Cisco ASA – Checking NTP Setup

The easiest way to set up NTP servers is through the Cisco ASDM console:
[screenshot: ASA-NTP]

and to verify that it is working, ssh to your ASA and issue:

ciscoasa# show ntp status – Displays the NTP clock information.

Clock is synchronized, stratum 2, reference is 129.6.15.30
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d97cb143.709fb402 (20:15:15.439 GMT/BDT Mon Aug 17 2015)
clock offset is 10.3378 msec, root delay is 85.92 msec
root dispersion is 7902.33 msec, peer dispersion is 7892.00 msec

ciscoasa# show ntp associations detail – Displays the configured network time server associations.

192.5.41.41 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (06:28:16.000 GMT/BST Thu Feb 7 2036)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 4302.902
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (06:28:16.000 GMT/BST Thu Feb 7 2036)
rcv time 00000000.00000000 (06:28:16.000 GMT/BST Thu Feb 7 2036)
xmt time d97cb2ab.6554faf6 (20:21:15.395 GMT/BDT Mon Aug 17 2015)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

129.6.15.30 configured, our_master, sane, valid, stratum 1
ref ID .ACTS., time d97cb28c.1ea28b1a (20:20:44.119 GMT/BDT Mon Aug 17 2015)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 0.00 msec, root disp 0.00, reach 377, sync dist 59.219
delay 85.94 msec, offset 11.2877 msec, dispersion 16.25
precision 2**29, version 3
org time d97cb2a3.732dc501 (20:21:07.449 GMT/BDT Mon Aug 17 2015)
rcv time d97cb2a3.7b4a5349 (20:21:07.481 GMT/BDT Mon Aug 17 2015)
xmt time d97cb2a3.654933bf (20:21:07.395 GMT/BDT Mon Aug 17 2015)
filtdelay = 85.94 85.75 85.10 85.17 85.04 85.88 85.92 85.27
filtoffset = 11.29 11.54 12.31 12.24 12.44 11.41 10.34 7.60
filterror = 15.63 16.11 17.09 18.07 19.04 20.02 21.00 21.97
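The two outputs above are worth reading together: the first server (192.5.41.41) is flagged insane, invalid and unsynced at stratum 16 with reach 0, so it has never answered a poll, while 129.6.15.30 is our_master with reach 377 (all of the last eight polls answered) and a small offset. The following script is an added example, not part of the original post: it parses the "show ntp status" and "show ntp associations detail" output shown above (embedded here as sample input, with the filtdelay/filtoffset/filterror lines omitted) and reports which peers are usable. The 128 ms offset threshold is a value chosen for this example, not a Cisco default.

```python
import re

# Output copied from the "show ntp status" / "show ntp associations detail"
# sessions above (filter-register lines omitted; the parser ignores them anyway).
SAMPLE_STATUS = "Clock is synchronized, stratum 2, reference is 129.6.15.30\n"
SAMPLE_ASSOCIATIONS = """\
192.5.41.41 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (06:28:16.000 GMT/BST Thu Feb 7 2036)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 4302.902
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3

129.6.15.30 configured, our_master, sane, valid, stratum 1
ref ID .ACTS., time d97cb28c.1ea28b1a (20:20:44.119 GMT/BDT Mon Aug 17 2015)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 0.00 msec, root disp 0.00, reach 377, sync dist 59.219
delay 85.94 msec, offset 11.2877 msec, dispersion 16.25
precision 2**29, version 3
"""

STATUS_RE = re.compile(
    r"^Clock is (?P<state>synchronized|unsynchronized)"
    r"(?:, stratum (?P<stratum>\d+), reference is (?P<ref>\S+))?")
PEER_RE = re.compile(r"^(?P<peer>\d+\.\d+\.\d+\.\d+) (?P<flags>.*), stratum (?P<stratum>\d+)$")
REACH_RE = re.compile(r"\breach (?P<reach>[0-7]+)\b")
OFFSET_RE = re.compile(r"\boffset (?P<offset>-?[0-9.]+) msec")

# Threshold chosen for this example, not a Cisco value.
MAX_OFFSET_MS = 128.0


def parse_status(text):
    """Pick the 'Clock is ...' line out of 'show ntp status'."""
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            return {
                "synchronized": m.group("state") == "synchronized",
                "stratum": int(m.group("stratum")) if m.group("stratum") else None,
                "reference": m.group("ref"),
            }
    return None


def parse_associations(text):
    """Split 'show ntp associations detail' into one dict per configured peer."""
    peers, current = [], None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = {
                "peer": m.group("peer"),
                "flags": {f.strip() for f in m.group("flags").split(",")},
                "stratum": int(m.group("stratum")),
                "reach": 0,
                "offset_ms": 0.0,
            }
            peers.append(current)
            continue
        if current is None:
            continue
        m = REACH_RE.search(line)
        if m:
            # reach is an octal shift register of the last 8 polls; 377 = all 8 answered
            current["reach"] = int(m.group("reach"), 8)
        m = OFFSET_RE.search(line)
        if m:
            current["offset_ms"] = float(m.group("offset"))
    return peers


def assess_peer(p):
    """Return (healthy, reason) for one parsed peer."""
    bad = p["flags"] & {"insane", "invalid", "unsynced"}
    if bad:
        return False, "peer flagged " + ", ".join(sorted(bad))
    if p["stratum"] >= 16:
        return False, "stratum 16: the server itself is not synchronised"
    if p["reach"] == 0:
        return False, "reach 0: none of the last 8 polls were answered"
    if abs(p["offset_ms"]) > MAX_OFFSET_MS:
        return False, "offset %.1f ms exceeds %.0f ms" % (p["offset_ms"], MAX_OFFSET_MS)
    return True, "ok"


def check_ntp(status_text, associations_text):
    """Summarise both commands: (clock synchronised?, master peer, {peer: (healthy, reason)})."""
    status = parse_status(status_text)
    peers = parse_associations(associations_text)
    master = next((p["peer"] for p in peers if "our_master" in p["flags"]), None)
    report = {p["peer"]: assess_peer(p) for p in peers}
    return bool(status and status["synchronized"]), master, report


if __name__ == "__main__":
    synced, master, report = check_ntp(SAMPLE_STATUS, SAMPLE_ASSOCIATIONS)
    print("clock synchronised:", synced, "| master:", master)
    for peer, (ok, why) in report.items():
        print("%-15s %s (%s)" % (peer, "OK " if ok else "BAD", why))
```

Run against the page's own output it reports 129.6.15.30 as the healthy master and 192.5.41.41 as bad (flagged insane, invalid, unsynced). A clock that is "synchronized" in "show ntp status" with only one usable peer is still a single point of failure for timestamps in your logs, so the per-peer check is the one to watch.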

Cisco – How to schedule a reload

A useful trick when working with Cisco devices remotely is having a way to revert the config if a change goes wrong. If I know that I will be making changes that may cause me to disconnect and lose access to the device, I schedule a reload, and once I know the config is fine I just cancel it. The reload boots the saved startup-config, so don't save the running config until you are sure it works.

To schedule a reload in 15 minutes:

Cisco# reload in 0:15
Proceed with reload? [confirm]
Cisco#


***
*** --- SHUTDOWN in 0:15:00 ---

To see how much time you have left:

Cisco# show reload
Reload scheduled for 23:15:47 GMT/BDT Fri Jun 5 2015 (in 12 minutes) by console from ssh (remote 1.2.3.4)

To cancel reload:

cisco#reload cancel
cisco#

***
*** --- SHUTDOWN ABORTED ---
***

Cisco – Check specific part of config with show run command

Often when running the "show run" command the output is very long and I am usually looking for a specific bit of the config to check or modify. Useful commands to filter the output:

to start displaying the config at the first line containing <string>:
show run | begin <string>

to display all the lines containing the given <string>:
show run | include <string>

Cisco ASA – set up logging to syslog-ng

Assuming that syslog-ng is already configured and running, the setup is quick and easy:

Cisco ASA config:

1. Enable logging:

logging enable
logging timestamp

2. Send messages to our syslog server:

logging trap notifications
logging facility 21
logging device-id hostname
logging host inside IP.ADD.RE.SS udp 514

Available trap levels:

{1 | alerts} – Immediate action needed
{2 | critical} – Critical conditions
{3 | errors} – Error conditions
{4 | warnings} – Warning conditions
{5 | notifications} – Normal but significant conditions
{6 | informational} – Informational messages
{7 | debugging} – Debugging messages

3. Optional: set up NTP

ntp server 192.5.41.41 source outside
ntp server 192.5.41.40 source outside prefer

Syslog-ng config:

open /etc/syslog-ng/syslog-ng.conf

and add the following lines:

source s_net {
       udp(ip(192.168.1.60) port(514));
       tcp(ip(192.168.1.60) port(51400));
};

and a log path that sends it to a destination that is already defined in your config (d_mysql here):

log {
  source(s_net);
  destination(d_mysql);
};

then restart the syslog-ng service:

service syslog-ng restart
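Once messages arrive, it is worth checking that what lands in syslog-ng actually matches the ASA config above: the PRI value at the start of every message is facility*8 + severity, so with "logging facility 21" and "logging trap notifications" every message should decode to facility 21 (syslog local5) and severity 5 or lower. The script below is an added example, not part of the original post or of syslog-ng: it decodes constructed sample messages in the format I would expect with "logging timestamp" and "logging device-id hostname" enabled (PRI, timestamp, hostname, then the %ASA-severity-msgid tag; the exact spacing is an assumption) and flags anything that disagrees with the configured facility or trap level.

```python
import re
from collections import Counter

# Values from the ASA config above.
ASA_FACILITY = 21   # "logging facility 21": ASA facilities 16..23 are syslog local0..local7
TRAP_LEVEL = 5      # "logging trap notifications"
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed sample of what the s_net source would receive; addresses are
# documentation ranges and the message texts are illustrative only.
SAMPLE_LINES = [
    "<173>Aug 17 2015 20:21:07 ciscoasa : %ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
    "<172>Aug 17 2015 20:21:09 ciscoasa : %ASA-4-106023: Deny tcp src outside:203.0.113.7/4432 dst inside:192.168.1.60/22 by access-group \"outside_in\"",
    "<174>Aug 17 2015 20:21:10 ciscoasa : %ASA-6-302013: Built inbound TCP connection 1842 for outside:203.0.113.9/51000 (203.0.113.9/51000) to inside:192.168.1.60/514 (192.168.1.60/514)",
    "<165>Aug 17 2015 20:21:12 ciscoasa : %ASA-5-111008: User 'admin' executed the 'logging facility 20' command.",
    "this line is not an ASA message at all",
]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")


def facility_name(f):
    """Syslog name for a numeric facility (ASA only uses the local0..local7 range)."""
    return "local%d" % (f - 16) if 16 <= f <= 23 else "facility %d" % f


def parse_asa_line(line):
    """Decode one message; returns None for lines that are not ASA syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)   # PRI = facility*8 + severity
    return {
        "facility": facility,
        "severity": severity,
        "tag_severity": int(m.group("sev")),   # severity the ASA put in the %ASA-n-id tag
        "host": m.group("host"),
        "msgid": m.group("msgid"),
        "timestamp": m.group("ts"),
        "text": m.group("text"),
    }


def audit_lines(lines):
    """Return (per-severity counts, findings); findings are (line_no, problem) pairs."""
    counts = Counter()
    findings = []
    for n, line in enumerate(lines, 1):
        msg = parse_asa_line(line)
        if msg is None:
            findings.append((n, "not an ASA syslog message"))
            continue
        counts[SEVERITY_NAMES[msg["severity"]]] += 1
        if msg["facility"] != ASA_FACILITY:
            findings.append((n, "facility %d (%s), expected %d (%s)" % (
                msg["facility"], facility_name(msg["facility"]),
                ASA_FACILITY, facility_name(ASA_FACILITY))))
        if msg["severity"] > TRAP_LEVEL:
            findings.append((n, "%s message arrived although logging trap is %s" % (
                SEVERITY_NAMES[msg["severity"]], SEVERITY_NAMES[TRAP_LEVEL])))
        if msg["severity"] != msg["tag_severity"]:
            findings.append((n, "PRI severity %d disagrees with the %%ASA-%d tag" % (
                msg["severity"], msg["tag_severity"])))
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit_lines(SAMPLE_LINES)
    print("messages per severity:", dict(counts))
    for n, problem in findings:
        print("line %d: %s" % (n, problem))
```

With the sample input the audit flags line 3 (an informational message, which should not be sent at trap level notifications), line 4 (PRI 165 decodes to facility 20, so someone changed "logging facility") and line 5 (not an ASA message). Pointing it at a day's worth of real syslog-ng output is a quick way to confirm the ASA is still sending what you configured.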

How to enable Cisco AnyConnect VPN via Remote Desktop

So I'm getting this message when connecting to the AnyConnect VPN from a Remote Desktop session:

[screenshot: asamessage]

The fix is quite easy:

1. Open ASDM, go to Configuration -> Remote Access VPN -> Network (Client) Access -> AnyConnect Client Profile and click Add:

[screenshot: ASDM-1]

2. Create a new profile and assign it to your Group Policy. Click OK to create it:

[screenshot: ASDM-2]

3. Now double-click the profile to edit it and set Windows VPN Establishment to AllowRemoteUsers:

[screenshot: ASDM-3]

Click OK and Apply. Save the config.

Job done.
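The setting changed in step 3 ends up in the AnyConnect client profile XML that the ASA pushes to clients, as a WindowsVPNEstablishment element under ClientInitialization (default LocalUsersOnly, which is what produces the message above). Because AllowRemoteUsers lets anyone with an RDP session on the machine bring up the tunnel, it is useful to be able to list which profiles have it. The script below is an added example, not part of the original post or Cisco's tooling: it reads a constructed sample profile (element names follow the AnyConnect profile schema as I know it; the namespace and host entries are assumptions) and reports the setting without depending on the namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile, not one exported from the ASDM screenshots above.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Office VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

DEFAULT_ESTABLISHMENT = "LocalUsersOnly"   # value AnyConnect uses when the element is absent


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def find_text(root, name):
    """Text of the first element whose local name matches, or None."""
    for el in root.iter():
        if local_name(el.tag) == name:
            return (el.text or "").strip()
    return None


def check_profile(xml_text):
    """Summarise the remote-desktop relevant setting of one client profile."""
    root = ET.fromstring(xml_text)
    value = find_text(root, "WindowsVPNEstablishment") or DEFAULT_ESTABLISHMENT
    hosts = [(el.text or "").strip() for el in root.iter() if local_name(el.tag) == "HostAddress"]
    return {
        "windows_vpn_establishment": value,
        "rdp_users_can_connect": value == "AllowRemoteUsers",
        "hosts": hosts,
    }


if __name__ == "__main__":
    result = check_profile(SAMPLE_PROFILE)
    print("WindowsVPNEstablishment:", result["windows_vpn_establishment"])
    print("RDP users may establish the VPN:", result["rdp_users_can_connect"])
    print("head-ends:", ", ".join(result["hosts"]))
```

A profile with the element missing is reported as LocalUsersOnly, which is the behaviour that produces the error in the first screenshot; only profiles that are assigned to a group policy and explicitly say AllowRemoteUsers let the RDP-connected user in.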