  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 296

Can you see any vulnerabilities in this running config?

We have a Cisco ASA 5505 in our office, and we need to know if it was configured in a secure way.

The running config is attached.


ASA Version 8.0(2) 
hostname ciscoasa
domain-name oursite.intranet
enable password XXXXXXXXXXXXXXX encrypted
name vpn-network
name ourclient_internal_network
name XXX.XXX.XXX.XXX ourprovider_dns_master
name XXX.XXX.XXX.XXX ourprovider_dns_slave
name XXX.XXX.XXX.XXX oursite_outside_ip
name oursite_printserver_on_wireless
name oursite_proxy_on_serverfarm
name XXX.XXX.XXX.XXX ourprovider_mysql_server
name ourclient_external_network
name oursite_webserver_on_dmz
name XXX.XXX.XXX.XXX ourclient_outside_ip
name oursite_activedirectory_on_serverfarm
name ourclient_fileserver
name oursite_sqlserver_on_serverfarm
name oursite_jobserver_on_serverfarm
name oursite_activedirectory_old_on_serverfarm
name XXX.XXX.XXX.XXX ourprovider_smtp_server
interface Vlan1
 description BackOffice - 62  hosts
 nameif backoffice
 security-level 100
 ip address 
 ospf cost 10
interface Vlan2
 description Outside - 1 host
 nameif outside
 security-level 0
 pppoe client vpdn group PPPoE
 ip address pppoe 
 ospf cost 10
interface Vlan22
 description DMZ - 14 hosts
 nameif dmz
 security-level 25
 ip address 
interface Vlan32
 description Wireless - 14 hosts
 nameif wireless
 security-level 50
 ip address 
interface Vlan42
 description ServerFarm - 14 hosts
 nameif serverfarm
 security-level 75
 ip address 
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 22
interface Ethernet0/2
 switchport access vlan 42
interface Ethernet0/3
 switchport access vlan 32
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone BRST -3
clock summer-time BRDT recurring 2 Sun Oct 0:00 3 Sun Feb 0:00
dns server-group DefaultDNS
 domain-name oursite.intranet
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object vpn-network
object-group network DM_INLINE_NETWORK_2
 network-object vpn-network
object-group service yosemite-agent tcp-udp
 port-object eq 3817
access-list backoffice_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_1
access-list dmz_access_in extended permit ip host oursite_webserver_on_dmz host ourprovider_mysql_server
access-list dmz_access_in extended permit ip host oursite_webserver_on_dmz host oursite_sqlserver_on_serverfarm 
access-list serverfarm_nat_static extended permit ip ourclient_internal_network
access-list oursite_vpnclient_manager standard permit 
access-list oursite_vpnclient_manager standard permit 
access-list oursite_vpnclient_manager standard permit 
access-list oursite_vpnclient_manager standard permit 
access-list serverfarm_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2
access-list wireless_nat0_outbound extended permit ip vpn-network 
access-list dmz_nat0_outbound extended permit ip vpn-network
access-list serverfarm_access_in extended permit ip host oursite_activedirectory_on_serverfarm host ourclient_fileserver 
access-list serverfarm_access_in extended permit tcp host oursite_jobserver_on_serverfarm host ourprovider_smtp_server eq smtp
access-list serverfarm_access_in extended permit ip host oursite_activedirectory_on_serverfarm host oursite_webserver_on_dmz 
access-list vpn_nat_ourclient extended permit ip ourclient_external_network ourclient_internal_network
access-list outside_access_in extended permit tcp host XXX.XXX.XXX.XXX host oursite_outside_ip eq www
access-list backoffice_nat_static extended permit ip ourclient_internal_network 
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging asdm debugging
mtu backoffice 1500
mtu outside 1500
mtu dmz 1500
mtu wireless 1500
mtu serverfarm 1500
ip local pool vpn_dhcp_pool mask
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (backoffice) 0 access-list backoffice_nat0_outbound_1
nat (backoffice) 1
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1
nat (wireless) 0 access-list wireless_nat0_outbound
nat (wireless) 1
nat (serverfarm) 0 access-list serverfarm_nat0_outbound
nat (serverfarm) 1
static (dmz,outside) tcp interface www oursite_webserver_on_dmz www netmask 
static (dmz,outside) tcp interface ftp oursite_webserver_on_dmz ftp netmask 
static (backoffice,outside) ourclient_external_network  access-list backoffice_nat_static 
static (serverfarm,outside) ourclient_external_network  access-list serverfarm_nat_static 
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group serverfarm_access_in in interface serverfarm
route outside oursite_outside_ip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http serverfarm
http backoffice
http backoffice
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection reclassify-vpn
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto map outside_map 1 match address vpn_nat_ourclient
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer ourclient_outside_ip
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000 
telnet backoffice
telnet timeout 5
ssh backoffice
ssh timeout 5
console timeout 0
vpdn group PPPoE request dialout pppoe
vpdn group PPPoE localname user@provider
vpdn group PPPoE ppp authentication pap
vpdn username user@provider password ********* store-local
dhcpd auto_config outside
dhcpd address backoffice
dhcpd dns oursite_activedirectory_on_serverfarm ourprovider_dns_master interface backoffice
dhcpd wins oursite_activedirectory_on_serverfarm interface backoffice
dhcpd domain oursite.intranet interface backoffice
dhcpd enable backoffice
dhcpd address wireless
dhcpd dns ourprovider_dns_master ourprovider_dns_slave interface wireless
dhcpd enable wireless

threat-detection basic-threat
threat-detection statistics
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect icmp 
service-policy global_policy global
group-policy oursite_vpnclient_manager internal
group-policy oursite_vpnclient_manager attributes
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value oursite_vpnclient_manager
 address-pools value vpn_dhcp_pool
username admin password XXXXXXXXXXXXXXX encrypted privilege 0
username admin attributes
 vpn-group-policy oursite_vpnclient_manager
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
 pre-shared-key *
 peer-id-validate cert
tunnel-group oursite_vpnclient_manager type remote-access
tunnel-group oursite_vpnclient_manager general-attributes
 address-pool vpn_dhcp_pool
 default-group-policy oursite_vpnclient_manager
tunnel-group oursite_vpnclient_manager ipsec-attributes
 pre-shared-key *
prompt hostname context 
: end
asdm image disk0:/asdm-602.bin
no asdm history enable


1 Solution
Looks good, the ASA is secure.  I guess it depends on what you are trying to "secure" it from.
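An added config-audit helper, written for this page and not part of the question or the answer, that scans an ASA 8.x running-config for the items a reviewer would normally check before signing off: transform sets built on DES, 3DES or MD5 that a crypto map actually offers, an ISAKMP policy using 3DES, MD5 or DH group 2, cleartext telnet management, and a console timeout of 0. The SAMPLE_CONFIG excerpt is constructed from lines of the posted config (redacted values left as the poster wrote them) and is the only input the helper assumes.

```python
# Constructed excerpt of the posted running-config (redacted values left as the poster wrote them).
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-3DES-MD5 ESP-DES-SHA
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
telnet backoffice
telnet timeout 5
ssh backoffice
console timeout 0
"""

# Algorithms and IKE settings that a crypto review treats as weak or deprecated.
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_ISAKMP = {("encryption", "des"), ("encryption", "3des"), ("hash", "md5"), ("group", "1"), ("group", "2")}


def audit_asa_config(text):
    """Return a list of findings for an ASA 8.x running-config supplied as text."""
    findings, weak_sets, isakmp_policy = [], set(), None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if not raw.startswith(" "):
            isakmp_policy = None  # any top-level line ends a 'crypto isakmp policy' block
        if parts[:3] == ["crypto", "ipsec", "transform-set"]:
            if set(parts[4:]) & WEAK_ESP:
                weak_sets.add(parts[3])  # remember the name; flag it only where a map offers it
        elif len(parts) > 4 and parts[0] == "crypto" and parts[1] in ("map", "dynamic-map") and "transform-set" in parts:
            for name in parts[parts.index("transform-set") + 1:]:
                if name in weak_sets:
                    findings.append(f"crypto {parts[1]} {parts[2]} {parts[3]} offers weak transform-set {name}")
        elif parts[:3] == ["crypto", "isakmp", "policy"]:
            isakmp_policy = parts[3]
        elif isakmp_policy and tuple(parts[:2]) in WEAK_ISAKMP:
            findings.append(f"isakmp policy {isakmp_policy}: '{parts[0]} {parts[1]}' is weak")
        elif parts[0] == "telnet" and parts[1:2] != ["timeout"]:
            findings.append(f"telnet (cleartext) management enabled on interface {parts[-1]}")
        elif parts[:3] == ["console", "timeout", "0"]:
            findings.append("console timeout 0: idle console sessions never expire")
    return findings
```

Run `audit_asa_config(open("running-config.txt").read())` against a full `show running-config` capture; unreferenced transform sets are deliberately not reported, since only the sets a crypto map offers affect what a peer can negotiate.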
