network_stuff:cisco:asa

Differences

This shows you the differences between two versions of the page.

network_stuff:cisco:asa [2020/08/23 11:24] jotasandokunetwork_stuff:cisco:asa [2023/11/02 14:38] (current) – external edit 127.0.0.1
Line 86: Line 86:
   show conn all   show conn all
   show access-list    <-- for the hit count    show access-list    <-- for the hit count 
 +
 +
 +----
 +
 \\ \\
-\\ +__**NAT**__\\ 
-__**NAT**__ + 
-Essential resource: NAT cheat sheet: See: [[http://packetpushers.net/cisco-nat-cheat-sheet]]/+[[http://blog.packetsar.com/wp-content/uploads/Cisco_NAT_Cheat_Sheet.pdf]] 
 + 
 +{{ :network_stuff:cisco:nat1.png?400 |}}
 \\ \\
 {{ :network_stuff:cisco:asa_order_operations1.jpg?600 |}} {{ :network_stuff:cisco:asa_order_operations1.jpg?600 |}}
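Review bot: the replacement line `+[[http://blog.packetsar.com/wp-content/uploads/Cisco_NAT_Cheat_Sheet.pdf]]` drops the "Essential resource: NAT cheat sheet:" label that the removed line carried, so the `__**NAT**__` heading is now followed by a bare URL with no description, while the same link added later in this revision keeps the label. Suggest `Essential resource: NAT cheat sheet: [[http://blog.packetsar.com/wp-content/uploads/Cisco_NAT_Cheat_Sheet.pdf|Cisco NAT cheat sheet (PDF)]]` so the two sections match and the link has readable text. The stray trailing `/` on the removed line is correctly gone.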
Line 168: Line 174:
 **Unified NAT** is used instead of NAT order meaning to down and more specific first order.  **Unified NAT** is used instead of NAT order meaning to down and more specific first order. 
 \\ \\
 +
  
 ---- ----
 +
 +__INSERT ACCESS LIST IN POSITIONS__:\\
 +
 +  access-list outside-in line 1 extended permit tcp object-group mycompany1-networks object tanium-internal eq 17472 # Ao line x is what you’re looking for on where to put the new rule
 +  show access list # blah it’ll show you the rule number order
 +  
 +
 +----
 +
 +
  
 **Troubleshooting**  **Troubleshooting** 
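Review bot: in the added INSERT ACCESS LIST IN POSITIONS block, `show access list` should be `show access-list` (the form used for the hit-count note earlier on this page), and `# Ao line x` reads as a typo for `# So line x`. Because the example uses `line 1`, the new ACE lands at the very top and is evaluated before every existing entry; say that explicitly and tell the reader to take the line number from `show access-list` output first, otherwise someone copying the line as-is places a new permit ahead of existing denies. The object names `mycompany1-networks` / `tanium-internal` and port `17472` are values from one environment and should be marked as such.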
Line 181: Line 198:
   show conn count   show conn count
   show processes cpu-usage sorted non-zero   show processes cpu-usage sorted non-zero
-  fw01/dc.grapeshot.co.uk/pri/act# show perfmon +  fw01/dc.mycompany1.co.uk/pri/act# show perfmon 
      
   PERFMON STATS:                     Current      Average   PERFMON STATS:                     Current      Average
Line 279: Line 296:
 \\ \\
  
-  sh vpn-sessiondb remote (IPSec Remote VPN Clients) +  show vpn-sessiondb remote (IPSec Remote VPN Clients) 
-  sh vpn-sessiondb l2l (L2L Tunnels) +  show vpn-sessiondb l2l (L2L Tunnels) 
-  sh vpn-sessiondb svc # (SSL VPN / Anyconnect Clients) +  show vpn-sessiondb svc # (SSL VPN / Anyconnect Clients) 
-  sh vpn-sessiondb anyconnect # (SSL VPN / Anyconnect Clients)+  show vpn-sessiondb anyconnect # (SSL VPN / Anyconnect Clients)
      
 \\ \\
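Review bot: the four `show vpn-sessiondb` lines annotate inconsistently: `remote` and `l2l` put the description in bare parentheses, `svc` and `anyconnect` prefix it with `#`. Pick one form. Also `svc` and `anyconnect` carry the identical description `(SSL VPN / Anyconnect Clients)`; if `svc` is kept for older software releases, say so in the annotation, otherwise drop one of the two.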
Line 339: Line 356:
 \\ \\
 **NAT** **NAT**
-  sh nat+  show nat
 Several exempts: Several exempts:
   from inside to inside  <<< Review when and how natting is needed inside same sec-level ifaces. network-control   from inside to inside  <<< Review when and how natting is needed inside same sec-level ifaces. network-control
Line 493: Line 510:
 \\ \\
  
-  ldngs28vpnfw01# sh crypto isakmp sa+  ldngs28vpnfw01# show crypto isakmp sa
  
   Active SA: 11   Active SA: 11
Line 504: Line 521:
 \\ \\
          
-  ldngs28vpnfw01# sh crypto ipsec sa peer 213.61.9.96+  ldngs28vpnfw01# show crypto ipsec sa peer 213.61.9.96
   peer address: 213.61.9.96   peer address: 213.61.9.96
   Crypto map tag: outside_map, seq num: 7, local addr: 94.142.184.25   Crypto map tag: outside_map, seq num: 7, local addr: 94.142.184.25
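Review bot: the sanitization applied elsewhere in this revision (`dc.grapeshot.co.uk` to `dc.mycompany1.co.uk`, `marketaxess.com` to `mycompany4.com`) is not applied here: the prompt `ldngs28vpnfw01#` (in this hunk and in the `show crypto isakmp sa` hunk above) and the public addresses `213.61.9.96` and `94.142.184.25` in the `show crypto ipsec sa peer` output remain. Replace them with placeholders (for example `fw01#`, `<PEER_IP>`, `<LOCAL_IP>`) so the page does not expose real tunnel endpoints and hostnames.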
Line 826: Line 843:
 Network Operations profile: Network Operations profile:
  
-ukvpn.marketaxess.com/NETOPSSLVPN+ukvpn.mycompany4.com/NETOPSSLVPN
    
  
Line 951: Line 968:
  
  
-vpn.marketaxess.com +vpn.mycompany4.com 
-usvpn.marketaxess.com (legacy?) +usvpn.mycompany4.com (legacy?) 
-ukvpn.marketaxess.com+ukvpn.mycompany4.com
  
 Anyconnect. To check who is currently connected: Anyconnect. To check who is currently connected:
Line 978: Line 995:
  
  
-Essential resource: NAT cheat sheet: See: http:packetpushers.net/cisco-nat-cheat-sheet+Essential resource: NAT cheat sheet: See: [[http://blog.packetsar.com/wp-content/uploads/Cisco_NAT_Cheat_Sheet.pdf]] 
 +\\ 
 +{{:network_stuff:cisco:nat1.png?700|}}
  
- +{{:network_stuff:cisco:nat2.png?700|}} 
  
 Packet flow: Packet flow:
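Review bot: this hunk adds a second NAT section carrying the same cheat-sheet link and the same `nat1.png` image (at `?700` here versus `?400` in the NAT section earlier in this revision), and the "Unified NAT is used instead of NAT order ..." sentence now appears twice on the page. Consolidate the two into one section, or have one cross-reference the other, so future corrections do not have to be made twice. The removed line's `http:packetpushers.net/...` was missing `//`; the replacement link fixes that.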
Line 1116: Line 1135:
  
 Unified NAT is used instead of NAT order meaning to down and more specific first order.  Unified NAT is used instead of NAT order meaning to down and more specific first order. 
 +
    
 Review "Sample Error Messages" from http:www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html Review "Sample Error Messages" from http:www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
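Review bot: this hunk only inserts a blank line, but the context line `Review "Sample Error Messages" from http:www.cisco.com/...` is missing `//` after `http:` and will not render as a link; wrap it as `[[http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html|Sample Error Messages]]`. The preceding sentence "Unified NAT is used instead of NAT order meaning to down and more specific first order." is hard to parse; reword it along the lines of "Unified NAT is used instead of NAT order: rules are evaluated top to bottom, with the more specific rule taking precedence."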
Line 1300: Line 1320:
  
  
 +----
 +
 +  conf t
 +  pager 0 # to stop scroll pauses
 +  
  
 ---- ----
 +
  
 **FIREPOWER** ( new evolved asa ) \\ **FIREPOWER** ( new evolved asa ) \\
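Review bot: the added `pager 0` is entered under `conf t`, so it changes the running configuration of the device rather than the current session only; the comment `# to stop scroll pauses` should say whether this is meant to persist (and then be followed by `write memory`) or is a temporary change to revert afterwards. If the intent is just to stop scroll pauses for the current login, the per-session `terminal pager 0` form avoids touching the configuration at all.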
network_stuff/cisco/asa.1598181872.txt.gz · Last modified: (external edit)