tag:blogger.com,1999:blog-47285461179963779992026-04-02T21:31:57.029-04:00Making networks work one packet at a time.Unknownnoreply@blogger.comBlogger14125tag:blogger.com,1999:blog-4728546117996377999.post-54391403699792377392013-05-21T11:47:00.000-04:002013-05-21T11:47:00.853-04:00

To see the pre shared key for any Sites to Site VPN simply type the following in CLI: more system:running-config | begin tunnel-group This will change: tunnel-group 10.55.55.55 type ipsec-l2l tunnel-group 10.55.55.55 ipsec-attributes pre-shared-key ***** Into: tunnel-group 10.55.55.55 type ipsec-l2l tunnel-group 10.55.55.55 ipsec-attributes

Unknownnoreply@blogger.com3tag:blogger.com,1999:blog-4728546117996377999.post-76373453644036033052013-05-21T11:33:00.000-04:002013-05-21T11:33:31.181-04:00

The most common reason  I find that PPTP connections do not work is because the inspect for PPTP it not enabled. This is how you enable the inspect in the default inspection class: conf t policy-map global_policy  class inspection_default   inspect pptp end wr mem This is needed whenever PAT is being used. More details here: http://www.cisco.com/en/US/

Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-4728546117996377999.post-27626083683118535272013-05-21T11:26:00.001-04:002013-05-21T11:26:19.288-04:00

Many times I have had to prove that the firewall was not receiving any ARP replies from the workstation / router / switch / or server here is how I did it: Log into the CLI and create a capture looking for only ARP request: capture [CAP_NAME] interface [INT_NAME] ethernet-type arp //Example ASA# capure arpcap interface servers ethernet-type arp ASA# show capture arpcap //

Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4728546117996377999.post-75067472433435017882013-05-21T10:27:00.000-04:002013-05-21T10:27:51.778-04:00

Renaming objects on the ASA is very simple: NOTE: You cannot rename object-groups as of version 9.1 make sure you pick the correct name the first time! Updating the objects names will automatically update the references in the policy. Renaming Network Objects: object network OLD_NAME rename NEW_NAME Renaming Service Objects: object service OLD_NAME rename NEW_NAME Renaming

Unknownnoreply@blogger.com9tag:blogger.com,1999:blog-4728546117996377999.post-89032947303890940132012-06-05T13:23:00.001-04:002012-06-05T13:30:25.320-04:00

If you need to download your packet captures on a Cisco ASA/PIX so you can import them into Wireshark it is a very simple process. I assume the following is true: 1. You have http (ASDM) access to the firewall 2. You already have a capture with captured packets: (See here how to create a capture) If you want to just see the capture in the browser first to make sure there are packets you can do

Unknownnoreply@blogger.com3tag:blogger.com,1999:blog-4728546117996377999.post-85258432847809722552012-06-05T13:10:00.000-04:002012-06-05T13:31:49.700-04:00

Problem: You need to capture traffic between 1.1.1.1 and 2.2.2.2 In previous version of ASA/PIX code (7.2 and below) you had to go into config mode add a bi-directional access-list and then apply the packet capture. As of 7.2.1 you no longer have to do that and it makes creating captures a lot quicker and no configuration changes are made to the firewall since no access-list are created.

Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-4728546117996377999.post-85027282583872737002012-06-05T12:36:00.000-04:002012-06-05T12:36:44.704-04:00

If for some reason you cant access the standby firewall but need you reload it and only have access to the primary firewall you can easily reboot the standby firewall by issuing the following command via cli: failover reload-standby

Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-4728546117996377999.post-71373043211544090622012-03-06T14:28:00.004-05:002013-05-26T00:00:32.151-04:00

This is the standard configuration I use to bring up websense on the firewall. There are other options available you can check those out in the Cisco Links url-server (inside) vendor websense host 10.55.55.55 timeout 15 protocol TCP version 4   url-block url-mempool 1500 url-block url-size 4 url-block block 128 filter url http 10.40.40.0 255.255.255.0 0.0.0.0 0.0.0.0 longurl-truncate

Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4728546117996377999.post-57510404014992015742011-12-23T14:46:00.000-05:002012-03-06T11:49:19.132-05:00

Forcing a manual failover via command line can be done in two different ways. ###################################### On the active firewall you can do the following: CiscoASA# no failover active ----------------------------------------------------------------------------- On the standby firewall you can do the following: CiscoASA# failover active ############

Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4728546117996377999.post-9329922187587209462011-12-21T21:36:00.002-05:002011-12-21T21:43:42.587-05:00

If you need to create a subinterface on an ASA  you will need the following information: 1. Identify which interface is going to be used on the firewall 2. Identify which subinterface ID is going to be used. Vaild IDs are 1 through 4294967293 3. Identify which VLAN ID is going to be used, I would recommend using the same VLAN ID as the subinterface ID however only IDs support for

Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-4728546117996377999.post-87718246871342454652011-12-15T11:46:00.000-05:002011-12-15T11:53:10.746-05:00

If you have to RMA an IBM Proventia M firewall and move the policy from one firewall to another one there is a simple test you can perform to make sure the policy on the new RMA firewall is the same as the old one. Once you have applied the snapshot to the new RMA firewall. Run the following command on both firewalls:[root@proventiaM root]# cd /etc/crm/policies/cml/NetworkProtector/fwm/[root@

Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-4728546117996377999.post-50698946381820354442011-12-14T10:00:00.000-05:002013-12-04T12:19:28.023-05:00

If you need to check if an ISS / IBM Proventia M is in High Availability mode or which firewall is primary or secondary check the following via ssh: cat /etc/sysconfig/ham The output will be, no such file, primary, or secondary. [root@proventiaM root]# cat /etc/sysconfig/ham cat: /etc/sysconfig/ham: No such file or directory <-------- Means NOT part of an HA cluster [root@

Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4728546117996377999.post-28490916930483079992011-12-13T22:25:00.003-05:002011-12-13T22:59:14.382-05:00

Save yourself some time and rename your access-list instead of having to recreate them all!On Cisco ASA version 8.0(2) and above you can rename an access-list:access-list OLD_NAME rename NEW_NAMEhttp://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a1.html#wp1554657

Unknownnoreply@blogger.com11tag:blogger.com,1999:blog-4728546117996377999.post-46575287866667443632011-11-16T12:51:00.003-05:002013-05-21T11:39:31.376-04:00

Displaying the preshared key for vpn site to site tunnels on Pix 6.3 devices, I always thought was impossible until I came across this: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml#solution3 Basically you can get the PSK via the http service on the firewall. You will need to do the following: 1. Enable the http server 2. Allow access

Unknownnoreply@blogger.com34