
Archive for the ‘Cisco’ Category

Here is a little something that I have found helpful when troubleshooting network problems: a chart that shows the order in which a packet is processed on an interface of a Cisco router or firewall. For example, it can be handy to know that NAT is applied outbound before the output ACL is checked. As usual, it is rather difficult to locate this on the Cisco documentation website, so I include it here for those who, like me, want a quick way to find it in a pinch.

Inside-to-Outside (LAN to WAN)

  • If IPSec then check input access list
  • decryption – for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • policy routing
  • routing
  • redirect to web cache
  • WAAS application optimization
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing
  • MPLS VRF tunneling (if MPLS WAN deployed)

Outside-to-Inside (WAN to LAN)

  • MPLS tunneling (if MPLS WAN deployed)
  • decryption – for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • redirect to web cache
  • WAAS application optimization
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing


Cisco ASA Connection Flags

Have you ever run the show connection command on a Cisco firewall and wondered what the connection flags meant? Are you frustrated by your attempts to find a list of them on Cisco’s website? Never fear. Here is a list of the flags along with their meanings. This is probably more for my sake than anyone else’s, but if it helps one person out there, I will feel as though I have made a positive contribution:
a – awaiting outside ACK to SYN
A – awaiting inside ACK to SYN
B – initial SYN from outside
C – Computer Telephony Interface Quick Buffer Encoding (CTIQBE) media connection
d – dump
D – DNS
E – outside back connection
f – inside FIN
F – outside FIN
g – Media Gateway Control Protocol (MGCP) connection
G – connection is part of a group
h – H.225
H – H.323
i – incomplete TCP or UDP connection
I – inbound data
k – Skinny Client Control Protocol (SCCP) media connection
m – SIP media connection
M – SMTP data
O – outbound data
p – replicated (unused)
P – inside back connection
q – SQL*Net data
r – inside acknowledged FIN
R – outside acknowledged FIN for TCP connection
R – UDP RPC
s – awaiting outside SYN
S – awaiting inside SYN
t – SIP transient connection
T – SIP connection
U – up
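As an added example (not part of the original post), here is a short Python script that decodes flag letters using the list above against constructed `show conn`-style lines and marks half-open TCP connections, which is handy when checking a firewall for a pile-up of embryonic connections. The line layout, addresses and byte counts are constructed assumptions, not captured firewall output; the overloaded letter R is resolved by protocol.

```python
import re
# Flag meanings from the list above; "R" is overloaded (TCP FIN vs UDP RPC), so
# decode_flags() resolves it by protocol.
ASA_CONN_FLAGS = {
    "a": "awaiting outside ACK to SYN", "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside", "C": "CTIQBE media connection", "d": "dump",
    "D": "DNS", "E": "outside back connection", "f": "inside FIN", "F": "outside FIN",
    "g": "MGCP connection", "G": "connection is part of a group", "h": "H.225",
    "H": "H.323", "i": "incomplete TCP or UDP connection", "I": "inbound data",
    "k": "SCCP media connection", "m": "SIP media connection", "M": "SMTP data",
    "O": "outbound data", "p": "replicated (unused)", "P": "inside back connection",
    "q": "SQL*Net data", "r": "inside acknowledged FIN", "s": "awaiting outside SYN",
    "S": "awaiting inside SYN", "t": "SIP transient connection", "T": "SIP connection",
    "U": "up",
}
EMBRYONIC = set("aAsSB")  # handshake not yet complete (half-open TCP)
# Constructed sample lines in the shape of `show conn` output (not real data).
SAMPLE = """\
TCP outside 203.0.113.5:443 inside 10.1.1.20:51234, idle 0:00:05, bytes 18342, flags UIO
TCP outside 198.51.100.7:22 inside 10.1.1.30:40001, idle 0:00:31, bytes 0, flags aB
UDP outside 192.0.2.9:111 inside 10.1.1.31:32768, idle 0:00:02, bytes 640, flags R
"""
LINE_RE = re.compile(r"^(?P<proto>TCP|UDP) (?P<out_if>\S+) (?P<out>\S+) "
                     r"(?P<in_if>\S+) (?P<in>\S+),.*?flags (?P<flags>\S+)$")

def decode_flags(flags, proto):
    """Expand a flag string into the meanings listed above."""
    out = []
    for ch in flags:
        if ch == "R":  # same letter, two meanings: pick by protocol
            out.append("UDP RPC" if proto == "UDP" else "outside acknowledged FIN for TCP connection")
        else:
            out.append(ASA_CONN_FLAGS.get(ch, "unknown flag %r" % ch))
    return out

def parse_show_conn(text):
    """One dict per connection line; 'embryonic' marks half-open TCP connections."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, unrelated output
        d = m.groupdict()
        d["meanings"] = decode_flags(d["flags"], d["proto"])
        d["embryonic"] = d["proto"] == "TCP" and bool(EMBRYONIC & set(d["flags"]))
        conns.append(d)
    return conns

if __name__ == "__main__":
    for c in parse_show_conn(SAMPLE):
        tag = "HALF-OPEN" if c["embryonic"] else "ok"
        print(c["proto"], c["out"], "->", c["in"], c["flags"], tag, "; ".join(c["meanings"]))
```

Paste real `show conn` output in place of SAMPLE; a large share of lines tagged HALF-OPEN from one outside source is the pattern to investigate.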


This is for all those folks who want to know how to connect to a console port on a Cisco device (or any console, really) using a Mac. Because OS X is built on a Unix derivative, it includes a number of built-in tools, among them a little application called screen. You don’t need SecureCRT, PuTTY, or any other application. Screen is a powerful application with a number of different uses, but its manual page is as cumbersome as any. Using it to connect to a Cisco device, however, is easy. You only need three steps to use it successfully.

First, connect your Mac to the console port using any Mac-compatible USB/serial adapter.

Second, from the terminal, run the ls /dev/tty.* command. This will show you the name of the USB/serial adapter as it appears in the /dev directory.

Third, from the terminal, run the screen /dev/tty.<device name> 9600,-cstopb,cs8,-parenb command. This invokes screen on the USB/serial adapter and instructs it to use 9600 baud, one stop bit (-cstopb), 8 data bits (cs8) and no parity (-parenb); the options use stty names, so 8 data bits is cs8 rather than -cs8, and one stop bit is -cstopb.

That’s it. When you are finished, press and hold the <control> <a> key combination and then press the <d> key. This detaches screen and releases the terminal. If you want to know more about how screen works and all that it can do, read the man page.


I have encountered various circumstances in which it was possible to transfer a file to a Cisco device only via FTP. The first few times were trying, as the CLI syntax is a little tricky. Since then, FTP has become my preferred method, as it is faster and more reliable. For those who need a quick reminder of the syntax (myself included), here it is:

copy ftp://<username>:<password>@<ip address>/<root directory>/<image directory>/<file name> flash:/<filename>

Obviously, if you are copying in the opposite direction, just swap the flash: and ftp:// fields in the command.
