In today's post we will go over a Cisco ASA5540 firewall configuration I did, as promised in my earlier post about the Cisco 881W.
The configuration below, which you can also download here, will give you a fully functional ASA5540, or for that matter a 5510, 5520, 5540 or 5550. You would have to tweak it for the 5505s, and of course for the much bigger 5580s and 5585s.
Also note that this is using IOS 8.2.5, which to my recollection is the last version with this syntax; from 8.3 onwards the syntax differs in various sections, so watch out for that.
This configuration will give you:
- Site-to-site VPN, ASA to IOS (this ASA5540 is connected to the Cisco 881W from the earlier post).
- Various access lists that are good starters.
- A nice connection banner (woo hoo!).
- WebVPN, which is the Cisco VPN that on a default unit gives you up to two users.
- Authentication against an RSA server (another post I'll do at a later date) for one of the VPN options.
- Three (3) connected interfaces, one of which carries a sub-interface on a VLAN for a DMZ. That sub-interface connects to a Cisco 3750X, which I will post configs for at a later date; on that switch, the port config looks like this:
description Goes to Eth4 on Dell R610 for DMZ VLAN
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100-200
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
So that's a wrap-up of this config. There are various other goodies in there that I don't remember right now, but a bunch of these lines, now that you have them, make life a lot easier.
Note that, as in the post on the 881W router, you will have to generate the certificates on this unit if they are self-signed, or, if you have the money, get them from Verisign or from the Cisco option, Entrust, as you can see in the ASDM:
However, one of these puppies costs a cool $275 right now (it used to be more), and that is for 2 years. I would check whether GoDaddy has one... I never got the chance, however.
The ASDM, if you don't know, is the GUI for the ASA, although all hardcore Cisco guys will prefer the CLI. It looks like this when loading:
and when up, the interface looks like this:
I had to take out some identifying IPs and so on, as this is an active firewall. While it's not my preference, it is good for monitoring and reporting; at some point I will do a piece about that.
Just a quick note: in order to be able to connect to the ASDM, you need lines in the config like these (another goody in my config; it's in there for my fake IP, 33.33.33.129):
http server enable
http 33.33.33.33 255.255.255.255 outside
http redirect outside 80
The first line enables the ASDM; the second tells it which IP you are allowing (substitute your IP for that 33.xx), and you can add as many of these as you want.
The third line redirects port 80 to 443. You don't have to do this, but in today's world you probably want to!
Anyway, on to the configuration:
: Saved
: Written by boaz at 22:11:22.374 IST Mon Nov 7 2011
!
ASA Version 8.2(5)
!
hostname ASA5540
domain-name domain.net
enable password aimpQ7TlYQOLOdnA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 33.33.33.33 EXCH-SERVER
name 33.33.33.134 DNS2
name 33.33.33.135 MAC1
name 33.33.33.136 VCENTER
name 33.33.33.131 CENT01
name 33.33.33.137 ZUZ
name 33.33.33.138 VMHOST
name 33.33.33.139 NETAPP
name 33.33.33.132 CENT02
name 33.33.33.140 UBU01
name 10.0.10.0 InsideHosts
name 33.33.33.141 CENT04
name 64.69.47.0 CalPOP
name 33.33.33.142 CHAT
name 192.168.230.0 Wilshire8612Net
name 173.196.143.178 cisco881w-wilshire
!
interface GigabitEthernet0/0
description CONNECTION TO OUTSIDE INTERNET
speed 1000
duplex full
nameif outside
security-level 0
ip address 33.33.33.129 255.255.255.128
!
interface GigabitEthernet0/1
description CONNECTION TO INSIDE
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/2
description CONNECTION TO DMZ
speed 1000
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.10
description DMZ on vlan 110
vlan 110
nameif dmz
security-level 50
ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
banner motd #######################################################
banner motd # W A R N I N G #
banner motd # Unauthorized access prohibited. All access is #
banner motd # monitored, and trespassers shall be prosecuted #
banner motd # to the fullest extent of the law. #
banner motd #######################################################
banner asdm This device is part of a private computer system. It is solely for users that have been authorized, and can be used only to the extent of such authorization.Users (authorized and unauthorized) have no explicit or implicit expectation of privacy when using this system. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized site, corporate, and law enforcement personnel, as well as authorized of
banner asdm YOU MUST LOG OFF IMMEDIATELY - if you do not agree to all of the conditions stated in this warning.
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone IST 5 30
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 4.2.2.2
name-server 8.8.8.8
name-server 10.0.10.60
name-server 10.0.10.61
name-server 10.0.10.40
domain-name domain.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service EXCH-SERVER-PORTS tcp
description Ports allowed for Exchange Server
port-object eq smtp
port-object eq www
port-object eq https
port-object eq imap4
port-object eq echo
object-group service UBU01-PORTS tcp
description Ports allowed for Ubuntu ubu01 Linux Server
port-object eq www
port-object eq domain
port-object eq echo
port-object eq https
object-group service CENT01-PORTS tcp
description Ports allowed for Cent01 Linux Server
port-object eq www
port-object eq domain
port-object eq echo
port-object eq https
object-group service CENT02-PORTS tcp
description Ports allowed for Cent02 Linux Server
port-object eq www
port-object eq domain
port-object eq echo
port-object eq https
object-group service UYUYELLOW-PORTS tcp
description Ports allowed for UYUYELLOW Server
port-object eq www
port-object eq https
object-group network VPN-Users
network-object 192.168.100.0 255.255.255.0
object-group service CENT04-PORTS tcp
description Ports allowed for Cent04 Linux Server
port-object eq www
port-object eq domain
port-object eq echo
port-object eq https
object-group network BOAZ
description Access for Boaz Networks
network-object host 76.90.128.2
network-object host 76.202.70.2
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit tcp any host EXCH-SERVER object-group EXCH-SERVER-PORTS
access-list OUTSIDE_IN extended permit tcp any host MAC1 object-group MAC-SERVERS-PORTS
access-list OUTSIDE_IN extended permit tcp CalPOP 255.255.255.0 host CENT01 eq ssh
access-list OUTSIDE_IN extended permit tcp any host CENT01 object-group CENT01-PORTS
access-list OUTSIDE_IN extended permit udp any host CENT01 eq domain
access-list OUTSIDE_IN extended permit udp any host CENT02 eq domain
access-list OUTSIDE_IN extended permit tcp any host CENT02 object-group CENT02-PORTS
access-list OUTSIDE_IN extended permit tcp any host UYUYELLOW object-group UYUYELLOW-PORTS
access-list OUTSIDE_IN extended permit tcp any host UBU01 object-group UBU01-PORTS
access-list OUTSIDE_IN extended permit tcp CalPOP 255.255.255.0 host UYUYELLOW eq ssh
access-list OUTSIDE_IN extended permit tcp host 24.43.35.219 host VCENTER object-group VCENTER-PORTS
access-list OUTSIDE_IN extended permit tcp any host CENT04 object-group CENT04-PORTS
access-list OUTSIDE_IN extended permit ip object-group VPN-Users any
access-list OUTSIDE_IN extended permit ip 192.168.10.0 255.255.255.0 any
access-list OUTSIDE_IN extended permit tcp 192.168.10.0 255.255.255.0 host UYUYELLOW eq www
access-list OUTSIDE_IN extended permit ip object-group BOAZ any
access-list SplitTunnelACL standard permit 10.13.0.0 255.255.0.0
access-list SplitTunnelACL standard permit 10.14.0.0 255.255.0.0
access-list SplitTunnelACL standard permit 10.15.0.0 255.255.0.0
access-list SplitTunnelACL standard permit InsideHosts 255.255.255.0
access-list SplitTunnelACL standard permit Wilshire8612Net 255.255.255.0
access-list DMZtoInside extended permit tcp host 192.168.10.20 host 192.168.10.21 eq ssh
access-list DMZtoInside extended permit ip 192.168.10.0 255.255.255.0 any
access-list DMZtoInside extended permit tcp host UYUYELLOW host CHAT eq www
access-list 8612WilshireVPN_CRYPTOMAP extended permit ip InsideHosts 255.255.255.0 Wilshire8612Net 255.255.255.0
access-list inside_nat0_outbound extended permit ip InsideHosts 255.255.255.0 Wilshire8612Net 255.255.255.0
access-list inside_nat0_outbound extended permit ip InsideHosts 255.255.255.0 object-group VPN-Users
access-list inside_nat0_outbound extended permit ip object-group VPN-Users InsideHosts 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging standby
logging list e-mail-notification level critical
logging list e-mail-notification message 713050
logging list e-mail-notification message 611101-611102
logging list Auth-Alerts level alerts class auth
logging buffer-size 1048576
logging console warnings
logging buffered informational
logging trap informational
logging asdm informational
logging mail e-mail-notification
logging from-address ASA55XX@domain.NET
logging recipient-address Boaz@domain.com level emergencies
logging recipient-address cto@domain.com level critical
logging facility 18
logging class auth buffered alerts monitor emergencies
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool OPS_VPN_IP_POOL 192.168.100.70-192.168.100.74
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-643.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (inside) 1 interface
global (dmz) 1 33.33.33.150 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 InsideHosts 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) CENT01 10.0.10.60 netmask 255.255.255.255
static (inside,outside) MAC1 10.0.10.50 netmask 255.255.255.255
static (inside,outside) VCENTER 10.0.10.42 netmask 255.255.255.255
static (inside,outside) EXCH-SERVER 10.0.10.55 netmask 255.255.255.255
static (inside,outside) ZUZ 10.0.10.40 netmask 255.255.255.255
static (inside,outside) VMHOST 10.0.10.5 netmask 255.255.255.255
static (inside,outside) NETAPP 10.0.10.11 netmask 255.255.255.255
static (inside,outside) CENT02 10.0.10.62 netmask 255.255.255.255
static (inside,outside) UYUYELLOW 10.0.10.63 netmask 255.255.255.255
static (dmz,outside) UBU01 192.168.10.20 netmask 255.255.255.255
static (inside,outside) CENT04 10.0.10.61 netmask 255.255.255.255
static (inside,dmz) 192.168.10.21 10.0.10.60 netmask 255.255.255.255
static (dmz,outside) CHAT 192.168.10.25 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
access-group DMZtoInside in interface dmz
route outside 0.0.0.0 0.0.0.0 33.33.33.254 1
timeout xlate 3:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPNUSERS protocol sdi
reactivation-mode timed
aaa-server VPNUSERS (inside) host 10.0.10.65
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 33.33.33.33 255.255.255.255 outside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set SpotEquinixSET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 900
crypto ipsec security-association lifetime kilobytes 4608000
crypto map 8612_wilshire_map 9 match address 8612WilshireVPN_CRYPTOMAP
crypto map 8612_wilshire_map 9 set peer cisco881w-wilshire
crypto map 8612_wilshire_map 9 set transform-set SpotEquinixSET
crypto map 8612_wilshire_map 9 set security-association lifetime seconds 900
crypto map 8612_wilshire_map 9 set reverse-route
crypto map 8612_wilshire_map interface outside
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.domain.com
subject-name CN=sslvpn.domain.com
keypair sslvpnkeypair
crl configure
crypto ca certificate chain localtrust
certificate 04ec574e
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 9
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 900
telnet timeout 5
ssh 33.33.33.33 255.255.255.255 outside
ssh InsideHosts 255.255.255.0 inside
ssh timeout 20
ssh version 2
console timeout 60
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 148.167.132.201 source outside prefer
tftp-server dmz 192.168.10.20 ASA5540-Running-Config
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1 null-sha1
ssl trust-point localtrust outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 2
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
svc profiles sslgroup disk0:/sslgroup.xml
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy Anyconnect-Policy internal
group-policy Anyconnect-Policy attributes
wins-server none
dns-server value 10.0.10.60 10.0.10.40
vpn-idle-timeout 30
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnelACL
default-domain value domain.net
address-pools value OPS_VPN_IP_POOL
webvpn
url-list none
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc profiles value sslgroup
svc ask enable default svc
customization value DfltCustomization
group-policy Anyconnect-tunnelall-policy internal
group-policy Anyconnect-tunnelall-policy attributes
wins-server none
dns-server value 10.0.10.60 10.0.10.40
vpn-idle-timeout 432000
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelall
split-tunnel-network-list value SplitTunnelACL
default-domain value domain.net
address-pools value OPS_VPN_IP_POOL
webvpn
url-list none
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc profiles value sslgroup
svc ask enable default svc
customization value DfltCustomization
username admin password <password removed> encrypted privilege 15
username boaz password <password removed> encrypted privilege 15
tunnel-group DVT_OPS type remote-access
tunnel-group DVT_OPS general-attributes
address-pool DVT_Ops
default-group-policy Anyconnect-Policy
tunnel-group DVT_OPS webvpn-attributes
group-alias DVT_OPS enable
group-url https://33.33.33.129/DVT_OPS enable
tunnel-group DVT_OPS ipsec-attributes
pre-shared-key eat2meat
tunnel-group rsausers type remote-access
tunnel-group rsausers general-attributes
authentication-server-group VPNUSERS
default-group-policy Anyconnect-Policy
tunnel-group rsausers webvpn-attributes
group-alias 2_RSA_USERS enable
group-alias RSA_USERS disable
tunnel-group 173.196.143.178 type ipsec-l2l
tunnel-group 173.196.143.178 ipsec-attributes
pre-shared-key branch2vpnkey
isakmp keepalive threshold 30 retry 5
tunnel-group TUNNELALL type remote-access
tunnel-group TUNNELALL general-attributes
address-pool DVT_Ops
tunnel-group TUNNELALL webvpn-attributes
group-alias TUNNELALL enable
group-url https://33.33.33.129/TUNNELALL enable
tunnel-group TUNNELALL ipsec-attributes
pre-shared-key 12345
!
class-map insp
class-map inspection_default
match default-inspection-traffic
class-map default
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
smtp-server 10.0.10.55
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:133a71b606a9f1a9318529c1517914e3
: end
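As an added example (my own audit script, not Cisco's and not part of the original post), here is a small Python linter for the 8.2-style syntax above. It parses a constructed excerpt carrying the same SSL cipher list, transform set, ISAKMP policy, pre-shared keys and access-list entries as the posted config, and flags the settings a reviewer would want tightened; the "weak" thresholds it applies are this script's own policy choices.

```python
"""Audit an ASA 8.2-style running config for weak crypto and management settings.

Hypothetical audit script written for this post; it is not a Cisco tool, and the
"weak" thresholds below are this script's own policy choices.
"""
import re

# Constructed excerpt that mirrors the settings in the posted config (not the whole file).
SAMPLE_CONFIG = """\
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1 null-sha1
crypto ipsec transform-set SpotEquinixSET esp-3des esp-sha-hmac
crypto isakmp policy 9
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 900
ssh 33.33.33.33 255.255.255.255 outside
ssh version 2
http server enable
http 33.33.33.33 255.255.255.255 outside
tunnel-group 173.196.143.178 ipsec-attributes
pre-shared-key branch2vpnkey
tunnel-group TUNNELALL ipsec-attributes
pre-shared-key 12345
access-list OUTSIDE_IN extended permit ip object-group BOAZ any
access-list OUTSIDE_IN extended permit tcp any host EXCH-SERVER object-group EXCH-SERVER-PORTS
"""

WEAK_SSL = {"null-sha1": "no encryption", "des-sha1": "56-bit DES", "rc4-md5": "RC4 with MD5",
            "rc4-sha1": "RC4", "3des-sha1": "3DES (64-bit block)"}
WEAK_ESP = {"esp-null": "no encryption", "esp-des": "56-bit DES",
            "esp-3des": "3DES (64-bit block)", "esp-md5-hmac": "MD5 integrity"}
WEAK_IKE = {("encryption", "des"): "56-bit DES", ("encryption", "3des"): "3DES",
            ("hash", "md5"): "MD5", ("group", "1"): "DH group 1 (768-bit)",
            ("group", "2"): "DH group 2 (1024-bit)"}
MIN_PSK_LEN = 16  # policy choice for this script
# Sub-commands that live inside an isakmp policy or tunnel-group block; the config
# dump on this page has its indentation stripped, so blocks are tracked by keyword.
SUBCOMMANDS = {"pre-shared-key", "encryption", "hash", "group", "authentication", "lifetime"}
ACL_IP_ANY = re.compile(r"access-list (\S+) extended permit ip \S.* any$")


def audit_config(text):
    """Return a list of findings, each a dict with severity, line, context and msg."""
    findings = []
    context = None  # the isakmp policy / tunnel-group block we are currently inside

    def add(severity, msg):
        findings.append({"severity": severity, "line": n, "context": context, "msg": msg})

    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok:
            continue
        if tok[0] not in SUBCOMMANDS:
            # A top-level command: enter a block we care about, or leave the current one.
            if tok[0] == "tunnel-group" and tok[-1] == "ipsec-attributes":
                context = "tunnel-group " + tok[1]
            elif tok[:3] == ["crypto", "isakmp", "policy"]:
                context = "isakmp policy " + tok[3]
            else:
                context = None
        if tok[:2] == ["ssl", "encryption"]:
            for cipher in tok[2:]:
                if cipher in WEAK_SSL:
                    add("high", f"weak SSL cipher {cipher}: {WEAK_SSL[cipher]}")
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            for xform in tok[4:]:
                if xform in WEAK_ESP:
                    add("high", f"weak transform in {tok[3]}: {xform} ({WEAK_ESP[xform]})")
        elif context and context.startswith("isakmp") and tuple(tok[:2]) in WEAK_IKE:
            add("medium", f"{tok[0]} {tok[1]}: {WEAK_IKE[tuple(tok[:2])]}")
        elif tok[0] == "pre-shared-key":
            key = tok[1] if len(tok) > 1 else ""
            if key.isdigit() or len(key) < MIN_PSK_LEN:
                add("high", f"weak pre-shared key ({len(key)} chars)")
        elif tok[0] in ("ssh", "telnet", "http") and len(tok) == 4 and tok[2] == "0.0.0.0":
            add("high", f"{tok[0]} management open to any source on {tok[3]}")
        elif tok[0] == "telnet" and len(tok) == 4:
            add("medium", "telnet management enabled (cleartext)")
        elif ACL_IP_ANY.match(raw.strip()):
            add("medium", f"{tok[1]}: 'permit ip ... any' allows all IP traffic")
    return findings


def count_by_severity(findings):
    """Tally findings per severity, e.g. {'high': 8, 'medium': 3}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f['severity']:6}] line {f['line']:>3} {f['context'] or '-'}: {f['msg']}")
    print(count_by_severity(audit_config(SAMPLE_CONFIG)))
```

Run it against a `show running-config` dump (with `more` paging off) to get the same report for a real box; the script only reads the file and never talks to the firewall.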
By the way, I just noticed that I took the "inspect esmtp" out of the global policy map. I needed to test
access to an Exchange server, so I did that; by default you have that line in there, but due to a Cisco bug it doesn't perform as it should.
When you test telnetting to port 25 from the outside, you will get a banner like this:
After doing the following:
ASA5540(config)#policy-map global_policy
ASA5540(config-pmap)#class inspection_default
ASA5540(config-pmap-c)#no inspect esmtp
you will then get the banner like this:
If you want to add ESMTP inspection back, just enter the above commands without the "no", as with any Cisco command.
Email me with any questions if you have!