restricted access to the Internet, securely access and manage the ASA Firewall and
more.
While many consider the Cisco ASA Firewalls complex and difficult to configure devices, Firewall.cx aims to break that myth and show how easily you can set up an ASA Firewall to deliver basic and advanced functionality. We've done it with other Cisco technologies and devices, and we'll do it again :)
The table below provides a brief comparison between the different ASA 5500 series security appliances:

Users/Nodes
    Cisco ASA 5505: 10, 50, or unlimited
    Cisco ASA 5510: Unlimited
    Cisco ASA 5520: Unlimited
    Cisco ASA 5540: Unlimited
    Cisco ASA 5550: Unlimited

Firewall Throughput
    Cisco ASA 5520: Up to 450 Mbps
    Cisco ASA 5540: Up to 650 Mbps
    Cisco ASA 5550: Up to 1.2 Gbps

Maximum Firewall and IPS Throughput
    Cisco ASA 5505: Up to 150 Mbps with AIP-SSC-5
    Cisco ASA 5510: Up to 150 Mbps with AIP-SSM-10; up to 300 Mbps with AIP-SSM-20
    Cisco ASA 5520: Up to 225 Mbps with AIP-SSM-10; up to 375 Mbps with AIP-SSM-20; up to 450 Mbps with AIP-SSM-40
    Cisco ASA 5540: Up to 500 Mbps with AIP-SSM-20; up to 650 Mbps with AIP-SSM-40
    Cisco ASA 5550: Not available

3DES/AES VPN Throughput ***
    Cisco ASA 5505: Up to 100 Mbps
    Cisco ASA 5510: Up to 170 Mbps
    Cisco ASA 5520: Up to 225 Mbps
    Cisco ASA 5540: Up to 325 Mbps
    Cisco ASA 5550: Up to 425 Mbps

IPsec VPN Peers
    Cisco ASA 5505: 10 / 25
    Cisco ASA 5510: 250
    Cisco ASA 5520: 750
    Cisco ASA 5540: 5000
    Cisco ASA 5550: 5000

Premium AnyConnect VPN Peers (Included/Maximum)
    Cisco ASA 5505: 2/25
    Cisco ASA 5510: 2/250
    Cisco ASA 5520: 2/750
    Cisco ASA 5540: 2/2500
    Cisco ASA 5550: 2/5000

Concurrent Connections
    Cisco ASA 5505: 10,000 / 25,000*
    Cisco ASA 5510: 50,000 / 130,000*
    Cisco ASA 5520: 280,000
    Cisco ASA 5540: 400,000
    Cisco ASA 5550: 650,000

New Connections/Second
    Cisco ASA 5505: 4000
    Cisco ASA 5510: 9000
    Cisco ASA 5520: 12,000
    Cisco ASA 5540: 25,000
    Cisco ASA 5550: 33,000

Integrated Network Ports
    Cisco ASA 5505: 8-port Fast Ethernet switch (including 2 PoE ports)
    Cisco ASA 5510: 5 Fast Ethernet ports; 2 Gigabit Ethernet + 3 Fast Ethernet ports *
    Cisco ASA 5520: 4 Gigabit Ethernet, 1 Fast Ethernet
    Cisco ASA 5540: 4 Gigabit Ethernet, 1 Fast Ethernet
    Cisco ASA 5550: 8 Gigabit Ethernet, 4 SFP Fiber, 1 Fast Ethernet

Virtual Interfaces (VLANs)
    Cisco ASA 5505: 3 (no trunking support) / 20 (with trunking support)*
    Cisco ASA 5510: 50/100*
    Cisco ASA 5520: 150
    Cisco ASA 5540: 200
    Cisco ASA 5550: 400

Users can also download the complete technical datasheet (/downloads/ciscoproductdatasheetsaguides/ciscoasa5500seriesadaptivesecurityappliances.html) for the Cisco ASA 5500 series firewalls by visiting our Cisco Product Datasheet & Guides Download section (/downloads/ciscoproductdatasheetsaguides.html).
Perhaps one of the most important points, especially for an engineer with limited experience, is that configuring the smaller ASA 5505 Firewall does not really differ from configuring the larger ASA 5520 Firewall. The same steps are required to set up pretty much all ASA 5500 series Firewalls, which is great news!
The main differences besides the licenses, which enable or disable features, are the physical interfaces of each ASA model (mainly between the ASA 5505 and the larger 5510/5520) and possibly modules that might be installed. In any case, we should keep in mind that if we are able to configure a small ASA 5505 then configuring the larger models won't be an issue.
At the time of writing of this article Firewall.cx came across a Cisco ASA 5505, so we decided to put it to good use for this article; however, do note that all commands and the configuration philosophy are the same across all ASA 5500 series security appliances.
Note: ASA software version 8.3.0 and above use different NAT configuration commands. This article provides both old style (up to v8.2.5) and new style (v8.3 onwards) NAT configuration commands.
Additional reading material: Users seeking nothing but the best security information on ASA Firewalls, written by leading Cisco Security Engineers, should consider the following highly recommended Cisco Press titles:
Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, 2nd Edition (http://www.ciscopress.com/store/ciscoasaallinonefirewallipsantixandvpnadaptive9781587058196)
Cisco ASA, PIX, and FWSM Firewall Handbook, 2nd Edition (http://www.ciscopress.com/store/ciscoasapixandfwsmfirewallhandbook9781587054570)
We've created a simple configuration checklist that will help us keep track of the configured services on our ASA Firewall. Here is the list of items that will be covered in this article:
Erase existing configuration
Configure Hostname, Users, Enable password & Disable Anonymous Reporting
Configure interface IP addresses or VLAN IP addresses (ASA 5505) & Descriptions
Set up Inside (private) & Outside (public) Interfaces
Configure default route (default Gateway) & static routes
Configure Network Address Translation (NAT) for Internal Networks
Configure ASA DHCP Server
Configure AAA authentication for local database user authentication
Enable HTTP Management for inside interface
Enable SSH & Telnet Management for inside and outside interfaces
Create, configure and apply TCP/UDP Object-Groups to firewall access lists
Configuration of access lists for ICMP packets to the Internet
Apply Firewall access lists to inside and outside interfaces
Configure logging/debugging of events and errors
Note: it is highly advisable to frequently save the ASA configuration to ensure no work is lost in the event of a power failure or accidental restart.
Saving the configuration can be easily done using the write memory command:
ASA5505(config)# write memory
Building configuration...
Cryptochecksum: c0aee665 598d7cd3 7fbfe1a5 a2d40ab1
3270 bytes copied in 1.520 secs (3270 bytes/sec)
[OK]
[OK]
ciscoasa(config)# reload
System config has been modified. Save? [Y]es/[N]o: N
Proceed with reload? [confirm]
ciscoasa(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....
Next, we need to configure the Enable password, required for privileged exec mode access, and then user accounts that will have access to the firewall.
The ASA Firewall won't ask for a username/password when logging in next; however, the default enable password of cisco will be required to gain access to privileged mode:
ciscoasa> enable
Password: cisco
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: N
In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".
Please remember to save your configuration.
At this point we need to note that when starting off with the factory default configuration, as soon as we enter the configure terminal command, the system will ask if we would like to enable Cisco's call-home reporting feature. We declined the offer and continued with our setup:
ciscoasa(config)# hostname ASA5505
ASA5505(config)# enable password firewall.cx
ASA5505(config)# username admin password s1jw$528ds2 privilege 15
The privilege 15 parameter at the end of the command line ensures the system is aware that this is an account with full privileges and has access to all configuration commands, including erasing the configuration and files on the device's flash disk, such as the operating system.
Depending on the ASA appliance we have, we can configure physical interfaces (inside/outside) with IP addresses, usually done with ASA 5510 and larger models, or create VLANs (inside/outside) and configure them with IP addresses, usually with the smaller ASA 5505 models.
In many cases network engineers use VLAN interfaces on the larger ASA 5500 models, however, this depends on the licensing capabilities of the device, existing network setup and more.
In the case of the ASA 5505 we must use VLAN interfaces, which are configured with their appropriate IP addresses and then (next step) characterised as inside (private) or outside (public) interfaces:
ASA5505(config)# interface vlan 1
ASA5505(config-if)# description Private Interface
ASA5505(config-if)# ip address 10.71.0.1 255.255.255.0
ASA5505(config-if)# no shutdown
!
ASA5505(config)# interface vlan 2
ASA5505(config-if)# description Public Interface
ASA5505(config-if)# ip address 192.168.3.50 255.255.255.0
ASA5505(config-if)# no shutdown
ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown
Alternatively, the Public interface (VLAN 2) can be configured to obtain its IP address automatically via DHCP with the following command:
ASA5505(config)# interface vlan 2
ASA5505(config-if)# description Public Interface
ASA5505(config-if)# ip address dhcp setroute
ASA5505(config-if)# no shutdown
The setroute parameter at the end of the command will ensure the ASA Firewall sets its default route (gateway) using the default gateway parameter the DHCP server provides.
After configuring VLAN 1 & VLAN 2 with the appropriate IP addresses, we configured ethernet 0/0 as an access link for VLAN 2 so we can use it as a physical public interface. Out of the 8 total Ethernet interfaces the ASA 5505 has, at least one must be set with the switchport access vlan 2 command, otherwise there won't be any physical public interface on the ASA for our frontend router to connect to. Ethernet ports 0/1 to 0/7 must also be configured with the no shutdown command in order to make them operational. All of these ports are, by default, access links for VLAN 1. Provided are the configuration commands for the first two Ethernet interfaces, as the configuration is identical for all:
ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# no shutdown
ASA5505(config-if)# interface ethernet 0/2
ASA5505(config-if)# no shutdown
Next, we must designate the Inside (private) and Outside (public) interfaces. This step is essential and will help the ASA Firewall understand which interface is connected to the trusted (private) and untrusted (public) network:
ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
The ASA Firewall will automatically set the security level to 100 for inside interfaces and 0 for outside interfaces. Traffic can flow from higher security levels to lower (private to public), but not the other way around (public to private) unless permitted by an access list.
To change the security-level of an interface use the security-level xxx command by substituting xxx with a number from 0 to 100. The higher the number, the higher the security level. DMZ interfaces are usually configured with a security level of 50.
It is extremely important the necessary caution is taken when selecting and applying the inside/outside interfaces on any ASA Firewall.
a router. In case the public interface (VLAN 2) is configured using the ip address dhcp setroute command, configuration of the default gateway is not required.
ASA5505(config)# route outside 0.0.0.0 0.0.0.0 192.168.3.1
At this point, it's a good idea to try testing the next-hop router and confirm the ASA Firewall can reach it:
ASA5505(config)# ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
For networks with multiple internal VLANs, it is necessary to configure static routes to ensure the ASA Firewall knows how to reach them. Usually these networks can be reached via a Layer 3 switch or an internal router. For our example, we'll assume we have two networks: 10.75.0.0/24 & 10.76.0.0/24 which we need to provide Internet access to. These additional networks are contactable via a Layer 3 device with IP address 10.71.0.100:
ASA5505(config)# route inside 10.75.0.0 255.255.255.0 10.71.0.100
ASA5505(config)# route inside 10.76.0.0 255.255.255.0 10.71.0.100
Another method of configuring NAT is with the use of access lists. In this case, we define the internal IP addresses to be NAT'ed with the use of access lists:
ASA5505(config)# access-list NATACLs extended permit ip 10.71.0.0 255.255.255.0 any
ASA5505(config)# access-list NATACLs extended permit ip 10.75.0.0 255.255.255.0 any
ASA5505(config)# access-list NATACLs extended permit ip 10.76.0.0 255.255.255.0 any
ASA5505(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA5505(config)# nat (inside) 1 access-list NATACLs
NAT with the use of access lists provides greater flexibility and control over which IP addresses or networks will use the NAT service.
With software version 8.3 and newer, things have changed dramatically and there are no more access lists in NAT configuration lines.
The new NAT format now utilizes "object network", "object service" and "object-group network" to define the parameters of the NAT configuration.
The following commands (software version 8.3 and above) will provide NAT services to our internal networks so they can access the Internet:
ASA5505(config)# object network network1
ASA5505(config-network-object)# subnet 10.71.0.0 255.255.255.0
ASA5505(config-network-object)# nat (inside,outside) dynamic interface
!
ASA5505(config)# object network network2
ASA5505(config-network-object)# subnet 10.75.0.0 255.255.255.0
ASA5505(config-network-object)# nat (inside,outside) dynamic interface
!
ASA5505(config)# object network network3
ASA5505(config-network-object)# subnet 10.76.0.0 255.255.255.0
ASA5505(config-network-object)# nat (inside,outside) dynamic interface
As mentioned, our example instructs the ASA Firewall to use its local database:
ASA5505(config)# aaa authentication telnet console LOCAL
ASA5505(config)# aaa authentication http console LOCAL
ASA5505(config)# aaa authentication ssh console LOCAL
ENABLE SSH & TELNET MANAGEMENT FOR INSIDE AND OUTSIDE INTERFACES
Enabling SSH and Telnet access to the Cisco Firewall is pretty straightforward. While we always recommend the use of SSH, especially when accessing the Firewall from public IPs, telnet is also an option, however, we must keep in mind that telnet management methods do not provide any security as all data (including username, passwords and configurations) are sent in clear text.
Before enabling SSH, we must generate RSA key pairs for identity certificates. Telnet does not require any such step as it does not provide any encryption or security:
ASA5505(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be:
Keypair generation process begin. Please wait...
ASA5505(config)# ssh 10.71.0.0 255.255.255.0 inside
ASA5505(config)# ssh 200.200.90.5 255.255.255.255 outside
ASA5505(config)# telnet 10.71.0.0 255.255.255.0 inside
Note that the ASA Firewall appliance will only accept SSH connections from host 200.200.90.5 arriving on its public interface, while SSH and telnet connections are permitted from network 10.71.0.0/24 on the inside interface.
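
As an added example (not part of the original article), the Python check below reads ssh/telnet management lines like the ones above from a saved configuration and flags Telnet entries and any outside-facing entry wider than a single host. The function name audit_mgmt_access and the sample text are assumptions made for illustration; the last sample line is constructed to show a finding.

```python
import ipaddress
import re

# ASA management-access lines: "<ssh|telnet> <network> <mask> <interface>"
MGMT_RE = re.compile(
    r"^(ssh|telnet)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$"
)

def audit_mgmt_access(config_text, untrusted=("outside",)):
    """Return (line, finding) tuples for risky management-access entries.

    `untrusted` lists the nameif values treated as public-facing
    (an assumption; adjust to the names used on the device).
    """
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = MGMT_RE.match(line)
        if not m:
            continue  # e.g. "ssh timeout 5" or unrelated configuration
        proto, addr, mask, ifname = m.groups()
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            findings.append((line, "unparseable address/mask"))
            continue
        if proto == "telnet":
            findings.append((line, "telnet sends credentials in clear text"))
        if ifname in untrusted and net.prefixlen < 32:
            findings.append((line, f"{proto} open to {net} on {ifname}"))
    return findings

# First three lines are the article's commands; the fourth is constructed.
SAMPLE = """\
ssh 10.71.0.0 255.255.255.0 inside
ssh 200.200.90.5 255.255.255.255 outside
telnet 10.71.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

if __name__ == "__main__":
    for line, finding in audit_mgmt_access(SAMPLE):
        print(f"{finding}: {line}")
```
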
ASA5505(config)# access-list insidein remark =[Access Lists For Outgoing Packets from Inside interface]=
ASA5505(config)# access-list insidein extended permit udp 10.71.0.0 255.255.255.0 any object-group Internetudp
ASA5505(config)# access-list insidein extended permit tcp 10.71.0.0 255.255.255.0 any object-group Internettcp
ASA5505(config)# access-list insidein extended permit tcp 10.75.0.0 255.255.255.0 any object-group Internettcp
ASA5505(config)# access-list insidein extended permit tcp 10.76.0.0 255.255.255.0 any object-group Internettcp
Note that the 10.71.0.0/24 network has access to both Object-group services, while our other networks are restricted to only the services defined in the TCP Object-group. To understand how Object-groups help simplify access list management: without them, we would require 37 access list commands instead of just 4!
The commands used above enable logging at the debugging level (7) and set the buffer size in RAM to 30,000 bytes (~30 Kbytes).
Issuing the show log command will reveal a number of important logs including any packets that are processed or denied due to access lists:
ASA5505(config)# show log
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 39925 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
n" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "insidein" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54845 dst outside:10.0.0.10/445 by access-group "insidein" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54844 dst outside:10.0.0.10/445 by access-group "insidein" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "insidein" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "insidein" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54845 dst outside:10.0.0.10/445 by access-group "insidein" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54844 dst outside:10.0.0.10/445 by access-group "insidein" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "insidein" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.71.0.50/137 dst outside:10.0.0.10/137 by access-group "insidein" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 4718 for outside:173.194.40.49/443 to inside:10.71.0.50/54803 duration 0:02:00 bytes 1554462 TCP FINs
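
As an added example (not part of the original article), the Python code below parses the %ASA-4-106023 deny messages from the log output above and totals them per source and destination port, which makes an inside host that keeps hitting a blocked service stand out. The function names are illustrative; the sample lines are the article's own log excerpt written with standard syslog spacing, and the pattern covers the TCP/UDP form of the message only.

```python
import re
from collections import Counter

# %ASA-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
#                by access-group "<acl>" [..]
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\S+) '
    r'src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

def summarize_denies(log_text):
    """Count ACL denies per (acl, src_ip, dst_ip, proto, dst_port)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # other message IDs (e.g. 302014) and truncated lines
        key = (m["acl"], m["src_ip"], m["dst_ip"], m["proto"], int(m["dst_port"]))
        counts[key] += 1
    return counts

def noisy_sources(counts, threshold=5):
    """Map each source with >= threshold denies to (total, sorted ports tried)."""
    totals, ports = Counter(), {}
    for (_acl, src, _dst, proto, dport), n in counts.items():
        totals[src] += n
        ports.setdefault(src, set()).add((proto, dport))
    return {s: (n, sorted(ports[s])) for s, n in totals.items() if n >= threshold}

# Log excerpt from the article (spacing restored), including one truncated line.
SAMPLE_LOG = """\
n" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "insidein" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54845 dst outside:10.0.0.10/445 by access-group "insidein" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54844 dst outside:10.0.0.10/445 by access-group "insidein" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "insidein" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "insidein" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54845 dst outside:10.0.0.10/445 by access-group "insidein" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54844 dst outside:10.0.0.10/445 by access-group "insidein" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "insidein" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.71.0.50/137 dst outside:10.0.0.10/137 by access-group "insidein" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 4718 for outside:173.194.40.49/443 to inside:10.71.0.50/54803 duration 0:02:00 bytes 1554462 TCP FINs
"""

if __name__ == "__main__":
    for src, (total, tried) in noisy_sources(summarize_denies(SAMPLE_LOG)).items():
        print(src, total, tried)
```
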
CONCLUSION