====== Cisco ASA ======
Info on the ancient, but ubiquitous, Cisco ASA.

----

===== Clear User Sessions =====
  * [[https://www.tunnelsup.com/how-to-show-and-clear-user-sessions-on-a-cisco-asa/|How to Show and Clear User Sessions on a Cisco ASA]]

Check how many SSH sessions are in use against the limit, list them, then disconnect one by the session ID that ''show ssh sessions'' prints (3 here):

<code>
show resource usage resource ssh
show ssh sessions
ssh disconnect 3
</code>

----

===== Cisco ASA Order of Operation =====
  * [[https://www.tunnelsup.com/cisco-asa-order-of-operation/|Cisco ASA Order of Operation]] - Tunnels UP
  * [[https://community.cisco.com/t5/network-security/order-of-operation-asa/td-p/2668695|Order of operation ASA]] - Cisco forum

----

===== ASDM =====
  * ASDM - Once upon a time on a new Windows machine, ASDM wouldn't connect to anything; I'd get connection errors for everything. I finally got it working by disabling "Automatically detect settings" in Settings > Network & Internet > Proxy.

===== show and logoff AnyConnect users =====
<code>
sh vpn-sessiondb anyconnect filter name USERNAME
vpn-sessiondb logoff name USERNAME
</code>

===== ASDM "this app can't run on your PC" - Windows 10 =====
  * 2021-07-21: Quick Add - Fix this...
  * https://community.cisco.com/t5/network-security/asdm-quot-this-app-can-t-run-on-your-pc-quot-windows-10/td-p/3782580
  * In Start > Cisco ASDM-IDM Launcher, right-click the launcher and go to More > Open file location.
  * You'll then be looking at the shortcut to the ASDM launcher; right-click it, go to Properties and look at the Target. You'll see a long path to wscript.exe - change this to C:\Windows\System32\wscript.exe (leave the invisible.vbs run.bat on the end, as these scripts are what actually open ASDM). After changing this I was able to launch ASDM fine.

===== Apply ACL via CLI =====
To block inbound traffic that would flow //through// the firewall (an interface ACL on outside)...

<code>
access-list OUTSIDE_INBOUND extended deny ip host 192.0.2.99 any log
access-list OUTSIDE_INBOUND extended permit ip any any
access-group OUTSIDE_INBOUND in interface outside
</code>

To block inbound traffic addressed //to// the firewall itself (SSH, ASDM, AnyConnect on the outside address), the ACL has to be bound to the control plane instead...

<code>
access-list CP_OUTSIDE_INBOUND extended deny ip host 192.0.2.99 any log
access-list CP_OUTSIDE_INBOUND extended permit ip any any
access-group CP_OUTSIDE_INBOUND in interface outside control-plane
</code>

The upper one will not block someone trying to log in to AnyConnect, while the lower one will. Two caveats: ASA ACLs are first-match, so the deny must sit above the permit (adding an entry to an ACL that already exists appends it at the bottom unless you give it a ''line'' number), and ''permit ip any any'' here only stands in for whatever the existing policy is; don't add it to a real outside ACL. ''no access-group CP_OUTSIDE_INBOUND in interface outside control-plane'' unbinds the control-plane ACL again.
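To make the through-the-box versus to-the-box distinction concrete, here is an added Python model of ASA ACL evaluation (example code written for this page; it is not ASA software and not the page author's). It replays the two snippets above against a simulated packet from 192.0.2.99 and also shows the ordering pitfall. The outside interface address 203.0.113.1, the inside server 10.0.0.10 and the second blocked host 198.51.100.7 are assumed values for the demo; only the ACE syntax the page itself uses is parsed.

```python
"""Added example (not ASA code, not the page author's): a model of ASA first-match
ACL evaluation showing why the page's interface ACL does not see AnyConnect logins
but the control-plane ACL does.  Assumed values: 203.0.113.1 (ASA outside address),
10.0.0.10 (inside server), 198.51.100.7 (second blocked host); 192.0.2.99 is the page's."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

OUTSIDE_IP = ipaddress.ip_address("203.0.113.1")   # assumed ASA 'outside' address


def _addr(t, i):
    """Consume one address spec at t[i]: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, proto, src, dst):
        return (self.proto in ("ip", proto) and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


@dataclass
class Asa:
    acls: dict = field(default_factory=dict)   # ACL name -> [Ace, ...] in order
    through_acl: Optional[str] = None          # bound with 'in interface outside'
    control_plane_acl: Optional[str] = None    # bound with '... control-plane'

    def configure(self, cmd):
        """Accept the access-list / [no] access-group forms used on the page."""
        t = cmd.split()
        if t[0] == "access-list":
            name, i, line = t[1], 2, None
            if t[i] == "line":                 # 'line N' inserts at N; otherwise append
                line, i = int(t[i + 1]), i + 2
            action, proto, i = t[i + 1], t[i + 2], i + 3   # t[i] is 'extended'
            src, i = _addr(t, i)
            dst, i = _addr(t, i)               # anything after dst (e.g. 'log') is ignored
            acl = self.acls.setdefault(name, [])
            acl.insert(len(acl) if line is None else line - 1, Ace(action, proto, src, dst))
        elif t[0] in ("access-group", "no"):   # [no] access-group NAME in interface outside [control-plane]
            attr = "control_plane_acl" if t[-1] == "control-plane" else "through_acl"
            setattr(self, attr, None if t[0] == "no" else t[1])
        else:
            raise ValueError(f"unsupported command: {cmd}")

    def _walk(self, name, proto, src, dst):
        """First match wins; every ASA ACL ends in an implicit deny."""
        for n, ace in enumerate(self.acls.get(name, []), start=1):
            if ace.matches(proto, src, dst):
                return ace.action, f"{name} line {n}"
        return "deny", f"{name} implicit deny"

    def inbound(self, proto, src, dst):
        """Verdict for a packet arriving on 'outside', as (action, reason)."""
        if ipaddress.ip_address(dst) == OUTSIDE_IP:        # to-the-box: SSH, ASDM, AnyConnect
            if self.control_plane_acl is None:
                return "permit", "to-the-box traffic is not checked by the interface ACL"
            return self._walk(self.control_plane_acl, proto, src, dst)
        if self.through_acl is None:                        # lower -> higher security level
            return "deny", "no interface ACL bound; inbound from outside denied by default"
        return self._walk(self.through_acl, proto, src, dst)


def demo():
    """Replay the page's two snippets plus the ordering pitfall; returns verdicts."""
    asa, out, box = Asa(), {}, str(OUTSIDE_IP)
    for cmd in ("access-list OUTSIDE_INBOUND extended deny ip host 192.0.2.99 any log",
                "access-list OUTSIDE_INBOUND extended permit ip any any",
                "access-group OUTSIDE_INBOUND in interface outside"):
        asa.configure(cmd)
    out["through: 192.0.2.99 -> inside server"] = asa.inbound("tcp", "192.0.2.99", "10.0.0.10")
    out["to-box: AnyConnect, interface ACL only"] = asa.inbound("tcp", "192.0.2.99", box)
    for cmd in ("access-list CP_OUTSIDE_INBOUND extended deny ip host 192.0.2.99 any log",
                "access-list CP_OUTSIDE_INBOUND extended permit ip any any",
                "access-group CP_OUTSIDE_INBOUND in interface outside control-plane"):
        asa.configure(cmd)
    out["to-box: AnyConnect, control-plane ACL"] = asa.inbound("tcp", "192.0.2.99", box)
    # Pitfall: a deny appended below 'permit ip any any' is never reached ...
    asa.configure("access-list CP_OUTSIDE_INBOUND extended deny ip host 198.51.100.7 any log")
    out["appended deny (shadowed)"] = asa.inbound("tcp", "198.51.100.7", box)
    # ... so insert it above the permit with 'line N'.
    asa.configure("access-list CP_OUTSIDE_INBOUND line 1 extended deny ip host 198.51.100.7 any log")
    out["deny inserted at line 1"] = asa.inbound("tcp", "198.51.100.7", box)
    # 'no access-group' unbinds the ACL, so to-the-box traffic is open again.
    asa.configure("no access-group CP_OUTSIDE_INBOUND in interface outside control-plane")
    out["after no access-group"] = asa.inbound("tcp", "192.0.2.99", box)
    return out
```

Print ''demo()'' to see each verdict with the ACL line that decided it: the interface ACL denies 192.0.2.99 reaching the inside server but never looks at its AnyConnect attempt, the control-plane ACL denies that attempt, the deny appended under ''permit ip any any'' is shadowed until it is inserted at line 1, and ''no access-group'' reopens to-the-box traffic. The model keeps only what the page's snippets need (no ports, no object-groups), so use it to reason about ordering and binding, not as a substitute for ''packet-tracer'' on the real box.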