dokucama

User Tools

Site Tools

Trace:
network_stuff:cisco:asa

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
network_stuff:cisco:asa [2020/07/30 17:04] jotasandokunetwork_stuff:cisco:asa [2023/11/02 14:38] (current) – external edit 127.0.0.1
Line 1: Line 1:
 **__CISCO ASA__**\\ **__CISCO ASA__**\\
-//Configuration:\\+//Configuration:\\//
   - Set ip addresses   - Set ip addresses
   - Set security levels   - Set security levels
Line 31: Line 31:
 \\ \\
 Concept of **service policy** : Concept of **service policy** :
-  show service policy set connection detail+  show service policy set connection detail   # shows what inspections are applied, and what class-maps they are assigned to.
 This is to see all the class-map with the number of packets and rate they are hit This is to see all the class-map with the number of packets and rate they are hit
 \\ \\
Line 86: Line 86:
   show conn all   show conn all
   show access-list    <-- for the hit count    show access-list    <-- for the hit count 
 +
 +
 +----
 +
 \\ \\
-\\ +__**NAT**__\\ 
-__**NAT**__ + 
-Essential resource: NAT cheat sheet: See: [[http://packetpushers.net/cisco-nat-cheat-sheet]]/+[[http://blog.packetsar.com/wp-content/uploads/Cisco_NAT_Cheat_Sheet.pdf]] 
 + 
 +{{ :network_stuff:cisco:nat1.png?400 |}}
 \\ \\
 {{ :network_stuff:cisco:asa_order_operations1.jpg?600 |}} {{ :network_stuff:cisco:asa_order_operations1.jpg?600 |}}
Line 168: Line 174:
 **Unified NAT** is used instead of NAT order meaning to down and more specific first order.  **Unified NAT** is used instead of NAT order meaning to down and more specific first order. 
 \\ \\
 +
  
 ---- ----
 +
 +__INSERT ACCESS LIST IN POSITIONS__:\\
 +
 +  access-list outside-in line 1 extended permit tcp object-group mycompany1-networks object tanium-internal eq 17472 # Ao line x is what you’re looking for on where to put the new rule
 +  show access list # blah it’ll show you the rule number order
 +  
 +
 +----
 +
 +
  
 **Troubleshooting**  **Troubleshooting** 
Line 181: Line 198:
   show conn count   show conn count
   show processes cpu-usage sorted non-zero   show processes cpu-usage sorted non-zero
-  fw01/dc.grapeshot.co.uk/pri/act# show perfmon +  fw01/dc.mycompany1.co.uk/pri/act# show perfmon 
      
   PERFMON STATS:                     Current      Average   PERFMON STATS:                     Current      Average
Line 279: Line 296:
 \\ \\
  
-  sh vpn-sessiondb remote (IPSec Remote VPN Clients) +  show vpn-sessiondb remote (IPSec Remote VPN Clients) 
-  sh vpn-sessiondb l2l (L2L Tunnels) +  show vpn-sessiondb l2l (L2L Tunnels) 
-  sh vpn-sessiondb svc (SSL VPN / Anyconnect Clients)+  show vpn-sessiondb svc (SSL VPN / Anyconnect Clients) 
 +  show vpn-sessiondb anyconnect # (SSL VPN / Anyconnect Clients) 
 +  
 \\ \\
 To clear down a tunnel: To clear down a tunnel:
Line 337: Line 356:
 \\ \\
 **NAT** **NAT**
-  sh nat+  show nat
 Several exempts: Several exempts:
   from inside to inside  <<< Review when and how natting is needed inside same sec-level ifaces. network-control   from inside to inside  <<< Review when and how natting is needed inside same sec-level ifaces. network-control
Line 491: Line 510:
 \\ \\
  
-  ldngs28vpnfw01# sh crypto isakmp sa+  ldngs28vpnfw01# show crypto isakmp sa
  
   Active SA: 11   Active SA: 11
Line 502: Line 521:
 \\ \\
          
-  ldngs28vpnfw01# sh crypto ipsec sa peer 213.61.9.96+  ldngs28vpnfw01# show crypto ipsec sa peer 213.61.9.96
   peer address: 213.61.9.96   peer address: 213.61.9.96
   Crypto map tag: outside_map, seq num: 7, local addr: 94.142.184.25   Crypto map tag: outside_map, seq num: 7, local addr: 94.142.184.25
Line 824: Line 843:
 Network Operations profile: Network Operations profile:
  
-ukvpn.marketaxess.com/NETOPSSLVPN+ukvpn.mycompany4.com/NETOPSSLVPN
    
  
Line 949: Line 968:
  
  
-vpn.marketaxess.com +vpn.mycompany4.com 
-usvpn.marketaxess.com (legacy?) +usvpn.mycompany4.com (legacy?) 
-ukvpn.marketaxess.com+ukvpn.mycompany4.com
  
 Anyconnect. To check who is currently connected: Anyconnect. To check who is currently connected:
Line 976: Line 995:
  
  
-Essential resource: NAT cheat sheet: See: http:packetpushers.net/cisco-nat-cheat-sheet+Essential resource: NAT cheat sheet: See: [[http://blog.packetsar.com/wp-content/uploads/Cisco_NAT_Cheat_Sheet.pdf]] 
 +\\ 
 +{{:network_stuff:cisco:nat1.png?700|}}
  
- +{{:network_stuff:cisco:nat2.png?700|}} 
  
 Packet flow: Packet flow:
Line 1114: Line 1135:
  
 Unified NAT is used instead of NAT order meaning to down and more specific first order.  Unified NAT is used instead of NAT order meaning to down and more specific first order. 
 +
    
 Review "Sample Error Messages" from http:www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html Review "Sample Error Messages" from http:www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
Line 1298: Line 1320:
  
  
 +----
 +
 +  conf t
 +  pager 0 # to stop scroll pauses
 +  
  
 ---- ----
 +
  
 **FIREPOWER** ( new evolved asa ) \\ **FIREPOWER** ( new evolved asa ) \\
   * Sourcefire was acquired by Cisco several years ago and now going to change name to NGIPS Firepower center   * Sourcefire was acquired by Cisco several years ago and now going to change name to NGIPS Firepower center
   * This is what is added to the asa access ctrl and vpn [[https://blogs.cisco.com/security/3-reasons-to-upgrade-from-cisco-asa-to-cisco-firepower-ngfw-today]]   * This is what is added to the asa access ctrl and vpn [[https://blogs.cisco.com/security/3-reasons-to-upgrade-from-cisco-asa-to-cisco-firepower-ngfw-today]]
-  * NGIPS : Intrution prention, is not even degraded wheb we turn it on!+  * The 4100 Series platforms can run either the Cisco ASA Firewall or Cisco Firepower Threat Defense (FTD) 
 + 
 +  * NGIPS : Intrusion prention, is not even degraded wheb we turn it on!
     * Threat intelligence, policy information and event data     * Threat intelligence, policy information and event data
   * Cisco NGFW shares policy information with the **Cisco Identity Services Engine (ISE)** so that ISE can automatically enforce policy on devices.   * Cisco NGFW shares policy information with the **Cisco Identity Services Engine (ISE)** so that ISE can automatically enforce policy on devices.
  
-Management:\\ +MANAGEMENT:\\
   * Firepower Device Manager (FDM)   * Firepower Device Manager (FDM)
-  * Firepower Management Center (FMC) +  * Cisco Firepower Management Center (FMC) 
-  * Defense Orchestrator (CDO) +  * Cisco Defense Orchestrator (CDO)
- +
  
 ---- ----
network_stuff/cisco/asa.1596128645.txt.gz · Last modified: (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki