Cisco ASA Cli
Licensing Info
Different ASA models have different licensing options. To see what the limits of the active license, use the following:
sh version
Static NAT
object network obj-192.168.1.100
host 192.168.1.100
nat (inside,outside) static 192.166.1.101 dns
Static Service NAT
Allow outside connections targeting TCP port 80 to redirect to internal port 8080.
object network obj-192.166.1.101-srv_8080
host 192.166.1.101
nat (inside,outside) static 192.166.1.101 service tcp 8080 http
PAT
In the example bellow, the subnet will be on a port channel named inside2 and will have a obj-group called net-local2
interface port-channel 150
nameif inside2
security-level 100
ip address 172.10.10.0 255.255.255.0
object-group network net-local2
network-object 172.10.10.0 255.255.255.0
after-auto Inserts the rule at the end of section.
You can translate all addresses on the source interface by specifying source dynamic any mapped_obj
nat (inside2,outside) after-auto source dynamic net-local2 interface dns
PAT connections will be visible in show xlate
fw1# show xlate
TCP PAT from inside2:172.10.10.11/51995 to outside:199.199.199.100/51995 flags riD
idle 0:05:37 timeout 0:00:30
For more advanced configs, refer to article below:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/n.html
Allow non-connected subnets
arp permit-nonconnected
The ASA ARP cache only contains entries from directly-connected subnets by default. You can enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.
You may want to use this feature if you use:
-
Secondary subnets.
-
Proxy ARP on adjacent routes for traffic forwarding.
Object Groups ASA
object-group service http-https tcp
port-object eq www
port-object eq https
object-group network webservers
network-object host 192.168.1.101
network-object host 192.168.1.102
network-object host 192.168.1.103
access-list OUTSIDE-IN extended permit tcp any object-group webservers object-group http-https
access-group OUTSIDE-IN in interface outside
packet-tracer
packet-tracer input inside icmp 192.168.1.100 8 0 8.8.8.8
packet-tracer input outside tcp 8.8.8.8 53 192.168.1.100 80
Backup/Restore
Create a Backup
copy running-config disk0:/backup-2017-00-00
Restore a backup
copy disk0:/backup-2017-08-18 startup-config
reload
Mitigating attack traffic
DEFINE TRAFFIC
First of all we define which traffic the MPF policy will be applied to. In the example below we exclude the host 8.8.8.8 whilst inspecting all other traffic.
access-list mpf-policy-acl extended permit ip any any
CREATE CLASS-MAP
Next we assign the previously created access-list to a class-map.
class-map mpf-policy
match access-list mpf-policy-acl
CREATE POLICY-MAP
Then a policy-map is created and the necessary connection limits defined.
policy-map mpf-policy-map
class mpf-policy
set connection conn-max 9500
set connection embryonic-conn-max 5000
set connection per-client-embryonic-max 100
set connection per-client-max 300
Failover
To run on the Standby FW
failover active
Links
https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-command-reference-list.html <<-- (Bookmark this)
https://wiki.myhypervisor.ca/books/networking/page/cisco-asa-site-to-site