
ASA 5510 Config review

dkraut
Level 1

Hi all, I'm getting ready to replace an existing firewall with a new ASA 5510. The environment is pretty straightforward, just an outside and inside interface. I've matched the configs as closely as possible, but I'd like to see if there are any glaring issues. I'm mainly concerned with my NAT statements. Does anything in the following (sanitized) config look out of place? Thanks!!

------------------------------------------------------------

ASA Version 8.4(4)5

!

hostname ciscoasa

enable password xxxxxxxxxx encrypted

passwd xxxxxxxxxx encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 40.100.2.2 255.255.255.252

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.30.0.100 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa844-5-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

object network 10.10.0.78

host 10.10.0.78

description nospam

object network 10.10.0.39

host 10.10.0.39

description exch

object network 55.100.20.109

host 55.100.20.109

description mail.oursite.com

object network 10.10.0.156

host 10.10.0.156

description www.oursite.com-Internal

object network 55.100.20.101

host 55.100.20.101

description www.oursite.com-External

object network 10.10.0.155

host 10.10.0.155

description ftp

object network 10.10.0.190

host 10.10.0.190

description www farm

object network 10.10.0.191

host 10.10.0.191

description svc farm

object network 10.10.0.28

host 10.10.0.28

description vpn

object network 10.10.0.57

host 10.10.0.57

description cust.oursite.com

object network 10.10.0.66

host 10.10.0.66

description spoint.oursite.com

object network 55.100.20.102

host 55.100.20.102

description cust.oursite.com

object network 55.100.20.103

host 55.100.20.103

description ftp

object network 55.100.20.104

host 55.100.20.104

description vpn

object network 55.100.20.105

host 55.100.20.105

description app www

object network 55.100.20.106

host 55.100.20.106

description app svc

object network 55.100.20.107

host 55.100.20.107

description spoint.oursite.com

object network 55.100.20.108

host 55.100.20.108

description exchange.oursite.com

object-group icmp-type DM_INLINE_ICMP_1

icmp-object echo-reply

icmp-object time-exceeded

icmp-object unreachable

object-group service Exchange_Inbound tcp

port-object eq 587

port-object eq 993

port-object eq www

port-object eq https

port-object eq imap4

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_SERVICE_1

service-object gre

service-object tcp destination eq pptp

object-group network DM_INLINE_NETWORK_1

network-object object 10.10.0.190

network-object object 10.10.0.191

object-group network DM_INLINE_NETWORK_2

network-object object 10.10.0.156

network-object object 10.10.0.57

object-group service DM_INLINE_TCP_2 tcp

port-object eq www

port-object eq https

object-group service sharepoint tcp

port-object eq 9255

port-object eq www

port-object eq https

access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1

access-list outside_access_in extended permit tcp any object 10.10.0.78 eq smtp

access-list outside_access_in extended permit tcp any object 10.10.0.39 object-group Exchange_Inbound

access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit tcp any object 10.10.0.155 eq ftp

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object 10.10.0.28

access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_2

access-list outside_access_in extended permit tcp any object 10.10.0.66 object-group Sharepoint

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649-103.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (outside,inside) source static any any destination static 55.100.20.109 10.10.0.78

nat (outside,inside) source static any any destination static 55.100.20.108 10.10.0.39 unidirectional

nat (inside,outside) source static 10.10.0.39 55.100.20.109 unidirectional

nat (outside,inside) source static any any destination static 55.100.20.101 10.10.0.156

nat (outside,inside) source static any any destination static 55.100.20.102 10.10.0.57

nat (outside,inside) source static any any destination static 55.100.20.103 10.10.0.155

nat (outside,inside) source static any any destination static 55.100.20.104 10.10.0.28

nat (outside,inside) source static any any destination static 55.100.20.105 10.10.0.190

nat (outside,inside) source static any any destination static 55.100.20.106 10.10.0.191

nat (outside,inside) source static any any destination static 55.100.20.107 10.10.0.66

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 40.100.2.1 1

route inside 10.10.0.0 255.255.255.0 10.30.0.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.10.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 10.10.0.0 255.255.255.0 inside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server xxxxxxxxxx source outside

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect pptp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:40cee3a773d380834b10195ffc63a02f

: end

2 Accepted Solutions


Julio Carvajal
VIP Alumni

Hello,

You are doing the NAT as (outside,inside); I would rather do it as (inside,outside), but the configuration is still good.

ACL setup is fine, NAT is fine, so you shouldn't have any issues.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


There are some things I would change:

access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1

You are statically allowing ICMP into your network, which opens the possibility for DoS. You'd better change to ICMP inspection:

policy-map global_policy

  class inspection_default

    inspect icmp

Then you have a PPTP inspection. PPTP is considered broken and shouldn't be used any more. You should migrate your VPN clients and servers away from PPTP and remove that line afterwards.

policy-map global_policy

class inspection_default

  ...

  no inspect pptp

And last, your SSH config. You should enable version 2 only, and DH group 1 is also not state of the art any more. To change that you can use the following config:

ssh version 2

ssh key-exchange group dh-group14-sha1

If you are using an older terminal program, it could be that DH14 with 2048 bit is not supported. So better test it with a second session before you log out.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
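
As an added example (not part of the original thread or any poster's code), the three review points from the reply above can be checked mechanically against a saved running-config. The finding names and both excerpts are constructed for illustration; the hardened excerpt assumes the static ICMP entry is dropped once ICMP inspection is enabled.

```python
import re

# Constructed excerpt modelled on the config posted in this thread (not the full file).
SAMPLE = """\
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list outside_access_in extended permit tcp any object 10.10.0.78 eq smtp
ssh 10.10.0.0 255.255.255.0 inside
ssh key-exchange group dh-group1-sha1
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect pptp
"""

# The same excerpt with the changes suggested in the reply applied (constructed).
HARDENED = """\
access-list outside_access_in extended permit tcp any object 10.10.0.78 eq smtp
ssh 10.10.0.0 255.255.255.0 inside
ssh version 2
ssh key-exchange group dh-group14-sha1
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
"""

def audit(config):
    """Return (finding_id, offending_line) pairs for the three review points."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for ln in lines:
        # Inbound ICMP allowed by a static ACL entry rather than by inspection.
        if re.match(r"access-list \S+ extended permit icmp any any\b", ln):
            findings.append(("ICMP_STATIC_PERMIT", ln))
        # PPTP inspection still enabled ("no inspect pptp" does not match).
        if ln == "inspect pptp":
            findings.append(("PPTP_INSPECTION", ln))
        # SSH key exchange pinned to Diffie-Hellman group 1.
        if ln == "ssh key-exchange group dh-group1-sha1":
            findings.append(("SSH_DH_GROUP1", ln))
    # SSH access is configured but version 2 is not enforced.
    ssh_access = any(re.match(r"ssh \d+\.\d+\.\d+\.\d+ ", ln) for ln in lines)
    if ssh_access and "ssh version 2" not in lines:
        findings.append(("SSH_VERSION_NOT_PINNED", "ssh version 2 (missing)"))
    return findings

if __name__ == "__main__":
    for fid, ln in audit(SAMPLE):
        print(f"{fid}: {ln}")
```
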


5 Replies


Made the switch last night and it worked perfectly, thanks!

Also added the following > nat (inside,outside) source dynamic any interface

Hello,

Great to hear that

Have a great weekend

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Thanks Karsten! Good catch on the PPTP. Yes, that's on my list. We're still using a Windows VPN Server at this location, but I plan to migrate to Cisco VPN soon. I'll also make the ICMP and SSH changes tonight. Cheers!
