Monday, April 9, 2012

Setting up a Cisco ASA5510, 5520, 5540 or 5550

Posted by: Boaz Minitzer

In today's post, we will go over a Cisco ASA5540 firewall configuration I did, as promised in my previous post about the Cisco 881W.

The configuration below, which you can also download here, will give you a fully functional ASA5540, or for that matter a 5510, 5520, 5540 or 5550; you would have to tweak it for the 5505s, and of course for the much bigger 5580s and 5585s.

Also note that this uses ASA software 8.2(5), which to my recollection is the last version with this syntax; from 8.3 onwards various sections use a different syntax, so watch out for that.

This configuration will give you:

  1. Site-to-site VPN, ASA to IOS (this ASA5540 connected to the Cisco 881W in the post mentioned above).
  2. Various access lists that are good starters.
  3. A nice connection banner (woo hoo!).
  4. WebVPN, which is the Cisco VPN that on a default unit gives you up to two users.
  5. Authentication against an RSA server (another post which I'll do at a later date) for one of the VPN options.
  6. Three (3) connected interfaces, one of which is sub-interfaced for a VLAN used as a DMZ. That in turn connects to a Cisco 3750X, which I will post configs for at a later date; on that switch, the relevant port config looks like this:
interface GigabitEthernet0/18
 description Goes to Eth4 on Dell R610 for DMZ VLAN
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-200
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!

So that's a wrap-up of this config. There are various other goodies in it that I don't remember right now, but there are a bunch of lines in there that, now that you have them, make life a lot easier.

Note that, as in the post on the 881W router, you will have to generate the certificates on this unit if they are self-signed, or, if you have the money, get them from Verisign or from the Cisco option, Entrust, as you can see in the ASDM:

However, to buy one of these puppies it's a cool $275 right now (it used to be more), and that is for 2 years. I would check if GoDaddy has one; I never got the chance, however.

The ASDM, if you don't know, is the GUI for the ASA. Although all hardcore Cisco guys will prefer the CLI, it looks like this when loading:

and when up, the interface looks like this:

I had to take out some identifying IPs and so on, as this is an active firewall. While the ASDM is not my preference, it is good for monitoring and reporting; at some point I will do a piece about that.

Just a quick note: in order to enable yourself to connect to the ASDM, you need to have lines in the config like these (which is another goody in my config; it's in there for my fake IP, 33.33.33.129):

http server enable
http 33.33.33.33 255.255.255.255 outside
http redirect outside 80

The first line enables the ASDM; the second tells it which source IP you are allowing to connect (substitute your IP for that 33.xx), and you can add as many of these lines as you want.
The third line redirects port 80 to 443; you don't have to do this, but in today's world you probably want to!
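To check what those http/ssh lines actually expose, here is an added Python example (not from the original post) that reads the http, ssh and telnet access lines in ASA 8.2 syntax and flags management access open to more than a single host on the outside interface, telnet anywhere, and a missing "ssh version 2". It assumes literal addresses; a configured name such as the post's InsideHosts would have to be expanded first.

```python
import ipaddress

# Constructed sample in the post's ASA 8.2 syntax: the post's own http/ssh lines
# plus one deliberately over-broad ssh entry to show what the check flags.
# Addresses are literal here; the post's 'ssh InsideHosts ...' style, which uses
# a configured name, would need the name expanded first.
SAMPLE_CONFIG = """\
http server enable
http 33.33.33.33 255.255.255.255 outside
http redirect outside 80
ssh 33.33.33.33 255.255.255.255 outside
ssh 10.0.10.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
"""


def management_rules(config):
    """Return (service, network, interface) for every http/ssh/telnet allow line."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] in ("http", "ssh", "telnet"):
            try:
                net = ipaddress.IPv4Network((parts[1], parts[2]), strict=False)
            except ValueError:
                continue  # 'http redirect outside 80' and similar non-ACL lines
            rules.append((parts[0], net, parts[3]))
    return rules


def audit_management_access(config, outside_ifaces=("outside",), min_outside_prefixlen=32):
    """List management-plane exposures: broad outside sources, telnet, no SSHv2 pin."""
    findings = []
    for service, net, iface in management_rules(config):
        if service == "telnet":
            findings.append(f"telnet from {net} on {iface}: cleartext management protocol")
        elif iface in outside_ifaces and net.prefixlen < min_outside_prefixlen:
            findings.append(f"{service} from {net} on {iface}: broader than /{min_outside_prefixlen}")
    if "ssh version 2" not in config.splitlines():
        findings.append("ssh version 2 not set: SSHv1 will also be accepted")
    return findings


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print(finding)
```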

Anyway, on to the configuration:

: Saved
: Written by boaz at 22:11:22.374 IST Mon Nov 7 2011
!
ASA Version 8.2(5)
!
hostname ASA5540
domain-name domain.net
enable password aimpQ7TlYQOLOdnA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 33.33.33.33 EXCH-SERVER
name 33.33.33.134 DNS2
name 33.33.33.135 MAC1
name 33.33.33.136 VCENTER
name 33.33.33.131 CENT01
name 33.33.33.137 ZUZ
name 33.33.33.138 VMHOST
name 33.33.33.139 NETAPP
name 33.33.33.132 CENT02
name 33.33.33.140 UBU01
name 10.0.10.0 InsideHosts
name 33.33.33.141 CENT04
name 64.69.47.0 CalPOP
name 33.33.33.142 CHAT
name 192.168.230.0 Wilshire8612Net
name 173.196.143.178 cisco881w-wilshire
!
interface GigabitEthernet0/0
 description CONNECTION TO OUTSIDE INTERNET
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 33.33.33.129 255.255.255.128
!
interface GigabitEthernet0/1
 description CONNECTION TO INSIDE
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 description CONNECTION TO DMZ
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.10
 description DMZ on vlan 110
 vlan 110
 nameif dmz
 security-level 50
 ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
banner motd #######################################################
banner motd #          W A R N I N G                              #
banner motd #  Unauthorized access prohibited. All access is      #
banner motd #  monitored, and trespassers shall be prosecuted     #
banner motd #  to the fullest extent of the law.                  #
banner motd #######################################################
banner asdm This device is part of a private computer system. It is solely for users that have been authorized, and can be used only to the extent of such authorization.Users (authorized and unauthorized) have no explicit or implicit expectation of privacy when using this system. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized site, corporate, and law enforcement personnel, as well as authorized of
banner asdm YOU MUST LOG OFF IMMEDIATELY - if you do not agree to all of the conditions stated in this warning.
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone IST 5 30
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 4.2.2.2
 name-server 8.8.8.8
 name-server 10.0.10.60
 name-server 10.0.10.61
 name-server 10.0.10.40
 domain-name domain.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service EXCH-SERVER-PORTS tcp
 description Ports allowed for Exchange Server
 port-object eq smtp
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq echo
object-group service UBU01-PORTS tcp
 description Ports allowed for Ubuntu ubu01 Linux Server
 port-object eq www
 port-object eq domain
 port-object eq echo
 port-object eq https
object-group service CENT01-PORTS tcp
 description Ports allowed for Cent01 Linux Server
 port-object eq www
 port-object eq domain
 port-object eq echo
 port-object eq https
object-group service CENT02-PORTS tcp
 description Ports allowed for Cent02 Linux Server
 port-object eq www
 port-object eq domain
 port-object eq echo
 port-object eq https
object-group service UYUYELLOW-PORTS tcp
 description Ports allowed for UYUYELLOW Server
 port-object eq www
 port-object eq https
object-group network VPN-Users
 network-object 192.168.100.0 255.255.255.0
object-group service CENT04-PORTS tcp
 description Ports allowed for Cent04 Linux Server
 port-object eq www
 port-object eq domain
 port-object eq echo
 port-object eq https
object-group network BOAZ
 description Access for Boaz Networks
 network-object host 76.90.128.2
 network-object host 76.202.70.2
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit tcp any host EXCH-SERVER object-group EXCH-SERVER-PORTS
access-list OUTSIDE_IN extended permit tcp any host MAC1 object-group MAC-SERVERS-PORTS
access-list OUTSIDE_IN extended permit tcp CalPOP 255.255.255.0 host CENT01 eq ssh
access-list OUTSIDE_IN extended permit tcp any host CENT01 object-group CENT01-PORTS
access-list OUTSIDE_IN extended permit udp any host CENT01 eq domain
access-list OUTSIDE_IN extended permit udp any host CENT02 eq domain
access-list OUTSIDE_IN extended permit tcp any host CENT02 object-group CENT02-PORTS
access-list OUTSIDE_IN extended permit tcp any host UYUYELLOW object-group UYUYELLOW-PORTS
access-list OUTSIDE_IN extended permit tcp any host UBU01 object-group UBU01-PORTS
access-list OUTSIDE_IN extended permit tcp CalPOP 255.255.255.0 host UYUYELLOW eq ssh
access-list OUTSIDE_IN extended permit tcp host 24.43.35.219 host VCENTER object-group VCENTER-PORTS
access-list OUTSIDE_IN extended permit tcp any host CENT04 object-group CENT04-PORTS
access-list OUTSIDE_IN extended permit ip object-group VPN-Users any
access-list OUTSIDE_IN extended permit ip 192.168.10.0 255.255.255.0 any
access-list OUTSIDE_IN extended permit tcp 192.168.10.0 255.255.255.0 host UYUYELLOW eq www
access-list OUTSIDE_IN extended permit ip object-group BOAZ any
access-list SplitTunnelACL standard permit 10.13.0.0 255.255.0.0
access-list SplitTunnelACL standard permit 10.14.0.0 255.255.0.0
access-list SplitTunnelACL standard permit 10.15.0.0 255.255.0.0
access-list SplitTunnelACL standard permit InsideHosts 255.255.255.0
access-list SplitTunnelACL standard permit Wilshire8612Net 255.255.255.0
access-list DMZtoInside extended permit tcp host 192.168.10.20 host 192.168.10.21 eq ssh
access-list DMZtoInside extended permit ip 192.168.10.0 255.255.255.0 any
access-list DMZtoInside extended permit tcp host UYUYELLOW host CHAT eq www
access-list 8612WilshireVPN_CRYPTOMAP extended permit ip InsideHosts 255.255.255.0 Wilshire8612Net 255.255.255.0
access-list inside_nat0_outbound extended permit ip InsideHosts 255.255.255.0 Wilshire8612Net 255.255.255.0
access-list inside_nat0_outbound extended permit ip InsideHosts 255.255.255.0 object-group VPN-Users
access-list inside_nat0_outbound extended permit ip object-group VPN-Users InsideHosts 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging standby
logging list e-mail-notification level critical
logging list e-mail-notification message 713050
logging list e-mail-notification message 611101-611102
logging list Auth-Alerts level alerts class auth
logging buffer-size 1048576
logging console warnings
logging buffered informational
logging trap informational
logging asdm informational
logging mail e-mail-notification
logging from-address ASA55XX@domain.NET
logging recipient-address Boaz@domain.com level emergencies
logging recipient-address cto@domain.com level critical
logging facility 18
logging class auth buffered alerts monitor emergencies
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool OPS_VPN_IP_POOL 192.168.100.70-192.168.100.74
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-643.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (inside) 1 interface
global (dmz) 1 33.33.33.150 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 InsideHosts 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) CENT01 10.0.10.60 netmask 255.255.255.255
static (inside,outside) MAC1 10.0.10.50 netmask 255.255.255.255
static (inside,outside) VCENTER 10.0.10.42 netmask 255.255.255.255
static (inside,outside) EXCH-SERVER 10.0.10.55 netmask 255.255.255.255
static (inside,outside) ZUZ 10.0.10.40 netmask 255.255.255.255
static (inside,outside) VMHOST 10.0.10.5 netmask 255.255.255.255
static (inside,outside) NETAPP 10.0.10.11 netmask 255.255.255.255
static (inside,outside) CENT02 10.0.10.62 netmask 255.255.255.255
static (inside,outside) UYUYELLOW 10.0.10.63 netmask 255.255.255.255
static (dmz,outside) UBU01 192.168.10.20 netmask 255.255.255.255
static (inside,outside) CENT04 10.0.10.61 netmask 255.255.255.255
static (inside,dmz) 192.168.10.21 10.0.10.60 netmask 255.255.255.255
static (dmz,outside) CHAT 192.168.10.25 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
access-group DMZtoInside in interface dmz
route outside 0.0.0.0 0.0.0.0 33.33.33.254 1
timeout xlate 3:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPNUSERS protocol sdi
 reactivation-mode timed
aaa-server VPNUSERS (inside) host 10.0.10.65
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 33.33.33.33 255.255.255.255 outside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set SpotEquinixSET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 900
crypto ipsec security-association lifetime kilobytes 4608000
crypto map 8612_wilshire_map 9 match address 8612WilshireVPN_CRYPTOMAP
crypto map 8612_wilshire_map 9 set peer cisco881w-wilshire
crypto map 8612_wilshire_map 9 set transform-set SpotEquinixSET
crypto map 8612_wilshire_map 9 set security-association lifetime seconds 900
crypto map 8612_wilshire_map 9 set reverse-route
crypto map 8612_wilshire_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.domain.com
 subject-name CN=sslvpn.domain.com
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain localtrust
 certificate 04ec574e
    308201ef 30820158 a0030201 02020404 ec574e30 0d06092a 864886f7 0d010105
    0500303c 31193017 06035504 03131073 736c7670 6e2e6476 6972742e 636f6d31
    1f301d06 092a8648 86f70d01 09021610 73736c76 706e2e64 76697274 2e636f6d
    301e170d 31313039 30363231 33303131 5a170d32 31303930 33323133 3031315a
    303c3119 30170603 55040313 1073736c 76706e2e 64766972 742e636f 6d311f30
    1d06092a 864886f7 0d010902 16107373 6c76706e 2e647669 72742e63 6f6d3081
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100d7 b0d897e9
    2011a0ca 7a471b2c 69984191 2ff024f3 714b7ac0 d728c649 23ffb20a ae26f71c
    d9175958 9168f61b 4160f371 49960f3d c0be3759 7612adb8 e1b69acc 5ad14bad
    249ce358 c43f0ae1 a28f967d 7d7eb493 2adbdb07 581fb382 cda00c4c 99dc5ff6
    613bea4c 2e7aad75 0e7aac52 0adaf90f 92470f65 3ca345da 62932d02 03010001
    300d0609 2a864886 f70d0101 05050003 818100b0 d8b1a8d6 b6054d10 b2b5ae94
    492d5696 644243cd ae3604e0 0ac6fd2a 9289c5b3 cd047aae abeac854 4308f572
    f81db100 f760512e a9232e88 1d20182f 72517a64 65800718 0ffa2dba 7345a79b
    54ccbcf8 09819199 efb92460 d5355794 cf6db208 5112c2df 7c44256e 224dadda
    df799348 613e3ef9 fa6f85c3 46c29fb8 1ea482
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 9
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 900
telnet timeout 5
ssh 33.33.33.33 255.255.255.255 outside
ssh InsideHosts 255.255.255.0 inside
ssh timeout 20
ssh version 2
console timeout 60
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 148.167.132.201 source outside prefer
tftp-server dmz 192.168.10.20 ASA5540-Running-Config
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1 null-sha1
ssl trust-point localtrust outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 2
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
 svc profiles sslgroup disk0:/sslgroup.xml
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy Anyconnect-Policy internal
group-policy Anyconnect-Policy attributes
 wins-server none
 dns-server value 10.0.10.60 10.0.10.40
 vpn-idle-timeout 30
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnelACL
 default-domain value domain.net
 address-pools value OPS_VPN_IP_POOL
 webvpn
  url-list none
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc profiles value sslgroup
  svc ask enable default svc
  customization value DfltCustomization
group-policy Anyconnect-tunnelall-policy internal
group-policy Anyconnect-tunnelall-policy attributes
 wins-server none
 dns-server value 10.0.10.60 10.0.10.40
 vpn-idle-timeout 432000
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelall
 split-tunnel-network-list value SplitTunnelACL
 default-domain value domain.net
 address-pools value OPS_VPN_IP_POOL
 webvpn
  url-list none
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc profiles value sslgroup
  svc ask enable default svc
  customization value DfltCustomization
username admin password <password removed> encrypted privilege 15
username boaz password <password removed> encrypted privilege 15
tunnel-group DVT_OPS type remote-access
tunnel-group DVT_OPS general-attributes
 address-pool DVT_Ops
 default-group-policy Anyconnect-Policy
tunnel-group DVT_OPS webvpn-attributes
 group-alias DVT_OPS enable
 group-url https://33.33.33.129/DVT_OPS enable
tunnel-group DVT_OPS ipsec-attributes
 pre-shared-key eat2meat
tunnel-group rsausers type remote-access
tunnel-group rsausers general-attributes
 authentication-server-group VPNUSERS
 default-group-policy Anyconnect-Policy
tunnel-group rsausers webvpn-attributes
 group-alias 2_RSA_USERS enable
 group-alias RSA_USERS disable
tunnel-group 173.196.143.178 type ipsec-l2l
tunnel-group 173.196.143.178 ipsec-attributes
 pre-shared-key branch2vpnkey
 isakmp keepalive threshold 30 retry 5
tunnel-group TUNNELALL type remote-access
tunnel-group TUNNELALL general-attributes
 address-pool DVT_Ops
tunnel-group TUNNELALL webvpn-attributes
 group-alias TUNNELALL enable
 group-url https://33.33.33.129/TUNNELALL enable
tunnel-group TUNNELALL ipsec-attributes
 pre-shared-key 12345
!
class-map insp
class-map inspection_default
 match default-inspection-traffic
class-map default
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
smtp-server 10.0.10.55
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:133a71b606a9f1a9318529c1517914e3
: end
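The listing above references identifiers it never defines (the OUTSIDE_IN entries for the MAC-SERVERS-PORTS and VCENTER-PORTS object-groups, the UYUYELLOW host, and the DVT_Ops address pool, for instance), which the ASA would not accept as written. Here is an added Python check, not part of the original post, that cross-references access-list and address-pool lines in ASA 8.2 syntax against the name, object-group and ip local pool definitions and reports anything dangling; the sample config is a constructed excerpt in that syntax.

```python
import re

# Constructed excerpt in the ASA 8.2 syntax of the post's listing, with a few
# references left dangling on purpose so the check has something to report.
SAMPLE_CONFIG = """\
name 33.33.33.33 EXCH-SERVER
name 33.33.33.135 MAC1
name 64.69.47.0 CalPOP
object-group service EXCH-SERVER-PORTS tcp
 port-object eq smtp
object-group network VPN-Users
 network-object 192.168.100.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any host EXCH-SERVER object-group EXCH-SERVER-PORTS
access-list OUTSIDE_IN extended permit tcp any host MAC1 object-group MAC-SERVERS-PORTS
access-list OUTSIDE_IN extended permit tcp CalPOP 255.255.255.0 host UYUYELLOW eq ssh
access-list OUTSIDE_IN extended permit ip object-group VPN-Users any
ip local pool OPS_VPN_IP_POOL 192.168.100.70-192.168.100.74
tunnel-group DVT_OPS general-attributes
 address-pool DVT_Ops
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Keywords that may legitimately sit in front of an address or mask in an ACL entry.
ACL_KEYWORDS = {"host", "permit", "deny", "ip", "tcp", "udp", "icmp", "any"}

def collect_definitions(config):
    """Names, object-groups and local pools defined at the top level of the config."""
    names, groups, pools = set(), set(), set()
    for line in config.splitlines():
        parts = line.split()
        if line.startswith(" ") or not parts:
            continue  # indented sub-commands never define a new identifier
        if parts[0] == "name" and len(parts) >= 3:
            names.add(parts[2])
        elif parts[0] == "object-group" and len(parts) >= 3:
            groups.add(parts[2])
        elif parts[:3] == ["ip", "local", "pool"] and len(parts) >= 4:
            pools.add(parts[3])
    return names, groups, pools

def find_dangling_references(config):
    """Return (line_no, kind, token) for every reference that has no definition."""
    names, groups, pools = collect_definitions(config)
    problems = []
    for no, line in enumerate(config.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "access-list":
            for tok, nxt in zip(parts, parts[1:]):
                if tok == "object-group" and nxt not in groups:
                    problems.append((no, "object-group", nxt))
                elif tok == "host" and not IPV4.match(nxt) and nxt not in names:
                    problems.append((no, "name", nxt))
                elif (IPV4.match(nxt) and not IPV4.match(tok)
                      and tok not in ACL_KEYWORDS and tok not in names):
                    problems.append((no, "name", tok))  # named network + mask
        elif parts[0] in ("address-pool", "address-pools") and parts[-1] not in pools:
            problems.append((no, "ip local pool", parts[-1]))
    return problems
```

Run it over a full running config (names resolved by the ASA's own "name" lines) and every reported line is one the ASA would reject or that a cleanup left behind.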

By the way, I just noticed that I took "inspect esmtp" out of the global policy map. I needed to test access to an Exchange server, so I did that; by default you have that line in there, but due to a Cisco bug it doesn't perform as it should.

When you telnet to port 25 from the outside, you will get a banner like this:

After doing the following:

ASA5540(config)#policy-map global_policy
ASA5540(config-pmap)#class inspection_default
ASA5540(config-pmap-c)#no inspect esmtp

you will then get a banner like this:

If you want to add ESMTP inspection back, just repeat the above commands without the "no", as with any Cisco command.
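To confirm what the global policy inspects after a change like this, here is an added Python example (not from the original post) that parses the policy-map block in ASA 8.2 syntax and diffs the enabled inspections against a baseline. On the constructed excerpt below, which mirrors the post's listing after "no inspect esmtp", it reports esmtp as the only protocol missing.

```python
# Constructed excerpt in the ASA 8.2 syntax of the post's policy-map, as it reads
# after 'no inspect esmtp' has been entered under class inspection_default.
POLICY_MAP = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
"""

# The protocols the post's listing inspects, plus esmtp, which the post says a
# default global_policy carries; used here as the baseline to compare against.
BASELINE = {"dns", "ftp", "h323", "ip-options", "netbios", "rsh", "rtsp", "skinny",
            "sqlnet", "sunrpc", "tftp", "sip", "xdmcp", "esmtp"}


def enabled_inspections(config, policy="global_policy", klass="inspection_default"):
    """Protocols named by 'inspect' lines under the given policy-map class."""
    found, in_policy, in_class = [], False, False
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:  # any top-level command ends the current policy-map block
            in_policy, in_class = parts[:2] == ["policy-map", policy], False
        elif indent == 1 and in_policy:
            in_class = parts[:2] == ["class", klass]
        elif indent == 2 and in_policy and in_class and parts[0] == "inspect":
            found.append(parts[1])
    return found


def inspection_drift(config, baseline=BASELINE):
    """(missing, extra) inspections relative to the baseline set."""
    enabled = set(enabled_inspections(config))
    return sorted(baseline - enabled), sorted(enabled - baseline)
```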

Email me if you have any questions!
