Cisco ASA Basic Configuration Guide



Table of Contents



1.1.       WCCP configuration on Cisco ASA
1.2.       ASA upgrade notes to 8.3
1.3.       Cisco ASA traffic shaping and QoS
1.4.       Cisco ASA policy Based routing alternative
1.5.       Cisco ASA Etherchanneling
1.6.       Redundant interfaces
1.7.       LDAP authentication for VPN clients on Cisco ASA
1.8.       Configuring Netflow on cisco ASA
1.9.       Shunning ip addresses on Cisco ASA
1.10.     Credits


WCCP configuration on Cisco ASA



access-list wccp-traffic extended permit ip any
access-list wccp-destination extended permit ip host any
wccp web-cache redirect-list wccp-traffic group-list wccp-destination
wccp interface inside web-cache redirect in


ASA upgrade notes to 8.3


Main differences
Firstly, make sure the minimum memory requirements for the upgrade are met.
That info can be found over here
Take note of the NAT changes over here
Access lists are now applied to the real address, not to the NATted (mapped) address:
access-list outside extended permit tcp any host
access-group outside in interface outside
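As an added example (not from this guide and not Cisco's own 8.3 migration tool), the following Python script shows the kind of check the note above implies: it reads pre-8.3 host `static` entries and rewrites inbound ACL entries that reference the mapped address so they reference the real address instead. The configuration fragment is constructed sample data, and only plain host statics (no port translation) are handled.

```python
import re
from typing import Dict, List, Tuple

# Constructed pre-8.3 configuration fragment (sample data, not from the page):
# one host static NAT and two ACL entries written against the *mapped* address.
PRE_83_CONFIG = """\
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-list outside extended permit tcp any host 203.0.113.10 eq www
access-list outside extended permit tcp any host 203.0.113.20 eq smtp
access-group outside in interface outside
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Only plain host statics (no port translation) are recognised here.
STATIC_RE = re.compile(
    rf"^static \((\S+),(\S+)\) (?P<mapped>{IPV4}) (?P<real>{IPV4}) "
    r"netmask 255\.255\.255\.255$"
)
HOST_RE = re.compile(rf"host ({IPV4})")


def mapped_to_real(config: str) -> Dict[str, str]:
    """Build {mapped_ip: real_ip} from the pre-8.3 'static' entries."""
    table: Dict[str, str] = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            table[m.group("mapped")] = m.group("real")
    return table


def rewrite_acls(config: str) -> Tuple[List[str], List[str]]:
    """Return the access-list lines with mapped host addresses replaced by the
    real addresses 8.3 expects, plus the host addresses that had no static
    entry and therefore need a manual check."""
    table = mapped_to_real(config)
    rewritten: List[str] = []
    review: List[str] = []

    def swap(m: "re.Match[str]") -> str:
        ip = m.group(1)
        if ip not in table:
            review.append(ip)
            return m.group(0)  # no static entry: leave untouched, flag it
        return f"host {table[ip]}"

    for line in config.splitlines():
        if line.startswith("access-list "):
            rewritten.append(HOST_RE.sub(swap, line))
    return rewritten, review


if __name__ == "__main__":
    lines, to_review = rewrite_acls(PRE_83_CONFIG)
    print("\n".join(lines))
    print("check by hand:", to_review)
```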


Cisco ASA traffic shaping and QoS


priority-queue outside

class-map Shaping-voice-class
 match tunnel-group tunnel-grp1
 match dscp ef

policy-map priority-policy
 class Shaping-voice-class
  priority

policy-map shape-priority-policy
 class class-default
  shape average 800000
  service-policy priority-policy

service-policy shape-priority-policy interface outside


Cisco ASA policy Based routing alternative



This feature is not yet available on the Cisco ASA; however, there are a few tricks of the trade that achieve the same effect. The example below sends web traffic out one ISP link and SMTP mail traffic out the other ISP link.

route outside 1
route outside1 2

nat (inside) 1 0 0
global (outside) 1 interface
global (outside1) 1 interface

static (outside,inside) tcp www www netmask
static (outside1,inside) tcp smtp smtp netmask


Cisco ASA Etherchanneling


Fast EtherChannel allows multiple physical Fast Ethernet links to combine into one logical channel. This allows load sharing of traffic among the links in the channel as well as redundancy in the event that one or more links in the channel fail. Fast EtherChannel can be used to interconnect LAN switches, routers, and, as of February 2011, Cisco ASA via UTP wiring or single-mode and multimode fiber optic links. Cisco release notes list the new commands added for that feature.
Namely: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.
This brings the Cisco ASA into a world of unparalleled speeds and performance throughputs rarely seen from another vendor.

That configuration is only available as of version 8.4 and the configuration guide can be found over here



Redundant interfaces


What are Cisco ASA redundant interfaces?
A redundant interface protects against physical link failure by combining two physical interfaces on the ASA into one virtual interface; you then configure all the Layer 3 parameters on this virtual interface. Only ONE of the interfaces in a group is active at any time; if it fails, the ASA transparently switches to the next available interface in the group and all traffic passes through it.

Small diagram providing a traffic flow explanation



Adding a Redundant Interface



interface redundant 1
 member-interface Ethernet0/1
 member-interface Ethernet0/4
 no nameif
 no security-level
 no ip address


LDAP authentication for VPN clients on Cisco ASA


Configure the LDAP server as shown below:

aaa-server ldap_1 protocol ldap
aaa-server ldap_1 host
 server-type sun


You may also need to configure authorization for VPN access. When LDAP authentication for VPN access has succeeded, the security appliance queries the LDAP server, which returns LDAP attributes. These attributes generally include authorization data that applies to the VPN session.


tunnel-group remote-1 type ipsec-ra
tunnel-group remote-1 general-attributes
 authorization-server-group ldap_1


Configuring Netflow on cisco ASA


The configuration is pretty straightforward, as described below:

flow-export destination inside 4444
access-list netflowacl extended permit ip any any
class-map NetFlow-traffic
 match access-list netflowacl
policy-map global_policy
 class NetFlow-traffic
  flow-export event-type all destination


Shunning ip addresses on Cisco ASA


shun 555 666 tcp

no shun 555 666 tcp





Recommended Reading


  1. Cisco ACS Best Practices document
  2. Cisco ASA Best Practices and Security Hardening Document.
  3. Cisco-vpn-ipsec-configuration-examples
  4. Cisco-ids-ips-aip-idsm-configuration-examples
  5. Detailed Cisco ACS 5.2 installation and configuration example with print screens
