Cisco ASA Any to Any rule..?

Hi
We have managed firewalls in place with an ISP. One of their 3rd line techs mentioned we have an any-to-any rule in place.
Obviously not good.
Suggestions when changing this? Don't want to break things...
Thanks
CHI-LTD asked:

Jordan Taylor (Network Engineer) commented:
Depends, do you have an access-list and an access-group in place? If not, it's probably not working at the moment. You can verify this by looking at the hits on the ASA for that any-to-any rule.

Here is some good info on this as well.

https://supportforums.cisco.com/t5/firewalling/allow-traffic-through-outside-inside-asa-5505/td-p/1415241


Depending on what you are trying to do you can always do static nat as well.

Hope this helps.

Cheers,
CHI-LTD (Author) commented:
Don't have access to it. I believe there are hits on the rule...
max_the_king commented:
Hi,
First, you need to separate the rules logically among interfaces (inside, outside, dmz, etc.).
Then you need to create ACLs and eventually apply them on interfaces.

For example, you would create an ACL on the inside interface:

access-list outbound remark LAN 192.168.0.0/24 may only go out on HTTP, HTTPS and DNS; everything else hits the implicit deny
access-list outbound extended permit tcp 192.168.0.0 255.255.255.0 any eq 80
access-list outbound extended permit tcp 192.168.0.0 255.255.255.0 any eq 443
access-list outbound extended permit udp 192.168.0.0 255.255.255.0 any eq 53

access-group outbound in interface inside

... and this will only allow internet surfing on HTTP and HTTPS.
Then you can add other rules or deny a subset of internal IPs.

On the outside interface you will probably want to create an access-list for your publicly exposed servers.

And yes ... you'd better delete any access-list configured as "any to any".

Hope this helps
max

CHI-LTD (Author) commented:
OK. I'm in dialogue with them.
Would config help you?
max_the_king commented:
sure
max
CHI-LTD (Author) commented:
I'm hoping I've omitted sensitive data:

Head Office:

ACC063901-ASA5505# sh run
: Saved
:
: Serial Number: JMX2025Y03U
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.1(6)
!
hostname ACC063901-ASA5505
enable password XXXXX encrypted
passwd XXXXX encrypted
names
ip local pool vpnpool 10.255.255.1-10.255.255.127 mask 255.255.255.128
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!            
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description to LAN
 nameif inside
 security-level 100
 ip address 172.19.10.15 255.255.0.0
!
interface Vlan2
 description To Internet
 nameif outside
 security-level 0
 ip address WAN IP 255.255.255.248
!
no ftp mode passive
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaulDND
dns server-group DefaultDNS
 name-server 172.19.10.30
 name-server 172.19.10.31
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside-network
 subnet 172.19.0.0 255.255.0.0
 description Inside network
object network 10.255.254.0_25
 subnet 10.255.254.0 255.255.255.128
 description Hounslow Roam VPN
object network 10.255.255.0_25
 subnet 10.255.255.0 255.255.255.128
 description siteA Roam VPN
object network 192.168.3.0_24
 subnet 192.168.3.0 255.255.255.0
 description London LAN
object network 172.19.10.21_pop3
 host 172.19.10.21
object network Mimecast_DC_6
 subnet 195.130.217.0 255.255.255.0
object network Mimecast_DC_7
 subnet 91.220.42.0 255.255.255.0
object network 172.19.10.21_smtp
 host 172.19.10.21
object network 192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
 description Hounslow LAN
object network Bloomberg_1
 subnet 160.43.250.0 255.255.255.0
object network Bloomberg_2
 subnet 205.216.112.0 255.255.255.0
object network Bloomberg_3
 subnet 206.156.53.0 255.255.255.0
object network Bloomberg_4
 subnet 208.22.56.0 255.255.255.0
object network Bloomberg_5
 subnet 208.22.57.0 255.255.255.0
object network Bloomberg_6
 subnet 69.191.192.0 255.255.192.0
object network Proquote_1
 host 195.26.26.140
object network Proquote_2
 host 195.26.26.150
object network Proquote_3
 host 195.26.26.16
object network Proquote_4
 host 195.26.27.141
object network Proquote_5
 host 195.26.27.150
object network Proquote_6
 host 212.47.180.32
object network Proquote_7
 host 213.38.100.13
object network Proquote_8
 host 213.38.100.4
object network Proquote_9
 host 213.38.100.5
object network Proquote_10
 host 213.38.100.6
object network obj-vpn-london
 subnet 192.168.3.0 255.255.255.0
object network Mimecast_DC_8
 subnet 94.185.240.0 255.255.255.0
object network 172.19.10.21_http
 host 172.19.10.21
object network 172.19.10.21_https
 host 172.19.10.21
object network INGATE
 host 172.16.10.35
object network a-188.39.71.100
 host 188.39.71.100
object network a-172.16.10.35
 host 172.16.10.35
object network VLAN20
 subnet 172.16.0.0 255.255.0.0
object network 192.168.100.0_24
 subnet 192.168.100.0 255.255.255.0
 description London Voice
object network access7.cws.sco.cisco.com
 host 108.171.128.134
object network Mimecast_DC_10
 subnet 146.101.78.0 255.255.255.0
object network Mimecast_DC_11
 subnet 207.82.80.0 255.255.255.0
object network Mimecast_DC_9
 subnet 185.58.84.0 255.255.252.0
object network Bristol_VLAN20
 subnet 192.168.200.0 255.255.255.0
object network access607.cws.sco.cisco.com
 host 108.171.133.134
object network access29.cws.sco.cisco.com
 host 108.171.128.156
object network access30.cws.sco.cisco.com
 host 108.171.128.157
object network 172.19.10.30_ldap
 host 172.19.10.30
object network 172.19.99.99_6130
 host 172.19.99.99
object service 6129
 service tcp source eq 6129 destination eq 6129
object network 172.19.99.99_6129
 host 172.19.99.99
object network Proquote_11
 host 195.26.27.150
object network WAN IP
 host WAN IP
object network Cisco WAN IPs.0.189
 host Cisco WAN IPs.0.189
object network 172.19.10.30_32_LDAP
 host 172.19.10.30
object-group network Mimecast
 description Mimecast email filtering sources
 network-object object Mimecast_DC_6
 network-object object Mimecast_DC_7
 network-object object Mimecast_DC_8
 network-object object Mimecast_DC_10
 network-object object Mimecast_DC_11
 network-object object Mimecast_DC_9
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ldap
 port-object eq pop3
 port-object eq smtp
object-group network DM_INLINE_NETWORK_1
 network-object object 10.255.254.0_25
 network-object object 10.255.255.0_25
 network-object object 192.168.2.0_24
 network-object object 192.168.3.0_24
object-group network Bloomberg
 network-object object Bloomberg_1
 network-object object Bloomberg_2
 network-object object Bloomberg_3
 network-object object Bloomberg_4
 network-object object Bloomberg_5
 network-object object Bloomberg_6
object-group network Proquote
 network-object object Proquote_1
 network-object object Proquote_2
 network-object object Proquote_3
 network-object object Proquote_4
 network-object object Proquote_5
 network-object object Proquote_6
 network-object object Proquote_7
 network-object object Proquote_8
 network-object object Proquote_9
 network-object object Proquote_10
 network-object object Proquote_11
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination range 8194 8198
 service-object udp destination range 48129 48137
 service-object tcp destination range 8209 8294
object-group service DM_INLINE_TCP_2 tcp
 port-object range 2300 2400
 port-object eq 6969
object-group network DM_INLINE_NETWORK_2
 network-object object access607.cws.sco.cisco.com
 network-object object access7.cws.sco.cisco.com
 network-object object access29.cws.sco.cisco.com
 network-object object access30.cws.sco.cisco.com
object-group service DM_INLINE_SERVICE_2
 service-object tcp-udp destination eq domain
 service-object tcp destination eq 3101
 service-object tcp destination eq 4103
 service-object tcp destination eq 4105
 service-object tcp destination eq ftp
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination range 49100 49200
object-group service DM_INLINE_TCP_3 tcp
 port-object range 1130 1132
 port-object eq 4800
 port-object eq 50110
 port-object range 50112 50115
 port-object range 50140 50142
 port-object range 50802 50803
 port-object range 50806 50808
 port-object eq 4500
object-group service DM_INLINE_TCP_4 tcp
 port-object eq ldap
 port-object eq pop3
 port-object eq smtp
object-group network DM_INLINE_NETWORK_3
 network-object object inside-network
 network-object 10.255.255.0 255.255.255.128
 network-object 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_5
 group-object Mimecast
object-group network DM_INLINE_NETWORK_7
 network-object object VLAN20
 network-object object inside-network
object-group network DM_INLINE_NETWORK_4
 network-object object 192.168.2.0_24
 network-object 10.255.254.0 255.255.255.128
 network-object 192.168.200.0 255.255.255.0
object-group network obj-CiscoCloud
 network-object 70.39.231.91 255.255.255.255
 network-object 70.39.231.107 255.255.255.255
 network-object 70.39.231.155 255.255.255.255
 network-object 70.39.231.171 255.255.255.255
 network-object 80.254.147.251 255.255.255.255
 network-object 80.254.158.35 255.255.255.255
 network-object 80.254.158.147 255.255.255.255
 network-object 80.254.158.155 255.255.255.255
object-group network DM_INLINE_NETWORK_8
 network-object object inside-network
 network-object 172.16.0.0 255.255.0.0
 network-object 10.255.255.0 255.255.255.128
object-group network DM_INLINE_NETWORK_9
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
object-group network DM_INLINE_NETWORK_10
 network-object 172.16.0.0 255.255.0.0
 network-object object inside-network
object-group network DM_INLINE_NETWORK_12
 network-object object 192.168.2.0_24
 network-object object Bristol_VLAN20
object-group network DM_INLINE_NETWORK_11
 network-object 172.16.0.0 255.255.0.0
 network-object 172.19.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_6
 network-object object 192.168.100.0_24
 network-object object 192.168.3.0_24
object-group network DM_INLINE_NETWORK_13
 network-object object VLAN20
 network-object object inside-network
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
object-group network VPN_Destinations
 network-object object 10.255.254.0_25
 network-object object 192.168.100.0_24
 network-object object 192.168.2.0_24
 network-object object 192.168.3.0_24
 network-object object Bristol_VLAN20
 network-object object 10.255.255.0_25
object-group service WannaCry_Ports
 service-object tcp destination eq 445
 service-object tcp destination eq netbios-ssn
 service-object udp destination eq netbios-dgm
 service-object udp destination eq netbios-ns
access-list inbound extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inbound extended permit icmp any object inside-network time-exceeded
access-list inbound extended permit icmp any object inside-network unreachable
access-list inbound extended permit icmp any object inside-network traceroute
access-list inbound extended permit icmp any object inside-network source-quench
access-list inbound extended permit tcp object-group DM_INLINE_NETWORK_5 host 172.19.10.21 object-group DM_INLINE_TCP_1
access-list inbound extended permit tcp any object 172.19.10.21_http eq www
access-list inbound extended permit tcp any object 172.19.10.21_https eq https
access-list inbound extended permit ip any any
access-list inbound extended permit tcp object-group Mimecast host 172.19.10.10 object-group DM_INLINE_TCP_1 inactive
access-list inbound extended permit tcp object-group Mimecast host 172.19.10.30 object-group DM_INLINE_TCP_1
access-list inbound extended permit tcp any object 172.19.99.99_6130 eq 6130
access-list inbound extended permit tcp any object 172.19.99.99_6129 eq 6129
access-list inside_access_in extended permit object-group WannaCry_Ports any object-group VPN_Destinations
access-list inside_access_in extended deny object-group WannaCry_Ports any any
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_11 object Bristol_VLAN20
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 172.19.0.0 255.255.0.0 object-group Bloomberg
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 object-group Proquote object-group DM_INLINE_TCP_3
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_2 eq 8080
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 172.19.0.0 255.255.0.0 any
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 host 77.73.1.127 eq ssh
access-list inside_access_in extended permit ip host 172.19.10.21 any
access-list inside_access_in extended permit tcp host 172.19.10.7 any eq 3101
access-list inside_access_in extended permit icmp 172.19.0.0 255.255.0.0 any
access-list inside_access_in extended permit ip any object-group obj-CiscoCloud
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 host 212.102.222.248 eq 5677
access-list inside_access_in extended permit tcp host 172.19.10.21 object-group Mimecast object-group DM_INLINE_TCP_4
access-list inside_access_in extended permit tcp host 172.19.10.28 any eq 3101
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 object access7.cws.sco.cisco.com eq 8080
access-list inside_access_in extended permit tcp host 172.19.10.30 object Mimecast_DC_9 object-group DM_INLINE_TCP_4
access-list inside_access_in extended permit ip host 172.19.10.30 any
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4
access-list vpn-roam-split standard permit 172.19.0.0 255.255.0.0
access-list vpn-roam-split standard permit 192.168.3.0 255.255.255.0
access-list vpn-roam-split standard permit 192.168.2.0 255.255.255.0
access-list vpn-roam-split standard permit 172.16.0.0 255.255.0.0
access-list vpn-roam-split standard permit 192.168.100.0 255.255.255.0
access-list vpn-roam-split standard permit 10.255.255.0 255.255.255.128
access-list vpn-roam-split standard permit 192.168.200.0 255.255.255.0
access-list acl-vpn-london extended permit ip object inside-network object obj-vpn-london
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9
access-list outside_access_in extended permit ip any host 172.16.10.35
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list outbound extended permit udp any any eq ntp
access-list AS-HTTPS extended permit tcp any object 172.19.10.21_https
access-list Voice_access_in extended permit udp any any eq 2727 inactive
access-list Voice_access_in extended permit udp any any range 10000 10550 inactive
access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_13
access-list testcap extended permit ip any host 172.19.105.107
access-list testcap extended permit ip host 172.19.105.107 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 172.19.0.0 255.255.0.0 inside
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-752.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,inside) source static 10.255.254.0_25 10.255.254.0_25 destination static VLAN20 VLAN20
nat (inside,any) source static DM_INLINE_NETWORK_7 DM_INLINE_NETWORK_7 destination static DM_INLINE_NETWORK_12 DM_INLINE_NETWORK_12
nat (any,any) source static 10.255.255.0_25 10.255.255.0_25 destination static 192.168.2.0_24 192.168.2.0_24
nat (inside,any) source static inside-network inside-network destination static 10.255.255.0_25 10.255.255.0_25
nat (inside,outside) source static inside-network inside-network destination static obj-vpn-london obj-vpn-london
nat (inside,any) source static inside-network inside-network destination static 10.255.254.0_25 10.255.254.0_25
nat (inside,outside) source static a-172.16.10.35 Cisco WAN IPs.0.189
nat (inside,outside) source static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8 destination static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 no-proxy-arp route-lookup
nat (any,inside) source static 10.255.255.0_25 10.255.255.0_25 destination static VLAN20 VLAN20
nat (any,any) source static 10.255.255.0_25 10.255.255.0_25 destination static 192.168.3.0_24 192.168.3.0_24
nat (any,any) source static 10.255.255.0_25 10.255.255.0_25 destination static 192.168.100.0_24 192.168.100.0_24
nat (any,any) source static 10.255.255.0_25 10.255.255.0_25 destination static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6
nat (any,any) source static 192.168.3.0_24 192.168.3.0_24 destination static 10.255.255.0_25 10.255.255.0_25
nat (any,any) source static 192.168.100.0_24 192.168.100.0_24 destination static 10.255.255.0_25 10.255.255.0_25
nat (any,any) source static 10.255.255.0_25 10.255.255.0_25 destination static Bristol_VLAN20 Bristol_VLAN20 no-proxy-arp
!
object network obj_any
 nat (inside,outside) dynamic interface
object network 172.19.10.21_pop3
 nat (inside,outside) static interface service tcp pop3 pop3
object network 172.19.10.21_smtp
 nat (inside,outside) static interface service tcp smtp smtp
object network 172.19.10.21_http
 nat (inside,outside) static interface service tcp www www
object network 172.19.10.21_https
 nat (inside,outside) static interface service tcp https https
object network 172.19.99.99_6130
 nat (any,outside) static interface service tcp 6130 6130
object network 172.19.99.99_6129
 nat (any,outside) static interface service tcp 6129 6129
object network 172.19.10.30_32_LDAP
 nat (any,outside) static interface service tcp ldap ldap
!
nat (any,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 Cisco WAN IPs.0.185 1
route inside 172.16.0.0 255.255.0.0 172.19.4.5 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Hounslow-AAA protocol radius
 interim-accounting-update
aaa-server Hounslow-AAA (inside) host 192.168.2.21
 key *****
 radius-common-pw *****
aaa-server SiteHQ-AAA protocol radius
 interim-accounting-update
aaa-server SiteHQ-AAA (inside) host 172.19.10.21
 key *****
 radius-common-pw *****
 no mschapv2-capable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 8443
http 172.19.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host outside 62.24 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp inside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des ac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des ac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des ac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-mac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des es
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aemac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-amac
crypto ipsec ikev1 transform-set ESP-AES-192-Sc
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-a
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-19........
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer WAN IP 3
crypto map outside_map 1 set ikev1 transform-set
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer WAN IP 2 WAN IP3
crypto map outside_map 2 set ikev1 transform-set
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 2 set ikev2 pre-shared-key *****
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer WAN IP 2
crypto map outside_map 3 set ikev1 transform-set
crypto map outside_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=WAN IP,CN=ACC063901-ASA5505
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate fe7b355a
    308201dd 30820146 a0030201 020204fe 7b355a30 0d06092a 864886f7 0d010105
    05003033 311a3018 06035504 03131141 43433036 33393031 2d415341 35353035
    31153013 06035504    25ee00e2 6347aee1 3d2ca841 3ddfc3f0 bc719f36 b89f07ec f8d91624 79c20a55
    0e
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 15
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 172.19.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
webvpn
 port 444    
 enable inside
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 172.19.10.30 172.19.10.31
 vpn-tunnel-protocol ikev1 ssl-clientless
group-policy GroupPolicy_WAN IP 3 internal
group-policy GroupPolicy_WAN IP 3 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_WAN IP 2 internal
group-policy GroupPolicy_WAN IP 2 attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
group-policy VPN-Hounslow internal
group-policy VPN-Hounslow attributes
 wins-server none
 dns-server value 172.19.10.30 172.19.10.31
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 default-domain value localdomain.local
group-policy roam-vpn internal
group-policy roam-vpn attributes
 wins-server none
 dns-server value 172.19.10.30 172.19.10.31
 vpn-tunnel-protocol ikev1 ssl-clientless
 pfs enable
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-roam-split
 default-domain value localdomain.local
 split-dns none
 webvpn
  url-list none
username admin password XXXXX encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpnpool
 authentication-server-group SiteHQ-AAA
 default-group-policy roam-vpn
tunnel-group roam-vpn type remote-access
tunnel-group roam-vpn general-attributes
 address-pool vpnpool
 authentication-server-group SiteHQ-AAA
 default-group-policy roam-vpn
tunnel-group roam-vpn ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group WAN IP 3 type ipsec-l2l
tunnel-group WAN IP 3 general-attributes
 default-group-policy GroupPolicy_WAN IP 3
tunnel-group WAN IP 3 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group WAN IP 2 type ipsec-l2l
tunnel-group WAN IP 2 general-attributes
 default-group-policy GroupPolicy_WAN IP 2
tunnel-group WAN IP 2 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map VOICE
 match dscp ef
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect icmp
policy-map priority-policy
 class VOICE
  priority
policy-map shape-priority-policy
 class class-default
  shape average 98000000
  service-policy priority-policy
!
service-policy global_policy global
service-policy shape-priority-policy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:203ab
: end
max_the_king commented:
Hi,
You have this, somewhere in the middle:

access-list inside_access_in extended permit ip any any

which you may want to delete.

This allows everyone from inside to go to the Internet, unless it has been denied on previous lines of the ACL (it is processed from top to bottom).

Chances are that you haven't defined some more exceptions for your inside IPs, which, however, you'll find out only after deleting that ACL.

max
CHI-LTD (Author) commented:
What about any inbound? I'd have thought this would be more risky..?
CHI-LTD (Author) commented:
Is it possible to see the type of traffic coming over that rule?
max_the_king commented:
Over that rule? ANY traffic, no filter at all.

Should you want to see what is going through the firewall in general, you can go into ASDM, Monitor, Logging and you will see tons of packets ... which you can as well filter out or pause.

max
Pete Long (Technical Consultant) commented:
Address This first!

!
access-list inbound extended permit ip any any
!
access-group inbound in interface outside
!

That's your firewall disabled there :(


That looks like it has been put there to make something work, and has never been removed.
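A way to check this offline against a saved `show run`, as an added example (not code from the thread or from Cisco): it finds every active `permit ip any any` entry, reports whether the ACL is actually bound to an interface with `access-group` (Jordan's point), and lists the entries sitting below the catch-all, which the top-to-bottom processing max describes means they never match today and become the effective policy the moment the catch-all is removed. The config excerpt inside it is constructed in the style of the posted config; `show access-list` hit counts on the box remain the authoritative check.

```python
"""Audit a Cisco ASA 'show run' for catch-all ACEs and the rules they shadow.

Added example, not code from the thread or from Cisco. It parses the
access-list / access-group lines of a saved config and reports, per ACL:
  * every active 'permit ip any any' entry and its position,
  * the interface and direction the ACL is bound to (None = not applied,
    so the ACL is not filtering anything yet),
  * the active entries below the catch-all, which can never match while it
    is there and become the effective policy once it is removed.
Lines marked 'inactive' are parsed but ignored for shadowing.
"""
import re
from collections import OrderedDict

# Constructed excerpt in the style of the config posted above (sample input).
SAMPLE_CONFIG = """\
access-list inbound extended permit tcp any object 172.19.10.21_http eq www
access-list inbound extended permit ip any any
access-list inbound extended permit tcp object-group Mimecast host 172.19.10.30 object-group DM_INLINE_TCP_1
access-list inbound extended permit tcp any object 172.19.99.99_6130 eq 6130 inactive
access-list inside_access_in extended deny object-group WannaCry_Ports any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip host 172.19.10.30 any
access-list testcap extended permit ip any host 172.19.105.107
access-group inside_access_in in interface inside
access-group inbound in interface outside
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (.+?)( inactive)?$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")


def parse_config(text):
    """Return (acls, bindings).

    acls: {name: [(seq, action, body, active), ...]} in config order.
    bindings: {name: (direction, interface)} from access-group lines.
    """
    acls, bindings = OrderedDict(), {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, action, body, inactive = m.groups()
            entries = acls.setdefault(name, [])
            entries.append((len(entries) + 1, action, body, inactive is None))
            continue
        m = GROUP_RE.match(line)
        if m:
            name, direction, iface = m.groups()
            bindings[name] = (direction, iface)
    return acls, bindings


def is_catch_all(body):
    """True only for 'ip any any': any protocol, any source, any destination."""
    return body.split() == ["ip", "any", "any"]


def audit(acls, bindings):
    """Find active 'permit ip any any' entries and the entries they shadow."""
    findings = []
    for name, entries in acls.items():
        for seq, action, body, active in entries:
            if action == "permit" and active and is_catch_all(body):
                # Every active entry below the catch-all is unreachable today.
                shadowed = [s for s, _, _, act in entries if s > seq and act]
                findings.append({
                    "acl": name,
                    "line": seq,
                    "bound": bindings.get(name),  # None: ACL never applied
                    "shadowed": shadowed,
                })
    return findings


def report(text):
    """Human-readable summary of audit() over a config dump."""
    acls, bindings = parse_config(text)
    out = []
    for f in audit(acls, bindings):
        where = ("applied %s on interface %s" % f["bound"]
                 if f["bound"] else "NOT applied to any interface")
        out.append("%s line %d: permit ip any any (%s)" % (f["acl"], f["line"], where))
        for s in f["shadowed"]:
            _, action, body, _ = acls[f["acl"]][s - 1]
            out.append("    shadowed line %d: %s %s" % (s, action, body))
    return "\n".join(out) or "no catch-all permits found"


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Run it over the full `show run` output saved to a file and review each shadowed line before removing the catch-all; anything legitimately needed that is not on that list is what will break.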