Cisco ASA - How to show logged on users and disconnect them. [SOLVED]

I couldn’t find a single command that shows all logged-in users, but the following commands cover each access method:

Console

The console session cannot be listed or disconnected from the CLI.

TELNET

Only the remote IP address is shown; the ASA does not display the logged-in username for TELNET sessions.

ASA1# who
        0: 192.168.1.2
ASA1#
ASA1# kill 0
ASA1#

SSH

To see SSH users (here one user, “username”, is logged in):

ASA1# show ssh sessions

SID Client IP       Version Mode Encryption Hmac     State            Username
0   192.168.1.2     1.99    IN   aes128-cbc sha1     SessionStarted   username
                            OUT  aes128-cbc sha1     SessionStarted   username
ASA1#
ASA1# ssh disconnect 0
ASA1#

ASDM (HTTPS)

ASA1# show asdm sessions

0 192.168.1.2
ASA1#
ASA1# asdm disconnect 0
ASA1#

VPN

ASA1# show vpn-sessiondb ...

• How to kick off active VPN users (the first command logs off all clientless WebVPN sessions without asking for confirmation, the second logs off one user by name, the third lists the available selectors):

ASA1# vpn-sessiondb logoff webvpn noconfirm
ASA1# vpn-sessiondb logoff name USERNAME
ASA1# vpn-sessiondb logoff ?
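As an added example (not part of the original notes), the following Python parses the “show ssh sessions” and “who” output formats shown above and generates the matching “ssh disconnect” / “kill” commands for every session that does not originate from an allowed management network. The sample output is constructed (a second SSH user and a second TELNET client were added to the page’s single-session output), and the allowed-network policy is an assumption, not something the ASA stores.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample of "show ssh sessions" output in the layout shown on this page.
# Only the "IN" row of each session starts with the SID; the "OUT" row is indented.
SHOW_SSH_SESSIONS = """\
SID Client IP       Version Mode Encryption Hmac     State            Username
0   192.168.1.2     1.99    IN   aes128-cbc sha1     SessionStarted   username
                            OUT  aes128-cbc sha1     SessionStarted   username
1   10.0.0.77       2.0     IN   aes256-ctr sha1     SessionStarted   contractor
                            OUT  aes256-ctr sha1     SessionStarted   contractor
"""

# Constructed sample of "who" output (TELNET). As the page notes, only the remote IP is shown.
SHOW_WHO = """\
        0: 192.168.1.2
        1: 10.0.0.78
"""


@dataclass(frozen=True)
class Session:
    proto: str       # "ssh" or "telnet"
    sid: int         # index used by "ssh disconnect <sid>" or "kill <sid>"
    client_ip: str
    username: str    # empty for TELNET, the ASA does not show it


SSH_ROW = re.compile(r"^(\d+)\s+(\S+)\s+\S+\s+IN\s+\S+\s+\S+\s+\S+\s+(\S+)\s*$")
WHO_ROW = re.compile(r"^\s*(\d+):\s+(\S+)\s*$")


def parse_ssh_sessions(text):
    """Return one Session per SID from 'show ssh sessions' output (header and OUT rows skipped)."""
    sessions = []
    for line in text.splitlines():
        m = SSH_ROW.match(line)
        if m:
            sessions.append(Session("ssh", int(m.group(1)), m.group(2), m.group(3)))
    return sessions


def parse_who(text):
    """Return one Session per TELNET connection from 'who' output."""
    sessions = []
    for line in text.splitlines():
        m = WHO_ROW.match(line)
        if m:
            sessions.append(Session("telnet", int(m.group(1)), m.group(2), ""))
    return sessions


def disconnect_commands(sessions, allowed_nets):
    """Build the ASA commands that drop every session whose client is outside allowed_nets.

    allowed_nets is a hypothetical management-network policy (e.g. ["192.168.1.0/24"]).
    SSH and TELNET indexes are separate namespaces, so each gets its own command.
    """
    nets = [ip_network(n) for n in allowed_nets]
    cmds = []
    for s in sessions:
        if any(ip_address(s.client_ip) in n for n in nets):
            continue
        cmds.append(f"ssh disconnect {s.sid}" if s.proto == "ssh" else f"kill {s.sid}")
    return cmds


if __name__ == "__main__":
    found = parse_ssh_sessions(SHOW_SSH_SESSIONS) + parse_who(SHOW_WHO)
    for s in found:
        print(f"{s.proto:6} sid={s.sid} from {s.client_ip} user={s.username or '?'}")
    print("\n".join(disconnect_commands(found, ["192.168.1.0/24"])))
```

Paste the real “show ssh sessions” and “who” output into the two strings and the script prints exactly the commands to run; review them before pasting them back into the ASA, because the “who” index can shift as sessions close.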

Cisco ASA - Initial setup.

Resetting an existing configuration.

You can use either of the following two methods:

write erase
reload

Or you can restore the Factory Default Configuration using the configure factory-default command:

(config)# configure factory-default

This command also clears the boot system command, if present, along with the rest of the configuration. The boot system command lets you boot from a specific image, including an image on the external Flash memory card. The next time you reload the ASA after restoring the factory configuration, it boots from the first image in internal Flash memory; if you do not have an image in internal Flash memory, the ASA does not boot.

Or you can clear the configuration without a reload, similar to “configure replace …” in Cisco IOS:

(config)# clear configure all

I prefer the last method (note that the hostname resets too, so the prompt changes back to ciscoasa):

ASA1# conf t
ASA1(config)# clear configure all
ciscoasa(config)#

After that it is worth checking the software version and the boot variables:

ASA1# show ver | i ^Cisco
Cisco Adaptive Security Appliance Software Version 8.2(5)
ASA1# show bootvar

BOOT variable =
Current BOOT variable =
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ASA1#

Check “mode” and “context”

The ASA is in routed firewall mode and single context mode by default:

ciscoasa# show firewall
Firewall mode: Router
ciscoasa# show mode
Security context mode: single
ciscoasa#

Initializing interfaces.

ASA1# show int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           unassigned      YES unset  administratively down up
GigabitEthernet1           unassigned      YES unset  administratively down up
GigabitEthernet2           unassigned      YES unset  administratively down up
GigabitEthernet3           unassigned      YES unset  administratively down up
GigabitEthernet4           unassigned      YES unset  administratively down up
GigabitEthernet5           unassigned      YES unset  administratively down up
ASA1# sh run all int gi0
!
interface GigabitEthernet0
 shutdown
 no nameif
 no security-level
 no ip address
 delay 10
ASA1#
ASA1# conf t
ASA1(config)# interface gi0
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip address 10.0.0.40 255.255.255.0
ASA1(config-if)# no sh
ASA1(config-if)# show int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           10.0.0.40       YES manual up                    up
GigabitEthernet1           unassigned      YES unset  administratively down up
GigabitEthernet2           unassigned      YES unset  administratively down up
GigabitEthernet3           unassigned      YES unset  administratively down up
GigabitEthernet4           unassigned      YES unset  administratively down up
GigabitEthernet5           unassigned      YES unset  administratively down up
ASA1(config-if)# ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ASA1(config-if)#

No remote login (TELNET, SSH or HTTPS) is allowed by default, and no port is in the LISTENING state:

ASA1# sh run | i telnet|ssh|http
telnet timeout 5
ssh timeout 5
ASA1#
ASA1# show asp table socket

Protocol  Socket    Local Address               Foreign Address         State
ASA1#

If you want to allow remote TELNET login:

ASA1# conf t
ASA1(config)# telnet 192.168.1.0 255.255.255.0 inside
ASA1(config)# show asp table socket

Protocol  Socket    Local Address               Foreign Address         State
TCP       00092b7f  192.168.1.1:23              0.0.0.0:*               LISTEN
ASA1(config)#

Be careful here. By default TELNET packets arriving on the outside interface are dropped, whereas from inside you can log in with the default password “cisco”, which is present on this software version even though no user accounts have been configured yet.

ASA1# show asp table socket

Protocol  Socket    Local Address               Foreign Address         State
TCP       00092b7f  192.168.1.1:23              0.0.0.0:*               LISTEN
TCP       001153d8  192.168.1.1:23              192.168.1.2:47931       ESTAB
ASA1#
ASA1# show conn all
1 in use, 1 most used
TCP inside 192.168.1.2:47931 NP Identity Ifc 192.168.1.1:23, idle 0:03:29, bytes 140, flags UOB
ASA1#
ASA1# show local-host detail all
Interface dmz: 0 active, 1 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <192.168.1.2>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited

  Conn:
    TCP inside:192.168.1.2/47931 NP Identity Ifc:192.168.1.1/23,
        flags UOB, idle 1m12s, uptime 1m14s, timeout 5m0s, bytes 140
Interface outside: 0 active, 1 maximum active, 0 denied
Interface NP Identity Ifc: 1 active, 1 maximum active, 0 denied
local host: <192.168.1.1>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited

  Conn:
    TCP inside:192.168.1.2/47931 NP Identity Ifc:192.168.1.1/23,
        flags UOB, idle 1m12s, uptime 1m14s, timeout 5m0s, bytes 140
ASA1#
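As an added example (not from the original notes), this Python script parses “show asp table socket” output and flags what a hardening review cares about: cleartext management listeners, management listeners bound to an exposed interface, and live sessions on cleartext ports. The sample output is constructed from the rows shown on this page plus an HTTPS and an SSH listener; the IP-to-interface map and the list of “exposed” interfaces are assumptions supplied by the reviewer.

```python
import re
from dataclasses import dataclass

# Constructed "show asp table socket" output in the layout shown on this page, extended with
# an HTTPS listener on inside and an SSH listener on outside so the audit has contrasts.
ASP_SOCKETS = """\
Protocol  Socket    Local Address               Foreign Address         State
TCP       00092b7f  192.168.1.1:23              0.0.0.0:*               LISTEN
TCP       001153d8  192.168.1.1:23              192.168.1.2:47931       ESTAB
TCP       000a41c0  192.168.1.1:443             0.0.0.0:*               LISTEN
TCP       000b52d1  10.0.0.40:22                0.0.0.0:*               LISTEN
"""

# Which interface owns each IP the ASA listens on (taken from "show int ip bri"); assumed.
INTERFACE_OF = {"192.168.1.1": "inside", "10.0.0.40": "outside"}

ROW = re.compile(r"^(TCP|UDP)\s+[0-9a-f]+\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s*$")

# Management ports the ASA can open and how a hardening baseline treats them.
CLEARTEXT = {23: "telnet", 80: "http"}   # credentials cross the wire unencrypted
ENCRYPTED = {22: "ssh", 443: "https"}    # acceptable when limited to management hosts


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: str   # "*" for listeners
    state: str


def parse_asp_sockets(text):
    """Return one Socket per data row; the header and blank lines do not match ROW."""
    socks = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            socks.append(Socket(m.group(1), m.group(2), int(m.group(3)),
                                m.group(4), m.group(5), m.group(6)))
    return socks


def audit(sockets, interface_of, exposed_ifs=("outside",)):
    """Return (severity, message) findings for management sockets.

    A cleartext listener is always high; any management listener on an interface named in
    exposed_ifs is medium; an established session on a cleartext port is high.
    """
    findings = []
    for s in sockets:
        ifname = interface_of.get(s.local_ip, "?")
        svc = CLEARTEXT.get(s.local_port) or ENCRYPTED.get(s.local_port)
        if svc is None:
            continue   # not a management service we track
        if s.state == "LISTEN":
            if s.local_port in CLEARTEXT:
                findings.append(("high", f"{svc} listening on {ifname} "
                                 f"({s.local_ip}:{s.local_port}): cleartext management"))
            if ifname in exposed_ifs:
                findings.append(("medium", f"{svc} listening on exposed interface {ifname} "
                                 f"({s.local_ip}:{s.local_port})"))
        elif s.state == "ESTAB" and s.local_port in CLEARTEXT:
            findings.append(("high", f"active {svc} session from "
                             f"{s.remote_ip}:{s.remote_port} on {ifname}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_asp_sockets(ASP_SOCKETS), INTERFACE_OF):
        print(f"[{severity}] {message}")
```

Run it against the live output after every change to the telnet/ssh/http lines: an empty result for the outside interface and no port 23 rows is the expected baseline.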

ICMP

ICMP to the ASA’s own interfaces is open on all sides, i.e. every interface answers pings, including from outside:

ASA1# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
ASA1#

You can deny PING to the outside interface (note that “any” here covers every ICMP type, not only echo):

ASA1# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
ASA1#

Even with the default settings, hosts on inside cannot ping hosts on outside, because the returning ICMP packets are dropped:

conf t
 logging console 3
 logging enable

%ASA-3-106014: Deny inbound icmp src outside:10.0.0.201 dst inside:192.168.1.2 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:10.0.0.201 dst inside:192.168.1.2 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:10.0.0.201 dst inside:192.168.1.2 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:10.0.0.201 dst inside:192.168.1.2 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:10.0.0.201 dst inside:192.168.1.2 (type 0, code 0)

To understand why, you need to know how the ASA makes its decision:
* High security-level > Low security-level = ALLOW.
* Low security-level > High security-level:
** Check whether this is return traffic, i.e. look in the state table (show conn).
** Check the interface ACL.
** Otherwise DROP.

To see what stops the ICMP Reply it makes sense to use packet-tracer. We also need the ICMP message type table, which is available in the documentation: Cisco.com > Support > Products > Security > Firewall > ASA > 5500-X > Configuration Guides > Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 > Reference > Addresses, Protocols, and Ports.

ASA1# packet-tracer input outside icmp 10.0.0.201 0 0 192.168.1.2

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
%ASA-3-106014: Deny inbound icmp src outside:10.0.0.201 dst inside:192.168.1.2 (type 0, code 0)
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA1#

As you can see, or rather do NOT see, from the output, the point is that the packet travels from a lower security-level interface to a higher security-level one and is therefore dropped. This can be solved in two ways:

1. Enable ICMP inspection so that an entry appears in the state table (show conn), which lets the return flow through. ICMP inspection is off by default; only TCP and UDP flows are tracked statefully out of the box. The default policy can be viewed like this:

ASA1# show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
ASA1#

Add ICMP inspection:

ASA1# conf t
ASA1(config)# policy-map global_policy
ASA1(config-pmap)# class inspection_default
ASA1(config-pmap-c)# inspect icmp
ASA1(config-pmap-c)# end
ASA1#

During the ping you can watch the state table. The entry is visible only while the reply is awaited, i.e. for a very short time (literally milliseconds). You can catch it if you run something like “ping 10.0.0.201 repeat 10000” and keep re-running the command:

ASA1# show conn
1 in use, 41 most used
ICMP outside 10.0.0.201:0 inside 192.168.1.2:12, idle 0:00:00, bytes 144
ASA1#

The second solution is to write an inbound ACL on the outside interface, where none exists by default, so everything is simply dropped. Keep in mind that this permits echo-replies from any outside host statelessly, whether or not anyone inside sent a request; the inspect icmp approach only admits replies that match a tracked request.

ASA1# conf t
ASA1(config)# access-list OUTSIDE_IN permit icmp any any echo-reply
ASA1(config)# access-group OUTSIDE_IN in interface outside
ASA1(config)# end
ASA1#
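To make the decision order above concrete, here is an added Python model (not ASA code, and not from the original notes) of the three cases discussed: default settings, inspect icmp, and an inbound echo-reply ACL on outside. The Asa class, its interfaces and the packet fields are simplified assumptions; the order of checks (state table first, then the inbound ACL with its implicit deny, otherwise the security-level rule) follows the description on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    nameif: str
    security_level: int


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    icmp_type: int   # 8 = echo request, 0 = echo reply
    icmp_id: int     # identifier that pairs a reply with its request


# Simplified, ICMP-only model of the ASA forwarding decision described on this page.
class Asa:
    def __init__(self, interfaces, inspect_icmp=False):
        self.ifs = {i.nameif: i for i in interfaces}
        self.inspect_icmp = inspect_icmp   # "inspect icmp" in global_policy
        self.conns = set()                 # state table, what "show conn" lists
        self.acls = {}                     # nameif -> list of (action, icmp_type or None)
        self.log = []                      # syslog-style deny messages

    def access_group_in(self, nameif, rules):
        """Apply an inbound ACL; like a real ACL it ends in an implicit deny."""
        self.acls[nameif] = rules

    def forward(self, pkt):
        # 1. Return traffic of a tracked flow is allowed without consulting any ACL.
        if pkt.icmp_type == 0:
            request = (pkt.dst, pkt.src, pkt.icmp_id)
            if request in self.conns:
                self.conns.discard(request)   # an ICMP conn lives only until its reply arrives
                return True
        # 2. An inbound ACL on the ingress interface decides, implicit deny at the end.
        if pkt.in_if in self.acls:
            allowed = False
            for action, icmp_type in self.acls[pkt.in_if]:
                if icmp_type is None or icmp_type == pkt.icmp_type:
                    allowed = action == "permit"
                    break
        # 3. No ACL: higher security level to lower is allowed, the reverse is dropped.
        else:
            allowed = self.ifs[pkt.in_if].security_level > self.ifs[pkt.out_if].security_level
        if not allowed:
            self.log.append(
                f"%ASA-3-106014: Deny inbound icmp src {pkt.in_if}:{pkt.src} "
                f"dst {pkt.out_if}:{pkt.dst} (type {pkt.icmp_type}, code 0)")
            return False
        # 4. Only inspected protocols get a state-table entry for their return traffic.
        if self.inspect_icmp and pkt.icmp_type == 8:
            self.conns.add((pkt.src, pkt.dst, pkt.icmp_id))
        return True


def ping_scenario(inspect_icmp, outside_acl):
    """Echo request inside -> outside, then its reply. Returns (request_ok, reply_ok, denies)."""
    asa = Asa([Interface("inside", 100), Interface("outside", 0)], inspect_icmp)
    if outside_acl:
        # access-list OUTSIDE_IN permit icmp any any echo-reply / access-group OUTSIDE_IN in interface outside
        asa.access_group_in("outside", [("permit", 0)])
    req = Packet("inside", "outside", "192.168.1.2", "10.0.0.201", 8, 12)
    rep = Packet("outside", "inside", "10.0.0.201", "192.168.1.2", 0, 12)
    return asa.forward(req), asa.forward(rep), len(asa.log)


def unsolicited_reply(inspect_icmp):
    """A reply with no matching request: inspection alone still drops it."""
    asa = Asa([Interface("inside", 100), Interface("outside", 0)], inspect_icmp)
    return asa.forward(Packet("outside", "inside", "10.0.0.201", "192.168.1.2", 0, 99))


if __name__ == "__main__":
    print("default          :", ping_scenario(False, False))   # (True, False, 1)
    print("inspect icmp     :", ping_scenario(True, False))    # (True, True, 0)
    print("echo-reply ACL   :", ping_scenario(False, True))    # (True, True, 0)
    print("unsolicited reply:", unsolicited_reply(True))       # False
```

The last case is the difference between the two fixes: with inspection the reply must match a request the ASA saw go out, whereas the ACL permits any echo-reply from outside regardless of state.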

Barracuda Spam Firewall.

Brief Overview and model comparison (PDF).
Barracuda Spam Firewall - Overview > Barracuda Spam Firewall Quick Start Guide in English (PDF).
Barracuda Spam Firewall Panel Indicators, Ports, and Connectors.

To find a particular topic it is easier to download the whole documentation set (Download entire product) and then search the PDF with Ctrl+F.

Securing the Barracuda Spam Firewall - this section describes the option of authenticating administrators against a RADIUS server.

When you log in over HTTPS, the bottom of the page shows the serial number, firmware version and model:

Serial #BAR-SF-123456 EAFE
Firmware v5.0.0.020 (2011-03-03 17:09:04)
Model: 400

And here is some interesting information on how to get root on these devices.

Cisco ASA - High Availability (HA) overview.

Link High Availability

Dynamic Routing

There is a catch here (unverified): ECMP only works when the next hops of the equal-cost routes are reachable through the same physical ASA interface; if they sit behind two different interfaces, the ASA will NOT load-balance across them. This is worth verifying on a production system with the newer ASA5500-X and newer software such as 9.x, where later releases added traffic zones for exactly this case.

Reliable Static Routing

This was already described in another note.

Redundant Interfaces

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 > Configuring Interfaces > Starting Interface Configuration (ASA 5510 and Higher) > No Support for Redundant Management Interfaces:

Redundant interfaces do not support Management slot/port interfaces as members. You also cannot set a redundant interface comprised of non-Management interfaces as management-only.

A logical redundant interface consists of a pair of physical interfaces: an active and a standby interface. When the active interface fails, the standby interface becomes active and starts passing traffic. You can configure a redundant interface to increase the ASA reliability. This feature is separate from device-level failover, but you can configure redundant interfaces as well as device-level failover if desired.

The redundant interface uses the MAC address of the first physical interface that you add. If you change the order of the member interfaces in the configuration, then the MAC address changes to match the MAC address of the interface that is now listed first. Alternatively, you can assign a MAC address to the redundant interface, which is used regardless of the member interface MAC addresses. When the active interface fails over to the standby, the same MAC address is maintained so that traffic is not disrupted.

Redundant Interface Guidelines:
• You can configure up to 8 redundant interface pairs.
• All ASA configuration refers to the logical redundant interface instead of the member physical interfaces.
• You cannot use a redundant interface as part of an EtherChannel, nor can you use an EtherChannel as part of a redundant interface. You cannot use the same physical interfaces in a redundant interface and an EtherChannel interface. You can, however, configure both types on the ASA if they do not use the same physical interfaces.
• If you shut down the active interface, then the standby interface becomes active.
• Redundant interfaces do not support Management slot/port interfaces as members. You also cannot set a redundant interface comprised of non-Management interfaces as management-only.

Some quick overview
interface Redundant [num]
 member-interface [physical interface]

• Only one member interface is active at a time (unlike an EtherChannel on a Catalyst switch, which bundles all members).
• The physical members carry only physical parameters (speed, duplex, no shutdown); they must not have nameif, security-level or an IP address.
• The redundant interface carries the logical parameters (nameif, security-level, ip address, optional mac-address).
• The MAC address is taken from the first member, does not change on switchover, and can be set manually.

Configuration is straightforward
conf t
 int gi0/0
  no sh
 int gi0/1
  no sh
 int r1
  nameif outside
  security-level 0
  ip address 10.10.10.1 255.255.255.0
  member-interface gi0/0
  member-interface gi0/1
  mac-address 0000.1111.2222 (optional)

You can find test results and more HERE.

EtherChannel (port-channel)

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 > Starting Interface Configuration (ASA 5510 and Higher) > Feature History for ASA 5510 and Higher Interfaces:

The EtherChannel feature was introduced in 8.4(1).

You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.

We introduced the following commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.

Note: EtherChannel is not supported on the ASA 5505.

Node High Availability

ASA supports two types of failover:
• Active/Standby
- Active unit passes traffic
- Standby unit waits
• Active/Active
- Only supported in multiple context mode
- Both units forward traffic: contexts are grouped into failover groups, and each unit is active for the contexts in its failover group, so one unit is active for some contexts while the other is active for the rest
- If all contexts end up active on the same unit, only that unit forwards traffic

Context/Firewall

Active/standby supports:
• Single Context Mode Routed Firewall
• Single Context Mode Transparent Firewall
Active/Active supports:
• Multiple Context Mode Routed Firewall
• Multiple Context Mode Transparent Firewall

Stateless (default) / Stateful

Stateless failover (the default):
• The connection state table is not copied from active to standby, so during a switchover all connections are dropped and must be re-established.
Stateful failover:
• The active unit constantly replicates its state table (xlates, TCP, UDP, IKE and IPsec SAs (Security Associations), ARP, etc.), which is much more processor intensive than stateless failover.
• Requires either a dedicated stateful failover link or sharing the failover link.

How Standby unit monitors Active node

Standby unit monitors active in two ways:
• Failover link monitoring (Layer 2 polling through hello packets).
• Interface monitoring (inside, outside, etc).

If hello packets are not received, interface testing starts:
• Link Up/Down test.
• Network Activity test: is any traffic received on the interface?
• ARP test: ARP requests to hosts from the ARP cache.
• Broadcast Ping test.

Some useful Links about Failover

* Cisco Security Appliance Command Line Configuration Guide, Version 7.2 > Configuring Failover.
* Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 > Information About High Availability.
* CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1 > Configuring Failover.

Cisco ASA5500 - Building a small lab.

I needed to quickly build up skills on the Cisco ASA5500(-X), so the question arose of what to buy and how many. Of course a lot can be emulated, which is what I had been doing, but it is better to have real hardware at hand. To avoid wasting money I decided to limit myself to the most minimal set.

So I think one should have a pair of identical devices (to test HA/Failover), the cheapest/weakest possible, but on which most things can still be tested. A pair of ASA5510 will probably do. There is no point in buying the higher 5500 models since only performance increases, and the 5500-X are too expensive “for home”.

Pros:
• 2×5510 are part of the CCIE Security v4 lab (INE, Security Hardware Specification)
• The devices are inexpensive.
• With a pair you can test HA/Failover.

Cons:
• Software for the ASA5500 at the time of writing tops out at 9.1, whereas the ASA5500-X has 9.2 and even 9.3.

It is important to have enough DRAM from the start for the upgrade to 9.1. According to this document, the ASA5510 ships with 256MB and supports a maximum of 1GB. According to this document the ASA5510 has only one DRAM slot, so buy a 1GB module straight away: ASA5510-MEM-1GB= (~$10 each).
