Cisco/CLI

From SchnallIchNet
Current version as of 29 November 2018, 14:13

Firmware upgrade

Upload new firmware to flash before starting.

! Remove old boot image
no boot system disk0:/asa963-1-smp-k8.bin

! Add new image as primary boot with old as backup
boot system disk0:/asa964-3-smp-k8.bin
boot system disk0:/asa963-1-smp-k8.bin

! Save changes to config
write memory

! This will cause the standby firewall to reload
failover reload-standby

! After getting messages that standby has rebooted, verify that failover is ready
show failover

! This forces active firewall to become standby, and standby to active
no failover active


Cheat Sheet

Another thing you can do with the ASDM client is to enable command previews.
This lets you configure things in ASDM and, before it sends them to the firewall, shows you the CLI commands it is about to use.
It is enabled via ASDM > Tools > Preferences > Preview commands before sending them to the device.


Disable pager

terminal pager 0


Show NAT/PAT translation table

show xlate


Show access-group

will show you access lists bound to each interface:

show running-config | include access-group 
# sh run | incl access-gr
access-group inside_to_outside_dmz in interface inside
access-group stgoffice_to_inside_outside in interface stgoffice
access-group dmz_to_inside_outside in interface dmz
access-group guestwireless_to_inside_outside in interface guestwlan
access-group bmw_to_inside_dmz in interface bmw
access-group allowarius in interface outside-itenos
access-group outside_to_inside_dmz in interface outside-telekom


Show access-list

will show you the rules with all groups expanded and resolve names to IPs.
It also shows you the hit count of the rule so you can see if it’s not being used.
Lastly it shows you the access list sequence number if you need to put a rule in the middle of the ruleset:

show access-list <access-list name>
# sh access-list inside_to_outside_dmz
access-list inside_to_outside_dmz; 381 elements; name hash: 0x9b447bd7
access-list inside_to_outside_dmz line 1 remark Allow access to SHDEAGB
access-list inside_to_outside_dmz line 2 extended permit ip object NET_RZ object SHDEAGB (hitcnt=0) 0xb3e4ce53
access-list inside_to_outside_dmz line 2 extended permit ip 10.3.11.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=0) 0xb3e4ce53
access-list inside_to_outside_dmz line 3 remark Allow access to VPN clients
access-list inside_to_outside_dmz line 4 extended permit ip object-group NET_RFC1918 object AnyConnect (hitcnt=1519518) 0xbacaa3e8
access-list inside_to_outside_dmz line 4 extended permit ip 10.0.0.0 255.0.0.0 10.219.112.0 255.255.255.0 (hitcnt=1495910) 0x7e937191
access-list inside_to_outside_dmz line 4 extended permit ip 192.168.0.0 255.255.0.0 10.219.112.0 255.255.255.0 (hitcnt=23461) 0x484233c3
access-list inside_to_outside_dmz line 4 extended permit ip 172.16.0.0 255.240.0.0 10.219.112.0 255.255.255.0 (hitcnt=147) 0xda51da6b
access-list inside_to_outside_dmz line 5 extended permit ip object-group NET_RFC1918 object NET_Stuttgart_Office (hitcnt=7856134) 0xcec84ac2
access-list inside_to_outside_dmz line 5 extended permit ip 10.0.0.0 255.0.0.0 10.3.14.0 255.255.254.0 (hitcnt=7492424) 0x6f88731b
access-list inside_to_outside_dmz line 5 extended permit ip 192.168.0.0 255.255.0.0 10.3.14.0 255.255.254.0 (hitcnt=363163) 0x6ba488f1
access-list inside_to_outside_dmz line 5 extended permit ip 172.16.0.0 255.240.0.0 10.3.14.0 255.255.254.0 (hitcnt=547) 0x71ac3184
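As an added example (not from the original page), a small Python parser for this output: it groups the expanded lines by ACL line number, keeps the aggregate hit count of the rule as configured, and lists rules that have never matched. The sample input is a constructed subset of the output shown above.

```python
import re
# Constructed sample: the first rules of the "show access-list inside_to_outside_dmz"
# output shown above on this page.
SAMPLE = """\
access-list inside_to_outside_dmz; 381 elements; name hash: 0x9b447bd7
access-list inside_to_outside_dmz line 1 remark Allow access to SHDEAGB
access-list inside_to_outside_dmz line 2 extended permit ip object NET_RZ object SHDEAGB (hitcnt=0) 0xb3e4ce53
access-list inside_to_outside_dmz line 2 extended permit ip 10.3.11.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=0) 0xb3e4ce53
access-list inside_to_outside_dmz line 3 remark Allow access to VPN clients
access-list inside_to_outside_dmz line 4 extended permit ip object-group NET_RFC1918 object AnyConnect (hitcnt=1519518) 0xbacaa3e8
access-list inside_to_outside_dmz line 4 extended permit ip 10.0.0.0 255.0.0.0 10.219.112.0 255.255.255.0 (hitcnt=1495910) 0x7e937191
access-list inside_to_outside_dmz line 4 extended permit ip 192.168.0.0 255.255.0.0 10.219.112.0 255.255.255.0 (hitcnt=23461) 0x484233c3
access-list inside_to_outside_dmz line 4 extended permit ip 172.16.0.0 255.240.0.0 10.219.112.0 255.255.255.0 (hitcnt=147) 0xda51da6b
"""

REMARK_RE = re.compile(r"^access-list \S+ line (?P<line>\d+) remark (?P<text>.+)$")
RULE_RE = re.compile(r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
                     r"(?P<action>permit|deny) (?P<body>.+?) \(hitcnt=(?P<hits>\d+)\)")

def parse_access_list(text):
    """Group the output by ACL line number.

    A rule that uses objects is printed as configured first and then once per
    resolved address, all with the same line number. The first line carries the
    aggregate hit count, so it is the one we keep; the rest are only counted.
    """
    rules, remarks = {}, {}
    for raw in text.splitlines():
        m = REMARK_RE.match(raw)
        if m:
            remarks[int(m["line"])] = m["text"]
            continue
        m = RULE_RE.match(raw)
        if not m:
            continue  # header line, or a format we do not understand
        line = int(m["line"])
        if line in rules:
            rules[line]["expanded"] += 1
            continue
        rules[line] = {"acl": m["acl"], "action": m["action"], "rule": m["body"],
                       "hits": int(m["hits"]), "expanded": 0,
                       # the remark directly above a rule usually documents it
                       "remark": remarks.get(line - 1)}
    return rules

def unused_rules(rules):
    """Line numbers of rules that never matched (hitcnt=0): candidates for cleanup."""
    return sorted(line for line, r in rules.items() if r["hits"] == 0)

if __name__ == "__main__":
    parsed = parse_access_list(SAMPLE)
    for line in unused_rules(parsed):
        r = parsed[line]
        print(f"line {line}: {r['action']} {r['rule']}  # {r['remark']}")
```

Run it against the full output of `show access-list <name>` (saved to a file) to get a list of rules that can be reviewed for removal; hit counters reset on reload, so compare against the uptime before drawing conclusions.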


Show access-list beginning at a specific line:

sh access-list dmz_to_inside_outside | beg line 71


Show object (one line)

See objects on one line:

show running-config object in-line
# show running-config object in-line | incl 11.89
object network ADDR_STGMON001 host 192.168.11.89


Show object-group by name

sh run object-group id <GRP_Name>


Show running config beginning from pattern

# more system:running-config | beg tunnel-group 100.11.12.13

Delete NAT/PAT table entry

clear xlate lport 500 type dynamic local 1.2.3.4


Packet tracer

Test an access list:

If you are trying to see what traffic would do when hitting an access list, you can use packet tracer. Here is the syntax:

packet-tracer input <input interface name> <protocol> <source ip> <source port> <destination ip> <destination port>
# packet-tracer input inside tcp 192.168.68.10 1234 8.8.8.8 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 62.x.y.1 using egress ifc  outside-telekom

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside-telekom
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Accelerated security path (ASP) filter tables

This shows the detailed compiled filter list for an ACL (in/out):

show asp table filter [access-list <acl-name>] [hits]
out id=0x7f6c84f1ccb0, priority=13, domain=filter-aaa, deny=false
        hits=0, user_data=0x7f6c6fcd8840, filter_id=0xf(CARANOACL), protocol=6
        src ip=192.168.160.0, mask=255.255.255.0, port=3389
        dst ip=10.219.106.60, mask=255.255.255.255, port=0
out id=0x7f6c7df487e0, priority=13, domain=filter-aaa, deny=false
        hits=0, user_data=0x7f6c6fcd86c0, filter_id=0xf(CARANOACL), protocol=6
        src ip=10.219.106.60, mask=255.255.255.255, port=3389
        dst ip=192.168.160.0, mask=255.255.255.0, port=0

Capture traffic

Create a packet capture. If you want to capture traffic in real time, you can set up a capture on the firewall. Syntax:

capture <cap> interface <intname> match <protocol> <source> <destination>

To start capture:

# cap billcap inter outside-telekom match ip any host 8.8.8.8

To view capture detail:

show capture <capname>

To restart capture:

clear capture <capname>

To remove capture:

no capture <capname>

To view all running captures:

show capture

To download capture from firewall:

https://<FWIP>/admin/capture/<capname>/pcap


Show NAT

will show you the nat rules in the order they are processed:

show nat  

will give more detail including resolving the objects to IP addresses:

show nat detail


Write running config to Flash

write mem


NAT / PAT

yadda


Types and Rules

  1. Manual NAT Policies (Section 1)
    1. These are manual NAT rules (BEFORE AUTO-Rules)
  2. Auto NAT Policies (Section 2)
    1. These are NAT rules created automatically by adding NAT to the 'network object' object
  3. Manual NAT Policies (Section 3)
    1. These are manual NAT rules (AFTER AUTO-Rules)


Create NAT rules

Create a (default) NAT Rule (BEFORE-AUTO)

nat (guestwlan,dmz) source static NET_GUESTWIRELESS NET_GUESTWIRELESS destination static ADDR_STGKEMPHADMZ_85_EXT ADDR_STGKEMPHADMZ_85 no-proxy-arp


Create a (default) NAT Rule (BEFORE-AUTO) at a specific line number

nat (guestwlan,dmz) 9 source static NET_GUESTWIRELESS NET_GUESTWIRELESS destination static ADDR_STGKEMPHADMZ_85_EXT ADDR_STGKEMPHADMZ_85 no-proxy-arp


Create an AUTO-NAT Rule

First create the network object (if it does not exist yet):

object network YOUR_NAME_OF_OBJECT
  host 10.11.12.13
  exit


Now enter the network object again and add the NAT entry directly to the object:

object network YOUR_NAME_OF_OBJECT
  nat (dmz,outside) static 8.8.8.8
  exit

This creates an AUTO-NAT rule for traffic coming in on the 'dmz' interface and going out on the 'outside' interface,
which translates the internal IP 10.11.12.13 to the routable IP 8.8.8.8 before it leaves the network towards the internet *lol*
Be aware that the network object is then listed in two separate places in the config (the object definition and its NAT entry), so if you grep for YOUR_NAME_OF_OBJECT in the config you'll get it listed twice!


Create a NAT Rule (AFTER-AUTO) (untested!)

nat (guestwlan,dmz) after-auto source static NET_GUESTWIRELESS NET_GUESTWIRELESS destination static ADDR_STGKEMPHADMZ_85_EXT ADDR_STGKEMPHADMZ_85 no-proxy-arp



IPSec

yadda yadda

IPSec Tunnel-Template

route outside-interface-name 192.168.160.0 255.255.255.0 <IP of outside-interface-name>

object network NET_FIRMNAME 
 subnet 192.168.0.0 255.255.255.0

object-group network GRP_FIRMNAME_REMOTE_ACCESS
 network-object object NET_10.0.0.0_24
 network-object object NET_DMZ
 network-object object NET_Server

access-list DC_to_FIRMNAME_ENCDOM extended permit ip object-group GRP_FIRMNAME_REMOTE_ACCESS object NET_FIRMNAME
access-list FIRMANEACL extended permit icmp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 3389
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 22
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 6556

nat (inside,outside-telekom) source static GRP_FIRMNAME_REMOTE_ACCESS GRP_FIRMNAME_REMOTE_ACCESS destination static NET_FIRMNAME NET_FIRMNAME no-proxy-arp route-lookup
nat (dmz,outside-telekom) source static GRP_FIRMNAME_REMOTE_ACCESS GRP_FIRMNAME_REMOTE_ACCESS destination static NET_FIRMNAME NET_FIRMNAME no-proxy-arp route-lookup

group-policy FIRMNAMEACCESSPOLICY internal
group-policy FIRMNAMEACCESSPOLICY attributes
 vpn-filter value FIRMANEACL
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy FIRMNAMEACCESSPOLICY
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key <PSK>
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>
 

crypto map outside-telekom_map 40 match address DC_to_FIRMNAME_ENCDOM
crypto map outside-telekom_map 40 set peer 1.2.3.4
crypto map outside-telekom_map 40 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside-telekom_map 40 set ikev2 ipsec-proposal AES256
crypto map outside-telekom_map 40 set pfs group5
crypto map outside-telekom_map 40 set security-association lifetime kilobytes unlimited


Clear tunnel-group completely without previously deconfiguring general- and ipsec-attributes:

clear configure tunnel-group 1.2.3.4

IPSec debugging

Basic

Show established ISAKMP SAs:

show crypto isakmp sa
show isakmp sa


Show established IPsec SAs:

show crypto ipsec sa
show ipsec sa
show ipsec sa peer a.b.c.d


Start debug output (debug level 100):

debug crypto isakmp 100

or

debug crypto ipsec 100


Stop debugging:

no debug crypto isakmp

or

no debug crypto ipsec


Tear down tunnel

Find session index:

# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 100.11.12.13
Index        : 7186                   IP Addr      : 100.11.12.13   <-- note index number
Protocol     : IKEv1
Encryption   : IKEv1: (1)AES256       Hashing      : IKEv1: (1)SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Login Time   : 12:35:24 CEST Mon Apr 30 2018
Duration     : 1h:39m:56s

Kill session:

(config)# vpn-sessiondb logoff index 7186

SSL-VPN / Anyconnect

yadda yadda


SSL-VPN Client info

shows overall stats for current/cumulative/peak connections:

show vpn-sessiondb

shows user info:

show vpn-sessiondb anyconnect

shows user info on 1 line so it’s useful for searching:

show vpn-sessiondb full anyconnect


Certificate handling

yadda


Show Certs

show crypto ca certificate


Import SSL/TLS Cert and Key

Unfortunately you have to supply the certificate and key as a base64-encoded PKCS12 file:

crypto ca import trustpoint-remote.domain.tld-2020 pkcs12 <password>

Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
MIIVmQIBAzCCFV8GCSqGSIb3DQEHAaCCFVAEghVMMIIVSDCCD/8GCSqGSIb3DQEHBqCCD/Awgg/s
AgEAMIIP5QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQI72fdKN6IkNECAggAgIIPuMXN/b7v
       <snip>
hTI1xlJM6sI+Axo3UwflV10Kc+KsGBfNjnlxQDElMCMGCSqGSIb3DQEJFTEWBBRrAoZRSm257M2O
mu49GEiimnYqAjAxMCEwCQYFKw4DAhoFAAQUOmTsXE2LkxjxBKjPHWA9mizi+XkECGu5W+dQgEbq
AgIIAA==
-----END PKCS12-----
quit
% The CA cert is not self-signed.

% Do you also want to create trustpoints for CAs higher in
% the hierarchy? [yes/no]: yes
INFO: Import PKCS12 operation completed successfully


Now activate the trustpoint on interface 'outside'

ssl trust-point trustpoint-remote.domain.tld-2020 outside


SSL/TLS cipher handling

yadda


show ciphers

All:

# show ssl ciphers all
These are the ciphers for the given cipher level; not all ciphers
are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
  ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)
  ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
  DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
  [...]

Configured:

# show running-config ssl


set ciphers

ssl cipher default custom "AES128-SHA:AES256-SHA"
ssl cipher tlsv1 custom "AES128-SHA:AES256-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher dtlsv1 custom "AES128-SHA:AES256-SHA"
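As an added example that is not part of the original page, a Python check over these `ssl cipher` lines as `show running-config ssl` would print them: it flags suites without forward secrecy, CBC/HMAC-SHA1 suites, and cipher lists that are still configured for legacy protocol versions. The sample input is the four lines above; the classification rules are derived from the OpenSSL-style suite names only.

```python
import re

# Constructed sample: the four "ssl cipher" lines from the "set ciphers" section above,
# as "show running-config ssl" would print them.
SSL_CONFIG = """\
ssl cipher default custom "AES128-SHA:AES256-SHA"
ssl cipher tlsv1 custom "AES128-SHA:AES256-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher dtlsv1 custom "AES128-SHA:AES256-SHA"
"""

CIPHER_RE = re.compile(r'^ssl cipher (?P<version>\S+) custom "(?P<suites>[^"]+)"')
# Protocol versions that should no longer be offered (TLS 1.0 / DTLS 1.0).
LEGACY_VERSIONS = {"tlsv1", "dtlsv1"}

def parse_ssl_ciphers(cfg):
    """Map each ssl version keyword to its configured list of OpenSSL-style suite names."""
    result = {}
    for line in cfg.splitlines():
        m = CIPHER_RE.match(line)
        if m:
            result[m["version"]] = m["suites"].split(":")
    return result

def audit_suite(name):
    """Findings for one suite, derived from the components of its OpenSSL-style name."""
    findings = []
    if not name.startswith(("ECDHE-", "DHE-")):
        findings.append("no forward secrecy (static RSA key exchange)")
    if "-GCM-" not in name and "CHACHA20" not in name:
        findings.append("CBC mode with HMAC, no AEAD")
    if name.endswith("-SHA"):
        findings.append("HMAC-SHA1")
    if any(weak in name for weak in ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT")):
        findings.append("broken or export-grade cipher")
    return findings

def audit(cfg):
    """Return {version: {suite_or_version: [findings]}} containing only entries with findings."""
    report = {}
    for version, suites in parse_ssl_ciphers(cfg).items():
        entry = {}
        if version in LEGACY_VERSIONS:
            # The list only matters if that protocol version is still enabled on the box
            # (the configured minimum server version decides that), but it is worth a look.
            entry[version] = ["cipher list configured for a legacy protocol version"]
        for suite in suites:
            findings = audit_suite(suite)
            if findings:
                entry[suite] = findings
        if entry:
            report[version] = entry
    return report

if __name__ == "__main__":
    for version, entries in audit(SSL_CONFIG).items():
        for item, findings in entries.items():
            print(f"{version}: {item}: {'; '.join(findings)}")
```

Names printed by `show ssl ciphers all` (e.g. ECDHE-RSA-AES256-GCM-SHA384) pass every check, so the output is a direct hint which suites from that list to put into the custom strings instead.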