Cisco asa 5500 series command reference pdf

If it is necessary to recover the password after the no service password-recovery feature is enabled, the entire configuration is deleted. Being a security device, the Cisco firewall does not run many services (for example, bootp, finger, Cisco Discovery Protocol) by default. As a security best practice, any unnecessary service must be disabled. Such services, especially those that use UDP, are infrequently used for legitimate purposes but can be used to launch DoS and other attacks that packet filtering would otherwise prevent.

Network Time Protocol (NTP) is not an especially dangerous service, but any unneeded service can represent an attack vector. If NTP is used, it is important to explicitly configure a trusted time source and to use NTP authentication, so that a spoofed server cannot shift the device clock. Accurate and reliable time is required for syslog purposes (for example, during forensic investigations of potential attacks) and for successful VPN connectivity when certificates are used for Phase 1 authentication, because certificate validity periods are checked against the device clock. Idle timeouts must be configured so that management sessions (Telnet, SSH, console) that are left idle are logged out.

By default, Telnet and SSH sessions are disconnected after 5 minutes of inactivity; the console has no idle timeout unless one is configured. The management plane of a device is accessed via in-band and out-of-band methods through physical and logical means.
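As an added configuration example (not from the original page or from Cisco's own guide), the password-recovery lockdown, authenticated NTP and idle-timeout settings described above on an ASA. The NTP server address 192.0.2.10, the key number and key string, and the timeout values are assumptions chosen for illustration.

```cisco
! Added example, not part of the original page. The NTP server address,
! key number, key string and timeout values are placeholders.

! Disable the console password-recovery procedure. After this, the only way
! back in without the password is to wipe the configuration, so keep
! current off-box configuration backups before enabling it.
no service password-recovery

! Authenticated NTP against an explicitly trusted time source. Without
! "ntp authenticate" the ASA accepts time from any server it is pointed at.
ntp authenticate
ntp authentication-key 1 md5 Ntp-K3y-Ex4mple
ntp trusted-key 1
ntp server 192.0.2.10 key 1 source inside prefer

! Idle timeouts, in minutes. Telnet and SSH default to 5; the console
! defaults to 0, which means an abandoned console session never expires.
console timeout 10
ssh timeout 10
telnet timeout 5
```

Verify the time source with show ntp associations and show ntp status; an association that never reaches the synchronized state after key configuration usually means the key number or string does not match the server.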

Ideally, both in-band and out-of-band management access exists for each network device so that the management plane can be accessed during network outages. Cisco firewalls define a specific interface as being the Management interface. This designation is defined by configuring the management-only command on the specific interface. By default the physically defined Management interface has this command defined.

This interface is used for in-band access to a Cisco firewall. The Management interface can also carry regular traffic if the management-only interface configuration command is removed, which is not recommended.

It is recommended to use the Management interface of the ASA device exclusively as a management interface. This allows administrators and engineers to apply management traffic-based policies throughout the network. Note that on older ASA releases the Management interface uses the global routing table of the device rather than a separate one; newer releases (ASA 9.5 and later) keep a separate management-only routing table, so verify the behavior of the release in use before relying on routing separation.

This feature enables a device to generate an SNMP notification when the memory pool buffer usage reaches a new peak. Once the memory-threshold trap is enabled, the device generates and sends it toward the SNMP server when system memory utilization crosses the configured threshold; the default threshold is 70 percent. Introduced in Cisco ASA 8.

ICMP is a control protocol for IP; as such, the messages it conveys can have far-reaching ramifications for the TCP and IP protocols in general. While the network troubleshooting tools ping and traceroute use ICMP, external ICMP connectivity to the firewall itself is rarely needed for the proper operation of a network.

Cisco firewall software provides functionality to filter ICMP messages destined to the firewall itself by name or by type and code. By default, Cisco firewalls allow pings to their interfaces. A typical hardening policy permits echo requests to a firewall interface only from trusted management stations and NMS servers and blocks all other ICMP packets destined to the firewall. Management sessions to devices allow one to view and collect information about a device and its operations.

If this information is disclosed to a malicious user, the device can become the target of an attack, compromised, and used to perform additional attacks. Anyone with privileged access to a device has the capability for full administrative control of that device. Securing management sessions is imperative to preventing information disclosure and unauthorized access.

It is not recommended to access the security appliance through an unencrypted HTTP session: the authentication credential information, such as the password, is sent as clear text, and HTTP server and client communication occurs only in clear text. (On the ASA, the http server enable command serves ASDM over HTTPS; the concern applies to any plain HTTP path.) Likewise, it is not recommended to access the security appliance through a Telnet-based command-line interface (CLI) session, because Telnet server and client communication occurs only in clear text.

Because information can be disclosed during an interactive management session, this traffic must be encrypted so a malicious user cannot access the data being transmitted. Encrypting the traffic allows a secure remote access connection to the device. If the traffic for a management session is sent over the network in clear text, an attacker can obtain sensitive information about the device and the network.

As previously stated, it is not recommended to access the security appliance through an HTTP or Telnet session because the authentication credential information is sent in clear text. By default, a Cisco firewall will not accept Telnet on its lowest-security interface (typically the outside interface), as defined by the interface-configured security levels.

Cisco recommends using SSH (version 2) for more secure data communication. In addition, IPsec can be used for encrypted and secure remote access connections to a Cisco firewall device, if supported, but IPsec adds CPU overhead to the device. Cisco firewall software supports SCP, which allows an encrypted and secure connection for copying device configurations or software images. On Cisco firewall devices, the console port is an asynchronous line that can be used for local and remote access to a device.
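One added configuration example (not from the original page or from Cisco's guide) that covers both the dedicated Management interface described earlier and the SSH-only, Telnet-free remote access recommended here. The interface name Management0/0, the management subnet 192.0.2.0/24 and the RSA key size are assumptions.

```cisco
! Added example, not part of the original page. Interface names, addresses
! and the management subnet 192.0.2.0/24 are placeholders.

! Dedicated management interface. management-only prevents the interface
! from ever forwarding through-traffic, even if an ACL would permit it.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.0.2.254 255.255.255.0
 management-only

! SSH requires an RSA key pair; generate it once (it is not shown in the
! running configuration, but it is saved with "write memory").
crypto key generate rsa modulus 2048

! SSH version 2 only, accepted from the management subnet on the
! management interface only, with an idle timeout and SCP (copy over SSH).
ssh version 2
ssh 192.0.2.0 255.255.255.0 management
ssh timeout 10
ssh scopy enable

! Telnet stays disabled: this removes every "telnet <net> <mask> <if>" line,
! after which the ASA refuses Telnet on all interfaces.
clear configure telnet

! ASDM (HTTPS) access, if needed, restricted in the same way.
http server enable
http 192.0.2.0 255.255.255.0 management
```

Because clear configure telnet leaves the console and SSH as the only CLI paths, confirm an SSH login from the management subnet works before closing the console session that made the change, and check show ssh sessions and show run ssh afterwards.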

One must be aware that the console port on Cisco firewall devices has special privileges. In particular, these privileges allow an administrator to perform the password recovery procedure. To perform password recovery, an unauthenticated attacker would need access to the console port in addition to the ability to interrupt power to the device or cause the device to crash and reload.

Any method used to access the console port of a device must be secured in a manner that is equal to the security that is enforced for privileged access to a device. Methods used to secure access must include the use of AAA, console timeouts, and modem passwords if a modem is attached to the console.

As previously mentioned, if password recovery is not required, an administrator can remove the ability to perform the password recovery procedure using the no service password-recovery global configuration command; however, once the no service password-recovery command has been enabled, an administrator can no longer perform password recovery on a device without losing the firewall device configuration. To ensure that a device can be accessed via a local or remote management session, proper controls must be enforced for the management protocols.

Cisco firewall devices have a limited number of available management connections; the number of sessions available can be determined by using the show resource usage EXEC command. When all sessions are in use, new management sessions cannot be established, creating a DoS condition for access to the device. The simplest form of access control to a device is through authenticated management sessions. Furthermore, authentication can be enforced through the use of AAA, which is the recommended method for authenticated access to a device.

AAA can use the local user database; Telnet and console sessions that are not covered by AAA fall back to the login and enable passwords. Cisco firewall devices, specifically certain ASA 5500 series models, can use two types of Security Services Modules (SSMs), which provide additional security functionality.

Much like the Cisco ASA device, securing management sessions for the SSMs is imperative to prevent information disclosure and unauthorized access. If the traffic for a management session is sent over the network in clear text, an attacker may obtain sensitive information about the device and the network.

Furthermore, an SSM should be configured to accept only encrypted and secure remote-access management connections. In addition, only authorized subnet ranges should be allowed to access these modules. Users must be notified that access to the device is restricted and monitored; one method to provide this notification is the banner message configured on the Cisco firewall using the banner login command. Legal notification requirements are complex, vary by jurisdiction and situation, and should be discussed with legal counsel.

Even within jurisdictions, legal opinions can differ. In cooperation with counsel, a banner can provide this notification.

From a security point of view, a login banner should not contain any specific information about the device name, model, software, or ownership because this information can be abused by malicious users. The Authentication, Authorization, and Accounting AAA framework is critical to securing interactive access to network devices. The AAA framework provides a highly scalable architecture consisting of flexibility and granular configuration that can be tailored to the needs of the network.

In removing the dependence on a single shared password, the security of the network is improved and accountability is strengthened. Note that the AAA protocols differ in what they protect on the wire: RADIUS only obfuscates the password attribute, whereas TACACS+ encrypts the entire packet body. In either case the traffic between the firewall and the AAA server should be confined to a protected management path. An AAA authentication configuration that uses a server group with LOCAL fallback can serve as a starting point for an organization-specific AAA authentication template.

On Cisco ASA software releases that encrypt passwords for locally defined users, fallback to local authentication can be desirable. This allows a locally defined user to be created for one or more network administrators, so that the device remains manageable if the AAA servers are unreachable. With command authorization enabled, each command an authenticated user enters is sent to the AAA server, which uses its configured policies to permit or deny the command or operation for that particular user.

Command authorization is added to the AAA authentication configuration with the aaa authorization command global configuration command. It is critical that SNMP be properly secured to protect the confidentiality, integrity, and availability of both the network data and the network devices through which this data transits.
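An added AAA example (not from the original page or from Cisco's guide) that ties together authentication with local fallback, command authorization and accounting as discussed above. The server-group name TACACS-GRP, the server address 192.0.2.20, the shared key, the interface name and the fw-admin account are assumptions.

```cisco
! Added example, not part of the original page. Server-group name, server
! address, shared key, interface name and the local account are placeholders.

! Local fallback account, used only when no AAA server answers.
username fw-admin password Use-A-Long-Passphrase privilege 15
aaa local authentication attempts max-fail 5

! TACACS+ server group. TACACS+ encrypts the whole packet body between the
! ASA and the server (RADIUS would only obfuscate the password attribute).
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (management) host 192.0.2.20
 key Tacacs-Shared-K3y-Ex4mple
 timeout 5

! Authentication for every management path. LOCAL is consulted only if no
! server in the group responds, not when a server rejects the login.
aaa authentication ssh console TACACS-GRP LOCAL
aaa authentication serial console TACACS-GRP LOCAL
aaa authentication http console TACACS-GRP LOCAL
aaa authentication enable console TACACS-GRP LOCAL

! Command authorization: each command is checked against the server's
! policy for that user; LOCAL falls back to the ASA's own privilege levels.
aaa authorization command TACACS-GRP LOCAL

! Accounting: one record per session and one per command, which doubles
! as the configuration-change audit trail mentioned later in this document.
aaa accounting ssh console TACACS-GRP
aaa accounting serial console TACACS-GRP
aaa accounting enable console TACACS-GRP
aaa accounting command TACACS-GRP
```

Test the server group with test aaa-server authentication TACACS-GRP host 192.0.2.20 username fw-admin before enabling command authorization; a misconfigured authorization policy can lock administrators out of configuration mode while still allowing login.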

SNMP provides one with a wealth of information on the health of network devices. This information should be protected from malicious users that want to use it to perform attacks against the network. Community strings are passwords that are applied to an ASA device to restrict access, both read-only and read-write access, to the SNMP data on the device. These community strings, as with all passwords, should be carefully chosen to ensure they are not trivial.

Community strings should be changed at regular intervals and in accordance with network security policies. For example, the strings should be changed when a network administrator changes roles or leaves the company. For production environments, community strings should be chosen with caution and should consist of a mix of alphabetical, numerical, and nonalphanumeric characters; the well-known defaults such as public and private must never be left in place.

Refer to Use a Strong Password for more information on the selection of nontrivial passwords. MIBs are either standard or enterprise specific. The firewall can support a variety of MIBs.

Cisco ASA version 8. A recommended minimum list of MIBs and traps to monitor should focus on device health, resources, and normal operation. SNMPv3 provides secure access to devices by authenticating and optionally encrypting packets over the network. SNMPv3 on the ASA consists of three primary configuration elements: groups (which set the security level), users (each bound to a group, with authentication and privacy keys), and hosts (the management stations allowed to poll the device or receive its traps).

The local-engine and remote-engine IDs are not configurable. There is no support for SNMP views. If needed, SNMP users and groups should also be removed in the correct order: a user must be removed before the group it belongs to. Note that snmp-server user configuration commands are not displayed in the configuration output of the device, as the governing RFC requires; therefore, the user password is not viewable from the configuration. The show snmp-server user command allows administrators to view the configured users.
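An added SNMP example (not from the original page or from Cisco's guide) showing the weak v2c community-string setup beside the SNMPv3 authPriv configuration, the dependency order between group, user and host, and a minimal trap set. The names NMS-RO and nms-poller, the passphrases and the NMS address 192.0.2.30 are assumptions.

```cisco
! Added example, not part of the original page. Group/user names,
! passphrases and the NMS address 192.0.2.30 are placeholders.

! Weak: SNMPv2c. The community string is the only credential and crosses
! the network in clear text. If v2c cannot be retired yet, bind it to one
! host on the management interface rather than leaving it open.
! snmp-server host management 192.0.2.30 community Rf7-p0ll-Zq2x version 2c

! Preferred: SNMPv3 with authentication and privacy (authPriv).
! Order matters: the group must exist before the user, and the user before
! the host entry that references it. Removal is the reverse order.
snmp-server group NMS-RO v3 priv
snmp-server user nms-poller NMS-RO v3 auth sha Auth-Passphrase-Ex4mple priv aes 128 Priv-Passphrase-Ex4mple
snmp-server host management 192.0.2.30 version 3 nms-poller

! Keep contact/location generic; they are readable by any authorized poller.
snmp-server location dc1
snmp-server contact noc

! Minimal trap set for device health and normal operation. The threshold
! traps exist on releases that support them (the memory-threshold feature
! described above); drop those lines on older code.
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps memory-threshold
snmp-server enable traps cpu threshold rising

! Verification. User definitions are deliberately absent from
! "show running-config", so use the dedicated show commands:
! show snmp-server user
! show snmp-server group
! show snmp-server statistics
```

The authentication trap is worth keeping enabled: a burst of SNMP authentication failures from an unexpected source is an early indicator of community-string guessing or a misconfigured poller.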

Event logging provides visibility into the operation of a Cisco ASA device and the network where it is deployed. Cisco ASA Software provides several flexible logging options that can help achieve an organization's network management and visibility goals. These sections provide some basic logging best practices that can help an administrator use logging successfully while minimizing the impact of logging on a Cisco ASA device.

Sending logging information to a remote syslog server allows administrators to correlate and audit network and security events across network devices more effectively. Note that, by default, syslog messages are transmitted unreliably by UDP and in clear text. For this reason, any protections that a network provides for management traffic for example, encryption or out-of-band access should be applied to syslog traffic as well.

A Cisco ASA device is configured to send logging information to a remote syslog server with the logging host global configuration command, which names the interface through which the server is reached and the server address.

Smart Call Home (SCH) offers proactive diagnostics and real-time alerts on the Cisco ASA and provides higher network availability and increased operational efficiency. SCH can also collect syslogs to the central portal page hosted on Cisco's servers. Note that SCH does not serve as a syslog collecting service because certain limitations apply.

However, it can collect syslogs at higher levels warning or error , and under certain conditions it can proactively open service requests and notify the administrators. Each log message that is generated by a Cisco ASA device is assigned one of eight severity levels that range from level 0, emergency, through level 7, debugging. Unless specifically required, it is advisable to avoid logging at level 7. This level produces an elevated CPU load on the device that can lead to device and network instability.

The global configuration command logging trap level is used to specify which logging messages are sent to remote syslog servers. The specified level indicates the lowest severity (highest level number) that is sent. For buffered logging, the logging buffered level command is used. Limiting both to level 6 sends levels 0 (emergency) through 6 (informational) to the remote syslog servers and the local log buffer and excludes level 7 (debugging).

Refer to Configuring Logging for more information. Monitor sessions are interactive management sessions in which the EXEC command terminal monitor has been issued. Logging to the console or to monitor sessions is not recommended: both are processed in the device's main path and can raise CPU utilization sharply when the message rate is high. Instead, administrators are advised to send logging information to the local log buffer, which can be viewed using the show logging command. Use the global configuration commands no logging console and no logging monitor to disable logging to the console and to terminal lines.

Refer to Configuring Logging for more information about these global configuration commands.

Cisco ASA software supports the use of a local log buffer so that an administrator can view locally generated log messages. The use of buffered logging is highly recommended versus logging to either the console or monitor sessions.

There are two configuration options that are relevant when configuring buffered logging: the logging buffer size and the message severities that are stored in the buffer.

The size of the logging buffer is configured with the global configuration command logging buffer-size. The lowest severity included in the buffer is configured using the logging buffered command.

An administrator is able to view the contents of the logging buffer through the show logging EXEC command. A typical configuration sets an explicit logging buffer size and a severity of 6 (informational), so that messages at levels 0 (emergency) through 6 (informational) are stored. The configuration of logging time stamps helps administrators and engineers correlate events across network devices. It is important to implement a correct and consistent logging time stamp configuration to enable correlation of logging data.

Logging time stamps should be configured to include the date and time, ideally with millisecond precision, and the time zone in use on the device should be set so that the stamps are unambiguous when compared with other devices' logs. Administrators are encouraged to follow standard configuration management and logging procedures that will enable configuration rollback, configuration restoration, or misconfiguration tracking.
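An added logging example (not from the original page or from Cisco's guide) that puts the remote syslog, severity-level, buffer, console/monitor and time stamp recommendations of this section into one configuration. The collector address 192.0.2.40, the interface name and the 16384-byte buffer size are assumptions.

```cisco
! Added example, not part of the original page. The collector address
! 192.0.2.40, the interface name and the buffer size are placeholders.

logging enable
logging timestamp
logging device-id hostname

! Remote syslog. Plain UDP/514 is unreliable and clear text, so the
! collector sits on the protected management path; switch to TCP (or TLS,
! where the collector supports it) when delivery must be guaranteed.
logging host management 192.0.2.40
logging trap informational

! Local buffer for on-box review with "show logging": levels 0-6 only.
logging buffer-size 16384
logging buffered informational

! No console or terminal-line logging: it consumes CPU and can stall the
! very session an administrator is using to investigate.
no logging console
no logging monitor

! Debugging-level logging only inside a troubleshooting window, and only to
! the buffer, never to the remote server:
! logging buffered debugging
! ... then back to: logging buffered informational
```

After applying this, show logging reports the configured levels and the count of messages dropped or queued for the remote host; a growing drop counter on a UDP collector is invisible to the collector itself, which is the reliability caveat the section raises.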

AAA accounting can be used to track configuration changes on a firewall. In addition, if the firewall is managed through an external management tool, it should be able to provide configuration management logs.

The Cisco Security Manager platform manages firewall devices and can provide change management and configuration change logging functionality. The configuration archive can then be used to replace or roll back the current running configuration.

Control plane functions consist of the protocols and processes that communicate between network devices to move data from source to destination.

It is important that events in the management and data planes do not adversely affect the control plane. If a data plane event such as a DoS attack impacts the control plane, the entire network can become unstable. The information that follows provides features and configurations that can help ensure the resilience of the control plane. Protection of the control plane of a network device is critical because the control plane ensures that the management and data planes are maintained and operational.

If the control plane becomes unstable during a security incident, it may not be possible for administrators and engineers to recover the stability of the network. Because of the secure nature and operations of Cisco firewall platforms, the platforms do not support ICMP redirects. Filtering with an interface access list elicits the transmission of ICMP unreachable messages back to the source of the filtered traffic.

Generating these messages can increase CPU utilization on the device. Cisco firewalls can be configured to elicit or suppress ICMP unreachable messages, and to filter them so that they are sent only to known sources, for example management subnets.

ICMP unreachable rate limiting can be changed from the default using the icmp unreachable rate-limit rate burst-size size global configuration command.

ICMP responses are often used for troubleshooting and monitoring services. Because of the secure nature and operations of Cisco firewall platforms, ICMP responses from the firewall should be limited by filtering traffic to permit only what is necessary or expected. ICMP responses can also be limited by disabling ICMP responses on interfaces, specifically the outside or "untrusted" interface s at a minimum.

ICMP responses on an interface are limited with the icmp command, which permits or denies ICMP addressed to the firewall's own interfaces by source, ICMP type and interface. To enhance security, routing updates may be authenticated using a simple password or keys depending on the routing protocol being used. Use routing protocol authentication to prevent spoofing and routing attacks on firewalls. To enable authentication of EIGRP packets and specify the authentication key (using MD5), use the authentication mode eigrp and authentication key eigrp interface commands.
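One added example (not from the original page or from Cisco's guide) covering both the earlier recommendation to permit pings to firewall interfaces only from trusted management stations and the ICMP unreachable filtering and rate limiting described here. The 192.0.2.0/24 management subnet and the interface names are assumptions.

```cisco
! Added example, not part of the original page. The management subnet
! 192.0.2.0/24 and the interface names are placeholders.

! The icmp command governs ICMP addressed to the firewall's own interfaces,
! not traffic through the firewall. With no icmp rules on an interface all
! ICMP to it is accepted; once one rule exists, anything not explicitly
! permitted on that interface is dropped.

! Echo requests (ping) only from the management/NMS subnet on the inside
! and management interfaces; every other ICMP to those interfaces is dropped.
icmp permit 192.0.2.0 255.255.255.0 echo management
icmp permit 192.0.2.0 255.255.255.0 echo inside
icmp deny any management
icmp deny any inside

! Outside: no echo at all. Unreachables are still accepted so that path
! MTU discovery toward the firewall (for example for VPN peers) keeps
! working; everything else is dropped.
icmp permit any unreachable outside
icmp deny any outside

! Rate-limit the unreachables the ASA generates for filtered through-traffic.
! 1 per second with a burst of 1 is the default, written out explicitly here.
icmp unreachable rate-limit 1 burst-size 1
```

Check the result with show run icmp, and remember that an interface with a single icmp permit line and no explicit deny still drops everything not listed: forgetting to permit echo from the monitoring subnet is the usual cause of "the firewall stopped answering pings" after this change.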

To enable authentication of Routing Information Protocol (RIP) version 2 packets and specify the authentication key, use the rip authentication mode and rip authentication key interface commands.

Note: By default, "text" (clear-text) authentication is used for RIP; the use of MD5 is recommended. To enable authentication of OSPF packets and specify the authentication key, use the ospf authentication and ospf authentication-key commands; these configure a clear-text password, so for OSPF the recommended configuration is message-digest (MD5) authentication with ospf authentication message-digest and ospf message-digest-key. The firewall data plane handles most of the traffic that traverses the firewall.
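An added example (not from the original page or from Cisco's guide) of MD5 routing-protocol authentication for EIGRP, OSPF and RIPv2 on an ASA, one protocol per interface so each command set is visible on its own. Interface names, AS and process numbers, networks and key strings are assumptions, and the other interface parameters (security level, addresses) are omitted.

```cisco
! Added example, not part of the original page. Interface names, AS and
! process numbers, networks and key strings are placeholders; unrelated
! interface parameters are omitted.

! EIGRP AS 100: MD5-authenticated hellos and updates on the inside interface.
router eigrp 100
 network 10.0.0.0 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 authentication mode eigrp 100 md5
 authentication key eigrp 100 Eigrp-K3y-Ex4mple key-id 1

! OSPF process 1, area 0: message-digest authentication for the area plus
! the per-interface key. "ospf authentication" with "ospf authentication-key"
! would send the password in clear text on every hello; avoid it.
router ospf 1
 network 10.0.1.0 255.255.255.0 area 0
 area 0 authentication message-digest
interface GigabitEthernet0/2
 nameif dmz
 ospf authentication message-digest
 ospf message-digest-key 1 md5 Ospf-K3y-Ex4mple

! RIPv2: the default mode is "text" (clear-text password); use md5.
router rip
 version 2
 network 10.0.2.0
interface GigabitEthernet0/3
 nameif lab
 rip authentication mode md5
 rip authentication key Rip-K3y-Ex4mple key_id 1
```

The key ID and key string must match on every neighbor on the segment; after the change, show eigrp neighbors, show ospf neighbor and show rip database confirm that adjacencies re-formed rather than silently dropping, and a neighbor that is missing afterwards is almost always running the old key.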

Data plane protection can prevent attacks for both the firewall and devices to which the firewall sends traffic. Securing the control plane and management plane is essential, but all control plane and data plane traffic traverses through the data plane. Because the data plane is responsible for processing and forwarding traffic, protecting the firewall data plane plays an important part in firewall hardening and security.

Any activated firewall feature may affect data plane traffic, so it is important to keep the firewall software version updated to the latest stable code that meets business requirements.

It is also important to back up all firewall rulebase and configuration files regularly on a separate, accessible location.

Backups can be used after a system failure and help reduce total downtime. The Adaptive Security Algorithm ensures the secure use of applications and services.

Some applications require special handling in the Adaptive Security Algorithm firewall application inspection function.

These applications embed IP addressing information in the user data packet or open secondary channels on dynamically assigned ports. A host on one firewall interface can create any type of connection to a host on another interface of the same firewall as long as any required address translation can be made and relevant interface access lists permit it. When address translation methods are required and after they have been configured between pairs of firewall interfaces, the administrator must configure and apply access lists to the interfaces.

The steps required for placing an ACL on the firewall include configuring the ACL and binding it to a firewall interface. Any source and destination address specified in the ACL must match the address as seen on the interface where the ACL is applied: on ASA 8.3 and later, interface ACLs are written against the real (untranslated) addresses, whereas earlier releases matched the translated (mapped) addresses.

ACEs can classify packets by inspecting Layer 2 through Layer 4 headers for a number of parameters, such as source and destination address, protocol and port. After an ACL has been properly configured, the administrator can apply it to an interface to filter traffic. The security appliance can filter packets in both the inbound and outbound direction on an interface. An ACL must be applied to each lower-security interface so that only specific inbound connections are permitted. For information about security levels, refer to the Security Levels section of this document.

Once the packet is allowed, the flow is created in the Adaptive Security Algorithm connection table, and all further packets in the flow are permitted based on the connection entry, bypassing the ACL check. You can use the show conn command to view the connection table. Note: ACLs are normally evaluated in the order in which they appear in the firewall configuration.

It is important to configure and use an ACL to limit the types of traffic in a specific direction. When traffic is permitted by an ACL, connections are allowed to pass; when traffic is denied, all corresponding packets are dropped at the firewall. In addition, when an xlate entry is created for a new connection and the interface ACLs permit the initial traffic, the return traffic specific to that connection is also permitted because the firewall has built the proper xlate and conn entries for it.

Because established connections continue to match their existing conn entries and bypass the ACL, a tightened ACL does not take effect for them until the connections are cleared (for example, with clear conn). Therefore, ACL changes should be made when traffic through the firewall is low. This section lists some best practices to be followed for ACL configuration on firewalls.

However, the list is not exhaustive and should serve as a guideline for firewall hardening. To bind an ACL to an interface, use the access-group global configuration command. A basic audit rule is to check whether any ACLs are defined that are not applied to an interface, since an unapplied ACL enforces nothing. The permit ip any any command is not recommended. Allowing access to all destinations provides access to all the hosts inside the perimeter, including the firewall itself, and to all Internet hosts.
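An added ACL example (not from the original page or from Cisco's guide) showing an inbound policy on the lowest-security interface and an explicit outbound policy in place of permit ip any any, followed by the checks that catch unapplied ACLs and stale connections. Addresses, the object name WEB-SERVER and the ACL names are assumptions; the NAT form is the ASA 8.3 and later object syntax.

```cisco
! Added example, not part of the original page. Addresses, object and ACL
! names are placeholders; NAT and ACL syntax is ASA 8.3 and later.

! Inbound policy on the outside interface: only the published service.
! On 8.3+ the ACL matches the real (untranslated) address of the server.
object network WEB-SERVER
 host 10.0.0.80
 nat (inside,outside) static 203.0.113.80

access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Outbound policy: explicit egress instead of "permit ip any any", so a
! compromised inside host cannot reach arbitrary destinations.
access-list INSIDE_OUT extended permit udp 10.0.0.0 255.255.255.0 host 198.51.100.53 eq domain
access-list INSIDE_OUT extended permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list INSIDE_OUT extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside

! Checks.
! show run access-group   -> which ACLs are actually bound; an ACL that
!                            appears in "show run access-list" but not here
!                            enforces nothing.
! show access-list        -> per-ACE hit counts; a permit with hitcnt=0 after
!                            a week is a candidate for removal.
! show conn               -> flows already admitted; they bypass the ACL.
! clear conn              -> re-evaluate existing flows after tightening.
```

The explicit deny with log at the end of each ACL is what makes the policy auditable: the implicit deny drops the same packets but produces no syslog message, so blocked-traffic investigations depend on that line being present.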

For the best results, if your device allows it, Oracle recommends that you upgrade to a software version that supports route-based configuration. Access to the console port can be controlled with the aaa authentication serial console LOCAL command, in which the keyword LOCAL means that the local user database is used for validation.

Other user databases are analyzed in Chapter 14, Identity. In order for the InsightOps parser to work, make sure logging timestamp is turned on and the logging host has been configured for the InsightOps collector. The GUI on the ASA is fairly intuitive for this sort of thing.

If you need to use the command line, I would caution you against just pasting in someone else's code. Cisco ASA is one of the few event sources that can handle multiple types of logs on a single port because it hosts firewall and VPN logs. The ordered set of commands to append to the end of the command stack if a change needs to be made.

These are some good commands you can use to help troubleshoot new VPN tunnels. First, let's take a look at a sample standard ACL where we permit traffic from the host. Umbrella is Cisco's cloud-based Secure Internet Gateway (SIG) platform that provides multiple levels of defense against internet-based threats. Umbrella integrates secure web gateway, firewall, DNS-layer security, and cloud access security broker (CASB) functionality, and enables you to extend protection from your network to branch offices.

Configure the module. You can further refine the behavior of the cisco module by specifying variable settings in the modules configuration. As a firewall, the Cisco ASA drops packets.

That's great until it drops packets that you want to permit and you have no idea what is going on. Fortunately, the ASA supports different tools to show you why and what packets it drops. In this lesson, we'll cover these tools. An interface name (nameif) can be thought of as a security zone, so give it a meaningful name as a best practice. To set the nameif and security level, issue the following commands (the level, address and mask values were lost in extraction and are shown as placeholders):

ASA# configure terminal
ASA(config-if)# nameif outside
ASA(config-if)# security-level <level>
ASA(config-if)# ip address <address> <mask>

Use the extended or named access list in order to specify the traffic that should be protected by encryption.

Here is an example (the ACL name and addresses were lost in extraction and are shown as placeholders):

access-list <name> remark Interesting traffic
access-list <name> extended permit ip <local-net> <mask> <remote-net> <mask>

The clear configure command has the same logic as show run in that it can remove entire configuration snippets, for example all NAT configuration or a specific ACL.

Rack1ASA1(config)# clear configure global
Rack1ASA1(config)# clear

The output will look something like the following screenshot. The ASA is now known as the Lina engine on FTD; in fact, when you connect to FTD through the console, you can still go into the ASA module and run all the commands you would run on a normal ASA with the same syntax. Of course, you can no longer do any configuration from the command line, but you can still run show commands and packet-level tools.

Some Cisco ASA models have built-in switching hardware, but no STP feature. Their physical switch ports operate at Layer 2 using that switching hardware. For the same access-list, if it is applied as an inbound access-list, the connection is dropped without any ICMP message being sent: access-list OUT line 1 extended deny ip host 1.

It is used for remote access from roaming users to connect back to their corporate network over the Internet. On Cisco IOS Software:

After the IPv6 access list is applied to an interface in the ingress direction, administrators can use the show ipv6 access-list command to identify the number of IPv6 packets that are being filtered with a type 0 Routing header. Filtered packets should be investigated to determine whether they are legitimate.

This article may help network and security engineers who deal with day-to-day troubleshooting calls, and also helps with implementing new Cisco ASA firewall setups in the network.

Cisco ASA useful commands. There are thousands of commands available on Cisco ASA. I found some of the commands very useful when troubleshooting. Also, make sure the connection is using DTLS. One other thing is to use compression; Cisco recommends it for voice over a VPN connection. You have to install a server-side plug-in. There are three types of plug-ins available that you can download from Cisco's website. If you are not choosing the plug-ins and want to tunnel the traffic, the second option is to use the thin client with smart tunnel options and port forwarding.

However, the restriction is that it terminates IPv4 tunnels. In a way it is encapsulating v6 traffic over v4, so your slot indicates to the head end and you are still pushed down.

In summary, your client is encapsulating v6 traffic over v4 traffic in a tunnel. From a v6 perspective, you should be able to communicate end to end. Bookmarks are used to link clientless users to internal servers via the clientless VPN tunnel. However, they tunnel the traffic through the ASA. Refer to the clientless configuration guide. ASDM is easier when configuring bookmark templates. The only way you can add bookmarks from the CLI is by manually creating an XML file and uploading it.




