Wednesday 16 December 2015

Palo Alto Firewall - FQDN in ACL objects

Create an FQDN address object for use in an ACL:

# set address Contonso fqdn www.contonso.com

Reference this object in the ACL rule.

Check for correct DNS resolution via CLI:

# request system fqdn show

To refresh DNS entries:

# request system fqdn refresh


Wednesday 2 December 2015

CISCO - Unicast Reverse Path Forwarding

Unicast Reverse Path Forwarding

uRPF is designed to help protect Layer 3 devices from malicious traffic by checking the reachability of the source IP address. When uRPF is enabled, the Layer 3 device checks the source IP of incoming traffic against the FIB (CEF) table to verify that the source is reachable. This stops spoofed traffic passing through the Layer 3 device. There are two modes for uRPF, strict and loose. In strict mode, the source IP of a packet arriving on an interface must be reachable via the interface on which the packet arrives. In loose mode, the source IP can be reachable via any interface. Loose mode is suited to networks with asymmetric routing. Strict mode is suited to ISP and customer edge networks.

Configuration:

First enable Cisco Express Forwarding (CEF) switching on your device if it is not already enabled:

Router(config)# ip cef

Enable uRPF on FastEthernet 0/0

in Loose Mode:

Router(config)# interface FastEthernet 0/0
Router(config-if)# ip verify unicast source reachable-via any

in Strict Mode:

Router(config)# interface FastEthernet 0/0
Router(config-if)# ip verify unicast source reachable-via rx

Options:

allow-default - allow a match on the default route to satisfy the check
allow-self-ping - allow the router to ping its own interface
list - apply an access control list to packets that fail the check

Show Command:

show cef interface FastEthernet 0/0
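To make the strict/loose distinction concrete, here is an added Python model (not from the original post) of the FIB lookup the router performs for the check. The FIB entries, interface names and sample packets are constructed; the two equal-cost 172.16.0.0/16 entries show how the model treats strict mode when several best paths exist (any of them is accepted).

```python
import ipaddress

# Constructed FIB for this example (prefix -> egress interface); not taken from the page.
# Two equal-cost entries for 172.16.0.0/16 model a multipath route.
FIB = [
    ("10.1.0.0/16", "FastEthernet0/0"),
    ("192.168.1.0/24", "FastEthernet0/1"),
    ("172.16.0.0/16", "FastEthernet0/0"),
    ("172.16.0.0/16", "FastEthernet0/1"),
    ("0.0.0.0/0", "Serial0/0"),
]

def lookup(fib, ip):
    """Longest-prefix match. Returns (prefix length, set of egress interfaces);
    prefix length -1 means there is no route at all."""
    addr = ipaddress.ip_address(ip)
    best_len, ifaces = -1, set()
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best_len, ifaces = net.prefixlen, {iface}
        elif net.prefixlen == best_len:
            ifaces.add(iface)        # equal-cost path: keep every best-path interface
    return best_len, ifaces

def urpf_check(fib, src_ip, ingress, mode="rx", allow_default=False):
    """Decide whether a packet passes uRPF on the ingress interface.
    mode="rx"  : strict - the route back to the source must use the ingress interface.
    mode="any" : loose  - any route back to the source is enough.
    allow_default: whether a match on 0.0.0.0/0 counts as a route to the source."""
    best_len, ifaces = lookup(fib, src_ip)
    if best_len < 0:
        return False                  # no route to the source: dropped in both modes
    if best_len == 0 and not allow_default:
        return False                  # only the default route matched
    if mode == "any":
        return True
    return ingress in ifaces

if __name__ == "__main__":
    # Constructed sample packets: (source IP, ingress interface)
    for src, ingress in [("10.1.2.3", "FastEthernet0/0"),
                         ("192.168.1.5", "FastEthernet0/0"),
                         ("172.16.9.9", "FastEthernet0/1"),
                         ("203.0.113.7", "FastEthernet0/0")]:
        print(src, ingress,
              "strict:", urpf_check(FIB, src, ingress, "rx"),
              "loose:", urpf_check(FIB, src, ingress, "any"))
```

The 192.168.1.5 packet arriving on FastEthernet0/0 is the spoofing case: loose mode passes it because a route exists, strict mode drops it because that route points out FastEthernet0/1.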


Enable uRPF on Cisco ASA and FWSM

CLI:

ip verify reverse-path interface interface_name

Show command:

ASA5520# show ip verify statistics
interface outside: 21 unicast rpf drops
interface inside: 2738 unicast rpf drops
interface vpn: 0 unicast rpf drops

Cisco Switch - Private VLAN - PVLAN and PVLAN Edge

Private VLAN is functionality that offers more granular control within a single broadcast domain. There are two options for private VLAN host ports: a port can be in a community VLAN or in an isolated VLAN. The difference is that ports in a community VLAN can communicate with each other and with the promiscuous port, while ports in an isolated VLAN can communicate only with promiscuous ports. The promiscuous port is usually the uplink to another switch (so it is typically also a trunk port) or the port connected to the default gateway device.

Terminology:

Primary VLAN: the single broadcast domain.

Secondary Community VLAN: Ports in this VLAN can communicate with each other and with promiscuous ports

Secondary Isolated VLAN: Ports in this VLAN are able to communicate only with promiscuous ports.


Config:

! VTP must be in transparent mode before private VLANs can be defined: vtp mode transparent

vlan 600
private-vlan community

vlan 400
private-vlan isolated

vlan 200
private-vlan primary
private-vlan association 400,600

port g0/23 isolated port config:

switchport mode private-vlan host
switchport private-vlan host-association 200 400

ports g0/24 - g0/26 community ports:

switchport mode private-vlan host
switchport private-vlan host-association 200 600

int gig0/20 primary promiscuous port:

switchport mode private-vlan promiscuous
switchport private-vlan mapping 200 400,600
switchport mode trunk

PVLAN Edge

int gig0/18
switchport protected

Show cli:

show vlan brief
show vlan private-vlan type
show vlan private-vlan
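As an added example (not part of the original post), the following Python model encodes the PVLAN and PVLAN Edge forwarding rules described above and checks them against the port and VLAN numbers from this configuration; the data structure and function names are this example's own.

```python
# Constructed model of the private VLAN configuration above (port names and VLAN
# numbers from the page; the data structure and rules are this example's own).
SECONDARY_TYPE = {400: "isolated", 600: "community"}

PORTS = {
    "g0/23": {"mode": "host", "primary": 200, "secondary": 400},
    "g0/24": {"mode": "host", "primary": 200, "secondary": 600},
    "g0/25": {"mode": "host", "primary": 200, "secondary": 600},
    "g0/26": {"mode": "host", "primary": 200, "secondary": 600},
    "g0/20": {"mode": "promiscuous", "primary": 200, "mapping": {400, 600}},
}

def pvlan_forward(ports, a, b):
    """True if a Layer 2 frame from port a is forwarded to port b under PVLAN rules."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False                      # different primary VLAN: different broadcast domain
    if pa["mode"] == "promiscuous" and pb["mode"] == "promiscuous":
        return True
    if "promiscuous" in (pa["mode"], pb["mode"]):
        prom, host = (pa, pb) if pa["mode"] == "promiscuous" else (pb, pa)
        return host["secondary"] in prom["mapping"]   # only mapped secondaries reach it
    if pa["secondary"] != pb["secondary"]:
        return False                      # community 600 cannot reach isolated 400
    return SECONDARY_TYPE[pa["secondary"]] == "community"   # isolated ports never talk to each other

def pvlan_edge_forward(a_protected, b_protected):
    """PVLAN Edge (switchport protected): two protected ports on the same switch
    cannot exchange frames; any pair involving an unprotected port is forwarded."""
    return not (a_protected and b_protected)

def reachability(ports):
    """Matrix of which ordered port pairs can exchange frames, for auditing the config."""
    names = sorted(ports)
    return {(a, b): pvlan_forward(ports, a, b) for a in names for b in names if a != b}

if __name__ == "__main__":
    for (a, b), ok in sorted(reachability(PORTS).items()):
        print(f"{a} -> {b}: {'forward' if ok else 'blocked'}")
```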

Cisco Router - DHCP configuration

Set up a static mapping for a device that requires a permanent IP address rather than one assigned from the DHCP pool (for example a printer).

Requirements:

Static IP for printer
MAC address of the printer
IP DHCP pool: 172.19.142.0 255.255.255.0 
Excluded IP: 172.19.142.0 172.19.142.99 and 172.19.142.200 172.19.142.255 (our excluded IPs)
Static IP (printer): 172.19.142.211


Set up excluded addresses:

(The static IP must fall within one of the excluded ranges)
#ip dhcp excluded-address 172.19.142.0 172.19.142.99
#ip dhcp excluded-address 172.19.142.200 172.19.142.255


Set up DHCP pool:

#ip dhcp pool LAN_POOL
    import all
    network 172.19.142.0 255.255.255.0
    domain-name cisco.local
    default-router 172.19.142.254
    dns-server 172.19.142.17 172.19.140.16
    lease 0 2

Set up Static IP Mapping:

#ip dhcp pool STATIC
    host 172.19.142.211 255.255.255.0  (printer's IP)
    hardware-address d485.6440.b314   (printer's MAC address)
    domain-name cisco.local
    default-router 172.19.142.254
    dns-server 172.19.142.17 172.19.140.16

Clear a DHCP address from the router database:

#sh ip dhcp binding (shows the DHCP binding database)
#clear ip dhcp binding 1.1.1.1 (This clears the IP address from the router database, but the device will still respond on the old IP. To assign a new IP, reboot the device or clear the old IP with ipconfig /renew)

Tuesday 1 December 2015

Juniper SRX – Commit error: Missing mandatory statement

After changing the configuration on a Juniper SRX and trying to save it with the commit command, I received the error below:

root# commit
[edit]
  'system'
    Missing mandatory statement: 'root-authentication'
error: commit failed: (missing statements)

The solution to this error is to set the root password. As this device was brand new, the root password had not been set and I was unable to commit any other changes from the CLI.

To set the root password “JUNIPER”, use the following CLI:

root# set system root-authentication plain-text-password
New password: JUNIPER
Retype new password: JUNIPER
root# commit

Kali Linux – BackTrack VPN button is greyed out

After starting my Kali Linux (previously known as BackTrack), the VPN add button is greyed out and I am not able to add an IPsec VPN connection to the ASA gateway.

After running the commands below in a terminal, the VPN option becomes available:

apt-get update

apt-get install network-manager-openvpn network-manager-pptp network-manager-pptp-gnome network-manager-vpnc network-manager-vpnc-gnome


