- Posts: 2
- Thank you received: 0
Cisco ASA 5505
15 years 10 months ago #28176
by Jmerc
Cisco ASA 5505 was created by Jmerc
Hey all,
I have my own IT consulting company and I take care of small businesses. I just acquired a new office, ran through it real quick and didn't notice the Cisco device. Anyway after doing some inventory and checking the security on their servers, I was going to open up a port on their Linksys router, so i thought, come to find out they have a ASA 5505.
Lets just say im not real familiar with the Cisco IOS however over these past few days, I've learned a few things. I would like to post the config and see what you guys think. Maybe you can give me some pointers on some security holes and what not, as I was not the person to configure it. I did issue some commands to open up RDC and tried different ways via ASDM, still no luck. Let me know if I can post the config and have you all check it out.
Thanks,
James
I have my own IT consulting company and I take care of small businesses. I just acquired a new office, ran through it real quick and didn't notice the Cisco device. Anyway after doing some inventory and checking the security on their servers, I was going to open up a port on their Linksys router, so i thought, come to find out they have a ASA 5505.
Lets just say im not real familiar with the Cisco IOS however over these past few days, I've learned a few things. I would like to post the config and see what you guys think. Maybe you can give me some pointers on some security holes and what not, as I was not the person to configure it. I did issue some commands to open up RDC and tried different ways via ASDM, still no luck. Let me know if I can post the config and have you all check it out.
Thanks,
James
15 years 10 months ago #28179
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: Cisco ASA 5505
Sure, shoot us with it. A brief explanation of what you want to do with it can help. You can mask out any passwords or private info.
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
15 years 10 months ago #28182
by Jmerc
Replied by Jmerc on topic Re: Cisco ASA 5505
My goal is to have SMTP, RDC, HTTP, HTTPS, and VPN traffic to flow through. Everything but RDC was working fine, so I looked up some stuff and issued three commands which screwed everything up. SMTP packets are no longer coming in and everything is screwed up. Any help would be great. Also, I started using the ASDM, and after entering in those commands via the CLI the ACLs vanished.
These are the three commands I entered in...
access-list outside_access_in extended permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
Thank You,
sh run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name xxxx.local
enable password encrypted
passwd encrypted
no names
name 10.10.10.2 CLJPDC1
name 10.10.10.3 CLJPDC2
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.0.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.0.0.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxx.local
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list 101 extended permit tcp any interface outside eq pcanywhere-data
access-list 101 extended permit object-group TCPUDP any interface outside eq dom
ain
access-list 101 extended permit tcp any interface outside eq https
access-list 101 extended permit tcp any interface outside eq www
access-list 101 extended permit tcp any interface outside eq smtp
access-list 101 extended permit udp any interface outside eq pcanywhere-status
access-list 101 extended permit icmp any any inactive
access-list 101 extended permit udp host 10.10.10.3 host x.x.x.x eq pcany
where-status
access-list 101 extended permit tcp host 10.10.10.3 host x.x.x.x eq pcany
where-data
access-list 101 extended permit tcp any interface outside eq 3389
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.100.100.0 255.2
55.255.0
access-list split_tun standard permit 10.10.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit object-group TCPUDP any interface
outside eq domain
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq pcany
where-data
access-list outside_access_in extended permit udp any interface outside eq pcany
where-status
access-list outside_access_in extended permit icmp any any inactive
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN 10.100.100.1-10.100.100.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.10.10.2 smtp netmask 255.255.255.2
55
static (inside,outside) tcp interface domain 10.10.10.2 domain netmask 255.255.2
55.255
static (inside,outside) tcp interface www 10.10.10.2 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.10.10.2 https netmask 255.255.255
.255
static (inside,outside) tcp interface pcanywhere-data 10.10.10.2 pcanywhere-data
netmask 255.255.255.255
static (inside,outside) udp interface pcanywhere-status 10.10.10.2 pcanywhere-st
atus netmask 255.255.255.255
static (inside,outside) tcp 71.252.124.180 pcanywhere-data 10.10.10.3 pcanywhere
-data netmask 255.255.255.255
static (inside,outside) udp 71.252.124.180 pcanywhere-status 10.10.10.3 pcanywhe
re-status netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.10.10.2 3389 netmask 255.255.255.2
55
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.10.10.2
dhcpd auto_config outside
!
dhcpd address 10.10.10.100-10.10.10.150 inside
dhcpd enable inside
!
group-policy xxxxx internal
group-policy xxxxx attributes
dns-server value 10.10.10.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tun
username xxxx password 274Y4GRAbNElaCoV encrypted
username xxxx password ffIRPGpDSOJh9YLq encrypted
tunnel-group xxxxx type ipsec-ra
tunnel-group xxxxx general-attributes
address-pool VPN
default-group-policy xxxxx
tunnel-group xxxxx ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0f852441a0508b156d9df40e6c87060a
: end
These are the three commands I entered in...
access-list outside_access_in extended permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
Thank You,
sh run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name xxxx.local
enable password encrypted
passwd encrypted
no names
name 10.10.10.2 CLJPDC1
name 10.10.10.3 CLJPDC2
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.0.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.0.0.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxx.local
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list 101 extended permit tcp any interface outside eq pcanywhere-data
access-list 101 extended permit object-group TCPUDP any interface outside eq dom
ain
access-list 101 extended permit tcp any interface outside eq https
access-list 101 extended permit tcp any interface outside eq www
access-list 101 extended permit tcp any interface outside eq smtp
access-list 101 extended permit udp any interface outside eq pcanywhere-status
access-list 101 extended permit icmp any any inactive
access-list 101 extended permit udp host 10.10.10.3 host x.x.x.x eq pcany
where-status
access-list 101 extended permit tcp host 10.10.10.3 host x.x.x.x eq pcany
where-data
access-list 101 extended permit tcp any interface outside eq 3389
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.100.100.0 255.2
55.255.0
access-list split_tun standard permit 10.10.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit object-group TCPUDP any interface
outside eq domain
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq pcany
where-data
access-list outside_access_in extended permit udp any interface outside eq pcany
where-status
access-list outside_access_in extended permit icmp any any inactive
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN 10.100.100.1-10.100.100.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.10.10.2 smtp netmask 255.255.255.2
55
static (inside,outside) tcp interface domain 10.10.10.2 domain netmask 255.255.2
55.255
static (inside,outside) tcp interface www 10.10.10.2 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.10.10.2 https netmask 255.255.255
.255
static (inside,outside) tcp interface pcanywhere-data 10.10.10.2 pcanywhere-data
netmask 255.255.255.255
static (inside,outside) udp interface pcanywhere-status 10.10.10.2 pcanywhere-st
atus netmask 255.255.255.255
static (inside,outside) tcp 71.252.124.180 pcanywhere-data 10.10.10.3 pcanywhere
-data netmask 255.255.255.255
static (inside,outside) udp 71.252.124.180 pcanywhere-status 10.10.10.3 pcanywhe
re-status netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.10.10.2 3389 netmask 255.255.255.2
55
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.10.10.2
dhcpd auto_config outside
!
dhcpd address 10.10.10.100-10.10.10.150 inside
dhcpd enable inside
!
group-policy xxxxx internal
group-policy xxxxx attributes
dns-server value 10.10.10.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tun
username xxxx password 274Y4GRAbNElaCoV encrypted
username xxxx password ffIRPGpDSOJh9YLq encrypted
tunnel-group xxxxx type ipsec-ra
tunnel-group xxxxx general-attributes
address-pool VPN
default-group-policy xxxxx
tunnel-group xxxxx ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0f852441a0508b156d9df40e6c87060a
: end
Time to create page: 0.121 seconds