fw tab -t http_vpnd_cookies -f !! View currently connected clients
fw tab -t http_vpnd_cookies -x !! Clear all currently connected clients!! Contains the following directories by default
$FWDIR/conf
$FWDIR/database
$CPDIR/conf
$CPDIR/databasefwm lock_admin -v // View locked admins
fwm lock_admin -u <admin> // Unlock a specific admin
fwm lock_admin -ua // Unlock all adminsfw unloadlocal- Launch ASDM from a privilege 15 account
- Go to Configuration > Device Managment > Users/AAA > AAA Access > Authorization
- Click the button "Set ASDM Defined Roles"
- Select "Yes" to have ASDM configure the necessary Priv 3 and Priv 5 permissions
- Select "Apply" to set the configuration on the firewall
!! Configuring the captures
!! Method 1 - ACL Capture
access-list ryan permit ip host <source> host <dst>
capture ryan-inside access-list ryan int <int>
show capture ryan-inside
!! Method 2 - Match Capture (This is bidirectional)
capture ryan-inside interface <int> match ip host <src ip> dest <dest ip>
sh cap ryan-inside
!! Obtaining capture as PCAP file
!! 1.) Method 1 - Copying to another location
copy /pcap capture:/<capture-name> <destination>
!! Example:
copy /pcap capture:/mycap ftp://1.1.1.1/incoming/mycap.pcap
!! 2.) Method 2 - Downloading from the firewall
Visit in Browser: https://<FW-IP>/admin/capture/<capture_name>/pcap
!! Example:
Visit in Browser: https://1.1.1.1/admin/capture/mycap/pcapNotes:
- To download the PCAP, ensure you are connecting on the same port as ASDM is configured ('show run http')
boot system flash:/<new-imagename>
no boot system flash:/<old-imagename>!! As of writing this, some (or all) versions of Android do not support AES 256 so AES 128 is in use here
crypto ikev1 policy 20
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!! Configure Nat-T for Android phones
crypto isakmp nat-traversal
!! Configure the phase 2 transform set for Android
crypto ipsec ikev1 transform-set aes-128-sha-transport esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set aes-128-sha-transport mode transport
!! Assign the transform-set to the first dynamic-map if possible
!! note, aes-256-sha is a previously used transform-set I use with my iphone
crypto dynamic-map dynMap 10 set ikev1 transform-set aes-256-sha aes-128-sha-transport
!! Configure l2tp group-policy
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
!! Configure tunnel-group to use the required PSK and pool
tunnel-group DefaultRAGroup general-attributes
address-pool <ip-pool>
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key <pre-shared-key>
!! Configure group-policy of group-policy username lock to also accept l2tp
group-policy <group-policy-related-to-lock> attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec <etc>
!! Configure username with mchap encryption and lock to the required group-policy
username <username> password <password> mschap
username <username> attributes
vpn-group-policy <group-policy-related-to-group>In order to create a read-only account for ASDM access, you need to ensure the following command is set for the privilege level you are looking to permit the read-only access for:
privilege cmd level 5 mode exec command moreinterface GigabitEthernet0/2
description <optional description>
vlan 40 !! optional
nameif <name for interface>
security-level <0-100>
ip address <ip> <netmask> standby <standby ip>
exitNotes:
- The 'standby' portion of the IP address can be omitted if this is not part of a High Availability pair of firewalls