ASA5510 - Check this config for me

995 Views
Last Modified: 2013-11-16
OK, I'm putting this in in 10 hours. I've sanitised it: all the publics are prefixed 123.123.123.x and I've changed everything else.

Please see if I've missed anything out, or made any dumb errors, because this is the most complicated config I've written =[ and I want it to go as smoothly as possible.
-----------------------------------------------------------------------------------------------------------------------------------------
: Saved
: Written by enable_15 at 11:26:07.174 UTC Wed May 9 2007
!
ASA Version 7.2(2)
!
hostname CLIENTFWALL1
domain-name default.domain.invalid
enable password zzzzzzzzzzz encrypted
names
name 216.82.240.0 MLabs1
name 85.158.136.0 MLabs2
name 193.209.254.0 MLabs3
name 194.106.220.0 MLabs4
name 195.245.230.0 MLabs5
name 62.231.131.0 MLabs6
name 212.125.74.44 MLabs7
name 195.216.16.211 MLabs8
name 212.125.75.0 MLabs9
name 194.205.110.128 MLabs10
name 62.173.108.16 MLabs11
name 62.173.108.208 MLabs12
name 172.31.3.8 DC1
name 172.16.3.10 SQL1
name 172.16.3.12 DC2
name 172.16.3.14 OLD_SERVER
name 172.16.3.17 SQL2
name 172.16.3.33 PC1
name 172.16.3.38 SQL3
name 172.16.3.201 MAC_OS1
name 172.16.3.202 MAC_OS2
name 172.16.3.203 MAC_OS3
name 172.16.3.204 MAC_OS4
name 172.16.3.205 MAC_OS5
name xx.xx.xx.xx External_Hosting
name 172.16.4.4 MAILB_INT
name 172.16.5.3 WEB1_INT
name 172.16.5.5 WEB2_INT
name 172.16.3.11 MAILA_INT
name 123.123.123.238 MAILB_EXT
name 123.123.123.240 WEB1_EXT
name 123.123.123.242 WEB2_EXT
name 123.123.123.241 MAILA_EXT
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address 123.123.123.225 255.255.255.224
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif Inside
 security-level 100
 ip address 172.16.3.3 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DMZ1
 security-level 50
 ip address 172.16.5.1 255.255.255.0
!
interface Ethernet0/3
 speed 100
 duplex full
 nameif DMZ2
 security-level 55
 ip address 172.16.4.1 255.255.255.0
!
interface Management0/0
 speed 100
 duplex full
 nameif Failover
 security-level 100
 ip address 172.16.254.1 255.255.255.0
!
passwd xxxxxxxxxxxxxxxxxx encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group network Message_Labs_Servers
 network-object MLabs1 255.255.240.0
 network-object MLabs2 255.255.248.0
 network-object MLabs3 255.255.254.0
 network-object MLabs4 255.255.254.0
 network-object MLabs5 255.255.254.0
 network-object MLabs6 255.255.255.0
 network-object MLabs7 255.255.255.255
 network-object MLabs8 255.255.255.255
 network-object MLabs9 255.255.255.224
 network-object MLabs10 255.255.255.224
 network-object MLabs11 255.255.255.240
 network-object MLabs12 255.255.255.240
object-group network WEB_Servers_INT
 network-object WEB1_INT 255.255.255.255
 network-object WEB2_INT 255.255.255.255
object-group network WEB_Servers_EXT
 network-object WEB1_EXT 255.255.255.255
 network-object WEB2_EXT 255.255.255.255
object-group network SMTP_Clients
 network-object MAILA_INT 255.255.255.255
 network-object OLD_SERVER 255.255.255.255
 network-object MAC_OS1 255.255.255.255
 network-object MAC_OS2 255.255.255.255
 network-object MAC_OS3 255.255.255.255
 network-object MAC_OS4 255.255.255.255
 network-object MAC_OS5 255.255.255.255
 network-object PC1 255.255.255.255
access-list Outside-Inbound extended permit icmp any any
access-list Outside-Inbound extended permit tcp any object-group WEB_Servers_EXT eq www
access-list Outside-Inbound extended permit tcp any object-group WEB_Servers_EXT eq https
access-list Outside-Inbound extended permit tcp any object-group WEB_Servers_EXT eq ftp
access-list Outside-Inbound extended permit tcp any host MAILB_EXT eq https
access-list Outside-Inbound extended permit tcp any host MAILB_EXT eq www
access-list Outside-Inbound extended permit tcp any host MAILB_EXT eq pop3
access-list Outside-Inbound extended permit tcp any host MAILB_EXT eq smtp
access-list Outside-Inbound extended permit tcp any host MAILB_EXT eq ftp
access-list Outside-Inbound extended permit tcp any host MAILA_EXT eq https
access-list Outside-Inbound extended permit tcp any host MAILA_EXT eq www
access-list Outside-Inbound extended permit tcp any host MAILA_EXT eq lotusnotes
access-list Outside-Inbound extended permit tcp any host MAILA_EXT eq pop3
access-list Outside-Inbound extended permit tcp object-group Message_Labs_Servers host MAILA_EXT eq smtp
access-list Outside-Inbound extended permit tcp host External_Hosting host MAILA_EXT eq lotusnotes
access-list Inside-Outbound extended permit tcp object-group SMTP_Clients any eq smtp
access-list Inside-Outbound extended deny tcp any any eq smtp
access-list Inside-Outbound extended permit ip any any
access-list Inside-Outbound extended permit icmp any any
access-list DMZ1-Outbound extended permit tcp host WEB2_INT host MAILA_INT eq smtp
access-list DMZ1-Outbound extended permit ip any any
access-list DMZ1-Outbound extended permit tcp object-group WEB_Servers_INT host SQL1 eq 1433
access-list DMZ1-Outbound extended permit tcp object-group WEB_Servers_INT host SQL2 eq 1433
access-list DMZ1-Outbound extended permit tcp object-group WEB_Servers_INT host SQL3 eq 1433
access-list Split standard permit 172.16.3.0 255.255.255.0
access-list Split standard permit 172.16.5.0 255.255.255.0
access-list NoNat extended permit ip 172.16.3.0 255.255.255.0 172.16.3.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ1 1500
mtu DMZ2 1500
mtu Failover 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 123.123.123.227-123.123.123.228 netmask 255.255.255.224
global (Outside) 1 123.123.123.226 netmask 255.255.255.224
nat (Inside) 1 172.16.3.0 255.255.255.0
nat (DMZ1) 1 172.16.5.0 255.255.255.0
nat (DMZ2) 1 172.16.4.0 255.255.255.0
nat (Failover) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) MAILA_EXT MAILA_INT netmask 255.255.255.255
static (DMZ1,Outside) WEB1_EXT WEB1_INT netmask 255.255.255.255
static (DMZ1,Outside) WEB2_EXT WEB2_INT netmask 255.255.255.255
static (DMZ2,Outside) MAILB_EXT MAILB_INT netmask 255.255.255.255
static (Inside,DMZ1) SQL1 SQL1 netmask 255.255.255.255
static (Inside,DMZ1) SQL2 SQL2 netmask 255.255.255.255
static (Inside,DMZ1) SQL3 SQL3 netmask 255.255.255.255
static (Inside,DMZ1) MAILA_INT MAILA_INT netmask 255.255.255.255
static (DMZ1,Inside) MAILB_INT MAILB_INT netmask 255.255.255.255
static (DMZ1,Inside) WEB1_INT WEB1_INT netmask 255.255.255.255
static (DMZ1,Inside) WEB2_INT WEB2_INT netmask 255.255.255.255
access-group Outside-Inbound in interface Outside
access-group Inside-Outbound in interface Inside
access-group DMZ1-Outbound in interface DMZ1
route Outside 0.0.0.0 0.0.0.0 123.123.123.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Windows-IAS protocol radius
aaa-server Windows-IAS host DC2
 timeout 5
 key xxxxxxxxx
aaa-server Windows-IAS host DC1
 timeout 5
 key xxxxxxxxx
group-policy CLIENT-VPN internal
group-policy CLIENT-VPN attributes
 banner value You are connected to a private server - Disconnect NOW if not Authorised
 dns-server value 172.16.3.12 172.16.3.8
 vpn-idle-timeout 20
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split
 default-domain value internal.local
username support password xxxxxxxxxxxxx encrypted
http server enable
http 172.16.3.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set CLIENT-TS esp-aes esp-sha-hMAC_OS
crypto dynamic-map CLIENT-Map 20 set transform-set CLIENT-TS
crypto map CLIENT-Map 20 ipsec-isakmp dynamic CLIENT-Map
crypto map CLIENT-Map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp disconnect-notify
tunnel-group CLIENT-VPN type ipsec-ra
tunnel-group CLIENT-VPN general-attributes
 authentication-server-group Windows-IAS LOCAL
 authorization-server-group LOCAL
 default-group-policy CLIENT-VPN
 dhcp-server DC1
 dhcp-server DC2
tunnel-group CLIENT-VPN ipsec-attributes
 pre-shared-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
telnet 172.16.3.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect sqlnet
  inspect icmp
policy-map global-policy
 class inspection_default
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f3d0065a08c7fb5f647ff6033f3e5dac
: end
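Added example (my own code, not part of the question or of any Experts Exchange answer): a small Python lint pass over an ASA 7.x config in the style posted above. It flags the things a reviewer would look at first: ACL entries that sit after a `permit ip any any` in the same list and can never match (the DMZ1-Outbound SQL lines and the Inside-Outbound icmp line above), a transform-set token that is not a valid ASA keyword (`esp-sha-hMAC_OS` in the posted config looks like the sanitisation find/replace rewrote `hmac`), MD5 as the ISAKMP hash, telnet management access, and a policy-map that is defined but never applied (`global-policy` beside the applied `global_policy`). The excerpt it runs on is constructed from lines of the posted config; the `VALID_TRANSFORMS` set and the rules themselves are my assumptions, not Cisco tooling.

```python
"""Static lint pass over a Cisco ASA 7.x running-config (added example).

Plain line scanner, sufficient for the config style posted above. It is
not a Cisco tool and does not validate full command syntax.
"""

# Constructed excerpt mirroring the posted config (sanitised addresses kept).
SAMPLE_CONFIG = """\
access-list Inside-Outbound extended permit tcp object-group SMTP_Clients any eq smtp
access-list Inside-Outbound extended deny tcp any any eq smtp
access-list Inside-Outbound extended permit ip any any
access-list Inside-Outbound extended permit icmp any any
access-list DMZ1-Outbound extended permit tcp host WEB2_INT host MAILA_INT eq smtp
access-list DMZ1-Outbound extended permit ip any any
access-list DMZ1-Outbound extended permit tcp object-group WEB_Servers_INT host SQL1 eq 1433
crypto ipsec transform-set CLIENT-TS esp-aes esp-sha-hMAC_OS
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
telnet 172.16.3.0 255.255.255.0 Inside
policy-map global_policy
 class inspection_default
policy-map global-policy
 class inspection_default
service-policy global_policy global
"""

# Assumed list of ESP transform keywords accepted by ASA 7.x (my assumption).
VALID_TRANSFORMS = {"esp-aes", "esp-aes-192", "esp-aes-256", "esp-des", "esp-3des",
                    "esp-null", "esp-md5-hmac", "esp-sha-hmac", "esp-none"}


def lint_asa_config(text):
    """Return a sorted list of (line_number, message) findings."""
    findings = []
    blanket = {}            # ACL name -> line of its first "permit ip any any"
    policy_maps = []        # (line, name) of every policy-map defined
    applied = set()         # policy-map names referenced by service-policy
    in_isakmp = False       # inside an indented "crypto isakmp policy" block

    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok:
            continue
        indented = raw.startswith(" ")
        if not indented:
            # A new top-level command ends any isakmp policy block.
            in_isakmp = raw.startswith("crypto isakmp policy")
        if indented:
            if in_isakmp and tok[:2] == ["hash", "md5"]:
                findings.append((lineno, "isakmp policy uses MD5; prefer 'hash sha'"))
            continue

        cmd = tok[0]
        if cmd == "access-list" and len(tok) >= 4:
            acl = tok[1]
            if acl in blanket:
                # ASA evaluates ACLs top-down, first match wins.
                findings.append((lineno, f"ACL {acl}: entry is unreachable, shadowed by "
                                         f"'permit ip any any' on line {blanket[acl]}"))
            elif tok[2:] == ["extended", "permit", "ip", "any", "any"]:
                blanket[acl] = lineno
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            for t in tok[4:]:
                if t not in VALID_TRANSFORMS:
                    findings.append((lineno, f"transform-set token '{t}' is not a valid "
                                             "ASA transform (mangled by find/replace?)"))
        elif cmd == "telnet" and len(tok) == 4:
            # "telnet <net> <mask> <ifname>"; "telnet timeout N" has only 3 tokens.
            findings.append((lineno, f"telnet management access enabled on {tok[3]}; "
                                     "prefer ssh and remove the telnet line"))
        elif cmd == "policy-map":
            policy_maps.append((lineno, tok[1]))
        elif cmd == "service-policy":
            applied.add(tok[1])

    for lineno, name in policy_maps:
        if name not in applied:
            findings.append((lineno, f"policy-map {name} is defined but never applied "
                                     "by service-policy (typo for an applied one?)"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, msg in lint_asa_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {msg}")
```

Run it against the full posted config (read from a file instead of `SAMPLE_CONFIG`) and the same six classes of finding come back; the shadowing rule is the one that matters most operationally, because the DMZ1 `permit ip any any` already lets the web servers reach every Inside host, so the SQL-only lines below it give no restriction at all.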