AT&T u-Verse Static IP work around with pfSense

First off, I’d like to give AT&T an honorable mention (sarcasm) for using the fucking worst, P.O.S. garbage DSL modems on the planet: 2WIRE. These things are ridiculous. You’d think that if a provider was able to route a /28 subnet to your home/business, they’d be able to properly manage that subnet through their “firewall” or whatever you want to call it. The way this normally works is that the provider routes the network range to your device. AT&T and 2WIRE instead require that every public static IP address you use sits behind a unique MAC address, so each one has to look like a different device altogether. This is asinine.

So, with the help of my business partner, we’ve come up with a way to get a set of static IP addresses working so that you can host services on AT&T u-Verse. We did it with the free, open-source firewall OS pfSense. There are other systems we could have used, or we could have done it in plain Linux, but pfSense is robust and has a nice interface, so that’s what we went with.

Additionally, I’m sure not everyone and their mother has an HP DL380 running in their basement, but… welcome to the Erdmanor. I have a DL380 in my basement. So what we’ve done is virtualize the firewall: pfSense runs in a virtual machine on the DL380, which runs ESXi 5.5. I know ESXi 6.0 has been out for a few months now, but to be honest, I’m just too damn lazy to upgrade my box.

Anyway, here’s how we configured the virtual firewall. In ESXi we provisioned the VM with 8 network adapters, a 10 GB disk, 2 GB RAM and 1 virtual CPU. We then connected the VM to the three network segments (DMZ, Internal, Outside) and created the matching interfaces inside pfSense. Next we programmed the AT&T gateway with the external addresses AT&T provided, making sure the interfaces and MAC addresses lined up across the ESXi server, the AT&T gateway and the pfSense console; since the gateway keys each public address to a MAC, one mismatched adapter means that address silently goes nowhere. Finally, in the AT&T gateway we put the pfSense adapters in DMZplus mode, which hands all traffic for those addresses straight to the device instead of filtering it at the gateway; you can read about it in the screenshot below.

Now that the AT&T gateway is forwarding traffic for each external IP to the matching pfSense interface, we can create the inbound NATs, firewall rules and the rest of the network security we want. Keep in mind that the gateway is no longer filtering anything for those addresses, so pfSense is the only firewall in the path. Its WAN-side interfaces block all unsolicited inbound traffic by default, so nothing reaches the DMZ or the internal segment until you add an explicit NAT and rule pair for it.

If you have any further questions on how to set this up, just ask!



Cisco ASA 8.3(and up) packet capturing

Sooner or later you need packet captures to understand where a problem sits in a network. I’ve done this on ASAs so many times that I figured it was easy enough to write a quick post about it.

DISCLAIMER: Make sure you know which access list(s) you’re modifying in config mode. A capture ACL is only a filter for the capture and must never be applied to an interface with access-group; a typo that lands in a production ACL changes what the firewall permits.

###   Here we will go over exactly how
###   to create a packet capture and
###   how to view it via the CLI as well as
###   how to download it in PCAP file

### enter global config mode (the full command; "conf t" is the accepted abbreviation)
configure terminal

### START by creating an access list that matches the traffic in EVERY direction you need.
### A capture ACL only catches what it lists, so for traffic between two hosts add one entry per direction:

ErdmanorASA(config)# access-list temp_packet_capture permit ip host host log error
ErdmanorASA(config)# access-list temp_packet_capture permit ip host host log error

### you may need to know some interface specific information, so don’t forget to:
ErdmanorASA(config)# sh ip add
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside         CONFIG
GigabitEthernet0/1       inside          CONFIG
GigabitEthernet0/2       DMZ             CONFIG
GigabitEthernet0/3.1     failover      unset
GigabitEthernet0/3.2     failover-state unset
Management0/0            TESTDMZ         CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside         CONFIG
GigabitEthernet0/1       inside          CONFIG
GigabitEthernet0/2       DMZ             CONFIG
GigabitEthernet0/3.1     failover      unset
GigabitEthernet0/3.2     failover-state unset
Management0/0            TESTDMZ         CONFIG

### Attach the capture to an interface (here "inside") and filter it with the ACL.
### buffer is the capture buffer size in BYTES (10000000 here), not a packet count; by default the capture
### stops when the buffer is full (add circular-buffer if you want it to wrap). packet-length 1522 keeps each frame whole.
ErdmanorASA(config)# capture steve interface inside access-list temp_packet_capture buffer 10000000 packet-length 1522

### this command shows all current captures (yours should be in there; steve2 below was created the same way on the outside interface)
ErdmanorASA(config)# sh capture
capture steve type raw-data access-list temp_packet_capture buffer 10000000 packet-length 1522 interface Inside [Capturing - 301082 bytes]
capture steve2 type raw-data access-list temp_packet_capture buffer 10000000 packet-length 1522 interface Outside [Capturing - 298168 bytes]

### show the capture you just made; the argument is the CAPTURE name (steve), not the ACL name
ErdmanorASA(config)# show capture steve

2024 packets captured

   1: 16:30:31.895690 > S 4293989912:4293989912(0) win 14600 <mss 1380,sackOK,timestamp 408760499 0,nop,wscale 9>
   2: 16:30:31.895903 > S 4128260078:4128260078(0) ack 4293989913 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 173100302 408760499>
   3: 16:30:31.896193 > . ack 4128260079 win 29 <nop,nop,timestamp 408760499 173100302>
   4: 16:30:31.896514 > P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop,timestamp 408760499 173100302>
   5: 16:30:32.097300 > P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop,timestamp 408760550 173100302>
   6: 16:30:32.097452 > . ack 4293990409 win 256 <nop,nop,timestamp 173100322 408760499,nop,nop,sack sack 1 {4293989913:4293990409} >
   7: 16:30:32.469412 > P 4128260079:4128260495(416) ack 4293990409 win 256 <nop,nop,timestamp 173100359 408760499>
   8: 16:30:32.469564 > . ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
   9: 16:30:32.469625 > P 4293990409:4293990490(81) ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
  10: 16:30:32.469824 > P 4293990490:4293990572(82) ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>

ErdmanorASA(config)#   sh log | grep
%ASA-6-302014: Teardown TCP connection 1082311710 for outside: to inside: duration 0:00:00 bytes 7295 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1082311788 for outside: to inside: duration 0:00:00 bytes 5856 TCP FINs
ErdmanorASA(config)#   sh log | grep
%ASA-6-302014: Teardown TCP connection 1082312752 for outside: to inside: duration 0:00:00 bytes 7295 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1082312815 for outside: to inside: duration 0:00:00 bytes 5856 TCP FINs

### To clean up the ASA when you're done. If you want the capture as a pcap first, copy it off with the ASA's copy
### command using the /pcap option (copy /pcap capture:steve to a tftp destination), or fetch /admin/capture/steve/pcap
### over the ASA's HTTPS management interface; removing a capture discards its buffer.

### remove the captures you created (by capture name, not ACL name)
ErdmanorASA(config)# no capture steve
ErdmanorASA(config)# no capture steve2

### then remove the temporary ACL entries (note the leading "no")
ErdmanorASA(config)# no access-list temp_packet_capture permit ip host host log error
ErdmanorASA(config)# no access-list temp_packet_capture permit ip host host log error
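The show capture output above is the ASA's own tcpdump-style text, and once a capture runs to a few thousand packets the facts you actually want (did the handshake complete, was anything retransmitted) are hard to pick out by eye. As an added example (not from the original post), the Python below parses that text and flags retransmissions, meaning a second packet carrying the same sequence range from the same source to the same destination. The sample lines are constructed with RFC 5737 addresses and modelled on the output above; in real output each line carries source.port > destination.port: before the flags, which the extract above has stripped.

```python
"""Parse Cisco ASA `show capture <name>` text output and flag TCP retransmissions.

Added example, not from the original post. Sample lines are constructed
(RFC 5737 addresses) to match the ASA's tcpdump-style format:
  <n>: <hh:mm:ss.usec> <src.port> > <dst.port>: <flags> [seq_lo:seq_hi(len)] [ack N] [win N] <options>
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SFRP.]+)"
    r"(?:\s+(?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<plen>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
)

# Constructed sample: TCP setup for a TLS session, one data segment that is
# retransmitted 200 ms later, and the server's SACK-bearing acknowledgement.
SAMPLE = """\
6 packets captured

   1: 16:30:31.895690 192.0.2.10.51234 > 198.51.100.5.443: S 4293989912:4293989912(0) win 14600 <mss 1380,sackOK,timestamp 408760499 0,nop,wscale 9>
   2: 16:30:31.895903 198.51.100.5.443 > 192.0.2.10.51234: S 4128260078:4128260078(0) ack 4293989913 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 173100302 408760499>
   3: 16:30:31.896193 192.0.2.10.51234 > 198.51.100.5.443: . ack 4128260079 win 29 <nop,nop,timestamp 408760499 173100302>
   4: 16:30:31.896514 192.0.2.10.51234 > 198.51.100.5.443: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop,timestamp 408760499 173100302>
   5: 16:30:32.097300 192.0.2.10.51234 > 198.51.100.5.443: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop,timestamp 408760550 173100302>
   6: 16:30:32.097452 198.51.100.5.443 > 192.0.2.10.51234: . ack 4293990409 win 256 <nop,nop,timestamp 173100322 408760499,nop,nop,sack sack 1 {4293989913:4293990409} >
"""


@dataclass
class Packet:
    idx: int
    ts: str
    src: str
    dst: str
    flags: str          # S, ., P, F, R (and combinations) as the ASA prints them
    seq_lo: Optional[int]
    seq_hi: Optional[int]
    plen: int           # payload bytes in this segment, 0 for pure ACKs
    ack: Optional[int]
    win: Optional[int]


def parse_show_capture(text: str) -> list[Packet]:
    """Turn the text of `show capture <name>` into Packet records; non-packet lines are skipped."""
    pkts: list[Packet] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the "N packets captured" header
        g = m.groupdict()
        pkts.append(Packet(
            idx=int(g["idx"]), ts=g["ts"], src=g["src"], dst=g["dst"], flags=g["flags"],
            seq_lo=int(g["seq_lo"]) if g["seq_lo"] else None,
            seq_hi=int(g["seq_hi"]) if g["seq_hi"] else None,
            plen=int(g["plen"]) if g["plen"] else 0,
            ack=int(g["ack"]) if g["ack"] else None,
            win=int(g["win"]) if g["win"] else None,
        ))
    return pkts


def find_retransmissions(pkts: list[Packet]) -> list[int]:
    """Packet numbers whose (src, dst, seq range) carrying payload was already seen earlier."""
    seen: set[tuple[str, str, int, int]] = set()
    retrans = []
    for p in pkts:
        if p.plen == 0 or p.seq_lo is None:
            continue  # SYNs and bare ACKs carry no data; a repeated ACK is not a retransmission
        key = (p.src, p.dst, p.seq_lo, p.seq_hi)
        if key in seen:
            retrans.append(p.idx)
        seen.add(key)
    return retrans


def handshake_complete(pkts: list[Packet], client: str, server: str) -> bool:
    """True if SYN (client->server), SYN/ACK (server->client) and ACK (client->server) appear in order."""
    stage = 0
    for p in pkts:
        if stage == 0 and p.src == client and p.dst == server and p.flags == "S":
            stage = 1
        elif stage == 1 and p.src == server and p.dst == client and p.flags == "S" and p.ack is not None:
            stage = 2
        elif stage == 2 and p.src == client and p.dst == server and p.flags == "." and p.ack is not None:
            return True
    return False


def summarize(text: str) -> dict:
    """One-shot helper: packet count, retransmitted packet numbers and the flows seen."""
    pkts = parse_show_capture(text)
    flows = sorted({(p.src, p.dst) for p in pkts})
    return {"packets": len(pkts), "retransmissions": find_retransmissions(pkts), "flows": flows}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Paste the output of `show capture <name>` into a file and feed it to summarize(); a retransmission list that keeps growing for one flow while the other direction shows nothing is the usual sign the ASA is seeing the request go out but the reply is dying somewhere past it.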


Cisco ASAs: Baseline Configurations

So, I’ve been dabbling around in the Cisco field for many years now. I started taking Cisco Academy courses at a local college in the Fall of 2002 and since then I’ve completed all the CCNA, CCNP and most recently the CCNA Security courses. By no means am I calling myself an expert, the best Cisco Engineer on the planet, or even on par with a Cisco engineer that’s been in the field for at least a year or so. But what I am saying is that, I feel that I’ve got a decent background.

I bought a Cisco ASA 5505 a few years ago, played with it for a while and then got side tracked with other work. I even forgot I even owned the device for a while, until I took my CCNA Security course in the Fall of 2012.

Again, my purpose of this blog site is to help give back to the community. So I just want to throw down a little ASA knowledge for anyone interested in buying an ASA for home use. This stuff is even transferable to the high class 5510’s up to the 5585’s.

Now, I host my own services for many reasons: mail, web, remote access, etc. Mainly I do it because every service I run out of my house teaches me more about IT management, securing networks, and what it takes to run both sides of the house (IT and security). What I want to do here is go over how to create a baseline configuration for a Cisco ASA. It really is easier than you think.


So lets get going here!


If you’ve got a brand new Cisco ASA, right out of the box and you’re about to plug it in, you’re in a perfect spot. If you bought one off eBay or something like that, you’ll want to wipe the configuration on the device.

In order to wipe an ASA you need to know the enable password to the device, or you need to boot it into recovery mode. If you’re having issues with the password, I recommend you just reset it with the information on Cisco’s website.

I’m doing this work from a Debian box, but you can do this from virtually any OS. You’ll need a Cisco serial cable, which you should’ve gotten with your purchase of an ASA. For those of you who haven’t seen one, they look like this:
Cisco Serial Cable

And if you’re connecting with a laptop made in the last few years you’ll need a USB to serial adapter. Many computers don’t even have Serial ports anymore, so this adapter is essential.
USB to Serial (RS-232)

To connect to the Cisco ASA, connect your USB connector to your computer, and the Cisco serial cable to your ASA device. Then the easiest thing to use is Putty, which you can get from the Putty Website. There is the installer for pretty much every Windows OS as well as the source code that you can compile on just about every Unix/Linux platform out there.

After you get Putty installed and running, you can modify the settings to your liking. I like being able to see all the scroll-back of my sessions, so I normally set that to “999999” or something like that, and I also save all session output to putty.log on the Desktop of whatever OS I’m on at the time.

To connect to your Cisco ASA, on the main screen click “Serial”, verify that your serial port is set up properly and click “Connect”. On Windows, the USB-to-serial adapter usually creates a COM port that you’ll have to confirm in Device Manager. In Linux, the adapter creates a device under /dev, usually /dev/ttyUSB0, but again, verify that. Most Linux distros only let root (or members of the dialout group, which owns the device on Debian) open it; rather than running PuTTY as root, add your user to dialout and log in again. If you’d rather not, you can start PuTTY from the command line like this:

sudo putty


You should see this window appear after a few seconds:

Putty Screen in Linux


Alright enough messing around. Connect to your ASA and then power it on. You’ll see a bunch of scroll back as your device is starting. Like this:

Embedded BIOS Version 1.0(12)6 08/21/06 17:26:53.43

Low Memory: 632 KB
High Memory: 251 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
 00  01  00   1022   2080  Host Bridge        
 00  01  02   1022   2082  Chipset En/Decrypt 11
 00  0C  00   1148   4320  Ethernet           11
 00  0D  00   177D   0003  Network En/Decrypt 10
 00  0F  00   1022   2090  ISA Bridge        
 00  0F  02   1022   2092  IDE Controller    
 00  0F  03   1022   2093  Audio              10
 00  0F  04   1022   2094  Serial Bus         9
 00  0F  05   1022   2095  Serial Bus         9

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)6) #0: Mon Aug 21 19:34:06 PDT 2006

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Launching BootLoader...
Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa845-k8.bin... Booting...
Platform ASA5505

IO memory blocks requested from bigphys 32bit: 9672
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 96 files, 10581/31033 clusters
dosfsck(/dev/hda1) returned 0
Processor memory 109051904, Reserved memory: 41943040

Total SSMs found: 0

Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 0019.0724.43f6
88E6095 rev 2 Ethernet @ index 07 MAC: 0019.0724.43f5
88E6095 rev 2 Ethernet @ index 06 MAC: 0019.0724.43f4
88E6095 rev 2 Ethernet @ index 05 MAC: 0019.0724.43f3
88E6095 rev 2 Ethernet @ index 04 MAC: 0019.0724.43f2
88E6095 rev 2 Ethernet @ index 03 MAC: 0019.0724.43f1
88E6095 rev 2 Ethernet @ index 02 MAC: 0019.0724.43f0
88E6095 rev 2 Ethernet @ index 01 MAC: 0019.0724.43ef
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 0019.0724.43f7
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
Verify the activation-key, it might take a while...
Running Permanent Activation Key:  

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 50             perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.

Cisco Adaptive Security Appliance Software Version 8.4(5)

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:

  If you require further assistance please contact us by
  sending email to
  ******************************* Warning *******************************

Copyright (c) 1996-2012 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Reading from flash...
Flash read failed

Cryptochecksum (changed):  

Pre-configure Firewall now through interactive prompts [yes]?


From here the ASA is going to ask a series of questions in order to get a very minimal configuration setup. You can go through them or not. Either way will be fine. I’m going to go through the prompts just to show what questions are asked:

Pre-configure Firewall now through interactive prompts [yes]?
Firewall Mode [Routed]: Routed
Enable password [<use current password>]: {strong-password-here}
Allow password recovery [yes]?
Clock (UTC):
  Year [2012]:
  Month [Dec]:
  Day [21]:
  Time [22:57:31]: 18:00:35
Management IP address:
Management network mask:
Host name: Erdmanor-ASA
Domain name:
IP address of host running Device Manager:

The following configuration will be used:
Enable password:
Allow password recovery: yes
Clock (UTC): 18:00:35 Dec 21 2012
Firewall Mode: Routed
Management IP address:
Management network mask:
Host name: Erdmanor-ASA
Domain name:

Use this configuration and write to flash? yes
INFO: Security level for "management" set to 0 by default.
Cryptochecksum: e661f916 9e00a961 ba015bae 20f4d894

2081 bytes copied in 1.50 secs (2081 bytes/sec)


It’s very important here that you set up your ASA in Routed mode. The reason is that the only way to have an Internal, External and DMZ interface on a Base-licensed ASA 5505 is Routed mode with the third VLAN restricted. According to Cisco, “For the Base license, allow this interface to be the third VLAN by limiting it from initiating contact to one other VLAN using the following command:

hostname(config-if)# no forward interface vlan number

Where number specifies the VLAN ID to which this VLAN interface cannot initiate traffic.

With the Base license, you can only configure a third VLAN if you use this command to limit it.

For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the no forward interface command on the home VLAN; the business network can access the home network, but the home network cannot access the business network.

If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface command before the nameif command on the third interface; the adaptive security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance.”


My suggestion here is that our Outside interface should never initiate traffic to the Internal network. The purpose of the Internal network is to communicate with Internet Hosts and the DMZ. It is the most secure network we have, therefore we should never accept incoming traffic. The DMZ will accept all incoming traffic and if there are any reverse proxies, then the DMZ will hold all of those systems and communicate to the internal for any Internet host. A few examples of this would be a Reverse SMTP Proxy or a HTTP or HTTPS Reverse Proxy. There is NEVER a reason for the Internal network to accept Internet traffic…… unless you have a lazy admin, or your company doesn’t know shit about security.


By default, interfaces on the same security level cannot communicate with each other. Allowing same-security communication lets traffic flow between all same-security interfaces without access lists. (Cisco’s note that NAT control removes the need for NAT between same-security interfaces applies only to code before 8.3; NAT control no longer exists in 8.3 and later.) If you enable same-security interface communication, you can still configure interfaces at different security levels as usual. I highly discourage this, because it removes the access list as a control point between segments, but if you want interfaces on the same security level to talk to each other, enter the following command:

hostname(config)# same-security-traffic permit inter-interface


So let’s see. What should we start with? Well, if you saw my blog on network architecture you’ll know that we should start things off securely. Let’s get a DMZ up and running as well as our internal and external interfaces.

conf t
(config)# interface vlan 1
(config-if)# ip address ( ### Change this to match your internal network
(config-if)# nameif Inside
(config-if)# security-level 100
(config-if)# no shut
(config-if)# exit
(config)# interface vlan 100
(config-if)# ip address (outside IP) ### Change this to match your ISP Static IP Address
(config-if)# nameif Outside
(config-if)# security-level 0
(config-if)# no shut
(config-if)# exit
(config)# interface vlan 200
(config-if)# no forward interface vlan 1 ### Base license: must come BEFORE nameif on the third VLAN; the DMZ may not initiate traffic to Inside
(config-if)# ip address ( ### Change this to match your DMZ network
(config-if)# nameif DMZ
(config-if)# security-level 50
(config-if)# no shut
(config-if)# end
write mem

What we’ve done here is set up the three VLAN interfaces we’ll be using. Two things about the DMZ interface matter on the Base license: the no forward interface command has to be entered before nameif (the ASA refuses a third fully functional VLAN otherwise, exactly as the Cisco text above says), and the VLAN you name in it is the one the DMZ may not initiate traffic to. That should be VLAN 1 (Inside), not VLAN 100 (Outside): the DMZ still has to reach the Internet for the outbound NAT we add below, and a DMZ that cannot start connections into the internal network is precisely the design described above. Also remember that on the 5505 a VLAN interface carries no traffic until a switchport is assigned to it (switchport access vlan <id> under the Ethernet0/x port); out of the box Ethernet0/0 is in VLAN 2 and the other seven ports are in VLAN 1, so VLANs 100 and 200 have no ports until you move some. Once the VLANs are set up, issue the “end” command followed by “write mem” to save the running config, then “show run” to review it.


Now, let’s get rid of some junk configurations that Cisco throws in there.

conf t
(config)# no service-policy global_policy global
(config)# clear config call-home
(config)# no ftp mode passive
(config)# no snmp-server enable
(config)# no telnet timeout 5
(config)# end
wr mem


Now go back and check your config again with “show run”. Two caveats about what we just removed. global_policy carries the ASA’s default application inspections (DNS, FTP and ESMTP among them), so dropping it turns those off; if you later need, say, active-mode FTP to work through the PAT below, attach a policy-map with just the inspections you want. And “no telnet timeout 5” only resets the idle timer to its default; Telnet access itself is controlled by telnet <address> <mask> <interface> lines, and there are none in this config, so Telnet is already off.

So, let’s get off this console connection and get our SSH running. Once SSH is running we can not only access our Cisco ASA from the Linux command line where most of us are more comfortable, but we can also build up some pretty sweet Python scripts that we can use to manage our ASA much easier. My coworker Adrian, (AKA, IronGeek), wrote up some pretty bad ass Python scripts to do some various management tasks on some higher end 5500 Series ASA’s (fully tested on 5510, 5520 and 5540’s).

(config)# crypto key generate rsa modulus 2048
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
(config)# ssh inside
(config)# ssh timeout 45
(config)# ssh version 2
(config)# aaa authentication ssh console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
(config)# aaa authentication enable console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
(config)# username steve password MyP@ssw0rd! privilege 15

You got two warnings here, both saying the local user database is empty. The first command told the ASA to use the local database to authenticate SSH logins; the second told it to require a local user for the “enable” command as well. The username line that follows fixes both, and until it exists nobody can log in over SSH.


Perfect, now lets get out of this console connection and configure this thing over SSH.

ssh steve@
The authenticity of host ' (' can't be established.
RSA key fingerprint is 54:df:df:3e:we:5b:yj:20:ng:46:f4:a7:9p:a3:e6:8x.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
steve@'s password:
Type help or '?' for a list of available commands.
Erdmanor-ASA> en
Password: *********


Now that we’ve got management access set up, let’s get a real config going on this thing. The first thing the ASA needs is a default gateway so it knows where to send traffic. Your Internet Service Provider (ISP) should have given you a default gateway address; if not, it is usually the ISP’s on-site equipment, typically some type of router.


Now let’s start creating our objects. Beginning with ASA version 8.3, network objects are used to configure all forms of NAT: you create a network object and configure the NAT inside it. Below, the network object “internal-network” translates the inside addresses to the public range held in “outside-hide-nat”. Cisco calls this style of object configuration Auto NAT (or object NAT).


You’re really going to want to create as MANY object groups as you can think of for all of your network segments. There’s a LOT of overhead here. You’re better off starting out making a list of all your servers, their functions, their open ports and what needs to be accessed from the Internet, then coming back and making your object groups. I went through all this crap when I put this together, you can do the same (it’s really not that difficult, and if you’re at a business and you dont already have this stuff documented, shame on you!).


Let’s start with the default “quad-zero” route and then define the internal, external and DMZ networks. The “nat” statements on the Internal and DMZ objects say that all outbound traffic leaves through the addresses in “outside-hide-nat”, spread across the range. Note that dynamic NAT to a range is one-to-one for as long as a host has connections: once every address in the range is in use, new hosts get nothing until one frees up. If you want the ASA to fall back to PAT on the Outside interface address when the range is exhausted, append the interface keyword to the nat line.

(config)# route Outside
(config)# object network outside-hide-nat
(config-network-object)# range
(config-network-object)# exit
(config)# object network internal-network
(config-network-object)# subnet
(config-network-object)# nat (Inside,Outside) dynamic outside-hide-nat
(config-network-object)# exit
(config)# object network dmz-network
(config-network-object)# subnet
(config-network-object)# nat (DMZ,Outside) dynamic outside-hide-nat
(config-network-object)# end
# wr mem
Building configuration...
Cryptochecksum: 9a5cd00b 1dcb8169 b07905cf 8b7904ed

2961 bytes copied in 1.120 secs (2961 bytes/sec)


Alright, so now we have basic Internet access from both networks (the DMZ and Internal). Next we configure the ASA to forward specific traffic to our DMZ servers. It is important to realize we’re using Port Address Translation (PAT) here: there are other ways to do NAT, but we have more ports to open than public addresses to put them on. We have more than five servers behind the firewall and only four public IP addresses we can use for inbound traffic.

First we’ll create more objects. These are the names we’ll use; each one gets a host address and a NAT statement in the next step:

object network openvpn
object network https-exchange
object network dns-external-1
object network dns-external-2
object network external-rdp
object network external-ssh


Now we need the static PAT statements for each externally accessible service. For each one we create a network object with a unique name, set the DMZ host it refers to, then add the NAT line that ties the public address and port to it. Because the hosts live in the DMZ, the interface pair is (DMZ,Outside); a rule written (Inside,Outside) would never match a DMZ host’s traffic.

(config)# object network client-openvpn
(config-network-object)# host
(config-network-object)# nat (DMZ,Outside) static service tcp https https   ### the mapped public IP belongs right after "static"
(config-network-object)# exit


See how easy that is? Let’s look at it for a minute though. First is the network object name, “client-openvpn”. Then we specify the DMZ host IP address the name is attached to. Then we create the PAT: the nat statement names the real and mapped interfaces (DMZ and Outside), the static public address, the protocol (TCP), and the real port followed by the mapped port, here 443 on the host mapped to 443 on the outside. Swapping the order of those two ports is the classic mistake when they differ.


Now, we’ve got one done, lets get the rest:

(config)# object network openvpn-site2site
(config-network-object)# host
(config-network-object)#  nat (DMZ,Outside) static service udp 7777 7777
(config-network-object)# exit
(config)# object network http-20
(config-network-object)# host
(config-network-object)#  nat (DMZ,Outside) static service tcp www www
(config-network-object)# exit
(config)# object network http-25
(config-network-object)# host
(config-network-object)#  nat (DMZ,Outside) static service tcp www www
(config-network-object)# exit
(config)# object network https-25
(config-network-object)# host
(config-network-object)#  nat (DMZ,Outside) static service tcp https https
(config-network-object)# exit
(config)# object network https-exchange
(config-network-object)# host
(config-network-object)#  nat (DMZ,Outside) static service tcp https https
(config-network-object)# exit
(config)# object network smtp-in
(config-network-object)# host
(config-network-object)#  nat (DMZ,Outside) static service tcp smtp smtp
(config-network-object)# exit
(config)# object network dns-external-1
(config-network-object)# host
(config-network-object)#  nat (DMZ,Outside) static service udp domain domain
(config-network-object)# exit
(config)# object network dns-external-2
(config-network-object)# host
(config-network-object)#  nat (DMZ,Outside) static service udp domain domain
(config-network-object)# exit
(config)# object network external-rdp
(config-network-object)# host
(config-network-object)#  nat (DMZ,Outside) static service tcp 3389 3389
(config-network-object)# exit
(config)# object network external-ssh
(config-network-object)# host
(config-network-object)#  nat (DMZ,Outside) static service tcp ssh ssh
(config-network-object)# exit
(config)# wr mem


Now that we have our host objects and PAT statements, we can create the access list for the outside interface. Two things about 8.3 and later trip people up here: the access list is evaluated against the REAL (untranslated) address, so each entry names the DMZ host’s private address and its real port, not the public one; and the name in access-group has to match the access list exactly or nothing is applied. Each entry logs its hits, and the final explicit deny logs everything else. Then we bind the list to the external interface.

(config)# access-list outside-traffic-inbound extended permit udp any host eq domain log
(config)# access-list outside-traffic-inbound extended permit udp any host eq domain log
(config)# access-list outside-traffic-inbound extended permit tcp any host eq www log
(config)# access-list outside-traffic-inbound extended permit tcp any host eq www log
(config)# access-list outside-traffic-inbound extended permit tcp any host eq 3389 log
(config)# access-list outside-traffic-inbound extended permit tcp any host eq ssh log
(config)# access-list outside-traffic-inbound extended permit tcp any host eq https log
(config)# access-list outside-traffic-inbound extended permit tcp any host eq https log
(config)# access-list outside-traffic-inbound extended permit tcp any host eq https log
(config)# access-list outside-traffic-inbound extended permit udp any host eq 5656 log
(config)# access-list outside-traffic-inbound extended permit tcp any host eq smtp log
(config)# access-list outside-traffic-inbound extended deny ip any any log
(config)# access-group outside-traffic-inbound in interface Outside   ### same name as the access list above
(config)# wr mem
Building configuration...
Cryptochecksum: 7f5a5aab aabeeafa dff03aeb ef264ed5

3404 bytes copied in 1.110 secs (3404 bytes/sec)
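The object-plus-NAT pattern above and the access list that follows it are repetitive and easy to get subtly wrong: a (real,mapped) interface pair that doesn’t match where the host lives, a public address and port claimed by two objects, an ACL entry that names the public instead of the real address, or an access-group whose name doesn’t match the list. As an added example (not from the original post), the Python script below renders the objects, NAT lines and outside ACL from a small service inventory and refuses to emit config when two services claim the same public address, protocol and port. The inventory, the 10.20.0.0/24 DMZ and the 203.0.113.0/24 public block are constructed for the example; the object names follow the post.

```python
"""Generate ASA 8.3+ static PAT objects and the matching outside ACL from an inventory.

Added example, not from the original post. Addresses are constructed
(RFC 5737 / RFC 1918); object names follow the post.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str        # network object name, e.g. "client-openvpn"
    real_ip: str     # the DMZ host (real address)
    mapped_ip: str   # the public address on the Outside interface
    proto: str       # "tcp" or "udp"
    port: int        # same port on both sides, as in the post


# Constructed inventory: 10.20.0.0/24 is the DMZ, 203.0.113.0/24 the public block.
INVENTORY = [
    Service("client-openvpn", "10.20.0.10", "203.0.113.10", "tcp", 443),
    Service("openvpn-site2site", "10.20.0.10", "203.0.113.10", "udp", 7777),
    Service("smtp-in", "10.20.0.25", "203.0.113.11", "tcp", 25),
    Service("dns-external-1", "10.20.0.53", "203.0.113.12", "udp", 53),
    Service("external-ssh", "10.20.0.22", "203.0.113.13", "tcp", 22),
]


def find_collisions(services: list[Service]) -> list[tuple[str, str]]:
    """Two static PATs cannot share one (mapped address, protocol, port) triple.

    Returns (first_name, later_name) pairs for every reuse, in inventory order.
    """
    owner: dict[tuple[str, str, int], str] = {}
    collisions = []
    for s in services:
        key = (s.mapped_ip, s.proto, s.port)
        if key in owner:
            collisions.append((owner[key], s.name))
        else:
            owner[key] = s.name
    return collisions


def render(services, real_if="DMZ", mapped_if="Outside", acl="outside-traffic-inbound"):
    """Return the ASA config as one string; raises ValueError rather than emit colliding PATs."""
    collisions = find_collisions(services)
    if collisions:
        raise ValueError(f"public address/port reused: {collisions}")
    lines = []
    for s in services:
        lines += [
            f"object network {s.name}",
            f" host {s.real_ip}",
            # (real_ifc,mapped_ifc): the host lives in the DMZ, so the pair is (DMZ,Outside);
            # real port first, mapped port second
            f" nat ({real_if},{mapped_if}) static {s.mapped_ip} service {s.proto} {s.port} {s.port}",
        ]
    for s in services:
        # 8.3+: an ACL on the mapped interface matches the REAL address and real port
        lines.append(f"access-list {acl} extended permit {s.proto} any host {s.real_ip} eq {s.port} log")
    lines.append(f"access-list {acl} extended deny ip any any log")
    # access-group must name the list exactly as it was created
    lines.append(f"access-group {acl} in interface {mapped_if}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(INVENTORY))
```

Run it and paste the output into config mode. Numeric ports are used throughout so there is no ambiguity about which service name the ASA maps to which port, and the collision check catches the case the post’s own list runs into when several https objects are put on one public address.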



Fantastic. The process we just went through for DNS into the DMZ works for any other service you run on your network. Running Microsoft Exchange? You’ll want to allow TCP 443 into it. An SSH server? TCP 22 for that. An SMTP reverse proxy for spam filtering? TCP 25 into that.

Well… you get the picture. Just repeat the process! 🙂



Now, to complete a network properly we shouldn’t just let anyone out over any port. There’s no egress filtering going on here. Let’s specify what ports our internal users, as well as our servers, are allowed to communicate on over the internet. The only way that’s going to be possible is to create more network objects and more access lists.



Obviously, there’s no reason to ever be browsing the Internet from a server. Don’t be lazy, just do it right. Start by creating a network object containing either the subnet your Windows servers are on, or, you can just specify the host IP addresses your Windows servers have.

object-group network Windows-Servers
 description Microsoft Windows Servers Group
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host



Now let’s make a network object group containing the most commonly used IP ranges owned and operated by Microsoft (the update and activation ranges your servers actually need to reach):

object-group network Microsoft-Internet
 description Microsoft server networks External IP ranges



Now all we need is an ACL that lets the servers talk outbound, and only to those ranges:

access-list inside-traffic-outbound extended permit tcp object-group Windows-Servers object-group Microsoft-Internet eq www
access-list inside-traffic-outbound extended permit tcp object-group Windows-Servers object-group Microsoft-Internet eq https



Let’s do the same thing for our Linux servers. We have Linux Mint, Debian, and Ubuntu on the network, so we’ll tie them all together: a Linux-Systems group for the servers themselves (built exactly like Windows-Servers above) and a Linux-OS-Updates group for the update mirrors they are allowed to reach:

object-group network Linux-OS-Updates
 description Linux Mint - Debian - and Ubuntu server networks External IP ranges



And again we need to create our ACLs:

access-list inside-traffic-outbound extended permit tcp object-group Linux-Systems object-group Linux-OS-Updates eq www
access-list inside-traffic-outbound extended permit tcp object-group Linux-Systems object-group Linux-OS-Updates eq https



I also talk on a couple of networks like AOL IM, ICQ and Facebook Chat, so my computer needs access out to those servers.

So again create the object group, with the IP Ranges for AOL, ICQ and Facebook:

object-group network aim-icq-fb
 description networks for Facebook, AOL IM and ICQ Instant Messengers



And again, allow traffic out with an ACL:

access-list inside-traffic-outbound extended permit tcp host object-group aim-icq-fb eq aol
access-list inside-traffic-outbound extended permit tcp host object-group aim-icq-fb eq 5222


Also, if you’re running a spam filtering server in your DMZ but your mail server is on your internal network, you’ll need a NAT (and the matching ACL entry for TCP 25) from the DMZ to the internal network. The same process applies.


Also, don’t forget to allow your Exchange server to send mail and your DNS servers to perform lookups (UDP 53 covers the common case; add the same entry for TCP 53 if your resolvers need to retry large, truncated answers over TCP):


access-list inside-traffic-outbound extended permit tcp object https-exchange any eq smtp
access-list inside-traffic-outbound extended permit udp object-group Internal-DNS-Servers any eq domain



Lastly, building the inside-traffic-outbound list does nothing until it is bound to the interface with access-group, exactly as we did for the outside list. And once an ACL is applied to the inside interface, the ASA’s default of letting higher-security traffic out is replaced by that ACL’s implicit deny, so if you want your DMZ or Internal networks to reach the Internet at all, make sure the access list permits it! Haha, you won’t get far without that!
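Object-group and ACL names typed by hand drift apart, and the ASA accepts an access-group that names an ACL which does not exist, or an ACL that references an object-group nobody created, without complaint: the rule simply matches nothing. The following linter is an added example, not part of the original post; it parses an ASA configuration fragment and reports the slips that matter (an access-group bound to an undefined ACL, an ACL referencing an undefined or still-empty object-group, an ACL that is never bound to an interface, and an ACL with no explicit logged deny at the end). The sample configuration is constructed for this example with documentation addresses; the object-group and ACL names in it are assumptions and not taken from any real network.

```python
"""Lint a Cisco ASA config fragment for dangling ACL / object-group references."""
import re
from collections import defaultdict

# Constructed sample (RFC 5737 / RFC 1918 addresses); it is seeded with four
# typical mistakes so the linter has something to find.
SAMPLE_CONFIG = """\
object-group network Windows-Servers
 description Microsoft Windows Servers Group
 network-object host 10.10.20.11
 network-object host 10.10.20.12
object-group network Microsoft-Internet
 description Microsoft server networks External IP ranges
object-group network Linux-OS-Updates
 network-object 198.51.100.0 255.255.255.0
access-list outside-traffic-inbound extended permit tcp any host 203.0.113.10 eq www log
access-list outside-traffic-inbound extended deny ip any any log
access-group outside-traffic-in in interface Outside
access-list inside-traffic-outbound extended permit tcp object-group Windows-Servers object-group Microsoft-Internet eq https
access-list inside-traffic-outbound extended permit tcp object-group Linux-Systems object-group Linux-OS-Updates eq https
"""


def parse_config(text):
    """Return (object_groups, acls, bindings).

    object_groups: name -> list of member lines (description lines excluded)
    acls:          name -> list of (line_no, text) in configuration order
    bindings:      list of (acl_name, interface) from access-group commands
    """
    groups, acls, bindings = {}, defaultdict(list), []
    current = None                      # object-group whose members we are reading
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " ":               # indented line: member of the current group
            if current is not None and not raw.strip().startswith("description"):
                groups[current].append(raw.strip())
            continue
        current = None                  # any top-level line ends the group block
        m = re.match(r"object-group (?:network|service) (\S+)", raw)
        if m:
            current = m.group(1)
            groups.setdefault(current, [])
            continue
        m = re.match(r"access-list (\S+) ", raw)
        if m:
            acls[m.group(1)].append((lineno, raw))
            continue
        m = re.match(r"access-group (\S+) (?:in|out) interface (\S+)", raw)
        if m:
            bindings.append((m.group(1), m.group(2)))
    return groups, dict(acls), bindings


def lint(text):
    """Return a list of human-readable findings; an empty list means clean."""
    groups, acls, bindings = parse_config(text)
    findings = []
    for acl, iface in bindings:
        if acl not in acls:
            findings.append(f"access-group on {iface} binds undefined ACL '{acl}'")
    bound = {acl for acl, _ in bindings}
    for acl in acls:
        if acl not in bound:
            findings.append(f"ACL '{acl}' is defined but never bound with access-group")
    for acl, entries in acls.items():
        for lineno, line in entries:
            for ref in re.findall(r"object-group (\S+)", line):
                if ref not in groups:
                    findings.append(f"line {lineno}: ACL '{acl}' references undefined object-group '{ref}'")
                elif not groups[ref]:
                    findings.append(f"line {lineno}: ACL '{acl}' references empty object-group '{ref}'")
        if "deny ip any any" not in entries[-1][1]:
            findings.append(f"ACL '{acl}' has no explicit final 'deny ip any any log', so drops are not logged")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show running-config` output before `wr mem`; anything it prints is a rule that silently matches nothing or a list that is not actually filtering. The parser only understands the object-group, access-list and access-group lines used in this post, which is enough for a sanity check but not a substitute for a full configuration audit.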


Have fun with this. There’s a million ways to tweak what you’re trying to do!







Serious network architecture that works for everyone.

I started writing this post as a way to set up a reverse proxy for mail inspection, but it turned out that a post on network architecture focused on securing the perimeter was more important. I’ve gone over in my head all the companies that have told me, “Ohhh, we don’t need this,” or, “this is too much administrative overhead,” or, “We don’t need this much complexity, we just manufacture widgets,” or something like that. And to those people I say this: “I am so sick and tired of hearing excuses for why you think it’s okay to be lazy. Do it right, do it now, and save yourself the headaches of a breach.” We’ll talk about the costs of being breached some other time, but it’s EXPENSIVE!

If you’re planning to do this right, you’ll want a multi-tier DMZ for your public-facing services. We’re not talking about internal servers or your internal network at this point (though the exact same concept can be carried out on the internal network too). This post covers proper placement of Internet-facing services. The VAST majority of companies don’t go to this level of sophistication, but it’s totally possible for any company to do, and if you really want to secure your network infrastructure, you’ll at least attempt it.

Before we start, I’ll say this: I’m going to describe this as granularly as I can. There are a TON of intricacies here that need to be thought out. I’ll provide a rudimentary Visio diagram to help, but you’ll need to map out your own network and break it down in a way you understand.

The main point of network segmentation and of building a secure network architecture rests on one of the most talked-about security principles: least privilege. Do your end users need access to databases? To other network services? To file sharing with each other? To shared resources that belong to one specific department (should engineering folks be able to communicate with financial systems)? Please think about the level of access people should have to each service while going through this post.

Your first-level DMZ should house only your front-end web servers (or the load balancers in front of those servers), DNS servers and your proxy servers, nothing more. These systems are extremely visible to the public and will process thousands of requests per day, so if anything happens to them, trust me, people will notice. Remember, these are front-end systems, so you don’t need much of anything out there. I’ll go over how to set those services up in a future post, but for now just remember: least privilege. Internet users don’t need direct access to the web server; they need access to a reverse proxy that inspects the traffic going to the web server(s).

From here, your second tier houses your web servers (if you have load balancers or proxy servers in front of them in tier one), mail servers, SFTP servers, and, if you’re using LDAP or AD, a read-only domain controller (RODC) for authentication (but NO Internet access), and things like that. These systems should use host firewalls as well as the network-layer firewall to control access to them. A web server doesn’t need to talk to anything except the back-end SQL DB and the end user, and the end user only ever arrives through the proxy. So both firewalls should specify that the only systems a tier-two server may talk to are the tier-one server that proxies data to it and, if there is one, the tier-three server behind it.

Then there is an optional third tier for your back-end database servers and any other servers that don’t belong in tier two. When I say optional, I don’t mean throw it away and put SQL over in tier two. I mean, if you don’t have a SQL back end you can eliminate tier three. Another RODC can be placed here for authentication services (again, NO Internet access!). If you’re running MS-SQL or Oracle servers here, service-level authentication (or any other service, for that matter) can authenticate to that RODC. Same goes for tier two.

Lastly, I’ll mention a management network that has access to all three tiers. You’ll obviously have admins (even if it’s just yourself) who need to run updates on those boxes or perform other administrative functions on them. Don’t forget to allow yourself that access. But that doesn’t mean “IP ANY ANY” from the management network into those tiers either! Don’t be LAZY, be smart and do it right.

In my Visio diagram I used some old hardware and multiple physical switches, but don’t forget, you can trunk VLANs and do some pretty cool configurations with Cisco gear, especially the newer ASAs. See it here: DIAGRAM LINK

So in tier one, your DNS server should only service requests from your three DMZs and the Internet. I would say don’t open it up to your internal clients, because you should already have internal DNS servers for Active Directory (or whatever LDAP service you’re using). At most, allow 53/udp inbound to that DNS server from the Internet (plus 53/tcp if you serve answers large enough to be truncated and retried over TCP), and allow SSH inbound to that server from your management network. That’s IT! For your proxy server or load balancer, allow 80/tcp and 443/tcp inbound from the Internet, and from the management network only whatever port the load balancer needs for administration. So in this scenario you have 80/tcp, 443/tcp and 53/udp open from the Internet to tier one. Simple, see?

Tier two only has ports open FROM tier one into tier two (and from the management network into tier two). People out on the Internet will NEVER communicate directly with tier two; there’s just no need.

And lastly, tier three only accepts communications from tier two and the management tier. No end user needs to communicate with the SQL DBs directly, so why let them?

The only thing I’ve left out is the RODCs. What do they communicate with? The way I would set them up is to have the two writable domain controllers in the management network. This should be a totally separate domain from your internal network (ideally its own forest, so nothing in it trusts your internal domain). Name it whatever you want (fubar.dmz or whatever). The RODCs only proxy authentication to that domain; they hold a read-only copy of the directory without account passwords (as long as you don’t let the password replication policy cache them), so there is very little on them to lose.
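The tier rules above boil down to a short list of permitted flows, and everything else is denied. Writing that list down as data has two payoffs: it can be checked mechanically for flows that skip a tier (Internet straight to a database, a web server reaching back out to tier one), and it can be compiled into the ASA object-groups, per-interface access-lists and access-group bindings from the previous post, each list closed with an explicit logged deny. The following is an added example, not code from the original post; the segment names, ASA interface nameifs, host names and addresses (RFC 5737 documentation ranges) are assumptions for illustration, and the flows encode exactly what the post allows: Internet to the tier-one DNS server and proxy, proxy to web server, web server to SQL, and management to each tier on named ports only.

```python
"""Tiered-DMZ flow policy as data: check for tier-skipping, compile to ASA ACLs."""
from collections import defaultdict

# Depth increases left to right; a non-management flow may only step one tier in.
TIER_ORDER = ["Internet", "Tier1", "Tier2", "Tier3"]

# Assumed segments: name -> (ASA nameif, network, mask). Internet has no subnet.
SEGMENTS = {
    "Internet": ("Outside", None, None),
    "Tier1":    ("DMZ1", "192.0.2.0", "255.255.255.240"),
    "Tier2":    ("DMZ2", "198.51.100.0", "255.255.255.240"),
    "Tier3":    ("DMZ3", "198.51.100.16", "255.255.255.240"),
    "Mgmt":     ("Mgmt", "203.0.113.0", "255.255.255.240"),
}

# Assumed hosts: name -> (segment, address)
HOSTS = {
    "dns1":   ("Tier1", "192.0.2.3"),
    "proxy1": ("Tier1", "192.0.2.4"),
    "web1":   ("Tier2", "198.51.100.3"),
    "sql1":   ("Tier3", "198.51.100.19"),
}

# The only permitted flows: (source segment, destination host, protocol, port).
FLOWS = [
    ("Internet", "dns1",   "udp", "domain"),
    ("Internet", "proxy1", "tcp", "www"),
    ("Internet", "proxy1", "tcp", "https"),
    ("Tier1",    "web1",   "tcp", "https"),   # reverse proxy -> web server
    ("Tier2",    "sql1",   "tcp", "1433"),    # web server -> MS-SQL
    ("Mgmt",     "dns1",   "tcp", "ssh"),
    ("Mgmt",     "proxy1", "tcp", "ssh"),
    ("Mgmt",     "web1",   "tcp", "3389"),
    ("Mgmt",     "sql1",   "tcp", "3389"),
]


def is_allowed(src, host, proto, port, flows=FLOWS):
    """Anything not listed is denied; the compiled ACL ends in an explicit deny."""
    return (src, host, proto, port) in flows


def tier_violations(flows=FLOWS):
    """Return flows that skip a tier or point back toward the Internet.

    Management may reach any tier; every other source may only reach the
    tier immediately behind it (Internet -> Tier1 -> Tier2 -> Tier3).
    """
    bad = []
    for src, host, proto, port in flows:
        if src == "Mgmt":
            continue
        dst_tier = HOSTS[host][0]
        if TIER_ORDER.index(dst_tier) != TIER_ORDER.index(src) + 1:
            bad.append((src, host, proto, port))
    return bad


def compile_asa(flows=FLOWS):
    """Emit object-groups, one inbound ACL per ingress interface, and the bindings."""
    lines = []
    for name, (_, net, mask) in SEGMENTS.items():
        if net is not None:
            lines += [f"object-group network {name}", f" network-object {net} {mask}"]
    per_iface = defaultdict(list)
    for src, host, proto, port in flows:
        iface = SEGMENTS[src][0]
        src_spec = "any" if SEGMENTS[src][1] is None else f"object-group {src}"
        dst_addr = HOSTS[host][1]
        per_iface[iface].append(
            f"access-list {iface}-in extended permit {proto} {src_spec} host {dst_addr} eq {port} log")
    for iface, entries in per_iface.items():
        lines += entries
        lines.append(f"access-list {iface}-in extended deny ip any any log")   # log what we drop
        lines.append(f"access-group {iface}-in in interface {iface}")
    return lines


if __name__ == "__main__":
    assert not tier_violations(), tier_violations()
    print("\n".join(compile_asa()))
```

Each ACL is applied with `access-group ... in interface`, so it filters traffic entering the ASA from that segment; return traffic for permitted connections is handled by the stateful inspection and needs no reverse rule. Adding a flow such as Internet to sql1 makes `tier_violations()` non-empty, which is the point: the check fails before the rule is ever pushed to the firewall.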

So that’s really about it. If you’ve got any questions, contact me via my LinkedIn profile. There’s a link to that right on my home page near the bottom of the left column.


Enjoy!! 🙂


Cisco Fun

So, I decided to go back to school (after 3 or so semesters off) and take some fun classes. Last time I went I was stuck in some shit Liberal Arts classes. I won’t bore you with that. So this semester I’m taking Red Hat Admin 1, which I’m flying through at an obscene rate, and Cisco Security 1. Now, when I started college back in fall of 2002, I started with CCNA classes. I loved them; took 8 semesters of Cisco CCNA and CCNP courses. So it’s been a while, but I figured I should take some new Cisco classes.

Well, it’s been great so far. Tonight, in my home lab I hooked up my 2600 routers and did some labs on password resets (easy, but good to know), and I also hooked up my 2 Cisco PIX 515’s and learned how to do a password reset on those too.

Now I learned that both of my PIX firewalls are still running 5.3 software… these things are from the stone age!!!

Also in my quest was working on some client work. They have an ASA 5510. In working on that, I thought to update my 5505. It’s been a while, so I went through and reconfigured a bunch of stuff. In the process I figured out it only supports 3 VLANs. Two of those are for the Inside and Outside networks and a third, DMZ-type VLAN that isn’t allowed to initiate communications to any other VLAN. Come on Cisco, this is ridiculous. I need something with a serious amount of more horsepower and abilities.

The ASA 5505 is probably great for some people, but not me. Anyone out there interested in buying this thing? It’s a couple years old but I have the 8.4 software on it and am willing to sell it at a good price!

