Cisco ASA - eekbot/public GitHub Wiki

Checking Tunnel Status

BLAHFW# sh vpn-sessiondb l2l filter ipaddress 13.14.15.16

Session Type: LAN-to-LAN

Connection   : 13.14.15.16
Index        : 3415                   IP Addr      : 13.14.15.16
Protocol     : IKEv2 IPsec
Encryption   : IKEv2: (1)AES256  IPsec: (2)AES256
Hashing      : IKEv2: (1)SHA256  IPsec: (2)SHA256
Bytes Tx     : 6991751                Bytes Rx     : 13100229
Login Time   : 03:03:00 MST Tue Feb 27 2024
Duration     : 10h:47m:03s

Choosing SSH Cipher Upon Login

[BLAHUSER@BASTION ~]$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 10.11.12.13
Unable to negotiate with 10.11.12.13 port 22: no matching MAC found. Their offer: hmac-sha1

[BLAHUSER@BASTION  ~]$ ssh -m hmac-sha1 -A 10.11.12.13
Nexus 5000 Switch
Password:

Going Directly Into Enable Mode

# THIS ASSUMES YOU'RE USING AN AAA SERVER FOR AUTHORIZATION
aaa authorization exec authentication-server auto-enable

Creating A Capture

device# capture blah interface inside match ip host 1.2.3.4 host 4.3.2.1
device# show cap
device# show capture blah

Removing the Capture

device# no cap blah

Moving A Capture From A Cisco ASA Context To The Sys Context

BLAH-CTXT1# show cap

1234-BLAH:
 capture ca1 type raw-data interface BLAH_TRANSIT [Capturing - 370 bytes] 
  match tcp any any eq 1812 
 capture ca type raw-data interface BLAH_TRANSIT [Capturing - 1310 bytes] 
  match ip host 192.168.1.2 host 10.2.3.4

BLAH-CTXT1# copy /pcap capture:1234-BLAH/ca1 disk0:/ca1        
Source capture name [1234-BLAH/ca1]? 

Destination filename [ca1]? 
!
5 packets copied in 0.10 secs

BLAH-CTXT1# dir

Directory of disk0:/

4      drwx  8192         01:30:05 Aug 05 2023  log
17     drwx  4096         07:43:14 Nov 11 2020  crypto_archive
[output cut]
842    -rwx  394          11:45:22 Jan 19 2024  ca1
1      drwx  16384        01:22:06 Aug 05 2023  coredumpfsys
[output cut]

BLAH-CTXT1#

Pulling A File From A Cisco ASA To A Linux Server

[USER@jaxmitlbas03 ~]$ scp [email protected]:disk0:/admin.cfg admin.cfg
Unable to negotiate with 172.16.2.3 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

[USER@BASTION ~]$ scp -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected]:disk0:/BLAH.cfg BLAH.cfg
[email protected]'s password: 
BLAH.cfg                                                                                                                                                                    100% 7788     3.6MB/s   00:00    
[USER@BASTION ~]$