
Template: Config

Cisco ASA Config/Setup template


logging enable
logging timestamp
logging list LOG level informational
logging list LOG message 106023
logging list LOG message 106100
logging list LOG message 302020
logging list LOG message 302015
logging trap LOG
logging host outside 8.8.8.1
logging class config trap informational

ntp server 10.0.0.200
ntp server 10.0.0.201

ssh timeout 60
ssh version 2
ssh 10.0.0.254 255.255.255.255 outside

enable password mypassword
passwd mypassword

username fw_admin password mypasswd privilege 15

aaa-server ACSServer protocol tacacs+
aaa-server ACSServer (outside) host 10.0.0.100 ACSPass
aaa-server ACSServer (outside) host 10.0.0.101 ACSPass
aaa authentication ssh console ACSServer LOCAL
aaa authentication enable console ACSServer LOCAL


crypto key generate rsa
global (outside) 1 interface
nat (int1) 1 0.0.0.0 0.0.0.0
nat (dmz1) 1 0.0.0.0 0.0.0.0


This leaves setting up the default route and hostname:

route outside 0.0.0.0 0.0.0.0 <Gateway IP> 1

hostname <HostName>



If the firewall is going to be part of an active/passive cluster:

Set up a standby IP on each interface.

Example:
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
Here is the config on the primary and secondary firewalls:

*** Primary Firewall ***

interface Ethernet0/3.1
vlan 100
interface Ethernet0/3.2
vlan 101
failover
failover lan unit primary
failover lan interface fail Ethernet0/3.1
failover polltime unit msec 500 holdtime 2
failover polltime interface msec 500 holdtime 5
failover key myClusterPass
failover replication http
failover link fail Ethernet0/3.1
failover link state Ethernet0/3.2
failover interface ip fail 172.16.99.1 255.255.255.252 standby 172.16.99.2
failover interface ip state 172.16.99.5 255.255.255.252 standby 172.16.99.6
prompt hostname priority state

monitor-interface int1
monitor-interface int2
monitor-interface dmz1
monitor-interface outside
interface Ethernet0/3
no shut



*** Secondary Firewall ***

interface Ethernet0/3.1
vlan 100
interface Ethernet0/3.2
vlan 101
failover
failover lan unit secondary
failover lan interface fail Ethernet0/3.1
failover polltime unit msec 500 holdtime 2
failover polltime interface msec 500 holdtime 5
failover key myClusterPass
failover replication http
failover link fail Ethernet0/3.1
failover link state Ethernet0/3.2
failover interface ip fail 172.16.99.1 255.255.255.252 standby 172.16.99.2
failover interface ip state 172.16.99.5 255.255.255.252 standby 172.16.99.6
interface Ethernet0/3
no shut


