Simple Cisco ASA configuration (allowSIP/SSH, disallow the rest)
  • Simple Cisco ASA configuration (allowSIP/SSH, disallow the rest)

    Hi guys out there,

    I've googled around the whole day and couldn't solve it... so I thought... for someone who knows what he does... it's just writing 5 lines of code...

    I tried it the whole day...

    So what do I want to do?

    Below my laptop there's a Cisco ASA running. I just want the following simple configuration:

    - Allow SIP sessions (with dynamically allocated RTP traffic ports <- this is the tricky thing)
    - Allow SSH sessions (simply allow port tcp/22)
    - Disallow the rest

    So, I tried nearly everything, worked with access-lists, class-maps, policy-maps and their inspection types.
    It really would be great if anyone could help me with my "little" problem. It seems just like a basic task... I thought...

    So thank you for now... greetz myname
    Last edited by thisismyname; 23rd October 2008, 22:38. Reason: forgot a not ;)

  • #2
    Re: Simple Cisco ASA configuration (allowSIP/SSH, disallow the rest)

    The disallow isn't an issue as it is automatically assumed.
    The SSH should be easy enough.
    SIP - not sure on but we can give it a try.

    Where is the SIP going to? A specific box? Do you get traffic from anywhere in particular or from everywhere?

    How about the SSH as well, is that to a specific host?
    How many public IPs? Which one(s) is/are allowing traffic in?
    cheers
    Andy


    Quis custodiet ipsos custodes?



    • #3
      Re: Simple Cisco ASA configuration (allowSIP/SSH, disallow the rest)

      Hi, thanks for the reply first...

      I want to perform some SIP stress tests and watch the performance of the firewall (transparent mode). So watching the jitter, things like that.

      There are two computers, 10.0.0.10 and 10.0.0.11. They should have the same rights (security-level), so no outside/inside. But if that's necessary... ok. The SSH is just needed for the control of the "other side".

      Linux A (10.0.0.10) <------> Cisco ASA5520 <--------> Linux B (10.0.0.11)

      So some questions:
      Are you really sure that everything is forbidden on factory settings? Because I just plugged in both computers, typed "firewall transparent", activated the interfaces and everything worked.

      So my current config looks like this:
      (maybe there are some misconfigurations with the webserver... but I don't need them)
      Code:
      ASA Version 7.2(1)
      !
      firewall transparent
      hostname ciscoasa
      enable password xxx encrypted
      names
      !
      interface GigabitEthernet0/0
       nameif input
       security-level 100
      !
      interface GigabitEthernet0/1
       nameif output
       security-level 100
      !
      interface GigabitEthernet0/2
       no nameif
       security-level 100
      !
      interface GigabitEthernet0/3
       shutdown
       no nameif
       no security-level
      !
      ..management..
      !
      passwd xxx encrypted
      ftp mode passive
      same-security-traffic permit inter-interface
      access-list IPS extended permit ip any any
      access-list everything extended permit ip any any
      access-list acc_ssh extended permit tcp any any eq ssh
      pager lines 24
      mtu input 1500
      mtu output 1500
      mtu management 1500
      ip address 10.0.0.1 255.255.255.0
      no failover
      asdm image disk0:/asdm521.bin
      no asdm history enable
      arp timeout 14400
      timeout xlate 3:00:00
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
      timeout uauth 0:05:00 absolute
      http server enable
      http 192.168.1.0 255.255.255.0 management
      http 10.0.0.0 255.255.255.0 management
      no snmp-server location
      no snmp-server contact
      service internal
      telnet timeout 5
      ssh timeout 5
      console timeout 0
      !
      class-map test
       match access-list everything
      class-map udp5060
       match port udp eq sip
      class-map tcp5060
       match port tcp eq sip
      class-map tcp22
       match port tcp eq ssh
      class-map type inspect sip match-all sipcmap
      class-map allowALL
       match any
      !
      !
      policy-map type inspect sip sippmap
       parameters
       class sipcmap
      policy-map myGLOBALpolicy
       class allowALL
        inspect sip sippmap
        ips inline fail-close
       class test
        ips inline fail-close
      !
      service-policy myGLOBALpolicy global
      prompt hostname context
      Cryptochecksum:ccc4d13edb164ecdc4da246778551ba8
      : end

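      The policy the thread asks for (SIP signalling plus SSH between the two test hosts, everything else dropped, RTP opened on demand by SIP inspection), as an added example for ASA 7.2 in transparent mode; it is not the poster's config and not taken from the thread. It assumes the interface names input/output and the hosts 10.0.0.10/10.0.0.11 from the post above; the ACL and class/policy names are invented.

      ```cisco
      ! Interface ACLs: only SIP signalling (udp/tcp 5060) and SSH between the two hosts.
      ! The implicit deny at the end of each list drops everything else; return traffic
      ! of permitted connections passes via the state table and needs no extra entry.
      access-list A_TO_B extended permit udp host 10.0.0.10 host 10.0.0.11 eq sip
      access-list A_TO_B extended permit tcp host 10.0.0.10 host 10.0.0.11 eq sip
      access-list A_TO_B extended permit tcp host 10.0.0.10 host 10.0.0.11 eq ssh
      access-list B_TO_A extended permit udp host 10.0.0.11 host 10.0.0.10 eq sip
      access-list B_TO_A extended permit tcp host 10.0.0.11 host 10.0.0.10 eq sip
      access-list B_TO_A extended permit tcp host 10.0.0.11 host 10.0.0.10 eq ssh
      !
      ! Bind one list inbound on each interface. With no ACL bound, same-security
      ! traffic is allowed through, which is why "everything worked" before.
      access-group A_TO_B in interface input
      access-group B_TO_A in interface output
      !
      ! SIP inspection reads the SDP in INVITE / 200 OK and opens the negotiated
      ! RTP/RTCP ports for that call only, so no static "permit udp any any" for media.
      class-map inspection_default
       match default-inspection-traffic
      !
      policy-map global_policy
       class inspection_default
        inspect sip
      !
      service-policy global_policy global
      ```

      While a test call is up, `show conn` lists the media connections that SIP inspection opened, and `show access-list` shows hit counts on the permit lines versus the implicit deny.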


      • #4
        Re: Simple Cisco ASA configuration (allowSIP/SSH, disallow the rest)

        Originally posted by thisismyname:
        Are you really sure that everything is forbidden on factory settings? Because I just plugged in both computers, typed "firewall transparent", activated the interfaces and everything worked.
        Well, to be pedantic, that would be changing the factory settings, surely?

        Are you saying you are working ok now?
        cheers
        Andy


        Quis custodiet ipsos custodes?



        • #5
          Re: Simple Cisco ASA configuration (allowSIP/SSH, disallow the rest)

          Yeah, so, it took 2 days... but now I'm working fine...

          Thanks for the help!!


          greetz myname



          • #6
            Re: Simple Cisco ASA configuration (allowSIP/SSH, disallow the rest)

            Well, I'm glad it is working how you want.
            cheers
            Andy


            Quis custodiet ipsos custodes?



            • #7
              Re: Simple Cisco ASA configuration (allowSIP/SSH, disallow the rest)

              Moved to Cisco Security.
              Marcel
              Technical Consultant
              Netherlands
              http://www.phetios.com
              http://blog.nessus.nl

              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
              "No matter how secure, there is always the human factor."

              "Enjoy life today, tomorrow may never come."
              "If you're going through hell, keep going. ~Winston Churchill"
