Tag Archives: cisco

Firepower Access Control Policy not blocking VPN connections

So, you have discovered in your authentication logs that an IP range that is explicitly blocked, denied by default or even geo-blocked is somehow still attempting to gain VPN access? Since VPN traffic is going to the FTD and not through the FTD, it is handled by the control plane rather than the data plane, so the Access Control Policy never evaluates it. Fortunately, a solution is available, although imperfect, through the use of FlexConfig.


What is a null route and why do I need one?

Definition

There are several names for a null route, such as a “bit bucket”, a “black hole”, or just a null0 route. They all refer to the same basic mechanism, which points traffic to a virtual interface on a router. That in turn is used for managing unwanted traffic, to prevent loops, or for entering routes into the RIB (routing information base) of a router.


FIREPOWER DNS Sinkhole

Many admins inadvertently design a sinkhole by null routing unused ranges within their core in order to limit unnecessary traffic. Some may even advertise these ranges from a Linux server running zebra or quagga for advanced alerting while monitoring for the propagation of worms or enumeration scans. In this post, we will discuss a similar idea for DNS using Firepower.


Blacklist an IP in Firepower

Sometimes you may want to quickly block a scanning/probing IP address without having to deal directly with the Access Control Policy. This can be done in the FMC within the Events view. Go to Analysis -> Connections -> Events

Depending on the volume of traffic, you may have to click ‘Edit Search’ and look by Initiator or Responder IP. Once found, right-click on the IP address and select ‘Blacklist IP Now’ and confirm,


Logging into a Linux shell from a Cisco ASR1000 Series Router

Cisco’s ASR1000 series of routers comes in many form factors that all provide a number of different features and options in terms of scalability. One thing common to all of the devices in this product line is that the IOS XE software, which performs all of the standard routing operations for the platform, runs on top of a Linux kernel. This post describes how to enter a Linux shell on your router and run some basic Linux commands to get an idea of what your router has going on under the hood, so to speak.

Do so at your own risk, as Cisco advises using this only under the supervision of Cisco Support. This post is limited to viewing different things to get an idea of what is underlying on the system. It’s best to err on the side of caution and NOT do this on a production router, and be especially careful not to edit or delete anything that’s vital, as a mistake at this level of the router can cause major issues with any or all functions of the device.

With that being said, let’s dig in. For this demonstration I opened a shell into the RP, or the route processor of the router. The ASR1000 series routers consist of a chassis/slots/cards, which make up the physical

How to Setup a TFTP Server Under CentOS/RHEL 6

Why bother with tftp?

Many network devices such as Cisco routers and switches use tftp in order to download their IOS config updates. tftp can also be used for network-based installs or for booting up diskless systems. Knowing how to set up a tftp server comes in quite handy when circumstances like these arise.

Getting started . . .

The Network Topology

Let’s say we’re dealing with a private network: 192.168.100.0/24. We’ll designate our tftp server and tftp test client as 192.168.100.5 and 192.168.100.105 respectively. You will need superuser privileges on both your server and client in order to successfully perform all of these commands.

Get the Necessary Packages

Log on to 192.168.100.5 and download the necessary programs; make sure they survive reboots:


# yum install tftp-server xinetd
# chkconfig tftp on