# Cisco ASA Cheat Sheet
Cisco Adaptive Security Appliance (ASA) is a comprehensive network security device that combines firewall, VPN and intrusion prevention capabilities. ASA provides advanced threat protection, secure remote access and network segmentation for enterprise environments. This cheat sheet covers the essential commands and configurations for managing Cisco ASA firewalls.
## Basic Configuration
### Initial Configuration
```bash
# Console access
# Connect via console cable (9600 baud, 8N1)
# Default username: blank, password: blank
# Enable privileged mode
enable
# Enter global configuration mode
configure terminal
# Set hostname
hostname ASA-Firewall
# Set domain name
domain-name company.com
# Set enable password
enable password P@ssw0rd123
# Create local user (the privilege level is given on the same line as the password)
username admin password P@ssw0rd123 privilege 15
# Set console timeout (0 = never time out; use a value such as 10 minutes on production units)
console timeout 0
# Save configuration (the two commands are equivalent)
write memory
copy running-config startup-config
```
### Interface Configuration
```bash
# Enter interface configuration
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.0.113.1 255.255.255.0
no shutdown
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 10.0.1.1 255.255.255.0
no shutdown
# Configure management interface
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
no shutdown
```
### Basic Network Settings
```bash
# Configure default route
route outside 0.0.0.0 0.0.0.0 203.0.113.254
# Configure DNS
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
# Configure NTP
ntp server 0.pool.ntp.org
ntp server 1.pool.ntp.org
clock timezone EST -5
clock summer-time EDT recurring
# Configure logging
logging enable
logging timestamp
logging buffer-size 8192
logging buffered informational
logging host inside 192.168.1.100
```
## Access Control Lists (ACLs)
### Creating ACLs
```bash
# Create access list
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.100 eq 80
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.100 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.101 eq 22
access-list OUTSIDE_IN extended deny ip any any log
# Apply ACL to interface
access-group OUTSIDE_IN in interface outside
# Inside to outside (typically permit all)
access-list INSIDE_OUT extended permit ip any any
access-group INSIDE_OUT in interface inside
# DMZ access control
access-list DMZ_IN extended permit tcp any host 10.0.1.10 eq 80
access-list DMZ_IN extended permit tcp any host 10.0.1.10 eq 443
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```
### Advanced ACL Examples
```bash
# Time-based ACL
time-range BUSINESS_HOURS
periodic weekdays 8:00 to 18:00
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq 80 time-range BUSINESS_HOURS
# Object groups for cleaner ACLs
object-group network WEB_SERVERS
network-object host 192.168.1.100
network-object host 192.168.1.101
object-group service WEB_SERVICES tcp
port-object eq 80
port-object eq 443
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS object-group WEB_SERVICES
# Protocol-specific ACLs
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
```
## Network Address Translation (NAT)
### Static NAT
```bash
# Static NAT for web server
object network WEB_SERVER
host 192.168.1.100
nat (inside,outside) static 203.0.113.10
# Static NAT with port translation
object network MAIL_SERVER
host 192.168.1.200
nat (inside,outside) static 203.0.113.20 service tcp 25 25
# Static NAT for subnet
object network INSIDE_SUBNET
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) static 203.0.113.0
```
### Dynamic NAT
```bash
# Dynamic NAT pool (the mapped range must be a network object; an inline range is not accepted)
object network NAT_POOL
range 203.0.113.100 203.0.113.110
object network INSIDE_USERS
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic NAT_POOL
# PAT (Port Address Translation)
object network INSIDE_NETWORK
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
# Manual NAT rules
nat (inside,outside) source dynamic INSIDE_NETWORK interface destination static WEB_SERVER WEB_SERVER
```
### NAT Exemption
```bash
# NAT exemption for VPN traffic
object network VPN_POOL
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static INSIDE_NETWORK INSIDE_NETWORK destination static VPN_POOL VPN_POOL no-proxy-arp
# Identity NAT (real addresses are kept; the twice NAT rule is entered at global configuration level)
object network DMZ_SERVERS
subnet 10.0.1.0 255.255.255.0
nat (dmz,outside) source static DMZ_SERVERS DMZ_SERVERS
```
## VPN Configuration
### Site-to-Site VPN
```bash
# IKE version 1 policy
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
# IKE version 2 policy
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
# Group policy for site-to-site
group-policy S2S_POLICY internal
group-policy S2S_POLICY attributes
vpn-tunnel-protocol ikev1 ikev2
# Tunnel group configuration
tunnel-group 203.0.113.50 type ipsec-l2l
tunnel-group 203.0.113.50 general-attributes
default-group-policy S2S_POLICY
tunnel-group 203.0.113.50 ipsec-attributes
ikev1 pre-shared-key MySecretKey123
ikev2 remote-authentication pre-shared-key MySecretKey123
ikev2 local-authentication pre-shared-key MySecretKey123
# Crypto ACL selecting the traffic to encrypt (the remote site 192.168.2.0/24 is an example value)
access-list VPN_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
# Crypto map
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.50
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside
# Transform set
crypto ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ikev2 ipsec-proposal AES256-SHA256
protocol esp encryption aes-256
protocol esp integrity sha-256
```
### Remote Access VPN (AnyConnect)
```bash
# Enable SSL VPN
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.9.0-webdeploy-k9.pkg
anyconnect enable
tunnel-group-list enable
# IP pool for VPN clients
ip local pool VPN_POOL 192.168.100.1-192.168.100.100 mask 255.255.255.0
# Group policy for remote access
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list SPLIT_TUNNEL_ACL
address-pools value VPN_POOL
dns-server value 192.168.1.1 8.8.8.8
wins-server value 192.168.1.1
# Split tunnel ACL
access-list SPLIT_TUNNEL_ACL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL_ACL standard permit 10.0.1.0 255.255.255.0
# User configuration
username vpnuser password VpnP@ss123
username vpnuser attributes
vpn-group-policy ANYCONNECT_POLICY
```
### Certificate-Based Authentication
```bash
# Generate RSA key pair
crypto key generate rsa label ASA_KEY modulus 2048
# Create self-signed certificate
crypto ca trustpoint LOCAL_CA
enrollment self
subject-name CN=ASA-Firewall,O=Company,C=US
keypair ASA_KEY
crypto ca enroll LOCAL_CA
# Configure certificate for SSL VPN
ssl trust-point LOCAL_CA outside
# Certificate-based user authentication: the tunnel group must request a client
# certificate; the username entry maps the authenticated user to a group policy
# (CERT_TG is an example tunnel-group name; CERT_POLICY is assumed to be defined
# like ANYCONNECT_POLICY above)
tunnel-group CERT_TG type remote-access
tunnel-group CERT_TG webvpn-attributes
authentication certificate
username certuser password CertP@ss123
username certuser attributes
vpn-group-policy CERT_POLICY
```
## High Availability
### Active/Standby Failover
```bash
# Primary ASA configuration
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 192.168.200.1 255.255.255.0 standby 192.168.200.2
# Interface monitoring
monitor-interface outside
monitor-interface inside
monitor-interface dmz
# Failover key (authenticates and encrypts the failover link; set it before enabling failover)
failover key MyFailoverKey123
# Enable failover last, once the link and key are configured
failover
# Secondary ASA configuration (same link and key; again enable failover last)
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover key MyFailoverKey123
failover
```
### Active/Active Failover
```bash
# Context configuration (active/active requires multiple context mode)
mode multiple
admin-context admin
context admin
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/admin.cfg
context CTX1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/2
config-url disk0:/ctx1.cfg
context CTX2
allocate-interface GigabitEthernet0/1
# (GigabitEthernet0/3 is the failover link in the example above; use a free interface in practice)
allocate-interface GigabitEthernet0/3
config-url disk0:/ctx2.cfg
# Failover groups
failover group 1
primary
preempt
failover group 2
secondary
preempt
# Assign contexts to failover groups
context CTX1
join-failover-group 1
context CTX2
join-failover-group 2
```
## Monitoring and Troubleshooting
### Show Commands
```bash
# Interface status
show interface
show interface ip brief
show interface GigabitEthernet0/0
# Routing information
show route
show route outside
show arp
# NAT information
show nat
show xlate
show nat detail
# VPN status
show vpn-sessiondb
show vpn-sessiondb detail
show crypto ikev1 sa
show crypto ikev2 sa
show crypto ipsec sa
# Access list hits
show access-list
show access-list OUTSIDE_IN
# System information
show version
show inventory
show environment
show processes
show memory
show cpu usage
```
### Logging and Debugging
```bash
# Configure logging levels
logging enable
logging timestamp
logging buffer-size 16384
logging buffered debugging
logging host inside 192.168.1.100 6/1470
# Syslog message IDs
logging message 106023 level informational
logging message 302013 level informational
logging message 302014 level informational
# Debug commands (use with caution: debug output on a busy unit can exhaust the CPU)
debug crypto ikev1
debug crypto ikev2
debug crypto ipsec
debug nat
debug access-list
# Turn all debugging off when finished
no debug all
# Packet capture
capture OUTSIDE interface outside match tcp any any eq 80
show capture OUTSIDE
# Export in pcap format (without /pcap the copy is the text listing, not a pcap file)
copy /pcap capture:OUTSIDE tftp://192.168.1.100/outside_capture.pcap
# Remove the capture when done (captures hold a memory buffer)
no capture OUTSIDE
# Clear commands (clear xlate tears down existing translations and their connections)
clear xlate
clear crypto ikev1 sa
clear crypto ikev2 sa
clear crypto ipsec sa
clear access-list counters
```
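The syslog messages enabled above (106023 ACL deny, 302013 connection built, 302014 connection teardown) are what a SIEM or a quick script normally consumes. The parser below is an added example, not part of the original cheat sheet: it extracts the fields from constructed sample lines in the ASA's message format (addresses and hostname are made up) and counts ACL denies per source, flagging sources that reach a threshold.

```python
import re
from collections import Counter

# Constructed sample syslog lines (made-up addresses) in the format the ASA emits
# for the message IDs enabled above: 106023 = ACL deny, 302013 = connection
# built, 302014 = connection teardown.
SAMPLE_LOG = """\
Jun 10 2024 12:00:01 ASA-Firewall : %ASA-4-106023: Deny tcp src outside:198.51.100.23/51234 dst inside:192.168.1.100/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jun 10 2024 12:00:02 ASA-Firewall : %ASA-4-106023: Deny tcp src outside:198.51.100.23/51235 dst inside:192.168.1.100/3389 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jun 10 2024 12:00:03 ASA-Firewall : %ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.23/51236 (198.51.100.23/51236) to inside:192.168.1.100/80 (203.0.113.10/80)
Jun 10 2024 12:00:04 ASA-Firewall : %ASA-6-302014: Teardown TCP connection 4711 for outside:198.51.100.23/51236 to inside:192.168.1.100/80 duration 0:00:01 bytes 2048 TCP FINs
Jun 10 2024 12:00:05 ASA-Firewall : %ASA-4-106023: Deny udp src outside:203.0.113.77/5000 dst dmz:10.0.1.10/161 by access-group "OUTSIDE_IN" [0x0, 0x0]
"""

# %ASA-<severity>-<message id>: <body>; the prefix (timestamp, hostname) varies by logging setup
HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
# 106023: Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>] ... by access-group "<acl>"
DENY = re.compile(r'Deny (?P<proto>\S+) src (?P<sif>[^:]+):(?P<src>[^/ ]+)(?:/(?P<sport>\d+))? '
                  r'dst (?P<dif>[^:]+):(?P<dst>[^/ ]+)(?:/(?P<dport>\d+))? .*by access-group "(?P<acl>[^"]+)"')
# 302013/302014: Built|Teardown [inbound|outbound] TCP|UDP connection <id> for <if>:<ip>/<port> ... to <if>:<ip>/<port>
CONN = re.compile(r'(?P<event>Built|Teardown) (?:(?P<dir>inbound|outbound) )?(?P<proto>TCP|UDP) connection (?P<id>\d+) '
                  r'for (?P<sif>[^:]+):(?P<src>[^/]+)/(?P<sport>\d+) .*?to (?P<dif>[^:]+):(?P<dst>[^/]+)/(?P<dport>\d+)')


def parse_line(line):
    """Return a dict for a 106023/302013/302014 line, or None for anything else."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "msgid": m["msgid"]}
    pattern = DENY if rec["msgid"] == "106023" else CONN if rec["msgid"] in ("302013", "302014") else None
    body = pattern.search(m["body"]) if pattern else None
    if body is None:
        return None
    rec.update(body.groupdict())
    return rec


def deny_counts(log_text, threshold=2):
    """Count 106023 denies per source address; flag sources at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["msgid"] == "106023":
            counts[rec["src"]] += 1
    flagged = sorted(src for src, n in counts.items() if n >= threshold)
    return counts, flagged
```

The same parser works on a file exported from the syslog host configured above; the threshold is deliberately low for the five sample lines.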
### Performance Monitoring
```bash
# Connection statistics
show conn count
show conn detail
show local-host
# Resource utilization
show blocks
show memory detail
show processes cpu-usage
show interface detail
# Threat detection
threat-detection basic-threat
threat-detection statistics
show threat-detection statistics
# Quality of Service
show service-policy
show class-map
show policy-map
```
## Security Features
### Intrusion Prevention
```bash
# Send traffic to the IPS module (AIP-SSM/SSC) from a policy map: "inline" lets the
# module drop packets, "promiscuous" only gives it a copy; fail-open keeps traffic
# flowing if the module fails, fail-close blocks it
class-map IPS_TRAFFIC
match any
policy-map global_policy
class IPS_TRAFFIC
ips inline fail-open
# Signature policy (categories, signature IDs, drop/log actions) is configured on the
# IPS sensor itself, not in the ASA CLI
```
### Application Inspection
```bash
# HTTP inspection
# Request matching goes in an inspection class map; actions are drop-connection, reset or log
class-map type inspect http match-all HTTP_CLASS
match request method get
policy-map type inspect http HTTP_POLICY
parameters
protocol-violation action drop-connection log
body-match-maximum 200
class HTTP_CLASS
log
policy-map global_policy
class inspection_default
inspect http HTTP_POLICY
# FTP inspection (strict mode is required to attach a policy map)
policy-map type inspect ftp FTP_POLICY
parameters
mask-banner
mask-syst-reply
policy-map global_policy
class inspection_default
inspect ftp strict FTP_POLICY
```
### Botnet Traffic Filter
```bash
# Enable botnet traffic filter (needs the dynamic database updater and DNS snooping)
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
# DNS snooping so that domain names in the database can be matched to addresses
policy-map global_policy
class inspection_default
inspect dns preset_dns_map dynamic-filter-snoop
# Custom blacklist (domain names and addresses)
dynamic-filter blacklist
name malicious-domain.com
address 192.0.2.100 255.255.255.255
# Custom whitelist (never treated as malicious; the entry is an example value)
dynamic-filter whitelist
name trusted-partner.example
# Monitoring
show dynamic-filter statistics
show dynamic-filter reports
```
## Advanced Configuration
### Quality of Service (QoS)
```bash
# Class maps
class-map VOICE_TRAFFIC
match dscp ef
class-map VIDEO_TRAFFIC
match dscp af41
class-map BULK_TRAFFIC
match port tcp eq 21
# Policy map (ASA supports priority, police and shape; the IOS bandwidth command does not exist here;
# rate values are example values)
policy-map QOS_POLICY
class VOICE_TRAFFIC
priority
class VIDEO_TRAFFIC
police output 2000000 16000
class BULK_TRAFFIC
police output 500000 8000
# Apply to interface; priority queuing only takes effect once the interface has a priority queue
priority-queue outside
service-policy QOS_POLICY interface outside
```
### Modular Policy Framework
```bash
# Traffic classification (regex objects are referenced by name in the match)
regex COMPANY_HOST ".*\.company\.com"
class-map type inspect http match-all HTTP_CLASS
match request header host regex COMPANY_HOST
# Policy actions (matching requests are allowed and logged; non-matching traffic is untouched)
policy-map type inspect http HTTP_POLICY
class HTTP_CLASS
log
# Global policy application
policy-map global_policy
class inspection_default
inspect http HTTP_POLICY
```
### Context Virtualization
```bash
# System context configuration (switching to multiple mode reloads the unit)
mode multiple
admin-context admin
context admin
allocate-interface GigabitEthernet0/0
config-url disk0:/admin.cfg
context customer1
allocate-interface GigabitEthernet0/1
config-url disk0:/customer1.cfg
context customer2
allocate-interface GigabitEthernet0/2
config-url disk0:/customer2.cfg
# Resource allocation (limits live in a resource class; "all 0" means unlimited unless overridden)
class default
limit-resource all 0
limit-resource mac-addresses 65535
limit-resource asdm 5
```
## Backup and Recovery
### Configuration Backup
```bash
# Copy configuration to TFTP (TFTP and FTP carry the config in cleartext; use them on a management network only)
copy running-config tftp://192.168.1.100/asa-config-backup.txt
copy startup-config tftp://192.168.1.100/asa-startup-backup.txt
# Copy to flash
copy running-config disk0:/backup-config.txt
# Copy to FTP
copy running-config ftp://user:pass@192.168.1.100/asa-backup.txt
# Scheduled backup (via script)
# Create script file on external server to pull config regularly
```
### System Image Management
```bash
# Show current image
show version
show bootvar
# Copy new image
copy tftp://192.168.1.100/asa982-smp-k8.bin disk0:
# Set boot image
boot system disk0:/asa982-smp-k8.bin
# Verify image
verify /md5 disk0:/asa982-smp-k8.bin
# Save the boot setting, then reload with the new image
write memory
reload
```
### Factory Reset
```bash
# Erase the startup configuration
write erase
# Erase the whole flash (also removes images, AnyConnect packages and certificates; rarely what you want)
erase disk0:
# Reset to factory defaults
configure factory-default
# Physical reset button
# Hold reset button for 10+ seconds while powered on
```
## Best Practices
### Security Hardening
```bash
# Disable unnecessary services
# (with password recovery disabled, a lost enable password can only be fixed by wiping the configuration)
no service password-recovery
# (ASDM and clientless access need the HTTP server; disable it only if neither is used)
no http server enable
no snmp-server enable
# Strong authentication
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL
# Secure management (only the listed subnet may open SSH; never allow 0.0.0.0 0.0.0.0 on outside)
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
# Certificate management
crypto ca trustpoint INTERNAL_CA
enrollment url http://ca.company.com/certsrv
subject-name CN=ASA-Firewall
crypto ca authenticate INTERNAL_CA
crypto ca enroll INTERNAL_CA
# Regular updates
# Keep ASA software updated
# Update signature databases
# Review and update ACLs regularly
```
### Performance Optimization
```bash
# Connection limits and TCP normalization are applied per class inside a policy map
# TCP optimization
tcp-map TCP_MAP
tcp-options selective-ack allow
tcp-options timestamp allow
tcp-options window-scale allow
class-map TCP_CLASS
match any
policy-map global_policy
class TCP_CLASS
# Connection limits (total, embryonic/half-open, and per-client limits)
set connection conn-max 65535
set connection embryonic-conn-max 1000
set connection per-client-max 100
set connection per-client-embryonic-max 50
set connection advanced-options TCP_MAP
# Memory diagnostics (troubleshooting aids that add overhead; enable only while investigating a leak)
# memory caller-address needs a start and end address range (placeholders below)
memory caller-address <start_addr> <end_addr>
memory profile enable
memory tracking enable
```
### Monitoring and Maintenance
```bash
# Regular monitoring commands
show memory
show processes cpu-usage
show interface
show conn count
show blocks
# Log analysis (severity 2 = critical, 3 = error, 4 = warning)
show logging | include %ASA-4
show logging | include %ASA-3
show logging | include %ASA-2
# Performance baselines
show perfmon
show traffic
show cpu usage
# Maintenance schedule
# Weekly: Review logs and performance
# Monthly: Update signatures and review ACLs
# Quarterly: Review and test failover
# Annually: Review and update security policies
```
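Reviewing ACLs on the schedule above normally starts from the hit counters in `show access-list`. As an added example (not from the original cheat sheet), the script below parses constructed sample output for the OUTSIDE_IN list used on this page (counts and hashes are made up), lists the ACEs with zero hits, and reports the hits on the explicit deny-any rule.

```python
import re

# Constructed sample of "show access-list OUTSIDE_IN" output in the layout the ASA
# prints: a header line, one line per ACE with its hit count, and for an ACE that
# uses object groups the expanded entries indented beneath it (counts and hashes made up).
SAMPLE_SHOW_ACL = """\
access-list OUTSIDE_IN; 6 elements; name hash: 0x1d2a5e3f
access-list OUTSIDE_IN line 1 extended permit tcp any host 192.168.1.100 eq www (hitcnt=1523) 0x8ed66b60
access-list OUTSIDE_IN line 2 extended permit tcp any host 192.168.1.100 eq https (hitcnt=0) 0xf8852875
access-list OUTSIDE_IN line 3 extended permit tcp any host 192.168.1.101 eq ssh (hitcnt=0) 0x3a1b2c3d
access-list OUTSIDE_IN line 4 extended permit tcp any object-group WEB_SERVERS object-group WEB_SERVICES 0x4e5f6a7b
  access-list OUTSIDE_IN line 4 extended permit tcp any host 192.168.1.100 eq www (hitcnt=88) 0x11111111
  access-list OUTSIDE_IN line 4 extended permit tcp any host 192.168.1.101 eq https (hitcnt=0) 0x22222222
access-list OUTSIDE_IN line 5 extended deny ip any any log informational interval 300 (hitcnt=4102) 0x9c8d7e6f
"""

# One ACE line: optional indent (expanded group entry), ACL name, line number, the ACE
# text, an optional hit counter (absent on the unexpanded object-group line) and a hash.
ACE = re.compile(r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) "
                 r"(?P<ace>.+?)(?: \(hitcnt=(?P<hits>\d+)\))? 0x[0-9a-f]+$")


def parse_show_access_list(text):
    """Yield (acl, line, expanded, ace, hits) per ACE line; hits is None where no counter is printed."""
    for raw in text.splitlines():
        m = ACE.match(raw)
        if not m:  # header lines such as "access-list X; N elements; ..." are skipped
            continue
        hits = int(m["hits"]) if m["hits"] is not None else None
        yield m["acl"], int(m["line"]), bool(m["indent"]), m["ace"], hits


def unused_aces(text):
    """ACEs (expanded entries included) whose hit count is zero: candidates for ACL review."""
    return [(acl, line, expanded, ace)
            for acl, line, expanded, ace, hits in parse_show_access_list(text) if hits == 0]


def catchall_deny_hits(text):
    """Hits on the explicit 'deny ip any any' ACE per ACL; a growing count is blocked traffic worth reviewing."""
    return {acl: hits for acl, _, _, ace, hits in parse_show_access_list(text)
            if ace.startswith("extended deny ip any any") and hits is not None}
```

Zero-hit entries are only meaningful after the counters have been running for a representative period, so clear them with `clear access-list counters` and re-check at the next review.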
## Common Troubleshooting
### Connectivity Issues
```bash
# Test connectivity
ping outside 8.8.8.8
traceroute outside 8.8.8.8
# Check NAT
show xlate local 192.168.1.100
show nat detail
# Verify routing
show route
show arp
# Check ACLs
show access-list | include hitcnt
show access-list OUTSIDE_IN
# Packet capture for troubleshooting
capture TROUBLESHOOT interface inside match tcp host 192.168.1.100 any
show capture TROUBLESHOOT
```
### VPN Issues
```bash
# Check VPN status
show vpn-sessiondb
show crypto ikev1 sa
show crypto ikev2 sa
# Debug VPN (use carefully; turn off with "no debug all" when done)
debug crypto ikev1
debug crypto ikev2
debug webvpn anyconnect
no debug all
# Check certificates
show crypto ca certificates
show ssl trust-point
# Clear VPN sessions
clear crypto ikev1 sa
clear crypto ikev2 sa
vpn-sessiondb logoff all
```
### Performance Issues
```bash
# Check resource utilization
show memory detail
show processes cpu-usage
show blocks
# Connection analysis
show conn count
show local-host detail
# Interface statistics
show interface detail
show traffic
# Clear counters for baseline
clear interface
clear traffic
# clear conn tears down every active connection through the firewall; run it only in a maintenance window
clear conn
```