04-24-2010 07:32 AM - edited 03-11-2019 10:36 AM
Hello,
I have very basic knowledge of the ASA5505 and I recently purchased one for home usage.
I need assistance in hardening this ASA.
Below is my current config, please advise suggestions to lock it down.
Also, I am having trouble entering the following commands via the CLI; it won't accept the command "class inspection_default":
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
thx
--------------------------------------------------------------------------------------------------
ASA Version 8.3(1)
!
hostname xxxxx
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan200
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan500
 no forward interface Vlan800
 nameif dmz
 security-level 50
 ip address 10.2.1.1 255.255.255.0
!
interface Vlan800
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 200
!
interface Ethernet0/1
 switchport access vlan 800
!
interface Ethernet0/2
 switchport access vlan 800
!
interface Ethernet0/3
 switchport access vlan 800
!
interface Ethernet0/4
 switchport access vlan 800
!
interface Ethernet0/5
 switchport access vlan 800
!
interface Ethernet0/6
 switchport access vlan 800
!
interface Ethernet0/7
 switchport access vlan 500
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone xxxxxxx
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended deny ip any any
access-list dmz_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
ipv6 access-list inside_access_ipv6_in deny ip any any
ipv6 access-list dmz_access_ipv6_in deny ip any any
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group dmz_access_ipv6_in in interface dmz
access-group inside_access_ipv6_in in interface inside
route outside 0.0.0.0 0.0.0.0 [ISP default gateway] 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 5
dhcpd auto_config outside
!
dhcpd address 192.168.1.8-192.168.1.10 inside
dhcpd dns [ISP DNS1] [ISP DNS2] interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username mmok password xxxxxxxxxxx encrypted
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
policy-map gloabl_policy
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxx
: end
asdm image disk0:/asdm-631.bin
no asdm history enable
04-24-2010 09:20 AM
The policy-map global_policy, which contains the class inspection_default, is by default part of the configuration of the ASA.
This policy-map is linked globally to the ASA with the service-policy global_policy global command.
Check out more information here:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html
Let us know if you have any questions.
Federico.
04-24-2010 09:03 AM
Hi,
It seems the ASA has 3 interfaces (inside, dmz, outside).
All incoming traffic through the outside and dmz interfaces is denied by ACLs.
Outgoing traffic is permitted.
It seems to be OK; the recommendations will depend on what you want this ASA to do.
Do you currently have Internet access from your home through the ASA?
Federico.
04-24-2010 09:12 AM
Outside is currently connected to my ISP.
Inside contains one laptop.
Nothing in the DMZ so far.
I have a good handle on access-lists (I think), but I am more worried about the inspection policy, etc., which I am not familiar with, and hope I can get some help on it.
thx
04-24-2010 07:19 PM
The document looks good! I will have to read on it! thx