Tuesday, May 21, 2013

How to see a Pre Shared Key for Site to Site VPN on Cisco ASA

To see the pre-shared key for any Site to Site VPN, simply type the following in the CLI:

more system:running-config | begin tunnel-group


This will change:



tunnel-group 10.55.55.55 type ipsec-l2l
tunnel-group 10.55.55.55 ipsec-attributes
pre-shared-key *****


Into:


tunnel-group 10.55.55.55 type ipsec-l2l
tunnel-group 10.55.55.55 ipsec-attributes
pre-shared-key fgaJcXri3zVq


More information about seeing the pre-shared key on version 6.3 here:
http://www.packetsent.com/2011/11/display-vpn-preshared-key-on-cisco-pix.html

How to Make PPTP Connections Work Through a Cisco ASA

The most common reason I find that PPTP connections do not work is that the inspect for PPTP is not enabled.

This is how you enable the inspect in the default inspection class:


conf t

policy-map global_policy
 class inspection_default
  inspect pptp
end
wr mem


This is needed whenever PAT is being used, since the GRE data stream has no port numbers to translate; the inspect engine opens the GRE connection for each call it sees in the PPTP control channel.

More details here:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1432892

How to Capture ARP Requests on a Cisco ASA

Many times I have had to prove that the firewall was not receiving any ARP replies from the workstation, router, switch, or server. Here is how I did it:

Log into the CLI and create a capture that matches only ARP frames:

capture [CAP_NAME] interface [INT_NAME] ethernet-type arp

//Example
ASA# capture arpcap interface servers ethernet-type arp
ASA# show capture arpcap

//This is an example of a device that is not responding to ARP:
   1: 20:26:41.822046 arp who-has 10.55.55.55 tell 10.55.55.1
   2: 20:26:43.622508 arp who-has 10.55.55.55 tell 10.55.55.1
   3: 20:26:44.622462 arp who-has 10.55.55.55 tell 10.55.55.1
//We can see the firewall (10.55.55.1) is sending ARP requests for 10.55.55.55 but there is no reply

//This is an example of a device that is responding to ARP requests:

   1: 20:30:59.077226 arp who-has 10.55.55.55 tell 10.55.55.1
   2: 20:30:59.077562 arp reply 10.55.55.55 is-at 0:45:00:07:a7:00

//We can see the firewall (10.55.55.1) is sending an ARP request for 10.55.55.55 and gets a reply saying it has MAC address 0:45:00:07:a7:00


You can of course also do a show arp to see the current ARP table, but the capture will prove the device is not replying to ARP, or it will help you find whether two or more devices are answering ARP for the same IP address.

Cisco ASA Renaming Network Objects, Service Objects, Access Lists, and Details about Object-Groups

Renaming objects on the ASA is very simple:

NOTE: You cannot rename object-groups as of version 9.1, so make sure you pick the correct name the first time!
Updating an object's name will automatically update the references to it in the policy.

Renaming Network Objects:
object network OLD_NAME rename NEW_NAME

Renaming Service Objects:
object service OLD_NAME rename NEW_NAME

Renaming Access Lists:
access-list OLD_NAME rename NEW_NAME


Tuesday, June 5, 2012

How to Download Packet Captures as a PCAP File to Use in Wireshark on a Cisco ASA

If you need to download your packet captures from a Cisco ASA/PIX so you can import them into Wireshark, it is a very simple process.

I assume the following is true:
1. You have HTTP (ASDM) access to the firewall
2. You already have a capture with captured packets (see here for how to create a capture)
If you want to first see the capture in the browser to make sure there are packets, you can do the following:

Command Format:
https://FW_IP/admin/capture/CAP_NAME
Example: 
https://10.55.55.55/admin/capture/jcap

Once you know you have data in your capture, you can download the pcap by doing the following:

Command Format:
https://FW_IP/admin/capture/CAP_NAME/pcap
Example:
https://10.55.55.55/admin/capture/jcap/pcap



How to Capture traffic on a Cisco ASA with No Config Changes

Problem: You need to capture traffic between 1.1.1.1 and 2.2.2.2

In previous versions of ASA/PIX code (7.2 and below) you had to go into config mode, add a bi-directional access-list, and then apply it to the packet capture. As of 7.2.1 you no longer have to do that, which makes creating captures a lot quicker, and no configuration changes are made to the firewall since no access-lists are created.


Command Format:
capture [CAP_NAME] interface [INT_NAME] match ip host x.x.x.x host x.x.x.x
Example: 
capture jcap interface inside match ip host 1.1.1.1 host 2.2.2.2

While this rule looks like it would only capture traffic sourced from 1.1.1.1, it is actually bidirectional by default, so it will capture traffic sourced from either address.

To see and manage your captures, issue the following commands:
show capture - this will list all of the captures running on the ASA/PIX
show capture [CAP_NAME] - this will show the actual packets captured in the capture

clear capture [CAP_NAME] - this will clear the captured packets for one capture

no cap [CAP_NAME] - this will completely remove and stop the capture

There are many more options, such as ports and protocols; you can find those in the reference guide here:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c1.html#wp2129312

##############################

Here are some more captures I regularly use:

Change the capture to gather whole subnets:
Example: 
capture jcap interface inside match ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

If you need to see all the traffic to and from one address, you could make a capture like this:
Example: 
capture jcap interface inside match ip host 1.1.1.1 any

Capture ARP request and replies with the following:
Example: 
capture arpcap interface inside ethernet-type arp


How to failover the standby ASA from the primary ASA

If for some reason you can't access the standby firewall but need to reload it, and you only have access to the primary firewall, you can easily reboot the standby firewall by issuing the following command via the CLI:

failover reload-standby