Just change everything in yellow (the values shown in <angle brackets> below).
Do:
1. Read what you're copying and pasting
2. Try to understand what each command does
Don't:
1. Ever leave the default passwords!!!
2. Ever allow remote management from 0.0.0.0!!!
///Clear out unneeded factory default stuff
conf t
no nat (inside) 1 0.0.0.0 0.0.0.0
no dhcpd auto_config outside
no dhcpd address 192.168.1.2-192.168.1.254 inside
no dhcpd enable inside
no http 192.168.1.0 255.255.255.0 inside
no http server enable
//Run HTTP Server on 444 - Allows SSL VPN Client on interface IP & also helps against casually curious users
http server enable 444
///Start Config
console timeout 5
asdm history enable
ssh timeout 60
ssh version 2
management-access inside
clock timezone EST -5
clock summer-time EDT recurring
hostname <hostname for firewall>
domain-name <domain.local>
dns domain-lookup inside
dns name-server <Internal DNS Server #1>
dns name-server <Internal DNS Server #2>
ntp server <Internal NTP Server IP> source inside prefer
crypto key generate rsa general-keys modulus 1024 <Wait a few moments>
logging enable
logging asdm informational
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ip verify reverse-path interface outside
///Set up protocol inspection
fixup protocol pptp 1723
no fixup protocol smtp 25
policy-map global_policy
class inspection_default
inspect ftp
inspect dns preset_dns_map
exit
exit
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096
exit
exit
///Set up authentication
passwd <YOUR PASSWORD>
enable password <YOUR PASSWORD> level 15
username administrator password <YOUR PASSWORD> privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
///Set External IP Address
ip address x.x.x.x 255.255.255.x
exit
route outside 0.0.0.0 0.0.0.0 <DEFAULT GW IP>
///Set Internal IP Address
interface vlan 1
ip address x.x.x.x 255.255.255.x
exit
///Set Up Outbound NAT Pool
***********FOR BELOW ASA VERSION 8.3******************
global (outside) 1 interface
nat (inside) 1 <Inside Network> <Inside Subnet Mask>
***********FOR ASA 8.3 and ABOVE******************
object network inside-net
subnet <Inside Network> <Inside Subnet Mask>
nat (inside,outside) dynamic interface
///Allow Management & Monitoring from wherever you like
snmp-server location <Location of the firewall>
snmp-server contact <Contact Info for Site>
snmp-server enable
snmp-server host outside <SNMP OUTSIDE POLLER IP> poll community <READCOMM> version 2c
snmp-server host inside <SNMP INSIDE POLLER IP> poll community <READCOMM> version 2c
http <inside network> <inside subnet mask> inside
ssh <inside network> <inside subnet mask> inside
///Allow Remote Management from Outside. Don't use 0.0.0.0
http <inside network> <inside subnet mask> outside
ssh <inside network> <inside subnet mask> outside
///Allow Pings
icmp permit any inside
icmp permit any outside
///DHCP Configuration
dhcpd address x.x.x.x-x.x.x.x inside
dhcpd dns <DNS Server 1> <DNS Server 2> interface inside
dhcpd wins <WINS Server 1> <WINS Server 2> interface inside
dhcpd lease 86400 interface inside
dhcpd domain <domain.local>
dhcpd enable inside
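As an added example (not part of the original post, and not a Cisco tool), here is a small Python checker you can run over a saved copy of the finished config before pasting it into the firewall. It flags the two Don'ts at the top of the post plus two other things the template expects: any value still left in <angle brackets> (which catches the passwd, enable and username lines if the placeholders were never replaced), an http or ssh management line that allows 0.0.0.0 0.0.0.0 on any interface, a missing "ssh version 2", and "http server enable" left on its default port instead of the 444 used above. The sample config inside the script is constructed for the demo and deliberately contains two of those mistakes; the placeholder check only catches unreplaced template values, it does not judge password strength.

```python
import re
from typing import List

# Constructed sample (not a real device config): a fragment shaped like the
# template above, with two of the "Don't" mistakes left in on purpose so the
# checker has something to report.
SAMPLE_CONFIG = """\
hostname fw-demo
passwd <YOUR PASSWORD>
enable password ExamplePass1 level 15
username administrator password ExamplePass1 privilege 15
http server enable 444
ssh version 2
http 10.10.0.0 255.255.255.0 inside
ssh 10.10.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
ssh 203.0.113.0 255.255.255.0 outside
"""

# Anything still in <angle brackets> was meant to be replaced before pasting.
PLACEHOLDER = re.compile(r"<[^>]*>")
# "http <net> <mask> <interface>" / "ssh <net> <mask> <interface>" lines that
# control where management connections are accepted from.
MGMT_LINE = re.compile(
    r"^(http|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)


def audit_asa_config(config: str) -> List[str]:
    """Return human-readable findings for the given ASA config text."""
    findings: List[str] = []
    saw_ssh_v2 = False
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("!", "/")):
            continue  # blank lines and the template's ///comment headers
        if PLACEHOLDER.search(line):
            findings.append(f"line {lineno}: unreplaced placeholder in '{line}'")
        match = MGMT_LINE.match(line)
        if match:
            proto, net, mask, iface = match.groups()
            if net == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(
                    f"line {lineno}: {proto} management allowed from any address on {iface}"
                )
        if line == "ssh version 2":
            saw_ssh_v2 = True
        if line == "http server enable":
            findings.append(
                f"line {lineno}: http server enabled on its default port; the template uses 444"
            )
    if not saw_ssh_v2:
        findings.append("ssh version 2 is not configured")
    return findings


if __name__ == "__main__":
    # Running the script prints each finding on its own line.
    for finding in audit_asa_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the sample and it reports the unreplaced passwd placeholder on line 2 and the wide-open http line on line 9; point it at your own saved config (read the file into a string and call audit_asa_config) and an empty list means none of these particular mistakes are present.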