Kevin Klous
Cisco Employee

 

Show Name: ASA/FTD Troubleshooting Enhancements and Cisco Live US 2018

Contributors: Kevin Klous, Jay Johnston, and Magnus Mortensen

Posting Date:  June 2018

Description: The team discusses the recently released troubleshooting enhancements to ASA/FTD packet tracer and packet capture tools, some new facts about FTD 6.2.3, and a look ahead to Cisco Live US 2018 coming up in Orlando, Florida.

Listen Now    (MP3 82.4 MB; 34:17 mins)


 

Show Notes 

Cisco Live US 2018 - June 10-14 in Orlando, FL, USA

https://www.ciscolive.com/us/

 

Sessions Mentioned:

 

BRKSEC-3020 - Troubleshooting ASA Firewalls

https://www.ciscolive.com/us/learn/sessions/session-catalog/?search=BRKSEC-3020&showEnrolled=false


TECSEC-3004 - Troubleshooting Firepower Threat Defense like a TAC Engineer (Additional cost)

https://www.ciscolive.com/us/learn/sessions/session-catalog/?search=TECSEC-3004&showEnrolled=false

 

New Commands Discussed and Examples:

 

Packet Tracer with 'transmit' option

With 'transmit', the simulated packet is not only traced through the ASA but actually injected and sent out of the egress interface, which is why it shows up in the 'capout' capture on the outside interface below (capin only matches ICMP, so the injected TCP/22 packet is not seen there). Keep that side effect in mind when using it on a production firewall.

asa# sh cap
capture capin type raw-data trace interface inside [Capturing - 0 bytes]
  match icmp any any
capture capout type raw-data trace interface outside [Capturing - 0 bytes]
  match tcp any any eq ssh

asa# packet-tracer input inside tcp 10.1.1.20 10000 10.1.2.100 22 transmit

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:

asa# sh cap capout

1 packet captured

   1: 07:48:37.428978       10.1.1.20.10000 > 10.1.2.100.22: S 2316587550:2316587550(0) win 8192
1 packet shown
asa#

 

Packet-tracer to simulate inbound VPN traffic with the 'decrypted' option:

asa# packet-tracer input inside tcp 10.1.1.20 10000 10.1.2.100 22 decrypted

*********************************************************************
WARNING: An existing decryption SA was not found. Please confirm the
IPsec Phase 2 SA or Anyconnect Tunnel is established.
*********************************************************************

Note: The above warning is seen when there are no active VPN Security Associations (SAs) on the ASA. The 'decrypted' keyword makes packet-tracer treat the packet as one that has already been decrypted by a VPN tunnel, so an IPsec Phase 2 SA or AnyConnect tunnel must be established before the trace can run.
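As an added example (not code from the podcast, the show notes, or Cisco), a small Python parser for the packet-tracer output format shown above: it splits the Phase / Type / Subtype / Result / Config / Additional Information blocks, reads the trailing Action and Drop-reason summary, and recognises the WARNING banner that the 'decrypted' keyword prints when no SA exists. The two sample outputs embedded in the block are constructed for the example; the ACL names and drop-reason text in them are illustrative, not taken from the page.

```python
"""Parse ASA/FTD packet-tracer output into phases and a final verdict.

Added example, not from the podcast page or from Cisco.  The sample
outputs at the bottom are constructed; their ACL names are hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"


@dataclass
class Trace:
    phases: List[Phase]
    warning: Optional[str]       # text between the two ***** banner lines, if any
    final_action: Optional[str]  # "allow" / "drop" from the trailing summary
    drop_reason: Optional[str]

    def drop_phase(self) -> Optional[Phase]:
        """First phase whose Result is DROP, i.e. where the packet died."""
        return next((p for p in self.phases if p.result.upper() == "DROP"), None)


_PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
_KEY_RE = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")


def parse_packet_tracer(output: str) -> Trace:
    phases: List[Phase] = []
    cur: Optional[Phase] = None
    section: Optional[str] = None  # "config" or "info" while inside a phase
    warning: Optional[str] = None
    in_banner, banner = False, []
    action = reason = None

    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("*****"):          # WARNING banner delimiter
            if in_banner:
                warning = " ".join(banner)
            in_banner, banner = not in_banner, []
            continue
        if in_banner:
            if line:
                banner.append(line)
            continue
        m = _PHASE_RE.match(line)
        if m:
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section = None
            continue
        if line.startswith("Action:"):
            action = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Drop-reason:"):
            reason = line.split(":", 1)[1].strip()
            continue
        m = _KEY_RE.match(line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if key == "Result" and not val:
                cur, section = None, None  # bare "Result:" opens the trailing summary
            elif cur is not None:
                if key == "Type":
                    cur.type = val
                elif key == "Subtype":
                    cur.subtype = val
                elif key == "Result":
                    cur.result = val
                else:
                    section = "config" if key == "Config" else "info"
            continue
        if cur is not None and section and line:
            (cur.config if section == "config" else cur.info).append(line)

    return Trace(phases, warning, action, reason)


def summarize(output: str) -> str:
    """One-line verdict suitable for a log line or a scripted check."""
    t = parse_packet_tracer(output)
    if t.warning:
        return "WARNING: " + t.warning
    p = t.drop_phase()
    if p is None:
        return "allow after %d phases" % len(t.phases)
    return "drop in phase %d (%s): %s" % (p.number, p.type, t.drop_reason or "no drop-reason")


# Constructed sample: an SSH packet from outside denied by a hypothetical ACL.
SAMPLE_DROP = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_in in interface outside
access-list outside_in extended deny tcp any any eq ssh
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: the banner printed by the 'decrypted' keyword with no SA present.
SAMPLE_NO_SA = """\
*********************************************************************
WARNING: An existing decryption SA was not found. Please confirm the
IPsec Phase 2 SA or Anyconnect Tunnel is established.
*********************************************************************
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_DROP))
    print(summarize(SAMPLE_NO_SA))
```

Feed it the raw text of a packet-tracer run (for example, collected over SSH) and check drop_phase() and drop_reason rather than eyeballing a dozen phases; the bare "Result:" line is what separates the per-phase blocks from the final summary, which is why it is treated specially.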

 

Packet Capture of decrypted traffic using the 'include-decrypted' option

asa# cap capout interface outside include-decrypted match tcp any any eq 22

With 'include-decrypted', a capture on the VPN-facing interface also contains the decrypted copy of traffic that arrived over an IPsec or AnyConnect tunnel, so the match clause is written against the inner (cleartext) headers, here TCP/22, rather than against the ESP or UDP/4500 encapsulation.

 

Important Links for More Information:

 

Firepower 6.2.3 Release Notes

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/relnotes/Firepower_Release_Notes_623.html

 

ASA 9.9.2 Release Notes

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/release/notes/asarn99.html

 
