Question from onyxtalen

Review config of Cisco Firewall

I am getting ready to deploy a new firewall. I need to have it looked at before I deploy. This is how I want it to work.
1. All internal hosts can reach internet
2. All internal hosts can reach DMZ
3. Host in DMZ can reach internet and single IP on internal network.
4. VPN access for users

Here is the config. Thanks

ASA Version 8.0(3)
hostname blizzard
enable password xxxxxxxxxxx encrypted
name UIServer description UIServerAccess
name UIServerInternal description UIServerJBOSS
interface GigabitEthernet0/0
 nameif Internal_Production
 security-level 100
 ip address
 ospf cost 10
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address
 ospf cost 10
interface GigabitEthernet0/2
 nameif External_Internet
 security-level 0
 ddns update hostname
 dhcp client update dns
 ip address 64.x.x.x
 ospf cost 10
interface GigabitEthernet0/3
 nameif External
 security-level 75
 ip address
 ospf cost 10
interface Management0/0
 nameif management
 security-level 100
 ip address
 ospf cost 10
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
boot system disk0:/asa723-k8.bin
boot system disk0:/asa707-k8.bin
ftp mode passive
dns domain-lookup Internal_Production
dns domain-lookup External_Internet
dns server-group DefaultDNS
dns server-group Primary
 name-server 64.x.x.16
 name-server 64.x.x.18
dns-group Primary
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object host UIServerInternal
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object tcp
access-list tempoaccess_splitTunnelAcl standard permit host
access-list Internal_Production_access_in extended permit object-group DM_INLINE_PROTOCOL_3 host UIServer object-group DM_INLINE_NETWORK_1
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any host UIServer log disable
access-list onyx_splitTunnelAcl standard permit any
access-list Internal_Production_nat_static extended permit ip host 64.x.x.218
pager lines 24
logging enable
logging asdm informational
mtu Internal_Production 1500
mtu DMZ 1500
mtu External_Internet 1500
mtu External 1500
mtu management 1500
ip local pool vpnpool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (Internal_Production) 101 interface
static (DMZ,External_Internet) 64.x.x.219 UIServer netmask
static (Internal_Production,External_Internet) interface  access-list Internal_Production_nat_static
access-group Internal_Production_access_in in interface Internal_Production
access-group DMZ_access_in in interface DMZ
route External_Internet 64.x.x.217 1
route Internal_Production 1
route Internal_Production 1
route Internal_Production 1
route Internal_Production 1
route Internal_Production 1
route Internal_Production 1
route Internal_Production 1
route Internal_Production 1
route Internal_Production 1
route Internal_Production 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Internal_Production
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map External_Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map External_Internet_map interface External_Internet
crypto map Internal_Production_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Internal_Production_map interface Internal_Production
crypto isakmp enable Internal_Production
crypto isakmp enable External_Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet Internal_Production
telnet timeout 5
ssh Internal_Production
ssh timeout 5
console timeout 0
dhcpd dns interface Internal_Production
dhcpd lease 64000 interface Internal_Production
dhcpd domain interface Internal_Production
threat-detection basic-threat
threat-detection statistics access-list
webvpn
 enable External_Internet
 svc enable
group-policy tempoaccess internal
group-policy tempoaccess attributes
 dns-server value
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tempoaccess_splitTunnelAcl
 default-domain value
group-policy DfltGrpPolicy attributes
 dns-server value
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 password-storage enable
 ip-comp enable
 re-xauth enable
 group-lock value tempoaccess
 pfs enable
 split-tunnel-network-list value tempoaccess_splitTunnelAcl
 address-pools value vpnpool
 webvpn
  svc ask enable
username xxxx password xxxxxxxx encrypted privilege 0
username xxxx attributes
 vpn-group-policy tempoaccess
username xxxx password xxxxxxxx encrypted privilege 15
tunnel-group tempoaccess type remote-access
tunnel-group tempoaccess general-attributes
 address-pool vpnpool
 default-group-policy tempoaccess
tunnel-group tempoaccess ipsec-attributes
 pre-shared-key *
tunnel-group temposc type remote-access
tunnel-group temposc general-attributes
 address-pool vpnpool
tunnel-group temposc webvpn-attributes
 group-alias asaaccess enable
 group-url https://64.x.x.221/asaaccess enable
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
prompt hostname context
: end
asdm image disk0:/asdm-603.bin
asdm location UIServerInternal Internal_Production
asdm location UIServer Internal_Production
no asdm history enable
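As an added example (not part of the post or of the answer), a short Python lint that a reviewer can run over a running-config like the one above before deployment. The excerpt it checks is constructed from the posted lines, IPs sanitised as posted; it flags ACLs that are defined but never applied, ACLs referenced but not defined, transform-sets using DES/3DES/MD5 that a crypto map actually offers to peers, and telnet management being enabled.

```python
# Added example, not from the post: lint an ASA 8.x config excerpt for unapplied or
# undefined ACLs, legacy IPsec transforms actually offered by a crypto map, and telnet.
SAMPLE_CONFIG = """\
access-list tempoaccess_splitTunnelAcl standard permit host
access-list Internal_Production_access_in extended permit object-group DM_INLINE_PROTOCOL_3 host UIServer object-group DM_INLINE_NETWORK_1
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any host UIServer log disable
access-list onyx_splitTunnelAcl standard permit any
access-list Internal_Production_nat_static extended permit ip host 64.x.x.218
static (Internal_Production,External_Internet) interface  access-list Internal_Production_nat_static
access-group Internal_Production_access_in in interface Internal_Production
access-group DMZ_access_in in interface DMZ
 split-tunnel-network-list value tempoaccess_splitTunnelAcl
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-MD5
telnet Internal_Production
"""
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}  # no longer acceptable for new deployments

def lint_asa(config: str) -> dict:
    defined, referenced, offered, legacy_sets = set(), set(), set(), {}
    telnet_enabled = False
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            defined.add(tok[1])
        elif tok[0] == "access-group":                        # ACL applied to an interface
            referenced.add(tok[1])
        elif tok[:2] == ["split-tunnel-network-list", "value"]:
            referenced.add(tok[2])
        elif "access-list" in tok and tok.index("access-list") + 1 < len(tok):
            referenced.add(tok[tok.index("access-list") + 1])  # e.g. policy NAT static
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            legacy = sorted(set(tok[4:]) & LEGACY_TRANSFORMS)
            if legacy:
                legacy_sets[tok[3]] = legacy
        elif tok[0] == "crypto" and "transform-set" in tok:  # crypto/dynamic map offering sets
            offered.update(tok[tok.index("transform-set") + 1:])
        elif tok[0] == "telnet" and tok[1] != "timeout":
            telnet_enabled = True
    return {"unused_acls": sorted(defined - referenced),
            "undefined_acls": sorted(referenced - defined),
            "legacy_sets_offered": sorted(n for n in legacy_sets if n in offered),
            "legacy_algorithms": legacy_sets,
            "telnet_enabled": telnet_enabled}

if __name__ == "__main__":
    print(lint_asa(SAMPLE_CONFIG))
```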
Answer by Cyclops3590 (not available on this page).

onyxtalen replied:

Thank you for taking the time and providing feedback.