ASA 5505

Internet Access
To let remote VPN clients reach the Internet you have two options. The first (and most common) is to enable 'Split Tunneling': only traffic for the corporate networks goes through the tunnel, and the user reaches the Internet from their LOCAL Internet connection.

Or you can send all client traffic through the tunnel and out of the ASA's public Internet connection. This is known as a 'Tunnel All' solution; it needs the ASA to hairpin the traffic back out of the outside interface and to NAT the VPN address pool.
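Both options as ASA configuration, added here as an example (not config from the original page). The group-policy names, the 10.10.0.0/16 corporate network and the 192.168.50.0/24 VPN pool are assumptions; the split-tunnel policy is the only difference between the two group policies, the hairpin and NAT lines are what Tunnel All needs on top.

```cisco
! Option 1: split tunneling. Only traffic to the corporate LAN (10.10.0.0/16, assumed)
! enters the tunnel; everything else leaves via the client's local Internet link.
access-list SPLIT-TUNNEL standard permit 10.10.0.0 255.255.0.0
group-policy RA-SPLIT internal
group-policy RA-SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Option 2: tunnel all. Client Internet traffic arrives on 'outside' and must leave on
! 'outside' again, so same-interface hairpinning and a NAT rule for the pool are required.
ip local pool RA-POOL 192.168.50.10-192.168.50.250 mask 255.255.255.0
group-policy RA-ALL internal
group-policy RA-ALL attributes
 split-tunnel-policy tunnelall
same-security-traffic permit intra-interface
object network RA-POOL-NET
 subnet 192.168.50.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Confirm which policy a connected user received and that the hairpin NAT is hit
show vpn-sessiondb detail anyconnect
show nat detail
```

Split tunneling means the client is on two networks at once and the corporate filtering never sees its web traffic; Tunnel All gives you that visibility but spends ASA bandwidth on every client download, so size the outside link accordingly.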


Cisco ASA5506-X

Basic Setup:

Basic Cisco ASA 5506-x Configuration Example

Cisco Documentation:

Active/Standby Failover Configuration:

SSH Configuration
Enable SSH access for admin

There are three steps to enable SSH access:

Create a hostname for your ASA
Generate an RSA key
Configure SSH access to the ASA, and only allow it from known IPs/networks.
Configuration example:

ASA1(config)# hostname ASA1
ASA1(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
! The IP subnets from where you trust to manage the ASA
ssh <trusted-subnet> <mask> outside
ssh <trusted-subnet> <mask> inside
ssh timeout 30
ssh version 2
aaa authentication ssh console LOCAL

Create a user to log in to the ASA remotely (cisco/cisco123 below is only a placeholder; use a unique username and a strong password):

#username cisco password cisco123 privilege 15

Then assign local authentication to ASDM (HTTP) and SSH. The keyword LOCAL is case sensitive and must be typed in upper case:

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL
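The three steps above as one hardened configuration, added here as an example rather than the page's own config. It replaces the 1024-bit key with a 2048-bit one, names the trusted management sources instead of leaving them open, and uses a named administrator. The hostname, domain, subnets and username are assumptions, and the key-exchange command assumes an ASA 9.1(2) or later release.

```cisco
hostname ASA1
domain-name corp.example.com
! 2048-bit key instead of 1024: 1024-bit RSA is weak and recent ASA releases refuse it for SSH
crypto key generate rsa modulus 2048
! Only the admin subnet on the inside and a single jump host on the outside may reach SSH
ssh 10.10.20.0 255.255.255.0 inside
ssh 203.0.113.10 255.255.255.255 outside
ssh timeout 10
ssh version 2
! Stronger key exchange than the default group 1 (needs 9.1(2)+)
ssh key-exchange group dh-group14-sha1
! A named administrator with a strong passphrase rather than cisco/cisco123
username netadmin password <strong-passphrase> privilege 15
! LOCAL must be upper case
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
! Verify the allowed sources and who is currently connected
show run ssh
show ssh sessions
```

If you are configuring this over SSH from the outside, add your own address to the `ssh` list before removing any existing wider entry, or you will cut your session off.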

NAT/PAT Examples

Open a range of ports
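An added example of exposing a port range on an inside server through the outside interface address, not config from the original page. It uses twice NAT with a service object; the server address, the 8000-8010 range and the object names are assumptions, and it assumes a 9.x ASA where static twice NAT accepts port ranges.

```cisco
! Real server on the inside and the block of ports to expose
object network WEB-SERVER
 host 10.10.30.5
object service SVC-APP-PORTS
 service tcp source range 8000 8010
! Twice NAT: 10.10.30.5:8000-8010 becomes <outside address>:8000-8010.
! In twice NAT the 'source' port of the service object is the real (inside) host's port.
nat (inside,outside) source static WEB-SERVER interface service SVC-APP-PORTS SVC-APP-PORTS
! Post-8.3 ACLs match the real address and real ports, not the translated ones
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER range 8000 8010
access-group OUTSIDE-IN in interface outside
! Confirm the translation exists and the ACL is being hit
show nat detail
show access-list OUTSIDE-IN
```

Keep the ACL as narrow as the range itself; a `permit tcp any object WEB-SERVER` without the port range would expose every other service on the server that is reachable through the NAT.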

Show DHCP IP leases
#show dhcpd binding

Clear DHCP IP leases
#clear dhcpd binding...

Troubleshooting ASA

debug crypto isakmp
debug crypto ipsec

Check current VPN Settings
#show run crypto map
#show run tunnel
#show run object network
#show crypto isakmp sa
#show crypto ipsec sa
#show access-list
#show run access-list

Run Debugging
Check the current setting:
(config)# show logging

Turn on (ASA syntax is 'logging enable'; 'no logging enable' to disable):
(config)# logging enable

Sending Debug Output to the Screen:
logging monitor debugging
terminal monitor (disable: 'terminal no monitor', NOT ‘no terminal monitor’)
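An added example of a logging setup that keeps debug output off the console and captures it in the buffer and on a syslog server instead; this is not config from the original page, and the collector address is an assumption.

```cisco
logging enable
logging timestamp
! Buffer large enough to hold a burst of IKE/IPsec debug output
logging buffer-size 65536
logging buffered debugging
! Debug-level console logging can stall the box; keep the console quiet
no logging console
! Everything at informational and above to the collector on the inside (address assumed)
logging host inside 10.10.20.50
logging trap informational
! Read the buffer filtered to VPN messages, then clear it between test runs
show logging | include IKE|IPSEC
clear logging buffer
```

Remember to `undebug all` (or `no debug crypto isakmp` / `no debug crypto ipsec`) when you are finished; debugs stay on until removed and cost CPU on a busy firewall.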

show crypto debug-condition (sample output):
Crypto conditional debug is turned ON
IKE debug context unmatched flag: OFF
IPSec debug context unmatched flag: OFF
IKE debug context error flag: OFF
IPSec debug context error flag: OFF
IKE peer IP address filters:

Cisco VPN on Windows 8.1/10 – Reason 442: Failed to enable Virtual Adapter

Finding the IP using the most bandwidth (show local-host reports per-host connection counts, which is usually the quickest pointer to the busiest host)

#show local-host
Show a summary of all:
#show local-host | incl host|count|embryonic

Block an IP connection
#shun <ip>

Show blocked IPs
#show shun

Unblock it
#no shun <ip>

Related to Scanning Attacks & SYN Attacks
#show run threat
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
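Manual shunning and automatic shunning via scanning-threat detection together, as an added example that is not from the original page. The attacker address and the 10.10.20.0/24 management subnet are assumptions.

```cisco
! Manual block: drop every existing connection from this source (address assumed) and
! silently discard new ones. Shuns stay until removed and do not survive a reload.
shun 198.51.100.23
show shun
no shun 198.51.100.23

! Automatic version. basic-threat is on by default; scanning-threat with 'shun' blocks
! hosts the ASA classifies as scanners. Exclude the management subnet so a vulnerability
! scanner or a busy admin host cannot lock you out of your own firewall.
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.10.20.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics host

! Watch what is being classified before trusting auto-shun in production
show threat-detection rate
show threat-detection scanning-threat
show threat-detection shun
```

Run `threat-detection scanning-threat` without `shun` first and review `show threat-detection scanning-threat` for a few days; legitimate hosts (monitoring, backup, mail relays) often show up as attackers and belong in the except list.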

ASA Logging

Cisco ASA Devices