Cisco ASA firewalls have been a major security product for Cisco for many years now, with several generations. And whilst there is a shift to a more GUI based environment with the latest iteration, there are still a significant number of ASAs deployed in the field.
Here are some hints and tips that may help. This list will be updated over time, so check back frequently. Please also leave your Hints and Tips in the comments.
Cisco Resources
Cisco provides excellent resources online including full books for Cisco ASA CLI and ASDM. Here are some links:
Cisco Security products including Cisco ASA
Cisco ASA General Operations Guide (Book 1)
Cisco ASA Firewall Configuration Guide (Book 2)
Cisco ASA VPN Configuration Guide
Cisco ASDM General Operations Guide (Book 1)
Cisco ASDM Firewall Configuration Guide (Book 2)
Cisco ASDM VPN Configuration Guide
Disable Enable Login
As from software version 9.1.5 you can go straight into enable mode after logging in by adding the auto-enable keyword to the exec authorization command:
aaa authorization exec LOCAL auto-enable
Show Sections of the Running-Config
Like IOS, it is possible to show sections of the ASA running-config. However, with ASAs it is a lot easier, as the sections are defined as subcommands of the show run command, for example:
ASA1# show run object
object network google1-mapped
host 8.8.8.8
object network google1-real
host 208.67.222.123
object network google2-real
host 208.67.220.123
object network google2-mapped
host 8.8.4.4
<snip>
ASA1# show run NAT
nat (inside,outside) source static host1-real host1-mapped destination static google1-mapped google1-real
nat (inside,outside) source static host1-real host1-mapped destination static google2-mapped google2-real
!
object network host1-real
nat (any,any) static host1-mapped
<snip>
ASA1# show run ?
aaa Show AAA configuration information
aaa-server Show aaa-server configuration information
access-group Show access group(s)
access-list Show configured access control elements
all Show current operating configuration including
defaults
arp Show configured ARP entries, ARP timeout
asdm Show ASDM configuration
asp Show ASP configuration
auth-prompt Show configured authentication challenge,
reject and acceptance prompts
auto-update Show Auto Update configuration
<snip>
Informative Prompt
The command prompt can be set to show useful information such as:
Hostname
Whether the firewall is configured to be primary or secondary
Failover state (active or standby)
Etc
This can be configured as follows:
ASA1(config)# prompt ?

configure mode commands/options:
  cluster-unit  Display the cluster unit name in the session prompt
  context       Display the context in the session prompt (multimode only)
  domain        Display the domain in the session prompt
  hostname      Display the hostname in the session prompt
  priority      Display the priority in the session prompt
  state         Display the traffic passing state in the session prompt
ASA1(config)# prompt hostname priority state
ASA1/pri/act(config)
NAT vs ACL
For software versions 8.3+, NAT is processed before the ACL for inbound traffic, so you should always use the real IP address (typically the inside, private address) of the hosts in the ACL, never the mapped (translated) address.
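As an added example (not from the original post), the following Python check applies this rule to constructed show run output: it collects the mapped-side object names from twice-NAT source static lines and flags access-list entries that reference a mapped object or its address instead of the real one. The object names follow the post's host1/google1 naming, the addresses are made up, and only host object members and twice-NAT source static lines are parsed.

```python
import re

# Constructed sample of 'show run object/nat/access-list' output; object names
# follow the post's host1/google1 naming, the addresses are made up.
SAMPLE_CONFIG = """\
object network host1-real
 host 10.1.1.10
object network host1-mapped
 host 203.0.113.10
nat (inside,outside) source static host1-real host1-mapped destination static google1-mapped google1-real
access-list outside_in extended permit tcp object google1-real object host1-real eq 443
access-list outside_in extended permit tcp any object host1-mapped eq 22
access-list outside_in extended permit tcp any host 203.0.113.10 eq 22
"""

def parse_objects(config):
    """Map each 'object network NAME' to its 'host' address (host members only)."""
    objects, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^object network (\S+)", line)
        member = re.match(r"^\s+host (\S+)", line)
        if head:
            current = head.group(1)
        elif member and current:
            objects[current] = member.group(1)
    return objects

def mapped_objects(config):
    """Mapped-side names from twice-NAT lines (source: 'real mapped'; destination: 'mapped real')."""
    mapped = set()
    for line in config.splitlines():
        m = re.match(r"^nat \(\S+\) source static \S+ (\S+)"
                     r"(?: destination static (\S+) \S+)?", line)
        if m:
            mapped.update(g for g in m.groups() if g)
    return mapped

def find_mapped_in_acls(config):
    """Return (acl_line, token) for ACL entries naming a mapped object or its address."""
    objects, mapped = parse_objects(config), mapped_objects(config)
    mapped_ips = {objects[n] for n in mapped if n in objects}
    findings = []
    for line in config.splitlines():
        if line.startswith("access-list "):
            tokens = line.split()
            for tok, nxt in zip(tokens, tokens[1:]):
                # On 8.3+ the ACL is evaluated against real addresses, so a mapped name/IP is a mistake
                if (tok == "object" and nxt in mapped) or (tok == "host" and nxt in mapped_ips):
                    findings.append((line, nxt))
    return findings
```

Running find_mapped_in_acls against a real show run capture lists the ACL lines to correct; object-group members and object NAT (nat under an object) are not resolved by this check.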
Terminal Width
Quite often when configuring an ASA, you'll find the end of your line gets truncated on the screen. For example, you might type the following line:
nat (inside,outside) source static host1-real host1-mapped destination static google1-mapped google1-real
But it will display as follows:
asa1(config)# $apped destination static google1-mapped google1-real
To resolve this, change the terminal width as follows:
asa1(config)# terminal width ?

configure mode commands/options:
  0         Specify this value to set the maximum permitted width
  <40-511>  Terminal width columns, default is 80
asa1(config)# terminal width 160