FW & SW Command 1

Uploaded by y6c7mn4myg

sh running-config access-list | include (IP) -------------- to check the working rule (the line in the running config that references the IP)

object network REAL-10.131.195.123
 nat (wafdmz,outside) static 116.50.97.90

sh ip route (IP) ------------ to check the route

sh ip route vrf all | include (IP) ----------- to check which VRF the IP lives in
sh running-config interface vlan (ID) ---------------- on the core and aggregation switch, to find the SVI where the subnet is configured
sh object-group id (NAME) ---------------- to list the IPs in an object group
sh run object-group network | i object-group|(IP) ------------ to find which object group an IP is called in (the regex prints every group header plus the matching member, so the group name is the header just above the hit)
sh running-config access-group ----------- to check which ACL is bound to which interface
show xlate | i (IP) ----------- to check the NAT translation for the IP

Switch (SW) commands
sh module uptime
show module
no poweroff module 1 ----------- powers module 1 back on (`poweroff module 1` is the opposite)
show module internal all

tail -f messages | grep (IP) ----------- follow the syslog for an IP (expert shell on FMC/FTD, from /var/log)

tracert ----------- trace the path from a Windows host (traceroute on Linux)

IPsec commands

show crypto ipsec sa | b 10.92.32.192 ----------- phase 2 SAs, starting at the SA for that network

clear crypto ipsec sa peer 117.254.196.59 ----------- tear down phase 2 for one peer; it re-negotiates on the next interesting packet

Phase 1 --- sh crypto isakmp sa | b 103.102.65.92

Phase 2 --- show crypto ipsec sa peer 117.254.196.59

Show ip bgp neighbors 10.67.122.252 received-routes vrf O2C

troubleshoot cmd

sf_troubleshoot.pl ----------- generates the troubleshoot bundle on FMC/FTD (expert shell, as root)

packet-tracer input azure tcp 10.45.156.32 111 10.166.164.60 1535 ----- to verify a new rule: ingress arm, protocol, source IP, source port, destination IP, destination port

As requested, access has been allowed. Source: IP Destination: IP Port No: port

(the original notes recorded device login credentials here; redacted)

object network ULIP-STAGE-URL
 fqdn v4 ulipstaging.dpiit.gov.in

time-range 21NOV2024-21DEC2024
 absolute start 00:00 21 November 2024 end 23:59 21 December 2024


show crypto ipsec sa peer 13.232.1.150

show conn address (IP) ----------- connections to or from a host

sh conn | i (IP) ----------- same, filtered by regex

Normal Port Opening


===========================================================================
show ip route (IP address) ------- to check the specific route
show running-config interface (Vlan224)

raccess.ril.com/entidc
evpn.ril.com

changeto system ----------- switch to the system context before looking at cluster info

show cluster info ----------- cluster unit states (CPU across units: show cluster cpu)

(a password was recorded here in the original notes; redacted)

show endpoint (IP) ------------- to check the tenant (ACI)

DMZ PCI
===========================================================================
sh ip route (IP) ----- to check a route on the AG (aggregation) switch
show running-config interface (VLAN) ------ to check a VLAN on the AG
show route | i (10.129.78.0) --------- to check the route and the firewall arm, i.e. the interface the route will be injected on
show running-config access-group ------- to check the access groups bound on the firewall
show access-list acl_dmz | i (IP) ----- to check the specific arm's access list for a host
show access-list | i (access list name), e.g. (acl_dmz line 80) ----- to see the expanded entries behind an existing object-group line
object-group network (name of object group) -------- to create an object group
 network-object host (IP address), e.g. 10.131.53.28 ----- to add a host
 network-object (network address) (subnet mask), e.g. 10.129.99.128 255.255.255.128 -------- to add a subnet
time-range 15APRIL19_15APRIL19 (name can describe the duration) ---- to create a time object
 absolute start 00:00 15 April 2019 end 23:59 15 April 2019 ----- the actual window
access-list (policy name) extended permit tcp object-group (source object-group name) object-group (destination object-group name) eq (destination port) time-range (time-range name) ----- the rule; time-range takes the name of the time object, not the dates
packet-tracer input (arm) tcp (source IP) (source port) (destination IP) (destination port) ----- to verify the new rule
show access-list | i (IP) ---------- to check the static IP

show access-list | include (IP) ------------- to check a rule by source IP or destination IP

show access-list | include (acl_retrelease line 1939) ---------- rule line and acce
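The sequence above (object groups, time-range, ACE, packet-tracer) is easy to get wrong by hand: a subnet with host bits set, an inverted time window, or the dates pasted where the time-range name belongs. Added example, not part of the original notes: a small generator that emits the ASA CLI for one request and the packet-tracer command to verify it. ACL_NAME, INGRESS_ARM, the object-group names and SAMPLE_REQUEST are constructed for illustration.

```python
"""Generate the ASA CLI for a port-opening request plus the packet-tracer check.

Added example, not from the original notes: it strings together the
object-group / time-range / access-list / packet-tracer steps listed above.
ACL_NAME, INGRESS_ARM, the group names and SAMPLE_REQUEST are assumptions.
"""
import ipaddress
from datetime import datetime

ACL_NAME = "acl_dmz"      # assumption: policy bound to the DMZ arm
INGRESS_ARM = "dmz"       # assumption: nameif used as packet-tracer ingress


def network_object_line(cidr):
    """One `network-object` line: `host` for a /32, else address + dotted mask.
    strict=True makes ip_network reject a subnet whose host bits are set
    (e.g. 10.129.99.130/25), the usual copy-paste error in a change request."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen == 32:
        return f" network-object host {net.network_address}"
    return f" network-object {net.network_address} {net.netmask}"


def first_host(cidr):
    """A representative host inside a prefix, used for the packet-tracer probe."""
    net = ipaddress.ip_network(cidr)
    return net.network_address if net.prefixlen >= 31 else net.network_address + 1


def time_range_lines(name, start, end):
    """`time-range` block in ASA absolute format (hh:mm day month year)."""
    if end <= start:
        raise ValueError("time-range end must be after start")
    fmt = "%H:%M %d %B %Y"
    return [f"time-range {name}",
            f" absolute start {start.strftime(fmt)} end {end.strftime(fmt)}"]


def build_rule_config(req):
    """Return the CLI lines for one request, ending with the verification command."""
    lines = [f"object-group network {req['src_group']}"]
    lines += [network_object_line(c) for c in req["src"]]
    lines.append(f"object-group network {req['dst_group']}")
    lines += [network_object_line(c) for c in req["dst"]]
    ace = (f"access-list {ACL_NAME} extended permit {req['proto']} "
           f"object-group {req['src_group']} object-group {req['dst_group']} eq {req['port']}")
    if req.get("start"):                      # permanent requests carry no time-range
        tr_name = f"{req['start']:%d%b%Y}_{req['end']:%d%b%Y}".upper()
        lines += time_range_lines(tr_name, req["start"], req["end"])
        ace += f" time-range {tr_name}"       # the ACE references the time object by name
    lines.append(ace)
    lines.append(f"packet-tracer input {INGRESS_ARM} {req['proto']} "
                 f"{first_host(req['src'][0])} 12345 {first_host(req['dst'][0])} {req['port']}")
    return lines


# Constructed request, mirroring the one-day 15 April 2019 window used in the notes.
SAMPLE_REQUEST = {
    "src_group": "SRC-PCI-APP", "src": ["10.131.53.28/32"],
    "dst_group": "DST-PCI-DB", "dst": ["10.129.99.128/25"],
    "proto": "tcp", "port": 443,
    "start": datetime(2019, 4, 15, 0, 0), "end": datetime(2019, 4, 15, 23, 59),
}

if __name__ == "__main__":
    print("\n".join(build_rule_config(SAMPLE_REQUEST)))
```

Paste the output into the firewall config mode, then run the final packet-tracer line and confirm the ACL phase shows the new ACE allowing the flow; a time-range rule shows as denied outside its window, which is the expected result rather than a fault.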

================================================================================

sh route | b 10.131

packet-tracer input dmz tcp (source IP) (source port) (destination IP) (destination port)

SAMARTH-REAL-IP - 10.21.108.140 --- FTD FW NAT host name

SAMARTH-REAL-PUBLIC-IP - 116.50.90.157

object network REAL-10.131.195.176 >> new
 host 10.131.195.176
 nat (wafdmz,outside) static 116.50.97.15

-----------------------------------------------------------------------------------

ssh-keygen -R 10.44.45.50 ----------- removes the stale known_hosts entry after a device's SSH host key changed; confirm the new fingerprint out of band (console or a trusted admin) before accepting it, since a changed key is also what a man-in-the-middle looks like

HPNNMI Commands
# show processes cpu
# sh cpu usage
# sh cpu utilization
# show module
# show inventory
# show environment all
# show interface port-channel 5
# sh int Gi1/0/1
# sh int Ethernet1/29
# show env | i power
# show env power
# sh cpu usage detailed
# show isakmp sa detail
# show port-channel summary
# show environment power
# show environment temperature

# show version | i up
# show environment power-supplies
# show access-list | i (IP)
# sh interface Ethernet1/28
dsa.msc ----------- Active Directory Users and Computers (Windows)

# show ip route
# show run interface vlan224
# show run access-group

# show ip arp vrf all | i 10.22.131.22

• To check a specific access list with arm details

# show access-list acl_out | i 10.131.37.56

• To check existing object groups behind an ACL line

# show access-list | i acl_out line 8646
# show run object-group network | i object-group|(IP)

• To check the firewall interfaces and logging configuration

# show run logging
# show ip address

• To check syslogs

$ tail -f messages | grep (src/dest IP)

$ tail -f messages | grep 10.129.208.13 | grep Block

$ grep 10.21.106.34 messages ----------- search the whole file instead of following it

## To generate a troubleshoot file on FMC through the CLI

> expert
admin@FMC:~$ sudo su
root@FMC:/Volume/home/admin# sf_troubleshoot.pl

---URL filtering---
* To create a network object for a URL (FQDN object):
#object network GOOGLEAPIS
 fqdn v4 fcm.googleapis.com

* where GOOGLEAPIS is the name of the network object and fcm.googleapis.com is the public FQDN it resolves to. The firewall needs working DNS for this (dns domain-lookup on an interface plus a DNS server group), otherwise the object stays empty and the rule never matches.

* command to find the object network
sh run object network in-line | i <OBJ NAME>

sh running-config object | i facebook.com

* create an fqdn object network -
object network ftp1.tpinformation.com
 fqdn v4 ftp1.tpinformation.com

* packet-tracer command -
packet-tracer input dmz-s02 tcp 10.128.78.185 100 fqdn ftp1.tpinformation.com 22

* access-list -
access-list acl_dmz-s02 extended permit tcp object-group CLX-ISCM_DB-SRV object ftp1.tpinformation.com eq 22

RF599903
Access- Permanent
Source IP- INTERNET-ANY
Destination IP- 10.129.84.58/ 116.50.66.46
Application Port No.- 443
Justification- To run application over the internet.
Note: approved for WAF VIP 10.129.84.58/116.50.66.46; Irm approval required. Kindly update the WAF sheet.

FW- DMZ-CLUSTER-FMC

***To create a new NAT rule (FMC)***

1. Create host objects for the real IP and the NATed IP.
2. Check the arm of the real IP, e.g. source arm RPWAF and destination arm OUTSIDE.
3. Every static NAT rule must sit above the PAT rule: NAT is first-match, so a PAT rule placed above would translate the traffic first.
4. Go to Devices -> NAT -> Add Rule -> Manual NAT -> place the rule above the PAT rule -> Type: Static
   Interface objects: add the source and destination arms
   Translation: Original Source = the real IP object; Translated Source = the NAT IP object

RSTP-SRV-REAL 10.129.84.58
RSTP-SRV-NAT 116.50.66.46

Src obj grp - INTERNET-ANY

Dst obj grp - RSTP-SRV-REAL

Rule name - INTERNET-RSTP-SRV-ACCESS

Access is allowed on DMZ-CLUSTER FMC.

#### How to open Remote Desktop Connection with Run:

Right-click Start or press Win + X to open the WinX menu, select Run, type mstsc in the Open box, and click OK to open Remote Desktop Connection.

Troubleshooting commands:

1. To check the number of active tunnels
RCP-IDC1-TR-1R01-RETAIL-FW-PRI/Internet# sh crypto isakmp stats
2. To check the route
RCP-IDC1-TR-1R01-RETAIL-FW-PRI/Internet# sh route | i 10.120.88.208 (remote site LAN IP)
V 10.120.88.208 255.255.255.240 connected by VPN (advertised), outside

3. To clear the phase 2 tunnel

RCP-IDC1-TR-1R01-RETAIL-FW-PRI/Internet# clear crypto ipsec sa peer (IP)

4. If the route is not present while phase 2 is up, ask the WAN team to re-initiate the tunnel: with a dynamic VPN the reverse route is injected only after phase 2 completes.
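The four steps above reduce to two outputs per peer: the phase 2 counters from `show crypto ipsec sa` and whether the remote LAN has its `connected by VPN` route. Added example, not part of the original notes: a triage script that reads both and gives one verdict per peer, including the "phase 2 up but route missing" case that needs the WAN team. SAMPLE_SA and SAMPLE_ROUTE are constructed in ASA output format; the peers (documentation range), subnets and counters are invented.

```python
"""Triage site-to-site IPsec peers from `show crypto ipsec sa` and `show route`.

Added example, not from the original notes. Per peer it checks the phase 2
counters, then whether the remote LAN has its reverse-route ("connected by
VPN") entry. SAMPLE_SA and SAMPLE_ROUTE are constructed; peers, subnets and
counters are invented.
"""
import ipaddress
import re

REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
PEER_RE = re.compile(r"current_peer: ([\d.]+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
VPN_ROUTE_RE = re.compile(r"^V\s+([\d.]+) ([\d.]+) connected by VPN")

SAMPLE_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.10

      access-list outside_cryptomap_10 extended permit ip 10.92.32.0 255.255.255.0 10.120.88.208 255.255.255.240
      local ident (addr/mask/prot/port): (10.92.32.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.120.88.208/255.255.255.240/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 1540, #pkts encrypt: 1540, #pkts digest: 1540
      #pkts decaps: 1522, #pkts decrypt: 1522, #pkts verify: 1522

    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (10.92.32.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.200.9.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 88, #pkts encrypt: 88, #pkts digest: 88
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    Crypto map tag: outside_map, seq num: 30, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (10.92.32.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.200.7.0/255.255.255.0/0/0)
      current_peer: 198.51.100.3

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    Crypto map tag: outside_dyn_map, seq num: 10, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (10.92.32.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.200.11.0/255.255.255.0/0/0)
      current_peer: 198.51.100.4

      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
"""

SAMPLE_ROUTE = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
C        10.92.32.0 255.255.255.0 is directly connected, inside
V        10.120.88.208 255.255.255.240 connected by VPN (advertised), outside
V        10.200.7.0 255.255.255.0 connected by VPN (advertised), outside
V        10.200.9.0 255.255.255.0 connected by VPN (advertised), outside
"""


def parse_ipsec_sa(text):
    """One record per phase 2 SA: peer, remote network, encaps/decaps counters."""
    sas, cur = [], {}
    for line in text.splitlines():
        if m := REMOTE_RE.search(line):
            cur = {"remote": ipaddress.ip_network(f"{m[1]}/{m[2]}")}
        elif m := PEER_RE.search(line):
            cur["peer"] = m[1]
        elif m := ENCAPS_RE.search(line):
            cur["encaps"] = int(m[1])
        elif m := DECAPS_RE.search(line):
            cur["decaps"] = int(m[1])
            sas.append(cur)          # decaps is the last field we need from the block
            cur = {}
    return sas


def vpn_routes(route_text):
    """Remote networks that currently have a reverse-route-injected entry."""
    return {ipaddress.ip_network(f"{m[1]}/{m[2]}")
            for line in route_text.splitlines()
            if (m := VPN_ROUTE_RE.match(line))}


def triage(sa_text, route_text):
    """peer -> healthy | one-way | route-missing | no-egress"""
    routes = vpn_routes(route_text)
    verdicts = {}
    for sa in parse_ipsec_sa(sa_text):
        if sa["encaps"] > 0 and sa["decaps"] == 0:
            verdict = "one-way"        # we encrypt, nothing returns: remote side / crypto ACL mirror
        elif sa["remote"] not in routes:
            verdict = "route-missing"  # phase 2 up, no RRI route: ask WAN team to re-initiate
        elif sa["encaps"] == 0:
            verdict = "no-egress"      # nothing leaving: routing toward the tunnel / interesting traffic
        else:
            verdict = "healthy"
        verdicts[sa["peer"]] = verdict
    return verdicts


if __name__ == "__main__":
    for peer, verdict in triage(SAMPLE_SA, SAMPLE_ROUTE).items():
        print(f"{peer:16} {verdict}")
```

Run it on the pasted output of the two show commands from the firewall; `one-way` is the case where clearing phase 2 (`clear crypto ipsec sa peer`) is worth trying first, while `route-missing` is the step 4 hand-off to the WAN team rather than something to clear locally.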

Tracing a host to its switch port: ARP gives the MAC, the MAC table gives the port-channel, CDP gives the neighbour behind that port-channel; repeat on the neighbour until the MAC is learned on a physical edge port.

#show ip arp vrf all | i 10.128.254.24
# show mac address-table address 0050.569b.7795
# show cdp neighbors interface port-channel 11 detail

RCP-IDC1-SH02-3R13-9K-CS1# show ip arp vrf all | i 10.128.254.24


10.128.254.24 00:11:43 0050.569b.7795 Vlan251 +
RCP-IDC1-SH02-3R13-9K-CS1# show mac address-table address 0050.569b.7795
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link,
(T) - True, (F) - False, C - ControlPlane MAC, ~ - vsan
VLAN MAC Address Type age Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
+ 251 0050.569b.7795 dynamic 0 F F Po11
RCP-IDC1-SH02-3R13-9K-CS1# show cdp neighbors interface port-channel 11 detail
----------------------------------------
Device ID:RCP-IDC1-SH02-1R08-AC1.ril.com(FDO252502AU)
System Name: RCP-IDC1-SH02-1R08-AC1

Interface address(es): 1
IPv4 Address: 10.22.26.18
Platform: N9K-C93180YC-FX, Capabilities: Router Switch IGMP Filtering Supports-STP-
Dispute
Interface: Ethernet7/2, Port ID (outgoing port): Ethernet1/49
Holdtime: 170 sec

Version:
Cisco Nexus Operating System (NX-OS) Software, Version 9.3(8)
Advertisement Version: 2

Native VLAN: 777


Duplex: full

MTU: 9216
Mgmt address(es):
IPv4 Address: 10.22.26.18
Local Interface MAC: 6c:13:d5:03:76:bc
Remote Interface MAC: 00:00:00:00:00:00
----------------------------------------
Device ID:RCP-IDC1-SH02-1R07-AC1.ril.com(FDO25250HTQ)
System Name: RCP-IDC1-SH02-1R07-AC1

Interface address(es): 1
IPv4 Address: 10.22.26.17
Platform: N9K-C93180YC-FX, Capabilities: Router Switch IGMP Filtering Supports-STP-
Dispute
Interface: Ethernet8/2, Port ID (outgoing port): Ethernet1/49
Holdtime: 140 sec

Version:
Cisco Nexus Operating System (NX-OS) Software, Version 9.3(8)

Advertisement Version: 2

Native VLAN: 777


Duplex: full

MTU: 9216
Mgmt address(es):
IPv4 Address: 10.22.26.17
Local Interface MAC: f8:7a:41:b5:f5:e0
Remote Interface MAC: d4:77:98:29:c0:47

RCP-IDC1-SH02-1R08-AC1# show mac address-table address 0050.569b.7795


Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link,
(T) - True, (F) - False, C - ControlPlane MAC, ~ - vsan
VLAN MAC Address Type age Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
* 251 0050.569b.7795 dynamic 0 F F Po35
RCP-IDC1-SH02-1R08-AC1# show port-channel summary interface po35
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
b - BFD Session Wait
S - Switched R - Routed
U - Up (port-channel)
p - Up in delay-lacp mode (member)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
35 Po35(SU) Eth LACP Eth1/1(P)
RCP-IDC1-SH02-1R08-AC1# show interface ethernet1/1
Ethernet1/1 is up
admin state is up, Dedicated Interface
Belongs to Po35
Hardware: 100/1000/10000/25000 Ethernet, address: d477.9829.c048 (bia
d477.9829.c048)
MTU 9216 bytes, BW 25000000 Kbit , DLY 10 usec
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, medium is broadcast
Port mode is trunk
full-duplex, 25 Gb/s, media type is 25G
Beacon is turned off
Auto-Negotiation is turned off FEC mode is Auto
Input flow-control is off, output flow-control is off
Auto-mdix is turned off
Rate mode is dedicated
Switchport monitor is off
EtherType is 0x8100
EEE (efficient-ethernet) : n/a
admin fec state is auto, oper fec state is Fc-fec
Last link flapped 6week(s) 3day(s)
Last clearing of "show interface" counters 106w0d
14 interface resets
Load-Interval #1: 30 seconds
30 seconds input rate 119376 bits/sec, 14 packets/sec
30 seconds output rate 19608 bits/sec, 17 packets/sec
input rate 119.38 Kbps, 14 pps; output rate 19.61 Kbps, 17 pps
Load-Interval #2: 5 minute (300 seconds)
300 seconds input rate 209808 bits/sec, 5 packets/sec
300 seconds output rate 148144 bits/sec, 14 packets/sec
input rate 209.81 Kbps, 5 pps; output rate 148.14 Kbps, 14 pps
RX
95983932235 unicast packets 6508400 multicast packets 19343 broadcast packets
95990459978 input packets 90713761339840 bytes
38138772428 jumbo packets 0 storm suppression bytes
0 runts 0 giants 0 CRC 0 no buffer
0 input error 0 short frame 0 overrun 0 underrun 0 ignored
0 watchdog 0 bad etype drop 0 bad proto drop 0 if down drop
0 input with dribble 0 input discard
0 Rx pause
TX
74790954127 unicast packets 500644161 multicast packets 143946991 broadcast
packets
75435545279 output packets 56144262538621 bytes
24375568613 jumbo packets
0 output error 0 collision 0 deferred 0 late collision
0 lost carrier 0 no carrier 0 babble 0 output discard
0 Tx pause

10.92.33.64

----------------------------------------------------

show port-channel summary

show endpoint interface port-channel po7 detail

show cluster info
show processes cpu-usage sorted non-zero

show processes cpu

show cpu usage detailed

show capture

tmatch compile thread is running ----------- message seen while the rule-engine compile is still running after a policy change

show conn count

system support diagnostic-cli

show access-list element-count

show processes cpu-hog

show cluster history

********************************************************************************

connect fxos

connect ftd

system support diagnostic-cli

show failover

configure high-availability disable

yes
yes
sync-from-peer system
show failover
show ip address
show conn count
connect fxos
connect local-mgmt
exit
scope firmware
download image usbA:/cisco-asa-fp1k.9.20.3.16.SPA
show download-task
show package
scope auto-install
install security-pack version 9.20.3.16
yes
yes

Before `install`, check the downloaded image's hash against the value published on the Cisco download page; an image copied over USB has no other integrity check.

Commands given by TAC

show detail

int m0/0
 no nameif
 ip address <ip> <subnet>

int g0/0
 nameif inside
 security-level 100
 ip address <ip> <subnet> standby <ip>
 no shut

int g0/1
 nameif outside
 security-level 0
 ip address <ip> <subnet>
 no shut

show ip

ssh 0 0 outside ----------- 0 0 permits SSH from any source on the outside interface; tighten it to the management source range once the box is reachable
route outside 0 0 {next hop ip address}
username {} password {} privilege 15
aaa authentication ssh console LOCAL
ssh timeout 60

----

configure high-availability resume

write memory

failover active

scope auto-install

yes
yes
show detail

#reload (ASA)
>reboot (FXOS)

show crypto ikev1 stats

show crypto ipsec stats
system support diagnostic-cli

===================================================================================

M&S IP Pool Migration & Static to Dynamic

Note: confirm the pool IP and the peer IPs with the user and take the details by mail.

There are 2 firewalls for M&S:

1) M&S IPsec tunnel: IP
2) ACL firewall for the VPN vendor: IP
3) IP

Steps for
1) M&S IPsec tunnel: IP

• Log in to the IP FW and add the new IP pool to the MnS-STORE-NW object group

CLI command, e.g.:
object-group network MnS-STORE-NW
 network-object IP /Subnet

• Add the new IP pool to the access list

E.g.:
access-list MnS standard permit IP /Subnet

• Verify everything that references the pool:
RCP-IDC1-TR-1R04-MS-FW-PRI# show running-config | i IP

network-object IP /Subnet
access-list MnS standard permit IP /Subnet
route outside IP /Subnet Route IP 1

2) ACL firewall for the VPN vendor: IP

• Add the new IP pool to the access list

E.g.:
access-list EXTNNP standard permit IP /Subnet

• Add a route on the 10.128.0.242 firewall

E.g.:
route m&S IP /Subnet Router IP

• Log in to the IP FW and add the new IP pool to the M&S-NEW-IP-POOL object group

CLI command, e.g.:
object-group network M&S-NEW-IP-POOL
 network-object IP /Subnet

3) Add the new IP pool from the RDP host 10.128.3.100 on the M&S IPsec tunnel firewall (IP)
• Log in to the RDP host (IP)
• Log in to Cisco ASDM on the firewall (IP)
• Configuration => Site-to-Site VPN => scroll down and click Search => paste the peer IPs and search; the VPN tunnel appears => open that tunnel => under Remote Network, remove the old LAN pool IP and add the new LAN pool IP => OK => Apply => Save.

(Screenshots for reference: before and after.)

Static to dynamic

Note: confirm the peer IP and LAN pool IP with the user by mail.

• Log in to the RDP host (IP)
• Log in to Cisco ASDM on the firewall (IP)
• Configuration => Site-to-Site VPN => scroll down and click Search => paste the peer IPs and search; the VPN tunnel appears => select that VPN tunnel => Delete => Apply => Save.

(Screenshots for reference.)

Open the Cisco ASDM-IDM Launcher and log in.

After login: click Configuration, then Site-to-Site VPN.

Scroll down and search with the peer IPs.

Select that VPN tunnel; the Delete option appears. Click it, then Apply & Save.