Cisco ASA – show local-host, show nat, show conn, clear conn

Cisco ASA connection related commands


Some useful commands for troubleshooting connections on a Cisco ASA – How to show and clear existing connections, show NAT details, and more.

show local-host all

This command shows local host connections grouped by interface, like so:

hostname# show local-host all
Interface outside: 1 active, 2 maximum active, 0 denied
local host: ,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:42 bytes 4464
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:44 bytes 4464
Interface inside: 1 active, 2 maximum active, 0 denied
local host: ,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:42 bytes 4464
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:44 bytes 4464
Interface NP Identity Ifc: 2 active, 4 maximum active, 0 denied
local host: ,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:44 bytes 4464
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:42 bytes 4464
local host: ,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:44 bytes 4464
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:42 bytes 4464
hostname# show local-host 10.1.1.91
Interface third: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: ,
TCP flow count/limit = 1/unlimited
TCP embryonic count to (from) host = 0 (0)
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Xlate:
PAT Global 192.150.49.1(1024) Local 10.1.1.91(4984)
Conn:
TCP out 192.150.49.10:21 in 10.1.1.91:4984 idle 0:00:07 bytes 75 flags UI
Interface outside: 1 active, 1 maximum active, 0 denied
hostname# show local-host 10.1.1.91 detail
Interface third: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: ,
TCP flow count/limit = 1/unlimited
TCP embryonic count to (from) host = 0 (0)
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Xlate:
TCP PAT from inside:10.1.1.91/4984 to outside:192.150.49.1/1024 flags ri
Conn:
TCP outside:192.150.49.10/21 inside:10.1.1.91/4984 flags UI
Interface outside: 1 active, 1 maximum active, 0 denied

More details on this command can be found at Cisco.com’s ASA command reference

show conn, clear conn

The ‘show conn’ command shows the active connections the ASA is tracking, and the ‘clear conn’ command tears those connections down. This is useful when you need to reset a connection because your configuration has changed: an established connection keeps the state it was built with until it is cleared. Narrow the clear with address and port keywords so you only drop the connection you mean to; ‘clear conn all’ also drops to-the-box connections, including your own management session. Here are some examples:

ASA-host1# clear conn ?

address Enter this keyword to specify IP address
all Enter this keyword to clear all conns
port Enter this keyword to specify port
protocol Enter this keyword to specify conn protocol
security-group Enter this keyword to specify security-group attributes
user Enter this keyword to specify conn user
user-group Enter this keyword to specify conn user group

ASA-host1# show conn address 192.168.0.2 | inc outside
TCP outside 8.9.10.11:24460 INT_NAME 192.168.0.2:443, idle 0:00:22, bytes 4827, flags UFRIOB
TCP outside 1.1.1.1:47166 INT_NAME 192.168.0.2:443, idle 0:00:41, bytes 6409, flags UFRIOB
TCP outside 1.2.3.4:1928 INT_NAME 192.168.0.2:443, idle 0:00:13, bytes 20147, flags UIOB
TCP outside 6.7.8.9:60002 INT_NAME 192.168.0.2:443, idle 0:01:02, bytes 6434, flags UFRIOB
TCP outside 9.12.10.11:443 INT_NAME 192.168.0.2:63079, idle 0:00:11, bytes 178430, flags UIO
TCP outside 6.4.5.3:443 INT_NAME 192.168.0.2:63464, idle 0:00:14, bytes 2830, flags UIO
TCP outside 7.4.7.4:443 INT_NAME 192.168.0.2:63426, idle 0:00:20, bytes 2709, flags UIO

ASA-host1# clear conn address 6.7.8.9 port 60002 address 192.168.0.2 port 443
1 connection(s) deleted.

ASA-host1# show conn address 192.168.0.2 | inc outside
TCP outside 8.9.10.11:24460 INT_NAME 192.168.0.2:443, idle 0:00:27, bytes 4827, flags UFRIOB
TCP outside 1.1.1.1:47166 INT_NAME 192.168.0.2:443, idle 0:01:12, bytes 6409, flags UFRIOB
TCP outside 1.2.3.4:1928 INT_NAME 192.168.0.2:443, idle 0:00:33, bytes 42223, flags UIOB
TCP outside 9.12.10.11:443 INT_NAME 192.168.0.2:63079, idle 0:00:42, bytes 178430, flags UIO
TCP outside 6.4.5.3:443 INT_NAME 192.168.0.2:63464, idle 0:00:26, bytes 7477, flags UIO
TCP outside 7.4.7.4:443 INT_NAME 192.168.0.2:63426, idle 0:01:24, bytes 2709, flags UIO

ASA-host1# clear conn address 1.1.1.1 port 47166 address 192.168.0.2 port 443
1 connection(s) deleted.

ASA-host1# show conn address 192.168.0.2 | inc outside
TCP outside 8.9.10.11:24460 INT_NAME 192.168.0.2:443, idle 0:01:30, bytes 4827, flags UFRIOB
TCP outside 1.2.3.4:1928 INT_NAME 192.168.0.2:443, idle 0:01:06, bytes 42223, flags UIOB
TCP outside 9.12.10.11:443 INT_NAME 192.168.0.2:63079, idle 0:00:18, bytes 188600, flags UIO
TCP outside 6.4.5.3:443 INT_NAME 192.168.0.2:63464, idle 0:00:00, bytes 12418, flags UIO

ASA-host1# clear conn address 8.9.10.11 port 24460 address 192.168.0.2 port 443
1 connection(s) deleted.

ASA-host1# clear conn address 192.168.0.2 port 443
2 connection(s) deleted.

ASA-host1# show conn address 192.168.0.2 | inc outside
TCP outside 9.12.10.11:443 INT_NAME 192.168.0.2:63079, idle 0:00:18, bytes 198807, flags UIO
TCP outside 6.4.5.3:443 INT_NAME 192.168.0.2:63464, idle 0:00:13, bytes 22300, flags UIO
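The connections cleared above all carry the F and R flags (the outside host sent a FIN and it was acknowledged), which means they are half-closed sessions the ASA would otherwise hold until the half-closed timeout expires. Picking those out by eye works for a handful of lines; the Python script below, added here as an example and not code from the original post or from Cisco, parses the ‘show conn’ lines from this post (copied inline as a constructed sample, with the sanitized INT_NAME interface name kept), decodes the flags it knows about, and emits the exact five-tuple ‘clear conn’ commands for the half-closed ones. The flag table is a deliberately partial subset of the ASA flag legend.

```python
"""Parse Cisco ASA `show conn` output and build matching `clear conn` commands.

Added example for this post (not from the original page or from Cisco). The
SAMPLE lines are copied from the post's own output; INT_NAME is the sanitized
interface name the post uses.
"""
import re

# Partial subset of the ASA connection flag legend (only the flags used here).
FLAG_MEANINGS = {
    "U": "up (three-way handshake complete)",
    "I": "inbound data seen",
    "O": "outbound data seen",
    "B": "initial SYN came from the outside",
    "F": "outside host sent FIN",
    "f": "inside host sent FIN",
    "R": "outside acknowledged FIN",
    "r": "inside acknowledged FIN",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
}

# proto if1 ip1:port1 if2 ip2:port2, idle h:mm:ss, bytes N, flags XYZ
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if1>\S+)\s+(?P<ip1>[\d.]+):(?P<port1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<ip2>[\d.]+):(?P<port2>\d+),\s+"
    r"idle\s+(?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}),\s+"
    r"bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)


def parse_show_conn(text):
    """Return one dict per connection line; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["idle_seconds"] = int(d.pop("h")) * 3600 + int(d.pop("m")) * 60 + int(d.pop("s"))
        d["bytes"] = int(d["bytes"])
        d["port1"], d["port2"] = int(d["port1"]), int(d["port2"])
        conns.append(d)
    return conns


def is_half_closed(conn):
    """True when either side has sent a FIN (F or f): the ASA keeps the
    connection until the half-closed timeout expires unless it is cleared."""
    return any(c in conn["flags"] for c in "Ff")


def is_embryonic(conn):
    """True for a TCP connection whose handshake never completed (no U flag)."""
    return conn["proto"] == "TCP" and "U" not in conn["flags"]


def clear_conn_command(conn):
    """The same five-tuple form the post uses, so exactly one connection is dropped
    rather than every connection to the address."""
    return (f"clear conn address {conn['ip1']} port {conn['port1']} "
            f"address {conn['ip2']} port {conn['port2']}")


def describe_flags(flags):
    return [FLAG_MEANINGS.get(c, f"{c}: not in this table") for c in flags]


def plan_clears(text, predicate=is_half_closed):
    """Clear commands for every parsed connection that satisfies predicate."""
    return [clear_conn_command(c) for c in parse_show_conn(text) if predicate(c)]


# Constructed sample: the first five lines of the post's first `show conn` output.
SAMPLE = """\
TCP outside 8.9.10.11:24460 INT_NAME 192.168.0.2:443, idle 0:00:22, bytes 4827, flags UFRIOB
TCP outside 1.1.1.1:47166 INT_NAME 192.168.0.2:443, idle 0:00:41, bytes 6409, flags UFRIOB
TCP outside 1.2.3.4:1928 INT_NAME 192.168.0.2:443, idle 0:00:13, bytes 20147, flags UIOB
TCP outside 6.7.8.9:60002 INT_NAME 192.168.0.2:443, idle 0:01:02, bytes 6434, flags UFRIOB
TCP outside 9.12.10.11:443 INT_NAME 192.168.0.2:63079, idle 0:00:11, bytes 178430, flags UIO
"""

if __name__ == "__main__":
    for c in parse_show_conn(SAMPLE):
        print(c["ip1"], c["port1"], c["flags"], "->", "; ".join(describe_flags(c["flags"])))
    for cmd in plan_clears(SAMPLE):
        print(cmd)
```

Paste a full ‘show conn’ capture in place of SAMPLE, or swap the predicate for is_embryonic to list connections stuck in the handshake; the script only prints commands and never talks to the firewall, so review the list before running it on the ASA.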

show nat

Shows the NAT rules in the order the ASA evaluates them (manual NAT, then auto NAT, then manual NAT after auto), with translate_hits and untranslate_hits counters for each rule. A rule with zero hits after the traffic you expect it to handle has passed is not matching, which is the first thing to check when a NAT change does not take effect.

show xlate

Shows the current translation (xlate) table: the NAT and PAT slots in use, with the real and mapped addresses and ports. Removing a translation with ‘clear xlate’ also drops the connections that were using it, so it is the ASA-wide equivalent of the per-connection ‘clear conn’ above.


Android Apps

Updated list available at https://techpain.com/android-apps-march2017/

My favorite System and Network related Android apps. At the time of this post they are all free and none of them require a rooted device.

  • Mocha VNC Lite: Mocha VNC provides access to VNC servers. Windows and Mac OS X compatible.
  • uNagi: A Nagios and Icinga client. My favorite features: allows connections over HTTPS, acknowledges notifications, shows service and host problems, and requires no additional Nagios plugins.
  • 2Xclient: An easy-to-use RDP client.
  • OpenVPN Connect: VPN client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community.
  • Lookout Security & Antivirus: Protection against malware and viruses.
  • FoxFi: Wi-Fi tethering without a rooted device.
  • Fing – Network Tools: Network discovery, ping, traceroute, DNS lookup, port scan, and more.
  • Glympse: Not necessarily an app for just tech types, but great for letting people know where you are and when you’ll get to your destination.
  • Quickoffice: View and edit Word, Excel, and PowerPoint files; view PDFs.
  • Wifi Analyzer: Shows information about Wi-Fi networks: channels, signal strength, and more.
  • WordPress: Easily write, edit, and publish WordPress posts on WordPress.com AND self-hosted WordPress sites.
  • OpenSignal: Locate better cellular coverage or Wi-Fi, report dropped calls, and much more.
  • Speedtest.net: Ookla speedtest shows upload and download speeds, as well as ping times.
  • Name.com for Android: Name.com is one of the best registrars out there. This app allows you to manage your Name.com registered domains, including renewal and DNS management. Check domain name availability, register new domain names, and search for domain names based on your geographical location.
  • Servers Ultimate: Turn your Android phone into a multipurpose server.
  • AndFTP: FTP client that manages multiple FTP connections.
  • AirDroid: Connect to your Android phone from your computer to manage SMS and more – with no wires.

Changing the IP address of a Scalix Server

Change your Scalix IP without breaking things


Changing the IP of a Scalix server is really easy. Along with changing the obvious stuff (/etc/hosts, /etc/sysconfig/network, /etc/sysconfig/network-scripts/ifcfg-eth0…), just follow these directions from the Scalix Wiki:

Update the Postgres Client Authentication

Changing your IP address does not update Postgres, and the Scalix API is then denied access. To fix this, edit the file /var/opt/scalix/NN/postgres/data/pg_hba.conf, where NN is the abbreviation of your Scalix node (it depends on the hostname of your Scalix server). This line is an authentication rule, so replace the old address in the existing line rather than adding a second line, or the old address keeps its access.
Find the line that looks like:

host    scalix      scalix      192.168.1.100/32   md5

Edit the file to change this line to look like:

host    scalix      scalix      192.168.1.50/32   md5

Update the Search and Index Service

Changing your IP address does not update the Search and Index Service properties either. To fix this, edit the file /var/opt/scalix/NN/sis/sis.properties (again, NN is the abbreviation of your Scalix node). These two entries are client allowlists for the index and search services, so the old address must be replaced, not left next to the new one.
Find the lines that look like:

index.client.whitelist=192.168.1.100,127.0.0.1
search.client.whitelist=192.168.1.100,127.0.0.1

Edit the file to change the lines to look like:

index.client.whitelist=192.168.1.50,127.0.0.1
search.client.whitelist=192.168.1.50,127.0.0.1

Update the Uber Manager Service

As above, changing your IP address does not fix the Uber Manager. To fix it, edit the file /var/opt/scalix/NN/caa/scalix.res/config/ubermanager.properties (again, NN is the abbreviation of your Scalix node).
Find the line that looks like:

ubermanager.notification.listener.address=192.168.1.100

Edit the file to change the line to look like:

ubermanager.notification.listener.address=192.168.1.50

Reboot and enjoy your server

After you have finished this procedure please reboot. Everything should be working just like before.
Do remember, however, that this post only covered Scalix. Other services or other parts of the server which depend on the IP Address instead of hostname will still need to be changed.
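The three edits above are the same substitution in three files, and the risk in doing it by hand is leaving the old address behind in pg_hba.conf (an authentication rule) or in one of the allowlists. The Python script below, added here as an example and not a Scalix tool, applies the substitution to the three paths from this post, matches the address only as a whole token so that a similar address such as 192.168.1.10 is not touched when 192.168.1.100 is, keeps a .bak copy of each file it changes, and reports any file that still references the old address afterwards. "NN" is kept as a placeholder for the node abbreviation, and the file contents it runs against are constructed to mirror the snippets above.

```python
"""Move a Scalix server to a new IP address in the three files the post names,
with an anchored match and a check that the old address is gone afterwards.

Added example for this post, not a Scalix tool. "NN" stands in for the node
abbreviation; the fixture contents and both addresses are constructed to
mirror the post's snippets.
"""
import os
import re
import shutil
import tempfile

NODE = "NN"  # placeholder: the real directory is named after your Scalix node
FILES = [
    f"/var/opt/scalix/{NODE}/postgres/data/pg_hba.conf",
    f"/var/opt/scalix/{NODE}/sis/sis.properties",
    f"/var/opt/scalix/{NODE}/caa/scalix.res/config/ubermanager.properties",
]


def ip_pattern(ip):
    """Match the dotted quad only as a whole token. A plain word boundary is not
    enough because digits and '.' are the neighbours that matter: 192.168.1.10
    must not match inside 192.168.1.100."""
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def rewrite_ip(path, old_ip, new_ip):
    """Replace old_ip with new_ip in place (keeping a .bak copy) and return the
    (before, after) pairs of the lines that changed. The existing pg_hba line is
    rewritten, not duplicated, so the old address does not keep its access."""
    pat = ip_pattern(old_ip)
    with open(path) as fh:
        lines = fh.readlines()
    changed, out = [], []
    for line in lines:
        new = pat.sub(new_ip, line)
        if new != line:
            changed.append((line.rstrip("\n"), new.rstrip("\n")))
        out.append(new)
    if changed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w") as fh:
            fh.writelines(out)
    return changed


def leftover_references(paths, old_ip):
    """Paths that still mention old_ip; expected to be empty after the rewrite."""
    pat = ip_pattern(old_ip)
    found = []
    for p in paths:
        with open(p) as fh:
            if pat.search(fh.read()):
                found.append(p)
    return found


def change_scalix_ip(paths, old_ip, new_ip):
    """Rewrite every path and report what changed plus any stale references."""
    report = {p: rewrite_ip(p, old_ip, new_ip) for p in paths}
    return report, leftover_references(paths, old_ip)


def make_fixture(root):
    """Write the post's three snippets under a temporary root (constructed data)."""
    contents = {
        FILES[0]: ("host    scalix      scalix      192.168.1.100/32   md5\n"
                   "local   all         all                            md5\n"),
        FILES[1]: ("index.client.whitelist=192.168.1.100,127.0.0.1\n"
                   "search.client.whitelist=192.168.1.100,127.0.0.1\n"),
        FILES[2]: "ubermanager.notification.listener.address=192.168.1.100\n",
    }
    paths = []
    for abs_path, text in contents.items():
        p = os.path.join(root, abs_path.lstrip("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(text)
        paths.append(p)
    return paths


def demo(old_ip="192.168.1.100", new_ip="192.168.1.50"):
    """Run the rewrite against the fixture; returns (report, leftovers, paths)."""
    paths = make_fixture(tempfile.mkdtemp())
    report, leftovers = change_scalix_ip(paths, old_ip, new_ip)
    return report, leftovers, paths


if __name__ == "__main__":
    report, leftovers, _ = demo()
    for path, changes in report.items():
        for before, after in changes:
            print(f"{path}\n  - {before}\n  + {after}")
    print("old address still referenced in:", leftovers or "nothing")
```

On a real server, call change_scalix_ip(FILES, old, new) as root after stopping Scalix, then grep the rest of /var/opt/scalix for the old address before rebooting, since, as the post notes, other services may still carry it.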
