Cisco Firewall Configuration Examples
ASA
* General VPN Troubleshooting (ASA 5520, ASAOS 8.0.4)
show vpn-sessiondb remote
show vpn-sessiondb remote | include Username
show ipsec sa
show ipsec sa detail
show ipsec sa | include access-list
show ipsec sa | include crypto endpt
show ipsec sa entry
show ipsec sa entry detail
show ipsec sa entry | include peer
show ipsec sa entry | begin peer address: 192.168.155.101
show ipsec sa entry detail | begin peer address: 192.168.155.101
show ipsec sa peer 192.168.155.101
show ipsec sa peer 192.168.155.101 detail
show ipsec stats
show ipsec sa summary
* Enable SSH (ASA 5510, ASAOS 8.0.4)
Without a modulus argument this release generates a 1024-bit key, as the output below shows; that is below current practice, so ask for a larger one with the modulus keyword (2048 bits is accepted on this release). The key name shown is the default name the ASA assigns.
asa1# conf term
asa1(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
asa1(config)# show crypto key mypubkey rsa
Key pair was generated at: 16:24:10 UTC Jan 6 2009
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxx
ssh 192.168.1.25 255.255.255.255 inside
ssh timeout 30
ssh version 2
username cisco password xxxxxxx
# Keep the next line: without it SSH logins use the built-in 'pix' username and the login password instead of the local user database.
aaa authentication ssh console LOCAL
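The checks a reviewer applies to the stanza above, as an added example (this is not code from the page): it takes text in the shape of show running-config plus the show crypto key mypubkey rsa output and flags the weak settings. The 2048-bit minimum, the interface name "outside", the finding wording and both sample configs are assumptions made for this example.

```python
"""Audit an ASA's SSH-management settings (added example, not from the page).

Input is plain text in the shape of `show running-config` plus the `show crypto
key mypubkey rsa` output.  The minimum key size, the interface name "outside"
and the finding messages are assumptions made for this example.
"""
import ipaddress
import re

MIN_RSA_BITS = 2048  # assumption: 1024-bit RSA (the page's default) is below current practice

# Constructed sample: the page's stanza as written.
PAGE_CONFIG = """\
Modulus Size (bits): 1024
ssh 192.168.1.25 255.255.255.255 inside
ssh timeout 30
ssh version 2
username cisco password xxxxxxx
aaa authentication ssh console LOCAL
"""

# Constructed sample with the same settings loosened, to show what gets flagged.
WEAK_CONFIG = """\
Modulus Size (bits): 1024
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
ssh version 1
username cisco password xxxxxxx
"""

# "ssh <address> <mask> <interface>"; the timeout/version lines carry no address
SSH_ALLOW = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
RSA_BITS = re.compile(r"^Modulus Size \(bits\): (\d+)$")


def audit_ssh(config: str) -> list[str]:
    """Return one finding string per weak setting; an empty list means the stanza is clean."""
    findings = []
    forces_v2 = False
    uses_aaa = False
    for raw in config.splitlines():
        line = raw.strip()
        m = RSA_BITS.match(line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(f"rsa key is {m.group(1)} bits; regenerate with a modulus of at least {MIN_RSA_BITS}")
        m = SSH_ALLOW.match(line)
        if m:
            # ipaddress accepts a dotted netmask, so 0.0.0.0 0.0.0.0 becomes 0.0.0.0/0
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            ifc = m.group(3)
            if net.prefixlen == 0:
                findings.append(f"ssh allowed from any address on {ifc}")
            elif ifc == "outside":
                findings.append(f"ssh allowed from {net} on the outside interface")
            elif net.prefixlen < 32:
                findings.append(f"ssh allowed from the whole network {net} on {ifc}; prefer single hosts")
        if line == "ssh version 2":
            forces_v2 = True
        if line.startswith("aaa authentication ssh console"):
            uses_aaa = True
    if not forces_v2:
        findings.append("ssh version 2 not forced; SSHv1 is still accepted")
    if not uses_aaa:
        findings.append("no 'aaa authentication ssh console' line; logins use the built-in pix user and the login password")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_ssh(cfg) or "clean")
```

Run against the page's own stanza the only finding is the 1024-bit key; the loosened sample trips every check. Feed it the real show running-config output rather than a hand-copied stanza, since the point is to catch the line somebody added later.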
* Upgrade OS (ASA 5510, ASAOS 7.2.3)
copy run start
show version
show boot
dir
# If you don't have enough room for the new image, delete the old one:
del disk0:asa723-k8.bin
# Once you have enough room, upload the new image:
copy tftp disk0:
Address or name of remote host []? 192.168.1.25
Source filename []? asa804-k8.bin
Destination filename [asa804-k8.bin]?
Accessing tftp://192.168.1.25/asa804-k8.bin...!!!!!!!! (and so on...)
Writing file disk0:/asa804-k8.bin...!!!!!!!! (and so on...)
14137344 bytes copied in 38.970 secs (372035 bytes/sec)
# Before pointing the boot variable at the new image, check its MD5 against the value Cisco publishes for that release (the verify command on the firewall computes it): a truncated or tampered image leaves you with an unbootable box, or worse.
# Or, instead of pulling the software, you can push it with scp (after running 'ssh scopy enable' on the firewall). The scp target is the firewall itself (asa1 here), not the TFTP host:
scp -v asa943-11-smp-k8.bin cisco@asa1:disk0:asa943-11-smp-k8.bin
# Now, using the above steps, upload the corresponding asdm software
dir
conf term
no boot system disk0:/asa723-k8.bin
boot system disk0:/asa804-k8.bin
asdm image disk0:/asdm-61551.bin
end
show boot
copy run start
reload
* Basic Failover (ASA 5510, ASAOS 7.2.1, Requires 1 dedicated interface)
The failover key is shown masked, as show run prints it. Always set one: without it, configuration replication (passwords included) and, for stateful failover, the connection state cross the failover links in clear text. Keep those links on a dedicated, isolated segment.
interface Ethernet0/0
description Colo Network
nameif colo
security-level 60
ip address 192.168.99.1 255.255.255.0 standby 192.168.99.2
interface Ethernet0/1
description Office Network
nameif office
security-level 50
ip address 192.168.77.1 255.255.255.0 standby 192.168.77.2
interface Management0/0
description LAN Failover Interface
failover
failover lan unit primary
failover lan interface fobasic Management0/0
failover key *****
failover interface ip fobasic 192.168.200.1 255.255.255.0 standby 192.168.200.2
* Stateful Failover (ASA 5550, ASAOS 8.0.4, Requires 2 dedicated interfaces)
interface GigabitEthernet0/0
description Colo Network
nameif colo
security-level 60
ip address 192.168.99.1 255.255.255.0 standby 192.168.99.2
interface GigabitEthernet0/1
description STATE Failover Interface
interface Management0/0
description LAN Failover Interface
interface GigabitEthernet1/0
description Office Network
nameif office
security-level 50
ip address 192.168.77.1 255.255.255.0 standby 192.168.77.2
failover
failover lan unit primary
failover lan interface fobasic Management0/0
failover key *****
failover link fostate GigabitEthernet0/1
failover interface ip fobasic 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover interface ip fostate 192.168.201.1 255.255.255.0 standby 192.168.201.2
* One-to-One (aka two-way) NAT (ASA 5510, ASAOS 7.2.1)
The syntax for this can be confusing. A static translation is bidirectional: use it when a host must be reachable from the other side (still subject to the interface ACL). The generic form is:
static (real interface, mapped interface) mapped ip, real ip netmask 255.255.255.255
The first address is how the host appears on the mapped interface; the second is its real address on the real interface. So the lines below present the internet host 216.142.200.221 to office hosts as 192.168.77.101. To publish an office host on a public address instead, swap both the interface pair and the address pair: static (office,internet) 216.142.200.221 192.168.77.101 netmask 255.255.255.255.
static (internet,office) 192.168.77.101 216.142.200.221 netmask 255.255.255.255
static (internet,office) 192.168.77.102 216.142.200.222 netmask 255.255.255.255
static (internet,office) 192.168.77.103 216.142.200.223 netmask 255.255.255.255
static (test,office) 192.168.77.104 172.30.11.14 netmask 255.255.255.255
static (test,office) 192.168.77.105 172.30.11.15 netmask 255.255.255.255
* Simple Many-to-One (aka one-way) NAT (ASA 5510, ASAOS 7.2.1)
A single global address means PAT: every inside host shares 216.142.200.220, and only inside-initiated connections are translated. The trailing 0 0 on the nat line are the TCP and embryonic connection limits (0 means unlimited).
global (outside) 1 216.142.200.220 netmask 255.255.255.255
nat (inside) 1 192.168.77.0 255.255.255.0 0 0
* Complex Many-to-One (aka one-way) NAT (ASA 5510, ASAOS 7.2.1)
nat (inside) 0 access-list is NAT exemption: traffic matching the ACL (anything to 192.168.6.11, 192.168.6.12 or 192.168.222.0/24) passes untranslated in both directions and takes precedence over static and dynamic rules. The nat id ties each inside network to the global pool with the same id, so 192.168.77.0/24 leaves as 216.142.200.221 while the other three networks share 216.142.200.220.
access-list skip-nat-inside permit ip any host 192.168.6.11
access-list skip-nat-inside permit ip any host 192.168.6.12
access-list skip-nat-inside permit ip any 192.168.222.0 255.255.255.0
global (outside) 1 216.142.200.220 netmask 255.255.255.255
global (outside) 2 216.142.200.221 netmask 255.255.255.255
nat (inside) 0 access-list skip-nat-inside
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (inside) 1 172.66.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
nat (inside) 2 192.168.77.0 255.255.255.0 0 0
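Which rule wins when several could apply is the part of the pre-8.3 syntax that bites people, so here is a small model of the documented precedence (NAT exemption, then static, then the dynamic nat/global pairs) as an added example, not code from the page. The config it parses is constructed from the examples above with the interfaces renamed to inside/outside, plus one static line I added to show static beating a dynamic rule; it models outbound source translation only, and the longest-mask tie-break among overlapping dynamic statements is this example's choice, so check your release's rules if you rely on overlapping ranges.

```python
"""Resolve which pre-8.3 NAT rule translates an outbound flow (added example).

Models the documented precedence for the 7.x/8.2 static/nat/global syntax:
NAT exemption (nat 0 access-list) first, then static, then dynamic nat/global
pairs matched by id.  Only outbound source translation is modelled.  The
config below is constructed from the page's examples (interfaces renamed to
inside/outside); the static line is an addition to show precedence.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

CONFIG = """\
access-list skip-nat-inside permit ip any host 192.168.6.11
access-list skip-nat-inside permit ip any host 192.168.6.12
access-list skip-nat-inside permit ip any 192.168.222.0 255.255.255.0
global (outside) 1 216.142.200.220 netmask 255.255.255.255
global (outside) 2 216.142.200.221 netmask 255.255.255.255
nat (inside) 0 access-list skip-nat-inside
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (inside) 1 172.66.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
nat (inside) 2 192.168.77.0 255.255.255.0 0 0
static (inside,outside) 216.142.200.222 192.168.77.102 netmask 255.255.255.255
"""


def _net(addr, mask="255.255.255.255"):
    """Network from an ACL/nat operand: 'any', or an address plus dotted mask."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _operand(tokens):
    """Consume one address operand ('any' | 'host X' | 'X MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return _net("any"), tokens[1:]
    if tokens[0] == "host":
        return _net(tokens[1]), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]


@dataclass
class NatTable:
    acls: dict = field(default_factory=lambda: defaultdict(list))  # name -> [(src_net, dst_net)]
    exempt: list = field(default_factory=list)    # (real_ifc, acl_name)
    statics: list = field(default_factory=list)   # (real_ifc, mapped_ifc, mapped_ip, real_ip)
    dynamic: list = field(default_factory=list)   # (real_ifc, nat_id, real_net)
    pools: dict = field(default_factory=dict)     # (mapped_ifc, nat_id) -> mapped_ip


def parse(config: str) -> NatTable:
    """Parse the subset of static/nat/global/access-list lines used above (host-mask statics only)."""
    t = NatTable()
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2] == "permit":
            src, rest = _operand(tok[4:])
            dst, _ = _operand(rest)
            t.acls[tok[1]].append((src, dst))
        elif tok[0] == "nat":
            ifc = tok[1].strip("()")
            if tok[2] == "0" and tok[3] == "access-list":
                t.exempt.append((ifc, tok[4]))
            else:
                t.dynamic.append((ifc, int(tok[2]), _net(tok[3], tok[4])))
        elif tok[0] == "global":
            t.pools[(tok[1].strip("()"), int(tok[2]))] = tok[3]
        elif tok[0] == "static":
            real_ifc, mapped_ifc = tok[1].strip("()").split(",")
            t.statics.append((real_ifc, mapped_ifc, tok[2], tok[3]))
    return t


def resolve(t: NatTable, src: str, dst: str, in_ifc: str, out_ifc: str) -> tuple[str, str]:
    """Return (translated source address, rule that matched) for src->dst entering in_ifc and leaving out_ifc."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption: first matching ACE wins and the flow is not translated at all
    for ifc, acl in t.exempt:
        if ifc == in_ifc and any(s in sn and d in dn for sn, dn in t.acls[acl]):
            return src, f"nat ({ifc}) 0 access-list {acl}"
    # 2. static: fixed one-to-one mapping, beats any dynamic rule covering the same host
    for real_ifc, mapped_ifc, mapped_ip, real_ip in t.statics:
        if (real_ifc, mapped_ifc) == (in_ifc, out_ifc) and real_ip == src:
            return mapped_ip, f"static ({real_ifc},{mapped_ifc}) {mapped_ip} {real_ip}"
    # 3. dynamic: nat statement on the ingress interface paired with the global of the same id
    cands = [(nid, net) for ifc, nid, net in t.dynamic if ifc == in_ifc and s in net]
    for nid, net in sorted(cands, key=lambda c: c[1].prefixlen, reverse=True):  # assumption: most specific first
        if (out_ifc, nid) in t.pools:
            return t.pools[(out_ifc, nid)], f"nat ({in_ifc}) {nid} {net.with_netmask} -> global ({out_ifc}) {nid}"
    # 4. nothing matched: passes untranslated (nat-control is off by default on 7.x; on, it would be dropped)
    return src, "no translation"


TABLE = parse(CONFIG)

if __name__ == "__main__":
    for flow in (("10.1.1.5", "8.8.8.8"), ("192.168.77.102", "8.8.8.8"), ("192.168.77.102", "192.168.6.11")):
        print(flow, "->", resolve(TABLE, *flow, "inside", "outside"))
```

The three flows printed show the order in action: 10.1.1.5 goes out via global 1, 192.168.77.102 uses the static even though nat id 2 also covers it, and the same host talking to 192.168.6.11 is exempted and keeps its real address.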
* VLAN Trunking (ASA 5510, ASAOS 7.2.1)
Hey! If you are trying to trunk VLAN 1, you are going to run into trouble (using the below config, I think you may have to
configure Ethernet0/3 (NOT a sub-interface) to have an ip address. You will not be able to type in 'vlan 1', as it is assumed). You have been warned.
Neither same-security-traffic line is needed for the two sub-interfaces below, whose security levels differ (the normal high-to-low and ACL rules apply). inter-interface lets traffic between interfaces at the same security level pass without an ACL; intra-interface lets a flow enter and leave through the same interface (hairpinning, normally only wanted for VPN). Enable only the one you actually need.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Ethernet0/3.1
description Development Network
vlan 50
nameif dev
security-level 40
ip address 192.168.50.1 255.255.255.0 standby 192.168.50.2
!
interface Ethernet0/3.2
description Test Network
vlan 88
nameif test
security-level 60
ip address 192.168.88.1 255.255.255.0 standby 192.168.88.2
* MSS Exceeded Error (ASA 5510, ASAOS 7.2.1)
The ASA clamps the TCP MSS it passes through to 1380 bytes by default (sysopt connection tcpmss), and its TCP normalizer drops any segment larger than the MSS it saw on the connection. That is what the log below shows: the servers at 172.20.5.81 and .82 send 1460-byte segments anyway. The tcp-map relaxes that single check and the class-map confines it to connections to those two hosts; keep it that narrow rather than allowing oversized segments globally. Note also that the ASA's default global policy map is named global_policy and is already applied globally; a differently named map such as global-policy below only takes effect once it is applied as the single global service policy.
May 8 17:59:37 aus-off-fw01 %ASA-4-419001: Dropping TCP packet from dev:172.20.5.81/80 to office:192.168.210.29/45031, reason: MSS exceeded, MSS 1380, data 1460
May 8 17:59:39 aus-off-fw01 %ASA-4-419001: Dropping TCP packet from dev:172.20.5.81/80 to office:192.168.210.29/45031, reason: MSS exceeded, MSS 1380, data 1460
May 8 17:59:39 aus-off-fw01 %ASA-4-419001: Dropping TCP packet from dev:172.20.5.81/80 to office:192.168.210.29/45031, reason: MSS exceeded, MSS 1380, data 1460
access-list exceed-mss-list permit tcp any host 172.20.5.81
access-list exceed-mss-list permit tcp any host 172.20.5.82
tcp-map msstcpmap
exceed-mss allow
class-map mssclassmap
match access-list exceed-mss-list
policy-map global-policy
class mssclassmap
set connection advanced-options msstcpmap
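To get from the log lines to that stanza without hand-copying addresses, here is an added example (not code from the page) that parses %ASA-4-419001 messages in the format shown above, counts drops per sending host and port, and emits the ACL, tcp-map, class-map and policy-map lines narrowed to those ports. The sample log is constructed (two copies of the page's message, one for a second server, and one unrelated deny line); the object names follow the page except that the policy map is the ASA's default global_policy.

```python
"""Build the MSS-exceeded exception from ASA syslog (added example, not from the page).

Parses %ASA-4-419001 lines, counts drops per sending host/port and emits the
page's ACL / tcp-map / class-map / policy-map stanza narrowed to those ports.
The sample log is constructed; object names follow the page, with the default
global_policy map in place of the page's global-policy.
"""
import re
from collections import Counter

MSS_RE = re.compile(
    r"%ASA-4-419001: Dropping TCP packet from "
    r"(?P<src_ifc>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_ifc>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

SAMPLE_LOG = """\
May 8 17:59:37 aus-off-fw01 %ASA-4-419001: Dropping TCP packet from dev:172.20.5.81/80 to office:192.168.210.29/45031, reason: MSS exceeded, MSS 1380, data 1460
May 8 17:59:39 aus-off-fw01 %ASA-4-419001: Dropping TCP packet from dev:172.20.5.81/80 to office:192.168.210.29/45031, reason: MSS exceeded, MSS 1380, data 1460
May 8 17:59:40 aus-off-fw01 %ASA-4-419001: Dropping TCP packet from dev:172.20.5.82/443 to office:192.168.210.30/51020, reason: MSS exceeded, MSS 1380, data 1460
May 8 17:59:41 aus-off-fw01 %ASA-4-106023: Deny tcp src office:192.168.210.31/3333 dst dev:172.20.5.90/22 by access-group "office_in"
"""


def parse_mss_drops(log: str) -> Counter:
    """Count drops per (interface, ip, port) of the host that sent the oversized segment.

    In the page's messages that is the server side (172.20.5.81/80): it pushes
    1460-byte segments although the ASA clamped the MSS to 1380.
    """
    hits = Counter()
    for line in log.splitlines():
        m = MSS_RE.search(line)
        if m and int(m["data"]) > int(m["mss"]):
            hits[(m["src_ifc"], m["src_ip"], int(m["src_port"]))] += 1
    return hits


def bypass_config(hits: Counter, min_hits: int = 1) -> str:
    """Emit the exception for every server seen at least min_hits times.

    Clients open the connection toward the server, so the class-map ACL is
    written any -> host <server> eq <port>, narrower than the page's any -> host.
    """
    acl = []
    for (ifc, ip, port), n in sorted(hits.items()):
        if n < min_hits:
            continue
        acl.append(f"access-list exceed-mss-list remark {n} MSS-exceeded drops from {ifc}:{ip}/{port}")
        acl.append(f"access-list exceed-mss-list permit tcp any host {ip} eq {port}")
    if not acl:
        return ""
    stanza = [
        "tcp-map msstcpmap",
        " exceed-mss allow",                        # relax only the MSS check of the TCP normalizer
        "class-map mssclassmap",
        " match access-list exceed-mss-list",
        "policy-map global_policy",                 # the ASA's default, already-applied global policy map
        " class mssclassmap",
        "  set connection advanced-options msstcpmap",
    ]
    return "\n".join(acl + stanza) + "\n"


if __name__ == "__main__":
    print(bypass_config(parse_mss_drops(SAMPLE_LOG)))
```

The unrelated 106023 line is ignored, and min_hits lets you skip a server that tripped the check once; the remark lines record why each entry exists, which is what you will want when someone asks a year later.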
PIX
* Failover (PIX 525, PIXOS 6.3.4)
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 66.179.172.9
failover ip address inside 192.168.10.12
failover ip address secure-dmz 192.168.6.2
no failover ip address unused3
no failover ip address unused4
no failover ip address unused5
failover ip address crossover 192.168.255.2
failover link crossover