Test Connectivity with Telnet

Telnet is a Network protocol that allows users to connect to and administer a devices Command Line Interface (CLI). However all of the information exchanged on a Telnet session is unencrypted, this means is someone is sniffing the traffic from your host to the device it can be read clearly. So now all know telnet is a super un-secure way to access the CLI of a device, and you should always use SSH where you can, but Telnet can be used in another way. Telnet can only be used to verify network connectivity to remote devices that are TCP based, because TCP is a connection-oriented protocol.

I get requests all the time to open up specific ports on the firewall. You can find a list of the well know port numbers here.

Before I start poking holes in the firewall or other device I check to see if it is already open.

Telnet will by default only check and listen on TCP port 23

If a user asks me is https (port 443) is open to and on a specific server you can easily test with Telnet.

You simply add the port number at the end of the telnet command:

 telnet[host/address[port]]

 

As you can see 443 is open. To exit from the Telnet session: 

SHIFT ]

 

This telnet test to port 23 is not open as it does not say Connected to…


If a remote host does not respond to telnet it can mean a number of things.

  1. The Firewall or Firewalls or other networking devices on the path to the remote host is Denying or Dropping the packets. You will be able to confirm that in the logs on the firewall.
  2. The server or remote host on the other side is not up and active
  3. There is no connectivity to the remote host for some other reason

Further troubleshooting is required if you encounter issues.

The Packet Wizard : DHCP Troubleshooting

In todays scenario, I am going to walk through some changes I made and troubleshooting steps for when I recently added a moved a old SSID/Subnet off an old legacy wireless network onto a new network same IP space and SSID that requires RADIUS authentication.

These steps can be applied to many different scenarios for troubleshooting DHCP, I just made these ones specific since it was something I recently had to troubleshoot.

Here is a basic diagram of the setup, showing all the moving parts would be overkill for the diagram. The steps on what to do and troubleshooting are below the diagram.

What you will need:

Authentication Server IP

Authentication Secret Key

DHCP Server IP

Subnet and Mask that is being moved

SSID/Subnet being moved

Work and or Troubleshooting that needs to be done:

  1. Add the VLAN to the switches required
  2. Add the virtual interface on the firewall (gateway)
  3. Trunk the new vlan to the switch and configure the ports
  4. Setup DHCP helper to point to the DHCP server
  5. Allow DHCP traffic from the new subnet to the DHCP server
  6. Configure Radius on new Network
  7. Configure new SSID and network settings on Wireless LAN Controller

Cisco : Enable SSH on Cisco Switch, Router and ASA

When you configure a Cisco device, you need to use a console cable and connect directly to the system to access it. Follow the SSH setup below, will enable SSH access to your Cisco devices, since SSH is not enabled by default. Once you enable SSH, you can then access it remotely using SecureCRT or any other SSH client.

Set hostname and domain-name

The hostname has to have a hostname and domain-name.

switch# config t
switch(config)# hostname tpw-switch
tpw-switch(config)# ip domain-name thepacketwizard.com

Setup Management IP

In the following example, the management ip address will be set to 10.100.101.2 in the 101 VLAN. The default gateway points to the firewall, which is 10.100.101.1

tpw-switch# ip default-gateway 10.100.101.1
tpw-switch# interface vlan 101
tpw-switch(config-if)# ip address 10.100.101.2 255.255.255.0

Generate the RSA Keys

The switch or router should have RSA keys that it will use during the SSH process. So, generate these using crypto command as shown below.

tpw-switch(config)# crypto key generate rsa
  The name for the keys will be: tpw-switch.thepacketwizard.com
  Choose the size of the key modulus in the range of 360 to 2048 for your
    General Purpose Keys. Choosing a key modulus greater than 512 may take
    a few minutes.

How many bits in the modulus [512]: 1024
  % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Setup the Line VTY configurations

Setup the following line vty configuration, where input transport is set to SSH only. Set the login to local, and password to 7, and make sure Telnet is not enabled:

tpw-switch# line vty 0 4
 tpw-switch(config-line)# transport input ssh
 tpw-switch(config-line)# login local
 tpw-switch(config-line)# password 7
 tpw-switch(config-line)# exit

If you have not set the console line yet, use the following:

tpw-switch# line console 0
tpw-switch(config-line)# logging synchronous
tpw-switch(config-line)# login local

Create the username password

If you don’t have an username created already, here is how:

tpw-switch# config t
Enter configuration commands, one per line.  End with CNTL/Z.
tpw-switch(config)# username thepacketwizard password tpwpassword123
tpw-switch# enable secret tpwenablepassword

Make sure the password-encryption service is turned-on, which will encrypt the password, and when you do “show run”, you’ll see only the encrypted password and not clear-text password.

tpw-switch# service password-encryption

Verify SSH access

From the switch, if you do ‘show ip ssh’, it will confirm that the SSH is enabled on this Cisco device.

tpw-switch# show ip ssh
 SSH Enabled - version 1.99
 Authentication timeout: 120 secs; Authentication retries: 3

After the above configurations, login from a remote machine to verify that you can ssh to this cisco switch.

In the example, 10.100.101.2 is the management ip-address of the switch.

TPW-Remote-Computer# ssh 10.100.101.2
 login as: thepacketwizard
 Using keyboard-interactive authentication.
 Password:

tpw-switch>en
 Password:
 tpw-switch#

You are now setup and logged in on SSH!

To read more on SSH visit: https://en.wikipedia.org/wiki/Secure_Shell

General Troubleshooting : How to determine the proper MTU size with ICMP pings

How to determine the proper MTU size with ICMP pings

To find the proper MTU size, you have to run a special ping to the destination address. This is usually the gateway, local server or an IP address domain name internet (e.g. thepacketwizard.com). You probably want to start around 1800 and move down 10 each time until you get to a ping reply. Once you have a ping reply start moving backup by 2-5 bits to get to the fragmented packet size. Take that value and add 28 to the value to account for the various TCP/IP headers. E.g. let’s say that 1452 was the proper packet size (where you first got an ICMP reply to your ping). The actual MTU size would be 1480, which is the optimum for the network we’re working with. Header size varies depending what the packet is traversing.

 

1500 Standard MTU

– 20 IP Header

– 24 GRE Encaps.

– 52 IPSec Encap.

– 8 PPPoE

– 20 TCP Header

 

Windows

ping  (host) (-f) (-l (packet size))

An example would be:

ping  thepacketwizard.com -f -l 1800

(result = "Packet needs to be fragmented but DF set.")

ping thepacketwizard.com -f -l 1472 

(result = reply)

 

The options used are:

      • -f: set “Don’t Fragment” flag in packet
      • -l size: send buffer size

 

Linux

ping (-M do) (-s (packet size)) (host)

An example would be:

ping thepacketwizard.com -M do -s 1800

(result = "Frag needed and DF set" or "message too long")

ping thepacketwizard.com -M do -s 1472

(result = reply)

 

The options used are:

      • -M <hint>: Select Path MTU Discovery strategy. <hint> may be either “do” (prohibit fragmentation, even local one), “want” (do PMTU discovery, fragment locally when packet size is large), or “dont” (do not set DF flag).
      • -s packetsize: Specifies the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.

 

Mac

ping (-D) (-s (packet size)) (host)

An example would be:

ping thepacketwizard.com -D -s 1800

(result = "sendto: Message too long")

ping thepacketwizard.com -D -s 1462

(result = reply)

 

The options used are:

      • -D: set the “Don’t Fragment” bit
      • -s packetsize: Specify the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.

There is a lot to know about MTU check it out on Wikipedia : Wikipedia – MTU

Palo Alto : Reconnaissance Protection Whitelist

Recently I have been implementing a software called Insight VM by Rapid 7 which runs reconnaissance on our network looking for vulnerabilities. Whilst this software is scanning, I was finding the Firewall would block it (like its supposed to) and then complain like crazy that it and its Network was being targeted. 27,000 email over night I decided to research how to solve this issue. Luckily Palo Alto have thought about this.

Here is how to implement Reconnaissance Protection Whitelist:

Select Network>Network Profiles>Zone Protection>Reconnaissance Protection to add a source address exclusion whitelist to your zone protection Profile.

Add an address to your source address exclusion whitelist. You add up to 20 IP addresses or netmask address objects.

Cisco : MACSec (Media Access Control Security)

This describes how to enable MACSec (Media Access Control Security) Encryption between two Catalyst Switches. MACSec is the standard for authenticating and encrypting the data link layer between switches. IEEE 802.1.AE.

Configuring MACSec

interface TenGigabitEthernet1/0/48
   cts manual
   no propagate sgt
   sap pmk 0000000000000000000000000000000000000000000000000000001234ABCDEF mode-list gcm-encrypt null no-encap

Below is an example config for Macsec with AES-256 encryption.   This config needs to be on both sides of the switches.  Was tested on a 3650-12x48UZ running ios-xe version 16.3.2.     Please update the keystring each time you use it with another random set of digits.  The length of the string has to be the same as below (64).

key chain mka_keychain macsec
    key 1234
    cryptographic-algorithm aes-256-cmac
 key-string 7586258746587645873490731985370957385753195709435175415784768466
 lifetime local 00:00:00 Jan 1 2000 infinite
 mka policy mka_policy_256
  key-server priority 2
 macsec-cipher-suite gcm-aes-256
interface GigabitEthernet1/0/1
 switchport mode trunk
 macsec network-link
 mka policy mka_policy_256
 mka pre-shared-key key-chain mka_keychain

Checking to Make sure the MKA Session is up and secure.

Switch#sh mka session

Total MKA Sessions....... 1

      Secured Sessions... 1

      Pending Sessions... 0

====================================================================================================

Interface      Local-TxSCI         Policy-Name      Inherited         Key-Server

Port-ID        Peer-RxSCI          MACsec-Peers     Status            CKN

====================================================================================================

Te1/0/48       00f6.6389.8b30/0037 test             NO                YES

55             00fe.c8d4.44b0/0037 1                Secured           1234000000000000000000000000000000000000000000000000000000000000

Verify MACSec is enabled.

Switch#sh macsec int ten1/0/48

MACsec is enabled
   Replay protect : enabled
   Replay window : 0
   Include SCI : yes
   Use ES Enable : no
   Use SCB Enable : no
   Admin Pt2Pt MAC : forceTrue(1)
   Pt2Pt MAC Operational : no
   Cipher : GCM-AES-256
   Confidentiality Offset : 0

Solarwinds : Download “Set” Command backup for Palo Alto

Download “Set” Command  backup for Palo Alto

Settings > All Settings > NCM Settings > Advanced > Device Templates > Search ‘Palo Alto’ > Select ‘PaloAlto5050’ > Click Copy > Change Template Name ‘PaloAlto5050 – Set’ > Remove the XML information and then Copy and Paste the XML below > Click Save

<Configuration-Management Device="Palo Alto" SystemOID=" 1.3.6.1.4.1.25461.2.3">
 <Commands>
 <Command Name="RESET" Value="set cli pager off${CRLF}set cli config-output-format set${CRLF}configure" RegEx="#" />
 <Command Name="EnterConfigMode" Value="" />
 <Command Name="ExitConfigMode" Value="exit" />
 <Command Name="Startup" Value="saved running-configuration" />
 <Command Name="Running" Value="" />
 <Command Name="DownloadConfig" Value="show ${ConfigType}" />
 <Command Name="UploadConfig" Value="" />
 <Command Name="DownloadConfigIndirect" Value="" />
 <Command Name="SaveConfig" Value="commit" />
 <Command Name="Version" Value="show" />
 </Commands>
 </Configuration-Management>

 

Change the Template being used on the Palo Alto Nodes

Settings > Manage Nodes > Palo Alto > Select All > Edit Properties > Tick Communication > Select Device Template ‘Palo Alto5050 – Set’ > Submit.

Solarwinds : Add/Edit Node

Add Device

Settings > Manage Nodes  > Add Node > Follow the Wizard.

Edit Node

Find Device > Edit Node > NCM Properties

Configurations Normally download to : \SolarWinds\Orion\NCM\Config-Archive

Palo Alto : Enable IPv6 and Create Default Route

To Enable IPv6 on the Firewall

Web GUI

IPv6 firewalling is enabled under Device > Setup > Session:

*** You may have to restart your Firewall for IPv6 to be enabled.

On the CLI

> configure

# set deviceconfig setting session ipv6-firewalling [yes|no]

# commit

Here is the interface configuration I used:

Don’t forget to add a rule in your security policy that allows Your new IPv6 interface to talk to your Gateway.

Add Default Route

You will also have to add a default route under Network > Virtual Routers > Default > Static Routes > IPv6

The default route for IPv6 is ::/0 the next hop is the default gateway address

Cisco : Serial Numbers

Today I have spent some time trying to find serial numbers on multiple Cisco devices, some Routers, Switches, Firewalls and Wireless LAN Controllers. Here is 7 ways I have found:

  1. Locate the serial number tag on the device chassis.
  2. The serial number is displayed in the banner during boot.
  3. “show version” command. (Look for Processor board ID or S/N)
  4. “show inventory” command. (Look for Hw Serial# or SN:)(Also works on WLC’s)
  5. “show diag” command. (Look for Chassis Serial Number)
  6. “show hardware” command. (Look for Processor board ID or S/N)
  7. “show tech-support” command.