Cisco ASA Cheatsheet

Cisco Adaptive Security Appliance (ASA) is a comprehensive network security appliance that combines firewall, VPN and intrusion prevention functions. ASA provides advanced threat protection, secure remote access and network segmentation for enterprise environments. This cheatsheet covers the essential commands and configurations for managing Cisco ASA firewalls.

Basic Configuration

Initial Setup

```bash
# Console access
# Connect via console cable (9600 baud, 8N1)
# Default username: blank, password: blank

# Enable privileged mode
enable

# Enter global configuration mode
configure terminal

# Set hostname
hostname ASA-Firewall

# Set domain name
domain-name company.com

# Set enable password
enable password P@ssw0rd123

# Create local user with full (level 15) privileges
username admin password P@ssw0rd123 privilege 15

# Set console timeout (0 = sessions never time out; use a value such as 10 minutes on production units)
console timeout 0

# Save configuration (both forms are equivalent)
write memory
copy running-config startup-config
```

Interface Configuration

```bash
# Outside interface (lowest trust)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
 no shutdown

# Inside interface (highest trust)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown

# DMZ interface (intermediate trust)
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.0.1.1 255.255.255.0
 no shutdown

# Configure management interface (management traffic only, no transit traffic)
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 management-only
 no shutdown
```

Basic Network Settings

```bash
# Configure default route (next hop on the outside interface)
route outside 0.0.0.0 0.0.0.0 203.0.113.254

# Configure DNS
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4

# Configure NTP
ntp server 0.pool.ntp.org
ntp server 1.pool.ntp.org
clock timezone EST -5
clock summer-time EDT recurring

# Configure logging
logging enable
logging timestamp
logging buffer-size 8192
logging buffered informational
logging host inside 192.168.1.100
```

Access Control Lists (ACLs)

Creating ACLs

```bash
# Create access list (evaluated top-down, first match wins;
# the final logged deny makes every dropped packet visible in syslog)
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.100 eq 80
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.100 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.101 eq 22
access-list OUTSIDE_IN extended deny ip any any log

# Apply ACL to interface
access-group OUTSIDE_IN in interface outside

# Inside to outside (typically permit all)
access-list INSIDE_OUT extended permit ip any any
access-group INSIDE_OUT in interface inside

# DMZ access control
access-list DMZ_IN extended permit tcp any host 10.0.1.10 eq 80
access-list DMZ_IN extended permit tcp any host 10.0.1.10 eq 443
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

Advanced ACL Examples

```bash
# Time-based ACL
time-range BUSINESS_HOURS
 periodic weekdays 8:00 to 18:00
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq 80 time-range BUSINESS_HOURS

# Object groups for cleaner ACLs
object-group network WEB_SERVERS
 network-object host 192.168.1.100
 network-object host 192.168.1.101

object-group service WEB_SERVICES tcp
 port-object eq 80
 port-object eq 443

# One entry covers every server/port combination in the groups
# (insert it above the final 'deny ip any any log' entry, or it will never be reached)
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS object-group WEB_SERVICES

# Protocol-specific ACLs (allow the ICMP replies needed for ping and traceroute diagnostics)
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
```
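To make the evaluation order behind the entries above concrete, here is an added Python simulator written for this cheatsheet (it is not Cisco code and not part of the original page). It loads `access-list` and `object-group` lines in the syntax used in the two ACL sections above, resolves network and service object groups, and evaluates sample packets top-down with the implicit deny at the end of the list. The class and function names (`AclSimulator`, `run_demo`, `SAMPLE_CONFIG`) and the sample packets are my own; the sample configuration is constructed from the cheatsheet's OUTSIDE_IN entries plus a small MGMT list.

```python
"""ASA extended ACL evaluation: top-down, first match wins, implicit deny at the end.
Added example for this cheatsheet (not ASA code). Syntax subset understood:
  access-list NAME extended {permit|deny} PROTO SRC DST [eq PORT | object-group SVC] [log ...]
  object-group network NAME / network-object host A | network-object A MASK
  object-group service NAME tcp / port-object eq PORT
SRC/DST: any | host A | A MASK | object-group NAME (groups are defined before use, as on the ASA)."""
import ipaddress

class AclSimulator:
    def __init__(self):
        self.net_groups, self.svc_groups, self.acls = {}, {}, {}
        self._group = None       # (kind, container) of the object-group being filled

    def load(self, config):
        for raw in config.splitlines():
            if not raw.strip():
                continue
            toks = raw.split()
            if raw.startswith(" "):                   # member line of the current object-group
                self._add_member(toks)
            elif toks[0] == "object-group":
                groups = self.net_groups if toks[1] == "network" else self.svc_groups
                self._group = (toks[1], groups.setdefault(toks[2], [] if toks[1] == "network" else set()))
            elif toks[0] == "access-list" and toks[2] == "extended":
                self.acls.setdefault(toks[1], []).append(self._parse_ace(toks[3:], raw.strip()))

    def _add_member(self, toks):
        kind, container = self._group
        if kind == "network":                         # network-object host A | network-object A MASK
            net = toks[2] if toks[1] == "host" else f"{toks[1]}/{toks[2]}"
            container.append(ipaddress.ip_network(net, strict=False))
        elif toks[1] == "eq":                         # port-object eq PORT
            container.add(int(toks[2]))

    def _addr(self, toks, i):
        """Consume one address spec at toks[i]; return (networks, index after it)."""
        if toks[i] == "any":
            return [ipaddress.ip_network("0.0.0.0/0")], i + 1
        if toks[i] == "host":
            return [ipaddress.ip_network(toks[i + 1])], i + 2
        if toks[i] == "object-group":
            return self.net_groups[toks[i + 1]], i + 2
        return [ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False)], i + 2

    def _parse_ace(self, toks, text):
        """Return (action, proto, src_nets, dst_nets, dports_or_None, original_text)."""
        src, i = self._addr(toks, 2)
        dst, i = self._addr(toks, i)
        dports = None                                 # None = any destination port
        while i < len(toks):                          # trailing destination-port spec and keywords
            if toks[i] == "eq":
                dports, i = {int(toks[i + 1])}, i + 2
            elif toks[i] == "object-group":
                dports, i = set(self.svc_groups[toks[i + 1]]), i + 2
            else:
                i += 1                                # log, time-range NAME, ICMP type: not simulated
        return (toks[0], toks[1], src, dst, dports, text)

    def evaluate(self, acl, proto, src, dst, dport=None):
        """Return (action, matching entry) for one packet, walking the ACL in order."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for action, ace_proto, src_nets, dst_nets, dports, text in self.acls.get(acl, []):
            if ace_proto not in ("ip", proto):
                continue
            if not any(s in n for n in src_nets) or not any(d in n for n in dst_nets):
                continue
            if dports is not None and dport not in dports:
                continue
            return action, text
        return "deny", "implicit deny (end of ACL)"

# Constructed sample: the cheatsheet's OUTSIDE_IN rebuilt with object groups, plus a small MGMT ACL.
SAMPLE_CONFIG = """
object-group network WEB_SERVERS
 network-object host 192.168.1.100
 network-object host 192.168.1.101
object-group service WEB_SERVICES tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS object-group WEB_SERVICES
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended deny ip any any log
access-list MGMT extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.100.1 eq 22
"""

def run_demo():
    """Evaluate a few constructed packets; returns {case: (action, matching entry)}."""
    sim = AclSimulator()
    sim.load(SAMPLE_CONFIG)
    cases = {
        "https_to_web":  ("OUTSIDE_IN", "tcp", "203.0.113.5", "192.168.1.100", 443),
        "ssh_to_web":    ("OUTSIDE_IN", "tcp", "203.0.113.5", "192.168.1.100", 22),
        "icmp_reply":    ("OUTSIDE_IN", "icmp", "203.0.113.5", "192.168.1.100", None),
        "mgmt_inside":   ("MGMT", "tcp", "192.168.1.50", "192.168.100.1", 22),
        "mgmt_from_dmz": ("MGMT", "tcp", "10.0.1.5", "192.168.100.1", 22),
    }
    return {name: sim.evaluate(*args) for name, args in cases.items()}

if __name__ == "__main__":
    for name, (action, why) in run_demo().items():
        print(f"{name:14s} {action:6s} <- {why}")
```

The two MGMT cases show the difference between an explicit logged deny (visible in syslog as message 106023) and the silent implicit deny at the end of a list: a packet from the DMZ falls off the end of MGMT without any entry matching, which is also why it would show up in no `hitcnt` counter of `show access-list`.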

Network Address Translation (NAT)

Static NAT

```bash
# Static NAT for web server (one-to-one)
object network WEB_SERVER
 host 192.168.1.100
 nat (inside,outside) static 203.0.113.10

# Static NAT with port translation (only TCP/25 is exposed on the mapped address)
object network MAIL_SERVER
 host 192.168.1.200
 nat (inside,outside) static 203.0.113.20 service tcp 25 25

# Static NAT for subnet (net-to-net)
object network INSIDE_SUBNET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) static 203.0.113.0
```

Dynamic NAT

```bash
# Dynamic NAT pool
object network INSIDE_USERS
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic 203.0.113.100-203.0.113.110

# PAT (Port Address Translation) behind the outside interface address
object network INSIDE_NETWORK
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

# Manual (twice) NAT rule: PAT to the interface address, except toward WEB_SERVER
nat (inside,outside) source dynamic INSIDE_NETWORK interface destination static WEB_SERVER WEB_SERVER
```

NAT Exemption

```bash
# NAT exemption for VPN traffic (identity twice NAT, so traffic bound for the VPN pool is not PATed)
object network VPN_POOL
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static INSIDE_NETWORK INSIDE_NETWORK destination static VPN_POOL VPN_POOL no-proxy-arp

# Identity NAT (DMZ servers keep their real addresses toward the outside)
object network DMZ_SERVERS
 subnet 10.0.1.0 255.255.255.0
nat (dmz,outside) source static DMZ_SERVERS DMZ_SERVERS
```

VPN Configuration

Site-to-Site VPN

```bash
# IKE version 1 policy (kept for legacy peers; SHA-1 and DH group 5 no longer meet
# current guidance, so prefer the IKEv2 policy below where the peer supports it)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

# IKE version 2 policy
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400

# Group policy for site-to-site
group-policy S2S_POLICY internal
group-policy S2S_POLICY attributes
 vpn-tunnel-protocol ikev1 ikev2

# Tunnel group configuration (keyed by the peer address)
tunnel-group 203.0.113.50 type ipsec-l2l
tunnel-group 203.0.113.50 general-attributes
 default-group-policy S2S_POLICY
tunnel-group 203.0.113.50 ipsec-attributes
 ikev1 pre-shared-key MySecretKey123
 ikev2 remote-authentication pre-shared-key MySecretKey123
 ikev2 local-authentication pre-shared-key MySecretKey123

# Crypto map (VPN_TRAFFIC is the ACL that defines the protected traffic; define it separately)
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.50
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside

# Transform set (IKEv1) and IPsec proposal (IKEv2)
crypto ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
```

Remote Access VPN (AnyConnect)

```bash
# Enable SSL VPN on the outside interface
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.9.0-webdeploy-k9.pkg
 anyconnect enable
 tunnel-group-list enable

# IP pool for VPN clients
# (note: the management interface above also uses 192.168.100.0/24; in a real
# deployment the pool must not overlap an interface subnet)
ip local pool VPN_POOL 192.168.100.1-192.168.100.100 mask 255.255.255.0

# Group policy for remote access
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
 address-pools value VPN_POOL
 dns-server value 192.168.1.1 8.8.8.8
 wins-server value 192.168.1.1

# Split tunnel ACL (only these networks are sent through the tunnel)
access-list SPLIT_TUNNEL_ACL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL_ACL standard permit 10.0.1.0 255.255.255.0

# User configuration
username vpnuser password VpnP@ss123
username vpnuser attributes
 vpn-group-policy ANYCONNECT_POLICY
```

Certificate-Based Authentication

```bash
# Generate RSA key pair
crypto key generate rsa label ASA_KEY modulus 2048

# Create self-signed certificate
crypto ca trustpoint LOCAL_CA
 enrollment self
 subject-name CN=ASA-Firewall,O=Company,C=US
 keypair ASA_KEY
crypto ca enroll LOCAL_CA

# Configure certificate for SSL VPN
ssl trust-point LOCAL_CA outside

# Certificate-based user authentication (CERT_POLICY is a group policy defined elsewhere)
username certuser password CertP@ss123
username certuser attributes
 vpn-group-policy CERT_POLICY
```

High Availability

Active/Standby Failover

```bash
# Primary ASA configuration
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 192.168.200.1 255.255.255.0 standby 192.168.200.2

# Failover key (encrypts the failover and state link)
failover key MyFailoverKey123

# Interface monitoring
monitor-interface outside
monitor-interface inside
monitor-interface dmz

# Enable failover once the settings above are in place
failover

# Secondary ASA configuration (same link settings and key; only the unit role differs)
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover key MyFailoverKey123
failover
```

Active/Active Failover

```bash
# Context configuration (requires multiple context mode)
context admin
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/admin.cfg

context CTX1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/2
 config-url disk0:/ctx1.cfg

context CTX2
 allocate-interface GigabitEthernet0/1
 allocate-interface GigabitEthernet0/3
 config-url disk0:/ctx2.cfg

# Failover groups
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt

# Assign contexts to failover groups
context CTX1
 join-failover-group 1
context CTX2
 join-failover-group 2
```

Monitoring and Troubleshooting

Show Commands

```bash
# Interface status
show interface
show interface ip brief
show interface GigabitEthernet0/0

# Routing information
show route
show route outside
show arp

# NAT information
show nat
show nat detail
show xlate

# VPN status
show vpn-sessiondb
show vpn-sessiondb detail
show crypto ikev1 sa
show crypto ikev2 sa
show crypto ipsec sa

# Access list hits
show access-list
show access-list OUTSIDE_IN

# System information
show version
show inventory
show environment
show processes
show memory
show cpu usage
```

Logging and Debugging

```bash
# Configure logging levels (6/1470 = syslog over TCP port 1470 to the collector)
logging enable
logging timestamp
logging buffer-size 16384
logging buffered debugging
logging host inside 192.168.1.100 6/1470

# Syslog message IDs (change the severity of individual messages)
logging message 106023 level informational
logging message 302013 level informational
logging message 302014 level informational

# Debug commands (use with caution: debug output can load the CPU on a busy unit)
debug crypto ikev1
debug crypto ikev2
debug crypto ipsec
debug nat
debug access-list

# Packet capture
capture OUTSIDE interface outside match tcp any any eq 80
show capture OUTSIDE
copy /pcap capture:OUTSIDE tftp://192.168.1.100/outside_capture.pcap

# Clear commands
clear xlate
clear crypto ikev1 sa
clear crypto ikev2 sa
clear crypto ipsec sa
clear access-list counters
```
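The three message IDs tuned above are the ones a collector fed by `logging host inside 192.168.1.100` sees most: 106023 (packet denied by an ACL), 302013 (TCP connection built) and 302014 (TCP connection torn down). The following Python parser is an added example for this cheatsheet, not Cisco code: it extracts the fields from those messages, counts denies per source and ACL, records the distinct destination ports each source was denied on (a quick indicator of probing), and pairs built/teardown messages by connection id so the real and NAT-mapped destination addresses can be compared. The sample log lines are constructed to follow the documented message formats; the field names and the `parse_line`/`summarize` helpers are my own.

```python
"""Parse ASA syslog 106023 (ACL deny), 302013 (TCP built) and 302014 (TCP teardown) and summarize them.
Added example for the logging section of this cheatsheet, not Cisco code. The sample lines are
constructed to follow the documented message formats; field names in the results are my own."""
import re
from collections import Counter, defaultdict

MESSAGE_PATTERNS = {
    # %ASA-4-106023: Deny tcp src outside:A/p dst inside:B/q by access-group "NAME" [0x0, 0x0]
    "deny": re.compile(
        r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
        r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?(?: \(type \d+, code \d+\))? '
        r'by access-group "(?P<acl>[^"]+)"'),
    # %ASA-6-302013: Built inbound TCP connection N for outside:A/p (A'/p') to inside:B/q (B'/q')
    "built": re.compile(
        r'%ASA-6-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<conn>\d+) for '
        r'(?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) \((?P<src_mapped>[\d.]+)/\d+\) to '
        r'(?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<dst_mapped>[\d.]+)/\d+\)'),
    # %ASA-6-302014: Teardown TCP connection N for outside:A/p to inside:B/q duration H:MM:SS bytes N REASON
    "teardown": re.compile(
        r'%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for (?P<src_if>[\w-]+):(?P<src>[\d.]+)/\d+ '
        r'to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/\d+ duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)'
        r'(?: (?P<reason>.+))?$'),
}

def parse_line(line):
    """Return a dict of fields plus 'kind', or None for messages this parser does not handle."""
    for kind, pattern in MESSAGE_PATTERNS.items():
        m = pattern.search(line)
        if m:
            return dict(m.groupdict(), kind=kind)
    return None

def summarize(lines, deny_threshold=3):
    """Count denies per (source, ACL), collect distinct denied ports per source, and pair
    built/teardown messages by connection id. Sources at or above deny_threshold are 'noisy'."""
    denies, ports, conns = Counter(), defaultdict(set), {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "deny":
            denies[(ev["src"], ev["acl"])] += 1
            if ev["dport"]:
                ports[ev["src"]].add(int(ev["dport"]))
        elif ev["kind"] == "built":
            # real vs. mapped destination exposes the static NAT in effect for the connection
            conns[ev["conn"]] = {"real_dst": ev["dst"], "mapped_dst": ev["dst_mapped"]}
        elif ev["kind"] == "teardown":
            conns.setdefault(ev["conn"], {}).update(
                duration=ev["duration"], bytes=int(ev["bytes"]), reason=ev["reason"])
    noisy = sorted({src for (src, _acl), n in denies.items() if n >= deny_threshold})
    return {"denies": denies, "ports": {s: sorted(p) for s, p in ports.items()},
            "conns": conns, "noisy_sources": noisy}

# Constructed sample lines, as a collector fed by 'logging host inside 192.168.1.100' would store them.
SAMPLE_LOGS = [
    'Mar 10 2024 09:15:01 ASA-Firewall : %ASA-4-106023: Deny tcp src outside:203.0.113.5/40123 dst inside:192.168.1.100/23 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 10 2024 09:15:01 ASA-Firewall : %ASA-4-106023: Deny tcp src outside:203.0.113.5/40124 dst inside:192.168.1.100/3389 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 10 2024 09:15:02 ASA-Firewall : %ASA-4-106023: Deny tcp src outside:203.0.113.5/40125 dst inside:192.168.1.101/445 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 10 2024 09:15:02 ASA-Firewall : %ASA-4-106023: Deny udp src outside:203.0.113.5/40126 dst inside:192.168.1.100/161 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 10 2024 09:15:03 ASA-Firewall : %ASA-4-106023: Deny icmp src outside:198.51.100.7 dst inside:192.168.1.1 (type 8, code 0) by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 10 2024 09:15:04 ASA-Firewall : %ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.9/51000 (198.51.100.9/51000) to inside:192.168.1.100/80 (203.0.113.10/80)',
    'Mar 10 2024 09:15:09 ASA-Firewall : %ASA-6-302014: Teardown TCP connection 1234 for outside:198.51.100.9/51000 to inside:192.168.1.100/80 duration 0:00:05 bytes 4312 TCP FINs',
    'Mar 10 2024 09:15:10 ASA-Firewall : %ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.50/50123 to outside:203.0.113.1/50123',
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOGS)
    for (src, acl), n in report["denies"].most_common():
        print(f"{n:3d} denies from {src} by {acl}, ports {report['ports'].get(src, [])}")
    print("noisy sources:", report["noisy_sources"])
```

Messages the parser does not know (the 305011 translation line in the sample) are skipped rather than failing the run, which is what a collector needs when the ASA also emits the many informational messages not covered here.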

Performance Monitoring

```bash
# Connection statistics
show conn count
show conn detail
show local-host

# Resource utilization
show blocks
show memory detail
show processes cpu-usage
show interface detail

# Threat detection (enable it, then read the statistics)
threat-detection basic-threat
threat-detection statistics
show threat-detection statistics

# Quality of Service
show service-policy
show class-map
show policy-map
```

Security Features

Intrusion Prevention

```bash
# Enable IPS
policy-map global_policy
 class inspection_default
  inspect ips

# Custom IPS policy
policy-map type inspect ips IPS_POLICY
 parameters
  sig-category all
  sig-category-action all drop-packet log

class-map type inspect ips IPS_CLASS
 match sig-id 1000 to 2000
 action drop-packet log

policy-map global_policy
 class inspection_default
  inspect ips IPS_POLICY
```

Application Inspection

```bash
# HTTP inspection
class-map type inspect http match-all HTTP_CLASS
 match request method get

policy-map type inspect http HTTP_POLICY
 parameters
  protocol-violation action drop-connection log
  body-match-maximum 200
 class HTTP_CLASS
  log

policy-map global_policy
 class inspection_default
  inspect http HTTP_POLICY

# FTP inspection (hide the server banner and the SYST reply from clients)
policy-map type inspect ftp FTP_POLICY
 parameters
  mask-banner
  mask-syst-reply

policy-map global_policy
 class inspection_default
  inspect ftp FTP_POLICY
```

Botnet Traffic Filter

```bash
# Enable botnet traffic filter (uses the dynamic database feed)
dynamic-filter use-database
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside

# Custom blacklist (names and addresses added here are treated as malicious)
dynamic-filter blacklist
 name malicious-domain.com
 address 192.0.2.100 255.255.255.255

# Custom whitelist (add trusted 'name' / 'address' entries under this sub-mode)
dynamic-filter whitelist

# Monitoring
show dynamic-filter statistics
show dynamic-filter reports top
```

Advanced Configuration

Quality of Service (QoS)

```bash
# Class maps
class-map VOICE_TRAFFIC
 match dscp ef
class-map VIDEO_TRAFFIC
 match dscp af41
class-map BULK_TRAFFIC
 match port tcp eq 21

# Policy map
policy-map QOS_POLICY
 class VOICE_TRAFFIC
  priority
  police output 1000000 8000
 class VIDEO_TRAFFIC
  bandwidth 2000000
 class BULK_TRAFFIC
  bandwidth remaining 10

# Apply to interface
service-policy QOS_POLICY interface outside
```

Modular Policy Framework

```bash
# Traffic classification (the Host header pattern must be a named regex object)
regex COMPANY_HOSTS ".*\.company\.com"
class-map type inspect http match-all HTTP_CLASS
 match request header host regex COMPANY_HOSTS

# Policy actions (matching requests are allowed and logged)
policy-map type inspect http HTTP_POLICY
 class HTTP_CLASS
  log

# Global policy application
policy-map global_policy
 class inspection_default
  inspect http HTTP_POLICY
```

Context Virtualization

```bash
# System context configuration
mode multiple

context admin
 allocate-interface GigabitEthernet0/0
 config-url disk0:/admin.cfg

context customer1
 allocate-interface GigabitEthernet0/1
 config-url disk0:/customer1.cfg

context customer2
 allocate-interface GigabitEthernet0/2
 config-url disk0:/customer2.cfg

# Resource allocation (limits are set per resource class; 0 = unlimited)
class default
 limit-resource All 0
 limit-resource Mac-addresses 65535
 limit-resource ASDM 5
```

Backup and Recovery

Configuration Backup

```bash
# Copy configuration to TFTP
copy running-config tftp://192.168.1.100/asa-config-backup.txt
copy startup-config tftp://192.168.1.100/asa-startup-backup.txt

# Copy to flash
copy running-config disk0:/backup-config.txt

# Copy to FTP (credentials and the config travel in cleartext; keep this on the management network)
copy running-config ftp://user:pass@192.168.1.100/asa-backup.txt

# Scheduled backup (via script)
# Create a script on an external server that pulls the config regularly
```

System Image Management

```bash
# Show current image
show version
show bootvar

# Copy new image
copy tftp://192.168.1.100/asa982-smp-k8.bin disk0:

# Verify image (compare the digest with the one published by Cisco before booting it)
verify /md5 disk0:/asa982-smp-k8.bin

# Set boot image
boot system disk0:/asa982-smp-k8.bin

# Reload with new image
reload
```

Factory Reset

```bash
# Erase configuration
write erase
erase disk0:

# Reset to factory defaults
configure factory-default

# Physical reset button
# Hold the reset button for 10+ seconds while powered on
```

Best Practices

Security Hardening

```bash
# Disable unnecessary services
# (with password recovery disabled, a lost enable password can only be recovered by erasing the configuration)
no service password-recovery
no http server enable
no snmp-server enable

# Strong authentication (management logins use the LOCAL user database)
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL

# Secure management (SSH only from the inside subnet, 10-minute idle timeout, SSHv2 only)
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2

# Certificate management (enroll with the internal CA over SCEP)
crypto ca trustpoint INTERNAL_CA
 enrollment url http://ca.company.com/certsrv
 subject-name CN=ASA-Firewall
crypto ca authenticate INTERNAL_CA
crypto ca enroll INTERNAL_CA

# Regular updates
# - Keep ASA software updated
# - Update signature databases
# - Review and update ACLs regularly
```
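The hardening items above are easy to verify mechanically against a saved `show running-config`. The script below is an added example for this cheatsheet, not Cisco code: it splits the configuration into top-level commands with their indented children and checks for the settings listed in this section (HTTP server disabled, SSHv2 pinned with a timeout and AAA, console timeout, logging enabled) plus two facts the earlier sections rely on: an SNMPv1/v2c community string and an IKEv1 policy using SHA-1 or a Diffie-Hellman group below 2048 bits, which is exactly what the `crypto ikev1 policy 10` in the Site-to-Site section configures. The finding codes (`HTTP-SERVER-ENABLED` and so on) are my own names, and both sample configurations are constructed.

```python
"""Audit an ASA running-config text against the hardening items in this cheatsheet.
Added example, not Cisco code. Finding codes (HTTP-SERVER-ENABLED, ...) are my own names;
the two sample configs below are constructed. Usage: python asa_audit.py show-run.txt"""
import re
import sys

WEAK_IKEV1_HASHES = {"md5", "sha"}   # 'sha' is SHA-1 in ASA IKEv1 policies
WEAK_DH_GROUPS = {"1", "2", "5"}     # MODP groups below 2048 bits

def parse_blocks(config):
    """Return [(top_level_command, [indented child lines])] in configuration order."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("!", "#", ":")):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit(config):
    """Return a list of (code, detail) findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    tops = [cmd for cmd, _ in blocks]

    def present(prefix):
        return any(c.startswith(prefix) for c in tops)

    findings = []
    if present("http server enable"):
        findings.append(("HTTP-SERVER-ENABLED", "ASDM/HTTPS server enabled; disable it unless ASDM is required"))
    if not present("ssh version 2"):
        findings.append(("SSH-VERSION-NOT-PINNED", "'ssh version 2' not set (older releases can still negotiate SSHv1)"))
    if not present("ssh timeout"):
        findings.append(("SSH-NO-TIMEOUT", "no explicit 'ssh timeout' (the cheatsheet uses 10 minutes)"))
    if not present("aaa authentication ssh console"):
        findings.append(("SSH-NO-AAA", "SSH logins are not bound to the LOCAL/AAA user database"))
    if "console timeout 0" in tops:
        findings.append(("CONSOLE-NO-TIMEOUT", "'console timeout 0' never expires console sessions"))
    if not present("logging enable"):
        findings.append(("LOGGING-DISABLED", "syslog is not enabled"))
    if present("snmp-server community"):
        findings.append(("SNMP-COMMUNITY", "SNMPv1/v2c community string configured; prefer SNMPv3 or disable SNMP"))
    for cmd, children in blocks:
        if not cmd.startswith("crypto ikev1 policy"):
            continue
        for child in children:
            m = re.fullmatch(r"hash (\w+)", child)
            if m and m.group(1) in WEAK_IKEV1_HASHES:
                findings.append(("IKEV1-WEAK-HASH", f"{cmd}: hash {m.group(1)}"))
            m = re.fullmatch(r"group (\d+)", child)
            if m and m.group(1) in WEAK_DH_GROUPS:
                findings.append(("IKEV1-WEAK-DH", f"{cmd}: DH group {m.group(1)}"))
    return findings

# Constructed sample: the cheatsheet's initial setup and IKEv1 policy taken literally.
WEAK_CONFIG = """\
hostname ASA-Firewall
console timeout 0
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
snmp-server community ASA-RO-STRING
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
"""

# Constructed sample: the same device after applying the hardening section.
HARDENED_CONFIG = """\
hostname ASA-Firewall
console timeout 10
logging enable
aaa authentication ssh console LOCAL
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for code, detail in audit(text):
        print(f"[{code}] {detail}")
```

Run it against the output of `copy running-config tftp://...` from the backup section; the checks are deliberately prefix-based so they work on the `show running-config` layout, where child settings are indented by one space under their parent command.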

Performance Optimization

```bash
# TCP normalizer options
tcp-map TCP_MAP
 tcp-options selective-ack allow
 tcp-options timestamp allow
 tcp-options window-scale allow

# Connection limits and TCP options are applied per class in a policy map
# (embryonic limits also turn on TCP intercept against SYN floods)
class-map TCP_CLASS
 match any
policy-map global_policy
 class TCP_CLASS
  set connection conn-max 65535
  set connection embryonic-conn-max 1000
  set connection per-client-max 100
  set connection per-client-embryonic-max 50
  set connection advanced-options TCP_MAP

# Memory diagnostics (for leak troubleshooting; tracking adds overhead, so not for normal operation)
memory caller-address
memory profile enable
memory tracking enable
```

Monitoring and Maintenance

```bash
# Regular monitoring commands
show memory
show processes cpu-usage
show interface
show conn count
show blocks

# Log analysis (severity 4 = warnings, 3 = errors, 2 = critical)
show logging | include %ASA-4
show logging | include %ASA-3
show logging | include %ASA-2

# Performance baselines
show perfmon interval 1
show traffic
show cpu usage

# Maintenance schedule
# Weekly:    Review logs and performance
# Monthly:   Update signatures and review ACLs
# Quarterly: Review and test failover
# Annually:  Review and update security policies
```

Troubleshooting Common Issues

Connectivity Issues

```bash
# Test connectivity
ping outside 8.8.8.8
traceroute outside 8.8.8.8

# Check NAT
show xlate local 192.168.1.100
show nat detail

# Verify routing
show route
show arp

# Check ACLs (hit counters show which entries are actually matching)
show access-list | include hitcnt
show access-list OUTSIDE_IN

# Packet capture for troubleshooting
capture TROUBLESHOOT interface inside match tcp host 192.168.1.100 any
show capture TROUBLESHOOT
```

VPN Issues

```bash
# Check VPN status
show vpn-sessiondb
show crypto ikev1 sa
show crypto ikev2 sa

# Debug VPN (use carefully; turn debugging off with 'undebug all' when done)
debug crypto ikev1
debug crypto ikev2
debug webvpn anyconnect

# Check certificates
show crypto ca certificates
show ssl trust-point

# Clear VPN sessions
clear crypto ikev1 sa
clear crypto ikev2 sa
vpn-sessiondb logoff all
```

Performance Issues

```bash
# Check resource utilization
show memory detail
show processes cpu-usage
show blocks

# Connection analysis
show conn count
show local-host detail

# Interface statistics
show interface detail
show traffic

# Clear counters for a fresh baseline ('clear conn' drops all active connections)
clear interface
clear traffic
clear conn
```

Resources