Archive for November, 2013

How to use the Cisco ASA built in packet capture tool

Posted: November 27, 2013 in Cisco Security - Firewalls
0

 

 
During troubleshooting it is often necessary to see what traffic is being passed between two networks or two hosts. Lets use built-in capture tool. Below are the steps you need to take:
So, we are troubleshooting traffic between a host with the address of 20.20.20.1 and a host with the address of 10.10.10.1.

1.) Define the traffic that you would like to check by creating capture file called LB:

#access-list LB extended permit ip host 20.20.20.1 host 10.10.10.1
#access-list LB extended permit ip host 10.10.10.1 host 20.20.20.1
#access-list LB extended permit icmp host 20.20.20.1 host 10.10.10.1
#access-list LB extended permit icmp host 10.10.10.1 host 20.20.20.1

2.) Create and start the packet capture process called LB:

#capture LB access-list LB

3.) Create some traffic between these hosts.
Our defined ACL will detect all traffic between these two hosts, so let just start pinging:

From the host 20.20.20.1 ping 10.10.10.1
From the host 10.10.10.1 ping 20.20.20.1

4.) Analyze the packet capture.

#show capture LB !— This will show all captured traffic.

5.) Turn off the packet capture and remove the ACL:

#no capture LB
#clear configure access-list LB

#clear capture LB !—clear the capture log by using this command
#show capture LB | inc 20.20.20.1 !—use the pipe functionality when viewing output

 

 

 

 

BGP

Posted: November 26, 2013 in Generic IOS, Uncategorized
0

 

ScreenClip


Router1(config-router)#do sh ip int br
FastEthernet0/0 136.1.13.1
Loopback0 150.1.1.1

Router1(config)#router bgp 11
Router1(config-router)#neighbor 136.1.23.2 remote-as 22
Router1(config-router)#neighbor 136.1.23.2 ttl-security hops 2
Router1(config-router)#network 150.1.1.1 mask 255.255.255.255
Router1(config-router)#exit

router bgp 11
no synchronization
bgp log-neighbor-changes
network 150.1.1.1 mask 255.255.255.255
neighbor 136.1.23.2 remote-as 22
neighbor 136.1.23.2 ttl-security hops 2
no auto-summary
!
Router2(config)#router bgp 22
Router2(config-router)#neighbor 136.1.13.1 remote-as 11
Router2(config-router)#neighbor 136.1.13.1 ttl-security hops 2
Router2(config-router)#network 150.1.2.2 mask 255.255.255.255
Router2(config-router)#exit

router bgp 22
no synchronization
bgp log-neighbor-changes
network 150.1.2.2 mask 255.255.255.255
neighbor 136.1.13.1 remote-as 11
neighbor 136.1.13.1 ttl-security hops 2
no auto-summary

Router2#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 136.1.23.2
Loopback0 150.1.2.2

Router2#sh ip bgp summary
BGP router identifier 150.1.2.2, local AS number 22
BGP table version is 2, main routing table version 2
1 network entries using 120 bytes of memory
1 path entries using 52 bytes of memory
1/1 BGP path/bestpath attribute entries using 124 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 296 total bytes of memory
BGP activity 1/0 prefixes, 1/0 paths, scan interval 60 secs

Neighbor    V   AS    MsgRcvd     MsgSent     TblVer    InQ    OutQ   Up/Down State/PfxRcd
136.1.13.1   4   11       0                   0                   1              0        0              never      Idle

Class, class-map, policy-map

Posted: November 5, 2013 in Generic Firewalling
0

ip access-list extended TTL    
permit ip host 172.16.1.1 any ttl lt 2

 

class-map acl-filter-class

# match access-group name TTL

 

policy-map acl-filter
class acl-filter-class

drop

 

control-plane
service-policy input acl-filter

The following example configures a traffic class called acl-filter-class for use in a policy map called acl-filter. An access list permits IP packets from any source having a TTL of 0 or 1. Any packets matching the access list are dropped.
The policy map is attached to the control plane.

!– defines an IP access list that filters on a TTL value; it must be an extended access list.
ip access-list extended TTL    !–Every access list must have at least one permit statement.!–This access-list sets conditions to allow a packet to pass a named IP access list.
!–This example permits packets from source 172.16.1.1 to any destination with a TTL value less than 2. Any packets that pass the access list are dropped in policy. This special access list is separate from any interface access list.
#permit ip host 172.16.1.1 any ttl lt 2!– Creates a class map to be used for matching packets to a specified class.
#class-map acl-filter-class!– Configures the match criteria for a class map on the basis of the specified access control list.

     # match access-group name TTL!– Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

policy-map acl-filter!– Specifies the name of the class whose policy you want to create or change or to specify the default class (commonly known as the class-default class) before you configure its policy.

class acl-filter-class!– Configures a traffic class to discard packets belonging to a specific class.

drop!– Associates or modifies attributes or parameters that are associated with the control plane of the device.

control-plane

!– Attaches a policy map to a control plane for aggregate control plane services.Router(config-cp)# service-policy input acl-filter