Hi all, We can check the number of SSH sessions that are connected and the connection state to the PIX by issuing this command: show ssh session. How about telnet sessions? Console sessions? Or any connection from a firewall administrator to the firewall. There is no show telnet command. I'll implement TACACS later and each firewall administrator will have their own ID. But what if I don't want to implement TACACS for certain reasons and I want to monitor who is currently connected to the firewall. Thanks in advance. Reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#active
Hi all, I was wondering how to troubleshoot if failover happens on one of our firewalls. Let's say we've received alerts from the monitoring team. Normally what I'll do is to:
1. ping both firewalls (primary & secondary) to make sure both of them are running.
2. try to access both firewalls
3. issue the show failover command to check the status of the firewall
4. issue the show version command to check uptime
5. issue the show log command to check log messages
What else should we do in order to find the root cause of the problem? Why did failover happen?

ping FW01
FW01 is alive
ping FW01-failover
no answer from FW01-failover

FW01 up 1 hours 37 mins

FW01# sh fail
Failover On
Cable status: Other side powered off
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 13:37:00 UTC Fri Jun 17 2010
        This host: Primary - Active
                Active time: 28005 (sec)
                Interface outside (10.10.10.100): Normal (Waiting)
                Interface inside (11.11.11.100): Normal (Waiting)
                Interface failover (1.1.1.100): Link Down (Waiting)
                Interface vpn (7.7.7.100): Normal (Waiting)
                Interface intf4 (0.0.0.0): Link Down (Shutdown)
                Interface intf5 (0.0.0.0): Link Down (Shutdown)
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface outside (10.10.10.99): Unknown (Waiting)
                Interface inside (11.11.11.99): Unknown (Waiting)
                Interface failover (1.1.1.99): Unknown (Waiting)
                Interface vpn (7.7.7.99): Unknown (Waiting)
                Interface intf4 (0.0.0.0): Unknown (Shutdown)
                Interface intf5 (0.0.0.0): Unknown (Shutdown)

From what I've checked in this article ( http://www.ciscoarticles.com/CCSP-Cisco-Certified-Security-Professional/Failover-Configuration-with-Failover-Cable.html ):
Link Down means Interface line protocol is down
Unknown means IP address isn't configured for the interface, so it can't determine the status
Waiting means Monitoring the other unit's network interface hasn't started yet

Here is the log message..
FW01#
sh log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level notifications, 25 messages logged
Trap logging: level informational, 9162 messages logged
Logging to inside 6.6.6.6
History logging: level notifications, 25 messages logged
Device ID: disabled
105002: (PIX) Enabling failover.
411001: Line protocol on Interface outside, changed state to up
411001: Line protocol on Interface vpn, changed state to up
502101: New user added to local dbase: Uname: admin Priv: 15 Encpass: xxxxxxxxxxx.
104001: (Primary) Switching to ACTIVE - no power detected from mate.
105007: (Primary) Link status 'Down' on interface intf5
105007: (Primary) Link status 'Down' on interface intf4
105006: (Primary) Link status 'Up' on interface vpn
105007: (Primary) Link status 'Down' on interface failover
105007: (Primary) Link status 'Down' on interface inside
105006: (Primary) Link status 'Up' on interface outside
105003: (Primary) Monitoring on interface vpn waiting
105003: (Primary) Monitoring on interface outside waiting
411001: Line protocol on Interface inside, changed state to up
105006: (Primary) Link status 'Up' on interface inside
105003: (Primary) Monitoring on interface inside waiting
502103: User priv level changed: Uname: adam From: 1 To: 15
111008: User 'adam' executed the 'enable' command.
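The checks listed in the post above can be scripted so that the same review is done the same way every time. The following Python is an added example, not code from the post and not Cisco's: it parses the show failover output quoted above into a structure, flags interfaces whose state is Link Down or Unknown while skipping interfaces that are administratively shut down, and pulls the 104001/104002 "Switching to ACTIVE/STANDBY" messages out of the log buffer, since those carry the reason the unit changed role. The show failover text is the one pasted in the post; the log lines are a constructed subset of the buffer shown above.

```python
import re

# "show failover" output as pasted in the post above, reused as sample input.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Cable status: Other side powered off
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 13:37:00 UTC Fri Jun 17 2010
        This host: Primary - Active
                Active time: 28005 (sec)
                Interface outside (10.10.10.100): Normal (Waiting)
                Interface inside (11.11.11.100): Normal ( Waiting )
                Interface failover (1.1.1.100): Link Down (Waiting)
                Interface vpn (7.7.7.100): Normal ( Waiting )
                Interface intf4 (0.0.0.0): Link Down (Shutdown)
                Interface intf5 (0.0.0.0): Link Down (Shutdown)
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface outside (10.10.10.99): Unknown (Waiting)
                Interface inside (11.11.11.99): Unknown (Waiting)
                Interface failover (1.1.1.99): Unknown (Waiting)
                Interface vpn (7.7.7.99): Unknown (Waiting)
                Interface intf4 (0.0.0.0): Unknown (Shutdown)
                Interface intf5 (0.0.0.0): Unknown (Shutdown)
"""

# Constructed subset of the "show log" buffer from the post (PIX message IDs as logged).
SAMPLE_LOG = [
    "105002: (PIX) Enabling failover.",
    "411001: Line protocol on Interface outside, changed state to up",
    "104001: (Primary) Switching to ACTIVE - no power detected from mate.",
    "105007: (Primary) Link status 'Down' on interface failover",
    "105003: (Primary) Monitoring on interface outside waiting",
]

CABLE_RE = re.compile(r"^Cable status:\s*(.+?)\s*$")
HOST_RE = re.compile(r"^\s*(This host|Other host):\s*(\w+)\s*-\s*(\w+)")
ACTIVE_RE = re.compile(r"^\s*Active time:\s*(\d+)")
# Tolerates both "Normal (Waiting)" and "Normal ( Waiting )" as seen in the post.
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s*(.+?)\s*\(\s*(\w+)\s*\)\s*$")

def parse_show_failover(text):
    """Return cable status plus, per host, role/state/active time and interface states."""
    result = {"cable_status": None, "hosts": {}}
    current = None
    for line in text.splitlines():
        m = CABLE_RE.match(line)
        if m:
            result["cable_status"] = m.group(1)
            continue
        m = HOST_RE.match(line)
        if m:
            current = {"role": m.group(2), "state": m.group(3),
                       "active_time": None, "interfaces": {}}
            result["hosts"][m.group(1)] = current
            continue
        if current is None:
            continue
        m = ACTIVE_RE.match(line)
        if m:
            current["active_time"] = int(m.group(1))
            continue
        m = IFACE_RE.match(line)
        if m:
            current["interfaces"][m.group(1)] = {
                "ip": m.group(2), "status": m.group(3), "monitor": m.group(4)}
    return result

def assess(parsed):
    """List the conditions worth chasing: a dead peer/cable and bad interface states."""
    findings = []
    cable = parsed["cable_status"] or ""
    if "powered off" in cable.lower():
        findings.append("cable: " + cable)
    for host, info in parsed["hosts"].items():
        for name, iface in info["interfaces"].items():
            if iface["monitor"] == "Shutdown":
                continue  # administratively shut interfaces are not a failover symptom
            if iface["status"] in ("Link Down", "Unknown"):
                findings.append(f"{host}: interface {name} ({iface['ip']}) is {iface['status']}")
    return findings

def switchover_messages(log_lines):
    """104001/104002 are the PIX 'Switching to ACTIVE/STANDBY' messages; they state the reason."""
    return [line for line in log_lines if re.match(r"^10400[12]:", line)]

if __name__ == "__main__":
    parsed = parse_show_failover(SAMPLE_SHOW_FAILOVER)
    for finding in assess(parsed):
        print(finding)
    for line in switchover_messages(SAMPLE_LOG):
        print("cause:", line)
```

On the output quoted in the post this reports the powered-off cable status, the Link Down failover interface on the active unit and the four Unknown interfaces on the standby, and the 104001 line gives the switchover reason directly (no power detected from the mate), which is the answer to "why did failover happen" before any deeper digging.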
Thanks Andrew & Jon for your reply. Yes, I know we can combine columns for both service and port number. However, users tend to forget to fill in whether the service is TCP or UDP. They only provide the port numbers. How about services/network ports? Do you have any idea how to explain it in an easy way? Here is the definition that I got from wiki; however, I believe that a person who doesn't have a background in networking will have a problem understanding it. According to IANA "The Well Known Ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users. Ports are used in the TCP [RFC793] to name the ends of logical connections which carry long term conversations. For the purpose of providing services to unknown callers, a service contact port is defined. This list specifies the port used by the server process as its contact port. The contact port is sometimes called the "well-known port"." [1] http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Hi, This post has been taken from the governmentsecurity forum after I did a little bit of searching on common questions asked by firewall admins to a user in order to get more information. Normally, users don't provide much information and it makes troubleshooting harder. I would appreciate it if you guys can share what kind of information you ask for when troubleshooting with a user.
1. What is the firewall name/IP address (so we know which firewall is involved in this incident)
2. What are the source and destination IP addresses (so we can check whether the traffic hits the firewall or not)
3. Traceroute result from source to destination IP (so we know if the traffic was dropped somewhere else)
4. What is the incident number (if you are using a ticketing system, so we can keep track of what happened)
5. Has this worked before? (if it worked, the possibility is that some changes have been made to the firewall or server)
6. What application and protocol are they using to access the server?
7. Can they access any other server using the same application and protocol?
8. Has the client or host made any upgrades or patches recently?
9. What version of VPN software is the client using?
Also I always start a remote desktop session using logmein.com or some other software. Speeds up the entire process when you can see the client's desktop.
10: When did it stop working?
11: Reboot!
http://www.governmentsecurity.org/forum/index.php?showtopic=31184&st=0&p=199417&hl=firewall&fromsearch=1&#entry199417
Thanks Marcin for the tips on Wireshark. Hardware: ASA5520, Software Version 8.0(4)32. Yeah, I noticed that. The retransmissions started at packets 511 to 520 before the server sent the RST packet. I've captured on both the inside and outside interfaces. The only RST packet that I can see is on the inside interface. Here are the commands that I use to capture the network packets.
Access list to filter both source & destination:
access-list cap extended permit tcp host 1.1.1.1 host 2.2.2.2
access-list cap extended permit tcp host 2.2.2.2 host 1.1.1.1
Capture on both inside & outside interfaces (the inside capture is named cap-in so that the show command below matches it):
capture cap-in access-list cap interface inside packet-length 54
capture cap-out access-list cap interface outside packet-length 54
View capture:
show capture cap-in
show capture cap-out
Let me know if you need more information.
Hi, These three terms are common for network & firewall guys. However, others who are not working in this area normally don't really know what these terms mean. The problem starts when people request to open a certain network port from a certain source to a certain destination. However, they don't really understand the meaning of these terms even though we've prepared a proper form for them to fill in this information. Sometimes they put the destination in the source column and always forget to put either TCP/UDP. Normally they only put the port number. Here is an example of the form.
Source IP | Destination IP | Service (TCP/UDP) | Port Number
1
2
3
Therefore, I would appreciate it if anyone can share how to explain these terms in an easy way, especially to those who don't have knowledge in networking. Thanks.
Hi all, User A can log in to server B via RDP (tcp 3389); however, he cannot copy files from server B via remote desktop. He can also ping and traceroute to the server. When I did a test with him, I found the following message on the ASA. This is the only message that I saw on the firewall (%ASA-2-106001: Inbound TCP connection denied):
ASA-fw# sh log | grep 1.1.1.1
Jun 01 2010 08:46:00 3.3.3.3 : %ASA-2-106001: Inbound TCP connection denied from 1.1.1.1/1852 to 2.2.2.2/3389 flags PSH ACK on interface inside
Jun 01 2010 08:46:00 3.3.3.3 : %ASA-2-106001: Inbound TCP connection denied from 1.1.1.1/1852 to 2.2.2.2/3389 flags PSH ACK on interface inside
Jun 01 2010 08:46:00 3.3.3.3 : %ASA-2-106001: Inbound TCP connection denied from 1.1.1.1/1852 to 2.2.2.2/3389 flags PSH ACK on interface inside
Jun 01 2010 08:46:00 3.3.3.3 : %ASA-2-106001: Inbound TCP connection denied from 1.1.1.1/1852 to 2.2.2.2/3389 flags PSH ACK on interface inside
Let's say User A = 1.1.1.1, Server B = 2.2.2.2, New FW ASA = 3.3.3.3. The FW allows the RDP connection from user A to server B. Here are the rules on the firewall related to server B.
object-group service Standard_Remote_Access
 service-object tcp eq telnet
 service-object tcp eq ssh
 service-object tcp eq https
 service-object tcp eq www
 service-object tcp eq 3389
access-list acl-in extended permit object-group Standard_Remote_Access any object-group Network_2.2.2.2_24
This problem only occurred after the new FW ASA was installed between user A and server B. Any advice would be appreciated. Thanks
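As an added example (not part of the post, and not Cisco's code), here is a small Python parser for %ASA-2-106001 lines like the ones above. Beyond grouping the denies by source, destination, port and interface, it records whether the denied segment carried SYN: a 106001 for a segment whose flags are PSH ACK or ACK means the ASA held no connection entry for that flow when the segment arrived, which is the first thing to rule out when a stateful firewall is inserted into an existing path. The log lines are constructed, modelled on the ones in the post, and include one non-106001 line to show that it is ignored.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the ones pasted in the post above.
SAMPLE_LOG = """\
Jun 01 2010 08:46:00 3.3.3.3 : %ASA-2-106001: Inbound TCP connection denied from 1.1.1.1/1852 to 2.2.2.2/3389 flags PSH ACK on interface inside
Jun 01 2010 08:46:00 3.3.3.3 : %ASA-2-106001: Inbound TCP connection denied from 1.1.1.1/1852 to 2.2.2.2/3389 flags PSH ACK on interface inside
Jun 01 2010 08:46:01 3.3.3.3 : %ASA-2-106001: Inbound TCP connection denied from 1.1.1.1/1852 to 2.2.2.2/3389 flags ACK on interface inside
Jun 01 2010 08:46:05 3.3.3.3 : %ASA-2-106001: Inbound TCP connection denied from 5.5.5.5/40000 to 2.2.2.2/23 flags SYN on interface outside
Jun 01 2010 08:46:06 3.3.3.3 : %ASA-4-106023: Deny tcp src outside:5.5.5.5/40001 dst inside:2.2.2.2/23 by access-group "acl-out"
"""

MSG_RE = re.compile(
    r"%ASA-\d-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

def parse_106001(text):
    """Extract the 5-tuple, TCP flags and interface from every 106001 line; skip other IDs."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        event = m.groupdict()
        event["sport"] = int(event["sport"])
        event["dport"] = int(event["dport"])
        event["flags"] = event["flags"].split()
        events.append(event)
    return events

def classify(event):
    """Separate refused connection attempts from mid-stream segments with no state."""
    if "SYN" in event["flags"] and "ACK" not in event["flags"]:
        return "new-connection-denied"   # a SYN was refused: a policy/ACL question
    # Non-SYN segment with no connection entry: the ASA never saw this flow's SYN
    # (state lost, or the firewall sees only one direction of the path).
    return "no-state"

def summarize(events):
    """Count denies per (src, dst, dport, interface, class) so repeats collapse to one row."""
    counts = Counter()
    for e in events:
        counts[(e["src"], e["dst"], e["dport"], e["iface"], classify(e))] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(parse_106001(SAMPLE_LOG)).items()):
        src, dst, dport, iface, kind = key
        print(f"{n:4d}  {src} -> {dst}:{dport} on {iface}  [{kind}]")
```

For the flow in the post (1.1.1.1 to 2.2.2.2:3389, flags PSH ACK on inside) the summary shows a "no-state" row rather than a refused SYN, which is why looking only at the permit rule for tcp/3389 will not explain the drop; the connection table and the return path through the new firewall are where to look next.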
Thanks a lot halijenn, you are always the first to respond to any question. I really appreciate it. These links will definitely help me a lot in the upgrade process. But I still hope someone can post a real picture of the ports of the PIX 515 & ASA 5510. I'll post the pictures here if I get the chance to see these devices physically.
Hi all, I'm in the process of upgrading a PIX 515 to an ASA 5510. Since the device is at a remote location and the new firewall has not arrived yet, I would appreciate it if anyone can share a picture of a real PIX 515 & ASA 5510, especially the ports portion. This is because I need to explain to the local support which cable they should put where, as the names of the ports on the PIX 515 & ASA 5510 are slightly different. http://www.google.com/images?&q=cisco+pix+515+port http://www.google.com/images?&q=cisco+asa+5510+port This is an example that I've managed to find on Google. PIX 515: http://www.cisco.com/en/US/docs/security/pix/pix63/quick/guide/63_515qk.html ASA 5510: This is something like what I'm looking for, but the labels of the ports were covered by the cables. I would appreciate it if anyone who has the picture without the cables can share it so I can see the labels of the firewall ports clearly. Thanks
Hi, I've heard about RIP, IGRP, EIGRP, OSPF, BGP, IS-IS and Frame Relay routing but never heard about round robin routing. I've googled this but not come up with anything related. I would appreciate it if anyone could explain what round robin routing is. Reference: http://homepages.uel.ac.uk/u0223755/Routing%20protocols.htm http://hubpages.com/hub/Types-of-Routing-protocol Many thanks in advance
Hi, There's not much information that can be found on the internet regarding this topic. I would appreciate it if anyone can share the similarities and differences between these two modes, the pros and cons, and examples of them. Thanks in advance
Hi, I have a quick question regarding the auditing system in CSM. In Checkpoint, we can do an audit via SmartView Tracker to determine who was the last person to make a change to the Checkpoint firewall. How about CSM? I believe CSM has something similar to Checkpoint. Thanks in advance