====== Cisco ASA Tips & Hacks ======

===== Display Pre-Shared Keys in ASA Running Configuration =====

Simple tip to see pre-shared VPN keys, which ''show running-config'' masks as ''*****'':

<code>
CiscoASA# more system:running-config
</code>

===== ASA Site-to-site VPN =====

It doesn't matter how many times I've done this, I always forget one piece. Here's a template for the future:

Assume local subnet 192.168.15.0/24, remote subnet 192.168.16.0/24, remote public IP 11.11.11.11.

<code>
! Phase 1 (IKEv1) on the outside interface
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800
! Interesting traffic: local subnet to remote subnet
access-list REMOTE_SITE extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
! Phase 2: transform set and crypto map
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 11.11.11.11
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP interface outside
! NAT exemption for the tunnelled traffic (pre-8.3 syntax)
nat (inside) 0 access-list REMOTE_SITE
! Peer definition and pre-shared key
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
 pre-shared-key ***
</code>

===== Masking the Server in an HTTP header using Cisco ASA =====

//ref: http://www.globalconfig.net/2009/07/09/masking-the-server-in-an-http-header-using-cisco-asa//

It's actually accomplished by a very simple MPF configuration, as seen below:

<code>
access-list HTTP permit tcp any any eq www
class-map HTTP
 match access-list HTTP
policy-map type inspect http HTTP_SPOOF
 parameters
  spoof-server "Apache/2/2/0 (Unix)"
policy-map HTTP
 class HTTP
  inspect http HTTP_SPOOF
service-policy HTTP interface outside
</code>
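The site-to-site template above is the kind of thing where one forgotten line (the NAT exemption, the tunnel-group, a peer that never got a pre-shared key) leaves the tunnel down. The following is an added example, not from the original page, that lints such a template for those cross-references before it is pasted into the box. The checks are this example's own choice; the sample config is the page's template embedded here so the script runs offline, and the NAT-exemption check assumes the pre-8.3 ''nat (iface) 0 access-list'' syntax the template uses.

```python
"""Added example (not from the original page): lint an ASA site-to-site
IPsec template for the cross-references that are easy to forget.
SAMPLE_CONFIG is the page's own template, embedded here so this runs offline."""
from collections import defaultdict

SAMPLE_CONFIG = """\
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800
access-list REMOTE_SITE extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 11.11.11.11
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP interface outside
nat (inside) 0 access-list REMOTE_SITE
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
 pre-shared-key ***
"""

# 768-bit (group 1) and 1024-bit (group 2) MODP are no longer considered adequate.
WEAK_DH_GROUPS = {"1", "2"}

def parse_blocks(config):
    """Group indented sub-commands under their parent command, as ASA prints them."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                               # blank line or comment
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_asa_vpn(config):
    """Return a list of findings; an empty list means the template looks complete."""
    acls, transform_sets, isakmp_ifaces, nat_exempt = set(), set(), set(), set()
    map_ifaces = {}                   # crypto map name -> interface it is applied to
    entries = defaultdict(dict)       # (map name, seq) -> settings of that entry
    tg_types, tg_psk = {}, {}         # peer -> tunnel-group type / pre-shared key
    findings = []
    for parent, children in parse_blocks(config):
        w = parent.split()
        if w[0] == "access-list":
            acls.add(w[1])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets.add(w[3])
        elif w[:3] == ["crypto", "isakmp", "enable"]:
            isakmp_ifaces.add(w[3])
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            for cw in (c.split() for c in children):
                if cw[0] == "group" and cw[1] in WEAK_DH_GROUPS:
                    findings.append(f"isakmp policy {w[3]} uses weak DH group {cw[1]}")
        elif w[:2] == ["crypto", "map"]:
            if w[3] == "interface":
                map_ifaces[w[2]] = w[4]
            elif w[4] == "match":
                entries[(w[2], w[3])]["acl"] = w[6]
            elif w[4] == "set":
                entries[(w[2], w[3])][w[5]] = " ".join(w[6:])
        elif w[0] == "nat" and w[2:4] == ["0", "access-list"]:
            nat_exempt.add(w[4])                   # pre-8.3 NAT exemption (assumed)
        elif w[0] == "tunnel-group":
            if w[2] == "type":
                tg_types[w[1]] = w[3]
            elif w[2] == "ipsec-attributes":
                for c in children:
                    if c.startswith("pre-shared-key "):
                        tg_psk[w[1]] = c.split(None, 1)[1]
    for (name, seq), e in entries.items():
        where = f"crypto map {name} {seq}"
        iface = map_ifaces.get(name)
        if iface is None:
            findings.append(f"{where}: crypto map not applied to any interface")
        elif iface not in isakmp_ifaces:
            findings.append(f"{where}: isakmp not enabled on interface {iface}")
        acl = e.get("acl")
        if acl not in acls:
            findings.append(f"{where}: match address refers to undefined ACL {acl}")
        elif acl not in nat_exempt:
            findings.append(f"{where}: no NAT exemption (nat 0 access-list) for {acl}")
        if e.get("transform-set") not in transform_sets:
            findings.append(f"{where}: undefined transform-set {e.get('transform-set')}")
        if e.get("pfs", "").removeprefix("group") in WEAK_DH_GROUPS:
            findings.append(f"{where}: PFS uses weak DH {e['pfs']}")
        peer = e.get("peer")
        if peer is None:
            findings.append(f"{where}: no peer set")
            continue
        if tg_types.get(peer) != "ipsec-l2l":
            findings.append(f"{where}: missing 'tunnel-group {peer} type ipsec-l2l'")
        psk = tg_psk.get(peer)
        if psk is None:
            findings.append(f"{where}: tunnel-group {peer} has no pre-shared-key")
        elif set(psk) <= {"*"}:
            findings.append(f"{where}: pre-shared-key for {peer} is still the '***' placeholder")
    return findings

if __name__ == "__main__":
    for finding in audit_asa_vpn(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the page's template it reports three things: the ''***'' pre-shared-key placeholder is still in place, and both the ISAKMP policy and the PFS setting use DH group 1, which a template written today should replace with a larger group on both the policy and the crypto map entry (the two must still agree with the peer). Delete the ''nat (inside) 0'' or ''tunnel-group ... type ipsec-l2l'' line and the missing piece is named explicitly.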
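The ''spoof-server'' parameter in the HTTP inspection policy above rewrites only the ''Server'' header; any other header the origin adds (''X-Powered-By'' and friends) passes through the ASA unchanged, so it is worth checking what a response still reveals after the policy is applied. The following is an added example, not from the original page or the referenced article: it takes a raw HTTP response and lists what still fingerprints the backend. The two responses are constructed, and the list of headers checked is this example's own choice.

```python
"""Added example (not from the original page): report what an HTTP response
still reveals about the origin after the ASA 'spoof-server' rewrite.
The sample responses are constructed for this example."""

# Response headers that commonly identify the platform behind a web server
# (this example's own selection; extend as needed).
FINGERPRINT_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "via")

def parse_headers(raw):
    """Return {lowercased-name: value} for the header block of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers

def header_leaks(raw, expected_server):
    """List the ways a response still fingerprints the origin server."""
    headers = parse_headers(raw)
    leaks = []
    server = headers.get("server")
    if server != expected_server:
        leaks.append(f"Server header not rewritten: {server!r}")
    for name in FINGERPRINT_HEADERS:
        if name in headers:
            leaks.append(f"{name} still present: {headers[name]!r}")
    return leaks

# Constructed responses from the same origin before and after the spoof-server policy.
BEFORE = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\n"
          b"X-Powered-By: ASP.NET\r\nContent-Length: 0\r\n\r\n")
AFTER = (b"HTTP/1.1 200 OK\r\nServer: Apache/2/2/0 (Unix)\r\n"
         b"X-Powered-By: ASP.NET\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        print(label, header_leaks(resp, "Apache/2/2/0 (Unix)"))
```

Against the constructed responses the "before" case reports two leaks and the "after" case still reports one (''X-Powered-By''), which is the point: the ASA policy is a banner rewrite, and the remaining headers have to be removed on the web server itself.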