Session BRKSEC-3020
Agenda
Packet Flow Understanding the Architecture Failover Troubleshooting Case Studies Online Resources Best Practices
BRKSEC-3020
Cisco Public
Packet Flow
Note: All Firewall Issues Can Be Simplified to Two Interfaces (Ingress and Egress) and the Rules Tied to Both
BRKSEC-3020 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Example Flow

Flow: SRC IP 10.1.1.9, DST IP 198.133.219.25, SRC Port 11030, DST Port 80, Protocol TCP
Interfaces: Source = Inside (client 10.1.1.9), Destination = Outside (servers)
With the Flow Defined, Examination of Configuration Issues Boils Down to Just the Two Interfaces: Inside and Outside
Packet arrives on the ingress interface:
- Input counters are incremented
- The software input queue is an indicator of load
- "no buffer" counts indicate packet drops, typically due to bursty traffic

ASA-5540# show interface gb-ethernet1
interface gb-ethernet1 "inside" is up, line protocol is up
  Hardware is i82543 rev02 gigabit ethernet, address is 0003.470d.6214
  IP address 10.1.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 1 Gbit full duplex
        5912749 packets input, 377701207 bytes, 0 no buffer
        Received 29519 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        286298 packets output, 18326033 bytes, 0 underruns
        input queue (curr/max blocks): hardware (4/25) software (0/0)
        output queue (curr/max blocks): hardware (0/3) software (0/0)
Connection lookup:
- Check first for an existing connection
- If a connection exists, the flow is matched and the ACL check is bypassed
- If no connection exists:
  - TCP non-SYN packet: drop and log
  - TCP SYN or UDP packet: pass to the ACL checks

Established connection (show conn):

ASA-5540# show conn
TCP out 198.133.219.25:80 in 10.1.1.9:11030 idle 0:00:04 Bytes 1293 flags UIO
ACL check:
- The first packet in a flow is processed through the interface ACLs
- ACLs are first match
- The first packet in the flow matches an ACE, incrementing its hit count by one
- Denied packets are dropped and logged

Packet permitted by ACL:

ASA-5540B# show access-list inside
access-list inside line 10 permit ip 10.1.1.0 255.255.255.0 any (hitcnt=1)
Translation Matching

Pre-8.3 (first match within each step, steps in this order):
1. nat 0 access-list (NAT exempt)
2. Match existing xlates
3. Match static commands (Cisco ASA/PIX: first match; FWSM: best match)
4. Match nat commands

8.3 and later: a single NAT table, first match top to bottom
Inspection and security checks:
- Inspections are applied to ensure protocol compliance
- (Optional) customized AIC inspections
- IP addresses embedded in the payload are NATed
- Additional security checks are applied to the packet
- (Optional) packets are passed to the Content Security and Control (CSC) module

Question: what command will show you if packets are being dropped by one of the inspection engines? (The per-inspect drop counters of show service-policy, covered under Troubleshooting Tools.)

Syslogs from packets denied by a security check:

ASA-4-406002: FTP port command different address: 10.2.252.21 (192.168.1.21) to 209.165.202.130 on interface inside
ASA-4-405104: H225 message received from outside_address/outside_port to inside_address/inside_port before SETUP
Translation:
- Translate the IP address in the IP header
- Translate the port if performing PAT
- Update checksums
- (Optional) following the above, pass the packet to the IPS (AIP) module
Egress interface selection:
- The packet is virtually forwarded to the egress interface (i.e., not forwarded to the driver yet)
- The egress interface is determined first by the translation rules
- If the translation rules do not specify an egress interface (e.g., the outbound initial packet), the result of a global route lookup is used to determine the egress interface

Example topology (diagram): Inside 172.16.0.0/16; DMZ 172.16.12.0/24 with host 172.16.12.4; Outside
Interface route lookup:
- Once on the egress interface, an interface route lookup is performed
- Only routes pointing out the egress interface are eligible
- Remember: a translation rule can forward the packet to the egress interface even though the routing table points to a different interface

Syslog from a packet on an egress interface with no route pointing out that interface:

%ASA-6-110003: Routing failed to locate next hop for TCP from inside: 192.168.103.220/59138 to dmz:172.18.124.76/23
Layer 2 resolution:
- Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed
- Layer 2 rewrite of the MAC header
- If Layer 2 resolution fails, no syslog is generated:
  - show arp will not display an entry for the L3 next hop
  - debug arp will indicate if we are not receiving an ARP reply
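The whole path above, as an added example (not code from the Cisco session): a toy model that runs a packet through the same checks in the same order (connection table, ingress ACL with hit counts, NAT, global route, interface route, ARP) and records which drops are logged and which are silent. The table layouts, class names and the sample configuration are assumptions made for the illustration; the example flow 10.1.1.9:11030 to 198.133.219.25:80 and the ACL line are the ones on the slides.

```python
"""Toy model of the ASA packet path: conn table, ACL, NAT, global route,
interface route, ARP. Added example; tables and names are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


@dataclass
class ACE:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src_net: str
    dst_net: str
    dport: Optional[int] = None
    hitcnt: int = 0             # bumped once per new flow, like show access-list

    def matches(self, p):
        return (self.proto in ("ip", p["proto"]) and in_net(p["src"], self.src_net)
                and in_net(p["dst"], self.dst_net)
                and (self.dport is None or self.dport == p["dport"]))


@dataclass
class Firewall:
    acls: dict      # ingress interface -> [ACE]; first match wins
    xlates: dict    # real src -> (mapped src, egress interface or None)
    routes: dict    # interface -> [(network, next hop or None if connected)]
    arp: dict       # next hop -> MAC; a missing key means no ARP reply
    conns: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def process(self, p):
        """Return 'forward' or 'drop'; self.log records why."""
        key = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        if key in self.conns:
            self.log.append("existing conn matched; ACL bypassed")
        else:
            if p["proto"] == "tcp" and not p.get("syn"):
                self.log.append("drop: TCP non-SYN with no connection (logged)")
                return "drop"
            for ace in self.acls.get(p["ingress"], []):
                if ace.matches(p):
                    ace.hitcnt += 1
                    if ace.action == "deny":
                        self.log.append("drop: ACL deny (logged)")
                        return "drop"
                    break
            else:
                self.log.append("drop: implicit deny (logged)")
                return "drop"
            self.conns.add(key)
        # NAT: rewrite the source; a translation rule may also pin the egress interface.
        src, egress = self.xlates.get(p["src"], (p["src"], None))
        if egress is None:
            egress = self.global_lookup(p["dst"])
        if egress is None:
            self.log.append("drop: no route to destination")
            return "drop"
        # Interface route lookup: only routes out of the egress interface are eligible.
        route = self.interface_lookup(egress, p["dst"])
        if route is None:
            self.log.append(f"drop: 110003-style, no route out of {egress} for {p['dst']}")
            return "drop"
        next_hop = route[1] or p["dst"]
        if next_hop not in self.arp:
            self.log.append(f"drop: no ARP entry for {next_hop} (silent on the ASA)")
            return "drop"
        self.log.append(f"forward {src}->{p['dst']} via {egress}, next hop {next_hop}")
        return "forward"

    def global_lookup(self, dst):
        """Longest-prefix match across all interfaces; returns the interface."""
        best = None
        for iface, entries in self.routes.items():
            for net, _ in entries:
                plen = ipaddress.ip_network(net).prefixlen
                if in_net(dst, net) and (best is None or plen > best[1]):
                    best = (iface, plen)
        return best[0] if best else None

    def interface_lookup(self, iface, dst):
        """Longest-prefix match restricted to routes out of iface."""
        cands = [e for e in self.routes.get(iface, []) if in_net(dst, e[0])]
        return max(cands, key=lambda e: ipaddress.ip_network(e[0]).prefixlen, default=None)


def demo():
    """Replay the slides' example flow plus a stray packet and a NAT-pinned egress."""
    fw = Firewall(
        acls={"inside": [ACE("permit", "ip", "10.1.1.0/24", "0.0.0.0/0")]},
        xlates={"10.1.1.9": ("209.165.201.22", None),      # PAT; egress comes from routing
                "10.1.1.50": ("198.51.100.50", "dmz")},   # static rule that pins egress to dmz
        routes={"outside": [("0.0.0.0/0", "209.165.201.1")],
                "dmz": [("172.16.12.0/24", None)]},
        arp={"209.165.201.1": "0003.470d.0001", "172.16.12.4": "0003.470d.0004"},
    )
    web = {"proto": "tcp", "src": "10.1.1.9", "sport": 11030, "dst": "198.133.219.25",
           "dport": 80, "syn": True, "ingress": "inside"}
    results = [fw.process(web),                                        # SYN: ACL, NAT, route, ARP
               fw.process({**web, "syn": False}),                      # next packet: conn table hit
               fw.process({**web, "sport": 11031, "syn": False}),      # stray mid-stream packet
               fw.process({**web, "src": "10.1.1.50", "sport": 2000})] # pinned to dmz, no dmz route
    return results, fw


if __name__ == "__main__":
    for line in demo()[1].log:
        print(line)
```

The fourth packet is the case the slide warns about: the translation rule selects the DMZ, the interface-scoped lookup finds no DMZ route for the destination, and the packet is dropped even though the global routing table would have sent it out the outside interface.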
Understanding the Architecture
- ASA platforms have software-imposed connection limits
- Multi-CPU / multi-core systems hash packets in the same flow to the same CPU/core; 10 Gig interfaces hash a flow to the same RX ring
- The architecture is optimized for multi-flow traffic patterns
- ASASM packet processing is also done in software, unlike the FWSM
Connection limits per platform (values as listed on the slide):

5510: 80k / 80k
5520: 200k / 300k
5540: 500k / 700k
5550: 700k / 700k / 2.74 million
5580: 750k / 1 million+ / 2.77 million
5585 (SSP-10 / 20 / 40 / 60): 500k / 750k / 1 million / 2 million
ASA SM: 2 million / 2 million
Note: Issue show access-list | include elements to see how many ACEs you have
Nested object-groups:

The preceding example expands to 10 x 21 x 33 = 6,930 ACEs. Assume you add a source object-group to it that contains 25 additional sources. Result: (10+25) x 21 x 33 = 24,255 rules (ACEs).

A new command reduces the ACL memory impact of large ACLs, at the cost of extra lookup work per packet. Available starting in 8.3(1):

ASA-5585(config)# object-group-search access-control
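The multiplication above, done by a script instead of by hand. This is an added example, not code from the Cisco session: a small parser for object-group and access-list lines that counts the leaf members of each referenced group, follows nested group-object entries, and multiplies the sizes per ACE. The sample configuration is constructed here (group names SRC-10, SRC-25, SRC-ALL, DST-21, SVC-33 are assumptions) and reproduces the 6,930 and 24,255 figures.

```python
"""Count the ACEs an object-group ACL expands to. Added example; the sample
configuration and group names are constructed for the illustration."""
import re
from collections import defaultdict


def parse_object_groups(config):
    """Return {group name: [member lines]} for every object-group stanza."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group (?:network|service|protocol|icmp-type) (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif line.startswith(" ") and current is not None:
            groups[current].append(line.strip())
        else:
            current = None          # any other top-level line ends the stanza
    return groups


def member_count(groups, name, seen=()):
    """Leaf members of a group, recursing through nested group-object lines."""
    if name in seen:
        raise ValueError(f"object-group loop via {name}")
    total = 0
    for member in groups[name]:
        if member.startswith("group-object "):
            total += member_count(groups, member.split()[1], seen + (name,))
        elif not member.startswith("description"):
            total += 1
    return total


def expanded_aces(config):
    """Expanded ACE count per access-list: product of referenced group sizes per line."""
    groups = parse_object_groups(config)
    counts = defaultdict(int)
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        product = 1
        for ref in re.findall(r"object-group (\S+)", line):
            product *= member_count(groups, ref)
        counts[line.split()[1]] += product
    return dict(counts)


def group(kind, name, members, nested=(), suffix=""):
    """Render one object-group stanza (helper for the constructed sample)."""
    header = f"object-group {kind} {name}{suffix}"
    body = [f" {m}" for m in members] + [f" group-object {g}" for g in nested]
    return "\n".join([header, *body])


# Constructed sample: 10 sources, 21 destinations, 33 ports, then a nested
# source group that adds 25 more sources.
SAMPLE_CONFIG = "\n".join([
    group("network", "SRC-10", [f"network-object host 10.1.1.{i}" for i in range(1, 11)]),
    group("network", "SRC-25", [f"network-object host 10.1.2.{i}" for i in range(1, 26)]),
    group("network", "SRC-ALL", [], nested=("SRC-10", "SRC-25")),
    group("network", "DST-21", [f"network-object host 198.51.100.{i}" for i in range(1, 22)]),
    group("service", "SVC-33", [f"port-object eq {8000 + i}" for i in range(33)], suffix=" tcp"),
    "access-list inside extended permit tcp object-group SRC-10 object-group DST-21 object-group SVC-33",
    "access-list inside_nested extended permit tcp object-group SRC-ALL object-group DST-21 object-group SVC-33",
])


if __name__ == "__main__":
    for name, n in expanded_aces(SAMPLE_CONFIG).items():
        print(f"{name}: {n} ACEs")
```

Run it against a saved show running-config before adding a group to a large ACL; the product tells you what show access-list | include elements will report afterwards, and whether the result fits the platform's ACE limit.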
Global ACLs

- Interface-independent policies
- Global ACLs were introduced in version 8.3
- Best used for new installations, or migration from other vendors
- ASA only

access-group <access_list> global

Policy ordering:
1. Interface-specific access-list
2. Global access-list
3. Default (implicit) deny ip any any
Static Policy NAT (8.3 syntax):

nat (inside,outside) source static ServerReal ServerTrans destination static RemoteSite RemoteSite
The ASA configuration is built into the NAT table (show nat). The NAT table is based on first match (top to bottom):

NAT Table
  Static NAT: longest prefix first, down to shortest prefix
  Dynamic NAT: longest prefix first, down to shortest prefix
object network obj-WebServer
 host 10.3.19.50
 nat (inside,outside) static 198.51.100.50
!
! 8.3+: the ACL references the real, un-translated address of the internal server
access-list allowIn permit tcp any host 10.3.19.50 eq 80
!
access-group allowIn in interface outside
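The NAT table ordering above, as an added example that is not code from the Cisco session: a few network-object NAT rules are sorted the way the 8.3+ table is (static before dynamic, longest prefix first within each) and a real address is resolved by first match, top to bottom. The rule tuples and the sample rules are assumptions; the 10.3.19.50 to 198.51.100.50 rule is the obj-WebServer one from the slide. The rules are deliberately entered with a broad dynamic PAT first to show that configuration order does not decide precedence.

```python
"""Order auto NAT rules as the 8.3+ NAT table does and resolve by first match.
Added example; rule tuples and sample rules are assumptions."""
import ipaddress


def build_nat_table(rules):
    """rules: (real network, mapped, 'static'|'dynamic'), in the order configured."""
    def key(rule):
        net = ipaddress.ip_network(rule[0])
        # static rules first, then dynamic; longest prefix first within each group
        return (0 if rule[2] == "static" else 1, -net.prefixlen, int(net.network_address))
    return sorted(rules, key=key)


def translate(table, real_ip):
    """First matching rule wins, like the show nat order."""
    ip = ipaddress.ip_address(real_ip)
    for real_net, mapped, kind in table:
        net = ipaddress.ip_network(real_net)
        if ip not in net:
            continue
        if kind == "static":
            # static host or net-to-net: keep the host offset inside the mapped block
            mnet = ipaddress.ip_network(mapped)
            return str(mnet.network_address + (int(ip) - int(net.network_address)))
        return mapped                       # dynamic PAT here: every host shares the mapped IP
    return real_ip                          # no rule: leaves untranslated


# Constructed rules, broad PAT listed first on purpose.
RULES = [
    ("10.0.0.0/8", "203.0.113.1", "dynamic"),
    ("10.3.19.50", "198.51.100.50", "static"),
    ("10.3.0.0/16", "203.0.113.2", "dynamic"),
    ("10.3.19.0/24", "198.51.100.0/24", "static"),
]


if __name__ == "__main__":
    table = build_nat_table(RULES)
    for rule in table:
        print(rule)
    for host in ("10.3.19.50", "10.3.19.7", "10.3.4.4", "10.9.9.9"):
        print(host, "->", translate(table, host))
```

Had the table been first-configured-first, the /8 PAT would have swallowed the web server's static translation; the prefix-length ordering is what keeps inbound connections to 198.51.100.50 working.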
FWSM Architecture

Software: Control Point: ACL compilation, fixups, syslog, AAA, IPv6 in software
Hardware: Session Manager (NP 3): session establishment and teardown, AAA cache, ACLs
Hardware: Fast Path (NP 1, NP 2): flow identification, security checks and NAT in hardware
FWSM Hardware Limits (see Appendix)

FWSM has several hardware limits that should be considered in your network design. Limits are hard set, but vary based on single or multiple mode. Some limits include (multiple-mode per-context value in parentheses):

Limit                 | 2.3               | 3.1/3.2 (increase over 2.3) | 4.0/4.1 (increase over 3.1)
ACEs                  | 56,627 (9,704)    | 72,806 (11,200)             | 100,567 (14,801)
AAA Rules             | 3,942 (606)       | 6,451 (992)                 | 8,744 (1,345)
Global Statements     | 1K (1K)           | 4K (4K)                     | 4K (4K)
Static NAT Statements | 2K (2K)           | 2K (2K)                     | 2K (2K)
Policy NAT ACEs       | 3,942 (606)       | 1,843 (283)                 | 2,498 (384)
NAT Translations      | 256K (256K)       | 256K (256K)                 | 256K (256K)
Connections           | 999,990 (999,990) | 999,990 (999,990)           | 999,990 (999,990)
Route Table Entries   | 32K (32K)         | 32K (32K)                   | 32K (32K)
Fixup/Inspect Rules   | 32 (32 per)       | 4,147 (1,417)               | 5,621 (1,537)
Filter Statements     | 3,942 (606)       | 2,764 (425)                 | 3,747 (576)
ACL memory partitions

Single context:
Tree 0 : active = 100,567 ACEs

Multiple context:
Tree 0 through Tree 11 : active = 14,801 ACEs each
Tree 12 : backup
Classifier in Multimode

When the firewall receives a packet, it must classify it to determine where to send the packet (which context). Packets are classified based on the following:
- Unique ingress interface/VLAN
- Packet destination IP matches a global IP

The FWSM has a single MAC address for all interfaces. The ASA has a single MAC for shared interfaces (physical interfaces have unique MACs); ASA version 7.2 introduces the mac-address auto option to change this.
Classifier in Multimode: Example

Inbound traffic is classified to context CTX3, based on the global IP in the NAT translation.

Topology (diagram): shared outside interface on VLAN 4; inside interfaces 10.1.1.2, 10.1.2.2 (VLAN 5, CTX2) and 10.1.3.2 (VLAN 6, CTX3); inbound packet with SRC IP 192.168.5.4. CTX3 holds the translation:

static (inside,outside) 10.14.3.89 10.1.3.2
Common multiple-mode pitfalls:
- Forgetting to monitor-interface for failover
- Forgetting to assign a unique IP to each transparent-mode context
- Transparent mode with multiple BVIs still has a single routing table
Failover
Failover Basics

- Active/Standby vs. Primary/Secondary
- Serial vs. LAN failover
- Stateful failover (optional)
- A failover only occurs when either firewall determines the standby firewall is healthier than the active firewall
- Both firewalls swap MAC and IP addresses when a failover occurs
- Level 1 syslogs give the reason for the failover
Interface monitoring: the first test that passes causes the interface on that unit to be marked healthy; only if all tests fail is the interface marked failed.
Failover syslogs (see Appendix):

ASA-4-411002: Line protocol on Interface inside, changed state to down
ASA-1-105007: (Primary) Link status Down on interface 1
ASA-1-104002: (Primary) Switching to STNDBY - interface check, mate is healthier
Upgrading a failover pair (state shown as Primary / Secondary):

1. Start: Primary = Active, Secondary = Standby
2. On the Secondary: copy the new image over and reboot; wait for failover to finish syncing and normalize (approx. 2 min); verify the config and that connections are replicated
3. On the Secondary, issue failover active: Primary = Standby, Secondary = Active
4. On the Primary: copy the new image over and reboot; wait for failover to finish syncing and normalize (approx. 2 min); verify the config and that connections are replicated
5. On the Primary, issue failover active: Primary = Active, Secondary = Standby
6. Upgrade complete
Troubleshooting
Troubleshooting Tools

- Syslogs
- Debug commands
- Show commands
- Packet capture
- Packet tracer
- TCP ping
Uses of Syslogs

- The primary mechanism to record traffic to and through the firewall
- The best troubleshooting tool available
- Serves both archival and debugging purposes

Destinations (diagram): console, buffered, SSH client, syslog server, SNMP server (trap)
Number of syslog messages per level (cumulative total in parentheses):

Level           | 7.0        | 7.2        | 8.0        | 8.1        | 8.2        | 8.3        | 8.4
0 Emergency     | 0          | 0          | 0          | 0          | 0          | 0          | 0
1 Alert         | 62 (62)    | 77 (77)    | 78 (78)    | 87 (87)    | 87 (87)    | 95 (95)    | 109 (109)
2 Critical      | 29 (91)    | 35 (112)   | 49 (127)   | 50 (137)   | 56 (143)   | 57 (152)   | 63 (172)
3 Errors        | 274 (365)  | 334 (446)  | 361 (488)  | 363 (500)  | 384 (527)  | 408 (560)  | 448 (620)
4 Warnings      | 179 (544)  | 267 (713)  | 280 (768)  | 281 (781)  | 315 (842)  | 324 (884)  | 357 (977)
5 Notifications | 161 (705)  | 206 (919)  | 216 (984)  | 218 (999)  | 237 (1079) | 246 (1130) | 265 (1242)
6 Informational | 234 (939)  | 302 (1221) | 335 (1319) | 337 (1336) | 368 (1447) | 377 (1507) | 395 (1637)
7 Debugging     | 217 (1156) | 258 (1479) | 266 (1585) | 267 (1603) | 269 (1716) | 269 (1776) | 276 (1913)

Every release adds messages, so the volume produced at a given level grows with each upgrade.
Problem

You want to record which exec commands are being executed on the firewall. Syslog ID 111009 records this information, but by default it is at level seven (debugging):

%ASA-7-111009: User johndoe executed cmd: show run

The problem is that we don't want to log all 1,775 other syslogs that are generated at the debugging level.
If you were only interested in logging one syslog message, how could you do it? One option is to reassign the severity of that message (the logging message <id> level <level> command) so that it is emitted at a level you already send; now our syslog looks as follows:

%ASA-3-111009: User johndoe executed cmd: show run

Tip: use show logging message all to see the default level for any message. (The appendix shows the other option, a logging list that names only the message ID.)
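Both approaches, modelled in code. This is an added example, not code from the Cisco session: it parses lines in the real %ASA-<level>-<id>: format and applies either a level threshold, a logging list that names message IDs, or a per-ID severity remap, then shows what reaches the server. The Logger and LoggingList classes are assumptions made for the model; the sample lines are constructed (111009, 406002 and 110003 are the lines quoted on the slides).

```python
"""Model of ASA syslog selection: trap level, logging list by message ID,
and logging message <id> level <n>. Added example; classes and sample
lines are constructed for the illustration."""
import re

SYSLOG_RE = re.compile(r"^%(?P<dev>ASA|PIX|FWSM)-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")


def parse(line):
    """Split an ASA syslog line into device, severity, message ID and text."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    return {"dev": m["dev"], "sev": int(m["sev"]), "id": int(m["id"]), "text": m["text"]}


class LoggingList:
    """A plain 'logging trap 6' is LoggingList(level=6); a list built with
    'logging list X message <id>' is LoggingList(message_ids={...})."""
    def __init__(self, level=None, message_ids=()):
        self.level = level
        self.message_ids = set(message_ids)

    def selects(self, msg_id, sev):
        return msg_id in self.message_ids or (self.level is not None and sev <= self.level)


class Logger:
    def __init__(self, trap, level_overrides=None):
        self.trap = trap                                 # list bound to the trap destination
        self.overrides = dict(level_overrides or {})     # 'logging message <id> level <n>'

    def emit(self, line):
        """Line as it reaches the syslog server, or None if filtered out."""
        msg = parse(line)
        if msg is None:
            return None
        sev = self.overrides.get(msg["id"], msg["sev"])   # remapped severity wins
        if not self.trap.selects(msg["id"], sev):
            return None
        return f"%{msg['dev']}-{sev}-{msg['id']:06d}: {msg['text']}"

    def run(self, lines):
        return [out for out in map(self.emit, lines) if out is not None]


# Constructed sample input.
SAMPLE_LINES = [
    "%ASA-7-111009: User johndoe executed cmd: show run",
    "%ASA-7-710005: TCP request discarded from 10.1.1.9/11030 to inside:10.1.1.1/23",
    "%ASA-6-302013: Built outbound TCP connection 12 for outside:198.133.219.25/80 "
    "(198.133.219.25/80) to inside:10.1.1.9/11030 (209.165.201.22/11030)",
    "%ASA-4-406002: FTP port command different address: 10.2.252.21 (192.168.1.21) "
    "to 209.165.202.130 on interface inside",
    "%ASA-6-110003: Routing failed to locate next hop for TCP from inside: "
    "192.168.103.220/59138 to dmz:172.18.124.76/23",
    "not a syslog line at all",
]


def compare():
    """(trap level 6, list naming only 111009, trap level 6 plus 111009 remapped to 3)."""
    return (Logger(LoggingList(level=6)).run(SAMPLE_LINES),
            Logger(LoggingList(message_ids={111009})).run(SAMPLE_LINES),
            Logger(LoggingList(level=6), {111009: 3}).run(SAMPLE_LINES))


if __name__ == "__main__":
    for label, out in zip(("trap 6", "list 111009", "trap 6 + remap"), compare()):
        print(label, "->", len(out), "lines")
        for line in out:
            print("   ", line)
```

The remap variant keeps the level-6 traffic you already collect and adds the one debugging message; the list variant is the right tool when a dedicated destination should receive nothing but the audit record of executed commands.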
Debug Commands

1. Debugs should not be the first choice to troubleshoot a problem
2. Debugs can negatively impact the CPU of the box, and also its performance; use with caution
3. Debugs are not conditional*
4. Know how much traffic of the specified type is passing through the firewall before enabling the respective debug
debug icmp trace

- A valuable tool used to troubleshoot connectivity issues
- Provides interface and translation information to quickly determine the flow
- Echo replies must be explicitly permitted through the ACL, or ICMP inspection must be enabled

Example debug icmp trace output:

ICMP echo-request from inside:10.1.1.2 to 198.133.219.25 ID=3239 seq=4369 length=80
ICMP echo-request: translating inside:10.1.1.2 to outside:209.165.201.22
ICMP echo-reply from outside:198.133.219.25 to 209.165.201.22 ID=3239 seq=4369 length=80
ICMP echo-reply: untranslating outside:209.165.201.22 to inside:10.1.1.2
Show command output filters (see Appendix)

Use output filters to restrict the output of a show command to only the information you want to see. To use them, at the end of show <command>, use the pipe character | followed by one of:

begin    Start displaying the output at the first match of the RegEx, and continue to display the remaining output
include  Display any line that matches the RegEx
exclude  Display any line that does not match the RegEx
grep     Same as include
grep -v  Same as exclude
*First Introduced in Cisco ASA Version 7.2(4.11), 8.0(4.5), 8.1(1.100), 8.2(1). Currently not Available in FWSM
A corresponding syslog message is also generated. Note: the traceback in the syslog below does not signify a crash.

May 29 2009 14:18:47: %ASA-7-711002: Task ran for 10 msec, Process = ssh_init, PC = 8b9ac8c, Traceback = 0x08B9AC8C 0x08BA573E 0x08BA58E8 0x08BA6971 0x08BA02B4 0x08062413 0x08BA77ED

*First introduced in Cisco ASA version 7.0(1). Currently not available in FWSM.
Show Traffic

The show traffic command displays the traffic received and transmitted out each interface of the firewall.

ASA# show traffic
outside:
        received (in 124.650 secs):
                295468 packets  167218253 bytes
                2370 pkts/sec   1341502 bytes/sec
        transmitted (in 124.650 secs):
                260901 packets  120467981 bytes
                2093 pkts/sec   966449 bytes/sec
inside:
        received (in 124.650 secs):
                261478 packets  120145678 bytes
                2097 pkts/sec   963864 bytes/sec
        transmitted (in 124.650 secs):
                294649 packets  167380042 bytes
                2363 pkts/sec   1342800 bytes/sec
Warning

FWSM# show np blocks
                  MAX     FREE
NP1 (ingress)   32768    32768
    (egress)   521206   521206
NP2 (ingress)   32768    32768
    (egress)   521206   521206
NP3 (ingress)   32768    32768
    (egress)   521206   521206
THRESH_0     0     0    0    0       13    0
THRESH_1     0     0    0    0   460417    0
THRESH_2   550     0   92    0  4427509    0
Connection Flags
Example: Connection Build-Up

1. The firewall receives an initial SYN packet from the inside; the SYN is permitted by the access-list, a translation (xlate) is built, and the connection is also created with the flags saA
2. The outside device responds to the SYN packet with a SYN+ACK; the connection flags are updated to reflect this and now show A
3. The inside device responds to the SYN+ACK with an ACK; this completes the TCP three-way handshake, and the connection is now considered up (U flag)
4. The outside device sends the first data packet; the connection is updated and an I is added to the flags to indicate the firewall received inbound data on that connection
5. Finally, the inside device sends a data packet and the connection is updated to include the O flag

Connection flags after each step (inside client to outside server): saA, A, U, UI, UIO
Example: Connection Teardown

1. The firewall receives a FIN packet from the inside; as the FIN passes through the firewall, it updates the connection flags by adding an f to indicate that the FIN was received on the inside interface
2. The outside device immediately responds to the FIN packet with a FIN+ACK; the connection flags are updated to reflect this and now show UfFR
3. The inside device responds to the FIN+ACK with a final ACK and the firewall tears down the connection; there are no more connection flags, because the connection no longer exists

Connection flags after each step (inside client to outside server): Uf, UfFR, UfFRr (then removed)
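The two sequences above as a small state machine. This is an added example, not code from the Cisco session: it replays the same packets and returns the flag string after each one, for both the build-up with data (saA, A, U, UI, UIO) and the teardown (Uf, UfFR, UfFRr). The flag letters and what each step sets are taken from the slides; the event names, the display order and the closing condition are assumptions made for this model.

```python
"""State machine for ASA TCP connection flags as shown on the slides.
Added example; event names, display order and close rule are assumptions."""

FLAG_ORDER = "UIOsaAfFRr"   # display order chosen so output matches the slides


class Conn:
    def __init__(self):
        self.flags = set()
        self.closed = False

    def __str__(self):
        return "".join(f for f in FLAG_ORDER if f in self.flags)

    def packet(self, direction, syn=False, ack=False, fin=False, data=False):
        """Apply one packet; direction is 'in' (from the inside host) or 'out'."""
        if self.closed:
            raise ValueError("connection no longer exists")
        f = self.flags
        if syn and not ack and direction == "in":
            f.update("saA")             # inside SYN: awaiting outside SYN/ACK and inside ACK
        elif syn and ack and direction == "out":
            f.difference_update("sa")   # outside answered: only the inside ACK is pending
        elif ack and "A" in f and direction == "in" and not (fin or data):
            f.discard("A")
            f.add("U")                  # three-way handshake complete: connection up
        if data:
            f.add("I" if direction == "out" else "O")   # inbound / outbound data seen
        if fin:
            f.add("f" if direction == "in" else "F")    # FIN seen from inside / outside
            if direction == "out" and "f" in f:
                f.add("R")              # outside's FIN+ACK acknowledges the inside FIN
        elif ack and "F" in f and direction == "in":
            f.add("r")                  # inside's final ACK acknowledges the outside FIN
        if {"f", "F", "R", "r"} <= f:
            self.closed = True          # conn torn down; a real ASA removes the entry
        return str(self)


def replay(with_data=True):
    """Flags after each packet for the slides' build-up (optionally with data) and teardown."""
    c = Conn()
    seq = [("in", dict(syn=True)), ("out", dict(syn=True, ack=True)), ("in", dict(ack=True))]
    if with_data:
        seq += [("out", dict(ack=True, data=True)), ("in", dict(ack=True, data=True))]
    seq += [("in", dict(ack=True, fin=True)), ("out", dict(ack=True, fin=True)), ("in", dict(ack=True))]
    return [c.packet(d, **kw) for d, kw in seq], c.closed


if __name__ == "__main__":
    print(replay(with_data=True))
    print(replay(with_data=False))
```

Reading show conn with this in mind: a flow stuck at saA never got an answer from the outside host (routing, NAT or an upstream filter), one stuck at A got the SYN+ACK back but the inside host never completed the handshake, and a large population at aB, as in the traffic-spike case study later, is a SYN flood from the outside.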
Teardown syslog format:

ASA-6-302014: Teardown TCP connection number for intf_name:real_IP/real_port to intf_name:real_IP/real_port duration time bytes number [reason] [(user)]
TCP Connection Termination Reasons: Quick Reference (Cont.), for your reference

Reason                               | Description
SYN Timeout                          | Force termination after two minutes awaiting three-way handshake completion
TCP Bad Retransmission               | Connection terminated because of a bad TCP retransmission
TCP FINs                             | Normal close-down sequence
TCP Invalid SYN                      | Invalid TCP SYN packet
TCP Reset-I                          | TCP reset was sent from the inside host
TCP Reset-O                          | TCP reset was sent from the outside host
TCP Segment Partial Overlap          | Detected a partially overlapping segment
TCP Unexpected Window Size Variation | Connection terminated due to a variation in the TCP window size
Tunnel Has Been Torn Down            | Flow terminated because the tunnel is down
Unauth Deny                          | Connection denied by the URL filtering server
Unknown                              | Catch-all error
Xlate Clear                          | User executed the clear xlate command
show local-host

- A local-host entry is created for any IP tracked through the firewall
- It groups the xlates, connections, and AAA information
- Very useful for seeing the connections terminating on servers
- Add the detail connection arguments (show local-host detail connection) to list the connections themselves

ASA# show local-host detail connection tcp 50
Interface dmz: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <192.168.103.220>,
    TCP flow count/limit = 798/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
  Conn:
    TCP outside:172.18.124.76/80 inside:192.168.103.220/34078, flags UO, idle 0s, uptime 0s, timeout 30s, bytes 0
    TCP outside:172.18.124.76/80 inside:192.168.103.220/34077, flags UO, idle 0s, uptime 0s, timeout 30s, bytes 0
    (output truncated)
show service-policy

The show service-policy command is used to quickly see what inspection policies are applied and the packets matching them.

ASA-5585/admin# show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: http, packet 1215927, lock fail 0, drop 0, reset-drop 0
      Inspect: icmp, packet 57, lock fail 0, drop 0, reset-drop 0
...
Interface outside:
  Service-policy: VoIP
    Class-map: voice_marked
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 349
The flow keyword shows which policies a specific flow would hit:

ASA# show service-policy flow tcp host 10.1.9.6 host 10.8.9.3 eq 1521
Global policy:
  Service-policy: global_policy
Interface outside:
  Service-policy: outside
    Class-map: oracle-dcd
      Match: access-list oracle-traffic
        Access rule: permit tcp host 10.1.9.6 host 10.8.9.3 eq sqlnet
      Action:
        Input flow: set connection timeout dcd
Packet Capture

capture <capture-name> [access-list <acl-name>] [buffer <buf-size>] [ethernet-type <type>]
  [interface <if-name>] [packet-length <bytes>] [circular-buffer]
  [type raw-data|asp-drop|isakmp|webvpn user <username>]
  [match <prot> {host <sip> | <sip> <mask> | any} [eq | lt | gt <port>] {host <dip> | <dip> <mask> | any} [eq | lt | gt <port>]]
  [real-time [dump] [detail] [trace]] [trace [detail] [trace-count <1-1000>]]

- The capture command was first introduced in Cisco 7.0; the FWSM needs 3.1.5 or later
- ASA 7.2(3) and 8.0(3) added a real-time option
- ASDM 6.0 adds a capture wizard
- Capture sniffs packets on an interface that match an ACL, or a match line

Key steps:
1. Use the match keyword to specify what traffic to capture (implicitly bidirectional), or define the capture and bind it to an access-list and interface
2. View the capture on the firewall, or copy it off in .pcap format
Packet capture notes (see Appendix):
- Traffic can be captured both before and after it passes through the firewall: one capture on the inside interface, one capture on the outside interface
- The capture buffer is saved in RAM (default size 512 KB)
- The default is to stop capturing when the buffer is full
- The default packet length is 1518 bytes
- Copy captures off via TFTP or HTTPS
- Packets are captured at the first and last points they can be in the flow
- Ingress packets are captured before any packet processing has been done on them
- Egress packets are captured after all processing (including the L2 source MAC rewrite)
Packet Tracer (ASA only)

- A packet tagged with the trace option is injected into the interface and processed in the data plane
- Each action taken on the packet is recorded in the packet itself
- When the packet reaches the egress interface, or is dropped, it is punted to the control plane
- The control plane reads and displays the actions taken on the packet, along with the associated lines in the configuration
Packet tracer output (screenshots): Final Result; Important!
TCP Ping

- A new troubleshooting tool added in ASA version 8.4.1
- Why is it needed? The reachability tools available before were limited to ping and traceroute, which validate the path with ICMP echo request/reply. Do you have access to the client machine? And what about validating the path with NAT and/or PAT applied?

Topology (diagram): client 10.1.1.7 on the inside
TCP Ping

- Sources a TCP SYN packet with the client's IP and injects it into the client's interface of the ASA
- Example (diagram): a packet with SRC 10.1.1.7 is injected on the inside interface; internal hosts are PATed to 198.51.100.2
- The diagram traces the SYN across three legs (1st, 2nd, 3rd) from inside 10.1.1.7
Case Studies
Case Study: Leveraging Smart Call Home (ASA only)

This will send a plain-text e-mail with the output of the command to the e-mail address specified, with the command in the subject line.

Example: Subject: CLI show run output
Case Study: Intermittent Access to Web Server

Topology (diagram): clients reach a web server NATed to 10.1.1.50
Traffic Spike
ASA-5510# show perfmon
PERFMON STATS:                      Current    Average
Xlates                                 0/s        0/s
Connections                         2059/s      299/s
TCP Conns                           2059/s      299/s
UDP Conns                              0/s        0/s
URL Access                             0/s        0/s
URL Server Req                         0/s        0/s
TCP Fixup                              0/s        0/s
TCP Intercept Established Conns        0/s        0/s
TCP Intercept Attempts                 0/s        0/s
TCP Embryonic Conns Timeout         1092/s        4/s
HTTP Fixup                             0/s        0/s
FTP Fixup                              0/s        0/s
AAA Authen                             0/s        0/s
AAA Author                             0/s        0/s
AAA Account                            0/s        0/s

VALID CONNS RATE in TCP INTERCEPT:  Current    Average
                                        N/A     95.00%
ASA-5510# show conn
54764 in use, 54764 most used
TCP outside 17.24.101.118:26093 inside 10.1.1.50:80, idle 0:00:23, bytes 0, flags aB
TCP outside 111.76.36.109:23598 inside 10.1.1.50:80, idle 0:00:13, bytes 0, flags aB
TCP outside 24.185.110.202:32729 inside 10.1.1.50:80, idle 0:00:25, bytes 0, flags aB
TCP outside 130.203.2.204:56481 inside 10.1.1.50:80, idle 0:00:29, bytes 0, flags aB
TCP outside 39.142.106.205:18073 inside 10.1.1.50:80, idle 0:00:02, bytes 0, flags aB
TCP outside 75.27.223.63:51503 inside 10.1.1.50:80, idle 0:00:03, bytes 0, flags aB
TCP outside 121.226.213.239:18315 inside 10.1.1.50:80, idle 0:00:04, bytes 0, flags aB
TCP outside 66.187.75.192:23112 inside 10.1.1.50:80, idle 0:00:06, bytes 0, flags aB
TCP outside 13.50.2.216:3496 inside 10.1.1.50:80, idle 0:00:13, bytes 0, flags aB
TCP outside 99.92.72.60:47733 inside 10.1.1.50:80, idle 0:00:27, bytes 0, flags aB
TCP outside 30.34.246.202:20773 inside 10.1.1.50:80, idle 0:00:02, bytes 0, flags aB
TCP outside 95.108.110.131:26224 inside 10.1.1.50:80, idle 0:00:02, bytes 0, flags aB
TCP outside 76.181.105.229:21247 inside 10.1.1.50:80, idle 0:00:06, bytes 0, flags aB
TCP outside 82.210.233.230:44115 inside 10.1.1.50:80, idle 0:00:02, bytes 0, flags aB
TCP outside 134.195.170.77:28138 inside 10.1.1.50:80, idle 0:00:12, bytes 0, flags aB
TCP outside 70.133.128.41:22257 inside 10.1.1.50:80, idle 0:00:15, bytes 0, flags aB
TCP outside 124.82.133.172:27391 inside 10.1.1.50:80, idle 0:00:27, bytes 0, flags aB
TCP outside 26.147.236.181:37784 inside 10.1.1.50:80, idle 0:00:07, bytes 0, flags aB
TCP outside 98.137.7.39:20591 inside 10.1.1.50:80, idle 0:00:13, bytes 0, flags aB
TCP outside 37.27.115.122:24542 inside 10.1.1.50:80, idle 0:00:12, bytes 0, flags aB
...
Observations: a few clients represent 50+% of the traffic, and TCP Intercept was applied. Why did the connection count drop after TCP Intercept was applied? With TCP Intercept the ASA answers the client's SYN itself and only builds the connection through to the server once the client's ACK arrives, so the unanswered SYNs of the flood no longer occupy conn entries.
TCP Intercept
Online Resources
Online Resources

- Support Communities: supportforums.cisco.com
- TAC Security Show podcast
- Online learning modules (VoD training)
- Security RSS feeds
Supportforums.cisco.com

- Public wiki: anyone can author articles
- Combines the support wiki and the NetPro forums
- Sections for ASA, FWSM and PIX
- Hundreds of sample configs, troubleshooting docs and FAQs

http://supportforums.cisco.com/
https://supportforums.cisco.com/docs/DOC-5727
Best Practices
Release status (diagram): 7.2.5 (EOL), 8.0.5 (EOL), the ASA-5580-only release (EOL), 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, and the ASA-SM-only release
Q&A
Thank you.
Appendix
Lucky You. This appendix contains extra information which you may find useful, but I just didn't have enough time to cover in the lecture or which was covered in previous years. Enjoy :-)
Appendix contents:
- ASA 8.3 memory requirements
- SNMP OIDs to monitor
- Example: show output filters
- Code base history
- Case studies: poor voice quality; out-of-order packet buffering; TCP MSS issue; out of memory; high CPU capture example
- FWSM additional architecture slides
- Failover extras
- Packet capture example
- Online tools
- ASDM
- Information to include when opening a TAC case
Solution

Create a logging list that contains only the one syslog ID:

ASA(config)# logging list Networkers message 711001
* For the 5505, only the Security Plus or Unlimited licenses require the memory upgrade
SNMP OIDs

CPU usage:
  1.3.6.1.4.1.9.9.109.1.1.1.1.3.1 (5 sec)
  1.3.6.1.4.1.9.9.109.1.1.1.1.4.1 (1 min)
  1.3.6.1.4.1.9.9.109.1.1.1.1.5.1 (5 min)
Connections:
  1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6 (current total)
  1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.7 (max total)
Traffic:
  1.3.6.1.2.1.2.2.1.{10|16}.n (in/out octets for interface index n)
Use snmpwalk to verify the interface indexes!
Example: display the interface stats starting with the inside interface

show interface | begin inside
Code Base History (diagram)

PIX: 6.0(1); then PIX/ASA in sync: 7.0(1), 7.1(1), 7.2(1), 8.0(2), 8.3(1)
FWSM feature releases: 1.1(1), 2.2(1), 2.3(1), 3.1(1), 3.2(1), 4.0(1), 4.1(1)
FWSM maintenance releases: 1.1(2), 1.1(3), 2.3(2), 3.1(2), 3.1(6), 3.1(10), 3.1(17), 3.2(2) (SafeHarbor), 3.2(4) (SafeHarbor), 3.2(17) (GD), 4.0(2), 4.0(4) (SafeHarbor), 4.0(11)
Case Study: Poor Voice Quality

Topology (diagram): 100 Mbps LAN behind the firewall, cable modem with a 2 Mbps WAN uplink
Fix: shape the outside interface to 2 Mbps and give voice traffic priority within the shaped rate
class-map voice-traffic
 match dscp af13 ef
!
policy-map qos_class_policy
 class voice-traffic
  priority
!
policy-map qos_outside_policy
 class class-default
  shape average 2000000
  service-policy qos_class_policy
!
service-policy qos_outside_policy interface outside

To view statistics on the operation of the shaper, use the command show service-policy shape.
Case Study: Out-of-Order Packet Buffering
- Some networks have high numbers of out-of-order packets, often caused by asymmetric traffic flows
- If the out-of-order packet buffer isn't large enough, traffic is dropped and packets must be retransmitted

Topology (diagram): client 192.168.1.30 on the inside, server 10.16.9.2 on the outside
How to fix?

access-list OOB-nets permit tcp any 10.16.9.0 255.255.255.0
!
tcp-map OOO-Buffer
 queue-limit 6
!
class-map tcp-options
 match access-list OOB-nets
!
policy-map global_policy
 class tcp-options
  set connection advanced-options OOO-Buffer
!
service-policy global_policy global
Case Study
TCP MSS (Maximum Segment Size)
Some servers have broken TCP stacks and ignore the MSS advertised by the client. The firewall's TCP normalizer drops segments that exceed the MSS advertised in the SYN; by default the firewall itself clamps that advertised value to 1380 (sysopt connection tcpmss 1380), which is why 1380 appears in the messages below.
[Diagram: client 192.168.1.30 (inside) to server 10.16.9.2 (outside)]
Client -> Server: SYN, MSS=1380
Server -> Client: SYN+ACK, MSS=1400
Server -> Client: DATA, 1390 bytes (larger than the 1380 the client advertised, dropped by the firewall)
%ASA-4-419001: Dropping TCP packet from outside:10.16.9.2/80 to inside:192.168.1.30/1025, reason: MSS exceeded, MSS 1380, data 1390
How to fix? Allow segments that exceed the MSS, but only for the broken server, so the check stays on for everything else:
access-list MSS-hosts permit tcp any host 10.16.9.2
!
tcp-map mss-map
 exceed-mss allow
!
class-map mss
 match access-list MSS-hosts
!
policy-map global_policy
 class mss
  set connection advanced-options mss-map
!
service-policy global_policy global
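As an added example (not part of the presentation), the following POSIX shell script turns a batch of %ASA-4-419001 messages into the scoped fix above: it extracts the server, the advertised MSS and the segment size from each drop, keeps only servers that really sent more than the MSS, and emits one access-list line per offender followed by the tcp-map/class-map/policy-map stanza. The syslog lines are constructed samples in the format shown on the slide; the object names (MSS-hosts, mss-map, mss) are the slide's, the function names are mine.

```sh
#!/bin/sh
# Added example (not from the presentation): derive the per-host exceed-mss
# exception from %ASA-4-419001 "MSS exceeded" syslogs, so the relaxation is
# scoped to the broken servers instead of being disabled firewall-wide.
# The syslog lines below are constructed samples in the slide's format.

sample_419001() {
    cat <<'EOF'
%ASA-4-419001: Dropping TCP packet from outside:10.16.9.2/80 to inside:192.168.1.30/1025, reason: MSS exceeded, MSS 1380, data 1390
%ASA-4-419001: Dropping TCP packet from outside:10.16.9.2/80 to inside:192.168.1.31/1027, reason: MSS exceeded, MSS 1380, data 1400
%ASA-4-419001: Dropping TCP packet from outside:10.16.9.7/443 to inside:192.168.1.30/1030, reason: MSS exceeded, MSS 1380, data 1460
%ASA-6-302014: Teardown TCP connection 12 for outside:10.16.9.2/80 to inside:192.168.1.30/1025 duration 0:00:05 bytes 0 TCP Reset-O
EOF
}

# mss_offenders: "<server-ip> <advertised-mss> <largest-segment-seen>",
# one line per server, from the 419001 messages on stdin.  The awk check
# ($3 > $2) keeps only drops where the data really exceeded the MSS.
mss_offenders() {
    grep '%ASA-4-419001' \
      | sed -n 's/.*from [A-Za-z0-9_-]*:\([0-9.]*\)\/[0-9]* to .*MSS \([0-9]*\), data \([0-9]*\).*/\1 \2 \3/p' \
      | awk '$3 > $2 { if ($3 > max[$1]) max[$1] = $3; mss[$1] = $2 }
             END { for (h in max) print h, mss[h], max[h] }' \
      | sort
}

# mss_fix_config: emit the MPF fix for every offender (one ACE per host).
mss_fix_config() {
    mss_offenders | awk '{ printf "access-list MSS-hosts permit tcp any host %s\n", $1 }'
    cat <<'EOF'
!
tcp-map mss-map
 exceed-mss allow
!
class-map mss
 match access-list MSS-hosts
!
policy-map global_policy
 class mss
  set connection advanced-options mss-map
!
service-policy global_policy global
EOF
}

sample_419001 | mss_offenders
sample_419001 | mss_fix_config
```

Feed it real syslog with `grep 419001 asa.log | mss_fix_config` and review the generated ACEs before pasting them in; a server that appears once with a marginal overshoot is worth fixing on the server side rather than exempting.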
Case Study
Out of Memory
Symptoms: users are unable to access the Internet; no new connections are working; all old (long-lived) connections continue to work.
Step 1: Check the syslogs
%PIX-3-211001: Memory allocation Error %PIX-3-211001: Memory allocation Error
Step 2: Check the translation table
pixfirewall# show xlate
251 in use, 258 most used
PAT Global 209.165.201.26(2379) Local 10.1.1.132(52716)
PAT Global 209.165.201.26(2378) Local 10.1.1.227(20276)
Global 209.165.201.25 Local 10.1.1.102
PAT Global 209.165.201.26(2255) Local 10.1.1.125(12783)
PAT Global 209.165.201.26(2382) Local 10.1.1.175(39197)
PAT Global 209.165.201.26(2254) Local 10.1.1.34(43543)
Traffic flow: the vast majority of traffic is coming in the inside interface and going out the outside interface.
Conn count is very high, but xlate count is low
Many connections per xlate
Probably one, or a few, hosts are generating the vast majority of connections
Most likely due to a virus on the host(s)
Step 3: Look at the per-host counters, showing only the lines that have the word host or count/limit in them
pixfirewall# show local-host | include host|count/limit
...
local host: <10.1.1.99>,
    TCP connection count/limit = 146608/unlimited
    UDP connection count/limit = 0/unlimited
...
Host 10.1.1.99 is eating up all the connections, and they are TCP-based connections
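An added example (not from the presentation) of the same hunt done with a script rather than by eye: it parses show local-host output, ranks the inside hosts by TCP connection count and flags any host above a threshold, which is the indicator the slides use for a worm-infected host. The show local-host output is a constructed sample in the format shown on these slides; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the presentation): rank inside hosts by TCP
# connection count from "show local-host" output, to find the host that is
# eating the connection table.  The sample output is constructed to match
# the format on the slides; host 10.1.1.99 is the outlier.

sample_local_host() {
    cat <<'EOF'
Interface inside: 250 active, 250 maximum active, 0 denied
local host: <10.1.1.12>,
    TCP connection count/limit = 14/unlimited
    TCP embryonic count = 0
    TCP intercept watermark = unlimited
    UDP connection count/limit = 3/unlimited
local host: <10.1.1.99>,
    TCP connection count/limit = 146608/unlimited
    TCP embryonic count = 50
    TCP intercept watermark = unlimited
    UDP connection count/limit = 0/unlimited
local host: <10.1.1.34>,
    TCP connection count/limit = 27/unlimited
    TCP embryonic count = 1
    TCP intercept watermark = unlimited
    UDP connection count/limit = 5/unlimited
EOF
}

# rank_tcp_conns: print "<count> <host>" per local host, highest first.
# Reads "show local-host" output on stdin.
rank_tcp_conns() {
    awk '
        /^local host:/ {
            host = $3; gsub(/[<>,]/, "", host)   # "<10.1.1.99>," -> 10.1.1.99
        }
        /TCP connection count\/limit/ {
            split($NF, parts, "/")               # "146608/unlimited" -> 146608
            print parts[1], host
        }
    ' | sort -rn
}

# top_conn_host: the single worst offender, e.g. "146608 10.1.1.99".
top_conn_host() {
    sample_local_host | rank_tcp_conns | head -n 1
}

# flag_hosts_over <limit>: hosts whose TCP count exceeds the threshold,
# i.e. candidates for a per-host connection limit.
flag_hosts_over() {
    sample_local_host | rank_tcp_conns | awk -v lim="$1" '$1 > lim { print $2 }'
}

top_conn_host
flag_hosts_over 1000
```

On a live box, replace sample_local_host with the captured output of show local-host (or pipe the output of an ssh session into rank_tcp_conns). A legitimate server rarely holds more than a few hundred outbound TCP connections, so a threshold in the low thousands separates a scanning host from normal users.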
Question: Which one can be used here? TCP intercept (the embryonic connection limit) won't help, because the source address is valid and the handshakes complete. Limiting the maximum number of connections each internal host can have is the only option.
Note: the local-host must be cleared before the new connection limits are applied
pixfirewall(config)# clear local-host 10.1.1.99
pixfirewall(config)# show local-host 10.1.1.99
Interface inside: 250 active, 250 maximum active, 0 denied
local host: <10.1.1.99>,
    TCP connection count/limit = 50/50
    TCP embryonic count = 50
    TCP intercept watermark = unlimited
    UDP connection count/limit = 0/unlimited
. . .
The infected host is now limited to 50 TCP connections.
Things look much better now. Question: How could we configure the Cisco PIX so the connection limit was only applied to the one host (10.1.1.99) which was infected with the virus? Give that host its own nat statement with a maximum connection count, and leave the catch-all statement unlimited:
nat (inside) 1 10.1.1.99 255.255.255.255 50 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
(PIX 6.x syntax: the two trailing numbers are the maximum connections and the embryonic limit; 0 means unlimited. On the MPF-based releases the same per-host limit is set with set connection in a policy-map class that matches the host.)
Case Study
High CPU Usage
For more information on the output of the show processes command, see:
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a008009456c.shtml
In one minute, these processes account for 44 seconds of CPU time (44/60, about 73%). The interface polling processes always run, and are not counted in the CPU usage.
Enable buffered logging at the same level as the syslog server, and examine the buffered messages
pixfirewall(config)# show log
Buffer logging: level warnings, 31527 messages logged
Trap logging: level warnings, 6453127 messages logged
    Logging to lab 172.18.173.123
. . .
400011: IDS:2001 ICMP unreachable from 172.18.173.123 to ... on ...
400011: IDS:2001 ICMP unreachable from 172.18.173.123 to ... on ...
400011: IDS:2001 ICMP unreachable from 172.18.173.123 to ... on ...
(the same message repeated, destination and interface not shown on the slide)
Root cause: the syslog service was down on the syslog server ("lab", 172.18.173.123). The server generated an ICMP port unreachable for each syslog message the Cisco PIX sent it. The PIX's IDS configuration (signature 2001) in turn logged every ICMP unreachable as message 400011, and each of those was sent to the same syslog server, so every message produced another message: a self-amplifying loop between the logging and IDS features that drove the CPU to 99%.
[Diagram: PIX sending syslog to the "lab" syslog server, server answering with ICMP unreachable]
Possible fixes: bring the syslog service back up on the server; take the server offline; or configure the Cisco PIX to not log IDS ICMP unreachable messages:
ip audit signature 2001 disable
or
no logging message 400011

pixfirewall# show run | grep signature
ip audit signature 2001 disable
pixfirewall# show cpu usage
CPU utilization for 5 seconds = 2%; 1 minute: 50%; 5 minutes: 99%
(the 5-second figure has already dropped; the 1- and 5-minute averages lag behind)
General method for high CPU:
Step 1: Examine the diff of two show processes outputs taken over a one-minute interval
Step 2: Find the process taking up the highest amount of CPU (excluding the polling processes)
Step 3: Take action to lower that process's CPU time
Step 4: Re-examine the CPU output, and repeat as necessary
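An added example (not from the presentation) that does Steps 1 and 2 of the method above with a script: it takes two show processes snapshots captured 60 seconds apart, subtracts the Runtime column per process, drops the interface polling processes, and prints the remaining processes ranked by CPU time used in that interval with the percentage of the interval each one consumed. The column layout assumed (flags, PC, SP, STATE, Runtime in ms, SBASE, Stack, Process) is the PIX-style layout the linked tech note describes; both snapshots and all process names in them are constructed samples, and the polling-process pattern is an assumption to adjust to the platform.

```sh
#!/bin/sh
# Added example (not from the presentation): diff two "show processes"
# snapshots taken 60 seconds apart and rank processes by CPU time consumed
# in the interval, excluding the interface polling processes (which always
# accumulate run time and are not counted in "show cpu usage").
# Assumed column layout: flags PC SP STATE Runtime(ms) SBASE Stack Process.
# Both snapshots are constructed samples; process names are illustrative.

snapshot_t0() {
    cat <<'EOF'
    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 001e3329 00809c54 0053e5c8          0 00809ccc 3392/4096 arp_timer
Lsi 001e80e9 00ba1f2c 0053e5c8     120000 00ba1fb4 3904/4096 i82543_poll
Mwe 00117e3a 009e2c98 00541d18       4200 009e1d24 7732/8192 Logger
Mwe 00117e3a 009e5d28 00541d18       1000 009e4db4 3240/4096 IP Audit
Mwe 00117e3a 009e7b48 00541d18        300 009e6bd4 3560/4096 ssh
EOF
}

snapshot_t1() {
    cat <<'EOF'
    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 001e3329 00809c54 0053e5c8          0 00809ccc 3392/4096 arp_timer
Lsi 001e80e9 00ba1f2c 0053e5c8     180000 00ba1fb4 3904/4096 i82543_poll
Mwe 00117e3a 009e2c98 00541d18      30200 009e1d24 7732/8192 Logger
Mwe 00117e3a 009e5d28 00541d18      19000 009e4db4 3240/4096 IP Audit
Mwe 00117e3a 009e7b48 00541d18        350 009e6bd4 3560/4096 ssh
EOF
}

# cpu_delta <file_t0> <file_t1> <interval_seconds> <exclude_regex>
# Prints "<ms> <percent> <process>" sorted by ms consumed in the interval.
cpu_delta() {
    awk -v secs="$3" -v skip="$4" '
        $5 !~ /^[0-9]+$/ { next }                 # skip header / blank lines
        { name = $8; for (i = 9; i <= NF; i++) name = name " " $i }
        NR == FNR { t0[name] = $5; next }         # first file: baseline
        name in t0 {
            ms = $5 - t0[name]
            if (skip != "" && name ~ skip) next   # drop polling processes
            printf "%d %.1f %s\n", ms, 100 * ms / (secs * 1000), name
        }
    ' "$1" "$2" | sort -rn
}

# top_cpu_process: the worst non-polling consumer over the sample interval.
top_cpu_process() {
    t0=$(mktemp); t1=$(mktemp)
    snapshot_t0 > "$t0"; snapshot_t1 > "$t1"
    cpu_delta "$t0" "$t1" 60 '_poll$' | head -n 1
    rm -f "$t0" "$t1"
}

top_cpu_process
```

With the sample data, Logger (26 s) and IP Audit (18 s) together account for 44 of the 60 seconds, the same picture as the slide: the syslog and IDS paths are doing the work, and the polling process, although it accrued the most run time, is excluded.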
FWSM
Additional architecture information
FWSM syslog messages per log level; number of messages per level, cumulative sum in parentheses (no level 6/7 figures for 2.3 on the slide)
Level  Description    Ver. 2.3    Ver. 3.1     Ver. 3.2     Ver. 4.0     Ver. 4.1
0      Emergencies    0           0            0            0            0
1      Alerts         58 (58)     67 (67)      67 (67)      67 (67)      67 (67)
2      Critical       21 (79)     29 (96)      29 (96)      29 (96)      29 (96)
3      Errors         94 (173)    305 (401)    306 (402)    318 (414)    318 (414)
4      Warnings       131 (304)   194 (595)    196 (598)    199 (613)    199 (613)
5      Notifications  26 (330)    167 (762)    169 (767)    178 (791)    178 (791)
6      Informational  -           245 (1007)   248 (1015)   255 (1046)   259 (1050)
7      Debugging      -           225 (1232)   225 (1240)   226 (1272)   231 (1281)
FWSM/admin(config)# show np 3 acl stats
---------------------------
ACL Tree Statistics
---------------------------
Rule count          : 9584
Bit nodes (PSCB's)  : 8760
Leaf nodes          : 8761
Total nodes         : 17521 (max 24260)
Leaf chains         : 6912
Total stored rules  : 15673
Max rules in leaf   : 3
Node depth          : 32
---------------------------
Note: one ACE does not equal one node
FWSM# show np 3 acl tree
--------------------------------------------
ACL Tree Instance <-> Context Name (ID) Map
--------------------------------------------
Tree Instance 0    Context (001) admin
Tree Instance 1    Context (002) core
Tree Instance 2    Context (003) Engineering
Tree Instance 3    Context (004) Accounting
--------------------------------------------
FWSM Resource Rule
FWSM 3.2 introduced resource rule, which allows further customization of a partition:
resource rule nat 10000 acl 2200 filter 400 fixup 595 est 70 aaa 555 console 283
FWSM Resource Partition
FWSM 4.0 introduced resource partition, which allows customization of the size of individual partitions (multi-context mode):
FWSM(config)# resource partition 10
FWSM(config-partition)# size 1000
WARNING: The rule max has been reset based on partition size 1000.
The <size> command leads to re-partitioning of ACL Memory. It will not take effect until you save the configuration and reboot.
Before:
FWSM# show resource rule partition 10
             Default   Configured   Absolute
CLS Rule     Limit     Limit        Max
-----------+---------+------------+---------
Policy NAT   384       384          833
ACL          14801     14801        14801
Filter       576       576          1152
Fixup        1537      1537         3074
Est Ctl      96        96           96
Est Data     96        96           96
AAA          1345      1345         2690
Console      384       384          768
-----------+---------+------------+---------
Total        19219     19219
Partition Limit - Configured Limit = Available to allocate
19219 - 19219 = 0

After:
FWSM# show resource rule partition 10
             Default   Configured   Absolute
CLS Rule     Limit     Limit        Max
-----------+---------+------------+---------
Policy NAT   20        20           43
ACL          770       770          770
Filter       30        30           60
Fixup        80        80           160
Est Ctl      5         5            5
Est Data     5         5            5
AAA          70        70           140
Console      20        20           40
-----------+---------+------------+---------
Total        1000      1000
Partition Limit - Configured Limit = Available to allocate
1000 - 1000 = 0
Traffic sourced from, or destined to, the FWSM itself also goes through the control point:
Syslogs; AAA (RADIUS/TACACS+); management traffic (telnet/SSH/HTTPS/SNMP); failover communications; routing protocols (OSPF/RIP); etc.
Because all of these share the same path, anything that floods the control point (a syslog storm, a capture ACL that matches too much traffic) also degrades management access and failover communication.
This issue might be encountered when performing TCP throughput testing, or when passing high-speed TCP flows through the FWSM.
Examples: CIFS, FTP, AFP, backups
FWSM versions 3.1(10) and 3.2(5) introduce a new command, sysopt np completion-unit, to ensure the firewall maintains packet order (by enabling a hardware knob on the NPs called the completion unit). In multiple-context mode, enter this command in the admin context configuration; it is then enabled for all contexts on the firewall.
Case Study
Advanced Syslog Analysis
May 24 2010 23:19:53: %ASA-6-302014: Teardown TCP connection 1019934 for outside:203.0.113.126/6243 to inside:10.100.19.190/21 duration 0:00:30 bytes 0 SYN Timeout
The teardown reason is the last field of the message (here SYN Timeout: the SYN was forwarded but no SYN/ACK ever came back, and 0 bytes were exchanged).
grep is used to find the syslogs we want (the 302014 messages with the reason of interest); awk to print the destination column (IP/port); sort to group identical entries (uniq only collapses adjacent duplicates); uniq -c to print only unique entries, with a count; sort -rn to display the ordered list, highest count first.
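The pipeline described above, written out as an added example (not from the presentation) and run over a few constructed %ASA-6-302014 teardown lines in the slide's format. It ranks the inside destinations (IP/port) that see the most "SYN Timeout" teardowns, and a second function ranks the outside sources, which is how you tell "the service is down" (many sources, one destination) from "one host is probing ports the ACL permits" (one source, many destinations). The field numbers are specific to the 302014 message layout; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the presentation): the grep/awk/sort/uniq pipeline
# for %ASA-6-302014 "SYN Timeout" teardowns.  The log lines are constructed
# samples in the format shown on the slide.

sample_syslog() {
    cat <<'EOF'
May 24 2010 23:19:53: %ASA-6-302014: Teardown TCP connection 1019934 for outside:203.0.113.126/6243 to inside:10.100.19.190/21 duration 0:00:30 bytes 0 SYN Timeout
May 24 2010 23:19:54: %ASA-6-302014: Teardown TCP connection 1019951 for outside:203.0.113.126/6244 to inside:10.100.19.190/21 duration 0:00:30 bytes 0 SYN Timeout
May 24 2010 23:19:55: %ASA-6-302014: Teardown TCP connection 1019960 for outside:198.51.100.7/41022 to inside:10.100.19.190/21 duration 0:00:30 bytes 0 SYN Timeout
May 24 2010 23:19:56: %ASA-6-302014: Teardown TCP connection 1019972 for outside:203.0.113.126/6245 to inside:10.100.19.25/443 duration 0:00:30 bytes 0 SYN Timeout
May 24 2010 23:19:57: %ASA-6-302014: Teardown TCP connection 1019980 for outside:203.0.113.50/52001 to inside:10.100.19.25/443 duration 0:02:11 bytes 18422 TCP FINs
May 24 2010 23:19:58: %ASA-6-302013: Built inbound TCP connection 1019991 for outside:203.0.113.50/52002 (203.0.113.50/52002) to inside:10.100.19.25/443 (198.51.100.200/443)
EOF
}

# top_syn_timeout_dests: "<count> <iface:ip/port>", highest count first.
# In a 302014 message the destination ("to" side) is field 13.
# The trailing awk strips the padding uniq -c puts in front of the count.
top_syn_timeout_dests() {
    grep 'SYN Timeout' | awk '{ print $13 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# top_syn_timeout_sources: same, keyed on the outside source (field 11)
# with the ephemeral port stripped, so one scanning host counts once.
top_syn_timeout_sources() {
    grep 'SYN Timeout' | awk '{ print $11 }' | sed 's#/[0-9]*$##' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

sample_syslog | top_syn_timeout_dests
sample_syslog | top_syn_timeout_sources
```

With the sample data the destination view says 10.100.19.190/21 (FTP) is the problem, and the source view says most of those timeouts come from a single outside host, 203.0.113.126, which is the signature of one host probing rather than of a server that is down for everybody.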
Case Study
FWSM Slow Single-Flow TCP Throughput
FWSM only
Due to the FWSM's NP architecture, there is a possibility that packets arriving with a low inter-packet gap are re-ordered by the FWSM.
[Diagram: TCP flow, segments 1 2 3 4 enter the FWSM and leave as 1 3 2 4]
FWSM versions 3.1(10) and 3.2(5) introduce a new command, sysopt np completion-unit, to ensure the firewall maintains packet order.
Enable np completion-unit
Note: in multi-mode add the command to the admin context, and it will be applied globally
Failover
What to Do After a Failover Additional Failover Commands
ASA# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Failed         Ifc Failure              12:56:00 UTC May 6 2010
                              Inside: Failed
Other host -   Secondary
               Active         None
Syntax: prompt keywords
hostname: configures the prompt to display the hostname
domain: configures the prompt to display the domain
context: configures the prompt to display the current context (multi-mode only)
priority: configures the prompt to display the failover lan unit setting
state: configures the prompt to display the current traffic handling state
slot: configures the prompt to display the slot location (when applicable)
Example:
FWSM(config)# prompt hostname domain priority state slot
FWSM/cisco.com/sec/actNoFailover/4(config)#
Capture Example
[Diagram: Internet, www.cisco.com 198.133.219.25, firewall, 10.1.3.2, inside client 192.168.2.2]
Step 1: Create an ACL for both the inside and outside interface, matching only the flow of interest
Step 2: Create captures on both the inside and outside interface
Step 3: Have the inside user access www.cisco.com
Step 4: Copy the captures off to a TFTP server
Step 5: Analyze the captures with a sniffer program

! ASA ver 7.0+ / FWSM 3.0+ copy capture
copy /pcap capture:out tftp://10.1.3.5/out.pcap
copy /pcap capture:in tftp://10.1.3.5/in.pcap
! PIX ver 6.x / FWSM 2.3 copy capture
copy capture:out tftp://10.1.3.5/out.pcap pcap
copy capture:in tftp://10.1.3.5/in.pcap pcap
The capture can also be downloaded over the management HTTPS interface: https://<FW_IP>/capture/out/pcap
Captures contain full packet payloads, and TFTP is unauthenticated cleartext, so copy them over a trusted management network or use the HTTPS download, and remove the capture from the firewall (no capture <name>) once it has been copied off.
Inside CAP
[Diagram: FWSM, Session Manager, NP 3]
Since FWSM 3.1(5), both ingress and egress transient packets that flow through hardware can be captured.
Capture requires an ACL to be applied. Capture copies the matched packets in hardware to the control point, where they are captured; be careful not to flood the control point with too much traffic, since management and failover traffic share it.
Online Tools
Networking Professionals Connection; Bug Toolkit; Output Interpreter
http://www.cisco.com/go/netpro
Bug Toolkit
[Screenshot: Bug Toolkit search fields: Version, Search Keywords, Severity, Status]
Output Interpreter
Linked off the Technical Support and Documentation, Tools and Resources section on CCO
https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl
ASDM
Run as a standalone application using the ASDM Launcher; this allows one-stop access to multiple firewalls.
ASDM 6.0 adds an Upgrade Wizard to upgrade ASA and ASDM software directly from cisco.com
ASDM 6.2 works with the ASA 8.2, 8.1 and 8.0 releases
ASDM 6.1F works with the FWSM 4.0, 3.2 and 3.1 releases
[Screenshot: ASDM home page, Device Information and Real-Time Syslogs panels]
At a minimum include:
Detailed problem description
Output from show tech
Optionally include:
Syslogs captured during the time of the problem
Sniffer traces from both interfaces using the capture command (capturing only the relevant packets, and saved in pcap format)