To see the pre-shared key for any site-to-site VPN in clear text, simply type the following in the CLI (show running-config masks the key with asterisks; more system:running-config does not, so treat the output as sensitive and keep the privilege to run it tightly controlled):
more system:running-config | begin tunnel-group
This will change:
tunnel-group 10.55.55.55 type ipsec-l2l
tunnel-group 10.55.55.55 ipsec-attributes
pre-shared-key *****
Into:
tunnel-group 10.55.55.55 type ipsec-l2l
tunnel-group 10.55.55.55 ipsec-attributes
pre-shared-key fgaJcXri3zVq
More information about seeing the pre-shared key on PIX 6.3 here:
http://www.packetsent.com/2011/11/display-vpn-preshared-key-on-cisco-pix.html
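Once the keys are visible, the natural next step is to check them. The following Python script is an added example, not code from the original post: it parses the output of the more system:running-config command shown above, maps each tunnel-group to the key found under its ipsec-attributes block, and flags keys that are shorter than an assumed local policy minimum (min_len=20 is an assumption, not an ASA requirement), keys reused across peers, and keys that are still masked because the output came from show running-config instead. The configuration text is constructed for the example; the peer addresses and keys are not from a real firewall.

```python
import re
from collections import defaultdict

# Constructed sample of "more system:running-config | begin tunnel-group"
# output (not from a real firewall). Three L2L peers: one 12-character key,
# one short dictionary-style key, and one peer reusing the first key.
SAMPLE_CONFIG = """\
tunnel-group 10.55.55.55 type ipsec-l2l
tunnel-group 10.55.55.55 ipsec-attributes
 pre-shared-key fgaJcXri3zVq
tunnel-group 10.66.66.66 type ipsec-l2l
tunnel-group 10.66.66.66 ipsec-attributes
 ikev1 pre-shared-key cisco123
tunnel-group 10.77.77.77 type ipsec-l2l
tunnel-group 10.77.77.77 ipsec-attributes
 pre-shared-key fgaJcXri3zVq
"""

# Start of an ipsec-attributes block; the key lines follow it.
TG_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")
# Pre-8.4 "pre-shared-key", 8.4+ "ikev1 pre-shared-key" and the IKEv2
# local/remote-authentication forms all end in "pre-shared-key <key>".
PSK_RE = re.compile(
    r"^\s*(?:ikev[12] (?:local-authentication |remote-authentication )?)?"
    r"pre-shared-key (\S+)\s*$"
)


def extract_psks(text):
    """Map each tunnel-group name to the key(s) under its ipsec-attributes.

    Masked keys (*****) are kept so the caller can tell 'show run' output
    from 'more system:running-config' output.
    """
    psks = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = TG_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("tunnel-group "):
            current = None  # type / general-attributes / other sub-block
            continue
        m = PSK_RE.match(line)
        if m and current:
            psks[current].append(m.group(1))
    return dict(psks)


def audit_psks(text, min_len=20):
    """Return sorted (tunnel-group, finding) tuples.

    min_len is an assumed local policy threshold, not an ASA limit.
    """
    findings = []
    users = defaultdict(list)  # key -> tunnel-groups that use it
    for tg, keys in sorted(extract_psks(text).items()):
        for key in keys:
            if set(key) == {"*"}:
                findings.append((tg, "key is masked; use 'more system:running-config'"))
                continue
            users[key].append(tg)
            if len(key) < min_len:
                findings.append((tg, f"key length {len(key)} is below {min_len}"))
    for key, tgs in users.items():
        if len(tgs) > 1:
            for tg in tgs:
                others = ", ".join(t for t in tgs if t != tg)
                findings.append((tg, "key shared with " + others))
    return sorted(findings)


if __name__ == "__main__":
    for tg, finding in audit_psks(SAMPLE_CONFIG):
        print(f"{tg}: {finding}")
```

Paste the firewall output into a file and feed its contents to audit_psks; a key shared between two peers means a compromise of either site exposes the other tunnel, which is the finding most worth acting on.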
Tuesday, May 21, 2013
How to Make PPTP Connections Work Through a Cisco ASA
The most common reason I find that PPTP connections do not work is because the inspect for PPTP is not enabled.
This is how you enable the inspect in the default inspection class:
conf t
policy-map global_policy
class inspection_default
inspect pptp
end
wr mem
This is needed whenever PAT is being used: PPTP carries its data in GRE (IP protocol 47), which has no port numbers for PAT to translate, so the firewall must inspect the TCP/1723 control channel to learn the call IDs and open the matching GRE translation. You can confirm the inspection is active with show service-policy inspect pptp.
More details here:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1432892
How to Capture ARP Requests on a Cisco ASA
Many times I have had to prove that the firewall was not receiving any ARP replies from a workstation, router, switch or server. Here is how I did it:
Log into the CLI and create a capture that matches only ARP traffic (both requests and replies):
capture [CAP_NAME] interface [INT_NAME] ethernet-type arp
//Example
ASA# capture arpcap interface servers ethernet-type arp
ASA# show capture arpcap
//This is an example of a device that is not responding to ARP:
1: 20:26:41.822046 arp who-has 10.55.55.55 tell 10.55.55.1
2: 20:26:43.622508 arp who-has 10.55.55.55 tell 10.55.55.1
3: 20:26:44.622462 arp who-has 10.55.55.55 tell 10.55.55.1
//We can see the firewall (10.55.55.1) is requesting an ARP for 10.55.55.55 but there is no reply
//This is an example of a device that is responding to ARP requests:
1: 20:30:59.077226 arp who-has 10.55.55.55 tell 10.55.55.1
2: 20:30:59.077562 arp reply 10.55.55.55 is-at 0:45:00:07:a7:00
//We can see the firewall (10.55.55.1) is requesting an ARP for 10.55.55.55 and gets a reply that it is at MAC address 0:45:00:07:a7:00
You can of course also run show arp to see the current ARP table, but the capture proves whether the device is answering ARP at all, and it will also show you when two or more devices are replying for the same IP address.
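The two conditions the capture is used for, a target that never answers and an IP address claimed by more than one MAC, can be picked out of a long show capture listing automatically. The following Python script is an added example, not code from the original post: it parses lines in the format shown above and reports unanswered targets and conflicting replies. The capture text is constructed for the example (the conflicting MAC addresses and the 10.55.55.60 / 10.55.55.70 hosts are made up).

```python
import re
from collections import defaultdict

# Constructed sample of "show capture arpcap" output (not a real capture):
# 10.55.55.55 never answers, two different MACs answer for 10.55.55.60
# (a duplicate address), and 10.55.55.70 answers normally.
SAMPLE_CAPTURE = """\
1: 20:26:41.822046 arp who-has 10.55.55.55 tell 10.55.55.1
2: 20:26:43.622508 arp who-has 10.55.55.55 tell 10.55.55.1
3: 20:26:44.622462 arp who-has 10.55.55.55 tell 10.55.55.1
4: 20:30:59.077226 arp who-has 10.55.55.60 tell 10.55.55.1
5: 20:30:59.077562 arp reply 10.55.55.60 is-at 0:45:00:07:a7:00
6: 20:30:59.078011 arp reply 10.55.55.60 is-at 0:1b:21:aa:bb:cc
7: 20:31:02.000100 arp who-has 10.55.55.70 tell 10.55.55.1
8: 20:31:02.000400 arp reply 10.55.55.70 is-at 0:50:56:12:34:56
"""

REQUEST_RE = re.compile(r"arp who-has (\S+) tell (\S+)")
REPLY_RE = re.compile(r"arp reply (\S+) is-at (\S+)")


def parse_arp_capture(text):
    """Return (requests, replies).

    requests maps target IP -> number of who-has seen for it;
    replies maps IP -> sorted list of MACs that claimed it.
    """
    requests = defaultdict(int)
    replies = defaultdict(set)
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            replies[m.group(1)].add(m.group(2).lower())
    return dict(requests), {ip: sorted(macs) for ip, macs in replies.items()}


def unanswered_targets(text):
    """IPs the firewall asked for that nobody answered in the capture."""
    requests, replies = parse_arp_capture(text)
    return sorted(ip for ip in requests if ip not in replies)


def conflicting_targets(text):
    """IPs for which more than one MAC sent a reply (duplicate address)."""
    _, replies = parse_arp_capture(text)
    return {ip: macs for ip, macs in replies.items() if len(macs) > 1}


if __name__ == "__main__":
    print("no reply:", unanswered_targets(SAMPLE_CAPTURE))
    print("conflicts:", conflicting_targets(SAMPLE_CAPTURE))
```

Run show capture arpcap, paste the listing into a file, and pass its contents to the two functions. Remove the capture with no capture arpcap once you have what you need.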
Cisco ASA Renaming Network Objects, Service Objects, Access Lists, and Details about Object-Groups
Renaming objects on the ASA is very simple:
NOTE: You cannot rename object-groups as of version 9.1, so make sure you pick the correct name the first time!
Updating the object names will automatically update the references in the policy.
Renaming Network Objects (rename is entered in object configuration mode):
object network OLD_NAME
 rename NEW_NAME
Renaming Service Objects:
object service OLD_NAME
 rename NEW_NAME
Renaming Access Lists (a single global configuration command):
access-list OLD_NAME rename NEW_NAME