Ltrsec 3021 PDF

ASA Hands-on
Troubleshooting Lab
LTRSEC-3021
Jay Johnston – Technical Leader, Cisco Services

David White – Principal Engineer, Cisco Services
Introduction
• Who we are
Jay Johnston David White

jajohnst@cisco.com dwhitejr@cisco.com
Technical Leader, Services Principal Engineer, Services
11 years @ Cisco 15 years @ Cisco
• Why we wanted to create this Lab

• What we hope you get out of it
Agenda
• 4 hour class with 5 hands-on Labs

• Format is alternating Lecture… then Lab
• Lectures will focus on CLI troubleshooting tools which you can use in
daily troubleshooting scenarios
• For each Lab, you will have approximately 20 minutes to resolve the
issue
• After each Lab, we will walk through the solution
• There will be 1 – 15 minute break at around 9:30am
Troubleshooting Basics
ASA Troubleshooting
• All troubleshooting starts with identifying the Symptom (Problem).
• One needs to be as specific as possible
• With the ASA, it generally means defining the traffic flow (connection)
• Ask these questions:
1. Who is having the problem (What IP)
2. What are they trying to access (Dest IP and Port)
3. What interface is the packet ingressing
4. What interface is the packet egressing
5. Finally, WHAT is the problem
ASA Troubleshooting
• With the problem properly scoped, use the tools in your tool bag to start
narrowing in on the issue.
• Start, by trying to answer these questions:
1. Is the traffic making it to the ASA?
2. Is the traffic leaving the ASA?
3. Is a connection created?
4. Why is the connection torn down?
5. Is the ASA dropping any packets on the flow?
Syslogs
• Syslogs should almost always be the first place you go when starting to
troubleshoot a problem.
• ASA has very robust syslogs for almost everything.
• Currently, ASA as 2,140 unique syslogs
• Syslogs are assigned to one of eight levels (0-7)
• Syslogs can be sent to multiple destinations:
Local buffer E-mail

Terminal session FTP Server
Console Flash (local)
Syslog server SNMP server
Syslogs - Examples
• Connection creation and teardown are two of the most useful syslogs when
troubleshooting
Translated IP Real IP
%ASA-6-302013: Built inbound TCP connection 16181591 for outside:10.1.1.211/54356

(10.1.1.211/54356) to inside:10.3.20.50/80 (10.19.4.11/80)
%ASA-6-302014: Teardown TCP connection 16181591 for outside:10.1.1.211/54356 to

inside:10.3.20.50/80 duration 0:00:00 bytes 600 TCP FINs
Interface Bytes Teardown

Names Transmitted Reason
Syslogs – CLI Configuration
• When troubleshooting – enable syslogging to the local buffer, generally at
debug level
• May need to increase the default buffer-size. Max is 1 MB (size is in Bytes)
• Use show filters to filter out syslogs you are not interested in, or to filter for a
specific IP
logging enable
logging buffered debugging
!
! Optional
logging buffer-size 512000
logging timestamp
Syslogs – ASDM Configuration
• Enable Syslogs in ASDM from the Monitoring Tab  Logging
• Specify the ASDM logging Level, and Buffer Limit, then View
Syslogs – Viewing in ASDM
Filtering Output with the CLI
• Filtering output is very useful when issuing ‘show’ commands, or when
searching though syslogs
• ASA supports:
include <regex match>
exclude <regex match>
grep <regex match>
grep -v <regex match>
begin <regex match>
• Example:
! Show the syslogs minus those we aren’t interested in
ASA# show log | exclude 609001|609002|710005
! Show only TCP Built and Teardown Connections

ASA# show log | include 302013|302014
Filtering Output with ASDM
ASDM filter
accepts Regular
Expression
Patterns (regex)
show conn
• All traffic which passes through the ASA will create a connection
• show conn is used to view the ACTIVE ASA connection table
Client IP Server IP
PodXX# show conn

1340 in use, 8064 most used
TCP outside 107.193.95.48:21081 inside 10.3.20.50:80, idle 0:00:00, bytes 540, flags UIOB
TCP outside 97.231.75.232:20991 inside 10.3.20.50:80, idle 0:00:00, bytes 544, flags UfB
TCP outside 64.133.83.157:20976 inside 10.3.20.50:80, idle 0:00:00, bytes 0, flags SaAB
Interface Bytes Connection

Names Transmitted Flags
ASDM Connection Table
• Connection Table is found under Monitoring  Properties  Connections
• Must click Refresh manually to see latest connections
• Important: No connection Flags are Displayed!
For your
reference
show conn
• Common Connection Flags
S Awaiting Inside SYN
Flags REMOVED s Awaiting Outside SYN
Upon Receipt of packet A Awaiting Inside ACK to SYN
a Awaiting Outside ACK to SYN
B Initial SYN from Outside (Inbound Conn)
U 3-way Handshake Complete
I Received Inbound Data
O Received Outbound Data
Flags ADDED Upon
F Received Outside FIN
Receipt of packet
f Received Inside FIN
R Received Outside ACK to FIN
r Received Inside ACK to FIN
X Inspected by Service Module
For your
reference
show conn
• Issue show conn detail to view definition of all connection Flags
ASA# show conn detail

Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
X - inspected by service module
For your
reference
Connection Flags — Quick Reference
Outbound Connection Inbound Connection
show perfmon
• Perfmon – stands for Performance Monitor
• show perfmon is used to display current rate information.
ASA# show perfmon
PERFMON STATS: Current Average

Xlates 10/s 0/s
Connections 479/s 350/s
TCP Conns 459/s 327/s
UDP Conns 20/s 23/s
URL Access 312/s 250/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCP Intercept Established Conns 0/s 0/s
TCP Intercept Attempts 0/s 0/s
TCP Embryonic Conns Timeout 0/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
VALID CONNS RATE in TCP INTERCEPT: Current Average

N/A 100.00%
Perfmon in ASDM
• Select Monitoring  Properties  Connection Graphs  Perfmon
• Next, select the perfmon
statistics you want to graph.
• Choose Add
• Choose Show Graphs
Let the Fun Begin!
Objective
• The objective is simple, keep your web server up
(100% availability).
• Watch the status of your server on the screen.
Green means UP
Red means Down

Lab – General Rules
1. Do Not – Remove the IP Address from your ASA
2. Do Not – Shutdown any of the Interfaces on your ASA
3. Do Not – Block SSH access to your ASA (by modifying the ‘ssh …’ commands
4. Do Not – Remove/Change usernames or passwords
5. Do Not – Modify the AAA configuration
6. Do Not – Block access from our monitoring server (10.1.1.211) to your web server
7. Please see us if you feel the need to ‘reboot’ your ASA
Lab – Initial Connectivity
• The Lab Guide provides the topology and all connectivity information.
• Follow the steps there to:
1. Establish the SSH Session to your ASA
2. Verify your Web Server is serving up your web page
3. (Optionally) Establish an ASDM connection to your ASA
Lab - Topology
XX = Pod Number
SSH Authentication: Use Putty to 10.2. XX.2 user: cisco pass: cisco
ASDM Authentication: https://10.2. XX.2 user: cisco pass: cisco
HTTP to Web Server
SSH to Outside of ASA
Outside Inside
.2 .1
192.168.1.0/24 10.2.XX.0/24 10.3.XX.0/24
10.4.XX.0/24
Web Server
DMZ
10.3.XX.50
Important Notes
• The ASAs are in production, so only make changes to them that you
would make on your own production ASAs to restore network
connectivity.
• Use the Lab Guide if you get stuck, and work through the Helpful Steps
• After each lab, we will reset the configurations to a default state, and
you will be kicked out. You will lose your SSH/ASDM connection and
will need to reconnect.
LAB 1
• You have been hired as a civilian Networking Expert on a
Fast Attack Submarine. Your job is to ensure the network
for the sub is available at all times. The network controls
both the dive and attack functions of the sub, as well as all
other systems necessary for your survival.
• The sub is preparing to leave the base, but is currently

connected to the mainland Internet. HQs needs to run
remote diagnostics on the systems before the sub can
depart. To do this, they need access to the web server.
• Your job - ensure that anyone is able to reach the web

server 100% of the time.
Lab 1 – Solution Walkthrough
ASA 8.3+ NAT – Crash Course
• Prior to 8.3, NAT on the ASA was configured using:
nat command nat (inside) 0 203.0.113.0 255.255.255.0
nat (inside) 1 10.3.19.0 255.255.255.0

nat + global commands global (outside) 1 interface
static (inside,outside) 198.51.100.50

static command 10.3.19.50
• With 8.3, all NAT is configured using the nat command

• There are two types of NAT configurations.
• Object NAT (Auto-NAT)
• Manual NAT (Twice NAT)
Object-NAT (Auto-NAT) CLI Examples
• Object NAT is the simplest form of NAT, and is defined within an object
Host NAT
object network obj-WebServer
host 10.3.19.50
nat (inside,outside) static 198.51.100.50
Network NAT
object network Servers
subnet 10.0.54.0 255.255.255.0
Dynamic PAT (interface overload)

object network InternalUsers
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) dynamic interface
Object-NAT (Auto-NAT)
• Dynamic NAT with PAT overload is configured in a Manual NAT rule using the
pat-pool keyword
object network localIPs
range 10.1.1.1 10.1.1.254
object network globalIPs
range 192.168.1.1 192.168.1.254
object network patIPs
range 1.1.1.4 1.1.1.8
!
nat (inside,outside) source dynamic localIPs globalIPs pat-pool patIPs
Manual NAT (Twice NAT)
• Manual NAT is configured using only Objects or Object-Groups – NO IPs!
• Manual NAT is used to specify how to translate traffic depending on the
destination IP/subnet of the packet
• Manual NAT is also called Twice-NAT because it can specify how to translate
the source and the destination of the packet in one line (“NAT the packet
twice”)
• If the Manual NAT line specifies an identity translation for the destination, then
the destination is not changed, and the destination is simply used to match the
packet.
Manual NAT command breakdown
For the packet to match this
translation the destination IP
must match ‘outGlobal’
Specify interfaces the Change the source IP Change the destination IP

NAT rule applies to from ‘inLocal’ to ‘inGlobal’ from ‘outGlobal’ to ‘outLocal’
nat (in,out) source static inLocal inGlobal destination static outGlobal outLocal
Translate the source Translate the destination

statically (one to one) statically (one to one)
• Manual NAT should be used to translate the destination, or for policy NAT
object network ServerReal
host 10.3.19.50
object network ServerTrans
host 198.51.100.50
object network RemoteSite
subnet 10.0.0.0 255.255.255.0
Static NAT
nat (inside,outside) source static ServerReal ServerTrans
Static Policy NAT

nat (inside,outside) source static ServerReal ServerTrans destination static RemoteSite RemoteSite
• Manual NAT should be used to translate the destination, or for policy NAT
host 10.3.19.50
host 198.51.100.50
object network RemoteSite
subnet 10.0.0.0 255.255.255.0
object network RemoteTrans
subnet 203.0.113.0 255.255.255.0
Static Policy NAT – NAT Exemption (for VPN)

nat (inside,outside) source static ServerReal ServerReal destination static RemoteSite RemoteSite
Translate
Static - Twice NAT Source IP
nat (inside,outside) source static ServerReal ServerTrans destination static RemoteSite RemoteTrans
Translate
Destination IP
ASA 8.3+ NAT Troubleshooting
• Prior to 8.3, show xlate was the best command to use for troubleshooting NAT
issues.
• With the NAT changes introduced in 8.3, one should now use the
show nat detail command
• Allows for visibility of IPs/Networks within an object
show xlate vs. show nat detail
Real Translated
Pod19# show xlate
(UnMapped) IP
14 in use, 16 most used (Mapped) IP
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:10.3.19.98 to outside:209.165.200.252
flags s idle 0:00:07 timeout 0:00:00
NAT from inside:10.3.19.20 to outside:209.165.200.225
NAT from inside:10.3.19.22 to outside:209.165.200.227
Pod19# show nat detail Real (UnMapped) Translated (Mapped)
Manual NAT Policies (Section Source
1) IP Source IP
1 (dmz) to (outside) source static obj-10.3.19.98 obj-209.165.200.252 destination
static obj-209.165.201.0 obj-209.165.201.0
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.3.19.98/32, Translated: 209.165.200.252/32
Destination - Origin: 209.165.201.0/24, Translated: 209.165.201.0/24
Auto NAT Policies (Section 2)

1 (inside) to (outside) source static obj-HR-unixServer 209.165.200.225
Real (UnMapped) Translated (Mapped)
Destination IP Destination IP
2 (inside) to (outside) source static obj-HR-linuxServer 209.165.200.227
Real-IP
• Finally, a reminder that with 8.3+ Real-IPs are used in ACLs
Real, UnTranslated address
object network obj-WebServer of internal Server
host 10.3.19.50
!
access-list allowIn permit tcp any host 10.3.19.50 eq 80
!
access-group allowIn in interface outside
Inbound ACL permits traffic

destined to 10.3.19.50
198.51.100.50 10.3.19.50
outside inside
Web Server
10.3.19.50
Packet Capture
• ASA packet capture provides built-in sniffer functionality pre- and post-Firewall
processing
• Allows one to see exact changes made on the packet passing through the ASA
• By default, full packet is captured. Optionally, one can specify the packet-
length, or headers-only (L2-L4)
• ACLs or Match criteria should be applied to limit captured traffic to what is
interesting
• ACLs are unidirectional, Match statements are bi-directional
• Multiple captures can be applied to the same interface, but a packet is only
captured once.
Packet Capture
• Captures can be viewed in real-time, but typically better to view in the buffer
• By default, when viewing packets in the buffer the ASA displays L3 and L4
information
• The detailed option adds L2 information
• The dump option displays packet contents (in ascii)
• Captures can be exported in pcap format
• A circular-buffer may be used to allow buffer wrap
• ASDM provides a nice capture wizard
ASDM Packet Capture Wizard
• Enable Packet Captures in ASDM from Wizards  Packet Capture Wizard
Packet Capture – Real Benefit
• Allows one to validate if traffic:
1. Is being received by ASA
2. Being passed through, and transmitted out of the ASA
3. If reply traffic is returning to the ASA
4. If the reply traffic transits the ASA and transmitted out egress interface
1. 2.
4. 3.
.2 .1
192.168.1.0/24 10.2.XX.0/24 10.3.XX.0/24
Web Server
10.3.XX.50
Packet Capture – Best Practices
• Use short names for capture names. Preferably, an abbreviation of the
interface name where the capture is applied.
• Create two captures. One for ingress interface, one for egress interface.
(ASDM does this by default :-)
• Don’t apply the same capture to multiple interfaces.
• Stop a capture by removing it from the interface
• Use show capture to see how many bytes have been captured (if any)
ASA# show capture
capture in type raw-data interface inside [Capturing - 4674 bytes]
capture out type raw-data interface outside [Capturing - 74271 bytes]
capture man type raw-data interface management [Buffer Full - 522977 bytes]
Packet Capture – Lab info
• Be sure to filter out your SSH/ASDM connection using either ACLs or the
Match statement
access-list capture deny tcp any any eq 22

access-list capture deny tcp any eq 22 any
access-list capture permit ip any any
!
capture out interface outside access-list capture
-- OR --
capture out interface outside match tcp any host 10.3.XX.50 eq 80
• Clear all captures simultaneously with:

ASA# clear capture /all
Accelerated Security Path
• The Accelerated Security Path (ASP) comprises most of the checks and
modifications applied to transient packets.
• If a packet is dropped due to violating any security check, it will be accounted
for in the output of show asp drop.
• There are both packet (frame) drop counters and connection (flow) drop
counters.
• Packets dropped in the ASP can be captured, using a capture type of asp-drop.
(Note: Not available from within ASDM Capture Wizard)
• Asp-drop captures cannot be filtered by an ACL, but must be filtered by drop
reason.
• Use the drop reason of all to capture all ASP drops.
Accelerated Security Path
PodXX# show asp drop
Frame drop:
No valid adjacency (no-adjacency) 39
Flow is denied by configured rule (acl-drop) 5262
First TCP packet not SYN (tcp-not-syn) 331
TCP failed 3 way handshake (tcp-3whs-failed) 2
TCP RST/FIN out of order (tcp-rstfin-ooo) 2
Slowpath security checks failed (sp-security-failed) 129
Interface is down (interface-down) 8
Non-IP packet received in routed mode (non-ip-pkt-in-routed-mode) 1
Flow drop:
NAT failed (nat-failed) 16
NAT reverse path failed (nat-rpf-failed) 4
PodXX# capture asp type asp-drop ?
acl-drop Flow is denied by configured rule

all All packet drop reasons
async-lock-queue-limit Async lock queue limit exceeded
bad-crypto Bad crypto return in packet
bad-ipsec-natt Bad IPSEC NATT packet
bad-ipsec-prot IPSEC not AH or ESP
LAB 2
• Now that you have earned your pay by preventing rouge

countries from taking the sub offline via DDoS attacks, it’s
time to find your bunk and relax. Enjoy the run out to sea.
• But, not so fast. As the sub reaches the Pacific, all

systems are brought online, but something is wrong. The
Dive/Surface controls are off-line again.
• You have 20 minutes to bring the Dive/Surface controls

back up, or the sub will have go back to port. While the
enlisted men do not believe that bringing online all
systems could have caused a problem, they are unsure.
Also, they claim no one touched the ASA.
show service-policy
• The show service-policy command shows what inspections are applied, and
what class-maps they are assigned to.
• Allows one to quickly see:
• How many packets are matching an L7 inspection engine
• How many packets are being dropped by an L7 inspection engine
• How many bytes are being held in the tcp-proxy
• How many bytes were dropped in the tcp-proxy
• Provides idea of distribution of inspected traffic

show service-policy
PodXX# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 351, drop 0, reset-drop 0
Inspect: ftp, packet 56543., drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: esmtp _default_esmtp_map, packet 6546418, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
Class-map: SIP-class
Inspect: sip , packet 5467731, drop 31, reset-drop 0
Class-map: Skinny-class
Inspect: skinny , packet 0, drop 0, reset-drop 0
Class-map: H323-class
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
show service-policy flow …
• show service-policy flow… allows you to define a flow (connection), and the
ASA will tell you what inspection engine is applied to that flow.
• The configuration which is matched is also displayed
PodXX# show service-policy flow tcp host 192.168.5.5 host 10.3.20.50 eq 80
Global policy:
Service-policy: global_policy
Class-map: Web-class
Match: access-list WebTraffic
Access rule: permit tcp any any eq www
Action:
Input flow: inspect http
Class-map: class-default
Match: any
Action:
show service-policy flow …
• show service-policy flow is very useful to:
• Understand what policies are applied to any given traffic flow
• Unravel complex configurations, with multiple service-policies (both global and
interface)
• Validate the configuration
Note: There is no ASDM option for this command

LAB 3
• You’ve been at sea for three weeks now. Based on your
stellar performance, the Captain has promoted you. You
now manage the Sub’s Networking group and have two
reports – Jack and John. Congratulations!
• As fate would have it, it’s Friday and the sub pulls into a
nice South-Pacific birth for a weekend of R&R. You decide
to celebrate your recent promotion by drinking some local
concoctions with your friends and some locals. Early
Saturday morning an ensign comes running up saying
access to the Dive system is down again and the Captain
has ordered you to return to the sub. As you stumble back
(with assistance) you are trying to figure out what was in
those coconuts.
• Identify why the Dive system is down again, and restore

connectivity as fast as possible.
Object NAT vs. Manual NAT
• Object NAT and Manual NAT are functionally equivalent.

host 10.3.19.50
host 198.51.100.50
Object NAT
nat (inside,outside) static ServerTrans
Manual NAT
Object NAT vs. Manual NAT
• The difference is where the entries exist in the NAT table (different sections)
ASA# show nat detail

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static ServerReal ServerTrans

NAT Order of Operation
• The ASA configuration is built into the NAT Table (show nat)
• The NAT Table is based on First Match (top to bottom)
NAT Table
Static NAT Manual NAT Policies First Match
Longest Prefix (Section 1) (in config)
Shortest Prefix Auto NAT Policies

Dynamic NAT (Section 2)
Longest Prefix
Manual NAT [after auto] Policies First Match

Shortest Prefix (Section 3) (in config)
NAT Order of Operation
ASA# show run nat
nat (inside,outside) source dynamic Users1 NATPool1
!
object network Users2
nat (inside,outside) dynamic NATPool2
object network SecureServ
! NAT line hit counts
nat (inside,outside) after-auto source dynamic Users3 NATPool3
nat (inside,outside) after-auto source static Servers ServersTrans
increment when new
connections match
ASA# show nat
NAT rule
1 (inside) to (outside) source dynamic Users1 NATPool1

1 (inside) to (outside) source static SecureServ 203.0.113.82

2 (inside) to (outside) source static Servers ServersTrans
Packet Tracer
• Packet Tracer allows you to trace the packet as it passes through the ASA
• You can trace either a crafted packet, or a packet that was previously captured
Trace Crafted Packet

Pod19# packet-tracer input outside tcp 192.168.1.5 1025 10.3.19.50 80
Trace Captured Packet

Pod19# capture out interface outside access-list cap trace
Pod19# show capture out

. . .
43: 19:30:24.765615 802.1Q vlan#5 P0 10.1.1.211.43730 > 10.3.19.50.80: S
612034548:612034548(0) win 5840 <mss 1460,sackOK,timestamp 372044700
0,nop,wscale 6>
Pod19# show capture out trace packet-number 43

Packet Tracer
• Example CLI Output
Pod19# packet-tracer input outside tcp 192.168.1.5 1025 10.3.19.50 80
. . .
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-ServerNet
nat (inside,outside) static obj-ServerNet
Additional Information:
NAT divert to egress interface inside
Untranslate 10.3.19.50/80 to 10.3.19.50/80
. . .
ASDM Packet Tracer Example
Located off the

Tools  Packet Tracer
menu
LAB 4
• Having found the NAT configuration overlap, you realize
someone must be sabotaging the ASA config. You
suspect it could be Jack or John, since both were passed
over for your promotion.
• It seems the saboteur has struck again and the dive

control system is down. To make things worse, the
captain just received Flash traffic from HQ with orders to
pursue and track an enemy sub which is currently at 300
fathoms (1800 ft).
• You must gain access to the Dive control system to dive

your sub and fall in behind the enemy. You have 20
minutes to accomplish this task.
Quick Review
What You Should have Learned by Now
• Syslogs – Are you best friend in troubleshooting

• Show Filters – Use to remove extraneous syslog messages you don’t care about
• show conn – Use to monitor current state of connections
• Packet Captures – Use to see what is really going out on the wire
• Packet Tracer – Use to see what actions/config is applied to a packet
• Show/Capture ASP Drop – Use to view packets/flows the ASA is dropping due
to the security policy
LAB 5
• Great job in getting the sub positioned behind the enemy.
The captain has offered you an officer commission.
• However, alarms start going off on the bridge as the Dive

control system is erratic. Sometimes it is accessible and
sometimes it isn’t! As you rush into the network control
room, John bumps into you on his way out. You have
found the saboteur!
• John is thrown into the brig, but remains silent on what he

changed on the network. The sub is now in a steep dive
and passing though 350 fathoms. It’s crush depth is 500
fathoms.
• You must restore full and reliable access to the dive

control web server in the next 20 minutes or the sub will
pass through crush depth and will implode.
Closing Comments
Closing Comments
• Gain knowledge and techniques which can be used to troubleshoot any
unknown problem on the ASA
• The problems/issues introduced in the lab are not key
• Key takeaway is the tools and process
• We hope you enjoyed it

Online Resources
• TAC Security Show Podcast
• Supportforums.cisco.com
• Security RSS Feeds
TAC Security Podcast
• Knowledge from TAC… On the go!
• Monthly podcast episodes with
troubleshooting tips from TAC
• Focus on Cisco Security Technologies like
ASA Clustering, Anyconnect, ISE, Voice
Security, etc…and CCIE study tips!
Episodes already available!
@CiscoTACPodcast
Podcast Episodes
Ep. # Topic Ep. # Topic
41 Troubleshooting ASA Clustering 27 IOS Embedded Event Manager (EEM)
40 Introduction to ASA Clustering 26 Troubleshooting IPSec VPNs
39 Voice Security Concepts and Best Practices 25 Understanding DMVPN and GETVPN
38 Introduction to OnePK 24 The Cisco Identity Services Engine
37 ASA Network Address Translation (NAT) 23 The Cisco ASA Services Module
How Cisco uses the Web Security Appliance to protect its
36 Network Management at Cisco Live! 2013 22
network
35 Identity Services Engine v1.2 21 Cisco Live! Las Vegas 2011
34 Cisco Live! 2013 Orland, FL 20 This Week In TAC!
Virtual Security: The ASA 1000v and Virtual Security
33 19 Troubleshooting the NAC Appliance
Gateway (VSG)
Useful ASA and IPS Commands and Features You Might
32 Investigating Syslogs: Tips and Tricks 18
Not Know About
Answering Questions From The Cisco Support
31 A look into ASA Quality with the Quality Assurance Team 17
Community
30 Introducing FlexVPN 16 Mitigating a SQL attack with ASA, IPS and IOS Firewall
29 Cisco Live! 2012 San Diego 15 Using Certificates on the ASA and IOS platforms
28 The History of the PIX 14 TCP connections through the ASA and FWSM
Podcast Episodes
Ep. # Topic
13 HTTP Filtering on the ASA
12 Securing Cisco Routers
11 ASA Anyconnect VPN
10 ASA Version 8.3 Overview
Multiple Context Mode on the ASA and FWSM
9
Platforms
8 ASA Advanced Application Protocol Inspection
7 Monitoring Firewall Performance
6 Tips for Taking the CCIE Security Exam
5 Troubleshooting Firewall Failover, Part 2
Troubleshooting Firewall Failover Part 1; Guest Omar
4
Santos from PSIRT
3 Transparent Firewall Mode; Lifecycle of a TAC Case
2 New Features Introduced with ASA Version 8.2

Using the ASA Packet Capture Utility for
1
Troubleshooting
Supportforums.cisco.com
• Ask a Question (for Free!)

• Hundreds of Sample Configs
http://supportforums.cisco.com/
• Troubleshooting Docs
• FAQs
Security Hot Issues – RSS Feeds
• Subscribe with an RSS reader
• Receive weekly updates on the Hot Issues customers
are facing
• Separate feeds for: ASA, FWSM, ASDM
https://supportforums.cisco.com/docs/DOC-5727
Any Final Questions?
Complete Your Online Session Evaluation
• Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner
will receive a $750 Amazon
gift card.
• Complete your session surveys
though the Cisco Live mobile
app or your computer on
Cisco Live Connect.
Don’t forget: Cisco Live sessions will be available
for viewing on-demand after the event at
CiscoLive.com/Online
Participate in the “My Favorite Speaker” Contest
Promote Your Favorite Speaker and You Could Be a Winner
• Promote your favorite speaker through Twitter and you could win $200 of
Cisco Press products (@CiscoPress)
• Send a tweet and include
• Your favorite speaker’s Twitter handle @ciscotacpodcast
• Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
TCP Connection Termination Reasons For your
reference
— Quick Reference
Reason Description
Connection Ended Because It Was Idle Longer Than the
Conn-Timeout
Configured Idle Timeout
Deny Terminate Flow Was Terminated by Application Inspection
The Standby Unit in a Failover Pair Deleted a Connection
Failover Primary Closed
Because of a Message Received from the Active Unit
Force Termination After Ten Minutes Awaiting the Last ACK or
FIN Timeout
After Half-Closed Timeout
Flow Closed by Inspection Flow Was Terminated by Inspection Feature
Flow Terminated by IPS Flow Was Terminated by IPS
Flow Reset by IPS Flow Was Reset by IPS
Flow Terminated by
Flow Was Terminated by TCP Intercept
TCP Intercept
Invalid SYN SYN Packet Not Valid
Connection Timed Out Because It Was Idle Longer than the
Idle Timeout
Timeout Value
IPS Fail-Close Flow Was Terminated Due to IPS Card Down
SYN Control Back Channel Initiation from Wrong Side
TCP Connection Termination Reasons For your
reference
— Quick Reference (Cont.)

Reason Description
Force Termination After Two Minutes Awaiting
SYN Timeout
Three-Way Handshake Completion
TCP Bad Retransmission Connection Terminated Because of Bad TCP Retransmission
TCP Fins Normal Close Down Sequence
TCP Invalid SYN Invalid TCP SYN Packet
TCP Reset-I TCP Reset Was Sent From the Inside Host
TCP Reset-O TCP Reset Was Sent From the Outside Host
TCP Segment Partial
Detected a Partially Overlapping Segment
Overlap
TCP Unexpected Window Connection Terminated Due to a Variation in the
Size Variation TCP Window Size
Tunnel Has Been Torn
Flow Terminated Because Tunnel Is Down
Down
Unauth Deny Connection Denied by URL Filtering Server
Unknown Catch-All Error
Xlate Clear User Executed the ‘Clear Xlate’ Command
Anyconnect Access to Your Pod
• Launch a web browser to:
https://64.102.242.78:10000
Note the port 10000
• It will ask you to authenticate use the info below, X is your pod #:
username: podX
password: <ask>
• Anyconnect will download and install. You will now have access to your ASA
and the Web Server
Internet of Things (IoT) Cisco Education Offerings
Course Description Cisco Certification
NEW! CCNA Industrial An associate level instructor led training course designed to prepare you CCNA® Industrial
for the CCNA Industrial certification
Managing Industrial Networks with This curriculum addresses foundational skills needed to manage and Cisco Industrial
Cisco Networking Technologies (IMINS) administer networked industrial control systems. It provides plant Networking Specialist
administrators, control system engineers and traditional network engineers
with an understanding of the networking technologies needed in today's
connected plants and enterprises
Control Systems Fundamentals For IT and Network Engineers, covers basic concepts in Industrial Control
for Industrial Networking (ICINS) systems including an introduction to automation industry verticals,
automation environment and an overview of industrial control networks
Networking Fundamentals For Industrial Engineers and Control System Technicians, covers basic IP
for Industrial Control Systems (INICS) and networking concepts, and introductory overview of Automation
industry Protocols.
For more details, please visit: http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth or contact ask-edu-pm-dcv@cisco.com
Business Transformation Cisco Education Offerings
For IT and Network Professionals:
Building Business Specialist Skills • Builds non-technical skills key to ensure business impact and influence. Cisco Enterprise IT
Topics include: business analysis, finance, technology adoption and Business Specialist
effective communications.
• Bridges IT and business impacts of mature and emerging solutions

including cloud plus Internet of Everything
For Technology Sellers:

Applying Cisco Specialized Business Value Builds skills to discover and address technology needs using a business- Cisco Business Value Specialist
Analysis Skills focused, consultative sales approach
Executing Advanced Cisco Business Value Enables customer transformation through business architecture and Cisco Certified Business
Analysis and Design Techniques solution selling expertise Value Practitioner
Performing Cisco Business-Focused Provides skills and an approach to build a strategic roadmap of IT Cisco Transformative
Transformative Architecture Engagements initiatives, aligned to business priorities Architecture Specialist

Security Cisco Education Offerings
Implementing Cisco IOS Network Security (IINS) Focuses on the design, implementation, and monitoring of a comprehensive CCNA® Security
security policy, using Cisco IOS security features
Implementing Cisco Edge Network Security Solutions
(SENSS) Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco
Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls
Implementing Cisco Threat Control Solutions (SITCS)
Deploy Cisco’s Next Generation Firewall (NGFW) as well as Web Security, Email
Implementing Cisco Secure Access Solutions (SISAS) Security and Cloud Web Security
Implementing Cisco Secure Mobility Solutions Deploy Cisco’s Identity Services Engine and 802.1X secure network access
(SIMOS)
Protect data traversing a public or shared infrastructure such as the Internet by
implementing and maintaining Cisco VPN solutions
Securing Cisco Networks with Threat Detection and Designed for professional security analysts, the course covers essential areas of Cisco Cybersecurity Specialist
Analysis (SCYBER) competency including event monitoring, security event/alarm/traffic analysis, and
incident response
Network Security Product and Solutions Training For official product training on Cisco’s latest security products, including Adaptive
Security Appliances, NGIPS, Advanced Malware Protection, Identity Services
Engine, Email and Web Security Appliances see
www.cisco.com/go/securitytraining

R&S Related Cisco Education Offerings
CCIE R&S Advanced Workshops (CIERS-1 & Expert level trainings including: instructor led workshops, self CCIE® Routing & Switching
CIERS-2) plus assessments, practice labs and CCIE Lab Builder to prepare candidates
Self Assessments, Workbooks & Labs for the CCIE R&S practical exam.
• Implementing Cisco IP Routing v2.0 Professional level instructor led trainings to prepare candidates for the CCNP® Routing & Switching
• Implementing Cisco IP Switched CCNP R&S exams (ROUTE, SWITCH and TSHOOT). Also available in
Networks V2.0 self study eLearning formats with Cisco Learning Labs.
• Troubleshooting and Maintaining
Cisco IP Networks v2.0
Interconnecting Cisco Networking Devices: Configure, implement and troubleshoot local and wide-area IPv4 and IPv6 CCNA® Routing & Switching
Part 2 (or combined) networks. Also available in self study eLearning format with Cisco Learning
Lab.
Interconnecting Cisco Networking Devices: Installation, configuration, and basic support of a branch network. Also CCENT® Routing & Switching
Part 1 available in self study eLearning format with Cisco Learning Lab.

Wireless Cisco Education Offerings
• Conducting Cisco Unified Wireless Site Survey Professional level instructor led trainings to prepare candidates to conduct CCNP® Wireless
• Implementing Cisco Unified Wireless Voice site surveys, implement, configure and support APs and controllers in
Networks converged Enterprise networks. Focused on 802.11 and related
• Implementing Cisco Unified Wireless Mobility technologies to deploy voice networks, mobility services, and wireless
Services security.
• Implementing Cisco Unified Wireless Security
Services
Implementing Cisco Unified Wireless Network Prepares candidates to design, install, configure, monitor and conduct CCNA® Wireless
Essential basic troubleshooting tasks of a Cisco WLAN in Enterprise installations.

Design Cisco Education Offerings
Designing Cisco Network Service Architectures Provides learner with the ability to perform conceptual, intermediate, and CCDP® (Design Professional)
(ARCH) detailed design of a network infrastructure that supports desired capacity,
performance, availability required for converged Enterprise network
services and applications.
Designing for Cisco Internetwork Solutions Instructor led training focused on fundamental design methodologies used CCDA® (Design Associate)
(DESGN) to determine requirements for network performance, security, voice, and
wireless solutions. Prepares candidates for the CCDA certification exam.

Service Provider Cisco Education Offerings
Deploying Cisco Service Provider Network Routing SPROUTE covers the implementation of routing protocols (OSPF, IS-IS, BGP), CCNP Service Provider®
(SPROUTE) & Advanced (SPADVROUTE) route manipulations, and HA routing features; SPADVROUTE covers advanced
routing topics in BGP, multicast services including PIM-SM, and IPv6;
Implementing Cisco Service Provider Next-Generation
Core Network Services (SPCORE) SPCORE covers network services, including MPLS-LDP, MPLS traffic engineering,
QoS mechanisms, and transport technologies;
Edge Network Services (SPEDGE) SPEDGE covers network services, including MPLS Layer 3 VPNs, Layer 2 VPNs,
and Carrier Ethernet services; all within SP IP NGN environments.
Building Cisco Service Provider Next-Generation The two courses introduce networking technologies and solutions, including OSI CCNA Service Provider®
Networks, Part 1&2 (SPNGN1), (SPNGN2) and TCP/IP models, IPv4/v6, switching, routing, transport types, security, network
management, and Cisco OS (IOS and IOS XR).
Implementing Cisco Service Provider Mobility UMTS The three courses (SPUMTS, SPCDMA, SPLTE) cover knowledge and skills Cisco Service Provider Mobility
Networks (SPUMTS); required to understand products, technologies, and architectures that are found in CDMA to LTE Specialist;
Implementing Cisco Service Provider Mobility CDMA Universal Mobile Telecommunications Systems (UMTS) and Code Division Multiple Cisco Service Provider Mobility UMTS
Networks (SPCDMA); Access (CDMA) packet core networks, plus their migration to Long-Term Evolution to LTE Specialist
Implementing Cisco Service Provider Mobility LTE (LTE) Evolved Packet Systems (EPS), including Evolved Packet Core (EPC) and
Networks (SPLTE) Radio Access Networks (RANs).
Implementing and Maintaining Cisco Technologies Service Provider/Enterprise engineers to implement, verification-test, and optimize Cisco IOS XR Specialist
Using IOS XR (IMTXR) core/edge technologies in a Cisco IOS XR environment.

Collaboration Cisco Education Offerings
CCIE Collaboration Advanced Workshop (CIEC) Gain expert-level skills to integrate, configure, and troubleshoot complex CCIE® Collaboration
collaboration networks
Implementing Cisco Collaboration Applications Understand how to implement the full suite of Cisco collaboration CCNP® Collaboration
(CAPPS) applications including Jabber, Cisco Unified IM and Presence, and Cisco
Unity Connection.
Implementing Cisco IP Telephony and Video Learn how to implement Cisco Unified Communications Manager, CUBE, CCNP® Collaboration
Part 1 (CIPTV1) and audio and videoconferences in a single-site voice and video network.
Implementing Cisco IP Telephony and Video Obtain the skills to implement Cisco Unified Communications Manager in a
Part 2 (CIPTV2) modern, multisite collaboration environment.
Troubleshooting Cisco IP Telephony and Video Troubleshoot complex integrated voice and video infrastructures
(CTCOLLAB)
Implementing Cisco Collaboration Devices Acquire a basic understanding of collaboration technologies like Cisco Call CCNA® Collaboration
(CICD) Manager and Cisco Unified Communications Manager.
Implementing Cisco Video Network Devices Learn how to evaluate requirements for video deployments, and implement
(CIVND) Cisco Collaboration endpoints in converged Cisco infrastructures.

Data Center / Virtualization Cisco Education Offerings
Cisco Data Center CCIE Unified Fabric Prepare for your CCIE Data Center practical exam with hands on lab CCIE® Data Center
Workshop (DCXUF); exercises running on a dedicated comprehensive topology
Cisco Data Center CCIE Unified Computing
Workshop (DCXUC)
Implementing Cisco Data Center Unified Fabric Obtain the skills to deploy complex virtualized Data Center Fabric and CCNP® Data Center
(DCUFI); Computing environments with Nexus and Cisco UCS.
Implementing Cisco Data Center Unified
Computing (DCUCI)
Introducing Cisco Data Center Networking Learn basic data center technologies and how to build a data center CCNA® Data Center
(DCICN); Introducing Cisco Data Center infrastructure.
Technologies (DCICT)
Product Training Portfolio: DCAC9k, DCINX9k, Get a deep understanding of the Cisco data center product line including
DCMDS, DCUCS, DCNX1K, DCNX5K, DCNX7K the Cisco Nexus9K in ACI and NexusOS modes

Network Programmability Cisco Education Offerings
Integrating Business Applications with Network Learn networking concepts, and how to deploy and troubleshoot Cisco Business Application
Programmability (NIPBA); programmable network architectures with these self-paced courses. Engineer Specialist Certification
Integrating Business Applications with Network
Programmability for Cisco ACI (NPIBAACI)
Developing with Cisco Network Programmability Learn how to build applications for network environments and effectively Cisco Network Programmability
(NPDEV); bridge the gap between IT professionals and software developers. Developer Specialist Certification
Developing with Cisco Network Programmability
for Cisco ACI (NPDEVACI)
Designing with Cisco Network Programmability Learn how to expand your skill set from traditional IT infrastructure to Cisco Network Programmability
(NPDES); application integration through programmability. Design Specialist Certification
Designing with Cisco Network Programmability
for Cisco ACI (NPDESACI)
Implementing Cisco Network Programmability Learn how to implement and troubleshoot open IT infrastructure Cisco Network Programmability
(NPENG); technologies. Engineer Specialist Certification
Implementing Cisco Network Programmability
for Cisco ACI (NPENGACI)

Cloud Cisco Education Offerings
Designing the FlexPod Solution (FPDESIGN); Learn how to design, implement and administer FlexPod solutions FlexPod Design Specialist;
Implementing and Administering the FlexPod FlexPod Implementation &
Solution (FPIMPADM) Administration Specialist
UCS Director (UCSDF) Learn how to manage physical and virtual infrastructure using
orchestration and automation functions of UCS Director.
Cisco Prime Service Catalog Learn how to deliver data center, workplace, and application services in an
on-demand, automated, and repeatable method.
Cisco Intercloud Fabric Learn how to implement end-to-end hybrid clouds with Intercloud Fabric
for Business and Intercloud Fabric for Providers.
Cisco Intelligent Automation for Cloud Learn how to implement and manage cloud deployments with Cisco
Intelligent Automation for Cloud


Ltrsec 3021 PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Ltrsec 3021 PDF

Hochgeladen von

Copyright:

Verfügbare Formate

ASA Hands-on

Jay Johnston – Technical Leader, Cisco Services

Jay Johnston David White

• Why we wanted to create this Lab

• 4 hour class with 5 hands-on Labs

Local buffer E-mail

%ASA-6-302013: Built inbound TCP connection 16181591 for outside:10.1.1.211/54356

%ASA-6-302014: Teardown TCP connection 16181591 for outside:10.1.1.211/54356 to

Interface Bytes Teardown

! Show only TCP Built and Teardown Connections

PodXX# show conn

Interface Bytes Connection

ASA# show conn detail

PERFMON STATS: Current Average

VALID CONNS RATE in TCP INTERCEPT: Current Average

Red means Down

HTTP to Web Server

SSH to Outside of ASA

• The sub is preparing to leave the base, but is currently

• Your job - ensure that anyone is able to reach the web

nat command nat (inside) 0 203.0.113.0 255.255.255.0

nat (inside) 1 10.3.19.0 255.255.255.0

static (inside,outside) 198.51.100.50

• With 8.3, all NAT is configured using the nat command

Dynamic PAT (interface overload)

Specify interfaces the Change the source IP Change the destination IP

Translate the source Translate the destination

Static Policy NAT

Static Policy NAT – NAT Exemption (for VPN)

Auto NAT Policies (Section 2)

Inbound ACL permits traffic

access-list capture deny tcp any any eq 22

• Clear all captures simultaneously with:

PodXX# capture asp type asp-drop ?

acl-drop Flow is denied by configured rule

• Now that you have earned your pay by preventing rouge

• But, not so fast. As the sub reaches the Pacific, all

• You have 20 minutes to bring the Dive/Surface controls

• Provides idea of distribution of inspected traffic

PodXX# show service-policy flow tcp host 192.168.5.5 host 10.3.20.50 eq 80

Note: There is no ASDM option for this command

• Identify why the Dive system is down again, and restore

object network ServerReal

ASA# show nat detail

Auto NAT Policies (Section 2)

Shortest Prefix Auto NAT Policies

Manual NAT [after auto] Policies First Match

Auto NAT Policies (Section 2)

Manual NAT Policies (Section 3)

Trace Crafted Packet

Trace Captured Packet

Pod19# show capture out

Pod19# show capture out trace packet-number 43

Pod19# packet-tracer input outside tcp 192.168.1.5 1025 10.3.19.50 80

Located off the

• It seems the saboteur has struck again and the dive

• You must gain access to the Dive control system to dive

• Syslogs – Are you best friend in troubleshooting

• However, alarms start going off on the bridge as the Dive

• John is thrown into the brig, but remains silent on what he

• You must restore full and reliable access to the dive

• We hope you enjoyed it

Episodes already available!