seeking Asa 5506 firewall configuration tips

Ministry — Fri, 21 Feb 2020 17:56:12 GMT

Hi All.

Ive just setup an ASA 5506 for my home (office) use.

Its been awhile since ive last configured a cisco appliance, so i was wondered if you guys would take a quick peek at my config and give me pointers on silly or stupid configs.

My setup is that ive replaced my standard ISP router with the ASA, its tagged via VLAN on the outside interface and configured via DHCP.

Ive configured a basic firewall rule to basicly just deny anything from the outside interface to the inside, thats really all i had the fantasy to do.

Any tips for strengthening the security of my network? i dont care about bogging down my internet connection or losing performance.

Thank you.

Note: i dont have a license for the firePOWER module as that is too expensive for home office usage.

Apologies if this is posted in the wrong place

ASA Version 9.8(4)15 
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
no mac-address auto

!
interface GigabitEthernet1/1
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet1/1.101
 vlan 101
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface GigabitEthernet1/2
 description Internal network
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended deny object-group DM_INLINE_PROTOCOL_1 interface outside interface inside 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7131.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcp-client client-id interface outside
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
dynamic-access-policy-record DfltAccessPolicy
username admin password $sha512$5000$FqM9HtGlgl0T5UAebeZtVw==$viUddbBKQlbadGunFq9KWw== pbkdf2 privilege 15
!
!
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 12
  subscribe-to-alert-group configuration periodic monthly 12
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0413fcf1335c163fd8b0d9f2364e9b74
: end

Re: seeking Asa 5506 firewall configuration tips

balaji.bandi — Thu, 20 Feb 2020 00:03:07 GMT

High level looks ok, Did your PC able to get the internet ? then all good.

by default outside to inside is denied by the behaviour of ASA.

you can look hardening ASA in many ways if you looking to do so.

https://www.dionach.com/blog/cisco-asa-firewall-hardening/

Re: seeking Asa 5506 firewall configuration tips

saids3 — Thu, 20 Feb 2020 02:35:14 GMT

Hello - Common config t -

dhcpd address 192.168.1.5-192.168.1.254 inside
dhcp dns 208.67.222.222 208.67.220.220
dhcpd option 3 ip 192.168.1.1
dhcpd enable inside
dhcpd auto_config outside
route outside 0.0.0.0 0.0.0.0 192.168.200.5

object network INSIDE-NET
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
class-map inspection_default
match default-inspection-traffic

policy-map global_policy
class inspection_default
inspect icmp

service-policy global_policy global

policy-map global_policy
class inspection_default
inspect http

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512

policy-map global_policy
class inspection_default
inspect dns preset_dns_map

domain-name ministry.com
username admin password ********** priv 15
crypto key generate rsa modulus 2048

Yes

ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.0.0 inside
ssh timeout 30
ssh version 2

aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL

dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy

class-map global-class
match any
policy-map global_policy
class global-class
sfr fail-open

Re: seeking Asa 5506 firewall configuration tips

Ministry — Thu, 20 Feb 2020 12:36:08 GMT

Thank you!

Re: seeking Asa 5506 firewall configuration tips

Ministry — Thu, 20 Feb 2020 13:22:39 GMT

Thanks alot, nice input!

topic seeking Asa 5506 firewall configuration tips in Network Security

seeking Asa 5506 firewall configuration tips

Re: seeking Asa 5506 firewall configuration tips

Re: seeking Asa 5506 firewall configuration tips

Re: seeking Asa 5506 firewall configuration tips

Re: seeking Asa 5506 firewall configuration tips