Example TACACS+ CCNA Security

R0#debug ip packet detail 101
IP packet debugging is on (detailed) for access list 101
R0#debug aaa authent
R0#debug aaa authentication
AAA Authentication debugging is on
R0#
R0#
R0#
R0#
*Mar  1 01:55:28.799: AAA/BIND(00000007): Bind i/f
*Mar  1 01:55:28.803: AAA/AUTHEN/LOGIN (00000007): Pick method list 'default'
*Mar  1 01:55:28.819: IP: tableid=0, s=192.168.115.254 (local), d=192.168.115.100 (FastEthernet0/0), routed via FIB
*Mar  1 01:55:28.819: IP: s=192.168.115.254 (local), d=192.168.115.100 (FastEthernet0/0), len 44, sending
*Mar  1 01:55:28.819:     TCP src=44579, dst=49, seq=1941678704, ack=0, win=4128 SYN
*Mar  1 01:55:30.823: IP: tableid=0, s=192.168.115.254 (local), d=192.168.115.100 (FastEthernet0/0), routed via FIB
*Mar  1 01:55:30.823: IP: s=192.168.115.254 (local), d=192.168.115.100 (FastEthernet0/0), len 44, sending
*Mar  1 01:55:30.827:     TCP src=44579, dst=49, seq=1941678704, ack=0, win=4128 SYN
*Mar  1 01:55:31.627: IP: tableid=0, s=192.168.115.254 (local), d=192.168.115.100 (FastEthernet0/0), routed via FIB
*Mar  1 01:55:31.627: IP: s=192.168.115.254 (local), d=192.168.115.100 (FastEthernet0/0), len 40, sending
*Mar  1 01:55:31.631:     TCP src=44579, dst=49, seq=1941678705, ack=1103661260, win=4128 ACK
*Mar  1 01:55:31.635: IP: tableid=0, s=192.168.115.254 (local), d=192.168.115.100 (FastEthernet0/0), routed via FIB
*Mar  1 01:55:31.639: IP: s=192.168.115.254 (local), d=192.168.115.100 (FastEthernet0/0), len 83, sending
*Mar  1 01:55:31.639:     TCP src=44579, dst=49, seq=1941678705, ack=1103661260, win=4128 ACK
*Mar  1 01:55:31.847: IP: tableid=0, s=192.168.115.254 (local), d=192.168.115.100 (FastEthernet0/0), routed via FIB
*Mar  1 01:55:31.847: IP: s=192.168.115.254 (local), d=192.168.115.100 (FastEthernet0/0), len 40, sending
*Mar  1 01:55:31.851:     TCP src=44579, dst=49, seq=1941678748, ack=1103661288, win=4100 ACK
*Mar  1 01:55:36.571: IP: tableid=0, s=192.168.115.254 (local), d=192.168.115.100 (FastEthernet0/0), routed via FIB
*Mar  1 01:55:36.575: IP: s=192.168.115.254 (local), d=192.168.115.100 (FastEthernet0/0), len 62, sending
*Mar  1 01:55:36.575:     TCP src=44579, dst=49, seq=1941678748, ack=1103661288, win=4100 ACK
*Mar  1 01:55:37.051: IP: tableid=0, s=192.168.115.254 (local), d=192.168.115.100 (FastEthernet0/0), routed via FIB
*Mar  1 01:55:37.051: IP: s=192.168.115.254 (local), d=192.168.115.100 (FastEthernet0/0), len 40, sending
*Mar  1 01:55:37.051:     TCP src=44579, dst=49, seq=1941678770, ack=1103661306, win=4082 ACK




CONFIG:

R0#sho run
Building configuration...

Current configuration : 1089 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R0
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$FGPM$.ZJO8E/kwowrMca3fsrym0
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login consoleport none
!
!
aaa session-id common
memory-size iomem 5
ip cef
!
!
!
!
ip domain name pekoe.local
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.115.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip host 192.168.115.254 host 192.168.115.100
!
!
!
!
!
tacacs-server host 192.168.115.100 single-connection
tacacs-server key cisco123
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 login authentication consoleport
line aux 0
line vty 0 4
 transport input ssh
!
!
end

R0#


CCNA Security Commands

##########
##########
### ROUTER COMMANDS ###
##########
##########
enable secret C1SCO
%
line con 0
  password C1SCO
  login
%
line aux 0
  password C1SCO
  login
%
line vty 0 4
  login
  password C1SCO
%
service password-encryption
%
username Bob secret 0 C1SCO
%
security authentication failure rate 5 log
%
line con 0
 exec-timeout 2 30
%
line aux 0
 exec-timeout 2 30
%
line vty 0 4
 exec-timeout 2 30
%
privilege exec level 5 debug
enable secret level 5 C1SCO
%
aaa new-model
enable view
parser view HELPDESK
  secret 0 C1SCO
  commands exec include all copy
  commands exec include traceroute
  commands exec include ping
%
secure boot-image
secure boot-config
%
login block-for 30 attempts 5 within 10
login quiet-mode access-class 101
login delay 3
login on-failure log
login on-success log
%
banner motd $
%
ip http server
ip http secure-server
ip http authentication local
username Bill privilege 15 secret 0 C1SCO
%
aaa authentication login default local
aaa authentication arap
aaa authentication banner
aaa authentication enable default
aaa authentication fail-message
aaa authentication local-override
aaa authentication login
aaa authentication nasi
aaa authentication password-prompt
aaa authentication ppp
aaa authentication username-prompt
%
line console 0
  login authentication console-in
%
int s3/0
  ppp authentication chap dial-in
%
aaa authorization commands 1 Bill local
aaa authorization commands 15 Bob local
%
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
%
debug aaa authentication
debug aaa authorization
debug aaa accounting
%
tacacs-server host 192.168.10.75 single-connection
tacacs-server key shared1
%
auto-secure
%
ip domain-name ciscopress.com
crypto key zeroize rsa
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 120
ip ssh authentication-retries 4
line vty 0 4
  transport input ssh
%
show crypto key mypubkey rsa
%
access-list compiled
%
access-list 150 deny ip 12.1.1.0 0.0.0.255 any log
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
interface e0/1
  ip access-group 150 in
%
access-list 114 permit icmp 12.2.1.0 0.0.0.255 any echo
access-list 114 permit icmp 12.2.1.0 0.0.0.255 any parameter-problem
access-list 114 permit icmp 12.2.1.0 0.0.0.255 any packet-too-big
access-list 114 permit icmp 12.2.1.0 0.0.0.255 any source-quench
access-list 114 deny icmp any any log
interface e0/1
  ip access-group 114 out
%
access-list 90 permit host 12.2.1.3 log
access-list 90 deny any log
line vty 0 4
  login authentication vty-sysadmin
  transport input ssh
  access-class 90 in
%
access-list 12 deny 12.2.2.0 0.0.0.255
access-list 12 permit any
router rip
  distribute-list 12 out
  version 2
  no auto-summary
  network 12.0.0.0
%
access-list 104 deny ip any any
access-list 103 permit tcp any any eq www
ip inspect name FWRULE tcp
interface S0
  ip access-group 103 out
  ip access-group 104 in
  ip inspect FWRULE out
%
crypto isakmp policy 1
  authentication pre-share
  hash sha
  encryption aes 128
  group 2
  lifetime 86400
%
crypto isakmp key SECRET address 172.30.2.2
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
crypto map ROUTER1_TO_ROUTER2 ipsec-isakmp
  set peer 172.30.2.2
  match address 101
  set transform-set MYSET
%
interface serial 1/0
  crypto map ROUTER1_TO_ROUTER2
ip route 192.168.0.0 255.255.255.0 172.30.2.2
%
##########
##########
### SWITCH COMMANDS ###
##########
##########
%
interface gigabitethernet 0/3
  switchport mode access
%
interface gigabitethernet 0/4
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport nonegotiate
%
interface gigabitethernet 0/5
  switchport trunk native vlan 400
%
interface gigabitethernet 0/6
  spanning-tree guard root
%
interface gigabitethernet 0/7
  spanning-tree portfast
  spanning-tree bpduguard enable
%
ip dhcp snooping
%
interface gigabitethernet 0/8
  ip dhcp snooping trust
%
ip arp inspection vlan 100
%
interface gigabitethernet 0/9
  ip arp inspection trust
%
monitor session 1 source interface gigabitethernet0/10
monitor session 1 destination interface gigabitethernet0/11
%
access-list 100 permit tcp any host 10.1.1.2 eq telnet
vlan access-map ALLOWTELNET 10
  match ip address 100
  action forward
%
vlan filter ALLOWTELNET vlan-list 1-100
%
interface gigabitethernet 0/12
  switchport mode access
  switchport port-security
  switchport port-security maximum 5
  switchport port-security violation protect
  switchport port-security mac-address 1234.1234.1234
  switchport port-security mac-address sticky
%
show port-security
%
radius-server host 192.168.10.1
radius-server key RADIUS!123
%

CCIE Security 2.X Verification Commands “Cheat Sheet”

PIX/ASA 7.2

AAA

debug radius
debug tacacs
show aaa-server protocol PROTOCOL_NAME
test aaa-server

Access Control Lists

show access-list
show run | include ACCESS_LIST_NAME
show run object-group
show run time-range

Application Inspection

show conn state STATE_TYPE detail
show service-policy

Configuring Interfaces

show firewall
show int
show int ip brief
show ip
show mode
show nameif
show run interface INTERFACE_NAME
show version

Connections and Translations

clear xlate
show conn
show conn detail
show local-host all
clear local-host all (clears all connections)
show log
show run | begin policy-map
show run global
show run nat
show xlate
test regex

Failover

debug fo rxip
debug fo txip
show failover
show ip

IP Routing

debug ospf events
debug rip
show ospf database
show ospf interface
show ospf neighbor
show ospf PROCESS_ID
show ospf virtual-links
show route

Multicast

show igmp interface
show mroute
show pim interface
show pim neighbor

PKI

debug crypto ca messages
debug crypto ca transactions
show crypto ca certificates
show crypto ca crls
show crypto key mypubkey rsa

Quality of Service

show priority-queue statistics
show run class-map
show run policy-map
show service-policy global
show service-policy interface INTERFACE_NAME
show service-policy priority
show service-policy shape

Security Contexts

show admin-context
show context
show mode

System Management

show clock
show crypto key mypubkey rsa
show logging
show ntp status
show running-config
show snmp-server statistics
show ssh sessions
show startup-config

Transparent Firewall

debug arp-inspection
debug l2-indication
debug mac-address-table
show access-list
show arp-inspection
show conn
show firewall
show mac-address-table

VPNs

debug crypto ipsec
debug crypto isakmp
show crypto ipsec sa
show crypto isakmp sa detail
show route

WebVPN

debug menu wbvpn
debug ssl cipher
show vpn-sessiondb summary
show vpn-sessiondb webvpn