Replacements for deprecated Linux network tools

Just realized Linux has deprecated a lot of the old familiar network tools, such as netstat, arp, etc. Luckily someone on the Internet has already made a cheat sheet of the replacements.

The link is here! Kudos to the original writer!


How to download CiscoLive! recording

I like to watch CiscoLive! recordings for training and studying. But I do not always have Internet access when I am free… Plus there are times I simply want to play the recording at 1.2x or 1.3x speed to save some time…

I found it is actually quite easy to download the recording. I use Firefox, but it should be similar in Chrome as well.


  1. Load the video in the browser
  2. Press “Ctrl+Shift+C” to open the Web inspector on Windows. I do not have a Mac at the moment to find the shortcut key.
  3. Click on the video player inside the browser
  4. The source link of the video should show in the inspector window
  5. Double click the source link to copy it
  6. Paste the link into a new browser tab
  7. Once the page has loaded, right click on the video and choose “Save Video As…”

USB-Serial adaptor on Mac OS X

I have a USB-Serial adaptor (Prolific PL2303 chip) and an MBP running Mac OS 10.11.4 for connecting to the console of switches, routers and firewalls via screen. Since somewhere between Mac OS 10.11.2 and 10.11.3 the setup has been broken: screen hangs if I exit the screen session and then try to reconnect to the device via the USB-Serial adaptor. I did upgrade to the latest firmware from the Prolific page for Mac, but it did not help… So I started posting for help on Internet forums…

janm on Stack Exchange really helped. Here is the workaround: use cu instead of screen on Mac for the task. The catch is that by default cu needs to be run with sudo. So, either:

  1. Type in the password every time you try to connect to the console, or
  2. Use one of the following to get rid of the password prompts:

OPTION 1: Create a cu configuration file such as “/Users/test/cu.conf” with the content below, and also create the lock folder it names. Run the cu command as “cu -I /Users/test/cu.conf -l /dev/cu.usbserial -s 9600 --nostop”

lockdir /Users/test/cu_lockdir

OPTION 2 (HIGHLY NOT recommended): Run “sudo visudo”, uncomment the line below, then save and exit.


BTW, I also opened a bug report with Apple and provided the necessary debug output but have not heard back yet… I think the screen build shipped with Mac OS X changed how it handles port open/close.

IPSec tunnel with Policy-Based NAT on Fortigate

First, here is the high-level diagram


The requirements are:

1. Establish an IPsec VPN tunnel between the Fortigate and a Cisco ASA

2. Translate the source IP address to when connecting to via the IPsec tunnel.

3. Do not translate when connecting to via the IPsec tunnel.

On the ASA end, this is just a standard IPsec tunnel setup; even if the Fortigate were replaced with an ASA, the configuration would be fairly straightforward. With the Fortigate it is a little tricky, at least at the very beginning, because my FortiOS 5.2 has no GUI configuration option to create such a tunnel. So I had to start from the CLI.

Here below is the configuration put onto the Fortigate (shown with the next/end statements each FortiOS config section needs).

config firewall address
    edit "LocalSubnet-RealIP-1"
        set associated-interface "LAN"
        set subnet
    next
    edit "LocalSubnet-RealIP-2"
        set associated-interface "LAN"
        set subnet
    next
    edit "RemoteSubnet"
        set subnet
    next
end

config vpn ipsec phase1
    edit "Tunnel4Test"
        set interface "WAN"
        set nattraversal disable
        set proposal aes128-sha1 3des-sha1
        set dhgrp 5 2
        set remote-gw
        set psksecret ENC YHbmejTH3Doryywk/KkQZ+qWXBEOP1RScs+ewjBmhzXcTguEdmuKsW8g==
    next
end

config vpn ipsec phase2
    edit "Tunnel4TestP2"
        set phase1name "Tunnel4Test"
        set use-natip disable
        set proposal aes128-sha1
        set pfs disable
        set keepalive enable
        set auto-negotiate enable
        set src-addr-type ip
        set dst-addr-type ip
        set src-subnet
        set dst-subnet
    next
end

config firewall policy
    edit 1
        set srcintf "LAN"
        set dstintf "WAN"
        set srcaddr "LocalSubnet-RealIP-1"
        set dstaddr "RemoteSubnet"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set natip
        set av-profile "Default"
        set webfilter-profile "Default"
        set ips-sensor "Default"
        set application-list "Default"
        set profile-protocol-options "default"
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel "Tunnel4Test"
    next
    edit 2
        set srcintf "LAN"
        set dstintf "WAN"
        set srcaddr "LocalSubnet-RealIP-2"
        set dstaddr "RemoteSubnet"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set natip
        set av-profile "Default"
        set webfilter-profile "Default"
        set ips-sensor "Default"
        set application-list "Default"
        set profile-protocol-options "default"
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel "Tunnel4Test"
    next
end

Once the initial configuration is done on the Fortigate, you can then modify the settings from the GUI.

Did I configure the QoS Policy Wrong!!??

“The short answer is maybe”. This was what I gave to one of the customers when he asked me.

The story was that he has Cisco 2960-S switches and configured policy-maps to prioritize the voice traffic. But when he ran “show policy-map interface” on any of his switches, he got no matches…

There is indeed a known bug for the 2960 switch, but somehow Cisco only identifies it for IOS 12 while my customer is using IOS 15… Being lazy??…

Anyhow, “show mls qos interface statistics” does show the matches.

Traffic Capture on IOS router

Ever run into a scenario where you need to capture traffic on a production network, but you cannot do SPAN or put a capture device inline without briefly bringing the network down? The answer is to capture on the IOS router directly.

First, create a monitor buffer on the router:

Router# monitor capture buffer MYCAPBUFFER Circular

Then create a capture point on the router:

Router# monitor capture point ip cef MYCAP serial 1/0 both

Then, associate the buffer and the capture point:

Router# monitor capture point associate MYCAP MYCAPBUFFER

Now, turn on the capture point:

Router# monitor capture point start MYCAP

The following message should show up on the router console:

*May 2 16:25:46.727: %BUFCAP-6-ENABLE: Capture Point MYCAP enabled.

Then generate some traffic on the network, or simply use ping.

Once you think enough traffic has been generated and captured, stop the capture:

Router# monitor capture point stop MYCAP

You can view the status of the capture; it should show “inactive”:

Router# show monitor capture buffer all parameters

You can also view the traffic dump on the router, but it does not make much sense to me…

Router# show monitor capture buffer MYCAPBUFFER dump

Router# show monitor capture buffer MYCAPBUFFER

I prefer to export the dump/capture into a proper capture file for further analysis:

Router# monitor capture buffer MYCAPBUFFER export ?
  bootflash:  Location to dump buffer
  disk0:      Location to dump buffer
  disk1:      Location to dump buffer
  flash:      Location to dump buffer
  ftp:        Location to dump buffer
  http:       Location to dump buffer
  https:      Location to dump buffer
  pram:       Location to dump buffer
  rcp:        Location to dump buffer
  scp:        Location to dump buffer
  slot0:      Location to dump buffer
  slot1:      Location to dump buffer
  tftp:       Location to dump buffer

Remote Access vCloud Director VM Console

Not sure whether VMware did not write the documentation properly OR I did not read it properly. It took me over two days to figure out how to set up vCloud Director to provide VM console access to authorized users on the Internet. The high-level diagram is attached below. This might not be the best setup, but it works and makes sense to me.
The configuration on the firewall (I use an ASA):
  1. Configure static NAT for to so that users on the Internet can reach the vCloud Director portal login
  2. Configure identity NAT between the External and LAN interfaces: for any traffic that arrives on the External interface of the firewall and is destined for, the firewall will translate the source address to and the destination address to
The configuration on vCloud Director (I use CentOS with 2 NICs and default gateway ):
  1. Set the external proxy IP to in the vCloud Director management portal
  2. Add a static route in CentOS: send traffic to if the destination address is

Recovering the Cisco router/switch login password

There might be tons of posts on the same topic on the Inter-Web, especially on Cisco's website, but I still decided to post it, at least so I can archive it in case I lose my computer or notebook…

Cisco Router/Switch Password Recovery:

1. Send a break during the device boot sequence: mostly “Ctrl + Break” will work. I use PuTTY 99% of the time, and in PuTTY the special command “break” is reached by clicking the left mouse button on the icon in the top left corner of PuTTY's terminal window.

2. Set configure register: rommon 1> confreg 0x2142

3. Reset the device: rommon 2> reset

4. Type no after each setup question, or press Ctrl-C, to skip the initial setup procedure.

5. Type configure memory OR copy start run to load the saved configuration into the running config.

6. Change the password(s) once the device has booted up completely

7. Restore the config register: hostname(config)#config-register 0x2102 <– REMEMBER TO DO IT

8. Type write memory or copy running-config startup-config to commit the changes.

9. Reload the device.

NOTE: all interfaces are shut down after password recovery, so a manual “no shut” is needed on each interface.

For recovering the password on a Cisco ASA, check here.

See also: Cisco Reference
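Step 7 is the one people forget, and a box left at 0x2142 will silently boot with an empty configuration on its next reload. The script below is an added example (not part of the original post) that decodes the configuration register bits involved and audits the trailing “Configuration register is …” line of “show version”; the sample output lines are constructed for the example.

```python
import re

# Flag bits of the 16-bit IOS configuration register (per Cisco's documented layout).
BOOT_FIELD = 0x000F          # bits 0-3: where to boot from
IGNORE_NVRAM = 0x0040        # bit 6: boot without loading startup-config (0x2142 sets this)
BREAK_DISABLED = 0x0100      # bit 8: ignore Break after boot (set in the normal 0x2102)
DIAG_IGNORE_NVRAM = 0x8000   # bit 15: diagnostic mode, also ignores NVRAM


def decode_confreg(value: int) -> dict:
    """Explain the boot field and the flags that matter for password recovery."""
    boot = value & BOOT_FIELD
    if boot == 0x0:
        boot_desc = "ROM monitor (rommon)"
    elif boot == 0x1:
        boot_desc = "boot helper image from ROM"
    else:
        boot_desc = "boot per 'boot system' commands / first image in flash"
    return {
        "value": value,
        "boot": boot_desc,
        "ignore_nvram": bool(value & (IGNORE_NVRAM | DIAG_IGNORE_NVRAM)),
        "break_disabled": bool(value & BREAK_DISABLED),
    }


# 'show version' ends with this line; IOS appends the "(will be ...)" part when a
# config-register change is pending until the next reload.
_REG_RE = re.compile(
    r"Configuration register is 0x([0-9A-Fa-f]{1,4})"
    r"(?: \(will be 0x([0-9A-Fa-f]{1,4}) at next reload\))?")


def pending_register(show_version_text: str) -> int:
    """Return the register value the device will use at its next reload."""
    m = _REG_RE.search(show_version_text)
    if not m:
        raise ValueError("no 'Configuration register is' line found")
    return int(m.group(2) or m.group(1), 16)


def recovery_left_open(show_version_text: str) -> bool:
    """True if the device would still skip startup-config at next reload (step 7 forgotten)."""
    return decode_confreg(pending_register(show_version_text))["ignore_nvram"]


# Constructed samples of the last line of 'show version'.
SAMPLE_FIXED = "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"
SAMPLE_FORGOTTEN = "Configuration register is 0x2142\n"
```

Run it against the real “show version” text of each device after a recovery to confirm recovery_left_open() returns False.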