I generally don't write documents, but in this case, all of a sudden I thought the world would be better off with more accurate instructions. Since I wanted to add more screenshots, I thought of writing a document instead of feedback. But, as you suggested, I will definitely give feedback too.
You were almost accurate, but you seem to have missed out on how to format the payload.txt. It took me several hours of troubleshooting to understand that the protocol and IP are not needed in the payload.txt, while in your document the example explicitly indicated that the APIC IP and protocol are needed.
I also understand that it is only practically possible to do this programmatically. In fact, I had shared your document with my dev team and they came back saying they were facing an error. Then, to troubleshoot, I started doing a dry run.
I am glad you took the time to respond; it's not always that the author of a Cisco document responds!!
Cisco documents are usually accurate, but when it came to the document on Cisco APIC Signature-Based Transactions it was slightly off the mark. This document is for those novices to APIs, like me, who can't seem to figure out how to go about performing signature-based transactions on APIC.
1. Generate an RSA private key and create an X.509 certificate
openssl req -new -newkey rsa:1024 -days 36500 -nodes -x509 -keyout userabc.key -out userabc.crt -subj '/CN=User ABC/O=Cisco Systems/C=US'
The above command should create two files: a private key, userabc.key, and an X.509 certificate, userabc.crt.
2. Display the created certificate in PEM format
openssl x509 -text -in userabc.crt
3. Copy the certificate (copy the contents starting from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----)
4. Configure a local user with admin access to all domains using the APIC GUI under Admin -> Security Management -> Local Users
5. Add a user certificate under the created local user, in our case "userabc". Certificate Name: userabc.txt, and paste the content copied in step 3
6. Once you have configured it, double-click the user, then double-click the imported user certificate. You can download the configuration as an XML file.
Inside the XML file you can find the DN of the user certificate.
Your XML file should look like the one below; from there you can extract the DN (the dn attribute of the aaaUserCert object).
<?xml version="1.0" encoding="UTF-8"?><imdata totalCount="1"><aaaUserCert certificateDecodeInformation="Verified x509 Certificate, format: PEM, size 813 bytes, fingerprint 4a:68:56:53:18:64:f2:03:f1:ae:6a:32:df:71:b6:68:43:ab:b3:6d, notBefore=Nov 30 10:46:31 2017 GMT
, notAfter=Nov 30 10:46:31 2018 GMT
" childAction="" data="-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----" descr="" dn="uni/userext/user-userabc/usercert-userabc.crt" fingerprint="4a:68:56:53:18:64:f2:03:f1:ae:6a:32:df:71:b6:68:43:ab:b3:6d" lcOwn="local" modTs="2017-11-30T09:18:00.281+05:30" name="cnseg.crt" nameAlias="" ownerKey="" ownerTag="" publicKey="-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
" status="" uid="15374"/></imdata>
With this, you are now ready to start generating signatures for API calls.
1. The first step is to determine the content format of your payload.txt. Your payload must not contain the protocol, IP or hostname. For example, if you want to make the REST API call below,
then your payload.txt should contain only the line below.
2. Now that you have created payload.txt, the next step is to generate a signature. Use the openssl commands below to create the signature in base64 format:
openssl dgst -sha256 -sign userabc.key payload.txt > payload_sig.bin
openssl base64 -A -in payload_sig.bin -out payload_sig.base64
3. Now go to Postman.
Choose method GET, type the full URL of the REST API call, and then click on Cookies.
4. Now you have to add the 4 cookies.
5. Now click Send!! You should get a 200 OK and the list of all tenants.
Note: The Cisco document skips the base64 conversion and also forgets to mention the exact format of the payload.
Hope this document has helped you.
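The procedure above, scripted end to end, as an added example that is not code from the original post or from Cisco. It builds the string APIC signs (HTTP method immediately followed by the request URI, with no scheme, host or port; for POST/DELETE the body is appended), signs it exactly as the openssl commands above do, verifies the signature locally against the uploaded certificate before anything is sent, and composes the four cookies using the names from Cisco's APIC REST API documentation. Assumed, because the post's screenshots are not reproduced here: the request path /api/class/fvTenant.json (the "list all tenants" call), an APIC hostname of apic.example.net, and the DN taken from the XML above.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): script the payload, signing
# and cookie steps, and verify the signature locally before sending it.
# Assumes openssl is on PATH. Request path, APIC host and DN are illustrative.
set -eu

# The string APIC signs is the HTTP method immediately followed by the request
# URI (everything after host:port). Nothing else goes in front of it. For
# POST/DELETE the JSON/XML body is appended after the URI.
# printf '%s' is used on purpose: echo would add a trailing newline, and APIC
# hashes exactly method+URI, so the extra byte would produce a signature
# over different bytes.
apic_payload() {
  method="$1"; uri="$2"; body="${3:-}"
  printf '%s%s%s' "$method" "$uri" "$body"
}

# Sign the payload on stdin with the RSA private key: SHA-256, PKCS#1 v1.5
# (what "openssl dgst -sha256 -sign" produces), base64 on a single line (-A)
# so it can be pasted into one cookie value.
apic_sign() {
  key="$1"
  openssl dgst -sha256 -sign "$key" | openssl base64 -A
}

# Local check: verify a base64 signature against the public key inside the
# certificate uploaded to APIC. Payload on stdin. Returns 0 if it verifies.
apic_verify() {
  crt="$1"; sig_b64="$2"; rc=0
  pub=$(mktemp)
  sig=$(mktemp)
  openssl x509 -in "$crt" -pubkey -noout > "$pub"
  printf '%s' "$sig_b64" | openssl base64 -d -A > "$sig"
  openssl dgst -sha256 -verify "$pub" -signature "$sig" >/dev/null 2>&1 || rc=$?
  rm -f "$pub" "$sig"
  return "$rc"
}

# Compose the four cookies APIC expects (names per Cisco's documentation).
# The DN is the dn= attribute of the aaaUserCert object in the exported XML;
# the fingerprint cookie carries the literal word "fingerprint".
apic_cookie_header() {
  dn="$1"; sig_b64="$2"
  printf 'APIC-Request-Signature=%s; APIC-Certificate-Algorithm=v1.0; APIC-Certificate-Fingerprint=fingerprint; APIC-Certificate-DN=%s' \
    "$sig_b64" "$dn"
}

# Full flow for the GET from the post. Scheme and host appear only in the URL
# curl connects to, never in the signed string.
apic_get() {
  apic="$1"; key="$2"; crt="$3"; dn="$4"; uri="$5"
  sig=$(apic_payload GET "$uri" | apic_sign "$key")
  apic_payload GET "$uri" | apic_verify "$crt" "$sig" \
    || { echo "local signature verification failed" >&2; return 1; }
  curl -sk -X GET -H "Cookie: $(apic_cookie_header "$dn" "$sig")" "https://${apic}${uri}"
}

# Example invocation (needs a reachable APIC), with the DN from the XML above:
# apic_get apic.example.net userabc.key userabc.crt \
#   uni/userext/user-userabc/usercert-userabc.crt /api/class/fvTenant.json
```

If the local verify step fails, the key and the uploaded certificate do not belong together, so fix that before blaming the cookie format. If it passes and APIC still returns 403, the signed string is the usual culprit: a trailing newline from echo, the scheme or host left in front of the URI, or a method in the wrong case. Note also that the post generates a 1024-bit key; that is below the 2048-bit minimum practitioners use today, and nothing in the procedure depends on the smaller size.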
I have a production scenario where I need to implement twice NAT in my ASA (8.2(5)). I cannot upgrade this firewall as of now. The topology goes like this:

(172.16.0.0/12)SPOKE---->(OUTSIDE)ASA(INTERNAL)---->3rdPARTY FW(172.23.102.92)

1. Requirement is, the Spoke location users should access webserver 172.23.102.92 via IP 172.25.1.42 (this IP is advertised over the WAN).
2. Now my 3rd party wants to NAT my source traffic (172.16.0.0/12) to 10.100.43.0/24 and send it.

I have done the following config and it's not working.
================================
access-list SPOKE-NAT extended permit ip 172.16.0.0 255.240.0.0 host 172.25.1.42
nat (OUTSIDE) 2 access-list SPOKE-NAT
global (INTERNAL) 2 10.100.43.0 netmask 255.255.255.0
access-list P3NAT permit ip host 172.23.102.92 10.100.43.0 255.255.255.0
static (INTERNAL,OUTSIDE) 172.25.1.42 access-list P3NAT
================================
Upon using Packet Tracer, it says "translating to dynamic pool 2 (no matching global)"
I came up against a requirement where I am going to pull down my website. I want to display an HTML page saying "Website is down" via the ACE. I want to know whether it is possible that when people hit the VIP they get this message.
This is my scenario. Software version 7.2(1). I have enabled VPN on the outside interface. The IPsec client pool is in the range 192.168.98.150-192.168.98.175. Enabled "icmp any any" access on both the outside interface and the inside interface. ICMP & ICMP error inspection is enabled. Nat-control is disabled. The clients are unable to ping any IP in the "inside" LAN, but at the same time they are able to access the devices in the local LAN using HTTP, HTTPS, SSH & Telnet.

CASE 1:
access-list NONAT extended permit ip any 192.168.98.0 255.255.255.0
nat (inside) 0 access-list NONAT
I get the following log: "portmap translation creation failed for icmp src outside"

CASE 2:
If I add a
static (outside,inside) 192.168.98.0 192.168.98.0 netmask 255.255.255.0
I am able to ping and the problem is resolved.

Could anyone please explain this behaviour to me? Why does ICMP alone need a NAT when TCP & UDP traffic works just fine? Why a portmap translation error? Why not dynamic identity NAT?
How do I modify the connection timeout for RA VPN? My connections are getting dropped after 60 minutes. I am using a RADIUS server. The following is my group-policy configuration and logs.

group-policy CLOUD-MGMT attributes
 dns-server value 220.127.116.11 18.104.22.168
 vpn-idle-timeout 35791394
 vpn-session-timeout 35791394
 password-storage enable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CLOUD-INFRA

Username     :
Index        : 1
Assigned IP  : 192.168.98.117
Public IP    : 22.214.171.124
Protocol     : IPSecOverUDP
Encryption   : 3DES
Hashing      : MD5
Bytes Tx     : 2695361
Bytes Rx     : 71692
Client Type  : WinNT
Client Ver   : 4.8.01.0300
Group Policy : CLOUD-MGMT
Tunnel Group : cloud-infra
Login Time   : 19:43:14 IST Thu Nov 22 2012
Duration     : 0h:32m:08s
Filter Name  :
NAC Result   : N/A
Posture Token:

IKE Sessions: 1
IPSecOverUDP Sessions: 1

IKE:
  Session ID   : 1
  UDP Src Port : 500
  UDP Dst Port : 500
  IKE Neg Mode : Aggressive
  Auth Mode    : preSharedKeys
  Encryption   : 3DES
  Hashing      : MD5
  Rekey Int (T): 86400 Seconds
  Rekey Left(T): 84472 Seconds
  D/H Group    : 2

IPSecOverUDP:
  Session ID   : 2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 192.168.98.117/255.255.255.255/0/0
  Encryption   : 3DES
  Hashing      : MD5
  Encapsulation: Tunnel
  UDP Dst Port : 10000
  Rekey Int (T): 28800 Seconds
  Rekey Left(T): 26870 Seconds
  Idle Time Out: 715827 Minutes
  Idle TO Left : 715828 Minutes
  Conn Time Out: 60 Minutes
  Conn TO Left : 28 Minutes
  Bytes Tx     : 2695361
  Bytes Rx     : 71692
  Pkts Tx      : 2498
  Pkts Rx      : 1684

Any help is appreciated.