Cisco ASA Configuration

  • Recover Password ASA

    Step 1 Connect to the ASA console port.

    Step 2 Power off the ASA, and then power it on.

    Step 3 After startup, press the Escape key when you are prompted to enter ROMMON mode.

    Step 4 To update the configuration register value, enter the following command:

    rommon #1> confreg 0x41
    
    Update Config Register (0x41) in NVRAM...

    Step 5 To set the ASA to ignore the startup configuration, enter the following command:

    rommon #1> confreg

    The ASA displays the current configuration register value, and asks whether you want to change it:

    Current Configuration Register: 0x00000041
    
    Configuration Summary: 
    
      boot default image from Flash
    
      ignore system configuration
    
    Do you wish to change this configuration? y/n [n]: y

    Step 6 Record the current configuration register value, so you can restore it later.

    Step 7 At the prompt, enter Y to change the value.

    The ASA prompts you for new values.

    Step 8 Accept the default values for all settings. At the prompt, enter Y.

    Step 9 Reload the ASA by entering the following command:

    rommon #2> boot
    
    Launching BootLoader...
    
    Boot configuration file contains 1 entry.
    
    Loading disk0:/asa800-226-k8.bin... Booting...Loading...

    The ASA loads the default configuration instead of the startup configuration.

    Step 10 Access the privileged EXEC mode by entering the following command:

    hostname> enable

    Step 11 When prompted for the password, press Enter.

    The password is blank.

    Step 12 Load the startup configuration by entering the following command:

    hostname# copy startup-config running-config

    Step 13 Access the global configuration mode by entering the following command:

    hostname# configure terminal

    Step 14 Change the passwords, as required, in the configuration you just loaded by entering the following commands (the first sets the login password used for Telnet and SSH, the second the enable password, the third the password of a local user):

    hostname(config)# password password
    
    hostname(config)# enable password password
    
    hostname(config)# username name password password

    Step 15 Restore the default configuration register, so that the next reload boots from the startup configuration again instead of ignoring it, by entering the following command:

    hostname(config)# no config-register 

    The default configuration register value is 0x1.

    Step 16 Save the new passwords to the startup configuration by entering the following command:

    hostname(config)# copy running-config startup-config

    Disabling Password Recovery

    You might want to disable password recovery to ensure that unauthorized users cannot use the password recovery mechanism to compromise the ASA. The procedure above shows why: anyone with console access and control of the power can boot past the passwords and read the entire startup configuration, including any secrets stored in it, so physical console access should be treated as administrator access.

    On the ASA, the no service password-recovery command prevents a user from entering ROMMON mode with the configuration intact. When a user enters ROMMON mode, the ASA prompts the user to erase all Flash file systems. The user cannot enter ROMMON mode without first performing this erasure. If a user chooses not to erase the Flash file system, the ASA reloads. Because password recovery depends on using ROMMON mode and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to restore the system to an operating state, load a new image and a backup configuration file, if available. Keep a current, offline backup of the configuration and of the software image before enabling this protection, since a forgotten enable password then means a rebuild from those backups.
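As an added example, not taken from the original page: the checks to run after finishing the recovery procedure above, followed by the hardening step from this section. The hostname prompt is illustrative, and the lines marked "expected" describe what an ASA that has been reset to the default register prints.

```cisco
! Added example, not from the original page. Prompts and hostname are illustrative.
!
! 1. After Step 15 and Step 16 of the recovery, confirm the register is back
!    at its default so the next reload boots from startup-config instead of
!    ignoring it.
hostname# show version | include Configuration register
!    expected: Configuration register is 0x1
!
! 2. Confirm the password you set in Step 14 is what was saved, i.e. the
!    recovered configuration and not an empty default one.
hostname# show startup-config | include enable password
!    expected: enable password <hash> encrypted
!
! 3. Close the door the recovery used: from now on ROMMON offers only
!    "erase all flash" or a reload, and the running config cannot be read
!    from the console without the passwords.
hostname# configure terminal
hostname(config)# no service password-recovery
hostname(config)# end
hostname# show running-config | include password-recovery
!    expected: no service password-recovery
hostname# write memory
```

Run step 3 only once an offline copy of the configuration and the image exists, because after it a lost enable password means reloading a new image and restoring the backup, as the section above describes.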

  • Restore Factory Default

    The command that actually returns a unit to the factory default configuration is configure factory-default (single context mode only), followed by a save. The command below does something stronger: it clears the entire running configuration, interfaces and management access included, so an SSH or ASDM session that issues it is cut off; run it from the console. The prompt shows multiple-context mode; in single mode it is simply hostname(config)#.

    hostname/contexta(config)# clear configure all
  • Copy File (e.g. an ASDM or ASA image) to Flash

    To copy from a TFTP server, enter the following command:

    hostname# copy tftp://server[/path]/filename {flash:/ | disk0:/ | disk1:/}[path/]filename

    The flash:/ keyword represents the internal Flash memory on the PIX 500 series security appliance. You can enter flash:/ or disk0:/ for the internal Flash memory on the ASA 5500 series adaptive security appliance. The disk1:/ keyword represents the external Flash memory on the ASA.

    To copy from an FTP server, enter the following command:

    hostname# copy ftp://[user[:password]@]server[/path]/filename {flash:/ | disk0:/ | disk1:/}[path/]filename

    To copy from an HTTP or HTTPS server, enter the following command:

    hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename {flash:/ | disk0:/ | disk1:/}[path/]filename

    TFTP, FTP and plain HTTP carry the file and any credentials in clear text, so prefer HTTPS or secure copy, and in every case compare the copied image against the checksum published on the Cisco download page (verify /md5 disk0:/filename) before booting from it.

    To use secure copy, first enable SSH access to the ASA, then enable the SCP server in global configuration mode:

    hostname(config)# ssh scopy enable

    Then from a Linux client enter the following command:

    scp -v [path/]filename username@asa_address:disk0:/[path/]filename

    The -v is for verbose. OpenSSH scp has no -pw option (that belongs to PuTTY's pscp), so you will be prompted for the user's password.

  • Activate ASDM

    Download the ASDM image (asdm-<version>.bin) from the Cisco Software Download site and copy it to disk0:/ (or flash:/) as described above. No reload is needed: tell the ASA which image to serve with the asdm image command, enable the HTTPS server with http server enable, and permit the hosts or networks allowed to connect with the http command. ASDM then logs in with the enable password unless aaa authentication http console LOCAL has been configured, in which case local usernames are used.
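Putting the two sections above together, as an added example that is not from the original page: copy an ASDM image over HTTPS, check what landed on flash, then point the ASA at it. The HTTPS server name, the file name asdm-<version>.bin and the 192.168.1.0/24 management network are assumptions for this example.

```cisco
! Added example, not from the original page. The server name, the file name
! asdm-<version>.bin and the 192.168.1.0/24 management network are assumed
! values; substitute your own.
!
! 1. Copy the image to internal flash. Credentials embedded in the URL are
!    visible on screen and in the command history; a server that needs none
!    is preferable.
hostname# copy https://files.example.net/asdm-<version>.bin disk0:/asdm-<version>.bin
!
! 2. Confirm the file arrived with the expected size and checksum before
!    using it; compare the printed MD5 with the one on the download page.
hostname# dir disk0:
hostname# verify /md5 disk0:/asdm-<version>.bin
!
! 3. Point the ASA at the image and open HTTPS only to the management network.
hostname# configure terminal
hostname(config)# asdm image disk0:/asdm-<version>.bin
hostname(config)# http server enable
hostname(config)# http 192.168.1.0 255.255.255.0 inside
!    optional: authenticate ASDM logins against local usernames instead of
!    the enable password
hostname(config)# aaa authentication http console LOCAL
hostname(config)# end
!
! 4. Verify and save. No reload is required.
hostname# show asdm image
hostname# write memory
```

The http statement is the access control for the management plane: keep it to the management network rather than 0.0.0.0 0.0.0.0, and never apply it to the outside interface.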

  • Configure Static NAT on a Cisco ASA security Appliance

1. Create the network object and static NAT statement. A network object must be created identifying the internal host. Within the network object, you must also create a static NAT statement naming the inside and outside interfaces, the mapped address (here the outside interface's own address) and the type of traffic to be forwarded:

    object network InternalHost
     host 192.168.102.5
     nat (inside,outside) static interface service tcp 80 80

2. Understand what the NAT statement says. The keyword interface tells NAT to use whatever address is currently on the outside interface as the mapped address. In service tcp 80 80, the first 80 is the real port on the internal host and the second 80 is the mapped port exposed on the outside interface; they do not have to be equal.

3. Build the Access-Control List to permit the traffic flow. On ASA 8.3 and later the ACL matches the real (untranslated) address of the server, not the outside interface address, which is why the entry names 192.168.102.5 (this statement goes on a single line):

    access-list OutsideToWebServer permit tcp any host 192.168.102.5 eq www

4. Apply the ACL to the outside interface using the access-group command:

    access-group OutsideToWebServer in interface outside

This is the complete configuration:

    object network InternalHost
     host 192.168.102.5
     nat (inside,outside) static interface service tcp 80 80
    access-list OutsideToWebServer permit tcp any host 192.168.102.5 eq www
    access-group OutsideToWebServer in interface outside

When successfully implemented, this configuration will permit a host on the outside network, such as the public Internet, to connect to the internal Web server using the address on the ASA’s outside interface.
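As an added example that is not part of the original tutorial: the configuration above, verified the way a practitioner would verify it on the ASA, with a second object added to show how the same server is exposed on a further port. It assumes ASA software 8.3 or later (the object NAT syntax used here), an outside interface addressed 198.51.100.2 and an external tester at 203.0.113.10, both documentation-range addresses chosen for the example. packet-tracer is the ASA's built-in way to walk a synthetic packet through NAT and the ACL without sending real traffic.

```cisco
! Added example, not from the original tutorial. Assumes ASA 8.3 or later,
! an outside interface addressed 198.51.100.2 and a tester at 203.0.113.10
! (both documentation-range addresses chosen for the example).
object network InternalHost
 host 192.168.102.5
 nat (inside,outside) static interface service tcp 80 80
!
! A network object holds exactly one nat statement, so exposing a second
! port on the same host needs a second object for the same real address.
object network InternalHost-https
 host 192.168.102.5
 nat (inside,outside) static interface service tcp 443 443
!
! Post-8.3 ACLs match on the real (untranslated) address, hence
! 192.168.102.5 and not the outside interface address.
access-list OutsideToWebServer permit tcp any host 192.168.102.5 eq www
access-list OutsideToWebServer permit tcp any host 192.168.102.5 eq https
access-group OutsideToWebServer in interface outside
!
! Checks: list the translations with their hit counters, then trace a
! synthetic packet from outside. The trace for port 80 should show an
! UN-NAT phase mapping 198.51.100.2:80 to 192.168.102.5:80, an ACCESS-LIST
! phase matching OutsideToWebServer, and end in "Action: allow". The trace
! for port 22 must end in "Action: drop", proving nothing else on the host
! is reachable through the interface address.
show nat
packet-tracer input outside tcp 203.0.113.10 40000 198.51.100.2 80
packet-tracer input outside tcp 203.0.113.10 40000 198.51.100.2 22
```

Re-run the two traces after any later NAT or ACL change; a forwarding rule that still allows 80 but suddenly also allows 22 is the kind of regression these traces catch before an outside scan does.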
