
Friday 30 March 2018

Cisco ASA: downloading pcap capture file via browser

Download capture file (pcap) from the ASA for Offline Analysis

There are a couple of ways to download the packet captures for offline analysis. One of them is to fetch the capture directly over HTTPS from the ASA's management interface, using the following URL:

https://<ip_of_asa>/admin/capture/<capture_name>/pcap
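As an added example (not from the original post), a small Python helper that builds that URL, fetches it with HTTP basic authentication and checks that the response really starts with a pcap or pcapng magic rather than an error or login page. The basic-auth assumption and the credential and TLS handling are mine; the ASA's certificate is verified against a CA file you supply.

```python
import ssl
import urllib.request
from urllib.parse import quote

# Magic numbers a capture file may start with: pcap little/big endian,
# nanosecond-resolution pcap (both byte orders) and pcapng.
PCAP_MAGICS = (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",
               b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d",
               b"\x0a\x0d\x0d\x0a")


def build_capture_url(asa_host, capture_name):
    """Build the download URL from the post: https://<ip_of_asa>/admin/capture/<capture_name>/pcap."""
    return "https://%s/admin/capture/%s/pcap" % (asa_host, quote(capture_name, safe=""))


def looks_like_pcap(data):
    """True when the first bytes carry a pcap/pcapng magic; an HTML error or login page fails this."""
    return any(data.startswith(magic) for magic in PCAP_MAGICS)


def download_capture(asa_host, capture_name, username, password, out_path, ca_file=None):
    """Fetch the capture over HTTPS with basic auth (assumption) and save it only if it is a pcap.

    ca_file should point at the ASA's certificate (or the CA that issued it); with None the
    system trust store is used, which will reject a self-signed ASA certificate.
    """
    url = build_capture_url(asa_host, capture_name)
    ctx = ssl.create_default_context(cafile=ca_file)  # hostname and chain are verified
    pw_mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pw_mgr.add_password(None, url, username, password)
    opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(pw_mgr),
                                         urllib.request.HTTPSHandler(context=ctx))
    with opener.open(url, timeout=30) as resp:
        data = resp.read()
    if not looks_like_pcap(data):
        raise ValueError("response from %s is not a capture file (starts with %r)" % (url, data[:16]))
    with open(out_path, "wb") as fh:
        fh.write(data)
    return len(data)
```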

Thursday 3 December 2015

Signing certificates requests with certreq.exe

Within a Microsoft PKI infrastructure, you can use certreq.exe on an MS CA signing server (with Active Directory Certificate Services installed on it) to sign certificate signing requests (CSRs). This method is useful when you want to deploy a certificate on a system that is outside the AD domain and therefore cannot auto-enroll.

The workflow consists of the following steps:
  1. Generate a CSR on the device where the signed certificate needs to be installed (or generate the CSR manually with OpenSSL);
  2. Sign the CSR on your MS ADCS server with the certreq command;
  3. Install the signed certificate on the target system.
This post is only about the certreq command. More information about how to create a CSR with OpenSSL can be found here.
When you have created the CSR, upload it to the MS ADCS server where the certificate is to be signed. The following syntax can be used in a command prompt on the MS ADCS server (TemplateName is the name of the certificate template the CA should apply):

C:\>certreq -submit -attrib "CertificateTemplate:TemplateName" CertSignRequest.csr
Active Directory Enrollment Policy
..//..
Certificate retrieved(Issued) Issued
For reference, the following output shows the available options of the certreq command.
C:\>certreq.exe -?
Usage:
  CertReq -?
  CertReq [-v] -?
  CertReq [-Command] -?

  CertReq [-Submit] [Options] [RequestFileIn [CertFileOut [CertChainFileOut [FullResponseFileOut]]]]
    Submit a request to a Certification Authority.

  Options:
    -attrib AttributeString
    -binary
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -rpc
    -AdminForceMachine
    -RenewOnBehalfOf

  CertReq -Retrieve [Options] RequestId [CertFileOut [CertChainFileOut [FullResponseFileOut]]]
    Retrieve a response to a previous request from a Certification Authority.

  Options:
    -binary
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -rpc
    -AdminForceMachine

  CertReq -New [Options] [PolicyFileIn [RequestFileOut]]
    Create a new request as directed by PolicyFileIn

  Options:
    -attrib AttributeString
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -user
    -machine
    -xchg ExchangeCertFile

  CertReq -Accept [Options] [CertChainFileIn | FullResponseFileIn | CertFileIn]
    Accept and install a response to a previous new request.

  Options:
    -user
    -machine

  CertReq -Policy [Options] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]]
    Construct a cross certification or qualified subordination request
    from an existing CA certificate or from an existing request.

  Options:
    -attrib AttributeString
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -noEKU
    -AlternateSignatureAlgorithm
    -HashAlgorithm HashAlgorithm

  CertReq -Sign [Options] [RequestFileIn [RequestFileOut]]
    Sign a certificate request with an enrollment agent or qualified
    subordination signing certificate.

  Options:
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -noEKU
    -HashAlgorithm HashAlgorithm

  CertReq -Enroll [Options] TemplateName
  CertReq -Enroll -cert CertId [Options] Renew [ReuseKeys]
    Enroll for or renew a certificate.

  Options:
    -PolicyServer PolicyServer
    -user
    -machine

Saturday 28 November 2015

Cisco ASA - VPN Config Template

When I want to configure a site-to-site VPN on a Cisco ASA, I use the following script. Maybe it is useful to others, so I decided to share it. The content below is an example; you need to alter the values to match your own environment. Note that the IKEv1 transform-set referenced in the crypto map (ESP-3DES-SHA here) must already be defined, and that 3DES, SHA-1 and DH group 2 are legacy choices: prefer AES, SHA-2 and a stronger DH group where the remote peer supports them.
access-list outside_1_cryptomap remark VPN Description
access-list outside_1_cryptomap extended permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.0.0
!
access-list vpnfilter-name extended permit ip any4 any4
!
crypto ikev1 policy xx
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
!
group-policy grpol-s2s-xxxx internal
group-policy grpol-s2s-xxxx attributes
 vpn-idle-timeout none
 vpn-filter value vpnfilter-name
 vpn-tunnel-protocol ikev1
!
tunnel-group p.p.p.p type ipsec-l2l
tunnel-group p.p.p.p general-attributes
 default-group-policy grpol-s2s-xxxx
tunnel-group p.p.p.p ipsec-attributes
 ikev1 pre-shared-key vpn-secret
!
crypto map outside_map n match address outside_1_cryptomap
crypto map outside_map n set pfs group5
crypto map outside_map n set peer p.p.p.p
crypto map outside_map n set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map n set security-association lifetime seconds xxxxx
crypto map outside_map n set nat-t-disable

Monday 19 October 2015



In my job as an IP consultant, I keep running into websites that provide useful information for my daily work. As I want to share this information with others, I started to collect all these links on a single page. Maybe it is useful for others around the globe... :-).

SWITCHING

Wednesday 3 September 2014

Using a 3G/4G mobile internet modem as a WAN connection on a Fortigate firewall

Today, I'm testing a Fortigate security appliance in combination with a 4G USB mobile internet modem. My test environment has the following specs:
  • Fortigate 60D with firmware 5.0 patch 9
  • Huawei E398
Here are the steps that worked for me to successfully set up the USB 4G modem.
The first thing to do is to enable the modem:
FGT60D # config system modem
FGT60D (modem) # set status enable
FGT60D (modem) # end
Next, check whether the modem is detected successfully. I used the following commands for that:
FGT60D # diagnose sys modem detect
modem is attached.
dialtone is detected.
FGT60D # diagnose sys modem external-modem
External modem vendor: Huawei
External modem vendor id: 12d1
External modem model : E392/E397/E398/E353/E3276
External modem product id: 1506

In some cases, I noticed that no modem was detected. I removed the modem from the USB port and inserted it again, after which the modem was detected. In some cases I needed to reboot the Fortigate unit to get it activated again :-(. I don't know for sure what the reason for this is, but I decided to let it go for now...
After this, when you look at the web GUI under System > Network > Modem, you can see the following:


As you can see, the modem is detected successfully, but it's still inactive. Now let's activate it. You need to enter some commands to get this done. Some parameters are specific to your mobile provider; in this case, the settings (APN) are those of the Dutch provider KPN Mobile. In my case, I want to use the 4G connection only when my primary WAN connection (wan1) goes down, hence the redundant mode.
config system modem
    set status enable
    set pin-init "AT+CPIN=****"
    set mode redundant
    set interface "wan1"
    set phone1 "*99#"
    set extra-init1 "at+cgdcont=1,\"ip\",\"portalmmm.nl\""
end
Replace portalmmm.nl with the correct APN of your own provider, and the asterisks in the pin-init string with the SIM PIN. If everything goes well, you can check the 4G connection with the following commands.
FGT60D # diagnose sys modem query
USB status: Connected
manufacturer: Huawei Technologies Co., Ltd.
model: E398
IMEI number: ******
SIM state: Valid
service status: Valid Service
signal level: 4/4
network name: KPN
network type: UTRAN
location area code:
active profile(AT&V):
<<output omitted>>
Now all should work! You can check whether the modem interface comes UP and reaches its Connected state:


Don't forget to configure a policy rule with NAT to allow traffic to the internet through the modem interface.


That's all folks!

Tuesday 26 August 2014

Managing certificate requests with OpenSSL

Generate a 2048-bit private key (the -des3 option encrypts it with a passphrase):
$ openssl genrsa -des3 -out private.key 2048
Generate the CSR with the newly created private key, using a SHA-2 hash. Compatibility notes about the SHA-2 hash can be read here.
$ openssl req -sha256 -new -key private.key -out cert.csr
Check the CSR:
$ openssl req -text -noout -in cert.csr
Once the CSR has been signed (signed-csr.cer), create a password-protected PKCS#12 file that holds both the certificate and the private key:
$ openssl pkcs12 -export -inkey private.key -in signed-csr.cer -out cert.p12
Generate a self-signed certificate with a lifetime of 1 year (note that rsa:1024 is a weak key size by today's standards; use rsa:2048 or larger):
$ openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout my_key.pem -out my_cert.pem
When you want to make a PFX file that includes the whole trusted CA chain, you can do this with the following steps:

1) Make a PEM file with all upstream trusted intermediate CAs and the root CA in it
2) Use OpenSSL to generate the PKCS#12 file with the newly created PEM file included

Step 1: Use an advanced text editor (I use Notepad++) to copy the chain into one PEM file. Copy the intermediate CA first, and directly after that the root CA. Save the file. I saved the file as trusted_chain.pem.

Step 2: Use the following OpenSSL command to generate the PKCS#12 file with the whole chain in it:

$ openssl pkcs12 -export -out incl_chain.pfx -in certificate.pem -certfile trusted_chain.pem
In this example, the private key is included in certificate.pem.
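As an added check for Step 1 (not part of the original post), this Python script reads the chain PEM file with a small stdlib-only DER reader and confirms the ordering the step describes: every certificate is issued by the one after it, and the last one is a self-signed root. The two sample bundles are constructed, unsigned certificate skeletons built by the script itself, not real certificates.

```python
import base64
import re

def _tlv(buf, pos):
    # Decode one DER element at pos -> (tag, value bytes, position after it); handles long-form lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    # Raw DER of the issuer and subject Names: Certificate -> tbsCertificate -> its fields.
    tbs, fields, pos = _tlv(_tlv(der, 0)[1], 0)[1], [], 0
    while pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:           # optional EXPLICIT [0] version precedes serialNumber
        fields = fields[1:]
    return fields[2][1], fields[4][1]  # serialNumber, signature, issuer, validity, subject, ...

def chain_in_order(pem_text):
    # True when each cert is issued by the next one and the last is self-signed: intermediate(s) first, root last.
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    pairs = [issuer_and_subject(base64.b64decode("".join(b.split()))) for b in blocks]
    linked = all(pairs[i][0] == pairs[i + 1][1] for i in range(len(pairs) - 1))
    return bool(pairs) and linked and pairs[-1][0] == pairs[-1][1]

def _enc(tag, body):
    # Minimal DER encoder (lengths below 256) used only to build the constructed sample certs below.
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + body

def _fake_cert_pem(subject_cn, issuer_cn):
    # Syntactically valid but UNSIGNED certificate skeleton: a constructed sample, not a real certificate.
    name = lambda cn: _enc(0x30, _enc(0x31, _enc(0x30, b"\x06\x03\x55\x04\x03" + _enc(0x0C, cn.encode()))))
    alg = _enc(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00")  # sha256WithRSAEncryption, NULL
    validity = _enc(0x30, _enc(0x17, b"240101000000Z") + _enc(0x17, b"340101000000Z"))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg + name(issuer_cn)
               + validity + name(subject_cn) + _enc(0x30, alg + _enc(0x03, b"\x00")))
    der = _enc(0x30, tbs + alg + _enc(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# Constructed sample bundles: GOOD_CHAIN has the intermediate first and the root last, as Step 1 instructs.
GOOD_CHAIN = _fake_cert_pem("Example Issuing CA", "Example Root CA") + _fake_cert_pem("Example Root CA", "Example Root CA")
BAD_CHAIN = _fake_cert_pem("Example Root CA", "Example Root CA") + _fake_cert_pem("Example Issuing CA", "Example Root CA")
```

Run chain_in_order on the contents of trusted_chain.pem before the pkcs12 step; the script compares Names byte for byte and does not check signatures, so it catches ordering mistakes, not forged certificates.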