Viewing pre-shared keys in Cisco ASA configuration

Most of the configuration on an ASA can be viewed in plain text just by using the “show run” command. One of the exceptions is the pre-shared keys for VPNs, which appear as asterisks (‘*’). These keys can however be viewed using the command “more system:running-config”, which displays the running configuration including the pre-shared keys in plain text. If you want to filter the output to just the lines containing the keys, use “more system:running-config | include keys”. Keep in mind that anything produced from that command (a copied terminal session, a saved configuration backup) therefore contains the keys in the clear and needs to be handled accordingly.
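Because a configuration exported with “more system:running-config” carries the keys in the clear, it is worth checking (or redacting) such an export before it is archived or pasted into a ticket. The following Python is an added example, not part of the original post: the sample configuration text, tunnel-group addresses and key values in it are constructed, and the line format it matches is simply “pre-shared-key <value>” as the last token on the line.

```python
import re

# Constructed sample of what "more system:running-config" prints for two
# site-to-site tunnel groups (addresses and key values are made up here;
# the page shows no real configuration).
SAMPLE_FULL_CONFIG = """\
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key Sup3rS3cretPSK
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key Another-PSK-Value
 ikev2 local-authentication pre-shared-key Local-PSK-Value
interface Vlan1
 nameif inside
"""

# Constructed sample of the same tunnel group as "show run" masks it.
SAMPLE_SHOW_RUN = """\
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
"""

# A pre-shared key line ends in "pre-shared-key <value>"; the value is the
# last whitespace-delimited token on the line.
PSK_LINE = re.compile(r"^(?P<prefix>.*\bpre-shared-key\s+)(?P<secret>\S+)\s*$")

MASK = "*****"


def is_masked(secret):
    """True when the value is the asterisk mask that "show run" prints."""
    return secret != "" and set(secret) == {"*"}


def find_plaintext_keys(config_text):
    """Return (line_number, key) for every pre-shared key stored in the clear."""
    found = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = PSK_LINE.match(line)
        if match and not is_masked(match.group("secret")):
            found.append((number, match.group("secret")))
    return found


def redact_keys(config_text):
    """Return the config with every pre-shared key replaced by the mask."""
    redacted = []
    for line in config_text.splitlines():
        match = PSK_LINE.match(line)
        if match:
            line = match.group("prefix") + MASK
        redacted.append(line)
    return "\n".join(redacted) + ("\n" if config_text.endswith("\n") else "")


if __name__ == "__main__":
    # Report only line numbers, never the key values themselves.
    for number, _key in find_plaintext_keys(SAMPLE_FULL_CONFIG):
        print(f"line {number}: plaintext pre-shared key present")
    print(redact_keys(SAMPLE_FULL_CONFIG))
```

The checker reports line numbers rather than the key values so that its own output is safe to log; the redactor keeps every other line untouched so the redacted copy still diffs cleanly against later exports.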

ASA 5505 Switch Redundancy

I came across a situation where I had an ASA 5505 connected to a 3750 switch via two physical interfaces. These interfaces were both on the same chassis of a two-chassis 3750 stack. This ASA had been running well for some time and no issues had arisen until one of the two 3750s experienced an issue (the one connected to the ASA, of course), causing an Internet outage. I did some research and didn’t find anything on the ASA end of things that would allow for redundant links to the secondary switch. Then, as I was reading through a Cisco Catalyst IOS configuration guide, I saw something about “Flex Links” and struck gold! Simply put, Flex Links allow backup interfaces to be administratively defined on a switch (or stack of switches). The configuration on the switch side is very straightforward, as shown in the example below. The ASA configuration is very simple as well: I simply assigned the appropriate VLANs to the ASA switched interfaces and attached the cables to the proper backup interfaces on my second stacked switch. The ports that are in a standby state will have orange status lights but will show “up/up” on both ends.

interface GigabitEthernet1/0/23
 description ASA 5505 INSIDE - BACKUP
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description ASA 5505 OUTSIDE - BACKUP
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet2/0/23
 description ASA 5505 INSIDE
 switchport access vlan 10
 switchport mode access
 switchport backup interface Gi1/0/23
 switchport backup interface Gi1/0/23 preemption mode forced
 spanning-tree portfast
!
interface GigabitEthernet2/0/24
 description ASA 5505 OUTSIDE
 switchport access vlan 30
 switchport mode access
 switchport backup interface Gi1/0/24
 switchport backup interface Gi1/0/24 preemption mode forced
 spanning-tree portfast

This configuration statically configures port Gig1/0/23 as a backup for Gig2/0/23 and Gig1/0/24 as a backup for Gig2/0/24. The “preemption mode forced” command simply means that if a failed primary interface becomes available again, a failback to it will occur rather than the pair just remaining in the last working state.

There are two very useful show commands. The first is “show interfaces switchport backup”, which provides a simple output showing active and backup interfaces:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
GigabitEthernet2/0/23   GigabitEthernet1/0/23   Active Up/Backup Standby
GigabitEthernet2/0/24   GigabitEthernet1/0/24   Active Up/Backup Standby

The second useful command is “show interfaces switchport backup detail” which, strangely enough, just provides more detailed information:

Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
GigabitEthernet2/0/23   GigabitEthernet1/0/23   Active Up/Backup Standby
        Preemption Mode  : forced
        Preemption Delay : 35 seconds (default)
        Multicast Fast Convergence  : Off
        Bandwidth : 100000 Kbit (Gi2/0/23), 100000 Kbit (Gi1/0/23)
        Mac Address Move Update Vlan : auto

GigabitEthernet2/0/24   GigabitEthernet1/0/24   Active Up/Backup Standby
        Preemption Mode  : forced
        Preemption Delay : 35 seconds (default)
        Multicast Fast Convergence  : Off
        Bandwidth : 100000 Kbit (Gi2/0/24), 100000 Kbit (Gi1/0/24)
        Mac Address Move Update Vlan : auto
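The two show commands above are what to check after a switch or link failure, and their output is regular enough to watch automatically. As an added example (not part of the original post), the Python below parses both the summary and the detail output, flags any pair that is not in the healthy “Active Up/Backup Standby” state, and lists pairs whose detail block does not show forced preemption. The healthy and detail samples are the outputs shown above; the failed-over sample is constructed, and its “Active Down/Backup Up” state string is an assumption.

```python
import re

# Output of "show interfaces switchport backup" as shown on the page (healthy).
HEALTHY = """\
Active Interface        Backup Interface        State
------------------------------------------------------------------------
GigabitEthernet2/0/23   GigabitEthernet1/0/23   Active Up/Backup Standby
GigabitEthernet2/0/24   GigabitEthernet1/0/24   Active Up/Backup Standby
"""

# Constructed sample: the same command after the primary link of the OUTSIDE
# pair fails and the backup takes over. The "Active Down/Backup Up" state
# string is assumed here, not taken from the page.
DEGRADED = """\
Active Interface        Backup Interface        State
------------------------------------------------------------------------
GigabitEthernet2/0/23   GigabitEthernet1/0/23   Active Up/Backup Standby
GigabitEthernet2/0/24   GigabitEthernet1/0/24   Active Down/Backup Up
"""

# Output of "show interfaces switchport backup detail" as shown on the page.
DETAIL = """\
Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
GigabitEthernet2/0/23   GigabitEthernet1/0/23   Active Up/Backup Standby
        Preemption Mode  : forced
        Preemption Delay : 35 seconds (default)
        Multicast Fast Convergence  : Off
        Bandwidth : 100000 Kbit (Gi2/0/23), 100000 Kbit (Gi1/0/23)
        Mac Address Move Update Vlan : auto

GigabitEthernet2/0/24   GigabitEthernet1/0/24   Active Up/Backup Standby
        Preemption Mode  : forced
        Preemption Delay : 35 seconds (default)
        Multicast Fast Convergence  : Off
        Bandwidth : 100000 Kbit (Gi2/0/24), 100000 Kbit (Gi1/0/24)
        Mac Address Move Update Vlan : auto
"""

# One pair per line: active interface, backup interface, "Active X/Backup Y".
PAIR_LINE = re.compile(
    r"^(?P<active>\S+)\s+(?P<backup>\S+)\s+"
    r"Active (?P<active_state>\w+)/Backup (?P<backup_state>\w+)\s*$"
)
# Indented "Key : value" lines that follow a pair in the detail output.
ATTR_LINE = re.compile(r"^\s+(?P<key>[^:]+?)\s*:\s*(?P<value>.*\S)\s*$")


def parse_backup_pairs(output):
    """Parse pair lines and, in detail output, the indented attributes under each."""
    pairs = []
    for line in output.splitlines():
        pair = PAIR_LINE.match(line)
        if pair:
            pairs.append({**pair.groupdict(), "attributes": {}})
            continue
        attr = ATTR_LINE.match(line)
        if attr and pairs:
            pairs[-1]["attributes"][attr.group("key")] = attr.group("value")
    return pairs


def find_degraded_pairs(output):
    """Active interfaces whose link is not up or whose backup is not in standby."""
    return [
        p["active"] for p in parse_backup_pairs(output)
        if p["active_state"] != "Up" or p["backup_state"] != "Standby"
    ]


def pairs_without_forced_preemption(output):
    """Active interfaces whose detail block does not report forced preemption."""
    return [
        p["active"] for p in parse_backup_pairs(output)
        if p["attributes"].get("Preemption Mode") != "forced"
    ]


if __name__ == "__main__":
    for sample_name, sample in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(sample_name, "degraded pairs:", find_degraded_pairs(sample))
    print("missing forced preemption:", pairs_without_forced_preemption(DETAIL))
```

Feeding the summary output to find_degraded_pairs on a schedule gives an alert when the stack has silently failed over to the backup ports, which the ASA itself will not tell you; the preemption check only makes sense on the detail output, since the summary carries no attributes.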

More information from Cisco can be found here

Clear WebVPN Sessions

The Cisco ASA platform ships with default licensing that permits two simultaneous WebVPN sessions. If users don’t log out when they finish using WebVPN, the ASA still considers these sessions open and they will consume licenses until the timeout period expires. There are two useful commands to troubleshoot issues surrounding WebVPN sessions. The first command shows current WebVPN sessions:

“show vpn-sessiondb webvpn”

The second command will terminate all WebVPN sessions:

“vpn-sessiondb logoff webvpn”

H.323 inspection on ASA platform

When running H.323 H.225 inspection (the “inspect h323 h225” command) on an ASA in transparent mode, routes are required for the inspection to work correctly. These routes are ONLY needed for the inspection process and are NOT used to route the actual traffic, as a transparent mode firewall does not participate in routing.
More information can be found here

ASA/PIX Packet Capture

There is an excellent packet capture capability built into the ASA/PIX software. In order to capture traffic, perform the following:

1) Create an ACL to identify the traffic you want to capture:

access-list ACL_CAPTURE permit tcp any any eq smtp

2) Create the capture statement:

capture MYCAP access-list ACL_CAPTURE interface inside

If you want to see the entire packet you need to add “packet-length 1522”:

capture MYCAP access-list ACL_CAPTURE packet-length 1522 interface inside

You can then do a “show capture MYCAP” to see the traffic.

If you want to download the capture to a sniffer (Wireshark), you have to do that while the capture is still running; you do it from a browser with the URL https:///capture//pcap

NOTE: This assumes that the interface on your ASA is named “inside”
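Once the pcap has been downloaded, the file itself shows whether the “packet-length 1522” option was in effect: the pcap file header carries the snapshot length, and every packet record carries both the captured length and the original length, so clipped packets are easy to count. The Python below is an added example, not from the original post; it builds a constructed pcap file in memory (no ASA needed) and then summarises it the way you would summarise a real download.

```python
import struct

# Little- and big-endian magic numbers of a microsecond-resolution pcap file.
MAGIC_LE = b"\xd4\xc3\xb2\xa1"
MAGIC_BE = b"\xa1\xb2\xc3\xd4"
HEADER_FMT = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_FMT = "IIII"      # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
HEADER_LEN = 24
RECORD_LEN = 16


def build_sample_pcap(snaplen, packet_sizes, byte_order="<"):
    """Constructed test data: an Ethernet pcap whose packets are clipped to snaplen."""
    data = struct.pack(byte_order + HEADER_FMT, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for index, size in enumerate(packet_sizes):
        captured = min(size, snaplen)
        data += struct.pack(byte_order + RECORD_FMT, 1_700_000_000 + index, 0, captured, size)
        data += bytes([index & 0xFF]) * captured   # dummy packet bytes
    return data


def summarize_capture(data):
    """Count packets and report how many were clipped short of their full length."""
    if data[:4] == MAGIC_LE:
        order = "<"
    elif data[:4] == MAGIC_BE:
        order = ">"
    else:
        raise ValueError("not a microsecond-resolution pcap file (unknown magic)")
    _, major, minor, _, _, snaplen, linktype = struct.unpack(order + HEADER_FMT, data[:HEADER_LEN])

    offset = HEADER_LEN
    packets = truncated = longest = 0
    while offset + RECORD_LEN <= len(data):
        _, _, incl_len, orig_len = struct.unpack(order + RECORD_FMT, data[offset:offset + RECORD_LEN])
        if offset + RECORD_LEN + incl_len > len(data):
            raise ValueError(f"record at offset {offset} runs past end of file")
        packets += 1
        longest = max(longest, orig_len)
        if incl_len < orig_len:        # captured fewer bytes than were on the wire
            truncated += 1
        offset += RECORD_LEN + incl_len

    return {
        "version": f"{major}.{minor}",
        "linktype": linktype,
        "snaplen": snaplen,
        "packets": packets,
        "truncated": truncated,
        "longest_packet": longest,
    }


if __name__ == "__main__":
    # A capture with a small snapshot length clips the larger frames.
    print(summarize_capture(build_sample_pcap(68, [60, 1514, 1518])))
    # A capture long enough for full-size frames clips nothing.
    print(summarize_capture(build_sample_pcap(1522, [60, 1514, 1518])))
```

To run this against a real download, replace the constructed bytes with the contents of the file (open it in binary mode); a non-zero “truncated” count means the capture should be recreated with the larger packet-length before relying on it for payload analysis.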