ASA Configuration Example


A Cisco ASA stores its startup configuration in flash, and that startup configuration is loaded during the boot process. The running configuration, however, lives in the device's RAM and can differ from the startup configuration. The running configuration is the firewall's actual, currently active configuration and can be displayed with the "sh running-config" command in the terminal.
If you want to store the running configuration as the startup configuration in flash, enter the "write memory" command:


ASA1#sh running-config
: Saved
:
ASA Version 8.2(1)
!
hostname ASA1
domain-name example.com
enable password 8Rw2YwIyt7RRKU24 encrypted
passwd 2QFEnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 195.252.68.14 255.255.255.0
!
interface Vlan50
 mac-address d0d0.fd01.a885
 nameif perimeter
 security-level 50
 ip address 10.10.15.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 description perimeter WIFI interface
 switchport access vlan 50
!
regex domainlist1 "\.youtube\.com"
regex domainlist2 "\.facebook\.com"
regex contenttype "Content-Type"
banner motd If U are not authorized, please leave !!!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name example.com
object-group network DM_INLINE_NETWORK_1
 network-object 10.116.22.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 10.116.22.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 10.10.5.0 255.255.255.0
 network-object 10.116.12.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
 network-object 10.10.5.0 255.255.255.0
 network-object 10.116.12.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
access-list nonat_ACL extended permit ip 192.168.4.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list nonat_ACL extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat_ACL extended permit ip 192.168.4.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list outside_IN_ACL extended permit icmp any any
access-list outside_IN_ACL extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_IN_ACL extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_IN_ACL extended permit tcp any host 195.252.107.51 eq 3389
access-list outside_IN_ACL extended permit tcp any host 195.252.107.51 eq 3390
access-list outside_IN_ACL extended permit ip any host 195.252.107.50
access-list crypto_pu_ured extended permit ip 192.168.4.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list crypto_zg_ured extended permit ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list crypto_sr_ured extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.4.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_2_cryptomap extended permit ip 192.168.4.0 255.255.255.0 object-group DM_INLINE_NETWORK_3
access-list perimeter_in extended permit icmp 10.10.15.0 255.255.255.0 host 10.10.15.1
access-list perimeter_in extended permit ip 10.10.15.0 255.255.255.0 any
access-list inside_mpc extended permit tcp 192.168.4.0 255.255.255.128 any eq www
access-list perimeter_mpc extended permit tcp any any eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu perimeter 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 195.252.117.54
nat (inside) 0 access-list nonat_ACL
nat (inside) 2 192.168.4.0 255.255.255.0
nat (perimeter) 2 10.10.15.0 255.255.255.0
static (inside,outside) tcp 195.252.107.51 3390 192.168.4.30 3389 netmask 255.255.255.255
static (inside,outside) tcp 195.252.107.51 3389 192.168.4.10 3389 netmask 255.255.255.255
static (inside,outside) 195.252.107.50 192.168.4.26 netmask 255.255.255.255
access-group outside_IN_ACL in interface outside
access-group perimeter_in in interface perimeter
route outside 0.0.0.0 0.0.0.0 193.252.68.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Infobip-DC6 protocol ldap
aaa-server Infobip-DC6 (inside) host 192.168.4.30
 timeout 5
 server-type auto-detect
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.4.0 255.255.255.0 inside
http 212.147.223.160 255.255.255.240 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 212.147.223.164
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 193.147.223.166
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 161.53.160.4 source inside prefer
ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1
webvpn
 enable outside
group-policy infobip_userpolicy internal
username myuser1 password uJWhT.FZZa3oCiHR encrypted privilege 15
tunnel-group 212.147.223.164 type ipsec-l2l
tunnel-group 212.147.223.164 ipsec-attributes
 pre-shared-key *
tunnel-group 193.147.223.166 type ipsec-l2l
tunnel-group 193.147.223.166 ipsec-attributes
 pre-shared-key *
tunnel-group infobip_SSL-VPN type remote-access
tunnel-group infobip_SSL-VPN general-attributes
 authentication-server-group Infobip-DC6
!
class-map type regex match-any DomainBlockList
 description Tu su definirani svi sitovi koje blokiramo
 match regex domainlist2
 match regex domainlist1
class-map httptrafic
 match access-list perimeter_mpc
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map inspection_default
 match default-inspection-traffic
class-map httptraffic
 match access-list inside_mpc
!
!
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection log
 class BlockDomainsClass
  reset log
policy-map perimeter-policy
 class httptrafic
  inspect http http_inspection_policy
policy-map global_policy
 class inspection_default
  inspect pptp
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside
service-policy perimeter-policy interface perimeter
prompt hostname context
Cryptochecksum:10ea02484793d4981b418fad8f0c4f5d
: end
ASA#


After the configuration has been verified, save the changes to flash:

ASA1#write mem
Building configuration...
Cryptochecksum: 35e6e5ae 069ce3ff 05ff342c 62996811
7216 bytes copied in 3.700 secs (2405 bytes/sec)
[OK]
ASA1#
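Before committing a running configuration with write memory, the management-access and IPsec transform-set lines of a dump like the one above are worth a mechanical review. The Python script below is an added example, not code from the original post; it audits an excerpt copied from the running-config shown, and the trusted-interface list and the /24 threshold are assumptions of the example.

```python
"""Audit the management-access and IPsec transform-set lines of a Cisco ASA
'show running-config' dump. Added example, not code from the original post."""
import ipaddress
import re

# Constructed excerpt: these lines are copied from the running-config in the post.
SAMPLE_CONFIG = """\
http server enable
http 192.168.4.0 255.255.255.0 inside
http 212.147.223.160 255.255.255.240 outside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
"""

# ASA grants management access with "<ssh|telnet|http> <address> <netmask> <nameif>".
MGMT_RE = re.compile(r"^(ssh|telnet|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
XFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
# ESP algorithms a current deployment should no longer negotiate (3DES, DES, MD5-HMAC).
LEGACY_ALGS = {"esp-3des", "esp-des", "esp-md5-hmac"}


def audit(config: str, trusted_ifaces=("inside",), max_prefixlen=24) -> list:
    """Return (config line, reason) pairs in config order.

    trusted_ifaces: nameifs where a broad management source range is acceptable
    (assumption of this example; the post's interfaces are inside/outside/perimeter).
    max_prefixlen: source ranges wider than this on other interfaces are flagged.
    """
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = MGMT_RE.match(line)
        if m:
            proto, addr, mask, nameif = m.groups()
            net = ipaddress.IPv4Network((addr, mask), strict=False)  # 0.0.0.0 0.0.0.0 -> 0.0.0.0/0
            if proto == "telnet":
                findings.append((line, "cleartext management protocol enabled"))
            if nameif not in trusted_ifaces and net.prefixlen < max_prefixlen:
                findings.append((line, f"{proto} management open to {net} on {nameif}"))
            continue
        m = XFORM_RE.match(line)
        if m:
            name, algs = m.groups()
            legacy = sorted(LEGACY_ALGS & set(algs.split()))
            if legacy:
                findings.append((line, f"transform-set {name} uses legacy {', '.join(legacy)}"))
    return findings
```

Run against the excerpt it reports both transform sets, the telnet line and the SSH-from-anywhere line on outside; the ASDM /28 on outside passes the threshold.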
