topic Re: ASA Firewall in Network Security

ASA Firewall

Senbonzakura — Sat, 04 Apr 2020 18:08:46 GMT

I currently am using a ASA 5510 Firewall and ASA 5516-X, by defaut what security settings aren't enabled that I should have enabled in any network configuration? Also, by Default is IPS/IDS enabled or is this something that needs to be configured? Any advice would be appreciated and any recommendations as well.

Re: ASA Firewall

Sheraz.Salim — Sat, 04 Apr 2020 18:47:53 GMT

few i have a choice between 5510 and 5516 I would stick with 5516 as it has firepower features. you need to get a lic in place in order to use the firepower services it come with 1 year, 3 year and 5 years.

now coming to your question what security setting you need enable it depends on your setup. you want legacy layer 4 security in that case 5510 and 5516 both can do the same for you. but firepower runs only 0n 55xx-X series models.

Re: ASA Firewall

Senbonzakura — Sat, 04 Apr 2020 19:28:30 GMT

Yes, I do currently have a lic for the 5516-X. Are all features by default active do is this something you manually have to accomplish? We are going very simple here, On one port of the firewall, we have a guest-WiFi then on another port you are looking at the main WiFi along with the LAN network, and another port going to a different switch is the Voice. They're al segmented, with that being said. What is recommended for that type of setup? Generally speaking that is.

Re: ASA Firewall

Sheraz.Salim — Sat, 04 Apr 2020 19:59:29 GMT

first think first if you are concern about security element of your network and want to use layer 7 inspection. login into 5516-x and give a command

"show module sfr" if you have a sfr install on the unit.

are you asking for a best practice configuration for this setup?

do you want me to write a basic script?

Re: ASA Firewall

Senbonzakura — Sat, 04 Apr 2020 20:56:48 GMT

I won't forget.

Yes a basic configuration would be nice for the best security practices, right now I don't have any bad habits when it comes to configuring things so if someone could show me the right way from the beginning it would be appreciated.

Re: ASA Firewall

Sheraz.Salim — Sat, 04 Apr 2020 22:27:45 GMT

do you have a topology diagram and ip addresses?

if you can forward it this would be helpful to understand and write a basic config.

Re: ASA Firewall

Senbonzakura — Sun, 05 Apr 2020 00:25:57 GMT

ASA# show run

: Saved

: Serial Number: JMX0949K0DM

: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz

ASA Version 9.1(7)32

hostname ASA

domain-name www.domain.com

enable password 8Ry2YjIyt7RRXU24 encrypted

names

interface Ethernet0/0

description WAN

nameif outside

security-level 0

ip address dhcp setroute

interface Ethernet0/1

description Inside-Ruckus

nameif Inside-Ruckus

security-level 100

ip address 192.168.50.1 255.255.255.0

interface Ethernet0/2

description ISR

nameif Inside-ISR

security-level 100

ip address 192.168.200.1 255.255.255.252

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 0

ip address 192.168.100.1 255.255.255.0

ftp mode passive

dns server-group DefaultDNS

domain-name www.domain.com

object network inside-subnet

subnet 192.168.50.0 255.255.255.0

object network obj_isr

subnet 192.168.200.0 255.255.255.252

object network obj_vlan80

subnet 192.168.80.0 255.255.255.0

object network obj_vlan250

subnet 192.168.250.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu Inside-Ruckus 1500

mtu Inside-ISR 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

object network inside-subnet

nat (Inside-Ruckus,outside) dynamic interface

object network obj_isr

nat (Inside-ISR,outside) dynamic interface

object network obj_vlan80

nat (Inside-ISR,outside) dynamic interface

object network obj_vlan250

nat (Inside-ISR,outside) dynamic interface

route Inside-ISR 192.168.80.0 255.255.255.0 192.168.200.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.100.2 255.255.255.255 management

no snmp-server location

no snmp-server contact

no service password-recovery

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh stricthostkeycheck

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 192.168.50.10-192.168.50.254 Inside-Ruckus

dhcpd dns 75.75.75.75 75.75.76.76 interface Inside-Ruckus

dhcpd enable Inside-Ruckus

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:c0d1bad779dbd0baebaa348eabcde24b

: end

heres just a basic configuration that ill be doing on the ASA5516-X shortly. Execpt, I won't be using an ISR connected to a switch for VLAN traffic. I'm not sure how to setup encap dotq1 on the firewall so I just did it from an ISR instead, maybe you could help me with that.