Network World

Jamey Heary

Hidden Secrets in the Cisco ASA

Commands and functions I bet you didn't know existed

By jheary on Mon, 09/13/10 - 9:30pm.

Think you know the ASA pretty well? Have you worked with it for years and honed your ASA skills to a razor-fine edge? Think you know all of the hidden secrets the ASA has to offer? I'll bet you answered yes to the first two but might have been reluctant to shout out a definitive yes to the last one. Why? Because the ASA is a complex system that includes hundreds and hundreds of features, making it nearly impossible to know all the tricks. In this blog I'll talk about a few of the lesser-known features and commands that most ASA administrators will find useful.

SPAN/mirror port on the ASA 5505 - The ASA 5505 has an eight-port Ethernet switch in it, making it unique among the ASA product line. Like all Cisco switches, this one also supports traffic SPAN (port mirroring), which lets you capture packets by copying them to a destination switchport for analysis.

Command:
switchport monitor source_port [tx | rx | both]

Example:
Asa5505(config)# interface ethernet 0/4
Asa5505(config-if)# switchport monitor ethernet 0/0
Asa5505(config-if)# switchport monitor ethernet 0/1

Private VLANs on the ASA 5505 - Another useful switch feature found only on the ASA 5505 is private VLAN support. Ethernet ports that are designated as protected ports cannot talk to other ports that are also designated as protected. Protected ports can only talk to ports that are NOT protected. So if you have two web servers and you configure their ports as protected, they will not be able to talk to each other; they will, however, still be able to talk to any non-protected port, such as your Internet uplink port. The protection is done at Layer 2, so absolutely no traffic passes between protected ports.

Command:
switchport protected

Example:
Asa5505(config)#interface ethernet 0/3
Asa5505(config-if)#switchport protected

ASA SCP Server - Did you know your ASA can accept incoming SCP (secure copy) file transfer requests? Switching this on turns your ASA into a secure copy (SCP) file server, so you can upload and download files to and from flash at your leisure. This makes code upgrades, retrieving log files, backing up configurations with scripts, etc. much easier. Most folks only know about the ASA's ability to fetch files itself, using things like copy scp flash: from the CLI or via ASDM. Not many know that the ASA has a full-blown SCP server in it. Happy secure copying!

Command:
ssh copy enable

Example:
asa5505(config)# ssh 192.168.120.0 255.255.255.0 inside
asa5505(config)# ssh version 2
asa5505(config)# ssh copy enable
asa5505(config)# ssh timeout 60
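
The scripted configuration backup mentioned above, as an added example that is not from the article. It assumes an ASA with ssh copy enable and an SSH ACL that admits the host running the script, that the ASA serves its running configuration under the SCP path "running-config", and that users of OpenSSH 9.0 or later set SCP_OPTS="-O" to force the legacy SCP protocol, since the ASA does not speak SFTP.

```shell
#!/bin/sh
# Back up an ASA's running configuration through the ASA's own SCP server.
# Added example, not from the article. Assumptions: "ssh copy enable" is set on the
# ASA, the management subnet is allowed by its "ssh ... inside" ACL, and the ASA
# exposes the running configuration under the SCP path "running-config".
# OpenSSH 9.0+ defaults scp to SFTP, which the ASA lacks: export SCP_OPTS="-O" there.

# Build a timestamped, filesystem-safe backup file name: <host>_<YYYYmmdd-HHMMSS>.cfg
asa_backup_name() {
    host=$1
    stamp=$2
    printf '%s_%s.cfg\n' "$(printf '%s' "$host" | tr ':/' '__')" "$stamp"
}

# asa_backup HOST [USER] [DIR]
# Copies running-config into DIR, verifies it looks like an ASA configuration and
# keeps the file private (umask 077): an ASA config carries pre-shared keys and
# passwords in the clear unless "key config-key password-encryption" is in use.
# Prints the backup path. Returns 0 on success, 1 if the transfer failed,
# 2 if the downloaded content does not look like an ASA configuration.
asa_backup() {
    host=$1
    user=${2:-admin}
    dir=${3:-./asa-backups}
    stamp=$(date -u +%Y%m%d-%H%M%S)
    out="$dir/$(asa_backup_name "$host" "$stamp")"

    mkdir -p "$dir" || return 1
    # SCP_OPTS is intentionally unquoted so that "-O -q" splits into two options.
    if ! ( umask 077; scp ${SCP_OPTS:-} "$user@$host:running-config" "$out" ); then
        echo "asa_backup: transfer from $host failed" >&2
        rm -f "$out"
        return 1
    fi
    # Every ASA running-config carries an "ASA Version x.y(z)" line near the top;
    # anything else (an error banner, an empty file) is kept for inspection but rejected.
    if ! grep -q '^ASA Version ' "$out"; then
        echo "asa_backup: $out does not look like an ASA configuration" >&2
        return 2
    fi
    printf '%s\n' "$out"
}
```

Run it from cron on the management host, e.g. asa_backup 192.0.2.10 admin /srv/asa-backups, and keep the backup directory as tightly permissioned as the ASA itself.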

Quick way to remove parts of your configuration via the CLI - Ever find yourself repeatedly using the no form of commands to remove sections from your configuration? If so, here is a command you'll love: clear configure. Clear configure lets you delete whole sections or subsections of your configuration at once. In certain situations it can be a huge timesaver for the ASA admin.

Command:
clear configure configuration_command [level2_configuration_command]

Example:
Asa5505(config)# clear configure aaa authentication

Encrypt all passwords in your configuration file - A typical ASA configuration contains all sorts of passwords and pass phrases that usually aren't encrypted. Some examples are OSPF, VPN load balancing, AAA servers, log servers, etc. The master passphrase added in ASA 8.3.1 allows you to quickly encrypt all those passwords. Now you can feel a bit more comfortable storing your configuration files and sharing them with TAC and other consultants.

Command:
key config-key password-encryption [new_passphrase [old_passphrase]]

Example:
hostname(config)# key config-key password-encryption
Old key: cisco
New key: cisco123
Confirm key: cisco123

Those are some of the secret ASA features that might help you better administer your ASAs. Please share any secrets you have.



The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

About Cisco Security Expert

Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council Board of Advisors, where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.

Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP and CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.
