Cisco ASA - ESMTP TLS Inspection

cisco asa 
policy-map type inspect esmtp tls-esmtp
  parameters
    allow-tls
    no mask-banner     !! may only be required if you notice issues related to the banner

policy-map global_policy
  class inspection_default
    no inspect esmtp
    inspect esmtp tls-esmtp

Documentation

[ # ]

Cisco ASA - Enable and Show Historical Performance Data

cisco asa 
!! Enable the performance monitoring
asdm history enable

!! View data
show asdm history feature <all|blocks|cpu|failover|ids|interface|memory|perfmon|sas|tunnels|xlates>
show asdm history view <10m|60m|12h|5d|all> feature <all|blocks|cpu|failover|ids|interface|memory|perfmon|sas|tunnels|xlates>

Notes:

  • You can leave off the feature command to view ALL performance data

Documentation

[ # ]

Cisco ASA - EIGRP Troubleshooting

cisco asa 
show eigrp topology
show eigrp neighbors
debug eigrp neighbor
debug eigrp fsm

[ # ]

Cisco ASA - EIGRP Configuration

cisco asa 
router eigrp <as-num>  !! as number must match on neighbors
 no auto-summary 
 eigrp router-id 10.0.150.3  !! Name for defining the eigrp, name after interface IP
 redistribute static  !! redistribute static routes, can use policy map instead so not ALL statics are distributed
 network 10.0.150.0 255.255.255.0   !! Directly connected network
 network 4.2.2.128 255.255.255.248  !! Directly connected network
 exit

!! configure static routes to point to the interface/IP that you want to monitor and stop advertising the routes when the interface goes down
route <int-to-watch> <network-to-advertise> <subnet> <ip-of-int-to-watch>

[ # ]

Cisco ASA - Disable ESMTP Inspection for Specific Traffic

cisco asa 
access-list no_inspect_ESMTP deny tcp <source> <destination> eq 25
access-list no_inspect_ESMTP permit tcp any any eq 25

class-map no_inspect_ESMTP
 match access-list no_inspect_ESMTP 
 exit

policy-map global_policy 
 class no_inspect_ESMTP 
  inspect ESMTP 
  exit 
 class inspection_default
  no inspect esmtp
  exit

Notes:

  • It's important that the last ACL is specific for port 25 and not all IP. Traffic will break if left as 'ip'

[ # ]

Cisco ASA - Hostname with Failover State

cisco asa 
prompt hostname state

[ # ]

Cisco ASA - Run Command on HA Mate

cisco asa 
failover exec mate <command>

Documentation

[ # ]

Check Point - Splat - Upgrade Firewall

check point splat 
cphastop
mount -t iso9660 -o loop <iso_image> /mnt/cdrom
cd /mnt/cdrom
patch add cd

Notes:

  • It's best to verify these steps from Release Notes
  • After install, modify CP object in policy to reflect new version and push policy
  • HFAs will use ./UnixInstallScript instead of 'patch add cd'

[ # ]

Check Point - Splat - Read Only User Addition

check point splat 
useradd -u 0 -o -g 0 -m <username> -s /bin/rbash

[ # ]

Check Point - IPSO - Configure Read-Only CLI User

check point ipso nokia 
clish 
add user <username> uid <uid#> homedir /var/<username>
set user <username> shell /bin/csh
add rba user <username> role monitorRole
save config

Notes:

  • UID should be above 120. If you give a UID of 0, that will give the user read/write access
  • The 'RBA' line assigns the default readonly Voyager role, monitorRole, to the user. If the user does not need Voyager access, this can be ignored.

[ # ]