Category: configuration

Advertising a default route in BGP

There are four ways to distribute a default route in BGP.

Three of them, the network 0.0.0.0, the default-information originate and redistribution from another routing protocol, are all similar in the resulting effect: they will inject the default route into BGP RIB and it will be advertised to all BGP neighbors. The difference is in the origin of the default route that is injected into BGP. Specifically:

  • network 0.0.0.0 will inject the default route into BGP only if the default route is currently present in the routing table.
  • redistribution will inject the default route into BGP only if the default route is currently present in the routing table and if it has been learned by a specific source protocol we are redistributing from.
  • default-information originate causes the default route to be artificially generated and injected into the BGP RIB, regardlessly of whether it is present in the routing table. The newly injected default will be advertised to all BGP peers (because it now resides in the BGP RIB)

The fourth method:

  • neighbor X.X.X default-originate is similar to the default-information originate in that the default route is “artificially generated” (it does not need to be present in the routing table in order to make the advertisement effective)*.
  • However, the neighbor X.X.X.X default-originate is different from the the default-information originate in that the default route will be advertised only to this specific BGP neighbor and not to all existing BGP neighbors as with the previous approaches. The default route will not be installed in the BGP RIB of the router that is configured with the neighbor X.X.X.X default-originate command and so it won’t be generally advertised to all BGP neighbors.

*By doing the ‘default-originate’, you request a routerA (provider A) to send a route 0.0.0.0/0 via BGP out to RouterB (customer B).This is useful in many cases where customer B doesn’t really want toaccept a full BGP feed(for example in stub autonomous systems).

Troubleshooting Cisco ASA 5500 Firewalls

How to view interfaces and descriptions?
#show nameif

How to remove the entire access list?
# clear config access-list <ACL-Name>
–There are many things you can delete with the clear config command, be careful with how you use this command.

How to view the interface name, IP address and state of the interface, similar to show ip int brief on a router?
# show interface ip brief
— The IP and Interface is backwards compared to a Cisco Router

How to find out what unit is the active and standby units in a HA pair?
# show failover
– This will tell you what unit is active and standby, it will also tell you if the standby unit is ready or not to become active. It will also tell you if the interfaces are monitor and if they are down.

How to view interface statistics and port status
# show interface gigabit <slot/port>
– This is very similar to “show interface” on a router or a switch

How to view line numbers and the hit counters on an access list?
# show access-list -> will show all access lists
# show access-list <ACL-NAME>

How to view information on Cooling fans, Power supplies, Temperature and Voltage
# show environment
***This is going to be different on different models

How to find the IP address a known IP address is NAT’d to?
# show xlate -> Shows all NAT translations
# show xlate | include <known IP address> -> Shows the NAT translation for a specific IP address
– This is very useful on Version 8.3 and above because the public and private IP’s are not together in the configuration. Part of it is up in the object groups, the rest is down in the NAT section.

How to view each connection going through the ASA?
# show conn

How to view the files on the flash card?
# show flash

How to view the IOS file the system will use on the next bootup?
# show bootvar

How to view CPU utilization and process information? ***command may vary by model and software release
# show cpu -> Shows 5 Second, 1 minute, and 5 minute average
# show processes [cpu-hog|cpu-usage|internals|memory] ->

Packet tracer is a great tool to see if a data flow is allowed through the firewall. This only works on Routed firewalls, it does not work in transparent mode. Cisco should get a pat on the back for this one!!

# packet-tracer input <incoming-interface> <Protocol-icmp|rawip|tcp|udp> <source-IP> <Source port> <Destination IP> <Destination port>

Example: #packet-tracer input inside tcp 192.168.1.1 1024 172.16.1.1 80
**Source port does not matter, I like to use 1024
Follow the output down the screen and it will tell you where it fails, or it will tell you it is allowed. Usually when it is dropped by ACL, it does not tell you what ACL is blocking it.

The ASA has a built in packet capture feature built into it. You can easily get a packet capture of any traffic flow going through the ASA.

1. Create your ACL with the specifics of what you are looking for

Access-list 100 permit tcp host <source ip> host <destination ip> eq port
Access-list 100 permit tcp host <destination ip> host <source ip> eq port

2. Create your capture’s and apply them to the inbound interface on the ASA

capture <capture name> access-list <acl name/number> buffer 700000 interface <interface traffic is entering> packet-length <packet length: ex:1518)

3. Have user perform a test
4. Copy the capture to your PC

Use a web browser and go to https://<ASA’s IP>/capture/<capture name>/pcap

It will prompt you to log in, then to download the file.

You can look at the output on the ASA with the “show capture <capture-name>” command.

*** I recommend creating your ACL for traffic in both directions. If you don’t, you will only see traffic in one direction.