Search Results
440 total results found
Show Dropped Packets
(2019-09-20) Show Dropped Packets ALBERT# capture TEST type asp-drop all real-time […] ^C ALBERT# show capture TEST trace | in 10.7.3.1 9: 10:36:38.550340 10.7.3.1 > 10.1.1.11: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured ru...
Self-Signed Certificates
(2018-01-10) Problem I have a new ASA and I need some self-signed certificates. Solution (this is all conf t ) Setup stuff: hostname myasa domain-name cisco.com clock set 00:00:00 1 Jan 2010 clock set timezone EST -5 Generate the default rsa keypair: crypto...
Disable TCP Timestamps
(2022-01-08) Problem Some security scanner is complaining that TCP Timestamps are enabled on my ASA. Solution access-list ACL_TCP extended permit tcp any any ! class-map timestamp_class_map match access-list ACL_TCP ! tcp-map timestamp_tcp_map tcp-options t...
Force TLSv1.2 or higher
(2020-01-20) Problem ASA still responding to, and using, protocols less than TLS1.2. AKA: SSLv2 and SSLv3 are still being used, which is bad. Solution # config (config)# ssl server-version tlsv1.2 (config)# ssl client-version tlsv1.2 (config)# exit Commentary...
Missing HTTPOnly Cookie Attribute
(2022-01-08) Problem Some security scanner is complaining that there's no 'httpOnly' cookie attribute. Solution None, Cisco won't fix because they don't consider it a serious issue. Reference (requires login)
PPPoE Session Status
(2021-12-03) Problem What is happening with my PPPoE session? Solution Nothing, probably, but here are some commands that will show you things: # show vpdn session pppoe state # show vpdn session pppoe packets # show vpdn tunnel pppoe summary # show vpdn pppin...
Security Commands
(2019-01-20) Problem Collection of the SSL mitigations I've been collecting. Solution No commentary. See individual pages in the Cisco/ASA hierarchy for details and sources. conf t ssl cipher tlsv1 fips ssl cipher tlsv1.1 fips ssl cipher tlsv1.2 fips ssl dh-gr...
SSH pubkey authentication
(2020-09-25) Problem How to set up an ASA to accept an ssh pubkey? Solution Create a ssh key as normal. Create the Base64 Encoded Public Key that the ASA wants: $ ssh-keygen -e -f id_rsa.pub ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "4096-bit RSA, converted by ...
Test Authentication Server
(2020-03-18) Problem Is my Radius (or LDAP) server working? Solution # show run | begin aaa-server aaa-server MS-IAS protocol radius aaa-server MS-IAS (inside) host 192.168.8.7 key ***** radius-common-pw ***** [...] MNI-India-FW# test aaa-server authenticati...
TLS DH Group Key Length
(2020-01-20) Problem Something like SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability Solution # conf (config)# ssl dh-group group14 (config)# end
Use User's Password As Enable Password
(2020-12-17) Problem I want to use my username password as the enable password in ssh sessions Solution The ASDM will use the password from your Username, while when logging in to the console it will use the enable password when you enter exec mode (when you t...
Faking a secondary IP
(2013-04-30) Problem ASA won't let you define a secondary IP on an interface. Solution Fake it with arp-proxying. Find the mac address of the interface you will be using: sh interface Ethernet0/1 Define a static arp for the new IP with the existing mac addres...
Mailguard
Problem Can't send or receive some messages through a Cisco ASA firewall. Solution Turn off Mailguard on the ASA: ASA# conf t ASA(config)# no fixup protocol smtp 25 ASA(config)# exit ASA# write me Building configuration... It may be necessary to reset/reload ...
Password Reset
Bypass Cisco system configuration Plug in your serial console, reboot the ASA, press 'ESC' when it's booting # Now get into configuration management rommon #0> confreg # Record this next line, we'll need it later. Current Configuration Register: 0x00000001 Confi...
Console Commands
(2017-04-26) Some Console Commands # show run | in <string> # more run | begin <string> useful eg: # more run | begin tunnel-group
Port Span
Session Monitoring This is the vocabulary that Cisco uses to describe port mirroring, port monitoring, RMON Roving Port Analysis, whatever. This example shows how to create SPAN session 1 to monitor both sent and received traffic on a source interface and on a...
SASL build
(Note from 2024: probably dangerously outdated) Customer Information (brains) : # export PATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin # ././configure --prefix=/usr --disable-cram --disable-digest --disable-otp --with-dblib=none --disable-krb4 --di...
sasldblistusers2
Lists the contents of the sasldb2 database. # sasldblistusers2 cyrus@gwx1: userPassword dave@gwx1: userPassword
saslpasswd2
This is the utility for creating, changing, and deleting users and passwords from the local sasl database (usually /etc/sasldb2). You can run it either as root or the cyrus admin user (in our case, cyrus ). Check the ownership of the sasl database if you are u...
Daemon Tools
Hi Dave, Finally got the daemontools on netmon01 to supervise radiusd, and it should restart if the computer is restarted. netmon01# cd /service/radiusd/ netmon01# ls env/ run* supervise/ netmon01# cat run #!/bin/sh echo "Starting FreeRadius" ...