Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1367
Views
5
Helpful
4
Replies

Is there any unnecessary configuration on Router ASA5510 on my home network which is working fine.

Kamal
Level 1
Level 1

‎11-30-2019 04:42 AM

ASA5510# sh run

: Saved

:

ASA Version 7.1(2)

!

hostname ASA5510

domain-name kimolab.com

enable password 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

description LAN interface

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Ethernet0/1

description WAN interface

nameif outside

security-level 0

ip address 192.168.1.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

banner login ### UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED. You must have explicit, authorized permission to access or configure this device. Unauthorized attemptsand actions to access or use this system may result in civil and/or criminal penalities. All activities performed on this device are logged and monitored. ###

boot system disk0:/asa712-k8.bin

ftp mode passive

clock timezone EDT -5

clock summer-time EDT recurring

dns domain-lookup outside

dns server-group DefaultDNS

name-server 192.168.1.1

name-server 8.8.8.8

name-server 204.194.232.200

name-server 8.8.4.4

domain-name kimolab.com

object-group network object-google.com

object-group network obj-google.com

group-object object-google.com

object-group service internet-udp udp

description udp standard internet services

port-object eq domain

port-object eq ntp

port-object eq isakmp

port-object eq 4500

object-group service internet-tcp tcp

description tcp standard internet services

port-object eq www

port-object eq https

port-object eq smtp

port-object eq 465

port-object eq pop3

port-object eq 995

port-object eq ftp

port-object eq ftp-data

port-object eq domain

port-object eq ssh

port-object eq telnet

access-list 101 extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.1.1 eq www

access-list 101 extended deny tcp any host 192.168.1.1 eq www

access-list 101 extended permit ip any any

access-list inside-in extended permit icmp 192.168.10.0 255.255.255.0 any

access-list inside-in remark [Access Lists For Outgoing Packets from Inside interface]

access-list inside-in extended permit udp 192.168.10.0 255.255.255.0 any object-group internet-udp

access-list inside-in extended permit tcp 192.168.10.0 255.255.255.0 any object-group internet-tcp

access-list outside-in remark [access list for incoming packetson OUTSIDE interface]

access-list outside-in extended permit icmp any any echo-reply

access-list outside-in extended permit icmp any any source-quench

access-list outside-in extended permit icmp any any unreachable

access-list outside-in extended permit icmp any any time-exceeded

pager lines 24

logging enable

logging timestamp

logging buffer-size 30000

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

asdm image disk0:/asdm512.bin

no asdm history enable

arp timeout 14400

global (outside) 1 192.168.1.10-192.168.1.20

global (outside) 1 interface

nat (inside) 1 192.168.10.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside-in in interface inside

access-group outside-in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username asdm password Yvx83jxa2WCRAZ/m encrypted

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa local authentication attempts max-fail 5

http server enable

http 192.168.10.1 255.255.255.255 inside

snmp-server host inside 192.168.10.10 community kimolab version 2c

snmp-server location kimolab

snmp-server contact kamalghazzar@hotmail.com

snmp-server community kimolab

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 set peer 192.168.1.1

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 40 set peer 192.168.1.1

crypto map outside_map 40 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto ca trustpoint SELF-SIGNED-CERTIFICATE

crl configure

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption 3des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

isakmp nat-traversal  20

telnet 192.168.10.0 255.255.255.0 inside

telnet 192.168.20.0 255.255.255.0 inside

telnet timeout 10

ssh 192.168.10.0 255.255.255.0 inside

ssh 192.168.20.0 255.255.255.0 inside

ssh timeout 10

console timeout 0

dhcpd address 192.168.10.100-192.168.10.200 inside

dhcpd dns 192.168.1.1

dhcpd lease 86400

dhcpd ping_timeout 50

dhcpd enable inside

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect dns maximum-length 512

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

ntp authentication-key 32 md5 *

ntp authenticate

ntp trusted-key 32

ntp server 192.168.10.1 source outside

Cryptochecksum:d1d8266de4b797f3f1d4db74be7a0369

: end

Labels:
0 Helpful
4 Replies 4

Rob Ingram
VIP
VIP

‎11-30-2019 05:08 AM

Hi,

My recommendations would be to modify your crypto transform set and isakmp/ikev1 policies to use stronger, more secure algorithms. Upgrade the ASA code to the latest version supported by your hardware and disable telnet and just use ssh. Other than that it looks ok.

 

HTH

0 Helpful

Kamal
Level 1
Level 1
In response to Rob Ingram

‎11-30-2019 05:48 AM

Thank you for the quick reply, I don't have cisco account that allows me to upgrade. I am preparing for CCNA second exam ICND2 self-thought at home. Thank you again for your encouragement.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-30-2019 06:30 AM

Use this tool:

https://www.tunnelsup.com/config-cleanup/

It will tell you:

! Unused object-group found; suggest removing it
no object-group network obj-google.com
! Unused ACL found; suggest removing it
clear config access-list 101
! Analyzed 375 lines of code.

Kamal
Level 1
Level 1
In response to Marvin Rhoads

‎11-30-2019 07:51 AM

Thank you Marvin for the info I appreciate it.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card