seeking Asa 5506 firewall configuration tips

Ministry
Level 1

Hi All.

I've just set up an ASA 5506 for my home (office) use.

It's been a while since I last configured a Cisco appliance, so I was wondering if you guys would take a quick peek at my config and give me pointers on silly or stupid configs.

My setup is that I've replaced my standard ISP router with the ASA; it's tagged via VLAN on the outside interface and configured via DHCP.

I've configured a basic firewall rule to basically just deny anything from the outside interface to the inside; that's really all I had the fantasy to do.

Any tips for strengthening the security of my network? I don't care about bogging down my internet connection or losing performance.

Thank you.

Note: I don't have a license for the FirePOWER module as that is too expensive for home office usage.

Apologies if this is posted in the wrong place.

ASA Version 9.8(4)15 
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
no mac-address auto

!
interface GigabitEthernet1/1
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet1/1.101
 vlan 101
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface GigabitEthernet1/2
 description Internal network
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended deny object-group DM_INLINE_PROTOCOL_1 interface outside interface inside 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7131.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcp-client client-id interface outside
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
dynamic-access-policy-record DfltAccessPolicy
username admin password $sha512$5000$FqM9HtGlgl0T5UAebeZtVw==$viUddbBKQlbadGunFq9KWw== pbkdf2 privilege 15
!
!
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 12
  subscribe-to-alert-group configuration periodic monthly 12
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0413fcf1335c163fd8b0d9f2364e9b74
: end

4 Replies

balaji.bandi
Hall of Fame

At a high level it looks OK. Was your PC able to get to the internet? Then all good.

By default, outside to inside is denied by the behaviour of the ASA.

You can look at hardening the ASA in many ways if you are looking to do so.

https://www.dionach.com/blog/cisco-asa-firewall-hardening/

BB

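To make the hardening suggestion concrete, here is an added example (not Cisco tooling and not part of any post in this thread) that audits a saved ASA running-config for the management-plane weaknesses visible in the config posted above: the RC4 and 3DES entries in the `ssl cipher` suites, the `dh-group1-sha1` SSH key exchange, ASDM reachable from any inside host via `http 0.0.0.0 0.0.0.0 inside`, `console timeout 0`, and the absence of the `ssh version 2` and `aaa authentication ssh console LOCAL` lines that saids3 proposes in the next reply. The two embedded configs are constructed excerpts; the admin workstation address 192.168.1.10 in the hardened variant is an assumption.

```python
"""Audit a Cisco ASA running-config for weak management-plane settings.

Added example for this thread; it is not Cisco's tooling and not part of
any post. The rules are the review points for the config posted above.
"""
import re
from collections import Counter

# Constructed excerpt of the poster's config (management-plane lines only).
SAMPLE_CONFIG = """\
hostname ASA
http server enable
http 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
threat-detection basic-threat
"""

# Constructed hardened counterpart; 192.168.1.10 is an assumed admin host.
HARDENED_CONFIG = """\
http server enable
http 192.168.1.10 255.255.255.255 inside
ssh 192.168.1.10 255.255.255.255 inside
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh timeout 5
console timeout 10
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
ssl cipher default custom "AES256-SHA:AES128-SHA"
logging host inside 192.168.1.10
"""

WEAK_CIPHER_TOKENS = ("RC4", "DES-CBC3-SHA", "DES-CBC-SHA", "NULL", "EXPORT")
# 'http|ssh|telnet <ip> <mask> <interface>' lines define who may manage the box.
MGMT_ACCESS = re.compile(r"(http|ssh|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
SSL_CIPHER = re.compile(r'ssl cipher (\S+) custom "([^"]+)"')


def audit(config_text):
    """Return a list of (severity, offending_line, advice) tuples."""
    lines = [l.strip() for l in config_text.splitlines()
             if l.strip() and not l.lstrip().startswith("!")]
    findings = []
    for line in lines:
        m = MGMT_ACCESS.match(line)
        if m:
            proto, ip, mask, ifname = m.groups()
            if proto == "telnet":
                findings.append(("high", line, "telnet is cleartext; remove it and use ssh only"))
            elif ip == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(("high", line,
                                 f"{proto} management open to every host on '{ifname}'; "
                                 "restrict it to the admin workstation's address"))
        m = SSL_CIPHER.match(line)
        if m:
            weak = [c for c in m.group(2).split(":")
                    if any(t in c for t in WEAK_CIPHER_TOKENS)]
            if weak:
                findings.append(("high", line,
                                 f"weak ciphers in '{m.group(1)}' suite: {', '.join(weak)}"))
        if line.startswith("ssh key-exchange group") and line.split()[-1] == "dh-group1-sha1":
            findings.append(("high", line,
                             "legacy group1/SHA-1 exchange; use 'ssh key-exchange group dh-group14-sha1' or stronger"))
        if line == "console timeout 0":
            findings.append(("medium", line, "console sessions never expire; set a timeout"))
    if "ssh version 2" not in lines:
        findings.append(("medium", "(missing)", "add 'ssh version 2' to pin the daemon to SSHv2"))
    if not any(l.startswith("aaa authentication ssh console") for l in lines):
        findings.append(("medium", "(missing)",
                         "add 'aaa authentication ssh console LOCAL' so SSH logins use named accounts"))
    if not any(l.startswith("logging host") for l in lines):
        findings.append(("low", "(missing)",
                         "no syslog host; 'logging asdm' output does not survive a reload"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 3, 'low': 1}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, line, advice in audit(SAMPLE_CONFIG):
        print(f"[{sev:6}] {line}\n         -> {advice}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run it against `show running-config` output saved to a file by reading the file into `audit()`; the sample config above yields four high, three medium and one low finding, and the hardened variant yields none. The checks are deliberately line-oriented so they can be extended with further `startswith`/regex rules without parsing the whole ASA grammar.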

saids3
Level 1

Hello - Common config (config t):

 

dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd option 3 ip 192.168.1.1
dhcpd enable inside
dhcpd auto_config outside
route outside 0.0.0.0 0.0.0.0 192.168.200.5

object network INSIDE-NET
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
class-map inspection_default
match default-inspection-traffic

policy-map global_policy
class inspection_default
inspect icmp

service-policy global_policy global

policy-map global_policy
class inspection_default
inspect http

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512

policy-map global_policy
class inspection_default
inspect dns preset_dns_map

domain-name ministry.com
username admin password ********** priv 15
crypto key generate rsa modulus 2048

Yes 

ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.0.0 inside
ssh timeout 30
ssh version 2


aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL

dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy

class-map global-class
match any
policy-map global_policy
class global-class
sfr fail-open

Thanks a lot, nice input!