Cisco ASA Notes

Licensing Limits

Different ASA models have different licensing options. To see what the limits of the active license, use the following :

sh version

Static NAT

Make sure to add your host  to your access-list

object network obj-192.168.1.100 
host 192.168.1.100 
nat (inside,outside) static 192.166.1.101

Object Groups ASA

object-group service http-https tcp
port-object eq www
port-object eq https

object-group network webservers
network-object host 192.168.1.101
network-object host 192.168.1.102
network-object host 192.168.1.103

access-list OUTSIDE-IN extended permit tcp any object-group webservers object-group http-https
access-group OUTSIDE-IN in interface outside

packet-tracer

packet-tracer input inside icmp 192.168.1.100 8 0 8.8.8.8
packet-tracer input outside tcp 8.8.8.8 53 192.168.1.100 80

Mitigating attack traffic

DEFINE TRAFFIC

First of all we define which traffic the MPF policy will be applied to. In the example below we exclude the host 8.8.8.8 whilst inspecting all other traffic.

access-list mpf-policy-acl extended permit ip any any

CREATE CLASS-MAP

Next we assign the previously created access-list to a class-map.

class-map mpf-policy
match access-list mpf-policy-acl

CREATE POLICY-MAP

Then a policy-map is created and the necessary connection limits defined.

policy-map mpf-policy-map
class mpf-policy
set connection conn-max 9500
set connection embryonic-conn-max 5000
set connection per-client-embryonic-max 100
set connection per-client-max 300

Backup/Restore

Create a Backup 

copy running-config disk0:/backup-2017-00-00

Restore a backup

copy disk0:/backup-2017-08-18 startup-config
reload