Sunday, September 25, 2016

Cisco ASA Tips and Tricks - 5500-X Series Software 9.x Configuration Notes

This post is using Cisco ASA 5515-X with software version 9.1(2) as configuration example. Here are some basic steps I recorded during configuring it.



Related posts in this blog:

1. Check System Version and Module:

ciscoasa(config)# sh ver

Cisco Adaptive Security Appliance Software Version 9.1(2) 
Device Manager Version 7.1(3)

Compiled on Thu 09-May-13 16:20 PDT by builders
System image file is "disk0:/asa912-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 7 days 18 hours

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0024
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is 7426.acc8.e4df, irq 11
 1: Ext: GigabitEthernet0/0  : address is 7426.acc8.e4e3, irq 10
 2: Ext: GigabitEthernet0/1  : address is 7426.acc8.e4e0, irq 10
 3: Ext: GigabitEthernet0/2  : address is 7426.acc8.e4e4, irq 5
 4: Ext: GigabitEthernet0/3  : address is 7426.acc8.e4e1, irq 5
 5: Ext: GigabitEthernet0/4  : address is 7426.acc8.e4e5, irq 10
 6: Ext: GigabitEthernet0/5  : address is 7426.acc8.e4e2, irq 10
 7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
 8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
 9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
10: Ext: Management0/0       : address is 7426.acc8.e4df, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5515 Security Plus license.

Serial Number: FCH100871J
Running Permanent Activation Key: 0xd516745 0x38b8dee 0x2533184 0xc09147c 0x001f093 
Configuration register is 0x1
Configuration last modified by enable_15 at 07:55:47.355 UTC Wed Apr 16 2014

ciscoasa(config)# show module      

Mod  Card Type                                    Model              Serial No. 
---- -------------------------------------------- ------------------ -----------
   0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515            FCH180871J
 ips Unknown                                      N/A                FCH180871J
cxsc Unknown                                      N/A                FCH180871J

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version     
---- --------------------------------- ------------ ------------ ---------------
   0 7426.acc8.e4df to 7426.acc8.e4e6  1.0          2.1(9)8      9.1(2)
 ips 7426.acc8.e4dd to 7426.acc8.e4dd  N/A          N/A          
cxsc 7426.acc8.e4dd to 7426.acc8.e4dd  N/A          N/A          

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips Unknown                        No Image Present Not Applicable
cxsc Unknown                        No Image Present Not Applicable

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable        
 ips Unresponsive       Not Applicable        
cxsc Unresponsive       Not Applicable        

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
 ips IPS Module     Disabled        perpetual     

2. Set up ASDM Access 



interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.94.200.31 255.255.255.0 
 no shutdown

http server enable
http 10.94.200.0 255.255.255.128 management

ssh 10.94.200.0 255.255.255.128 management


Browse to webpage https://10.94.200.31/admin , then install ASDM launcher.

 Note: leave username and password as empty. Click ok.

3. Set up SSH Access on Management Interface


ciscoasa(config)# username admin password admin
ciscoasa(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: 67435a18 4790aaff 7584afa7 d28c43c0 

2837 bytes copied in 0.680 secs
[OK]

ciscoasa(config)# aaa authentication ssh console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
ciscoasa(config)# username test password test

ciscoasa(config)# ssh 10.94.200.0 255.255.255.0 management 



4. Basic Setup and Examples

  • nameif
    • ciscoasa(config)# interface vlan1
      ciscoasa(config-if)# nameif inside
      INFO: Security level for "inside" set to 100 by default.
  • security-level
    • ciscoasa(config-if)# interface vlan3
      ciscoasa(config-if)# nameif dmz
      ciscoasa(config-if)# security-level 50
  • interface or vlan ip address
    • ciscoasa(config-if)# interface vlan 1
      ciscoasa(config-if)# ip address 192.168.106.1
    • ciscoasa(config-if)# interface ethernet 0/1
      ciscoasa(config-if)# switchport access vlan 1
      ciscoasa(config-if)# no shutdown
  • Route
    • ciscoasa(config-if)# route outside 0 0 1.1.1.1
  • Test Configuration with Packet Tracer Feature
    • Simulate a TCP packet coming in the inside interface from ip address 192.168.0.125 on source port 12345 destined to an ip address of 203.0.113.1 on port 80  
      • ciscoasa# packet-tracer input inside tcp 192.168.0.125 12345 203.0.113.1 8
    •   Simulate a TCP packet coming in the outside interface from ip address 192.0.2.123 on source port 12345 destined to an ip address of 198.51.100.101 on port 80
      • ciscoasa# packet-tracer input outside tcp 192.0.2.123 12345 98.51.100.101 80

5. Transparent or Routed Firewall 

Unicast IPv4 and IPv6 traffic is allowed through the transparent firewall automatically from a higher
security interface to a lower security interface, without an ACL.

Broadcast and multicast traffic can be passed using access rules.

The following destination MAC addresses are allowed through the transparent firewall. Any
MAC address not on this list is dropped.
• TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
• IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
• IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
• BPDU multicast address equal to 0100.0CCC.CCCD
• AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

The transparent mode ASA does not pass CDP packets packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. An exception is made for BPDUs and IS-IS, which are supported.

To prevent loops using the Spanning Tree Protocol, BPDUs are passed by default. To block BPDUs, you need to configure an EtherType ACL to deny them. If you are using failover, you might want to block BPDUs to prevent the switch port from going into a blocking state when the topology changes.

When the ASA runs in transparent mode, the outgoing interface of a packet is determined by performing a MAC address lookup instead of a route lookup. Route lookups, however, are necessary for the following traffic types:
• Traffic originating on the ASA
• Traffic that is at least one hop away from the ASA with NAT enabled
Voice over IP (VoIP) and DNS traffic with inspection enabled, and the endpoint is at least one hop
away from the ASA.

By default, all ARP packets are allowed through the ASA. You can control the flow of ARP packets by enabling ARP inspection.

Because the ASA is a firewall, if the destination MAC address of a packet is not in the table, the ASA
does not flood the original packet on all interfaces as a normal bridge does. Instead, it generates the
following packets for directly connected devices or for remote devices:
• Packets for directly connected devices—
• Packets for remote devices—

Transparent Mode Default Settings - The default mode is routed mode.
• By default, all ARP packets are allowed through the ASA.
• If you enable ARP inspection, the default setting is to flood non-matching packets.
• The default timeout value for dynamic MAC address table entries is 5 minutes.
• By default, each interface automatically learns the MAC addresses of entering traffic, and the ASA
adds corresponding entries to the MAC address table.

6. Multiple Context Mode


ciscoasa(config)# mode multiple 
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm] 
Convert the system configuration? [confirm] 
!!
The old running configuration file will be written to flash
Converting the configuration - this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple 

***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode

ciscoasa/admin# show context detail 
Context "admin", has been created
  Config URL: disk0:/admin.cfg
  Interfaces: GigabitEthernet0/0, GigabitEthernet0/5, Management0/0
  IPS Sensors: 
  Class: default, Flags: 0x00000813, ID: 1

ciscoasa/admin# changeto system 
ciscoasa# show context 
Context Name      Class      Interfaces           Mode         URL
*admin            default    GigabitEthernet0/0,  Routed       disk0:/admin.cfg
                             GigabitEthernet0/5, 
                             Management0/0       
 Test             default    GigabitEthernet0/1   Routed       disk0:/sample_context.cfg

Total active Security Contexts: 2

ciscoasa(config-ctx)# show configuration 
: Saved
: Written by enable_15 at 15:23:23.089 EDT Fri May 16 2014
!
ASA Version 9.1(2) <system>
!
hostname ciscoasa
enable password gszFpnIcgTCoPiuN encrypted
no mac-address auto
!
interface GigabitEthernet0/0
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface GigabitEthernet0/3
 shutdown
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/5
!
interface Management0/0
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!

banner login 
banner login '
banner login You have logged in to a secure device.
banner login If you are not authorized to access this
banner login device, log out immediately or risk possible criminal consequences.
banner motd 
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
pager lines 24
no failover
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
console timeout 0

admin-context admin
context admin
  allocate-interface GigabitEthernet0/0 
  allocate-interface GigabitEthernet0/5 
  allocate-interface Management0/0 
  config-url disk0:/admin.cfg
!

context Test
  description This is a context for test customer A
  allocate-interface GigabitEthernet0/1 interface1 
  allocate-interface GigabitEthernet0/2 
  config-url disk0:/sample_context.cfg
!

username test password P4ttSyrm33SV8TYp encrypted

prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:58e3ee4507ba1ced5b2adaa4f1b150f0


ciscoasa/admin(config)# changeto context Test
ciscoasa/Test(config)# show configuration 
: Saved
: Written by enable_15 at 15:30:24.969 EDT Fri May 16 2014
!
ASA Version 9.1(2) <context>
!
hostname Test
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface interface1
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 no nameif
 no security-level
 no ip address
!
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
Cryptochecksum:37989de030631be2f716051eca2f01c1

: end

ciscoasa(config-ctx)#  write memory all 
Building configuration...
Saving context :           system : (000/002 Contexts saved) 
Cryptochecksum: 6469133b e64dd3f3 5a634ba6 42d1495d 

1684 bytes copied in 0.690 secs
Saving context :            admin : (001/002 Contexts saved) 
Cryptochecksum: 714e8aba f5ca6ed0 8508dbaf eba2f3cb 

7649 bytes copied in 0.190 secs
Saving context :             Test : (002/002 Contexts saved) 
Cryptochecksum: 6124f114 b4910350 b1137692 0dfc32c1 

1671 bytes copied in 0.80 secs
[OK]                           

7. Ping from ASA Internal Interface to outside

Note: 11.11.11.11 is local LAN interface, and 1.1.1.2 is another ASA's WAN Interface. The ping from local ASA LAN Interface to Outside is faild, because the ASA by default maintains a state table for TCP & UDP connections only. It’s not that the pings aren’t successful, its just the ASA does not allow the echo reply from an interface with a lower configured security-level. Solution will be in this post with using ASDM turn on your icmp inspect in your global policy.


ciscoasa(config)# packet-tracer input WAN icmp 11.11.11.11 8 0 1.1.1.2 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.0         255.255.255.0   WAN

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd98d6050, priority=111, domain=permit, deny=true
        hits=4, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=WAN, output_ifc=WAN

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


For the icmp traffic to ASA itself, the command is in the following:


ciscoasa(config)# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
icmp permit any LAN

Note: If there is NAT enabled from Internal to External, you may need to add a access-list to allow icmp echo-reply packet in to external interface.

8. Enable Logging


ciscoasa(config)# logging enable
ciscoasa(config)# logging buffered 7
ciscoasa(config)# logging asdm informational
asa842-1(config)# sh logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 6 messages logged
    Trap logging: disabled
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 23 messages logged
%ASA-5-111008: User 'enable_15' executed the 'logging buffered 7' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'logging buffered 7'
%ASA-7-609001: Built local-host LAN:11.11.11.12
%ASA-7-609001: Built local-host WAN:22.22.22.23
%ASA-6-302020: Built outbound ICMP connection for faddr 22.22.22.23/0 gaddr 11.11.11.12/55300 laddr 11.11.11.12/55300
%ASA-6-302020: Built inbound ICMP connection for faddr 22.22.22.23/0 gaddr 11.11.11.12/55300 laddr 11.11.11.12/55300




9. NAT 
  • Dynamic nat (Global)
    • object network inside-subnet
       subnet 192.168.0.0 255.255.255.0
       nat (inside,outside) dynamic interface
  • Static nat with Objects
    • object network webserver-external-ip
       host 198.51.100.101
      !
      object network webserver
       host 192.168.1.100
       nat (dmz,outside) static webserver-external-ip service tcp www www
Following is From fir3net.com's Post

There are now 2 types of NAT. Auto and Manual NAT.
  • Auto NAT - Only the source is used as a match criteria when NAT`ing.
  • Manual NAT - The source and destination is used as a match criteria when NAT`ing.

Auto NAT

Auto NAT only considers the source address when performing NAT. Based on this Auto NAT is only used for Static or Dynamic NAT.
When configuring Auto NAT is is configured within an object.
Example
Below is an example of a static NAT.
asa(config)# object network obj-server
asa(config-network-object)# host 192.168.100.1 <-- REAL IP
asa(config-network-object)# nat (inside,outsidestatic 88.88.88.1 <-- MAPPED IP
After configuring this NAT and looking at the configuration we can see the configuration in 2 places ; NAT and object.
asa# show run object
object network obj-server
  host 192.168.100.1

asa# show run nat
object network obj-server
  nat (inside,outside) static 88.88.88.1

Manual NAT

Manual NAT considers either only the source or the source and destination address when performing NAT. Manual NAT can be used for (pretty much) all types of NAT i.e NAT exempt, policy NAT etc.
Because Manual NAT can also NAT the source and destination within a single statement it is also known as twice NAT.
Unlike Auto NAT which is configured within an object, Manual NAT is configured directly from the global configuration mode. However only objects are used within the Manual NAT rule rather then IP addresses directly.
Example
Below is an example of static NAT where only the source is considered for NAT. However this is typically done with Auto NAT.
object network obj-server-private
  host 192.168.100.1
object network obj-server-public
  host 88.88.88.88

nat (DMZ,outside) source static obj-server-private obj-server-public
Below shows the syntax is we wanted to consider both the source and destination. This method (twice NAT) is also used for NAT exempt (click here for article
nat (real_ifc,mapped_ifc) source static REAL-SRC MAPPED-SRC destination static REAL-DST MAPPED-DST
NAT Order
NAT is order within 3 sections.
  • Section 1 – Manual NAT
  • Section 2 – Auto NAT
  • Section 3 – Manual Nat After-Auto
By default only sections 1 and 2 are used. However should you need to place a manual NAT rule after Auto NAT you can specify the keyword after-auto when configuring a Manual NAT rule to place it within Section 3.
nat (real,mapped) [after-auto] [Line#] .........
To view the order of precedence the "show nat" command is used. 


10. Access Rules
Enable traffic between interfaces which are configured with same security level



Inbound and Outbound Rules
You can configure access rules based on the direction of traffic:
• Inbound—Inbound access rules apply to traffic as it enters an interface. Global and management access
rules are always inbound.
• Outbound—Outbound rules apply to traffic as it exits an interface.
“Inbound” and “outbound” refer to the application of an ACL on an interface, either to traffic entering the
ASA on an interface or traffic exiting the ASA on an interface. These terms do not refer to the movement of traffic from a lower security interface to a higher security interface, commonly known as inbound, or from a higher to lower interface, commonly known as outbound.
Note
An outbound ACL is useful, for example, if you want to allow only certain hosts on the inside networks to access a web server on the outside network. Rather than creating multiple inbound ACLs to restrict access,
  • access-list (ACLs)
    • Traffic going from a lower security interface is denied when going to a higher security interface
    • Traffic going from a higher security interface is allowed when going to a lower security interface
    •  Examples 1:
      access-list outside_acl extended permit tcp any object webserver eq www
      !
      access-group outside_acl in interface outside
    •  Examples 2:
    • object network dns-server
       host 192.168.0.53
      !
      access-list dmz_acl extended permit udp any object dns-server eq domain
      access-list dmz_acl extended deny ip any object inside-subnet
      access-list dmz_acl extended permit ip any any
      !
      access-group dmz_acl in interface dmz

11. Access Rules Examples

ASA Example Topology




ciscoasa#   sh run
: Saved

:
: Serial Number: 9ALU3EW6LDF
: Hardware:   ASAv, 1024 MB RAM, CPU Xeon 5500 series 2294 MHz
:
ASA Version 9.5(1)200
!
hostname ciscoasa
enable password PVSASRJovmamnVkD encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 description Internal Interface
 nameif INTERNAL
 security-level 100
 ip address 10.94.200.12 255.255.255.0
!
interface GigabitEthernet0/1
 description DMZ Interface
 nameif DMZ
 security-level 100
 ip address 172.17.3.12 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!....
!
interface Management0/0
 management-only
 nameif MGMT
 security-level 0
 ip address 192.168.2.12 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network H_172.17.3.62_DMZ
 host 172.17.3.62
 description OpenWRT2
object network h_10.94.200.62_Internal
 host 10.94.200.62
 description Internal OpenWRT1
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object tcp destination eq ssh
access-list DMZ_access_in extended permit icmp any any
access-list INTERNAL_access_in extended permit object-group DM_INLINE_SERVICE_1 object h_10.94.200.62_Internal object H_172.17.3.62_DMZ
pager lines 23
logging enable
logging buffered debugging
logging asdm informational
mtu MGMT 1500
mtu INTERNAL 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group INTERNAL_access_in in interface INTERNAL
access-group DMZ_access_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 MGMT
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
  .........
    6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
    6c2527b9 deb78458 c61f381e a4c4cb66
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.2.0 255.255.255.0 MGMT
ssh 10.94.200.0 255.255.255.0 INTERNAL
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password eY/fQXw7Ure8Qrz7 encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect netbios
  inspect rtsp
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sip
  inspect skinny
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:f0b9b7ac46de68d4f289d84909d1d497
: end



12. Backup and Restore Configuration

Backup configuration to local disk.
ciscoasa# copy startup-config disk0:/backup-02202016

Destination filename [backup-02202016]? 

Copy in progress...C
7072 bytes copied in 0.10 secs
ciscoasa# 

Restore Configuration
ciscoasa(config)# clear configure all
ciscoasa# copy disk0:/backup-02202016 startup-config 





13. ICMP/SSH/ASDM to another interface behind one interface

I met same issue as the post "Failed to locate egress interface...".
Topology:

Lan2Lan.jpg

Symptom:
IP Computer 1 is able to reach IP computer 2 , but not firewall ASA's IP inside2, even it is in same segment as IP Computer2.

Solution from the post:
"Cisco firewalls do not allow ICMP from behind one interface to another interface on the same device. The only exception to this is when traffic is coming through VPN and a specific configuration command has been entered to the device to which you are trying to ICMP from behind a VPN connection.
So if Computer 1 needs to ICMP Inside 2 then the firewall that has the Inside 2 interface must be configured with the command
management-access
"



http server enable

http 10.50.2.0 255.255.255.0 Mgmt
http 172.17.0.0 255.255.255.0 MGMT

ssh 10.50.2.0 255.255.255.0 MGMT
ssh 172.17.0.0 255.255.255.0 MGMT

management-access MGMT




No comments:

Post a Comment