
Harden Cisco ASA Firewall – Best Practice

Ziaul / ASA, Network Security / Firewall-Security

Cisco ASA is a security appliance that combines a stateful firewall, intrusion prevention, virtual private network (VPN) termination and other security features in one device. It is deployed as the perimeter security solution for both small and large networks. The config snippets below harden the appliance itself; placeholders in angle brackets (for example <interface_name>) are values to fill in for your environment.

Clear existing configuration (for a new deployment only):

!
write erase
reload
!

Enforce password complexity:

!
password-policy minimum-length 8
password-policy minimum-changes 1
password-policy minimum-uppercase 1
password-policy minimum-lowercase 1
password-policy minimum-special 1
password-policy minimum-numeric 1
password-policy authenticate-enable
!

Configure authenticated NTP:

!
clock timezone GMT <hours_offset>
ntp authenticate
ntp trusted-key <key_id>
ntp authentication-key <key_id> md5 <passphrase>
ntp server <ip_address> [key <key_id>] [source <interface_name>] [prefer]
!

Disable password recovery:

!
no service password-recovery
!

Enable Secure Copy:

!
ssh scopy enable
copy scp://username@192.168.11.100//home/username/x flash:
!

Control which hosts can ping the interfaces:

!
icmp {permit | deny} {any | host <ip_address> | <ip_address> <mask>} [<icmp_type>] <interface_name>
!

Restrict HTTPS (ASDM) management access:

!
http server enable <port>
http <remote_ip_address> <remote_subnet_mask> <interface_name>
!

Secure SSL/TLS negotiation:

!
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high
ssl dh-group group24
ssl ecdh-group group19
!

Enable SSH (version 2 only, restricted to management hosts):

!
hostname <device_hostname>
domain-name <domain_name>
crypto key generate rsa modulus 2048
ssh <remote_ip_address> <remote_subnet_mask> <interface_name>
ssh version 2
ssh key-exchange group dh-group14-sha1
!

Idle timeout for login sessions (minutes):

!
console timeout 10
ssh timeout 10
!

AAA and password management (TACACS+ first, local accounts as fallback):

!
username <local_username> password <local_password> privilege 15
enable password <enable_password>
!
aaa-server TACACS-SVR protocol tacacs+
 reactivation-mode timed
 max-failed-attempts 3
aaa-server TACACS-SVR (<interface_name>) host <tacacs_server_ip>
 timeout 3
 key <shared_secret>
!
aaa authentication http console TACACS-SVR LOCAL
aaa authentication ssh console TACACS-SVR LOCAL
aaa authentication enable console TACACS-SVR LOCAL
aaa authentication serial console LOCAL
aaa authentication login-history duration 365
aaa local authentication attempts max-fail 5
!

Disable the DHCP service if it is not required:

!
no dhcpd enable <interface_name>
clear configure dhcpd
!

Control-plane access-list (filters traffic addressed to the appliance itself):

!
access-group <acl_name> in interface <interface_name> control-plane
!

Disable access-list bypass for VPN traffic:

!
no sysopt connection permit-vpn
!

Configure DNS Guard:

!
dns-guard
!

Configure Unicast Reverse-Path Forwarding (anti-spoofing):

!
ip verify reverse-path interface <interface_name>
!

Configure logging (buffered locally and sent to a syslog host; console and monitor logging off):

!
logging enable
logging standby
logging timestamp
logging device-id hostname
logging buffered informational
logging buffer-size 128000
logging host <interface_name> <ip_address> [tcp[/port] | udp[/port]]
logging trap informational
logging asdm informational
logging permit-hostdown
no logging console
no logging monitor
!
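With the logging settings above the ASA sends each event as a syslog line carrying a timestamp, the device hostname and a %ASA-severity-message_id tag. The parser below is an added example (not code from the original post or from Cisco) that reads such lines from a collector and tallies the two events a defender usually triages first: ACL denies per source address (message 106023) and rejected AAA logins (message 113005). The header layout (timestamp, hostname, colon) is assumed; the sample lines, hostnames and addresses are constructed for the demonstration.

```python
"""Summarise ASA syslog output produced by the logging configuration above."""
import re
from collections import Counter

# Constructed sample of what a syslog collector receives (documentation IP ranges).
SAMPLE_LOG = """\
Mar 03 2024 10:15:01 fw-edge : %ASA-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:10.0.0.50/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar 03 2024 10:15:02 fw-edge : %ASA-4-106023: Deny tcp src outside:203.0.113.7/51235 dst inside:10.0.0.50/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar 03 2024 10:15:05 fw-edge : %ASA-6-302013: Built inbound TCP connection 8841 for outside:198.51.100.9/40001 (198.51.100.9/40001) to inside:10.0.0.50/443 (10.0.0.50/443)
Mar 03 2024 10:15:09 fw-edge : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.10 : user = admin : user IP = 203.0.113.7
Mar 03 2024 10:15:11 fw-edge : %ASA-4-106023: Deny udp src outside:192.0.2.44/5353 dst inside:10.0.0.50/161 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar 03 2024 10:15:20 fw-edge : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.10 : user = admin : user IP = 203.0.113.7
"""

# Assumed header form: "<Mon DD [YYYY] HH:MM:SS> <hostname> : %ASA-<sev>-<id>: <message>"
TAG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} (?:\d{4} )?\d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<msg>.*)$")
# Body of message 106023 (ACL deny).
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src [\w-]+:(?P<src>[\d.]+)/\d+ dst [\w-]+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
# Body of message 113005 (AAA authentication rejected).
REJECT_RE = re.compile(r"user = (?P<user>\S+) : user IP = (?P<ip>[\d.]+)")


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not an ASA line."""
    m = TAG_RE.match(line)
    return m.groupdict() if m else None


def summarise(text):
    """Count ACL denies by source address and rejected logins by (user, source IP)."""
    denies, rejects, unparsed = Counter(), Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["msgid"] == "106023":
            d = DENY_RE.search(rec["msg"])
            if d:
                denies[d["src"]] += 1
        elif rec["msgid"] == "113005":
            r = REJECT_RE.search(rec["msg"])
            if r:
                rejects[(r["user"], r["ip"])] += 1
    return {"denies_by_src": dict(denies),
            "rejected_logins": dict(rejects),
            "unparsed": unparsed}


def repeated_login_failures(summary, threshold=3):
    """(user, ip) pairs whose rejected-login count reached the threshold."""
    return [pair for pair, n in summary["rejected_logins"].items() if n >= threshold]


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print("ACL denies by source:", s["denies_by_src"])
    print("rejected logins:", s["rejected_logins"])
    print("repeated failures:", repeated_login_failures(s, threshold=2))
```

Lines the parser does not recognise are counted rather than dropped, so a change in the collector's header format shows up as a rising unparsed count instead of silently empty results.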

Configure SNMPv3 (authentication and encryption) for monitoring:

!
snmp-server enable
!
snmp-server group GR-MONITORING v3 priv
snmp-server user <username> GR-MONITORING v3 auth sha <auth_password> priv aes 128 <priv_password>
!
snmp-server host <interface> <ip> <mask> poll version 3 <username>
!
snmp-server location <text>
!
snmp-server contact <text>
!

Enable ICMP inspection:

!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!

Enable login, ASDM and MOTD banners:

!
banner login ################################################
banner login # UNAUTHORISED ACCESS OR USE OF THIS EQUIPMENT #
banner login # IS PROHIBITED AND CONSTITUTES AN OFFENCE #
banner login # UNDER THE COMPUTER MISUSE ACT 1990. IF YOU #
banner login # ARE NOT AUTHORISED TO USE THIS SYSTEM, #
banner login # TERMINATE THIS SESSION NOW. #
banner login ################################################
banner login All activities performed on this system may be
banner login logged, and violations of this policy may result in
banner login disciplinary action, and may be reported to law enforcement.
banner login Use of this system shall constitute consent to monitoring.
banner login ************************************************************
!
banner asdm ################################################
banner asdm # UNAUTHORISED ACCESS OR USE OF THIS EQUIPMENT #
banner asdm # IS PROHIBITED AND CONSTITUTES AN OFFENCE #
banner asdm # UNDER THE COMPUTER MISUSE ACT 1990. IF YOU #
banner asdm # ARE NOT AUTHORISED TO USE THIS SYSTEM, #
banner asdm # TERMINATE THIS SESSION NOW. #
banner asdm ################################################
banner asdm All activities performed on this system may be
banner asdm logged, and violations of this policy may result in
banner asdm disciplinary action, and may be reported to law enforcement.
banner asdm Use of this system shall constitute consent to monitoring.
banner asdm ************************************************************
!
banner motd ************************************************************
banner motd ################# AUTHORISED ACCESS ONLY! #################
banner motd If you are not an authorised user, disconnect IMMEDIATELY!
banner motd All connections are monitored and recorded.
banner motd ************************************************************
!

Save the configuration:

!
write memory
!

A few points to keep in mind:

  • Use secure protocols where possible, such as SCP instead of FTP or TFTP
  • Permit as little as possible between interfaces: restrict both the IP addresses and the ports allowed by each ACL
  • Add an explicit deny any at the end of every interface ACL
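The snippets above are a checklist, and the natural next step is to verify a device against it. The script below is an added example (not code from the original post or from Cisco) that takes the text of `show running-config` and reports which hardening commands from this post are missing, which settings the post says to remove are still present, and which interface-bound ACLs lack the explicit deny recommended in the last point. The sample config, hostnames, addresses and ACL names are constructed for the demonstration; the patterns encode the exact commands shown above and should be extended for your own baseline.

```python
"""Audit a Cisco ASA running-config against the hardening checklist above."""
import re

# Commands expected in the running-config: (finding label, whole-line pattern).
REQUIRED = [
    ("password policy minimum length of at least 8",
     r"^password-policy minimum-length (?:[89]|[1-9]\d+)$"),
    ("NTP authentication", r"^ntp authenticate$"),
    ("password recovery disabled", r"^no service password-recovery$"),
    ("SSH version 2 only", r"^ssh version 2$"),
    ("TLS 1.2 minimum for the SSL server", r"^ssl server-version tlsv1\.2$"),
    ("ICMP to the appliance restricted", r"^icmp (?:permit|deny) "),
    ("syslog timestamps", r"^logging timestamp$"),
    ("remote syslog host", r"^logging host \S+ \S+"),
    ("unicast RPF on at least one interface", r"^ip verify reverse-path interface "),
    ("VPN traffic subject to interface ACLs", r"^no sysopt connection permit-vpn$"),
    ("login banner", r"^banner login "),
]

# Settings that should not be present on a hardened device.
FORBIDDEN = [
    ("SNMP v1/v2c community string", r"^snmp-server community "),
    ("telnet management access", r"^telnet \d"),
    ("DHCP server enabled", r"^dhcpd enable "),
]

ACL_BIND_RE = re.compile(r"^access-group (\S+) in interface \S+")
EXPLICIT_DENY_RE = re.compile(
    r"^access-list (\S+) extended deny ip any[46]? any[46]?(?:\s+log\b.*)?$")


def config_lines(text):
    """Config lines with indentation, comment/prompt lines and blank lines removed."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith(("!", ":"))]


def acls_without_explicit_deny(lines):
    """Interface-bound ACLs whose final extended ACE is not 'deny ip any any'."""
    bound = [m.group(1) for ln in lines if (m := ACL_BIND_RE.match(ln))]
    flagged = []
    for name in bound:
        aces = [ln for ln in lines if ln.startswith(f"access-list {name} extended ")]
        last = aces[-1] if aces else ""
        if not EXPLICIT_DENY_RE.match(last):
            flagged.append(name)
    return flagged


def audit(text):
    """Run every check; empty lists mean the config matches the checklist."""
    lines = config_lines(text)
    missing = [label for label, pat in REQUIRED
               if not any(re.match(pat, ln) for ln in lines)]
    forbidden = [label for label, pat in FORBIDDEN
                 if any(re.match(pat, ln) for ln in lines)]
    return {"missing": missing,
            "forbidden": forbidden,
            "acl_without_explicit_deny": acls_without_explicit_deny(lines)}


# Constructed sample running-config: partly hardened, with a few gaps left in.
SAMPLE_CONFIG = """\
: Saved
hostname fw-edge
password-policy minimum-length 12
ntp authenticate
ntp server 10.0.0.5 key 1
no service password-recovery
ssh 10.0.0.0 255.255.255.0 inside
ssh version 2
ssl server-version tlsv1.2
logging enable
logging timestamp
logging host inside 10.0.0.20
ip verify reverse-path interface outside
banner login Authorised access only
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.50 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-list INSIDE_OUT remark allow the LAN out
access-list INSIDE_OUT extended permit ip 10.0.0.0 255.255.255.0 any
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
snmp-server community public
dhcpd enable inside
"""

if __name__ == "__main__":
    for key, items in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {items or 'none'}")
```

Run it against a saved copy of the running-config before and after applying the snippets; the three lists should be empty afterwards. The `acl_without_explicit_deny` check only looks at ACLs actually bound to an interface with `access-group`, since an unbound ACL does not filter traffic.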
