I am getting ready to deploy a new firewall and would like the config reviewed before I deploy it. This is how I want it to work:
1. All internal hosts can reach the internet.
2. All internal hosts can reach the DMZ.
3. The host in the DMZ can reach the internet and a single IP on the internal network.
4. VPN access for users
Here is the config. Thanks
:
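! Review notes are the "!" comment lines below; they are ignored by the CLI and can
! be pasted along with the config or stripped. Lines that were wrapped by the
! forum paste (access-list, static, access-group, ip local pool, group-url,
! Cryptochecksum) have been rejoined so the config parses as a unit.
ASA Version 8.0(3)
!
hostname blizzard
domain-name blizzard.com
enable password xxxxxxxxxxx encrypted
names
name 192.168.255.93 UIServer description UIServerAccess
name 192.168.1.122 UIServerInternal description UIServerJBOSS
dns-guard
!
interface GigabitEthernet0/0
nameif Internal_Production
security-level 100
ip address 192.168.1.233 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
ip address 192.168.255.254 255.255.255.0
ospf cost 10
!
! External_Internet is still "shutdown". Requirements 1, 3 and 4 all ride on this
! interface, so it needs "no shutdown" before the box goes live.
interface GigabitEthernet0/2
shutdown
nameif External_Internet
security-level 0
ddns update hostname 4.2.2.1
dhcp client update dns
ip address 64.x.x.x 255.255.255.248
ospf cost 10
!
! NOTE(review): "External" sits at security-level 75, above DMZ (50) and
! External_Internet (0), and no access-group is applied to it, so 10.0.1.0/24 can
! initiate to the DMZ and the internet with no filtering at all. Confirm this is a
! trusted segment; otherwise lower its security level or apply an inbound ACL.
interface GigabitEthernet0/3
nameif External
security-level 75
ip address 10.0.1.251 255.255.255.0
ospf cost 10
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.6 255.255.255.0
ospf cost 10
management-only
!
! NOTE(review): this is the well-known factory-default login password hash that
! ships on the ASA; set a new login password before deployment.
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
boot system disk0:/asa723-k8.bin
boot system disk0:/asa707-k8.bin
ftp mode passive
dns domain-lookup Internal_Production
dns domain-lookup External_Internet
dns server-group DefaultDNS
name-server 4.2.2.1
name-server 4.2.2.2
name-server 64.13.135.16
name-server 64.13.143.18
domain-name tempo.com
dns server-group Primary
name-server 4.2.2.1
name-server 4.2.2.2
name-server 64.x.x.16
name-server 64.x.x.18
dns-group Primary
same-security-traffic permit intra-interface
! DM_INLINE_NETWORK_1 already contains 0.0.0.0/0 (any), so the UIServerInternal
! entry adds nothing; if the intent is "UIServerInternal only", drop the any entry.
object-group network DM_INLINE_NETWORK_1
network-object 0.0.0.0 0.0.0.0
network-object host UIServerInternal
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object tcp
! NOTE(review): group-policy tempoaccess uses split-tunnel-policy tunnelspecified,
! so this list decides what VPN clients send through the tunnel. "host 0.0.0.0"
! most likely matches no real destination, leaving clients tunnelling nothing.
! List the internal networks instead (e.g. "permit 192.168.1.0 255.255.255.0").
! onyx_splitTunnelAcl ("permit any") below is defined but never referenced.
access-list tempoaccess_splitTunnelAcl standard permit host 0.0.0.0
! NOTE(review): applied inbound on Internal_Production (access-group below). Once an
! ACL is bound to an interface the implicit deny replaces the security-level default,
! and this list's only permit has source host UIServer (192.168.255.93, a DMZ
! address), which no packet arriving on the internal interface carries. As written,
! internal hosts are denied both the internet and the DMZ (requirements 1 and 2).
! Either remove the access-group and let security levels do the work, or add
! "permit ip 192.168.1.0 255.255.255.0 any". The UIServer -> UIServerInternal rule
! looks like it belongs in DMZ_access_in.
access-list Internal_Production_access_in extended permit object-group DM_INLINE_PROTOCOL_3 host UIServer object-group DM_INLINE_NETWORK_1
! NOTE(review): applied inbound on DMZ. It permits "any" to UIServer, but UIServer is
! itself on the DMZ, so the rule covers nothing that transits the firewall; DMZ hosts
! fall to the implicit deny for the internet and for UIServerInternal (requirement 3),
! and "log disable" hides the denies. Suggested order: permit host UIServer to host
! UIServerInternal, then deny any 192.168.1.0 255.255.255.0, then permit any any.
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any host UIServer log disable
access-list onyx_splitTunnelAcl standard permit any
! NOTE(review): policy-NAT ACL for the static below; its only entry has source
! "host 0.0.0.0", so it matches no internal host.
access-list Internal_Production_nat_static extended permit ip host 0.0.0.0 64.x.x.218 255.255.255.248
pager lines 24
! NOTE(review): logging goes to ASDM only; there is no buffered or syslog destination,
! so nothing is kept for incident review once the ASDM session ends. Add
! "logging buffered informational" and a "logging host" entry for your collector.
logging enable
logging asdm informational
mtu Internal_Production 1500
mtu DMZ 1500
mtu External_Internet 1500
mtu External 1500
mtu management 1500
! The VPN pool is carved out of the Internal_Production subnet (192.168.1.0/24).
! Make sure no internal host or DHCP scope uses .171-.185, or VPN clients will
! collide with LAN addresses.
ip local pool vpnpool 192.168.1.171-192.168.1.185 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
! NOTE(review): NAT does not cover the stated design. The only "global" is on
! Internal_Production itself and there is no "nat (...) 101" to pair with it, and
! nothing translates Internal_Production -> External_Internet, so internal hosts
! would leave with 192.168.1.x source addresses unless an upstream device NATs them.
! A minimal fix is "nat (Internal_Production) 1 192.168.1.0 255.255.255.0" plus
! "global (External_Internet) 1 interface"; the DMZ needs the same for requirement 3
! (UIServer alone is covered by its static to 64.x.x.219).
global (Internal_Production) 101 interface
static (DMZ,External_Internet) 64.x.x.219 UIServer netmask 255.255.255.255
static (Internal_Production,External_Internet) interface access-list Internal_Production_nat_static
access-group Internal_Production_access_in in interface Internal_Production
access-group DMZ_access_in in interface DMZ
route External_Internet 0.0.0.0 0.0.0.0 64.x.x.217 1
route Internal_Production 162.31.32.0 255.255.255.0 192.168.1.230 1
route Internal_Production 192.152.100.0 255.255.255.0 192.168.1.230 1
route Internal_Production 192.152.102.0 255.255.255.0 192.168.1.230 1
route Internal_Production 192.168.2.0 255.255.255.0 192.168.1.254 1
route Internal_Production 192.168.10.0 255.255.255.0 192.168.1.253 1
route Internal_Production 199.0.8.0 255.255.255.0 192.168.1.230 1
route Internal_Production 204.194.120.0 255.255.255.0 192.168.1.230 1
route Internal_Production 204.194.125.0 255.255.255.0 192.168.1.230 1
route Internal_Production 204.194.129.0 255.255.255.0 192.168.1.230 1
route Internal_Production 223.3.3.0 255.255.255.0 192.168.1.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
! ASDM/HTTPS management is open to any source on Internal_Production and management.
! Restrict it to the admin host(s), as ssh below already is (192.168.1.124).
http 0.0.0.0 0.0.0.0 Internal_Production
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! NOTE(review): the dynamic crypto map offers DES and MD5 transform sets to remote
! clients, and the single ISAKMP policy is 3DES/SHA/group 2. Trim the transform-set
! list to the AES/SHA sets (keep 3DES only for clients that need it) and drop the
! DES and MD5 sets entirely.
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map External_Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map External_Internet_map interface External_Internet
! NOTE(review): the next two lines plus "crypto isakmp enable Internal_Production"
! also terminate remote-access IPsec on the internal interface. If VPN users are
! only expected from the internet, remove the Internal_Production crypto map and
! the isakmp enable for it.
crypto map Internal_Production_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Internal_Production_map interface Internal_Production
crypto isakmp enable Internal_Production
crypto isakmp enable External_Internet
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
! Telnet carries credentials in clear text; ssh from the same host is permitted two
! lines down, so the telnet line can be removed. "console timeout 0" never expires
! an idle console session.
telnet 192.168.1.124 255.255.255.255 Internal_Production
telnet timeout 5
ssh 192.168.1.124 255.255.255.255 Internal_Production
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.72 192.168.1.74 interface Internal_Production
dhcpd lease 64000 interface Internal_Production
dhcpd domain tempo.com interface Internal_Production
!
threat-detection basic-threat
threat-detection statistics access-list
webvpn
enable External_Internet
svc enable
group-policy tempoaccess internal
group-policy tempoaccess attributes
dns-server value 192.168.1.72 192.168.1.74
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value tempoaccess_splitTunnelAcl
default-domain value blizzard.com
! NOTE(review): "password-storage enable" lets clients cache their VPN password on
! the endpoint; disable it unless there is a firm requirement for it.
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.72
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
password-storage enable
ip-comp enable
re-xauth enable
group-lock value tempoaccess
pfs enable
split-tunnel-network-list value tempoaccess_splitTunnelAcl
address-pools value vpnpool
webvpn
svc ask enable
username xxxx password xxxxxxxx encrypted privilege 0
username xxxx attributes
vpn-group-policy tempoaccess
username xxxx password xxxxxxxx encrypted privilege 15
tunnel-group tempoaccess type remote-access
tunnel-group tempoaccess general-attributes
address-pool vpnpool
default-group-policy tempoaccess
tunnel-group tempoaccess ipsec-attributes
pre-shared-key *
! NOTE(review): temposc sets no default-group-policy, so it presumably inherits
! DfltGrpPolicy (svc/webvpn allowed, password-storage enabled, no split-tunnel-policy
! set there). Confirm that is what the clientless/AnyConnect users should get.
tunnel-group temposc type remote-access
tunnel-group temposc general-attributes
address-pool vpnpool
tunnel-group temposc webvpn-attributes
group-alias asaaccess enable
group-url https://64.x.x.221/asaaccess enable
!
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
prompt hostname context
Cryptochecksum:4b0937388532223e73905be8d7b356c3
: end
asdm image disk0:/asdm-603.bin
asdm location UIServerInternal 255.255.255.255 Internal_Production
asdm location UIServer 255.255.255.255 Internal_Production
no asdm history enable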