> Comprehensive Guide: Beginner to Expert — Cisco ASA 5500-X · Firepower FTD · FMC · AnyConnect · Snort IPS 3

Table of Contents

Part 1 — Cisco ASA

1. Introduction & ASA Models
2. Getting Started: CLI & ASDM
3. Interfaces & Security Levels
4. NAT & PAT on ASA
5. ACL & Security Policy
6. Site-to-Site VPN & AnyConnect
7. Active/Standby High Availability

Part 2 — ASA to FTD Migration

8. ASA vs. FTD — Key Differences
9. Migration Process

Part 3 — Cisco Firepower FTD

10. FMC + FTD Architecture
11. Access Control Policies (ACP)
12. IDS/IPS with Snort 3
13. VPN on FTD
14. Monitoring & Events

Part 4 — Advanced Configuration & Security

15. Object Groups & Named Objects
16. Advanced Logging & syslog
17. AAA & RADIUS / Active Directory Authentication
18. Application Inspection — Modular Policy Framework (MPF)
19. Certificate Management & PKI for AnyConnect
20. Troubleshooting — Practical Diagnostics
21. IP Addressing Plan — Multi-Site Enterprise Network
22. Hardening — Cisco ASA & FTD
23. SSL/TLS Decryption Policy (FTD)
24. File Policy & AMP — Malware Blocking (FTD)
25. Identity Policy & Cisco ISE (FTD)
26. FTD High Availability (Active/Standby)

PART 1 — CISCO ASA

1. Introduction & ASA Models

The Cisco ASA (Adaptive Security Appliance) has been the most widely deployed physical firewall in enterprises for over 15 years. It combines stateful firewall, VPN concentrator, and application protection in a single device.

ASA 5500-X Series

> ℹ️ Info — The 5500-X models support the FirePOWER Services (SFR) module, which enables IPS/IDS features without replacing the equipment. This is often the first step toward FTD.

2. Getting Started: CLI & ASDM

The ASA is configured via two interfaces: the CLI (command line interface, recommended for production) and ASDM (Java graphical interface, useful for beginners).

Initial Console Access

! Serial console connection (9600 baud, 8N1)
! Default login: no password

ciscoasa> enable
Password: (blank by default)
ciscoasa# configure terminal
ciscoasa(config)#

CLI Mode Hierarchy

ciscoasa>              ← User EXEC mode (read-only)
ciscoasa# enable       ← Privileged EXEC mode
ciscoasa# conf t       ← Global Configuration mode
ciscoasa(config-if)#   ← Interface mode
ciscoasa(config-crypto-map)# ← Subconfiguration mode

Essential Basic Configuration

! Hostname and domain
ciscoasa(config)# hostname FW-PARIS-01
ciscoasa(config)# domain-name entreprise.local

! Encrypted enable password
ciscoasa(config)# enable password C1sc0S3cur3! encrypted

! Local user with privileges
ciscoasa(config)# username admin privilege 15 password C1sc0@dmin!

! Disable HTTP, enable HTTPS for ASDM
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside
ciscoasa(config)# no http server enable  ! disable clear HTTP

! SSH on management interface
ciscoasa(config)# crypto key generate rsa modulus 2048
ciscoasa(config)# ssh 192.168.1.0 255.255.255.0 inside
ciscoasa(config)# ssh version 2
ciscoasa(config)# aaa authentication ssh console LOCAL

! NTP
ciscoasa(config)# ntp server 192.168.1.10 source inside

! Backup
ciscoasa# write memory

> ⚠️ Warning — Never leave the enable password blank in a production environment. Configure SSH v2 only — SSHv1 is vulnerable.

3. Interfaces & Security Levels

The fundamental concept of the ASA is the security-level (0 to 100). By default, traffic flows freely from higher levels to lower levels and is blocked in the opposite direction.

Security-Level Rules

Security-level 100 (Inside)  →  Can access 50 and 0  ✓
Security-level 50  (DMZ)     →  Can access 0         ✓
Security-level 0   (Outside) →  Cannot access anything    ✗

Interface Configuration

! Outside Interface (WAN)
FW-PARIS-01(config)# interface GigabitEthernet0/0
FW-PARIS-01(config-if)# nameif outside
FW-PARIS-01(config-if)# security-level 0
FW-PARIS-01(config-if)# ip address 203.0.113.1 255.255.255.252
FW-PARIS-01(config-if)# no shutdown
FW-PARIS-01(config-if)# description "ISP Link"

! Inside Interface (LAN)
FW-PARIS-01(config)# interface GigabitEthernet0/1
FW-PARIS-01(config-if)# nameif inside
FW-PARIS-01(config-if)# security-level 100
FW-PARIS-01(config-if)# ip address 192.168.1.1 255.255.255.0
FW-PARIS-01(config-if)# no shutdown

! DMZ Interface
FW-PARIS-01(config)# interface GigabitEthernet0/2
FW-PARIS-01(config-if)# nameif dmz
FW-PARIS-01(config-if)# security-level 50
FW-PARIS-01(config-if)# ip address 10.0.10.1 255.255.255.0
FW-PARIS-01(config-if)# no shutdown

! Verification
FW-PARIS-01# show interface ip brief
FW-PARIS-01# show nameif

> ℹ️ Info — If two interfaces have the same security-level, traffic between them is blocked by default. Use same-security-traffic permit inter-interface to allow it if necessary.

4. NAT & PAT on ASA

The ASA supports several types of NAT. In enterprise environments, dynamic PAT (overload) is primarily used for Internet access, and static NAT is used for servers in the DMZ.

Dynamic NAT (PAT) — Inside to Internet

! Define the LAN network object
FW-PARIS-01(config)# object network LAN_INSIDE
FW-PARIS-01(config-network-object)# subnet 192.168.1.0 255.255.255.0
FW-PARIS-01(config-network-object)# nat (inside,outside) dynamic interface

! Same for internal servers
FW-PARIS-01(config)# object network SERVERS
FW-PARIS-01(config-network-object)# subnet 10.0.20.0 255.255.255.0
FW-PARIS-01(config-network-object)# nat (inside,outside) dynamic interface

Static NAT — Web Server in DMZ

! Expose a DMZ web server on public IP port 443
FW-PARIS-01(config)# object network WEB_SERVER_DMZ
FW-PARIS-01(config-network-object)# host 10.0.10.10
FW-PARIS-01(config-network-object)# nat (dmz,outside) static 203.0.113.5

! Static NAT port forwarding (port 443 only)
FW-PARIS-01(config)# object network WEB_HTTPS
FW-PARIS-01(config-network-object)# host 10.0.10.10
FW-PARIS-01(config-network-object)# nat (dmz,outside) static 203.0.113.5 service tcp 443 443

! Verification
FW-PARIS-01# show nat
FW-PARIS-01# show xlate

> ℹ️ Info — On ASA 8.3+, the NAT syntax has changed (object-based NAT). The commands above are valid for ASA 8.3 and higher — check your version with show version.

5. ACLs & Security Policy

ACLs on ASA filter incoming traffic on an interface. They complement security levels for granular control.

Creating an ACL

! ACL to allow HTTPS from the Internet to the DMZ server
FW-PARIS-01(config)# access-list OUTSIDE_IN extended permit tcp any host 203.0.113.5 eq 443
FW-PARIS-01(config)# access-list OUTSIDE_IN extended permit tcp any host 203.0.113.5 eq 80

! Allow incoming AnyConnect VPN
FW-PARIS-01(config)# access-list OUTSIDE_IN extended permit udp any host 203.0.113.1 eq 443

! Explicitly block everything else (implicit, but logging is good practice)
FW-PARIS-01(config)# access-list OUTSIDE_IN extended deny ip any any log

! Apply the ACL to the outside interface (inbound)
FW-PARIS-01(config)# access-group OUTSIDE_IN in interface outside

ACL between DMZ and Inside

! Allow the DMZ web server to contact the internal database
FW-PARIS-01(config)# access-list DMZ_TO_INSIDE extended permit tcp host 10.0.10.10 host 10.0.20.5 eq 3306
FW-PARIS-01(config)# access-list DMZ_TO_INSIDE extended deny ip any any log
FW-PARIS-01(config)# access-group DMZ_TO_INSIDE in interface dmz

! Verification
FW-PARIS-01# show access-list
FW-PARIS-01# show access-list OUTSIDE_IN

> 🔐 Security — Always end an ACL with an explicit deny ip any any log. This allows blocked packets to be logged, which is essential for auditing and incident detection.

6. Site-to-Site VPN & AnyConnect

The ASA is an excellent VPN hub. It supports site-to-site IPsec to connect sites to each other and AnyConnect SSL VPN for remote work.

Site-to-Site IPsec (IKEv2)

! Phase 1 — IKEv2 Policy
FW-PARIS-01(config)# crypto ikev2 policy 10
FW-PARIS-01(config-ikev2-policy)# encryption aes-256
FW-PARIS-01(config-ikev2-policy)# integrity sha256
FW-PARIS-01(config-ikev2-policy)# group 14
FW-PARIS-01(config-ikev2-policy)# prf sha256
FW-PARIS-01(config-ikev2-policy)# lifetime seconds 86400

! Phase 2 — IPsec Transform Set
FW-PARIS-01(config)# crypto ipsec ikev2 ipsec-proposal PROP-AES256
FW-PARIS-01(config-ipsec-proposal)# protocol esp encryption aes-256
FW-PARIS-01(config-ipsec-proposal)# protocol esp integrity sha-256

! Crypto Map
FW-PARIS-01(config)# crypto map VPN_MAP 10 match address ACL_VPN_LYON
FW-PARIS-01(config)# crypto map VPN_MAP 10 set peer 198.51.100.1
FW-PARIS-01(config)# crypto map VPN_MAP 10 set ikev2 ipsec-proposal PROP-AES256
FW-PARIS-01(config)# crypto map VPN_MAP interface outside

! ACL for relevant traffic (Paris ↔ Lyon)
FW-PARIS-01(config)# access-list ACL_VPN_LYON extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Enable IKEv2 on outside
FW-PARIS-01(config)# crypto ikev2 enable outside

! Verification
FW-PARIS-01# show crypto ikev2 sa
FW-PARIS-01# show crypto ipsec sa

AnyConnect SSL VPN (Remote Work)

! Address pool for VPN clients
FW-PARIS-01(config)# ip local pool VPN_POOL 172.16.10.1-172.16.10.254 mask 255.255.255.0

! Enable AnyConnect
FW-PARIS-01(config)# webvpn
FW-PARIS-01(config-webvpn)# enable outside
FW-PARIS-01(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.x.pkg 1
FW-PARIS-01(config-webvpn)# anyconnect enable

! Group policy
FW-PARIS-01(config)# group-policy GP_ANYCONNECT internal
FW-PARIS-01(config-group-policy)# vpn-tunnel-protocol ssl-client
FW-PARIS-01(config-group-policy)# split-tunnel-policy tunnelspecified
FW-PARIS-01(config-group-policy)# split-tunnel-network-list value ACL_SPLIT

! Tunnel group
FW-PARIS-01(config)# tunnel-group ANYCONNECT_USERS type remote-access
FW-PARIS-01(config-tunnel-general)# address-pool VPN_POOL
FW-PARIS-01(config-tunnel-general)# default-group-policy GP_ANYCONNECT

! Verification
FW-PARIS-01# show vpn-sessiondb anyconnect

> ℹ️ Info — Split tunneling allows VPN clients to send only traffic destined for the internal network through the tunnel; the rest goes directly to the Internet. This reduces the load on the firewall but decreases security control.

7. Active/Standby High Availability

In production, the ASA is always deployed in an Active/Standby pair. If the active node fails, the standby takes over in less than 30 seconds with the same active sessions.

HA Prerequisites

• 2 identical ASAs (same model, same IOS version)
• A dedicated Failover cable (Gi0/3 recommended)
• Distinct IPs per node + shared virtual IP (like CARP on pfSense)

Active Configuration (primary node)

! Enable failover
FW-PARIS-01(config)# failover
FW-PARIS-01(config)# failover lan unit primary
FW-PARIS-01(config)# failover lan interface FAILOVER GigabitEthernet0/3
FW-PARIS-01(config)# failover lan enable
FW-PARIS-01(config)# failover key cisco123secure

! Failover IPs
FW-PARIS-01(config)# failover interface ip FAILOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2

! Standby IPs for each interface
FW-PARIS-01(config)# interface GigabitEthernet0/0
FW-PARIS-01(config-if)# ip address 203.0.113.1 255.255.255.252 standby 203.0.113.2
FW-PARIS-01(config)# interface GigabitEthernet0/1
FW-PARIS-01(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

Standby Configuration (secondary node)

! On the secondary node — minimal configuration
FW-PARIS-02(config)# failover lan unit secondary
FW-PARIS-02(config)# failover lan interface FAILOVER GigabitEthernet0/3
FW-PARIS-02(config)# failover lan enable
FW-PARIS-02(config)# failover key cisco123secure
! The rest of the configuration is automatically synchronized from the primary

! HA Verification
FW-PARIS-01# show failover
FW-PARIS-01# show failover state
! Force a failover (test)
FW-PARIS-01# no failover active

> ✅ Good to know — In Active/Active mode, both ASAs process traffic simultaneously (requires multiple contexts). In Active/Standby mode, only one processes traffic — simpler to operate and recommended for most companies.

PART 2 — ASA → FTD MIGRATION

8. ASA vs. FTD — Fundamental Differences

Migrating from ASA to FTD (Firepower Threat Defense) is a significant paradigm shift. FTD unifies ASA and FirePOWER Services into a single OS managed via FMC (Firepower Management Center).

> ⚠️ Critical Note — FTD does not support all ASA features. Multiple contexts, certain advanced NAT options, and some VPN features are not available on FTD. Audit the ASA configuration before migrating.

9. Migration Process

Cisco provides a free official tool: Cisco Firepower Migration Tool (FMT) that automates the conversion of ASA configurations to FTD.

Migration Steps

1. Audit — Identify the ASA features in use (contexts, VPN, advanced NAT)
2. Export — Export the ASA configuration: more system:running-config > tftp://...
3. Analysis — Use the FMT to analyze incompatibilities
4. Conversion — The FMT generates the equivalent FTD objects, ACLs, and policies
5. Import — Import into FMC and validate manually
6. Test — Validate in a pre-production environment
7. Switchover — Migrate to production with a rollback plan

! ASA features NOT supported on FTD (must be handled manually)
- Multi-context mode
- Botnet Traffic Filter
- Unified Communications (Phone Proxy)
- Certain NAT hairpinning configurations
- TLS proxy
- IOS-based VPN (EasyVPN, DMVPN)

> ⚠️ Warning — Always have a rollback plan in place with the ASA configuration backed up. A failed FTD migration in production can cut off Internet access for the entire company.

PART 3 — CISCO FIREPOWER FTD

10. FMC + FTD Architecture

The FMC (Firepower Management Center) is the centralized brain that manages one or more FTD devices. It provides security policies, signature updates, and network visibility.

FMC Deployment

! FMC is a physical or virtual appliance (VMware/KVM)
! Physical models: FMC 1000, FMC 2500, FMC 4500
! Virtual FMC: FMCv (up to 25 managed FTDs)

! Initial FMC Access
URL: https://<ip_fmc>
Login: admin
Password: Admin123 (change immediately)

! Register an FTD in FMC
On the FTD (CLI):
&gt; configure manager add <ip_fmc> <clé_registration> <ip_ftd>

On FMC: Devices &gt; Device Management &gt; Add Device
- Host: <ip_ftd>
- Registration Key:<même clé="">
- Group: Production

11. Access Control Policies (ACP)

The Access Control Policy replaces the ASA’s ACLs. It is much more powerful: it can filter by application, user, URL, and geolocation in addition to traditional IPs and ports.

Structure of an ACP

FMC > Policies > Access Control > New Policy

Name: ACP_ENTERPRISE
Default Action: Block All Traffic (recommended)

! Rules (order = priority)
Rule 1: Allow_HTTPS_Outbound
  - Source: LAN_NETWORKS
  - Destination: Any
  - Application: SSL, HTTP
  - Action: Allow + Log

Rule 2: Allow_DNS
  - Source: LAN_NETWORKS
  - Destination: DNS_SERVERS
  - Port: DNS (53)
  - Action: Allow

Rule 3: Allow_VPN_AnyConnect
  - Source: Any
  - Destination: FTD_OUTSIDE_IP
  - Port: HTTPS (443)
  - Action: Allow

Rule 4: DMZ_to_DB
  - Source: WEB_SERVER_DMZ
  - Destination: DB_SERVER
  - Port: MySQL (3306)
  - Action: Allow + IPS Inspection

! Default: Block All (log)

> ℹ️ Info — Unlike ASA ACLs, ACP rules can embed IPS inspection (Snort), URL filtering, and application identification directly within the rule. This is the strength of the NGFW.

12. IDS/IPS with Snort 3

FTD natively integrates Snort 3, the world’s most widely used open-source IPS engine. It performs deep traffic analysis and can block attacks in real time.

Configuring an IPS Policy

FMC > Policies > Intrusion > Create Policy

Name: IPS_ENTERPRISE
Base Policy: Balanced Security and Connectivity
  (Connectivity over Security = fewer false positives)
  (Security over Connectivity = stricter)

! Enable in an ACP rule
Rule > Inspection Tab:
  Intrusion Policy: IPS_ENTREPRISE
  Variable Set: Default-Set (adjust the $HOME_NET values)

Critical variables to configure

FMC > Objects > Object Management > Variable Sets

$HOME_NET     = 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
$EXTERNAL_NET = !$HOME_NET
$HTTP_SERVERS = 10.0.10.0/24  (DMZ servers)
$SQL_SERVERS  = 10.0.20.5/32  (DB server)
$DNS_SERVERS  = 192.168.1.10/32

> ⚠️ Warning — As with Suricata on pfSense, start in Detect Only (IDS) mode before switching to Inline (blocking IPS). Analyze false positives for at least 2 weeks before enabling blocking

13. VPN on FTD

FTD supports Site-to-Site IKEv2 and AnyConnect Remote Access VPNs configurable via FMC.

Site-to-Site VPN via FMC

FMC > Devices > VPN > Site To Site > + Topology

Name: VPN_PARIS_LYON
Type: Point to Point
IKE Version: IKEv2

Endpoint A: FTD-PARIS
  - Interface: Outside
  - IP: 203.0.113.1
  - Network: 192.168.1.0/24

Endpoint B: FTD-LYON (or third-party device)
  - IP: 198.51.100.1
  - Network: 192.168.2.0/24

! IKEv2 Settings
Encryption: AES-256
Integrity: SHA-256
PRF: SHA-256
DH Group: 14

! IPsec Settings
Encryption: AES-256-GCM
PFS: Group 14

AnyConnect Remote Access VPN

FMC > Devices > VPN > Remote Access > + New

! Connection Profile
Name: ANYCONNECT_ENTERPRISE
Protocol: SSL + IKEv2

! AAA — Authentication
Authentication: RADIUS / AD via ISE
  (or PKI certificate for MFA)

! Address Pool
IPv4 Pool: 172.16.10.0/24

! Split Tunneling
Traffic destined to: 192.168.0.0/16, 10.0.0.0/8
  → Tunnel
Rest → Direct Internet

! Deploy to FTD-PARIS
Deploy > FTD-PARIS-01

> ℹ️ Info — For maximum security, combine AnyConnect with Cisco ISE (Identity Services Engine) for MFA authentication and posture control (verify that the PC is up to date before authorizing the VPN connection).

14. Monitoring & Events

FMC centralizes all security events. For comprehensive enterprise monitoring, integrate FMC with an external SIEM.

Essential FMC Dashboards

FMC > Overview > Dashboards
  - Summary Dashboard     : overall view of traffic + events
  - Network Dashboard     : top talkers, protocols, geo
  - Threat Dashboard      : intrusions, malware, IOC

FMC > Analysis > Connections > Events
  → Filter: Action = Block, last 24 hours
  → Export CSV for SIEM analysis

FMC > Analysis > Intrusions > Events
  → Sort by Impact Flag (1 = critical)
  → Correlate with internal addresses

Export Syslog to SIEM

FMC > System > Logging > Syslog Servers
  - IP: 10.0.10.50 (SIEM / Graylog)
  - Port: 514 UDP
  - Facility: LOCAL4

! Enable logging on ACP rules
Rule > Logging:
  Log at Beginning: Yes
  Log at End: Yes
  Send Connection Events to: Syslog

15. Object groups & named objects

Why is this essential?

Imagine being asked to find and modify the rule that grants access to the payroll server in an ACL containing 200 lines filled with raw IP addresses like 10.0.20.47. Impossible to read, impossible to audit, and the slightest typo can open a security hole.

Object groups are the solution: we give a human-readable name to each IP, network, or port, then write the ACLs using those names. The result: a rule that says permit tcp any DMZ_SERVERS WEB_PORTS is immediately understandable, even six months later.

Step 1 — Create the individual objects (hosts & subnets)

We start by declaring every server and network that matters in our infrastructure. This is a one-time task, to be done before writing any ACLs.

! ── DMZ SERVERS ──────────────────────────────────────────
FW-PARIS-01(config)# object network WEB_SERVER
FW-PARIS-01(config-network-object)# host 10.0.10.10
FW-PARIS-01(config-network-object)# description "Apache web server - Paris DMZ"

FW-PARIS-01(config)# object network MAIL_SERVER
FW-PARIS-01(config-network-object)# host 10.0.10.11
FW-PARIS-01(config-network-object)# description "Postfix mail server - Paris DMZ"

FW-PARIS-01(config)# object network DNS_SERVER_DMZ
FW-PARIS-01(config-network-object)# host 10.0.10.12
FW-PARIS-01(config-network-object)# description "Public DNS - Paris DMZ"

! ── INTERNAL SERVERS ────────────────────────────────────
FW-PARIS-01(config)# object network DB_SERVER
FW-PARIS-01(config-network-object)# host 10.0.20.5
FW-PARIS-01(config-network-object)# description "MySQL Server - Internal LAN"

FW-PARIS-01(config)# object network AD_SERVER
FW-PARIS-01(config-network-object)# host 192.168.1.10
FW-PARIS-01(config-network-object)# description "AD Domain Controller"

FW-PARIS-01(config)# object network RADIUS_PRIMARY
FW-PARIS-01(config-network-object)# host 192.168.1.50
FW-PARIS-01(config-network-object)# description "Primary NPS/RADIUS Server"

! ── NETWORKS (SUBNETS) ────────────────────────────────────
FW-PARIS-01(config)# object network LAN_PARIS
FW-PARIS-01(config-network-object)# subnet 192.168.1.0 255.255.255.0
FW-PARIS-01(config-network-object)# description "Paris User LAN"

FW-PARIS-01(config)# object network LAN_LYON
FW-PARIS-01(config-network-object)# subnet 192.168.2.0 255.255.255.0
FW-PARIS-01(config-network-object)# description "Lyon User LAN"

FW-PARIS-01(config)# object network DMZ_SUBNET
FW-PARIS-01(config-network-object)# subnet 10.0.10.0 255.255.255.0
FW-PARIS-01(config-network-object)# description "Paris DMZ"

Step 2 — Create service objects (ports)

! Web ports
FW-PARIS-01(config)# object service HTTP
FW-PARIS-01(config-service-object)# service tcp destination eq 80

FW-PARIS-01(config)# object service HTTPS
FW-PARIS-01(config-service-object)# service tcp destination eq 443

FW-PARIS-01(config)# object service SMTP
FW-PARIS-01(config-service-object)# service tcp destination eq 25

FW-PARIS-01(config)# object service SMTPS
FW-PARIS-01(config-service-object)# service tcp destination eq 465

FW-PARIS-01(config)# object service MYSQL_PORT
FW-PARIS-01(config-service-object)# service tcp destination eq 3306

FW-PARIS-01(config)# object service RDP
FW-PARIS-01(config-service-object)# service tcp destination eq 3389

Step 3 — Group into object-groups

An object-group brings together several objects of the same type under a single name. This is where the magic happens.

! ── GROUP: all servers exposed in the DMZ ────────────
FW-PARIS-01(config)# object-group network DMZ_SERVERS
FW-PARIS-01(config-network-object-group)# description "Servers accessible from the Internet"
FW-PARIS-01(config-network-object-group)# network-object host 10.0.10.10
FW-PARIS-01(config-network-object-group)# network-object host 10.0.10.11
FW-PARIS-01(config-network-object-group)# network-object host 10.0.10.12
! → If a new server arrives in the DMZ, add it here.
! → ALL ACLs that use this group are automatically applied
!   to the new server. No oversights.

! ── GROUP: all company sites ──────────────
FW-PARIS-01(config)# object-group network ALL_SITES
FW-PARIS-01(config-network-object-group)# description "All internal LANs (Paris + Lyon + Marseille)"
FW-PARIS-01(config-network-object-group)# network-object 192.168.1.0 255.255.255.0
FW-PARIS-01(config-network-object-group)# network-object 192.168.2.0 255.255.255.0
FW-PARIS-01(config-network-object-group)# network-object 192.168.3.0 255.255.255.0

! ── GROUP: Web ports (HTTP + HTTPS) ────────────────────
FW-PARIS-01(config)# object-group service WEB_PORTS tcp
FW-PARIS-01(config-service-object-group)# description "Standard web ports"
FW-PARIS-01(config-service-object-group)# port-object eq 80
FW-PARIS-01(config-service-object-group)# port-object eq 443
FW-PARIS-01(config-service-object-group)# port-object eq 8080

! ── GROUP: mail ports ───────────────────────────────────
FW-PARIS-01(config)# object-group service MAIL_PORTS tcp
FW-PARIS-01(config-service-object-group)# description "Mail Ports"
FW-PARIS-01(config-service-object-group)# port-object eq 25
FW-PARIS-01(config-service-object-group)# port-object eq 465
FW-PARIS-01(config-service-object-group)# port-object eq 587
FW-PARIS-01(config-service-object-group)# port-object eq 993

Step 4 — Write the ACLs using groups

Compare these two versions, which do exactly the same thing:

! ❌ Version without object groups — impossible to maintain
FW-PARIS-01(config)# access-list OUTSIDE_IN extended permit tcp any host 10.0.10.10 eq 80
FW-PARIS-01(config)# access-list OUTSIDE_IN extended permit tcp any host 10.0.10.10 eq 443
FW-PARIS-01(config)# access-list OUTSIDE_IN extended permit tcp any host 10.0.10.11 eq 80
FW-PARIS-01(config)# access-list OUTSIDE_IN extended permit tcp any host 10.0.10.11 eq 443
FW-PARIS-01(config)# access-list OUTSIDE_IN extended permit tcp any host 10.0.10.11 eq 25
FW-PARIS-01(config)# access-list OUTSIDE_IN extended permit tcp any host 10.0.10.11 eq 465
! ... and so on for each server × each port

! ✅ Version with object groups — readable, maintainable, auditable
FW-PARIS-01(config)# access-list OUTSIDE_IN extended permit tcp any object-group DMZ_SERVERS object-group WEB_PORTS
FW-PARIS-01(config)# access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER object-group MAIL_PORTS
FW-PARIS-01(config)# access-list OUTSIDE_IN extended deny ip any any log

! DMZ → Internal DB traffic (the web server accesses the database)
FW-PARIS-01(config)# access-list DMZ_TO_INSIDE extended permit tcp object WEB_SERVER object DB_SERVER eq 3306
FW-PARIS-01(config)# access-list DMZ_TO_INSIDE extended deny ip any any log

! Apply the ACLs
FW-PARIS-01(config)# access-group OUTSIDE_IN in interface outside
FW-PARIS-01(config)# access-group DMZ_TO_INSIDE in interface dmz

Verification

! List all objects
FW-PARIS-01# show object-group

! Details of a specific group
FW-PARIS-01# show object-group id DMZ_SERVERS

! See how an object is used in ACLs
FW-PARIS-01# show object-group id DMZ_SERVERS | include access-list

! Count hits on each ACL rule
FW-PARIS-01# show access-list OUTSIDE_IN

> ℹ️ Naming convention — In a corporate setting, adopt a convention from the start and never change it. For example: SITE_ROLE_TYPE → PARIS_WEB_HOST, CORP_ADMIN_SUBNET, STD_HTTPS_PORT. A clear convention transforms a 500-line configuration into something readable

16. Advanced Logging & syslog

Why configure logging correctly?

A firewall without usable logs is like a surveillance camera without recording: useless after an incident. In practice, logging serves three purposes: detecting attacks in real time, investigating after an incident, and proving compliance (PCI-DSS and ISO 27001 require a minimum retention period of 90 days).

By default on the ASA, logging is disabled or limited to the local buffer, which is cleared upon reboot. It must be explicitly configured.

The 8 severity levels — which one to choose?

> ⚠️ Golden Rule — In production, use level 6 (informational) to the SIEM. Level 7 (debugging) can overload the firewall’s CPU and cause a service outage.

Step 1 — Configure logging on the ASA

! ── BASIC ACTIVATION ───────────────────────────────────
FW-PARIS-01(config)# logging enable

! Precise timestamp — REQUIRED for log correlation
! Without a timestamp, it is impossible to know when an event occurred
FW-PARIS-01(config)# logging timestamp
FW-PARIS-01(config)# logging device-id hostname
! → Each log line will contain: "FW-PARIS-01: Mar 13 2026 14:32:01 ..."

! ── LOCAL BUFFER (backup if SIEM is unavailable) ──────────
! 1 MB buffer — the most recent logs are retained
FW-PARIS-01(config)# logging buffered informational
FW-PARIS-01(config)# logging buffer-size 1048576

! ── SYSLOG TO EXTERNAL SIEM (Graylog/Splunk) ───────────
! 10.0.10.50 = IP address of your Graylog server on the DMZ
FW-PARIS-01(config)# logging host inside 10.0.10.50
FW-PARIS-01(config)# logging trap informational
! facility 16 = local0 (Cisco convention)
FW-PARIS-01(config)# logging facility 16

! Second syslog destination (redundancy)
FW-PARIS-01(config)# logging host inside 10.0.10.51

! ── LOGGING ON ACLs ──────────────────────────────────
! Without the word "log" at the end, deny rules do not generate any logs !
! interval 1 = log at most once per second (prevents flooding)
FW-PARIS-01(config)# access-list OUTSIDE_IN extended deny ip any any log interval 1

! Also log established connections (useful for audits)
FW-PARIS-01(config)# logging flow-export-v9 enable

! ── DO NOT DO THIS IN PRODUCTION ─────────────────────────────────
! logging console debugging  ← guaranteed CPU saturation
! logging monitor 7          ← same via terminal monitor

Step 2 — Read and interpret the logs

! Display the local buffer (latest logs)
FW-PARIS-01# show logging

! Filter only denied connections
FW-PARIS-01# show logging | include Deny
FW-PARIS-01# show logging | include denied

! Filter by suspicious source IP
FW-PARIS-01# show logging | include 1.2.3.4

! Example of a typical log to know how to read:
! %ASA-4-106023: Deny tcp src outside:1.2.3.4/54321
!   dst inside:192.168.1.100/22 by access-group "OUTSIDE_IN"
!
! Decoding:
! ASA-4     → Level 4 (Warning)
! 106023    → Syslog message ID (available on cisco.com)
! Deny tcp  → protocol denied
! src outside:1.2.3.4/54321 → source: IP:port
! dst inside:192.168.1.100/22 → destination: IP:port
! access-group "OUTSIDE_IN" → the ACL that blocked it

! Clear the local buffer (after analysis)
FW-PARIS-01# clear logging buffer

! View logging statistics
FW-PARIS-01# show logging statistics

Step 3 — Configure Graylog to receive ASA logs (optional)

If you don’t yet have a Graylog server, here are the minimum steps to quickly get one up and running on Ubuntu Server:

# On the Ubuntu server (10.0.10.50)
# 1. Install Java (prerequisite)
sudo apt install -y openjdk-17-jre-headless

# 2. Install MongoDB (Graylog database)
wget -qO - https://www.mongodb.org/static/pgp/server-6.0.asc | sudo apt-key add -
echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" \
  | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list
sudo apt update && sudo apt install -y mongodb-org
sudo systemctl enable --now mongod

# 3. Install OpenSearch (search engine)
# → Follow the official Graylog documentation for the current version

# 4. Install Graylog
wget https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.deb
sudo dpkg -i graylog-5.2-repository_latest.deb
sudo apt update && sudo apt install -y graylog-server

# 5. Configure /etc/graylog/server/server.conf
# password_secret= (generate with: pwgen -N 1 -s 96)
# root_password_sha2= (echo -n "Password" | sha256sum)

# 6. Start Graylog
sudo systemctl enable --now graylog-server
# Web interface available at http://10.0.10.50:9000

# 7. In Graylog: System > Inputs > Launch new input
# Type: Syslog UDP, Port: 514, Bind address: 0.0.0.0
# → ASA logs arrive automatically

> ℹ️ Info — Once Graylog is configured, create automatic alerts: for example, if more than 100 deny messages come from the same IP in less than a minute, it’s likely a port scan. Graylog can send an email or a Slack webhook in real time.

17. AAA & RADIUS / Active Directory Authentication

Why not use local accounts?

By default, administrators log in to the ASA using a local account (username admin password ...). The problem: if 5 admins share this account, it’s impossible to know who did what. If an admin leaves the company, you have to manually change the password on every network device. And if there are 50 switches and firewalls, good luck.

The professional solution: RADIUS + Active Directory. A single location to manage accounts, groups, and permissions. Access is revoked by disabling the AD account, and everything is logged centrally.

Solution Architecture

SSH Admin → ASA → RADIUS (NPS on Windows Server) → Active Directory
                     ↓
              Valid: username in AD?
              Member of the "FW_Admins" group?
              → Access-Accept or Access-Reject

Step 1 — Prepare Active Directory

Before touching the firewall, create the necessary elements in AD.

On the domain controller (Windows Server):

# Open "Active Directory Users and Computers"

# 1. Create an OU dedicated to network accounts
OU: Corp > IT > Network > Firewall_Accounts

# 2. Create the security groups
Group: GRP_FW_ADMINS        → full access to the firewall (privilege 15)
Group: GRP_FW_READONLY      → read-only access (privilege 5)
Group: GRP_VPN_USERS        → authorized to connect via AnyConnect

# 3. Create user accounts
User: fw-admin1   → member of GRP_FW_ADMINS
User: fw-readonly → member of GRP_FW_READONLY
User: john.doe    → member of GRP_VPN_USERS

Step 2 — Install and configure NPS (Windows Server)

NPS (Network Policy Server) is the RADIUS server built into Windows Server. It acts as the link between the ASA and Active Directory.

# On Windows Server (192.168.1.50)
# 1. Install the NPS role
Server Manager > Add Roles and Features
  → Network Policy and Access Services
  → Network Policy Server ✓
  → Click Install

# 2. Open NPS (Network Policy Server) in Administrative Tools

# 3. Register NPS in Active Directory
  Right-click "NPS (Local)" → Register server in Active Directory
  → Confirm: NPS can now read AD attributes

# 4. Register the ASA as a RADIUS client
NPS > RADIUS Clients and Servers > RADIUS Clients > New
  Friendly name:   ASA-FW-PARIS-01
  Address (IP):    192.168.1.1    ← IP of the ASA's inside interface
  Shared secret:   Rad1usS3cr3t! ← same secret as in the ASA configuration
  Confirm:       Rad1usS3cr3t!
  → OK

# Repeat for the Lyon ASA (if applicable)
  Friendly name:   ASA-FW-LYON-01
  Address (IP):    192.168.2.1
  Shared secret:   Rad1usS3cr3t!

Step 3 — Create the NPS policies

Two policies: one for full-access admins, one for read-only admins.

# ── POLICY 1: Full-access admins (privilege 15) ────
NPS > Policies > Network Policies > New

  Name: POLICY_FW_ADMINS
  
  Conditions:
    User Groups: GRP_FW_ADMINS  ← members of this AD group only
    NAS Port Type: Virtual (VTY) ← SSH connections
  
  Access Permission: Access granted ✓
  
  Settings > RADIUS Attributes > Standard:
    Service-Type: Login ✓
  
  Settings > RADIUS Attributes > Vendor Specific > Add:
    Vendor: Cisco
    Attribute: cisco-av-pair
    Value: shell:priv-lvl=15   ← privilege 15 = full access
  
  → Finish

# ── POLICY 2: Read-only Admins (privilege 5) ────────
NPS > Policies > Network Policies > New

  Name: POLICY_FW_READONLY
  
  Conditions:
    User Groups: GRP_FW_READONLY
    NAS Port Type: Virtual (VTY)
  
  Access Permission: Access granted ✓
  
  Settings > RADIUS Attributes > Vendor Specific > Add:
    Vendor: Cisco
    Attribute: cisco-av-pair
    Value: shell:priv-lvl=5    ← privilege 5 = read-only

# ── POLICY 3: Deny everything else ─────────────────
NPS > Policies > Network Policies > New

  Name: POLICY_DENY_ALL
  Conditions: (no specific conditions)
  Access Permission: Access denied ✓
  → This rule catches everything not in the groups above

Step 4 — Configure the ASA on the RADIUS side

Now that NPS is ready, we’ll configure the ASA to use it.

! ── DECLARE THE RADIUS SERVER GROUP ────────────────
FW-PARIS-01(config)# aaa-server RADIUS_CORP protocol radius
FW-PARIS-01(config-aaa-server-group)# accounting-mode simultaneous

! Primary RADIUS server (NPS on Windows Server)
FW-PARIS-01(config)# aaa-server RADIUS_CORP (inside) host 192.168.1.50
FW-PARIS-01(config-aaa-server-host)# key Rad1usS3cr3t!
FW-PARIS-01(config-aaa-server-host)# timeout 10
FW-PARIS-01(config-aaa-server-host)# retry-interval 3

! Secondary RADIUS server (NPS on the secondary DC)
FW-PARIS-01(config)# aaa-server RADIUS_CORP (inside) host 192.168.1.51
FW-PARIS-01(config-aaa-server-host)# key Rad1usS3cr3t!
FW-PARIS-01(config-aaa-server-host)# timeout 10

! ── ENABLE AAA AUTHENTICATION ──────────────────────
! SSH: try RADIUS first, then fallback to LOCAL if RADIUS is unreachable
FW-PARIS-01(config)# aaa authentication ssh console RADIUS_CORP LOCAL

! ASDM WebGUI: same
FW-PARIS-01(config)# aaa authentication http console RADIUS_CORP LOCAL

! Enable password (switch to privileged mode)
FW-PARIS-01(config)# aaa authentication enable console RADIUS_CORP LOCAL

! ── ACCOUNTING: log all admin actions ─────────
! Every command entered is logged in NPS/AD
FW-PARIS-01(config)# aaa accounting command RADIUS_CORP
FW-PARIS-01(config)# aaa accounting ssh console RADIUS_CORP

! ── LOCAL BACKUP ACCOUNT (MANDATORY) ────────────────
! If NPS goes down, this account allows you to regain control
! The password MUST be stored in a secure vault (Passbolt, etc.)
FW-PARIS-01(config)# username fw-breakglass privilege 15 password Br3@kGl@ss2026!

Step 5 — Test Before Validating

Never close your current SSH session before testing! If the RADIUS configuration is incorrect and you close the session, you may find yourself locked out.

! Test from the ASA — without opening a new session
FW-PARIS-01# test aaa-server authentication RADIUS_CORP inside host 192.168.1.50 username fw-admin1 password MyPassword
! Expected result: INFO: Authentication Successful

! Test with an incorrect password — should fail
FW-PARIS-01# test aaa-server authentication RADIUS_CORP inside host 192.168.1.50 username fw-admin1 password wrongpassword
! Expected result: ERROR: Authentication Rejected

! Check the statistics
FW-PARIS-01# show aaa-server RADIUS_CORP
! Look for: Requests Sent, Responses Received, Successes, Errors

! If errors > 0: check the shared secret and UDP 1812 connectivity
FW-PARIS-01# ping inside 192.168.1.50

Step 6 — Configure RADIUS for AnyConnect VPN

! VPN authentication via AD (VPN users authenticate
! with their Windows login)
FW-PARIS-01(config)# tunnel-group ANYCONNECT_USERS general-attributes
FW-PARIS-01(config-tunnel-general)# authentication-server-group RADIUS_CORP
FW-PARIS-01(config-tunnel-general)# accounting-server-group RADIUS_CORP
FW-PARIS-01(config-tunnel-general)# default-group-policy GP_ANYCONNECT

! Authorization: retrieve AD attributes via RADIUS
! (allows assigning different VLANs or ACLs per AD group)
FW-PARIS-01(config-tunnel-general)# authorization-server-group RADIUS_CORP
FW-PARIS-01(config-tunnel-general)# authorization-required

! In NPS, create a VPN_USERS policy:
! Condition: User Groups = GRP_VPN_USERS
! Attribute: Tunnel-Type = Virtual (PPP) or L2TP
! Access: Granted

Common Errors and Solutions

> 🔐 Security — The fw-breakglass account must have a unique, complex password that is different from all others. Store it in a dedicated vault (Passbolt, CyberArk, or even a physically sealed envelope for critical environments). Audit its use: any login with this account must trigger an immediate alert.</même></ip_ftd></ip_ftd></clé_registration></ip_fmc></ip_fmc>

Fig. 17.1 — AAA Architecture: Centralized ASA Authentication via RADIUS and Active Directory

18. Application Inspection — Modular Policy Framework (MPF)

Why Inspect Application Protocols?

A traditional stateful firewall detects that port 53 is open for DNS. But it does not examine whatis in the DNS request. An attacker can use DNS to exfiltrate data from your network (DNS tunneling)—each DNS request contains a piece of encoded data, and the response serves as a return channel. Without application inspection, the ASA lets all of this pass through without batting an eye.

The MPF (Modular Policy Framework) fixes this: it inspects protocol content and can block abnormal behavior.

The 3 building blocks of MPF

class-map      → "what traffic?"  (identify what to inspect)
policy-map     → "what to do?"   (inspect, drop, rate-limit)
service-policy → "where to apply?" (interface or global)

Complete Step-by-Step Configuration

! ── STEP 1: Default Traffic Class ───────────────
! "inspection_default" identifies standard protocols
! This is the class-map provided by Cisco; we use it as-is
FW-PARIS-01(config)# class-map inspection_default
FW-PARIS-01(config-cmap)# match default-inspection-traffic
! This class automatically includes: DNS, FTP, HTTP, SMTP,
! ICMP, SIP, H.323, TFTP, SNMP, SQL*Net, etc.

! ── STEP 2: HTTP Inspection Policy ────────────────
! Create a sub-policy specific to HTTP
FW-PARIS-01(config)# policy-map type inspect http HTTP_STRICT
FW-PARIS-01(config-pmap)# parameters
! Block requests that do not comply with the HTTP RFC
FW-PARIS-01(config-pmap-p)# protocol-violation action drop-connection log
! Limit the size of request bodies (to prevent mass uploads)
FW-PARIS-01(config-pmap-p)# body-match-maximum 8192
! Block URL encodings that bypass ACLs
FW-PARIS-01(config-pmap-p)# no request-method post

! ── STEP 3: DNS Inspection Policy ─────────────────
! Protection against DNS tunneling
FW-PARIS-01(config)# policy-map type inspect dns DNS_STRICT
FW-PARIS-01(config-pmap)# parameters
! Maximum DNS response size: 512 bytes (standard), 4096 with EDNS
! DNS tunneling uses abnormally large responses
FW-PARIS-01(config-pmap-p)# message-length maximum 512
! Block DNS requests to suspicious domains (optional)
FW-PARIS-01(config-pmap-p)# id-randomization

! ── STEP 4: Global policy — put it all together ────────────
FW-PARIS-01(config)# policy-map global_policy
FW-PARIS-01(config-pmap)# class inspection_default
! Inspect FTP — automatically handles active/passive mode
! (without FTP inspection, passive mode does not work through NAT)
FW-PARIS-01(config-pmap-c)# inspect ftp
! Inspect SMTP — blocks dangerous commands (VRFY, EXPN)
FW-PARIS-01(config-pmap-c)# inspect smtp
! Inspect DNS with our strict policy
FW-PARIS-01(config-pmap-c)# inspect dns DNS_STRICT
! Inspect ICMP — allows ICMP responses to pass through the firewall
FW-PARIS-01(config-pmap-c)# inspect icmp
! Inspect HTTP with our strict policy
FW-PARIS-01(config-pmap-c)# inspect http HTTP_STRICT
! Inspect SIP/VoIP if you have IP telephony
FW-PARIS-01(config-pmap-c)# inspect sip
! Inspect NetBIOS/NBSS (Windows file sharing)
FW-PARIS-01(config-pmap-c)# inspect netbios

! ── STEP 5: Apply the policy ─────────────────────
! "global" = applies to all interfaces in both directions
FW-PARIS-01(config)# service-policy global_policy global

! If you want to apply it only to the outside interface:
! FW-PARIS-01(config)# service-policy global_policy interface outside

Verification and Monitoring

! Overview of all active policies
FW-PARIS-01# show service-policy

! HTTP inspection statistics (number of connections, violations)
FW-PARIS-01# show service-policy inspect http

! DNS statistics
FW-PARIS-01# show service-policy inspect dns

! Connections currently being inspected
FW-PARIS-01# show conn detail | include HTTP

! View drops related to inspection
FW-PARIS-01# show asp drop | include inspect

> ℹ️ Real-world example — DNS tunneling — Without DNS inspection, an attacker who has compromised an internal workstation can use DNS queries to exfiltrate 1 file every 30 seconds to an external server, indefinitely, without triggering any standard firewall alerts. The message-length maximum 512 option drastically reduces this risk because DNS tunnels require long responses encoded in base64.

19. Certificate Management & PKI for AnyConnect

Why are self-signed certificates unacceptable in production?

When AnyConnect connects to a firewall with a self-signed certificate, the client sees a security warning. The user clicks "Accept Anyway" — and this is exactly the behavior that man-in-the-middle attacks exploit. If users are accustomed to accepting warnings, a real attacker can easily intercept the VPN.

There are two solutions: an internal Windows CA (free, for managed enterprise fleets) or a public certificate (paid, for access from unmanaged machines).

Option A — Use the internal Windows CA (recommended for enterprises)

Step 1 — Install the CA roles on Windows Server

# On Windows Server (domain controller or dedicated server)
# Server Manager > Add Roles and Features

Roles to install:
  ✓ Active Directory Certificate Services (AD CS)
    → Certification Authority
    → Certificate Enrollment Web Service  ← for SCEP
    → Network Device Enrollment Service (NDES) ← for SCEP on network devices

# During AD CS configuration:
Setup Type:    Enterprise CA (not Standalone)
CA Type:       Root CA (if first CA) or Subordinate CA
Key length:    4096 bits (RSA) or P-384 (ECDSA)
Hash:          SHA-256
CA Name:       CA-ENTREPRISE-PARIS
Validity:      10 years for the Root CA

# Enable IIS if not already done (for SCEP)
Server Manager > Add Roles > Web Server (IIS)

Step 2 — Configure NDES (SCEP intermediary)

NDES is the gateway that allows the ASA to automatically request a certificate via SCEP, without human intervention.

# In Server Manager > AD CS > Configure Active Directory Certificate Services
  ✓ Network Device Enrollment Service

# NDES service account (create in AD):
User: svc-ndes
Group: IIS_IUSRS

# Automatically generated SCEP URL:
# http://ca.entreprise.local/certsrv/mscep/mscep.dll
# → This is the URL we will use in the ASA configuration

# Test SCEP access from a browser:
# http://ca.entreprise.local/certsrv/mscep/mscep.dll?operation=GetCACert
# → Should return the CA certificate (no error)

Step 3 — Configure the ASA to request a certificate via SCEP

! ── GENERATE THE RSA KEY PAIR ────────────────────────
! Do this first — the private key never leaves the ASA
FW-PARIS-01(config)# crypto key generate rsa label RSA_FW_PARIS modulus 2048
! Expected result:
! INFO: The name for the keys will be: RSA_FW_PARIS
! Keypair generation process begin. Please wait...

! ── CREATE THE TRUSTPOINT (certificate profile) ───────────
FW-PARIS-01(config)# crypto ca trustpoint CA_CORP
! URL of the SCEP service on your Windows server
FW-PARIS-01(config-ca-trustpoint)# enrollment url http://ca.entreprise.local/certsrv/mscep/mscep.dll
! Certificate identity (what will appear in the certificate)
FW-PARIS-01(config-ca-trustpoint)# subject-name CN=fw-paris-01.entreprise.local,OU=IT,O=Entreprise,C=FR
! FQDN = firewall DNS name (must match the AnyConnect URL)
FW-PARIS-01(config-ca-trustpoint)# fqdn fw-paris-01.entreprise.local
! Use the RSA key generated above
FW-PARIS-01(config-ca-trustpoint)# keypair RSA_FW_PARIS
! Check for revocation via the Windows CA's CRL
FW-PARIS-01(config-ca-trustpoint)# revocation-check crl

! ── RETRIEVE THE CA ROOT CERTIFICATE ──────────────
! The ASA downloads the CA certificate so it can trust it
FW-PARIS-01(config)# crypto ca authenticate CA_CORP
! The ASA displays the certificate and requests confirmation
! Do you accept this certificate? [yes/no]: yes
! → The root certificate is now stored in the ASA

! ── REQUEST THE CERTIFICATE FOR THE ASA ────────────────────
FW-PARIS-01(config)# crypto ca enroll CA_CORP
! The ASA sends a CSR (Certificate Signing Request) to the CA via SCEP
! Expected result:
! % Start certificate enrollment ..
! % Certificate request successfully submitted.
! % The certificate enrollment is pending approval from the CA.
! (on an Enterprise CA, it is auto-approved)

! ── ASSIGN THE CERTIFICATE TO ANYCONNECT ──────────────────
! The certificate is used to secure VPN connections
FW-PARIS-01(config)# ssl trust-point CA_CORP outside

! ── VERIFICATION ─────────────────────────────────────────
FW-PARIS-01# show crypto ca certificates
! Should display:
! Certificate
!   Status: Available
!   Certificate Serial Number: xxxx
!   Subject Name: CN=fw-paris-01.entreprise.local
!   Validity Date:
!     start date: 13:00:00 UTC Mar 13 2026
!     end   date: 13:00:00 UTC Mar 13 2028
!   Associated Trustpoints: CA_CORP

FW-PARIS-01# show ssl
! Should display: outside: CA_CORP

Step 4 — Distribute the root certificate to client machines

To ensure AnyConnect does not display any alerts, client machines must trust your CA. On an AD domain, this is automatic via GPO.

# On the domain controller:
# Group Policy Management > Default Domain Policy > Edit
# Computer Configuration > Windows Settings > Security Settings
# > Public Key Policies > Trusted Root Certification Authorities
# > Import... → select your CA’s .cer file
# Apply

# Result: all computers in the domain automatically
# trust your CA → AnyConnect displays no alerts

Option B — Import a public certificate (external access)

If users connect with unmanaged devices (personal phones, non-domain PCs), a certificate issued by a recognized public CA (DigiCert, Sectigo, Let's Encrypt) is required.

# ── STEP 1: Generate a CSR on the ASA ─────────────────
FW-PARIS-01(config)# crypto key generate rsa label RSA_PUBLIC_VPN modulus 2048

FW-PARIS-01(config)# crypto ca trustpoint CERT_PUBLIC
FW-PARIS-01(config-ca-trustpoint)# enrollment terminal   ← enter the CSR manually
FW-PARIS-01(config-ca-trustpoint)# subject-name CN=vpn.entreprise.com,O=Company,C=FR
FW-PARIS-01(config-ca-trustpoint)# fqdn vpn.entreprise.com
FW-PARIS-01(config-ca-trustpoint)# keypair RSA_PUBLIC_VPN

! Generate the CSR (Certificate Signing Request)
FW-PARIS-01(config)# crypto ca enroll CERT_PUBLIC
! The ASA displays a block of text beginning with:
! -----BEGIN CERTIFICATE REQUEST-----
! MIICvDCCAaQCAQAwXzELMAkGA1UEBhMCRlIx...
! -----END CERTIFICATE REQUEST-----
! → Copy this block and submit it to your certificate provider

# ── STEP 2: After receiving the certificate (.pfx/.p12) ─
# The provider sends you a .pfx file containing:
# - Your signed certificate
# - The intermediate CA chain
# - Your private key (password-protected)

! Copy the .pfx file to a TFTP server on your internal network
! then import it into the ASA:
FW-PARIS-01(config)# crypto ca import CERT_PUBLIC pkcs12 tftp://192.168.1.10/vpn-cert.pfx
! Enter the passphrase for the PKCS12 file: PFXPassword

! Assign to the outside interface for AnyConnect
FW-PARIS-01(config)# ssl trust-point CERT_PUBLIC outside

! Verify
FW-PARIS-01# show crypto ca certificates CERT_PUBLIC

Monitor certificate expiration

An expired certificate = all VPN users disconnected simultaneously at the time of expiration. This is one of the most embarrassing and preventable service interruptions.

! Check expiration dates
FW-PARIS-01# show crypto ca certificates | include end date

! Example result:
! end date: 13:00:00 UTC Mar 13 2028
! → Create an alert in your SIEM/monitoring system 60 days in advance

! Automatic renewal script (via SCEP, internal CA only)
FW-PARIS-01(config)# crypto ca trustpoint CA_CORP
FW-PARIS-01(config-ca-trustpoint)# auto-enroll 70 regenerate
! → The ASA automatically renews the certificate when 30% of its validity period remains

> 🔐 Security — Never export the ASA’s private key (the crypto ca export command with private key). If an attacker obtains your private key, they can impersonate your VPN and intercept all AnyConnect connections without clients seeing any alerts.

20. Troubleshooting — Practical Diagnostics

Methodology — Never Start at Random

When facing a connectivity issue through the ASA, the approach is always the same, in this order:

1. Does the packet reach the ASA?      → packet-tracer / capture
2. Is it blocked by the ACL?                     → show access-list + packet-tracer
3. Is NAT configured correctly?        → show xlate / show nat
4. Is routing correct?                  → show route
5. Is there an inspection blocking it?         → show asp drop

Tool 1 — packet-tracer (essential)

packet-tracer simulates a packet without actually sending it. It tells you exactly which stage is blocking the packet and why, without affecting production traffic.

! ── SYNTAX ──────────────────────────────────────────────
! packet-tracer input <interface-entrée> <proto> <ip-src> <port-src> <ip-dst><port-dst>

! ── CASE 1: An Internet user cannot reach the web server ──
FW-PARIS-01# packet-tracer input outside tcp 1.2.3.4 12345 203.0.113.5 443

! Typical result if everything is OK:
! Phase 1: ROUTE-LOOKUP        Subtype: Resolve Egress Interface  Result: ALLOW
! Phase 2: ACCESS-LIST         Result: ALLOW  access-group OUTSIDE_IN
! Phase 3: NAT                 Result: ALLOW  static (dmz,outside) 203.0.113.5 → 10.0.10.10
! Phase 4: FLOW-CREATION       Result: ALLOW
! Result: input-interface: outside
!         output-interface: dmz
!         Action: allow

! Result if the ACL blocks:
! Phase 1: ROUTE-LOOKUP        Result: ALLOW
! Phase 2: ACCESS-LIST         Result: DROP   Implicit Rule
! Result: Action: drop  Drop-reason: (acl-drop) Flow is denied by configured rule

! → Immediate diagnosis: the OUTSIDE_IN ACL does not allow this flow
! → Solution: add a permit rule for this traffic

! ── CASE 2: A LAN client cannot access the Internet ────────
FW-PARIS-01# packet-tracer input inside tcp 192.168.1.100 54321 8.8.8.8 443

! If NAT is missing:
! Phase 3: NAT                 Result: DROP
! Drop-reason: (nat-no-xlate-to-pat-pool) Untranslated packet

! → Diagnosis: PAT is not configured for this source network
! → Solution: Check the LAN_PARIS network object + NAT (inside, outside) dynamic interface

! ── CASE 3: AnyConnect VPN fails to establish ──────────────
FW-PARIS-01# packet-tracer input outside tcp 5.6.7.8 12345 203.0.113.1 443

! If this succeeds but the VPN still fails → authentication issue
! → Check: show aaa-server RADIUS_CORP statistics

Tool 2 — packet capture

When packet-tracer isn’t enough (intermittent issue, complex protocol), capture the actual traffic.

! ── CAPTURE TRAFFIC FROM A SUSPECT IP ────────────────
! Start the capture BEFORE reproducing the problem
FW-PARIS-01# capture CAP_DEBUG interface outside match ip host 1.2.3.4 any

! Reproduce the problem (attempt the connection that fails)

! View the capture
FW-PARIS-01# show capture CAP_DEBUG
! Typical result:
!    1: 14:32:01.123456 1.2.3.4.54321 > 203.0.113.5.443: S (SYN)
!    2: 14:32:01.123789 203.0.113.5.443 > 1.2.3.4.54321: S A (SYN-ACK)
!    3: 14:32:01.124012 1.2.3.4.54321 > 203.0.113.5.443: A (ACK)
! → The TCP connection is established correctly on the network side

! If you only see SYN packets without SYN-ACK:
! → The packet arrives but the response does not go out → return routing issue

! ── CAPTURE ON TWO INTERFACES SIMULTANEOUSLY ───────────
! Useful for checking if the packet enters but does not exit
FW-PARIS-01# capture CAP_IN  interface outside match ip host 1.2.3.4 any
FW-PARIS-01# capture CAP_OUT interface dmz    match ip host 10.0.10.10 any
! → If CAP_IN receives the packet but CAP_OUT is empty:
!    the problem is WITHIN the ASA (ACL, NAT, inspection)

! ── EXPORT TO WIRESHARK ──────────────────────────────
! For in-depth analysis with filters and protocol decoding
FW-PARIS-01# copy /pcap capture:CAP_DEBUG tftp://192.168.1.10/debug.pcap
! Open debug.pcap in Wireshark → complete graphical analysis

! ── CLEANUP (always do this afterward) ─────────────────────
FW-PARIS-01# no capture CAP_DEBUG
FW-PARIS-01# no capture CAP_IN
FW-PARIS-01# no capture CAP_OUT

Tool 3 — show asp drop (invisible drops)

asp drop shows the packets that the ASA silently drops without logging them in the ACLs. This is often where mysterious problems hide.

FW-PARIS-01# show asp drop

! Example of revealing results:
! Frame drop:
!   Invalid TCP flags (invalid-tcp-hdr-flags)          452
!   TCP RST/FIN out of order (tcp-rst-fin-ooo)          38
!   Flow is denied by configured rule (acl-drop)       1204
!   No valid adjacency (no-adjacency)                    12  ← routing issue
!   NAT failed (nat-no-xlate-to-pat-pool)                5  ← Missing PAT

! If you see a large number of "acl-drop" entries → check the ACLs
! If "nat-no-xlate" → a source network has no NAT rule
! If "no-adjacency" → incomplete routing table or interface down

! Reset counters after analysis
FW-PARIS-01# clear asp drop

Tool 4 — Common System Diagnostics

! ── CHECK GENERAL STATUS ──────────────────────────────
! Uptime, version, license
FW-PARIS-01# show version

! Interface status (all must be "up up")
FW-PARIS-01# show interface ip brief
! Interface         IP-Address      OK? Method Status Protocol
! GigabitEthernet0/0  203.0.113.1   YES  manual up     up
! GigabitEthernet0/1  192.168.1.1   YES  manual up     up
! GigabitEthernet0/2  10.0.10.1     YES  manual up     up
! If an interface is "down down" → faulty cable or module
! If "up down" → negotiation issue (speed/duplex)

! CPU and memory performance
FW-PARIS-01# show cpu usage
! CPU Usage: 8% 1 sec, 6% 5 sec, 5% 1 min
! If CPU > 80% continuously → possible DDoS attack or debug forgotten

FW-PARIS-01# show memory
! If memory > 90% → possible reboot → investigate connections

! ── ACTIVE CONNECTIONS ────────────────────────────────────
! Total number of connections
FW-PARIS-01# show conn count
! 1842 in use, 8921 most used

! Connections from a specific IP (e.g., a user experiencing issues)
FW-PARIS-01# show conn address 192.168.1.100
! TCP outside 1.2.3.4:443 inside 192.168.1.100:54321, idle 0:00:03, ...

! ── VPN ──────────────────────────────────────────────────
! Summary of active VPN sessions
FW-PARIS-01# show vpn-sessiondb summary
! Sessions: 12 AnyConnect, 3 IPsec LAN-to-LAN

! Details of a specific AnyConnect session
FW-PARIS-01# show vpn-sessiondb anyconnect filter name john.doe@entreprise.local

! Status of IPsec tunnels (site-to-site)
FW-PARIS-01# show crypto ikev2 sa
FW-PARIS-01# show crypto ipsec sa

! ── ACL — COUNTING HITS ───────────────────────────────
! Each rule has a hit counter — useful for determining if a rule is being used
FW-PARIS-01# show access-list OUTSIDE_IN
! access-list OUTSIDE_IN line 1 extended permit tcp any object-group DMZ_SERVERS ...
!   hitcnt=45872    ← this rule has been matched 45,872 times
! access-list OUTSIDE_IN line 2 extended deny ip any any log
!   hitcnt=1247     ← 1,247 connections have been blocked

! If a rule has had hitcnt=0 for days → it may be unnecessary
! Reset the counters to zero to start a new observation
FW-PARIS-01# clear access-list counters OUTSIDE_IN

Quick Troubleshooting Guide — Common Symptoms

> ⚠️ Golden Rule — Never enable debug crypto isakmp 255 or debug crypto ipsec 255 in production without being ready to disable it within 30 seconds. These debug commands generate so much output that they can crash the ASA. Always use undebug all after use.

Fig. 20.1 — Packet-tracer pipeline: identifying the exact phase blocking traffic

21. IP Addressing Plan — Multi-site Enterprise Network

This table is the common reference used throughout the series of guides (Firewall, Routers, Switches). All configuration examples are based on this plan.

> ℹ️ Info — This diagram complies with RFC 1918 for private addresses. The WAN addresses used (203.0.113.x, 198.51.100.x) are RFC 5737 documentation addresses — replace them with your actual ISP IPs in production.

22. Hardening — Cisco ASA & FTD

Essential Hardening Commands

! Password encryption (type 8 = PBKDF2)
FW-PARIS-01(config)# password encryption aes
FW-PARIS-01(config)# key config-key password-encrypt MonMasterKey!

! Mandatory legal banner
FW-PARIS-01(config)# banner login "Access restricted to authorized personnel. Any unauthorized connection is a criminal offense."

! Session timeouts (5 min)
FW-PARIS-01(config)# console timeout 5
FW-PARIS-01(config)# ssh timeout 5

! Disable unnecessary services
FW-PARIS-01(config)# no snmp-server enable traps
FW-PARIS-01(config)# no service tcp-small-servers
FW-PARIS-01(config)# no service udp-small-servers

! Secure SNMPv3
FW-PARIS-01(config)# snmp-server group SNMPV3_GROUP v3 priv
FW-PARIS-01(config)# snmp-server user snmp_admin SNMPV3_GROUP v3 auth sha AuthPass123! priv aes 128 PrivPass456!
FW-PARIS-01(config)# snmp-server host inside 10.0.10.50 version 3 priv snmp_admin

! Overall security check
FW-PARIS-01# show run | include password
FW-PARIS-01# show run | include snmp
FW-PARIS-01# show run | include banner
FW-PARIS-01# show run | include timeout

Fig. 22.1 — Cisco ASA/FTD Hardening Wheel — Reducing the Attack Surface

23. SSL/TLS Decryption Policy (FTD)

HTTPS traffic now accounts for over 90% of web traffic. Without TLS decryption, Snort 3 IPS is blind to this traffic. The SSL Policy allows FTD to inspect encrypted traffic.

How TLS Decryption Works

FMC > Policies > SSL > New Policy

Name: SSL_DECRYPT_POLICY

! Rule 1 — Do not decrypt banking and medical sites
Rule 1: No-Decrypt-Sensitive
  - URL Category: Financial Services, Health and Medicine
  - Action: Do Not Decrypt

! Rule 2 — Do not decrypt OS updates
Rule 2: No-Decrypt-Updates
  - Application: Windows Update, Apple Update
  - Action: Do Not Decrypt

! Rule 3 — Decrypt the rest of the outbound HTTPS traffic
Rule 3: Decrypt-Outbound
  - Source: LAN_NETWORKS
  - Destination: any
  - Port: HTTPS (443)
  - Action: Decrypt (Resign) ← uses the internal CA certificate

! Assign the SSL Policy to the ACP
FMC > Policies > Access Control > Edit ACP
Advanced > SSL Policy: SSL_DECRYPT_POLICY

> ⚠️ Legal Notice — TLS decryption involves intercepting communications. In France, this requires prior notification to users (included in the IT policy) and cannot be applied to personal sessions if they are distinguishable. Consult your DPO before deployment.

24. File Policy & AMP — Malware Blocking (FTD)

The File Policy allows FTD to analyze files in transit and submit them to Cisco AMP (Advanced Malware Protection) for malware detection.

FMC > Policies > Files > New File Policy

Name: FILE_POLICY_ENTREPRISE

! Rule 1 — Block known malicious executables
Rule 1:
  Application Protocol: HTTP, HTTPS (after decryption)
  File Type: Executables (PE, ELF, Mach-O)
  Action: Block Malware
  Store Files: Malware (for forensic analysis)

! Rule 2 — Log PDFs and Office files
Rule 2:
  File Type: PDF, Office Documents
  Action: Detect Files
  Store Files: Malware + Unknown

! Enable in an ACP rule
ACP Rule > Inspection Tab:
  File Policy: FILE_POLICY_ENTREPRISE
  Intrusion Policy: IPS_ENTREPRISE

! Verification in FMC
FMC > Analysis > Files > File Events
FMC > Analysis > Files > Malware Events

25. Identity Policy & Cisco ISE (FTD)

The Identity Policy allows you to associate ACP rules with Active Directory users rather than IP addresses. This is the NGFW feature that truly sets it apart from a traditional firewall.

ISE + FTD Architecture

! ISE collects user identities via:
- Active Directory (Windows login → ISE → FMC)
- 802.1X authentication (switches)
- AnyConnect VPN (ISE as RADIUS)
- ISE captive portal

! FMC > Policies > Identity > New Policy
Name: IDENTITY_POLICY

Rule 1: AD_Authentication
  - Realm: AD_ENTREPRISE (LDAP connection configured)
  - Active Authentication: Kerberos (transparent for Windows)
  - Passive Authentication: User-Agent (ASA)
  - Action: Active Authentication

! Use in ACP rules
ACP Rule:
  Users: AD_FINANCE_GROUP  (instead of an IP address!)
  Destination: FINANCE_SERVERS
  Action: Allow

ACP Rule:
  Users: AD_IT_GROUP
  Destination: any
  Action: Allow + IPS Inspection

! Verification
FMC > Analysis > Users > Active Sessions

> ℹ️ Info — With ISE + FTD, if a user switches workstations, their access rights follow them automatically. No need to update IP-based ACLs—the policy follows the identity, not the machine.

26. FTD High Availability (Active/Standby)

HA on FTD works differently from ASA. It is configured via FMC and not via CLI.

! On FMC: Devices > Device Management > Add High Availability
Type: Firewall High Availability

Primary FTD:   FTD-PARIS-01
Secondary FTD: FTD-PARIS-02

! HA Interfaces
Failover Link: dedicated interface (e.g., Management1/1)
State Link: same interface or dedicated

! HA IPs (configured in FMC)
Primary Failover IP:   10.255.0.1/30
Secondary Failover IP: 10.255.0.2/30

! Standby IPs for each data interface
Outside: Standby IP 203.0.113.2/30
Inside:  Standby IP 192.168.1.2/24
DMZ:     Standby IP 10.0.10.2/24

! Deploy the HA configuration
FMC > Deploy > Deploy All

! Verification from FTD CLI
> show high-availability config
> show high-availability state

> ℹ️ Info — Unlike the ASA, FTD HA configuration is managed entirely via FMC. Do not attempt to configure HA via the FTD CLI — this can desynchronize the FMC. The FMC deployment automatically synchronizes the entire configuration to the secondary node

.Fig. 26.1 — FMC-driven FTD Active/Standby HA Architecture

Cisco®, ASA®, Firepower®, AnyConnect®, FMC®, ISE®, and AMP® are registered trademarks of Cisco Systems, Inc. This tutorial is provided for educational purposes.</interface-entrée>