Posts Tagged ‘asa’

Information regarding the Cisco ASA Botnet License.

What is it?

Botnet Traffic Filter is an extra license that can be applied to a Cisco ASA firewall that provides detection and automatic blocking of known bots and botnets. The firewall grabs updates from Cisco’s website to know which IPs to look for and block.

Besides stopping outside botnets from coming into the network, the botnet filter is also very effective at identifying which internal hosts may be running malicious software. It stops internal hosts from going out to a known botnet IP, and it can listen for call-home or command-and-control behaviour seen within the network.


License

It is time based. The SKU is something like L-ASA55xx-BOT-1YR=

It costs between $200-$500 per year. It will only fully work on version 8.2.2 and up.

Purchase license. Apply it using the activation-key command.

Requires the 3DES/AES license (this license is free but does not ship with an ASA).


Initial Configuration

The firewall needs to reach update-manifests.ironport.com, so it must have a working DNS lookup mechanism. To get this going do something like the following:

dns domain-lookup INSIDE
dns server-group DefaultDNS
 name-server 10.2.2.2

There are over 70,000 DNS names in the Cisco database but only 5000 IP addresses. To check traffic against each domain name, DNS snooping must be turned on. To do that issue the following commands:

class-map dynamic-filter_snoop_class
 match port udp eq domain

policy-map global_policy
 class dynamic-filter_snoop_class
  inspect dns preset_dns_map dynamic-filter-snoop


Next turn on the dynamic-filters. I like to start by blocking everything that is blacklisted and whitelist the CEO’s IP from being blocked. Do this by issuing the following commands:

dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface OUTSIDE
dynamic-filter drop blacklist interface OUTSIDE
dynamic-filter whitelist
address 10.1.4.4 255.255.255.255


Checking to see what’s happening

Verify the ASA is downloading the rules:

show dynamic-filter updater-client

Verify traffic is being inspected:

show dynamic-filter statistics

View which hosts are being blocked:

show dynamic-filter reports infected-host all


Using Splunk to see even more

If you are collecting the ASA syslogs in Splunk you can build a dashboard that gives statistics over time. Here is the code for a dashboard that could be used for that purpose (note this requires the Splunk for Cisco ASA add-on, which supplies the error_code field):

<?xml version='1.0' encoding='utf-8'?>
<form>
<label>Botnet Information by host</label>

<!-- define master search template; leave time unbounded so that the time input can be used -->

<fieldset>

<input type="text" token="host">
<label>Host</label>
</input>

<!-- add default TimePicker -->
<input type="time" />

</fieldset>

<row>
<chart>
<title>Botnet activity. Tracked by whether the source or destination is blacklisted</title>
<searchTemplate>$host$ error_code=338007 OR error_code=338006 OR error_code=338008 | rex field=_raw ", (?&lt;srcdst&gt;[\w]+) \d" | timechart span=1hr count by srcdst</searchTemplate>
<option name="charting.chart">line</option>
<option name="charting.legend.placement">right</option>
</chart>
</row>

<row>
<chart>
<title>External blacklisted IPs are targeting these systems</title>
<searchTemplate>$host$ error_code=338007 | rex field=_raw "from (?&lt;Source&gt;[^\']+) to (?&lt;Destination&gt;[^\']+), source.*threat-level: (?&lt;Threat_Level&gt;[^\']+), category: (?&lt;Category&gt;[^\']+)" | timechart span=30min count by Destination</searchTemplate>
<option name="charting.chart">line</option>
<option name="charting.legend.placement">right</option>
</chart>
</row>
<row>
<chart>
<title>Internal systems that are targeting external blacklisted IPs</title>
<searchTemplate>$host$ error_code=338008 OR error_code=338006 | rex field=_raw "from (?&lt;Source&gt;[^\']+) to.*resolved from dynamic list:(?&lt;Destination&gt;[^\']+), threat-level: (?&lt;Threat_Level&gt;[^\']+), category: (?&lt;Category&gt;[^\']+)" | timechart span=30m count by Source</searchTemplate>
<option name="charting.chart">line</option>
<option name="charting.legend.placement">right</option>
</chart>
</row>

<row>

<single>
<searchTemplate>$host$ error_code=444005 earliest=-1d | rex field=_raw "will expire in (?&lt;avg&gt;[^\']+) days" | chart min(avg)</searchTemplate>
<title>Botnet license expires in this many days (444005)</title>
</single>
<single>
<searchTemplate>$host$ error_code=338007 | chart count</searchTemplate>
<title>Total denied incoming connections due to botnet filter</title>
</single>
<single>
<searchTemplate>$host$ error_code=338006 OR error_code=338008 | chart count</searchTemplate>
<title>Total denied outgoing connections due to botnet filter</title>
</single>

</row>
<row>

<table>
<title>Top 10 denied traffic flows due to blacklisted source IP (338007)</title>
<searchTemplate>$host$ error_code=338007 | rex field=_raw "from (?&lt;Source&gt;[^\']+) to (?&lt;Destination&gt;[^\']+), source.*threat-level: (?&lt;Threat_Level&gt;[^\']+), category: (?&lt;Category&gt;[^\']+)" | stats count by Source Destination Threat_Level Category | sort 10 -count</searchTemplate>
</table>

<table>
<title>Top 10 denied traffic flows due to blacklisted destination IP (338006, 338008)</title>
<searchTemplate>$host$ error_code=338008 OR error_code=338006 | rex field=_raw "from (?&lt;Source&gt;[^\']+) to.*resolved from dynamic list:(?&lt;Destination&gt;[^\']+), threat-level: (?&lt;Threat_Level&gt;[^\']+), category: (?&lt;Category&gt;[^\']+)" | stats count by Source Destination Threat_Level Category | sort 10 -count</searchTemplate>
</table>

</row>

<row>

<table>
<title>Top 10 addresses for message: URL Timed Out, Removing Rule (338303)</title>
<searchTemplate>$host$ error_code=338303 | rex field=_raw "Address (?&lt;avg&gt;[^\']+) timed out" | stats count by avg | sort 10 -count</searchTemplate>
</table>

</row>

</form>
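If you want the same numbers without Splunk, or want to sanity-check the rex patterns before building the dashboard, here is an added Python example (not part of the original post) that applies the same field extraction to raw syslog lines. The sample lines are constructed to follow the 338006/338007/338008 message format and were not captured from a real ASA; the regexes are modeled on the dashboard's rex strings but tightened so the greedy [^']+ classes cannot swallow the " to " separator.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Message IDs used by the dashboard: 338007 is traffic *from* a blacklisted
# source, 338006/338008 is traffic *to* a blacklisted destination (the inside
# source of those is the host that is likely infected).
INBOUND_IDS = {"338007"}
OUTBOUND_IDS = {"338006", "338008"}

_HEADER_RE = re.compile(r"%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$")

# Field extraction modeled on the dashboard's rex strings. The optional
# "(ip/port)" groups are the ASA's mapped-address annotations.
_INBOUND_RE = re.compile(
    r"from (?P<source>\S+)(?: \([^)]*\))? to (?P<destination>\S+)(?: \([^)]*\))?, "
    r"source .*?threat-level: (?P<threat_level>[^,]+), category: (?P<category>.+)$"
)
_OUTBOUND_RE = re.compile(
    r"from (?P<source>\S+)(?: \([^)]*\))? to .*?resolved from dynamic list: ?"
    r"(?P<destination>[^,]+), threat-level: (?P<threat_level>[^,]+), "
    r"category: (?P<category>.+)$"
)


def _host(addr: str) -> str:
    """'inside:10.1.1.45/6798' -> '10.1.1.45'; a bare domain name passes through."""
    return addr.split(":")[-1].split("/")[0]


def parse_botnet_syslog(line: str) -> Optional[Dict[str, str]]:
    """Return the extracted fields for a 338006/338007/338008 line, else None."""
    head = _HEADER_RE.search(line)
    if not head:
        return None
    msg_id, body = head.group("msg_id"), head.group("body")
    if msg_id in INBOUND_IDS:
        direction, pattern = "inbound", _INBOUND_RE
    elif msg_id in OUTBOUND_IDS:
        direction, pattern = "outbound", _OUTBOUND_RE
    else:
        return None
    m = pattern.search(body)
    if not m:
        return None
    fields = m.groupdict()
    fields["source"] = _host(fields["source"])
    fields["destination"] = _host(fields["destination"])
    fields.update(msg_id=msg_id, direction=direction)
    return fields


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """The dashboard's counters: totals per direction, top flows, and the
    inside hosts that tried to reach a blacklisted destination."""
    events: List[Dict[str, str]] = [e for e in map(parse_botnet_syslog, lines) if e]
    flows = Counter(
        (e["source"], e["destination"], e["threat_level"], e["category"]) for e in events
    )
    return {
        "denied_inbound": sum(e["direction"] == "inbound" for e in events),
        "denied_outbound": sum(e["direction"] == "outbound" for e in events),
        "top_flows": flows.most_common(10),
        "suspect_inside_hosts": sorted({e["source"] for e in events if e["direction"] == "outbound"}),
    }


# Constructed sample lines modeled on the 338xxx message format (documentation
# address ranges); not captured from a real device.
SAMPLE_SYSLOG = [
    "%ASA-4-338007: Dynamic Filter dropped blacklisted TCP traffic from "
    "outside:203.0.113.10/7890 (203.0.113.10/7890) to inside:10.1.1.45/6798 (198.51.100.2/6798), "
    "source 203.0.113.10 resolved from dynamic list: bad.example, threat-level: very-high, category: Malware",
    "%ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from "
    "inside:10.1.1.45/49152 (198.51.100.2/49152) to outside:203.0.113.20/80 (203.0.113.20/80), "
    "destination 203.0.113.20 resolved from dynamic list: cnc.example, threat-level: very-high, category: Botnet",
    "%ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from "
    "inside:10.1.1.45/49153 (198.51.100.2/49153) to outside:203.0.113.20/80 (203.0.113.20/80), "
    "destination 203.0.113.20 resolved from dynamic list: cnc.example, threat-level: very-high, category: Botnet",
    "%ASA-4-338006: Dynamic Filter monitored blacklisted TCP traffic from "
    "inside:10.1.1.77/51000 (198.51.100.2/51000) to outside:203.0.113.30/443 (203.0.113.30/443), "
    "destination 203.0.113.30 resolved from dynamic list: drop.example, threat-level: high, category: Malware",
    # An unrelated connection message: ignored by the parser.
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.40/443 "
    "(203.0.113.40/443) to inside:10.1.1.45/49160 (198.51.100.2/49160)",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SYSLOG).items():
        print(f"{key}: {value}")
```

Feed summarize() the lines from your syslog collector to get the dashboard's three totals and its top-10 table. Operationally the suspect_inside_hosts list is the useful one: it is the set of internal hosts that attempted to reach a blacklisted destination, the same population that show dynamic-filter reports infected-host lists on the ASA itself.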


More information on Cisco’s website:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_botnet.html#wp1129967


To copy a file from an FTP server to the flash of an ASA you could do the following:

copy ftp flash

This will then prompt you for all the details (username/password/location/file). But there is a better way, which allows you to put all of that information on one line.

To indicate all of the details on one line you can do:

copy ftp://ftpuser:PassworD@192.168.5.50/asa/asa825-41-k8.bin flash

This specifies the username ftpuser, the password PassworD, the FTP server at 192.168.5.50 and the file /asa/asa825-41-k8.bin.

Consider the following network.

Things to notice:

Subnets 22.22.22.0/24 and 33.33.33.0/24 are being routed to the outside of the ASA.

There is a static NAT statement in the ASA to translate the real IP 192.168.5.22 to 22.22.22.22

There is a static NAT statement in the ASA to translate the real IP 192.168.5.33 to 33.33.33.33


So how do you get this to work properly?

In pre-8.3 ASA code the ASA would answer ARP requests for its static NAT addresses regardless of whether the subnet was directly connected.

In ASA 8.3 through 8.4(4), THIS IS IMPOSSIBLE.

In ASA 8.4(5)+ Cisco realized their major mistake and implemented the command:

arp permit-nonconnected


When else can I use this?

Another scenario is a router with multiple IP subnets on the interface that connects to an ASA with a single IP. The ASA won't accept packets for the other subnets that the router considers connected. Applying this command makes the ASA accept packets for those subnets.


What’s the risk?

Well, enabling this feature could facilitate a denial of service (DoS) attack against the ASA: a user on any interface could send many ARP replies and overload the ASA's ARP table with false entries.


Today we are going to set up a Cisco ASA firewall to redirect port 80 web traffic via WCCP to a Cisco Ironport WSA (Web Security Appliance) for inspection.

Suppose the following:

Ironport WSA IP address: 192.168.5.55

Inside IP of ASA firewall: 192.168.5.1

Inside IP address range: 192.168.0.0/16


Cisco ASA firewall configuration:

! Define the Ironport IP Address in an ACL
access-list ACL-IRONPORT-WSA extended permit ip host 192.168.5.55 any

! Define what traffic should be inspected
access-list ACL-WEBPROXY-TRAFFIC extended permit tcp 192.168.0.0 255.255.0.0 any eq www

! Apply the WCCP configuration
wccp web-cache redirect-list ACL-WEBPROXY-TRAFFIC group-list ACL-IRONPORT-WSA
wccp interface INSIDE web-cache redirect in


Now configure the Ironport.

Navigate to Network -> Transparent Redirection

Make the type WCCP v2 Router

Add a service with a name of WEB_CACHE, a router IP of 192.168.5.1 (ASA Inside IP) and port 80 (Standard).


At this point you can do a ‘show wccp’ on the ASA and you should see “Total Packets Redirected” rising. From within the Ironport go to Reporting -> Overview and you should see statistics of what traffic is now flowing through the Ironport.


Troubleshooting techniques:

  • Verify basic connectivity. Check interface IP addresses. Verify network access between both ASA and Ironport.
  • Show commands on ASA: show wccp
  • Debug commands on firewall: debug wccp packet, debug wccp events
  • Verify the ports caught in the traffic ACL are the same as the ports used for WCCP and there’s a listener (service) on Ironport to interpret them.

Suppose you are trying to troubleshoot a site to site VPN tunnel that is designed like this:
Diagram

Upon doing `show ipsec sa peer` on the blue ASA you see the following:

interface: OUTSIDE
Crypto map tag: MAP-OUTSIDE, seq num: 200, local addr: 11.11.11.11

local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.22.0/255.255.255.0/0/0)
current_peer: 22.22.22.22

#pkts encaps: 61, #pkts encrypt: 61, #pkts digest: 61
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 61, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

The output above shows that Phase 1 has established and a Phase 2 SA exists, but Phase 2 traffic is only flowing one way: the firewall is encrypting packets but never decrypting any.

If an ASA or router shows encaps but no decaps, it is encrypting data and sending it out but has received nothing back to decrypt. Work through the following:

  • Verify the other end has a route out its outside interface for the interesting traffic.
  • Check that the two VPN ACLs are exact mirror images of each other.
  • Double-check the NAT rules to make sure the interesting traffic is being exempted from translation.
  • Is the host you are pinging even responding? Often the destination cannot accept, or does not respond to, the traffic. I prefer to put a packet capture on the remote-end firewall to see whether the traffic arrives there and whether a reply comes back.
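As an added example (not from the post), the following Python reads show ipsec sa output and applies the encaps/decaps rule above to every crypto map entry, so the one-way tunnel is flagged without reading the counters by eye. The first entry in the sample is the output quoted above; the second is a constructed healthy entry for contrast.

```python
import re
from typing import Dict, List, Tuple

_MAP_RE = re.compile(r"Crypto map tag: (?P<tag>\S+), seq num: (?P<seq>\d+), local addr: (?P<local>\S+)")
_IDENT_RE = re.compile(r"(?P<side>local|remote) ident \(addr/mask/prot/port\): \((?P<ident>[^)]+)\)")
_PEER_RE = re.compile(r"current_peer: (?P<peer>\S+)")
_COUNTER_RE = re.compile(r"#pkts (?P<name>encaps|decaps|encrypt|decrypt|digest|verify): (?P<value>\d+)")
_ERROR_RE = re.compile(r"#(?P<name>send|recv) errors: (?P<value>\d+)")


def parse_ipsec_sa(text: str) -> List[Dict[str, object]]:
    """One record per crypto map entry: peer, proxy identities and packet counters."""
    records: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _MAP_RE.search(line)
        if m:  # a new crypto map entry starts here
            current = {"tag": m["tag"], "seq": int(m["seq"]), "local_addr": m["local"], "counters": {}}
            records.append(current)
            continue
        if not current:
            continue
        ident = _IDENT_RE.search(line)
        peer = _PEER_RE.search(line)
        if ident:
            current[f"{ident['side']}_ident"] = ident["ident"]
        elif peer:
            current["peer"] = peer["peer"]
        else:
            counters = current["counters"]
            for name, value in _COUNTER_RE.findall(line):
                counters[name] = int(value)
            for name, value in _ERROR_RE.findall(line):
                counters[f"{name}_errors"] = int(value)
    return records


def diagnose(record: Dict[str, object]) -> str:
    """Apply the encaps/decaps rule from the post to one SA."""
    c = record["counters"]
    encaps, decaps = c.get("encaps", 0), c.get("decaps", 0)
    if encaps == 0 and decaps == 0:
        return "idle: no interesting traffic has matched this SA yet"
    if decaps == 0:
        return ("one-way: encrypting and sending but nothing comes back; check the remote "
                "route, the mirrored VPN ACL, NAT exemption, and whether the target answers")
    if encaps == 0:
        return "one-way: receiving but not sending; check the local route, ACL and NAT exemption"
    if c.get("send_errors", 0) or c.get("recv_errors", 0):
        return "passing traffic but with send/recv errors"
    return "healthy"


def report(text: str) -> List[Tuple[str, str]]:
    """(peer, diagnosis) for every crypto map entry in the output."""
    return [(str(r.get("peer", "?")), diagnose(r)) for r in parse_ipsec_sa(text)]


# First entry: the output quoted in the post. Second entry: constructed, healthy.
SAMPLE_SHOW_IPSEC_SA = """\
interface: OUTSIDE
    Crypto map tag: MAP-OUTSIDE, seq num: 200, local addr: 11.11.11.11

      local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.22.0/255.255.255.0/0/0)
      current_peer: 22.22.22.22

      #pkts encaps: 61, #pkts encrypt: 61, #pkts digest: 61
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 61, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

    Crypto map tag: MAP-OUTSIDE, seq num: 210, local addr: 11.11.11.11

      local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.33.0/255.255.255.0/0/0)
      current_peer: 33.33.33.33

      #pkts encaps: 5120, #pkts encrypt: 5120, #pkts digest: 5120
      #pkts decaps: 4871, #pkts decrypt: 4871, #pkts verify: 4871
      #send errors: 0, #recv errors: 0
"""

if __name__ == "__main__":
    for peer, verdict in report(SAMPLE_SHOW_IPSEC_SA):
        print(f"{peer}: {verdict}")
```

Paste the real show ipsec sa output into report() and every entry gets one line; the proxy identities are kept in each record so a mirrored-ACL mismatch can be checked against the other side's local/remote ident as well.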


Blue firewall: Juniper SRX 210 (JunOS 10.0R1.8)

Red firewall: Cisco ASA 5510 (OS 8.4)

This is a script to create a site-to-site VPN tunnel between a Cisco ASA and a Juniper SRX. The Juniper SRX will be using a policy-based VPN.


Blue Juniper SRX

# Create the IKE proposal
set security ike proposal IKE-SHA-AES128-DH1 authentication-method pre-shared-keys
set security ike proposal IKE-SHA-AES128-DH1 dh-group group2
set security ike proposal IKE-SHA-AES128-DH1 encryption-algorithm aes-128-cbc
set security ike proposal IKE-SHA-AES128-DH1 authentication-algorithm sha1
set security ike proposal IKE-SHA-AES128-DH1 lifetime-seconds 86400

# Create the IKE policy
set security ike policy IKE-POLICY-HQ mode main
set security ike policy IKE-POLICY-HQ proposals IKE-SHA-AES128-DH1
set security ike policy IKE-POLICY-HQ pre-shared-key ascii-text s3kreTKey

# Create an IKE gateway
set security ike gateway IKE-GATEWAY-HQ ike-policy IKE-POLICY-HQ
set security ike gateway IKE-GATEWAY-HQ address 22.22.22.22
set security ike gateway IKE-GATEWAY-HQ external-interface ge-0/0/0.0

# Create an IPSec proposal/transform set
set security ipsec proposal IPSEC-SHA-AES128-ESP encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC-SHA-AES128-ESP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-SHA-AES128-ESP protocol esp
set security ipsec proposal IPSEC-SHA-AES128-ESP lifetime-seconds 3600

# Create an IPSec policy
set security ipsec policy VPN-POLICY-HQ proposals IPSEC-SHA-AES128-ESP

# Create the IPSec VPN
set security ipsec vpn VPN-HQ ike gateway IKE-GATEWAY-HQ
set security ipsec vpn VPN-HQ ike ipsec-policy VPN-POLICY-HQ

# Add some networks into the address book
set security zones security-zone OUTSIDE address-book address NET-REMOTE-VPN 172.16.22.0/24
set security zones security-zone INSIDE address-book address NET-LOCAL 192.168.11.0/24

# Create the policies to define the interesting traffic
set security policies from-zone INSIDE to-zone OUTSIDE policy VPN-POLICY-HQ-OUT match source-address NET-LOCAL
set security policies from-zone INSIDE to-zone OUTSIDE policy VPN-POLICY-HQ-OUT match destination-address NET-REMOTE-VPN
set security policies from-zone INSIDE to-zone OUTSIDE policy VPN-POLICY-HQ-OUT match application any
set security policies from-zone INSIDE to-zone OUTSIDE policy VPN-POLICY-HQ-OUT then permit tunnel ipsec-vpn VPN-HQ
set security policies from-zone INSIDE to-zone OUTSIDE policy VPN-POLICY-HQ-OUT then permit tunnel pair-policy VPN-POLICY-HQ-IN

set security policies from-zone OUTSIDE to-zone INSIDE policy VPN-POLICY-HQ-IN match source-address NET-REMOTE-VPN
set security policies from-zone OUTSIDE to-zone INSIDE policy VPN-POLICY-HQ-IN match destination-address NET-LOCAL
set security policies from-zone OUTSIDE to-zone INSIDE policy VPN-POLICY-HQ-IN match application any
set security policies from-zone OUTSIDE to-zone INSIDE policy VPN-POLICY-HQ-IN then permit tunnel ipsec-vpn VPN-HQ
set security policies from-zone OUTSIDE to-zone INSIDE policy VPN-POLICY-HQ-IN then permit tunnel pair-policy VPN-POLICY-HQ-OUT

# You want to exclude the VPN traffic from being NAT’d
set security nat source rule-set NAT-INTERFACE rule NO-NAT match source-address 192.168.11.0/24
set security nat source rule-set NAT-INTERFACE rule NO-NAT match destination-address 172.16.22.0/24
set security nat source rule-set NAT-INTERFACE rule NO-NAT then source-nat off

# My config already had a rule in the rule-set. So I had to move the new rule above the old rule so it processes the no nat first.
insert security nat source rule-set NAT-INTERFACE rule NO-NAT before rule RULE-NAME

Red Cisco ASA Firewall

! Define the interesting traffic
access-list ACL-VPN-SRX extended permit ip 172.16.22.0 255.255.255.0 192.168.11.0 255.255.255.0

! Set the IKE parameters
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

! Create the IPSec settings
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map MAP-VPN 10 match address ACL-VPN-SRX
crypto map MAP-VPN 10 set peer 11.11.11.11
crypto map MAP-VPN 10 set ikev1 transform-set ESP-AES128-SHA
crypto map MAP-VPN interface OUTSIDE

! Create the tunnel group
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
ikev1 pre-shared-key s3kreTKey

! In my case I needed to tell this VPN traffic to not be NAT’d as it goes through the firewall
object network OBJ-172.16.22.0
subnet 172.16.22.0 255.255.255.0
object network OBJ-192.168.11.0
subnet 192.168.11.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static OBJ-172.16.22.0 OBJ-172.16.22.0 destination static OBJ-192.168.11.0 OBJ-192.168.11.0 no-proxy-arp description No NAT for VPN to SRX
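As an added check, not part of the post: the Python below parses the Phase 1 and Phase 2 parameters out of the two configs above and reports any that differ, which is the first thing to rule out when a tunnel will not negotiate. The vendor keyword equivalences (ASA "aes" = AES-128-CBC, "sha" = SHA-1, "group 2" = DH group 2, "esp-aes esp-sha-hmac" = aes-128-cbc with hmac-sha1-96) are assumptions encoded in the mapping tables; lifetimes are left out because the peers negotiate those rather than rejecting a difference outright.

```python
import re
from typing import Dict, List, Tuple

# Vendor keyword equivalences (assumed). The entries used by the configs in the
# post are "aes", "sha", "group 2", "esp-aes" and "esp-sha-hmac".
ASA_AUTH = {"pre-share": "pre-shared-keys", "rsa-sig": "rsa-signatures"}
ASA_ENCRYPTION = {"aes": "aes-128-cbc", "aes-192": "aes-192-cbc", "aes-256": "aes-256-cbc", "3des": "3des-cbc"}
ASA_HASH = {"sha": "sha1", "md5": "md5"}
ASA_ESP_ENCRYPTION = {"esp-aes": "aes-128-cbc", "esp-aes-192": "aes-192-cbc",
                      "esp-aes-256": "aes-256-cbc", "esp-3des": "3des-cbc"}
ASA_ESP_AUTH = {"esp-sha-hmac": "hmac-sha1-96", "esp-md5-hmac": "hmac-md5-96"}


def srx_proposal(config: str, kind: str, name: str) -> Dict[str, str]:
    """Collect 'set security <ike|ipsec> proposal NAME <key> <value>' lines into a dict."""
    pattern = re.compile(rf"^set security {kind} proposal {re.escape(name)} (\S+) (\S+)$", re.M)
    return dict(pattern.findall(config))


def srx_phase1(config: str, name: str) -> Dict[str, object]:
    p = srx_proposal(config, "ike", name)
    return {"auth": p.get("authentication-method"),
            "dh_group": int(p.get("dh-group", "group0")[len("group"):]),
            "encryption": p.get("encryption-algorithm"),
            "hash": p.get("authentication-algorithm")}


def srx_phase2(config: str, name: str) -> Dict[str, object]:
    p = srx_proposal(config, "ipsec", name)
    return {"protocol": p.get("protocol"), "encryption": p.get("encryption-algorithm"),
            "auth": p.get("authentication-algorithm")}


def asa_phase1(config: str, number: int) -> Dict[str, object]:
    """Read the sub-commands under 'crypto ikev1 policy N' up to the next top-level command."""
    lines = [l.rstrip() for l in config.splitlines()]
    header = f"crypto ikev1 policy {number}"
    if header not in lines:
        return {}
    params: Dict[str, str] = {}
    for line in lines[lines.index(header) + 1:]:
        line = line.strip()
        if not line or line.startswith(("crypto ", "!", "tunnel-group ")):
            break
        key, _, value = line.partition(" ")
        params[key] = value
    return {"auth": ASA_AUTH.get(params.get("authentication", "")),
            "dh_group": int(params.get("group", "0")),
            "encryption": ASA_ENCRYPTION.get(params.get("encryption", "")),
            "hash": ASA_HASH.get(params.get("hash", ""))}


def asa_phase2(config: str, name: str) -> Dict[str, object]:
    m = re.search(rf"^crypto ipsec ikev1 transform-set {re.escape(name)} (\S+) (\S+)$", config, re.M)
    if not m:
        return {}
    enc, auth = m.groups()
    return {"protocol": "esp", "encryption": ASA_ESP_ENCRYPTION.get(enc), "auth": ASA_ESP_AUTH.get(auth)}


def mismatches(a: Dict[str, object], b: Dict[str, object]) -> List[Tuple[str, object, object]]:
    """(parameter, value on side a, value on side b) for every parameter that differs."""
    return [(k, a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]


# Phase 1 / Phase 2 excerpts from the two configs in the post above.
SRX_CONFIG = """\
set security ike proposal IKE-SHA-AES128-DH1 authentication-method pre-shared-keys
set security ike proposal IKE-SHA-AES128-DH1 dh-group group2
set security ike proposal IKE-SHA-AES128-DH1 encryption-algorithm aes-128-cbc
set security ike proposal IKE-SHA-AES128-DH1 authentication-algorithm sha1
set security ike proposal IKE-SHA-AES128-DH1 lifetime-seconds 86400
set security ipsec proposal IPSEC-SHA-AES128-ESP encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC-SHA-AES128-ESP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-SHA-AES128-ESP protocol esp
set security ipsec proposal IPSEC-SHA-AES128-ESP lifetime-seconds 3600
"""
ASA_CONFIG = """\
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
"""


def check_tunnel(srx: str, asa: str) -> Dict[str, List[Tuple[str, object, object]]]:
    """Empty lists mean both phases agree; otherwise each tuple names a differing parameter."""
    return {"phase1": mismatches(srx_phase1(srx, "IKE-SHA-AES128-DH1"), asa_phase1(asa, 5)),
            "phase2": mismatches(srx_phase2(srx, "IPSEC-SHA-AES128-ESP"), asa_phase2(asa, "ESP-AES128-SHA"))}


if __name__ == "__main__":
    print(check_tunnel(SRX_CONFIG, ASA_CONFIG))
    print(check_tunnel(SRX_CONFIG.replace("dh-group group2", "dh-group group5"), ASA_CONFIG))
```

The second call in the main block shows the failure case: change the SRX DH group to group5 and the checker reports ("dh_group", 5, 2) for Phase 1, the kind of mismatch that leaves Phase 1 stuck in MM_WAIT on the ASA side.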

There is a great tool to generate the Juniper SRX code on Juniper’s site:

https://www.juniper.net/customers/support/configtools/vpnconfig.html


To build the Juniper config I used this page as a reference guide:

http://www.juniper.net/techpubs/en_US/junos/topics/example/policy-based-vpn-using-j-series-srx-series-device-configuring.html


Today I was given a problem that our Cisco Ironport was not accepting email from outside people sending mail to inside people (backstory: this occurred right after we moved our Ironport to a different location). I looked in Ironport and spotted a lot of messages failing to be delivered. Specifically the error in Ironport was:
Message 1006902 aborted: Receiving aborted

I spent a long time doing packet captures to try to troubleshoot and determined the remote end was sending a reset which made me think this is the sender’s problem and not mine. However I was wrong.

The next thing I checked was the MX Record at MXToolbox.com (a great site for looking up DNS records and stuff). Specifically the SMTP test showed this:

Specifically I didn’t like seeing this warning:
SMTP Reverse DNS Mismatch — Warning – Reverse DNS does not match SMTP Banner
and
SMTP TLS — Warning – Does not support TLS

But what does that mean? I specifically wanted to know what two strings are being compared that resulted in a mismatch. Well in the case above the two strings it was comparing were *********************** and mail3.example.com. For some reason this took me a long time to realize the ********************* was the banner… You can see it in the image above after 220.

Looking around on the internet it turns out that our Cisco ASA we have in front of the Ironport has “inspect esmtp” turned on (which is on by default). Upon turning that inspect off the issue immediately cleared up and the results were this:

Mail was then flowing into the Ironport properly and being delivered as expected. Looking back at the problem if I would have looked at the logs in the ASA I would have seen these syslogs:

ASA-4-108004: ESMTP Classification: Dropped connection for ESMTP Request from outside:75.75.75.75/35314 to DMZ:10.0.25.101/25; matched Class 4: header line length gt 998
%ASA-4-507003: tcp flow from outside:75.75.75.75/35314 to PUBLIC_DMZ:10.0.25.101/25 terminated by inspection engine, reason - inspector disconnected, dropped packet.
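The "header line length gt 998" in that syslog is the ESMTP inspection engine enforcing the RFC 5322 limit of 998 octets per line (CRLF excluded). As an added example, not from the post, the Python below finds header lines over that limit in a raw message and folds them at whitespace so the same message would pass the check; the sample message is constructed.

```python
from typing import List, Tuple

RFC5322_MAX_LINE = 998  # octets per line, CRLF excluded (RFC 5322 section 2.1.1)


def overlong_header_lines(raw: bytes, limit: int = RFC5322_MAX_LINE) -> List[Tuple[int, int]]:
    """(1-based line number, length) for every header line longer than limit.
    Only the header section, everything before the first empty line, is examined."""
    header_section = raw.split(b"\r\n\r\n", 1)[0]
    return [(n, len(line)) for n, line in enumerate(header_section.split(b"\r\n"), start=1)
            if len(line) > limit]


def fold_header(name: str, value: str, limit: int = RFC5322_MAX_LINE) -> str:
    """Fold 'Name: value' at whitespace so no line exceeds limit (RFC 5322 section 2.2.3).
    Continuation lines start with one space; a single token longer than the limit
    cannot be folded and is emitted as is."""
    lines: List[str] = []
    current = f"{name}:"
    for word in value.split():
        if len(current) + 1 + len(word) > limit and current != f"{name}:":
            lines.append(current)
            current = f" {word}"
        else:
            current = f"{current} {word}"
    lines.append(current)
    return "\r\n".join(lines)


def unfold_header(folded: str) -> str:
    """Inverse of fold_header: join the continuation lines with single spaces."""
    return " ".join(part.strip() for part in folded.split("\r\n"))


def fold_overlong_headers(raw: bytes, limit: int = RFC5322_MAX_LINE) -> bytes:
    """Fold every overlong header line of a message; body bytes are left untouched."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    out: List[bytes] = []
    for line in head.split(b"\r\n"):
        text = line.decode("latin-1")  # lossless round trip for arbitrary bytes
        if len(line) > limit and ":" in text and not text[:1].isspace():
            name, _, value = text.partition(":")
            out.append(fold_header(name, value.strip(), limit).encode("latin-1"))
        else:
            out.append(line)
    return b"\r\n".join(out) + sep + body


# Constructed sample: a Received: header left unfolded at well over 998 octets,
# which is the condition the ASA's "Class 4" match reported above.
LONG_RECEIVED_VALUE = " ".join(f"from hop{i}.example.test" for i in range(48))
SAMPLE_MESSAGE = (
    f"Received: {LONG_RECEIVED_VALUE}\r\n"
    "From: sender@example.test\r\n"
    "To: recipient@example.test\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
).encode("ascii")

if __name__ == "__main__":
    print("overlong before:", overlong_header_lines(SAMPLE_MESSAGE))
    print("overlong after folding:", overlong_header_lines(fold_overlong_headers(SAMPLE_MESSAGE)))
```

Running overlong_header_lines() over a message captured from the sending side tells you whether the drop was this limit or something else before you touch the inspection policy.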

This tutorial shows you how to install an HTTPS/SSL certificate on an ASA. This is often needed when WebVPN or AnyConnect is configured, since both use SSL. Without a certificate installed, users are given warnings and errors about a missing or invalid certificate.

This has nothing to do with authentication. It’s simply the https certificate which is needed for a secure communication to be set up.

Suppose you are working for a place called http://company.com and they want to set up their ASA to allow users to VPN into the network. To access the VPN you can use either IPSec or SSL. Suppose their choice was SSL and they want the URL of the ASA to be https://vpn.company.com. This tutorial will help set the HTTPS certificate for that URL.

It is easier for me to use ASDM when dealing with certificates so this tutorial uses ASDM exclusively.

Step 1 – Create an Identity Certificate

Under Configuration -> Device Management -> Certificate Management -> Identity Certificates

Click Add.

Give the Trustpoint a Name.

Choose “Add” a new identity certificate

Choose the key pair to use for encryption.

Click “Select” for the certificate subject DN. In this section it is important to make the CN = the URL of the ASA that this certificate will be serving. It doesn’t need to have any trailing slashes. So if the URL is “https://example.com/owa” you can simply make the CN “example.com”.

Click “advanced”.

Fill in the FQDN field. This should be exactly the same as CN.

Click Add certificate.

Step 2 – Send the certificate to the CA

After completing step 1 you will be presented with the option of saving your certificate.

Send this certificate request to the CA, such as Symantec or Verisign. They will then process it and send you back your public certificate.

Step 3 – Installing your certificate

Go back to the ASDM: Configuration -> Device Management -> Certificate Management -> Identity Certificates

Click the certificate you made earlier. Then click Install.

Paste in the certificate the CA sent you. Paste in everything including the BEGIN CERTIFICATE and END CERTIFICATE lines, but make sure there are no trailing spaces or carriage returns. You do not need any of the intermediate certificates here, simply the public cert.

Step 4 – Enabling your certificate on an interface

Go to Configuration -> Remote Access VPN -> Network (client) access -> AnyConnect Connection Profiles

Click Device Certificate

Choose the certificate you installed as the one to use for when users HTTPS to this device.


That’s it! Test the functionality by going to the URL of your ASA by using HTTPS.


Below is a config to create a VPN tunnel between a Cisco ASA (Blue side) and a Juniper SSG running ScreenOS (Red side).

Juniper Settings:

ethernet0/0: 22.22.22.22, Untrust
bgroup0: 172.16.22.1, Trust

diagram

Cisco ASA config (Blue):

!^^^^^^^ ISAKMP (Phase 1) ^^^^^^^!
! must match with the other side in order for Phase 1 to complete.
! Lower policy numbers will likely be used before higher ones.
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

! Enable ISAKMP on the outside interface
crypto isakmp enable OUTSIDE
! Define the pre-shared-key
tunnel-group 22.22.22.22 type ipsec-l2l
tunnel-group 22.22.22.22 ipsec-attributes
pre-shared-key sekretk3y

!^^^^^^^ IPSEC (Phase 2) ^^^^^^^!
! Define the interesting traffic in the ACL
access-list ACL-RED-VPN permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
! Create a crypto map entry that defines the tunnel
crypto map MAP-OUTSIDE 20 set peer 22.22.22.22
! ACL must be exactly the mirror image of the other side's ACL
crypto map MAP-OUTSIDE 20 match address ACL-RED-VPN
! Transform set must match other side identically
crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000
! Apply crypto map to an interface
crypto map MAP-OUTSIDE interface OUTSIDE

!^^^^^^^ Routes and No-NATS ^^^^^^^!
! Point the destination network out the outside interface with a next hop as the default gateway.
route OUTSIDE 172.16.22.0 255.255.255.0 11.11.11.1
! Make sure that the VPN traffic is NOT NAT’d
access-list ACL-INSIDE-NONAT extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
nat (INSIDE) 0 access-list ACL-INSIDE-NONAT

Juniper SSG-5 ScreenOS config (Red):

# Create a tunnel interface
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Create the gateway (IKE settings)
# note that "sec-level standard" means the IKE policies will try to use: pre-g2-3des-sha and pre-g2-aes128-sha
set ike gateway "VPN-GATEWAY" ip 11.11.11.11 outgoing-interface ethernet0/0 preshare "sekretk3y" sec-level standard

# Configure VPN IPSEC settings
set vpn "VPN" gateway "VPN-GATEWAY" replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha"
set vpn "VPN" id 1 bind interface tunnel.1
set vpn "VPN" proxy-id local-ip 172.16.22.0/24 remote-ip 192.168.11.0/24 "ANY"

# Configure a route for the remote end traffic
set vrouter trust-vr route 192.168.11.0/24 interface tunnel.1

# Create 2 address book entries and create two policies to permit this traffic
set address Untrust "192.168.11.0/24" 192.168.11.0/24
set address Trust "172.16.22.0/24" 172.16.22.0/24
set policy top from "Trust" to "Untrust" "172.16.22.0/24" "192.168.11.0/24" "ANY" Permit log count
set policy top from "Untrust" to "Trust" "192.168.11.0/24" "172.16.22.0/24" "ANY" Permit log count

Notes:

Coming at this from my Cisco background I had to learn some new ways of looking at this.

The traffic that can go over the tunnel is called the proxy-id. It is defined in the vpn settings. You also have to then permit this traffic in a policy between the two zones of your tunnel interface and whatever internal interface you have. In my case my Trust interface was bgroup0.


Troubleshooting:

Some show commands to see what’s going on:

get sa

get ike gateway

get event

Try creating a packet capture to see what is happening to the packet. With a packet capture you can see what is going on between the two VPN peers, or why your interesting traffic is not making it through the SSG.

clear db
set console dbuf
set ffilter src-ip 1.1.1.1 dst-ip 2.2.2.2
debug flow basic

# generate some traffic

# to see the capture:
get dbuf stream

# to stop capturing:
undebug all


Here is a basic reference sheet for looking up equivalent commands between a Cisco ASA and a Juniper SSG firewall running ScreenOS.

Each pair below gives the Cisco ASA command first (ASA:) and the Juniper SSG equivalent second (SSG:).

ASA: show log
SSG: get event

ASA: show ip
SSG: get interface

ASA: show version
SSG: get system

ASA: show int (for i/o of bytes)
SSG: get counter statistics

ASA: show cpu usage
SSG: get performance cpu

ASA: show conn
SSG: get session

ASA: show clock
SSG: get clock

ASA: ssh x.x.x.0 y.y.y.0 inside
SSG: set admin manager-ip x.x.x.0 y.y.y.0
     set ssh enable

ASA: show run [cry isakmp|tunnel-group]?
SSG: get ike gateway

ASA: show cry isak sa
SSG: get sa

ASA: interface Ethernet1
     shutdown
SSG: set interface ethernet0/0 phy link-down

ASA: interface Ethernet1
     no shutdown
SSG: unset interface ethernet0/0 phy link-down

ASA: show failover
SSG: get nsrp

ASA: route outside 1.1.1.0 255.255.255.0 1.1.1.2
SSG: set route 1.1.1.0/24 interface bgroup3/0 gateway 1.1.1.2

ASA: logging host INSIDE 1.1.1.1
     logging trap notification
SSG: set syslog config 172.16.200.200 facilities local5
     set syslog src-interface ethernet1/0
     set syslog enable

ASA: ntp server 1.1.1.1 source OUTSIDE
SSG: set ntp server 1.1.1.1
     set ntp server src-interface ethernet3/0
     set clock ntp
     exec ntp update

ASA: capture CAP1 match ip host 1.1.1.1 host 2.2.2.2
SSG: clear db
     set console dbuf
     set ffilter src-ip 1.1.1.1 dst-ip 2.2.2.2
     debug flow basic
     — OR —
     snoop filter ip src-ip 1.1.1.1 dst-ip 2.2.2.2 direction both
     clear dbuf
     snoop

ASA: show capture CAP1
SSG: get dbuf stream

ASA: clear capture CAP1
SSG: undebug all
     unset ffilter
     — OR —
     snoop filter delete

Additional reading material regarding Juniper SSG and ScreenOS commands:
http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/index.html