Dear All, I have many site-to-site VPNs on an ASA 5520 to different routers, ASAs, ...
I need to monitor the VPN tunnels (up/down, traffic) using SNMP. Any idea how to do that? The VPN tunnels change OID each time, and I cannot track the peer IP.

Thanks in advance,
MKD

On Mon, May 28, 2012 at 9:40 PM, <[email protected]> wrote:

> Today's Topics:
>
> 1. Re: Regex with Cisco ASA (Mohamed Abdin)
> 2. Re: Regex with Cisco ASA (Karthik sagar)
> 3. Multihome NAT on a Router (Ben Shaw)
> 4. ip tcp intercept with NAT doesn't work (Ben Shaw)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 28 May 2012 18:12:35 +0200
> From: Mohamed Abdin <[email protected]>
> To: Karthik sagar <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Regex with Cisco ASA
>
> Dears,
>
> If you check that link
> http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html
> you will find that it is!
>
> hostname(config)# regex loginname1 "ying\@yahoo.com"
> hostname(config)# regex loginname2 "Kevin\@yahoo.com"
> hostname(config)# regex loginname3 "rahul\@yahoo.com"
> hostname(config)# regex loginname4 "darshant\@yahoo.com"
>
> Regards,
> Mohamed Abdin
>
> On Mon, May 28, 2012 at 2:23 PM, Karthik sagar <[email protected]> wrote:
>
>> No, I don't think @ is a special character in regex.
>
> ------------------------------
>
> Message: 2
> Date: Mon, 28 May 2012 21:44:54 +0530
> From: Karthik sagar <[email protected]>
> To: Mohamed Abdin <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Regex with Cisco ASA
>
> The same document also has
>
> hostname(config)# regex user1 "[email protected]"
> hostname(config)# regex user2 "[email protected]"
> hostname(config)# regex user3 "[email protected]"
>
> ------------------------------
>
> Message: 3
> Date: Tue, 29 May 2012 04:55:28 +1000
> From: Ben Shaw <[email protected]>
> To: [email protected]
> Subject: [OSL | CCIE_Security] Multihome NAT on a Router
>
> Hi All
>
> The extended blueprint lists "Multihome NAT on a Router" as one of the
> topics to understand on the lab. I have configured the following basic
> configuration (without IP SLA) for dynamic PAT to allow internal clients to
> access the internet via redundant internet links, as demonstrated here:
> http://stack.nil.com/ipcorner/SmallSiteMultiHoming/. Obviously the
> configuration below requires internal clients to initiate the connection
> outbound, with the current default route dictating the exit interface on the
> router, which therefore defines the packet's public IP and return address
> for response traffic.
>
> interface FastEthernet0/0
>  ip address 10.0.165.254 255.255.255.0
>  ip nat inside
>
> interface FastEthernet0/1.139
>  ip address 10.0.139.1 255.255.255.0
>  ip nat outside
>
> interface FastEthernet0/1.141
>  ip address 10.0.141.2 255.255.255.0
>  ip nat outside
>
> ip route 0.0.0.0 0.0.0.0 10.0.139.2
> ip route 0.0.0.0 0.0.0.0 10.0.141.1 10
>
> ip nat inside source route-map 51 interface FastEthernet0/1.139 overload
> ip nat inside source route-map 52 interface FastEthernet0/1.141 overload
>
> route-map 51 permit 10
>  match interface FastEthernet0/1.139
>
> route-map 52 permit 10
>  match interface FastEthernet0/1.141
>
> This seems to work fine. I wanted to get others' opinions though on whether any
> other type of NAT should be covered in a multihomed set-up, i.e. static
> source translation. I took a look at this page
> http://www.my-ccie.com/category/ccie-rs/nat/ which has a section on the
> topic. It demonstrates a method to do static source translation, but I don't
> think it would work in the real world as it relies on having the inside
> local address translated to two inside global addresses and also on creating
> route-maps using ACLs which assume one knows the source address of the
> internet-based hosts accessing the NAT'd. The first point, having two
> different inside global addresses, I suppose could be handled by DNS
> rotation, but the second point, requiring one to know the client IP addresses, I
> don't think is manageable.
>
> Can anyone let me know if there would be a way to do static source NAT
> (inside server publishing) in such a setup? I have assumed that this point
> in the blueprint is not using BGP to accomplish the task, which means the
> functionality would be limited.
>
> Thanks
> Ben
>
> ------------------------------
>
> Message: 4
> Date: Tue, 29 May 2012 05:40:55 +1000
> From: Ben Shaw <[email protected]>
> To: [email protected]
> Subject: [OSL | CCIE_Security] ip tcp intercept with NAT doesn't work
>
> Hi All,
>
> Not sure if this ever got resolved, but I noticed that TCP intercept seemed
> to work fine for me in both intercept and watch mode with NAT enabled. I
> didn't expect it to, as the docs say TCP intercept can't be used
> with NAT, but by adjusting the thresholds very low and blocking response
> traffic on an upstream router to my HTTP client I was able to emulate a SYN
> attack on a web server (NAT'd host) and have the router go aggressive and
> start dropping embryonic connections.
>
> Here is my configuration:
>
> access-list 160 permit ip any any
> !
> ip tcp intercept list 160
> ip tcp intercept max-incomplete low 2 high 3
> ip tcp intercept mode watch
> ip tcp intercept drop-mode random
> !
> ip nat inside source static 10.0.165.10 10.0.139.10
>
> Though the config above shows watch mode, I also tried with intercept
> mode. I was targeting the address 10.0.139.10 and got the following
> debug output. I am using IOS 12.4(24)T6.
>
> *May 28 19:20:52.750: NAT*: s=10.0.164.10, d=10.0.139.10->10.0.165.10 [52567]
> *May 28 19:20:52.750: INTERCEPT: new connection (10.0.164.10:1144 SYN -> 10.0.165.10:80)
> *May 28 19:20:52.754: NAT*: s=10.0.165.10->10.0.139.10, d=10.0.164.10 [18643]
> *May 28 19:20:52.754: NAT: s=10.0.139.2, d=10.0.139.10->10.0.165.10 [20335]
> *May 28 19:20:53.746: NAT*: s=10.0.164.10, d=10.0.139.10->10.0.165.10 [52590]
> *May 28 19:20:53.746: INTERCEPT: new connection (10.0.164.10:1145 SYN -> 10.0.165.10:80)
> *May 28 19:20:53.750: NAT*: s=10.0.165.10->10.0.139.10, d=10.0.164.10 [18645]
> *May 28 19:20:53.750: NAT: s=10.0.139.2, d=10.0.139.10->10.0.165.10 [20336]
> *May 28 19:20:54.830: NAT*: s=10.0.164.10, d=10.0.139.10->10.0.165.10 [52608]
> *May 28 19:20:54.830: INTERCEPT: new connection (10.0.164.10:1146 SYN -> 10.0.165.10:80)
> *May 28 19:20:54.834: NAT*: s=10.0.165.10->10.0.139.10, d=10.0.164.10 [18647]
> *May 28 19:20:54.834: NAT: s=10.0.139.2, d=10.0.139.10->10.0.165.10 [20340]
> *May 28 19:20:55.726: NAT*: s=10.0.164.10, d=10.0.139.10->10.0.165.10 [52627]
> *May 28 19:20:55.730: %TCP-6-INTERCEPT: getting aggressive, count (3/3) 1 min 8
> *May 28 19:20:55.730: INTERCEPT: Possible attack! Aborting half-open connection SYNSENT (10.0.164.10:1144 <-> 10.0.165.10:80)
> *May 28 19:20:55.730: INTERCEPT(*): (10.0.164.10:1144 RST -> 10.0.165.10:80)
> *May 28 19:20:55.730: INTERCEPT: new connection (10.0.164.10:1147 SYN -> 10.0.165.10:80)
> *May 28 19:20:55.730: NAT*: s=10.0.165.10->10.0.139.10, d=10.0.164.10 [18649]
> *May 28 19:20:55.734: NAT: s=10.0.139.2, d=10.0.139.10->10.0.165.10 [20341]
> *May 28 19:20:56.358: NAT*: s=10.0.165.10->10.0.139.10, d=10.0.164.10 [18652]
> *May 28 19:20:56.362: NAT: s=10.0.139.2, d=10.0.139.10->10.0.165.10 [20342]
> *May 28 19:20:56.618: NAT*: s=10.0.164.10, d=10.0.139.10->10.0.165.10 [52646]
> *May 28 19:20:56.618: INTERCEPT: Possible attack! Aborting half-open connection SYNSENT (10.0.164.10:1147 <-> 10.0.165.10:80)
> *May 28 19:20:56.618: INTERCEPT(*): (10.0.164.10:1147 RST -> 10.0.165.10:80)
> *May 28 19:20:56.618: INTERCEPT: new connection (10.0.164.10:1148 SYN -> 10.0.165.10:80)
> *May 28 19:20:56.622: NAT*: s=10.0.165.10->10.0.139.10, d=10.0.164.10 [18654]
> *May 28 19:20:57.462: NAT*: s=10.0.164.10, d=10.0.139.10->10.0.165.10 [52663]
> *May 28 19:20:57.462: INTERCEPT: Possible attack! Aborting half-open connection SYNSENT (10.0.164.10:1148 <-> 10.0.165.10:80)
> *May 28 19:20:57.466: INTERCEPT(*): (10.0.164.10:1148 RST -> 10.0.165.10:80)
> *May 28 19:20:57.466: INTERCEPT: new connection (10.0.164.10:1149 SYN -> 10.0.165.10:80)
> *May 28 19:20:57.466: NAT*: s=10.0.165.10->10.0.139.10, d=10.0.164.10 [18655]
> *May 28 19:20:57.466: NAT: s=10.0.139.2, d=10.0.139.10->10.0.165.10 [20343]
> *May 28 19:20:57.782: NAT*: s=10.0.165.10->10.0.139.10, d=10.0.164.10 [18657]
> *May 28 19:20:59.630: NAT: expiring 10.0.139.10 (10.0.165.10) tcp 80 (80)
> *May 28 19:21:00.186: NAT*: s=10.0.165.10->10.0.139.10, d=10.0.164.10 [18660]
> *May 28 19:21:00.190: NAT: s=10.0.139.2, d=10.0.139.10->10.0.165.10 [20347]
> *May 28 19:21:00.474: NAT*: s=10.0.164.10, d=10.0.139.10->10.0.165.10 [52698]
> *May 28 19:21:00.474: INTERCEPT: client packet passed in SYNSENT (10.0.164.10:1149 -> 10.0.165.10:80)
> *May 28 19:21:00.654: NAT: expiring 10.0.139.10 (10.0.165.10) tcp 80 (80)
> *May 28 19:21:01.678: NAT: expiring 10.0.139.10 (10.0.165.10) tcp 80 (80)
> *May 28 19:21:02.922: NAT*: s=10.0.165.10->10.0.139.10, d=10.0.164.10 [18667]
> *May 28 19:21:02.926: NAT: s=10.0.139.2, d=10.0.139.10->10.0.165.10 [20348]
> *May 28 19:21:03.214: NAT: expiring 10.0.139.10 (10.0.165.10) tcp 80 (80)
> *May 28 19:21:04.342: NAT*: s=10.0.165.10->10.0.139.10, d=10.0.164.10 [18669]
> *May 28 19:21:04.346: NAT: s=10.0.139.2, d=10.0.139.10->10.0.165.10 [20352]
> *May 28 19:21:05.262: NAT: expiring 10.0.139.10 (10.0.165.10) tcp 80 (80)
> *May 28 19:21:06.490: NAT*: s=10.0.164.10, d=10.0.139.10->10.0.165.10 [52762]
> *May 28 19:21:06.490: INTERCEPT: client packet passed in SYNSENT (10.0.164.10:1149 -> 10.0.165.10:80)
> *May 28 19:21:06.750: NAT*: s=10.0.165.10->10.0.139.10, d=10.0.164.10 [18675]
> *May 28 19:21:06.754: NAT: s=10.0.139.2, d=10.0.139.10->10.0.165.10 [20353]
> *May 28 19:21:12.466: INTERCEPT: SYNSENT timing out (10.0.164.10:1149 <-> 10.0.165.10:80)
> *May 28 19:21:12.466: INTERCEPT(*): (10.0.164.10:1149 RST -> 10.0.165.10:80)
> *May 28 19:21:14.990: NAT: expiring 10.0.139.10 (10.0.165.10) tcp 80 (80)
> *May 28 19:21:18.574: NAT: expiring 10.0.139.10 (10.0.165.10) tcp 80 (80)
> *May 28 19:21:21.134: NAT: expiring 10.0.139.10 (10.0.165.10) tcp 80 (80)
> *May 28 19:21:23.746: INTERCEPT: SYNSENT timing out (10.0.164.10:1145 <-> 10.0.165.10:80)
> *May 28 19:21:23.746: INTERCEPT(*): (10.0.164.10:1145 RST -> 10.0.165.10:80)
> *May 28 19:21:23.746: %TCP-6-INTERCEPT: calming down, count (1/2) 1 min 6
> *May 28 19:21:24.830: INTERCEPT: SYNSENT timing out (10.0.164.10:1146 <-> 10.0.165.10:80)
> *May 28 19:21:24.830: INTERCEPT(*): (10.0.164.10:1146 RST -> 10.0.165.10:80)
> *May 28 19:21:56.974: NAT: expiring 10.0.139.10 (10.0.165.10) tcp 80 (80)
> 1841-02(config)#
>
> Thanks
> Ben
>
> End of CCIE_Security Digest, Vol 71, Issue 90
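The per-peer tracking MKD asks about, as an added example that is not from the list or any of its posters: it parses two successive `snmpwalk -On` polls of the ASA's IKE and IPsec tunnel tables and keys everything by peer address, so a tunnel that comes back with a new row index (and therefore a new OID) is still recognized and its restarted counters are not read as a negative delta. The column OIDs are my assumptions taken from CISCO-IPSEC-FLOW-MONITOR-MIB and should be checked against the MIB; the two walks are constructed sample data.

```python
import re

IKE_REMOTE_ADDR = "1.3.6.1.4.1.9.9.171.1.2.3.1.8"   # cikeTunRemoteAddr (assumed OID); rows indexed by cikeTunIndex
SEC_IKE_INDEX = "1.3.6.1.4.1.9.9.171.1.3.2.1.2"     # cipSecTunIkeTunnelIndex (assumed): IPsec SA -> parent IKE tunnel
SEC_IN_OCTETS = "1.3.6.1.4.1.9.9.171.1.3.2.1.26"    # cipSecTunInOctets (assumed)
SEC_OUT_OCTETS = "1.3.6.1.4.1.9.9.171.1.3.2.1.39"   # cipSecTunOutOctets (assumed)
LINE = re.compile(r"^\.?(\S+?)\.(\d+) = \w+: (.*)$")  # one `snmpwalk -On` line: <column>.<index> = TYPE: value

def parse_walk(text):
    # {column_oid: {row_index: value}} so each column can be looked up by its (volatile) row index
    table = {}
    for line in text.strip().splitlines():
        if m := LINE.match(line.strip()):
            table.setdefault(m.group(1), {})[int(m.group(2))] = m.group(3).strip('"')
    return table

def by_peer(walk):
    # Re-key the tunnel tables by peer IP so the changing row index (and therefore OID) no longer matters
    peers, ike_peer = {}, walk.get(IKE_REMOTE_ADDR, {})
    for sec_idx, ike_idx in walk.get(SEC_IKE_INDEX, {}).items():
        peer = ike_peer.get(int(ike_idx))
        if peer is None: continue  # IPsec SA whose IKE parent has already gone
        p = peers.setdefault(peer, {"ike_index": int(ike_idx), "in": 0, "out": 0})
        p["in"] += int(walk.get(SEC_IN_OCTETS, {}).get(sec_idx, 0))    # sum every SA of that peer
        p["out"] += int(walk.get(SEC_OUT_OCTETS, {}).get(sec_idx, 0))
    return peers

def tunnel_report(prev_walk, cur_walk, expected_peers):
    # Per configured peer: UP/DOWN plus octets since the last poll; a rebuilt tunnel restarts its counters
    report, prev, cur = {}, by_peer(parse_walk(prev_walk)), by_peer(parse_walk(cur_walk))
    for peer in expected_peers:
        now, before = cur.get(peer), prev.get(peer)
        if now is None:
            report[peer] = ("DOWN", 0, 0)
        elif before and before["ike_index"] == now["ike_index"]:
            report[peer] = ("UP", now["in"] - before["in"], now["out"] - before["out"])
        else:
            report[peer] = ("UP (re-established)", now["in"], now["out"])
    return report

def rows(*items):  # constructed sample in `snmpwalk -On` form
    return "\n".join(f".{col}.{idx} = {typ}: {val}" for col, idx, typ, val in items)
# Constructed sample polls (documentation addresses); peer 198.51.100.9 was rebuilt between the two polls.
PREV = rows((IKE_REMOTE_ADDR, 101, "IpAddress", "203.0.113.5"), (IKE_REMOTE_ADDR, 102, "IpAddress", "198.51.100.9"),
            (SEC_IKE_INDEX, 201, "INTEGER", 101), (SEC_IKE_INDEX, 202, "INTEGER", 102),
            (SEC_IN_OCTETS, 201, "Counter32", 1000), (SEC_IN_OCTETS, 202, "Counter32", 500),
            (SEC_OUT_OCTETS, 201, "Counter32", 2000), (SEC_OUT_OCTETS, 202, "Counter32", 700))
CUR = rows((IKE_REMOTE_ADDR, 101, "IpAddress", "203.0.113.5"), (IKE_REMOTE_ADDR, 150, "IpAddress", "198.51.100.9"),
           (SEC_IKE_INDEX, 201, "INTEGER", 101), (SEC_IKE_INDEX, 250, "INTEGER", 150),
           (SEC_IN_OCTETS, 201, "Counter32", 1500), (SEC_IN_OCTETS, 250, "Counter32", 40),
           (SEC_OUT_OCTETS, 201, "Counter32", 2600), (SEC_OUT_OCTETS, 250, "Counter32", 60))
```

Calling `tunnel_report(PREV, CUR, ["203.0.113.5", "198.51.100.9", "192.0.2.77"])` flags the first peer UP with 500/600 new octets, the second as re-established, and the third (absent from both walks) as DOWN.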
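Reading Ben's TCP intercept debug output mechanically, as an added example that is not part of the post: it replays the INTERCEPT lines, tracks embryonic (SYNSENT) connections by 4-tuple, and checks each aggressive/calming transition against the configured `ip tcp intercept max-incomplete low 2 high 3`. The `summarize` function and the reading of `count (x/y)` as current count over threshold are my assumptions; the debug lines are taken from the post, reduced to the INTERCEPT events.

```python
import re

# Debug lines quoted from Ben's post above (INTERCEPT events only; the NAT lines are omitted).
DEBUG = """
*May 28 19:20:52.750: INTERCEPT: new connection (10.0.164.10:1144 SYN -> 10.0.165.10:80)
*May 28 19:20:53.746: INTERCEPT: new connection (10.0.164.10:1145 SYN -> 10.0.165.10:80)
*May 28 19:20:54.830: INTERCEPT: new connection (10.0.164.10:1146 SYN -> 10.0.165.10:80)
*May 28 19:20:55.730: %TCP-6-INTERCEPT: getting aggressive, count (3/3) 1 min 8
*May 28 19:20:55.730: INTERCEPT: Possible attack! Aborting half-open connection SYNSENT (10.0.164.10:1144 <-> 10.0.165.10:80)
*May 28 19:20:55.730: INTERCEPT: new connection (10.0.164.10:1147 SYN -> 10.0.165.10:80)
*May 28 19:20:56.618: INTERCEPT: Possible attack! Aborting half-open connection SYNSENT (10.0.164.10:1147 <-> 10.0.165.10:80)
*May 28 19:20:56.618: INTERCEPT: new connection (10.0.164.10:1148 SYN -> 10.0.165.10:80)
*May 28 19:21:23.746: INTERCEPT: SYNSENT timing out (10.0.164.10:1145 <-> 10.0.165.10:80)
*May 28 19:21:23.746: %TCP-6-INTERCEPT: calming down, count (1/2) 1 min 6
"""
NEW = re.compile(r"INTERCEPT: new connection \((\S+):(\d+) SYN -> (\S+):(\d+)\)")
END = re.compile(r"INTERCEPT: (Possible attack! Aborting half-open connection SYNSENT|SYNSENT timing out) "
                 r"\((\S+):(\d+) <-> (\S+):(\d+)\)")
MODE = re.compile(r"%TCP-6-INTERCEPT: (getting aggressive|calming down), count \((\d+)/(\d+)\)")

def summarize(debug, low, high):
    # Replay the debug stream, tracking every embryonic (SYNSENT) connection by its 4-tuple.
    half_open, stats = {}, {"peak": 0, "aborted": [], "timed_out": [], "mode_changes": []}
    for line in debug.strip().splitlines():
        if m := NEW.search(line):
            half_open[m.groups()] = "SYNSENT"                       # (client, cport, server, sport)
            stats["peak"] = max(stats["peak"], len(half_open))
        elif m := END.search(line):
            key = m.groups()[1:]
            if half_open.pop(key, None) is not None:                 # ignore events for flows never seen opening
                bucket = "aborted" if m.group(1).startswith("Possible") else "timed_out"
                stats[bucket].append(int(key[1]))                    # record the client port
        elif m := MODE.search(line):
            stats["mode_changes"].append((m.group(1), int(m.group(2))))  # count read as (current/threshold)
    stats["remaining"] = len(half_open)
    # Cross-check against `ip tcp intercept max-incomplete low <low> high <high>`:
    # the router should only go aggressive at >= high and calm down at <= low.
    stats["consistent"] = all((mode == "getting aggressive" and count >= high) or
                              (mode == "calming down" and count <= low)
                              for mode, count in stats["mode_changes"])
    return stats
```

On the sample, `summarize(DEBUG, low=2, high=3)` shows the half-open count peaking at 3 exactly when the router reports "getting aggressive", which is what the low/high thresholds predict.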
