topic Re: Problem continues~ in Network Security

Problem continues~

SPERTWCISCO — Mon, 11 Mar 2019 17:37:03 GMT

Sorry for opening another thread, but I keep getting the following error:

------------------------------------------------------------------------------------------------------

ZR1(config)# class-map inspection_default

ZR1(config-cmap)# match default-inspection-traffic

ZR1(config-cmap)# policy-map type inspect dns preset_dns_map

ZR1(config-pmap)# parameters

ZR1(config-pmap-p)# message-length maximum 512

ZR1(config-pmap-p)# policy-map

ZR1(config-pmap-p)# policy-map gl

ZR1(config-pmap-p)# policy-map global

ZR1(config-pmap-p)# policy-map global_policy

ZR1(config-pmap)# class in

ZR1(config)# class inspection_default

ZR1(config-cmap)# inspect dns present_dns_map

ERROR: % Invalid input detected at '^' marker.

------------------------------------------------------------------------------------------------------

Also, how do I configure the ASA to block out spyware or ads when viewing from www? Do I need to know the URL to do this?

thx

Re: Problem continues~

Jennifer Halim — Sun, 25 Apr 2010 04:25:37 GMT

Here is the sequence for the configuration:

policy-map global_policy

class inspection_default

inspect dns present_dns_map

Please make sure that you type in the full "inspection_default" name otherwise, it is going back to the "config" mode, not within the policy-map mode.

In regards to spyware and adware, ASA is not able to block those. You would need to have CSC module on your ASA to block the spyware and adware.

Hope that helps.

Re: Problem continues~

SPERTWCISCO — Sun, 25 Apr 2010 06:26:32 GMT

For some reason, it won't accept the command.

I had to "write erase" the whole config and now is finally working.

Here is my final running-config.

How can I harden it even more?

As well, what is the following command? Can I delete or disable it?

------------------------------

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

--------------------------

thx

------------------------------------------------------------------------------

: Saved

ASA Version 8.3(1)

hostname xxxxx

enable password xxxxxxxxxxxx encrypted

passwd xxxxxxxxxx encrypted

names

interface Vlan200

nameif outside

security-level 0

ip address dhcp setroute

interface Vlan500

no forward interface Vlan800

nameif dmz

security-level 50

ip address 10.2.1.1 255.255.255.0

interface Vlan800

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Ethernet0/0

switchport access vlan 200

interface Ethernet0/1

switchport access vlan 800

interface Ethernet0/2

switchport access vlan 800

interface Ethernet0/3

switchport access vlan 800

interface Ethernet0/4

switchport access vlan 800

interface Ethernet0/5

switchport access vlan 800

interface Ethernet0/6

switchport access vlan 800

interface Ethernet0/7

switchport access vlan 500

boot system disk0:/asa831-k8.bin

ftp mode passive

clock timezone xxxxx

object network obj_any

subnet 0.0.0.0 0.0.0.0

access-list outside_access_in extended deny ip any any

access-list dmz_access_in extended deny ip any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu dmz 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

object network obj_any

nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside

access-group dmz_access_in in interface dmz

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 30

ssh version 2

console timeout 0

dhcpd auto_config outside

dhcpd address 192.168.1.8-192.168.1.10 inside

dhcpd dns [ISP DNS1] [ISP DNS2] interface inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username xxxxxxxx password xxxxxxxxx encrypted

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:xxxxxxxxxxxxxxxx

: end

asdm image disk0:/asdm-631.bin

no asdm history enable

-----------------------------------------------------------------

Re: Problem continues~

Jennifer Halim — Sun, 25 Apr 2010 06:34:25 GMT

1) You do not need to configure ACL on the outside interface if you are not initiating inbound connection because by default, traffic from outside (low security level) to inside/dmz (higher security level) will be denied.

The following can be removed:

access-group outside_access_in in interface outside

access-list outside_access_in extended deny ip any any

2) You have the following ACL: "access-list dmz_access_in extended deny ip any any" applied to dmz: "access-group dmz_access_in in interface dmz", which means dmz hosts are not able to initiate any connection at all towards inside and outside. Not sure if this is what you are after, but if it is, you are on the right track.

3) I also see that you have no ACL applied to your inside interface. If you want to restrict access more, you can configure ACL and applied it to the inside interface for traffic from inside towards dmz and outside. Because by default, traffic from higher security level towards lower security level is allowed. So you can restrict access from inside towards dmz and outside with specific ACL.

Hope that helps.

Re: Problem continues~

Magnus Mortensen — Tue, 27 Apr 2010 02:30:59 GMT

The reason you are having issues is becuase it looks like you are using tab completion when typing the class line:

ZR1(config-pmap-p)# policy-map global_policy

ZR1(config-pmap)# class in

ZR1(config)# class inspection_default

Notice the prompt change? Tab completion when doing the class line results in dumping back to the (config) prompt and out of the (config-pmap) sub config. If you did not hit tab, it should have kept you in that config mode and it should have worked.

-M