Wednesday, November 3, 2010

Basic Cisco ASA 8.2 Template

A basic Cisco ASA 8.2 template. It is meant to be used as a starting point for a production configuration and obviously has to be customized to meet your particular security requirements.

This template uses:

* 3 interfaces (outside 192.168.100.0/24, inside 10.0.0.0/24 and dmz 172.16.0.0/24)
* Management interface (192.168.0.0/24)
* Banner for motd and ASDM.
* CET/CEST timezone.
* Firewall/NAT rules that allow IP/ICMP traffic from inside to outside with NAT, inside to dmz without NAT, and dmz to outside with NAT.
* Static NATs for both dmz and inside hosts (tcp 80 and tcp 8080).
* AAA configuration with a local fallback account (notacacsuser) in case the AAA servers are unreachable or down.
* SNMP access
* SSH/ASDM access from everywhere except the dmz
* NTP

Configuration:

ASA Version 8.2(3) 
!
hostname ASA-TEMPLATE
domain-name foo.bar
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.22 255.255.255.0 
 management-only
!
banner motd -----------------------------------------------
banner motd WARNING: You have accessed a restricted system.
banner motd -----------------------------------------------
banner asdm -----------------------------------------------
banner asdm WARNING: You have accessed a restricted system.
banner asdm -----------------------------------------------
ftp mode passive
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name foo.bar
object-group service Web8080 tcp
 port-object eq 8080
access-list inside_access_in extended permit icmp 10.0.0.0 255.255.255.0 any 
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 any 
access-list inside_access_in extended permit icmp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp any interface outside eq www 
access-list outside_access_in extended permit tcp any interface outside object-group Web8080 
access-list dmz_access_in extended permit icmp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 echo-reply 
access-list dmz_access_in extended deny ip 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list dmz_access_in extended permit ip 172.16.0.0 255.255.255.0 any 
access-list dmz_access_in extended deny icmp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list dmz_access_in extended permit icmp 172.16.0.0 255.255.255.0 any 
pager lines 24
logging enable
logging timestamp
logging buffer-size 96000
logging buffered debugging
logging asdm informational
logging host outside 192.168.102.245
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
static (inside,outside) tcp interface www 10.0.0.45 www netmask 255.255.255.255 
static (dmz,outside) tcp interface 8080 172.16.0.10 www netmask 255.255.255.255 
static (dmz,outside) 192.168.100.3 172.16.0.2 netmask 255.255.255.255 
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server tacacs protocol tacacs+
aaa-server tacacs (management) host 192.168.0.5
 key tacacssecret
aaa authentication ssh console tacacs LOCAL
aaa authentication telnet console tacacs LOCAL
aaa authentication serial console tacacs LOCAL
aaa authentication enable console tacacs LOCAL
aaa authentication http console tacacs LOCAL
aaa authorization command tacacs LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 1.1.1.1 poll community test version 2c
snmp-server location LOCATION
snmp-server contact super-firewall-admin@foo.bar
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp outside
sysopt noproxyarp inside
sysopt noproxyarp dmz
sysopt noproxyarp management
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh version 2
console timeout 5
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 1.1.1.1
webvpn
username notacacsuser password notacacsuser privilege 15
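As an added illustration (not part of the original post), the following Python models the ASA's first-match evaluation of the dmz_access_in list above, including the implicit deny at the end, and reports entries that an earlier entry fully shadows. It assumes the simplified ACE grammar used in this template (address/mask or any, optional ICMP type; no ports or object-groups).

```python
import ipaddress

# Constructed input: the dmz_access_in entries from the template above, in order.
DMZ_ACL = """
access-list dmz_access_in extended permit icmp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 echo-reply
access-list dmz_access_in extended deny ip 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list dmz_access_in extended permit ip 172.16.0.0 255.255.255.0 any
access-list dmz_access_in extended deny icmp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list dmz_access_in extended permit icmp 172.16.0.0 255.255.255.0 any
"""

def _net(tokens, i):
    """Consume 'any' or 'address mask' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [icmp-type]' lines (ASA 8.2).
    Only the forms used in this template are handled: no ports, no object-groups."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[3], t[4]
        src, i = _net(t, 5)
        dst, i = _net(t, i)
        icmp_type = t[i] if i < len(t) else None
        aces.append((action, proto, src, dst, icmp_type))
    return aces

def _covers(ace, proto, src, dst, icmp_type):
    """True if the entry matches a packet with these attributes ('ip' matches any protocol)."""
    _, p, s, d, q = ace
    return p in ("ip", proto) and src in s and dst in d and (q is None or q == icmp_type)

def evaluate(aces, proto, src, dst, icmp_type=None):
    """First-match lookup with the ASA's implicit deny at the end; returns (action, index)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(aces):
        if _covers(ace, proto, src, dst, icmp_type):
            return ace[0], n
    return "deny", None

def shadowed(aces):
    """Indices of entries fully covered by an earlier entry; they can never match."""
    return [j for j, (_, p, s, d, q) in enumerate(aces)
            if any(p2 in ("ip", p) and s.subnet_of(s2) and d.subnet_of(d2) and (q2 is None or q2 == q)
                   for _, p2, s2, d2, q2 in aces[:j])]
```

Run against the list as written, it reports indices 3 and 4 as shadowed: the deny icmp toward the inside network is already covered by the deny ip above it, and the permit icmp to any by the permit ip any. Neither changes what the ACL allows, which is a useful check before editing rule order in a template like this.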

2 comments:

1. "ntp server 1.1.1.1"

   Am I really seeing 1.0.0.0/8 in an example in late 2010? Just sayin :)

2. Easy to replace with the real IP :)