CCIE Security Quick Tips

As most who follow this blog or my twitter account know, I am in pursuit of CCIE Security and plan to clear the v3 lab soon.  The purpose of this blog entry is a repository of two- or three-line “quick tips” that may help others pass their lab.  Explanations will not be well polished, but if you are also pursuing the lab, these will make sense.  Some you may already be familiar with, others you may not.  If you want to add to the list, please use the comment feature below.  Check back often, as new items will be added very regularly.  The most recent version will always be at the PacketU main page.

Quick Tips for 7/31/09

clear configure <section>–ASA command to remove whole sections of configuration at once.

default <section>–IOS command to return a configuration section to its default.  Prefixing a command with “no” does not always give you the default.

test aaa–allows a quick and easy test of AAA servers from the ASA or IOS.

test regex–the ASA has a test regex command that is useful for checking regular expressions used anywhere in the lab.

Quick Tips for 7/29/09

help in the ASA–the ASA has a help command that is similar to the Linux “man” command.  Try it and you’ll be surprised at how much information is actually available.

show run ?–The Cisco ASA has a sub menu within show run for just about everything.  Similar to “show run | section” on the router, but quite possibly even better.

vpn on the ASA–There is a quick and easy way to coax a VPN configuration template from the ASA.  Simply use the vpnsetup command in global configuration.

ciscoasa(config)# vpnsetup ?

configure mode commands/options:
ipsec-remote-access  Display IPSec Remote Access Configuration Commands
l2tp-remote-access   Display L2TP/IPSec Configuration Commands
site-to-site         Display IPSec Site-to-Site Configuration Commands
ssl-remote-access    Display SSL Remote Access Configuration Commands


debug ip packet–can produce a lot of output, and filtering it can be cumbersome.  For TCP connections, restricting the debug to an ACL that matches only packets with the SYN flag may show exactly what you want.

R1(config)#do show access-list 101
Extended IP access list 101
10 permit tcp any any syn
R1(config)#do debug ip packet detail 101
IP packet debugging is on (detailed) for access list 101


numbered extended access-list–can be edited in the same way as a named ACL, including removing individual entries by sequence number.  For example:

R1(config)#do show access-list 101
Extended IP access list 101
10 permit icmp any any
20 permit tcp any any
R1(config)#ip access-list extended 101
R1(config-ext-nacl)#no 10
R1(config-ext-nacl)#do show access-list 101
Extended IP access list 101
20 permit tcp any any

ip access-list logging hash-generation–causes any message logged by an ACL to include a hash tag.  The same tag appears in the output of show access-list, so it is possible to determine which ACE (access-list entry) a packet matched.
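The hash tag tip above is the kind of thing worth scripting when a lab box is noisy. The following is an added Python example, not from the original post: it takes constructed show access-list and syslog samples (the exact IOS field layout is approximated from memory and should be checked against your own output) and maps each logged packet back to the ACE whose hash tag it carries, then counts hits per ACE.

```python
import re

# Constructed sample of "show access-list" with hash-generation enabled.
# Field layout approximated; verify against real output before relying on the regex.
SHOW_ACL = """\
Extended IP access list 101
    10 permit tcp any any eq 22 log (hash = 0x2A6C1B3E) (12 matches)
    20 deny tcp any any eq 23 log (hash = 0x7D41E9A0) (3 matches)
    30 permit ip any any (hash = 0x11A2B3C4)
"""

# Constructed sample syslog lines; the trailing [0x...] is the hash tag.
SYSLOG = """\
*Jul 31 10:14:02.115: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(40211) -> 10.2.2.10(23), 1 packet  [0x7D41E9A0]
*Jul 31 10:14:07.802: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.6(51002) -> 10.2.2.10(22), 1 packet  [0x2A6C1B3E]
*Jul 31 10:14:09.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(40212) -> 10.2.2.10(23), 1 packet  [0x7D41E9A0]
*Jul 31 10:14:10.500: %SYS-5-CONFIG_I: Configured from console by console
"""

ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<ace>.+?)\s+\(hash = (?P<hash>0x[0-9A-Fa-f]+)\)"
)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\S+) -> (?P<dst>\S+), .*\[(?P<hash>0x[0-9A-Fa-f]+)\]"
)


def parse_show_access_list(text):
    """Build a table: hash tag (lower-cased) -> (sequence number, ACE text)."""
    table = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            table[m.group("hash").lower()] = (int(m.group("seq")), m.group("ace"))
    return table


def correlate(syslog_text, hash_table):
    """Return one dict per ACL log line, resolved to the ACE its hash tag points at.
    Lines without an ACL log message are ignored; unknown hashes are kept but flagged."""
    results = []
    for line in syslog_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        seq, ace = hash_table.get(m.group("hash").lower(), (None, "unknown hash"))
        results.append({
            "acl": m.group("acl"),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "seq": seq,
            "ace": ace,
        })
    return results


def hits_per_ace(results):
    """Count logged packets per ACE sequence number (None = tag not in the table)."""
    counts = {}
    for r in results:
        counts[r["seq"]] = counts.get(r["seq"], 0) + 1
    return counts


if __name__ == "__main__":
    table = parse_show_access_list(SHOW_ACL)
    matches = correlate(SYSLOG, table)
    for r in matches:
        print(f"{r['src']} -> {r['dst']} {r['action']} by ACE {r['seq']}: {r['ace']}")
    print("hits per ACE:", hits_per_ace(matches))
```

With log-update threshold set to 1 (next tip) every packet produces a line, so the per-ACE counts from the log should track the match counters in show access-list; a mismatch between the two is a quick sanity check that logging is keeping up.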

ip access-list log-update threshold 1–disables the behavior, useful in production but annoying in a lab, in which a router logs only the first match and then summarizes the packets matched.  With this change, each match is logged.

Web Server Testing–To quickly test a web server from a router (an HTTP/1.1 request needs a Host header, and the server only acts on it after you send a blank line):

telnet <ipaddr> 80

GET / HTTP/1.1
Host: <ipaddr>
<press Enter on an empty line>
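The same check, written out as an added Python example (not from the original post) so it can be scripted from a workstation instead of typed into telnet: it builds a correctly terminated HTTP/1.1 request with the Host header, reads back the status line and headers, and includes a constructed local web server so it runs offline. The server address and port in the demo are assumptions.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_request(host, path="/"):
    """Minimal but valid HTTP/1.1 GET: Host is mandatory in 1.1, and the blank
    line (CRLF CRLF) is what tells the server the request is complete."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(raw):
    """Return (status_code, reason, headers) from the head of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)          # e.g. "HTTP/1.0 200 OK"
    code = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return code, reason, headers


def probe_http(host, port=80, timeout=3.0):
    """What the telnet test does by hand: connect, send GET, read status line and headers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:              # server closed before finishing the headers
                break
            raw += chunk
    if not raw:
        raise ConnectionError("no response from server")
    return parse_status(raw)


# --- constructed local web server so the probe can be exercised offline ----------
class _Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the console quiet
        pass


def start_test_server():
    """Start a throwaway server on 127.0.0.1 on a free port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_test_server()       # assumed demo target, not a real lab device
    try:
        code, reason, headers = probe_http("127.0.0.1", port)
        print(f"127.0.0.1:{port} -> {code} {reason}; server={headers.get('server', '?')}")
    finally:
        server.shutdown()
```

Against a real web server the same probe without the Host header typically comes back 400 rather than 200, which is the usual reason a hand-typed HTTP/1.1 test in telnet appears to fail.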


tcp intercept–can coexist with NAT on the same router, but only in “watch” mode.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in Career.