CISCO ASA Firewall Commands Cheat Sheet [Part 2]

May 16, 2016 | Views: 10114

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

CCNP Security Firewall

CISCO ASA Firewall Commands Cheat Sheet – Part 2

The sheet, and its previous part, assume you have the required knowledge of CCNA, CCNA Security, CCNP and could be handy if you’re already enrolled in CCNP Security pathway.

Let’s begin…


Configuring host name and domain name to create FQDN for the ASA:

Hostname hostname

Domain-name domain_name

Note 1: Configuring the above parameters is optional but it’s compulsory to create and generate CA for SSH, HTTPS and VPN connections


Configuring DNS client on ASA:

Dns domain-lookup inside

Dns server-group DefaultDNS

Name-server   primary_dns_srv_ip

Name-server  secondary_dns_srv_ip

Debug dns all

Note 2: The DNS client must be enabled on an interface that can reach the DNS server on your network. Otherwise, if you don’t have a separate DNS server, then enable it on all interfaces and assign global DNS server like Google.

Note 2.1: The last command in DNS client configuration is used to troubleshoot DNS issues.


Configuring Secure SSH access or management purposes:

Crypto key generate rsa general-keys label 1st-key-pair modulus [size:512,768,1024,2048]

Ssh version 2

Ssh ip_addr  subnet_mask

Ssh disconnect

Note 3: The IP address in the second command is the network address for allowed hosts to perform SSH sessions or it could be single IP used to manage ASA through SSH.

Note 3.1: The last command used to terminate a designated SSH session.


Creating local users for management access

Username admin password password encrypted privilege 15

Note 4: Privileges configured with each user are in range between 0-15 with 0 dictating the lowest privilege and 15 for the highest privilege.


Configure maximum login attempts into CLI or ASDM

Aaa local authentication attempts max-fail 3

Recovering lost or forgotten passwords to get access back to ASA

ü  Reboot the ASA

ü  Press “ESC” button when it prompts you to use “Break”

ü  It’s supposed that you are in ROMMON mode now

ü  Type: “confreg 0x41”

ü  Type: “boot”

ü  This will get the ASA to bypass the startup config file and gets you in use mode

ü  Type: “enable” to enable the privileged mode

ü  Press enter

ü  Then you’re free to configure new password

ü  Reset the configuration register back by typing: “config-register 0x1

Note 5: The commands above could not be configured unless the connection is made through serial console.

Note 5.1: You could disable password recovery by typing: “no service password-recovery”


Configure and Enable logging on ASA

Logging enable

Logging ftp-bufferwrap

Logging ftp-server ftp_srv_ip  dest_directory  ftp_username ftp_pass

Logging timestamp

Note 6: The second and third commands are used to send syslog messages and debugging messages from internal buffer memory into an FTP server.


Troubleshooting event log and logging issues

Show logging queue

Logging queue 7000

Show logging

Note 7: The allowed values for increasing the size of queue value are between [0-8192].


Configuring and enabling HTTP server on ASA

http server enable

http ip-addr subnet-mask outside OR inside


Configuring storage disks and image booting

Dir disk0:

Boot config disk0:/img_name

Configure factory-default

Clear configure all

Clear configure [keyword]

Note 7: In the first command “ disk0” might be “disk1” or “Flash”.

Note 7.1: The second command instructs the ASA  to boot from the specified image in the command.

Note 7.2: The third command will return the ASA back to its factory settings

Note 7.4: The “keyword” in the last command could be anything the administrator wants to remove the configuration that belongs to.


Configure redundant interfaces as a failover connectivity

Interface redundant 1

Member-interface eth0/0

Member-interface eth0/1

No shutdown


Thanks for reading. I hope this was helpful.

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. awesome

Page 2 of 2«12
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?