ASA 5505

Internet Access
To ensure your remote VPN clients can access the Internet you have two options. The first (and most common) way is to enable ‘Split Tunneling’ this lets the user access the Internet form their LOCAL Internet connection.

Or you can provide Internet connection via the ASA’s public Internet connection, this is known as a ‘Tunnel All’ solution.

Details: https://www.petenetlive.com/KB/Article/0000977

Cisco ASA5506-X

Basic Setup:

Basic Cisco ASA 5506-x Configuration Example

Cisco Documentation:
https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5506X/5506x-quick-start.html

Active/Standby Failover Configuration:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.html

ssh configuration
Enable SSH access for admin

There are three steps to enable SSH access:

Create a hostname for your ASA
Generate a RSA key
Configure SSH access to the ASA, and only allow from known IP/networks.
Configuration example:

ASA1(config)# hostname ASA1
ASA1(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named .
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
! The IP subnets from where you trust to manage the ASA

ssh 12.2.1.0 255.255.255.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 30
ssh version 2
aaa authentication ssh console LOCAL

Create user to login ASA remotely

#username cisco password cisco123 privilege 15

Then to assign local authentication to ASDM and SSH you enter the command in case sensitive:

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

NAT/PAT Examples
https://www.networkworld.com/article/2162844/tech-primers/how-to-configure-static-nat-on-a-cisco-asa-security-appliance.html

Open a range of ports
https://community.cisco.com/t5/firewalls/pat-multiple-ports-to-outside-interface-ip/td-p/3043388

Show DHCP IP Leasing
#show dhcpd binding

Clear IP Leasing
#clear dhcpd binding...

ASA 5506 VPN

Trouble Shooting ASA

debug crypto isakmp
debug crypto ipsec

Check current VPN Settings
#show run crypto map
#show run tunnel
#show run object network
#show crypto isakmp sa
#show crypto ipsec sa
#show access-list
#show run access-list

Run Debugging
check the setting:
(config)#show log

Turn on:
(config)logging on (no loggin on to disable)

Sending Debug Output to the Screen:
logging monitor debugging
terminal monitor (disable: 'terminal no monitor', NOT ‘no terminal monitor’)

sh crypto debug-condition:
Crypto conditional debug is turned ON
IKE debug context unmatched flag: OFF
IPSec debug context unmatched flag: OFF
IKE debug context error flag: OFF
IPSec debug context error flag: OFF
IKE peer IP address filters: 1.1.1.1/32

Cisco VPN on Windows 8.1/10 – Reason 442: Failed to enable Virtual Adapter
https://supertekboy.com/2013/10/19/cisco-vpn-on-windows-8-1-reason-442-failed-to-enable-virtual-adapter/


Finding IP using most of the bandwidth

https://yurisk.info/2008/12/06/finding-the-stationip-usingabusing-most-of-the-bandwidth-pixasa/

#show local-host

#show local-host 192.168.15.103

Show a summary of all:
#show local-host | incl host|count|embryonic

Block an IP connection
#shun 192.168.15.103

Show blocked IPs
#show shun

Unblock it
#no shun 192.168.15.103

Related to Scanning Attacks & Syn Attacks
#show run threat
Result:
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics

ASA Logging
https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html

Cisco ASA Devices