14 Nov

Cisco ASA REST API – Lab topology and programming language

First published: 31/Oct/2016
Last update: 31/Oct/2016
ASA REST API version: 1.2.2

Before we start using Cisco ASA REST API let’s get familiar with network topology that will be used in chapters.

screen-shot-2016-11-01-at-22-24-21

Whole simulation is run on Cisco VIRL installed as VMWare VM and is using included ASAv and lxc-sshd images. VIRL is cheap and provide us wide range of virtual devices we can choose from for our simulation. ASAv is running image 9.5(2)204 which has preinstalled ASDM 7.5(2) and REST API version  1.2.2.200.

For your convenience the topology and all scripts will be available on GitHub Repository

Read More

31 Oct

Cisco ASA REST API – Part II: How it’s really working?

First published: 31/Oct/2016
Last update: 31/Oct/2016
ASA REST API version: 1.3.2

In previous chapter we configured ASA to support REST API interface and executed simply query. It was nice to see something in action but let’s now think how it’s working and how we can use it.

Every operation you can do using REST API you can also execute via traditional CLI commands or simplifying your life a little by using ASDM. Many of parameters you can fetch using SNMP or from syslog. So is it just another way to manage your device? Answer is both yes and no. Yes, because it is way of managing the device. No, because using REST API you have to stop thinking that you configure service but you are programming it usually as a part of bigger script or application.

REST API on ASA

REST API on ASA side is small plugin loaded into device flash memory and then activated using CLI.

 

rest-api-diagram

Read More

24 Oct

Cisco ASA REST API – Part I: Getting started

First published: 24/Oct/2016
Last update: 31/Oct/2016
ASA REST API version: 1.3.2

REST is an acronym of Representational State Transfer (REST) API. This API provide administrators an option to perform CRUD operations which is Create, Read, Update, Delete. It fully rely on HTTPS as transport protocol and requires programming skills from administrators. But if you gain some experience its a good way of learning and getting familiar with whole new world when you more program devices than configure it.

Read More

21 Oct

Juniper error messages that says nothing

I wrote in the past that sometimes error messages are completely misleading and not connected to the problem that is blocking changes commit. Here is another example, I’m leaving it here because Google was not helpful on this 😉

I’ve been trying to configure DHCP server on SRX, firmware 12.1X46-D60.4, using the new approach that support both IPv4 and IPv6. DHCP parameters are now defined under access section

[email protected]# show access address-assignment pool LAN 
family inet {
    network 192.168.100.0/24;
    range Dynamic {
        low 192.168.100.101;
        high 192.168.100.140;
    }
    dhcp-attributes {
        maximum-lease-time 86400;
        domain-name lan;
        name-server {
            192.168.100.1;
        }
        router {
            192.168.100.1;
        }
    }
    host HOST1 {
        hardware-address d1:51:99:37:4d:79;
        ip-address 192.168.1.2;
    }
    host HOST2 {
        hardware-address 2d:f0:e2:51:74:55;
        ip-address 192.168.1.10;
    }
    host HOST3 {
        hardware-address d1:51:99:37:4d:79;
        ip-address 192.168.1.5;
    }
}

Attempt to commit the change result in error message

[email protected]# commit check 
error: Check-out failed for General authentication process (/usr/sbin/authd) without details
error: configuration check-out failed

Hmm.. yes, so the problem is…. no, that’s not the right guess.

The error message is not really helpful because the problem is that for two static assignments same MAC address was specified. Yes, error message was really helpful in this case….

20 Apr

ASA SSH internal error and misleading messages

We all know that error messages may be misleading. Also Internet boards or vendor documentation may not be accurate or helpful, sometimes can even move troubleshooting in wrong area. Simple example from Cisco ASA showing following error message:

%ASA-6-315011: SSH session from 192.168.1.2 on interface Management for user "root" disconnected by SSH server, reason: "Internal error" (0x00)

One would think that there is problem with SSH subsystem. Quick search at Google can confirm suspicious as this error happening when no RSA key is present on system. But if regenerating RSA key over and over using different modulus or changing SSH setting is not helping you doubt that’s correct reason. Truth is that on out-of-the-box ASA this is also a symptom of lack of local AAA authentication. To solve the problem you have to add:

aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL

So error message was not really related nor giving correct clue what real reason of problem was. Vendors should really work on better and more detailed error messages.

27 Nov

ESXi 5.5 on VMWare Workstation and only one NIC visible

Something less strictly networking but I started setting up some lab environment on my home PC. It’s good that you can run hypervisors as virtual machines in virtualized environment. I installed two ESX 5.5 hypervisors. ESX by default creates four Ethernet interfaces. First interface is bridged to my LAN, others were supposed to be used for internal connections but it happened that hypervisor itself cannot see them. For some unknown reason only first interface was visible.

It happened that only first network interface is defined as e1000, rest had no interface type definition, therefor VM detected those as some AMD PCI cards and couldn’t use them. Fix for this simple – find .vmx configuration file and add device type manually

ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000"
ethernet1.vnet = "VMnet3"
ethernet1.connectionType = "custom"
ethernet1.wakeOnPcktRcv = "FALSE"
ethernet1.addressType = "generated"
03 Jul

Cisco IPS and packet capturing

I had to perform troubleshooting of management traffic exchanged between IPS module in ASA5525-X and management station. I had some communication problems resulting in denied traffic on firewall placed in between (and it’s not the ASA itself). The best option is always sniffing packet headers on either end, as I had no possibility to do it on management station IPS was the next option.
Read More

19 Apr

BFD – presentation from PLNOG10

BFD – presentation from PLNOG10

A little late but here it is – presentation from my session on PLNOG10 conference that took place in Warsaw 28th Feb – 1st Match. This is one of best conferences for Service Providers in country and region.

This time I was talking about BFD protocol, deployment strategies and caveats. The presentation was in Polish but slides are in English.