Some notes on working with Cisco ASA's

Commands on an asa 8.3 and above

object-groups

Make everything object groups! ok so not everything can be an object group things like access lists are access lists not object groups. Even if you just have one host or service make an object group for it it make it all much nicer honist!

object-group network

The object-group network sub command is used for creating groups of network type objects.

network-object

The network-object command is used with the object-group command to define a host object, a network object, or a subnet object.

To create an member that is just one host use an ip address of dns name:

network-object host a.b.c.d

network-object host host.name.tld

To create an member that is a sub net:

network-object a.b.c.d 255.255.255.0

To create an member that is a network object (created by the object network command)

network-object object object_network_name

object-group service

port-object eq port-object range

object-group icmp-type

icmp-object echo

Capture packets (like linux tcpdump/ Solaris snoop)

Start a Capture

\# capture [name] interface [interface name] match [protical (ip/icmp/tcp/udp)] host [source host (x.x.x.x/any)] [Dest host (x.x.x.x/any)]

Stop the capture but keep the data

\# no capture [name] interface [interface name]

List Caputres

\# show capture [name]

Delete the capture

\# no capture [name]

Example

# capture SH interface extern match ip host 10.10.10.10 any

# show capt
capture SH type raw-data [Capturing - 14486 bytes] 
  match ip host 10.10.10.10 any 

# show capture SH

71 packets captured

   1: 16:47:19.884750       10.10.10.3.64216 > 10.10.10.10.53:  udp 42 
   2: 16:47:19.885086       10.10.10.10.53 > 10.10.10.3.64216:  udp 238 
...

packet tracer

1. packet-tracer input [interface name] [protical (icmp/tcp/udp)] [source host (x.x.x.x)] [source port] [dest host (x.x.x.x)] [desk port] (detailed)

Example

1. packet-tracer input external tcp 10.10.10.3 64216 10.10.10.10 53 detailed