ASA 5505

Internet Access
To ensure your remote VPN clients can access the Internet, you have two options. The first (and most common) is to enable 'Split Tunneling', which lets the user access the Internet from their LOCAL Internet connection.

Or you can provide Internet access via the ASA's public Internet connection; this is known as a 'Tunnel All' solution.

Details: https://www.petenetlive.com/KB/Article/0000977

Cisco ASA5506-X

Basic Setup:

Basic Cisco ASA 5506-x Configuration Example

Cisco Documentation:
https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5506X/5506x-quick-start.html

Active/Standby Failover Configuration:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.html

ssh configuration
Enable SSH access for admin

There are three steps to enable SSH access:

1. Create a hostname for your ASA.
2. Generate an RSA key.
3. Configure SSH access to the ASA, and only allow it from known IPs/networks.

Configuration example:

ASA1(config)# hostname ASA1
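! A 1024-bit RSA modulus is weak by current standards; use 2048 or larger where the platform supports it
ASA1(config)# crypto key generate rsa modulus 1024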
WARNING: You have a RSA keypair already defined named .
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
! The IP subnets you trust to manage the ASA

ssh 12.2.1.0 255.255.255.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 30
ssh version 2
aaa authentication ssh console LOCAL

Create a user to log in to the ASA remotely

#username cisco password cisco123 privilege 15

Then, to assign local authentication to ASDM and SSH, enter the following commands, which are case sensitive:

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL
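
To check that a saved configuration actually follows the three steps above, the sketch below audits the SSH management lines of a running-config. It is an added example, not part of the original notes or any Cisco tool; the function name audit_ssh, the /16 breadth threshold and the sample config are assumptions made for illustration.

```python
import ipaddress

# Constructed running-config excerpt (not from a real device); the command
# forms are the ones shown in the notes above.
SAMPLE_CONFIG = """\
hostname ASA1
ssh 12.2.1.0 255.255.255.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
aaa authentication http console LOCAL
"""

def audit_ssh(config, untrusted=("outside",), min_prefix=16):
    """Return findings for the SSH management settings (hypothetical helper)."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    sources = []
    for line in lines:
        parts = line.split()
        # Source rules look like: ssh <network> <netmask> <interface>
        if len(parts) == 4 and parts[0] == "ssh":
            try:
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            except ValueError:
                continue  # e.g. some other 4-word ssh command
            sources.append((net, parts[3]))
    if not sources:
        findings.append("no 'ssh <network> <mask> <interface>' rule found")
    for net, iface in sources:
        # Assumption: anything wider than /min_prefix on an untrusted
        # interface is too broad for management access.
        if iface in untrusted and net.prefixlen < min_prefix:
            findings.append(f"{net} allowed on {iface}: source range too broad")
    if "ssh version 2" not in lines:
        findings.append("'ssh version 2' missing: older software may accept SSHv1")
    if "aaa authentication ssh console LOCAL" not in lines:
        findings.append("'aaa authentication ssh console LOCAL' missing")
    if not any(l.startswith("ssh timeout ") for l in lines):
        findings.append("'ssh timeout' not set explicitly")
    return findings

if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed it the text of 'show run' saved from the device; an empty list means the SSH lines match the pattern in these notes.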

NAT/PAT Examples
https://www.networkworld.com/article/2162844/tech-primers/how-to-configure-static-nat-on-a-cisco-asa-security-appliance.html

Open a range of ports
https://community.cisco.com/t5/firewalls/pat-multiple-ports-to-outside-interface-ip/td-p/3043388

Show DHCP IP Leasing
#show dhcpd binding

Clear IP Leasing
#clear dhcpd binding...

Troubleshooting ASA

debug crypto isakmp
debug crypto ipsec

Check current VPN Settings
#show run crypto map
#show run tunnel
#show run object network
#show crypto isakmp sa
#show crypto ipsec sa
#show access-list
#show run access-list

Run Debugging
Check the setting:
(config)#show log

Turn on:
(config)#logging on (use 'no logging on' to disable)

Sending Debug Output to the Screen:
logging monitor debugging
terminal monitor (disable: 'terminal no monitor', NOT ‘no terminal monitor’)

sh crypto debug-condition:
Crypto conditional debug is turned ON
IKE debug context unmatched flag: OFF
IPSec debug context unmatched flag: OFF
IKE debug context error flag: OFF
IPSec debug context error flag: OFF
IKE peer IP address filters: 1.1.1.1/32

Cisco VPN on Windows 8.1/10 – Reason 442: Failed to enable Virtual Adapter
https://supertekboy.com/2013/10/19/cisco-vpn-on-windows-8-1-reason-442-failed-to-enable-virtual-adapter/


Finding IP using most of the bandwidth

https://yurisk.info/2008/12/06/finding-the-stationip-usingabusing-most-of-the-bandwidth-pixasa/

#show local-host

#show local-host 192.168.15.103

Show a summary of all:
#show local-host | incl host|count|embryonic

Block an IP connection
#shun 192.168.15.103

Show blocked IPs
#show shun

Unblock it
#no shun 192.168.15.103

Related to Scanning Attacks & Syn Attacks
#show run threat
Result:
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics

ASA Logging
https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html

Cisco ASA Devices