Friday, November 18, 2016

Allow Pings (ICMP) & Traceroutes through Cisco ASA Firewalls

ASA firewalls do not allow ICMP traffic to pass through their interfaces by default. For production scenarios that is the safer behaviour, but for lab purposes and for verifying implementations you will need the firewall to allow it.

How is ICMP blocked by the firewall?

It is done by the inspection rules under the default service policy. The ASA remembers the traffic that passes through it from higher security zones to lower security zones so that the return traffic is allowed back in; this is called stateful inspection. Inspection rules define which traffic to inspect, and by default ICMP is not in that list, so the ASA does not remember outgoing ICMP traffic and the return traffic is not allowed to pass through.

Note that "from higher security zones to lower security zones" is emphasised because if the security levels are equal, the traffic does not need to be inspected and any traffic will pass through. But even between zones of the same security level, your pings will be dropped, because routing traffic between interfaces/zones on the same security level is disabled by default on the ASA.

Allow ICMP through Interfaces/Zones of Different Security Levels

Go to ASDM > Configuration > Firewall > Service Policy Rules

You can see the global default service policy applied with 13 inspection rules.

Hover the mouse pointer over the rule to see the traffic types that are inspected.

Now select the service policy and click Edit, or just double-click the service policy, to open Edit Service Policy Rule.

Go to Rule Actions and tick ICMP and ICMP Error.

Click OK and hit Apply.

Now pings and traceroutes will work from the INSIDE PC to the OUTSIDE PC.

Note: From OUTSIDE to INSIDE pings will never work, because the INSIDE security level is higher than the OUTSIDE security level.

Allow ICMP through Interfaces/Zones of Same Security Levels 

If the security levels are the same, there is no need to change the service policy rules.

Just go to ASDM > Device Setup > Interface Settings > Interfaces, tick Enable traffic between two or more interfaces which are configured with same security levels and hit Apply.
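For those who prefer the CLI, the following is the equivalent of both ASDM procedures above (ICMP inspection for different security levels, and inter-interface traffic for equal security levels). It is an added example, not from the original post, and it assumes the ASA's default global policy and class names (global_policy and inspection_default).

```cisco
! Equivalent of "Rule Actions > tick ICMP and ICMP Error" on the default policy.
! With these two lines the ASA tracks outgoing echo requests and lets only the
! matching echo replies and ICMP errors back in; unsolicited pings from OUTSIDE
! to INSIDE are still dropped, as the note above says.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Equivalent of the "Enable traffic between two or more interfaces which are
! configured with same security levels" checkbox. Only needed for the second
! case above; leave it out if all your interfaces have distinct security levels.
same-security-traffic permit inter-interface
!
! Verify: the ICMP inspect counters should increment while you ping through the ASA.
show service-policy inspect icmp
```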

Ping & Traceroute Output Characters Legend - Cisco IOS

Ping Command

The ping command in Cisco IOS is used to determine 3 things:
 - Connectivity or Active / Inactive state of a remote host
 - Round trip delay in communicating with a host
 - Packet Loss

The following output characters can be obtained after issuing a ping:

Traceroute Command

The traceroute command in Cisco IOS is used to determine the path that packets actually take when traveling to their destination.

The following output characters can be obtained after issuing a traceroute:

Note: The outputs of a Cisco ASA for the above basic troubleshooting commands can be slightly different. As an example, "?" in a ping command output is used to indicate a simple timeout. The default timeout to get an echo reply is 2 seconds on Cisco routers and firewalls.

Monday, November 14, 2016

Create a Low Cost Remote Access Server using a Raspberry Pi

Most of the time network engineers use a dedicated laptop with an internet connection to access and troubleshoot their networks remotely when they do not have physical access. This is what I call a Remote Access Server here (I don't know what others call it), and I am going to create a low-cost solution for this using existing software tools you know. I spent about $50 for the entire setup.

Before you go through this, go through my previous post Get Raspberry Pi into Networking to complete the basic setup needed.

Install TeamViewer & Fine Tuning

Now download TeamViewer Host for Raspberry Pi from here using the Pi's web browser.
Go to Downloads, right-click on the package and install it.

After the installation is complete, go to the desktop via TightVNC, then Menu > Internet > TeamViewer Host, accept the terms and conditions, and in the app go to Settings > Security and disable the random password from the drop-down menu.

You can enter the following command in a terminal to get the TeamViewer ID and other info from the CLI.
teamviewer info 

Now enter the following command to set a static password that will actually work.
sudo teamviewer passwd <your password>

This password will be used to log into TeamViewer later on.

Now go to the terminal and enter the following command to edit the config.txt file to change the console resolution to match your PC. The resolution of my PC is 1920x1080.
sudo nano /boot/config.txt

Now uncomment the disable_overscan=1, framebuffer_width and framebuffer_height parameters and set the values to match your resolution (1920 and 1080 in my case).

Hit Ctrl+X, then Y and Enter to save and exit.
Run sudo reboot, and after the reboot access the Pi through your PC's TeamViewer, giving the ID and password.
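The config.txt edit above is easy to get wrong by hand (a key left commented out, or set twice). The script below is an added example, not from the original post: it uncomments or replaces each of the three keys, appends a key that is missing, and checks the result. It runs against a constructed copy of config.txt so it can be tried safely; the file path and resolution are parameters.

```shell
#!/bin/sh
# set_cfg FILE KEY VALUE: make "KEY=VALUE" the active setting in a config.txt.
# A commented "#KEY=..." or an existing "KEY=..." line is replaced in place;
# if the key is absent it is appended. Assumes GNU sed (as on Raspbian).
set_cfg() {
    file=$1; key=$2; value=$3
    if grep -q "^#\{0,1\}[[:space:]]*$key=" "$file"; then
        sed -i "s|^#\{0,1\}[[:space:]]*$key=.*|$key=$value|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# set_resolution FILE WIDTH HEIGHT: the three settings described in the post.
set_resolution() {
    set_cfg "$1" disable_overscan 1
    set_cfg "$1" framebuffer_width "$2"
    set_cfg "$1" framebuffer_height "$3"
}

# check_resolution FILE WIDTH HEIGHT: succeed only if all three keys are active
# with exactly the expected values (a still-commented key does not count).
check_resolution() {
    grep -qx 'disable_overscan=1' "$1" &&
    grep -qx "framebuffer_width=$2" "$1" &&
    grep -qx "framebuffer_height=$3" "$1"
}

# Constructed sample in the style of /boot/config.txt; the real file needs sudo.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# uncomment if you get no picture on HDMI for a default "safe" mode
#hdmi_safe=1
# uncomment this if your display has a black border of unexplained origin
#disable_overscan=1
# uncomment to force a console size
#framebuffer_width=1280
#framebuffer_height=720
EOF

set_resolution "$demo_file" 1920 1080
```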

Now you can install other necessary software like Wireshark, SecureCRT or PAC Manager for SSH access, etc.

Install Wireshark

Enter the following command to download and install Wireshark:
sudo apt-get install wireshark

Hit Yes in the dialog box that prompts.

Now enter:
sudo usermod -a -G wireshark pi

Run sudo reboot, and after the reboot go to the desktop from either TeamViewer or TightVNC and go to
Menu > Internet > Wireshark

Install PuTTY and Console to a Cisco Device

Start by plugging your console cable into one of the USB ports on your Pi.

Enter the following command to install PuTTY:
sudo apt-get install putty

Time to find out which port the USB-serial cable is using. Enter:
dmesg | grep tty

Look at the last line, which says ttyUSB0; that means my Pi is using ttyUSB0.

When setting up PuTTY's serial connection, select /dev/ttyUSB0.


Make sure to change the default usernames and passwords after everything is done, because it is critical to add some security to this box, which could manage the network you work with.