3/23/2020 Understanding the rules in the "show asp table classify crypto" output - Tech Zone

Understanding the rules in the "show asp table classify crypto" output

by atbasu on 04-08-2013 10:50 AM (10,574 Views)

Activity: Troubleshooting
Product (Cisco): ASA
Protocol, Standards & Languages: IPsec

FIRE19-5505(config)# sh asp table classify crypto
Interface outside:

****** The decrypt rules are for the outer header, therefore they all have the same address. ******
----- Public to public SPI = 0x2F083E0C
in id=0xd85c2018, priority=70, domain=decrypt, deny=false
hits=0, user_data=0xf8cfac, cs_id=0x0, reverse, flags=0x0, protocol=50
src ip=209.194.208.101, mask=255.255.255.255, port=2095
dst ip=67.79.40.14, mask=255.255.255.255, port=3134, dscp=0x0

----- NEM to Any SPI = 0x10212561
in id=0xd8525478, priority=70, domain=decrypt, deny=false
hits=76, user_data=0xfcff84, cs_id=0x0, reverse, flags=0x0, protocol=50
src ip=209.194.208.101, mask=255.255.255.255, port=8464
dst ip=67.79.40.14, mask=255.255.255.255, port=24869, dscp=0x0

----- Public to Any SPI = 0xD6D068A9 (used for management)
in id=0xd53817a8, priority=70, domain=decrypt, deny=false
hits=5, user_data=0x1008f1c, cs_id=0x0, reverse, flags=0x0, protocol=50
src ip=209.194.208.101, mask=255.255.255.255, port=53462
dst ip=67.79.40.14, mask=255.255.255.255, port=43368, dscp=0x0

****** The ipsec-tunnel-flow rules verify that the decrypted traffic matches what was negotiated. ******
------ Tunnel flow rule for public to public
in id=0xd85c1f80, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=82, user_data=0xf8cfac, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=209.194.208.101, mask=255.255.255.255, port=0
dst ip=67.79.40.14, mask=255.255.255.255, port=0, dscp=0x0

------ Tunnel flow rule for any to NEM networks
in id=0xd85253e0, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=1550, user_data=0xfcff84, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=172.23.119.0, mask=255.255.255.0, port=0, dscp=0x0

------ Tunnel flow rule for any to public
in id=0xd85b41b8, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=26, user_data=0x1008f1c, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=67.79.40.14, mask=255.255.255.255, port=0, dscp=0x0

------ NAT-T
in id=0xd7f808c8, priority=12, domain=ipsec-natt, deny=false
hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=17
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=67.79.40.14, mask=255.255.255.255, port=4500, dscp=0x0

------ Default tunnel flow deny rule - IPv4
in id=0xd8392a10, priority=12, domain=ipsec-tunnel-flow, deny=true
hits=4, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

------ Default tunnel flow deny rule - IPv6
in id=0xd8392bc0, priority=12, domain=ipsec-tunnel-flow, deny=true
hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=::/0, port=0
dst ip=::/0, port=0

------ Cascade delimiter
out id=0xd852a000, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xd7f77958, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=255.255.255.255, port=0, dscp=0x0

------ Encrypt rule for public to public
out id=0xd8508310, priority=70, domain=encrypt, deny=false
hits=1, user_data=0xf76cec, cs_id=0xd7f77958, reverse, flags=0x0, protocol=0
src ip=67.79.40.14, mask=255.255.255.255, port=0
dst ip=209.194.208.101, mask=255.255.255.255, port=0, dscp=0x0

------ Default encrypt rule for public to public
out id=0xd852a0d8, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x0, cs_id=0xd7f77958, reverse, flags=0x0, protocol=0
src ip=67.79.40.14, mask=255.255.255.255, port=0
dst ip=209.194.208.101, mask=255.255.255.255, port=0, dscp=0x0

------ Encrypt rule for NEM to any
out id=0xd85bfaf8, priority=70, domain=encrypt, deny=false
hits=1556, user_data=0xfb9524, cs_id=0xd7f77958, reverse, flags=0x0, protocol=0
src ip=172.23.119.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

------ Default encrypt rule for NEM to any
out id=0xd8598868, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xd7f77958, reverse, flags=0x0, protocol=0
src ip=172.23.119.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

------ Deny encrypt rule for DHCP
out id=0xd7fd0958, priority=70, domain=encrypt, deny=true
hits=0, user_data=0x0, cs_id=0xd7f77958, reverse, flags=0x0, protocol=17
src ip=67.79.40.14, mask=255.255.255.255, port=68
dst ip=0.0.0.0, mask=0.0.0.0, port=67, dscp=0x0

------ Encrypt rule for Public to any
out id=0xd859dff8, priority=70, domain=encrypt, deny=false
hits=26, user_data=0xffc41c, cs_id=0xd7f77958, reverse, flags=0x0, protocol=0
src ip=67.79.40.14, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

------ Default encrypt rule for Public to any
out id=0xd852ab58, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xd7f77958, reverse, flags=0x0, protocol=0
src ip=67.79.40.14, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Interface inside:
in id=0xd837e2c0, priority=12, domain=aaa-user, deny=false
hits=66768, user_data=0xd613c360, cs_id=0x0, flags=0x0, protocol=0
src ip=172.23.119.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
in id=0xd837e468, priority=12, domain=aaa-user, deny=true
hits=0, user_data=0xd613c310, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Interface _internal_loopback:

Interface identity:

Last clearing of hits counters: Never
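Added example, not part of the article or of any Cisco tool: a small Python parser for the output above, plus the two checks a troubleshooter usually wants from it, which SPI a decrypt rule belongs to and which ipsec-tunnel-flow rule a decrypted inner packet would hit. The SPI-to-port relation is read off the article's own three SPI annotations (each 'port' value is one byte-swapped 16-bit half of the SPI), not documented behaviour; the ordering (higher numeric priority wins, as the priority-69 tunnel-flow rules sitting above the priority-12 default deny show), the wildcard meaning of protocol=0 and port=0, and the sample packets are assumptions.

```python
import ipaddress
import re
# Excerpt of the article's own output: a decrypt rule, the 'any to NEM' tunnel-flow rule, the default deny.
SAMPLE = """Interface outside:
in id=0xd8525478, priority=70, domain=decrypt, deny=false
hits=76, user_data=0xfcff84, cs_id=0x0, reverse, flags=0x0, protocol=50
src ip=209.194.208.101, mask=255.255.255.255, port=8464
dst ip=67.79.40.14, mask=255.255.255.255, port=24869, dscp=0x0
in id=0xd85253e0, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=1550, user_data=0xfcff84, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=172.23.119.0, mask=255.255.255.0, port=0, dscp=0x0
in id=0xd8392a10, priority=12, domain=ipsec-tunnel-flow, deny=true
hits=4, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
"""

def parse(text):
    """Turn the CLI output into rule dicts; an 'Interface X:' header tags every rule listed under it."""
    rules, iface, cur = [], None, None
    for line in map(str.strip, text.splitlines()):
        f = dict(re.findall(r"(\w+)=([^,\s]+)", line))  # the bare 'reverse' flag has no value and drops out
        if line.startswith("Interface "):
            iface = line[10:].rstrip(":")
        elif line.startswith(("in id=", "out id=")):
            cur = {"interface": iface, "direction": line.split()[0], "id": f["id"],
                   "priority": int(f["priority"]), "domain": f["domain"], "deny": f["deny"] == "true"}
            rules.append(cur)
        elif line.startswith("hits="):
            cur.update(hits=int(f["hits"]), protocol=int(f["protocol"]))
        elif line.startswith(("src ip=", "dst ip=")):  # IPv6 rows print 'ip=::/0' with no mask field
            cur[line[:3]] = ipaddress.ip_network(f["ip"] if "/" in f["ip"] else (f["ip"], f["mask"]), strict=False)
            cur[line[:3] + "port"] = int(f["port"])
    return rules

def spi_of(decrypt_rule):
    """Decrypt rows print no SPI field; in the article's output the src/dst 'port' values are the
    SPI's two 16-bit halves, each byte-swapped (SPI 0x10212561 -> port=8464, port=24869)."""
    swap = lambda p: ((p & 0xFF) << 8) | (p >> 8)
    return (swap(decrypt_rule["srcport"]) << 16) | swap(decrypt_rule["dstport"])

def lookup(rules, interface, direction, domain, proto, src, sport, dst, dport):
    """Rule a packet hits within one domain: highest numeric priority wins (the priority-69 tunnel-flow
    rules sit above the priority-12 default deny), first listed on ties; protocol=0 and port=0 are wildcards."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    cands = [r for r in rules if (r["interface"], r["direction"], r["domain"]) == (interface, direction, domain)
             and r["protocol"] in (0, proto) and r["srcport"] in (0, sport) and r["dstport"] in (0, dport)
             and s in r["src"] and d in r["dst"]]
    return max(cands, key=lambda r: r["priority"], default=None)
```

A decrypted packet that lands on the priority-12 deny rule (hits=4 in the listing above) is traffic that arrived through the tunnel but matched none of the negotiated selectors, which is the first thing to check when a site-to-site tunnel is up yet some traffic is silently dropped.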
