11-30-2019 04:42 AM
ASA5510# sh run
: Saved
:
ASA Version 7.1(2)
!
hostname ASA5510
domain-name kimolab.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description LAN interface
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1
description WAN interface
nameif outside
security-level 0
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner login ### UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED. You must have explicit, authorized permission to access or configure this device. Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties. All activities performed on this device are logged and monitored. ###
boot system disk0:/asa712-k8.bin
ftp mode passive
clock timezone EDT -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.1
name-server 8.8.8.8
name-server 204.194.232.200
name-server 8.8.4.4
domain-name kimolab.com
object-group network object-google.com
object-group network obj-google.com
group-object object-google.com
object-group service internet-udp udp
description udp standard internet services
port-object eq domain
port-object eq ntp
port-object eq isakmp
port-object eq 4500
object-group service internet-tcp tcp
description tcp standard internet services
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 465
port-object eq pop3
port-object eq 995
port-object eq ftp
port-object eq ftp-data
port-object eq domain
port-object eq ssh
port-object eq telnet
access-list 101 extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.1.1 eq www
access-list 101 extended deny tcp any host 192.168.1.1 eq www
access-list 101 extended permit ip any any
access-list inside-in extended permit icmp 192.168.10.0 255.255.255.0 any
access-list inside-in remark [Access Lists For Outgoing Packets from Inside interface]
access-list inside-in extended permit udp 192.168.10.0 255.255.255.0 any object-group internet-udp
access-list inside-in extended permit tcp 192.168.10.0 255.255.255.0 any object-group internet-tcp
access-list outside-in remark [access list for incoming packets on OUTSIDE interface]
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any source-quench
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging timestamp
logging buffer-size 30000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
asdm image disk0:/asdm512.bin
no asdm history enable
arp timeout 14400
global (outside) 1 192.168.1.10-192.168.1.20
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside-in in interface inside
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username asdm password Yvx83jxa2WCRAZ/m encrypted
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.10.1 255.255.255.255 inside
snmp-server host inside 192.168.10.10 community kimolab version 2c
snmp-server location kimolab
snmp-server contact kamalghazzar@hotmail.com
snmp-server community kimolab
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set peer 192.168.1.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 set peer 192.168.1.1
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpoint SELF-SIGNED-CERTIFICATE
crl configure
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 10
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 10
console timeout 0
dhcpd address 192.168.10.100-192.168.10.200 inside
dhcpd dns 192.168.1.1
dhcpd lease 86400
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
ntp authentication-key 32 md5 *
ntp authenticate
ntp trusted-key 32
ntp server 192.168.10.1 source outside
Cryptochecksum:d1d8266de4b797f3f1d4db74be7a0369
: end
11-30-2019 05:08 AM
Hi,
My recommendations would be to modify your crypto transform set and isakmp/ikev1 policies to use stronger, more secure algorithms. Upgrade the ASA code to the latest version supported by your hardware and disable telnet and just use ssh. Other than that it looks ok.
HTH
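One way to check a pasted `show run` for the three points raised in this reply (the 3DES transform set, the 3DES/SHA-1/DH group 2 isakmp policies, and telnet management access). This is an added example written for this thread, not code from the original post or from Cisco; SAMPLE_CONFIG is a constructed excerpt of the configuration posted above, and the "weak" sets reflect common current guidance rather than anything the ASA enforces.

```python
"""Audit an ASA 'show run' dump for the items raised in the reply above:
the 3DES transform set, the 3DES/SHA-1/DH group 2 IKEv1 (isakmp) policies,
and telnet management access. Added example, not code from the original
post; SAMPLE_CONFIG is a constructed excerpt of the configuration posted
in this thread."""
import re

SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set peer 192.168.1.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 10
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 10
"""

# Algorithms that should no longer be chosen for a new tunnel (assumed policy).
WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_IKE_HASH = {"md5", "sha"}          # 'sha' on an IKEv1 policy is SHA-1
WEAK_DH_GROUPS = {"1", "2"}
WEAK_ESP_TRANSFORMS = {"esp-des", "esp-3des", "esp-null",
                       "esp-md5-hmac", "esp-sha-hmac", "esp-none"}

ISAKMP_RE = re.compile(r"^isakmp policy (\d+) (encryption|hash|group) (\S+)$")


def audit_asa_config(text):
    """Return a list of (line_number, finding) for the weak settings found."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        parts = line.split()
        if not parts:
            continue
        m = ISAKMP_RE.match(line)
        if m:
            policy, param, value = m.groups()
            weak = {"encryption": WEAK_IKE_ENCRYPTION,
                    "hash": WEAK_IKE_HASH,
                    "group": WEAK_DH_GROUPS}[param]
            if value in weak:
                findings.append((n, f"isakmp policy {policy}: weak {param} {value}"))
        elif line.startswith("crypto ipsec transform-set ") and len(parts) > 4:
            # 'crypto ipsec transform-set NAME <cipher> <auth>'
            name = parts[3]
            for alg in parts[4:]:
                if alg in WEAK_ESP_TRANSFORMS:
                    findings.append((n, f"transform-set {name}: weak transform {alg}"))
        elif parts[0] == "telnet" and len(parts) > 1 and parts[1] != "timeout":
            # 'telnet <net> <mask> <ifname>' opens a cleartext management path;
            # 'telnet timeout N' is only the idle timer and is not reported
            findings.append((n, f"telnet access allowed: {' '.join(parts[1:])}"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_asa_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```

The script reports rather than rewrites, because which replacement algorithms are accepted depends on the ASA release in use. Both `hash sha` and `esp-sha-hmac` are SHA-1; HMAC-SHA-1 is not known to be broken as an IPsec integrity check, but it is superseded, so it is listed next to 3DES here and you can trim the sets to match your own policy. The `ssh` lines are deliberately left alone, since they are the replacement the reply recommends.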
11-30-2019 05:48 AM
Thank you for the quick reply. I don't have a Cisco account that allows me to upgrade. I am preparing for the CCNA second exam ICND2, self-taught at home. Thank you again for your encouragement.
11-30-2019 06:30 AM
Use this tool:
https://www.tunnelsup.com/config-cleanup/
It will tell you:
! Unused object-group found; suggest removing it
no object-group network obj-google.com
! Unused ACL found; suggest removing it
clear config access-list 101
! Analyzed 375 lines of code.
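The same two findings can be reproduced offline with a short script, which is useful when a config should not be pasted into a third-party site. This is an added example written for this thread, not the tool's code and not from the original post; SAMPLE_CONFIG is a constructed excerpt of the configuration posted above. It goes one step beyond the single pass shown in the tool output: a group that is referenced only from groups that are themselves unused (here `object-google.com`, reachable only through the unused `obj-google.com`) is reported too, in an order that is safe to apply on the box (the outer group first).

```python
"""Find unused object-groups and ACLs in an ASA 'show run' dump, the way the
cleanup tool linked above reports them. Added example, not the tool's code
and not from the original post. Goes one step further than a single pass:
a group referenced only from groups that are themselves unused is reported
as well, in an order safe to apply (outer group first)."""

# Sub-commands that belong to the preceding 'object-group' line.
CHILD_KEYWORDS = {"description", "network-object", "port-object", "group-object",
                  "service-object", "protocol-object", "icmp-object"}

# Constructed excerpt of the config posted above (leading spaces optional).
SAMPLE_CONFIG = """\
object-group network object-google.com
object-group network obj-google.com
 group-object object-google.com
object-group service internet-udp udp
 description udp standard internet services
 port-object eq domain
 port-object eq ntp
object-group service internet-tcp tcp
 description tcp standard internet services
 port-object eq www
 port-object eq https
access-list 101 extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.1.1 eq www
access-list 101 extended deny tcp any host 192.168.1.1 eq www
access-list 101 extended permit ip any any
access-list inside-in extended permit icmp 192.168.10.0 255.255.255.0 any
access-list inside-in extended permit udp 192.168.10.0 255.255.255.0 any object-group internet-udp
access-list inside-in extended permit tcp 192.168.10.0 255.255.255.0 any object-group internet-tcp
access-list outside-in extended permit icmp any any echo-reply
access-group inside-in in interface inside
access-group outside-in in interface outside
crypto map outside_map 20 set peer 192.168.1.1
"""


def parse_config(text):
    """Split a config into object-groups, access-lists and everything else."""
    groups, acls, other = {}, {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            current = None
            continue
        parts = line.split()
        if parts[0] == "object-group" and len(parts) >= 3:
            current = parts[2]                      # 'object-group <type> <name>'
            groups[current] = {"type": parts[1], "children": []}
        elif parts[0] in CHILD_KEYWORDS and current is not None:
            groups[current]["children"].append(line)
        elif parts[0] == "access-list" and len(parts) >= 2:
            current = None
            acls.setdefault(parts[1], []).append(line)
        else:
            current = None
            other.append(line)
    return groups, acls, other


def _names_after(lines, keywords):
    """Collect the token that follows any of `keywords` on the given lines."""
    refs = set()
    for line in lines:
        parts = line.split()
        for i, tok in enumerate(parts[:-1]):
            if tok in keywords:
                refs.add(parts[i + 1])
    return refs


def find_unused(text):
    groups, acls, other = parse_config(text)
    # An ACL is in use if its name appears as a token anywhere outside its own
    # entries (access-group, crypto map match address, nat ... access-list).
    # Conservative: a name that collides with an unrelated token is kept.
    other_tokens = {tok for line in other for tok in line.split()}
    unused_acls = sorted(name for name in acls if name not in other_tokens)
    live_acl_lines = [l for name, entries in acls.items()
                      if name not in unused_acls for l in entries]

    live_groups = set(groups)
    unused_groups = []
    while True:  # iterate to a fixpoint so nested-only references drop out
        lines = live_acl_lines + other
        lines += [l for name in live_groups for l in groups[name]["children"]]
        refs = _names_after(lines, {"object-group", "group-object"})
        gone = sorted(name for name in live_groups if name not in refs)
        if not gone:
            break
        unused_groups.extend(gone)
        live_groups -= set(gone)
    return {"access_lists": unused_acls, "object_groups": unused_groups}


def cleanup_commands(text):
    """Render the findings as the ASA commands that would remove them."""
    groups, _, _ = parse_config(text)
    unused = find_unused(text)
    cmds = [f"clear configure access-list {name}" for name in unused["access_lists"]]
    cmds += [f"no object-group {groups[name]['type']} {name}"
             for name in unused["object_groups"]]
    return cmds


if __name__ == "__main__":
    for cmd in cleanup_commands(SAMPLE_CONFIG):
        print(cmd)
```

The ACL check is deliberately token-based, so an ACL referenced from a `crypto map ... match address`, a `nat ... access-list` or a `vpn-filter` is counted as used without listing every place an ACL can be bound; the price is that a numbered ACL whose number also appears elsewhere is never reported. The ASA refuses to delete a group that another group still references, which is why the removal order produced by the fixpoint loop matters.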
11-30-2019 07:51 AM
Thank you Marvin for the info I appreciate it.