How to configure access for remote PCI scan -

ChipGriffen — Tue, 12 Mar 2019 04:03:36 GMT

I have an ASA5505-UL-DMZ-BUN

I need to add two outside IP address to allow them to do a remote PCI scan on my Vlan15 "Micros"

I really am not a CLI guy - is this something easy with WebUI or should I ask TAC to do it for me?

Result of the command: "show running-config"

: Saved
:
ASA Version 8.4(6)5
!
hostname GiodineASA
domain-name Gio.local
enable password NC9T03Fud.TTEt.R encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
no names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 15
!
interface Ethernet0/5
switchport access vlan 5
speed 10
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
nameif DVR
security-level 100
ip address 192.168.154.1 255.255.255.0
!
interface Vlan5
nameif dmz
security-level 50
ip address 172.16.0.1 255.255.255.0
!
interface Vlan15
nameif Micros
security-level 15
ip address 192.168.11.1 255.255.255.0
!
boot system disk0:/asa846-5-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name Gio.local
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network obj-10.0.0.0
subnet 10.0.0.0 255.255.255.240
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network any-micros
subnet 0.0.0.0 0.0.0.0
object network dmz-any
subnet 0.0.0.0 0.0.0.0
object network Micros_1
subnet 192.168.11.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_28
subnet 10.0.0.0 255.255.255.240
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
access-list out-to-in extended permit tcp any any eq www
access-list out-to-in extended permit tcp any any eq https
access-list out-to-in extended permit tcp any any eq 1194
access-list out-to-in extended permit tcp any any range 5120 5129
access-list out-to-in extended permit icmp any any
access-list out-to-in extended permit udp any any eq 1194
access-list out-to-in extended permit udp any any range 5120 5129
access-list out-to-in extended permit udp any any eq 443
access-list out-to-in extended permit udp any any eq www
access-list Remote_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DVR 1500
mtu dmz 1500
mtu Micros 1500
ip local pool RemotePool 10.0.0.1-10.0.0.10 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.0.0.0 obj-10.0.0.0 no-proxy-arp
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_10.0.0.0_28 NETWORK_OBJ_10.0.0.0_28 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network any-micros
nat (DVR,outside) dynamic interface
object network dmz-any
nat (dmz,outside) dynamic interface
object network Micros_1
nat (Micros,outside) dynamic interface
access-group out-to-in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=GiodineASA
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 4548bf52
    30820250 308201b9 a0030201 02020445 48bf5230 0d06092a 864886f7 0d010105
    0500303a 31133011 06035504 03130a47 696f6469 6e654153 41312330 2106092a
    864886f7 0d010902 16144769 6f64696e 65415341 2e47696f 2e6c6f63 616c301e
    170d3134 30343036 31383032 34365a17 0d323430 34303331 38303234 365a303a
    31133011 06035504 03130a47 696f6469 6e654153 41312330 2106092a 864886f7
    0d010902 16144769 6f64696e 65415341 2e47696f 2e6c6f63 616c3081 9f300d06
    092a8648 86f70d01 01010500 03818d00 30818902 818100b1 ceb952e3 84820e07
    82ede102 7089223d 109b2faf 541695f1 4519eb61 381e56db 33e184e0 416faa68
    96677299 d65b8a82 f502bf7d 13c2c1d3 9ddb0910 80379d1e 375a0b2c fa0209b8
    95d47b5e a62bb5b9 593b699d 429cdd0c 440a5b68 2de34d88 d5897f28 a72c4141
    7499909d a93e6cfb 5e42538f 0a0e7194 5058858c 25f6cd02 03010001 a3633061
    300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201
    86301f06 03551d23 04183016 80149ccd 02852286 1e71e494 33cdd59d 2fa50de1
    4b6c301d 0603551d 0e041604 149ccd02 8522861e 71e49433 cdd59d2f a50de14b
    6c300d06 092a8648 86f70d01 01050500 03818100 9f0bb024 702926fa 58c8dab6
    dc44c1fb 5b6fc8c5 9f1e66f4 1d81f550 adf3c89a b02d486d 404cebfd 8d68b944
    9aa2cf28 021a3457 7d623bb2 3d354f0b 1f1efd3c e42ebe64 c5c7aa38 3b9acd7a
    c1b339e0 20ddbd88 bfa49e66 0bfc54c9 3a8eaa3a 13d1e4cc 6703954b 67d67af4
    2b7acdf5 aed08a04 91d93112 18c7c99c 97f2e5d0
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside client-services port 443
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 75.75.75.75 75.75.76.76
!
dhcpd address 172.16.0.2-172.16.0.254 dmz
dhcpd enable dmz
!
dhcpd address 192.168.11.5-192.168.11.15 Micros
dhcpd auto_config outside interface Micros
dhcpd enable Micros
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 216.171.120.36 source outside prefer
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable inside
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles SupportGio_client_profile disk0:/SupportGio_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_SupportGio internal
group-policy GroupPolicy_SupportGio attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
default-domain value Gio.local
webvpn
anyconnect profiles value SupportGio_client_profile type user
group-policy Remote internal
group-policy Remote attributes
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote_splitTunnelAcl
default-domain value Gio.local
username admin password ZPXNZtJ1PEkx9Ak4 encrypted privilege 15
username ********** password jNXc0Jrn2ojo8QSg encrypted
username ******** password 1yRqnC1yOLTRtVh8 encrypted privilege 0
username ******** attributes
vpn-group-policy Remote
tunnel-group Remote type remote-access
tunnel-group Remote general-attributes
address-pool RemotePool
default-group-policy Remote
tunnel-group Remote ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group SupportGio type remote-access
tunnel-group SupportGio general-attributes
address-pool RemotePool
default-group-policy GroupPolicy_SupportGio
tunnel-group SupportGio webvpn-attributes
group-alias SupportGio enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:60086ca76c7e620cd12156ca7ea44e4d
: end

This should do it, if you

ippolito — Fri, 11 Apr 2014 18:02:56 GMT

This should do it, if you want to allow full IP access from the pci scanning machines to your entire vlan15 subnet:

access-list out-to-in extended permit ip host [ip of pci scanner #1] 192.168.11.0 255.255.255.0

access-list out-to-in extended permit ip host [ip of pci scanner #2] 192.168.11.0 255.255.255.0

I also wanted to take the liberty of pointing out that your access lists appear to be allowing *all* internet traffic to all computers on your network on the ports specified in the ACL. Not sure if that was your intention?

topic This should do it, if you in Network Security

How to configure access for remote PCI scan -

This should do it, if you