
Basic Cisco ASA initialization

In this guide, let's look at the default Cisco ASA configuration, then perform a basic zone configuration and verify ICMP connectivity.

 

First, let's see how to check whether the ASA is running in routed mode or transparent mode, and then whether it is running in single or multiple context mode. It is worth reading the default running configuration carefully before adding anything, because several of the factory defaults shown below (for example the SSH key-exchange group and the SSL/TLS version and cipher settings) are weaker than current practice and should be revisited once the basic zones are up.

ciscoasa# show firewall
Firewall mode: Router
ciscoasa# 
ciscoasa# show mode
Security context mode: single 
ciscoasa#show running-config 
: Saved
: 
: Serial Number: JMX1416L12G
: Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)11 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:00000000000000000000000000000000
: end
ciscoasa# show running-config all
: Saved
: 
: Serial Number: JMX1416L12G
: Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)11 
!
command-alias exec h help
command-alias exec lo logout
command-alias exec p ping
command-alias exec s show
terminal width 80
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no asp load-balance per-packet
no asp rule-engine transactional-commit access-group
no asp rule-engine transactional-commit nat
no fips enable
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
names
lacp system-priority 32768
!
interface GigabitEthernet0/0
 speed auto
 duplex auto
no  flowcontrol send on
 shutdown
 no nameif
 no security-level
 no ip address
 delay 1
!
interface GigabitEthernet0/1
 speed auto
 duplex auto
no  flowcontrol send on
 shutdown
 no nameif
 no security-level
 no ip address
 delay 1
!
interface GigabitEthernet0/2
 speed auto
 duplex auto
no  flowcontrol send on
 shutdown
 no nameif
 no security-level
 no ip address
 delay 1
!
interface GigabitEthernet0/3
 speed auto
 duplex auto
no  flowcontrol send on
 shutdown
 no nameif
 no security-level
 no ip address
 delay 1
!
interface Management0/0
 speed auto
 duplex auto
 shutdown
 no nameif
 no security-level
 no ip address
 delay 10
!
regex _default_gator "Gator"
regex _default_firethru-tunnel_2 "[/\\]cgi[-]bin[/\\]proxy"
regex _default_shoutcast-tunneling-protocol "1"
regex _default_http-tunnel "[/\\]HT_PortLog.aspx"
regex _default_x-kazaa-network "[\r\n\t ]+[xX]-[kK][aA][zZ][aA][aA]-[nN][eE][tT][wW][oO][rR][kK]"
regex _default_msn-messenger "[Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn][/\\][Xx][-][Mm][Ss][Nn][-][Mm][Ee][Ss][Ss][Ee][Nn][Gg][Ee][Rr]"
regex _default_GoToMyPC-tunnel_2 "[/\\]erc[/\\]Poll"
regex _default_gnu-http-tunnel_uri "[/\\]index[.]html"
regex _default_aim-messenger "[Hh][Tt][Tt][Pp][.][Pp][Rr][Oo][Xx][Yy][.][Ii][Cc][Qq][.][Cc][Oo][Mm]"
regex _default_gnu-http-tunnel_arg "crap"
regex _default_icy-metadata "[\r\n\t ]+[iI][cC][yY]-[mM][eE][tT][aA][dD][aA][tT][aA]"
regex _default_GoToMyPC-tunnel "machinekey"
regex _default_windows-media-player-tunnel "NSPlayer"
regex _default_yahoo-messenger "YMSG"
regex _default_httport-tunnel "photo[.]exectech[-]va[.]com"
regex _default_firethru-tunnel_1 "firethru[.]com"
checkheaps check-interval 60
checkheaps validate-checksum 60
ftp mode passive
clock timezone UTC 0
object service ah pre-defined
 service ah 
 description This is a pre-defined object
object service eigrp pre-defined
 service eigrp 
 description This is a pre-defined object
object service esp pre-defined
 service esp 
 description This is a pre-defined object
object service gre pre-defined
 service gre 
 description This is a pre-defined object
object service icmp pre-defined
 service icmp 
 description This is a pre-defined object
object service icmp6 pre-defined
 service icmp6 
 description This is a pre-defined object
object service igmp pre-defined
 service igmp 
 description This is a pre-defined object
object service igrp pre-defined
 service igrp 
 description This is a pre-defined object
object service ip pre-defined
 service ip 
 description This is a pre-defined object
object service ipinip pre-defined
 service ipinip 
 description This is a pre-defined object
object service ipsec pre-defined
 service esp 
 description This is a pre-defined object
object service nos pre-defined
 service nos 
 description This is a pre-defined object
object service ospf pre-defined
 service ospf 
 description This is a pre-defined object
object service pcp pre-defined
 service pcp 
 description This is a pre-defined object
object service pim pre-defined
 service pim 
 description This is a pre-defined object
object service pptp pre-defined
 service gre 
 description This is a pre-defined object
object service snp pre-defined
 service snp 
 description This is a pre-defined object
object service tcp pre-defined
 service tcp 
 description This is a pre-defined object
object service udp pre-defined
 service udp 
 description This is a pre-defined object
object service tcp-aol pre-defined
 service tcp destination eq aol 
 description This is a pre-defined object
object service tcp-bgp pre-defined
 service tcp destination eq bgp 
 description This is a pre-defined object
object service tcp-chargen pre-defined
 service tcp destination eq chargen 
 description This is a pre-defined object
object service tcp-cifs pre-defined
 service tcp destination eq cifs 
 description This is a pre-defined object
object service tcp-citrix-ica pre-defined
 service tcp destination eq citrix-ica 
 description This is a pre-defined object
object service tcp-ctiqbe pre-defined
 service tcp destination eq ctiqbe 
 description This is a pre-defined object
object service tcp-daytime pre-defined
 service tcp destination eq daytime 
 description This is a pre-defined object
object service tcp-discard pre-defined
 service tcp destination eq discard 
 description This is a pre-defined object
object service tcp-domain pre-defined
 service tcp destination eq domain 
 description This is a pre-defined object
object service tcp-echo pre-defined
 service tcp destination eq echo 
 description This is a pre-defined object
object service tcp-exec pre-defined
 service tcp destination eq exec 
 description This is a pre-defined object
object service tcp-finger pre-defined
 service tcp destination eq finger 
 description This is a pre-defined object
object service tcp-ftp pre-defined
 service tcp destination eq ftp 
 description This is a pre-defined object
object service tcp-ftp-data pre-defined
 service tcp destination eq ftp-data 
 description This is a pre-defined object
object service tcp-gopher pre-defined
 service tcp destination eq gopher 
 description This is a pre-defined object
object service tcp-ident pre-defined
 service tcp destination eq ident 
 description This is a pre-defined object
object service tcp-imap4 pre-defined
 service tcp destination eq imap4 
 description This is a pre-defined object
object service tcp-irc pre-defined
 service tcp destination eq irc 
 description This is a pre-defined object
object service tcp-hostname pre-defined
 service tcp destination eq hostname 
 description This is a pre-defined object
object service tcp-kerberos pre-defined
 service tcp destination eq kerberos 
 description This is a pre-defined object
object service tcp-klogin pre-defined
 service tcp destination eq klogin 
 description This is a pre-defined object
object service tcp-kshell pre-defined
 service tcp destination eq kshell 
 description This is a pre-defined object
object service tcp-ldap pre-defined
 service tcp destination eq ldap 
 description This is a pre-defined object
object service tcp-ldaps pre-defined
 service tcp destination eq ldaps 
 description This is a pre-defined object
object service tcp-login pre-defined
 service tcp destination eq login 
 description This is a pre-defined object
object service tcp-lotusnotes pre-defined
 service tcp destination eq lotusnotes 
 description This is a pre-defined object
object service tcp-nfs pre-defined
 service tcp destination eq nfs 
 description This is a pre-defined object
object service tcp-netbios-ssn pre-defined
 service tcp destination eq netbios-ssn 
 description This is a pre-defined object
object service tcp-whois pre-defined
 service tcp destination eq whois 
 description This is a pre-defined object
object service tcp-nntp pre-defined
 service tcp destination eq nntp 
 description This is a pre-defined object
object service tcp-pcanywhere-data pre-defined
 service tcp destination eq pcanywhere-data 
 description This is a pre-defined object
object service tcp-pim-auto-rp pre-defined
 service tcp destination eq pim-auto-rp 
 description This is a pre-defined object
object service tcp-pop2 pre-defined
 service tcp destination eq pop2 
 description This is a pre-defined object
object service tcp-pop3 pre-defined
 service tcp destination eq pop3 
 description This is a pre-defined object
object service tcp-pptp pre-defined
 service tcp destination eq pptp 
 description This is a pre-defined object
object service tcp-lpd pre-defined
 service tcp destination eq lpd 
 description This is a pre-defined object
object service tcp-rsh pre-defined
 service tcp destination eq rsh 
 description This is a pre-defined object
object service tcp-rtsp pre-defined
 service tcp destination eq rtsp 
 description This is a pre-defined object
object service tcp-sip pre-defined
 service tcp destination eq sip 
 description This is a pre-defined object
object service tcp-smtp pre-defined
 service tcp destination eq smtp 
 description This is a pre-defined object
object service tcp-ssh pre-defined
 service tcp destination eq ssh 
 description This is a pre-defined object
object service tcp-sunrpc pre-defined
 service tcp destination eq sunrpc 
 description This is a pre-defined object
object service tcp-tacacs pre-defined
 service tcp destination eq tacacs 
 description This is a pre-defined object
object service tcp-talk pre-defined
 service tcp destination eq talk 
 description This is a pre-defined object
object service tcp-telnet pre-defined
 service tcp destination eq telnet 
 description This is a pre-defined object
object service tcp-uucp pre-defined
 service tcp destination eq uucp 
 description This is a pre-defined object
object service tcp-www pre-defined
 service tcp destination eq www 
 description This is a pre-defined object
object service tcp-http pre-defined
 service tcp destination eq www 
 description This is a pre-defined object
object service tcp-https pre-defined
 service tcp destination eq https 
 description This is a pre-defined object
object service tcp-cmd pre-defined
 service tcp destination eq rsh 
 description This is a pre-defined object
object service tcp-sqlnet pre-defined
 service tcp destination eq sqlnet 
 description This is a pre-defined object
object service tcp-h323 pre-defined
 service tcp destination eq h323 
 description This is a pre-defined object
object service tcp-udp-cifs pre-defined
 service tcp-udp destination eq cifs 
 description This is a pre-defined object
object service tcp-udp-discard pre-defined
 service tcp-udp destination eq discard 
 description This is a pre-defined object
object service tcp-udp-domain pre-defined
 service tcp-udp destination eq domain 
 description This is a pre-defined object
object service tcp-udp-echo pre-defined
 service tcp-udp destination eq echo 
 description This is a pre-defined object
object service tcp-udp-kerberos pre-defined
 service tcp-udp destination eq kerberos 
 description This is a pre-defined object
object service tcp-udp-nfs pre-defined
 service tcp-udp destination eq nfs 
 description This is a pre-defined object
object service tcp-udp-pim-auto-rp pre-defined
 service tcp-udp destination eq pim-auto-rp 
 description This is a pre-defined object
object service tcp-udp-sip pre-defined
 service tcp-udp destination eq sip 
 description This is a pre-defined object
object service tcp-udp-sunrpc pre-defined
 service tcp-udp destination eq sunrpc 
 description This is a pre-defined object
object service tcp-udp-tacacs pre-defined
 service tcp-udp destination eq tacacs 
 description This is a pre-defined object
object service tcp-udp-www pre-defined
 service tcp-udp destination eq www 
 description This is a pre-defined object
object service tcp-udp-http pre-defined
 service tcp-udp destination eq www 
 description This is a pre-defined object
object service tcp-udp-talk pre-defined
 service tcp-udp destination eq talk 
 description This is a pre-defined object
object service udp-biff pre-defined
 service udp destination eq biff 
 description This is a pre-defined object
object service udp-bootpc pre-defined
 service udp destination eq bootpc 
 description This is a pre-defined object
object service udp-bootps pre-defined
 service udp destination eq bootps 
 description This is a pre-defined object
object service udp-cifs pre-defined
 service udp destination eq cifs 
 description This is a pre-defined object
object service udp-discard pre-defined
 service udp destination eq discard 
 description This is a pre-defined object
object service udp-domain pre-defined
 service udp destination eq domain 
 description This is a pre-defined object
object service udp-dnsix pre-defined
 service udp destination eq dnsix 
 description This is a pre-defined object
object service udp-echo pre-defined
 service udp destination eq echo 
 description This is a pre-defined object
object service udp-www pre-defined
 service udp destination eq www 
 description This is a pre-defined object
object service udp-http pre-defined
 service udp destination eq www 
 description This is a pre-defined object
object service udp-nameserver pre-defined
 service udp destination eq nameserver 
 description This is a pre-defined object
object service udp-kerberos pre-defined
 service udp destination eq kerberos 
 description This is a pre-defined object
object service udp-mobile-ip pre-defined
 service udp destination eq mobile-ip 
 description This is a pre-defined object
object service udp-nfs pre-defined
 service udp destination eq nfs 
 description This is a pre-defined object
object service udp-netbios-ns pre-defined
 service udp destination eq netbios-ns 
 description This is a pre-defined object
object service udp-netbios-dgm pre-defined
 service udp destination eq netbios-dgm 
 description This is a pre-defined object
object service udp-ntp pre-defined
 service udp destination eq ntp 
 description This is a pre-defined object
object service udp-pcanywhere-status pre-defined
 service udp destination eq pcanywhere-status 
 description This is a pre-defined object
object service udp-pim-auto-rp pre-defined
 service udp destination eq pim-auto-rp 
 description This is a pre-defined object
object service udp-radius pre-defined
 service udp destination eq radius 
 description This is a pre-defined object
object service udp-radius-acct pre-defined
 service udp destination eq radius-acct 
 description This is a pre-defined object
object service udp-rip pre-defined
 service udp destination eq rip 
 description This is a pre-defined object
object service udp-secureid-udp pre-defined
 service udp destination eq secureid-udp 
 description This is a pre-defined object
object service udp-sip pre-defined
 service udp destination eq sip 
 description This is a pre-defined object
object service udp-snmp pre-defined
 service udp destination eq snmp 
 description This is a pre-defined object
object service udp-snmptrap pre-defined
 service udp destination eq snmptrap 
 description This is a pre-defined object
object service udp-sunrpc pre-defined
 service udp destination eq sunrpc 
 description This is a pre-defined object
object service udp-syslog pre-defined
 service udp destination eq syslog 
 description This is a pre-defined object
object service udp-tacacs pre-defined
 service udp destination eq tacacs 
 description This is a pre-defined object
object service udp-talk pre-defined
 service udp destination eq talk 
 description This is a pre-defined object
object service udp-tftp pre-defined
 service udp destination eq tftp 
 description This is a pre-defined object
object service udp-time pre-defined
 service udp destination eq time 
 description This is a pre-defined object
object service udp-who pre-defined
 service udp destination eq who 
 description This is a pre-defined object
object service udp-xdmcp pre-defined
 service udp destination eq xdmcp 
 description This is a pre-defined object
object service udp-isakmp pre-defined
 service udp destination eq isakmp 
 description This is a pre-defined object
object service icmp6-unreachable pre-defined
 service icmp6 unreachable
 description This is a pre-defined object
object service icmp6-packet-too-big pre-defined
 service icmp6 packet-too-big
 description This is a pre-defined object
object service icmp6-time-exceeded pre-defined
 service icmp6 time-exceeded
 description This is a pre-defined object
object service icmp6-parameter-problem pre-defined
 service icmp6 parameter-problem
 description This is a pre-defined object
object service icmp6-echo pre-defined
 service icmp6 echo
 description This is a pre-defined object
object service icmp6-echo-reply pre-defined
 service icmp6 echo-reply
 description This is a pre-defined object
object service icmp6-membership-query pre-defined
 service icmp6 membership-query
 description This is a pre-defined object
object service icmp6-membership-report pre-defined
 service icmp6 membership-report
 description This is a pre-defined object
object service icmp6-membership-reduction pre-defined
 service icmp6 membership-reduction
 description This is a pre-defined object
object service icmp6-router-renumbering pre-defined
 service icmp6 router-renumbering
 description This is a pre-defined object
object service icmp6-router-solicitation pre-defined
 service icmp6 router-solicitation
 description This is a pre-defined object
object service icmp6-router-advertisement pre-defined
 service icmp6 router-advertisement
 description This is a pre-defined object
object service icmp6-neighbor-solicitation pre-defined
 service icmp6 neighbor-solicitation
 description This is a pre-defined object
object service icmp6-neighbor-advertisement pre-defined
 service icmp6 neighbor-advertisement
 description This is a pre-defined object
object service icmp6-neighbor-redirect pre-defined
 service icmp6 neighbor-redirect
 description This is a pre-defined object
object service icmp-echo pre-defined
 service icmp echo
 description This is a pre-defined object
object service icmp-echo-reply pre-defined
 service icmp echo-reply
 description This is a pre-defined object
object service icmp-unreachable pre-defined
 service icmp unreachable
 description This is a pre-defined object
object service icmp-source-quench pre-defined
 service icmp source-quench
 description This is a pre-defined object
object service icmp-redirect pre-defined
 service icmp redirect
 description This is a pre-defined object
object service icmp-alternate-address pre-defined
 service icmp alternate-address
 description This is a pre-defined object
object service icmp-router-advertisement pre-defined
 service icmp router-advertisement
 description This is a pre-defined object
object service icmp-router-solicitation pre-defined
 service icmp router-solicitation
 description This is a pre-defined object
object service icmp-time-exceeded pre-defined
 service icmp time-exceeded
 description This is a pre-defined object
object service icmp-parameter-problem pre-defined
 service icmp parameter-problem
 description This is a pre-defined object
object service icmp-timestamp-request pre-defined
 service icmp timestamp-request
 description This is a pre-defined object
object service icmp-timestamp-reply pre-defined
 service icmp timestamp-reply
 description This is a pre-defined object
object service icmp-information-request pre-defined
 service icmp information-request
 description This is a pre-defined object
object service icmp-information-reply pre-defined
 service icmp information-reply
 description This is a pre-defined object
object service icmp-mask-request pre-defined
 service icmp mask-request
 description This is a pre-defined object
object service icmp-mask-reply pre-defined
 service icmp mask-reply
 description This is a pre-defined object
object service icmp-traceroute pre-defined
 service icmp traceroute
 description This is a pre-defined object
object service icmp-conversion-error pre-defined
 service icmp conversion-error
 description This is a pre-defined object
object service icmp-mobile-redirect pre-defined
 service icmp mobile-redirect
 description This is a pre-defined object
pager lines 24
logging hide username
logging buffer-size 4096
logging asdm-buffer-size 100
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024
logging rate-limit 1 10 message 747001
logging rate-limit 1 1 message 402116
logging rate-limit 1 10 message 620002
logging rate-limit 1 10 message 717015
logging rate-limit 1 10 message 717018
logging rate-limit 1 10 message 201013
logging rate-limit 1 10 message 201012
logging rate-limit 1 1 message 313009
logging rate-limit 100 1 message 750003
logging rate-limit 100 1 message 750002
logging rate-limit 100 1 message 750004
logging rate-limit 1 10 message 419003
logging rate-limit 1 10 message 405002
logging rate-limit 1 10 message 405003
logging rate-limit 1 10 message 421007
logging rate-limit 1 10 message 405001
logging rate-limit 1 10 message 421001
logging rate-limit 1 10 message 421002
logging rate-limit 1 10 message 337004
logging rate-limit 1 10 message 337005
logging rate-limit 1 10 message 337001
logging rate-limit 1 10 message 337002
logging rate-limit 1 60 message 199020
logging rate-limit 1 10 message 337003
logging rate-limit 2 5 message 199011
logging rate-limit 1 10 message 199010
logging rate-limit 1 10 message 337009
logging rate-limit 2 5 message 199012
logging rate-limit 1 10 message 710002
logging rate-limit 1 10 message 209003
logging rate-limit 1 10 message 209004
logging rate-limit 1 10 message 209005
logging rate-limit 1 10 message 431002
logging rate-limit 1 10 message 431001
logging rate-limit 1 1 message 447001
logging rate-limit 1 10 message 110003
logging rate-limit 1 10 message 110002
logging rate-limit 1 10 message 429007
logging rate-limit 1 10 message 216004
logging rate-limit 1 10 message 450001
flow-export template timeout-rate 30
flow-export active refresh-interval 1
no failover
failover lan unit secondary
failover polltime unit 1 holdtime 15
failover polltime interface 5 holdtime 25
failover interface-policy 1
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
ipv6 dhcprelay timeout 60
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 action continue
no cts server-group
no cts sxp enable
no cts sxp default password
no cts sxp default source-ip
cts sxp reconciliation period 120
cts sxp retry period 120
user-identity enable
user-identity domain LOCAL
user-identity default-domain LOCAL
user-identity action mac-address-mismatch remove-user-ip
user-identity inactive-user-timer minutes 60
user-identity poll-import-user-group-timer hours 8
user-identity ad-agent active-user-database full-download
user-identity ad-agent hello-timer seconds 30 retry-times 5
no user-identity user-not-found enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no snmp-server enable traps syslog
no snmp-server enable traps ipsec start stop
no snmp-server enable traps entity config-change fru-insert fru-remove fan-failure power-supply power-supply-presence cpu-temperature chassis-temperature power-supply-temperature chassis-fan-failure
no snmp-server enable traps memory-threshold
no snmp-server enable traps interface-threshold
no snmp-server enable traps remote-access session-threshold-exceeded
no snmp-server enable traps connection-limit-reached
no snmp-server enable traps cpu threshold rising
no snmp-server enable traps ikev2 start stop
no snmp-server enable traps nat packet-discard
snmp-server enable
snmp-server listen-port 161
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
service password-recovery
no crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 64
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
 revocation-check none
 crl cache-time 60
 crl enforcenextupdate
crypto isakmp identity auto 
crypto isakmp nat-traversal 20
crypto ikev2 cookie-challenge 50
crypto ikev2 limit max-in-negotiation-sa 100
no crypto ikev2 limit max-sa
crypto ikev2 redirect during-auth
crypto ikev1 limit max-in-negotiation-sa 20
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
ipv6-vpn-addr-assign aaa
ipv6-vpn-addr-assign local reuse-delay 0
no vpn-sessiondb max-other-vpn-limit
no vpn-sessiondb max-anyconnect-premium-or-essentials-limit
no remote-access threshold 
l2tp tunnel hello 60
!
tls-proxy maximum-session 300
!
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl server-version tlsv1
ssl client-version tlsv1-only
ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl certificate-authentication fca-timeout 2
webvpn
 memory-size percent 50
 port 443
 dtls port 443
 character-encoding none
 no http-proxy
 no https-proxy
 default-idle-timeout 1800
 portal-access-rule none
 no csd enable
 no anyconnect enable
 no tunnel-group-list enable
 no http-only-cookie
 no tunnel-group-preference group-url
 rewrite order 65535 enable resource-mask *
 no internal-password
 no onscreen-keyboard
 no default-language
 no smart-tunnel notification-icon
 no keepout
 cache
  disable
  max-object-size 1000
  min-object-size 0
  no cache-static-content enable
  lmfactor 20
  expiry-time 1
 no auto-signon
 no error-recovery disable
 no ssl-server-check
 no mus password
 mus host mus.cisco.com
 no hostscan data-limit
: # show import webvpn customization
: No customization objects are currently defined
: # show import webvpn url-list
: No bookmarks are currently defined
: # show import webvpn translation-table
: Translation Tables' Templates:
:   customization
:   url-list
: # show import webvpn mst-translation
: No MS translation tables defined
: # show import webvpn webcontent
: No custom webcontent is loaded
: # show import webvpn AnyConnect-customization
: No OEM resources defined
: # show import webvpn plug-in
:
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-idle-timeout alert-interval 1
 vpn-session-timeout none
 vpn-session-timeout alert-interval 1
 vpn-filter none
 ipv6-vpn-filter none
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 split-tunnel-all-dns disable
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 client-bypass-protocol disable
 gateway-fqdn none
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 msie-proxy pac-url none
 msie-proxy lockdown enable
 vlan none
 nac-settings none
 address-pools none
 ipv6-address-pools none
 smartcard-removal-disconnect enable
 scep-forwarding-url none
 client-firewall none
 client-access-rule none
 webvpn
  url-list none
  filter none
  homepage none
  html-content-filter none
  port-forward name Application Access
  port-forward disable 
  http-proxy disable
  sso-server none
  anyconnect ssl dtls enable
  anyconnect mtu 1406
  anyconnect firewall-rule client-interface private none
  anyconnect firewall-rule client-interface public none
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method none
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression none
  anyconnect dtls compression none
  anyconnect modules none
  anyconnect profiles none
  anyconnect ask none
  customization none
  keep-alive-ignore 4
  http-comp gzip
  download-max-size 2147483647
  upload-max-size 2147483647
  post-max-size 2147483647
  user-storage none
  storage-objects value cookies,credentials
  storage-key none
  hidden-shares none
  smart-tunnel disable
  activex-relay enable
  unix-auth-uid 65534
  unix-auth-gid 65534
  file-entry enable
  file-browsing enable
  url-entry enable
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  smart-tunnel auto-signon disable
  anyconnect ssl df-bit-ignore disable
  anyconnect routing-filtering-ignore disable
  smart-tunnel tunnel-policy tunnelall
  always-on-vpn profile-setting
password-policy minimum-length 3
password-policy minimum-changes 0
password-policy minimum-lowercase 0
password-policy minimum-uppercase 0
password-policy minimum-numeric 0
password-policy minimum-special 0
password-policy lifetime 0
no password-policy authenticate-enable
quota management-session 0
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
 no accounting-server-group
 default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
 no ikev1 pre-shared-key
 peer-id-validate req
 no chain
 no ikev1 trust-point
 isakmp keepalive threshold 10 retry 2
 no ikev2 remote-authentication
 no ikev2 local-authentication
tunnel-group DefaultRAGroup type remote-access
tunnel-group DefaultRAGroup general-attributes
 no address-pool
 no ipv6-address-pool
 authentication-server-group LOCAL
 secondary-authentication-server-group none
 no accounting-server-group
 default-group-policy DfltGrpPolicy
 no dhcp-server
 no strip-realm
 no nat-assigned-to-public-ip
 no scep-enrollment enable
 no password-management
 no override-account-disable
 no strip-group
 no authorization-required
 username-from-certificate CN OU
 secondary-username-from-certificate CN OU
 authentication-attr-from-server primary
 authenticated-session-username primary
tunnel-group DefaultRAGroup webvpn-attributes
 customization DfltCustomization
 authentication aaa
 no override-svc-download
 no radius-reject-message
 no proxy-auth sdi
 no pre-fill-username ssl-client
 no pre-fill-username clientless
 no secondary-pre-fill-username ssl-client
 no secondary-pre-fill-username clientless
 dns-group DefaultDNS
 no without-csd
tunnel-group DefaultRAGroup ipsec-attributes
 no ikev1 pre-shared-key
 peer-id-validate req
 no chain
 no ikev1 trust-point
 no ikev1 radius-sdi-xauth
 isakmp keepalive threshold 300 retry 2
 ikev1 user-authentication xauth
 no ikev2 remote-authentication
 no ikev2 local-authentication
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 no authentication ms-chap-v2
 no authentication eap-proxy
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
 no address-pool
 no ipv6-address-pool
 authentication-server-group LOCAL
 secondary-authentication-server-group none
 no accounting-server-group
 default-group-policy DfltGrpPolicy
 no dhcp-server
 no strip-realm
 no nat-assigned-to-public-ip
 no scep-enrollment enable
 no password-management
 no override-account-disable
 no strip-group
 no authorization-required
 username-from-certificate CN OU
 secondary-username-from-certificate CN OU
 authentication-attr-from-server primary
 authenticated-session-username primary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization DfltCustomization
 authentication aaa
 no override-svc-download
 no radius-reject-message
 no proxy-auth sdi
 no pre-fill-username ssl-client
 no pre-fill-username clientless
 no secondary-pre-fill-username ssl-client
 no secondary-pre-fill-username clientless
 dns-group DefaultDNS
 no without-csd
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 no ikev1 pre-shared-key
 peer-id-validate req
 no chain
 no ikev1 trust-point
 no ikev1 radius-sdi-xauth
 isakmp keepalive threshold 300 retry 2
 ikev1 user-authentication xauth
 no ikev2 remote-authentication
 no ikev2 local-authentication
tunnel-group DefaultWEBVPNGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 no authentication ms-chap-v2
 no authentication eap-proxy
!
class-map type inspect http match-all _default_gator
 match request header user-agent regex _default_gator
class-map type inspect http match-all _default_msn-messenger
 match response header content-type regex _default_msn-messenger
class-map type inspect http match-all _default_yahoo-messenger
 match request body regex _default_yahoo-messenger
class-map type inspect http match-all _default_windows-media-player-tunnel
 match request header user-agent regex _default_windows-media-player-tunnel
class-map type inspect http match-all _default_gnu-http-tunnel
 match request args regex _default_gnu-http-tunnel_arg
 match request uri regex _default_gnu-http-tunnel_uri
class-map type inspect http match-all _default_firethru-tunnel
 match request header host regex _default_firethru-tunnel_1
 match request uri regex _default_firethru-tunnel_2
class-map type inspect http match-all _default_aim-messenger
 match request header host regex _default_aim-messenger
class-map type inspect http match-all _default_http-tunnel
 match request uri regex _default_http-tunnel
class-map type inspect http match-all _default_kazaa
 match response header regex _default_x-kazaa-network count gt 0
class-map type inspect http match-all _default_shoutcast-tunneling-protocol
 match request header regex _default_icy-metadata regex _default_shoutcast-tunneling-protocol
class-map class-default
 match any
class-map inspection_default
 match default-inspection-traffic
class-map type inspect http match-all _default_GoToMyPC-tunnel
 match request args regex _default_GoToMyPC-tunnel
 match request uri regex _default_GoToMyPC-tunnel_2
class-map type inspect http match-all _default_httport-tunnel
 match request header host regex _default_httport-tunnel
!
!
policy-map type inspect rtsp _default_rtsp_map
 description Default RTSP policymap
 parameters
policy-map type inspect ipv6 _default_ipv6_map
 description Default IPV6 policy-map
 parameters
  verify-header type
  verify-header order
 match header routing-type range 2 255
  drop log
policy-map type inspect h323 _default_h323_map
 description Default H.323 policymap
 parameters
  no rtp-conformance
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no message-length maximum server
  dns-guard
  protocol-enforcement
  nat-rewrite
  no id-randomization
  no id-mismatch
  no tsig enforced
policy-map type inspect ip-options _default_ip_options_map
 description Default IP-OPTIONS policy-map
 parameters
  router-alert action allow
policy-map type inspect esmtp _default_esmtp_map
 description Default ESMTP policy-map
 parameters
  mask-banner
  no mail-relay
  no special-character
  allow-tls
 match cmd line length gt 512 
  drop-connection log
 match cmd RCPT count gt 100 
  drop-connection log
 match body line length gt 998 
  log
 match header line length gt 998 
  drop-connection log
 match sender-address length gt 320 
  drop-connection log
 match MIME filename length gt 255 
  drop-connection log
 match ehlo-reply-parameter others 
  mask
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 _default_h323_map 
  inspect h323 ras _default_h323_map 
  inspect ip-options _default_ip_options_map 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp _default_esmtp_map 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
 class class-default
policy-map type inspect sip _default_sip_map
 description Default SIP policymap
 parameters
  im
  no ip-address-privacy
  traffic-non-sip
  no rtp-conformance
policy-map type inspect dns _default_dns_map
 description Default DNS policy-map
 parameters
  no message-length maximum client
  no message-length maximum
  no message-length maximum server
  dns-guard
  protocol-enforcement
  nat-rewrite
  no id-randomization
  no id-mismatch
  no tsig enforced
policy-map type inspect ipsec-pass-thru _default_ipsec_passthru_map
 description Default IPSEC-PASS-THRU policy-map
 parameters
  esp per-client-max 0 timeout 0:10:00 
!
service-policy global_policy global
imap4s
 port 993
 no server
 outstanding 20
 name-separator :
 server-separator @
 authentication-server-group LOCAL
 no authorization-server-group
 no accounting-server-group
 default-group-policy DfltGrpPolicy
 no authentication
 no authorization-required
 authorization-dn-attributes CN OU
pop3s
 port 995
 no server
 outstanding 20
 name-separator :
 server-separator @
 authentication-server-group LOCAL
 no authorization-server-group
 no accounting-server-group
 default-group-policy DfltGrpPolicy
 no authentication
 no authorization-required
 authorization-dn-attributes CN OU
smtps
 port 988
 no server
 outstanding 20
 name-separator :
 server-separator @
 authentication-server-group LOCAL
 no authorization-server-group
 no accounting-server-group
 default-group-policy DfltGrpPolicy
 authentication aaa
 no authorization-required
 authorization-dn-attributes CN OU
prompt hostname context 
auto-update device-id hostname
auto-update poll-period 720 0 5
auto-update timeout 0
compression anyconnect-ssl http-comp
no coredump enable
call-home reporting anonymous prompt 3
call-home
 alert-group all
 alert-group-config environment
  threshold cpu 85-90
  threshold memory 85-90
 event-queue-size 10
 rate-limit 10
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination message-size-limit 3145728
  destination preferred-msg-format xml
  destination transport-method http
  subscribe-to-alert-group diagnostic severity informational
  subscribe-to-alert-group environment severity informational
  subscribe-to-alert-group inventory severity informational periodic monthly 18
  subscribe-to-alert-group configuration export minimum periodic monthly 18
  subscribe-to-alert-group telemetry severity informational periodic daily
no password encryption aes
Cryptochecksum:00000000000000000000000000000000
: end
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
!--- This is the default inspection policy ---!

service-policy global_policy global
!--- The default policy is applied globally ---!

Coming soon


Let’s examine the current interface configuration

ASA5520# show interface ip brief 
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  administratively down up  
GigabitEthernet0/1         unassigned      YES unset  administratively down up  
GigabitEthernet0/2         unassigned      YES unset  administratively down up  
GigabitEthernet0/3         unassigned      YES unset  administratively down down
Internal-Control0/0        127.0.1.1       YES unset  up                    up  
Internal-Data0/0           unassigned      YES unset  up                    up  
Management0/0              unassigned      YES unset  administratively down down

Now let’s configure the interfaces as per the above network diagram.

ASA5520(config)# interface GigabitEthernet0/0

ASA5520(config-if)# nameif inside

!--- Assign a name of "inside" to the interface. ---!

!--- For an inside interface, the default security level is 100. ---!

INFO: Security level for "inside" set to 100 by default.

ASA5520(config-if)# ip address 192.168.1.254 255.255.255.0

ASA5520(config-if)# no shutdown 

ASA5520(config-if)# exit



ASA5520(config)# interface GigabitEthernet0/1

ASA5520(config-if)# nameif dmz


!--- Assign a name of "dmz" to the interface. ---!

!--- The default security level for a dmz/outside interface is 0. ---!

INFO: Security level for "dmz" set to 0 by default.

ASA5520(config-if)# security-level ?

interface mode commands/options:
    Security level for the interface

ASA5520(config-if)# security-level 50

!--- Assign a security level of 50. ---!



ASA5520(config-if)# ip address 10.1.0.254 255.255.255.0

ASA5520(config-if)# no shutdown

ASA5520(config-if)# exit




ASA5520(config)# interface GigabitEthernet0/2

ASA5520(config-if)# nameif outside

!--- Assign a name of "outside" to the interface. ---!

INFO: Security level for "outside" set to 0 by default.

ASA5520(config-if)# security-level 0

ASA5520(config-if)# ip address 172.16.1.254 255.255.255.0

ASA5520(config-if)# no shut

ASA5520(config-if)# exit

Verification

Let’s verify our configuration.

ASA5520(config)# show interface ip brief 
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.168.1.254   YES manual up                    up  
GigabitEthernet0/1         10.1.0.254      YES manual up                    up  
GigabitEthernet0/2         172.16.1.254    YES manual up                    up  
GigabitEthernet0/3         unassigned      YES unset  administratively down down
Internal-Control0/0        127.0.1.1       YES unset  up                    up  
Internal-Data0/0           unassigned      YES unset  up                    up  
Management0/0              unassigned      YES unset  administratively down down


ASA5520(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    172.16.1.0 255.255.255.0 is directly connected, outside
C    10.1.0.0 255.255.255.0 is directly connected, dmz
C    192.168.1.0 255.255.255.0 is directly connected, inside

 

It’s time to test whether we can ping the end hosts from the Cisco ASA 5520.

ASA5520# ping 192.168.1.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

ASA5520# ping 10.1.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


ASA5520# ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

As seen from the output above, we can conclude that by default the Cisco ASA itself can ping hosts in each of its zones.

How to restrict ping

ASA5520# 

ASA5520# conf t

ASA5520(config)# icmp ?

configure mode commands/options:
  deny         Specify packets to reject
  permit       Specify packets to forward
  unreachable  Configure unreachable behavior

ASA5520(config)# icmp deny ?

configure mode commands/options:
  Hostname or A.B.C.D  Hostname or IP address of the host sending ICMP messages
                       to the interface
  any                  Any ip address and mask
  host                 Host implies that the address mask is 255.255.255.255


ASA5520(config)# icmp deny 172.16.1.1 ?

configure mode commands/options:
  A.B.C.D  Mask for the IP address


ASA5520(config)# icmp deny 172.16.1.0 255.255.255.0 ?

configure mode commands/options:
          Enter ICMP type number (0 - 255)
  echo           
  echo-reply     
  time-exceeded  
  unreachable    
Current available interface(s):
  dmz            Name of interface GigabitEthernet0/1
  inside         Name of interface GigabitEthernet0/0
  outside        Name of interface GigabitEthernet0/2


ASA5520(config)# icmp deny 172.16.1.0 255.255.255.0 outside 

!--- This reads: deny ICMP packets sourced from subnetwork 172.16.1.0/24 arriving on the outside interface. Note that the icmp command governs ICMP traffic to and from the ASA's own interfaces, not traffic passing through the firewall. ---!

Verifying Ping Restriction

ASA5520#show run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp deny 172.16.1.0 255.255.255.0 outside



ASA5520(config)# ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
?????

!--- Now the ping to 172.16.1.1 is unsuccessful. ---!

Let’s look at the Cisco ASA log to see what is happening.

ASA5520(config)# show logging 
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Hide Username logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 110 messages logged
    Trap logging: disabled
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
%ASA-5-111008: User 'enable_15' executed the 'logging buffer-size 100000' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'logging buffer-size 100000'
%ASA-5-111008: User 'enable_15' executed the 'ping 192.168.1.254' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'ping 192.168.1.254'
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-2-106007: Deny inbound UDP from 172.16.1.1/49214 to 10.1.0.1/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 172.16.1.1/49214 to 10.1.0.1/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 172.16.1.1/49214 to 10.1.0.1/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 172.16.1.1/49214 to 10.1.0.1/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 172.16.1.1/49214 to 10.1.0.1/53 due to DNS Query



%ASA-5-111008: User 'enable_15' executed the 'ping 10.1.0.254' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'ping 10.1.0.254'
%ASA-7-609001: Built local-host identity:10.1.0.254
%ASA-7-609001: Built local-host dmz:10.1.0.1
%ASA-6-302020: Built outbound ICMP connection for faddr 10.1.0.1/0 gaddr 10.1.0.254/53677 laddr 10.1.0.254/53677
%ASA-5-111008: User 'enable_15' executed the 'ping 10.1.0.1' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'ping 10.1.0.1'
%ASA-6-302021: Teardown ICMP connection for faddr 10.1.0.1/0 gaddr 10.1.0.254/53677 laddr 10.1.0.254/53677
%ASA-7-609002: Teardown local-host identity:10.1.0.254 duration 0:00:00
%ASA-7-609002: Teardown local-host dmz:10.1.0.1 duration 0:00:00
%ASA-2-106007: Deny inbound UDP from 172.16.1.1/65116 to 10.1.0.1/53 due to DNS Query
%ASA-5-111008: User 'enable_15' executed the 'ping 172.16.1.254' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'ping 172.16.1.254'
%ASA-2-106007: Deny inbound UDP from 172.16.1.1/65116 to 10.1.0.1/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 172.16.1.1/65116 to 10.1.0.1/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 172.16.1.1/65116 to 10.1.0.1/53 due to DNS Query
%ASA-7-609001: Built local-host identity:172.16.1.254
%ASA-7-609001: Built local-host outside:172.16.1.1
%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.1.1/0 gaddr 172.16.1.254/56233 laddr 172.16.1.254/56233
%ASA-3-313001: Denied ICMP type=0, code=0 from 172.16.1.1 on interface outside

!--- As configured, the ASA is denying ICMP packets from 172.16.1.1 on the outside interface; type=0 is the echo-reply, so the reply to our ping is dropped, which is why the ping above shows "?????". ---!

%ASA-6-302021: Teardown ICMP connection for faddr 172.16.1.1/0 gaddr 172.16.1.254/56233 laddr 172.16.1.254/56233
%ASA-7-609002: Teardown local-host identity:172.16.1.254 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:172.16.1.1 duration 0:00:00
%ASA-7-609001: Built local-host identity:172.16.1.254
%ASA-7-609001: Built local-host outside:172.16.1.1
%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.1.1/0 gaddr 172.16.1.254/56233 laddr 172.16.1.254/56233
%ASA-3-313001: Denied ICMP type=0, code=0 from 172.16.1.1 on interface outside
%ASA-6-302021: Teardown ICMP connection for faddr 172.16.1.1/0 gaddr 172.16.1.254/56233 laddr 172.16.1.254/56233
%ASA-7-609002: Teardown local-host identity:172.16.1.254 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:172.16.1.1 duration 0:00:00
%ASA-2-106007: Deny inbound UDP from 172.16.1.1/65116 to 10.1.0.1/53 due to DNS Query
%ASA-7-609001: Built local-host identity:172.16.1.254
%ASA-7-609001: Built local-host outside:172.16.1.1
%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.1.1/0 gaddr 172.16.1.254/56233 laddr 172.16.1.254/56233
%ASA-3-313001: Denied ICMP type=0, code=0 from 172.16.1.1 on interface outside
%ASA-6-302021: Teardown ICMP connection for faddr 172.16.1.1/0 gaddr 172.16.1.254/56233 laddr 172.16.1.254/56233
%ASA-7-609002: Teardown local-host identity:172.16.1.254 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:172.16.1.1 duration 0:00:00
%ASA-7-609001: Built local-host identity:172.16.1.254
%ASA-7-609001: Built local-host outside:172.16.1.1
%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.1.1/0 gaddr 172.16.1.254/56233 laddr 172.16.1.254/56233
%ASA-3-313001: Denied ICMP type=0, code=0 from 172.16.1.1 on interface outside
%ASA-6-302021: Teardown ICMP connection for faddr 172.16.1.1/0 gaddr 172.16.1.254/56233 laddr 172.16.1.254/56233
%ASA-7-609002: Teardown local-host identity:172.16.1.254 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:172.16.1.1 duration 0:00:00
%ASA-7-710005: UDP request discarded from 192.168.1.101/68 to inside:255.255.255.255/67
%ASA-7-609001: Built local-host identity:172.16.1.254
%ASA-7-609001: Built local-host outside:172.16.1.1

%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.1.1/0 gaddr 172.16.1.254/56233 laddr 172.16.1.254/56233
%ASA-3-313001: Denied ICMP type=0, code=0 from 172.16.1.1 on interface outside
%ASA-6-302021: Teardown ICMP connection for faddr 172.16.1.1/0 gaddr 172.16.1.254/56233 laddr 172.16.1.254/56233
%ASA-7-609002: Teardown local-host identity:172.16.1.254 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:172.16.1.1 duration 0:00:00
%ASA-5-111008: User 'enable_15' executed the 'ping 172.16.1.1' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'ping 172.16.1.1'
%ASA-7-609001: Built local-host identity:10.1.0.254
%ASA-7-609001: Built local-host dmz:10.1.0.1
%ASA-6-302020: Built outbound ICMP connection for faddr 10.1.0.1/0 gaddr 10.1.0.254/55503 laddr 10.1.0.254/55503
%ASA-5-111008: User 'enable_15' executed the 'ping 10.1.0.1' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'ping 10.1.0.1'
%ASA-6-302021: Teardown ICMP connection for faddr 10.1.0.1/0 gaddr 10.1.0.254/55503 laddr 10.1.0.254/55503
%ASA-7-609002: Teardown local-host identity:10.1.0.254 duration 0:00:00
%ASA-7-609002: Teardown local-host dmz:10.1.0.1 duration 0:00:00
%ASA-2-106007: Deny inbound UDP from 172.16.1.1/51501 to 10.1.0.1/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 172.16.1.1/51501 to 10.1.0.1/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 172.16.1.1/51501 to 10.1.0.1/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 172.16.1.1/51501 to 10.1.0.1/53 due to DNS Query
%ASA-5-111008: User 'enable_15' executed the 'no icmp deny 172.16.1.0 255.255.255.0 outside' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'no icmp deny 172.16.1.0 255.255.255.0 outside'
%ASA-2-106007: Deny inbound UDP from 172.16.1.1/51501 to 10.1.0.1/53 due to DNS Query
%ASA-7-609001: Built local-host identity:172.16.1.254
%ASA-7-609001: Built local-host outside:172.16.1.1

%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.1.1/0 gaddr 172.16.1.254/35173 laddr 172.16.1.254/35173
%ASA-5-111008: User 'enable_15' executed the 'ping 172.16.1.1' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'ping 172.16.1.1'
%ASA-6-302021: Teardown ICMP connection for faddr 172.16.1.1/0 gaddr 172.16.1.254/35173 laddr 172.16.1.254/35173
%ASA-7-609002: Teardown local-host identity:172.16.1.254 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:172.16.1.1 duration 0:00:00
