Can you see any vulnerabilities in this running config?

Posted on 2010-01-07
Last Modified: 2012-05-08
We have a Cisco ASA 5505 in our office, and we need to know if it was configured in a secure way.

The running config is attached.




ASA Version 8.0(2)

hostname ciscoasa
domain-name oursite.intranet
enable password XXXXXXXXXXXXXXX encrypted

name vpn-network
name ourclient_internal_network
name XXX.XXX.XXX.XXX ourprovider_dns_master
name XXX.XXX.XXX.XXX ourprovider_dns_slave
name XXX.XXX.XXX.XXX oursite_outside_ip
name oursite_printserver_on_wireless
name oursite_proxy_on_serverfarm
name XXX.XXX.XXX.XXX ourprovider_mysql_server
name ourclient_external_network
name oursite_webserver_on_dmz
name XXX.XXX.XXX.XXX ourclient_outside_ip
name oursite_activedirectory_on_serverfarm
name ourclient_fileserver
name oursite_sqlserver_on_serverfarm
name oursite_jobserver_on_serverfarm
name oursite_activedirectory_old_on_serverfarm
name XXX.XXX.XXX.XXX ourprovider_smtp_server

interface Vlan1
 description BackOffice - 62 hosts
 nameif backoffice
 security-level 100
 ip address
 ospf cost 10

interface Vlan2
 description Outside - 1 host
 nameif outside
 security-level 0
 pppoe client vpdn group PPPoE
 ip address pppoe
 ospf cost 10

interface Vlan22
 description DMZ - 14 hosts
 nameif dmz
 security-level 25
 ip address

interface Vlan32
 description Wireless - 14 hosts
 nameif wireless
 security-level 50
 ip address

interface Vlan42
 description ServerFarm - 14 hosts
 nameif serverfarm
 security-level 75
 ip address

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1
 switchport access vlan 22

interface Ethernet0/2
 switchport access vlan 42

interface Ethernet0/3
 switchport access vlan 32

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive
clock timezone BRST -3
clock summer-time BRDT recurring 2 Sun Oct 0:00 3 Sun Feb 0:00
dns server-group DefaultDNS
 domain-name oursite.intranet
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1

 network-object vpn-network

object-group network DM_INLINE_NETWORK_2

 network-object vpn-network

object-group service yosemite-agent tcp-udp
 port-object eq 3817
access-list backoffice_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_1
access-list dmz_access_in extended permit ip host oursite_webserver_on_dmz host ourprovider_mysql_server
access-list dmz_access_in extended permit ip host oursite_webserver_on_dmz host oursite_sqlserver_on_serverfarm
access-list serverfarm_nat_static extended permit ip ourclient_internal_network
access-list oursite_vpnclient_manager standard permit
access-list oursite_vpnclient_manager standard permit
access-list oursite_vpnclient_manager standard permit
access-list oursite_vpnclient_manager standard permit
access-list serverfarm_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2
access-list wireless_nat0_outbound extended permit ip vpn-network
access-list dmz_nat0_outbound extended permit ip vpn-network
access-list serverfarm_access_in extended permit ip host oursite_activedirectory_on_serverfarm host ourclient_fileserver
access-list serverfarm_access_in extended permit tcp host oursite_jobserver_on_serverfarm host ourprovider_smtp_server eq smtp
access-list serverfarm_access_in extended permit ip host oursite_activedirectory_on_serverfarm host oursite_webserver_on_dmz
access-list vpn_nat_ourclient extended permit ip ourclient_external_network ourclient_internal_network
access-list outside_access_in extended permit tcp host XXX.XXX.XXX.XXX host oursite_outside_ip eq www
access-list backoffice_nat_static extended permit ip ourclient_internal_network
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging asdm debugging
mtu backoffice 1500
mtu outside 1500
mtu dmz 1500
mtu wireless 1500
mtu serverfarm 1500
ip local pool vpn_dhcp_pool mask
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (backoffice) 0 access-list backoffice_nat0_outbound_1
nat (backoffice) 1
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1
nat (wireless) 0 access-list wireless_nat0_outbound
nat (wireless) 1
nat (serverfarm) 0 access-list serverfarm_nat0_outbound
nat (serverfarm) 1
static (dmz,outside) tcp interface www oursite_webserver_on_dmz www netmask
static (dmz,outside) tcp interface ftp oursite_webserver_on_dmz ftp netmask
static (backoffice,outside) ourclient_external_network  access-list backoffice_nat_static
static (serverfarm,outside) ourclient_external_network  access-list serverfarm_nat_static
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group serverfarm_access_in in interface serverfarm
route outside oursite_outside_ip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http serverfarm
http backoffice
http backoffice
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection reclassify-vpn
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto map outside_map 1 match address vpn_nat_ourclient
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer ourclient_outside_ip
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
telnet backoffice
telnet timeout 5
ssh backoffice
ssh timeout 5
console timeout 0
vpdn group PPPoE request dialout pppoe
vpdn group PPPoE localname user@provider
vpdn group PPPoE ppp authentication pap
vpdn username user@provider password ********* store-local
dhcpd auto_config outside

dhcpd address backoffice
dhcpd dns oursite_activedirectory_on_serverfarm ourprovider_dns_master interface backoffice
dhcpd wins oursite_activedirectory_on_serverfarm interface backoffice
dhcpd domain oursite.intranet interface backoffice
dhcpd enable backoffice

dhcpd address wireless
dhcpd dns ourprovider_dns_master ourprovider_dns_slave interface wireless
dhcpd enable wireless

threat-detection basic-threat
threat-detection statistics

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp

service-policy global_policy global
group-policy oursite_vpnclient_manager internal
group-policy oursite_vpnclient_manager attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value oursite_vpnclient_manager
 address-pools value vpn_dhcp_pool
username admin password XXXXXXXXXXXXXXX encrypted privilege 0
username admin attributes
 vpn-group-policy oursite_vpnclient_manager
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
 pre-shared-key *
 peer-id-validate cert
tunnel-group oursite_vpnclient_manager type remote-access
tunnel-group oursite_vpnclient_manager general-attributes
 address-pool vpn_dhcp_pool
 default-group-policy oursite_vpnclient_manager
tunnel-group oursite_vpnclient_manager ipsec-attributes
 pre-shared-key *
prompt hostname context

: end


Question by:FelipeSchneider
    Accepted Solution

    Looks good, the ASA is secure.  I guess it depends on what you are trying to "secure" it from.
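Whether a config like this is "secure" can be checked mechanically against a few hardening points that are visible in the posted text: cleartext telnet management, SSH without a pinned version, a console that never times out, and DES/3DES/MD5/group-2 settings in the IKE policy and transform sets. The script below is an added example, not part of the original thread or of any Cisco tooling; the sample config is a constructed excerpt of the lines posted above, and the weak-algorithm lists and severity labels are the editor's assumptions.

```python
# Constructed excerpt of the posted running config (addresses were already
# redacted in the thread); only lines relevant to the checks below are kept.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
telnet backoffice
telnet timeout 5
ssh backoffice
console timeout 0
"""
WEAK = {"des", "3des", "esp-des", "esp-3des", "md5", "esp-md5-hmac"}
WEAK_DH = {"1", "2"}  # 768- and 1024-bit MODP Diffie-Hellman groups

def isakmp_policies(lines):
    # Collect each 'crypto isakmp policy N' header and its indented attribute lines.
    policies, cur = {}, None
    for line in lines:
        if line.startswith("crypto isakmp policy "):
            cur = policies.setdefault(line.split()[-1], {})
        elif cur is not None and line.startswith(" "):
            k, _, v = line.strip().partition(" ")
            cur[k] = v
        else:
            cur = None
    return policies

def audit_asa_config(text):
    # Return (severity, message) findings for common ASA hardening gaps.
    lines = [l.rstrip() for l in text.splitlines()]
    out = []
    for line in lines:
        t = line.split()
        if t[:1] == ["telnet"] and t[1:2] != ["timeout"]:
            out.append(("high", f"cleartext telnet management enabled: {line}"))
        elif t[:3] == ["console", "timeout", "0"]:
            out.append(("medium", "console session never times out"))
        elif t[:3] == ["crypto", "ipsec", "transform-set"] and WEAK & set(t[4:]):
            out.append(("medium", f"weak IPsec transform-set {t[3]}: {' '.join(t[4:])}"))
    if any(l.startswith("ssh ") and "timeout" not in l for l in lines) and "ssh version 2" not in lines:
        out.append(("medium", "ssh enabled without 'ssh version 2' (SSHv1 still negotiable)"))
    for num, attrs in isakmp_policies(lines).items():
        weak = [f"{k} {v}" for k, v in attrs.items()
                if (k in ("encryption", "hash") and v in WEAK) or (k == "group" and v in WEAK_DH)]
        if weak:
            out.append(("high", f"isakmp policy {num} negotiates weak settings: {', '.join(weak)}"))
    return out
```

Run against the full posted config, the same checks would also flag every DES/3DES/MD5 transform set offered by SYSTEM_DEFAULT_CRYPTO_MAP; the usual remediation is to remove the telnet line, add `ssh version 2`, set a non-zero console timeout, and move the IKE policy and transform sets to AES with SHA and a larger DH group.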
