Friday, June 25, 2010

IPv4, TCP, UDP, & ICMP Header

IPv4 header

TCP header

UDP header

ICMP header
http://nmap.org/book/tcpip-ref.html




Monday, June 21, 2010

Cisco ASA - How to show VPN and SSH users who is currently connected via SSH or RemoteVPN connection?

Question:
Is it possible to monitor directly on the ASA (SSH connection) who is currently connected via SSH or a RemoteVPN connection?

Answers:
To view VPN connections via the command line you can use:
ASA# show vpn-sessiondb 

VPN:
sh vpn-sessiondb remote (IPSec Remote VPN Clients)
sh vpn-sessiondb l2l (L2L Tunnels)
sh vpn-sessiondb svc (SSL VPN / Anyconnect Clients)

SSH:
sh ssh sessions (show users connected to ASA via SSH)

http://www.dslreports.com/forum/r22984757-Cisco-ASA-show-VPN-and-SSH-users

Cisco Security Appliance Command Reference, Version 7.2
show service-policy through show xlate Commands
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s7_72.html#wp1135352

Saturday, June 19, 2010

SYN + RST TCP flags = closed port

The port is closed if a SYN packet sent from the source is answered with an RST packet from the destination.

The port is open if a SYN packet sent from the source is answered with a SYN/ACK packet from the destination. See TCP Three Way Handshake.

In this example the source, 192.168.0.5, sends a SYN packet to the destination, 192.168.0.3.
The destination, 192.168.0.3, replies to the source, 192.168.0.5, with an RST packet.
It means that the HTTP service (TCP 80) is not listening at the destination, 192.168.0.3.

Source        Destination   Summary 
--------------------------------------------------------------------------------------
[192.168.0.5] [192.168.0.3] TCP: D=80 S=44545 SYN SEQ=3017830046 LEN=0 WIN=4096
[192.168.0.3] [192.168.0.5] TCP: D=44545 S=80 RST ACK=3017830047 WIN=0

Reference:
http://www.networkuptime.com/nmap/page4-5.shtml
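As an added example (not from this post or the referenced nmap page), here is a small Python parser for the IPv4 and TCP headers pictured above; it rebuilds the two frames of the trace as constructed raw packets (checksums left at zero) and classifies the probed port the way the text describes: a SYN answered by RST is closed, a SYN answered by SYN/ACK is open, anything else is not a reply to that probe.

```python
import struct

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10   # TCP header flag bits

def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, win):
    """Constructed IPv4 header (20 bytes) + TCP header (20 bytes), checksums left at 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Pull the addressing, sequence and flag fields out of a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4             # IPv4 header length in bytes (options included)
    if pkt[9] != 6:                       # IPv4 protocol field: 6 = TCP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, seq, ack, _off, flags, win = struct.unpack("!HHIIBBH", pkt[ihl:ihl + 16])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": flags, "win": win}

def port_state(probe, reply):
    """Classify the probed port from a bare SYN and the segment that answered it."""
    p, r = parse_ipv4_tcp(probe), parse_ipv4_tcp(reply)
    if p is None or r is None or not (p["flags"] & TCP_SYN) or p["flags"] & TCP_ACK:
        raise ValueError("probe is not a bare TCP SYN")
    reverse = (r["src"], r["sport"], r["dst"], r["dport"]) == (p["dst"], p["dport"], p["src"], p["sport"])
    acks_syn = (r["flags"] & TCP_ACK) and r["ack"] == (p["seq"] + 1) & 0xFFFFFFFF
    if not (reverse and acks_syn):
        return "unrelated"                 # not a reply to this probe
    if r["flags"] & TCP_RST:
        return "closed"                    # RST: nothing listening on that port
    if r["flags"] & TCP_SYN:
        return "open"                      # SYN/ACK: second step of the handshake
    return "unrelated"

# The two frames of the trace above, rebuilt as constructed raw packets.
PROBE = build_ipv4_tcp("192.168.0.5", "192.168.0.3", 44545, 80, 3017830046, 0, TCP_SYN, 4096)
REPLY = build_ipv4_tcp("192.168.0.3", "192.168.0.5", 80, 44545, 0, 3017830047, TCP_RST | TCP_ACK, 0)
```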

Friday, June 18, 2010

Three Way Handshake process: To establish TCP communication

TCP three-way handshake refers to the procedure used by Transmission Control Protocol (TCP) for establishing a session.
http://www.networkdictionary.com/networking/t.php




http://www.knowplace.org/pages/howtos/firewalling_with_netfilter_iptables/ip_overview.php

Four Way Handshake process: To tear down an established TCP connection

TCP four-way handshake refers to the procedure used by Transmission Control Protocol (TCP) for tearing down a session.




http://www.firewall.cx/tcp-analysis-section-4.php
http://www.knowplace.org/pages/howtos/firewalling_with_netfilter_iptables/ip_overview.php
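Added example, not from this post or the linked references: a Python walker that replays the three-way handshake and the four-way teardown described above as a list of (sender, flags, seq, ack) segments, checking the sequence and acknowledgement arithmetic at each step. The initial sequence numbers and the client/server labels are constructed for the illustration.

```python
def walk_tcp_session(segments):
    """Replay (sender, flags, seq, ack) segments through the open and close
    procedures. SYN and FIN each consume one sequence number, and each ACK must
    acknowledge exactly the peer's next expected number; anything else raises.
    Returns the connection state after every segment (data transfer is omitted)."""
    state, nxt, closer, states = "CLOSED", {}, None, []
    for who, flags, seq, ack in segments:
        peer = "server" if who == "client" else "client"
        if state == "CLOSED" and who == "client" and flags == "SYN":
            nxt["client"] = seq + 1                      # step 1: SYN carries the client ISN
            state = "SYN_SENT"
        elif state == "SYN_SENT" and who == "server" and flags == "SYN/ACK" and ack == nxt["client"]:
            nxt["server"] = seq + 1                      # step 2: SYN/ACK acknowledges ISN+1
            state = "SYN_RECEIVED"
        elif (state == "SYN_RECEIVED" and who == "client" and flags == "ACK"
              and seq == nxt["client"] and ack == nxt["server"]):
            state = "ESTABLISHED"                        # step 3: final ACK completes the open
        elif state == "ESTABLISHED" and flags == "FIN/ACK" and seq == nxt[who] and ack == nxt[peer]:
            nxt[who] += 1                                # close step 1: active close sends FIN
            closer, state = who, "FIN_WAIT_1"
        elif state == "FIN_WAIT_1" and who != closer and flags == "ACK" and ack == nxt[closer]:
            state = "FIN_WAIT_2"                         # close step 2: passive side ACKs the FIN
        elif (state == "FIN_WAIT_2" and who != closer and flags == "FIN/ACK"
              and seq == nxt[who] and ack == nxt[closer]):
            nxt[who] += 1                                # close step 3: passive side sends its FIN
            state = "LAST_ACK"
        elif state == "LAST_ACK" and who == closer and flags == "ACK" and seq == nxt[who] and ack == nxt[peer]:
            state = "TIME_WAIT"                          # close step 4: closer ACKs; peer is closed
        else:
            raise ValueError(f"unexpected {flags} from {who} in state {state} (seq={seq}, ack={ack})")
        states.append(state)
    return states

# Constructed exchange with small ISNs (real stacks pick them unpredictably).
HANDSHAKE = [("client", "SYN", 1000, 0), ("server", "SYN/ACK", 5000, 1001), ("client", "ACK", 1001, 5001)]
TEARDOWN = [("client", "FIN/ACK", 1001, 5001), ("server", "ACK", 5001, 1002),
            ("server", "FIN/ACK", 5001, 1002), ("client", "ACK", 1002, 5002)]
```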

Source & Destination IP Address, Protocol & Services

As a firewall engineer, I receive a lot of requests to open ports from a certain location to a server. Unfortunately, many users still don't understand what a source IP address, a destination IP address and a service are.

Let me explain it in a simple way.

All Internet packets have a source IP address and a destination IP address.
http://en.wikipedia.org/wiki/Network_address_translation

Every TCP and UDP packet contains both a source IP address and source port number as well as a destination IP address and destination port number.
http://en.wikipedia.org/wiki/Port_address_translation

The source IP address (SIP) is the IP address of the machine you are coming from, i.e. the address of the sender of the packet.
For example, the SIP in the diagram below is 192.168.1.1.

The destination IP address (DIP) is the IP address of the machine you are trying to connect to, i.e. it indicates the receiver of the packet.
For example, the DIP in the diagram below is 100.100.100.1.
http://en.wikipedia.org/wiki/IPv4
http://www.networkcomputing.com/netdesign/ip101.html

A port number is a number assigned to a particular network service on a host. It is a field in a TCP or UDP header that identifies the application that either sent (source port) or should receive (destination port) the data inside the data segment.
For example, SMTP usually uses port TCP 25, while HTTP is usually port TCP 80.
http://www.lsoft.com/manuals/Maestro/2.1/Admin/WebHelp/Glossary_of_Terms.htm
http://www.proprofs.com/mwiki/index.php/Ultimate_Cisco_CCNA_INTRO_Glossary_&_Acronyms
http://en.wikipedia.org/wiki/Port_number

http://www.tech21century.com/connections-and-translations-on-cisco-asa-firewalls/

Based on the network diagram above:

Source IP Address: 192.168.1.1 (translated to 20.20.20.1)
Source Port: 1030
Destination IP Address: 100.100.100.1
Destination Port: 80

Source Ports
The source port, which can be a random number, is assigned to the client and is used to keep track of user sessions. The combination of port number and IP address is called a "socket."

Destination Ports
The destination port is used to route packets on a server to the appropriate network application. For example, port 80 is the standard port number for HTTP traffic, and port 80 packets are processed by a Web server. Destination ports are typically well-known ports (0-1023) for common Internet applications such as HTTP, FTP and SMTP. It can also be a registered port (1024-49151) that vendors use for proprietary applications. See well-known port.

http://www.pcmag.com/encyclopedia_term/0,2542,t=TCPIP+port&i=52617,00.asp
http://www.firewall.cx/tcp-analysis-section-1.php 
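Added example, not from this post or the linked references: a simplified Python model of the request above as a firewall engineer records it. The rule is matched on the inside (pre-NAT) source, the source address is translated to 20.20.20.1 as in the diagram, and the translation is remembered so the server's reply, which is addressed to the translated address and has the two sockets swapped, can be mapped back. The rule table and the static NAT entry are constructed for the illustration; the order of policy check and translation is a simplification, not any particular vendor's behaviour.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Flow:
    """The five values that identify one connection: a socket (IP + port) on each end plus the protocol."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

# Constructed rule table: the request from the diagram (inside source, server, service).
RULES = [{"src": "192.168.1.1", "dst": "100.100.100.1", "proto": "tcp", "dport": 80}]
# Constructed static source NAT from the diagram: inside 192.168.1.1 appears as 20.20.20.1.
SOURCE_NAT = {"192.168.1.1": "20.20.20.1"}

def permitted(flow, rules):
    """Match on the inside (pre-NAT) source address, the destination and the service."""
    return any(r["src"] == flow.src_ip and r["dst"] == flow.dst_ip
               and r["proto"] == flow.proto and r["dport"] == flow.dst_port for r in rules)

def outbound(flow, rules, nat, xlate):
    """Policy check, then translate the source and record the mapping so the
    reply (addressed to the translated address) can be mapped back to the inside host."""
    if not permitted(flow, rules):
        return None
    translated = replace(flow, src_ip=nat.get(flow.src_ip, flow.src_ip))
    xlate[(translated.src_ip, translated.src_port, translated.dst_ip,
           translated.dst_port, translated.proto)] = flow
    return translated

def inbound_reply(reply, xlate):
    """A reply has source and destination swapped relative to the translated outbound
    flow; only a connection the firewall already knows about is let back in."""
    key = (reply.dst_ip, reply.dst_port, reply.src_ip, reply.src_port, reply.proto)
    original = xlate.get(key)
    if original is None:
        return None
    return replace(reply, dst_ip=original.src_ip)

# Walk the request from the diagram through both directions.
XLATE = {}
REQUEST = Flow("192.168.1.1", 1030, "100.100.100.1", 80)
ON_THE_WIRE = outbound(REQUEST, RULES, SOURCE_NAT, XLATE)        # server sees 20.20.20.1:1030
REPLY = inbound_reply(Flow("100.100.100.1", 80, "20.20.20.1", 1030), XLATE)  # back to 192.168.1.1
```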
