TAC Security Podcast Episode #18 - Useful ASA and IPS Commands and Features You Might Not Know About

Mon, 06/20/2011 - 08:09
Apr 11th, 2011

Episode Information


Episode Name: Episode 18 - Useful commands for the Cisco ASA and IPS platforms

Contributors:  Blayne Dreier, Jay Johnston, Magnus Mortensen, David White

Posting Date: April 19, 2011

Description:  In this episode, the panel discusses seldom known but extremely useful commands on the Cisco ASA and IPS platforms. These are commands that we use often in the TAC when diagnosing and troubleshooting network issues, but we find that many of our customers don't know about them. In this episode we discuss several commands, when to use them and how to interpret their output. For a list of commands discussed in the episode, see the show notes on this page.






About the Cisco TAC Security Podcast


The Cisco TAC Security Podcast Series is created by Cisco TAC engineers. Each episode provides an in-depth technical discussion of Cisco product security features, with emphasis on troubleshooting.







Show Notes

ASA


show parser dump <feature>


This command dumps the entire parse chain on the ASA, displaying the privilege level of the command (first column), followed by the modifier (if applicable), the command, and any keywords or options.


Example:


ASA# show parser dump all

Mode Name :exec
. . .
15 crypto ca server revoke 
15 crypto ca server unrevoke 
15 crypto ca server crl issue
15 crypto ca server user-db email-otp user 
15 crypto ca server user-db email-otp user 
15 crypto ca server user-db email-otp all-unenrolled
15 crypto ca server user-db email-otp all-certholders
15 crypto ca server user-db email-otp
15 crypto ca server user-db show-otp
15 crypto ca server user-db add  email


show process cpu-usage sorted non-zero


This command displays all of the processes running on the ASA that have non-zero CPU usage (meaning they are using some of the CPU) and sorts them by the amount of CPU usage. In this example, esw_stats is the top process, but this is normal since it is an ASA 5505 model, and this low-priority process constantly polls the embedded 8-port switch.


Example:


ASA5505# show process cpu-usage sorted non-zero
PC             Thread       5Sec     1Min     5Min   Process
0x094c6cab   0xc81a87fc    12.4%     8.9%     8.7%   esw_stats
0x081ecc51   0xc81b497c     3.2%     1.3%     0.5%   Dispatch Unit
0x08e5f07c   0xc81adea8     0.6%     0.2%     0.1%   Logger
0x08e1e785   0xc8199214     0.6%     1.4%     0.4%   ssh
0x0866d56e   0xc81a3d68     0.1%     0.1%     0.1%   ARP Thread
0x087741d5   0xc81a2d48     0.1%     0.1%     0.1%   MFIB
0x08aad2dc   0xc81a69c0     0.1%     0.1%     0.1%   update_cpu_usage
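When this output is collected from many firewalls (or scheduled on one box), the interesting question is "which process is busy that should not be?". The following is an added example, not Cisco code or anything from the podcast: it parses the sample output above and flags processes over a threshold, skipping processes that are expected to be busy on a given platform. The EXPECTED_BUSY table is an assumption for illustration (it only encodes the esw_stats note above); the sample text is copied from the example output.

```python
import re

# Sample output, copied from the show process cpu-usage example above (ASA 5505).
SAMPLE_CPU_OUTPUT = """\
ASA5505# show process cpu-usage sorted non-zero
PC             Thread       5Sec     1Min     5Min   Process
0x094c6cab   0xc81a87fc    12.4%     8.9%     8.7%   esw_stats
0x081ecc51   0xc81b497c     3.2%     1.3%     0.5%   Dispatch Unit
0x08e5f07c   0xc81adea8     0.6%     0.2%     0.1%   Logger
0x08e1e785   0xc8199214     0.6%     1.4%     0.4%   ssh
0x0866d56e   0xc81a3d68     0.1%     0.1%     0.1%   ARP Thread
0x087741d5   0xc81a2d48     0.1%     0.1%     0.1%   MFIB
0x08aad2dc   0xc81a69c0     0.1%     0.1%     0.1%   update_cpu_usage
"""

# Processes that are expected near the top on a given platform. This table is an
# assumption for illustration (it reflects the esw_stats note above), not a
# Cisco-published list; extend it from your own baselines.
EXPECTED_BUSY = {"ASA5505": {"esw_stats"}}

# One data row: PC, thread id, three percentages, then the process name
# (which may contain spaces, e.g. "Dispatch Unit").
ROW_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(.+?)\s*$"
)


def parse_cpu_usage(text):
    """Return one dict per process row; prompt, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "pc": m.group(1),
            "thread": m.group(2),
            "5sec": float(m.group(3)),
            "1min": float(m.group(4)),
            "5min": float(m.group(5)),
            "process": m.group(6),
        })
    return rows


def hot_processes(rows, platform, threshold=5.0, window="5min"):
    """Names of processes at or above `threshold` percent on the chosen window,
    excluding processes that are expected to be busy on this platform."""
    expected = EXPECTED_BUSY.get(platform, set())
    return [
        r["process"] for r in rows
        if r[window] >= threshold and r["process"] not in expected
    ]


if __name__ == "__main__":
    rows = parse_cpu_usage(SAMPLE_CPU_OUTPUT)
    print("ASA5505 over 5% (5min):", hot_processes(rows, "ASA5505"))
    print("unknown platform over 5% (5min):", hot_processes(rows, "ASA5510"))
```

The same sorted output on a platform without the esw_stats baseline would flag esw_stats, which is exactly the point of keeping the baseline per model rather than as a global ignore list.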


failover exec mate

This command allows you to run any command from one firewall in an HA pair on the other. For example, from the PRIMARY ACTIVE firewall, one can run show failover on the mate (STANDBY) firewall:


asa/pri/act# failover exec ?

   active   Execute command on the active unit
   mate     Execute command on the peer unit
   standby  Execute command on the standby unit
asa/pri/act# failover exec mate show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover Ethernet0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 110 maximum
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 10:27:22 UTC Apr 8 2011
     This host: Secondary - Standby Ready
..


failover reload-standby

This command is useful when upgrading code. It allows you to reload the Standby ASA in a failover pair from the Active ASA:

asa/pri/act# failover reload-standby
asa/pri/act#

And on the STANDBY firewall, the console shows:

asa/sec/stby#


***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   requested by active unit
Process shutdown finished
Rebooting.....





show service-policy flow


Shows each of the Modular Policy Framework (MPF) objects (access-lists, class-maps, policy-maps, and service-policies) that will affect a particular flow.


asa# show service-policy flow tcp host 10.1.1.1 eq 55555 host 198.133.219.25 eq 80

Global policy:
   Service-policy: global_policy
     Class-map: inspection_default
       Match: default-inspection-traffic
       Action:
         Input flow:  inspect http
     Class-map: class-default
       Match: any
       Action:
         Output flow:
Interface corpnet:
   Service-policy: ips
     Class-map: ips
       Match: access-list ips
         Access rule: permit ip any any
       Action:
         Input flow:  ips inline fail-open
     Class-map: class-default
       Match: any
       Action:
         Output flow:
Interface inside:
   Service-policy: ips
     Class-map: ips
       Match: access-list ips
         Access rule: permit ip any any
       Action:
         Input flow:  ips inline fail-open
     Class-map: class-default
       Match: any
       Action:
asa#


show nat pool


This command shows the utilization of the different port ranges for each NAT global IP address configured on the ASA. In the example below, there is one global IP address, 172.18.254.123.


Example:


ASA5505# show nat pool
TCP PAT pool outside, address 172.18.254.123, range 1-511, allocated 2
TCP PAT pool outside, address 172.18.254.123, range 512-1023, allocated 0
TCP PAT pool outside, address 172.18.254.123, range 1024-65535, allocated 38
UDP PAT pool outside, address 172.18.254.123, range 1-511, allocated 4
UDP PAT pool outside, address 172.18.254.123, range 512-1023, allocated 0
UDP PAT pool outside, address 172.18.254.123, range 1024-65535, allocated 4
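Because each PAT address is tracked as three separate port ranges per protocol, a pool can run out of ports in one range while the others look empty. The following added example (not Cisco code; the sample text is copied from the output above) parses show nat pool, computes utilization per range and per address, and reports ranges that are close to exhaustion. The 203.0.113.9 line in the usage comment is a constructed value, not from the page.

```python
import re
from collections import defaultdict

# Sample output, copied from the show nat pool example above (one PAT address).
SAMPLE_NAT_POOL = """\
ASA5505# show nat pool
TCP PAT pool outside, address 172.18.254.123, range 1-511, allocated 2
TCP PAT pool outside, address 172.18.254.123, range 512-1023, allocated 0
TCP PAT pool outside, address 172.18.254.123, range 1024-65535, allocated 38
UDP PAT pool outside, address 172.18.254.123, range 1-511, allocated 4
UDP PAT pool outside, address 172.18.254.123, range 512-1023, allocated 0
UDP PAT pool outside, address 172.18.254.123, range 1024-65535, allocated 4
"""

POOL_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT pool (?P<ifc>\S+), address (?P<addr>\S+), "
    r"range (?P<lo>\d+)-(?P<hi>\d+), allocated (?P<used>\d+)$"
)


def parse_nat_pool(text):
    """Parse each PAT pool line; range size and utilization are computed here."""
    pools = []
    for line in text.splitlines():
        m = POOL_RE.match(line.strip())
        if not m:
            continue  # prompt or unrelated line
        lo, hi, used = int(m["lo"]), int(m["hi"]), int(m["used"])
        size = hi - lo + 1  # the printed ranges are inclusive
        pools.append({
            "proto": m["proto"],
            "interface": m["ifc"],
            "address": m["addr"],
            "range": (lo, hi),
            "size": size,
            "allocated": used,
            "utilization": used / size,
        })
    return pools


def per_address_totals(pools):
    """Sum allocated ports and range sizes across the ranges of each (proto, address)."""
    totals = defaultdict(lambda: {"allocated": 0, "size": 0})
    for p in pools:
        t = totals[(p["proto"], p["address"])]
        t["allocated"] += p["allocated"]
        t["size"] += p["size"]
    return dict(totals)


def near_exhaustion(pools, warn_at=0.9):
    """Ranges whose utilization is at or above warn_at (as a fraction); empty means healthy."""
    return [
        (p["proto"], p["address"], p["range"])
        for p in pools if p["utilization"] >= warn_at
    ]


if __name__ == "__main__":
    pools = parse_nat_pool(SAMPLE_NAT_POOL)
    for p in pools:
        print(f'{p["proto"]} {p["address"]} {p["range"]}: {p["utilization"]:.2%}')
    print("near exhaustion:", near_exhaustion(pools))
    # Constructed line (not from the page) showing what an alert looks like:
    busy = parse_nat_pool("TCP PAT pool outside, address 203.0.113.9, "
                          "range 1024-65535, allocated 64000")
    print("near exhaustion (constructed):", near_exhaustion(busy))
```

Reporting per range rather than per address matters: 40 of 65535 TCP ports allocated overall looks idle, but if the 1-511 range alone were full, flows that need a low source port would still fail.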


show run <feature>

This command is very useful for displaying all the commands which make up a given feature. In the example below, we output all the commands which make up the call-home feature. The only other way of getting this data would be to issue show run | begin call-home.


ASA# show run call-home
service call-home
call-home
contact-email-addr [email protected]
profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration export full periodic daily
  subscribe-to-alert-group telemetry periodic daily
ASA#


perfmon verbose

This command displays the output of show perfmon every 60 seconds (by default). The output interval can be changed by issuing the perfmon interval <seconds> command.


To disable the periodic output, issue the perfmon quiet command.


Example:


PERFMON STATS:                     Current      Average
Xlates                              3/s          4/s
Connections                        20/s         23/s
TCP Conns                          18/s         21/s
UDP Conns                           2/s          2/s
URL Access                          0/s          0/s
URL Server Req                      0/s          0/s
TCP Fixup                          15/s         11/s
TCP Intercept Established Conns     0/s          0/s
TCP Intercept Attempts              0/s          0/s
TCP Embryonic Conns Timeout         0/s          0/s
HTTP Fixup                          0/s          0/s
FTP Fixup                           0/s          0/s
AAA Authen                          0/s          0/s
AAA Author                          0/s          0/s
AAA Account                         0/s          0/s

VALID CONNS RATE in TCP INTERCEPT:    Current      Average
                                        N/A         100.00%



IPS


show statistics virtual-sensor


Number of seconds since a reset of the statistics


The number of seconds since a show statistics virtual-sensor clear was issued. If a show statistics virtual-sensor clear has never been issued, this is the up-time of the sensor.


Processing Load Percentage


A good overall measure of the sensor's inspection resource utilization.


Sig 1330.x


1330 sub-signatures are part of the TCP Normalizer Engine. Specific normalizer events can indicate TCP issues in the inspected traffic.




sensor# show stat virt
Virtual Sensor Statistics
     Statistics for Virtual Sensor vs0
        Name of current Signature-Defintion instance = sig0
        Name of current Event-Action-Rules instance = rules0
        List of interfaces monitored by this virtual sensor = GigabitEthernet0/1 subinterface 0
        General Statistics for this Virtual Sensor
           Number of seconds since a reset of the statistics = 95110
           MemoryAlloPercent = 53
           MemoryUsedPercent = 52
           MemoryMaxCapacity = 614400
           MemoryMaxHighUsed = 378880
           MemoryCurrentAllo = 330232
           MemoryCurrentUsed = 325261
           Processing Load Percentage = 4
           Total packets processed since reset = 79409976
           Total number of bytes processed since reset = 68654420781
           The rate of packets per second since reset = 834
           The rate of bytes per second since reset = 721842
           The average bytes per packet since reset = 864
        SigEvent Preliminary Stage Statistics
           Number of Alerts received = 460137
           Number of Alerts Consumed by AlertInterval = 1881
           Number of Alerts Consumed by Event Count = 126
           Number of FireOnce First Alerts = 3
           Number of FireOnce Intermediate Alerts = 0
           Number of Summary First Alerts  = 14262
           Number of Summary Intermediate Alerts = 428994
           Number of Regular Summary Final Alerts  = 13039
           Number of Global Summary Final Alerts  = 183
           Number of Active SigEventDataNodes  = 52
           Number of Alerts Output for further processing = 458130
           Per-Signature SigEvent count since reset
              Sig 1306.0 = 9
              Sig 1311.0 = 27
              Sig 1317.0 = 19
              Sig 1330.5 = 470
              Sig 1330.10 = 73
              Sig 1330.12 = 73769
              Sig 1330.14 = 7
              Sig 1330.16 = 842
              Sig 1330.17 = 6624
              Sig 1330.18 = 5527
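To turn the three indicators above (time since reset, processing load, and the share of events coming from the 1330.x TCP Normalizer sub-signatures) into numbers you can trend, the following added example (not Cisco code) parses a trimmed copy of the output above. The "key = value" lines are taken as-is; the 1330 family aggregation follows the note about the TCP Normalizer Engine.

```python
import re
from datetime import timedelta

# Trimmed copy of the show statistics virtual-sensor output shown above.
SAMPLE_VS_STATS = """\
sensor# show stat virt
Virtual Sensor Statistics
   Statistics for Virtual Sensor vs0
      Name of current Signature-Defintion instance = sig0
      General Statistics for this Virtual Sensor
         Number of seconds since a reset of the statistics = 95110
         MemoryUsedPercent = 52
         Processing Load Percentage = 4
         Total packets processed since reset = 79409976
      SigEvent Preliminary Stage Statistics
         Number of Alerts received = 460137
         Per-Signature SigEvent count since reset
            Sig 1306.0 = 9
            Sig 1311.0 = 27
            Sig 1317.0 = 19
            Sig 1330.5 = 470
            Sig 1330.10 = 73
            Sig 1330.12 = 73769
            Sig 1330.14 = 7
            Sig 1330.16 = 842
            Sig 1330.17 = 6624
            Sig 1330.18 = 5527
"""

SIG_RE = re.compile(r"^Sig (\d+)\.(\d+) = (\d+)$")


def parse_virtual_sensor(text):
    """Return (general, sigs): general metrics as {key: value string} and
    per-signature counts as {(sig_id, subsig_id): count}."""
    general, sigs = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SIG_RE.match(line)
        if m:
            sigs[(int(m.group(1)), int(m.group(2)))] = int(m.group(3))
        elif " = " in line:
            key, _, value = line.partition(" = ")
            general[key.strip()] = value.strip()
    return general, sigs


def reset_age(general):
    """How long the counters have been accumulating (uptime if never cleared)."""
    secs = int(general["Number of seconds since a reset of the statistics"])
    return timedelta(seconds=secs)


def family_share(sigs, family=1330):
    """(family_count, total_count, fraction) for one signature family."""
    fam = sum(c for (sid, _), c in sigs.items() if sid == family)
    total = sum(sigs.values())
    return fam, total, (fam / total if total else 0.0)


def top_subsignatures(sigs, family=1330, n=3):
    """The n busiest sub-signatures of a family as (subsig_id, count), highest first."""
    fam = [(sub, c) for (sid, sub), c in sigs.items() if sid == family]
    return sorted(fam, key=lambda x: x[1], reverse=True)[:n]


if __name__ == "__main__":
    general, sigs = parse_virtual_sensor(SAMPLE_VS_STATS)
    print("counters age:", reset_age(general))
    print("processing load %:", general["Processing Load Percentage"])
    fam, total, frac = family_share(sigs)
    print(f"1330.x events: {fam} of {total} ({frac:.1%})")
    print("busiest 1330 sub-signatures:", top_subsignatures(sigs))
```

On this sample the normalizer family accounts for almost all counted signature events, dominated by 1330.12; which sub-signature dominates is what points you at the specific TCP problem in the inspected traffic.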

iplog


Via the global iplog command:


sensor# iplog vs0 10.1.1.1 bytes 5000 packets 250
Logging started for virtual sensor vs0, IP address 10.1.1.1, Log ID 1818324577
Warning: IP Logging will affect system performance.



Via a signature definition action:


sensor# conf t
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 3327 13
sensor(config-sig-sig)# engine string-tcp
sensor(config-sig-sig-str)# event-action log-pair-packets
sensor(config-sig-sig-str)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]:
sensor(config)#



packet capture


Defining a packet capture:


sensor# packet capture GigabitEthernet0/1 count 250 expression host 10.1.1.1 and tcp port 80



packet display


Displaying a live packet capture:


sensor# packet display GigabitEthernet0/1 count 250 expression host 10.1.1.1 and tcp port 80



Displaying the contents of a previous packet capture:


sensor# packet display packet-file



Displaying  the contents of an iplog:


packet display iplog 1818324577
reading from file -, link-type EN10MB (Ethernet)
20:26:31.779644 IP 192.168.1.3.445 > 10.1.1.3.17236: P 1820139296:1820139297(1) ack 1556908342 win 8760
20:26:31.780040 IP 10.1.1.3.57550 > 192.168.1.3.445: S 2470220233:2470221489(1256) win 8760
20:26:31.780061 IP 192.168.1.3.445 > 10.1.1.3.7688: R 2055594473:2055594473(0) win 8760
20:26:31.780071 IP 192.168.1.3.445 > 10.1.1.3.44705: R 1228413248:1228413248(0) win 8760
20:26:31.780111 IP 192.168.1.3.445 > 10.1.1.3.44865: P 1625648103:1625648104(1) ack 1556916921 win 8760
20:26:31.780133 IP 192.168.1.3.445 > 10.1.1.3.46794: P 1741804190:1741804191(1) ack 1556925500 win 8760
20:26:31.780146 IP 192.168.1.3.445 > 10.1.1.3.45314: S 2055695379:2055695379(0) ack 1561395159 win 8760
20:26:31.780424 IP 10.1.1.3.53591 > 192.168.1.3.445: S 3168046082:3168047338(1256) win 8760
20:26:31.780439 IP 10.1.1.3.16866 > 192.168.1.3.445: . ack 966721888 win 8760
20:26:31.780448 IP 10.1.1.3.51611 > 192.168.1.3.445: . ack 966727921 win 8760
20:26:31.780457 IP 10.1.1.3.4907 > 192.168.1.3.445: . ack 966733954 win 8760
20:26:31.780469 IP 192.168.1.3.445 > 10.1.1.3.39042: S 2755602194:2755602194(0) ack 1561403738 win 8760
20:26:31.780495 IP 192.168.1.3.445 > 10.1.1.3.49863: P 1214725317:1214725318(1) ack 1556934079 win 8760
20:26:31.780517 IP 192.168.1.3.445 > 10.1.1.3.19870: P 2822795228:2822795229(1) ack 1556942658 win 8760
20:26:31.780527 IP 192.168.1.3.445 > 10.1.1.3.41920: R 1588614407:1588614407(0) win 8760
20:26:31.780549 IP 192.168.1.3.445 > 10.1.1.3.39849: P 2309451107:2309451108(1) ack 1556951237 win 8760
20:26:31.780571 IP 192.168.1.3.445 > 10.1.1.3.62491: P 1423823578:1423823579(1) ack 1556959816 win 8760
20:26:31.780861 IP 10.1.1.3.45122 > 192.168.1.3.445: S 3014003755:3014005011(1256) win 8760
20:26:31.781144 IP 10.1.1.3.40352 > 192.168.1.3.445: S 2474761156:2474762412(1256) win 8760
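The iplog output is in tcpdump's classic one-line format, so a quick way to characterise what the sensor logged is to tally TCP flags per line and per conversation. The following is an added example, not Cisco code or part of the show notes: it parses the 19 lines above (copied as the sample) and counts SYNs, SYN/ACKs, resets, pushes and bare ACKs, then groups SYNs by destination so you can see how many new connections were attempted toward a given port.

```python
import re
from collections import Counter

# Sample lines, copied from the packet display iplog output above.
SAMPLE_IPLOG = """\
20:26:31.779644 IP 192.168.1.3.445 > 10.1.1.3.17236: P 1820139296:1820139297(1) ack 1556908342 win 8760
20:26:31.780040 IP 10.1.1.3.57550 > 192.168.1.3.445: S 2470220233:2470221489(1256) win 8760
20:26:31.780061 IP 192.168.1.3.445 > 10.1.1.3.7688: R 2055594473:2055594473(0) win 8760
20:26:31.780071 IP 192.168.1.3.445 > 10.1.1.3.44705: R 1228413248:1228413248(0) win 8760
20:26:31.780111 IP 192.168.1.3.445 > 10.1.1.3.44865: P 1625648103:1625648104(1) ack 1556916921 win 8760
20:26:31.780133 IP 192.168.1.3.445 > 10.1.1.3.46794: P 1741804190:1741804191(1) ack 1556925500 win 8760
20:26:31.780146 IP 192.168.1.3.445 > 10.1.1.3.45314: S 2055695379:2055695379(0) ack 1561395159 win 8760
20:26:31.780424 IP 10.1.1.3.53591 > 192.168.1.3.445: S 3168046082:3168047338(1256) win 8760
20:26:31.780439 IP 10.1.1.3.16866 > 192.168.1.3.445: . ack 966721888 win 8760
20:26:31.780448 IP 10.1.1.3.51611 > 192.168.1.3.445: . ack 966727921 win 8760
20:26:31.780457 IP 10.1.1.3.4907 > 192.168.1.3.445: . ack 966733954 win 8760
20:26:31.780469 IP 192.168.1.3.445 > 10.1.1.3.39042: S 2755602194:2755602194(0) ack 1561403738 win 8760
20:26:31.780495 IP 192.168.1.3.445 > 10.1.1.3.49863: P 1214725317:1214725318(1) ack 1556934079 win 8760
20:26:31.780517 IP 192.168.1.3.445 > 10.1.1.3.19870: P 2822795228:2822795229(1) ack 1556942658 win 8760
20:26:31.780527 IP 192.168.1.3.445 > 10.1.1.3.41920: R 1588614407:1588614407(0) win 8760
20:26:31.780549 IP 192.168.1.3.445 > 10.1.1.3.39849: P 2309451107:2309451108(1) ack 1556951237 win 8760
20:26:31.780571 IP 192.168.1.3.445 > 10.1.1.3.62491: P 1423823578:1423823579(1) ack 1556959816 win 8760
20:26:31.780861 IP 10.1.1.3.45122 > 192.168.1.3.445: S 3014003755:3014005011(1256) win 8760
20:26:31.781144 IP 10.1.1.3.40352 > 192.168.1.3.445: S 2474761156:2474762412(1256) win 8760
"""

# timestamp, src.port > dst.port: FLAGS rest-of-line (classic tcpdump TCP format)
LINE_RE = re.compile(
    r"^(\S+) IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): ([SPRF.]+)(.*)$"
)


def classify(flags, has_ack):
    """Map the tcpdump flag token plus ack presence to a coarse packet kind."""
    if "S" in flags:
        return "syn_ack" if has_ack else "syn"
    if "R" in flags:
        return "rst"
    if "P" in flags:
        return "psh"
    return "ack_only" if has_ack else "other"


def parse_packet_display(text):
    """One dict per TCP line; non-matching lines (headers, prompts) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, flags, rest = m.groups()
        records.append({
            "ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": flags,
            "kind": classify(flags, " ack " in rest + " "),
        })
    return records


def flag_summary(records):
    """Count of packets by kind across the whole capture."""
    return dict(Counter(r["kind"] for r in records))


def syn_targets(records):
    """New-connection attempts grouped by (src, dst, dport)."""
    return dict(Counter((r["src"], r["dst"], r["dport"])
                        for r in records if r["kind"] == "syn"))


if __name__ == "__main__":
    recs = parse_packet_display(SAMPLE_IPLOG)
    print(flag_summary(recs))
    print(syn_targets(recs))
```

Comparing the SYN count against the SYN/ACK and reset counts for the same conversation is a cheap first check on whether the traffic that triggered the iplog is completing handshakes or being refused, before opening the full log in a packet analyser.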
Jay Johnston Thu, 04/21/2011 - 07:40

Thanks Manish! Do you have any useful commands that you use on the ASA that you can share?

manish arora Thu, 04/21/2011 - 09:43

Jay,

I might not have any command that you don't know of; the "show parser dump all" shows all the possible commands that you have an option of using. But I have used "clear/show crypto protocol ikev1/ipsec" a lot when I am trying to troubleshoot a VPN issue with a tunnel coming up. It shows the requests for encrypting / decrypting.

I am sure you were aware of these commands.

Thanks Again for the Post BTW

manish

karthikaravind Fri, 04/29/2011 - 09:13

Would like to add this one:


ciscoasa(config)# vpnsetup ?


configure mode commands/options:
  ipsec-remote-access  Display IPSec Remote Access Configuration Commands
  l2tp-remote-access   Display L2TP/IPSec Configuration Commands
  site-to-site         Display IPSec Site-to-Site Configuration Commands
  ssl-remote-access    Display SSL Remote Access Configuration Commands

Jay Johnston Mon, 05/02/2011 - 08:20

This is a great command, can you show the full sample output from it, such as 'vpnsetup site-to-site steps'? That will really show the usefulness of the command (especially for those studying for the CCIE).

karthikaravind Mon, 05/02/2011 - 09:20

Steps to configure a remote access IKE/IPSec connection with examples:


ciscoasa(config)# vpnsetup ipsec-remote-access steps


1. Configure Interfaces


    interface GigabitEthernet0/0
     ip address 10.10.4.200 255.255.255.0
     nameif outside
     no shutdown


    interface GigabitEthernet0/1
     ip address 192.168.0.20 255.255.255.0
     nameif inside
     no shutdown


2. Configure ISAKMP policy


    crypto isakmp policy 65535
     authentication pre-share
     encryption aes
     hash sha


3. Setup an address pool


    ip local pool client-pool 192.168.1.1-192.168.1.254


4. Configure authentication method


    aaa-server MyRadius protocol radius
    aaa-server MyRadius host 192.168.0.254
     key $ecretK3y


5. Define tunnel group


    tunnel-group client type remote-access
    tunnel-group client general-attributes
     address-pool client-pool
     authentication-server-group MyRadius
    tunnel-group client ipsec-attributes
     pre-shared-key [email protected]


6. Setup ipsec parameters


    crypto ipsec transform-set myset esp-aes esp-sha-hmac


7. Setup dynamic crypto map


    crypto dynamic-map dynmap 1 set transform-set myset
    crypto dynamic-map dynmap 1 set reverse-route


8. Create crypto map entry and associate dynamic map with it


    crypto map mymap 65535 ipsec-isakmp dynamic dynmap


9. Attach crypto map to interface


    crypto map mymap interface outside


10. Enable isakmp on interface


    crypto isakmp enable outside


Steps to configure a remote access L2TP/IPSec connection with examples:


ciscoasa(config)# vpnsetup l2tp-remote-access steps


1. Configure Interfaces


    interface GigabitEthernet0/0
     ip address 10.10.4.200 255.255.255.0
     nameif outside
     no shutdown


    interface GigabitEthernet0/1
     ip address 192.168.0.20 255.255.255.0
     nameif inside
     no shutdown


2. Configure ISAKMP policy


    crypto isakmp policy 65535
     authentication pre-share
     encryption aes
     hash sha


3. Setup an address pool


    ip local pool client-pool 192.168.1.1-192.168.1.254


4. Configure authentication method


    aaa-server MyRadius protocol radius
    aaa-server MyRadius host 192.168.0.254
     key $ecretK3y


5. Define tunnel group


    tunnel-group client type remote-access
    tunnel-group client general-attributes
     address-pool client-pool
     authentication-server-group MyRadius
    tunnel-group client ipsec-attributes
     pre-shared-key [email protected]
    tunnel-group DefaultRAGroup ppp-attributes
     authentication pap


6. Setup ipsec parameters


    crypto ipsec transform-set myset esp-aes esp-sha-hmac
    crypto ipsec transform-set myset mode transport


7. Setup dynamic crypto map


    crypto dynamic-map dynmap 1 set transform-set myset


8. Create crypto map entry and associate dynamic map with it


    crypto map mymap 65535 ipsec-isakmp dynamic dynmap


9. Attach crypto map to interface


    crypto map mymap interface outside


10. Enable isakmp on interface


    crypto isakmp enable outside


Steps to configure a site-to-site IKE/IPSec connection with examples:


ciscoasa(config)# vpnsetup site-to-site steps


1. Configure Interfaces


    interface GigabitEthernet0/0
     ip address 10.10.4.200 255.255.255.0
     nameif outside
     no shutdown


    interface GigabitEthernet0/1
     ip address 192.168.0.20 255.255.255.0
     nameif inside
     no shutdown


2. Configure ISAKMP policy


    crypto isakmp policy 10
     authentication pre-share
     encryption aes
     hash sha


3. Configure transform-set


    crypto ipsec transform-set myset esp-aes esp-sha-hmac


4. Configure ACL


    access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0


5. Configure Tunnel group


    tunnel-group 10.20.20.1 type ipsec-l2l
    tunnel-group 10.20.20.1 ipsec-attributes
     pre-shared-key [email protected]


6. Configure crypto map and attach to interface


    crypto map mymap 10 match address L2LAccessList
    crypto map mymap 10 set peer 10.10.4.108
    crypto map mymap 10 set transform-set myset
    crypto map mymap 10 set reverse-route
    crypto map mymap interface outside


7. Enable isakmp on interface


    crypto isakmp enable outside


Steps to configure a remote access SSL VPN remote access connection and AnyConnect with examples:


ciscoasa(config)# vpnsetup ssl-remote-access steps


1. Configure and enable interface


    interface GigabitEthernet0/0
     ip address 10.10.4.200 255.255.255.0
     nameif outside
     no shutdown


    interface GigabitEthernet0/1
     ip address 192.168.0.20 255.255.255.0
     nameif inside
     no shutdown


2. Enable WebVPN on the interface


    webvpn
     enable outside


3. Configure default route


    route outside 0.0.0.0 0.0.0.0 10.10.4.200


4. Configure AAA authentication and tunnel group


    tunnel-group DefaultWEBVPNGroup type remote-access
    tunnel-group DefaultWEBVPNGroup general-attributes
     authentication-server-group LOCAL


5. If using LOCAL database, add users to the Database


    username test password [email protected]
    username test attributes
     service-type remote-access


Proceed to configure AnyConnect VPN client:


6. Point the ASA to an AnyConnect image


    webvpn
     svc image anyconnect-win-2.1.0148-k9.pkg


7. enable AnyConnect


    svc enable


8. Add an address pool to assign an ip address to the AnyConnect client


    ip local pool client-pool 192.168.1.1-192.168.1.254 mask 255.255.255.0


9. Configure group policy


    group-policy DfltGrpPolicy internal
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol svc webvpn

golly_wog Tue, 05/10/2011 - 14:40

Don't rely on this command! It isn't in the code currently used in the lab... :-)

Jay Johnston Mon, 06/20/2011 - 08:08

Eugene, The 'show nat pool' command is only available in version 8.3 and later.

andy.winford Thu, 06/16/2011 - 13:32

Jay, I really enjoy the podcast. Tell David to speak up. I have to turn up the volume and then Magnus comes in and blows out my speaker. As a consultant for a Gold Partner, I would like to share a command that I use frequently to help my customers when troubleshooting site-to-site VPNs. Usually a change has been made around the configuration that may have modified the preshared key being utilized. Using the more system:running-config command, it will display the full key instead of the asterisks. Hope this is helpful. Keep up the great podcast. I travel a lot and enjoy listening to you guys.

Jay Johnston Mon, 06/20/2011 - 08:09

Andy, thanks for the comments. We're working on making the audio quality better and keeping the levels more "level".


Let us know if there are topics you would like us to cover in the future!
