Monday, October 31, 2011

Adding Entries to an Existing ACL on an ASA

Adding Entries (ACEs) to an Existing ACL
You can add entries to ACLs on ASAs by using the line keyword. Line numbers on ASAs work differently from those on routers: they are not stored in the config and they will not show up in a show access-list command (basically the ASA doesn't keep the numbers; they are only used for inserting). To insert an entry, count the existing lines and tell the ASA where you want the new one to go. The existing line with that number moves down (e.g. if you insert at line 3, the old line 3 becomes line 4 because you have just added a line above it).

! Test ACL
access-list TEST_ACL extended permit ip 10.1.1.1 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.2 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.3 255.255.255.255 any

! Implicit Deny

! Deny access from 10.1.1.1 to evil DNS servers 4.2.2.2 and 8.8.8.8. These must sit above the permit any from 10.1.1.1 or the denies will never be matched.
! We can use line numbers to do this (the destination needs a mask or the host keyword, like the source)
access-list TEST_ACL line 1 extended deny ip 10.1.1.1 255.255.255.255 4.2.2.2 255.255.255.255
access-list TEST_ACL line 2 extended deny ip 10.1.1.1 255.255.255.255 8.8.8.8 255.255.255.255
!
! New ACL
access-list TEST_ACL extended deny ip 10.1.1.1 255.255.255.255 4.2.2.2 255.255.255.255
access-list TEST_ACL extended deny ip 10.1.1.1 255.255.255.255 8.8.8.8 255.255.255.255
access-list TEST_ACL extended permit ip 10.1.1.1 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.2 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.3 255.255.255.255 any

! Oops, we forgot to deny access from 10.1.1.2 to these same evil DNS servers
access-list TEST_ACL line 1 extended deny ip 10.1.1.2 255.255.255.255 4.2.2.2 255.255.255.255
access-list TEST_ACL line 2 extended deny ip 10.1.1.2 255.255.255.255 8.8.8.8 255.255.255.255
!

! New ACL (after the second insert)
access-list TEST_ACL extended deny ip 10.1.1.2 255.255.255.255 4.2.2.2 255.255.255.255
access-list TEST_ACL extended deny ip 10.1.1.2 255.255.255.255 8.8.8.8 255.255.255.255
access-list TEST_ACL extended deny ip 10.1.1.1 255.255.255.255 4.2.2.2 255.255.255.255
access-list TEST_ACL extended deny ip 10.1.1.1 255.255.255.255 8.8.8.8 255.255.255.255
access-list TEST_ACL extended permit ip 10.1.1.1 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.2 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.3 255.255.255.255 any
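As an added illustration (not code from the post or from Cisco), a small Python model of the ASA semantics described above: an ACE with "line N" lands at position N and pushes the old line N down, the number itself is not stored, and packets are evaluated first-match with an implicit deny at the end. The function names (parse_ace, apply_ace, lookup, demo) are hypothetical, and the ACL text is the post's TEST_ACL.

```python
import ipaddress

def _addr(tok, i):
    """Read one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME [line N] extended {permit|deny} ip SRC DST'."""
    tok = line.split()
    i, pos = 2, None                      # tok[0] is 'access-list', tok[1] the name
    if tok[i] == "line":
        pos, i = int(tok[i + 1]), i + 2
    if tok[i] == "extended":
        i += 1
    action, proto = tok[i], tok[i + 1]
    src, i = _addr(tok, i + 2)
    dst, _ = _addr(tok, i)
    return pos, {"action": action, "proto": proto, "src": src, "dst": dst}

def apply_ace(acl, line):
    """Append, or insert at 1-based line N (old line N and below shift down)."""
    pos, ace = parse_ace(line)
    acl.insert(len(acl) if pos is None else pos - 1, ace)   # number is not stored
    return acl

def lookup(acl, src, dst):
    """First match wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, 1):
        if s in ace["src"] and d in ace["dst"]:
            return ace["action"], n
    return "deny", None

def demo():
    """Constructed model (not ASA code) of the post's TEST_ACL ordering problem."""
    acl = []
    apply_ace(acl, "access-list TEST_ACL extended permit ip 10.1.1.1 255.255.255.255 any")
    apply_ace(acl, "access-list TEST_ACL extended permit ip 10.1.1.2 255.255.255.255 any")
    before = lookup(acl, "10.1.1.1", "4.2.2.2")    # permitted by line 1: the mistake
    apply_ace(acl, "access-list TEST_ACL extended deny ip 10.1.1.2 255.255.255.255 host 8.8.8.8")
    shadowed = lookup(acl, "10.1.1.2", "8.8.8.8")  # appended deny is shadowed by line 2
    apply_ace(acl, "access-list TEST_ACL line 1 extended deny ip 10.1.1.1 255.255.255.255 host 4.2.2.2")
    after = lookup(acl, "10.1.1.1", "4.2.2.2")     # now denied at line 1
    return before, shadowed, after, len(acl)
```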


Adding an Extended Access List

An access list is made up of one or more access control entries (ACEs) with the same access list ID. To create an access list, you start by creating an ACE and applying a list name. An access list with one entry is still considered a list, although you can add multiple entries to the list.

To add an extended access list or an ACE, enter the following command:

Command:
access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]

Example:
hostname(config)# access-list ACL_IN extended permit ip any any

Purpose: Adds an extended access control entry.

The line line_number option specifies the line number at which to insert the ACE. If you do not specify a line number, the ACE is added to the end of the access list. The line number is not saved in the configuration; it only specifies where to insert the ACE.
The extended option adds an ACE.
The deny keyword denies a packet if the conditions are matched. Some features do not allow deny ACEs, such as NAT. See the command documentation for each feature that uses an access list for more information.
The permit keyword permits a packet if the conditions are matched.
The protocol argument specifies the IP protocol name or number. For example UDP is 17, TCP is 6, and EGP is 47.
The source_address argument specifies the IP address of the network or host from which the packet is being sent. Enter the host keyword before the IP address to specify a single address. In this case, do not enter a mask. Enter the any keyword instead of the address and mask to specify any address.
The operator port option matches the port numbers used by the source or destination. The permitted operators are as follows:
lt - less than.
gt - greater than.
eq - equal to.
neq - not equal to.
range - an inclusive range of values. When you use this operator, specify two port numbers, for example: range 100 200.
The dest_address argument specifies the IP address of the network or host to which the packet is being sent. Enter the host keyword before the IP address to specify a single address. In this case, do not enter a mask. Enter the any keyword instead of the address and mask to specify any address.
The icmp_type argument specifies the ICMP type if the protocol is ICMP.
The inactive keyword disables an ACE. To re-enable it, enter the entire ACE without the inactive keyword. This feature lets you keep a record of an inactive ACE in your configuration so that re-enabling it is easier.
(See the access-list extended command in the Cisco Security Appliance Command Reference for more information about command options.)

Monday, October 10, 2011

Default Interface Cisco Command

I can't even count the number of times I've tried to remove all the configs from an interface by doing a no interface command. The router or switch always replies with a snarky "Removal of physical interfaces is not permitted." I then copy all the commands for the interface, open up notepad, put a no in front of all the ones I don't want and then paste it back into the CLI.

A 10 second change has now taken 2 minutes and increased my frustration level unnecessarily.

Default to the rescue. Just use this command to return the physical interface and any subinterfaces to their default (unconfigured) values. Note: if you only want to default a single subinterface, you can just do a no to remove it and then add it back in.

default interface <interface>

default interface fa0/1



http://blog.ioshints.info/2007/06/default-interface-configuration-command.html
http://www.cisco.com/en/US/docs/ios/12_2t/inter/command/reference/irftdce.html#wp1081863


Friday, September 23, 2011

Thursday, June 30, 2011

Check Dropped Packets

show policy-map interface

Tuesday, June 21, 2011

Tuesday, May 31, 2011

MWI Manual Disable

For those times when MWI is stuck on:

Find the MWI off DN.

ephone-dn 599
 number A801.... no-reg primary
 mwi off



Build a new DN whose call-forward all (CFA) target is the complete dial string (replace the .... with the extension you want to turn MWI off on). The example below shuts off MWI for extension 5040.

ephone-dn 559
 call-forward all A8015040
 number 5990 no-reg primary

Call the number associated with the ephone-dn.

Tuesday, February 15, 2011

Cisco Router VPN Details


show crypto isakmp peers      - Show ISAKMP peer structures (peer IPs etc. connected over the VPN)
show crypto isakmp sa         - Show ISAKMP security associations (peer IPs etc. connected over the VPN)
show crypto session summary   - Show VPN groups and their members (users and groups connected over the VPN)
who                           - Show users currently logged into the router

Friday, February 11, 2011

SIP Carrier Debugs

SIP: Attribute mid, level 1 instance 1 not found.
2524735: Feb 11 17:54:53.522 MST: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 200 OK
Via: SIP/2.0/UDP >:5060;branch=z9hG4bK2D041732
Record-Route:
From: "Bob Jones" ;tag=BAAA8198-462
To: ;tag=_1255064163-933720387
Call-ID: 876EDB09-357911E0-970ADCDF-F107A873@>
CSeq: 101 INVITE
Contact: sip:+18004444444@67.231.0.94:5070
Accept: application/sdp, application/isup, application/dtmf, application/dtmf-relay,  multipart/mixed
Allow: INVITE,ACK,CANCEL,BYE,REGISTER,REFER,INFO,SUBSCRIBE,NOTIFY,PRACK,UPDATE,OPTIONS,MESSAGE,PUBLISH
Content-Disposition: session; handling=required
Content-Type: application/sdp
Content-Length: 276

v=0
o=pvp 305419896 305419896 IN IP4 67.231.0.125
s=-

! MEDIA GATEWAY - this is the carrier your SIP provider is routing your call through. The IPs may change even for the same carrier, but an IP whois lookup will show you which carrier your call is routing through.
c=IN IP4 67.231.0.125

t=0 0
m=audio 24396 RTP/AVP 0 18 101
a=rtpmap:0 PCMU/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=maxptime:40
a=sendrecv

Thursday, February 3, 2011

Cisco Command Tricks - Monitoring Performance


Show the list of tasks running sorted by CPU usage and excluding any that are using 0%
sh proc cpu sorted | ex 0.00
Show spanning tree changes
show spanning-tree detail | inc ieee|occur|from|is exec
Show interface counter errors
sh interface counters errors
sh int | i line|error
Show interface queue statuses and drops
sh int | in Input|line

Friday, January 14, 2011

Excel Tricks

Reformatting Phone Numbers

To remove the dashes from phone numbers (e.g. change 206-456-789 to 206456789):
=SUBSTITUTE(A1,"-","")
To remove dashes and add digits to the beginning of phone numbers (e.g. change 206-456-789 to 1206456789). Note: this should be useful in other situations too, and it handles small additions better than creating a new cell/column with what you need to add and then concatenating everything together.
=1&SUBSTITUTE(A1,"-","")