TACACSGUI and Aruba AirWave TACACS

TACACSGUI (https://tacacsgui.com) is a free open-source TACACS server with a robust interface. When setting up TACACS on an Aruba AirWave, if you are using TACACSGUI (or even the Cisco equivalent), normal TACACS users are unable to log on. I did not have any issues like this when I set up TACACS for Aruba Mobility Masters and Mobility Controllers; I only ran into this with Aruba AirWave. AirWave’s interface looked a lot older in design compared to Mobility Master and Mobility Controllers. You need to create an admin role (or service in TACACSGUI) for the user to authenticate, as AirWave is expecting a specific role.

Currently, as of 1/10/22, TACACSGUI does not have a predefined service or role for Aruba AirWave, so I had to create one manually.

In TACACSGUI, go to Access Control, then Services. Under Services, click the Add button to define a new service.

For the service name, you can call it whatever you like; I called mine Aruba-Airwave-access. I then selected “Only manual configuration”. In the manual configuration, enter the following:

service = AMP { set role = Admin }

Once that is entered, you can save the Service (role). Next you need to add the new service (role) to a user in TACACSGUI.

Below is where you add the newly created service (role) to the user. A user can have more than one service (role) in TACACSGUI. In the picture below, this user has only one service associated with them. For example, my user has services (roles) for AirWave, Juniper, and Cisco shell access with a specific privilege level specified.

Here is a picture showing the TACACS configuration settings in Aruba Airwave:

Using Ansible to track down the exact switch port a MAC address is connected to

I have a group of switches on which users keep asking me to locate a MAC address, in order to trace down the exact port and move that port into a new VLAN. Rather than logging into each switch and tracking down the one where the MAC resides, I created a basic Ansible playbook to help me with this. It has been a huge time saver. Hopefully it can help someone else (it helps if your switch ports have descriptions):

---
- name: Find mac address in sec-switches
  hosts: sec-switch
  gather_facts: false
  connection: local
  vars_prompt:
    - name: mac
      prompt: What is the mac address?
      private: no

  tasks:
    - name: debugging
      ansible.builtin.debug:
        msg: 'Searching for {{ mac }}'

    # Ask every switch in the group for the mac-table line holding this MAC
    - name: search
      ios_command:
        commands:
          - "show mac address-table | include {{ mac }}"
      register: printout

    # Cut off the leading VLAN, MAC and type columns by counting
    # space-separated fields, leaving the port name (plus its padding)
    - set_fact:
        intf: |
          {{printout.stdout_lines[0] |
            map('regex_replace','^(?:[^ ]*\ ){12}([^ ]*)') |
            list }}

    # Look up the description of that port; strip() removes the padding
    - name: show int desc
      ios_command:
        commands:
          - "sh interfaces description | inc {{ intf[0].strip() }}"
      register: printout2

    - name: View output
      debug:
        var: printout2

<Snippet of output>

ok: [switch9] => {
    "printout2": {
        "changed": false,
        "failed": false,
        "stdout": [
            "Gi1/0/42                       up             up       SEG 12 "
        ],
        "stdout_lines": [
            [
                "Gi1/0/42                       up             up       SEG 12 "
            ]
        ]
    }
}

ok: [switch20] => {
    "printout2": {
        "changed": false,
        "failed": false,
        "stdout": [
            "Gi1/0/25                       up             up       UPLINK"
        ],
        "stdout_lines": [
            [
                "Gi1/0/25                       up             up       UPLINK"

Special shout out to rajthecomputerguy, who helped me by suggesting:

Use strip() method to get rid of whitespace debug: var: intf[0].strip() 
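The playbook's parsing step, redone in plain sh/awk as an added example (this is not code from the original post) so it can be checked offline. The switch output below is constructed, as are the file name and MAC addresses. Beyond what the playbook does, it normalises whatever MAC format the user types (IOS's "| include" only matches the dotted aabb.ccdd.eeff form), matches the MAC column exactly rather than as a substring, takes the port as the last field instead of counting spaces, and handles the switch that does not know the MAC at all.

```shell
#!/bin/sh
# Added example, not part of the original post: the playbook's parsing step
# redone in sh/awk so it can be checked offline. Switch output below is
# constructed. It also normalises whatever MAC format the user types, because
# IOS's "| include" only matches the dotted aabb.ccdd.eeff form.
set -eu

# Constructed "show mac address-table" output from one switch.
SAMPLE_MAC_TABLE='          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    aabb.ccdd.eeff    DYNAMIC     Gi1/0/42
 200    0011.2233.4455    DYNAMIC     Gi1/0/25
 300    0011.2233.4455    DYNAMIC     Gi1/0/25
All     0100.0ccc.cccc    STATIC      CPU
Total Mac Addresses for this criterion: 4'

# Constructed "show interfaces description" output from the same switch.
SAMPLE_INT_DESC='Interface                      Status         Protocol Description
Gi1/0/25                       up             up       UPLINK
Gi1/0/42                       up             up       SEG 12
Gi1/0/43                       down           down     spare'

# aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff -> aabb.ccdd.eeff
# Returns 1 (prints nothing) unless exactly 12 hex digits remain.
normalize_mac() {
  hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
  case "$hex" in
    *[!0-9a-f]*|"") return 1 ;;
  esac
  [ "${#hex}" -eq 12 ] || return 1
  printf '%s.%s.%s\n' "$(printf '%s' "$hex" | cut -c1-4)" \
                      "$(printf '%s' "$hex" | cut -c5-8)" \
                      "$(printf '%s' "$hex" | cut -c9-12)"
}

# Ports a MAC is learned on. The MAC column is compared exactly (a
# "| include" substring match would also hit partial input) and the port
# is the last field, whatever the column widths. A MAC seen in several
# VLANs on one port is reported once. Returns 1 if not on this switch.
ports_for_mac() {
  mac=$(normalize_mac "$1") || return 1
  out=$(printf '%s\n' "$2" | awk -v m="$mac" '$2 == m { print $NF }' | sort -u)
  [ -n "$out" ] || return 1
  printf '%s\n' "$out"
}

# Description column for a port: everything from field 4 on, since
# descriptions may contain spaces.
describe_port() {
  printf '%s\n' "$2" | awk -v p="$1" '$1 == p {
    d = ""; for (i = 4; i <= NF; i++) d = d (i > 4 ? " " : "") $i; print d }'
}

# What the playbook does per switch: MAC -> port -> description. An UPLINK
# description means the MAC is behind another switch, as with switch20 in
# the post's output.
trace_mac() {
  port=$(ports_for_mac "$1" "$SAMPLE_MAC_TABLE" | head -n 1)
  [ -n "$port" ] || { echo "MAC not learned on this switch" >&2; return 1; }
  desc=$(describe_port "$port" "$SAMPLE_INT_DESC")
  case "$desc" in
    *UPLINK*|*uplink*) printf '%s %s (behind another switch)\n' "$port" "$desc" ;;
    *)                 printf '%s %s\n' "$port" "$desc" ;;
  esac
}

# Usage: sh find_mac.sh aa:bb:cc:dd:ee:ff   (find_mac.sh is a placeholder name)
if [ -n "${1-}" ]; then trace_mac "$1"; fi
```

In the playbook, a switch that does not hold the MAC makes `intf[0]` fail on an empty list, and an uplink hit still has to be recognised by eye from the description; the two functions above return a non-zero status and an explicit hint for those cases instead.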

Troubleshooting ASA rules with packet-tracer command (Am I blocked by a rule)

Recently I was at a client site where I had created new access rules that looked good and should have been working. To troubleshoot why my rules were not working, I used the packet-tracer command for testing (IPs have been changed). I was able to find another rule that was blocking me. Once I removed that rule, I retested with packet-tracer satisfactorily and I was able to access the server externally.

fw5540(config)# packet-tracer input outside tcp 8.8.8.8 80 10.192.37.242 3389

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SC_Stock
nat (dmz,outside) static SC_Stock_External
Additional Information:
NAT divert to egress interface dmz
Untranslate test_External/3389 to 192.168.1.82/3389

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any log
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So, as you can see, the SC_Stock rules were blocking me.
***************************************************************

Below I retested satisfactorily:
fw5540# packet-tracer input outside tcp 8.8.8.8 80 10.192.37.242 3389

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SVR_NT4
nat (inside,outside) static 10.192.37.242 service tcp 3389 3389
Additional Information:
NAT divert to egress interface inside
Untranslate 10.192.37.242/3389 to WEBSVR1/3389

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any4 object SVR_NT4 eq 3389
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network SVR_NT4
nat (inside,outside) static 10.192.37.242 service tcp 3389 3389
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 139687922, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Setting up AnyConnect VPN’s on the Cisco ASA 5508x (FTD)

This was done on FTD version 6.2.3-83.

Everything I have found on the Cisco FTD is outdated, and the latest FTM interface looks nothing like the articles I have seen on the net. Below is a picture of my interface.

  1. In the Top Menu (Monitoring, Policies, Objects, Device), select Device.
  2. I then selected Remote Access VPN.
  3. Create a Connection Profile name (I entered the client domain-VPN).
  4. For AD Realm/Directory, I selected the Realm I created earlier.
  5. I then downloaded anyconnect-win-4.5.05030-webdeploy-k9.pkg for Windows clients from Cisco.com, uploaded it to the ASA and selected Next.
  6. For the Device Identity certificate, I selected “Create New Internal Certificate”.
  7. I then selected “Upload Certificate and Key” and entered the certificate and key I created earlier.
  8. For the outside interface, I selected my external interface.
  9. I then entered the FQDN of my external IP. If you don’t have an FQDN for your external IP, you should get one; it will make your life easier.
  10. For the address pool, I created a new network, e.g. 192.168.9.0/24 (I didn’t use IPv6).
  11. For DNS and domain name, I entered my internal DNS servers and internal domain name and selected Next.
  12. I set the VPN as NAT Exempt.
  13. Selected my inside interface, entered my inside network, selected Next and finished.

Creating a CSR for a Cisco ASA 5508-x running FTD (via FTM)

This was done on FTD version 6.2.3-83.

  1. The ASA was unable to create a CSR, so I took care of that on my Linux PC using openssl. You can also get help with that from this page: https://www.digicert.com/easy-csr/openssl.htm
  2. Once I had the CSR, I submitted it to GoDaddy and they sent me back two files.
  3. I combined the two files into one by running the following in a Linux terminal: cat whatever.crt gd_bundle.crt > combined.crt
  4. I then kept combined.crt along with my domain.key (created during the CSR step) in a known directory for later use with the ASA.
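The openssl side of those four steps, with the checks worth running before the combined file is uploaded to the device, as an added example (this is not code from the original post). The hostname vpn.example.com and all file names are placeholders, and because no commercial CA can be called from a script, step 2 is stood in for by a throwaway root that signs the CSR locally; that part exists only so the chain checks have something to run against.

```shell
#!/bin/sh
# Added example, not from the original post: key + CSR with openssl, then
# the issued certificate and the CA bundle assembled into the single file
# the FTD import expects, with sanity checks. The "issuer" here is a
# constructed throwaway CA standing in for GoDaddy; hostnames and file
# names are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: private key and CSR in one go. -nodes leaves domain.key
# unencrypted, which the "Upload Certificate and Key" form needs. The SAN
# matters: AnyConnect clients match the VPN FQDN against it, not the CN.
make_csr() {
  fqdn="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/domain.key" -out "$WORKDIR/domain.csr" \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" >/dev/null 2>&1
  # The CSR's own signature must verify before it goes anywhere.
  openssl req -in "$WORKDIR/domain.csr" -noout -verify >/dev/null 2>&1
}

# The key you keep must be the one the CSR (and so the issued certificate)
# was built from: compare the public-key digests.
key_matches_csr() {
  k=$(openssl pkey -in "$WORKDIR/domain.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl req -in "$WORKDIR/domain.csr" -pubkey -noout 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-in for step 2 ("submit the CSR, get two files back"): a constructed
# throwaway root signs the CSR, yielding whatever.crt (leaf) and
# gd_bundle.crt (chain). Example scaffolding only, never for a real VPN.
fake_issuer() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/gd_bundle.crt" \
    -subj "/CN=Example Test Root (constructed)" >/dev/null 2>&1
  openssl x509 -req -in "$WORKDIR/domain.csr" -sha256 -days 2 \
    -CA "$WORKDIR/gd_bundle.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -out "$WORKDIR/whatever.crt" >/dev/null 2>&1
}

# Step 3 from the post: leaf first, then the intermediate/root bundle.
combine_chain() {
  cat "$WORKDIR/whatever.crt" "$WORKDIR/gd_bundle.crt" > "$WORKDIR/combined.crt"
}

# Before uploading: the first PEM block in combined.crt must be the leaf
# for the given FQDN (devices take the first block as their identity) and
# the leaf must verify against the bundle that follows it.
chain_is_sane() {
  fqdn="$1"
  first_subject=$(openssl x509 -in "$WORKDIR/combined.crt" -noout -subject)
  case "$first_subject" in
    *"CN = $fqdn"*|*"CN=$fqdn"*) ;;
    *) echo "first certificate is not the leaf: $first_subject" >&2; return 1 ;;
  esac
  openssl verify -CAfile "$WORKDIR/gd_bundle.crt" "$WORKDIR/whatever.crt" >/dev/null 2>&1
}

run_all() {
  fqdn="${1:-vpn.example.com}"   # placeholder FQDN
  make_csr "$fqdn" && key_matches_csr && fake_issuer && combine_chain && chain_is_sane "$fqdn"
}

# Usage: sh csr_chain.sh vpn.example.com   (csr_chain.sh is a placeholder name)
if [ -n "${1-}" ]; then run_all "$1" && echo "combined.crt in $WORKDIR is ready to upload"; fi
```

With a real CA, skip `fake_issuer`, drop the returned leaf and bundle into the work directory under the same two names, and run `combine_chain` and `chain_is_sane` as written; a chain that fails the second check usually has the bundle before the leaf or a leaf issued for a different CSR than the key you kept.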

Please check out my related article:

Setting up AnyConnect VPN’s on the Cisco ASA 5508x (FTD)

Creating an AD Realm on a Cisco ASA 5508-x running FTD (via FTM)

This was done on FTD version 6.2.3-83.

  1. In the Top Menu (Monitoring, Policies, Objects, Device), select Objects.
  2. Under the Object types side menu, select Identity Realm.
  3. Enter a Realm name (I entered the client domain).
  4. For me, Type: Active Directory was grayed out (it was my only choice anyway).
  5. For Base DN, I entered: dc=example,dc=com
  6. For AD Primary Domain, I entered our domain name.
  7. For Hostname, I entered the IP of the AD server and left the port at the default of 389.
  8. I left encryption as None. I then tested satisfactorily and saved the config.

Please check out my related article:

Setting up AnyConnect VPN’s on the Cisco ASA 5508x (FTD)

Issue with Barracuda Spam firewalls and Cisco PIX/ASA

I was working on a client’s Barracuda to receive mail directly through the Barracuda rather than their current setup.

I was able to remove the SMTP fixup from the ASA by adding the following to the config via the CLI: no fixup protocol smtp 25

For more on this you can read: https://blogs.it.ox.ac.uk/networks/2009/11/26/cisco-firewall-smtp-fixup-considered-harmful/

(1) “Why can’t anyone send mail to my Barracuda Spam & Virus Firewall over TLS, even though I have it enabled?”
—————————————————————————-

Solution #00003659

Scope:
All Barracuda Spam & Virus Firewalls in use with Cisco network hardware, all firmware versions.

Answer:
If enabled, the Barracuda Spam & Virus Firewall will advertise TLS (secure connection availability) for all incoming SMTP connections (for information on configuring this, see Solution #00000992). It’s possible the sending mail servers aren’t electing to send mail over TLS.

If it’s been configured correctly and the sending servers are trying to send mail over TLS, the problem could be that a device between the sending servers and the Barracuda Spam & Virus Firewall is interfering. For instance, a Cisco PIX firewall with the “SMTP Fixup protocol” enabled will mask the 250-STARTTLS echo reply from the Barracuda Spam & Virus Firewall, preventing the sending mail server from realizing that sending mail using a secure connection is an option. The only solution in this case is to disable the “SMTP Fixup protocol” on the Cisco PIX firewall (for instructions on how to do this, click here).

 

Cisco ASA firewalls may also interfere with the 250-STARTTLS SMTP response, but they can be explicitly configured to support ESMTP over TLS. If you are using a Cisco ASA firewall, click here for instructions on how to enable this functionality.

Additional Notes:

The Cisco PIX “SMTP Fixup protocol” can cause other problems when used with the Barracuda Spam & Virus Firewall. For more information, see Solution #00001728.

Link to This Page:
http://www.barracuda.com/kb?id=50160000000HQ7J
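The symptom the KB article describes is easy to confirm from your own mail server: capture the EHLO reply once directly on the inside and once from an outside host, and compare the capability lists. The sh/awk below does that comparison as an added example (it is not code from the post or from Barracuda). Both EHLO replies are constructed samples; how a particular firewall rewrites the lines it masks varies, so the check looks only at which capabilities disappear.

```shell
#!/bin/sh
# Added example, not from the post or from Barracuda's KB: compare the
# EHLO reply seen directly at the mail server with the one seen through
# the firewall and report every capability the path masked. Both replies
# below are constructed samples.
set -eu

# EHLO reply as the mail server itself sends it (constructed).
EHLO_DIRECT='250-mail.example.com Hello client.example.net [192.0.2.10]
250-PIPELINING
250-SIZE 52428800
250-STARTTLS
250-8BITMIME
250 DSN'

# The same reply as a remote sender sees it through SMTP fixup/inspection
# (constructed): extension lines the firewall does not pass are masked.
EHLO_THROUGH_FW='250-mail.example.com Hello client.example.net [192.0.2.10]
250-XXXXXXXXXX
250-SIZE 52428800
250-XXXXXXXX
250-XXXXXXXX
250 DSN'

# Capability keywords advertised in an EHLO reply, one per line, sorted.
# The first line is the greeting and is skipped; parameters (e.g. the SIZE
# limit) are dropped so only the keyword remains.
ehlo_capabilities() {
  printf '%s\n' "$1" | awk 'NR > 1 && /^250[- ]/ {
    split(substr($0, 5), f, " "); print toupper(f[1]) }' | LC_ALL=C sort
}

# Does STARTTLS survive the path? Status 0 if advertised, 1 if not.
starttls_advertised() {
  ehlo_capabilities "$1" | grep -qx STARTTLS
}

# Capabilities present in the direct reply but absent from the reply seen
# through the firewall; prints nothing when the path is transparent.
masked_capabilities() {
  seen=$(ehlo_capabilities "$2")
  ehlo_capabilities "$1" | while IFS= read -r cap; do
    printf '%s\n' "$seen" | grep -qx "$cap" || printf '%s\n' "$cap"
  done
}

# Live captures to feed the functions (mail.example.com is a placeholder):
#   printf 'EHLO probe.example.net\r\nQUIT\r\n' | nc -w 5 mail.example.com 25 > inside.txt
# run once from the inside and once from an outside host, then:
#   sh ehlo_diff.sh inside.txt outside.txt   (ehlo_diff.sh is a placeholder name)
if [ -n "${1-}" ] && [ -n "${2-}" ]; then
  masked_capabilities "$(cat "$1")" "$(cat "$2")"
fi
```

If STARTTLS is in the masked list, senders will fall back to cleartext exactly as the article says, and the fix belongs on the firewall (the fixup or ESMTP inspection), not on the Barracuda.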