Application Inspection of an ASA

Does the default inspection policy (without edit) provide Application Inspection ? or Stateful Inspection only ?
I believe this is the default inspection policy (MPF) on an ASA 5505:
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
thx

This is stateful inspection by default, except for the DNS.
For application inspection policies (layer 7 inspection) you have to define separate layer 7 policies for each protocol and define them in the stateful inspection policy map.

Similar Messages

  • Monitor Inspection Load IPS ASA-SSM-20

    All,
      I am aware there is a feature request but don't see any updates.  Taking the chance here that it's fallen through the cracks and someone has figured out another way to monitor inspection load on ASA-SSM-20 IPS.  We are currently running 7.0(5a)E4.  I want to be able to use Solarwinds Orion to monitor Inspection Load on our IPS devices.  Does anyone know if that is yet possible... if so, how?
    Thanks!

    Bump +1

  • Application Inspection of ZBF Router

    Hello there,
    I just wanna verify what I've learned about:
    Stateful Inspection (packet filtering up to L5)  and
    Application Inspection (packet filtering up to L7)
    Regarding an IOS ZBF (IOS ver 12.4(20)T) on a router, do these commands implement Application Inspection?
    (I mean: do they satisfy a protocol like ftp and enable the router to learn about dynamic ports and unwanted activities?)
    class-map type inspect match-any CM
    match protocol ftp
    match protocol http
    policy-map type inspect PM
       class type inspect CM
       inspect
    zone-pair security IN-OUT source inside destination outside
    service-policy type inspect PM
    Or do they implement Stateful Inspection only? If so, how do I add the Application Inspection feature (on ftp traffic, for example)?
    One more question: is "application-specific matching" another expression for "application inspection feature"?
    thanks !

    Have you looked at the example in the above mentioned link?
    Define class-maps that describe the traffic that you want to permit between zones, according to policies described earlier:
    conf t
    class-map type inspect match-any internet-traffic-class
      match protocol http
      match protocol https
      match protocol dns
      match protocol icmp
    Configure a policy-map to inspect traffic on the class-maps you just defined:
    conf t
    policy-map type inspect private-internet-policy
      class type inspect internet-traffic-class
       inspect
    Configure the private and Internet zones and assign router interfaces to their respective zones:
    conf t
    zone security private
    zone security internet
    int bvi1
    zone-member security private
    int fastethernet 0
    zone-member security internet
    Configure the zone-pair and apply the appropriate policy-map.
    Note: You only need to configure the private Internet zone pair at present in order to inspect connections sourced in the private zone traveling to the Internet zone:
    conf t
    zone-pair security private-internet source private destination internet
      service-policy type inspect private-internet-policy
    This completes the configuration of the Layer 7 inspection policy on the private Internet zone-pair to allow HTTP, HTTPS, DNS, and ICMP connections from the clients zone to the servers zone and to apply application inspection to HTTP traffic to assure that unwanted traffic is not allowed to pass on TCP 80, HTTP's service port.
    Define class-maps that describe the traffic that you want to permit between zones, according to policies described earlier:
    conf t
    class-map type inspect match-any L4-inspect-class
      match protocol tcp
      match protocol udp
      match protocol icmp
    Configure policy-maps to inspect traffic on the class-maps you just defined:
    conf t
    policy-map type inspect clients-servers-policy
    class type inspect L4-inspect-class
      inspect
    Configure the clients and servers zones and assign router interfaces to their respective zones:
    conf t
    zone security clients
    zone security servers
    int vlan 1
    zone-member security clients
    int vlan 2
    zone-member security servers
    Configure the zone-pair and apply the appropriate policy-map.
    Note: You only need to configure the clients-servers zone-pair at present, to inspect connections sourced in the clients zone traveling to the servers zone:
    conf t
    zone-pair security clients-servers source clients destination servers
      service-policy type inspect clients-servers-policy
    This completes the configuration of the Layer 4 inspection policy for the clients-servers zone-pair to allow all TCP, UDP, and ICMP connections from the client zone to the server zone. The policy does not apply fixup for subordinate channels, but provides an example of simple policy to accommodate most application connections.
    Obviously, "Inspect" is used for both L4 (tcp, udp) and L7 (http, dns) inspection.
    So it depends on the protocol being inspected, not on the keyword "inspect".
    But I'm not sure what's going on with icmp? It is matched and inspected in both cases.

  • Inspection Rate on ASA System Limit

    Hi all,
    We are just testing the ASA 5585-SSP60 with software 9.1.3. On the load generator we found out that there are problems on the system with an inspection rate higher than 40K. Has anyone experience with that? What inspection rate should an ASA be able to handle? I didn't find limits on Cisco.com.
    Thanks in advance,

    Hello,
    I understand that you want to configure bandwidth limits for each AnyConnect client connection. 
    Unfortunately, the ASA does not currently support QoS policing of traffic on a per-user or per-IP-address basis:
    https://supportforums.cisco.com/docs/DOC-1361#Q_Does_ASA_SSL_VPN_AnyConnect_Client_or_Clientless_support_QOS_and_policing_bandwidth_management_capabilites
    The feature has been requested but it seems it will not be integrated in the near future.
    The available workaround is to use simple QoS as you mention but it is not scalable at all.
      You may police the ASA WAN bandwidth based on the public IP address of each remote-access AnyConnect user hogging bandwidth:
    access-list SSLVPN_LIMIT extended permit udp host host (ASA ip address) eq 443
    access-list SSLVPN_LIMIT extended permit tcp host host (ASA ip address) eq 443
    class-map SSLVPN
    match access-list SSLVPN_LIMIT
    policy-map LIMIT
    class SSLVPN
      police input 1500000
      police output 1500000
    service-policy LIMIT interface outside
    Thanks,
    Itzcoatl

  • IPGW and the ASA

    I want to install a 2651XM gateway/Gatekeeper into a DMZ of my firewall so that Internal Polycom devices can register and communicate to both internal Polycom devices and external video conferencing devices. Trouble finding out how to do this? What ports need to be open and can this be done with one gateway/gatekeeper? Documentation I have read suggests two are needed, one acting as a proxy. I only have one unit.

    A Cisco Multiservice IP-IP gateway and Gatekeeper (or MCM Proxy and Gatekeeper) can co-exist on the same box, but a via-zone aware GK is required for an IP-IP Gateway. The IP-IP Gateway is certainly more flexible, particularly for digit manipulation (through the configuration of dial-peers) and integration with Cisco CallManager.
    Have all your endpoints register with a local zone on the GK, and then configure remote zones for external gatekeepers.
    Then, for interoperability with an ASA box perform a static NAT translation of the GK/IPIPGW box to a real-world address, and allow H.323 Gatekeeper RAS (1719/udp) and H.323 H.225 call setup (1720/tcp) and the application inspection on the ASA will open the required ports for the RTP streams.
    Hope this helps. Please rate useful posts!

  • ASA app layer inspection and CX IPS inspection

    ASA application layer inspection is critical for protocols such as FTP and SIP for well known reasons.  When implementing a CX module, my understanding is that either the ASA implements inspection or the CX implements inspection.  For instance, if I want my CX to inspect HTTP I need to forward that traffic via a policy-map to the CX engine and ensure that the ASA is not configured to inspect HTTP.  Easy enough.
    What I am unclear about is if it is desired for the CX to inspect protocols such as FTP and SIP.  In my case I'm running the CX IPS which does list some FTP and SIP threats.  If I direct this traffic to the CX for IPS inspection, where would the app layer inspection occur for processing SIP embedded IP addresses or FTP secondary channels?  Or, is it necessary to ensure these protocols remain inspected by the ASA?  Finally, does the answer change for the WSE license?   

    Hogoqo,
    Thanks for the reply. Does this config mean that "default-inspection-traffic" will not be sent to the IPS module?
    What I initially wanted was to send ALL traffic to the IPS module, and also use stateful inspection for the default-inspection-traffic.
    Is this a bad practice (to send all traffic to the IPS module)?
    The ASA is configured with 3 interfaces (inside, outside, dmz), with an e-mail server in the DMZ. In the future, there will also be e-commerce servers in the DMZ.
    Should I send to the IPS module only traffic that has the destination as one of the DMZ servers?
    I am new to IPS, and kind of confused.
    Thanks!

  • ASA Transparent Mode - Stateful Inspection

    Hi Community,
    I would appreciate any input others may be able to provide on the behaviour of the ASA when in Transparent mode.
    I have a few scenarios and am looking to confirm the stateful inspection behaviour for them.
    By default I shall block all traffic.
    1 - Flow initiated Inside to outside (Higher to Lower security interface)
         - Rule on inside
    2 - Flow Initiated Outside to Inside (Lower to Higher security interface)
         - Rule on Outside
         - Appears to require rule on inside to allow response - No Stateful inspection
    3 - Flow initiated Inside to Outside - With Application inspection (Higher to Lower)
         - Rule on inside + App inspection
    4 - Flow initiated Outside to Inside - With Application Inspection (Lower to Higher)
         - Rule on outside + App Inspection
         - Appears to require rule on inside to allow response - No Stateful Inspection
    The references guide could do with some clarification around transparent behaviour.
    Many thanks

    Hello,
    For a flow initiated on the inside to the outside you do not need an ACL on the outside for the returning traffic; that is the main idea of stateful inspection.
    As soon as you do not have any ACLs applied to the inside interface this will be like this:
    1 - Flow initiated Inside to outside (Higher to Lower security interface)
    2 - Flow Initiated Outside to Inside (Lower to Higher security interface)
         - Rule on Outside
         - Appears to require rule on inside to allow response - No Stateful inspection
    3 - Flow initiated Inside to Outside - With Application inspection (Higher to Lower)
        App inspection
    4 - Flow initiated Outside to Inside - With Application Inspection (Lower to Higher)
         - Rule on outside + App Inspection
    Regards,

  • Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

    With Namit Agarwal and Rahul Govindan 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
    This is a continuation of the live webcast.
    Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
    Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
    Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
    Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
    Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
    Webcast related links:
    Slides from the live webcast
    Video Recording of the live webcast
    Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

    Hello Namit and Rahul,
    Here are a few questions that came in directly during your live webcast, hence posting them here so that users can benefit:
    1) How is ASA CX different from other UTM solutions?
    2) How is dynamic application inspection of CX better than other inspection engines?
    3) What features or functionalities on the CX are available by default?
    4) What are the different ways we can run or install CX on the ASA platform?
    5) What VPN features are supported with multi context ASA in the 9.x release?
    6) What are the IPv6 Enhancements in the ASA version 9.x?
    Request you to please provide your responses to them individually.
    Thanks.

  • Ask the Expert:Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover

    With Prashanth Goutham R.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham. 
    Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA is a key component of the Cisco SecureX Framework, protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.
    Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.
    Remember to use the rating system to let Prashanth know if you have received an adequate response. 
    Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    Hello John,
    This session is on Failover Functionality on all Cisco Firewalls; I'm not a geek on QoS, however I have the answer for what you need. The way to limit traffic would be to enable QoS Policing on your Firewalls. The requirement that you have is about limiting 4 different tunnels to be utilizing the set limits and drop any further packets. This is called Traffic Policing. I tried out the following in my lab and it looks good.
    access-list tunnel_one extended permit ip 10.1.0.0 255.255.0.0 20.1.0.0 255.255.0.0
    access-list tunnel_two extended permit ip 10.2.0.0 255.255.0.0 20.2.0.0 255.255.0.0
    access-list tunnel_three extended permit ip 10.3.0.0 255.255.0.0 20.3.0.0 255.255.0.0
    access-list tunnel_four extended permit ip 10.4.0.0 255.255.0.0 20.4.0.0 255.255.0.0
    class-map Tunnel_Policy1
      match access-list tunnel_one
    class-map Tunnel_Policy2
      match access-list tunnel_two
    class-map Tunnel_Policy3
      match access-list tunnel_three
    class-map Tunnel_Policy4
      match access-list tunnel_four
    policy-map tunnel_traffic_limit
      class Tunnel_Policy1
        police output 4096000
    policy-map tunnel_traffic_limit
      class Tunnel_Policy2
        police output 5734400
    policy-map tunnel_traffic_limit
      class Tunnel_Policy3
        police output 2457600
    policy-map tunnel_traffic_limit
      class Tunnel_Policy4
        police output 4915200
    service-policy tunnel_traffic_limit interface outside
    You might want to watch out for the following changes in values:
    HTTS-SEC-R2-7-ASA5510-02(config-cmap)# policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy1
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 4096000
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy2
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 5734400
    WARNING: police rate 5734400 not supported. Rate is changed to 5734000
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config)# policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy3
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 2457600
    WARNING: police rate 2457600 not supported. Rate is changed to 2457500
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy4
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 4915200
    WARNING: police rate 4915200 not supported. Rate is changed to 4915000
    I believe this is because of the software granularity and the way IOS rounds it off in multiples of a certain value, so watch out for the exact values you might get finally. I used this website to calculate your Kilobyte values to Bits: http://www.matisse.net/bitcalc/
    The final outputs of the configured values were:
    Class-map: Tunnel_Policy1
      Output police Interface outside:
        cir 4096000 bps, bc 128000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy2
      Output police Interface outside:
        cir 5734000 bps, bc 179187 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy3
      Output police Interface outside:
        cir 2457500 bps, bc 76796 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy4
      Output police Interface outside:
        cir 4915000 bps, bc 153593 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Please refer to the QOS document on CCO here for further information: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html
    Hope that helps..

  • DNS Inspection Denial of Service Vulnerability check

    Hi Everyone,
    I am checking this Cisco link --- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa --- for the
    DNS Inspection Denial of Service Vulnerability
    Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.
    To verify if the DNS ALPI engine is inspecting DNS packets over TCP, use the show running-config access-list <acl_name> command, where acl_name is the name of the access-list used in the class-map to which the DNS inspection is applied. This can be found by using the show running-config class-map and show running-config policy-map commands.
    The following example shows Cisco ASA Software with the DNS ALPI engine configured to inspect DNS packets over TCP.
    ciscoasa# show running-config access-list
    access-list DNS_INSPECT_ACL extended permit tcp any any
    OR
    ciscoasa# show running-config access-list
    access-list DNS_INSPECT_ACL extended permit ip any any
    ciscoasa# show running-config class-map
    class-map DNS_INSPECT_CP
    match access-list DNS_INSPECT
    ciscoasa# show running-config policy-map
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
    class DNS_INSPECT_CP
      inspect dns preset_dns_map
    Note: Cisco ASA Software will not inspect DNS packets over TCP by default.
    I checked my ASA and ran the command
    show running-config policy-map
    policy-map global_policy
    class inspection_default
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect dns
      inspect http
      inspect ftp
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 512
    policy-map map
    class inspection_default
    Does this confirm that this ASA is vulnerable?
    Regards
    Mahesh
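As an added example (not code from the advisory or from any post in this thread), the Python below parses the three show running-config outputs the advisory names and applies its test: it binds each inspect command to its class-map (which also answers the first question in the thread about what the default policy inspects) and flags DNS inspection only where the class matches an ACL permitting tcp or ip. Both sample configs are constructed for this example, with consistent ACL and class-map names.

```python
import re

# Constructed sample (not from the advisory or any post above): 'inspect dns' bound to
# a class-map whose ACL permits tcp, which is the shape the advisory describes as affected.
DNS_OVER_TCP_CONFIG = """\
ciscoasa# show running-config access-list
access-list DNS_INSPECT_ACL extended permit tcp any any
ciscoasa# show running-config class-map
class-map inspection_default
 match default-inspection-traffic
class-map DNS_INSPECT_CP
 match access-list DNS_INSPECT_ACL
ciscoasa# show running-config policy-map
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
 class DNS_INSPECT_CP
  inspect dns preset_dns_map
"""

# Constructed sample resembling the factory-default policy quoted in the thread:
# DNS is inspected only for default-inspection-traffic (UDP/53), never over TCP.
DEFAULT_MPF_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
service-policy global_policy global
"""


def parse_mpf(text):
    """Return (acls, class_maps, inspections) from 'show running-config' text:
    acls: name -> permitted protocols; class_maps: name -> match criteria;
    inspections: (protocol, class_map) for each 'inspect' in a Layer 3/4 policy-map."""
    acls, class_maps, inspections = {}, {}, []
    section, current_class = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("ciscoasa#"):
            continue  # blank lines and echoed CLI prompts
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+)", line)
        if m:
            if m.group(2) == "permit":
                acls.setdefault(m.group(1), []).append(m.group(3))
            continue
        if line.startswith("class-map type ") or line.startswith("policy-map type inspect "):
            section = None  # Layer 7 class/policy maps carry no 'inspect' bindings
            continue
        m = re.match(r"class-map (\S+)$", line)
        if m:
            section, current_class = ("class", m.group(1)), None
            class_maps.setdefault(m.group(1), [])
            continue
        m = re.match(r"policy-map (\S+)$", line)
        if m:
            section, current_class = ("policy", m.group(1)), None
            continue
        if section is None:
            continue  # parameters of a skipped Layer 7 map, or top-level noise
        kind, name = section
        if kind == "class" and line.startswith("match "):
            class_maps[name].append(line[len("match "):])
        elif kind == "policy":
            m = re.match(r"class (\S+)$", line)
            if m:
                current_class = m.group(1)
            elif line.startswith("inspect ") and current_class:
                inspections.append((line.split()[1], current_class))
    return acls, class_maps, inspections


def inspected_protocols(text):
    """Map each inspected protocol to the class-map it is applied under."""
    return {proto: cls for proto, cls in parse_mpf(text)[2]}


def dns_inspection_over_tcp(text):
    """The advisory's test: class-maps under which 'inspect dns' is applied and whose
    match criterion is an ACL permitting tcp (or ip, which includes tcp).
    'match default-inspection-traffic' covers UDP/53 only and is not flagged."""
    acls, class_maps, inspections = parse_mpf(text)
    flagged = []
    for proto, cls in inspections:
        if proto != "dns":
            continue
        for criterion in class_maps.get(cls, []):
            m = re.match(r"access-list (\S+)$", criterion)
            if m and any(p in ("tcp", "ip") for p in acls.get(m.group(1), [])):
                flagged.append(cls)
    return flagged
```

Paste the three show outputs from your own ASA into a string and call dns_inspection_over_tcp on it; an empty list is the "not affected by this configuration" case the reply below describes.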

    Hi,
    The post says this
    Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.
    So it says that if the ASA is configured to inspect DNS over TCP then it's vulnerable.
    It also says
    Note: Cisco ASA Software will not inspect DNS packets over TCP by default.
    And it seems you have not made any special configurations related to DNS inspection, therefore your ASA should not be inspecting DNS that is using TCP, and therefore it should not be vulnerable. At least that is how it seems to me.
    - Jouni

  • ASA 5500 model default setting

    Dear All, I saw the default configuration below in my new 5505 and 5515 ASA.  May I know what the function of this configuration is, and do these commands affect my ASA firewall?
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global

    Hi,
    To my understanding the inspections' purpose is both to enable certain applications/protocols that are dynamic in nature to work through your firewall without resorting to opening up the firewall too much. They are also used to set certain restrictions on certain types of connections.
    The most common ones in constant use would probably be (for me at least):
    ICMP Inspection (not enabled by default), which helps you allow ICMP through the firewall and automatically allow the ICMP Echo Reply back without allowing it through the firewall in a separate ACL. It also makes sure that only valid ICMP return messages are allowed through the firewall.
    DNS Inspection sets some parameters for the DNS traffic and also makes sure that only one DNS reply is allowed through the firewall. It's also needed if you are going to use the "dns" parameter in the NAT configuration to enable the ASA to do a DNS rewrite.
    FTP Inspection enables the ASA to automatically allow the FTP Data connections which are created in addition to the initial Control connection. Therefore you don't need to allow anything but the FTP Control connection (TCP/21) to form through the firewall, and the ASA will use the FTP Inspection to automatically allow through the Data connection that will be formed.
    For more information I would suggest reading the ASA documentation. For example the Command Reference and Configuration Guide
    Here is a link to the Command Reference and the different "inspect" commands
    http://www.cisco.com/en/US/docs/security/asa/command-reference/i2.html
    Here is a section in the Configuration Guide about inspections
    http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/inspect_overview.html
    I have not even fully read them myself.
    Generally there is not much need to touch the above settings. Sometimes Voice/Video related inspections need to be disabled as they might actually cause problems. I have also had to disable the ESMTP inspection sometimes.
    - Jouni

  • ASA shun hosts and QoS

    Hi, I'm having trouble configuring Threat-detection and QoS polices at the same time.
    The problem is that if I have QoS rules enabled that police traffic defined by ACLs, I can't at the same time enable the threat-detection feature "Shun hosts detected by scanning threat", because it shuns the hosts to which the policing is being applied.
    I suppose this is because the policing is based on hits on ACLs, so the ASA thinks this is an attack.
    So, how can I resolve this? How can I have policing and shunning enabled at the same time?
    Thanks

    Hi,
    Weird stuff, one feature doesn't necessarily have anything to do with the other. What scanning threat detection does is take statistics of a specific host and determine if it is sweeping the network or trying to find out if there is a host, checking which ports/networks are available.  You have to check what factor is causing the shun to be triggered. There are a lot of thresholds in scanning threat detection that you will need to modify if it is causing an issue.
    By the thresholds I mean the following table (Packet Drop Reason, with its Average Rate and Burst Rate trigger settings):
    DoS attack detected / Bad packet format / Connection limits exceeded / Suspicious ICMP packets detected
      Average Rate: 100 drops/sec over the last 600 seconds; 80 drops/sec over the last 3600 seconds.
      Burst Rate:   400 drops/sec over the last 20 second period; 320 drops/sec over the last 120 second period.
    Scanning attack detected
      Average Rate: 5 drops/sec over the last 600 seconds; 4 drops/sec over the last 3600 seconds.
      Burst Rate:   10 drops/sec over the last 20 second period; 8 drops/sec over the last 120 second period.
    Incomplete session detected, such as TCP SYN attack detected or no data UDP session attack detected (combined)
      Average Rate: 100 drops/sec over the last 600 seconds; 80 drops/sec over the last 3600 seconds.
      Burst Rate:   200 drops/sec over the last 20 second period; 160 drops/sec over the last 120 second period.
    Denial by access lists
      Average Rate: 400 drops/sec over the last 600 seconds; 320 drops/sec over the last 3600 seconds.
      Burst Rate:   800 drops/sec over the last 20 second period; 640 drops/sec over the last 120 second period.
    Basic firewall checks failed / Packets failed application inspection
      Average Rate: 400 drops/sec over the last 600 seconds; 320 drops/sec over the last 3600 seconds.
      Burst Rate:   1600 drops/sec over the last 20 second period; 1280 drops/sec over the last 120 second period.
    Interface overload
      Average Rate: 2000 drops/sec over the last 600 seconds; 1600 drops/sec over the last 3600 seconds.
      Burst Rate:   8000 drops/sec over the last 20 second period; 6400 drops/sec over the last 120 second period.
    As you can see on the following document:
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html#wp1072953
    Scanning threat is based on the threat detection statistics. So you will need to modify those in order to avoid the host to be shunned.
    That being said, I think if you only enable threat detection alone, it would probably do the same thing as if it was configured in conjunction with QoS.
    Bottom line (and sorry for all the info), modify the threat detection rate values and you should be ok.
    Mike

  • IPS and application layer firewalls

    Hi all, can anyone explain to me what an IPS does that a layer 7 application firewall does not? I need to know the biggest differences.
    Also, what can an IPS do for me in simple terms?

    Hi Carl,
    An IPS is basically deep packet inspection for all protocols generally found on a network. So, for example, an IPS is looking for all malicious traffic that relates to an attack, usually by a specific 'signature' or a pattern of traffic. They go over and above a firewall by fully inspecting all traffic flows and alerting on suspect traffic that represents a possible attack/vulnerability.
    With respect to an Application Firewall, this could relate to two different things. For example, the ASA has application inspection which basically means it can drill down into the protocol and check that HTTP request/response headers are RFC compliant, as well as FTP etc. We can also drill down and ensure that SMTP exchanges are as they should be. But if there is data embedded into the actual 'payload' then the ASA is not designed to check for this. That would be an IPS.
    There is however a 'Web Application Firewall' or WAF which takes this even further (ACE WAF) as this is specifically looking for attacks and vulnerabilities relating purely to Web Applications. So the 'WAF' learns the web application/login forms/Parameters etc and therefore can stop attacks such as Cross Site Scripting and SQL Injection.
    It depends on the environment and what you are exactly trying to secure :-)
    I hope this helps!
    Thanks
    Andy

  • ASA 5505 VPN HELP!!!

    I have two ASA 5505's.  One is currently set up as my firewall connected to the Cox Cable modem and wireless AP.  I have another ASA that I would like to use; I have an idea that I could set that one up as a VPN unit, but I am not sure how I could do that.  If that is not an option, can you provide the command line instructions on how to set up the VPN via the console cable?  I am kinda new and I am slowly trying to become more knowledgeable about this.  Any help would be greatly appreciated.
    Thanks,
    Jon
    My current Config:
    ASA Version 8.2(3)
    !
    hostname Wood-ASA1-if
    domain-name lv.cox.net
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    interface Ethernet0/3
    !
    interface Etherne
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    boot system disk0:/asa823-k8.bin
    boot config disk0:/asa823.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name lv.cox.net
    object-group icmp-type ICMP-INBOUND
    description Permit necessary inbound ICMP traffic
    icmp-object echo-reply
    icmp-object unreachable
    icmp-object t
    logging buffered warnings
    logging asdm notifications
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-625.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group INBOUND in interface outside
    timeout xlate 3:
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd dns 8.8.8.8 8.8.4.4
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics acce
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:c3a35118ab34143a5e73e414ead343c1

    For sure you can do this with the ASA; see the following configuration example:
    http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a0080950890.shtml
    Cheers.

  • Site-to-site vpn with 2 asa and home router

    I am trying to establish a site-to-site VPN between 2 ASAs and am able to get the tunnel to establish and can get connectivity from the remote end of the connection to the local side. However, traffic from the local side is not able to get to the remote end. We have 2 ASA 5505s establishing the tunnel; on the remote end there is a Linksys home router forwarding all traffic to the ASA outside interface on a private subnet. Our layout is as follows.
    Internal Network              Local ASA                   ISP1      ISP2          Remote Router                       Remote ASA                 Remote Network
    192.168.1.0/24         local-gateway/public ip                                 public ip/192.168.0.1/24     192.168.0.10/10.10.10.254         10.10.10.0/24
    10.10.10.0/24 (remote) -> 192.168.1.0/24 (local) works
    192.168.1.0/24 (local) -> 10.10.10.0/24 (remote) does not work
    Below are the configs of the local and remote ASA. Any help would be greatly appreciated.
    local-asa
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.6 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Switch
    host 192.168.1.5
    description 2960-24 Switch
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object network Mark_Public
    host 76.98.2.63
    description Mark Public
    object network Mark
    subnet 10.10.10.0 255.255.255.0
    description Marks Network
    object network Mark_routed_subnet
    subnet 192.168.0.0 255.255.255.0
    access-list outside_access_in extended permit icmp any4 any4 echo-reply
    access-list outside_access_in extended permit tcp any object home-app-svr object-group DM_INLINE_TCP_2
    access-list outside_access_in extended permit ip object Mark 192.168.1.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
    access-list Home standard permit 192.168.1.0 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp deny any outside
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    route outside 10.10.10.0 255.255.255.0 24.163.112.1 1
    route outside 10.10.10.0 255.255.255.0 76.98.2.63 128
    aaa-server Radius protocol radius
    aaa-server Radius (inside) host 192.168.1.101
    key *****
    user-identity default-domain LOCAL
    aaa authentication ssh console Radius LOCAL
    aaa authentication telnet console Radius LOCAL
    aaa authentication enable console Radius LOCAL
    aaa authentication http console Radius LOCAL
    aaa authentication serial console Radius LOCAL
    aaa accounting enable console Radius
    aaa accounting serial console Radius
    aaa accounting ssh console Radius
    aaa accounting telnet console Radius
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 66.162.9.0 255.255.255.0 outside
    http 76.98.2.63 255.255.255.255 outside
    http 10.10.10.0 255.255.255.0 inside
    snmp-server host inside 192.168.1.101 community *****
    snmp-server location 149 Cinder Cross
    snmp-server contact Ted Stout
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    snmp-server enable traps syslog
    snmp-server enable traps ipsec start stop
    snmp-server enable traps entity config-change
    snmp-server enable traps memory-threshold
    snmp-server enable traps interface-threshold
    snmp-server enable traps cpu threshold rising
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map0 1 match address outside_cryptomap
    crypto map outside_map0 1 set peer 76.98.2.63
    crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
    crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map0 interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=stout-fw
    keypair vpn.stoutte.homeip.net
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca trustpoint Home--Server-CA
    enrollment terminal
    subject-name CN=stout-fw,O=home
    keypair HOME-SERVER-CA
    crl configure
    crypto ca trustpoint HOME-SSL
    enrollment terminal
    fqdn stoutfw.homeip.net
    subject-name CN=stoutfw,O=Home
    keypair HOME-SSL
    no validation-usage
    crl configure
    crypto ca trustpoint SelfSigned
    enrollment self
    fqdn stoutfw.homeip.net
    subject-name CN=stout-fw
    keypair SelfSigned
    crl configure
    crypto ca trustpoint ASDM_TrustPoint2
    enrollment self
    fqdn 192.168.1.6
    subject-name CN=stout-fw
    keypair SelfSigned
    crl configure
    crypto ca trustpool policy
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 enable inside
    crypto ikev1 enable outside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 20
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 192.168.1.5 source inside prefer
    ssl trust-point SelfSigned outside
    ssl trust-point ASDM_TrustPoint2 inside
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol ikev1
    username stoutte password 0w8WOxYi69SDg3bs encrypted privilege 15
    username stoutte attributes
    webvpn
      anyconnect keep-installer installed
      anyconnect profiles value VPN_client_profile type user
    tunnel-group 76.98.2.63 type ipsec-l2l
    tunnel-group 76.98.2.63 general-attributes
    default-group-policy GroupPolicy1
    tunnel-group 76.98.2.63 ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
    authentication-server-group Radius LOCAL
    default-group-policy GroupPolicy_VPN
    dhcp-server link-selection 192.168.1.101
    tunnel-group VPN webvpn-attributes
    group-alias VPN enable
    class-map inspection_default
    match default-inspection-traffic
    remote-asa
    : Saved
    ASA Version 9.1(1)
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.10.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 192.168.0.10 255.255.255.0
    ftp mode passive
    clock timezone EDT -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name netlab.com
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Ted
    subnet 192.168.1.0 255.255.255.0
    description Teds Network
    object network Ted_Public
    host 24.163.116.187
    object network outside_private
    subnet 192.168.0.0 255.255.255.0
    object network NETWORK_OBJ_10.10.10.0_24
    subnet 10.10.10.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
    access-list outside_access_in extended permit icmp any4 any4 echo-reply
    access-list outside_access_in extended permit ip object Ted 10.10.10.0 255.255.255.0
    access-list outside_access_in extended permit ip object Ted_Public any
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    logging debug-trace
    nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
    route outside 192.168.1.0 255.255.255.0 192.168.0.1 1
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 24.163.116.187 255.255.255.255 outside
    http 192.168.0.0 255.255.255.0 outside
    http 10.10.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    crypto map outside_map2 1 match address outside_cryptomap
    crypto map outside_map2 1 set peer 24.163.116.187
    crypto map outside_map2 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
    crypto map outside_map2 interface outside
    crypto ikev2 enable outside
    crypto ikev2 enable inside
    crypto ikev1 enable outside
    crypto ikev1 enable inside
    ssh 10.10.10.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    dhcpd address 10.10.10.1-10.10.10.20 inside
    dhcpd enable inside
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol ikev1
    username admin password 8Ec7AqG6iwxq6gQ2 encrypted privilege 15
    tunnel-group 24.163.116.187 type ipsec-l2l
    tunnel-group 24.163.116.187 general-attributes
    default-group-policy GroupPolicy1
    tunnel-group 24.163.116.187 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:2f4107de10e7171c3d951745c56b8d01
    : end
    no asdm history enable
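    An added example, not part of the post: a mirror check that parses the crypto ACLs and identity NAT rules of both peers and reports any proxy-ID pair that would not match, or that would be PATed before encryption. The first two excerpts are taken from the local-asa and remote-asa configs above; the third is a constructed mismatch so the report has something to show.

```python
"""Mirror check for a site-to-site crypto ACL and its identity NAT on two ASAs.

Added example, not part of the post above. It parses only the `object network`,
`access-list ... permit ip` and twice-NAT lines it needs, then checks that
(1) every proxy ID in the local crypto ACL has the reversed entry on the remote
peer and (2) each side has an identity (no-NAT) rule for the same pair.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]
OBJECT_SUBCOMMANDS = {"subnet", "host", "range", "fqdn", "description", "nat"}


@dataclass
class AsaPolicy:
    objects: Dict[str, Net] = field(default_factory=dict)        # object name -> prefix
    crypto: Dict[str, List[Pair]] = field(default_factory=dict)  # ACL name -> [(src, dst)]
    identity_nat: Set[Pair] = field(default_factory=set)         # (real src, real dst) untranslated


def _address(tokens: List[str], i: int, objects: Dict[str, Net]) -> Tuple[Net, int]:
    """Decode one ACL address spec starting at tokens[i]; return (prefix, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return Net("0.0.0.0/0"), i + 1
    if tok == "object":
        return objects[tokens[i + 1]], i + 2
    if tok == "host":
        return Net(tokens[i + 1]), i + 2
    return Net(f"{tok}/{tokens[i + 1]}"), i + 2          # "a.b.c.d m.m.m.m" form


def parse_asa(config: str) -> AsaPolicy:
    pol = AsaPolicy()
    current = None                                        # object network being defined
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["object", "network"]:
            current = parts[2]
            continue
        if parts[0] not in OBJECT_SUBCOMMANDS:
            current = None
        if current and parts[0] == "subnet":
            pol.objects[current] = Net(f"{parts[1]}/{parts[2]}")
        elif current and parts[0] == "host":
            pol.objects[current] = Net(parts[1])
        elif parts[0] == "access-list" and parts[2:5] == ["extended", "permit", "ip"]:
            src, i = _address(parts, 5, pol.objects)
            dst, _ = _address(parts, i, pol.objects)
            pol.crypto.setdefault(parts[1], []).append((src, dst))
        elif parts[0] == "nat" and parts[2:4] == ["source", "static"]:
            # twice NAT: nat (in,out) source static REAL MAPPED destination static REAL MAPPED;
            # REAL == MAPPED on both sides is the identity rule that exempts VPN traffic from PAT.
            if parts[4] == parts[5] and parts[6:8] == ["destination", "static"] and parts[8] == parts[9]:
                pol.identity_nat.add((pol.objects[parts[4]], pol.objects[parts[8]]))
    return pol


def check_mirror(local: AsaPolicy, remote: AsaPolicy, acl: str = "outside_cryptomap") -> List[str]:
    """Return one finding per proxy ID that is not mirrored or lacks identity NAT."""
    findings = []
    local_pairs = set(local.crypto.get(acl, []))
    remote_mirrored = {(dst, src) for src, dst in remote.crypto.get(acl, [])}
    for src, dst in sorted(local_pairs - remote_mirrored, key=str):
        findings.append(f"local {src} -> {dst}: no mirrored entry in remote {acl}")
    for dst, src in sorted(remote_mirrored - local_pairs, key=str):
        findings.append(f"remote {src} -> {dst}: no mirrored entry in local {acl}")
    for side, pol in (("local", local), ("remote", remote)):
        for src, dst in pol.crypto.get(acl, []):
            if (src, dst) not in pol.identity_nat:
                findings.append(f"{side} {src} -> {dst}: no identity NAT, traffic would be PATed before encryption")
    return findings


# Excerpts of the two configs posted above (only the lines this check uses).
LOCAL_ASA = """\
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network Mark
subnet 10.10.10.0 255.255.255.0
description Marks Network
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
"""
REMOTE_ASA = """\
object network Ted
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
subnet 10.10.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
"""
# Constructed mismatch: the remote peer defines Ted as all of 192.168.0.0/16 instead of the /24.
REMOTE_ASA_MISMATCH = REMOTE_ASA.replace("subnet 192.168.1.0 255.255.255.0",
                                         "subnet 192.168.0.0 255.255.0.0")

if __name__ == "__main__":
    print("as posted:", check_mirror(parse_asa(LOCAL_ASA), parse_asa(REMOTE_ASA)) or "proxy IDs mirror")
    for finding in check_mirror(parse_asa(LOCAL_ASA), parse_asa(REMOTE_ASA_MISMATCH)):
        print("mismatch:", finding)
```

    With the posted excerpts the proxy IDs and identity NAT rules do mirror, so this check clears the crypto ACL side of the problem; the remaining suspects are the routes and the home router in front of the remote peer, which it does not model.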

