Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 460
  • Last Modified:

Got ASA5505 installed and connected, now need to tune it

Thanks to EE and especially Jfrederick29 I have been able to make my ASA5505 connect to the remote network. Now I need to do two things, Test it for vulnerablilities and tune it. The more i work with this, the dumber I feel. There is just so much to learn about this.

The connection seems slow, a 6mb file took 3 minutes to transfer from my laptop to a share on the server and that seems like a long time.  The main intended purpose is to connect a remote user to her quickbooks file (80mb) and I can only imagine how badly this would work at that transfer speed. I may set up RDC for this purpose but perhaps there is some "tuning" I can do to improve the speed??

I also need to test it for security, are there programs I can run against it to see if I left any holes?
0
Salad-Dodger
Asked:
Salad-Dodger
1 Solution
 
Kamran ArshadIT AssociateCommented:
Hi,

You can use Nipper like application to check the configuration.

http://sourceforge.net/projects/nipper
0
 
rexxusCommented:
If there isn't much traffic going through the firewall i.e. no load then any tuning you do will only save milliseconds, you're not going to be able to shave minutes off of the transfer rate.  Transfer rate will be limited by bandwidth (to a point) before your hardware, obviously this statement is false with higher speed links.

For testing the security, first thing to do would be to run a port scan against the device, nmap is a fairly standard tool to use for this (http://nmap.org/) and is available for multiple OS's

Depending on what you've left open will determine how to proceed, a reasonable framework on what to check and using what tools is available at http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html 

You should be able to get a reasonable level of confidence but you'll need to put the effort into understanding what you're testing and what else you can do to break things.  If you're serious look at getting a pen test done by a professional.  
0
 
JFrederick29Commented:
As far as the ASA is concerned.  You have it locked down pretty well.  You are only allowing ASDM (HTTP) and telnet access from the inside network (not the outside).  The ASA supports SSH so you may want to disable telnet and just use SSH.

Make these ICMP changes though since we opened ICMP to the outside for testing:

conf t
no icmp permit any outside
icmp permit any echo-reply outside
icmp permit any inside

Make sure USER2 isn't an account that you have given a user since it has admin access (privilege 15).  Remove any accounts you aren't using.

Lastly, you can add "management-access inside" to the ASA.  This will give you the ability to telnet into the ASA to administer it over the VPN tunnel meaning you can connect via VPN and then telnet to the inside interface through the tunnel.  I like this option but if you want it really secure, you can leave it off.
0
Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

 
JFrederick29Commented:
By the way, the RDC route for the 80MB file is definitely the way to go.  You only have 1.5Mbps to the Internet and the remote Internet connection of the user will also determine the speed of transfer.  Having the user RDP into a system over the VPN tunnel and then work with the 80MB file from that system will provide the best experience.
0
 
JFrederick29Commented:
Sorry to keep piling on but also make sure the inside and outside interfaces of the ASA have no interface errors (show int) and also make sure the Ethernet0/0 interface on the router also has no errors (show in e0/0).
0
 
Salad-DodgerAuthor Commented:
Thank you uetian1707, rexxus and JFrederick29:,
I will proceed with ALL of that that this weekend.
This stuff is fascinating, but without doing it all the time its darn hard to grasp how it all fits together, Heck, even how it even works at all!
0
 
Salad-DodgerAuthor Commented:
And JFred... pile on all you want !!
0
 
Salad-DodgerAuthor Commented:
whew.... It works!
Her local printer doesnt show up through the RDP connection but that may well be her non vista compatible printer showing its age.

included are the show int's,  and the show run

-What does this mean?  "Available but not configured via nameif"
--Is the "MyVPN" unnecessary since the connection is named 'MyVPNTunnel"
I cant change the Telnet password and I dont know what it is. I have used the serial port and teh ASDM for configuration but never telnet. How can I reset that password?
-username admin password xxxxxxxx encrypted privilege 15... what is this "admin"


Result of the command: "show run"
 
: Saved
:
ASA Version 8.0(4) 
!
hostname Frodo
domain-name My.Domain
enable password xxxxxxxx encrypted
passwd xxxxxxxxx encrypted
names
!
interface Vlan1
 description My Lan
 nameif inside
 security-level 100
 ip address 192.168.123.2 255.255.255.0 
!
interface Vlan2
 description VPN to Internet
 nameif outside
 security-level 0
 ip address 216.x.x.19 255.255.255.248 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
boot system disk0:/asa802-k8
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name My.Domain
access-list inside_nat0_outbound extended permit ip any 192.168.123.0 255.255.255.192 
pager lines 24
logging enable
logging asdm warnings
logging from-address ASA@My.Domain
logging recipient-address My.Email.Address level critical
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool MyVPN_IPs 192.168.123.30-192.168.123.35 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 216.x.x.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server MyAuthGroup protocol ldap
aaa-server MyAuthGroup (inside) host 192.168.123.225
 timeout 5
 server-type auto-detect
aaa authentication telnet console LOCAL 
http server enable
http 192.168.123.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.123.0 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.123.30-192.168.123.40 inside
dhcpd dns 192.168.123.225 interface inside
dhcpd wins 192.168.123.225 interface inside
dhcpd lease 1440 interface inside
dhcpd ping_timeout 10 interface inside
dhcpd domain My.Domain interface inside
!
 
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy MyVPNTunnel. internal
group-policy MyVPNTunnel. attributes
 wins-server value 192.168.123.225
 dns-server value 192.168.123.225
 vpn-tunnel-protocol IPSec 
 default-domain value My.Domain
group-policy MyVPN internal
group-policy MyVPN attributes
 wins-server value 192.168.123.225
 dns-server value 192.168.123.225
 vpn-tunnel-protocol IPSec 
 default-domain value My.Domain
username Salad-Dodger password xxxxxx encrypted privilege 15
username RemoteUser1 password xxxxxxxx encrypted
username RemoteUser1 attributes
 service-type remote-access
username admin password xxxxxxxx encrypted privilege 15
username RemoteUser2 password xxxxxxxx encrypted
username RemoteUser2 attributes
 service-type remote-access
tunnel-group MyVPNTunnel. type remote-access
tunnel-group MyVPNTunnel. general-attributes
 address-pool MyVPN_IPs
 default-group-policy MyVPNTunnel.
tunnel-group MyVPNTunnel. ipsec-attributes
 pre-shared-key *
tunnel-group MyVPN type remote-access
tunnel-group MyVPN general-attributes
 address-pool MyVPN_IPs
 authentication-server-group MyAuthGroup
 default-group-policy MyVPN
tunnel-group MyVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:xxxxxx
: end
==================================
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
	Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
	Available but not configured via nameif
	MAC address xxxx.xxxx.xxxx, MTU not set
	IP address unassigned
	204719 packets input, 60462195 bytes, 0 no buffer
	Received 2330 broadcasts, 7281 runts, 0 giants
	7281 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
	0 L2 decode drops
	8589936970 switch ingress policy drops
	60716 packets output, 30795491 bytes, 0 underruns
	7283 output errors, 2461 collisions, 0 interface resets
	0 babbles, 0 late collisions, 117 deferred
	0 lost carrier, 0 no carrier
	0 rate limit drops
	0 switch egress policy drops
 
 
 
Interface Vlan1 "inside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
	Description: My Lan
	MAC address xxxx.xxxx.xxxx, MTU 1500
	IP address 192.168.123.2, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
	166397 packets input, 35741749 bytes
	110899 packets output, 73646219 bytes
	64701 packets dropped
      1 minute input rate 15 pkts/sec,  1273 bytes/sec
      1 minute output rate 21 pkts/sec,  3114 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1 pkts/sec,  211 bytes/sec
      5 minute output rate 1 pkts/sec,  114 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan2 "outside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
	Description: VPN to Internet
	MAC address xxxx.xxxx.xxxx, MTU 1500
	IP address 216.x.x.19, subnet mask 255.255.255.248
  Traffic Statistics for "outside":
	71081 packets input, 47981760 bytes
	60554 packets output, 29681611 bytes
	6091 packets dropped
      1 minute input rate 8 pkts/sec,  1096 bytes/sec
      1 minute output rate 8 pkts/sec,  1296 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 2 pkts/sec,  249 bytes/sec
      5 minute output rate 1 pkts/sec,  285 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan3 "dmz", is down, line protocol is down
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
	MAC address xxxx.xxxx.xxxx, MTU 1500
	IP address unassigned
  Traffic Statistics for "dmz":
	0 packets input, 0 bytes
	0 packets output, 0 bytes
	0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Virtual254 "", is up, line protocol is up
  Hardware is Virtual	Available but not configured via nameif
	MAC address 0000.0000.0000, MTU not set
	IP address unassigned
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
	Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
	Available but not configured via nameif
	MAC address xxxx.xxxx.xxxx, MTU not set
	IP address unassigned
	204521 packets input, 60437219 bytes, 0 no buffer
	Received 2330 broadcasts, 7281 runts, 0 giants
	7281 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
	0 L2 decode drops
	8589936959 switch ingress policy drops
	60544 packets output, 30770995 bytes, 0 underruns
	7283 output errors, 2461 collisions, 0 interface resets
	0 babbles, 0 late collisions, 117 deferred
	0 lost carrier, 0 no carrier
	0 rate limit drops
	0 switch egress policy drops
Interface Ethernet0/1 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
	Auto-Duplex, Auto-Speed
	Available but not configured via nameif
	MAC address xxxx.xxxx.xxxx, MTU not set
	IP address unassigned
	0 packets input, 0 bytes, 0 no buffer
	Received 0 broadcasts, 0 runts, 0 giants
	0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
	0 L2 decode drops
	0 switch ingress policy drops
	0 packets output, 0 bytes, 0 underruns
	0 output errors, 0 collisions, 0 interface resets
	0 babbles, 0 late collisions, 0 deferred
	0 lost carrier, 0 no carrier
	0 rate limit drops
	0 switch egress policy drops
Interface Ethernet0/2 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
	Auto-Duplex, Auto-Speed
	Available but not configured via nameif
	MAC address xxxx.xxxx.xxxx, MTU not set
	IP address unassigned
	277 packets input, 32305 bytes, 0 no buffer
	Received 42 broadcasts, 0 runts, 0 giants
	0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
	0 L2 decode drops
	0 switch ingress policy drops
	781 packets output, 107675 bytes, 0 underruns
	0 output errors, 0 collisions, 0 interface resets
	0 babbles, 0 late collisions, 0 deferred
	0 lost carrier, 0 no carrier
	0 rate limit drops
	0 switch egress policy drops
Interface Ethernet0/3 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
	Auto-Duplex, Auto-Speed
	Available but not configured via nameif
	MAC address xxxx.xxxx.xxxx, MTU not set
	IP address unassigned
	0 packets input, 0 bytes, 0 no buffer
	Received 0 broadcasts, 0 runts, 0 giants
	0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
	0 L2 decode drops
	0 switch ingress policy drops
	0 packets output, 0 bytes, 0 underruns
	0 output errors, 0 collisions, 0 interface resets
	0 babbles, 0 late collisions, 0 deferred
	0 lost carrier, 0 no carrier
	0 rate limit drops
	0 switch egress policy drops
Interface Ethernet0/4 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
	Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
	Available but not configured via nameif
	MAC address xxxx.xxxx.4f0c, MTU not set
	IP address unassigned
	216086 packets input, 44670939 bytes, 0 no buffer
	Received 81471 broadcasts, 0 runts, 0 giants
	0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
	0 L2 decode drops
	0 switch ingress policy drops
	111067 packets output, 75799729 bytes, 0 underruns
	0 output errors, 0 collisions, 0 interface resets
	0 babbles, 0 late collisions, 0 deferred
	0 lost carrier, 0 no carrier
	0 rate limit drops
	0 switch egress policy drops
Interface Ethernet0/5 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
	Auto-Duplex, Auto-Speed
	Available but not configured via nameif
	MAC address xxxx.xxxx.4f0d, MTU not set
	IP address unassigned
	0 packets input, 0 bytes, 0 no buffer
	Received 0 broadcasts, 0 runts, 0 giants
	0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
	0 L2 decode drops
	0 switch ingress policy drops
	0 packets output, 0 bytes, 0 underruns
	0 output errors, 0 collisions, 0 interface resets
	0 babbles, 0 late collisions, 0 deferred
	0 lost carrier, 0 no carrier
	0 rate limit drops
	0 switch egress policy drops
Interface Ethernet0/6 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
	Auto-Duplex, Auto-Speed
	Available but not configured via nameif
	MAC address xxxx.xxxx.4f0e, MTU not set
	IP address unassigned
	0 packets input, 0 bytes, 0 no buffer
	Received 0 broadcasts, 0 runts, 0 giants
	0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
	0 L2 decode drops
	0 switch ingress policy drops
	0 packets output, 0 bytes, 0 underruns
	0 output errors, 0 collisions, 0 interface resets
	0 babbles, 0 late collisions, 0 deferred
	0 lost carrier, 0 no carrier
	0 rate limit drops
	0 switch egress policy drops
Interface Ethernet0/7 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
	Auto-Duplex, Auto-Speed
	Available but not configured via nameif
	MAC address xxxx.xxxx.xxxx, MTU not set
	IP address unassigned
	0 packets input, 0 bytes, 0 no buffer
	Received 0 broadcasts, 0 runts, 0 giants
	0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
	0 L2 decode drops
	0 switch ingress policy drops
	0 packets output, 0 bytes, 0 underruns
	0 output errors, 0 collisions, 0 interface resets
	0 babbles, 0 late collisions, 0 deferred
	0 lost carrier, 0 no carrier
	0 rate limit drops
	0 switch egress policy drops

Open in new window

0
 
JFrederick29Commented:
>-What does this mean?  "Available but not configured via nameif"
Ignore.  This is normal output.

>--Is the "MyVPN" unnecessary since the connection is named 'MyVPNTunnel"
Yes, if you are only using the MyVPNTunnel group, remove the MyVPN group.

>I cant change the Telnet password and I dont know what it is. I have used the serial port and teh ASDM for configuration but never telnet. How can I reset that password?

Telnet is setup for LOCAL auth meaning username/password.  Add a username and password to login to the ASA via telnet (make sure you use the privilege 15 keyword) or use an existing local account:

These two can be used for telnet administration.

username Salad-Dodger password xxxxxx encrypted privilege 15
username admin password xxxxxxxx encrypted privilege 15

If you don't know the password or want to create a new account, simply remove the others and add a new one:

conf t
no username <username>
username <username> password <password> privilege 15

This will be the account you will use to login via telnet.

The interfaces look fine.  The outside is running at 10/Half which is normal since the router e0/0 interface is 10Mbps capable only.


0
 
Salad-DodgerAuthor Commented:
What else can I say ... Thanks again.
0
 
Salad-DodgerAuthor Commented:
I dont know what made me think of this but why should the router be half duplex? I can see the speed of 10, but half duplex?
0
 
JFrederick29Commented:
You can see if the router supports 10/Full.  It may not so you are probably stuck with half-duplex.  Not a big deal really.
0
 
Salad-DodgerAuthor Commented:
conf t
int e0
duplex full

is this how thats done?
0
 
JFrederick29Commented:
Yes, also change it on the ASA:

conf t
int e0/0
speed 10
duplex full
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now