
ASA, CSC-SSM and CSM

Post-Installation document

Submitted to: HIMALAYAN BANK LTD.


SUMMARY

Data Centre Security Implementation

Himalayan Bank Ltd.

HCL Comnet Limited - Kolkata

PO772403, PO781708
Cisco Solution with ASA, CSC and CSM

The solution consists of two Cisco ASA firewalls along with the CSC (Content Security
and Control) module (ASA 5510 with AIP-SSM-10). The prime objective is to merge
the different networks and define specific access policies for clients accessing
different services.

Implementation of the security devices has been done on the basis of the proposed
diagram for the application installation. In the design, there are two Cisco ASA firewalls
with inbuilt CSC modules.

The Internet-facing ASA (ASA 5510 with AIP-SSM-10) has three zones, namely
outside (terminating on a Cisco switch where the internal interface of the Internet router
is also terminated), dmz and inside. All servers that need to be reachable from the
Internet have been placed in the demilitarized zone (dmz). The inside interface is
connected to the core L3 Cisco switch and is the default gateway for the Thamel LAN
as well as for the L3 switch. The Internet-facing ASA acts as the perimeter security
gateway, deployed to inspect and drop all unwanted traffic except that which is
explicitly allowed by the access list according to HBL’s access policy.

The internal ASA has been deployed to provide an in-depth second layer of security for
business-critical resources such as the core banking servers, database servers and mail
servers. Specifically, the internal ASA has been configured with three interfaces (zones),
namely the SERVER zone, LAN zone and WAN zone. The interface facing the LAN zone is
connected to the internal L3 switch in a separate L3 VLAN. The interface facing the WAN
zone is connected to another L3 switch, which in turn connects to the WAN router(s).
The third interface, configured as the server zone, is connected to the server farm
switch where all business-critical servers are placed. This design provides in-depth
multilayer security against external (Internet) threats and also restricts access to these
business-critical servers from the WAN, and even from the LAN, to specific, limited flows.

Further, the perimeter ASA has been configured to send all HTTP and HTTPS traffic, and
only incoming SMTP and POP3 traffic, to the inbuilt CSC module for virus, spyware, spam
and other malware scanning. The internal ASA has also been configured to send all HTTP,
FTP, SMTP and POP3 traffic to its inbuilt CSC module.

HBL Network Diagram (figure; only the labels are recoverable from the text):

Internet; Internet-Router; External ASA/CSC-SSM (outside 202.52.232.12/28, dmz
192.168.100.1/24, inside 192.168.240.40/23); L3-Switch; IDS; Management-VLAN;
CAM 192.168.98.17; CAS-trusted 192.168.240.4; CAS-Un-trusted 192.168.240.6;
CAS-L3-OOB-VG; User-LAN (VLAN-1, VLAN-99, VLAN-100); LAN-USERS; Server-Zone;
Internal ASA/CSC-SSM (10.1.10.10/30 towards WAN, 10.1.10.13/30 towards LAN,
192.168.1.1/24 server zone); L3-Switch (10.1.10.14/30 on the LAN side, 10.1.10.9/30 on
the WAN side); WAN; WAN-Router; WAN-USERS; Remote-WAN-Router.

Configuration details of perimeter ASA 5510:

The configuration details of the perimeter ASA 5510 are explained below.

1. Configuring the hostname and domain name of the firewall :

hostname hbl-external
domain-name hbl.com.np

2. Setting the password for logging into the privileged mode:

enable password NuLKvvWGg.x9HEKO encrypted

3. Command for specifying the telnet password.

passwd bQq0fYDkRAt.aWco encrypted

4. Commands specifying the name, IP address and security level of the Ethernet 0/0
Interface :

interface Ethernet0/0
nameif outside
security-level 0
ip address 202.52.232.12 255.255.255.240

5. Commands specifying the name, IP address and security level of the Ethernet 0/1
Interface :

interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.240.40 255.255.254.0

6. Commands specifying the name, IP address and security level of the Ethernet 0/2
Interface :

interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.100.1 255.255.255.0

7. Setting internet router’s IP address as default gateway :

route outside 0.0.0.0 0.0.0.0 202.52.232.1 1

8. Commands to add static route for 192.168.0.0/16 network towards L3 switch.

route inside 192.168.0.0 255.255.0.0 192.168.240.1 1

9. Configuring static NAT for servers placed in DMZ to be accessible from internet along
with setting embryonic limits :

static (dmz,outside) 202.52.232.3 192.168.100.3 netmask 255.255.255.255 tcp 1000 400
static (dmz,outside) 202.52.232.11 192.168.100.2 netmask 255.255.255.255
static (dmz,outside) 202.52.232.14 192.168.100.14 netmask 255.255.255.255 tcp 1000 1000
static (dmz,outside) 202.52.232.4 192.168.100.13 netmask 255.255.255.255 tcp 1000 1000
static (dmz,outside) 202.52.232.10 192.168.100.10 netmask 255.255.255.255

10. Configuring static NAT for servers placed in Inside zone to be accessible from DMZ
along with setting embryonic limits :

static (inside,dmz) 192.168.100.201 192.168.1.33 netmask 255.255.255.255 tcp 1000 100
static (inside,dmz) 192.168.100.206 192.168.1.48 netmask 255.255.255.255 tcp 25
static (inside,dmz) 192.168.1.7 192.168.1.7 netmask 255.255.255.255

11. Configuring static NAT for servers placed in Inside zone to be accessible from
internet along with setting embryonic limits :

static (inside,outside) 202.52.232.6 192.168.1.33 netmask 255.255.255.255 tcp 1000 500
static (inside,outside) 202.52.232.2 192.168.1.207 netmask 255.255.255.255 tcp 1000 100
static (inside,outside) 202.52.232.5 192.168.240.31 netmask 255.255.255.255 tcp 1000 100
static (inside,outside) 202.52.232.13 192.168.240.44 netmask 255.255.255.255

12. Configuring static NAT for servers placed in DMZ to be accessed from Inside zone at
their Public IP addresses :

static (dmz,inside) 202.52.232.10 192.168.100.10 netmask 255.255.255.255
static (dmz,inside) 202.52.232.4 192.168.100.13 netmask 255.255.255.255
static (dmz,inside) 202.52.232.14 192.168.100.14 netmask 255.255.255.255

13. Configuring PAT for HBL internal network (192.168.0.0/16) and DMZ network
behind ASA’s external IP address. Moreover, PAT has been configured for
192.168.0.0/16 behind IP range from DMZ network :

global (outside) 1 interface
global (dmz) 1 192.168.100.20-192.168.100.110 netmask 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.0.0 dns
nat (dmz) 1 192.168.100.0 255.255.255.0

14. Grouping host objects to be allowed DNS traffic in access-list :

object-group network DNS_Allowed
network-object host 192.168.1.22
network-object host 192.168.1.23
network-object host 192.168.1.20
network-object host 192.168.240.15
network-object host 192.168.240.36
network-object host 192.168.240.49
network-object host 192.168.1.111

15. Configuring access-list for inbound traffic (from internet) :

access-list acl_out extended permit tcp any host 202.52.232.3 eq smtp
access-list acl_out extended permit tcp any host 202.52.232.10 eq www
access-list acl_out extended permit tcp any host 202.52.232.10 eq https
access-list acl_out extended permit tcp any host 202.52.232.4 eq https
access-list acl_out extended permit tcp any host 202.52.232.6 eq https
access-list acl_out extended permit tcp any host 202.52.232.14 eq www
access-list acl_out extended permit tcp any host 202.52.232.14 eq https
access-list acl_out extended permit tcp any host 202.52.232.14 eq 8444
access-list acl_out extended permit tcp any host 202.52.232.11 eq smtp
access-list acl_out extended permit tcp any host 202.52.232.2 eq www
access-list acl_out extended permit tcp any host 202.52.232.2 eq https
access-list acl_out extended permit tcp any host 202.52.232.2 eq ssh
access-list acl_out extended permit tcp any host 202.52.232.5 eq pptp
access-list acl_out extended permit tcp host 202.52.232.8 host 202.52.232.13 eq 4899
access-list acl_out extended permit tcp host 203.200.181.155 host 202.52.232.13 eq 4899
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp any any

16. Binding the access-list acl_out to interface ‘outside’:

access-group acl_out in interface outside

17. Configuring access-list for traffic originating from DMZ :

access-list acl_dmz extended permit udp 192.168.100.0 255.255.255.0 any eq domain
access-list acl_dmz extended permit icmp any any
access-list acl_dmz extended permit tcp 192.168.100.0 255.255.255.0 any eq smtp
access-list acl_dmz extended permit tcp host 192.168.100.3 any eq www
access-list acl_dmz extended permit tcp host 192.168.100.3 any eq https
access-list acl_dmz extended permit tcp host 192.168.100.4 any eq www
access-list acl_dmz extended permit tcp host 192.168.100.4 any eq https
access-list acl_dmz extended permit tcp host 192.168.100.4 host 192.168.1.7 eq 9000
access-list acl_dmz extended permit tcp host 192.168.100.4 host 192.168.1.7 eq 9001
access-list acl_dmz extended permit tcp host 192.168.100.10 any eq www
access-list acl_dmz extended permit tcp host 192.168.100.13 any eq www
access-list acl_dmz extended permit tcp host 192.168.100.13 any eq https
access-list acl_dmz extended permit tcp host 192.168.100.13 any eq 8800
access-list acl_dmz extended permit tcp host 192.168.100.14 any eq www
access-list acl_dmz extended permit tcp host 192.168.100.14 any eq https
access-list acl_dmz extended permit tcp host 192.168.100.14 any eq 8800
access-list acl_dmz extended permit tcp host 192.168.100.111 any eq ftp
access-list acl_dmz extended permit tcp host 192.168.100.111 host 203.91.158.196 eq 8082
access-list acl_dmz extended permit tcp host 192.168.100.111 any eq www
access-list acl_dmz extended permit tcp host 192.168.100.111 any eq https
access-list acl_dmz extended permit tcp host 192.168.100.111 host 65.254.43.214 eq 2087

18. Binding the access-list acl_dmz to interface ‘dmz’:

access-group acl_dmz in interface dmz

19. Configuring access-list for outbound traffic (originating from ‘inside’ zone) :

access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 any eq smtp
access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 any eq pop3
access-list acl_in extended permit icmp 192.168.0.0 255.255.0.0 any
access-list acl_in extended permit tcp host 192.168.1.111 any eq ftp
access-list acl_in extended permit tcp any host 192.168.100.3 eq 8003
access-list acl_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 8443
access-list acl_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 8444
access-list acl_in extended permit tcp any host 192.168.100.3 eq 3389
access-list acl_in extended permit tcp any host 192.168.100.4 eq 3389
access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 any eq 1863
access-list acl_in extended permit tcp host 192.168.1.16 any eq ftp
access-list acl_in extended permit tcp host 192.168.1.49 host 202.52.232.14 eq ssh
access-list acl_in extended permit tcp host 192.168.1.7 host 202.52.232.10 eq ftp
access-list acl_in extended permit tcp host 192.168.1.36 any eq ftp
access-list acl_in extended permit tcp host 192.168.1.15 any eq ftp
access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 any eq imap4
access-list acl_in extended permit tcp host 192.168.1.15 any eq ssh
access-list acl_in extended permit tcp host 192.168.1.45 host 66.132.174.19 eq ftp
access-list acl_in extended permit tcp host 192.168.1.6 any eq www
access-list acl_in extended permit tcp host 192.168.1.6 any eq https
access-list acl_in extended permit tcp host 192.168.1.111 host 203.91.158.196 eq 8082
access-list acl_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 8082
access-list acl_in extended permit tcp host 192.168.1.34 any eq ftp
access-list acl_in extended permit tcp any host 202.52.232.4 eq ssh
access-list acl_in extended permit tcp host 192.168.1.36 host 202.52.232.14 eq ssh
access-list acl_in extended permit tcp host 192.168.1.253 host 203.153.84.26 eq ssh
access-list acl_in extended permit tcp host 192.168.1.111 any eq www
access-list acl_in extended permit tcp host 192.168.1.111 any eq https
access-list acl_in extended permit tcp host 192.168.1.111 host 65.254.43.214 eq 2087
access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 any eq 5050
access-list acl_in extended permit tcp host 192.168.6.141 host 202.52.232.10 eq ftp
access-list acl_in extended permit tcp host 192.168.1.15 host 202.52.232.10 eq ftp
access-list acl_in extended permit tcp host 192.168.1.100 host 192.168.100.4 eq 445
access-list acl_in extended permit tcp host 192.168.1.36 host 192.168.100.4 eq 445
access-list acl_in extended permit tcp host 192.168.1.207 any eq www
access-list acl_in extended permit tcp host 192.168.1.23 any eq www
access-list acl_in extended permit tcp host 192.168.1.23 any eq ftp
access-list acl_in extended permit tcp host 192.168.1.23 host 202.52.232.14 eq ssh
access-list acl_in extended permit ip host 192.168.1.15 host 202.52.232.8
access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 any eq ssh
access-list acl_in extended permit tcp host 192.168.1.15 any eq www
access-list acl_in extended permit tcp 192.168.240.0 255.255.254.0 any eq 8443
access-list acl_in extended permit tcp 192.168.240.0 255.255.254.0 any eq 8444
access-list acl_in extended permit tcp host 192.168.240.15 any eq www
access-list acl_in extended permit tcp host 192.168.240.49 host 202.52.232.14 eq ssh
access-list acl_in extended permit tcp host 192.168.240.15 any eq ftp
access-list acl_in extended permit tcp host 192.168.240.36 any eq www
access-list acl_in extended permit tcp host 192.168.240.15 any eq ssh
access-list acl_in extended permit tcp host 192.168.240.45 host 66.132.174.19 eq ftp
access-list acl_in extended permit tcp 192.168.240.0 255.255.254.0 any eq 8082
access-list acl_in extended permit tcp host 192.168.240.34 any eq ftp
access-list acl_in extended permit tcp host 192.168.240.36 host 202.52.232.14 eq ssh
access-list acl_in extended permit tcp host 192.168.240.253 host 203.153.84.26 eq ssh
access-list acl_in extended permit tcp host 192.168.240.36 host 192.168.100.4 eq 445
access-list acl_in extended permit tcp any host 192.168.100.10 eq www
access-list acl_in extended permit tcp host 192.168.240.15 host 202.52.232.8 eq 445
access-list acl_in extended permit tcp host 192.168.240.15 host 202.52.232.1 eq telnet
access-list acl_in extended permit tcp host 192.168.240.44 host 202.52.232.1 eq telnet
access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 host 192.168.100.111 eq 3128
access-list acl_in extended permit udp object-group DNS_Allowed host 202.52.255.3 eq domain
access-list acl_in extended permit udp object-group DNS_Allowed host 202.52.255.47 eq domain
access-list acl_in extended permit tcp object-group DNS_Allowed host 202.52.255.47 eq domain
access-list acl_in extended permit tcp object-group DNS_Allowed host 202.52.255.3 eq domain
access-list acl_in extended permit tcp host 192.168.240.44 any eq www
access-list acl_in extended permit tcp any host 192.168.100.111 eq www
access-list acl_in extended permit udp any any eq domain
access-list acl_in extended permit icmp any any
access-list acl_in extended permit tcp any any eq www
access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 host 202.52.232.10 eq www
access-list acl_in extended permit tcp any any eq https
access-list acl_in extended permit tcp host 192.168.240.111 any eq ftp
access-list acl_in extended permit tcp host 192.168.240.111 host 203.91.158.196 eq 8082
access-list acl_in extended permit tcp host 192.168.240.111 any eq www
access-list acl_in extended permit tcp host 192.168.240.111 any eq https
access-list acl_in extended permit tcp host 192.168.240.111 host 65.254.43.214 eq 2087

20. Binding the access-list acl_in to interface ‘inside’:

access-group acl_in in interface inside

21. Allowing telnet from hosts in ‘inside’ zone :

telnet 192.168.98.15 255.255.255.255 inside
telnet 192.168.0.0 255.255.0.0 inside

22. Allowing ssh from hosts in ‘inside’ zone :

ssh 192.168.240.15 255.255.255.255 inside
ssh 192.168.240.44 255.255.255.255 inside
ssh 192.168.98.0 255.255.255.0 inside

23. Configuring access-list for identifying traffic to be sent to CSC-SSM module for
scanning:

access-list CSM_TF_ACL_acl_csc__1 extended permit tcp any any eq www
access-list CSM_TF_ACL_acl_csc__1 extended permit tcp any any eq https
access-list CSM_TF_ACL_acl_csc__1 extended permit tcp any 202.52.232.0 255.255.255.240 eq smtp
access-list CSM_TF_ACL_acl_csc__1 extended permit tcp any 202.52.232.0 255.255.255.240 eq pop3

24. Configuring the class map, policy map and service policy for sending http, https, smtp
and pop3 traffic to the CSC-SSM module for scanning. Note in the policy-map configuration
that the CSC module has been configured in fail-open mode, which means that if the CSC
module fails for any reason, traffic bypasses CSC scanning :

class-map HBL_class
description Specifying traffic class
match access-list CSM_TF_ACL_acl_csc__1
!
!
policy-map CSM_POLICY_MAP_global_1
class HBL_class
csc fail-open
!
service-policy CSM_POLICY_MAP_global_1 global
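As an added example (not part of this document or of HBL's configuration), the following Python script audits access-list entries of the kind shown in steps 15 to 20 and flags the fail-open CSC policy of step 24. It assumes the ASA 7.x "access-list NAME extended ..." syntax used above; the configuration sample embedded in it is constructed from lines in this document, and the function and finding names are the example's own.

```python
"""Audit ASA 7.x access-list entries and the CSC service policy.

Parses 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]'
lines and reports: entries that permit any-to-any traffic, entries shadowed by an
earlier broader entry in the same ACL (the ASA stops at the first match, so the
later entry never fires), entries that permit clear-text protocols, and a
'csc fail-open' action in a policy map.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of this document's ASA configuration, in the
# original order, followed by the internal ASA's acl_lan entries.
SAMPLE_CONFIG = """\
access-list acl_out extended permit tcp any host 202.52.232.3 eq smtp
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp any any
access-list acl_in extended permit tcp host 192.168.240.15 host 202.52.232.1 eq telnet
access-list acl_in extended permit udp object-group DNS_Allowed host 202.52.255.3 eq domain
access-list acl_in extended permit tcp any any eq www
access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 host 202.52.232.10 eq www
access-list acl_in extended permit tcp any any eq https
access-list acl_lan extended permit icmp any any
access-list acl_lan extended permit ip any any
policy-map CSM_POLICY_MAP_global_1
 class HBL_class
  csc fail-open
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
CLEARTEXT_PORTS = {"telnet", "ftp"}  # credentials cross the wire unencrypted


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network]  # None when given as an object-group
    dst: Optional[ipaddress.IPv4Network]
    rest: Tuple[str, ...]                 # e.g. ('eq', 'www') or ('echo-reply',)
    line: str

    @property
    def port(self) -> Optional[str]:
        return self.rest[1] if len(self.rest) == 2 and self.rest[0] == "eq" else None


def _parse_addr(tok: List[str], i: int):
    """Consume one ASA address operand at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "object-group":
        return None, i + 2  # members are defined elsewhere; treated as opaque
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2  # NETWORK MASK form


def parse_config(text: str) -> List[Ace]:
    aces = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        src, i = _parse_addr(tok, 5)
        dst, i = _parse_addr(tok, i)
        aces.append(Ace(tok[1], tok[3], tok[4], src, dst, tuple(tok[i:]), raw))
    return aces


def covers(a: Ace, b: Ace) -> bool:
    """True when every packet matched by b is also matched by the earlier entry a
    (regardless of action: a deny above a permit hides it just the same)."""
    if a.acl != b.acl or None in (a.src, a.dst, b.src, b.dst):
        return False
    if a.proto != "ip" and a.proto != b.proto:
        return False
    if a.rest and a.rest != b.rest:  # a port or ICMP-type qualifier narrows a
        return False
    return b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)


def find_shadowed(aces: List[Ace]) -> List[Tuple[Ace, Ace]]:
    """(later entry, earlier entry that hides it); list order is evaluation order."""
    out = []
    for j, b in enumerate(aces):
        for a in aces[:j]:
            if covers(a, b):
                out.append((b, a))
                break
    return out


def audit(text: str) -> Dict[str, List[str]]:
    aces = parse_config(text)
    return {
        "any_to_any": [a.line for a in aces
                       if a.action == "permit" and a.src == ANY and a.dst == ANY],
        "shadowed": [f"{b.line}  <- hidden by: {a.line}" for b, a in find_shadowed(aces)],
        "cleartext": [a.line for a in aces
                      if a.action == "permit" and a.port in CLEARTEXT_PORTS],
        "csc_fail_open": [l.strip() for l in text.splitlines() if l.strip() == "csc fail-open"],
    }


if __name__ == "__main__":
    for kind, lines in audit(SAMPLE_CONFIG).items():
        print(f"[{kind}] {len(lines)} finding(s)")
        for line in lines:
            print("   ", line)
```

Run against a full "show running-config" capture, the same functions report which of the narrow per-host entries in acl_in are made redundant by the later "tcp any any eq www" and "eq https" entries, and whether the fail-open setting is still in place.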

The external ASA5510 firewall is currently running with the following configuration :

sh run
: Saved
:
ASA Version 7.1(2)
!
hostname hbl-external
domain-name hbl.com.np
enable password bQq0fYDkRAt.aWco encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 202.52.232.12 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.240.40 255.255.254.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.100.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only

!
passwd bQq0fYDkRAt.aWco encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name hbl.com.np
object-group network DNS_Allowed
network-object host 192.168.1.22
network-object host 192.168.1.23
network-object host 192.168.1.20
network-object host 192.168.240.15
network-object host 192.168.240.36
network-object host 192.168.240.49
network-object host 192.168.1.111
access-list acl_out extended permit tcp any host 202.52.232.3 eq smtp
access-list acl_out extended permit tcp any host 202.52.232.10 eq www
access-list acl_out extended permit tcp any host 202.52.232.10 eq https
access-list acl_out extended permit tcp any host 202.52.232.4 eq https
access-list acl_out extended permit tcp any host 202.52.232.6 eq https
access-list acl_out extended permit tcp any host 202.52.232.14 eq www
access-list acl_out extended permit tcp any host 202.52.232.14 eq https
access-list acl_out extended permit tcp any host 202.52.232.14 eq 8444
access-list acl_out extended permit tcp any host 202.52.232.11 eq smtp
access-list acl_out extended permit tcp any host 202.52.232.2 eq www
access-list acl_out extended permit tcp any host 202.52.232.2 eq https
access-list acl_out extended permit tcp any host 202.52.232.2 eq ssh
access-list acl_out extended permit tcp any host 202.52.232.5 eq pptp
access-list acl_out extended permit tcp host 202.52.232.8 host 202.52.232.13 eq 4899
access-list acl_out extended permit tcp host 203.200.181.155 host 202.52.232.13 eq 4899
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp any any
access-list acl_dmz extended permit udp 192.168.100.0 255.255.255.0 any eq domain
access-list acl_dmz extended permit icmp any any
access-list acl_dmz extended permit tcp 192.168.100.0 255.255.255.0 any eq smtp
access-list acl_dmz extended permit tcp host 192.168.100.3 any eq www
access-list acl_dmz extended permit tcp host 192.168.100.3 any eq https
access-list acl_dmz extended permit tcp host 192.168.100.4 any eq www
access-list acl_dmz extended permit tcp host 192.168.100.4 any eq https
access-list acl_dmz extended permit tcp host 192.168.100.4 host 192.168.1.7 eq 9000
access-list acl_dmz extended permit tcp host 192.168.100.4 host 192.168.1.7 eq 9001
access-list acl_dmz extended permit tcp host 192.168.100.10 any eq www
access-list acl_dmz extended permit tcp host 192.168.100.13 any eq www
access-list acl_dmz extended permit tcp host 192.168.100.13 any eq https
access-list acl_dmz extended permit tcp host 192.168.100.13 any eq 8800
access-list acl_dmz extended permit tcp host 192.168.100.14 any eq www
access-list acl_dmz extended permit tcp host 192.168.100.14 any eq https
access-list acl_dmz extended permit tcp host 192.168.100.14 any eq 8800
access-list acl_dmz extended permit tcp host 192.168.100.111 any eq ftp
access-list acl_dmz extended permit tcp host 192.168.100.111 host 203.91.158.196 eq 8082
access-list acl_dmz extended permit tcp host 192.168.100.111 any eq www
access-list acl_dmz extended permit tcp host 192.168.100.111 any eq https
access-list acl_dmz extended permit tcp host 192.168.100.111 host 65.254.43.214 eq 2087
access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 any eq smtp
access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 any eq pop3
access-list acl_in extended permit icmp 192.168.0.0 255.255.0.0 any
access-list acl_in extended permit tcp host 192.168.1.111 any eq ftp
access-list acl_in extended permit tcp any host 192.168.100.3 eq 8003

access-list acl_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 8443
access-list acl_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 8444
access-list acl_in extended permit tcp any host 192.168.100.3 eq 3389
access-list acl_in extended permit tcp any host 192.168.100.4 eq 3389
access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 any eq 1863
access-list acl_in extended permit tcp host 192.168.1.16 any eq ftp
access-list acl_in extended permit tcp host 192.168.1.49 host 202.52.232.14 eq ssh
access-list acl_in extended permit tcp host 192.168.1.7 host 202.52.232.10 eq ftp
access-list acl_in extended permit tcp host 192.168.1.36 any eq ftp
access-list acl_in extended permit tcp host 192.168.1.15 any eq ftp
access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 any eq imap4
access-list acl_in extended permit tcp host 192.168.1.15 any eq ssh
access-list acl_in extended permit tcp host 192.168.1.45 host 66.132.174.19 eq ftp
access-list acl_in extended permit tcp host 192.168.1.6 any eq www
access-list acl_in extended permit tcp host 192.168.1.6 any eq https
access-list acl_in extended permit tcp host 192.168.1.111 host 203.91.158.196 eq 8082
access-list acl_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 8082
access-list acl_in extended permit tcp host 192.168.1.34 any eq ftp
access-list acl_in extended permit tcp any host 202.52.232.4 eq ssh
access-list acl_in extended permit tcp host 192.168.1.36 host 202.52.232.14 eq ssh
access-list acl_in extended permit tcp host 192.168.1.253 host 203.153.84.26 eq ssh
access-list acl_in extended permit tcp host 192.168.1.111 any eq www
access-list acl_in extended permit tcp host 192.168.1.111 any eq https
access-list acl_in extended permit tcp host 192.168.1.111 host 65.254.43.214 eq 2087
access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 any eq 5050
access-list acl_in extended permit tcp host 192.168.6.141 host 202.52.232.10 eq ftp
access-list acl_in extended permit tcp host 192.168.1.15 host 202.52.232.10 eq ftp
access-list acl_in extended permit tcp host 192.168.1.100 host 192.168.100.4 eq 445
access-list acl_in extended permit tcp host 192.168.1.36 host 192.168.100.4 eq 445
access-list acl_in extended permit tcp host 192.168.1.207 any eq www
access-list acl_in extended permit tcp host 192.168.1.23 any eq www
access-list acl_in extended permit tcp host 192.168.1.23 any eq ftp
access-list acl_in extended permit tcp host 192.168.1.23 host 202.52.232.14 eq ssh
access-list acl_in extended permit ip host 192.168.1.15 host 202.52.232.8
access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 any eq ssh
access-list acl_in extended permit tcp host 192.168.1.15 any eq www
access-list acl_in extended permit tcp 192.168.240.0 255.255.254.0 any eq 8443
access-list acl_in extended permit tcp 192.168.240.0 255.255.254.0 any eq 8444
access-list acl_in extended permit tcp host 192.168.240.15 any eq www
access-list acl_in extended permit tcp host 192.168.240.49 host 202.52.232.14 eq ssh
access-list acl_in extended permit tcp host 192.168.240.15 any eq ftp
access-list acl_in extended permit tcp host 192.168.240.36 any eq www
access-list acl_in extended permit tcp host 192.168.240.15 any eq ssh
access-list acl_in extended permit tcp host 192.168.240.45 host 66.132.174.19 eq ftp
access-list acl_in extended permit tcp 192.168.240.0 255.255.254.0 any eq 8082
access-list acl_in extended permit tcp host 192.168.240.34 any eq ftp
access-list acl_in extended permit tcp host 192.168.240.36 host 202.52.232.14 eq ssh
access-list acl_in extended permit tcp host 192.168.240.253 host 203.153.84.26 eq ssh
access-list acl_in extended permit tcp host 192.168.240.36 host 192.168.100.4 eq 445
access-list acl_in extended permit tcp any host 192.168.100.10 eq www
access-list acl_in extended permit tcp host 192.168.240.15 host 202.52.232.8 eq 445
access-list acl_in extended permit tcp host 192.168.240.15 host 202.52.232.1 eq telnet
access-list acl_in extended permit tcp host 192.168.240.44 host 202.52.232.1 eq telnet
access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 host 192.168.100.111 eq 3128
access-list acl_in extended permit udp object-group DNS_Allowed host 202.52.255.3 eq domain
access-list acl_in extended permit udp object-group DNS_Allowed host 202.52.255.47 eq domain

access-list acl_in extended permit tcp object-group DNS_Allowed host 202.52.255.47 eq domain
access-list acl_in extended permit tcp object-group DNS_Allowed host 202.52.255.3 eq domain
access-list acl_in extended permit tcp host 192.168.240.44 any eq www
access-list acl_in extended permit tcp any host 192.168.100.111 eq www
access-list acl_in extended permit udp any any eq domain
access-list acl_in extended permit icmp any any
access-list acl_in extended permit tcp any any eq www
access-list acl_in extended permit tcp 192.168.0.0 255.255.0.0 host 202.52.232.10 eq www
access-list acl_in extended permit tcp any any eq https
access-list acl_in extended permit tcp host 192.168.240.111 any eq ftp
access-list acl_in extended permit tcp host 192.168.240.111 host 203.91.158.196 eq 8082
access-list acl_in extended permit tcp host 192.168.240.111 any eq www
access-list acl_in extended permit tcp host 192.168.240.111 any eq https
access-list acl_in extended permit tcp host 192.168.240.111 host 65.254.43.214 eq 2087
access-list CSM_TF_ACL_acl_csc__1 extended permit tcp any any eq www
access-list CSM_TF_ACL_acl_csc__1 extended permit tcp any any eq https
access-list CSM_TF_ACL_acl_csc__1 extended permit tcp any 202.52.232.0 255.255.255.240 eq smtp
access-list CSM_TF_ACL_acl_csc__1 extended permit tcp any 202.52.232.0 255.255.255.240 eq pop3
pager lines 25
logging enable
logging timestamp
logging trap notifications
logging host inside 192.168.98.15
mtu outside 1500
mtu inside 1500
mtu dmz 1500
asdm image disk0:/asdm512-k8.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 192.168.100.20-192.168.100.110 netmask 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.0.0 dns
nat (dmz) 1 192.168.100.0 255.255.255.0
static (dmz,outside) 202.52.232.3 192.168.100.3 netmask 255.255.255.255 tcp 1000 400
static (inside,dmz) 192.168.100.201 192.168.1.33 netmask 255.255.255.255 tcp 1000 100
static (inside,outside) 202.52.232.6 192.168.1.33 netmask 255.255.255.255 tcp 1000 500
static (inside,dmz) 192.168.100.206 192.168.1.48 netmask 255.255.255.255 tcp 2 5
static (dmz,outside) 202.52.232.11 192.168.100.2 netmask 255.255.255.255
static (inside,dmz) 192.168.1.7 192.168.1.7 netmask 255.255.255.255
static (inside,outside) 202.52.232.2 192.168.1.207 netmask 255.255.255.255 tcp 1000 100
static (dmz,outside) 202.52.232.14 192.168.100.14 netmask 255.255.255.255 tcp 1000 1000
static (dmz,outside) 202.52.232.4 192.168.100.13 netmask 255.255.255.255 tcp 1000 1000
static (inside,outside) 202.52.232.5 192.168.240.31 netmask 255.255.255.255 tcp 1000 100
static (inside,outside) 202.52.232.13 192.168.240.44 netmask 255.255.255.255
static (dmz,inside) 202.52.232.10 192.168.100.10 netmask 255.255.255.255
static (dmz,outside) 202.52.232.10 192.168.100.10 netmask 255.255.255.255
static (dmz,inside) 202.52.232.4 192.168.100.13 netmask 255.255.255.255
static (dmz,inside) 202.52.232.14 192.168.100.14 netmask 255.255.255.255
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 202.52.232.1 1
route inside 192.168.0.0 255.255.0.0 192.168.240.1 1
timeout xlate 3:00:00

timeout conn 0:05:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password nMs6Vb93d.LA6IpX encrypted privilege 15
username mars password 3xUK.EMIiHZRC2o/ encrypted privilege 15
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.98.15 255.255.255.255 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 192.168.240.15 255.255.255.255 inside
ssh 192.168.240.44 255.255.255.255 inside
ssh 192.168.98.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
!
class-map HBL_class
description Specifying traffic class
match access-list CSM_TF_ACL_acl_csc__1
!
!
policy-map CSM_POLICY_MAP_global_1
class HBL_class
csc fail-open
!
service-policy CSM_POLICY_MAP_global_1 global
tftp-server inside 192.168.240.44 External_ASA_Backup
Cryptochecksum:65bbd04bb5d46b4494898059320e1789
: end
hbl-external#

Configuration details of internal ASA5510:

The configuration details of the internal ASA5510 are explained below.

1. Configuring the hostname and domain name of the firewall :

hostname hbl-internal
domain-name hbl.com.np

2. Setting the password for logging into the privileged mode:

enable password bQq0fYDkRAt.aWco encrypted

3. Command for specifying the telnet password.

passwd bQq0fYDkRAt.aWco encrypted

4. Commands specifying the name, IP address and security level of the Ethernet 0/0
Interface :

interface Ethernet0/0
nameif wan_zone
security-level 0
ip address 10.1.10.10 255.255.255.252

5. Commands specifying the name, IP address and security level of the Ethernet 0/1
Interface :

interface Ethernet0/1
nameif lan_zone
security-level 99
ip address 10.1.10.13 255.255.255.252

6. Commands specifying the name, IP address and security level of the Ethernet 0/2
Interface :

interface Ethernet0/2
nameif server_zone
security-level 100
ip address 192.168.1.1 255.255.255.0

7. Setting core L3 switch(DC SA)’s IP address as default gateway :

route lan_zone 0.0.0.0 0.0.0.0 10.1.10.14 1

8. Commands to add static routes :

route wan_zone 172.20.1.0 255.255.255.0 10.1.10.9 1
route wan_zone 10.0.0.0 255.0.0.0 10.1.10.9 1
route wan_zone 192.168.0.0 255.255.0.0 10.1.10.9 1
route lan_zone 192.168.240.0 255.255.254.0 10.1.10.14 1
route lan_zone 192.168.98.0 255.255.255.0 10.1.10.14 1
route lan_zone 192.168.0.0 255.255.255.0 10.1.10.14 1
route lan_zone 192.168.99.0 255.255.255.0 10.1.10.14 1
route lan_zone 192.168.100.0 255.255.255.0 10.1.10.14 1
route lan_zone 192.168.200.0 255.255.255.0 10.1.10.14 1
route lan_zone 192.168.95.0 255.255.255.0 10.1.10.14 1

9. Configuring NAT bypass for all traffic passing through internal ASA :

access-list acl_bypass extended permit ip any any
nat (lan_zone) 0 access-list acl_bypass
nat (server_zone) 0 access-list acl_bypass

10. Configuring access-list for traffic originating from the LAN zone (during
implementation, it was decided by HBL that the access list would be fine-tuned after a
detailed study of the day-to-day valid traffic flow, to be done by HBL) :

access-list acl_lan extended permit icmp any any
access-list acl_lan extended permit ip any any

11. Binding the access-list acl_lan to interface ‘lan_zone’:

access-group acl_lan in interface lan_zone

12. Configuring access-list for traffic originating from WAN :

access-list acl_wan extended permit ip any any
access-list acl_wan extended permit icmp any any

13. Binding the access-list acl_wan to interface ‘wan_zone’:

access-group acl_wan in interface wan_zone

14. Configuring access-list for traffic originating from the server zone (the ‘inside’ of the
internal ASA) :

access-list acl_server extended permit ip any any
access-list acl_server extended permit icmp any any

15. Binding the access-list acl_server to interface ‘server_zone’:

access-group acl_server in interface server_zone

16. Allowing telnet from hosts in LAN zone :

telnet 192.168.98.0 255.255.255.0 lan_zone
telnet 192.168.240.0 255.255.254.0 lan_zone

17. Allowing ssh from hosts in LAN zone :

ssh 192.168.240.15 255.255.255.255 lan_zone
ssh 192.168.240.44 255.255.255.255 lan_zone
ssh 192.168.98.0 255.255.255.0 lan_zone

18. Configuring access-list for identifying traffic to be sent to CSC-SSM module for
scanning:

access-list CSM_TF_ACL_acl_csc_1__1 extended permit tcp any any eq www
access-list CSM_TF_ACL_acl_csc_1__1 extended permit tcp any any eq ftp
access-list CSM_TF_ACL_acl_csc_1__1 extended permit tcp any any eq smtp
access-list CSM_TF_ACL_acl_csc_1__1 extended permit tcp any any eq pop3

19. Configuring class map, policy map and service policy for sending http, ftp, smtp and
pop3 traffic to the CSC-SSM module for scanning. Notice in the policy-map configuration that
the CSC module has been configured in fail-open mode, which means that if the CSC module
fails for any reason, traffic bypasses CSC scanning :

class-map HBL_class
description Specifying traffic class
match access-list CSM_TF_ACL_acl_csc_1__1
!
!
policy-map CSM_POLICY_MAP_global_1
class HBL_class
csc fail-open
!
service-policy CSM_POLICY_MAP_global_1 global

The internal ASA5510 firewall is currently running with the following configuration :

sh run
: Saved
:
ASA Version 7.1(2)
!
hostname hbl-internal
domain-name hbl.com.np
enable password bQq0fYDkRAt.aWco encrypted
names
!
interface Ethernet0/0
nameif wan_zone
security-level 0
ip address 10.1.10.10 255.255.255.252
!
interface Ethernet0/1
nameif lan_zone
security-level 99
ip address 10.1.10.13 255.255.255.252
!
interface Ethernet0/2
nameif server_zone
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd bQq0fYDkRAt.aWco encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name hbl.com.np
access-list acl_lan extended permit icmp any any
access-list acl_lan extended permit ip any any
access-list acl_wan extended deny ip any host 192.168.95.4
access-list acl_wan extended permit ip any any
access-list acl_wan extended permit icmp any any
access-list acl_bypass extended permit ip any any
access-list acl_server extended permit ip any any
access-list acl_server extended permit icmp any any
access-list CSM_TF_ACL_acl_csc_1__1 extended permit tcp any any eq www
access-list CSM_TF_ACL_acl_csc_1__1 extended permit tcp any any eq ftp
access-list CSM_TF_ACL_acl_csc_1__1 extended permit tcp any any eq smtp
access-list CSM_TF_ACL_acl_csc_1__1 extended permit tcp any any eq pop3
pager lines 100
logging enable
logging timestamp
logging trap notifications
logging host lan_zone 192.168.98.15
mtu wan_zone 1500
mtu lan_zone 1500
mtu server_zone 1500
asdm image disk0:/asdm512-k8.bin
asdm history enable
arp timeout 14400
nat (lan_zone) 0 access-list acl_bypass
nat (server_zone) 0 access-list acl_bypass
access-group acl_wan in interface wan_zone
access-group acl_lan in interface lan_zone
access-group acl_server in interface server_zone
route wan_zone 172.20.1.0 255.255.255.0 10.1.10.9 1
route wan_zone 10.0.0.0 255.0.0.0 10.1.10.9 1
route wan_zone 192.168.0.0 255.255.0.0 10.1.10.9 1
route lan_zone 192.168.240.0 255.255.254.0 10.1.10.14 1
route lan_zone 192.168.98.0 255.255.255.0 10.1.10.14 1
route lan_zone 192.168.0.0 255.255.255.0 10.1.10.14 1
route lan_zone 192.168.99.0 255.255.255.0 10.1.10.14 1
route lan_zone 192.168.100.0 255.255.255.0 10.1.10.14 1
route lan_zone 192.168.200.0 255.255.255.0 10.1.10.14 1
route lan_zone 0.0.0.0 0.0.0.0 10.1.10.14 1
route lan_zone 192.168.95.0 255.255.255.0 10.1.10.14 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password nMs6Vb93d.LA6IpX encrypted privilege 15
http server enable
http 192.168.98.0 255.255.255.0 lan_zone
http 192.168.240.0 255.255.254.0 lan_zone
http 192.168.0.0 255.255.0.0 lan_zone
http 192.168.0.0 255.255.0.0 server_zone
http 192.168.1.0 255.255.255.0 server_zone
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.98.0 255.255.255.0 lan_zone
telnet 192.168.240.0 255.255.254.0 lan_zone
telnet timeout 5
ssh 192.168.240.15 255.255.255.255 lan_zone
ssh 192.168.240.44 255.255.255.255 lan_zone
ssh 192.168.98.0 255.255.255.0 lan_zone
ssh timeout 5
ssh version 2
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map HBL_class_1
description specifying traffic class
match access-list CSM_TF_ACL_acl_csc_1__1
!
!
policy-map CSM_POLICY_MAP_global_1
class HBL_class_1
csc fail-open
!
service-policy CSM_POLICY_MAP_global_1 global
Cryptochecksum:4e3b825a4edd4f883db7b33beb64401d
: end
hbl-internal(config)#
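The running configuration above is what a reviewer actually audits, and several of its properties are worth checking mechanically rather than by eye: interface ACLs that still permit ip any any (the interim state noted in step 10), telnet management access in the clear, whether ssh version 2 is enforced, the fail-open decision for the CSC module, and class-map or access-group statements that name an ACL which is never defined (a typo there leaves the CSC policy matching nothing, silently). The script below is an added example, not part of this HBL document and not HCL's or Cisco's tooling: it parses an ASA 'show run' excerpt and returns findings. SAMPLE_CONFIG is a constructed excerpt modelled on the hbl-internal configuration above with password lines omitted and one deliberately misspelled ACL reference; the function names and finding codes (OPEN_ACL, DANGLING_ACL, TELNET_ENABLED, SSH_V1_ALLOWED, CSC_FAIL_OPEN, NO_SYSLOG_HOST) are this example's own naming.

```python
"""Audit an ASA 7.x 'show run' excerpt for: ACLs that permit ip any any, cleartext
telnet, ssh version, the CSC fail-open choice, and ACL names referenced but never
defined.  Added example, not the project's own tooling; SAMPLE_CONFIG is a constructed
excerpt (sub-mode lines indented by one space, as 'show run' prints them)."""
from collections import defaultdict

SAMPLE_CONFIG = """\
access-list acl_lan extended permit icmp any any
access-list acl_lan extended permit ip any any
access-list acl_wan extended deny ip any host 192.168.95.4
access-list acl_wan extended permit ip any any
access-list acl_server extended permit ip any any
access-list CSM_TF_ACL_acl_csc_1__1 extended permit tcp any any eq www
logging host lan_zone 192.168.98.15
access-group acl_wan in interface wan_zone
access-group acl_lan in interface lan_zone
access-group acl_server in interface server_zone
telnet 192.168.98.0 255.255.255.0 lan_zone
ssh 192.168.240.15 255.255.255.255 lan_zone
ssh version 2
class-map HBL_class
 match access-list CSM_TF_ACL_acl_csc__1
policy-map CSM_POLICY_MAP_global_1
 class HBL_class
  csc fail-open
service-policy CSM_POLICY_MAP_global_1 global
"""


def _addr(tokens, i):
    # Consume one ASA address spec at tokens[i]: any | host X | NET MASK
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return tokens[i] + " " + tokens[i + 1], i + 2


def parse_config(text):
    """Extract the statements the checks need from a line-oriented ASA config."""
    cfg = {"acls": defaultdict(list), "access_groups": {}, "class_maps": {},
           "telnet": [], "ssh": [], "ssh_version": None, "syslog": [], "csc": []}
    mode = cls = None  # enclosing class-map/policy-map, and the class within it
    for raw in text.splitlines():
        if not raw.strip() or raw[0] in "!:":
            continue
        p = raw.split()
        if raw[0] != " ":  # a top-level statement ends any sub-mode
            mode = cls = None
            if p[0] == "access-list" and p[2] == "extended":
                src, i = _addr(p, 5)
                dst, _ = _addr(p, i)
                cfg["acls"][p[1]].append((p[3], p[4], src, dst))
            elif p[0] == "access-group":
                cfg["access_groups"][p[4]] = p[1]
            elif p[0] in ("telnet", "ssh") and len(p) == 4:
                cfg[p[0]].append(tuple(p[1:]))
            elif p[:2] == ["ssh", "version"]:
                cfg["ssh_version"] = p[2]
            elif p[:2] == ["logging", "host"]:
                cfg["syslog"].append(p[3])
            elif p[0] in ("class-map", "policy-map"):
                mode = (p[0], p[1])
        elif mode and mode[0] == "class-map" and p[:2] == ["match", "access-list"]:
            cfg["class_maps"][mode[1]] = p[2]
        elif mode and mode[0] == "policy-map" and p[0] == "class":
            cls = p[1]
        elif mode and mode[0] == "policy-map" and p[0] == "csc":
            cfg["csc"].append((mode[1], cls, p[1] if len(p) > 1 else ""))
    return cfg


def audit(text):
    """Return (code, detail) findings for review; nothing on the device is changed."""
    cfg = parse_config(text)
    out = []
    for iface, acl in sorted(cfg["access_groups"].items()):
        denies = 0
        for action, proto, src, dst in cfg["acls"].get(acl, []):
            if action == "deny":
                denies += 1
            elif (proto, src, dst) == ("ip", "any", "any"):
                out.append(("OPEN_ACL", f"{acl} on {iface} permits ip any any after {denies} deny entries"))
                break
    refs = [(f"access-group on {i}", a) for i, a in cfg["access_groups"].items()]
    refs += [(f"class-map {c}", a) for c, a in cfg["class_maps"].items()]
    for where, acl in refs:
        if acl not in cfg["acls"]:
            out.append(("DANGLING_ACL", f"{where} references undefined ACL {acl}"))
    for net, mask, iface in cfg["telnet"]:
        out.append(("TELNET_ENABLED", f"cleartext telnet from {net} {mask} on {iface}"))
    if cfg["ssh"] and cfg["ssh_version"] != "2":
        out.append(("SSH_V1_ALLOWED", "ssh version 2 is not enforced"))
    for pm, cls, fail in cfg["csc"]:
        if fail == "fail-open":
            out.append(("CSC_FAIL_OPEN", f"{pm}/{cls}: traffic bypasses scanning if the CSC module fails"))
    if not cfg["syslog"]:
        out.append(("NO_SYSLOG_HOST", "no logging host configured"))
    return out
```

Calling audit(SAMPLE_CONFIG) returns six findings for the excerpt: three OPEN_ACL entries (acl_wan is reported with one deny entry ahead of its permit ip any any, the other two with none), one DANGLING_ACL for the misspelled class-map reference, one TELNET_ENABLED and one CSC_FAIL_OPEN; ssh version 2 and the syslog host produce nothing. The fail-open finding is not a defect as such, since the document records it as a deliberate availability choice; the point of listing it is that the decision stays visible each time the configuration is reviewed.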

Configuration details of CSC-SSM module in the firewall :

As already discussed, both firewalls have an inbuilt CSC-SSM module providing content
scanning of http, https, ftp, smtp and pop3 traffic for viruses, spyware, worms, spam and other
malware. The ASA must first be configured to send all relevant traffic to the CSC-SSM module for
scanning, which has already been explained in the ASA configuration. The configuration details of
the CSC module are explained below.

1. Open the CSC-SSM GUI in a browser using https://[CSC-SSM IP address]:8443 and
log in. The summary page appears as shown.

2. Configure scan settings for incoming mail (SMTP) as shown below. Here
incoming mails are those destined for the internal domain, for example
“hbl.com.np”.

3. Configure the scan action for incoming mail (SMTP) as shown below. The first action
has been set to clean the malware from the mail; if the first action fails, the
mail will be deleted. Any kind of spyware/grayware will be deleted.

4. Perform the same scan setting and action for outgoing mails also.

5. Configuring anti-spam settings for SMTP as shown below.

6. Configuring the action to be taken if mails (SMTP) are detected as spam.

7. Performing anti-spam settings based on NRS (Network Reputation Service) using the RBL
service.

8. Configuring action settings for NRS (Network Reputation Service).

9. Configuring content scan settings for POP3 traffic is shown below.

10. Configuring the scan action for POP3 traffic.

11. Configuring anti-spam settings for POP3 traffic.

12. Configuring the action to be taken if spam is detected in POP3 traffic.

13. Configuring the action to be taken if spam is detected in POP3 traffic.

14. Configuring content filtering settings for POP3 traffic.

15. Configuring the content filtering action for POP3 traffic.

16. Configuring scan settings for http traffic passing through the CSC-SSM module.

17. Configuring the scan action for http traffic passing through the CSC-SSM module.

18. Configuring scan settings for ftp traffic passing through the CSC-SSM module.

19. Configuring the scan action for ftp traffic passing through the CSC-SSM module.

20. Scheduling automatic updates for the various components.

21. Configuring proxy server settings to be used by CSC-SSM for component updates.

22. Specify the DNS servers’ IP addresses to be used by CSC-SSM.

23. Configure the notification settings to be used by CSC-SSM for sending notifications as
configured.

Cisco Security Manager Installation

Cisco Security Manager is the software to manage the ASA and IPS/IDS modules and
HIPS instances. In collaboration with Cisco Security MARS, Cisco Security Manager
provides network threat mitigation. Together, Cisco Security Manager and Cisco Security
MARS provide access to network and security status while maintaining visibility into
configured firewall, VPN, and IPS policies. Cisco Security Manager provides superior
day-to-day security management control and visibility into firewall rule analysis and
optimization, VPN configuration, and IPS signature management. Cisco Security
Manager enables administrators to configure policies for Cisco ASA 5500 Series
appliances and Cisco PIX appliances, effectively manage IPS solution-based
configuration and update policies for Cisco IPS 4200 Series sensors that support Cisco
IPS Sensor Software Versions 5.1 and 6.0.

CSM has three parts – CSM server, CSM Client and IEV Server.

The CSM Server is installed with the software downloaded or procured on the OEM CD.
When the installation CD is run, CSM asks for certain parameters such as the
location for the installation files, the components to be installed, etc. The
default settings should be used during the CSM installation. CSM installs Microsoft SQL Server
as the database automatically. The administrative password is to be provided when asked
for.

The installation steps are shown below:

1. Run the installation CD. The following screen appears.

2. On the screen below, click on ‘Next’ to proceed with the installation.

3. Accept the license agreement and proceed.

4. Select the destination folder for installation.

5. Select the components to be installed as shown.

6. Locate the license file.

7. Specify the password for admin account.

8. Specify System Identity Account password. It is suggested to keep the same
password as admin password.

9. On the screen below, click on ‘Yes’ to proceed.

10. Verify the settings and click on ‘Next’.

11. Click on ‘Finish’ and restart the server to complete the installation.

Post installation tasks

After the installation of the CSM Server, shortcuts for launching the CSM web console are
created in the Programs folder. The CSM web console looks like the following.
Log in using the user name ‘admin’ and the password created during installation.

Once logged in with the username and the password provided during installation, the
console will look as below :

Click on ‘Cisco Security Manager Client Installer’ and save the installer locally.

Run the saved client installer file. (The client can be installed on any host machine.)

Click on ‘Next’ to proceed.

Choose the communication protocol. By default, HTTPS is selected.

Specify the location for the client installation.

Verify the information provided and click on ‘Next’ to proceed.

The installation progress screen appears.

Select the CSM client and click on ‘Next’.

Click on ‘Finish’ to finish the installation.

After the installation of the client is finished, launch the CSM client. Log on to the CSM
client using the CSM server name/IP address, the user ID ‘admin’ and the password for the CSM
Server.

Add all the devices that you want to manage from CSM, for example, the ASA and IDS/IPS
sensors. Right-click the ‘All’ group and select the ‘New Device…’ option as shown below, or
click ‘File > New > Device’ to add the ASA firewall and IPS module. The dialog box
for adding device(s) to the CSM console appears as shown below :

The following window appears. Select the ‘Add Device From Network’ option and click
‘Next’.

Specify the device specifications as shown.

Provide the user name and passwords configured on the device, as shown.

If groups were created earlier, place the device in the appropriate group. Since the number of
devices is small, they have not been grouped; click ‘Finish’.

The device is discovered and added to the CSM console. (Notice that the ASA has been
discovered with a warning. The warning appears as, by default, ‘alias’ commands are not
supported by CSM. This can be ignored as ‘alias’ commands have been removed from
the ASA configuration.)

The device appears in CSM console with all its policies discovered as shown below.
Now, CSM can be used to modify/create the policies and push it to the relevant devices
added.

Installation of IPS Event Viewer

IPS Event Viewer is used to view real-time logs from IPS/IDS devices. IEV can be
installed and used on any host that meets the minimum system requirements
explained below.

System Requirements
You can install IEV on the following platforms:

• Windows 2000 Service Pack 4
• Windows XP Service Pack 1 or 2

IEV installs and uses the following support applications:

• Java 2 Runtime Environment Version 1.4.2
• MySQL server Version 3.23

You can install IEV on a computer that meets or exceeds the following minimum
hardware requirements:

• Pentium III 800 MHz
• 256 MB RAM
• 500 MB free disk space

Use the following browsers with IEV:

• Microsoft IE 6.0 or later
• Netscape 7.1 or later
• Firefox 1.0 or later

Installing IEV
To install IEV, follow these steps:

1. Download the IEV-min-5.2-1.exe file from the following location on Cisco.com:

http://www.cisco.com/cgi-bin/tablebuild.pl/ids-ev

2. Locate and double-click the IEV-min-5.2-1.exe file to start the installation wizard.

The Welcome dialog box appears.

3. Click Next to proceed with installation.

The Select Destination Location dialog box appears.

4. To accept the default location for the IEV files, click Next. Otherwise, click
Browse to locate a different folder, and then click Next.

The Select Program Manager Group dialog box appears.

5. Click Next to proceed with installation. The Start Installation dialog box appears.

6. Click Next to proceed with installation. The Installing dialog box appears.

7. Click Next to proceed with installation.

The Installation Complete dialog box appears.

8. Click Finish to complete installation. The Install dialog box appears.

9. You must reboot this host to complete the IEV installation. Click OK to reboot
the host.

Verifying Installation
To verify IEV installation, follow these steps:

1. Review the /<path to Cisco IPS Event Viewer>/IEV/log/system.log file. It should
only contain the following message:

Cisco IPS Event Viewer service successfully started.

2. Choose Start > Settings > Control Panel > Administrative Tools > Services
to verify that the following Windows services have started:
• Cisco IPS Event Viewer service

This service lets IEV retrieve alerts from remote device(s), store alerts in
the MySQL database, archive database files, and check for available disk
space.

• MySQL service

This service controls the persistent storing and serving of data.

Note The Cisco IPS Event Viewer service depends on MySQL services.
If you want to stop retrieving alerts, you can stop the Cisco IPS Event
Viewer service. Later you can restart the Cisco IPS Event Viewer service
to resume retrieving and storing alerts.

Warning Do not remove the c:\my.cnf file. The MySQL server used by
IEV requires this file.

Starting IEV

Tip Make sure the Windows NT services for IEV are running. To review the status of
the Cisco IEV and MySQL services, choose Start > Settings > Control Panel >
Administrative Tools > Services.

To start IEV, do one of the following:

• Double-click the Cisco IPS Event Viewer shortcut on your desktop.
• From the Windows Start menu, choose Programs > Cisco Systems > Cisco IPS
Event Viewer > Cisco IPS Event Viewer.

Configuring IEV
You can configure IEV to monitor up to 5 sensors. You can configure filters and views to
specify the alerts you want to see, and you can view the events and alerts that your
sensors generate. A new feature of IEV is report generation: you can generate the top 10
most common alerts, attackers, and victims on your sensors and save the reports to a text
file.

Specifying Devices to Monitor

IEV lets you view alerts for up to five sensors at a time. To specify which five sensors
IEV should monitor, you have to add each sensor to the Devices folder. You can later
change the properties IEV associates with a sensor or delete a sensor from IEV.

Adding a Device
Before IEV can receive events from a sensor, you must add the sensor to the list of
devices that IEV monitors. To add a sensor to the Devices folder, follow these steps:

1. Choose File > New > Device.

The Device Properties dialog box appears.

1. In the Sensor IP Address field, enter the IP address of the sensor you are adding.
2. In the Sensor Name field, enter the hostname of the sensor you are adding.
3. In the User Name field, enter your username.
4. In the Password field, enter your password.
5. In the Web Server Port field, enter the web server port. The default is 443.

Note The information you provide in the Device Properties dialog box should
match the settings you entered when you initialized the sensor. If you have set up
a user account with Administrator access for IEV, specify the username and
password for that account.

6. To specify the communication protocol IEV should use when connecting to the
sensor, click the Use encrypted connection (https) or Use non-encrypted
connection (http) radio button.
7. To specify what alerts to pull from the sensor, follow these steps:
1. To pull the latest alerts from the sensor, check the Latest Alerts check
box.

IEV receives alerts from the sensor, beginning with the first alert the
sensor receives after connecting with IEV.

2. To pull alerts from the sensor Event Store, uncheck the Latest Alerts
check box and specify the following:
1. Start Date
2. Start Time

IEV receives alerts from the sensor, beginning with the first alert that
matches the criteria you specified.

8. To exclude alerts of a certain severity level, check one or more of the following
check boxes:

• Informational
• Low
• Medium
• High

Alerts that match the severity level(s) you checked are not pulled from the sensor
Event Store and do not appear in the Statistical Graph.

9. Click OK to apply your changes and close the Device Properties dialog box.

Note IEV sends a subscription request to the sensor. This request remains open
until you modify the device properties or delete the device.

If you specified HTTPS as the communication protocol, IEV retrieves the
certificate information from the sensor and the Certificate Information dialog box
appears as shown on the next page.

10. Click Yes to accept the certificate and continue the HTTPS connection between
IEV and the sensor.

The sensor has a red dot next to it signifying that it is connected.

11. Repeat Steps 1 through 11 for any additional sensors you want to monitor (up to
5).

Note If IEV cannot connect to the sensor, a red X appears next to the device
name to indicate that no connection is present. IEV continues trying to connect to
the sensor every 20 seconds until a connection is established or you delete the
device from IEV.

Editing Device Properties
You can edit the properties that IEV associates with a sensor, such as sensor IP Address, sensor
name, or the user account that IEV uses to connect to the sensor.

To edit properties for an existing sensor in the Devices folder, follow these steps:

1. Double-click the Devices folder to view the list of sensors.
2. Right-click the sensor you want to edit, and then click Properties.

The Device Properties dialog box appears.

3. Edit the properties you want change, and then click Update to save your changes.

Deleting a Device
You can remove a sensor from the list of devices that IEV monitors. After you remove a
sensor from the Devices folder, IEV terminates the connection to that sensor and no
longer receives events from that sensor.

To delete a sensor from the Devices folder, follow these steps:

1. Double-click the Devices folder to view the list of sensors.
2. Right-click the sensor you want to delete, and then click Delete Device.

The Device Deletion Confirmation dialog box appears.

3. Click Yes to delete the sensor from the Devices folder.

Configuring Filters

The Filters tab lets you customize and refine your view of event data by specifying alerts
to exclude from your view. IEV ships with a default filter; however, you can create and
store user-defined filters in the Filters folder. You can later apply these filters to any
default or user-defined view.

Creating a Filter
You can create a filter to include or exclude alerts that match a specified trait, such as
severity, signature, or time.

To create a filter, follow these steps:

1. Choose File > New > Filter.

The Filter Properties dialog box appears.

2. To name the filter, enter an alpha or numeric text string (up to 64 characters) in
the Filter Name field.
3. To filter alerts by severity, check the By Severity check box in the Filter
Functions area and check one or more of the following severity level check boxes:
Informational, Low, Medium, or High.

4. To filter alerts by source address or destination address, check the By Src
Address or By Dst Address check box, respectively, in the Filter Functions area.

The Alarm Source Address Set pane appears.

1. To include an IP address or range, click the Included radio button. To
exclude an IP address or range, click the Excluded radio button.
2. To specify a single IP address, click the Unique radio button, enter a valid
IP address in the IP Address field, and then click Add.

The IP address is added to the group of addresses excluded or included
(depending on what you selected) by this filter.

3. To specify a range of IP addresses, click the Range radio button, enter a
valid starting IP address in the Start Address field and a valid ending IP
address in the End Address field, and then click Add.

The IP address range is added to the group of addresses excluded or
included (depending on what you selected) by this filter.

4. Repeat Step 4 to continue adding IP addresses or ranges of IP addresses.

5. To filter alerts by signature, check the By Signature check box in Filter
Functions.

The Excluded Signatures pane appears.

1. To locate a signature, click one of the following tabs:
1. Releases—Identifies the signature release categories. You can
expand each signature release to view the signatures that were
added to that release. You can choose an entire signature release,
such as S206, to exclude all signatures contained in that category.
You can choose individual signatures from a release to be
excluded. You can choose as many signature releases as you want.

2. L2/L3/L4 Protocol—Identifies the Layer 2, 3, and 4 protocol
categories. You can expand each protocol category to view the
individual signatures contained in that category. You can choose
an entire protocol category, such as UDP signatures, to exclude all
signatures contained in that category.
3. Attack—Identifies the attack classification categories. You can
choose an attack category, such as DoS, to exclude all signatures
contained in that category.
4. OS—Identifies the operating system categories. You can expand
each operating system category to view the individual signatures
contained in that category. You can choose an entire operating
system category, such as Windows NT, to exclude all signatures
contained in that category.
5. Service—Identifies the service categories. You can expand each
service category to view the individual signatures contained in that
category. You can choose an entire service category, such as DNS,
to exclude all signatures contained in that category.
2. To exclude individual signatures, expand the appropriate signature
category and choose the desired signatures.

The signatures you choose are excluded by this filter.

6. To exclude alerts by sensor, check the By Sensor Name check box in the Filter
Functions area and choose a sensor from the Devices folder.

7. To exclude alerts by time and date, check the By UTC Time check box in the
Filter Functions area.

The Excluded Alarm Time Period Set pane appears.

1. Enter a valid numerical start date, beginning with the 4-digit year, and
then the 2-digit month and day in the Start Date field.
2. Enter a valid start time, beginning with the 2-digit hour, and then minute
and seconds in the Start Time field.

Tip 16:00:00 is the same as 4:00 p.m.

3. Enter a valid numerical end date, beginning with the 4-digit year, and then
the 2-digit month and day in the End Date field.
4. Enter a valid end time, beginning with the 2-digit hour, and then minute
and seconds in the End Time field.

Tip 22:30:00 is the same as 10:30 p.m.

5. Repeat Step 7 to add additional time periods.

8. To exclude alerts by status, check the By Status check box in the Filter Functions
area and check one or more of the following status level check boxes:
1. New
2. Acknowledged
3. Assigned
4. Closed
5. Deleted

9. To save the filter, click OK.

The filter is added to the Filters folder and you can now use it in a view.

Configuring Views
The Views tab lets you analyze filtered event data from a specified source. IEV ships
with five default views; however, you can use the View Wizard to create and store user-
defined views in the Views folder.

Creating a View

To create a view, follow these steps:

1. Choose File > New > View.

2. To name the view, enter an alpha or numeric text string (up to 64 characters) in
the View Name field.
3. To specify a filter, check the Use Filter check box and choose a filter from the
drop-down list.
4. To specify how alerts are grouped in the table, check a grouping style check box
in the Select the grouping style on alert aggregation table.
5. To specify the columns that should appear in the table, check one or more check
boxes in the Select the columns initially shown on alert aggregation table.
6. To specify sort order for the columns, choose an option from the Column
Secondary Sort Order drop-down list.
7. Click Next.

8. To specify the alerts that should populate this view, choose a source from the
Choose a data source drop-down list.

Note To view alerts in real time, choose event_realtime_table.

9. To specify the columns that should appear in the alert detail, choose one or more
columns in the Select the columns initially shown on alert detail table area. To
rearrange the order of these columns, click Up or Down.

10. To save your changes and create the view, click Finished.

The view is added to the Views folder.

Generating Reports

The Reports tab lets you generate reports based on event data. IEV ships with three
default reports: Top Alerts, Top Attackers, and Top Victims, which report the most
common alerts, attackers, and victims (up to 10) over the specified time. You can specify
up to 90 days of past time.

Generating the Top Alerts Report

To generate a report with the top 10 most common alerts, follow these steps:

1. Click the Reports tab.
2. Double-click the Reports folder to display the reports.
3. Double-click Top Alerts in the Reports folder.

The Top Alerts pane appears.

4. In the drop-down list, specify how far back in time you want to gather the most
common alerts.
5. Click Generate Report.

The Reporting Devices folder displays the sensors that have the 10 most common
alerts. ALL displays the 10 most common alerts for all the sensors.

6. Double-click an individual sensor or ALL under the Reporting Devices folder to
display the 10 most common alerts.

The signature ID, subsignature ID, signature name, and count information are
displayed.

7. To save the report in a text file, click Save.
8. To obtain details about a common alert, right-click the alert in the list, and choose
Show Details.

You can also double-click the row in the list to show the details.

The Alarm Information Dialog appears with the list of all occurrences of that
alert.

Note Up to 30,000 alerts are displayed. If the count value of the selected row is
more than the 30,000 limit, you receive a warning message and then the most
recent 30,000 entries are displayed.

Generating the Top Attackers Report
To generate a report of the top 10 most common attackers, follow these steps:

1. Click the Reports tab.
2. Double-click the Reports folder to display the reports.
3. Double-click Top Attackers in the Reports folder.

The Top Attackers pane appears.

4. In the drop-down list, specify how far back in time you want to gather the top
most common attacker IP addresses.
5. Click Generate Report.

The Reporting Devices folder displays the sensors that have the 10 most common
attackers. ALL displays the 10 most common attackers for all the sensors.

6. Double-click the individual sensor or ALL under the Reporting Devices folder to
display the 10 most common attackers.

The attacker IP address and count information are displayed.

7. To save the report in a text file, click Save.
8. To obtain details about an attacker, right-click the attacker IP address in the list,
and choose Show Details.

You can also double-click the row in the list to show the details.

The Alarm Information Dialog appears with the list of all occurrences of that
source IP address.

Note Up to 30,000 entries are displayed. If the count value of the selected row
is more than the 30,000 limit, you receive a warning message and then the most
recent 30,000 entries are displayed.

Viewing Events in the Realtime Dashboard
You can use the Realtime Dashboard to view a continuous stream of real-time events
from the sensor.

To view events in the Realtime Dashboard, follow these steps:

1. Choose Tools > Realtime Dashboard > Launch Dashboard.

IEV opens a subscription request with the sensor. If the connection is successful,
the Realtime Dashboard appears and displays the most recent events received by
the sensor since the request was opened.

2. To pause the stream of real-time events, click Pause.

IEV stops populating the Realtime Dashboard with events.

3. To resume the stream of real-time events, click Resume.

IEV populates the Realtime Dashboard with events, beginning with the first event
that was received after the stream was paused.

4. To clear all existing events from the Realtime Dashboard, click Reconnect.

All existing events are removed from the Realtime Dashboard and IEV opens a
new subscription with the sensor.

Configuring the Realtime Dashboard Settings
By default, the Realtime Dashboard displays the most recent events received from every
device configured in IEV. You can configure the Realtime Dashboard to display only
events from a particular device or only events of a particular severity level. You can also
configure how often the Realtime Dashboard retrieves events from the sensor(s) and the
maximum number of events to display.

To configure the Realtime Dashboard settings, follow these steps:

1. Choose Tools > Realtime Dashboard > Properties.

The Realtime Dashboard Properties dialog box appears.

2. To exclude alerts by severity level, in the Exclude alerts of the following severity
level(s) area, check one or more of the following check boxes:
• Informational
• Low
• Medium
• High

Alerts that match the severity level(s) you selected do not appear in the Realtime
Dashboard.

3. To exclude events from a particular device, choose that device in the Exclude
events from the following device(s) area.

IEV closes any open subscriptions to this device and no events are received from
the sensor.

4. To configure the number of events IEV retrieves each second, follow these steps:
a. Specify the number of events (between 1 and 200) IEV should retrieve
during each request.
b. Specify the number of seconds (between 1 and 120) that should elapse
before IEV retrieves more events.
5. Specify the maximum number of events to display in the Realtime Dashboard
(between 25 and 5,000).

If the maximum number is reached, the oldest alert is removed from the Realtime
Dashboard. This process continues until the number of alerts in the Realtime
Dashboard is less than the maximum number you specified.

6. Click Apply to save your changes and close the Realtime Dashboard Properties
dialog box.
