The following command can be used to start Cisco ASDM from command-line on Windows (without ASDM installation) or UNIX. Java must be locally installed:
javaws https:///admin/public/asdm.jnlp
The following command can be used to start Cisco ASDM from command-line on Windows (without ASDM installation) or UNIX. Java must be locally installed:
javaws https:///admin/public/asdm.jnlp
This one-liner takes Cisco ASA config, checks for “tunnel-group … remote-access” and generates the following two lines:
tunnel-group GROUPNAME webvpn-attributes group-url https://CISCO_ASA_FW_FQDN/GROUPNAME enable
for i in `fgrep tunnel-group CISCO_ASA.conf | fgrep remote-access | awk '{print $2}'` do echo "tunnel-group $i webvpn-attributes" echo " group-url https://CISCO_ASA_FW_FQDN/$i enable" done
Sometimes you do not need a detailed log-analysis but several simple one-liners that you can adjust without too much thinking how it works, what you did last time, etc. The examples below are absolutely NOT optimal, but rather modular for easy line-editing.
1. Allowed traffic:
cat asa.log | grep permitted | grep access-list |
sed -e 's/^.*permitted//' -e 's/hit-cnt.*$//' |
sed -e 's/([0-9][0-9]*) ->/ ->/' | less
Result:
tcp outside/10.2.8.30 -> inside/10.1.141.23(8080)
tcp outside/10.2.8.30 -> inside/10.1.141.23(8080)
tcp outside/10.2.8.35 -> inside/10.1.140.137(13000)
udp outside/10.2.8.25 -> inside/10.1.9.14(137)
udp outside/10.2.8.25 -> inside/10.1.81.15(137)
tcp outside/10.2.8.44 -> inside/10.1.140.137(13000)
tcp outside/10.2.8.31 -> inside/10.1.140.149(13000)
Noticed the “permitted” strings?
2. Denied traffic:
cat asa.log | grep denied | grep access-list |
sed -e 's/^.*denied//' -e 's/hit-cnt.*$//' |
sed -e 's/([0-9][0-9]*) ->/ ->/' | less
Result:
tcp inside/10.1.140.159 -> outside/10.2.8.24(515)
tcp inside/10.1.140.159 -> outside/10.2.8.24(515)
tcp inside/10.3.241.116 -> outside/10.2.8.251(1541)
tcp inside/10.3.241.116 -> outside/10.2.8.251(1547)
tcp inside/10.1.140.159 -> outside/10.2.8.24(515)
3. The most popular permitted traffic:
cat asa.log | grep permitted | grep access-list |
sed -e 's/^.*permitted//' -e 's/hit-cnt.*$//' |
sed -e 's/([0-9][0-9]*) ->/ ->/' |
awk ' {conn[$0]++;} END { for ( i in conn ) print conn[i]," ",i;}' | sort +0nr | less
Result (the first column is the amount of corresponding log entries):
21170 tcp outside/10.2.8.40 -> inside/10.1.140.149(13000)
18023 tcp outside/10.2.8.34 -> inside/10.1.140.149(13000)
17981 tcp outside/10.2.8.31 -> inside/10.1.140.149(13000)
11034 tcp inside/10.1.140.251 -> outside/10.2.8.68(10001)
10652 tcp outside/10.2.8.43 -> inside/10.1.140.137(13000)
10628 tcp outside/10.2.8.44 -> inside/10.1.140.137(13000)
10484 tcp outside/10.2.8.47 -> inside/10.1.140.137(13000)
10437 tcp outside/10.2.8.23 -> inside/10.1.140.137(13000)
7618 tcp outside/10.2.8.25 -> inside/10.1.140.137(13000)
7550 tcp outside/10.2.8.27 -> inside/10.1.140.137(13000)
7515 tcp outside/10.2.8.49 -> inside/10.1.140.137(13000)
7496 tcp outside/10.2.8.29 -> inside/10.1.140.137(13000)
6826 tcp outside/10.2.8.30 -> inside/10.1.141.23(8080)
6011 tcp outside/10.2.8.35 -> inside/10.1.140.137(13000)
5896 tcp outside/10.2.8.40 -> inside/10.1.141.23(8080)
5809 tcp outside/10.2.8.30 -> inside/10.1.140.137(13000)
4. Modification for versions 8.2+:
cat asa.log | grep Deny | grep access-group | sed -e 's/^.*Deny//' -e 's/by.*$//' | sed -e 's/dst/ ->/' -e 's/src//' | less
You can use this method to generate a policy based on the current traffic.
Additional “greps” will allow you to filter for specific ports or IP-addresses.
Replace “permitted” with “denied” and you’ll get the “most popular denied traffic”.
If UPnP devices do not see each other, most likely there are two problems:
Multicasts are not forwarded
Simple Service Discovery Protocol (SSDP) uses multicast IPv4 address 239.255.255.250. The local switches must be able to forward such traffic. On a Cisco switch you run the following command to allow that:
no ip igmp snooping vlan 101
Firewall blocks UPnP traffic
Related ports: UDP-1900 and TCP-2869
Solaris 11: root/solaris
Cyclades console servers (e.g. ACS4): root/tslinux
Avocent ACS5000 console servers: root/avocent
Avocent ACS6000 console servers: admin/avocent or root/linux
Cisco VPN3000: admin/admin
Cisco ASA: empty
Netscreen: netscreen/netscreen
Avocent/Cyclades PM IPDU: admin/pm8 root/linux
By default ASA does not decrease the TTL field, hence is not visible in traceroute output. This is how to change this behaviour :
asa# conf t asa(config)# icmp unreachable rate-limit 10 burst-size 5 asa(config)# policy-map global_policy asa(config-pmap)# asa(config-pmap)# class class-default asa(config-pmap-c)# set connection decrement-ttl
The result:
asa# sh run . . . icmp unreachable rate-limit 10 burst-size 5 . . . policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp . . . inspect icmp inspect sunrpc class class-default set connection decrement-ttl service-policy global_policy global . . .
Sources:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
http://packetu.com/content/view/50/
For IOS:
7609(config)#int gigabitEthernet 1/1
7609(config-if)#mtu ?
<1500-9216> MTU size in bytes
7609(config-if)#mtu 9216
Verify in Native IOS:
For CatOS:
Verify in CatOS
Literature:
Cisco manual
How to enable, disable displaying by page and change the number of lines by page in various OS’es