TOPIC: Cisco Newby on ASA5505.....

Cisco Newby on ASA5505..... 8 years 2 months ago #26845

Hello all, I LOVE this website and forum... it has a wealth of information, with which I have been able to get my Cisco ASA5505 up and running, and from what I can tell it is running perfectly.... I would like to post the config and get some clarification on whether everything looks as it is supposed to... I just don't want any holes because I don't know any better.

This is a simple network setup, initially anyway, until I figure out how to pass a routed block through....

(provided by ISP)
single static ip: 66.77.88.99 (for illustration purposes only, have 3, one used on this device)
network: 255.255.255.248
gateway: 66.XXX.XXX.XXX

Here she blows:

: Saved
: Written by enable_15 at 15:36:40.356 UTC Mon Jul 14 2008
!
ASA Version 7.2(3)
!
hostname RSAASA5505
domain-name GENERIC.COM
enable password xxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.59.48.254 255.255.255.128 (*172.59.48.128 network)
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 66.77.88.99 255.255.255.248 (*this is correct, from isp, 3 static and 13 or so routed)
ospf cost 10
!
interface Vlan3 (*unused currently)
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
passwd XXXXX encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name GENERIC.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 172.48.130.128 255.255.255.128 172.59.48.218 1 (*vpn to other site for already existing fvs318 devices)
route outside 0.0.0.0 0.0.0.0 66.XXX.XXX.XXX 1 (* isp provided gateway, known correct)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.48.130.128 255.255.255.128 inside (*ASDM accessible from vpn'd network)
http 192.168.1.0 255.255.255.0 inside (* default ASDM access, do I need to delete this?)
http 172.59.48.128 255.255.255.128 inside (*ASDM accessible from local network)
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
description Global - ICMP
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class global-class
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:XXXXXXX
: end

Not sure if I left out any hidden variables; let me know... I just want to know if I can save this and forget it as perfect for now.

Thanks

Re: Cisco Newby on ASA5505..... 8 years 2 months ago #26861

Elohim (Senior Member)
This is a basic config. This is as secure as you can make it. This configuration lets users from the inside network (higher security zone) send traffic to the outside while discarding everything from the outside that is not part of an already established traffic flow. Now, this protects you from being attacked but it doesn't protect others from you, e.g. if one of your systems is compromised and initiates an attack.
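As an added example that is not part of the thread, the following Python script audits a constructed excerpt of the config posted above for the points raised in it: management (`http`) entries for subnets the box neither has configured nor routes to (such as the factory-default 192.168.1.0/24 line the poster asks about), interfaces with no access-list bound so outbound traffic is limited only by security level (Elohim's point), and two housekeeping settings. It uses only the standard library; the `known_networks` and `audit` names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the config posted above; the (*...) notes are dropped.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.59.48.254 255.255.255.128
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.77.88.99 255.255.255.248
same-security-traffic permit intra-interface
route inside 172.48.130.128 255.255.255.128 172.59.48.218 1
http 172.48.130.128 255.255.255.128 inside
http 192.168.1.0 255.255.255.0 inside
http 172.59.48.128 255.255.255.128 inside
console timeout 0
"""

def known_networks(cfg: str) -> list:
    # Subnets the ASA can reach: interface subnets plus non-default static routes.
    nets = [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in re.findall(r"^\s*ip address (\S+) (\S+)", cfg, re.M)]
    nets += [ipaddress.ip_network(f"{a}/{m}", strict=False)
             for a, m in re.findall(r"^route \S+ (\S+) (\S+) \S+", cfg, re.M)
             if a != "0.0.0.0"]
    return nets

def audit(cfg: str) -> list:
    """Return human-readable findings for the weak spots discussed in the thread."""
    findings, nets = [], known_networks(cfg)
    # ASDM/HTTPS management sources that match no reachable subnet are leftovers,
    # such as the factory-default 192.168.1.0/24 entry the poster asks about.
    for addr, mask, iface in re.findall(r"^http (\S+) (\S+) (\S+)", cfg, re.M):
        src = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if not any(src.overlaps(n) for n in nets):
            findings.append(f"http {src} {iface}: not a configured or routed subnet")
    # An interface with no access-group is governed by security level alone, so
    # every host on a higher-security interface may open any outbound connection.
    bound = set(re.findall(r"^access-group \S+ (?:in|out) interface (\S+)", cfg, re.M))
    for name in re.findall(r"^\s*nameif (\S+)", cfg, re.M):
        if name not in bound:
            findings.append(f"{name}: no access-list bound, outbound traffic is unrestricted")
    if re.search(r"^console timeout 0$", cfg, re.M):
        findings.append("console timeout 0: console sessions never expire")
    if "same-security-traffic permit intra-interface" in cfg:
        findings.append("intra-interface traffic permitted; usually needed only for VPN hairpinning")
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags the 192.168.1.0/24 entry while accepting the two subnets the box actually knows, and reports that neither `inside` nor `outside` has an access-list bound.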

Re: Cisco Newby on ASA5505..... 8 years 2 months ago #26865

Hmm..... I never would have really thought about that, but since you mention it, how would you facilitate something like what you are describing?

Re: Cisco Newby on ASA5505..... 8 years 2 months ago #26876

Elohim (Senior Member)
Facilitate what?
