Cisco/CLI: Difference between revisions
Revision as of 12 October 2017, 14:23
Cheat Sheet
Another thing you can do with the ASDM client is to enable command previews.
This allows you to configure things in the ASDM but before it sends them to the firewall it will show you the CLI that is being used.
This is enabled through the ASDM > Tools > Preferences > Preview commands before sending them to the device
Disable pager
terminal pager 0
Show access-group
will show you access lists bound to each interface:
show running-config | include access-group
# sh run | incl access-gr
access-group inside_to_outside_dmz in interface inside
access-group stgoffice_to_inside_outside in interface stgoffice
access-group dmz_to_inside_outside in interface dmz
access-group guestwireless_to_inside_outside in interface guestwlan
access-group bmw_to_inside_dmz in interface bmw
access-group allowarius in interface outside-itenos
access-group outside_to_inside_dmz in interface outside-telekom
Show access-list
will show you the rules with all groups expanded and names resolved to IPs.
It also shows you the hit count of each rule, so you can see whether it is ever matched.
Lastly it shows you the access-list line number, which you need if you want to insert a rule in the middle of the ruleset:
show access-list <access-list name>
# sh access-list inside_to_outside_dmz
access-list inside_to_outside_dmz; 381 elements; name hash: 0x9b447bd7
access-list inside_to_outside_dmz line 1 remark Allow access to SHDEAGB
access-list inside_to_outside_dmz line 2 extended permit ip object NET_RZ object SHDEAGB (hitcnt=0) 0xb3e4ce53
  access-list inside_to_outside_dmz line 2 extended permit ip 10.3.11.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=0) 0xb3e4ce53
access-list inside_to_outside_dmz line 3 remark Allow access to VPN clients
access-list inside_to_outside_dmz line 4 extended permit ip object-group NET_RFC1918 object AnyConnect (hitcnt=1519518) 0xbacaa3e8
  access-list inside_to_outside_dmz line 4 extended permit ip 10.0.0.0 255.0.0.0 10.219.112.0 255.255.255.0 (hitcnt=1495910) 0x7e937191
  access-list inside_to_outside_dmz line 4 extended permit ip 192.168.0.0 255.255.0.0 10.219.112.0 255.255.255.0 (hitcnt=23461) 0x484233c3
  access-list inside_to_outside_dmz line 4 extended permit ip 172.16.0.0 255.240.0.0 10.219.112.0 255.255.255.0 (hitcnt=147) 0xda51da6b
access-list inside_to_outside_dmz line 5 extended permit ip object-group NET_RFC1918 object NET_Stuttgart_Office (hitcnt=7856134) 0xcec84ac2
  access-list inside_to_outside_dmz line 5 extended permit ip 10.0.0.0 255.0.0.0 10.3.14.0 255.255.254.0 (hitcnt=7492424) 0x6f88731b
  access-list inside_to_outside_dmz line 5 extended permit ip 192.168.0.0 255.255.0.0 10.3.14.0 255.255.254.0 (hitcnt=363163) 0x6ba488f1
  access-list inside_to_outside_dmz line 5 extended permit ip 172.16.0.0 255.240.0.0 10.3.14.0 255.255.254.0 (hitcnt=547) 0x71ac3184
Show access-list beginning at a specific line:
sh access-list dmz_to_inside_outside | beg line 71
Show object (oneline)
See objects on one line:
show running-config object in-line
# show running-config object in-line | incl 11.89
object network ADDR_STGMON001 host 192.168.11.89
Packet tracer
Test an access list:
If you are trying to see what traffic would do when hitting an access list, you can use packet tracer. Here is the syntax:
packet-tracer input <input interface name> <protocol> <source ip> <source port> <destination ip> <destination port>
# packet-tracer input inside tcp 192.168.68.10 1234 8.8.8.8 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 62.x.y.1 using egress ifc outside-telekom

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside-telekom
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
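When you run packet-tracer for many flows (for example to verify a ruleset change), it helps to pull out the phase that dropped the packet mechanically. Added Python example, not part of the wiki page; the sample is an abridged, constructed copy of the run above.

```python
# Constructed sample, abridged from the packet-tracer run shown above
SAMPLE = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Additional Information:
found next-hop 62.x.y.1 using egress ifc outside-telekom

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule

Result:
input-interface: inside
output-interface: outside-telekom
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split the output into per-phase dicts plus the final 'Result:' block.
    'key: value' lines become dict entries; free-text lines go to 'info'."""
    phases, final, cur = [], {"info": []}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, val = (s.strip() for s in line.partition(":"))
        if key == "Phase":                 # start of a new phase
            cur = {"phase": int(val), "info": []}
            phases.append(cur)
        elif key == "Result" and not val:  # bare 'Result:' opens the final block
            cur = final
        elif cur is None:
            continue
        elif sep:
            cur[key] = val
        else:
            cur["info"].append(line.strip())
    return {"phases": phases, "final": final}

def drop_phase(parsed):
    """First phase whose Result is DROP, or None when the flow is allowed."""
    return next((p for p in parsed["phases"] if p.get("Result") == "DROP"), None)
```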
Capture traffic
Create a packet capture
If you want to capture traffic in real time, you can set up a capture on the firewall. Syntax:
capture <cap> interface <intname> match <protocol> <source> <destination>
To start capture:
# cap billcap inter outside-telekom match ip any host 8.8.8.8
To view capture detail:
show capture <capname>
To restart capture:
clear capture <capname>
To remove capture:
no capture <capname>
To view all running captures:
show capture
To download capture from firewall:
https://<FWIP>/admin/capture/<capname>/pcap
Show NAT
will show you the nat rules in the order they are processed:
show nat
will give more detail including resolving the objects to IP addresses:
show nat detail
Write running config to Flash
write mem
IPSec
yadda yadda
IPSec Tunnel-Template
route outside-interface-name 192.168.160.0 255.255.255.0 <IP of outside-interface-name>
object network NET_FIRMNAME
 subnet 192.168.0.0 255.255.255.0
object-group network GRP_FIRMNAME_REMOTE_ACCESS
 network-object object NET_10.0.0.0_24
 network-object object NET_DMZ
 network-object object NET_Server
access-list DC_to_FIRMNAME_ENCDOM extended permit ip object-group GRP_FIRMNAME_REMOTE_ACCESS object NET_FIRMNAME
access-list FIRMANEACL extended permit icmp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 3389
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 22
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 6556
nat (inside,outside-telekom) source static GRP_FIRMNAME_REMOTE_ACCESS GRP_FIRMNAME_REMOTE_ACCESS destination static NET_FIRMNAME NET_FIRMNAME no-proxy-arp route-lookup
nat (dmz,outside-telekom) source static GRP_FIRMNAME_REMOTE_ACCESS GRP_FIRMNAME_REMOTE_ACCESS destination static NET_FIRMNAME NET_FIRMNAME no-proxy-arp route-lookup
group-policy FIRMNAMEACCESSPOLICY internal
group-policy FIRMNAMEACCESSPOLICY attributes
 vpn-filter value FIRMANEACL
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy FIRMNAMEACCESSPOLICY
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key <PSK>
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>
crypto map outside-telekom_map 40 match address DC_to_FIRMNAME_ENCDOM
crypto map outside-telekom_map 40 set peer 1.2.3.4
crypto map outside-telekom_map 40 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside-telekom_map 40 set ikev2 ipsec-proposal AES256
crypto map outside-telekom_map 40 set pfs
IPSec debugging
Basic
Show established ISAKMP SAs:
show crypto isakmp sa
show isakmp sa
Show established IPsec SAs:
show crypto ipsec sa
show ipsec sa
show ipsec sa peer a.b.c.d
Start debug logging:
debug crypto isakmp
or
debug crypto ipsec
Stop debug logging:
no debug crypto isakmp
or
no debug crypto ipsec
SSL-VPN / Anyconnect
yadda yadda
SSL-VPN Client info
shows overall stats for current/cumulative/peak connections:
show vpn-sessiondb
shows user info:
show vpn-sessiondb anyconnect
shows user info on one line per session, which is useful for searching:
show vpn-sessiondb full anyconnect