| Port Number | Description |
|---|---|
| 1 | TCP Port Service Multiplexer (TCPMUX) |
| 5 | Remote Job Entry (RJE) |
| 7 | ECHO |
| 18 | Message Send Protocol (MSP) |
| 20 | FTP -- Data |
| 21 | FTP -- Control |
| 22 | SSH Remote Login Protocol |
| 23 | Telnet |
| 25 | Simple Mail Transfer Protocol (SMTP) |
| 29 | MSG ICP |
| 37 39 | Time RIP |
| 42 | Host Name Server (Nameserv) |
| 43 | WhoIs |
| 49 | Login Host Protocol (Login) |
| 53 67 68 | Domain Name System (DNS) bootps bootpc |
| 69 | Trivial File Transfer Protocol (TFTP) |
| 70 | Gopher Services |
| 79 | Finger |
| 80 88 101 102 | HTTP Kerberos Hostname iso-tsap |
| 103 107 | X.400 Standard rtelnet |
| 108 | SNA Gateway Access Server |
| 109 | POP2 |
| 110 111 113 | POP3 sunrpc auth |
| 115 117 | Simple File Transfer Protocol (SFTP) uucp-path |
| 118 | SQL Services |
| 119 123 | Newsgroup (NNTP) NTP - Network Time Protocol |
| 137 | NetBIOS Name Service |
| 139 | NetBIOS Datagram Service |
| 143 | Interim Mail Access Protocol (IMAP) |
| 150 | NetBIOS Session Service |
| 156 | SQL Server |
| 161 | SNMP |
| 179 | Border Gateway Protocol (BGP) |
| 190 | Gateway Access Control Protocol (GACP) |
| 194 | Internet Relay Chat (IRC) |
| 197 | Directory Location Service (DLS) |
| 389 | Lightweight Directory Access Protocol (LDAP) |
| 396 | Novell Netware over IP |
| 443 | HTTPS |
| 444 | Simple Network Paging Protocol (SNPP) |
| 445 | Microsoft-DS |
| 458 | Apple QuickTime |
| 546 | DHCP Client |
| 547 | DHCP Server |
| 563 | SNEWS |
| 569 | MSN |
| 1080 | Socks |
Wednesday, October 16, 2013
Well Known Ports
The full range of available ports is 0 - 65536 and can be used dynamically by any application however in general ports 0 - 1024 are pre-defined and 'well known' which is to say 22 is always ssh, 80 is http and so on.
Wednesday, October 2, 2013
Output Characters from PING
This table is taken from the following Cisco article:
Understanding PING and Traceroute Commands
Understanding PING and Traceroute Commands
The table below lists the possible output characters from the ping facility:
| Character | Description |
|---|---|
| ! | Each exclamation point indicates receipt of a reply. |
| . | Each period indicates the network server timed out while waiting for a reply. |
| U | A destination unreachable error PDU was received. |
| Q | Source quench (destination too busy). |
| M | Could not fragment. |
| ? | Unknown packet type. |
| & | Packet lifetime exceeded. |
And I just want to log this here for quick reference. Thanks
Monday, September 30, 2013
Download a Packet Capture from an ASA
Firstly run your capture:
1) create an access list that will match the packets you are interested in seeing e.g:
#access-list TESTCAP extended permit tcp 10.10.10.0 255.255.255.0 host 10.10.10.254 eq ldap
2) Create the capture on your ASA:
#capture TESTCAP access-list TESTCAP interface INSIDE
Let that run then once you have collected enough data (use sh capture TESTCAP to view the capture ) transfer the capture file (pcap) to your local machine to view in a packet analyser programme such as WireShark:
1) Download and install a TFTP server programe (I used Solarwinds TFTP server) and then start the server.
2) From the firewall concerned run change to the System Context then run the following :
#changeto context system
#copy /pcap capture:[ContextName]/TESTCAP tftp:
You will be asked for the destination IP - this will be your laptop IP that is running TFTP
Note - [ContextName] should be the name of the context that the capture is running on.
3) Check the TFTP-root folder on your local machine to verify the transfer was successful.
4) Open WireShark then open the pcap file from there.
1) create an access list that will match the packets you are interested in seeing e.g:
#access-list TESTCAP extended permit tcp 10.10.10.0 255.255.255.0 host 10.10.10.254 eq ldap
2) Create the capture on your ASA:
#capture TESTCAP access-list TESTCAP interface INSIDE
Let that run then once you have collected enough data (use sh capture TESTCAP to view the capture ) transfer the capture file (pcap) to your local machine to view in a packet analyser programme such as WireShark:
1) Download and install a TFTP server programe (I used Solarwinds TFTP server) and then start the server.
2) From the firewall concerned run change to the System Context then run the following :
#changeto context system
#copy /pcap capture:[ContextName]/TESTCAP tftp:
You will be asked for the destination IP - this will be your laptop IP that is running TFTP
Note - [ContextName] should be the name of the context that the capture is running on.
3) Check the TFTP-root folder on your local machine to verify the transfer was successful.
4) Open WireShark then open the pcap file from there.
Friday, September 6, 2013
View the Pre-Shared Key on an IPsec VPN tunnel-group
When troubleshooting VPN connectivity issues a common problem is a mis-matched pre-shared key.
When you add a pre-shared key to a tunnel-group if you issue a #sh run the output hides the key with a simple *. e.g:
tunnel-group 10.10.10.10 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 15 retry 2
To confirm precisely what has been applied (and therefore help confirm if both ends of your tunnel have the same key) use the following command:
#more system:running-config
tunnel-group 10.10.10.10 ipsec-attributes
pre-shared-key AbCdEfG192837645
isakmp keepalive threshold 15 retry 2
When you add a pre-shared key to a tunnel-group if you issue a #sh run the output hides the key with a simple *. e.g:
tunnel-group 10.10.10.10 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 15 retry 2
#more system:running-config
tunnel-group 10.10.10.10 ipsec-attributes
pre-shared-key AbCdEfG192837645
isakmp keepalive threshold 15 retry 2
Upgrade the IOS on a Cisco Catalyst 3750 switch
Steps to conduct an upgrade of the IOS are as follows:
- Download the new image from www.cisco.com using a suitable account
- Install a TFTP server such as SolarWinds TFTP Server (other TFTP programs are available)
- Boot the switch and apply an IP address to the VLAN1 interface
- Apply an IP in the same subnet to your PC/Laptop LAN port and cable up using a CAT5 straight through
- Ping both sides to confirm connectivity
- Copy the downloaded BIN image to the TFTP-Root folder you'll find on the C:drive
- Start the TFTP Server on the PC/Laptop
- On the switch back up the current image to your PC/Laptop #copy Flash:/[filename.bin] tftp
- Enter the required remote host IP and confirm the destination file name when prompted
- Allow the current file to copy over to the PC/Laptop
- Once complete delete the original from the switch to create space for the new image #delete /recursive Flash:/[filename.bin]
- Next copy the new image from the PC/Lpatop to the switch #copy tftp: flash:
- Enter the remote host details and file name then confirm
- Allow the file to copy
- Set the new BIN as the system boot image #boot system flash:/[filename.bin]
- write this #wr
- Reload
Verify the image in use via - #sh ver
Tuesday, September 3, 2013
VPN - QM FSM error and PFS
We're busy attempting to bring up a site to site IPSec tunnel to Cisco router from our ASA.
Phase1 is completing but Phase2 fails with a 'QM FSM Error'.
This very unhelpful error message results from PFS not matching at either end. Either set it or don't set but if you have one end configured and the other not then you'll get an error like the one above.
Check the config on both ends of your VPN and either add PFS or remove by entering the following:
[no] crypto map VPNCONNECTION set pfs [group1 | group2 | group 5 ]
Notes:
Phase1 is completing but Phase2 fails with a 'QM FSM Error'.
This very unhelpful error message results from PFS not matching at either end. Either set it or don't set but if you have one end configured and the other not then you'll get an error like the one above.
Check the config on both ends of your VPN and either add PFS or remove by entering the following:
[no] crypto map VPNCONNECTION set pfs [group1 | group2 | group 5 ]
Notes:
- PFS must match at either end
- The default action on an ASA is to be off
- If you just enter 'set pfs' and don't define a group then group1 is offered by default and group1/group2 is accepted
- If you set the group then the same group must be returned by the remote peer.
Cisco CCDA - Done!
At the start of August I returned to the site of my last attempt and faced the Cisco CCDA once again.
This time I have re-read the OCG, read more from the Cisco Design Zone -
http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html
I had also reviewed all the exam material I had and not take the results for granted (as I did last time).
What I found with my resit was that is was SOOOOOO much harder! really hard. I'm mean difficult hard. Hard.
Cisco must have a large pool of questions on this exam as I only spotted one question on the entire exam that I recognised from my first attempt and the rest were very detailed and narrow on the topic selection. As it is, I took my time, paced my self as best I could and finished with about 5 minutes to spare. last time I done a good chunk of the exam in the first 15 minutes.
I passed with a reasonable (not brilliant) mark and I'm just grateful I'm now looking at my new certificate on the desk partition in front of me.
My advise for the exam is truely go in depth. As much as you can, learn the detail, and ensure you know the 'Key Topic' sections of OCG of by heart. It's a tough exam but lays the foundation for the ARCH exam so I guess it has to be.
I'm picking the books up in October and hope to have my CCDP by Christmas. Lets see shall we...
This time I have re-read the OCG, read more from the Cisco Design Zone -
http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html
I had also reviewed all the exam material I had and not take the results for granted (as I did last time).
What I found with my resit was that is was SOOOOOO much harder! really hard. I'm mean difficult hard. Hard.
Cisco must have a large pool of questions on this exam as I only spotted one question on the entire exam that I recognised from my first attempt and the rest were very detailed and narrow on the topic selection. As it is, I took my time, paced my self as best I could and finished with about 5 minutes to spare. last time I done a good chunk of the exam in the first 15 minutes.
I passed with a reasonable (not brilliant) mark and I'm just grateful I'm now looking at my new certificate on the desk partition in front of me.
My advise for the exam is truely go in depth. As much as you can, learn the detail, and ensure you know the 'Key Topic' sections of OCG of by heart. It's a tough exam but lays the foundation for the ARCH exam so I guess it has to be.
I'm picking the books up in October and hope to have my CCDP by Christmas. Lets see shall we...
Thursday, June 20, 2013
Troubleshooting IPSec Phase2 issues
Problem - '#sh crypto ipsec sa' shows packets are being encrypted outbound but no packets are being decrypted inbound.
Check the following:
policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
Check the following:
- Crypto ACL at either end is a mirror of each other. Use host to host /32 addresses don't use subnets
- Check routing at remote end is in place with correct exit interface
- If traffic passes through a Firewall towards the VPN terminating peer check that NAT Traversal is in place - apply:
policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
- Check that port 500/4500/ah/esp are permitted on outbound acls to the remote end. Look at ACL's.
- Check that 'sysopt connection permit-vpn' is applied to permit IPSEC protocols to by pass ACLs that are applied to the tunnel interface
Thursday, June 13, 2013
Off Topic - Spark's Laws
I decided I'd write down some of my musings. Nothing structured just observations from family life, work life and life in general.
Here you go:
Spark's Laws
#1 - Always tell the truth, that way you never have to remember anything
#2 - The smaller the child the bigger the splash they can make in the pool
#3 - The smaller the child the bigger the poo you have to clean up
#4 - If everyone did their job right first time, every time we could all have Fridays off.
#5 - You have to pay tax. Get over it.
#6 - The public can't handle the truth. - The truth is war is not nice but at times necessary to stand up for freedom. Taxes are not nice but pay for everything around you.
#7 - The media can't handle the truth. - They expect politicians to be honest but when one is honest and says 'Yes, I made a mistake' they hound them until they are forced to resign, instead of allowing them to learn, improve and move on. Is it any wonder Politicians lie? (and sports personalities for that matter)
#8 - Nature is cruel. Civilization, technology, and education does not change that.
#9 - Project deadlines are simply the date at which the project gets signed off, renamed, restarted and the PM gets their bonus regardless of what is achieved
#10 - If you want a project to run smoothly. Show the PM where the coffee machine is, close the door, and continue as normal.
#11 - The earlier in a project life cycle you implement your build the higher the certainty you'll have to back it out and rebuild it with 'new, unexpected' requirements that should have been captured right at the start.
#12 - The job's not done until you've finished the documentation.
#13 - In business, once you start copying the competition you've lost.
#14 - Spark's Law of Office Parties - Always make sure there is someone in a worse state than you...
I'll add more as I think of them.
Cheers.
Here you go:
Spark's Laws
#1 - Always tell the truth, that way you never have to remember anything
#2 - The smaller the child the bigger the splash they can make in the pool
#3 - The smaller the child the bigger the poo you have to clean up
#4 - If everyone did their job right first time, every time we could all have Fridays off.
#5 - You have to pay tax. Get over it.
#6 - The public can't handle the truth. - The truth is war is not nice but at times necessary to stand up for freedom. Taxes are not nice but pay for everything around you.
#7 - The media can't handle the truth. - They expect politicians to be honest but when one is honest and says 'Yes, I made a mistake' they hound them until they are forced to resign, instead of allowing them to learn, improve and move on. Is it any wonder Politicians lie? (and sports personalities for that matter)
#8 - Nature is cruel. Civilization, technology, and education does not change that.
#9 - Project deadlines are simply the date at which the project gets signed off, renamed, restarted and the PM gets their bonus regardless of what is achieved
#10 - If you want a project to run smoothly. Show the PM where the coffee machine is, close the door, and continue as normal.
#11 - The earlier in a project life cycle you implement your build the higher the certainty you'll have to back it out and rebuild it with 'new, unexpected' requirements that should have been captured right at the start.
#12 - The job's not done until you've finished the documentation.
#13 - In business, once you start copying the competition you've lost.
#14 - Spark's Law of Office Parties - Always make sure there is someone in a worse state than you...
I'll add more as I think of them.
Cheers.
Subscribe to:
Posts (Atom)