#Asa asdm teardown icmp connection series

This is the third in a planned series of templates. It provides a baseline template for ASA configuration prior to customisation, such as ACLs, routing protocols, NAT, VPNs, etc. Not all commands will apply, such as tweaking the TCP MSS if you're using VPNs, or disabling denied connection logging, so don't just copy & paste the whole lot without confirming. Inline commentary explains the various settings.

! Enable jumbo frame support (requires reboot), then tweak the MTU on interfaces where jumbo frames are to be used
! These may not be needed, SIP inspect is very commonly required though
! Consider disabling unnecessary inspects
policy-map type inspect dns custom_dns_map
! ASA 5500-X kludge so the IPS can use an IP address from the inside interface subnet via the Management0/0 interface (which must be connected to the inside switch)
! Enable reverse path filtering, may cause some routing headaches
! Discard routes for RFC1918 summary addresses so as not to forward them out via the default route
same-security-traffic permit intra-interface
! Set ISAKMP identity to the ASA's IP address, don't use if using certificate authenticated site to site VPNs
! Permit ARP for subnets there aren't interfaces for (to present them via NAT)
! Adjust TCP maximum segment size (default is 1380, depends on VPN encapsulations in use) & disable TCP resets
! Allow tracert & MTU path discovery to work through the ASA + RFC2827 anti-spoofing for outside interface (note 224.0.0.0/4 used by IGP routing protocols)
! ASA ACLs take subnet masks (255.0.0.0), not IOS wildcard masks (0.255.255.255); order matters, denies must precede the final permit
access-list OUTSIDE-IN extended deny ip 10.0.0.0 255.0.0.0 any
access-list OUTSIDE-IN extended deny ip 172.16.0.0 255.240.0.0 any
access-list OUTSIDE-IN extended deny ip 192.168.0.0 255.255.0.0 any
access-list OUTSIDE-IN extended deny ip 0.0.0.0 255.0.0.0 any
access-list OUTSIDE-IN extended deny ip 127.0.0.0 255.0.0.0 any
access-list OUTSIDE-IN extended deny ip 169.254.0.0 255.255.0.0 any
access-list OUTSIDE-IN extended deny ip 224.0.0.0 240.0.0.0 any
access-list OUTSIDE-IN extended deny ip 239.0.0.0 255.0.0.0 any
access-list OUTSIDE-IN extended deny ip 240.0.0.0 240.0.0.0 any
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-list OUTSIDE-IN extended permit icmp any any parameter-problem
access-list OUTSIDE-IN extended permit icmp any any source-quench
access-list OUTSIDE-IN extended permit ip any any
access-group OUTSIDE-IN in interface outside
! Enable ICMP echo & unreachable, but rate limit unreachables
icmp unreachable rate-limit 10 burst-size 5
! Enable basic threat detection but disable statistics
! Disable high volume logging to reduce CPU load:
! Inbound UDP connection denied outside Firewall Access
! Inbound TCP connection denied outside Firewall Access
! No matching connection for ICMP error message
! Denied ICMP type=0, no matching session
! Enable logging to syslog server & adjust ASDM logging to reduce CPU load
banner login ************************************************************************
banner login You have logged on to a proprietary device.
banner login This device may be used only for the authorized business purposes
banner login of.
banner login Anyone found using this device or its information for
banner login any unauthorized purpose may be subject to disciplinary action
! Set correct time zone & configure multiple NTP servers via DNS
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
! Define an admin user, configure local authentication (ideally use RADIUS/TACACS+) & set 15 minute session timeout

This is the second in a planned series of templates. It provides a baseline template for router configuration prior to customisation, such as ACLs, routing protocols, QoS etc. Not all commands will apply on all models of routers or all versions of IOS, so don't just copy & paste the whole lot without confirming.

! Disable unnecessary services, including CDP/LLDP (alternatively only enable them on the inside interface)
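The OUTSIDE-IN anti-spoofing ACL on this page only works if every deny uses an ASA subnet mask and sits before the final permit ip any any. The following audit script is an added example (not part of the original template) that parses access-list lines from a constructed sample config, flags IOS-style wildcard masks and unreachable denies, and reports which RFC1918/RFC2827 ranges are left undenied; the sample config and function names are assumptions.

```python
import ipaddress
import re

# Source ranges the OUTSIDE-IN ACL is meant to deny before traffic is permitted
# (RFC 1918 space plus the RFC 2827 / special-use blocks named in the template comments).
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
          "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4"]

# Matches 'access-list NAME extended ACTION PROTO SRC [MASK] DST ...' ('host'/object forms not handled).
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+"
                    r"(any|\d+(?:\.\d+){3})(?:\s+(\d+(?:\.\d+){3}))?\s+(any|\S+)")

def is_netmask(mask):
    """True only for a contiguous subnet mask (255.240.0.0); an IOS wildcard like 0.0.15.255 fails."""
    inv = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
    return inv & (inv + 1) == 0

def audit_acl(config_text, acl_name):
    """Return (problems, uncovered): findings for the named ACL and bogon ranges it never denies."""
    problems, denied, permit_all_seen = [], [], False
    for ln, line in enumerate(config_text.splitlines(), 1):
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        _, action, proto, src, mask, dst = m.groups()
        if mask and not is_netmask(mask):
            problems.append(f"line {ln}: {mask} is not a subnet mask (IOS wildcard?)")
            continue                                 # the ASA would not match this as intended
        if action == "permit" and proto == "ip" and src == "any" and dst == "any":
            permit_all_seen = True
        elif action == "deny" and proto == "ip" and mask:
            if permit_all_seen:                      # first match wins: this deny is dead
                problems.append(f"line {ln}: deny follows 'permit ip any any' and never matches")
            else:
                denied.append(ipaddress.ip_network(f"{src}/{mask}"))
    uncovered = [b for b in BOGONS
                 if not any(ipaddress.ip_network(b).subnet_of(d) for d in denied)]
    return problems, uncovered

# Constructed sample: one ACE uses a wildcard mask, one deny sits after the permit-all.
SAMPLE_CONFIG = """\
access-list OUTSIDE-IN extended deny ip 10.0.0.0 255.0.0.0 any
access-list OUTSIDE-IN extended deny ip 172.16.0.0 255.240.0.0 any
access-list OUTSIDE-IN extended deny ip 192.168.0.0 0.0.255.255 any
access-list OUTSIDE-IN extended deny ip 0.0.0.0 255.0.0.0 any
access-list OUTSIDE-IN extended deny ip 127.0.0.0 255.0.0.0 any
access-list OUTSIDE-IN extended deny ip 169.254.0.0 255.255.0.0 any
access-list OUTSIDE-IN extended deny ip 224.0.0.0 240.0.0.0 any
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit ip any any
access-list OUTSIDE-IN extended deny ip 240.0.0.0 240.0.0.0 any
"""
```

Run `audit_acl(open("asa.cfg").read(), "OUTSIDE-IN")` against a `show running-config` export; an empty uncovered list with no problems means the anti-spoofing denies are complete and reachable.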