Cisco/CLI: Difference between revisions
Revision as of 30 October 2019, 13:21
Contents
- 1 Firmware upgrade
- 2 Cheat Sheet
- 2.1 Show/Enable and Disable Logs in terminal
- 2.2 Disable pager
- 2.3 Show NAT/PAT translation table
- 2.4 Show access-group
- 2.5 Show access-list
- 2.6 Show object (oneline)
- 2.7 Show object-group by name
- 2.8 Show running config beginning from pattern
- 2.9 Delete NAT/PAT table entry
- 2.10 Packet tracer
- 2.11 Capture traffic
- 2.12 Show NAT
- 2.13 Write running config to Flash
- 3 NAT / PAT
- 4 IPSec
- 5 SSL-VPN / Anyconnect
- 6 Certificate handling
- 7 SSL/TLS cipher handling
Firmware upgrade
Copy (SCP) firmware to the ASA
Be sure to explicitly name the file on the target or the upload will fail.
The ASA will not name the file after the source file on its own.
scp asa<VERSION>-<PATCH>-smp-k8.bin asa.domain.tld:disk0:/asa<VERSION>-<PATCH>-smp-k8.bin
Upgrade firmware
Upload new firmware to flash before starting.
! Deactivate old boot image
no boot system disk0:/asa963-1-smp-k8.bin
! Add new image as primary boot with old as backup
boot system disk0:/asa964-3-smp-k8.bin
boot system disk0:/asa963-1-smp-k8.bin
! Save changes to config
write memory
! This will cause the standby firewall to reload
failover reload-standby
! After getting messages that standby has rebooted, verify that failover is ready
show failover
! This forces active firewall to become standby, and standby to active
no failover active
Cheat Sheet
Another thing you can do with the ASDM client is to enable command previews.
This allows you to configure things in the ASDM but before it sends them to the firewall it will show you the CLI that is being used.
This is enabled through the ASDM > Tools > Preferences > Preview commands before sending them to the device
Show/Enable and Disable Logs in terminal
Enable:
terminal monitor
Disable:
terminal no monitor
Disable pager
terminal pager 0
Show NAT/PAT translation table
show xlate
Show access-group
will show you access lists bound to each interface:
show running-config | include access-group
# sh run | incl access-gr
access-group inside_to_outside_dmz in interface inside
access-group stgoffice_to_inside_outside in interface stgoffice
access-group dmz_to_inside_outside in interface dmz
access-group guestwireless_to_inside_outside in interface guestwlan
access-group bmw_to_inside_dmz in interface bmw
access-group allowarius in interface outside-itenos
access-group outside_to_inside_dmz in interface outside-telekom
Show access-list
will show you the rules with all groups expanded and resolve names to IPs.
It also shows you the hit count of the rule so you can see if it’s not being used.
Lastly it shows you the access list sequence number if you need to put a rule in the middle of the ruleset:
show access-list <access-list name>
# sh access-list inside_to_outside_dmz
access-list inside_to_outside_dmz; 381 elements; name hash: 0x9b447bd7
access-list inside_to_outside_dmz line 1 remark Allow access to SHDEAGB
access-list inside_to_outside_dmz line 2 extended permit ip object NET_RZ object SHDEAGB (hitcnt=0) 0xb3e4ce53
  access-list inside_to_outside_dmz line 2 extended permit ip 10.3.11.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=0) 0xb3e4ce53
access-list inside_to_outside_dmz line 3 remark Allow access to VPN clients
access-list inside_to_outside_dmz line 4 extended permit ip object-group NET_RFC1918 object AnyConnect (hitcnt=1519518) 0xbacaa3e8
  access-list inside_to_outside_dmz line 4 extended permit ip 10.0.0.0 255.0.0.0 10.219.112.0 255.255.255.0 (hitcnt=1495910) 0x7e937191
  access-list inside_to_outside_dmz line 4 extended permit ip 192.168.0.0 255.255.0.0 10.219.112.0 255.255.255.0 (hitcnt=23461) 0x484233c3
  access-list inside_to_outside_dmz line 4 extended permit ip 172.16.0.0 255.240.0.0 10.219.112.0 255.255.255.0 (hitcnt=147) 0xda51da6b
access-list inside_to_outside_dmz line 5 extended permit ip object-group NET_RFC1918 object NET_Stuttgart_Office (hitcnt=7856134) 0xcec84ac2
  access-list inside_to_outside_dmz line 5 extended permit ip 10.0.0.0 255.0.0.0 10.3.14.0 255.255.254.0 (hitcnt=7492424) 0x6f88731b
  access-list inside_to_outside_dmz line 5 extended permit ip 192.168.0.0 255.255.0.0 10.3.14.0 255.255.254.0 (hitcnt=363163) 0x6ba488f1
  access-list inside_to_outside_dmz line 5 extended permit ip 172.16.0.0 255.240.0.0 10.3.14.0 255.255.254.0 (hitcnt=547) 0x71ac3184
Show access-list beginning at a specific line:
sh access-list dmz_to_inside_outside | beg line 71
Show object (oneline)
See objects on one line:
show running-config object in-line
# show running-config object in-line | incl 11.89
object network ADDR_STGMON001 host 192.168.11.89
Show object-group by name
sh run object-group id <GRP_Name>
Show running config beginning from pattern
# more system:running-config | beg tunnel-group 100.11.12.13
Delete NAT/PAT table entry
clear xlate lport 500 type dynamic local 1.2.3.4
Packet tracer
Test an access list:
If you are trying to see what traffic would do when hitting an access list, you can use packet tracer. Here is the syntax:
packet-tracer input <input interface name> <protocol> <source ip> <source port> <destination ip> <destination port>
# packet-tracer input inside tcp 192.168.68.10 1234 8.8.8.8 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 62.x.y.1 using egress ifc outside-telekom

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside-telekom
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
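Added Python example (not from the wiki) that turns packet-tracer output into structured data, so a script can check the verdict and find the phase that dropped the flow, for instance when validating a rule change. The sample is a constructed, shortened version of the output above.

```python
# Constructed sample, modelled on the packet-tracer output shown on this page.
SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (phases, summary): one dict per phase plus the trailing verdict block."""
    phases, summary, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("Phase: "):
            current = {"phase": int(line[7:])}
            phases.append(current)
        elif line == "Result:":          # a bare "Result:" opens the final summary block
            current = None
        else:
            key, sep, value = line.partition(":")
            target = summary if current is None else current
            if sep:
                target[key.lower()] = value.strip()
            elif line and current is not None and current.get("config") == "" \
                    and "additional information" not in current:
                current["config"] = line  # free-text line after "Config:", e.g. "Implicit Rule"
    return phases, summary

def blocking_phase(phases, summary):
    """The phase that produced the DROP, or None when the packet is allowed."""
    if summary.get("action") != "drop":
        return None
    return next((p for p in phases if p.get("result") == "DROP"), None)
```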
Accelerated security path (ASP) filter tables
This shows the detailed compiled filter list for an ACL (in/out):
show asp table filter [access-list <acl-name>] [hits]
out id=0x7f6c84f1ccb0, priority=13, domain=filter-aaa, deny=false
        hits=0, user_data=0x7f6c6fcd8840, filter_id=0xf(CARANOACL), protocol=6
        src ip=192.168.160.0, mask=255.255.255.0, port=3389
        dst ip=10.219.106.60, mask=255.255.255.255, port=0
out id=0x7f6c7df487e0, priority=13, domain=filter-aaa, deny=false
        hits=0, user_data=0x7f6c6fcd86c0, filter_id=0xf(CARANOACL), protocol=6
        src ip=10.219.106.60, mask=255.255.255.255, port=3389
        dst ip=192.168.160.0, mask=255.255.255.0, port=0
Capture traffic
Create a packet capture. If you want to capture traffic in real time, you can set up a trace on the firewall. Syntax:
capture <cap> interface <intname> match <protocol> <source> <destination>
To start capture:
# cap billcap inter outside-telekom match ip any host 8.8.8.8
To view capture detail:
show capture <capname>
To restart capture:
clear capture <capname>
To remove capture:
no capture <capname>
To view all running captures:
show capture
To download capture from firewall:
https://<FWIP>/admin/capture/<capname>/pcap
Show NAT
will show you the NAT rules in the order they are processed:
show nat
will give more detail including resolving the objects to IP addresses:
show nat detail
Write running config to Flash
write mem
NAT / PAT
yadda
Types and Rules
- Manual NAT Policies (Section 1)
- These are manual NAT rules (BEFORE AUTO-Rules)
- Auto NAT Policies (Section 2)
- These are NAT rules created automatically by adding a NAT statement to a 'network object' object
- Manual NAT Policies (Section 3)
- These are manual NAT rules (AFTER AUTO-Rules)
Create NAT rules
Create a (default) NAT Rule (BEFORE-AUTO)
nat (guestwlan,dmz) source static NET_GUESTWIRELESS NET_GUESTWIRELESS destination static ADDR_STGKEMPHADMZ_85_EXT ADDR_STGKEMPHADMZ_85 no-proxy-arp
Create a (default) NAT Rule (BEFORE-AUTO) at a specific line number
nat (guestwlan,dmz) 9 source static NET_GUESTWIRELESS NET_GUESTWIRELESS destination static ADDR_STGKEMPHADMZ_85_EXT ADDR_STGKEMPHADMZ_85 no-proxy-arp
Create an AUTO-NAT Rule
First create the 'network object' object (if it does not exist yet):
object network YOUR_NAME_OF_OBJECT
 host 10.11.12.13
exit
Now edit the network object again and add the NAT entry directly to the object:
object network YOUR_NAME_OF_OBJECT
 nat (dmz,outside) static 8.8.8.8
exit
This creates an AUTO-NAT rule incoming from the 'dmz' interface and outgoing to the 'outside' interface,
which translates the internal IP 10.11.12.13 to the routable IP 8.8.8.8 before the traffic leaves the network towards the internet.
Be aware that the network object is listed in two separate places within the config (once with its address, once with its NAT statement). So if you grep for YOUR_NAME_OF_OBJECT in the config you'll get it listed twice!
Create a NAT Rule (AFTER-AUTO) (untested!)
nat (guestwlan,dmz) after-auto source static NET_GUESTWIRELESS NET_GUESTWIRELESS destination static ADDR_STGKEMPHADMZ_85_EXT ADDR_STGKEMPHADMZ_85 no-proxy-arp
IPSec
yadda yadda
IPSec Tunnel-Template
route outside-interface-name 192.168.160.0 255.255.255.0 <IP of outside-interface-name>

object network NET_FIRMNAME
 subnet 192.168.0.0 255.255.255.0

object-group network GRP_FIRMNAME_REMOTE_ACCESS
 network-object object NET_10.0.0.0_24
 network-object object NET_DMZ
 network-object object NET_Server

access-list DC_to_FIRMNAME_ENCDOM extended permit ip object-group GRP_FIRMNAME_REMOTE_ACCESS object NET_FIRMNAME

access-list FIRMANEACL extended permit icmp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 3389
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 22
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 6556

nat (inside,outside-telekom) source static GRP_FIRMNAME_REMOTE_ACCESS GRP_FIRMNAME_REMOTE_ACCESS destination static NET_FIRMNAME NET_FIRMNAME no-proxy-arp route-lookup
nat (dmz,outside-telekom) source static GRP_FIRMNAME_REMOTE_ACCESS GRP_FIRMNAME_REMOTE_ACCESS destination static NET_FIRMNAME NET_FIRMNAME no-proxy-arp route-lookup

group-policy FIRMNAMEACCESSPOLICY internal
group-policy FIRMNAMEACCESSPOLICY attributes
 vpn-filter value FIRMANEACL
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy FIRMNAMEACCESSPOLICY
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key <PSK>
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>

crypto map outside-telekom_map 40 match address DC_to_FIRMNAME_ENCDOM
crypto map outside-telekom_map 40 set peer 1.2.3.4
crypto map outside-telekom_map 40 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside-telekom_map 40 set ikev2 ipsec-proposal AES256
crypto map outside-telekom_map 40 set pfs group5
crypto map outside-telekom_map 40 set security-association lifetime kilobytes unlimited
Clear tunnel-group completely without previously deconfiguring general- and ipsec-attributes:
clear configure tunnel-group 1.2.3.4
IPSec debugging
Basic
Show established isakmp sa's:
show crypto isakmp sa
show isakmp sa
Show established ipsec sa's:
show crypto ipsec sa
show ipsec sa
show ipsec sa peer a.b.c.d
Start showing/following the debug output (debug level = 100):
debug crypto isakmp 100
or
debug crypto ipsec 100
Stop the debug output:
no debug crypto isakmp
or
no debug crypto ipsec
Tear down tunnel
Find session index:
# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 100.11.12.13
Index        : 7186                   IP Addr      : 100.11.12.13    <-- note index number
Protocol     : IKEv1
Encryption   : IKEv1: (1)AES256       Hashing      : IKEv1: (1)SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Login Time   : 12:35:24 CEST Mon Apr 30 2018
Duration     : 1h:39m:56s
Kill session:
(config)# vpn-sessiondb logoff index 7186
SSL-VPN / Anyconnect
yadda yadda
SSL-VPN Client info
shows overall stats for current/cumulative/peak connections:
show vpn-sessiondb
shows user info:
show vpn-sessiondb anyconnect
shows user info on 1 line so it’s useful for searching:
show vpn-sessiondb full anyconnect
Certificate handling
yadda
Show Certs
show crypto ca certificate
Import SSL/TLS Cert and Key
Unfortunately you'll have to use a base64 encoded PKCS12 formatted file:
crypto ca import trustpoint-remote.domain.tld-2020 pkcs12 <password>

Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
MIIVmQIBAzCCFV8GCSqGSIb3DQEHAaCCFVAEghVMMIIVSDCCD/8GCSqGSIb3DQEHBqCCD/Awgg/s
AgEAMIIP5QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQI72fdKN6IkNECAggAgIIPuMXN/b7v
<snip>
hTI1xlJM6sI+Axo3UwflV10Kc+KsGBfNjnlxQDElMCMGCSqGSIb3DQEJFTEWBBRrAoZRSm257M2O
mu49GEiimnYqAjAxMCEwCQYFKw4DAhoFAAQUOmTsXE2LkxjxBKjPHWA9mizi+XkECGu5W+dQgEbq
AgIIAA==
-----END PKCS12-----
quit
% The CA cert is not self-signed.
% Do you also want to create trustpoints for CAs higher in
% the hierarchy? [yes/no]: yes
INFO: Import PKCS12 operation completed successfully
Now activate the trustpoint on interface 'outside'
ssl trust-point trustpoint-remote.domain.tld-2020 outside
SSL/TLS cipher handling
yadda
show ciphers
All:
# show ssl ciphers all
These are the ciphers for the given cipher level; not all ciphers
are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
  ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)
  ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
  DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
  [...]
Configured:
# show running-config ssl
set ciphers
ssl cipher default custom "AES128-SHA:AES256-SHA"
ssl cipher tlsv1 custom "AES128-SHA:AES256-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher dtlsv1 custom "AES128-SHA:AES256-SHA"
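As an added review check (not part of the wiki page), the following Python script parses "ssl cipher ... custom" lines like the ones above and flags what a reviewer would look for: suites with static RSA key exchange (no forward secrecy), CBC suites with HMAC-SHA1, and the tlsv1/dtlsv1 lines that keep the deprecated 1.0 protocol versions enabled. The classification is based on the OpenSSL-style suite names the ASA prints, not on any ASA API; the sample config is constructed from the lines above.

```python
import re

# Constructed sample: the "ssl cipher" lines from this page's configuration example.
SAMPLE = """\
ssl cipher default custom "AES128-SHA:AES256-SHA"
ssl cipher tlsv1 custom "AES128-SHA:AES256-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher dtlsv1 custom "AES128-SHA:AES256-SHA"
"""

CIPHER_RE = re.compile(r'^ssl cipher (?P<version>\S+) custom "(?P<list>[^"]+)"')

def classify(suite):
    """Describe one OpenSSL-style suite name by key exchange, mode and MAC."""
    return {
        "suite": suite,
        "pfs": suite.startswith(("ECDHE-", "DHE-")),       # ephemeral (EC)DH key exchange
        "aead": "-GCM-" in suite or "CHACHA20" in suite,   # authenticated encryption, no HMAC
        "sha1_mac": suite.endswith("-SHA"),                # CBC suite with HMAC-SHA1
    }

def audit_ssl_config(text):
    """Return {version: [findings]} for every 'ssl cipher <version> custom' line."""
    findings = {}
    for line in text.splitlines():
        m = CIPHER_RE.match(line.strip())
        if not m:
            continue
        version, issues = m.group("version"), []
        if version in ("tlsv1", "dtlsv1"):
            issues.append("legacy protocol version still enabled")
        for suite in m.group("list").split(":"):
            c = classify(suite)
            if not c["pfs"]:
                issues.append(f"{suite}: static RSA key exchange, no forward secrecy")
            if c["sha1_mac"] and not c["aead"]:
                issues.append(f"{suite}: CBC mode with HMAC-SHA1")
        findings[version] = issues
    return findings

if __name__ == "__main__":
    for version, issues in audit_ssl_config(SAMPLE).items():
        print(version, "->", "ok" if not issues else "; ".join(issues))
```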