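First we need to disable the RPF source address check for the ASAv, as it will route traffic from net to net. We could do allowed-address pairs on a per neutron port basis, or just enable the no-op firewall driver (and comment out the other driver) in /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini:
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
Then restart the agent:
sudo systemctl restart neutron-openvswitch-agent
Note that the no-op driver stops the agent from enforcing security groups on every port it manages, not only the ASAv's, so allowed-address pairs are the narrower change.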
Create Nova Compute Flavor for the ASAv
The ASAv requires a nova compute flavor consisting of 4096M of memory and 2 vCPUs.
nova flavor-create asa-flavor <flavor id> 4096 <disk size in GB> 2
To view the existing flavor ids issue the nova flavor-list command.
Use a flavor id which is not currently being used.
Glance an Image for the ASAv
We need to create an image for OpenStack. We create this image based on a qcow2 image which can be obtained from Cisco's website. In the example below you will have to adjust the URL location of the image along with the actual name of the ASAv qcow2 image.
glance image-create --name ASAv --disk-format qcow2 --container-format bare --location http://<ip address of server hosting image>/asav951-203-anyconnect.qcow2 --is-public true
Make sure the image was successfully created
We now need to modify these images with custom parameters which will change the NIC type to e1000 and the disk bus to ide:
Prepare the Day 0 Configuration File
You can prepare a Day 0 configuration file before you launch the ASAv. This is a text file that contains the ASAv configuration that will be applied when the ASAv is launched. This initial configuration is placed into a text file named “day0-config” in a working directory you choose. At a minimum, the Day 0 configuration file must contain commands that will activate the management interface and set up the SSH server for public key authentication, but it can also contain a complete ASA configuration.
Boot the Image with Nova
At this point we have a good image which we can now boot. We can do this using the nova boot command. It is important to note the order of the NIC interfaces when booting the ASAv. The first interface in the nova boot command is the Management interface, the second is the Inside network and the third is the Outside network.
nova boot ASAv --image ASAv --nic net-id=<numeric id of management network in neutron>,v4-fixed-ip=192.168.0.12 --nic net-id=<numeric id of inside network in neutron>,v4-fixed-ip=192.168.200.1 --nic net-id=<numeric id of outside network in neutron>,v4-fixed-ip=192.168.100.11 --flavor 11 --config-drive=true --file day0-config=/home/localadmin/day0-config
hostname ciscoasav
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd nDzzbb5hq84gn0CE encrypted
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.100.11 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.0.12 255.255.255.0
!
ftp mode passive
access-list PERMIT_ICMP extended permit icmp any any
pager lines 23
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group PERMIT_ICMP global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username cisco password FL/j2s7kdjDy.q93 encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect rtsp
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sip
  inspect skinny
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 9
  subscribe-to-alert-group configuration periodic monthly 9
  subscribe-to-alert-group telemetry periodic daily
crypto key generate rsa modulus 1024
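The configuration above opens telnet and SSH to any source on every interface, selects the dh-group1-sha1 key exchange and generates a 1024-bit RSA key. The following check is an added example, not part of the original post or of any Cisco tooling: it scans a day0-config for those management-plane settings before the file is passed to nova boot. The rule names, the 2048-bit minimum and the 192.168.0.0/24 management subnet in the hardened sample are assumptions.

```python
import re

IP = r"\d+\.\d+\.\d+\.\d+"
ACCESS_RE = re.compile(rf"^(telnet|ssh) ({IP} {IP}) (\S+)$")
RSA_RE = re.compile(r"^crypto key generate rsa\b.*\bmodulus (\d+)")
ANY_SOURCE = "0.0.0.0 0.0.0.0"

# Constructed excerpts: WEAK_DAY0 repeats management-plane lines of the kind in the
# config above; HARDENED_DAY0 uses a hypothetical management subnet.
WEAK_DAY0 = """\
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 management
ssh version 2
ssh key-exchange group dh-group1-sha1
crypto key generate rsa modulus 1024
"""
HARDENED_DAY0 = """\
ssh 192.168.0.0 255.255.255.0 management
ssh version 2
ssh key-exchange group dh-group14-sha1
crypto key generate rsa modulus 2048
"""

def audit_day0(text, min_rsa_bits=2048):
    """Return (line number, rule, line) for each risky management-plane setting."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        access, rsa = ACCESS_RE.match(line), RSA_RE.match(line)
        if access and access.group(1) == "telnet":
            rule = "telnet-enabled"            # cleartext management protocol
        elif access and access.group(2) == ANY_SOURCE:
            rule = "ssh-any-source"            # SSH reachable from every address
        elif line == "ssh key-exchange group dh-group1-sha1":
            rule = "weak-ssh-kex"              # 1024-bit Diffie-Hellman group
        elif rsa and int(rsa.group(1)) < min_rsa_bits:
            rule = "short-rsa-key"             # SSH host key below the chosen minimum
        else:
            continue
        findings.append((number, rule, line))
    return findings

if __name__ == "__main__":
    for finding in audit_day0(WEAK_DAY0):
        print(finding)
    print("hardened findings:", audit_day0(HARDENED_DAY0))
```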
To minimize all open windows:
Command-Option-H-M
For a very simple HTTP server, execute this in the directory you would like to serve. The default port is 8000, so http://<ip address>:8000/ will get you there.
python -m SimpleHTTPServer
By default OS X logs all of the downloads you have made since the installation of the operating system. From what I have seen this isn't cleaned by off-the-shelf privacy cleaners. It could be a valuable tool to those doing OS X forensics. You can view this download database with:
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineDataURLString from LSQuarantineEvent'
To clear this database:
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'delete from LSQuarantineEvent'
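For forensic use, the download URL alone is less useful than a timeline. The following is an added example, not from the original post: it reads the same LSQuarantineEvent table, converts LSQuarantineTimeStamp (seconds since 2001-01-01 UTC) to readable time and includes the downloading application and origin page. The rows are constructed, and the columns other than LSQuarantineDataURLString are not shown on this page, so confirm them against the schema of the database being examined.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# LSQuarantineTimeStamp counts seconds from this epoch (Mac absolute time).
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def open_readonly(path):
    """Open an evidence copy of the database without being able to modify it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def build_sample_db():
    """In-memory stand-in for the quarantine database, filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE LSQuarantineEvent (
        LSQuarantineEventIdentifier TEXT PRIMARY KEY,
        LSQuarantineTimeStamp REAL,
        LSQuarantineAgentName TEXT,
        LSQuarantineDataURLString TEXT,
        LSQuarantineOriginURLString TEXT)""")
    db.executemany("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?)", [
        ("E-2", 400000000.0, "Safari", "https://downloads.example.org/tool.dmg",
         "https://example.org/tools"),
        ("E-1", 378691200.0, "Mail", None, None),   # attachments often carry no URL
        ("E-3", 400003600.0, "Safari", "https://cdn.example.net/report.pdf", None),
    ])
    return db

def download_timeline(db):
    """Return (UTC time, agent, download URL, origin URL) tuples, oldest first."""
    rows = db.execute("""SELECT LSQuarantineTimeStamp, LSQuarantineAgentName,
                                LSQuarantineDataURLString, LSQuarantineOriginURLString
                         FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp""")
    timeline = []
    for stamp, agent, url, origin in rows:
        when = MAC_EPOCH + timedelta(seconds=stamp)
        timeline.append((when.strftime("%Y-%m-%d %H:%M:%S"), agent,
                         url or "(no URL recorded)", origin))
    return timeline

if __name__ == "__main__":
    for entry in download_timeline(build_sample_db()):
        print(entry)
```

On a real system, pass the path of a copied QuarantineEventsV* file to open_readonly() and hand the connection to download_timeline().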
There is a really nice "hidden" setting in both Lion and Mountain Lion which allows for changing the look of the stack list menu. Apple really should make this the default:
defaults write com.apple.dock use-new-list-stack -bool YES; killall Dock
Show full path in Finder:
defaults write com.apple.finder _FXShowPosixPathInTitle -bool YES; killall Finder
Clear DNS cache in OS X 10.10:
dscacheutil -flushcache
Keeps the display from sleeping. Maintains this state until caffeinate is terminated. OS X Mountain Lion only.
caffeinate -d
You might have noticed that OS X occasionally shows duplicate application entries when doing a file "Open With" in Finder. This can be easily fixed by running the command:
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -kill -r -domain local -domain user; killall Finder; echo "Open With has been rebuilt, Finder will relaunch"
I have found the following nettop commands useful in my troubleshooting of IPv6 connections:
nettop -n -m route
It is possible to get quite a speed boost out of Mail.app by stripping all the bloat out of its Envelope Index. Since Mail.app uses sqlite we can use the vacuum command. The command below works in OS X Lion:
sqlite3 ~/Library/Mail/V2/MailData/Envelope\ Index vacuum;
To monitor file writes and reads to and from the disk. The activity will be recorded in the output.txt file. Use control-C to quit.
You may notice if you use network shares that OS X leaves .DS_Store files on the network shares. While these aren’t visible to OS X users, if you have other users accessing the same share they will see these files in every directory. Since these files simply save the appearance of the folder in OS X, disabling it shouldn’t have any adverse effect:
I'll be presenting an Introduction to IPv6 and its implications on network security and investigations on Monday September 17th at 3:30PM at the High Tech Crime Investigation Association Conference taking place at the Hershey Lodge in Hershey, PA.
I am working on a python script for IPv6 malicious packet handling. The script requires Scapy which can be downloaded from http://www.secdev.org/projects/scapy/
Be sure you are running at least Scapy (2.2.0-dev). The script was tested on Backtrack 5 R2.
Currently the script performs the following tests:
1. Send HbH Header Flood: Tests handling of a large number of HbH headers directed at an L3 device. Could DoS a router if there isn't proper policing of packets to the CPU.
2. Send RH0 Packets: Tests for the filtering and/or handling of RH0 packets. RH0 packets have been deprecated and shouldn't be accepted.
3. Send Packets with two RH0 Headers: Tests the corner case of two RH0 headers, one after the other.
4. RA daemon killer: Some RA daemons will crash if you send RAs towards them with a spoofed source of themselves and a lifetime of zero.
5. RA Flood: Sends a flood of RAs with random prefixes. Will DoS Windows and possibly other devices.
6. Hide Layer 4 Info for ACL Bypass: Tests the handling of ACL and firewall rules with the layer 4 information "hidden" in the second fragment. Some firewalls will pass this since they don't find the layer 4 information in the first fragment.
You can download the current version of the script from github: ipv6-test.py
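On the receiving side, tests 1, 2, 3 and 6 come down to walking the extension-header chain and checking it against RFC 8200, RFC 5095 and RFC 7112. The following is an added example, not part of ipv6-test.py and not using Scapy: it is a filter-side check on raw IPv6 packet bytes. The finding names and the sample packets (documentation addresses, built in memory only) are constructed for illustration.

```python
import ipaddress
import struct

HBH, ROUTING, FRAGMENT, DSTOPTS, NO_NEXT = 0, 43, 44, 60, 59
MIN_L4 = {6: 20, 17: 8, 58: 4}  # shortest TCP, UDP and ICMPv6 headers

def inspect_ipv6(packet):
    """Walk one raw IPv6 packet's extension-header chain; return sorted findings."""
    findings, nh, off, depth, first_frag = set(), packet[6], 40, 0, False
    while nh in (HBH, ROUTING, FRAGMENT, DSTOPTS):
        if off + 8 > len(packet):
            findings.add("header-chain-incomplete")
            return sorted(findings)
        if nh == HBH and depth > 0:  # RFC 8200: once, directly after the IPv6 header
            findings.add("hbh-misplaced-or-repeated")
        if nh == ROUTING and packet[off + 2] == 0:  # Routing Type 0 (RFC 5095)
            findings.add("rh0")
        length = 8 if nh == FRAGMENT else (packet[off + 1] + 1) * 8
        if nh == FRAGMENT:
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return sorted(findings)  # later fragment: payload follows, not headers
            first_frag = True
        nh, off, depth = packet[off], off + length, depth + 1
    # RFC 7112: the first fragment must hold the whole chain, upper-layer header included
    if first_frag and len(packet) - off < MIN_L4.get(nh, 0):
        findings.add("l4-header-not-in-first-fragment")
    return sorted(findings)

# Constructed sample packets (documentation addresses; built in memory only).
def ipv6(next_header, payload):
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in ("2001:db8::1", "2001:db8::2"))
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + addrs + payload

def opts(next_header):  # 8-byte Hop-by-Hop / Destination Options header with one PadN
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])

def rh0(next_header):  # Routing header type 0 carrying a single address
    return bytes([next_header, 2, 0, 1, 0, 0, 0, 0]) + ipaddress.IPv6Address("2001:db8::3").packed

SAMPLES = {
    "plain-udp": ipv6(17, struct.pack("!HHHH", 53, 53, 8, 0)),
    "double-rh0": ipv6(ROUTING, rh0(ROUTING) + rh0(NO_NEXT)),
    "repeated-hbh": ipv6(HBH, opts(HBH) + opts(NO_NEXT)),
    "l4-in-second-fragment": ipv6(FRAGMENT, struct.pack("!BBHI", DSTOPTS, 0, 1, 7) + opts(6)),
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(name, inspect_ipv6(packet))
```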
Properly configuring Sendmail can be a real pain, especially when all you need is to get email off of a system and send it to remote email addresses. For this, SSMTP may be the solution. For my setup I simply want to send email from my system through Gmail.
Replace AuthUser and AuthPass with your Google Gmail username and password. The username should not have @gmail appended. Also change [email protected] to be the email address which should originate the email.
To make things easier I also set up a separate Gmail account which just handles my outbound email from the system. If you use the same Gmail account to send and then view the received email, it will never appear in the inbox.
The easiest solution is to create a separate gmail account to originate the email.
Personally, I am using SSMTP to send voicemail messages attached to an email from the Asterisk VoIP System. All I had to change in the Asterisk voicemail.conf file was the following:
My voicemail is then attached to an email as a wave file.
Traditionally, installing and uploading images on Cisco routers has been done with TFTP. As the IOS images have grown larger and larger, some TFTP servers have problems supporting these large file sizes. Secure Copy (scp) can be used in place of TFTP to interact with the IOS file system. This eliminates many of the problems related to TFTP with the added benefit of security. Below is an IOS config snippet for making this work:
! AAA authentication and authorization must be configured properly for SCP to work.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
! Set your login credentials as appropriate
username user privilege 15 password 0 securepass
! SSH must be configured and functioning properly.
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable
At this point you can use any scp client to interact with the IOS filesystem. So for example on a Unix-like filesystem:
I turned up a 6over4 tunnel to Hurricane Electric with the IPv6 traffic from the tunnel passing through a Cisco ASA firewall. The stability and performance of the HE tunnel have been fantastic. Here is how it is set up:
While the Cisco ASA doesn’t support direct termination of IPv6 tunnels, it does have very rich support for IPv6 firewalling. The approach would be to take another external router which would sit outside of the ASA firewall and use that for tunnel termination. From there, bring the IPv6 inside interface of the router terminating the tunnel and connect that to an ASA interface which only has an IPv6 address.
You will need at least one additional static IP address on your outside network in order for this to work. Many Cable ISPs will offer this if you sign up for business level services usually for a nominal additional fee. It may still work with a dynamic address if it doesn't change all that much.
When you sign up with HE they will provide two /64 networks and a /48. The first /64 IPv6 network is for the actual tunnel going from your external tunnel router to the HE tunnel server. The second /64 is for the connection between the inside interface of your tunnel router and the ASA. The final /48 is for internal subnets behind the ASA firewall.
As far as software goes, the ASA should be running software 8.2 or higher while the external IOS router could be running a recent image of 12.4T or Release 15. In my case I am using an 1800 series router running release 15.1.3T Advanced Enterprise.
Cisco ASA Firewall Configuration:
interface Vlan6
 description ipv6 to HE Tunnel
 nameif ipv6-tunnel
 security-level 25
 no ip address
 ipv6 address 2001:DB8:2222::1/64
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ip flow ingress
 ipv6 address 2001:DB8:1111::2/64
 ipv6 enable
 tunnel source 22.214.171.124
 tunnel mode ipv6ip
 tunnel destination 126.96.36.199
interface FastEthernet0
 ip address 188.8.131.52 255.255.255.248
 ip access-group inbound in
 no ip redirects
 ip flow ingress
 duplex auto
 speed auto
 no ip address
 ipv6 address 2001:DB8:1111:1/64
 ipv6 enable