Cisco ASA Example
from
http://www.howtonetworking.com/cisco/asasample1.htm
ASA Version 7.0(5)
!
hostname ciscoasa
domain-name default.domain.invalid
names
name 192.168.0.114 Consults
name 192.168.0.112 IBM
name 192.168.0.117 Outer
name 192.168.102.0 DMZ
name 192.168.0.213 Color
name 192.168.0.95 USA8200
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address x.x.129.37 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.0.250 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.102.250 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list tac extended permit ip any host x.x.241.10
access-list tac extended permit ip host x.x.241.10 any
access-list out_to_inside extended permit tcp any host x.x.129.34 eq www
access-list out_to_inside extended permit tcp any host x.x.129.34 eq 8080
access-list out_to_inside extended permit tcp any host x.x.129.34 eq 8383
access-list out_to_inside extended permit tcp any host x.x.129.36 eq www
access-list out_to_inside extended permit tcp any host x.x.129.34 eq smtp
access-list out_to_inside extended permit tcp any host x.x.129.34 eq pop3
access-list out_to_inside extended permit tcp any host x.x.129.34 eq 3389
access-list out_to_inside extended permit tcp any host x.x.129.34 eq 13001
access-list out_to_inside extended permit tcp any host x.x.129.36 eq 13001
access-list out_to_inside extended permit tcp any host x.x.129.36 eq 3389
access-list out_to_inside extended permit tcp any host x.x.129.36 eq pop3
access-list out_to_inside extended permit tcp any host x.x.129.36 eq smtp
access-list out_to_inside extended permit tcp any host x.x.129.36 eq 8383
access-list out_to_inside extended permit icmp any any
access-list out_to_inside extended permit tcp any host x.x.129.35 eq www
access-list out_to_inside extended permit tcp any host x.x.129.38 eq www
access-list out_to_inside extended permit tcp any host x.x.129.35 eq 8383
access-list out_to_inside extended permit tcp any host x.x.129.35 eq smtp
access-list out_to_inside extended permit tcp any host x.x.129.35 eq pop3
access-list out_to_inside extended permit tcp any host 1x.x.129.36 eq pptp
access-list Inside_nat0_outbound extended permit ip any 192.168.101.0 255.255.255.0
remark incorrect line
remark access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 host x.x.53.106
Remark it should be
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 102 standard permit 192.168.0.0 255.255.0.0
remark incorrect line
remark
access-list Outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.255.0 host x.x.53.106
Remark it should be
access-list Outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.255.0 192.168.11.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool 101 192.168.101.1-192.168.101.254 mask 255.255.255.0
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) x.x.129.36 IBM netmask 255.255.255.255 dns
static (Inside,Outside) x.x.129.34 Color netmask 255.255.255.255 dns
static (Inside,Outside) x.x.129.35 Consult netmask 255.255.255.255 dns
static (Inside,Outside) x.x.129.38 Outer netmask 255.255.255.255 dns
static (Inside,Outside) 1x.x.129.36 USA8200 netmask 255.255.255.255
access-group out_to_inside in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.129.33 1
route Inside 192.168.1.0 255.255.255.0 192.168.0.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list chicagotech "chicagotech" http://chicagotech.dyndns.org
url-list chicagotech "199" http://x.x.43.199
url-list chicagotech "197" http://x.x.43.197
group-policy DfltGrpPolicy attributes
banner none
wins-server value 192.168.0.231
dns-server value 192.168.0.231 4.2.2.1
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 5
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 102
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
group-policy Webvpn internal
group-policy Webvpn attributes
vpn-tunnel-protocol IPSec webvpn
webvpn
functions url-entry file-access file-entry file-browsing
username demo password GBlBq1FXkhsjWruD encrypted
username demo attributes
vpn-group-policy DfltGrpPolicy
webvpn
username admin password W77CNyqO17KPQbW3 encrypted privilege 15
username admin attributes
vpn-group-policy DfltGrpPolicy
webvpn
username chrisp password A9yadLd/TEEGgSex encrypted
username chrisp attributes
vpn-group-policy DfltGrpPolicy
webvpn
vpn-group-policy DfltGrpPolicy
webvpn
http server enable
http 192.168.0.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer x.x.53.106
crypto map Outside_map 20 set transform-set ESP-3DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
default-group-policy Webvpn
tunnel-group PPTPVPN type ipsec-ra
tunnel-group PPTPVPN general-attributes
address-pool 101
tunnel-group PPTPVPN ipsec-attributes
pre-shared-key *
tunnel-group x.x.53.106 type ipsec-l2l
tunnel-group x.x.53.106 ipsec-attributes
pre-shared-key *
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 10
ssh x.x.208.81 255.255.255.255 Outside
ssh x.x.115.246 255.255.255.255 Outside
ssh x.x.89.0 255.255.255.0 Outside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
webvpn
enable Outside
nbns-server 192.168.0.231 master timeout 2 retry 2
: end