AT&T u-Verse Static IP work around with pfSense

First off, I’d like to give AT&T an honorable mention (sarcasm) for using the fucking worst, P.O.S. garbage DSL modems on the planet: 2WIRE. These things are ridiculous. You’d think that if a provider is able to route a /28 subnet to your home or business, they’d be able to manage that subnet properly through their “firewall”, or whatever you want to call it. The way this normally works is by routing a network range to your device. But AT&T and 2WIRE ensure that every public static IP address you have must have its own unique MAC address and must look like a different device altogether. This is asinine.

So, with the help of my business partner, we’ve come up with a solution for getting a set of static IP addresses to work so that you can host services on AT&T u-Verse. We accomplished this with the free and open source operating system pfSense. I’m sure there are other systems we could have used, or we could have just done it in Linux, but pfSense is really robust and has a nice interface, so that’s what we went with.

Additionally, I’m sure not everyone and their mother has an HP DL380 running in their basement, but… welcome to the Erdmanor. I have a DL380 in my basement. So what we’ve done is virtualize the firewall: pfSense runs in a virtual machine on the DL380, which is running ESXi 5.5. I know ESXi 6.0 has been out for a few months now, but to be honest, I’m just too damn lazy to upgrade my box.

Anyways, here’s how we configured the virtual firewall. In ESX, we provisioned the VM with 8 network adapters, a 10GB HDD, 2GB RAM and 1 virtual CPU. From there we gave the VM access to the three different network segments (DMZ, Internal, Outside) and created the matching interfaces within pfSense. Then we programmed the AT&T gateway to use the external addresses AT&T had provided, making sure that the proper interfaces and MAC addresses lined up between the ESX server, the AT&T gateway and the pfSense console. Also, in the AT&T gateway, we set the system to DMZplus mode, which you can read about in the screenshot below.

[Screenshots: pfSense1, pfSense2, pfSense3, att-config0, att-config1, att-config2, att-config3]

Now that our AT&T gateway is forwarding external IP traffic to the proper interfaces on our pfSense firewall, we can go through and create all the inbound NATs, firewall rules and other network security we want.

If you have any further questions on how to set this up, just ask!

Thanks!


Backing up Cisco Configurations for Routers, Switches and Firewalls

I will add more about this when I have time. Until then, you should be able to just install python, paramiko and pexpect and run this script as-is (obviously changing the variables).

This should give you all the software you need:

sudo apt-get update
sudo apt-get install python python-pexpect python-paramiko

I plan on GREATLY increasing the ability of this script, adding additional functionality, as well as setting up a bash script that will be able to parse the configs and perform much deeper backups for ASAs.

I have not tested this on routers and switches. I can tell you that the production 5520 HA pair that I ran this script against was running “Cisco Adaptive Security Appliance Software Version 8.4(2)160”. In theory it should work with all 8.4 code and up, including the 9.x versions that are out as of this writing.

Here you go! A fully scripted interrogation of a Cisco ASA 5520 that can be set up to run as a cron job.

#!/usr/bin/python
import argparse
import datetime
import os
import pexpect


### DEFINE VARIABLES

# Defaults; edit them here or override the login details on the command line.
# currentdate is generated per run so a cron job lands each day in its own directory.
currentdate = datetime.datetime.now().strftime("%m-%d-%Y")
asahost = "192.168.222.1"
tacacsuser = 'testuser'
userpass = 'Password1'
enpass = 'Password2'
currenthostname = "TESTASA"

parser = argparse.ArgumentParser(description='Back up "show" output and the running-config of a Cisco ASA.')
parser.add_argument('-u', '--user',     default=tacacsuser, help='user name to login with (default=%(default)s)')
parser.add_argument('-p', '--password', default=userpass,   help='password to login with')
parser.add_argument('-e', '--enable',   default=enpass,     help='password for enable')
parser.add_argument('-d', '--device',   default=asahost,    help='device to login to (default=%(default)s)')
args = parser.parse_args()
tacacsuser, userpass, enpass, asahost = args.user, args.password, args.enable, args.device

# cron example:
# python vpnbackup.py -u $tacacsuser -p $userpass -e $enpass -d $currentipaddress


def asaLogin():
    # start ssh; the ASA's host key must already be in ~/.ssh/known_hosts
    # (connect once interactively first) or the password prompt never appears
    child = pexpect.spawn('ssh ' + tacacsuser + '@' + asahost)
    # bigger read buffer so a long running-config comes back in fewer reads
    child.maxread = 9999999
    # expect password prompt, send password
    child.expect('.*assword:.*')
    child.sendline(userpass)
    # expect user mode prompt, send enable
    child.expect('.*>.*')
    child.sendline('enable')
    # expect password prompt, send enable password
    child.expect('.*assword:.*')
    child.sendline(enpass)
    # expect enable mode prompt
    child.expect('#.*', timeout=10)
    # turn off paging so each command returns in one piece
    child.sendline('terminal pager 0')
    child.expect('#.*', timeout=10)
    # create the output directory, then capture each command to its own file
    createDir()
    showVersion(child)
    showRun(child)
    showCryptoIsakmp(child)
    dirDisk0(child)
    showInterfaces(child)
    showRoute(child)
    showVpnSessionDetail(child)
    showWebVpnSessions(child)
    showAnyConnectSessions(child)
    # log out and close the ssh session
    child.sendline('exit')
    child.close()


def createDir():
    outdir = os.path.join(currentdate, currenthostname)
    if not os.path.exists(outdir):
        os.makedirs(outdir)


def captureCommand(child, command, suffix, timeout):
    # one output file per command: <date>/<host>/<host><date><suffix>
    fname = os.path.join(currentdate, currenthostname,
                         currenthostname + datetime.datetime.now().strftime("%m-%d-%Y") + suffix)
    # binary mode: pexpect hands logfile_read the raw bytes it reads from the session
    fout = open(fname, 'wb')
    child.logfile_read = fout
    child.sendline(command)
    # wait for the enable mode prompt; commands with long output get a longer timeout
    child.expect(".*# ", timeout=timeout)
    child.logfile_read = None
    fout.close()


def showVersion(child):
    captureCommand(child, 'show version', "sh-ver.txt", 50)


def showRun(child):
    captureCommand(child, 'more system:running-config', "sh-run.txt", 999)


def showCryptoIsakmp(child):
    captureCommand(child, 'show crypto isakmp sa', "cryptoisakmp.txt", 50)


def dirDisk0(child):
    captureCommand(child, 'dir disk0:', "dirdisk0.txt", 75)


def showInterfaces(child):
    captureCommand(child, 'show interface', "interfaces.txt", 100)


def showRoute(child):
    captureCommand(child, 'show route', "show-route.txt", 300)


def showVpnSessionDetail(child):
    captureCommand(child, 'show vpn-sessiondb detail', "vpnsession.txt", 50)


def showWebVpnSessions(child):
    captureCommand(child, 'show vpn-sessiondb webvpn', "webvpns.txt", 200)


def showAnyConnectSessions(child):
    captureCommand(child, 'show vpn-sessiondb anyconnect', "anyconnectvpns.txt", 999)


def main():
    asaLogin()


if __name__ == '__main__':
    main()
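The script above writes a fresh sh-run.txt on every run; what turns those dumps into change detection is comparing today's file with yesterday's while ignoring the header and checksum lines the ASA rewrites on every dump. The following is an added example, not part of the original post, that does that on two constructed config snippets; the VOLATILE pattern list is an assumption to extend for your own devices.

```python
import difflib
import hashlib
import re

# Header/trailer lines that an ASA rewrites on every dump even when nothing was
# reconfigured. Assumed list; extend it if your devices emit other volatile lines.
VOLATILE = re.compile(r"^(: Saved|: Written by |: Serial Number:|: Hardware:|Cryptochecksum:)")


def normalize(config_text):
    """Return the non-volatile, non-blank lines of a running-config dump."""
    return [line.rstrip() for line in config_text.splitlines()
            if line.strip() and not VOLATILE.match(line)]


def config_fingerprint(config_text):
    """SHA-256 over the normalized lines: identical for unchanged configs across days."""
    return hashlib.sha256("\n".join(normalize(config_text)).encode("utf-8")).hexdigest()


def config_diff(old_text, new_text):
    """Unified diff between two backups with volatile lines removed; [] means no change."""
    return list(difflib.unified_diff(normalize(old_text), normalize(new_text),
                                     fromfile="previous", tofile="current",
                                     lineterm="", n=1))


# Constructed sample dumps standing in for two days of sh-run.txt files.
YESTERDAY = """: Saved
: Written by enable_15 at 10:00:01.123 UTC Wed Oct 15 2014
!
ASA Version 8.4(2)160
!
hostname TESTASA
access-list outside_in extended permit tcp any host 192.168.222.10 eq https
Cryptochecksum:0123456789abcdef0123456789abcdef
: end
"""
# Today's dump: new timestamp and checksum (noise) plus one real change (a new ACL entry).
TODAY = (YESTERDAY.replace("Wed Oct 15", "Thu Oct 16")
         .replace("0123456789abcdef0123456789abcdef", "fedcba9876543210fedcba9876543210")
         .replace("eq https\n", "eq https\naccess-list outside_in extended permit tcp any host 192.168.222.10 eq ssh\n"))

if __name__ == "__main__":
    if config_fingerprint(YESTERDAY) != config_fingerprint(TODAY):
        print("\n".join(config_diff(YESTERDAY, TODAY)))
```

Run it from cron right after the backup script and mail the output: an empty diff means the firewall config is unchanged, anything else is a change worth reviewing.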

Here are all the websites that have provided help to me writing these scripts:
http://www.802101.com/2014/06/automated-asa-ios-and-nx-os-backups.html
http://yourlinuxguy.com/?p=300
http://content.hccfl.edu/pollock/Unix/FindCmd.htm
http://paulgporter.net/2012/12/08/30/
http://paklids.blogspot.com/2012/01/securely-backup-cisco-firewall-asa-fwsm.html
http://ubuntuforums.org/archive/index.php/t-106287.html
http://stackoverflow.com/questions/12604468/find-and-delete-txt-files-in-bash
http://stackoverflow.com/questions/9806944/grep-only-text-files
http://unix.stackexchange.com/questions/132417/prompt-user-to-login-as-root-when-running-a-shell-script
http://stackoverflow.com/questions/6961389/exception-handling-in-shell-scripting
http://stackoverflow.com/questions/7140817/python-ssh-into-cisco-device-and-run-show-commands
http://pastebin.com/qGRdQwpa
http://blog.pythonicneteng.com/2012/11/pexpect-module.html
https://pynet.twb-tech.com/blog/python/paramiko-ssh-part1.html
http://twistedmatrix.com/pipermail/twisted-python/2007-July/015793.html
http://www.lag.net/paramiko/
http://www.lag.net/paramiko/docs/
http://stackoverflow.com/questions/25127406/paramiko-2-tier-cisco-ssh
http://rtomaszewski.blogspot.com/2012/08/problem-runing-ssh-or-scp-from-python.html
http://www.copyandwaste.com/posts/view/pexpect-python-and-managing-devices-tratto/
http://askubuntu.com/questions/344407/how-to-read-complete-line-in-for-loop-with-spaces
http://stackoverflow.com/questions/10463216/python-pexpect-timeout-falls-into-traceback-and-exists
http://stackoverflow.com/questions/21055943/pxssh-connecting-to-an-ssh-proxy-timeout-exceeded-in-read-nonblocking
http://www.pennington.net/tutorial/pexpect_001/pexpect_tutorial.pdf
https://github.com/npug/asa-capture/blob/master/asa-capture.py
http://stackoverflow.com/questions/26227791/ssh-with-subprocess-popen
