Security Basics mailing list archives

Re: Pix to ASA migration


From: Joseph Jenkins <maillist () breathe-underwater com>
Date: Fri, 06 Oct 2006 05:15:53 -0700

In version 7 there is no such thing as turbo ACLs.  The command was
deprecated, Cisco's reason being that they already optimize the ACLs.


On 10/4/06 10:28 PM, "Mohamad Mneimneh" <Mohamad.Mneimneh () dargroup com>
wrote:

A note on the side: the large number of acl entries justifies using
turbo acls to minimize the lookup time {enabled with access-list
compiled in versions < 7.x}

-Mohamad.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of timpacalypse () yahoo com
Sent: Tuesday, October 03, 2006 20:40
To: security-basics () securityfocus com
Subject: Re: Re: Pix to ASA migration

Here's my config:

    ASA Version 7.0(5)
  !
  hostname XXX
  domain-name XXX
  enable password
  names
  dns-guard
  !
  interface GigabitEthernet0/0
   nameif outside
   security-level 0
   ip address A.B.C.D 255.255.255.224
  !
  interface GigabitEthernet0/1
   nameif inside
   security-level 100
   ip address 10.10.50.1 255.255.255.0
  !
  interface GigabitEthernet0/2
   nameif dmz
   security-level 25
   ip address 10.10.10.1 255.255.255.0
  !
  interface GigabitEthernet0/3
   nameif vpnnet
   security-level 50
   ip address 10.10.40.1 255.255.255.0
  !
  interface Management0/0
   nameif management
   security-level 100
   ip address 192.168.1.1 255.255.255.0
   management-only
  !
  banner exec *******AUTHORIZED USERS ONLY********
  banner login *******WARNING - AUTHORIZED USE ONLY*******
  ftp mode passive
  clock timezone EST -5
  access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
  access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
  access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
  access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
  access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq smtp
  access-list outside_access_in extended permit esp any host A.B.C.D
  access-list outside_access_in extended permit ah any host A.B.C.D
  access-list outside_access_in extended permit udp any eq 4500 host A.B.C.D eq 4500
  access-list outside_access_in extended permit udp any host A.B.C.D eq isakmp
  access-list outside_access_in extended permit udp any eq 10000 host A.B.C.D eq 10000
  access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
  access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
  access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
  access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
  access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
  access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
  access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq https
  access-list outside_access_in extended permit tcp any gt 1023 host A.B.C.D eq www
  access-list outside_access_in extended deny ip any any
  access-list dmz_access_in extended permit ip 10.10.10.0 255.255.255.0 10.10.60.0 255.255.255.0
  access-list dmz_access_in extended permit ip host 10.10.10.30 any
  access-list dmz_access_in extended permit tcp host 10.10.10.28 gt 1023 host 10.10.10.192 eq www
  access-list dmz_access_in extended deny ip 10.10.10.0 255.255.255.0 host 10.10.10.192
  access-list dmz_access_in extended deny udp host 10.10.10.29 gt 1023 host 10.10.10.6 eq domain
  access-list dmz_access_in extended deny udp host 10.10.10.29 gt 1023 host 10.10.10.10 eq domain
  access-list dmz_access_in extended deny udp host 10.10.10.29 gt 1023 host 10.10.10.12 eq domain
  access-list dmz_access_in extended deny udp host 10.10.10.29 gt 1023 host 10.10.10.35 eq domain
  access-list dmz_access_in extended permit udp host 10.10.10.29 gt 1023 any eq domain
  access-list dmz_access_in extended permit tcp host 10.10.10.29 gt 1023 any eq domain
  access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.6 eq www
  access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.10 eq www
  access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.12 eq www
  access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.35 eq www
  access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 any eq www
  access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.6 eq https
  access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.10 eq https
  access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.12 eq https
  access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.35 eq https
  access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 any eq https
  access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.6 eq ftp
  access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.10 eq ftp
  access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.12 eq ftp
  access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.35 eq ftp
  access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 any eq ftp
  access-list dmz_access_in extended permit tcp host 10.10.10.29 host 10.10.10.6 eq smtp
  access-list dmz_access_in extended permit tcp host 10.10.10.29 gt 1023 host 10.10.10.6 eq ldap
  access-list dmz_access_in extended permit tcp host 10.10.10.29 gt 1023 host 10.10.10.6 eq imap4
  access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.10 eq smtp
  access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.12 eq smtp
  access-list dmz_access_in extended deny tcp 10.10.10.0 255.255.255.0 gt 1023 host 10.10.10.35 eq smtp
  access-list dmz_access_in extended permit tcp host 10.10.10.29 gt 1023 any eq smtp
  access-list dmz_access_in extended permit tcp host 10.10.10.28 host 10.10.10.10 eq 1433
  access-list dmz_access_in extended permit ip host 10.10.10.28 host 10.10.10.10
  access-list dmz_access_in extended permit tcp host 10.10.10.36 gt 1023 host 10.10.10.10 eq 1433
  access-list dmz_access_in extended permit tcp host 10.10.10.36 gt 1023 host 10.1
  access-list dmz_access_in extended permit tcp host 10.10.10.36 gt 1023 host 10.1
  access-list dmz_access_in extended permit tcp host 10.10.10.28 host 10.10.10.10 eq 5001
  access-list dmz_access_in extended permit tcp host 10.10.10.28 host 10.10.10.10 eq 5015
  access-list dmz_access_in extended deny ip any any
  access-list vpnnet_access_in extended deny udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.6 eq domain
  access-list vpnnet_access_in extended deny udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.10 eq domain
  access-list vpnnet_access_in extended deny udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq domain
  access-list vpnnet_access_in extended deny udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.35 eq domain
  access-list vpnnet_access_in extended permit udp host 10.10.40.34 gt 1023 any eq domain
  access-list vpnnet_access_in extended permit tcp host 10.10.40.34 gt 1023 any eq domain
  access-list vpnnet_access_in extended permit udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.10.29 eq domain
  access-list vpnnet_access_in extended permit tcp host 10.10.40.30 gt 1023 host 10.10.40.6 eq www
  access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.6 eq www
  access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 any eq www
  access-list vpnnet_access_in extended permit tcp host 192.168.191.10 gt 1023 host 10.10.10.28 eq www
  access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.6 eq https
  access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.10 eq https
  access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq https
  access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.35 eq https
  access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 any eq https
  access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.6 eq ftp
  access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.10 eq ftp
  access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq ftp
  access-list vpnnet_access_in extended deny tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.35 eq ftp
  access-list vpnnet_access_in extended permit tcp host 10.10.40.34 gt 1023 any eq ftp
  access-list vpnnet_access_in extended permit tcp object-group CITI_Admin_VPN neq 1023 any eq ftp
  access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.10.28 eq 3389
  access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.10.28
  access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.10.29 eq 3389
  access-list vpnnet_access_in extended permit tcp object-group CITI_Admin_VPN gt 1023 host 10.10.10.29 eq 3389
  access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.10.36 eq 3389
  access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.10.36
  access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.40.10 eq 3389
  access-list vpnnet_access_in extended deny tcp object-group CITI_User_VPN gt 1023 host 10.10.40.10 eq 3389
  access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.40.10
  access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.40.6 eq 3389
  access-list vpnnet_access_in extended deny tcp object-group CITI_User_VPN gt 1023 host 10.10.40.6 eq 3389
  access-list vpnnet_access_in extended permit tcp object-group CITI_Admin_VPN gt 1023 host 10.10.40.6 eq 3389
  access-list vpnnet_access_in extended deny tcp object-group FRA_HQ_Users gt 1023 host 10.10.40.12
  access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq 135
  access-list vpnnet_access_in extended permit udp 10.10.40.0 255.255.255.0 eq netbios-ns host 10.10.40.12 eq netbios-ns
  access-list vpnnet_access_in extended permit udp 10.10.40.0 255.255.255.0 eq netbios-dgm host 10.10.40.12 eq netbios-dgm
  access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq netbios-ssn
  access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq 445
  access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq ldap
  access-list vpnnet_access_in extended permit udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq 389
  access-list vpnnet_access_in extended permit udp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq 88
  access-list vpnnet_access_in extended permit tcp 10.10.40.0 255.255.255.0 gt 1023 host 10.10.40.12 eq 88
  access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.40.6
  access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.40.12
  access-list vpnnet_access_in extended permit ip object-group CITI_Admin_VPN host 10.10.40.35
  access-list vpnnet_access_in extended deny ip any any
  access-list inside_access_in extended permit udp object-group Inside_Servers gt 1023 host 10.10.10.29 eq domain
  access-list inside_access_in extended permit tcp object-group Inside_Servers gt 1023 host 10.10.10.29 eq domain
  access-list inside_access_in extended permit udp object-group Inside_Servers gt 1023 any eq domain
  access-list inside_access_in extended permit tcp host 10.10.50.6 gt 1023 host 10.10.10.29 eq smtp
  access-list inside_access_in extended permit tcp 10.10.50.0 255.255.255.0 gt 1023 any eq www
  access-list inside_access_in extended permit tcp 10.10.50.0 255.255.255.0 gt 1023 any eq https
  access-list inside_access_in extended permit tcp 10.10.50.0 255.255.255.0 gt 1023 any eq ftp
  access-list inside_access_in extended permit tcp host 10.10.50.10 host 10.10.10.28 eq 1433
  access-list inside_access_in extended permit ip host 10.10.50.10 host 10.10.10.28
  access-list inside_access_in extended permit tcp host 10.10.50.35 host 10.10.10.36 eq 1433
  access-list inside_access_in extended permit tcp host 10.10.50.10 host 10.10.10.28 eq 5001
  access-list inside_access_in extended permit tcp host 10.10.50.10 host 10.10.10.28 eq 5015
  access-list inside_access_in extended permit ip object-group Inside_Admin host 10.10.10.28
  access-list inside_access_in extended permit tcp object-group Inside_Admin gt 1023 host 10.10.10.29 eq 3389
  access-list inside_access_in extended permit ip object-group Inside_Admin host 10.10.10.36
  access-list inside_access_in extended permit ip object-group Inside_Admin host 10.10.40.34
  access-list inside_access_in extended permit ip object-group Inside_Admin host 10.10.10.50
  access-list inside_access_in extended permit ip object-group Inside_Developer host 10.10.40.34
  access-list inside_access_in extended permit ip host 10.10.50.12 object-group CITI_Admin_VPN
  access-list inside_access_in extended permit ip 10.10.50.0 255.255.255.0 152.119.191.0 255.255.255.0
  access-list inside_access_in extended permit ip 10.10.50.0 255.255.255.0 10.10.60.0 255.255.255.0
  access-list inside_access_in extended deny ip any any
  access-list inside_outbound_nat0_acl extended permit ip 10.10.50.0 255.255.255.0 10.10.60.0 255.255.255.0
  access-list dmz_outbound_nat0_acl extended permit ip 10.10.10.0 255.255.255.0 10.10.60.0 255.255.255.0
  access-list outside_cryptomap_10 extended permit ip 10.10.50.0 255.255.255.0 10.10.60.0 255.255.255.0
  access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 10.10.60.0 255.255.255.0
  access-list IPS extended permit ip any any
  pager lines 24
  logging enable
  logging monitor debugging
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu dmz 1500
  mtu vpnnet 1500
  mtu management 1500
  ip verify reverse-path interface outside
  ip verify reverse-path interface dmz
  ip verify reverse-path interface vpnnet
  no failover
  failover polltime unit 15 holdtime 45
  asdm image disk0:/asdm505.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 50 A.B.C.D netmask 255.255.255.224
  global (outside) 40 A.B.C.D netmask 255.255.255.224
  global (outside) 10 A.B.C.D netmask 255.255.255.224
  global (dmz) 50 10.10.10.41
  global (dmz) 40 10.10.10.42
  global (dmz) 192 10.10.10.46
  global (dmz) 152 10.10.10.47
  global (dmz) 60 10.10.10.48
  global (vpnnet) 50 10.10.40.41
  nat (inside) 0 access-list inside_outbound_nat0_acl
  nat (inside) 50 10.10.50.0 255.255.255.0
  nat (dmz) 0 access-list dmz_outbound_nat0_acl
  nat (dmz) 10 10.10.10.0 255.255.255.0
  nat (vpnnet) 40 10.10.40.0 255.255.255.0
  nat (vpnnet) 152 152.119.191.0 255.255.255.0
  nat (vpnnet) 192 192.168.100.0 255.255.255.0
  static (inside,outside) A.B.C.D 10.10.50.17 netmask 255.255.255.255
  static (inside,dmz) 10.10.10.6 10.10.50.6 netmask 255.255.255.255
  static (inside,dmz) 10.10.10.10 10.10.50.10 netmask 255.255.255.255
  static (inside,dmz) 10.10.10.12 10.10.50.12 netmask 255.255.255.255
  static (inside,dmz) 10.10.10.35 10.10.50.35 netmask 255.255.255.255
  static (inside,vpnnet) 10.10.40.6 10.10.50.6 netmask 255.255.255.255
  static (inside,vpnnet) 10.10.40.10 10.10.50.10 netmask 255.255.255.255
  static (inside,vpnnet) 10.10.40.12 10.10.50.12 netmask 255.255.255.255
  static (inside,vpnnet) 10.10.40.35 10.10.50.35 netmask 255.255.255.255
  static (dmz,outside) A.B.C.D 10.10.10.28 netmask 255.255.255.255
  static (dmz,outside) A.B.C.D 10.10.10.29 netmask 255.255.255.255
  static (dmz,outside) A.B.C.D 10.10.10.30 netmask 255.255.255.255
  static (dmz,outside) A.B.C.D 10.10.10.36 netmask 255.255.255.255
  static (dmz,outside) A.B.C.D 10.10.10.50 netmask 255.255.255.255
  static (vpnnet,outside) A.B.C.D 10.10.40.34 netmask 255.255.255.255
  static (inside,outside) A.B.C.D 10.10.50.35 netmask 255.255.255.255
  static (inside,dmz) 10.10.10.27 10.10.50.27 netmask 255.255.255.255
  static (vpnnet,dmz) 10.10.10.192 192.168.191.10 netmask 255.255.255.255
  access-group outside_access_in in interface outside
  access-group inside_access_in in interface inside
  access-group dmz_access_in in interface dmz
  access-group vpnnet_access_in in interface vpnnet
  route



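The thread turns on ACL size and lookup cost: Mohamad suggests compiling the lists, Joseph points out that 7.x optimizes them itself. Either way, an ACL the length of the one posted is easier to reason about once the dead entries are gone, and in a first-match list a later entry that an earlier entry already covers is either redundant (same action) or unreachable (opposite action). The checker below is an added example written for this page; it is not Cisco's tooling and not the poster's code. It parses only the extended-ACE syntax that appears in the posted config (any, host, network plus mask, object-group, and the eq/gt/lt/neq/range port operators) and reports shadowed entries per list. The sample ACEs are constructed, modelled on the outside_access_in and dmz_access_in lists above with the documentation address 203.0.113.10 standing in for the masked A.B.C.D; nothing in it fetches a real config.

```python
"""Flag redundant and unreachable ACEs in ASA/PIX 'access-list ... extended' lines.

Added example for the Pix-to-ASA thread; not Cisco's code and not the poster's.
A later entry is reported when an earlier entry in the same list already
matches everything it matches: same action means it is dead weight
(redundant), a different action means it can never be hit (unreachable).
"""
import ipaddress
from collections import defaultdict

PORT_OPS = {"eq", "gt", "lt", "neq", "range"}

# Constructed sample, modelled on the outside/dmz lists in the posted config
# (203.0.113.10 is a documentation address standing in for the masked A.B.C.D).
SAMPLE_ACL = """\
access-list outside_access_in extended permit tcp any gt 1023 host 203.0.113.10 eq www
access-list outside_access_in extended permit tcp any gt 1023 host 203.0.113.10 eq https
access-list outside_access_in extended permit tcp any gt 1023 host 203.0.113.10 eq www
access-list outside_access_in extended deny ip any any
access-list dmz_access_in extended permit ip host 10.10.10.30 any
access-list dmz_access_in extended permit tcp host 10.10.10.30 gt 1023 host 10.10.10.192 eq www
access-list dmz_access_in extended deny ip any any
access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 any eq ftp
"""


def parse_addr(tokens, i):
    """Return (address, next_index). Networks become IPv4Network; object-groups stay opaque."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if t == "object-group":
        return ("object-group", tokens[i + 1]), i + 2
    # ASA writes networks as 'ADDRESS MASK'; ipaddress accepts a dotted mask after '/'
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_port(tokens, i):
    """Return (port_spec_or_None, next_index); None means no port restriction."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        width = 3 if tokens[i] == "range" else 2
        return tuple(tokens[i:i + width]), i + width
    return None, i


def parse_ace(line):
    """Parse one extended ACE; return None for anything else (including truncated lines)."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    try:
        src, i = parse_addr(tokens, 5)
        sport, i = parse_port(tokens, i)
        dst, i = parse_addr(tokens, i)
        dport, _ = parse_port(tokens, i)
    except (IndexError, ValueError):
        return None  # truncated or unsupported syntax: skip rather than guess
    return {"name": tokens[1], "action": tokens[3], "proto": tokens[4],
            "src": src, "sport": sport, "dst": dst, "dport": dport, "text": line.strip()}


def addr_covers(a, b):
    """True if every address matched by b is also matched by a (object-groups only by name)."""
    if isinstance(a, tuple) or isinstance(b, tuple):
        return a == b
    return b.subnet_of(a)


def covers(earlier, later):
    """Conservative test that 'earlier' matches a superset of the packets 'later' matches.

    Port operators are compared for exact equality only, so 'gt 1023' is not
    treated as covering 'eq 8080'; that keeps false positives out at the cost
    of missing some shadows.
    """
    return (earlier["proto"] in ("ip", later["proto"])
            and addr_covers(earlier["src"], later["src"])
            and addr_covers(earlier["dst"], later["dst"])
            and earlier["sport"] in (None, later["sport"])
            and earlier["dport"] in (None, later["dport"]))


def find_shadowed(lines):
    """Return [(later_ace_text, earlier_ace_text, 'redundant' | 'unreachable'), ...]."""
    seen = defaultdict(list)  # list name -> ACEs in configured (first-match) order
    findings = []
    for line in lines:
        ace = parse_ace(line)
        if ace is None:
            continue
        for earlier in seen[ace["name"]]:
            if covers(earlier, ace):
                kind = "redundant" if earlier["action"] == ace["action"] else "unreachable"
                findings.append((ace["text"], earlier["text"], kind))
                break  # the first shadowing entry is the one the firewall actually hits
        seen[ace["name"]].append(ace)
    return findings


def ace_counts(lines):
    """Number of ACEs per access-list, the 'large number of acl entries' under discussion."""
    counts = defaultdict(int)
    for line in lines:
        ace = parse_ace(line)
        if ace is not None:
            counts[ace["name"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_ACL.splitlines()
    print("ACEs per list:", ace_counts(lines))
    for later, earlier, kind in find_shadowed(lines):
        print(f"{kind.upper():11} {later}\n            shadowed by: {earlier}")
```

Run it against a saved `show running-config` by passing the file's lines to `find_shadowed` instead of `SAMPLE_ACL`. On the sample it reports the repeated `eq www` entry on the outside list as redundant, the dmz host-to-host `eq www` entry as redundant because `permit ip host 10.10.10.30 any` already allows it, and the `eq ftp` entry placed after `deny ip any any` as unreachable. Truncated lines such as the two ending in `host 10.1` above are skipped, not guessed at.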