Security Basics mailing list archives
RE: Re: Pix to ASA migration
From: "Mohamad Mneimneh" <Mohamad.Mneimneh () dargroup com>
Date: Thu, 5 Oct 2006 08:28:02 +0300
A note on the side: the large number of ACL entries justifies using turbo ACLs to minimize the lookup time (enabled with "access-list compiled" in versions < 7.x).

-Mohamad.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of timpacalypse () yahoo com
Sent: Tuesday, October 03, 2006 20:40
To: security-basics () securityfocus com
Subject: Re: Re: Pix to ASA migration

Here's my config:

ASA Version 7.0(5)
!
hostname XXX
domain-name XXX
enable password
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address A.B.C.D 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.50.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 25
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif vpnnet
 security-level 50
 ip address 10.10.40.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
banner exec *******AUTHORIZED USERS ONLY********
banner login *******WARNING - AUTHORIZED USE ONLY*******
ftp mode passive
clock timezone EST -5
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq smtp
access-list outside_access_in extended permit esp any host A.B.C.D
access-list outside_access_in extended permit ah any host A.B.C.D
access-list outside_access_in extended permit udp any eq 4500 host A.B.C.D eq 4500
access-list outside_access_in extended permit udp any host A.B.C.D eq isakmp
access-list outside_access_in extended permit udp any eq 10000 host A.B.C.D eq 10000
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
access-list outside_access_in extended deny ip any any
access-list dmz_access_in extended permit ip 10.10.10.0 255.255.255.0 10.10.60.0 255.255.255.0
access-list dmz_access_in extended permit ip host 10.10.10.30 any
access-list dmz_access_in extended permit tcp host 10.10.10.28 gt 1023 host 10.10.10.192 eq www
access-list dmz_access_in extended deny ip 10.10.10.0 255.255.255.0 host 10.10.10.192
access-list dmz_access_in extended deny udp host 10.10.10.29 gt 1023 host 10.10.10.6 eq domain
access-list dmz_access_in extended deny udp host 10.10.10.29 gt 1023 host 10.10.10.10 eq domain
access-list dmz_access_in extended deny udp host 10.10.10.29 gt 1023 host 10.10.10.12 eq domain
access-list dmz_access_in extended deny udp host 10.10.10.29 gt 1023 host 10.10.10.35 eq domain
access-list dmz_access_in extended permit udp host 10.10.10.29 gt 1023 any eq domain
access-list dmz_access_in extended permit tcp host 10.10.10.29 gt 1023 any eq domain
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.6 eq www
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.10 eq www
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.12 eq www
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.35 eq www
access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 any eq www
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.6 eq https
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.10 eq https
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.12 eq https
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.35 eq https
access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 any eq https
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.6 eq ftp
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.10 eq ftp
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.12 eq ftp
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.35 eq ftp
access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 any eq ftp
access-list dmz_access_in extended permit tcp host 10.10.10.29 host 10.10.10.6 eq smtp
access-list dmz_access_in extended permit tcp host 10.10.10.29 gt 1023 host 10.10.10.6 eq ldap
access-list dmz_access_in extended permit tcp host 10.10.10.29 gt 1023 host 10.10.10.6 eq imap4
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.10 eq smtp
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.12 eq smtp
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.35 eq smtp
access-list dmz_access_in extended permit tcp host 10.10.10.29 gt 1023 any eq smtp
access-list dmz_access_in extended permit tcp host 10.10.10.28 host 10.10.10.10 eq 1433
access-list dmz_access_in extended permit ip host 10.10.10.28 host 10.10.10.10
access-list dmz_access_in extended permit tcp host 10.10.10.36 gt 1023 host 10.10.10.10 eq 1433
access-list dmz_access_in extended permit tcp host 10.10.10.36 gt 1023 host 10.1
access-list dmz_access_in extended permit tcp host 10.10.10.36 gt 1023 host 10.1
access-list dmz_access_in extended permit tcp host 10.10.10.28 host 10.10.10.10 eq 5001
access-list dmz_access_in extended permit tcp host 10.10.10.28 host 10.10.10.10 eq 5015
access-list dmz_access_in extended deny ip any any
access-list vpnnet_access_in extended deny udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.6 eq domain
access-list vpnnet_access_in extended deny udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.10 eq domain
access-list vpnnet_access_in extended deny udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq domain
access-list vpnnet_access_in extended deny udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.35 eq domain
access-list vpnnet_access_in extended permit udp host 10.10.40.34 gt 1023 any eq domain
access-list vpnnet_access_in extended permit tcp host 10.10.40.34 gt 1023 any eq domain
access-list vpnnet_access_in extended permit udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.10.29 eq domain
access-list vpnnet_access_in extended permit tcp host 10.10.40.30 gt 1023 host 10.10.40.6 eq www
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.6 eq www
access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 any eq www
access-list vpnnet_access_in extended permit tcp host 192.168.191.10 gt 1023 host 10.10.10.28 eq www
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.6 eq https
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.10 eq https
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq https
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.35 eq https
access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 any eq https
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.6 eq ftp
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.10 eq ftp
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq ftp
access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.35 eq ftp
access-list vpnnet_access_in extended permit tcp host 10.10.40.34 gt 1023 any eq ftp
access-list vpnnet_access_in extended permit tcp object-group CITI_Admin_VPN neq 1023 any eq ftp
access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.10.28 eq 3389
access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.10.28
access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.10.29 eq 3389
access-list vpnnet_access_in extended permit tcp object-group CITI_Admin_VPN gt 1023 host 10.10.10.29 eq 3389
access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.10.36 eq 3389
access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.10.36
access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.40.10 eq 3389
access-list vpnnet_access_in extended deny tcp object-group CITI_User_VPN gt 1023 host 10.10.40.10 eq 3389
access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.40.10
access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.40.6 eq 3389
access-list vpnnet_access_in extended deny tcp object-group CITI_User_VPN gt 1023 host 10.10.40.6 eq 3389
access-list vpnnet_access_in extended permit tcp object-group CITI_Admin_VPN gt 1023 host 10.10.40.6 eq 3389
access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.40.12
access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq 135
access-list vpnnet_access_in extended permit udp 10.10.40.0 255.255.255.0 eq netbios-ns host 10.10.40.12 eq netbios-ns
access-list vpnnet_access_in extended permit udp 10.10.40.0 255.255.255.0 eq netbios-dgm host 10.10.40.12 eq netbios-dgm
access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq netbios-ssn
access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq 445
access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq ldap
access-list vpnnet_access_in extended permit udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq 389
access-list vpnnet_access_in extended permit udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq 88
access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq 88
access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.40.6
access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.40.12
access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.40.35
access-list vpnnet_access_in extended deny ip any any
access-list inside_access_in extended permit udp object-group Inside_Servers gt 1023 host 10.10.10.29 eq domain
access-list inside_access_in extended permit tcp object-group Inside_Servers gt 1023 host 10.10.10.29 eq domain
access-list inside_access_in extended permit udp object-group Inside_Servers gt 1023 any eq domain
access-list inside_access_in extended permit tcp host 10.10.50.6 gt 1023 host 10.10.10.29 eq smtp
access-list inside_access_in extended permit tcp 10.10.50.0 255.255.255.0 gt 1023 any eq www
access-list inside_access_in extended permit tcp 10.10.50.0 255.255.255.0 gt 1023 any eq https
access-list inside_access_in extended permit tcp 10.10.50.0 255.255.255.0 gt 1023 any eq ftp
access-list inside_access_in extended permit tcp host 10.10.50.10 host 10.10.10.28 eq 1433
access-list inside_access_in extended permit ip host 10.10.50.10 host 10.10.10.28
access-list inside_access_in extended permit tcp host 10.10.50.35 host 10.10.10.36 eq 1433
access-list inside_access_in extended permit tcp host 10.10.50.10 host 10.10.10.28 eq 5001
access-list inside_access_in extended permit tcp host 10.10.50.10 host 10.10.10.28 eq 5015
access-list inside_access_in extended permit ip object-group Inside_Admin host 10.10.10.28
access-list inside_access_in extended permit tcp object-group Inside_Admin gt 1023 host 10.10.10.29 eq 3389
access-list inside_access_in extended permit ip object-group Inside_Admin host 10.10.10.36
access-list inside_access_in extended permit ip object-group Inside_Admin host 10.10.40.34
access-list inside_access_in extended permit ip object-group Inside_Admin host 10.10.10.50
access-list inside_access_in extended permit ip object-group Inside_Developer host 10.10.40.34
access-list inside_access_in extended permit ip host 10.10.50.12 object-group CITI_Admin_VPN
access-list inside_access_in extended permit ip 10.10.50.0 255.255.255.0 152.119.191.0 255.255.255.0
access-list inside_access_in extended permit ip 10.10.50.0 255.255.255.0 10.10.60.0 255.255.255.0
access-list inside_access_in extended deny ip any any
access-list inside_outbound_nat0_acl extended permit ip 10.10.50.0 255.255.255.0 10.10.60.0 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip 10.10.10.0 255.255.255.0 10.10.60.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 10.10.50.0 255.255.255.0 10.10.60.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 10.10.60.0 255.255.255.0
access-list IPS extended permit ip any any
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu vpnnet 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip verify reverse-path interface vpnnet
no failover
failover polltime unit 15 holdtime 45
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (outside) 50 A.B.C.D netmask 255.255.255.224
global (outside) 40 A.B.C.D netmask 255.255.255.224
global (outside) 10 A.B.C.D netmask 255.255.255.224
global (dmz) 50 10.10.10.41
global (dmz) 40 10.10.10.42
global (dmz) 192 10.10.10.46
global (dmz) 152 10.10.10.47
global (dmz) 60 10.10.10.48
global (vpnnet) 50 10.10.40.41
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 50 10.10.50.0 255.255.255.0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 10 10.10.10.0 255.255.255.0
nat (vpnnet) 40 10.10.40.0 255.255.255.0
nat (vpnnet) 152 152.119.191.0 255.255.255.0
nat (vpnnet) 192 192.168.100.0 255.255.255.0
static (inside,outside) A.B.C.D 10.10.50.17 netmask 255.255.255.255
static (inside,dmz) 10.10.10.6 10.10.50.6 netmask 255.255.255.255
static (inside,dmz) 10.10.10.10 10.10.50.10 netmask 255.255.255.255
static (inside,dmz) 10.10.10.12 10.10.50.12 netmask 255.255.255.255
static (inside,dmz) 10.10.10.35 10.10.50.35 netmask 255.255.255.255
static (inside,vpnnet) 10.10.40.6 10.10.50.6 netmask 255.255.255.255
static (inside,vpnnet) 10.10.40.10 10.10.50.10 netmask 255.255.255.255
static (inside,vpnnet) 10.10.40.12 10.10.50.12 netmask 255.255.255.255
static (inside,vpnnet) 10.10.40.35 10.10.50.35 netmask 255.255.255.255
static (dmz,outside) A.B.C.D 10.10.10.28 netmask 255.255.255.255
static (dmz,outside) A.B.C.D 10.10.10.29 netmask 255.255.255.255
static (dmz,outside) A.B.C.D 10.10.10.30 netmask 255.255.255.255
static (dmz,outside) A.B.C.D 10.10.10.36 netmask 255.255.255.255
static (dmz,outside) A.B.C.D 10.10.10.50 netmask 255.255.255.255
static (vpnnet,outside) A.B.C.D 10.10.40.34 netmask 255.255.255.255
static (inside,outside) A.B.C.D 10.10.50.35 netmask 255.255.255.255
static (inside,dmz) 10.10.10.27 10.10.50.27 netmask 255.255.255.255
static (vpnnet,dmz) 10.10.10.192 192.168.191.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group vpnnet_access_in in interface vpnnet
route outside 0.0.0.0 0.0.0.0 A.B.C.D 1
route vpnnet 192.168.191.0 255.255.255.0 10.10.40.30 1
route vpnnet 152.119.191.0 255.255.255.0 10.10.40.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 60
console timeout 5
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map IPS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map IPS
 class IPS
  ips inline fail-open
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect sqlnet
  inspect esmtp
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class IPS
  ips inline fail-open
service-policy global_policy global
tftp-server inside 10.10.50.154

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
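The quoted config carries well over a hundred ACEs across four interface ACLs, which is what the turbo ACL remark is about; at that size, ordering mistakes (an entry fully covered by an earlier entry, so it can never match) are easy to miss. The following is an added example, not code from the thread: a small Python checker that parses ASA extended ACEs (any / host / net-mask / object-group address specs and eq/gt/lt/neq port operators), counts entries per ACL, and reports ACEs shadowed by an earlier ACE in the same list. It assumes a small port-name table, treats object-group names as opaque (two ACEs compare only when they name the same group), and runs on a constructed excerpt modelled on the dmz_access_in list above.

```python
import ipaddress
import re
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ftp": 21, "smtp": 25, "ldap": 389}  # subset, assumed
ACE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")

def _addr(t):  # consume any / host X / NET MASK / object-group G -> (spec, rest); groups stay opaque
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    if t[0] == "object-group":
        return "og:" + t[1], t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]

def _port(t):  # consume an optional eq/gt/lt/neq operator -> (spec, rest); known names become numbers
    if t and t[0] in ("eq", "gt", "lt", "neq"):
        v = t[1]
        return (t[0], PORT_NAMES.get(v, int(v) if v.isdigit() else v)), t[2:]
    return None, t

def parse_ace(line):  # one 'access-list NAME extended ...' line -> dict, or None for other config lines
    m = ACE.match(line.strip())
    if not m:
        return None
    name, action, proto, rest = m.groups()
    src, t = _addr(rest.split()); sport, t = _port(t)
    dst, t = _addr(t); dport, _ = _port(t)
    return {"acl": name, "action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def _covers_addr(a, b):  # does address spec a match every address spec b matches?
    if isinstance(a, str) or isinstance(b, str):
        return a == b
    return b.subnet_of(a)

def _covers_port(a, b):  # does port spec a match every port spec b matches? (unknown cases -> False, i.e. safe)
    if a is None or a == b:
        return True
    return a[0] == "gt" and b is not None and b[0] == "eq" and isinstance(b[1], int) and b[1] > a[1]

def shadowed(earlier, later):  # earlier already matches every packet later would, so later never fires
    return (earlier["acl"] == later["acl"] and earlier["proto"] in ("ip", later["proto"])
            and _covers_addr(earlier["src"], later["src"]) and _covers_port(earlier["sport"], later["sport"])
            and _covers_addr(earlier["dst"], later["dst"]) and _covers_port(earlier["dport"], later["dport"]))

def audit(config_text):  # -> ({acl: entry count}, [(covering ACE, shadowed ACE)]) with 1-based positions
    aces = [a for a in map(parse_ace, config_text.splitlines()) if a]
    counts, shadows = {}, []
    for i, later in enumerate(aces):
        counts[later["acl"]] = counts.get(later["acl"], 0) + 1
        hit = next((j for j in range(i) if shadowed(aces[j], later)), None)
        if hit is not None:
            shadows.append((hit + 1, i + 1))
    return counts, shadows
# Constructed excerpt modelled on the dmz_access_in list in the quoted config (not the real list).
SAMPLE = """\
access-list dmz_access_in extended permit ip host 10.10.10.30 any
access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.6 eq www
access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 any eq www
access-list dmz_access_in extended permit tcp host 10.10.10.30 gt 1023 host 10.10.10.12 eq www
access-list dmz_access_in extended deny ip any any
"""
```

Running audit(SAMPLE) reports five entries and flags ACE 4 as shadowed by ACE 1, the "permit ip host 10.10.10.30 any" line; running it over a whole saved running-config gives the per-ACL counts behind the turbo ACL decision.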
Current thread:
- Pix to ASA migration timpacalypse (Oct 02)
- Re: Pix to ASA migration Craig Van Tassle (Oct 03)
- R: Pix to ASA migration Massimo Baschieri (Oct 03)
- <Possible follow-ups>
- Re: Re: Pix to ASA migration timpacalypse (Oct 03)
- RE: Re: Pix to ASA migration Mohamad Mneimneh (Oct 05)
- Re: Pix to ASA migration Joseph Jenkins (Oct 06)