Sysadmin > CiscoFirewall > ASAConfigExample

Cisco ASA Example

from http://www.howtonetworking.com/cisco/asasample1.htm

ASA Version 7.0(5)
!
hostname ciscoasa
domain-name default.domain.invalid
names
name 192.168.0.114 Consults
name 192.168.0.112 IBM
name 192.168.0.117 Outer
name 192.168.102.0 DMZ
name 192.168.0.213 Color
name 192.168.0.95 USA8200
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.129.37 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.250 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.102.250 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list tac extended permit ip any host x.x.241.10
access-list tac extended permit ip host x.x.241.10 any
access-list out_to_inside extended permit tcp any host x.x.129.34 eq www
access-list out_to_inside extended permit tcp any host x.x.129.34 eq 8080
access-list out_to_inside extended permit tcp any host x.x.129.34 eq 8383
access-list out_to_inside extended permit tcp any host x.x.129.36 eq www
access-list out_to_inside extended permit tcp any host x.x.129.34 eq smtp
access-list out_to_inside extended permit tcp any host x.x.129.34 eq pop3
access-list out_to_inside extended permit tcp any host x.x.129.34 eq 3389
access-list out_to_inside extended permit tcp any host x.x.129.34 eq 13001
access-list out_to_inside extended permit tcp any host x.x.129.36 eq 13001
access-list out_to_inside extended permit tcp any host x.x.129.36 eq 3389
access-list out_to_inside extended permit tcp any host x.x.129.36 eq pop3
access-list out_to_inside extended permit tcp any host x.x.129.36 eq smtp
access-list out_to_inside extended permit tcp any host x.x.129.36 eq 8383
access-list out_to_inside extended permit icmp any any
access-list out_to_inside extended permit tcp any host x.x.129.35 eq www
access-list out_to_inside extended permit tcp any host x.x.129.38 eq www
access-list out_to_inside extended permit tcp any host x.x.129.35 eq 8383
access-list out_to_inside extended permit tcp any host x.x.129.35 eq smtp
access-list out_to_inside extended permit tcp any host x.x.129.35 eq pop3
access-list out_to_inside extended permit tcp any host 1x.x.129.36 eq pptp
access-list Inside_nat0_outbound extended permit ip any 192.168.101.0 255.255.255.0
remark incorrect line
remark access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 host x.x.53.106
Remark it should be
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 102 standard permit 192.168.0.0 255.255.0.0
remark incorrect line
remark
access-list Outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.255.0 host x.x.53.106
Remark it should be
access-list Outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.255.0 192.168.11.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool 101 192.168.101.1-192.168.101.254 mask 255.255.255.0
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) x.x.129.36 IBM netmask 255.255.255.255 dns
static (Inside,Outside) x.x.129.34 Color netmask 255.255.255.255 dns
static (Inside,Outside) x.x.129.35 Consult netmask 255.255.255.255 dns
static (Inside,Outside) x.x.129.38 Outer netmask 255.255.255.255 dns
static (Inside,Outside) 1x.x.129.36 USA8200 netmask 255.255.255.255
access-group out_to_inside in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.129.33 1
route Inside 192.168.1.0 255.255.255.0 192.168.0.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list chicagotech "chicagotech" http://chicagotech.dyndns.org
url-list chicagotech "199" http://x.x.43.199
url-list chicagotech "197" http://x.x.43.197
group-policy DfltGrpPolicy attributes
 banner none
 wins-server value 192.168.0.231
 dns-server value 192.168.0.231 4.2.2.1
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 5
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 102
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy Webvpn internal
group-policy Webvpn attributes
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing
username demo password GBlBq1FXkhsjWruD encrypted
username demo attributes
 vpn-group-policy DfltGrpPolicy
 webvpn
username admin password W77CNyqO17KPQbW3 encrypted privilege 15
username admin attributes
 vpn-group-policy DfltGrpPolicy
 webvpn
username chrisp password A9yadLd/TEEGgSex encrypted
username chrisp attributes
 vpn-group-policy DfltGrpPolicy
 webvpn
 vpn-group-policy DfltGrpPolicy
 webvpn
http server enable
http 192.168.0.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer x.x.53.106
crypto map Outside_map 20 set transform-set ESP-3DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 default-group-policy Webvpn
tunnel-group PPTPVPN type ipsec-ra
tunnel-group PPTPVPN general-attributes
 address-pool 101
tunnel-group PPTPVPN ipsec-attributes
 pre-shared-key *
tunnel-group x.x.53.106 type ipsec-l2l
tunnel-group x.x.53.106 ipsec-attributes
 pre-shared-key *
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 10
ssh x.x.208.81 255.255.255.255 Outside
ssh x.x.115.246 255.255.255.255 Outside
ssh x.x.89.0 255.255.255.0 Outside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
webvpn
 enable Outside
 nbns-server 192.168.0.231 master timeout 2 retry 2
: end