Mac
asked on
Got ASA5505 installed and connected, now need to tune it
Thanks to EE and especially Jfrederick29 I have been able to make my ASA5505 connect to the remote network. Now I need to do two things: test it for vulnerabilities and tune it. The more I work with this, the dumber I feel. There is just so much to learn about this.
The connection seems slow: a 6 MB file took 3 minutes to transfer from my laptop to a share on the server, and that seems like a long time. The main intended purpose is to connect a remote user to her QuickBooks file (80 MB), and I can only imagine how badly this would work at that transfer speed. I may set up RDC for this purpose, but perhaps there is some "tuning" I can do to improve the speed?
I also need to test it for security. Are there programs I can run against it to see if I left any holes?
If there isn't much traffic going through the firewall, i.e. no load, then any tuning you do will only save milliseconds; you're not going to be able to shave minutes off the transfer rate. Transfer rate will be limited by bandwidth (to a point) before your hardware; obviously this statement is false with higher-speed links.
For testing the security, the first thing to do would be to run a port scan against the device. nmap is a fairly standard tool to use for this (http://nmap.org/) and is available for multiple OSes.
What you've left open will determine how to proceed; a reasonable framework on what to check and which tools to use is available at http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
You should be able to get a reasonable level of confidence, but you'll need to put the effort into understanding what you're testing and what else you can do to break things. If you're serious, look at getting a pen test done by a professional.
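To make the port-scan advice concrete, here is an added example (not part of the thread, and not nmap's own code) that shows the scans a practitioner would run from the Internet side against the ASA's outside address and then triages nmap's grepable (-oG) output. The scan commands are listed but not executed, and the -oG text below is a constructed sample, not a real scan of the asker's device. The triage policy is this example's own: a remote-access IPsec ASA is expected to answer only IKE (500/udp) and NAT-T (4500/udp) on the outside, so any TCP management service (telnet, SSH, ASDM/HTTPS) or SNMP reachable from outside is reported as a hole.

```python
"""Triage an nmap scan of an ASA's outside interface (added example)."""
import re

# Commands a practitioner would run from OUTSIDE the network (not executed here).
# -Pn skips host discovery because the ASA will not answer echo-requests on the
# outside once only echo-reply is permitted; -sS is a TCP SYN scan, -sU is UDP.
SCAN_COMMANDS = [
    "nmap -Pn -sS -p- --reason -oG outside-tcp.gnmap 216.x.x.19",
    "nmap -Pn -sU -p 500,4500,161,123,1701 --reason -oG outside-udp.gnmap 216.x.x.19",
]

# Services a remote-access IPsec ASA legitimately exposes on its outside interface.
EXPECTED_OUTSIDE = {("udp", 500), ("udp", 4500)}

# What a hit on a known management port means for this kind of config.
RISK = {
    ("tcp", 23): "telnet reachable from outside (use SSH instead, and only from the inside)",
    ("tcp", 22): "SSH reachable from outside; restrict with 'ssh <net> <mask> inside'",
    ("tcp", 443): "ASDM/HTTPS reachable from outside; keep the 'http' statement on the inside",
    ("udp", 161): "SNMP reachable from outside",
}

# Constructed sample of nmap -oG output; NOT real data from the asker's firewall.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Sat Mar  1 10:00:00 2025 as: nmap -Pn -sS -p- -oG outside-tcp.gnmap 216.x.x.19
Host: 216.x.x.19 ()\tStatus: Up
Host: 216.x.x.19 ()\tPorts: 23/open/tcp//telnet///, 443/open/tcp//https///, 80/filtered/tcp//http///\tIgnored State: filtered (65532)
Host: 216.x.x.19 ()\tPorts: 500/open/udp//isakmp///, 4500/open|filtered/udp//nat-t-ike///, 161/closed/udp//snmp///
# Nmap done at Sat Mar  1 10:05:00 2025 -- 1 IP address (1 host up) scanned
"""

# -oG port entries look like  port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp)//([^/]*)")


def parse_gnmap(text):
    """Return [(proto, port, state, service), ...] from grepable nmap output."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            found.append((proto, int(port), state, service))
    return found


def triage(results):
    """Return [(proto, port, reason)] for every open port that should not be exposed."""
    findings = []
    for proto, port, state, service in results:
        if not state.startswith("open"):
            continue                      # closed / filtered ports are not exposures
        if (proto, port) in EXPECTED_OUTSIDE:
            continue                      # IKE and NAT-T are required for the VPN
        reason = RISK.get((proto, port), f"unexpected {service or proto} service exposed")
        findings.append((proto, port, reason))
    return findings


if __name__ == "__main__":
    for proto, port, reason in triage(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{port}/{proto}: {reason}")
```

Run it against your own `-oG` files by replacing SAMPLE_GNMAP with the file contents; anything it prints is a service the Internet can reach on the firewall and should be justified or closed. Scan from a host outside the firewall, not from the inside LAN, since the `telnet` and `http` statements in the posted config only apply to the inside interface.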
As far as the ASA is concerned, you have it locked down pretty well. You are only allowing ASDM (HTTP) and telnet access from the inside network (not the outside). The ASA supports SSH, so you may want to disable telnet and just use SSH.
Make these ICMP changes though since we opened ICMP to the outside for testing:
conf t
no icmp permit any outside
icmp permit any echo-reply outside
icmp permit any inside
Make sure USER2 isn't an account that you have given a user since it has admin access (privilege 15). Remove any accounts you aren't using.
Lastly, you can add "management-access inside" to the ASA. This will give you the ability to telnet into the ASA to administer it over the VPN tunnel meaning you can connect via VPN and then telnet to the inside interface through the tunnel. I like this option but if you want it really secure, you can leave it off.
By the way, the RDC route for the 80MB file is definitely the way to go. You only have 1.5Mbps to the Internet and the remote Internet connection of the user will also determine the speed of transfer. Having the user RDP into a system over the VPN tunnel and then work with the 80MB file from that system will provide the best experience.
Sorry to keep piling on, but also make sure the inside and outside interfaces of the ASA have no interface errors (show int) and also make sure the Ethernet0/0 interface on the router has no errors (show int e0/0).
ASKER
Thank you uetian1707, rexxus and JFrederick29:,
I will proceed with ALL of that that this weekend.
This stuff is fascinating, but without doing it all the time it's darn hard to grasp how it all fits together; heck, even how it works at all!
ASKER
And JFred... pile on all you want !!
ASKER
whew.... It works!
Her local printer doesn't show up through the RDP connection, but that may well be her non-Vista-compatible printer showing its age.
Included are the show int's and the show run.
- What does this mean: "Available but not configured via nameif"?
- Is the "MyVPN" unnecessary since the connection is named "MyVPNTunnel"?
- I can't change the Telnet password and I don't know what it is. I have used the serial port and the ASDM for configuration but never telnet. How can I reset that password?
- username admin password xxxxxxxx encrypted privilege 15... what is this "admin"?
Result of the command: "show run"
: Saved
:
ASA Version 8.0(4)
!
hostname Frodo
domain-name My.Domain
enable password xxxxxxxx encrypted
passwd xxxxxxxxx encrypted
names
!
interface Vlan1
description My Lan
nameif inside
security-level 100
ip address 192.168.123.2 255.255.255.0
!
interface Vlan2
description VPN to Internet
nameif outside
security-level 0
ip address 216.x.x.19 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
boot system disk0:/asa802-k8
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name My.Domain
access-list inside_nat0_outbound extended permit ip any 192.168.123.0 255.255.255.192
pager lines 24
logging enable
logging asdm warnings
logging from-address ASA@My.Domain
logging recipient-address My.Email.Address level critical
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool MyVPN_IPs 192.168.123.30-192.168.123.35 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 216.x.x.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server MyAuthGroup protocol ldap
aaa-server MyAuthGroup (inside) host 192.168.123.225
timeout 5
server-type auto-detect
aaa authentication telnet console LOCAL
http server enable
http 192.168.123.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.123.0 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.123.30-192.168.123.40 inside
dhcpd dns 192.168.123.225 interface inside
dhcpd wins 192.168.123.225 interface inside
dhcpd lease 1440 interface inside
dhcpd ping_timeout 10 interface inside
dhcpd domain My.Domain interface inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy MyVPNTunnel. internal
group-policy MyVPNTunnel. attributes
wins-server value 192.168.123.225
dns-server value 192.168.123.225
vpn-tunnel-protocol IPSec
default-domain value My.Domain
group-policy MyVPN internal
group-policy MyVPN attributes
wins-server value 192.168.123.225
dns-server value 192.168.123.225
vpn-tunnel-protocol IPSec
default-domain value My.Domain
username Salad-Dodger password xxxxxx encrypted privilege 15
username RemoteUser1 password xxxxxxxx encrypted
username RemoteUser1 attributes
service-type remote-access
username admin password xxxxxxxx encrypted privilege 15
username RemoteUser2 password xxxxxxxx encrypted
username RemoteUser2 attributes
service-type remote-access
tunnel-group MyVPNTunnel. type remote-access
tunnel-group MyVPNTunnel. general-attributes
address-pool MyVPN_IPs
default-group-policy MyVPNTunnel.
tunnel-group MyVPNTunnel. ipsec-attributes
pre-shared-key *
tunnel-group MyVPN type remote-access
tunnel-group MyVPN general-attributes
address-pool MyVPN_IPs
authentication-server-group MyAuthGroup
default-group-policy MyVPN
tunnel-group MyVPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxx
: end
==================================
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
Available but not configured via nameif
MAC address xxxx.xxxx.xxxx, MTU not set
IP address unassigned
204719 packets input, 60462195 bytes, 0 no buffer
Received 2330 broadcasts, 7281 runts, 0 giants
7281 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
8589936970 switch ingress policy drops
60716 packets output, 30795491 bytes, 0 underruns
7283 output errors, 2461 collisions, 0 interface resets
0 babbles, 0 late collisions, 117 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
Description: My Lan
MAC address xxxx.xxxx.xxxx, MTU 1500
IP address 192.168.123.2, subnet mask 255.255.255.0
Traffic Statistics for "inside":
166397 packets input, 35741749 bytes
110899 packets output, 73646219 bytes
64701 packets dropped
1 minute input rate 15 pkts/sec, 1273 bytes/sec
1 minute output rate 21 pkts/sec, 3114 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1 pkts/sec, 211 bytes/sec
5 minute output rate 1 pkts/sec, 114 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
Description: VPN to Internet
MAC address xxxx.xxxx.xxxx, MTU 1500
IP address 216.x.x.19, subnet mask 255.255.255.248
Traffic Statistics for "outside":
71081 packets input, 47981760 bytes
60554 packets output, 29681611 bytes
6091 packets dropped
1 minute input rate 8 pkts/sec, 1096 bytes/sec
1 minute output rate 8 pkts/sec, 1296 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 2 pkts/sec, 249 bytes/sec
5 minute output rate 1 pkts/sec, 285 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan3 "dmz", is down, line protocol is down
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address xxxx.xxxx.xxxx, MTU 1500
IP address unassigned
Traffic Statistics for "dmz":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Virtual254 "", is up, line protocol is up
Hardware is Virtual Available but not configured via nameif
MAC address 0000.0000.0000, MTU not set
IP address unassigned
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
Available but not configured via nameif
MAC address xxxx.xxxx.xxxx, MTU not set
IP address unassigned
204521 packets input, 60437219 bytes, 0 no buffer
Received 2330 broadcasts, 7281 runts, 0 giants
7281 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
8589936959 switch ingress policy drops
60544 packets output, 30770995 bytes, 0 underruns
7283 output errors, 2461 collisions, 0 interface resets
0 babbles, 0 late collisions, 117 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/1 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address xxxx.xxxx.xxxx, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/2 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address xxxx.xxxx.xxxx, MTU not set
IP address unassigned
277 packets input, 32305 bytes, 0 no buffer
Received 42 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
781 packets output, 107675 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/3 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address xxxx.xxxx.xxxx, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/4 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address xxxx.xxxx.4f0c, MTU not set
IP address unassigned
216086 packets input, 44670939 bytes, 0 no buffer
Received 81471 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
111067 packets output, 75799729 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/5 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address xxxx.xxxx.4f0d, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/6 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address xxxx.xxxx.4f0e, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/7 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address xxxx.xxxx.xxxx, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
ASKER
What else can I say ... Thanks again.
ASKER
I don't know what made me think of this, but why should the router be half duplex? I can see the speed of 10, but half duplex?
You can see if the router supports 10/Full. It may not so you are probably stuck with half-duplex. Not a big deal really.
ASKER
conf t
int e0
duplex full
is this how thats done?
Yes, also change it on the ASA:
conf t
int e0/0
speed 10
duplex full
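The counters posted for Ethernet0/0 (half-duplex at 10 Mbps, 7281 runts, 7281 input errors, 2461 collisions, 7283 output errors) are the classic signature of a duplex mismatch, which is why the advice above is to hard-code speed and duplex on both the router and the ASA. As an added example (not from the thread, not Cisco's code), the script below parses `show interface` output from an ASA 5505 and flags that signature automatically, so the "make sure there are no interface errors" step can be repeated after the change. The sample text is a constructed excerpt modelled on the asker's output; the 0.1% error-rate threshold is this example's own choice.

```python
"""Flag duplex-mismatch symptoms in ASA 5505 'show interface' output (added example)."""
import re

# Constructed excerpt modelled on the counters posted in the thread; not a full capture.
SAMPLE_SHOW_INT = """\
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
        Available but not configured via nameif
        204719 packets input, 60462195 bytes, 0 no buffer
        Received 2330 broadcasts, 7281 runts, 0 giants
        7281 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        60716 packets output, 30795491 bytes, 0 underruns
        7283 output errors, 2461 collisions, 0 interface resets
        0 babbles, 0 late collisions, 117 deferred
Interface Ethernet0/4 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        216086 packets input, 44670939 bytes, 0 no buffer
        Received 81471 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        111067 packets output, 75799729 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
Interface Vlan1 "inside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        166397 packets input, 35741749 bytes
        110899 packets output, 73646219 bytes
"""

HEADER_RE = re.compile(r'^Interface (\S+) "([^"]*)", is (\w+), line protocol is (\w+)')
DUPLEX_RE = re.compile(r"\((Half|Full)-duplex\).*\((\d+) Mbps\)")
COUNTERS = {                       # counter name -> regex that extracts it from one line
    "packets_input": r"(\d+) packets input",
    "runts": r"(\d+) runts",
    "input_errors": r"(\d+) input errors",
    "packets_output": r"(\d+) packets output",
    "output_errors": r"(\d+) output errors",
    "collisions": r"(\d+) collisions",          # does not match "0 late collisions"
    "late_collisions": r"(\d+) late collisions",
}


def parse_show_interface(text):
    """Return {interface_name: {nameif, up, duplex?, speed_mbps?, counters...}}."""
    ports, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = ports.setdefault(m.group(1), {"nameif": m.group(2), "up": m.group(3) == "up"})
            continue
        if current is None:
            continue
        d = DUPLEX_RE.search(line)
        if d:                              # only physical switch ports print a duplex/speed line
            current["duplex"], current["speed_mbps"] = d.group(1).lower(), int(d.group(2))
        for key, pattern in COUNTERS.items():
            c = re.search(pattern, line)
            if c and key not in current:   # first occurrence wins
                current[key] = int(c.group(1))
    return ports


def assess(ports, max_error_pct=0.1):
    """Return [(interface, message)]; an empty list means the physical links look clean."""
    findings = []
    for name, p in ports.items():
        if not p["up"] or "duplex" not in p:
            continue                       # down ports and VLAN SVIs carry no link-level counters
        in_pct = 100.0 * p.get("input_errors", 0) / (p.get("packets_input", 0) or 1)
        out_pct = 100.0 * p.get("output_errors", 0) / (p.get("packets_output", 0) or 1)
        if p["duplex"] == "half" and (p.get("collisions", 0) or p.get("runts", 0)):
            findings.append((name, f"half-duplex at {p['speed_mbps']} Mbps with {p.get('runts', 0)} runts "
                                   f"and {p.get('collisions', 0)} collisions: duplex mismatch; "
                                   "set speed/duplex explicitly on both ends"))
        if in_pct > max_error_pct or out_pct > max_error_pct:
            findings.append((name, f"input errors {in_pct:.2f}% / output errors {out_pct:.2f}% of packets"))
        if p.get("late_collisions", 0):
            findings.append((name, "late collisions: duplex mismatch or cable too long"))
    return findings


if __name__ == "__main__":
    for name, msg in assess(parse_show_interface(SAMPLE_SHOW_INT)):
        print(f"{name}: {msg}")
```

After changing both ends to `speed 10` / `duplex full`, use `clear interface` (or just note the current counters), wait a while, and re-run the check: the runts and collisions on Ethernet0/0 should stop increasing.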
You can use a Nipper-like application to check the configuration.
http://sourceforge.net/projects/nipper
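What a config-audit tool like Nipper does can be shown in a few dozen lines. The script below is an added example (not Nipper's code and not from the thread) that runs the management-plane checks raised earlier in this thread over a constructed excerpt of the asker's `show run`: telnet still enabled and SSH not permitted from anywhere, ICMP open on the outside, ASDM/SSH permitted from the outside, privilege-15 local accounts to review, `management-access inside`, and a `telnet` statement whose 255.255.255.255 mask is applied to the network address 192.168.123.0 (so no inside host actually matches it; probably a typo for 255.255.255.0). The last check, flagging 3DES, SHA-1 and DH group 2 in the IKE/IPsec policy, is this example's own policy and not something the thread raises.

```python
"""Audit an ASA running-config for management-plane weaknesses (added example)."""
import ipaddress
import re

# Constructed excerpt of the posted 'show run'; only the lines the checks look at.
SAMPLE_CONFIG = """\
ASA Version 8.0(4)
hostname Frodo
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
icmp permit any inside
icmp permit any echo-reply outside
http server enable
http 192.168.123.0 255.255.255.0 inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
telnet 192.168.123.0 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
management-access inside
username Salad-Dodger password xxxxxx encrypted privilege 15
username RemoteUser1 password xxxxxxxx encrypted
username admin password xxxxxxxx encrypted privilege 15
"""

# "telnet|ssh|http <address> <mask> <interface>" statements that permit management access.
MGMT_RE = re.compile(r"^(telnet|ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def audit(config):
    """Return [(severity, message)] findings for the given running-config text."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    mgmt = [m.groups() for l in lines if (m := MGMT_RE.match(l))]

    if any(p == "telnet" for p, *_ in mgmt):
        findings.append(("high", "telnet is enabled (cleartext); replace with 'ssh <net> <mask> inside'"))
    if not any(p == "ssh" for p, *_ in mgmt):
        findings.append(("medium", "no 'ssh <net> <mask> <if>' statement: SSH management is not permitted from anywhere"))
    for proto, addr, mask, ifname in mgmt:
        if ifname == "outside":
            findings.append(("high", f"{proto} management permitted from the outside ({addr} {mask})"))
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if net.prefixlen == 32 and addr.endswith(".0"):
            findings.append(("low", f"'{proto} {addr} {mask} {ifname}' is a /32 on a network address: "
                                    "no host matches it (probably meant 255.255.255.0)"))

    if "icmp permit any outside" in lines:
        findings.append(("medium", "ICMP of all types is permitted to the outside interface; "
                                   "keep only 'icmp permit any echo-reply outside'"))

    admins = [l.split()[1] for l in lines if l.startswith("username ") and l.endswith("privilege 15")]
    if admins:
        findings.append(("info", "privilege-15 local accounts to review (remove if unused): " + ", ".join(admins)))

    if "management-access inside" in lines:
        findings.append(("info", "management-access inside: the inside interface is manageable over the VPN tunnel"))

    # This example's own policy: 3DES, SHA-1 and DH group 2 are weak by current standards.
    weak = [l.strip() for l in lines if re.search(r"\b(3des|hash sha|group 2)\b", l)]
    if weak:
        findings.append(("low", "weak IKE/IPsec settings (3DES, SHA-1, DH group 2): " + "; ".join(weak)))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Feed it the full `show run` text to audit the real device; the `telnet 192.168.123.0 255.255.255.255 inside` finding explains why telnet "can't be used" from the LAN, and the fix the thread recommends is to drop telnet altogether and add an `ssh 192.168.123.0 255.255.255.0 inside` statement instead.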