!! Define the traffic that will require the custom timeout
!! Keep this ACL as narrow as possible (specific hosts and port): every matching connection
!! stays in the conn table for the full idle timeout, so a broad match plus a long timeout
!! makes connection-table exhaustion easy

access-list <Match-ACL-Name> extended permit <traffic-to-match>

!! Define the class-map that matches the ACL above

class-map <Class-Map-Name>
 match access-list <Match-ACL-Name>

!! Define the policy-map to be applied to the interface
!! Note: Only one service policy can be applied per interface (in addition to the global policy). If the interface already has one, add the 'class' and its settings to that existing policy-map instead of creating a second one

policy-map <Policy-Map-Name>
 class <Class-Map-Name>
  set connection timeout idle <Timeout-in-hh:mm:ss-Format>
!! (default is 1:00:00; 0:00:00 disables the idle timeout entirely)

!! Note: If you added the class to a policy-map that is already applied to the interface, the following line is not necessary

service-policy <Policy-Map-Name> interface <interface>

EXAMPLE CONFIGURATION

access-list SSH-24Hour-ACL extended permit tcp object-group SSH_24Hour_Hosts any eq 22

class-map SSH-24Hour-ClassMap
 match access-list SSH-24Hour-ACL

policy-map inside-policy-map
 class SSH-24Hour-ClassMap
  set connection timeout idle 24:00:00

service-policy inside-policy-map interface inside 

Notes:

  • See documentation for information regarding the interface direction
  • This was designed for versions 8.3+ although it may work on version 8.2
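The same timeout added to a policy-map that is already bound to the inside interface, followed by the checks that confirm it took effect. This is an added example, not part of the original page; the policy-map name, object-group membership and host address are assumed.

```text
!! Added example: attach the 24-hour SSH class to an existing inside policy-map and verify.
!! 'existing-inside-policy' is assumed to be already applied with 'service-policy ... interface inside',
!! so no new service-policy line is needed.
object-group network SSH_24Hour_Hosts
 network-object host 192.168.1.50
access-list SSH-24Hour-ACL extended permit tcp object-group SSH_24Hour_Hosts any eq 22
class-map SSH-24Hour-ClassMap
 match access-list SSH-24Hour-ACL
policy-map existing-inside-policy
 class SSH-24Hour-ClassMap
  set connection timeout idle 24:00:00
!! The class should be listed under the inside service policy with its idle timeout and packet counters
show service-policy interface inside
!! Matching connections and their current idle time
show conn detail | include :22
```

If the class shows zero packets while SSH sessions are clearly passing, the traffic is not entering on the interface the policy is bound to, or the ACL does not match it (check the object-group contents and direction of the ACE).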

Documentation

[ # ]

!! Configuring the captures
!! Method 1 - ACL Capture (each ACE matches one direction; add the reverse ACE to capture the return traffic)
  access-list ryan permit ip host <source> host <dst>
  capture ryan-inside access-list ryan interface <int>
  show capture ryan-inside

!! Method 2 - Match Capture (the 'match' keyword is bidirectional)
  capture ryan-inside interface <int> match ip host <src ip> host <dest ip>
  show capture ryan-inside

!! Obtaining capture as PCAP file
!! Method 1 - Copying to another location
  copy /pcap capture:/<capture-name> <destination>

!! Example:
  copy /pcap capture:/mycap ftp://1.1.1.1/incoming/mycap.pcap

!! Method 2 - Downloading from the firewall
  Visit in Browser: https://<FW-IP>/admin/capture/<capture_name>/pcap

!! Example:
  Visit in Browser: https://1.1.1.1/admin/capture/mycap/pcap

Notes:

  • To download the PCAP, connect on the same port ASDM uses ('show run http'); the client must also be covered by an 'http <network> <mask> <interface>' entry and authenticate as a user allowed to use ASDM
  • FTP and TFTP transfer the capture in cleartext, so copy it only across a trusted management path
  • A capture keeps its buffer in memory until it is removed ('no capture <name>'); captures are not saved in the configuration
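A complete capture workflow for one TLS flow, both directions, with a larger buffer, then export and cleanup. This is an added example, not from the original page; the addresses, capture name and TFTP server are assumed.

```text
!! Added example: capture both directions of a single TCP/443 flow on 'inside'.
!! 192.168.1.50, 203.0.113.10 and the TFTP server 192.0.2.20 are placeholders.
access-list CAP-ACL extended permit tcp host 192.168.1.50 host 203.0.113.10 eq 443
access-list CAP-ACL extended permit tcp host 203.0.113.10 eq 443 host 192.168.1.50
capture CAP-INSIDE access-list CAP-ACL interface inside buffer 10000000 packet-length 1522
!! Confirm the buffer is filling, then look at the packet summaries and the first packet decoded
show capture
show capture CAP-INSIDE
show capture CAP-INSIDE detail packet-number 1
!! Export over a trusted management path, then release the buffer
copy /pcap capture:/CAP-INSIDE tftp://192.0.2.20/CAP-INSIDE.pcap
no capture CAP-INSIDE
```

The second ACE is what makes the ACL capture symmetric; without it only client-to-server packets are recorded. 'buffer' raises the default 512 KB buffer so a busy flow is not truncated, and 'packet-length' keeps full frames rather than the default snaplen.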

Documentation

[ # ]

  1. Launch ASDM from a privilege 15 account
  2. Go to Configuration > Device Management > Users/AAA > AAA Access > Authorization
  3. Click the button "Set ASDM Defined Roles"
  4. Select "Yes" to have ASDM configure the command permissions for privilege 3 (Monitor Only) and privilege 5 (Read Only)
  5. Select "Apply" to set the configuration on the firewall

[ # ]

!! Controls ICMP sent to the ASA's own interface addresses (to-the-box), not ICMP passing through the firewall
!! With no 'icmp' entries every ICMP message to the interface is accepted; once any entry exists the list is first-match with an implicit deny at the end
icmp permit host <ping from IP> <interface>
icmp permit <network ip> <netmask> <interface>
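A restrictive ICMP control list for the firewall's own interfaces, as an added example that is not part of the original page. Interface names and addresses are assumed; the permits are listed before the closing deny because entries are matched in order.

```text
!! Added example: allow a management host and a management subnet to reach the inside interface,
!! allow only echo from one monitoring host on the outside, deny everything else to the box.
!! 10.10.10.5, 10.10.20.0/24 and 198.51.100.7 are placeholders.
icmp permit host 10.10.10.5 inside
icmp permit 10.10.20.0 255.255.255.0 inside
icmp deny any inside
icmp permit host 198.51.100.7 echo outside
icmp deny any outside
!! Review the resulting list
show running-config icmp
```

Put the explicit 'deny any' lines last on each interface; a deny placed above a permit for the same interface silently shadows it.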

[ # ]

arp permit-nonconnected

Notes:

  • Cisco recommends against this: with it enabled the ASA answers ARP for mapped addresses it is not directly connected to, which can hijack traffic intended for other hosts on that segment (the same effect an ARP-spoofing attacker aims for)
  • It is disabled by default from version 8.4(5). Before that, the firewall would respond to ARP for NAT addresses that are not in a directly connected subnet. The supported alternative is to have the upstream router route the mapped network to the ASA's interface address rather than relying on proxy ARP

Documentation

[ # ]

access-list <ACL-Name> extended permit <protocol> host <src> host <dst> eq <port> inactive

Notes:

  • Re-entering an existing ACE with 'inactive' replaces that entry and marks it inactive; 'show access-list' shows it as (inactive) and it is skipped during matching
  • Re-issue the same ACE without 'inactive' to enable it again

Documentation

[ # ]

!! <interface> is the interface the gateway is reachable through; use 0.0.0.0 0.0.0.0 for the default route
route <interface> <destination network> <subnet mask> <gateway IP> [<metric>]

[ # ]

!! Adds the failover state (act / stby) to the prompt so you can see which unit you are on before changing anything
prompt hostname state

[ # ]

To create a read-only ASDM account, make sure the following command is present for the privilege level that will hold the read-only access (privilege 5 when the ASDM-defined roles are used):

privilege cmd level 5 mode exec command more
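A local read-only ASDM user built on that privilege level, as an added example that is not from the original page. It assumes the ASDM-defined roles (privilege 3/5 command permissions) have already been set as described above; the username and password are placeholders.

```text
!! Added example: local privilege-5 (read-only) ASDM account.
!! Command authorization must be on, otherwise ASDM does not enforce privilege levels.
username ro-auditor password <strong-password> privilege 5
aaa authentication http console LOCAL
aaa authorization command LOCAL
privilege cmd level 5 mode exec command more
!! Review which commands each privilege level may run, then log in to ASDM as ro-auditor
show running-config privilege
```

Test the account from ASDM before handing it out: configuration panes should be visible but Apply should be refused.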

Documentation

[ # ]

!! Traffic still needs to be allowed by the inside interface ACL, which is evaluated before any WCCP redirection !!
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https

!! Redirect list: matched first-match, so the deny (proxy bypass) entry must come before the permits !!
!! 'deny' here means "do not redirect"; it does not drop the traffic !!
access-list WCCP_Redirect extended deny ip object-group ProxyBypass any
access-list WCCP_Redirect extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list WCCP_Redirect extended permit tcp 192.168.1.0 255.255.255.0 any eq 443

!! Group list: only proxies matching this ACL are allowed to register with the ASA for the service !!
access-list WCCP-Proxy extended permit ip host <Proxy Server> any

!! The service id (web-cache and 70 below) is configured on the proxy; get it from whoever runs the proxy !!
!! web-cache (0) is the standard HTTP service. The dynamic IDs below are conventions used by common proxy products, not standards, so confirm them on the proxy !!
!! web-cache or 0 - HTTP !!
!! 53 - DNS !!
!! 60 - FTP !!
!! 70 - HTTPS !!
!! The ASA only supports ingress redirection ('redirect in'), and the proxy must sit on the same interface as the clients !!
!! Redirect HTTP traffic matching WCCP_Redirect to the proxy !!
wccp web-cache redirect-list WCCP_Redirect group-list WCCP-Proxy
wccp interface inside web-cache redirect in

!! Redirect HTTPS traffic matching WCCP_Redirect to the proxy !!
wccp 70 redirect-list WCCP_Redirect group-list WCCP-Proxy
wccp interface inside 70 redirect in
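The HTTP service again with a WCCP service password added, so that a host spoofing the group-list address still cannot register itself as the proxy and receive redirected traffic, followed by the checks to run once the proxy has joined. This is an added example, not part of the original page; the proxy address, bypass object-group contents and the shared secret are assumed.

```text
!! Added example: WCCP web-cache service with registration password and verification.
!! 192.168.1.20 (proxy), 192.168.1.99 (bypassed host) and <shared-secret> are placeholders;
!! the same secret must be configured on the proxy.
object-group network ProxyBypass
 network-object host 192.168.1.99
access-list WCCP-Proxy extended permit ip host 192.168.1.20 any
access-list WCCP_Redirect extended deny ip object-group ProxyBypass any
access-list WCCP_Redirect extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
wccp web-cache redirect-list WCCP_Redirect group-list WCCP-Proxy password <shared-secret>
wccp interface inside web-cache redirect in
!! The proxy should appear as a registered router/cache with its service active
show wccp
show wccp web-cache detail
!! Redirected packet counts should rise as clients browse; bypassed hosts should show none
show wccp web-cache
```

If the proxy never registers after the password is added, the secrets differ or the proxy is not on the inside interface; if it registers but counts stay at zero, the redirect-list or the inside ACL is not matching the client traffic.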

[ # ]