ASA config checkover for security holes

We are setting up a test environment and are using our old ASA as the router. I've noticed a lot of traffic getting blocked; most of it is from a strange source IP, and the destination is and that interface is disabled on the ASA, so I'm not sure why it is showing it.


Here is my config


ciscoasa# show run
: Saved
: Serial Number: 
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
ASA Version 9.1(7)32
hostname ciscoasa
enable password sAKEz/ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQ encrypted
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address
interface GigabitEthernet0/1
 description Test Environment
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet0/2
 nameif ICTWebHost02
 security-level 50
 ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 no security-level
 no ip address
boot system disk0:/asa917-32-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network
object network TestPC02
object network SQL-Test
object network TestHost
object service tcp-1433
 service tcp source eq 1433
object service 3398
 service tcp source eq 3398
object network obj-
object network
object network ICTWebHost02_Network
 description ICTWebHost02
object network
 description webhostnat
object network
 host 50.5050.85
object network Test_Network
object network Test
 description Test
access-list outside-inside extended permit tcp object TestPC02 eq 3397 inactive
access-list outside-inside extended permit tcp host object TestHost eq ftp inactive
access-list outside-inside extended permit tcp host object SQL-Test eq 1433 inactive
access-list ICTWebHost02_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu ICTWebHost02 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface ICTWebHost02
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static
nat (ICTWebHost02,outside) source static ICTWebHost02_Network
access-group outside-inside in interface outside
access-group inside_access_in in interface inside
access-group ICTWebHost02_access_in in interface ICTWebHost02
route outside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http inside
http outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh outside
ssh inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1
username admin password qc***cl.mWE****** encrypted
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
 message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end


Any major security holes in my config that you can see?


Thank you for the help and input!

Rising star

Re: ASA config checkover for security holes

I don't see any major hole in your config. If your 10.x.x.x interface is shut down and you see a lot of traffic coming to hit this subnet, then it makes sense to say that traffic is blocked, because the ASA knows the interface is in the shutdown state, so it drops the packets.


configuration looks fine to me.

please do not forget to rate.
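Added example, not code from the original post or from Cisco: a small Python audit run over a constructed excerpt of the configuration posted above (object and interface names as posted; the addresses were already redacted there). It flags the checks a reviewer would want answered before accepting "looks fine": management services (http/ssh) bound to the security-level 0 outside interface, an inbound `permit ip any any` ACL applied on the level-50 ICTWebHost02 interface (an inbound access-group replaces the security-level default, so that segment can initiate connections toward inside), ASDM enabled without `aaa authentication http console` (logins then use a blank username and the enable password), and no syslog host. The commands quoted in the finding text are standard ASA syntax; `MGMT_NET` is a placeholder management subnet, not a value from the post.

```python
"""Audit an ASA running-config excerpt for management-plane and
access-control weaknesses.

Added example, not code from the original post or from Cisco.  CONFIG is a
constructed excerpt of the configuration posted above (names as posted;
addresses were already redacted there).  MGMT_NET is a placeholder."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MGMT_NET = "10.0.0.0 255.255.255.0"   # placeholder management subnet (assumption)

CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif ICTWebHost02
 security-level 50
access-list outside-inside extended permit tcp object TestPC02 eq 3397 inactive
access-list ICTWebHost02_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
logging enable
logging asdm informational
aaa authentication ssh console LOCAL
http server enable
http inside
http outside
ssh stricthostkeycheck
ssh outside
ssh inside
ssh version 2
access-group outside-inside in interface outside
access-group inside_access_in in interface inside
access-group ICTWebHost02_access_in in interface ICTWebHost02
"""


@dataclass
class Audit:
    levels: Dict[str, int] = field(default_factory=dict)       # nameif -> security-level
    any_any: Set[str] = field(default_factory=set)             # ACLs with permit ip any any
    inbound: Dict[str, str] = field(default_factory=dict)      # interface -> ACL applied "in"
    mgmt: List[Tuple[str, str]] = field(default_factory=list)  # (service, interface)
    lines: Set[str] = field(default_factory=set)


def parse(text: str) -> Audit:
    a = Audit()
    cur: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        a.lines.add(line)
        if line.startswith("interface "):
            cur = {}                       # start of a new interface block
        elif line.startswith("nameif "):
            cur["name"] = line.split()[1]
        elif line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        if "name" in cur and "level" in cur:
            a.levels[str(cur["name"])] = int(cur["level"])
            cur = {}
        m = re.match(r"access-list (\S+) extended permit ip any any$", line)
        if m:
            a.any_any.add(m.group(1))
        m = re.match(r"access-group (\S+) in interface (\S+)$", line)
        if m:
            a.inbound[m.group(2)] = m.group(1)
        # "http <ip> <mask> <if>" / "ssh <ip> <mask> <if>"; the post had the
        # address and mask stripped, so the bare "<service> <if>" form is
        # accepted too.  The last token must be a known nameif, which keeps
        # "ssh version 2" and "ssh stricthostkeycheck" out.
        m = re.match(r"(http|ssh|telnet)(?: \S+ \S+)? (\S+)$", line)
        if m and m.group(2) in a.levels:
            a.mgmt.append((m.group(1), m.group(2)))
    return a


def findings(a: Audit) -> List[str]:
    out: List[str] = []
    for svc, intf in a.mgmt:
        if a.levels[intf] == 0:
            out.append(f"{svc} management reachable on security-level 0 interface "
                       f"'{intf}'; restrict it, e.g. '{svc} {MGMT_NET} inside'")
    if any(s == "http" for s, _ in a.mgmt) and not any(
            l.startswith("aaa authentication http console") for l in a.lines):
        out.append("ASDM/HTTP enabled without 'aaa authentication http console LOCAL'; "
                   "ASDM logins use a blank username and the enable password")
    for intf, acl in a.inbound.items():
        if acl in a.any_any and a.levels.get(intf, 100) < 100:
            out.append(f"'{acl}' permits ip any any inbound on '{intf}' (level "
                       f"{a.levels[intf]}); an inbound access-group replaces the "
                       f"security-level default, so that segment can initiate "
                       f"connections to higher-security interfaces")
    if not any(l.startswith("logging host ") for l in a.lines):
        out.append("no syslog host; 'logging asdm' alone keeps nothing off-box "
                   "(add 'logging host inside <ip>' and 'logging trap informational')")
    return out


if __name__ == "__main__":
    for f in findings(parse(CONFIG)):
        print("-", f)
```

Run against the excerpt it reports five findings: http and ssh on the outside interface, ASDM without per-user authentication, the any/any ACL on ICTWebHost02, and the missing syslog host. The `inside_access_in` any/any ACL is not flagged because on the level-100 interface it matches what the security-level default would already allow.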