Cisco ASA Firewall Commands - Cheat Sheet
[Enter "Privileged Mode". This requires entering the "enable" password]
[Show the configuration which is stored on the device. This is the one which will
be loaded if you reboot the firewall]
ciscoasa#config term
ciscoasa(config)# boot system flash:/asa911-k8.bin
[At next reboot, the firewall will use the software image "asa911-k8.bin" from
flash]
[You must create a strong "enable" password, which gives access to the configuration
mode of the device]
[Create a local user account and assign privilege level 15 which means
administrator access]
[The device will authenticate SSH user access from the LOCAL user database]
[Allow SSH access only from host 192.168.1.10 on the "inside" interface]
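The management-access commands described above, assembled into one session as an added example (this is not code from the cheat sheet). The hostname, the `admin` user name, the domain name and the management host 192.168.1.10 are assumptions; secrets are shown as angle-bracket placeholders. The `hostname`, `domain-name` and `crypto key generate rsa` lines are included because the ASA will not accept SSH sessions until a hostname, a domain name and an RSA key pair exist.

```cisco
! Added example, not from the cheat sheet. Placeholders in <angle brackets>.
ciscoasa> enable
Password: <ENABLE-PASSWORD>
! Configuration that will be loaded at the next reboot vs. the live configuration
ciscoasa# show startup-config
ciscoasa# show running-config
ciscoasa# configure terminal
! Strong secret guarding privileged (configuration) mode
ciscoasa(config)# enable password <STRONG-ENABLE-PASSWORD>
! Local administrator account; privilege 15 = full administrative access
ciscoasa(config)# username admin password <STRONG-USER-PASSWORD> privilege 15
! SSH logins are checked against the LOCAL user database
ciscoasa(config)# aaa authentication ssh console LOCAL
! Prerequisites for SSH: hostname, domain name (assumed) and an RSA key pair
ciscoasa(config)# hostname ciscoasa
ciscoasa(config)# domain-name example.local
ciscoasa(config)# crypto key generate rsa modulus 2048
ciscoasa(config)# ssh version 2
! Permit SSH only from the single management host on the inside interface
ciscoasa(config)# ssh 192.168.1.10 255.255.255.255 inside
! Persist the running configuration into the startup configuration
ciscoasa(config)# write memory
```

Restricting `ssh` to a single host and netmask 255.255.255.255 is the check that matters here: any host not matched by an `ssh` line is refused at the TCP level, so keep the list to the management stations only, and confirm it with `show running-config ssh` after saving.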
The absolutely necessary Interface Sub-commands that you need to configure in order
for the interface to pass traffic are the following:
[Configure PAT for internal LAN (192.168.1.0/24) to access the Internet using the
outside interface]
[Configure PAT for all ("any") networks to access the Internet using the outside
interface]
ciscoasa(config)# object network web_server_static
ciscoasa(config-network-object)# host 192.168.1.1
ciscoasa(config-network-object)# nat (DMZ,outside) static 100.1.1.1
[Configure static NAT. The private IP 192.168.1.1 in DMZ will be mapped statically
to public IP 100.1.1.1 in outside zone]
[Configure static Port NAT. The private IP 192.168.1.1 in DMZ will be mapped
statically to public IP 100.1.1.1 in outside zone only for port 80]
[Create an ACL to allow TCP access from "any" source IP to host 192.168.1.1 port
80]
[Apply the ACL above at the "outside" interface for traffic coming "in" the
interface]
[Create an ACL to deny all traffic from host 192.168.1.1 to any destination and
allow everything else. This ACL is then applied at the "inside" interface for
traffic coming "in" the interface]
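The two ACLs described above, as an added example that is not from the cheat sheet. The name `OUTSIDE-IN` is the one the cheat sheet later uses in its `show access-list` entry; `INSIDE-IN` is an assumption. Entries are evaluated top to bottom and every ACL ends with an implicit deny, so the order of the deny and permit lines matters.

```cisco
! Added example, not from the cheat sheet. ACL name INSIDE-IN is assumed.
! Inbound on outside: only TCP/80 to the web server (real IP, since ASA 8.3+)
ciscoasa(config)# access-list OUTSIDE-IN remark Published web server only
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp any host 192.168.1.1 eq 80
ciscoasa(config)# access-group OUTSIDE-IN in interface outside
! Inbound on inside: block one host entirely, keep the default behaviour for the rest.
! The deny must come first; the implicit deny at the end would otherwise drop all inside
! traffic once an ACL is bound, which is why the explicit "permit ip any any" is needed.
ciscoasa(config)# access-list INSIDE-IN extended deny ip host 192.168.1.1 any
ciscoasa(config)# access-list INSIDE-IN extended permit ip any any
ciscoasa(config)# access-group INSIDE-IN in interface inside
! Verify binding and per-entry hit counts
ciscoasa# show running-config access-group
ciscoasa# show access-list OUTSIDE-IN
```

Only one ACL can be bound per interface and direction, so a second `access-group ... in interface inside` replaces the first rather than adding to it.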
Object Groups
ciscoasa(config)# object-group network WEB_SRV
ciscoasa(config-network)# network-object host 192.168.1.1
ciscoasa(config-network)# network-object host 192.168.1.2
[Create a network group having two hosts (192.168.1.1 and 192.168.1.2). This group
can be used in other configuration commands such as ACLs]
[Create a network group having two subnets (10.1.1.0/24 and 10.2.2.0/24). This
group can be used in other configuration commands such as ACLs]
ciscoasa(config)# object-group service DMZ_SERVICES tcp
ciscoasa(config-service)# port-object eq http
ciscoasa(config-service)# port-object eq https
ciscoasa(config-service)# port-object range 21 23
[Create a service group having several ports. This group can be used in other
configuration commands such as ACLs]
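The subnet group described above, together with an ACL that uses all three groups (`WEB_SRV` and `DMZ_SERVICES` from the cheat sheet, `INTERNAL_NETS` assumed), as an added example that is not from the cheat sheet. The ACL name `INTERNAL-TO-DMZ` is also an assumption.

```cisco
! Added example, not from the cheat sheet. INTERNAL_NETS and INTERNAL-TO-DMZ are assumed names.
ciscoasa(config)# object-group network INTERNAL_NETS
ciscoasa(config-network-object-group)# network-object 10.1.1.0 255.255.255.0
ciscoasa(config-network-object-group)# network-object 10.2.2.0 255.255.255.0
ciscoasa(config-network-object-group)# exit
! One ACE referencing source group, destination group and TCP service group
ciscoasa(config)# access-list INTERNAL-TO-DMZ extended permit tcp object-group INTERNAL_NETS object-group WEB_SRV object-group DMZ_SERVICES
ciscoasa(config)# access-list INTERNAL-TO-DMZ extended deny ip any any
! The single ACE above expands to 2 sources x 2 hosts x 4 port entries; show access-list
! prints every expanded line with its own hit count, which is what to read when debugging
ciscoasa# show access-list INTERNAL-TO-DMZ
ciscoasa# show running-config object-group
```

Groups keep the policy readable and auditable: adding a host to `WEB_SRV` changes one line instead of every ACE that mentions the server, and `show access-list` still shows the expanded, per-address entries the firewall actually evaluates.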
[In the example above we have a physical interface (GE0/1) which is split into two
subinterfaces (GE0/1.1 and GE0/1.2) belonging to two different VLANs with different
IPs and security levels]
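The subinterface layout described above, as an added example that is not from the cheat sheet. VLAN IDs 10 and 20, the DMZ subnet 172.16.1.0/24 and the addresses are assumptions; the parent interface GE0/1 carries no name or address of its own and only needs to be up.

```cisco
! Added example, not from the cheat sheet. VLAN IDs and addresses are assumed.
! Parent (trunk) interface: no nameif, no IP, just enabled
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
! Subinterface 1: VLAN 10, trusted inside network
ciscoasa(config)# interface GigabitEthernet0/1.1
ciscoasa(config-subif)# vlan 10
ciscoasa(config-subif)# nameif inside
ciscoasa(config-subif)# security-level 100
ciscoasa(config-subif)# ip address 192.168.1.254 255.255.255.0
ciscoasa(config-subif)# exit
! Subinterface 2: VLAN 20, DMZ at an intermediate security level
ciscoasa(config)# interface GigabitEthernet0/1.2
ciscoasa(config-subif)# vlan 20
ciscoasa(config-subif)# nameif DMZ
ciscoasa(config-subif)# security-level 50
ciscoasa(config-subif)# ip address 172.16.1.254 255.255.255.0
ciscoasa(config-subif)# exit
! Verify: both subinterfaces up with their VLAN tags
ciscoasa# show interface ip brief
ciscoasa# show interface GigabitEthernet0/1.2
```

The security levels encode the intended trust: inside (100) may initiate to DMZ (50) and outside (0), DMZ may initiate only to outside, and anything inbound to a higher level needs an explicit ACL. The switch port facing GE0/1 must be an 802.1Q trunk carrying VLANs 10 and 20.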
Clock Settings
ciscoasa# clock set 18:30:00 Aug 10 2016
ciscoasa(config)# clock summer-time MST recurring 1 Sunday April 2:00 last Sunday
October 2:00
[Enable logging]
[Tell the device which IP addresses are allowed to connect with HTTP (ASDM)]
[Create a DHCP address pool to assign to clients. This address pool must be on the
same subnet as the ASA interface]
[Permits communication between different interfaces that have the same security
level]
[Shows hit-counts on the ACL named "OUTSIDE-IN". It shows how many hits each entry
has on the ACL]
Sample output:
[The show conn command displays the number of active TCP and UDP connections, and
provides information about connections of various types.]
[Shows HTTP GET, H323, and SIP connections that are in the "up" state]
[Show details about IPsec VPNs such as packets encrypted/decrypted, tunnel peers, etc.]
[Show whether an IPsec VPN tunnel is up or not. MM_ACTIVE means the tunnel is
up]
[Displays operating information about hardware system components such as CPU, fans,
power supply, temperature etc]
[Displays the network states of local hosts. A local-host is created for any host
that forwards traffic to, or through, the ASA.]
[Displays the software version, hardware configuration, license key, and related
uptime data]
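The monitoring commands described in the entries above, collected into one troubleshooting pass as an added example that is not from the cheat sheet. The host 192.168.1.1 used with `show local-host` is taken from the cheat sheet's own examples; the order is an assumption about how one would work through a "traffic is not flowing" report.

```cisco
! Added example, not from the cheat sheet.
! 1) Is the policy matching? Per-entry hit counts on the outside ACL
ciscoasa# show access-list OUTSIDE-IN
! 2) Are connections being built? Table, totals, and only those in the "up" state
ciscoasa# show conn
ciscoasa# show conn count
ciscoasa# show conn state up
! 3) Per-host view: connection and embryonic counts for one local host
ciscoasa# show local-host 192.168.1.1
! 4) VPN: phase 1 state (MM_ACTIVE = tunnel up) and phase 2 packet counters
ciscoasa# show crypto isakmp sa
ciscoasa# show crypto ipsec sa
! 5) Platform health: CPU, fans, power, temperature, and software/license/uptime
ciscoasa# show environment
ciscoasa# show cpu usage
ciscoasa# show version
```

Reading the counters over two runs a minute apart is more telling than a single snapshot: an ACE whose hit count never moves while clients report failures usually means the traffic is being dropped by NAT or by an earlier entry, and `show crypto ipsec sa` counters that increase only on the encrypt side point at the far end of the tunnel.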