topic Help please fw config in Network Security

Help please fw config

spivy6666 — Tue, 12 Mar 2019 01:44:00 GMT

below is my config. Can someone tell if this below config will let my users .36.0/24 access the internet? i think it does but i need to be certain. the 192.168.36.0/24 just needs all outbound access for internet and any thing outbound?

: Saved
:
ASA Version 8.2(5)
!
hostname ASAfirewall
enable password 8RRRXU24 encrypted
passwd 2KFQ2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.36.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list OPEN extended permit ip 192.168.36.0 255.255.255.0 any
no pager
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.36.0 255.255.255.0
access-group OPEN out interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.36.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh scopy enable
ssh 192.168.36.0 255.255.255.0 inside
ssh timeout 5
console timeout 20
dhcpd dns 2.2.2.138 2.2.2.4
dhcpd lease 4600
!
dhcpd address 192.168.36.40-192.168.36.100 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username admin password GaV64ZRjSgXshU9e encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DD

CEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:9118468c95c765234a5c6215f9fd4779

: end

Re: Help please fw config

Jouni Forss — Wed, 15 May 2013 18:41:14 GMT

Hi,

One thing you need to change is how the ACL is attached

no access-group OPEN out interface inside

access-group OPEN in interface inside

The parameter "out" would mean traffic heading out the interface inside. In other words traffic headed towards the networks behind inside.

The parameter "in" would however control traffic coming from inside, which is what you want to do

Hope this helps 🙂

- Jouni

Sent from Cisco Technical Support iPad App

Re: Help please fw config

spivy6666 — Wed, 15 May 2013 19:58:49 GMT

Ok i will make that chnage and thanks. but the entry below is right. with out the access list my users would not have access to the net? thanks again. Lets say i had eveyting but the access list .My users would not have access becuse you need a acl applied on an interface ?

access-list OPEN extended permit ip 192.168.36.0 255.255.255.0 any

Help please fw config

jj27 — Wed, 15 May 2013 20:10:32 GMT

You do not need an access list defined on the inside interface for them to be able to get to the internet due to the security levels of the interfaces. On an ASA, the higher security level interfaces are allowed to transit lower security level interfaces. In your case, and many similar cases, inside is set to 100 and outside is set to 0. The inside access list is usually configured to restrict certain types of traffic towards the internet, but not required for to permit general access.

Re: Help please fw config

spivy6666 — Wed, 15 May 2013 20:24:15 GMT

Thanks for your reply JJ but i tried to use the below config as you stated and packets were getting denided due to globa group policy? can you fix my config so it will work?

sh run

: Saved

ASA Version 8.2(5)

hostname ASAfirewall

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

interface Vlan1

nameif inside

security-level 100

ip address 192.168.36.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.248

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

access-list OPEN extended permit ip 192.168.36.0 255.255.255.0 any

no pager

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 192.168.36.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

http server enable

http 192.168.36.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh scopy enable

ssh 192.168.36.0 255.255.255.0 inside

ssh timeout 5

console timeout 20

dhcpd dns 2.2.2.138 2.2.2.4

dhcpd lease 4600

dhcpd address 192.168.36.40-192.168.36.100 inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username admin password GaV64ZRjSgXshU9e encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:8bf43babbcc428dd5a8adb5f515c463e

: end

ASAfirewall#