# Cisco ASA Cheat Sheet

Cisco Adaptive Security Appliance (ASA) is a comprehensive network security device that combines firewall, VPN and intrusion prevention capabilities. ASA provides advanced threat protection, secure remote access and network segmentation for enterprise environments. This cheat sheet covers the essential commands and configurations for managing Cisco ASA firewalls.

## Basic Configuration

### Initial Configuration

```bash
# Console access
# Connect via console cable (9600 baud, 8N1)
# Default username: blank, password: blank
# Enable privileged mode
enable
# Enter global configuration mode
configure terminal
# Set hostname
hostname ASA-Firewall
# Set domain name
domain-name company.com
# Set enable password
enable password P@ssw0rd123
# Create local user
username admin password P@ssw0rd123
username admin privilege 15
# Set console timeout (0 = the console session never times out)
console timeout 0
# Save configuration
write memory
copy running-config startup-config
```

### Interface Configuration

```bash
# Enter interface configuration
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.0.113.1 255.255.255.0
no shutdown
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 10.0.1.1 255.255.255.0
no shutdown
# Configure management interface
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
no shutdown
```

### Basic Network Settings

```bash
# Configure default route
route outside 0.0.0.0 0.0.0.0 203.0.113.254
# Configure DNS
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
# Configure NTP
ntp server 0.pool.ntp.org
ntp server 1.pool.ntp.org
clock timezone EST -5
clock summer-time EDT recurring
# Configure logging
logging enable
logging timestamp
logging buffer-size 8192
logging buffered informational
logging host inside 192.168.1.100
```

## Access Control Lists (ACL)

### Creating ACLs

```bash
# Create access list
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.100 eq 80
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.100 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.101 eq 22
access-list OUTSIDE_IN extended deny ip any any log
# Apply ACL to interface
access-group OUTSIDE_IN in interface outside
# Inside to outside (typically permit all)
access-list INSIDE_OUT extended permit ip any any
access-group INSIDE_OUT in interface inside
# DMZ access control
access-list DMZ_IN extended permit tcp any host 10.0.1.10 eq 80
access-list DMZ_IN extended permit tcp any host 10.0.1.10 eq 443
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

### Advanced ACL Examples

```bash
# Time-based ACL
time-range BUSINESS_HOURS
periodic weekdays 8:00 to 18:00
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq 80 time-range BUSINESS_HOURS
# Object groups for cleaner ACLs
object-group network WEB_SERVERS
network-object host 192.168.1.100
network-object host 192.168.1.101
object-group service WEB_SERVICES tcp
port-object eq 80
port-object eq 443
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS object-group WEB_SERVICES
# Protocol-specific ACLs
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
```
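As an added illustration of how the ASA flattens the object-group rule above (example code, not part of the cheat sheet or any Cisco tooling), the following Python expands the WEB_SERVERS/WEB_SERVICES entry into the individual ACEs the firewall actually evaluates. The embedded config is constructed from the snippet above, and only the `network-object host` and `port-object eq` member forms used on this page are handled.

```python
import itertools

# Constructed sample: the object-group ACL from the cheat sheet above.
CONFIG = """\
object-group network WEB_SERVERS
 network-object host 192.168.1.100
 network-object host 192.168.1.101
object-group service WEB_SERVICES tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS object-group WEB_SERVICES
access-list OUTSIDE_IN extended deny ip any any log
"""


def parse_groups(config):
    """Collect object-group members as {name: [member, ...]}. Only the member
    forms used on this page are handled; any other line ends the current group."""
    groups, current = {}, None
    for tokens in (l.split() for l in config.splitlines() if l.strip()):
        if tokens[0] == "object-group":
            current = groups.setdefault(tokens[2], [])
        elif current is not None and tokens[:2] == ["network-object", "host"]:
            current.append(f"host {tokens[2]}")
        elif current is not None and tokens[:2] == ["port-object", "eq"]:
            current.append(f"eq {tokens[2]}")
        else:
            current = None
    return groups


def expand_acl(config, acl_name):
    """Expand each 'object-group X' reference in ACL acl_name into flat ACEs, one
    per combination of members: the rule set the ASA evaluates and that
    'show access-list' displays beneath the object-group line."""
    groups, aces = parse_groups(config), []
    for tokens in (l.split() for l in config.splitlines() if l.strip()):
        if tokens[:2] != ["access-list", acl_name]:
            continue
        choices, i = [], 2          # alternatives for each token position
        while i < len(tokens):
            if tokens[i] == "object-group":
                choices.append(groups[tokens[i + 1]])
                i += 2
            else:
                choices.append([tokens[i]])
                i += 1
        for combo in itertools.product(*choices):
            aces.append(f"access-list {acl_name} " + " ".join(combo))
    return aces
```

Two hosts times two ports yield four permit ACEs, followed by the single explicit deny; the expanded count is what determines ACL memory use and the order in which hits are matched.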

## Network Address Translation (NAT)

### Static NAT

```bash
# Static NAT for web server
object network WEB_SERVER
host 192.168.1.100
nat (inside,outside) static 203.0.113.10
# Static NAT with port translation
object network MAIL_SERVER
host 192.168.1.200
nat (inside,outside) static 203.0.113.20 service tcp 25 25
# Static NAT for subnet
object network INSIDE_SUBNET
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) static 203.0.113.0
```

### Dynamic NAT

```bash
# Dynamic NAT pool
object network INSIDE_USERS
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic 203.0.113.100-203.0.113.110
# PAT (Port Address Translation)
object network INSIDE_NETWORK
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
# Manual NAT rules
nat (inside,outside) source dynamic INSIDE_NETWORK interface destination static WEB_SERVER WEB_SERVER
```

### NAT Exemption

```bash
# NAT exemption for VPN traffic
object network VPN_POOL
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static INSIDE_NETWORK INSIDE_NETWORK destination static VPN_POOL VPN_POOL no-proxy-arp
# Identity NAT
object network DMZ_SERVERS
subnet 10.0.1.0 255.255.255.0
nat (dmz,outside) static DMZ_SERVERS DMZ_SERVERS
```

## VPN Configuration

### Site-to-Site VPN

```bash
# IKE version 1 policy
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
# DH group 5 (1536-bit MODP) is considered weak; prefer group 14 or higher
group 5
lifetime 86400
# IKE version 2 policy
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
# Group policy for site-to-site
group-policy S2S_POLICY internal
group-policy S2S_POLICY attributes
vpn-tunnel-protocol ikev1 ikev2
# Tunnel group configuration
tunnel-group 203.0.113.50 type ipsec-l2l
tunnel-group 203.0.113.50 general-attributes
default-group-policy S2S_POLICY
tunnel-group 203.0.113.50 ipsec-attributes
ikev1 pre-shared-key MySecretKey123
ikev2 remote-authentication pre-shared-key MySecretKey123
ikev2 local-authentication pre-shared-key MySecretKey123
# Crypto map
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.50
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside
# Transform set
crypto ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ikev2 ipsec-proposal AES256-SHA256
protocol esp encryption aes-256
protocol esp integrity sha-256
```

### Remote Access VPN (AnyConnect)

```bash
# Enable SSL VPN
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.9.0-webdeploy-k9.pkg
anyconnect enable
tunnel-group-list enable
# IP pool for VPN clients
ip local pool VPN_POOL 192.168.100.1-192.168.100.100 mask 255.255.255.0
# Group policy for remote access
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list SPLIT_TUNNEL_ACL
address-pools value VPN_POOL
dns-server value 192.168.1.1 8.8.8.8
wins-server value 192.168.1.1
# Split tunnel ACL
access-list SPLIT_TUNNEL_ACL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL_ACL standard permit 10.0.1.0 255.255.255.0
# User configuration
username vpnuser password VpnP@ss123
username vpnuser attributes
vpn-group-policy ANYCONNECT_POLICY
```

### Certificate-Based Authentication

```bash
# Generate RSA key pair
crypto key generate rsa label ASA_KEY modulus 2048
# Create self-signed certificate
crypto ca trustpoint LOCAL_CA
enrollment self
subject-name CN=ASA-Firewall,O=Company,C=US
keypair ASA_KEY
crypto ca enroll LOCAL_CA
# Configure certificate for SSL VPN
ssl trust-point LOCAL_CA outside
# Certificate-based user authentication
username certuser password CertP@ss123
username certuser attributes
vpn-group-policy CERT_POLICY
```

## High Availability

### Active/Standby Failover

```bash
# Primary ASA configuration
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 192.168.200.1 255.255.255.0 standby 192.168.200.2
# Interface monitoring
monitor-interface outside
monitor-interface inside
monitor-interface dmz
# Failover key
failover key MyFailoverKey123
# Secondary ASA configuration
failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover key MyFailoverKey123
```

### Active/Active Failover

```bash
# Context configuration
context admin
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/admin.cfg
context CTX1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/2
config-url disk0:/ctx1.cfg
context CTX2
allocate-interface GigabitEthernet0/1
allocate-interface GigabitEthernet0/3
config-url disk0:/ctx2.cfg
# Failover groups
failover group 1
primary
preempt
failover group 2
secondary
preempt
# Assign contexts to failover groups
context CTX1
join-failover-group 1
context CTX2
join-failover-group 2
```

## Monitoring and Troubleshooting

### Show Commands

```bash
# Interface status
show interface
show interface ip brief
show interface GigabitEthernet0/0
# Routing information
show route
show route outside
show arp
# NAT information
show nat
show xlate
show nat detail
# VPN status
show vpn-sessiondb
show vpn-sessiondb detail
show crypto ikev1 sa
show crypto ikev2 sa
show crypto ipsec sa
# Access list hits
show access-list
show access-list OUTSIDE_IN
# System information
show version
show inventory
show environment
show processes
show memory
show cpu usage
```

### Logging and Debugging

```bash
# Configure logging levels
logging enable
logging timestamp
logging buffer-size 16384
logging buffered debugging
logging host inside 192.168.1.100 6/1470
# Syslog message IDs
logging message 106023 level informational
logging message 302013 level informational
logging message 302014 level informational
# Debug commands (use with caution)
debug crypto ikev1
debug crypto ikev2
debug crypto ipsec
debug nat
debug access-list
# Packet capture
capture OUTSIDE interface outside match tcp any any eq 80
show capture OUTSIDE
copy capture:OUTSIDE tftp://192.168.1.100/outside_capture.pcap
# Clear commands
clear xlate
clear crypto ikev1 sa
clear crypto ikev2 sa
clear crypto ipsec sa
clear access-list counters
```
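Added example (not from the cheat sheet): a small parser for the three syslog message IDs enabled above, 106023 (ACL deny), 302013 and 302014 (TCP connection built and torn down), which counts denies per source and ACL and reports connections still open at the end of the log. The sample lines are constructed in the standard ASA message format; the header regex searches rather than anchors, so a syslog timestamp or hostname prefix is tolerated.

```python
import re
from collections import Counter

# Constructed sample lines in the standard ASA syslog formats for the message IDs
# enabled above: 106023 (ACL deny), 302013/302014 (TCP connection built/torn down).
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.7/41234 dst inside:192.168.1.100/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/41235 dst inside:192.168.1.101/3389 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.8/51000 (198.51.100.8/51000) to inside:192.168.1.100/443 (203.0.113.10/443)
%ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.8/51000 to inside:192.168.1.100/443 duration 0:00:05 bytes 2210 TCP FINs
%ASA-6-302013: Built outbound TCP connection 12346 for outside:203.0.113.50/443 (203.0.113.50/443) to inside:192.168.1.20/50422 (203.0.113.1/50422)
%ASA-4-106023: Deny udp src dmz:10.0.1.10/5353 dst inside:192.168.1.1/53 by access-group "DMZ_IN" [0x0, 0x0]
"""

HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)")
DENY = re.compile(r"Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
                  r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
CONN = re.compile(r"(?P<event>Built|Teardown) (?:inbound |outbound )?TCP connection (?P<conn_id>\d+) for "
                  r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)")
PARSERS = {"106023": DENY, "302013": CONN, "302014": CONN}


def parse_line(line):
    """Return a dict of fields for a 106023/302013/302014 line, else None."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "msgid": m["msgid"]}
    body = PARSERS.get(rec["msgid"])
    if body is None or not (d := body.search(m["text"])):
        return None
    rec.update(d.groupdict())
    return rec


def summarize(log_text):
    """Count ACL denies per (source IP, ACL) and list TCP connections that were
    built but not torn down within the log, i.e. still open at its end."""
    denies, open_conns = Counter(), set()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["msgid"] == "106023":
            denies[(rec["src"], rec["acl"])] += 1
        elif rec["event"] == "Built":
            open_conns.add(rec["conn_id"])
        else:
            open_conns.discard(rec["conn_id"])
    return denies, sorted(open_conns)
```

A source that accumulates many 106023 denies against different ports on OUTSIDE_IN, as 198.51.100.7 does in the sample, is the pattern a detection rule would alert on.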

### Performance Monitoring

```bash
# Connection statistics
show conn count
show conn detail
show local-host
# Resource utilization
show blocks
show memory detail
show processes cpu-usage
show interface detail
# Threat detection
threat-detection basic-threat
threat-detection statistics
show threat-detection statistics
# Quality of Service
show service-policy
show class-map
show policy-map
```

## Security Features

### Intrusion Prevention

```bash
# Enable IPS
policy-map global_policy
class inspection_default
inspect ips
# Custom IPS policy
policy-map type inspect ips IPS_POLICY
parameters
sig-category all
sig-category-action all drop-packet log
class type inspect ips IPS_CLASS
match sig-id 1000 to 2000
action drop-packet log
policy-map global_policy
class inspection_default
inspect ips IPS_POLICY
```

### Application Inspection

```bash
# HTTP inspection
policy-map type inspect http HTTP_POLICY
parameters
protocol-violation action drop-packet log
body-match-maximum 200
class type inspect http HTTP_CLASS
match request method get
action allow log
policy-map global_policy
class inspection_default
inspect http HTTP_POLICY
# FTP inspection
policy-map type inspect ftp FTP_POLICY
parameters
mask-banner
mask-reply
policy-map global_policy
class inspection_default
inspect ftp FTP_POLICY
```

### Botnet Traffic Filter

```bash
# Enable botnet traffic filter
dynamic-filter enable interface outside
dynamic-filter use-database
dynamic-filter drop blacklist
dynamic-filter whitelist
# Custom blacklist (domain names use 'name', IP addresses use 'address' with a mask)
dynamic-filter blacklist
name malicious-domain.com
address 192.0.2.100 255.255.255.255
# Monitoring
show dynamic-filter statistics
show dynamic-filter reports
```

## Advanced Configuration

```bash
# Class maps
class-map VOICE_TRAFFIC
match dscp ef
class-map VIDEO_TRAFFIC
match dscp af41
class-map BULK_TRAFFIC
match port tcp eq 21
# Policy map
policy-map QOS_POLICY
class VOICE_TRAFFIC
priority
police output 1000000 8000
class VIDEO_TRAFFIC
bandwidth 2000000
class BULK_TRAFFIC
bandwidth remaining 10
# Apply to interface
service-policy QOS_POLICY interface outside
```

### Modular Policy Framework

```bash
# Traffic classification (a match on a regex references a named regex object)
regex COMPANY_HOST ".*\.company\.com"
class-map type inspect http HTTP_CLASS
match request header host regex COMPANY_HOST
# Policy actions
policy-map type inspect http HTTP_POLICY
class HTTP_CLASS
allow log
# Global policy application
policy-map global_policy
class inspection_default
inspect http HTTP_POLICY
```

### Context Virtualization

```bash
# System context configuration
mode multiple
context admin
allocate-interface GigabitEthernet0/0
config-url disk0:/admin.cfg
context customer1
allocate-interface GigabitEthernet0/1
config-url disk0:/customer1.cfg
context customer2
allocate-interface GigabitEthernet0/2
config-url disk0:/customer2.cfg
# Resource allocation (limit-resource is entered inside a resource class, e.g. 'class default')
limit-resource All 0
limit-resource Mac-addresses 65535
limit-resource ASDM 5
```

## Backup and Restore

```bash
# Copy configuration to TFTP
copy running-config tftp://192.168.1.100/asa-config-backup.txt
copy startup-config tftp://192.168.1.100/asa-startup-backup.txt
# Copy to flash
copy running-config disk0:/backup-config.txt
# Copy to FTP (credentials and the configuration travel unencrypted)
copy running-config ftp://user:pass@192.168.1.100/asa-backup.txt
# Scheduled backup (via script)
# Create a script on an external server to pull the config regularly
```

### System Image Management

```bash
# Show current image
show version
show bootvar
# Copy new image
copy tftp://192.168.1.100/asa982-smp-k8.bin disk0:
# Set boot image
boot system disk0:/asa982-smp-k8.bin
# Verify image (compare the hash with the value Cisco publishes for the file)
verify /md5 disk0:/asa982-smp-k8.bin
# Reload with new image
reload
```

### Factory Reset

```bash
# Erase configuration (the second command wipes the whole flash, including the boot image)
write erase
erase disk0:/
# Reset to factory defaults
configure factory-default
# Physical reset button
# Hold the reset button for 10+ seconds while powered on
```

## Best Practices

```bash
# Disable unnecessary services
no service password-recovery
no http server enable
no snmp-server enable
# Strong authentication
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL
# Secure management
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
# Certificate management
crypto ca trustpoint INTERNAL_CA
enrollment url http://ca.company.com/certsrv
subject-name CN=ASA-Firewall
crypto ca authenticate INTERNAL_CA
crypto ca enroll INTERNAL_CA
# Regular updates
# Keep ASA software updated
# Update signature databases
# Review and update ACLs regularly
```

### Performance Optimization

```bash
# Connection limits (set connection is applied under a class within a policy-map)
set connection conn-max 65535
set connection embryonic-conn-max 1000
set connection per-client-max 100
set connection per-client-embryonic-max 50
# TCP optimization
tcp-map TCP_MAP
tcp-options selective-ack allow
tcp-options timestamp allow
tcp-options window-scale allow
class-map TCP_CLASS
match any
policy-map global_policy
class TCP_CLASS
set connection advanced-options TCP_MAP
# Memory optimization
memory caller-address
memory profile enable
memory tracking enable
```

### Monitoring and Maintenance

```bash
# Regular monitoring commands
show memory
show processes cpu-usage
show interface
show conn count
show blocks
# Log analysis
show logging | include %ASA-4
show logging | include %ASA-3
show logging | include %ASA-2
# Performance baselines
show perfmon interval 1
show traffic
show cpu usage
# Maintenance schedule
# Weekly: review logs and performance
# Monthly: update signatures and review ACLs
# Quarterly: review and test failover
# Annually: review and update security policies
```

## Common Troubleshooting

### Connectivity Issues

```bash
# Test connectivity
ping outside 8.8.8.8
traceroute outside 8.8.8.8
# Check NAT
show xlate local 192.168.1.100
show nat detail
# Verify routing
show route
show arp
# Check ACLs
show access-list | include hitcnt
show access-list OUTSIDE_IN
# Packet capture for troubleshooting
capture TROUBLESHOOT interface inside match tcp host 192.168.1.100 any
show capture TROUBLESHOOT
```

### VPN Issues

```bash
# Check VPN status
show vpn-sessiondb
show crypto ikev1 sa
show crypto ikev2 sa
# Debug VPN (use carefully)
debug crypto ikev1
debug crypto ikev2
debug webvpn anyconnect
# Check certificates
show crypto ca certificates
show ssl trust-point
# Clear VPN sessions
clear crypto ikev1 sa
clear crypto ikev2 sa
vpn-sessiondb logoff all
```

### Performance Issues

```bash
# Check resource utilization
show memory detail
show processes cpu-usage
show blocks
# Connection analysis
show conn count
show local-host detail
# Interface statistics
show interface detail
show traffic
# Clear counters for baseline (clear conn drops every active connection)
clear interface
clear traffic
clear conn
```

## Resources

- Cisco ASA Configuration Guides: https://www.cisco.com/c/en/us/support/security/adaptive-security-appliances/products-installation-and-configuration-guides-list.html
- Cisco ASA Command References: https://www.cisco.com/c/en/us/support/security/adaptive-security-appliances/products-command-reference-list.html
- Cisco ASA troubleshooting document 118046: https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliances/118046-troubleshoot-asa-00.html