Hardening guide for Cisco Firewall (PIX, ASA, FWSM)
Important note
The guide below describes how to harden Cisco firewalls (PIX, ASA, FWSM).
Not all commands will work on every device series or on every IOS version.
It is highly recommended to test each setting in a test lab before implementing changes to production systems.
Hardening phase
Configure AAA Authentication for Enable Mode (ASA, FWSM, PIX):
aaa authentication enable console LOCAL
Configure AAA Authentication for Console and VTY Lines (ASA, FWSM, PIX):
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
Configure Local Password (ASA, FWSM, PIX):
passwd [password]
Configure ASDM Access Control (ASA, FWSM, PIX):
http [ip_address] [mask] [interface_name]
Configuring SSH (ASA, FWSM, PIX):
hostname [name]
domain-name [domain]
crypto key generate rsa modulus 2048
Configure SSH for Remote Device Access (ASA, PIX):
no telnet 0.0.0.0 0.0.0.0
ssh [ip_address] [mask] [interface_name]
ssh version 2
Configure Timeout for Login Sessions (ASA, FWSM, PIX):
console timeout 10
ssh timeout 10
Configure Local User and Encrypted Password (ASA, FWSM, PIX):
username [name] password [password]
Configure Enable Password (ASA, FWSM, PIX):
enable password [password]
Disable SNMP Read Access (ASA, FWSM, PIX):
clear configure snmp-server
no snmp-server host [interface_name] [ip_address]
Disable SNMP Traps (ASA, FWSM, PIX):
no snmp-server enable traps all
Configure Clock Time Zone (ASA, PIX):
clock timezone GMT
Disable DHCP Server Service (ASA, FWSM, PIX):
clear configure dhcpd
no dhcpd enable
Disable HTTP Service (ASA, FWSM, PIX), if it is not in use:
no http server enable
Configure Console Logging Severity Level (ASA, FWSM, PIX):
logging console critical
Configure Timestamps in Log Messages (ASA, FWSM, PIX):
logging timestamp
Configure AAA Flood Guard (FWSM, PIX):
floodguard enable
Configure Fragment Chain Fragmentation Checks (ASA, FWSM, PIX):
fragment chain 1
Configure Protocol Inspection (FWSM, PIX):
fixup protocol ftp
fixup protocol http
fixup protocol smtp
Configure Protocol Inspection (ASA):
inspect ftp [map_name]
inspect http [map_name]
inspect esmtp [map_name]
Configure Unicast Reverse-Path Forwarding (ASA, FWSM, PIX):
interface [interface_name]
ip verify reverse-path interface [interface_name]
exit
Save the changes:
wr
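To check a saved running-config against this checklist, here is an added Python audit script (example code, not part of the guide). The check patterns cover only a subset of the items above, and the sample configuration is constructed, not taken from a real device.

```python
import re

# Each entry: (finding label, regex that must match some config line).
REQUIRED = [
    ("AAA for enable mode", r"^aaa authentication enable console LOCAL"),
    ("AAA for SSH logins", r"^aaa authentication ssh console LOCAL"),
    ("SSH version 2 only", r"^ssh version 2"),
    ("timestamps in syslog", r"^logging timestamp"),
    ("console timeout set", r"^console timeout [1-9]\d*"),
    ("SSH timeout set", r"^ssh timeout [1-9]\d*"),
    ("uRPF on an interface", r"^ip verify reverse-path interface \S+"),
]
# Each entry: (finding label, regex that must match no config line).
FORBIDDEN = [
    ("Telnet access permitted", r"^telnet \d+\.\d+\.\d+\.\d+ "),
    ("SNMP host configured", r"^snmp-server host "),
    ("SNMP traps enabled", r"^snmp-server enable traps"),
    ("DHCP server enabled", r"^dhcpd enable"),
]

def audit(config_text):
    """Return a list of findings for a running-config; [] means clean."""
    lines = [line.strip() for line in config_text.splitlines()]
    findings = []
    for label, pattern in REQUIRED:
        if not any(re.match(pattern, line) for line in lines):
            findings.append("MISSING: " + label)
    for label, pattern in FORBIDDEN:
        for line in lines:
            if re.match(pattern, line):
                findings.append("PRESENT: %s (%s)" % (label, line))
    return findings

# Constructed sample running-config for the demonstration (not a real device).
SAMPLE_CONFIG = """\
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
telnet 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 10
snmp-server host inside 10.0.0.50 community lab-ro
logging console critical
ip verify reverse-path interface outside
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` saved to a file; every MISSING line maps to a step in the guide above, and every PRESENT line is a service the guide says to remove.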
Good guide, it's easy to leave an open hole on a firewall.
Very helpful for my new job in network support.