Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Review ASA 5510 config with diagram

I configured my ASA 5510, please find attached my network diagram for reference, and following configuration

Pleaase review my configuration and advise what should be denied and what should be permitted,

moreover please check basic security levels are working fine or not,

please made changes if required

MTL-ASA# sh run
: Saved
:
ASA Version 7.0(7)
!
hostname MTL-ASA
domain-name millat.com.pk
enable password Qxxxxxxxxxxxxxxt encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.74.2 255.255.255.0
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.1.18 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/3
nameif ptcl
security-level 0
ip address 192.168.95.65 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.90.1 255.255.255.0
management-only
!
passwd NyOrA4dtiFkmSvez encrypted
ftp mode passive

dns domain-lookup DMZ

access-list outside_to_DMZ extended permit ip 192.168.74.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_to_DMZ extended permit tcp any any eq 3389
access-list outside_to_DMZ extended permit ip any any
access-list outside_to_DMZ extended permit tcp any any


access-list 101 extended permit ip any any
access-list 101 extended permit tcp any any
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any any eq smtp
access-list 101 extended permit tcp any any eq pop3
access-list 101 extended permit tcp any any eq https
access-list 110 extended permit tcp any any eq https


access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq ftp
access-list inside_access_in extended permit tcp any any eq pop3
access-list inside_access_in extended permit tcp any any eq smtp


access-list DMZ_access_in extended permit tcp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit tcp any any eq www
access-list DMZ_access_in extended permit tcp any any eq https
access-list DMZ_access_in extended permit tcp any any eq ftp
access-list DMZ_access_in extended permit tcp any any eq pop3
access-list DMZ_access_in extended permit tcp any any eq smtp
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu outside 1500
mtu DMZ 2500
mtu inside 1500
mtu ptcl 1500
mtu management 1500

no failover

asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400


global (outside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0


static (DMZ,outside) 192.168.74.0 192.168.1.0 netmask 255.255.255.255


access-group outside_to_DMZ in interface outside
access-group DMZ_access_in in interface DMZ
access-group inside_access_in in interface inside


route outside 0.0.0.0 0.0.0.0 192.168.74.1 1
route inside 192.168.9.0 255.255.255.0 192.168.20.2 1
route inside 192.168.7.0 255.255.255.0 192.168.20.2 1
route inside 192.168.6.0 255.255.255.0 192.168.20.2 1
route inside 192.168.5.0 255.255.255.0 192.168.20.2 1
route inside 192.168.4.0 255.255.255.0 192.168.20.2 1
route inside 192.168.10.0 255.255.255.0 192.168.20.2 1
route inside 192.168.2.0 255.255.255.0 192.168.20.2 1
route inside 192.168.218.0 255.255.255.0 192.168.20.2 1
route inside 192.168.217.0 255.255.255.0 192.168.20.2 1


timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

username Junaid password kxxxxxxxxxxxxx0 encrypted privilege 15

http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.90.0 255.255.255.0 management

no snmp-server location
no snmp-server contact
snmp-server community Admins
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded

telnet 192.168.10.0 255.255.255.0 DMZ
telnet 192.168.20.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:b6xxxxxxxxxxxxxxxxxxxxf8
: end

6 REPLIES
Community Member

Re: Review ASA 5510 config with diagram

Is there anything in particular you are having issues with ?

At first glance your software is OLD. Atleast try to upgrade to 8.x that will make your ASDM prettier:-)  and your ACL's are abit too loose for my taste.I would atleast specify the destinations and where I can also the sources so as to not have spoofing issues or alot of holes.

Cisco Employee

Re: Review ASA 5510 config with diagram

It is a matter of the admin do decide what is allowed or blocked. It depends on the applications that go through your network

.

I would suggest to block everything inbound on the outside interface ACL except from the thing you are hosting for inbound users (like a web server) if you have any.

I hope it helps.

PK

Community Member

Re: Review ASA 5510 config with diagram

This ASA is no longer a firewall.  It's a router with 3 interfaces because all ACLS contain "permit ip any any" and once a packet matches that line it will pass through.

access-list outside_to_DMZ extended permit ip any any

access-list inside_access_in extended permit ip any any

access-list DMZ_access_in extended permit ip any any

Here is what I suggest.  This is only my suggestion and you should decide what is best for your specific needs.

1) Change your "outside_to_DMZ" ACL to something a bit more specific on what you really want to allow in to the DMZ.  Or just put "ip any any" to allow everything in (which is NOT recommended) and remove all the other lines in the ACL which are doing nothing anyway.  It's always best to only allow in only what needs to be let in -- but nothing more.

2) remove the ACL "inside_access_in" as the ASA by default will already allow anything from a higher security level to a lower security level.  So inside will already be able to communicate to DMZ and Outside interfaces by default.  If you do not want the inside to communicate to the DMZ, simply set the security level of the inside and DMZ interfaces to the same security (but higher than the outside interface) level and issue the command "no same-security-traffic permit inter-interface"

3) remove the ACL "DMZ_access_in" as the ASA by default will already allow anything from a higher security level to a lower security level.  So DMZ will already be able to communicate to Outside by default but will NOT be able to communicate to the Inside.

Now you can build from here and add your own specific ACL lines as needed to permit or block specific flows.

Good luck.

Community Member

Re: Review ASA 5510 config with diagram

Thanks JeremyAult,

I have removed all those unnessary ACLs, Its working fine now, DMZ-Inside access has been stopped, Inside users can use resources at DMZ and can Access Internet on outside interface,

Please review my outside interface ACL, I want to refine it, by default, its permitting ip any any ,, and tcp any any,,, I think this should be replaced with my live ip ,

access-list outside_to_DMZ extended permit 58.27.232.16 255.255.255.0 any

this will allow my live ip network pool towards my DMZ and inside .... AM I RIGHT ???

MTL-ASA# sh run
: Saved
:
ASA Version 7.0(7)
!
hostname MTL-ASA
domain-name millat.com.pk
enable password Qxxxxxxxxxxxt encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.74.2 255.255.255.0
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.1.18 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/3
nameif ptcl
security-level 0
ip address 192.168.95.65 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.90.1 255.255.255.0
management-only
!
passwd Nxxxxxxxxxxxxxz encrypted
ftp mode passive
dns domain-lookup DMZ
access-list outside_to_DMZ extended permit ip any any
access-list outside_to_DMZ extended permit tcp any any
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu outside 1500
mtu DMZ 2500
mtu inside 1500
mtu ptcl 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) 192.168.74.0 192.168.1.0 netmask 255.255.255.255
access-group outside_to_DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.74.1 1
route inside 192.168.217.0 255.255.255.0 192.168.20.2 1
route inside 192.168.218.0 255.255.255.0 192.168.20.2 1
route inside 192.168.2.0 255.255.255.0 192.168.20.2 1
route inside 192.168.10.0 255.255.255.0 192.168.20.2 1
route inside 192.168.4.0 255.255.255.0 192.168.20.2 1
route inside 192.168.5.0 255.255.255.0 192.168.20.2 1
route inside 192.168.6.0 255.255.255.0 192.168.20.2 1
route inside 192.168.7.0 255.255.255.0 192.168.20.2 1
route inside 192.168.9.0 255.255.255.0 192.168.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username Junaid password kxxxxxxxxxxxs0 encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.90.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community Admins
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
telnet 192.168.10.0 255.255.255.0 DMZ
telnet 192.168.20.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:b62xxxxxxxxxxxxxxxxxx8
: end
MTL-ASA#

Please advise

Regards,

Junaid

Community Member

Re: Review ASA 5510 config with diagram

Actually, I want to allow remote desktop connection and VPN connection permit and all of the other outside to inside traffic blocked..

permit tcp any any eq 3389

for remote desktop

and what ports should be allowed for soft VPN connection ??

Please advise

Community Member

Re: Review ASA 5510 config with diagram

Sorry for the delay in responding.

Yes your first line "permit tcp any any eq 3389" will permit any source to any destination on port 3389.

My suggestion is to only allow RDP to the server you want to allow it on like this.. (where xx.xx.xx.xx is the destination IP)

permit tcp any host xx.xx.xx.xx eq 3389

For VPN, the ASA should permit inbound VPN termination on the firewall without the need for an ACL.  However, it you wish to specify the exact ACL lines you would allow UDP 500 (ISAKMP) UDP 4500 (only needed for NAT-T) and ESP like this..   (This allows VPN to your outside interface.)

permit udp any host 192.168.74.2 eq 500

permit udp any host 192.168.74.2 eq 4500

permit esp any host 192.168.74.2

Hope that helps.

Jeremy

1604
Views
0
Helpful
6
Replies
CreatePlease to create content