Cisco ASA Cheatsheet

Cisco Adaptive Security Appliance (ASA) is a comprehensive network security device that combines firewall, VPN, and intrusion prevention capabilities. ASA provides advanced threat protection, secure remote access, and network segmentation for enterprise environments. This cheatsheet covers essential commands and configurations for managing Cisco ASA firewalls.

Basic Configuration

Initial Setup

```bash
# Console access
# Connect via console cable (9600 baud, 8N1)
# Default username: blank, password: blank

# Enable privileged mode
enable

# Enter global configuration mode
configure terminal

# Set hostname
hostname ASA-Firewall

# Set domain name (required before generating RSA keys for SSH)
domain-name company.com

# Set enable password
enable password P@ssw0rd123

# Create local user with full (level 15) privileges; privilege is set on the same line
username admin password P@ssw0rd123 privilege 15

# Set console timeout (0 = the console session never times out)
console timeout 0

# Save configuration (the two commands are equivalent)
write memory
copy running-config startup-config
```

Interface Configuration

```bash
# Enter interface configuration
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
 no shutdown

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown

interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.0.1.1 255.255.255.0
 no shutdown

# Configure management interface (management-only: no through traffic)
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 management-only
 no shutdown
```

Basic Network Settings

```bash
# Configure default route
route outside 0.0.0.0 0.0.0.0 203.0.113.254

# Configure DNS
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4

# Configure NTP
ntp server 0.pool.ntp.org
ntp server 1.pool.ntp.org
clock timezone EST -5
clock summer-time EDT recurring

# Configure logging
logging enable
logging timestamp
logging buffer-size 8192
logging buffered informational
logging host inside 192.168.1.100
```

Access Control Lists (ACLs)

Creating ACLs

```bash
# Create access list (entries are evaluated top-down, first match wins)
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.100 eq 80
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.100 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.101 eq 22
access-list OUTSIDE_IN extended deny ip any any log

# Apply ACL to interface
access-group OUTSIDE_IN in interface outside

# Inside to outside (typically permit all)
access-list INSIDE_OUT extended permit ip any any
access-group INSIDE_OUT in interface inside

# DMZ access control
access-list DMZ_IN extended permit tcp any host 10.0.1.10 eq 80
access-list DMZ_IN extended permit tcp any host 10.0.1.10 eq 443
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

Advanced ACL Examples

```bash
# Time-based ACL
time-range BUSINESS_HOURS
 periodic weekdays 8:00 to 18:00
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq 80 time-range BUSINESS_HOURS

# Object groups for cleaner ACLs (define the groups before the ACE that uses them)
object-group network WEB_SERVERS
 network-object host 192.168.1.100
 network-object host 192.168.1.101

object-group service WEB_SERVICES tcp
 port-object eq 80
 port-object eq 443

access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS object-group WEB_SERVICES

# Protocol-specific ACLs (allow only the ICMP replies needed for ping/traceroute/PMTUD)
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
```

Network Address Translation (NAT)

Static NAT

```bash
# Static NAT for web server (object NAT)
object network WEB_SERVER
 host 192.168.1.100
 nat (inside,outside) static 203.0.113.10

# Static NAT with port translation (only TCP/25 is exposed)
object network MAIL_SERVER
 host 192.168.1.200
 nat (inside,outside) static 203.0.113.20 service tcp 25 25

# Static NAT for subnet (one-to-one mapping of equal-size networks)
object network INSIDE_SUBNET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) static 203.0.113.0
```

Dynamic NAT

```bash
# Dynamic NAT pool: the mapped range must be a network object (inline ranges are not accepted)
object network NAT_POOL
 range 203.0.113.100 203.0.113.110
object network INSIDE_USERS
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic NAT_POOL

# PAT (Port Address Translation) behind the outside interface address
object network INSIDE_NETWORK
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

# Manual (twice) NAT rule: PAT sources to the interface address only for traffic to WEB_SERVER,
# leaving the destination untranslated
nat (inside,outside) source dynamic INSIDE_NETWORK interface destination static WEB_SERVER WEB_SERVER
```

NAT Exemption

```bash
# NAT exemption for VPN traffic (twice NAT with identity on both sides)
object network VPN_POOL
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static INSIDE_NETWORK INSIDE_NETWORK destination static VPN_POOL VPN_POOL no-proxy-arp

# Identity NAT (object NAT: the object is mapped to itself, so the name is given once)
object network DMZ_SERVERS
 subnet 10.0.1.0 255.255.255.0
 nat (dmz,outside) static DMZ_SERVERS
```

VPN Configuration

Site-to-Site VPN

```bash
# Enable IKE on the outside interface (tunnels will not negotiate without this)
crypto ikev1 enable outside
crypto ikev2 enable outside

# IKE version 1 policy
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

# IKE version 2 policy
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400

# IPsec transform set (IKEv1) and proposal (IKEv2); define them before the crypto map references them
crypto ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

# Group policy for site-to-site
group-policy S2S_POLICY internal
group-policy S2S_POLICY attributes
 vpn-tunnel-protocol ikev1 ikev2

# Tunnel group configuration (named by the peer address)
tunnel-group 203.0.113.50 type ipsec-l2l
tunnel-group 203.0.113.50 general-attributes
 default-group-policy S2S_POLICY
tunnel-group 203.0.113.50 ipsec-attributes
 ikev1 pre-shared-key MySecretKey123
 ikev2 remote-authentication pre-shared-key MySecretKey123
 ikev2 local-authentication pre-shared-key MySecretKey123

# Crypto map; VPN_TRAFFIC is the crypto ACL that selects the local/remote subnets and must exist
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.50
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside
```

Remote Access VPN (AnyConnect)

```bash
# Enable SSL VPN
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.9.0-webdeploy-k9.pkg
 anyconnect enable
 tunnel-group-list enable

# IP pool for VPN clients
ip local pool VPN_POOL 192.168.100.1-192.168.100.100 mask 255.255.255.0

# Split tunnel ACL (define before the group policy references it)
access-list SPLIT_TUNNEL_ACL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL_ACL standard permit 10.0.1.0 255.255.255.0

# Group policy for remote access
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
 address-pools value VPN_POOL
 dns-server value 192.168.1.1 8.8.8.8
 wins-server value 192.168.1.1

# Connection profile (tunnel group) that clients select; ANYCONNECT_TG is an arbitrary name
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool VPN_POOL
 default-group-policy ANYCONNECT_POLICY
tunnel-group ANYCONNECT_TG webvpn-attributes
 group-alias ANYCONNECT enable

# User configuration
username vpnuser password VpnP@ss123
username vpnuser attributes
 vpn-group-policy ANYCONNECT_POLICY
```

Certificate-based Authentication

```bash
# Generate RSA key pair
crypto key generate rsa label ASA_KEY modulus 2048

# Create self-signed certificate
crypto ca trustpoint LOCAL_CA
 enrollment self
 subject-name CN=ASA-Firewall,O=Company,C=US
 keypair ASA_KEY
crypto ca enroll LOCAL_CA

# Present the certificate on the outside interface for SSL VPN
ssl trust-point LOCAL_CA outside

# Certificate-based user authentication is enabled on the connection profile
# (CERT_TG is an arbitrary name); the client certificate is validated against a trustpoint
tunnel-group CERT_TG type remote-access
tunnel-group CERT_TG webvpn-attributes
 authentication certificate

# The user still needs a local account mapped to a group policy (CERT_POLICY must be defined)
username certuser password CertP@ss123
username certuser attributes
 vpn-group-policy CERT_POLICY
```

High Availability

Active/Standby Failover

```bash
# Primary ASA configuration (define the link and key first, enable failover last)
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 192.168.200.1 255.255.255.0 standby 192.168.200.2

# Failover key (encrypts and authenticates the failover link)
failover key MyFailoverKey123

# Interface monitoring
monitor-interface outside
monitor-interface inside
monitor-interface dmz

# Enable failover
failover

# Secondary ASA configuration (same link, IPs and key; only the unit role differs)
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover key MyFailoverKey123
failover
```

Active/Active Failover

```bash
# Active/Active requires multiple context mode (takes effect after a reload)
mode multiple

# Context configuration (system execution space)
context admin
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/admin.cfg

context CTX1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/2
 config-url disk0:/ctx1.cfg

context CTX2
 allocate-interface GigabitEthernet0/1
 allocate-interface GigabitEthernet0/3
 config-url disk0:/ctx2.cfg

# Failover groups: group 1 is active on the primary unit, group 2 on the secondary
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt

# Assign contexts to failover groups
context CTX1
 join-failover-group 1
context CTX2
 join-failover-group 2
```

Monitoring and Troubleshooting

Show Commands

```bash
# Interface status
show interface
show interface ip brief
show interface GigabitEthernet0/0

# Routing information
show route
show route outside
show arp

# NAT information
show nat
show xlate
show nat detail

# VPN status
show vpn-sessiondb
show vpn-sessiondb detail
show crypto ikev1 sa
show crypto ikev2 sa
show crypto ipsec sa

# Access list hits
show access-list
show access-list OUTSIDE_IN

# System information
show version
show inventory
show environment
show processes
show memory
show cpu usage
```

Logging and Debugging

```bash
# Configure logging levels
logging enable
logging timestamp
logging buffer-size 16384
logging buffered debugging
logging host inside 192.168.1.100 6/1470

# Syslog message IDs (106023 = ACL deny, 302013/302014 = TCP connection built/torn down)
logging message 106023 level informational
logging message 302013 level informational
logging message 302014 level informational

# Debug commands (use with caution: high CPU load on a busy unit; stop with "undebug all")
debug crypto ikev1
debug crypto ikev2
debug crypto ipsec
debug nat
debug access-list

# Packet capture (export as pcap with the /pcap option)
capture OUTSIDE interface outside match tcp any any eq 80
show capture OUTSIDE
copy /pcap capture:OUTSIDE tftp://192.168.1.100/outside_capture.pcap

# Clear commands (clearing xlates/SAs drops the affected sessions)
clear xlate
clear crypto ikev1 sa
clear crypto ikev2 sa
clear crypto ipsec sa
clear access-list counters
```
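The three message IDs above are the ones most worth collecting from the syslog host: 106023 records ACL denies and 302013/302014 bracket each TCP connection. This added example (not part of the original cheatsheet) parses those messages from constructed sample lines, correlates build/teardown by connection ID, and flags sources whose denies touch many distinct ports, a cheap scan indicator from deny logs alone. The sample log lines and the threshold are constructed for illustration.

```python
import re

# Constructed sample syslog lines in the ASA format (not from a real device).
SAMPLE_LOGS = """\
Jan 10 2024 10:15:01 ASA-Firewall %ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:192.168.1.100/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 10 2024 10:15:02 ASA-Firewall %ASA-4-106023: Deny tcp src outside:198.51.100.7/51235 dst inside:192.168.1.100/3389 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 10 2024 10:15:03 ASA-Firewall %ASA-4-106023: Deny tcp src outside:198.51.100.7/51236 dst inside:192.168.1.101/445 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 10 2024 10:15:04 ASA-Firewall %ASA-6-302013: Built inbound TCP connection 1184 for outside:203.0.113.9/40112 (203.0.113.9/40112) to inside:192.168.1.100/443 (203.0.113.10/443)
Jan 10 2024 10:15:09 ASA-Firewall %ASA-6-302014: Teardown TCP connection 1184 for outside:203.0.113.9/40112 to inside:192.168.1.100/443 duration 0:00:05 bytes 2310 TCP FINs
Jan 10 2024 10:15:10 ASA-Firewall %ASA-4-106023: Deny udp src outside:192.0.2.44/53 dst inside:192.168.1.5/53 by access-group "OUTSIDE_IN" [0x0, 0x0]
"""

# 106023: Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
# 302013 / 302014: connection built / torn down, keyed by the connection ID
BUILT_RE = re.compile(r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+)")
TEARDOWN_RE = re.compile(r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) .* bytes (?P<bytes>\d+)")


def parse_asa_log(text):
    """Return (denies, conns): denies is a list of dicts from 106023 lines;
    conns maps connection id -> {'dir': ..., 'bytes': ...} from 302013/302014."""
    denies, conns = [], {}
    for line in text.splitlines():
        if m := DENY_RE.search(line):
            denies.append(m.groupdict())
        elif m := BUILT_RE.search(line):
            conns[m["id"]] = {"dir": m["dir"], "bytes": None}
        elif m := TEARDOWN_RE.search(line):
            conns.setdefault(m["id"], {"dir": None})["bytes"] = int(m["bytes"])
    return denies, conns


def scan_sources(denies, max_distinct_ports=2):
    """Flag source IPs denied to more than max_distinct_ports distinct destination
    ports; a single host probing many ports is the typical shape of a scan."""
    ports = {}
    for d in denies:
        ports.setdefault(d["src"], set()).add(d["dport"])
    return sorted(ip for ip, p in ports.items() if len(p) > max_distinct_ports)


if __name__ == "__main__":
    denies, conns = parse_asa_log(SAMPLE_LOGS)
    print(len(denies), "denies;", "scanning sources:", scan_sources(denies), conns)
```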

Performance Monitoring

```bash
# Connection statistics
show conn count
show conn detail
show local-host

# Resource utilization
show blocks
show memory detail
show processes cpu-usage
show interface detail

# Threat detection (the first two are configuration commands, the third shows the results)
threat-detection basic-threat
threat-detection statistics
show threat-detection statistics

# Quality of Service
show service-policy
show class-map
show policy-map
```

Security Features

Intrusion Prevention

```bash
# Send traffic to the IPS module (AIP-SSM / IPS SSP). ASA has no "inspect ips" and no
# "policy-map type inspect ips": signature policy and actions are configured on the module itself.
class-map IPS_TRAFFIC
 match any

policy-map global_policy
 class IPS_TRAFFIC
  # inline puts the module in the data path; fail-open passes traffic if the module is down
  ips inline fail-open

# On a FirePOWER (SFR) module the equivalent action is "sfr fail-open"

# Verify module status
show module
```

Application Inspection

```bash
# HTTP inspection: classes are defined outside the policy map and referenced by name
class-map type inspect http match-all HTTP_CLASS
 match request method get

policy-map type inspect http HTTP_POLICY
 parameters
  protocol-violation action drop-connection log
  body-match-maximum 200
 class HTTP_CLASS
  log

policy-map global_policy
 class inspection_default
  inspect http HTTP_POLICY

# FTP inspection (strict mode is required to attach an FTP inspection map)
policy-map type inspect ftp FTP_POLICY
 parameters
  mask-banner
  mask-syst-reply

policy-map global_policy
 class inspection_default
  inspect ftp strict FTP_POLICY
```

Botnet Traffic Filter

```bash
# Enable the Botnet Traffic Filter (needs the updater client and the dynamic database)
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside

# DNS snooping so resolved addresses can be matched against the database
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop

# Custom blacklist (domains by name, hosts by address and mask)
dynamic-filter blacklist
 name malicious-domain.com
 address 192.0.2.100 255.255.255.255

# Custom whitelist (same name/address syntax; exempts entries from the database)
dynamic-filter whitelist

# Monitoring
show dynamic-filter statistics
show dynamic-filter reports
```

Advanced Configuration

Quality of Service (QoS)

```bash
# Class maps
class-map VOICE_TRAFFIC
 match dscp ef
class-map VIDEO_TRAFFIC
 match dscp af41
class-map BULK_TRAFFIC
 match port tcp eq 21

# Policy map: ASA supports priority, police and shape (there is no IOS-style bandwidth command)
policy-map QOS_POLICY
 class VOICE_TRAFFIC
  priority
 class VIDEO_TRAFFIC
  police output 2000000 16000
 class BULK_TRAFFIC
  police output 1000000 8000

# Apply to interface
service-policy QOS_POLICY interface outside
```

Modular Policy Framework

```bash
# Regular expression used by the class (the match must reference a named regex)
regex COMPANY_HOST ".*\.company\.com"

# Traffic classification
class-map type inspect http match-all HTTP_CLASS
 match request header host regex COMPANY_HOST

# Policy actions (log only; matching traffic is allowed unless drop-connection or reset is set)
policy-map type inspect http HTTP_POLICY
 class HTTP_CLASS
  log

# Global policy application
policy-map global_policy
 class inspection_default
  inspect http HTTP_POLICY
```

Context Virtualization

```bash
# System context configuration (mode multiple takes effect after a reload)
mode multiple

admin-context admin
context admin
 allocate-interface GigabitEthernet0/0
 config-url disk0:/admin.cfg

context customer1
 allocate-interface GigabitEthernet0/1
 config-url disk0:/customer1.cfg

context customer2
 allocate-interface GigabitEthernet0/2
 config-url disk0:/customer2.cfg

# Resource allocation is set per resource class; contexts use "default" unless assigned another class
class default
 limit-resource All 0
 limit-resource Mac-addresses 65535
 limit-resource ASDM 5
```

Backup and Recovery

Configuration Backup

```bash
# Copy configuration to TFTP (cleartext transfer; use only on a trusted management network)
copy running-config tftp://192.168.1.100/asa-config-backup.txt
copy startup-config tftp://192.168.1.100/asa-startup-backup.txt

# Copy to flash
copy running-config disk0:/backup-config.txt

# Copy to FTP (credentials in the URL end up in command history)
copy running-config ftp://user:pass@192.168.1.100/asa-backup.txt

# Scheduled backup (via script)
# Create a script on an external server that pulls the config regularly
```

System Image Management

```bash
# Show current image
show version
show bootvar

# Copy new image
copy tftp://192.168.1.100/asa982-smp-k8.bin disk0:

# Verify the image checksum before pointing the boot variable at it
verify /md5 disk0:/asa982-smp-k8.bin

# Set boot image
boot system disk0:/asa982-smp-k8.bin

# Reload with new image
reload
```

Factory Reset

```bash
# Erase configuration
write erase
erase disk0:

# Reset to factory defaults
configure factory-default

# Physical reset button
# Hold reset button for 10+ seconds while powered on
```

Best Practices

Security Hardening

```bash
# Disable unnecessary services
no service password-recovery
no http server enable
no snmp-server enable

# Strong authentication (the http line only matters if ASDM/HTTPS management stays enabled)
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL

# Secure management (restrict SSH to the inside management subnet)
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2

# Certificate management
crypto ca trustpoint INTERNAL_CA
 enrollment url http://ca.company.com/certsrv
 subject-name CN=ASA-Firewall
crypto ca authenticate INTERNAL_CA
crypto ca enroll INTERNAL_CA

# Regular updates
# Keep ASA software updated
# Update signature databases
# Review and update ACLs regularly
```
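Hardening is easier to keep honest when the saved configuration is checked mechanically. This added example (not part of the original cheatsheet) audits a constructed running-config excerpt for the weak settings discussed on this page: cleartext enable/user passwords, a console that never times out, management open from any address, a default SNMP community, and the older IKEv1 parameters (DH group 5, SHA-1). The sample config and the list of checks are constructed for illustration.

```python
import re

# Constructed running-config excerpt mirroring the cheatsheet's settings (not a real device dump).
SAMPLE_CONFIG = """\
hostname ASA-Firewall
enable password P@ssw0rd123
username admin password P@ssw0rd123 privilege 15
console timeout 0
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
snmp-server community public
"""

# (finding name, line regex, explanation); patterns are anchored to whole config lines
CHECKS = [
    ("console timeout 0", r"^console timeout 0$", "console session never times out"),
    ("http open to outside", r"^http 0\.0\.0\.0 0\.0\.0\.0 outside$",
     "ASDM/HTTPS management reachable from any address on the outside interface"),
    ("ssh from anywhere", r"^ssh 0\.0\.0\.0 0\.0\.0\.0 ", "SSH reachable from any address"),
    ("ikev1 DH group 5", r"^ group 5$", "1536-bit DH group; prefer group 14 or higher"),
    ("ikev1 SHA-1", r"^ hash sha$", "SHA-1 integrity in IKEv1 policy"),
    ("default SNMP community", r"^snmp-server community public$", "well-known community string"),
]


def audit_config(config):
    """Return a list of (finding, detail) tuples for each weak setting found."""
    findings = [(name, detail) for name, pat, detail in CHECKS
                if re.search(pat, config, re.MULTILINE)]
    lines = config.splitlines()
    if "ssh version 2" not in lines:
        findings.append(("ssh version", "SSH not pinned to version 2"))
    for line in lines:
        # ASA writes hashed secrets with an "encrypted" or "pbkdf2" keyword on the line;
        # a bare value means the secret sits in clear text in the saved config.
        if re.match(r"(enable|username \S+) password ", line) and \
                not re.search(r"\b(encrypted|pbkdf2)\b", line):
            findings.append(("plaintext secret", line.split(" password")[0] + " stored in clear"))
    return findings


if __name__ == "__main__":
    for name, detail in audit_config(SAMPLE_CONFIG):
        print(f"{name}: {detail}")
```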

Performance Optimization

```bash
# Connection limits and TCP normalization are applied through a policy map, not as standalone commands
tcp-map TCP_MAP
 tcp-options selective-ack allow
 tcp-options timestamp allow
 tcp-options window-scale allow

class-map TCP_CLASS
 match any

policy-map global_policy
 class TCP_CLASS
  set connection conn-max 65535
  set connection embryonic-conn-max 1000
  set connection per-client-max 100
  set connection per-client-embryonic-max 50
  set connection advanced-options TCP_MAP

# Memory diagnostics (these add overhead; they are for troubleshooting with TAC, not everyday tuning)
memory caller-address
memory profile enable
memory tracking enable
```

Monitoring and Maintenance

```bash
# Regular monitoring commands
show memory
show processes cpu-usage
show interface
show conn count
show blocks

# Log analysis (severity 4 = warning, 3 = error, 2 = critical)
show logging | include %ASA-4
show logging | include %ASA-3
show logging | include %ASA-2

# Performance baselines ("perfmon interval" is a config command; "show perfmon" displays the counters)
show perfmon
show traffic
show cpu usage

# Maintenance schedule
# Weekly: Review logs and performance
# Monthly: Update signatures and review ACLs
# Quarterly: Review and test failover
# Annually: Review and update security policies
```

Troubleshooting Common Issues

Connectivity Problems

```bash
# Test connectivity
ping outside 8.8.8.8
traceroute outside 8.8.8.8

# Check NAT
show xlate local 192.168.1.100
show nat detail

# Verify routing
show route
show arp

# Check ACLs
show access-list | include hitcnt
show access-list OUTSIDE_IN

# Packet capture for troubleshooting
capture TROUBLESHOOT interface inside match tcp host 192.168.1.100 any
show capture TROUBLESHOOT
```

VPN Issues

```bash
# Check VPN status
show vpn-sessiondb
show crypto ikev1 sa
show crypto ikev2 sa

# Debug VPN (use carefully)
debug crypto ikev1
debug crypto ikev2
debug webvpn anyconnect

# Check certificates
show crypto ca certificates
show ssl trust-point

# Clear VPN sessions
clear crypto ikev1 sa
clear crypto ikev2 sa
vpn-sessiondb logoff all
```

Performance Issues

```bash
# Check resource utilization
show memory detail
show processes cpu-usage
show blocks

# Connection analysis
show conn count
show local-host detail

# Interface statistics
show interface detail
show traffic

# Clear counters for baseline ("clear conn" tears down every active connection; use only in a window)
clear interface
clear traffic
clear conn
```
