Tuesday, May 21, 2013

How to see a Pre Shared Key for Site to Site VPN on Cisco ASA

To see the pre-shared key for any Site-to-Site VPN, simply type the following in the CLI:

more system:running-config | begin tunnel-group

Where show running-config masks the key:

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *****

the more system:running-config output shows it in clear text:

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key fgaJcXri3zVq

More information about seeing the pre-shared key on 6.3 here:

How to Make PPTP Connections Work Through a Cisco ASA

The most common reason I find that PPTP connections do not work is that the inspect for PPTP is not enabled.

This is how you enable the inspect in the default inspection class:

conf t

policy-map global_policy
 class inspection_default
  inspect pptp
wr mem

This is needed whenever PAT is being used.

More details here:

How to Capture ARP Requests on a Cisco ASA

Many times I have had to prove that the firewall was not receiving any ARP replies from the workstation, router, switch, or server. Here is how I did it:

Log into the CLI and create a capture looking only for ARP traffic:

capture [CAP_NAME] interface [INT_NAME] ethernet-type arp

ASA# capture arpcap interface servers ethernet-type arp
ASA# show capture arpcap

//This is an example of a device that is not responding to ARP:
   1: 20:26:41.822046 arp who-has tell
   2: 20:26:43.622508 arp who-has tell
   3: 20:26:44.622462 arp who-has tell
//We can see the firewall ( is requesting an ARP for but there is no reply

//This is an example of a device that is responding to ARP requests:

   1: 20:30:59.077226 arp who-has tell
   2: 20:30:59.077562 arp reply is-at 0:45:00:07:a7:00

//We can see the firewall ( is requesting an ARP for and gets a reply that it has MAC address 0:45:00:07:a7:00

You can of course also do a show arp to see the current ARP table, but the capture will prove the device is not ARPing, or it will help you find whether two or more devices are ARPing for the same IP address.

Cisco ASA Renaming Network Objects, Service Objects, Access Lists, and Details about Object-Groups

Renaming objects on the ASA is very simple:

NOTE: You cannot rename object-groups as of version 9.1, so make sure you pick the correct name the first time!
Updating the objects names will automatically update the references in the policy.

Renaming Network Objects:
object network OLD_NAME rename NEW_NAME

Renaming Service Objects:
object service OLD_NAME rename NEW_NAME

Renaming Access Lists:
access-list OLD_NAME rename NEW_NAME