
Hardening guide for Cisco Firewall (PIX, ASA, FWSM)

Eyal Estrin

**Important note**

The guide below explains how to secure a Cisco firewall (PIX, ASA, FWSM). Not all commands will work on every device series or on every IOS version. It is highly recommended to test each setting in a lab before applying changes to production systems.

**Hardening phase**

Configure AAA Authentication for Enable Mode (ASA, FWSM, PIX):

```
aaa authentication enable console LOCAL
```

Configure AAA Authentication for Console and VTY Lines (ASA, FWSM, PIX):

```
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
```

Configure Local Password (ASA, FWSM, PIX):

```
passwd <login_password> encrypted
```

Configure ASDM Access Control (ASA, FWSM, PIX):

```
http <remote_ip_address> <remote_subnet_mask> <interface_name>
```

Configure SSH (ASA, FWSM, PIX):

```
hostname <device_hostname>
domain-name <domain-name>
crypto key generate rsa modulus 2048
```

Configure SSH for Remote Device Access (ASA, PIX):

```
no telnet 0.0.0.0 0.0.0.0 <interface_name>
ssh <remote_ip_address> <remote_subnet_mask> <interface_name>
ssh version 2
```

Configure Timeout for Login Sessions (ASA, FWSM, PIX):

```
console timeout 10
ssh timeout 10
```

Configure Local User and Encrypted Password (ASA, FWSM, PIX):

```
username <local_username> password <local_password> encrypted
```

Configure Enable Password (ASA, FWSM, PIX):

```
enable password <enable_password> encrypted
```

Disable SNMP Read Access (ASA, FWSM, PIX):

```
clear configure snmp-server
no snmp-server host <interface_name> <remote_ip_address>
```

Disable SNMP Traps (ASA, FWSM, PIX):

```
no snmp-server enable traps all
```

Configure Clock Time Zone (ASA, PIX):

```
clock timezone GMT <hours offset>
```

Disable DHCP Server Service (ASA, FWSM, PIX):

```
clear configure dhcpd
no dhcpd enable <interface_name>
```

Disable HTTP Service (ASA, FWSM, PIX), in case it is not in use:

```
no http server enable <port>
```

Configure Console Logging Severity Level (ASA, FWSM, PIX):

```
logging console critical
```

Configure Timestamps in Log Messages (ASA, FWSM, PIX):

```
logging timestamp
```

Configure AAA Flood Guard (FWSM, PIX):

```
floodguard enable
```

Configure Fragment Chain Fragmentation Checks (ASA, FWSM, PIX):

```
fragment chain 1 <interface_name>
```

Configure Protocol Inspection (FWSM, PIX):

```
fixup protocol ftp <port>
fixup protocol http <port>
fixup protocol smtp <port>
```

Configure Protocol Inspection (ASA):

```
inspect ftp [map_name]
inspect http [map_name]
inspect esmtp [map_name]
```

Configure Unicast Reverse-Path Forwarding (ASA, FWSM, PIX):

```
interface <interface_id>
ip verify reverse-path interface <interface_name>
exit
```

Save the changes:

```
wr
```
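To verify that a device actually carries the settings above, the following added example (not part of the original guide or of any Cisco tooling) audits a saved `show running-config` text against a subset of the checks in this guide. The configuration excerpt, check names and regular expressions are all constructed for illustration; extend `CHECKS` with the remaining commands from the guide as needed.

```python
import re

# Constructed sample running-config excerpt; hashes are placeholders, not real.
SAMPLE_CONFIG = """\
hostname fw-lab
domain-name lab.example
passwd PLACEHOLDERHASH encrypted
enable password PLACEHOLDERHASH encrypted
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
ssh 10.0.0.0 255.255.255.0 inside
ssh version 1
telnet 10.0.0.0 255.255.255.0 inside
console timeout 10
ssh timeout 10
logging timestamp
snmp-server host inside 10.0.0.5 community public
http server enable
http 10.0.0.0 255.255.255.0 inside
"""

# (check name, line regex, required): required=True means the line must be
# present; required=False means any matching line is a finding.
CHECKS = [
    ("aaa-enable-local", r"^aaa authentication enable console LOCAL$", True),
    ("aaa-ssh-local", r"^aaa authentication ssh console LOCAL$", True),
    ("aaa-serial-local", r"^aaa authentication serial console LOCAL$", True),
    ("ssh-version-2", r"^ssh version 2$", True),
    ("no-telnet", r"^telnet \d[\d.]* \d[\d.]* \S+$", False),
    ("console-timeout", r"^console timeout (?!0$)\d+$", True),   # 0 = never
    ("ssh-timeout", r"^ssh timeout (?!0$)\d+$", True),
    ("logging-timestamp", r"^logging timestamp$", True),
    ("no-snmp-host", r"^snmp-server host ", False),
    ("logging-console-critical", r"^logging console critical$", True),
]


def audit_config(config_text):
    """Return {check_name: passed} for the given running-config text."""
    lines = [line.strip() for line in config_text.splitlines()]
    results = {}
    for name, pattern, required in CHECKS:
        matched = any(re.match(pattern, line) for line in lines)
        results[name] = matched if required else not matched
    return results


def failing_checks(config_text):
    """Sorted names of the checks the configuration does not satisfy."""
    return sorted(n for n, ok in audit_config(config_text).items() if not ok)


if __name__ == "__main__":
    for name, ok in audit_config(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

On the sample above the script reports the missing serial-console AAA line, SSH version 1, the remaining Telnet access, the SNMP host and the missing console log level, which are exactly the items the guide tells you to change.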