Sunday, July 9, 2017

Installing Firepower on Cisco ASA

The Cisco ASA FirePOWER installation process is a little complicated and requires several steps, which this post walks through in order.


First, have a look at the simple topology:

Part 1: installing the FMC [Firepower Management Center, formerly FireSIGHT Management Center] VM

You can download the .ovf package from Cisco.com and deploy it with the vSphere client; the appliance itself is Linux-based.
The following steps deploy it on ESXi:

  1. Open the vSphere client.
  2. Go to File > Deploy OVF Template.
  3. Browse to the .ovf file on your computer.
  4. Click Next.
  5. Choose thin provisioned as the disk format.
  6. Choose a name for the VM, for example [FireSight VM].
  7. Choose the datastore on your host.
  8. Select the network mapping.
  9. Finish, then power it on.

Note: the OVF template already has CPU, memory and disk allocated for the VM, so there is no need to allocate resources by hand.


Installation Process:

  1. After powering on the VM, wait for the boot countdown to finish.
  2. Once the machine is up, log in with the username admin and the password Admin123.
  3. To get a root shell, run sudo su -  (the password is again Admin123).
  4. The FMC needs an IP address, and you must be root to change its network settings.
  5. As root, run #configure-network; it walks you through the settings:
     1. IPv4 address
     2. Subnet mask
     3. Gateway
The network settings are then updated.

NOTE: the FMC needs to reach the Internet (for updates, among other things), so permit its IP address on the firewall and add a route for it under static routing.

Once that is done, browse to the FMC, for example https://172.16.14.50, and log in. Change the default admin password at this point: Admin123 is the published default.

NOTE: on the ASA, the Management interface needs to be shut down and its IP address removed.

Part 2: uploading the Cisco Firepower boot image and system package to the firewall and installing them

You will need the following:
  1. A stable ASA software release recommended by Cisco (the ASA image itself; the failover output below shows it as 9.6(3)1). I used IOS 9.6.3.1, which was recommended by Cisco.
  2. The ASASFR boot image (a ".img" file).
  3. The ASASFR system package (a ".pkg" file).
  4. An FTP server, used to upload the .img to the firewall and the .pkg to the SFR.
  5. A TFTP server, used to upload the ASA software image to the firewall.

Installing the Cisco Firepower boot image (.img):

  1. Upload the boot image to disk0:/ on the firewall; the firewall must, of course, have an SSD installed for the module.
  2. Copy the exact full file name of the image, for example "asasfr-5500x-boot-6.2.0-2.img".

Before you start installing the SFR, make sure any existing software module is shut down and uninstalled:

  1. Shut down the IPS module and uninstall it.
  2. Shut down the CXSC module and uninstall it.
  3. Shut down any existing SFR module and uninstall it.


This is done with the commands:
#sw-module module ips shutdown
#sw-module module ips uninstall
#sw-module module cxsc shutdown
#sw-module module cxsc uninstall
#sw-module module sfr shutdown
#sw-module module sfr uninstall

Confirm with #show sw-module that the modules show as "DOWN" before you continue.

After that, install the boot image you already uploaded to disk0:/ with the following commands:

#sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.2.0-2.img
#sw-module module sfr recover boot
[you can enable #debug module-boot to follow the boot process on the console]

NOTE: the boot takes about 15 minutes, so don't rush it!

Once the boot image is up, you need to log in to the SFR and give it an IP address so that the package file can be uploaded to it over FTP:
#session sfr console   [note: if the boot has not finished, this command will not work yet]
Log in to the SFR console with the username admin and the password Admin123.

Now configure it: asasfr-boot> setup
You will be prompted for the IPv4, IPv6, NTP, DNS and domain settings and so on, and finally asked whether to apply them (y/n).

After finishing setup, the boot image has a reachable IP address, so you can transfer the package to it and install it.

Use an FTP server such as FileZilla Server for the transfer: place the package file in its directory and create a username and password that the SFR will use to reach your FTP server and fetch the file.

Then, from the boot image: asasfr-boot> system install ftp://username:password@IP-address/ASASFR.pkg
The transfer takes some time because the package is large. (FTP carries the credentials and the package in cleartext; outside a lab, an http:// or https:// URL, which system install also accepts, is the better choice.)

When the upload finishes, the SFR starts extracting the package.

You will be asked whether you want to upgrade; answer "Y" and press Enter.

NOTE: this step also takes up to 15 minutes, so don't rush it!

After this finishes, and if everything is ok, check the result with #show module sfr (the module should be Up):

FMC-ASA# show module sfr

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.2.0-362

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
 sfr Up                 Up




Also check #show failover; the SFR card must appear there in the Up/Up state on both units:

Last Failover at: 18:16:40 AST Jul 6 2017
        This host: Primary - Active
                Active time: 241396 (sec)
                slot 0: ASA5512 hw/sw rev (1.0/9.6(3)1) status (Up Sys)
                  Interface Outside (X.X.X.X): Normal (Monitored)
                  Interface Inside (10.211.250.253): Normal (Monitored)
                  Interface DMZ (172.16.16.253): Normal (Monitored)
                slot 1: SFR5512 hw/sw rev (N/A/6.2.0-362) status (Up/Up)
                  ASA FirePOWER, 6.2.0-362, Up, (Not-Monitored)
        Other host: Secondary - Standby Ready
                Active time: 402 (sec)
                slot 0: ASA5512 hw/sw rev (1.0/9.6(3)1) status (Up Sys)
                  Interface Outside (X.X.X.X): Normal (Monitored)
                  Interface Inside (10.211.250.252): Normal (Monitored)
                  Interface DMZ (172.16.16.252): Normal (Monitored)
                slot 1: SFR5512 hw/sw rev (N/A/6.2.0-362) status (Up/Up)
                  ASA FirePOWER, 6.2.0-362, Up, (Not-Monitored)


NOTE: you may run into trouble if the SFR module is in a different state on the active unit than on the standby (for example, installed and Up on one while the other is still recovering). In that case run this on the active unit:
#no monitor-interface service-module   [this matters: with service-module monitoring on, the mismatch can make the standby ASA take over and break connections; it is also why the module shows as (Not-Monitored) in the output above]
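As an added check (example code written for this post, not part of the original or of Cisco's tooling), the script below parses show failover output and reports whether the SFR module is present, Up/Up and at the same software version on both units, which is the condition under which turning service-module monitoring back on is safe. The sample output is built from the excerpt above, trimmed to the lines the parser needs; the second sample, where the standby shows no SFR slot at all, is constructed to show the failing case. The regular expressions assume the line layout seen in that excerpt.

```python
"""
Pre-flight check over `show failover` output before re-enabling
`monitor-interface service-module`: both units must show the SFR module
Up/Up at the same software version.
"""
import re
from typing import Dict, List, Optional

# Constructed from the show failover excerpt in the post (trimmed).
SAMPLE_SHOW_FAILOVER = """\
Last Failover at: 18:16:40 AST Jul 6 2017
        This host: Primary - Active
                Active time: 241396 (sec)
                slot 0: ASA5512 hw/sw rev (1.0/9.6(3)1) status (Up Sys)
                  Interface Outside (X.X.X.X): Normal (Monitored)
                  Interface Inside (10.211.250.253): Normal (Monitored)
                slot 1: SFR5512 hw/sw rev (N/A/6.2.0-362) status (Up/Up)
                  ASA FirePOWER, 6.2.0-362, Up, (Not-Monitored)
        Other host: Secondary - Standby Ready
                Active time: 402 (sec)
                slot 0: ASA5512 hw/sw rev (1.0/9.6(3)1) status (Up Sys)
                  Interface Outside (X.X.X.X): Normal (Monitored)
                  Interface Inside (10.211.250.252): Normal (Monitored)
                slot 1: SFR5512 hw/sw rev (N/A/6.2.0-362) status (Up/Up)
                  ASA FirePOWER, 6.2.0-362, Up, (Not-Monitored)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\S+)\s*-\s*(.+?)\s*$")
SLOT_RE = re.compile(r"^\s*slot (\d+):\s*(\S+) hw/sw rev \((.+?)\) status \((.+?)\)\s*$")
APP_RE = re.compile(r"^\s*ASA FirePOWER,\s*(\S+),\s*(\w+),\s*\((Not-)?Monitored\)\s*$")


def parse_failover(output: str) -> Dict[str, dict]:
    """Return {'this': {...}, 'other': {...}} with role, state and per-slot module info."""
    hosts: Dict[str, dict] = {}
    current: Optional[str] = None
    last_slot: Optional[int] = None
    for line in output.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(1).lower()          # "this" or "other"
            last_slot = None
            hosts[current] = {"role": host.group(2), "state": host.group(3), "modules": {}}
            continue
        if current is None:
            continue
        slot = SLOT_RE.match(line)
        if slot:
            last_slot = int(slot.group(1))
            hosts[current]["modules"][last_slot] = {
                "model": slot.group(2), "hw_sw": slot.group(3), "status": slot.group(4)}
            continue
        app = APP_RE.match(line)                      # the "ASA FirePOWER, ..." detail line
        if app and last_slot is not None:
            hosts[current]["modules"][last_slot].update(
                app_version=app.group(1), app_status=app.group(2),
                monitored=app.group(3) is None)       # "(Not-Monitored)" -> False
    return hosts


def sfr_module(host: dict) -> Optional[dict]:
    """The SFR slot of one unit, or None when the unit shows no SFR module."""
    for mod in host["modules"].values():
        if mod["model"].startswith("SFR"):
            return mod
    return None


def service_module_check(output: str) -> dict:
    """
    Verdict: ok only when both units show the SFR Up/Up at the same version.
    'monitored' reports whether service-module monitoring is currently on,
    which is when a mismatch would trigger a failover.
    """
    hosts = parse_failover(output)
    this = sfr_module(hosts.get("this", {"modules": {}}))
    other = sfr_module(hosts.get("other", {"modules": {}}))
    problems: List[str] = []
    if this is None or other is None:
        problems.append("SFR module missing on one unit")
    else:
        if this["status"] != "Up/Up" or other["status"] != "Up/Up":
            problems.append(f"SFR not Up/Up on both units: this={this['status']} other={other['status']}")
        if this.get("app_version") != other.get("app_version"):
            problems.append("ASA FirePOWER version differs between units")
    monitored = any(m is not None and m.get("monitored", False) for m in (this, other))
    return {"ok": not problems, "problems": problems, "monitored": monitored}


def standby_without_module(output: str) -> str:
    """Constructed variant: the standby unit has no SFR slot yet (module still being installed)."""
    lines = output.splitlines()
    split = max(i for i, line in enumerate(lines) if "Other host" in line)
    kept = [line for i, line in enumerate(lines)
            if i <= split or not ("slot 1" in line or "ASA FirePOWER" in line)]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print(service_module_check(SAMPLE_SHOW_FAILOVER))
    print(service_module_check(standby_without_module(SAMPLE_SHOW_FAILOVER)))
```

Run it against show failover copied from the active unit. If "ok" is false, leave service-module monitoring disabled until both modules are Up/Up at the same version; if "monitored" is already true on a mismatched pair, issue no monitor-interface service-module first.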



OK, once the SFR card is Up you can start configuring it:
#session sfr       [username admin, password Admin123]

Now set the IP addresses for the SFR itself [note: the addresses configured earlier belonged to the boot image, not to the installed SFR system].
These addresses are what the FirePOWER ("SourceFire") module uses to talk to the FMC (FireSight).




Now, let's connect the Cisco Firepower module to Cisco FireSight (the FMC):

  1. SSH to the IP address of the SFR module, "172.16.14.51".
  2. Log in with the username admin and the default password Admin123.
  3. Run the command system> configure manager add 172.16.14.50 cisco1234
     (where 172.16.14.50 is the FireSight server and cisco1234 is the registration key shared between the two systems).
  4. On 172.16.14.50 (FireSight) go to Devices > Device Management > Add Device.
  5. Fill in the Firepower module's details (its IP address and the same registration key), then click Register.

Meanwhile you can use the Firepower command line to check whether the registration completed:
system> show managers  and see whether the status is Completed or still Pending.

Admin123 is Cisco's published default, so change the admin password on the module and on the FMC once you are in, and use a long random registration key rather than something guessable like cisco1234.








Hope this was useful!

Samer R. Saleem






















Sunday, July 2, 2017

OSPF DR/BDR Election Manipulation- quick review

The DR/BDR is a very important part of the broadcast and non-broadcast multi-access OSPF network types: the DR receives the router LSAs (LSA type 1) from the routers on the segment and originates the network LSA (LSA type 2) that describes the segment to all of them. Please note that the information below is my notes, written down during my study for the CCIE.

The DR/BDR is elected per interface, so each VLAN/interface can have a different DR/BDR from the others.
You can favour a router in the election with #ip ospf priority 255 [255 is the maximum]; a priority of 0 means the router (on that interface) will not participate in the election at all.

The DR is chosen by highest priority, then highest router ID (which, unless set manually, is the highest loopback IP, or the highest physical interface IP if there is no loopback).
DR/BDR election happens only on the broadcast and non-broadcast network types.

NOTE: preemption is not supported, so a router with a better priority must wait for the DR to fail before it can take over.
NOTE: if no router has declared itself DR, the router elects itself: it becomes BDR and is then promoted to DR, after which a fresh BDR is elected (0.0.0.0 if nobody else is eligible).


You can watch the election with #debug ip ospf adj [shut down the DR router and watch the debug messages]:
*Jul  1 17:43:06.361: OSPF-1 ADJ   Et0/0: Neighbor change event
*Jul  1 17:43:06.361: OSPF-1 ADJ   Et0/0: DR/BDR election
*Jul  1 17:43:06.361: OSPF-1 ADJ   Et0/0: Elect BDR 150.1.1.1
*Jul  1 17:43:06.361: OSPF-1 ADJ   Et0/0: Elect DR 150.1.1.1
*Jul  1 17:43:06.361: OSPF-1 ADJ   Et0/0: Elect BDR 0.0.0.0
*Jul  1 17:43:06.361: OSPF-1 ADJ   Et0/0: Elect DR 150.1.1.1

On a hub-and-spoke segment a spoke reaches the Full state only with the DR, so the hub must be configured as the DR for every spoke to form a full adjacency with it.
Because the spokes cannot talk OSPF to each other directly, a spoke only forms full adjacencies with the DR and the BDR.
If a spoke becomes DR, the OSPF database will be broken and the routing will be incomplete.
That's why you need to make sure the priority of all spokes is set to 0.

NOTE: both the DR and the BDR receive LSA type 1 from the routers on the segment, but only the DR floods the information back to the rest of the network. So if R5 (the hub) were BDR but not DR, the OSPF DB would be broken:
for example, R2 sends its LSA 1 to R5 and R4, but only R4 (the DR) may flood it to all the routers, and since R4 is not the hub it cannot reach them, so the process fails.

NOTE: when you hear that the OSPF DB is broken, think about where the DR sits in the network.
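The election rules in these notes, as an added example (my own code, not from the post or from Cisco): a simplified implementation of the RFC 2328 section 9.4 DR/BDR election. It reproduces the two-round "Elect BDR / Elect DR" sequence from the debug output above when the DR fails, shows why a newcomer with priority 255 cannot preempt an existing DR, and shows a spoke taking the DR role on a hub-and-spoke segment until the spokes are set to priority 0. The router IDs and scenarios are constructed, except 150.1.1.1, which is the one in the debug output.

```python
"""
Simplified OSPF DR/BDR election (RFC 2328 section 9.4). Each Router carries
what it advertises in its own Hello: priority, plus the DR and BDR it
currently claims (0.0.0.0 = none). Rules: priority 0 never participates,
highest priority wins, ties go to the highest router ID, and an existing DR
is never preempted.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NONE_RID = "0.0.0.0"        # OSPF's "no DR / no BDR" value, as in the debug output


@dataclass
class Router:
    rid: str
    priority: int = 1
    dr: str = NONE_RID      # DR this router claims in its Hello
    bdr: str = NONE_RID     # BDR this router claims in its Hello


def rid_key(rid: str) -> Tuple[int, ...]:
    """Compare dotted-quad router IDs numerically, not as strings."""
    return tuple(int(octet) for octet in rid.split("."))


def best(candidates: List[Router]) -> Optional[Router]:
    """Highest priority, then highest router ID; None if there is nobody."""
    return max(candidates, key=lambda r: (r.priority, rid_key(r.rid)), default=None)


def elect(routers: List[Router]) -> Tuple[str, str]:
    """One election pass; returns (DR, BDR) router IDs."""
    eligible = [r for r in routers if r.priority > 0]
    # BDR: routers claiming to be DR are excluded. Prefer routers already
    # claiming BDR; otherwise the best remaining eligible router.
    not_dr = [r for r in eligible if r.dr != r.rid]
    bdr = best([r for r in not_dr if r.bdr == r.rid]) or best(not_dr)
    # DR: only routers claiming DR are considered; if none does, the BDR is
    # promoted. A newcomer never claims DR while one exists: no preemption.
    dr = best([r for r in eligible if r.dr == r.rid]) or bdr
    return (dr.rid if dr else NONE_RID, bdr.rid if bdr else NONE_RID)


def run_election(routers: List[Router]) -> List[Tuple[str, str]]:
    """
    Full election: a first pass, plus a second pass when the first promoted
    the BDR to DR, which is the pair of "Elect BDR / Elect DR" rounds in the
    debug output. Returns the (DR, BDR) result of each pass.
    """
    passes = [elect(routers)]
    dr, bdr = passes[0]
    if dr != NONE_RID and dr == bdr:
        for r in routers:               # the promoted router now claims DR
            if r.rid == dr:
                r.dr, r.bdr = dr, NONE_RID
        passes.append(elect(routers))
    dr, bdr = passes[-1]
    for r in routers:                   # everyone converges on the same view
        r.dr, r.bdr = dr, bdr
    return passes


def dr_failure_demo() -> List[Tuple[str, str]]:
    """DR 150.1.2.2 just failed; 150.1.1.1 was BDR, 150.1.3.3 has priority 0 (constructed)."""
    segment = [
        Router("150.1.1.1", priority=1, dr="150.1.2.2", bdr="150.1.1.1"),
        Router("150.1.3.3", priority=0, dr="150.1.2.2", bdr="150.1.1.1"),
    ]
    return run_election(segment)   # [('150.1.1.1', '150.1.1.1'), ('150.1.1.1', '0.0.0.0')]


def no_preemption_demo() -> Tuple[str, str]:
    """A priority-255 router joins a segment that already has a DR and BDR (constructed)."""
    segment = [
        Router("150.1.1.1", priority=1, dr="150.1.1.1", bdr="150.1.3.3"),
        Router("150.1.3.3", priority=1, dr="150.1.1.1", bdr="150.1.3.3"),
        Router("150.1.9.9", priority=255),   # claims nothing: it waited and heard the others
    ]
    return run_election(segment)[-1]   # ('150.1.1.1', '150.1.3.3'): the newcomer gets nothing


def hub_spoke_demo(spoke_priority: int) -> Tuple[str, str]:
    """Hub 150.1.2.2 and two spokes boot together; spokes get the given priority (constructed)."""
    segment = [
        Router("150.1.2.2", priority=1),
        Router("150.1.4.4", priority=spoke_priority),
        Router("150.1.5.5", priority=spoke_priority),
    ]
    return run_election(segment)[-1]


if __name__ == "__main__":
    for step, (dr, bdr) in enumerate(dr_failure_demo(), 1):
        print(f"pass {step}: Elect BDR {bdr}  Elect DR {dr}")
    print("newcomer with priority 255:", no_preemption_demo())
    print("spokes at priority 1 (a spoke becomes DR):", hub_spoke_demo(1))
    print("spokes at priority 0 (hub is DR):", hub_spoke_demo(0))
```

The model leaves out the Wait timer and the RFC's general "repeat if my own status changed" rule; the priority-255 router is represented as having already heard the existing DR and BDR, which is the situation after its Wait timer expires. With equal priorities the highest router ID wins, which is why the spoke 150.1.5.5 beats the hub 150.1.2.2 until the spokes are set to priority 0.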

Python-Jinja template configuration generator for Cisco devices and printout configs to external text files

 In this post, I worked on collecting code that works with Jinja templates. The nice thing in working with Jinja is that you can have basel...