ASA Firewall

Adaptive Security Appliance firewall policy, NAT, and site-to-site/remote-access VPN configuration.

Interface & Connectivity

Show interface status, names, and security levels
show interface ip brief
Output
Interface           IP-Address      OK? Method Status    Protocol
GigabitEthernet0/0  203.0.113.1     YES manual up        up
GigabitEthernet0/1  10.50.1.1       YES manual up        up
Management0/0       192.168.1.1     YES manual up        up
Show nameif assignments — maps interface to security zone
show nameif
Output
Interface                Name                     Security
GigabitEthernet0/0       outside                  0
GigabitEthernet0/1       inside                   100
Management0/0            management               50
Assign nameif and security-level to an interface
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.50.1.1 255.255.255.0
 no shutdown
Traffic flows from higher security-level to lower by default. Lower-to-higher requires explicit ACL.

NAT — Network Address Translation

Auto NAT (object NAT) — inside subnet to outside dynamic PAT on the interface address
object network OBJ-INSIDE-NET
 subnet 10.50.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
Manual (twice) NAT — matches source and destination together for more control
nat (inside,outside) source static OBJ-SERVER OBJ-SERVER-MAPPED destination static OBJ-REMOTE OBJ-REMOTE
Static object NAT — 1:1 mapping for a server (inbound access)
object network OBJ-WEB-SERVER
 host 10.50.1.80
 nat (inside,outside) static 203.0.113.80
Verify NAT translations currently active
show xlate
Output
3 in use, 15 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from inside:10.50.1.100/54321 to outside:203.0.113.1/54321 flags ri idle 0:00:30
Clear all NAT translations — use during NAT rule changes (this also tears down the connections that use them)
clear xlate

Access Control

Show access-list hit counts — find unused or heavily used rules
show access-list
Output
access-list OUTSIDE_IN; 3 elements; name hash: 0x1234abcd
access-list OUTSIDE_IN line 1 extended permit tcp any host 203.0.113.80 eq www
  hitcnt=48291 (hash 0xdeadbeef)
access-list OUTSIDE_IN line 2 extended permit tcp any host 203.0.113.80 eq https
  hitcnt=102844 (hash 0xcafebabe)
access-list OUTSIDE_IN line 3 extended deny ip any any
  hitcnt=7831 (hash 0x12345678)
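A small audit script over the hit-count output above, added here as an example and not part of the original cheat sheet: it pairs each ACE with its hitcnt, flags rules that have never matched and ranks the busiest ones. The sample input is constructed from the page's OUTSIDE_IN listing plus one made-up never-hit rule.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the page's OUTSIDE_IN output, with an
# extra never-hit rule (line 3) added so the audit has something to find.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list OUTSIDE_IN; 4 elements; name hash: 0x1234abcd
access-list OUTSIDE_IN line 1 extended permit tcp any host 203.0.113.80 eq www
  hitcnt=48291 (hash 0xdeadbeef)
access-list OUTSIDE_IN line 2 extended permit tcp any host 203.0.113.80 eq https
  hitcnt=102844 (hash 0xcafebabe)
access-list OUTSIDE_IN line 3 extended permit tcp any host 203.0.113.81 eq 8443
  hitcnt=0 (hash 0x0badf00d)
access-list OUTSIDE_IN line 4 extended deny ip any any
  hitcnt=7831 (hash 0x12345678)
"""

# The ACE line; the optional tail tolerates builds that print hitcnt inline.
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (extended .+?)(?:\s+\(hitcnt=.*)?$")
HIT_RE = re.compile(r"hitcnt=(\d+)")


def parse_aces(text: str) -> List[Dict]:
    """Return one dict per ACE, pairing it with its hit counter."""
    aces: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            current = {"acl": m.group(1), "line": int(m.group(2)),
                       "rule": m.group(3), "hitcnt": None}
            aces.append(current)
        h = HIT_RE.search(line)
        if h and current is not None and current["hitcnt"] is None:
            current["hitcnt"] = int(h.group(1))
    return aces


def audit(text: str, top: int = 2) -> Dict:
    """Flag ACEs with zero hits and list the busiest ones."""
    aces = parse_aces(text)
    unused = [a for a in aces if a["hitcnt"] == 0]
    ranked = sorted(aces, key=lambda a: a["hitcnt"] or 0, reverse=True)
    return {"unused": unused, "busiest": ranked[:top]}


if __name__ == "__main__":
    result = audit(SAMPLE_SHOW_ACCESS_LIST)
    for a in result["unused"]:
        print(f"UNUSED  {a['acl']} line {a['line']}: {a['rule']}")
    for a in result["busiest"]:
        print(f"TOP     {a['acl']} line {a['line']}: hitcnt={a['hitcnt']}")
```

Hit counters reset on reload and on clear access-list counters, so a zero count only proves the rule has not matched since then.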
Object-group for cleaner ACLs — group hosts and services
object-group network OG-WEB-SERVERS
 network-object host 10.50.1.80
 network-object host 10.50.1.81

object-group service OG-WEB-SERVICES tcp
 port-object eq www
 port-object eq https

access-list OUTSIDE_IN extended permit tcp any object-group OG-WEB-SERVERS object-group OG-WEB-SERVICES
Apply access-list to an interface
access-group OUTSIDE_IN in interface outside

Connection Tracking

Show active connections — verify traffic is flowing
show conn
Output
5 in use, 112 most used
TCP outside 198.51.100.50:443 inside 10.50.1.100:54321, idle 0:00:05, bytes 28472, flags UIO
TCP outside 198.51.100.51:80 inside 10.50.1.101:54322, idle 0:01:30, bytes 1024, flags UIO
Show conn filtered by address — isolate one host
show conn address 10.50.1.100
Show connection count summary
show conn count

Failover

Show failover status — active/standby state
show failover
Output
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds

This host:    Primary - Active
  Interface inside (10.50.1.1): Normal (Monitored)
  Interface outside (203.0.113.1): Normal (Monitored)

Other host:   Secondary - Standby Ready
  Interface inside (10.50.1.2): Normal (Monitored)
  Interface outside (203.0.113.2): Normal (Monitored)
Force failover to standby — controlled switchover
failover active
no failover active
Run failover active on the standby unit to make it take over, or no failover active on the current active unit to hand over.

Packet Tracer — Simulate Traffic Without Sending Packets

Trace a TCP packet from outside to inside web server
packet-tracer input outside tcp 198.51.100.50 12345 203.0.113.80 443 detailed
Output (abbreviated)
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
NAT: 203.0.113.80/443 -> 10.50.1.80/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW

Result: input-interface: outside
        output-interface: inside
        Action: allow
packet-tracer is the single most useful ASA troubleshooting command. It walks every phase of the packet path: ACL, NAT, routing, inspection.

Packet Capture

Capture traffic on inside interface for a specific host
capture CAP-INSIDE interface inside match tcp host 10.50.1.100 any
View captured packets
show capture CAP-INSIDE
Download capture as pcap for Wireshark analysis
copy /pcap capture:CAP-INSIDE tftp://10.50.1.200/cap-inside.pcap
Remove capture when done
no capture CAP-INSIDE

VPN — Site-to-Site IPsec

Show IKEv1/IKEv2 SA status
show crypto isakmp sa
show crypto ikev2 sa
Show IPsec SA — verify encryption/decryption counters
show crypto ipsec sa
Output (key fields)
interface: outside
    Crypto map tag: CRYPTO-MAP, seq num: 10, local addr: 203.0.113.1

    access-list VPN-TRAFFIC extended permit ip 10.50.1.0 255.255.255.0 10.60.1.0 255.255.255.0
    local ident  (addr/mask/prot/port): (10.50.1.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.60.1.0/255.255.255.0/0/0)

    #pkts encaps: 48291, #pkts encrypt: 48291, #pkts digest: 48291
    #pkts decaps: 51003, #pkts decrypt: 51003, #pkts verify: 51003
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 48291, #pkts not decompressed: 0
    #send errors 0, #recv errors 0
If encaps/decaps are both zero, traffic is not matching the crypto ACL. Check ACL and routing. If only decaps is zero, this side is sending but nothing comes back, so check the peer's crypto ACL and routing.
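A counter-based health check for the show crypto ipsec sa output above, added as an example and not part of the original page: it splits the output per crypto map entry, reads the encaps/decaps and error counters, and maps each pattern to the usual first thing to check. The sample reuses the page's counters for seq 10 and adds a constructed one-way tunnel as seq 20.

```python
import re
from typing import Dict, List

# Constructed "show crypto ipsec sa" excerpt: SA seq 10 reuses the page's
# counters; SA seq 20 is a made-up tunnel that sends but never receives.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: CRYPTO-MAP, seq num: 10, local addr: 203.0.113.1
      local ident  (addr/mask/prot/port): (10.50.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.60.1.0/255.255.255.0/0/0)
      #pkts encaps: 48291, #pkts encrypt: 48291, #pkts digest: 48291
      #pkts decaps: 51003, #pkts decrypt: 51003, #pkts verify: 51003
      #send errors 0, #recv errors 0
    Crypto map tag: CRYPTO-MAP, seq num: 20, local addr: 203.0.113.1
      local ident  (addr/mask/prot/port): (10.50.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.70.1.0/255.255.255.0/0/0)
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors 0, #recv errors 0
"""


def parse_sas(text: str) -> List[Dict]:
    """Split the output per crypto map entry and pull out the counters."""
    sas = []
    for block in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        sa = {"seq": int(re.search(r"seq num: (\d+)", block).group(1)),
              "remote": re.search(r"remote ident.*?: \((\S+?)/", block).group(1)}
        for key in ("encaps", "decaps"):
            sa[key] = int(re.search(rf"#pkts {key}: (\d+)", block).group(1))
        err = re.search(r"#send errors (\d+), #recv errors (\d+)", block)
        sa["send_err"], sa["recv_err"] = int(err.group(1)), int(err.group(2))
        sas.append(sa)
    return sas


def diagnose(sa: Dict) -> str:
    """Map the counter pattern to the usual first thing to check."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "no traffic: check crypto ACL and routing on this side"
    if sa["decaps"] == 0:
        return "one-way (sending only): check the peer's crypto ACL and routing"
    if sa["encaps"] == 0:
        return "one-way (receiving only): check local routing and NAT exemption"
    if sa["send_err"] or sa["recv_err"]:
        return "passing traffic with errors: investigate send/recv errors"
    return "healthy"


def report(text: str) -> Dict[int, str]:
    """Verdict per crypto map sequence number, e.g. {10: 'healthy', ...}."""
    return {sa["seq"]: diagnose(sa) for sa in parse_sas(text)}
```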
Clear a stuck VPN tunnel — forces renegotiation
clear crypto ipsec sa peer 198.51.100.100
clear crypto isakmp sa