Clear Xlate

Is your Kung Fu Strong?

2010-10-20T10:08:00.000-05:00

"My Kung Fu Is Strong" I thought was one of those nerd quotes that everyone just knew; especially given how it was used a second time in the movie Twilight: New Moon. Okay so maybe none of us saw this, unless forced to. The original use of this line however comes from the 2003 movie "The Core". So to help everyone understand and get on the same page, let me paraphrase / explain its origins:

Without giving the premise of the movie away – - D.J. Qualls plays a computer geek/hacker and the government is trying to recruit him for a secret, black-ops mission. His known hacking skills are notorious – - he’s hacked the NSA, FBI and NASA’s computer databases.

His character, “Rat”, explains that he uses a program that he wrote himself called “Kung Fu” – - When asked by a FBI agent how he managed to hack the NSA’S Computer system – he replies with “Your kung fu is not strong”

Other “Rat” quotes from the movie that I liked:

When the FBI agent was doubting “Rat’s” skill level…

Taz ‘Rat’ Finch: How many languages do you speak?
Dr. Conrad Zimsky: Five, actually.
Taz ‘Rat’ Finch: I speak one. One Zero One Zero Zero. With that I could steal your money, your secrets, your sexual fantasies, your whole life. In any country, any time, any place I want. We multitask like you breathe. I couldn’t think as slow as you if I tried.

Personally I thought that last one was hilarious!

ASA Order of Operations

2010-03-29T14:58:00.002-05:00

Several years ago I went to networkers in Las Vegas while there I attended an ASA seminar. In that seminar as a slide detailing the ASA "order of operations". This was darn handy and since you cannot get the slides anymore I recreated and improved upon it. This has become very helpful over the years to share with customers as well a priceless troubleshooting aid!

Enjoy!

Using the ASA to filter URLs

2010-02-19T10:03:00.001-06:00

! ACLs will identify the protocol and port of the packets your filter will be checking
! This example is to block domains so www and https packets will be checked
!
access-list BLOCK_HTTPDOMAINS remark Defines packets to be checked in filter
access-list BLOCK_HTTPDOMAINS extended permit tcp any any eq www
access-list BLOCK_HTTPDOMAINS extended permit tcp any any eq https
!
! Individual named regex entries will define each separate domain to be filtered
!
regex DOMAIN01 "\.facebook\.com"
regex DOMAIN02 "\.myspace\.com"
regex DOMAIN03 "\.twitter\.com"
!
! Assign the ACL packet definition to a class map
!
class-map BLOCKHTTP_CLASS
match access-list BLOCK_HTTPDOMAINS
!
! Define a class map to contain regex entries, with match any
!
class-map type regex match-any DOMAINBLOCK_LIST
match regex DOMAIN01
match regex DOMAIN02
match regex DOMAIN03
!
! New class map with nested regex class map that defines the type 'inspect'
!
class-map type inspect http match-all DOMAINBLOCK_CLASS
match request header host regex class DOMAINBLOCK_LIST
!
policy-map type inspect http HTTP_INSPECT_POLICY
match request method connect
    drop-connection log
class DOMAINBLOCK_CLASS
    reset log
!
! Nested policy maps
!
policy-map INSIDE_POLICY
class BLOCKHTTP_CLASS
    inspect http HTTP_INSPECT_POLICY
!
! Apply to either the global policy or a specific inside policy (this example)
!
service-policy INSIDE_POLICY interface INSIDE
!

Changing ISPs aka Remote Move of ASA

2010-02-19T09:48:00.002-06:00

You have a remote site that is changing ISPs perhaps it has grown and needs a bigger pipe or perhaps you are just saving money by changing carriers. Regardless of the reason there is an ASA present at that site and your users are not IT. The users can however move the Ethernet cable from provider one to provider two but you have to make changes to the ASA. The ASA however is going to need three changes in order to function with the new provider:

New IP Address / Subnet Mask on the outside interface
Removal of old default route
Addition of new default route

Faced with this challenge I figured certainly I am not the first person with remote ASAs that need to work on a new network. Hi ho hi ho off a googling I go, found nothing, so went to wikipedia, netpro, cisco wikipedia (huge disappointment) and even spoke with some fellow engineers. Had some ideas but none of them worked, at last forced with no choice I turned to the TAC.

Bad news, there is no way to accomplish this change without being on the inside of the ASA, so sayeth the TAC!

Dear Mr. Chambers can you turn a battalion of your programmers to this task? Want to know how important it is? Come lets talk someone through the above three steps….. Thank you John! I can call you John can’t I?

I am Not Unimportant Enough to have a Blog!

2010-02-19T09:47:00.000-06:00

About ten years ago, someone told me about these cell phone thingamagies people were starting to carry around. They seemed like a neat idea. One day a friend asked me when I was going to get one. “I’m not important enough for a cell phone,” I answered. Who did I need to talk to on a moment’s notice? What was I doing that was so important that it couldn’t wait for me to get to a land line? Nothing.

But now I have an iphone! At some point, cell phones became ubiquitous, a virtual necessity for daily life. I am no more important now than I was ten years ago, so I can only conclude that cell phones have become less important to match me. For all of that, I sometimes wonder how I once lived without mine.
But after a bit more thought it occurred to me: so many people are blogging these days, it has become a near-omnipresent social phenomenon. It has become unimportant, and I am just unimportant enough to be a part of it, with that said

I created this blog to help share the various special tricks, secrets, undocumented (or poorly documented), features of the Cisco ASA. This is what I will primarily be posting about but since its my blog there might be the occasional political observation and joke shared, sometimes they will be one in the same!