Source: Pinging ASA Interfaces
This is a base configuration template that you can use as a starting point when building your Cisco ASA firewalls. Enjoy!
!
username admin password mypassword privilege 15
hostname <hostname>
!
enable password mypassword
!
clock timezone GMT/BST 0
clock summer-time BST recurring 1 Sun Apr 3:00 last Sun Oct 2:00
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address x.x.x.x x.x.x.x
!
interface Management0/0
 nameif management
 security-level 100
 ip address x.x.x.x
 management-only
!
pager lines 24
logging enable
logging timestamp
logging standby
logging buffered informational
logging trap informational
logging asdm informational
logging facility 23
logging queue 250
!
logging host management x.x.x.x
!
logging host inside x.x.x.x
!
mtu inside 1500
mtu management 1500
mtu outside 1500
!
route management x.x.x.x x.x.x.x
route inside x.x.x.x x.x.x.x
!
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host x.x.x.x
 key mytacacskey
aaa-server TACACS+ (management) host x.x.x.x
 key mytacacskey
!
aaa authentication ssh console TACACS+
aaa authentication telnet console TACACS+
aaa authentication http console TACACS+
aaa authentication serial console TACACS+ LOCAL
aaa accounting command TACACS+
aaa accounting enable console TACACS+
aaa accounting serial console TACACS+
aaa accounting ssh console TACACS+
aaa accounting telnet console TACACS+

or

aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+
aaa authorization command TACACS+ LOCAL
aaa accounting command TACACS+ LOCAL
aaa accounting enable console TACACS+ LOCAL
aaa accounting serial console LOCAL
aaa accounting ssh console TACACS+ LOCAL

snmp-server host inside x.x.x.x community

or

snmp-server host inside x.x.x.x
snmp-server community
snmp-server location
snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
When troubleshooting connection-timeout problems on a Cisco ASA, there are a few things to look at if you need to investigate in more detail, such as the TCP handshake messages below. You may have syslog enabled on the firewall, which can give you a clue about what is actually going on, but looking at the firewall in real time shows you which TCP (or even UDP) sessions are open, active or inactive.
Take a look at each flag and root-cause the timeouts from it.
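The connection table is where the handshake state is visible in real time. The following script is an added example (not from the original post) that parses constructed `show conn` lines, explains each documented handshake/teardown flag, and lists the half-open connections whose idle time suggests the far side never answered; the sample output is made up for illustration, and the `show conn` line layout it matches is an assumption.

```python
"""Interpret the flag column of Cisco ASA `show conn` output.

Added example, not code from the original page. FLAG_MEANING holds the
documented ASA connection-table flags for handshake and teardown state;
SAMPLE is constructed output, not captured from a real firewall.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Documented `show conn` flags relevant to handshake and teardown state.
FLAG_MEANING = {
    "U": "up: three-way handshake completed",
    "I": "inbound data seen",
    "O": "outbound data seen",
    "B": "initial SYN came from the outside interface",
    "s": "awaiting SYN from outside",
    "S": "awaiting SYN from inside",
    "a": "awaiting ACK to SYN from outside",
    "A": "awaiting ACK to SYN from inside",
    "F": "outside sent FIN",
    "f": "inside sent FIN",
    "R": "outside acknowledged FIN",
    "r": "inside acknowledged FIN",
    "i": "incomplete TCP or UDP connection",
}

# Assumed line layout (one connection per line):
# TCP outside 203.0.113.10:443 inside 10.10.10.5:51234, idle 0:00:05, bytes 48213, flags UIO
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<addr_a>\S+)\s+(?P<if_b>\S+)\s+(?P<addr_b>\S+),"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2}),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)"
)


@dataclass
class Conn:
    proto: str
    peer_a: tuple[str, str]   # (interface, address:port) as printed first
    peer_b: tuple[str, str]   # (interface, address:port) as printed second
    idle_seconds: int
    byte_count: int
    flags: str

    def state(self) -> str:
        """Classify the connection from its flags."""
        if self.proto == "UDP":
            return "udp"
        f = set(self.flags)
        if "U" in f:
            # Handshake completed; any FIN flag means it is being torn down.
            return "closing" if f & {"F", "f", "R", "r"} else "established"
        if f & {"s", "S", "a", "A"}:
            # Still waiting for a SYN or for the ACK to a SYN: the peer never answered.
            return "half-open"
        return "unknown"

    def explain(self) -> list[str]:
        """Meaning of every flag letter; the ASA prints '-' when there are none."""
        return [FLAG_MEANING.get(ch, f"undocumented flag {ch!r}") for ch in self.flags if ch != "-"]


def parse_idle(text: str) -> int:
    """Convert the h:mm:ss idle column to seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_show_conn(output: str) -> list[Conn]:
    """Parse `show conn` output, skipping header lines such as '12 in use, 40 most used'."""
    conns: list[Conn] = []
    for line in output.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(Conn(m["proto"], (m["if_a"], m["addr_a"]), (m["if_b"], m["addr_b"]),
                              parse_idle(m["idle"]), int(m["bytes"]), m["flags"]))
    return conns


def stalled_handshakes(conns: list[Conn], idle_threshold: int = 30) -> list[Conn]:
    """Half-open connections idle for at least idle_threshold seconds: the classic
    'connection timed out' symptom, where the ASA built the connection but the far
    side never completed the handshake."""
    return [c for c in conns if c.state() == "half-open" and c.idle_seconds >= idle_threshold]


# Constructed sample output (not from a real firewall).
SAMPLE = """\
12 in use, 40 most used
TCP outside 203.0.113.10:443 inside 10.10.10.5:51234, idle 0:00:05, bytes 48213, flags UIO
TCP outside 203.0.113.20:25 inside 10.10.10.7:40001, idle 0:00:45, bytes 0, flags saA
TCP outside 203.0.113.30:80 inside 10.10.10.9:40555, idle 0:00:02, bytes 0, flags SaAB
UDP outside 203.0.113.40:53 inside 10.10.10.5:53001, idle 0:00:01, bytes 128, flags -
TCP outside 203.0.113.50:443 inside 10.10.10.11:40777, idle 0:01:20, bytes 9001, flags UfFrR
"""

if __name__ == "__main__":
    for conn in parse_show_conn(SAMPLE):
        print(f"{conn.proto} {conn.peer_a[1]} <-> {conn.peer_b[1]}: {conn.state()} "
              f"(idle {conn.idle_seconds}s) {'; '.join(conn.explain())}")
```

In the sample, the flow with flags `saA` (inside host sent a SYN, nothing came back from outside) idles past the threshold and is reported as stalled, while `UIO` is a healthy established session and `UfFrR` is a normal teardown.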
In this tutorial I am going to show how you can set up a Cisco ASA to allow internet access for the LAN behind it. Our lab topology looks as follows:
Configure the untrusted and trusted networks as follows:
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 172.16.1.3 255.255.255.248
!
interface GigabitEthernet0/2
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.224
!
Set up a network object named ANY that covers any source address (subnet 0.0.0.0 0.0.0.0) to represent traffic arriving on the LAN side of the firewall, the interface named inside, and translate it dynamically to the outside interface address:
!
object network ANY
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
Set up a default route pointing to the VRRP interface of the PE router:
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
Enable DHCP so that any device connected to the inside interface gets an IP address automatically:
dhcpd dns 126.96.36.199 188.8.131.52
!
dhcpd address 10.10.10.5-10.10.10.30 inside
dhcpd enable inside
!
dhcprelay timeout 60
Log in to the firewall as an administrator. You will land in the admin context; you need to change to the system context to make these changes.
conf t
changeto system
!
!
Now that you are in the system context, delete the context as follows:
!
no context mycontext-100
delete disk:/mycontext-100.cfg
!
Then recover/delete the sub-interfaces that were assigned to the context you deleted in the step above:
!
no interface TenGigabitEthernet0/9.3201
no interface TenGigabitEthernet0/9.3202
!
Now re-create the sub-interfaces with the new VLAN numbers:
!
interface TenGigabitEthernet0/9.1201
 vlan 1201
!
interface TenGigabitEthernet0/9.1202
 vlan 1202
!
Now create the new context and allocate the sub-interfaces to it:
!
context mynewcontext-200
 allocate-interface Management0/0
 allocate-interface TenGigabitEthernet0/9.1201
 allocate-interface TenGigabitEthernet0/9.1202
 config-url disk0:/mynewcontext-200.cfg
!
Now get into the context and apply the required configuration:
!
changeto context mynewcontext-200
enable password Cisco123 encrypted
!
interface TenGigabitEthernet0/9.1201
 nameif outside
 security-level 0
 ip address 184.108.40.206 255.255.255.240 standby 220.127.116.11
!
interface TenGigabitEthernet0/9.1202
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.248 standby 10.1.1.2
!
This is very simple to configure, but in a production environment secure a maintenance window, take a configuration backup and verify the patching beforehand. The following steps are involved:
1. Set up the failover interface on the Primary ASA
Execute the following commands to bring up port 0/3 as the LAN failover interface. This is the link between the Primary and Secondary firewalls that carries everything the Secondary unit needs to take over in case of failure, including the session table.
enable
config t
interface gigabitEthernet 0/3
 description LAN Failover Interface
 no shutdown
2. Assign the failover ip-address on Primary ASA using LANFAIL
failover lan unit primary
failover lan interface LANFAIL gi0/3
failover link LANFAIL gigabitethernet 0/3
failover interface ip LANFAIL 172.31.1.1 255.255.255.0 standby 172.31.1.2
3. Assign the External ip-address on Primary ASA
config t
interface gigabitEthernet 0/0
 ip address 10.141.144.228 255.255.255.248 standby 10.141.144.229
 exit
4. Assign the Internal ip-address on Primary ASA
interface gigabitEthernet 0/1
 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
 exit
failover
monitor-interface MGT
monitor-interface DMZ
5. Configure failover on the Secondary ASA
failover lan unit secondary
failover lan interface LANFAIL gigabitethernet 0/3
failover link LANFAIL gigabitethernet 0/3
failover interface ip LANFAIL 172.31.1.1 255.255.255.0 standby 172.31.1.2
failover
interface gigabitEthernet 0/3
 no shutdown
Don't forget to work out a back-out plan, just in case. It is always good to write it down beforehand.
- on Primary firewall:
enable
config t
interface gigabitEthernet 0/3
 shutdown
!
no failover interface ip LANFAIL 172.31.1.1 255.255.255.0 standby 172.31.1.2
no failover link LANFAIL gigabitethernet 0/3
no failover lan interface LANFAIL gigabitethernet 0/3
no failover lan unit primary
!
interface gigabitEthernet 0/0
 no ip address 10.141.144.228 255.255.255.248 standby 10.141.144.229
 ip address 10.141.144.228 255.255.255.248
!
interface gigabitEthernet 0/1
 no ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
 ip address 192.168.1.2 255.255.255.0
!
no failover
no monitor-interface MGT
no monitor-interface DMZ
- on Secondary firewall:
no failover interface ip LANFAIL 172.31.1.1 255.255.255.0 standby 172.31.1.2
no failover link LANFAIL gigabitethernet 0/3
no failover lan interface LANFAIL gigabitethernet 0/3
no failover lan unit secondary
interface gigabitEthernet 0/3
 shutdown
no failover
Check for the existing licences on your firewall:
#show ver
.
.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Serial Number: FCHS208DWST
Running Permanent Activation Key: 0x20dfsdf 0x48dfsf 0x3sdfdf 0xegfdg 0xsdfdff
Configuration register is 0x1
!
!
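When checking licences across several firewalls it helps to parse this block rather than read it by eye. The script below is an added example (not from the original page): it turns the "Licensed features" section into a dictionary and reports which features a planned design needs but the licence does not provide, for instance Failover on the Base licence shown above. SAMPLE reproduces the feature lines from the page's own output; the "Name : Value term" line layout the parser relies on is an assumption.

```python
"""Parse the 'Licensed features' block of Cisco ASA `show version` output.

Added example, not from the original page. SAMPLE reproduces the feature
lines shown on the page; the line layout the parser assumes ("Name : Value
term", where term is 'perpetual' or 'N days') is an assumption.
"""
from __future__ import annotations

import re

FEATURE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9/\- ]+?)\s*:\s*(?P<value>.+?)\s+(?P<term>perpetual|\d+\s+days?)\s*$"
)
PLATFORM_RE = re.compile(r"This platform has an? (?P<lic>\w+) license")


def parse_licensed_features(output: str) -> dict[str, tuple[str, str]]:
    """Return {feature: (value, term)} for the block after 'Licensed features for this platform:'."""
    features: dict[str, tuple[str, str]] = {}
    in_block = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("This platform has"):
            break  # end of the feature block
        m = FEATURE_RE.match(line)
        if m:
            features[m["name"].strip()] = (m["value"].strip(), m["term"])
    return features


def platform_license(output: str) -> str | None:
    """Licence tier from the 'This platform has a ... license.' line, if present."""
    m = PLATFORM_RE.search(output)
    return m["lic"] if m else None


def feature_enabled(features: dict[str, tuple[str, str]], name: str) -> bool:
    """A feature counts as licensed unless it is absent, Disabled, or has a count of 0."""
    value = features.get(name, ("Disabled", ""))[0]
    return value not in {"Disabled", "0"}


def license_gaps(features: dict[str, tuple[str, str]], required) -> list[str]:
    """Required features this licence does not provide, sorted by name."""
    return sorted(name for name in required if not feature_enabled(features, name))


# Feature lines as shown on the page; serial number and activation keys omitted.
SAMPLE = """\
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
"""

if __name__ == "__main__":
    feats = parse_licensed_features(SAMPLE)
    print(f"{platform_license(SAMPLE)} license, {len(feats)} features parsed")
    print("gaps for an active/standby pair with contexts:",
          license_gaps(feats, ["Failover", "Security Contexts", "Encryption-3DES-AES"]))
```

Run against the page's output, the gap list contains Failover and Security Contexts, which is exactly what the activation-key update in the next step is meant to fix; run it before a failover change window and the answer is known before anyone types `failover`.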
Now perform the following steps and key in the activation key provided by Cisco when you purchased the new release.
HO-Markhorr-KHI-FW01(config)# activation-key 000sdfs 1c42dfsfsd fddfsfsd asdfsdsf
Validating activation key. This may take a few minutes...
Failover is different.
  running permanent activation key: Restricted(R)
  new permanent activation key: Unrestricted(UR)
WARNING: The running activation key was not updated with the requested key.
Proceed with update flash activation key? [confirm]
The flash permanent activation key was updated with the requested key, and will become active after the next reload.
HO-Markhorr-KHI-FW01(config)# wr
Building configuration...
Cryptochecksum: 5e648459 ea268bf2 20d92ce8 7709071b
21647 bytes copied in 0.730 secs
[OK]
HO-Markhorr-KHI-FW01(config)# reload
Proceed with reload? [confirm]
HO-Markhorr-KHI-FW01(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system
***
*** --- SHUTDOWN NOW ---