https://blog.webernetz.net/2014/01/28/ipsec-site-to-site-vpn-juniper-screenos-cisco-asa/
Tuesday, 17 January 2017
Tuesday, 10 January 2017
3com / hp switch commands
Find what port a mac address is learned on
display mac-address 0860-6EE5-DFBD
Show all mac addresses learned on a port
display mac-address interface GigabitEthernet 1/0/9
Show connected switches (like show cdp neighbors on Cisco). NDP is HP's own discovery protocol, so for other vendors' gear look at LLDP instead
display ndp
display ndp interface GigabitEthernet 1/0/9
display lldp neighbor-information
Disable paging (5500). The vty version is permanent for remote sessions; screen-length disable in user view only affects the current session
user-interface vty 0 4
screen-length 0
Display what interfaces are up/down
display brief interface (display interface brief on newer Comware releases)
Show the IP address on the VLAN interfaces
display ip interface brief
Create SVI interface (the VLAN must already exist: vlan 10 in system view; addresses below are examples)
interface vlan-interface 10
ip address 192.168.10.1 255.255.255.0
Create loopback interface
interface loopback 1
ip address 10.255.255.1 255.255.255.255
Show running config
display current-configuration
Enable mode
system-view (sometimes you need to type super first)
Show stp status
display stp brief
Show saved config (in case of switch reboot with blank cfg)
display saved-config
display startup
List files on disk
dir (from user view, i.e. before system-view)
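The lookups at the top of the post (which port a MAC is learned on, which MACs sit behind one port) are easy to script once you have the output of display mac-address saved to a file. The following is an added example, not from the original post: it normalises a MAC written in any common notation (Windows colons, Cisco dots, dashes) into the Comware hhhh-hhhh-hhhh form and searches a table. The table below is constructed to resemble Comware 5 display mac-address output; the exact column layout is an assumption, so the parser splits on whitespace rather than fixed offsets.

```python
"""Find the switch port a MAC is learned on from 'display mac-address' output.

Added example, not from the original post. SAMPLE_MAC_TABLE is constructed
to look like HP/3Com Comware 5 output; the column layout is an assumption.
"""
import re
from typing import Dict, List, Optional

# Constructed sample output (not captured from a real switch).
SAMPLE_MAC_TABLE = """\
MAC ADDR        VLAN ID  STATE          PORT INDEX               AGING TIME(s)
0860-6ee5-dfbd  10       Learned        GigabitEthernet1/0/9     AGING
001b-2145-00aa  10       Learned        GigabitEthernet1/0/9     AGING
0050-56ab-1234  20       Learned        Bridge-Aggregation1      AGING
0000-5e00-0101  99       Config static  GigabitEthernet1/0/24    NOAGED

---  4 mac address(es) found  ---
"""

COMWARE_MAC = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")


def to_comware_mac(mac: str) -> str:
    """Normalise 08:60:6E:E5:DF:BD / 0860.6ee5.dfbd / 08-60-... to 0860-6ee5-dfbd."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def parse_mac_table(output: str) -> List[Dict[str, object]]:
    """Return one dict per table row: mac, vlan, state, port."""
    entries = []
    for line in output.splitlines():
        fields = line.split()
        # Header, footer and blank lines do not start with a MAC.
        if not fields or not COMWARE_MAC.match(fields[0]):
            continue
        # STATE may be one or two words ("Learned", "Config static"), so take
        # the port as the second-to-last field and the aging flag as the last.
        entries.append({
            "mac": fields[0],
            "vlan": int(fields[1]),
            "state": " ".join(fields[2:-2]),
            "port": fields[-2],
        })
    return entries


def find_port(mac: str, output: str = SAMPLE_MAC_TABLE) -> Optional[Dict[str, object]]:
    """Entry for a MAC given in any notation, or None if the switch has not learned it."""
    wanted = to_comware_mac(mac)
    for entry in parse_mac_table(output):
        if entry["mac"] == wanted:
            return entry
    return None


def macs_on_port(port: str, output: str = SAMPLE_MAC_TABLE) -> List[str]:
    """All MACs learned on one port; several usually means a switch, AP or hypervisor behind it."""
    return [str(e["mac"]) for e in parse_mac_table(output) if e["port"] == port]


if __name__ == "__main__":
    print(find_port("08:60:6E:E5:DF:BD"))
    print(macs_on_port("GigabitEthernet1/0/9"))
```

The MAC normalisation is the part people get wrong when chasing a host from a Windows or DHCP log onto an HP switch; the state column is kept because a "Config static" entry means someone pinned that MAC deliberately, which is worth knowing during an investigation.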
Friday, 6 January 2017
setting up packet captures on the cisco ASA
capture capin interface inside match ip host 192.168.1.50 host 200.100.100.100 circular-buffer
This captures traffic in both directions between the two hosts; the match is applied to source and destination. Add buffer <bytes> if the default buffer fills too quickly.
circular-buffer means the oldest packets are overwritten when the buffer is full. Otherwise it fills up and the capture stops.
show capture capin shows what has been collected so far, clear capture capin empties the buffer without removing the capture, and no capture capin removes it when you are done.
To capture every packet the accelerated security path drops, of any type:
capture asp-drop type asp-drop all
show capture asp-drop
You can also run show asp drop twice a little apart and check whether a particular drop counter is increasing.
The capture can be viewed or downloaded as a pcap straight from the ASA over https (the path uses the capture name):
https://100.100.100.200/capture/my-cap-name/pcap
To save the capture to flash:
copy /pcap capture:capin disk0:capin.pcap
Then copy the file off with the CLI (scp/tftp) or the ASDM file transfer tool.
ASDM can also be set to open the capture directly in Wireshark.
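The "is it increasing" check on show asp drop is easier with two saved snapshots and a diff, because a busy ASA has dozens of counters and most are static. The following is an added example, not from the original post: it parses two snapshots, reports the counters that moved, and prints the matching asp-drop capture command for each. Both snapshots are constructed to resemble show asp drop output (indented "description (reason) count" lines under the Frame drop / Flow drop headings); the exact description text is an assumption, only the reason token in parentheses and the trailing count are relied on.

```python
"""Compare two 'show asp drop' snapshots to see which drop counters are moving.

Added example, not from the original post. The snapshots are constructed to
look like ASA 'show asp drop' output; the description wording is an assumption.
"""
import re
from typing import Dict, List, Tuple

# Constructed snapshots, as if taken a minute apart (not from a real ASA).
SNAPSHOT_1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                        1520
  First TCP packet not SYN (tcp-not-syn)                                42
  No valid adjacency (no-adjacency)                                      3

Flow drop:
  NAT failed (nat-failed)                                                7

Last clearing: Never
"""

SNAPSHOT_2 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                        1520
  First TCP packet not SYN (tcp-not-syn)                               118
  No valid adjacency (no-adjacency)                                      3

Flow drop:
  NAT failed (nat-failed)                                               31

Last clearing: Never
"""

# "  <description> (<reason>)   <count>"; headings and the clearing line are
# not indented, so they never match.
DROP_LINE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(output: str) -> Dict[str, int]:
    """Map each drop reason (the token in parentheses) to its counter."""
    counters: Dict[str, int] = {}
    for line in output.splitlines():
        m = DROP_LINE.match(line)
        if m:
            counters[m.group("reason")] = int(m.group("count"))
    return counters


def drop_deltas(before: str, after: str) -> List[Tuple[str, int]]:
    """Reasons whose counter increased between the snapshots, largest first.

    A reason absent from the first snapshot counts from zero. A counter that
    went down means 'clear asp drop' ran in between, so it is ignored.
    """
    old, new = parse_asp_drop(before), parse_asp_drop(after)
    deltas = [(reason, count - old.get(reason, 0)) for reason, count in new.items()]
    deltas = [(reason, diff) for reason, diff in deltas if diff > 0]
    deltas.sort(key=lambda item: item[1], reverse=True)
    return deltas


def capture_command(reason: str) -> str:
    """The ASA capture to run next, limited to packets dropped for one reason."""
    return f"capture asp-{reason} type asp-drop {reason}"


if __name__ == "__main__":
    for reason, diff in drop_deltas(SNAPSHOT_1, SNAPSHOT_2):
        print(f"{reason:<20} +{diff:<6} -> {capture_command(reason)}")
```

Run it against two saved show asp drop outputs taken while the user reproduces the problem; a reason that only moves during the test is the one to capture with type asp-drop, which keeps the capture small compared with all.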
time based ACL on ASA
It can be easier to set up in ASDM. From the CLI:
Set up a time range that ends at a given date and time. The ASA's own clock is what counts, so check show clock and keep the box on NTP.
time-range TR_expire_acl
absolute end 14:00 07 January 2017
Create the ACL entry as normal and add the time range on the end; the entry only matches while the range is active.
access-list INSIDE-OUT extended permit ip host 192.168.10.50 any time-range TR_expire_acl
Thursday, 5 January 2017
TCP reset on ASA
I often see TCP Reset-I or TCP Reset-O in the logs on the ASA (the reason at the end of the %ASA-6-302014 teardown message). It's not clear at first glance what it means.
TCP Reset-I
Means the connection was reset from the interface with the higher security level, usually the inside interface. Normally this is an application-layer issue: some software on the PC or the application itself reset the connection for some reason. Check the Windows firewall and any other AV or endpoint products running on the client. Also check the Java security exceptions list. Are there any other firewalls, IPS etc. on the inside of your connection?
TCP Reset-O
The connection was reset from the interface with the lower security level, usually the outside interface. The reset came from the other side, so it is usually a server issue.
If you get these messages in the log you can take a packet capture on both the inside and outside interfaces and collect logs while the user tries the connection. Once you have that information you can demonstrate the traffic was passed by the firewall but then either the other side sent the reset (TCP Reset-O) or the inside host sent the reset (TCP Reset-I), and move the investigation away from the ASA.
I have seen the case where I got a TCP Reset-O in the logs but the issue was actually that a NoNAT was needed. In that case the user was trying to connect from AnyConnect -> ASA -> S2S VPN -> remote site -> 10.60.46.x. So check your NATs are all correct too.
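When there are a lot of these in the log it helps to summarise them before pulling captures: which reason, which host sent the RST, and whether the connection carried any data first (a zero-byte Reset-O straight after setup is the server refusing, while a reset after kilobytes of data is something mid-session). The following is an added example, not from the original post: it parses 302014 teardown lines and attributes each reset to the endpoint on the side the reason names. The log lines are constructed to resemble %ASA-6-302014 messages and the field layout is an assumption; the interface names treated as "higher security" (inside by default) are a parameter, since the rule is about security level, not the name.

```python
"""Triage ASA 'TCP Reset-I' / 'TCP Reset-O' teardown messages from syslog.

Added example, not from the original post. SAMPLE_LOGS is constructed to look
like %ASA-6-302014 teardown lines; the field layout is an assumption and the
regex only relies on the two interface:ip/port endpoints, bytes and reason.
"""
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample syslog lines (not from a real firewall).
SAMPLE_LOGS = """\
%ASA-6-302013: Built outbound TCP connection 9101 for outside:200.100.100.100/443 (200.100.100.100/443) to inside:192.168.1.50/52344 (203.0.113.7/52344)
%ASA-6-302014: Teardown TCP connection 9101 for outside:200.100.100.100/443 to inside:192.168.1.50/52344 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 9102 for outside:200.100.100.100/443 to inside:192.168.1.50/52345 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 9103 for outside:198.51.100.20/8443 to inside:192.168.1.51/60011 duration 0:00:12 bytes 4523 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 9104 for outside:198.51.100.20/443 to inside:192.168.1.52/60012 duration 0:05:00 bytes 88123 TCP FINs
"""

TEARDOWN = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)


def parse_teardown(line: str) -> Optional[Dict[str, str]]:
    """Fields of a 302014 line, or None for any other message."""
    m = TEARDOWN.search(line)
    return m.groupdict() if m else None


def reset_origin(event: Dict[str, str], higher_sec_ifaces=("inside",)) -> Optional[str]:
    """ip:port of the endpoint that sent the RST.

    Reset-I comes from the higher-security side (inside by default), Reset-O
    from the lower-security side. Interface names are an assumption; pass
    your own tuple if the higher-security interface is called something else.
    """
    reason = event["reason"]
    if reason not in ("TCP Reset-I", "TCP Reset-O"):
        return None
    want_high = reason.endswith("-I")
    for side in ("a", "b"):
        is_high = event[f"if_{side}"] in higher_sec_ifaces
        if is_high == want_high:
            return f"{event[f'ip_{side}']}:{event[f'port_{side}']}"
    return None


def triage(log_text: str) -> Dict[str, Counter]:
    """Count reset reasons, the endpoints that sent them, and zero-byte resets.

    A zero-byte reset means nothing was exchanged after the handshake: the
    resetting side refused the connection outright, which is what to show the
    application or server team.
    """
    by_reason: Counter = Counter()
    by_sender: Counter = Counter()
    zero_byte: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_teardown(line)
        if not ev:
            continue
        sender = reset_origin(ev)
        if sender is None:
            continue  # FINs, timeouts and other teardown reasons
        by_reason[ev["reason"]] += 1
        by_sender[sender] += 1
        if ev["bytes"] == "0":
            zero_byte[sender] += 1
    return {"by_reason": by_reason, "by_sender": by_sender, "zero_byte": zero_byte}


if __name__ == "__main__":
    for name, counter in triage(SAMPLE_LOGS).items():
        print(name, dict(counter))
```

The NoNAT case above is why the byte count matters: a Reset-O with zero bytes on a connection that should have gone over the S2S tunnel is a hint that the packet went out the wrong interface and got answered by something that was never meant to see it, so check the NAT and the capture on the outside interface before blaming the far end.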