CISCO ASA BASIC COMMANDS-PART-1

1. To view the current (running) configuration

ciscoasa# show running-config

2. Show the configuration that is stored on the device (the startup configuration). This is the one that will be loaded if you reboot the firewall.

ciscoasa# show startup-config

3. Save the running configuration so it won’t be lost if you reboot.

ciscoasa# copy run start
or
ciscoasa# write memory

4. Copy an image file from a TFTP server to the flash of the ASA

ciscoasa# copy tftp flash

5. Boot the firewall with the new image

ciscoasa(config)# boot system flash:/asa964-k8.bin

6. Create a local user account and assign privilege level 15, which means administrator access

ciscoasa(config)# username ciscoadmin password adminpassword privilege 15

7. To change the device host name

ciscoasa(config)# hostname test123
test123(config)#

8. To configure secure management access to the firewall, generate an RSA key pair. The ASA needs this key pair before it can accept SSH connections.

ciscoasa(config)# crypto key generate rsa modulus 2048

9. Configure an interface and its security level.

ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# ip address 192.168.1.5 255.255.255.0
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# no shutdown

10. Allow SSH access only from host 172.10.1.10 on the “inside” interface

ciscoasa(config)# ssh 172.10.1.10 255.255.255.255 inside

11. Configure a default route via the “outside” interface with gateway IP of 20.1.1.1

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 20.1.1.1

12. Configure a static route via the “inside” interface. To reach network 192.168.5.0/24, go via gateway IP 192.168.5.10

ciscoasa(config)# route inside 192.168.5.0 255.255.255.0 192.168.5.10

13. Configure PAT for internal LAN (192.168.5.0/24) to access the Internet using the outside interface.

ciscoasa(config)# object network internal_lan
ciscoasa(config-network-object)# subnet 192.168.5.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface

14. Configure PAT for all (“any”) networks to access the Internet using the outside interface

ciscoasa(config)# object network obj_any
ciscoasa(config-network-object)# subnet 0.0.0.0 0.0.0.0
ciscoasa(config-network-object)# nat (any,outside) dynamic interface

15. Configure static NAT. The private IP 192.168.5.1 in the DMZ will be mapped statically to public IP 20.1.1.1 in the outside zone.

ciscoasa(config)# object network web_server_static
ciscoasa(config-network-object)# host 192.168.5.1
ciscoasa(config-network-object)# nat (DMZ,outside) static 20.1.1.1

16. Configure static port NAT. The private IP 192.168.5.1 in the DMZ will be mapped statically to public IP 20.1.1.1 in the outside zone only for port 80.

ciscoasa(config)# object network web_server_static
ciscoasa(config-network-object)# host 192.168.5.1
ciscoasa(config-network-object)# nat (DMZ,outside) static 20.1.1.1 service tcp 80 80

17. Apply the ACL named OUTSIDE_IN at the “outside” interface for traffic coming “in” the interface

ciscoasa(config)# access-group OUTSIDE_IN in interface outside
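
An added example, not part of the original post: a short Python check that reads saved `show running-config` text and flags the management and NAT settings from steps 6, 10, 15/16 and 17. The sample config is constructed from the commands above plus one deliberately broad `ssh` line and a placeholder password hash; `audit` and `SAMPLE_CONFIG` are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample in "show running-config" style, built from the commands
# on this page plus one deliberately broad ssh line for contrast.
SAMPLE_CONFIG = """\
hostname test123
username ciscoadmin password PLACEHOLDERHASH encrypted privilege 15
object network web_server_static
 host 192.168.5.1
 nat (DMZ,outside) static 20.1.1.1
ssh 172.10.1.10 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
access-group OUTSIDE_IN in interface outside
"""


def audit(config):
    """Return a list of findings for the management and NAT settings covered above."""
    findings = []
    # Step 17: an access-group should reference an ACL that exists in the config.
    acls = set(re.findall(r"^access-list (\S+)", config, re.M))
    for name, iface in re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M):
        if name not in acls:
            findings.append(f"access-group {name} on {iface}: no access-list {name} defined")
    # Step 10: SSH management should be limited to single hosts (mask 255.255.255.255).
    for ip, mask, iface in re.findall(r"^ssh (\d\S*) (\d\S*) (\S+)", config, re.M):
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if net.prefixlen < 32:
            findings.append(f"ssh from {net} on {iface}: wider than a single host")
    # Step 6: list every account that holds privilege level 15.
    for user, level in re.findall(r"^username (\S+) .*privilege (\d+)", config, re.M):
        if level == "15":
            findings.append(f"user {user}: privilege 15 (administrator)")
    # Steps 15/16: static NAT without "service" translates every port of the host.
    for real, mapped, ip, rest in re.findall(
            r"^ *nat \((\S+?),(\S+?)\) static (\S+)(.*)$", config, re.M):
        if "service" not in rest:
            findings.append(f"static NAT {real}->{mapped} to {ip}: all ports, no 'service' limit")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

The host-only `ssh` entry from step 10 produces no finding; the `access-group` finding clears once an `access-list OUTSIDE_IN` line is present in the config.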

 
