Cisco ASA Basic Configuration Guide
Table of Contents
1.1. WCCP configuration on Cisco ASA
1.2. ASA upgrade notes to 8.3
1.3. Cisco ASA traffic shaping and QoS
1.4. Cisco ASA policy Based routing alternative
1.5. Cisco ASA Etherchanneling
1.6. Redundant interfaces
1.7. LDAP authentication for VPN clients on Cisco ASA
1.8. Configuring Netflow on cisco ASA
1.9. Shunning ip addresses on Cisco ASA
1.10. Credits
WCCP configuration on Cisco ASA
The redirect-list selects the client traffic that is redirected to the cache engine; the group-list identifies the cache engines that are allowed to join the web-cache service group (service 0, HTTP). Both access lists are referenced by name from the wccp command.
! Client traffic eligible for redirection (the inside subnet).
! If the cache engine itself sits on this subnet, put a deny entry for
! host 192.168.1.10 ahead of the permit so its own upstream fetches are not
! redirected back to it.
access-list wccp-traffic extended permit ip 192.168.1.0 255.255.255.0 any
!
! Cache engine(s) permitted to join the service group
access-list wccp-destination extended permit ip host 192.168.1.10 any
!
! Service group: group-list must name the cache-engine ACL defined above
wccp web-cache redirect-list wccp-traffic group-list wccp-destination
! Redirection is ingress-only; apply it on the interface facing the clients
wccp interface inside web-cache redirect in
Check that the cache engine has registered with show wccp web-cache detail; until a cache engine appears in the service group, no traffic is redirected.
ASA upgrade notes to 8.3
Main differences
Before upgrading, confirm that the appliance meets the minimum memory requirement for 8.3; Cisco's 8.3 release notes list it per model (the original page linked to them). The upgrade converts the old nat/global/static configuration to object-based NAT automatically; review the converted configuration, because the NAT changes are the most disruptive part of the release (the original page linked to Cisco's NAT migration notes).
Access lists applied to interfaces now match the real (untranslated) address, not the translated one. The rule below therefore names the real inside address 172.16.1.1, even though outside hosts reach that server through its mapped public address:
access-list outside extended permit tcp any host 172.16.1.1
access-group outside in interface outside
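The following is an added example, not configuration from the original page: the same static translation and inbound rule written first in pre-8.3 and then in 8.3 syntax, so the change in what the ACL refers to is visible side by side. The mapped public address 203.0.113.10, the object name WEB-SERVER and the restriction to port 443 are assumptions.

```cisco
! --- 8.2 and earlier: static (real_ifc,mapped_ifc) mapped_ip real_ip ---
static (inside,outside) 203.0.113.10 172.16.1.1 netmask 255.255.255.255
! The interface ACL matched the MAPPED address
access-list outside extended permit tcp any host 203.0.113.10 eq 443
access-group outside in interface outside

! --- 8.3 and later: object NAT; the interface ACL matches the REAL address ---
object network WEB-SERVER
 host 172.16.1.1
 nat (inside,outside) static 203.0.113.10
! Same policy, now written against the real address, still bound to outside
access-list outside extended permit tcp any host 172.16.1.1 eq 443
access-group outside in interface outside
!
! A rule still written against 203.0.113.10 after the upgrade matches nothing:
! the packet has already been untranslated when the ACL is evaluated.
! Confirm which rule a packet hits (source 198.51.100.7 is assumed):
!   packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 443
```

The packet-tracer output ends in an ACCESS-LIST phase that names the matched rule; run it once before and once after the upgrade so any rule that stopped matching is caught before a change window closes.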
Cisco ASA traffic shaping and QoS
The example below nests priority queueing under hierarchical shaping on the outside interface: everything leaving outside is shaped to 800 kbps, and within that rate, voice (DSCP EF) inside the VPN tunnel tunnel-grp1 goes to the low-latency queue. On the ASA, shaping works only in the output direction and only on class-default, so the priority policy has to be nested inside the shaping policy rather than applied on its own.
! The interface needs a priority queue before any class can use 'priority'
priority-queue outside
!
! Voice inside the VPN tunnel tunnel-grp1: both conditions must match
class-map Shaping-voice-class
 match tunnel-group tunnel-grp1
 match dscp ef
!
! Inner policy: low-latency queueing for the voice class
policy-map priority-policy
 class Shaping-voice-class
  priority
!
! Outer policy: shape all traffic to 800000 bps, then queue it with the inner policy
policy-map shape-priority-policy
 class class-default
  shape average 800000
  service-policy priority-policy
!
! Shaping is output-only, so the policy is applied to the egress interface
service-policy shape-priority-policy interface outside
Verify with show service-policy interface outside (shaped rate and drops) and show priority-queue statistics outside (packets through the BE and LLQ queues); if the LLQ counters stay at zero, the tunnel-group name or the DSCP marking of the voice traffic does not match the class-map.
Cisco ASA policy Based routing alternative
Policy-based routing was not available on the ASA releases this guide targets (it arrived in 9.4(1)), but the NAT engine can be used to get the same effect: the ASA performs the destination un-translation lookup before the route lookup, and a packet whose destination matches a static is sent out of the interface that static belongs to. The example below, in pre-8.3 NAT syntax, sends outbound web traffic over the primary ISP link and SMTP over the second ISP link.
! Primary default route via ISP1 (metric 1) and a backup via ISP2 (metric 2).
! Only the metric-1 route is used for forwarding; the second is still needed so
! the ASA has a valid next hop out of outside1 for the traffic steered there.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside1 0.0.0.0 0.0.0.0 193.168.1.1 2
!
! Dynamic PAT for all inside hosts to whichever ISP interface they leave through
nat (inside) 1 0 0
global (outside) 1 interface
global (outside1) 1 interface
!
! static (real_ifc,mapped_ifc) tcp mapped_ip port real_ip port netmask mask:
! any destination on port 80 is "behind" outside, any destination on port 25
! is "behind" outside1, so the un-NAT lookup picks the egress interface
! instead of the routing table
static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
static (outside1,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0
This steers by destination port only, and the second default route is a backup, not a load-balanced path. Return traffic must arrive on the interface the connection left through, which the per-interface globals guarantee. Confirm the chosen egress with packet-tracer input inside tcp <inside host> 1025 <mail server> 25; the output names the interface the packet leaves on.
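On ASA 9.4(1) and later the same steering is done with real policy-based routing, which is an added example here and not configuration from the original page. A route-map applied to the inside interface sends SMTP to the second ISP's next hop and leaves everything else to the routing table; the inside subnet 192.168.1.0/24, the interface name GigabitEthernet0/1, the inside address and the ACL, route-map and object names are assumptions, and the next hop 193.168.1.1 is the ISP2 gateway from the routes above.

```cisco
! Only the traffic to be steered: SMTP from the inside subnet (assumed)
access-list PBR-SMTP extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
!
! Matching packets get the ISP2 next hop; everything else falls through the
! route-map and follows the routing table (the metric-1 default route)
route-map PBR-TO-ISP2 permit 10
 match ip address PBR-SMTP
 set ip next-hop 193.168.1.1
!
! PBR is applied on the ingress interface where the traffic arrives
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
 policy-route route-map PBR-TO-ISP2
!
! 8.3+ NAT: PAT to the address of whichever ISP interface the packet leaves by,
! replacing the pre-8.3 nat/global/static lines
nat (inside,outside) source dynamic any interface
nat (inside,outside1) source dynamic any interface
```

With a plain set ip next-hop, SMTP is black-holed if ISP2 goes down; pair the route-map with set ip next-hop verify-availability and an IP SLA track when the second link is not monitored some other way. packet-tracer input inside tcp <inside host> 1025 <mail server> 25 shows a PBR-LOOKUP phase naming the route-map when the policy matched.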
Cisco ASA Etherchanneling
EtherChannel bundles several physical Ethernet links into one logical port-channel interface. Traffic is load-shared across the member links, and the channel stays up when one or more members fail, so it provides both bandwidth and link redundancy. It has long been used between LAN switches and routers, and from release 8.4(1) (February 2011) the Cisco ASA supports it too, over copper or single-mode and multimode fibre. The 8.4 release notes list the commands added for the feature:
channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp and show port-channel.
In practice this raises the ASA's usable interface bandwidth beyond a single physical link, though the aggregate is still bounded by the platform's rated throughput.
EtherChannel requires ASA 8.4 or later; the full configuration guide is on cisco.com (the original page linked to it).
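The original page lists the commands but shows no configuration, so the following is an added example, not the page's own: a two-link LACP port-channel carrying the inside interface. The member interfaces GigabitEthernet0/2 and GigabitEthernet0/3, the inside address and the priority values are assumptions.

```cisco
! Member links carry no Layer 3 settings. 'active' sends LACP PDUs; the switch
! side must be active or passive (mode 'on' on either side disables LACP)
interface GigabitEthernet0/2
 channel-group 1 mode active
 lacp port-priority 100
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 channel-group 1 mode active
 lacp port-priority 200
 no nameif
 no security-level
 no ip address
!
! Logical interface: all Layer 3 configuration lives here
interface Port-channel1
 lacp max-bundle 8
 port-channel min-bundle 2
 port-channel load-balance src-dst-ip-port
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
! Lower value wins the LACP negotiation over which side selects active links
lacp system-priority 32768
```

min-bundle 2 takes the whole port-channel (and therefore the inside interface) down when only one member is up; that is the right choice when a single link would be oversubscribed, but with failover configured it also counts as an interface failure, so set it deliberately. Check the bundle with show port-channel summary and show lacp 1 neighbor; a member shown as suspended or individual usually means the switch side is not running LACP on that port.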
Redundant interfaces
What are Cisco ASA redundant interfaces?
A redundant interface pairs two physical interfaces into one logical interface that survives a physical link failure. All Layer 3 parameters (nameif, security-level, IP address) are configured on the logical interface, and the member interfaces carry none. Only one member is active at a time: if it fails, the ASA switches transparently to the other member and all traffic passes through it. Unlike an EtherChannel, no bandwidth is gained; the second link is purely standby.
(The original page shows a small diagram of the traffic flow here.)
! Members must have no nameif, security-level or IP address (Ethernet0/4 likewise)
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
! Logical interface: nameif, security-level and ip address are configured here
interface redundant 1
 member-interface Ethernet0/1
 member-interface Ethernet0/4
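A complete redundant-interface configuration, added here as an example that is not from the original page: the members from the snippet above, the Layer 3 settings on the logical interface, and the EXEC commands used to check and force the active member. The inside address and nameif are assumptions.

```cisco
! Physical members: no Layer 3 settings of their own
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
interface Ethernet0/4
 no nameif
 no security-level
 no ip address
!
! Logical interface; the first member added is active, the second is standby,
! and the interface uses the MAC address of the first member
interface redundant 1
 member-interface Ethernet0/1
 member-interface Ethernet0/4
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
! EXEC commands (not part of the running configuration):
! show which member is active and the link state of both
!   show interface redundant 1
! move traffic back to Ethernet0/1 after its link has been repaired; the ASA
! does not fail back automatically
!   redundant-interface redundant 1 active-member Ethernet0/1
```

Because only one member forwards at a time, connect the two members to different upstream switches where possible; two links into the same switch protect against a cable or port failure but not against the switch itself.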
LDAP authentication for VPN clients on Cisco ASA
Define the LDAP server group and its host as shown below. The bind and search settings the ASA needs (ldap-base-dn, ldap-scope, ldap-naming-attribute, ldap-login-dn and ldap-login-password) are set under the host entry; without them the ASA cannot locate the user record.
! AAA server group of type LDAP
aaa-server ldap_1 protocol ldap
! Host entry; server-type selects the directory schema (sun, microsoft,
! openldap, novell or auto-detect)
aaa-server ldap_1 host 10.1.1.4
 server-type sun
Authentication only proves who the user is; you may also need LDAP authorization for the VPN session. Once LDAP authentication succeeds, the security appliance queries the LDAP server, which returns the user's LDAP attributes. These generally carry the authorization data (typically group membership mapped to a group-policy) that applies to the VPN session. Both lookups are bound to the tunnel group:
! ipsec-ra is the pre-8.4 keyword; later releases use 'type remote-access'
tunnel-group remote-1 type ipsec-ra
tunnel-group remote-1 general-attributes
 ! without this line the tunnel group authenticates against LOCAL
 authentication-server-group ldap_1
 authorization-server-group ldap_1
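The following is an added example, not from the original page, of a hardened version of the above: LDAP over SSL so the bind credentials and user passwords do not cross the network in clear text, an attribute map that turns group membership into a group-policy, and a default policy that refuses anyone the map does not place in a group. It assumes an Active Directory server (server-type microsoft rather than the page's sun), the domain example.com, the bind account, group and policy names shown, and a server certificate the ASA is willing to accept.

```cisco
! Map the directory's memberOf attribute to the ASA's Class attribute, and the
! VPN-Users group DN to the group-policy VPN-USERS. Define the map before the
! host entry that references it.
ldap attribute-map AD-GROUPS
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=VPN-Users,OU=Groups,DC=example,DC=com VPN-USERS
!
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host 10.1.1.4
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=ServiceAccounts,DC=example,DC=com
 ldap-login-password Bind-Account-Password
 ldap-attribute-map AD-GROUPS
!
! Users in VPN-Users land here
group-policy VPN-USERS internal
group-policy VPN-USERS attributes
 vpn-simultaneous-logins 3
! Everyone else lands here and is refused: zero simultaneous logins
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
tunnel-group remote-1 type remote-access
tunnel-group remote-1 general-attributes
 authentication-server-group LDAP-AD
 authorization-server-group LDAP-AD
 default-group-policy NOACCESS
!
! EXEC check of the bind and the user lookup before cutting over (user assumed):
!   test aaa-server authentication LDAP-AD host 10.1.1.4 username jdoe password ...
```

Two caveats a deployment should account for: memberOf lists only direct membership, so users who reach VPN-Users through a nested group are not mapped and fall into NOACCESS; and the bind account needs read access to the user and group objects only, so give it a dedicated, least-privilege account rather than an administrator's credentials.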
Configuring Netflow on cisco ASA
The ASA exports NetFlow Secure Event Logging (NSEL, NetFlow v9) records for connection create, teardown and deny events rather than classic per-packet flow statistics, so the collector must understand the ASA's v9 templates. The configuration is straightforward:
! Collector reachable through the inside interface, listening on UDP 4444
flow-export destination inside 172.16.1.1 4444
!
! Select which connections to export; here all of them
access-list netflowacl extended permit ip any any
class-map NetFlow-traffic
 match access-list netflowacl
!
! Attach to the global policy (global_policy is applied globally by default)
policy-map global_policy
 class NetFlow-traffic
  flow-export event-type all destination 172.16.1.1
!
! Recommended: stop the syslogs that duplicate the exported NSEL events
logging flow-export-syslogs disable
Confirm records are leaving with show flow-export counters; a rising packet count with nothing arriving at the collector points at the path between inside and 172.16.1.1 or at a collector that does not accept NetFlow v9.
Shunning ip addresses on Cisco ASA
A shun blocks a source address outright, regardless of access lists: given only a source, the ASA drops all of that host's current connections and refuses new ones. The optional destination, ports and protocol (shun source_ip [dest_ip source_port dest_port [protocol]]) name one existing connection to tear down immediately; new connections from the source are blocked either way.
! Block 10.1.1.27 and tear down its TCP connection from port 555 to 10.2.2.89 port 666
shun 10.1.1.27 10.2.2.89 555 666 tcp
! Removing a shun takes only the source address
no shun 10.1.1.27
Shuns are EXEC state, not configuration: they are not written to the startup configuration and are lost on reload. List the active ones with show shun and their hit counts with show shun statistics.
Credits
https://supportforums.cisco.com
Recommended Reading
- Cisco ACS Best Practices document
- Cisco ASA Best Practices and Security Hardening Document.
- Cisco-vpn-ipsec-configuration-examples
- Cisco-ids-ips-aip-idsm-configuration-examples
- Detailed Cisco ACS 5.2 installation and configuration example with print screens
