Difference between revisions of "Cisco ASA"

From HackerNet
Jump to: navigation, search
m
 
(9 intermediate revisions by the same user not shown)
Line 1: Line 1:
Adaptive Security Appliance är Ciscos VPN- och brandväggsenhet. Detta är skrivet för 8.4 och senare.  
+
Adaptive Security Appliance är Ciscos VPN- och brandväggsenhet. Detta är skrivet för 8.4 och senare. <br/>
 +
Hårdvara och mjukvara [http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html kompatibilitet]
  
 
==Konfiguration==
 
==Konfiguration==
 
Grunder
 
Grunder
 
  conf t
 
  conf t
hostname ASA
+
  hostname ASA
 
IP adress
 
IP adress
 
  int e0/0
 
  int e0/0
mac-address 0011.2233.4455
+
  mac-address 0011.2233.4455
security-level 100
+
  security-level 100
nameif inside
+
  nameif inside
ip address 10.0.0.1 255.255.255.0
+
  ip address 10.0.0.1 255.255.255.0
no shut
+
  no shut
exit
 
 
Default route och DNS
 
Default route och DNS
 
  route outside 0.0.0.0 0.0.0.0 190.10.160.1 1
 
  route outside 0.0.0.0 0.0.0.0 190.10.160.1 1
Line 20: Line 20:
  
 
===ASDM===
 
===ASDM===
ASDM är en javamjukvara man kan använda för GUI till ASA. Slå på det och vitlista IP/nät.
+
ASDM är en javamjukvara man kan använda för GUI till ASA.  
 +
asdm image disk0:/asdm-752.bin
 +
show asdm image
 +
Slå på det och vitlista IP/nät som får ansluta.
 
  http server enable
 
  http server enable
 
  http 10.0.0.0 255.255.255.0 inside
 
  http 10.0.0.0 255.255.255.0 inside
Line 35: Line 38:
 
  crypto key generate rsa modulus 2048
 
  crypto key generate rsa modulus 2048
  
==Mgmt VRF==
+
===Mgmt VRF===
 
Man kan sedan 9.5 lägga management-interface i en egen routingtabell.
 
Man kan sedan 9.5 lägga management-interface i en egen routingtabell.
 
  int gi0/1
 
  int gi0/1
management-only
+
  management-only
 
  show route management-only
 
  show route management-only
 +
show asp table routing management-only
 +
 +
===Management access===
 +
Vill man managera sin brandvägg genom en VPN-tunnel måste man komplettera ssh/http-kommandon med:
 +
management-access inside
 +
 +
===Upgrade===
 +
copy http://<webbserver.se>/filer/asa952-smp-k8.bin disk0:/
 +
boot system disk0:/asa952-smp-k8.bin
 +
show bootvar
 +
wr
 +
reload
 +
 +
===Reset===
 +
clear configure all
 +
crypto key zeroize rsa
 +
Setup basic firewall
 +
configure factory-default
  
 
==Diverse==
 
==Diverse==
===ICMP-inspection===
+
'''ICMP-inspection''' <br/>
 
Default så är inte icmp-inspection påslaget.
 
Default så är inte icmp-inspection påslaget.
 
  fixup protocol icmp
 
  fixup protocol icmp
 
Alternativt
 
Alternativt
 
  policy-map global_policy
 
  policy-map global_policy
class inspection_default
+
  class inspection_default
  inspect icmp
+
  inspect icmp
===ARP Inspection===
+
 
 +
'''Traceroute''' <br/>
 +
Tillåt traceroute genom en ASA
 +
  access-list ACL extended permit icmp any any time-exceeded
 +
access-list ACL extended permit icmp any any unreachable
 +
 
 +
'''Accelerated Security Path'''
 +
show asp drop
 +
capture asp-drop type asp-drop all
 +
show capture asp-drop
 +
 
 +
'''ARP Inspection''' <br/>
 +
Static entries
 
  arp inside 193.10.161.37 0c0c.0c0c.0c03 alias
 
  arp inside 193.10.161.37 0c0c.0c0c.0c03 alias
 
  ---
 
  ---
  
===Management access===
+
'''Botnet Filtering'''
Vill man managera sin brandvägg genom en VPN-tunnel måste man komplettera ssh/http-kommandon med:
 
management-access inside
 
 
 
===Botnet Filtering===
 
 
  #köp licens
 
  #köp licens
 
  #Enable DNS Client
 
  #Enable DNS Client
  
===NTP===
+
'''NTP'''
 
  clock timezone CEST 1 0
 
  clock timezone CEST 1 0
 
  clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 60
 
  clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 60
 
  ntp server 94.199.180.200 source outside
 
  ntp server 94.199.180.200 source outside
 +
show ntp status
  
===uRPF===
+
'''uRPF'''
 
  ip verify reverse-path interface outside
 
  ip verify reverse-path interface outside
 +
show run ip verify reverse-path
  
===Logging===
+
'''Logging'''
 
  logging enable
 
  logging enable
 
  logging console 4
 
  logging console 4
 +
Om man kör syslog med TCP så slutar ASA:n att forwarda trafik om anslutning till syslog-servern tappas, ändra detta.
 +
logging permit-hostdown
  
===Certificate Management===
+
'''Jumbo Frames'''
show crypto ca certificate
 
(config) crypto ca export
 
show crypto key mypubkey rsa
 
 
 
===Jumbo Frames===
 
 
  jumbo frame-reservation
 
  jumbo frame-reservation
 
  mtu inside 9000
 
  mtu inside 9000
 
  mtu outside 9000
 
  mtu outside 9000
  
===Global Timeouts===
+
'''Global Timeouts'''
 
  timeout xlate 10:00:00
 
  timeout xlate 10:00:00
 
  timeout uauth 10:00:00 absolute
 
  timeout uauth 10:00:00 absolute
 
  timeout uauth 09:00:00 inactivity
 
  timeout uauth 09:00:00 inactivity
  
===Permanent Self-Signed Certificate===
+
'''Certificate Management'''
 +
show crypto ca certificate
 +
(config) crypto ca export
 +
show crypto key mypubkey rsa
 +
 
 +
'''Permanent Self-Signed Certificate'''
 
  crypto ca trustpoint ASDM_TrustPoint0
 
  crypto ca trustpoint ASDM_TrustPoint0
 
  id-usage ssl-ipsec
 
  id-usage ssl-ipsec
Line 99: Line 132:
 
  snmp-server host inside 10.0.0.50 community PUBLIC version 2c
 
  snmp-server host inside 10.0.0.50 community PUBLIC version 2c
 
  show snmp-server oidlist  #"hidden command"
 
  show snmp-server oidlist  #"hidden command"
 +
Se även [[Cisco_SNMP|Cisco SNMP]].
  
 
==DHCP==
 
==DHCP==
 +
[[Cisco DHCP]]
 +
 
===Klient===
 
===Klient===
 
  int e0/0
 
  int e0/0
ip address dhcp setroute
+
  ip address dhcp setroute
 
  exit
 
  exit
 
  dhcp-client client-id interface outside
 
  dhcp-client client-id interface outside
 +
 
===Server===
 
===Server===
 
  dhcpd address 10.0.0.50-10.0.0.60 inside
 
  dhcpd address 10.0.0.50-10.0.0.60 inside
 
  dhcpd enable inside
 
  dhcpd enable inside
 
  dhcpd dns 8.8.8.8 interface inside
 
  dhcpd dns 8.8.8.8 interface inside
''OBS ASA don't repond to unicast dhcp requests''
+
''OBS ASA doesn't respond to unicast dhcp requests''
 +
 
 +
===Relay===
 +
dhcprelay server 192.168.10.11 inside
 +
dhcprelay enable DMZ
 +
 
 +
Verify
 +
show dhcpd state
  
 
==NAT==
 
==NAT==
 +
Se även [[Cisco_NAT|Cisco NAT]].
 
===PAT===
 
===PAT===
 
  nat (inside,outside) 1 source dynamic any interface
 
  nat (inside,outside) 1 source dynamic any interface
 +
 
===Dynamic===
 
===Dynamic===
object network inside_10
 
subnet 10.0.0.0 255.255.255.0
 
 
  object network outside-pool
 
  object network outside-pool
range 193.10.161.190 193.10.161.199
+
  range 193.10.161.190 193.10.161.199
 
  object network inside_10
 
  object network inside_10
nat (inside,any) dynamic outside-pool
+
  subnet 10.0.0.0 255.255.255.0
 +
  nat (inside,any) dynamic outside-pool
 +
 
 
===Static===
 
===Static===
object network dmz_server
 
host 172.16.0.5
 
 
  object network dmz_global
 
  object network dmz_global
host 193.10.161.31
+
  host 193.10.161.31
 
  object network dmz_server
 
  object network dmz_server
nat (dmz,outside) static dmz_global
+
  host 172.16.0.5
 +
  nat (dmz,outside) static dmz_global
 +
 
 
===Exempt===
 
===Exempt===
 
  object network LAN1
 
  object network LAN1
Line 136: Line 182:
 
  nat (inside,outside) 1 source static LAN1 LAN1 destination static LAN2 LAN2
 
  nat (inside,outside) 1 source static LAN1 LAN1 destination static LAN2 LAN2
 
''1an är viktig så att regeln hamnar först''
 
''1an är viktig så att regeln hamnar först''
===Show===
+
 
 +
'''Verify'''
 
  show run nat
 
  show run nat
 +
show nat proxy-arp
  
 
==Port Forwarding==
 
==Port Forwarding==
 
  object network websrv  
 
  object network websrv  
host 10.1.1.3
+
  host 10.1.1.3
nat (inside,outside) static interface service tcp 80 80
+
  nat (inside,outside) static interface service tcp 80 80
 
  exit
 
  exit
 
  access-list outside_access_in permit tcp any object websrv eq http
 
  access-list outside_access_in permit tcp any object websrv eq http
Line 148: Line 196:
 
===ACL===
 
===ACL===
 
  access-list ACL1 permit tcp any object dmz_server eq http
 
  access-list ACL1 permit tcp any object dmz_server eq http
 +
access-list ACL1 line 15 permit tcp any object dmz_server eq https
 
  access-group ACL1 in interface outside
 
  access-group ACL1 in interface outside
 +
show access-list ACL1
 +
Matcha på DNS-namn
 +
object network hackernet.se
 +
  fqdn v4 hackernet.se
  
 
==Routing==
 
==Routing==
 +
Se även [[Cisco_Routing|Cisco Routing]].
 +
 
===Static===
 
===Static===
 
  route inside 10.0.1.0 255.255.255.0 {next hop address} 10
 
  route inside 10.0.1.0 255.255.255.0 {next hop address} 10
Line 156: Line 211:
 
===OSPF===
 
===OSPF===
 
  router ospf 1
 
  router ospf 1
area 1
+
  area 1
network 10.0.0.0 255.255.255.0 area 1
+
  network 10.0.0.0 255.255.255.0 area 1
  
 
===RIP===
 
===RIP===
 
  router rip
 
  router rip
no auto-summary
+
  no auto-summary
version 2
+
  version 2
network 10.0.0.0
+
  network 10.0.0.0
  
 
===EIGRP===
 
===EIGRP===
 
  router eigrp 1
 
  router eigrp 1
network 10.0.0.0 255.255.255.0
+
  network 10.0.0.0 255.255.255.0
 +
 
 +
===BGP===
 +
Ska man köra BGP genom en ASA måste man stänga av att TCP option 19 strippas vilket det gör default. Samt måste TCP sequence number randomization stängas av.
 +
 
 +
access-list BGP extended permit tcp any eq bgp any
 +
access-list BGP extended permit tcp any any eq bgp
 +
tcp-map BGP
 +
tcp-options range 19 19 allow
 +
  class-map BGP
 +
  match access-list BGP
 +
policy-map global_policy
 +
  class BGP
 +
  set connection advanced-options BGP
 +
  set connection random-sequence-number disable
  
 
==Modular Policy Framework==
 
==Modular Policy Framework==
Line 193: Line 262:
 
Service Policy
 
Service Policy
 
  service-policy inside-policy interface inside
 
  service-policy inside-policy interface inside
 +
Se även [[Cisco_QoS|Cisco QoS]].
  
 
===Tweaking Connections===
 
===Tweaking Connections===
Line 225: Line 295:
 
===VLAN - !5505===
 
===VLAN - !5505===
 
  int e0/2
 
  int e0/2
no shut
+
  no shut
 
  int e0/2.10
 
  int e0/2.10
vlan 10
+
  vlan 10
security-level 100
+
  security-level 100
nameif VLAN10
+
  nameif VLAN10
ip add 10.0.10.1 255.255.255.0
+
  ip add 10.0.10.1 255.255.255.0
no shut
+
  no shut
 
  exit
 
  exit
  
 
==EtherChannel==
 
==EtherChannel==
 +
Se även [[Cisco_EtherChannel|Cisco EtherChannel]].
 
  interface e0/2
 
  interface e0/2
channel-group mode Active
+
  channel-group mode Active
 
  interface e0/3
 
  interface e0/3
channel-group mode Active
+
  channel-group mode Active
 
  interface port-channel1
 
  interface port-channel1
port-channel load-balance src-port
+
  port-channel load-balance src-port
port-channel min-bundle 1
+
  port-channel min-bundle 1
lacp max-bundle 8
+
  lacp max-bundle 8
duplex auto
+
  duplex auto
speed auto
+
  speed auto
nameif DMZ
+
  nameif DMZ
security-level 50
+
  security-level 50
ip add 10.0.10.1 255.255.255.0
+
  ip add 10.0.10.1 255.255.255.0
no shut
+
  no shut
exit
 
  
 
===Redundancy===
 
===Redundancy===
 +
Samma som etherchannel fast endast ett ben är aktivt i taget. Användbart om asan är kopplad till 2 switchar utan [[Arista_MLAG|MLAG]] (t.ex. [[Nexus_vPC|vPC]]).
 
  interface e0/4
 
  interface e0/4
no shut
+
  no shut
 
  interface e0/5
 
  interface e0/5
no shut
+
  no shut
 
  interface redundant1
 
  interface redundant1
member interface e0/4
+
  member interface e0/4
member interface e0/5
+
  member interface e0/5
nameif outside
+
  nameif outside
security-level
+
  security-level
ip address 193.10.161.31
+
  ip address 193.10.161.31
no shut
+
  no shut
exit
 
  
 
==Transparent - 5505==
 
==Transparent - 5505==
Line 290: Line 360:
 
  aaa-server OUR-GROUP protocol radius
 
  aaa-server OUR-GROUP protocol radius
 
  aaa-server OUR-GROUP (inside) host 10.0.0.50
 
  aaa-server OUR-GROUP (inside) host 10.0.0.50
key ********
+
  key ********
radius-common-pw *********
+
  radius-common-pw *********
exit
+
  exit
  
 
===Cut-through User AAA===
 
===Cut-through User AAA===
Line 341: Line 411:
 
  allocate-interface e0/4
 
  allocate-interface e0/4
 
  config-url disk0:/newcontext.cfg
 
  config-url disk0:/newcontext.cfg
 +
Save in all contexts
 +
wr mem all
  
 
===Active/Active Failover===
 
===Active/Active Failover===
Line 389: Line 461:
  
 
==VPN==
 
==VPN==
Förutsättningar för att sätta upp VPN-tunnlar är att klocka måste gå rätt och att NAT-regler måste ligga i rätt ordning.
+
Se [[Cisco_ASA_VPN|ASA VPN]]
 
 
Kolla hur man gör på aktuell version
 
vpnsetup site-to-site steps
 
vpnsetup ipsec-remote-access steps
 
  
IKEv2 behåller inte riktigt nomenklaturen med faser men ändå.
+
==REST API==
===Fas 1===
+
Man kan lägga till en agent så att ASAn får ett REST API.
  crypto isakmp policy 10
+
  copy http://<webbserver>/asa-restapi-122-lfbff-k8.SPA disk0:
  authentication pre-share
+
  rest-api image disk0:/asa-restapi-122-lfbff-k8.SPA
  encryption aes-256
+
  rest-api agent
  hash sha
+
Sedan behöver webbservern konfigureras om inte det är gjort, se [[Cisco_ASA#ASDM|ASDM]]
  lifetime 28800
 
  group 2
 
PSK
 
tunnel-group <other-side> type ipsec-l2l
 
  tunnel-group <other-side> ipsec-attributes
 
  ikev1 pre-shared-key *****
 
  crypto map VPNMAP 10 set peer <other-side>
 
  
===Fas 2===
+
Använd en REST-klient (Firefox/Chrome)
crypto ipsec ikev1 transform-set SITE2-FAS2 esp-aes-256 esp-sha-hmac
+
  https:<asa-ip>/api/objects/networkobjects
crypto map VPNMAP 10 set transform-set SITE2-FAS2
 
  access-list CRYPTO-to-SITE2 extended permit ip 172.16.20.0 255.255.255.0 172.16.40.0 255.255.255.0
 
crypto map VPNMAP 10 match address CRYPTO-to-SITE2
 
crypto map VPNMAP 10 set security-association lifetime seconds 3600
 
  
===NAT Exempt===
+
===Docs===
object network LAN1
+
Följer med agenten
  subnet 172.16.20.0 255.255.255.0
+
  https://<asa-ip>/doc/
object network LAN2
 
  subnet 172.16.40.0 255.255.255.0
 
  nat (inside,outside) 1 source static LAN1 LAN1 destination static LAN2 LAN2
 
  
===Övrigt===
 
Tillåt trafik in från andra sidan.
 
access-list OUTSIDE-IN extended permit ip object LAN2 object LAN1
 
 
Behöver endast göras vid första VPN-tunneluppsättningen.
 
crypto map VPNMAP interface OUTSIDE
 
crypto isakmp enable OUTSIDE
 
 
'''Troubleshoot'''
 
show crypto isakmp sa detail
 
show vpn-sessiondb detail l2l
 
 
 
[[Category:Cisco]]
 
[[Category:Cisco]]

Latest revision as of 09:22, 15 April 2020

Adaptive Security Appliance är Ciscos VPN- och brandväggsenhet. Detta är skrivet för 8.4 och senare.
Hårdvara och mjukvara kompatibilitet

Konfiguration

Grunder

conf t
 hostname ASA

IP adress

int e0/0
 mac-address 0011.2233.4455
 security-level 100
 nameif inside
 ip address 10.0.0.1 255.255.255.0
 no shut

Default route och DNS

route outside 0.0.0.0 0.0.0.0 190.10.160.1 1
same-security-traffic permit inter-interface
dns domain-lookup outside
dns name-server 8.8.8.8

ASDM

ASDM är en javamjukvara man kan använda för GUI till ASA.

asdm image disk0:/asdm-752.bin
show asdm image

Slå på det och vitlista IP/nät som får ansluta.

http server enable
http 10.0.0.0 255.255.255.0 inside

Skapa användare så att det går att logga in. Peka autentisering mot lokal databas.

username admin password cisco privilege 15
aaa authentication http console LOCAL

SSH

ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
aaa authentication ssh console LOCAL
domain-name inhouse.local
crypto key generate rsa modulus 2048

Mgmt VRF

Man kan sedan 9.5 lägga management-interface i en egen routingtabell.

int gi0/1
 management-only
show route management-only
show asp table routing management-only

Management access

Vill man managera sin brandvägg genom en VPN-tunnel måste man komplettera ssh/http-kommandon med:

management-access inside

Upgrade

copy http://<webbserver.se>/filer/asa952-smp-k8.bin disk0:/
boot system disk0:/asa952-smp-k8.bin
show bootvar
wr
reload

Reset

clear configure all
crypto key zeroize rsa

Setup basic firewall

configure factory-default

Diverse

ICMP-inspection
Default så är inte icmp-inspection påslaget.

fixup protocol icmp

Alternativt

policy-map global_policy
 class inspection_default
  inspect icmp

Traceroute
Tillåt traceroute genom en ASA

access-list ACL extended permit icmp any any time-exceeded
access-list ACL extended permit icmp any any unreachable

Accelerated Security Path

show asp drop
capture asp-drop type asp-drop all
show capture asp-drop

ARP Inspection
Static entries

arp inside 193.10.161.37 0c0c.0c0c.0c03 alias
---

Botnet Filtering

#köp licens
#Enable DNS Client

NTP

clock timezone CEST 1 0
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 60
ntp server 94.199.180.200 source outside
show ntp status

uRPF

ip verify reverse-path interface outside
show run ip verify reverse-path

Logging

logging enable
logging console 4

Om man kör syslog med TCP så slutar ASA:n att forwarda trafik om anslutning till syslog-servern tappas, ändra detta.

logging permit-hostdown

Jumbo Frames

jumbo frame-reservation
mtu inside 9000
mtu outside 9000

Global Timeouts

timeout xlate 10:00:00
timeout uauth 10:00:00 absolute
timeout uauth 09:00:00 inactivity

Certificate Management

show crypto ca certificate
(config) crypto ca export
show crypto key mypubkey rsa

Permanent Self-Signed Certificate

crypto ca trustpoint ASDM_TrustPoint0
id-usage ssl-ipsec
no fqdn
subject-name CN=ASA
enrollment self
crypto ca enroll ASDM_TrustPoint0 noconfirm

SNMP

snmp-server host inside 10.0.0.50 community PUBLIC version 2c
show snmp-server oidlist   #"hidden command"

Se även Cisco SNMP.

DHCP

Cisco DHCP

Klient

int e0/0
 ip address dhcp setroute
exit
dhcp-client client-id interface outside

Server

dhcpd address 10.0.0.50-10.0.0.60 inside
dhcpd enable inside
dhcpd dns 8.8.8.8 interface inside

OBS ASA doesn't respond to unicast dhcp requests

Relay

dhcprelay server 192.168.10.11 inside
dhcprelay enable DMZ

Verify

show dhcpd state

NAT

Se även Cisco NAT.

PAT

nat (inside,outside) 1 source dynamic any interface

Dynamic

object network outside-pool
 range 193.10.161.190 193.10.161.199
object network inside_10
 subnet 10.0.0.0 255.255.255.0
 nat (inside,any) dynamic outside-pool

Static

object network dmz_global
 host 193.10.161.31
object network dmz_server
 host 172.16.0.5
 nat (dmz,outside) static dmz_global

Exempt

object network LAN1
 subnet 1.1.1.0 255.255.255.0
object network LAN2
 subnet 2.2.2.0 255.255.255.0
nat (inside,outside) 1 source static LAN1 LAN1 destination static LAN2 LAN2

1an är viktig så att regeln hamnar först

Verify

show run nat
show nat proxy-arp

Port Forwarding

object network websrv 
 host 10.1.1.3
 nat (inside,outside) static interface service tcp 80 80
exit
access-list outside_access_in permit tcp any object websrv eq http

ACL

access-list ACL1 permit tcp any object dmz_server eq http
access-list ACL1 line 15 permit tcp any object dmz_server eq https
access-group ACL1 in interface outside
show access-list ACL1

Matcha på DNS-namn

object network hackernet.se
 fqdn v4 hackernet.se

Routing

Se även Cisco Routing.

Static

route inside 10.0.1.0 255.255.255.0 {next hop address} 10

OSPF

router ospf 1
 area 1
 network 10.0.0.0 255.255.255.0 area 1

RIP

router rip
 no auto-summary
 version 2
 network 10.0.0.0

EIGRP

router eigrp 1
 network 10.0.0.0 255.255.255.0

BGP

Ska man köra BGP genom en ASA måste man stänga av att TCP option 19 strippas vilket det gör default. Samt måste TCP sequence number randomization stängas av.

access-list BGP extended permit tcp any eq bgp any
access-list BGP extended permit tcp any any eq bgp
tcp-map BGP
tcp-options range 19 19 allow
 class-map BGP
  match access-list BGP
policy-map global_policy
 class BGP
  set connection advanced-options BGP
  set connection random-sequence-number disable

Modular Policy Framework

Application Inspection

access-list dmz_ftp permit tcp any any eq ftp

Class Map

class-map FTP-class-MAP
match access-list dmz_ftp

Policy Map

policy-map FTP-policy-MAP
class FTP-class-MAP
inspect ftp

Service Policy

service-policy FTP-policy-MAP interface dmz

QoS

priority-queue inside

Class Map

class-map VOIP
match dscp 46

Policy Map

policy-map inside-policy
class VOIP
priority

Service Policy

service-policy inside-policy interface inside

Se även Cisco QoS.

Tweaking Connections

access-list ACL1 permit tcp any object dmz_server eq http
class-map TCP-Sessions
match access-list ACL1
policy-map Conn-Limits
class TCP-Sessions
set connection conn-max 500 embryonic-conn-max 50
set connection timeout embryonic 0:05:00 half-closed 0:10:00
service-policy Conn-Limits interface outside

TCP Intercept

access-list ACL1 permit tcp any object dmz_server eq http
class-map no-syn-flood-class
match access-list ACL1
policy-map NO-SYN-FLOOD
class no syn-flood-class
set connection embryonic-conn-max 50
service-policy NO-SYN-FLOOD interface outside 

Advanced Application Inspection - HTTP

policy-map type inspect http http-inspect-pmap
parameters
protocol-violation action dropconnection log
match req-resp content-type mismatch
drop-connection log
policy-map global_policy
class inspection_default
inspect http http-inspect-pmap

VLAN - !5505

int e0/2
 no shut
int e0/2.10
 vlan 10
 security-level 100
 nameif VLAN10
 ip add 10.0.10.1 255.255.255.0
 no shut
exit

EtherChannel

Se även Cisco EtherChannel.

interface e0/2
 channel-group mode Active
interface e0/3
 channel-group mode Active
interface port-channel1
 port-channel load-balance src-port
 port-channel min-bundle 1
 lacp max-bundle 8
 duplex auto
 speed auto
 nameif DMZ
 security-level 50
 ip add 10.0.10.1 255.255.255.0
 no shut

Redundancy

Samma som etherchannel fast endast ett ben är aktivt i taget. Användbart om asan är kopplad till 2 switchar utan MLAG (t.ex. vPC).

interface e0/4
 no shut
interface e0/5
 no shut
interface redundant1
 member interface e0/4
 member interface e0/5
 nameif outside
 security-level
 ip address 193.10.161.31
 no shut

Transparent - 5505

firewall transparent
int BVI 1
ip add 193.10.161.38 255.255.255.0
exit
int e0/0
switchport access vlan 1
no shut
int e0/1
switchport access vlan 2
no shut
interface vlan 1
security-level 100
nameif inside
bridge-group 1
no shut
interface vlan 2
security-level 0
nameif outside
bridge-group 1
no shut

AAA

aaa-server OUR-GROUP protocol radius
aaa-server OUR-GROUP (inside) host 10.0.0.50
 key ********
 radius-common-pw *********
 exit

Cut-through User AAA

access-list outside_authentication permit tcp any object dmz-server eq http
username bob password cisco priv 2
username bob attributes
service-type remote-access
exit
aaa authentication match outside_authentication outside LOCAL

Failover

#Criteria
ASA1
int e0/0
ip address 193.10.161.38 255.255.254.0 standby 193.10.161.39
int e0/1
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
failover lan interface Fail-1 e0/3
failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover key cisco
failover link Fail-2 e0/4
failover interface ip Fail-2 10.2.2.1 255.255.255.252 standby 10.2.2.2
failover replication http
failover lan unit primary
failover mac address e0/0 0000.1111.2222 0000.3333.4444
failover

ASA2
int e0/3
no shut
exit
failover lan interface Fail-1 e0/3
failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover key cisco
failover lan unit secondary
failover

Virtual Firewall

mode multiple
changeto context admin
changeto system
mac-address auto
class silver
limit resource asdm 3
context newcontext
member silver
allocate-interface e0/3
allocate-interface e0/4
config-url disk0:/newcontext.cfg

Save in all contexts

wr mem all

Active/Active Failover

changeto system
prompt hostname priority
failover group 1
primary
preempt 120
exit
failover group 2
secondary
preempt 120
exit
context Ctx-1
join-failover-group 1
exit
context Ctx-2
join-failover-group 2
exit
int e0/4
no shut
int e0/5
no shut
exit
failover lan unit primary
failover lan interface Fail-1 e0/4
failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover link Fail-2 e0/4
failover interface ip Fail-2 10.2.2.1 255.255.255.252 standby 10.2.2.2
failover

int e0/3
no shut
exit
failover lan unit secondary
failover lan interface Fail-1 e0/3
failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover

SLA

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
sla monitor 10
 type echo protocol ipIcmpEcho 1.1.1.1 interface outside
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

VPN

Se ASA VPN

REST API

Man kan lägga till en agent så att ASAn får ett REST API.

copy http://<webbserver>/asa-restapi-122-lfbff-k8.SPA disk0:
rest-api image disk0:/asa-restapi-122-lfbff-k8.SPA
rest-api agent

Sedan behöver webbservern konfigureras om inte det är gjort, se ASDM

Använd en REST-klient (Firefox/Chrome)

https:<asa-ip>/api/objects/networkobjects

Docs

Följer med agenten

https://<asa-ip>/doc/