See

discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/303518237

Cisco ASA firewall command line Technical Guide

Working Paper · May 2016

DOI: 10.13140/RG.2.1.1157.4649

CITATIONS READS

0 1,473

1 author:

Motasem Hamdan
American University of Science and Technology
14 PUBLICATIONS 0 CITATIONS

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Blocking peer to peer traffic on Cisco ASA Firewall and other Intrusion prevention systems View project

CTF 2017 Solutions View project

All content following this page was uploaded by Motasem Hamdan on 25 May 2016.

The user has requested enhancement of the downloaded file.

 Cisco ASA firewall command line technical Guide
Streamlined and simple to use

Author: Eng. Motasem Hamdan

Category: Network Security
Academy: Cisco Networking Academy

1
 Abstract
This guide is intended to streamline the most used commands by network security engineers when
managing Cisco ASA firewall. It covers the very basic common commands to manage, administer,
secure, and providing connectivity operations to devices connected to Cisco ASA firewall. This guide is
neither comprehensive nor reference document for commands in Cisco ASA and the main reference for
command line syntaxes is refered at the end of this document. This paper is handy for network security
engineers to manage command line for most common aspects in cisco ASA while other operations such
as Virtual firewalls and VPN remote access could be done seamlessly using ASDM. This guide assumes
you have the required knowledge of CCNA, CCNA Security, CCNP and could be handy if you’re already
enrolled in CCNP Security pathway.

2
Basic IP Connectivity and routing protocols
Configuring trunk link and sub-interfaces between ASA and Switch
On the outside physical interface of switch1:
Interface f0/10
Switchport mode trunk
No shutdown
On the inside interface of ASA firewall:
Interface f0/3
Switchport mode trunk
Switchport trunk allowed vlan 20,10
No shutdown
Interface f0/3.1
Vlan 20 [ or use encapsulation command]
No shutdown
Interface f0/3.2
Vlan 10 [ or use encapsulation command]
No shutdown
Note: the command used to create trunk link between two networking devices should be used once
between router and switch and must be used twice between firewall and switch on each opposite
interface

Configure an ASA interface

Interface eth0/0
Nameif outside [ or inside]
Ip address ip-address [subnet-mask]
Speed [ auto | 10 | 100 | 1000]
Duplex [ auto | full | half]
Ip address dhcp [setroute]

3
Security-level [level:0-100]
When configuring interfaces with same security level, a command must be explicitly configured to
allow traffic between them
Same-security-traffic permit inter-interface

Configuring and changing MTU size for each interface to carry larger packets
Mtu if_name bytes

Enabling Jumbo frame processing. This applicable only on ASA 5580

Jumbo-frame reservation

Verifying the status of an interface

Show interface if_name

Verifying the status of all interfaces

Show interface ip brief

The ASA does not forward DHCP requests by default so it needs to be configured to use
dhcp relay agent
Dhcprelay server ip-address interface
Dhcprelay enable interface
Note that in the first command, the refered interface is the one connected to the DHCP Server or
gateway while the second interface in the second command is the one facing the clients

Enabling DHCP Server on ASA to assign IP addresses to clients

Dhcp enable interface
Dhcp address ip1-ip2 interface [address pool]

Delivering DNS addresses to clients

Dhcp dns ip1 ip2

Delivering the domain name to the clients

Dhcp domain your-domain

Configuring default and static routes

Route [ inside – outside ] [ dest ] [ dest-subnet mask ] [next hop gateway ]
Route [ inside – outside ] 0.0.0.0 0.0.0.0 [next hop gateway ]

Configuring RIPV2 to Exchange routing information with other RIPv2 routers.

4
 Access-list [Access-list name ] standard [ permi tor deny ] [ network ip ] [ subnet mask ]
Router rip
Version 2
No auto-summary
Default-information orginiate [ to advertise static routes ]
Network [ the IP of the intended network to be advertised ]
Distribute-list [Access-list name used above ] [ in or out ]] interface [ inside or outside]
Exit
İnterface eth0/2
Rip authentication mode md5
Rip authentication key [ your key ] key_id [id]

Configuring EIGRP routing on ASA

Router eigrp [AS number]
Network ip-addr [mask]
İnterface [interface]
Summary-address eigrp [AS number] [ip-addr] [ mask] [AD]

Redistribute routes that are learned through RIPv2, Static routes or Directly connected
routes
Redistribute [ rip | static | connected ] [metric : bandwidth | delay | reliability | load | mtu ] [
route-map map_name]

Define default metric for redistribution withh different routes

Default-metric bandwidth delay reliability loading mtu

Securing EIGRP routes

İnterface interface
Authentication mode eigrp AS number md5
Authentication key eigrp AS number key-string key_id key_id

Filtering routing updates

Access-list [Access-list name ] standard [ permi tor deny ] [ network ip ] [ subnet mask ]
Distribute-list [Access-list name used above ] [ in or out ]] interface [ inside or outside]

5
Configure OSPF on ASA
Router ospf pid
Router-id ip_addr
Network ip_addr netmask area area_id
Area area_id authentication md5
İnterface interface
Ospf message-digest-key key_id md5 key
Ospf authentication –message-digest
Prefix-list list_name [permit | deny ] network_ip ge min_bit le max_bit
Area area_id filter-list prefix list_name [in | out ]

Configuring host name and domain name to create FQDN for the ASA:
Hostname hostname
Domain-name domain_name
Note 1: configuring the above parameters is optional but it’s compulsory to create and generate CA for
SSH, HTTPS and VPN connections

Configuring DNS client on ASA

Dns domain-lookup inside
Dns server-group DefaultDNS
Name-server primary_dns_srv_ip
Name-server secondary_dns_srv_ip
Debug dns all
Note 2: the DNS client must be enabled on an interface which can reach the DNS server on your network
otherwise if you do not have separate dns server then enable it on all interfaces and assign global dns
server like google
Note 2.1: the last command in dns client configuration is used to troubleshoot dns issues

Management and secure access

Configuring Secure SSH access or management purposes
Crypto key generate rsa general-keys label 1st-key-pair modulus [size:512,768,1024,2048]
Ssh version 2

6
 Ssh ip_addr subnet_mask
Ssh disconnect
Note 3: the ip address in the second command is the network address for allowed hosts to perform ssh
sessions or could be single ip used to manage ASA through SSH
Note 3.1: the last command used to terminate a designated SSH session

Creating local users for managements access

Username admin password password encrypted privilege 15
Note 4: privileges configured with each user are in range between 0-15 with 0 dictating the lowest
privilege and 15 for the highest privilege

Configure maximum login attempts into CLI or ASDM

Aaa local authentication attempts max-fail 3

Recovering lost or forgotten passwords to get access back to asa

 Reboot the ASA
 Press “ESC” button when it prompts you to use “Break”
 It’s supposed that you are in ROMMON mode now
 Type: “confreg 0x41”
 Type: “boot”
 This will get the ASA to bypass the startup config file and gets you in use mode
 Type: “enable” to enable the privileged mode
 Press enter
 Then you’re free to configure new password
 Reset the configuration register back by typing: “config-register 0x1
Note 5: The commands above could not be configured unless the connection is made through serial
console
Note 5.1: you could disable password recovery by typing: “no service password-recovery”

Configure and Enable logging on ASA

Logging enable
Logging ftp-bufferwrap
Logging ftp-server ftp_srv_ip dest_directory ftp_username ftp_pass
Logging timestamp

7
Note 6: The second and third command used to send syslog messages and debugging messages from
internal buffer memory into an ftp server

Troubleshooting event log and logging issues

Show logging queue
Logging queue 7000
Show logging
Note 7: The allowed values for increasing the size of queue value are between [0-8192]

Configuring and enabling http server on ASA

http server enable
http ip-addr subnet-mask outside OR inside

Configuring storage disks and image booting

Dir disk0:
Boot config disk0:/img_name
Configure factory-default
Clear configure all
Clear configure [keyword]

Note 7: in the first command “disk0” might be “disk1” or “Flash”

Note 7.1: The second command instructs the ASA to boot from the specified image in the command
Note 7.3: the third command will return the ASA back to its factory settings
Note 7.4: The “keyword” in the last command could be anything the administrator wants to remove the
configuration that belong to.

Configure redundant interfaces as a failover connectivity

Interface redundant 1
Member-interface eth0/0
Member-interface eth0/1
No shutdown

8
NAT and PAT procedures
Configuring Dynamic NAT
Nat inside 1 network_ip subnet_mask
Global outside 1 pool_translated_ip netmask netmask
Timeout xlate 1:00:00
A must – read note: Dynamic Nat is a type of nat where a pool of public ip addresses are
assigned to local host every time they initiate an outbound connection to the outside world but
for hosts in DMZ the connection back from the client will not happen because of the dynamic
ip address assignment.

Note 1: The first commands specify the inside interface and every local host connected to it
which will be subjected to Dynamic NAT
Note 1.1: The second command specifies the outside interface in which the translation will take
place along with the pool of the selected ip addresses and their netmask
Note 1.2: the third command specifies the lease time for each local host before a new assignment
of public ip addresses occur

Configuring Dynamic PAT

Nat DMZ 2 dmz_network_ip subnet_mask tcp 0 0 udp 0
Nat inside 2 inside_network_ip subnet_mask tcp 0 0 udp 0
Global outside 2 interface
Global DMZ 2 global_ip_addr netmask 255.255.255.255
A must-read note: Dynamic PAT is a type of address translation where group of local hosts
either on the DMZ or the client hosts are translated to single ip address or limited pool of ip
addresses along with port used in each session initiated to the outside world

Note 2: the first command specifies the DMZ interface to be subject to PAT along with the ip
addresses that exist in this space
Note 2.1: the second command specifies the inside interface with its local hosts ip addresses to
be subject to PAT along with the ports

9
Note 2.2: the third command specifies the outside interface in which PAT occurs
Note 2.3: the fourth command specifies the global ip address that will be used for the DMZ hosts
in order to initiate connections to the internet and receive back.
Note 2.4: in the fourth command, a pool of ip addresses can be specified and so the subnet mask
must be accordingly changed.

Verifying Dynamic PAT and NAT

Show xlate
Note 3: the commands are used to show the table designated for translation entries

Configure Host-Static Nat

Static DMZ public_ip local_host_ip netmask 255.255.255.255 tcp 0 0 udp 0
A must-read note: Host-static NAT is a type of translation where single local host ip
address is subject to translation into single public ip address
Note 4: the command above used DMZ for translation of local host on the DMZ into public ip
address

Configure network – static NAT:

Static DMZ public_ip network_ip_local_hosts netmask netmask tcp 0 0 udp 0
A must-read note: in Network-static NAT, a group of local hosts either on the DMZ or client hosts
are subject to translation into one single public ip address and this type is ideal for client hosts that
do not need to receive connection back from the internet
Note 5: The command above used the network ip of the local hosts instead of single ip as used in Note 4

Configure static PAT

static DMZ tcp public_ip translated_port server_private_ip original_port netmask
255.255.255.255 tcp 0 0 udp 0
A must-read note: Static PAT is type of address translation where single or group of local ip
addresses more commonly in DMZ are translated into one single public ip address along with their
port numbers and that is the ideal type for servers receiving connection back from clients
Note 6: The command above specifies a public ip, translated port (the port used to allow clients from
outside to connect back to the server) and the original port

10
Configure No-Translation or NAT exempt
Nat inside network_ip subnet_mask 0 0 tcp 0 0 udp 0
A must-read note: NAT exempt states that no translation takes place for local hosts and this type is
used for connections in the internal space only.
Note 7: the command above specifies that a network of local hosts ip addresses will not be subject to
translation kind

Configure Identity static NAT:

Static inside local_host_ip same_local_host_ip netmask 255.255.255.255 tcp 0 0 udp 0

A must-read note: this type of NAT is the most preferred for connections between DMZ and
client’s hosts and vice versa. It uses the same ip as the translated ip address
Note 8: the commands above could be specified for inside of DMZ interface on the ASA with the host ip
address remains the same after translation

Access control lists

Examine real time connections through looking in the connection table
Show conn
Show conn detail
Clear conn address ip_addr
Note 1: The connection table displays information and details about the connections initiated by hosts in
the internal network with the outside world.
Note 1.2: Every session established from internal hosts to public hosts is stated and written in the
connection table so the incoming connection for the same session does not need to be permitted by an
ACL to serve back the internal hosts
Note 1.3: The third command is used to clear all the connections initiated by the specified ip address

Configuring real scenario access lists for small network

 Allowing internal clients or hosts to communicate and browser the internet

Access-list INSIDE line 1 extended permit tcp src_ip subnet_mask any eq http

11
 Access-list INSIDE line 2 extended permit tcp src_ip subnet_mask any eq smtp
Access-list INSIDE line 3 extended permit tcp src_ip subnet_mask any eq ftp
Access-list INSIDE line 4 extended permit tcp src_ip subnet_mask any eq sftp

 Allowing incoming connection to the web server on the DMZ

Access-list OUTSIDE line 1 extended permit tcp any host web_srv_addr eq http

 Allow incoming connections to the smtp, ftp and sftp server for “in” and “out”
direction

Access-list OUTSIDE line 2 extended permit tcp any host smtp_srv_ip eq smtp
Access-list OUTSIDE line 3 extended permit tcp any host ftp_srv_ip eq ftp
Access-list OUTSIDE line 4 extended permit tcp any host sftp_srv_ip eq sftp
Access-list DMZ line 1 extended permit tcp host smtp_srv_ip any eq smtp
Access-list DMZ line 2 extended permit tcp host ftp_srv_ip any eq ftp
Access-list DMZ line 3 extended permit tcp host tftp_srv_ip any eq tftp
Access-list DMZ line 4 extended permit tcp host http_srv_ip any eq http

 Logging denied packets by stating explicit deny access list

Access-list OUTSIDE line 3 remark explicit deny all to change log message to
106100
Access-list OUTSIDE line 4 extended deny ip any any log 4 interval 300

 Allowing packets between same security level interfaces

Same-security-traffic permit inter-interface

 Applying access lists to the related interfaces

Access-group INSIDE in interface inside
Access-group OUTSIDE in interface outside
Access-group DMZ in interface DMZ

Note 2: The last section or last two commands are specified to log the denied packets with 106100 log
message to be appeared in syslog server
Note 2.1: We could disable any access list above by appending the word “inactive” to the end of the
access list

Configuring time range access lists or attach time range to access lists

12
 Time-range temporary-FTP-access-workhours ( for employees )
Periodic weekdays 09:00 to 06:00
Time-range ftp-hosting
Absolute start 00:00:01 May 2015 end 00:00:01 May 2016
Note 3: Every access list needs a time range to be appended to it so a time range must be named
and settled to related range

Applying time ranges to existed access lists

Access-list OUTSIDE line 3 extended permit tcp any host ftp_srv_ip eq ftp

Time-range temporary-FTP-access-workhours
Access-list INSIDE line 5 extended permit tcp src_ip subnet_mask host ftp_srv eq ftp

Time-range temporary-FTP-access-workhours
Note 4: the time range for limiting access to ftp server beyond the working hours was applied to the
access lists the permit connection from outside and from the internal clients to the ftp server so that they
are only given access remotely or locally during working hours

Verifying access lists configuration

Show access-list OUTSIDE
Show access-list INSIDE
Show access-list DMZ

Configuring network- object groups and service-object groups for enterprise access list
implementation
Name 10.0.10.0 Internal-clients
Name 10.0.30.0 DMZ-servers
Name 10.0.40.0 LA-Internal-clients
Name 10.0.50.0 LA-DMZ servers
Object-group network US-Offices
Network-object 10.0.10.0 255.0.255.0

13
 Network-object 10.0.30.0 255.0.255.0
Network-object 10.0.40.0 255.0.255.0
Network-object 10.0.50.0 255.0.255.0
Object-group network internal-clients-offices
Network-object 10.0.10.0 255.0.255.0
Network-object 10.0.40.0 255.0.255.0
Object-group network DMZ-offices
Network-object 10.0.30.0 255.0.255.0
Network-object 10.0.50.0 255.0.255.0
Object-group service Allowed-services-ext-clients-DMZ
Description external services allowed for inside clients an DMZ servers
Port-object eq ftp
Port-object eq stp
Port-object eq http
Port-object eq smtp
Port-object eq pop3
Access-list INSIDE line 1 extended permit tcp object-group US-Offices any object-group
Allowed-services-ext-clients-DMZ
Access-list DMZ line 1 extended permit tcp object-group US-Offices any object-group
Allowed-services-ext-clients-DMZ
Access-list INSIDE line 2 extended permit tcp object-group internal-clients-offices object-
group DMZ-offices eq ftp
Time-range temporary-FTP-access-workhours
Access-list DMZ line 2 extended permit tcp object-group DMZ-offices object-group
internal-clients-offices eq any
Access-list OUTSIDE line 1 extended permit tcp any object-group DMZ-offices object-
group Allowed-services-ext-clients-DMZ
Note 6: the specified ACLs are to provide full connectivity to the DMZ server and internal client
server using object groups for network and services

14
Configure protection against spoofed ip packets towards the ASA
Ip verify reverse-path interface outside
Note 7: the specified command enables the unicast reverse path forwarding feature that if it’s enabled on
specific interface, it will examine every incoming connection whether exists in the connection table or not
and if not it will extract the source ip address to determine whether it’s reachable or not based on the
ASA’s routing table.
Note 7.1: Do not enable this feature on the outside interface in case a default route exists on your network
architecture to avoid the process overhead

Block packets from specific ip address using a feature called “shunning”

Shun malicious_ip_addr

Packet inspection and traffic filtering

Defining a service policy, policy map and class map
Service-policy srv1
Policy-map pmap1
Class-map cmap1
Action
Class-map cmap1
Match….
Service-policy policy-map-name interface outside
Note 1: to inspect traffic passes through the ASA, a service policy that contains policy map and
class map must be created
Note 1.1: the policy map is responsible for taking an action when a specified traffic is matched
by class map. The action the could be taken by the policy map ranges from setting connection
timeouts, connection volumes, TCP parameters, http parameters, FTP parameters, DNS
parameters, ESMTP parameters, management traffic, sending the matched traffic to
inspection engines and Intrusion prevention systems, providing priority handling and limiting
bandwidth.

15
Note 1.2: the class map matches the traffic whether all traffic, defined set of traffic, traffic
destined for specific destination, destined for specific port, matches against specific access list,
matches against VPN traffic or Qos values.

Note 1.3: in table 92 above, a list of all available commands that can be typed and specified in
class map to match against specific 3-4 OSI layer traffic. Most of these match commands will be
used on the outside interface to inspect traffic incoming to our network.

16
 Table 2 - policy map action commands

Note 1.4: table 2 lists all actions that could be taken when a specified criterion matched in the class map.
Note 1.5: the last command above binds the policy map inside a service policy and applies it to the
outside interface

Table 3 - traffic direction by policy map actions

Note 1.6: table 3 lists the directions in which the actions of policy map could be applied. For
example, setting connection’s volume and limits, adjusting tcp parameters and sending the
traffic to an inspection engine and IPS could be applied and implemented on an interface in
both direction for traffic destined to the internet and for inbound traffic.

17
Note1.7: applying Quality of service, limiting bandwidth and shaping the traffic could be only on
an egress direction meaning that for outbound traffic only.

Essential and Important: the service policy which contains policy map and class map could be
applied for 3-4 OSI traffic or 5-7 OSI traffic while the former is used to examine, analyze and
inspect TCP and UDP traffic for connection parameters, connection volumes, connection
timeouts , protocol inspection , traffic analyzation using IPS module and for Qos of service
purposes and the latter which is 5-7 OSI traffic is used to examine and inspect application
layer traffic destined for DMZ servers.

Configuring TCP connection parameters to prevent TCP SYN attack

By using policy map with class map to set connection timeouts for embryonic connections and
limiting the number of simultaneous connections by setting connection volume.

Table 4 tcp connection timeouts

Table 4 lists parameters for use in the “set connection timeouts” command when defining an action to be
taken by the policy map.

set connection timeout [embryonic {hh:mm:ss | 0}] [half-closed {hh:mm:ss | 0}] [tcp
{hh:mm:ss | 0} [dcd [retry_interval [max_retries]]

18
 Table 5 tcp connection volume

Table 5 lists the parameters to be used in “set connection “command to control tcp connection volume.
set connection [conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n]

To prevent TCP SYN attack the ASA must set a maximum number of simultaneous embryonic
connections which are half open or half closed. If the maximum number is reached the ASA triggers the
TCP Intercept feature and begins to act as proxy and send TCP handshake on target host behalf to
determine if the source address which communicates with the target host is legitimate or not so it drops
the connection is not.
Assuming that internal clients are under object-group (see previous sheet about object-groups) “Internal-
clients” and DMZ servers are under object-group “DMZ-Servers”. Let’s apply a connection limit for
embryonic connections initiated by these object groups.
Access-list INSIDE line 1 extended permit tcp Internal-clients any eq any
Access-list INSIDE line 2 extended permit udp Internal-clients any eq any
Service-policy SYN-Attack-protect
Class-map cmap1
Match access-list INSIDE
Policy-map pmap1
Class-map cmap1
Set connection embryonic-conn-max 65000
Access-list DMZ line 1 extended permit tcp any DMZ-Servers eq http
Access-list DMZ line 2 extended permit tcp DMZ-Servers any eq http
Service-policy SYN-Attack-protect

19
 Class-map cmap2
Match access-list DMZ
Policy-map pmap2
Class-map cmap2
Set connection embryonic-conn-max 65000

Configuring and enabling the protection from TCP sequence number brute force
set connection random-sequence-number {enable | disable}

Configuring TCP connection options using TCP normalizer

TCP normalizer used to manipulate the tcp connection content like tcp checksum, tcp flags, tcp
options. TCP normalizer used change or alter the content of tcp packet content to render it
compatible with some protocol or connection requirements. In addition, it can be leveraged to
protect DMZ hosts against packets that are crafted to evade stateful inspection like information
gathering packets or reconnaissance packets.

Table 6 -TCP normalizer actions

20
 Table 6 tcp normalizer actions

Table 7 tcp options table

Tcp-map TCP-Protect
invalid-ack drop
synack-data drop
ttl-evasion-protection
seq-past-window drop
exit

class-map cmap1
match access-list Internal-clients
exit
class-map cmap2
match access-list DMZ-Servers
exit

21
policy-map pmap3
class cmap1
set connection advanced-options TCP-Protect
exit
class cmap2
match access-list DMZ-Servers
set connection advanced-options TCP-Protect
exit
service-policy pmap3 interface outside

Note 4: The commands above matches against traffic inbound to internal clients and internal DMZ
servers and check for certain TCP parameters to protect internal hosts from TCP SYN attack,
reconnaissance packets and SYN flood attack by limiting the number or embryonic connections, dropping
invalid handshake packets or that contains invalid payload, dropping packets with invalid sequence
number and dropping values above maximum segment size in TCP window packet

Configuring ICMP Inspection

Policy-map global_policy
Class inspection_default
Inspect icmp
Inspect icmp error
Exit

Note 5: the ICMP inspection feature is enabled when an access list that permits incoming ping request is
enabled. ICMP inspection used to allow only one response per ICMP request and inspect ICMP packet
for invalid sequence number.

Configuring Inspection for 5-7 OSI layer traffic

 Inspecting HTTP

Http inspection policy is implemented to examine and analyze traffic destined to protected servers or
clients. It’s main core to minimize http content to the minimal set of requirements and to look deeply in
the application signature for known bad cues mainly using regular expressions.

A class map that matches specific conditions in the http traffic should be defined along with a policy map
used to apply the appropriate action.

22
 Table 7 - http match commands

Let’s say we want to configure a http policy map to allow only GET and POLL request to be passed
to the protected server.
class-map type inspect http match-all MY_HTTP_CLASS
match [not] request method get

23
match [not] request method poll
policy-map type inspect http http_map_name
parameters
protocol-violation drop-connection log
class MY_HTTP_CLASS
drop-connection log
exit
Now to match against regular expression we should use the following table

24
 Table 8 regular expression match commands

For example, let’s suppose we want to filter incoming http traffic and take away any embedded link
within the http content
regex Embedded-link https?://
policy-map type inspect http HTTP_MAP_1
match request args regex Embedded-link
drop-connection
exit
in case of a multiple regular expressions we could use class map with match-any to apply OR
operation on the match commands or use match-all to apply AND operation on the match
commands
regex Embedded-link-1 https?://
regex Embedded-link-2 http?://
class-map type regex match-any embedded-link
match regex Embedded-link-1
match regex Embedded-link-2
now applying the http inspection map using the following command

25
inspect http http-map-name
the activation command must be applied inside a policy map

 Inspecting FTP

Inspecting FTP traffic includes masking FTP banner, masking reply message, prevent uploading “exe”
files to the server unless it’s stated in the security policy and restricting request methods to GET and PUT

Table 9 -ftp traffic matching commands

policy-map type inspect ftp FTP_MAP_1

parameters
mask-banner
mask-syst-reply
exit
regex FTP_BADNAMES \.exe
policy-map type inspect ftp FTP_MAP_1
match not request-command get put help
reset
match filename regex FTP_BADNAMES
inspect ftp FTP_MAP_1

26
The commands above create a policy map to inspect FTP. Banner information and system reply
information are masked to prevent malicious users from conducting vulnerability assessment using the
FTP server information. Also, the commands filters request to the server to only accept GET and PULL
request as well as prevent EXE file names to be uploaded.

 Inspecting DNS traffic

DNS inspection includes applying NAT rules to the DNS packets, randomizing DNS ID values so to
protect from DNS Spoofing attacks, DNS protocol verification, Guarding DNS connection by closing
DNS UDP connection after successful receipt of reply packet

Table 10 dns inspection commands match

policy-map type inspect dns DNS_MAP_1

parameters
protocol-enforcement
dns-guard
id-randomization
nat-rewrite

27
exit
The ASA has a default dns inspection policy map called “preset_dns_map” which limits the size of dns
packets to 512 bytes

Quality of service, Bandwidth control, Transparent firewall mode and

Integrating SSM-IPS

Configuring mtu size for more control of fragmented traffic

Suppose we will configure the mtu size on the outside interface to control the incoming packets
to our network so to reduce the percentage of packets fragmentation to enable more inspection
on the traffic by our ASA so we need to increase the size of mtu to maximum size
Mtu outside 65535
Knowing that the least value of mtu is 64 Byte. To verify the mtu size on an interface, we use the
command
Show fragment outside
Configuring QOS and prioritizing packets
Every packet arrives to the ASA or comes to the ASA is stored first in the Best-effort queue
which is used to store packets in a buffer and then retransmitting them respectively. Suppose we
have critical packets such as audio streaming or video, we need to create a Low-latency queue
which is a buffer stores packets so to transmit them ahead of other packets in BEQ. We need to
enable LLQ on an interface and specify a policy map and class map to match the traffic.
Priority-queue outside
Class-map Qos
Match rtp 5060-65
Policy-map RTP
Class-map Qos
Priority
Exit
Service-policy RTP interface outside

28
Configuring traffic policing and traffic shaping
Controlling bandwidth limits is essential when it comes to Qos and prioritizing packets over other ones.
Controlling packets is performed either by dropping the packet which surpasses the bandwidth threshold
or by re-shaping it so it conforms to the bandwidth limits.

Traffic policing
Suppose we want to configure a policy map to match all traffic and drop every packet that consumes more
than 2Mbps. To achieve so we need a policy map with a class map to match all traffic therefore we need
the following commands
Class-map Policing
Match any
Exit
Policy-map mine
Class-map policing
Police output 200000000 conform-action transmit exceed-action drop
Exit
Exit
Service-policy mine interface outside

Traffic shaping
Traffic shaping is the act of placing the packets inside a buffer and then pulling out the traffic with a
bandwidth limits beneath the threshold. This type of bandwidth control is applicable and permissible only
to all traffic or bulk.
Policy-map outside-policy
Class class-default
Shape average 200000000
Exit
Exit
Service-policy outside-policy interface outside

Using Transparent firewall mode

29
Deploying transparent mode has some challenges and restrictions so this mode should not be applied until
you specify your network requirements and recognize the limitations imposed by this mode

 IPsec protocol and VPN tunnels

 Dynamic routing protocols
 Broadcast and multicast packets
 DHCP relay
 QOS and bandwidth control
Before implementing transparent mode be sure to back up the current configuration in case you want to
revert back to routed mode.
Use the following command to switch to transparent mode
Firewall transparent
Configuring interfaces one as outside and the another as inside with the same ip address for both.
Interface eth0/0
Namif outside
Security-level 0
No shutdown
Exit
Interface eth0/1
Nameif inside
Security-level 100
No shutdown
Exit
Ip address 192.168.1.100 255.255.255.0
Because this mode does not support dynamic routing, a static route or default route must be configured
Route [inside interface or outside] network-ip subnet-mask next-hop ip

Permitting ospf or eigrp packets through transparent mode

Access-list permit-ospf extended permit ospf [source] [dest]
Access-group permit-ospf [ in | out ] interface [ outside | inside ]

Protection from ARP Spoofing attack and ARP flooding attack

The protection from ARP spoofing attack includes the creation of static ARP entries in the firewall MAC
address table stating the ip address and the associated mac address so that the firewall can compare and

30
match the incoming packet with the information in the ARP table so to drop the packet or allow it to pass
based on the match conditions.
Arp interface ip_address mac_address
Arp-inspection interface enable
Show arp-inspection
Now coming to prevent MAC address denial of service by disabling mac address learning feature in
transparent mode and here the administrator must create MAC address table just like above and maintain
it regularly.
Mac-learn interface disable
Mac-address-table static interface mac_address

Integrating Security service module, Intrusion prevention system and content security
control
After inserting the card module in the specified slot, create a vlan and upload the IPS software to the
modules through the commands
Interface vlan 10
Allow-ssc-mgmt
Ip address ip_address subnet_mask
Nameif inside
Interface eth0/10
Switchport mode access vlan 10
No shutdown
Hw-module 1 recover configure
Hw-module 1 recover boot
Hw-module 1 password-rest : resets to “cisco”
Hw-module 1 reload
Hw-module 1 reset
Hw-module 1 shutdown : used to shutdown the module
Now coming to initialization knowing that the IPS could work in an inline mode [ drop the packets as it
violates or determined a malicious] or in a promiscuous mode [ allow the packet to pass to the intended
destination while sending the packet for analysis].
Session 1

31
 Setup
Policy-map IPS
Class class-default
Ips inline fail-open
Service-policy IPS interface outside

Conclusion
Virtual firewalls and many other aspects and configurations related to Cisco ASA were not mentioned
here because it’s easier to manage it using ASDM and this guide documented the most common tasks
related to command line in Cisco ASA firewall.

References
Cisco CCNP Security Firewall Certification Guide
CCNP Certification Guide

32
33
 34

View publication stats