Pix ASA Debug icmp

Debug

The debug icmp trace command prints every ICMP packet the ASA sees (echo requests and replies sent through or to the appliance) on the console. It is the quickest way to confirm which source address a user's traffic actually arrives from.

ciscoasa#debug icmp trace

The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed on the console.

ciscoasa# 

!- Output is suppressed.

ICMP echo request from 192.168.1.50 to 192.168.1.1 ID=512 seq=5120 len=32
ICMP echo reply from 192.168.1.1 to 192.168.1.50 ID=512 seq=5120 len=32

!- The user IP address is 192.168.1.50.

To disable debug icmp trace, use one of these commands (do this as soon as you have the address; debug output is written synchronously to the console and can flood it on a busy ASA):

no debug icmp trace

undebug icmp trace

undebug all, Undebug all, or un all

Each of the three options in this note (debug icmp trace, the capture feature, and packet-tracer) lets the administrator determine the user's source IP address. In this example it is 192.168.1.50. With the address known, the administrator can move on to application X and determine the cause of the problem.

ASA Capture Feature

The administrator needs to create an access-list that defines what traffic the ASA needs to capture. After the access-list is defined, the capture command incorporates the access-list and applies it to an interface.

ciscoasa(config)#access-list inside_test permit icmp any host 192.168.1.1
ciscoasa(config)#capture inside_interface access-list inside_test interface inside

The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed.

ciscoasa#show capture inside_interface
1: 13:04:06.284897 192.168.1.50 > 192.168.1.1: icmp: echo request

!- The user IP address is 192.168.1.50.

Note: To download the capture as a pcap file to a system running Wireshark (formerly Ethereal), open a browser and use this HTTPS URL format. HTTPS management access to the ASA interface you connect to must already be enabled (http server enable, plus an http <source> <mask> <interface> entry that permits your workstation):

https://<ASA_IP_address>/capture/<capture name>/pcap

!- From the CLI the same file can be pushed out with
!- copy /pcap capture:<capture name> tftp://<server>/<file>
!- Remove the capture with no capture <capture name> when finished. The capture
!- buffer is finite (512 KB by default) and stops recording when full unless the
!- capture was created with the circular-buffer keyword.

Refer to ASA/PIX: Packet Capturing using CLI and ASDM Configuration Example for more on packet capture on the ASA.

ASA packet-tracer

Use the packet-tracer option.

From previous sections, the ASA administrator has learned enough information to use the packet-tracer option in the ASA.

Note: The ASA supports the packet-tracer command starting in version 7.2.

ciscoasa#packet-tracer input inside tcp 192.168.1.50 1025 172.22.1.1 http

!- This line specifies a source port of 1025. If the real source
!- port is not known, any number can be used; client (ephemeral)
!- source ports normally fall in the range 1025 to 65535.
!- The destination port is given by service name, http (port 80).

Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.22.1.0 255.255.255.0 outside

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit tcp 192.168.1.0 255.255.255.0 any eq www 
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
match ip inside 192.168.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (172.22.1.254)
translate_hits = 6, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.1.50/1025 to 172.22.1.254/1028 
using netmask 255.255.255.255

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config: 
nat (inside) 1 192.168.1.0 255.255.255.0
match ip inside 192.168.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (172.22.1.254)
translate_hits = 6, untranslate_hits = 0
Additional Information:

Phase: 10
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype: 
Result: ALLOW 
Config:
Additional Information:

Phase: 13
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 94, packet dispatched to next module

Phase: 15
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 172.22.1.1 using egress ifc outside
adjacency Active
next-hop mac address 0030.a377.f854 hits 11

!- The MAC address is at Layer 2 of the OSI model.
!- This tells the administrator the next host 
!- that should receive the data packet.


Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

The most important output of the packet-tracer command is the last line, Action: allow. If any phase returns Result: DROP, the trace stops at that phase and the final lines show Action: drop followed by a Drop-reason that names the rule or check responsible, so for a failing flow read upward from the end to find the phase that rejected the packet.

The three options (debug icmp trace, capture, and packet-tracer) each show the administrator that the ASA is not responsible for the application X issue: the application X traffic leaves the ASA, and the ASA never receives a reply from the application X server.
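When packet-tracer is run repeatedly (for many flows, or from a script over SSH), reading fifteen phases by eye does not scale. The following parser is an added example, not code from the page or from Cisco: it splits packet-tracer output into phases and reports the final Action and, for a dropped packet, the phase that returned DROP together with the Drop-reason line. The two sample outputs are constructed; ALLOW_OUTPUT abbreviates the trace above, and DROP_OUTPUT is a made-up ACL deny written in the format the ASA prints for one.

```python
"""Parse Cisco ASA packet-tracer output and report the verdict. Added example, not
code from the page or from Cisco: it splits the text that packet-tracer prints into
phases and reports the final Action plus, for a drop, the phase that returned DROP."""
import re
from dataclasses import dataclass, field

FIELD_RE = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")

@dataclass
class Phase:
    number: int
    ptype: str = ""
    subtype: str = ""
    result: str = ""                             # ALLOW or DROP
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


def parse_packet_tracer(text):
    """Return (phases, action, drop_reason): action is "allow" or "drop" from the
    trailing Action: line, drop_reason the Drop-reason: text or None when allowed."""
    phases, action, drop_reason, current, section = [], None, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):        # blank lines and "!-" annotations
            continue
        if line.startswith("Action:"):
            action = line.split(":", 1)[1].strip().lower()
        elif line.startswith("Drop-reason:"):
            drop_reason = line.split(":", 1)[1].strip()
        elif line.startswith("Phase:"):
            current = Phase(int(line.split(":", 1)[1]))
            phases.append(current)
            section = None
        elif current is None:
            pass                                   # summary block: input-interface etc.
        elif FIELD_RE.match(line):
            key, val = FIELD_RE.match(line).groups()
            if key == "Result" and not val:
                current = None                     # bare "Result:" opens the summary block
            elif key == "Type":
                current.ptype = val
            elif key == "Subtype":
                current.subtype = val
            elif key == "Result":
                current.result = val.upper()
            else:
                section = "config" if key == "Config" else "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases, action, drop_reason


def verdict(text):
    """One line: what the ASA would do and, for a drop, which phase and rule."""
    phases, action, drop_reason = parse_packet_tracer(text)
    if action == "allow":
        return "allow (%d phase(s), all ALLOW)" % len(phases)
    p = next((ph for ph in phases if ph.result == "DROP"), None)
    where = "phase %d %s" % (p.number, p.ptype) if p else "unknown phase"
    rule = "; ".join(p.config) if p and p.config else "no config shown"
    return "drop at %s: %s [%s]" % (where, rule, drop_reason or "no Drop-reason")


# Constructed samples: ALLOW_OUTPUT abbreviates the page's trace, DROP_OUTPUT is a made-up ACL deny.
ALLOW_OUTPUT = """\
Phase: 1
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
Additional Information:
Dynamic translate 192.168.1.50/1025 to 172.22.1.254/1028

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

DROP_OUTPUT = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_acl in interface inside
access-list inside_acl extended deny tcp any any eq telnet
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

The bare Result: line that opens the summary block has the same label as a phase's Result: ALLOW field, which is why the parser treats an empty value as the end of the phases; Drop-reason: is only printed for drops, so it is kept as None otherwise. Feed the function the raw text captured from the ASA session (for example the output of the page's packet-tracer input inside tcp ... command) and call verdict() on it.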

Show filter

Most of the commands below are Catalyst/IOS commands rather than ASA commands (the ASA equivalents differ: show arp instead of show ip arp, show interface ip brief instead of show ip interface brief). The hitcnt filter is ASA-specific, because the ASA reports hitcnt where IOS reports matches.

sh interfaces | i Description|line|Internet
show access-list | include hitcnt=[1-9] - filters the access lists and shows only the entries whose hitcnt is greater than 0 (any non-zero count starts with a digit 1-9, so this also matches 10, 250, and so on)

sh int descrip | i up
sh interfaces | i Description|line
sh ip int brie | i up

show ip arp - given an IP address or a MAC address, shows the matching ARP entry (IP, MAC, encapsulation type, and interface or VLAN)

show ip arp 10.180.21.94 - shows the MAC address of that IP, the VLAN, and which interface it corresponds to.
Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  10.180.21.94  157        0005.313b.d800  ARPA  Vlan2

sh access-lists name - with a name shows that access list, without a name shows all of them, in both cases with the "matches" counters,
which indicate how many times each entry was hit.

sh snmp loc - shows the SNMP location string, e.g. Risskov M1 LS10 X6,Y17

show interfaces | inc CRC - to see CRC errors

show interfaces summary - check output/input counters

show interfaces counters etherchannel - etherchannel counters

Steps to configure a simple remote access IKE/IPSec connection with examples:

ciscoasa(config)# vpnsetup ipsec-remote-access steps 

Steps to configure a simple remote access IKE/IPSec connection with examples:

1. Configure Interfaces

interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown

interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown

2. Configure ISAKMP policy

crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha

3. Setup an address pool

ip local pool client-pool 192.168.1.1-192.168.1.254

4. Configure authentication method

aaa-server MyRadius protocol radius
aaa-server MyRadius host 192.168.0.254
key $ecretK3y

5. Define tunnel group

tunnel-group client type remote-access
tunnel-group client general-attributes
address-pool client-pool
authentication-server-group MyRadius
tunnel-group client ipsec-attributes
pre-shared-key VpnUs3rsP@ss

6. Setup ipsec parameters

crypto ipsec transform-set myset esp-3des esp-sha-hmac

7. Setup dynamic crypto map

crypto dynamic-map dynmap 1 set transform-set myset
crypto dynamic-map dynmap 1 set reverse-route

8. Create crypto map entry and associate dynamic map with it

crypto map mymap 65535 ipsec-isakmp dynamic dynmap

9. Attach crypto map to interface

crypto map mymap interface outside

10. Enable isakmp on interface

crypto isakmp enable outside

Note: The steps above are the literal output of the vpnsetup helper and reflect legacy defaults. 3DES and SHA-1 are deprecated; on current ASA software use AES (encryption aes-256 in the ISAKMP policy, esp-aes-256 in the transform set) and, on 8.4 and later, IKEv2 (crypto ikev2 policy and crypto ipsec ikev2 ipsec-proposal) with SHA-256 integrity. The helper also leaves out group and lifetime, which default to Diffie-Hellman group 2 and 86400 seconds; set group 14 or higher explicitly. The pre-shared keys and RADIUS key shown are placeholders to be replaced with long random secrets, and they are stored in the running configuration, so restrict who can view it.

Steps to configure a simple site-to-site IKE/IPSec connection with examples:

ciscoasa(config)# vpnsetup site-to-site steps 

Steps to configure a simple site-to-site IKE/IPSec connection with examples:

1. Configure Interfaces

interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown

interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown

2. Configure ISAKMP policy

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha

3. Configure transform-set

crypto ipsec transform-set myset esp-3des esp-sha-hmac

4. Configure ACL

access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

5. Configure Tunnel group

tunnel-group 10.20.20.1 type ipsec-l2l
tunnel-group 10.20.20.1 ipsec-attributes
pre-shared-key P@rtn3rNetw0rk

6. Configure crypto map and attach to interface

crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 10.10.4.108
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside

7. Enable isakmp on interface

crypto isakmp enable outside

Note: For an ipsec-l2l tunnel authenticated with a pre-shared key, the tunnel-group name must be the peer's IP address, and it must match the address in crypto map ... set peer, because the ASA looks up the pre-shared key by the peer address. In this helper output the two differ (tunnel-group 10.20.20.1 versus set peer 10.10.4.108): no tunnel-group named 10.10.4.108 exists, the ASA falls back to DefaultL2LGroup, and the tunnel fails authentication. Use the same address in both places. The algorithm caveat from the remote-access steps applies here too: replace 3DES/SHA-1 with AES-256 and, where possible, IKEv2 with SHA-256 and DH group 14 or higher.

PIX/ASA: Monitor and Troubleshoot

show interface—Shows interface statistics.

show traffic—Shows how much traffic passes through the PIX.

show xlate—Shows the current translations built through the PIX.

show conn—Shows the current connections through the PIX.

642-617 Deploying Cisco ASA Firewall Solutions Exam Topics (Blueprint)

Exam Description

The 642-617 Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0) exam is associated with the CCSP, CCNP Security and Cisco Firewall Specialist certifications. This exam tests a candidate's knowledge and skills needed to implement and maintain Cisco ASA-based perimeter solutions. Successful graduates will be able to reduce risk to the IT infrastructure and applications using Cisco ASA features, and provide detailed operations support for the Cisco ASA. Candidates can prepare for this exam by taking the Deploying Cisco ASA Firewall Solutions course.

Exam Topics

The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.

Pre-Production Design

Choose ASA Perimeter Security technologies/features to implement HLD based on given security requirements
Choose the correct ASA model to implement HLD based on given performance requirements 
Create and test initial ASA appliance configurations using CLI 
Determine which ASA licenses will be required based on given requirements 

Complex Operations Support

Optimize ASA Perimeter Security features performance, functions, and configurations

Create complex ASA security perimeter policies such as ACLs, NAT/PAT, L3/L4/L7 stateful inspections, QoS policies, cut-through proxy, threat detection, botnet detection/filter using CLI and/or ASDM

Perform initial setup on the AIP-SSM and CSC-SSM using CLI and/or ASDM

Configure, verify and troubleshoot High Availability ASAs (A/S and A/A FO) operations using CLI and/or ASDM

Configure, verify and troubleshoot static routing and dynamic routing protocols on the ASA using CLI and/or ASDM

Configure, verify and troubleshoot ASA transparent firewall operations using CLI

Configure, verify and troubleshoot management access/protocols on the ASA using CLI and/or ASDM

Describe Advanced Troubleshooting

Advanced ASA security perimeter configuration/software/hardware troubleshooting using CLI and/or ASDM fault finding and repairing

642-647 VPN v1.0 Exam Topics (Blueprint)

Exam Description

Deploying Cisco ASA VPN Solutions (VPN v1.0) exam is associated with the CCSP, CCNP Security and Cisco VPN Specialist certifications. This exam tests a candidate's knowledge and skills needed to deploy Cisco ASA-based VPN solutions. Successful graduates will be able to reduce risk to the IT infrastructure and applications using Cisco ASA VPN features, and provide detailed operations support for the Cisco ASA. Candidates can prepare for this exam by taking the Deploying Cisco ASA VPN Solutions course.

Exam Topics

The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.

Pre-Production Design

Choose ASA VPN technologies to implement HLD based on given requirements 
Choose the correct ASA model and license to implement HLD based on given performance requirements 
Choose the correct ASA VPN features to implement HLD based on given corporate security policy and network requirements 
Integrate ASA VPN solutions with other security technology domains (CSD, ACS, Device managers, Cert servers, etc.) 

Complex Operations Support

Optimize ASA VPN performance, functions, and configurations 
Configure and verify complex ASA VPN networks using features such as DAP, CSD, Smart tunnels, AnyConnect SSL VPN, Clientless SSL VPN, Site-to-Site VPN, RA VPN, certificates, QoS, etc. to meet security policy requirements.
Create complex ASA network security rules using such features as ACLs, DAP, VPN profiles, certificates, MPF, etc., to meet the corporate security policy

Advanced Troubleshooting

Perform advanced ASA VPN configuration and troubleshooting