By: Motasem
May 16, 2016
CISCO ASA Firewall Commands Cheat Sheet [Part 2]

CCNP Security Firewall
The sheet, like its previous part, assumes you have the required knowledge of CCNA, CCNA Security and CCNP, and it could be handy if you are already enrolled in the CCNP Security pathway. Let's begin...

Configuring host name and domain name to create an FQDN for the ASA:

hostname hostname
domain-name domain_name

Note 1: Configuring the above parameters is optional in general, but it is compulsory before you can generate the key pair and CA certificate used for SSH, HTTPS and VPN connections.

Configuring the DNS client on the ASA:

dns domain-lookup inside
dns server-group DefaultDNS
name-server primary_dns_srv_ip
name-server secondary_dns_srv_ip
debug dns all

Note 2: The DNS client must be enabled on an interface that can reach the DNS server on your network. Otherwise, if you don't have a separate DNS server, enable it on all interfaces and assign a public DNS server such as Google's.
Note 2.1: The last command in the DNS client configuration is used to troubleshoot DNS issues.

Configuring secure SSH access for management purposes:

crypto key generate rsa general-keys label 1st-key-pair modulus [512 | 768 | 1024 | 2048]
ssh version 2
ssh ip_addr subnet_mask interface_name
ssh disconnect session_id

Note 3: The IP address in the third command is the network address of the hosts allowed to open SSH sessions on the named interface (for example inside); it can also be a single host IP used to manage the ASA through SSH. For the modulus, 2048 is the size you want in practice; the smaller sizes remain only for legacy compatibility.
Note 3.1: The last command is used to terminate a designated SSH session by its session ID.

Creating local users for management access:

username admin password password_string privilege 15

Note 4: Privileges configured with each user are in the range 0-15, with 0 the lowest privilege and 15 the highest. The keyword "encrypted" that follows the password in "show running-config" output only indicates that the stored hash is being shown; omit it when you type a new cleartext password.
Configure the maximum login attempts into the CLI or ASDM:

aaa local authentication attempts max-fail 3

Recovering lost or forgotten passwords to get access back to the ASA:

- Reboot the ASA.
- Press "ESC" when it prompts you to use "Break".
- You should now be in ROMMON mode.
- Type: confreg 0x41
- Type: boot
- This makes the ASA bypass the startup config file and puts you in user mode.
- Type: enable to enter privileged mode.
- Press Enter.
- Then you are free to configure a new password.
- Reset the configuration register back by typing: config-register 0x1

Note 5: The commands above cannot be entered unless the connection is made through the serial console.
Note 5.1: You can disable password recovery by typing: no service password-recovery

Configure and enable logging on the ASA:

logging enable
logging ftp-bufferwrap
logging ftp-server ftp_srv_ip dest_directory ftp_username ftp_pass
logging timestamp

Note 6: The second and third commands are used to send syslog and debugging messages from the internal buffer to an FTP server whenever the buffer wraps.

Troubleshooting the event log and logging issues:

show logging queue
logging queue 7000
show logging

Note 7: The allowed values for the queue size are in the range 0-8192.

Configuring and enabling the HTTP server on the ASA:

http server enable
http ip_addr subnet_mask {outside | inside}

Configuring storage disks and image booting:

dir disk0:
boot system disk0:/img_name
configure factory-default
clear configure all
clear configure keyword

Note 8: In the first command, "disk0" might be "disk1" or "flash" depending on the platform.
Note 8.1: The second command instructs the ASA to boot from the image specified in the command.
Note 8.2: The third command returns the ASA to its factory settings.
Note 8.3: The "keyword" in the last command is whichever part of the configuration the administrator wants to remove.
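As an added example, not from this cheat sheet or from Cisco: a short Python audit that reads "show running-config" text and flags where the management-access settings above (SSH version, SSH/HTTP source restrictions, login-attempt limit, logging, password recovery) are missing or wide open. The configuration it inspects is a constructed sample, not a real device's.

```python
import re

# Constructed sample of "show running-config" output; not from a real device.
SAMPLE_CONFIG = """\
hostname asa-edge
domain-name example.test
ssh version 2
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
http server enable
http 10.0.0.0 255.255.255.0 inside
logging enable
aaa local authentication attempts max-fail 3
"""

# Source-restriction lines that admit any address on the named interface.
WIDE_OPEN = re.compile(r"(ssh|http) 0\.0\.0\.0 0\.0\.0\.0 \S+$")


def audit_asa_config(config: str) -> dict:
    """Map each management-hardening check to True (pass) or False (finding)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    def has(pattern: str) -> bool:
        # Anchored at the start of a config line, like the ASA's own parser.
        return any(re.match(pattern, l) for l in lines)

    wide_open = [l for l in lines if WIDE_OPEN.match(l)]
    return {
        "hostname_and_domain_set": has(r"hostname \S+") and has(r"domain-name \S+"),
        "ssh_version_2": has(r"ssh version 2$"),
        "ssh_restricted_to_hosts": not any(l.startswith("ssh ") for l in wide_open),
        "http_restricted_to_hosts": not any(l.startswith("http ") for l in wide_open),
        "login_attempts_limited": has(r"aaa local authentication attempts max-fail \d+"),
        "logging_enabled": has(r"logging enable$"),
        "logging_timestamp": has(r"logging timestamp$"),
        "password_recovery_disabled": has(r"no service password-recovery$"),
    }


def findings(config: str) -> list:
    """Names of the checks that failed, sorted for stable output."""
    return sorted(name for name, ok in audit_asa_config(config).items() if not ok)


if __name__ == "__main__":
    for name in findings(SAMPLE_CONFIG):
        print("FINDING:", name)
```

On the sample it reports the world-reachable SSH line on outside, the missing logging timestamps and that password recovery is still enabled, while the restricted HTTP line and the login-attempt limit pass.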
Configure redundant interfaces for failover connectivity:

interface redundant 1
member-interface Ethernet0/0
member-interface Ethernet0/1
no shutdown

Thanks for reading. I hope this was helpful.