Thursday, February 14, 2013

Cisco Router password recovery

The recovery process is simple and hardly takes five minutes, though the time depends on how fast your router boots.


  1. First of all, connect to the console port, start a terminal application, and power on the router. When you see the boot process beginning, hit the Break sequence. (The Break sequence is usually Ctrl+Page Break, but it might differ according to terminal settings.) Doing this interrupts the boot process and drops the router into ROMMON.
  2. At the ROMMON prompt, enter the command config-register 0x2142 to set the configuration register to 0x2142.
  3. Restart the router by power cycling it or by issuing the command reset.
  4. When the router reloads, the configuration register setting of 0x2142 instructs the router to ignore the startup-config file in NVRAM. You will be asked if you want to go through Setup mode because the router thinks it has no startup-config file. Exit from Setup mode.
  5. Press Return and enter the command enable to go into privileged EXEC mode. No password is required because the startup-config file was not loaded.
  6. Load the configuration manually by entering copy startup-config running-config.
  7. Go into global configuration mode using the command configure terminal and change the password with the command enable password password or enable secret password.
  8. Save the new password by entering copy running-config startup-config.
  9. At the global config prompt, change the configuration register back to the default setting with the command config-register 0x2102. Exit back to the privileged EXEC prompt.
  10. Reboot the router using the reload command. You will be asked to save your changes; do so if you have made additional configuration changes.
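As an added example (not part of the original post), here is a small Python helper that decodes the configuration register bits the procedure toggles and audits the last line of show version, so an inventory sweep can catch a router where step 9 was skipped: such a router comes up on its next reload with no startup-config and therefore no passwords. The bit meanings are standard IOS; the sample lines are constructed.

```python
import re

# Configuration register bits that the procedure above toggles (standard IOS meanings).
IGNORE_NVRAM = 0x0040     # bit 6: boot without loading startup-config from NVRAM
BREAK_DISABLED = 0x0100   # bit 8: console Break is ignored once IOS is running
BOOT_FIELD = 0x000F       # bits 0-3: 0x0 = stay in ROMMON, 0x1 = boot ROM image, 0x2-0xF = boot IOS from flash

def decode_confreg(value):
    """Return what a configuration register value selects at the next boot."""
    boot_field = value & BOOT_FIELD
    boot = "rommon" if boot_field == 0 else "boot-rom" if boot_field == 1 else "flash"
    return {
        "boot": boot,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }

# 'show version' ends with a line such as
# "Configuration register is 0x2142 (will be 0x2102 at next reload)".
CONFREG_RE = re.compile(
    r"Configuration register is 0x([0-9A-Fa-f]{1,4})"
    r"(?: \(will be 0x([0-9A-Fa-f]{1,4}) at next reload\))?")

def audit_show_version(text):
    """Flag a router that will ignore its startup-config (and its passwords) at the next reload."""
    m = CONFREG_RE.search(text)
    if not m:
        return {"found": False, "findings": ["no configuration register line in output"]}
    current = int(m.group(1), 16)
    next_reload = int(m.group(2), 16) if m.group(2) else current
    effective = decode_confreg(next_reload)
    findings = []
    if effective["ignore_nvram"]:
        findings.append("startup-config ignored at next reload: set config-register 0x2102")
    if effective["boot"] != "flash":
        findings.append("router will not boot IOS from flash at next reload")
    return {"found": True, "current": f"0x{current:04x}", "next_reload": f"0x{next_reload:04x}",
            "findings": findings}

# Constructed sample lines, not output from a real router.
RECOVERED = "Configuration register is 0x2142 (will be 0x2102 at next reload)"   # step 9 done
FORGOTTEN = "Configuration register is 0x2142"                                    # step 9 skipped
```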

Cisco ASA 55xx Firewall: Basic Configuration

The Cisco ASA 5510 security appliance is the second model in the ASA series (ASA 5505, 5510, 5520, etc.) and is fairly popular since it is intended for small to medium enterprises. Like the smallest ASA 5505 model, the 5510 comes with two license options: the Base license and the Security Plus license. The Security Plus license provides some performance and hardware enhancements over the Base license, such as 130,000 maximum firewall connections (instead of 50,000), 100 maximum VLANs (instead of 50), failover redundancy, etc. Also, the Security Plus license enables two of the five firewall network ports to work at 10/100/1000 instead of only 10/100.


Next we will see a simple Internet access scenario that will help us understand the basic steps needed to set up an ASA 5510. Assume we are assigned the static public IP address 100.100.100.1 by our ISP. Also, the internal LAN belongs to subnet 192.168.10.0/24. Interface Ethernet0/0 will be connected to the outside (towards the ISP), and Ethernet0/1 will be connected to the inside LAN switch.

The firewall will be configured to supply IP addresses dynamically (using DHCP) to the internal hosts. All outbound communication (from inside to outside) will be translated using Port Address Translation (PAT) on the outside public interface (Step 4).

Required configuration steps for this basic scenario:

Step 1: Configure a privileged level password (enable password)
By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed for subsequent access to the appliance. Configure this in configuration mode:

ASA5510(config)# enable password mysecretpassword


Step 2: Configure the public outside interface
ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# nameif outside
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5510(config-if)# no shut


Step 3: Configure the trusted internal interface
ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut

Step 4: Configure PAT on the outside interface
ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0

Step 5: Configure Default Route towards the ISP (assume default gateway is 100.100.100.2)
ASA5510(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1

Step 6: Configure the firewall to assign internal IP and DNS address to hosts using DHCP
ASA5510(config)# dhcpd dns 200.200.200.10
ASA5510(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside

This is a basic configuration in order to make the appliance operational. There are many more configuration features that you need to implement to increase the security of your network, such as Static and Dynamic NAT, Access Control Lists to control traffic flow, DMZ zones, VPN etc.
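As an added example (not part of the original post), the following Python preflight checks the six steps above for the consistency mistakes that usually stop such a build from passing traffic: a default gateway that is not on the outside subnet, a DHCP pool that leaves the inside subnet or overlaps the inside interface address, overlapping inside/outside subnets, and an outside security-level that is not below inside. The addresses are the scenario's own; the plan layout and the function names are this example's, not ASA syntax.

```python
import ipaddress

# The scenario's values, laid out as plain data (the layout is this example's, not ASA syntax).
ASA_PLAN = {
    "outside": {"ip": "100.100.100.1", "mask": "255.255.255.252", "level": 0},
    "inside": {"ip": "192.168.10.1", "mask": "255.255.255.0", "level": 100},
    "default_gw": "100.100.100.2",
    "dhcp_if": "inside",
    "dhcp_range": ("192.168.10.10", "192.168.10.200"),
}

def iface_net(iface):
    """Interface address with its mask, e.g. 192.168.10.1/24."""
    return ipaddress.ip_interface(f"{iface['ip']}/{iface['mask']}")

def preflight(plan):
    """Return the list of inconsistencies found; an empty list means the plan is sound."""
    problems = []
    outside, inside = iface_net(plan["outside"]), iface_net(plan["inside"])
    # Overlapping subnets make the PAT rule and the default route ambiguous.
    if outside.network.overlaps(inside.network):
        problems.append("inside and outside subnets overlap")
    # 'route outside 0.0.0.0 0.0.0.0 <gw>' needs a next hop on the outside subnet, not the ASA itself.
    gw = ipaddress.ip_address(plan["default_gw"])
    if gw not in outside.network or gw == outside.ip:
        problems.append("default gateway is not a usable address on the outside subnet")
    # By default traffic is only allowed from a higher to a lower security-level, so
    # inside (100) -> outside (0) works; reversed levels silently block outbound PAT.
    if plan["outside"]["level"] >= plan["inside"]["level"]:
        problems.append("outside security-level must be lower than inside")
    # 'dhcpd address <lo>-<hi> inside' must stay within the inside subnet and skip the ASA's own address.
    pool_if = iface_net(plan[plan["dhcp_if"]])
    lo, hi = (ipaddress.ip_address(a) for a in plan["dhcp_range"])
    if lo > hi or lo not in pool_if.network or hi not in pool_if.network:
        problems.append(f"dhcpd address range is outside the {plan['dhcp_if']} subnet")
    elif lo <= pool_if.ip <= hi:
        problems.append(f"dhcpd address range overlaps the {plan['dhcp_if']} interface address")
    return problems

def with_change(plan, key, value):
    """Copy of the plan with one top-level key replaced, to try a variation."""
    changed = dict(plan)
    changed[key] = value
    return changed
```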

Wednesday, February 13, 2013

Using Cisco alias exec commands

Building a common alias list always helps when using multiple commands for studying. This is especially helpful with common show commands that can wear on your hands ... and your time limit. Here is an alias list. The cool thing about aliases is that you can use them in configuration mode, and you can also append to the base commands.

For example:

R1(config)#do sir 192.168.0.0
R1(config)#do srs router eigrp

alias exec srb show run | begin
alias exec sri show run | include
alias exec srs show run | section

alias exec sir show ip route
alias exec siib show ip interface brief
alias exec sis show interfaces status

alias exec sib show ip bgp
alias exec sibs show ip bgp summary
alias exec sibn show ip bgp neighbor

alias exec sio show ip ospf
alias exec sion show ip ospf neighbor
alias exec sioi show ip ospf interface
alias exec siod show ip ospf database

alias exec siet show ip eigrp topology
alias exec siei show ip eigrp interface
alias exec sien show ip eigrp neighbor

alias exec sird show ip rip database

Wednesday, February 6, 2013

SPAN On Cisco Catalyst Switches - Monitor & Capture Network Traffic/Packets

Thanks to www.firewall.cx for providing the context of this article. I've actually had to set up a SPAN port when setting up the Enterasys Dragon IPS/IDS. This setup allowed all internet-based traffic to be copied onto the analyzer and sent us admins any notifications on suspicious traffic. Very useful!

 

SPAN Terminology

  • Ingress Traffic: Traffic that enters the switch
  • Egress Traffic: Traffic that leaves the switch
  • Source (SPAN) port: A port that is monitored
  • Source (SPAN) VLAN: A VLAN whose traffic is monitored
  • Destination (SPAN) port: A port that monitors source ports. This is usually the point to which a network analyzer is connected.
  • Remote SPAN (RSPAN): When Source ports are not located on the same switch as the Destination port. RSPAN is an advanced feature that requires a special VLAN to carry the monitored traffic and is not supported by all switches.


Source SPAN ports are monitored for received (RX), transmitted (TX) or bidirectional (both) traffic. Traffic entering or exiting the Source SPAN ports is mirrored to the Destination SPAN port. Typically, you would connect a PC with a network analyzer (Wireshark or Colasoft) to the Destination SPAN port, and configure it to capture and analyze the traffic.
The amount of information you can obtain from a SPAN session really depends on how well the captured data can be interpreted and understood. Tools such as Capsa Enterprise will not only show the captured packets but automatically diagnose problems such as TCP retransmissions, DNS failures, slow TCP responses, ICMP redirect messages and much more. These capabilities help any engineer to quickly locate network problems which otherwise could not be easily found.

Limitations of Source Ports

A source port has the following characteristics:
  • It can be any port type such as EtherChannel, Fast Ethernet, Gigabit Ethernet and so forth.
  • It can be monitored in multiple SPAN sessions.
  • It cannot be a destination port (that's where the packet analyzer is connected).
  • Each source port can be configured with a direction (ingress, egress, or both) to monitor. For EtherChannel sources, the monitored direction applies to all physical ports in the group.
  • Source ports can be in the same or different VLANs.
  • For VLAN SPAN sources, all active ports in the source VLAN are included as source ports.

 

Limitations of Destination Ports

Each SPAN session must have a destination port that receives a copy of the traffic from the source ports and VLANs.
A destination port has these characteristics:
  • A destination port must reside on the same switch as the source port (for a local SPAN session).
  • A destination port can be any Ethernet physical port.
  • A destination port can participate in only one SPAN session at a time.
  • A destination port in one SPAN session cannot be a destination port for a second SPAN session.
  • A destination port cannot be a source port.
  • A destination port cannot be an EtherChannel group.

Limitations of SPAN on Cisco Catalyst Models

Following are the limitations of SPAN on various Cisco Catalyst switches:
  • Cisco Catalyst 2950 switches can only have one SPAN session active at a time and can monitor source ports only; these switches cannot monitor a source VLAN.
  • Cisco Catalyst switches can forward traffic on a destination SPAN port in Cisco IOS 12.1(13)EA1 and later.
  • Cisco Catalyst 3550, 3560 and 3750 switches can support up to two SPAN sessions at a time and can monitor source ports as well as VLANs.
  • The Catalyst 2970, 3560, and 3750 Switches do not require the configuration of a reflector port when you configure an RSPAN session.
  • The Catalyst 3750 Switches support session configuration with the use of source and destination ports that reside on any of the switch stack members.
  • Only one destination port is allowed per SPAN session and the same port cannot be a destination port for multiple SPAN sessions. Therefore, you cannot have two SPAN sessions that use the same destination port.

Configuring SPAN On Cisco Catalyst Switches

Our test-bed was a Cisco Catalyst 3550 Layer 3 switch; however, the commands used are fully supported on all Cisco Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750, 3750-E and 4507R Series Switches.
The diagram below represents a typical network setup where there is a need to monitor traffic entering (Ingress) and exiting (Egress) the port to which the router connects (FE0/1). This strategically selected port essentially monitors all traffic entering and exiting our network.



Since router R1 connects to the 3550 Catalyst switch on port FE0/1, this port is configured as the Source SPAN port. Traffic copied from FE0/1 is to be mirrored out FE0/24 where our monitoring workstation is waiting to capture the traffic.

Because serious network procedures require serious tools, we opted to work with Colasoft's Capsa Enterprise edition, our favourite network analyser. With Capsa Enterprise, we were able to capture all packets at full network speed and easily identify the TCP sessions and data flows we were interested in. If you haven't tried Capsa Enterprise yet, we would highly recommend you do so by visiting Colasoft's website and downloading a copy.
Once we have our network analyser setup and running, the first step is to configure FastEthernet 0/1 as a source SPAN port:
 
Catalyst-3550(config)# monitor session 1 source interface fastethernet 0/1

Next, configure FastEthernet 0/24 as the destination SPAN port:
 
Catalyst-3550(config)# monitor session 1 destination interface fastethernet 0/24

After entering both commands, we noticed the destination SPAN port's LED (FE0/24) began flashing in synchronisation with FE0/1's LED – expected behaviour, considering all FE0/1 packets were being copied to FE0/24.
Confirming the monitoring session and operation requires one simple command, show monitor session 1:

Catalyst-3550# show monitor session 1
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Fa0/1
Destination Ports : Fa0/24
    Encapsulation : Native
          Ingress : Disabled

To display the detailed information from a saved version of the monitor configuration for a specific session, issue the show monitor session 1 detail command:
 
Catalyst-3550# show monitor session 1 detail
Session 1
---------
Type              : Local Session
Source Ports      :
    RX Only       : None
    TX Only       : None
    Both          : Fa0/1
Source VLANs      :
    RX Only       : None
    TX Only       : None
    Both          : None
Source RSPAN VLAN : None
Destination Ports : Fa0/24
    Encapsulation : Native
          Ingress : Disabled
Reflector Port    : None
Filter VLANs      : None
Dest RSPAN VLAN   : None
 
Notice how the Source Ports section shows Fa0/1 for the row named Both. This means that we are monitoring both RX & TX packets for Fa0/1, while the Destination Port is set to Fa0/24.
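As an added example (not from the original article), the Python below parses show monitor session output like the listings above into a session record and then applies the source/destination rules listed earlier (one destination per session, a destination is never a source or an EtherChannel, a port is the destination of only one session, and the per-model session limits) to a set of sessions, so a planned change can be checked before it is typed in. The sample output is constructed to match the format shown above; the function names are this example's.

```python
import re

# Maximum concurrent SPAN sessions per platform, from the limits listed above.
MAX_SESSIONS = {"2950": 1, "3550": 2, "3560": 2, "3750": 2}

def parse_show_monitor(text):
    """Turn 'show monitor session N' output into {'session', 'sources', 'destinations'}."""
    session, in_ports = {"session": None, "sources": {}, "destinations": []}, False
    for line in text.splitlines():
        m = re.match(r"Session (\d+)", line)
        if m:
            session["session"] = int(m.group(1))
        elif re.match(r"Destination Ports\s*:", line):
            ports = line.split(":", 1)[1].split(",")
            session["destinations"] = [p.strip() for p in ports if p.strip()]
            in_ports = False
        elif re.match(r"Source (Ports|VLANs|RSPAN)", line):
            in_ports = line.startswith("Source Ports")  # VLAN sources are not ports
        elif in_ports:
            m = re.match(r"\s+(RX Only|TX Only|Both)\s*:\s*(.+)", line)
            if m and m.group(2).strip() != "None":
                for port in m.group(2).split(","):
                    session["sources"][port.strip()] = m.group(1)
    return session

def check_sessions(sessions, model):
    """Apply the session and destination-port rules above to parsed sessions."""
    problems, limit = [], MAX_SESSIONS.get(model)
    if limit is not None and len(sessions) > limit:
        problems.append(f"Catalyst {model} supports at most {limit} SPAN session(s)")
    all_sources = {p for s in sessions for p in s["sources"]}
    seen = {}
    for s in sessions:
        if len(s["destinations"]) != 1:
            problems.append(f"session {s['session']}: exactly one destination port required")
        for d in s["destinations"]:
            if d.startswith("Po"):  # Po = port-channel, i.e. an EtherChannel group
                problems.append(f"session {s['session']}: destination {d} is an EtherChannel")
            if d in all_sources:
                problems.append(f"session {s['session']}: destination {d} is also a source port")
            if d in seen:
                problems.append(f"destination {d} used by sessions {seen[d]} and {s['session']}")
            seen[d] = s["session"]
    return problems
# Constructed sample modelled on the output shown above; not a capture from a real switch.
SAMPLE = """Session 1
Source Ports      :
    Both          : Fa0/1
Destination Ports : Fa0/24
"""
```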