Archive for the ‘PIX \ ASA’ Category

ASA 8.4 – first look

February 4, 2011 3 comments

Just under a year since the last major ASA version, Cisco released a new version: 8.4(x)

While this version came earlier than I would expect, there are some exciting new features, some of them definitely worth upgrading for. I have no intention of telling the full story (or chewing the release notes for you ;)) but I do want to go over some of the features and the new commands they bring to the world:

EtherChannel support – up to 48 802.3ad EtherChannels of eight active interfaces each
new commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.

Show Top CPU Processes – You can now monitor the processes that run on the CPU to obtain information related to the percentage of the CPU used by any given process.
new command: show process cpu-usage sorted

TCP Ping Enhancement – you can specify a source IP address, a port and a source interface to send TCP pings to a hostname or an IPv4 address.
new command: ping tcp

Stateful Failover with Dynamic Routing Protocols – Routes that are learned through dynamic routing protocols (such as OSPF and EIGRP) on the active unit are now maintained in a Routing Information Base (RIB) table on the standby unit.
modified command: show failover, show route, show route failover.

Host Scan Package Support – support for the ASA to install or upgrade a Host Scan package and enable or disable Host Scan
new command: csd hostscan image path

These are only a few of the changes that I find exciting, and they show Cisco’s commitment to this product. If you’re running ASA (or even an old PIX) in your environment I highly recommend spending the time and reading the release notes. Even if you’re not going to upgrade any time soon, it is always good to know what the available options are – you never know when you’ll need them.
If you have already upgraded your ASA to 8.4, or even better, upgraded and used one of the new features, we want to hear about it!


How to recover a VPN key

January 14, 2011 Leave a comment

While troubleshooting a VPN connection I wanted to confirm that the pre-shared key is identical on both ends. In order to do so I used a cool, relatively unknown command that allows you to recover the pre-shared key:
more system:running-config

Using the more system:running-config command shows the pre-shared key in clear text:

tunnel-group tunnel_name ipsec-attributes
pre-shared-key cleartextpassword

While this is the easiest way, you might encounter a device with an old version (pre 7.x) that does not support this command. Don’t worry, there are more options. Using TFTP, you can copy the config to your TFTP server, which saves the password in clear text. This is the required command:

copy running-config tftp:

You can also use the less known write net command for the same task. In both cases, the text file containing the configuration on the TFTP server will show the pre-shared key in clear text.

By the way, older ASDM versions will show the passwords in clear text, but I hope you’re not using those old versions 🙂

PIX\ASA as DHCP server

January 12, 2011 Leave a comment

After a long while I had a chance to work with our firewall. Part of the task was setting up our old PIX as DHCP server.

The configuration is simple:

dhcpd address inside
dhcpd dns
dhcpd wins

You can see that the configuration is really simple, but I found one interesting detail I wasn’t aware of: you can only use 256 addresses.

Well, to be exact it is 253 addresses and it is a software limitation:

The size of the address pool is limited to 256 addresses per pool on the security appliance. This cannot be changed and is a software limitation. The total can only be 256.

One note – this limitation is per interface, so if you have more than one inside interface you can use 253 addresses per interface.
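Two points from these posts are worth checking automatically in config backups: a running-config dumped with more system:running-config or copy running-config tftp: contains pre-shared keys in clear text (so a backup share needs the same protection as the firewall itself), and a dhcpd address range can never exceed the 256-address per-interface limit. The following linter is an added example, not code from the original posts; the sample config, hostname and addresses are constructed, and the "*****" mask it skips is the form the regular show running-config output uses for keys.

```python
import ipaddress
import re

# Constructed sample of an ASA/PIX running-config as it appears in a
# TFTP backup or in "more system:running-config" output (not a real device).
SAMPLE_CONFIG = """\
hostname fw-edge
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key cleartextpassword
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd address 10.0.0.2-10.0.1.254 dmz
dhcpd dns 192.168.1.1
"""

TUNNEL_RE = re.compile(r"^tunnel-group\s+(\S+)\s+ipsec-attributes")
PSK_RE = re.compile(r"^\s*pre-shared-key\s+(\S+)")
POOL_RE = re.compile(r"^\s*dhcpd address\s+(\S+)-(\S+)\s+(\S+)")
MAX_POOL = 256  # per-interface software limit quoted in the post


def find_cleartext_psks(config):
    """Return (tunnel-group, key) pairs whose pre-shared key is stored in clear text.

    Keys masked as "*****" (regular show running-config output) are ignored.
    """
    found, current_group = [], None
    for line in config.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            current_group = m.group(1)
            continue
        m = PSK_RE.match(line)
        if m and m.group(1) != "*****":
            found.append((current_group, m.group(1)))
    return found


def oversized_dhcp_pools(config, limit=MAX_POOL):
    """Return (interface, pool_size) for dhcpd address ranges larger than the limit."""
    bad = []
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if not m:
            continue
        start, end = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        size = int(end) - int(start) + 1  # inclusive range
        if size > limit:
            bad.append((m.group(3), size))
    return bad
```

Run both functions over every config file on the backup server; any hit from the first means that file holds a live VPN secret, and a hit from the second is a pool the appliance will refuse.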