11-30-2017 05:43 AM - edited 03-08-2019 12:56 PM
Hi,
I am a newbie at configuring ASA's and trying to setup a Cisco ASA 5506 for the work flow on the attached image. If anyone could please recommend the best way to setup this ASA to Deny all traffic from LAN PC to Presstek PCs with the exception of port 445 for SMB file transfer. The Presstek computers will have static IP's on the same LAN subnet but they will be connected to the ASA ports and not LAN switch. If you need further info or need me to clarify certain things please let me know. Thanks
12-13-2017 07:37 AM
You have, but you are specifying the origin. Are you sure you are trying from the proper origin? The suggestion I gave ignores the origin, allowing from everywhere.
-If I helped you somehow, please, rate it as useful.-
11-30-2017 05:57 AM
Hi @acabezas11
The image is not available. It would be helpful if you also add the firewall config.
-If I helped you somehow, please, rate it as useful.-
11-30-2017 05:59 AM
Hi, sorry,
I just uploaded another image; are you able to see it?
11-30-2017 06:01 AM
Not available either. Maybe it is the image format.
11-30-2017 06:07 AM
does the one I just uploaded work?
11-30-2017 06:20 AM
Now it is ok. Well, you have two firewall interfaces, right? Both are probably inside and both probably have security level 100. You can change the security level of DOHMH to 50; this way no traffic will be permitted between them.
Then you can create an ACL:
access-list 100 extended permit tcp 10.53.23.0 255.255.255.0 10.156.23.0 255.255.255.128 eq 445
access-group 100 in interface DOHMH
Keep in mind that port 445 alone may not be enough if you are trying to work with Windows file sharing.
You may need 137, 138 and 139 as well.
-If I helped you somehow, please, rate it as useful.-
11-30-2017 06:34 AM
This is the current config I had loaded on the ASA. I created a bridge group and added all the interfaces to that group with security level 100. I also had a few NAT rules and ACLs but I am not sure if I still need those or not. Being that they are on the same subnet, does port gi1/1 need to be on security level 100 as well?
Thank you.
ciscoasa# sh run
: Saved
:
: Serial Number: JAD21260FF5
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.7(1)4
!
hostname ciscoasa
enable password $sha512$5000$614vemnZqQcfOfmiKv+YsQ==$4oqF99AoyBNdRBqxtB/e3Q== pbkdf2
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.156.23.126 255.255.255.128
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network Presstek_LAN
subnet 192.168.1.0 255.255.255.0
description Presstek_LAN
object network 192.168.1.10
host 192.168.1.10
object network obj-192.168.1.20
host 192.168.1.20
object network outside-network
subnet 10.156.23.0 255.255.255.128
object network DOHMH
host 10.156.23.120
description DOHMH
object network 10.156.23.33
host 10.156.23.33
description Presstek PC1
object network 10.156.23.88
host 10.156.23.88
description Presstek PC3
object-group network Inside_Network_Group
description Inside_Network_Group
network-object object Presstek_LAN
network-object object 192.168.1.10
network-object object obj-192.168.1.20
object-group service DM_INLINE_TCP_1 tcp
port-object eq 445
port-object eq ftp
port-object eq netbios-ssn
object-group network Presstek_PCs
description Presstek PCs
network-object object 10.156.23.33
network-object object 10.156.23.88
object-group service DM_INLINE_TCP_2 tcp
port-object eq 445
port-object eq ftp
port-object eq netbios-ssn
access-list inside_access_in extended permit ip object Presstek_LAN any
access-list outside_access_in extended permit ip any object Presstek_LAN
access-list outside_access_in extended permit ip any object-group Inside_Network_Group log
access-list outside_access_in extended permit tcp object DOHMH object-group Presstek_PCs object-group DM_INLINE_TCP_2
access-list inside_1_access_in_1 extended permit ip object Presstek_LAN any
access-list inside_2_access_in_2 extended permit ip object Presstek_LAN any
access-list inside_2_access_in_2 extended permit tcp object-group Inside_Network_Group object DOHMH object-group DM_INLINE_TCP_1
access-list inside_4_access_in_4 extended permit ip object Presstek_LAN any
access-list inside_5_access_in_5 extended permit ip object Presstek_LAN any
access-list inside_6_access_in_6 extended permit ip object Presstek_LAN any
access-list inside_7_access_in_7 extended permit ip object Presstek_LAN any
access-list inside_5_access_in extended permit ip object Presstek_LAN any
access-list inside_6_access_in extended permit ip object Presstek_LAN any
access-list inside_4_access_in extended permit ip object Presstek_LAN any
access-list inside_7_access_in extended permit ip object Presstek_LAN any
access-list inside_2_access_in extended permit ip object 192.168.1.10 any log
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside_1
icmp permit any inside_2
icmp permit any inside_3
icmp permit any inside_4
icmp permit any inside_5
icmp permit any inside_6
icmp permit any inside_7
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside_1,outside) source dynamic Presstek_LAN interface
nat (inside_2,outside) source dynamic Presstek_LAN interface
nat (inside_3,outside) source dynamic Presstek_LAN interface
nat (inside_4,outside) source dynamic Presstek_LAN interface
nat (inside_5,outside) source dynamic Presstek_LAN interface
nat (inside_6,outside) source dynamic Presstek_LAN interface
nat (inside_7,outside) source dynamic Presstek_LAN interface
access-group outside_access_in in interface outside
access-group inside_1_access_in_1 in interface inside_1
access-group inside_2_access_in_2 in interface inside_2
access-group inside_4_access_in_4 in interface inside_3
access-group inside_4_access_in in interface inside_4
access-group inside_5_access_in in interface inside_5
access-group inside_6_access_in in interface inside_6
access-group inside_7_access_in in interface inside_7
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.156.23.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
http 0.0.0.0 0.0.0.0 inside_1
http 0.0.0.0 0.0.0.0 inside_2
http 0.0.0.0 0.0.0.0 inside_3
http 0.0.0.0 0.0.0.0 inside_4
http 0.0.0.0 0.0.0.0 inside_5
http 0.0.0.0 0.0.0.0 inside_6
http 0.0.0.0 0.0.0.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:04363acee2485e13b91f1edc399785d5
: end
ciscoasa#
11-30-2017 06:57 AM
You don't need NAT actually.
In terms of ACL:
You should delete these ACLs:
access-list outside_access_in extended permit ip any object Presstek_LAN
access-list outside_access_in extended permit ip any object-group Inside_Network_Group log
This ACL is ok. However, it will allow traffic only from DOHMH to Presstek_PCs. If you want to permit all hosts from DOHMH to all hosts on Presstek, you should change it.
access-list outside_access_in extended permit tcp object DOHMH object-group Presstek_PCs object-group DM_INLINE_TCP_2
-If I helped you somehow, please, rate it as useful.-
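Added example, not from the thread or from Cisco: a small Python model of how the ASA evaluates the outside_access_in ACE kept above against the thread's own objects, and of the default behaviour of an interface with no ACL bound (higher-to-lower security level is permitted by default, so the Presstek-to-DOHMH direction needs an explicit inbound deny on the inside interfaces). The LAN PC address 10.156.23.50 is a constructed sample; `parse_ace` and `evaluate` are hypothetical helper names.

```python
import ipaddress

# Objects and groups copied from the thread's running config
OBJECTS = {
    "DOHMH": "10.156.23.120/32",
    "10.156.23.33": "10.156.23.33/32",   # Presstek PC1
    "10.156.23.88": "10.156.23.88/32",   # Presstek PC3
}
GROUPS = {"Presstek_PCs": ["10.156.23.33", "10.156.23.88"]}
SERVICES = {"DM_INLINE_TCP_2": {445, 21, 139}}  # eq 445, eq ftp, eq netbios-ssn

def _hosts(tokens):
    """Consume one address spec: any | host A | object X | object-group G."""
    kind = tokens.pop(0)
    if kind == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    name = tokens.pop(0)
    if kind == "host":
        return [ipaddress.ip_network(name + "/32")]
    if kind == "object":
        return [ipaddress.ip_network(OBJECTS[name])]
    if kind == "object-group":
        return [ipaddress.ip_network(OBJECTS[m]) for m in GROUPS[name]]
    raise ValueError("unsupported address spec: " + kind)

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq N | object-group S]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    name, action, proto, rest = tokens[1], tokens[3], tokens[4], tokens[5:]
    src, dst = _hosts(rest), _hosts(rest)
    ports = None                                   # None = any destination port
    if rest[:1] == ["eq"]:
        ports = {int(rest[1])}
    elif rest[:1] == ["object-group"]:
        ports = SERVICES[rest[1]]
    return {"acl": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "ports": ports}

def _match(ace, proto, src, dst, dport):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (ace["proto"] in ("ip", proto)
            and any(s in n for n in ace["src"])
            and any(d in n for n in ace["dst"])
            and (ace["ports"] is None or dport in ace["ports"]))

def evaluate(acl, src_level, dst_level, proto, src, dst, dport):
    """ASA semantics: with an ACL bound inbound, first match wins and the list
    ends in an implicit deny; with no ACL, higher-to-lower security is permitted."""
    if acl is not None:
        for ace in acl:
            if _match(ace, proto, src, dst, dport):
                return ace["action"]
        return "deny"
    return "permit" if src_level > dst_level else "deny"

if __name__ == "__main__":
    outside_acl = [parse_ace("access-list outside_access_in extended permit tcp "
                             "object DOHMH object-group Presstek_PCs object-group DM_INLINE_TCP_2")]
    # DOHMH -> Presstek PC1 on 445 enters 'outside' (level 0 -> 100): permitted by the ACE
    print(evaluate(outside_acl, 0, 100, "tcp", "10.156.23.120", "10.156.23.33", 445))
    # Constructed LAN PC 10.156.23.50 -> Presstek PC1 on 445: no match, implicit deny
    print(evaluate(outside_acl, 0, 100, "tcp", "10.156.23.50", "10.156.23.33", 445))
    # Presstek PC1 -> DOHMH entering inside_1 with NO ACL bound (100 -> 0): permitted by default
    print(evaluate(None, 100, 0, "tcp", "10.156.23.33", "10.156.23.120", 445))
    # ... so the Presstek side needs an explicit inbound deny on the inside interfaces
    inside_acl = [parse_ace("access-list inside_1_access_in extended deny ip any any")]
    print(evaluate(inside_acl, 100, 0, "tcp", "10.156.23.33", "10.156.23.120", 445))
```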
11-30-2017 07:04 AM
Ok so port Gi1/1 will be connected to a switch on the LAN subnet where DOHMH PC is connected too. Presstek devices will be connected to the ASA and have IP's on the same subnet.
Do I need to change gi1/1 to security level 50 or 100? Also do I still need to have the BVI1? I want all other traffic to be blocked. There should be no communication initiated from the Presstek PCs to the DOHMH network.
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.156.23.126 255.255.255.128
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
11-30-2017 07:10 AM
You don't need to change the security level as it is already 0. I suggested that before I saw the firewall config. If the interfaces have the same security level and the firewall has the command same-security-level... then all traffic will be permitted.
Which is not your case, as outside has a security level of 0.
BVI is not necessary for this flow.
Apparently the problem is those two ACLs I highlighted that are permitting at IP level.
-If I helped you somehow, please, rate it as useful.-
11-30-2017 07:15 AM
Ok, so this is what I have now. I removed the NAT and ACLs. I also changed the outside interface level to 50, but you are saying it should be at 0, and I should leave the BVI group, have all the interfaces applied to that group, and set them to level 100 as well? I also tried to add that ACL you sent me but it didn't work.
ciscoasa# sh run
: Saved
:
: Serial Number: JAD21260FF5
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.7(1)4
!
hostname ciscoasa
enable password $sha512$5000$614vemnZqQcfOfmiKv+YsQ==$4oqF99AoyBNdRBqxtB/e3Q== pbkdf2
names
!
interface GigabitEthernet1/1
nameif outside
security-level 50
ip address 10.156.23.126 255.255.255.128
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network Presstek_LAN
subnet 192.168.1.0 255.255.255.0
description Presstek_LAN
object network 192.168.1.10
host 192.168.1.10
object network obj-192.168.1.20
host 192.168.1.20
object network outside-network
subnet 10.156.23.0 255.255.255.128
object network DOHMH
host 10.156.23.120
description DOHMH
object network 10.156.23.33
host 10.156.23.33
description Presstek PC1
object network 10.156.23.88
host 10.156.23.88
description Presstek PC3
object-group network Inside_Network_Group
description Inside_Network_Group
network-object object Presstek_LAN
network-object object 192.168.1.10
network-object object obj-192.168.1.20
object-group network Presstek_PCs
description Presstek PCs
network-object object 10.156.23.33
network-object object 10.156.23.88
object-group service DM_INLINE_TCP_2 tcp
port-object eq 445
port-object eq ftp
port-object eq netbios-ssn
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside_1
icmp permit any inside_2
icmp permit any inside_3
icmp permit any inside_4
icmp permit any inside_5
icmp permit any inside_6
icmp permit any inside_7
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
route outside 0.0.0.0 0.0.0.0 10.156.23.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
http 0.0.0.0 0.0.0.0 inside_1
http 0.0.0.0 0.0.0.0 inside_2
http 0.0.0.0 0.0.0.0 inside_3
http 0.0.0.0 0.0.0.0 inside_4
http 0.0.0.0 0.0.0.0 inside_5
http 0.0.0.0 0.0.0.0 inside_6
http 0.0.0.0 0.0.0.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3d172ec1d3dab5f38b84dabed2f34727
: end
11-30-2017 07:17 AM
I also just want traffic from the one DOHMH PC 10.156.23.120 to be able to access the Presstek PCs, to be able to transfer files from it to the 2 Presstek machines and nothing else.
11-30-2017 07:51 AM
Alright. Then, try what I suggested and let me know.
-If I helped you somehow, please, rate it as useful.-
11-30-2017 08:17 AM
So this is what my config looks like right now. Is this correct? Do I need to have the IP assigned to BVI port and what level should I leave the outside interface on? Thank you
ciscoasa# sh run
: Saved
:
: Serial Number: JAD21260FF5
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.7(1)4
!
hostname ciscoasa
enable password $sha512$5000$614vemnZqQcfOfmiKv+YsQ==$4oqF99AoyBNdRBqxtB/e3Q== pbkdf2
names
!
interface GigabitEthernet1/1
nameif outside
security-level 50
ip address 10.156.23.126 255.255.255.128
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network Presstek_LAN
subnet 192.168.1.0 255.255.255.0
description Presstek_LAN
object network 192.168.1.10
host 192.168.1.10
object network obj-192.168.1.20
host 192.168.1.20
object network outside-network
subnet 10.156.23.0 255.255.255.128
object network DOHMH
host 10.156.23.120
description DOHMH
object network 10.156.23.33
host 10.156.23.33
description Presstek PC1
object network 10.156.23.88
host 10.156.23.88
description Presstek PC3
object-group network Inside_Network_Group
description Inside_Network_Group
network-object object Presstek_LAN
network-object object 192.168.1.10
network-object object obj-192.168.1.20
object-group network Presstek_PCs
description Presstek PCs
network-object object 10.156.23.33
network-object object 10.156.23.88
object-group service DM_INLINE_TCP_2 tcp
port-object eq 445
port-object eq ftp
port-object eq netbios-ssn
access-list outside_access_in extended permit tcp object DOHMH object-group Presstek_PCs object-group DM_INLINE_TCP_2
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside_1
icmp permit any inside_2
icmp permit any inside_3
icmp permit any inside_4
icmp permit any inside_5
icmp permit any inside_6
icmp permit any inside_7
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
route outside 0.0.0.0 0.0.0.0 10.156.23.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
http 0.0.0.0 0.0.0.0 inside_1
http 0.0.0.0 0.0.0.0 inside_2
http 0.0.0.0 0.0.0.0 inside_3
http 0.0.0.0 0.0.0.0 inside_4
http 0.0.0.0 0.0.0.0 inside_5
http 0.0.0.0 0.0.0.0 inside_6
http 0.0.0.0 0.0.0.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:23afc59a09e17b09057bdd97e9fac5e7
: end