
Wednesday, December 22, 2021

First of all, download the EWC image from Cisco.com. Notice that even though you have a 9120 model AP, the EWC image is based on the 9800 platform.

You must also have a TFTP server up and reachable from the AP. I use the freeware TFTPd64 on my PC.

Unzip the C9100 EWC AP image bundle into the TFTP folder; you will see a readme.txt file. Open it.

When the AP is in EWC mode, you should have ap1g7 as the AP image and C9800-AP-iosxe-wlc.bin as the EWC image. Both are uploaded to the AP via TFTP to perform the conversion.

Even though it is a fresh AP, it is best practice to do a hardware reset before the conversion. Plug in the console cable, hold the reset button at the back of the AP, and apply power either through an injector or via a PoE switch.
Note that IEEE 802.3af, which can supply at most 15.4 W per port, will not be able to boot this AP. You will need at least IEEE 802.3at, which is called PoE+.
Now, on the console, log in with the default username and password (Cisco / Cisco) and the enable password Cisco, then enter the following commands:

capwap ap ip 192.168.100.101 255.255.255.0 192.168.100.254
ap-type ewc-ap tftp://192.168.10.10/ap1g7 tftp://192.168.10.10/C9800-AP-iosxe-wlc.bin

The IP 192.168.10.10 is my TFTP server.

The last command triggers a reset, and after the reboot the AP comes up with the EWC mode CLI.
You will be asked whether to enter the initial configuration wizard, as on routers; answer no.


Note that if the wizard prompt does not appear, perhaps because a previous configuration was not wiped by the reset, you will see a prompt with a hostname such as EWC> or some other hostname. If this keeps happening, just reload and configure through the wizard.

We will start by going to config mode and setting the hostname:

configure terminal
 hostname EWC

Now let's create the local user admin:

 user-name admin
  privilege 15
  password 0 Cisco123
  exit

Now specify the credentials used to log in to APs joined to this EWC:
 
ap profile default-ap-profile
  mgmtuser username admin password 0 Cisco123 secret 0 Cisco123
  exit

Now configure the management interface IP address and subnet mask:
 
interface gigabitEthernet 0
 ip address 192.168.100.100 255.255.255.0
 exit

Now configure the management default gateway IP address:
 
ip default-gateway 192.168.100.254

Now enable the web interface of the EWC:

 ip http server
 ip http secure-server

Finally, save the configuration so the above commands persist:

 end
write memory

Now, if you are in the same subnet/VLAN as the EWC, you can log in to the EWC via the browser.

You can use the user you created to log in to the GUI:

username: admin
password: Cisco123


After you log in to the EWC you will notice that no APs are joined to the controller. This is because the conversion factory-reset the AP: your EWC is now in the 192.168.100.0/24 subnet, while the AP is in the 192.168.1.0/24 default subnet.


Now log in to the AP internally from the EWC CLI using the following command:

wireless ewc-ap ap shell username admin
Use the admin password Cisco123; the enable password is also Cisco123.

If this username and password are not accepted, use the default username Cisco and password Cisco to get into the AP.

If you run show ip interface brief, you will see that the AP and the EWC are in different VLANs.
You will need to set the IP address of the AP again to match the EWC subnet:

capwap ap ip 192.168.100.101 255.255.255.0 192.168.100.254

Now the AP will register with the EWC, and anything regarding the AP can be configured easily via the GUI.

Joining Other APs to the EWC

The other APs need the correct image to join this EWC, so the following configuration must be present on the EWC to point them at the TFTP location:

wireless profile image-download default
 image-download-mode tftp
 tftp-image-server 192.168.10.10
 tftp-image-path /

On the other APs, configure the IP address and mask. The controller IP must also be configured if they sit in a different VLAN from the EWC, just like a normal lightweight AP:

capwap ap ip 192.168.100.102 255.255.255.0 192.168.100.254
capwap ap primary-base EWC 192.168.100.100
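As an added example, not part of the original post, here is a Python pre-flight check for the join problem described above: it parses the EWC management address and default gateway from the IOS-XE lines used in this post and checks each AP's capwap ap ip (and, for APs in another VLAN, capwap ap primary-base) against them. The AP console snippets are constructed; the EWC addresses are the ones from this post.

```python
import ipaddress
import re

# The EWC side, taken from the configuration in this post.
EWC_CONFIG = """\
interface gigabitEthernet 0
 ip address 192.168.100.100 255.255.255.0
 exit
ip default-gateway 192.168.100.254
"""

# Constructed AP console snippets: the converted AP still at a factory-default
# address, the AP re-addressed as in the post, and two APs in another VLAN.
AP_CONSOLES = {
    "ap-default": "capwap ap ip 192.168.1.5 255.255.255.0 192.168.1.1",
    "ap-fixed": "capwap ap ip 192.168.100.101 255.255.255.0 192.168.100.254",
    "ap-vlan200": ("capwap ap ip 192.168.200.12 255.255.255.0 192.168.200.254\n"
                   "capwap ap primary-base EWC 192.168.100.100"),
    "ap-bad-gw": ("capwap ap ip 192.168.200.13 255.255.255.0 192.168.100.254\n"
                  "capwap ap primary-base EWC 192.168.100.100"),
}


def parse_ewc(config):
    """Return (management interface, default gateway) from the EWC config text."""
    ip_m = re.search(r"^\s*ip address (\S+) (\S+)", config, re.M)
    gw_m = re.search(r"^\s*ip default-gateway (\S+)", config, re.M)
    if not ip_m or not gw_m:
        raise ValueError("EWC management IP or default gateway not found")
    mgmt = ipaddress.ip_interface(f"{ip_m.group(1)}/{ip_m.group(2)}")
    gw = ipaddress.ip_address(gw_m.group(1))
    if gw not in mgmt.network:
        raise ValueError(f"EWC gateway {gw} is outside the management subnet {mgmt.network}")
    return mgmt, gw


def check_ap(console, mgmt):
    """Return 'ok' or the reason this AP will not find the EWC at `mgmt`."""
    ip_m = re.search(r"^capwap ap ip (\S+) (\S+) (\S+)", console, re.M)
    if not ip_m:
        return "no static IP configured"
    ap = ipaddress.ip_interface(f"{ip_m.group(1)}/{ip_m.group(2)}")
    ap_gw = ipaddress.ip_address(ip_m.group(3))
    if ap_gw not in ap.network:
        return f"gateway {ap_gw} is not in the AP subnet {ap.network}"
    if ap.ip in mgmt.network:
        return "ok"  # same subnet as the EWC: local CAPWAP discovery finds it
    # Different subnet: the AP must be told the controller address explicitly.
    pb_m = re.search(r"^capwap ap primary-base \S+ (\S+)", console, re.M)
    if not pb_m:
        return f"AP is in {ap.network} but EWC is in {mgmt.network} and no primary-base is set"
    if ipaddress.ip_address(pb_m.group(1)) != mgmt.ip:
        return f"primary-base {pb_m.group(1)} does not match the EWC address {mgmt.ip}"
    return "ok"


def run_checks(config=EWC_CONFIG, consoles=AP_CONSOLES):
    """Map each AP name to its check result."""
    mgmt, _gw = parse_ewc(config)
    return {name: check_ap(text, mgmt) for name, text in consoles.items()}


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```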


Additional Notes:-

You can factory-reset the AP from the EWC CLI with the following command:
wireless ewc-ap factory-reset

You can convert the EWC back to CAPWAP mode with the following command in the AP CLI:
ap-type capwap

Saturday, December 18, 2021

The model I use is a Cisco 9120AXI-E and the IOS-XE version is 17.05.01.

First, check whether the proper license is activated on your AP.

You will need to switch the GUI to Expert mode to create VLANs; otherwise the option is not visible in the Configuration section.

Click the Settings icon ⛭ (preferences) in the GUI, select Expert mode and hit Save.


Now you will see an option to create VLANs under Configuration > Layer2.

Click on it.

Now click +Add, give the VLAN number, tick IP options, and give an IP and subnet mask to the SVI of the VLAN.

For my lab I created VLAN 10 and VLAN 20 with the following IP details:


VLAN 10 - 
SVI 192.168.10.1  mask 255.255.255.0

VLAN 20 - 
SVI 192.168.20.1  mask 255.255.255.0

Now go to Wireless Setup > Basic to create the SSIDs.

Hit +Add to create a Location.

Don't forget to enter the native VLAN ID on the General page here. In my case it is 100.

Now go to the next page, Wireless Networks, and hit +Add to create the SSIDs.

Here I created SSID-01 with VLAN 10 and the Security Method WPA2 Personal, which only needs a pre-shared key to connect.
I also created SSID-02 with VLAN 20 and the same Security Method.

Now you will need to create DHCP pools for the clients to connect.

Go to Administration > DHCP Pools and create 2 DHCP pools for the 2 VLANs.
Remember to add the Gateway and DNS IPs on the Advanced page when creating these pools.

The following was my configuration:

VLAN 10 -
NETWORK 192.168.10.0
MASK 255.255.255.0
RANGE 192.168.10.15-192.168.10.25
GATEWAY 192.168.10.254
DNS 8.8.8.8

VLAN 20 -
NETWORK 192.168.20.0
MASK 255.255.255.0
RANGE 192.168.20.15-192.168.20.25
GATEWAY 192.168.20.254
DNS 8.8.8.8

192.168.10.254 and 192.168.20.254 are on the core switch of the network.

Now the access switch port must be configured the way you would for a Flex mode AP:

interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 10,20,100
 switchport mode trunk

The native VLAN carries the management plane traffic, and all other APs in the cluster must communicate through this VLAN, which in my case is 100.

Trunking between the core and access switch must be configured correctly too.

When a client connects to SSID-01, it gets an IP from VLAN 10, its traffic is forwarded to the DHCP-assigned gateway 192.168.10.254, and the routing table of the core switch takes care of the rest.

Thursday, July 29, 2021

If you ever wanted to let someone access your VMware servers from the public internet, this post is for you.


The server sits behind the NAT interface (VMnet8) of VMware Workstation on your PC, which is the most common setup IT folks use for their testing.


The diagram on the right side explains what I did.


Here I used my home router ZTE F660 which is a fiber optic router provided by my ISP.

The server I used for this was a Windows Server with IIS service enabled.

VMware is installed on my laptop, which is connected to the home router via WiFi.

So my goal was to give my public IP to a friend so he could access my Windows IIS server through his web browser.

Port Forwarding in Router

In my ZTE, I went to Application > Port Forwarding and added a rule like the following.
It should be similar in your home router.

Notice my laptop's IP in my home LAN is 192.168.1.10. So I am forwarding traffic arriving from any WAN IP at my public IP's port 80 to my laptop's port 80.
For port forwarding I only need to take care of the LAN-side IP.

Port Forwarding in VMware Virtual Network Adaptor

Type Virtual Network Adaptor in the Windows search box and click Change the Settings.
Select VMnet8 in the list (whichever interface is your NAT interface) and click NAT Settings.
Add a port forwarding rule like the following, which forwards traffic arriving at the host (my laptop) port 80 to port 80 of the server IP (10.1.1.100).

Now the routing part is done. Additionally, you may need to turn off your laptop firewall/server firewall while your friend is accessing the server, or, better, configure a firewall rule that allows only the forwarded TCP port 80 traffic.

If your public IP is dynamic like mine and you need to give your server a stable address for a while, you may try DDNS to get a hostname.

If you are interested in learning more about it, you can go here.

Wednesday, July 28, 2021

Packet analysis is a crucial skill for application-level troubleshooting. The primary tool is Wireshark, and the following are some filter commands that often come in handy to isolate the traffic of interest.

Filtering Conditions

These are the filtering criteria that packets must match to be displayed. You just type the expression in the filter toolbar.

Logical Operators

You can type the operator's English name or use the logical symbols as in programming to combine two or more conditions into one filter; a packet is displayed when the combined expression is true.

Using the above fields, conditions and operators you can write complex expressions like the following to filter packets in a capture.

Ex:- !(ip.flags == 0x40) && ip.addr==10.227.54.142

Additional Notes:-

If you want to filter packets by a protocol name, you just need to type the protocol name:
Ex:- 'dns' will display all the DNS packets
Ex:- 'http' will display all the HTTP packets

If you want to find TCP packets with the ACK flag set, use 'tcp.flags.ack == 1'.
If you want the TCP packets whose acknowledgement number equals 1, use 'tcp.ack == 1'.

Using 'frame.len > 1514' will display the jumbo frames.
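As an added example, not from the original post, here is a small Python evaluator for the subset of Wireshark display-filter syntax used above: field comparisons, bare protocol names, !/not, &&/and, ||/or and parentheses (precedence from lowest to highest: or, and, not, comparison), run over a constructed four-frame capture so the filters in this post can be tried offline. The packet records and their field values are constructed for the demo; the filter expressions are the ones from the post.

```python
import operator
import re

# Constructed sample capture: one dict per frame keyed by Wireshark field names
# (ip.addr is a set because it covers both source and destination addresses).
SAMPLE_CAPTURE = [
    {"frame.len": 74, "dns": True, "udp": True, "ip.flags": 0x40,
     "ip.addr": {"10.227.54.142", "8.8.8.8"}},
    {"frame.len": 1514, "http": True, "tcp": True, "ip.flags": 0x40,
     "ip.addr": {"10.227.54.142", "93.184.216.34"}, "tcp.flags.ack": 1, "tcp.ack": 1},
    {"frame.len": 9000, "tcp": True, "ip.flags": 0x00,
     "ip.addr": {"10.227.54.142", "10.0.0.9"}, "tcp.flags.ack": 1, "tcp.ack": 4711},
    {"frame.len": 60, "arp": True},  # no IP layer at all
]

OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}
TOKEN_RE = re.compile(r"\s*(\(|\)|&&|\|\||==|!=|>=|<=|>|<|!|[\w.]+)")  # longest match first

def compare(pkt, field, op, literal):
    """Absent field is False; a multi-valued field matches if any occurrence does."""
    if field not in pkt:
        return False
    if re.fullmatch(r"0x[0-9a-fA-F]+|\d+", literal):  # hex such as 0x40, or decimal
        literal = int(literal, 16) if literal.startswith("0x") else int(literal)
    values = pkt[field] if isinstance(pkt[field], set) else {pkt[field]}
    return any(OPS[op](v, literal) for v in values)

class Filter:
    def __init__(self, expr):
        self.toks, self.pos = TOKEN_RE.findall(expr), 0
        self.match = self._or()  # compiled predicate: packet dict -> bool
        if self.pos != len(self.toks):
            raise ValueError(f"could not parse filter near {self.toks[self.pos]!r}")

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        if self._peek() is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return self.toks[self.pos - 1]

    def _binary(self, operand, words, combine):
        left = operand()
        while self._peek() in words:
            self._next()
            left = combine(left, operand())
        return left

    def _or(self):
        return self._binary(self._and, ("||", "or"), lambda l, r: lambda p: l(p) or r(p))

    def _and(self):
        return self._binary(self._primary, ("&&", "and"), lambda l, r: lambda p: l(p) and r(p))

    def _primary(self):
        tok = self._next()
        if tok in ("!", "not"):
            inner = self._primary()
            return lambda p: not inner(p)
        if tok == "(":
            inner = self._or()
            if self._next() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if self._peek() in OPS:  # field <op> literal
            op, literal = self._next(), self._next()
            return lambda p: compare(p, tok, op, literal)
        return lambda p: bool(p.get(tok))  # bare name such as 'dns': protocol present

def apply_filter(expr, capture=SAMPLE_CAPTURE):
    matcher = Filter(expr).match
    return [i for i, pkt in enumerate(capture) if matcher(pkt)]  # 0-based frame numbers
```

With this capture, apply_filter("!(ip.flags == 0x40) && ip.addr==10.227.54.142") returns [2], the only frame carrying 10.227.54.142 with the flag byte clear.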

Wednesday, June 23, 2021

Now I am going to use my own Root CA to sign a CSR that I got from a Cisco ISE server. My Root CA runs on Windows Server 2016, as you can see in the following post:

Create Your Own Root CA (Certificate Authority) Server

This comes in handy when you need free certificates for labs etc. OK, let's start.

I go to http://10.1.1.150/certsrv and click Request a certificate.

Click advanced certificate request on the next page.

Now open the certificate request .pem file in Notepad, copy its content, paste it into the dialog box, set the Certificate Template to Web Server and click Submit.

Now select Base 64 encoded and click Download certificate on the next page to download the signed certificate.


Sunday, June 20, 2021

This post is just about the Windows Server CA service configuration. It helped me practice certificate-related configuration on firewalls etc. Windows folks know this, but to help networking folks carry out their labs, I am sharing what I did to create my CA server.

I am using Windows Server 2016.

Go to Server Manager > Manage > Add Roles & Features

Hit Next, Next, Next until you get to Server Roles.

Tick Active Directory Certificate Services

Again hit Next, Next, Next until the following selection page and tick the following four items as I have done.

Then again Next, Next, Next and Install.

Once the installation finishes, you can see the following blue highlighted line (Configure Active Directory Certificate Services on the destination server) in the results.

Hit Next on the credentials window, select only the following 2 items and hit Next.
(The last 2 items must also be configured, but because they rely on the first 2 items, only these are selected for now.)

I selected Enterprise CA on the next window, and Root CA on the window after that.


I selected Create a new private key on the next window and SHA256 on the Cryptography window (most newer servers prefer this).


I renamed the CA to WIN-CA just because it is easy to remember, and didn't change the other defaults on the following window.

Now I hit Next, Next, Next without changing anything until I reached the Configure button on the Confirmation page.

After the configuration succeeds it asks "Do you want to configure additional role services?" This is just asking whether you want to configure the 2 items we skipped on the Role Services window.

Hit Yes.

Hit Next on the credentials window, select the remaining 2 items and hit Next.

I selected CA name on the next page and hit Next, selected Windows Integrated Authentication on the next window and hit Next again, and selected Use the built-in application pool identity on the Service Account for CES window.

Again I selected Windows Integrated Authentication on the next window and hit Next.

Select the certificate we just created on the next window by clicking on it and hit Next.

The next window will configure them all.

Now the CA services configuration is complete.

From a web browser, go to http://ip-address/certsrv using the IP address of the server.

You will be asked for credentials; I used the administrator credentials.

Now here we can download the CA certificate from the last link.

Click on it and select Base 64 and click on Download CA Certificate on the next page.


On the right side of the screenshot I have pasted the CA certificate from the CA server I created.

Tuesday, June 8, 2021

There are many policies we hear about when dealing with Cisco FMC, which makes it confusing where to find them and where to apply them. In this post, I'm going to make a brief note on all of them and their interrelationships.


Policies are reusable sets of rules/conditions. The different kinds of policies in FMC are Access Control Policy, Intrusion Policy, Malware & File Policy, DNS Policy, Identity Policy, SSL Policy, Prefilter Policy, Network Analysis Policy, Network Discovery Policy, NAT Policy, QoS Policy, Settings Policy, Correlation Policy and Health Policy. 😵 I think I named them all.


The following are short descriptions of the above policies.


Access Control Policy - Of all the above, the Access Control Policy (ACP) is the main type of policy, into which most of the other policies are packaged.


One FTD can only have one Access Control Policy.


Access Control Policy rules have the legacy firewall rule functionality plus next-generation features, which are defined in most of the other policy types.


Intrusion Policy - This defines a set of intrusion detection and prevention configurations that inspect traffic for security violations and, in inline deployments, can block or alter malicious traffic.

Malware & File Policy - This is a set of configurations that the system uses to perform malware protection and file control, as part of your overall access control configuration.

DNS Policy - DNS-based Security Intelligence allows you to whitelist or blacklist traffic based on the domain name requested by a client.

Identity Policy - Identity policies contain identity rules. Identity rules associate sets of traffic with a realm and an authentication method: passive authentication, active authentication, or no authentication.
This is a requirement when we plan to use users or groups in our Access Control Policy.

SSL Policy - An SSL policy determines how the system handles encrypted SSL traffic (HTTPS etc.) on your network.

Prefilter Policy - This is basically for dropping unwanted traffic before it even goes through the FTD's inspection, or for letting traffic bypass the firewall inspections entirely.

Network Analysis Policy - These hold the traffic preprocessing options. Cisco says that network analysis-related preprocessing occurs after Security Intelligence blacklisting and SSL decryption, but before intrusion or file inspection begins.


Network Discovery Policy - This identifies what is attached to the network.
It is used to build host profiles of devices, including information like OS, services, web apps, protocols, users, IOC tags, VLAN tags, malware events, vulnerabilities, scan results, hostname, MAC address and much more.


NAT Policy - This is where you configure the Network Address Translation settings of an FTD.


QoS Policy - This is where you configure the QoS settings of an FTD.


Settings Policy - This is where you configure the basic settings of an FTD, like ARP Inspection, Banner etc.


Correlation Policy - This is basically the If This --> Then That functionality of the FMC. It can be used to respond in real time to threats, specific event types, specific hosts, specific users or network traffic conditions.


Health Policy - This monitors the overall functionality and performance of the whole Firepower system, so this policy can apply both to the FMC itself and to FTDs.


Now let's look at the interrelationships of the above policies.


When you click the Policies tab, the first menu is Access Control and the default selection is the Access Control menu item. In line with Access Control, you can see Network Discovery and Correlation. Those 2 are also types of policies you can configure in FMC, and they are for the FMC itself.

"For the FMC itself" means the policies are used by the FMC, not deployed to FTDs.


The items you can see in the Access Control drop-down are the policies that can be attached to Access Control Policies or to Access Control Policy rules.

The following is an example of the Access Control page where the ACPs are listed.

Here you can see that there are 4 Access Control Policies created on the FMC, and that ACPs can be configured hierarchically. Also notice the circled tab, which is the place to create Network Analysis Policies.

Let's go inside the ACP.

The shield icon is for the IPS (Intrusion) Policy and the file icon is for the Malware & File Policy. So you can see that they are attached to Rule 01, but the Prefilter, SSL and Identity Policies are attached to the whole Access Control Policy, not to a particular Access Control Rule.

If you go to Edit rule (via the pencil icon) you will find the places to add the IPS and Malware & File Policies.

You can see the place to attach the DNS Policy under the Security Intelligence tab of the ACP.

In the Advanced tab, you can see the place to bind the Network Analysis Policy.

You can find the Settings Policy under Devices > Platform Settings.
The following are the things you can change in it.

The Health Policy is a bit different from the other policies because it can be used to monitor both the FMC and FTDs. You can find it under System > Health > Policy and assign it to a device by clicking the icon in front of the policy. You can also do the same thing via Devices > choose the device, then click Device; there you will see the applied Health Policy.

Summary

Monday, May 24, 2021

You can use various methods to check the open ports of a server. Old-school Telnet is the command prompt tool you can easily use against a single target host.


Telnet


Let's say I need to know whether HTTPS (TCP port 443) is available at facebook.com.

The command would be:

telnet facebook.com 443


If it is open, it will print Connecting... and then the screen will go totally blank.

To quit the connection, hit Ctrl + ] and type quit.

Now let's try the same thing from the Cisco CLI:

To quit the session, hit Ctrl + Shift + 6, release, and press X.

It will go back to the Cisco CLI but will not really disconnect the session; if you hit Enter it will resume the session. So you need to type disconnect and hit Enter.

TCPING


TCPING is a small Windows command prompt tool I use which does basically the same thing in a different way. You can download it from its official site:

https://www.elifulkerson.com/projects/tcping.php

I have unzipped the folder and pasted the contents into the System32 folder.

It is simple: the command tcping facebook.com 443 will show replies if the port is open.
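As an added example, not from the original post, here is the TCP connect probe that telnet and tcping perform, written in Python with a timeout so a port that silently drops the SYN reports 'filtered' instead of hanging on Connecting.... The loopback demo (a listening socket beside a just-released port) is constructed so it runs offline; the facebook.com:443 call mirrors the post's example.

```python
import socket
from contextlib import closing


def check_tcp_port(host, port, timeout=3.0):
    """Probe host:port with a real TCP handshake and classify the outcome.

    open        - handshake completed, something is listening
    closed      - the host answered with RST, nothing listens there
    filtered    - no SYN-ACK and no RST before the timeout (dropped, or host down)
    unresolved  - the name did not resolve
    """
    try:
        family, _, _, _, sockaddr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "unresolved"
    with closing(socket.socket(family, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)  # telnet would sit on "Connecting..."; we give up instead
        try:
            sock.connect(sockaddr)
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError as exc:  # e.g. no route to host
            return f"error: {exc.strerror}"
    return "open"


def demo_local():
    """Constructed offline demo on loopback: one port with a listener, one just released."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens on this ephemeral port any more
    try:
        return {"listening": check_tcp_port("127.0.0.1", open_port, 1.0),
                "released": check_tcp_port("127.0.0.1", closed_port, 1.0)}
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo_local())
    print("facebook.com:443 ->", check_tcp_port("facebook.com", 443))
```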

Scanners


If you need to scan an entire network/subnet for open ports, you should use a network scanner. There are plenty of them and they are very easy to use. One I use on Windows is Advanced IP Scanner.

ASA firewalls do not allow ICMP traffic to pass through their interfaces by default. For real deployments that is better from a security standpoint, but for lab purposes and to verify implementations you will need the firewall to allow it.

Why is ICMP blocked by the ASA?

The short answer is that it is not in the default list of stateful inspection protocols.


You can see the default inspection protocol list in the screenshot.

You could instead configure access-control rules on both the source and destination interfaces, but that bypasses the stateful firewall functionality: the firewall should remember the legitimate outbound ICMP traffic and allow only the matching return traffic to pass through.

So you will need to add ICMP to the default inspection class of the global policy, which is under Service Policies.

Doing it in the CLI is simple:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
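As an added example, not from the original post, here is a Python model of the difference between a plain ICMP permit and stateful inspection: outbound echo requests create a session entry, an inbound echo reply is permitted only if it matches a pending entry (and only once), and Destination Unreachable / Time Exceeded messages are permitted only when they quote a tracked request. It is a simplified model of what inspect icmp and inspect icmp error give you, not ASA code; the inside network and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ECHO_REPLY, UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11


@dataclass(frozen=True)
class Icmp:
    """Constructed, simplified ICMP packet: just the fields the inspector needs."""
    src: str
    dst: str
    type: int
    ident: int = 0
    seq: int = 0
    quoted: Optional[Tuple[str, str, int, int]] = None  # (src, dst, id, seq) an error message quotes


class IcmpInspector:
    """Stateful echo tracking for an inside network, in the spirit of 'inspect icmp'."""

    def __init__(self, inside):
        self.inside = ipaddress.ip_network(inside)
        self.pending = set()  # (inside_host, outside_host, id, seq) waiting for a reply

    def _is_inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def process(self, pkt):
        """Apply one packet to the state table; return 'permit' or 'drop'."""
        if pkt.type == ECHO_REQUEST and self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))  # outbound: open a session
            return "permit"
        if pkt.type == ECHO_REPLY and not self._is_inside(pkt.src):
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self.pending:
                self.pending.discard(key)  # one reply closes the session, so a replayed reply is dropped
                return "permit"
            return "drop"  # unsolicited or duplicate reply
        if pkt.type in (UNREACHABLE, TIME_EXCEEDED) and not self._is_inside(pkt.src):
            # An error is related traffic if it quotes a request we saw leave; the session stays open.
            return "permit" if pkt.quoted in self.pending else "drop"
        return "drop"  # inbound echo requests and anything else from outside stay blocked


def acl_only(pkt):
    """What a plain 'permit icmp any any' on the outside interface does: everything inbound gets in."""
    return "permit"


# Constructed sample flow: a legitimate ping exchange, a replayed reply, an unsolicited
# reply, an inbound ping from the internet, and a Time Exceeded related to a second ping.
SAMPLE_FLOW = [
    Icmp("10.1.1.100", "8.8.8.8", ECHO_REQUEST, ident=7, seq=1),
    Icmp("8.8.8.8", "10.1.1.100", ECHO_REPLY, ident=7, seq=1),
    Icmp("8.8.8.8", "10.1.1.100", ECHO_REPLY, ident=7, seq=1),
    Icmp("8.8.8.8", "10.1.1.100", ECHO_REPLY, ident=9, seq=1),
    Icmp("203.0.113.9", "10.1.1.100", ECHO_REQUEST, ident=1, seq=1),
    Icmp("10.1.1.100", "8.8.4.4", ECHO_REQUEST, ident=7, seq=2),
    Icmp("192.0.2.1", "10.1.1.100", TIME_EXCEEDED, quoted=("10.1.1.100", "8.8.4.4", 7, 2)),
]


def run_demo(flow=SAMPLE_FLOW):
    """Verdicts with inspection versus with an ACL alone, for each packet in order."""
    fw = IcmpInspector("10.1.1.0/24")
    return {"inspected": [fw.process(p) for p in flow], "acl_only": [acl_only(p) for p in flow]}


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(name, verdicts)
```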

Make ASA Visible in Traceroutes

By default the ASA is not visible in traceroutes because it does not decrement the TTL. To make it visible in a traceroute, add the following configuration to the default class in the global policy:

policy-map global_policy
 class class-default
  set connection decrement-ttl

Sunday, May 23, 2021

Last month I documented a practical on some basic understanding of the ASA engine and the Firepower engine of Cisco FTD.


You can go through it here. Anyhow, I believe one more dedicated post is needed to show how we can move back and forth between the 3 CLIs.

The 3 CLIs in Cisco FTD are:


1. Converged FTD CLISH (Command Line Interface Shell)
2. Firepower Linux CLI (Snort CLI)
3. LINA (Linux on ASA)

Converged FTD CLISH inherits some Firepower Linux management plane commands and most of the data plane related Cisco ASA commands.

The Firepower Linux CLI is plain Linux access to the Firepower engine. You will need this to view the management plane routing toward the Cisco FMC.

LINA is just the classic Cisco ASA privileged-level commands without config mode. This is where the data plane routing lives.

Let's start exploring the commands and finally summarize with a diagram.

When you SSH to the FTD, you initially land in the Converged FTD CLISH CLI, in the user mode of the account you logged in with.

It shows just a ' > ' prompt, which indicates the very basic mode of operation in the CLISH CLI.

If you want to go to the LINA CLI from here, enter the following command:
system support diagnostic-cli

Now you can go to privileged mode with the enable command, just like in the classic ASA CLI.

If you want to jump back to CLISH mode from here, you can use a key sequence:
Ctrl + A, then release the keys and press D.

Or you can just type exit twice in the LINA CLI to log off and detach from it, which leads back to the CLISH CLI.

If you want to go to the Firepower Linux shell from here, enter expert and proceed. This is also called expert mode, which is advanced Linux access.
To become root, enter sudo su and the password, just like in other Linux distros.

You can go to the LINA CLI from here just by entering the following command:
sfconsole

If you enter the Ctrl + A then D sequence now, it leads you to the Firepower Linux CLI, because that is where you were before switching to LINA.

You can also type lina_cli to go to the LINA CLI, but this command is deprecated in newer FTDs.

You can also type clish to go back to the CLISH CLI from root. But keep in mind that this mode is pretty limited (more limited than the default converged CLISH CLI of user mode): you will see that you can't even enter the system support diagnostic-cli command from here.

If you exit from here now, it goes back to root's expert-mode shell, where you were before.

The following is a summary of the modes and commands for quick reference.

CLISH (user mode, prompt >) -> LINA: system support diagnostic-cli, then enable for privileged mode
LINA -> CLISH: Ctrl + A, then D (or exit twice)
CLISH -> Firepower Linux (expert mode): expert, then sudo su for root
Firepower Linux -> LINA: sfconsole (lina_cli also works but is deprecated)
LINA -> Firepower Linux: Ctrl + A, then D (you return to wherever you came from)
Firepower Linux (root) -> limited CLISH: clish; exit returns to the root shell
Note:-

There is another CLI you will rarely meet on FTDs. It is on Firepower appliances and is called FXOS. It looks just like LINA, so you may get confused just by seeing it. To go to service module 1, where the FTD software (Converged CLISH) is installed, type the following command:

FXOS# connect module 1 console

It takes you to the following-looking CLI, which is the service module. Enter the following command to go to the FTD software (the Converged CLISH we know):

Firepower-Module1> connect ftd

Now you are in the FTD software and everything discussed above works.
If you want to go back to the service module or FXOS, just type exit.