
Security is a balance between convenience and paranoia.

ASA (Adaptive Security Appliances)



Interfaces and Security levels
ASA(config)# int gi0/0
ASA(config-if)# nameif INSIDE
ASA(config-if)# security-level 100
ASA(config-if)# speed 100
ASA(config-if)# duplex full
ASA(config-if)# ip address 192.168.1.2 255.255.255.0
ASA(config)# int gi0/1
ASA(config-if)# nameif OUTSIDE
ASA(config-if)# security-level 0
ASA(config-if)# speed 100
ASA(config-if)# duplex full
ASA(config-if)# ip address 63.227.68.2 255.255.255.240

Names
ASA(config)# names
ASA(config)# name 10.0.0.53 FileServer
ASA(config)# name 10.0.0.52 WebServer
ASA(config)# access-list acl-in extended permit tcp any host WebServer eq www
ASA# show names

Object Groups
ASA(config)# object-group service Webserver-svcs tcp
ASA(config-service)# description ### For Webservers ###
ASA(config-service)# port-object eq smtp
ASA(config-service)# port-object eq www
ASA(config-service)# port-object eq https
ASA(config)# access-list acl-in permit tcp any host 10.0.0.15 object-group Webserver-svcs
ASA(config)# access-list acl-in permit tcp any host 10.0.1.16 object-group Webserver-svcs
ASA(config)# access-list acl-in permit tcp any host 10.0.2.19 object-group Webserver-svcs
!
ASA(config)# object-group network Webservers
ASA(config-network)# description ### Webservers ###
ASA(config-network)# network-object host 10.0.0.15
ASA(config-network)# network-object host 10.0.1.16
ASA(config-network)# network-object host 10.0.2.19
ASA(config)# access-list acl-in permit tcp any object-group Webservers object-group Webserver-svcs
!
ASA# show access-list acl-in
access-list acl-in line 1 permit tcp any object-group Webservers object-group Webserver-svcs (hitcnt=0)

Object groups that are in use can't be deleted. You must first remove the individual ACL entries that reference them, or the entire list.
Then you can remove the object-group.
ASA(config)# clear configure access-list acl-in
ASA(config)# no object-group service Webserver-svcs

Show Pre-Shared Key
OHI-ASAFW# more system:running-config | b tunnel-group

Inspects
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect ftp
ASA(config-pmap-c)# inspect h323 h225
ASA(config-pmap-c)# inspect esmtp
ASA# show service-policy global
Remote Access
telnet 192.168.2.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside

Enable SSH for OUTSIDE Access
ASA(config)# domain-name company.local
ASA(config)# crypto key generate rsa
ASA(config)# ssh 0.0.0.0 0.0.0.0 outside
ASA(config)# username asaadmin password l3tmein priv 15
ASA(config)# aaa authentication ssh console LOCAL

Simple NAT using the OUTSIDE Interface
All internal IP addresses will be translated, because the nat statement matches 0.0.0.0 0.0.0.0 (any source address).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Simple NAT using a Dedicated IP Address
global (outside) 1 63.227.68.2
nat (inside) 1 0.0.0.0 0.0.0.0

Static NAT For Host Inside for Public Access
static (inside,outside) 63.227.68.3 192.168.2.12 netmask 255.255.255.255 0 0

Static NAT for DMZ Server for Public Access
static (dmz,outside) 63.227.68.4 192.168.64.45 netmask 255.255.255.255 0 0

Port Redirection (Static PAT)
static (inside,outside) tcp 63.227.68.4 80 192.168.2.12 80 netmask 255.255.255.255
static (inside,outside) tcp 63.227.68.4 443 192.168.64.45 443 netmask 255.255.255.255

Logging
logging enable
logging console notifications
logging timestamp
logging buffered errors
logging buffer-size 50000

Logging to Syslog Server
logging enable
logging trap informational
logging facility 22
logging host inside 192.168.2.15
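The syslog setup above sends ASA messages at facility 22 (local6) and severity informational or higher to 192.168.2.15. The parser below, an added example that is not part of the original cheat sheet, decodes the syslog PRI field into facility and severity, extracts the %ASA message ID, and counts ACL denies (message 106023) per source address over a few constructed sample lines. The log lines and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the format an ASA sends to a syslog host:
# an RFC 3164 <PRI> prefix, then the %ASA-<severity>-<id> message.
# With "logging facility 22" and severity 4, PRI = 22*8 + 4 = 180.
SAMPLE_LOG = """\
<180>Jan 10 10:00:01 ASA %ASA-4-106023: Deny tcp src outside:203.0.113.5/44321 dst inside:192.168.2.12/23 by access-group "outside_access_in" [0x0, 0x0]
<180>Jan 10 10:00:02 ASA %ASA-4-106023: Deny tcp src outside:203.0.113.5/44322 dst inside:192.168.2.12/3389 by access-group "outside_access_in" [0x0, 0x0]
<182>Jan 10 10:00:03 ASA %ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:192.168.2.12/80 (63.227.68.3/80)
<180>Jan 10 10:00:04 ASA %ASA-4-106023: Deny udp src outside:203.0.113.5/5000 dst inside:192.168.2.15/161 by access-group "outside_access_in" [0x0, 0x0]
"""

PRI_RE = re.compile(r"^<(\d+)>")
MSG_RE = re.compile(r"%ASA-(\d)-(\d{6}): (.*)$")
DENY_RE = re.compile(r"Deny (\w+) src \S+:([\d.]+)/\d+ dst \S+:([\d.]+)/(\d+)")


def parse_line(line):
    """Return facility, severity, message id and text for one line, or None."""
    pri = PRI_RE.match(line)
    msg = MSG_RE.search(line)
    if not pri or not msg:
        return None
    pri_val = int(pri.group(1))
    rec = {"facility": pri_val // 8, "severity": pri_val % 8,
           "id": msg.group(2), "text": msg.group(3)}
    if rec["id"] == "106023":  # ACL deny: pull out protocol, src, dst, dport
        d = DENY_RE.search(rec["text"])
        if d:
            rec.update(proto=d.group(1), src=d.group(2),
                       dst=d.group(3), dport=int(d.group(4)))
    return rec


def deny_sources(log, threshold=3):
    """Count ACL denies per source IP and return those at or above threshold."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec["id"] == "106023" and "src" in rec:
            counts[rec["src"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(deny_sources(SAMPLE_LOG))
```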


ASA Firewall Configuration By: Scott Schmit
Secure Monitor Test Improve
Remote Access Tunnel VPN
(ISAKMP)
ASA(config)# isakmp policy 1 authentication pre-share
ASA(config)# isakmp policy 1 encryption 3des
ASA(config)# isakmp policy 1 hash sha
ASA(config)# isakmp policy 1 group 2
ASA(config)# isakmp policy 1 lifetime 43200
ASA(config)# isakmp enable outside
(Address Pool)
ASA(config)# ip local pool testpool 192.168.0.10-192.168.0.15
(User)
ASA(config)# username testuser password 12345678
(Transform Set - combines an encryption and authentication method)
ASA(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
(Tunnel Group)
ASA(config)# tunnel-group testgroup type ipsec-ra
ASA(config)# tunnel-group testgroup general-attributes
ASA(config-general)# address-pool testpool
ASA(config)# tunnel-group testgroup ipsec-attributes
ASA(config-ipsec)# pre-shared-key 44kkaol59636jnfx
(Dynamic Crypto Map)
ASA(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
ASA(config)# crypto dynamic-map dyn1 1 set reverse-route
ASA(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
ASA(config)# crypto map mymap interface outside

LAN-to-LAN IPSec VPNs
(ISAKMP)
ASA(config)# isakmp policy 1 authentication pre-share
ASA(config)# isakmp policy 1 encryption 3des
ASA(config)# isakmp policy 1 hash sha
ASA(config)# isakmp policy 1 group 2
ASA(config)# isakmp policy 1 lifetime 43200
ASA(config)# isakmp enable outside
(Transform Set)
ASA(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
(ACL)
ASA(config)# access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0
(Tunnel Group)
ASA(config)# tunnel-group 10.10.4.108 type ipsec-l2l
ASA(config)# tunnel-group 10.10.4.108 ipsec-attributes
ASA(config-ipsec)# pre-shared-key 44kkaol59636jnfx
(Crypto Map)
ASA(config)# crypto map abcmap 1 match address l2l_list
ASA(config)# crypto map abcmap 1 set peer 10.10.4.108
ASA(config)# crypto map abcmap 1 set transform-set FirstSet
ASA(config)# crypto map abcmap interface outside
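Both VPN sections above negotiate IKE with 3DES, SHA-1 and DH group 2, and protect traffic with esp-3des/esp-md5-hmac; current guidance treats DES/3DES, MD5 and DH groups below 14 as weak. The checker below is an added example, not part of the original cheat sheet: it scans a config excerpt for `isakmp policy` and `crypto ipsec transform-set` lines and reports weak settings. The excerpt is constructed from the page's own policy 1 / FirstSet, plus a hypothetical policy 10 / StrongSet added here for contrast.

```python
import re

# Constructed config excerpt: the page's policy 1 and FirstSet, plus a
# hypothetical stronger policy 10 / StrongSet for contrast (not from a device).
SAMPLE_CONFIG = """\
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 14
crypto ipsec transform-set StrongSet esp-aes-256 esp-sha-hmac
"""

# Values current guidance treats as weak: DES/3DES, MD5, DH groups below 14.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORM = {"esp-des", "esp-3des", "esp-md5-hmac"}

POLICY_RE = re.compile(r"^isakmp policy (\d+) (encryption|hash|group) (\S+)$")
TSET_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")


def lint_crypto(config):
    """Return (config line, reason) pairs for weak IKE/IPsec settings."""
    findings = []
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            pol, attr, val = m.groups()
            if val in WEAK[attr]:
                findings.append((line, f"isakmp policy {pol}: weak {attr} {val}"))
            continue
        m = TSET_RE.match(line)
        if m:
            name, transforms = m.groups()
            for t in transforms.split():
                if t in WEAK_TRANSFORM:
                    findings.append((line, f"transform-set {name}: weak transform {t}"))
    return findings


if __name__ == "__main__":
    for cfg_line, reason in lint_crypto(SAMPLE_CONFIG):
        print(f"{reason}  <- {cfg_line}")
```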

Static Routes
route outside 0.0.0.0 0.0.0.0 68.45.123.199 0
route inside 192.168.10.0 255.255.255.0 10.1.2.2 0


Configure access-list
access-list outside_access_in extended remark Allow port 80 to WebServer A
access-list outside_access_in extended permit tcp any host 192.168.2.12 eq 80
access-group outside_access_in in interface outside
(allows traffic destined for 192.168.80.4 on port 80 through the firewall; the access-group line applies the list inbound on the OUTSIDE interface, and until it is applied the list has no effect)

Restoring Factory Defaults
ASAFW(config)# configure factory-default

Configure DHCP
dhcpd dns 10.17.17.32 4.2.2.2
dhcpd wins 10.17.17.32
dhcpd domain rmi.local
dhcpd address 10.17.20.107-10.17.20.126 inside
dhcpd enable inside

Configure Failover/Standby
*Both ASAs in a failover pair must run the same major OS version, or they will not synchronize configurations.

ASA(config)# failover
ASA(config)# int gi0/0
ASA(config-if)# nameif INSIDE
ASA(config-if)# security-level 100
ASA(config-if)# ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
ASA(config)# int gi0/1
ASA(config-if)# nameif OUTSIDE
ASA(config-if)# security-level 0
ASA(config-if)# ip address 63.227.68.2 255.255.255.240 standby 63.227.68.3

ASA(config)# int gi0/3
ASA(config-if)# description ### LAN/STATE Failover Interface! ###
ASA(config-if)# no shutdown

ASA(config)# failover lan unit primary
ASA(config)# failover lan interface failover GigabitEthernet0/3
ASA(config)# failover link failover GigabitEthernet0/3
ASA(config)# failover interface ip failover 192.168.255.1 255.255.255.0 standby 192.168.255.2

ASA-TWO(config)# failover
ASA-TWO(config)# failover lan unit secondary
ASA-TWO(config)# failover lan interface failover GigabitEthernet0/3
ASA-TWO(config)# failover link failover GigabitEthernet0/3
ASA-TWO(config)# failover interface ip failover 192.168.255.1 255.255.255.0 standby 192.168.255.2

Troubleshooting
ASA# show xlate (Shows Translations)
ASA# clear xlate CAUTION USING THIS! ALL SESSIONS IN THE FIREWALL WILL BE BROKEN!
ASA# show conn detail (Shows Connections)

Saving Configuration Changes
ASA# wri mem
ASA# copy run startup-config
ASA# write mem all Saves Configurations for All Contexts
