Saturday, January 23, 2021

Cisco ASA 5505 config


  • Author
    Topic
  • #0

    supermegaman
    User
    62 posts
    Offline

    Hey DailyRush.

    I've got a problem I hope you can help with, since I've been staring at it so long I've gone blind to it.

    The thing is that our web server in the DMZ can no longer be reached from either inside or outside.

    It worked fine and everything was running, but suddenly the DMZ turned into a black hole with no network of any kind.

    The ASA can't ping the web server, and the web server can't ping its gateway.

    Inside can get through to outside and back just fine.

    Can someone take a look at my config and see what has gone wrong?

    My own guess is that an ACL or some NAT is missing, but as I said, it stopped working from one moment to the next.

    ASA(config-network-object)# show run
    : Saved
    :
    : Serial Number: JMX1831Z086
    : Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
    :
    ASA Version 9.2(3)
    !
    hostname ASA
    domain-name GBOF-cph.local
    enable password .h2T1va7bpb/xWzw encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    !
    interface Ethernet0/0
    description Outside
    !
    interface Ethernet0/1
    description DMZ
    switchport access vlan 3
    !
    interface Ethernet0/2
    description Inside
    switchport access vlan 2
    !
    interface Ethernet0/3
    shutdown
    !
    interface Ethernet0/4
    shutdown
    !
    interface Ethernet0/5
    shutdown
    !
    interface Ethernet0/6
    shutdown
    !
    interface Ethernet0/7
    shutdown
    !
    interface Vlan1
    description Outside
    nameif Outside
    security-level 0
    ip address dhcp setroute
    !
    interface Vlan2
    nameif Inside
    security-level 100
    ip address 10.1.1.26 255.255.255.252
    !
    interface Vlan3
    description DMZ
    nameif DMZ
    security-level 50
    ip address 10.1.80.1 255.255.255.0
    !
    interface Vlan99
    description Managment
    management-only
    nameif Managment
    security-level 80
    ip address 10.1.99.7 255.255.255.0
    !
    ftp mode passive
    dns domain-lookup Inside
    dns server-group DefaultDNS
    name-server 10.1.10.2
    domain-name GBOF-cph.local
    object network inside-subnet
    subnet 10.1.0.0 255.255.0.0
    object network dmz-subnet
    subnet 10.1.80.0 255.255.255.0
    object network webserver
    host 10.1.80.2
    object network dns-server
    host 10.1.10.2
    object-group service RDP tcp
    port-object eq 3389
    access-list _Trace extended permit icmp any any time-exceeded
    access-list outside_acl extended permit tcp any object webserver eq www
    access-list dmz_acl extended permit udp any object dns-server eq domain
    access-list dmz_acl extended deny ip any object inside-subnet
    access-list dmz_acl extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu Outside 1500
    mtu Inside 1500
    mtu DMZ 1500
    mtu Managment 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-741.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (Inside,DMZ) source static inside-subnet inside-subnet destination static dmz-subnet dmz-subnet
    !
    object network inside-subnet
    nat (Inside,Outside) dynamic interface
    object network dmz-subnet
    nat (DMZ,Outside) dynamic interface
    object network webserver
    nat (any,Outside) static interface service tcp www www
    access-group outside_acl in interface Outside
    access-group dmz_acl in interface DMZ
    router ospf 1
    router-id 8.8.8.8
    network 10.1.1.24 255.255.255.252 area 1
    network 10.1.80.0 255.255.255.0 area 1
    network 10.1.99.0 255.255.255.0 area 1
    area 1
    log-adj-changes
    redistribute connected metric-type 1
    default-information originate
    !
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.1.20.0 255.255.255.0 Inside
    http 10.1.20.13 255.255.255.255 Inside
    no snmp-server location
    no snmp-server contact
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh stricthostkeycheck
    ssh 10.1.0.0 255.255.0.0 Inside
    ssh timeout 5
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username admin password 2m7sKG1GI14Mn5fy encrypted
    username cisco password eeH8sl9M4wy/URjZ encrypted
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
    class class-default
    user-statistics accounting
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email callhome@cisco.com
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d042d4a10f234ac21a3838a6264a3416
    : end
    ASA(config-network-object)#

Showing 3 comments - 1 to 3 (of 3 total)
  • Author
    Comments
  • #1

    Stangtennis
    User
    8 posts
    Offline

    I would remove that config very quickly. It contains both passwords and IPs.

    And you're running a version that is open to e.g. POODLE.

    #2

    supermegaman
    User
    62 posts
    Offline

    They're inside addresses, the passwords aren't in clear text, and besides it's just a temporary test setup.

    But I'd still like a suggestion as to why the DMZ isn't working.

    #3

    Sindre
    User
    12 posts
    Offline

    Look at your DMZ access list.
    "in" is from the DMZ network towards the router.
    The first step would be to remove this line
    access-group dmz_acl in interface DMZ
    to see whether it makes a difference or not.
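An added example, not part of the thread: before pulling the access-group, you can check what the posted dmz_acl actually permits with a small first-match evaluator over the object and access-list lines copied from the config above (assumed: IPv4 only, and just the `any` / `object NAME` and `eq PORT` forms this config uses). It also lists which network objects nest inside others, which matters here because inside-subnet is 10.1.0.0/16 and so covers the DMZ range too.

```python
import ipaddress
# Constructed excerpt: the network objects and dmz_acl lines from the config posted above.
ASA_CONFIG = """\
object network inside-subnet
 subnet 10.1.0.0 255.255.0.0
object network dmz-subnet
 subnet 10.1.80.0 255.255.255.0
object network webserver
 host 10.1.80.2
object network dns-server
 host 10.1.10.2
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
"""
PORT_NAMES = {"domain": 53, "www": 80}
ANY = ipaddress.ip_network("0.0.0.0/0")
def parse_objects(cfg):
    """Map each 'object network NAME' block to an ip_network (a host becomes a /32)."""
    objs, cur = {}, None
    for w in (line.split() for line in cfg.splitlines()):
        if w[:2] == ["object", "network"]:
            cur = w[2]
        elif cur and w and w[0] in ("host", "subnet"):
            objs[cur] = ipaddress.ip_network(w[1] if w[0] == "host" else f"{w[1]}/{w[2]}")
    return objs
def parse_acl(cfg, name, objs):
    """ACEs of access-list NAME in order as (action, proto, src, dst, dport)."""
    aces = []
    for w in (line.split() for line in cfg.splitlines()):
        if w[:3] != ["access-list", name, "extended"]:
            continue
        rest = w[5:]  # address forms handled: 'any' or 'object NAME'; then optional 'eq PORT'
        src, dst = [objs[rest.pop(0)] if rest.pop(0) == "object" else ANY for _ in range(2)]
        port = rest[1] if rest[:1] == ["eq"] else None
        dport = None if port is None else (int(port) if port.isdigit() else PORT_NAMES[port])
        aces.append((w[3], w[4], src, dst, dport))
    return aces
def evaluate(aces, src, dst, proto, dport=None):
    """ASA first-match semantics: (action, ACE number) or ('deny', 'implicit deny')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, p, sn, dn, port) in enumerate(aces, 1):
        if p in ("ip", proto) and s in sn and d in dn and port in (None, dport):
            return action, i
    return "deny", "implicit deny"
def nested_objects(objs):
    """(inner, outer) pairs where one object's range lies inside another's."""
    return sorted((a, b) for a in objs for b in objs if a != b and objs[a].subnet_of(objs[b]))
OBJECTS = parse_objects(ASA_CONFIG)
ACES = parse_acl(ASA_CONFIG, "dmz_acl", OBJECTS)
```

Traffic to or from the ASA's own interface addresses (the pings in the question) is not subject to interface access-lists, so a permit here only tells you about through-traffic from the DMZ.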
