1) username xxxx password xxxx
2) passwd xxxxx
3) ssh x.x.x.x x.x.x.x {inside/outside}
4) crypto key generate rsa modulus {512/768/1024/2048} (use 2048; 512- and 768-bit RSA keys are too weak for an SSH host key)
5) aaa authentication ssh console LOCAL
https://learningnetwork.cisco.com/docs/DOC-2820
Penetration Testing, Vulnerability Assessment, Malware Analysis, Reverse Engineering, Packet Analysis, Wireshark, tshark, tcpdump, Tips & Tricks, Notes, Network Security, Unix, Solaris, Firewalls, Cisco ASA, Cisco PIX, Checkpoint, Netscreen
Friday, August 13, 2010
Wednesday, August 11, 2010
How to find files in MS Windows using the command line
dir c:\Local\Data\xxx\ /s /b | find "string"
Find
http://technet.microsoft.com/en-us/library/cc725655%28WS.10%29.aspx
Dir
http://technet.microsoft.com/en-us/library/cc755121%28WS.10%29.aspx
Examples
To display all lines from Pencil.ad that contain the string "Pencil Sharpener", type: find "Pencil Sharpener" pencil.ad
To find a string that contains text within quotation marks, you must enclose the entire string in quotation marks. Then you must use two quotation marks for each quotation mark contained within the string. To find "The scientists labeled their paper "for discussion only." It is not a final report." in Report.doc, type:
find "The scientists labeled their paper ""for discussion only."" It is not a final report." report.doc
If you want to search for a set of files, you can use the find command within the for command. To search the current directory for files that have the extension .bat and that contain the string "PROMPT", type:
for %f in (*.bat) do find "PROMPT" %f
To search your hard disk to find and display the file names on drive C that contain the string "CPU", use the pipe (|) to direct the output of the dir command to the find command as follows:
dir c:\ /s /b | find "CPU"
Because find searches are case-sensitive and dir produces uppercase output, you must either type the string "CPU" in uppercase letters or use the /i command-line option with find.
Saturday, August 7, 2010
EtherChannel, Port Channel, Trunking, Port trunking, Link aggregation
Po1, which stands for the interface "port-channel1". This is the logical interface created when an Etherchannel is built. We are now using both physical paths between the two switches at one time!
http://ezinearticles.com/?Cisco-CCNA-/-CCNP-Certification:-How-And-Why-To-Build-An-Etherchannel&id=93114
Etherchannel/port-channel
On different Cisco switches it is possible to create logical connections that are made up of several physical interfaces. These interfaces must have the same speed and duplex settings.
Cisco switch show commands
· show interfaces port-channel [channel-group-number]
· show etherchannel [channel-group-number] summary
http://www.edgenetworks.nl/etherchannel.html
EtherChannel between a switch and a server.
EtherChannel is a port trunking (link aggregation being the general term) technology or port-channel architecture used primarily on Cisco switches. It allows grouping several physical Ethernet links to create one logical Ethernet link for the purpose of providing fault-tolerance and high-speed links between switches, routers and servers. An EtherChannel can be created from between two and eight active Fast Ethernet, Gigabit Ethernet or 10-Gigabit Ethernet ports, with an additional one to eight inactive (failover) ports which become active as the other active ports fail. EtherChannel is primarily used in the backbone network, but can also be used to connect end user machines.
http://en.wikipedia.org/wiki/EtherChannel
Trunking
In modern communications, trunking is a concept by which a communications system can provide network access to many clients by sharing a set of lines or frequencies instead of providing them individually. This is analogous to the structure of a tree with one trunk and many branches. Examples of this include telephone systems and the VHF radios commonly used by police agencies. More recently port trunking has been applied in computer networking as well.
http://en.wikipedia.org/wiki/Trunking
Link Aggregation between a switch and a server
Link aggregation/Port trunking
Link aggregation or IEEE 802.1AX-2008 is a computer networking term which describes using multiple network cables/ports in parallel to increase the link speed beyond the limits of any one single cable or port, and to increase the redundancy for higher availability.
http://en.wikipedia.org/wiki/Link_aggregation
http://en.wikipedia.org/wiki/Port_trunking
How to use the OSI Model to Troubleshoot Networks
When I get a call from a user that explains a problem they are having, I would immediately visualize the OSI model. The user might say that they can't bring up a graphic they are trying to download from the Internet. That graphic is brought up in an application (layer 7 of the OSI model). I could either start at the top or the bottom, depending on what I suspected was the problem. I would usually start at the bottom (termed the "bottom-up approach"). At the bottom of the OSI model is the physical layer (layer 1). So, I would proceed to ask them questions like this:
by David Davis, vExpert, VCP, CCIE 9369 - January 7, 2009
http://www.petri.co.il/csc_how_to_use_the_osi_model_to_troubleshoot_networks.htm
- Is your network cable plugged in? (physical)
- Is there a link light on the Ethernet switch and Ethernet NIC? (data-link)
- Do you have an IP address? (network)
- Can you ping your default gateway? (network, testing LAN IP connectivity)
- Do you have DNS server information?
- Can you ping your DNS server? (network, testing IP connectivity)
- Do you have a firewall configured? (network on up to application)
- Can you ping the host you are trying to get to by name? (application, DNS and network WAN IP connectivity)
- What format is the graphic in? Do you have a viewer for that format? (presentation)
- Can your web browser open up another website? (basic application troubleshooting)
WebVPN troubleshooting
Problems in authentication
1. Error in authentication
Type your username and password:
2. Slow Internet connection
If your Internet connection is slow or unstable, it might cause an authentication error as a result of a timeout. Check your Internet connection.
3. Losing connection
Once you've logged in, every new URL that opens will begin with: https:///
If a new window opens without it, it's a sign you've lost connection to the VPN service.
4. Proxy settings
If you are connected successfully but can't reach sites with your browser (the problem occurs especially when connected behind a router), try changing your proxy settings.
Reference:
Thursday, August 5, 2010
AAA: Authentication, Authorization and Accounting
control traffic based on the IP address and protocol -> access lists
control access for specific users or groups -> authentication
control use for specific users or groups -> authorization
Authentication -> who the user is
Authorization -> what the user can do
Accounting -> what the user did
PIX/ASA : Cut-through Proxy for Network Access using TACACS+ and RADIUS Server Configuration Example
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml
Authentication
Authentication refers to the process where an entity's identity is authenticated, typically by providing evidence that it holds a specific digital identity such as an identifier and the corresponding credentials. Examples of types of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).
Authorization
The "authorization" function determines whether a particular entity is authorized to perform a given activity, typically logging on to an application or service. Authorization may be determined based on a range of restrictions, for example time-of-day restrictions, or physical location restrictions, or restrictions against multiple logins by the same entity or user. Examples of types of service include, but are not limited to: IP address filtering, address assignment, route assignment, Quality of Service/differential services, bandwidth control/traffic management, compulsory tunneling to a specific endpoint, and encryption.
Accounting
Accounting refers to the tracking of the consumption of network resources by users. This information may be used for management, planning, billing, or other purposes. Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources. Batch accounting refers to accounting information that is saved until it is delivered at a later time. Typical information that is gathered in accounting is the identity of the user, the nature of the service delivered, when the service began, and when it ended.
AAA protocol
http://en.wikipedia.org/wiki/AAA_protocol
Saturday, July 31, 2010
How to make an international phone call
Example, call from Malaysia to USA
00 + 1 + Area Code + Tel #
00 = Country exit code
1 = Country code which is USA
Reference:
Call from Malaysia to United States
http://www.countrycodes.com/search_usa.php?t=250&f=146
Country Codes for International Calling & Area Codes
http://www.countrycodes.com/
tcpdump
How to find the right interface
route get x.x.x.x (BSD / Mac OS X; x.x.x.x is the destination IP)
netstat -nr
To list all network interfaces
tcpdump -D
ifconfig -a | grep :
To capture traffic from interface eth0, source ip = 10.10.10.10 & destination ip = 10.10.10.11
tcpdump -i eth0 src 10.10.10.10 and dst 10.10.10.11
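Choosing the interface from the routing table is a longest-prefix match: the most specific route containing the destination wins and the default route is used only when nothing else matches. The script below, an added example and not code from the page, parses a Linux-style netstat -nr listing (the one embedded here is constructed, not captured) and builds the tcpdump line above for a given source and destination. The function names and the sample routes are this example's own.

```python
"""Pick the capture interface for a destination the way the kernel does
(longest-prefix match over the routing table), then build the tcpdump line.
Added example, not from the page; the routing table is a constructed
'netstat -nr' output in Linux format."""
import ipaddress

SAMPLE_NETSTAT = """Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.10.10.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""

def parse_routes(netstat_output):
    """Return [(network, gateway or None, iface)] from 'netstat -nr' lines."""
    routes = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0][0].isdigit():
            continue                      # skip the banner and header lines
        dest, gw, mask, iface = f[0], f[1], f[2], f[-1]
        net = ipaddress.ip_network("%s/%s" % (dest, mask), strict=False)
        routes.append((net, None if gw == "0.0.0.0" else gw, iface))
    return routes

def egress_interface(routes, dst):
    """Longest-prefix match: the most specific route wins, the default route last."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError("no route to %s" % dst)
    return best[2], best[1]               # (interface, next-hop or None if directly connected)

def tcpdump_command(routes, src, dst):
    """The capture line from the page, with the interface chosen for dst."""
    iface, _ = egress_interface(routes, dst)
    return "tcpdump -ni %s src %s and dst %s" % (iface, src, dst)

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_NETSTAT)
    print(tcpdump_command(routes, "10.10.10.10", "10.10.10.11"))
```

On Linux, ip route get 10.10.10.11 answers the same question directly; the function is just that rule written out so you can see why eth1 is chosen for 10.10.10.11 while 8.8.8.8 goes to eth0 via the default gateway.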
Reference:
Manpage of TCPDUMP
http://www.tcpdump.org/tcpdump_man.html
A tcpdump Tutorial and Primer
http://danielmiessler.com/study/tcpdump/
Check The Routes
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs#Check_The_Routes
Using TCPdump
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs#Using_TCPdump
SANS POCKET REFERENCE GUIDE: TCP/IP and tcpdump
http://www.sans.org/security-resources/tcpip.pdf?ref=3871
Checkpoint: fw monitor
Let's say we want to monitor the following information:
Source IP = 10.10.10.10
Destination IP = 10.10.10.11
[Expert@cpmodule]# fw monitor -e 'accept src=10.10.10.10 or dst=10.10.10.11;'
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
^C
monitor: caught sig 2
monitor: unloading
[Expert@cpmodule]# cat $FWDIR/tmp/monitorfilter.pf
#define src ip_src
#define dst ip_dst
#define sport th_sport
#define dport th_dport
#include "tcpip.def"
accept src=10.10.10.10 or dst=10.10.10.11;
Note that "or" matches every packet from 10.10.10.10 plus every packet to 10.10.10.11; to see only the single flow between the two hosts, use "and" instead (accept src=10.10.10.10 and dst=10.10.10.11;).
Reference:
How to use fw monitor (page 36)
http://www.checkpoint.com/techsupport/downloads/html/ethereal/fw_monitor_rev1_01.pdf
FW MONITOR
http://www.cpug.org/check_point_resources/FW MONITOR_expert.doc
Cisco: View Active SSH Sessions
Issue this command in order to check the number of SSH sessions that are connected and the connection state to the PIX:
pix# show ssh sessions
SID Client IP       Version Mode Encryption Hmac   State           Username
0   10.1.1.2        1.99    IN   aes128-cbc md5    SessionStarted  pix
                            OUT  aes128-cbc md5    SessionStarted  pix
A Version of 1.99 is what a server that still accepts both SSH 1 and SSH 2 advertises; configure "ssh version 2" to restrict the appliance to SSH 2 only.
Reference:
PIX/ASA 7.x: SSH/Telnet on the Inside and Outside Interface Configuration Example
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#active
Cisco: View Active Telnet Sessions - who
who
To display active Telnet administration sessions on the adaptive security appliance, use the who command in privileged EXEC mode.
Usage Guidelines
The who command allows you to display the TTY_ID and IP address of each Telnet client that is currently logged into the adaptive security appliance.
Examples
This example shows the output of the who command when a client is logged into the adaptive security appliance through a Telnet session:
hostname# who
0: 100.0.0.2
hostname# who 100.0.0.2
0: 100.0.0.2
hostname#
Related Commands
Command | Description |
---|---|
kill | Terminate a Telnet session. |
telnet | Adds Telnet access to the adaptive security appliance console and sets the idle timeout. |
Reference:
who
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1634239
Wednesday, July 28, 2010
How to find the source interface or the right access-list group
1. Check the source IP
2. show route | grep x.x.x.x (the source IP, to find the interface it is routed through)
3.1. show run | grep access-group for Cisco PIX
or
3.2. show run access-group for Cisco ASA
Cisco ASA: Packet-Tracer
The packet-tracer command lets you do the following:
- Debug all packet drops in a production network.
- Verify the configuration is working as intended.
- Show all rules applicable to a packet along with the CLI lines which caused the rule addition.
- Show a time line of packet changes in a data path.
- Inject tracer packets into the data path.
How to use packet-tracer
packet-tracer input [src_int] protocol src_addr src_port dst_addr dst_port [detailed] [xml]
src_int = Source Interface (the interface the packet arrives on, not the one facing the destination)
protocol = icmp / rawip / tcp / udp
src_addr = Source IP Address
src_port = Source port
dst_addr = Destination IP Address
dst_port = Destination port
Examples:
1. To trace a packet from inside host 10.2.25.3 to external webserver 209.165.202.158, enter the following:
ASA5510# packet-tracer input inside tcp 10.2.25.3 3000 209.165.202.158 http
or
ASA5510# packet-tracer input inside tcp 10.2.25.3 3000 209.165.202.158 80
where;
inside is Source Interface
tcp is protocol
10.2.25.3 is Source IP Address
3000 is Source port
209.165.202.158 is Destination IP Address
http / 80 is Destination port
The output lists each phase the packet goes through (route lookup, access-list, NAT, ...) and ends with a Result section that says whether the packet is allowed or dropped and, for a drop, the reason.
Reference:
Cisco ASA Troubleshooting Tool Kit
http://www.networkblueprints.com/troubleshooting/cisco-asa-troubleshooting-tool-kit
PIX/ASA 7.2(1) and later: Intra-Interface Communications
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
Packet capture and sniffing using the Cisco ASA Firewall
http://www.networkstraining.com/packet-capture-and-sniffing-using-the-cisco-asa-firewall/
Cisco ASA troubleshooting command packet-tracer
http://informationsecuritytips.com/2009/04/cisco-asa-troubleshooting-command-packet-tracer/
ICMP: Internet Control Message Protocol
ICMP Echo request, Type 8 Code 0
ICMP Echo reply, Type 0 Code 0
Reference:
http://security.maruhn.com/iptables-tutorial/x4634.htm
http://www.faqs.org/docs/iptables/icmpconnections.html
http://en.wikipedia.org/wiki/Ping
http://www.linuxtopia.org/Linux_Firewall_iptables/x270.html
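The two message types above as bytes, as an added example that is not part of the page: an echo request (type 8, code 0) is built with the RFC 792 header and its one's-complement checksum, and a reply (type 0, code 0) is accepted only if its checksum verifies and its identifier, sequence number and payload match the request, which is how ping pairs replies with requests. The reply is constructed here rather than captured, and the function names, identifier value and payload are this example's own choices.

```python
"""ICMP echo request (type 8, code 0) and echo reply (type 0, code 0) built and
checked by hand. Added example, not from the page; the reply is constructed
here rather than captured from the network."""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

def icmp_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words, odd byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type, ident, seq, payload):
    """8-byte header (type, code 0, checksum, id, seq) followed by the payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)   # computed with the checksum field zeroed
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def build_echo_request(ident, seq, payload=b"abcdefgh"):
    return build_icmp(ICMP_ECHO_REQUEST, ident, seq, payload)

def build_echo_reply(request):
    """What the target answers: same id, seq and payload, type 0 (constructed here)."""
    _, _, ident, seq, payload, _ = parse_icmp(request)
    return build_icmp(ICMP_ECHO_REPLY, ident, seq, payload)

def parse_icmp(packet):
    """Return (type, code, ident, seq, payload, checksum_ok)."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    ok = icmp_checksum(packet) == 0          # an intact message sums to zero
    return icmp_type, code, ident, seq, packet[8:], ok

def is_reply_to(reply, request):
    """True if reply is an intact type 0/code 0 message matching request's id, seq and payload."""
    rt, rc, rid, rseq, rpl, rok = parse_icmp(reply)
    qt, qc, qid, qseq, qpl, _ = parse_icmp(request)
    return (rok and rt == ICMP_ECHO_REPLY and rc == 0 and qt == ICMP_ECHO_REQUEST
            and qc == 0 and (rid, rseq, rpl) == (qid, qseq, qpl))

if __name__ == "__main__":
    req = build_echo_request(0x1234, 1)
    rep = build_echo_reply(req)
    print(req.hex(), rep.hex(), is_reply_to(rep, req))
```

Sending the request for real needs a raw socket (SOCK_RAW, IPPROTO_ICMP), which is why ping is usually setuid or capability-bound; the kernel prepends the IP header, so the bytes built here are exactly what goes on the wire after it.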
Shortcut: Windows Explorer
explorer /e, C:\
You can use the following switches with the Explorer.exe command.
Switch | Result |
---|---|
/n | Opens a new single-pane window for the default selection. This is usually the root of the drive on which Windows is installed. |
/e | Starts Windows Explorer using its default view. |
/e, <folder> | Starts Windows Explorer using its default view with the focus on the specified folder. |
/root, <object> | Opens a window view of the specified object. |
/select, <object> | Opens a window view with the specified folder, file or program selected. |
Tuesday, July 27, 2010
ICAO spelling alphabet
A - Alpha
B - Bravo
C - Charlie
D - Delta
E - Echo
F - Foxtrot --> France, Frank
G - Golf
H - Hotel
I - India
J - Juliet
K - Kilo
L - Lima
M - Mike
N - November
O - Oscar
P - Papa
Q - Quebec --> Queen
R - Romeo --> Robert, Roger
S - Sierra --> Sugar
T - Tango
U - Uniform
V - Victor
W - Whiskey --> Willie, William
X - X-ray
Y - Yankee
Z - Zulu
Older spelling alphabets (from the Wikipedia article below):
Royal Navy | Western Front slang or "signalese" | RAF phonetic alphabet | RAF phonetic alphabet | U.S. phonetic alphabet |
---|---|---|---|---|
1914–1918 (WWI) | 1914–1918 (WWI) | 1924–1942 | 1943–1956 | 1941–1956 |
Apples Butter Charlie Duff Edward Freddy George Harry Ink Johnnie King London Monkey Nuts Orange Pudding Queenie Robert Sugar Tommy Uncle Vinegar Willie Xerxes Yellow Zebra | Ack Don Edward Freddie Gee Harry Ink Johnnie King London Emma Nuts Oranges Pip Queen Robert Esses Toc Uncle Vic William X-ray Yorker Zebra | Ace Don Edward Freddie George Harry Ink Johnnie King London Monkey Nuts Orange Pip Queen Robert Sugar Toc Uncle Vic William X-ray Yorker Zebra | Able/Affirm Baker Charlie Dog Easy Fox George How Item/Interrogatory Jig/Johnny King Love Mike Nab/Negat Oboe Peter/Prep Queen Roger Sugar Tare Uncle Victor William X-ray Yoke Zebra | Able Baker Charlie Dog Easy Fox George How Item Jig King Love Mike Nan Oboe Peter Queen Roger Sugar Tare Uncle Victor William X-ray Yoke Zebra |
Reference:
http://en.wikipedia.org/wiki/NATO_phonetic_alphabet
http://answers.yahoo.com/question/index?qid=20070522234919AABgqAS
Monday, July 26, 2010
Cisco Switch: show interface status
core-switch#sh int status
Port | Name | Status | Vlan | Duplex | Speed | Type |
---|---|---|---|---|---|---|
Gi3/9 | to | notconnect | 105 | full | 1000 | 1000BaseSX |
Gi3/14 | | disabled | 1 | full | 1000 | No Transceiver |
Gi4/24 | | connected | 108 | full | 1000 | 1000BaseT |
Gi6/4 | | connected | 108 | a-full | a-1000 | 10/100/1000BaseT |
Fa7/13 | | connected | 108 | a-full | a-100 | 10/100BaseTX |
Fa8/17 | | notconnect | 108 | half | auto | 10/100BaseTX |
Speed and duplex values prefixed with "a-" were auto-negotiated; plain values are hard-coded on the port. A hard-coded full-duplex port facing a peer that auto-negotiates is the usual cause of a duplex mismatch.
Name | Medium | Specified distance |
---|---|---|
1000BASE‑CX | Shielded single twisted-pair cable | 25 meters |
1000BASE‑SX | Multi-mode fiber | 220 to 550 meters dependent on fiber diameter and bandwidth |
1000BASE‑LX | Multi-mode fiber | 550 meters |
1000BASE‑LX | Single-mode fiber | 5 km |
1000BASE‑LX10 | Single-mode fiber using 1,310 nm wavelength | 10 km |
1000BASE‑ZX | Single-mode fiber at 1,550 nm wavelength | ~ 70 km |
1000BASE‑BX10 | Single-mode fiber, over single-strand fiber: 1,490 nm downstream 1,310 nm upstream | 10 km |
1000BASE‑T | Twisted-pair cabling (Cat‑5, Cat‑5e, Cat‑6, or Cat‑7) | 100 meters |
1000BASE‑TX | Twisted-pair cabling (Cat‑6, Cat‑7) | 100 meters |
Reference:
http://en.wikipedia.org/wiki/1000baseSX
http://en.wikipedia.org/wiki/Fast_Ethernet
http://forums.speedguide.net/showthread.php?t=75915
http://www.routerzone.eu/wiki/index.php/Show_interface_status_command
PIX/ASA: Upgrade a Software Image using ASDM or CLI Configuration Example
ASA5510#show disk0:
-#- --length-- -----date/time------ path
6 5124096 Jan 01 2003 00:06:22 asa702-k8.bin
7 5623108 Feb 12 2007 00:23:48 asdm-522.bin
10 5539756 Feb 12 2007 00:14:18 asdm-521.bin
11 8294400 Dec 07 2006 05:47:20 asa721-24-k8.bin
12 6002680 Dec 21 2006 03:58:30 asdm-52034.bin
13 8312832 Feb 12 2007 22:46:30 asa722-k8.bin
23949312 bytes available (38932480 bytes used)
!--- Check the new image's MD5 against the hash Cisco publishes before booting from it.
ASA5510# verify /md5 disk0:/asa722-k8.bin
!--- Command to set "asa722-k8.bin" as the boot image.
ASA5510(config)# boot system disk0:/asa722-k8.bin
!--- Command to set "asdm-522.bin" as the ASDM image.
ASA5510(config)# asdm image disk0:/asdm-522.bin
ASA5510# write memory
ASA5510# reload
To verify ASA boot image
1. show run boot
2. show boot
To verify ASDM image
1. show run asdm
2. show asdm image
Reference:
PIX/ASA: Upgrade a Software Image using ASDM or CLI Configuration Example
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml
Thursday, July 22, 2010
Cisco Switch: Find out an IP from MAC address
1. sh mac-address-table int f0/x
where x is the port number.
2. log into the default gateway router
3. sh ip arp xxxx.xxxx.xxxx
where xxxx.xxxx.xxxx is the MAC address
If you have the MAC already, skip #1.
Reference:
Cisco - Find out an IP from MAC address on Catalyst 2950
http://www.velocityreviews.com/forums/t39860-find-out-an-ip-from-mac-address-on-catalyst-2950-a.html
HowTo: Find switchport for a MAC Address on a Cisco Catalyst Switch
If you have a big network with multiple Access Switches connecting to the core switches or routers then tracing a device like a PC or a laptop for troubleshooting or security purposes is one of those tasks that you often end up doing. This is not a difficult task but can certainly be time consuming.
Let's start with an IP address on hand. If you have an IP address on hand, quickly ping it and check if the device is pingable. If yes, then simply log on to one of your core switches or routers and do a simple sh ip arp:
Core1# sh ip arp 192.168.1.15
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.15            22  0000.1111.1111  ARPA   Vlan1
From the above you know the MAC address of the device:
IP Address : 192.168.1.15
MAC Address : 0000.1111.1111
Now, do a show mac-address-table command on the core switch or router (on newer IOS releases the command is spelled show mac address-table). This will show the interface to which it is connected or through which it is learned.
Example 1:
rssv125-sw5# show mac-address-table address 0002.3F39.BFE6
You will get a response similar to this:
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  59    0002.3f39.bfe6    DYNAMIC     Fa0/24
Total Mac Addresses for this criterion: 1
If your port is a FastEthernet port (Fa0/nn) like this example shows, you know that you are connected to FastEthernet port 0/24 on switch 10.10.125.5 (rssv125-sw5).
However, many times you will get a response similar to this:
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  59    0002.3f39.bfe6    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 1
The Gi0/n indicates you are connected to a gigabit port. Since the gigabit ports only go to other switches, you know you are connected to another switch. To see what the neighboring switches are, use CDP (Cisco Discovery Protocol):
rssv125-sw5# show cdp neighbor Gi0/1 detail
The response should be something similar to this:
Device ID: rssv125-sw4
Entry address(es):
  IP address: 10.10.125.4
Platform: cisco WS-C3550-24-PWR,  Capabilities: Switch IGMP
Interface: GigabitEthernet0/1,  Port ID (outgoing port): GigabitEthernet0/1
[snip]
Now go back to the telnet step above and run through it again, except this time use the 10.10.125.4 IP address from the show cdp neighbor output. Repeat until you find the switch and port you are connected to.
Example 2:
Core1# sh mac-address-table address 0000.1111.1111
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available
  vlan   mac address     type    learn     age          ports
------+----------------+--------+-----+----------+--------------------------
Supervisor:
*    1  0000.1111.1111   dynamic  Yes         10   Te1/1
This indicates that the device is either connected to the port or reached through another switch which is connected to the interface. Looking at this, it is very likely that this is an uplink (TenGigabit Ethernet link) to another Distribution or Access switch.
Sometimes, the output might show as follows [note the Po1]:
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available
  vlan   mac address     type    learn     age          ports
------+----------------+--------+-----+----------+--------------------------
Supervisor:
*    1  0000.1111.1111   dynamic  Yes         10   Po1
This indicates that an EtherChannel is set up. So do a "show etherchannel summary" command to find the physical ports that are bundled:
Core1# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
Number of channel-groups in use: 6
Number of aggregators:           6
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         -        Te1/1(P)    Te2/1(P)
This shows the ports Te1/1 and Te2/1 as the sources through which the address is learnt.
Now, do a "show cdp neighbors" to show the directly connected devices:
Core1# sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Access1          Ten 1/1            129         R S I     WS-C6509  Ten 1/1
That tells you it is the Access switch 1 that is connected to Te1/1, and not the device itself.
Now, log on to the Access switch and do a "show mac-address-table" command for the MAC address, and that should show the interface to which it is connected.
[NOTE: unless it is a distribution switch to which again a bunch of Access switches are connected, in which case you need to go through the whole procedure as above again.]
As you can see, you now know which port the device is connected to and on which switch.
Now do a "show interface" command to show the port details:
  Hardware is C6k 1000Mb 802.3, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s
  ...
There you go, you found the switchport of the device you tried to trace!
Reference:
1. HowTo: Find switchport for a MAC Address on a Cisco Catalyst Switch
http://www.itsyourip.com/cisco/howto-find-switchport-for-a-mac-address-on-a-cisco-catalyst-switch/
2. How to Determine Which Switch and Port You are Connected To
http://www.tech-recipes.com/rx/874/how_to_determine_switch_port_connected/
3. Troubleshooting Switch Port and Interface Problems
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008015bfd6.shtml
4. Determine which switch port is connected to which switch and which port
https://learningnetwork.cisco.com/message/80118
Lets start with an IP address on hand. If you have an IP address on hand quickly ping and check if the device is pingable. If yes, then simply logon to one of your core switches or routers and do a simple sh ip arp
Core1# sh ip arp 192.168.1.15
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.15 22 0000.1111.1111 ARPA Vlan1
Internet 192.168.1.15 22 0000.1111.1111 ARPA Vlan1
From the above you know the MAC Address of for the device:
IP Address : 192.168.1.15
MAC Address : 0000.1111.1111
Now, do a show mac-address command on the core switch or router. This will show the interface to which it is connected or through which it is learned.
Example 1:
rssv125-sw5# show mac-address-table address 0002.3F39.BFE6
You will get a response similar to this:
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
59 0002.3f39.bfe6 DYNAMIC Fa0/24
Total Mac Addresses for this criterion: 1
If your port is a FastEthernet port (Fa0/nn) like this example shows, you know that you are connected to FastEthernet port 0/24 on switch 10.10.125.5 (rssv125-sw5).
However, many times you will get a response similar to this:
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
59 0002.3f39.bfe6 DYNAMIC Gi0/1
Total Mac Addresses for this criterion: 1
The Gi0/n indicates you are connected to a gigabit port. Since the gigabit ports only go to other switches, you know you are connected to another switch. To see what the neighboring switches are, use CDP (Cisco Discovery Protocol).
rssv125-sw5# show cdp neighbor Gi0/1 detail
The response should be something similar to this:
Device ID: rssv125-sw4
Entry address(es):
IP address: 10.10.125.4
Platform: cisco WS-C3550-24-PWR, Capabilities: Switch IGMP
Interface: GigabitEthernet0/1, Port ID (outgoing port): GigabitEthernet0/1
[snip]
Example 2:
Core1# sh mac-address-table address 0000.1111.1111
Legend: * – primary entry
age – seconds since last seen
n/a – not available
age – seconds since last seen
n/a – not available
vlan mac address type learn age ports
——+—————-+——–+—–+———-+————————–
Supervisor:
* 1 0000.1111.1111 dynamic Yes 10 Te1/1
——+—————-+——–+—–+———-+————————–
Supervisor:
* 1 0000.1111.1111 dynamic Yes 10 Te1/1
This indicates that the device is either connected to the port or though another switch which is connected to the interface. Looking at this, it is very likely that this is a uplink (TenGigabit Ethernet link) to another Distribution or Access switch.
Sometimes the output shows a port-channel interface instead [note the Po1]:
Legend: * - primary entry
age - seconds since last seen
n/a - not available
vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------------
Supervisor:
* 1 0000.1111.1111 dynamic Yes 10 Po1
This means the address was learned over an EtherChannel (port-channel Po1), so run the show etherchannel summary command to find the physical ports bundled in it.
Core1# show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
Number of channel-groups in use: 6
Number of aggregators: 6
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) - Te1/1(P) Te2/1(P)
This shows that Po1 is made up of Te1/1 and Te2/1, so the address was learned over one of those two physical links.
Now run show cdp neighbors to list the directly connected Cisco devices.
Core1# sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
Access1 Ten 1/1 129 R S I WS-C6509 Ten 1/1
That tells you that Te1/1 leads to the access switch Access1, not to the device itself.
Now log on to the access switch and run show mac-address-table address for the same MAC; it should show the port to which the device is connected.
[NOTE: if that switch is itself a distribution switch with more access switches hanging off it, repeat the whole procedure above from there.]
Access1# show mac-address-table address 0000.1111.1111
vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------------
Supervisor:
* 1 0000.1111.1111 dynamic Yes 10 Gi1/24
Now you can see which switch and which port the device is connected to.
Run show interface on that port to see its details.
Access1>sh int gigabitEthernet 1/24
GigabitEthernet1/24 is up, line protocol is up (connected)
Hardware is C6k 1000Mb 802.3, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s
[snip]
There you go: you have found the switchport of the device you were tracing.
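The hop-by-hop procedure above (look up the MAC, expand a port-channel into its member ports, ask CDP whether the port leads to another switch, and repeat on that switch) is mechanical enough to script once the show output has been captured. The following is an added example, not code from the original post: it runs the same decision logic over saved command output. The switch names, MAC address and captures are constructed to match the two table layouts shown above (Catalyst 6500 "Supervisor" style on Core1, Catalyst 2960/3550 style on Access1); the dictionary stands in for output you would collect over SSH.

```python
"""Trace a MAC address to its edge switchport from captured `show` output."""
import re

# Constructed sample captures, not real devices: {switch: {command: output}}.
# Core1 uses the Catalyst 6500 table layout, Access1 the 2960/3550 layout.
CAPTURES = {
    "Core1": {
        "show mac-address-table address 0000.1111.1111": """
Legend: * - primary entry
vlan   mac address     type     learn  age  ports
------+----------------+--------+-----+----+------
Supervisor:
*    1  0000.1111.1111  dynamic  Yes   10   Po1
""",
        "show etherchannel summary": """
Group  Port-channel  Protocol  Ports
------+-------------+---------+-------------------
1      Po1(SU)       -         Te1/1(P)  Te2/1(P)
""",
        "show cdp neighbors": """
Device ID  Local Intrfce  Holdtme  Capability  Platform  Port ID
Access1    Ten 1/1        129      R S I       WS-C6509  Ten 1/1
Access1    Ten 2/1        129      R S I       WS-C6509  Ten 2/1
""",
    },
    "Access1": {
        "show mac-address-table address 0000.1111.1111": """
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0000.1111.1111    DYNAMIC     Gi1/24
Total Mac Addresses for this criterion: 1
""",
        "show cdp neighbors": """
Device ID  Local Intrfce  Holdtme  Capability  Platform  Port ID
Core1      Ten 1/1        155      R S I       WS-C6509  Ten 1/1
""",
    },
}

def canon(ifname):
    """Normalise 'Ten 1/1', 'TenGigabitEthernet1/1' and 'Te1/1' to 'te1/1' so the
    CDP and MAC-table spellings of one interface compare equal."""
    m = re.match(r"\s*([A-Za-z]+)\s*([\d/.]+)", ifname)
    return (m.group(1)[:2] + m.group(2)).lower() if m else ifname.lower()

def port_for_mac(mac_table, mac):
    """Port that learned `mac`, or None. In both table layouts the port is the
    last column of the one row that contains the address."""
    for line in mac_table.splitlines():
        if mac.lower() in line.lower():
            return line.split()[-1]
    return None

def etherchannel_members(summary, po):
    """Physical ports bundled in port-channel `po` ('Po1' -> ['Te1/1', 'Te2/1']),
    read from the 'Po1(SU)  -  Te1/1(P) Te2/1(P)' row of show etherchannel summary."""
    for line in summary.splitlines():
        parts = line.split()
        if len(parts) > 3 and parts[1].startswith(po + "("):
            return [p.split("(")[0] for p in parts[3:]]
    return []

# Device ID, local interface (possibly 'Ten 1/1' with a space), then hold time.
CDP_ROW = re.compile(r"^(\S+)\s+([A-Za-z]+\s?[\d/.]+)\s+\d+\s", re.M)

def cdp_neighbor(cdp_output, ifname):
    """Device ID of the CDP neighbour on `ifname`, or None when CDP sees nothing
    there (as far as CDP can tell, the port is then an edge port)."""
    want = canon(ifname)
    for m in CDP_ROW.finditer(cdp_output):
        if canon(m.group(2)) == want:
            return m.group(1)
    return None

def trace_mac(captures, start, mac, max_hops=16):
    """Follow `mac` from `start` towards the edge and return the list of
    (switch, port) hops; the last hop is the port with no CDP neighbour."""
    switch, hops, seen = start, [], set()
    while switch not in seen and len(hops) < max_hops:
        seen.add(switch)
        cmds = captures[switch]
        port = port_for_mac(cmds[f"show mac-address-table address {mac}"], mac)
        if port is None:
            raise LookupError(f"{mac} is not in the MAC table of {switch}")
        hops.append((switch, port))
        # A port-channel is never the edge: expand it and ask CDP about a member.
        if canon(port).startswith("po"):
            physical = etherchannel_members(cmds.get("show etherchannel summary", ""), port)
        else:
            physical = [port]
        neighbours = (cdp_neighbor(cmds["show cdp neighbors"], p) for p in physical)
        nxt = next((n for n in neighbours if n), None)
        if nxt is None:
            return hops
        switch = nxt
    raise RuntimeError(f"trace of {mac} looped or exceeded {max_hops} hops")

if __name__ == "__main__":
    for sw, port in trace_mac(CAPTURES, "Core1", "0000.1111.1111"):
        print(f"{sw}: {port}")
```

Three caveats when you use this for real. CDP only reports Cisco neighbours, so a port with no CDP entry may still lead to another vendor's switch (check show lldp neighbors) or to an unmanaged switch, hub or hypervisor; if the final port has many MAC addresses on it, that is what you are looking at. Dynamic MAC entries age out (300 seconds by default on Catalyst IOS), so the host must have sent traffic recently for the trail to exist. And the source MAC is chosen by the sender, so for an incident the port you end up on is where frames carrying that address entered the network, which you should corroborate with port security, the DHCP snooping binding table or the ARP table before treating the port as the culprit.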
Reference:
1. HowTo: Find switchport for a MAC Address on a Cisco Catalyst Switch
http://www.itsyourip.com/cisco/howto-find-switchport-for-a-mac-address-on-a-cisco-catalyst-switch/
2. How to Determine Which Switch and Port You are Connected To
http://www.tech-recipes.com/rx/874/how_to_determine_switch_port_connected/
3. Troubleshooting Switch Port and Interface Problems
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008015bfd6.shtml
4. Determine which switch port connected to which switch and which port
https://learningnetwork.cisco.com/message/80118
Tuesday, July 20, 2010
Cisco PIX to ASA migration guide
There are two ways to convert a PIX configuration to an ASA configuration:
1. manual conversion
2. tool-assisted conversion
LAN-Based Failover
PIX 6.3(5) configuration (before conversion):
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
interface gb-ethernet2 1000auto
interface gb-ethernet2 vlan50 logical
interface gb-ethernet2 vlan55 logical
interface ethernet0 100full
interface ethernet1 100full
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif gb-ethernet2 dmz security8
nameif ethernet0 eng security4
nameif ethernet1 mkt security4
nameif vlan50 vlan50 security10
nameif vlan55 vlan55 security12
ip address outside 5.5.5.45 255.255.255.0
ip address inside 14.36.8.48 255.255.0.0
ip address dmz 1.1.1.6 255.255.255.0
ip address mkt 2.2.2.2 255.255.255.0
ip address vlan50 50.1.1.1 255.0.0.0
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 5.5.5.68
failover ip address inside 14.36.199.34
failover ip address mkt 2.2.2.4
failover ip address vlan50 50.1.1.2
failover lan unit primary
failover lan interface mkt
failover link vlan55
failover lan enable
Converted ASA configuration:
: Original Interface id gb-ethernet0
interface GigabitEthernet0/0
 ip address 5.5.5.45 255.255.255.0 standby 5.5.5.68
 nameif outside
 security-level 0
: Original Interface id gb-ethernet1
interface GigabitEthernet0/1
 ip address 14.36.8.48 255.255.0.0 standby 14.36.199.34
 nameif inside
 security-level 100
: Original Interface id gb-ethernet2
interface GigabitEthernet0/2
 ip address 1.1.1.6 255.255.255.0
 nameif dmz
 security-level 8
: Original Interface id gb-ethernet2_50
interface GigabitEthernet0/2.50
 vlan 50
 ip address 50.1.1.1 255.0.0.0 standby 50.1.1.2
 nameif vlan50
 security-level 10
: Original Interface id gb-ethernet2_55
interface GigabitEthernet0/2.55
 vlan 55
 no ip address
 no shutdown
: Original Interface id ethernet0
interface GigabitEthernet0/3
 no ip address
 no shutdown
 nameif eng
: Original Interface id ethernet1
: Failover
interface GigabitEthernet1/0
 security-level 4
failover
failover timeout 0:00:00
:::: your failover poll timer syntax has been corrected from 'failover poll 15' to 'failover polltime 15'
failover polltime 15
failover lan unit primary
:::: failover lan interface mkt -> failover lan interface mkt GigabitEthernet1/0
failover lan interface mkt GigabitEthernet1/0
failover interface ip mkt 2.2.2.2 255.255.255.0 standby 2.2.2.4
:::: failover link vlan55 -> failover link vlan55 GigabitEthernet0/2.55
failover link vlan55 GigabitEthernet0/2.55
failover interface ip vlan55 0.0.0.0 0.0.0.0 standby 0.0.0.0
:::: Not supported - failover lan enable
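Whether the conversion is done by hand or by the tool, the result deserves a review before it goes onto the appliance. The following is an added example, not part of the original post or of Cisco's migration tool: it parses ASA-style configuration text and flags three things to check after a PIX-to-ASA migration. The embedded sample is the converted configuration above with the ":"-prefixed comment lines dropped and the sub-commands indented one space, the way the ASA itself prints them. On that sample it reports that failover is enabled with no failover key, so failover and stateful-failover traffic (which includes the configuration replicated to the standby unit, passwords and all) crosses the failover links in clear text; that the vlan55 failover link still carries the 0.0.0.0 addresses the converter emitted because the PIX had no address on it; and that the eng interface has a nameif but no security-level, which the ASA defaults to 0 (100 only for an interface named inside) even though the PIX had it at security4.

```python
"""Audit a converted ASA configuration before it is loaded onto the appliance."""
import re

# Constructed sample: the converted configuration from the post, minus the
# ':' comment lines, with sub-commands indented one space as the ASA prints them.
SAMPLE_ASA_CONFIG = """\
interface GigabitEthernet0/0
 ip address 5.5.5.45 255.255.255.0 standby 5.5.5.68
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 ip address 14.36.8.48 255.255.0.0 standby 14.36.199.34
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 ip address 1.1.1.6 255.255.255.0
 nameif dmz
 security-level 8
interface GigabitEthernet0/2.50
 vlan 50
 ip address 50.1.1.1 255.0.0.0 standby 50.1.1.2
 nameif vlan50
 security-level 10
interface GigabitEthernet0/2.55
 vlan 55
 no ip address
 no shutdown
interface GigabitEthernet0/3
 no ip address
 no shutdown
 nameif eng
interface GigabitEthernet1/0
 security-level 4
failover
failover timeout 0:00:00
failover polltime 15
failover lan unit primary
failover lan interface mkt GigabitEthernet1/0
failover interface ip mkt 2.2.2.2 255.255.255.0 standby 2.2.2.4
failover link vlan55 GigabitEthernet0/2.55
failover interface ip vlan55 0.0.0.0 0.0.0.0 standby 0.0.0.0
"""

FAILOVER_IP = re.compile(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)")

def parse_interfaces(config):
    """{interface name: [sub-commands]} from ASA config text; sub-commands are
    the indented lines directly under an 'interface ...' line."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return blocks

def audit_asa_config(config):
    """Return a list of findings (an empty list means the three checks passed)."""
    findings = []
    top = [l for l in config.splitlines() if l and not l.startswith((" ", ":"))]
    # 1. Failover without a shared key: the failover and stateful-failover links
    #    then carry the replicated configuration, passwords included, in clear text.
    if "failover" in top and not any(l.startswith("failover key") for l in top):
        findings.append("failover enabled without 'failover key': failover traffic "
                        "is sent in clear text")
    # 2. Placeholder 0.0.0.0 addresses on a failover link: emitted when the PIX
    #    interface had no address; real active/standby addresses are required.
    for l in top:
        m = FAILOVER_IP.match(l)
        if m and "0.0.0.0" in m.groups():
            findings.append(f"failover interface {m.group(1)}: placeholder 0.0.0.0 "
                            "address, assign real active/standby addresses")
    # 3. Named interface without an explicit security-level: the ASA defaults it
    #    to 0, or to 100 only when the nameif is 'inside'.
    for name, subs in parse_interfaces(config).items():
        nameif = next((s.split()[1] for s in subs if s.startswith("nameif ")), None)
        if nameif and not any(s.startswith("security-level") for s in subs):
            findings.append(f"{name} ({nameif}): no security-level, ASA will default "
                            f"it to {100 if nameif == 'inside' else 0}")
    return findings

if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_ASA_CONFIG):
        print("FINDING:", finding)
```

Paste the output of show running-config from the new unit in place of the sample to run the same checks on a real conversion. The failover key must be identical on both units, and after the pair is up, show failover confirms the state of both the failover link and the stateful link.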
Reference:
1. Migration Guide for Converting Cisco PIX Configurations to Cisco ASA 5500 Series Configurations
http://www.cisco.com/en/US/docs/security/asa/migration/guide/pix2asa.html
2. Migration from PIX 500 Series Security Appliances to ASA 5500 Series Adaptive Security Appliances
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808554ed.shtml