Show running access-group
sh running-config access-list | include (IP) -------------- to check which rule matches the IP
object network REAL-[Link]
 nat (wafdmz,outside) static [Link]
sh ip route (IP) ------------ to check the route
sh ip route (IP) vrf all ----------- to check which VRF holds the IP
sh running-config interface vlan (ID) ---------------- on the core and AG switch, to find the SVI where the subnet is configured
sh object-group id (NAME) ---------------- to list the IPs in an object group
sh run object-group network | i object-group|(IP) ------------ to see which object group(s) an IP is a member of
sh running-config access-group ----------- to check the interface
show xlate | i (IP) ----------- to check the NAT translations for the IP
Switch commands
sh module uptime
show module
no poweroff module 1 ---------- to power module 1 back on
show module internal all
tail -f messages | grep (IP)
tracert
IPsec commands
show crypto ipsec sa | b [Link]
clear crypto ipsec sa peer [Link]
Phase 1 --- sh crypto isakmp sa | b [Link]
Phase 2 --- show crypto ipsec sa peer [Link]
show ip bgp neighbors [Link] received-routes vrf O2C
Troubleshoot commands
sf_troubleshoot.pl
show running access-group
packet-tracer input azure tcp [Link] 111 [Link] 1535 ----- to test a new rule
As requested, access has been allowed. Source: IP Destination: IP Port No: port
admin login
username: <redacted>
password: <redacted>
CRT pass: <redacted>
object network ULIP-STAGE-URL
fqdn v4 [Link]
time-range 21NOV2024-21DEC2024
absolute start 00:00 21 November 2024 end 23:59 21 December 2024
show crypto ipsec sa peer [Link]
sh conn address (IP) ----------- to list the connections of a host
sh conn | i (IP)
Normal Port Opening
===========================================================================
Show IP route (IP address) ------- to check the specific route
show running-config interface (Vlan224)
[Link]/entidc
[Link]
changeto system ----------- to switch to the system context before checking cluster info
show cluster info ----------- to check the state of the cluster members
password: <redacted>
show endpoint (IP) ------------- to check which tenant the endpoint belongs to
DMZ PCI
===========================================================================
sh ip route (IP) ----- to check a route on the AG (aggregation) switch
show running-config interface (VLAN) ------ to check a VLAN SVI on the AG switch
show route | i (IP) --------- on the firewall, to find the route and the arm (interface) it points to; that is the arm the new rule is written on
show running-config access-group ------- to check which access-list is bound to each firewall interface
show access-list acl_dmz | i (IP) ----- to check the ACEs on a specific arm that match the host
show access-list | i (access list name) e.g. (acl_dmz line 80) ----- to check an existing ACE and the object groups it expands to
object-group network (Name of object group) -------- to create an object group
 network-object host (IP address), e.g. [Link] ----- to add a single host
 network-object (network address with subnet mask), e.g. [Link] [Link] -------- to add a subnet
time-range 15APRIL19_15APRIL19 (name the object after its validity window) ---- to create a time object
 absolute start 00:00 15 April 2019 end 23:59 15 April 2019 (actual duration) ----- the window of the time object
access-list (policy name) extended permit tcp object-group (source IP object name) object-group (destination IP object name) eq (destination port) time-range (time-range name)
packet-tracer input (arm) tcp (Source IP) (source port) (Destination IP) (destination port) ----- to verify that the new rule actually permits the flow
show access-list | i (IP) ---------- to check the ACEs that contain a static IP
show access-list | include (IP) ------------- to check rules by source or destination IP
show access-list | include (acl_retrelease line 1939) ---------- to view one rule by ACL name and line number (the ACE and its hit count)
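The object-group / time-range / access-list / packet-tracer sequence above is the same for every request, so it is worth rendering it from the request fields and validating the addresses and the time window before anything is pasted into the firewall. The following is an added Python example written for these notes, not configuration from the notes or from Cisco; the ACL, object and arm names it uses (acl_dmz, SRC-APP-HOSTS, DST-DB-HOSTS, dmz) and the RFC 5737 addresses are placeholders.

```python
"""Render the ASA/FTD CLI for a time-limited access request.

Added example for these notes; the object, ACL and arm names and the
RFC 5737 addresses are placeholders, not values from the firewall.
"""
import ipaddress
from datetime import datetime

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]


def network_object_line(addr: str) -> str:
    """network-object line for a host (/32) or a subnet; rejects bad host bits."""
    net = ipaddress.ip_network(addr, strict=True)
    if net.prefixlen == 32:
        return f" network-object host {net.network_address}"
    return f" network-object {net.network_address} {net.netmask}"


def first_host(addr: str) -> str:
    """A usable host inside addr for packet-tracer (the /32 itself, else .1)."""
    net = ipaddress.ip_network(addr, strict=True)
    return str(net.network_address if net.prefixlen == 32 else net.network_address + 1)


def time_range_block(start: str, end: str) -> tuple[str, list[str]]:
    """Name and CLI for an absolute time-range from 'YYYY-MM-DD HH:MM' strings."""
    s = datetime.strptime(start, "%Y-%m-%d %H:%M")
    e = datetime.strptime(end, "%Y-%m-%d %H:%M")
    if e <= s:
        raise ValueError("time-range end must be after start")
    name = f"{s:%d%b%Y}_{e:%d%b%Y}".upper()              # e.g. 15APR2019_15APR2019

    def stamp(d: datetime) -> str:                        # ASA syntax: HH:MM day Month year
        return f"{d:%H:%M} {d.day} {MONTHS[d.month - 1]} {d.year}"

    return name, [f"time-range {name}",
                  f" absolute start {stamp(s)} end {stamp(e)}"]


def render_request(acl: str, arm: str, src_name: str, src_nets: list[str],
                   dst_name: str, dst_nets: list[str], port: int,
                   start: str, end: str) -> list[str]:
    """Object groups, time-range, ACE and the packet-tracer line to verify it."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    lines = [f"object-group network {src_name}"]
    lines += [network_object_line(a) for a in src_nets]
    lines.append(f"object-group network {dst_name}")
    lines += [network_object_line(a) for a in dst_nets]
    tr_name, tr_lines = time_range_block(start, end)
    lines += tr_lines
    lines.append(f"access-list {acl} extended permit tcp object-group {src_name} "
                 f"object-group {dst_name} eq {port} time-range {tr_name}")
    # Verify from the first source host to the first destination host; 1025 is
    # just an ephemeral source port.
    lines.append(f"packet-tracer input {arm} tcp {first_host(src_nets[0])} 1025 "
                 f"{first_host(dst_nets[0])} {port}")
    return lines


if __name__ == "__main__":
    # Constructed request: two app hosts to a DB subnet on 1433 for one day.
    for line in render_request("acl_dmz", "dmz", "SRC-APP-HOSTS",
                               ["192.0.2.10/32", "192.0.2.11/32"],
                               "DST-DB-HOSTS", ["198.51.100.0/28"], 1433,
                               "2019-04-15 00:00", "2019-04-15 23:59"):
        print(line)
```

The packet-tracer line is part of the output on purpose: a rule that has been pasted but is shadowed by an earlier deny, or written on the wrong arm, only shows up when the flow is traced.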
================================================================================
sh route | b 10.131
packet-tracer input dmz tcp (Source IP) (Source Port) (Destination IP) (Destination Port)
SAMARTH-REAL-IP - [Link] --- real (inside) address, host object name on the FTD NAT
SAMARTH-REAL-PUBLIC-IP - [Link] --- translated (public) address
object network REAL-[Link] >> new object
 host [Link]
 nat (wafdmz,outside) static [Link]
------------------------------------------------------------------------------------
ssh-keygen -R [Link]
HP NNMi commands
# show processes cpu
# sh cpu usage
# sh cpu utilization
# show module
# show inventory
# show environment all
# show interface port-channel 5
# sh int Gi1/0/1
# sh int Ethernet1/29
# show env | i power
# show env power
# sh cpu usage detailed
# show isakmp sa detail
# show port-channel summary
# show environment power
# show environment temperature
# show version | i up
# show environment power-supplies
# show access-list | i
# show interface port-channel 5
# sh interface Ethernet1/28
# sh cpu usage
[Link]
# show ip route
# show run interface vlan224
# show run access-group
#show ip arp vrf all | i [Link]
•To check specific access list with arm details
# show access-list acl_out | i [Link]
•To check existing object groups
# show access-list | i acl_out line 8646
# show run object-group network | i object-group |
•To check firewall interface
#show run logging
#show ip address
•To check syslogs
$ tail -f messages | grep (src or dest IP)
tail -f messages | grep [Link] | grep Block
grep [Link] messages | more
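The grep pipelines above find the lines but leave the reading to you. The following is an added Python example written for these notes, not from the notes or from Cisco: it parses the %ASA-4-106023 deny format (FTD writes the same line with a %FTD prefix), filters on one host as source or destination, and counts denies per (arm, source, destination, port, ACL) so the blocking access-group is obvious at a glance. The log lines are constructed samples using RFC 5737 addresses. ICMP denies carry no ports and are deliberately not matched by this pattern.

```python
"""Filter and summarise ASA/FTD 106023 deny syslogs for one host (added example)."""
import re
from collections import Counter

# Constructed sample lines in the %ASA-4-106023 / %ASA-6-302013 formats; not from the notes.
SAMPLE_LOG = """\
Jan 10 10:01:02 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51515 dst dmz:10.10.20.5/443 by access-group "acl_out" [0x0, 0x0]
Jan 10 10:01:03 fw01 %ASA-6-302013: Built inbound TCP connection 88 for outside:203.0.113.9/4000 (203.0.113.9/4000) to dmz:10.10.20.5/443 (10.10.20.5/443)
Jan 10 10:01:04 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51516 dst dmz:10.10.20.5/443 by access-group "acl_out" [0x0, 0x0]
Jan 10 10:01:05 fw01 %ASA-4-106023: Deny udp src dmz:10.10.20.9/5353 dst outside:203.0.113.7/53 by access-group "acl_dmz" [0x0, 0x0]
"""

# tcp/udp 106023 only: "Deny <proto> src <arm>:<ip>/<port> dst <arm>:<ip>/<port> by access-group "<acl>""
DENY_RE = re.compile(
    r'%(?:ASA|FTD)-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_arm>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_arm>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"')


def denies_involving(ip, lines):
    """Parsed deny records where ip is the source or the destination."""
    out = []
    for line in lines:
        m = DENY_RE.search(line)
        if m and ip in (m["src"], m["dst"]):
            out.append(m.groupdict())
    return out


def deny_summary(ip, lines):
    """Counter keyed by (src_arm, src, dst_arm, dst, dport, acl): which ACL on
    which arm is dropping which flow, and how often."""
    return Counter((d["src_arm"], d["src"], d["dst_arm"], d["dst"], d["dport"], d["acl"])
                   for d in denies_involving(ip, lines))


if __name__ == "__main__":
    for key, n in deny_summary("203.0.113.7", SAMPLE_LOG.splitlines()).most_common():
        print(n, key)
```

On a live box the same functions work over `tail -f messages` read from stdin; the arm names in the summary are what you then look up with show running-config access-group.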
##To generate a troubleshoot file on the FMC through the CLI
>expert
admin@FMC:~$ sudo su
root@FMC:volume/home/admin# sf_troubleshoot.pl
---URL filtering---
*To create object Network,
*command to create object network
#object network GOOGLEAPIS
fqdn v4 [Link]
*where GOOGLEAPIS is the name of the object network
and the public URL the object network is created for is [Link]
*command to find the object network
sh run object network in-line | i <OBJ GRP NAME>
sh running-config object | i [Link]
*create fqdn object network -
object network [Link]
fqdn v4 [Link]
*Packet tracer command -
packet-tracer input dmz-s02 tcp [Link] 100 fqdn [Link] 22
*access-list -
access-list acl_dmz-s02 extended permit tcp object-group CLX-ISCM_DB-SRV object
[Link] eq 22
RF599903
Access- Permanent
Source IP- INTERNET-ANY
Destination IP- [Link]/ [Link]
Application Port No.- 443
Justification- To run application over the internet.
note- approved for waf vip [Link]/[Link] Irm approval required. kindly
update waf sheet.
FW- DMZ-CLUSTER-FMC
***To create a new NAT rule***
1. Create host objects for the real IP and the NATted IP.
2. Check the arm of the real IP, e.g. source arm RPWAF and destination arm OUTSIDE.
3. Every static NAT rule must sit above the PAT rule; a PAT rule placed above it would match the traffic first and the static would never be used.
4. Go to Devices -> NAT -> Add Rule -> Manual NAT, insert the rule above the PAT rule, Type: Static.
   Interface objects: add the source and destination arms.
   Translation: Original Source: select the real IP object; Translated Source: select the NAT IP object.
RSTP-SRV-REAL [Link]
RSTP-SRV-NAT [Link]
Src obj grp- INTERNET-ANY
Dst obj grp- RSTP-SRV-REAL
Rule name- INTERNET-RSTP-SRV-ACCESS
Access is allowed on DMZ-CLUSTER FMC.
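Step 3 of the NAT procedure above (statics above the PAT) is the one that is easy to get wrong in the GUI and hard to see afterwards. The following is an added Python example written for these notes, not from the notes, from Cisco or from FMC: it models a NAT table, reports any static rule that a PAT rule above it on the same pair of arms already covers, reorders the table, and renders the ASA-style object and manual NAT lines that correspond to the FMC rule. The rule names, arms and RFC 5737 addresses are placeholders; the -REAL/-NAT naming follows the RSTP-SRV objects above.

```python
"""Static-before-PAT ordering check and manual NAT rendering (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    name: str
    kind: str         # "static" (one-to-one) or "pat" (many-to-one)
    src_arm: str      # real-side interface object, e.g. inside or RPWAF
    dst_arm: str      # mapped-side interface object, e.g. outside
    original: str     # real address(es) as CIDR; 0.0.0.0/0 means any
    translated: str   # mapped address as CIDR, or "interface" for PAT


def _obj_body(net: ipaddress.IPv4Network) -> str:
    return (f"host {net.network_address}" if net.prefixlen == 32
            else f"subnet {net.network_address} {net.netmask}")


def shadowed_statics(rules):
    """(static, pat) pairs where a PAT rule above the static, on the same arms,
    already covers the static's real address, so the static never matches."""
    hits = []
    for i, r in enumerate(rules):
        if r.kind != "static":
            continue
        real = ipaddress.ip_network(r.original)
        for p in rules[:i]:
            if (p.kind == "pat" and (p.src_arm, p.dst_arm) == (r.src_arm, r.dst_arm)
                    and real.subnet_of(ipaddress.ip_network(p.original))):
                hits.append((r.name, p.name))
    return hits


def fix_order(rules):
    """Move every static above every PAT, keeping each group's relative order."""
    return ([r for r in rules if r.kind == "static"]
            + [r for r in rules if r.kind != "static"])


def render(rules):
    """ASA-style object and manual NAT lines, in the order given."""
    lines = []
    for r in rules:
        real = ipaddress.ip_network(r.original)
        if r.kind == "static":
            mapped = ipaddress.ip_network(r.translated)
            lines += [f"object network {r.name}-REAL", f" {_obj_body(real)}",
                      f"object network {r.name}-NAT", f" {_obj_body(mapped)}",
                      f"nat ({r.src_arm},{r.dst_arm}) source static "
                      f"{r.name}-REAL {r.name}-NAT"]
        else:
            if real.prefixlen == 0:
                src = "any"
            else:
                src = f"{r.name}-REAL"
                lines += [f"object network {src}", f" {_obj_body(real)}"]
            lines.append(f"nat ({r.src_arm},{r.dst_arm}) source dynamic {src} {r.translated}")
    return lines


if __name__ == "__main__":
    # Constructed: the PAT was entered first, so the new static is shadowed.
    rules = [NatRule("INSIDE-PAT", "pat", "inside", "outside", "0.0.0.0/0", "interface"),
             NatRule("RSTP-SRV", "static", "inside", "outside",
                     "192.0.2.10/32", "198.51.100.10/32")]
    print(shadowed_statics(rules))          # [('RSTP-SRV', 'INSIDE-PAT')]
    print("\n".join(render(fix_order(rules))))
```

The check only compares rules on the same source/destination arm pair; a PAT on a different arm cannot shadow the static, which is why step 2 (confirm the arm of the real IP) comes before step 3.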
####Here is how you can open Remote Desktop Connection with Run:
Right-click Start or press Win + X to open the aptly-named WinX menu.
Select Run on that menu.
Type mstsc in the Open box.
Click the OK button to open Remote Desktop Connection.
Troubleshooting commands
1. To check the number of active tunnels
RCP-IDC1-TR-1R01-RETAIL-FW-PRI/Internet# sh crypto isakmp stats
2. To check the route to the remote site LAN
RCP-IDC1-TR-1R01-RETAIL-FW-PRI/Internet# sh route | i [Link] (remote site LAN IP)
V [Link] [Link] connected by VPN (advertised), outside
3. To clear the Phase 2 tunnel
RCP-IDC1-TR-1R01-RETAIL-FW-PRI/Internet# clear crypto ipsec sa peer (IP)
4. If the route is not present while Phase 2 is up, ask the WAN team to re-initiate the tunnel:
with a dynamic VPN the reverse route is injected only after Phase 2 completes.
#show ip arp vrf all | i [Link]
# show mac address-table address 0050.569b.7795
# show cdp neighbors interface port-channel 11 detail
RCP-IDC1-SH02-3R13-9K-CS1# show ip arp vrf all | i [Link]
[Link] [Link] 0050.569b.7795 Vlan251 +
RCP-IDC1-SH02-3R13-9K-CS1# show mac address-table address 0050.569b.7795
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link,
(T) - True, (F) - False, C - ControlPlane MAC, ~ - vsan
VLAN MAC Address Type age Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
+ 251 0050.569b.7795 dynamic 0 F F Po11
RCP-IDC1-SH02-3R13-9K-CS1# show cdp neighbors interface port-channel 11 detail
----------------------------------------
Device ID:[Link](FDO252502AU)
System Name: RCP-IDC1-SH02-1R08-AC1
Interface address(es): 1
IPv4 Address: [Link]
Platform: N9K-C93180YC-FX, Capabilities: Router Switch IGMP Filtering Supports-STP-
Dispute
Interface: Ethernet7/2, Port ID (outgoing port): Ethernet1/49
Holdtime: 170 sec
Version:
Cisco Nexus Operating System (NX-OS) Software, Version 9.3(8)
Advertisement Version: 2
Native VLAN: 777
Duplex: full
MTU: 9216
Mgmt address(es):
IPv4 Address: [Link]
Local Interface MAC: [Link]
Remote Interface MAC: [Link]
----------------------------------------
Device ID:[Link](FDO25250HTQ)
System Name: RCP-IDC1-SH02-1R07-AC1
Interface address(es): 1
IPv4 Address: [Link]
Platform: N9K-C93180YC-FX, Capabilities: Router Switch IGMP Filtering Supports-STP-
Dispute
Interface: Ethernet8/2, Port ID (outgoing port): Ethernet1/49
Holdtime: 140 sec
Version:
Cisco Nexus Operating System (NX-OS) Software, Version 9.3(8)
Advertisement Version: 2
Native VLAN: 777
Duplex: full
MTU: 9216
Mgmt address(es):
IPv4 Address: [Link]
Local Interface MAC: [Link]
Remote Interface MAC: [Link]
RCP-IDC1-SH02-1R08-AC1# show mac address-table address 0050.569b.7795
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link,
(T) - True, (F) - False, C - ControlPlane MAC, ~ - vsan
VLAN MAC Address Type age Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
* 251 0050.569b.7795 dynamic 0 F F Po35
RCP-IDC1-SH02-1R08-AC1# show port-channel summary interface po35
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
b - BFD Session Wait
S - Switched R - Routed
U - Up (port-channel)
p - Up in delay-lacp mode (member)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
35 Po35(SU) Eth LACP Eth1/1(P)
RCP-IDC1-SH02-1R08-AC1# show interface ethernet1/1
Ethernet1/1 is up
admin state is up, Dedicated Interface
Belongs to Po35
Hardware: 100/1000/10000/25000 Ethernet, address: d477.9829.c048 (bia
d477.9829.c048)
MTU 9216 bytes, BW 25000000 Kbit , DLY 10 usec
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, medium is broadcast
Port mode is trunk
full-duplex, 25 Gb/s, media type is 25G
Beacon is turned off
Auto-Negotiation is turned off FEC mode is Auto
Input flow-control is off, output flow-control is off
Auto-mdix is turned off
Rate mode is dedicated
Switchport monitor is off
EtherType is 0x8100
EEE (efficient-ethernet) : n/a
admin fec state is auto, oper fec state is Fc-fec
Last link flapped 6week(s) 3day(s)
Last clearing of "show interface" counters 106w0d
14 interface resets
Load-Interval #1: 30 seconds
30 seconds input rate 119376 bits/sec, 14 packets/sec
30 seconds output rate 19608 bits/sec, 17 packets/sec
input rate 119.38 Kbps, 14 pps; output rate 19.61 Kbps, 17 pps
Load-Interval #2: 5 minute (300 seconds)
300 seconds input rate 209808 bits/sec, 5 packets/sec
300 seconds output rate 148144 bits/sec, 14 packets/sec
input rate 209.81 Kbps, 5 pps; output rate 148.14 Kbps, 14 pps
RX
95983932235 unicast packets 6508400 multicast packets 19343 broadcast packets
95990459978 input packets 90713761339840 bytes
38138772428 jumbo packets 0 storm suppression bytes
0 runts 0 giants 0 CRC 0 no buffer
0 input error 0 short frame 0 overrun 0 underrun 0 ignored
0 watchdog 0 bad etype drop 0 bad proto drop 0 if down drop
0 input with dribble 0 input discard
0 Rx pause
TX
74790954127 unicast packets 500644161 multicast packets 143946991 broadcast
packets
75435545279 output packets 56144262538621 bytes
24375568613 jumbo packets
0 output error 0 collision 0 deferred 0 late collision
0 lost carrier 0 no carrier 0 babble 0 output discard
0 Tx pause
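The captures above walk one host from its ARP entry to the MAC table, to the port-channel, to the CDP neighbour, and then repeat on the neighbour. The following is an added Python example written for these notes (not from the notes or from Cisco) that automates that chain over pasted show output. Its sample outputs are constructed from the captures above with the placeholder address 192.0.2.10 and placeholder device IDs and serials, and the parsers assume the NX-OS 9.3 column layout shown above.

```python
"""Trace a host from IP to the far-end switch port using NX-OS show output (added example)."""
import re

# Constructed sample outputs modelled on the captures above; the IP, device IDs
# and serials are placeholders. The MAC, VLAN and port names follow the capture.
ARP = """\
Address         Age       MAC Address     Interface       Flags
192.0.2.10      00:05:23  0050.569b.7795  Vlan251         +
"""
MACS = """\
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
+  251     0050.569b.7795   dynamic  0         F      F    Po11
"""
PORT_CHANNELS = """\
Group Port-       Type     Protocol  Member Ports
      Channel
--------------------------------------------------------------------------------
11    Po11(SU)    Eth      LACP      Eth7/2(P)    Eth8/2(P)
"""
CDP = """\
----------------------------------------
Device ID:ac1.example(SERIAL-A)
System Name: RCP-IDC1-SH02-1R08-AC1
Interface: Ethernet7/2, Port ID (outgoing port): Ethernet1/49
----------------------------------------
Device ID:ac2.example(SERIAL-B)
System Name: RCP-IDC1-SH02-1R07-AC1
Interface: Ethernet8/2, Port ID (outgoing port): Ethernet1/49
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"


def parse_arp(text):
    """IP -> (MAC, interface) from 'show ip arp vrf all'."""
    return {m[1]: (m[2], m[3]) for m in re.finditer(
        rf"^(\d+(?:\.\d+){{3}})\s+\S+\s+({MAC})\s+(\S+)", text, re.M)}


def parse_mac_table(text):
    """MAC -> (VLAN, port) from 'show mac address-table'; '*'/'+' rows are primary entries."""
    return {m[2]: (m[1], m[3]) for m in re.finditer(
        rf"^[*+]\s+(\d+)\s+({MAC})\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)", text, re.M)}


def parse_port_channels(text):
    """PoN -> member ports that are up in the bundle (flag P) from 'show port-channel summary'."""
    out = {}
    for m in re.finditer(r"^\s*\d+\s+(Po\d+)\(\S+\)\s+\S+\s+\S+\s+(.*)$", text, re.M):
        out[m[1]] = [port for port, flag in re.findall(r"(\S+?)\((\w)\)", m[2]) if flag == "P"]
    return out


def parse_cdp_detail(text):
    """[{name, local_if, remote_if}] from 'show cdp neighbors ... detail'."""
    nbrs = []
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        name = re.search(r"System Name:\s*(\S+)", block)
        ifs = re.search(r"Interface:\s*([^,\s]+), Port ID \(outgoing port\):\s*(\S+)", block)
        if name and ifs:
            nbrs.append({"name": name[1], "local_if": ifs[1], "remote_if": ifs[2]})
    return nbrs


def short(ifname):
    """CDP prints Ethernet7/2, the port-channel summary prints Eth7/2; compare on one form."""
    return re.sub(r"^Ethernet", "Eth", ifname)


def trace(ip, arp_txt, mac_txt, pc_txt, cdp_txt):
    """Chain ARP -> MAC table -> port-channel members -> CDP neighbour for one host."""
    mac, arp_if = parse_arp(arp_txt)[ip]
    vlan, port = parse_mac_table(mac_txt)[mac]
    members = parse_port_channels(pc_txt).get(port, [port])   # a plain port has no members
    by_local = {short(n["local_if"]): n for n in parse_cdp_detail(cdp_txt)}
    next_hops = [(by_local[m]["name"], by_local[m]["remote_if"])
                 for m in map(short, members) if m in by_local]
    return {"ip": ip, "mac": mac, "vlan": vlan, "svi": arp_if, "port": port,
            "members": members, "next_hops": next_hops}


if __name__ == "__main__":
    print(trace("192.0.2.10", ARP, MACS, PORT_CHANNELS, CDP))
```

Two next hops come back because Po11 is a vPC toward a pair of access switches; repeat the MAC table lookup on each one, as the capture does on 1R08-AC1, until the port the MAC is learned on has no CDP neighbour, which is the host-facing port.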
[Link]
----------------------------------------------------
show port-channel summary
show endpoint interface port-channel 7 detail
show cluster info
show cpu-usage sorted non-zero
show processes cpu
show cpu usage detailed
show capture
"tmatch compile thread is running" (message seen while the access-list is being recompiled; not a command)
show conn count
system support diagnostic-cli
show access-list element-count
show process cpu-hog
show cluster history
********************************************************************************
connect fxos
connect ftd
system support diagnostic-cli
show failover
configure high-availability disable
yes
yes
sync-from-peer system
show failover
show ip add
show conn count
connect fxos
connect local-mgmt
exit
scope firmware
download image usbA:/cisco-asa-fp1k.[Link].SPA
show download-task
show package
scope auto-install
install security-pack version [Link]
yes
yes
Commands given by TAC
show detail
int m0/0
 no nameif
 ip address <ip> <subnet>
int g0/0
 nameif inside
 security-level 100
 ip address <ip> <subnet> standby <ip>
 no shut
int g0/1
 nameif outside
 security-level 0
 ip address <ip> <subnet>
 no shut
show ip
ssh 0 0 outside (permits SSH from any source on the outside arm; narrow it to the management subnet once the box is reachable)
route outside 0 0 {next hop ip address}
username {} password {} privilege 15
aaa authentication ssh console LOCAL
ssh timeout 60
----
interface
configure high-availability resume
write memory
failover active
scope auto-install
yes
yes
show detail
#reload
>reboot
show crypto ikev1 stats
show crypto ipsec stats
system support diagnostic-cli
===================================================================================
M&S IP pool migration & static to dynamic
Note: confirm the pool IP and the peer IPs with the user and take the details by mail.
Devices involved for M&S:
1) M&S IPsec tunnel firewall: IP
2) ACL firewall for the VPN vendor: IP
3) IP
Steps for
1) M&S IPsec tunnel firewall: IP
• Log in to the IP FW and add the new IP pool to the MnS-STORE-NW object group.
CLI command below
E.g.
object-group network MnS-STORE-NW
 network-object IP /Subnet
• Add the new IP pool to the access list
E.g.
access-list MnS standard permit IP /Subnet
• Verify that the pool appears in the object group, the access list and the routing table
RCP-IDC1-TR-1R04-MS-FW-PRI# show running-config | i IP
network-object IP /Subnet
access-list MnS standard permit IP /Subnet
route outside IP /Subnet Route IP 1
2) ACL firewall for the VPN vendor: IP
• Add the new IP pool to the access list
E.g.
access-list EXTNNP standard permit IP /Subnet
• Add a route in the [Link] firewall
E.g.
route m&S IP /Subnet (next-hop router IP)
• Log in to the IP FW and add the new IP pool to the M&S-NEW-IP-POOL object group
CLI command below
E.g.
object-group network M&S-NEW-IP-POOL
 network-object IP /Subnet
3) Add the new IP pool in the M&S IPsec tunnel (RDP login to [Link], tunnel firewall IP)
• Log in to the RDP host (IP)
• Log in to Cisco ASDM on the firewall (IP)
• Click Configuration => Site-to-Site VPN => scroll down and click Search => paste the peer IPs and search; the VPN tunnel appears => open that tunnel => under Remote Network, remove the old LAN pool IP and add the new LAN pool IP => click OK => Apply => Save.
(Before and after screenshots were attached here for reference.)
Static to dynamic
Note: confirm the peer IP and the LAN pool IP with the user by mail. Before deleting the static entry, confirm that a dynamic crypto map entry covers the peer; otherwise the tunnel will not re-establish.
• Log in to the RDP host (IP)
• Log in to Cisco ASDM on the firewall (IP)
• Click Configuration => Site-to-Site VPN => scroll down and click Search => paste the peer IPs and search; the VPN tunnel appears => select that VPN tunnel => click Delete => Apply => Save.
(Screenshots were attached here for reference.)
Open the Cisco ASDM-IDM Launcher and log in.
After login, click Configuration, then Site-to-Site VPN.
Scroll down and search with the peer IPs.
Select that VPN tunnel; the Delete option appears. Click it.
Then Apply and Save.