migrate l2l

Notes:

  • This will add IKEv2 options with IKEv1 fallback

Documentation

[ # ]

!! Define the traffic that will require the custom timeout

access-list <Match-ACL-Name> extended permit <traffic-to-match>
!! Define the class-map with the match of the ACL above

class-map <Class-Map-Name>
 match access-list <Match-ACL-Name>
!! Define the policy-map to be applied to an interface
!! Note: Only one policy-map can be defined per interface. If you have one already defined for an interface, add the 'class' and settings to the existing policy-map

policy-map <Policy-Map-Name>
 class <Class-Map-Name>
  set connection timeout idle <Timeout-in-HH:MM:SS-Format>
!! Note: Only one policy-map can be defined per interface. If you have one already defined for an interface, the following line is not necessary

service-policy <Policy-Map-Name> interface <interface>

EXAMPLE CONFIGURATION

access-list SSH-24Hour-ACL extended permit tcp object-group SSH_24Hour_Hosts any eq 22

class-map SSH-24Hour-ClassMap
 match access-list SSH-24Hour-ACL

policy-map inside-policy-map
 class SSH-24Hour-ClassMap
  set connection timeout idle 24:00:00

service-policy inside-policy-map interface inside

Notes:

  • See documentation for information regarding the interface direction
  • This was designed for versions 8.3+ although it may work on version 8.2
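As an added example (not from the original page), a small Python audit script that ties the four pieces above together: it parses the access-list, class-map, policy-map and service-policy lines of a constructed sample config, reports the idle timeout applied per interface, and flags a policy-map, class-map or ACL that is referenced but never defined. The sample config and all function names are constructed for this illustration.

```python
# Constructed sample config (not a real device); 'outside-policy-map' is referenced but never defined.
SAMPLE_CONFIG = """\
access-list SSH-24Hour-ACL extended permit tcp object-group SSH_24Hour_Hosts any eq 22
class-map SSH-24Hour-ClassMap
 match access-list SSH-24Hour-ACL
policy-map inside-policy-map
 class SSH-24Hour-ClassMap
  set connection timeout idle 24:00:00
service-policy inside-policy-map interface inside
service-policy outside-policy-map interface outside
"""
def parse_config(text):
    # acls: names; classmaps: class -> ACL; policymaps: pmap -> {class: idle}; service: intf -> pmap
    acls, classmaps, policymaps, service = set(), {}, {}, {}
    cur_class = cur_policy = cur_pclass = None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        if not line[0].isspace():  # top-level command: leave any sub-mode
            cur_class = cur_policy = cur_pclass = None
            if tok[0] == "access-list":
                acls.add(tok[1])
            elif tok[0] == "class-map":  # name is always the last token
                cur_class, classmaps[tok[-1]] = tok[-1], None
            elif tok[0] == "policy-map" and tok[1] != "type":  # skip 'type inspect' maps
                cur_policy, policymaps[tok[1]] = tok[1], {}
            elif tok[0] == "service-policy" and "interface" in tok:  # 'global' is ignored
                service[tok[tok.index("interface") + 1]] = tok[1]
        elif cur_class and tok[:2] == ["match", "access-list"]:
            classmaps[cur_class] = tok[2]
        elif cur_policy and tok[0] == "class":
            cur_pclass = tok[1]
        elif cur_pclass and tok[:4] == ["set", "connection", "timeout", "idle"]:
            policymaps[cur_policy][cur_pclass] = tok[4]  # only classes that set idle are kept
    return acls, classmaps, policymaps, service

def audit(text):
    # One tuple per (interface, policy-map, class, ACL, idle timeout or problem found)
    acls, classmaps, policymaps, service = parse_config(text)
    out = []
    for intf, pmap in sorted(service.items()):
        if pmap not in policymaps:
            out.append((intf, pmap, None, None, "policy-map not defined"))
        for cls, idle in policymaps.get(pmap, {}).items():
            acl = classmaps.get(cls)
            problem = ("class-map not defined or has no ACL match" if acl is None
                       else "ACL not defined" if acl not in acls else None)
            out.append((intf, pmap, cls, acl, problem or idle))
    return out
```

Run `audit(SAMPLE_CONFIG)` against a `show running-config` capture to list every interface with its idle timeout and any dangling reference before pushing a change.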

Documentation

[ # ]

router eigrp <as-num>  !! AS number must match on all neighbors
 no auto-summary
 eigrp router-id 10.0.150.3  !! Router ID identifying this EIGRP process; conventionally set to an interface IP
 redistribute static  !! Redistribute static routes; add a route-map to control which statics are redistributed instead of ALL of them
 network 10.0.150.0 255.255.255.0   !! Directly connected network
 network 4.2.2.128 255.255.255.248  !! Directly connected network
 exit

!! Configure static routes that point to the interface/IP you want to monitor; when that interface goes down the static route is withdrawn and the redistributed route stops being advertised
route <int-to-watch> <network-to-advertise> <subnet> <ip-of-int-to-watch>

[ # ]

show eigrp topology
show eigrp neighbors
debug eigrp neighbor
debug eigrp fsm

[ # ]

Pix 6

ca zeroize rsa
ca generate rsa key 1024
sh ca mypubkey rsa
ca save all

Pix 7+

crypto key zeroize rsa
crypto key generate rsa modulus 1024
sh crypto key mypubkey rsa

Notes:

  • The command "crypto key zeroize rsa" will remove certificates using the default keychain as well

[ # ]

show failover  !! View current failover status, statistics, etc
show failover history  !! View recent failover and sync history
show failover state  !! View last failover reasons and information

[ # ]

policy-map type inspect esmtp tls-esmtp
  parameters
    allow-tls
    no mask-banner     !! may only be required if you notice issues related to the banner

policy-map global_policy
  class inspection_default
    no inspect esmtp
    inspect esmtp tls-esmtp

Documentation

[ # ]

!! Enable the performance monitoring
asdm history enable

!! View data
show asdm history feature <all|blocks|cpu|failover|ids|interface|memory|perfmon|sas|tunnels|xlates>
show asdm history view <10m|60m|12h|5d|all> feature <all|blocks|cpu|failover|ids|interface|memory|perfmon|sas|tunnels|xlates>

Notes:

  • You can leave off the feature keyword to view ALL performance data

Documentation

[ # ]

!! Most SPLAT Devices
echo "<NAT-IP> <Physical-Interface-MAC-Address>" >> $FWDIR/conf/local.arp

!! SPLAT Devices with VMAC mode enabled (all three fields must be inside the quotes, otherwise the shell treats <Physical-Int-IP> as an input redirection)
echo "<NAT-IP> <Virtual-MAC-Address> <Physical-Int-IP>" >> $FWDIR/conf/local.arp

Notes:

  • Automatic NATs normally do not require a proxy ARP entry. Ensure "Merge manual proxy ARP configuration" is enabled under Global Properties -> NAT

[ # ]

cphaconf set_ccp multicast   !! Use Multicast (default mode, most efficient)
cphaconf set_ccp broadcast   !! Use Broadcast

cphaprob -a if    !! Verify current mode and monitored interfaces

Documentation

[ # ]