c1asa# sho running-config
: Saved
:
: Serial Number: JAD240802RS
: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
! Software release reported by the device (the boot image below is asa984-20).
! NOTE(review): WebVPN/AnyConnect is enabled on the outside interface later in this
! config, so confirm this release against current Cisco security advisories and the
! support status of the 9.8 train.
ASA Version 9.8(4)20
!
hostname c1asa
! The "$sha512$5000$" prefix plus the "pbkdf2" keyword marks a PBKDF2-SHA512 hash.
! NOTE(review): the hash is printed in a shared capture. Treat the enable password as
! exposed, change it, and redact hashes before publishing a configuration.
enable password $sha512$5000$JbsKWKLV9/y1d/xkdHrOgw==$15U/x+VZ/jKggvkGPhiJ8Q==
pbkdf2
names
no mac-address auto
! Address pool handed to remote-access VPN clients (used by tunnel-group AnyConnect-SSl-VPN).
! NOTE(review): the pool is declared with a /24 mask, while the NAT-exemption object
! NETWORK_OBJ_10.17.34.0_26 describes the same range as a /26. Addresses .1-.63 fall
! inside both, but the masks should agree.
ip local pool VPN_POOL 10.17.34.1-10.17.34.63 mask 255.255.255.0
!
! Internet-facing interface: lowest trust level, public /29 address.
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 75.151.88.221 255.255.255.248
!
! LAN-facing interface: highest trust level. All servers, clients and device
! management share this one segment; there is no DMZ interface for the published hosts.
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.6.1 255.255.255.0
!
! GigabitEthernet1/3 through 1/8 are unused and administratively shut down.
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
! The management port has no nameif and no address, so it carries no ASA management
! traffic; SSH and ASDM are served on "inside" instead (see the ssh/http lines).
! NOTE(review): an ASA 5516-X normally uses this port for the FirePOWER module -
! confirm whether that is the case here.
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa984-20-lfbff-k8.SPA
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
! inter-interface: allows traffic between interfaces that share a security level. No two
! named interfaces share a level in this config, so it has no effect today, but it would
! silently open traffic if a second level-100 or level-0 interface were added.
same-security-traffic permit inter-interface
! intra-interface: allows traffic to enter and leave the same interface (hairpinning),
! which includes VPN-client-to-VPN-client traffic on "outside".
! NOTE(review): keep only if hairpinning is required.
same-security-traffic permit intra-interface
! Network objects. Each published server has a pair: an inside (real) host object and a
! public host object that the static NAT rules further down map it to.
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network JC-NAS
host 192.168.6.248
object network JC-NAS-Public_215
host 75.151.88.215
object network MAVENS01-PUBLIC_209
host 75.151.88.209
object network MAVENS01
host 192.168.6.17
object network HORIZON-SS-PUBLIC_218
host 75.151.88.218
object network HORIZON-SS
host 192.168.6.14
object network Fileserver-01-PUBLIC_217
host 75.151.88.217
object network Fileserver-01
host 192.168.6.12
! NOTE(review): MGMT_network and LAN_INSIDE are not referenced by any ACL or NAT rule in
! this capture. Either use them (e.g. to scope ssh/http management access) or remove them.
object network MGMT_network
subnet 192.168.10.0 255.255.255.0
object network LAN_INSIDE
subnet 192.168.6.0 255.255.255.0
object network Jitsi-02-Public
host 75.151.88.211
object network Jitsi-02
host 192.168.6.161
! VPN client range as a /26; used only by the NAT-exemption rule.
object network NETWORK_OBJ_10.17.34.0_26
subnet 10.17.34.0 255.255.255.192
object network Plesk-01-Public
host 75.151.88.220
object network Plesk-01
host 192.168.6.18
! Service groups. The DM_INLINE_* names are generated by ASDM.
! DM_INLINE_TCP_1 and DM_INLINE_TCP_2 are identical (FTP control + data).
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service TCP_UDP_11000_12000 tcp-udp
port-object range 11000 12000
object-group service JitsiCommun udp
port-object eq 10000
object-group service JitsiMeet tcp
port-object eq 4443
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
! NOTE(review): DM_INLINE_PROTOCOL_1 duplicates TCPUDP and is not referenced in this capture.
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
! Inbound policy for the Internet-facing interface (bound by "access-group
! outside_access_in in interface outside"). Entries are evaluated top-down, first match
! wins; destinations are the real (inside) addresses of the statically NATed servers.
!
! NOTE(review): the last entry of this list, "permit ip any any", matches every packet
! that no earlier entry matched, so the list as written filters nothing. Every host with a
! static NAT is reachable from any source on every port and protocol. Remove it with
! "no access-list outside_access_in extended permit ip any any" and rely on the implicit
! deny at the end of the list.
access-list outside_access_in extended permit tcp any object HORIZON-SS eq https
access-list outside_access_in extended permit tcp any object HORIZON-SS eq 8443
access-list outside_access_in extended permit tcp any object HORIZON-SS eq 4172
access-list outside_access_in extended permit udp any object HORIZON-SS eq 4172
! NOTE(review): FTP (here, to Jitsi-02 and to Plesk-01) carries credentials in clear text.
! Prefer SFTP/FTPS, or restrict the source addresses.
access-list outside_access_in extended permit tcp any object Fileserver-01 object-
group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object Fileserver-01 eq 2121
access-list outside_access_in extended permit object-group TCPUDP any object
Fileserver-01 object-group TCP_UDP_11000_12000
! NOTE(review): "permit ip" opens every port and protocol on the NAS to any source.
! Replace with the specific services that must be published.
access-list outside_access_in extended permit ip any object JC-NAS
access-list outside_access_in extended permit tcp any object MAVENS01 eq 8087
access-list outside_access_in extended permit tcp any object MAVENS01 eq 8088
! Lets replies to inside-originated pings back in. Adding "inspect icmp" to the global
! policy would make this entry unnecessary and stop unsolicited echo-replies.
access-list outside_access_in extended permit icmp any any echo-reply
! NOTE(review): SSH is open to any source. Restrict it to known administrator addresses
! or require the VPN for administration.
access-list outside_access_in extended permit tcp any object Jitsi-02 eq ssh
access-list outside_access_in extended permit tcp any object Jitsi-02 eq https
access-list outside_access_in extended permit tcp any object Jitsi-02 eq www
access-list outside_access_in extended permit tcp any object Jitsi-02 object-group
JitsiMeet
access-list outside_access_in extended permit udp any object Jitsi-02 object-group
JitsiCommun
access-list outside_access_in extended permit tcp any object Jitsi-02 eq ftp
! NOTE(review): this "permit ip" entry already matches everything destined to Plesk-01,
! so the four port-specific Plesk-01 entries after it never match. Remove this line and
! keep the specific ones.
access-list outside_access_in extended permit ip any object Plesk-01
access-list outside_access_in extended permit tcp any object Plesk-01 eq 8443
access-list outside_access_in extended permit tcp any object Plesk-01 eq www
access-list outside_access_in extended permit tcp any object Plesk-01 object-group
DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any object Plesk-01 eq https
! Catch-all permit: see the note at the top of this list.
access-list outside_access_in extended permit ip any any
! Local-printing rule set: LPD, IPP (631), raw printing (9100), mDNS, LLMNR and NetBIOS
! name service.
! NOTE(review): no group-policy in this capture references this list, so it appears to be
! unused. It looks like the ASDM-generated template for AnyConnect client firewall rules -
! confirm. If it is ever applied as an ordinary top-down filter, the leading
! "deny ip any4 any4" matches first and none of the permits below take effect.
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251
eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name
Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252
eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-
ns
! Networks routed through the AnyConnect tunnel (referenced by split-tunnel-network-list).
! Everything else leaves the client directly and is not inspected by this firewall.
! NOTE(review): 192.168.10.0/24 is the range named MGMT_network in the object list. No
! vpn-filter is visible on the group-policy, so every VPN user can reach both subnets in
! full. Confirm that is intended, or add a vpn-filter ACL.
access-list Split_Tunnel standard permit 192.168.6.0 255.255.255.0
access-list Split_Tunnel standard permit 192.168.10.0 255.255.255.0
! Policy for traffic entering the inside interface. The second entry permits everything,
! which makes the first entry redundant and leaves egress unrestricted.
! NOTE(review): consider an explicit egress policy (at least for the published servers)
! so a compromised inside host cannot open arbitrary outbound connections.
access-list inside_access_in extended permit tcp any object Plesk-01 eq www
access-list inside_access_in extended permit ip any any
pager lines 24
! Logging destinations in this capture: ASDM (informational) and e-mail (errors) only.
! NOTE(review): no "logging host"/"logging trap", "logging buffered" or "logging timestamp"
! line is visible, so events are not shipped to a syslog server or SIEM and carry no
! timestamps. For detection and forensics add "logging timestamp" and
! "logging host inside <SYSLOG_SERVER_IP>" with a suitable "logging trap" level.
! NOTE(review): no "smtp-server" line is visible either, so the mail destination may not
! deliver at all - verify.
logging enable
logging asdm informational
logging mail errors
logging from-address info@contractone.com
logging recipient-address bryanj@contractone.com level errors
! Restricts auth-class messages sent by mail to severity "emergencies", so authentication
! failures are not mailed.
logging class auth mail emergencies
mtu outside 1500
mtu inside 1500
! Unicast reverse-path forwarding check on both interfaces: drops packets whose source
! address is not reachable through the interface they arrived on (anti-spoofing).
ip verify reverse-path interface outside
ip verify reverse-path interface inside
! Single unit, no failover peer.
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7131-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
! NAT exemption (identity twice-NAT): traffic from any inside source to the VPN client
! range is left untranslated so it can return through the tunnel.
nat (inside,outside) source static any any destination static
NETWORK_OBJ_10.17.34.0_26 NETWORK_OBJ_10.17.34.0_26 no-proxy-arp route-lookup
!
! Default outbound translation: everything else is PATed to the outside interface address.
object network obj_any
nat (any,outside) dynamic interface
! One-to-one static NATs. Each maps ALL ports of the inside host to its public address,
! so the outside_access_in ACL is the only control on what is reachable from the Internet.
! The "dns" keyword rewrites DNS replies passing through the firewall for that host.
object network JC-NAS
nat (inside,outside) static JC-NAS-Public_215
object network MAVENS01
nat (inside,outside) static MAVENS01-PUBLIC_209 dns
object network HORIZON-SS
nat (inside,outside) static HORIZON-SS-PUBLIC_218 dns
object network Fileserver-01
nat (inside,outside) static Fileserver-01-PUBLIC_217
object network Jitsi-02
nat (inside,outside) static Jitsi-02-Public dns
object network Plesk-01
nat (inside,outside) static Plesk-01-Public dns
! Bind the ACLs to the interfaces (inbound direction).
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
! Default route to the upstream gateway. 192.168.10.0/24 (MGMT_network) is reached through
! an inside router at 192.168.6.254.
route outside 0.0.0.0 0.0.0.0 75.151.88.222 1
route inside 192.168.10.0 255.255.255.0 192.168.6.254 1
! Connection and translation idle timers. NOTE(review): these look like platform
! defaults - not verified.
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
! Administrative access (enable, ASDM/HTTP, SSH) authenticates against the local user
! database only; no external AAA server is defined in this capture.
! NOTE(review): no "aaa local authentication attempts max-fail" line is visible, so local
! accounts have no lockout after repeated failures. No command authorization or
! accounting is configured either.
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
! ASDM/HTTPS management server, reachable from ANY source address arriving on "inside".
! NOTE(review): narrow this to the administrators' hosts or subnet, e.g.
! "http <ADMIN_SUBNET> <MASK> inside", then remove the 0.0.0.0 entry.
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
! IKEv2 IPsec (ESP) proposals. This is the ASDM-generated set: every proposal accepts
! SHA-1 or MD5 for integrity, and the set includes 3DES and single DES.
! NOTE(review): DES, 3DES and MD5 are obsolete, and SHA-1 is deprecated for new
! deployments. Delete the 3DES and DES proposals and use "protocol esp integrity sha-256"
! (or stronger) on the AES proposals.
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
! The dynamic map offers all five proposals, so a peer that proposes only the weakest one
! is still accepted. The map is bound to the outside interface.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
! Both trustpoints are self-enrolled (self-signed identity certificates).
! ASDM_TrustPoint0 is the certificate presented for IKEv2 remote access
! ("crypto ikev2 remote-access trustpoint ASDM_TrustPoint0").
! NOTE(review): clients cannot validate a self-signed certificate, so users learn to accept
! certificate warnings and a machine-in-the-middle would go unnoticed. Enrol a
! certificate from a CA the clients trust, with the VPN's public FQDN as subject.
! NOTE(review): no "ssl trust-point" line is visible, so confirm which certificate the
! SSL VPN portal on "outside" actually presents.
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=c1asa
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.6.1,CN=c1asa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 414fb95e
3082032d 30820215 a0030201 02020441 4fb95e30 0d06092a 864886f7 0d01010b
05003026 310e300c 06035504 03130563 31617361 31143012 06092a86 4886f70d
01090216 05633161 7361301e 170d3230 30353235 32323435 34305a17 0d333030
35323332 32343534 305a3026 310e300c 06035504 03130563 31617361 31143012
06092a86 4886f70d 01090216 05633161 73613082 0122300d 06092a86 4886f70d
01010105 00038201 0f003082 010a0282 010100c1 81e53e57 f1dc96a8 08b5750e
f3f8c4e7 a5cf01d7 70b45be2 396ed43b 50b7b3d0 69115b07 1c809288 9d1eacff
24ea955f 859d199b 5f7be0ed 61dc3796 7661efe6 89a1b34c e4557830 63687a7f
316bb4ea a11e7caf 33f44f35 791ef54a f3907508 0912e432 0c0b9a5e 438e9a46
ecb47632 57338b34 d55e044a 6475e691 64f2e3f7 448f1003 826307c5 fd1b76a9
d8cee51b d7188e0b 74b253e6 a6819463 2cdf4566 62f08239 d2a710b1 8a8b73a5
f1cc7000 fbe46ade 068ccea9 3491dcfe 4b0c1ab2 1110c420 375f9f0a 5c2fdf1b
4a3c1231 15f8cebb 74665abe b43321c1 dee2d400 b5885137 1e671b08 c6dc438e
5e8e56d4 6a30f005 1cafe7e0 3d159420 bf486102 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 8014506e 47f3adaa f10b37b6 8fb7257e 20bf204e feb5301d
0603551d 0e041604 14506e47 f3adaaf1 0b37b68f b7257e20 bf204efe b5300d06
092a8648 86f70d01 010b0500 03820101 00720843 33e03727 6499a8d9 405ce816
80919495 e8f37e84 d28ae4f5 57c6d7e8 997344ab fc8c1a1f d35dba61 45ef5e3a
73df12d2 a469647f 05b36500 d0b8b544 d7d1286e 972c7460 93293cbe da23650d
71eeb02d 8767f935 eeb82bae 15709826 73f31d73 b014b8ca 7234e2a8 72d2b519
3607bb29 8cea1573 f75f7f55 ef44a3ab 76258d29 6ef378a6 45dc66f3 a742c836
52baf1dc fe52cb74 6e007ff9 f5d36860 83e2143a 18fe4b23 105b62ab 7da072df
3a7f79ef 58e5b456 a702c2e6 c2d0cf44 6ca49dba 71f39163 f445c2c5 0554e69a
3ae4c023 6c273e2a e52482f8 2ac245ce e4a74440 7e867efb c1b4df47 cbe700c3
a4e5254d da513cd7 3fdd37e6 544b60f6 77
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 424fb95e
308202c8 308201b0 a0030201 02020442 4fb95e30 0d06092a 864886f7 0d01010b
05003026 310e300c 06035504 03130563 31617361 31143012 06035504 03130b31
39322e31 36382e36 2e31301e 170d3230 30353235 32323437 31305a17 0d333030
35323332 32343731 305a3026 310e300c 06035504 03130563 31617361 31143012
06035504 03130b31 39322e31 36382e36 2e313082 0122300d 06092a86 4886f70d
01010105 00038201 0f003082 010a0282 010100ac d30dcd82 44eab311 6b21aab9
8b993d75 e03e81cb 193ce924 6b217954 f0eee722 002c744a a8b41070 d30f940d
be12317c 0ae03b81 a7400b17 37679397 5560f604 3ee3414f 6b144640 ac713106
101212b0 3f2c5102 8ac859d2 e44824f0 0de164c2 728b10ba c0d96430 6af6f2d8
0a80d5a1 90f1e2f5 edac07bb e88666e8 5dd9dc09 2b4f38fe 997114c7 49bcd7c4
6c81ce0b b4396235 f0285a5a 7490abe3 840a60e3 0855e08c c696171c e888e9f5
0b40bce9 1e3d8ceb 45a5bca2 37f675cb fa5d0cd7 4d542e0f fdb76bb5 2c4d1ab4
50f59878 61923e24 206bd99c 60e80f21 60afa52f 51861cc2 2386f78e 14a53dcb
eb768ed8 b3b8b631 29385117 2859dc26 23763d02 03010001 300d0609 2a864886
f70d0101 0b050003 82010100 1bf4fd23 d27204bf 2e84ad1a 9f7e6b85 1a798890
93c90d18 2add0db0 d51f99e1 ad765a39 c105a453 25c4cc0b 03d3f4ce dce15b2f
506cb869 1092cfc0 5dc92f2b b182e205 9097e920 aad67ce4 cea7bdf3 dd6fc40a
ec3f5e50 c25baae5 742b3bfb 8a7e2e8f 9c21a0a2 e5f73863 2fa54a7e 039014fc
09c86198 3c5ded08 610231b6 9401a585 2b03a1de 65044c5d 942b60b3 5c631b5d
b6e84a2a 1b0b2e93 6972d3c4 883011c5 44d24d04 ffc7670f 8e4b75e8 65524978
a5169e24 7a404a7f 543052ef d624e6cd 894ddd6f cc528f40 faf7d9d7 38fd8cb0
e9b3ef35 0e6a3101 5cbbaea5 3d17a8ff f50ca4c1 f29152cb 394f6715 8f97ace8
0f27830a 1150b700 672f9f87
quit
! IKEv2 (phase 1) policies, tried in ascending priority number. All five use SHA-1 for
! integrity and PRF, and accept Diffie-Hellman groups 5 and 2 (1536-bit and 1024-bit MODP).
! NOTE(review): remove policies 30 (3DES) and 40 (DES). On the remaining policies replace
! "group 5 2" with group 14 or an elliptic-curve group (19/20/21), and use
! "integrity sha256" / "prf sha256" or stronger.
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
! IKEv2 is enabled on the Internet-facing interface, with AnyConnect client services on 443.
! NOTE(review): the only AnyConnect group-policy restricts itself to ssl-client. If IKEv2
! remote access is not used, disable it here to reduce the exposed surface.
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
! Only the Telnet idle timer is set; no "telnet <net> <mask> <if>" permit line is visible,
! so Telnet is not reachable from any address.
telnet timeout 5
ssh stricthostkeycheck
! SSH management is accepted from ANY source address arriving on "inside".
! NOTE(review): restrict this to the administrators' hosts or subnet.
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
! NOTE(review): dh-group1-sha1 is a 1024-bit Diffie-Hellman key exchange. Change it to
! "ssh key-exchange group dh-group14-sha1", the stronger option on this release train;
! newer trains offer SHA-256 variants - confirm after upgrade.
! NOTE(review): no "ssh version 2" line is visible; confirm SSHv1 is not accepted.
ssh key-exchange group dh-group1-sha1
! NOTE(review): 0 disables the console idle timeout, so an abandoned privileged console
! session stays open indefinitely. Set a finite value.
console timeout 0
! Allows management of the inside address through a VPN tunnel. Combined with the 0.0.0.0
! ssh/http entries, connected VPN clients can presumably reach SSH and ASDM - verify that
! this is intended.
management-access inside
dhcpd auto_config outside
!
! DHCP server for the inside LAN: 7-day leases, internal DNS/WINS servers, domain c1.local.
! NOTE(review): published server Jitsi-02 (192.168.6.161) sits inside this dynamic range.
! Confirm it is excluded or reserved so a client cannot be leased the same address.
dhcpd address 192.168.6.100-192.168.6.170 inside
dhcpd dns 192.168.6.10 192.168.6.11 interface inside
dhcpd wins 192.168.6.10 192.168.6.11 interface inside
dhcpd lease 604800 interface inside
dhcpd domain c1.local interface inside
dhcpd enable inside
!
! Basic threat detection plus per-host/port statistics; TCP-intercept rate monitoring.
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-
rate 200
! Time comes from an internal server, without NTP authentication. Accurate time matters
! for log correlation and certificate validation.
ntp server 192.168.6.10 source inside prefer
! SSL VPN (WebVPN/AnyConnect) service, enabled on the Internet-facing interface.
! NOTE(review): no "ssl server-version" or "ssl cipher" line is visible, so protocol
! and cipher selection are at release defaults - review them.
webvpn
enable outside
! HSTS: browsers are told to use HTTPS only for one year (31536000 s), subdomains included.
hsts
enable
max-age 31536000
include-sub-domains
no preload
! AnyConnect 4.8 web-deploy packages pushed to clients.
! NOTE(review): check these client versions against current Cisco advisories and update
! the packages along with the ASA image.
anyconnect image disk0:/anyconnect-macos-4.8.03052-webdeploy-k9.pkg 1 regex "Intel
Mac OS X"
anyconnect image disk0:/anyconnect-win-4.8.03043-webdeploy-k9.pkg 2
anyconnect profiles ANYCONNECT_VPN_client_profile
disk0:/ANYCONNECT_VPN_client_profile.xml
anyconnect enable
! Shows the list of tunnel-group aliases on the login page, i.e. before authentication.
tunnel-group-list enable
cache
disable
error-recovery disable
! Default group policy, inherited by any connection that does not match a more specific
! policy. It allows every VPN protocol, including clientless SSL, L2TP/IPsec and IKEv1.
! NOTE(review): restrict it to what is actually used (the AnyConnect policy below uses
! only ssl-client) so the default tunnel groups do not expose extra protocols.
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
! AnyConnect policy: SSL client only, split tunnelling limited to the Split_Tunnel ACL.
! NOTE(review): default-domain here is a1.local, while the inside DHCP scope hands out
! c1.local - possibly a typo; confirm.
group-policy GroupPolicy_AnyConnect-SSl-VPN internal
group-policy GroupPolicy_AnyConnect-SSl-VPN attributes
wins-server none
dns-server value 192.168.6.10
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel
default-domain value a1.local
dynamic-access-policy-record DfltAccessPolicy
webvpn
always-on-vpn profile-setting
! Local accounts; both hold privilege 15 (full administrative rights).
! NOTE(review): the tunnel-group below names no authentication-server-group, so VPN
! logins presumably use this same local database. The firewall administrator accounts
! would then double as Internet-facing VPN credentials, with no second factor visible.
! Use separate VPN-only accounts ("service-type remote-access" under "username ...
! attributes") or an external AAA server with MFA.
! NOTE(review): these PBKDF2 hashes are printed in a shared capture. Treat both
! passwords as exposed and change them.
username bryanj password
$sha512$5000$lIkmG0YPY6OMNfcyEEzkxw==$LcMTLFaiG5v08tEzwbu1VA== pbkdf2 privilege 15
username dulem password
$sha512$5000$WzpIPu/qfZfLDA+MQvOQXg==$e1E8Gd1xQ+NXsE8O96fx9A== pbkdf2 privilege 15
! Remote-access tunnel group: hands out addresses from VPN_POOL and applies the AnyConnect
! group policy; the alias is what users see in the login-page group list.
tunnel-group AnyConnect-SSl-VPN type remote-access
tunnel-group AnyConnect-SSl-VPN general-attributes
address-pool VPN_POOL
default-group-policy GroupPolicy_AnyConnect-SSl-VPN
tunnel-group AnyConnect-SSl-VPN webvpn-attributes
group-alias AnyConnect-SSl-VPN enable
!
! Modular Policy Framework: the class matches the default inspection ports, and the global
! policy applies application inspection to that traffic on all interfaces.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
! NOTE(review): this is the stock inspection list. Inspection engines for protocols that
! are not in use here (candidates: rsh, sqlnet, sunrpc, xdmcp, skinny, h323, netbios,
! tftp) add parsing surface for no benefit - remove the ones that are not needed.
! NOTE(review): "inspect icmp" is absent, which is why outside_access_in carries a
! blanket "permit icmp any any echo-reply". Enabling ICMP inspection lets that entry go.
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:5bc7a2276f4d27bbadadf485978ab0cb
: end
c1asa# $
c1asa# sho inven
c1asa# sho inventory
Name: "Chassis", DESCR: "ASA 5516-X with FirePOWER services, 8GE, AC, DES"
PID: ASA5516 , VID: V08 , SN: JMX2410X0BX
Name: "Storage Device 1", DESCR: "ASA 5516-X SSD"
PID: ASA5516-SSD , VID: N/A , SN: MSA24010R9N
c1asa# sho
c1asa# show ver
c1asa# show version
Cisco Adaptive Security Appliance Software Version 9.8(4)20
Firepower Extensible Operating System Version 2.2(2.124)
Device Manager Version 7.13(1)
Compiled on Thu 02-Apr-20 10:19 PDT by builders
System image file is "disk0:/asa984-20-lfbff-k8.SPA"
Config file at boot was "startup-config"
c1asa up 62 days 14 hours
Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1
1: Ext: GigabitEthernet1/1 : address is cc7f.7647.bd1c, irq 255
2: Ext: GigabitEthernet1/2 : address is cc7f.7647.bd1d, irq 255
3: Ext: GigabitEthernet1/3 : address is cc7f.7647.bd1e, irq 255
4: Ext: GigabitEthernet1/4 : address is cc7f.7647.bd1f, irq 255
5: Ext: GigabitEthernet1/5 : address is cc7f.7647.bd20, irq 255
6: Ext: GigabitEthernet1/6 : address is cc7f.7647.bd21, irq 255
7: Ext: GigabitEthernet1/7 : address is cc7f.7647.bd22, irq 255
8: Ext: GigabitEthernet1/8 : address is cc7f.7647.bd23, irq 255
9: Int: Internal-Data1/1 : address is cc7f.7647.bd1b, irq 255
10: Int: Internal-Data1/2 : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3 : address is 0000.0001.0003, irq 0
13: Ext: Management1/1 : address is cc7f.7647.bd1b, irq 0
14: Int: Internal-Data1/4 : address is 0000.0100.0001, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 300 perpetual
Total VPN Peers : 300 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
VPN Load Balancing : Enabled perpetual
Serial Number: JAD240802RS
Running Permanent Activation Key: 0x1f3ce946 0x44f181c1 0x54c3e180 0x90982c24
0x002728b9
Configuration register is 0x1
Image type : Release
Key Version : A
Configuration has not been modified since last system restart.