Reverse SSH by EtherealMind
It's finally been done! Greg Ferro at EtherealMind has put together a GREAT tutorial on reverse SSH. Now if I could only get enough memory on this 3640 to do it here at Ascolta! At any rate, nice job Greg!
So it's no secret that the Cisco ASA code versions 8.0(2) and 8.0(3) have been out for a bit. What's the big deal if you are an SNPA student? To start, let's take a look at what is currently in SNPA version 5.0:
- Basic Configuration: addressing and address translation
- Access-lists: what can pass through this machine
- AAA: who are you? What can you do? What did you do?
- Routing and Switching: static routes, OSPF, RIP, VLANs, multicast routing
- Modular Policy Framework: the real power of the ASA
- IPSec VPN: site-to-site and "Easy" VPN
- SSL VPN: the new wave of VPN using a web browser
- Failover: for redundancy
- Transparent Firewalls: hides the firewall
- ASDM: the GUI interface
- IPS Module: really covered in the IPS class; here it is only getting the ASA to talk to the module
- System Maintenance: license keys, upgrades, backup
Now let's look at some of the new 8.x stuff:
- The bulk of the new features relate to VPN, with some other enhancements to firewall features.
- AnyConnect VPN: a VPN client that works on Vista, Mac, Linux, etc.
- EIGRP, just like on the routers
- TLS Proxy for encrypted voice inspection, a new part of the Modular Policy Framework
- NAC
- Threat Detection: a new feature in the code that detects attacks and scans automatically and alerts you when it sees them
- Secure Logging, a feature many people will be interested in
- Interface Redundancy: kind of like sub-interfaces, but not
- HA Remote Command Execution: lets you execute commands on a remote device when doing Active/Active failover
- IPS virtualization: the ASA can use more than one IPS device (handy when in multiple context mode)
- Transparent Mode NAT: now you can do NAT when operating in transparent mode
- Object Group enhancements, including a new service object
- Live hit count on ACLs in ASDM, which is just a really cool feature
- Local CA Server
- and finally User Differentiation, which lets you differentiate between local users and remote-access users
So again, what's the big deal? It's a big deal because there are a number of enhancements that are not covered in the current SNPA course nor on the exam... but they will be soon!
10 things you need to know about getting your CCNA!
- You have to take the exam at a Pearson VUE test center. Obvious one I know, but realize this, a year ago you could use both Prometric as well as Pearson VUE. Today, Prometric has been dropped because of cheating issues so you have to use Pearson VUE, same company as Pearson Education; these are the folks that publish Cisco Press books. Coincidence? Nah!
- The exam DOES have simulations on it, so be familiar with them. You can get an overview of the test engine on the Cisco Web Site. Don't waste time at the test center trying to figure it out.
- If you don't have a login to the Cisco Web Site you should get one. Why? Because it gets you access to the CCNA Prep Center. It's free, so sign up!
- Cisco wants you to pass the test. Why? Because you will be likely to continue using and recommending their products as well as continuing with more certifications like the CCNP, CCSP, CCVP and so on.
- You can learn the same material in just about any book you buy but nothing will compare to Instructor-led training. I prepared with the Sybex book years ago. NOTHING made any sense. Much of the background and context was lost. Once I had an instructor in front of me to answer the background and context questions it all came together.
- You can learn everything from reading alone, but it will be easier if you practice on real equipment. When you do it, you remember it. Simple fact. I suggest a simulator for the CCNA level stuff. You can also get labs on eBay for a fair price that you can add equipment to as you further your certification level. All you need for the CCNA is a switch and a router. Actually, 2 switches. There is an emulator out there, but there are two critical flaws in it: 1) you currently can't emulate a switch, and 2) you have to get your own IOS using a login to a CCO account. A CCO account is a login to Cisco Connection Online (CCO).
- Your time doesn't start until you start clicking around in the interface.
- You can ask for more paper. You have to give it back when you are done and most places give you a laminated sheet and dry erase now.
- If you have any memory charts write them down before you start the test. This way it doesn't cut into your time.
- Take the combined exam because in the end you get fewer questions. Really Cisco split up the certification into two exams but it hasn't always been that way. In the past it was one exam with all the material on it. You can spend the money to take both exams but I wouldn't.
I'm sure there are more, but off hand this is my list. Feel free to use the comments to add your own tips, and don't forget to subscribe to this blog's feed for more CCNA tips, tutorials, and recommendations.
How-to: MPF on ASA to deny FTP Commands.
Well, enough of that. So that you actually gain some sort of knowledge from this post, I've decided to stick with some Modular Policy Framework today. The following config is related to FTP protocol inspection:
Start by making an FTP connection through the ASA. With default values it should work. You'll need to download a file to make sure that both the data channel and the control channel are working properly (the default "inspect ftp" is what opens the pinholes for the data channel, so if the login works but the transfer hangs, check that FTP inspection is enabled before going any further).
Next, create a policy-map type inspect for FTP. This is where you specify the commands you want to deny. In this case we are going to say that the "get" command is not allowed. If a "get" is matched, the action to be performed is a reset.
MyAsa(config)# policy-map type inspect ftp BLOCK_GET
MyAsa(config-pmap)# match request-command get
MyAsa(config-pmap-c)# reset
MyAsa(config-pmap-c)# exit
MyAsa(config-pmap)# exit
Next you want to apply the inspection policy map, but you can't apply it all by itself. You have to apply it from within a L3/L4 policy map. In the following configuration we are going to use the existing "global_policy" to apply our reset to FTP. You'll enter the class inspection_default, which is what the ASA uses to identify FTP traffic on TCP port 21. Use the "inspect" command to tell the ASA to inspect FTP, add the "strict" option, and tie it to the policy-map type inspect that we created earlier. One caveat: "strict" makes the ASA enforce RFC-compliant command/response sequencing on the control channel (a client has to wait for the server's reply before sending the next command, and embedded commands get dropped), which some non-compliant clients and servers will not survive, so test it against the clients you actually have.
MyAsa(config)# policy-map global_policy
MyAsa(config-pmap)# class inspection_default
MyAsa(config-pmap-c)# inspect ftp strict BLOCK_GET
MyAsa(config-pmap-c)# exit
MyAsa(config-pmap)# exit
MyAsa(config)#
The way you test this is by dropping the FTP connection you had up and establishing it again. The control connection should come up and you can log in, so it looks like it works, but as soon as you try to grab a file the FTP client sends the retrieve command (the "get" the ASA is matching) and the connection is reset. Use the following show command to verify:
MyAsa(config)# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
<—-text omitted—–>
Inspect: ftp strict BLOCK_GET, packet 105, drop 0, reset-drop 12
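The same mechanism generalizes to a whole read-only download policy. The following is an added example, not config from the original post: it denies every FTP command that writes to or rearranges the server's filesystem, denies transfers of files whose name contains ".exe" via a regex object, masks the server banner and SYST reply so the ASA doesn't leak the server software to clients, and then ties it to the same global_policy. The policy-map name BLOCK_WRITES, the regex name EXE_NAMES and the prompt are assumptions; the command keywords are the ones the ASA FTP inspection policy map accepts.

```cisco
! Added example (not from the original post). Names BLOCK_WRITES and
! EXE_NAMES are hypothetical. ASA 8.0(x) syntax.
!
! Regex object used by the inspection policy map: case-insensitive ".exe"
! anywhere in the filename (no end-of-string anchor, so tighten as needed).
regex EXE_NAMES "\.[Ee][Xx][Ee]"
!
policy-map type inspect ftp BLOCK_WRITES
 parameters
  ! Hide the greeting banner and the reply to SYST from FTP clients.
  mask-banner
  mask-syst-reply
 ! Deny every command that writes to or reshapes the server filesystem.
 ! (get, cdup, help, site are left alone so downloads still work.)
 match request-command appe dele mkd put rmd rnfr rnto stou
  reset
 ! Deny transfers, in either direction, of files named like executables.
 match filename regex EXE_NAMES
  reset
!
! Hook the inspection policy map into the existing L3/L4 policy map.
policy-map global_policy
 class inspection_default
  inspect ftp strict BLOCK_WRITES
```

Before trusting the regex, check it from enable mode with `test regex "README.EXE" "\.[Ee][Xx][Ee]"` (the ASA reports whether the input matched), and after applying the policy use `show service-policy inspect ftp` to watch the reset-drop counter climb as a client tries a PUT or an .exe download. Remember that this only works because the FTP control channel is cleartext: FTPS (FTP over TLS) hides the commands from the ASA entirely and will simply fail through "inspect ftp", so decide how you want to handle it rather than discovering it in production.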
That's it for today. Don't forget to subscribe to this blog for more how-tos like this.
IE-WB-2 Lab 1. I'm finally digging in.
At any rate, I went at it until 10:40pm and my eyes are hazy. My wife is asleep on the couch and my newborn (3 weeks old) is getting fussy. Time to wake up Mom.
Before I go, however, here are the highlights from what I did: general setup, easy stuff with the PIX, basic ACLs and such, a failover config on the ASA and some OSPF authentication. No rack time until Wednesday. Tuesday night I'll watch some Advanced Technologies CoD.
Bed Time…
E-Learning: Is it worth it?
Today I am supposed to be teaching an online class. The problem is that the agenda isn't working and I have no slides to present. You would think that this is a no-brainer, but it's not. Probably because we use a system called Centra Symposium. Not the greatest environment I've worked in; however, from an instructor's perspective, here is my take:
On the Plus Side:
- It has great tools; that's a plus
- Whiteboard
- Web Safari
- Markup for slides
- It has chat in addition to VoIP
On the negative side:
- It's hard to manage a class on the backend.
- All slides need to be uploaded ahead of time. An instructor can't use his or her own slides.
- You can mark up a slide and save it to the agenda on the fly, but it gets lost at the end of the agenda.
I'm sure there is more, but I'll leave it at that. But what about the others? Personally I have used Adobe Connect, Microsoft Live Meeting, and MeetingPlace. They all have their strong points. The one I like the least is MeetingPlace. The one I like the best is Microsoft Live Meeting 8, as it has the ease of grabbing my own slides and the audio seems to be good.
As far as Adobe Connect goes, I have a mixed review. As an instructor I didn't like it because my audio seemed to fade in and out. As a student I took the CCIE Bootcamp from Internetwork Expert and they did a GREAT job. The interface was smooth and I didn't have any issues. The voice quality was good and I really enjoyed the experience.
Well, that's my rant for now. Feel free to comment. I'd love to know what you think or what your experiences have been. Also, don't forget to subscribe if you haven't already.
CCIE Security Revision Coming Soon?
It looks like changes are coming soon for the CCIE Security. For me, when I heard this this morning it was a big "Uh, oh!" I guess it's inevitable.
Yusuf Bhaiji, the Program Manager for the CCIE Security, is hosting an "Ask the Expert" over on the Cisco NetPro Forums. When asked about the NAC appliance and MARS, he responds with the following:
“If you are asking about the new revision and update in the lab exam, all I can tell you is that we are working on it; a final announcement is yet to be made. The announcement will provide complete details for the new v3.0 blueprint and the new hardware and software revisions. “
This is both good and bad for me. I am scheduled for my exam in August, so I should be OK with the 6-month buffer they give you to take the old exam. Is this going to affect your efforts? Do you think it's about time for an update? Feel free to comment, and don't forget to subscribe to my blog by clicking the banner on the top left side of this page!
That's it for now, but believe me, I will be following this topic.
My First Book Still Makes the List
It's been 4 years since I wrote the AAA book and it still makes it onto the CCIE recommended reading list, which is funny to me since I have yet to take the test myself. People have asked me why I haven't updated it. The reason is that it is still accurate. There isn't anything in it that really changed; of course more capabilities have been added since, but for now it will remain un-updated. Besides, where am I going to find the time? I have written the CCSP Quick Reference Sheets (with the exception of IPS) and I am currently writing a wireless manuscript to be released later this year.
Anyhow, it's still nice to see it on the recommended list.
mnemonics are cool!
Greg at EtherealMind posted a memory tool: mnemonics to remember the OSI model. I love the idea, and as an instructor it's good to have a few handy. Here is what I have come up with over the past few years as a trainer, for BGP best-path selection and the OSI model. Some are from GroupStudy and others I have just heard.
We – weight
Love – local preference
Old – originate
Apples – as-path
Oranges – Origin
&
Mangos – MED
Really – router-id
or
“We Love Oranges AS Oranges Mean Pure Refreshment”
W Weight (Highest)
L Local_Pref (Highest)
O Originate (local originate)
AS As_Path (shortest)
O Origin Code (IGP < EGP < Incomplete)
M MED (lowest)
P Paths (External Paths preferred Over Internal)
R Router ID (lowest)
Then there is this one from GroupStudy:
Discard all Worries before Leaving Rome As the Original Mis-information Sound’s like a Neighbor’s Idea.
Discard = DISCARD unreachable next hop.
Worries= highest WEIGHT
Leaving=highest LOCALpreference
Rome=Originated on this ROUTER
As=shortest AS_PATH
Original=ORIGIN code
Mis-information=lowest MED
Sound=SOURCE (external or internal)
Neighbor's=closest IGP NEIGHBOR
Idea=lowest router ID
And I also thought of this one for the OSI data units:
Don't Sell People Fake Bananas
Data, Segments, Packets, Frames, Bits.
That's all I got. I'm spent.
SNPA READING LIST
Here are my recommendations for the CCSP SNPA prep.
I know the Quick Reference Sheets are really good! The ECG is a big help if you want something that explains it in detail.

