onyxtalen
Review config of Cisco Firewall

I am getting ready to deploy a new firewall. I need to have it looked at before I deploy. This is how I want it to work.
1. All internal hosts can reach internet
2. All internal hosts can reach DMZ
3. Host in DMZ can reach internet and single IP on internal network.
4. VPN access for users

Here is the config. Thanks.

:
ASA Version 8.0(3)
!
hostname blizzard
domain-name blizzard.com
enable password xxxxxxxxxxx encrypted
names
name 192.168.255.93 UIServer description UIServerAccess
name 192.168.1.122 UIServerInternal description UIServerJBOSS
dns-guard
!
interface GigabitEthernet0/0
 nameif Internal_Production
 security-level 100
 ip address 192.168.1.233 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.255.254 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet0/2
 shutdown
 nameif External_Internet
 security-level 0
 ddns update hostname 4.2.2.1
 dhcp client update dns
 ip address 64.x.x.x 255.255.255.248
 ospf cost 10
!
interface GigabitEthernet0/3
 nameif External
 security-level 75
 ip address 10.0.1.251 255.255.255.0
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.10.6 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
boot system disk0:/asa723-k8.bin
boot system disk0:/asa707-k8.bin
ftp mode passive
dns domain-lookup Internal_Production
dns domain-lookup External_Internet
dns server-group DefaultDNS
 name-server 4.2.2.1
 name-server 4.2.2.2
 name-server 64.13.135.16
 name-server 64.13.143.18
 domain-name tempo.com
dns server-group Primary
 name-server 4.2.2.1
 name-server 4.2.2.2
 name-server 64.x.x.16
 name-server 64.x.x.18
dns-group Primary
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object 0.0.0.0 0.0.0.0
 network-object host UIServerInternal
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object tcp
access-list tempoaccess_splitTunnelAcl standard permit host 0.0.0.0
access-list Internal_Production_access_in extended permit object-group DM_INLINE_PROTOCOL_3 host UIServer object-group DM_INLINE_NETWORK_1
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any host UIServer log disable
access-list onyx_splitTunnelAcl standard permit any
access-list Internal_Production_nat_static extended permit ip host 0.0.0.0 64.x.x.218 255.255.255.248
pager lines 24
logging enable
logging asdm informational
mtu Internal_Production 1500
mtu DMZ 1500
mtu External_Internet 1500
mtu External 1500
mtu management 1500
ip local pool vpnpool 192.168.1.171-192.168.1.185 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (Internal_Production) 101 interface
static (DMZ,External_Internet) 64.x.x.219 UIServer netmask 255.255.255.255
static (Internal_Production,External_Internet) interface  access-list Internal_Production_nat_static
access-group Internal_Production_access_in in interface Internal_Production
access-group DMZ_access_in in interface DMZ
route External_Internet 0.0.0.0 0.0.0.0 64.x.x.217 1
route Internal_Production 162.31.32.0 255.255.255.0 192.168.1.230 1
route Internal_Production 192.152.100.0 255.255.255.0 192.168.1.230 1
route Internal_Production 192.152.102.0 255.255.255.0 192.168.1.230 1
route Internal_Production 192.168.2.0 255.255.255.0 192.168.1.254 1
route Internal_Production 192.168.10.0 255.255.255.0 192.168.1.253 1
route Internal_Production 199.0.8.0 255.255.255.0 192.168.1.230 1
route Internal_Production 204.194.120.0 255.255.255.0 192.168.1.230 1
route Internal_Production 204.194.125.0 255.255.255.0 192.168.1.230 1
route Internal_Production 204.194.129.0 255.255.255.0 192.168.1.230 1
route Internal_Production 223.3.3.0 255.255.255.0 192.168.1.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 Internal_Production
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map External_Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map External_Internet_map interface External_Internet
crypto map Internal_Production_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Internal_Production_map interface Internal_Production
crypto isakmp enable Internal_Production
crypto isakmp enable External_Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.124 255.255.255.255 Internal_Production
telnet timeout 5
ssh 192.168.1.124 255.255.255.255 Internal_Production
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.72 192.168.1.74 interface Internal_Production
dhcpd lease 64000 interface Internal_Production
dhcpd domain tempo.com interface Internal_Production
!
threat-detection basic-threat
threat-detection statistics access-list
webvpn
 enable External_Internet
 svc enable
group-policy tempoaccess internal
group-policy tempoaccess attributes
 dns-server value 192.168.1.72 192.168.1.74
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tempoaccess_splitTunnelAcl
 default-domain value blizzard.com
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.1.72
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 password-storage enable
 ip-comp enable
 re-xauth enable
 group-lock value tempoaccess
 pfs enable
 split-tunnel-network-list value tempoaccess_splitTunnelAcl
 address-pools value vpnpool
 webvpn
  svc ask enable
username xxxx password xxxxxxxx encrypted privilege 0
username xxxx attributes
 vpn-group-policy tempoaccess
username xxxx password xxxxxxxx encrypted privilege 15
tunnel-group tempoaccess type remote-access
tunnel-group tempoaccess general-attributes
 address-pool vpnpool
 default-group-policy tempoaccess
tunnel-group tempoaccess ipsec-attributes
 pre-shared-key *
tunnel-group temposc type remote-access
tunnel-group temposc general-attributes
 address-pool vpnpool
tunnel-group temposc webvpn-attributes
 group-alias asaaccess enable
 group-url https://64.x.x.221/asaaccess enable
!
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
prompt hostname context
Cryptochecksum:4b0937388532223e73905be8d7b356c3
: end
asdm image disk0:/asdm-603.bin
asdm location UIServerInternal 255.255.255.255 Internal_Production
asdm location UIServer 255.255.255.255 Internal_Production
no asdm history enable
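As an added example (not part of the question or the answer), a small Python checker that reads the relevant lines of the posted config and asks whether the inbound ACL on the entry interface, or the security levels where no ACL is applied, would let a given flow through; the `permitted` function and the sample hosts 192.168.1.50, 192.168.255.10, 198.51.100.7 and 203.0.113.5 are assumptions, and protocol, ports, NAT and routing are not modelled.

```python
import ipaddress
CONFIG = """\
name 192.168.255.93 UIServer description UIServerAccess
name 192.168.1.122 UIServerInternal description UIServerJBOSS
 nameif Internal_Production
 security-level 100
 nameif DMZ
 security-level 50
 nameif External_Internet
 security-level 0
object-group network DM_INLINE_NETWORK_1
 network-object 0.0.0.0 0.0.0.0
 network-object host UIServerInternal
access-list Internal_Production_access_in extended permit object-group DM_INLINE_PROTOCOL_3 host UIServer object-group DM_INLINE_NETWORK_1
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any host UIServer log disable
access-group Internal_Production_access_in in interface Internal_Production
access-group DMZ_access_in in interface DMZ
"""

def parse(cfg):
    """Names, network object-groups, extended ACL entries, inbound access-groups, security levels."""
    names, groups, acls, applied, lvl, grp, iface = {}, {}, {}, {}, {}, None, None
    for t in filter(None, map(str.split, cfg.splitlines())):
        if t[0] == "name": names[t[2]] = t[1]                      # name <ip> <alias> ...
        elif t[0] == "nameif": iface = t[1]
        elif t[0] == "security-level": lvl[iface] = int(t[1])
        elif t[0] == "object-group": grp = groups.setdefault(t[2], [])
        elif t[0] == "network-object": grp.append(t[1:])
        elif t[0] == "access-list" and t[2] == "extended": acls.setdefault(t[1], []).append(t[3:])
        elif t[0] == "access-group" and t[2] == "in": applied[t[4]] = t[1]   # ACL bound inbound
    return names, groups, acls, applied, lvl

def nets(tok, i, names, groups):
    """One address spec at tok[i] (any | host X | object-group G | net mask) -> (networks, next i)."""
    w, a = tok[i], tok[i + 1] if i + 1 < len(tok) else None
    if w == "any": return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if w == "host": return [ipaddress.ip_network(names.get(a, a))], i + 2
    if w == "object-group": return [n for m in groups[a] for n in nets(m, 0, names, groups)[0]], i + 2
    return [ipaddress.ip_network(f"{w}/{a}", strict=False)], i + 2

def permitted(cfg, src_if, src, dst_if, dst):
    """Would the ASA let src (entering src_if) reach dst on dst_if? Only ACL/security-level logic."""
    names, groups, acls, applied, lvl = parse(cfg)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_if not in applied:                    # no inbound ACL: only higher -> lower security passes
        return lvl[src_if] > lvl[dst_if]
    for e in acls[applied[src_if]]:              # e = [action, <proto spec>, <src spec>, <dst spec>, ...]
        s, i = nets(e, 3 if e[1] == "object-group" else 2, names, groups)
        if any(src in n for n in s) and any(dst in n for n in nets(e, i, names, groups)[0]):
            return e[0] == "permit"              # first matching entry decides
    return False                                 # an applied ACL ends with an implicit deny
```

Run against the config as posted, each of the flows in requirements 1 to 3 comes back False: Internal_Production_access_in permits only source UIServer (a DMZ address that never enters the inside interface), DMZ_access_in permits only traffic to UIServer itself, and once an ACL is bound to an interface its implicit deny replaces the security-level default. The checker also does not see that GigabitEthernet0/2 (External_Internet) is shutdown in the posted config.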
ASKER CERTIFIED SOLUTION
Cyclops3590
onyxtalen (ASKER)
Thank you for taking the time and providing feedback.