Cisco ASA – show local-host, show nat, show conn, clear conn

Cisco ASA connection related commands

Cisco ASA commands - techpain.com

Some useful commands for troubleshooting connections on a Cisco ASA – How to show and clear existing connections, show NAT details, and more.

show local-host all

This command shows local host connections grouped by interface, like so:

hostname# show local-host all
Interface outside: 1 active, 2 maximum active, 0 denied
local host: ,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:42 bytes 4464
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:44 bytes 4464
Interface inside: 1 active, 2 maximum active, 0 denied
local host: ,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:42 bytes 4464
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:44 bytes 4464
Interface NP Identity Ifc: 2 active, 4 maximum active, 0 denied
local host: ,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:44 bytes 4464
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:42 bytes 4464
local host: ,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:44 bytes 4464
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:42 bytes 4464
hostname# show local-host 10.1.1.91
Interface third: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: ,
TCP flow count/limit = 1/unlimited
TCP embryonic count to (from) host = 0 (0)
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Xlate:
PAT Global 192.150.49.1(1024) Local 10.1.1.91(4984)
Conn:
TCP out 192.150.49.10:21 in 10.1.1.91:4984 idle 0:00:07 bytes 75 flags UI Interface
outside: 1 active, 1 maximum active, 0 denied
hostname# show local-host 10.1.1.91 detail
Interface third: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: ,
TCP flow count/limit = 1/unlimited
TCP embryonic count to (from) host = 0 (0)
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Xlate:
TCP PAT from inside:10.1.1.91/4984 to outside:192.150.49.1/1024 flags ri
Conn:
TCP outside:192.150.49.10/21 inside:10.1.1.91/4984 flags UI Interface outside: 1 active, 1
maximum active, 0 denied

More details on this command can be found at Cisco.com’s ASA command reference

show conn, clear conn

The ‘show conn’ command show active connection, and the ‘clear conn’ command will remove those connections. This can be useful if you need to reset a connection because your configuration has changed. Here are some examples:

ASA-host1# clear conn ?

address Enter this keyword to specify IP address
all Enter this keyword to clear all conns
port Enter this keyword to specify port
protocol Enter this keyword to specify conn protocol
security-group Enter this keyword to specify security-group attributes
user Enter this keyword to specify conn user
user-group Enter this keyword to specify conn user group

ASA-host1# show conn address 192.168.0.2 | inc outside
TCP outside 8.9.10.11:24460 INT_NAME 192.168.0.2:443, idle 0:00:22, bytes 4827, flags UFRIOB
TCP outside 1.1.1.1:47166 INT_NAME 192.168.0.2:443, idle 0:00:41, bytes 6409, flags UFRIOB
TCP outside 1.2.3.4:1928 INT_NAME 192.168.0.2:443, idle 0:00:13, bytes 20147, flags UIOB
TCP outside 6.7.8.9:60002 INT_NAME 192.168.0.2:443, idle 0:01:02, bytes 6434, flags UFRIOB
TCP outside 9.12.10.11:443 INT_NAME 192.168.0.2:63079, idle 0:00:11, bytes 178430, flags UIO
TCP outside 6.4.5.3:443 INT_NAME 192.168.0.2:63464, idle 0:00:14, bytes 2830, flags UIO
TCP outside 7.4.7.4:443 INT_NAME 192.168.0.2:63426, idle 0:00:20, bytes 2709, flags UIO

ASA-host1# clear conn address 6.7.8.9 port 60002 address 192.168.0.2 port 443
1 connection(s) deleted.

ASA-host1# show conn address 192.168.0.2 | inc outside
TCP outside 8.9.10.11:24460 INT_NAME 192.168.0.2:443, idle 0:00:27, bytes 4827, flags UFRIOB
TCP outside 1.1.1.1:47166 INT_NAME 192.168.0.2:443, idle 0:01:12, bytes 6409, flags UFRIOB
TCP outside 1.2.3.4:1928 INT_NAME 192.168.0.2:443, idle 0:00:33, bytes 42223, flags UIOB
TCP outside 9.12.10.11:443 INT_NAME 192.168.0.2:63079, idle 0:00:42, bytes 178430, flags UIO
TCP outside 6.4.5.3:443 INT_NAME 192.168.0.2:63464, idle 0:00:26, bytes 7477, flags UIO
TCP outside 7.4.7.4:443 INT_NAME 192.168.0.2:63426, idle 0:01:24, bytes 2709, flags UIO

ASA-host1# clear conn address 1.1.1.1 port 47166 address 192.168.0.2 port 443
1 connection(s) deleted.

ASA-host1# show conn address 192.168.0.2 | inc outside
TCP outside 8.9.10.11:24460 INT_NAME 192.168.0.2:443, idle 0:01:30, bytes 4827, flags UFRIOB
TCP outside 1.2.3.4:1928 INT_NAME 192.168.0.2:443, idle 0:01:06, bytes 42223, flags UIOB
TCP outside 9.12.10.11:443 INT_NAME 192.168.0.2:63079, idle 0:00:18, bytes 188600, flags UIO
TCP outside 6.4.5.3:443 INT_NAME 192.168.0.2:63464, idle 0:00:00, bytes 12418, flags UIO

ASA-host1# clear conn address 8.9.10.11 port 24460 address 192.168.0.2 port 443
1 connection(s) deleted.

ASA-host1# clear conn address 192.168.0.2 port 443
2 connection(s) deleted.

ASA-host1# show conn address 192.168.0.2 | inc outside
TCP outside 9.12.10.11:443 INT_NAME 192.168.0.2:63079, idle 0:00:18, bytes 198807, flags UIO
TCP outside 6.4.5.3:443 INT_NAME 192.168.0.2:63464, idle 0:00:13, bytes 22300, flags UIO

show nat

This will show nat statistics, and hits for the NAT rules

show xlate

Shows current translated connections

Share

Install a SSL Certificate on a Cisco ASA

To install a certificate on a Cisco ASA firewall, you’ll probably want to use ASDM. Here are the steps:

  1. Select the certificate you want to renew beneath Configuration, Device Management, Identity Certificates, and then click Add.
  2. Under Add Identity Certificate, select the Add a new identity certificate radio button, and choose your key pair from the drop−down menu or create a new key pair.
  3. Enter the appropriate certificate attributes. MAKE SURE TO CLICK ON ‘ADVANCED, AND VERIFY THE FQDN! Once completed, click OK. Then click ‘Add Certificate’.
  4. In the Identity Certificate Request popup window, save your Certificate Signing Request (CSR) to a text file, and click OK. Verify in ASDM that the CSR is pending.
  5. Submit your CSR to get your certificate issued.
  6. Select the pending certificate request under Configuration, Device Management, Identity Certificates, and click Install. In the Install Identity Certificate window, select the Paste the certificate data in base−64 format radio button, and click Install Certificate.
  7. To bind the new certificate to the interface choose Configuration, Device Management, Advanced, SSL Settings. Select your interface under Certificates, and click Edit. Choose your new certificate from the drop−down menu, click OK, and click Apply.

Don’t forget to write your changes!

You can verify the available certs from the CLI using the command

show crypto ca certificates

You can verify the cert is applied to the interface with

show running−config ssl
Share

RADIUS Windows Server for a Cisco ASA VPN

Connect to your Cisco ASA VPN by authenticating against a Windows RADIUS server

Thanks to FixingIT.wordpress.com. I pulled most of this post from there, made some tweaks, and added the Cisco CLI as an alternative to ASDM.

The following steps are a walk through of configuring a Windows 2008 Server Domain Controller as a RADIUS server for an ASA, and configuring that ASA as the RADIUS client. This will allow VPN users to authenticate against Active Directory instead of locally on the ASA.

These steps assume the following:

  • Windows Server 2008: 192.168.0.10
  • Cisco ASA: 192.168.0.5

 

Configure the ASA

CLI

The applicable parts of the config are as follows:

interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.5 255.255.255.0

aaa-server SERVER protocol radius
accounting-mode simultaneous
aaa-server SERVER host 192.168.0.10
key mysecretkey
radius-common-pw mysecretkey

ASDM

Create an IP Name object for the target

  1. Under the Firewall section, expand the Objects link and select the IP Names.
  2. Click the Add button at the top.
  3. Enter a descriptive name, the IP address of the DC/RADIUS server and a description of the server.
  4. Click OK and then Apply

Create a new AAA Server Group

  1. Click the Remote Access VPN section.
  2. Expand AAA Setup and select AAA Server Groups.
  3. Click the Add button to the right of the AAA Server Groups section.
  4. Give the server group a name, like TEST-AD, and make sure the RADIUS protocol is selected.
  5. Accept the default for the other settings. And click OK

Add the RADIUS server to the Server Group

  1. Select the server group created in the step above.
  2. Click the Add button to the right of Servers in the Select Group.
  3. Under the Interface Name select the interface on the ASA that will have access to the RADIUS server, most likely inside.
  4. Under Server Name or IP Address enter the IP Name you created for the RADIUS server above.
  5. Skip to the Server Secret Key field and create a complex password. Make sure you document this as it is required when configuring the RADIUS server. Re-enter the secret in the Common Password field.
  6. Leave the rest of the settings at the defaults and click Ok.

 

Configuring the Windows 2008 DC/RADIUS Server

*requires domain admin privileges

Add the Network Policy Server function

  1. Connect to the Windows Server 2008 server and launch Server Manager.
  2. Click the Roles object and then click the Add Roles link on the right.
  3. Click Next on the Before You Begin page.
  4. Select the Network Policy and Access Services role and click Next.
  5. Under Role Service select only the Network Policy Server service and click Next.
  6. Click Install.

After the role finishes installing you will need to set up the server using the Network Policy Server (NPS) management tool found under Administrative Tools.

Registering the server

After launching the NPS tool right-click on the entry NPS(Local) and click the Register Server in Active Directory. Follow the default prompts.

Create a RADIUS client entry for the ASA

  1. Expand the RADIUS Clients and Servers folder.
  2. Right-click on RADIUS Clients and select New RADIUS Client.
  3. Create a Friendly Name for the ASA device. I used “CiscoASA” but if you had more than one you might want to make it more unique and identifiable. Make sure you document the Friendly Name used as it will be used later in some of the policies created.
  4. Enter the Server Secret Key specified on during the ASA configuration in the Shared secret and Confirm shared secret field.
  5. Leave the default values for the other settings and click OK. See Figure 1 for all the complete RADIUS Client properties.

Create a Connection Request Policy

  1. Expand the Policies folder.
  2. Right-click on the Connection Request Policies and click New.
  3. Set the Policy Nameto something meaningful. I used CiscoASA because this policy is geared specifically for that RADIUS client. Leave the Type of network access server as Unspecified and click Next.
  4. Under Conditions click Add. Scroll down and select the Client Friendly Name condition and click Add
  5. Specify the friendly name that you used when creating the RADIUS Client above. Click OK and Next.
  6. On the next two pages leave the default settings and click Next.
  7. Under the Specify a Realm Name select the Attribute option on the left. From the drop down menu next to Attribute: on the right select User-Name. Click Next again.
  8. Review the settings on the next page and click Finish.

Create a Network Policy

  1. Right-click the Network Policy folder and click New.
  2. Set the Policy Name to something meaningful. Leave the Type of network access server as Unspecified and click Next.
  3. Under Conditions click Add.
  4. Add a UsersGroup condition to limit access to a specific AD user group. You can use a generic group like Domain Users or create a group specifically to restrict access.
  5. Add a Client Friendly Name condition and again specify the Friendly Name you used for your RADIUS client.
  6. Click Next. Leave Access granted selected and click Next again.
  7. (Important Step) On the authentication methods leave the default selection and add Unencrypted authentication (PAP, SPAP).
  8. Accept the default Constraints and click Next.
  9. Accept the default Radius Settings and click Next. Review the settings and click Finish.

Restart the Network Policy Server service. Probably not be necessary, but not a bad idea.

Test Your RADIUS Authentication

CLI

test-fw# test aaa authentication SERVER host 192.168.0.10 username testuser password mypassword 
INFO: Attempting Authentication test to IP address <192.168.0.10> (timeout: 12 seconds)
INFO: Authentication Successful

ASDM

The ASDM utility includes functionality to test RADIUS Authentication.

  1. If necessary re-launch the ASDM utility.
  2. Return to Configuration > Remote Access VPN > AAA Setup > AAA Server Groups.
  3. Select the new Server Group you created.
  4. From the Servers in the Selected Group section highlight the server you created. Click the Test button on the right.
  5. Select the Authentication radio button. Enter the Username and Password of a user that meets the conditions specified in the Network Policy created above then click OK.
  6. If everything works as designed you should see something similar to “Authentication test to host is successful”
Share

Decrypt a Cisco VPN Client Pre-Shared Key

Cisco - Decrypt a pre-shared key

There is an old article at spiration.co.uk that covers how to setup a VPN client on Ubuntu. It includes details on how to decrypt an obfuscated pre-shared key from a .pcf:
You will then need to compile the cisco-decrypt.c utility which is downloadable from here: http://www.unix-ag.uni-kl.de/~massar/soft/cisco-decrypt.c Note that when you come to compile the program you will need to use the following compile options:

gcc -Wall -o cisco-decrypt cisco-decrypt.c $(libgcrypt-config --libs --cflags)

This will result in a working binary in ./cisco-decrypt:

$./cisco-decrypt encyptedpre-sharedkey
pre-sharedkey

In case you’re curious, here is what cisco-decrypt.c looks like:

/* Decoder for password encoding of Cisco VPN client.
Copyright (C) 2005 Maurice Massar
Thanks to HAL-9000@evilscientists.de for decoding and posting the algorithm!

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

/*
Requires libgcrypt version 1.1.90 or newer
Compile with:
gcc -Wall -o cisco-decrypt cisco-decrypt.c $(libgcrypt-config --libs --cflags)
Usage:
./cisco-decrypt DEADBEEF...012345678 424242...7261
*/

#include
#include
#include
#include

int hex2bin_c(unsigned int c)
{
if ((c >= '0')&&(c <= '9')) return c - '0'; if ((c >= 'A')&&(c <= 'F')) return c - 'A' + 10; if ((c >= 'a')&&(c <= 'f')) return c - 'a' + 10; return -1; } int hex2bin(const char *str, char **bin, int *len) { char *p; int i, l; if (!bin) return EINVAL; for (i = 0; str[i] != ''; i++) if (hex2bin_c(str[i]) == -1) return EINVAL; l = i; if ((l & 1) != 0) return EINVAL; l /= 2; p = malloc(l); if (p == NULL) return ENOMEM; for (i = 0; i < l; i++) p[i] = hex2bin_c(str[i*2]) << 4 | hex2bin_c(str[i*2+1]); *bin = p; if (len) *len = l; return 0; } int c_decrypt(char *ct, int len, char **resp, char *reslenp) { const char *h1 = ct; const char *h4 = ct + 20; const char *enc = ct + 40; char ht[20], h2[20], h3[20], key[24]; const char *iv = h1; char *res; gcry_cipher_hd_t ctx; int reslen; if (len < 48) return 0; len -= 40; memcpy(ht, h1, 20); ht[19]++; gcry_md_hash_buffer(GCRY_MD_SHA1, h2, ht, 20); ht[19] += 2; gcry_md_hash_buffer(GCRY_MD_SHA1, h3, ht, 20); memcpy(key, h2, 20); memcpy(key+20, h3, 4); /* who cares about parity anyway? */ gcry_md_hash_buffer(GCRY_MD_SHA1, ht, enc, len); if (memcmp(h4, ht, 20) != 0) return -1; res = malloc(len); if (res == NULL) return -1; gcry_cipher_open(&ctx, GCRY_CIPHER_3DES, GCRY_CIPHER_MODE_CBC, 0); gcry_cipher_setkey(ctx, key, 24); gcry_cipher_setiv(ctx, iv, 8); gcry_cipher_decrypt(ctx, (unsigned char *)res, len, (unsigned char *)enc, len); gcry_cipher_close(ctx); reslen = len - res[len-1]; res[reslen] = ''; if (resp) *resp = res; if (reslenp) *reslenp = reslen; return 0; } int main(int argc, char *argv[]) { int i, len, ret = 0; char *bin, *pw; gcry_check_version(NULL); for (i = 1; i < argc; i++) { ret = hex2bin(argv[i], &bin, &len); if (ret != 0) { perror("decoding input"); continue; } ret = c_decrypt(bin, len, &pw, NULL); free(bin); if (ret != 0) { perror("decrypting input"); continue; } printf("%sn", pw); free(pw); } exit(ret != 0); }

Share

Cisco Aironet AP PoE Injector Issues – Radios Disabled

Cisco Aironet AP’s disabled due to insufficient power

Cisco Aironet - PoE injector issues

Cisco Aironet AP’s were disabled due to insufficient power (problem with power negotiation from the PoE injector). System Power Settings (web interface) displayed a LOW_POWER_CLASSIC_NO_INJECTOR_CONFIGURED message. I accessed the console and issued ‘power inline negotation injector installed‘ but was told to verify that the required power injector was installed on a particular port.
“This condition occurs when the access point is powered from a power injector but is connected to a switch that supports CDP but cannot provide the full 15.4-W Power over Ethernet (PoE).” (network.allfaq.org)
Disabling CDP on the AP immediately resolved the issue:
no cdp run
Web Interface now displays:
Power State: FULL POWER
Power Source: NON_CISCO-NO_CDP_RECEIVED

Share

Cisco 1721 – Example config for a T1

In this example, the router is for a PTP T1 with static IP’s and no NAT. The FE0 is the local subnet, and the SE0 is the T1’s end of the PTP connection. The ACL is allowing access to an IP range, a host, and the DHCP & Telnet protocols.


version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Hostname
!
logging queue-limit 100
enable secret 5 encrypted password
!
username username privilege 15 password 7 encrypted password
ip subnet-zero
!
ip domain name example.com
ip name-server 192.168.1.5
ip name-server 192.168.1.4
ip dhcp excluded-address 192.168.0.1 192.168.0.200
ip dhcp excluded-address 192.168.0.220 192.168.0.254
!
ip dhcp pool 0
network 192.168.0.0 255.255.255.0
dns-server 192.168.1.4
default-router 192.168.0.1
!
!
interface FastEthernet0
ip address 192.168.0.1 255.255.255.0
speed auto
!
interface Serial0
ip address 192.168.1.5 255.255.255.252
no fair-queue
ip access-group 101 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
!
!
access-list 101 permit ip 192.168.1.0.0 0.0.0.255 any
access-list 101 permit ip host 192.168.2.1 any
access-list 101 permit tcp any any eq telnet
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq bootps
no cdp run
!
snmp-server community your-snmp-community-name RO
snmp-server enable traps tty
banner motd ^CCYour MOTD Banner goes here!^C
!
line con 0
line aux 0
line vty 0 4
login
transport input telnet
!
no scheduler allocate
end

Share

Share

ICMP on Cisco ASA/PIX 7.x

Inbound ICMP through the PIX/ASA is denied by default. Outbound ICMP is permitted, but the incoming reply is denied by default.

Pings Inbound
Pings initiated from the outside, or another low security interface of the PIX, are denied be default. The pings can be allowed by the use of static and access lists or access lists alone. In this example, one server on the inside of the PIX is made accessible to external pings. A static translation is created between the inside address (10.1.1.5) and the outside address (192.168.1.5).

pix(config)#static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255
pix(config)#access-list 101 permit icmp any host 192.168.1.5 echo
pix(config)#access-group 101 in interface outside

Pings Outbound
There are two options in PIX 7.x that allow inside users to ping hosts on the outside. The first option is to setup a specific rule for each type of echo message.

For example:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

This allows only these return messages through the firewall when an inside user pings to an outside host. The other types of ICMP status messages might be hostile and the firewall blocks all other ICMP messages.

Another option is to configure ICMP inspection. This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, hosts on all inside interfaces can ping hosts on the outside and the firewall allows the replies to return. This also gives you the advantage of monitoring the ICMP traffic that traverses the firewall. In this example, icmp inspection is added to the default global inspection policy.

For example:

policy-map global_policy
class inspection_default
inspect icmp


Pulled from Cisco.com

Share

Share

Retrieve a Cisco Serial Number from the Command Line

You can show the Serial Number for your Cisco device from the command line interface with the show inventory command, which was introduced in IOS version 12.3(4)T.

Here’s the sample output from a Cisco 857 ADSL router:
hostname#show inventory
NAME: "857", DESCR: "857 chassis, Hw Serial#: XXXXXXXXXXX, Hw Revision: 0x200"
PID: CISCO857-K9 , VID: V01 , SN: XXXXXXXXXXX

Thanks to Scott Hebert at slaptijack.com

Share

Share

Cacti – Using custom templates

Cacti is an awesome tool, but what really makes it fun is importing templates to graph different kinds of data. Here’s a list of custom templates, and there are a lot more out there…

Each one might vary a bit on how it is imported (perl script added to /cacti/scripts, etc.) but the basic ones simply require a .xml to be imported right from the web interface.

Here’s an example of the Cisco 800 series ADSL template:

Cacti Graph - Cisco 857 DSL info

Share

Share