The ASA command line interface has a similar look and feel to the Cisco router IOS. However, the ASA CLI also has different commands.
This table contrasts common IOS router and ASA commands.
IOS Router Command | Equivalent ASA Command |
---|---|
enable secret password | enable password password |
line vty 0 4, password password, login | password password |
ip route | route int_name |
show ip route | show route |
show ip interface brief | show interface ip brief |
show ip nat translations | show xlate |
copy running-config startup-config | write [memory] |
erase startup-config | write erase |
ASA CLI commands can be executed regardless of the current configuration mode prompt. The IOS command do is neither required nor recognized.
Most ASA devices ship with a default configuration that, in the majority of cases, is sufficient for a basic SOHO deployment.
The default hostname is ciscoasa. By default, the privileged EXEC and console line passwords are not configured. All interfaces are shut down and unnamed.
The ASA can be restored to its factory default configuration by using the configure factory-default global configuration mode command.
The ASA provides an interactive setup initialization wizard to simplify the initial configuration of the device. This wizard is displayed when there is no startup configuration, or when the startup configuration is erased and the ASA is rebooted using the write erase and reload privileged EXEC commands. To cancel the wizard and display the ASA default user EXEC mode prompt, enter no at the startup prompt.
After the interactive portion of the wizard is completed, the security appliance displays a summary of the new configuration and prompts the user to save or reject the settings. Answering yes saves the configuration to flash and displays the configured hostname prompt. Answering no restarts the setup initialization wizard from the beginning, using any changes that had been made as the new default values. This lets the administrator correct a misconfigured setting without retyping everything.
An ASA should be configured with basic management settings:
hostname name
domain-name name
enable password password
banner motd message
key config-key password-encryption [new-pass [old-pass]]
password encryption aes
The privileged EXEC password is stored as a hash (MD5 in older releases), not reversibly encrypted, so it is not affected by the AES commands. The key config-key password-encryption command sets a master passphrase, and password encryption aes then uses it to AES-encrypt the other secrets held in the configuration (such as VPN pre-shared keys and AAA server keys), which would otherwise appear in show running-config in clear or trivially reversible form. Both should be configured on any device whose configuration is backed up or shared.
Like the IOS CLI, legal notification is provided using the banner motd command. However, the command is configured somewhat differently than the IOS version. To configure a banner with several lines, the banner motd command must be entered once per line. To remove a single line, use the no banner motd message command with that line's text.
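The following configuration, added here as an example rather than taken from the original page, applies all of the management settings above to a freshly reset ASA. The hostname FW1, the domain example.com, the passwords and the master passphrase are assumed values.

```text
! Added example, not from the original page. Hostname, domain name,
! passwords and the passphrase are placeholders chosen for illustration.
hostname FW1
domain-name example.com
! Privileged EXEC password (stored as a hash, not reversibly encrypted)
enable password Str0ngEnablePassw0rd!
! Multi-line legal banner: one "banner motd" command per line of text
banner motd Unauthorized access to this device is prohibited.
banner motd All activity may be monitored and recorded.
! Master passphrase (a privileged EXEC command, not a config command) ...
key config-key password-encryption MasterPassphrase!2024
! ... then AES-encrypt the other secrets stored in the configuration
password encryption aes
! Save to flash and confirm that encryption is active
write memory
show password encryption
```

The master passphrase is not itself written into the configuration; show password encryption reports only a hash of it and whether it has been saved, so the passphrase must be recorded separately or the encrypted keys cannot be recovered after a configuration restore.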
Each configured interface must have a name, a security level, and an IP address:
nameif name — Configures the interface name.
security-level {0-100} — Interfaces with a security level of 100 are considered completely trustworthy. Interfaces with a security level of 0 are considered untrustworthy.
The default behavior is to implicitly permit traffic from a higher security interface to a lower security interface and to implicitly deny traffic from a lower security interface to a higher one. Traffic between two interfaces with the same security level is also denied unless the same-security-traffic permit inter-interface command is configured.
ip address address mask — (Optional) manually configure the interface's IP address.
Using the no nameif name command deletes all configuration that refers to the named interface. To rename an interface, use the nameif command with the new name.
For interfaces that obtain their IP address dynamically from an upstream device rather than by manual configuration, an alternative configuration may be used:
DHCP — Used when an interface is connecting to an upstream device providing DHCP services. The interface can be a DHCP client and discover its IP address and DHCP-related information from the upstream device.
PPPoE — Used when an interface is connecting to an upstream DSL device providing point-to-point connectivity over Ethernet services. The interface can be a PPPoE client and discover its IP address from an upstream PPPoE DSL device.
In ASA software versions 9.7 and later, individual ports can be combined into bridge groups so that they act like switch ports on the same logical network. In this way, multiple devices can be connected directly to the ASA inside logical networks. This is done by assigning the ports to a bridge virtual interface (BVI). The BVI is then configured with a name, security level, IP address and mask, and other settings. To permit devices on different physical member interfaces to communicate with each other, the same-security-traffic permit inter-interface global configuration command must also be configured.
A drawback to using BVIs is that many commands, such as no shutdown, must still be configured on the individual member interfaces. In addition, an access list intended for the BVI must be applied with access-group to each physical member interface individually.
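Added here as an example (not the page's own configuration), the following builds a two-port bridge group on a 9.7 or later release. The interface identifiers, names, bridge-group number and addresses are assumptions.

```text
! Added example, not from the original page; requires ASA 9.7 or later.
! Interface identifiers, names, group number and addresses are placeholders.
! Member ports: each gets "bridge-group 1", a name, a security level and
! "no shutdown". The IP address lives on the BVI, not on the members.
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
 no shutdown
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
 no shutdown
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
! The members share security level 100, so traffic between them needs this
same-security-traffic permit inter-interface
! An ACL for the bridged network is bound to each member port, not to BVI1
access-list INSIDE-IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE-IN in interface inside_1
access-group INSIDE-IN in interface inside_2
```

Any later change to the INSIDE-IN policy takes effect on both ports at once, but forgetting to bind it to a newly added member port leaves that port governed only by the security-level defaults.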
If an ASA is configured as a DHCP client, it can receive and install a default route from the upstream device (the setroute keyword of ip address dhcp). Otherwise, a default static route must be configured using the route interface-name 0.0.0.0 0.0.0.0 next-hop-address command. To verify the route entry, use the show route command.
Telnet or SSH is required to manage an ASA device from the CLI remotely. Because Telnet sends credentials and session data in cleartext, SSH should be used and Telnet left disabled wherever possible. To enable Telnet services, use the following commands:
To remove the Telnet configuration, use the clear config telnet command.
To configure the Telnet service to use the local authentication database instead, use the aaa authentication telnet console LOCAL command.
To remove the SSH configuration, use the clear config ssh command.
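The enabling commands the page refers to are not reproduced on it, so the following is an added example (not the original page's text) of enabling SSH with local authentication while leaving Telnet disabled. The admin account, its password, the management subnet and the interface name are assumptions.

```text
! Added example, not from the original page. The account, password,
! management subnet and interface name are placeholders.
username admin password Adm1n-Passw0rd! privilege 15
! Authenticate SSH (and Telnet, should it ever be enabled) against the local database
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
! Generate the RSA host key, then restrict SSH to the management subnet on "inside"
crypto key generate rsa modulus 2048
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
! Telnet is cleartext: remove any earlier Telnet permissions rather than adding any
clear configure telnet
! Verification: the active SSH configuration and current sessions
show running-config ssh
show ssh sessions
```

Without an ssh line naming a source network and interface, no host can connect even though the service is otherwise configured; keep that network as small as the management design allows.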
Network Time Protocol (NTP) services can be enabled on an ASA to obtain the date and time from an NTP server:
An ASA can be configured to be a DHCP server to provide IP addresses and DHCP-related information to hosts:
If the ASA outside interface was configured as a DHCP client, then the dhcpd auto_config OUTSIDE global configuration mode command can be used to pass the DHCP-obtained DNS, WINS and domain information to the DHCP clients inside the secured network.
To verify DHCP settings, use the following commands:
show dhcpd state — Displays the current DHCP state for inside and outside interfaces.
show dhcpd binding — Displays the current DHCP bindings of inside users.
show dhcpd statistics — Displays the current DHCP statistics.
When an ASA device has an interface that is connected to an upstream device providing DHCP services, the interface can be configured as a DHCP client to discover its IP address and DHCP-related information from the upstream device.
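The NTP and DHCP server paragraphs above are illustrated by the following added example, which is not part of the original page. The NTP server address and key, the DHCP pool, the DNS servers and the interface names are assumptions.

```text
! Added example, not from the original page. The NTP server, key, DHCP pool,
! DNS servers and interface names are placeholders.
! Authenticated NTP: key 1 must be marked trusted and authentication enabled,
! otherwise a spoofed server could shift the clock (and with it log timestamps
! and certificate validity checks)
ntp authentication-key 1 md5 NtpSharedSecret
ntp trusted-key 1
ntp authenticate
ntp server 209.165.201.10 key 1 source outside prefer
! DHCP server for the inside network
dhcpd address 192.168.1.10-192.168.1.100 inside
dhcpd dns 192.168.1.5 209.165.201.20
dhcpd domain example.com
dhcpd lease 86400
dhcpd enable inside
! If "outside" is itself a DHCP client, the ISP-learned DNS/WINS/domain can be
! relayed to inside clients instead of the static dhcpd dns/domain lines above:
! dhcpd auto_config outside
! Verification
show ntp status
show ntp associations
show dhcpd state
show dhcpd binding
show dhcpd statistics
```

show ntp associations marks the server the clock is synchronised to with an asterisk; if the key or trusted-key lines are wrong the association stays unsynchronised rather than failing loudly, so check it after configuring authentication.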
Objects are reusable components for use in configurations. Objects make it easy to maintain configurations, because when an object is modified, the change is automatically applied to all rules that use the specified object.
There are two types of objects that can be configured: network objects and service objects.
These objects can be used in NAT, access lists, and object groups.
Objects can be attached or detached from one or more object groups as needed, ensuring that the objects are not duplicated, but can be re-used wherever needed.
By grouping like objects together, an object group can be used in an access control entry (ACE) instead of having to enter an ACE for each object separately.
Object groups can include any of the following components:
Although protocol object groups can be created, it is recommended against. Service object groups should be used instead.
To create an object group, use the object-group group-type name configuration command to enter object-group subconfiguration mode. After entering the command, add objects to the group using object configuration commands of the appropriate type (for example, network-object for network groups). Other object groups may also be added with the group-object command while in object-group subconfiguration mode. This creates nested object groups.
To remove all object groups from the configuration, use the clear config object-group configuration command.
Verify object group configurations via the show run object-group command.
Network object groups can contain multiple network objects as well as inline networks or hosts. Network object groups can also include a mix of both IPv4 and IPv6 addresses.
Network object groups cannot be used to implement network object NAT; the nat command inside an object requires individual network objects for the real and mapped addresses.
When configuring a service object group for TCP, UDP, or TCP and UDP, specify the protocol in the group declaration via the object-group service grp-name [tcp | udp | tcp-udp] configuration command. When declared this way, ports are added with the port-object operator { service | port(s) } command rather than with service-object.
The following guidelines and limitations apply to object groups:
Network objects are a vital part of configuring NAT and can greatly simplify ACLs.
To create a network object, use the object network object-name configuration command. The prompt changes to network object configuration mode.
The commands available in network object configuration mode are shown in the table below.
ASA Command | Description |
---|---|
attribute attribute-agent attribute-type attribute-value | Used to filter traffic associated with one or more virtual machines. |
description message | Enter a description of the object, up to 200 characters in length. |
fqdn domain | A fully qualified domain name, such as www.example.com. Specify v4 before the name to limit the address to IPv4, or v6 for IPv6. If no address type is specified, IPv4 is assumed. |
host address | The IPv4 or IPv6 address of a single host. |
range start-address end-address | A range of addresses. IPv4 or IPv6 ranges can be specified. Do not include masks or prefixes. |
subnet { address mask \| ipv6/prefix } | Associates a network subnet with the current object. |
To create a service object, use the object service object-name configuration command. The prompt changes to service object configuration mode. A service object can contain an IP protocol, an ICMP or ICMPv6 type, or a TCP or UDP port or port range.
The table provides an overview of common service options available.
ASA Command | Description |
---|---|
service protocol | Specifies an IP protocol name or number. |
service {tcp\|udp} [source operator port] [destination operator port] | Specifies that the service object is for the TCP or UDP protocol, optionally with source and destination ports. |
service {icmp\|icmp6} [icmp-type [icmp-code]] | Specifies that the service object is for the ICMP or ICMPv6 protocol, optionally limited to a type and code. |
Operators, such as eq, neq, lt, gt, and range, can be used while configuring a port for a given protocol. If no operator is specified, the default operator is eq.
Use the no form of the command to remove a specific service object. To erase all service objects, use the clear config object service command.
To verify, use the show running-config object service command.
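The object group section above and the object section just finished are illustrated together by the following added example, which is not part of the original page. Every object and group name, address and port is an assumption.

```text
! Added example, not from the original page. All object names, addresses
! and ports are placeholders.
! Network objects: one address set each; these can later carry object NAT
object network WEB-SRV
 host 192.168.2.10
object network DMZ-NET
 subnet 192.168.2.0 255.255.255.0
object network PRINTERS
 range 192.168.1.200 192.168.1.210
object network UPDATES
 fqdn v4 updates.example.com
! Service objects: a TCP destination port and an ICMP type
object service HTTPS-IN
 service tcp destination eq 443
object service ICMP-ECHO
 service icmp echo
! Network object group: a member object, an inline host and a nested group
object-group network DMZ-HOSTS
 network-object object WEB-SRV
 network-object host 192.168.2.11
object-group network INTERNAL
 network-object 192.168.1.0 255.255.255.0
 group-object DMZ-HOSTS
! TCP service group: only port-object entries, since the type is fixed to tcp
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
 port-object range 8080 8081
! Verification
show running-config object
show running-config object-group
```

An fqdn object only matches traffic once the ASA has resolved the name, which requires dns domain-lookup and a DNS server group to be configured; until then rules that reference it match nothing, and the resolved address set changes whenever the DNS answer changes.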
Cisco ASAs provide basic traffic filtering capabilities with ACLs. ACLs control access in a network by preventing defined traffic from entering or exiting. In addition, an ACL can be used to select traffic to which a feature will apply, thereby performing a matching service rather than a control service.
There are many similarities between ASA ACLs and IOS ACLs. For example, both are made up of ACEs that are processed sequentially from the top down, and both end with an implicit deny any. On the ASA, one ACL can be applied per interface per direction.
Like IOS Router ACLs, those on ASAs can be enabled/disabled based on time ranges.
ASA ACLs differ from IOS ACLs in that they use a network mask (e.g., 255.255.255.0) instead of a wildcard mask (e.g. 0.0.0.255). Nearly all ASA ACLs are named instead of numbered.
The ASA supports five types of access lists:
Standard ACLs may also be used to filter traffic for LAN-to-LAN (L2L), Cisco VPN Client, and the Cisco AnyConnect Secure Mobility Client traffic.
In addition to filtering packets passing through the ASA on the way to a destination host (called through-traffic filtering), ACLs can also be used to filter packets destined for the ASA directly (called to-the-box-traffic filtering).
ASA devices differ from their router counterparts because of interface security levels. By default, security levels apply implicit access control even without an ACL configured. For instance, traffic from a more secure interface, such as security level 100, is allowed to access less secure interfaces, such as level 0, and the return traffic is permitted by the stateful connection table. Traffic initiated from a less secure interface is blocked from reaching more secure interfaces unless an ACL applied to that interface permits it.
The full ACL configuration syntax has a very long list of parameters, including object-context, filter-type, direction, interface, protocol/port, and logging options. However, for most needs, a more useful and condensed version of the syntax is shown below.
ASA(config)# access-list id extended { deny | permit } protocol { src-ip mask | any | host src-ip | interface interface } [operator [port]] { dst-ip mask | any | host dst-ip | interface interface } [operator [port]] [log] [time-range name]
Time ranges allow ACEs to be activated on a periodic schedule or for an absolute lifespan, giving granular control over time-of-day network restrictions.
Configure a time range using the time-range name command to enter time-range subconfiguration mode, where periodic and absolute statements define when the range is active.
ASA(config)# access-group id { in | out } interface interface [ per-user-override | control-plane ]
The per-user-override keyword indicates that ACLs downloaded from an AAA server should be used to override entries on the ACL applied to the interface.
The control-plane keyword indicates that the applied ACL should be used to limit management traffic destined for the ASA.
To erase a configured ACL, use the clear config access-list id command.
To verify ACLs, use the show access-list and show run access-list commands.
To allow connectivity between interfaces with the same security level, the same-security-traffic permit inter-interface global configuration command is required. To enable traffic to enter and exit the same interface, such as when encrypted traffic enters an interface and is then routed out the same interface unencrypted, use the same-security-traffic permit intra-interface global configuration command.
Object grouping for ACL configuration is a way to group similar items together to reduce the number of individual ACEs. By grouping like objects together, object groups can be reused in multiple ACLs instead of having to enter an ACE for each object separately. This also simplifies reading ACL configurations.
ASA(config)# access-list id extended { deny | permit } protocol object-group src-network-group-id object-group dst-network-group-id object-group service-group-id [log] [time-range name]
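The following added example (not taken from the original page) applies the ACL syntax above: a time range, object groups, an inbound policy on the outside interface and a schedule-limited policy on a guest interface. The object names, addresses, interface names and the business-hours schedule are assumptions.

```text
! Added example, not from the original page. Object names, addresses,
! interface names and the schedule are placeholders.
! Weekday business hours, 08:00 to 18:00
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00
! Groups referenced by the ACLs (defined here so the example stands alone)
object-group network WEB-SRVS
 network-object host 192.168.2.10
 network-object host 192.168.2.11
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
! Inbound policy on outside. Note the subnet masks rather than wildcard masks.
access-list OUTSIDE-IN extended permit tcp any object-group WEB-SRVS object-group WEB-PORTS log
access-list OUTSIDE-IN extended permit icmp any object-group WEB-SRVS echo
! Explicit final deny so that dropped packets are logged
access-list OUTSIDE-IN extended deny ip any any log
! Guest network reaches the Internet only during business hours
access-list GUEST-OUT extended permit ip 192.168.50.0 255.255.255.0 any time-range BUSINESS-HOURS
access-list GUEST-OUT extended deny ip any any log
access-group OUTSIDE-IN in interface outside
access-group GUEST-OUT in interface guest
! Verification: expanded entries with hit counts, and the saved configuration
show access-list OUTSIDE-IN
show running-config access-list
```

show access-list expands each object-group ACE into its individual entries and shows a hit count per entry, which is the quickest way to confirm that a rule is actually matching the traffic it was written for.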
As with IOS routers, the ASA supports Network Address Translation (NAT). NAT is typically used to translate private IP network addresses into public IP addresses.
NAT can be deployed using one of the following methods:
View current NAT usage via the show xlate command. Additional configuration information can be verified using the show nat and show nat detail commands.
Cisco ASA devices support the following common types of NAT:
Another ASA NAT feature is called Twice-NAT. Twice-NAT identifies both the source and destination address in a single rule (nat command). Twice-NAT is used when configuring remote-access IPsec and SSL VPNs.
These types of NAT are referred to as network object NAT because they require network objects to be configured.
To configure network object dynamic NAT, two network objects are required: one identifying the real (pre-NAT) addresses and one identifying the mapped (post-NAT) addresses. These are identified using the range or subnet network object commands.
The two objects are then bound together using the following network object command syntax:
ASA(config)# object network name
ASA(config-network-object)# nat [(real_if_name,mapped_if_name)] dynamic mapped_object [interface [ipv6]] [dns]
The real_if_name is the pre-NAT interface. The mapped_if_name is the post-NAT interface. Notice that there is no space after the comma in the command syntax.
To allow inside hosts to ping outside hosts, enable ICMP inspection in the global policy map (inspect icmp) so that echo replies are matched to the outgoing requests and permitted back through the outside interface. Without inspection, ICMP is not tracked as a connection and an ACL on the outside interface would be needed to let the replies in.
NAT Configuration Example
Permit ICMP Example
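The two captions above refer to figures that are not reproduced on the page; the following is an added example standing in for them, not the original figures. It configures network object dynamic NAT and ICMP inspection. The object names, the inside subnet, the public pool and the interface names are assumptions.

```text
! Added example, not from the original page. Object names, the inside
! subnet, the public pool and interface names are placeholders.
! Mapped (post-NAT) pool of public addresses
object network PUBLIC-POOL
 range 209.165.200.227 209.165.200.229
! Real (pre-NAT) inside network, bound to the pool. No space after the comma.
! The trailing "interface" keyword falls back to PAT on the outside interface
! address once the three pool addresses are in use, instead of dropping new
! connections.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic PUBLIC-POOL interface
! Let inside hosts ping outside hosts: ICMP inspection tracks echo requests so
! the replies are permitted back in through outside without an ACL. This edits
! the existing global_policy in place rather than creating a new policy map.
policy-map global_policy
 class inspection_default
  inspect icmp
! Verification: the NAT rules with hit counts, then the live translations
show nat detail
show xlate
```

show nat detail lists the translate_hits and untranslate_hits per rule, while show xlate shows the active translation table; a pool of three addresses without the interface fallback would show new connections failing once three inside hosts are active.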
Port Address Translation (PAT) is a variant of NAT. Cisco ASA devices can be configured for Dynamic PAT. Dynamic PAT is used any time multiple internal hosts need to share a single public IP address.
Only one network object is required when overloading the outside interface. To enable inside hosts to overload the outside address (using Dynamic PAT), use the nat [(real_if_name,mapped_if_name)] dynamic interface network object configuration command.
Static NAT is configured when an inside address is mapped to an outside address. For instance, static NAT can be used when a server must be accessible from the outside.
To configure static NAT, use the nat [(real_if_name,mapped_if_name)] static mapped_ip network object configuration command.
An ACL applied to the outside interface is still required for inbound connections to a statically translated server to succeed, because the implicit security-level policy denies traffic from a lower to a higher security interface. Since ASA 8.3, that ACL matches the real (untranslated) address of the server, not the mapped public address.
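The PAT and static NAT paragraphs above are illustrated by the following added example, which is not from the original page. The object names, the inside subnet, the server addresses and the interface names are assumptions.

```text
! Added example, not from the original page. Object names, the inside
! subnet, server addresses and interface names are placeholders.
! Dynamic PAT: every inside host shares the outside interface address
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Static NAT: a DMZ web server reachable from outside on a fixed public address
object network WEB-SRV
 host 192.168.2.10
 nat (dmz,outside) static 209.165.200.227
! The security-level policy still denies outside -> dmz, so permit the inbound
! traffic explicitly. Since 8.3 the ACL names the REAL address (via the object),
! not the mapped 209.165.200.227.
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV eq www
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV eq https
access-group OUTSIDE-IN in interface outside
! Verification
show nat
show xlate
```

Keeping the ACL limited to the two service ports matters: a static translation maps every port of the public address to the server, so a permit ip any object WEB-SRV line would expose the whole host rather than the web service.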
Cisco ASA can be configured to authenticate using a local user database or an external server for authentication or both.
To enable authentication of users connecting via the console port, SSH, HTTPS, or Telnet, or to authenticate users attempting to access privileged EXEC mode, use the following command syntax:
ASA(config)# aaa authentication {serial|enable|telnet|ssh|http} console { LOCAL | server-group [LOCAL] }
Use the username name password password [privilege priv-level] command to create local user accounts. To erase a user from the local database, use the clear config username [name] command. To view all user accounts, use the show running-config username command.
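The following added example (not from the original page) combines the local database with an external TACACS+ server group, using the aaa-server commands described in the next paragraph, so that management access still works if the server is unreachable. The group name, server address, shared key and account are assumptions.

```text
! Added example, not from the original page. The server group name, server
! address, shared key and account are placeholders.
! Local account, used only when the TACACS+ servers cannot be reached
username admin password Adm1n-Passw0rd! privilege 15
! Server group, then a host inside it
aaa-server ADMIN-TACACS protocol tacacs+
aaa-server ADMIN-TACACS (inside) host 192.168.1.20
 key TacacsSharedSecret
 timeout 5
! SSH, ASDM/HTTPS and enable authenticate against TACACS+ with LOCAL fallback;
! the serial console stays on LOCAL so it never depends on the network
aaa authentication ssh console ADMIN-TACACS LOCAL
aaa authentication http console ADMIN-TACACS LOCAL
aaa authentication enable console ADMIN-TACACS LOCAL
aaa authentication serial console LOCAL
! Verification: stored configuration, then a live authentication test
show running-config aaa-server
show running-config aaa
test aaa-server authentication ADMIN-TACACS host 192.168.1.20 username admin password Adm1n-Passw0rd!
```

The LOCAL keyword after the server group means the local database is consulted only when the servers do not respond, not when they reject the credentials, so a revoked central account cannot fall through to a stale local password.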
To configure a TACACS+ or RADIUS server, use the following steps:
Create the server group with the aaa-server server-tag protocol { tacacs+ | radius } configuration command. This enters AAA-server-group subconfiguration mode.
Add a server to the group with the aaa-server server-tag [(interface_name)] host { server-ip | hostname } [key] command. This enters host-specific AAA subconfiguration mode, where the shared key and timeout can also be set.
To erase AAA configurations, use the following commands:
clear config aaa-server — remove all AAA server configurations.
clear config aaa — remove all AAA-based console authentication configurations.
To view AAA configurations, use the following commands:
show running-config aaa-server — view all configured AAA servers and host-specific parameters.
show running-config aaa — view all AAA-based console authentication configurations.
The Modular Policy Framework (MPF) allows granular classification of traffic flows, which enables the application of different advanced policies to different flows. MPF is also used with hardware modules to redirect selected traffic from the ASA to those modules. MPF can be used for advanced application layer inspection of traffic by classifying at Layers 5-7, and it can also be used to implement rate limiting and QoS.
Cisco MPF uses three configuration objects to define modular, object-oriented, hierarchical policies:
Class Maps — The class of traffic to be filtered. Creates a Layer 3/4 class map that can contain multiple match criteria.
Policy Maps — The action that will be applied to matched traffic. Defines a policy for the traffic that applies to Layers 3-7. A single policy map can reference multiple class maps, each with its own actions.
Service Policy — The interface-binding configuration that applies a policy-map to an interface.
There are four steps to configure MPF on an ASA:
Class maps are configured to identify Layer 3/4 traffic.
To create a class map, use the class-map name global configuration command to enter class-map configuration mode. The name "class-default" and any name that begins with "_internal" or "_default" are reserved.
A variation of the class-map command is used for management traffic that is destined for the ASA itself. In this case, use the class-map type management name command.
When configuring a class map, always include a description explaining its purpose by using the description message class-map configuration command.
To identify the traffic that the class map should match, use match any to match all traffic or match access-list acl-name to match traffic specified by an extended access list.
Unless otherwise specified, only include one match command in the class map.
To erase all class map configurations, use the clear config class-map global configuration command.
To verify class map configuration, use the show run class-map command.
The ASA also automatically defines a default Layer 3/4 class map, identified in the running configuration as class-map inspection_default. This class map contains the match default-inspection-traffic statement, which sets default rules for service-based packet inspection. When used in a policy map, this class map ensures that the correct inspection is applied to each packet, based on the destination port of the traffic.
Policy maps are used to associate class maps with actions. Actions are applied to traffic bidirectionally or unidirectionally depending on the feature.
There are several steps to configure a policy map:
Use the policy-map name global configuration command to enter policy-map configuration mode.
Add a description with the description message policy-map configuration command.
Reference a class map with the class class-map-name command.
Apply an action, such as the inspect protocol command.
Activate the policy with the service-policy name { interface interface | global } global configuration command.
The maximum number of policy maps is 64. However, multiple class maps and multiple actions can be associated with each policy map.
Additional actions are available in policy-map class configuration mode, including:
set connection — Sets connection limits and timeouts for the matched traffic.
police — Sets rate limits for the matched traffic classes.
To verify the policy map configuration, use the show run policy-map command.
To erase all configured policy maps, use the clear config policy-map command.
The default ASA configuration includes a default policy map, called the global_policy, which is configured to require inspections on all default inspection traffic. There can only be one global policy. Therefore, to alter the global policy, either directly edit or replace it.
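The MPF steps above are carried through in the following added example, which is not from the original page: an ACL classifies inbound HTTP to a web server, a class map references it, a policy map applies inspection, connection limits and policing, and a service policy binds the result to the outside interface. The names, the server address and the limits are assumptions.

```text
! Added example, not from the original page. Names, the server address
! and the connection limits are placeholders.
! 1. Extended ACL identifying the flows of interest (inbound HTTP to a web server).
!    Here the ACL is a classifier, not a filter: the interface access-group
!    still decides whether the traffic is allowed at all.
access-list WEB-TRAFFIC extended permit tcp any host 192.168.2.10 eq www
! 2. Layer 3/4 class map with a single match statement referencing the ACL
class-map WEB-CLASS
 description Inbound HTTP to the DMZ web server
 match access-list WEB-TRAFFIC
! 3. Policy map: HTTP inspection, connection limits against SYN floods, and a
!    rate limit on the server-to-client (output) direction
policy-map OUTSIDE-POLICY
 description Inspection, connection limits and policing for inbound web traffic
 class WEB-CLASS
  inspect http
  set connection conn-max 1000 embryonic-conn-max 200 per-client-embryonic-max 20
  set connection timeout embryonic 0:00:20
  police output 8000000 16000
! 4. Service policy: bind it to the outside interface (one policy per interface;
!    the single global_policy continues to apply to everything else)
service-policy OUTSIDE-POLICY interface outside
! Verification
show running-config class-map
show running-config policy-map
show service-policy interface outside
```

show service-policy interface outside reports per-class packet counts and, for set connection, the current and maximum connection numbers, which is where an embryonic-connection limit being reached during a flood becomes visible.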