Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
827
Views
5
Helpful
1
Replies

ASA config checkover for security holes

maniac79
Level 1
Level 1

‎01-30-2019 12:46 PM - edited ‎02-21-2020 08:43 AM

We are setting up a test environment and are using our old ASA for the router. I've noticed a lot of traffic getting blocked, and most of it is from a strange source IP and the destination is 10.15.2.0 and that interface is disabled on the ASA so I'm not sure why it is showing it.

 

Here is my config

 

ciscoasa# show run
: Saved
:
: Serial Number: 
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)32
!
hostname ciscoasa
enable password sAKEz/ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQ encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 50.50.50.80 255.255.255.192
!
interface GigabitEthernet0/1
description Test Environment
shutdown
nameif inside
security-level 100
ip address 10.15.2.251 255.255.255.0
!
interface GigabitEthernet0/2
nameif ICTWebHost02
security-level 50
ip address 10.250.1.251 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa917-32-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network 10.15.2.0_nat
subnet 10.15.2.0 255.255.255.0
object network TestPC02
host 10.15.2.84
object network SQL-Test
host 10.15.2.19
object network TestHost
host 10.15.2.75
object service tcp-1433
service tcp source eq 1433
object service 3398
service tcp source eq 3398
object network obj-50.50.50.80
host 50.50.50.80
object network 50.50.50.90
host 50.50.50.90
object network ICTWebHost02_Network
subnet 10.250.1.0 255.255.255.0
description ICTWebHost02
object network 10.250.1.0_nat
subnet 10.250.1.0 255.255.255.0
description webhostnat
object network 50.50.50.85
host 50.5050.85
object network Test_Network
host 10.15.2.0
description 255.255.255.0
object network Test
subnet 10.15.2.0 255.255.255.0
description Test
access-list outside-inside extended permit tcp 50.50.50.64 255.255.255.192 object TestPC02 eq 3397 inactive
access-list outside-inside extended permit tcp host 50.50.142.174 object TestHost eq ftp inactive
access-list outside-inside extended permit tcp host 5.100.50.19 object SQL-Test eq 1433 inactive
access-list ICTWebHost02_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu ICTWebHost02 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface ICTWebHost02
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static 10.15.2.0_nat 50.50.50.85
nat (ICTWebHost02,outside) source static ICTWebHost02_Network 50.50.50.90
access-group outside-inside in interface outside
access-group inside_access_in in interface inside
access-group ICTWebHost02_access_in in interface ICTWebHost02
route outside 0.0.0.0 0.0.0.0 50.50.50.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.15.2.0 255.255.255.0 inside
http 50.50.50.111 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 50.50.50.111 255.255.255.255 outside
ssh 10.15.2.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1
username admin password qc***cl.mWE****** encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f03d8ff6a4d20b139c886d4e
: end

 

Any major security holes on my config that you can see? 

 

Thank you for the help and input!

0 Helpful
1 Reply 1

Sheraz.Salim
VIP
VIP

‎01-30-2019 03:49 PM

I dont see any major hole in your config. if your 10.x.x.x interface is shutdown and if you see a lot of traffic is coming to hit this subnet than that make sense to say that traffic is block because ASA know the interface is shutdown state so it drop the packets

 

configuration looks fine to me.

please do not forget to rate.
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card