Cisco Firewall Configuration Examples

ASA

* General VPN Troubleshooting (ASA 5520, ASAOS 8.0.4)
show vpn-sessiondb remote
show vpn-sessiondb remote | include Username

show ipsec sa
show ipsec sa detail
show ipsec sa | include access-list
show ipsec sa | include crypto endpt

show ipsec sa entry
show ipsec sa entry detail
show ipsec sa entry | include peer 
show ipsec sa entry | begin peer address: 192.168.155.101
show ipsec sa entry detail | begin peer address: 192.168.155.101
show ipsec sa peer 192.168.155.101
show ipsec sa peer 192.168.155.101 detail

show ipsec stats
show ipsec sa summary
* Enable SSH (ASA 5510, ASAOS 8.0.4)
asa1# conf term
asa1(config)# crypto key generate rsa
INFO: The name for the keys will be: 
Keypair generation process begin. Please wait...

asa1(config)# show crypto key mypubkey rsa
Key pair was generated at: 16:24:10 UTC Jan 6 2009
Key name: 
 Usage: General Purpose Key
 Modulus Size (bits): 1024
 Key Data:

  xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
  xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
  xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
  xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
  xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxx

ssh 192.168.1.25 255.255.255.255 inside
ssh timeout 30
ssh version 2
username cisco password xxxxxxx
aaa authentication ssh console LOCAL
* Upgrade OS (ASA 5510, ASAOS 7.2.3)
copy run start
show version
show boot
dir
# If you don't have enough room for the new image, delete the old one:
del disk0:asa723-k8.bin
# Once you have enough room, upload the new image:
  copy tftp disk0:
  Address or name of remote host []? 192.168.1.25
  Source filename []? asa804-k8.bin
  Destination filename [asa804-k8.bin]? 
  Accessing tftp://192.168.1.25/asa804-k8.bin...!!!!!!!! (and so on...)
  Writing file disk0:/asa804-k8.bin...!!!!!!!! (and so on...)
  14137344 bytes copied in 38.970 secs (372035 bytes/sec)
# Or, instead of pulling the software, you can push it with scp (after running 'ssh scopy enable' on the firewall)
  scp -v asa943-11-smp-k8.bin cisco@192.168.1.25:disk0:asa943-11-smp-k8.bin
# Now, using the above steps, upload the corresponding asdm software
dir
conf term
no boot system disk0:/asa723-k8.bin
boot system disk0:/asa804-k8.bin
asdm image disk0:/asdm-61551.bin
end
show boot
copy run start
reload
* Basic Failover (ASA 5510, ASAOS 7.2.1, Requires 1 dedicated interface)
interface Ethernet0/0
 description Colo Network
 nameif colo
 security-level 60
 ip address 192.168.99.1 255.255.255.0 standby 192.168.99.2

interface Ethernet0/1
 description Office Network
 nameif office
 security-level 50
 ip address 192.168.77.1 255.255.255.0 standby 192.168.77.2

interface Management0/0
 description LAN Failover Interface


failover
failover lan unit primary
failover lan interface fobasic Management0/0
failover key *****
failover interface ip fobasic 192.168.200.1 255.255.255.0 standby 192.168.200.2

* Stateful Failover (ASA 5550, ASAOS 8.0.4, Requires 2 dedicated interfaces)
interface GigabitEthernet0/0
 description Colo Network
 nameif colo
 security-level 60
 ip address 192.168.99.1 255.255.255.0 standby 192.168.99.2

interface GigabitEthernet0/1
 description STATE Failover Interface

interface Management0/0
 description LAN Failover Interface

interface GigabitEthernet1/0
 description Office Network
 nameif office
 security-level 50
 ip address 192.168.77.1 255.255.255.0 standby 192.168.77.2


failover
failover lan unit primary
failover lan interface fobasic Management0/0
failover key *****
failover link fostate GigabitEthernet0/1
failover interface ip fobasic 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover interface ip fostate 192.168.201.1 255.255.255.0 standby 192.168.201.2
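
The SSH lines in the "Enable SSH" section and the two failover configurations above are easy to get subtly wrong (a standby address typed into the wrong subnet, an SSH permit line with a 0.0.0.0 mask, a failover link that still has a nameif). The Python script below is an added example, not part of this page or of any Cisco tool: it reads a running-config excerpt (constructed here from the page's own SSH and stateful-failover lines) and reports the mistakes an operator would want caught before a cutover. The function names, the finding strings and the sample configuration are assumptions of the example.

```python
import ipaddress
import re

# Constructed sample: the page's SSH lines and stateful-failover configuration
# combined into one running-config excerpt (not a real device dump).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description Colo Network
 nameif colo
 security-level 60
 ip address 192.168.99.1 255.255.255.0 standby 192.168.99.2
!
interface GigabitEthernet0/1
 description STATE Failover Interface
!
interface Management0/0
 description LAN Failover Interface
!
interface GigabitEthernet1/0
 description Office Network
 nameif office
 security-level 50
 ip address 192.168.77.1 255.255.255.0 standby 192.168.77.2
!
ssh 192.168.1.25 255.255.255.255 inside
ssh timeout 30
ssh version 2
aaa authentication ssh console LOCAL
failover
failover lan unit primary
failover lan interface fobasic Management0/0
failover key *****
failover link fostate GigabitEthernet0/1
failover interface ip fobasic 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover interface ip fostate 192.168.201.1 255.255.255.0 standby 192.168.201.2
"""

SSH_ACL_RE = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
FO_IFC_RE = re.compile(r"^failover (?:lan interface|link) (\S+) (\S+)$")
FO_IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")
IP_PAIR_RE = re.compile(r"^ip address (\S+) (\S+) standby (\S+)$")


def parse_interfaces(config):
    """Return {interface name: [indented sub-lines]} for each 'interface X' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a blank line ends the block
    return blocks


def check_pair(label, active, mask, standby, findings):
    """An active/standby pair must be two different addresses in one subnet."""
    net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
    if active == standby:
        findings.append(f"{label}: active and standby addresses are identical")
    elif ipaddress.ip_address(standby) not in net:
        findings.append(f"{label}: standby {standby} is not in {net}")


def audit_ssh(config):
    """Checks derived from the page's 'Enable SSH' lines."""
    findings, lines = [], config.splitlines()
    if "ssh version 2" not in lines:
        findings.append("ssh: 'ssh version 2' missing, SSHv1 is still accepted")
    if not any(l.startswith("aaa authentication ssh console ") for l in lines):
        findings.append("ssh: no 'aaa authentication ssh console' line")
    acl = [m for m in map(SSH_ACL_RE.match, lines) if m]
    if not acl:
        findings.append("ssh: no 'ssh <addr> <mask> <ifc>' line, SSH cannot be reached")
    for m in acl:
        addr, mask, ifc = m.groups()
        if mask == "0.0.0.0":
            findings.append(f"ssh: management access open to any host on {ifc}")
        if ifc == "outside":
            findings.append(f"ssh: SSH permitted on the outside interface from {addr}")
    return findings


def audit_failover(config):
    """Checks derived from the page's basic and stateful failover examples."""
    findings, lines = [], config.splitlines()
    ifaces = parse_interfaces(config)
    if "failover" not in lines:
        findings.append("failover: not enabled")
    if not any(l.startswith("failover key ") for l in lines):
        findings.append("failover: no 'failover key', failover messages are unauthenticated")
    physical = {}  # physical interface -> failover link names that use it
    for m in filter(None, map(FO_IFC_RE.match, lines)):
        physical.setdefault(m.group(2), []).append(m.group(1))
    for phys, names in physical.items():
        if len(names) > 1:
            findings.append(f"failover: {phys} is shared by {' and '.join(names)}, not dedicated")
        sub = ifaces.get(phys)
        if sub is None:
            findings.append(f"failover: {phys} has no interface block")
        elif any(s.startswith(("nameif ", "ip address ")) for s in sub):
            findings.append(f"failover: {phys} also carries a nameif/ip address (not dedicated)")
    for m in filter(None, map(FO_IP_RE.match, lines)):
        name, active, mask, standby = m.groups()
        check_pair(f"failover {name}", active, mask, standby, findings)
    for name, sub in ifaces.items():
        for m in filter(None, map(IP_PAIR_RE.match, sub)):
            active, mask, standby = m.groups()
            check_pair(f"interface {name}", active, mask, standby, findings)
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG) + audit_failover(SAMPLE_CONFIG):
        print(finding)
```

Paste the output of `show running-config` into SAMPLE_CONFIG (or read it from a file) and run the script; an empty result means the excerpt passed these particular checks. The stateful example on this page passes cleanly, while the same excerpt with `ssh 0.0.0.0 0.0.0.0 outside` or a standby address on the wrong subnet produces one finding per mistake.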

* One-to-One (aka two-way) NAT (ASA 5510, ASAOS 7.2.1)
The syntax for this can be confusing. Here is a generic example:
static (outside_ifc,inside_ifc) inside_ip outside_ip netmask 255.255.255.255

static (internet,office) 192.168.77.101 216.142.200.221 netmask 255.255.255.255 
static (internet,office) 192.168.77.102 216.142.200.222 netmask 255.255.255.255 
static (internet,office) 192.168.77.103 216.142.200.223 netmask 255.255.255.255 
static (test,office) 192.168.77.104 172.30.11.14 netmask 255.255.255.255 
static (test,office) 192.168.77.105 172.30.11.15 netmask 255.255.255.255 

* Simple Many-to-One (aka one-way) NAT (ASA 5510, ASAOS 7.2.1)
global (outside) 1 216.142.200.220 netmask 255.255.255.255
nat (inside) 1 192.168.77.0 255.255.255.0 0 0

* Complex Many-to-One (aka one-way) NAT (ASA 5510, ASAOS 7.2.1)
access-list skip-nat-inside permit ip any host 192.168.6.11 
access-list skip-nat-inside permit ip any host 192.168.6.12
access-list skip-nat-inside permit ip any 192.168.222.0 255.255.255.0

global (outside) 1 216.142.200.220 netmask 255.255.255.255
global (outside) 2 216.142.200.221 netmask 255.255.255.255
nat (inside) 0 access-list skip-nat-inside
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (inside) 1 172.66.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
nat (inside) 2 192.168.77.0 255.255.255.0 0 0

* VLAN Trunking (ASA 5510, ASAOS 7.2.1)
Hey! If you are trying to trunk VLAN 1, you are going to run into trouble (using the below config, I think you may have to configure Ethernet0/3 (NOT a sub-interface) to have an IP address. You will not be able to type in 'vlan 1', as it is assumed). You have been warned.

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

interface Ethernet0/3
 no nameif    
 no security-level
 no ip address
!             
interface Ethernet0/3.1
 description Development Network
 vlan 50     
 nameif dev   
 security-level 40
 ip address 192.168.50.1 255.255.255.0 standby 192.168.50.2
!             
interface Ethernet0/3.2
 description Test Network
 vlan 88     
 nameif test  
 security-level 60
 ip address 192.168.88.1 255.255.255.0 standby 192.168.88.2 

* MSS Exceeded Error (ASA 5510, ASAOS 7.2.1)
May  8 17:59:37 aus-off-fw01 %ASA-4-419001: Dropping TCP packet from dev:172.20.5.81/80 to office:192.168.210.29/45031, reason: MSS exceeded, MSS 1380, data 1460
May  8 17:59:39 aus-off-fw01 %ASA-4-419001: Dropping TCP packet from dev:172.20.5.81/80 to office:192.168.210.29/45031, reason: MSS exceeded, MSS 1380, data 1460
May  8 17:59:39 aus-off-fw01 %ASA-4-419001: Dropping TCP packet from dev:172.20.5.81/80 to office:192.168.210.29/45031, reason: MSS exceeded, MSS 1380, data 1460

access-list exceed-mss-list permit tcp any host 172.20.5.81
access-list exceed-mss-list permit tcp any host 172.20.5.82

tcp-map msstcpmap
  exceed-mss allow

class-map mssclassmap
 match access-list exceed-mss-list

policy-map global-policy
 class mssclassmap
  set connection advanced-options msstcpmap
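
The three syslog lines above are the evidence that leads to the tcp-map exception; on a busy firewall there are usually far more of them, from more than one server. The Python script below is an added example, not part of this page or of any Cisco tool: it parses `%ASA-4-419001` messages, counts drops per sending host, records how far each segment overshot the negotiated MSS, and prints the `access-list exceed-mss-list` lines for exactly the servers that appeared in the log, so the exception stays as narrow as the evidence. The sample log is constructed from the page's three lines plus two extra lines (a second server and an unrelated connection-built message) to show grouping and filtering; the function names are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample: the page's three %ASA-4-419001 lines, a fourth for a second
# server (172.20.5.82), and an unrelated %ASA-6-302013 line that must be ignored.
SAMPLE_LOG = """\
May  8 17:59:37 aus-off-fw01 %ASA-4-419001: Dropping TCP packet from dev:172.20.5.81/80 to office:192.168.210.29/45031, reason: MSS exceeded, MSS 1380, data 1460
May  8 17:59:39 aus-off-fw01 %ASA-4-419001: Dropping TCP packet from dev:172.20.5.81/80 to office:192.168.210.29/45031, reason: MSS exceeded, MSS 1380, data 1460
May  8 17:59:39 aus-off-fw01 %ASA-4-419001: Dropping TCP packet from dev:172.20.5.81/80 to office:192.168.210.29/45031, reason: MSS exceeded, MSS 1380, data 1460
May  8 18:01:02 aus-off-fw01 %ASA-4-419001: Dropping TCP packet from dev:172.20.5.82/443 to office:192.168.210.40/51200, reason: MSS exceeded, MSS 1380, data 1460
May  8 18:01:05 aus-off-fw01 %ASA-6-302013: Built inbound TCP connection 12345 for office:192.168.210.40/51201 (192.168.210.40/51201) to dev:172.20.5.82/443 (172.20.5.82/443)
"""

MSS_RE = re.compile(
    r"%ASA-4-419001: Dropping TCP packet from "
    r"(?P<src_ifc>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_ifc>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)


def parse_mss_drops(log_text):
    """Yield one dict per %ASA-4-419001 line; every other message ID is skipped."""
    for line in log_text.splitlines():
        m = MSS_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("src_port", "dst_port", "mss", "data"):
                d[key] = int(d[key])
            yield d


def summarize(log_text):
    """Count drops per (interface, sender, port) and keep the largest MSS overshoot seen."""
    drops, overshoot = Counter(), {}
    for d in parse_mss_drops(log_text):
        key = (d["src_ifc"], d["src_ip"], d["src_port"])
        drops[key] += 1
        overshoot[key] = max(overshoot.get(key, 0), d["data"] - d["mss"])
    return drops, overshoot


def exception_acl(log_text, name="exceed-mss-list"):
    """One 'access-list ... permit tcp any host <server>' line per sender seen in the log.

    The dropped packets come *from* the server, so the server is the host the
    page's class-map matches on; 'any' covers the clients."""
    drops, _ = summarize(log_text)
    servers = sorted({ip for (_, ip, _) in drops})
    return [f"access-list {name} permit tcp any host {ip}" for ip in servers]


if __name__ == "__main__":
    drops, overshoot = summarize(SAMPLE_LOG)
    for key, count in drops.most_common():
        ifc, ip, port = key
        print(f"{ifc}:{ip}/{port}  drops={count}  max overshoot={overshoot[key]} bytes")
    print()
    print("\n".join(exception_acl(SAMPLE_LOG)))
```

Feed it the relevant slice of the syslog server's file for the firewall in question; the report tells you which servers are sending segments larger than the MSS the firewall negotiated (1460 against 1380 in the page's lines, an overshoot of 80 bytes), and the generated access-list lines are the ones to attach to the tcp-map exception shown above.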


PIX

* Failover (PIX 525, PIXOS 6.3.4)
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 66.179.172.9
failover ip address inside 192.168.10.12
failover ip address secure-dmz 192.168.6.2
no failover ip address unused3
no failover ip address unused4
no failover ip address unused5
failover ip address crossover 192.168.255.2
failover link crossover
