Cisco ASA Firewall Configuration Audit

Audit your Cisco ASA config
in 60 seconds.

Upload your `show running-config` output. Get a posture score, prioritized risks, ACL and NAT analysis, AnyConnect crypto review, PSIRT-matched firmware CVEs, and ready-to-paste IOS-CLI fixes — without installing an agent or handing over API access.

No agent, no API key, no enable secret needed. Multi-context configs split per-context. Raw config parsed in memory and discarded.

One file, one minute

`terminal pager 0` then `show running-config`. Drag the file in. Full posture report in under 60 seconds. Single-context, multi-context, and Firepower-fallback configs all work.


Object-group expansion done right

Nested object-groups, network objects, service-objects, time-ranges — all resolved at parse time. The engine sees the effective scope of every ACE, not the alias. No phantom findings from deep nesting.


PSIRT CVEs tied to your config

ASA OS firmware is matched against Cisco PSIRT, CISA KEV, and NVD. CVEs are only surfaced if the affected feature (AnyConnect, WebVPN, IKE, SNMP) is actually enabled.

What CRWLR finds in a Cisco ASA config

ACLs with `permit ip any any`, overly broad subnet masks (/8 in places they shouldn't be), and ACEs that became redundant after object-group consolidation
NAT exposure — static one-to-one mappings that publish RDP/SMB/Telnet, twice-NAT rules that bypass the policy, identity-NAT used as a security boundary
Interface security-levels — same-security-traffic permit inter-interface enabled without compensating ACLs, DMZ at the wrong security level, management interface mis-leveled
AnyConnect / WebVPN — single-factor authentication, weak SSL/TLS settings, AnyConnect profile XML referencing a stale CA, dynamic split-tunnel that defeats inspection
IKE phase 1 and phase 2 — IKEv1 aggressive mode, weak DH groups (1, 2, 5), DES/3DES still configured, PSK strength, lifetime values that exceed best-practice ranges
Management plane — Telnet enabled, SSH version 1, ASDM reachable from outside, AAA missing (local-only fallback), enable password vs enable secret choice
AAA hardening — RADIUS or TACACS+ shared secrets present but auth methods still default to LOCAL fallback in the wrong order, no command authorization
MPF (Modular Policy Framework) — inspection classes missing (ESMTP, SIP, SQL*Net, DNS guard), global service-policy gaps, per-interface policy that overrides intent
Logging completeness — `logging buffered` only, no syslog target, severity threshold too high, timestamps missing, ASA-6-302013 connection logs disabled
ASA OS firmware CVE exposure — current version cross-referenced with Cisco PSIRT; safe upgrade targets recommended deterministically from vendor data, not guessed
Multi-hop attack paths — compound risk chains (outside ACL → static NAT → permissive inside ACL) with pivot awareness and service scoring
Sample finding — what you get per issue
HIGH

AnyConnect group-policy permits all tunnel traffic with single-factor auth

Tunnel-group REMOTE_USERS uses authentication-server-group LOCAL with no secondary authentication. AnyConnect group-policy GP_REMOTE has split-tunnel-policy tunnelall and no vpn-filter. Cisco PSIRT cisco-sa-anyconnect-XXX applies at your current ASA OS.

```
! Add a vpn-filter to restrict tunnel-side reachability
access-list ACL_REMOTE_USERS extended permit tcp any 10.10.0.0 255.255.0.0 eq 443
access-list ACL_REMOTE_USERS extended deny ip any any log

! Bind the filter to the group-policy
group-policy GP_REMOTE attributes
  vpn-filter value ACL_REMOTE_USERS

! Require RADIUS + a second factor on the tunnel-group
tunnel-group REMOTE_USERS general-attributes
  authentication-server-group RADIUS_PRIMARY
  secondary-authentication-server-group RADIUS_MFA

write memory
```

Every finding ships with the exact IOS-CLI block above, the line(s) of running-config that triggered it, the PSIRT advisory reference, and a plain-English explanation of why it matters and what changes after `write memory`.

Frequently asked

Which Cisco ASA platforms and ASA OS versions are supported?

Any ASA appliance that produces a `show running-config` — ASA 5505/5510/5512-X/5515-X/5525-X/5545-X/5555-X, ASA 5500-X with Firepower Services, and ASAv (virtual). Tested against ASA OS 9.6 through 9.20. ASA OS context-aware: single-context and multi-context configs are both handled. Firepower (FTD) configs in ASA-fallback mode also parse.

How do I export my ASA configuration?

From enable mode: `terminal pager 0` then `show running-config` and capture the output to a file (or `more system:running-config` for the same content). For multi-context devices, run `show running-config` in each context — CRWLR analyzes them independently. Do not use `show startup-config` — that may not reflect the live state.

What does CRWLR actually check in an ASA config?

140 checks spanning ACL hygiene (extended and standard), NAT (both auto-NAT and twice-NAT), interface security-level configuration, AnyConnect / WebVPN crypto and authentication, IKEv1/IKEv2 IPsec phase 1 and phase 2 parameters, management plane (telnet, ssh, http, asdm), AAA, logging completeness, modular policy framework inspection, and ASA OS firmware CVE exposure. Full list at /security.

Is my ASA running-config stored anywhere?

No. The config is parsed in memory and discarded at the end of the scan. Only the normalized findings, scores, and per-ACE analysis are persisted to your tenant. ASA configs commonly include encrypted password hashes (`enable password`, `username … password`, IKE pre-shared keys) — the parser drops these fields before any normalized data is written.

Does CRWLR check Cisco ASA CVEs?

Yes. ASA OS firmware is matched against CISA KEV, NVD, and the Cisco PSIRT feed, deduplicated across sources. CVEs are filtered to only those that affect features actually enabled — an AnyConnect vulnerability is only flagged if AnyConnect is configured, a WebVPN vulnerability only if WebVPN is on, an IKE vulnerability only if VPN tunnels exist.

Will CRWLR untangle deeply nested object-groups?

Yes. Object-group nesting, object-group service references, network object hierarchies, and time-range conditions are all resolved at parse time. An ACE that references object-group "INSIDE_HOSTS" containing object-group "FINANCE" containing 12 hosts is expanded transparently — the engine sees the effective scope, not the alias.
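Resolving nested object-groups as the answer above (and the "Object-group expansion done right" note earlier) describes, as an added Python example that is not CRWLR's parser: it indexes `object network` and `object-group network` definitions from a constructed config excerpt, expands `INSIDE_HOSTS` through the nested `FINANCE` group, and reports the effective source scope of the ACE that references it, with a guard against cyclic references. The object names and addresses are assumptions made for the example.

```python
import ipaddress
# Constructed config (not from the page): INSIDE_HOSTS nests FINANCE; added illustration, not CRWLR's parser.
SAMPLE_CONFIG = """\
object network WEB01
 host 10.10.1.10
object-group network FINANCE
 network-object host 10.10.3.5
 network-object 10.10.2.0 255.255.255.0
object-group network INSIDE_HOSTS
 network-object object WEB01
 group-object FINANCE
access-list INSIDE_OUT extended permit tcp object-group INSIDE_HOSTS any eq 443
"""

def parse_objects(config):
    """Index 'object network' and 'object-group network' definitions by name."""
    defs, current = {}, None
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] in (["object", "network"], ["object-group", "network"]):
            current = defs.setdefault(parts[2], [])
        elif line.startswith(" ") and current is not None:
            current.append(parts)  # member line inside the current definition
        else:
            current = None
    return defs

def expand(name, defs, seen=None):
    """Resolve a name to the set of networks it covers, following nested references."""
    seen = set() if seen is None else seen
    if name in seen:  # a cyclic reference would otherwise recurse forever
        return set()
    seen.add(name)
    nets = set()
    for m in defs.get(name, []):
        if m[0] == "group-object" or m[:2] == ["network-object", "object"]:
            nets |= expand(m[-1], defs, seen)  # nested group or named object
        elif m[0] == "host" or m[1] == "host":
            nets.add(ipaddress.ip_network(m[-1]))
        elif m[0] in ("network-object", "subnet"):
            nets.add(ipaddress.ip_network(f"{m[-2]}/{m[-1]}"))
    return nets

def ace_source_scope(config, acl_name):
    """Map each ACE of acl_name whose source is an object-group to its effective networks."""
    defs = parse_objects(config)
    scopes = {}
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["access-list", acl_name] and len(p) > 6 and p[5] == "object-group":
            scopes[line] = expand(p[6], defs)
    return scopes
```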

Can I use this across dozens of ASAs for MSP work?

Yes. CRWLR supports bulk import (drop a ZIP of `show running-config` files), scheduled re-scans, per-firewall finding acknowledgements, and a fleet dashboard that rolls firmware risk, configuration risk, and external exposure into one composite score across your whole estate. Multi-context configs are split out and analyzed per-context.

Do I get IOS-CLI fixes or just findings?

IOS-CLI fixes. Every finding includes the exact ASA commands to remediate it — `access-list`, `nat`, `crypto`, `ssh`, `aaa-server`, `policy-map`, with the right `config terminal` / `interface` / `tunnel-group` mode context. Paste-ready, with `write memory` as the closing reminder.

Upload your ASA running-config. See the gaps in 60 seconds.

No credit card. No agent to install. The raw config never touches our storage.
