Professional Documents
Culture Documents
9.)On the egress interface, the interface route lookup is performed. Remember, the egress interface is
determined by the translation rule that will take the priority.
10.)Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed.
Layer 2 rewrite of MAC header happens at this stage.
11)The packet is transmitted on wire, and Interface counters increment on the egress interface.
TCP/IP is the communication protocol for communication between computers on the Internet.
TCP/IP stands for Transmission Control Protocol / Internet Protocol.
TCP/IP defines how electronic devices (like computers) should be connected to the Internet, and how data
should be transmitted between them.
Inside TCP/IP
Inside the TCP/IP standard there are several protocols for handling data communication:
IP Routers
When an IP packet is sent from a computer, it arrives at an IP router.
The IP router is responsible for "routing" the packet to the correct destination, directly or via another router.
The path the packet will follow might be different from other packets of the same communication. The router is
responsible for the right addressing, depending on traffic volume, errors in the network, or other parameters.
Connection-Less Analogy
Communicating via IP is like sending a long letter as a large number of small postcards, each finding its own (often
different) way to the receiver.
TCP/IP
Name two network commands which uses ICMP at the network layer
Ping and Tracert
Which port number does ICMP use
ICMP does not use any port number as it does not use any transport layer protocols.
Which port does TFTP server works on
UDP port 69
Is TFTP a secure protocol
57 network:
Node IpAddress: [57.5.196.222] Scope Id: []
Type
Status
Registered
Registered
INNIIT-TECH
<00> GROUP
Registered
INNIIT-TECH
<1E> GROUP
Registered
pdel1347#sh ip accounting
Source Destination Packets Bytes
57.5.209.56 57.5.178.180 3358 3811507 <<<< 3.6mb
57.5.208.217 57.5.178.79 67413 3070463 <<<< 2.9mb
57.5.209.13 57.5.178.180 3957 3017559
57.5.208.224 57.5.179.12 4815 2176410
57.5.209.22 57.5.178.79 46225 2073058
57.5.209.25 57.5.178.79 48522 2047308
How to Force a Manual Failover on a Cisco ASA via Command Line
Forcing a manual failover via command line can be done in two different ways.
######################################
On the active firewall you can do the following:
CiscoASA# no failover active
On the standby firewall you can do the following:
CiscoASA# failover active
Personally I prefer force the failover from the standby unit.
Example 11-29 shows relevant configuration of the primary Cisco ASA and the bootstrap configuration of the
secondary Cisco ASA. The primary Cisco ASA, being the active unit, synchronizes the entire running configuration
to the secondary Cisco ASA. The connection and translation tables are constantly replicated to the secondary Cisco
ASA over a dedicated interface.
Example 11-29. Cisco ASA Full Configuration Using Active/Standby Failover
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 209.165.200.225 255.255.255.224 standby 209.165.200.226
!inside interface with security level set to 100. The system IP address is
! 192.168.10.1 and the Standby IP address is 192.168.10.2
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
! Interface used as a failover control interface
interface GigabitEthernet0/2
description LAN Failover Interface
! Interface used as a Stateful link
interface GigabitEthernet0/3
description STATE Failover Interface
<snip>
! Cisco ASA will send periodic hellos every 500 milliseconds, and initiate a
! failover if hellos are not acknowledged for 3 seconds
failover polltime unit msec 500 holdtime 3
! Failover key to encrypt the control messages. This keys will be X'ed out
! in the configuration
failover key cisco123
! Stateful interface
failover link statefullink GigabitEthernet0/3
! IP address assignment on the failover control interface
failover interface ip FOCtrlIntf 10.10.10.1 255.255.255.252 standby 10.10.10.2
! IP address assignment on the stateful failover interface
failover interface ip statefullink 10.10.10.5 255.255.255.252 standby 10.10.10.6
! interfaces to be monitored for failover
monitor-interface outside
monitor-interface inside
! Address translation for the inside hosts to get Internet Access
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
<snip>
______________________________________________________________________________
Configuration of Secondary Cisco ASA
! The unit is acting as a Secondary device
After the secondary Cisco ASA is configured for bootstrap configuration, the primary Cisco ASA synchronizes the
running configuration to the secondary Cisco ASA, as shown in Example 11-32.
Example 11-32. Configuration Replication
The secondary Cisco ASA loads the running configuration and becomes standby to monitor the status of the primary
Cisco ASA. In Example 11-33, the secondary Cisco ASA is in standby with its current IP addresses set as the
standby addresses.
Example 11-33. Output of show ip
Chicago# show ip
System IP Addresses:
Interface
Name
IP address
Subnet mask
Method
GigabitEthernet0/0 outside
GigabitEthernet0/1 inside
192.168.10.1
255.255.255.0 CONFIG
GigabitEthernet0/2 FOCtrlIntf
10.10.10.1
255.255.255.252 CONFIG
GigabitEthernet0/3 statefullink
10.10.10.5
255.255.255.252 CONFIG
Current IP Addresses:
Interface
Name
IP address
Subnet mask
Method
GigabitEthernet0/0 outside
GigabitEthernet0/1 inside
192.168.10.2
255.255.255.0 CONFIG
GigabitEthernet0/2 FOCtrlIntf
10.10.10.2
255.255.255.252 CONFIG
GigabitEthernet0/3 statefullink
10.10.10.6
255.255.255.252 CONFIG
The failover or standby IP addresses can also be checked by using the show failover command. If stateful failover is
set up, show failover also displays the stateful failover statistics along with the number of updates it has received
and transmitted. Example 11-34 shows the output of show failover with the system and standby IP addresses and
information about stateful failover.
Example 11-34. Output of show failover in Active/Standby Deployment
xmit
xerr
rcv
rerr
General
7509
23239 0
sys cmd
4009
4009
up time
RPC services
0
0
0
0
TCP conn
55001
43023 0
UDP conn
3300
3205
ARP tbl
3500
Xlate_Timeout 0
VPN IKE upd
19230 0
0
14
13
28
0
0
0
0
0
0
Recv Q:
Max
0
Total
110826
0
0
0
0
Xmit Q:
12417
Note
The xerr and rerr are transmit and receive errors that occur when Cisco ASA send stateful information to each other.
Stateful failover is best effort and there will be times when errors increment because of congestion and other
reasons.
Cisco PIX ASA failover troubleshooting Tips
* Type sh fail command to check if any configured interface is in waiting or failed state.
* Try to ping the interface IPs, both devices must be able to ping each other.
* Type sh run | inc fail to make sure the configuration is correct.
* If there is a switch between them, make sure the interfaces are on the right VLAN
* Try using another FE port on the switch if still an issue or change the network cable.
* Make sure port fast is enabled on the switch port and both trunking and channeling is disabled on those
ports.
* Type sh log | inc fail command to see if there are any failover related messages in the logs.
Q. Will IPSEC make firewalls obsolete (no longer In use / bekar) ?
A.IPSEC (IP SECurity) refers to a set of standards developed by the Internet Engineering Task Force (IETF). There
are many documents that collectively define what is known as ``IPSEC'' [4]. IPSEC solves two problems which
have plagued the IP protocol suite for years: host-to-host authentication (which will let hosts know that they're
talking to the hosts they think they are) and encryption (which will prevent attackers from being able to watch the
traffic going between machines).
1.FTP server
2.Email server
3.E-commerce server
4.DNS servers
5.Web servers
Q.Does the Cisco IOS Firewall feature set act as a stateful or stateless packet filter?
A.The Cisco IOS Firewall is a stateful filter.
1.RADIUS server
2.ACACS+ server
Upon successful authentication, that particular users security policy is downloaded from the RADIUS or
TACACS+ server and applied by the IOS Firewall router.
Q. Configuring ACLs is an important part of working with the IOS Firewall. What wildcard masks are
replaced in ACLs by the words host and any?
We have the option of using the word host to represent a wildcard mask of 0.0.0.0.
Consider a configuration where only packets from IP source 10.1.1.1 should be allowed and all other packets denied.
The following ACLs both do that.
A.
R3#conf t
R3(config)#access-list 6 permit 10.1.1.1 0.0.0.0
R3(config)#conf t
R3(config)#access-list 7 permit host 10.1.1.1
The keyword any can be used to represent a wildcard mask of 255.255.255.255. Both of the following lines permit
all traffic.
R3(config)#access-list 15 permit any
R3(config)#access-list 15 permit 0.0.0.0 255.255.255.255
Theres no right or wrong decision to make when youre configuring ACLs in the real world. For your exam,
though, Id be very familiar with the proper use of host and any.
Firewall Services Module (FWSM) is a firewall module integrated by Cisco into its Catalyst 6500 Switches and
7600 Series Routers.
Installed inside a Cisco Catalyst 6500 Series Switch or Cisco 7600 Internet Router, the FWSM allows any VLAN on
the switch to be passed through to the device to operate as a firewall port and integrates firewall security inside the
network infrastructure.
The FWSM is based on Cisco PIX technology and uses the same Cisco PIX Operating System, a secure, real-time
operating system. The Cisco FWSM enables organizations to manage multiple firewalls from the same management
platform.
Question: What command will show you if packets are being dropped by one of the Inspection engines?
Question: What type of connection is not replicated by default when stateful failover is configured?
Answer: HTTP connections. Use optional failover replication http command to enable replication of HTTP connections.
Show Nat
The show nat command displays information about the nat table of the firewall
TCP Connection Termination Reasons
If a TCP connection is built through the firewall, it will always have a teardown reason.
The TCP teardown syslog is logged at level six.
Question: What other command can one run to see the information provided by show service-policy flow in an ASA?
Answer: packet-tracer
In computer networking, an embryonic connection refers to a TCP connection which is in the process of being established
Introduction
This document provides troubleshooting ideas and suggestions for when you use the Cisco ASA 5500 Series
Adaptive Security Appliance (ASA) and the Cisco PIX 500 Series Security Appliance. More often than not, when
applications or network sources break or are not available, firewalls (PIX or ASA) tend to be a primary target and
blamed as the cause of outages. With some testing on the ASA or PIX, an administrator can determine whether or
not the ASA/PIX causes the problem.
Refer to PIX/ASA: Establish and Troubleshoot Connectivity through the Cisco Security Appliance in order to learn
more about the interface related troubleshooting on the Cisco security appliances.
Note: This document focuses on the ASA and PIX. Once troubleshooting is complete on the ASA or PIX, it is likely
that additional troubleshooting might be necessary with other devices (routers, switches, servers, and so forth).
Components Used
The information in this document is based on Cisco ASA 5510 with OS 7.2.1 and 8.3.
The information in this document was created from the devices in a specific lab environment. All of the devices
used in this document started with a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Related Products
This document can also be used with these hardware and software versions:
ASA and PIX OS 7.0, 7.1, 8.3, and later
Firewall Services Module (FWSM) 2.2, 2.3, and 3.1
Note: Specific commands and syntax can vary between software versions.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Background Information
The example assumes the ASA or PIX is in production. The ASA/PIX configuration can be relatively simple (only
50 lines of configuration) or complex (hundreds to thousands of configuration lines). Users (clients) or servers can
either be on a secure network (inside) or an unsecure network (DMZ or outside).
The ASA starts with this configuration. The configuration is intended to give the lab a reference point.
ASA Initial Configuration
ciscoasa#show running-config
: Saved
:
ASA Version 7.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.22.1.160 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.1.1.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_acl extended permit tcp any host 172.22.1.254 eq
www
access-list inside_acl extended permit icmp 192.168.1.0
255.255.255.0 any
access-list inside_acl extended permit tcp 192.168.1.0 255.255.255.0
any eq www
access-list inside_acl extended permit tcp 192.168.1.0 255.255.255.0
any eq telnet
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no asdm history enable
arp timeout 14400
global (outside) 1 172.22.1.253
nat (inside) 1 192.168.1.0 255.255.255.0
statements
!--- for ASA 8.3 and later.
Note: In order to download the capture file to a system such as ethereal, you can do it as this output shows.
!--- Open an Internet Explorer and browse with this https link format:
https://[<pix_ip>/<asa_ip>]/capture/<capture name>/pcap
Refer to ASA/PIX: Packet Capturing using CLI and ASDM Configuration Example in order to know more
about Packet Capturing in ASA.
Debug
The debug icmp trace command is used to capture the ICMP traffic of the user.
ciscoasa#debug icmp trace
The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed on the console.
ciscoasa#
The user initiates application X. The ASA administrator then issues the show capture inside_interface
command and views the output.
ciscoasa(config)#show capture inside_interface
1: 15:59:42.749152 192.168.1.50.1107 > 172.22.1.1.80:
S 3820777746:3820777746(0) win 65535 <mss 1460,nop,nop,sackOK>
2: 15:59:45.659145 192.168.1.50.1107 > 172.22.1.1.80:
S 3820777746:3820777746(0) win 65535 <mss 1460,nop,nop,sackOK>
3: 15:59:51.668742 192.168.1.50.1107 > 172.22.1.1.80:
S 3820777746:3820777746(0) win 65535 <mss 1460,nop,nop,sackOK>
The captured traffic provides the administrator with several pieces of valuable information:
Destination address172.22.1.1
Port number80/http
ProtocolTCP (notice the "S" or syn flag)
In addition, the administrator also knows that the data traffic for application X does arrive at the ASA.
If the output had been this show capture inside_interface command output, then the application traffic
either never reached the ASA or the capture filter was not set to capture the traffic:
ciscoasa#show capture inside_interface
0 packet captured
0 packet shown
In this case, the administrator should consider investigating the user's computer and any router or other
network devices in the path between the user computer and the ASA.
Note: When traffic arrives at an interface, the capture command records the data before any ASA security
policies analyze the traffic. For example, an access-list denies all incoming traffic on an interface. The
capture command still records the traffic. The ASA security policy then analyzes the traffic.
Debug
The administrator is not familiar with application X and therefore does not know which of the debug
services to enable for application X investigation. Debug might not be the best troubleshooting option at
this point.
With the information collected in Step 2, the ASA administrator gains several bits of valuable information. The
administrator knows the traffic arrives at the inside interface of the ASA, source IP address, destination IP address
and the service application X uses (TCP/80). From the syslogs, the administrator also knows that the communication
was initially permitted.
Step 3 - Confirm and Monitor Application Traffic
The ASA administrator wants to confirm that application X traffic has left the ASA as well as monitor any return
traffic from the application X server.
Monitor syslog messages.
Filter syslog messages for the source IP address (192.168.1.50) or the destination IP address (172.22.1.1).
From the command line, filtering syslog messages look like show logging | include 192.168.1.50 or show
logging | include 172.22.1.1. In this example, the show logging command is used without filters. The
output is suppressed in order to make reading easy.
ciscoasa#show logging
The syslog message indicates the connection closed because the of SYN timeout. This tells the
administrator that no application X server responses were received by the ASA. Syslog message
termination reasons can vary.
The SYN timeout gets logged because of a forced connection termination after 30 seconds that occurs after
the three-way handshake completion. This issue usually occurs if the server fails to respond to a connection
request, and, in most cases, is not related to the configuration on PIX/ASA.
In order to resolve this issue, refer to this checklist:
1.
Make sure the static command is entered correctly and that it does not overlap with other static commands,
for example,
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255
The static NAT in ASA 8.3 and later can be configured as shown here:
object network obj-y.y.y.y
host y.y.y.y
nat (inside,outside) static x.x.x.x
2.
Make sure that an access list exists in order to permit access to the global IP address from the outside and
that it is bound to the interface:
access-list OUTSIDE_IN extended permit tcp any host x.x.x.x eq www
access-group OUTSIDE_IN in interface outside
3.
For a successful connection with the server, the default gateway on the server must point towards the DMZ
interface of PIX/ASA.
Refer to ASA System Messages for more information on the syslog messages.
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.22.1.0
Phase: 5
255.255.255.0 outside
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit tcp 192.168.1.0 255.255.255.0 any eq www
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
match ip inside 192.168.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (172.22.1.254)
translate_hits = 6, untranslate_hits = 0
Additional Information:
Phase: 10
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 94, packet dispatched to next module
Phase: 15
Type: ROUTE-LOOKUP
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
The most important output of the packet-tracer command is the last line, which is Action: allow.
The three options in Step 3 each show the administrator that the ASA is not responsible for the application X issues.
The application X traffic leaves the ASA and the ASA does not receive a reply from the application X server.
What is Next?
There are many components that allow application X to work correctly for users. The components include the user's
computer, the application X client, routing, access policies, and the application X server. In the previous example,
we proved that the ASA receives and forwards the application X traffic. The server and application X administrators
should now get involved. Administrators should verify that the application services are running, review any logs on
the server, and verify that the user's traffic is received by the server and application X.
Problem: Terminating TCP-Proxy Connection Error Message
You receive this error message:
interface_name:source_address/source_port dest
interface_name:dest_address/dest_port denied due to NAT reverse path
failure.
Solution
When the NAT is performed, ASA also tries to reverse the packet and checks if this hits any translation. If it does
not hit any or a different NAT translation, then there is a mismatch. You most commonly see this error message
when there are different NAT rules configured for outbound and incoming traffic with same source and destination.
Check the NAT statement for the concerned traffic.
Problem: Receive error - %ASA-5-321001: Resource 'conns' limit of 10000 reached for system
Solution
This error signifies that the connections for a server located across an ASA have reached their maximum limit. This
could be an indication of a DoS attack to a server in your network. Use MPF on the ASA and reduce the embryonic
connections limit. Also, enable Dead Connection Detection (DCD). Refer to this configuration snippet:
class-map limit
match access-list limit
!
policy-map global_policy
class limit
set connection embryonic-conn-max 50
set connection timeout embryonic 0:00:10 dcd
!
access-list limit line 1 extended permit tcp any host x.x.x.x
Problem: Receive error %PIX-1-106021: Deny TCP/UDP reverse path check from src_addr to dest_addr on
interface int_name
Solution
This log message is received when the reverse path check is enabled. Issue this command in order to resolve the
problem and disable the reverse path check:
no ip verify reverse-path interface <interface name>
Port
Application
21,20
22
23
Telnet
25
42
43
Whois Port :- Port used for whois request (For the retrieval fo domain name information) to
whois servers
53
DNS (This port is used by client and servers when exchanging domain name information and
routing (DNS= Domain Name Server)
67
80
110
POP3 This is a port normally called the incoming mail port in email programs
115
Secure FTP Port used for ftp file transfers and modifications over a secure shell connections
(SSH)
119
123
Network Time Protocol (NTP):- Port used for checking and syncronizing time with another
computer (Time Server)
137
Netbios name service port :- This port used by the netbios protocol to find other computers
on a workgroup network
143
161
SNMP(Simple Network Management Protocol): UDP port used to manage configure and
gather information about network devices like routers firewall etc
179
379
Site Replication Services :- TCP Port used by microsoft site replication services
389
LDAP:- TCP port used to find and manage network resources on an hierarchical network
systems like Microsoft active directory service domain
443
Secure HTTP:-
465
636
993
995
1533
Sametime server
1352
3389
Introduction
This guide has been prepared for Medco Health to help them troubleshoot PIX Firewall issues in their network. The
document is broken down into three main sections: Connection Issues (User A cannot talk to Server B through the
PIX), Performance Issues (Slow connectivity through the PIX), and Failover Issues. I hope you find it useful.
The show conn Command
When troubleshooting connection issues through the PIX (you can't get to a web site, or you can't telnet to a device),
it is most helpful to examine the status of the connection through the PIX. Since the PIX is a "stateful" firewall, it
must see the complete 3-way handshake (SYN, SYN+ACK, ACK) - in order - before the connection is considered
"up". Many times the PIX will receive the SYN packet, and maybe even the SYN+ACK packet, but not the final
ACK. When this occurs, the connection is considered to be in the embryonic state, and data will not flow until the
connection completes and moves out of the embryonic state.
The easiest way to view the connections - and their state - on the PIX is to issue the command show conn. The
show conn command will display all the active connections through the PIX, along with the state the connection is
in. The connection's state is represented by the "flags" field. The "flags" field is displayed at the very end of the
connection line. See example below.
Example: show conn
TCP out 199.244.222.174:62112 in 54.26.166.67:4092 idle 0:02:01 Bytes 6563 flags UIOB
TCP out 199.244.222.171:61853 in 54.26.166.67:4092 idle 0:04:58 Bytes 6464 flags UIOB
TCP out 159.132.12.27:52269 in 54.26.166.70:4093 idle 0:03:25 Bytes 20335 flags UIOB
TCP out 199.244.222.173:62578 in 54.26.166.67:4092 idle 0:02:32 Bytes 21692 flags UIOB
TCP out 159.132.12.23:53481 in 54.26.166.70:4093 idle 0:02:14 Bytes 5588 flags UIOB
TCP out 199.244.222.171:62431 in 54.26.166.67:4092 idle 0:03:12 Bytes 7039 flags UIOB
TCP out 199.244.222.173:62576 in 54.26.166.67:4092 idle 0:03:13 Bytes 23020 flags UIOB
TCP out 159.132.12.23:53614 in 54.26.166.70:4093 idle 0:00:11 Bytes 8152 flags UIOB
One can also use modifiers to the show conn command to limit the output. Most frequently, one will want to find
all the connections from a given source IP address. If the source address is on the outside use the foreign modifier.
If the source address is on the inside, use the local modifier. Below is the command syntax for the show conn
command.
usage: show conn [count] | [protocol <tcp|udp>] [foreign|local <ip1[-ip2]> [netmask <mask>]]
[lport|fport <port1[-port2>] [state
<up[,finin][,finout][,http_get][,smtp_data][,data_in][,data_out][,...]>]
For further information on the show conn command see the PIX 5.3 Command Reference.
Connection Flags
+------+-------------------------------------------------------+
| Flag | Description
|
+------+-------------------------------------------------------+
| U | up
|
| f | inside FIN
|
| F | outside FIN
|
| r | inside acknowledged FIN
|
| R | outside acknowledged FIN
|
| s | awaiting outside SYN
|
| S | awaiting inside SYN
|
| M | SMTP data
|
| I | inbound data
|
| O | outbound data
|
| q | SQL*Net data
|
| d | dump
|
| P | inside back connection
|
Inside
Outside
Flags
+---+----------------------------+--------+
| 1 | SYN -->
| saA |
|2|
<-- SYN + ACK | A |
| 3 | ACK -->
| U |
|4|
<-- Data
| UI |
| 5 | Data -->
| UIO |
+---+-------------------------------------+
By using the example above, along with the Connection Flags table, one can determine the state of every connection
that is currently passing through the PIX.
For TCP connections that have already terminated, one can look in the syslogs and search for message ID 302002
(Teardown TCP connection). At the end of this message is the TCP termination reason. The table below lists the
possible reasons, along with their description.
Note: This syslog message is logged at level 6 (Informational), if you are logging at level 5 or lower, you will not
see this message.
The show xlate count command shows the current and maximum number of translations through the PIX. A
translation is a mapping of an internal address to an external address. It can be a one-to-one mapping (as is the case
with NAT) or a many-to-one mapping (as is the case with PAT). It is a subset of the command show xlate which
outputs each translation through the PIX.
The following table lists and describes the fields in the show cpu usage output:
Field
Description
one minute
five minutes
Average of 5 second samples of CPU utilization over the last five minutes
0 bytes
0 pkts/sec
0 bytes/sec
0 bytes
0 pkts/sec
0 bytes/sec
inside:
received (in 3716258.469 secs):
26496476 packets
0 pkts/sec
3045395087 bytes
0 bytes/sec
0 bytes/sec
B2B:
received (in 3716258.469 secs):
7440766 packets 519398369 bytes
0 pkts/sec
1 bytes/sec
1 bytes/sec
intf3:
received (in 3716258.469 secs):
301759 packets 28607868 bytes
0 pkts/sec
0 bytes/sec
0 bytes/sec
Client-access:
received (in 3716260.589 secs):
18335582 packets
0 pkts/sec
701805637 bytes
0 bytes/sec
0 bytes
0 pkts/sec
0 bytes/sec
PixState:
received (in 3716260.589 secs):
743120 packets 77281878 bytes
0 pkts/sec
1 bytes/sec
0 bytes/sec
Client-PIX#
If you are coming close - or reaching - the rated throughput on one of your interfaces, it is highly suggested that you
think about upgrading to a faster interface, or limit the amount of traffic going into or out of that interface. Failure
to do so will result in packets getting dropped. This is most observable by examining the interface counters. See
more information on this under the show interface command below.
Syslog messages sent out from the PIX also use the 256 byte blocks, but they are generally not released in such
quantity to cause a depletion of the 256 byte block pool. However, if you are experiencing the CNT column of the
256 byte blocks hovering near zero check to make sure you are not logging at debugging level to the syslog server.
This is indicated by the logging trap line in the PIX config. It is recommended to log at Notification Level (level 5)
or lower, unless you require additional information for debugging purposes.
MAX
LOW
CNT
1600
1560 1599
80
400
356
398
256
500
400
500
1550
Client-PIX#
The following table lists and describes the columns in the show blocks command output:
Column
Description
SIZE
MAX
The Maximum number of blocks available for that specific Byte block pool.
Note: The Maximum number of blocks are carved out of Memory at bootup.
Typically, the Maximum number of blocks does not change. The exception is
for the 256 and 1550 byte blocks, where the PIX can dynamically create more
when needed, up to a maximum of 8192.
LOW
The Low water mark. This is the lowest number of this size blocks available
since the PIX was powered up, or since the last clearing of the blocks "clear
blocks".
CNT
The Current number of blocks available for that specific size block pool.
The following table lists and describes the rows in the show blocks command output:
Size
4
Description
Used in TCP Intercept to generate an ACK packets, used for failover hello
messages.
256
Used for Stateful Failover updates, Syslogging, and other TCP functions.
1550
16384
Only used for the 64-bit, 66 MHz Gigabit Ethernet cards (i82543) in the PIX
535.
be high. If this is caused by traffic load, then you should consider upgrading your PIX to a more powerful one that
can handle the load.
When a packet first enters an interface, it is placed in the input hardware queue. If the input hardware queue is full,
the packet will be placed in the input software queue. Once the packet is in the input queue it is next passed up to
the PIX OS and placed in a 1550 byte block (16384 byte block for the 66 MHz Gigabit Ethernet interfaces). The
PIX then determines the output interface for the packet and proceeds to place the packet in the outbound interface's
hardware queue. If this is full, it is placed in the output software queue. If the max blocks in either of the software
queues are large, this indicates that the interface is being overrun. For example, if 200 Mbps are coming into the
PIX and all going out a single 100 Mbps interface, the output software queue will indicate high numbers on the
outbound interface, indicating that the interface cannot handle the traffic volume. If this is occurring, consider
upgrading to a faster interface.
You also want to check the interface for errors. If you are receiving Runts, Input Errors, CRCs, or Frame errors you most likely have a duplex mismatch. (The other likely cause is a faulty cable - but speaking from experience 9
times out of 10 it is a duplex issue). Please remember that each error counter represents the number of packets that
were dropped because of that error. So, if you see a specific counter incrementing quite regularly - your
performance is most likely really suffering and you need to find the root cause of the problem.
While we are examining the interface counters, please note that if the interface is set to full-duplex, you should not
have any collisions, late collisions, or deferred packets. Conversely, if the interface is set to half-duplex, you should
be receiving collisions, some late collisions, and possibly some deferred. The number of collisions + late collisions
+ deferred should not exceed 10% of the sum of the input + output packet counters. If your collisions exceed 10%
of your total traffic this indicates that this link is being over utilized and you need to upgrade to either full-duplex, or
a faster speed (10 Mbps to 100 Mbps). Again, remember that if you have 10% collisions, that means you are
dropping 10% of your packets going through that interface and each of these packets must be re-transmitted.
For detailed information on the interface counters, please see the interface command in the PIX Command
Reference.
to have their Primary PIX run as the Active PIX for normal operation. That way if a user logs in and sees that the
Secondary PIX is Active, they will know that a failover occurred.
The Poll Frequency is the amount of time in seconds that the PIX sends out hello messages out each interface. Both
PIXes (Active and Standby) send hello messages out each interface every poll frequency. If three consecutative
hello messages are missed on any interface, the PIX will go into a testing state, and run through the failover tests to
see if any interface is bad on either PIX. If an interface is found to be bad, then that PIX will fail itself and if it was
the Active PIX, the Standby will then take over as the Active PIX.
Failover testing consists of the following four consecutive tests:
1.
This test is a Link Up/Down check of the NIC itself. If an interface card is not plugged into an operational
network, it is considered failed.
2.
This test is simply a "received network activity" test. The unit counts all received packets for up to 5
seconds. If any packets are received at any time during this interval, the interface is considered operational
and testing stops. If no traffic is received, the unit performs an ARP test.
3.
ARP Test:
In the ARP test, the unit?s ARP cache is read for the 10 most recently acquired entries. Then, one at a time,
the unit sends ARP requests to these machines, attempting to stimulate network traffic. After each request,
the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is considered
operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no
traffic has been received, the unit performs the Ping test.
4.
Ping Test:
To perform the Ping test, the unit sends out a broadcast ping request. The unit then counts all received
packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is
considered operational and testing stops. If no traffic is received, the testing starts over again with the ARP
test.
When either PIX is brought up, the PIX detects that Failover is enabled, and its interfaces enter a "Waiting" state.
They must receive 2 hello messages before they can transition out of the "Waiting" State and into a "Normal" state.
When the PIX Failover is functioning properly, all interfaces will be in a "Normal" state.
If a PIX should happen to fail, use the syslogs to search for the failover reason, and then consult the table below. If
either PIX is in a "Failed" state, you can issue the command failover reset to clear the PIX out of the "Failed" state.
It is important to note that the uptime displayed in the output of a show version is the total time that the PIX set
(either the Primary or Secondary) has been up. To determine how long either PIX has been "active" (actively
passing traffic) issue the command show failover and examine the "Active time". The show failover command can
be issued on either PIX. Always look at the information displayed for "This host" to determine whether you are on
the Primary or Secondary, and whether it is Active or Standby.
The failover statistics are displayed at the end of the show failover command output. The General xmit and rcv
counts are the sum of all the other stateful object counts. It is normal to ocassionally receive General xerr. This is
due to logical updates being dropped during configuration synchronization between the two PIXes. LUs (or Logical
Updates) are packets that are transmitted between the two PIXes on the stateful failover link. They mostly consist of
connection and translation updates. This is how the two PIXes synchronize themselves. If either receive or transmit
errors are incrementing on the TCP or UDP connections, this is ok. The PIX updates all the connections every few
seconds, so if an update gets dropped for any reason, it will be picked up on the next update. The Logical Update
Queue information lets one know how many updates are currently in the queue to be sent over to the other PIX. It
also lets you know the Maximum amount of updates ever in the queue (high water mark). If the Cur equals the Max
and these numbers are very high (in the hundreds) then the PIX is currently having difficulty keeping up with the
stateful failover updates. Check the CPU usage and the number of connections going through the PIX. Also look at
the Current 256 byte block to see if they are hovering near zero (also indicitative of a CPU issue).
xmit
xerr
rcv
rerr
General
6631272 0
497208
sys cmd
497197
497203
up time
26
xlate
80
0
0
tcp conn
6133969 0
udp conn
ARP tbl
RIP Tbl
Max
Total
Recv Q:
497208
Xmit Q:
1399086 Xmit Q:
For more information on PIX Failover see - How Failover Works on the Cisco Secure PIX Firewall
Failover Reason Codes
If one of your PIXes happens to fail, causing a Failover, it is important to try to determine the cause of the failure.
The easiest course of action is to search the syslogs for any Level 1 (Alert) messages. All failover messages are sent
out as a Level 1 syslog. If your syslog messages are stored in a flat text file, you can use the grep command in Unix
to grep for the string "PIX-1-" to view all level 1 syslogs. This will show you exactly what happened and to which
PIX. If the failover occured because of a loss of communication between the two PIXes, then you will receive the
following syslog:
%PIX-1-103001: (Secondary) No response from other firewall (reason code = 3). The Reason Code has three
possible values. To determine what these mean, please use the table below. Once you have determined the cause
of the failover, it is important to take corrective actions to correct the situation so that it does not occur in the future.
Description
Reason Code
Capture ASA
Find out what the IP address is of the client host and if possible, what port that host will connect to on the server (for
our example, http is tcp port 80). For this example we are going to use 10.0.0.1 as the client IP, 192.168.0.1 as the
server.
To define the the interesting traffic in order to catch it, use an ACL.
ASA(config)# access-list cap-list permit tcp host 10.0.0.1 host 192.168.0.1 eq 80
ASA(config)# access-list cap-list permit tcp host 192.168.0.1 eq 80 host 10.0.0.1
Make sure you identify traffic in both directions (to and from the server). While an access-list is not needed, it does
help keep the captures clean and concise.
For example:
Please note that if there is NATting/PATting taking place you might need to create two different access lists with
different Ip addresses and/or ports to capture the NATted/PATted traffic.
In ASA 8.0 and late you can do the above capture using the match option that captures BI-directionally.
ASA# capture in-cap interface inside match tcp host 10.0.0.1 host 192.168.0.1 eq 80
An example command to enable HTTP management traffic is as follows:
ASA(config)# http 10.0.0.0 255.0.0.0 inside
where 10.0.0.0 is the allowed subnet and 255.0.0.0 is the mask.
To view the captures, browse to
https://ip_of_firewall/capture/in-cap/pcap
https://ip_of_firewall/capture/out-cap/pcap
By default the browser will save the file as 'pcap' which is largely useless. Alternatively you can specify the name it
should save it as by appending the desired name to the end of the URL:
https://ip_of_firewall/capture/in-cap/pcap/inside.pcap
https://ip_of_firewall/capture/out-cap/pcap/outside.pcap
Use the commands
ASA# no capture in-cap
ASA# no capture out-cap
We can transfer the capture to our workstation:
Chicago(config-time-range)#
In the time-range configuration mode, you can specify two different types of time restrictions:
Absolute
Periodic
Absolute
Using the absolute function, you can specify the values based on a start and/or an end time. This function is useful in
cases where a company hires consultants for a period of time and wants to restrict access when they leave. In this
case, you can set an absolute time and specify the start and the end time. Once the time period expires, the
consultants will not be able to pass traffic through the security appliance.
The start and end times are optional. If there is no start time provided, the security appliance assumes that the ACL
needs to be applied right away. If there is no end time configured, the security appliance applies the ACL
indefinitely. Additionally, only one instance of the absolute parameter is allowed to be set up in a given time range.
The following is the command syntax to configure an absolute time range:
start time date specifies when to begin applying an ACE, and end time date directs the security appliance when to
stop applying it. In Example 5-14, the administrator has created a time-range policy called business_hours for a
new consultant whose start time/date is 8 a.m. on June 1, 2005 and end time/date is 5 p.m. on December 30, 2005.
Example 5-14. Absolute Time-Range Configuration
December 2005
Note
The start and end times use the same format as the clock set command when configuring time and date values in the
absolute function.
Periodic
Using the periodic function, you can specify the values based on the recurring events. The security appliance
provides many easy-to-configure parameters to suit an environment. Time-based ACLs using this option is useful
when a company wants to allow user access during the normal business hours on the weekdays and wishes to deny
access over the weekends. Cisco ASA allows you to configure multiple instances of the periodic parameter. If both
absolute and periodic parameters are configured in a time range, the absolute time parameters are evaluated first
before evaluating the periodic time value. The following shows the command syntax to configure a periodic time
range:
The days-of-the-week values can be Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday. If
you need to configure periodic days-of-the-week from Monday through Friday, you can use a shortcut of weekdays
instead. For periodic Saturday and Sunday, you can use weekend as a shortcut. The security appliance can further
the restrictions on the users by setting the optional 24-hour format hh:mm time specifications. In Example 5-15, the
administrator has created a time-range policy called business_hours for the regular employees who work from 8
a.m. to 5 p.m. on weekdays and from 8 a.m. to 12 p.m. on Saturdays.
Example 5-15. Periodic Time-Range Configuration
Once a time-range entry has been set up, the next step is to map it to the ACL by using the time-range keyword, as
illustrated in Example 5-16, in which the administrator allows outside users access to an internal web server,
209.165.202.131, during business hours (8 a.m. to 5 p.m. Monday through Friday and 8 a.m. to 12 p.m. Saturday). If
the outside users try to access the servers outside of this time window, the security appliance will drop the packets
and generate a syslog message logging this event. The ACL name is inside_server and the time-range name is
business_hours. The ACL is applied to the outside interface in the inbound direction.
Example 5-16. Configuration of a Time-Based ACL
TCP outside 10.23.232.60:5223 inside 192.168.1.3:52413, idle 0:00:23, bytes 0, flags saA
TCP outside 10.23.232.96:5223 inside 192.168.1.3:52421, idle 0:00:11, bytes 0, flags saA
TCP outside 10.23.232.190:5223 inside 192.168.1.3:52424, idle 0:00:10, bytes 0, flags saA
The next picture shows the ASA TCP Connection flags at different stages of the TCP state machine. The connection
flags can be seen with the show conn command on the ASA.
set connection
To specify connection values within a policy-map for a traffic class, use the set connection command in class mode.
Use this command to specify the maximum number of simultaneous connections and to specify whether to enable or
disable TCP sequence number randomization
The maximum number of simultaneous TCP and/or UDP connections that are allowed.
disable
enable
embryonicconn-max n
random-seq#
Enable or disable TCP sequence number randomization. Each TCP connection has two ISNs:
one generated by the client and one generated by the server. The security appliance randomizes
the ISN of the TCP SYN passing in both the inbound and outbound directions.
Randomizing the ISN of the protected host prevents an attacker from predecting the next ISN
for a new connection and potentially hijacking the new session.
TCP initial sequence number randomization can be disabled if required. For example:
If another in-line firewall is also randomizing the initial sequence numbers, there is no need
for both firewalls to be performing this action, even though this action does not affect the
traffic.
If you use eBGP multi-hop through the security appliance, and the eBGP peers are using
MD5. Randomization breaks the MD5 checksum.
You use a WAAS device that requires the security appliance not to randomize the sequence
numbers of connections.
Defaults
For both the conn-max and embryonic-conn-max parameters, the default value of n is 0, which allows unlimited
connections.
Sequence number randomization is enabled by default.
Note The set connection command parameters (conn-max, embryonic-conn-max, random-seq#) can co-exist
with any nat or static command; that is, you can configure connection parameters either through the nat/static
commands using max-conn, emb_limit, or noramdomseq parameters, or through the MPC set connection
command using conn-max, embryonic-conn-max, or random-seq# parameters. A mixed configuration is not
recommended,
but
if
one
exists,
it
behaves
in
the
following
ways:
When a traffic class is subject to a connection limit or embryonic connection limit from both the MPC set
connection command and the nat/static command, then whichever limit is reached, that limit is applied.
When a TCP traffic class is configured to have sequence number randomization disabled by either the MPC set
connection command or the nat/static command, then sequence number randomization is disabled.
Examples
The following is an example of the use of the set connection command in class mode to configure the maximum
number of simultaneous connections as 256 and to disable TCP sequence number randomization:
Sends a TCP RST packet to both end systems after TCP idle connections are removed.
tcp hh[:mm[:ss]] The idle time after which an established connection closes.
Defaults
The default embryonic connection timeout value is 30 seconds.
The default half-closed connection timeout value is 10 minutes.
The default tcp connection timeout value is 1 hour.
Usage Guidelines
You must have configured the policy-map command and the class command before issuing this command.
A TCP connection for which a three-way handshake is not complete is an embryonic connection. For the embryonic
connection timeout value, use 0:0:0 to specify that the connection never times out. Otherwise, the timeout duration
must be at least 5 seconds.
When the TCP connection is in the closing state, use the half-closed parameter to configure the length of time until
the connection is freed. Use 0:0:0 to specify that the connection never times out. The minimum timeout duration is 5
minutes.
The tcp inactive connection timeout configures the period after which an idle TCP connection in the established
state is disconnected. Use 0:0:0 to specify that the connection never times out. The minimum timeout duration is 5
minutes.
The reset keyword is used to send a TCP RST packet to both end systems once an idle TCP connection has timed
out. Some applications require a TCP RST after a timeout to perform properly.
Examples
The following is an example of a set connection timeout command that specifies an embryonic connection timeout
of two minutes:
Syntax Description
locked (Optional) Shows the list of usernames that are currently locked.
Usage Guidelines
If you omit the optional keyword locked, the security appliance displays the failed-attempts and lockout
status details for all AAA local users.
You can specify a single user by using the username option or all users with the all option.
This command affects only the status of users that are locked out.
The administrator cannot be locked out of the device.
Examples
The following example shows use of the show aaa local user command to display the lockout status of
all usernames:
This example shows the use of the show aaa local user command to display the number of failed
authentication attempts and lockout status details for all AAA local users, after the limit has been set
to 5:
hostname(config)# aaa local authentication attempts max-fail 5
hostname(config)# show aaa local user
Lock-time Failed-attempts Locked User
- 6 Y test
- 2 N mona
- 1 N cisco
- 4 N newuser
hostname(config)#
This example shows the use of the show aaa local user command with the lockout keyword to display
the number of failed authentication attempts and lockout status details only for any locked-out AAA
local users, after the limit has been set to 5:
hostname(config)# aaa local authentication attempts max-fail 5
hostname(config)# show aaa local user
Lock-time Failed-attempts Locked User
- 6 Y test
hostname(config)#
Related Commands
Command
Description
Configures the maximum number of times a user can enter a wrong password
before being locked out.
Resets the number of failed attempts to 0 without modifying the lockout status.
Clears th e lockout status of the specified user or all users and sets their failed
attempts counters to 0.
show access-list
To display the counters for an access list, use the show access-list command in privileged EXEC mode.
show access-list id
Examples
The following is sample output from the show access-list command:
Related Commands
Command
Description
clear access-list
show activation-key
To display the commands in the configuration for features that are enabled by your activation key, including the
number of contexts allowed, use the show activation-key command in privileged EXEC mode.
show activation-key
Usage Guidelines
The show activation-key command output indicates the status of the activation key as follows:
If the activation key in the security appliance Flash file system is the same as the activation key running on the
security appliance, then the show activation-key output reads as follows:
If the activation key in the security appliance Flash file system is different from the activation key running on
the security appliance, then the show activation-key output reads as follows:
If you downgrade your activation key, the display shows that the running key (the old key) differs from the key
that is stored in the Flash (the new key). When you restart, the security appliance uses the new key.
If you upgrade your key to enable extra features, the new key starts running immediately without a restart.
For the PIX Firewall platform, if there is any change in the failover feature (R/UR/FO) between the new key
and the oldkey, it prompts for confimation. If the user enters n, it aborts the change; otherwise it updates the key in
the Flash file system. When you restart the security appliance uses the new key.
Examples
This example shows how to display the commands in the configuration for features that are enabled by your
activation key:
: 50
: Unlimited
: Enabled
: Enabled
: Disabled
: Enabled
: Enabled
URL-filtering
: Enabled
Security Contexts
: 20
GTP/GPRS
: Disabled
VPN Peers
: 5000
Related Commands
Command
activation-key
Description
Changes the activation key.
show arp
To view the ARP table, use the show arp command in privileged EXEC mode.
show arp
Usage Guidelines
The display output shows dynamic, static, and proxy ARP entries. Dynamic ARP entries include the age of the ARP
entry in seconds. Static ARP entries include a dash (-) instead of the age, and proxy ARP entries state "alias."
Examples
The following is sample output from the show arp command. The first entry is a dynamic entry aged 2 seconds. The
second entry is a static entry, and the third entry is from proxy ARP.
Setting Up ASDM
Uploading ASDM
You can use the dir command to determine whether or not the ASDM software is installed. In case the security
Cisco ASA does not have the ASDM software, your first step is to upload the image from an external file server
using the supported protocols
Example 18-1. Uploading the ASDM Image to the Local Flash
Directory of disk0:/
To establish an SSL connection, launch a browser and point the URL to the IP address of Cisco ASA. In Figure 181, the administrator is accessing ASDM by typing in
https://172.18.124.205/admin/index.html as the URL.
ASA Accelerated Security Path
This post will provide a brief overview of a seldom referred to part of the ASA, the Accelerated Security Path
(ASP). As we know the ASAs Adaptive Security Algorithm is responsible for inspecting all traffic that traverses
the ASA, and based on its configured security policies will either permit or deny the traffic.
As a new connection enters the ASA it is processed using the Session Management Path.
Part of the Session Management Paths processing is to inspect and create the relevant entry in the ASAs
state/connection table, if a policies exists allowing the traffic.
Generally any further packets received for these established connections, does not require further inspection and are
subsequently handled by the Fast Path. Although, there may be certain packets that would continue to use the
session management path or be passed to the control plane path, such as flows requiring HTTP inspection, FTP or
H.232 etc.
This is akin to Process switching and CEF switching in IOS Routers.
The Session Management Path and Fast Path combined are what make up the Accelerated Security Path.
ASP can come in handy when we want to troubleshoot traffic flows through the ASA. This is done via a suite of
ASP show commands, and can also be incorporated into packet captures, using a capture type of asp-drop.
With ASP debugging we can drill down into the output to see what functions or methods are responsible for
dropping the traffic on the ASA. There are two set of commands available to us, both of which have a substantial
amount of optional keywords; these are, show asp drop and show asp table.
Starting with show asp drop will give us a summary of packets or connections that have been denied by ASP
providing an associated reason and hits on each. As we can see from the output below it is split into 2 sections;
Frame Drop which is based on packet failures; and Flow Drop based on inspected traffic flow failures.
It gives us a brief breakdown of denies based on malformed TCP sessions, Reverse Path Forwarding violations, or
simply denies based on ACL entries etc.
You can also further drill into more specific output using optional keywords, based on either frame or flow drop,
such as show asp drop frame ifc-classify when in virtual firewall mode shows counts for packets that failed to be
classified to context; or show asp drop flow conn-limit-exceeded increments when the value applied to set
connection conn-max is breached.
These are just a couple of the vast amount of options available for use. Check out the ASA Command Reference
document for a full listing.
A key point with the ASP drop output is when running in Multi Context Mode, the information provided is a
summary for all of the virtual contexts not just the context you are currently logged into.
The other side of ASP is the show asp table commands. These are typically used by TAC, so contain a great deal
of info on a production appliance. These tables are primarily used for debugging, so the output is prone to regular
changes.
Below are the asp tables available:
The show asp table arp for instance can be used to check that traffic is flowing to/from a specific host/s based on
an incrementing hit count. It is important to remember that this is dynamic real time output though and will be
subject to resetting.
The show asp table routing can give us further info into how specific nets are routed. This is provided based on
two tables; an input routing table and an output routing table, each showing the routable nets and their associated
interfaces.
And to finish off a quick look at the classify table. This table consists of multiple classifier domains which
correspond to a specific rule action within the ASA, I.e. Inspection rules, filtering rules nat rules etc. Again check
out the command reference for a list of the options.
Below is an example showing SMTP traffic is being inspected and allowed to the inside interface:
show clock
To view the time on the security appliance, use the show clock command in user EXEC mode.
show clock [detail]
show cpu
To display the CPU utilization information, use the show cpu usage command in privileged EXEC mode.
show cpu [usage]
From the system configuration in multiple context mode:
show cpu [usage] [context {all | context_name}]
Usage Guidelines
The cpu usage is computed using an approximation of the load every five seconds, and by further feeding this
approximation into two, following moving averages.
You can use the show cpu command to find process related loads (that is, activity on behalf of items listed by the
output of the show process command in both single mode and from the system configuration in multiple context
mode).
Further, you can request, when in multiple context mode, a breakdown of the process related load to CPU consumed
by any configured contexts by changing to each context and entering the show cpu command or by entering the
show cpu context variant of this command.
While process related load is rounded to the nearest whole number, context related loads include one additional
decimal digit of precision. For example, entering show cpu from the system context produces a different number
than from entering the show cpu context system command. The former is an approximate summary of everything
in show cpu context all, and the latter is only a portion of that summary.
Examples
The following example shows how to display the CPU utilization:
This example shows how to display the CPU utilization for the system context in multiple mode:
The following shows how to display the CPU utilization for all contexts:
show crashinfo
To display the contents of the crash file stored in Flash memory, enter the show crashinfo command in privileged
EXEC mode.
show crashinfo [save]
Usage Guidelines
If the crash file is from a test crash (generated from the crashinfo test command), the first string of the crash file is
": Saved_Test_Crash" and the last string is ": End_Test_Crash". If the crash file is from a real crash, the first string
of the crash file is ": Saved_Crash" and the last string is ": End_Crash". (This includes crashes from use of the
crashinfo force page-fault or crashinfo force watchdog commands).
If there is no crash data saved in flash, or if the crash data has been cleared by entering the clear crashinfo
command, the show crashinfo command displays an error message.
Examples
The following example shows how to display the current crash information configuration:
Related Commands
Command
Description
clear crashinfo
crashinfo force
crashinfo save
disable
crashinfo test
Tests the ability of the security appliance to save crash information to a file in Flash memory.
show conn
To display the connection state for the designated connection type, use the show conn command in
privileged EXEC mode. This command supports IPv4 and IPv6 addresses.
show conn [count | [all] [detail] [long] [state state_type] [protocol {tcp | udp}]
[address src_ip[-src_ip] [netmask mask]] [port src_port[-src_port]]
[address dest_ip[-dest_ip] [netmask mask]] [port dest_port[-dest_port]]]
show failover
To display information about the failover status of the unit, use the show failover command in privileged EXEC
mode.
show failover [group num | history | interface | state | statistics]
Usage Guidelines
The show failover command displays the dynamic failover information, interface status, and Stateful Failover
statistics. The Stateful Failover Logical Update Statistics output appears only when Stateful Failover is enabled. The
"xerr" and "rerr" values do not indicate errors in failover, but rather the number of packet transmit or receive errors.
In the show failover command output, the fields have the following values:
sys cmdRefers to the logical update system commands, such as login or stay alive.
up timeIndicates the value for the security appliance up time, which the active security appliance passes on to
the standby security appliance.
show firewall
To show the current firewall mode (routed or transparent), use the show firewall command in privileged EXEC
mode.
show firewall
Examples
The following is sample output from the show firewall command:
Related Commands
Command
Description
firewall transparent
show mode
show flash
To display the contents of the internal Flash memory, use the show flash: command in privileged EXEC mode.
show flash:
show icmp
To display the ICMP configuration, use the show icmp command in privileged EXEC mode.
show icmp
show interface
To view interface statistics, use the show interface command in user EXEC mode.
show interface [physical_interface[.subinterface] | mapped_name | interface_name] [stats | detail]
Syntax Description
detail
(Optional) Shows detailed interface information, including the order in which the interface
was added, the configured state, the actual state, and asymmetrical routing statistics, if
enabled by the asr-group command. If you show all interfaces, then information about the
internal interfaces for SSMs displays, if installed on the ASA 5500 series adaptive security
appliance. The internal interface is not user-configurable, and the information is for
debugging purposes only.
interface_name
(Optional) Identifies the interface name set with the nameif command.
mapped_name
(Optional) In multiple context mode, identifies the mapped name if it was assigned using
the allocate-interface command.
physical_interface
(Optional) Identifies the interface ID, such as gigabitethernet0/1. See the interface
command for accepted values.
stats
(Default) Shows interface information and statistics. This keyword is the default, so this
keyword is optional.
subinterface
Examples
The following is sample output from the show interface command:
(Optional) Identifies the interface name set with the nameif command.
mapped_name
(Optional) In multiple context mode, identifies the mapped name if it was assigned using
the allocate-interface command.
physical_interface
(Optional) Identifies the interface ID, such as gigabitethernet0/1. See the interface
command for accepted values.
subinterface
Usage Guidelines
In multiple context mode, if you mapped the interface ID in the allocate-interface command, you can only specify
the mapped name or the interface name in a context.
See the "Examples" section for a description of the display output.
Examples
The following is sample output from the show ip brief command:
Interface
Control0/0
IP-Address
127.0.1.1
Protocol
YES CONFIG up
up
GigabitEthernet0/0
GigabitEthernet0/1
unassigned
GigabitEthernet0/2
10.1.1.50
GigabitEthernet0/3
192.168.2.6
Management0/0
up
Description
Interface
The interface ID or, in multiple context mode, the mapped name if you configured it using the
allocate-interface command. If you show all interfaces, then information about the internal
interface for the AIP SSM displays, if installed on the ASA adaptive security appliance. The
internal interface is not user-configurable, and the information is for debugging purposes only.
IPAddress
OK?
Method
The method by which the interface received the IP address. Values include the following:
Status
Protocol
downEither the cable is incorrect or not plugged into the interface connector.
show ip address
To view interface IP addresses or, for transparent mode, the management IP address, use the show ip address
command in privileged EXEC mode
Examples
The following is sample output from the show ip address command:
Name
GigabitEthernet0/0
mgmt
GigabitEthernet0/1
inside
GigabitEthernet0/2.40
GigabitEthernet0/3
outside
dmz
IP address
10.7.12.100
10.1.1.100
Subnet mask
Method
255.255.255.0
CONFIG
255.255.255.0
CONFIG
209.165.201.2
255.255.255.224 DHCP
209.165.200.225
255.255.255.224 manual
show isakmp sa
To display the IKE runtime SA database, use the show isakmp sa command in global configuration mode or
privileged EXEC mode.
show isakmp sa [detail]
Examples
The following example, entered in global configuration mode, displays detailed information about the SA database:
IKE Peer
IKE Peer
Lifetime
Lifetime
Related Commands
Command
Description
clear configure
isakmp
clear configure
isakmp policy
clear isakmp sa
isakmp enable
show running-config
isakmp
show mac-address-table
To show the MAC address table, use the show mac-address-table command in privileged EXEC mode.
show memory
To display a summary of the maximum physical memory and current free memory available to the operating system,
use the show memory command in privileged EXEC mode.
show memory [detail]
Usage Guidelines
The show memory command lets you display a summary of the maximum physical memory and current free
memory available to the operating system. Memory is allocated as needed.
You can use the show memory detail output with show memory binsize command to debug memory leaks.
You can also display the information from the show memory command using SNMP.
Examples
This example shows how to display a summary of the maximum physical memory and current free memory
available:
Used memory:
-------------
----------------
Total memory:
show mode
To show the security context mode for the running software image and for any image in Flash memory, use the
show mode command in privileged EXEC mode.
show mode
Examples
The following is sample output from the show mode command. The following example shows the current mode and
the mode for the non-running image "image.bin":
show nameif
To view the interface name set using the nameif command, use the show nameif command in privileged EXEC
mode
Examples
The following is sample output from the show nameif command:
Name
Security
GigabitEthernet0/0
outside
GigabitEthernet0/1
inside
100
GigabitEthernet0/2
test2
50
Examples
The following is sample output from the show ospf border-routers command:
Examples
The following example issued in global configuration mode, displays information about the ISKAKMP
configuration:
Examples
The following sample output shows how to use the show running-config http command:
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.86.194.60 255.255.254.0
webvpn enable
!
interface GigabitEthernet0/1
shutdown
nameif test
security-level 0
ip address 10.10.4.200 255.255.0.0
To display tunnel group information about all or a specified tunnel group and tunnel-group attributes, use the show
running-config tunnel-group command in global configuration or privileged EXEC mode.
Examples
The following example entered in global configuration mode, displays the current configuration for all tunnel
groups:
show service-policy
To display the configured service policies, use the service-policy command in global configuration mode.
show service-policy [global | interface intf] [inspect | ips | police | priority | set connection]
show xlate
To display information about the translation slots, use the show xlate command in privileged EXEC mode.
Examples
The following is sample output from the show xlate command. It shows how translation slot information with three
active PATs.
shutdown
To disable an interface, use the shutdown command in interface configuration mode. To enable an interface, use the
no form of this command.
shutdown
no shutdown
Examples\
The following example enables a main interface:
ssh
To add SSH access to the security appliance, use the ssh command in global configuration mode. To disable SSH
access to the security appliance, use the no form of this command. This command supports IPv4 and IPv6 addresses.
Usage Guidelines
The ssh ip_address command specifies hosts or networks that are authorized to initiate an SSH connection to the
security appliance. You can have multiple ssh commands in the configuration. The no form of the command
removes a specific SSH command from the configuration. Use the clear configure ssh command to remove all SSH
commands.
Before you can begin using SSH to the security appliance, you must generate a default RSA key using the crypto
key generate rsa command.
The following security algorithms and ciphers are supported on the security appliance:
The following SSH Version 2 features are not supported on the security appliance:
X11 forwarding
Port forwarding
SFTP support
Data compression
Examples
The following example shows how to configure the inside interface to accept SSH version 2 connections from a
management console with the IP address 10.1.1.1. The idle session timeout is set to 60 minutes and SCP is enabled.
In this example, we want to be able to access a web server behind the firewall. We'll assume you are using the
standard HTTP port, the web server's internal IP address is 10.9.8.7/24, and that you at least know what you're doing
enough to be configuring an ASA in the first place. I'll give you the steps, then I'll explain.
Step 1: Create a new object group for you web server.
asa5505(config)# object network Webserver
Step 2: Add the IP of the web server to the network group.
asa5505(config-network-object)# host 10.9.8.7
Step 3: Forward the port via the NAT command.
asa5505(config-network-object)# nat (inside,outside) static interface service tcp www www
Step 4: Exit back to the root and add the access list
asa5505(config)# access-list outside_access_in permit tcp any object Webserver eq www
Using the fixup Command
You can use the fixup command to change the default port assignments or to enable or disable application
inspection for the following protocols and applications:
FTP
H.323
HTTP
ILS
RSH
RTSP
SIP
SKINNY (SCCP)
SMTP
SQL*Net
To change the default port assignment, identify the protocol and the new port number to assign. Use the no fixup
protocol command to reset the application inspection entries to the default configuration.
Note Disabling or modifying application inspection only affects connections that are initiated after the command is
processed. Disabling application inspection for a specific port or application does not affect existing connections. If
you want the change to take effect immediately, enter the clear xlate command to remove all existing application
inspection entries.
The following is the detailed syntax of the fixup command showing the syntax for each configurable application:
fixup protocol ftp [strict] [port] | http [port[-port]] | h323 [port[-port]] | ils
[port[-port]] | rsh [514] | rtsp [port] | sip [5060] | skinny [port] | smtp [port[-port]] |
sqlnet [port[-port]]
You can view the explicit (configurable) fixup protocol settings with the show fixup command. The default settings
for configurable protocols are as follows.
show fixup
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
The default port value for rsh cannot be changed, but additional port statements can be added.
The show fixup protocol protocol command displays the configuration for an individual protocol.
The following are other related commands that let you manage fixup configuration:
The clear fixup command removes fixup commands from the configuration that you added. It does not remove the
default fixup protocol commands.
You can disable the fixup of a protocol by removing all fixups of the protocol from the configuration using the no
fixup command. After you remove all fixups for a protocol, the no fixup form of the command or the default port is
stored in the configuration.
For some applications, you can define multiple port assignments. This is useful when multiple instances of the same
service are running on different ports.
The following example shows how to define multiple ports for FTP by entering separate commands:
These commands do not change the standard FTP port assignment (21). After entering these commands, the
PIX Firewall listens for FTP traffic on port 21, 2100, 4254, and 9090.
Some protocols let you assign a range of ports. This is indicated in the command syntax as port[-port]. For example,
the following command assigns the port range from 1500 to 2000 to SQL*Net.
Static NAT/PAT
Pre-8.3 NAT
8.3 NAT
Pre-8.3 NAT
host 10.1.2.27
object network obj-192.168.100.100
host 192.168.100.100
object network obj-10.76.5.0
subnet 10.76.5.0 255.255.255.224
nat (inside,outside) source static obj-10.1.2.27
obj-192.168.100.100
destination static obj-10.76.5.0 obj10.76.5.0
8.3 NAT
nat (inside) 1 0 0
global (outside) 1 interface
Outside NAT
global (inside) 1 10.1.2.30-1-10.1.2.40
nat (dmz) 1 10.1.1.0 255.255.255.0
outside
static (inside,dmz) 10.1.1.5 10.1.2.27
netmask 255.255.255.255
On the inside:
host 10.30.97.129
(out)
10.1.1.1-------ASA------xlate-------> 10.2.2.2
Static NAT for a Range of Ports