Tuesday, January 18, 2011

Hidden Secrets in the Cisco ASA

Think you know the ASA pretty well? Have you worked with it for years and honed your ASA skills to a razor-fine edge? Think you know all of the hidden secrets the ASA has to offer? I'll bet you answered yes to the first two but might have been reluctant to shout out a definitive yes to the last one. Why? Because the ASA is a complex system that includes hundreds and hundreds of features, making it nearly impossible to know all the tricks. In this blog post I'll talk about a few of the lesser-known features and commands that most ASA administrators will find useful.

SPAN/mirror port on the ASA 5505 - The ASA 5505 has an eight-port Ethernet switch built in, making it unique among the ASA product line. Like all Cisco switches, this one also supports SPAN (port mirroring), which copies traffic from one or more source ports to a destination switchport where you can capture and analyze it.

Command:
switchport monitor source_port [tx | rx | both]

Example:
Asa5505(config)# interface ethernet 0/4
Asa5505(config-if)# switchport monitor ethernet 0/0
Asa5505(config-if)# switchport monitor ethernet 0/1

Private VLANs on the ASA 5505 - Another useful switch feature found only on the ASA 5505 is private VLAN support. Ethernet ports that are designated as protected ports cannot talk to other ports that are designated as protected. Protected ports can only talk to ports that are NOT protected. So if you have two web servers and you configure their ports as protected, they will not be able to talk to each other. However, they will be able to talk to any non-protected port, such as your Internet uplink port. The isolation is enforced at Layer 2, so absolutely no traffic passes between protected ports.

Command:
switchport protected

Example:
Asa5505(config)#interface ethernet 0/3
Asa5505(config-if)#switchport protected

ASA SCP Server - Did you know your ASA can accept incoming SCP (secure copy) file transfer requests? Switching this on turns your ASA into a secure file server (SCP over SSH) so you can upload and download files to flash at your leisure. This makes code upgrades, retrieving log files, backing up configurations with scripts, etc. much easier. Most folks only know about the ASA's ability to fetch files itself using things like copy scp flash: from the CLI or via ASDM. Not many know that the ASA has a full-blown SCP server in it. Happy secure copying!

Command:
ssh scopy enable

Example:
asa5505(config)# ssh 192.168.120.0 255.255.255.0 inside
asa5505(config)# ssh version 2
asa5505(config)# ssh scopy enable
asa5505(config)# ssh timeout 60

Quick way to remove parts of your configuration via CLI - Ever find yourself repeatedly using the no form of commands to remove sections from your configuration? If so, here is a command you'll love: clear configure. It allows you to delete whole sections or subsections of your configuration in one step. In certain situations it can be a huge timesaver for the ASA admin.

Command:
clear configure configuration_command [level2_configuration_command]

Example:
Asa5505(config)# clear configure aaa authentication

Encrypt all passwords in your configuration file - A typical ASA configuration contains all sorts of passwords and pass phrases that are not normally encrypted. Some examples are OSPF authentication keys, the VPN load-balancing cluster key, AAA server keys, logging server credentials, etc. The master passphrase, added in ASA 8.3.1, lets you encrypt all of those passwords at once. Now you can feel a bit more comfortable storing your configuration files and sharing them with TAC and other consultants.

Command:
key config-key password-encryption [new_passphrase [old_passphrase]]

Example:
hostname(config)# key config-key password-encryption
Old key: cisco
New key: cisco123
Confirm key: cisco123
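Before sharing a configuration with TAC or a consultant it is worth confirming that nothing was left in cleartext. The following audit script is an added example, not code from the original post or from Cisco: it scans a running-config for the kinds of secrets the master passphrase covers (AAA server keys, OSPF MD5 keys, the VPN load-balancing cluster key, IPsec pre-shared keys, local passwords) and reports any that are still readable. The sample configuration is constructed, the secret values in it are made up, and the script assumes that secrets protected by the master passphrase show up as ***** in the running-config and that hashes tagged with the encrypted keyword are not cleartext.

```python
import re

# Constructed sample of an ASA running-config fragment (not output from a real
# device). Some secrets are still cleartext, some are masked (*****) the way the
# master passphrase presents them, and two are stored hashes marked "encrypted".
SAMPLE_CONFIG = """\
hostname asa5505
enable password 8Ry2YjIyt7RRXU24 encrypted
username admin password 4Xf9k.YeQ2aJbT1w encrypted privilege 15
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.120.10
 key cisco123
aaa-server TACACS (inside) host 192.168.120.11
 key *****
interface Vlan1
 ospf message-digest-key 1 md5 ospfsecret
vpn load-balancing
 cluster key lbsecret
tunnel-group 203.0.113.5 ipsec-attributes
 pre-shared-key *****
"""

# (label, regex) pairs; each regex captures the secret token as group "secret".
# Only secret-bearing commands named in the post are covered here.
SECRET_PATTERNS = [
    ("aaa-server key", re.compile(r"^\s*key\s+(?P<secret>\S+)")),
    ("ospf md5 key", re.compile(r"\bmessage-digest-key\s+\d+\s+md5\s+(?P<secret>\S+)")),
    ("vpn load-balancing cluster key", re.compile(r"^\s*cluster key\s+(?P<secret>\S+)")),
    ("ipsec pre-shared key", re.compile(r"\bpre-shared-key\s+(?P<secret>\S+)")),
    ("local password", re.compile(r"\bpassword\s+(?P<secret>\S+)")),
]

MASKED = "*****"  # assumption: how the ASA displays a passphrase-protected secret


def is_protected(secret: str, line: str) -> bool:
    """True when the secret is masked by the master passphrase or is a stored
    hash (the line carries the 'encrypted' keyword)."""
    return secret == MASKED or re.search(r"\bencrypted\b", line) is not None


def find_cleartext_secrets(config_text: str):
    """Return (line_number, label, stripped_line) for every secret still in
    cleartext. Each line is classified by the first matching pattern only."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match is None:
                continue
            if not is_protected(match.group("secret"), line):
                findings.append((lineno, label, line.strip()))
            break
    return findings


def report(config_text: str) -> str:
    """Human-readable summary suitable for a pre-share checklist."""
    findings = find_cleartext_secrets(config_text)
    if not findings:
        return "OK: no cleartext secrets found"
    lines = [f"{len(findings)} cleartext secret(s) found:"]
    for lineno, label, text in findings:
        # Print the command, not the secret itself, to keep the report shareable.
        lines.append(f"  line {lineno}: {label} ({text.split()[0]} ...)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Run it against the output of show running-config saved to a file; a clean result after setting the master passphrase is what you want to see before the file leaves your hands. The pattern list is deliberately narrow, so extend it for any other secret-bearing commands in your own configurations.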

Those are some of the secret ASA features that might help you better administer your ASAs. Please share any secrets you have.
