Category: asa

Troubleshooting Cisco ASA 5500 Firewalls

How to list the interfaces and their names (nameif)?
# show nameif
– Maps each physical or sub-interface to its nameif and security level. It does not show interface descriptions; those are in show running-config interface.

How to remove an entire access list?
# clear configure access-list <ACL-Name>
– Omitting the ACL name removes every access list on the box, and clear configure can wipe many other parts of the configuration, so double-check the argument before you press Enter.

How to view the name, IP address and state of each interface, similar to show ip interface brief on a router?
# show interface ip brief
– Note the word order: the ASA puts interface before ip, the reverse of the router command.

How to find out which unit is active and which is standby in an HA pair?
# show failover
– Shows which unit is active and which is standby, whether the standby unit is ready to take over, and the monitoring state of each interface (whether it is monitored and whether it is up or failed).

How to view interface statistics and port status?
# show interface gigabitethernet <slot/port>
– Very similar to show interface on a router or switch: link state, speed/duplex, packet and error counters.

How to view line numbers and hit counters on an access list?
# show access-list -> shows all access lists
# show access-list <ACL-NAME> -> shows one ACL, one entry per line with its line number and hitcnt

How to view information on Cooling fans, Power supplies, Temperature and Voltage
# show environment
***This is going to be different on different models

How to find the address a known IP address is NAT'd to?
# show xlate -> shows all active NAT translations
# show xlate | include <known IP address> -> shows only the translations involving that address
– Very useful on version 8.3 and above, where the real and mapped addresses are not together in the configuration: object NAT lives under the network objects and manual (twice) NAT in the nat section. show xlate shows what is actually being translated right now, so it only lists translations that currently exist; show nat lists the rules themselves.

How to view each connection going through the ASA?
# show conn

How to view the files on the flash card?
# show flash

How to view the software image the system will use on the next boot?
# show bootvar
– The ASA runs its own software image, not IOS. show version shows the image that is currently running.

How to view CPU utilization and process information? ***command may vary by model and software release
# show cpu usage -> shows the 5 second, 1 minute and 5 minute averages
# show processes [cpu-hog|cpu-usage|internals|memory] -> per-process detail; cpu-usage shows how much CPU each process is consuming, cpu-hog lists processes that held the CPU for too long

packet-tracer is a great tool for checking whether a given flow would be allowed through the firewall. It walks a synthetic packet through every processing phase (route lookup, ACL, NAT, inspection and so on) and reports the result of each. It only works on routed firewalls; it does not work in transparent mode.

# packet-tracer input <incoming-interface> <icmp|rawip|tcp|udp> <source-IP> <source-port> <destination-IP> <destination-port>

Example: # packet-tracer input inside tcp 192.168.1.1 1024 172.16.1.1 80
** The source port usually does not matter (1024 is a convenient value), unless an ACL or NAT rule matches on the source port.
Follow the output down the screen: the first phase with Result: DROP is where the flow fails, and the Action and Drop-reason lines at the end give the verdict. When the drop is an ACL, the ACCESS-LIST phase names the access-group and the matching deny entry; if no explicit rule matched it just says Implicit Rule, which does not tell you which permit you were expecting to hit.
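Reading a long packet-tracer trace by eye is error-prone when it has a dozen phases, so here is a small parser that picks out the first DROP phase and the Drop-reason. This is an added example, not code from the original page; the sample output is constructed by hand in the Phase/Type/Result/Config layout the ASA prints, and the ACL name, interface names and addresses in it are illustrative.

```python
"""Pick out the failing phase from ASA packet-tracer output.

Added example, not code from the original page. The sample output below is
constructed by hand to match the Phase/Type/Result/Config layout the ASA
prints; the ACL name, interfaces and addresses are illustrative, not taken
from a real device.
"""
import re

# Constructed sample: routing succeeds, then an explicit ACL deny drops the flow.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.1.0      255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny tcp any any eq www
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_phases(text):
    """Return one dict per phase: number, type, subtype, result and Config lines.

    For an ACCESS-LIST phase the Config lines are the access-group plus the
    matching ACE, or 'Implicit Rule' when only the default deny matched.
    """
    phases = []
    # re.split with one capture group alternates: [preamble, num1, body1, num2, body2, ...]
    parts = re.split(r"^Phase: (\d+)\n", text, flags=re.M)
    for num, body in zip(parts[1::2], parts[2::2]):
        # The trailing summary ("Result:\ninput-interface: ...") is glued to the last body.
        body = body.split("\nResult:\n", 1)[0]
        phase = {"phase": int(num), "type": "", "subtype": "", "result": "", "config": []}
        in_config = False
        for line in body.splitlines():
            if line.startswith("Type:"):
                phase["type"] = line.split(":", 1)[1].strip()
            elif line.startswith("Subtype:"):
                phase["subtype"] = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):
                phase["result"] = line.split(":", 1)[1].strip()
            elif line.startswith("Config:"):
                in_config = True
            elif line.startswith("Additional Information:"):
                in_config = False
            elif in_config and line.strip():
                phase["config"].append(line.strip())
        phases.append(phase)
    return phases


def final_action(text):
    """The verdict from the summary block ('allow' or 'drop'), or None if absent."""
    m = re.search(r"^Action: (\w+)\s*$", text, flags=re.M)
    return m.group(1).lower() if m else None


def find_drop(text):
    """Return (phase, drop_reason) for the first phase whose Result is DROP.

    phase is None when every phase allowed the packet; drop_reason is the text
    of the trailing Drop-reason line, or None if there is none.
    """
    m = re.search(r"^Drop-reason: (.*)$", text, flags=re.M)
    reason = m.group(1).strip() if m else None
    for phase in parse_phases(text):
        if phase["result"] == "DROP":
            return phase, reason
    return None, reason


if __name__ == "__main__":
    dropped, why = find_drop(SAMPLE_OUTPUT)
    if dropped is None:
        print("allowed")
    else:
        print(f"dropped in phase {dropped['phase']} ({dropped['type']}): {why}")
        for cfg in dropped["config"]:
            print("  " + cfg)
```

Paste real packet-tracer output into SAMPLE_OUTPUT (or read it from a file) and run it; if the dropping phase's config lines say only Implicit Rule, the ACL in question has no entry matching the flow at all, which is the case the page warns about.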

The ASA has a built-in packet capture feature, so you can easily capture any traffic flow passing through it.

1. Create an ACL that describes the traffic you are looking for, in both directions. The reply packets carry the service port as their source port, so the port keyword moves to the source side on the return line:

access-list 100 extended permit tcp host <source ip> host <destination ip> eq <port>
access-list 100 extended permit tcp host <destination ip> eq <port> host <source ip>

2. Create the capture and attach it to the interface the traffic enters on (a capture on an interface sees both ingress and egress packets there, so the replies are caught as well):

capture <capture name> access-list <acl name/number> buffer 700000 interface <interface traffic is entering> packet-length <packet length, e.g. 1518>

3. Have the user perform a test.
4. Copy the capture to your PC.

Use a web browser and go to https://<ASA's IP>/capture/<capture name>/pcap

It will prompt you to log in, then to download the file. This needs the ASA's HTTP server enabled and your management host permitted (http server enable, http <network> <mask> <interface>), the same as for ASDM access.

You can also look at the output on the ASA with the "show capture <capture-name>" command. Remove the capture with "no capture <capture name>" when you are done so it stops consuming buffer memory.

*** Write the ACL for traffic in both directions. If you don't, you will only see one side of the conversation.
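The two easy mistakes in this procedure are getting the return-direction ACE wrong and ending up with an HTML login page saved as "capture.pcap". The following is an added example, not code from the original page: it generates the ACL and capture lines with the port on the correct side for each direction, and checks that what came back from the /capture/<name>/pcap URL really starts with a pcap or pcapng magic number. It assumes the ASA's HTTPS server answers that URL with an HTTP basic-auth challenge (the login prompt the page describes); the capture name, ACL name, addresses and host names are illustrative.

```python
"""Build a bidirectional ASA capture and check what you downloaded really is a pcap.

Added example, not code from the original page. Assumes the ASA's HTTPS
server answers https://<asa>/capture/<name>/pcap with an HTTP basic-auth
challenge; the names, addresses and ACL name used here are illustrative.
"""
import ssl
import urllib.request

# Magic numbers a capture file can start with: classic pcap (either byte
# order, microsecond or nanosecond timestamps) and the pcapng section header.
PCAP_MAGICS = (
    b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",   # pcap, microsecond timestamps
    b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d",   # pcap, nanosecond timestamps
    b"\x0a\x0d\x0d\x0a",                         # pcapng
)


def capture_config(name, src, dst, port, interface, proto="tcp", buffer=700000, packet_length=1518):
    """ASA CLI lines for a capture of one client/server flow in both directions.

    The reply packets carry the service port as their *source* port, so the
    'eq <port>' keyword moves to the source side on the second ACE; writing
    'host dst host src eq port' would match nothing coming back.
    """
    acl = f"{name}-acl"  # helper ACL name is an assumption; any name works
    return [
        f"access-list {acl} extended permit {proto} host {src} host {dst} eq {port}",
        f"access-list {acl} extended permit {proto} host {dst} eq {port} host {src}",
        f"capture {name} access-list {acl} buffer {buffer} interface {interface} packet-length {packet_length}",
    ]


def capture_teardown(name):
    """Lines to remove the capture (freeing its buffer) and its helper ACL."""
    return [f"no capture {name}", f"clear configure access-list {name}-acl"]


def capture_url(asa, name):
    """The download URL the page describes."""
    return f"https://{asa}/capture/{name}/pcap"


def looks_like_pcap(data):
    """True if data starts with a pcap/pcapng magic; False for an HTML login page or error body."""
    return data[:4] in PCAP_MAGICS


def download_capture(asa, name, user, password, cafile=None):
    """Fetch the capture over HTTPS with basic auth and verify it is a pcap.

    ASAs usually present a self-signed certificate: pass cafile= to verify it,
    or leave it None to skip verification (only acceptable on a trusted
    management network).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = capture_url(asa, name)
    pw_mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pw_mgr.add_password(None, url, user, password)
    opener = urllib.request.build_opener(
        urllib.request.HTTPBasicAuthHandler(pw_mgr),
        urllib.request.HTTPSHandler(context=ctx),
    )
    with opener.open(url, timeout=30) as resp:
        data = resp.read()
    if not looks_like_pcap(data):
        raise ValueError("response is not a capture file; check credentials and the http access rules")
    return data


if __name__ == "__main__":
    for line in capture_config("webtest", "192.168.1.10", "172.16.1.5", 443, "inside"):
        print(line)
    print(capture_url("10.0.0.1", "webtest"))
```

Paste the printed lines into the ASA, run the test, call download_capture() (or use the browser), then open the file in Wireshark; if looks_like_pcap() rejects it, you most likely saved the login page or an error body, not the capture.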

Cisco ASA Tunnel Stuff

A few handy LAN-to-LAN Tunnel VPN commands:

To display all current IKE security associations (SAs) with each peer:

show crypto isakmp sa

To display all current IPsec SAs:

show crypto ipsec sa

To tear down and restart every ISAKMP tunnel (all tunnels drop and renegotiate, so expect a brief outage on each):

clear crypto isakmp sa

To reset only one VPN, clear the IPsec SAs to the peer IP at the other end of that tunnel; it is rebuilt the next time interesting traffic arrives:

clear ipsec sa peer x.x.x.x

To check the uptime (duration) of a LAN-to-LAN tunnel:

show vpn-sessiondb detail l2l

To get ASA 8.4 running on GNS3:

1- Download and install GNS3 from the URL below:

http://www.gns3.net/download

2- Download the required files from one of the addresses below:

http://www.mediafire.com/download.php?ssadit26tl3llms

or

https://rapidshare.com/files/2538881267/asa.zip

3- Configure GNS3 preferences -> QEMU -> ASA with the settings below:

RAM: 1024 MiB
Number of NICs: 6
Qemu options: -m 1024 -icount auto -hdachs 980,16,32

Initrd: C:\ASA\asa842-initrd.gz
Kernel: C:\ASA\asa842-vmlinuz
Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

4- Activate the licenses using the codes below:

activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6