Common ASA command


Common Cisco ASA Firewall Configuration Commands

Setting up a Trunk Between a Cisco ASA and a Cisco 3560 Switch

ASA Configuration
To configure the ASA side of the trunk you need to:
  1. Select the interface you will be using: interface ethernet0/2
  2. Then create a subinterface for each VLAN you intend to use: interface ethernet0/2.2
  3. Configure the IP address on each subinterface: ip address 192.168.64.1 255.255.255.0
  4. Add a description (not necessary): description DMZ Interface
  5. Configure the nameif: nameif DMZ
  6. Configure the security level: security-level 50
  7. Configure the VLAN ID: vlan 25
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.2
description DMZ Interface
vlan 25
nameif DMZ
security-level 50
ip address 192.168.64.1 255.255.255.0
!
Switch Configuration
To configure the switch side of the trunk you need to:
  1. Select the interface you will be using: interface fastethernet 0/1
  2. Set the trunk encapsulation: switchport trunk encapsulation dot1q
  3. Set the port to trunk mode: switchport mode trunk
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
For an expanded look at VLAN Trunking or 802.1Q Trunking on the ASA, see the article Cisco ASA 5510 VLAN, VLAN Trunking or 802.1Q Trunking Expanded

Setting Up Windows Multicast Network Load Balancing (NLB) with Cisco ASA

ASA Configuration
When using multicast Windows NLB, you need to set up a static ARP entry on the ASA. For more information on why this is required, please see my previous post Windows Network Load Balancing (NLB). To do this use the global configuration mode command arp:
  • arp DMZ 192.168.64.50 03ii.aaa8.122e alias
Replace the MAC address (03ii.aaa8.122e) with the NLB cluster MAC address.

Setting Up Static NAT For Public Servers, Setting Up PAT for LAN Internet Access

To configure Port Address Translation (PAT) to allow your internal LAN to access the Internet, you need to:
  1. Use the nat command to specify the internal IP addresses you want translated: nat (INSIDE) 1 192.168.60.0 255.255.255.0
  2. Set up a corresponding global command with the address you want to translate to: global (OUTSIDE) 1 66.123.45.91
To configure Static Network Address Translation for 1-to-1 mappings for hosts like web servers, you need to use the static command.
Syntax for static NAT command – static (real_interface,mapped_interface) mapped_ip real_ip netmask mask
  • static (INSIDE,OUTSIDE) 210.193.162.197 192.168.10.2 netmask 255.255.255.255
  • static (DMZ,OUTSIDE) 66.123.45.95 192.168.64.45 netmask 255.255.255.255
Commands to view NAT details:
  • show local-host – will display both tcp and udp flows active on the firewall for all or a certain number of hosts.

Configure Logging on the ASA

To configure buffered logging and syslog logging:
  • Enable logging: logging enable
  • Timestamp logs: logging timestamp
  • Enable buffered logging: logging buffered errors (by default the ASA allocates 4096 bytes of memory for the buffer; this can be changed with the command logging buffer-size xxxx)
  • To automatically save the buffered logs to flash memory:
    • Enable saving to flash: logging flash-bufferwrap
    • Set the minimum free space the ASA must reserve so that other admin tasks can still be performed: logging flash-minimum-free 4000
    • Set the maximum space the ASA can use to store buffered logs: logging flash-maximum-allocation 2000
  • Enable logging to a Syslog server:
    • Enable logging to a UDP Syslog server: logging host inside 192.168.10.3 format emblem
    • Enable logging to a TCP Syslog server: logging host inside 192.168.10.3 TCP/port
    • Enable Syslog logging and set its level: logging trap debugging
    • For TCP-based syslog servers, the security appliance drops new connections if the session to the syslog server cannot be established. This default behavior can be changed using the logging permit-hostdown command.
  • You can limit the rate at which log messages are generated using logging rate-limit 1 1 level x, where x is the logging level and 1 1 means 1 log message per 1 second (in that order).
To view buffered logs, show logging
To view the logs saved to flash, dir flash:/syslog
Splunk is a handy tool for analysing the Syslog output – http://www.splunk.com
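An added example (not from the post) of what to do with the syslog output once it reaches a collector: it parses the standard %ASA-severity-id header of each line and decodes message 106100, which access-list entries carrying the log keyword (see the access list section) generate, so denies can be summarised per source and destination port. The log lines are constructed samples, and the hostname, times and hash values in them are made up.

```python
import re
from collections import Counter

HEADER_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")
# Body of message 106100, which an ACE carrying the "log" keyword generates.
ACL_HIT_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<verdict>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/ ]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/ ]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)")

# Constructed sample of what a syslog host receives (hostname, times and hashes made up).
SAMPLE_LOG = """\
Jan 10 2012 10:15:01 ASAFW : %ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.7(51234) -> inside/192.168.80.4(23) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Jan 10 2012 10:15:02 ASAFW : %ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.9(40001) -> inside/192.168.80.4(80) hit-cnt 1 first hit [0x1a2b3c4e, 0x0]
Jan 10 2012 10:15:03 ASAFW : %ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.7(51235) -> inside/192.168.80.4(22) hit-cnt 1 first hit [0x1a2b3c4f, 0x0]
Jan 10 2012 10:20:03 ASAFW : %ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.7(51235) -> inside/192.168.80.4(22) hit-cnt 4 300-second interval [0x1a2b3c4f, 0x0]
Jan 10 2012 10:15:04 ASAFW : %ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.9/40001 (198.51.100.9/40001) to inside:192.168.80.4/80 (192.168.80.4/80)
"""

def parse_line(line):
    """Split one ASA syslog line into severity, message id and text; decode 106100 fields."""
    m = HEADER_RE.search(line)
    if not m:
        return None  # not an ASA message (e.g. a line from another device)
    rec = {"severity": int(m["sev"]), "msg_id": m["id"], "text": m["text"]}
    if rec["msg_id"] == "106100":
        hit = ACL_HIT_RE.match(rec["text"])
        if hit:
            rec.update(hit.groupdict())
    return rec

def summarise_denies(log_text):
    """Sum 106100 deny hit counts per (source address, destination port)."""
    denies = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("verdict") == "denied":
            denies[(rec["src"], int(rec["dport"]))] += int(rec["hits"])
    return denies
```

After the first hit on an ACE the ASA reports subsequent hits as a count per interval, so the sums here are totals across those reports.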

Disable ICMP on the Outside Interface

Disable ICMP on the outside interface using the global configuration command, icmp deny any OUTSIDE


Configuring Routes

To configure a default gateway, route outside 0.0.0.0 0.0.0.0 gatewayIP metric
To configure routes for internal destination networks, route inside 192.168.10.0 255.255.255.0 gatewayIP metric


Configure Interface Duplex

Configure each interface's duplex with the interface subcommand duplex full, duplex half or duplex auto.


Configure Access Lists

Access lists are configured similarly to those on a Cisco router. You create an extended access list with commands similar to the ones below (the text in parentheses is not part of the command):
  • access-list outside_in extended remark Allow port 80 to WebServer A (used to create comments in the access list)
  • access-list outside_in extended permit tcp any host 192.168.80.4 eq 80 (allows traffic destined for 192.168.80.4 on port 80 through the firewall)
  • access-list outside_in extended permit tcp any object-group WebServerSubnet eq 80 (you can use an object-group to group multiple hosts or networks for which you need to allow the same ports; see below)
  • access-list outside_in extended deny ip any any log (block all other traffic and log it)
To create an object-group for use in your access lists, from global configuration mode:
  1. object-group network WebServerSubnet
  2. network-object 192.168.76.0 255.255.255.0
Access lists are applied to an interface using, access-group outside_in in interface outside where in is the direction of the traffic flow.
Commands:
  • show access-list – show the access list, and also the hit count per entry.
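An added example (not from the post) that replays the outside_in access list above in Python: it expands the WebServerSubnet object-group and returns the first matching entry for a given flow, plus whether that hit would be logged, which is what the access-list phase of packet-tracer tells you for a single packet. The flows tested are constructed.

```python
import ipaddress
import re
# Object-group and access list from the post, in configuration order.
OBJECT_GROUPS = {"WebServerSubnet": [ipaddress.ip_network("192.168.76.0/24")]}
ACL_LINES = """\
access-list outside_in extended remark Allow port 80 to WebServer A
access-list outside_in extended permit tcp any host 192.168.80.4 eq 80
access-list outside_in extended permit tcp any object-group WebServerSubnet eq 80
access-list outside_in extended deny ip any any log
""".splitlines()

ACE_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|object-group \S+|\S+ \S+) "
    r"(?P<dst>any|host \S+|object-group \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?(?P<log> log)?$")

def _addr_matches(spec, ip):
    """Does an address spec (any / host X / object-group G / network mask) cover ip?"""
    if spec == "any":
        return True
    kind, value = spec.split()
    if kind == "host":
        return ip == ipaddress.ip_address(value)
    if kind == "object-group":
        return any(ip in net for net in OBJECT_GROUPS[value])
    return ip in ipaddress.ip_network(f"{kind}/{value}", strict=False)

def parse_acl(lines):
    """Parse ACE lines into dicts; remarks are comments, anything else unparsed is an error."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(m.groupdict())
        elif " remark " not in line:
            raise ValueError(f"unrecognised ACE: {line}")
    return aces

def evaluate(aces, proto, src_ip, dst_ip, dst_port):
    """First-match lookup: returns (action, ace index, logged) for one flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, ace in enumerate(aces):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_addr_matches(ace["src"], src) and _addr_matches(ace["dst"], dst)):
            continue
        if ace["port"] is not None and ace["port"] != str(dst_port):
            continue
        return ace["action"], i, ace["log"] is not None
    return "deny", None, False  # nothing matched: the implicit deny at the end of every ACL
```

Note that the implicit deny is silent; only the explicit deny ip any any log entry at the end of the list gives you a 106100 message to work with.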

Enable Remote Management Using SSH

To enable remote management of the ASA using SSH:
  1. Set the domain-name: domain-name blah.blah
  2. Generate the RSA keys used to secure the session: crypto key generate rsa
  3. Permit SSH on an interface from a network: ssh 192.168.2.0 255.255.255.0 management, or from a specific host: ssh 192.168.19.74 255.255.255.255 inside
  4. Restrict the SSH version: ssh version 2

Add Users

Add users to the ASA from global configuration mode using the following command syntax:
username name {nopassword | password password [mschap]} [privilege priv_level]
username bob password cisco1234 privilege 15

Configuring SNMP

To configure SNMP (Simple Network Management Protocol) on the ASA you need to:
  1. Configure a global community string.
  2. Configure an SNMP server, and set the SNMP version.
  3. Configure SNMP traps (disabled by default). The example below sets up traps for syslog messages and linkup/linkdown messages.
  4. Modify the UDP ports. (The default port for sending traps is UDP 162; the default port for receiving SNMP polls is UDP 161.)
  5. Restrict traps and polls. The example below limits the host to polls only.
  6. Set device information.
ASAFW#configure terminal
ASAFW(config)#snmp-server community NetworkfooSNMP
ASAFW(config)#snmp-server host inside 192.168.77.12 community NetworkfooSNMP1 version 2c
ASAFW(config)#snmp-server enable traps snmp linkup linkdown
ASAFW(config)#logging history debugging
ASAFW(config)#snmp-server enable traps syslog
ASAFW(config)#snmp-server host inside 192.168.77.12 udp-port 182
ASAFW(config)#snmp-server listen-port 181
ASAFW(config)#snmp-server host inside 192.168.77.12 poll
ASAFW(config)#snmp-server location Australia
ASAFW(config)#snmp-server contact Networkfoo Admin

Other Commands

  • Use packet-tracer to simulate traffic flow through the ASA and see how it will process certain types of packets. Example: packet-tracer input outside tcp 66.55.44.33 1459 201.6.44.3 80 detailed
  • Use packet capture to verify whether packets are being transmitted and received by the ASA. Example capturing an internal host telnetting to an external server:
    • access-list telnet-acl extended permit tcp host 192.168.5.3 host 203.55.44.22 eq telnet
    • access-list telnet-acl extended permit tcp host 203.55.44.22 eq telnet host 192.168.5.3
    • capture telnet-cap access-list telnet-acl interface inside
