Tag Archives: ASA

Convert Cisco FTD to ASA firmware

The Cisco firewall comes with the FTD firmware by default, and there are several reasons of using the ASA firmware on this Cisco new firewall. I have attached the steps below to let the Cisco firewall to run the ASA firmware by re-imaging it.

This is the same way to change from ASA firmware to FTD firmware.

Continue reading

Cisco ASA – Site to Site IPSec VPN with dynamic IP address

Setting up a policy based site to site IPSec VPN tunnel with static IP address is quite stright forward in Cisco ASA, but what if one of the end point is using dymanic IP address?
In this lab, I will be using 2 virtual ASA (9.6(2)) to create a site to site IPSec VPN tunnel, as well as setting up Cisco VPN client in one of the ASA with static IP address.
The ASA-F14 is the one with static IP address, and the ASA-F16 is using dynamic IP address.
20161221-mpls-2vrfs
Continue reading

Cisco ASA – simple 1 to 1 NAT and firewall policy setup

For those who had been working with Cisco routers, setting up a Cisco ASA stateful policy is as simple as setting up an ACL.  By default, ASA would drop any TCP connection that doesn’t have a session record created with a sync packet. In that case user doesn’t require to a setup ACL for return traffic like working with routers.
In this example, we have 192.168.104.250/32 as the server in the DMZ and have the have NAT 1 to 1 incoming traffic mapping applied to allow internet user accessing the http service only.
The IP address of the firewall is 10.50.2.10/29, and we will assign the mapping of the server to another external IP address of 10.50.2.11
20161215-vasa-lab-nat Continue reading

Cisco ASA – routing sample

In this post, I will show you guys how to setup a Cisco ASA firewall serves as a layer 3 packet transfer device. The example will be demonstrate with 192.168.3.10/32 machine accessing to 9.9.9.92/32 via IPerf. There is only simple routing and has no NAT involve.
In this setup, the ASA is acting as the gateway between office network and the internet. The 192.168.3.0/24 is the internal subnet and 10.0.0.20/30 is the internet. There are couple areas we have to handle, and they are routing, and policy. Since ASA is a stateful device, we have to apply policy to allow internal network to access external network, but not vise versa.
Continue reading

Cisco ASA – Checking information

Cisco ASA firewall is a security appliance that can perform packet inspection and with limited routing features. For those who are new to this product, it uses different ways to present its information than Cisco routers. There might have some difficulty at first, but since it is using syntax similar with other Cisco products, such as “show run”, and it is not too hard to pick up this product. I will list out some frequently  used commands for troubleshooting purpose.

  1. show run – this is to show the running configuration the cisco ASA is running with.
  2. show run all – this is to show the configuration users had input and as well the default settings that is being run by the ASA.
  3. show ip – this is similar with the “sho ip int br” from other Cisco products, and it displays the address information being set in the ASA.
  4. show nameif – this is to show the association of the interfaces and the “zone”. This “zone” used for differentiate the purpose of each interface, such as “DMZ”, “inside”, “outside”, and etc…
  5. show xlate – this is to show the NAT information with the translated flow. It shares some information with “show nat” too.
  6. show nat – similar with “show xlate”.
  7. show conn – it can be used to show sessions with.
  8. show version – it shows the information of the ASA, including RAM, CPU, serial number of the device, uptime, and license information.
  9. show crypto ikev1 sa – to check the ikev1 active tunnels info.
  10. show crypto ikev2 sa – to check the ikev2 active tunnels info.
  11. show ipsec sa – it shows the ipsec active tunnels info.
  12. show interface – it shows information for the physical interfaces including the MAC address, BW, duplex, speed, as well as CRC errors.

Commands above are for general use, and can be run under “config mode” without the “do”. I will demonstrate more command within my ASA posts.