!! On Primary Firewall
interface <int>        !! configure each interface with standby ip
ip address <ip> <netmask> standby <standby-ip>

interface <failover-int>
description LAN Failover Interface
no shutdown
exit
failover
failover lan unit primary
failover lan interface failover <failover-int>
failover interface ip failover <failover-int-ip> 255.255.255.0 standby <failover-int-standby-ip>

!! On Secondary Firewall
failover
failover lan unit secondary
failover lan interface failover <failover-int>
failover interface ip failover <failover-int-ip> 255.255.255.0 standby <failover-int-standby-ip>

[ # ]

show eigrp topology
show eigrp neighbors
debug eigrp neighbor
debug eigrp fsm

[ # ]

router eigrp <as-num>  !! as number must match on neighbors
 no auto-summary 
 eigrp router-id 10.0.150.3  !! Router ID that identifies this EIGRP process; conventionally taken from an interface IP
 redistribute static  !! redistribute static routes; a policy map can be used instead so that not ALL statics are redistributed
 network 10.0.150.0 255.255.255.0   !! Directly connected network
 network 4.2.2.128 255.255.255.248  !! Directly connected network
 exit

!! Configure static routes that point at the interface/IP you want to monitor; the routes stop being advertised when that interface goes down
route <int-to-watch> <network-to-advertise> <subnet> <ip-of-int-to-watch>

[ # ]

!! Enable the performance monitoring
asdm history enable

!! View data
show asdm history feature <all|blocks|cpu|failover|ids|interface|memory|perfmon|sas|tunnels|xlates>
show asdm history view <10m|60m|12h|5d|all> feature <all|blocks|cpu|failover|ids|interface|memory|perfmon|sas|tunnels|xlates>

Notes:

  • You can leave off the feature argument to view ALL performance data

[ # ]

policy-map type inspect esmtp tls-esmtp
  parameters
    allow-tls
    no mask-banner     !! may only be required if you notice issues related to the banner

policy-map global_policy
  class inspection_default
    no inspect esmtp
    inspect esmtp tls-esmtp

[ # ]

same-security-traffic permit intra-interface

nat (Outside) 1 172.16.1.0 255.255.255.0
group-policy <name> attributes
  split-tunnel-policy tunnelall

Notes:

  • The last 3 lines allow traffic over a client-to-site VPN to pass all traffic through the firewall and out to the internet, i.e. no split tunneling

[ # ]

Pix 6

ca zeroize rsa
ca generate rsa key 1024
sh ca mypubkey rsa
ca save all

Pix 7+

crypto key zeroize rsa 
crypto key generate rsa modulus 1024
sh crypto key mypubkey rsa

Notes:

  • The command "crypto key zeroize rsa" also removes certificates that use the default keychain

[ # ]

show failover  !! View current failover status, statistics, etc
show failover history  !! View recent failover and sync history 
show failover state  !! View last failover reasons and information

[ # ]

access-list no_inspect_ESMTP deny tcp <source> <destination> eq 25
access-list no_inspect_ESMTP permit tcp any any eq 25

class-map no_inspect_ESMTP
 match access-list no_inspect_ESMTP 
 exit

policy-map global_policy 
 class no_inspect_ESMTP 
  inspect ESMTP 
  exit 
 class inspection_default
  no inspect esmtp
  exit

Notes:

  • It's important that the last ACL entry is specific to port 25 and not all IP traffic; traffic will break if it is left as 'ip'
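
Added example, not part of the original notes: a small Python lint that reads an ASA config fragment and checks the two pitfalls above, that the catch-all entry of the exemption ACL is `permit tcp ... eq 25` rather than `ip`, and that `inspection_default` no longer inspects ESMTP once the custom class does. The config sample, the host addresses and the `extended` keyword are constructed for the example.

```python
import re
# Constructed ASA config fragment (sample, not a real device): exemption ACL, class-map, policy-map.
SAMPLE_CONFIG = """\
access-list no_inspect_ESMTP extended deny tcp host 10.1.1.5 host 192.0.2.25 eq 25
access-list no_inspect_ESMTP extended permit tcp any any eq 25
class-map no_inspect_ESMTP
 match access-list no_inspect_ESMTP
policy-map global_policy
 class inspection_default
  no inspect esmtp
 class no_inspect_ESMTP
  inspect esmtp
"""
ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.*)$")

def parse_config(text):
    """Return ACL entries, class-map -> ACL bindings, and policy classes left inspecting esmtp."""
    acls, classmap_acl, esmtp_classes = {}, {}, set()
    classmap = policy_class = None
    for raw in text.splitlines():
        line = raw.strip()
        ace = ACE_RE.match(line)
        if ace:
            name, action, proto, rest = ace.groups()
            acls.setdefault(name, []).append((action, proto, rest))
        elif line.startswith("class-map "):
            classmap = line.split()[1]
        elif line.startswith("match access-list ") and classmap:
            classmap_acl[classmap] = line.split()[2]
        elif line.startswith("class "):
            policy_class = line.split()[1]
        elif line == "inspect esmtp" or line.startswith("inspect esmtp "):
            esmtp_classes.add(policy_class)
        elif line == "no inspect esmtp":  # removes inspection from the current class
            esmtp_classes.discard(policy_class)
    return acls, classmap_acl, esmtp_classes

def lint_esmtp_exemption(text):
    """Flag inspection_default still inspecting ESMTP beside a custom class, or a catch-all ACE that is not tcp eq 25."""
    acls, classmap_acl, esmtp_classes = parse_config(text)
    findings = []
    if "inspection_default" in esmtp_classes and len(esmtp_classes) > 1:
        findings.append("inspection_default still inspects esmtp alongside a custom class")
    for cls in sorted(c for c in esmtp_classes if c in classmap_acl):
        acl = classmap_acl[cls]
        action, proto, rest = (acls.get(acl) or [("missing", "", "")])[-1]
        if not (action == "permit" and proto == "tcp" and re.search(r"\beq (25|smtp)$", rest)):
            findings.append(f"last ACE of {acl} is not 'permit tcp ... eq 25': {action} {proto} {rest}")
    return findings
```

Run `lint_esmtp_exemption(open("running-config.txt").read())` against a saved `show running-config` to get an empty list when the exemption is built as above.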

[ # ]

access-list <ACL Name> permit <protocol> <host> <host> eq <port> inactive

Notes:

  • This overwrites the previous ACL entry, if one exists
  • Re-issue the ACL command without 'inactive' to enable the ACL again

[ # ]