03 Jan

Cisco ASA REST API – Part III: Checking if prefix is directly connected

First published: 03/Jan/2017
Last update: 03/Jan/2017

It’s time to do some programming and really use the REST API for something useful. The first script checks whether a specified prefix is directly connected to any of the firewall interfaces. The script requires two arguments: the IP address to check and the IP address of the firewall. It is executed as below:


$ ./IfDirectlyConnected.pl
Usage: IfDirectlyConnected.pl [Checked IP Address] [Firewall Management IP]

This demo script requires IP addresses as arguments but does not check that the arguments actually are IP addresses; it simply validates that it was executed with two arguments.

Please take a moment to look back at my post Cisco ASA REST API – Lab topology and programming language, where I explained the topology of the simulated network and presented the IP addresses assigned to each device. Routing is configured and all subnets are reachable.

We will test the script on the asav-1 firewall. The expected results are as follows:


$ ./IfDirectlyConnected.pl 10.0.12.5 172.16.1.51
Checking address 10.0.12.5 on firewall 172.16.1.51
RESULT: Destination route is directly connected

$ ./IfDirectlyConnected.pl 10.0.24.5 172.16.1.51
Checking address 10.0.24.5 on firewall 172.16.1.51
RESULT: Route in routing table but not directly connected

$ ./IfDirectlyConnected.pl 10.0.99.5 172.16.1.51
Checking address 10.0.99.5 on firewall 172.16.1.51
RESULT: Subnet not in routing table

The script is available on my GitHub.
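The three verdicts above come down to a longest-prefix match over the firewall's routing table followed by a check of the route type. The following added example (not the author's Perl script and not code from the GitHub repository) shows that decision logic in Python; it assumes the routing table has already been fetched from the ASA and uses a constructed sample table whose /24 masks are assumed, modelled on the lab addresses in this post.

```python
import ipaddress
import sys

# Constructed sample routing table, not real ASA REST API output.
# Each entry is (prefix, route type); "connected" marks a subnet attached
# to a firewall interface, anything else is a static or learned route.
SAMPLE_ROUTES = [
    ("10.0.12.0/24", "connected"),   # assumed mask for the lab subnet
    ("10.0.24.0/24", "static"),      # reachable only via a next hop
    ("172.16.1.0/24", "connected"),  # management subnet
    ("0.0.0.0/0", "static"),         # default route
]

DIRECT = "Destination route is directly connected"
VIA_ROUTE = "Route in routing table but not directly connected"
MISSING = "Subnet not in routing table"


def best_match(address, routes):
    """Longest-prefix match: return (network, type) of the most specific
    route covering address, or None if no route covers it."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, kind in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind)
    return best


def classify(address, routes):
    """Map an address to one of the three verdicts printed by the script.
    A match on the default route only counts as 'not in routing table',
    which is what the post reports for 10.0.99.5."""
    match = best_match(address, routes)
    if match is None or match[0].prefixlen == 0:
        return MISSING
    net, kind = match
    return DIRECT if kind == "connected" else VIA_ROUTE


if __name__ == "__main__":
    # Same two-argument contract as the original script; the firewall
    # address is only echoed here because the table is embedded.
    if len(sys.argv) != 3:
        sys.exit("Usage: %s [Checked IP Address] [Firewall Management IP]" % sys.argv[0])
    checked, firewall = sys.argv[1], sys.argv[2]
    print("Checking address %s on firewall %s" % (checked, firewall))
    print("RESULT: %s" % classify(checked, SAMPLE_ROUTES))
```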


14 Nov

Cisco ASA REST API – Lab topology and programming language

First published: 31/Oct/2016
Last update: 31/Oct/2016
ASA REST API version: 1.2.2

Before we start using the Cisco ASA REST API, let’s get familiar with the network topology that will be used in the following chapters.

[Figure: screenshot of the lab topology]

The whole simulation runs on Cisco VIRL installed as a VMware VM and uses the included ASAv and lxc-sshd images. VIRL is cheap and provides a wide range of virtual devices to choose from for the simulation. ASAv runs image 9.5(2)204, which comes with ASDM 7.5(2) and REST API version 1.2.2.200 preinstalled.

For your convenience the topology and all scripts will be available in the GitHub repository.


31 Oct

Cisco ASA REST API – Part II: How does it really work?

First published: 31/Oct/2016
Last update: 31/Oct/2016
ASA REST API version: 1.3.2

In the previous chapter we configured the ASA to support the REST API interface and executed a simple query. It was nice to see something in action, but let’s now think about how it works and how we can use it.

Every operation you can perform using the REST API you can also execute via traditional CLI commands, or simplify your life a little by using ASDM. Many of the parameters you can fetch using SNMP or from syslog. So is it just another way to manage your device? The answer is both yes and no. Yes, because it is a way of managing the device. No, because when using the REST API you have to stop thinking that you configure a service; you are programming it, usually as part of a bigger script or application.

REST API on ASA

The REST API on the ASA side is a small plugin loaded into the device flash memory and then activated using the CLI.

[Figure: REST API diagram]


24 Oct

Cisco ASA REST API – Part I: Getting started

First published: 24/Oct/2016
Last update: 31/Oct/2016
ASA REST API version: 1.3.2

REST stands for Representational State Transfer. This API gives administrators the option to perform CRUD operations, that is Create, Read, Update and Delete. It relies fully on HTTPS as the transport protocol and requires programming skills from administrators. But once you gain some experience it is a good way of learning and getting familiar with a whole new world, where you program devices more than you configure them.


21 Oct

Juniper error messages that says nothing

I wrote in the past that sometimes error messages are completely misleading and not connected to the problem that is blocking the commit of changes. Here is another example; I’m leaving it here because Google was not helpful on this 😉

I’ve been trying to configure a DHCP server on an SRX, firmware 12.1X46-D60.4, using the new approach that supports both IPv4 and IPv6. DHCP parameters are now defined under the access section:

user@SRX# show access address-assignment pool LAN 
family inet {
    network 192.168.100.0/24;
    range Dynamic {
        low 192.168.100.101;
        high 192.168.100.140;
    }
    dhcp-attributes {
        maximum-lease-time 86400;
        domain-name lan;
        name-server {
            192.168.100.1;
        }
        router {
            192.168.100.1;
        }
    }
    host HOST1 {
        hardware-address d1:51:99:37:4d:79;
        ip-address 192.168.1.2;
    }
    host HOST2 {
        hardware-address 2d:f0:e2:51:74:55;
        ip-address 192.168.1.10;
    }
    host HOST3 {
        hardware-address d1:51:99:37:4d:79;
        ip-address 192.168.1.5;
    }
}

An attempt to commit the change results in an error message:

user@SRX# commit check 
error: Check-out failed for General authentication process (/usr/sbin/authd) without details
error: configuration check-out failed

Hmm… yes, so the problem is… no, that’s not the right guess.

The error message is not really helpful, because the actual problem is that the same MAC address was specified for two static assignments (HOST1 and HOST3). Yes, the error message was really helpful in this case…
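Since authd reports nothing useful here, a pre-commit check for duplicate static assignments is worth having. The following added example (not from the post, not a Juniper tool) parses the host blocks of the pool configuration shown above, embedded here trimmed to the relevant host entries, and reports any hardware-address or ip-address used by more than one host.

```python
import re
from collections import defaultdict

# Host blocks copied from the pool configuration in the post, embedded so
# the check runs offline; in practice feed it the output of
# "show access address-assignment pool <name>".
POOL_CONFIG = """
family inet {
    network 192.168.100.0/24;
    host HOST1 {
        hardware-address d1:51:99:37:4d:79;
        ip-address 192.168.1.2;
    }
    host HOST2 {
        hardware-address 2d:f0:e2:51:74:55;
        ip-address 192.168.1.10;
    }
    host HOST3 {
        hardware-address d1:51:99:37:4d:79;
        ip-address 192.168.1.5;
    }
}
"""

# Host blocks contain no nested braces, so a non-greedy match up to the
# first closing brace captures exactly one block.
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
FIELD_RE = {
    "hardware-address": re.compile(r"hardware-address\s+([0-9a-fA-F:]+)\s*;"),
    "ip-address": re.compile(r"ip-address\s+(\S+)\s*;"),
}


def parse_static_hosts(config):
    """Return a list of (host name, MAC, IP) for each host block."""
    hosts = []
    for name, body in HOST_RE.findall(config):
        mac = FIELD_RE["hardware-address"].search(body)
        ip = FIELD_RE["ip-address"].search(body)
        hosts.append((name, mac.group(1).lower() if mac else None,
                      ip.group(1) if ip else None))
    return hosts


def find_duplicates(config, field):
    """Map each value of field ('hardware-address' or 'ip-address') that is
    shared by several hosts to the sorted list of those host names."""
    idx = 1 if field == "hardware-address" else 2
    seen = defaultdict(list)
    for entry in parse_static_hosts(config):
        if entry[idx] is not None:
            seen[entry[idx]].append(entry[0])
    return {v: sorted(n) for v, n in seen.items() if len(n) > 1}
```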

20 Apr

ASA SSH internal error and misleading messages

We all know that error messages may be misleading. Internet boards or vendor documentation may also be inaccurate or unhelpful, and sometimes can even steer troubleshooting into the wrong area. A simple example from a Cisco ASA showing the following error message:

%ASA-6-315011: SSH session from 192.168.1.2 on interface Management for user "root" disconnected by SSH server, reason: "Internal error" (0x00)

One would think that there is a problem with the SSH subsystem. A quick Google search seems to confirm the suspicion, as this error happens when no RSA key is present on the system. But if regenerating the RSA key over and over with different moduli or changing SSH settings does not help, you start to doubt that this is the correct reason. The truth is that on an out-of-the-box ASA this is also a symptom of missing local AAA authentication. To solve the problem you have to add:

aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL

So the error message was neither related to nor gave a correct clue about the real cause of the problem. Vendors should really work on better and more detailed error messages.

27 Nov

ESXi 5.5 on VMWare Workstation and only one NIC visible

Something less strictly networking related, but I started setting up a lab environment on my home PC. It’s good that you can run hypervisors as virtual machines in a virtualized environment. I installed two ESX 5.5 hypervisors. ESX by default creates four Ethernet interfaces. The first interface is bridged to my LAN, the others were supposed to be used for internal connections, but it turned out that the hypervisor itself could not see them. For some unknown reason only the first interface was visible.

It turned out that only the first network interface was defined as e1000; the rest had no interface type definition, therefore the VM detected them as some AMD PCI cards and couldn’t use them. The fix is simple: find the .vmx configuration file and add the device type manually:

ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000"
ethernet1.vnet = "VMnet3"
ethernet1.connectionType = "custom"
ethernet1.wakeOnPcktRcv = "FALSE"
ethernet1.addressType = "generated"