This post uses a Cisco ASA 5515-X running software version 9.1(2) as the configuration example. Here are some basic steps I recorded while configuring it.


1. Check System Version and Module:

ciscoasa(config)# sh ver

Cisco Adaptive Security Appliance Software Version 9.1(2) 
Device Manager Version 7.1(3)

Compiled on Thu 09-May-13 16:20 PDT by builders
System image file is "disk0:/asa912-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 7 days 18 hours

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0024
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is 7426.acc8.e4df, irq 11
 1: Ext: GigabitEthernet0/0  : address is 7426.acc8.e4e3, irq 10
 2: Ext: GigabitEthernet0/1  : address is 7426.acc8.e4e0, irq 10
 3: Ext: GigabitEthernet0/2  : address is 7426.acc8.e4e4, irq 5
 4: Ext: GigabitEthernet0/3  : address is 7426.acc8.e4e1, irq 5
 5: Ext: GigabitEthernet0/4  : address is 7426.acc8.e4e5, irq 10
 6: Ext: GigabitEthernet0/5  : address is 7426.acc8.e4e2, irq 10
 7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
 8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
 9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
10: Ext: Management0/0       : address is 7426.acc8.e4df, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5515 Security Plus license.

Serial Number: FCH100871J
Running Permanent Activation Key: 0xd516745 0x38b8dee 0x2533184 0xc09147c 0x001f093 
Configuration register is 0x1
Configuration last modified by enable_15 at 07:55:47.355 UTC Wed Apr 16 2014

ciscoasa(config)# show module      

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515            FCH180871J
 ips Unknown                                      N/A                FCH180871J
cxsc Unknown                                      N/A                FCH180871J

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 7426.acc8.e4df to 7426.acc8.e4e6  1.0          2.1(9)8      9.1(2)
 ips 7426.acc8.e4dd to 7426.acc8.e4dd  N/A          N/A
cxsc 7426.acc8.e4dd to 7426.acc8.e4dd  N/A          N/A

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips Unknown                        No Image Present Not Applicable
cxsc Unknown                        No Image Present Not Applicable

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
 ips Unresponsive       Not Applicable
cxsc Unresponsive       Not Applicable

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
 ips IPS Module     Disabled        perpetual

2. Set up ASDM Access

interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.9.200.31 255.255.255.0
 no shutdown

http server enable
http 10.9.200.0 255.255.255.128 management

ssh 10.9.200.0 255.255.255.128 management

Browse to https://10.9.200.31/admin and install the ASDM launcher.

Note: leave the username and password empty and click OK. This only works because no HTTP authentication (aaa authentication http console) is configured yet, so ASDM falls back to a blank username and the enable password, which is also blank on a fresh box. Set an enable password and local AAA (section 3) before the appliance is left reachable on the network.

3. Set up SSH Access on Management Interface

ciscoasa(config)# username admin password admin
ciscoasa(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait…
ciscoasa(config)# write memory
Building configuration…
Cryptochecksum: 67435a18 4790aaff 7584afa7 d28c43c0 

2837 bytes copied in 0.680 secs
[OK]

ciscoasa(config)# aaa authentication ssh console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
ciscoasa(config)# username test password test

ciscoasa(config)# ssh 10.9.200.0 255.255.255.0 management 
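Sections 2 and 3 get ASDM and SSH working, but with throwaway credentials (admin/admin, test/test), no HTTP authentication and the 9.1 default SSH key-exchange group. The following is an added example, not configuration from the original post, that puts the hardened equivalent beside those settings; the netadmin account, the <strong-passphrase> placeholders and the 10.9.200.0/25 admin range are assumptions:

```cisco
! Management access hardened (ASA 9.1 syntax). Replace <strong-passphrase> before use.
!
! 1. Privileged local account and an enable password. The blank default enable
!    password is what let ASDM log in with an empty username in section 2.
enable password <strong-passphrase>
username netadmin password <strong-passphrase> privilege 15
no username admin
no username test
!
! 2. Every management path authenticates against the local database, and an
!    account is locked after five consecutive bad passwords until an admin
!    runs "clear aaa local user lockout username <name>".
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa local authentication attempts max-fail 5
!
! 3. ASDM over HTTPS, only from the admin half of the management subnet,
!    only on the management-only interface.
http server enable
http 10.9.200.0 255.255.255.128 management
!
! 4. SSH: 2048-bit host key, protocol 2 only, the stronger key-exchange group
!    (the default shown in the 9.1 configs below is dh-group1-sha1), short idle timeout.
crypto key generate rsa modulus 2048
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh timeout 10
ssh 10.9.200.0 255.255.255.128 management
!
! 5. Telnet stays disabled (no "telnet <net> <mask> <ifc>" lines) and the management
!    interface keeps "management-only", so it can never be used as a transit path.
write memory
```

Verify with show run aaa, show ssh and show run http. After this change ASDM prompts for the local username instead of accepting an empty one, and SSH clients that only offer dh-group1 are refused, which is the intended effect.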

4. Basic Setup and Examples

Note: the nameif, security-level and VLAN examples below use ASA 5505 syntax (VLAN interfaces plus switchport assignments). The 5515-X has no switchports; apply nameif, security-level and ip address directly to the GigabitEthernet interfaces, as done for Management0/0 in section 2.

  • nameif
      ciscoasa(config)# interface vlan1
      ciscoasa(config-if)# nameif inside
      INFO: Security level for "inside" set to 100 by default.

  • security-level
      ciscoasa(config-if)# interface vlan3
      ciscoasa(config-if)# nameif dmz
      ciscoasa(config-if)# security-level 50

  • interface or VLAN IP address (without a mask the ASA uses the classful default)
      ciscoasa(config-if)# interface vlan 1
      ciscoasa(config-if)# ip address 192.168.106.1

      ciscoasa(config-if)# interface ethernet 0/1
      ciscoasa(config-if)# switchport access vlan 1
      ciscoasa(config-if)# no shutdown

  • Route (default route via 1.1.1.1 on the outside interface; "0 0" is shorthand for 0.0.0.0 0.0.0.0)
      ciscoasa(config)# route outside 0 0 1.1.1.1

  • Test the configuration with packet-tracer
      Simulate a TCP packet entering the inside interface from 192.168.0.125, source port 12345, destined to 203.0.113.1 port 80:
      ciscoasa# packet-tracer input inside tcp 192.168.0.125 12345 203.0.113.1 80

      Simulate a TCP packet entering the outside interface from 192.0.2.123, source port 12345, destined to 198.51.100.101 port 80:
      ciscoasa# packet-tracer input outside tcp 192.0.2.123 12345 198.51.100.101 80

      5. Transparent or Routed Firewall

      In transparent mode, unicast IPv4 and IPv6 traffic is allowed through the firewall automatically from a higher security interface to a lower security interface, without an ACL.

      Broadcast and multicast traffic can be passed using access rules.

      The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.
      • TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
      • IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
      • IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
      • BPDU multicast address equal to 0100.0CCC.CCCD
      • AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

      The transparent mode ASA does not pass CDP packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. An exception is made for BPDUs and IS-IS, which are supported.

      To prevent loops using the Spanning Tree Protocol, BPDUs are passed by default. To block BPDUs, you need to configure an EtherType ACL to deny them. If you are using failover, you might want to block BPDUs to prevent the switch port from going into a blocking state when the topology changes.

      When the ASA runs in transparent mode, the outgoing interface of a packet is determined by performing a MAC address lookup instead of a route lookup. Route lookups, however, are necessary for the following traffic types:
      • Traffic originating on the ASA
      • Traffic that is at least one hop away from the ASA with NAT enabled
      • Voice over IP (VoIP) and DNS traffic with inspection enabled, where the endpoint is at least one hop away from the ASA

      By default, all ARP packets are allowed through the ASA. You can control the flow of ARP packets by enabling ARP inspection.

      Because the ASA is a firewall, if the destination MAC address of a packet is not in the table, the ASA
      does not flood the original packet on all interfaces as a normal bridge does. Instead, it generates the
      following packets for directly connected devices or for remote devices:
      • Packets for directly connected devices—
      • Packets for remote devices—

      Transparent Mode Default Settings – The default mode is routed mode.
      • By default, all ARP packets are allowed through the ASA.
      • If you enable ARP inspection, the default setting is to flood non-matching packets.
      • The default timeout value for dynamic MAC address table entries is 5 minutes.
      • By default, each interface automatically learns the MAC addresses of entering traffic, and the ASA
      adds corresponding entries to the MAC address table.
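The points above (BPDU forwarding, ARP inspection, MAC table aging, the BVI address needed for the ASA's own traffic) map onto a small configuration. The following is an added example for ASA 9.1 transparent mode, not configuration from the original post; the interface roles, the 192.168.50.0/24 addresses and the MAC addresses are assumptions. Note that firewall transparent clears the running configuration, so enter it first and from the console:

```cisco
! Transparent (Layer 2) firewall, ASA 9.1 syntax. "firewall transparent" wipes the
! running config, so it is the first command and is entered from the console.
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
 no shutdown
!
! The only IP address lives on the bridge-group virtual interface. It is the source
! for the ASA's own traffic and for the ARP/ping probes it sends to learn egress ports.
interface BVI1
 ip address 192.168.50.10 255.255.255.0
!
! BPDUs are forwarded by default. Deny them on both member interfaces so a failover
! switchover cannot trigger STP recalculation on the adjacent switches. An EtherType
! ACL has an implicit deny at the end, so "permit any" must follow the deny.
access-list NO_BPDU ethertype deny bpdu
access-list NO_BPDU ethertype permit any
access-group NO_BPDU in interface inside
access-group NO_BPDU in interface outside
!
! ARP inspection: pin the gateway (outside) and one protected server (inside), then
! drop, instead of flooding (the default), any ARP whose IP/MAC/interface does not match.
arp outside 192.168.50.1 0011.2233.4455
arp inside 192.168.50.20 0011.2233.6677
arp-inspection outside enable no-flood
arp-inspection inside enable no-flood
!
! Static MAC entry for the gateway and a longer aging time than the 5-minute default.
mac-address-table static outside 0011.2233.4455
mac-address-table aging-time 15
```

With no-flood, only ARP packets that match a static arp entry are forwarded, so every host that must be reachable across the bridge needs an entry; start with the default flood behaviour if the host list is not fully known. Confirm the learned table with show mac-address-table and the inspection state with show arp-inspection.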

      6. Multiple Context Mode

      ciscoasa(config)# mode multiple 
      WARNING: This command will change the behavior of the device
      WARNING: This command will initiate a Reboot
      Proceed with change mode? [confirm] 
      Convert the system configuration? [confirm] 
      !!
      The old running configuration file will be written to flash
      Converting the configuration – this may take several minutes for a large configuration
      The admin context configuration will be written to flash
      The new running configuration file was written to flash
      Security context mode: multiple 

      ***
      *** — SHUTDOWN NOW —
      ***
      *** Message to all terminals:
      ***
      ***   change mode

      ciscoasa/admin# show context detail 
      Context “admin”, has been created
        Config URL: disk0:/admin.cfg
        Interfaces: GigabitEthernet0/0, GigabitEthernet0/5, Management0/0
        IPS Sensors: 
        Class: default, Flags: 0x00000813, ID: 1

      ciscoasa/admin# changeto system 
      ciscoasa# show context 
      Context Name      Class      Interfaces           Mode         URL
      *admin            default    GigabitEthernet0/0,  Routed       disk0:/admin.cfg
                                   GigabitEthernet0/5, 
                                   Management0/0       
       Test             default    GigabitEthernet0/1   Routed       disk0:/sample_context.cfg

      Total active Security Contexts: 2

      ciscoasa(config-ctx)# show configuration 
      : Saved
      : Written by enable_15 at 15:23:23.089 EDT Fri May 16 2014
      !
      ASA Version 9.1(2) <system>
      !
      hostname ciscoasa
      enable password gszFpnIcgTCoPiuN encrypted
      no mac-address auto
      !
      interface GigabitEthernet0/0
      !
      interface GigabitEthernet0/1
       shutdown
      !
      interface GigabitEthernet0/2
       shutdown
      !
      interface GigabitEthernet0/3
       shutdown
      !
      interface GigabitEthernet0/4
       shutdown
      !
      interface GigabitEthernet0/5
      !
      interface Management0/0
      !
      class default
        limit-resource All 0
        limit-resource ASDM 5
        limit-resource SSH 5
        limit-resource Telnet 5
      !

      banner login 
      banner login ‘
      banner login You have logged in to a secure device.
      banner login If you are not authorized to access this
      banner login device, log out immediately or risk possible criminal consequences.
      banner motd 
      boot system disk0:/asa912-smp-k8.bin
      ftp mode passive
      clock timezone EST -5
      clock summer-time EDT recurring
      pager lines 24
      no failover
      asdm image disk0:/asdm-713.bin
      no asdm history enable
      arp timeout 14400
      no arp permit-nonconnected
      console timeout 0

      admin-context admin
      context admin
        allocate-interface GigabitEthernet0/0 
        allocate-interface GigabitEthernet0/5 
        allocate-interface Management0/0 
        config-url disk0:/admin.cfg
      !

      context Test
        description This is a context for test customer A
        allocate-interface GigabitEthernet0/1 interface1 
        allocate-interface GigabitEthernet0/2 
        config-url disk0:/sample_context.cfg
      !

      username test password P4ttSyrm33SV8TYp encrypted

      prompt hostname context 
      no call-home reporting anonymous
      Cryptochecksum:58e3ee4507ba1ced5b2adaa4f1b150f0


      ciscoasa/admin(config)# changeto context Test
      ciscoasa/Test(config)# show configuration 
      : Saved
      : Written by enable_15 at 15:30:24.969 EDT Fri May 16 2014
      !
      ASA Version 9.1(2) <context>
      !
      hostname Test
      enable password 8Ry2YjIyt7RRXU24 encrypted
      names
      !
      interface interface1
       no nameif
       no security-level
       no ip address
      !
      interface Management0/0
       management-only
       no nameif
       no security-level
       no ip address
      !
      pager lines 24
      icmp unreachable rate-limit 1 burst-size 1
      no asdm history enable
      arp timeout 14400
      timeout xlate 3:00:00
      timeout pat-xlate 0:00:30
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
      timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
      timeout tcp-proxy-reassembly 0:01:00
      timeout floating-conn 0:00:00
      user-identity default-domain LOCAL
      no snmp-server location
      no snmp-server contact
      crypto ipsec security-association pmtu-aging infinite
      telnet timeout 5
      ssh timeout 5
      ssh key-exchange group dh-group1-sha1
      no threat-detection statistics tcp-intercept
      !
      class-map inspection_default
       match default-inspection-traffic
      !
      !
      policy-map type inspect dns preset_dns_map
       parameters
        message-length maximum client auto
        message-length maximum 512
      policy-map global_policy
       class inspection_default
        inspect dns preset_dns_map 
        inspect ftp 
        inspect h323 h225 
        inspect h323 ras 
        inspect ip-options 
        inspect netbios 
        inspect rsh 
        inspect rtsp 
        inspect skinny  
        inspect esmtp 
        inspect sqlnet 
        inspect sunrpc 
        inspect tftp 
        inspect sip  
        inspect xdmcp 
      !
      service-policy global_policy global
      Cryptochecksum:37989de030631be2f716051eca2f01c1

      : end

      ciscoasa(config-ctx)#  write memory all 
      Building configuration…
      Saving context :           system : (000/002 Contexts saved) 
      Cryptochecksum: 6469133b e64dd3f3 5a634ba6 42d1495d 

      1684 bytes copied in 0.690 secs
      Saving context :            admin : (001/002 Contexts saved) 
      Cryptochecksum: 714e8aba f5ca6ed0 8508dbaf eba2f3cb 

      7649 bytes copied in 0.190 secs
      Saving context :             Test : (002/002 Contexts saved) 
      Cryptochecksum: 6124f114 b4910350 b1137692 0dfc32c1 

      1671 bytes copied in 0.80 secs
      [OK]                           
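The system configuration above places both contexts in class default with limit-resource All 0, which means no limit, so one context can exhaust the connection or xlate tables for the other. The following is an added example, not configuration from the original post, entered in the system execution space: a resource class, a second customer context that is a member of it, and the interface configuration inside that context. The class name, context name, interfaces and addresses are assumptions.

```cisco
! System execution space (changeto system). A resource class caps what a member
! context may consume; percentages are of the platform total, "rate" values are per second.
class gold
 limit-resource conns 20%
 limit-resource rate conns 2000
 limit-resource hosts 5000
 limit-resource xlates 20%
 limit-resource ssh 5
 limit-resource asdm 2
!
! Mapped interface names hide the physical slot from the customer admin. "invisible"
! (the default) keeps the physical name out of the context's show output.
! config-url goes last: entering it creates or loads the context's config file, so all
! allocate-interface lines must already be present.
context CustomerB
 description Customer B, connection- and rate-limited
 member gold
 allocate-interface GigabitEthernet0/3 custB-outside invisible
 allocate-interface GigabitEthernet0/4 custB-inside invisible
 config-url disk0:/customerB.cfg
!
! Inside the context the interfaces are referenced only by their mapped names.
changeto context CustomerB
interface custB-outside
 nameif outside
 security-level 0
 ip address 203.0.113.34 255.255.255.240
 no shutdown
!
interface custB-inside
 nameif inside
 security-level 100
 ip address 10.30.0.1 255.255.255.0
 no shutdown
```

Check consumption against the caps with show resource usage context CustomerB and the assigned limits with show resource allocation (both from the system space). As in the transcript above, write memory all from the system space saves the system configuration and every context in one step.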

      7. Ping from ASA Internal Interface to Outside

      Note: 11.11.11.11 is the local ASA's LAN interface, and 1.1.1.2 is another ASA's WAN interface. The ping from the local LAN side to the outside fails because the ASA by default keeps a state table for TCP and UDP connections only. It is not that the echo requests fail to leave; the ASA simply does not let the echo reply back in from an interface with a lower security level, because without ICMP inspection there is no connection entry for the reply to match. The fix is to turn on ICMP inspection in the global policy (the post does this in ASDM; the CLI equivalent is inspect icmp under class inspection_default in policy-map global_policy).

      ciscoasa(config)# packet-tracer input WAN icmp 11.11.11.11 8 0 1.1.1.2 detail

      Phase: 1
      Type: ROUTE-LOOKUP
      Subtype: input
      Result: ALLOW
      Config:
      Additional Information:
      in   1.1.1.0         255.255.255.0   WAN

      Phase: 2
      Type: ACCESS-LIST
      Subtype: 
      Result: DROP
      Config:
      Implicit Rule
      Additional Information:
       Forward Flow based lookup yields rule:
       in  id=0xd98d6050, priority=111, domain=permit, deny=true
              hits=4, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
              src ip/id=0.0.0.0, mask=0.0.0.0, port=0
              dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
              input_ifc=WAN, output_ifc=WAN

      Result:
      input-interface: WAN
      input-status: up
      input-line-status: up
      output-interface: WAN
      output-status: up
      output-line-status: up
      Action: drop
      Drop-reason: (acl-drop) Flow is denied by configured rule

      For ICMP traffic addressed to the ASA itself (pings to its own interface addresses) the interface ACL does not apply; the icmp command controls it:

      ciscoasa(config)# sh run icmp
      icmp unreachable rate-limit 1 burst-size 1
      icmp permit any WAN
      icmp permit any LAN

      Note: if NAT is enabled from internal to external and ICMP inspection is not turned on, you may need an access-list on the external interface that explicitly permits the ICMP echo-reply packets back in.
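The fix the post points to (ICMP inspection), the to-the-box ICMP control, and the fallback access-list for the NAT case, together as an added CLI example that is not part of the original post. The LAN/WAN interface names and the inside-subnet object follow the post; the 10.9.200.0/24 admin network is an assumption:

```cisco
! 1. Through-the-box pings: make ICMP stateful so the echo reply arriving on the
!    lower-security WAN side is matched to its request and needs no access-list.
!    "inspect icmp error" additionally fixes up the embedded headers of ICMP errors.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 2. To-the-box pings (the ASA's own interface addresses). Rules are evaluated top-down
!    per interface, and once any rule exists on an interface an implicit deny follows it.
!    Keep unreachable/time-exceeded on the WAN side so path-MTU discovery and
!    traceroute toward the firewall keep working.
icmp permit 10.9.200.0 255.255.255.0 LAN
icmp deny any LAN
icmp permit any unreachable WAN
icmp permit any time-exceeded WAN
icmp deny any WAN
!
! 3. Without "inspect icmp" the replies must be permitted on the WAN interface instead.
!    Post-8.3 ACLs match real (untranslated) addresses, so the inside object is used
!    even though the packets on the wire carry the NATed address.
access-list WAN_IN extended permit icmp any object inside-subnet echo-reply
access-list WAN_IN extended permit icmp any object inside-subnet unreachable
access-list WAN_IN extended permit icmp any object inside-subnet time-exceeded
access-group WAN_IN in interface WAN
```

Re-run the packet-tracer from above after enabling inspection; the ACCESS-LIST phase for the return flow should now show the inspection-created connection instead of the implicit deny. Prefer part 1 over part 3: the access-list lets any outside host inject echo-reply packets at any time, while inspection only admits a reply that matches an outstanding request.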

      8. Enable Logging

      ciscoasa(config)# logging enable
      ciscoasa(config)# logging buffered 7
      ciscoasa(config)# logging asdm informational
      asa842-1(config)# sh logging
      Syslog logging: enabled
          Facility: 20
          Timestamp logging: disabled
          Standby logging: disabled
          Debug-trace logging: disabled
          Console logging: disabled
          Monitor logging: disabled
          Buffer logging: level debugging, 6 messages logged
          Trap logging: disabled
          Permit-hostdown logging: disabled
          History logging: disabled
          Device ID: disabled
          Mail logging: disabled
          ASDM logging: level informational, 23 messages logged
      %ASA-5-111008: User ‘enable_15’ executed the ‘logging buffered 7’ command.
      %ASA-5-111010: User ‘enable_15’, running ‘CLI’ from IP 0.0.0.0, executed ‘logging buffered 7’
      %ASA-7-609001: Built local-host LAN:11.11.11.12
      %ASA-7-609001: Built local-host WAN:22.22.22.23
      %ASA-6-302020: Built outbound ICMP connection for faddr 22.22.22.23/0 gaddr 11.11.11.12/55300 laddr 11.11.11.12/55300
      %ASA-6-302020: Built inbound ICMP connection for faddr 22.22.22.23/0 gaddr 11.11.11.12/55300 laddr 11.11.11.12/55300
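The logging above stays in the local buffer and ASDM, where it is lost on reload. The following is an added example, not configuration from the original post, that exports syslog to a collector with timestamps and per-class overrides; the collector address 10.9.200.50, the TCP port 1514 and the use of the management interface are assumptions:

```cisco
! Added example: syslog export for ASA 9.1.
logging enable
logging timestamp
logging device-id hostname
!
! Local buffer: keep everything locally, but in a larger ring than the 4 KB default.
logging buffer-size 131072
logging buffered debugging
!
! Collector reached through the management interface over TCP. With a TCP syslog
! server the ASA fails closed and blocks new connections when the collector is
! unreachable; "logging permit-hostdown" turns that behaviour off.
logging host management 10.9.200.50 tcp/1514
logging permit-hostdown
logging trap warnings
!
! Config-change audit messages (111008/111010 in the buffer above) are severity 5,
! below the trap level. Raise the whole "config" class for the trap destination.
logging class config trap notifications
!
! ACL hits logged with the "log" keyword (106100) are severity 6 by default and would
! also be dropped; reclassify them so they reach the collector at trap level.
logging message 106100 level warnings
```

Confirm the result with show logging: Trap logging should read level warnings with the host listed, and show logging setting for the message IDs above reports their new levels. Keep the TCP choice deliberate: it guarantees delivery of the audit trail, but only with permit-hostdown does a collector outage not become a firewall outage.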


      9. NAT 

      • Dynamic NAT (here interface PAT: the whole inside subnet is translated to the outside interface address)
        object network inside-subnet
         subnet 192.168.0.0 255.255.255.0
         nat (inside,outside) dynamic interface
      • Static NAT with objects (port-restricted, only tcp/80 is mapped)
        object network webserver-external-ip
         host 198.51.100.101
        !
        object network webserver
         host 192.168.1.100
         nat (dmz,outside) static webserver-external-ip service tcp www www

      The following is from fir3net.com's post:

      There are now 2 types of NAT: Auto and Manual NAT.
      • Auto NAT – Only the source is used as a match criteria when NATing.
      • Manual NAT – The source and destination are used as match criteria when NATing.

      Auto NAT

      Auto NAT only considers the source address when performing NAT. Based on this Auto NAT is only used for Static or Dynamic NAT.
      When configuring Auto NAT, it is configured within an object.
      Example
      Below is an example of a static NAT.
      asa(config)# object network obj-server
      asa(config-network-object)# host 192.168.100.1 <– REAL IP
      asa(config-network-object)# nat (inside,outside) static 88.88.88.1 <– MAPPED IP
      After configuring this NAT and looking at the configuration we can see the configuration in 2 places ; NAT and object.
      asa# show run object
      object network obj-server
        host 192.168.100.1

      asa# show run nat
      object network obj-server
        nat (inside,outside) static 88.88.88.1

      Manual NAT

      Manual NAT considers either only the source or the source and destination address when performing NAT. Manual NAT can be used for (pretty much) all types of NAT, i.e. NAT exempt, policy NAT, etc.
      Because Manual NAT can also NAT the source and destination within a single statement it is also known as twice NAT.
      Unlike Auto NAT, which is configured within an object, Manual NAT is configured directly from the global configuration mode. However, only objects are used within the Manual NAT rule rather than IP addresses directly.
      Example
      Below is an example of static NAT where only the source is considered for NAT. However this is typically done with Auto NAT.
      object network obj-server-private
        host 192.168.100.1
      object network obj-server-public
        host 88.88.88.88

      nat (DMZ,outside) source static obj-server-private obj-server-public

      Below shows the syntax if we wanted to consider both the source and destination. This method (twice NAT) is also used for NAT exempt.
      nat (real_ifc,mapped_ifc) source static REAL-SRC MAPPED-SRC destination static REAL-DST MAPPED-DST
      NAT Order
      NAT is ordered within 3 sections.
      • Section 1 – Manual NAT
      • Section 2 – Auto NAT
      • Section 3 – Manual Nat After-Auto
      By default only sections 1 and 2 are used. However should you need to place a manual NAT rule after Auto NAT you can specify the keyword after-auto when configuring a Manual NAT rule to place it within Section 3.
      nat (real,mapped) [after-auto] [Line#] ………
      To view the order of precedence the “show nat” command is used. 
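The three sections side by side, as an added example that is not from the original post or from fir3net: an identity (NAT exempt) rule in section 1, the object NAT rules from section 9 in section 2, and the catch-all PAT pushed into section 3 with after-auto. The inside-subnet, webserver and webserver-external-ip objects follow the post; the 10.20.0.0/24 VPN peer network and the (any,outside) catch-all are assumptions:

```cisco
! Added example: one rule in each of the three NAT sections, ASA 8.3+/9.1 syntax.
object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
object network vpn-remote-subnet
 subnet 10.20.0.0 255.255.255.0
object network webserver-external-ip
 host 198.51.100.101
!
! Section 1, manual (twice) NAT: identity NAT so traffic to the site-to-site VPN peer
! is never translated. "no-proxy-arp" stops the ASA answering ARP for the mapped
! addresses on the outside; "route-lookup" leaves the egress decision to the routing
! table instead of the NAT rule's interface pair.
nat (inside,outside) source static inside-subnet inside-subnet destination static vpn-remote-subnet vpn-remote-subnet no-proxy-arp route-lookup
!
! Section 2, auto (object) NAT: the static server mapping, restricted to tcp/80.
object network webserver
 host 192.168.1.100
 nat (dmz,outside) static webserver-external-ip service tcp www www
!
! Section 3, manual NAT after-auto: the catch-all PAT for every inside-facing interface.
! As a section-1 rule it would match the DMZ server's traffic before the object rule
! in section 2; after-auto guarantees the specific object rules are consulted first.
nat (any,outside) after-auto source dynamic any interface
```

show nat lists the rules by section with translate_hits and untranslate_hits per rule, which is the quickest way to see which rule a flow actually matched; packet-tracer shows the same in its NAT phase. Within section 1, order is the line order, so the identity rule must stay above any broader dynamic rule that also covers inside-subnet.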

      10. Access Rules

      Traffic between two interfaces configured with the same security level is dropped until same-security-traffic permit inter-interface is set; the example configuration in section 11 (INTERNAL and DMZ both at security-level 100) relies on it.

      Inbound and Outbound Rules
      You can configure access rules based on the direction of traffic:
      • Inbound—Inbound access rules apply to traffic as it enters an interface. Global and management access
      rules are always inbound.
      • Outbound—Outbound rules apply to traffic as it exits an interface.
      “Inbound” and “outbound” refer to the application of an ACL on an interface, either to traffic entering the
      ASA on an interface or traffic exiting the ASA on an interface. These terms do not refer to the movement of traffic from a lower security interface to a higher security interface, commonly known as inbound, or from a higher to lower interface, commonly known as outbound.
      Note
      An outbound ACL is useful, for example, if you want to allow only certain hosts on the inside networks to access a web server on the outside network. Rather than creating multiple inbound ACLs to restrict access,

      • access-list (ACLs)
        • Traffic going from a lower security interface is denied when going to a higher security interface
        • Traffic going from a higher security interface is allowed when going to a lower security interface
        • Example 1:
          access-list outside_acl extended permit tcp any object webserver eq www
          !
          access-group outside_acl in interface outside
        • Example 2 (first match wins, so the deny for the inside subnet must come before the permit ip any any):
          object network dns-server
           host 192.168.0.53
          !
          access-list dmz_acl extended permit udp any object dns-server eq domain
          access-list dmz_acl extended deny ip any object inside-subnet
          access-list dmz_acl extended permit ip any any
          !
          access-group dmz_acl in interface dmz
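The outbound-ACL case described in the note above (allow only certain inside hosts to reach a web server outside) as an added example, not configuration from the original post. The object-group names, the two client hosts 192.168.0.10/.11 and the server 203.0.113.10 are assumptions; the same-security line is the one the section 11 configuration uses:

```cisco
! Added example: an outbound ACL on the outside interface. It restricts what leaves
! toward the internet to a named set of clients and ports. Post-8.3 ACLs match real
! (pre-NAT) addresses, so the inside hosts appear with their private IPs.
object-group network WEB_CLIENTS
 network-object host 192.168.0.10
 network-object host 192.168.0.11
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
!
access-list OUTSIDE_OUT extended permit tcp object-group WEB_CLIENTS host 203.0.113.10 object-group WEB_PORTS
! An explicit logged deny replaces the silent implicit one: every blocked attempt
! produces a 106100 syslog that names the source.
access-list OUTSIDE_OUT extended deny ip any any log
access-group OUTSIDE_OUT out interface outside
!
! Two interfaces at the same security level exchange no traffic at all until this is
! enabled; once it is, their interface ACLs decide as usual.
same-security-traffic permit inter-interface
```

An "out" ACL applies to every new connection leaving that interface regardless of where it entered, so with this in place DMZ-originated traffic to the internet is blocked too; replies to connections that were already permitted (for example inbound hits on the webserver rule) are part of an existing connection and are not re-evaluated. Verify with packet-tracer input inside tcp 192.168.0.12 12345 203.0.113.10 80, which should stop at the ACCESS-LIST phase with OUTSIDE_OUT named in the config line.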

      11. Access Rules Examples

      ASA Example Topology

      ciscoasa#   sh run
      : Saved

      :
      : Serial Number: 9ALU3EW6LDF
      : Hardware:   ASAv, 1024 MB RAM, CPU Xeon 5500 series 2294 MHz
      :
      ASA Version 9.5(1)200
      !
      hostname ciscoasa
      enable password PVSASRJovmamnVkD encrypted
      xlate per-session deny tcp any4 any4
      xlate per-session deny tcp any4 any6
      xlate per-session deny tcp any6 any4
      xlate per-session deny tcp any6 any6
      xlate per-session deny udp any4 any4 eq domain
      xlate per-session deny udp any4 any6 eq domain
      xlate per-session deny udp any6 any4 eq domain
      xlate per-session deny udp any6 any6 eq domain
      names
      !
      interface GigabitEthernet0/0
       description Internal Interface
       nameif INTERNAL
       security-level 100
       ip address 10.9.200.12 255.255.255.0
      !
      interface GigabitEthernet0/1
       description DMZ Interface
       nameif DMZ
       security-level 100
       ip address 172.17.3.12 255.255.255.0
      !
      interface GigabitEthernet0/2
       shutdown
       no nameif
       no security-level
       no ip address
      !….
      !
      interface Management0/0
       management-only
       nameif MGMT
       security-level 0
       ip address 192.168.2.12 255.255.255.0
      !
      ftp mode passive
      same-security-traffic permit inter-interface
      object network H_172.17.3.62_DMZ
       host 172.17.3.62
       description OpenWRT2
      object network h_10.9.200.62_Internal
       host 10.9.200.62
       description Internal OpenWRT1
      object-group service DM_INLINE_SERVICE_1
       service-object icmp
       service-object tcp destination eq ssh
      access-list DMZ_access_in extended permit icmp any any
      access-list INTERNAL_access_in extended permit object-group DM_INLINE_SERVICE_1 object h_10.9.200.62_Internal object H_172.17.3.62_DMZ
      pager lines 23
      logging enable
      logging buffered debugging
      logging asdm informational
      mtu MGMT 1500
      mtu INTERNAL 1500
      mtu DMZ 1500
      no failover
      icmp unreachable rate-limit 1 burst-size 1
      no asdm history enable
      arp timeout 14400
      no arp permit-nonconnected
      access-group INTERNAL_access_in in interface INTERNAL
      access-group DMZ_access_in in interface DMZ
      timeout xlate 3:00:00
      timeout pat-xlate 0:00:30
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
      timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
      timeout tcp-proxy-reassembly 0:01:00
      timeout floating-conn 0:00:00
      user-identity default-domain LOCAL
      aaa authentication ssh console LOCAL
      http server enable
      http 192.168.2.0 255.255.255.0 MGMT
      no snmp-server location
      no snmp-server contact
      crypto ipsec security-association pmtu-aging infinite
      crypto ca trustpoint _SmartCallHome_ServerCA
       no validation-usage
       crl configure
      crypto ca trustpool policy
      crypto ca certificate chain _SmartCallHome_ServerCA
       certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
          308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
        ………
          6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
          6c2527b9 deb78458 c61f381e a4c4cb66
        quit
      telnet timeout 5
      ssh stricthostkeycheck
      ssh 192.168.2.0 255.255.255.0 MGMT
      ssh 10.9.200.0 255.255.255.0 INTERNAL
      ssh timeout 5
      ssh key-exchange group dh-group1-sha1
      console timeout 0
      threat-detection basic-threat
      threat-detection statistics access-list
      no threat-detection statistics tcp-intercept
      dynamic-access-policy-record DfltAccessPolicy
      username admin password eY/fQXw7Ure8Qrz7 encrypted
      !
      class-map inspection_default
       match default-inspection-traffic
      !
      !
      policy-map type inspect dns preset_dns_map
       parameters
        message-length maximum client auto
        message-length maximum 512
      policy-map global_policy
       class inspection_default
        inspect ip-options
        inspect netbios
        inspect rtsp
        inspect sunrpc
        inspect tftp
        inspect xdmcp
        inspect dns preset_dns_map
        inspect ftp
        inspect h323 h225
        inspect h323 ras
        inspect rsh
        inspect esmtp
        inspect sqlnet
        inspect sip
        inspect skinny
      policy-map type inspect dns migrated_dns_map_1
       parameters
        message-length maximum client auto
        message-length maximum 512
      !
      service-policy global_policy global
      prompt hostname context
      no call-home reporting anonymous
      call-home
       profile License
        destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
        destination transport-method http
       profile CiscoTAC-1
        no active
        destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
        destination address email [email protected]
        destination transport-method http
        subscribe-to-alert-group diagnostic
        subscribe-to-alert-group environment
        subscribe-to-alert-group inventory periodic monthly
        subscribe-to-alert-group configuration periodic monthly
        subscribe-to-alert-group telemetry periodic daily
      hpm topN enable
      Cryptochecksum:f0b9b7ac46de68d4f289d84909d1d497
      : end

      12. Backup and Restore Configuration

      Backup configuration to local disk.

      ciscoasa# copy startup-config disk0:/backup-02202016

      Destination filename [backup-02202016]? 

      Copy in progress…C
      7072 bytes copied in 0.10 secs
      ciscoasa# 

      Restore Configuration

      Do this from the console: clear configure all wipes the running configuration, including the management interface and the http/ssh access lines, so a remote session is cut off at the first command.

      ciscoasa(config)# clear configure all
      ciscoasa# copy disk0:/backup-02202016 startup-config
      ciscoasa# reload

      The copy only replaces the startup configuration; the reload loads it into the running configuration. Copying the backup to running-config instead merges it into whatever is currently running, which is the right choice when only a few lines need to be put back.

      13. ICMP/SSH/ASDM to another interface behind one interface

      I ran into the same issue as the post "Failed to locate egress interface...".
      Topology:

      (Figure: Lan2Lan.jpg)

      Symptom:
      Computer 1 is able to reach Computer 2, but not the ASA's inside2 interface IP, even though it is in the same segment as Computer 2.

      Solution from the post:

      "Cisco firewalls do not allow ICMP from behind one interface to another interface on the same device. The only exception to this is when traffic is coming through VPN and a specific configuration command has been entered on the device to which you are trying to ICMP from behind a VPN connection.
      So if Computer 1 needs to ICMP Inside 2, then the firewall that has the Inside 2 interface must be configured with the command
      management-access"

      http server enable

      http 10.50.2.0 255.255.255.0 MGMT
      http 172.17.0.0 255.255.255.0 MGMT

      ssh 10.50.2.0 255.255.255.0 MGMT
      ssh 172.17.0.0 255.255.255.0 MGMT

      management-access MGMT

      Only one interface can be designated with management-access at a time, and the http and ssh lines must still name that interface, as above; without them the ping works but ASDM and SSH from the far side are still refused.

      By Jon
