
RDP attack problem with an ASA 5505

Posted: Sat 30 Nov 2013, 11:35 am
by dave67bo
Hi all. First of all, I searched the site a bit and did not find an answer to the question I am about to ask:
I have a 5505 firewall configured for various functions on a customer's network; that configuration includes several VPN and SSH accesses set up for the various functions required.
Everything works correctly, but I have a recurring problem, which I therefore take to be a possible attack, on the configuration of an RDP server.
Specifically, I have an SBS 2003 server that publishes OWA, ActiveSync and Exchange, which works without problems; then a Server 2003 configured for remote client access over RDP. It is the latter that causes problems.
I have 3 branch offices that connect to use a business-management application on this server. One is connected via VPN client and has no problems; the second and third cannot use that approach, so I published RDP.
Some connections have to be made from devices that do not have a static IP, so I cannot put the calling IP in the RDP rule. What happens is that every so often, at random, I find an enormous amount of traffic that blocks Internet access and all connections. Changing the translated port mapping fixes the problem temporarily. Any advice on how to avoid the problem? Here is the configuration.

ASA Version 8.3(1)
!
hostname xxxxxxxxx
domain-name xxxxxxxxxxx
enable password h/zpzIQH9Jdn3tNU encrypted
passwd h/zpzIQH9Jdn3tNU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 87.241.13.196 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name xxxxxxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Serverweb
host 192.168.0.100
description Exchange server
object network dvr
host 192.168.0.xxx
description Surveillance
object service 5445-5445
service tcp destination range 5445 5445
object service 110-110
service tcp destination range pop3 pop3
object service 25-25
service tcp destination range smtp smtp
object network Internet
subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.3.0_24
subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.0_24
subnet 192.168.5.0 255.255.255.0
object network DesktopRemoto
host 192.168.0.101
description Remote Desktop
object service desktopremoto
service tcp source eq 3389 destination eq 60606
description published desktop
object service 60606
service tcp source eq 60606 destination eq 60606
object service 3389
service tcp source eq 3389 destination eq 3389
object network NETWORK_OBJ_192.168.13.0_27
subnet 192.168.13.0 255.255.255.224
object network NETWORK_OBJ_192.168.11.0_27
subnet 192.168.11.0 255.255.255.224
object network NETWORK_OBJ_192.168.21.0_27
subnet 192.168.21.0 255.255.255.224
object network obj_10.255.94.0
subnet 10.255.94.0 255.255.255.0
object network obj_10.0.1.67
host 10.0.1.67
object network obj_192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.16.0_27
subnet 192.168.16.0 255.255.255.224
object network NETWORK_OBJ_192.168.15.0_26
subnet 192.168.15.0 255.255.255.192
object-group service Dvr
description Surveillance services
service-object object 5445-5445
service-object tcp destination eq www
service-object tcp destination eq https
object-group service webServer
description Exchange services
service-object object 110-110
service-object object 25-25
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object tcp destination eq ssh
object-group service DeskRemotoTcp
description Remote server publishing
service-object object 3389
service-object object 60606
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit object-group webServer any object Serverweb
access-list outside_access_in extended permit object-group Dvr any object dvr
access-list outside_access_in extended permit object-group DeskRemotoTcp any object DesktopRemoto

access-list global_access extended permit ip any 192.168.0.0 255.255.255.0
access-list global_access extended permit ip interface outside 192.168.0.0 255.255.255.0
access-list vpngrottaglie_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list BGremoto_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list Newmiro_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list Miroremdvd_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list new extended permit ip 10.255.94.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list policynat-xxxx extended permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list Boremoto_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list Boremoto_splitTunnelAcl_1 standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Grotta 192.168.2.1-192.168.2.254 mask 255.255.255.0
ip local pool Bgresia 192.168.3.1-192.168.3.254 mask 255.255.255.0
ip local pool Miroremoto 192.168.13.1-192.168.13.20 mask 255.255.255.0
ip local pool Newmiro 192.168.11.10-192.168.11.20 mask 255.255.255.0
ip local pool Mirodvd 192.168.21.10-192.168.21.30 mask 255.255.255.0
ip local pool Boremoto 192.168.15.20-192.168.15.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.0.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.13.0_27 NETWORK_OBJ_192.168.13.0_27
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.11.0_27 NETWORK_OBJ_192.168.11.0_27
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.21.0_27 NETWORK_OBJ_192.168.21.0_27
nat (inside,outside) source static obj_192.168.0.0 obj_10.255.94.0 destination static obj_10.0.1.67 obj_10.0.1.67
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.16.0_27 NETWORK_OBJ_192.168.16.0_27
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.15.0_26 NETWORK_OBJ_192.168.15.0_26
!
object network Serverweb
nat (any,any) static 87.241.13.199
object network dvr
nat (any,any) static 87.241.xx.xxx
object network Internet
nat (any,outside) dynamic interface
object network DesktopRemoto
nat (any,any) static 87.241.13.200 service tcp 3389 60609
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 87.241.13.195 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:00:00 absolute uauth 0:05:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http xxxxxxxxxxxx 255.255.255.0 inside
http xxxxxxxxxxxx 255.255.255.255 outside
http xxxxxxxxxxxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 20 match address new
crypto map outside_map 20 set peer 91.224.72.247
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=xxxxxxxxxxxxxx
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=xxxxxxxxxxxxxx
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate f56d4951
30820203 3082016c a0030201 020204f5 6d495130 0d06092a 864886f7 0d010105
05003046 31173015 06035504 03130e41 73613535 30354d69 726f7372 6c312b30
2906092a 864886f7 0d010902 161c4173 61353530 354d6972 6f73726c 2e6d6972
6f73726c 2e6c6f63 616c301e 170d3133 30333231 31333237 35305a17 0d323330
33313931 33323735 305a3046 31173015 06035504 03130e41 73613535 30354d69
726f7372 6c312b30 2906092a 864886f7 0d010902 161c4173 61353530 354d6972
6f73726c 2e6d6972 6f73726c 2e6c6f63 616c3081 9f300d06 092a8648 86f70d01
01010500 03818d00 30818902 818100d2 9dabf2fe 358a3fca 14d83662 8dfdf2bc
de2bf10c 2e0860d9 32a743da 1c3bb3a6 80699f75 d95d5481 725569a2 92bf1c74
c57be4ef 0fc2ecc0 e0bfa3cd 50ab4ff5 7c0dee13 0a99aecd d12af555 b23ae1dc
5eef2b6c 4a04826e 57593674 ca48d683 fc249415 55504f21 8ff97692 a495bcdd
a9394a34 d8305dd1 2a8782e7 deb28b02 03010001 300d0609 2a864886 f70d0101
05050003 81810015 7d7c0946 ae35e5fc bcacf4ea c803eba4 33fc4675 a32dafc0
98e0f15a 31e808c1 47962d6a 1c0db37e 78b81f9b 67951318 a9e2a12f 889f7613
ff4447c6 df53395f b1d0fed6 6edd1d8b 41236a33 16b27bac 249f05f1 3ec4019e
bbbf56eb 987e0cec 42f13aef 063839c4 49e9c95f 9d38fcbb 2656b790 925e88b9
9a195d4b fed16a
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh xxxxxxxxxxx 255.255.255.0 inside
ssh xxxxxxxxxxx 255.255.255.255 outside
ssh xxxxxxxxxxx 255.255.255.255 outside
ssh xxxxxxxxxxx 255.255.255.255 outside
ssh timeout 10
console timeout 0

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Miroremdvd internal
group-policy Miroremdvd attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Miroremdvd_splitTunnelAcl
group-policy Miroremoto internal
group-policy Miroremoto attributes
vpn-tunnel-protocol IPSec
group-policy BGremoto internal
group-policy BGremoto attributes
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value BGremoto_splitTunnelAcl
group-policy vpngrottaglie internal
group-policy vpngrottaglie attributes
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpngrottaglie_splitTunnelAcl
user-authentication-idle-timeout none
group-policy Newmiro internal
group-policy Newmiro attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Newmiro_splitTunnelAcl
group-policy Boremoto internal
group-policy Boremoto attributes
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout 15
vpn-session-timeout none
vpn-tunnel-protocol IPSec webvpn
group-lock none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Boremoto_splitTunnelAcl_1
vlan none
webvpn
url-list none
filter none
port-forward disable
hidden-shares none
file-entry enable
file-browsing enable
url-entry enable
smart-tunnel tunnel-policy tunnelall
username Bgresia password YlcJeHv6mvI7Yxq9gKw4gA== nt-encrypted privilege 7
username Bgresia attributes
vpn-group-policy BGremoto
vpn-simultaneous-logins 3
vpn-session-timeout none
username Davide password /Ujo.Nyf2lTin7.T encrypted
username Grotta password 1rXhCYizo/ZwqHWI encrypted privilege 0
username Grotta attributes
vpn-group-policy vpngrottaglie
vpn-simultaneous-logins 10
username Remdvd password JOxCSdYrUqAJrm2t encrypted privilege 15
username Remdvd attributes
vpn-group-policy Miroremoto
username NewMiro password YIaNGkyB8FH5TxTZ encrypted privilege 0
username NewMiro attributes
vpn-group-policy Newmiro
username Boremoto password ekUCSO1qo1Zs32fI encrypted privilege 0
username Boremoto attributes
vpn-group-policy Boremoto
tunnel-group vpngrottaglie type remote-access
tunnel-group vpngrottaglie general-attributes
address-pool Grotta
default-group-policy vpngrottaglie
tunnel-group vpngrottaglie ipsec-attributes
pre-shared-key *****
tunnel-group BGremoto type remote-access
tunnel-group BGremoto general-attributes
address-pool Bgresia
default-group-policy BGremoto
tunnel-group BGremoto ipsec-attributes
pre-shared-key *****
tunnel-group Miroremoto type remote-access
tunnel-group Miroremoto general-attributes
address-pool Miroremoto
default-group-policy Miroremoto
tunnel-group Miroremoto ipsec-attributes
pre-shared-key *****
tunnel-group Newmiro type remote-access
tunnel-group Newmiro general-attributes
address-pool Newmiro
default-group-policy Newmiro
tunnel-group Newmiro ipsec-attributes
pre-shared-key *****
tunnel-group Miroremdvd type remote-access
tunnel-group Miroremdvd general-attributes
address-pool Miroremoto
default-group-policy Miroremdvd
tunnel-group Miroremdvd ipsec-attributes
pre-shared-key *****
tunnel-group 91.224.72.247 type ipsec-l2l
tunnel-group 91.224.72.247 ipsec-attributes
pre-shared-key *****
tunnel-group Boremoto type remote-access
tunnel-group Boremoto general-attributes
address-pool Boremoto
default-group-policy Boremoto
tunnel-group Boremoto ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context

end

Thanks in advance for any answers you can give me.

Re: RDP attack problem with an ASA 5505

Posted: Sun 15 Dec 2013, 4:51 pm
by scolpi
Does the attack always come in from the same source IP (or at least the same prefix), or from completely random sources?

Re: RDP attack problem with an ASA 5505

Posted: Mon 16 Dec 2013, 3:40 pm
by dave67bo
Hi Scolpi, thanks for the reply.
Unfortunately it is not always the same IP, and apparently not even the same source; I applied several deny access lists against the addresses that looked like the culprits, but after a short while the problem comes back...

Re: RDP attack problem with an ASA 5505

Posted: Mon 16 Dec 2013, 8:01 pm
by scolpi
I don't know the VPN side of the ASA well, but as a workaround you could perhaps set up policing so that an attack cannot saturate the bandwidth.
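The following is an added example, not part of any post in the thread, showing how the two things discussed here (the published RDP server that attracts random-source floods in dave67bo's question, and the policing workaround scolpi proposes) can be expressed on the poster's ASA 8.3(1). It reuses only names visible in the posted configuration (object DesktopRemoto = 192.168.0.101, interface outside, the 192.168.0.0/24 inside network); the ACL, class-map and policy-map names, the connection limits, the policing rate and the threat-detection thresholds are illustrative assumptions to be tuned per site. Note that the posted service objects `3389` and `60606` also constrain the client's source port (`service tcp source eq ... destination eq ...`), which a publish rule normally does not want; the example does not rely on them.

```cisco
! --- Added example, not from the original post. Assumes ASA 8.3(1) and the
! --- poster's object DesktopRemoto (192.168.0.101) and interface "outside".
! --- All numeric limits below are assumptions to be tuned per site.

! 1. Isolate the published RDP flow. In 8.3+ access lists are matched on the
!    real (untranslated) server address, so the inside host is used here;
!    the real port 3389 is assumed as well.
access-list rdp_publish_acl extended permit tcp any object DesktopRemoto eq 3389
class-map rdp_publish
 match access-list rdp_publish_acl

! 2. Cap what a single source (and the flow as a whole) may hold open.
!    Scanners and password-guessers open many short connections from one IP;
!    a legitimate RDP client needs one or two. Half-open connections are aged
!    out after 20 seconds so a SYN flood cannot fill the connection table.
policy-map outside_policy
 class rdp_publish
  set connection per-client-max 5 per-client-embryonic-max 3
  set connection conn-max 100 embryonic-conn-max 50
  set connection timeout embryonic 0:00:20
!   Policing, the workaround scolpi suggests: drop the RDP flow above
!   1 Mbit/s (8000-byte burst) instead of letting it crowd out other traffic.
  police input 1000000 8000 conform-action transmit exceed-action drop
service-policy outside_policy interface outside

! 3. Let threat detection shun sources that behave like scanners for an hour.
!    The inside network is excluded so the server itself can never be shunned.
!    (The posted config already has threat-detection basic-threat and
!    statistics host, which these lines build on.)
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.255.0 duration 3600
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

! Verify while an episode is under way:
!   show conn address 192.168.0.101 port 3389      ! who holds connections to the RDP server
!   show threat-detection statistics host          ! per-source packet and drop counters
!   show threat-detection shun                     ! sources currently shunned
!   show service-policy interface outside          ! policer and connection-limit hit counts
```

Two caveats a practitioner would keep in mind. Policing on the firewall drops packets only after they have already crossed the WAN link, so if the flood itself fills the uplink, the policer and the connection limits protect the server and the ASA's connection table but cannot give that bandwidth back; that requires the upstream provider or moving the service behind the VPN, as the first branch office already is. And, as the poster observed, changing the mapped port (60606, then 60609) only buys time until the next scan finds the new port, which is why the limits above are keyed on behaviour per source rather than on the port or on individual attacker addresses.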