Cisco ASA Best Security Configuration Examples

Contents

NAT before version 8.3
NAT after version 8.3
VPN tunnel password recovery as well as site-to-site shared secret recovery
Cisco ASA failover
Cisco ASA upgrade
Two IP addresses on the same interface of the Cisco ASA
Two ISPs on the Cisco ASA for redundancy
Adding a new VPN tunnel to an existing configuration on the ASA firewall
Configuring the Cisco ASA firewall to block instant messenger services
Cisco ASA URL filtering
Allow unlimited web access for specific hosts, block specific URLs for the rest of the users
Fixing problems with VPN
Cisco ASA password recovery
Cisco Output Interpreter Tool
Cisco Dynamic Configuration Tool
Cisco configuration migration tools
Credits and references

NAT before version 8.3

! Static translation (one-to-one): inside host 10.10.10.1 is reachable from the
! outside1 interface as 196.38.244.1, in both directions
static (inside,outside1) 196.38.244.1 10.10.10.1 netmask 255.255.255.255

! NAT exemption (nat 0): traffic matching the access-list is not translated at all.
! Usually used so that VPN clients and site-to-site tunnels see the real inside
! addresses; keep this access-list specific (no "any") and separate from the
! crypto access-list of the tunnel
access-list inside_nat0_outbound extended permit ip host 192.168.1.2 194.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

Inside-to-outside NAT (dynamic PAT) is usually used to allow traffic from the inside to the outside while hiding the local networks from the outside world; every inside host shares the address of the outside interface:

nat (inside) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface

NAT after version 8.3

From 8.3 the static/nat/global commands are replaced by network objects that carry their own NAT rule (object NAT) and by manual "twice NAT" rules. The equivalents of the three pre-8.3 examples above are:

! Object NAT, static one-to-one: 192.168.1.119 is reachable from the outside as 196.38.244.1
object network obj-192.168.1.119
 host 192.168.1.119
 nat (inside,outside) static 196.38.244.1
! Object NAT, dynamic PAT to the outside interface address (replaces nat/global)
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Identity twice NAT, the replacement for NAT exemption: the host is translated to itself only towards the remote VPN network
object network obj-194.168.100.0
 subnet 194.168.100.0 255.255.255.0
nat (inside,outside) source static obj-192.168.1.119 obj-192.168.1.119 destination static obj-194.168.100.0 obj-194.168.100.0

Twice NAT rules (section 1 of the NAT table) are evaluated before object NAT (section 2), so the identity rule wins over the static and dynamic object rules even though it appears later in the configuration. That is also why the identity rule carries a destination clause: an identity rule without one would exempt all traffic of that host from translation, not just the VPN traffic. For a complete guide to NAT on Cisco ASA devices after version 8.3, refer to Cisco's post-8.3 NAT configuration guide.
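As an added example (not code from the original page), the script below automates the mapping just described for the three pre-8.3 forms shown on this page: static, nat 0 access-list and nat/global. It is a small Python translator over constructed input; the object names it generates (obj-address or obj-network-prefixlength), the choice of "any" as mapped interface for identity rules, and the handling of nat 0 without an access-list as identity NAT are this example's assumptions, and its output should be reviewed against the Cisco NAT guide before it is pasted into a device. It generalizes the page's single instance to any number of such statements.

```python
import re
from collections import OrderedDict

# Pre-8.3 forms handled: static, nat 0 access-list, nat/global pairs and nat 0 <net> <mask>.
# Only the ACL entries referenced by a nat 0 statement are turned into rules.
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) ([\d.]+) ([\d.]+)(?: netmask ([\d.]+))?")
NAT_ACL_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ([\d.]+) ([\d.]+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) interface")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip "
                    r"(host [\d.]+|[\d.]+ [\d.]+) (host [\d.]+|[\d.]+ [\d.]+)")

# Constructed sample: the pre-8.3 lines from the section above, joined together.
SAMPLE_PRE83 = """
static (inside,outside1) 196.38.244.1 10.10.10.1 netmask 255.255.255.255
access-list inside_nat0_outbound extended permit ip host 192.168.1.2 194.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface
"""


def prefix_len(mask):
    """Dotted mask -> prefix length, used only to build readable object names."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def address_object(addr):
    """'host X' or 'X MASK' -> (object name, body line of the network object)."""
    parts = addr.split()
    if parts[0] == "host":
        return "obj-" + parts[1], "host " + parts[1]
    net, mask = parts
    return "obj-%s-%d" % (net, prefix_len(mask)), "subnet %s %s" % (net, mask)


def convert(config):
    """Return the 8.3+ equivalent of the pre-8.3 NAT lines in config."""
    lines = [line.strip() for line in config.splitlines()]
    lines = [line for line in lines if line and not line.startswith("!")]
    objects = OrderedDict()   # object name -> lines under "object network"
    twice_nat = []            # manual (section 1) rules, evaluated before object NAT
    acls, globals_ = {}, {}

    def add_object(addr):
        name, body = address_object(addr)
        objects.setdefault(name, [body])
        return name

    # First pass: collect what other statements refer to (ACL entries, global pools).
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        m = GLOBAL_RE.match(line)
        if m:
            globals_[m.group(2)] = m.group(1)

    # Second pass: emit the equivalent object NAT / twice NAT configuration.
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
            is_host = mask in (None, "255.255.255.255")
            name = add_object("host " + real_ip if is_host else real_ip + " " + mask)
            objects[name].append("nat (%s,%s) static %s" % (real_if, mapped_if, mapped_ip))
            continue
        m = NAT_ACL_RE.match(line)
        if m:
            real_if, acl = m.groups()
            # NAT exemption becomes identity twice NAT: real and mapped objects are the same.
            for src, dst in acls.get(acl, []):
                s, d = add_object(src), add_object(dst)
                twice_nat.append("nat (%s,any) source static %s %s destination static %s %s"
                                 % (real_if, s, s, d, d))
            continue
        m = NAT_RE.match(line)
        if m:
            real_if, nat_id, net, mask = m.groups()
            name = add_object(net + " " + mask)
            if nat_id == "0":   # nat 0 without an access-list: identity NAT for the network
                twice_nat.append("nat (%s,any) source static %s %s" % (real_if, name, name))
                continue
            if nat_id not in globals_:
                raise ValueError("nat id %s has no matching global statement" % nat_id)
            objects[name].append("nat (%s,%s) dynamic interface" % (real_if, globals_[nat_id]))

    out = []
    for name, body in objects.items():
        out.append("object network " + name)
        out.extend(" " + b for b in body)
    out.extend(twice_nat)
    return "\n".join(out)


if __name__ == "__main__":
    print(convert(SAMPLE_PRE83))
```

The twice NAT lines are emitted last only for readability; on the device they land in section 1 regardless of where they appear in the configuration, so the identity rules keep winning over the object rules.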

VPN tunnel password recovery as well as site-to-site shared secret recovery

The running configuration masks pre-shared keys and other secrets as ********. To see them in clear text use either:

more system:running-config

or write the running configuration to a TFTP server:

write net 10.27.16.20:running

Both commands expose every pre-shared key and password in the configuration and need privileged (enable) access, which is one more reason to keep enable access tightly controlled. The TFTP copy travels unauthenticated and unencrypted and leaves a clear-text copy of all tunnel secrets on the server, so use it only across a trusted management segment and delete the file afterwards. A key that has been exposed this way should be rotated on both peers rather than reused.

Cisco ASA failover

Prerequisites: the interfaces assigned for failover on both devices must be connected, and you should be able to ping between them to verify that connectivity is up.

On the primary device at least one data interface must be configured with a standby address (every data interface that should be monitored needs one; the example shows a single interface):

interface GigabitEthernet0/1
speed 100
duplex full
nameif outside_management
security-level 100
ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2

failover
failover lan unit primary
failover lan interface faillink GigabitEthernet0/0
failover link faillink GigabitEthernet0/0
failover interface ip faillink 192.168.252.1 255.255.255.252 standby 192.168.252.2

On the secondary device the same commands are used, only the unit role changes. The failover interface ip line is identical on both units: the unit that is primary uses the active address and the secondary the standby address.

failover
failover lan unit secondary
failover lan interface faillink GigabitEthernet0/0
failover link faillink GigabitEthernet0/0
failover interface ip faillink 192.168.252.1 255.255.255.252 standby 192.168.252.2

The failover link and the stateful failover link replicate the whole configuration (including pre-shared keys and passwords) and the connection state between the units, and by default this traffic is sent in clear text. Use a dedicated, physically isolated link for it (a direct cable or an isolated VLAN) and configure the same failover key on both units so the replication traffic is encrypted.

Cisco ASA upgrade

If the device is already up and running on the network, copy the new image into flash with the command below. TFTP is unauthenticated and unencrypted, so fetch the image from a server on a trusted management segment and verify its checksum against the value published on cisco.com (for example with verify /md5 disk0:/asa722-k8.bin) before making it the boot image.

ASA5510#copy tftp disk0:

Address or name of remote host []? 172.16.31.1
Source filename []? asa722-k8.bin
Destination filename [asa722-k8.bin]?
Accessing tftp://172.16.31.1/asa722-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa722-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
8312832 bytes copied in 163.350 secs (50998 bytes/sec)

ASA5510#show disk0:
-#- --length-- -----date/time------ path
6 5124096    Jan 01 2003 00:06:22 asa702-k8.bin
7 5623108    Feb 12 2007 00:23:48 asdm-522.bin
10 5539756    Feb 12 2007 00:14:18 asdm-521.bin
11 8294400    Dec 07 2006 05:47:20 asa721-24-k8.bin
12 6002680    Dec 21 2006 03:58:30 asdm-52034.bin
13 8312832    Feb 12 2007 22:46:30 asa722-k8.bin

23949312 bytes available (38932480 bytes used)

!--- Command to set "asa722-k8.bin" as the boot image.

ASA5510(config)# boot system disk0:/asa722-k8.bin

!--- Command to set "asdm-522.bin" as the ASDM image.

ASA5510(config)# asdm image disk0:/asdm-522.bin
ASA5510# write memory
ASA5510# reload

The ASA boots the first boot system entry in its configuration, so remove any old boot statement before the reload, otherwise the old image keeps booting. Keep the previous image file in flash until the new release is confirmed working, then delete it to free space:

no boot system disk0:/asapreviousrelease.bin
delete flash:/asapreviousrelease.bin
If the device is not up and running on the network, reboot it while connected via a Cisco console cable and interrupt the boot sequence by sending a BREAK (Ctrl+Break) to get the monitor prompt. You may also need a crossover cable between the device and the TFTP host in order to copy the upgrade file; see the cabling page for how those connections must be made. Anyone with console access at this point can also reset the passwords, so physical and terminal-server access to the console should be restricted.

Basically you set up an IP address so that the upgrade file can be copied from your machine to the Cisco ASA over TFTP. An example is shown below:

monitor>address <asa_ip_address>
monitor>server <ip_address_of_your_pc_running_the_tftp_server>
monitor>file <filename_of_the_upgrade_file>
monitor>ping <tftp_server_ip_address>
monitor>tftp

The monitor> prompt and these commands are the PIX monitor mode syntax; on an ASA the prompt is rommon #0> and the same steps are the variables ADDRESS=, SERVER=, GATEWAY= and IMAGE= followed by tftpdnld. Either way the image is only loaded into RAM: once you have booted into the ASA you still need to copy the file into flash and set it as the boot image as shown above.

Two IP addresses on the same interface of the Cisco ASA

An ASA interface takes a single IPv4 address; there is no secondary address as on IOS routers. The workaround below keeps 192.168.1.1/24 on the interface, adds a static ARP entry so the ASA can reach the host 192.168.0.2 that lives in the second subnet on the same wire, and allows traffic between and within interfaces of the same security level:

ASA:
interface Ethernet0/3
nameif test1
security-level 100
ip address 192.168.1.1 255.255.255.0
arp test1 192.168.0.2 0001.96a4.c261

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Make sure that the devices which need to reach the second subnet have a route for it via the physical interface address of the ASA. Both same-security-traffic commands are global: they relax the default isolation for every pair of same-security interfaces and allow hairpinning on all of them, so check that the interface access-lists still enforce what you expect.

Two ISPs on the Cisco ASA for redundancy

!
interface eth0
! primary ISP link
nameif outside
security-level 0
ip address 10.200.159.2 255.255.255.248
!
interface eth1
! second ISP link, used only while the primary is down
nameif backup
security-level 0
ip address 10.250.250.2 255.255.255.248
!
interface eth2
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.0
!
! PAT the inside network to whichever ISP interface the default route points at
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
!
! default route via the primary ISP, kept in the routing table only while track 1 is up
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
!
! floating default route via the backup ISP; metric 254 means it is used only once the tracked route is withdrawn
route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
!
! monitoring process 123: ICMP echo to 10.0.0.1 sent through the outside interface,
! 3 packets every 10 seconds; the target is the object whose availability decides the failover
sla monitor 123
type echo protocol ipIcmpEcho 10.0.0.1 interface outside
num-packets 3
frequency 10
!
! run the probe indefinitely, starting now
sla monitor schedule 123 life forever start-time now
!
! track object 1 follows the reachability state reported by SLA 123
track 1 rtr 123 reachability

Choose a tracked target that answers ICMP reliably and that is reachable only through the primary ISP (the probe is forced out of the outside interface, but the reply path must be valid as well); if that target fails for reasons of its own, the ASA switches to the backup link even though the primary is healthy. Connections already established through the primary link are not moved to the backup: they time out and are re-established through the backup interface, where they are translated to its address.

Adding a new VPN tunnel to an existing configuration on the ASA firewall

This is an example of an existing configuration with one site-to-site tunnel to peer 172.22.112.12 (crypto access-list 101 and a separate NAT 0 access-list 102):

access-list 101 permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 102 permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list 102
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000
isakmp key ********** address 172.22.112.12 netmask 255.255.255.255
crypto ipsec transform-set chevelle esp-des esp-md5-hmac 
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 172.22.112.12
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside

Complete these steps in order to add a VPN tunnel for a new peer:

Peer IP address: 1.1.1.1
Local network: 10.1.1.0 255.255.255.0
Remote network: 192.168.1.0 255.255.255.0

Remove the crypto map that exists from the outside interface.

Note: removing the crypto map from the interface brings down the tunnels that exist, so plan this for a maintenance window.

no crypto map transam interface outside

Create a new crypto access-list with the internal network of the firewall as the source and the remote network as the destination.

access-list 103 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Add an identical entry to the NAT 0 access-list so that the traffic for the new peer bypasses NAT. The NAT 0 access-list stays a separate list from the crypto access-lists.

access-list 102 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Create a new entry in the crypto map with the same name but a different sequence number.

crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 103
crypto map transam 2 set peer 1.1.1.1
crypto map transam 2 set transform-set chevelle

Configure the pre-shared key for the new peer. The ISAKMP policy already exists from the first tunnel and is shown again only for completeness; the key line for the new peer address is the new part. Use a long random key that is unique to this peer.

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000
isakmp key ********** address 1.1.1.1 netmask 255.255.255.255

Bind the crypto map to the outside interface.

crypto map transam interface outside

Ping the remote network in order to bring up the new tunnel.

The algorithms in this example (DES in the transform set; 3DES, MD5 and Diffie-Hellman group 2 in the ISAKMP policy) are what the original configuration used and are considered weak today. On any release that supports them, prefer AES, SHA-2 hashes and DH group 14 or stronger on both peers, and IKEv2 where both ends support it.

Configuring the Cisco ASA firewall to block instant messenger services

Common ports:
Internet Relay Chat (IRC): TCP 6667 and 6660 through 6670 (the default being 6667)
Common IRC: TCP 6665 through 6669
ICQ: TCP 5190, plus dynamic ports greater than or equal to 1024
AOL Instant Messenger: TCP and User Datagram Protocol (UDP) 5190 through 5193
MSN: TCP 1863
Yahoo Voice Chat: TCP 5000 and 5001, and UDP 5000 through 5010
Yahoo Messenger: TCP 5050
Yahoo Webcams: TCP 5100

An access-list that blocks the MSN port for all hosts and allows everything else:

access-list block-msn deny tcp any any eq 1863
access-list block-msn permit ip any any
access-group block-msn in interface inside

Only one access-list can be bound per interface and direction, so the access-group command above replaces whatever access-list is already applied inbound on the inside interface; in practice the deny line is added to the existing inside access-list, above its permit statements. Port-based blocking is also easy to bypass, because most clients fall back to TCP 80 or 443 or to an HTTP proxy when their native port is blocked. There is another method, instant messaging inspection (the inspect im policy), which matches the protocol rather than the port and can be used to block instant messengers; this feature is available from version 7.2.

Cisco ASA URL filtering

The HTTP inspection engine can drop requests whose URI or Host header matches a regex. The two regexes below block any URI containing /test/ and any Host header containing cisco.com:

regex blockex1 "/test/"
regex blockex2 "cisco\.com"

class-map type inspect http match-any block-url-class
match request uri regex blockex1
match request header host regex blockex2

policy-map type inspect http block-url-policy
parameters
class block-url-class
drop-connection log

policy-map global_policy
class inspection_default
inspect http block-url-policy

service-policy global_policy global

Two caveats: the regexes are unanchored, so "cisco\.com" also matches hosts such as notcisco.com (anchor the pattern if that matters), and inspection only sees clear-text HTTP on the ports the class matches (port 80 in the default inspection class), so HTTPS and requests that carry an IP address instead of a host name are not caught. The log keyword makes every dropped connection visible in syslog, which is useful for checking what the filter really matches.

Allow unlimited web access for specific hosts, block specific URLs for the rest of the users

The same URL regexes as above, but the inspection is applied through an interface policy whose class is built from an access-list. The access-list denies the web traffic of host 192.168.1.2, so that host never matches the class and is not inspected at all (unlimited access), while port 80 traffic from everyone else is inspected and the listed URLs are dropped:

regex blockex1 "/test/"
regex blockex2 "cisco\.com"

access-list user-acl extended deny tcp host 192.168.1.2 any eq www
access-list user-acl extended permit tcp any any eq www

class-map type inspect http match-any block-url-class
match request uri regex blockex1
match request header host regex blockex2
class-map block-user-class
match access-list user-acl

policy-map type inspect http block-url-policy
parameters
class block-url-class
drop-connection
policy-map block-user-url-policy
class block-user-class
inspect http block-url-policy

service-policy block-user-url-policy interface inside

Only one service policy can be applied per interface, and for the same feature the interface policy takes precedence over the global policy on that interface. If the global policy already inspects HTTP, the policy above is the one that applies to the inside interface; to exempt more hosts, add further deny lines above the permit in user-acl.

Fixing problems with VPN

These are a few of the common reasons why a VPN tunnel does not come up or fails to pass traffic on a PIX Firewall, VPN Concentrator, ASA or router:
The wrong IP address is configured in the pre-shared key or crypto map.
The crypto map is not bound to the outside interface.
There are mismatched access control lists (ACLs) on the peers.
The ACLs overlap with other tunnels.
NAT is not bypassed on the router or PIX Firewall.
The same ACL is used for the crypto map and for NAT bypass (NAT 0 ACLs) on the PIX Firewall.
ACLs for NAT bypass are configured with the keyword any instead of specific source and destination.
The ISP blocks UDP port 500 or changes the IP address of the remote peer.
There is a mismatch in the ISAKMP policies.
There are routing issues.
There are older Security Associations.
Perfect Forward Secrecy (PFS) is incorrectly enabled or disabled.

In order to isolate and resolve the above mentioned issues, review this checklist:
Make sure the crypto map is applied to the outside interface, the interface that faces the Internet.
Match the access-lists with the peers and make sure they do not overlap with the ACLs of any other tunnels that exist.
Match the ISAKMP policies on the peers. Both end devices must have matching ISAKMP policies (encryption, hash, authentication method and DH group; only the lifetime may differ, the lower value is negotiated).
If the show crypto isakmp sa command shows MM_KEY_EXCH in the output, refer to TAC Case Collection Case #K24004384.

If the ISP has changed the IP address of the remote peer, refer to TAC Case Collection Case #K10533154.
While you troubleshoot, it is good practice to reapply the crypto map on the outside interface and to clear older Security Associations with the clear crypto sa command on the router and the clear isakmp sa command on the PIX Firewall. But these commands bring down the other tunnels as well, as the Security Associations of the tunnels that exist are also cleared.
On the PIX Firewall, always create and bind separate access-lists for NAT 0 and for the crypto map. The NAT 0 and crypto ACLs should contain identical entries but be separate lists with different names.
On routers, the NAT bypass ACL must DENY the interesting traffic first and end with the PERMIT statement: entries are evaluated in order, so a broad permit placed early shadows every deny after it. For example:

Bad Configuration

ip access-list extended nonat
deny ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 any
deny ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255

Good Configuration

ip access-list extended nonat
deny ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 any
PFS must be enabled or disabled on both peers. Refer to TAC Case Collection Case #K14663353 for more information about PFS.
If the PIX, ASA or router is configured for both LAN-to-LAN and VPN client access, make sure that the dynamic crypto map entry comes last. Crypto map entries are evaluated in sequence-number order and a dynamic entry accepts any peer, so in the configuration below the LAN-to-LAN tunnel for peer 2.2.2.2 fails to come up: the PIX stops looking for the actual peer once it hits the dynamic crypto map at sequence 20. It is always a good idea to assign the highest sequence number to dynamic maps, for example 65535.

Bad Configuration

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 120
crypto map newmap 30 set peer 2.2.2.2
crypto map newmap 30 set transform-set myset
crypto map newmap interface outside

Good Configuration

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 120
crypto map newmap 30 set peer 2.2.2.2
crypto map newmap 30 set transform-set myset
crypto map newmap 65535 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside

Refer to IP Security Troubleshooting - Understanding and Using debug Commands for more information on how to resolve common VPN related issues with debug commands.
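The ordering mistakes in the checklist above (a broad permit ahead of the denies in the NAT bypass ACL, a dynamic crypto map entry with a lower sequence number than a static one) and the weak algorithms used in the tunnel example in the section on adding a VPN tunnel are all visible in the configuration text, so they can be caught before a change window rather than during one. The Python audit below is an added example, not part of the original page; it runs over a constructed configuration assembled from the page's "bad" fragments, and its notion of which algorithms count as weak is this example's assumption.

```python
import re

# Thresholds for "weak" are this script's assumptions, not statements from the
# page: single DES, 3DES, MD5 and DH groups 1, 2 and 5 are flagged.
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

# Constructed sample assembled from the "bad" fragments of the checklist above.
BAD_CONFIG = """
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 120
crypto map newmap 30 set peer 2.2.2.2
crypto map newmap interface outside
ip access-list extended nonat
 deny ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 any
 deny ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
"""


def audit_isakmp(lines):
    """Flag ISAKMP policy parameters and IPsec transforms that are in the weak sets."""
    findings = []
    for line in lines:
        m = re.match(r"(?:crypto )?isakmp policy (\d+) (encryption|hash|group) (\S+)$", line)
        if m and m.group(3) in WEAK_ISAKMP[m.group(2)]:
            findings.append("isakmp policy %s: weak %s %s" % m.groups())
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            findings += ["transform-set %s: weak %s" % (m.group(1), t)
                         for t in m.group(2).split() if t in WEAK_TRANSFORMS]
    return findings


def audit_crypto_map(lines):
    """A dynamic entry must have the highest sequence number of its crypto map."""
    entries = {}  # crypto map name -> [(sequence, is_dynamic)]
    for line in lines:
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp( dynamic \S+)?$", line)
        if m:
            entries.setdefault(m.group(1), []).append((int(m.group(2)), m.group(3) is not None))
    findings = []
    for name, seqs in entries.items():
        dynamic = [s for s, d in seqs if d]
        static = [s for s, d in seqs if not d]
        if dynamic and static and min(dynamic) < max(static):
            findings.append("crypto map %s: dynamic entry %d precedes static entry %d, "
                            "so that peer is never matched" % (name, min(dynamic), max(static)))
    return findings


def _source(rest):
    """Source part of an ACL entry body: 'ip 10.0.0.0 0.0.0.255 <dst>' -> 'ip 10.0.0.0 0.0.0.255'."""
    tokens = rest.split()
    return " ".join(tokens[:2] if len(tokens) > 1 and tokens[1] == "any" else tokens[:3])


def audit_nat_bypass_acl(lines):
    """A deny placed after 'permit <same source> any' is never reached."""
    findings, current, broad_permit = [], None, {}
    for line in lines:
        m = re.match(r"ip access-list extended (\S+)$", line)  # IOS-style named ACL header
        if m:
            current = m.group(1)
            continue
        m = re.match(r"access-list (\S+) extended (permit|deny) (.+)$", line)  # ASA/PIX style
        if m:
            name, action, rest = m.groups()
        elif current and re.match(r"(permit|deny) ", line):
            name, (action, rest) = current, line.split(" ", 1)
        else:
            continue
        if action == "permit" and rest.split()[-1] == "any":
            broad_permit.setdefault(name, rest)
        elif action == "deny" and name in broad_permit and _source(broad_permit[name]) == _source(rest):
            findings.append("acl %s: 'deny %s' is shadowed by earlier 'permit %s'"
                            % (name, rest, broad_permit[name]))
    return findings


def audit(config):
    """Run all three checks over a configuration text and return the findings."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    return audit_isakmp(lines) + audit_crypto_map(lines) + audit_nat_bypass_acl(lines)


if __name__ == "__main__":
    for finding in audit(BAD_CONFIG):
        print(finding)
```

Running it on the page's good configuration (dynamic entry at 65535, denies before the permit) leaves only the algorithm findings, which is the point: the ordering checks are exact for the page's two cases, while the algorithm list is a policy decision to adjust to your own baseline.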

Cisco ASA password recovery

The procedure needs console access and a reload (the device is booted with the configuration register set to ignore the startup configuration), so whoever has physical access to the console effectively owns the device; restrict physical and terminal-server access to it accordingly. Password recovery can be disabled with no service password-recovery, in which case the device erases its configuration instead of booting without it. The procedure is documented here:

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1058131

Cisco Output Interpreter Tool

(requires a CCO login; if you don't have one please contact us for more info)

Output Interpreter is a troubleshooting tool that reports potential problems by analyzing supported "show" command output. It supports various "show" command output from your router, switch, PIX/ASA firewall, IOS wireless access point, or MeetingPlace platform.

The tool gives you an analysis of your existing configuration with recommendations on how to tweak and tune your current installation, lists any errors or abnormalities it detects in your current setup along with ways to fix them, and is excellent for troubleshooting different kinds of problems. It is a highly recommended tool for advanced users. The platforms and inputs it supports include:

Cisco 12000 IOS XR Firmware, Hardware and Software Readiness Assessment (up to version 3.8)

Wireless LAN Controller - show & debug commands

GOLD diagnostics - show diagnostic result

ASA commands - show tech-support, show running-config

Bear in mind that show tech-support and show running-config contain the full configuration, including addressing, account names and any secrets that are not masked; review and redact the output before uploading it to any external tool.

Here is the link to where you can access that troubleshooting tool.
If you don't have a CCO login and you are unable to access the tool, please contact us for assistance on how to obtain a CCO login.

Cisco Dynamic Configuration Tool

The Cisco Dynamic Configuration Tool enables online configuration of Cisco products and offers detailed compatibility information and intelligent feedback to streamline the ordering process.
Cisco Value Added Resellers that prefer to receive list price information from the Cisco Dynamic Configuration Tool will need to log in with their Cisco Connection Online (CCO) id and password.
If you don't have a CCO login and you are unable to access the tool, please contact us for assistance on how to obtain a CCO login.

Cisco configuration migration tools

The section below lists a few tools that are useful when you are migrating large configurations from other platforms to the Cisco ASA.

The Checkpoint configuration migration tool can be found on Cisco's web site; it requires a CCO login.
You can read more on the tool there.
If you don't have a CCO login and you are unable to access the tool, please contact us for assistance on how to obtain a CCO login.

A Cisco PIX to Cisco ASA conversion tool exists, or a manual conversion of the configuration can be performed; please contact us for more information on how to proceed.

Credits and references

As with everything, credit must be given where credit is due. Materials from the Cisco support community site were used to compile this page:
https://supportforums.cisco.com/index.jspa

To get a free assessment of how to optimize your current Cisco ASA solution, contact us here.