05-09-2010 03:46 AM - edited 03-11-2019 10:42 AM
I have configured my ASA 5510; please find attached my network diagram for reference, and the following configuration.
Please review my configuration and advise what should be denied and what should be permitted.
Moreover, please check whether the basic security levels are working fine or not,
and please make changes if required.
MTL-ASA# sh run
: Saved
:
ASA Version 7.0(7)
!
hostname MTL-ASA
domain-name millat.com.pk
enable password Qxxxxxxxxxxxxxxt encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.74.2 255.255.255.0
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.1.18 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/3
nameif ptcl
security-level 0
ip address 192.168.95.65 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.90.1 255.255.255.0
management-only
!
passwd NyOrA4dtiFkmSvez encrypted
ftp mode passive
dns domain-lookup DMZ
access-list outside_to_DMZ extended permit ip 192.168.74.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_to_DMZ extended permit tcp any any eq 3389
access-list outside_to_DMZ extended permit ip any any
access-list outside_to_DMZ extended permit tcp any any
access-list 101 extended permit ip any any
access-list 101 extended permit tcp any any
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any any eq smtp
access-list 101 extended permit tcp any any eq pop3
access-list 101 extended permit tcp any any eq https
access-list 110 extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq ftp
access-list inside_access_in extended permit tcp any any eq pop3
access-list inside_access_in extended permit tcp any any eq smtp
access-list DMZ_access_in extended permit tcp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit tcp any any eq www
access-list DMZ_access_in extended permit tcp any any eq https
access-list DMZ_access_in extended permit tcp any any eq ftp
access-list DMZ_access_in extended permit tcp any any eq pop3
access-list DMZ_access_in extended permit tcp any any eq smtp
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu outside 1500
mtu DMZ 2500
mtu inside 1500
mtu ptcl 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) 192.168.74.0 192.168.1.0 netmask 255.255.255.255
access-group outside_to_DMZ in interface outside
access-group DMZ_access_in in interface DMZ
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.74.1 1
route inside 192.168.9.0 255.255.255.0 192.168.20.2 1
route inside 192.168.7.0 255.255.255.0 192.168.20.2 1
route inside 192.168.6.0 255.255.255.0 192.168.20.2 1
route inside 192.168.5.0 255.255.255.0 192.168.20.2 1
route inside 192.168.4.0 255.255.255.0 192.168.20.2 1
route inside 192.168.10.0 255.255.255.0 192.168.20.2 1
route inside 192.168.2.0 255.255.255.0 192.168.20.2 1
route inside 192.168.218.0 255.255.255.0 192.168.20.2 1
route inside 192.168.217.0 255.255.255.0 192.168.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username Junaid password kxxxxxxxxxxxxx0 encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.90.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community Admins
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
telnet 192.168.10.0 255.255.255.0 DMZ
telnet 192.168.20.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:b6xxxxxxxxxxxxxxxxxxxxf8
: end
05-09-2010 05:02 AM
Is there anything in particular you are having issues with ?
At first glance your software is OLD. At least try to upgrade to 8.x; that will make your ASDM prettier :-) and your ACLs are a bit too loose for my taste. I would at least specify the destinations and, where I can, also the sources, so as to not have spoofing issues or a lot of holes.
05-10-2010 07:13 AM
It is a matter for the admin to decide what is allowed or blocked. It depends on the applications that go through your network.
I would suggest to block everything inbound on the outside interface ACL except from the thing you are hosting for inbound users (like a web server) if you have any.
I hope it helps.
PK
05-10-2010 03:28 PM
This ASA is no longer a firewall. It's a router with 3 interfaces, because all ACLs contain "permit ip any any", and once a packet matches that line it will pass through.
access-list outside_to_DMZ extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
Here is what I suggest. This is only my suggestion and you should decide what is best for your specific needs.
1) Change your "outside_to_DMZ" ACL to something a bit more specific on what you really want to allow in to the DMZ. Or just put "ip any any" to allow everything in (which is NOT recommended) and remove all the other lines in the ACL, which are doing nothing anyway. It's always best to allow in only what needs to be let in -- but nothing more.
2) Remove the ACL "inside_access_in", as the ASA by default will already allow anything from a higher security level to a lower security level. So inside will already be able to communicate to the DMZ and Outside interfaces by default. If you do not want the inside to communicate to the DMZ, simply set the security level of the inside and DMZ interfaces to the same security level (but higher than the outside interface) and issue the command "no same-security-traffic permit inter-interface".
3) Remove the ACL "DMZ_access_in", as the ASA by default will already allow anything from a higher security level to a lower security level. So DMZ will already be able to communicate to Outside by default but will NOT be able to communicate to the Inside.
Now you can build from here and add your own specific ACL lines as needed to permit or block specific flows.
Good luck.
05-13-2010 04:37 AM
Thanks JeremyAult,
I have removed all those unnecessary ACLs. It's working fine now: DMZ-to-Inside access has been stopped, and Inside users can use resources in the DMZ and can access the Internet on the outside interface.
Please review my outside interface ACL. I want to refine it; by default it is permitting ip any any and tcp any any. I think this should be replaced with my live IP:
access-list outside_to_DMZ extended permit 58.27.232.16 255.255.255.0 any
This will allow my live IP network pool towards my DMZ and inside. Am I right?
MTL-ASA# sh run
: Saved
:
ASA Version 7.0(7)
!
hostname MTL-ASA
domain-name millat.com.pk
enable password Qxxxxxxxxxxxt encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.74.2 255.255.255.0
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.1.18 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/3
nameif ptcl
security-level 0
ip address 192.168.95.65 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.90.1 255.255.255.0
management-only
!
passwd Nxxxxxxxxxxxxxz encrypted
ftp mode passive
dns domain-lookup DMZ
access-list outside_to_DMZ extended permit ip any any
access-list outside_to_DMZ extended permit tcp any any
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu outside 1500
mtu DMZ 2500
mtu inside 1500
mtu ptcl 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) 192.168.74.0 192.168.1.0 netmask 255.255.255.255
access-group outside_to_DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.74.1 1
route inside 192.168.217.0 255.255.255.0 192.168.20.2 1
route inside 192.168.218.0 255.255.255.0 192.168.20.2 1
route inside 192.168.2.0 255.255.255.0 192.168.20.2 1
route inside 192.168.10.0 255.255.255.0 192.168.20.2 1
route inside 192.168.4.0 255.255.255.0 192.168.20.2 1
route inside 192.168.5.0 255.255.255.0 192.168.20.2 1
route inside 192.168.6.0 255.255.255.0 192.168.20.2 1
route inside 192.168.7.0 255.255.255.0 192.168.20.2 1
route inside 192.168.9.0 255.255.255.0 192.168.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username Junaid password kxxxxxxxxxxxs0 encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.90.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community Admins
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
telnet 192.168.10.0 255.255.255.0 DMZ
telnet 192.168.20.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:b62xxxxxxxxxxxxxxxxxx8
: end
MTL-ASA#
Please advise
Regards,
Junaid
05-15-2010 11:42 PM
Actually, I want to permit remote desktop connections and VPN connections, and have all other outside-to-inside traffic blocked.
permit tcp any any eq 3389
for remote desktop.
And what ports should be allowed for a soft VPN connection?
Please advise
05-25-2010 09:31 PM
Sorry for the delay in responding.
Yes, your first line "permit tcp any any eq 3389" will permit any source to any destination on port 3389.
My suggestion is to only allow RDP to the server you want to allow it on, like this (where xx.xx.xx.xx is the destination IP):
permit tcp any host xx.xx.xx.xx eq 3389
For VPN, the ASA should permit inbound VPN termination on the firewall without the need for an ACL. However, if you wish to specify the exact ACL lines, you would allow UDP 500 (ISAKMP), UDP 4500 (only needed for NAT-T) and ESP like this (this allows VPN to your outside interface):
permit udp any host 192.168.74.2 eq 500
permit udp any host 192.168.74.2 eq 4500
permit esp any host 192.168.74.2
Hope that helps.
Jeremy
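To make the two points of this thread concrete (a leading "permit ip any any" shadows every later line, and Jeremy's host-specific RDP and VPN lines leave everything else to the implicit deny), here is an added Python model of ASA first-match ACL evaluation. It is example code written for this page, not anything from Cisco or the poster; the ACL lines are constructed from the thread, and 192.168.1.50 is a hypothetical RDP host in the DMZ.

```python
import ipaddress

# Constructed ACLs modelled on the thread: the catch-all "outside_to_DMZ" ACL as posted, and a
# restricted version following Jeremy's advice (RDP to one host, IKE/NAT-T/ESP to the firewall's
# outside address 192.168.74.2). 192.168.1.50 is a hypothetical RDP host in the DMZ.
LOOSE_ACL = ["permit ip any any", "permit tcp any any eq 3389"]
RESTRICTED_ACL = ["permit tcp any host 192.168.1.50 eq 3389",
                  "permit udp any host 192.168.74.2 eq 500",
                  "permit udp any host 192.168.74.2 eq 4500",
                  "permit esp any host 192.168.74.2"]

def parse_ace(line):
    """Parse the ASA extended-ACE subset used above: action proto src dst [eq port]."""
    tok = line.split()
    pos = 2  # tokens 0 and 1 are the action and the protocol

    def address():  # consumes one of: "any" | "host A.B.C.D" | "A.B.C.D mask"
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        pos += 2
        if tok[pos - 2] == "host":
            return ipaddress.ip_network(tok[pos - 1] + "/32")
        return ipaddress.ip_network(f"{tok[pos - 2]}/{tok[pos - 1]}", strict=False)

    src, dst = address(), address()
    port = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return tok[0], tok[1], src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins, then the ASA's implicit deny. Returns (verdict, index of matching ACE)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, line in enumerate(acl):
        action, p, s, d, port = parse_ace(line)
        if p in ("ip", proto) and src in s and dst in d and port in (None, dport):
            return action, i
    return "deny", None  # implicit deny: nothing in the ACL matched

def shadowed_lines(acl):
    """Indices of ACEs that can never match because an earlier ACE already covers every packet they would."""
    aces = [parse_ace(line) for line in acl]
    shadowed = []
    for j, (_, pj, sj, dj, portj) in enumerate(aces):
        if any(pi in ("ip", pj) and sj.subnet_of(si) and dj.subnet_of(di) and porti in (None, portj)
               for _, pi, si, di, porti in aces[:j]):
            shadowed.append(j)
    return shadowed
```

Running `shadowed_lines(LOOSE_ACL)` reports the RDP line as dead, while with `RESTRICTED_ACL` an RDP attempt to any DMZ host other than 192.168.1.50 falls through to the implicit deny.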