How to Edit Cisco Access-List

This KB shows how to edit Cisco access lists. Since IOS 12.2 there is no longer any need to use Notepad to edit an access list.

This KB applies only to Cisco IOS 12.2 or higher.

Cisco added a command that makes editing and deleting entries easy: ip access-list, which lets you reference individual entries by their sequence number.
Solution: edit the ACL.

Step 1:

Type show ip access-lists to see all ACLs together with the sequence number of each entry.
Example:

RTR#sh ip access-lists
Standard IP access list 23
10 permit 192.168.1.2
30 permit 10.50.0.0, wildcard bits 0.0.7.255

Step 2:

Edit ACL command

RTR(config)#ip access-list standard 23
RTR(config-std-nacl)#no 10            ! remove the entry with sequence number 10
RTR(config-std-nacl)#deny 30
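As an added example (not part of the original KB), the following Python parses the show ip access-lists output above into sequence-numbered entries and generates the ip access-list commands needed to delete one entry or flip its action at the same sequence number. The sample output is constructed to mirror ACL 23 from the KB.

```python
import re

# Constructed sample of "show ip access-lists" output, mirroring the KB's ACL 23.
SHOW_ACL = """\
Standard IP access list 23
    10 permit 192.168.1.2
    30 permit 10.50.0.0, wildcard bits 0.0.7.255 (12 matches)
"""

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)")
ENTRY_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<addr>\S+?)"
    r"(?:,\s+wildcard bits\s+(?P<wild>\S+))?"      # absent for host entries
    r"(?:\s+\(\d+ match(?:es)?\))?\s*$"              # optional hit counter
)

def parse_standard_acls(text):
    """Map ACL name -> list of (seq, action, address, wildcard) for standard ACLs."""
    acls, current = {}, None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.group(2) if h.group(1) == "Standard" else None
            if current is not None:
                acls[current] = []
            continue
        e = ENTRY_RE.match(line)
        if e and current is not None:
            # A host entry has no wildcard in the output; IOS treats it as 0.0.0.0.
            acls[current].append(
                (int(e["seq"]), e["action"], e["addr"], e["wild"] or "0.0.0.0"))
    return acls

def delete_entry(acl, seq):
    """Config-mode commands that drop one sequence-numbered entry (the KB's 'no 10')."""
    return ["ip access-list standard %s" % acl, "no %d" % seq]

def replace_entry(acls, acl, seq, new_action):
    """Commands that change an entry's action while keeping its sequence number and address."""
    for s, _action, addr, wild in acls[acl]:
        if s == seq:
            return delete_entry(acl, seq) + ["%d %s %s %s" % (seq, new_action, addr, wild)]
    raise KeyError("ACL %s has no sequence %d" % (acl, seq))

if __name__ == "__main__":
    acls = parse_standard_acls(SHOW_ACL)
    print("\n".join(replace_entry(acls, "23", 30, "deny")))
```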

How to Upgrade Cisco ASDM

To upgrade the Cisco ASDM software, follow these steps:

1. Download the software from the Cisco website (a Cisco username is required)
2. Load the software onto the device (ASA)
3. Configure the ASA to use the new image file

Step 1:
Download link:
http://www.cisco.com/en/US/products/ps6121/index.html

Step 2:
To load the new version, use the ASDM manager with one of the following three options:
1. Tools -> Upgrade Software from Local Computer
2. Tools -> File Management
3. Tools -> Upgrade Software from Cisco.com

We can also upload the software using a TFTP server and the copy tftp flash command:
firewall#copy tftp flash

Step 3:
Once the image is uploaded to the firewall, configure the ASA to point to the new ASDM image and use it (no reboot is needed after this configuration change).

To configure ASA to use new ASDM version:

In ASDM go to:
Device Management -> System Image/Configuration -> Boot Image/Configuration
In the ASDM file path field, click Browse and select the new ASDM image.

You can also change the ASDM image from the CLI with the following command:

firewall(config)#asdm image flash:asdm-613.bin

Step 4:
Save the configuration, close ASDM, browse to https://ip_address (the ASA's management address) and start ASDM again.

How To Create Users and Login in Cisco Router Or Switch

How To:

This guide shows how to create a new user account on a Cisco router or switch.
This lets you grant access to other administrators and attribute changes made on the device to a named account.

Solution:

Two steps are needed:
1. Create a new account
2. Configure the device (router or switch) to authenticate users against the local user database

1. Create Users

Create a new user with the appropriate privilege level. Note that service password-encryption only obscures passwords in the configuration (type 7, which is reversible); using the secret keyword instead of password stores a hash and is the stronger choice.

Router#configure terminal
Router(config)#service password-encryption
Router(config)#username admin privilege 15 password <password>

2. Authenticate

Router(config)#line vty 0 5
Router(config-line)#login local

Router(config-line)#line con 0
Router(config-line)#login local

Router(config-line)#line aux 0
Router(config-line)#login local
Router(config-line)#end

Save the configuration and try to log on with the new account before closing your current session.

How To Setup Banner display On A Cisco Router \ Switch

How To:
Cisco routers and switches can display a banner when someone logs in to the device.

Solution:
To set up a welcome banner on a Cisco device, use the banner command:

Banner Command:

switch(config)#banner ?
LINE            c banner-text c, where 'c' is a delimiting character
config-save     Set message for saving configuration
exec            Set EXEC process creation banner
incoming        Set incoming terminal line banner
login           Set login banner
motd            Set Message of the Day banner
prompt-timeout  Set Message for login authentication timeout
slip-ppp        Set Message for SLIP/PPP

Example of setting a login banner (Z is used as the delimiter, so it must not appear in the banner text):

switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)#banner login Z ########### MY SWITCH ########## Z

How To Set Session Timeout On A Cisco Router

Setting the session timeout on a Cisco router or switch is an easy task that makes day-to-day work easier.

How to set the session timeout:

Log on to the router and type:

router#configure t

router(config)#line vty 0 4

router(config-line)#session-timeout 10    ! 10 = minutes of inactivity before the session is closed

router(config-line)#exec-timeout 0        ! EXEC idle timeout in minutes; 0 means never time out

router(config-line)#end                   ! leave line configuration mode

router#copy run start

Setting exec-timeout to 0 leaves idle EXEC sessions open indefinitely; on a production device a short value (for example 10 minutes) is the safer choice.

Limit the Number Of allowed IPSEC VPN sessions on Cisco ASA 5540

To limit the number of IPsec VPN sessions on a Cisco ASA 5540, define how many sessions (users) may be connected to the ASA at any given time.

By default the number of allowed VPN sessions is unlimited.

To set a limit, use the Cisco ASDM.

Once logged in to ASDM, go to:

Configuration > remote access VPN > Network (client) access > advanced > IPsec > System options

Once there, change Maximum IPsec Sessions to the applicable number.

How To Check Which interfaces are Enabled Or Disabled On A Cisco Switch

To check which ports are active or disabled on a Cisco switch, use the show interfaces status command and follow the steps below.

1. Log on to the switch.
2. Type the show interfaces status command.

Example:
SWITCH1#sh interfaces status
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1                        connected    24         a-full a-1000 10/100/1000BaseTX
Gi0/2                        connected    24         a-full a-1000 10/100/1000BaseTX
Gi0/3                        disabled     24           auto   auto 10/100/1000BaseTX
Gi0/4                        disabled     24           auto   auto 10/100/1000BaseTX
Gi0/5                        disabled     24           auto   auto 10/100/1000BaseTX
Gi0/6                        connected    24         a-full  a-100 10/100/1000BaseTX
Gi0/7                        connected    23         a-full a-1000 10/100/1000BaseTX
Gi0/8                        connected    23         a-full  a-100 10/100/1000BaseTX
Gi0/9                        connected    22         a-full a-1000 10/100/1000BaseTX
Gi0/10                       notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/11                       connected    27         a-full a-1000 10/100/1000BaseTX
Gi0/12                       connected    26         a-full a-1000 10/100/1000BaseTX
Gi0/13                       disabled     26           auto   auto 10/100/1000BaseTX
Gi0/14                       connected    26         a-full  a-100 10/100/1000BaseTX
Gi0/15                       connected    22         a-full a-1000 10/100/1000BaseTX
Gi0/16                       notconnect   27           auto   auto 10/100/1000BaseTX
Gi0/17                       connected    22         a-full a-1000 10/100/1000BaseTX
Gi0/18                       notconnect   25           auto   auto 10/100/1000BaseTX
Gi0/19                       connected    25         a-full a-1000 10/100/1000BaseTX
Gi0/20                       connected    25         a-full a-1000 10/100/1000BaseTX
Gi0/21                       disabled     1            auto   auto Not Present
Gi0/22                       disabled     1            auto   auto Not Present
Gi0/23                       connected    trunk      a-full a-1000 1000BaseLX SFP
Gi0/24                       connected    trunk      a-full a-1000 1000BaseLX SFP
Po1                          connected    trunk      a-full a-1000
 
To enable or disable a port on a Cisco switch, do the following:
To enable a port, type:
SWITCH1#configure terminal
SWITCH1(config)#interface Gi0/2
SWITCH1(config-if)#no shutdown

To disable a port, type:
SWITCH1#configure terminal
SWITCH1(config)#interface Gi0/2
SWITCH1(config-if)#shutdown
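As an added example (not part of the original KB), this Python parses the show interfaces status table into records, lists ports by status, and generates the interface/shutdown commands that administratively disable every port with nothing plugged in, which is a common hardening step. The table is a constructed excerpt of the KB output above, with one description added to exercise the Name column.

```python
import re
from collections import namedtuple

# Constructed excerpt of "show interfaces status" output (Gi0/16 given a description).
SHOW_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1                        connected    24         a-full a-1000 10/100/1000BaseTX
Gi0/3                        disabled     24           auto   auto 10/100/1000BaseTX
Gi0/10                       notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/16    Spare              notconnect   27           auto   auto 10/100/1000BaseTX
Gi0/23                       connected    trunk      a-full a-1000 1000BaseLX SFP
Po1                          connected    trunk      a-full a-1000
"""

Port = namedtuple("Port", "name desc status vlan duplex speed type")
STATUSES = "err-disabled|connected|notconnect|disabled|inactive|suspended"
# The Name column may be empty and the Type column may contain spaces or be absent,
# so anchor the parse on the Status keyword rather than on column positions.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<desc>.*?)\s*(?P<status>%s)\s+(?P<vlan>\S+)\s+"
    r"(?P<duplex>\S+)\s+(?P<speed>\S+)\s*(?P<type>.*?)\s*$" % STATUSES)

def parse_status(text):
    """Return a Port record per data row; the header row has no status keyword and is skipped."""
    return [Port(**m.groupdict()) for m in map(LINE_RE.match, text.splitlines()) if m]

def ports_by_status(ports, status):
    return [p.name for p in ports if p.status == status]

def shutdown_unused(ports):
    """Config commands that disable every port that is up but has no link (notconnect).
    Ports already 'disabled' are left alone; 'no shutdown' re-enables a port later."""
    cmds = []
    for p in ports_by_status(ports, "notconnect"):
        cmds += ["interface %s" % p, " shutdown"]
    return cmds

if __name__ == "__main__":
    ports = parse_status(SHOW_STATUS)
    print("disabled:", ports_by_status(ports, "disabled"))
    print("\n".join(shutdown_unused(ports)))
```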

How To Configure A Cisco Router Or Switch to Send Logs To A SysLog Server

To make a Cisco router or switch send all of its logs to a syslog server, type a few commands that tell the device where, and what, to send.

To do that:

Log on to the router or switch and type (this example uses a switch):

SWITCH#configure terminal
SWITCH(config)#logging 172.40.51.44           ! syslog server IP address
SWITCH(config)#logging trap notifications     ! lowest severity level to send
SWITCH(config)#logging source-interface ?     ! interface whose address the logs are sent from
  Async              Async interface
  Auto-Template      Auto-Template interface
  BVI                Bridge-Group Virtual Interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  Filter             Filter interface
  Filtergroup        Filter Group interface
  GigabitEthernet    GigabitEthernet IEEE 802.3z
  GroupVI            Group Virtual interface
  Lex                Lex interface
  Loopback           Loopback interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Portgroup          Portgroup interface
  Pos-channel        POS Channel of interfaces
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  Vlan               Catalyst Vlans
  fcpa               Fiber Channel

SWITCH(config)#logging source-interface vlan2
SWITCH(config)#exit
All done; don't forget to save the config:

SWITCH#copy run start

How To Enable Telnet Access On Cisco ASA 5540

Sometimes you will need to let other administrators access the Cisco ASA using Telnet.

On a Cisco ASA, enabling Telnet does not by itself let every host or network connect, as it would on routers and switches.

Instead, hosts or networks must be added to the Telnet access list. Telnet carries credentials and session traffic in clear text, so keep this list as short and specific as possible and prefer SSH where you can.

First, to view who can access the ASA using Telnet, type:

ASA# sh run telnet

telnet 10.60.4.20 255.255.255.255 inside
telnet 10.60.4.30 255.255.255.255 inside

In this case there are two hosts that can access the ASA using Telnet.

To add a host to the Telnet access list, type:

ASA(config)# telnet 10.60.4.30 255.255.255.255 inside

Hostname or A.B.C.D  The IP address of the host and/or network authorized to

You can also use the ASDM GUI by going to:

Configuration > Device Management > Management Access > Command Line (CLI) > Telnet
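As an added example (not part of the original KB), this Python audits show run telnet output: it parses each telnet line into a network and interface, tests whether a given host would be allowed in, and flags entries wider than a /24, since a clear-text management protocol should be reachable from as few addresses as possible. The sample output is constructed from the KB's two hosts plus a deliberately over-broad /8 entry.

```python
import ipaddress

# Constructed "show run telnet" output: the KB's two hosts plus one over-broad entry.
SHOW_RUN_TELNET = """\
telnet 10.60.4.20 255.255.255.255 inside
telnet 10.60.4.30 255.255.255.255 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
"""

def parse_telnet_lines(text):
    """Return [(network, interface)] from 'telnet <ip> <mask> <ifname>' lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # 'telnet timeout 5' has three fields and is not an access entry.
        if len(parts) == 4 and parts[0] == "telnet":
            net = ipaddress.ip_network("%s/%s" % (parts[1], parts[2]), strict=False)
            entries.append((net, parts[3]))
    return entries

def is_authorized(entries, host, interface):
    """True if host, arriving on interface, matches any telnet entry for that interface."""
    addr = ipaddress.ip_address(host)
    return any(addr in net and iface == interface for net, iface in entries)

def broad_entries(entries, min_prefixlen=24):
    """Entries wider than min_prefixlen, reported as (network, interface) strings."""
    return [(str(net), iface) for net, iface in entries if net.prefixlen < min_prefixlen]

if __name__ == "__main__":
    entries = parse_telnet_lines(SHOW_RUN_TELNET)
    print("10.60.4.20 allowed:", is_authorized(entries, "10.60.4.20", "inside"))
    print("over-broad:", broad_entries(entries))
```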