ASA 5505
Internet Access
To ensure your remote VPN clients can access the Internet you have two options. The first (and most common) is to enable 'Split Tunneling': only the corporate networks go through the tunnel and the user reaches the Internet from their LOCAL Internet connection. Note that this Internet traffic never touches the ASA, so it is not filtered or inspected by it.
Or you can send all client traffic through the ASA's public Internet connection, known as a 'Tunnel All' solution. This requires hairpinning (traffic enters and leaves on the outside interface) and a NAT rule for the VPN address pool.
Details: https://www.petenetlive.com/KB/Article/0000977
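The two options above as group-policy configuration. This is an added example, not taken from the page or the linked article; the policy names (RA-SPLIT, RA-TUNNELALL, RA-VPN), the ACL and pool names, and all addresses are placeholders.

```cisco
! Added example: split tunneling versus tunnel-all for remote-access VPN (ASA 8.3+).
! Names and addresses below are placeholders.

! Option 1 - split tunneling. Only the networks in the standard ACL are sent
! through the tunnel; everything else (including the Internet) leaves the client's
! local connection and is NOT seen or inspected by the ASA.
access-list SPLIT-TUNNEL-ACL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT-TUNNEL-ACL standard permit 10.20.0.0 255.255.0.0
group-policy RA-SPLIT internal
group-policy RA-SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL

! Option 2 - tunnel all. Client Internet traffic arrives on the outside interface
! and must leave on the same interface (hairpin), so intra-interface traffic has
! to be permitted and the VPN pool needs a PAT rule to the outside address.
group-policy RA-TUNNELALL internal
group-policy RA-TUNNELALL attributes
 split-tunnel-policy tunnelall
same-security-traffic permit intra-interface
ip local pool VPN-POOL 192.168.100.10-192.168.100.100 mask 255.255.255.0
object network OBJ-VPN-POOL
 subnet 192.168.100.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Attach whichever policy you want to the remote-access tunnel group.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy RA-TUNNELALL
```

With tunnel-all, the clients' Internet traffic is now subject to the ASA's outside access policy and logging, at the cost of the ASA's upstream bandwidth; with split tunneling, the pool never needs the hairpin NAT, but a compromised client is bridging the Internet and the corporate network at the same time.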
Show current users and sessions
show ssh sessions
show asdm sessions
show user list
show aaa local user
Show login history
show aaa login-history
Cisco ASA5506-X
Basic Setup:
Cisco Documentation:
https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5506X/5506x-quick-start.html
Active/Standby Failover Configuration:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.html
ssh configuration
Enable SSH access for admin
There are three steps to enable SSH access:
Create a hostname for your ASA
Generate an RSA key pair (2048 bits or larger; 1024-bit keys are obsolete and rejected by current SSH clients)
Configure SSH access to the ASA, and only allow from known IP/networks.
Configuration example:
ASA1(config)# hostname ASA1
ASA1(config)# crypto key generate rsa modulus 2048
WARNING: You have a RSA keypair already defined named
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
! The IP subnets from where you trust to manage the ASA
ssh 12.2.1.0 255.255.255.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 30
ssh version 2
aaa authentication ssh console LOCAL
Create a user that can log in to the ASA remotely (the credentials below are a placeholder; privilege 15 is full administrative access, so use a strong, unique password):
#username cisco password cisco123 privilege 15
Remove a user account
no username test
or
clear configure username test
Then, to authenticate ASDM (HTTPS) and SSH logins against the local user database, enter the following (keywords are case-sensitive; LOCAL must be in upper case):
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
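The three SSH steps and the AAA lines above, put together with the settings that commonly weaken ASA management access and their hardened equivalents. This is an added example, not configuration from the page; the hostname, subnets, interface names and username are placeholders, and the key-exchange and cipher commands need the ASA versions noted in the comments.

```cisco
! Added example: hardened SSH management access on an ASA.
! Hostname, subnets and the username are placeholders.

hostname ASA1

! Weak: crypto key generate rsa modulus 1024
! 1024-bit RSA is obsolete; 2048 is the minimum, 4096 preferred (slow to generate on a 5505).
crypto key generate rsa modulus 4096

! Weak: ssh 0.0.0.0 0.0.0.0 outside   (SSH reachable from the whole Internet)
! Weak: ssh 192.168.0.0 255.255.0.0 inside   (an entire /16 may manage the firewall)
! Allow only the management subnet and the jump host you actually use.
ssh 10.10.99.0 255.255.255.0 inside
ssh 203.0.113.16 255.255.255.240 outside

! Idle timeout is in minutes; keep management sessions short.
ssh timeout 5

! SSHv1 is broken. Force v2 even where it is already the default.
ssh version 2

! ASA 9.12(1)+: SHA-256 key exchange (older releases only offer dh-group14-sha1).
ssh key-exchange group dh-group14-sha256
! ASA 9.1(7)/9.4(1)+: restrict ciphers and MACs to the "high" sets.
! Very old SSH clients will fail to connect; that is the point.
ssh cipher encryption high
ssh cipher integrity high

! Telnet sends credentials in clear text; make sure no telnet statements remain.
clear configure telnet

! Authenticate SSH and ASDM against the local database and lock an account
! after repeated failed logins (unlock with: clear aaa local user lockout username <name>).
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa local authentication attempts max-fail 5
username netadmin password Use-A-L0ng-Unique-Passphrase privilege 15

! Verify what is active:
! show ssh
! show run ssh
! show ssh sessions
```

Check `show ssh` after applying the cipher and key-exchange commands: it lists the exact algorithm sets the ASA will negotiate, which is what an external scan of the management address should agree with.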
NAT/PAT Examples
https://www.networkworld.com/article/2162844/tech-primers/how-to-configure-static-nat-on-a-cisco-asa-security-appliance.html
Open a range of ports
https://community.cisco.com/t5/firewalls/pat-multiple-ports-to-outside-interface-ip/td-p/3043388
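Publishing a contiguous range of TCP ports on the outside interface address to a single inside host, in ASA 8.3+ twice-NAT syntax. This is an added example, not configuration from the linked articles; object names, ACL name, ports and addresses are placeholders.

```cisco
! Added example: static PAT of a port range to the outside interface IP (ASA 8.3+).
! Names, ports and addresses are placeholders.

object network SRV-INSIDE
 host 10.1.1.10

! A service object whose *source* port is the range on the real (inside) host.
object service TCP-5000-5010
 service tcp source range 5000 5010

! Manual (twice) NAT: map the server to the outside interface address and the
! port range to itself. The real and mapped ranges must be the same size;
! a single "nat ... service tcp 80 80" under the object only handles one port.
nat (inside,outside) source static SRV-INSIDE interface service TCP-5000-5010 TCP-5000-5010

! Since 8.3 the access list is written against the REAL address of the server,
! not the translated one. Permit only the published ports, never "ip any".
access-list OUTSIDE-IN extended permit tcp any object SRV-INSIDE range 5000 5010
access-group OUTSIDE-IN in interface outside

! Verify the translation and that traffic is hitting the right ACE:
! show nat detail
! show xlate
! show access-list OUTSIDE-IN
```

If the ACL shows hit counts but the translation does not, the usual cause is that the NAT rule was written with the mapped address in the ACL (pre-8.3 habit) or that a broader object NAT rule above it is matching first; `show nat detail` lists rules in evaluation order.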
Show DHCP IP Leasing
#show dhcpd binding
Clear IP Leasing
#clear dhcpd binding...
Search in show run configuration
"show run interface ..." to check a particular interface
"show run | begin <regex>" to start the output at the first matching line
"show run | include <regex>" to show only matching lines
"show run | section <regex>"
ASA 5506-x Failover Configuration
ASA 5506 VPN
Using Wizard for Site-to-Site VPN
https://www.youtube.com/watch?v=hQXTWqu3Us0
General
ASA Site to Site (Step by Step)
https://www.youtube.com/watch?v=sIbi_bYb2k4
Tunnel Group Configuration
Crypto Maps
ASA 5500 Authentication by Windows Server
Switch Ports Configuration
Troubleshooting ASA
Find in configuration:
show running-config | include
debug crypto isakmp (on ASA 8.4 and later use debug crypto ikev1 and debug crypto ikev2 instead)
debug crypto ipsec
Check current VPN Settings
#show run crypto map
#show run tunnel
#show run object network
#show crypto isakmp sa
#show crypto ipsec sa
#show access-list
#show run access-list
Run Debugging
check the setting:
(config)#show log
Turn on:
(config)# logging on (no logging on to disable)
Sending Debug Output to the Screen:
logging monitor debugging
terminal monitor (disable: 'terminal no monitor', NOT ‘no terminal monitor’)
show crypto debug-condition (sample output):
Crypto conditional debug is turned ON
IKE debug context unmatched flag: OFF
IPSec debug context unmatched flag: OFF
IKE debug context error flag: OFF
IPSec debug context error flag: OFF
IKE peer IP address filters: 1.1.1.1/32
Cisco VPN on Windows 8.1/10 – Reason 442: Failed to enable Virtual Adapter
https://supertekboy.com/2013/10/19/cisco-vpn-on-windows-8-1-reason-442-failed-to-enable-virtual-adapter/
Finding the IP using most of the bandwidth
https://yurisk.info/2008/12/06/finding-the-stationip-usingabusing-most-of-the-bandwidth-pixasa/
#show local-host
#show local-host 192.168.15.103
Show a summary of all:
#show local-host | incl host|count|embryonic
Block an IP (shun drops the host's existing connections and all new ones; shun entries are not saved to the configuration and are lost on reload)
#shun 192.168.15.103
Show blocked IPs
#show shun
Unblock it
#no shun 192.168.15.103
Related to Scanning Attacks & Syn Attacks
#show run threat
Result:
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
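The manual shun above works for a host you have already identified; the three threat-detection lines only log. The configuration below, an added example and not from the page, lets scanning-threat detection shun scanners automatically, with an exception so your own vulnerability scanner and monitoring hosts are never locked out. The object-group name, thresholds and addresses are placeholders.

```cisco
! Added example: automatic shunning of scanning hosts with threat detection.
! Names, thresholds and addresses are placeholders.

threat-detection basic-threat
! Collect per-ACE statistics so "show threat-detection statistics top access-list" works.
threat-detection statistics access-list

! Scanning thresholds: events per second averaged over the interval, plus burst.
! The defaults (average 5, burst 10 over 600 s) are conservative; tune to your traffic.
threat-detection rate scanning-threat rate-interval 600 average-rate 10 burst-rate 20

! Hosts that are allowed to scan (internal vulnerability scanner, monitoring box).
! Without this exception your own scanner gets shunned on its first sweep.
object-group network SCANNER-EXCEPTIONS
 network-object host 10.10.99.50
 network-object host 10.10.99.51
threat-detection scanning-threat shun except object-group SCANNER-EXCEPTIONS

! Automatic shuns expire after this many seconds (default 3600).
! A manual "shun <ip>" never expires; neither kind survives a reload.
threat-detection scanning-threat shun duration 3600

! Operations:
! show threat-detection shun                        -> hosts shunned by threat detection
! show shun                                         -> all shuns, manual and automatic
! show threat-detection statistics top access-list  -> which ACEs are being hit hardest
! clear threat-detection shun 192.0.2.44            -> release one auto-shunned host
! clear threat-detection shun                       -> release all of them
```

Automatic shunning blocks on source address alone, so a scan from behind a NAT gateway shuns everyone behind it; that is the trade-off to weigh before enabling it on an interface that serves partner or guest networks.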
New Firepower 1010 (replacement for the ASA 5506-X)
https://www.youtube.com/watch?v=Vpt7217QIn0&t=163s
Listing Users Already Created
#show aaa local user
More details about users and user privileges
1. Enable command authorization (LOCAL here means the command authorization rules are kept on the firewall itself rather than on a AAA server):
aaa authorization command LOCAL
2. Define which commands a level may run; for example, these two let a user at privilege level 5 view and clear crypto tunnels:
privilege show level 5 command crypto
privilege clear level 5 command crypto
3. Create a user and assign the privilege level to her/him :
username userName password userPass privilege 5
4. Create an enable password for the new privilege level :
enable password enablePass level 5
Now when the user logs in they can type:
enable 5
and enter the password from step 4; they will then be able to run the crypto commands above, and nothing assigned to a higher level.
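The four steps above as one configuration, followed by a variant that replaces the shared level-5 enable password with per-user authentication. This is an added example, not configuration from the page; the usernames and passwords are placeholders.

```cisco
! Added example: a restricted level-5 operator with command authorization.
! Usernames and passwords are placeholders.

aaa authentication ssh console LOCAL

! Step 1: without this, privilege levels on username commands have no effect.
aaa authorization command LOCAL

! Step 2: lower only the crypto show/clear commands to level 5. Everything not
! listed keeps its default level; "configure" stays at 15, so a level-5 user
! cannot enter configuration mode.
privilege show level 5 command crypto
privilege clear level 5 command crypto

! Step 3: a tier-1 operator at level 5 and an administrator at level 15.
username ops1 password Ops1-L0ng-Placeholder privilege 5
username netadmin password Adm1n-L0ng-Placeholder privilege 15

! Step 4 as written: a shared enable password for level 5.
! Anyone who learns it reaches level 5 regardless of who they logged in as.
enable password L3vel5-Placeholder level 5

! Better: make "enable" check the user's own password and put each user at
! their assigned level automatically on login (auto-enable needs ASA 9.2+).
aaa authentication enable console LOCAL
aaa authorization exec LOCAL auto-enable

! Verify:
! show running-config privilege level 5   -> exactly the crypto show/clear commands
! show curpriv                           -> current user and privilege level
! As ops1: "show crypto isakmp sa" succeeds, "configure terminal" is refused
! by command authorization, and "enable 15" fails without netadmin's password.
```

Per-user enable also makes `show aaa login-history` and the syslog trail attributable to a person instead of to whoever held the shared level-5 secret.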
---
To add a user to the security appliance database, enter the username command in global configuration mode. To remove a user, use the no version of this command with the username you want to remove. To remove all usernames, use the no version of this command without appending a username.
username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]
This privilege level is used with command authorization.
no username name
----------
In general you can also use this shorter form of the username command for a simple configuration:
username <name> password <password> privilege <level>
i.e. (level 15 allows full EXEC access as well as all ASDM features):
username sachingarg password HC!@%$#@! privilege 15
The default privilege level is 2.
Remember, as said above, that privilege levels (1-15) have little effect unless command authorization is enabled:
aaa authorization command LOCAL
---
Viewing Command Privilege Levels
The following commands let you view privilege levels for commands.
•To show all commands, enter the following command:
hostname(config)# show running-config all privilege all
•To show commands for a specific level, enter the following command:
hostname(config)# show running-config privilege level level
The level is an integer between 0 and 15.
•To show the level of a specific command, enter the following command:
hostname(config)# show running-config privilege command command
For example, for the show running-config all privilege all command, the system displays the current assignment of each CLI command to a privilege level. The following is sample output from the command.
hostname(config)# show running-config all privilege all
privilege show level 15 command aaa
privilege clear level 15 command aaa
privilege configure level 15 command aaa
privilege show level 15 command aaa-server
privilege clear level 15 command aaa-server
privilege configure level 15 command aaa-server
privilege show level 15 command access-group
privilege clear level 15 command access-group
privilege configure level 15 command access-group
privilege show level 15 command access-list
privilege clear level 15 command access-list
privilege configure level 15 command access-list
privilege show level 15 command activation-key
privilege configure level 15 command activation-key
....
The following command displays the command assignments for privilege level 10:
hostname(config)# show running-config privilege level 10
privilege show level 10 command aaa
The following command displays the command assignment for the access-list command:
hostname(config)# show running-config privilege command access-list
privilege show level 15 command access-list
privilege clear level 15 command access-list
privilege configure level 15 command access-list
ciscoasa5520# show run all username
ciscoasa5520# show run all privilege | grep pwd