Domain and DNS
ASA1(config)# hostname asa1
asa1(config)# domain-name java.local
asa1(config)# show running-config dns
dns domain-lookup dmz   //DNS resolution goes out through the DMZ interface
dns server-group DefaultDNS
 name-server 192.168.15.200   //these two lines can also be entered directly in global configuration mode
 domain-name java.local
Time
ASA1(config)# clock timezone gmt +8   //set the time zone; +8 is UTC+8 (the East 8 zone)
ASA1(config)# clock set 10:26:00 jun 10 2016   //set the time
ASA1(config)# show clock
10:27:05.239 GMT FRI JUN 10 2016
NTP sync (client)
ASA1(config)# show running-config ntp
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 192.168.12.100 key 1 source dmz
ASA file system
ASA1(config)# dir /all   //on the virtual machine only the ASDM image is visible
disk0:/asa842-k8.bin   //system image, selected with boot system (optional)
disk0:/ASDM-731.BIN   //ASDM image
disk0:/boot.cfg   //configuration file to boot from; running-config and startup-config are not listed
ASA1(config)# boot system disk0:/asa842-k8.bin
asa1(config)# asdm image disk0:/ASDM-731.BIN
ASA1(config)# copy running-config disk0:/boot.cfg   //save the running config to the specified file
ASA1(config)# boot config disk0:/boot.cfg   //specify the configuration file to load at startup
Log system
Logs can be sent to: console; ASDM; monitor (terminal sessions); buffer; syslog; SNMP trap; email; NetFlow
Log format and message level:
[Image: log message format (1616.png)]
[Image: log message levels (level.png)]
Logging is off by default.
ASA1(config)# logging enable
ASA1(config)# logging console 7   //level 7 (all messages) is sent to the console port; prefix with no to cancel
ASA1(config)# logging buffered 7   //log to the internal buffer
ASA1(config)# logging asdm informational   //send level 6 logs to ASDM
ASA1(config)# show running-config logging
logging enable
logging trap debugging   //send messages up to the specified level to the syslog server
logging list locketest level informational class ospf   //define a customizable list, here for OSPF
logging trap locketest   //send the locketest list
logging message 503001 level alerts   //change the level of message 503001 to 1 (alerts)
no logging message 503001   //disable message 503001
logging host dmz 192.168.12.1   //specify the interface and the IP address of the syslog server
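As an added worked example (not code from the original post), the following Python parses the ASA syslog tag `%ASA-<level>-<id>:` and applies the three logging decisions shown above: the `logging trap <level>` threshold, a per-message level override (`logging message 503001 level alerts`) and suppression (`no logging message <id>`). The sample lines are constructed; the message IDs are real ASA IDs but their text is illustrative, and the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# ASA severity levels 0-7 with the names the CLI uses for them.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
LEVEL_BY_NAME = {name: num for num, name in SEVERITY.items()}

# Every ASA syslog message carries the tag "%ASA-<level>-<message id>: <text>".
MSG_RE = re.compile(r"%ASA-(?P<level>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$")


@dataclass
class AsaMessage:
    level: int
    msg_id: str
    text: str


def parse_message(line: str) -> Optional[AsaMessage]:
    """Return level, message ID and text of an ASA syslog line, or None if it is not one."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return AsaMessage(int(m.group("level")), m.group("id"), m.group("text"))


class LoggingPolicy:
    """Models 'logging trap <level>', 'logging message <id> level <level>' and
    'no logging message <id>' for the syslog destination (hypothetical helper)."""

    def __init__(self, trap_level: str = "debugging") -> None:
        self.trap_level = LEVEL_BY_NAME[trap_level]
        self.level_overrides: Dict[str, int] = {}   # logging message <id> level <level>
        self.disabled: Set[str] = set()             # no logging message <id>

    def set_message_level(self, msg_id: str, level_name: str) -> None:
        self.level_overrides[msg_id] = LEVEL_BY_NAME[level_name]

    def disable_message(self, msg_id: str) -> None:
        self.disabled.add(msg_id)

    def effective_level(self, msg: AsaMessage) -> int:
        return self.level_overrides.get(msg.msg_id, msg.level)

    def should_send(self, msg: AsaMessage) -> bool:
        if msg.msg_id in self.disabled:
            return False
        # Lower number = more severe; the trap level is the least severe level still sent.
        return self.effective_level(msg) <= self.trap_level


def filter_lines(lines: List[str], policy: LoggingPolicy) -> List[Tuple[str, str]]:
    """Return (message id, effective severity name) for each line the policy forwards."""
    sent = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and policy.should_send(msg):
            sent.append((msg.msg_id, SEVERITY[policy.effective_level(msg)]))
    return sent


# Constructed sample lines; the message IDs are real ASA IDs, the details are illustrative.
SAMPLE_LINES = [
    "Jun 10 2016 10:30:01 ASA1 : %ASA-6-302013: Built inbound TCP connection 12 for "
    "dmz:192.168.12.100/51122 (192.168.12.100/51122) to inside:192.168.17.10/22 (192.168.17.10/22)",
    "Jun 10 2016 10:30:02 ASA1 : %ASA-4-106023: Deny tcp src dmz:192.168.12.100/51123 "
    "dst inside:192.168.17.10/23 by access-group \"dmz_in\"",
    "Jun 10 2016 10:30:03 ASA1 : %ASA-5-503001: Process 1, Nbr 192.168.12.2 on dmz from FULL "
    "to DOWN, Neighbor Down: Dead timer expired",
    "Jun 10 2016 10:30:04 ASA1 : %ASA-7-710005: UDP request discarded from 192.168.12.50/137 "
    "to dmz:192.168.12.255/137",
    "Jun 10 2016 10:30:05 ASA1 : not an ASA message line",
]


def demo_trap_warnings() -> List[Tuple[str, str]]:
    """'logging trap warnings': only levels 0-4 reach the syslog host."""
    return filter_lines(SAMPLE_LINES, LoggingPolicy("warnings"))


def demo_section_policy() -> List[Tuple[str, str]]:
    """'logging trap debugging', 'logging message 503001 level alerts', 'no logging message 710005'."""
    policy = LoggingPolicy("debugging")
    policy.set_message_level("503001", "alerts")
    policy.disable_message("710005")
    return filter_lines(SAMPLE_LINES, policy)


if __name__ == "__main__":
    print(demo_trap_warnings())
    print(demo_section_policy())
```

The point to take from it: the trap level is a threshold on the numeric severity (lower is more severe), so raising an OSPF neighbour-down message from level 5 to level 1 is what keeps it visible when the trap level is later tightened to warnings, and `no logging message` silences an ID regardless of its level.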
Troubleshooting tool Packet Tracer
Packet Tracer simulates a packet traversing the ASA data path and traces the entire processing of that packet by the ASA.
ASA1(config)# packet-tracer input dmz icmp 192.168.12.100 8 0 192.168.12.139

Phase: 1   //route lookup
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.12.139 255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4   //checks the IP Options field; by default the firewall does not allow IP packets carrying options
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 33, packet dispatched to next module

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow
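Reading a long trace by eye is error-prone, so here is an added example (my own code, not from the original post) that parses packet-tracer output into one record per phase and reports the final action together with the first phase that returned DROP and the configuration lines that phase printed. The two traces are constructed and abbreviated; the second one shows the failure mode, an ACL deny, so the parser is exercised on a drop as well as on an allow. Function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$", re.IGNORECASE)
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$", re.IGNORECASE)
SUMMARY_RE = re.compile(r"^([\w-]+):\s*(.*)$")


def parse_packet_tracer(output: str) -> Tuple[List[dict], Dict[str, str]]:
    """Split packet-tracer output into one record per phase plus the final summary."""
    phases: List[dict] = []
    summary: Dict[str, str] = {}
    current: Optional[dict] = None
    section: Optional[str] = None   # multi-line field currently being collected
    in_summary = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_summary:                      # "input-interface: dmz", "Action: drop", ...
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group(1).lower()] = m.group(2)
            continue
        if line.lower() == "result:":       # a bare "Result:" opens the final summary
            in_summary = True
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.group(1).lower(), m.group(2)
            if key in ("config", "additional information"):
                section = "config" if key == "config" else "info"
                if value:
                    current[section].append(value)
            else:
                current[key] = value
                section = None
            continue
        if current is not None and section is not None:
            current[section].append(line)   # continuation of Config / Additional Information
    return phases, summary


def verdict(output: str) -> Dict[str, Optional[str]]:
    """Final action, plus the first phase that dropped the packet and the config behind it."""
    phases, summary = parse_packet_tracer(output)
    dropped = next((p for p in phases if p["result"].upper() == "DROP"), None)
    return {
        "action": summary.get("action", "").lower(),
        "drop_type": dropped["type"] if dropped else None,
        "drop_config": " | ".join(dropped["config"]) if dropped else None,
        "drop_reason": summary.get("drop-reason"),
    }


# Constructed, abbreviated traces (sample data, not taken from the page).
TRACE_ALLOW = """
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.12.139 255.255.255.255 identity

Result:
input-interface: dmz
output-interface: NP Identity Ifc
Action: allow
"""

TRACE_DROP = """
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.17.10 255.255.255.255 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group dmz_in in interface dmz
access-list dmz_in extended deny tcp any any eq telnet
Additional Information:

Result:
input-interface: dmz
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Run `verdict(TRACE_DROP)` and you get the ACL line that caused the drop, which is exactly the information you want when a user reports that something "does not go through the firewall".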
Packet capture
ASA1(config)# capture test interface dmz
ASA1(config)# no capture test interface dmz   //stop capturing
ASA1(config)# no capture test   //delete the capture
ASA1(config)# show capture test
23 packets captured
   1: 13:34:41.259263 192.168.12.139.514 > 192.168.12.1.514:  udp
   2: 13:34:41.259340 192.168.12.139.514 > 192.168.12.1.514:  udp 107
   ...
  23: 13:35:17.952999 192.168.12.139.514 > 192.168.12.1.514:  udp 94
23 packets shown
Configuring the Out of band management port
ASA1(config-if)# security-level 100   //the highest security level is recommended
ASA1(config-if)# management-only   //the interface carries management traffic only
Telnet management
Enable Telnet:
ASA1(config)# telnet 192.168.17.100 255.255.255.255 inside   //allow Telnet from the specified IP on the inside interface
ASA1(config)# telnet 0 0 dmz   //allow all Telnet connections from the DMZ interface
Note: Telnet is not allowed in on the interface with the lowest security level.
ASA1(config)# passwd cisco   //login requires a password
ASA1(config)# enable password 502
asa1(config)# username admin password cisco privilege 15   //local user authentication is also available
ASA1(config)# aaa authentication telnet console LOCAL   //Telnet login uses the local user database
SSH network management
ASA1(config)# show running-config dns   //first configure the hostname and DNS domain name
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 192.168.12.100
 domain-name java.local
ASA1(config)# crypto key generate rsa modulus 1024   //generate the RSA key used to encrypt the SSH session
ASA1(config)# ssh 192.168.17.100 255.255.255.255 inside   //allow access
ASA1(config)# aaa authentication ssh console LOCAL   //SSH uses AAA local authentication
ASA1(config)# ssh 0 0 dmz
Note: remote management cannot use Telnet; it must use SSH.
Create a local admin account
ASA1(config)# username admin attributes   //set the attributes of the account named admin
ASA1(config-username)# service-type ?   //set the service type (if not set, any type can be used)
username mode commands/options:
  admin          User is allowed access to the configuration prompt.   //allowed into config mode
  nas-prompt     User is allowed access to the exec prompt.   //low privilege, cannot enter config mode
  remote-access  User is allowed network access.   //remote access only
aaa authentication enable console LOCAL   //these two commands are needed for service-type to take effect
aaa authorization exec LOCAL
r3# ssh -l admin 192.168.12.100   //login
HTTPS network management
ASA1(config)# http server enable
ASA1(config)# http 192.168.12.0 255.255.255.0 dmz
ASA1(config)# aaa authentication http console LOCAL
ASA1(config)# username cisco password cisco privilege 15   //the privilege must be level 15 to use ASDM
ASDM: the ASA requires a server certificate (by default the ASA self-signed certificate, which usually produces a browser error).
Client authentication options: any password; AAA; one-time password; certificate authentication plus one-time password.
SNMP
v1/v2c/v3. SNMPv3 adds authentication and encryption: authentication uses MD5 or SHA, encryption uses DES or RSA.
ASA1(config)# snmp-server group group001 v3 priv   //create the group
ASA1(config)# snmp-server user admin group001 v3 auth md5 cisco priv des cisco   //user admin belongs to group001, version v3, MD5 authentication password cisco, DES encryption password cisco
ASA1(config)# snmp-server host dmz 192.168.12.1 version 3 admin   //for v1/v2c, replace "version 3 admin" with a community string
ASA1(config)# snmp-server location beijing   //(optional)
ASA1(config)# snmp-server contact xiaoming
asa1(config)# snmp-server enable traps snmp ?   //enable selected SNMP traps
configure mode commands/options:
  authentication  Enable authentication trap
  coldstart       Enable coldstart trap
  linkdown        Enable linkDown trap
  linkup          Enable linkUp trap
  warmstart       Enable warmstart trap
  <cr>
Authentication Management Access
ASA1(config)# aaa-server aaaname protocol ?   //define the protocol and the server-group name
configure mode commands/options:
  http-form  Protocol HTTP Form-based
  kerberos   Protocol Kerberos
  ldap       Protocol LDAP
  radius     Protocol RADIUS
  sdi        Protocol SDI
  tacacs+    Protocol TACACS+
ASA1(config)# aaa-server aaaname (dmz) host 192.168.12.100 cisco   //define the server location and the key (cisco)
SSH with AAA:
ASA1(config)# aaa authentication ssh console aaaname LOCAL
Note: remember "no aaa authorization exec LOCAL"; to do local authorization, create a local account with the same username and password as on the authentication server:
ASA1(config)# username test1 password cisco privilege 15
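The Telnet, SSH, HTTPS, SNMP and AAA sections above are the management plane of the box, and the commands lend themselves to a mechanical review. Here is an added example (my own code, not from the original post) that audits the relevant lines of a running-config: cleartext Telnet, `ssh`/`http` source ranges wider than a /24, SNMP hosts still on a community string, SNMPv3 users on MD5/DES, SSH without `aaa authentication ssh console`, and missing `logging enable`/`logging host`. Both sample configs are constructed from the commands on this page; the weak one reproduces `telnet 0 0 dmz` and `ssh 0 0 dmz` (stored by the ASA as `0.0.0.0 0.0.0.0`), the hardened one is what the same access looks like restricted to the management host. The finding codes and the /24 threshold are my own choices.

```python
import re
from ipaddress import ip_network
from typing import List, Tuple

# "telnet|ssh|http <ip> <mask> <interface>" as it appears in show running-config
MGMT_RE = re.compile(r"^(telnet|ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
# SNMP hosts still addressed with a community string (v1/v2c)
SNMP_OLD_RE = re.compile(r"^snmp-server host \S+ \S+ .*(\bcommunity\b|\bversion (1|2c)\b)")

Finding = Tuple[str, str]   # (code, explanation)


def audit_management_plane(config_text: str) -> List[Finding]:
    """Check the management-access, SNMP and logging lines of an ASA running-config."""
    findings: List[Finding] = []
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    ssh_enabled = False
    for line in lines:
        m = MGMT_RE.match(line)
        if m:
            proto, ip, mask, iface = m.groups()
            net = ip_network(f"{ip}/{mask}", strict=False)   # dotted mask is accepted by ipaddress
            if proto == "telnet":
                findings.append(("TELNET-CLEARTEXT",
                                 f"telnet from {net} on {iface}: credentials cross the wire in cleartext, use ssh"))
            if proto == "ssh":
                ssh_enabled = True
            if net.prefixlen < 24:   # anything wider than a /24 is treated as "any host" here
                findings.append((f"{proto.upper()}-WIDE-SOURCE",
                                 f"{proto} allowed from {net} on {iface}; restrict to management hosts"))
            continue
        parts = line.split()
        if SNMP_OLD_RE.match(line):
            findings.append(("SNMP-V1V2C",
                             f"host {parts[3]} via {parts[2]} uses a community string; move to v3 priv"))
        elif line.startswith("snmp-server user") and (" auth md5 " in line or " priv des " in line):
            findings.append(("SNMP-WEAK-V3",
                             f"user {parts[2]}: md5/des are the weakest v3 choices; prefer sha/aes"))
    if ssh_enabled and not any(l.startswith("aaa authentication ssh console") for l in lines):
        findings.append(("SSH-NO-AAA", "ssh is enabled without 'aaa authentication ssh console ...'"))
    if "logging enable" not in lines:
        findings.append(("LOGGING-OFF", "logging is disabled (the default); add 'logging enable'"))
    if not any(l.startswith("logging host ") for l in lines):
        findings.append(("NO-SYSLOG-HOST", "no 'logging host' configured; events never leave the box"))
    return findings


# Constructed sample configs built from the commands in this post.
WEAK_CONFIG = """
hostname asa1
telnet 0.0.0.0 0.0.0.0 dmz
passwd cisco
ssh 192.168.17.100 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 dmz
http server enable
http 192.168.12.0 255.255.255.0 dmz
aaa authentication http console LOCAL
snmp-server host dmz 192.168.12.1 community public version 2c
snmp-server group group001 v3 priv
snmp-server user admin group001 v3 auth md5 cisco priv des cisco
logging enable
"""

HARDENED_CONFIG = """
hostname asa1
ssh 192.168.17.100 255.255.255.255 inside
aaa authentication ssh console LOCAL
http server enable
http 192.168.17.100 255.255.255.255 inside
aaa authentication http console LOCAL
snmp-server group group001 v3 priv
snmp-server user admin group001 v3 auth sha cisco priv aes 128 cisco
snmp-server host dmz 192.168.12.1 version 3 admin
logging enable
logging host dmz 192.168.12.1
"""

if __name__ == "__main__":
    for code, why in audit_management_plane(WEAK_CONFIG):
        print(f"{code:20s} {why}")
    print("hardened findings:", audit_management_plane(HARDENED_CONFIG))
```

Running it against `WEAK_CONFIG` lists seven findings; against `HARDENED_CONFIG` it lists none, which is the shape of review you want before the box is exposed on a DMZ interface.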
Self-signed certificate
This article is from the "Try" blog, so be sure to keep this source http://beening.blog.51cto.com/9079117/1787927
ASA Basic Command _02