Created
August 13, 2019 19:15
-
-
Save thorr18/3ac10e38dc14d5933d375541744ecf40 to your computer and use it in GitHub Desktop.
ACL for internet access
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ASA Version 9.3(2) | |
| ! | |
| hostname ACTUNNEL_ASA | |
| ip local pool ACTUNNEL_POOL 10.10.11.1-10.10.11.20 mask 255.255.255.0 | |
| ! | |
| interface GigabitEthernet0/0 | |
| nameif outside | |
| security-level 0 | |
| ip address 172.16.21.1 255.255.255.0 | |
| ! | |
| interface GigabitEthernet0/1 | |
| nameif inside | |
| security-level 100 | |
| ip address 10.10.10.1 255.255.255.0 | |
| ! | |
| object network INSIDE_NETWORK | |
| subnet 10.10.10.0 255.255.255.0 | |
| object network ACTUNNEL_NETWORK | |
| subnet 10.10.11.0 255.255.255.224 | |
| access-list ACL_OUTSIDE_IN extended permit ip any any | |
| !***********Split ACL configuration*********** | |
| access-list ACTUNNEL_SPLIT standard permit 10.10.10.0 255.255.255.0 | |
| access-list ACTUNNEL_SPLIT standard permit 0.0.0.0 128.0.0.0 | |
| access-list ACTUNNEL_SPLIT standard permit 128.0.0.0 128.0.0.0 | |
| mtu outside 1500 | |
| mtu inside 1500 | |
| arp timeout 14400 | |
| no arp permit-nonconnected | |
| !************** NAT exemption Configuration ***************** | |
| !This will exempt traffic from Local LAN(s) to the | |
| !Remote LAN(s) from getting NATted on any dynamic NAT rule. | |
| nat (inside,outside) source static INSIDE_NETWORK INSIDE_NETWORK | |
| destination static ACTUNNEL_NETWORK ACTUNNEL_NETWORK no-proxy-arp | |
| route-lookup | |
| ! | |
| access-group ACL_OUTSIDE_IN in interface outside | |
| ! | |
| route outside 0.0.0.0 0.0.0.0 172.16.21.2 1 | |
| route outside 0.0.0.0 128.0.0.0 172.16.21.2 1 | |
| route outside 128.0.0.0 128.0.0.0 172.16.21.2 1 | |
| dynamic-access-policy-record DfltAccessPolicy | |
| user-identity default-domain LOCAL | |
| aaa authentication ssh console LOCAL | |
| ssl server-version tlsv1-only | |
| ssl encryption des-sha1 3des-sha1 aes128-sha1 aes256-sha1 | |
| !******** Bind the certificate to the outside interface******** | |
| ssl trust-point SelfsignedCert outside | |
| !********Configure the Anyconnect Image and enable Anyconnect*** | |
| webvpn | |
| enable outside | |
| anyconnect image disk0:/anyconnect-win-3.1.06073-k9.pkg 1 | |
| anyconnect enable | |
| tunnel-group-list enable | |
| !*******Group Policy configuration********* | |
| !Tunnel protocol, Spit tunnel policy, Split | |
| !ACL, etc. can be configured. | |
| group-policy ACTUNNEL_POLICY internal | |
| group-policy ACTUNNEL_POLICY attributes | |
| wins-server none | |
| dns-server value 10.10.10.23 | |
| vpn-tunnel-protocol ikev2 ssl-client | |
| split-tunnel-policy tunnelspecified | |
| split-tunnel-network-list value ACTUNNEL_SPLIT | |
| default-domain value Cisco.com | |
| !*******Tunnel-Group (Connection Profile) Configuraiton***** | |
| tunnel-group ACTUNNEL type remote-access | |
| tunnel-group ACTUNNEL general-attributes | |
| address-pool ACTUNNEL_POOL | |
| default-group-policy ACTUNNEL_POLICY | |
| tunnel-group ACTUNNEL webvpn-attributes | |
| group-alias ACTUNNEL enable | |
| ! | |
| ! | |
| service-policy global_policy global | |
| : end |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ASA Version 9.3(2) | |
| ! | |
| hostname PeerASA-29 | |
| enable password 8Ry2YjIyt7RRXU24 encrypted | |
| ip local pool SSL-Pool 10.10.11.1-10.10.11.20 mask 255.255.255.0 | |
| ! | |
| interface GigabitEthernet0/0 | |
| nameif outside | |
| security-level 0 | |
| ip address 172.16.21.1 255.255.255.0 | |
| ! | |
| interface GigabitEthernet0/1 | |
| nameif inside | |
| security-level 100 | |
| ip address 10.10.10.1 255.255.255.0 | |
| ! | |
| boot system disk0:/asa932-smp-k8.bin | |
| ftp mode passive | |
| object network NETWORK_OBJ_10.10.10.0_24 | |
| subnet 10.10.10.0 255.255.255.0 | |
| object network NETWORK_OBJ_10.10.11.0_27 | |
| subnet 10.10.11.0 255.255.255.224 | |
| access-list all extended permit ip any any | |
| !***********Split ACL configuration*********** | |
| access-list Split-ACL standard permit 10.10.10.0 255.255.255.0 | |
| no pager | |
| logging enable | |
| logging buffered debugging | |
| mtu outside 1500 | |
| mtu inside 1500 | |
| mtu dmz 1500 | |
| no failover | |
| icmp unreachable rate-limit 1 burst-size 1 | |
| asdm image disk0:/asdm-721.bin | |
| no asdm history enable | |
| arp timeout 14400 | |
| no arp permit-nonconnected | |
| !************** NAT exemption Configuration ***************** | |
| !This will exempt traffic from Local LAN(s) to the | |
| !Remote LAN(s) from getting NATted on any dynamic NAT rule. | |
| nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 | |
| destination static NETWORK_OBJ_10.10.11.0_27 NETWORK_OBJ_10.10.11.0_27 no-proxy-arp | |
| route-lookup | |
| access-group all in interface outside | |
| route outside 0.0.0.0 0.0.0.0 172.16.21.2 1 | |
| timeout xlate 3:00:00 | |
| timeout pat-xlate 0:00:30 | |
| timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 | |
| timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 | |
| timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 | |
| timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute | |
| timeout tcp-proxy-reassembly 0:01:00 | |
| timeout floating-conn 0:00:00 | |
| dynamic-access-policy-record DfltAccessPolicy | |
| user-identity default-domain LOCAL | |
| aaa authentication ssh console LOCAL | |
| http server enable | |
| http 0.0.0.0 0.0.0.0 outside | |
| no snmp-server location | |
| no snmp-server contact | |
| !********** Trustpoint for Selfsigned certificate*********** | |
| !Genarate the key pair and then configure the trustpoint | |
| !Enroll the trustpoint genarate the self-signed certificate | |
| crypto ca trustpoint SelfsignedCert | |
| enrollment self | |
| subject-name CN=anyconnect.cisco.com | |
| keypair sslcert | |
| crl configure | |
| crypto ca trustpool policy | |
| crypto ca certificate chain SelfsignedCert | |
| certificate 4748e654 | |
| 308202f0 308201d8 a0030201 02020447 48e65430 0d06092a 864886f7 0d010105 | |
| 0500303a 311d301b 06035504 03131461 6e79636f 6e6e6563 742e6369 73636f2e | |
| 636f6d31 19301706 092a8648 86f70d01 0902160a 50656572 4153412d 3239301e | |
| 170d3135 30343032 32313534 30375a17 0d323530 33333032 31353430 375a303a | |
| 311d301b 06035504 03131461 6e79636f 6e6e6563 742e6369 73636f2e 636f6d31 | |
| 19301706 092a8648 86f70d01 0902160a 50656572 4153412d 32393082 0122300d | |
| 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100f6 a125d0d0 | |
| 55a975ec a1f2133f 0a2c3960 0da670f8 bcb6dad7 efefe50a 482db3a9 7c6db7c4 | |
| ed327ec5 286594bc 29291d8f 15140bad d33bc492 02f5301e f615e7cd a72b60e0 | |
| 7877042b b6980dc7 ccaa39c8 c34164d9 e2ddeea1 3c0b5bad 5a57ec4b d77ddb3c | |
| 75930fd9 888f92b8 9f424fd7 277e8f9e 15422b40 071ca02a 2a73cf23 28d14c93 | |
| 5a084cf0 403267a6 23c18fa4 fca9463f aa76057a b07e4b19 c534c0bb 096626a7 | |
| 53d17d9f 4c28a3fd 609891f7 3550c991 61ef0de8 67b6c7eb 97c3bff7 c9f9de34 | |
| 03a5e788 94678f4d 7f273516 c471285f 4e23422e 6061f1e7 186bbf9c cf51aa36 | |
| 19f99ab7 c2bedb68 6d182b82 7ecf39d5 1314c87b ffddff68 8231d302 03010001 | |
| 300d0609 2a864886 f70d0101 05050003 82010100 d598c1c7 1e4d8a71 6cb43296 | |
| c09ea8da 314900e7 5fa36947 c0bc1778 d132a360 0f635e71 400e592d b27e29b1 | |
| 64dfb267 51e8af22 0a6a8378 5ee6a734 b74e686c 6d983dde 54677465 7bf8fe41 | |
| daf46e34 bd9fd20a bacf86e1 3fac8165 fc94fe00 4c2eb983 1fc4ae60 55ea3928 | |
| f2a674e1 8b5d651f 760b7e8b f853822c 7b875f91 50113dfd f68933a2 c52fe8d9 | |
| 4f9d9bda 7ae2f750 313c6b76 f8d00bf5 1f74cc65 7c079a2c 8cce91b0 a8cdd833 | |
| 900a72a4 22c2b70d 111e1d92 62f90476 6611b88d ff58de5b fdaa6a80 6fe9f206 | |
| 3fe4b836 6bd213d4 a6356a6c 2b020191 bf4c8e3d dd7bdd8b 8cc35f0b 9ad8852e | |
| b2371ee4 23b16359 ba1a5541 ed719680 ee49abe8 | |
| quit | |
| telnet timeout 5 | |
| ssh timeout 5 | |
| ssh key-exchange group dh-group1-sha1 | |
| console timeout 0 | |
| management-access inside | |
| threat-detection basic-threat | |
| threat-detection statistics access-list | |
| no threat-detection statistics tcp-intercept | |
| ssl server-version tlsv1-only | |
| ssl encryption des-sha1 3des-sha1 aes128-sha1 aes256-sha1 | |
| !******** Bind the certificate to the outside interface******** | |
| ssl trust-point SelfsignedCert outside | |
| !********Configure the Anyconnect Image and enable Anyconnect*** | |
| webvpn | |
| enable outside | |
| anyconnect image disk0:/anyconnect-win-3.1.06073-k9.pkg 1 | |
| anyconnect enable | |
| tunnel-group-list enable | |
| !*******Group Policy configuration********* | |
| !Tunnel protocol, Spit tunnel policy, Split | |
| !ACL, etc. can be configured. | |
| group-policy GroupPolicy_SSLClient internal | |
| group-policy GroupPolicy_SSLClient attributes | |
| wins-server none | |
| dns-server value 10.10.10.23 | |
| vpn-tunnel-protocol ikev2 ssl-client | |
| split-tunnel-policy tunnelspecified | |
| split-tunnel-network-list value Split-ACL | |
| default-domain value Cisco.com | |
| username User1 password PfeNk7qp9b4LbLV5 encrypted | |
| username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15 | |
| !*******Tunnel-Group (Connection Profile) Configuraiton***** | |
| tunnel-group SSLClient type remote-access | |
| tunnel-group SSLClient general-attributes | |
| address-pool SSL-Pool | |
| default-group-policy GroupPolicy_SSLClient | |
| tunnel-group SSLClient webvpn-attributes | |
| group-alias SSLClient enable | |
| ! | |
| class-map inspection_default | |
| match default-inspection-traffic | |
| ! | |
| ! | |
| policy-map type inspect dns preset_dns_map | |
| parameters | |
| message-length maximum client auto | |
| message-length maximum 512 | |
| policy-map global_policy | |
| class inspection_default | |
| inspect dns preset_dns_map | |
| inspect ftp | |
| inspect sip | |
| inspect xdmcp | |
| ! | |
| service-policy global_policy global | |
| Cryptochecksum:8d492b10911d1a8fbcc93aa4405930a0 | |
| : end |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| !include public internet halves A & B while only including private network(s) of interest: | |
| access-list ACTUNNEL_SPLIT standard permit 10.10.10.0 255.255.255.0 | |
| access-list ACTUNNEL_SPLIT standard deny 10.0.0.0 255.0.0.0 | |
| access-list ACTUNNEL_SPLIT standard deny 172.16.0.0 255.240.0.0 | |
| access-list ACTUNNEL_SPLIT standard deny 192.168.0.0 255.255.0.0 | |
| access-list ACTUNNEL_SPLIT standard permit 0.0.0.0 128.0.0.0 | |
| access-list ACTUNNEL_SPLIT standard permit 128.0.0.0 128.0.0.0 | |
| access-list ACTUNNEL_SPLIT standard deny any any |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment