GregLedet.net Adventures in networking, security, and other things

3 Aug 2010

Port Forwarding on the Cisco ASA in 8.3 from the ASDM made easy

In my last post I taught you how to forward a port on the ASA 5505 running version 8.3 from the CLI.  Some of you prefer to use the ASDM to do your changes, so I guess I'll show you how to do it from there.  The ASDM is a bit of a learning curve for someone who's used to the CLI, and most CLI guys hate a GUI with a great passion.  I can go either way.  I use the ASDM to make some changes simply because I want to learn it, and there are some guys coming into the field today who were taught on the GUI rather than a command line.

In this lesson I'm using ASDM version 6.3(1) and ASA version 8.3(1).  Since we added a web server in the last post, let's make this one an FTP server.  The FTP server's IP is the same as the web server, 10.9.8.7/24, and we're running over the standard FTP port, 21.

First off, we want to start up the ASDM and connect to the ASA.  Once there, click on the button at the top of the screen, then the button near the bottom left, and finally select near the top left.  You'll now be at a screen that looks something like this:


Now we need to create a new object, so click on "Add" under Addresses, then "Network Object".
Now we need to fill out our new window.  Once you fill out the name, IP address and description, you need to drop down the NAT box and fill it out.  Click the "Add Automatic Address Translation Rules" box, leave the type as "static" and set the translated address as the outside interface.
We now need to go to the Advanced menu from the Add Network Object window and setup the port forwarding.  The source will be inside, destination is outside.  Protocol in this instance is TCP and our port is 21, both real and mapped.
Click "OK" twice and your object will be created as well as the port forward.  Now we just need to add the access rule.  On the left side of the screen, just above the NAT Rules is your Access Rules. From there we want to click "Add" and "Access Rule".
We need to create the rule on the outside interface, coming from any IP to the FTPServer using FTP as the service.
Once you click OK, your rule is added.  You don't have to add a description like I did in the image above this one, I just did that for the hell of it.  When you click "Apply" at the bottom of the screen, the ASDM will issue the commands to the ASA.  I have preview turned on, so I can always see what commands are being sent to the device before they are actually sent.  If you followed all the steps above and you have preview turned on, you'll see the following:
And you'll notice that those are the exact 4 commands that I gave in the last post about doing it from the CLI!  Now you can forward any port you want from either the CLI or the ASDM!

On a side note, I know a lot of guys hate the ASDM.  When I was writing this post and going through all of this I was kinda upset when I saw that I had 10 pictures for 4 lines of code.  The good thing about the ASDM is that you have everything right there at your disposal and you really don't need to know the vernacular of IOS.  The drawback is that it will take you longer to get things done at first, but once you get used to it, it can be just as fast.

3 Aug 2010

Port Forwarding on the Cisco ASA in 8.3 from the CLI made easy

So it's been a month and a half since I posted an update, and it's 4:15 am right now.  I can't sleep and I found out there's another networking blog out there using the same WP theme as me, so I figured I better put something up here since it was fresh in my mind.  Well, now that the niceties are out of the way, let's get to work.

I recently added an ASA 5505 to my home network at the edge.  Obviously, when I did, all of my port forwards went to hell because the ASA is now blocking everything.  I run a web server on one of my servers here and I like to be able to access it because I keep a lot of tech manuals and other stuff on there.  Well, I went about trying to set up port forwarding the old way and learned real quick that this pops up when I do:

ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.

Yeah, that sucks.  On the new version of the ASA OS, global has gone the way of the dodo.  I did a bunch of searches on Google to figure it out and everything I ran across was very hard to decipher.  That's why I'm writing this.  You can set up a port forward in 4 quick and easy steps.  Just change the object name, IP address and port to fit your network and you'll be just fine.

In this example, we want to be able to access a web server behind the firewall.  We'll assume you are using the standard HTTP port, the web server's internal IP address is 10.9.8.7/24, and that you at least know what you're doing enough to be configuring an ASA in the first place.  I'll give you the steps, then I'll explain.

Step 1: Create a new object group for your web server.

asa5505(config)# object network Webserver

Step 2: Add the IP of the web server to the network group.

asa5505(config-network-object)# host 10.9.8.7

Step 3: Forward the port via the NAT command.

asa5505(config-network-object)# nat (inside,outside) static interface service tcp www www

Step 4: Exit back to the root and add the access list

asa5505(config)# access-list outside_access_in permit tcp any object Webserver eq www

That's it!  Now, let's explain what's going on here.  Cisco has started moving more and more towards use of object groups in their configs.  It makes things easier, especially when you have a situation where you have 20 web servers behind the firewall and you want to add 1 more in.  Rather than having to rewrite a whole bunch of ACL's, you just add the IP of the new web server into the object group and everything is done for you.  After you create the object group (in this instance a network object, you can also create service objects), you add the IP of the specific object (or objects) that you want to point to.  So here our web server is 10.9.8.7.  If you want to send port 80 to more than 1 IP on your internal network, just add more IP's to that object group.

Now is the fun part.  While we're in the object group, we need to NAT port 80 only to that specific object group, hence you're still at "asa5505(config-network-object)#" prompt.  Now type "end" to get back to the regular config terminal and we need to open that port in the ACL.  Yes, www = 80.  You can type either one and you get the same result.  If I have to go through and explain NAT, how it works and why I enter in that specific command to forward the port, then there's a possibility that I'd need to send you an invoice for my time because we would be here for a while.

This works for ANY port forward.  If you want to RDP into a machine, simply replace port 80 (all those www's you see up there) with 3389.  There is one caveat.  You can only do one port forward per object group.  So let's say that our web server is also an FTP server and you want port 21 to forward as well as port 80.  You're going to have to create a whole new object group (object network FTPServer), put the same IP in the group (host 10.9.8.7), do the nat command again (nat (inside,outside) static interface service tcp ftp ftp), exit back to the root of config, and add the access list (access-list outside_access_in permit tcp any object FTPServer eq ftp).
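The four-step recipe above (and the identical commands the ASDM post generates) as a small generator, an added example that is not code from the original posts: it emits the object, host, NAT and access-list lines for each forwarded port and enforces the one-object-per-port caveat. The object names, the `outside_access_in` ACL name and the use of `exit` to return to global config are this example's assumptions.

```python
"""ASA 8.3 port-forward generator for the four-step recipe above (CLI and ASDM
posts). Constructed example, not the post's own code: one network object per
forwarded port (the post's caveat), a static interface NAT with a service
mapping, and the access-list line, with duplicate objects and ports rejected."""
from dataclasses import dataclass

# Keywords the ASA accepts for these ports, as the post uses them; others stay numeric.
PORT_KEYWORDS = {80: "www", 21: "ftp"}


@dataclass(frozen=True)
class Forward:
    obj_name: str      # e.g. "Webserver" or "FTPServer"
    host: str          # inside address of the server, e.g. "10.9.8.7"
    port: int          # TCP port; real and mapped port are identical, as in the post
    proto: str = "tcp"


def port_token(port: int) -> str:
    return PORT_KEYWORDS.get(port, str(port))


def render_forward(fwd: Forward, acl: str = "outside_access_in") -> list:
    """Config lines for one forward: steps 1 to 4 of the post."""
    p = port_token(fwd.port)
    return [
        f"object network {fwd.obj_name}",
        f" host {fwd.host}",
        f" nat (inside,outside) static interface service {fwd.proto} {p} {p}",
        " exit",  # back to global config before adding the ACL line
        f"access-list {acl} permit {fwd.proto} any object {fwd.obj_name} eq {p}",
    ]


def render_all(forwards: list) -> list:
    """Render several forwards, enforcing one object per port and one mapping
    per outside port (a second static NAT for the same port would overlap)."""
    seen_objects, seen_ports, out = set(), set(), []
    for fwd in forwards:
        if fwd.obj_name in seen_objects:
            raise ValueError(f"object {fwd.obj_name} reused; give each forwarded port its own object")
        if (fwd.proto, fwd.port) in seen_ports:
            raise ValueError(f"{fwd.proto}/{fwd.port} is already mapped on the outside interface")
        seen_objects.add(fwd.obj_name)
        seen_ports.add((fwd.proto, fwd.port))
        out.extend(render_forward(fwd))
    return out


if __name__ == "__main__":
    # Both servers from the posts: web on 80 and FTP on 21, same inside host.
    for line in render_all([Forward("Webserver", "10.9.8.7", 80),
                            Forward("FTPServer", "10.9.8.7", 21)]):
        print(line)
```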

This should get you up and running with your port forwards in no time flat.  It is a bit of a pain in the ass to have to create a new object group for every port you want to forward, and maybe there's someone out there that's reading this right now thinking "dude, you don't have to create more than one group!  You can just do...".  Well, you need to enlighten the world with this knowledge and post it in the comments section.  And if you're too scared to do so, shoot me an email to greg(at)gregledet(dot)net.

I'd also like to thank Stefan Fouant for an excellent class today on JUNOS Switching.  I learned a lot in his class and you can learn a lot from his website.  Check it out and tell him Greg sent ya!

14 Mar 2010

A message about security

When I originally started this blog, it was entitled "Adventures in Networking" and it dealt primarily with networking and, more specifically, Cisco network security.  Since that time I've written about everything from hurricanes to hacking a Western Digital NAS device and giving a $50 Linksys router the power of a $500 Cisco box.  Lately, I've been posting how-to's for all kinds of stuff and it's time to take a step back and talk about security for a little bit.

A web hosting client of mine got his site hacked in the past couple of days.  About a year ago, I installed phpBB3 for him and set up his domain on my server.  After that, I acted as admin on the forums and stuff like that.  Well, phpBB3 got neglected and hadn't been updated in a while.  It was running version 3.0.6 while the latest version was 3.0.7-PL1.  4 versions have been released since the last update.  When the site got exploited, he looked at me like it was my fault.  In fact, he told me something along the lines of "I paid you to build a site that was secure and you didn't do that".  Well, I did build him a secure site a year ago, but in the past year, there have been enough holes found in phpBB3 to kill a horse.

I'm sure that any freelancer or businessman out there has had to deal with clients that don't understand what it is exactly you do.  This happens a lot to me due to the range of things that I do.  But in this instance, the client was under the illusion that I was going to maintain the website and keep it up to date for him.  The original invoice that I sent for the site was simply 8 hours of work to get everything installed and set up properly and for a year of hosting.  Since that first invoice, I have fixed little errors here and there for him without invoicing him because it's little things that only take a few minutes to take care of.  Plus, the guy is a real good friend of mine and has been my friend since before we started doing business together.  I do freebies for a lot of my customers from time to time.  Maybe I messed up by doing these repairs and not charging him for them, and by doing that I led him to believe that I was doing it all for free.

I logged into the site this morning to notice that it had been defaced.  Some hacker managed to get in and screw around with the AdminCP.  Language packs were messed with, 300+ accounts were created and a bunch of spam had been posted.  I went ahead and fixed everything that happened and went through the process of upgrading phpBB3 to the latest version.  It took me about 2½ hours to get it all cleaned up and upgraded.  Once I was done, I submitted a service ticket for the work.  Here's another place I screwed up.  I should have asked him if he wanted me to fix it first because we don't have a service agreement between the two companies.

Well, the site got upgraded to the latest version of phpBB3 and it was working fine.... for about 3 hours.  That's when our little hacker managed to get back in and lock me out completely.  My best guess is that there's a zero-day exploit on phpBB 3.0.7-PL1 that will also work on all previous versions.  In that instance, there's not a whole lot I can do about it other than block the proxies that he's used to get to the site with or just shut the site down.  Well, I shut it down.

Here's where the main problem starts.  The customer assumed that it was my responsibility to update the software for him.  I don't go to HP and bitch at them because there's holes in Windows.  Once I install the software, it's up to the client to keep that software up to date.  All of my other web clients know this and they keep their CMS software up to date.  If we would have set up a service contract in which I said I would maintain the security of his site, then it's no problem.  It's my responsibility to fix the security issues that come up, but there's no agreement there.

Also, the client wants 100% security. We all know that 100% security does not exist and never will exist.  He didn't like the fact that I used open-source software for the site because people can read the source code.  Well, the open-source stuff is free, so that's why it was used.  But even closed-source software has security holes in it.

To wrap up this rant, I wish people could understand that the only secure computer is one that's powered down and unplugged from the internet.  A friend once told me that if you installed a fresh copy of Windows XP (no service packs) on a computer and plugged it directly into the internet, it would be rooted within 12 seconds.  12 seconds! There is no security, only the illusion of it.

-Greg

21 Sep 2009

Wow… I bombed that interview!

Friday I had an interview with a large insurance company in Columbus.  Actually, I had 2.  I went there to interview for a firewall job and once I was done with that the recruiter pulled me into another interview for a route/switch job.  In the first interview, there were 5 guys in there.  4 of them actually spoke to me and 1 just sat in a corner typing away on his laptop.  I don't know why, but that made me really nervous.  Now, I NEVER get nervous around people, it's just not in me to do so, but this time I got real shaken up.  And it hurt me in the next interview.

I was completely honest with the people in the first interview.  If I didn't know a question, I told them I didn't know the answer and how I would find the answer.  In the second interview though, I drew a complete blank.  I didn't remember simple trunking protocols, something that I should remember from my CCNA.  I stumbled over many questions that they asked and most of the stuff was simple things that any CCNA should know, but my mind was clouded.  I choked up, I got even more nervous, and I found out this morning that they passed on me.  I was told that I wasn't strong enough to work there.

I haven't heard back from the firewall job yet and I'm hoping that something comes of it.  I have been in Ohio for a year and 3 days now and I have worked for a total of 3 weeks.  I guess I'm really going to have to hit the books hard and get some of this basic knowledge back to the front of my mind!

30 Jul 2008

A few stray commands to help you button things down.

I just wanted to go through a few things with you guys before we move on to intensive things like DAI and DHCP snooping.  These are commands that are good to put into your configs that will help raise your security and, if you need to follow them, help you come into compliance with STIGs.

First off, we really don't want anyone to be able to auto-trunk on your network.  Auto-trunking is actually not that hard to do, and it relies on a bad network admin not disabling it from the start.  You want your individual ports to be either access or trunk, and you start by entering these commands:

For an access port:
Switch (config-if)# switchport mode access
Switch (config-if)# switchport nonegotiate

For a trunk port:
Switch (config-if)# switchport mode trunk
Switch (config-if)# switchport trunk native vlan 69
Switch (config-if)# switchport trunk allowed vlan 9,10,68,70,119
Switch (config-if)# switchport nonegotiate

Now, the commands for the access port first told the port "You are an access port", then told it "If someone tells you that they are a trunk and want you to be a trunk, tell them to go to hell".  There is NO negotiation, get it?

For the trunk port, we told the port "You are a trunk port and here's the VLAN that's native to you", followed by "These are the only VLANs you're allowed to pass traffic for".  It finishes with "If someone tells you to become an access port, explain to them in a series of 1's and 0's where they can get off".  You'll notice that I highlighted the "nonegotiate" commands.  That's because you should have already known how to create an access and trunk port, but you probably forgot to tell them that "we do not negotiate with terrorists".  Or something like that...

Now I want to speak to you for a minute about STP.  Even though Scott Weiland's voice stinks... wait... wrong STP...  Spanning Tree Protocol is your friend.  We all love it; we all use it (hopefully).  Let's guard it.

Switch (config-if)# spanning-tree bpduguard enable
Switch (config-if)# spanning-tree guard root

Enabling BPDU guard (I call them "bippy-du's") lets you enforce the STP domain borders and keep the active topology predictable.  Devices behind ports that have STP PortFast enabled cannot influence the STP topology: the moment such a port receives a BPDU, BPDU guard puts it into errdisable.

The "root guard" feature provides a way to enforce the root bridge placement in the network. The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP BPDUs on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.

Now, you can leave it like this, or you can add a timeout to the errdisabled state caused by the Bippy-du's.  When BPDU guard disables the port, the port remains in the disabled state unless the port is enabled manually.  You can configure a port to re-enable itself automatically from the errdisable state.  The commands, entered from global configuration mode, are:

Switch (config)# errdisable recovery cause bpduguard
Switch (config)# errdisable recovery interval 500

The default timeout interval is 300 seconds and, by default, the timeout feature is disabled.  If you want to know what ports are in errdisable, enter:

Switch# show interfaces status err-disabled

If you need to get it out of errdisabled manually, you'll need to enter a "shutdown" then "no shutdown" on the port to bring it back up.
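A quick way to check a running-config for the controls this post covers (explicit port mode, nonegotiate, BPDU guard, root guard), as an added example that is not code from the original post: it parses the interface stanzas and reports what each Layer 2 port is missing. The sample config is constructed, and the split of BPDU guard onto access ports and root guard onto trunk ports is this example's assumption.

```python
"""Audit an IOS running-config for the port hardening the post above describes.
Constructed example, not the post's own code: it flags ports that still negotiate
trunking, access ports without BPDU guard and trunk ports without root guard (the
access/trunk split of the two guards is this example's assumption)."""
import re

# Constructed sample: one hardened access port, one bare access port, one trunk.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/1
 switchport trunk native vlan 69
 switchport trunk allowed vlan 9,10,68,70,119
 switchport mode trunk
!
"""
PHYSICAL = re.compile(r"^(Fast|Gigabit|TenGigabit)Ethernet")


def parse_interfaces(config: str) -> dict:
    """Map each interface name to its indented sub-commands (whitespace stripped)."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if m := re.match(r"^interface (\S+)", raw):
            current = m.group(1)
            stanzas.setdefault(current, [])
        elif raw.startswith(" ") and current:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or another top-level command ends the stanza
    return stanzas


def audit(config: str) -> dict:
    """Return {interface: [findings]} for every Layer 2 port missing a control."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if not PHYSICAL.match(name) or "no switchport" in cmds:
            continue  # routed ports and SVIs are out of scope
        mode = next((c.split()[-1] for c in cmds if c.startswith("switchport mode ")), None)
        rules = [
            (mode not in ("access", "trunk"), "no explicit switchport mode; port will auto-negotiate"),
            ("switchport nonegotiate" not in cmds, "DTP still enabled: add 'switchport nonegotiate'"),
            (mode == "access" and "spanning-tree bpduguard enable" not in cmds, "access port without 'spanning-tree bpduguard enable'"),
            (mode == "trunk" and "spanning-tree guard root" not in cmds, "trunk port without 'spanning-tree guard root'"),
        ]
        issues = [msg for bad, msg in rules if bad]
        if issues:
            findings[name] = issues
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns findings for FastEthernet0/2 and GigabitEthernet0/1 only; feed it the output of `show running-config` to check a real switch.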

-Greg
