Cisco Support Community

Firewalling for Noobs

Hello all,



About to go through a penetration test and was wondering if there was a checklist of things to do to tighten down an ASA as much as possible. Something like 1) turn off this service, 2) set this to that, etc. I know every environment is different, but I am looking for a general guideline.



Thanks in advance.  Replies rated.



The Center for Internet Security has some benchmarks you can download, including three for different Cisco firewall scenarios. One of them should fit your case fairly well and be helpful.

The first five things to do are: turn off telnet access in favor of SSHv2 and TLS, turn on NTP, crank up the crypto past the Cisco export defaults, limit which IP addresses can reach the management interface, and turn on remote syslogging.

-- Jim Leinweber, WI State Lab of Hygiene


Good pointers Jim.

I would also add: when turning on remote syslog for firewalls, tune the logging level down to 4 or so and HAVE SOMEONE REVIEW AND ACT ON THE LOG EVENTS. (Yes, I was shouting. Target had a great security system (FireEye) in place but failed to act on the warning indicators it was giving them.)
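As an added example (not code from either reply or from Cisco), here is a small Python script that checks an ASA running-config for the points raised in both replies above: telnet off in favor of SSHv2, NTP on, ciphers above the export defaults, management access limited by source address, and remote syslog at trap level 4 (warnings) or lower. The two sample configs are constructed for illustration, and the check conditions themselves (requiring an explicit "ssh version 2" line, treating dh-group1-sha1 and the rc4/des/null legacy cipher keywords as weak, expecting "ssl server-version tlsv1.2") are this example's assumptions rather than anything the thread states; adjust them to your ASA version and the CIS benchmark you pick.

```python
"""Static audit of an ASA running-config against the hardening points in this
thread.  Added example; the checks and sample configs are constructed here."""
import re

# ASA syslog severity names in numeric order (0 = emergencies ... 7 = debugging).
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]
MAX_TRAP_LEVEL = 4  # "level 4 or so": send warnings and more severe only

# Legacy 'ssl encryption' keywords this audit treats as weak (assumption).
WEAK_SSL_KEYWORDS = {"des-sha1", "rc4-md5", "rc4-sha1", "null-sha1"}

# Constructed sample: the kind of config a pentester hopes to find.
WEAK_CONFIG = """\
: Saved
hostname asa-edge
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
http server enable
http 0.0.0.0 0.0.0.0 inside
ssl encryption rc4-sha1 aes128-sha1 3des-sha1
logging enable
logging host inside 10.1.1.5
logging trap debugging
"""

# Constructed sample: the same box after applying the advice in the thread.
HARDENED_CONFIG = """\
: Saved
hostname asa-edge
ssh 10.10.0.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group14-sha1
http server enable
http 10.10.0.0 255.255.255.0 inside
ntp authentication-key 1 md5 *****
ntp authenticate
ntp trusted-key 1
ntp server 10.10.0.20 key 1 source inside prefer
ssl cipher tlsv1.2 high
ssl server-version tlsv1.2
logging enable
logging timestamp
logging trap warnings
logging host inside 10.10.0.30
"""


def _lines(config):
    """Config lines with comments (':' or '!') and blanks dropped."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.strip().startswith((":", "!"))]


def _trap_level(value):
    """Map 'warnings' or '4' to its numeric severity; None if unparseable."""
    if value.isdigit():
        return int(value)
    return SEVERITY.index(value) if value in SEVERITY else None


def audit_asa_config(config):
    """Return a list of finding strings; an empty list means all checks passed."""
    lines = _lines(config)
    findings = []
    ip = r"\d+\.\d+\.\d+\.\d+"

    # 1. Telnet management access: 'telnet <ip> <mask> <if>' ('telnet timeout' is fine).
    if any(re.match(rf"telnet\s+{ip}\s+{ip}\s+\S+", ln) for ln in lines):
        findings.append("telnet management access enabled; use SSHv2 and ASDM over TLS instead")

    # 2. SSH version and key-exchange group.
    if "ssh version 2" not in lines:
        findings.append("no explicit 'ssh version 2'; SSHv1 may still be accepted")
    if "ssh key-exchange group dh-group1-sha1" in lines:
        findings.append("SSH key exchange uses dh-group1-sha1; prefer dh-group14-sha1")

    # 3. Management reachable from any address (0.0.0.0 0.0.0.0 permit lines).
    for proto in ("ssh", "http"):
        if any(re.match(rf"{proto}\s+0\.0\.0\.0\s+0\.0\.0\.0\s+\S+", ln) for ln in lines):
            findings.append(f"{proto} management access permitted from any source address")

    # 4. NTP configured and authenticated, so log timestamps can be trusted.
    if not any(ln.startswith("ntp server ") for ln in lines):
        findings.append("no NTP server configured")
    elif "ntp authenticate" not in lines:
        findings.append("NTP is not authenticated")

    # 5. TLS ciphers and protocol version for ASDM / WebVPN.
    for ln in lines:
        if ln.startswith("ssl encryption "):
            weak = sorted(WEAK_SSL_KEYWORDS & set(ln.split()[2:]))
            if weak:
                findings.append("weak SSL ciphers enabled: " + ", ".join(weak))
        if re.match(r"ssl cipher \S+ (low|medium|all)$", ln):
            findings.append(f"permissive cipher level: '{ln}'")
    if not any(ln.startswith("ssl server-version tlsv1.2") for ln in lines):
        findings.append("server TLS version not pinned to tlsv1.2")

    # 6. Remote syslog, at a level a human can actually review.
    if "logging enable" not in lines or not any(ln.startswith("logging host ") for ln in lines):
        findings.append("remote syslog not configured ('logging enable' + 'logging host')")
    trap = [ln.split()[2] for ln in lines
            if ln.startswith("logging trap ") and len(ln.split()) == 3]
    if not trap:
        findings.append("no 'logging trap' level set for the syslog hosts")
    else:
        level = _trap_level(trap[-1])
        if level is None or level > MAX_TRAP_LEVEL:
            findings.append(f"syslog trap level '{trap[-1]}' is noisier than "
                            f"{SEVERITY[MAX_TRAP_LEVEL]} ({MAX_TRAP_LEVEL})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_asa_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Feed it the output of "show running-config" (or a saved copy) and treat any finding as a to-do item before the test starts; the hardened sample shows one complete set of lines that clears every check, which is a reasonable starting point to compare against the CIS benchmark for your platform.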
