10-18-2012 10:06 AM - edited 03-11-2019 05:11 PM
Hi all, I'm getting ready to replace an existing firewall with a new ASA 5510. The environment is pretty straightforward, just an outside and inside interface. I've matched the configs as closely as possible, but I'd like to see if there are any glaring issues. I'm mainly concerned with my NAT statements. Does anything in the following (sanitized) config look out of place? Thanks!!
------------------------------------------------------------
ASA Version 8.4(4)5
!
hostname ciscoasa
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 40.100.2.2 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.30.0.100 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa844-5-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network 10.10.0.78
host 10.10.0.78
description nospam
object network 10.10.0.39
host 10.10.0.39
description exch
object network 55.100.20.109
host 55.100.20.109
description mail.oursite.com
object network 10.10.0.156
host 10.10.0.156
description
object network 55.100.20.101
host 55.100.20.101
description
object network 10.10.0.155
host 10.10.0.155
description ftp
object network 10.10.0.190
host 10.10.0.190
description www farm
object network 10.10.0.191
host 10.10.0.191
description svc farm
object network 10.10.0.28
host 10.10.0.28
description vpn
object network 10.10.0.57
host 10.10.0.57
description cust.oursite.com
object network 10.10.0.66
host 10.10.0.66
description spoint.oursite.com
object network 55.100.20.102
host 55.100.20.102
description cust.oursite.com
object network 55.100.20.103
host 55.100.20.103
description ftp
object network 55.100.20.104
host 55.100.20.104
description vpn
object network 55.100.20.105
host 55.100.20.105
description app www
object network 55.100.20.106
host 55.100.20.106
description app svc
object network 55.100.20.107
host 55.100.20.107
description spoint.oursite.com
object network 55.100.20.108
host 55.100.20.108
description exchange.oursite.com
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group service Exchange_Inbound tcp
port-object eq 587
port-object eq 993
port-object eq www
port-object eq https
port-object eq imap4
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp destination eq pptp
object-group network DM_INLINE_NETWORK_1
network-object object 10.10.0.190
network-object object 10.10.0.191
object-group network DM_INLINE_NETWORK_2
network-object object 10.10.0.156
network-object object 10.10.0.57
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service sharepoint tcp
port-object eq 9255
port-object eq www
port-object eq https
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list outside_access_in extended permit tcp any object 10.10.0.78 eq smtp
access-list outside_access_in extended permit tcp any object 10.10.0.39 object-group Exchange_Inbound
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object 10.10.0.155 eq ftp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object 10.10.0.28
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any object 10.10.0.66 object-group Sharepoint
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static any any destination static 55.100.20.109 10.10.0.78
nat (outside,inside) source static any any destination static 55.100.20.108 10.10.0.39 unidirectional
nat (inside,outside) source static 10.10.0.39 55.100.20.109 unidirectional
nat (outside,inside) source static any any destination static 55.100.20.101 10.10.0.156
nat (outside,inside) source static any any destination static 55.100.20.102 10.10.0.57
nat (outside,inside) source static any any destination static 55.100.20.103 10.10.0.155
nat (outside,inside) source static any any destination static 55.100.20.104 10.10.0.28
nat (outside,inside) source static any any destination static 55.100.20.105 10.10.0.190
nat (outside,inside) source static any any destination static 55.100.20.106 10.10.0.191
nat (outside,inside) source static any any destination static 55.100.20.107 10.10.0.66
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 40.100.2.1 1
route inside 10.10.0.0 255.255.255.0 10.30.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.10.0.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxxxxxxxxx source outside
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:40cee3a773d380834b10195ffc63a02f
: end
10-18-2012 10:56 AM
Hello,
You are doing the nat (outside,inside). I would rather do it inside,outside, but the configuration is still good.
ACL setup is fine, NAT is fine, so you shouldn't have any issues.
Regards,
Julio
10-21-2012 02:46 AM
There are some things I would change:
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
You are statically allowing ICMP into your network, which opens the possibility for DoS. You'd better change to ICMP inspection:
policy-map global_policy
class inspection_default
inspect icmp
Then you have a PPTP inspection. PPTP is considered broken and shouldn't be used any more. You should migrate your VPN clients and servers away from PPTP and remove that line afterwards.
policy-map global_policy
class inspection_default
...
no inspect pptp
And last, your SSH config. You should enable version 2 only, and DH group 1 is also not state of the art any more. To change that you can use the following config:
ssh version 2
ssh key-exchange group dh-group14-sha1
If you are using an older terminal program, it could be that DH group 14 with 2048 bits is not supported, so better test it with a second session before you log out.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
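As an added example that is not part of the thread, here is a small Python audit script that scans an ASA 8.4-style config for the points raised above: the static inbound ICMP permit (vs. inspect icmp), inspect pptp, SSH version not pinned to 2, the dh-group1-sha1 key exchange, and Julio's note about (outside,inside) NAT direction. The sample config is a constructed excerpt modelled on the sanitized config in the first post; the check names and reasons are my own.

```python
import re

# Constructed excerpt modelled on the config posted in the thread (sanitized addresses).
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list outside_access_in extended permit tcp any object 10.10.0.78 eq smtp
nat (outside,inside) source static any any destination static 55.100.20.109 10.10.0.78
ssh 10.10.0.0 255.255.255.0 inside
ssh key-exchange group dh-group1-sha1
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect pptp
"""

# (check name, regex, reason) for config lines whose mere presence is a finding.
PRESENCE_CHECKS = [
    ("pptp-inspect", r"^inspect pptp$",
     "PPTP inspection present; migrate clients off PPTP, then remove 'inspect pptp'"),
    ("ssh-kex-group1", r"^ssh key-exchange group dh-group1-sha1$",
     "weak DH group 1 for SSH; use 'ssh key-exchange group dh-group14-sha1'"),
    ("nat-outside-inside", r"^nat \(outside,inside\) source static",
     "inbound NAT written as (outside,inside); works, but (inside,outside) is the usual form"),
]

def audit_asa_config(text):
    """Return a list of (check, line_or_None, reason) findings for an ASA config."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []
    for check, pattern, reason in PRESENCE_CHECKS:
        for ln in lines:
            if re.match(pattern, ln):
                findings.append((check, ln, reason))
    # A static ICMP permit on an inbound ACL is only needed while ICMP inspection is off.
    if "inspect icmp" not in lines:
        for ln in lines:
            if re.match(r"^access-list \S+ extended permit icmp any any", ln):
                findings.append(("icmp-acl", ln,
                                 "ICMP permitted statically; prefer 'inspect icmp' and drop this ACE"))
    # SSHv1 stays enabled unless 'ssh version 2' is configured explicitly.
    if "ssh version 2" not in lines and any(ln.startswith("ssh ") for ln in lines):
        findings.append(("ssh-version", None, "SSH version not pinned; add 'ssh version 2'"))
    return findings

def finding_names(text):
    """Sorted, de-duplicated check names; handy for summaries and tests."""
    return sorted({f[0] for f in audit_asa_config(text)})

if __name__ == "__main__":
    for check, line, reason in audit_asa_config(SAMPLE_CONFIG):
        print(f"[{check}] {reason}" + (f"  <- {line}" if line else ""))
```

Run it against a `show running-config` capture; an empty result for everything except nat-outside-inside means the three changes Karsten suggested are in place.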
10-20-2012 06:28 PM
Made the switch last night and it worked perfectly, thanks!
Also added the following: nat (inside,outside) source dynamic any interface
10-21-2012 12:32 AM
Hello,
Great to hear that
Have a great weekend
Julio
10-24-2012 07:16 AM
Thanks Karsten! Good catch on the PPTP. Yes, that's on my list. We're still using a Windows VPN server at this location, but I plan to migrate to Cisco VPN soon. I'll also make the ICMP and SSH changes tonight. Cheers!