Latest revision as of 11:13, 7 October 2014
Some notes on working with Cisco ASAs
Commands on an ASA 8.3 and above
object-groups
Make everything an object group! Not quite everything can be one (access lists are access lists, not object groups), but even a single host or service is worth putting in an object group: the access lists that reference it stay readable, and when the address or port changes you edit the group once instead of every ACE that mentions it. Honest, it makes it all much nicer.
Examples:

 show run object-group id DMZ-HOSTS
 object-group network DMZ-HOSTS
  network-object host 10.10.10.10
  network-object host 10.10.10.11
object-group network
The object-group network command creates a group of network-type objects (hosts, subnets, or network objects) that an access list can reference by a single name.
network-object
The network-object command is used inside an object-group network to add a member: a host, a subnet, or an existing network object.
To add a member that is a single host, give an IP address or a name the ASA already knows (one defined with the name command):
 network-object host a.b.c.d
 network-object host host.name.tld
To add a member that is a subnet, give the network address and its mask:
 network-object a.b.c.d 255.255.255.0
To add a member that is a network object (created with the object network command):
 network-object object object_network_name
object-group service
An object-group service created with the tcp, udp or tcp-udp keyword holds port members, one port or one range per line; a tcp-udp group can be referenced from both tcp and udp access-list entries:
 port-object eq port
 port-object range low_port high_port
object-group icmp-type
An object-group icmp-type holds ICMP message types and is used in an access-list entry where a single ICMP type would otherwise go:
 icmp-object echo
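A fuller worked example, added here and not part of the original notes: the three group types together, referenced from one access list and applied to an interface. DMZ-HOSTS is the group from above; the other group names, the ACL name OUTSIDE-IN and the interface nameif external are assumptions.

```cisco
! Added example (not from the original page). Group names other than DMZ-HOSTS,
! the ACL name OUTSIDE-IN and the nameif "external" are assumptions.

! Hosts and subnets the rules will refer to
object-group network DMZ-HOSTS
 network-object host 10.10.10.10
 network-object host 10.10.10.11
object-group network BRANCH-NETS
 network-object 10.20.0.0 255.255.255.0
 network-object 10.21.0.0 255.255.255.0

! Ports: a tcp-udp group can be used in both tcp and udp entries,
! so DNS only needs one group
object-group service DNS-PORTS tcp-udp
 port-object eq domain
object-group service MGMT-PORTS tcp
 port-object eq ssh
 port-object range 8443 8444

! ICMP types to allow for basic reachability tests
object-group icmp-type PING
 icmp-object echo
 icmp-object echo-reply

! One ACL built from the groups; changing a group changes every ACE that uses it
access-list OUTSIDE-IN extended permit tcp any object-group DMZ-HOSTS object-group DNS-PORTS
access-list OUTSIDE-IN extended permit udp any object-group DMZ-HOSTS object-group DNS-PORTS
access-list OUTSIDE-IN extended permit tcp object-group BRANCH-NETS object-group DMZ-HOSTS object-group MGMT-PORTS
access-list OUTSIDE-IN extended permit icmp any object-group DMZ-HOSTS object-group PING
! explicit logged deny at the end so denied attempts show up in syslog
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface external

! Verify: the expanded view shows one line per member combination, with hit counts
show access-list OUTSIDE-IN
```

The expanded output of show access-list is the quickest way to see what a group-based ACE actually permits: every host/port combination the groups expand to is listed with its own hit counter, so a rule that never matches (or matches far more than intended) stands out.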
Capture packets (like Linux tcpdump / Solaris snoop)
Start a capture
 # capture [name] interface [interface name] match [protocol (ip/icmp/tcp/udp)] [host x.x.x.x | any] [host x.x.x.x | any]
The match is bidirectional: the two addresses are matched as either source and destination or the reverse. The capture starts as soon as the command is entered and fills a memory buffer (512 KB by default, so a busy host fills it quickly).
Stop the capture but keep the data
 # no capture [name] interface [interface name]
Detaching the capture from the interface stops it collecting; the buffer and its contents remain until the capture is removed.
List captures
 # show capture
 # show capture [name]
show capture on its own lists every defined capture with its state and buffer usage; show capture [name] prints the packets in that capture's buffer.
Delete the capture
 # no capture [name]
This removes the capture definition and frees its buffer.
Example
 # capture SH interface extern match ip host 10.10.10.10 any
 # show capt
 capture SH type raw-data [Capturing - 14486 bytes]
   match ip host 10.10.10.10 any
 # show capture SH
 71 packets captured
    1: 16:47:19.884750 10.10.10.3.64216 > 10.10.10.10.53: udp 42
    2: 16:47:19.885086 10.10.10.10.53 > 10.10.10.3.64216: udp 238
 ...
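A longer capture session, added here and not from the original page, showing options the short example above does not use: matching with an access-list (which, unlike match, is one direction per entry), a larger circular buffer, a capture of packets the ASA itself dropped, export as pcap, and the difference between stopping, clearing and deleting. The nameif external, the hosts and the TFTP server address are assumptions.

```cisco
! Added example (not from the original page). The nameif "external", the hosts
! 10.10.10.3 / 10.10.10.10 and the TFTP server 10.10.10.3 are assumptions.

! 1. Capture DNS between one client and the DMZ resolver. An access-list match is
!    one direction per entry, so both directions are listed; buffer is raised from
!    the 512 KB default and made circular so a long-running capture keeps the newest packets.
access-list CAP-DNS extended permit udp host 10.10.10.3 host 10.10.10.10 eq domain
access-list CAP-DNS extended permit udp host 10.10.10.10 eq domain host 10.10.10.3
capture DNS interface external access-list CAP-DNS buffer 1000000 circular-buffer

! 2. A second capture of every packet the ASA dropped, tagged with the drop reason
capture DROPS type asp-drop all

! 3. Inspect: all defined captures, then the DNS packets, then full decode,
!    then only drops involving the resolver
show capture
show capture DNS
show capture DNS detail
show capture DROPS | include 10.10.10.10

! 4. Export the buffer as pcap for Wireshark
!    (or fetch it over HTTPS: https://<asa>/admin/capture/DNS/pcap)
copy /pcap capture:DNS tftp://10.10.10.3/dns.pcap

! 5. Three different things: stop collecting but keep the data, empty the buffer
!    but keep the definition, remove the capture and free its buffer
no capture DNS interface external
clear capture DNS
no capture DNS
no capture DROPS
clear configure access-list CAP-DNS
```

Always finish with the no capture lines: a forgotten capture keeps its buffer in memory and, for asp-drop captures, keeps recording every drop on the box.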
packet-tracer
packet-tracer builds a simulated packet and runs it through the ASA's processing path (route lookup, access lists, NAT, inspection) as if it had arrived on the given interface, reporting each phase and the final allow or drop decision; nothing is sent on the wire.
 # packet-tracer input [interface name] [protocol (icmp/tcp/udp)] [source host x.x.x.x] [source port | icmp type icmp code] [dest host x.x.x.x] [dest port] (detailed)
For icmp the source port and destination port positions are replaced by the ICMP type and code (an echo request is type 8 code 0).
Example
 # packet-tracer input external tcp 10.10.10.3 64216 10.10.10.10 53 detailed
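Added example (not from the original page) of using packet-tracer to test a rule both ways: the flows that should be allowed, the icmp form with type and code in place of ports, and a negative test that should be dropped. The interface names external and inside and the addresses are assumptions.

```cisco
! Added example (not from the original page). Nameifs "external" and "inside" and
! all addresses are assumptions. The packets are simulated; nothing is transmitted.

! DNS over TCP and UDP from an outside client to the DMZ resolver
packet-tracer input external tcp 10.10.10.3 64216 10.10.10.10 53
packet-tracer input external udp 10.10.10.3 64216 10.10.10.10 53

! ICMP takes type and code instead of a source port: echo request is 8 0
packet-tracer input external icmp 10.10.10.3 8 0 10.10.10.10

! Negative test: a port the policy is not supposed to allow. If the ACL denies it,
! the output ends with
!   Action: drop
!   Drop-reason: (acl-drop) Flow is denied by configured rule
! and the ACCESS-LIST phase is the first one reporting Result: DROP
packet-tracer input external tcp 10.10.10.3 64216 10.10.10.10 23 detailed

! Repeat from the other side: routing, NAT and the applied ACL all depend on
! the ingress interface, so an inside-to-DMZ test is a different path
packet-tracer input inside tcp 10.20.0.5 40000 10.10.10.10 22
```

packet-tracer evaluates the running configuration, so run the same set of tests before and after a rule change and keep the outputs; a capture on the interface then confirms what real traffic actually does.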