ASA5510 - protecting the web server

Unanswered Question

I am trying to protect a single web server behind an ASA 5510. I am using access lists, TCP normalization, connection limiting and HTTP inspection (blocking HTTP methods I know I won't need). Can anyone see what else I can do as far as security goes? Thanks in advance.

ASA Version 8.0(3)
!
firewall transparent
hostname xxxx
enable password xxxx
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
interface Ethernet0/2
 no nameif
 no security-level
!
interface Ethernet0/3
 no nameif
 no security-level
!
interface Management0/0
 no nameif
 no security-level
!
passwd xxxx
regex trace "TRACE"
ftp mode passive
: Only TCP/80 and TCP/443 to the web server are inspected and permitted inbound.
access-list inspect_web_traffic extended permit tcp any host xxxx eq https
access-list inspect_web_traffic extended permit tcp any host xxxx eq www
access-list allow_web_traffic extended permit tcp any host xxxx eq www
access-list allow_web_traffic extended permit tcp any host xxxx eq https
access-list inspect_tcp_traffic extended permit tcp any any
: TCP normalization: clear reserved bits and drop SYNs that carry data.
tcp-map tcp_normalization_map
  reserved-bits clear
  syn-data drop
pager lines 24
mtu outside 1500
mtu inside 1500
ip address xxxx xxxx
ip audit name FW-IDS-info info action reset
ip audit name FW-IDS-attack attack action reset
ip audit interface outside FW-IDS-info
ip audit interface outside FW-IDS-attack
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group allow_web_traffic in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 outside
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
!
class-map inspect_http_traffic
 description Inspect HTTP and HTTPS
 match access-list inspect_web_traffic
class-map tcp_normalization
 description TCP normalization
 match access-list inspect_tcp_traffic
class-map type regex match-any methods_to_drop
 match regex trace
class-map type inspect http match-all http_method_policy
 match request method regex class methods_to_drop
class-map connection_limits
 description Limit number of connections and number of embryonic connections per client
 match access-list inspect_tcp_traffic
!
: HTTP inspection: hide the server banner, reset on protocol violations,
: and match requests whose method is in methods_to_drop.
policy-map type inspect http http_policy
 parameters
  spoof-server "noyb"
  protocol-violation action reset
 class http_method_policy
!
policy-map global_policy
 class connection_limits
  set connection per-client-max 500 per-client-embryonic-max 100
 class tcp_normalization
  set connection advanced-options tcp_normalization_map
 class inspect_http_traffic
  inspect http http_policy
!
service-policy global_policy global
prompt hostname context
: end

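As an added example (not part of the original post or the reply), the fragment below layers further hardening on the posted configuration in the same ASA 8.0(3) CLI. It goes a little beyond the single question asked: besides widening the HTTP method filter, it bounds request sizes, makes the outside deny explicit and logged, restricts what the web server itself may open outbound, locks management to SSHv2 from an admin network, and ships syslog off-box. Note that the posted `class http_method_policy` shows no action line under it; a class in an inspection policy map that has no action matches but neither drops nor logs, so the action is given explicitly here. Assumed values, none of which appear in the post: 10.0.0.0/24 as the admin LAN, 10.0.0.5 as the syslog host, 10.0.0.53 and 10.0.0.123 as the DNS and NTP servers the web server is allowed to reach, and the size thresholds; `xxxx` stands for the web server address exactly as the post redacts it.

```cisco
: Added hardening fragment for the posted ASA 8.0(3) transparent-mode config.
: Not from the original post. Assumed values: xxxx = web server (as posted),
: 10.0.0.0/24 = admin LAN, 10.0.0.5 = syslog host, 10.0.0.53 / 10.0.0.123 =
: DNS and NTP servers the web server may reach. Edit all of these to fit.
!
: 1. HTTP method filter: one regex (alternation) for every method the server
:    does not need, replacing the TRACE-only regex, plus an explicit action.
regex bad_methods "TRACE|TRACK|CONNECT|PUT|DELETE"
class-map type regex match-any methods_to_drop
 no match regex trace
 match regex bad_methods
!
: 2. Bound request sizes so oversized URIs and headers are reset on the ASA
:    before the server parses them (thresholds are assumed).
class-map type inspect http match-any http_oversized
 match request uri length gt 2048
 match request header length gt 8192
!
policy-map type inspect http http_policy
 parameters
  spoof-server "noyb"
  protocol-violation action reset log
 class http_method_policy
  drop-connection log
 class http_oversized
  reset log
!
: 3. Explicit, logged deny at the end of the outside ACL so blocked probes
:    appear in syslog with their source address.
access-list allow_web_traffic extended deny ip any any log
!
: 4. Egress control: with no ACL on inside, a compromised server can open any
:    outbound connection. Permit only what it needs and log everything else.
access-list restrict_egress extended permit udp host xxxx host 10.0.0.53 eq domain
access-list restrict_egress extended permit udp host xxxx host 10.0.0.123 eq ntp
access-list restrict_egress extended deny ip any any log
access-group restrict_egress in interface inside
!
: 5. Management plane: SSHv2 only, from the admin LAN, local authentication.
:    Telnet is unconfigured in the posted config; leave it that way.
ssh version 2
ssh 10.0.0.0 255.255.255.0 inside
aaa authentication ssh console LOCAL
username admin password xxxx privilege 15
!
: 6. Ship logs off-box; the drop/reset actions above only help if someone
:    can see them.
logging enable
logging timestamp
logging trap informational
logging host inside 10.0.0.5
```

After applying it, `show service-policy inspect http` confirms the inspection policy is bound and counting, `show access-list allow_web_traffic` and `show access-list restrict_egress` show hit counts on the new deny entries, and a `TRACE` request from outside should produce a dropped connection in the syslog host's feed rather than a response from the server. The egress list assumes the server needs nothing beyond DNS and NTP; add entries for update repositories or backup targets before it goes live, or the deny line will block them.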
brettmilborrow Fri, 03/07/2008 - 15:50

I think you have it covered! You are also able to install an IPS module in the 5510 chassis and use the module to protect the web server further.

