
Cisco ASA Cheat Sheet

Cisco Adaptive Security Appliance (ASA) is a network security device that combines firewall, VPN and (through an add-on module) intrusion-prevention capabilities. ASA provides threat protection, secure remote access and network segmentation for enterprise environments. This cheat sheet covers the essential commands and configurations for administering Cisco ASA firewalls. Unless noted otherwise, the syntax is for ASA 8.3 and later (object NAT and ACLs written against real, untranslated addresses); the addresses, host names and passwords are placeholders to be replaced.

Basic Configuration

Initial Setup

# Console access
# Connect via console cable (9600 baud, 8N1)
# Factory default: no username, blank enable password; set one before the box touches any network

# Enable privileged mode
enable

# Enter global configuration mode
configure terminal

# Set hostname
hostname ASA-Firewall

# Set domain name (also used in the subject of self-signed certificates and SSH host keys)
domain-name company.com

# Set enable password (placeholder; use a long, unique secret)
enable password P@ssw0rd123

# Create local admin user. privilege 15 is a keyword of the username command, not a separate line
username admin password P@ssw0rd123 privilege 15

# Console timeout in minutes. 0 disables the timeout: convenient on the bench, not acceptable in production
console timeout 0

# Save configuration (the two commands are equivalent)
write memory
copy running-config startup-config

Interface Configuration

# Enter interface configuration. security-level 0 is the least trusted, 100 the most trusted;
# without ACLs the ASA allows traffic from a higher to a lower level and denies the reverse
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.0.113.1 255.255.255.0
no shutdown

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown

interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 10.0.1.1 255.255.255.0
no shutdown

# Configure management interface. management-only keeps transit traffic off it; give it a subnet
# that is not reused elsewhere (the AnyConnect pool later in this sheet is 192.168.100.0/24)
interface Management0/0
nameif management
security-level 100
ip address 192.168.254.1 255.255.255.0
management-only
no shutdown

Basic Network Settings

# Configure default route (next hop is the outside gateway)
route outside 0.0.0.0 0.0.0.0 203.0.113.254

# Configure DNS (domain-lookup on the interface through which the resolvers are reached)
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4

# Configure NTP. Accurate time matters for certificate validation and log correlation.
# The ASA expects an IP address here, so resolve the pool names first or point at an internal NTP server
ntp server 0.pool.ntp.org
ntp server 1.pool.ntp.org
clock timezone EST -5
clock summer-time EDT recurring

# Configure logging: local buffer plus a syslog collector on the inside network.
# "logging buffered" sets the buffer level; the level sent to the syslog host is "logging trap"
logging enable
logging timestamp
logging buffer-size 8192
logging buffered informational
logging trap informational
logging host inside 192.168.1.100

Access Control Lists (ACLs)

Creating ACLs

# Create access list. ASA ACLs are evaluated top-down, first match wins, with an implicit deny
# at the end; since ASA 8.3 the destination is the real (untranslated) inside address
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.100 eq 80
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.100 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.101 eq 22
# Explicit deny with logging, so denied traffic shows up in syslog (message 106023)
access-list OUTSIDE_IN extended deny ip any any log

# Apply ACL to interface (inbound direction on the outside interface)
access-group OUTSIDE_IN in interface outside

# Inside to outside (typically permit all). Applying an ACL replaces the security-level
# implicit permit on that interface, so anything not listed is denied from then on
access-list INSIDE_OUT extended permit ip any any
access-group INSIDE_OUT in interface inside

# DMZ access control. An ACL applied "in" on the dmz interface filters traffic sourced from the DMZ,
# so use it to stop DMZ hosts from initiating connections into the inside network. Publishing the
# DMZ web server (10.0.1.10) to the Internet is done in OUTSIDE_IN and with static NAT, not here
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0 log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz

Advanced ACL Examples

# Time-based ACL. New entries are appended to the end of an ACL, so added after "permit ip any any"
# this one would never match; "line 1" inserts it at the top. To actually restrict the traffic outside
# business hours, pair it with a deny for the same traffic placed before the broad permit
time-range BUSINESS_HOURS
periodic weekdays 8:00 to 18:00
access-list INSIDE_OUT line 1 extended permit tcp 192.168.1.0 255.255.255.0 any eq 80 time-range BUSINESS_HOURS

# Object groups for cleaner ACLs (one ACE expands to every host/port combination)
object-group network WEB_SERVERS
network-object host 192.168.1.100
network-object host 192.168.1.101

object-group service WEB_SERVICES tcp
port-object eq 80
port-object eq 443

access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS object-group WEB_SERVICES

# Protocol-specific ACLs: ICMP replies to pings originated inside. These land after OUTSIDE_IN's final
# deny unless inserted with a line number. The stateful alternative is "inspect icmp" in the global
# policy, which tracks echo/echo-reply pairs and needs no ACEs at all
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded

Network Address Translation (NAT)

Static NAT

# Static NAT for web server (object NAT: the translation lives inside the network object;
# the ACL on the outside interface still references the real address 192.168.1.100)
object network WEB_SERVER
host 192.168.1.100
nat (inside,outside) static 203.0.113.10

# Static NAT with port translation (only TCP/25 of the mapped address is forwarded)
object network MAIL_SERVER
host 192.168.1.200
nat (inside,outside) static 203.0.113.20 service tcp 25 25

# Static NAT for a subnet: one-to-one mapping of 192.168.1.x onto 203.0.113.x.
# The mapped block must not overlap the outside interface address or the statics above,
# so a real deployment uses a dedicated public block here
object network INSIDE_SUBNET
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) static 203.0.113.0

Dynamic NAT

# Dynamic NAT pool. The mapped pool must be a network object (an inline range is not accepted);
# NAT_POOL is a name chosen here. Adding "interface" after the pool falls back to PAT when it is exhausted
object network NAT_POOL
range 203.0.113.100 203.0.113.110
object network INSIDE_USERS
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic NAT_POOL interface

# PAT (Port Address Translation) on the outside interface address.
# Use either this or the pool above for 192.168.1.0/24, not both
object network INSIDE_NETWORK
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface

# Manual (twice) NAT rules: evaluated before object NAT and able to match on the destination too
nat (inside,outside) source dynamic INSIDE_NETWORK interface destination static WEB_SERVER WEB_SERVER

NAT Exemption

# NAT exemption for VPN traffic: identity NAT written as manual NAT, which is evaluated before the
# object-NAT PAT rules and keeps inside addresses unchanged towards the VPN pool.
# route-lookup makes the ASA route by the real destination instead of the NAT egress interface
object network VPN_POOL
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static INSIDE_NETWORK INSIDE_NETWORK destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

# Identity NAT for the DMZ servers (same form: real and mapped object are identical)
object network DMZ_SERVERS
subnet 10.0.1.0 255.255.255.0
nat (dmz,outside) source static DMZ_SERVERS DMZ_SERVERS

VPN Configuration

Site-to-Site VPN

# Enable IKE on the outside interface (without this nothing negotiates)
crypto ikev1 enable outside
crypto ikev2 enable outside

# IKE version 1 policy. group 5 (1536-bit DH) is legacy; use group 14 or higher where the peer supports it
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

# IKE version 2 policy (preferred over IKEv1 for new tunnels)
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400

# Group policy for site-to-site
group-policy S2S_POLICY internal
group-policy S2S_POLICY attributes
vpn-tunnel-protocol ikev1 ikev2

# Tunnel group, named after the peer address (placeholder PSK; use a long random secret)
tunnel-group 203.0.113.50 type ipsec-l2l
tunnel-group 203.0.113.50 general-attributes
default-group-policy S2S_POLICY
tunnel-group 203.0.113.50 ipsec-attributes
ikev1 pre-shared-key MySecretKey123
ikev2 remote-authentication pre-shared-key MySecretKey123
ikev2 local-authentication pre-shared-key MySecretKey123

# Transform set / IPsec proposal (define these before the crypto map references them)
crypto ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ikev2 ipsec-proposal AES256-SHA256
protocol esp encryption aes-256
protocol esp integrity sha-256

# Interesting traffic: local subnet to the remote site's subnet. The remote subnet is not given
# on this sheet; 10.20.0.0/16 is a placeholder
access-list VPN_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.0.0

# Crypto map (one map per interface; the sequence number orders peers)
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.50
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside

# A NAT exemption for VPN_TRAFFIC is also required (see NAT Exemption); otherwise the interface
# PAT rewrites the source address before encryption and the traffic never matches the tunnel

Remote Access VPN (AnyConnect)

# Enable SSL VPN on the outside interface
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.9.0-webdeploy-k9.pkg
anyconnect enable
tunnel-group-list enable

# IP pool for VPN clients (must not overlap any directly connected subnet)
ip local pool VPN_POOL 192.168.100.1-192.168.100.100 mask 255.255.255.0

# Group policy for remote access. With tunnelspecified only the listed networks go through the
# tunnel; note that split tunneling exposes the client to its local network while connected
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL_ACL
address-pools value VPN_POOL
dns-server value 192.168.1.1 8.8.8.8
wins-server value 192.168.1.1

# Split tunnel ACL (standard ACL listing the networks reached through the tunnel)
access-list SPLIT_TUNNEL_ACL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL_ACL standard permit 10.0.1.0 255.255.255.0

# Connection profile (tunnel group) that clients select from the drop-down; without one the
# DefaultWEBVPNGroup is used. ANYCONNECT_TG and the alias are names chosen here
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
address-pool VPN_POOL
default-group-policy ANYCONNECT_POLICY
tunnel-group ANYCONNECT_TG webvpn-attributes
group-alias Employees enable

# User configuration (LOCAL database; in production authenticate against AAA with MFA instead)
username vpnuser password VpnP@ss123
username vpnuser attributes
vpn-group-policy ANYCONNECT_POLICY

Certificate-Based Authentication

# Generate RSA key pair (2048 bits is the minimum worth using)
crypto key generate rsa label ASA_KEY modulus 2048

# Create self-signed certificate. Acceptable for a lab; clients will warn about it, so use a
# CA-issued certificate for a production SSL VPN
crypto ca trustpoint LOCAL_CA
enrollment self
subject-name CN=ASA-Firewall,O=Company,C=US
keypair ASA_KEY
crypto ca enroll LOCAL_CA

# Present this certificate on the SSL VPN interface
ssl trust-point LOCAL_CA outside

# Certificate-based user authentication. A "username ... password" entry does not achieve this;
# the pieces are a trustpoint holding the CA that issues client certificates and a connection
# profile that requires a certificate. CLIENT_CA and CERT_TG are names chosen for this example,
# and CERT_POLICY is a group policy defined like ANYCONNECT_POLICY above
crypto ca trustpoint CLIENT_CA
enrollment terminal
crypto ca authenticate CLIENT_CA
tunnel-group CERT_TG type remote-access
tunnel-group CERT_TG general-attributes
default-group-policy CERT_POLICY
username-from-certificate CN
tunnel-group CERT_TG webvpn-attributes
authentication certificate

High Availability

Active/Standby Failover

# Primary ASA. Configure the link and the key first and enable failover last; the standby
# unit then replicates its configuration from the active one
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 192.168.200.1 255.255.255.0 standby 192.168.200.2
# Failover key: without it, state synchronisation (including VPN keys) crosses the link in clear text
failover key MyFailoverKey123
failover

# Interface monitoring (interfaces with a nameif are monitored by default; listed to be explicit)
monitor-interface outside
monitor-interface inside
monitor-interface dmz

# Each data interface also needs a standby address, for example on the inside interface:
# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

# Secondary ASA (only the unit role differs; everything else is replicated once failover is up)
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover key MyFailoverKey123
failover

Active/Active Failover

# Requires multiple context mode (the unit reloads when switching). Contexts are split into two
# failover groups, each active on a different unit
mode multiple

# Context configuration (from the system execution space). A physical interface may be shared
# between contexts. GigabitEthernet0/3 is the failover link in the example above, so it is not
# allocated to any context here
context admin
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/admin.cfg

context CTX1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/2
config-url disk0:/ctx1.cfg

context CTX2
allocate-interface GigabitEthernet0/1
allocate-interface GigabitEthernet0/2
config-url disk0:/ctx2.cfg

# Failover groups (preempt returns a group to its preferred unit after that unit recovers)
failover group 1
primary
preempt
failover group 2
secondary
preempt

# Assign contexts to failover groups (the admin context stays in group 1 by default)
context CTX1
join-failover-group 1
context CTX2
join-failover-group 2

Monitoring and Troubleshooting

Show Commands

# Interface status
show interface
show interface ip brief
show interface GigabitEthernet0/0

# Routing information
show route
show route outside
show arp

# NAT information
show nat
show xlate
show nat detail

# VPN status
show vpn-sessiondb
show vpn-sessiondb detail
show crypto ikev1 sa
show crypto ikev2 sa
show crypto ipsec sa

# Access list hits
show access-list
show access-list OUTSIDE_IN

# System information
show version
show inventory
show environment
show processes
show memory
show cpu usage

Logging and Debugging

# Configure logging levels (the level sent to the syslog host is "logging trap")
logging enable
logging timestamp
logging buffer-size 16384
logging buffered debugging
logging trap informational
# Syslog over TCP port 1470 (6 = TCP, 17 = UDP). With TCP syslog the ASA blocks new connections
# when the collector is unreachable unless "logging permit-hostdown" is set
logging host inside 192.168.1.100 6/1470
logging permit-hostdown

# Change the severity of individual syslog message IDs
# (106023 = ACL deny, 302013/302014 = TCP connection built/torn down)
logging message 106023 level informational
logging message 302013 level informational
logging message 302014 level informational

# Debug commands (use with caution: debugs are CPU-heavy on a busy box; "undebug all" turns them off)
debug crypto ikev1 127
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
debug crypto ipsec 127
# For NAT and ACL questions, simulate a packet instead of debugging: packet-tracer reports the NAT
# rule, ACL entry and route a flow would hit. Inbound flows use the mapped address as destination
# (198.51.100.5 is a placeholder source)
packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 80 detailed

# Packet capture (always bounded by a match filter; stop and delete it when done)
capture OUTSIDE interface outside match tcp any any eq 80
show capture OUTSIDE
copy /pcap capture:OUTSIDE tftp://192.168.1.100/outside_capture.pcap
no capture OUTSIDE

# Clear commands ("clear xlate" drops the existing translations and the connections using them)
clear xlate
clear crypto ikev1 sa
clear crypto ikev2 sa
clear crypto ipsec sa
clear access-list counters
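To make use of the message IDs above (106023 for ACL denies, 302013/302014 for TCP connection build-up and teardown), here is an added Python example, not from the original page, that parses those three messages from syslog text, flags sources whose denies spread across many host/port pairs (a sweep), and joins build/teardown pairs by connection ID so each flow shows both its real and NAT-mapped target. The log lines are constructed to follow the documented ASA message formats; the addresses are documentation ranges, not real traffic, and the threshold of three distinct targets is an arbitrary choice for the sample.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the ASA message format (not real traffic): an outside host probing
# several ports/hosts, one unrelated UDP deny, and two TCP connections built through a static NAT.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.7/45012 dst inside:192.168.1.100/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/45013 dst inside:192.168.1.100/3389 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/45014 dst inside:192.168.1.100/445 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/45015 dst inside:192.168.1.101/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.99/5000 dst inside:192.168.1.100/161 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/45020 (198.51.100.7/45020) to inside:192.168.1.100/80 (203.0.113.10/80)
%ASA-6-302014: Teardown TCP connection 4711 for outside:198.51.100.7/45020 to inside:192.168.1.100/80 duration 0:00:02 bytes 812 TCP FINs
%ASA-6-302013: Built inbound TCP connection 4712 for outside:203.0.113.99/5100 (203.0.113.99/5100) to inside:192.168.1.100/443 (203.0.113.10/443)
"""

DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<direction>inbound|outbound) (?P<proto>\w+) connection (?P<id>\d+) "
    r"for (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) \((?P<mip>[\d.]+)/(?P<mport>\d+)\)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown (?P<proto>\w+) connection (?P<id>\d+) for .* "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def parse_events(text):
    """Turn raw syslog lines into dicts; lines for other message IDs are ignored."""
    events = []
    for line in text.splitlines():
        for kind, rx in (("deny", DENY_RE), ("built", BUILT_RE), ("teardown", TEARDOWN_RE)):
            m = rx.match(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events


def find_scanners(events, min_targets=3):
    """Sources denied against at least min_targets distinct (host, port) pairs: a port or host sweep."""
    targets = defaultdict(set)
    for e in events:
        if e["kind"] == "deny":
            targets[e["sip"]].add((e["dip"], int(e["dport"])))
    return {ip: sorted(t) for ip, t in targets.items() if len(t) >= min_targets}


def connection_summary(events):
    """Join 302013 and 302014 on the connection id so each flow shows its real target,
    the mapped (NAT) address it was reached through, and how it ended."""
    conns = {}
    for e in events:
        if e["kind"] == "built":
            conns[e["id"]] = {"src": e["sip"], "dst": e["dip"], "mapped": e["mip"],
                              "dport": int(e["dport"]), "bytes": None, "reason": None}
        elif e["kind"] == "teardown" and e["id"] in conns:
            conns[e["id"]]["bytes"] = int(e["bytes"])
            conns[e["id"]]["reason"] = e["reason"]
    return conns


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for ip, pairs in find_scanners(events).items():
        print(f"possible scan from {ip}: {len(pairs)} distinct targets, e.g. {pairs[:3]}")
    for cid, c in connection_summary(events).items():
        state = "still open" if c["bytes"] is None else f"{c['bytes']} bytes, {c['reason']}"
        print(f"conn {cid}: {c['src']} -> {c['dst']}:{c['dport']} via {c['mapped']} ({state})")
```

A connection that appears in 302013 without a matching 302014 is still open at the end of the window, which is why the summary keeps bytes as None rather than zero.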

Performance Monitoring

# Connection statistics
show conn count
show conn detail
show local-host

# Resource utilization
show blocks
show memory detail
show processes cpu-usage
show interface detail

# Threat detection (basic-threat is on by default; the statistics add CPU load on a busy
# firewall, so enable only what you will actually read)
threat-detection basic-threat
threat-detection statistics
show threat-detection statistics

# Quality of Service
show service-policy
show class-map
show policy-map

Security Features

Intrusion Prevention

# The ASA itself has no signature engine and "inspect ips" is not a command. Traffic is redirected
# from the global policy to the IPS module: "ips" for the AIP-SSM on the classic 5500 series,
# "sfr" for the FirePOWER module on the 5500-X. Signatures, categories and their actions are
# managed on the module, not on the ASA CLI
class-map IPS_TRAFFIC
match any

policy-map global_policy
class IPS_TRAFFIC
# AIP-SSM: inline, and drop traffic if the module fails (fail-open to prefer availability)
ips inline fail-close
# FirePOWER module instead (mutually exclusive with the line above):
# sfr fail-close

# Promiscuous (monitor-only) mode for an evaluation period
# ips promiscuous fail-open

Application Inspection

# HTTP inspection: a class-map selects what to match, an inspection policy-map says what to do about it
class-map type inspect http match-all HTTP_CLASS
match request method get

policy-map type inspect http HTTP_POLICY
parameters
protocol-violation action drop-connection log
body-match-maximum 200
class HTTP_CLASS
log

policy-map global_policy
class inspection_default
inspect http HTTP_POLICY

# FTP inspection (strict enforces command/response sequencing; mask-syst-reply hides the server OS)
policy-map type inspect ftp FTP_POLICY
parameters
mask-banner
mask-syst-reply

policy-map global_policy
class inspection_default
inspect ftp strict FTP_POLICY

Botnet Traffic Filter

# Botnet Traffic Filter. This is a legacy feature that depends on a Cisco-hosted dynamic database
# which has been retired in recent releases; check the release notes for your version before relying on it
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
# DNS snooping is what maps the domain names in the database to addresses seen in traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map dynamic-filter-snoop

# Custom blacklist / whitelist (sub-modes: "name" for domains, "address" for IPs;
# updates.company.com is a placeholder)
dynamic-filter blacklist
name malicious-domain.com
address 192.0.2.100 255.255.255.255
dynamic-filter whitelist
name updates.company.com

# Monitoring
show dynamic-filter statistics
show dynamic-filter reports top malware-sites

Advanced Configuration

Quality of Service (QoS)

# Class maps
class-map VOICE_TRAFFIC
match dscp ef
class-map VIDEO_TRAFFIC
match dscp af41
class-map BULK_TRAFFIC
match port tcp eq 21

# Policy map. The ASA offers priority queuing, policing and shaping only; there is no "bandwidth"
# guarantee command, so non-priority classes are rate-limited with policing instead
# (the video and bulk rates below are placeholders)
policy-map QOS_POLICY
class VOICE_TRAFFIC
priority
class VIDEO_TRAFFIC
police output 2000000 16000
class BULK_TRAFFIC
police output 500000 8000

# The priority queue must exist on the egress interface before the policy does anything
priority-queue outside
service-policy QOS_POLICY interface outside

Modular Policy Framework

# Traffic classification. The regex is defined as a named object first and then referenced;
# HTTP_HOST_CLASS is a separate class from the HTTP_CLASS used earlier
regex COMPANY_HOST "\.company\.com$"
class-map type inspect http match-all HTTP_HOST_CLASS
match request header host regex COMPANY_HOST

# Policy actions (actions inside an inspection policy are log, drop-connection and reset)
policy-map type inspect http HTTP_POLICY
class HTTP_HOST_CLASS
log

# Global policy application
policy-map global_policy
class inspection_default
inspect http HTTP_POLICY

Context Virtualization

# System context configuration ("mode multiple" converts the box and reloads it; run it once)
mode multiple
context admin
allocate-interface GigabitEthernet0/0
config-url disk0:/admin.cfg

context customer1
allocate-interface GigabitEthernet0/1
config-url disk0:/customer1.cfg

context customer2
allocate-interface GigabitEthernet0/2
config-url disk0:/customer2.cfg

# Resource allocation is done through a resource class that contexts join (0 = unlimited;
# CUSTOMER_CLASS is a name chosen here)
class CUSTOMER_CLASS
limit-resource all 0
limit-resource mac-addresses 65535
limit-resource asdm 5
context customer1
member CUSTOMER_CLASS
context customer2
member CUSTOMER_CLASS

Backup and Recovery

# Copy configuration to TFTP (clear text and unauthenticated; acceptable only on a management network)
copy running-config tftp://192.168.1.100/asa-config-backup.txt
copy startup-config tftp://192.168.1.100/asa-startup-backup.txt

# Copy to flash
copy running-config disk0:/backup-config.txt

# Copy to FTP. Credentials in the URL end up in the command history and cross the wire in clear text;
# prefer SCP (9.2 and later) where the server supports it
copy running-config ftp://user:pass@192.168.1.100/asa-backup.txt
copy running-config scp://user@192.168.1.100/asa-backup.txt

# Full backup including the configuration, certificates and keys and AnyConnect images (ASA 9.3 and later)
backup location disk0:/asa-backup.tar.gz

# Scheduled backup (via script): the ASA has no built-in scheduler, so have an external host pull
# the configuration over SSH/SCP on a schedule. "show running-config" masks pre-shared keys as *****;
# "more system:running-config" shows them, so a backup taken that way must be stored accordingly

System Image Management

# Show current image
show version
show bootvar

# Copy new image (the file name is ASA 9.8(2) multi-core; use the current release for your platform)
copy tftp://192.168.1.100/asa982-smp-k8.bin disk0:

# Verify the image before booting from it: compare the hash with the value published on Cisco's
# download page (SHA-512 verification is available on newer releases)
verify /md5 disk0:/asa982-smp-k8.bin
verify /sha-512 disk0:/asa982-smp-k8.bin

# Set boot image (entries are tried in order; keep the previous image as a fallback entry)
boot system disk0:/asa982-smp-k8.bin

# Save and reload with the new image
write memory
reload

Factory Reset

# Erase the startup configuration (the running configuration stays until the next reload)
write erase
# Erase the whole flash file system: this also deletes the images and AnyConnect packages; rarely what you want
erase disk0:

# Reset to factory defaults (restores the default configuration)
configure factory-default

# Password recovery: ASA appliances have no reset button. Interrupt the boot (Esc) to enter ROMMON,
# set the config register to ignore the startup configuration, boot, then restore the configuration,
# set new passwords and put the register back. "no service password-recovery" disables this procedure
# rommon> confreg 0x41
# rommon> boot
# (log in with the blank password)
# copy startup-config running-config
# enable password NewP@ssw0rd
# config-register 0x1
# write memory

Best Practices

# Disable unnecessary services. "no service password-recovery" also makes a lost enable password
# unrecoverable without wiping the box; "no http server enable" disables ASDM, so if ASDM is needed
# restrict it with "http <net> <mask> inside" instead; for SNMP prefer SNMPv3 with authPriv over disabling it
no service password-recovery
no http server enable
no snmp-server enable

# Strong authentication (LOCAL shown; point these at RADIUS/TACACS+ with MFA where available)
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL

# Secure management: SSH only from the management network, SSHv2, and strong key exchange and
# ciphers (dh-group14-sha256 requires 9.12 or later)
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh cipher encryption high
ssh cipher integrity high

# Certificate management (SCEP enrollment against an internal CA)
crypto ca trustpoint INTERNAL_CA
enrollment url http://ca.company.com/certsrv
subject-name CN=ASA-Firewall
crypto ca authenticate INTERNAL_CA
crypto ca enroll INTERNAL_CA

# Regular updates
# Keep ASA software updated (track Cisco PSIRT advisories for the ASA and AnyConnect)
# Update signature databases (on the IPS/FirePOWER module)
# Review and update ACLs regularly (remove entries with hitcnt=0 that no longer have an owner)
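The hardening points above can be checked mechanically from a saved running-config (the kind of file the backup section produces). This Python script is an added example, not part of the original sheet: it flags telnet, unrestricted or outside-facing ASDM access, missing SSHv2, AAA, NTP and remote syslog, a console that never times out, and IKE policies using DH groups below 14. The sample configuration is constructed (this sheet's baseline plus a few deliberately weak lines), and the severity labels are this example's own choice, not a Cisco classification.

```python
import re

# Constructed running-config excerpt (not from a real device): the sheet's own baseline lines
# plus deliberately weak settings (telnet, ASDM open to the world, no NTP) for the audit to catch.
SAMPLE_CONFIG = """\
hostname ASA-Firewall
enable password P@ssw0rd123
username admin password P@ssw0rd123 privilege 15
console timeout 0
http server enable
http 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
logging enable
logging host inside 192.168.1.100
aaa authentication ssh console LOCAL
"""


def audit_config(cfg):
    """Return (severity, finding) tuples for hardening gaps found in an ASA running-config."""
    lines = [l.rstrip() for l in cfg.splitlines()]
    findings = []

    def present(pattern):
        rx = re.compile(pattern)
        return any(rx.match(l) for l in lines)

    # Management plane
    if present(r"^telnet \d"):
        findings.append(("high", "telnet management is enabled; remove it and use SSH only"))
    if present(r"^http \S+ \S+ outside$"):
        findings.append(("high", "ASDM/HTTPS management is reachable on the outside interface"))
    if present(r"^http 0\.0\.0\.0 0\.0\.0\.0 "):
        findings.append(("high", "ASDM/HTTPS management is allowed from any source address"))
    if not present(r"^ssh version 2$"):
        findings.append(("high", "SSH version 2 is not enforced"))
    if present(r"^console timeout 0$"):
        findings.append(("medium", "console timeout 0: console sessions never expire"))
    if not present(r"^aaa authentication ssh console "):
        findings.append(("medium", "SSH logins are not bound to AAA (aaa authentication ssh console ...)"))

    # Visibility
    if not (present(r"^logging enable$") and present(r"^logging host ")):
        findings.append(("medium", "no remote syslog destination; logs are lost on reload"))
    if not present(r"^ntp server "):
        findings.append(("low", "no NTP server; log and certificate timestamps will drift"))

    # IKE policies: DH groups below 14 are too small to protect an AES-256 key exchange
    policy = None
    for l in lines:
        m = re.match(r"^crypto (ikev[12]) policy (\d+)$", l)
        if m:
            policy = f"{m.group(1)} policy {m.group(2)}"
            continue
        if not l.startswith(" "):
            policy = None  # any other top-level line ends the policy sub-mode
            continue
        m = re.match(r"^ group (\d+)$", l)
        if policy and m and int(m.group(1)) < 14:
            findings.append(("medium", f"{policy} uses DH group {m.group(1)}; use group 14 or higher"))
    return findings


if __name__ == "__main__":
    for severity, text in audit_config(SAMPLE_CONFIG):
        print(f"[{severity:6}] {text}")
```

The checks are deliberately regex-on-lines rather than a full config parser: ASA running-configs are flat, sub-mode lines are indented by one space, and that is enough structure for a nightly audit against the backups.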

Performance Optimization

# Connection limits. "set connection" is only valid inside a policy-map class; the class here
# matches everything through the box (CONN_LIMITS is a name chosen here)
class-map CONN_LIMITS
match any
policy-map global_policy
class CONN_LIMITS
set connection conn-max 65535 embryonic-conn-max 1000
set connection per-client-max 100 per-client-embryonic-max 50

# TCP normalizer options: let the options modern stacks rely on pass instead of clearing them
tcp-map TCP_MAP
tcp-options selective-ack allow
tcp-options timestamp allow
tcp-options window-scale allow

policy-map global_policy
class CONN_LIMITS
set connection advanced-options TCP_MAP

# Memory "optimization": these are memory-debugging commands that themselves cost CPU and memory
# (memory caller-address also needs a start and end address). Enable them only while chasing a
# leak with Cisco TAC, then turn them off
memory caller-address
memory profile enable
memory tracking enable

Monitoring and Maintenance

# Regular monitoring commands
show memory
show processes cpu-usage
show interface
show conn count
show blocks

# Log analysis (severity 2 to 4 messages: critical, errors, warnings)
show logging | include %ASA-4
show logging | include %ASA-3
show logging | include %ASA-2

# Performance baselines
show perfmon
show traffic
show cpu usage

# Maintenance schedule
Weekly: review logs and performance
Monthly: update signatures and review ACLs
Quarterly: review and test failover
Annually: review and update security policies
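The monthly ACL review above is simpler with the hit counters from show access-list. The following Python example (added here, not from the original page) parses that output, including the indented lines the ASA prints when it expands an object-group entry, lists the ACEs with zero hits, and totals hits per ACL. Zero hits since the last clear access-list counters means the entry is either obsolete or shadowed by an earlier one, and both deserve a look. The sample output is constructed to follow the ASA's format; the hash values are arbitrary.

```python
import re

# Constructed "show access-list" output in the ASA format (not from a real device). The ASA expands
# object-group ACEs into indented child lines that keep the parent's line number.
SAMPLE_SHOW_ACL = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE_IN; 6 elements; name hash: 0x1a2b3c4d
access-list OUTSIDE_IN line 1 extended permit tcp any host 192.168.1.100 eq www (hitcnt=15432) 0x5e6f7a8b
access-list OUTSIDE_IN line 2 extended permit tcp any host 192.168.1.100 eq https (hitcnt=88210) 0x1c2d3e4f
access-list OUTSIDE_IN line 3 extended permit tcp any host 192.168.1.101 eq ssh (hitcnt=0) 0x9a8b7c6d
access-list OUTSIDE_IN line 4 extended permit tcp any object-group WEB_SERVERS object-group WEB_SERVICES (hitcnt=12) 0x2b3c4d5e
  access-list OUTSIDE_IN line 4 extended permit tcp any host 192.168.1.100 eq www (hitcnt=0) 0x3c4d5e6f
  access-list OUTSIDE_IN line 4 extended permit tcp any host 192.168.1.101 eq https (hitcnt=12) 0x4d5e6f7a
access-list OUTSIDE_IN line 5 extended deny ip any any log (hitcnt=5120) 0x6f7a8b9c
access-list INSIDE_OUT; 1 elements; name hash: 0x0badf00d
access-list INSIDE_OUT line 1 extended permit ip any any (hitcnt=991234) 0x7a8b9c0d
"""

ENTRY_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>.*?) "
    r"\(hitcnt=(?P<hits>\d+)\) 0x[0-9a-f]+$"
)


def parse_show_access_list(text):
    """Return one dict per ACE that carries a hit counter; ACL headers and banner lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if not m:
            continue
        entries.append({
            "acl": m.group("acl"),
            "line": int(m.group("line")),
            "ace": m.group("ace"),
            "hits": int(m.group("hits")),
            "expanded": bool(m.group("indent")),  # indented = expansion of an object-group ACE
        })
    return entries


def unused_entries(entries):
    """ACEs with zero hits: obsolete, or shadowed by an earlier entry (here line 4's expansion
    for 192.168.1.100/www never fires because line 1 matches that traffic first)."""
    return [e for e in entries if e["hits"] == 0]


def acl_totals(entries):
    """Total hits per ACL, counting top-level ACEs only (expanded children are already in their parent)."""
    totals = {}
    for e in entries:
        if not e["expanded"]:
            totals[e["acl"]] = totals.get(e["acl"], 0) + e["hits"]
    return totals


if __name__ == "__main__":
    entries = parse_show_access_list(SAMPLE_SHOW_ACL)
    for acl, total in acl_totals(entries).items():
        print(f"{acl}: {total} hits")
    for e in unused_entries(entries):
        where = "object-group member" if e["expanded"] else "ACE"
        print(f"review {e['acl']} line {e['line']} ({where}): {e['ace']}")
```

Feed it the output of show access-list captured after a representative period (a month covers most batch jobs); run clear access-list counters first so the numbers reflect that window only.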

Common Troubleshooting

Connectivity Issues

# Test connectivity from a given interface
ping outside 8.8.8.8
traceroute 8.8.8.8 source outside

# Check NAT (what the host is currently translated to, and which rule applies)
show xlate local 192.168.1.100
show nat detail

# Verify routing
show route
show arp

# Check ACLs (hitcnt=0 on an entry that should be matching points at ordering or NAT problems)
show access-list | include hitcnt
show access-list OUTSIDE_IN

# Simulate the flow end to end (NAT, ACL, route) before reaching for a capture
packet-tracer input inside tcp 192.168.1.100 12345 8.8.8.8 443 detailed

# Packet capture for troubleshooting (remove it afterwards; captures consume memory)
capture TROUBLESHOOT interface inside match tcp host 192.168.1.100 any
show capture TROUBLESHOOT
no capture TROUBLESHOOT

VPN Issues

# Check VPN status
show vpn-sessiondb
show crypto ikev1 sa
show crypto ikev2 sa
show crypto ipsec sa

# Debug VPN (use carefully on a busy box; "undebug all" stops them)
debug crypto ikev1 127
debug crypto ikev2 protocol 127
debug webvpn anyconnect 255

# Check certificates (an expired certificate or an incomplete chain is the usual AnyConnect problem)
show crypto ca certificates
show ssl

# Clear VPN sessions (this disconnects the affected users)
clear crypto ikev1 sa
clear crypto ikev2 sa
vpn-sessiondb logoff all

Performance Issues

# Check resource utilization
show memory detail
show processes cpu-usage
show blocks

# Connection analysis (connection and embryonic-connection counts per host)
show conn count
show local-host detail

# Interface statistics (look for overruns, drops and input errors)
show interface detail
show traffic

# Clear counters for a fresh baseline. "clear conn" is not a counter reset: it drops every
# active connection through the firewall, so run it only when that is the intent
clear interface
clear traffic
clear conn

Resources

- Cisco ASA Configuration Guides: https://www.cisco.com/c/en/us/support/security/adaptive-security-appliances/products-installation-and-configuration-guides-list.html
- Cisco ASA Command References: https://www.cisco.com/c/en/us/support/security/adaptive-security-appliances/products-command-reference-list.html
- Cisco ASA troubleshooting guide (Cisco document 118046): https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliances/118046-troubleshoot-asa-00.html