Thursday 9 May 2013

Understanding TCP connection flags

Cisco ASA Firewall TCP Connection Flags

When troubleshooting TCP connections through the ASA, the connection flags shown for each TCP connection provide a wealth of information about the state of the TCP connections passing through the ASA. This information can be used to troubleshoot problems with the ASA itself, as well as problems elsewhere in the network.

Here is the output of the show conn protocol tcp command, which shows the state of all TCP connections through the ASA. These connections can also be seen with the show conn command.

ASA# show conn protocol tcp
101 in use, 5589 most used
TCP outside 10.23.232.59:5223 inside 192.168.1.3:52419, idle 0:00:11, bytes 0, flags saA
TCP outside 192.168.3.5:80 dmz 172.16.103.221:57646, idle 0:00:29, bytes 2176, flags UIO
TCP outside 10.23.232.217:5223 inside 192.168.1.3:52425, idle 0:00:10, bytes 0, flags saA
TCP outside 10.23.232.217:443 inside 192.168.1.3:52427, idle 0:01:02, bytes 4504, flags UIO
TCP outside 10.23.232.57:5223 inside 192.168.1.3:52412, idle 0:00:23, bytes 0, flags saA
TCP outside 10.23.232.116:5223 inside 192.168.1.3:52408, idle 0:00:23, bytes 0, flags saA
TCP outside 10.23.232.60:5223 inside 192.168.1.3:52413, idle 0:00:23, bytes 0, flags saA
TCP outside 10.23.232.96:5223 inside 192.168.1.3:52421, idle 0:00:11, bytes 0, flags saA
TCP outside 10.23.232.190:5223 inside 192.168.1.3:52424, idle 0:00:10, bytes 0, flags saA

The next picture shows the ASA TCP connection flags at the different stages of the TCP state machine. The connection flags can be seen with the show conn command on the ASA.

[Figure: TCP Connection Flag Values]

Additionally, to see the legend for all of the possible connection flags, issue the show conn detail command:

ASA# show conn detail
84 in use, 1537 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
X - inspected by service module
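
As an added example, not from the original post: a small Python parser for the show conn output above that expands the flag letters with the legend from show conn detail and picks out inside hosts accumulating connections that never reached the U (up) state, which is the first thing to look at when a destination is unreachable or filtered. The embedded sample lines are copied from the output at the top of this post.

```python
import re
from collections import Counter

# TCP entries of the flag legend printed by "show conn detail" above. The ASA
# lists "R" twice; for a TCP connection it means "outside acknowledged FIN".
FLAG_LEGEND = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "b": "TCP state-bypass or nailed",
    "E": "outside back connection", "F": "outside FIN", "f": "inside FIN",
    "I": "inbound data", "i": "incomplete", "O": "outbound data",
    "P": "inside back connection", "R": "outside acknowledged FIN",
    "r": "inside acknowledged FIN", "S": "awaiting inside SYN",
    "s": "awaiting outside SYN", "U": "up", "V": "VPN orphan",
    "X": "inspected by service module",
}
CONN_RE = re.compile(r"^TCP (\S+) (\S+):(\d+) (\S+) (\S+):(\d+), "
                     r"idle (\d+):(\d+):(\d+), bytes (\d+), flags (\S+)$")

def parse_conn(line):
    """One 'show conn' TCP line -> dict (first address pair as printed is the
    outside side, second the inside/dmz side); None for the header or other lines."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    g = m.groups()
    return {"out_if": g[0], "out_host": g[1], "out_port": int(g[2]),
            "in_if": g[3], "in_host": g[4], "in_port": int(g[5]),
            "idle_s": int(g[6]) * 3600 + int(g[7]) * 60 + int(g[8]),
            "bytes": int(g[9]), "flags": g[10]}

def parse_output(text):
    return [c for c in map(parse_conn, text.splitlines()) if c]

def decode_flags(flags):
    return [FLAG_LEGEND.get(c, "unknown flag " + c) for c in flags]

def embryonic(conns):
    """Handshake never completed: no 'U' (up) flag and no bytes exchanged."""
    return [c for c in conns if "U" not in c["flags"] and c["bytes"] == 0]

def stuck_initiators(conns, threshold=3):
    """Inside hosts with >= threshold embryonic conns: the destination is not
    answering (down, filtered, misrouted) or the client is retrying too hard."""
    counts = Counter(c["in_host"] for c in embryonic(conns))
    return {host: n for host, n in counts.items() if n >= threshold}

SAMPLE = """TCP outside 10.23.232.59:5223 inside 192.168.1.3:52419, idle 0:00:11, bytes 0, flags saA
TCP outside 192.168.3.5:80 dmz 172.16.103.221:57646, idle 0:00:29, bytes 2176, flags UIO
TCP outside 10.23.232.217:5223 inside 192.168.1.3:52425, idle 0:00:10, bytes 0, flags saA
TCP outside 10.23.232.57:5223 inside 192.168.1.3:52412, idle 0:00:23, bytes 0, flags saA"""  # excerpt of the output quoted above
```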

Tuesday 7 May 2013

CCIE Security ver 4 Rack Rental

CCIE Security ver 4 Rack Rental: Rs. 2500/- per session (each session is 6 hours)

List of Equipment:
- Cisco ASA 5512x - 2 nos
- Cisco ASA 5510 - 2 nos
- Cisco Routers - 6 nos
- Cisco Switch 3560 - 4 nos
- Cisco Switch 3750 - 2 nos
- Cisco ISE
- Cisco ACS 5.x
- Cisco WLC 2504
- Cisco LWAP
- Cisco WSA (IronPort)
- Test PC

Interested candidates please send email to info@networkexpert.co

Monday 6 May 2013

Configuring IOS CA Server

Configuring Cisco Router as CA Server

R1(config)#ip domain-name networkexpert.co
R1(config)#crypto key generate rsa general-keys label netx exportable
R1(config)#crypto key export rsa netx pem url nvram: 3des netx123
!generate the RSA key pair and export it to NVRAM as PEM, 3DES-encrypted with the passphrase netx123

R1#show crypto key mypubkey rsa

R1(config)#ip http server
R1(config)#crypto pki server netxCA
R1(cs-server)#database url nvram:
!If this command is not specified, all database entries are written to flash.
R1(cs-server)#database level <minimum | names | complete>
!minimum: only enough information to keep issuing new certificates without conflict (the default)
!names: the minimum information plus the serial number and subject name of each certificate
!complete: the names-level information plus a copy of each issued certificate
R1(cs-server)#issuer-name CN=iosca.networkexpert.co, L=Blr, C=IN
R1(cs-server)#lifetime ca-certificate 365
!default 3 years
R1(cs-server)#lifetime certificate 200
!default 1 year
R1(cs-server)#cdp-url http://172.18.108.26/netxcdp.netx.crl
R1(cs-server)#lifetime crl 24
!in hours; default 1 week (168)
R1(cs-server)#grant auto
!every enrollment request is granted without manual approval
R1(cs-server)#no shutdown
!you are prompted for a passphrase that protects the CA private key

R1#show crypto pki server


Thursday 2 May 2013

Configuring Anyconnect on ASA 8.2

AnyConnect Configuration

domain-name netx.com
!
crypto key generate rsa label sslvpnkeypair modulus 1024
!
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.netx.com
subject-name CN=sslvpn.netx.com
keypair sslvpnkeypair
!
crypto ca enroll localtrust noconfirm
!
ssl trust-point localtrust outside
!The configuration above creates a self-signed certificate and binds it to the outside interface
copy tftp://172.16.1.66/anyconnect-win-2.0.0343-k9.pkg flash
!copy anyconnect s/w package to flash/disk0
webvpn
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
enable outside
svc enable
!
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
!
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 172.16.1.95
vpn-tunnel-protocol svc
default-domain value netx.com
address-pools value SSLClientPool
!
sysopt connection permit-vpn
!
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
webvpn
tunnel-group-list enable
!
access-list no_nat extended permit ip 172.16.1.0 255.255.255.0 192.168.25.0 255.255.255.0
!
nat (inside) 0 access-list no_nat

nat (inside) 1 0 0
global (outside) 1 interface
!
username netx password netx
username netx attributes
service-type remote-access
!
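Added example, not part of this post or the IOS CA post before it: once the self-signed trustpoint above (or a certificate issued by the IOS CA configured earlier) is in use, this Python check pulls the certificate the ASA presents and compares it with what the configuration promises: subject CN equal to the fqdn, issuer CN equal to the trustpoint itself (self-signed) or to the IOS CA's issuer-name CN, and a validity period no longer than the CA's lifetime certificate setting. fetch_cert needs network access and the PEM of the certificate to trust; the two sample certificates at the bottom are constructed, and r2.networkexpert.co is a hypothetical client name.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, cafile=None):
    """Return the peer certificate in the dict form ssl.getpeercert() produces.
    cafile: PEM of the ASA's self-signed certificate (or of the IOS CA) so the
    handshake verifies; an untrusted certificate raises SSLCertVerificationError."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _cn(name):
    """commonName from the nested ((('commonName', 'x'),),) form of getpeercert()."""
    return dict(attr for rdn in name for attr in rdn).get("commonName")

def _utc(cert_time):
    """'May 10 00:00:00 2013 GMT' (getpeercert() notBefore/notAfter) -> aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def assess_cert(cert, expected_cn, expected_issuer_cn, max_days, now=None):
    """Check a presented certificate against what the configurations promise:
    subject CN == the fqdn, issuer CN == the trustpoint itself (self-signed) or
    the IOS CA issuer-name CN, and validity no longer than 'lifetime certificate'."""
    now = _utc(now) if now else datetime.now(timezone.utc)
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    subject_cn, issuer_cn = _cn(cert["subject"]), _cn(cert["issuer"])
    problems = []
    if subject_cn != expected_cn:
        problems.append(f"subject CN {subject_cn!r}, expected {expected_cn!r}")
    if issuer_cn != expected_issuer_cn:
        problems.append(f"issuer CN {issuer_cn!r}, expected {expected_issuer_cn!r}")
    if not not_before <= now <= not_after:
        problems.append("not valid at the time of the check")
    if (not_after - not_before).days > max_days:
        problems.append(f"validity of {(not_after - not_before).days} days exceeds {max_days}")
    return {"self_signed": subject_cn == issuer_cn,
            "days_left": (not_after - now).days, "problems": problems}

# Constructed sample certificates in getpeercert() form (not captured from a device).
ASA_SELF_SIGNED = {"subject": ((("commonName", "sslvpn.netx.com"),),),
                   "issuer": ((("commonName", "sslvpn.netx.com"),),),
                   "notBefore": "May 10 00:00:00 2013 GMT", "notAfter": "May 10 00:00:00 2014 GMT"}
IOS_CA_ISSUED = {"subject": ((("commonName", "r2.networkexpert.co"),),),  # hypothetical client
                 "issuer": ((("commonName", "iosca.networkexpert.co"),),),
                 "notBefore": "May 06 00:00:00 2013 GMT", "notAfter": "Nov 22 00:00:00 2013 GMT"}
```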

Wednesday 1 May 2013

Configuring Network Object NAT in ASA 8.4

Network Object NAT (ASA 8.4)
-----------------------------
Dynamic NAT
The following example configures dynamic NAT that hides 192.168.2.0 network behind a range of
outside addresses 2.2.2.1-2.2.2.10:


ASA(config)# object network my-range-obj
ASA(config-network-object)# range 2.2.2.1 2.2.2.10
ASA(config)# object network my-inside-net
ASA(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic my-range-obj


Dynamic PAT
The following example configures dynamic PAT that hides the 192.168.2.0 network behind address
2.2.2.2:

ASA(config)# object network my-inside-net
ASA(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic 2.2.2.2


The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:
ASA(config)# object network my-inside-net
ASA(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic interface


Dynamic NAT with Dynamic PAT backup
The following example configures dynamic NAT with dynamic PAT backup. Hosts on the inside network 10.76.11.0 are mapped first to the nat-range1 pool (10.10.10.10-10.10.10.20). After all addresses in the nat-range1 pool are allocated, dynamic PAT is performed using the pat-ip1 address (10.10.10.21). In the unlikely event that the PAT translations are also used up, dynamic PAT is performed using the outside interface address.

ASA(config)# object network nat-range1
ASA(config-network-object)# range 10.10.10.10 10.10.10.20
!pool of public IP addresses (dynamic NAT)

ASA(config-network-object)# object network pat-ip1
ASA(config-network-object)# host 10.10.10.21
!single public IP address for PAT (dynamic PAT)

ASA(config-network-object)# object-group network nat-pat-grp
ASA(config-network-object)# network-object object nat-range1
ASA(config-network-object)# network-object object pat-ip1
!object group listing the dynamic NAT pool first and the dynamic PAT address second; the order matters

ASA(config-network-object)# object network my_net_obj5
ASA(config-network-object)# subnet 10.76.11.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic nat-pat-grp interface
!private subnet and its NAT rule: use the object group in order, then fall back to the outside interface address for PAT
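
Added example, not from the post or from Cisco: a simplified Python model of the dynamic-NAT-then-PAT fallback just described, so you can see which mapped address and port a sequence of new flows from 10.76.11.0/24 receives as the nat-range1 pool and then pat-ip1 fill up. It ignores xlate timeouts and hands out PAT ports sequentially, unlike the real ASA; the outside interface address 203.0.113.1 is an assumed placeholder.

```python
from ipaddress import IPv4Address

class DynamicNatWithPatBackup:
    """Simplified model of 'nat (inside,outside) dynamic nat-pat-grp interface'
    from the example above: a real host first receives a whole address from the
    pool (one-to-one, reused for all of its flows); once the pool is exhausted,
    flows share pat_ip with one port each; once those ports are gone, the
    outside interface address is used the same way. Ports are handed out
    sequentially here, which is not how the ASA really chooses PAT ports."""

    def __init__(self, pool_first, pool_last, pat_ip, interface_ip,
                 pat_ports=range(1024, 65536)):
        lo, hi = int(IPv4Address(pool_first)), int(IPv4Address(pool_last))
        self.free_pool = [str(IPv4Address(n)) for n in range(lo, hi + 1)]
        self.nat_xlates = {}                     # real host -> mapped pool address
        self.pat_order = [pat_ip, interface_ip]  # object-group order, then 'interface'
        self.pat_ports = {ip: iter(pat_ports) for ip in self.pat_order}

    def translate(self, real_ip, real_port):
        """Return (mapped_ip, mapped_port, kind) for a new flow from real_ip:real_port."""
        if real_ip in self.nat_xlates:           # host already owns a pool address
            return self.nat_xlates[real_ip], real_port, "dynamic NAT"
        if self.free_pool:
            mapped = self.free_pool.pop(0)
            self.nat_xlates[real_ip] = mapped
            return mapped, real_port, "dynamic NAT"
        for ip in self.pat_order:                # pat-ip1 first, then the interface
            port = next(self.pat_ports[ip], None)
            if port is not None:
                kind = "dynamic PAT" if ip == self.pat_order[0] else "dynamic PAT (interface)"
                return ip, port, kind
        raise RuntimeError("no pool addresses or PAT ports left")

def simulate(flows, **nat_settings):
    """Run (real_ip, real_port) flows through one model instance, returning the xlates."""
    nat = DynamicNatWithPatBackup(**nat_settings)
    return [nat.translate(ip, port) for ip, port in flows]

# Constructed input: 14 hosts of 10.76.11.0/24 each opening one flow, in order.
SAMPLE_FLOWS = [("10.76.11.%d" % i, 40000 + i) for i in range(1, 15)]
```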

Static NAT
The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside with DNS rewrite enabled.
ASA(config)# object network my-host-obj1
ASA(config-network-object)# host 1.1.1.1
ASA(config-network-object)# nat (inside,outside) static 2.2.2.2 dns

The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside using a mapped object.
ASA(config)# object network my-mapped-obj
ASA(config-network-object)# host 2.2.2.2
ASA(config-network-object)# object network my-host-obj1
ASA(config-network-object)# host 1.1.1.1
ASA(config-network-object)# nat (inside,outside) static my-mapped-obj


Static PAT
The following example configures static NAT with port translation for 1.1.1.1 at TCP port 21 to the
outside interface at port 2121.

ASA(config)# object network my-ftp-server
ASA(config-network-object)# host 1.1.1.1
ASA(config-network-object)# nat (inside,outside) static interface service tcp 21 2121


Identity NAT
The following example maps a host address to itself using an inline mapped address:
ASA(config)# object network my-host-obj1
ASA(config-network-object)# host 10.1.1.1
ASA(config-network-object)# nat (inside,outside) static 10.1.1.1

Monday 4 July 2011

Core Knowledge Questions Removed from the CCIE Security and CCIE Storage Exams

Effective August 15, 2011, the CCIE Security Lab Exam and the CCIE Storage Networking Lab Exam, in all global locations, will no longer include the four open-ended Core Knowledge questions. The removal of the Core Knowledge questions allows candidates to use the total lab time for configuration and troubleshooting. The total lab time will remain eight hours.
