All users configured on the ASA are assigned a privilege level. This privilege level is specified when configuring the username as follows:

hostname(config)# username name password password privilege priv_level

The privilege level can be any value from 0 (least permissive) to 15 (most permissive), with 2 being the default. Do note that if you want to grant the user access to privileged EXEC mode, you should use the range from 2 to 15. For the purpose of assigning read-only access to a user, we will use a privilege level of 5.

AAA refers to authentication, authorization and accounting. It allows us to authenticate who the user is, authorize what that user is allowed to do, and then keep an accounting record showing what that user has done. In order to create a read-only user account, we need to define which commands the user should be granted access to. This requires knowledge of who the user is, so we first need to ensure that user authentication is configured.

To enable AAA authentication, use the following command:

More »

This post is an index of password recovery procedures for Cisco products. For security reasons, the password recovery procedures listed here require physical access to the equipment.



Cisco 2600 Series Routers Cisco 3600 Series Routers Cisco 3700 Series Routers
Cisco 801, 802, 803, 804, 805, 811, and 813 Series Routers Cisco 806, 826, 827, 828, 831, 836 and 837 Series Routers Cisco SOHO 76, 77, 78, 91, 96, and 97 Routers


Integrated Services Routers (ISR) Products

Cisco 1800 Series Routers Cisco 2800 Series Routers Cisco 3800 Series Routers
Cisco 2900 Series Routers Cisco 1900 Series Routers


High-End Routers

Cisco 12000 Series Routers Cisco uBR7100 Cisco 7200 Series Routers
Cisco 7000 Series Routers Cisco uBR7200 Cisco AGS
Cisco 7000 Series Route Switch Processor (RSP7000) Cisco uBR10000 Route Processor Module
Cisco 7100 Series Routers Cisco 7500 Series Routers Cisco XR 12000 Series Routers


LAN Switches

EtherSwitch/FastSwitch/FastHub Catalyst 2800 Series Switches Catalyst 4000/2980G/2948G Series Switches running Catalyst OS
Catalyst 1200 Series Switches Catalyst 2900-XL/3500-XL Series Switches Catalyst 4000/4500/4900 Switches running Cisco IOS
Catalyst 1600 Series Switches Catalyst 2901-2 Series Switches Catalyst 5500/5000/2926G/2926 Series Switches
Catalyst 1700 Series Switches Catalyst 2948G-L3/4908G-L3/4840G Series Switches Catalyst 6000 Series Switches Running Native IOS
Catalyst 1800 Series Switches Catalyst 2940, 2950/2955, 2960, 2970 Series Switches Catalyst 6500/6000 Series Switches running Catalyst OS
Catalyst 1900/2820 Series Switches Catalyst 3000/3100/3200 Series Switches Cisco Catalyst 6500 Series SSL Services Module in Native (IOS) Mode
Catalyst 2100 Series Switches Catalyst 3550, 3560, 3750 Series Switches Catalyst 8510-CSR Series Switch
Catalyst 2600 Series Switches Catalyst 2970 Switch Catalyst 2950 and Catalyst 2955 Switch
Catalyst 3550 Multilayer Switch Catalyst 3560 Switch Catalyst 3750 Switch
Catalyst 3900 Series Switches Catalyst 8540-CSR Series Switch Catalyst 6500 with Supervisor 720 Running Cisco IOS Software Prior to 12.2(17)SX

More »

04. June 2013 · Write a comment · Categories: Cisco · Tags: , , , ,

6-4-2013 12-02-03 PM

you can safely increase the dns packet length to 1500 ,  512 is the default.

“fixup protocol dns maximum-length 1500 ”

Background on fixup protocol dns

Use the fixup protocol dns command to specify the maximum DNS packet length. DNS requires application inspection so that DNS queries are not subject to the generic UDP handling based on activity timeouts. Instead, UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received.

The port assignment for the Domain Name System (DNS) is not configurable.

Set the maximum length for the DNS fixup as shown in the following example:

pixfirewall(config)# fixup protocol dns maximum-length 1500

pixfirewall(config)# show fixup protocol dns

fixup protocol dns maximum length 1500

Ive needed to know what the site-to-site vpn key is when reconfiguring a firewall.  No one knew what the password is & I was under the impression that I would have to just reset the password on both ends. Well, Ive learned that a command can provide more information without having to reset the vpn key on the other side. If you do a ‘show run’ on the ASA, you will see that you can not see what the key is. It just gives you an: *

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *

Ok, I need that password. So, Ive learned that if you do a “more system:/running-config”, it will show you that pass key.
Below is what is displayed when I enter the command:

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key !Password1!!


16. December 2012 · Write a comment · Categories: Cisco · Tags:

To get to other client firewalls (which only allows SSH access).  Here is how to SSH from any Cisco router or switch to another device:

ssh -l zope

the SSH command, -l means “username”, which is “zope” for me, and then the target address you are trying to reach .  In this case

Version 9.0 of the Cisco ASA software has now been released. Here are some of the major features in the new release.

Filter ICMP by ICMP code
Clustering of multiple ASAs
OSPFv3 and EIGRP support
IPv6 support on outside interface for VPNs
NAT for IPv6 and NAT64
DHCPv6 relay
Unified ACLs for v4 and v6
Clientless SSL VPN – Support for new browsers and HTML5
Site to Site VPN in multiple context mode
Dynamic routing in multiple context mode
Mixed firewall support in multiple context mode

So Today I decided to upgrade my ASA5505 to Version 9.0(1).  Below are the steps to upgrade your ASA More »

In this example, we want to be able to access a Media Server behind the firewall.  We’ll assume you are using port 32400, the Media Server’s internal IP address is, I’ll give you the steps, then I’ll explain.

Step 1: Create a new object group for you web server.

asa5505(config)# object network MediaServer

Step 2: Add the IP of the web server to the network group.

asa5505(config-network-object)# host

Step 3: Forward the port via the NAT command.

asa5505(config-network-object)# nat (inside,outside) static interface service tcp 32400 32400

Step 4: Exit back to the root and add the access list

 asa5505(config)# access-list outside_access_in permit tcp any object MediaServer eq 32400 any

That’s it!  Now, let’s explain what’s going on here.  Cisco has started moving more and more towards use of object groups in their configs.  It makes things easier, especially when you have a situation where you have 20 web servers behind the firewall and you want to add 1 more in.  Rather than having to rewrite a whole bunch of ACL’s, you just add the IP of the new web server into the object group and everything is done for you.  So here our Media Server is  If you want to send port 80 to more than 1 IP on your internal network, just add more IP’s to that object group.

This works for ANY port forward.  If you want to RDP into a machine, simply replace port 32400 with 3389.  There is one caveat.  You can only do one port forward per object group.  So let’s say that our Media Server is also an FTP server and you want port 21 to forward as well as port 32400.  You’re going to have to create a whole new object group (object network FTPServer), put the same IP in the group (host, do the nat command again (nat (inside,outside) static interface service tcp ftp ftp), exit back to the root of config, and add the access list (access-list outside_access_in  permit tcp any object FTPServer eq ftp).

This should get you up and running in no time

Starting from version 7.2(1) and upwards, the Cisco ASA 5500 series firewall supports now the Dual-ISP capability. You can connect two interfaces of the firewall to two different ISPs and use the new “SLA Monitor” feature (SLA=Service Level Monitoring) to monitor the link to the primary ISP, and if that fails, the traffic is routed to the Backup ISP.

asa 5500 dual isp connection

Assume that the Primary ISP (ISP-1) has assigned to us the public IP address with gateway Also, the Backup ISP (ISP-2) has assigned us the public IP with gateway Normally all traffic should flow through ISP-1, but if the physical link (or route) to that ISP fails, then traffic should be redirected to the Backup ISP. We can configure an SLA monitor service which will be checking every 30 seconds (using a ping echo request) the availability of the primary Gateway IP address ( If there is no response in 20000 milliseconds (20 sec), then the default route will be redirected to the Backup ISP. The configuration is shown below:

asa5500(config)# sla monitor 100
asa5500(config-sla-monitor)# type echo protocol ipIcmpEcho interface outside
asa5500(config-sla-monitor-echo)# timeout 20000
asa5500(config-sla-monitor-echo)# frequency 30
asa5500(config)# sla monitor schedule 100 life forever start-time now
asa5500(config)# track 1 rtr 100 reachability
asa5500(config)# route outside 1 track 1
asa5500(config)# route backup-isp 254

Of course the configuration above assumes that you have already configured two interfaces connected to the ISPs, the first one with name ‘outside’ (security level 0) and the second one with name ‘backup-isp’ (security level 1).

In ASDM go to Remote Access VPN > Network Client Access > Group Policies  and select the group policy you would like to change and click edit. In the group policy screen click on More Options, then make uncheck Clientless SSL VPN and SSL VPN Client is checked. Apply the change.

After this change users will hit the SSL VPN web page, log in, and then be connected with the anyconnect client. The credentials from the SSL Login web page will pass through to the AnyConnect client. If AnyConnect was not installed, it will be after the log in.