Cisco ASA – show local-host, show nat, show conn, clear conn

Cisco ASA connection-related commands


Some useful commands for troubleshooting connections on a Cisco ASA – How to show and clear existing connections, show NAT details, and more.

show local-host all

This command shows local host connections grouped by interface, like so:

hostname# show local-host all
Interface outside: 1 active, 2 maximum active, 0 denied
local host: ,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:42 bytes 4464
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:44 bytes 4464
Interface inside: 1 active, 2 maximum active, 0 denied
local host: ,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:42 bytes 4464
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:44 bytes 4464
Interface NP Identity Ifc: 2 active, 4 maximum active, 0 denied
local host: ,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:44 bytes 4464
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:42 bytes 4464
local host: ,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:44 bytes 4464
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:42 bytes 4464
hostname# show local-host 10.1.1.91
Interface third: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <10.1.1.91>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to (from) host = 0 (0)
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Xlate:
PAT Global 192.150.49.1(1024) Local 10.1.1.91(4984)
Conn:
TCP out 192.150.49.10:21 in 10.1.1.91:4984 idle 0:00:07 bytes 75 flags UI
Interface outside: 1 active, 1 maximum active, 0 denied
hostname# show local-host 10.1.1.91 detail
Interface third: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <10.1.1.91>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to (from) host = 0 (0)
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Xlate:
TCP PAT from inside:10.1.1.91/4984 to outside:192.150.49.1/1024 flags ri
Conn:
TCP outside:192.150.49.10/21 inside:10.1.1.91/4984 flags UI
Interface outside: 1 active, 1 maximum active, 0 denied

More details on this command can be found at Cisco.com’s ASA command reference

show conn, clear conn

The ‘show conn’ command shows active connections, and the ‘clear conn’ command removes them. This is useful when you need to reset a connection because your configuration has changed: an existing connection keeps using the policy it was built with until it is cleared. Here are some examples:

ASA-host1# clear conn ?

address Enter this keyword to specify IP address
all Enter this keyword to clear all conns
port Enter this keyword to specify port
protocol Enter this keyword to specify conn protocol
security-group Enter this keyword to specify security-group attributes
user Enter this keyword to specify conn user
user-group Enter this keyword to specify conn user group

ASA-host1# show conn address 192.168.0.2 | inc outside
TCP outside 8.9.10.11:24460 INT_NAME 192.168.0.2:443, idle 0:00:22, bytes 4827, flags UFRIOB
TCP outside 1.1.1.1:47166 INT_NAME 192.168.0.2:443, idle 0:00:41, bytes 6409, flags UFRIOB
TCP outside 1.2.3.4:1928 INT_NAME 192.168.0.2:443, idle 0:00:13, bytes 20147, flags UIOB
TCP outside 6.7.8.9:60002 INT_NAME 192.168.0.2:443, idle 0:01:02, bytes 6434, flags UFRIOB
TCP outside 9.12.10.11:443 INT_NAME 192.168.0.2:63079, idle 0:00:11, bytes 178430, flags UIO
TCP outside 6.4.5.3:443 INT_NAME 192.168.0.2:63464, idle 0:00:14, bytes 2830, flags UIO
TCP outside 7.4.7.4:443 INT_NAME 192.168.0.2:63426, idle 0:00:20, bytes 2709, flags UIO

ASA-host1# clear conn address 6.7.8.9 port 60002 address 192.168.0.2 port 443
1 connection(s) deleted.

ASA-host1# show conn address 192.168.0.2 | inc outside
TCP outside 8.9.10.11:24460 INT_NAME 192.168.0.2:443, idle 0:00:27, bytes 4827, flags UFRIOB
TCP outside 1.1.1.1:47166 INT_NAME 192.168.0.2:443, idle 0:01:12, bytes 6409, flags UFRIOB
TCP outside 1.2.3.4:1928 INT_NAME 192.168.0.2:443, idle 0:00:33, bytes 42223, flags UIOB
TCP outside 9.12.10.11:443 INT_NAME 192.168.0.2:63079, idle 0:00:42, bytes 178430, flags UIO
TCP outside 6.4.5.3:443 INT_NAME 192.168.0.2:63464, idle 0:00:26, bytes 7477, flags UIO
TCP outside 7.4.7.4:443 INT_NAME 192.168.0.2:63426, idle 0:01:24, bytes 2709, flags UIO

ASA-host1# clear conn address 1.1.1.1 port 47166 address 192.168.0.2 port 443
1 connection(s) deleted.

ASA-host1# show conn address 192.168.0.2 | inc outside
TCP outside 8.9.10.11:24460 INT_NAME 192.168.0.2:443, idle 0:01:30, bytes 4827, flags UFRIOB
TCP outside 1.2.3.4:1928 INT_NAME 192.168.0.2:443, idle 0:01:06, bytes 42223, flags UIOB
TCP outside 9.12.10.11:443 INT_NAME 192.168.0.2:63079, idle 0:00:18, bytes 188600, flags UIO
TCP outside 6.4.5.3:443 INT_NAME 192.168.0.2:63464, idle 0:00:00, bytes 12418, flags UIO

ASA-host1# clear conn address 8.9.10.11 port 24460 address 192.168.0.2 port 443
1 connection(s) deleted.

ASA-host1# clear conn address 192.168.0.2 port 443
2 connection(s) deleted.

ASA-host1# show conn address 192.168.0.2 | inc outside
TCP outside 9.12.10.11:443 INT_NAME 192.168.0.2:63079, idle 0:00:18, bytes 198807, flags UIO
TCP outside 6.4.5.3:443 INT_NAME 192.168.0.2:63464, idle 0:00:13, bytes 22300, flags UIO
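As an added example (not part of the original post), here is a small Python helper that parses pasted 'show conn' output like the listings above, decodes the flags seen there, and prints the exact 'clear conn address ... port ... address ... port ...' command for each connection whose outside side has already sent and had acknowledged its FIN (flags F and R), which are the connections cleared by hand above. The sample output is constructed to match the first listing, and the flag meanings are the subset of the ASA show conn legend for the flags that appear here.

```python
import re
from datetime import timedelta

# One TCP/UDP line of 'show conn' output in the form shown on this page:
#   TCP outside 8.9.10.11:24460 INT_NAME 192.168.0.2:443, idle 0:00:22, bytes 4827, flags UFRIOB
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if1>\S+)\s+(?P<ip1>[\d.]+):(?P<port1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<ip2>[\d.]+):(?P<port2>\d+),\s+idle\s+(?P<idle>\d+:\d\d:\d\d),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)

# Subset of the ASA 'show conn' flag legend covering the flags that appear above.
FLAGS = {
    "U": "up", "I": "inbound data", "O": "outbound data",
    "B": "initial SYN from outside", "F": "outside FIN",
    "R": "outside acknowledged FIN",
}

def parse_idle(text):
    """'0:01:02' -> timedelta(minutes=1, seconds=2)."""
    h, m, s = (int(x) for x in text.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)

def parse_show_conn(output):
    """Parse pasted 'show conn' output into dicts; prompts and count lines are skipped."""
    conns = []
    for line in output.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        c = m.groupdict()
        for key in ("port1", "port2", "bytes"):
            c[key] = int(c[key])
        c["idle"] = parse_idle(c["idle"])
        conns.append(c)
    return conns

def clear_cmd(c):
    """The 'clear conn' form used above, which removes exactly this one connection."""
    return f"clear conn address {c['ip1']} port {c['port1']} address {c['ip2']} port {c['port2']}"

def describe_flags(flags):
    return [FLAGS.get(f, f"unknown({f})") for f in flags]

def half_closed(conns):
    """Outside side sent its FIN and had it acknowledged (F and R), yet the slot is still held."""
    return [c for c in conns if "F" in c["flags"] and "R" in c["flags"]]

def idle_at_least(conns, seconds):
    return [c for c in conns if c["idle"] >= timedelta(seconds=seconds)]

# Constructed sample in the form of the first 'show conn' listing above.
SAMPLE = """\
ASA-host1# show conn address 192.168.0.2 | inc outside
TCP outside 8.9.10.11:24460 INT_NAME 192.168.0.2:443, idle 0:00:22, bytes 4827, flags UFRIOB
TCP outside 1.1.1.1:47166 INT_NAME 192.168.0.2:443, idle 0:00:41, bytes 6409, flags UFRIOB
TCP outside 1.2.3.4:1928 INT_NAME 192.168.0.2:443, idle 0:00:13, bytes 20147, flags UIOB
TCP outside 6.7.8.9:60002 INT_NAME 192.168.0.2:443, idle 0:01:02, bytes 6434, flags UFRIOB
TCP outside 9.12.10.11:443 INT_NAME 192.168.0.2:63079, idle 0:00:11, bytes 178430, flags UIO
"""

if __name__ == "__main__":
    for c in half_closed(parse_show_conn(SAMPLE)):
        print(clear_cmd(c), "  #", ", ".join(describe_flags(c["flags"])))
```

Review the generated commands before pasting them into the ASA; each one removes a single connection, so nothing wider than the listed pair is touched.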

show nat

This shows NAT statistics, including the hit count for each NAT rule.

show xlate

Shows the current address translations (xlates).


Favorite Android Apps – March 2017

Useful Android Apps for Network and Systems Admins

An updated list of my favorite Android apps. At the time of this post they are all free and none of them require a rooted device.

Termux – Terminal Emulator

Termux.com
Termux on play.google.com
Termux is a terminal emulator with multiple shells including bash and zsh. It allows for installation of quite a few packages.


My go-to quick start is:
apt update
apt upgrade
apt install coreutils wget tar less openssl openssh sslscan dnsutils vim mlocate htop python tmux nmap rsync php perl man tcpdump tracepath

To launch the built-in web server, use:
'php -S localhost:8000'
(replace localhost with the IP address of your phone; check it first with ‘ifconfig | grep inet’).

I also highly recommend using Termux with the next app in the list, Hacker’s Keyboard, as it allows you to customize your keyboard and adds important keys that you might not use outside of a terminal.

Hacker’s Keyboard

Hacker’s Keyboard gets you the keys you’re missing from the stock Android keyboard, as well as allowing for a highly customized configuration (size, layout, and much more).

Microsoft Remote Desktop

Microsoft Remote Desktop is an RDP client for remotely accessing Windows hosts from your Android device.

JuiceSSH

JuiceSSH is the best Android SSH client out there. It allows for saving sessions, quick font size changes with the volume buttons, and much more.

LastPass

LastPass is a cloud-based Password Manager that allows for easy access across devices.

AndFTP

AndFTP is an easy-to-use FTP client.

TeamViewer for Remote Control

TeamViewer is a well known remote access tool. Make sure to enable MFA/2FA on your account and use Duo or Authy, mentioned next in the list.


MFA tools – Authy and Duo

Duo and Authy are multi-factor authentication apps for enhanced login security.
Authy on the Google Play store

Duo on the Google Play store

Discord

Discord is mostly known as “chat for gamers” but it is so easy to get up and running that it has quite a few other uses as well.

 

Cisco Technical Support

Cisco Technical Support is an easy way to keep up with your Cisco TAC cases or contracts.

Wifi Analyzer

Wifi Analyzer – pretty self explanatory.


LanDroid

Landroid is an app with a variety of network utilities – ping, traceroute, whois, dig, and a bunch more.


fing

fing is great for getting info about hosts on your network.


Cleaning the yum cache – yum clean options

YUM - Yellowdog Updater, Modified

yum is an interactive, rpm based, package manager. It performs system updates, installation of new packages, removal of old packages, queries on the installed and/or available packages, and more.

Note the first paragraph of the man page excerpt below: yum clean all only cleans files for the currently enabled repos. To really clean everything, including disabled repos, you need to use:

yum clean all --enablerepo='*'

From the yum man page:

CLEAN OPTIONS

The following are the ways in which you can invoke yum in clean mode. Note that “all files” in the commands below means “all files in currently enabled repositories”. If you want to also clean any (temporarily) disabled repositories you need to use the --enablerepo='*' option.

yum clean expire-cache

Eliminate the local data saying when the metadata and mirrorlists were downloaded for each repo. This means yum will revalidate the cache for each repo the next time it is used. However, if the cache is still valid, nothing significant was deleted.

yum clean packages

Eliminate any cached packages from the system. Note that packages are not automatically deleted after they are downloaded.

yum clean headers

Eliminate all of the header files, which old versions of yum used for dependency resolution.

yum clean metadata

Eliminate all of the files which yum uses to determine the remote availability of packages. Using this option will force yum to download all the metadata the next time it is run.

yum clean dbcache

Eliminate the sqlite cache used for faster access to metadata. Using this option will force yum to download the sqlite metadata the next time it is run, or recreate the sqlite metadata if using an older repo.

yum clean rpmdb

Eliminate any cached data from the local rpmdb.

yum clean plugins

Tell any enabled plugins to eliminate their cached data.

yum clean all

Does all of the above.


libvirt KVM migration – error: unsupported configuration

libvirt KVM migration – error: unsupported configuration: Target domain max memory does not match source


I recently ran into trouble trying to migrate a KVM libvirt virtual machine (AKA domain):

[user@hypervisor01 ~]# time virsh migrate --live webserver01 qemu+ssh://hypervisor03.mydomain.com/system --copy-storage-all --persistent --undefinesource --verbose --abort-on-error --xml virtmigrate/webserver01.xml
user@hypervisor03.mydomain.com's password:
error: unsupported configuration: Target domain max memory 8388608 does not match source 9437184

[user@hypervisor01 ~]# tail /var/log/libvirt/libvirtd.log
2015-08-13 07:44:07.781+0000: 4418: error : virDomainDefCheckABIStability:11730 : unsupported configuration: Target domain max memory 8388608 does not match source 9437184

These hypervisors were not using shared storage, so I had previously created updated copies of the configs (in this case, virtmigrate/webserver01.xml) that contained the correct path to their new storage location (source dev). The error I was receiving was due to the memory assigned to webserver01 being changed since I created the updated configs.
The migration config (virtmigrate/webserver01.xml) contained the older, smaller memory parameters:

<memory unit="KiB">8388608</memory>
<currentMemory unit="KiB">8388608</currentMemory>

While the current/running config contained the larger:

<memory unit="KiB">9437184</memory>
<currentMemory unit="KiB">9437184</currentMemory>

I updated the migration config virtmigrate/webserver01.xml and it is now working fine.

Here are some additional commands that may be useful in a similar situation.

virsh dominfo (domain): Returns basic information about the domain, including max and used memory

[user@hypervisor01 ~]# virsh dominfo webserver01
Id: 23
Name: webserver01
UUID: bce54f4b-32af-ec6d-7cab-bb57d0e85782
OS Type: hvm
State: running
CPU(s): 4
CPU time: 1578499.8s
Max memory: 9437184 KiB
Used memory: 9437184 KiB
Persistent: yes
Autostart: enable
.....

virsh edit domain: Edit the XML configuration file for a domain, which will affect the next boot of the guest.
This is equivalent to:

virsh dumpxml --inactive --security-info domain > domain.xml
vi domain.xml (make changes)
virsh define domain.xml

except that it does some error checking.

virsh setmaxmem (domain) 16G --config: Set the max memory for a domain, will take effect at next boot of guest
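A pre-flight check for this exact failure, added here as an example and not part of the original post: it normalizes the <memory> and <currentMemory> values from the migration XML and from the running domain (via virsh dumpxml) to KiB and reports any mismatch before virsh migrate is attempted. The two XML samples are constructed to mirror the configs above, and the script name check_migrate_mem.py is hypothetical.

```python
import subprocess
import sys
import xml.etree.ElementTree as ET

# libvirt memory unit suffixes accepted on <memory>/<currentMemory>; KiB is the default.
UNIT_TO_BYTES = {
    "b": 1, "bytes": 1, "KB": 10**3, "k": 1024, "KiB": 1024,
    "MB": 10**6, "M": 1024**2, "MiB": 1024**2,
    "GB": 10**9, "G": 1024**3, "GiB": 1024**3,
}

def mem_kib(elem):
    """Normalize a <memory> or <currentMemory> element to KiB, whatever unit it was written in."""
    if elem is None:
        return None
    return int(elem.text.strip()) * UNIT_TO_BYTES[elem.get("unit", "KiB")] // 1024

def memory_settings(xml_text):
    root = ET.fromstring(xml_text)
    return {"max_kib": mem_kib(root.find("memory")),
            "current_kib": mem_kib(root.find("currentMemory"))}

def compare_memory(migration_xml, running_xml):
    """Return the memory mismatches that would trip virDomainDefCheckABIStability (empty list = OK)."""
    want, have = memory_settings(migration_xml), memory_settings(running_xml)
    return [f"{key}: migration xml {want[key]} KiB, running domain {have[key]} KiB"
            for key in ("max_kib", "current_kib") if want[key] != have[key]]

def running_domain_xml(domain):
    """Live definition of a domain on the source hypervisor, via 'virsh dumpxml'."""
    return subprocess.run(["virsh", "dumpxml", domain], check=True,
                          capture_output=True, text=True).stdout

# Constructed samples mirroring the post: the stale migration config vs the live domain.
MIGRATION_XML = """<domain type='kvm'><name>webserver01</name>
  <memory unit="KiB">8388608</memory>
  <currentMemory unit="KiB">8388608</currentMemory>
</domain>"""
RUNNING_XML = """<domain type='kvm'><name>webserver01</name>
  <memory unit="GiB">9</memory>
  <currentMemory unit="KiB">9437184</currentMemory>
</domain>"""

if __name__ == "__main__":
    # usage: check_migrate_mem.py <domain> <migration.xml>; with no arguments the samples are compared
    if len(sys.argv) == 3:
        with open(sys.argv[2]) as f:
            problems = compare_memory(f.read(), running_domain_xml(sys.argv[1]))
    else:
        problems = compare_memory(MIGRATION_XML, RUNNING_XML)
    for p in problems:
        print("MISMATCH", p)
    sys.exit(1 if problems else 0)
```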


EMC CLARiiON Monitoring – Adding TCP port variable

Modified check_emc_clariion.pl script to specify a different (variable) TCP port for EMC CLARiiON monitoring via Nagios, Cacti, or otherwise.


I’ve been using the check_emc_clariion.pl script for a while to monitor an EMC CLARiiON SAN, but recent issues made me realize the need to use the same check for another host. The problem is the hosts are behind a firewall and using port forwarding – fine for one host on the default port (17894), but I needed to specify a different TCP port to use for the new host.

I updated the check_emc_clariion.pl script to include a TCP port variable, for use like so:

root@host:~# /usr/lib/nagios/plugins/check_emc_clariion.pl -H 192.168.100.10 -u user -p password -t faults --warn 50 --crit 70 --tcp_port=17895
The array is operating normally.

Here is a diff of the original script and my changes:

195d194
< $opt_tcp_port 214,217d212 < my $opt_tcp_port = ''; < < ### set tcp port < $opt_tcp_port=17894; 272,273c267 < 'paths=s' => $opt_pathcount,
< 'tcp_port=s' => $opt_tcp_port
---
> 'paths=s' => $opt_pathcount
1056c1050
< open( NAVICLIOUT, "$NAVICLI_CMD -h $opt_host -Port $opt_tcp_port Faults -list |" ); --- > open( NAVICLIOUT, "$NAVICLI_CMD -h $opt_host -Port 17894 Faults -list |" );
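Review bot: `$opt_tcp_port` is interpolated unvalidated into the shell pipe open() at 1056 (`open( NAVICLIOUT, "$NAVICLI_CMD -h $opt_host -Port $opt_tcp_port Faults -list |" );`), and the new `'tcp_port=s'` option at 272-273 accepts any string, so whatever is passed on the command line reaches the shell as-is. Constrain it to a numeric port before it is used, either by declaring the option as `'tcp_port=i'` so Getopt::Long rejects non-integers, or with a check such as `die "invalid --tcp_port" unless $opt_tcp_port =~ /^\d{1,5}$/;` right after option parsing. The default of 17894 set at 214-217 comes before the option parsing at 272, so a supplied value correctly overrides it.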



Running the Dig utility from Windows command line

How to install and use the dig utility on a Windows system

The dig (domain information groper) utility is something I use on my Linux hosts so often that I miss it when I move back to a Windows host. Here’s how to install and use the dig utility on a Windows system:

  1. Download the BIND package for your version of Windows from the Internet Systems Consortium web site
  2. Extract it to the directory that you’d like to run the program from, probably C:\Users\MyUsername
  3. Run the dig command

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\techpain>dig mx msn.com

; <<>> DiG 9.9.5-W1 <<>> mx msn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<
Dan Esparza’s blog has a great post on different ways to use the dig utility and understanding the output.

Also, check out how to run the WhoIs utility from Windows command line.




WhoIs lookup from Windows command line

A WhoIs lookup will show the registration record for a domain name, and being able to run this right from the command line is really convenient.

This utility will run on Windows XP and higher (client) and Windows Server 2003 and higher (server).

Download the utility from the Windows Sysinternals site and copy it to the path that you want to use (probably C:\Users\MyUsername). After that you can run the WhoIs utility like this:


WhoIs command and output

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\techpain>whois techpain.com

Whois v1.11 - Domain information lookup utility
Sysinternals - www.sysinternals.com
Copyright (C) 2005-2012 Mark Russinovich

Connecting to COM.whois-servers.net...
Connecting to whois.name.com...

Domain Name: TECHPAIN.COM
Registrar WHOIS Server: whois.name.com
Registrar URL: http://www.name.com
Updated Date: 2013-10-22T03:40:00-06:00
Creation Date: 2010-08-04T00:59:03-06:00
Registrar Registration Expiration Date: 2017-08-04T00:59:03-06:00
Registrar: Name.com, Inc.
Registrar IANA ID: 625
Registrar Abuse Contact Email: abuse@name.com
Registrar Abuse Contact Phone: +1.17202492374
Resellser:
Domain Status: clientTransferProhibited
Registrant Name: Whois Agent
Registrant Organization: Whois Privacy Protection Service, Inc.
Registrant Street: PO Box 639
Registrant City: Kirkland
Registrant State/Province: WA
Registrant Postal Code: 98083
Registrant Country: US
Registrant Phone: +1.4252740657
Registrant Fax: +1.4259744730
Registrant Email: techpain.com@protecteddomainservices.com
Admin Name: Whois Agent
Admin Organization: Whois Privacy Protection Service, Inc.
Admin Street: PO Box 639
Admin City: Kirkland
Admin State/Province: WA
Admin Postal Code: 98083
Admin Country: US
Admin Phone: +1.4252740657
Admin Fax: +1.4259744730
Admin Email: techpain.com@protecteddomainservices.com
Tech Name: Whois Agent
Tech Organization: Whois Privacy Protection Service, Inc.
Tech Street: PO Box 639
Tech City: Kirkland
Tech State/Province: WA
Tech Postal Code: 98083
Tech Country: US
Tech Phone: +1.4252740657
Tech Fax: +1.4259744730
Tech Email: techpain.com@protecteddomainservices.com
Name Server: ns2.reachone.com
Name Server: ns1.reachone.com
DNSSEC: NotApplicable
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of WHOIS database: 2014-02-15T13:50:43-07:00 <<<
The Data in the Name.com, Inc. WHOIS database is provided by Name.com, Inc. for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Name.com, Inc. does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this Data only for lawful purposes and that, under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail (spam); or (2) enable high volume, automated, electronic processes that apply to Name.com, Inc. (or its systems). Name.com, Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.

Also, check out how to run the dig utility from Windows command line.


Run Netflix on Ubuntu in seconds

Microsoft Silverlight isn’t available on Linux, so Netflix hasn’t been either. Now there’s an unofficial desktop package available: you simply add the repository, run updates, and install the ‘netflix-desktop’ package. The package bundles WINE and Netflix, which makes the process really easy.


Three simple commands

Three simple commands in the terminal window:
sudo apt-add-repository ppa:ehoover/compholio
sudo apt-get update
sudo apt-get install netflix-desktop

Then search for ‘Netflix’ and launch the application.


It launches in full screen mode, but you can press F11 to exit full screen mode. Close the application by clicking on the close button in the upper right of the screen, or press Alt + F4. To go back to the Netflix menu, click the left arrow at the top left of the screen.


Android Apps

Updated list available at https://techpain.com/android-apps-march2017/

My favorite System and Network related Android apps. At the time of this post they are all free and none of them require a rooted device.

  • Mocha VNC Lite: Mocha VNC provides access to VNC servers. Windows and Mac OS X compatible.
  • uNagi: A Nagios and Icinga client. My favorite features: allows connections over https, acknowledge notifications, view service and host problems, no additional Nagios plugins required.
  • 2Xclient: An easy-to-use RDP client.
  • OpenVPN Connect: VPN client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community.
  • Lookout Security & Antivirus: Protection against malware and viruses.
  • FoxFi: Wifi tethering without a rooted device.
  • Fing – Network Tools: Network discovery, ping, traceroute, DNS lookup, port scan, and more.
  • Glympse: Not necessarily an app for just tech types, but great for letting people know where you are and when you’ll get to your destination.
  • Quickoffice: View and edit Word, Excel, and PowerPoint files, view PDFs.
  • Wifi Analyzer: Show information about wifi networks; channels, strength, and more.
  • WordPress: Easily write, edit, and publish WordPress posts on WordPress.com AND self-hosted WordPress sites.
  • OpenSignal: Locate better cellular coverage or wi-fi, report dropped calls, and much more.
  • Speedtest.net: Ookla speedtest shows upload and download speeds, as well as ping times.
  • Name.com for Android: Name.com is one of the best registrars out there. This app allows you to manage your Name.com registered domains, including renewal and DNS management. Check domain name availability, register new domain names, and search for domain names based on your geographical location.
  • Servers Ultimate: Turn your Android phone into a multipurpose server.
  • AndFTP: FTP client that manages multiple FTP connections.
  • AirDroid: Connect to your Android phone from your computer to manage SMS and more – with no wires.

Name.com Android app – Domain name registration

Manage your domain names from your phone

UPDATE – Sadly, the Name.com Android app is no longer available 🙁

I’ve always liked using Name.com as a registrar, and now I have even more reason to. I stumbled upon their Android app recently, and it’s actually useful. They didn’t just make a marketing or sales tool, because there’s more to it than finding and registering new domains. You can also manage your existing domains, including renewals, nameserver and DNS changes, whois info, domain locking, payment options, and more.


You can get the Name.com Android app at the Google Play store, or scan the QR code below to download the app.

Scan this QR code to download the Name.com Android app
 
