Monday, March 26, 2012

Cisco ASA Explanations: Some basic notes for an ASA config

sh run
: Saved
:
--------------------- ASA VERSION --------------
ASA Version 8.2(1)
--------------------- ASA VERSION END --------------
!
------------ HOSTNAME --------
hostname ASA
------------ HOSTNAME END --------

--------------- DOMAIN NAME ---------------
domain-name companyname.com
------------ DOMAIN NAME END ------------ (this does matter for vpn purposes, encryption keys, etc)

--------------- ENABLE PASSWORD ------------------
enable password xxxxxxxxxxx encrypted
--------------- ENABLE PASSWORD END ------------------

--------- PASSWORD ------------
passwd xxxxxxxx encrypted
--------- PASSWORD END ----------- (Don't worry about this. If you enable the 'enable' password, you don't need this)

--------------- NAMES -------------
names
--------------- NAMES END -------------- (to associate names with ip addresses so that you can refer to them in the config below by name instead of by ip address. This is a preference. I use IP addresses instead of names)

!
------------- Interface information --------------------
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 173.1.1.1 255.255.255.192

!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
------------- Interface information END --------------------
!
ftp mode passive
dns server-group DefaultDNS
 domain-name companyname.com

------ REMOTE ACCESS 'INTERESTING TRAFFIC' ACL ----------------
access-list 102 extended permit ip 10.0.0.0 255.0.0.0 10.4.10.0 255.255.255.0
access-list 102 extended permit ip 63.63.63.0 255.255.255.0 10.4.10.0 255.255.255.0
------ REMOTE ACCESS 'INTERESTING TRAFFIC' ACL END ----------------

------------------ NONAT ACL FOR THE PURPOSE OF 'NOT' NAT'ING TRAFFIC ----------
access-list nonat extended permit ip host 10.2.1.10 129.1.1.0 255.255.255.240
access-list nonat extended permit ip host 10.2.1.11 129.1.1.0 255.255.255.240
access-list nonat extended permit ip 10.8.0.0 255.255.0.0 host 21.21.21.229
access-list nonat extended permit ip host 10.6.1.10 host 21.21.21.229
access-list nonat extended permit ip host 10.6.1.10 host 21.21.21.234
access-list nonat extended permit ip host 10.6.1.10 host 21.21.21.235
access-list nonat extended permit ip host 10.6.1.10 host 21.21.21.247
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.4.10.0 255.255.255.0
access-list nonat extended permit ip 63.63.63.0 255.255.255.0 10.4.10.0 255.255.255.0
access-list nonat extended permit ip host 10.10.2.201 host 21.21.21.230
access-list nonat extended permit ip host 10.10.2.202 host 21.21.21.230
access-list nonat extended permit ip host 10.10.2.201 host 21.21.21.231
access-list nonat extended permit ip host 10.10.2.202 host 21.21.21.231
access-list nonat extended permit ip host 10.10.2.201 host 21.21.21.232
access-list nonat extended permit ip host 10.10.2.202 host 21.21.21.232
------------------ NONAT ACL FOR THE PURPOSE OF 'NOT' NAT'ING TRAFFIC END ---------- (this is the nonat ACL referred to in "nat (inside) 0 access-list nonat" below). It means "do not NAT this traffic at all".


------------- INTERESTING TRAFFIC ACL FOR remote-company#1 TO GET ACROSS VPN (WHAT YOU ARE ALLOWED TO GET TO ON THEIR SITE)--------
access-list remote-company#1 extended permit ip host 10.2.1.10 129.1.1.0 255.255.255.240
access-list remote-company#1 extended permit ip host 10.2.1.11 129.1.1.0 255.255.255.240
------------- INTERESTING TRAFFIC ACL FOR remote-company#1 TO GET ACROSS VPN (WHAT YOU ARE ALLOWED TO GET TO ON THEIR SITE)END --------



------------- INTERESTING TRAFFIC ACL FOR remote-company#2 TO GET ACROSS VPN (WHAT YOU ARE ALLOWED TO GET TO ON THEIR SITE) --------------------------------------------------
access-list remote-company#2 extended permit ip 10.8.0.0 255.255.0.0 host 21.21.21.229
access-list remote-company#2 extended permit ip host 10.10.2.201 host 21.21.21.230
access-list remote-company#2 extended permit ip host 10.10.2.202 host 21.21.21.230
access-list remote-company#2 extended permit ip host 10.10.2.201 host 21.21.21.231
access-list remote-company#2 extended permit ip host 10.10.2.202 host 21.21.21.231
access-list remote-company#2 extended permit ip host 10.10.2.201 host 21.21.21.232
access-list remote-company#2 extended permit ip host 10.10.2.202 host 21.21.21.232
------------- INTERESTING TRAFFIC ACL FOR remote-company#2 TO GET ACROSS VPN END-------------------------------------------------- (THIS ACL IS APPLIED DOWN IN CRYPTO MAP 'vpn' 20 TO TELL IT TO LOOK AT THIS ACL FOR 'INTERESTING TRAFFIC')

pager lines 24

------------------- LOGGING CAPABILITIES/POSSIBILITIES -------------------
logging enable
logging trap debugging
logging history informational
logging asdm informational
logging host inside 10.5.5.5
------------------- LOGGING CAPABILITIES/POSSIBILITIES END -------------------


mtu outside 1500
mtu inside 1500

-------- DHCP POOL FOR VPN USERS --------------------------
ip local pool vpnpool 10.4.10.10-10.4.10.245 <-- applied below as 'address-pool vpnpool' in the tunnel-group general-attributes
-------- DHCP POOL FOR VPN USERS END --------------------------

no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400

-------------- NAT'ING FOR GENERAL TRAFFIC -----------------------
global (outside) 1 interface <-- Nat inside traffic to the outside interface
nat (inside) 1 0.0.0.0 0.0.0.0 <-- Nat any traffic on the inside interface **Note: The '1' matches on both the global and nat statement. This means they work together.
-------------- NAT'ING FOR GENERAL TRAFFIC END -----------------------


------- NO NAT APPLICATION, '0' SAYS DO NOT NAT, AND REFERS TO 'nonat' ACL -------
nat (inside) 0 access-list nonat
------- NO NAT APPLICATION, '0' SAYS DO NOT NAT, AND REFERS TO 'nonat' ACL END -------

-------------------------- ROUTING TABLE ---------------------
route outside 0.0.0.0 0.0.0.0 173.1.1.2 1
route inside 10.0.0.0 255.0.0.0 10.5.1.1
route inside 63.63.63.0 255.255.255.0 10.5.1.1 1
-------------------------- ROUTING TABLE END ---------------------


timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius

----------------------- LDAP INFORMATION FOR AUTHENTICATION ----------------
aaa-server LDAP_GRP protocol ldap
aaa-server LDAP_GRP (inside) host 10.100.1.1
 ldap-base-dn dc=ad, dc=company, dc=com
 ldap-scope subtree
 ldap-naming-attribute displayName
 ldap-login-password whateveritis
 ldap-login-dn cn=LDAPQUERY, ou=SAccounts, ou=SpUsers, ou=AdministrativeSpecial-GroupsAndUsers, dc=ad, dc=company, dc=com
 server-type microsoft
aaa-server LDAP_GRP (inside) host 10.10.2.1
 ldap-login-password whateveritis
 server-type auto-detect
----------------------- LDAP INFORMATION FOR AUTHENTICATION END ----------------

---------------- AUTHENTICATION REFERENCES FOR PROTOCOLS ----------------------
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL  **Note: These refer to 'LOCAL', meaning the local database.
---------------- AUTHENTICATION REFERENCES FOR PROTOCOLS END ----------------------

---------------------- HTTP ENABLE AND ALLOW ------------------------
http server enable <-- enable HTTP access
http 10.1.0.0 255.255.0.0 inside  <-- allow 10.1.0.0 from the inside interface
---------------------- HTTP ENABLE AND ALLOW END ------------------------

-------------------------- SNMP STRING AND HOST ----------------------
snmp-server host inside 10.1.5.1 community $tring <-- weak string, don't do that!
-------------------------- SNMP STRING AND HOST END ----------------------

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog

--------------- PHASE II SA FOR VPN --------------------------------
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac <-- MATCHES DOWN IN CRYPTO MAP 'vpn' 20 FOR PHASE II
--------------- PHASE II SA FOR VPN END --------------------------------

-------------------- DEFAULT SA LIFETIMES -----------------------
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
-------------------- DEFAULT SA LIFETIMES END -----------------------

---------------- FOR REMOTE-ACCESS CLIENTS (DYN_MAP) ------------------
crypto dynamic-map dyn_map 65535 set pfs
crypto dynamic-map dyn_map 65535 set transform-set ESP-3DES-MD5
crypto dynamic-map dyn_map 65535 set security-association lifetime seconds 28800
crypto dynamic-map dyn_map 65535 set security-association lifetime kilobytes 4608000
---------------- FOR REMOTE-ACCESS CLIENTS (DYN_MAP) END ------------------

------- THIS APPLIES PHASE II, INTERESTING TRAFFIC ACL, AND THE PEER ADDRESS TOGETHER FOR remote-company#1 VPN ----
crypto map vpn 10 match address remote-company#1 <-- INTERESTING TRAFFIC ACL (remote-company#1) FOR THIS VPN
crypto map vpn 10 set peer 12.8.2.1 <-- PEER ADDRESS FOR THIS VPN
crypto map vpn 10 set transform-set ESP-3DES-MD5 <-- APPLIES TRANSFORM SET (PHASE II SA) TO THIS VPN
------- THIS APPLIES PHASE II, INTERESTING TRAFFIC ACL, AND THE PEER ADDRESS TOGETHER END FOR remote-company#1 VPN ----


------- THIS APPLIES PHASE II, INTERESTING TRAFFIC ACL, AND THE PEER ADDRESS TOGETHER FOR remote-company#2 VPN ----
crypto map vpn 20 match address remote-company#2 <-- INTERESTING TRAFFIC ACL (remote-company#2) FOR THIS VPN
crypto map vpn 20 set peer 64.7.1.5 <-- PEER ADDRESS FOR THIS VPN
crypto map vpn 20 set transform-set ESP-AES-256-SHA <-- APPLIES TRANSFORM SET (PHASE II SA) TO THIS VPN
crypto map vpn 20 set security-association lifetime seconds 3600
------- THIS APPLIES PHASE II, INTERESTING TRAFFIC ACL, AND THE PEER ADDRESS TOGETHER  FOR remote-company#2 VPN END ----


------------ FOR REMOTE-ACCESS - REFERS TO DYN_MAP -----------------
crypto map vpn 65535 ipsec-isakmp dynamic dyn_map
------------ FOR REMOTE-ACCESS - REFERS TO DYN_MAP END -----------------

---------- APPLIES CRYPTO MAP 'vpn' TO THE OUTSIDE INTERFACE ---------------
crypto map vpn interface outside
---------- APPLIES CRYPTO MAP 'vpn' TO THE OUTSIDE INTERFACE END ---------------
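The nonat ACL, the 'nat (inside) 0 access-list nonat' line and the per-peer 'match address' ACLs above have to agree with each other: every entry in a tunnel's interesting-traffic ACL should also appear in nonat, otherwise that traffic is translated by the general 'nat (inside) 1' / 'global (outside) 1' pair before the crypto map is consulted and never enters the tunnel. The script below is an added example (not part of the original post) that parses a 'show run' excerpt and reports VPN ACL entries with no matching nonat entry. SAMPLE_CONFIG is a constructed excerpt modelled on the post's addressing, with one remote-company#2 entry deliberately left out of nonat; the function names are this example's own.

```python
"""Cross-check a VPN's 'interesting traffic' ACL against the NAT-exempt ACL.

Added example, not part of the original post. SAMPLE_CONFIG is a constructed
excerpt modelled on the post's config (same addressing, one entry deliberately
left out of nonat); function names are this example's own.
"""
import re
from ipaddress import IPv4Network

SAMPLE_CONFIG = """\
access-list nonat extended permit ip host 10.2.1.10 129.1.1.0 255.255.255.240
access-list nonat extended permit ip host 10.2.1.11 129.1.1.0 255.255.255.240
access-list nonat extended permit ip 10.8.0.0 255.255.0.0 host 21.21.21.229
access-list remote-company#1 extended permit ip host 10.2.1.10 129.1.1.0 255.255.255.240
access-list remote-company#1 extended permit ip host 10.2.1.11 129.1.1.0 255.255.255.240
access-list remote-company#2 extended permit ip 10.8.0.0 255.255.0.0 host 21.21.21.229
access-list remote-company#2 extended permit ip host 10.10.2.201 host 21.21.21.230
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat
crypto map vpn 10 match address remote-company#1
crypto map vpn 20 match address remote-company#2
"""


def _parse_addr(tokens, i):
    """Consume one ACE address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ASA writes a subnet mask (255.255.255.240), which ipaddress accepts
    # directly in 'addr/mask' form; strict=False tolerates set host bits.
    return IPv4Network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'extended permit ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def nat_exempt_acl(config):
    """Name bound by 'nat (<if>) 0 access-list NAME' (the identity-NAT rule)."""
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    return m.group(1) if m else None


def crypto_map_acls(config):
    """{seq: acl_name} from 'crypto map <map> <seq> match address <acl>' lines."""
    pairs = re.findall(r"^crypto map \S+ (\d+) match address (\S+)", config, re.M)
    return {int(seq): acl for seq, acl in pairs}


def missing_nat_exemptions(config):
    """List (seq, acl, src, dst) for VPN ACEs that no nonat ACE covers.

    On this 8.2-style config NAT runs before the crypto map is consulted, so an
    ACE not mirrored in nonat is translated by the 'nat (inside) 1' /
    'global (outside) 1' pair and never matches the tunnel's ACL.
    """
    acls = parse_acls(config)
    exempt = acls.get(nat_exempt_acl(config), [])
    problems = []
    for seq, name in sorted(crypto_map_acls(config).items()):
        for src, dst in acls.get(name, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                problems.append((seq, name, str(src), str(dst)))
    return problems


if __name__ == "__main__":
    for seq, name, src, dst in missing_nat_exemptions(SAMPLE_CONFIG):
        print(f"crypto map seq {seq} ({name}): {src} -> {dst} is not in the nonat ACL")
```

Coverage is tested by containment rather than exact match, so a nonat entry like '10.0.0.0 255.0.0.0 -> 10.4.10.0 255.255.255.0' correctly covers narrower VPN ACL entries inside that range. Run it against a real 'show run' by replacing SAMPLE_CONFIG with the saved output.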


crypto isakmp identity hostname

----------- ENABLES ISAKMP ON THE OUTSIDE INTERFACE -------------
crypto isakmp enable outside
----------- ENABLES ISAKMP ON THE OUTSIDE INTERFACE END -------------

------- PHASE I SA FOR VPN ---------------------
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 8640
--------- PHASE I SA FOR VPN END ---------------------


--- IF YOU TRAVERSE A NAT DEVICE ANYWHERE IN THE PATH, PROBABLY THEIR SIDE DOES --------
crypto isakmp nat-traversal 10
-- IF YOU TRAVERSE A NAT DEVICE ANYWHERE IN THE PATH, PROBABLY THEIR SIDE DOES END -------

----------- ALLOWS TELNET ACCESS FROM ANY ADDRESS ON THE INSIDE -------------
telnet 0.0.0.0 0.0.0.0 inside
----------- ALLOWS TELNET ACCESS FROM ANY ADDRESS ON THE INSIDE END -------------

telnet timeout 5

------------ ALLOWS SSH ACCESS FROM ANY ADDRESS ON THE INSIDE AND OUTSIDE ---------
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
------------ ALLOWS SSH ACCESS FROM ANY ADDRESS ON THE INSIDE AND OUTSIDE END ---------
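The Phase I policies, the Phase II transform sets, the SNMP community line and the telnet/ssh access lines above are the settings most worth auditing on a config like this: 3DES, MD5 and small DH groups are legacy choices, telnet is cleartext management, and 'ssh 0.0.0.0 0.0.0.0 outside' exposes the management plane to the whole Internet. The script below is an added example (not part of the original post) that parses those sections out of a 'show run' and lists findings. SAMPLE_CONFIG is a constructed excerpt mirroring the post's lines; which settings count as 'legacy' (DES/3DES, MD5, DH groups below 14) is this example's own threshold, and the assumed default of DH group 2 for a policy that omits 'group' is an assumption.

```python
"""Audit crypto and management-plane settings in an ASA 'show run' dump.

Added example, not from the original post. SAMPLE_CONFIG is a constructed
excerpt mirroring the post's ISAKMP policies, transform sets and access lines;
the 'legacy' thresholds below are this example's own choice.
"""
import re

SAMPLE_CONFIG = """\
snmp-server host inside 10.1.5.1 community $tring
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
"""

LEGACY_CIPHERS = {"des", "3des"}
LEGACY_HASHES = {"md5"}
LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
MIN_DH_GROUP = 14  # example threshold: groups 1/2/5 use < 2048-bit moduli


def parse_isakmp_policies(config):
    """{priority: {attr: value}} from 'crypto isakmp policy N' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level command ends the block
    return policies


def audit(config):
    """Return a list of human-readable findings for the config excerpt."""
    findings = []
    for prio, p in sorted(parse_isakmp_policies(config).items()):
        if p.get("encryption") in LEGACY_CIPHERS:
            findings.append(f"isakmp policy {prio}: legacy cipher {p['encryption']}")
        if p.get("hash") in LEGACY_HASHES:
            findings.append(f"isakmp policy {prio}: legacy hash {p['hash']}")
        group = int(p.get("group", "2"))  # assumed default when 'group' is omitted
        if group < MIN_DH_GROUP:
            findings.append(f"isakmp policy {prio}: DH group {group} below group {MIN_DH_GROUP}")
    for name, algs in re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        weak = [a for a in algs.split() if a in LEGACY_ESP]
        if weak:
            findings.append(f"transform-set {name}: legacy {' '.join(weak)}")
    # 'telnet A M IF' has three tokens; 'telnet timeout N' has two and is skipped
    for net, mask, iface in re.findall(r"^telnet (\S+) (\S+) (\S+)$", config, re.M):
        findings.append(f"telnet allowed from {net} {mask} on {iface}: cleartext management")
    for net, mask, iface in re.findall(r"^ssh (\S+) (\S+) (\S+)$", config, re.M):
        if mask == "0.0.0.0" and iface == "outside":
            findings.append("ssh allowed from any address on outside: restrict to management sources")
    for line in config.splitlines():
        if line.startswith("snmp-server host") and " community " in line:
            findings.append("snmp-server host uses a v2c community string: cleartext, prefer SNMPv3")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Policy 65535 in the post (3des/sha/group 2) would be flagged on cipher and DH group only; policies 30 and 60 (aes-256/sha) are flagged only for their DH group. The remediation on the ASA side is to prefer the AES/SHA policies and transform sets, drop telnet entirely, and narrow the 'ssh ... outside' line to the management subnet that actually needs it.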

ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

---------- REMOTE ACCESS PROFILE FOR USERS --------------
group-policy remote-access1 internal
group-policy remote-access1 attributes
 dns-server value 10.9.2.10 10.9.2.11 <-- DNS servers when remote'd in
 vpn-tunnel-protocol IPSec <-- use IPSEC as the protocol
 split-tunnel-policy tunnelspecified <-- you tell the ASA what acl to use below
 split-tunnel-network-list value 102 <-- use this encryption acl (what you can get to AND what the ASA allows back to the remote client)
 split-dns value companyname.com <-- domain-name to use when accessing servers, etc
---------- REMOTE ACCESS PROFILE FOR USERS END --------------

------------------ LOCAL DATABASE ----------------------
username user1 password password01 encrypted privilege 15
------------------ LOCAL DATABASE END ----------------------


---------- REMOTE ACCESS SETUP FOR VPN (TRULY REMOTE ACCESS)-----------------
tunnel-group remote-access1 type remote-access <-- defines as "remote-access", not site to site vpn
tunnel-group remote-access1 general-attributes
 address-pool vpnpool <-- pull DHCP from this defined DHCP pool above
 authentication-server-group LDAP_GRP <-- use this server group for authentication for remote-access users (this is the LDAP config above)
 default-group-policy remote-access1 <-- applies to group-policy remote-access1 above for attributes like dns server, encryption acl, etc.
tunnel-group remote-access1 ipsec-attributes
 pre-shared-key whateveritis <-- preshared key for remote-access users
---------- REMOTE ACCESS SETUP FOR VPN (TRULY REMOTE ACCESS) END -----------------

---------------- remote-company#1 REMOTE PEER SETUP FOR SITE TO SITE VPN -------------
tunnel-group 12.8.2.1 type ipsec-l2l <-- Defines peer and site to site vpn
tunnel-group 12.8.2.1 ipsec-attributes
 pre-shared-key whateveritis <-- preshared key
---------------- remote-company#1 REMOTE PEER SETUP FOR SITE TO SITE VPN END -------------


---------------- remote-company#2 REMOTE PEER SETUP FOR SITE TO SITE VPN -------------
tunnel-group 64.7.1.5 type ipsec-l2l <-- Defines peer and site to site vpn
tunnel-group 64.7.1.5 ipsec-attributes
 pre-shared-key whateveritis <-- preshared key
---------------- remote-company#2 REMOTE PEER SETUP FOR SITE TO SITE VPN  END -------------
!

---------------- INSPECTION ----------------------
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
---------------- INSPECTION END ----------------------
prompt hostname context


ASA#