
How do you set your asa?

cwhlaw2009
Level 1

Dear ALL,

I know the ASA is a powerful device, but normally I only set NAT, access lists, VPN, DHCP server, management interfaces, login accounts, NTP and PBR. I think I wasted it.

I know every task has different settings. But I want to know which functions you always set on the device.

2 Accepted Solutions

Marvin Rhoads
Hall of Fame

When in doubt, always check for a manufacturer's best practices guide.

Cisco Firewall Best Practices Guide:

http://www.cisco.com/web/about/security/intelligence/firewall-best-practices.html

Not everything there applies in every use case, but it's a very good place to start. I refer to it often when asked to scrub customers' ASA configurations.

Also, for an existing firewall I look for things like unused objects, access-lists and access-list entries. The tool at tunnelsup.com is very good for doing this:

http://www.tunnelsup.com/config-cleanup/ 

A while ago, I found this hardening guide, which is also very good:

https://www.nsa.gov/ia/_files/factsheets/Cisco_ASA_Configuration_Guide.pdf

Rolando Valenzuela

5 Replies

Philip D'Ath
VIP Alumni

I always set a username and password so I can log into the ASDM.

I always enable:

  • SSH
  • ip verify reverse-path interface ...
  • logging, asdm, debug
  • icmp and icmp error inspection
  • Usually threat detection and statistics
  • NTP

Samer R. Saleem
Level 4

Hi,

First of all, the ASA is powerful, especially if you have a license that allows you to use all of its features, for example IPS over IOS.

So you can begin with the best practices to secure your management plane.

Also uRPF.

NTP is better to be local from your servers; canceling or not for ICMP.

Threat detection.

IP audit, which is a basic IPS feature for some signatures.

Checking unused objects and ACLs.

Be more specific when opening service ports for your server farm and try not to use [any to any] as much as you can.

Also always enable your syslog to a remote local server.

Also you can set a service policy to prevent SYN attacks.

Check your RA policies and prevent the default actions for the VPN accounts.

And lots more to do on the firewall.

HTH

Samer.
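The replies above list the features worth enabling on an ASA (Philip's list and Samer's list) and recommend cleaning out unused objects and any-to-any entries (Marvin and Samer). As an added example, not code from this thread or from Cisco, the Python script below audits a running-config excerpt for exactly those items: it reports which hardening commands are absent, flags `permit ... any any` entries, and finds objects that nothing references. The config text is constructed for the example, the addresses in it and the list of checks are assumptions about what a hardened baseline looks like, and the script matches only literal command lines, so it is a starting point for a config review rather than a compliance tool.

```python
"""Audit a Cisco ASA running-config excerpt for the hardening items the
thread recommends (restricted SSH, uRPF, logging, ICMP inspection, threat
detection, authenticated NTP, SYN-flood limits, IP audit) and for the
clean-up items (unused objects, any-to-any permit entries)."""
import re

# Constructed sample config for this example; not from a real device.
# "ssh version 2" and "ip audit" are deliberately left out so the audit
# has something to report.
SAMPLE_CONFIG = """\
hostname asa-example
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
object network WEB_SRV
 host 192.0.2.10
object-group service WEB_PORTS tcp
 port-object eq 443
object-group service UNUSED_PORTS tcp
 port-object eq 8080
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV object-group WEB_PORTS
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 10
logging enable
logging timestamp
logging trap informational
logging host inside 10.0.0.50
ntp authenticate
ntp server 10.0.0.10 source inside prefer
threat-detection basic-threat
threat-detection statistics
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class class-default
  set connection embryonic-conn-max 1000
  set connection per-client-embryonic-max 100
"""

# Each check is (description, regex that must match at least one line).
# The set of checks is an assumption made for this example.
HARDENING_CHECKS = [
    ("SSH restricted to a management subnet", r"^ssh \d+\.\d+\.\d+\.\d+ \S+ \S+$"),
    ("SSH version 2 enforced", r"^ssh version 2$"),
    ("uRPF on outside interface", r"^ip verify reverse-path interface outside$"),
    ("Logging enabled", r"^logging enable$"),
    ("Remote syslog host configured", r"^logging host \S+ \S+"),
    ("ICMP inspection", r"^\s*inspect icmp$"),
    ("ICMP error inspection", r"^\s*inspect icmp error$"),
    ("Basic threat detection", r"^threat-detection basic-threat$"),
    ("Threat detection statistics", r"^threat-detection statistics"),
    ("NTP server configured", r"^ntp server \S+"),
    ("NTP authentication", r"^ntp authenticate$"),
    ("Embryonic (SYN) connection limit", r"embryonic-conn-max \d+"),
    ("IP audit (basic IPS signatures)", r"^ip audit name "),
]

# Matches the first line of "object network NAME" / "object-group TYPE NAME".
OBJECT_DEF_RE = re.compile(r"^object(?:-group)? \S+ (\S+)")


def missing_hardening(config):
    """Return descriptions of hardening items not present in the config."""
    lines = config.splitlines()
    return [desc for desc, pattern in HARDENING_CHECKS
            if not any(re.search(pattern, ln) for ln in lines)]


def any_any_entries(config):
    """Return ACEs that permit from any source to any destination."""
    return [ln for ln in config.splitlines()
            if re.match(r"^access-list \S+ extended permit \S+ any any\b", ln)]


def unused_objects(config):
    """Return object / object-group names that no non-definition line uses."""
    lines = config.splitlines()
    names = [m.group(1) for ln in lines if (m := OBJECT_DEF_RE.match(ln))]
    return [name for name in names
            if not any(name in ln.split() and not OBJECT_DEF_RE.match(ln)
                       for ln in lines)]


def audit(config):
    """Run all three checks and return the findings keyed by category."""
    return {"missing_hardening": missing_hardening(config),
            "any_any_entries": any_any_entries(config),
            "unused_objects": unused_objects(config)}


if __name__ == "__main__":
    for category, findings in audit(SAMPLE_CONFIG).items():
        print(f"{category}:")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG` with the file contents. On the constructed config it reports the two missing items (SSH version 2, IP audit), the `permit ip any any` entry, and `UNUSED_PORTS` as unreferenced; `WEB_PORTS` and `WEB_SRV` are kept because the first ACE uses them. The regexes are anchored to whole commands so that, for example, `ssh timeout 10` does not satisfy the "SSH restricted" check.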