Be Careful with TCP Syslog and the ASA

I wanted to take just a moment to share a little gotcha that could take you by surprise. To demonstrate, I have a simple topology with an ASA in the middle. I am inspecting ICMP so ping traffic is stateful and flows properly.

TCP Syslog
To confirm connectivity,  I can ping from csr1000v-2 from csr1000v-1

csr1000v-1#ping repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/6/16 ms

Now for the ASA change that can catch an administrator off guard Continue reading

Posted in Uncategorized | 2 Comments

Manual URL Filtering in Firepower

A few days ago, someone asked me the following two questions–

  1. Is a URL filtering license required to manually filter sites in Firepower?
  2. Are wildcards supported as filtering criteria?

The short answer to the first question is simply no. There is no requirement for a term-based URL filtering license to do manual filtering. The URL license enables filtering AND logging based on web categories and risks levels. If this license is not installed and attached to a Firepower device, any policy containing those elements cannot be deployed. However, URL filtering rules that contain only manual URLs can be applied and do function properly.

Selected URLs

The second question requires a slightly longer answer. With URL filtering, Firepower considers the protocol, fqdn, path and filename. For example, the following is a URL for the article I wrote last Thursday. Continue reading

Posted in Uncategorized | Leave a comment

Accessing ASA CLI in Firepower Threat Defence

I’ve recently loaded Firepower Threat Defense on an ASA5525 for my home Internet firewall. For those unfamiliar with FTD, it is basically a combination of critical ASA features and all of the Cisco Firepower features in a single image and execution space. So unlike Firepower Services, which runs separately inside the same ASA sheet metal,  FTD takes over the hardware. Once the image installed onto the hardware, the firewall is attached to and managed by a Firepower Management Console.

For those that still want to (or need to) get under the covers to understand the underpinnings or do some troubleshooting of the ASA features, it is still possible to access the familiar CLI. The process first requires an ssh connection to the management IP of the FTD instance, then access expert mode and enter the lina_cli command.

MacBook:~ paulste$ ssh [email protected]
Last login: Thu Jun 23 18:16:43 2016 from

Copyright 2004-2016, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.0.1 (build 37)
Cisco ASA5525-X Threat Defense v6.0.1 (build 1213)

//go into expert mode
> expert

//enter sudo lina_cli -- my su password was the admin pw I set during installation
[email protected]:~$ sudo lina_cli

Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

//enable password was blank for me
firepower> en

Now the typical ASA show commands are avaialble. For example–

show run dhcpd (yes, you can actually make your FTD device a DHCP server) Continue reading

Posted in Security, Technology | 3 Comments

Simple ASA to IOS VPN

Occasionally you just need a cheat sheet to configure something up. This is meant to be exactly that, a quick configuration of lan to lan IPSec between an ASA and IOS based router.


Host (for testing)

! /// Host is simply here to emulate a
! /// client on one end of the network
hostname Host
interface GigabitEthernet0/1
 description to iosv-1
 ip address
ip route

iosv-1 (IOS IPSec Endpoint)

Continue reading

Posted in Uncategorized | 1 Comment

Internet Connected Water Heater

So I have to admit that I’m the crusty old curmudgeon who is way behind on things like home automation. After a recent issue with my water heater I opted to replace it with one that utilizes heat pump technology. I know a lot of people are installing tankless models and I strongly considered that path. My challenges were as follows–

  • Relatively High Demand (replacing an 80 Gallon Conventional Electric)
  • Conventional 80 Gallon Electric Models are difficult to purchase (at least in consumer models)
  • Tankless Owners seem to prefer gas over electric models
  • Venting a tankless gas heater would require relocation of plumbing

Given these constraints, I stumbled into the hybrid water heater models. These are big tank models that utilize heat pump technology as a preferred method of moving heat into the water. As demand increases, traditional resistance coils can be invoked to generate heat. Continue reading

Posted in Uncategorized | 4 Comments

Syncing IOS Clock from Cellular Provider

I recently had a request to enable time synchronization from a Cellular provider to a 3G model of the Cisco 819. Looking through several documentation sources, I found an example of EEM policy utilizing GPS data in this manner.

LTE GPS Antenna Guide Cisco Integrated Services Router (ISR G2) and Connected Grid Router

After looking at the TCL script outlined in the above document, I thought it would be an easy modification to achieve this result with the cellular network data. After fighting with the script and EEM policy for a couple of hours, I stepped back and looked at the options for creating an EEM Applet. My goal was to achieve similar results but utilizing the time provided by the cellular carrier. This article outlines my process and the final configuration. Continue reading

Posted in Network, Technology | Leave a comment

What’s Wrong With the Internet?

How many times have you received that call or even made the statement that “The Internet is Down?” Or perhaps the “Internet is Slow?” Obviously these statements are very rarely true. As a whole, the Internet is functional and it is FAST. However these statements seem true from the perspective of the individual making them. My frustration is that we never have visibility into the data necessary to assess the health of the Internet from a relevant, holistic perspective over time. As a result, consumers and providers have a limited view of problems that randomly present in this manner.

The Problem

When I think about the impact Internet hiccups have on me, I realize that I could do things much differently if it delivered consistent reliability. Even if it wasn’t as reliable as infrastructures like the PSTN, having some semblance of trust in knowing when and how my connections might fail or degrade would help. The resulting improvements would allow me to use more robust tools like video and voice over the Internet and put my cell phone away. I can’t tell you how many times I’ve spent hours chasing ghosts. These transient issues tend to get resolved when they worsens and the root cause is more easily identifiable. Increasing the trust we have in our services would materially change the way in which we use them. Continue reading

Posted in Rant, Technology | 4 Comments

Merry Christmas 2015 to All

I wanted to thank all of the PacketU readers for their comments and feedback this year. From my family to yours, I want to wish everyone a very Merry Christmas and a Happy New Year.


See you in ’16!

Posted in Uncategorized | Leave a comment

DNC – What does “dropped the firewall” even mean?

In a CNN article that discusses Sander’s access to the Clinton campaign information, I found the following statement–

The breach occurred when the vendor, NGP VAN, which supplies access to the database of voter information for both campaigns dropped the firewall, and at least one Sanders campaign staffer accessed Clinton campaign voter data. The accused staffer, Josh Uretsky, Sanders’ national data director, was fired from the campaign.

I have to ask, what does that even mean? So NGP VAN is using a firewall to isolate data between candidates? Are there no controls in the application? And what does it mean to drop a firewall? 

I have to assume that this would indicate a “permit any” or maybe some other bypass. I’d love to know the technical details around this situation.

Firewalls aren’t magical boxes and this is a “dumbed down” if not inaccurate response.

I’d love to hear from you, so share your experiences by commenting below.
Continue reading

Posted in Uncategorized | 5 Comments

Internet Redundancy with ASA SLA and IPSec

I’ve seen a lot of examples of redundant Internet connections that use SLA to track a primary connection. The logic is that the primary Internet connection is constantly being validated by pinging something on that ISP’s network and routing floats over to a secondary service provider in the event of a failure. I was recently challenged with how this interacted with IPSec. As a result I built out this configuration and performed some fairly extensive testing.

It is worth noting that this is not a substitute for a properly multi-homed Internet connection that utilizes BGP. It is, however, a method for overcoming the challenges often found in the SMB environments where connections are mostly outbound or can alternatively be handled without completely depending on either of the service provider owned address spaces.

In this article, we will start out with a typical ASA redundant Internet connection using IP SLA. Then we will overlay a IPSec Site to Site configuration and test the failover process.


The base configuration for this lab is as follows. Continue reading

Posted in CCIE Security, CCNA Security, Certification, Security, Technology | 6 Comments

Black Friday, Technology Glitches and Revenue Lost

This morning my wife was trying to purchase something from She ran into an issue at the point of transaction. The error that was being returned looked like the credit card number was invalid. Since the first attempt was on a mobile device, she attempted the transaction again from a computer. This was met with the same challenge. Ultimately, three different credit cards were attempted and none seemed to work. After reviewing the card account activity, I could see a total of about 5 authorizations against the 3 cards.

My wife contacted BELK by phone and they asked us to call our cc company (which I begrudgingly did). Finally they were able to process the cart transaction manually and admitted that we weren’t the only people experiencing the problem. They went on to say that their systems were very slow and that they were having issues with transactions internally too.
Continue reading

Posted in Rant, Technology | Tagged | 3 Comments

Spearphishing Attacks Against Hostmonster Customers

I tend to see a lot of phishing emails. The message I received this morning caught my eye. It was fairly well crafted and obviously targeted. After searching the Internet, I found that some GoDaddy customers have received something similar. This seems to be making its way around the internet to website administrators. The most curious thing to me is how someone associated the email address with a Hostmonster account.

Phishing Email Message

Screen Shot 2015-11-18 at 6.58.02 AM

As can be seen above, the message read–

Your account contains more than 4035 directories and may pose a potential performance risk to the server. Please reduce the number of directories for your account to prevent possible account deactivation.

In order to prevent your account from being locked out we recommend that you create special temp directory.

The link goes to kct67<dot>ru.

Message headers also suggest a Russian origin–

Received: by with SMTP id 11csp1084546qgx;
        Tue, 17 Nov 2015 20:25:39 -0800 (PST)
X-Received: by with SMTP id k202mr1408853lfe.161.1447820739327;
        Tue, 17 Nov 2015 20:25:39 -0800 (PST)
Return-Path: <[email protected]>
Received: from ( [])
        by with ESMTPS id xd10si580044lbb.198.2015.
        for <[email protected]>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Tue, 17 Nov 2015 20:25:39 -0800 (PST)
Received-SPF: pass ( domain of [email protected] designates as permitted sender) client-ip=;
       spf=pass ( domain of [email protected] designates as permitted sender) [email protected]
Received: from pike.intph ([]
	by with esmtp (Exim 4.77 (FreeBSD))
	(envelope-from <[email protected]>)
	id 1ZyuJH-000K6k-JN
	for [email protected]; Wed, 18 Nov 2015 07:25:31 +0300
Received: (from [email protected])
	by (8.14.5/8.13.8/Submit) id tAI4P7lP079360;
	Wed, 18 Nov 2015 07:25:07 +0300 (MSK)
	(envelope-from qce)

My word of advice would be that site administrators exercise caution when opening messages from their hosting providers. In addition, it certainly makes sense to change applicable passwords on a regular basis.

Posted in Uncategorized | 1 Comment