Friday, August 13, 2010

Five steps to configure SSH in Cisco ASA

1) username xxxx password xxxx
2) passwd xxxxx
3) ssh x.x.x.x x.x.x.x {inside/outside}
4) crypto key generate rsa modulus {512/768/1024/2048}
5) aaa authentication ssh console LOCAL

Notes: step 3 takes an address and a netmask, so restrict it to the management hosts or subnet rather than 0.0.0.0 0.0.0.0. Step 4 must succeed before the ASA accepts SSH connections; use 2048 bits, since 512 and 768 are far too weak for current use and 1024 is borderline. Without step 5 the ASA authenticates SSH logins as the built-in user "pix" with the password from step 2; with it, the local username from step 1 is required.

https://learningnetwork.cisco.com/docs/DOC-2820

Wednesday, August 11, 2010

How to find files in Ms Windows using command line

dir c:\Local\Data\xxx\ /s /b | find "string"

Find
http://technet.microsoft.com/en-us/library/cc725655%28WS.10%29.aspx

Dir
http://technet.microsoft.com/en-us/library/cc755121%28WS.10%29.aspx

Examples

To display all lines from Pencil.ad that contain the string "Pencil Sharpener", type:

find "Pencil Sharpener" pencil.ad


To find a string that contains text within quotation marks, you must enclose the entire string in quotation marks. Then you must use two quotation marks for each quotation mark contained within the string. To find "The scientists labeled their paper "for discussion only." It is not a final report." in Report.doc, type:

find "The scientists labeled their paper ""for discussion only."" It is not a final report." report.doc


If you want to search for a set of files, you can use the find command within the for command. To search the current directory for files that have the extension .bat and that contain the string "PROMPT", type:

for %f in (*.bat) do find "PROMPT" %f 


To search your hard disk to find and display the file names on drive C that contain the string "CPU", use the pipe (|) to direct the output of the dir command to the find command as follows:

dir c:\ /s /b | find "CPU" 


Because find searches are case-sensitive, either type the string in exactly the case used in the file names or use the /i command-line option with find.

Saturday, August 7, 2010

EtherChannel, Port Channel, Trunking, Port trunking, Link aggregation

Po1, which stands for the interface "port-channel1". This is the logical interface created when an Etherchannel is built. We are now using both physical paths between the two switches at one time!
http://ezinearticles.com/?Cisco-CCNA-/-CCNP-Certification:-How-And-Why-To-Build-An-Etherchannel&id=93114

Etherchannel/port-channel
On Cisco switches it is possible to bundle several physical interfaces into one logical connection (the port-channel). The member interfaces must have the same speed and duplex settings, and for a Layer 2 channel the same VLAN/trunk configuration.

Cisco switch show commands
· show interfaces port-channel [channel-group-number]
· show etherchannel [channel-group-number] summary

http://www.edgenetworks.nl/etherchannel.html
[Figure: EtherChannel between a switch and a server]

EtherChannel is a port trunking (link aggregation being the general term) technology or port-channel architecture used primarily on Cisco switches. It allows grouping several physical Ethernet links to create one logical Ethernet link for the purpose of providing fault-tolerance and high-speed links between switches, routers and servers. An EtherChannel can be created from between two and eight active Fast Ethernet, Gigabit Ethernet or 10-Gigabit Ethernet ports, with an additional one to eight inactive (failover) ports which become active as the other active ports fail. EtherChannel is primarily used in the backbone network, but can also be used to connect end user machines.
http://en.wikipedia.org/wiki/EtherChannel

Trunking
In modern communications, trunking is a concept by which a communications system can provide network access to many clients by sharing a set of lines or frequencies instead of providing them individually. This is analogous to the structure of a tree with one trunk and many branches. Examples of this include telephone systems and the VHF radios commonly used by police agencies. More recently port trunking has been applied in computer networking as well.
http://en.wikipedia.org/wiki/Trunking

[Figure: Link aggregation between a switch and a server]

Link aggregation/Port trunking
Link aggregation or IEEE 802.1AX-2008 is a computer networking term which describes using multiple network cables/ports in parallel to increase the link speed beyond the limits of any one single cable or port, and to increase the redundancy for higher availability.
http://en.wikipedia.org/wiki/Link_aggregation
http://en.wikipedia.org/wiki/Port_trunking

How to use the OSI Model to Troubleshoot Networks

When I get a call from a user that explains a problem they are having, I would immediately visualize the OSI model. The user might say that they can’t bring up a graphic they are trying to download from the Internet. That graphic is brought up in an application (layer 7 of the OSI model). I could either start at the top or the bottom, depending on what I suspected was the problem. I would usually start at the bottom (termed the “bottom up approach”). At the bottom of the OSI model is the physical layer (layer 1). So, I would proceed to ask them questions like this:
  • Is your network cable plugged in? (physical)
  • Is there a link light on the Ethernet switch and Ethernet NIC? (data-link)
  • Do you have an IP address? (network)
  • Can you ping your default gateway? (network, testing LAN IP connectivity)
  • Do you have DNS server information?
  • Can you ping your DNS server? (network, testing IP connectivity)
  • Do you have a firewall configured? (network on up to application)
  • Can you ping the host you are trying to get to by name? (application, DNS and network WAN IP connectivity)
  • What format is the graphic in? Do you have a viewer for that format? (presentation)
  • Can your web browser open up another website? (basic application troubleshooting)
How to use the OSI Model to Troubleshoot Networks
by David Davis, vExpert, VCP, CCIE 9369 - January 7, 2009
http://www.petri.co.il/csc_how_to_use_the_osi_model_to_troubleshoot_networks.htm

WebVPN troubleshooting

Problems in authentication

1. Error in authentication
Type your username and password:

2. Slow Internet connection
If your Internet connection is slow or unstable, the login may fail with an authentication error because the request times out. Check your Internet connection.

3. Losing connection
Once you've logged in, every new URL that opens will begin with: https:///
If a new window opens without it, it's a sign you've lost connection to the VPN service.

4. Proxy settings
If you are connected successfully and you can't reach sites with your browser (The problem repeats itself especially when connected behind a router) - try to change your proxy settings. 

Reference:

Thursday, August 5, 2010

AAA: Authentication, Authorization and Accounting

control traffic based on the IP address and protocol -> access lists
control access for specific users or groups -> authentication
control use for specific users or groups -> authorization

Authentication -> who the user is
Authorization -> what the user can do
Accounting -> what the user did

PIX/ASA: Cut-through Proxy for Network Access using TACACS+ and RADIUS Server Configuration Example
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

Authentication
Authentication refers to the process where an entity's identity is authenticated, typically by providing evidence that it holds a specific digital identity such as an identifier and the corresponding credentials. Examples of types of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).

Authorization
The "authorization" function determines whether a particular entity is authorized to perform a given activity, typically logging on to an application or service. Authorization may be determined based on a range of restrictions, for example time-of-day restrictions, or physical location restrictions, or restrictions against multiple logins by the same entity or user. Examples of types of service include, but are not limited to: IP address filtering, address assignment, route assignment, Quality of Service/differential services, bandwidth control/traffic management, compulsory tunneling to a specific endpoint, and encryption.

Accounting
Accounting refers to the tracking of the consumption of network resources by users. This information may be used for management, planning, billing, or other purposes. Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources. Batch accounting refers to accounting information that is saved until it is delivered at a later time. Typical information that is gathered in accounting is the identity of the user, the nature of the service delivered, when the service began, and when it ended.

AAA protocol
http://en.wikipedia.org/wiki/AAA_protocol

Saturday, July 31, 2010

How to make an international phone call

Example, call from Malaysia to USA

00 + 1 + Area Code + Tel #

00 = country exit code (dialled from Malaysia)
1  = country code of the USA

Reference:
Call from  Malaysia to United States
http://www.countrycodes.com/search_usa.php?t=250&f=146

Country Codes for International Calling & Area Codes
http://www.countrycodes.com/

tcpdump

How to find the right interface

route get 
netstat -nr


To list all network interfaces
tcpdump -D
ifconfig -a | grep :

To capture traffic from interface eth0, source ip = 10.10.10.10 & destination ip = 10.10.10.11
tcpdump -i eth0 src 10.10.10.10 and dst 10.10.10.11

Reference:
Manpage of TCPDUMP
http://www.tcpdump.org/tcpdump_man.html

A tcpdump Tutorial and Primer
http://danielmiessler.com/study/tcpdump/

Check The Routes
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs#Check_The_Routes

Using TCPdump

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs#Using_TCPdump

SANS POCKET REFERENCE GUIDE: TCP/IP and tcpdump
http://www.sans.org/security-resources/tcpip.pdf?ref=3871

Checkpoint: fw monitor

Say we want to capture packets involving the following addresses:

Source IP = 10.10.10.10
Destination IP = 10.10.10.11

Note that the filter below uses "or", so it shows every packet with 10.10.10.10 as source or 10.10.10.11 as destination; to see only that one flow, use "and" instead.

[Expert@cpmodule]# fw monitor -e 'accept src=10.10.10.10 or dst=10.10.10.11;'
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
^C
monitor: caught sig 2
monitor: unloading
[Expert@cpmodule]# cat $FWDIR/tmp/monitorfilter.pf
#define src ip_src
#define dst ip_dst
#define sport th_sport
#define dport th_dport
#include "tcpip.def"
accept src=10.10.10.10 or dst=10.10.10.11;

Reference:
How to use fw monitor (page 36)
http://www.checkpoint.com/techsupport/downloads/html/ethereal/fw_monitor_rev1_01.pdf

FW MONITOR
http://www.cpug.org/check_point_resources/FW MONITOR_expert.doc

Cisco: View Active SSH Sessions

Issue this command in order to check the number of SSH sessions that are connected and the connection state to the PIX:
pix#show ssh session
 
SID Client IP       Version Mode Encryption Hmac     State            Username
0   10.1.1.2        1.99    IN   aes128-cbc md5      SessionStarted   pix
                            OUT  aes128-cbc md5      SessionStarted   pix
Reference:
PIX/ASA 7.x: SSH/Telnet on the Inside and Outside Interface Configuration Example
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#active

Cisco: View Active Telnet Sessions - who

who


To display active Telnet administration sessions on the adaptive security appliance, use the who command in privileged EXEC mode. 


Usage Guidelines


The who command allows you to display the TTY_ID and IP address of each Telnet client that is currently logged into the adaptive security appliance.

Examples


This example shows the output of the who command when a client is logged into the adaptive security appliance through a Telnet session:

hostname# who
0: 100.0.0.2
hostname# who 100.0.0.2
0: 100.0.0.2
hostname#

Related Commands

kill     Terminate a Telnet session.
telnet   Adds Telnet access to the adaptive security appliance console and sets the idle timeout.


Reference:
who
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1634239

Wednesday, July 28, 2010

How to find the source interface or the right access-group

1. Note the source IP of the flow.
2. show route | grep for the source address (or its network); the matching route names the interface the packet arrives on.

3.1. show run | grep access-group   (Cisco PIX)
or
3.2. show run access-group          (Cisco ASA)

The access-group bound "in" on that interface is the ACL the packet is checked against.

Cisco ASA: Packet-Tracer

The packet-tracer command lets you do the following:
  • Debug all packet drops in production network.
  • Verify the configuration is working as intended.
  • Show all rules applicable to a packet along with the CLI lines which caused the rule addition.
  • Show a time line of packet changes in a data path.
  • Inject tracer packets into the data path.
The packet-tracer command provides detailed information about the packets and how they are processed by the security appliance. In the instance that a command from the configuration did not cause the packet to drop, the packet-tracer command will provide information about the cause in an easily readable manner. For example if a packet was dropped because of an invalid header validation, a message is displayed that says, “packet dropped due to bad ip header (reason).”

How to use packet-tracer


packet-tracer input [src_int] protocol src_addr src_port dst_addr dst_port [detailed] [xml]

src_int  = source interface (nameif)
protocol = icmp / rawip / tcp / udp
src_addr = source IP address
src_port = source port
dst_addr = destination IP address
dst_port = destination port


Examples:
1. To trace a TCP packet from inside host 10.2.25.3 to the external web server 209.165.202.158, enter the following:

ASA5510# packet-tracer input inside tcp 10.2.25.3 3000 209.165.202.158 http
or
ASA5510# packet-tracer input inside tcp 10.2.25.3 3000 209.165.202.158 80

where;
inside  is Source Interface
tcp  is protocol
10.2.25.3 is Source IP Address
3000 is Source port
209.165.202.158 is Destination IP Address
http / 80 is Destination port


Reference:
Cisco ASA Troubleshooting Tool Kit
http://www.networkblueprints.com/troubleshooting/cisco-asa-troubleshooting-tool-kit

PIX/ASA 7.2(1) and later: Intra-Interface Communications
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

Packet capture and sniffing using the Cisco ASA Firewall
http://www.networkstraining.com/packet-capture-and-sniffing-using-the-cisco-asa-firewall/

Cisco ASA troubleshooting command packet-tracer
http://informationsecuritytips.com/2009/04/cisco-asa-troubleshooting-command-packet-tracer/

ICMP: Internet Control Message Protocol



Reference:
http://security.maruhn.com/iptables-tutorial/x4634.htm
http://www.faqs.org/docs/iptables/icmpconnections.html 


ICMP Echo request, Type 8 Code 0

ICMP Echo reply, Type 0 Code 0
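The two message types above in working form, as an added example that is not part of the original notes: a small Python module that builds an echo request (type 8, code 0), derives the echo reply (type 0, code 0) a host would return, and verifies the RFC 1071 checksum on a received message before trusting its type. It constructs the packets in memory rather than sending them, so it needs no raw socket; all function and constant names are my own.

```python
import struct

ICMP_ECHO_REQUEST = 8   # Type 8, Code 0
ICMP_ECHO_REPLY = 0     # Type 0, Code 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length message
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request/reply: type, code 0, checksum, identifier, sequence, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)   # checksum field zeroed
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message into fields and check its checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # Summing the whole message with the checksum field in place gives 0
    # (after complementing) only if no bit was changed in transit.
    return {"type": icmp_type, "code": code, "checksum": csum, "id": ident,
            "seq": seq, "payload": packet[8:],
            "checksum_ok": icmp_checksum(packet) == 0}


def classify(packet: bytes) -> str:
    """Name the message as a firewall rule would see it; reject corrupt ones first."""
    p = parse_icmp(packet)
    if not p["checksum_ok"]:
        return "bad-checksum"
    if p["type"] == ICMP_ECHO_REQUEST and p["code"] == 0:
        return "echo-request"
    if p["type"] == ICMP_ECHO_REPLY and p["code"] == 0:
        return "echo-reply"
    return "other"


def reply_to(request: bytes) -> bytes:
    """What the pinged host sends back: same id, seq and payload, type 0."""
    p = parse_icmp(request)
    return build_echo(ICMP_ECHO_REPLY, p["id"], p["seq"], p["payload"])
```

The identifier/sequence pair is what lets a ping client (and a stateful firewall) match a reply to the request that caused it; a reply whose id/seq was never sent is exactly what the iptables "related" tracking in the references above would drop.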


Reference:
http://en.wikipedia.org/wiki/Ping
http://www.linuxtopia.org/Linux_Firewall_iptables/x270.html

Shortcut: Windows Explorer

explorer /e, C:\

You can use the following switches with the Explorer.exe command.

Switch    Result
/n        Opens a new single-pane window for the default selection. This is usually the root of the drive on which Windows is installed.
/e        Starts Windows Explorer using its default view.
/e,       Starts Windows Explorer using its default view with the focus on the specified folder.
/root,    Opens a window view of the specified object.
/select,  Opens a window view with the specified folder, file or program selected.

Examples

The following examples describe the use of Windows Explorer switches.
  • Explorer /n
    This command opens an Explorer window using the default setting. This is usually the root of the drive on which Windows is installed.
  • Explorer /e
    This command starts Windows Explorer using the default view.
  • Explorer /e,C:\Windows
    This command starts Windows Explorer using the default view, with the focus on C:\Windows.
  • Explorer /root, C:\Windows\Cursors
    This command starts Windows Explorer at the C:\Windows\Cursors folder. This example uses C:\Windows\Cursors as the "root" directory for Windows Explorer.

    NOTE: Note the comma after the "/root" switch in the command.
  • Explorer /select, C:\Windows\Cursors\banana.ani
    This command starts Windows Explorer with the "C:\Windows\Cursors\banana.ani" file selected.

    NOTE: Note the comma after the "/select" switch in the command.
The Windows Explorer switches can be combined in a single command. The following example shows the combination of the Windows Explorer command-line switches.
  • Explorer /root, \\server\share, /select, Program.exe
    This command starts Windows Explorer using the remote share as its "root" folder, with the Program.exe file selected.

Change the Windows Explorer Default Startup Folder

To change the default startup folder for Windows Explorer:
  1. Click Start, point to All Programs, point to Accessories, and then right-click Windows Explorer.
  2. On the menu that appears, click Properties.
  3. In the Target box, append the "/root" command-line switch to the "%SystemRoot%\Explorer.exe" command, using the startup location that you want. For example, if you want Windows Explorer to start at the root of drive C, edit the command to the following:
    %SystemRoot%\Explorer.exe /root, C:\
  4. Click OK.
Reference: How To Customize the Windows Explorer Views in Windows XP http://support.microsoft.com/kb/307856

Tuesday, July 27, 2010

ICAO spelling alphabet

A - Alpha (ICAO spelling: Alfa)
B - Bravo
C - Charlie
D - Delta
E - Echo
F - Foxtrot   --> France, Frank
G - Golf
H - Hotel
I - India
J - Juliet (ICAO spelling: Juliett)
K - Kilo
L - Lima
M - Mike
N - November
O - Oscar
P - Papa
Q - Quebec    --> Queen
R - Romeo    --> Robert, Roger
S - Sierra    -->Sugar
T - Tango
U - Uniform
V - Victor
W - Whiskey   --> Willie, William
X - X-ray
Y - Yankee
Z - Zulu



Military alphabets before 1956

        United Kingdom                                                      United States
Letter  Royal Navy     Western Front slang   RAF phonetic  RAF phonetic         U.S. phonetic
        (WWI)          or "signalese"        alphabet      alphabet             alphabet
                       1914–1918             1924–1942     1943–1956            1941–1956
A       Apples         Ack                   Ace           Able/Affirm          Able
B       Butter         Beer                  Beer          Baker                Baker
C       Charlie        Charlie               Charlie       Charlie              Charlie
D       Duff           Don                   Don           Dog                  Dog
E       Edward         Edward                Edward        Easy                 Easy
F       Freddy         Freddie               Freddie       Fox                  Fox
G       George         Gee                   George        George               George
H       Harry          Harry                 Harry         How                  How
I       Ink            Ink                   Ink           Item/Interrogatory   Item
J       Johnnie        Johnnie               Johnnie       Jig/Johnny           Jig
K       King           King                  King          King                 King
L       London         London                London        Love                 Love
M       Monkey         Emma                  Monkey        Mike                 Mike
N       Nuts           Nuts                  Nuts          Nab/Negat            Nan
O       Orange         Oranges               Orange        Oboe                 Oboe
P       Pudding        Pip                   Pip           Peter/Prep           Peter
Q       Queenie        Queen                 Queen         Queen                Queen
R       Robert         Robert                Robert        Roger                Roger
S       Sugar          Esses                 Sugar         Sugar                Sugar
T       Tommy          Toc                   Toc           Tare                 Tare
U       Uncle          Uncle                 Uncle         Uncle                Uncle
V       Vinegar        Vic                   Vic           Victor               Victor
W       Willie         William               William       William              William
X       Xerxes         X-ray                 X-ray         X-ray                X-ray
Y       Yellow         Yorker                Yorker        Yoke                 Yoke
Z       Zebra          Zebra                 Zebra         Zebra                Zebra

Reference:
http://en.wikipedia.org/wiki/NATO_phonetic_alphabet
http://answers.yahoo.com/question/index?qid=20070522234919AABgqAS

Monday, July 26, 2010

Cisco Switch: show interface status

core-switch#sh int status
Port    Name               Status       Vlan       Duplex  Speed Type
Gi3/9   to                 notconnect   105          full   1000 1000BaseSX
Gi3/14                     disabled     1            full   1000 No Transceiver
Gi4/24                     connected    108          full   1000 1000BaseT
Gi6/4                      connected    108        a-full a-1000 10/100/1000BaseT
Fa7/13                     connected    108        a-full  a-100 10/100BaseTX
Fa8/17                     notconnect   108          half   auto 10/100BaseTX

Name           Medium                                                     Specified distance
1000BASE-CX    Shielded single twisted-pair cable                         25 m
1000BASE-SX    Multi-mode fiber                                           220 to 550 m, depending on fiber diameter and bandwidth
1000BASE-LX    Multi-mode fiber                                           550 m
1000BASE-LX    Single-mode fiber                                          5 km
1000BASE-LX10  Single-mode fiber, 1,310 nm wavelength                     10 km
1000BASE-ZX    Single-mode fiber, 1,550 nm wavelength                     ~70 km
1000BASE-BX10  Single-strand single-mode fiber, 1,490 nm down / 1,310 nm up   10 km
1000BASE-T     Twisted-pair cabling (Cat-5, Cat-5e, Cat-6, or Cat-7)      100 m
1000BASE-TX    Twisted-pair cabling (Cat-6, Cat-7)                        100 m

Reference:
http://en.wikipedia.org/wiki/1000baseSX
http://en.wikipedia.org/wiki/Fast_Ethernet
http://forums.speedguide.net/showthread.php?t=75915

http://www.routerzone.eu/wiki/index.php/Show_interface_status_command

PIX/ASA: Upgrade a Software Image using ASDM or CLI Configuration Example


ASA5510#show disk0:
-#- --length-- -----date/time------ path
  6 5124096    Jan 01 2003 00:06:22 asa702-k8.bin
  7 5623108    Feb 12 2007 00:23:48 asdm-522.bin
 10 5539756    Feb 12 2007 00:14:18 asdm-521.bin
 11 8294400    Dec 07 2006 05:47:20 asa721-24-k8.bin
 12 6002680    Dec 21 2006 03:58:30 asdm-52034.bin
 13 8312832    Feb 12 2007 22:46:30 asa722-k8.bin
23949312 bytes available (38932480 bytes used)

!--- Command to set "asa722-k8.bin" as the boot image.
ASA5510(config)# boot system disk0:/asa722-k8.bin

!--- Command to set "asdm-522.bin" as the ASDM image.
ASA5510(config)# asdm image disk0:/asdm-522.bin
ASA5510# write memory
ASA5510# reload



To verify ASA boot image
1. show run boot
2. show boot


To verify ASDM image
1. show run asdm
2. show asdm image


Reference:
PIX/ASA: Upgrade a Software Image using ASDM or CLI Configuration Example
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml

Thursday, July 22, 2010

Cisco Switch: Find out an IP from MAC address

1. sh mac-address-table interface f0/x
   , where x is the port number.
2. Log into the default gateway router.
3. sh ip arp xxxx.xxxx.xxxx
   , where xxxx.xxxx.xxxx is the MAC address.

If you already have the MAC address, skip step 1.

Reference:
Cisco - Find out an IP from MAC address on CAtalyst 2950
http://www.velocityreviews.com/forums/t39860-find-out-an-ip-from-mac-address-on-catalyst-2950-a.html

HowTo: Find switchport for a MAC Address on a Cisco Catalyst Switch

If you have a big network with multiple Access Switches connecting to the core switches or routers then tracing a device like a PC or a laptop for troubleshooting or security purposes is one of those tasks that you often end up doing. This is not a difficult task but can certainly be time consuming.

Let's start with an IP address in hand. Ping it first, so that the gateway has a fresh ARP entry for it. If it replies, log on to one of your core switches or routers and run sh ip arp for the address:

Core1# sh ip arp 192.168.1.15
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.15           22   0000.1111.1111  ARPA   Vlan1

From the above you know the MAC address of the device:
IP Address : 192.168.1.15
MAC Address : 0000.1111.1111


Now run show mac-address-table on the core switch or router for that MAC address. This shows the interface on which it is connected or through which it was learned.

Example 1:
rssv125-sw5# show mac-address-table address 0002.3F39.BFE6

You will get a response similar to this:

Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
59 0002.3f39.bfe6 DYNAMIC Fa0/24
Total Mac Addresses for this criterion: 1


If your port is a FastEthernet port (Fa0/nn) like this example shows, you know that you are connected to FastEthernet port 0/24 on switch 10.10.125.5 (rssv125-sw5).
However, many times you will get a response similar to this:

Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
59 0002.3f39.bfe6 DYNAMIC Gi0/1
Total Mac Addresses for this criterion: 1

Gi0/n indicates a gigabit port. In this network the gigabit ports are only used as uplinks to other switches, so the address was learned from another switch. To see which switch is on the other end, use CDP (Cisco Discovery Protocol).

rssv125-sw5# show cdp neighbor Gi0/1 detail
The response should be something similar to this:
Device ID: rssv125-sw4
Entry address(es):
IP address: 10.10.125.4
Platform: cisco WS-C3550-24-PWR, Capabilities: Switch IGMP
Interface: GigabitEthernet0/1, Port ID (outgoing port): GigabitEthernet0/1
[snip]
Now log on to 10.10.125.4 (the IP address from the show cdp neighbor output) and run the same show mac-address-table lookup there. Repeat until the MAC address is learned on an access port rather than an uplink; that is the switch and port the device is connected to.



Example 2:
Core1# sh mac-address-table address 0000.1111.1111
Legend: * – primary entry
        age – seconds since last seen
        n/a – not available
  vlan   mac address     type    learn     age              ports
——+—————-+——–+—–+———-+————————–
Supervisor:
*   1  0000.1111.1111   dynamic  Yes         10   Te1/1

This indicates that the device is either connected directly to that port or reached through another switch behind it. Te1/1 is a TenGigabit Ethernet port, so it is very likely an uplink to another distribution or access switch.
Sometimes the output shows a port-channel instead [note the Po1]:

Legend: * – primary entry
        age – seconds since last seen
        n/a – not available
  vlan   mac address     type    learn     age              ports
——+—————-+——–+—–+———-+————————–
Supervisor:
*   1  0000.1111.1111   dynamic  Yes         10   Po1

This indicates that the address was learned over an EtherChannel. Run show etherchannel summary to find the physical ports bundled in Po1.

Core1# show etherchannel summary
Flags:  D – down        P – bundled in port-channel
        I – stand-alone s – suspended
        H – Hot-standby (LACP only)
        R – Layer3      S – Layer2
        U – in use      f – failed to allocate aggregator
        M – not in use, minimum links not met
        u – unsuitable for bundling
        w – waiting to be aggregated
Number of channel-groups in use: 6
Number of aggregators:           6
Group  Port-channel  Protocol    Ports
——+————-+———–+———————————————–
1      Po1(SU)          -        Te1/1(P)   Te2/1(P)

This shows that the address is learned through Te1/1 or Te2/1, the members of Po1.

Now, do a "show cdp neighbors" to show the directly connected devices.

Core1# sh cdp neighbors
Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
                  S – Switch, H – Host, I – IGMP, r – Repeater, P – Phone
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Access1          Ten 1/1            129         R S I     WS-C6509  Ten 1/1

That tells you that Te1/1 connects to the switch Access1, not to the device itself.
Now log on to Access1 and run show mac-address-table for the MAC address; that shows the interface it is connected to.
[NOTE: if Access1 is itself a distribution switch with further access switches behind it, repeat the whole procedure from there.]

Access1# show mac-address-table address 0000.1111.1111
  vlan   mac address     type    learn     age              ports
——+—————-+——–+—–+———-+————————–
Supervisor:
*   1  0000.1111.1111   dynamic  Yes         10   Gi1/24

Now you know the switch and the port the device is connected to. Run show interface on that port for the port details.

Access1>sh int gigabitEthernet 1/24
GigabitEthernet1/24 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s
  …..
  …
  ..
  .  
                             
There you go: you have found the switchport of the device you were tracing.
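The procedure above, automated over constructed command output as an added example (my own code, not from the referenced HowTo): the Python below parses sh ip arp, show mac-address-table, show etherchannel summary and show cdp neighbors text, resolves a port-channel to its member ports, hops to the CDP neighbor only when that neighbor is flagged as a switch, and stops at the first port with no switch behind it. The switch names, addresses and output lines in SHOW are invented for the example; in practice each SHOW[...] entry would be the text returned by running that command on that switch.

```python
import re

# Constructed sample output, modelled on the show commands quoted above.
# Only the lines the parsers need are included; names and addresses are invented.
SHOW = {
    "Core1": {
        "arp": ("Protocol  Address          Age (min)  Hardware Addr   Type   Interface\n"
                "Internet  192.168.1.15           22   0000.1111.1111  ARPA   Vlan1\n"),
        "mac": "*   1  0000.1111.1111   dynamic  Yes         10   Po1\n",
        "etherchannel": "1      Po1(SU)          -        Te1/1(P)   Te2/1(P)\n",
        "cdp": ("Access1          Ten 1/1            129         R S I     WS-C6509  Ten 1/1\n"
                "Access1          Ten 2/1            129         R S I     WS-C6509  Ten 2/1\n"),
    },
    "Access1": {
        "arp": "",
        "mac": "*   1  0000.1111.1111   dynamic  Yes         10   Gi1/24\n",
        "etherchannel": "",
        "cdp": "Core1            Ten 1/1            150         R S I     WS-C6509  Ten 1/1\n",
    },
}

MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.I)


def short_if(name):
    """'Ten 1/1', 'TenGigabitEthernet1/1' and 'Te1/1' all become 'Te1/1'."""
    name = name.replace(" ", "")
    m = re.match(r"([A-Za-z]+)(\d.*)", name)
    return (m.group(1)[:2] + m.group(2)) if m else name


def mac_for_ip(arp_output, ip):
    """Pick the hardware address out of 'show ip arp' output."""
    for line in arp_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == ip and MAC_RE.fullmatch(f[3]):
            return f[3].lower()
    return None


def port_for_mac(mac_table, mac):
    """The last column of a 'show mac-address-table address X' line is the port."""
    for line in mac_table.splitlines():
        f = line.split()
        if any(x.lower() == mac for x in f):
            return f[-1]
    return None


def etherchannel_members(summary, po):
    """Ports flagged (P) are bundled in the given port-channel, e.g. Po1."""
    for line in summary.splitlines():
        if po.lower() + "(" in line.lower():
            return [m.group(1) for m in re.finditer(r"(\S+)\(P\)", line)]
    return []


def cdp_switch_neighbors(cdp_output):
    """Map local interface -> neighbor Device ID, for neighbors with the S capability."""
    row = re.compile(r"^(\S+)\s+([A-Za-z]+ ?\d\S*)\s+\d+\s+([A-Z ]+?)\s+\S+\s+[A-Za-z]+ ?\d\S*$")
    neighbors = {}
    for line in cdp_output.splitlines():
        m = row.match(line.rstrip())
        if m and "S" in m.group(3).split():
            neighbors[short_if(m.group(2))] = m.group(1)
    return neighbors


def trace(ip, start="Core1", max_hops=8):
    """Follow the MAC from the core down to the edge port.

    Returns (mac, [(switch, port), ...]); the last pair is the edge port.
    max_hops guards against looping between two switches that both see the
    address on their uplink (e.g. a stale entry or a CDP loop).
    """
    mac = mac_for_ip(SHOW[start]["arp"], ip)
    if mac is None:
        raise LookupError("no ARP entry for %s on %s" % (ip, start))
    path, switch = [], start
    for _ in range(max_hops):
        out = SHOW[switch]
        port = port_for_mac(out["mac"], mac)
        if port is None:
            raise LookupError("%s has not learned %s" % (switch, mac))
        path.append((switch, port))
        physical = [port]
        if port.lower().startswith("po"):
            physical = etherchannel_members(out["etherchannel"], port)
        neighbors = cdp_switch_neighbors(out["cdp"])
        next_switch = next((neighbors[short_if(p)] for p in physical
                            if short_if(p) in neighbors), None)
        if next_switch is None:
            return mac, path           # no switch behind this port: it is the edge
        switch = next_switch
    raise RuntimeError("gave up after %d hops; CDP loop?" % max_hops)
```

Hosts do not speak CDP, so the stop condition is simply "no switch-capable CDP neighbor on that port"; if a port shows a neighbor with only the H (host) or P (phone) flag the walk also stops there, which is the right answer for a PC behind an IP phone.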


Reference:
1. HowTo: Find switchport for a MAC Address on a Cisco Catalyst Switch
http://www.itsyourip.com/cisco/howto-find-switchport-for-a-mac-address-on-a-cisco-catalyst-switch/

2. How to Determine Which Switch and Port You are Connected To
http://www.tech-recipes.com/rx/874/how_to_determine_switch_port_connected/

3. Troubleshooting Switch Port and Interface Problems
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008015bfd6.shtml

4. Determine which switch port is connected to which switch and which port
https://learningnetwork.cisco.com/message/80118 

Tuesday, July 20, 2010

Cisco PIX to ASA migration guide

There are two ways to convert a PIX configuration to an ASA configuration:

1. manual conversion
2. tool-assisted conversion

 
Table 1 Conversion Process Summary

Step 1  Retrieve the PIX configuration from the device.
Step 2  Convert the PIX conduit and outbound commands.
Step 3  Convert the PIX configuration to an ASA configuration.
Step 4  View the converted, intermediate configuration.
Step 5  Complete the conversion process by installing the converted configuration on an ASA 5500 Series Adaptive Security Appliance running 7.0(x), 7.2(x), or 8.x software.
Step 6  (Optional) Configure LAN-based failover (if converting from a serial cable failover configuration).
Step 7  Verify the final, converted configuration.
Step 8  Deploy your new device.


Table 4 Interface Constructs (PIX 6.3 interface configuration before conversion, ASA 7.2(2) interface configuration after conversion)

Static IP and failover:

PIX 6.3 (before conversion):
interface ethernet0 auto
nameif ethernet0 outside security0
ip address outside 192.168.2.1 255.255.255.0
failover ip address outside 192.168.2.2

ASA 7.2(2) (after conversion):
interface GigabitEthernet0/0
ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
nameif outside
security-level 0

VLAN:

PIX 6.3 (before conversion):
interface gb-ethernet2 1000auto
interface gb-ethernet2 vlan50 logical
nameif vlan50 vlan50 security10
ip address vlan50 50.1.1.1 255.0.0.0

ASA 7.2(2) (after conversion):
interface GigabitEthernet0/0
no shutdown
interface GigabitEthernet0/0.50
vlan 50
ip address 50.1.1.1 255.0.0.0
nameif vlan50
security-level 10

Dynamic IP address through DHCP:

PIX 6.3 (before conversion):
interface ethernet0 10baset
nameif ethernet0 outside security0
ip address outside dhcp setroute

ASA 7.2(2) (after conversion):
interface GigabitEthernet0/0
no ip address
no shutdown
ip address dhcp setroute
nameif outside
security-level 0

Dynamic IP address through PPPoE:

PIX 6.3 (before conversion):
interface ethernet0 10baset
nameif ethernet0 outside security0
ip address outside pppoe setroute
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname cisco
vpdn group pppoex ppp authentication pap
vpdn username cisco password xxx

ASA 7.2(2) (after conversion):
interface GigabitEthernet0/0
ip address pppoe setroute
pppoe client route distance 2
pppoe client vpdn group pppoex
nameif outside
security-level 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname cisco
vpdn group pppoex ppp authentication pap
vpdn username cisco password xxx

Table 5 FIXUP Conversion

PIX/ASA 6.3 commands (before conversion):
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

PIX/ASA 7.2(2) commands (after conversion):
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect tftp
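The fixup-to-inspect mapping in Table 5 as an added Python example (my own code, not the Cisco migration tool): it reads PIX fixup lines, emits the equivalent policy-map, collapses the tcp and udp sip fixups into one inspect line, carries the DNS maximum-length into the dns inspect policy-map, and flags anything it cannot map one-to-one (a fixup on a non-default port, or a protocol not in the table) for manual conversion instead of silently dropping it. The default-port table is taken from the fixup lines above; treating a non-default port as "needs a hand-written class-map" is my assumption about the manual work the reader will face. PIX_FIXUPS is the table's before-conversion text, embedded for the example.

```python
import re

# Default ports as they appear in the PIX 6.3 fixup lines of Table 5.
DEFAULT_PORTS = {
    "ftp": "21", "http": "80", "rsh": "514", "rtsp": "554", "sip": "5060",
    "skinny": "2000", "smtp": "25", "sqlnet": "1521", "tftp": "69",
}
H323_PORTS = {"h225": "1720", "ras": "1718-1719"}

# The before-conversion column of Table 5, used as sample input.
PIX_FIXUPS = """fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
"""


def convert_fixups(pix_config):
    """Return the ASA 7.x policy-map lines equivalent to the PIX fixup lines."""
    inspects = []      # ordered, de-duplicated "inspect ..." lines
    manual = []        # fixups with no one-line equivalent (assumed: need a class-map)
    dns_max = None
    for raw in pix_config.splitlines():
        parts = raw.split()
        if parts[:2] != ["fixup", "protocol"] or len(parts) < 3:
            continue
        proto = parts[2]
        if proto == "dns":
            m = re.search(r"maximum-length\s+(\d+)", raw)
            if m:
                dns_max = int(m.group(1))
            entry = "inspect dns preset_dns_map" if m else "inspect dns"
        elif proto == "h323" and len(parts) >= 4 and parts[3] in H323_PORTS:
            if parts[4:] and parts[4] != H323_PORTS[parts[3]]:
                manual.append(raw.strip())
                continue
            entry = "inspect h323 " + parts[3]
        elif proto in DEFAULT_PORTS:
            # "fixup protocol sip udp 5060" carries a transport keyword; drop it
            ports = [p for p in parts[3:] if p not in ("tcp", "udp")]
            if ports and ports != [DEFAULT_PORTS[proto]]:
                manual.append(raw.strip())      # non-default port: not in inspection_default
                continue
            entry = "inspect " + proto          # tcp and udp sip fixups collapse into one
        else:
            manual.append(raw.strip())          # protocol the table does not cover
            continue
        if entry not in inspects:
            inspects.append(entry)

    lines = []
    if dns_max is not None:
        lines += ["policy-map type inspect dns preset_dns_map",
                  " parameters",
                  "  message-length maximum %d" % dns_max]
    lines += ["policy-map global_policy", " class inspection_default"]
    lines += ["  " + e for e in inspects]
    # ASA treats lines starting with ":" as comments, as the migration tool's own notes above do
    lines += [": manual conversion needed: " + m for m in manual]
    return lines


if __name__ == "__main__":
    print("\n".join(convert_fixups(PIX_FIXUPS)))
```

The flagged lines are the ones to watch in a real migration: a fixup such as http on 8080 does not belong to inspection_default, so dropping the port would quietly turn inspection off for that traffic.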

LAN-Based Failover

PIX 6.3(5) configuration (before conversion):
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
interface gb-ethernet2 1000auto
interface gb-ethernet2 vlan50 logical
interface gb-ethernet2 vlan55 logical
interface ethernet0 100full
interface ethernet1 100full
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif gb-ethernet2 dmz security8
nameif ethernet0 eng security4
nameif ethernet1 mkt security4
nameif vlan50 vlan50 security10
nameif vlan55 vlan55 security12
ip address outside 5.5.5.45 255.255.255.0
ip address inside 14.36.8.48 255.255.0.0
ip address dmz 1.1.1.6 255.255.255.0
ip address mkt 2.2.2.2 255.255.255.0
ip address vlan50 50.1.1.1 255.0.0.0
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 5.5.5.68
failover ip address inside 14.36.199.34
failover ip address mkt 2.2.2.4
failover ip address vlan50 50.1.1.2
failover lan unit primary
failover lan interface mkt
failover link vlan55
failover lan enable


Converted ASA configuration:

interface GigabitEthernet0/0
ip address 5.5.5.45 255.255.255.0 standby 5.5.5.68
nameif outside
security-level 0
: Original Interface id gb-ethernet1
interface GigabitEthernet0/1
ip address 14.36.8.48 255.255.0.0 standby 14.36.199.34
nameif inside
security-level 100
: Original Interface id gb-ethernet2
interface GigabitEthernet0/2
ip address 1.1.1.6 255.255.255.0
nameif dmz
security-level 8
: Original Interface id gb-ethernet2_50
interface GigabitEthernet0/2.50
vlan 50
ip address 50.1.1.1 255.0.0.0 standby 50.1.1.2
nameif vlan50
security-level 10
: Original Interface id gb-ethernet2_55
interface GigabitEthernet0/2.55
vlan 55
no ip address
no shutdown
: Original Interface id ethernet0
interface GigabitEthernet0/3
no ip address
no shutdown
nameif eng
: Original Interface id ethernet1
: Failover
interface GigabitEthernet1/0
security-level 4
failover
failover timeout 0:00:00
:::: your failover poll timer syntax has been corrected from'failover poll 15' to
'failover polltime 15'
failover polltime 15
failover lan unit primary
::::failover lan interface mkt -> failover lan interface mkt GigabitEthernet1/0
failover lan interface mkt GigabitEthernet1/0
failover interface ip mkt 2.2.2.2 255.255.255.0 standby 2.2.2.4
::::failover link vlan55 -> failover link vlan55 GigabitEthernet0/2.55
failover link vlan55 GigabitEthernet0/2.55
failover interface ip vlan55 0.0.0.0 0.0.0.0 standby 0.0.0.0
:::: Not supported - failover lan enable
 

Reference:
1. Migration Guide for Converting Cisco PIX Configurations to Cisco ASA 5500 Series Configurations
http://www.cisco.com/en/US/docs/security/asa/migration/guide/pix2asa.html
 
2. Migration from PIX 500 Series Security Appliances to ASA 5500 Series Adaptive Security Appliances
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808554ed.shtml
