Cisco ASA 9.8 CLI Commands
This article is covering most important cisco ASA command of ASA Version 9.8. This article may help network and security guys who deals in day to day troubleshooting call and also help in implementation new setup of cisco ASA firewall in the network.
This article intent to NAT, Static NAT, PAT, Object Group, access-list, Inspect ICMP, IKEv2 Policy and SSH access enabling on ASA.
ASA Outside Interface Configuration
outside interface is consider as untrusted zone interface have 0 (zero) security level by default.
Example –
ASA-A(Config)# interface GigabitEthernet0/0
ASA-A(Config-if)# nameif outside
ASA-A(Config-if)# security-level 0
ASA-A(Config-if)# ip address 200.100.0.1 255.255.255.0ASA inside Interface Configuration
inside interface is consider as trusted zone interface have 100 security level by default.
Example –
ASA-A(Config)# interface GigabitEthernet0/1
ASA-A(Config-if)# nameif inside
ASA-A(Config-if)# security-level 100
ASA-A(Config-if)# ip address 172.16.10.2 255.255.255.0Object Group
Object network/service Groups is very significant part on cisco ASA Firewall software ASA 8.4 and later version. Object group contain IP address and subnet extensively used for NAT and Access-list.
Example –
ASA-A(Config)# object network inside_network ASA-A(Config-network-object)# subnet 172.16.10.0 255.255.255.0 ASA-A(Config-network-object)# Subnet 172.16.11.0 255.255.255.0
ASA-A(Config)# object network web-server-172.16.10.11 ASA-A(Config-network-object)# host 172.16.10.11
Create a Service Group for service Protocol tcp/udp
ASA-A(Config)# object-group service www-protocols tcp ASA-A(config-server-object-group)# port-object eq 80 ASA-A(config-server-object-group)# port-object eq 443
PAT (Port address Translation)
It’s very obvious to have PAT configuration for inside users who need to access internet or external public servers. PAT act as Forward Proxy server. So, PAT hide the inside network from internet users. It only allow inside to outside Access.
Example –
Inside LAN – 172.16.10.0/24 , Dynamic NAT – outside Interface.
ASA-A(Config)# object network inside_network ASA-A(Config-network-object)# subnet 172.16.10.0 255.255.255.0 ASA-A(Config-network-object)# nat (inside,outside) dynamic interface
Static NAT Configuration on ASA
In case you want to give a static public IP address to a web-server (Hosted Inside) to make it public facing server. So Internet user can access web application that hosted on this server.
Example –
Private IP Address – 172.16.10.11 , Public IP address – 200.100.0.11
Let’s assume we have web-server hosted in Data Center inside network having IP – 172.16.10.11. So, we are mapping that web-server with public IP – 200.100.0.11 (Static NAT) and only allowing internet inbound access on port 80,443.
ASA-A(Config)# object network web-server-172.16.10.11 ASA-A(Config-network-object)# host 172.16.10.11 255.255.255.0 ASA-A(Config-network-object)# nat (inside,outside) static 200.100.0.11 ASA-A(Config)# access-list outside_in extended permit tcp any host 200.100.0.11 eq www-protocols
OR
ASA-A(Config)# access-list outside_in extended permit tcp any host 200.100.0.11 eq 443 ASA-A(Config)# access-list outside_in extended permit tcp any host 200.100.0.11 eq 80
Apply ACL on interface.
ASA-A(Config)# access-group outside_in in interface outsideICMP Allow ACL for Any Any
ICMP protocol is most vital part of network in order to test the connectivity with help of ping.So, here you can see how to allow icmp traffic on ASA.
Example –
ASA-A(Config)# access-list outside_in extended permit icmp any4 any4NO NAT (NAT Zero)
No NAT concept is normally used for VPN traffic which does not need to NAT or change actual IP address that traversing thru vpn tunnel.
Example –
Local vpn subnet Object – ASA-A
Remote vpn subnet Object – ASA-B
ASA-A(Config)# object network ASA-A ASA-A(Config-network-object)# subnet 172.16.10.0 255.255.255.0 ASA-A(Config)# object network ASA-B ASA-A(Config-network-object)# subnet 192.168.10.0 255.255.255.0 ASA-A(Config-network)# nat (inside,outside) source static ASA-A ASA-A destination static ASA-B ASA-B no-proxy-arp route-lookup
Configure NAT to Web-Server
Example of creating pubic static NAT IP to web-server hosting in DMZ network.
object network webserver-public-ip host 200.100.0.100 object network webserver host 192.168.10.100 nat (dmz,outside) static webserver-pubic-ip service tcp www www
SSH Configuration
Cisco ASA does not enable SSH access by default. Below mentioned command and steps will help to enabling SSH access from inside network.
ASA-A(config)# enable password <password> encrypted << enable password ASA-A(config)# username <username> password <password> encrypted privilege 15 <<SSH Login ASA-A(config)# aaa authentication ssh console LOCAL <<Local Authentication ASA-A(config)# ssh 192.168.0.10 255.255.255.0 inside << Inside Subnet allow SSH to ASA Firewall ASA-A(config)# domain-name <domain-name> <<Domain name ASA-A(config)# crypto key gen rsa mod 4096 << Generate RSA key pairs for your Cisco ASA, The 4096-bit RSA keys are only supported on the ASA5580, 5585, or later platforms. ASA-A(config)# ssh version 2 << restrict ASA to only use version 2 ASA-A(config)# ssh key-exchange group dh-group14-sha1 << exchange keys method using either the Diffie-Hellman (DH) Group 1 DH Group 14
Inspect ICMP
Inspect ICMP will start to allow all ICMP types traffic such as echo to pass through ASA. ICMP packet will be allowed through the ASA without a Pre-configure ACL evaluation.
ASA-A(Config)#policy-map global_policy ASA-A(Config-pmap)#class inspection_default ASA-A(Config-pmap-c)#inspect icmp
ISAKMP Policies for IKEv2
IKEv2 Crypto policy configuration on ASA
ASA-A(Config)#crypto ikev2 policy 10 << IKEv2 policy configuration mode ASA-A(Config-ikev2-policy)#encryption aes-256 << Set the encryption algorithm ASA-A(Config-ikev2-policy)#integrity sha256 << Configure a hash method ASA-A(Config-ikev2-policy)#group 19 << Set the Diffie-Hellman group ASA-A(Config-ikev2-policy)#prf sha256 << Configure the Pseudo-Random Function ASA-A(Config-ikev2-policy)#lifetime seconds 86400<<Set the encryption key lifetime ASA-A(Config)#crypto ikev2 enable outside <<Enable IKEv2 on the interface
