11-04-2019 11:24 PM
I'm using a Cisco ASA 5520 with ASA version 8.0 and ASDM 7.1. My network only has a DMZ and Outside set up.
DMZ: 172.16.77.1 and mail server: 172.16.77.100.
Outside (PPPoE): public IP obtained from the ISP (and I have 1 static IP: X.X.X.27).
I have browsed a lot of pages on the internet and most of them said to remove esmtp, but it didn't work (I removed inspect esmtp).
I configured it on ASDM, and the CLI output from ASDM is below:
: Saved
:
ASA Version 8.0(2)
!
hostname FW-ASA5520
domain-name X.X.X.25
enable password KgwHsoJDrVdTCwX. encrypted
names
name 8.8.8.8 DNS-goole
name 192.168.1.2 BKpacs
name X.X.X.27 IP-Public3
name 172.16.77.100 MailWeb description Mail Web
dns-guard
!
interface GigabitEthernet0/0
 description WAN interface
 nameif Outside
 security-level 0
 pppoe client vpdn group cty-uv
 ip address pppoe
!
interface GigabitEthernet0/1
 description Connect to Web/Internet Server
 nameif admin
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 0
 ip address 172.16.77.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif User
 security-level 100
 ip address 192.168.6.1 255.255.255.0
!
interface Management0/0
 nameif Mana
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone ICT 7
dns domain-lookup Outside
dns domain-lookup admin
dns domain-lookup DMZ
dns domain-lookup User
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 156.154.70.1
 name-server DNS-goole
 name-server 199.85.126.30
 name-server 8.8.4.4
 name-server 46.151.208.154
 domain-name 113.161.118.25
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service dns tcp-udp
 description domain name service
 port-object eq domain
object-group service outside_services tcp-udp
 description services alowed form outside
 port-object eq domain
 port-object eq echo
 port-object eq www
object-group service sqlnet_backup tcp
 port-object eq 1522
object-group service RDP tcp
 port-object eq 3389
object-group service Shared_file
 service-object tcp eq domain
 service-object tcp eq netbios-ssn
 service-object udp eq domain
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service VPN tcp-udp
 port-object eq 1194
object-group service Oracle_Naming tcp
 port-object eq 2030
object-group service AGI tcp-udp
 port-object eq 5038
object-group service PACS tcp
 port-object eq 18080
 port-object eq 1982
 port-object eq 5432
 port-object eq 9090
object-group service Video_Conf tcp
 port-object eq 1935
 port-object eq 88
 port-object eq 9123
 port-object eq www
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_2
 service-object tcp-udp eq www
 service-object tcp eq https
object-group service toto tcp
 port-object eq 8080
object-group service DM_INLINE_SERVICE_4
 service-object tcp-udp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_5
 service-object tcp-udp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_6
 service-object tcp-udp eq www
 service-object tcp eq https
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_6 tcp
 group-object outside_services
 port-object eq https
object-group service Efilm tcp-udp
 description Efilm
 port-object eq 6004
object-group service internet
 service-object icmp
 service-object udp
 service-object icmp6
 service-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object udp
 protocol-object tcp
object-group service BKpacs
 service-object tcp-udp eq domain
 service-object tcp-udp eq www
 service-object tcp eq ftp
 service-object tcp eq ftp-data
 service-object tcp eq https
 service-object tcp eq ssh
 service-object tcp eq 6002
 service-object icmp
object-group service H323_Group
 service-object tcp range 3230 3243
 service-object tcp eq h323
 service-object udp range 3230 3285
object-group service PMSoft tcp
 port-object eq 81
object-group service Mail_port tcp
 port-object eq 465
 port-object eq 993
 port-object eq 995
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
object-group service DM_INLINE_TCP_7 tcp
 port-object eq www
 port-object eq https
 port-object eq pop3
 port-object eq smtp
object-group service Team_viewer tcp
 port-object eq 5938
object-group service Trienkhai_port tcp
 port-object eq 1194
 port-object eq 16002
 port-object eq 8080
 port-object eq 8088
 port-object eq 9443
object-group service BVGD_mana_Vigor tcp
 port-object eq 6443
object-group service ASA_mana_port tcp
 port-object eq 7443
object-group network MW_Internal
object-group network MailWeb
object-group network tan
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object icmp
object-group network DMZ-network
object-group network DMZ-network1
object-group network obj_name
object-group service DM_INLINE_TCP_14 tcp
 group-object Mail_port
 port-object eq 3389
 port-object eq 8005
 port-object eq 8009
 port-object eq 8080
 port-object eq 8090
 port-object eq 81
 port-object eq www
 port-object eq https
access-list DMZ_access_in extended permit ip any any
access-list Outside_access_in extended permit tcp any host IP-Public3 object-group DM_INLINE_TCP_14
access-list User_access_in extended permit object-group DM_INLINE_PROTOCOL_3 host 192.168.6.3 any
access-list admin_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any
pager lines 24
logging enable
logging timestamp
logging list Alert-admin-by-mail level alerts
logging list Alert-admin-by-mail message 101003
logging list Alert-admin-by-mail message 101005
logging list Alert-admin-by-mail message 101004
logging list Alert-admin-by-mail message 101001
logging list Alert-admin-by-mail message 101002
logging console warnings
logging history alerts
logging asdm informational
logging mail Alert-admin-by-mail
logging from-address thinh.hd@inext.vn
logging recipient-address hoducthinh1994@gmail.com level warnings
logging class auth history alerts mail alerts
mtu Outside 1500
mtu admin 1500
mtu DMZ 1500
mtu User 1500
mtu Mana 1500
ip verify reverse-path interface Outside
ip verify reverse-path interface admin
ip verify reverse-path interface DMZ
ip verify reverse-path interface User
ip verify reverse-path interface Mana
ipv6 enforce-eui64 admin
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (DMZ) 1 172.16.77.0 255.255.255.0 dns
nat (User) 1 192.168.6.0 255.255.255.0 dns
static (DMZ,Outside) IP-Public4 Hapi netmask 255.255.255.255 dns
access-group Outside_access_in in interface Outside
access-group admin_access_in in interface admin
access-group DMZ_access_in in interface DMZ
access-group User_access_in in interface User
route Outside 0.0.0.0 0.0.0.0 14.169.128.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable
http 172.16.77.0 255.255.255.0 admin
http 192.168.6.0 255.255.255.0 User
http 192.168.141.0 255.255.255.240 DMZ
http 10.0.0.0 255.255.255.252 Mana
snmp-server host Outside 192.168.0.100 community public
snmp-server host Outside 192.168.100.1 community public
snmp-server host Outside 192.168.100.11 community public
snmp-server location quan 10, Ho Chi Minh
snmp-server contact Firewall 5520-0000
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps remote-access session-threshold-exceeded
sysopt connection tcpmss 0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inext_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inext_map interface DMZ
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface Outside
crypto map Web_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Web_map interface admin
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface User
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=FIREWALL.CISCOPRESS.CCNP
 keypair Hcmutinext
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment url http://certserver.ciscopress.ccnp:80
 subject-name CN=FW-ASA5520
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
    30820212 3082017b a0030201 02020131 300d0609 2a864886 f70d0101 04050030
    4f312130 1f060355 04031318 46495245 57414c4c 2e434953 434f5052 4553532e
    43434e50 312a3028 06092a86 4886f70d 01090216 1b46572d 41534135 3532302e
    66773535 32302e64 6f6d6169 6e2e766e 301e170d 31373031 31383032 32313530
    5a170d32 37303131 36303232 3135305a 304f3121 301f0603 55040313 18464952
    4557414c 4c2e4349 53434f50 52455353 2e43434e 50312a30 2806092a 864886f7
    0d010902 161b4657 2d415341 35353230 2e667735 3532302e 646f6d61 696e2e76
    6e30819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 8100945e
    f4fa57a6 c60550d9 607735b7 fd828266 91e41d19 448704d5 ecfdcaf7 7e1019e8
    c7e4bec2 fb262390 d966bfcb d686c1cb 7bc7d823 e183c291 667c226f aa4541a4
    0bf7ef4f 375b66d5 659a6f3e aabe65da bf9fb16c 33fb1896 b0c34989 ec947ab6
    18f45836 bdecd94d c36fee21 0fff200c 3492749c 4ff3a73b 8ed6d95e 9a5b0203
    01000130 0d06092a 864886f7 0d010104 05000381 81002008 7bc86728 a5d1a698
    4fd29bfb 82c50285 36b5e421 21c0ea23 6c473df9 001165cb c2183418 45e1c29a
    d17ddce5 f50ecfd1 608bd7ac baa225cc 53224911 5137d3a5 d7893448 7bd7a991
    d7fcb171 ac3327c1 02c16ed3 7852bb25 0537a3dd 480dd417 a0f1254a 7b18a82f
    9f7f6d5c ae82819e abf22072 4b723d2a 443f385d 193b
  quit
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 172.16.77.0 255.255.255.0 admin
ssh 192.168.1.0 255.255.255.0 admin
ssh timeout 15
ssh version 2
console timeout 0
management-access admin
vpdn group cty-uv request dialout pppoe
vpdn group cty-uv localname cty-uv
vpdn group cty-uv ppp authentication pap
vpdn username cty-uv password *********
dhcp-client broadcast-flag
dhcp-client update dns server both
dhcpd dns 208.67.222.222 DNS-goole
dhcpd lease 300
dhcpd domain 192.168.100.253
dhcpd update dns both override
dhcpd option 6 ip 156.154.70.1 8.8.4.4
!
dhcpd dns 208.67.222.222 DNS-goole interface admin
dhcpd update dns both override interface admin
!
dhcpd dns 203.162.4.191 DNS-goole interface DMZ
dhcpd update dns both override interface DMZ
!
dhcpd address 192.168.6.2-192.168.6.3 User
dhcpd dns 208.67.222.222 8.8.4.4 interface User
dhcpd update dns both override interface User
dhcpd enable User
!
dhcpd address 10.0.0.2-10.0.0.3 Mana
!
vpn load-balancing
 interface lbprivate admin
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map BKpacs
policy-map global-policy
 description global-policy
 class global-class
  inspect ctiqbe
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
policy-map type inspect im IM_User
 parameters
 match not service chat conference file-transfer games voice-chat webcam
  drop-connection log
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global-policy global
ssl encryption aes256-sha1 aes128-sha1 rc4-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 Outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username pacscloud password W2qS.iPbqt55yuyy encrypted privilege 15
username ncngoc password E0Nw3B9XJD3Nrx1z encrypted privilege 15
privilege cmd level 3 mode exec command perfmon
privilege cmd level 5 mode exec command dir
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege cmd level 5 mode exec command export
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:61d0cd37afcdb9d982d69fe8bd5f1268
: end
asdm image disk0:/asdm-713.bin
asdm location DNS-goole 255.255.255.255 User
asdm location BKpacs 255.255.255.255 admin
asdm location Forum 255.255.255.255 Mana
asdm location internetgate 255.255.255.255 DMZ
asdm location Turn 255.255.255.255 Mana
asdm location SMS 255.255.255.255 Mana
asdm location WAN1 255.255.255.255 Mana
asdm location Hapi 255.255.255.255 Mana
asdm location Pacs 255.255.255.255 Mana
asdm location MailWeb 255.255.255.255 Mana
asdm location VideoNew 255.255.255.255 Mana
no asdm history enable