LAN to LAN with ASA5506 on the same physical network

acabezas11
Level 1

Hi,

I am a newbie at configuring ASAs and am trying to set up a Cisco ASA 5506 for the workflow in the attached image. If anyone could please recommend the best way to set up this ASA to deny all traffic from the LAN PCs to the Presstek PCs, with the exception of port 445 for SMB file transfer. The Presstek computers will have static IPs on the same LAN subnet, but they will be connected to the ASA ports and not to the LAN switch. If you need further info or need me to clarify certain things, please let me know. Thanks


Presstek Op Flow3.jpg

Accepted Solution:

You have, but you are specifying the origin. Are you sure you are trying from the proper origin? The suggestion I gave ignores the origin, allowing from everywhere.


-If I helped you somehow, please, rate it as useful.-


Hi @acabezas11

The image is not available. It would be helpful if you also add the firewall config.


-If I helped you somehow, please, rate it as useful.-

acabezas11
Level 1

Hi, sorry.

I just uploaded another image. Are you able to see it?

Not available either. Maybe it is the image format.

Does the one I just uploaded work?

Now it is ok. Well, you have two firewall interfaces, right? Both are probably inside and both probably have security level 100. You can change the security level of DOHMH to 50; this way no traffic will be permitted between them.

Then you can create an ACL:

access-list 100 extended permit tcp 10.53.23.0 10.156.23.0 eq 445

access-group 100 in interface DOHMH

Keep in mind that port 445 alone may not be enough if you are trying to work with Windows file sharing.

You may need 137, 138 and 139 as well.


-If I helped you somehow, please, rate it as useful.-

This is the current config I had loaded on the ASA. I created a bridge group and added all the interfaces to that group with security level 100. I also had a few NAT rules and ACLs, but I am not sure if I still need those or not. Given that they are on the same subnet, does port gi1/1 need to be on security level 100 as well?

Thank you.

ciscoasa# sh run

: Saved

 

:

: Serial Number: JAD21260FF5

: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)

:

ASA Version 9.7(1)4

!

hostname ciscoasa

enable password $sha512$5000$614vemnZqQcfOfmiKv+YsQ==$4oqF99AoyBNdRBqxtB/e3Q== pbkdf2

names

 

!

interface GigabitEthernet1/1

nameif outside

security-level 0

ip address 10.156.23.126 255.255.255.128

!

interface GigabitEthernet1/2

bridge-group 1

nameif inside_1

security-level 100

!

interface GigabitEthernet1/3

bridge-group 1

nameif inside_2

security-level 100

!

interface GigabitEthernet1/4

bridge-group 1

nameif inside_3

security-level 100

!

interface GigabitEthernet1/5

bridge-group 1

nameif inside_4

security-level 100

!

interface GigabitEthernet1/6

bridge-group 1

nameif inside_5

security-level 100

!

interface GigabitEthernet1/7

bridge-group 1

nameif inside_6

security-level 100

!

interface GigabitEthernet1/8

bridge-group 1

nameif inside_7

security-level 100

!

interface Management1/1

management-only

no nameif

no security-level

no ip address

!

interface BVI1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

ftp mode passive

same-security-traffic permit inter-interface

object network obj_any1

subnet 0.0.0.0 0.0.0.0

object network obj_any2

subnet 0.0.0.0 0.0.0.0

object network obj_any3

subnet 0.0.0.0 0.0.0.0

object network obj_any4

subnet 0.0.0.0 0.0.0.0

object network obj_any5

subnet 0.0.0.0 0.0.0.0

object network obj_any6

subnet 0.0.0.0 0.0.0.0

object network obj_any7

subnet 0.0.0.0 0.0.0.0

object network Presstek_LAN

subnet 192.168.1.0 255.255.255.0

description Presstek_LAN

object network 192.168.1.10

host 192.168.1.10

object network obj-192.168.1.20

host 192.168.1.20

object network outside-network

subnet 10.156.23.0 255.255.255.128

object network DOHMH

host 10.156.23.120

description DOHMH

object network 10.156.23.33

host 10.156.23.33

description Presstek PC1

object network 10.156.23.88

host 10.156.23.88

description Presstek PC3

object-group network Inside_Network_Group

description Inside_Network_Group

network-object object Presstek_LAN

network-object object 192.168.1.10

network-object object obj-192.168.1.20

object-group service DM_INLINE_TCP_1 tcp

port-object eq 445

port-object eq ftp

port-object eq netbios-ssn

object-group network Presstek_PCs

description Presstek PCs

network-object object 10.156.23.33

network-object object 10.156.23.88

object-group service DM_INLINE_TCP_2 tcp

port-object eq 445

port-object eq ftp

port-object eq netbios-ssn

access-list inside_access_in extended permit ip object Presstek_LAN any

access-list outside_access_in extended permit ip any object Presstek_LAN

access-list outside_access_in extended permit ip any object-group Inside_Network_Group log

access-list outside_access_in extended permit tcp object DOHMH object-group Presstek_PCs object-group DM_INLINE_TCP_2

access-list inside_1_access_in_1 extended permit ip object Presstek_LAN any

access-list inside_2_access_in_2 extended permit ip object Presstek_LAN any

access-list inside_2_access_in_2 extended permit tcp object-group Inside_Network_Group object DOHMH object-group DM_INLINE_TCP_1

access-list inside_4_access_in_4 extended permit ip object Presstek_LAN any

access-list inside_5_access_in_5 extended permit ip object Presstek_LAN any

access-list inside_6_access_in_6 extended permit ip object Presstek_LAN any

access-list inside_7_access_in_7 extended permit ip object Presstek_LAN any

access-list inside_5_access_in extended permit ip object Presstek_LAN any

access-list inside_6_access_in extended permit ip object Presstek_LAN any

access-list inside_4_access_in extended permit ip object Presstek_LAN any

access-list inside_7_access_in extended permit ip object Presstek_LAN any

access-list inside_2_access_in extended permit ip object 192.168.1.10 any log

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside_1 1500

mtu inside_2 1500

mtu inside_3 1500

mtu inside_4 1500

mtu inside_5 1500

mtu inside_6 1500

mtu inside_7 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside_1

icmp permit any inside_2

icmp permit any inside_3

icmp permit any inside_4

icmp permit any inside_5

icmp permit any inside_6

icmp permit any inside_7

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 16384

nat (inside_1,outside) source dynamic Presstek_LAN interface

nat (inside_2,outside) source dynamic Presstek_LAN interface

nat (inside_3,outside) source dynamic Presstek_LAN interface

nat (inside_4,outside) source dynamic Presstek_LAN interface

nat (inside_5,outside) source dynamic Presstek_LAN interface

nat (inside_6,outside) source dynamic Presstek_LAN interface

nat (inside_7,outside) source dynamic Presstek_LAN interface

access-group outside_access_in in interface outside

access-group inside_1_access_in_1 in interface inside_1

access-group inside_2_access_in_2 in interface inside_2

access-group inside_4_access_in_4 in interface inside_3

access-group inside_4_access_in in interface inside_4

access-group inside_5_access_in in interface inside_5

access-group inside_6_access_in in interface inside_6

access-group inside_7_access_in in interface inside_7

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 10.156.23.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside_1

http 192.168.1.0 255.255.255.0 inside_2

http 192.168.1.0 255.255.255.0 inside_3

http 192.168.1.0 255.255.255.0 inside_4

http 192.168.1.0 255.255.255.0 inside_5

http 192.168.1.0 255.255.255.0 inside_6

http 192.168.1.0 255.255.255.0 inside_7

http 0.0.0.0 0.0.0.0 inside_1

http 0.0.0.0 0.0.0.0 inside_2

http 0.0.0.0 0.0.0.0 inside_3

http 0.0.0.0 0.0.0.0 inside_4

http 0.0.0.0 0.0.0.0 inside_5

http 0.0.0.0 0.0.0.0 inside_6

http 0.0.0.0 0.0.0.0 inside_7

no snmp-server location

no snmp-server contact

service sw-reset-button

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh stricthostkeycheck

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

 

dhcpd auto_config outside

!

dhcpd address 192.168.1.5-192.168.1.254 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

dynamic-access-policy-record DfltAccessPolicy

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:04363acee2485e13b91f1edc399785d5

: end

ciscoasa#

You don't need NAT actually.

In terms of ACL:

You should delete these ACLs:

access-list outside_access_in extended permit ip any object Presstek_LAN

access-list outside_access_in extended permit ip any object-group Inside_Network_Group log

This ACL is ok. However, it will allow traffic from DOHMH to Presstek_PCs. If you want to permit all hosts from DOHMH to all hosts on Presstek, you should change it.

 

access-list outside_access_in extended permit tcp object DOHMH object-group Presstek_PCs object-group DM_INLINE_TCP_2


-If I helped you somehow, please, rate it as useful.-
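To make the effect of deleting those two IP-level ACEs concrete, here is an added example (not code from the thread or from Cisco) that models ASA access-list evaluation in Python: first match wins, and anything unmatched hits the implicit deny at the end of the list. The object names, hosts and the DM_INLINE_TCP_2 service group are taken from the posted 'sh run'; the flows at the bottom are constructed, and 10.156.23.50 is an assumed "other LAN PC" that does not appear in the thread.

```python
from ipaddress import ip_address, ip_network

# Named network objects as they appear in the posted 'sh run'.
OBJECTS = {
    "DOHMH": [ip_network("10.156.23.120/32")],
    "Presstek_PCs": [ip_network("10.156.23.33/32"), ip_network("10.156.23.88/32")],
    "Presstek_LAN": [ip_network("192.168.1.0/24")],
    "Inside_Network_Group": [ip_network("192.168.1.0/24"),
                             ip_network("192.168.1.10/32"),
                             ip_network("192.168.1.20/32")],
    "any": [ip_network("0.0.0.0/0")],
}
# Service group DM_INLINE_TCP_2 from the posted config: 445, ftp (21), netbios-ssn (139).
# None means "every port", i.e. an ACE with no service qualifier.
SERVICES = {"DM_INLINE_TCP_2": {445, 21, 139}, "any": None}

# An ACE is (action, protocol, source object, destination object, service object).
# Protocol "ip" matches tcp and udp alike.
ACL_BEFORE = [
    ("permit", "ip", "any", "Presstek_LAN", "any"),                     # to be deleted
    ("permit", "ip", "any", "Inside_Network_Group", "any"),             # to be deleted
    ("permit", "tcp", "DOHMH", "Presstek_PCs", "DM_INLINE_TCP_2"),      # the rule to keep
]
ACL_AFTER = [ACL_BEFORE[2]]  # only the DOHMH -> Presstek_PCs rule remains


def _matches(addr, obj):
    """True if addr falls inside any network of the named object."""
    a = ip_address(addr)
    return any(a in net for net in OBJECTS[obj])


def evaluate(acl, proto, src, dst, dport):
    """Return (verdict, matched ACE). First match wins; no match is an implicit deny."""
    for ace in acl:
        action, aproto, sobj, dobj, svc = ace
        if aproto != "ip" and aproto != proto:
            continue
        if not (_matches(src, sobj) and _matches(dst, dobj)):
            continue
        ports = SERVICES[svc]
        if ports is not None and dport not in ports:
            continue
        return action, ace
    return "deny", None


# Constructed new connections arriving on the outside interface.
FLOWS = [
    ("tcp", "10.156.23.120", "10.156.23.33", 445),   # DOHMH PC -> Presstek PC1, SMB
    ("tcp", "10.156.23.120", "10.156.23.88", 3389),  # DOHMH PC -> Presstek PC3, RDP
    ("tcp", "10.156.23.50", "10.156.23.33", 445),    # assumed other LAN PC -> Presstek PC1, SMB
    ("tcp", "10.156.23.50", "192.168.1.10", 22),     # assumed other LAN PC -> bridge-group host, SSH
]


def report(acl):
    """Map every constructed flow to its verdict under the given ACL."""
    return {flow: evaluate(acl, *flow)[0] for flow in FLOWS}


if __name__ == "__main__":
    for label, acl in (("before deleting the two ACEs", ACL_BEFORE),
                       ("after deleting the two ACEs", ACL_AFTER)):
        print(label)
        for flow, verdict in report(acl).items():
            print("  ", flow, "->", verdict)
```

Under ACL_BEFORE the last constructed flow (any host to 192.168.1.10 on port 22) is permitted by the first IP-level ACE, which is exactly the hole the reply points at; under ACL_AFTER only the DOHMH host reaches the two Presstek PCs, and only on the three listed ports. Note also that this models the outside interface only: on an ASA, traffic from a higher to a lower security level is permitted by default when no access-group is applied to the inbound interface, so blocking connections initiated by the Presstek PCs toward the LAN needs an ACL on the inside side as well; return traffic for permitted connections is handled by the stateful connection table and needs no rule.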

Ok, so port Gi1/1 will be connected to a switch on the LAN subnet where the DOHMH PC is also connected. Presstek devices will be connected to the ASA and have IPs on the same subnet.

Do I need to change gi1/1 to security level 50 or 100? Also, do I still need to have the BVI1? I want all other traffic to be blocked. There should be no communication initiated from the Presstek PCs to the DOHMH network.

interface GigabitEthernet1/1

nameif outside

security-level 0

ip address 10.156.23.126 255.255.255.128

!

interface GigabitEthernet1/2

bridge-group 1

nameif inside_1

security-level 100

!

interface GigabitEthernet1/3

bridge-group 1

nameif inside_2

security-level 100

!

interface GigabitEthernet1/4

bridge-group 1

nameif inside_3

security-level 100

!

interface GigabitEthernet1/5

bridge-group 1

nameif inside_4

security-level 100

!

interface GigabitEthernet1/6

bridge-group 1

nameif inside_5

security-level 100

!

interface GigabitEthernet1/7

bridge-group 1

nameif inside_6

security-level 100

!

interface GigabitEthernet1/8

bridge-group 1

nameif inside_7

security-level 100

!

interface Management1/1

management-only

no nameif

no security-level

no ip address

!

interface BVI1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

You don't need to change the security level, as it is already 0. I suggested that before I saw the firewall config. If the interfaces have the same security level and the firewall has the command same-security-traffic... then all traffic will be permitted.

Which is not your case, as outside has a security level of 0.

BVI is not necessary for this flow.

Apparently the problem is those two ACLs I highlighted that are permitting at the IP level.

-If I helped you somehow, please, rate it as useful.-

Ok, so this is what I have now. I removed the NAT and ACLs. I also changed the outside interface level to 50, but you are saying it should be at 0, and leave the BVI group with all the interfaces applied to that group and set to level 100 as well? I also tried to add that ACL you sent me, but it didn't work.

ciscoasa# sh run

: Saved

 

:

: Serial Number: JAD21260FF5

: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)

:

ASA Version 9.7(1)4

!

hostname ciscoasa

enable password $sha512$5000$614vemnZqQcfOfmiKv+YsQ==$4oqF99AoyBNdRBqxtB/e3Q== pbkdf2

names

 

!

interface GigabitEthernet1/1

nameif outside

security-level 50

ip address 10.156.23.126 255.255.255.128

!

interface GigabitEthernet1/2

bridge-group 1

nameif inside_1

security-level 100

!

interface GigabitEthernet1/3

bridge-group 1

nameif inside_2

security-level 100

!

interface GigabitEthernet1/4

bridge-group 1

nameif inside_3

security-level 100

!

interface GigabitEthernet1/5

bridge-group 1

nameif inside_4

security-level 100

!

interface GigabitEthernet1/6

bridge-group 1

nameif inside_5

security-level 100

!

interface GigabitEthernet1/7

bridge-group 1

nameif inside_6

security-level 100

!

interface GigabitEthernet1/8

bridge-group 1

nameif inside_7

security-level 100

!

interface Management1/1

management-only

no nameif

no security-level

no ip address

!

interface BVI1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

ftp mode passive

same-security-traffic permit inter-interface

object network obj_any1

subnet 0.0.0.0 0.0.0.0

object network obj_any2

subnet 0.0.0.0 0.0.0.0

object network obj_any3

subnet 0.0.0.0 0.0.0.0

object network obj_any4

subnet 0.0.0.0 0.0.0.0

object network obj_any5

subnet 0.0.0.0 0.0.0.0

object network obj_any6

subnet 0.0.0.0 0.0.0.0

object network obj_any7

subnet 0.0.0.0 0.0.0.0

object network Presstek_LAN

subnet 192.168.1.0 255.255.255.0

description Presstek_LAN

object network 192.168.1.10

host 192.168.1.10

object network obj-192.168.1.20

host 192.168.1.20

object network outside-network

subnet 10.156.23.0 255.255.255.128

object network DOHMH

host 10.156.23.120

description DOHMH

object network 10.156.23.33

host 10.156.23.33

description Presstek PC1

object network 10.156.23.88

host 10.156.23.88

description Presstek PC3

object-group network Inside_Network_Group

description Inside_Network_Group

network-object object Presstek_LAN

network-object object 192.168.1.10

network-object object obj-192.168.1.20

object-group network Presstek_PCs

description Presstek PCs

network-object object 10.156.23.33

network-object object 10.156.23.88

object-group service DM_INLINE_TCP_2 tcp

port-object eq 445

port-object eq ftp

port-object eq netbios-ssn

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside_1 1500

mtu inside_2 1500

mtu inside_3 1500

mtu inside_4 1500

mtu inside_5 1500

mtu inside_6 1500

mtu inside_7 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside_1

icmp permit any inside_2

icmp permit any inside_3

icmp permit any inside_4

icmp permit any inside_5

icmp permit any inside_6

icmp permit any inside_7

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 16384

route outside 0.0.0.0 0.0.0.0 10.156.23.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside_1

http 192.168.1.0 255.255.255.0 inside_2

http 192.168.1.0 255.255.255.0 inside_3

http 192.168.1.0 255.255.255.0 inside_4

http 192.168.1.0 255.255.255.0 inside_5

http 192.168.1.0 255.255.255.0 inside_6

http 192.168.1.0 255.255.255.0 inside_7

http 0.0.0.0 0.0.0.0 inside_1

http 0.0.0.0 0.0.0.0 inside_2

http 0.0.0.0 0.0.0.0 inside_3

http 0.0.0.0 0.0.0.0 inside_4

http 0.0.0.0 0.0.0.0 inside_5

http 0.0.0.0 0.0.0.0 inside_6

http 0.0.0.0 0.0.0.0 inside_7

no snmp-server location

no snmp-server contact

service sw-reset-button

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh stricthostkeycheck

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

 

dhcpd auto_config outside

!

dhcpd address 192.168.1.5-192.168.1.254 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

dynamic-access-policy-record DfltAccessPolicy

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:3d172ec1d3dab5f38b84dabed2f34727

: end

I also just want traffic from the one DOHMH PC 10.256.23.120 to be able to access the Presstek PCs to be able to transfer files from it to the 2 Presstek machines and nothing else.

Alright. Then, try what I suggested and let me know.


-If I helped you somehow, please, rate it as useful.-

So this is what my config looks like right now. Is this correct? Do I need to have the IP assigned to the BVI port, and what level should I leave the outside interface on? Thank you

ciscoasa# sh run

: Saved

 

:

: Serial Number: JAD21260FF5

: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)

:

ASA Version 9.7(1)4

!

hostname ciscoasa

enable password $sha512$5000$614vemnZqQcfOfmiKv+YsQ==$4oqF99AoyBNdRBqxtB/e3Q== pbkdf2

names

 

!

interface GigabitEthernet1/1

nameif outside

security-level 50

ip address 10.156.23.126 255.255.255.128

!

interface GigabitEthernet1/2

bridge-group 1

nameif inside_1

security-level 100

!

interface GigabitEthernet1/3

bridge-group 1

nameif inside_2

security-level 100

!

interface GigabitEthernet1/4

bridge-group 1

nameif inside_3

security-level 100

!

interface GigabitEthernet1/5

bridge-group 1

nameif inside_4

security-level 100

!

interface GigabitEthernet1/6

bridge-group 1

nameif inside_5

security-level 100

!

interface GigabitEthernet1/7

bridge-group 1

nameif inside_6

security-level 100

!

interface GigabitEthernet1/8

bridge-group 1

nameif inside_7

security-level 100

!

interface Management1/1

management-only

no nameif

no security-level

no ip address

!

interface BVI1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

ftp mode passive

same-security-traffic permit inter-interface

object network obj_any1

subnet 0.0.0.0 0.0.0.0

object network obj_any2

subnet 0.0.0.0 0.0.0.0

object network obj_any3

subnet 0.0.0.0 0.0.0.0

object network obj_any4

subnet 0.0.0.0 0.0.0.0

object network obj_any5

subnet 0.0.0.0 0.0.0.0

object network obj_any6

subnet 0.0.0.0 0.0.0.0

object network obj_any7

subnet 0.0.0.0 0.0.0.0

object network Presstek_LAN

subnet 192.168.1.0 255.255.255.0

description Presstek_LAN

object network 192.168.1.10

host 192.168.1.10

object network obj-192.168.1.20

host 192.168.1.20

object network outside-network

subnet 10.156.23.0 255.255.255.128

object network DOHMH

host 10.156.23.120

description DOHMH

object network 10.156.23.33

host 10.156.23.33

description Presstek PC1

object network 10.156.23.88

host 10.156.23.88

description Presstek PC3

object-group network Inside_Network_Group

description Inside_Network_Group

network-object object Presstek_LAN

network-object object 192.168.1.10

network-object object obj-192.168.1.20

object-group network Presstek_PCs

description Presstek PCs

network-object object 10.156.23.33

network-object object 10.156.23.88

object-group service DM_INLINE_TCP_2 tcp

port-object eq 445

port-object eq ftp

port-object eq netbios-ssn

access-list outside_access_in extended permit tcp object DOHMH object-group Presstek_PCs object-group DM_INLINE_TCP_2

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside_1 1500

mtu inside_2 1500

mtu inside_3 1500

mtu inside_4 1500

mtu inside_5 1500

mtu inside_6 1500

mtu inside_7 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside_1

icmp permit any inside_2

icmp permit any inside_3

icmp permit any inside_4

icmp permit any inside_5

icmp permit any inside_6

icmp permit any inside_7

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 16384

route outside 0.0.0.0 0.0.0.0 10.156.23.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside_1

http 192.168.1.0 255.255.255.0 inside_2

http 192.168.1.0 255.255.255.0 inside_3

http 192.168.1.0 255.255.255.0 inside_4

http 192.168.1.0 255.255.255.0 inside_5

http 192.168.1.0 255.255.255.0 inside_6

http 192.168.1.0 255.255.255.0 inside_7

http 0.0.0.0 0.0.0.0 inside_1

http 0.0.0.0 0.0.0.0 inside_2

http 0.0.0.0 0.0.0.0 inside_3

http 0.0.0.0 0.0.0.0 inside_4

http 0.0.0.0 0.0.0.0 inside_5

http 0.0.0.0 0.0.0.0 inside_6

http 0.0.0.0 0.0.0.0 inside_7

no snmp-server location

no snmp-server contact

service sw-reset-button

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh stricthostkeycheck

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

 

dhcpd auto_config outside

!

dhcpd address 192.168.1.5-192.168.1.254 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

dynamic-access-policy-record DfltAccessPolicy

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:23afc59a09e17b09057bdd97e9fac5e7

: end
