18 Aug

Generate multicast​ traffic in VIRL using Ostinato

Cisco and VIRL logos

Ostinato is a traffic generator. You can use it to craft packets and send flow into your network. You can even send multiple streams if required. It is a tool that network admins and developers should use for testing the system or application against various scenarios. Ostinato is by default available on Cisco VIRL so we can use it as a packet generator in our simulations.

Ostinato consists of two components – the LXC image run in a simulation that generates the traffic and GUI frontend. In this article, I will show you how to use it to generate a multicast stream in VIRL simulation.

Read More

08 Aug

Cisco Firepower NGIPSv on ESXi

Secure Your Network

Cisco Firepower NGIPS is available on multiple platforms. One of deployment option you have is virtual appliance running on top of ESXi hypervisor. This product is called NGIPSv in Cisco documentation.

Using a single physical machine with ESXi hypervisor in an isolated network is one of the best ways to perform Proof of Concept (PoC) labs for IPS solution. You cannot evaluate the product without testing it in a sandbox where you can try to hack it, infect it or do any other nasty things. This way, you can in single ESXi run NGIPSv, Firepower Management Center (FMCv) and one or more VMs in the back.

Here is a quick step-by-step guide how to deploy NGIPSv in transparent mode on single ESXi host. What we want to accomplish is having NGIPSv in front of other virtual machines. In this scenario, there is no firewall, just NGIPSv sensor. It is of course not the safest, the best practice and the most flexible way to deploy sensor. You should not use it just like that in your production network. I use this setup only for quick demo purposes when I want to show how Cisco Firepower NGIPS solution is working, get network discovery working, some IPS policy and get the end host infected by malware.

Read More

01 Jun

How to manage simulation in VIRL from local network

Cisco and VIRL logos

I’ve been using Cisco VIRL for over two years for both learning technologies and testing new solutions as PoC. Accessing devices in simulation via embedded console link is easy but not efficient. I always wanted to manage simulation in VIRL from my laptop not desktop PC. Also in many scenarios you  may want to connect external servers like netflow collector or IPAM software you wanna test. Also it’s quite handy to have access to running simulation form Internet, isn’t it?

Let me show you how I connect Cisco VIRL running simulation to other devices in my network and to Internet. In this tutorial I assume that you didn’t change default VIRL networking configuration.

Read More

18 May

Upgrading SourceFire module from 5.x to 6.x and recovery procedure

SFR Firmware packages download

Hardware failures happens. If you have active service contract you’ll get new device from Cisco with same hardware parameters. One thing you don’t know is which version of software will be installed. In almost all cases it’s not the one you are using. Installing new firewall firmware on ASA is not a problem but what if you’re running SourceFire Management Center version 6.2 but your device came with 5.x or 6.0 firmware on SFR module? Well, prepare for process that will take few hours – you need to perform recovery procedure which is one of the ways of upgrading SourceFire.

Most common cases when we have to use recovery procedure for SFR are:

  • Problems with booting the SFP module after upgrade performed from Firesight Management Center
  • First software installation on SFR (in example when we just put SSD drives in our ASA to get benefits from Sourcefire NGIPS)
  • Need to upgrade firmware but our module cannot be registered in Firesight Management Center due to firmware mismatch

Last case is the one usually happening when we get new device during RMA process. Each Firesight Management Center have list of compatible firmwares that are supported on modules and unfortunatelly backward compatibility is not full. If you run one of the most common version 6.1 or 6.2 you need to have your modules in at least 6.1 version. Recovery process require that whole memory is erased and new firmware installed.

Read More

15 Feb

Cisco ASA REST API – Part VI: Swift on iPhone

Another not planned chapter 🙂 If you remember from Cisco ASA REST API – Part II: How it’s really working? Cisco mentions in documentation about three programming languages – Perl, Python and JavaScript via node.js. They even provide examples of code for the URI and methods that are supported. But does it mean it’s closed list of languages where REST API can be used? Definitely not! Remember, it’s still using the URI same as in web browser and methods that are same as for web servers. So you can use any programming language you want.

Why Swift? Because I got bored one evening 🙂 Well, that’s partially true. I’ve heard good opinions about Swift language from professional developers. It’s now open language available for many platforms, not only Apple products. I also like to try new things and was curious if learning at least basics of new language by myself would be hard and how quick I can do that. Also Apple was very helpful because of nice tutorial from Apple Developers which show step by step how to use XCode, build application interface and connect code to objects. There are many examples on Internet, I think the hardest thing at the beginning was to understand some language semantic constructions and get familiar with API of system libraries. Also, if you ever start programming in Swift remember that current version is Swift 3.0, but many examples on the web are from older versions and won’t work without minor or major changes to the code.

So what was my concept of an application? Easy, I just wanted to get information about firmware version installed on ASA. But of course if you have idea of other apps then sky is the limit 😉

Read More

17 Jan

Cisco ASA REST API – Part V: Node.js, JavaScript and small HTTP server displaying ACL

I was not planning this chapter and putting away Perl for even a moment, but I have some talk with my VeriFone colleague on scripting, REST API and how creating web server which uses REST API back end to control certain parameters of firewall is not that easy and straightforward. We both have some programming and scripting experience but neither of us is a programmer. We both know more or less several programming languages but we are not proficient. But we both have (at least we thing we have) good fundamental knowledge about programming.

The topic circulated around web page that will let display and manipulate ACL entries on firewall in non-SDN data center. Feature quite simple that most independent firewall management platforms can do. The problem is that most of those applications are using CLI via SSH to send commands and parse output, that’s exactly how Cisco ASDM is working in example, but we wanted something maybe a little more flexible, reliable… We both agreed that JSON is flexible structure that should be easy to use. So how to write a comprehensive script?

Read More

09 Jan

Cisco ASA REST API – Part IV: Debugging REST API Agent

First published: 09/Jan/2017
Last update: 09/Jan/2017

In chapter Cisco ASA REST API – Part I: Getting started primary configuration for REST API has been done on firewalls then in chapter Cisco ASA REST API – Part III: Checking if prefix is directly connected first script in Perl has been created. Let’s now look at ways we can troubleshoot REST API calls and status on Cisco ASA. This may be crucial to detect cause of the problem. Troubleshooting requires command line access to firewall in enabled mode.

In this chapter I will use script I presented previously and also will execute some REST API methods using Firefox RESTClient extension mentioned if first chapter. Because output of debug can be extensive listings will contain only crucial parts.

Debugging REST API means checking particular component for errors or other logs that might be interested for us. Command execution require in first place declaration which component will be debugged.


asav-1# debug rest-api ?

agent Rest-API Agent
cli Rest-API cli handling
client Rest-API client request handling
daemon Rest-API debug/syslog handling
process Starting/Stopping of Rest-API Agent
token-auth Rest-API Token authentication

Read More

03 Jan

Cisco ASA REST API – Part III: Checking if prefix is directly connected

First published: 03/Jan/2017
Last update: 03/Jan/2017

It’s time to do some programming and really use REST API for something good. The first script will be used to check if specified prefix is directly connected to any of firewall interfaces. Script requires two arguiments: checked IP address and IP address of firewall. The execution of script will be as below


$ ./IfDirectlyConnected.pl
Usage: IfDirectlyConnected.pl [Checked IP Address] [Firewall Management IP]

At this demo script require IP addresses to be used and is not checking if arguments are IP addresses, just simply validating if two it’s executed with two arguments.

Please take a moment to look back to my post Cisco ASA REST API – Lab topology and programming language where I explained the topology of simulated network and presented IP addresses assigned to each device. Routing is configured and all subnets are reachable.

We will test te script on asav-1 firewall. The expected results are as follow:


$ ./IfDirectlyConnected.pl 10.0.12.5 172.16.1.51
Checking address 10.0.12.5 on firewall 172.16.1.51
RESULT: Destination route is directly connected

$ ./IfDirectlyConnected.pl 10.0.24.5 172.16.1.51
Checking address 10.0.24.5 on firewall 172.16.1.51
RESULT: Route in routing table but not directly connected

$ ./IfDirectlyConnected.pl 10.0.99.5 172.16.1.51
Checking address 10.0.99.5 on firewall 172.16.1.51
RESULT: Subnet not in routing table

Script is available on my GitHub

Read More

14 Nov

Cisco ASA REST API – Lab topology and programming language

First published: 31/Oct/2016
Last update: 31/Oct/2016
ASA REST API version: 1.2.2

Before we start using Cisco ASA REST API let’s get familiar with network topology that will be used in chapters.

screen-shot-2016-11-01-at-22-24-21

Whole simulation is run on Cisco VIRL installed as VMWare VM and is using included ASAv and lxc-sshd images. VIRL is cheap and provide us wide range of virtual devices we can choose from for our simulation. ASAv is running image 9.5(2)204 which has preinstalled ASDM 7.5(2) and REST API version  1.2.2.200.

For your convenience the topology and all scripts will be available on GitHub Repository

Read More

31 Oct

Cisco ASA REST API – Part II: How it’s really working?

First published: 31/Oct/2016
Last update: 31/Oct/2016
ASA REST API version: 1.3.2

In previous chapter we configured ASA to support REST API interface and executed simply query. It was nice to see something in action but let’s now think how it’s working and how we can use it.

Every operation you can do using REST API you can also execute via traditional CLI commands or simplifying your life a little by using ASDM. Many of parameters you can fetch using SNMP or from syslog. So is it just another way to manage your device? Answer is both yes and no. Yes, because it is way of managing the device. No, because using REST API you have to stop thinking that you configure service but you are programming it usually as a part of bigger script or application.

REST API on ASA

REST API on ASA side is small plugin loaded into device flash memory and then activated using CLI.

 

rest-api-diagram

Read More