Cisco ASA 5500
You need a tftp server and client to move rules files back and forth.
Login to the shell
Login via telnet. The ASA can use LDAP, so if it talks to your Active Directory Server then your login and password will taken from there.
set enable to turn on privileged commands -- pretty much useless without doing this!
View saved Startup Configuration
Use the show command:
fw-asa-01# show configuration
View the Running Configuration
Normally Running and Startup Configuration should be the same. See below to edit or save the Running Configuration to the Startup.
fw-asa-01# show running-config
Shun or Ban an external host
It's easy to ban a host by IP address:
fw-asa-01# shun A.B.C.D
This is equivalent to the following in Linux iptables:
iptables -I INPUT -j DROP -s A.B.C.D
Save running configuration
Edits to the running configuration must be saved before a reboot:
fw-asa-01# write memory
Copy running configuration to remote server
You can also save the configuration to a TFTP server:
fw-asa-01# write net 192.168.1.55:running-config
Load running configuration from a remote serve
Most of the instructions out there show you how to load a new running-config using a command like this:
fw-asa-01# copy tftp://192.168.1.55/running running-config
The problem is that this actually merges your file with the current running-config. That works fine when you don't have a running-config already defined. This is useless if you are trying to edit and update existing firewall rules. If you try to merge with an existing complex running-config you will get a lot of errors like this:
ERROR: DNS Duplicate server address activedirectory01 ERROR: DNS Duplicate server address 192.168.1.2 Adding obj (port-object eq pop3) to grp (mail) failed; object already exists Adding obj (port-object eq imap4) to grp (mail) failed; object already exists Adding obj (port-object eq smtp) to grp (mail) failed; object already exists Adding obj (port-object eq ssh) to grp (Roothack) failed; object already exists Adding obj (port-object eq www) to grp (Roothack) failed; object already exists
The trick is to copy your new rules over the startup-config and then restart the ASA. This seems stupid because then you can't load and test new rules without being able to revert to a working state if something goes wrong.
copy tftp://192.168.2.69/running-config2 startup-config reload
TFTP Note for Ubuntu
To move the configuration on and off the firewall you will need a Trivial FTP server. On Ubuntu, install tftpd-hpa:
apt-get -q -y install tftpd-hpa
Edit configuration (vim /etc/default/tftpd-hpa) to something like this:
#Defaults for tftpd-hpa RUN_DAEMON="yes" # The -c option allows clients to write files. # Files are read and written from /tmp. OPTIONS="-c -l -s /tmp"
Start the TFTP server:
Now you can get and put files to /tmp. When you are done with the server you should shut it down: