. But switching to TLSv1.2 is not something that can be done just like that, obtaining signed certificate expensive option, especially for development environments or if you are writing apps to just test something or for fun. Self-signed certificates are the solution for such cases but there are few problems that we can encounter.

Read More

23 Jan

How to act as your own local CA and sign certificate request from ASA

There are several ways to operate on certificates. The widest spread method is by openssl library and associated command line tools. Library was not and probably is still not free of bugs. But it’s widely spread  among many operating systems which makes it a tool that easily can be used on most popular operating systems. If you are running Windows Server you can install Certificate Services component, Mac users can use Keychain Access which is core component of macOS.

While working with certificates and those tool remember about best practices. Points below are valid as of the end of 2016.

  • Use at least 2048-Bit Private Keys
  • Try to avoid wildcard certificates but remember to cover all FQDN’s in certificates
  • Use strong certificate signature algorithms – SHA256 is standard now,  SHA-1 has been deprecated
  • Use strong encryption for your connection – not really certificate related but worh notifying that TLSv1.2 is now a standard supporting strong cryptographic algorithms
  • Use complete certificate chains
  • Use strong key exchange and forward secrecy

If you want to know more about best practices you may refer to this short manual.

Read More

17 Jan

Cisco ASA REST API – Part V: Node.js, JavaScript and small HTTP server displaying ACL

I was not planning this chapter and putting away Perl for even a moment, but I have some talk with my VeriFone colleague on scripting, REST API and how creating web server which uses REST API back end to control certain parameters of firewall is not that easy and straightforward. We both have some programming and scripting experience but neither of us is a programmer. We both know more or less several programming languages but we are not proficient. But we both have (at least we thing we have) good fundamental knowledge about programming.

The topic circulated around web page that will let display and manipulate ACL entries on firewall in non-SDN data center. Feature quite simple that most independent firewall management platforms can do. The problem is that most of those applications are using CLI via SSH to send commands and parse output, that’s exactly how Cisco ASDM is working in example, but we wanted something maybe a little more flexible, reliable… We both agreed that JSON is flexible structure that should be easy to use. So how to write a comprehensive script?

Read More

09 Jan

Cisco ASA REST API – Part IV: Debugging REST API Agent

First published: 09/Jan/2017
Last update: 09/Jan/2017

In chapter Cisco ASA REST API – Part I: Getting started primary configuration for REST API has been done on firewalls then in chapter Cisco ASA REST API – Part III: Checking if prefix is directly connected first script in Perl has been created. Let’s now look at ways we can troubleshoot REST API calls and status on Cisco ASA. This may be crucial to detect cause of the problem. Troubleshooting requires command line access to firewall in enabled mode.

In this chapter I will use script I presented previously and also will execute some REST API methods using Firefox RESTClient extension mentioned if first chapter. Because output of debug can be extensive listings will contain only crucial parts.

Debugging REST API means checking particular component for errors or other logs that might be interested for us. Command execution require in first place declaration which component will be debugged.


asav-1# debug rest-api ?

agent Rest-API Agent
cli Rest-API cli handling
client Rest-API client request handling
daemon Rest-API debug/syslog handling
process Starting/Stopping of Rest-API Agent
token-auth Rest-API Token authentication

Read More

03 Jan

Cisco ASA REST API – Part III: Checking if prefix is directly connected

First published: 03/Jan/2017
Last update: 03/Jan/2017

It’s time to do some programming and really use REST API for something good. The first script will be used to check if specified prefix is directly connected to any of firewall interfaces. Script requires two arguiments: checked IP address and IP address of firewall. The execution of script will be as below


$ ./IfDirectlyConnected.pl
Usage: IfDirectlyConnected.pl [Checked IP Address] [Firewall Management IP]

At this demo script require IP addresses to be used and is not checking if arguments are IP addresses, just simply validating if two it’s executed with two arguments.

Please take a moment to look back to my post Cisco ASA REST API – Lab topology and programming language where I explained the topology of simulated network and presented IP addresses assigned to each device. Routing is configured and all subnets are reachable.

We will test te script on asav-1 firewall. The expected results are as follow:


$ ./IfDirectlyConnected.pl 10.0.12.5 172.16.1.51
Checking address 10.0.12.5 on firewall 172.16.1.51
RESULT: Destination route is directly connected

$ ./IfDirectlyConnected.pl 10.0.24.5 172.16.1.51
Checking address 10.0.24.5 on firewall 172.16.1.51
RESULT: Route in routing table but not directly connected

$ ./IfDirectlyConnected.pl 10.0.99.5 172.16.1.51
Checking address 10.0.99.5 on firewall 172.16.1.51
RESULT: Subnet not in routing table

Script is available on my GitHub

Read More