Cisco/CLI: Difference between revisions

From SchnallIchNet

Revision as of 2 May 2018, 10:42

Firmware upgrade

Upload the new image to the flash of both units before starting (in a failover pair a copy to the active unit is not replicated to the standby) and verify it before making it bootable.

! Verify the uploaded image against the hash published by Cisco
verify /md5 disk0:/asa964-3-smp-k8.bin

! Remove old boot image
no boot system disk0:/asa963-1-smp-k8.bin

! Add new image as primary boot with old as backup
boot system disk0:/asa964-3-smp-k8.bin
boot system disk0:/asa963-1-smp-k8.bin

! Check the boot order, then save changes to config
show bootvar
write memory

! Run the following on the active unit. This will cause the standby firewall to reload
failover reload-standby

! After getting messages that standby has rebooted, verify that failover is ready
! (the standby should show "Standby Ready" and the new version)
show failover

! This forces active firewall to become standby, and standby to active
no failover active

! Finally, on the new active unit, reload the new standby (the old active) so it boots the new image too, then check show failover again
failover reload-standby


Cheat Sheet

Another useful ASDM option is command preview: you configure things in ASDM, but before it sends them to the firewall it shows you the CLI commands it is about to use.
Enable it under ASDM > Tools > Preferences > Preview commands before sending them to the device.


Disable pager

terminal pager 0


Show NAT/PAT translation table

show xlate


Show access-group

will show you access lists bound to each interface:

show running-config | include access-group 
# sh run | incl access-gr
access-group inside_to_outside_dmz in interface inside
access-group stgoffice_to_inside_outside in interface stgoffice
access-group dmz_to_inside_outside in interface dmz
access-group guestwireless_to_inside_outside in interface guestwlan
access-group bmw_to_inside_dmz in interface bmw
access-group allowarius in interface outside-itenos
access-group outside_to_inside_dmz in interface outside-telekom


Show access-list

will show you the rules with all objects and object-groups expanded and names resolved to IPs.
It also shows you the hit count of each rule, so you can see whether it is being used (counters start from zero after a reload or clear access-list <name> counters, so a zero hit count only means something once the box has been up for a while).
Lastly it shows you the access-list line number, which you need to insert a rule in the middle of the ruleset (access-list <name> line <n> extended ...):

show access-list <access-list name>
# sh access-list inside_to_outside_dmz
access-list inside_to_outside_dmz; 381 elements; name hash: 0x9b447bd7
access-list inside_to_outside_dmz line 1 remark Allow access to SHDEAGB
access-list inside_to_outside_dmz line 2 extended permit ip object NET_RZ object SHDEAGB (hitcnt=0) 0xb3e4ce53
access-list inside_to_outside_dmz line 2 extended permit ip 10.3.11.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=0) 0xb3e4ce53
access-list inside_to_outside_dmz line 3 remark Allow access to VPN clients
access-list inside_to_outside_dmz line 4 extended permit ip object-group NET_RFC1918 object AnyConnect (hitcnt=1519518) 0xbacaa3e8
access-list inside_to_outside_dmz line 4 extended permit ip 10.0.0.0 255.0.0.0 10.219.112.0 255.255.255.0 (hitcnt=1495910) 0x7e937191
access-list inside_to_outside_dmz line 4 extended permit ip 192.168.0.0 255.255.0.0 10.219.112.0 255.255.255.0 (hitcnt=23461) 0x484233c3
access-list inside_to_outside_dmz line 4 extended permit ip 172.16.0.0 255.240.0.0 10.219.112.0 255.255.255.0 (hitcnt=147) 0xda51da6b
access-list inside_to_outside_dmz line 5 extended permit ip object-group NET_RFC1918 object NET_Stuttgart_Office (hitcnt=7856134) 0xcec84ac2
access-list inside_to_outside_dmz line 5 extended permit ip 10.0.0.0 255.0.0.0 10.3.14.0 255.255.254.0 (hitcnt=7492424) 0x6f88731b
access-list inside_to_outside_dmz line 5 extended permit ip 192.168.0.0 255.255.0.0 10.3.14.0 255.255.254.0 (hitcnt=363163) 0x6ba488f1
access-list inside_to_outside_dmz line 5 extended permit ip 172.16.0.0 255.240.0.0 10.3.14.0 255.255.254.0 (hitcnt=547) 0x71ac3184


Show access-list beginning at a specific line:

sh access-list dmz_to_inside_outside | beg line 71


Show object (oneline)

See objects on one line:

show running-config object in-line
# show running-config object in-line | incl 11.89
object network ADDR_STGMON001 host 192.168.11.89


Show running config beginning from pattern

# more system:running-config | beg tunnel-group 213.95.87.244


Delete NAT/PAT table entries (the connections using them are torn down as well)

clear xlate lport 500 type dynamic local 1.2.3.4


Packet tracer

Test an access list:

If you want to see what the firewall would do with a given flow (ACLs, NAT, routing, VPN), simulate it with packet-tracer. Syntax (append detailed to see the full rule that matched, or xml for machine-readable output):

packet-tracer input <input interface name> <protocol> <source ip> <source port> <destination ip> <destination port> [detailed] [xml]
# packet-tracer input inside tcp 192.168.68.10 1234 8.8.8.8 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 62.x.y.1 using egress ifc  outside-telekom

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside-telekom
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Capture traffic

Create a packet capture: if you want to capture traffic in real time, you can set up a capture on the firewall. Syntax:

capture <cap> interface <intname> match <protocol> <source> <destination>

To start a capture (it starts as soon as the command is entered):

# cap billcap inter outside-telekom match ip any host 8.8.8.8

The capture buffer defaults to 512 KB and capturing stops when it is full; add buffer <bytes> to enlarge it or circular-buffer to keep overwriting, and packet-length <bytes> if you need more than the default 1518 bytes per packet.

To view capture detail:

show capture <capname>

To restart capture (empties the buffer, keeps the definition):

clear capture <capname>

To remove capture:

no capture <capname>

To view all running captures:

show capture

To download capture from firewall (needs the HTTP server enabled for your source address, the same access ASDM uses, and an admin login):

https://<FWIP>/admin/capture/<capname>/pcap

or push it to a TFTP server:

copy /pcap capture:<capname> tftp://<server>/<capname>.pcap


Show NAT

will show you the NAT rules in the order they are processed (Section 1: manual/twice NAT, Section 2: object/auto NAT, Section 3: manual NAT configured with after-auto), each with its translate/untranslate hit counters:

show nat

will give more detail including resolving the objects to IP addresses:

show nat detail


Write running config to Flash

write mem

IPSec

yadda yadda

IPSec Tunnel-Template

! The remote network (the peer's encryption domain) must be routed out of the interface the crypto map is bound to;
! the next hop is the upstream gateway on that interface, not the ASA's own address
route outside-interface-name 192.168.160.0 255.255.255.0 <next-hop gateway on outside-interface-name>

object network NET_FIRMNAME
 subnet 192.168.160.0 255.255.255.0

! Local networks the peer may reach (NET_10.0.0.0_24, NET_DMZ and NET_Server are assumed to exist already)
object-group network GRP_FIRMNAME_REMOTE_ACCESS
 network-object object NET_10.0.0.0_24
 network-object object NET_DMZ
 network-object object NET_Server

! Crypto ACL (local -> remote): defines what gets encrypted
access-list DC_to_FIRMNAME_ENCDOM extended permit ip object-group GRP_FIRMNAME_REMOTE_ACCESS object NET_FIRMNAME
! vpn-filter ACL: written from the remote side's point of view (remote as source), applied to traffic in both directions.
! It is what actually restricts the peer, because with the default sysopt connection permit-vpn, VPN traffic bypasses the interface ACLs.
access-list FIRMNAMEACL extended permit icmp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS
access-list FIRMNAMEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS eq 3389
access-list FIRMNAMEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS eq 22
access-list FIRMNAMEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS eq 6556

! NAT exemption (identity NAT) so tunnel traffic is not PATed to the outside address
nat (inside,outside-telekom) source static GRP_FIRMNAME_REMOTE_ACCESS GRP_FIRMNAME_REMOTE_ACCESS destination static NET_FIRMNAME NET_FIRMNAME no-proxy-arp route-lookup
nat (dmz,outside-telekom) source static GRP_FIRMNAME_REMOTE_ACCESS GRP_FIRMNAME_REMOTE_ACCESS destination static NET_FIRMNAME NET_FIRMNAME no-proxy-arp route-lookup

group-policy FIRMNAMEACCESSPOLICY internal
group-policy FIRMNAMEACCESSPOLICY attributes
 vpn-filter value FIRMNAMEACL
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy FIRMNAMEACCESSPOLICY
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key <PSK>
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>


! The transform-set ESP-AES-256-SHA and the IKEv2 ipsec-proposal AES256 must already be defined.
! DH group 5 (1536-bit MODP) is weak by today's standards: use group 14 or better (19/20/21 for ECDH) if the peer supports it.
crypto map outside-telekom_map 40 match address DC_to_FIRMNAME_ENCDOM
crypto map outside-telekom_map 40 set peer 1.2.3.4
crypto map outside-telekom_map 40 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside-telekom_map 40 set ikev2 ipsec-proposal AES256
crypto map outside-telekom_map 40 set pfs group5
crypto map outside-telekom_map 40 set security-association lifetime kilobytes unlimited


Clear a tunnel-group completely without deconfiguring its general- and ipsec-attributes first:

clear configure tunnel-group 1.2.3.4

IPSec debugging

Basic

Show established IKE (phase 1) SAs:

show crypto isakmp sa
show isakmp sa
show crypto ikev1 sa
show crypto ikev2 sa


Show established IPsec (phase 2) SAs:

show crypto ipsec sa
show ipsec sa
show ipsec sa peer a.b.c.d


Start following the debug output (debug level = 100 on a scale of 1-255, higher is noisier). On a box with many tunnels, limit it to one peer first with debug crypto condition peer a.b.c.d, otherwise the output is unreadable:

debug crypto isakmp 100

or

debug crypto ipsec 100

or, for IKEv2 tunnels,

debug crypto ikev2 protocol 100


And stop logs:

no debug crypto isakmp

or

no debug crypto ipsec

(undebug all stops everything; debug crypto condition reset removes the peer filter again)


Tear down tunnel

Find session index:

# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 100.11.12.13
Index        : 7186                   IP Addr      : 100.11.12.13   <-- note index number
Protocol     : IKEv1
Encryption   : IKEv1: (1)AES256       Hashing      : IKEv1: (1)SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Login Time   : 12:35:24 CEST Mon Apr 30 2018
Duration     : 1h:39m:56s

Kill session:

# vpn-sessiondb logoff index 7186

Alternatively clear only the SAs of that peer (the tunnel comes back with the next interesting packet):

clear crypto ipsec sa peer 100.11.12.13
clear crypto ikev1 sa 100.11.12.13

SSL-VPN / Anyconnect

yadda yadda


SSL-VPN Client info

shows overall stats for current/cumulative/peak connections:

show vpn-sessiondb

shows the user sessions:

show vpn-sessiondb anyconnect

shows each session on one line, so it is useful for searching (pipe into | include <username>):

show vpn-sessiondb full anyconnect


Certificate handling

yadda


Show Certs

show crypto ca certificate


Import SSL/TLS Cert and Key

Unfortunately you will have to paste the certificate and key as a base64-encoded PKCS12 file (the password is the one the PKCS12 was exported with):

crypto ca import trustpoint-remote.domain.tld-2020 pkcs12 <password>

Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
MIIVmQIBAzCCFV8GCSqGSIb3DQEHAaCCFVAEghVMMIIVSDCCD/8GCSqGSIb3DQEHBqCCD/Awgg/s
AgEAMIIP5QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQI72fdKN6IkNECAggAgIIPuMXN/b7v
       <snip>
hTI1xlJM6sI+Axo3UwflV10Kc+KsGBfNjnlxQDElMCMGCSqGSIb3DQEJFTEWBBRrAoZRSm257M2O
mu49GEiimnYqAjAxMCEwCQYFKw4DAhoFAAQUOmTsXE2LkxjxBKjPHWA9mizi+XkECGu5W+dQgEbq
AgIIAA==
-----END PKCS12-----
quit
% The CA cert is not self-signed.

% Do you also want to create trustpoints for CAs higher in
% the hierarchy? [yes/no]: yes
INFO: Import PKCS12 operation completed successfully


Answer yes to the question above so the ASA also gets the intermediate CA from the file as a trustpoint and can present the chain. Check the import, then activate the trustpoint on interface 'outside' and confirm with show ssl:

show crypto ca certificate trustpoint-remote.domain.tld-2020
ssl trust-point trustpoint-remote.domain.tld-2020 outside
show ssl