Scribd Logo
Upload

Welcome to Scribd!

  • 3K views

    Cisco ASA Firewall Commands - Cheat Sheet

    Uploaded by

    Asif
    The document provides a summary of the most important Cisco ASA firewall commands organized into the following categories: configuration and management, software management, user and password management, interface configuration, network address translation, access control lists, object groups, subinterfaces and VLANs, logging, and verification/troubleshooting commands. The summary highlights commands for enabling privileged mode, entering global configuration mode, viewing and saving configurations, interface configuration, network address translation rules, access control lists, object groups, and useful show commands.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd

    Cisco ASA Firewall Commands - Cheat Sheet

    Uploaded by

    Asif
    3K views8 pages
    The document provides a summary of the most important Cisco ASA firewall commands organized into the following categories: configuration and management, software management, user and password management, interface configuration, network address translation, access control lists, object groups, subinterfaces and VLANs, logging, and verification/troubleshooting commands. The summary highlights commands for enabling privileged mode, entering global configuration mode, viewing and saving configurations, interface configuration, network address translation rules, access control lists, object groups, and useful show commands.

    Original Description:

    Original Title

    Cisco ASA Firewall Commands – Cheat Sheet

    Copyright

    © © All Rights Reserved

    Available Formats

    TXT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document provides a summary of the most important Cisco ASA firewall commands organized into the following categories: configuration and management, software management, user and password management, interface configuration, network address translation, access control lists, object groups, subinterfaces and VLANs, logging, and verification/troubleshooting commands. The summary highlights commands for enabling privileged mode, entering global configuration mode, viewing and saving configurations, interface configuration, network address translation rules, access control lists, object groups, and useful show commands.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Download as txt, pdf, or txt
    3K views8 pages

    Cisco ASA Firewall Commands - Cheat Sheet

    Uploaded by

    Asif
    The document provides a summary of the most important Cisco ASA firewall commands organized into the following categories: configuration and management, software management, user and password management, interface configuration, network address translation, access control lists, object groups, subinterfaces and VLANs, logging, and verification/troubleshooting commands. The summary highlights commands for enabling privileged mode, entering global configuration mode, viewing and saving configurations, interface configuration, network address translation rules, access control lists, object groups, and useful show commands.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Download as txt, pdf, or txt
    of 8
    At a glance
    Powered by AI
    The document provides an overview of many important commands for configuring and managing a Cisco ASA firewall, including commands for interfaces, NAT, routing, access control, logging and monitoring.

    Important interface configuration commands include nameif, ip address, security-level, and no shutdown. The nameif command assigns an interface name, ip address configures the IP, security-level sets the security level, and no shutdown enables the interface.

    NAT commands include object network for defining network objects, nat for configuring dynamic NAT/PAT, and static nat for configuring static NAT mappings. The document provides examples of configuring dynamic PAT and static NAT.

    Cisco ASA Firewall Commands � Cheat Sheet

    Most Important Cisco ASA Firewall Commands


    Start Configuring the firewall
    ciscoasa> enable
    Password:

    [Enter into �Privileged Mode�. This will require to enter the �enable� password]

    ciscoasa# configure terminal


    ciscoasa(config)#

    [Enter into �Global Configuration Mode� to start configuring the device]

    Viewing and Saving the configuration


    ciscoasa# show running-config

    [Show the currently running configuration]

    ciscoasa# show startup-config

    [Show the configuration which is stored on the device. This is the one which will
    be loaded if you reboot the firewall]

    ciscoasa# copy run start


    or
    ciscoasa# write memory

    [Save the running configuration so it won�t be lost if you reboot]

    Image Software Management


    ciscoasa# copy tftp flash

    [Copy image file from TFTP to Flash of ASA]

    ciscoasa#config term
    ciscoasa(config)# boot system flash:/asa911-k8.bin

    [At next reboot, the firewall will use the software image �asa911-k8.bin� from
    flash]

    Passwords and Users


    ciscoasa(config)# enable password Gh4w7$-s39fg#(!

    [You must create a strong �enable� password which gives access to the configuration
    mode of the device]

    ciscoasa(config)#username ciscoadmin password adminpassword privilege 15

    [Create a local user account and assign privilege level 15 which means
    administrator access]

    Change Device Hostname


    ciscoasa(config)# hostname DATA-CENTER-FW
    DATA-CENTER-FW(config)#

    Configure Secure Management Access to the Firewall


    ciscoasa(config)# crypto key generate rsa modulus 2048
    [Create SSH keys]

    ciscoasa(config)#aaa authentication ssh console LOCAL

    [The device will authenticate SSH user access from the LOCAL user database]

    ciscoasa(config)#username admin password adminpassword privilege 15

    [Create local administrator user]

    ciscoasa(config)#ssh 192.168.1.10 255.255.255.255 inside

    [Allow SSH access only from host 192.168.1.10 from the �inside� interface]

    Interface Configuration and Security Levels


    ciscoasa(config)# interface GigabitEthernet0/1
    ciscoasa(config-if)# nameif DMZ
    ciscoasa(config-if)# ip address 192.168.1.2 255.255.255.0
    ciscoasa(config-if)# security-level 50
    ciscoasa(config-if)# no shutdown

    The absolutely necessary Interface Sub-commands that you need to configure in order
    for the interface to pass traffic are the following:

    nameif �interface name�: Assigns a name to an interface


    ip address �ip_address� �subnet_mask� : Assigns an IP address to the interface
    security-level �number 0 to 100� : Assigns a security level to the interface
    no shutdown : By default all interfaces are shut down, so enable them.
    Static and Default Routes
    ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 100.1.1.1

    MORE READING: IP Phones behind a Cisco ASA 5505 Firewall


    [Configure a default route via the �outside� interface with gateway IP of 100.1.1.1
    ]

    ciscoasa(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1

    [Configure a static route via the �inside� interface. To reach network


    192.168.2.0/24 go via gateway IP 192.168.1.1 ]

    Network Address Translation (NAT)


    ciscoasa(config)# object network internal_lan
    ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
    ciscoasa(config-network-object)# nat (inside,outside) dynamic interface

    [Configure PAT for internal LAN (192.168.1.0/24) to access the Internet using the
    outside interface]

    ciscoasa(config)# object network obj_any


    ciscoasa(config-network-object)# subnet 0.0.0.0 0.0.0.0
    ciscoasa(config-network-object)# nat (any,outside) dynamic interface

    [Configure PAT for all (�any�) networks to access the Internet using the outside
    interface]
    ciscoasa(config)# object network web_server_static
    ciscoasa(config-network-object)# host 192.168.1.1
    ciscoasa(config-network-object)# nat (DMZ , outside) static 100.1.1.1

    [Configure static NAT. The private IP 192.168.1.1 in DMZ will be mapped statically
    to public IP 100.1.1.1 in outside zone]

    ciscoasa(config)# object network web_server_static


    ciscoasa(config-network-object)# host 192.168.1.1
    ciscoasa(config-network-object)# nat (DMZ , outside) static 100.1.1.1 service tcp
    80 80

    [Configure static Port NAT. The private IP 192.168.1.1 in DMZ will be mapped
    statically to public IP 100.1.1.1 in outside zone only for port 80]

    Access Control Lists (ACL)


    ciscoasa(config)# access-list OUTSIDE_IN extended permit tcp any host 192.168.1.1
    eq 80

    [Create an ACL to allow TCP access from �any� source IP to host 192.168.1.1 port
    80]

    ciscoasa(config)# access-group OUTSIDE_IN in interface outside

    [Apply the ACL above at the �outside� interface for traffic coming �in� the
    interface]

    ciscoasa(config)# access-list INSIDE_IN extended deny ip host 192.168.1.1 any


    ciscoasa(config)# access-list INSIDE_IN extended permit ip any any
    ciscoasa(config)# access-group INSIDE_IN in interface inside

    [Create an ACL to deny all traffic from host 192.168.1.1 to any destination and
    allow everything else. This ACL is then applied at the �inside� interface for
    traffic coming �in� the interface]

    Object Groups
    ciscoasa(config)# object-group network WEB_SRV
    ciscoasa(config-network)# network-object host 192.168.1.1
    ciscoasa(config-network)# network-object host 192.168.1.2

    [Create a network group having two hosts (192.168.1.1 and 192.168.1.2). This group
    can be used in other configuration commands such as ACLs]

    ciscoasa(config)# object-group network DMZ_SUBNETS


    ciscoasa(config-network)# network-object 10.1.1.0 255.255.255.0
    ciscoasa(config-network)# network-object 10.2.2.0 255.255.255.0

    [Create a network group having two subnets (10.1.1.0/24 and 10.2.2.0/24). This
    group can be used in other configuration commands such as ACLs]
    ciscoasa(config)# object-group service DMZ_SERVICES tcp
    ciscoasa(config-service)# port-object eq http
    ciscoasa(config-service)# port-object eq https
    ciscoasa(config-service)# port-object range 21 23

    [Create a service group having several ports. This group can be used in other
    configuration commands such as ACLs]

    ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp any object-group


    DMZ_SUBNETS object-group DMZ_SERVICES

    [Example of using object groups in ACLs]

    Subinterfaces and VLANs


    ciscoasa(config)# interface gigabitethernet 0/1
    ciscoasa(config-if)# no nameif
    ciscoasa(config-if)# no security-level
    ciscoasa(config-if)# no ip address
    ciscoasa(config-if)# exit

    ciscoasa(config)# interface gigabitethernet 0/1.1


    ciscoasa(config-subif)# vlan 10
    ciscoasa(config-subif)# nameif inside1
    ciscoasa(config-subif)# security-level 80
    ciscoasa(config-subif)# ip address 192.168.1.1 255.255.255.0

    ciscoasa(config)# interface gigabitethernet 0/1.2


    ciscoasa(config-subif)# vlan 20
    ciscoasa(config-subif)# nameif inside2
    ciscoasa(config-subif)# security-level 90
    ciscoasa(config-subif)# ip address 192.168.2.1 255.255.255.0

    [In example above we have a physical interface (GE0/1) which is split into two
    subinterfaces (GE0/1.1 and GE0/1.2) belonging to two different VLANs with different
    IPs and security levels]

    Clock Settings
    ciscoasa# clock set 18:30:00 Aug 10 2016

    [Set the time and date]

    ciscoasa(config)# clock timezone MST -7

    [Set the timezone to MST with -7 hours offset from UTC]

    MORE READING: How can we allow whole traffic in ASA from inside to outside
    ciscoasa(config)# clock summer-time MST recurring 1 Sunday April 2:00 last Sunday
    October 2:00

    [Set daylight saving time]


    Logging Commands
    ASA(config)# logging enable

    [Enable logging]

    ASA(config)# logging timestamp

    [Attach timestamp to log messages]

    ASA(config)# logging buffer-size 64000

    [Set log buffer to 64kB]

    ASA(config)# logging buffered warnings

    [Send warning log messages to buffer log]

    ASA(config)# logging asdm errors

    [Send error log messages to ASDM management]

    ASA(config)# logging host inside 192.168.1.30

    ASA(config)# logging trap errors

    [Send error log messages to syslog server 192.168.1.30 ]

    Enable Management Access with ASDM


    ASA(config)# asdm image disk0:/asdm-647.bin

    [Location of ASDM image on the ASA]

    ASA(config)# http server enable

    [Enable the http server on the device ]

    ASA(config)# http 10.10.10.0 255.255.255.0 inside

    [Tell the device which IP addresses are allowed to connect with HTTP (ASDM)]

    ASA(config)#username admin password adminpass

    [Configure user/pass to login with ASDM]


    DHCP (Assign IP addresses to computers from the ASA device)
    ciscoasa(config)# dhcpd address 192.168.1.101-192.168.1.110 inside

    [Create a DHCP address pool to assign to clients. This address pool must be on the
    same subnet as the ASA interface]

    ciscoasa(config)# dhcpd dns 209.165.201.2 209.165.202.129

    [The DNS servers to assign to clients via DHCP]

    ciscoasa(config)# dhcpd enable inside

    [Enable the DHCP server on the inside interface]

    Permit Traffic Between Same Security Levels


    ciscoasa(config)# same-security-traffic permit inter-interface

    [Permits communication between different interfaces that have the same security
    level.]

    ciscoasa(config)# same-security-traffic permit intra-interface

    [Permits traffic to enter and exit the same interface.]

    Useful Verification and Troubleshooting Commands


    ciscoasa# show access-list OUTSIDE-IN

    [Shows hit-counts on ACL with name �OUTSIDE-IN�. It shows how many hits each entry
    has on the ACL]

    Sample output:

    access-list OUTSIDE-IN line 1 extended permit tcp 100.100.100.0 255.255.255.0


    10.10.10.0 255.255.255.0 eq telnet (hitcnt=15) 0xca10ca21

    ciscoasa# show clock

    [Verify that time and date are correct on the appliance]

    ciscoasa# show conn

    [The show conn command displays the number of active TCP and UDP connections, and
    provides information about connections of various types.]

    ciscoasa# show conn all


    [Shows all the connections through the appliance]

    ciscoasa# show conn state up,http_get,h323,sip

    [Shows HTTP GET, H323, and SIP connections that are in the �up� state]

    ciscoasa# show conn count

    54 in use, 123 most used

    [Shows overall connection counts]

    ciscoasa# show cpu usage

    [show CPU utilization]

    ciscoasa# show crypto ipsec sa

    [show details about IPSEC VPNs like packets encrypted/decrypted, tunnel peers etc]

    ciscoasa# show crypto isakmp sa

    [show details if an IPSEC VPN tunnel is up or not. MM_ACTIVE means the tunnel is
    up]

    ciscoasa# show disk

    [List the contents of the internal flash disk of the ASA]

    ciscoasa# show environment

    [Displays operating information about hardware system components such as CPU, fans,
    power supply, temperature etc]

    ciscoasa# show failover

    [Displays information about Active/Standby failover status]

    ciscoasa# show interface

    [Shows information about Interfaces, such as line status, packets received/sent, IP


    address etc]

    ciscoasa# show local-host

    [Displays the network states of local hosts. A local-host is created for any host
    that forwards traffic to, or through, the ASA.]

    ciscoasa# show memory

    [Displays maximum physical memory and current free memory]

    ciscoasa# show route

    [Displays the routing table]

    ciscoasa# show version

    [Displays the software version, hardware configuration, license key, and related
    uptime data]

    ciscoasa# show xlate

    [Displays information about NAT sessions]

    You might also like