Cisco ASA Administrator Guide

Getting Started

This chapter describes how to get started with your ASA.

Access the Console for the Command-Line Interface

For initial configuration, access the CLI directly from the console port. Later, you can configure remote access using Telnet
or SSH according to Management Access. If your system is already in multiple context mode, then accessing the console port places you in the system execution space.


Note

For ASAv console access, see the ASAv quick start guide.


Access the ASA Hardware or ISA 3000 Console

Follow these steps to access the appliance console.

Procedure


Step 1

Connect a computer to
the console port using the provided console cable, and connect to the console
using a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop
bit, no flow control.

See the hardware guide for your ASA for more
information about the console cable.

Step 2

Press the Enter key to see the following prompt:


ciscoasa>

This prompt indicates that you are in user EXEC mode. Only basic commands are available from user EXEC mode.

Step 3

Access privileged EXEC mode.

enable

You are prompted to change the password the first time you enter the enable command:

Example:


ciscoasa> enable
Password:
The enable password is not set. Please set it now.
Enter Password: ******
Repeat Password: ******
ciscoasa#

All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged
EXEC mode.

To exit privileged mode, enter the disable, exit, or quit command.

Step 4

Access global configuration mode.

configure terminal

Example:


ciscoasa# configure terminal
ciscoasa(config)#

You can begin to configure the ASA from global configuration mode. To exit global configuration mode, enter the exit, quit, or end command.


Access the Firepower 2100 Platform Mode Console

The Firepower 2100 console port connects you to the Firepower
eXtensible Operating System
(FXOS CLI). From the FXOS CLI, you can then connect to the ASA console, and back again. If you SSH to FXOS, you can also
connect to the ASA CLI; a connection from SSH is not a console connection, so you can have multiple ASA connections from an
FXOS SSH connection. Similarly, if you SSH to the ASA, you can connect to the FXOS CLI.

Procedure


Step 1

Connect your management computer to the console port. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you will
need a third party serial-to-USB cable to make the connection. Be sure to install any necessary USB serial drivers for your
operating system. Use the following serial settings:

  • 9600 baud

  • 8 data bits

  • No parity

  • 1 stop bit

You connect to the FXOS CLI. Enter the user credentials; by default, you can log in with the admin user and the default password, Admin123.

Step 2

Connect to the ASA:

connect asa

Example:


firepower-2100# connect asa
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
ciscoasa>

Step 3

Access privileged EXEC mode.

enable

You are prompted to change the password the first time you enter the enable command.

Example:


ciscoasa> enable
Password:
The enable password is not set. Please set it now.
Enter Password: ******
Repeat Password: ******
ciscoasa#

All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged
EXEC mode.

To exit privileged mode, enter the disable, exit, or quit command.

Step 4

Access global configuration mode.

configure terminal

Example:


ciscoasa# configure terminal
ciscoasa(config)#

You can begin to configure the ASA from global configuration mode. To exit global configuration mode, enter the exit, quit, or end command.

Step 5

To return to the FXOS console, enter Ctrl+a, d.

Step 6

If you SSH to the ASA (after you configure SSH access in the ASA), connect to the FXOS CLI.

connect fxos

You are prompted to authenticate for FXOS; use the default username: admin and password: Admin123. To return to the ASA CLI, enter exit or type Ctrl-Shift-6, x.

Example:


ciscoasa# connect fxos
Connecting to fxos.
Connected to fxos. Escape character sequence is 'CTRL-^X'.

FXOS 2.2(2.32) kp2110

kp2110 login: admin
Password: Admin123
Last login: Sat Jan 23 16:20:16 UTC 2017 on pts/1
Successful login attempts for user 'admin' : 4
Cisco Firepower Extensible Operating System (FX-OS) Software

[…]

kp2110# 
kp2110# exit
Remote card closed command session. Press any key to continue.
Connection with fxos terminated.
Type help or '?' for a list of available commands.
ciscoasa#


Access the Firepower 1000, 2100 Appliance Mode Console

The Firepower 1000, 2100 Appliance mode console port connects
you to the ASA CLI (unlike the Firepower 2100 Platform mode console, which connects
you to the FXOS CLI). From the ASA CLI, you can then connect to the FXOS CLI using
Telnet for troubleshooting purposes.

Procedure


Step 1

Connect your management computer to the console port. The Firepower 1000 ships with a USB A-to-B
serial cable.
The Firepower 2100
ships with a DB-9 to RJ-45 serial cable, so you will need a third party
serial-to-USB cable to make the connection.
Be sure to install any
necessary USB serial drivers for your operating system (see the Firepower 1010 hardware guide or
Firepower 1100 hardware guide). Use the following serial
settings:

  • 9600 baud

  • 8 data bits

  • No parity

  • 1 stop bit

You connect to the ASA CLI. There are no user credentials required for
console access by default.

Step 2

Access privileged EXEC mode.

enable

You are prompted to change the password the first time you enter the enable command.

Example:


ciscoasa> enable
Password:
The enable password is not set. Please set it now.
Enter Password: ******
Repeat Password: ******
ciscoasa#

The enable password that you set on the ASA is also the FXOS
admin user password if the ASA fails to boot up, and you enter FXOS failsafe mode.

All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged
EXEC mode.

To exit privileged EXEC mode, enter the disable, exit, or quit command.

Step 3

Access global configuration mode.

configure terminal

Example:


ciscoasa# configure terminal
ciscoasa(config)#

You can begin to configure the ASA from global configuration mode. To exit global configuration mode, enter the exit, quit, or end command.

Step 4

(Optional) Connect to the FXOS CLI.

connect fxos [admin]

  • admin—Provides admin-level access. Without this option, users have read-only access. Note that no configuration commands are available
    even in admin mode.

You are not prompted for user credentials. The current ASA username is passed through to FXOS, and no additional login is required. To return to the ASA CLI, enter exit or type Ctrl-Shift-6, x.

Within FXOS, you can view user activity using the scope security/show audit-logs command.

Example:


ciscoasa# connect fxos admin
Connecting to fxos.
Connected to fxos. Escape character sequence is 'CTRL-^X'.
firepower# 
firepower# exit
Connection with FXOS terminated.
Type help or '?' for a list of available commands.
ciscoasa#


Access the ASA
Console on the
Firepower 4100/9300 Chassis

For initial
configuration, access the command-line interface by connecting to the
Firepower 4100/9300 chassis
supervisor (either to the console port or remotely using Telnet or SSH) and
then connecting to the ASA security module.

Procedure


Step 1

Connect to the Firepower 4100/9300 chassis supervisor CLI (console or SSH), and then session to the ASA:

connect module slot {console | telnet}

The benefits of using a Telnet connection are that you can have multiple sessions to the module at the same time, and the connection
speed is faster.

The first time you access the module, you access the FXOS module CLI. You must then connect to the ASA application.

connect asa

Example:


Firepower# connect module 1 console
Firepower-module1> connect asa

asa>

Step 2

Access privileged EXEC mode, which is the highest privilege level.

enable

You are prompted to change the password the first time you enter the enable command.

Example:


asa> enable
Password:
The enable password is not set. Please set it now.
Enter Password: ******
Repeat Password: ******
asa#

All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged
EXEC mode.

To exit privileged mode, enter the disable, exit, or quit command.

Step 3

Enter global configuration mode.

configure terminal

Example:


asa# configure terminal
asa(config)# 

To exit global configuration mode, enter the disable, exit, or quit command.

Step 4

Exit the application console to the FXOS module CLI by entering Ctrl-a, d.

You might want to use the FXOS module CLI for troubleshooting purposes.

Step 5

Return to the supervisor level of the FXOS CLI.

Exit the console:

  1. Enter ~

    You exit to the Telnet application.

  2. To exit the Telnet application, enter:

    telnet>quit

Exit the Telnet session:

  1. Enter Ctrl-], .


Access the Software Module Console

If you have a software module installed, such as
the ASA FirePOWER module on the ASA 5506-X, you can session to the module
console.


Note

You cannot access the hardware module CLI over the ASA backplane using the session command.


Procedure


From the ASA CLI, session to the module:

session {sfr | cxsc | ips} console

Example:


ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

Cisco ASA SFR Boot Image 5.3.1
asasfr login: admin
Password: Admin123


Access the ASA 5506W-X Wireless Access Point Console

To access the wireless access point console, perform the following steps.

Procedure


Step 1

From the ASA CLI, session to the access point:

session wlan console

Example:


ciscoasa# session wlan console
opening console session with module wlan
connected to module wlan. Escape character sequence is ‘CTRL-^X’

ap>

Step 2

See the Cisco IOS Configuration Guide for Autonomous Aironet Access Points for information about the access point CLI.


Configure ASDM Access

This section describes how to access ASDM with a
default configuration and how to configure access if you do not have a default
configuration.

Use the Factory Default Configuration for ASDM Access

With a factory default configuration, ASDM connectivity is
pre-configured with default network settings.

Procedure


Connect to ASDM using the following interface and network
settings:

  • The management interface depends on your model:

    • Firepower 1010—Management 1/1 (192.168.45.1), or inside Ethernet 1/2 through 1/8 (192.168.1.1). Management hosts are limited
      to the 192.168.45.0/24 network, and inside hosts are limited to the 192.168.1.0/24 network.

    • Firepower 1100, 2100 in Appliance Mode—Inside Ethernet 1/2 (192.168.1.1), or Management
      1/1 (from DHCP). Inside hosts are limited to the
      192.168.1.0/24 network. Management hosts are allowed from
      any network.

    • Firepower 2100 in Platform Mode—Management 1/1 (192.168.45.1). Management hosts are limited to the 192.168.45.0/24 network.

    • Firepower 4100/9300—The Management type interface and IP address of your choice defined when you deployed. Management hosts are allowed from
      any network.

    • ASA 5506-X, ASA 5506W-X—Inside GigabitEthernet 1/2 through
      1/8, and wifi GigabitEthernet 1/9 (192.168.10.1). Inside
      hosts are limited to the 192.168.1.0/24 network, and wifi
      hosts are limited to 192.168.10.0/24.

    • ASA 5508-X, and ASA 5516-X—Inside
      GigabitEthernet 1/2 (192.168.1.1). Inside
      hosts are limited to the 192.168.1.0/24 network.

    • ASAv—Management 0/0 (set during deployment). Management hosts are limited to the management network.

    • ISA 3000—Management 1/1 (192.168.1.1). Management hosts are limited to the 192.168.1.0/24 network.

Note 

If you change to multiple context mode, you can access ASDM from
the admin context using the network settings above.


Customize ASDM Access

Use this procedure if one or more of the following conditions applies:

  • You do not have a factory default configuration

  • You want to change the management IP address

  • You want to change to transparent firewall mode

  • You want to change to multiple context mode

For routed, single mode, for quick and easy ASDM access, we
recommend applying the factory default configuration with the option to set
your own management IP address. Use the procedure in this section only if you
have special needs such as setting transparent or multiple context mode, or if
you have other configuration that you need to preserve.


Note

For the ASAv, you can configure transparent mode when you
deploy, so this procedure is primarily useful after you deploy if you need to
clear your configuration, for example.


Procedure


Step 1

Access the CLI at the console port.

Step 2

(Optional) Enable transparent firewall mode:

This command clears your configuration.

firewall transparent

Step 3

Configure the management interface:


interface interface_id
   nameif name
   security-level level
   no shutdown
   ip address ip_address mask

Example:


ciscoasa(config)# interface management 0/0
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0

The security-level is a number between 1 and 100, where 100 is the most secure.

Step 4

(For directly-connected management hosts) Set the DHCP pool for
the management network:


dhcpd address ip_address-ip_address interface_name
dhcpd enable interface_name

Example:


ciscoasa(config)# dhcpd address 192.168.1.2-192.168.1.254 management
ciscoasa(config)# dhcpd enable management

Make sure you do not include the interface address in the range.

Step 5

(For remote management hosts) Configure a route to the
management hosts:

route management_ifc management_host_ip mask gateway_ip 1

Example:


ciscoasa(config)# route management 10.1.1.0 255.255.255.0 192.168.1.50 1

Step 6

Enable the HTTP server for ASDM:

http server enable

Step 7

Allow the management host(s) to access ASDM:

http ip_address mask interface_name

Example:


ciscoasa(config)# http 192.168.1.0 255.255.255.0 management

Step 8

Save the configuration:

write memory

Step 9

(Optional) Set the mode to multiple mode:

mode multiple

When prompted, confirm that you want to convert the existing
configuration to be the admin context. You are then prompted to reload the ASA.


Examples

The following configuration converts the firewall mode to
transparent mode, configures the Management 0/0 interface, and enables ASDM for
a management host:


firewall transparent
interface management 0/0
  ip address 192.168.1.1 255.255.255.0
  nameif management
  security-level 100
  no shutdown

dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
http server enable
http 192.168.1.0 255.255.255.0 management
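
The following Python script is an added example, not from the Cisco guide or Cisco code: it parses a configuration written in the form this procedure produces (the Examples configuration above is embedded as a constructed sample; the route and the extra http networks in the second sample are assumptions) and checks the points the steps warn about: that the DHCP pool excludes the interface address and has a matching dhcpd enable, that http server enable is present, and that no http statement admits any host or names an off-subnet network without a route on that interface.

```python
# Consistency checks for the ASDM management-access statements of an ASA configuration
# (added example, not from the Cisco guide). Only the statement forms this procedure uses
# are parsed: interface blocks with nameif / ip address, route, http server enable, http,
# dhcpd address and dhcpd enable; everything else is ignored.
import ipaddress
from types import SimpleNamespace

# Interface sub-commands; any other top-level command closes the open interface block.
IF_SUBCMDS = {"nameif", "ip", "security-level", "no", "shutdown", "management-only", "bridge-group"}

def parse_config(text):
    cfg = SimpleNamespace(interfaces={}, routes=[], http_rules=[], dhcp_pools=[],
                          dhcp_enabled=set(), http_server=False)
    block = {}  # nameif / ip address collected from the open interface block

    def close_block():
        if "nameif" in block and "addr" in block:
            cfg.interfaces[block["nameif"]] = block["addr"]  # nameif -> IPv4Interface
        block.clear()

    for raw in text.splitlines():
        p = raw.split()
        if not p or p[0] == "!":
            continue
        if p[0] == "interface":
            close_block()
            block["id"] = " ".join(p[1:])
        elif block and p[0] in IF_SUBCMDS:
            if p[0] == "nameif":
                block["nameif"] = p[1]
            elif p[:2] == ["ip", "address"] and len(p) >= 4 and p[2] != "dhcp":
                block["addr"] = ipaddress.IPv4Interface(f"{p[2]}/{p[3]}")
        else:
            close_block()
            if p[:3] == ["http", "server", "enable"]:
                cfg.http_server = True
            elif p[0] == "http" and len(p) == 4:  # (permitted network, nameif)
                cfg.http_rules.append((ipaddress.IPv4Network(f"{p[1]}/{p[2]}", strict=False), p[3]))
            elif p[0] == "route" and len(p) >= 5:  # (nameif, destination network)
                cfg.routes.append((p[1], ipaddress.IPv4Network(f"{p[2]}/{p[3]}", strict=False)))
            elif p[:2] == ["dhcpd", "address"] and len(p) == 4:  # (first, last, nameif)
                first, last = p[2].split("-")
                cfg.dhcp_pools.append((ipaddress.IPv4Address(first), ipaddress.IPv4Address(last), p[3]))
            elif p[:2] == ["dhcpd", "enable"] and len(p) == 3:
                cfg.dhcp_enabled.add(p[2])
    close_block()
    return cfg

def audit(cfg):
    """Return the list of findings; an empty list means every check passed."""
    f = []
    if cfg.http_rules and not cfg.http_server:
        f.append("http statements present but 'http server enable' is missing")
    for net, ifn in cfg.http_rules:
        iface = cfg.interfaces.get(ifn)
        routed = any(r_if == ifn and net.subnet_of(r_net) for r_if, r_net in cfg.routes)
        if iface is None:
            f.append(f"http {net} names unknown interface '{ifn}'")
        elif net.prefixlen == 0:
            f.append(f"http on '{ifn}' admits ASDM from any host (0.0.0.0 0.0.0.0)")
        elif not net.subnet_of(iface.network) and not routed:
            f.append(f"http {net} on '{ifn}' is off-subnet and no route via '{ifn}' covers it")
    for first, last, ifn in cfg.dhcp_pools:
        iface = cfg.interfaces.get(ifn)
        if iface is None or first > last or first not in iface.network or last not in iface.network:
            f.append(f"dhcpd pool {first}-{last} is not inside the subnet of interface '{ifn}'")
        elif first <= iface.ip <= last:  # Step 4: the pool must not include the interface address
            f.append(f"dhcpd pool {first}-{last} includes the interface address {iface.ip}")
        if ifn not in cfg.dhcp_enabled:
            f.append(f"dhcpd pool on '{ifn}' is defined but 'dhcpd enable {ifn}' is missing")
    return f

def audit_text(text):
    return audit(parse_config(text))

# Constructed sample: the Examples configuration of this section.
GOOD_CONFIG = """\
firewall transparent
interface management 0/0
 ip address 192.168.1.1 255.255.255.0
 nameif management
 security-level 100
 no shutdown
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
http server enable
http 192.168.1.0 255.255.255.0 management
"""

# Constructed sample: the remote-host variant (Steps 5 and 7) plus mistakes the checks catch.
BAD_CONFIG = """\
interface management 0/0
 nameif management
 ip address 192.168.1.1 255.255.255.0
route management 10.1.1.0 255.255.255.0 192.168.1.50 1
dhcpd address 192.168.1.1-192.168.1.254 management
http server enable
http 10.1.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 management
http 172.16.0.0 255.255.0.0 management
"""
```

Run audit_text on the output of show running-config; the routed 10.1.1.0/24 entry in the second sample produces no finding because its route exists, while the other three statements do.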

Start ASDM

You can start ASDM using two methods:

  • ASDM-IDM Launcher—The Launcher is an application downloaded from
    the ASA using a web browser that you can use to connect to any ASA IP address.
    You do not need to re-download the launcher if you want to connect to other
    ASAs.

  • Java Web Start—For each ASA that you manage, you need to connect
    with a web browser and then save or launch the Java Web Start application. You
    can optionally save the shortcut to your computer; however you need separate
    shortcuts for each ASA IP address.


Note

If you use web start, clear the Java cache or you might lose changes
to some pre-login policies such as Hostscan. This problem does not occur if you
use the launcher.


Within ASDM, you can choose a different ASA IP address to
manage; the difference between the Launcher and Java Web Start functionality
rests primarily in how you initially connect to the ASA and launch ASDM.

This section describes how to connect to ASDM initially, and
then launch ASDM using the Launcher or the Java Web Start.

ASDM stores files in the local \Users\<user_id>\.asdm directory, including cache, log, and preferences, and also in the Temp
directory, including AnyConnect Client profiles.

Procedure


Step 1

On the computer that you specified as the ASDM client, enter the
following URL:

https://asa_ip_address/admin

Note 

Be sure to specify https://, and not http:// or just the IP address (which
defaults to HTTP); the ASA does not automatically forward an HTTP
request to HTTPS.

The ASDM launch page appears with the following buttons:

  • Install ASDM Launcher and Run
    ASDM

  • Run ASDM

  • Run Startup Wizard

Step 2

To download the Launcher:

  1. Click
    Install ASDM Launcher and Run ASDM.

  2. Leave the username and password fields empty (for a new installation), and click OK. With no HTTPS authentication configured, you can gain access to ASDM with no username and the enable password, which is blank by default. When you enter the enable command at the CLI for the first time, you are prompted to change the password; this behavior is not enforced when you log
    into ASDM. We suggest that you change the enable password as soon as possible so that it does not remain blank; see Set the Hostname, Domain Name, and the Enable and Telnet Passwords.
    Note: If you enabled HTTPS authentication, enter your username and associated password. Even without authentication, if you enter
    a username and password at the login screen (instead of leaving the username blank), ASDM checks the local database for a
    match.

  3. Save the installer to your computer, and then start the
    installer. The ASDM-IDM Launcher opens automatically after installation is
    complete.

  4. Enter the management IP address, the same username and password
    (blank for a new installation), and then click
    OK.

Step 3

To use Java Web Start:

  1. Click
    Run ASDM
    or Run Startup Wizard.

  2. Save the shortcut to your computer when prompted. You can
    optionally open it instead of saving it.

  3. Start Java Web Start from the shortcut.

  4. Accept any certificates according to the dialog boxes that
    appear. The Cisco ASDM-IDM Launcher appears.

  5. Leave the username and password fields empty (for a new installation), and click OK. With no HTTPS authentication configured, you can gain access to ASDM with no username and the enable password, which is blank by default. When you enter the enable command at the CLI for the first time, you are prompted to change the password; this behavior is not enforced when you log
    into ASDM. We suggest that you change the enable password as soon as possible so that it does not remain blank; see Set the Hostname, Domain Name, and the Enable and Telnet Passwords.
    Note: If you enabled HTTPS authentication, enter your username and associated password. Even without authentication, if you enter
    a username and password at the login screen (instead of leaving the username blank), ASDM checks the local database for a
    match.


Factory Default Configurations

The factory default configuration is the configuration applied by Cisco to new ASAs.

  • ASA 5506-X—The factory default configuration enables a functional
    inside/outside configuration. You can manage the ASA using ASDM from the
    inside interfaces, which are placed in a bridge group using Integrated
    Routing and Bridging.

  • ASA 5508-X and 5516-X—The
    factory default configuration enables a functional inside/outside
    configuration. You can manage the ASA using ASDM from the inside
    interface.

  • Firepower 1010—The factory default configuration enables a functional inside/outside configuration. You can manage the ASA
    using ASDM from either the management interface or the inside switch ports.

  • Firepower 1100—The factory default configuration enables a functional inside/outside configuration. You can manage the ASA
    using ASDM from either the management interface or the inside interface.

  • Firepower 2100—Platform mode (the default): The factory default configuration enables a functional inside/outside configuration. You can manage the ASA using the Firepower Chassis
    Manager and ASDM from the management interface.

    Appliance mode—If you change to appliance mode, the factory default configuration enables a functional inside/outside configuration.
    You can manage the ASA using ASDM from either the management interface or the inside interface.

  • Firepower 4100/9300 chassis—When you deploy the standalone or cluster of ASAs, the factory default configuration configures an interface for management
    so that you can connect to it using ASDM, with which you can then complete your configuration.

  • ASAv—Depending on your hypervisor, as part of deployment, the deployment configuration (the initial virtual deployment settings)
    configures an interface for management so that you can connect to it using ASDM, with which you can then complete your configuration.
    You can also configure failover IP addresses. You can also apply a “factory default” configuration if desired.

  • ISA 3000—The factory default configuration is an almost-complete transparent firewall mode configuration with all inside and
    outside interfaces on the same network; you can connect to the management interface with ASDM to set the IP address of your
    network. Hardware bypass is enabled for two interface pairs, and all traffic is sent to the ASA FirePOWER module in Inline Tap Monitor-Only Mode. This mode sends a duplicate stream
    of traffic to the ASA FirePOWER module for monitoring purposes only.

For appliances, the factory default configuration is available only for routed firewall mode and single context mode, except
for the ISA 3000, where the factory default configuration is only available in transparent mode. For the ASAv and the Firepower 4100/9300 chassis, you can choose transparent or routed mode at deployment.


Note

In addition to the image files and the (hidden) default configuration, the following folders and files are standard in flash
memory: log/, crypto_archive/, and coredumpinfo/coredump.cfg. The date on these files may not match the date of the image
files in flash memory. These files aid in potential troubleshooting; they do not indicate that a failure has occurred.


Restore the Factory Default Configuration

This section describes how to restore the factory default configuration. For the ASAv, this procedure erases the deployment configuration and applies the following configuration:


interface management 0/0
  ip address 192.168.1.1 255.255.255.0
  nameif management
  security-level 100
  no shutdown
!
asdm logging informational
asdm history enable
!
http server enable
http 192.168.1.0 255.255.255.0 management
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management


Note

On the Firepower 4100/9300, restoring the factory default configuration simply erases the configuration; to restore the default configuration, you must
re-deploy the ASA from the supervisor.


Before you begin

This feature is available only in routed firewall mode, except for the
ISA 3000, where this command is only supported in transparent mode. In addition,
this feature is available only in single context mode; an ASA with a cleared
configuration does not have any defined contexts to configure automatically using
this feature.

Procedure


Step 1

Restore the factory default configuration:

configure factory-default [ip_address [mask]]

Example:


ciscoasa(config)# configure factory-default 10.1.1.1 255.255.255.0

Note 

This command does not clear the currently-set mode, Appliance or Platform, for the Firepower 2100.

If you specify the ip_address, then you set the inside or management interface IP address, depending on your model, instead of using the default IP address.
See the following model guidelines for which interface is set by the ip_address option:

  • Firepower 1010—Sets the management interface IP address.

  • Firepower 1100—Sets the inside interface IP address.

  • Firepower 2100 in Appliance mode—Sets the inside interface IP address.

  • Firepower 2100 in Platform mode—Sets the management interface IP address.

  • Firepower 4100/9300—No effect.

  • ASAv—Sets the management interface IP address.

  • ASA 5506-X—Sets the inside interface IP address.

  • ASA 5508-X and 5516-X—Sets the inside interface IP
    address.

  • ISA 3000—Sets the management interface IP address.

The http command uses the subnet you
specify. Similarly, the dhcpd address command range consists of all
available addresses higher than the IP address you specify. For example, if
you specify 10.5.6.78 with a subnet mask of 255.255.255.0, then the DHCP
address range will be 10.5.6.79-10.5.6.254.

For the Firepower 1000, and the Firepower 2100 in Appliance mode: This command clears the boot system
command, if present, along with the rest of the configuration. This configuration change does not affect the image at
bootup: the currently-loaded image continues to be used.

For the Firepower 2100 in Platform mode: This model does not use the boot system command; packages are managed by FXOS.

For all other models: This command clears the boot system command, if present, along with the rest of the configuration. The boot system command lets you boot from a specific image. The next time you reload the ASA after restoring the factory configuration,
it boots from the first image in internal flash memory; if you do not have an image in internal flash memory, the ASA does
not boot.

Example:


docs-bxb-asa3(config)# configure factory-default 10.86.203.151 255.255.254.0
Based on the management IP address and mask, the DHCP address
pool size is reduced to 103 from the platform limit 256

WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.

Begin to apply factory-default configuration:
Clear all configuration
WARNING: The new maximum-session limit will take effect after the running-config is saved and the system boots next time. Command accepted
WARNING: Local user database is empty and there are still 'aaa' commands for 'LOCAL'.
Executing command: interface management0/0
Executing command: nameif management
INFO: Security level for "management" set to 0 by default.
Executing command: ip address 10.86.203.151 255.255.254.0
Executing command: security-level 100
Executing command: no shutdown
Executing command: exit
Executing command: http server enable
Executing command: http 10.86.202.0 255.255.254.0 management
Executing command: dhcpd address 10.86.203.152-10.86.203.254 management
Executing command: dhcpd enable management
Executing command: logging asdm informational
Factory-default configuration is completed
ciscoasa(config)#
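
As an added example (not Cisco code), the Python below applies the rule stated above to predict the http and dhcpd address statements that configure factory-default generates for a given address and mask, and checks the Executing command: lines of a console capture against that prediction. The interface id management0/0 and the command order are assumed from the ASAv transcript above (the interface set differs by model, as the list above says), and because the chapter only shows a pool reduced below the 256-address platform limit, a larger pool is flagged rather than trimmed.

```python
# Predict what `configure factory-default ip_address mask` generates and verify a
# console transcript against it (added example, not Cisco code). Rule from the text:
# http uses the subnet you specify; the DHCP pool is every usable address above the
# address you specify. The 256-address platform limit is taken from the sample output;
# how the ASA trims a larger pool is not shown in the chapter, so it is only flagged.
import ipaddress

PLATFORM_POOL_LIMIT = 256  # "platform limit 256" in the sample output


def derive(ip_address, mask, ifname="management"):
    """Return the http / dhcpd statements the command will generate for this address."""
    iface = ipaddress.IPv4Interface(f"{ip_address}/{mask}")
    net = iface.network
    first, last = iface.ip + 1, net.broadcast_address - 1  # usable hosts above the address
    size = int(last) - int(first) + 1 if last >= first else 0
    return {
        "http": f"http {net.network_address} {net.netmask} {ifname}",
        "dhcpd_address": f"dhcpd address {first}-{last} {ifname}" if size else None,
        "pool_size": size,
        "pool_exceeds_platform_limit": size > PLATFORM_POOL_LIMIT,
    }


def expected_commands(ip_address, mask, interface_id="management0/0", ifname="management"):
    """Commands in the order the ASAv transcript above executes them (assumed order;
    the interface id is model-specific and is a parameter for that reason)."""
    d = derive(ip_address, mask, ifname)
    cmds = [f"interface {interface_id}", f"nameif {ifname}", f"ip address {ip_address} {mask}",
            "security-level 100", "no shutdown", "exit", "http server enable", d["http"]]
    if d["dhcpd_address"]:
        cmds += [d["dhcpd_address"], f"dhcpd enable {ifname}"]
    return cmds + ["logging asdm informational"]


def executed_commands(transcript):
    """Pull the 'Executing command:' lines out of a console capture."""
    prefix = "Executing command: "
    return [ln[len(prefix):].strip() for ln in transcript.splitlines() if ln.startswith(prefix)]


def verify_transcript(transcript, ip_address, mask, **kw):
    """Compare a capture with the prediction; read 'unexpected' first when it is non-empty."""
    expected, actual = expected_commands(ip_address, mask, **kw), executed_commands(transcript)
    return {"matches": expected == actual,
            "missing": [c for c in expected if c not in actual],
            "unexpected": [c for c in actual if c not in expected]}


# Constructed sample: the console output shown above, abridged to the lines checked.
SAMPLE_TRANSCRIPT = """\
docs-bxb-asa3(config)# configure factory-default 10.86.203.151 255.255.254.0
Based on the management IP address and mask, the DHCP address
pool size is reduced to 103 from the platform limit 256
Begin to apply factory-default configuration:
Clear all configuration
Executing command: interface management0/0
Executing command: nameif management
INFO: Security level for "management" set to 0 by default.
Executing command: ip address 10.86.203.151 255.255.254.0
Executing command: security-level 100
Executing command: no shutdown
Executing command: exit
Executing command: http server enable
Executing command: http 10.86.202.0 255.255.254.0 management
Executing command: dhcpd address 10.86.203.152-10.86.203.254 management
Executing command: dhcpd enable management
Executing command: logging asdm informational
Factory-default configuration is completed
"""
```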

Step 2

Save the default configuration to flash memory:

write memory

This command saves the running configuration to the default
location for the startup configuration, even if you previously configured the
boot config command to set a different location; when the
configuration was cleared, this path was also cleared.


Restore the ASAv Deployment Configuration

This section describes how to restore the ASAv deployment (Day 0) configuration.

Procedure


Step 1

For failover, power off the standby unit.

To prevent the standby unit from becoming
active, you must power it off. If you leave it on, when you erase the active
unit configuration, then the standby unit becomes active. When the former
active unit reloads and reconnects over the failover link, the old
configuration will sync from the new active unit, wiping out the deployment
configuration you wanted.

Step 2

Restore the deployment configuration after
you reload. For failover, enter this command on the active unit:

write erase

Note 

The ASAv boots the current running image, so you are not reverted to the original boot image. To use the original boot image, see
the boot image command.

Do not save the configuration.

Step 3

Reload the ASAv and load the deployment configuration:

reload

Step 4

For failover, power on the standby unit.

After the active unit reloads, power on the
standby unit. The deployment configuration will sync to the standby unit.


ASA 5506-X Series Default Configuration

The default factory configuration for the ASA 5506-X series
configures the following:

  • Integrated Routing and Bridging functionality—GigabitEthernet 1/2 through 1/8 belong to bridge group 1; Bridge Virtual Interface
    (BVI) 1

  • inside → outside traffic flow—GigabitEthernet 1/1 (outside), BVI 1 (inside)

  • outside IP address from DHCP, inside IP address—192.168.1.1

  • (ASA 5506W-X) wifi ↔ inside, wifi → outside traffic flow—GigabitEthernet 1/9 (wifi)

  • (ASA 5506W-X) wifi IP address—192.168.10.1

  • DHCP for clients on inside and wifi. The access point itself and
    all its clients use the ASA as the DHCP server.

  • ASDM access—inside and wifi hosts allowed.

  • NAT—Interface PAT for all traffic from inside, wifi, and
    management to outside.

The configuration consists of the following commands:


interface Management1/1
  management-only
  no nameif
  no security-level
  no ip address
  no shutdown
interface GigabitEthernet1/1
  nameif outside
  security-level 0
  ip address dhcp setroute
  no shutdown
!
interface GigabitEthernet1/2
  nameif inside_1
  security-level 100
  bridge-group 1
  no shutdown
interface GigabitEthernet1/3
  nameif inside_2
  security-level 100
  no shutdown
  bridge-group 1
interface GigabitEthernet1/4
  nameif inside_3
  security-level 100
  no shutdown
  bridge-group 1
interface GigabitEthernet1/5
  nameif inside_4
  security-level 100
  no shutdown
  bridge-group 1
interface GigabitEthernet1/6
  nameif inside_5
  security-level 100
  no shutdown
  bridge-group 1
interface GigabitEthernet1/7
  nameif inside_6
  security-level 100
  no shutdown
  bridge-group 1
interface GigabitEthernet1/8
  nameif inside_7
  security-level 100
  no shutdown
  bridge-group 1
!
interface bvi 1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
!
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
 nat (inside_1,outside) dynamic interface
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
 nat (inside_2,outside) dynamic interface
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
 nat (inside_3,outside) dynamic interface
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
 nat (inside_4,outside) dynamic interface
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
 nat (inside_5,outside) dynamic interface
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
 nat (inside_6,outside) dynamic interface
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
 nat (inside_7,outside) dynamic interface
!
same-security-traffic permit inter-interface
!
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
!
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
logging asdm informational

For the ASA 5506W-X, the following commands are also included:


interface GigabitEthernet 1/9
  security-level 100
  nameif wifi
  ip address 192.168.10.1 255.255.255.0
  no shutdown
!
object network obj_any_wifi
 subnet 0.0.0.0 0.0.0.0
 nat (wifi,outside) dynamic interface
!
http 192.168.10.0 255.255.255.0 wifi
!
dhcpd address 192.168.10.2-192.168.10.254 wifi
dhcpd enable wifi

ASA 5508-X and 5516-X Default Configuration

The default factory configuration for the ASA 5508-X and 5516-X configures the following:

  • inside —> outside traffic flow—GigabitEthernet 1/1
    (outside), GigabitEthernet 1/2 (inside)

  • outside IP address from DHCP

  • inside IP address—192.168.1.1

  • DHCP server on inside.

  • Default route from outside DHCP

  • Management 1/1 interface is Up, but otherwise unconfigured. The
    ASA FirePOWER module can then use this interface to access the ASA inside network and use
    the inside interface as the gateway to the Internet.

  • ASDM access—inside hosts allowed.

  • NAT—Interface PAT for all traffic from inside and management to outside.

The configuration consists of the following commands:


interface Management1/1
  management-only
  no nameif
  no security-level
  no ip address
  no shutdown
interface GigabitEthernet1/1
  nameif outside
  security-level 0
  ip address dhcp setroute
  no shutdown
interface GigabitEthernet1/2
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  no shutdown
!
object network obj_any
  subnet 0.0.0.0 0.0.0.0
  nat (any,outside) dynamic interface
!
http server enable
http 192.168.1.0 255.255.255.0 inside
!
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
logging asdm informational

Firepower 1010 Default Configuration

The default factory configuration for the Firepower 1010 configures the following:

  • Hardware switch—Ethernet 1/2 through 1/8 belong to VLAN 1

  • inside→outside traffic flow—Ethernet 1/1 (outside), VLAN1 (inside)

  • management—Management 1/1 (management), IP address 192.168.45.1

  • outside IP address from DHCP, inside IP address—192.168.1.1

  • DHCP server on inside interface, management interface

  • Default route from outside DHCP

  • ASDM access—Management and inside hosts allowed. Management hosts are limited to the 192.168.45.0/24 network, and inside hosts
    are limited to the 192.168.1.0/24 network.

  • NAT—Interface PAT for all traffic from inside to outside.

  • DNS servers—OpenDNS servers are pre-configured.

The configuration consists of the following commands:


interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
!
interface Management1/1
management-only
nameif management
no shutdown
security-level 100
ip address 192.168.45.1 255.255.255.0
!
interface Ethernet1/1
nameif outside
ip address dhcp setroute
no shutdown
!
interface Ethernet1/2
no shutdown
switchport
switchport mode access
switchport access vlan 1
!
interface Ethernet1/3
no shutdown
switchport
switchport mode access
switchport access vlan 1
!
interface Ethernet1/4
no shutdown
switchport
switchport mode access
switchport access vlan 1
!
interface Ethernet1/5
no shutdown
switchport
switchport mode access
switchport access vlan 1
!
interface Ethernet1/6
no shutdown
switchport
switchport mode access
switchport access vlan 1
!
interface Ethernet1/7
no shutdown
switchport
switchport mode access
switchport access vlan 1
!
interface Ethernet1/8
no shutdown
switchport
switchport mode access
switchport access vlan 1
!
object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (any,outside) dynamic interface
!
dhcpd auto_config outside
dhcpd address 192.168.1.20-192.168.1.254 inside
dhcpd address 192.168.45.10-192.168.45.12 management
dhcpd enable inside
dhcpd enable management
!
http server enable
http 192.168.45.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
!
dns domain-lookup outside
dns server-group DefaultDNS
   name-server 208.67.222.222 outside
   name-server 208.67.220.220 outside
!

Firepower 1100 Default Configuration

The default factory configuration for the Firepower 1100 configures the following:

  • inside→outside traffic flow—Ethernet 1/1 (outside), Ethernet 1/2 (inside)

  • outside IP address from DHCP, inside IP address—192.168.1.1

  • management—Management 1/1 (management), IP address from DHCP

  • DHCP server on inside interface

  • Default routes from outside DHCP, management DHCP

  • ASDM access—Management and inside hosts allowed. Management hosts are not limited by source address (http 0.0.0.0 0.0.0.0 management);
    inside hosts are limited to the 192.168.1.0/24 network.

  • NAT—Interface PAT for all traffic from inside to outside.

  • DNS servers—OpenDNS servers are pre-configured.

The configuration consists of the following commands:


interface Management1/1
  management-only
  nameif management
  security-level 100
  ip address dhcp setroute
  no shutdown
!
interface Ethernet1/1
  nameif outside
  security-level 0
  ip address dhcp setroute
  no shutdown
!
interface Ethernet1/2
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  no shutdown
!
object network obj_any
  subnet 0.0.0.0 0.0.0.0
  nat (any,outside) dynamic interface
!
http server enable
http 0.0.0.0 0.0.0.0 management
http 192.168.1.0 255.255.255.0 inside
!
dhcpd auto_config outside
dhcpd address 192.168.1.20-192.168.1.254 inside
dhcpd enable inside
!
dns domain-lookup outside
dns server-group DefaultDNS
   name-server 208.67.222.222 outside
   name-server 208.67.220.220 outside
!

Firepower 2100 Platform Mode Default Configuration

You can set the Firepower 2100 to run in Platform mode; Appliance mode is the default.


Note

For pre-9.13(1) versions, Platform mode was the default and only option. If you upgrade from Platform mode, this mode is maintained.


ASA Configuration

The default factory configuration for the ASA on the Firepower 2100 configures the following:

  • inside→outside traffic flow—Ethernet 1/1 (outside), Ethernet 1/2 (inside)

  • outside IP address from DHCP, inside IP address—192.168.1.1

  • DHCP server on inside interface

  • Default route from outside DHCP

  • management—Management 1/1 (management), IP address 192.168.45.1

  • ASDM access—Management hosts allowed.

  • NAT—Interface PAT for all traffic from inside to outside.

  • FXOS management traffic initiation—The FXOS chassis can initiate management traffic on the ASA outside interface.

  • DNS servers—OpenDNS servers are pre-configured.

The configuration consists of the following commands:


interface Management1/1
  management-only
  nameif management
  security-level 100
  ip address 192.168.45.1 255.255.255.0
  no shutdown
!
interface Ethernet1/1
  nameif outside
  security-level 0
  ip address dhcp setroute
  no shutdown
!
interface Ethernet1/2
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  no shutdown
!
object network obj_any
  subnet 0.0.0.0 0.0.0.0
  nat (any,outside) dynamic interface
!
http server enable
http 192.168.45.0 255.255.255.0 management
!
dhcpd auto_config outside
dhcpd address 192.168.1.20-192.168.1.254 inside
dhcpd enable inside
!
ip-client outside
!
dns domain-lookup outside
dns server-group DefaultDNS
   name-server 208.67.222.222 outside
   name-server 208.67.220.220 outside

FXOS Configuration

The default factory configuration for FXOS on the Firepower 2100 configures the following:

  • Management 1/1—IP address 192.168.45.45

  • Default gateway—ASA data interfaces

  • Firepower Chassis Manager and SSH access—From the management network only.

  • Default username admin, with the default password Admin123. Change it at first login; FXOS accepts this well-known credential
    from the management network until you do.

  • DHCP server—Client IP address range 192.168.45.10-192.168.45.12

  • NTP server—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org

  • DNS Servers—OpenDNS: 208.67.222.222, 208.67.220.220

  • Ethernet 1/1 and Ethernet 1/2—Enabled

Firepower 2100 Appliance Mode Default Configuration

The Firepower 2100 runs in Appliance mode by default.


Note

For pre-9.13(1) versions, Platform mode was the default and only option. If you upgrade from Platform mode, Platform mode
is maintained.


The default factory configuration for the Firepower 2100 in Appliance mode configures the following:

  • inside→outside traffic flow—Ethernet 1/1 (outside), Ethernet 1/2 (inside)

  • outside IP address from DHCP, inside IP address—192.168.1.1

  • management IP address from DHCP—Management 1/1 (management)

  • DHCP server on inside interface

  • Default routes from outside DHCP, management DHCP

  • ASDM access—Management and inside hosts allowed. Management hosts are not limited by source address (http 0.0.0.0 0.0.0.0 management);
    inside hosts are limited to the 192.168.1.0/24 network.

  • NAT—Interface PAT for all traffic from inside to outside.

  • DNS servers—OpenDNS servers are pre-configured.

The configuration consists of the following commands:


interface Management1/1
  management-only
  nameif management
  security-level 100
  ip address dhcp setroute
  no shutdown
!
interface Ethernet1/1
  nameif outside
  security-level 0
  ip address dhcp setroute
  no shutdown
!
interface Ethernet1/2
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  no shutdown
!
object network obj_any
  subnet 0.0.0.0 0.0.0.0
  nat (any,outside) dynamic interface
!
http server enable
http 0.0.0.0 0.0.0.0 management
http 192.168.1.0 255.255.255.0 inside
!
dhcpd auto_config outside
dhcpd address 192.168.1.20-192.168.1.254 inside
dhcpd enable inside
!
dns domain-lookup outside
dns server-group DefaultDNS
   name-server 208.67.222.222 outside
   name-server 208.67.220.220 outside
!

Firepower 4100/9300 Chassis Default Configuration

When you deploy the ASA on the Firepower 4100/9300 chassis, you can pre-set many parameters that let you connect to the Management
interface using ASDM. A typical configuration includes the following settings:

  • Management interface:

    • Management type interface of your choice defined on the Firepower 4100/9300 Chassis supervisor

    • Named “management”

    • IP address of your choice

    • Security level 0

    • Management-only

  • Default route through the management interface

  • ASDM access—All hosts allowed. The http 0.0.0.0 0.0.0.0 and http ::/0 entries below place no source-address restriction on
    ASDM; narrow them to your administration subnet once the unit is reachable.

The configuration for a standalone unit consists of the following commands. For additional configuration for clustered units,
see Create an ASA Cluster.


interface <management_ifc>
  management-only
  ip address <ip_address> <mask>
  ipv6 address <ipv6_address>
  ipv6 enable
  nameif management
  security-level 0
  no shutdown
!
http server enable
http 0.0.0.0 0.0.0.0 management
http ::/0 management
!
route management 0.0.0.0 0.0.0.0 <gateway_ip> 1
ipv6 route management ::/0 <gateway_ipv6>
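
The 4100/9300 configuration above, like the Firepower 1100 and Firepower 2100 Appliance mode defaults, permits ASDM from any
source address on the management interface (http 0.0.0.0 0.0.0.0 management, http ::/0 management). The following Python
script is an added example, not part of this guide or of Cisco's software: it parses the interface, http, ssh and nat lines
of a saved configuration and reports those open settings, so a factory default can be checked before the unit is placed on a
network. Its sample configuration is constructed from the Firepower 2100 Appliance mode defaults shown earlier; the hardened
variant, the 10.10.0.0/24 administration subnet and the severity labels are assumptions of the example.

```python
"""Audit an ASA running-config for management-plane exposure.

Added example for this guide, not Cisco code. It parses the interface, http, ssh
and nat lines of an ASA configuration and reports what the factory defaults above
leave open. SAMPLE_CONFIG is constructed from the Firepower 2100 Appliance mode
defaults; HARDENED_CONFIG is a constructed variant that passes (10.10.0.0/24 as
the admin subnet is an assumption). Severities and messages are this example's own.
"""
import ipaddress

SAMPLE_CONFIG = """\
interface Management1/1
  management-only
  nameif management
  security-level 100
  ip address dhcp setroute
!
interface Ethernet1/1
  nameif outside
  security-level 0
  ip address dhcp setroute
!
object network obj_any
  subnet 0.0.0.0 0.0.0.0
  nat (any,outside) dynamic interface
!
http server enable
http 0.0.0.0 0.0.0.0 management
http 192.168.1.0 255.255.255.0 inside
"""

HARDENED_CONFIG = """\
interface Management1/1
  management-only
  nameif management
  security-level 100
  ip address 10.10.0.5 255.255.255.0
!
http 10.10.0.0 255.255.255.0 management
ssh 10.10.0.0 255.255.255.0 management
"""


def _access_rule(parts):
    """'http|ssh <net> <mask> <nameif>' or '... <prefix>/<len> <nameif>'; None otherwise."""
    try:
        if len(parts) == 4:
            return parts[0], ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False), parts[3]
        if len(parts) == 3:
            return parts[0], ipaddress.ip_network(parts[1], strict=False), parts[2]
    except ValueError:  # 'http server enable', 'ssh version 2', ...
        pass
    return None


def parse_config(text):
    """Return (interfaces keyed by nameif, [(service, network, nameif)], [nat lines])."""
    interfaces, rules, nats, cur = {}, [], [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] in ("!", "object"):
            cur = None  # a blank line, '!' or an object block ends an interface block
        elif parts[0] == "interface":
            cur = {"name": parts[1], "security_level": None, "management_only": False, "dhcp_setroute": False}
        elif cur is not None and parts[0] == "nameif":
            interfaces[parts[1]] = cur
        elif cur is not None and parts[0] == "security-level":
            cur["security_level"] = int(parts[1])
        elif cur is not None and parts[0] == "management-only":
            cur["management_only"] = True
        elif cur is not None and parts[:4] == ["ip", "address", "dhcp", "setroute"]:
            cur["dhcp_setroute"] = True
        elif parts[0] == "nat":
            nats.append(" ".join(parts))
        elif parts[0] in ("http", "ssh") and (rule := _access_rule(parts)):
            rules.append(rule)
    return interfaces, rules, nats


def audit(text):
    """Return [(severity, message)] in the order the problems are found."""
    interfaces, rules, nats = parse_config(text)
    findings = []
    for service, net, ifc in rules:
        if net.prefixlen == 0:
            findings.append(("high", f"{service} on '{ifc}' allowed from any source ({net}); restrict it to the admin subnet"))
        if interfaces.get(ifc, {}).get("security_level") == 0:
            findings.append(("high", f"{service} management access permitted on untrusted interface '{ifc}'"))
    for nameif, info in interfaces.items():
        if info["name"].startswith("Management") and not info["management_only"]:
            findings.append(("medium", f"'{nameif}' is not management-only and can carry through traffic"))
        if info["name"].startswith("Management") and info["dhcp_setroute"]:
            findings.append(("low", f"'{nameif}' learns its address and gateway from DHCP; a rogue DHCP server on that segment steers the management path"))
    for line in nats:
        if line.startswith("nat (any,"):
            findings.append(("info", f"dynamic PAT matches every source interface: {line}"))
    return findings
```

Feed audit() the text of show running-config copied off the unit; a clean result is an empty list. The parser understands
only the line forms that appear in the default configurations in this chapter, which is enough for a first-boot check but
not for a full policy review.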

ISA 3000 Default Configuration

The default factory configuration for the ISA 3000 configures the following:

  • Transparent firewall mode—A transparent firewall is a Layer 2 firewall that acts like
    a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop
    to connected devices.

  • 1 Bridge Virtual Interface—All member interfaces are in the same network (IP address not pre-configured; you must set it to
    match your network): GigabitEthernet 1/1 (outside1), GigabitEthernet 1/2 (inside1), GigabitEthernet 1/3 (outside2),
    GigabitEthernet 1/4 (inside2)

  • All inside and outside interfaces can communicate with each other. The allowAll access list applied inbound on outside1 and
    outside2 permits all IP traffic, so nothing is filtered until you replace it.

  • Management 1/1 interface—192.168.1.1/24 for ASDM access.

  • DHCP for clients on management.

  • ASDM access—Management hosts allowed.

  • Hardware bypass is enabled for the following interface pairs: GigabitEthernet 1/1
    & 1/2; GigabitEthernet 1/3 & 1/4


    Note

    When the ISA
    3000 loses power and goes into hardware bypass mode, only the above interface
    pairs can communicate; inside1 and inside2, and outside1 and outside2 can no
    longer communicate. Any existing connections between these interfaces will be
    lost. When the power comes back on, there is a brief connection interruption as
    the ASA takes over the flows.


  • ASA FirePOWER module—All traffic is sent to the module in Inline Tap
    Monitor-Only Mode. This mode sends a duplicate stream of traffic to the ASA
    Firepower module for monitoring purposes only.

  • Precision Time Protocol—PTP traffic is not sent to the FirePOWER module.

The configuration consists of the following commands:


firewall transparent

interface GigabitEthernet1/1
  bridge-group 1
  nameif outside1
  security-level 0
  no shutdown
interface GigabitEthernet1/2
  bridge-group 1
  nameif inside1
  security-level 100
  no shutdown
interface GigabitEthernet1/3
  bridge-group 1
  nameif outside2
  security-level 0
  no shutdown
interface GigabitEthernet1/4
  bridge-group 1
  nameif inside2
  security-level 100
  no shutdown
interface Management1/1
  management-only
  no shutdown
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
interface BVI1
  no ip address

access-list allowAll extended permit ip any any
access-group allowAll in interface outside1
access-group allowAll in interface outside2

same-security-traffic permit inter-interface

hardware-bypass GigabitEthernet 1/1-1/2
hardware-bypass GigabitEthernet 1/3-1/4

http server enable
http 192.168.1.0 255.255.255.0 management

dhcpd address 192.168.1.5-192.168.1.254 management
dhcpd enable management

object-group service bypass_sfr_inspect
  service-object udp destination range 319 320
access-list sfrAccessList extended deny object-group bypass_sfr_inspect any any
access-list sfrAccessList extended permit ip any any
class-map sfrclass
  match access-list sfrAccessList
policy-map global_policy
  class sfrclass
    sfr fail-open monitor-only
service-policy global_policy global 
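
The sfrAccessList above relies on a detail of class-map matching that is easy to misread: when a class-map uses match
access-list, a deny entry does not block traffic, it excludes that traffic from the class. PTP on UDP 319-320 therefore keeps
flowing through the bridge group but is never redirected to the ASA FirePOWER module, while every other flow is. The
following Python script is an added example, not from this guide or from Cisco: it parses the object-group and access-list
lines above into entries and evaluates them in first-match order with the implicit deny at the end. The flows it tests are
constructed.

```python
"""First-match evaluation of the ISA 3000 SFR redirection ACL.

Added example for this guide, not Cisco code. It models how the sfrAccessList
above is evaluated by the sfrclass class-map: an ACL used by 'match access-list'
classifies only the flows it permits, so the deny entry (UDP 319-320, PTP) keeps
those flows out of the class and they are not redirected to the ASA FirePOWER
module, while everything else is. The parser handles only the entry forms present
in that configuration; the flows tested below are constructed.
"""

ISA3000_POLICY = """\
object-group service bypass_sfr_inspect
  service-object udp destination range 319 320
access-list sfrAccessList extended deny object-group bypass_sfr_inspect any any
access-list sfrAccessList extended permit ip any any
"""


def parse_policy(text):
    """Return ({group: [(proto, lo, hi)]}, {acl: [(action, proto, lo, hi)]})."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["object-group", "service"]:
            current = groups.setdefault(parts[2], [])
        elif parts[0] == "service-object" and current is not None:
            # service-object <proto> destination {range <lo> <hi> | eq <port>}
            lo = int(parts[4])
            hi = int(parts[5]) if parts[3] == "range" else lo
            current.append((parts[1], lo, hi))
        elif parts[0] == "access-list" and parts[2] == "extended":
            current = None
            entries = acls.setdefault(parts[1], [])
            if parts[4] == "object-group":      # one entry per service in the group
                entries.extend((parts[3],) + svc for svc in groups[parts[5]])
            else:                               # '<proto> any any': any destination port
                entries.append((parts[3], parts[4], 0, 65535))
    return groups, acls


def acl_action(entries, proto, dport):
    """Action of the first matching entry; the implicit deny at the end otherwise."""
    for action, p, lo, hi in entries:
        if p in ("ip", proto) and lo <= dport <= hi:
            return action
    return "deny"


def sent_to_sfr(acls, proto, dport, acl_name="sfrAccessList"):
    """True when the flow enters the class, i.e. when the ACL permits it."""
    return acl_action(acls[acl_name], proto, dport) == "permit"
```

The same evaluation applies to any class-map that uses match access-list: to keep a flow away from a module or an
inspection, deny it in the ACL rather than leaving it out, because a flow that matches no entry also falls to the implicit
deny and is simply not classified.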

ASAv Deployment Configuration

When you deploy the ASAv, you can pre-set many parameters that let you connect to the Management 0/0 interface using ASDM. A typical configuration
includes the following settings:

  • Routed or Transparent firewall mode

  • Management 0/0 interface:

    • Named “management”

    • IP address or DHCP

    • Security level 0

  • Static route for the management host IP address (if it is not on
    the management subnet)

  • HTTP server enabled or disabled

  • HTTP access for the management host IP address

  • (Optional) Failover link IP addresses for GigabitEthernet 0/8,
    and the Management 0/0 standby IP address

  • DNS server

  • Smart licensing ID token

  • Smart licensing Throughput Level and Standard Feature Tier

  • (Optional) Smart Call Home HTTP Proxy URL and port

  • (Optional) SSH management settings:

    • Client IP addresses

    • Local username and password

    • Authentication required for SSH using the LOCAL database

  • (Optional) REST API enabled or disabled


Note

To successfully register the ASAv with the Cisco Licensing Authority, the ASAv requires Internet access. You might need to perform additional configuration after deployment to achieve Internet access
and successful license registration.


See the following sample configuration for a standalone unit:


interface Management0/0
  nameif management
  security-level 0
  ip address ip_address
  no shutdown
http server enable
http management_host_IP mask management
route management management_host_IP mask gateway_ip 1
dns server-group DefaultDNS
  name-server ip_address
call-home
  http-proxy ip_address port port
license smart
  feature tier standard
  throughput level {100M | 1G | 2G}
  license smart register idtoken id_token
aaa authentication ssh console LOCAL
username username password password
ssh source_IP_address mask management
rest-api image boot:/path
rest-api agent


Note

The Essentials license was formerly called the “Standard” license, which is why the sample uses feature tier standard.


See the following sample configuration for a primary unit in a
failover pair:


interface Management0/0
  nameif management
  security-level 0
  ip address ip_address standby standby_ip
  no shutdown
route management management_host_IP mask gateway_ip 1
http server enable
http management_host_IP mask management
dns server-group DefaultDNS
  name-server ip_address
call-home
  http-proxy ip_address port port
license smart
  feature tier standard
  throughput level {100M | 1G | 2G}
  license smart register idtoken id_token
aaa authentication ssh console LOCAL
username username password password
ssh source_IP_address mask management
rest-api image boot:/path
rest-api agent
failover
failover lan unit primary
failover lan interface fover gigabitethernet0/8
failover link fover gigabitethernet0/8
failover interface ip fover primary_ip mask standby standby_ip

Set the Firepower 2100 to Appliance or Platform Mode

The Firepower 2100 runs an underlying operating system called the FXOS. You can run the Firepower 2100 in the following modes:

  • Appliance mode (the default)—Appliance mode lets you configure all settings in the ASA. Only advanced troubleshooting commands
    are available from the FXOS CLI.

  • Platform mode—When in Platform mode, you must configure basic operating parameters and hardware interface settings in FXOS.
    These settings include enabling interfaces, establishing EtherChannels, NTP, image management, and more. You can use the Firepower Chassis
    Manager
    web interface or FXOS CLI. You can then configure your security policy in the ASA operating system using ASDM or the ASA
    CLI.

This procedure tells you how to change the mode. When you change the mode, the configuration is cleared and you need to reload
the system. The default configuration is applied upon reload. Note that the clear configure all and configure factory-default commands do not clear the current mode.

Before you begin

You can only change the mode at the CLI.

Procedure


Step 1

(Optional) Back up your current configuration. See Back Up and Restore Configurations or Other Files.

Although there are slight differences between an Appliance mode configuration and a Platform mode configuration, a copy of
the old configuration can be a good starting point. For example, for Platform mode, the NTP, DNS, and EtherChannel configuration
is not part of the ASA configuration, so it will not be included in your backup, but most other ASA settings are valid for
both modes.

Step 2

View the current mode.

show fxos mode

Example:


ciscoasa(config)# show fxos mode
Mode is currently set to appliance

Step 3

Set the mode to Platform mode.

no fxos mode appliance

write memory

reload

After you set the mode, you need to save the configuration and reload the device. Prior to reloading, you can set the mode
back to the original value without any disruption.

Example:


ciscoasa(config)# no fxos mode appliance
Mode set to platform mode
WARNING: This command will take effect after the running-config is saved and the system has been rebooted. Command accepted.
ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: c0532471 648dc7c2 4f2b4175 1f162684

23736 bytes copied in 1.520 secs (23736 bytes/sec)
[OK]
ciscoasa(config)# reload
Proceed with reload? [confirm]  

Step 4

Set the mode to Appliance mode.

fxos mode appliance

write memory

reload

After you set the mode, you need to save the configuration and reload the device. Prior to reloading, you can set the mode
back to the original value without any disruption.

Example:


ciscoasa(config)# fxos mode appliance
Mode set to appliance mode
WARNING: This command will take effect after the running-config is saved and the system has been rebooted. Command accepted.
ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: c0532471 648dc7c2 4f2b4175 1f162684

23736 bytes copied in 1.520 secs (23736 bytes/sec)
[OK]
ciscoasa(config)# reload
Proceed with reload? [confirm]  


Work with the Configuration

This section describes how to work with the
configuration. The ASA loads the configuration from a text file, called the
startup configuration. This file resides by default as a hidden file in
internal flash memory. You can, however, specify a different path for the
startup configuration.

When you enter a command, the change is made only
to the running configuration in memory. You must manually save the running
configuration to the startup configuration for your changes to remain after a
reboot.

The information in this section applies to both
single and multiple security contexts, except where noted.

Save Configuration Changes

This section describes how to save your
configuration.

Save Configuration Changes in Single Context Mode

To save the running configuration to the startup
configuration, perform the following procedure.

Procedure

Save the running configuration to the
startup configuration:

write memory

Note

The copy running-config startup-config command is equivalent to the write memory command.


Save Configuration Changes in Multiple Context Mode

You can save each context (and system)
configuration separately, or you can save all context configurations at the
same time.

Save Each Context and System Separately

Use the following procedure to save the system
or context configuration.

Procedure

From within the context or the system, save
the running configuration to the startup configuration:

write memory

For multiple context mode, context startup
configurations can reside on external servers. In this case, the ASA saves the
configuration back to the server you identified in the context URL, except for
an HTTP or HTTPS URL, which do not let you save the configuration to the
server.

Note

The copy running-config startup-config command is equivalent to the write memory command.


Save All Context Configurations at the Same Time

Use the following procedure to save all context
configurations at the same time, as well as the system configuration.

Procedure

From the system execution space, save the
running configuration to the startup configuration for all contexts and the
system configuration:

write memory all [/noconfirm]

If you do not enter the
/noconfirm keyword, you see the
following prompt:


Are you sure [Y/N]:

After you enter
Y, the ASA saves the system
configuration and each context. Context startup configurations can reside on
external servers. In this case, the ASA saves the configuration back to the
server you identified in the context URL, except for an HTTP or HTTPS URL,
which do not let you save the configuration to the server.

After the ASA saves each context, the
following message appears:


Saving context 'b' ... ( 1/3 contexts saved )

Sometimes, a context is not saved because of
an error. See the following information for errors:

  • For contexts that are not saved because
    of low memory, the following message appears:

    
    The context 'context a' could not be saved due to Unavailability of resources
    
    
  • For contexts that are not saved because
    the remote destination is unreachable, the following message appears:

    
    The context 'context a' could not be saved due to non-reachability of destination
    
    
  • For contexts that are not saved because
    the context is locked, the following message appears:

    
    Unable to save the configuration for the following contexts as these contexts are locked.
    context ‘a’ , context ‘x’ , context ‘z’ .
    
    

    A context is only locked if another user
    is already saving the configuration or in the process of deleting the context.

  • For contexts that are not saved because
    the startup configuration is read-only (for example, on an HTTP server), the
    following message report is printed at the end of all other messages:

    
    Unable to save the configuration for the following contexts as these contexts have read-only config-urls:
    context ‘a’ , context ‘b’ , context ‘c’ .
    
    
  • For contexts that are not saved because
    of bad sectors in the flash memory, the following message appears:

    
    The context 'context a' could not be saved due to Unknown errors
    
    
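When write memory all is driven from a script rather than typed at a console, the messages above are the only record of
which contexts were actually saved. The following Python parser is an added example, not from this guide or from Cisco: it
maps each context named in the output to a status, handles the two-line locked and read-only reports, and exposes the N in
( k/N contexts saved ) so the caller can notice a context that appears in no message at all. The sample output is
constructed from the message formats quoted above; the status names are the example's own, and both straight and curly
quotes are accepted because the messages are rendered here with both.

```python
"""Parse the per-context messages printed by 'write memory all'.

Added example for this guide, not Cisco code. It maps every context named in
the output to 'saved' or a failure status so an automation job can tell which
contexts still need attention. SAMPLE_OUTPUT is constructed from the message
formats shown above; the status names are this example's own. Straight and
curly single quotes are both accepted, because the guide renders the messages
with both.
"""
import re

SAMPLE_OUTPUT = """\
Saving context 'a' ... ( 1/7 contexts saved )
Saving context 'b' ... ( 2/7 contexts saved )
The context 'context c' could not be saved due to non-reachability of destination
The context 'context d' could not be saved due to Unknown errors
Unable to save the configuration for the following contexts as these contexts are locked.
context 'e' .
Unable to save the configuration for the following contexts as these contexts have read-only config-urls:
context 'f' , context 'g' .
"""

Q, NAME = "['‘’]", "[^'‘’]+"   # a quoted context name, either quote style
SAVED_RE = re.compile(rf"Saving context {Q}(?P<name>{NAME}){Q}.*?\(\s*(?P<n>\d+)/(?P<total>\d+) contexts saved")
FAILED_RE = re.compile(rf"The context {Q}(?P<name>{NAME}){Q} could not be saved due to (?P<reason>.+?)\s*$")
HEADER_RE = re.compile(r"these contexts (?P<kind>are locked|have read-only config-urls)")
NAME_RE = re.compile(rf"context {Q}({NAME}){Q}")

REASONS = {  # message text from the guide -> status used by this example
    "Unavailability of resources": "low_memory",
    "non-reachability of destination": "destination_unreachable",
    "Unknown errors": "unknown_error",  # the guide attributes this to bad flash sectors
}


def _norm(name):
    """Drop the 'context ' prefix the guide shows inside the quotes."""
    name = name.strip()
    return name[len("context "):] if name.startswith("context ") else name


def parse_write_memory_all(output):
    """Return {context_name: 'saved' | failure status} from the command output."""
    status, pending = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if m := SAVED_RE.search(line):
            status[_norm(m["name"])] = "saved"
            pending = None
        elif m := FAILED_RE.search(line):
            status[_norm(m["name"])] = REASONS.get(m["reason"], "unknown_error")
            pending = None
        elif m := HEADER_RE.search(line):
            # the list of affected contexts follows on the next line(s)
            pending = "locked" if m["kind"] == "are locked" else "read_only"
        elif pending:
            for name in NAME_RE.findall(line):
                status[_norm(name)] = pending
    return status


def unsaved(status):
    """Contexts that were not saved, sorted for a stable report."""
    return sorted(name for name, state in status.items() if state != "saved")


def reported_total(output):
    """The N in '( k/N contexts saved )', or None if no context was saved."""
    totals = [int(m["total"]) for m in SAVED_RE.finditer(output)]
    return totals[-1] if totals else None
```

A job that wraps the command should treat a non-empty unsaved() list, or a reported_total() that differs from the number of
contexts it found, as a failed save and retry or alert rather than assume the startup configurations are current.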

Copy the Startup Configuration to the Running Configuration

Use one of the following commands to copy a new
startup configuration to the running configuration:

  • copy startup-config running-config

    Merges the startup configuration with the
    running configuration. A merge adds any new commands from the new configuration
    to the running configuration. If the configurations are the same, no changes
    occur. If commands conflict or if commands affect the running of the context,
    then the effect of the merge depends on the command. You might get errors, or
    you might have unexpected results.

  • reload

    Reloads the ASA, which loads the startup
    configuration and discards the running configuration.

  • clear configure all and then copy startup-config running-config

    Loads the startup configuration and discards
    the running configuration without requiring a reload.

View the Configuration

The following commands let you view the running
and startup configurations:

  • show running-config

    Views the running configuration.

  • show running-config command

    Views the running configuration of a specific command.

  • show startup-config

    Views the startup configuration.

Clear and Remove Configuration Settings

To erase settings, enter one of the following
commands:

  • clear configure configuration_command [level2_configuration_command]

    Clears all the configuration for a specified command. If you only want to clear the configuration for a specific version of
    the command, you can enter a value for level2_configuration_command.

    For example, to clear the configuration for
    all
    aaa commands, enter the following
    command:

     
    ciscoasa(config)# clear configure aaa 
    
    

    To clear the configuration for only
    aaa authentication commands, enter the
    following command:

     
    ciscoasa(config)# clear configure aaa authentication 
    
    
  • no configuration_command [level2_configuration_command] qualifier

    Disables the specific parameters or options of a command. In this case, you use the no command to remove the specific
    configuration identified by qualifier.

    For example, to remove a specific access-list command, enter enough of the command to identify it uniquely; you may have to
    enter the entire command:

     
    ciscoasa(config)# no access-list abc extended permit icmp any any object-group obj_icmp_1
    
  • write erase

    Erases the startup configuration.


    Note

    For the ASAv, this command restores the deployment configuration after a reload. To erase the configuration completely, use the clear configure all command.


  • clear configure
    all

    Erases the running configuration.


    Note

    In multiple context mode, if you enter
    clear configure all from the system
    configuration, you also remove all contexts and stop them from running. The
    context configuration files are not erased, and remain in their original
    location.



    Note

    For the Firepower 1000 and Firepower 2100 in Appliance mode: This command clears the boot system command, if present, along
    with the rest of the configuration. This configuration change does not affect the image at bootup: the currently-loaded image
    continues to be used.

    For the Firepower 2100 in Platform mode: This model does not use the boot system command; packages are managed by FXOS.

    For all other models: This command clears the boot system command, if present, along with the rest of the configuration. The boot system command lets you boot from a specific image, including an image on the external flash memory card. The next time you
    reload the ASA, it boots from the first image in internal flash memory; if you do not have an image in internal flash memory,
    the ASA does not boot.



    Note

    This command does not clear the currently-set mode, Appliance or Platform, for the Firepower 2100.


Create Text Configuration Files Offline

This guide describes how to use the CLI to
configure the ASA; when you save commands, the changes are written to a text
file. Instead of using the CLI, however, you can edit a text file directly on
your computer and paste a configuration at the configuration mode command-line
prompt in its entirety, or line by line. Alternatively, you can download a text
file to the ASA internal flash memory. See
Software and Configurations
for information on downloading the configuration file to the ASA.

In most cases, commands described in this guide
are preceded by a CLI prompt. The prompt in the following example is
“ciscoasa(config)#”:

 
ciscoasa(config)# context a 

In the text configuration file you are not
prompted to enter commands, so the prompt is omitted as follows:


context a

For additional information about formatting the
file, see
Using the Command-Line Interface.

Apply Configuration Changes to Connections

When you make security policy changes to the configuration, all new connections use the new security policy. Existing
connections continue to use the policy that was configured at the time of the connection establishment. show command output
for old connections reflects the old configuration, and in some cases will not include data about the old connections.

For example, if you remove a QoS
service-policy from an interface, then
re-add a modified version, then the show
service-policy
command only displays QoS counters associated with new connections
that match the new service policy; existing connections on the old policy no
longer show in the command output.

To ensure that all connections use the new
policy, you need to disconnect the current connections so that they can
reconnect using the new policy.

To disconnect connections, enter the following command:

  • clear conn [all] [protocol {tcp | udp}] [address src_ip [-src_ip] [netmask mask]] [port src_port [-src_port]]
    [address dest_ip [-dest_ip] [netmask mask]] [port dest_port [-dest_port]]

    This command terminates connections in any
    state. See the
    show conn
    command to view all current connections.

    With no arguments, this command clears all
    through-the-box connections. To also clear to-the-box connections (including
    your current management session), use the
    all keyword. To clear specific
    connections based on the source IP address, destination IP address, port,
    and/or protocol, you can specify the desired options.

Reload the ASA

To reload the ASA, complete the following procedure.

The reload command is not replicated
to data nodes for clustering or to the standby/secondary unit for failover.

In multiple context mode, you can only reload from the system
execution space.

Procedure



Getting
Started

This chapter describes how to get started with your Cisco ASA.

Access the Console
for the Command-Line Interface

For initial configuration, access the CLI directly
from the console port. Later, you can configure remote access using Telnet or
SSH according to
.
If your system is already in multiple context mode, then accessing the console
port places you in the system execution space.


Note

For ASAv console access, see the ASAv quick
start guide.


Access the Appliance Console

Follow these steps to access the appliance
console.

Procedure


Step 1

Connect a computer to
the console port using the provided console cable, and connect to the console
using a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop
bit, no flow control.

See the hardware guide for your ASA for more
information about the console cable.

Step 2

Press the
Enter key to see the
following prompt:


ciscoasa>

This
prompt indicates that you are in user EXEC mode. Only basic commands are
available from user EXEC mode.

Step 3

Access privileged EXEC mode.

enable

You are prompted to change the password the first time you enter the enable command:

Example:


ciscoasa> enable
Password:
The enable password is not set. Please set it now.
Enter Password: ******
Repeat Password: ******
ciscoasa#

All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged
EXEC mode.

To exit privileged mode, enter the disable, exit, or quit command.

Step 4

Access global configuration mode.

configure terminal

Example:


ciscoasa# configure terminal
ciscoasa(config)#

You can begin to configure the ASA from global configuration mode. To exit global configuration mode, enter the exit, quit, or end command.


Access the Firepower 2100 Platform Mode Console

The Firepower 2100 console port connects you to the FXOS CLI. From the FXOS CLI, you can then connect to the ASA console,
and back again. If you SSH to FXOS, you can also connect to the ASA CLI; a connection from SSH is not a console connection,
so you can have multiple ASA connections from an FXOS SSH connection. Similarly, if you SSH to the ASA, you can connect to
the FXOS CLI.

Procedure


Step 1

Connect your management computer to the console port. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you will
need a third party serial-to-USB cable to make the connection. Be sure to install any necessary USB serial drivers for your
operating system. Use the following serial settings:

  • 9600 baud

  • 8 data bits

  • No parity

  • 1 stop bit

You connect to the FXOS CLI. Enter the user credentials; by default, you can log in with the admin user and the default password, Admin123. Change this well-known default password during initial setup, before the management interface is reachable from the network.

Step 2

Connect to the ASA:

connect asa

Example:


firepower-2100# connect asa
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
ciscoasa>

Step 3

Access privileged EXEC mode.

enable

You are prompted to change the password the first time you enter the enable command.

Example:


ciscoasa> enable
Password:
The enable password is not set. Please set it now.
Enter Password: ******
Repeat Password: ******
ciscoasa#

All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged
EXEC mode.

To exit privileged mode, enter the disable, exit, or quit command.

Step 4

Access global configuration mode.

configure terminal

Example:


ciscoasa# configure terminal
ciscoasa(config)#

You can begin to configure the ASA from global configuration mode. To exit global configuration mode, enter the exit, quit, or end command.

Step 5

To return to the FXOS console, enter Ctrl+a, d.

Step 6

If you SSH to the ASA (after you configure SSH access in the ASA), connect to the FXOS CLI.

connect fxos

You are prompted to authenticate for FXOS; use the default username: admin and password: Admin123. To return to the ASA CLI, enter exit or type Ctrl-Shift-6, x.

Example:


ciscoasa# connect fxos
Connecting to fxos.
Connected to fxos. Escape character sequence is 'CTRL-^X'.

FXOS 2.2(2.32) kp2110

kp2110 login: admin
Password: Admin123
Last login: Sat Jan 23 16:20:16 UTC 2017 on pts/1
Successful login attempts for user 'admin' : 4
Cisco Firepower Extensible Operating System (FX-OS) Software

[…]

kp2110# 
kp2110# exit
Remote card closed command session. Press any key to continue.
Connection with fxos terminated.
Type help or '?' for a list of available commands.
ciscoasa#


Access the Firepower 1000 and 2100 Appliance Mode Console

The Firepower 1000 and 2100 Appliance mode console port connects you to the ASA CLI (unlike the Firepower 2100 Platform mode console, which connects
you to the FXOS CLI). From the ASA CLI, you can then connect to the FXOS CLI using Telnet for troubleshooting purposes.

Procedure


Step 1

Connect your management computer to the console port. The Firepower 1000 ships with a USB A-to-B
serial cable.
The Firepower 2100
ships with a DB-9 to RJ-45 serial cable, so you will need a third party
serial-to-USB cable to make the connection.
Be sure to install any
necessary USB serial drivers for your operating system (see the Firepower 1010 hardware guide or
Firepower 1100 hardware guide). Use the following
serial settings:

  • 9600 baud

  • 8 data bits

  • No parity

  • 1 stop bit

You connect to the ASA CLI. There are no user credentials required for
console access by default.

Step 2

Access privileged EXEC mode.

enable

You are prompted to change the password the first time you enter the enable command.

Example:


ciscoasa> enable
Password:
The enable password is not set. Please set it now.
Enter Password: ******
Repeat Password: ******
ciscoasa#

The enable password that you set on the ASA is also the FXOS admin user password if the ASA fails to boot up, and you enter FXOS failsafe mode.

All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged
EXEC mode.

To exit privileged EXEC mode, enter the disable, exit, or quit command.

Step 3

Access global configuration mode.

configure terminal

Example:


ciscoasa# configure terminal
ciscoasa(config)#

You can begin to configure the ASA from global configuration mode. To exit global configuration mode, enter the exit, quit, or end command.

Step 4

(Optional) Connect to the FXOS CLI.

connect fxos [admin]

  • admin —Provides admin-level access. Without this option, users have read-only access. Note that no configuration commands are available
    even in admin mode.

You are not prompted for user credentials. The current ASA username is passed through to FXOS, and no additional login is
required. To return to the ASA CLI, enter exit or type Ctrl-Shift-6, x.

Within FXOS, you can view user activity by entering scope security and then show audit-logs.

Example:


ciscoasa# connect fxos admin
Connecting to fxos.
Connected to fxos. Escape character sequence is 'CTRL-^X'.
firepower# 
firepower# exit
Connection with FXOS terminated.
Type help or '?' for a list of available commands.
ciscoasa#


Access the ASA
Console on the
Firepower 4100/9300 Chassis

For initial
configuration, access the command-line interface by connecting to the
Firepower 4100/9300 chassis
supervisor (either to the console port or remotely using Telnet or SSH) and
then connecting to the ASA security module.

Procedure


Step 1

Connect to the
Firepower 4100/9300 chassis
supervisor CLI (console or SSH), and then session to the ASA:

connect module slot {console | telnet}

The benefit of using a Telnet connection is that you can have multiple sessions to the module at the same time, and the connection
is faster.

The first time you access the module, you access the FXOS module CLI. You must then connect to the ASA application.

connect asa

Example:


Firepower# connect module 1 console
Firepower-module1> connect asa

asa>

Step 2

Access privileged EXEC mode, which is the highest privilege level.

enable

You are prompted to change the password the first time you enter the enable command.

Example:


asa> enable
Password:
The enable password is not set. Please set it now.
Enter Password: ******
Repeat Password: ******
asa#

All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged
EXEC mode.

To exit privileged mode, enter the disable, exit, or quit command.

Step 3

Enter global configuration mode.

configure terminal

Example:


asa# configure terminal
asa(config)# 

To exit global configuration mode, enter the exit, quit, or end command.

Step 4

Exit the application console to the FXOS module CLI by entering Ctrl-a, d.

You might want to use the FXOS module CLI for troubleshooting purposes.

Step 5

Return to the supervisor level of the FXOS CLI.

Exit the console:

  1. Enter ~

    You exit to the Telnet application.

  2. To exit the Telnet application, enter:

    telnet>quit

Exit the Telnet session:

  1. Enter Ctrl-], .


Access the Software Module Console

If you have a software module installed, such as
the ASA FirePOWER module on the ASA 5506-X, you can session to the module
console.


Note

You cannot access the
hardware module CLI over the ASA
backplane using the
session command.


Procedure


From the ASA CLI, session to the module:

session {sfr | cxsc | ips} console

Example:


ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

Cisco ASA SFR Boot Image 5.3.1
asasfr login: admin
Password: Admin123


Access the ASA 5506W-X Wireless Access Point Console

To access the wireless access point console,
perform the following steps.

Procedure


Step 1

From the ASA CLI, session to the access
point:

session wlan console

Example:


ciscoasa# session wlan console
opening console session with module wlan
connected to module wlan. Escape character sequence is 'CTRL-^X'

ap>

Step 2

See the
Cisco IOS Configuration Guide for Autonomous
Aironet Access Points for information about the access point CLI.


Configure ASDM
Access

This section describes how to access ASDM with a
default configuration and how to configure access if you do not have a default
configuration.

Use the Factory
Default Configuration for ASDM Access (Appliances, ASAv)

With a factory default configuration, ASDM connectivity is
pre-configured with default network settings.

Procedure


Connect to ASDM using the following interface and network
settings:

  • The management interface depends on your model:

    • Firepower 1010—Management 1/1 (192.168.45.1), or inside Ethernet 1/2 through 1/8 (192.168.1.1). Management hosts are limited
      to the 192.168.45.0/24 network, and inside hosts are limited to the 192.168.1.0/24 network.

    • Firepower 1100 and 2100 in Appliance Mode—Inside Ethernet 1/2 (192.168.1.1), or Management 1/1 (from DHCP). Inside hosts are limited to the
      192.168.1.0/24 network. Management hosts are allowed from any network.

    • Firepower 2100 in Platform Mode—Management 1/1 (192.168.45.1). Management hosts are limited to the 192.168.45.0/24 network.

    • Firepower 4100/9300—The Management type interface and IP address of your choice defined when you deployed. Management hosts are allowed from
      any network.

    • ASA 5506-X, ASA 5506W-X—Inside GigabitEthernet 1/2 through 1/8 (192.168.1.1), and wifi GigabitEthernet 1/9 (192.168.10.1). Inside hosts
      are limited to the 192.168.1.0/24 network, and wifi hosts are limited to 192.168.10.0/24.

    • ASA 5508-X, and ASA 5516-X—Inside GigabitEthernet 1/2 (192.168.1.1). Inside hosts are limited to the 192.168.1.0/24 network.

    • ASA 5525-X and
      higher—Management 0/0 (192.168.1.1). Management hosts are
      limited to the 192.168.1.0/24 network.

    • ASAv—Management 0/0 (set during deployment). Management hosts are limited to the management network.

    • ISA 3000—Management 1/1 (192.168.1.1). Management hosts are limited to the 192.168.1.0/24 network.

Note 

If you change to multiple context mode, you can access ASDM from
the admin context using the network settings above.


Customize ASDM
Access

Use this procedure if
one or more of the following conditions applies:

  • You do not have a factory default configuration

  • You want to change the management IP address

  • You want to change to transparent firewall mode

  • You want to change to multiple context mode

For routed, single mode, for quick and easy ASDM access, we
recommend applying the factory default configuration with the option to set
your own management IP address. Use the procedure in this section only if you
have special needs such as setting transparent or multiple context mode, or if
you have other configuration that you need to preserve.


Note

For the ASAv, you can configure transparent mode when you
deploy, so this procedure is primarily useful after you deploy if you need to
clear your configuration, for example.


Procedure


Step 1

Access the CLI at the console port.

Step 2

(Optional) Enable transparent firewall mode:

This command clears your configuration.

firewall transparent

Step 3

Configure the management interface:


interface interface_id
   nameif name
   security-level level
   no shutdown
   ip address ip_address mask

Example:


ciscoasa(config)# interface management 0/0
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0

The security-level is a number between 0 and 100, where 100 is the most secure and 0 is the least secure (the factory default configurations use 0 for the outside interface).

Step 4

(For directly-connected management hosts) Set the DHCP pool for
the management network:


dhcpd address ip_address-ip_address interface_name
dhcpd enable interface_name

Example:


ciscoasa(config)# dhcpd address 192.168.1.2-192.168.1.254 management
ciscoasa(config)# dhcpd enable management

Make sure you do not include the interface address in the range.

Step 5

(For remote management hosts) Configure a route to the
management hosts:

route management_ifc management_host_ip mask gateway_ip 1

Example:


ciscoasa(config)# route management 10.1.1.0 255.255.255.0 192.168.1.50 1

Step 6

Enable the HTTP server for ASDM:

http server enable

Step 7

Allow the management host(s) to access ASDM:

http ip_address mask interface_name

Example:


ciscoasa(config)# http 192.168.1.0 255.255.255.0 management

Step 8

Save the configuration:

write memory

Step 9

(Optional) Set the mode to multiple mode:

mode multiple

When prompted, confirm that you want to convert the existing
configuration to be the admin context. You are then prompted to reload the ASA.


Examples

The following configuration converts the firewall mode to
transparent mode, configures the Management 0/0 interface, and enables ASDM for
a management host:


firewall transparent
interface management 0/0
  ip address 192.168.1.1 255.255.255.0
  nameif management
  security-level 100
  no shutdown
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
http server enable
http 192.168.1.0 255.255.255.0 management
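The http statements above are the only thing standing between ASDM and every host that can reach the management interface, so it is worth checking them mechanically after a change. The following checker is an added example, not Cisco code and not part of this guide: it reads a saved show running-config, collects the nameif and security-level of each interface and every http statement, and flags statements that open ASDM more widely than the factory defaults do (an any-host mask, a statement bound to a security-level 0 interface such as outside, or a statement naming an interface that has no nameif). The sample configuration embedded below is constructed for the example, and the "wider than /24" threshold is an assumption you can tune to your own management network.

```python
"""Audit the ASDM (http) access statements in an ASA running configuration.

Added example, not Cisco code. It checks `http server enable` and each
`http ip mask interface` line against the least-privilege shape the factory
defaults use: management hosts confined to one subnet on a trusted interface.
"""
import ipaddress
import re

# Constructed sample: a factory-style inside/outside config plus two risky
# http lines added purely for illustration (not from the guide).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shutdown
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.0.0.0 dmz
"""

BROAD_PREFIX = 24  # assumption: anything wider than a /24 gets flagged

HTTP_RE = re.compile(r"http (\S+) (\S+) (\S+)")


def parse_config(text):
    """Return ({nameif: security_level}, http_enabled, [(network, nameif), ...])."""
    levels, entries, http_enabled = {}, [], False
    current = None  # nameif of the interface block being parsed
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None
        elif line.startswith("nameif "):
            current = line.split()[1]
            levels.setdefault(current, None)
        elif line.startswith("security-level ") and current:
            levels[current] = int(line.split()[1])
        elif line == "http server enable":
            http_enabled = True
        else:
            m = HTTP_RE.fullmatch(line)
            if m:
                try:
                    net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
                except ValueError:
                    continue  # some other http subcommand, not an access statement
                entries.append((net, m.group(3)))
    return levels, http_enabled, entries


def audit_asdm_access(text, broad_prefix=BROAD_PREFIX):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    levels, http_enabled, entries = parse_config(text)
    findings = []
    if not http_enabled:
        findings.append("http server enable is missing: ASDM/HTTPS access is off")
    for net, ifname in entries:
        if ifname not in levels:
            findings.append(f"http {net} on '{ifname}': no interface has this nameif")
            continue
        if net.prefixlen == 0:
            findings.append(f"http on '{ifname}' allows any host (0.0.0.0/0)")
        elif net.prefixlen < broad_prefix:
            findings.append(f"http on '{ifname}' allows {net}, wider than /{broad_prefix}")
        if levels[ifname] == 0:
            findings.append(
                f"http on '{ifname}' (security-level 0): management exposed on an untrusted interface"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_asdm_access(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config copied to a file; the inside statement passes, while the any-host statement on outside and the dangling dmz statement are reported. Adjust BROAD_PREFIX if your management network is legitimately larger than a /24.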

Start ASDM

You can start ASDM using two methods:

  • ASDM-IDM Launcher—The Launcher is an application downloaded from
    the ASA using a web browser that you can use to connect to any ASA IP address.
    You do not need to re-download the launcher if you want to connect to other
    ASAs.

  • Java Web Start—For each ASA that you manage, you need to connect
    with a web browser and then save or launch the Java Web Start application. You
    can optionally save the shortcut to your computer; however you need separate
    shortcuts for each ASA IP address.


Note

If you use web start, clear the Java cache or you might lose changes
to some pre-login policies such as Hostscan. This problem does not occur if you
use the launcher.


Within ASDM, you can choose a different ASA IP address to
manage; the difference between the Launcher and Java Web Start functionality
rests primarily in how you initially connect to the ASA and launch ASDM.

This section describes how to connect to ASDM initially, and
then launch ASDM using the Launcher or the Java Web Start.

ASDM stores files in
the local Users\<user_id>\.asdm directory, including cache, log, and
preferences, and also in the Temp directory, including AnyConnect profiles.

Procedure


Step 1

On the computer that you specified as the ASDM client, enter the
following URL:

https://asa_ip_address/admin

Note 

Be sure to specify https://, and not http:// or just the IP address (which
defaults to HTTP); the ASA does not automatically forward an HTTP
request to HTTPS.

The ASDM launch page appears with the following buttons:

  • Install ASDM Launcher and Run
    ASDM

  • Run ASDM

  • Run Startup Wizard

Step 2

To download the Launcher:

  1. Click
    Install ASDM Launcher and Run ASDM.

  2. Leave the username and password fields empty (for a new installation), and click OK. With no HTTPS authentication configured, you can gain access to ASDM with no username and the enable password, which is blank by default. When you enter the enable command at the CLI for the first time, you are prompted to change the password; this behavior is not enforced when you log
    into ASDM. We suggest that you change the enable password as soon as possible so that it does not remain blank; see Set the Hostname, Domain Name, and the Enable and Telnet Passwords.
    Note: If you enabled HTTPS authentication, enter your username and associated password. Even without authentication, if you enter
    a username and password at the login screen (instead of leaving the username blank), ASDM checks the local database for a
    match.

  3. Save the installer to your computer, and then start the
    installer. The ASDM-IDM Launcher opens automatically after installation is
    complete.

  4. Enter the management IP address, the same username and password
    (blank for a new installation), and then click
    OK.

Step 3

To use Java Web Start:

  1. Click
    Run ASDM
    or Run Startup Wizard.

  2. Save the shortcut to your computer when prompted. You can
    optionally open it instead of saving it.

  3. Start Java Web Start from the shortcut.

  4. Accept any certificates according to the dialog boxes that
    appear. The Cisco ASDM-IDM Launcher appears.

  5. Leave the username and password fields empty (for a new installation), and click OK. With no HTTPS authentication configured, you can gain access to ASDM with no username and the enable password, which is blank by default. When you enter the enable command at the CLI for the first time, you are prompted to change the password; this behavior is not enforced when you log
    into ASDM. We suggest that you change the enable password as soon as possible so that it does not remain blank; see Set the Hostname, Domain Name, and the Enable and Telnet Passwords.
    Note: If you enabled HTTPS authentication, enter your username and associated password. Even without authentication, if you enter
    a username and password at the login screen (instead of leaving the username blank), ASDM checks the local database for a
    match.


Factory Default
Configurations

The factory default configuration is the configuration applied by Cisco to new ASAs.

  • ASA 5506-X—The factory default configuration enables a functional inside/outside configuration. You can manage the ASA using
    ASDM from the inside interfaces, which are placed in a bridge group using Integrated Routing and Bridging.

  • ASA 5508-X and 5516-X—The factory default configuration enables a functional inside/outside configuration. You can manage
    the ASA using ASDM from the inside interface.

  • ASA 5525-X through ASA 5555-X—The factory default
    configuration configures an interface for management so that you can connect
    to it using ASDM, with which you can then complete your configuration.

  • Firepower 1010—The factory default configuration enables a functional inside/outside configuration. You can manage the ASA
    using ASDM from either the management interface or the inside switch ports.

  • Firepower 1100—The factory default configuration enables a functional inside/outside configuration. You can manage the ASA
    using ASDM from either the management interface or the inside interface.

  • Firepower 2100—Platform mode (the default):The factory default configuration enables a functional inside/outside configuration. You can manage the ASA using the Firepower
    Chassis Manager and ASDM from the management interface.

    Appliance mode—If you change to appliance mode, the factory default configuration enables a functional inside/outside configuration.
    You can manage the ASA using ASDM from either the management interface or the inside interface.

  • Firepower 4100/9300 chassis—When you deploy the standalone or cluster of ASAs, the factory default configuration configures an interface for management
    so that you can connect to it using ASDM, with which you can then complete your configuration.

  • ASAv—Depending on your hypervisor, as part of deployment, the deployment configuration (the initial virtual deployment settings)
    configures an interface for management so that you can connect to it using ASDM, with which you can then complete your configuration.
    You can also configure failover IP addresses. You can also apply a “factory default” configuration if desired.

  • ISA 3000—The factory default configuration is an almost-complete transparent firewall mode configuration with all inside and
    outside interfaces on the same network; you can connect to the management interface with ASDM to set the IP address of your
    network. Hardware bypass is enabled for two interface pairs, and all traffic is sent to the ASA FirePOWER module in Inline
    Tap Monitor-Only Mode. This mode sends a duplicate stream of traffic to the ASA Firepower module for monitoring purposes only.

For appliances, the factory default configuration is available only for routed firewall
mode and single context mode, except for the ISA 3000, where the factory default
configuration is only available in transparent mode. For the ASAv and the Firepower 4100/9300 chassis, you can choose transparent or routed mode at deployment.


Note

In addition to the image files and the (hidden) default configuration, the following folders and files are standard in flash
memory: log/, crypto_archive/, and coredumpinfo/coredump.cfg. The date on these files may not match the date of the image
files in flash memory. These files aid in potential troubleshooting; they do not indicate that a failure has occurred.


Restore the Factory
Default Configuration

This section describes how to restore the factory default configuration. For the ASAv, this procedure erases
the deployment configuration and applies the same factory default configuration as for
the ASA 5525-X.


Note

On the Firepower 4100/9300, restoring the factory default configuration simply erases the configuration; to restore the default configuration, you must
re-deploy the ASA from the supervisor.


Before you begin

This feature is available only in routed firewall mode, except for the
ISA 3000, where this command is only supported in transparent mode. In addition,
this feature is available only in single context mode; an ASA with a cleared
configuration does not have any defined contexts to configure automatically using
this feature.

Procedure


Step 1

Restore the
factory default configuration:

configure factory-default [ip_address [mask]]

Example:


ciscoasa(config)# configure factory-default 10.1.1.1 255.255.255.0

Note 

This command does not clear the currently-set mode, Appliance or Platform, for the Firepower 2100.

If you specify the ip_address , then you set the inside or management interface IP address, depending on your model, instead of using the default IP address.
See the following model guidelines for which interface is set by the ip_address option:

  • Firepower 1010—Sets the management interface IP address.

  • Firepower 1100—Sets the inside interface IP address.

  • Firepower 2100 in Appliance mode—Sets the inside interface IP address.

  • Firepower 2100 in Platform mode—Sets the management interface IP address.

  • Firepower 4100/9300—No effect.

  • ASAv—Sets the management interface IP address.

  • ASA 5506-X—Sets the inside interface IP address.

  • ASA 5508-X and 5516-X—Sets the inside interface IP address.

  • ASA 5525-X, 5545-X, 5555-X—Sets the management interface IP
    address.

  • ISA 3000—Sets the management interface IP address.

The http command uses the subnet you
specify. Similarly, the dhcpd address command range consists of all
available addresses higher than the IP address you specify. For example, if
you specify 10.5.6.78 with a subnet mask of 255.255.255.0, then the DHCP
address range will be 10.5.6.79-10.5.6.254.
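To see exactly which http and dhcpd address lines the command will generate before you run it, the following function reproduces the rule described above. This is an added example, not Cisco code: the http statement covers the subnet of the address you give, and the DHCP pool runs from the next address up to the last usable host address in that subnet, reduced from a per-platform pool limit. The 256-address limit is taken from the sample output on this page ("platform limit 256"); it differs by model, so treat it as an assumption and pass your platform's value.

```python
"""Predict the ASDM and DHCP lines that `configure factory-default IP MASK` writes.

Added example, not Cisco code. Assumption: the DHCP pool starts one address
above the interface address, stops at the last usable host address, and is
capped at `pool_limit` addresses (256 in the sample output on this page).
"""
import ipaddress

DEFAULT_POOL_LIMIT = 256  # assumption taken from the sample output above


def factory_default_lines(ip, mask, ifname="management", pool_limit=DEFAULT_POOL_LIMIT):
    """Return the generated http/dhcpd statements and the resulting pool size."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    net = iface.network
    if net.prefixlen >= 31:
        raise ValueError("the subnet must have room for at least one DHCP client")
    addr = iface.ip
    if addr in (net.network_address, net.broadcast_address):
        raise ValueError("interface address cannot be the network or broadcast address")
    first = addr + 1                      # pool starts just above the interface address
    last_usable = net.broadcast_address - 1
    if first > last_usable:
        raise ValueError("no addresses above the interface address in this subnet")
    available = int(last_usable) - int(first) + 1
    pool_size = min(available, pool_limit)
    last = first + pool_size - 1
    return {
        "http": f"http {net.network_address} {net.netmask} {ifname}",
        "dhcpd": f"dhcpd address {first}-{last} {ifname}",
        "pool_size": pool_size,
        "reduced_from_limit": available < pool_limit,
    }


if __name__ == "__main__":
    for line in factory_default_lines("10.86.203.151", "255.255.254.0").values():
        print(line)
```

For 10.86.203.151 with mask 255.255.254.0 the function reproduces the sample output that follows: http 10.86.202.0 255.255.254.0 management, a pool of 10.86.203.152-10.86.203.254, and a pool size reduced to 103. Note that the pool never extends past the last usable address even though the /23 subnet itself begins at 10.86.202.0, so pick the interface address with the pool you want in mind.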

For the Firepower 1000, and the Firepower 2100 in Appliance mode: This command clears the boot system command, if present, along with the rest of the configuration. This configuration change does not affect the image at bootup:
the currently-loaded image continues to be used.

For the Firepower 2100 in Platform mode: This model does not use the boot system command; packages are managed by FXOS.

For all other models: This command clears the boot system command, if present, along with the rest of the configuration. The boot system command lets you boot from a specific image. The next time you reload the ASA after restoring the factory configuration,
it boots from the first image in internal flash memory; if you do not have an image in internal flash memory, the ASA does
not boot.

Example:


docs-bxb-asa3(config)# configure factory-default 10.86.203.151 255.255.254.0
Based on the management IP address and mask, the DHCP address
pool size is reduced to 103 from the platform limit 256

WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.

Begin to apply factory-default configuration:
Clear all configuration
WARNING: The new maximum-session limit will take effect after the running-config is saved and the system boots next time. Command accepted
WARNING: Local user database is empty and there are still 'aaa' commands for 'LOCAL'.
Executing command: interface management0/0
Executing command: nameif management
INFO: Security level for "management" set to 0 by default.
Executing command: ip address 10.86.203.151 255.255.254.0
Executing command: security-level 100
Executing command: no shutdown
Executing command: exit
Executing command: http server enable
Executing command: http 10.86.202.0 255.255.254.0 management
Executing command: dhcpd address 10.86.203.152-10.86.203.254 management
Executing command: dhcpd enable management
Executing command: logging asdm informational
Factory-default configuration is completed
ciscoasa(config)#

Step 2

Save the default
configuration to flash memory:

write memory

This command saves the running configuration to the default
location for the startup configuration, even if you previously configured the
boot config command to set a different location; when the
configuration was cleared, this path was also cleared.


Restore the ASAv Deployment Configuration

This section describes how to restore the ASAv
deployment (Day 0) configuration.

Procedure


Step 1

For failover, power off the standby unit.

To prevent the standby unit from becoming
active, you must power it off. If you leave it on, when you erase the active
unit configuration, then the standby unit becomes active. When the former
active unit reloads and reconnects over the failover link, the old
configuration will sync from the new active unit, wiping out the deployment
configuration you wanted.

Step 2

Restore the deployment configuration after
you reload. For failover, enter this command on the active unit:

write erase

Note 

The ASAv boots the current running image,
so you are not reverted to the original boot image. To use the original boot
image, see the boot image command.

Do not save the configuration.

Step 3

Reload the ASAv and load the deployment
configuration:

reload

Step 4

For failover, power on the standby unit.

After the active unit reloads, power on the
standby unit. The deployment configuration will sync to the standby unit.


ASA 5506-X Series
Default Configuration

The default factory configuration for the ASA 5506-X series
configures the following:

  • Integrated Routing and Bridging functionality—GigabitEthernet 1/2 through 1/8 belong to bridge group 1; Bridge Virtual Interface
    (BVI) 1

  • inside —> outside traffic flow—GigabitEthernet 1/1
    (outside), BVI 1 (inside)

  • outside IP address from DHCP, inside IP address—192.168.1.1

  • (ASA 5506W-X) wifi <—> inside, wifi —> outside
    traffic flow—GigabitEthernet 1/9 (wifi)

  • (ASA 5506W-X) wifi IP address—192.168.10.1

  • DHCP for clients on inside and wifi. The access point itself and
    all its clients use the ASA as the DHCP server.

  • ASDM access—inside and wifi hosts allowed.

  • NAT—Interface PAT for all traffic from inside, wifi, and
    management to outside.

The configuration consists of the following commands:


interface Management1/1
  management-only
  no nameif
  no security-level
  no ip address
  no shutdown
interface GigabitEthernet1/1
  nameif outside
  security-level 0
  ip address dhcp setroute
  no shutdown
!
interface GigabitEthernet1/2
  nameif inside_1
  security-level 100
  bridge-group 1
  no shutdown
interface GigabitEthernet1/3
  nameif inside_2
  security-level 100
  no shutdown
  bridge-group 1
interface GigabitEthernet1/4
  nameif inside_3
  security-level 100
  no shutdown
  bridge-group 1
interface GigabitEthernet1/5
  nameif inside_4
  security-level 100
  no shutdown
  bridge-group 1
interface GigabitEthernet1/6
  nameif inside_5
  security-level 100
  no shutdown
  bridge-group 1
interface GigabitEthernet1/7
  nameif inside_6
  security-level 100
  no shutdown
  bridge-group 1
interface GigabitEthernet1/8
  nameif inside_7
  security-level 100
  no shutdown
  bridge-group 1
!
interface bvi 1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
!
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
 nat (inside_1,outside) dynamic interface
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
 nat (inside_2,outside) dynamic interface
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
 nat (inside_3,outside) dynamic interface
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
 nat (inside_4,outside) dynamic interface
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
 nat (inside_5,outside) dynamic interface
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
 nat (inside_6,outside) dynamic interface
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
 nat (inside_7,outside) dynamic interface
!
same-security-traffic permit inter-interface
!
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
!
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
logging asdm informational

For the ASA 5506W-X, the following commands are also included:


interface GigabitEthernet 1/9
  security-level 100
  nameif wifi
  ip address 192.168.10.1 255.255.255.0
  no shutdown
!
object network obj_any_wifi
 subnet 0.0.0.0 0.0.0.0
 nat (wifi,outside) dynamic interface
!
http 192.168.10.0 255.255.255.0 wifi
!
dhcpd address 192.168.10.2-192.168.10.254 wifi
dhcpd enable wifi

ASA 5508-X and 5516-X Default Configuration

The default factory configuration for the ASA 5508-X and 5516-X configures the following:

  • inside —> outside traffic flow—GigabitEthernet 1/1
    (outside), GigabitEthernet 1/2 (inside)

  • outside IP address from DHCP

  • inside IP address—192.168.1.1

  • DHCP server on inside.

  • Default route from outside DHCP

  • Management 1/1 interface is Up, but otherwise unconfigured. The
    ASA FirePOWER module can then use this interface to access the ASA inside network and use
    the inside interface as the gateway to the Internet.

  • ASDM access—inside hosts allowed.

  • NAT—Interface PAT for all traffic from inside and management to outside.

The configuration consists of the following commands:


interface Management1/1
  management-only
  no nameif
  no security-level
  no ip address
  no shutdown
interface GigabitEthernet1/1
  nameif outside
  security-level 0
  ip address dhcp setroute
  no shutdown
interface GigabitEthernet1/2
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  no shutdown
!
object network obj_any
  subnet 0.0.0.0 0.0.0.0
  nat (any,outside) dynamic interface
!
http server enable
http 192.168.1.0 255.255.255.0 inside
!
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
logging asdm informational

ASA 5525-X through ASA 5555-X Default Configuration

The default factory configuration for the ASA 5525-X through ASA 5555-X configures the following:

  • Management interface—Management 0/0 (management).

  • IP address—The management address is 192.168.1.1/24.

  • DHCP server—Enabled for management hosts so that a computer
    connecting to the management interface receives an address between 192.168.1.2
    and 192.168.1.254.

  • ASDM access—Management hosts allowed.

The configuration consists of the following commands:


interface management 0/0
  ip address 192.168.1.1 255.255.255.0
  nameif management
  security-level 100
  no shutdown
!
asdm logging informational
asdm history enable
!
http server enable
http 192.168.1.0 255.255.255.0 management
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management

Firepower 1010 Default Configuration

The default factory configuration for the Firepower 1010 configures the following:

  • Hardware switch—Ethernet 1/2 through 1/8 belong to VLAN 1

  • inside→outside traffic flow—Ethernet 1/1 (outside), VLAN1 (inside)

  • management—Management 1/1 (management), IP address 192.168.45.1

  • outside IP address from DHCP, inside IP address—192.168.1.1

  • DHCP server on inside interface, management interface

  • Default route from outside DHCP

  • ASDM access—Management and inside hosts allowed. Management hosts are limited to the 192.168.45.0/24 network, and inside hosts
    are limited to the 192.168.1.0/24 network.

  • NAT—Interface PAT for all traffic from inside to outside.

  • DNS servers—OpenDNS servers are pre-configured.

The configuration consists of the following commands:


interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
!
interface Management1/1
management-only
nameif management
no shutdown
security-level 100
ip address 192.168.45.1 255.255.255.0
!
interface Ethernet1/1
nameif outside
ip address dhcp setroute
no shutdown
!
interface Ethernet1/2
no shutdown
switchport
switchport mode access
switchport access vlan 1
!
interface Ethernet1/3
no shutdown
switchport
switchport mode access
switchport access vlan 1
!
interface Ethernet1/4
no shutdown
switchport
switchport mode access
switchport access vlan 1
!
interface Ethernet1/5
no shutdown
switchport
switchport mode access
switchport access vlan 1
!
interface Ethernet1/6
no shutdown
switchport
switchport mode access
switchport access vlan 1
!
interface Ethernet1/7
no shutdown
switchport
switchport mode access
switchport access vlan 1
!
interface Ethernet1/8
no shutdown
switchport
switchport mode access
switchport access vlan 1
!
object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (any,outside) dynamic interface
!
dhcpd auto_config outside
dhcpd address 192.168.1.20-192.168.1.254 inside
dhcpd address 192.168.45.10-192.168.45.12 management
dhcpd enable inside
dhcpd enable management
!
http server enable
http 192.168.45.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
!
dns domain-lookup outside
dns server-group DefaultDNS
   name-server 208.67.222.222 outside
   name-server 208.67.220.220 outside
!

Firepower 1100 Default Configuration

The default factory configuration for the Firepower 1100 configures the following:

  • inside→outside traffic flow—Ethernet 1/1 (outside), Ethernet 1/2 (inside)

  • outside IP address from DHCP, inside IP address—192.168.1.1

  • management—Management 1/1 (management), IP address from DHCP

  • DHCP server on inside interface

  • Default routes from outside DHCP, management DHCP

  • ASDM access—Management and inside hosts allowed. Inside hosts are limited to the 192.168.1.0/24 network.

  • NAT—Interface PAT for all traffic from inside to outside.

  • DNS servers—OpenDNS servers are pre-configured.

The configuration consists of the following commands:


interface Management1/1
  management-only
  nameif management
  security-level 100
  ip address dhcp setroute
  no shutdown
!
interface Ethernet1/1
  nameif outside
  security-level 0
  ip address dhcp setroute
  no shutdown
!
interface Ethernet1/2
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  no shutdown
!
object network obj_any
  subnet 0.0.0.0 0.0.0.0
  nat (any,outside) dynamic interface
!
http server enable
http 0.0.0.0 0.0.0.0 management
http 192.168.1.0 255.255.255.0 inside
!
dhcpd auto_config outside
dhcpd address 192.168.1.20-192.168.1.254 inside
dhcpd enable inside
!
dns domain-lookup outside
dns server-group DefaultDNS
   name-server 208.67.222.222 outside
   name-server 208.67.220.220 outside
!

Firepower 2100 Platform Mode Default Configuration

You can set the Firepower 2100 to run in Platform mode; Appliance mode is the default.


Note

For pre-9.13(1) versions, Platform mode was the default and only option. If you upgrade from Platform mode, this mode is maintained.


ASA Configuration

The default factory configuration for the ASA on the Firepower 2100 configures the following:

  • inside→outside traffic flow—Ethernet 1/1 (outside), Ethernet 1/2 (inside)

  • outside IP address from DHCP, inside IP address—192.168.1.1

  • DHCP server on inside interface

  • Default route from outside DHCP

  • management—Management 1/1 (management), IP address 192.168.45.1

  • ASDM access—Management hosts allowed.

  • NAT—Interface PAT for all traffic from inside to outside.

  • FXOS management traffic initiation—The FXOS chassis can initiate management traffic on the ASA outside interface.

  • DNS servers—OpenDNS servers are pre-configured.

The configuration consists of the following commands:


interface Management1/1
  management-only
  nameif management
  security-level 100
  ip address 192.168.45.1 255.255.255.0
  no shutdown
!
interface Ethernet1/1
  nameif outside
  security-level 0
  ip address dhcp setroute
  no shutdown
!
interface Ethernet1/2
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  no shutdown
!
object network obj_any
  subnet 0.0.0.0 0.0.0.0
  nat (any,outside) dynamic interface
!
http server enable
http 192.168.45.0 255.255.255.0 management
!
dhcpd auto_config outside
dhcpd address 192.168.1.20-192.168.1.254 inside
dhcpd enable inside
!
ip-client outside
!
dns domain-lookup outside
dns server-group DefaultDNS
   name-server 208.67.222.222 outside
   name-server 208.67.220.220 outside

FXOS Configuration

The default factory configuration for FXOS on the Firepower 2100 configures the following:

  • Management 1/1—IP address 192.168.45.45

  • Default gateway—ASA data interfaces

  • Firepower Chassis Manager and SSH access—From the management network only.

  • Default username admin, with the default password Admin123; change it before the chassis is reachable from a shared management network.

  • DHCP server—Client IP address range 192.168.45.10-192.168.45.12

  • NTP server—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org

  • DNS Servers—OpenDNS: 208.67.222.222, 208.67.220.220

  • Ethernet 1/1 and Ethernet 1/2—Enabled

Firepower 2100 Appliance Mode Default Configuration

The Firepower 2100 runs in Appliance mode by default.


Note

For pre-9.13(1) versions, Platform mode was the default and only option. If you upgrade from Platform mode, Platform mode
is maintained.


The default factory configuration for the Firepower 2100 in Appliance mode configures the following:

  • inside→outside traffic flow—Ethernet 1/1 (outside), Ethernet 1/2 (inside)

  • outside IP address from DHCP, inside IP address—192.168.1.1

  • management IP address from DHCP—Management 1/1 (management)

  • DHCP server on inside interface

  • Default routes from outside DHCP, management DHCP

  • ASDM access—Management and inside hosts allowed. Inside hosts are limited to the 192.168.1.0/24 network.

  • NAT—Interface PAT for all traffic from inside to outside.

  • DNS servers—OpenDNS servers are pre-configured.

The configuration consists of the following commands:


interface Management1/1
  management-only
  nameif management
  security-level 100
  ip address dhcp setroute
  no shutdown
!
interface Ethernet1/1
  nameif outside
  security-level 0
  ip address dhcp setroute
  no shutdown
!
interface Ethernet1/2
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  no shutdown
!
object network obj_any
  subnet 0.0.0.0 0.0.0.0
  nat (any,outside) dynamic interface
!
http server enable
http 0.0.0.0 0.0.0.0 management
http 192.168.1.0 255.255.255.0 inside
!
dhcpd auto_config outside
dhcpd address 192.168.1.20-192.168.1.254 inside
dhcpd enable inside
!
dns domain-lookup outside
dns server-group DefaultDNS
   name-server 208.67.222.222 outside
   name-server 208.67.220.220 outside
!

Firepower 4100/9300 Chassis Default Configuration

When you deploy the
ASA on the
Firepower 4100/9300 chassis,
you can pre-set many parameters that let you connect to the Management
interface using ASDM. A typical configuration includes the following settings:

  • Management
    interface:

    • Management
      type interface of your choice defined on the
      Firepower 4100/9300 Chassis
      supervisor

    • Named
      “management”

    • IP address
      of your choice

    • Security
      level 0

    • Management-only

  • Default route through the management interface

  • ASDM access—All hosts allowed.

The configuration for a standalone unit consists of the following commands. For additional configuration for clustered units,
see Create an ASA Cluster.


interface <management_ifc>
  management-only
  ip address <ip_address> <mask>
  ipv6 address <ipv6_address>
  ipv6 enable
  nameif management
  security-level 0
  no shutdown
!
http server enable
http 0.0.0.0 0.0.0.0 management
http ::/0 management
!
route management 0.0.0.0 0.0.0.0 <gateway_ip> 1
ipv6 route management ::/0 <gateway_ipv6>

ISA 3000 Default
Configuration

The default factory configuration for the ISA 3000 configures
the following:

  • Transparent firewall mode—A transparent firewall is a Layer 2 firewall that acts like
    a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop
    to connected devices.

  • 1 Bridge Virtual Interface—All member interfaces are in the same network (the
    BVI IP address is not pre-configured; you must set it to match your network):
    GigabitEthernet 1/1 (outside1), GigabitEthernet 1/2 (inside1), GigabitEthernet
    1/3 (outside2), GigabitEthernet 1/4 (inside2)

  • All inside and outside interfaces can communicate with each
    other.

  • Management 1/1 interface—192.168.1.1/24 for ASDM access.

  • DHCP for clients on management.

  • ASDM access—Management hosts allowed.

  • Hardware bypass is enabled for the following interface pairs: GigabitEthernet 1/1
    & 1/2; GigabitEthernet 1/3 & 1/4


    Note

    When the ISA
    3000 loses power and goes into hardware bypass mode, only the above interface
    pairs can communicate; inside1 and inside2, and outside1 and outside2 can no
    longer communicate. Any existing connections between these interfaces will be
    lost. When the power comes back on, there is a brief connection interruption as
    the ASA takes over the flows.


  • ASA FirePOWER module—All traffic is sent to the module in Inline Tap Monitor-Only
    Mode. This mode sends a duplicate stream of traffic to the ASA Firepower module
    for monitoring purposes only.

  • Precision Time Protocol—PTP traffic is not sent to the FirePOWER module.

The configuration consists of the following commands:


firewall transparent

interface GigabitEthernet1/1
  bridge-group 1
  nameif outside1
  security-level 0
  no shutdown
interface GigabitEthernet1/2
  bridge-group 1
  nameif inside1
  security-level 100
  no shutdown
interface GigabitEthernet1/3
  bridge-group 1
  nameif outside2
  security-level 0
  no shutdown
interface GigabitEthernet1/4
  bridge-group 1
  nameif inside2
  security-level 100
  no shutdown
interface Management1/1
  management-only
  no shutdown
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
interface BVI1
  no ip address

access-list allowAll extended permit ip any any
access-group allowAll in interface outside1
access-group allowAll in interface outside2

same-security-traffic permit inter-interface

hardware-bypass GigabitEthernet 1/1-1/2
hardware-bypass GigabitEthernet 1/3-1/4

http server enable
http 192.168.1.0 255.255.255.0 management

dhcpd address 192.168.1.5-192.168.1.254 management
dhcpd enable management

access-list sfrAccessList extended permit ip any any
class-map sfrclass
  match access-list sfrAccessList
policy-map global_policy
  class sfrclass
    sfr fail-open monitor-only
service-policy global_policy global
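The factory defaults listed above are written for reachability, not for least privilege: ASDM is opened to every host on the management network (http 0.0.0.0 0.0.0.0 management on the Firepower 1100 and 2100, and additionally http ::/0 on the 4100/9300), the ISA 3000 passes ip any any through the bridge group, the nat (any,outside) rule PATs traffic from every interface including management, the management interface on several models takes its default route from whatever DHCP server answers, and name resolution goes to OpenDNS until you change it. The script below, added here by the editor as an example and not Cisco code, reads an ASA configuration as text and flags exactly those settings. The rule set, the finding codes and the sample configuration are the editor's own; the sample is modelled on the Firepower 2100 Appliance mode defaults with the ISA 3000 style allowAll ACL bound to outside so that every rule fires. One ASA behaviour it relies on: when nameif is given without a security-level, the level defaults to 0, except that an interface named inside defaults to 100.

```python
"""Audit an ASA configuration for the permissive settings the factory defaults on
this page ship with. Added example by the editor (not Cisco code); the rules,
finding codes and sample configuration are the editor's own."""
from __future__ import annotations
import re
from dataclasses import dataclass

OPENDNS = {"208.67.222.222", "208.67.220.220"}     # the pre-configured DefaultDNS servers
ANY_SOURCE = {"0.0.0.0 0.0.0.0", "0 0", "::/0", "any", "any4", "any6"}


@dataclass
class Interface:
    nameif: str | None = None
    security_level: int | None = None
    management_only: bool = False
    dhcp_setroute: bool = False


def parse_interfaces(config: str) -> dict[str, Interface]:
    """Named interfaces keyed by nameif. Only the four sub-commands the audit needs are
    read, so it does not matter whether the listing indents sub-commands or not."""
    ifaces, cur = [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            cur = Interface()
            ifaces.append(cur)
        elif cur is None:
            continue
        elif line.startswith("nameif "):
            cur.nameif = line.split()[1]
        elif line.startswith("security-level "):
            cur.security_level = int(line.split()[1])
        elif line == "management-only":
            cur.management_only = True
        elif line.startswith("ip address ") and "dhcp" in line and "setroute" in line:
            cur.dhcp_setroute = True
    for i in ifaces:              # ASA default when no level is set: 0, or 100 for "inside"
        if i.security_level is None:
            i.security_level = 100 if i.nameif == "inside" else 0
    return {i.nameif: i for i in ifaces if i.nameif}


def audit(config: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings in configuration order."""
    ifaces = parse_interfaces(config)
    lines = [raw.strip() for raw in config.splitlines()]
    permit_any = {m.group(1) for l in lines
                  if (m := re.match(r"access-list (\S+) extended permit ip any\d? any\d?$", l))}
    out = []
    for line in lines:
        p = line.split()
        if len(p) >= 3 and p[0] == "http" and p[1] != "server":
            # IPv4 form: http <addr> <mask> <ifc>; IPv6 form: http <prefix> <ifc>
            src, ifc = (" ".join(p[1:3]), p[3]) if len(p) == 4 else (p[1], p[2])
            if src in ANY_SOURCE:
                out.append(("HTTP_ANY", f"ASDM/HTTPS reachable from any host on {ifc}"))
            if ifc in ifaces and ifaces[ifc].security_level == 0 and not ifaces[ifc].management_only:
                out.append(("HTTP_ON_UNTRUSTED", f"ASDM/HTTPS listening on data interface {ifc}"))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            if m.group(1) in permit_any:
                out.append(("ACL_PERMIT_ANY", f"{m.group(1)} permits ip any any inbound on {m.group(2)}"))
        elif m := re.match(r"nat \(any,(\S+)\) dynamic interface", line):
            out.append(("NAT_FROM_ANY", f"interface PAT to {m.group(1)} from every interface, management included"))
        elif m := re.match(r"name-server (\S+)", line):
            if m.group(1) in OPENDNS:
                out.append(("DNS_THIRD_PARTY", f"{m.group(1)} is the pre-configured OpenDNS resolver"))
    for i in ifaces.values():
        if i.management_only and i.dhcp_setroute:
            out.append(("MGMT_DHCP_DEFAULT_ROUTE", f"{i.nameif} learns its default route from DHCP; "
                        "a rogue DHCP server on that segment can redirect management traffic"))
    return out


# Constructed sample (editor's own) modelled on the Firepower 2100 Appliance mode
# defaults above, with an ISA 3000 style "allowAll" ACL bound to outside.
SAMPLE = """\
interface Management1/1
  management-only
  nameif management
  security-level 100
  ip address dhcp setroute
interface Ethernet1/1
  nameif outside
  security-level 0
  ip address dhcp setroute
interface Ethernet1/2
  nameif inside
  ip address 192.168.1.1 255.255.255.0
object network obj_any
  subnet 0.0.0.0 0.0.0.0
  nat (any,outside) dynamic interface
access-list allowAll extended permit ip any any
access-group allowAll in interface outside
http server enable
http 0.0.0.0 0.0.0.0 management
http 192.168.1.0 255.255.255.0 inside
dns server-group DefaultDNS
  name-server 208.67.222.222 outside
  name-server 208.67.220.220 outside
"""

if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(f"{code:24} {detail}")
```

Feed audit() the text of show running-config from a freshly deployed unit and the six findings above are what you get; after the usual first-day changes (a static management address, an http line limited to the admin subnet, nat (inside,outside) instead of nat (any,outside), internal resolvers) the same function returns an empty list, which makes it a cheap gate in a provisioning pipeline.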

ASAv Deployment
Configuration

When you deploy the ASAv, you can pre-set many parameters that
let you connect to the Management 0/0 interface using ASDM. A typical
configuration includes the following settings:

  • Routed or Transparent firewall mode

  • Management 0/0 interface:

    • Named “management”

    • IP address or DHCP

    • Security level 0

  • Static route for the management host IP address (if it is not on
    the management subnet)

  • HTTP server enabled or disabled

  • HTTP access for the management host IP address

  • (Optional) Failover link IP addresses for GigabitEthernet 0/8,
    and the Management 0/0 standby IP address

  • DNS server

  • Smart licensing ID token

  • Smart licensing Throughput Level and Standard Feature Tier

  • (Optional) Smart Call Home HTTP Proxy URL and port

  • (Optional) SSH management settings:

    • Client IP addresses

    • Local username and password

    • Authentication required for SSH using the LOCAL database

  • (Optional) REST API enabled or disabled


Note

To successfully register the ASAv with the Cisco Licensing
Authority, the ASAv requires Internet access. You might need to perform
additional configuration after deployment to achieve Internet access and
successful license registration.


See the following sample configuration for a standalone unit:


interface Management0/0
  nameif management
  security-level 0
  ip address ip_address
  no shutdown
http server enable
http management_host_IP mask management
route management management_host_IP mask gateway_ip 1
dns server-group DefaultDNS
  name-server ip_address
call-home
  http-proxy ip_address port port
license smart
  feature tier standard
  throughput level {100M | 1G | 2G}
  license smart register idtoken id_token
aaa authentication ssh console LOCAL
username username password password
ssh source_IP_address mask management
rest-api image boot:/path
rest-api agent

See the following sample configuration for a primary unit in a
failover pair:


interface Management0/0
  nameif management
  security-level 0
  ip address ip_address standby standby_ip
  no shutdown
route management management_host_IP mask gateway_ip 1
http server enable
http management_host_IP mask management
dns server-group DefaultDNS
  name-server ip_address
call-home
  http-proxy ip_address port port
license smart
  feature tier standard
  throughput level {100M | 1G | 2G}
  license smart register idtoken id_token
aaa authentication ssh console LOCAL
username username password password
ssh source_IP_address mask management
rest-api image boot:/path
rest-api agent
failover
failover lan unit primary
failover lan interface fover gigabitethernet0/8
failover link fover gigabitethernet0/8
failover interface ip fover primary_ip mask standby standby_ip

Set the Firepower 2100 to Appliance or Platform Mode

The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). You can run
the Firepower 2100 in the following modes:

  • Appliance mode (the default)—Appliance mode lets you configure all settings in the ASA. Only advanced troubleshooting commands
    are available from the FXOS CLI.

  • Platform mode—When in Platform mode, you must configure basic operating parameters and hardware interface settings in FXOS.
    These settings include enabling interfaces, establishing EtherChannels, NTP, image management, and more. You can use the Firepower
    Chassis Manager web interface or FXOS CLI. You can then configure your security policy in the ASA operating system using ASDM
    or the ASA CLI.

This procedure tells you how to change the mode. When you change the mode, the configuration is cleared and you need to reload
the system. The default configuration is applied upon reload. Note that the clear configure all and configure factory-default commands do not clear the current mode.

Before you begin

You can only change the mode at the CLI.

Procedure


Step 1

(Optional) Back up your current configuration. See Back Up and Restore Configurations or Other Files.

Although there are slight differences between an Appliance mode configuration and a Platform mode configuration, a copy of
the old configuration can be a good starting point. For example, for Platform mode, the NTP, DNS, and EtherChannel configuration
is not part of the ASA configuration, so it will not be included in your backup, but most other ASA settings are valid for
both modes.

Step 2

View the current mode.

show fxos mode

Example:


ciscoasa(config)# show fxos mode
Mode is currently set to appliance

Step 3

Set the mode to Platform mode.

no fxos mode appliance

write memory

reload

After you set the mode, you need to save the configuration and reload the device. Prior to reloading, you can set the mode
back to the original value without any disruption.

Example:


ciscoasa(config)# no fxos mode appliance
Mode set to platform mode
WARNING: This command will take effect after the running-config is saved and the system has been rebooted. Command accepted.
ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: c0532471 648dc7c2 4f2b4175 1f162684

23736 bytes copied in 1.520 secs (23736 bytes/sec)
[OK]
ciscoasa(config)# reload
Proceed with reload? [confirm]  

Step 4

Set the mode to Appliance mode.

fxos mode appliance

write memory

reload

After you set the mode, you need to save the configuration and reload the device. Prior to reloading, you can set the mode
back to the original value without any disruption.

Example:


ciscoasa(config)# fxos mode appliance
Mode set to appliance mode
WARNING: This command will take effect after the running-config is saved and the system has been rebooted. Command accepted.
ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: c0532471 648dc7c2 4f2b4175 1f162684

23736 bytes copied in 1.520 secs (23736 bytes/sec)
[OK]
ciscoasa(config)# reload
Proceed with reload? [confirm]  


Work with the
Configuration

This section describes how to work with the
configuration. The ASA loads the configuration from a text file, called the
startup configuration. This file resides by default as a hidden file in
internal flash memory. You can, however, specify a different path for the
startup configuration.

When you enter a command, the change is made only
to the running configuration in memory. You must manually save the running
configuration to the startup configuration for your changes to remain after a
reboot.

The information in this section applies to both
single and multiple security contexts, except where noted.

Save Configuration
Changes

This section describes how to save your
configuration.

Save Configuration Changes in Single Context Mode

To save the running configuration to the startup
configuration, perform the following procedure.

Procedure

Save the running configuration to the
startup configuration:

write memory

Note 

The copy
running-config startup-config
command is equivalent to the
write memory command.


Save Configuration
Changes in Multiple Context Mode

You can save each context (and system)
configuration separately, or you can save all context configurations at the
same time.

Save Each Context and System Separately

Use the following procedure to save the system
or context configuration.

Procedure

From within the context or the system, save
the running configuration to the startup configuration:

write memory

For multiple context mode, context startup
configurations can reside on external servers. In this case, the ASA saves the
configuration back to the server you identified in the context URL, except for
an HTTP or HTTPS URL, which do not let you save the configuration to the
server.

Note 

The copy
running-config startup-config
command is equivalent to the
write memory command.


Save All Context Configurations at the Same Time

Use the following procedure to save all context
configurations at the same time, as well as the system configuration.

Procedure

From the system execution space, save the
running configuration to the startup configuration for all contexts and the
system configuration:

write memory
all [/noconfirm]

If you do not enter the
/noconfirm keyword, you see the
following prompt:


Are you sure [Y/N]:

After you enter
Y, the ASA saves the system
configuration and each context. Context startup configurations can reside on
external servers. In this case, the ASA saves the configuration back to the
server you identified in the context URL, except for an HTTP or HTTPS URL,
which do not let you save the configuration to the server.

After the ASA saves each context, the
following message appears:


Saving context 'b' ... ( 1/3 contexts saved )

Sometimes, a context is not saved because of
an error. See the following information for errors:

  • For contexts that are not saved because
    of low memory, the following message appears:

    The context 'context a' could not be saved due to Unavailability of resources

  • For contexts that are not saved because
    the remote destination is unreachable, the following message appears:

    The context 'context a' could not be saved due to non-reachability of destination

  • For contexts that are not saved because
    the context is locked, the following message appears:

    Unable to save the configuration for the following contexts as these contexts are locked.
    context 'a' , context 'x' , context 'z' .

    A context is only locked if another user
    is already saving the configuration or in the process of deleting the context.

  • For contexts that are not saved because
    the startup configuration is read-only (for example, on an HTTP server), the
    following message report is printed at the end of all other messages:

    Unable to save the configuration for the following contexts as these contexts have read-only config-urls:
    context 'a' , context 'b' , context 'c' .

  • For contexts that are not saved because
    of bad sectors in the flash memory, the following message appears:

    The context 'context a' could not be saved due to Unknown errors
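A backup job that runs write memory all over SSH and only checks for the final [OK] will miss every one of the failures listed above, because a locked, unreachable or read-only context is reported per context and the command still completes. The parser below, added here by the editor as an example and not Cisco code, turns the console output into a per-context status so a job can fail loudly when a context did not persist. The sample output is constructed from the message formats listed above; the regular expressions accept both the straight and the curly quotes the page shows, and the code assumes that N in "( n/N contexts saved )" is the total number of contexts, which it uses to notice contexts that produced no message at all.

```python
"""Verify the console output of "write memory all" in multiple context mode and
report which contexts were not saved. Added example by the editor (not Cisco code);
the sample output is constructed from the message formats listed above."""
import re

Q = "['‘’]"                                   # the page shows both straight and curly quotes
SAVED = re.compile(rf"Saving context {Q}(\w+){Q} \.\.\. \( (\d+)/(\d+) contexts saved \)")
FAILED = re.compile(rf"The context {Q}context (\w+){Q} could not be saved due to (.+)")
GROUP = re.compile(r"Unable to save the configuration for the following contexts as these contexts (.+?)[.:]$")
NAMES = re.compile(rf"context {Q}(\w+){Q}")


def parse_write_memory_all(output: str) -> tuple[dict[str, str], int]:
    """Return ({context: "saved" or the failure reason}, total contexts the ASA reported).
    Assumption: N in "( n/N contexts saved )" is the number of contexts."""
    status: dict[str, str] = {}
    total, pending = 0, None      # pending: reason from a two-line "Unable to save ..." message
    for line in (raw.strip() for raw in output.splitlines()):
        if m := SAVED.match(line):
            status[m.group(1)], total, pending = "saved", int(m.group(3)), None
        elif m := FAILED.match(line):
            status[m.group(1)], pending = m.group(2).strip(), None
        elif m := GROUP.match(line):
            pending = m.group(1)            # the context names follow on the next line
        elif pending and (names := NAMES.findall(line)):
            status.update((n, pending) for n in names)
            pending = None
    return status, total


def unsaved(output: str) -> dict[str, str]:
    """Contexts that did not persist, with the reason. Contexts the ASA counted but
    never reported are returned under "<unreported>" so a backup job fails on them too."""
    status, total = parse_write_memory_all(output)
    failures = {ctx: why for ctx, why in status.items() if why != "saved"}
    if total and len(status) < total:
        failures["<unreported>"] = f"{total - len(status)} of {total} contexts produced no message"
    return failures


# Constructed sample (editor's own), assembled from the message formats on this page.
SAMPLE = """\
Building configuration...
Saving context 'admin' ... ( 1/6 contexts saved )
Saving context 'b' ... ( 2/6 contexts saved )
The context 'context a' could not be saved due to non-reachability of destination
Unable to save the configuration for the following contexts as these contexts are locked.
context 'x' , context 'z' .
Unable to save the configuration for the following contexts as these contexts have read-only config-urls:
context 'c' .
[OK]
"""

if __name__ == "__main__":
    for ctx, why in unsaved(SAMPLE).items():
        print(f"{ctx}: {why}")
```

Run it against the captured session text; an empty result from unsaved() is the only outcome a backup job should accept, and a non-empty one names the context and the reason so the operator can unlock, fix the config-url or free flash space before the next reload.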
    
    

Copy the Startup Configuration to the Running Configuration

Use one of the following commands to copy a new
startup configuration to the running configuration:

  • copy startup-config
    running-config

    Merges the startup configuration with the
    running configuration. A merge adds any new commands from the new configuration
    to the running configuration. If the configurations are the same, no changes
    occur. If commands conflict or if commands affect the running of the context,
    then the effect of the merge depends on the command. You might get errors, or
    you might have unexpected results.

  • reload

    Reloads the ASA, which loads the startup
    configuration and discards the running configuration.

  • clear configure all

    and then copy startup-config
    running-config

    Loads the startup configuration and discards
    the running configuration without requiring a reload.

View the Configuration

The following commands let you view the running
and startup configurations:

  • show
    running-config

    Views the running configuration.

  • show running-config
    command

    Views the running configuration of a specific
    command.

  • show
    startup-config

    Views the startup configuration.

Clear and Remove Configuration Settings

To erase settings, enter one of the following
commands:

  • clear configure configuration_command [level2_configuration_command]

    Clears all the configuration for a specified
    command. If you only want to clear the configuration for a specific version of
    the command, you can enter a value for
    level2_configuration_command.

    For example, to clear the configuration for
    all
    aaa commands, enter the following
    command:

     
    ciscoasa(config)# clear configure aaa 
    
    

    To clear the configuration for only
    aaa authentication commands, enter the
    following command:

     
    ciscoasa(config)# clear configure aaa authentication 
    
    
  • no configuration_command [level2_configuration_command] qualifier

    Disables the specific parameters or options
    of a command. In this case, you use the
    no command to
    remove the specific configuration identified by
    qualifier.

    For example, to remove a specific
    access-list command, enter enough of
    the command to identify it uniquely; you may have to enter the entire command:

     
    ciscoasa(config)# no access-list abc extended permit icmp any any object-group obj_icmp_1
    
  • write erase

    Erases the startup configuration.


    Note

    For the ASAv, this command restores the
    deployment configuration after a reload. To erase the configuration completely,
    use the
    clear configure all command.


  • clear configure
    all

    Erases the running configuration.


    Note

    In multiple context mode, if you enter
    clear configure all from the system
    configuration, you also remove all contexts and stop them from running. The
    context configuration files are not erased, and remain in their original
    location.



    Note

    For the Firepower 1000, and the Firepower 2100 in Appliance mode: This command clears the boot system command, if present, along with the rest of the configuration. This configuration change does not affect the image at bootup:
    the currently-loaded image continues to be used.

    For the Firepower 2100 in Platform mode: This model does not use the boot system command; packages are managed by FXOS.

    For all other models: This command clears the boot system command, if present, along with the rest of the configuration. The boot system command lets you boot from a specific image, including an image on the external flash memory card. The next time you
    reload the ASA, it boots from the first image in internal flash memory; if you do not have an image in internal flash memory,
    the ASA does not boot.



    Note

    This command does not clear the currently-set mode, Appliance or Platform, for the Firepower 2100.


Create Text Configuration Files Offline

This guide describes how to use the CLI to
configure the ASA; when you save commands, the changes are written to a text
file. Instead of using the CLI, however, you can edit a text file directly on
your computer and paste a configuration at the configuration mode command-line
prompt in its entirety, or line by line. Alternatively, you can download a text
file to the ASA internal flash memory. See
Software and Configurations
for information on downloading the configuration file to the ASA.

In most cases, commands described in this guide
are preceded by a CLI prompt. The prompt in the following example is
“ciscoasa(config)#”:

 
ciscoasa(config)# context a 

In the text configuration file you are not
prompted to enter commands, so the prompt is omitted as follows:


context a

For additional information about formatting the
file, see
Using the Command-Line Interface.

Apply Configuration Changes to Connections

When you make security policy changes to the
configuration, all
new connections use the new security
policy. Existing connections continue to use the policy that was configured at
the time of the connection establishment.
show command output for old connections
reflects the old configuration, and in some cases does not include data about
the old connections.

For example, if you remove a QoS
service-policy from an interface, then
re-add a modified version, then the show
service-policy
command only displays QoS counters associated with new connections
that match the new service policy; existing connections on the old policy no
longer show in the command output.

To ensure that all connections use the new
policy, you need to disconnect the current connections so that they can
reconnect using the new policy.

To disconnect connections, enter one of the following commands:

  • clear local-host [ip_address] [all]

    This command reinitializes per-client run-time states such as connection limits and embryonic limits. As a result, this command
    removes any connection that uses those limits. See the show local-host all command to view all current connections per host.

    With no arguments, this command clears all affected through-the-box connections. To also clear to-the-box connections (including
    your current management session), use the all keyword. To clear connections to and from a particular IP address, use the ip_address argument.

  • clear conn
    [all] [protocol {tcp |
    udp}] [address
    src_ip [-src_ip] [netmask
    mask]] [port
    src_port [-src_port]] [address
    dest_ip [-dest_ip] [netmask
    mask]] [port
    dest_port [-dest_port]]

    This command terminates connections in any
    state. See the
    show conn
    command to view all current connections.

    With no arguments, this command clears all
    through-the-box connections. To also clear to-the-box connections (including
    your current management session), use the
    all keyword. To clear specific
    connections based on the source IP address, destination IP address, port,
    and/or protocol, you can specify the desired options.

Reload the ASA

To reload the ASA, complete the following
procedure.

Procedure


Reload the ASA:

reload

Note 

In multiple context mode, you can only
reload from the system execution space.



Cisco ASA Series Firewall CLI

Configuration Guide

Software Version 9.4

For the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X,

ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X,

ASA 5585-X, ASA Services Module, and the

Adaptive Security Virtual Appliance

First Published: March 23, 2015

Last Updated: April 7, 2015

Cisco Systems, Inc.

www.cisco.com

Cisco has more than 200 offices worldwide.

Addresses, phone numbers, and fax numbers

are listed on the Cisco website at

www.cisco.com/go/offices.

Text Part Number: N/A, Online only


Let us look at an example of connecting an office to the Internet through a Cisco ASA firewall. The example uses the smallest model, the Cisco ASA 5505. It differs from the larger models in that it has a built-in 8-port switch. Each port is an OSI Layer 2 port and cannot carry an IP address. To get Layer 3 interfaces you create virtual VLAN interfaces, assign IP addresses to them, and then bind them to the physical ports.

The example uses:

— an Internet link with a static IP address
— several computers on the office LAN
— a Cisco ASA 5505 firewall
— a switch (used to build the office LAN; it needs no additional configuration)

Task: give the LAN computers access to the Internet.

Cisco ASA. Basics. Internet access.

Step 0. Clearing the configuration

(Do this only on new or test equipment, because it deletes the entire existing configuration.)

If a device with factory settings asks for a password when you enter privileged mode (#) with enable, just press Enter:
ciscoasa> enable
Password: /press Enter/
ciscoasa#

Next, wipe the configuration. Connect the console cable to the device's console port, enter configuration mode and run the following command:
ciscoasa# configure terminal
ciscoasa(config)# clear configure all
Then confirm the deletion of the entire current configuration.

Unlike Cisco routers, no reload is needed to reset the configuration. After clear configure all only the factory housekeeping lines remain on the firewall and you can begin the main configuration. Note that clear configure all wipes the running configuration only: the saved startup configuration stays in flash until you overwrite it with write memory or erase it with write erase (see Clear and Remove Configuration Settings above), so a device that is reloaded before either is done comes back with its old configuration.


Step 1. Device name

Setting the device name, for convenience in later administration, is done with the command hostname "device name" in global configuration mode:
ciscoasa(config)# hostname FW-DELTACONFIG
FW-DELTACONFIG(config)#

Step 2. Configuring the interfaces

Two interfaces need to be configured: external and internal.

The external interface, outside, will provide the connection to the Internet. It carries the IP address and network mask allocated by the Internet provider.
FW-DELTACONFIG(config)#
interface Vlan1
nameif outside
security-level 0
ip address 200.150.100.2 255.255.255.252
no shut

The internal interface, inside, will be configured for the local network.
FW-DELTACONFIG(config)#
interface Vlan2
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
no shut

After that, the virtual VLAN interfaces must be bound to the physical Ethernet interfaces.
Binding the external interface outside to interface Ethernet0/0
FW-DELTACONFIG(config)#
interface Ethernet0/0
switchport access vlan 1
description --- WAN ---
no shut

Important!
Note that the line with the command "switchport access vlan 1" will not appear in the device configuration (viewed with the "sh run" command), because VLAN 1 is bound to every interface by default.

Binding the internal interface inside to interface Ethernet0/1
FW-DELTACONFIG(config)#
interface Ethernet0/1
switchport access vlan 2
description --- LAN ---
no shut

Step 3. Configuring remote access to the device

For remote administrator access to the device over SSH, do the following:
Create a password for privileged mode (#). Enter your password in place of XXXXX.
FW-DELTACONFIG(config)#
enable password XXXXX

Create an administrator account. Enter the password for the user admin in place of YYYYY.
FW-DELTACONFIG(config)#
username admin password YYYYY privilege 15

Next, the authentication method is specified and the RSA keys are generated
FW-DELTACONFIG(config)#
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024
/confirm the replacement with the y key/

Specify the IP address of the administrator's workstation from which remote management over SSH is allowed, and the interface on which the requests will be accepted (inside). If necessary, you can specify several addresses or even whole management networks.
FW-DELTACONFIG(config)#
ssh 192.168.10.100 255.255.255.255 inside

After that, SSH access to the firewall will be available from the computer with address 192.168.10.100.
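To make the effect of the ssh line concrete, here is an added Python example (my own code, not the article's or Cisco's). It parses the management-access lines from Step 3, answers whether a given source address arriving on a given interface may open an SSH session, and lists the findings a reviewer would raise, such as an ssh line that admits any source on the outside interface. STEP3_CONFIG is the article's own lines; OPEN_CONFIG is a constructed counter-example of an assumed misconfiguration, not something the article configures.

```python
import ipaddress
import re

# Constructed sample: the management-access lines from Step 3 of the article.
STEP3_CONFIG = """\
enable password XXXXX
username admin password YYYYY privilege 15
aaa authentication ssh console LOCAL
ssh 192.168.10.100 255.255.255.255 inside
"""

# Constructed counter-example (assumed misconfiguration, not from the article): the same
# lines plus an ssh line that admits any source address on the outside interface.
OPEN_CONFIG = STEP3_CONFIG + "ssh 0.0.0.0 0.0.0.0 outside\n"

SSH_LINE = re.compile(r"^ssh\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)$")

def parse_ssh_sources(config):
    """Return [(network, interface), ...] for every 'ssh A.B.C.D MASK interface' line."""
    sources = []
    for raw in config.splitlines():
        m = SSH_LINE.match(raw.strip())
        if m:
            # ipaddress accepts a dotted netmask after the slash
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            sources.append((net, m.group(3)))
    return sources

def ssh_allowed(config, src_ip, interface):
    """May src_ip, arriving on this interface, open an SSH session to the ASA?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net and iface == interface for net, iface in parse_ssh_sources(config))

def audit_management_access(config, trusted_interfaces=("inside",)):
    """Findings a reviewer would raise about the SSH management-access lines."""
    findings = []
    sources = parse_ssh_sources(config)
    if not sources:
        findings.append("no 'ssh' lines: SSH management is not reachable from anywhere")
    for net, iface in sources:
        if net.prefixlen == 0:
            findings.append(f"ssh {net} {iface}: any source address may reach SSH on {iface}")
        elif iface not in trusted_interfaces and net.prefixlen < 32:
            findings.append(f"ssh {net} {iface}: a whole range, not a single host, on an untrusted interface")
    if "aaa authentication ssh console LOCAL" not in config:
        findings.append("no 'aaa authentication ssh console LOCAL': SSH logins are not checked against the local user database")
    return findings
```

With the article's lines, only 192.168.10.100 on inside passes ssh_allowed and the audit returns nothing; the constructed OPEN_CONFIG admits any Internet host and produces one finding.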

Step 4. Configuring the default gateway

To route packets to the Internet, the device needs a default gateway (the provider's address closest to the device) and the interface through which it is reachable (outside)
FW-DELTACONFIG(config)#
route outside 0.0.0.0 0.0.0.0 200.150.100.1

After that you can check not only reachability of the provider's equipment, but also the Internet link itself. To do so, run ping from the device to any address on the external network. For the example we take the address of the market leader in ICMP request service, www.yandex.ru (93.158.134.3)
FW-DELTACONFIG#ping 93.158.134.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 93.158.134.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/8/15 ms

Important!
Note that at this point, ping to external addresses works only from the Cisco ASA management console. Workstations and devices on the LAN still have no Internet access.

Step 5. Configuring address translation (NAT)

NAT configuration differs between device firmware versions. The firmware version can be found in the output of the "sh ver" command
FW-DELTACONFIG#sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)11

Important!

The principles of using and configuring NAT, not only for Cisco ASA but also for routers, are described in the article How to use NAT. Read it if you are not sure which type you need.

Step 5.1 NAT for access from the LAN outward (PAT)

For access from the LAN to the Internet, the private (grey) addresses of the office network must be translated to a public (white) address.

For version 8.2.X and older

FW-DELTACONFIG(config)#
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0

For version 8.3.X and newer

FW-DELTACONFIG(config)#
object network OBJ_NAT_LAN
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) dynamic interface

Result:

After these commands are executed, the addresses of devices on the internal network will be dynamically translated to the address of the outside interface.

Important!
Traffic can also be translated to a specific IP address (if the provider allocated you a network larger than a /30), but in that case it must not be the address of the outside interface itself.

  • Either the translation is to the address of the outside interface, as in the example
  • Or it is to another address belonging to the outside interface's network but different from it

Otherwise NAT will not work correctly, if it works at all.

Step 5.2 Access from the Internet to an address in the LAN (static NAT)

For access from the Internet into the LAN, for example to the organization's web server, static address translation (static NAT) must be configured.

For version 8.2.X and older

FW-DELTACONFIG(config)#
static (inside,outside) interface 192.168.10.200 netmask 255.255.255.255

Important!
Pay attention to the order of the interfaces and the addresses. Inside the parentheses the order is internal, external; after them it is the external address, then the internal one. The reverse!

For version 8.3.X and newer

FW-DELTACONFIG(config)#
object network OBJ_NAT_SERVER
host 192.168.10.200
nat (inside,outside) static interface

Result:

In this case, any requests to the firewall's external interface will be forwarded to the internal address 192.168.10.200

OR

For version 8.2.X and older

FW-DELTACONFIG(config)#
static (inside,outside) tcp interface www 192.168.10.200 www netmask 255.255.255.255

For version 8.3.X and newer

FW-DELTACONFIG(config)#
object network OBJ_NAT_SERVER
host 192.168.10.200
nat (inside,outside) static interface service tcp www www

Result:

In this case, only requests to the firewall's external interface on port TCP 80 (the HTTP protocol) will be forwarded to the internal address 192.168.10.200.

Important!
Instead of the word interface you can specify a particular address different from the address of the outside interface itself; in our example, however, this is impossible, because under the scenario's conditions the provider supplies a network of 4 addresses, 200.150.100.0/30, of which only two are usable and both are already taken: 200.150.100.1 is used by the provider, and 200.150.100.2 is configured on the external interface. So there are no free addresses left in this network.
If a larger network had been provided, for example with the same prefix 200.150.100.0 but with a /29 subnet mask, then 6 of the 8 addresses, 200.150.100.1 – 200.150.100.6, would be usable. Two of the six usable addresses would be taken as in the example above, and 4 more would remain available. In that case you can translate the LAN server's address to a free address from the 200.150.100.0/29 network, for example 200.150.100.3.

For version 8.2.X and older

FW-DELTACONFIG(config)#
static (inside,outside) tcp 200.150.100.3 www 192.168.10.200 www netmask 255.255.255.255

For version 8.3.X and newer

FW-DELTACONFIG(config)#
object network OBJ_NAT_SERVER
host 192.168.10.200
nat (inside,outside) static 200.150.100.3 service tcp www www
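The address arithmetic in the note above, as an added Python example (my code, not the article's): given the provider's subnet, it lists which public addresses are still free for a mapped NAT address once the provider gateway and the ASA's outside interface are excluded, checks a candidate mapped address against the rules stated in this step (not the interface's own IP, not the gateway, inside the provider subnet, not the network or broadcast address), and only then renders the port-forward line in the 8.2 or 8.3+ syntax shown above. The gateway and interface addresses default to the article's 200.150.100.1 and 200.150.100.2; the /29 case is the article's hypothetical larger allocation.

```python
import ipaddress

# Addresses from the article: the provider's gateway and the ASA's outside interface.
PROVIDER_GATEWAY = "200.150.100.1"
OUTSIDE_INTERFACE_IP = "200.150.100.2"

def free_mapped_addresses(provider_subnet, gateway=PROVIDER_GATEWAY, outside_ip=OUTSIDE_INTERFACE_IP):
    """Usable host addresses in the provider subnet not already taken by the gateway or the ASA itself."""
    net = ipaddress.ip_network(provider_subnet)
    taken = {ipaddress.ip_address(gateway), ipaddress.ip_address(outside_ip)}
    return [str(h) for h in net.hosts() if h not in taken]

def check_mapped_address(mapped, provider_subnet, gateway=PROVIDER_GATEWAY, outside_ip=OUTSIDE_INTERFACE_IP):
    """Apply the article's rules to a candidate mapped address; return (ok, reason)."""
    net = ipaddress.ip_network(provider_subnet)
    addr = ipaddress.ip_address(mapped)
    if addr == ipaddress.ip_address(outside_ip):
        return False, "this is the outside interface's own address: use the keyword 'interface' instead"
    if addr == ipaddress.ip_address(gateway):
        return False, "this is the provider's gateway address"
    if addr not in net:
        return False, "outside the provider subnet, so the provider will not route it to this link"
    if addr in (net.network_address, net.broadcast_address):
        return False, "network or broadcast address of the subnet, not a host address"
    return True, "usable as a mapped address"

def plan_port_forward(mapped, provider_subnet, real_ip, port_name="www", version="8.3"):
    """Validate the mapped address, then render the TCP port-forward in the article's 8.2 or 8.3+ form."""
    ok, reason = check_mapped_address(mapped, provider_subnet)
    if not ok:
        raise ValueError(f"{mapped}: {reason}")
    if version.startswith("8.2"):
        return [f"static (inside,outside) tcp {mapped} {port_name} {real_ip} {port_name} netmask 255.255.255.255"]
    # 8.3+ object NAT; OBJ_NAT_SERVER is the object name used in the article
    return ["object network OBJ_NAT_SERVER",
            f" host {real_ip}",
            f" nat (inside,outside) static {mapped} service tcp {port_name} {port_name}"]
```

For the article's /30 the free list is empty and any candidate is rejected; for the hypothetical /29 the free addresses are .3 through .6, and 200.150.100.3 passes. The subnet-membership check matters because the ASA answers ARP on the outside network for mapped addresses; an address the provider does not route to this link would never reach the firewall.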

Important!
Note that translation rules do not by themselves open access to any resource. For that, you must also create access lists and bind them to the appropriate interfaces.

Important!
A more detailed description of the settings for static NAT, also known as "port forwarding", is given in the article Cisco ASA. "Port forwarding" or static NAT.

Step 6. Configuring access rules (access list)

So as not to clutter the material with theory about access lists and their use, I will give an example of settings that will be sufficient for most small offices. If you need to open additional access to some resources, add lines by analogy with the existing ones.

Important!
Although all access rules could be written using only numeric IP addresses, for convenience in later administration, named object groups are created first and all rule lines are written using them. This is convenient and practical.
Let us start with the access list permitting access from the internal network to the Internet. The conditions are as follows:

— Every user or device must have Internet access for browsing websites.
— The workstations of the administrator and the company director must have unrestricted Internet access.
— The workstation of a designated employee must have access to a private resource on the network on port TCP 9443

Let us create the object groups:

NET_LAN – all users and devices of the local network.
USER_CEO – address of the director's workstation
USER_ADMIN – address of the administrator's workstation
USER_PRIVELEDGED – address of the workstation of the employee who needs some extended access
HOST_X — address of the external resource to which access must be opened.
USERS_FULL_ACCESS – group that will be permitted full Internet access
SERVICE_HTTP_HTTPS – port group for web access
HOST_DNS – address of the external DNS server
SERVICE_DNS – port group for access to DNS services
FW-DELTACONFIG(config)#
object-group network NET_LAN
network-object 192.168.10.0 255.255.255.0
object-group network USER_CEO
network-object host 192.168.10.10
object-group network USER_ADMIN
network-object host 192.168.10.100
object-group network USERS_FULL_ACCESS
group-object USER_CEO
group-object USER_ADMIN

object-group network USER_PRIVELEDGED
network-object host 192.168.10.50
network-object host 192.168.10.51

object-group network HOST_X
network-object host 1.1.1.1
object-group network HOST_DNS
network-object host 8.8.8.8

object-group service SERVICE_HTTP_HTTPS
service-object tcp eq http
service-object tcp eq https

object-group service SERVICE_DNS
service-object tcp eq 53
service-object udp eq 53

We create the access list ACL_INSIDE_IN, in which all the rules are described:

Full Internet access for addresses in the USERS_FULL_ACCESS group
FW-DELTACONFIG(config)#
access-list ACL_INSIDE_IN extended permit ip object-group USERS_FULL_ACCESS any

Access for addresses in the USER_PRIVELEDGED group to the resource with the address in the HOST_X group on port TCP 9443
FW-DELTACONFIG(config)#
access-list ACL_INSIDE_IN extended permit tcp object-group USER_PRIVELEDGED object-group HOST_X eq 9443

Internet access on ports TCP 80 (http) and TCP 443 (https) for all devices on the local network
FW-DELTACONFIG(config)#
access-list ACL_INSIDE_IN extended permit object-group SERVICE_HTTP_HTTPS object-group NET_LAN any

Permit all devices on the local network to reach the Google DNS server.
FW-DELTACONFIG(config)#
access-list ACL_INSIDE_IN extended permit object-group SERVICE_DNS object-group NET_LAN object-group HOST_DNS

Permit the ICMP protocol so that ping can be run from any device on the local network.
FW-DELTACONFIG(config)#
access-list ACL_INSIDE_IN extended permit icmp object-group NET_LAN any

Explicit denial of all other connections. Thanks to the word log at the end of the line, every access attempt not permitted by this access list will be recorded in the device log.
FW-DELTACONFIG(config)#
access-list ACL_INSIDE_IN extended deny ip any any log

The order of the lines is very important! The topmost line is processed first, then the next one, and so on until the condition (rule) in a line matches or the end of the access list is reached. If you put the deny rule not at the very bottom but in the middle of the list, the lines after it will never be processed and the access they were meant to permit will be blocked.
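The first-match rule described above, as an added Python example (my code, not the article's and not an ASA feature). It parses the object groups and the ACL_INSIDE_IN lines from this step (with the group-object references pointing at the groups actually defined, USER_CEO and USER_ADMIN), evaluates a packet given as protocol, source, destination and destination port against the list in order, and reports which lines can never match because a catch-all "ip any any" line precedes them. Only the syntax used on this page is handled (any, host, object-group, network/mask, eq port); a real ASA accepts far more, and the PORT_NAMES table covers only the names that appear here.

```python
import ipaddress

# Constructed input: the object groups and ACL_INSIDE_IN lines from Step 6 of the article
# (group-object references point at the groups actually defined, USER_CEO / USER_ADMIN).
CONFIG = """\
object-group network NET_LAN
 network-object 192.168.10.0 255.255.255.0
object-group network USER_CEO
 network-object host 192.168.10.10
object-group network USER_ADMIN
 network-object host 192.168.10.100
object-group network USERS_FULL_ACCESS
 group-object USER_CEO
 group-object USER_ADMIN
object-group network USER_PRIVELEDGED
 network-object host 192.168.10.50
 network-object host 192.168.10.51
object-group network HOST_X
 network-object host 1.1.1.1
object-group network HOST_DNS
 network-object host 8.8.8.8
object-group service SERVICE_HTTP_HTTPS
 service-object tcp eq http
 service-object tcp eq https
object-group service SERVICE_DNS
 service-object tcp eq 53
 service-object udp eq 53
access-list ACL_INSIDE_IN extended permit ip object-group USERS_FULL_ACCESS any
access-list ACL_INSIDE_IN extended permit tcp object-group USER_PRIVELEDGED object-group HOST_X eq 9443
access-list ACL_INSIDE_IN extended permit object-group SERVICE_HTTP_HTTPS object-group NET_LAN any
access-list ACL_INSIDE_IN extended permit object-group SERVICE_DNS object-group NET_LAN object-group HOST_DNS
access-list ACL_INSIDE_IN extended permit icmp object-group NET_LAN any
access-list ACL_INSIDE_IN extended deny ip any any log
"""

PORT_NAMES = {"http": 80, "www": 80, "https": 443, "domain": 53}  # only the names this page uses

def parse(config):
    """Return (network_groups, service_groups, acls) for the subset of ASA syntax used above."""
    net_groups, svc_groups, acls, current = {}, {}, {}, None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "object-group":
            current = t[2]
            (net_groups if t[1] == "network" else svc_groups)[current] = []
        elif t[0] == "network-object":
            spec = t[2] if t[1] == "host" else f"{t[1]}/{t[2]}"
            net_groups[current].append(ipaddress.ip_network(spec, strict=False))
        elif t[0] == "group-object":
            net_groups[current].append(("group", t[1]))          # nested group, resolved on lookup
        elif t[0] == "service-object":
            svc_groups[current].append((t[1], PORT_NAMES.get(t[3]) or int(t[3])))  # "proto eq port"
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(t[3:])              # tokens after "extended"
    return net_groups, svc_groups, acls

def in_group(groups, name, addr):
    return any(in_group(groups, e[1], addr) if isinstance(e, tuple) else addr in e
               for e in groups[name])

def take_addr(tokens, i, net_groups):
    """Consume one source/destination spec; return (predicate over an address, next index)."""
    if tokens[i] == "any":
        return (lambda a: True), i + 1
    if tokens[i] == "object-group":
        name = tokens[i + 1]
        return (lambda a: in_group(net_groups, name, a)), i + 2
    spec = tokens[i + 1] if tokens[i] == "host" else f"{tokens[i]}/{tokens[i + 1]}"
    net = ipaddress.ip_network(spec, strict=False)
    return (lambda a: a in net), i + 2

def rule_matches(rule, net_groups, svc_groups, proto, src, dst, dport):
    i = 1
    if rule[i] == "object-group":          # a service group supplies protocol and port together
        proto_ok = any(p == proto and d == dport for p, d in svc_groups[rule[i + 1]])
        i += 2
    else:
        proto_ok = rule[i] in ("ip", proto)
        i += 1
    src_ok, i = take_addr(rule, i, net_groups)
    dst_ok, i = take_addr(rule, i, net_groups)
    if i < len(rule) and rule[i] == "eq":
        proto_ok = proto_ok and dport == (PORT_NAMES.get(rule[i + 1]) or int(rule[i + 1]))
    return proto_ok and src_ok(src) and dst_ok(dst)

def evaluate(acl, net_groups, svc_groups, proto, src, dst, dport=None):
    """ASA first-match semantics: (action, 1-based line) of the first matching line, else the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, rule in enumerate(acl, 1):
        if rule_matches(rule, net_groups, svc_groups, proto, src, dst, dport):
            return rule[0], n
    return "deny", None

def shadowed_lines(acl):
    """1-based numbers of lines that can never match because an 'ip any any' line precedes them."""
    for n, rule in enumerate(acl, 1):
        if rule[1:4] == ["ip", "any", "any"]:
            return list(range(n + 1, len(acl) + 1))
    return []
```

Running the article's list, a LAN host reaching a web site on TCP 443 is permitted by line 3, the same host on TCP 8080 falls through to the deny on line 6, and the director's workstation passes on line 1 regardless of port. Moving the deny to the top makes every packet hit it first and shadowed_lines reports lines 2 to 6 as dead. Note that on ASA 8.3 and later, access lists are matched against real (untranslated) addresses, so an outside-interface rule for the forwarded web server names the inside address rather than the interface.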

After all the required traffic-filtering rules have been described, the ACL_INSIDE_IN access list must be bound to the internal interface inside. Until it is bound, it has no effect on traffic passing through the firewall. The following command does the binding:
FW-DELTACONFIG(config)#
access-group ACL_INSIDE_IN in interface inside

Additionally, we permit ICMP reply packets to be accepted automatically
FW-DELTACONFIG(config)#
policy-map global_policy
class inspection_default
inspect icmp

For access from outside, the access list will be shorter, because in it we only need to permit access to the office web server. This rule complements the address translation rules, specifically the line that translates the internal address of the web server to the address of the firewall's external interface.

We create the access list ACL_OUTSIDE_IN and bind it to the external interface outside, by analogy with what we did in the example above.
FW-DELTACONFIG(config)#
access-list ACL_OUTSIDE_IN extended permit tcp any interface outside eq 80
access-list ACL_OUTSIDE_IN extended deny ip any any log
access-group ACL_OUTSIDE_IN in interface outside

Do not forget the static NAT

For version 8.2.X and older

FW-DELTACONFIG(config)#
static (inside,outside) interface 192.168.10.200 netmask 255.255.255.255

For version 8.3.X and newer

FW-DELTACONFIG(config)#
object network OBJ_NAT_SERVER
host 192.168.10.200
nat (inside,outside) static interface

Now the configuration contains both the translation rules (static NAT) and the access list lines permitting the traffic. Therefore, when any host on the Internet connects to the address of the firewall's outside interface (200.150.100.2) on port TCP 80 (http), the request will be permitted and turned into a request to the internal address of the company's web server (192.168.10.200).

All the functions and settings described above are present in the configuration of practically every Cisco ASA firewall. I hope this simple example helps you. Do not hesitate to write to me if you have any questions.

Important!

Do not forget to save the configuration with the write or copy run start command. Otherwise all changes will be lost after a reload.
FW-DELTACONFIG#write
Building configuration...
[OK]

An English-language video about basic Cisco ASA configuration. It differs slightly in details from what is described in the article, but all the key configuration steps are done exactly as in this guide.


Cisco ASA 5505 Getting Started Manual


Cisco ASA 5505 Getting Started Guide
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7817612=
Text Part Number: 78-17612-01


  • Page 62
    A translation rule between the inside and outside interfaces to be used when • inside clients communicate with the Internet. ASDM is able to create both rules because the addresses to be used for translation are both in the same IP pool. Cisco ASA 5505 Getting Started Guide 6-14 78-17612-01…
  • Page 63: Configuring Nat For Inside Clients To Communicate With Devices On The Internet

    In the previous procedure, you configured a Network Address Translation (NAT) rule that associates IP addresses from the IP pool with the inside clients so they can communicate securely with the DMZ web server. Cisco ASA 5505 Getting Started Guide 6-15 78-17612-01…

  • Page 64: Configuring An External Identity For The Dmz Web Server

    From the Interface drop-down list, choose the DMZ interface. Enter the real IP address of the DMZ web server. In this scenario, the IP address is 10.30.30.30. From the Netmask drop-down list, choose the Netmask 255.255.255.255. Cisco ASA 5505 Getting Started Guide 6-16 78-17612-01…

  • Page 65
    Click OK to add the rule and return to the list of Address Translation Rules. Step 6 This rule maps the real web server IP address (10.30.30.30) statically to the public IP address of the web server (209.165.200.226). Cisco ASA 5505 Getting Started Guide 6-17 78-17612-01…
  • Page 66: Providing Public Http Access To The Dmz Web Server

    You must create an access control rule on the adaptive security appliance to permit specific traffic types from the public network to resources in the DMZ. This access control rule specifies the interface of the adaptive security Cisco ASA 5505 Getting Started Guide 6-18 78-17612-01…

  • Page 67
    Click the Configuration tool. In the Features pane, click Security Policy. Click the Access Rules tab, then from the Add pull-down list, choose Add Access Rule. The Add Access Rule dialog box appears. Cisco ASA 5505 Getting Started Guide 6-19 78-17612-01…
  • Page 68
    Step 3 From the Type drop-down list, choose IP Address. Enter the IP address of the source host or source network. Use 0.0.0.0 to allow traffic originating from any host or network. Cisco ASA 5505 Getting Started Guide 6-20 78-17612-01…
  • Page 69
    Service drop-down list, and then choose Any from the next drop-down list. In the Destination Port area, click the Service radio button, choose “=” (equal to) from the Service drop-down list, and then choose HTTP/WWW from the next drop-down list. Cisco ASA 5505 Getting Started Guide 6-21 78-17612-01…
  • Page 70
    At this point, the entries in the Add Access Rule dialog box should be similar to the following: Click OK. The displayed configuration should be similar to the following. Verify that the Step 6 information you entered is accurate. Cisco ASA 5505 Getting Started Guide 6-22 78-17612-01…
  • Page 71
    The address translation (209.165.200.226 to 10.30.30.30) allows the traffic to be permitted. For information about creating the translation rule, see the “Configuring NAT for Inside Clients to Communicate with the DMZ Web Server” section on page 6-12. Cisco ASA 5505 Getting Started Guide 6-23 78-17612-01…
  • Page 72: What To Do Next

    To Do This … See … Configure a remote-access VPN Chapter 7, “Scenario: IPsec Remote-Access VPN Configuration” Configure a site-to-site VPN Chapter 8, “Scenario: Site-to-Site VPN Configuration” Cisco ASA 5505 Getting Started Guide 6-24 78-17612-01…

  • Page 73: Scenario: Ipsec Remote-Access Vpn Configuration

    Example IPsec Remote-Access VPN Network Topology Figure 7-1 shows an adaptive security appliance configured to accept requests from and establish IPsec connections with VPN clients, such as a Cisco Easy VPN hardware client, over the Internet. Cisco ASA 5505 Getting Started Guide 78-17612-01…

  • Page 74: Implementing The Ipsec Remote-Access Vpn Scenario

    This section includes the following topics: Information to Have Available, page 7-3 • Starting ASDM, page 7-4 • Configuring the ASA 5505 for an IPsec Remote-Access VPN, page 7-5 • Selecting VPN Client Types, page 7-6 • Cisco ASA 5505 Getting Started Guide…

  • Page 75: Information To Have Available

    IP addresses for the primary and secondary WINS servers – Default domain name – List of IP addresses for local hosts, groups, and networks that should be – made accessible to authenticated remote clients Cisco ASA 5505 Getting Started Guide 78-17612-01…

  • Page 76: Starting Asdm

    Remember to add the “s” in “https” or the connection fails. HTTP over Note SSL (HTTP) provides a secure connection between your browser and the adaptive security appliance. The Main ASDM window appears. Cisco ASA 5505 Getting Started Guide 78-17612-01…

  • Page 77: Configuring The Asa 5505 For An Ipsec Remote-Access Vpn

    Chapter 7 Scenario: IPsec Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario Configuring the ASA 5505 for an IPsec Remote-Access VPN To begin the process for configuring a remote-access VPN, perform the following steps: In the main ASDM window, choose VPN Wizard from the Wizards drop-down Step 1 menu.

  • Page 78: Selecting Vpn Client Types

    Specify the type of VPN client that will enable remote users to connect to this Step 1 adaptive security appliance. For this scenario, click the Cisco VPN Client radio button. You can also use any other Cisco Easy VPN remote product.

  • Page 79: Specifying The Vpn Tunnel Group Name And Authentication Method

    To use a static preshared key for authentication, click the Pre-Shared Key • radio button and enter a preshared key (for example, “Cisco”). This key is used for IPsec negotiations between the adaptive security appliances. To use digital certificates for authentication, click the Certificate radio •…

  • Page 80: Specifying A User Authentication Method

    Chapter 7 Scenario: IPsec Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario Enter a Tunnel Group Name (such as “Cisco”) for the set of users that use Step 2 common connection parameters and client attributes to connect to this adaptive security appliance.

  • Page 81
    Click the Authenticate Using an AAA Server Group radio button. Choose a preconfigured server group from the drop-down list, or click New to add a new server group. Click Next to continue. Step 3 Cisco ASA 5505 Getting Started Guide 78-17612-01…
  • Page 82: (Optional) Configuring User Accounts

    In Step 5 of the VPN Wizard, perform the following steps: To add a new user, enter a username and password, and then click Add. Step 1 When you have finished adding new users, click Next to continue. Step 2 Cisco ASA 5505 Getting Started Guide 7-10 78-17612-01…

  • Page 83: Configuring Address Pools

    Enter the Starting IP address and Ending IP address of the range. (Optional) Enter the Netmask for the range of IP addresses. Click OK to return to Step 6 of the VPN Wizard. Cisco ASA 5505 Getting Started Guide 7-11 78-17612-01…

  • Page 84: Configuring Client Attributes

    Easy VPN hardware client when a connection is established. Make sure that you specify the correct values, or remote clients will not be able to use DNS names for resolution or use Windows networking. Cisco ASA 5505 Getting Started Guide 7-12 78-17612-01…

  • Page 85: Configuring The Ike Policy

    IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy; it is also an authentication method to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels. Cisco ASA 5505 Getting Started Guide 7-13 78-17612-01…

  • Page 86
    Click the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), Step 1 and the Diffie-Hellman group (1/2/5/7) used by the adaptive security appliance during an IKE security association. Click Next to continue. Step 2 Cisco ASA 5505 Getting Started Guide 7-14 78-17612-01…
  • Page 87: Configuring Ipsec Encryption And Authentication Parameters

    Configuring IPsec Encryption and Authentication Parameters In Step 9 of the VPN Wizard, perform the following steps: Click the Encryption algorithm (DES/3DES/AES) and authentication algorithm Step 1 (MD5/SHA). Step 2 Click Next to continue. Cisco ASA 5505 Getting Started Guide 7-15 78-17612-01…

  • Page 88: Specifying Address Translation Exception And Split Tunneling

    Specify hosts, groups, and networks that should be in the list of internal resources Step 1 made accessible to authenticated remote users. To add or remove hosts, groups, and networks dynamically from the Selected Hosts/Networks pane, click Add or Delete, respectively. Cisco ASA 5505 Getting Started Guide 7-16 78-17612-01…

  • Page 89: Verifying The Remote-Access Vpn Configuration

    Step 2 Verifying the Remote-Access VPN Configuration In Step 11 of the VPN Wizard, review the configuration attributes for the new VPN tunnel. The displayed configuration should be similar to the following: Cisco ASA 5505 Getting Started Guide 7-17 78-17612-01…

  • Page 90: What To Do Next

    Configuration and System Log Messages You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance. Cisco ASA 5505 Getting Started Guide 7-18 78-17612-01…

  • Page 91
    To Do This … See … Configure the adaptive security Chapter 6, “Scenario: DMZ appliance to protect a web server in a Configuration” Configure a site-to-site VPN Chapter 8, “Scenario: Site-to-Site VPN Configuration” Cisco ASA 5505 Getting Started Guide 7-19 78-17612-01…
  • Page 92
    Chapter 7 Scenario: IPsec Remote-Access VPN Configuration What to Do Next Cisco ASA 5505 Getting Started Guide 7-20 78-17612-01…
  • Page 93: Scenario: Site-To-Site Vpn Configuration

    Configuring the Other Side of the VPN Connection, page 8-13 • What to Do Next, page 8-13 • Example Site-to-Site VPN Network Topology Figure 8-1 shows an example VPN tunnel between two adaptive security appliances. Cisco ASA 5505 Getting Started Guide 78-17612-01…

  • Page 94: Implementing The Site-To-Site Scenario

    IP addresses of local hosts and networks permitted to use the tunnel to communicate with resources on the remote site IP addresses of remote hosts and networks permitted to use the tunnel to • communicate with local resources Cisco ASA 5505 Getting Started Guide 78-17612-01…

  • Page 95: Configuring The Site-To-Site Vpn

    Remember to add the “s” in “https” or the connection fails. HTTP over Note SSL (HTTPS) provides a secure connection between your browser and the adaptive security appliance. The Main ASDM window appears. Cisco ASA 5505 Getting Started Guide 78-17612-01…

  • Page 96: Configuring The Security Appliance At The Local Site

    To configure the Security Appliance 1, perform the following steps: In the main ASDM window, choose the VPN Wizard option from the Wizards Step 1 drop-down menu. ASDM opens the first VPN Wizard screen. Cisco ASA 5505 Getting Started Guide 78-17612-01…

  • Page 97
    VPN concentrators, or other devices that support site-to-site IPsec connectivity. From the drop-down list, choose Outside as the enabled interface for the current VPN tunnel. Click Next to continue. Cisco ASA 5505 Getting Started Guide 78-17612-01…
  • Page 98: Providing Information About The Remote Vpn Peer

    To use a static preshared key for authentication, click the Pre-Shared Key • radio button and enter a preshared key (for example, “Cisco”). This key is used for IPsec negotiations between the adaptive security appliances. When using preshared key authentication, the Tunnel Group Name Note must be the IP address of the peer.

  • Page 99: Configuring The Ike Policy

    In Step 3 of the VPN Wizard, perform the following steps: Click the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), Step 1 and the Diffie-Hellman group (1/2/5) used by the adaptive security appliance during an IKE security association. Cisco ASA 5505 Getting Started Guide 78-17612-01…

  • Page 100
    Note of the options that you chose for Security Appliance 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process. Click Next to continue. Step 2 Cisco ASA 5505 Getting Started Guide 78-17612-01…
  • Page 101: Configuring Ipsec Encryption And Authentication Parameters

    Configuring IPsec Encryption and Authentication Parameters In Step 4 of the VPN Wizard, perform the following steps: Choose the Encryption algorithm (DES/3DES/AES) and authentication algorithm Step 1 (MD5/SHA) from the drop-down lists. Click Next to continue. Step 2 Cisco ASA 5505 Getting Started Guide 78-17612-01…

  • Page 102: Specifying Hosts And Networks

    Enter the local IP Address and Netmask. Step 2 In the Destination area, choose IP Address from the Type drop-down list. Step 3 Enter the IP address and Netmask for the remote host or network. Step 4 Cisco ASA 5505 Getting Started Guide 8-10 78-17612-01…

  • Page 103: Viewing Vpn Attributes And Completing The Wizard

    In Step 6 of the VPN Wizard, review the configuration list for the VPN tunnel you just created. If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance. Cisco ASA 5505 Getting Started Guide 8-11 78-17612-01…

  • Page 104
    ASDM. If you do not save the configuration changes, the old configuration takes effect the next time the device starts. This concludes the configuration process for Security Appliance 1. Cisco ASA 5505 Getting Started Guide 8-12 78-17612-01…
  • Page 105: Configuring The Security Appliance At The Local Site

    Refine configuration and configure Cisco Security Appliance Command optional and advanced features Line Configuration Guide Learn about daily operations Cisco Security Appliance Command Reference Cisco Security Appliance Logging Configuration and System Log Messages Cisco ASA 5505 Getting Started Guide 8-13 78-17612-01…

  • Page 106
    To Do This … See … Configure the adaptive security Chapter 6, “Scenario: DMZ appliance to protect a web server in a Configuration” Configure a remote-access VPN Chapter 7, “Scenario: IPsec Remote-Access VPN Configuration” Cisco ASA 5505 Getting Started Guide 8-14 78-17612-01…
  • Page 107
    If you ordered your adaptive security appliance with a DES or 3DES-AES license, the encryption license key comes with the adaptive security appliance. If you are a registered user of Cisco.com and would like to obtain a 3DES/AES encryption license, go to the following website: http://www.cisco.com/go/license…
  • Page 108
    Step 4 Exits global configuration mode. hostname(config)# exit Step 5 Saves the configuration. hostname# copy running-config startup-config Step 6 Reboots the adaptive security appliance and hostname# reload reloads the configuration. Cisco ASA 5505 Getting Started Guide 78-17612-01…

So, a Cisco ASA firewall has landed in your lap. Your hands are itching to connect it, configure it and put it to work. Where do you start, and how do you approach it?
This article was written using a Cisco ASA 5520 running software version 9.1 with a clean (default) configuration.

Configuring a Cisco ASA from scratch:
1. Connecting through the COM port
2. Configuring the management interface and SSH access
3. Configuring ASDM access
4. Upgrading the system software and ASDM
5. Configuring the interfaces
6. Configuring NAT to the outside network, and ping
7. Configuring NAT from outside to a server on the internal network
8. Testing packet flow

1. Connecting through the COM port

If you have only just picked up a Cisco ASA, the first step is to connect to it through the COM port (the light-blue RJ45 to DB9 cable). The usual port settings are:
Bits per sec: 9600
Data bits: 8
Parity: none
Stop bits: 1
Flow control: none

Like other Cisco devices, the Cisco ASA has two modes: user mode and privileged mode. Enter privileged mode with the enable command (the abbreviation en also works):

ciscoasa>
ciscoasa> enable
ciscoasa#

On a fresh Cisco ASA, or one reset to factory defaults, the privileged-mode password is not set yet. You can start configuring: configure terminal, or conf t.

ciscoasa# configure terminal
ciscoasa(config)#

All remaining commands are entered in configuration mode unless stated otherwise. The exit command, run in configuration mode, takes you back one level.
The command listings below contain comments that start with the # character. Do NOT type them: they are for you, the ASA will not understand them.

2. Configuring the management interface and SSH access

The Cisco ASA has a dedicated management interface. It is recommended to keep a separate network for managing and monitoring all equipment and servers, one that ordinary users cannot reach.

# set the password for privileged mode
enable password zzz

# configure the management interface
interface Management 0/0
   nameif manage
   security-level 100
   ip address 192.168.1.100 255.255.255.0
   no shutdown
exit

# configure SSH access
crypto key generate rsa modulus 1024
username username password yyy
passwd yyy
# specify the list of addresses or networks allowed to connect over SSH
# do not list more than necessary
ssh 192.168.1.22 255.255.255.255
ssh 192.168.1.33 255.255.255.255
ssh version 2
# while you are at it, you can raise the timeout; the default is only 5 minutes
ssh timeout 15
aaa authentication ssh console LOCAL

Now you can connect to the ASA over the network via SSH, using PuTTY or a Linux console:

ssh username@192.168.1.100

3. Configuring ASDM access

Besides configuring the Cisco ASA from the console, there is an alternative: Cisco Adaptive Security Device Manager (ASDM). ASDM duplicates the capabilities of the CLI and is aimed more at those who prefer to click with a mouse. Some operations are easier in ASDM, but for most settings the CLI is more convenient, clearer and simpler. Look at both and choose whichever suits your tasks.

# if you have not yet configured SSH access, run the crypto key gen... command from the previous section
# start the HTTP server
http server enable
# specify the list of addresses or networks allowed to connect
http 192.168.1.22 255.255.255.255 manage
http 192.168.1.33 255.255.255.255 manage
# list the files stored on the Cisco ASA
dir
# if several ASDM versions are available, choose the newer one
asdm image disk0:/asdm-742.bin

To reach ASDM, enter https://192.168.1.100 in your browser.

4. Upgrading the system software and ASDM

You can view the current software versions like this:

ciscoasa# show version 
Cisco Adaptive Security Appliance Software Version 9.1(7)13 
Device Manager Version 7.7(1)
...

You can check for newer software versions, and whether your ASA supports them, on the official site: https://software.cisco.com/download/type.html?mdfid=280582808, but you can only download them with a valid license.
To upload and install update files on the Cisco ASA, ASDM is the easier way:
Upload: Tools -> File Management… -> File Transfer
Or upload and install in one step: Tools -> Upgrade Software from Local Computer
From the command line, uploading a file takes a single command (run a TFTP server on your computer; on Windows, Tftpd32 will do):

# run the copy command in interactive mode
copy tftp disk0:
Address or name of remote host []? 192.168.1.22
Source filename []? asa917-13-k8.bin
Destination filename [asa917-13-k8.bin]? 
Accessing tftp://192.168.1.22/asa917-13-k8.bin.........!!
Writing file disk0:/asa917-13-k8.bin...........!!
27703296 bytes copied in 3.60 secs

# check that the file is there
dir
# select the system image and ASDM image to use
asdm image disk0:/asdm-771.bin
boot system disk0:/asa917-13-k8.bin
# save the configuration
write memory
# reboot into the new system version
reload

5. Configuring the interfaces

As a model, let us take the most common network layout:

  1. an external network with a public IP address (outside);
  2. a dedicated server network (dmz): 192.168.20.0/29;
  3. a local user network (lan): 192.168.10.0/24;

By default the Cisco ASA passes traffic from a zone with a higher security-level value into a zone with a lower one. After some head-scratching, we assign the security levels: outside = 0, dmz = 50, lan = 100. The numbers themselves mean nothing; what matters is how they compare (greater, smaller).
Ports on this kind of hardware are precious. To save them, you can create several subinterfaces:

interface GigabitEthernet0/0
   mac-address 0050.56xx.xxxx
   nameif outside
   security-level 0
   ip address 11.11.11.11 255.255.255.248 
   no shutdown
exit
interface GigabitEthernet0/1.20
   vlan 20
   nameif dmz
   security-level 50
   ip address 192.168.20.1 255.255.255.248 
exit
interface GigabitEthernet0/1.10
   vlan 10
   nameif lan
   security-level 100
   ip address 192.168.10.1 255.255.255.0 
exit
interface GigabitEthernet0/1
   no shutdown
exit
# default route
route outside 0.0.0.0 0.0.0.0 11.11.11.10 1
dhcpd dns 8.8.8.8

6. Configuring NAT to the outside network, and ping

Access to the outside network is allowed according to the security levels you set, but for everything to work you must configure NAT:

object network lan-subnet
   subnet 192.168.10.0 255.255.255.0
   nat (lan,outside) dynamic interface
exit

object network dmz-subnet
   subnet 192.168.20.0 255.255.255.248
   nat (dmz,outside) dynamic interface
exit

Done: your users and servers now have Internet access. If you need to allow ICMP, do the following:

policy-map global_policy
   class inspection_default
      inspect icmp
exit

7. Configuring NAT from outside to a server on the internal network

Option 1. You need to forward a single port, for example 80, to a server in the dmz:

object network server-www
   host 192.168.20.2
   nat (dmz,outside) static interface service tcp www www
exit
# traffic from outside into the dmz goes against the security-level rule
# to let it through, configure ACL (Access Control List) rules
access-list outside_acl extended permit tcp any object server-www eq www
access-group outside_acl in interface outside

Option 2. You need to forward two or more ports. Simply adding a new nat rule to the existing object overwrites the first rule, so everything has to be duplicated for each port:

object network server-www
   host 192.168.20.2
   nat (dmz,outside) static interface service tcp www www
exit
object network server-8080
   host 192.168.20.2
   nat (dmz,outside) static interface service tcp 8080 8080
exit
access-list outside_acl extended permit tcp any object server-www eq www
access-list outside_acl extended permit tcp any object server-8080 eq 8080
access-group outside_acl in interface outside

Option 3. Forward all ports to the internal server (after this, nothing can be redirected to a second server):

object network server-ip
   host 192.168.20.2
   nat (dmz,outside) static interface
exit
# allow only the ports you need
access-list outside_acl extended permit tcp any object server-ip eq www
access-list outside_acl extended permit tcp any object server-ip eq 8080
access-list outside_acl extended permit tcp any object server-ip eq ssh
access-list outside_acl extended permit tcp any object server-ip eq ftp
access-group outside_acl in interface outside

8. Testing packet flow

You could test your settings like this: “Nikolai, try opening ya.ru… Doesn't work? OK, let me take a look…”. A more correct approach, faster and more informative, is packet-tracer! This tool generates a packet and shows step by step how it is processed.
Generate a packet from the internal network (from a user) to the outside:

packet-tracer input lan tcp 192.168.10.2 12345 93.159.134.3 80

Generate a packet from the outside network to the outside interface, destined for the www server in the dmz:

packet-tracer input outside tcp 8.8.8.8 12345 11.11.11.11 80
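
As an added illustration (not code from this article or from Cisco), the following Python script models how the ASA decides the two packet-tracer cases above: it parses the subset of the CLI used in sections 5 to 7 (interfaces with security-level, network objects, static and dynamic NAT, the ACL on outside) and walks a flow through simplified UN-NAT, route-lookup, ACL and NAT phases. The configuration string is constructed from the article's own examples, the "one nat line per object" behaviour from option 2 is modelled by the nat dictionary, and the real ASA performs many more checks than shown here.

```python
import ipaddress

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "ftp": 21}  # names the ASA resolves on ACL/NAT lines
port = lambda tok: PORT_NAMES.get(tok) or int(tok)


class AsaModel:
    def __init__(self, config_text):
        self.ifaces, self.objects, self.nat, self.acls, self.access_group = {}, {}, {}, {}, {}
        self.default_if, cur = None, None  # cur: the interface or object-network block we are inside
        for raw in config_text.splitlines():
            t = raw.split("#")[0].split()  # '#' comments, as in the article
            if not t:
                continue
            if t[0] == "interface":
                cur = {"kind": "interface"}
            elif t[:2] == ["object", "network"]:
                cur = {"kind": "object", "name": t[2]}
            elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:  # permit PROTO any object NAME eq PORT
                self.acls.setdefault(t[1], []).append((t[4], t[7], port(t[9])))
            elif t[0] == "access-group":  # access-group NAME in interface IFACE
                self.access_group[t[4]] = t[1]
            elif t[0] == "route" and t[2] == "0.0.0.0":
                self.default_if = t[1]
            elif cur and cur["kind"] == "interface":
                if t[0] == "nameif":
                    self.ifaces[t[1]] = cur
                elif t[0] == "security-level":
                    cur["level"] = int(t[1])
                elif t[:2] == ["ip", "address"]:
                    cur["addr"] = ipaddress.ip_address(t[2])
                    cur["net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            elif cur and cur["kind"] == "object":
                if t[0] == "host":
                    self.objects[cur["name"]] = ipaddress.ip_network(t[1])
                elif t[0] == "subnet":
                    self.objects[cur["name"]] = ipaddress.ip_network(f"{t[1]}/{t[2]}")
                elif t[0] == "nat":  # a second 'nat' line in the same object replaces the first
                    real_if, mapped_if = t[1].strip("()").split(",")
                    rule = {"real_if": real_if, "mapped_if": mapped_if, "mode": t[2]}
                    if "service" in t:  # ... static interface service tcp REAL MAPPED
                        i = t.index("service")
                        rule.update(proto=t[i + 1], real_port=port(t[i + 2]), mapped_port=port(t[i + 3]))
                    self.nat[cur["name"]] = rule

    def packet_tracer(self, in_if, proto, src, sport, dst, dport):
        # Mimics 'packet-tracer input IN_IF PROTO SRC SPORT DST DPORT' with simplified phases.
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        out_if, real_dst, real_port = None, dst_ip, dport
        # UN-NAT: a static rule whose mapped side is the ingress interface rewrites the destination.
        for name, r in self.nat.items():
            if (r["mode"], r["mapped_if"]) == ("static", in_if) and dst_ip == self.ifaces[in_if]["addr"] \
                    and (r.get("proto", proto), r.get("mapped_port", dport)) == (proto, dport):
                out_if, real_dst = r["real_if"], self.objects[name].network_address
                real_port = r.get("real_port", dport)
                break
        # ROUTE-LOOKUP: a connected subnet first, otherwise the default route.
        if out_if is None:
            out_if = next((n for n, i in self.ifaces.items() if real_dst in i["net"]), self.default_if)
        # ACCESS-LIST: an inbound ACL replaces the security-level default (higher level may reach lower).
        acl = self.access_group.get(in_if)
        if acl is not None:
            allowed = any(p == proto and real_dst in self.objects[o] and dp == real_port
                          for p, o, dp in self.acls[acl])
        else:
            allowed = self.ifaces[in_if]["level"] > self.ifaces[out_if]["level"]
        # NAT: dynamic PAT hides the source behind the egress interface address.
        src_nat = next((str(self.ifaces[out_if]["addr"]) for n, r in self.nat.items()
                        if (r["mode"], r["real_if"], r["mapped_if"]) == ("dynamic", in_if, out_if)
                        and src_ip in self.objects[n]), None)
        return {"action": "allow" if allowed else "drop", "input": in_if, "output": out_if,
                "dst": str(real_dst), "dst_port": real_port, "src_nat": src_nat}


# Constructed config, abbreviated from sections 5, 6 and 7 (option 1) of the article.
CONFIG = """
interface GigabitEthernet0/0
   nameif outside
   security-level 0
   ip address 11.11.11.11 255.255.255.248
interface GigabitEthernet0/1.20
   nameif dmz
   security-level 50
   ip address 192.168.20.1 255.255.255.248
interface GigabitEthernet0/1.10
   nameif lan
   security-level 100
   ip address 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 11.11.11.10 1
object network lan-subnet
   subnet 192.168.10.0 255.255.255.0
   nat (lan,outside) dynamic interface
object network server-www
   host 192.168.20.2
   nat (dmz,outside) static interface service tcp www www
access-list outside_acl extended permit tcp any object server-www eq www
access-group outside_acl in interface outside
"""
ASA = AsaModel(CONFIG)

if __name__ == "__main__":  # replays the article's two packet-tracer commands
    print(ASA.packet_tracer("lan", "tcp", "192.168.10.2", 12345, "93.159.134.3", 80))
    print(ASA.packet_tracer("outside", "tcp", "8.8.8.8", 12345, "11.11.11.11", 80))
```

A request to a port that has no static rule and no ACL entry (for example 11.11.11.11:22 from outside) comes back as "drop", which is the result packet-tracer reports for the same configuration.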

Save the configuration

write memory
# abbreviated form: wm

For a start, the settings made here are quite sufficient… but only for a start. Do not treat this collection as an instruction manual; it is only advice on where to begin, a sort of “quick start guide”. What comes next? There is no single answer to that question. The answer lies in:

  1. the design of your network (now and in the future) and the place of the Cisco ASA in it;
  2. a detailed study of the documentation, articles and reviews: which of the supported technologies you can put to use;
  3. the specifics of your organization: what levels of security and service availability are required;
  4. and so on.

Questions? Comments?

On this page you will find a large collection of lessons and tips on configuring Cisco ASA firewalls: the ASA 5505, ASA 5506, ASA 5510, ASA 5515, ASA 5516 and others differ little from one another.

CONTENTS:

  • Quick configuration of a Cisco ASA 5500-X from scratch for Internet access
  • Express setup of AnyConnect VPN on a Cisco ASA through ASDM
  • First connection to a Cisco ASA Firewall and initial configuration
  • Configuring interfaces and management protocols on a Cisco ASA
  • Configuring a Cisco ASA 5506-X over PPPoE
  • Cisco ASA: remote management over SSH, NAT configuration
  • Resetting a Cisco ASA to factory (default) settings
  • Password reset on a Cisco ASA 5505, 5506, 5510, 5515, 5516 and others
  • Configuring DHCP on a Cisco ASA firewall

Quick configuration of a Cisco ASA 5500-X from scratch for Internet access

Initial configuration of a Cisco ASA from scratch using the CLI and the ASDM graphical interface. A typical ASA 5500-X configuration for secure Internet access for a small company or home network. Step-by-step instructions:

Common questions about configuring a Cisco ASA from scratch

  • How do I configure the ASA when I need routing between different VLANs?

With static routing, the clients in each VLAN use the IP address of the ASA interface or subinterface for that VLAN as their gateway. The only subtlety: if the ASA interfaces or subinterfaces have the same security-level, then for traffic to pass between them you must add the command same-security-traffic permit inter-interface.

If you need dynamic routing protocols, that is also standard: enable the protocol you need and specify the participating networks and subnets.

Here is an example configuration with subinterfaces on the ASA, a trunk to the switch and static routing:

interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan_10
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif vlan_20
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
same-security-traffic permit inter-interface

That is enough for packets to start flowing between VLANs 10 and 20.

Express setup of AnyConnect VPN on a Cisco ASA through ASDM

Simple step-by-step configuration of Cisco AnyConnect VPN on an ASA from scratch through the ASDM graphical interface.

A typical AnyConnect configuration for secure remote access to the corporate network over the Internet.

Common questions about configuring AnyConnect VPN:

  • The newly created user ra-user cannot connect; it only works as the local admin

Note that ra-user is an ordinary user, for logging in to the network, not for access to the ASA itself. The admin has a different privilege level (priv 15).

  • Where do I get the .pkg file?

It is part of the AnyConnect package, which can be downloaded from software.cisco.com if you have an account and a paid service contract.

  • Is it possible to arrange for a particular user to always receive the same IP address?

Method 1. A fixed IP, individual ACLs and much more can be done through an external RADIUS server (Cisco ACS, ISE).

Method 2. It can also be done through user attributes, for example:

ASA(config)# username test attributes
ASA(config-username)# vpn-framed-ip-address 10.1.1.1 255.255.255.0

If authorization uses the local user database, this method should work. But everything needs to be tested and debugged, for example with debug. There may be nuances.

First connection to a Cisco ASA Firewall and initial configuration

This video lesson covers:

  • the first connection to a Cisco ASA (configuration from scratch);
  • booting an ASA5515X-K8 device;
  • peculiarities of working in the command-line management environment;
  • rules and peculiarities of configuring interfaces, including names and security level;
  • a description of the default ASA Firewall rules.

The video will make life much easier for those who know the Cisco IOS CLI but are connecting to a Cisco ASA for the first time.

Configuring interfaces and management protocols on a Cisco ASA

The lesson covers:

  • correct configuration of Cisco ASA interfaces;
  • configuring the management protocols telnet, ssh and http/https/ASDM;
  • peculiarities of configuring console access;
  • configuring users and the enable password;
  • configuring AAA for authentication against the LOCAL database.

It also shows how to bundle several ports into an LACP trunk, the role of the Native VLAN, and the peculiarities of using VLAN 1 on ASA subinterfaces, including PortChannel.

Configuring a Cisco ASA 5506-X over PPPoE

This video shows how to configure an ASA 5506-X firewall, connecting one internal LAN subnet to an external Internet router using PPPoE.

Cisco ASA: remote management over SSH, NAT configuration

Resetting a Cisco ASA 5505, 5506, 5510, 5515, 5516 to factory (default) settings

There is a simple command for resetting the settings to factory defaults: config factory-default

The reset process:

>enable
#config t
#write erase
#reload

>enable
#config t
#config factory-default
#reload

Password reset on a Cisco ASA 5505, 5506, 5510, 5515, 5516 and others

During boot, press the Escape key to enter ROMMON. Answer yes to the questions “Do you wish to change this configuration?” and “disable system configuration?”.

rommon #1> confreg

Then issue the following series of commands (the enable password is empty):

rommon #1> boot

hostname> enable
hostname# copy startup-config running-config
hostname# configure terminal
hostname(config)# config factory-default

YOURPASS is a password you make up yourself:

hostname(config)# enable password YOURPASS
hostname(config)# config-register 0x10011
hostname(config)# exit
hostname# copy running-config startup-config
hostname# reload

Configuring DHCP on a Cisco ASA firewall

Let's start, then, with the basic configuration of interfaces and routing, and with setting up connections for remote administration.

Interface configuration

The Cisco ASA is a hardware firewall with stateful session inspection. The ASA can operate in two modes: routed (router mode, the default) and transparent (a transparent firewall, where the ASA acts as a filtering bridge). We will look at the first mode and assume it throughout unless another mode is stated explicitly.

In routed mode each ASA interface is configured with an IP address, a mask, a security level (security-level) and an interface name, and the interface must be brought up explicitly, because by default all interfaces are in the "administratively down" state. (There are exceptions: sometimes ASAs arrive preconfigured. This is typical of the 5505. In that case, as a rule, the internal interface named inside is already configured as the most secure and is up, a DHCP server runs on it, it has a static address from 192.168.1.0/24, the external interface named outside is also up and obtains its address via DHCP, and address translation from the network behind inside to the address of the outside interface is configured. Plug-and-play, in other words :))

  interface g0/0
    ip address {address} {mask}
    security-level {number}
    nameif {name}
    no shutdown

The "security level" parameter is a number from 0 to 100 that lets you compare two interfaces and decide which of them is more "secure". The parameter is used qualitatively, not quantitatively: only the "greater/less" relation matters. By default, traffic going "out", i.e. from an interface with a higher security level to an interface with a lower security level, is permitted, the session is recorded, and in the reverse direction only the replies belonging to those sessions are let back in. Traffic going "in" is denied by default.

The "interface name" parameter (nameif) lets later configuration refer to the interface by a name that can be made meaningful (inside, outside, dmz, partner and so on) rather than by its physical designation. In theory, as Cisco itself states, the name is not case sensitive, but in practice a number of commands require the exact case, which is rather inconvenient. A typical example: applying a crypto map to an interface requires the interface name to be spelled exactly. The name can be completed with the TAB key, i.e. you can type the beginning of the name and let the tab key complete it, as long as what you typed identifies the interface unambiguously.

This style of interface configuration applies to all ASA models except the ASA 5505. The 5505 has a built-in 8-port L2/L3 switch. On the 5505, IP addresses are assigned to logical interfaces:

  interface vlan {#}
    ip address {address} {mask}
    security-level {number}
    nameif {name}
    no shutdown

The physical L2 interfaces themselves are mapped to VLANs.

interface f0/0
  switchport access vlan {#}

Thus, firewalling takes place between the logical interface vlan entities.
As a rule, interface security levels are chosen to match the logical topology of the network as closely as possible. The topology itself consists of security zones and the rules for interaction between them. The classic scheme is to assign different security levels to different interfaces.
Nothing stops you from giving different interfaces the same security level, but by default traffic between such interfaces is denied. Such traffic can be deliberately permitted with the command

  same-security-traffic permit inter-interface

Bear in mind, however, that between interfaces with the same security level there is no firewalling, only routing. That is why this approach is used for interfaces belonging to the same logical security zone (for example, two user LANs joined by the ASA).
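To make the default policy described above concrete, here is a small Python model of it: interfaces with security levels, a stateful connection table, and the same-security-traffic switch. It is an added illustration written for this page, not Cisco code; the interface names, security levels and packet addresses are constructed sample data.

```python
"""Model of the ASA's default inter-interface policy (security levels plus a
stateful connection table), written as an added illustration of the text above.
Interface names, security levels and the packets below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class AsaPolicy:
    levels: dict                              # nameif -> security-level (0..100)
    same_security_inter: bool = False         # 'same-security-traffic permit inter-interface'
    conns: set = field(default_factory=set)   # open sessions as (in_if, src, out_if, dst)

    def default_allows(self, in_if: str, out_if: str) -> bool:
        """Implicit policy with no access lists: higher -> lower level is permitted,
        lower -> higher is denied, equal levels are denied unless explicitly enabled."""
        src_level, dst_level = self.levels[in_if], self.levels[out_if]
        if src_level > dst_level:
            return True
        if src_level == dst_level and in_if != out_if:
            return self.same_security_inter
        return False

    def packet(self, in_if: str, src: str, out_if: str, dst: str) -> str:
        """Classify a packet arriving on in_if: 'new' (session created), 'reply'
        (matches a recorded session in the reverse direction) or 'drop'."""
        if (out_if, dst, in_if, src) in self.conns:
            return "reply"          # return traffic of a recorded session is passed
        if self.default_allows(in_if, out_if):
            self.conns.add((in_if, src, out_if, dst))
            return "new"
        return "drop"


def demo() -> list:
    """Walk through the cases the text describes and return the verdicts in order."""
    asa = AsaPolicy(levels={"inside": 100, "dmz": 50, "outside": 0, "branch": 100})
    verdicts = [
        asa.packet("inside", "10.1.1.10", "outside", "203.0.113.5"),   # 100 -> 0: new session
        asa.packet("outside", "203.0.113.5", "inside", "10.1.1.10"),   # reply to that session
        asa.packet("outside", "203.0.113.9", "dmz", "192.0.2.10"),     # 0 -> 50, unsolicited: drop
        asa.packet("inside", "10.1.1.10", "branch", "10.2.2.10"),      # 100 -> 100: drop by default
    ]
    asa.same_security_inter = True           # same-security-traffic permit inter-interface
    verdicts.append(asa.packet("inside", "10.1.1.10", "branch", "10.2.2.10"))  # now permitted
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The last two verdicts show the point of the paragraph above: with equal security levels the ASA drops the traffic until same-security-traffic permit inter-interface is enabled, and after that there is no level-based check left between those interfaces.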

Routing

Where would we be without it! As on any router (the ASA is one too, since it uses a routing table to forward packets), the networks configured on interfaces are placed in the routing table automatically and marked "connected", provided the interface itself is in the "up" state. Packets are routed between these networks automatically.
Networks the ASA does not know about by itself must be described. This can be done manually with the command

  route {interface} {network} {mask} {next-hop} [{administrative distance}] [track {#}]

You specify the interface behind which the next hop should be looked for, because the ASA does not perform that lookup itself (unlike a regular Cisco router). Remember that only one route to a destination network enters the routing table, unlike classic routers, where up to 16 parallel paths can be used.
The default route is set the same way

  route {interface} 0.0.0.0 0.0.0.0 {next-hop}

If the ASA has no entry in its routing table for a packet's destination network, it drops the packet.

If you need a backup static route that only works when the primary one disappears, this is solved by specifying the so-called administrative distance of the route. It is a number from 0 to 255 that indicates how good the route-selection method is. For example, static routes are assigned AD 1 by default, EIGRP 90, OSPF 110, RIP 120. You can explicitly give the backup route an AD greater than that of the primary. For example:

  route outside 0.0.0.0 0.0.0.0 {next-hop} 1
  route backup 0.0.0.0 0.0.0.0 {next-hop_backup} 210

But there is one important question here: how do you make the primary route "disappear"? If the interface physically goes down, it is obvious, it happens by itself, but what if the interface is up and the provider has died? This is a very common situation, given that the ASA is all Ethernet, which very rarely goes down physically.

This problem is solved with the SLA technology. It is quite elaborate on classic routers, while on the ASA only the simplest mechanism was introduced in version 7.2: the reachability of a given host via ICMP. For that, a "pinger" (sla monitor) is created

  sla monitor {#}
    type echo protocol ipIcmpEcho {ip address} interface {interface}

Next, it has to be started, specifying the start time (it can be started "now") and the end of its life (it can be set to run forever)

  sla monitor schedule {#} start now life forever

And that is still not all. You have to create a "switch" (track) that will watch the state of the pinger.

  track {track #} rtr {sla #} reachability

Don't ask why the pinger is attached with the keyword rtr: these are leftovers of configuration inconsistencies on Cisco routers. Incidentally, on the routers themselves this inconsistency has already been fixed, but not yet on the ASA.
And now everything is ready to apply this construct to static routing

  route outside 0 0 {next-hop_outside} track {#}
  route backup 0 0 {next-hop_backup} 210

Now, as long as the pinged host is reachable, the track will be in the up state (I almost wrote "slightly up" :)) and the primary route will be in the routing table, but as soon as connectivity is lost, after the configured number of lost packets (by default packets are sent every 10 seconds and we wait for three packets to be lost) the track is moved to the down state, the primary route disappears from the routing table, and packets are sent along the backup path.

Here is an example configuration of two default routes through different providers with a reachability check of the primary provider:

  sla monitor 1
    type echo protocol ipIcmpEcho 1.1.1.1 interface outside
  sla monitor schedule 1 start now life forever
  track 11 rtr 1 reachability
  route outside 0 0 1.1.1.1 track 11
  route backup 0 0 2.2.2.1 210
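The following Python simulation replays the behaviour of the configuration above (sla monitor 1, track 11, a tracked primary default route with AD 1 and a backup with AD 210) over a constructed sequence of echo outcomes. It is an added example written for this page, not ASA code; the probe interval and the three-loss threshold are taken from the text, and the next-hop addresses are the ones in the snippet.

```python
"""Simulation of the 'sla monitor' / 'track' / tracked static route mechanism
described above, added as an illustration (not ASA code). Next hops and the
sequence of echo outcomes are constructed; the probe defaults follow the text:
one echo every 10 s, three consecutive losses take the track down."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SlaMonitor:
    """ICMP echo probe: reachable until threshold_lost echoes in a row go unanswered."""
    target: str
    interface: str
    frequency_s: int = 10
    threshold_lost: int = 3
    lost_in_row: int = 0

    def probe(self, reply_received: bool) -> bool:
        """Record one echo outcome and return the resulting reachability."""
        self.lost_in_row = 0 if reply_received else self.lost_in_row + 1
        return self.reachable

    @property
    def reachable(self) -> bool:
        return self.lost_in_row < self.threshold_lost


@dataclass
class StaticRoute:
    interface: str
    prefix: str                          # '0.0.0.0/0' for the default route
    next_hop: str
    ad: int = 1                          # administrative distance; static routes default to 1
    track: Optional[SlaMonitor] = None   # with 'track', the route is installed only while reachable

    @property
    def installed(self) -> bool:
        return self.track is None or self.track.reachable


def best_route(routes: List[StaticRoute], prefix: str) -> Optional[StaticRoute]:
    """Only one route per destination enters the routing table: the installed
    candidate with the lowest administrative distance."""
    candidates = [r for r in routes if r.prefix == prefix and r.installed]
    return min(candidates, key=lambda r: r.ad) if candidates else None


def failover_scenario(echo_results: List[bool]) -> List[str]:
    """Replay echo outcomes for the config in the text (sla monitor 1 -> track 11 ->
    route outside ... track 11; route backup ... 210) and return the default-route
    next hop in use after each probe."""
    sla1 = SlaMonitor(target="1.1.1.1", interface="outside")
    routes = [
        StaticRoute("outside", "0.0.0.0/0", "1.1.1.1", ad=1, track=sla1),
        StaticRoute("backup", "0.0.0.0/0", "2.2.2.1", ad=210),
    ]
    in_use = []
    for reply in echo_results:
        sla1.probe(reply)
        chosen = best_route(routes, "0.0.0.0/0")
        in_use.append(chosen.next_hop if chosen else "no route: packet dropped")
    return in_use


if __name__ == "__main__":
    # probes 10 s apart: ok, loss, loss, loss (track down -> backup), ok (track up again)
    print(failover_scenario([True, False, False, False, True]))
```

Note that the backup route is never withdrawn: it simply loses to the tracked route whenever that one is installed, which is exactly why its AD has to be higher than the primary's.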

Dynamic routing on the ASA is possible with RIPv1/v2, OSPF and EIGRP. Configuring these protocols on the ASA is very similar to configuring them on Cisco routers. I will not touch on dynamic routing in these articles for now, although if I get around to it and there is interest, I will write a separate chapter.

Remote management

Clearly, with today's data networks it would be unreasonable not to have remote management of firewalls. So the ASA, like most Cisco devices, provides several remote-management methods.
The simplest and least secure is telnet. To grant telnet access to the ASA, you must explicitly specify from which hosts and networks and on which interface access is allowed, and you must set the telnet password with the passwd command:

  telnet 192.168.1.128 255.255.255.128 inside
  telnet 192.168.1.254 255.255.255.255 inside
  passwd {password}

For security reasons, telnet on the least secure interface (the one with the lowest security level on this ASA) is blocked, and telnet on that interface can only work if it arrives through an IPsec tunnel.
More secure CLI access is provided by ssh. However, to enable ssh access, besides explicitly specifying which hosts may connect for management, you must also generate the RSA keys needed to encrypt the user data. By default the ssh connection uses the user pix and the password set with the passwd command (the telnet password).

  ! Set the domain name
  domain-name {name}
  !
  ! It is advisable to set a non-default hostname
  hostname {name}
  !
  ! After that the keys can be generated
  crypto key generate rsa
  !
  ! Permit ssh
  ssh 192.168.1.128 255.255.255.128 inside
  ssh 1.2.3.4 255.255.255.255 outside
  passwd {password}

As a rule, on ASAs from version 7.2 onward the domain name is already set (domain.invalid) and the default keys are generated, but this should at least be checked

  show crypto key mypubkey rsa

The presence of any RSA keys at all already makes ssh work. But you can additionally create non-default key pairs. To do that, specify the key pair name explicitly

  crypto key generate rsa label {pair name}

To delete a key pair (or all pairs) use the command

  crypto key zeroize rsa [label {pair name}]

Tip: after any action on key pairs (creation, deletion), always save. The standard Cisco commands can be used for this

  copy running-config startup-config
  write memory

or the short form of the last command

  wr

The ASA also provides an extremely popular configuration method using a web browser. It is called ASDM (Adaptive Security Device Manager). Access uses the secure https protocol. Setting up access is very similar to setting up ssh: you must generate, or verify the presence of, the default RSA keys and specify where connections may come from.

  domain-name {name}
  hostname {name}
  crypto key generate rsa
  ! Enable the https server itself; it is often enabled by default. When enabled
  ! it generates a self-signed certificate.
  http server enable
  ! Permit https
  http 192.168.1.128 255.255.255.128 inside
  http 1.2.3.4 255.255.255.255 outside

If nothing else is configured, access is granted without specifying a user. If a privileged-mode password was set

  enable password {password}

then when connecting you must enter exactly that as the password, without specifying a user.
Check that the ASA flash contains an ASDM file matching the OS version in use.

  dir flash:
  show flash

ASDM uses Java, and the following holds: if you run OS version 7.x, you need ASDM 5.x and Java 1.5. If OS 8.x is used, you need ASDM 6.x and Java 1.6. To the developers' credit and the administrators' delight, ASDM 6 works far better and faster than 5.x. Whose merit that is, Java's or Cisco's or both, I don't know.

A reasonable question arises: what if you want not the default access rules but to state explicitly where to take the user from? The following commands are used for that (console is a keyword)

  aaa authentication telnet console {AAA server name} [LOCAL]
  aaa authentication ssh console {AAA server name} [LOCAL]
  aaa authentication http console {AAA server name} [LOCAL]

If only the local user database is used, the authentication rule can specify just LOCAL (make sure at least one user has been created, otherwise you can lock yourself out), and if external databases reachable via TACACS+, RADIUS or LDAP are needed, such servers must be configured beforehand

  aaa-server {AAA server name} protocol {tacacs+|radius|ldap}
  aaa-server {AAA server name} ({interface}) host {ip}
    key {key}
    ! and other commands specific to this server type

The local user database is defined with the command

  username {user} password {password} [privilege #]

ASDM access is possible only as a user with privilege level 15 (the maximum; it means the user is allowed to configure everything).
Local users can also be given a number of attributes with the command

  username {user} attributes
    ! various user attributes

To finish this part, here is a configuration fragment. It configures two interfaces (here gigabitethernet 0/0 and 0/1, although on other platforms these may be different physical interfaces), inside and outside, a default route, and remote access via ssh and https from anywhere, with authentication against the local user database.

  hostname MyAsa
  !
  domain-name anticisco.ru
  !
  interface g0/0
    nameif outside
    security-level 0
    ip address 1.1.1.2 255.255.255.252
    no shut
  !
  interface g0/1
    nameif inside
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    no shut
  !
  ! on the ASA the entry 0.0.0.0 can be shortened to 0
  !
  route outside 0 0 1.1.1.1
  !
  username admin password cisco privilege 15
  !
  ssh 0 0 inside
  ssh 0 0 outside
  !
  http 0 0 inside
  http 0 0 outside
  !
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
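Before deploying a fragment like the one above, it helps to check its management-access lines against the rules this section states: telnet is cleartext and is blocked on the lowest-security interface anyway, ssh/http permitted from 0 0 on that same interface means management is reachable from the whole Internet, and a LOCAL-only authentication rule with no local user (or, for ASDM, no privilege-15 user) locks you out. The Python audit below does exactly that over a constructed config that mirrors the snippet above plus a telnet line for contrast. It is an added example written for this page, not Cisco tooling, and its finding codes are made up for the example.

```python
"""Audit of the management-access lines of an ASA configuration, added here to
illustrate the remote-management section (it is not Cisco tooling). The config
below is constructed from the snippet in the text plus a telnet line for contrast."""

SAMPLE_CONFIG = """\
hostname MyAsa
domain-name anticisco.ru
interface g0/0
  nameif outside
  security-level 0
  ip address 1.1.1.2 255.255.255.252
interface g0/1
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0
username admin password cisco privilege 15
telnet 192.168.1.0 255.255.255.0 outside
ssh 0 0 inside
ssh 0 0 outside
http server enable
http 0 0 inside
http 0 0 outside
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console MYTACACS
"""


def parse(cfg: str):
    """Collect security levels per nameif, management permit lines, AAA rules and users."""
    levels, mgmt, aaa, users = {}, [], {}, []
    nameif = None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":
            nameif = t[1]
        elif t[0] == "security-level" and nameif:
            levels[nameif] = int(t[1])
        elif t[0] in ("telnet", "ssh", "http") and len(t) == 4:
            mgmt.append((t[0], t[1], t[2], t[3]))      # proto, network, mask, interface
        elif t[:2] == ["aaa", "authentication"] and len(t) > 4 and t[3] == "console":
            aaa[t[2]] = t[4:]                           # proto -> list of servers / LOCAL
        elif t[0] == "username" and "privilege" in t:
            users.append((t[1], int(t[t.index("privilege") + 1])))
    return levels, mgmt, aaa, users


def audit(cfg: str) -> list:
    """Return (code, message) findings a defender would want to review."""
    levels, mgmt, aaa, users = parse(cfg)
    findings = []
    lowest = min(levels, key=levels.get) if levels else None   # the 'outside'-like interface
    admins = [name for name, priv in users if priv == 15]
    for proto, net, mask, iface in mgmt:
        from_any = net in ("0", "0.0.0.0") and mask in ("0", "0.0.0.0")
        if proto == "telnet":
            findings.append(("TELNET_CLEARTEXT",
                             f"telnet from {net} {mask} on {iface}: cleartext management protocol"))
            if iface == lowest:
                findings.append(("TELNET_LOWEST_IF",
                                 f"telnet on {iface} (lowest security level) is blocked unless it arrives over IPsec"))
        if from_any and iface == lowest:
            findings.append(("MGMT_FROM_ANY",
                             f"{proto} permitted from any source on {iface} (security-level {levels[iface]})"))
    for proto, servers in aaa.items():
        if "LOCAL" in servers and not users:
            findings.append(("AAA_LOCAL_NO_USER",
                             f"aaa authentication {proto} uses LOCAL but no local user exists: lockout risk"))
        elif proto == "http" and "LOCAL" in servers and not admins:
            findings.append(("ASDM_NO_PRIV15",
                             "ASDM needs a privilege-15 user but none is defined locally"))
        if "LOCAL" not in servers:
            findings.append(("AAA_NO_LOCAL",
                             f"aaa authentication {proto} has no LOCAL fallback: lockout if {servers[0]} is unreachable"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(SAMPLE_CONFIG):
        print(f"{code}: {msg}")
```

The parser deliberately understands only the handful of line shapes this section introduces (nameif, security-level, the three management permit commands, aaa authentication ... console and username ... privilege), so on a full running-config it reports nothing about the lines it does not know.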

With such settings you permit packets to go from the directly connected network behind the inside interface out to the outside. From outside, only replies to sessions (tcp and udp) opened from inside will come in, because, as a reminder, all "inbound" traffic is denied by default. How to permit it is the subject of the next part.

Access lists (to be continued)
