Cisco Asa howto: Difference between revisions

From Xinux Wiki
 
(24 intermediate revisions by 2 users not shown)
The current revision replaces the body of the page with an index of sub-pages:

=Basics=
*[[Cisco ASA Grundlagen]]
=Factory Reset=
*[[Cisco ASA Factoryreset]]
=Basic configuration=
*[[Cisco ASA Grundkonfiguration]]
=Configuring SSH=
*[[Cisco ASA SSH konfiguration]]
=Further configuration=
*[[Cisco ASA weiter Konfigurieren]]
=ASDM=
*[[CISCO ASA ASDM]]
=ACLs=
*[[Cisco ASA Acls]]
=NAT and PAT=
*[[Cisco ASA NAT]]
*[[Cisco ASA Kompletes Netz NAT]]
=Inspection=
*[[Cisco ASA Inspection]]
=DHCP=
*[[Cisco ASA DHCP]]
=ASA VPN=
*[[Cisco ASA VPN]]
=ASA Cisco Cert=
*[[Asa Cisco Cert]]
=ASA Misc=
*[[Asa Misc]]
=ASA Diagnostics=
*[[Asa Diagnose]]
=Old stuff=
*[[old shit]]
=Links=
*http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/basic_hostname_pw.html#pgfId-1080248
*http://packetpushers.net/cisco-asdm-pro-tip-how-to-preview-commands-before-they-are-sent-to-the-asa/

The previous revision, the howto itself, follows.

==Unprivileged mode==

===Show the commands===
<pre>
asa> ?
At the end of show <command>, use the pipe character '|' followed by:
begin|include|exclude|grep [-v] <regular_exp>, to filter show output.

enable          Turn on privileged commands
help            Help list
login           Log in as a particular user
logout          Exit from current user profile, and to unprivileged mode
pager           Control page length for pagination
quit            Quit from the current mode, end configuration or logout
</pre>

===Show the subcommands of show===
<pre>
asa> show ?
At the end of show <command>, use the pipe character '|' followed by:
begin|include|exclude|grep [-v] <regular_exp>, to filter show output.

checksum        View configuration information cryptochecksum
curpriv         Display current privilege level
history         Display the session command history
pager           Control page length for pagination
version         Display PIX system software version
</pre>

===Show the version===
<pre>
asa# show version

Cisco PIX Security Appliance Software Version 8.0(4)28
Device Manager Version 5.2(4)

Compiled on Wed 18-Mar-09 16:28 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"

asa up 1 hour 43 mins

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
 0: Ext: Ethernet0           : address is 0017.9514.8010, irq 10
 1: Ext: Ethernet1           : address is 0017.9514.8011, irq 11
 2: Ext: Ethernet2           : address is 000d.8811.c5b8, irq 11
 3: Ext: Ethernet3           : address is 000d.8811.c5b9, irq 10
 4: Ext: Ethernet4           : address is 000d.8811.c5ba, irq 9
 5: Ext: Ethernet5           : address is 000d.8811.c5bb, irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : 6
Maximum VLANs                : 25
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Cut-through Proxy            : Enabled
Guards                       : Enabled
URL Filtering                : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : Unlimited

This platform has an Unrestricted (UR) license.

Serial Number: 810182748
Running Activation Key: 0x289b7b00 0x74c5389a 0xa9e57a0e 0x70077345
</pre>
 
 
 
==Enable mode==

===Switching to enable mode===
<pre>
asa> enable
Password: ******
asa#
</pre>

===Show the commands===
<pre>
asa# ?
At the end of show <command>, use the pipe character '|' followed by:
begin|include|exclude|grep [-v] <regular_exp>, to filter show output.

arp             Change or view arp table, set arp timeout value, view statistics
capture         Capture inbound and outbound packets on one or more interfaces
configure       Configure from terminal
copy            Copy image or PDM file from TFTP server into flash.
.......
</pre>

==Configuration mode==

===Switching to configuration mode===
<pre>
asa# configure terminal
asa(config)#
</pre>

===Show the commands===
<pre>
asa(config)# ?
At the end of show <command>, use the pipe character '|' followed by:
begin|include|exclude|grep [-v] <regular_exp>, to filter show output.

aaa             Enable, disable, or view TACACS+, RADIUS or LOCAL
                user authentication, authorization and accounting
aaa-server      Define AAA Server group
........
</pre>
 
 
 
==Set the hostname==
<pre>
asa(config)# hostname lurchie
lurchie(config)#
</pre>

==Back up the old configuration==

===Set the IP address===
<pre>
lurchie# config terminal
lurchie(config)# interface ethernet 1
lurchie(config)# ip address 192.168.244.99 255.255.255.0
</pre>

===Define the TFTP server and save the configuration===
<pre>
lurchie# config terminal
lurchie(config)# tftp-server inside 192.168.240.200 cisco/pix.conf
lurchie(config)# exit
lurchie# copy running-config tftp
</pre>
TFTP carries the configuration, passwords included, in clear text, so the TFTP server should only be reachable through the inside interface.

===Erase the configuration===
<pre>
lurchie# write erase
Erase PIX configuration in flash memory? [confirm]
lurchie# show configure
No Configuration
</pre>

===Warm restart===
<pre>
lurchie# reload
Proceed with reload? [confirm]

Rebooting...
</pre>
 
 
 
==Basic configuration==

===Setting the hostname===
<pre>
lurchiefirewall# config terminal
lurchiefirewall(config)# hostname lurchie
lurchie(config)# exit
lurchie#
</pre>

===Setting the domain===
<pre>
lurchie# config terminal
lurchie(config)# domain-name salamander.int
lurchie(config)# exit
lurchie#
</pre>

===Setting the interface parameters===
<pre>
lurchie# configure terminal
lurchie(config)# interface Ethernet0
lurchie(config)# nameif outside
lurchie(config)# security-level 0
lurchie(config)# ip address 192.168.244.99 255.255.255.0
lurchie(config)# interface Ethernet1
lurchie(config)# nameif inside
lurchie(config)# security-level 100
lurchie(config)# ip address 172.22.2.1 255.255.255.0
lurchie(config)# interface Ethernet2
lurchie(config)# nameif dmz
lurchie(config)# security-level 50
lurchie(config)# ip address 172.21.1.1 255.255.255.0
</pre>
The security level sets the default policy between interfaces: connections from a higher level (inside, 100) to a lower level (dmz, 50; outside, 0) are allowed, connections in the other direction are denied unless an access list permits them.

===Setting the static routes (always set the last value to 1)===
<pre>
lurchie# configure terminal
lurchie(config)# route outside 0.0.0.0 0.0.0.0 192.168.240.100 1
lurchie(config)# exit
lurchie#
</pre>

===Setting the password===
<pre>
lurchie# configure terminal
lurchie(config)# passwd suxer
</pre>

===Setting the enable password===
<pre>
lurchie(config)# enable password sysadm
</pre>

===Saving the configuration===
<pre>
lurchie# copy running-config startup-config

Building configuration...
Cryptochecksum: 9df95ad7 96b3e2da 9412b1d1 413e62c7
[OK]
lurchie#
</pre>

===Warm restart of the system===
<pre>
lurchie# reload
Proceed with reload? [confirm]
</pre>
 
 
 
==Configuring SSH==

===Generate the RSA key===
<pre>
lurchie(config)# crypto key generate rsa general-keys modulus 2048
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
</pre>

===Show the RSA key===
<pre>
lurchie(config)# show crypto key mypubkey rsa
</pre>

===Enable SSH===
<pre>
lurchie# configure terminal
lurchie(config)# ssh 172.22.2.0 255.255.255.0 inside
lurchie(config)# ssh 0.0.0.0 0.0.0.0 outside
lurchie(config)# exit
lurchie#
</pre>
The second ssh line admits SSH connections from any source address on the outside interface; restrict it to the management networks that actually need access.

===Set the SSH timeout to 10 minutes===
<pre>
lurchie# configure terminal
lurchie(config)# ssh timeout 10
lurchie(config)# exit
lurchie# write memory
Building configuration...
Cryptochecksum: cfeec014 8030f823 db7c17eb e8aa79be
[OK]
lurchie#
</pre>

''Now the user lurchie can log in via SSH with the password suxer; further users are set up for SSH as follows.''

===Set up AAA for SSH===
<pre>
lurchie# configure terminal
lurchie(config)# aaa-server LOCAL protocol local
lurchie(config)# aaa authentication ssh console LOCAL
lurchie(config)# exit
</pre>

===Create a user for SSH access===
<pre>
lurchie# configure terminal
lurchie(config)# username admin password oimel privilege 15
lurchie(config)# exit
</pre>

===Show the SSH sessions===
<pre>
lurchie# show ssh session

Session ID  Client IP      Version  Encryption  State  Username
    0       192.168.250.1  1.5      3DES        6      admin
    1       192.168.250.1  1.5      3DES        6      pix
    2       192.168.242.1  1.5      3DES        6      pix
</pre>

===Disconnect an SSH session===
<pre>
lurchie# configure terminal
lurchie(config)# ssh disconnect 2
lurchie(config)# exit
lurchie#
</pre>
 
 
 
==System time==

===Show the time===
<pre>
lurchie# show clock
10:54:36.934 UTC Wed May 13 2009
</pre>

===Set the time zone===
<pre>
lurchie# configure terminal
lurchie(config)# clock timezone MET +1
lurchie(config)# exit
lurchie#
</pre>

===Set the default daylight-saving time===
<pre>
lurchie# configure terminal
lurchie(config)# clock summer-time MET recurring last Sunday March 2:00 last  $
lurchie(config)# exit
lurchie#
</pre>

===Set the time===
<pre>
lurchie# configure terminal
lurchie(config)# clock set 13:08:50 May 13 2009
lurchie(config)# exit
lurchie#
</pre>

===Show the time (detailed)===
<pre>
lurchie# show clock detail
13:09:48.910 MET Wed May 13 2009
Time source is user configuration
Summer time starts 02:00:00 MET Sun Mar 29 2009
Summer time ends 03:00:00 MET Sun Oct 25 2009
</pre>

===Set the NTP server===
<pre>
lurchie# configure terminal
lurchie(config)# ntp server 195.145.119.188 source outside
lurchie(config)# exit
lurchie#
</pre>
 
 
 
==PAT==

===Decide which local addresses are translated===
<pre>
lurchie# configure terminal
lurchie(config)# nat (inside) 5 172.22.2.0 255.255.255.0
lurchie(config)# exit
lurchie#
</pre>

Explanation:
<pre>
nat (interface) id network mask
</pre>

===Apply the translation (global)===
<pre>
lurchie# configure terminal
lurchie(config)# global (outside) 5 interface
outside interface address added to PAT pool
lurchie(config)# exit
lurchie#
</pre>

Explanation:
<pre>
global (interface) id keyword
</pre>
keyword can be an IP address, an address range, or the keyword interface. The id ties a global statement to the nat statement with the same id (5 in both commands above).
 
 
 
===Enable ping===
ICMP is not passed automatically.

Before version 7.0 an access list had to be created to allow ping on the external interface:
<pre>
lurchie# configure terminal
lurchie(config)# access-list ICMP permit icmp any any echo-reply
lurchie(config)# access-list ICMP permit icmp any any unreachable
lurchie(config)# access-list ICMP permit icmp any any time-exceeded
lurchie(config)# access-group ICMP in interface outside
lurchie(config)# exit
lurchie#
</pre>
Only one access group can be bound inbound per interface, so this access-group replaces any list already applied to outside in that direction.

From version 7.0 the "inspect icmp" command must be used; it is switched off by default:
<pre>
lurchie# configure terminal
lurchie(config)# policy-map global_policy
lurchie(config)# class inspection_default
lurchie(config)# inspect icmp
lurchie(config)# exit
lurchie#
</pre>
 
 
 
===Show the current NAT settings===
<pre>
lurchie# show nat
nat (inside) 5 172.22.2.0 255.255.255.0 0 0
</pre>

===Show the current global settings===
<pre>
lurchie# show running global
global (outside) 5 interface
</pre>

===Show the current NAT activity===
<pre>
lurchie# show xlate
2 in use, 22 most used
PAT Global 192.168.250.96(1051) Local 172.22.2.2(43223)
PAT Global 192.168.250.96(1050) Local 172.22.2.2(43222)
</pre>

===Clear the current NAT translations===
<pre>
lurchie# clear xlate
</pre>
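The id matching between nat and global explained above, and the show xlate output, as an added example in Python (not code from the wiki page): it pairs pre-8.3 nat/global statements by id, treats id 0 as NAT exemption, and checks each xlate line against the configured nat networks. The sample configuration and xlate output are constructed from the lines on this page plus one dangling nat id 7 that has no global.

```python
"""Pair pre-8.3 'nat' and 'global' statements by id and check 'show xlate' against them.

Added example, not code from the wiki page. It models the id matching explained
above (nat (inside) 5 ... pairs with global (outside) 5 ...), treats nat id 0 as
NAT exemption ('nat (inside) 0 access-list ...'), and parses the
'PAT Global a(p) Local b(q)' lines of show xlate. The sample config and xlate
output are constructed from the page's lines plus one dangling nat id.
"""
import ipaddress
import re

# Only the port-carrying PAT/NAT form printed by show xlate is parsed here.
XLATE_RE = re.compile(r"^(PAT|NAT) Global (\S+)\((\d+)\) Local (\S+)\((\d+)\)")


def parse_nat_config(text):
    """Return (nats, globals): {id: [(interface, network or 'access-list NAME')]},
    {id: [(interface, keyword)]}. Trailing connection limits ('0 0') are ignored."""
    nats, globals_ = {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nat":
            ifc, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                target = f"access-list {t[4]}"
            else:
                target = ipaddress.ip_network(f"{t[3]}/{t[4]}")
            nats.setdefault(nat_id, []).append((ifc, target))
        elif t[0] == "global":
            globals_.setdefault(int(t[2]), []).append((t[1].strip("()"), t[3]))
    return nats, globals_


def translation_plan(nats, globals_):
    """What each nat id does: exemption, translation to its global, or nothing."""
    plan = {}
    for nat_id in nats:
        if nat_id == 0:
            plan[nat_id] = "exempt from translation"
        elif nat_id in globals_:
            plan[nat_id] = "translate to " + ", ".join(
                f"{kw} on {ifc}" for ifc, kw in globals_[nat_id])
        else:
            plan[nat_id] = "no matching global: traffic cannot be translated"
    return plan


def parse_xlate(text):
    """(kind, global_addr, global_port, local_addr, local_port) per translation line."""
    out = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            kind, gaddr, gport, laddr, lport = m.groups()
            out.append((kind, gaddr, int(gport), laddr, int(lport)))
    return out


def xlate_covered(xlates, nats):
    """Append the nat id whose network contains each local address (None if none does)."""
    result = []
    for kind, gaddr, gport, laddr, lport in xlates:
        local, hit = ipaddress.ip_address(laddr), None
        for nat_id, rules in nats.items():
            for _ifc, target in rules:
                if isinstance(target, ipaddress.IPv4Network) and local in target:
                    hit = nat_id
        result.append((laddr, lport, gaddr, gport, hit))
    return result


# Constructed: the page's nat/global pair and exemption, plus nat id 7 without a global.
SAMPLE_CONFIG = """\
nat (inside) 5 172.22.2.0 255.255.255.0
global (outside) 5 interface
nat (inside) 0 access-list no_nat
nat (dmz) 7 172.21.1.0 255.255.255.0
"""
SAMPLE_XLATE = """\
2 in use, 22 most used
PAT Global 192.168.250.96(1051) Local 172.22.2.2(43223)
PAT Global 192.168.250.96(1050) Local 172.22.2.2(43222)
"""

if __name__ == "__main__":
    nats, globals_ = parse_nat_config(SAMPLE_CONFIG)
    for nat_id, what in translation_plan(nats, globals_).items():
        print(nat_id, what)
    print(xlate_covered(parse_xlate(SAMPLE_XLATE), nats))
```

Running it over a real running-config (the nat, global and show xlate output pasted into the two strings) shows at a glance which inside networks leave through which global address and which nat ids are dead because no global with the same id exists.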
 
 
 
 
 
=New global command=
From ASA 8.3 the nat/global syntax shown above was replaced; see:
*https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
 
 
 
==Access lists and their assignment==

===Building access lists===
<pre>
lurchie# configure terminal
lurchie(config)# access-list inside-in permit tcp 172.22.2.0 255.255.255.0 any eq ssh
lurchie(config)# access-list inside-in permit tcp 172.22.2.0 255.255.255.0 any eq www
lurchie(config)# access-list inside-in permit tcp 172.22.2.0 255.255.255.0 192.168.240.21 255.255.255.255 eq domain
lurchie(config)# access-list inside-in permit udp 172.22.2.0 255.255.255.0 192.168.240.21 255.255.255.255 eq domain
lurchie(config)# exit
lurchie#
</pre>

Explanation:
<pre>
access-list acl-name permit|deny proto src-net src-mask dst-net dst-mask op port
</pre>
*access-list: keyword that introduces an access list entry
*acl-name: name of the access list
*proto: the protocol (tcp, udp, icmp, ...)
*src-net: source network of the first packet
*src-mask: source network mask of the first packet
*dst-net: destination network of the first packet
*dst-mask: destination network mask of the first packet
*op: operator (gt, lt, eq)
*port: destination port of the first packet
Entries are evaluated in order: the first matching entry decides, and traffic that matches no entry is denied.

===Applying access lists to the interfaces===
<pre>
lurchie# configure terminal
lurchie(config)# access-group inside-in in interface inside
lurchie(config)# exit
lurchie#
</pre>

Explanation:
<pre>
access-group acl-name in interface interface-name
</pre>
*access-group: keyword that introduces an access group
*acl-name: name of the access list that is applied
*in: direction
*interface: keyword that introduces an interface
*interface-name: name of the interface
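The access-list grammar explained above, as an added example in Python (not code from the wiki page): a parser for the entry format, a first-match evaluator with the implicit deny at the end, and a check for permit-anything entries. The port-name table and the sample list are constructed from this page's own entries; the evaluator ignores ICMP types.

```python
"""Parse PIX/ASA access-list entries and evaluate them with first-match semantics.

Added example, not code from the Xinux wiki page. It follows the grammar
explained above (access-list acl-name permit|deny proto src src-mask dst dst-mask
op port) plus the 'any', 'host x' and ICMP-type forms used elsewhere on the page.
Port names and the sample entries are constructed from the page's own lines.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ssh": 22, "www": 80, "domain": 53, "smtp": 25}   # subset, assumed


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    op: Optional[str] = None         # eq | gt | lt | neq
    port: Optional[int] = None       # destination port the operator applies to
    icmp_type: Optional[str] = None  # e.g. echo-reply (not evaluated below)


def _network(tokens, i):
    """Consume one address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'address dotted-mask'; strict=True rejects a mask that leaves host bits set
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl_line(line):
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = tokens[1:4]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r} in {line!r}")
    src, i = _network(tokens, 4)
    dst, i = _network(tokens, i)
    entry = AclEntry(name, action, proto, src, dst)
    rest = tokens[i:]
    if proto == "icmp" and rest:
        entry.icmp_type = rest[0]
    elif rest:
        if len(rest) != 2 or rest[0] not in ("eq", "gt", "lt", "neq"):
            raise ValueError(f"bad port clause in {line!r}")
        entry.op = rest[0]
        entry.port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return entry


def parse_acl(text, name):
    """Entries of the named list, in configuration order (order matters for first match)."""
    entries = [parse_acl_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in entries if e.name == name]


def _port_matches(entry, dport):
    if entry.op is None:
        return True
    if dport is None:
        return False
    return {"eq": dport == entry.port, "gt": dport > entry.port,
            "lt": dport < entry.port, "neq": dport != entry.port}[entry.op]


def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """The first matching entry decides; no match hits the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto in (proto, "ip") and src in e.src and dst in e.dst and _port_matches(e, dport):
            return e.action
    return "deny"


def overly_broad(entries):
    """Permit entries that match any source, any destination and any port."""
    return [e for e in entries if e.action == "permit" and e.src.prefixlen == 0
            and e.dst.prefixlen == 0 and e.op is None and e.icmp_type is None]


# Constructed sample: the page's inside-in and ICMP lists plus one deliberately broad list.
SAMPLE_ACL = """\
access-list inside-in permit tcp 172.22.2.0 255.255.255.0 any eq ssh
access-list inside-in permit tcp 172.22.2.0 255.255.255.0 any eq www
access-list inside-in permit tcp 172.22.2.0 255.255.255.0 192.168.240.21 255.255.255.255 eq domain
access-list inside-in permit udp 172.22.2.0 255.255.255.0 192.168.240.21 255.255.255.255 eq domain
access-list ICMP permit icmp any any echo-reply
access-list lab permit ip any any
"""

if __name__ == "__main__":
    inside_in = parse_acl(SAMPLE_ACL, "inside-in")
    print(evaluate(inside_in, "tcp", "172.22.2.5", "203.0.113.10", 22))   # permit
    print(evaluate(inside_in, "udp", "172.22.2.5", "203.0.113.10", 53))   # deny: DNS only to 192.168.240.21
    print([e.name for e in overly_broad(parse_acl(SAMPLE_ACL, "lab"))])  # ['lab']
```

The evaluator makes the effect of the inside-in list concrete: SSH and HTTP from the inside network go anywhere, DNS only to 192.168.240.21, and everything else (HTTPS, DNS to other resolvers, hosts outside 172.22.2.0/24) falls through to the implicit deny.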
 
 
 
 
 
===The static command===
To allow connections from an interface with a lower security level to an interface with a higher security level, a static address translation must be configured (even when the addresses are identical):
<pre>
static (dmz,outside) 172.21.1.0 172.21.1.0 netmask 255.255.255.0 0 0
</pre>

The access list must of course be created as well:
<pre>
lurchie# configure terminal
lurchie(config)# access-list outside-in permit tcp any 172.21.1.2 255.255.255.255 eq 22
lurchie(config)# access-list outside-in permit tcp any 172.21.1.2 255.255.255.255 eq 80
lurchie(config)# access-list outside-in permit tcp any 172.21.1.2 255.255.255.255 eq 25
lurchie(config)# access-group outside-in in interface outside
lurchie(config)# exit
lurchie#
</pre>

===Destination NAT into the LAN===
<pre>
lurchie# configure terminal
lurchie(config)# static (inside,outside) tcp 192.168.250.96 80 172.22.2.2 80 netmask 255.255.255.255 0 0
lurchie(config)# access-list outside-in permit tcp any host 192.168.250.96 eq www
lurchie(config)# access-group outside-in in interface outside
lurchie#
</pre>
The access-group must name the same list that the access-list entry belongs to (outside-in here); since only one inbound access group can be bound to outside, the new entry is added to the existing outside-in list rather than to a separate one.
 
 
 
==External logging==

===Install syslog-ng on the external server===
<pre>
apt-get install syslog-ng
touch /var/log/pix.log
</pre>

===Adjust /etc/syslog-ng/syslog-ng.conf===
<pre>
######
# sources

source s_tcp {
        tcp( ip(172.22.2.2) port(514) max-connections(20) );
        };

source network {
        udp();
};

destination df_pix { file("/var/log/pix.log"); };

filter f_local4 { facility(local4); };

log {
        source(network);
        filter(f_local4);
        destination(df_pix);
};
(...)
</pre>

===Enable logging on lurchie===
<pre>
lurchie# configure terminal
lurchie(config)# logging on
lurchie(config)# logging timestamp
lurchie(config)# logging standby
lurchie(config)# logging facility 20
lurchie(config)# logging trap notifications
lurchie(config)# logging host inside 172.22.2.2 format emblem
lurchie(config)# exit
lurchie#
</pre>
Facility 20 is the syslog facility local4, which is exactly what the f_local4 filter above selects; "logging trap notifications" sends messages of severity 5 (notifications) and anything more severe, so level-6 connection messages never reach the server at this setting.
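How the ASA logging facility and trap level interact with the syslog-ng facility filter above, as an added example in Python (not code from the wiki page): it decodes the syslog PRI of each message into facility and severity, applies the "logging trap notifications" threshold and the facility(local4) filter, and reports which messages actually land in pix.log. The sample lines are constructed; the message IDs 111008, 302013 and 106023 are real ASA message numbers, but the bodies, host names and addresses are made up.

```python
"""Decode the syslog priority of ASA/PIX messages and check them against the
'logging facility 20' / 'logging trap notifications' / filter facility(local4)
settings shown above.

Added example, not code from the wiki page. The sample messages are constructed;
the message IDs 111008, 302013 and 106023 are real ASA message numbers, the
hostnames, addresses and message bodies are made up.
"""
import re

# RFC 3164: PRI = facility * 8 + severity. ASA 'logging facility N' uses the same numbers.
FACILITIES = {16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
ASA_ID_RE = re.compile(r"%(?:ASA|PIX|FWSM)-(\d)-(\d{6}):")


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def parse_asa_syslog(line):
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri, body = int(m.group(1)), m.group(2)
    facility, severity = decode_pri(pri)
    idm = ASA_ID_RE.search(body)
    if not idm:
        raise ValueError("no %ASA-x-nnnnnn message id in body")
    return {"facility": facility, "severity": severity,
            "msg_severity": SEVERITIES[int(idm.group(1))],
            "msg_id": idm.group(2), "body": body}


def asa_would_send(msg, trap_level="notifications"):
    """'logging trap <level>' forwards that severity and everything more severe."""
    return SEVERITIES.index(msg["severity"]) <= SEVERITIES.index(trap_level)


def syslog_ng_would_file(msg, filter_facility="local4"):
    """filter f_local4 { facility(local4); } only passes messages of that facility."""
    return msg["facility"] == filter_facility


def triage(lines, trap_level="notifications", filter_facility="local4"):
    """(msg_id, lands_in_pix_log) per line; the False ones are the blind spots."""
    result = []
    for line in lines:
        msg = parse_asa_syslog(line)
        filed = asa_would_send(msg, trap_level) and syslog_ng_would_file(msg, filter_facility)
        result.append((msg["msg_id"], filed))
    return result


# Constructed sample messages (PRI = facility*8 + severity).
SAMPLE_LINES = [
    # 165 = local4/notifications: forwarded by the ASA and filed by syslog-ng
    "<165>May 13 2009 13:10:02 lurchie : %ASA-5-111008: User 'admin' executed the 'logging on' command.",
    # 164 = local4/warnings: more severe than notifications, so also filed
    "<164>May 13 2009 13:10:05 lurchie : %ASA-4-106023: Deny tcp src outside:203.0.113.7/4455 "
    "dst dmz:172.21.1.2/23 by access-group \"outside-in\"",
    # 166 = local4/informational: the ASA never sends it at 'logging trap notifications'
    "<166>May 13 2009 13:10:07 lurchie : %ASA-6-302013: Built outbound TCP connection 1234 "
    "for outside:203.0.113.9/80 to inside:172.22.2.2/43223",
    # 189 = local7/notifications: a firewall logging to local7 is dropped by f_local4
    "<189>May 13 2009 13:10:09 otherfw : %ASA-5-111008: User 'admin' executed the 'write memory' command.",
]

if __name__ == "__main__":
    for msg_id, filed in triage(SAMPLE_LINES):
        print(msg_id, "filed" if filed else "dropped")
```

The third line is the point to notice: connection build/teardown messages (level 6) are silently dropped by "logging trap notifications", so if pix.log is meant for connection forensics the trap level has to be raised to informational and the server sized for the volume.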
 
 
 
==Site-to-site VPN==
*[[ASA L2L VPN]]
*[[ASA L2L VPN old]]

==Links==
*http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/site2sit.html

===Openswan side===
/etc/ipsec.conf
<pre>
version 2.0    # conforms to second version of ipsec.conf specification

config setup
        nat_traversal=yes
        nhelpers=0

conn test
        right=192.168.241.90
        rightsubnet=172.23.3.0/24
        left=192.168.250.96
        leftsubnet=172.22.2.0/24
        esp=3des-md5-96
        keyexchange=ike
        authby=secret
        pfs=no
        auto=add

include /etc/ipsec.d/examples/no_oe.conf
</pre>
/etc/ipsec.secrets
<pre>
192.168.250.96 192.168.241.90 : PSK "sauhund"
</pre>
esp=3des-md5-96 and pfs=no are legacy choices made for compatibility with the PIX; where the peer supports it, use AES with SHA and enable PFS.
 
 
 
 
 
==Road warrior with local authentication==
<pre>
crypto ipsec transform-set willset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set willset
crypto map willmap 10 ipsec-isakmp dynamic dynmap
crypto map willmap client configuration address initiate
crypto map willmap client configuration address respond
crypto map willmap client authentication LOCAL
ip local pool will-pool 192.168.31.1-192.168.31.5
vpngroup will password oimel
vpngroup will address-pool will-pool
vpngroup will dnsserver 172.22.22.2
access-list no_nat permit ip any 192.168.31.0 255.255.255.248
nat (inside) 0 access-list no_nat
access-list outside_cryptomap_dyn_300 permit ip any 192.168.23.0 255.255.255.248
crypto dynamic-map outside_dyn_map_2 300 match address outside_cryptomap_dyn_300
crypto dynamic-map outside_dyn_map_2 300 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map willmap interface outside
sysopt connection permit-ipsec
user xinux password suxer
</pre>
 
 
 
==Road warrior with RADIUS==

===Define the RADIUS server===
<pre>
lurchie(config)# name 172.22.2.11 my-radius-server
</pre>

===Assign the RADIUS protocol to the server group===
<pre>
lurchie(config)# aaa-server radius-server protocol radius
</pre>

===Set up the RADIUS server via the inside interface with the password my-radius-pass===
<pre>
lurchie(config)# aaa-server radius-server (inside) host my-radius-server my-radius-pass timeout 10
</pre>

===Use the radius-server group for VPN client authentication===
<pre>
lurchie(config)# crypto map vpn client authentication radius-server
</pre>
The crypto map references the aaa-server group (radius-server), not the host name alias my-radius-server.

===Set the VPN group gallier===
<pre>
lurchie(config)# vpngroup gallier password suxer
</pre>

===Set the address pool gallier-pool===
<pre>
lurchie(config)# ip local pool gallier-pool 192.168.11.1-192.168.11.5
</pre>

===Assign gallier-pool to gallier===
<pre>
lurchie(config)# vpngroup gallier address-pool gallier-pool
</pre>

===DNS server for gallier===
<pre>
lurchie(config)# vpngroup gallier dns-server 10.10.1.10 10.10.1.11
</pre>

===No NAT for the gallier pool===
<pre>
lurchie(config)# access-list no_nat permit ip any 192.168.11.0 255.255.255.248
</pre>

===Apply the NAT exemption===
<pre>
lurchie(config)# nat (inside) 0 access-list no_nat
</pre>

===Name the ACL===
<pre>
lurchie(config)# access-list outside_cryptomap_dyn_280 permit ip any 192.168.11.0 255.255.255.248
</pre>

===Assign the ACL===
<pre>
lurchie(config)# crypto dynamic-map outside_dyn_map_1 280 match address outside_cryptomap_dyn_280
</pre>

===myset is used for the connection parameters (see above)===
<pre>
lurchie(config)# crypto dynamic-map outside_dyn_map_1 280 set transform-set myset
</pre>

===Lifetime and further parame ters are assigned===
<pre>
lurchie(config)# crypto dynamic-map outside_dyn_map_1 280 set security-association lifetime seconds 28800 kilobytes 4608000
</pre>

===Define the VPN interface===
<pre>
lurchie(config)# crypto map vpn interface outside
</pre>

===Enable IPsec===
<pre>
lurchie(config)# sysopt connection permit-ipsec
</pre>
 
 
 
==IPsec troubleshooting==

===Show the crypto maps===
<pre>
lurchie# show crypto map
</pre>

===Show the established IPsec SAs===
<pre>
lurchie(config)# show crypto ipsec sa
</pre>

===Debug the IKE SA setup===
<pre>
lurchie# debug crypto isakmp
</pre>

===Debug the IPsec SA setup===
<pre>
lurchie# debug crypto ipsec
</pre>

===Force renegotiation of an IPsec SA===
<pre>
lurchie# clear crypto ipsec sa map vpn 10
</pre>
 
 
 
==Other troubleshooting==

===Debugging===

====Switch debug mode off====
<pre>
lurchie# no debug all
</pre>

====Trace IP packets====
<pre>
lurchie# debug packet outside dst 192.168.254.27
lurchie#
--------- PACKET ---------
-- IP --
192.168.254.27 ==> 192.168.250.96
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c
id = 0x94ee flags = 0x40 frag off=0x0
ttl = 0x40 proto=0x6 chksum = 0x2c00
-- TCP --
source port = 0x87f7 dest port = 0x50
syn
seq = 0x87111bd0
ack = 0x0
hlen = 0xa window = 0x16d0
checksum = 0xfcdd urg = 0x0
tcp options:
0x2 0x4 0x5 0xb4 0x4 0x2 0x8 0xa
0x0 0x1d 0x8f 0x3e 0x0 0x0 0x0 0x0
0x1 0x3 0x3 0x7
--------- END OF PACKET ---------
</pre>
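Reading the raw option bytes that debug packet prints, as an added example in Python (not code from the wiki page): a decoder for the TCP option list per RFC 793 (kinds 0 and 1 are single bytes, every other kind is kind, length, data). The 20 bytes below are the ones from the trace above; nothing else is assumed.

```python
"""Decode the raw TCP option bytes that 'debug packet' prints.

Added example, not code from the wiki page. The 20 option bytes below are the
ones shown in the trace above (0x2 0x4 0x5 0xb4 ...); the decoder follows RFC 793
(kinds 0 and 1 have no length byte, every other kind is kind, length, data).
"""

OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "wscale", 4: "sackOK", 5: "sack", 8: "timestamp"}


def parse_debug_hex(text):
    """Turn the '0x2 0x4 0x5 0xb4 ...' tokens of a debug packet dump into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def decode_tcp_options(data):
    """Return a list of (name, value); value is None for nop, sackOK and eol."""
    opts, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                       # end of option list
            opts.append(("eol", None))
            break
        if kind == 1:                       # nop: single padding byte
            opts.append(("nop", None))
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"truncated option kind {kind} at offset {i}")
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for option kind {kind} at offset {i}")
        body = data[i + 2:i + length]
        name = OPTION_NAMES.get(kind, f"kind{kind}")
        if kind == 2 and len(body) == 2:
            value = int.from_bytes(body, "big")                # maximum segment size
        elif kind == 3 and len(body) == 1:
            value = body[0]                                     # window scale shift count
        elif kind == 8 and len(body) == 8:
            value = (int.from_bytes(body[:4], "big"),           # TSval
                     int.from_bytes(body[4:], "big"))           # TSecr
        elif kind == 4:
            value = None                                        # SACK permitted, no data
        else:
            value = body.hex()                                  # anything else: raw hex
        opts.append((name, value))
        i += length
    return opts


def summarize(opts):
    """tcpdump-style one-liner, e.g. 'mss 1460,sackOK,timestamp 1937214 0,nop,wscale 7'."""
    parts = []
    for name, value in opts:
        if value is None:
            parts.append(name)
        elif isinstance(value, tuple):
            parts.append(f"{name} {value[0]} {value[1]}")
        else:
            parts.append(f"{name} {value}")
    return ",".join(parts)


def header_length_words(option_bytes):
    """TCP data offset in 32-bit words: 20 fixed header bytes plus the options."""
    return (20 + len(option_bytes)) // 4


# The option bytes from the debug output quoted above.
DEBUG_OPTIONS = "0x2 0x4 0x5 0xb4 0x4 0x2 0x8 0xa 0x0 0x1d 0x8f 0x3e 0x0 0x0 0x0 0x0 0x1 0x3 0x3 0x7"

if __name__ == "__main__":
    data = parse_debug_hex(DEBUG_OPTIONS)
    print(hex(header_length_words(data)))        # 0xa, the hlen in the trace
    print(summarize(decode_tcp_options(data)))
```

The decoded list (mss 1460, sackOK, timestamp, nop, wscale 7) is the same information tcpdump prints in angle brackets for a SYN, and the 20 option bytes explain the trace's hlen = 0xa: ten 32-bit words, i.e. the 20-byte fixed header plus 20 bytes of options.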
 
 
 
====Trace ICMP traffic====
<pre>
lurchie# debug icmp trace
1: ICMP echo-request from outside:192.168.250.1 to 192.168.250.96 ID=4150 seq=177 length=64
2: ICMP echo-request: untranslating outside:192.168.250.96 to dmz:172.21.1.2
</pre>

===Show the CPU utilization===
<pre>
lurchie# sh cpu usage
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
</pre>
 
 
 
===Show the processes===
<pre>
lurchie# sh processes
</pre>

===Performance monitoring===
<pre>
lurchie# show perfmon

PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup            0/s          0/s
TCPIntercept         0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
</pre>

===Show the memory usage===
<pre>
lurchie# show memory
Free memory:        15974832 bytes
Used memory:        17579600 bytes
-------------    ----------------
Total memory:       33554432 bytes
</pre>

===Show the interface statistics===
<pre>
lurchie# show interface
</pre>

===Show and clear the traffic counters===
<pre>
lurchie# show traffic
lurchie# clear traffic
</pre>
 
 
 
===Ping===
<pre>
lurchie# ping 80.146.204.15
lurchie# ping inside 172.22.2.2
</pre>

===Show the routes===
<pre>
lurchie# show route
        outside 0.0.0.0 0.0.0.0 192.168.240.100 1 OTHER static
        dmz 172.21.1.0 255.255.255.0 172.21.1.1 1 CONNECT static
        inside 172.22.2.0 255.255.255.0 172.22.2.1 1 CONNECT static
        outside 192.168.240.0 255.255.240.0 192.168.250.96 1 CONNECT static
</pre>

===Show the IP addresses===
<pre>
lurchie# show ip address
System IP Addresses:
        ip address outside 192.168.250.96 255.255.240.0
        ip address inside 172.22.2.1 255.255.255.0
        ip address dmz 172.21.1.1 255.255.255.0
Current IP Addresses:
        ip address outside 192.168.250.96 255.255.240.0
        ip address inside 172.22.2.1 255.255.255.0
        ip address dmz 172.21.1.1 255.255.255.0
</pre>
 
 
 
===Show the version===
<pre>
lurchie# show version

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Wed 13-Aug-03 13:55 by morlee

lurchie up 19 hours 45 mins

Hardware:   PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0011.93f6.6c4c, irq 10
1: ethernet1: address is 0011.93f6.6c4d, irq 11
2: ethernet2: address is 000e.0c69.d31a, irq 5
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 808312119 (0x302ddd37)
Running Activation Key: 0x31d8e400 0x1174e8d9 0xb8eb6114 0xd697604d
Configuration last modified by enable_15 at 11:31:41.911 MET Fri May 15 2009
</pre>
 
 
 
==HTTP interface PIX Device Manager (PDM)==

===Enable PDM===
<pre>
lurchie# configure terminal
lurchie(config)# http server enable
lurchie(config)# exit
lurchie#
</pre>

===Define the permitted source range===
<pre>
lurchie# configure terminal
lurchie(config)# http 192.168.240.0 255.255.240.0 outside
lurchie(config)# exit
lurchie#
</pre>
 
 
 
==Miscellaneous==

===Set up a DHCP server===
<pre>
lurchie# configure terminal
lurchie(config)# dhcpd address 172.22.2.69-172.22.2.89 inside
lurchie(config)# dhcpd enable inside
lurchie(config)# dhcpd dns 192.168.240.21
lurchie(config)# exit
lurchie#
</pre>

===Cable modem===
<pre>
lurchie# configure terminal
lurchie(config)# ip address outside dhcp setroute
lurchie(config)# exit
lurchie#
</pre>

===DSL PPPoE DHCP===
<pre>
lurchie# configure terminal
lurchie(config)# ip address outside pppoe setroute
lurchie(config)# vpdn group ISP request dialout pppoe
lurchie(config)# vpdn group ISP localname <dsl-username>
lurchie(config)# vpdn group ISP ppp authentication pap
lurchie(config)# vpdn username <dsl-username> password <dsl-password>
lurchie(config)# exit
lurchie#
</pre>
''dsl-username'' and ''dsl-password'' are placeholders for the credentials issued by the ISP.
 
 
 
==Capturing traffic==

===Create the access list===
<pre>
lurchie# configure terminal
lurchie(config)# access-list my-acl permit ip host 172.22.2.2 any
lurchie(config)# access-list my-acl permit ip any host 172.22.2.2
</pre>

===Assign the access list to the capture my-cap, choose the interface to listen on and start===
<pre>
lurchie(config)# capture my-cap access-list my-acl buffer 20000 packet-length 200 interface inside
lurchie(config)# exit
lurchie#
</pre>

===Display on the console===
<pre>
lurchie# show capture xinux-cap-http
lurchie# show capture my-cap
132 packets captured
16:24:35.518741 172.22.2.1.514 > 172.22.2.2.514:  udp 165
16:24:37.944927 172.22.2.1.514 > 172.22.2.2.514:  udp 72
16:25:06.135414 192.168.240.21.53 > 172.22.2.2.35243:  udp 125c
16:25:06.135887 172.22.2.2.35493 > 212.58.226.139.80: S 2702734858:2702734858(0) win 5840 <mss 1460,sackOK,timestamp 25935138 0,nop,wscale 6>
.......
</pre>

===Display in the web browser===
<pre>
https://192.168.250.96/capture/my-cap
</pre>

===Download the capture===
<pre>
https://192.168.250.96/capture/my-cap/pcap
</pre>

===Copy the capture via TFTP (ASCII)===
<pre>
lurchie# copy capture:my-cap tftp://192.168.240.1/pix-dir/my-cap
</pre>

===Copy the capture via TFTP (PCAP)===
<pre>
lurchie# copy capture:my-cap tftp://192.168.240.1/pix-dir/my-cap.cap pcap
</pre>

===Display the traffic with tcpdump===
<pre>
root@arilon:/var/lib/tftpboot/pix-dir# tcpdump -r my-cap.cap
</pre>

===Display the traffic with Wireshark===
<pre>
root@arilon:/var/lib/tftpboot/pix-dir# wireshark my-cap.cap
</pre>

===Clear the capture buffer===
<pre>
lurchie(config)# clear capture my-cap
</pre>

===Remove the capture===
<pre>
lurchie(config)# no capture my-cap
</pre>
 
===Netstat on the ASA===
<pre>
lurchie# sh asp table socket

Proto  Socket    Local Address              Foreign Address        State
SSL    00007d7c  172.22.2.1:443             0.0.0.0:*              LISTEN
SSL    0000f6b4  192.168.244.99:443         0.0.0.0:*              LISTEN
TCP    000169d4  192.168.244.99:22          0.0.0.0:*              LISTEN
TCP    0001e82c  172.22.2.1:22              0.0.0.0:*              LISTEN
</pre>
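Putting the socket table together with the ssh and http source restrictions from the SSH and PDM sections, as an added example in Python (not code from the wiki page): it maps each LISTEN socket to the interface that owns the address and reports from which source networks that management service is reachable, flagging 0.0.0.0/0. The interface addresses are those of the first configuration on this page (outside 192.168.244.99), which match the socket table; the five-column layout of show asp table socket is assumed from the output above.

```python
"""Map the LISTEN sockets of 'show asp table socket' to interfaces and to the
'ssh'/'http' source restrictions, to see from where each management service
is reachable.

Added example, not code from the wiki page. Interface addresses, the socket
table and the ssh/http lines are taken from the page; the column layout
'Proto Socket Local Foreign State' of the socket table is assumed.
"""
import ipaddress

SERVICES = {22: "ssh", 443: "http"}   # listening port -> command that restricts sources


def parse_interfaces(text):
    """'ip address <ifc> <addr> <mask>' lines -> {ifc: IPv4Interface}."""
    ifcs = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) == 5 and t[:2] == ["ip", "address"]:
            ifcs[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
    return ifcs


def parse_listeners(text):
    """LISTEN rows of the socket table -> [(proto, local_ip, local_port)]."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) == 5 and t[4] == "LISTEN":
            ip, port = t[2].rsplit(":", 1)
            rows.append((t[0], ip, int(port)))
    return rows


def parse_access_rules(text):
    """'ssh|http <net> <mask> <ifc>' lines -> {(service, ifc): [networks]}."""
    rules = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) == 4 and t[0] in ("ssh", "http"):
            net = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
            rules.setdefault((t[0], t[3]), []).append(net)
    return rules


def exposure(interfaces, listeners, rules):
    """One record per listening management socket: the interface it sits on and
    the source networks allowed to reach it. An empty list means nobody (the
    firewall refuses ssh/http from interfaces without an entry); 0.0.0.0/0 means
    everyone."""
    by_addr = {str(i.ip): name for name, i in interfaces.items()}
    report = []
    for proto, ip, port in listeners:
        service = SERVICES.get(port)
        if service is None:
            continue
        ifc = by_addr.get(ip, "unknown")
        allowed = rules.get((service, ifc), [])
        report.append({"service": service, "interface": ifc, "address": ip,
                       "sources": [str(n) for n in allowed],
                       "open_to_all": any(n.prefixlen == 0 for n in allowed)})
    return report


# Constructed from the page: first-configuration addresses, the ssh/http lines, the socket table.
SHOW_IP = """\
ip address outside 192.168.244.99 255.255.255.0
ip address inside 172.22.2.1 255.255.255.0
ip address dmz 172.21.1.1 255.255.255.0
"""
MGMT_RULES = """\
ssh 172.22.2.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
http 192.168.240.0 255.255.240.0 outside
"""
SOCKET_TABLE = """\
Proto  Socket    Local Address              Foreign Address        State
SSL    00007d7c  172.22.2.1:443             0.0.0.0:*              LISTEN
SSL    0000f6b4  192.168.244.99:443         0.0.0.0:*              LISTEN
TCP    000169d4  192.168.244.99:22          0.0.0.0:*              LISTEN
TCP    0001e82c  172.22.2.1:22              0.0.0.0:*              LISTEN
"""


def audit():
    return exposure(parse_interfaces(SHOW_IP), parse_listeners(SOCKET_TABLE),
                    parse_access_rules(MGMT_RULES))


if __name__ == "__main__":
    for r in audit():
        flag = "  <-- open to any source" if r["open_to_all"] else ""
        print(f"{r['service']:5} on {r['interface']:8} {r['address']:16} sources={r['sources']}{flag}")
```

The report reproduces what the page's configuration implies: SSH on the outside address is reachable from any source because of "ssh 0.0.0.0 0.0.0.0 outside", PDM on outside only from 192.168.240.0/20, SSH on inside only from 172.22.2.0/24, and the inside HTTPS listener from nobody, since no http line names the inside interface.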
 
 
 
=Password Recovery=
 
*[[Cisco Pix Password Recovery]]
 
=Flash Upgrade=
 
*[[Cisco Pix Flash Upgrade]]
 

Current revision as of 24 June 2016, 10:46