There are a couple of ways to download packet captures for offline analysis. One way is to use the following URL:
https://<ip_of_asa>/admin/capture/<capture_name>/pcap
C:\>certreq -submit -attrib "CertificateTemplate:TemplateName" CertSignRequest.csr
Active Directory Enrollment Policy
..//..
Certificate retrieved(Issued) Issued
The following output shows the available options for the certreq command (for reference).
C:\>certreq.exe -?
Usage:
CertReq -?
CertReq [-v] -?
CertReq [-Command] -?
CertReq [-Submit] [Options] [RequestFileIn [CertFileOut [CertChainFileOut [FullResponseFileOut]]]]
Submit a request to a Certification Authority.
Options:
-attrib AttributeString
-binary
-PolicyServer PolicyServer
-config ConfigString
-Anonymous
-Kerberos
-ClientCertificate ClientCertId
-UserName UserName
-p Password
-crl
-rpc
-AdminForceMachine
-RenewOnBehalfOf
CertReq -Retrieve [Options] RequestId [CertFileOut [CertChainFileOut [FullResponseFileOut]]]
Retrieve a response to a previous request from a Certification Authority.
Options:
-binary
-PolicyServer PolicyServer
-config ConfigString
-Anonymous
-Kerberos
-ClientCertificate ClientCertId
-UserName UserName
-p Password
-crl
-rpc
-AdminForceMachine
CertReq -New [Options] [PolicyFileIn [RequestFileOut]]
Create a new request as directed by PolicyFileIn
Options:
-attrib AttributeString
-binary
-cert CertId
-PolicyServer PolicyServer
-config ConfigString
-Anonymous
-Kerberos
-ClientCertificate ClientCertId
-UserName UserName
-p Password
-user
-machine
-xchg ExchangeCertFile
CertReq -Accept [Options] [CertChainFileIn | FullResponseFileIn | CertFileIn]
Accept and install a response to a previous new request.
Options:
-user
-machine
CertReq -Policy [Options] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]]
Construct a cross certification or qualified subordination request
from an existing CA certificate or from an existing request.
Options:
-attrib AttributeString
-binary
-cert CertId
-PolicyServer PolicyServer
-Anonymous
-Kerberos
-ClientCertificate ClientCertId
-UserName UserName
-p Password
-noEKU
-AlternateSignatureAlgorithm
-HashAlgorithm HashAlgorithm
CertReq -Sign [Options] [RequestFileIn [RequestFileOut]]
Sign a certificate request with an enrollment agent or qualified
subordination signing certificate.
Options:
-binary
-cert CertId
-PolicyServer PolicyServer
-Anonymous
-Kerberos
-ClientCertificate ClientCertId
-UserName UserName
-p Password
-crl
-noEKU
-HashAlgorithm HashAlgorithm
CertReq -Enroll [Options] TemplateName
CertReq -Enroll -cert CertId [Options] Renew [ReuseKeys]
Enroll for or renew a certificate.
Options:
-PolicyServer PolicyServer
-user
-machine
access-list outside_1_cryptomap remark VPN Description
access-list outside_1_cryptomap extended permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.0.0
!
access-list vpnfilter-name extended permit ip any4 any4
!
crypto ikev1 policy xx
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
!
!
group-policy grpol-s2s-xxxx internal
group-policy grpol-s2s-xxxx attributes
vpn-idle-timeout none
vpn-filter value vpnfilter-name
vpn-tunnel-protocol ikev1
!
tunnel-group p.p.p.p type ipsec-l2l
tunnel-group p.p.p.p general-attributes
default-group-policy grpol-s2s-xxxx
tunnel-group p.p.p.p ipsec-attributes
ikev1 pre-shared-key vpn-secret
!
crypto map outside_map n match address outside_1_cryptomap
crypto map outside_map n set pfs group5
crypto map outside_map n set peer p.p.p.p
crypto map outside_map n set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map n set security-association lifetime seconds xxxxx
crypto map outside_map n set nat-t-disable
FGT60D # config system modem
FGT60D (modem) # set status enable
FGT60D (modem) # end
Now a good thing to do is to check whether the modem is detected successfully. To check this, I used the following commands:
FGT60D # diagnose sys modem detect
modem is attached.
dialtone is detected.
FGT60D # diagnose sys modem external-modem
External modem vendor: Huawei
External modem vendor id: 12d1
External modem model : E392/E397/E398/E353/E3276
External modem product id: 1506
config system modem
set status enable
set pin-init "AT+CPIN=****"
set mode redundant
set interface "wan1"
set phone1 "*99#"
set extra-init1 "at+cgdcont=1,\"ip\",\"portalmmm.nl\""
end
You need to enter the correct APN for portalmmm.nl. If everything goes well, you can check the 4G connection with the following commands.
FGT60D # diagnose sys modem query
USB status: Connected
manufacturer: Huawei Technologies Co., Ltd.
model: E398
IMEI number: ******
SIM state: Valid
service status: Valid Service
signal level: 4/4
network name: KPN
network type: UTRAN
location area code:
active profile(AT&V):
<<output omitted>>
Now all should work! You can check if the modem interface comes UP and gets its Connected state:
$ openssl genrsa -des3 -out private.key 2048
$ openssl req -sha256 -new -key private.key -out cert.csr
$ openssl pkcs12 -export -inkey private.key -in signed-csr.cer -out cert.p12
Check the CSR:
$ openssl req -text -noout -in csr.req
Generate a self-signed certificate with a lifetime of 1 year:
$ openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout my_key.pem -out my_cert.pem
When you want to make a PFX file that includes the whole trusted CA chain, you can do this as follows:
$ openssl pkcs12 -export -out incl_chain.pfx -in certificate.pem -certfile trusted_chain.pem
In this example, the private key is included in certificate.pem.
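An added example, not from the original post: it runs the chain-inclusive PFX export end to end against a throwaway CA, checks that the private key belongs to the certificate before packaging, and reads the PFX back to confirm the CA certificate is really inside. The CA name, host name, password and the function name are constructed placeholders.

```shell
#!/bin/sh
# Added example: CA, host name and password are constructed placeholders;
# file names follow the commands on this page.
PFX_PASS="example-only"   # constructed value, not a real secret

# Build a throwaway CA and leaf, package them as on the page, and print
# how many CA and leaf certificates ended up inside the PFX.
pfx_with_chain_report() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        # Throwaway self-signed CA standing in for trusted_chain.pem
        openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 1 \
            -subj "/CN=Example Test CA" \
            -keyout ca.key -out trusted_chain.pem 2>/dev/null || exit 1
        # Leaf key and CSR (2048-bit, as in the genrsa command), then sign it
        openssl req -new -nodes -newkey rsa:2048 -sha256 \
            -subj "/CN=host.example.test" \
            -keyout private.key -out cert.csr 2>/dev/null || exit 1
        openssl x509 -req -in cert.csr -CA trusted_chain.pem -CAkey ca.key \
            -CAcreateserial -sha256 -days 1 -out signed.pem 2>/dev/null || exit 1
        # Refuse to package if the private key does not belong to the cert
        cert_pub=$(openssl x509 -noout -pubkey -in signed.pem) || exit 1
        key_pub=$(openssl pkey -pubout -in private.key) || exit 1
        [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; exit 1; }
        # As on the page: certificate.pem holds the certificate and its key
        cat signed.pem private.key > certificate.pem
        openssl pkcs12 -export -out incl_chain.pfx -in certificate.pem \
            -certfile trusted_chain.pem -passout "pass:$PFX_PASS" || exit 1
        # Read the PFX back and count what it carries
        ca=$(openssl pkcs12 -in incl_chain.pfx -passin "pass:$PFX_PASS" \
            -nokeys -cacerts 2>/dev/null | grep -c "BEGIN CERTIFICATE")
        leaf=$(openssl pkcs12 -in incl_chain.pfx -passin "pass:$PFX_PASS" \
            -nokeys -clcerts 2>/dev/null | grep -c "BEGIN CERTIFICATE")
        echo "ca_certs=$ca leaf_certs=$leaf"
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

pfx_with_chain_report
```

A PFX exported without -certfile would report ca_certs=0, which is the usual cause of "incomplete chain" errors after import.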