Security Basics mailing list archives
Re: Re: Pix to ASA migration
From: timpacalypse () yahoo com
Date: 3 Oct 2006 17:39:38 -0000
Here's my config:
ASA Version 7.0(5)
!
hostname XXX
domain-name XXX
enable password
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address A.B.C.D 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.50.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 25
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif vpnnet
security-level 50
ip address 10.10.40.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner exec *******AUTHORIZED USERS ONLY********
banner login *******WARNING - AUTHORIZED USE ONLY*******
ftp mode passive
clock timezone EST -5
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq smtp
access-list outside_access_in extended permit esp any host A.B.C.D
access-list outside_access_in extended permit ah any host A.B.C.D
access-list outside_access_in extended permit udp any eq 4500 host A.B.C.D eq 4500
access-list outside_access_in extended permit udp any host A.B.C.D eq isakmp
access-list outside_access_in extended permit udp any eq 10000 host A.B.C.D eq 10000
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
access-list outside_access_in extended deny ip any any
access-list dmz_access_in extended permit ip 10.10.10.0 255.255.255.0 10.10.60.0 255.255.255.0
access-list dmz_access_in extended permit ip host 10.10.10.30 any
access-list dmz_access_in extended permit tcp host 10.10.10.28 gt 1023 host 10.10.10.192 eq www
access-list dmz_access_in extended deny ip 10.10.10.0 255.255.255.0 host 10.10.10.192
access-list dmz_access_in extended deny udp host 10.10.10.29 gt 1023 host 10.10.10.6 eq domain
access-list dmz_access_in extended deny udp host 10.10.10.29 gt 1023 host 10.10.10.10 eq domain
access-list dmz_access_in extended deny udp host 10.10.10.29 gt 1023 host 10.10.10.12 eq domain
access-list dmz_access_in extended deny udp host 10.10.10.29 gt 1023 host 10.10.10.35 eq domain
access-list dmz_access_in extended permit udp host 10.10.10.29 gt 1023 any eq domain
access-list dmz_access_in extended permit tcp host 10.10.10.29 gt 1023 any eq domain
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.6 eq www
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.10 eq www
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.12 eq www
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.35 eq www
access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 any eq www
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.6 eq https
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.10 eq https
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.12 eq https
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.35 eq https
access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 any eq https
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.6 eq ftp
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.10 eq ftp
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.12 eq ftp
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.35 eq ftp
access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 any eq ftp
access-list dmz_access_in extended permit tcp host 10.10.10.29 host 10.10.10.6 eq smtp
access-list dmz_access_in extended permit tcp host 10.10.10.29 gt 1023 host 10.10.10.6 eq ldap
access-list dmz_access_in extended permit tcp host 10.10.10.29 gt 1023 host 10.10.10.6 eq imap4
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.10 eq smtp
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.12 eq smtp
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.35 eq smtp
access-list dmz_access_in extended permit tcp host 10.10.10.29 gt 1023 any eq smtp
access-list dmz_access_in extended permit tcp host 10.10.10.28 host 10.10.10.10 eq 1433
access-list dmz_access_in extended permit ip host 10.10.10.28 host 10.10.10.10
access-list dmz_access_in extended permit tcp host 10.10.10.36 gt 1023 host 10.10.10.10 eq 1433
access-list dmz_access_in extended permit tcp host 10.10.10.36 gt 1023 host 10.1
access-list dmz_access_in extended permit tcp host 10.10.10.36 gt 1023 host 10.1
access-list dmz_access_in extended permit tcp host 10.10.10.28 host 10.10.10.10 eq 5001
access-list dmz_access_in extended permit tcp host 10.10.10.28 host 10.10.10.10 eq 5015
access-list dmz_access_in extended deny ip any any
access-list vpnnet_access_in extended deny udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.6 eq domain
access-list vpnnet_access_in extended deny udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.10 eq domain
access-list vpnnet_access_in extended deny udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq domain
access-list vpnnet_access_in extended deny udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.35 eq domain
access-list vpnnet_access_in extended permit udp host 10.10.40.34 gt 1023 any eq domain
access-list vpnnet_access_in extended permit tcp host 10.10.40.34 gt 1023 any eq domain
access-list vpnnet_access_in extended permit udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.10.29 eq domain
access-list vpnnet_access_in extended permit tcp host 10.10.40.30 gt 1023 host 10.10.40.6 eq www
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.6 eq www
access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 any eq www
access-list vpnnet_access_in extended permit tcp host 192.168.191.10 gt 1023 host 10.10.10.28 eq www
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.6 eq https
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.10 eq https
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq https
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.35 eq https
access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 any eq https
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.6 eq ftp
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.10 eq ftp
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq ftp
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.35 eq ftp
access-list vpnnet_access_in extended permit tcp host 10.10.40.34 gt 1023 any eq ftp
access-list vpnnet_access_in extended permit tcp object-group CITI_Admin_VPN neq 1023 any eq ftp
access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.10.28 eq 3389
access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.10.28
access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.10.29 eq 3389
access-list vpnnet_access_in extended permit tcp object-group CITI_Admin_VPN gt 1023 host 10.10.10.29 eq 3389
access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.10.36 eq 3389
access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.10.36
access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.40.10 eq 3389
access-list vpnnet_access_in extended deny tcp object-group CITI_User_VPN gt 1023 host 10.10.40.10 eq 3389
access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.40.10
access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.40.6 eq 3389
access-list vpnnet_access_in extended deny tcp object-group CITI_User_VPN gt 1023 host 10.10.40.6 eq 3389
access-list vpnnet_access_in extended permit tcp object-group CITI_Admin_VPN gt 1023 host 10.10.40.6 eq 3389
access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.40.12
access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq 135
access-list vpnnet_access_in extended permit udp 10.10.40.0 255.255.255.0 eq netbios-ns host 10.10.40.12 eq netbios-ns
access-list vpnnet_access_in extended permit udp 10.10.40.0 255.255.255.0 eq netbios-dgm host 10.10.40.12 eq netbios-dgm
access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq netbios-ssn
access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq 445
access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq ldap
access-list vpnnet_access_in extended permit udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq 389
access-list vpnnet_access_in extended permit udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq 88
access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq 88
access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.40.6
access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.40.12
access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.40.35
access-list vpnnet_access_in extended deny ip any any
access-list inside_access_in extended permit udp object-group Inside_Servers gt 1023 host 10.10.10.29 eq domain
access-list inside_access_in extended permit tcp object-group Inside_Servers gt 1023 host 10.10.10.29 eq domain
access-list inside_access_in extended permit udp object-group Inside_Servers gt 1023 any eq domain
access-list inside_access_in extended permit tcp host 10.10.50.6 gt 1023 host 10.10.10.29 eq smtp
access-list inside_access_in extended permit tcp 10.10.50.0 255.255.255.0 gt 1023 any eq www
access-list inside_access_in extended permit tcp 10.10.50.0 255.255.255.0 gt 1023 any eq https
access-list inside_access_in extended permit tcp 10.10.50.0 255.255.255.0 gt 1023 any eq ftp
access-list inside_access_in extended permit tcp host 10.10.50.10 host 10.10.10.28 eq 1433
access-list inside_access_in extended permit ip host 10.10.50.10 host 10.10.10.28
access-list inside_access_in extended permit tcp host 10.10.50.35 host 10.10.10.36 eq 1433
access-list inside_access_in extended permit tcp host 10.10.50.10 host 10.10.10.28 eq 5001
access-list inside_access_in extended permit tcp host 10.10.50.10 host 10.10.10.28 eq 5015
access-list inside_access_in extended permit ip object-group Inside_Admin host 10.10.10.28
access-list inside_access_in extended permit tcp object-group Inside_Admin gt 1023 host 10.10.10.29 eq 3389
access-list inside_access_in extended permit ip object-group Inside_Admin host 10.10.10.36
access-list inside_access_in extended permit ip object-group Inside_Admin host 10.10.40.34
access-list inside_access_in extended permit ip object-group Inside_Admin host 10.10.10.50
access-list inside_access_in extended permit ip object-group Inside_Developer host 10.10.40.34
access-list inside_access_in extended permit ip host 10.10.50.12 object-group CITI_Admin_VPN
access-list inside_access_in extended permit ip 10.10.50.0 255.255.255.0 152.119.191.0 255.255.255.0
access-list inside_access_in extended permit ip 10.10.50.0 255.255.255.0 10.10.60.0 255.255.255.0
access-list inside_access_in extended deny ip any any
access-list inside_outbound_nat0_acl extended permit ip 10.10.50.0 255.255.255.0 10.10.60.0 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip 10.10.10.0 255.255.255.0 10.10.60.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 10.10.50.0 255.255.255.0 10.10.60.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 10.10.60.0 255.255.255.0
access-list IPS extended permit ip any any
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu vpnnet 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip verify reverse-path interface vpnnet
no failover
failover polltime unit 15 holdtime 45
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (outside) 50 A.B.C.D netmask 255.255.255.224
global (outside) 40 A.B.C.D netmask 255.255.255.224
global (outside) 10 A.B.C.D netmask 255.255.255.224
global (dmz) 50 10.10.10.41
global (dmz) 40 10.10.10.42
global (dmz) 192 10.10.10.46
global (dmz) 152 10.10.10.47
global (dmz) 60 10.10.10.48
global (vpnnet) 50 10.10.40.41
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 50 10.10.50.0 255.255.255.0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 10 10.10.10.0 255.255.255.0
nat (vpnnet) 40 10.10.40.0 255.255.255.0
nat (vpnnet) 152 152.119.191.0 255.255.255.0
nat (vpnnet) 192 192.168.100.0 255.255.255.0
static (inside,outside) A.B.C.D 10.10.50.17 netmask 255.255.255.255
static (inside,dmz) 10.10.10.6 10.10.50.6 netmask 255.255.255.255
static (inside,dmz) 10.10.10.10 10.10.50.10 netmask 255.255.255.255
static (inside,dmz) 10.10.10.12 10.10.50.12 netmask 255.255.255.255
static (inside,dmz) 10.10.10.35 10.10.50.35 netmask 255.255.255.255
static (inside,vpnnet) 10.10.40.6 10.10.50.6 netmask 255.255.255.255
static (inside,vpnnet) 10.10.40.10 10.10.50.10 netmask 255.255.255.255
static (inside,vpnnet) 10.10.40.12 10.10.50.12 netmask 255.255.255.255
static (inside,vpnnet) 10.10.40.35 10.10.50.35 netmask 255.255.255.255
static (dmz,outside) A.B.C.D 10.10.10.28 netmask 255.255.255.255
static (dmz,outside) A.B.C.D 10.10.10.29 netmask 255.255.255.255
static (dmz,outside) A.B.C.D 10.10.10.30 netmask 255.255.255.255
static (dmz,outside) A.B.C.D 10.10.10.36 netmask 255.255.255.255
static (dmz,outside) A.B.C.D 10.10.10.50 netmask 255.255.255.255
static (vpnnet,outside) A.B.C.D 10.10.40.34 netmask 255.255.255.255
static (inside,outside) A.B.C.D 10.10.50.35 netmask 255.255.255.255
static (inside,dmz) 10.10.10.27 10.10.50.27 netmask 255.255.255.255
static (vpnnet,dmz) 10.10.10.192 192.168.191.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group vpnnet_access_in in interface vpnnet
route outside 0.0.0.0 0.0.0.0 A.B.C.D 1
route vpnnet 192.168.191.0 255.255.255.0 10.10.40.30 1
route vpnnet 152.119.191.0 255.255.255.0 10.10.40.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 60
console timeout 5
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map IPS
match access-list IPS
class-map inspection_default
match default-inspection-traffic
!
!
policy-map IPS
class IPS
ips inline fail-open
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect sqlnet
inspect esmtp
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class IPS
ips inline fail-open
service-policy global_policy global
tftp-server inside 10.10.50.154
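The access lists above follow the PIX pattern of host-specific deny entries placed ahead of a broader permit for the same network and port, and the whole list ends in an explicit deny ip any any. That pattern only works while the order is preserved, which is exactly what a hand migration to an ASA can disturb. The script below is an added example, not part of the original post or of any Cisco tool: it parses the ACE forms that appear in this config (any, host, network/mask, object-group, with eq/gt/lt/neq/range port specs), reports exact duplicate entries and entries that are fully shadowed by an earlier entry in the same list, and flags the default SNMP community string. The sample config it runs on is constructed for the example (modelled on the dmz_access_in rules, with two deliberately mis-ordered lines added); object-group membership is not expanded, since the groups are not defined on the page.

```python
"""Audit ASA/PIX-style access lists for duplicate and shadowed entries.

Added example, not from the original post. It is a simplified parser that
understands the ACE forms seen in the posted config and nothing more.
"""
import ipaddress
from collections import defaultdict

# Port operators and how many operands each takes.
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}


def _addr(tokens, i):
    """Parse one address term starting at tokens[i]; return (term, next index)."""
    t = tokens[i]
    if t == "any":
        return ("any", None), i + 1
    if t == "host":
        return ("net", ipaddress.ip_network(tokens[i + 1])), i + 2
    if t == "object-group":
        return ("group", tokens[i + 1]), i + 2
    # Classic "NETWORK MASK" form, e.g. 10.10.10.0 255.255.255.0
    return ("net", ipaddress.ip_network(f"{t}/{tokens[i + 1]}")), i + 2


def _port(tokens, i):
    """Parse an optional port spec at tokens[i]; None means 'all ports'."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        return tuple(tokens[i:i + 1 + n]), i + 1 + n
    return None, i


def parse_ace(line):
    """Return a dict for an 'access-list NAME extended ...' line, else None."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "extended":
        return None
    src, i = _addr(tok, 5)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return {"name": tok[1], "action": tok[3], "proto": tok[4],
            "src": src, "sport": sport, "dst": dst, "dport": dport, "text": line}


def _covers_addr(a, b):
    """True if address term a matches every address that term b matches."""
    if a[0] == "any":
        return True
    if a[0] == "group" or b[0] == "group" or b[0] == "any":
        return a == b          # groups are opaque here: only identical names match
    return b[1].subnet_of(a[1])


def _covers_port(a, b):
    return a is None or a == b


def covers(a, b):
    """True if every packet matched by ACE b is already matched by earlier ACE a."""
    return ((a["proto"] == "ip" or a["proto"] == b["proto"])
            and _covers_addr(a["src"], b["src"]) and _covers_addr(a["dst"], b["dst"])
            and _covers_port(a["sport"], b["sport"])
            and _covers_port(a["dport"], b["dport"]))


def audit_acls(config_text):
    """Return (duplicates, shadowed) as lists of ACE lines, in config order."""
    by_name = defaultdict(list)
    for line in config_text.splitlines():
        ace = parse_ace(line.strip())
        if ace:
            by_name[ace["name"]].append(ace)
    duplicates, shadowed = [], []
    for aces in by_name.values():
        seen = set()
        for idx, b in enumerate(aces):
            if b["text"] in seen:
                duplicates.append(b["text"])
                continue
            seen.add(b["text"])
            # A later entry that an earlier one fully covers can never be hit;
            # for a deny this silently opens what the author meant to block.
            if any(covers(a, b) for a in aces[:idx]):
                shadowed.append(b["text"])
    return duplicates, shadowed


def find_weak_settings(config_text):
    """Flag global settings a reviewer would question (deliberately short list)."""
    flags = []
    for line in config_text.splitlines():
        s = line.strip()
        if s in ("snmp-server community public", "snmp-server community private"):
            flags.append(f"{s}: well-known SNMP community string")
    return flags


# Constructed sample: the first two dmz lines keep the posted deny-then-permit
# order; the third deny comes after the broad permit and so is shadowed.
SAMPLE = """\
access-list dmz_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.6 eq www
access-list dmz_in extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 any eq www
access-list dmz_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.10 eq www
access-list dmz_in extended permit ip host 10.10.10.30 any
access-list dmz_in extended permit tcp host 10.10.10.30 gt 1023 any eq smtp
access-list dmz_in extended permit tcp host 10.10.10.28 host 10.10.10.10 eq 1433
access-list dmz_in extended permit tcp host 10.10.10.28 host 10.10.10.10 eq 1433
access-list dmz_in extended deny ip any any
snmp-server community public
"""

if __name__ == "__main__":
    dups, shad = audit_acls(SAMPLE)
    print("duplicate:", *dups, sep="\n  ")
    print("shadowed:", *shad, sep="\n  ")
    print("weak:", *find_weak_settings(SAMPLE), sep="\n  ")
```

Run it against a saved `show running-config` after the migration and before the cutover; a shadowed deny is the finding worth acting on, because the traffic the author intended to block is being permitted by the earlier, broader line.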
