Category: Cisco

One-liner: how to generate group-url for all remote-access tunnel-groups (Cisco ASA)

This one-liner takes Cisco ASA config, checks for “tunnel-group … remote-access” and generates the following two lines:

tunnel-group GROUPNAME webvpn-attributes
 group-url https://CISCO_ASA_FW_FQDN/GROUPNAME enable
for i in `fgrep tunnel-group CISCO_ASA.conf | fgrep remote-access | awk '{print $2}'`
do
echo "tunnel-group $i webvpn-attributes"
echo " group-url https://CISCO_ASA_FW_FQDN/$i enable"
done

One-liners: simple ASA log parsers

Sometimes you do not need a detailed log-analysis but several simple one-liners that you can adjust without too much thinking how it works, what you did last time, etc. The examples below are absolutely NOT optimal, but rather modular for easy line-editing.

Continue reading “One-liners: simple ASA log parsers”

UPnP devices do not see each other

If UPnP devices do not see each other, most likely there are two problems:

Multicasts are not forwarded

Simple Service Discovery Protocol (SSDP) uses multicast IPv4 address 239.255.255.250. The local switches must be able to forward such traffic. On a Cisco switch you run the following command to allow that:

no ip igmp snooping vlan 101

Firewall blocks UPnP traffic

Related ports: UDP-1900 and TCP-2869

Default passwords

Solaris 11: root/solaris
Cyclades console servers (e.g. ACS4): root/tslinux
Avocent ACS5000 console servers: root/avocent
Avocent ACS6000 console servers: admin/avocent or root/linux
Cisco VPN3000: admin/admin
Cisco ASA: empty
Netscreen: netscreen/netscreen
Avocent/Cyclades PM IPDU: admin/pm8 root/linux

ASA and traceroute

By default ASA does not decrease the TTL field, hence is not visible in traceroute output. This is how to change this behaviour :

asa# conf t
asa(config)# icmp unreachable rate-limit 10 burst-size 5
asa(config)# policy-map global_policy
asa(config-pmap)#
asa(config-pmap)# class class-default
asa(config-pmap-c)# set connection decrement-ttl

The result:
Continue reading “ASA and traceroute”

CheckPoint Firewall policy parsers and converters

Jumbo frames on Cisco

For IOS:

3750(config)# system mtu jumbo 9000
3750(config)# exit
3750# reload

7609(config)#int gigabitEthernet 1/1
7609(config-if)#mtu ?
<1500-9216> MTU size in bytes

7609(config-if)#mtu 9216

Verify in Native IOS:

7609#show interfaces gigabitEthernet 1/1
GigabitEthernet1/1 is up, line protocol is up (connected)
Hardware is C6k 1000Mb 802.3, address is 0007.0d0e.640a (bia 0007.0d0e.640a)
MTU 9216 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255

For CatOS:

Cat6509> (enable) set port jumbo
Usage: set port jumbo <mod/port> <enable|disable>
Cat6509> (enable) set port jumbo 1/1 enable
Jumbo frames enabled on port 1/1.
Cat6509> (enable) 2002 May 29 12:34:35 %PAGP-5-PORTFROMSTP:
Port 1/1 left bridge port 1/1
2002 May 29 12:34:38 %PAGP-5-PORTTOSTP:Port 1/1 joined bridge port 1/1

Verify in CatOS

Cat6509> (enable) show port jumbo
Jumbo frames MTU size is 9216 bytes.
Jumbo frames enabled on port(s) 1/1,9/1.

Literature:
Cisco manual