VPN Debugging Commands to extract .elg and .xml files for troubleshooting


fwaccel off (turn SecureXL off)

vpn debug trunc
vpn debug on
vpn debug on TDERROR_ALL_ALL=5

Replicate the issue, or wait for the VPN tunnel to re-establish on its own

vpn debug off

vpn debug trunc off

fwaccel on (turn SecureXL on)

Upload the following files to Check Point TAC so that they can run them through their IKE utility:
$FWDIR/log/ike.elg
$FWDIR/log/vpnd.elg


Steps: Adding HA devices to Panorama

1. Enable Config Sync (untick on both)(commit).
2. Specify Panorama Server on HA Firewalls and Enable Policy, Objects and Templates options (commit).
3. Add Firewalls as Managed Devices in Panorama using serial numbers (Tick Group HA Peers) (commit Panorama).
4. Import Device configuration to Panorama (Post Rule/Leave ticked) (Primary)
5. Import Device configuration to Panorama (Post Rule/Leave ticked) (Secondary)
6. Commit (Panorama) (Creates Device Groups and Templates for both).
7. Remove Secondary Template and Device Group and Add both to the Primary Device Group and Template.
8. Export Configuration (Push and commit) Device Group config to Secondary only and Make the Primary suspended for Secondary to takeover.
9. Export Configuration (Push and commit) Device Group config to Primary now and Failback to the Primary.
(Both Should be showing In Sync under Managed Devices under Device Group and Templates)

Why Conduct Pen Test?

Why conduct a penetration test?

An organisation should carry out a penetration test:

When penetration testing is conducted within the UK, there are a number of laws that govern the activities that form part of a penetration test.

For the majority of tests, these laws include the following:

In order to ensure that penetration testing is conducted in line with UK law and also to ensure that the test is conducted as efficiently as possible, a testing consent form must always be used to capture the exact scope of the test and provides those responsible for an organisation’s infrastructure with a means of providing their consent.

Upload ASA software image without ASDM (CLI)(Using SCP)

(use pscp for windows)
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

ASA:

ssh scopy enable

PC:
pscp C:\Users\fali\Desktop\asa964-17-lfbff-k8.SPA ABCCorp@196.29.167.170:disk0:asa964-17-lfbff-k8.SPA

(use pscp -1 …… for version 1)

ASA: 

no boot system disk0:/asa952-6-lfbff-k8.SPA
boot system disk0:/asa964-17-lfbff-k8.SPA
boot system disk0:/asa952-6-lfbff-k8.SPA
wr mem
reload in 8:00

RA VPN Profiles and Policies Flow (Pre and Post Login)

1.DAP rules (Dynamic Access Policy)(NAC)(e.g. if firewall present on client machine etc.)
2.User Profile rules (User Account)(e.g. Two simultaneous logins)
3.User Profile Group rules (Group Policy attached to the User profile)(e.g. WebTypeACL)
4.Connection Profile Group rules (selected at pre-login based on URL, Alias or Cert)(e.g. no http from portal)
DefaultWebVPNGroup
DefaultRAGroup
Custom connection profile
5.DfltGrpPolicy Group rules (e.g. connection time 33 mins)

Connection Profile (aka Tunnel Group) controls the "Pre-login Policy"

After login, the ASA knows who the user is and the post-login policies (permissions, authorizations, restrictions, etc.) apply. If two levels conflict, the one higher in the list above always wins.

Example flow.

Capture and Monitor traffic Checkpoint

# fwaccel off (Turn Off SecureXL)

# tcpdump -nei eth1-08 port 22 or 23 -w /var/log/FTP_tcpd_ethx.pcap
# tcpdump -nei Mgmt port 22 or 23 -w /var/log/FTP_tcpd_ethy.pcap

# fw monitor -p all -e 'accept host(10.50.x.);'

# fw monitor -e "accept src=10.200.7.30 and dst=172.24.32.101;"
# fw monitor -e "accept dst=10.200.7.30 and src=172.24.32.101;"

# fw monitor -p all -e 'accept host(10.50.x.);' -o /var/log/FTP_fwmon_.pcap
# fw ctl zdebug drop > /var/log/FTP_fwdrop.dbg

# fw monitor -e "accept port(22) or port(23);" -o /var/log/FTP_fwmon_.pcap
# fw ctl zdebug drop > /var/log/FTP_fwdrop.dbg

# fw monitor -p all -e 'accept host(193.112.66.10);' -o /var/log/Mon_internal1.pcap
# fw ctl zdebug drop | grep 193.112.66.10 > /var/log/Mon_fwdrop1.dbg

# fw monitor -p all -e 'accept net(172.18.92.0,24);' -o /var/log/Mon_internal1.pcap

# fw monitor -p all -e 'accept host(52.3.211.188);' -o /var/log/Mon_external.pcap
# fw ctl zdebug drop | grep 52.3.211.188 > /var/log/Mon_fwdrop2.dbg

# fwaccel on (Turn SecureXL back on)

Debug ip scp

debug ip scp

To troubleshoot secure copy (SCP) authentication problems, use the debug ip scp command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug ip scp

no debug ip scp

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release       Modification
12.2(2)T      This command was introduced.
12.0(21)S     This command was integrated into Cisco IOS Release 12.0(21)S.
12.2(22)S     This command was integrated into Cisco IOS Release 12.2(22)S.
12.2(25)S     This command was integrated into Cisco IOS Release 12.2(25)S.
12.2(18)SXD   This command was integrated into Cisco IOS Release 12.2(18)SXD.

Examples

The following example is output from the debug ip scp command. In this example, a copy of the file scptest.cfg from a UNIX host to the running configuration of the router was successful.

Router# debug ip scp
4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK>
4d06h:SCP:[22 <- 10.11.29.252:1018] recv C0644 20 scptest.cfg
4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK>
4d06h:SCP:[22 <- 10.11.29.252:1018] recv 20 bytes
4d06h:SCP:[22 <- 10.11.29.252:1018] recv <OK>
4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK>
4d06h:SCP:[22 <- 10.11.29.252:1018] recv <EOF>

The following example is also output from the debug ip scp command, but in this example, the user has privilege 0 and is therefore denied:

Router# debug ip scp
4d06h:SCP:[22 -> 10.11.29.252:1018] send Privilege denied.
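The two debug outputs above are the kind of thing you end up grepping through on a syslog server when an SCP copy to a router fails. The following parser, an added example and not part of the Cisco documentation, turns debug ip scp lines into per-session records and classifies each session as complete, incomplete or denied; the sample lines are constructed from the examples above, with a second peer (10.11.29.253:1022) made up for the denied case.

```python
import re

# Line shape seen in the debug ip scp examples:
#   <uptime>:SCP:[<local port> <-|-> <peer ip>:<peer port>] <send|recv> <message>
LINE_RE = re.compile(
    r"^(?P<uptime>\S+?):SCP:\[(?P<lport>\d+) (?P<dir>->|<-) "
    r"(?P<peer_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<peer_port>\d+)\] "
    r"(?P<op>send|recv) (?P<msg>.*)$"
)
# SCP file header sent by the client: C<mode> <length> <name>, e.g. "C0644 20 scptest.cfg"
FILE_HDR_RE = re.compile(r"^C(?P<mode>[0-7]{4}) (?P<size>\d+) (?P<name>\S+)$")

# Constructed sample: the successful copy from the docs plus a made-up denied session.
SAMPLE = """\
4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK>
4d06h:SCP:[22 <- 10.11.29.252:1018] recv C0644 20 scptest.cfg
4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK>
4d06h:SCP:[22 <- 10.11.29.252:1018] recv 20 bytes
4d06h:SCP:[22 <- 10.11.29.252:1018] recv <OK>
4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK>
4d06h:SCP:[22 <- 10.11.29.252:1018] recv <EOF>
4d07h:SCP:[22 -> 10.11.29.253:1022] send Privilege denied.
"""


def parse_line(line):
    """Return the fields of one debug ip scp line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(text):
    """Group lines by SCP session (peer ip:port) and classify each session's outcome."""
    sessions = {}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unrelated syslog noise
        key = f"{rec['peer_ip']}:{rec['peer_port']}"
        s = sessions.setdefault(key, {"files": [], "bytes": 0, "denied": False, "eof": False})
        hdr = FILE_HDR_RE.match(rec["msg"])
        if hdr:
            s["files"].append((hdr["name"], hdr["mode"], int(hdr["size"])))
        elif rec["msg"].endswith("bytes"):
            s["bytes"] += int(rec["msg"].split()[0])
        elif rec["msg"] == "<EOF>":
            s["eof"] = True
        elif rec["msg"].startswith("Privilege denied"):
            s["denied"] = True  # user lacked the privilege level the SCP server requires
    for s in sessions.values():
        s["outcome"] = "denied" if s["denied"] else ("complete" if s["eof"] and s["files"] else "incomplete")
    return sessions


if __name__ == "__main__":
    for peer, s in summarize(SAMPLE).items():
        print(peer, s["outcome"], s["files"], s["bytes"])
```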

Related Commands

Command                Description
ip scp server enable   Enables SCP server-side functionality.