
Cisco ASA Configuration

Cisco ASA Firewall and Security Appliance Configuration - Best Practices

Network security Cisco ASA configuration best practices

 

This script targets ASA software version 7.2, but the approach and most of the commands still apply to newer releases.

The Cisco ASA default configuration below is intended to bring a device from its out-of-the-box state up to a baseline level. Cisco leaves many important features off by default; see our best practices documents. A documented default configuration is also important for PCI compliance. To deploy a Cisco ASA Firewall and Security Appliance in your network, follow a documented plan. The configuration below supports the Cisco ASA 5505, ASA 5510, ASA 5520 and ASA 5540 (note that the ASA 5505 uses Ethernet0/x switch ports and VLAN interfaces rather than GigabitEthernet0/x and Management0/0, so its interface section will differ).


 

! Cisco ASA configurations

! Default administrative config for box - NO Security POLICY DEFINED HERE
! Cisco ASA 5500 series device deployments - Target Version 7.2(4)
! Created on: 21 July 2008
! Created by: John L
! Last revised by: Daniel 09/05/08
!
! Reviewed by:
! Reviewed on:
!
! Search on ZZZ for gotchas or items that must be set per unique ASA box.
!
! NOTE: This script contains CLEAR CONFIGURE xxx commands. It is intended
! to be used on new boxes in turn up mode. Be careful if you are
! adjusting existing production boxes.
!
! Apply the script over the serial console connection.
!
! What you don't get - Routes, NAT, Access Rules, Object definitions, VPN
!
!
! Modifications noted below
!
! Original



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! A new ASA box ships with settings that let a PC attached to the management     !
! port obtain a 192.168.1.x address: the DHCP server is enabled on that port, so  !
!                                                                                 !
! DO NOT CONNECT the management port to the network before disabling DHCP         !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

config t
clear configure dhcpd

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!                                                                                 !
! If you want to clear a config or password recovery see below                    !
!                                                                                 !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!                                                                                 !
! Now we do the interface configurations. Many further commands require the use   !
! of the unique names assigned via nameif. See the best practices document        !
!                                                                                 !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! Note speed per L2 design specification
! Note asa5510 has 100mb ports, named Ethernet0/x rather than GigabitEthernet0/x

! Enterprise arp timeout default value - unique for your locations L2 domain
arp timeout 300

! Reset everything
clear configure interface

interface GigabitEthernet0/0
  speed 1000
  duplex full
  shutdown
  description outside not trusted toward internet - DESTINATION DEVICE + PORT
  nameif outside
  security-level 0

! ZZZ
! ip address xx.xx.xx.xx 255.255.255.x standby xx.xx.xx.xx+1
  ip address 8.8.8.1 255.255.255.240 standby 8.8.8.2

interface GigabitEthernet0/1
  speed 1000
  duplex full
  shutdown
  description inside most trusted - DESTINATION DEVICE + PORT
  nameif inside
  security-level 100
! ZZZ
! ip address xx.xx.xx.xx 255.255.255.x standby xx.xx.xx.xx+1
  ip address 7.7.7.1 255.255.255.240 standby 7.7.7.2

interface GigabitEthernet0/2
  speed 1000
  duplex full
  description DMZ Trunk port - Not Tagged - DO NOT assign Interface Name or
!             Security level - DESTINATION DEVICE + PORT
  no shutdown
! do not assign a name to this untagged interface

! Just a sample here to show how a trunk is done
interface GigabitEthernet0/2.65
  vlan 65
  shutdown
  description our applications production only - ON TRUNK
  nameif dmz65_our_applications
  security-level 55
! ZZZ
! ip address 10.30.86.33 255.255.255.240 standby 10.30.86.34
  ip address 9.9.9.1 255.255.255.240 standby 9.9.9.2

interface GigabitEthernet0/3
  speed 1000
  duplex full
  no shutdown
  description failover+stateful - asa55xx-sec G0/3

interface Management0/0
  speed 100
  duplex full
  no shutdown
  description management interface - DESTINATION DEVICE + PORT
  nameif management
  security-level 100
  management-only
! ZZZ
! Allow a /26 for the management and support mechanisms
  ip address 10.21.12.1 255.255.255.192



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!                                                                                
! Our implementations use a failover box
! Remember to monitor appropriate interfaces as they are added
!
! Failover configuration - Note the primary and secondary setting
! - Note we failover in 10 seconds
!                                                                                
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! Reset everything
clear configure failover

! ZZZ Pick one! ZZZ Pick one below !
failover lan unit primary
! failover lan unit secondary

failover lan interface failover+stateful GigabitEthernet0/3
failover link failover+stateful GigabitEthernet0/3

! We HAVE CHOSEN 1.1.1.1 as our failover network number - it will not be routed

failover interface ip failover+stateful 1.1.1.1 255.255.255.252 standby 1.1.1.2
! ZZZ the key below is a placeholder - generate a unique key for each failover pair
failover key hex 123456789abcdef00fedcba987654321

! unit hellos every 1 second; declare the mate failed after 10 seconds
failover polltime unit 1 holdtime 10

! below specifies interface hellos sent every 2 seconds. Hold time is 5x polltime
failover polltime interface 2 holdtime 10
! replicate HTTP connection state as well (not replicated by default)
failover replication http
no monitor-interface management

! prompt for a redundant pair - shows primary/secondary unit, active/standby state and hostname
prompt priority state hostname

! ZZZ prompt standalone
! prompt hostname

! TURN ON FAILOVER
failover

 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Access to the box. We need asdm, ssh, logins, tacacs setups                     !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! access via ASDM on port 443 from corp management addresses
! ZZZ as of this config we are unsure about a dedicated management network
clear configure http
http server enable
http 10.21.12.0 255.255.255.192 management

! access via SSH on port 22 from management subnet addresses
clear configure ssh
ssh timeout 10
ssh 10.21.12.0 255.255.255.192 management
! also restrict the daemon to SSHv2 (ssh version 2); v1 is accepted by default on 7.2
! use winscp to move files to and from
ssh scopy enable

! Cannot do SSH until we have an RSA key - maybe there is one, but let's be sure
crypto key zeroize rsa noconfirm
! 1024 bits was the norm for 7.2; use modulus 2048 or larger on current releases
crypto key generate rsa general-keys modulus 1024 noconfirm


! set your emulator width to 132 while viewing access-lists and logs
! easier display - read - analyze
term width 132
! names or no names - how do you like show access-list displayed
names

! these two passwords will never be seen or used by the box because we set the AAA
! configuration below
password DoNotUseTheDefaultcisco
enable   password DoNotUseTheDefaultcisco

! Note: after you set your basic box (no TACACS) passwords, delete the above and copy
! the encrypted version from your config so that plain text passwords are not
! displayed, like below:

! password 2KFQnbNIdI.2KYOU encrypted
! enable   password B1p/v.dKPnaAFzGm encrypted

! You could opt to remove the above commands from the config but we have seen
! previous versions where the config demands a setting

! Local user account setup - TACACS+ is tried first, else this local account is used.
! Again, the first run through sets the plain text; then take the encrypted version
! from the config and put it here

username localboy password the1Icanremberfrom1998% privilege 15
! username localboy password HSajUEmuTco1AnQ0 encrypted privilege 15


! Until we get TACACS+ online we will suffer the timeout and then authenticate
! local


! Starting with authentication section

clear configure aaa-server
aaa-server our-group1 protocol tacacs+
! While there is only one server in the group, use timed reactivation (the failed
! server is retried after 30 seconds) rather than the default depletion mode,
! which waits out the deadtime before the server is tried again
reactivation-mode timed
aaa-server our-group1 (inside) host 10.80.14.230
! 10 is the default - in case AAA is not available do not wait too long.
! It's not that busy
timeout 3
key wow!theKEYisnotencrypted

clear configure aaa

aaa local authentication attempts max-fail 5

aaa authentication telnet console our-group1 LOCAL
aaa authentication http   console our-group1 LOCAL
aaa authentication ssh    console our-group1 LOCAL
aaa authentication serial console our-group1 LOCAL
! find by username. Are you allowed the enable prompt in ACS? -
aaa authentication enable console our-group1 LOCAL

! command sets on ACS must be built and working. This is what locks you out!
aaa authorization command our-group1 LOCAL
! this is command accounting
aaa accounting command our-group1
aaa accounting enable console our-group1
aaa accounting ssh console our-group1

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Set up some box basics. Get the code loaded                                     !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Copy the image files to disk0: Use asdm or tftp                                 !
! Directory of disk0:/                                                            !
!                                                                                 !
! 1436 -rw- 6514852 06:04:20 Jul 21 2008 asdm-52450.bin                           !
! 2232 -rw- 8515584 06:09:58 Jul 21 2008 asa724-9-k8.bin                          !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

clear configure boot system
clear configure dns
clear config banner
clear configure clock
clear configure ntp

asdm image disk0:/asdm-52450.bin
boot system disk0:/asa724-9-k8.bin

! ZZZ Setting here per DNS standard naming document
hostname odc-5520-test

! if we want DNS lookups choose interface below
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.14.20.233
name-server 10.14.20.234
domain-name yourname.com
dns-guard
clock timezone EST -5
clock summer-time EDT recurring
! NTP @ NAVOBS1.MIT.EDU via Internet
ntp server 18.145.0.30


banner login -
banner login ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY!!
banner login -

banner motd -
banner motd ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY!!
banner motd This is a privately owned computing system.
banner motd Access is permitted only by authorized employees or agents of the
banner motd company.
banner motd The system may be used only for authorized company business.
banner motd Company management approval is required for all access privileges.
banner motd This system is equipped with a security system intended to prevent and
banner motd record unauthorized access attempts.
banner motd Unauthorized access or use is a crime under the law.
banner motd -

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Trap and logging                                                                !
! Kiwi - 10.14.187.22 syslog1.nw.yourplace.com                                    !
! Cisco Works - 10.14.187.231 cworks1.nw.yourplace.com                            !
!                                                                                 !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

ftp mode passive
! ZZZ set the tftp directory
! tftp-server inside 10.14.187.231 /odc-5520-test/


clear configure snmp-server
clear configure logging


! SNMP configuration
! Note: v1/v2c community strings cross the wire in cleartext and act as a password.
! Keep poll/trap hosts limited to the management servers and, on 8.2(1) and later,
! prefer SNMPv3 users with authentication and privacy.
snmp-server enable
snmp-server host inside 151.214.156.13 community zzz
snmp-server host inside 10.14.187.231 community zzz
! ZZZ SNMP Settings
snmp-server location odc-5520-test Orlando FL (ODC)
snmp-server contact ITS Network Engineering
snmp-server community theBigDogEatsSlowCats
! Syslog messages at or above the "logging history" level are also sent as SNMP
! traps to the hosts defined above
snmp-server enable traps snmp authentication linkup linkdown coldstart
logging history Critical

! Logging setup
logging enable
logging timestamp
! internal buffer
logging buffer-size 16384
logging buffered Informational
! Console off
no logging console
! A ssh session
logging monitor Informational

! To syslog servers Kiwi
logging host inside 10.14.187.22
logging trap informational

! ASDM Sessions
logging asdm informational
asdm history enable


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!                                                                                 !
! The default UDP port is 514. The default TCP port is 1470                       !
! 0 emergencies System unusable                                                   !
! 1 alert Immediate action needed                                                 !
! 2 critical Critical condition                                                   !
! 3 error Error condition                                                         !
! 4 warning Warning condition                                                     !
! 5 notification Normal but significant condition                                 !
! 6 informational Informational message only                                      !
! 7 debugging Appears during debugging only                                       !
!                                                                                 !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
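As an added example (not part of the original script), the Python below parses ASA syslog message headers and applies the severity table above together with the thresholds set in the logging section (`logging buffered`, `logging monitor`, `logging trap` and `logging asdm` at informational, `logging history` at critical) to show which destination receives which message. The `%ASA-<severity>-<message-id>:` header is the standard ASA format; the sample messages are constructed for this example and the destination labels are this example's own names for the logging commands.

```python
import re

# Severity table from the ASA documentation (lower number = more severe)
SEVERITY_NAMES = {
    0: "emergencies", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}
LEVEL_BY_NAME = {name: level for level, name in SEVERITY_NAMES.items()}

# Thresholds as configured in the script above, keyed by this example's own
# label for the logging command that sets each one.
DESTINATION_LEVELS = {
    "buffered": "informational",   # logging buffered Informational
    "monitor": "informational",    # logging monitor Informational (SSH session)
    "trap": "informational",       # logging trap informational (syslog host)
    "asdm": "informational",       # logging asdm informational
    "history": "critical",         # logging history Critical (SNMP trap)
}

# Standard header: %ASA-<severity>-<6-digit message id>: <text>
# (a timestamp precedes it when "logging timestamp" is set)
HEADER_RE = re.compile(r"%ASA-(\d)-(\d{6}):\s*(.*)$")

# Constructed sample messages for this example, not captured from a device.
SAMPLE_LOG = """\
Jul 21 2008 06:04:20: %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.14.20.233/443 (192.0.2.10/443)
Jul 21 2008 06:04:21: %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.14.20.233/23 by access-group "outside_in"
Jul 21 2008 06:04:22: %ASA-1-105005: (Primary) Lost Failover communications with mate on interface failover+stateful
Jul 21 2008 06:04:23: %ASA-7-710005: UDP request discarded from 203.0.113.9/137 to outside:8.8.8.1/137
Jul 21 2008 06:04:24: not a syslog line at all
"""


def parse_asa_syslog(line):
    """Return (severity, message_id, text) for an ASA syslog line, or None."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def destinations_for(severity, levels=DESTINATION_LEVELS):
    """Destinations whose configured level is at or above this severity.

    A destination set to level N receives messages of severity 0..N, so an
    informational (6) threshold passes everything except debugging (7) and a
    critical (2) threshold passes only emergencies, alerts and critical.
    """
    return sorted(dest for dest, name in levels.items()
                  if severity <= LEVEL_BY_NAME[name])


def route_log(text, levels=DESTINATION_LEVELS):
    """Parse each line and list (message_id, severity_name, destinations)."""
    routed = []
    for line in text.splitlines():
        parsed = parse_asa_syslog(line)
        if parsed is None:
            continue  # not an ASA message; skip it
        severity, msg_id, _ = parsed
        routed.append((msg_id, SEVERITY_NAMES[severity],
                       destinations_for(severity, levels)))
    return routed


if __name__ == "__main__":
    for msg_id, name, dests in route_log(SAMPLE_LOG):
        target = ", ".join(dests) or "(dropped: below every threshold)"
        print(f"{msg_id} {name:<14} -> {target}")
```

Running it shows the practical consequence of the thresholds above: the debugging-level 710005 message reaches no destination at all, the informational connection build reaches the buffer, the SSH session, the syslog host and ASDM but not the SNMP trap path, and only the severity 1 failover message is also sent as a trap.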


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! The WebSense service - could only apply to the default-route internet firewall  !
! Do our servers go out to the internet ?                                         !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

clear configure url-cache
clear configure url-block
clear configure filter
clear configure url-server

! zzz
url-server (inside) vendor websense host xx.xx.xx.xx timeout 10 protocol TCP version 4 connections 5
url-block url-mempool 512
url-block url-size 4
url-block block 32
url-cache dst 32
filter url  http 0.0.0.0  0.0.0.0  0.0.0.0  0.0.0.0 allow
filter https 443 0.0.0.0  0.0.0.0  0.0.0.0  0.0.0.0 allow
filter ftp    21 0.0.0.0  0.0.0.0  0.0.0.0  0.0.0.0 allow

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
! From Best practice document
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

no same-security-traffic permit intra-interface
no same-security-traffic permit inter-interface
nat-control

! After a clear configure all, several class maps and policy maps that exist by
! default are gone - we recreate them below

class-map class_sip_tcp
match port tcp eq sip

class-map inspection_default
match default-inspection-traffic

policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
no message-length maximum server
no message-length maximum client
dns-guard
protocol-enforcement
nat-rewrite
no id-randomization
no id-mismatch
no tsig enforced

policy-map global_policy
class inspection_default
! Enable inspection for icmp traffic
inspect icmp
inspect icmp error
inspect http
inspect pptp
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225 _default_h323_map
inspect h323 ras _default_h323_map
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
class class_sip_tcp
inspect sip

service-policy global_policy global

! This is ICMP addressed to an ASA interface itself -
! On outside we only allow unreachable messages, to support path MTU discovery

clear conf icmp

no icmp permit 0.0.0.0  0.0.0.0 outside
icmp permit    0.0.0.0  0.0.0.0 unreachable outside
icmp deny      0.0.0.0  0.0.0.0 outside

! For each named interface name - inside is usually named
no icmp permit 0.0.0.0  0.0.0.0 inside
icmp permit    0.0.0.0  0.0.0.0 echo inside
icmp permit    0.0.0.0  0.0.0.0 echo-reply inside
icmp permit    0.0.0.0  0.0.0.0 unreachable inside
icmp permit    0.0.0.0  0.0.0.0 time-exceeded inside
icmp deny      0.0.0.0  0.0.0.0 inside

! ZZZ For each named interface name -
no icmp permit 0.0.0.0  0.0.0.0 dmz65_our_applications
icmp permit    0.0.0.0  0.0.0.0 echo dmz65_our_applications
icmp permit    0.0.0.0  0.0.0.0 echo-reply dmz65_our_applications
icmp permit    0.0.0.0  0.0.0.0 unreachable dmz65_our_applications
icmp permit    0.0.0.0  0.0.0.0 time-exceeded dmz65_our_applications
icmp deny      0.0.0.0  0.0.0.0 dmz65_our_applications

! This is default type of ICMP_allowed through the ASA firewall interface -
! This should be used as the SERVICE when specifying ICMP in access - lists
object-group icmp-type svc_ICMP_types_allowed
description Security - ICMP types allowed in our network
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable

! Cisco devices use a UDP probe in their traceroute routine
! Use this object for the rule

object-group service svc_UDP_cisco_IOS_traceroute udp
description Cisco IOS udp traceroute starts at 33434 - allow 90 probes (3x30) - default udp timeout is 2 minutes
port-object range 33434 33524


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! The ASA has a route table. Make sure packets align with the route table
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

ip verify reverse-path interface inside
ip verify reverse-path interface management
ip verify reverse-path interface outside
! ZZZ Set per configured dmz - uncomment with the real nameif, the placeholder will not parse
! ip verify reverse-path interface dmzXXXX

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
! IP Audit checks for bad things and alarms, drops or resets as defined per policy
!
! These are strict to start with - we may have to do some tuning
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

clear configure ip audit

ip audit name our_audit_outside_attack attack action alarm drop
ip audit name our_audit_outside_info info action alarm
ip audit name our_audit_inside_attack attack action alarm drop reset
ip audit name our_audit_inside_info info action alarm
ip audit name our_audit_dmz_attack attack action alarm drop reset
ip audit name our_audit_dmz_info info action alarm

ip audit interface outside our_audit_outside_info
ip audit interface outside our_audit_outside_attack
ip audit interface inside  our_audit_inside_info
ip audit interface inside  our_audit_inside_attack

! ZZZ Set per configured dmz
! ip audit interface dmzXXXX our_audit_dmz_info
! ip audit interface dmzXXXX our_audit_dmz_attack

! The commands below disable a few signatures we are not worried about
! Sig 1002 is the IP-header Timestamp option, not the RFC 1323 TCP timestamp
! option (TCP timestamps are not matched by IP audit), so RFC 1323 support does
! not depend on it; we still disable it as an informational signature that is not
! worth alarming on here
ip audit signature 1002 disable
! ICMP echo reply
ip audit signature 2000 disable
! ICMP unreachable
ip audit signature 2001 disable
! ICMP echo request
ip audit signature 2004 disable
! ICMP time exceeded
ip audit signature 2005 disable
! DNS zone transfer - we are likely doing these and do not want to drop
ip audit signature 6051 disable

! Below commands look backwards as typed but they DO ENABLE the signature identified
no ip audit signature 2008
no ip audit signature 1003
no ip audit signature 2009
no ip audit signature 1004
no ip audit signature 2006
no ip audit signature 1001
no ip audit signature 2007
no ip audit signature 1005
no ip audit signature 2002
no ip audit signature 1006
no ip audit signature 2003
no ip audit signature 1102
no ip audit signature 1103
no ip audit signature 1100
no ip audit signature 2012
no ip audit signature 2011
no ip audit signature 3154
no ip audit signature 2010
no ip audit signature 2150
no ip audit signature 3153
no ip audit signature 2151
no ip audit signature 2154
no ip audit signature 6151
no ip audit signature 6150
no ip audit signature 6155
no ip audit signature 6154
no ip audit signature 6153
no ip audit signature 6152
no ip audit signature 6053
no ip audit signature 6052
no ip audit signature 3040
no ip audit signature 6190
no ip audit signature 3041
no ip audit signature 6050
no ip audit signature 3042
no ip audit signature 1000
no ip audit signature 6180
no ip audit signature 4050
no ip audit signature 4051
no ip audit signature 4052
no ip audit signature 6175
no ip audit signature 6100
no ip audit signature 6103
no ip audit signature 6102
no ip audit signature 6101

! The ASA system options default settings
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
! NOTE: permit-vpn lets decrypted VPN traffic bypass the interface access lists.
! Use "no sysopt connection permit-vpn" if VPN users must be filtered by the ACLs.
sysopt connection permit-vpn
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
! interface names are case-sensitive and must match the nameif values set above
no sysopt noproxyarp outside
no sysopt noproxyarp inside
no sysopt noproxyarp management
!
service resetoutside

end

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! END of configuration script                                                     !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
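As an added example, not part of the original script: a Python audit that reads a saved ASA configuration and flags the turn-up mistakes this baseline is meant to prevent, namely DHCP still enabled on the management port, `password`/`passwd`/`enable password`/`username ... password` lines without the `encrypted` keyword (or `pbkdf2` on 9.6 and later), management access (`http`/`ssh`/`telnet`) open to any source, any `telnet` source line at all, console logging left on, a default SNMP community, and a missing `ssh` source restriction. Both sample configurations and the check names are constructed for this example; run it against `show running-config` output saved to a file to reuse it.

```python
import re

# Constructed sample: a box part-way through turn-up showing the mistakes the
# script above warns about (not from a real device).
WEAK_CONFIG = """\
hostname odc-5520-test
password DoNotUseTheDefaultcisco
enable password B1p/v.dKPnaAFzGm encrypted
username localboy password the1Icanremberfrom1998% privilege 15
interface Management0/0
 nameif management
 security-level 100
 management-only
 ip address 10.21.12.1 255.255.255.192
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
http server enable
http 0.0.0.0 0.0.0.0 management
telnet 10.21.12.0 255.255.255.192 management
logging enable
logging console debugging
snmp-server community public
"""

# Constructed sample of the same box after the baseline has been applied.
HARDENED_CONFIG = """\
hostname odc-5520-test
enable password B1p/v.dKPnaAFzGm encrypted
username localboy password HSajUEmuTco1AnQ0 encrypted privilege 15
interface Management0/0
 nameif management
 security-level 100
 management-only
 ip address 10.21.12.1 255.255.255.192
http server enable
http 10.21.12.0 255.255.255.192 management
ssh 10.21.12.0 255.255.255.192 management
ssh timeout 10
logging enable
no logging console
snmp-server community theBigDogEatsSlowCats
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Keywords that mark an already-hashed password in the running config
HASHED_MARKERS = {"encrypted", "pbkdf2"}

# Per-line checks (names are this example's own): a match is a finding.
LINE_CHECKS = [
    ("dhcpd_enabled", re.compile(r"^dhcpd enable\b")),
    ("mgmt_access_any_source", re.compile(r"^(?:http|ssh|telnet)\s+0\.0\.0\.0\s+0\.0\.0\.0\b")),
    ("telnet_enabled", re.compile(rf"^telnet\s+{IPV4}\s+{IPV4}\s+\S+$")),
    ("console_logging_on", re.compile(r"^logging console\b")),
    ("snmp_default_community", re.compile(r"^snmp-server community\s+(?:public|private)\s*$")),
]
SSH_SOURCE_RE = re.compile(rf"^ssh\s+{IPV4}\s+{IPV4}\s+\S+$")
# "password" as typed, or "passwd" as the running config displays it
LOGIN_PASSWORD_RE = re.compile(r"^(?:enable\s+)?passw(?:ord|d)\s+\S+(?:\s+(\S+))?$")
USERNAME_PASSWORD_RE = re.compile(r"^username\s+\S+\s+password\s+\S+(.*)$")


def is_plaintext_password(line):
    """True for password/enable password/username lines lacking a hash marker."""
    m = LOGIN_PASSWORD_RE.match(line)
    if m:
        return m.group(1) not in HASHED_MARKERS
    m = USERNAME_PASSWORD_RE.match(line)
    if m:
        return not (HASHED_MARKERS & set(m.group(1).split()))
    return False


def audit_asa_config(config_text):
    """Return [(check_name, line_number, line)]; line 0 means the whole config."""
    findings = []
    saw_ssh_source = False
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        for name, pattern in LINE_CHECKS:
            if pattern.match(line):
                findings.append((name, number, line))
        if is_plaintext_password(line):
            findings.append(("plaintext_password", number, line))
        if SSH_SOURCE_RE.match(line):
            saw_ssh_source = True
    if not saw_ssh_source:
        findings.append(("no_ssh_source_restriction", 0, ""))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit_asa_config(cfg))} finding(s)")
        for name, number, line in audit_asa_config(cfg):
            print(f"  {name:<26} line {number}: {line}")
```

The checks are deliberately line-oriented because ASA configurations are flat apart from indented sub-mode lines, which the audit strips before matching; the one whole-config check (an `ssh` source line must exist somewhere) is reported with line number 0 so it is distinguishable from per-line findings.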



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! If you want to clear a config or password recovery                              !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
! Preferred:
! hostname(config)# clear configure all
!
! This command
! hostname(config)# configure factory-default
!
! erases all configuration EXCEPT the passwd and enable passwords and
! then applies the following defaults:
!
! interface management 0/0
! ip address 192.168.1.1 255.255.255.0
! nameif management
! security-level 100
! no shutdown
! asdm logging informational 100
! asdm history enable
! http server enable
! http 192.168.1.0 255.255.255.0 management
! dhcpd address 192.168.1.2-192.168.1.254 management

! dhcpd lease 3600
! dhcpd ping_timeout 750
! dhcpd enable management
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
! Password Recovery - power on and press the ESCAPE key during boot to enter ROMMON
!
! rommon #1> confreg 0x41
! rommon #2> boot
! hostname> enable
! adjust usernames and passwords as desired
! move running and start configs accordingly
! hostname(config)# config-register 0x1
!
! If the ASA has the command: no service password-recovery
! ROMMON will require you to erase all file systems, including the
! configuration files and images, before the configuration can be bypassed
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!