ASA Questions

tahirs001
Level 1

Dear friends,

  1. I need to tidy up my ASA5520, which includes removing unused access-lists, NAT, etc. What is the best way to document my ruleset?
  2. I need advice on VPN. We have a lot of 3rd party companies dialling in; they currently use a mixture of Secure Desktop and the VPN client, and they need access to servers which they RDP on to. What would you recommend they use?
  3. How would you hand out passwords to 3rd party companies?

Thanks

Tahir

4 Replies

scott-goodwin
Level 1

Hi,

With regards to documenting rulebases, I think it's more an individual thing and depends on how your current documentation is laid out. Having worked with multiple customers, some just keep the raw ACLs in configuration backups. Others run spreadsheets which they add to whenever a change comes in; however, the latter soon starts to get huge. :)

Secure Desktop or the VPN client should give you granular control over what they can/can't do. It will also give you the option of checking for valid anti-virus, etc. The main thing here is to make sure they only have access to what they need, and only to the specific services.

In my opinion, issuing RSA tokens to external companies is always the best option when it comes to password security.

Hope this helps

Scott

Hi Scott,

Thanks for the advice. My rulebase is already huge - I need to take control over it. How would I document it in a spreadsheet?

Also, when I issue the command "show access-list" there are a lot of access-list entries that do not get hit. Is there a way to monitor access-lists apart from the hit count?

Thanks

Tahir

Hi Tahir,

I presume you are using object groups within your configuration. If this is the case, the spreadsheets I have seen (I have never personally constructed one) have a sheet with all the object groups in and the relevant IP addresses, and then separate sheets for each interface. Hence the easiest way I can think of when starting from scratch would be to get the rulebase comma-delimited so you can import it into the spreadsheet.

As for 0-hit rules, it's all down to housekeeping, and it is always common to find lots of rules with no hits that were added as knee-jerk reactions to faults or requests. I don't think there is any other way to monitor the ACLs with zero hits on the actual device; you would need to look at a reporting/management platform, I guess, that could collate the data for you.

Scott

If you found any of this helpful please rate the posts.
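Added example, not code from this thread or from Cisco: a Python script that does the export Scott describes above (an object-group sheet plus one sheet per interface, comma-delimited) and answers Tahir's follow-up about zero-hit entries by reading the hit counters from "show access-list" rather than eyeballing them. The sample output is constructed to match the line shapes of "show access-list", "show running-config object-group" and "show running-config access-group" on an ASA; the ACL names, object-group names and addresses are made up. Paste the real command output into the three strings (or read them from files) to run it against a live box.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample output (not from the thread). Indented lines under an
# object-group ACE are the per-address expansion the ASA prints for it.
SHOW_ACCESS_LIST = """\
access-list outside_in; 5 elements; name hash: 0x1a2b3c4d
access-list outside_in line 1 extended permit tcp object-group VPN_3RDPARTY object-group RDP_SERVERS eq 3389 (hitcnt=57) 0x11111111
  access-list outside_in line 1 extended permit tcp host 203.0.113.10 host 192.0.2.20 eq 3389 (hitcnt=57) 0x22222222
  access-list outside_in line 1 extended permit tcp host 203.0.113.10 host 192.0.2.21 eq 3389 (hitcnt=0) 0x33333333
access-list outside_in line 2 extended permit tcp any host 192.0.2.30 eq smtp (hitcnt=0) 0x44444444
access-list outside_in line 3 extended deny ip any any log (hitcnt=1204) 0x55555555
access-list dmz_in; 1 elements; name hash: 0x5e6f7a8b
access-list dmz_in line 1 extended permit udp any host 192.0.2.53 eq domain (hitcnt=0) 0x66666666
"""

OBJECT_GROUPS = """\
object-group network RDP_SERVERS
 description Servers third parties reach over RDP
 network-object host 192.0.2.20
 network-object host 192.0.2.21
object-group network VPN_3RDPARTY
 network-object host 203.0.113.10
object-group service RDP tcp
 port-object eq 3389
"""

ACCESS_GROUPS = """\
access-group outside_in in interface outside
access-group dmz_in in interface dmz
"""

RULE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) "
    r"(?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)"
)
AG_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")


def parse_access_list(text):
    """One dict per configured ACE (unindented line). The indented expansion
    lines are attached under 'elements' so a never-used member of a busy
    object-group rule can still be spotted."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw)
        if not m:
            continue  # skips the "access-list X; N elements; ..." header lines
        entry = {"acl": m["acl"], "line": int(m["line"]),
                 "rule": m["rule"], "hitcnt": int(m["hits"])}
        if m["indent"] and rules:
            rules[-1]["elements"].append(entry)
        else:
            entry["elements"] = []
            rules.append(entry)
    return rules


def zero_hit_rules(rules):
    """ACEs whose own counter is 0: candidates for removal after a review window."""
    return [(r["acl"], r["line"], r["rule"]) for r in rules if r["hitcnt"] == 0]


def unused_group_members(rules):
    """Busy object-group ACEs with an expansion entry at 0: the rule stays,
    but that member of the group may be dead."""
    return [(r["acl"], r["line"], e["rule"])
            for r in rules for e in r["elements"] if e["hitcnt"] == 0]


def parse_object_groups(text):
    groups, current = {}, None
    for line in text.splitlines():
        if line.startswith("object-group "):
            parts = line.split()
            current = parts[2]
            groups[current] = {"type": parts[1], "members": []}
        elif current and line.startswith(" ") and not line.strip().startswith("description"):
            groups[current]["members"].append(line.strip())
    return groups


def parse_access_groups(text):
    """Map ACL name -> (direction, interface) so rules land on the right sheet."""
    return {m[1]: (m[2], m[3]) for m in map(AG_RE.match, text.splitlines()) if m}


def build_sheets(rules, groups, bindings):
    """Return {sheet name: CSV text}: one object-group sheet plus one per
    interface. An ACL with no access-group lands on an 'unbound' sheet."""
    sheets, buf = {}, io.StringIO()
    w = csv.writer(buf)
    w.writerow(["group", "type", "member"])
    for name, g in groups.items():
        for member in g["members"]:
            w.writerow([name, g["type"], member])
    sheets["object-groups"] = buf.getvalue()

    by_iface = defaultdict(list)
    for r in rules:
        direction, iface = bindings.get(r["acl"], ("unbound", "unbound"))
        by_iface[iface].append((direction, r))
    for iface, entries in by_iface.items():
        buf = io.StringIO()
        w = csv.writer(buf)
        w.writerow(["acl", "direction", "line", "rule", "hitcnt", "zero_hit"])
        for direction, r in entries:
            w.writerow([r["acl"], direction, r["line"], r["rule"], r["hitcnt"], r["hitcnt"] == 0])
        sheets[iface] = buf.getvalue()
    return sheets


if __name__ == "__main__":
    rules = parse_access_list(SHOW_ACCESS_LIST)
    for name, text in build_sheets(rules, parse_object_groups(OBJECT_GROUPS),
                                   parse_access_groups(ACCESS_GROUPS)).items():
        print(f"--- sheet: {name}\n{text}")
    print("zero-hit rules:", zero_hit_rules(rules))
    print("unused group members:", unused_group_members(rules))
```

Two caveats before deleting anything on the strength of the zero_hit column: the counters only say "not matched since they were last reset", so record when the box last reloaded or when "clear access-list counters" was last run and give the list a full business cycle (month-end jobs, quarterly vendor access) before acting; and an ACL that shows up on the "unbound" sheet is not necessarily unused, since VPN filters, NAT and class-maps reference ACLs without an access-group, so grep the running config for the name first.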

Scott,

Thanks for the advice

Tahir
