Configuring Cisco ASA for NetFlow Export via CLI

To display the available file systems on the appliance, use the show file systems privileged EXEC command, as shown in this example :

Switch# show file system

File Systems:

    Size(b)       Free(b)      Type      Flags   Prefixes
* 8238202880   8052273152    disk        rw     disk0: flash:
  31440470016  31296831488   disk        rw     disk1:
       -            -        network     rw     tftp:
       -            -        opaque      rw     system:
       -            -        network     ro     http:
       -            -        network     ro     https:
       -            -        network     rw     scp:
       -            -        network     rw     ftp:
       -            -        network     wo     cluster:
       -            -        stub        ro     cluster_trace:
       -            -        network     rw     smb:

On the second line ("31440470016  31296831488  disk  rw  disk1:"), if the Type column says "Unknown", the USB pen drive inserted is incompatible or has not been formatted with a FAT32 partition.

To see the contents of the USB pen drive inserted into the Cisco ASA hardware, run this command in exec mode :

dir disk1:

Directory of disk1:/

134 -rwx 89837568 10:32:20 Jan 09 2017 asa962-smp-k8.bin
135 -rwx 26053720 10:51:02 Jan 09 2017 asdm-762-150.bin

Here we see two images: one for the system and the second for ASDM. We will now begin the upload process :

Copy them both to flash:

copy disk1: flash:
Source filename []? asa962-smp-k8.bin
Destination filename [asa962-smp-k8.bin]?
Writing file disk0:/asa962-smp-k8.bin
89837568 bytes copied in 28.170 secs (3208484 bytes/sec)

Follow the same procedure for copying the ASDM file.

Set the system image to load on every boot or reload of the hardware :

In "configure terminal" mode, enter this command :

boot system disk0:/asa962-smp-k8.bin

Now reboot the device and let's check whether we are running the upgraded images :

In "exec" mode :

show version

Cisco Adaptive Security Appliance Software Version 9.6(2)

Compiled on Tue 23-Aug-16 18:42 PDT by builders
System image file is "disk0:/asa962-smp-k8.bin"
Config file at boot was “startup-config”

Let’s check the ASDM version the firewall is running :

show asdm image
Device Manager image file, disk0:/asdm-713.bin

We see it is still running the old ASDM image and has not loaded the upgraded one. We need to tell the ASA to load the specific upgraded ASDM image.

Here is the command to do so : In “User” mode :

asdm image disk0:/asdm-762-150.bin

Reboot ASA and check by running command :

show asdm image
Device Manager image file, disk0:/asdm-762-150.bin


All is complete.
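Once the reload is done, the two outputs above are what you compare against the images you intended to install. As an added example (my own script, not from the original post and not Cisco code), the Python below parses show version and show asdm image output and reports any mismatch, so the "still on asdm-713.bin" situation shown above is caught before anyone declares the change complete. The sample outputs are constructed from the listings on this page.

```python
import re

# Sample CLI outputs, constructed from the listings shown above on this page.
SHOW_VERSION = """Cisco Adaptive Security Appliance Software Version 9.6(2)

Compiled on Tue 23-Aug-16 18:42 PDT by builders
System image file is "disk0:/asa962-smp-k8.bin"
Config file at boot was "startup-config"
"""
SHOW_ASDM_IMAGE_BEFORE = "Device Manager image file, disk0:/asdm-713.bin\n"
SHOW_ASDM_IMAGE_AFTER = "Device Manager image file, disk0:/asdm-762-150.bin\n"


def running_images(show_version, show_asdm_image):
    """Extract the software version, booted system image and active ASDM image."""
    ver_m = re.search(r"Software Version (\S+)", show_version)
    sys_m = re.search(r'System image file is "([^"]+)"', show_version)
    asdm_m = re.search(r"Device Manager image file, (\S+)", show_asdm_image)
    return {
        "version": ver_m.group(1) if ver_m else None,
        "system_image": sys_m.group(1) if sys_m else None,
        "asdm_image": asdm_m.group(1) if asdm_m else None,
    }


def verify_upgrade(show_version, show_asdm_image, expected_system, expected_asdm):
    """Return a list of mismatches; an empty list means both intended images are active."""
    got = running_images(show_version, show_asdm_image)
    problems = []
    if got["system_image"] != expected_system:
        problems.append(f"system image is {got['system_image']}, expected {expected_system}")
    if got["asdm_image"] != expected_asdm:
        problems.append(f"ASDM image is {got['asdm_image']}, expected {expected_asdm}")
    return problems


if __name__ == "__main__":
    want_sys, want_asdm = "disk0:/asa962-smp-k8.bin", "disk0:/asdm-762-150.bin"
    for label, asdm_out in (("before asdm image", SHOW_ASDM_IMAGE_BEFORE),
                            ("after asdm image", SHOW_ASDM_IMAGE_AFTER)):
        issues = verify_upgrade(SHOW_VERSION, asdm_out, want_sys, want_asdm)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

Both boot system and asdm image are configuration commands; they only survive a reload once saved with write memory, and a check like this is what tells you the box actually came back on the new images rather than the previous ones.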




Network Security Blocks

On Cisco Pix and ASA Firewalls, there are many different ways to block / drop traffic.

The most obvious way would be to create an Access Control List (ACL) to block traffic from a specific IP address. This method is particularly useful as it lets you control which IP addresses may traverse your network.

Another key method, to drop connections that have already been established, is the shun command. This is a fantastic command which helps to combat a security threat immediately. Using it, you can drop traffic for TCP, UDP or all protocols. See the example below:

For this example I will use the IP address as a threat which needs to be dropped immediately. I will show you a method for dropping specific tcp traffic to followed by dropping any form of traffic to any destination.


Example 1: shun 3389 tcp


This will drop all tcp 3389 connections from to only. To further this, you could be vague and not specify  the port, as below:


Example 2: shun tcp


This will drop all tcp connections from to only.

Example 3 shows how you could utilise this to drop all traffic from the address, regardless of protocol or destination.

Example 3: shun


The reverse / back out of any of the above commands would be to simply place a “no” at the front.

Hope you find this useful!


Source port translation from external tcp 3390 to internal tcp 3389 :

When connecting to RDP on 3390, the connection hits the NAT rule first, which translates the port from 3390 to 3389; from there it hits the ACL "OUTSIDE_access_in" on the translated destination port of tcp 3389.

So tcp 3389 will need to be configured as below on the OUTSIDE rule-set for traffic coming in from the internet.


Network Object :

object network RDP_SERVER_20.4
 nat (MEDIA,OUTSIDE) static interface service tcp 3389 3390

Service Object :

object-group service RDP_SERVER_20.4_tcp_in tcp
 port-object eq 3389

OUTSIDE Access in :

access-list OUTSIDE_access_in extended permit tcp any object RDP_SERVER_20.4 object-group RDP_SERVER_20.4_tcp_in

Using Just a Cisco ASA to Block Specific Websites

Block URLs using REGEX’s

object network CDS_Guest_BT_IP
 description CHG0044382

! Define the websites we wish to block :
regex REG-URL2 ""
regex REG-URL3 ""
regex REG-URL4 ""

! Set a class to match if the Host header has any of the URLs in it :
class-map type inspect http match-any CM-BLOCK-URL
 match request header host regex REG-URL2
 match request header host regex REG-URL3
 match request header host regex REG-URL4

! Identify the traffic that will be subject to this inspection (the class-map only
! matches traffic the ACL permits, so the ACE has to be a permit) :
access-list ACL-HTTP-INSPECT extended permit tcp object CDS_Guest_BT_IP any eq http

! Set a class to match :
class-map CM-BLOCK-HTTP
 match access-list ACL-HTTP-INSPECT

! Create a policy map to drop the connection if it matches the class map :
policy-map type inspect http PM-BLOCK-URL
 class CM-BLOCK-URL
  drop-connection log

! Apply the policy
policy-map global_policy
 class CM-BLOCK-HTTP
  inspect http PM-BLOCK-URL

! service-policy global_policy global

! Identify the 1 URL that will be permitted in :
regex REG-URL1 ""

! Create a class map that matches when the Host header isn't the permitted regex
class-map type inspect http match-all CM-ALLOWED-URLS
 match not request header host regex REG-URL1

! Identify the traffic that will be subject to this inspection
access-list ACL-HTTP-INSPECT extended permit tcp object CDS_Guest_BT_IP any eq http

! Set a class to match :
class-map CM-ALLOW-HTTP
 match access-list ACL-HTTP-INSPECT

! Create the policy map to drop any connection that matched the class map
policy-map type inspect http PM-ALLOW-HTTP
 class CM-ALLOWED-URLS
  drop-connection log

! Apply the Policy
policy-map global_policy
 class CM-ALLOW-HTTP
  inspect http PM-ALLOW-HTTP

! service-policy global_policy global
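The two policies above make opposite decisions from the same kind of Host-header test: CM-BLOCK-URL is match-any over REG-URL2 to REG-URL4 (a block-list), while CM-ALLOWED-URLS is match-all with a single negated REG-URL1 (an allow-list of one). As an added example, not part of the original post and not Cisco code, the Python below models that decision logic so you can check what each policy does to a given Host header before committing the config. The regex strings are constructed stand-ins, since the page leaves them empty.

```python
import re

# Constructed sample patterns standing in for the page's empty "regex REG-URLn" strings.
REGEXES = {
    "REG-URL1": r"intranet\.example\.com",      # the single host the allow policy keeps
    "REG-URL2": r"badsite\.example",
    "REG-URL3": r"\.gambling-example\.net$",
    "REG-URL4": r"^tracker\.",
}


def class_matches(host, criteria, match_type):
    """Evaluate a 'class-map type inspect http' against one Host header value.

    criteria: (regex_name, negated) pairs, one per 'match [not] request header
    host regex NAME' line.  match_type: 'match-any' or 'match-all'.
    """
    if match_type not in ("match-any", "match-all"):
        raise ValueError(f"unknown match type {match_type}")
    results = []
    for name, negated in criteria:
        hit = re.search(REGEXES[name], host) is not None
        results.append(hit != negated)        # 'match not' inverts the test
    return any(results) if match_type == "match-any" else all(results)


# From the config above: CM-BLOCK-URL is match-any over REG-URL2..4 ...
BLOCK_CRITERIA = [("REG-URL2", False), ("REG-URL3", False), ("REG-URL4", False)]
# ... and CM-ALLOWED-URLS is match-all with a single negated REG-URL1.
ALLOW_CRITERIA = [("REG-URL1", True)]


def block_policy_verdict(host):
    """PM-BLOCK-URL: drop-connection when CM-BLOCK-URL matches, otherwise pass."""
    return "drop" if class_matches(host, BLOCK_CRITERIA, "match-any") else "pass"


def allow_policy_verdict(host):
    """PM-ALLOW-HTTP: drop-connection when CM-ALLOWED-URLS matches, which is
    every Host that does NOT match REG-URL1."""
    return "drop" if class_matches(host, ALLOW_CRITERIA, "match-all") else "pass"


if __name__ == "__main__":
    for h in ("www.badsite.example", "intranet.example.com",
              "news.example.org", "tracker.ads.example",
              "intranet.example.com.evil.example"):   # unanchored pattern matches this too
        print(f"{h:36} block-policy={block_policy_verdict(h):4}  allow-policy={allow_policy_verdict(h)}")
```

The last sample host shows why the regex strings deserve care: an unanchored pattern such as intranet\.example\.com also matches intranet.example.com.evil.example, so the allow policy would pass it. Note too that the ACL only selects tcp/80 (eq http), so this inspection never sees HTTPS, where the hostname is not in a cleartext Host header anyway.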

Cisco ASA Multiple Context Mode – Configuring Virtual Firewalls on Same Chassis

A single Cisco ASA appliance can be partitioned into multiple virtual firewalls, also known as "security contexts". Each security context acts as a separate firewall with its own security policy, interfaces and configuration. However, some features are not available for virtual firewalls, such as IPsec and SSL VPN, dynamic routing protocols, multicast and threat detection.

Each security context that you create on the appliance includes its own configuration file (filename.cfg) stored on local flash memory. This configuration file contains the security policy, the included interfaces and the virtual firewall configuration of the specific security context.

By default, an admin context is always created, with the configuration file "admin.cfg". This is just like any other security context, except that when a user logs in to the admin context he has full administrator access to all other security contexts.

When you convert the appliance from single context mode to multiple context mode (using the command "mode multiple"), the firewall converts the current running configuration into two files: a new startup configuration that comprises the system configuration, and "admin.cfg", which comprises the admin context (stored in the root directory of the internal flash memory).

The original running configuration is saved as "old_running.cfg" (in the root directory of the internal flash memory).

Configuring Security Contexts

! Enable multiple context mode
ASA(config)# mode multiple

! Then reboot the appliance.

! Configure the administrator context
ASA(config)# admin-context administrator
ASA(config)# context administrator
ASA(config-ctx)# allocate-interface gigabitethernet0/1.10
ASA(config-ctx)# allocate-interface gigabitethernet0/1.11
ASA(config-ctx)# config-url flash:/admin.cfg


! Configure other contexts as required
ASA(config)# context customerA
ASA(config-ctx)# allocate-interface gigabitethernet0/2.100
ASA(config-ctx)# allocate-interface gigabitethernet0/2.200
ASA(config-ctx)# config-url flash:/customerA.cfg

! Configure other contexts as required
ASA(config)# context customerB
ASA(config-ctx)# allocate-interface gigabitethernet0/2.111
ASA(config-ctx)# allocate-interface gigabitethernet0/2.222
ASA(config-ctx)# config-url flash:/customerB.cfg


To change between the system execution space and a context, or between contexts, see the following commands:

! To change to a context named CustomerA, enter the following command:
ASA# changeto context CustomerA

! The prompt changes to the following:

! To change back to the system execution space, enter the following command:
ASA/CustomerA# changeto system

! The prompt changes to the following:


Summary adding a Context :

System context 5580:

changeto system

context CONTEXT1
allocate-interface GigabitEthernet7/1

changeto context CONTEXT1

interface GigabitEthernet7/1
description Voice Hosting
nameif Voice
security-level 10
ip address #.#.#.#

access-list Voice_access_in extended permit ip any any
mtu Voice 1500
access-group Voice_access_in in interface Voice
route inside #.#.#.# #.#.#.# 1



Cisco ASA NAT Conversion Tool

Do you need to convert ASA 8.2 (and earlier) code to the new ASA 8.3+ code? The NAT statements are entirely different in the new code. During the upgrade the ASA will try to convert it automatically, but this is worthless because it does a horrible job of it. Cisco recommends using auto NAT. This is also bad advice, because auto NAT makes extremely ugly and hard-to-manage code. This conversion tool will convert your NAT statements to the easiest-to-read and -manage code.

Preparing your code

Gather the output from the following commands in your old ASA code:

show run global
show run nat
show run static

If there are any related ACLs in the NAT statements get that configuration also by doing:

show run access-list | include [ACL-NAME]

Paste the output from the commands above into the text area and click convert. You should examine the results to verify the config is accurate.

Privacy Note: None of the data entered into the text area is uploaded to a server. All of the work of this tool is done on the client side. This means it’s safe to enter sensitive data without worrying about it traveling over the internet. You can even connect to this webpage, disconnect from internet and still use the conversion tool without any difference in functionality.


Static NAT Examples:
static (INSIDE,OUTSIDE) netmask
static (DMZ,OUTSIDE) tcp interface 8080 www netmask
static (INSIDE,DMZ) netmask dns
static (INSIDE,DMZ) netmask tcp 255 2000
static (INSIDE,EXT) access-list ACL-NAT2
access-list ACL-NAT2 extended permit ip host

*New* Global+NAT Example:
nat (INSIDE) 1
global (OUTSIDE) 1 interface
nat (INSIDE) 2 access-list ACL-NAT3
global (OUTSIDE) 2 netmask
access-list ACL-NAT3 standard permit host

*New* NAT Zero+ACL Example:
nat (INSIDE) 0 access-list ACL-NONAT
access-list ACL-NONAT extended permit ip host
access-list ACL-NONAT extended permit ip any host
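The tool's own code is not on the page, so as an added example (my own Python, not the tool's and not Cisco's) here is a converter for the subset of 8.2 forms shown above: plain and port-forwarding statics, nat/global pairs, and nat 0 with an ACL. Statics become object (auto) NAT and NAT exemption becomes identity twice NAT, which is the shape the 8.3 upgrade produces for those forms. Addresses are constructed documentation ranges, and the obj-... and pool-... object names are this example's own convention. Policy statics (static ... access-list) and connection limits, which the page also lists, are rejected rather than guessed at.

```python
"""Convert a subset of ASA 8.2 NAT syntax to 8.3+ NAT (added example, not the page's tool)."""
from ipaddress import IPv4Network

HOST_MASK = "255.255.255.255"


def _net(ip, mask):
    return IPv4Network(f"{ip}/{mask}", strict=False)


def _obj_name(ip, mask):
    """Object naming is this example's own convention: obj-<host> or obj-<net>-<prefix>."""
    n = _net(ip, mask)
    return f"obj-{ip}" if n.prefixlen == 32 else f"obj-{n.network_address}-{n.prefixlen}"


def _obj_def(ip, mask):
    n = _net(ip, mask)
    body = f" host {ip}" if n.prefixlen == 32 else f" subnet {n.network_address} {n.netmask}"
    return [f"object network {_obj_name(ip, mask)}", body]


def convert_static(line):
    """'static (real_if,mapped_if) [tcp|udp] MAPPED [MPORT] REAL [RPORT] netmask M [dns]'
    -> object NAT. Policy statics (access-list) and connection limits are not handled."""
    t = line.split()
    real_if, map_if = t[1].strip("()").split(",")
    rest = t[2:]
    if "access-list" in rest or "netmask" not in rest:
        raise ValueError(f"unsupported static form: {line}")
    mask = rest[rest.index("netmask") + 1]
    if rest[0] in ("tcp", "udp"):
        proto, mapped, mport, real, rport = rest[:5]
        nat = f" nat ({real_if},{map_if}) static {mapped} service {proto} {rport} {mport}"
    else:
        mapped, real = rest[:2]
        nat = f" nat ({real_if},{map_if}) static {mapped}"
    if "dns" in rest:
        nat += " dns"
    return _obj_def(real, mask) + [nat]


def convert_dynamic(nat_line, global_line):
    """'nat (real_if) ID REAL M' + 'global (mapped_if) ID interface|IP|FIRST-LAST ...'
    -> object NAT with dynamic PAT to the interface, an inline host, or a range object."""
    n, g = nat_line.split(), global_line.split()
    if n[2] != g[2] or n[2] == "0" or n[3] == "access-list":
        raise ValueError("unsupported nat/global pair")
    real_if, map_if = n[1].strip("()"), g[1].strip("()")
    real, mask = n[3], n[4]
    out = []
    if g[3] == "interface":
        target = "interface"
    elif "-" in g[3]:                      # address pool -> range object, emitted first
        first, last = g[3].split("-")
        target = f"pool-{first}-{last}"
        out += [f"object network {target}", f" range {first} {last}"]
    else:
        target = g[3]                      # single mapped address, written inline
    return out + _obj_def(real, mask) + [f" nat ({real_if},{map_if}) dynamic {target}"]


def _ace_addr(t, i):
    """One address term of an ACE at index i -> (ip, mask, next_index); 'any' -> (None, None, i+1)."""
    if t[i] == "any":
        return None, None, i + 1
    if t[i] == "host":
        return t[i + 1], HOST_MASK, i + 2
    return t[i], t[i + 1], i + 2


def convert_nat0(nat_line, acl_lines):
    """'nat (real_if) 0 access-list NAME' + its ACEs -> one identity (twice) NAT rule per ACE."""
    n = nat_line.split()
    real_if, acl = n[1].strip("()"), n[-1]
    out, seen = [], set()
    for ace in acl_lines:
        t = ace.split()
        if t[:2] != ["access-list", acl]:
            continue
        i = t.index("ip") + 1
        src, smask, i = _ace_addr(t, i)
        dst, dmask, _ = _ace_addr(t, i)
        if src is None:
            raise ValueError(f"source 'any' cannot be exempted: {ace}")
        for ip, mask in ((src, smask), (dst, dmask)):
            if ip and _obj_name(ip, mask) not in seen:
                seen.add(_obj_name(ip, mask))
                out += _obj_def(ip, mask)
        s = _obj_name(src, smask)
        rule = f"nat ({real_if},any) source static {s} {s}"
        if dst:
            d = _obj_name(dst, dmask)
            rule += f" destination static {d} {d}"
        out.append(rule)
    return out


if __name__ == "__main__":
    # Constructed 8.2 input; documentation address ranges, not a real deployment.
    print("\n".join(convert_static("static (INSIDE,OUTSIDE) 203.0.113.10 10.1.1.10 netmask 255.255.255.255")))
    print("\n".join(convert_static("static (DMZ,OUTSIDE) tcp interface 8080 10.2.2.20 www netmask 255.255.255.255")))
    print("\n".join(convert_dynamic("nat (INSIDE) 1 10.1.0.0 255.255.0.0", "global (OUTSIDE) 1 interface")))
    print("\n".join(convert_nat0("nat (INSIDE) 0 access-list ACL-NONAT",
                                 ["access-list ACL-NONAT extended permit ip 10.1.0.0 255.255.0.0 host 192.168.1.5"])))
```

Twice NAT rules are evaluated in order and before object NAT, so keep the identity rules from convert_nat0 at the top of the NAT table, and review every emitted rule against the running config as the page advises rather than pasting the output blind.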


Next Steps

Did you use the tool and was it helpful at all? Did it save you any time at all? Please either donate to the site to show your thanks or comment below to tell me how it worked or what to improve upon. Thanks!


From a 3rd-party company there is a fibre link terminating on interface GigabitEthernet0/2 – RR_VLAB – 192.168.#.100/24.

The IP address of the 3rd party is 192.168.#.5/24.

The 3rd party connects to network 192.168.#.100/24 on interface GigabitEthernet0/2 – RR_VLAB, and from there to interface GigabitEthernet0/3 – DMZ_QUICK – 10.0.#.1/24, to access the server on IP 10.0.#.2.

The 3rd party is coming into the network on interface GigabitEthernet0/2 using these IP network addresses :

We need to translate the incoming network address from the 3rd party to a privately routable address within the RR_VLAB interface network.

All traffic from the 3rd party to the server on the internal network at IP 10.0.#.2 will have its destination address NATed to 192.168.#.101 and further translated to IP 10.0.#.2 of the internal server.

Here is the ASA Configuration :
interface GigabitEthernet0/3
 nameif DMZ_QUICK
 security-level 30
 ip address 10.0.#.1
interface GigabitEthernet0/2
 nameif RR_VLAB
 security-level 10
 ip address 192.168.#.100

Static Nat Translation :
static (DMZ_QUICK,RR_VLAB) 192.168.#.101 10.0.#.2 netmask

Routing Table :
S [1/0] via 192.168.#.5, RR_VLAB
S [1/0] via 192.168.#.5, RR_VLAB
S [1/0] via 192.168.#.5, RR_VLAB
C    192.168.#.0 is directly connected, RR_VLAB


Note : No reverse static NAT translation is configured here. This only applies to 1 way traffic.





Here is the Cisco TAC link explaining this bug on older firmware releases.

show inventory
show controller
show hardware
show module

Unfortunately, these commands don't show the SFPs installed in the module.
The TAC answer was: "This option (show installed transceivers on ASA-IC-4GE-SFP-A) isn't supported through the CLI".

The solution is to upgrade firmware.


How do you throttle Dropbox Traffic?

object-group network DROPBOX_AS19679


access-list ACL_Dropbox extended permit ip object-group Inside object-group DROPBOX_AS19679
access-list ACL_Dropbox extended permit ip object-group DROPBOX_AS19679 object-group Inside

You would also need to define an object-group for your “Inside” address blocks

class-map Class_Dropbox
 match access-list ACL_Dropbox
policy-map Policy_Police
 class Class_Dropbox
  police input 384000
  police output 384000
 class class-default
service-policy Policy_Police interface INSIDE